IBM - Vol2 PDF
Manoj Babulal, David Doyle, Jim Loebach, Dudley Miller, Michael Schmid, Goran Wibran, Byron Braswell
ibm.com/redbooks
International Technical Support Organization
Using ThinkVantage Technologies: Volume 2 Maintaining and Recovering Client Systems
September 2003
SG24-6060-00
Note: Before using this information and the product it supports, read the information in Notices on page ix.
First Edition (September 2003)
This edition applies to Version 3.01 SP1 of Rapid Restore Ultra, Version 5.1 of IBM Client Security Software and Version 4 of Access IBM.
This document was created or updated on September 24, 2003.
Copyright International Business Machines Corporation 2003. All rights reserved. Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents
Notices ... ix
Trademarks ... x
Preface ... xi
The team that wrote this redbook ... xi
Become a published author ... xiv
Comments welcome ... xiv
Chapter 1. Introduction ... 1
1.1 ThinkVantage Technologies ... 2
1.2 ThinkVantage Technologies process improvements ... 6
1.3 Implementing a ThinkVantage Technologies solution ... 7
Chapter 2. Rapid Restore Ultra ... 11
2.1 Introducing Rapid Restore Ultra ... 12
2.1.1 Rapid Restore Ultra features ... 12
2.1.2 Rapid Restore Ultra backup methodology ... 13
2.1.3 Rapid Restore Ultra components ... 15
2.2 Installing Rapid Restore Ultra ... 15
2.2.1 Rapid Restore Ultra requirements ... 16
2.2.2 Rapid Restore Ultra installation ... 17
2.2.3 Enabling backup support on a USB drive after install ... 23
2.3 Using Rapid Restore Ultra ... 23
2.3.1 Backing up your system ... 23
2.3.2 Restoring your system ... 29
2.3.3 Running Rapid Restore Ultra service ... 38
2.3.4 Migrating to a new hard disk drive ... 38
2.3.5 Uninstall Rapid Restore Ultra ... 39
2.4 Rapid Restore deployment in an enterprise ... 40
2.4.1 Obtaining the Rapid Restore Ultra for custom install ... 40
2.4.2 Customizing Rapid Restore install options ... 42
2.4.3 Deployment methods ... 51
2.4.4 Post deployment management options ... 56
2.4.5 Rapid Restore Ultra considerations for IT Administrators ... 57
2.5 Rapid Restore Ultra troubleshooting information ... 60
2.5.1 Backup and restore troubleshooting information ... 60
2.5.2 Installation troubleshooting ... 61
2.5.3 Partition and boot manager troubleshooting tips ... 61
2.5.4 Miscellaneous troubleshooting tips ... 62
2.5.5 Rapid Restore Ultra Frequently Asked Questions (FAQ) ... 63
Chapter 3. The Access IBM experience ... 65
3.1 Overview ... 66
3.2 Access IBM ... 66
3.2.1 Access IBM User Interface ... 67
3.2.2 Customizing Access IBM and Access Help ... 69
3.2.3 Customizing Access IBM ... 70
3.2.4 Access IBM Customization Tool ... 71
3.3 Access Help ... 76
3.3.1 Customizing Access Help ... 77
3.4 Access IBM Predesktop Area ... 78
3.4.1 Partition-based recovery solutions ... 78
3.4.2 Hidden protected area based recovery solutions ... 79
3.4.3 Hidden Protected Area main areas ... 81
3.4.4 Keys used during startup ... 84
3.4.5 Creating an image of the hard drive ... 85
3.5 Access IBM Message Center ... 87
3.5.1 Local messages vs. Web messages ... 88
3.5.2 What a message file contains ... 89
3.5.3 Delivering messages of your own ... 92
3.6 Summary ... 94
3.6.1 Access IBM ... 94
3.6.2 IBM Hidden Protected Area ... 95
3.6.3 Access IBM Message Center ... 95
3.6.4 Customization ... 95
Chapter 4. Embedded Security Subsystem ... 97
4.1 IBM Embedded Security Overview ... 98
4.1.1 IBM Embedded Security Chip ... 98
4.1.2 IBM Client Security Software ... 99
4.1.3 IBM Client Security Password Manager ... 101
4.1.4 File and Folder Encryption (FFE) Utility ... 102
4.2 Planning: Installation considerations ... 103
4.2.1 Client Security Software ... 103
4.2.2 File and Folder Encryption considerations ... 105
4.2.3 IBM Client Security Password Manager ... 106
4.3 Preparation: Prerequisite instructions ... 106
4.3.1 Before installing the software ... 107
4.4 Preparation: Installation instructions ... 108
4.4.1 Installing prerequisite device drivers ... 108
4.4.2 Installing the IBM Client Security Software ... 109
4.4.3 Installing the Targus PC Card Fingerprint Reader ... 111
4.4.4 Installing the IBM Client Security Password Manager ... 112
4.4.5 Installing the IBM File and Folder Encryption ... 112
4.4.6 Performing an unattended installation ... 113
4.4.7 Upgrading your version of Client Security Software ... 117
4.5 Implementation: Configuration ... 120
4.5.1 Configuring the IBM Client Security Software ... 121
4.5.2 Modifying your security settings ... 127
4.5.3 Authentication Elements ... 130
4.5.4 Registering fingerprints ... 131
4.5.5 Using User Verification Manager protection for Lotus Notes ... 133
4.6 Implementation: Utilization ... 134
4.6.1 Using the User Verification Manager policy editor ... 134
4.6.2 Editing a UVM policy on remote clients ... 135
4.6.3 IBM Client Security Password Manager ... 135
4.6.4 File and Folder Encryption (FFE) ... 139
4.6.5 Using User Verification Manager protection within Lotus Notes ... 142
4.6.6 Using the Administrator Console ... 144
4.6.7 Changing the key archive location ... 145
4.6.8 Changing the archive key pair ... 145
4.6.9 Restoring keys from archive ... 146
4.7 Usage Scenarios ... 147
4.7.1 Windows 2000 and Windows XP clients using Outlook Express ... 148
4.7.2 Windows 2000 clients using Lotus Notes ... 149
4.7.3 Multiple Windows 2000 clients managed by Tivoli Access Manager ... 150
4.8 Uninstalling Client Security Software ... 152
4.9 Troubleshooting ... 153
4.9.1 Error Messages ... 153
4.9.2 Setting a supervisor password (ThinkPad) ... 153
4.9.3 Setting an administrator password (ThinkCentre) ... 154
4.9.4 Clearing the IBM Embedded Security Chip (ThinkPad) ... 155
4.9.5 Clearing the IBM Embedded Security Chip (ThinkCentre) ... 156
4.9.6 Fail counts on TCPA and non-TCPA systems ... 157
4.9.7 IBM File and Folder Encryption (FFE) Utility known issues ... 158
4.9.8 Installation troubleshooting information ... 160
4.9.9 Administrator Utility troubleshooting information ... 161
4.9.10 User Configuration Utility troubleshooting information ... 163
4.9.11 ThinkPad-specific troubleshooting information ... 164
4.9.12 Microsoft troubleshooting information ... 164
4.9.13 Netscape application troubleshooting information ... 168
4.9.14 Digital certificate troubleshooting information ... 170
4.9.15 Tivoli Access Manager troubleshooting information ... 170
4.9.16 Lotus Notes troubleshooting information ... 171
4.9.17 Encryption troubleshooting information ... 172
4.9.18 UVM-aware device troubleshooting information ... 172
Chapter 5. Scenarios Implementing ThinkVantage Technologies ... 175
5.1 Migration/rollout scenarios ... 176
5.1.1 PC Migration or upgrade ... 176
5.1.2 PC Rollout Scenario ... 178
5.1.3 Helpdesk scenario ... 180
5.2 ESS and Rapid Restore Ultra scenario ... 182
5.2.1 Installation of CSS and RRU on the same system ... 182
5.2.2 Usage considerations ... 182
5.2.3 Possible conflicts ... 182
5.3 Integrating Rapid Restore with ImageUltra Builder ... 183
5.3.1 Service partition setting in ImageUltra Builder ... 183
5.3.2 Adding Rapid Restore modules to ImageUltra Builder image ... 186
5.4 Integrating Rapid Restore Ultra with IBM Director ... 189
5.4.1 Installing Rapid Restore Ultra using IBM Director ... 189
5.4.2 Adding Rapid Restore to the IBM Director software dictionary ... 191
5.4.3 Managing all Rapid Restore Ultra systems as one group ... 193
5.4.4 Receive alert when Rapid Restore is not active on client system ... 195
5.4.5 Remotely change the Rapid Restore Ultra backup schedule ... 197
5.4.6 Remotely initiate Rapid Restore Ultra incremental backup ... 198
5.5 Integrating Rapid Restore Ultra with IBM RDM ... 199
5.5.1 IBM RDM requirements/preparations ... 200
5.5.2 Procedure ... 201
5.6 IBM Director & Asset Depot scenario ... 204
5.7 Software deployment ... 205
5.7.1 Integrating Web-D into ImageUltra Builder ... 205
5.7.2 Integrating Asset Depot into ImageUltra Builder ... 206
5.8 Asset Depot and Web-D conceptual scenarios ... 206
Appendix A. Rapid Restore batch files ... 209
Appendix B. Additional material ... 215
Locating the Web material ... 215
Using the Web material ... 215
How to use the Web material ... 216
Abbreviations and acronyms ... 219
Related publications ... 221
IBM Redbooks ... 221
Other publications ... 221
Online resources ... 222
How to get IBM Redbooks ... 223
Notices
This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, NY 10504-1785 U.S.A.

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE: This information contains sample application programs in source language, which illustrates programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs.
You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.
Trademarks
The following terms are trademarks of the International Business Machines Corporation in the United States, other countries, or both:
AIX, Asset ID, DB2, DFS, ibm.com, IBM, ImageUltra, Lotus, Lotus Notes, NetVista, Notes, Rapid Restore, Redbooks, Redbooks (logo), ThinkCentre, ThinkPad, ThinkVantage, Tivoli, Tivoli Enterprise, Wake on LAN, WebSphere

The following terms are trademarks of other companies:
Intel, Intel Inside (logos), MMX, and Pentium are trademarks of Intel Corporation in the United States, other countries, or both.
Microsoft, Windows, Windows NT, Windows XP and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
SET, SET Secure Electronic Transaction, and the SET Logo are trademarks owned by SET Secure Electronic Transaction LLC.
Other company, product, and service names may be trademarks or service marks of others.
Preface
ThinkVantage Technologies brings your IBM PCs one step closer to being self-configured, self-optimizing, self-protecting, or self-healing to help save you time and money throughout the life of your systems. In short, ThinkVantage Technologies let you focus your attention on your business, rather than on your computer.

ThinkVantage Technologies are software tools designed to help customers drive down IT support costs (in particular, the cost of managing and supporting a PC after its initial purchase), increase security and decrease the complexity of today's IT infrastructure.

This Redbook will help you maintain, recover and secure the IBM ThinkVantage Technologies on IBM and OEM desktops.

This Redbook is volume two of a two-volume set of ThinkVantage Technologies Redbooks. It describes how to maintain and recover client systems. The first Redbook is Using ThinkVantage Technologies: Volume 1 Creating and Deploying Client Systems, SG24-7045.

In addition, there are two Redpapers that cover IBM Service Offerings which complement ThinkVantage Technology investments:
- Using Asset Depot, REDP-3763
- Using Web-D, REDP-3764
Figure 0-1 Byron Braswell, Dudley Miller, Manoj Babulal, Michael Schmid, David Doyle
Byron Braswell is a networking professional at the International Technical Support Organization, Raleigh Center. He received a B.S. degree in Physics and an M.S. degree in Computer Sciences from Texas A&M University. He writes extensively in the areas of networking and host integration software. Before joining the ITSO three years ago, Byron worked in IBM Learning Services Development in networking education development.

Manoj Babulal is a software engineer at IBM India. He has more than 3 years of experience in the networking and systems management field. He holds a degree in Computer Science from NIT, Surathkal, India. His areas of expertise include networking and remote management solutions.

David Doyle is a PC Technical Advocate for the IBM Personal Computing Division in Melbourne, Australia. He has 10 years of IT experience in fields ranging from GIS and Desktop/Server Administration to image creation and management. He has worked at IBM for 6 years. His areas of expertise include ImageUltra, RDM, SDA, SMA, IBM Director and Client Security solutions.
Jim Loebach is a software engineer for the IBM Personal Computing Division supporting the IBM ThinkVantage Technology software applications in Raleigh, NC. He has worked at IBM for 7 years, with experience on hardware and software on IBM ThinkPad, NetVista, and ThinkCentre systems. His areas of expertise include all the ThinkVantage applications and the Windows operating systems.

Dudley Miller is a Senior Systems Management Professional for IBM Global Services, South Delivery Center. He received a B.S. degree in Engineering Science from The University of Texas at Austin. He has over 15 years of experience in the IT industry. His areas of expertise include object-oriented design and development of electronic software delivery solutions.

Michael Schmid is an IT Specialist at IBM Switzerland. He has been with IBM Global Services, Integrated Technology Services for 6 years. As an IT Specialist he plans and realizes customer projects in Microsoft environments. He holds the Microsoft Certified Systems Engineer certification. His areas of expertise include Microsoft infrastructure services and ThinkVantage Technologies.

Goran Wibran is a Segment Manager for IBM TCO and ThinkVantage Technologies, based at Research Triangle Park, North Carolina, US. His mission is to help IBM PCD create solutions for cost- and resource-effective IT management, IT process automation and IT system integration. He is one of IBM's leading experts on deploying and managing PC-based products. In his leadership role, he works with the IBM development teams to create the next generation of PC and server management solutions. He simultaneously continues his work as a consultant, helping IBM customers develop and implement automated IT processes around the world.
Thanks to the following people for their contributions to this project:

Margaret Ticknor, Linda Robinson, Rufus Credle, David Watts, Tamikia Barrow
International Technical Support Organization, Raleigh Center

Clain Anderson, Nathan Bigger, Phil Menzies, Caroline Patzer, Fletcher Stone, Dean Suraci, Andy Trotter, Goran Wibran, Jeffrey Witt
IBM RTP

Oscar Aguirre
IBM Chicago

David Gemuenden, Syed Irfan, Bill Lee
IBM Austin

Mickey Iqbal
IBM Alpharetta

James MacKenzie, Gavin Cameron
IBM UK, Greenock
Comments welcome
Your comments are important to us! We want our Redbooks to be as helpful as possible. Send us your comments about this or other Redbooks in one of the following ways:
- Use the online Contact us review redbook form found at: ibm.com/redbooks
- Mail your comments to: IBM Corporation, International Technical Support Organization, Dept. HZ8 Building 662, P.O. Box 12195, Research Triangle Park, NC 27709-2195
Chapter 1. Introduction
Over the last decade, controlling complexity has been the goal of every IT manager. While the introduction of the Internet, new devices and new processes has made delivery of service more complex, it has become critical for IT managers to contain costs. Understanding the total cost of ownership has created the need to seek methods to reduce costs while improving service. Despite reductions in PC hardware costs, many have seen costs rise due to increased product complexity, proliferation, and the related management and support issues. Today, the initial cost of buying a PC is the tip of the iceberg. This emphasis on cost reduction has created the requirement for ways to improve the overall PC management process.

What has IBM done to alleviate the stress of these costs? IBM has focused research and development efforts around the challenges of reducing total cost of ownership. Through the evaluation of each phase of the PC life cycle, IBM has developed a number of technologies in hardware and software to reduce IT management costs. Known as ThinkVantage Technologies, they manage the PC life cycle from pre-deployment planning through end-of-life disposition.

Figure 1-1 is an overview of the functions performed by various ThinkVantage Technologies during the hardware/software life cycle of a typical client PC.
Figure 1-1 ThinkVantage Technologies across the PC life cycle (diagram; only its labels survived extraction)
Life-cycle phases: Image creation, Image deployment, Migration, Recovery, Inventory, Software distribution, Support, Retire
Functions: Image Creation, Management and Test; Deploy Image; Install Client; Migrate Data and Application Settings; Backup/Recovery; [Remote] Support; Software Updates; Inventory
Tools shown against those functions: ImageUltra Builder; RDM; SDA; SMA; RRU; IBM Director, IBM Director Agent, Integration [Access IBM] [Access Connections]; Asset Depot*; [SDA/Web-D*]
Tool abbreviations: RRU - Rapid Restore Ultra; SDA - Software Delivery Assistant; SMA - System Migration Assistant; RDM - Remote Deployment Manager; SDD - Secure Data Disposal
The two-volume set of ThinkVantage Technology Redbooks covers the products that address each of the functional areas in the PC life cycle. These products are introduced in the following sections.
Asset Depot
Asset Depot is a cost- and resource-effective inventory solution that complements and leverages the customer's investment in ThinkVantage Technologies. Features included in Asset Depot are easy browser accessibility, minimal resource usage, software license management and central management.
Asset Depot is discussed in the ITSO Redpaper Using Asset Depot for Inventory Management, REDP-3763.
Web-D
Web-D is a Java-based, Web-enabled software distribution solution that complements and leverages the customer's investment in ThinkVantage Technologies. Web-D uses industry-standard components, is simple to manage, integrates easily into an existing customer network infrastructure, is customizable, and is very cost effective both at the time of implementation and over the long term. Web-D is discussed in the ITSO Redpaper Using Web-D for Software Distribution, REDP-3764.
ImageUltra Builder
ImageUltra Builder was designed to help simplify your image creation, deployment and management. This technology is designed to help enterprises save time and money and to stay productive with a do-it-yourself tool that can allow you to deploy as few as one image across your enterprise. By combining multiple languages, applications and operating systems into a single hard drive image, you help eliminate or reduce the need for manual application installation, hardware testing and support. This patent-pending technology lets you better control your IT environment, makes deployments less painful, and lowers IT costs.

Unlike Ghost and PowerQuest DriveImage, ImageUltra Builder allows drivers and applications to be separated from a traditional image. By separating these components, as well as the OS, we greatly reduce the number of images that need to be kept. As drivers and applications are updated, there is also no need to open each traditional image to apply the updates. Customers already using Ghost or PowerQuest DriveImage can incorporate their images into ImageUltra Builder as either semi-portable or system-specific images.

For more information regarding ImageUltra Builder, refer to Using ThinkVantage Technologies: Volume 1 Creating and Deploying Client Systems, SG24-7045.
Access Connections
IBM Access Connections is a connectivity assistant program for your IBM ThinkPad computer that allows you to create and manage location profiles. Each location profile stores all of the network and Internet configuration settings that are needed to connect to a network infrastructure from a specific location such as home or work. By switching between location profiles as you move your computer from place to place, you can quickly and easily connect to a network without having to manually reconfigure your settings and restart your computer each time. Access Connections is discussed in Using ThinkVantage Technologies: Volume 1 Creating and Deploying Client Systems, SG24-7045.
IBM Director
IBM Director V4.1 is the newest release of the industry-leading client/server workgroup manager. IBM Director's tools provide customers with flexible capabilities to realize maximum system availability and lower IT costs. With IBM Director, IT administrators can view and track the hardware configuration of remote systems in detail and monitor the usage and performance of critical components, such as processors, disks, and memory. IBM Director is discussed in Implementing Systems Management Solutions using IBM Director, SG24-6188.
6060ch01.fm
- Improved application deployment by delivering a detached application deployment solution
- Rapid transition by delivering a smooth data migration solution
- Down the Wire recovery by delivering a managed system recovery and backup solution
- Life cycle ends with data removal by delivering a Secure Data Disposal solution
- Additional solutions for security, deployment, management, support, wireless and more.
Many organizations will relate to Figure 1-3 in the times for each part of the processes defined. Implementation of the ThinkVantage Technologies will reduce cost and offer opportunities for companies as illustrated below.
Figure 1-3 (figure; only its labels survived extraction): End-User Responsibility, 1-12h, generates help desk calls; Image Creation Team, 1-3 days for an update or 3-4 weeks for a complex image with 2-3 IT resources, or 1 day - 1 week with 1-2 IT resources; Help Desk/Desk-Side Resources need allocated funds, the cost of doing business; process stages: Backup/Recovery, Image Creation, Management and Test, Migrate Data and Application Settings, Remote Support, Software Updates, Inventory, Deploy Image, Install Client, Cascading Disposal.
the tools mentioned in the chart below. Many of the tools have optional training and can be learned through the use of this Redbook or existing product documentation.
Table 1-1 Implementing ThinkVantage Technologies (columns: IBM PCD Tool; People needed to implement; Training needed; rows for Network Deployment, Migration, Recovery, AssetID and Disposal, with training effort rated Low, Med or High). Entries that survived extraction: Software Delivery Assistant (SDA) and Rapid Deployment Manager (RDM); staffing of 2-5 skilled administrators for a large enterprise (LE) company and 1 skilled administrator for a small/medium business (SMB) company, or 1-3 skilled administrators for LE and 1 skilled administrator for SMB; training: Yes, required 2 day training.
Note: The scale is relative to the other TVT Uptime and Migration Tools and not a measure of good, average and poor.
Chapter 2. Rapid Restore Ultra
user a way to prevent unwanted files from being backed up, thereby reducing the backup image size and enabling the backup to be performed more quickly. Save backups to the IBM portable USB 2.0 hard drive - Rapid Restore Ultra can also save backups on an IBM USB hard drive, making backup protection more robust and giving the user the capability to restore the system in case of hard disk failure. Only IBM USB hard drives are supported.
Figure 2-1 (figure; labels as shown in the image): Base level: Base Image (A0). Cumulative level: Cumulative (B), Most recent (C). Each most recent image replaces the previous most recent image.
There is one base backup image, known as A0. A0 is created during the Rapid Restore Ultra install and becomes the foundation for later levels of backups, known as incremental backup images. Incremental backups are user-initiated backups and/or scheduled backups taken in Windows mode. For incremental backups to work, the base image A0 must be uniquely created on each target PC; the A0 image is unique to each machine. For IT administrator use, Rapid Restore Ultra also gives the option of creating two unique Administrator images, known as A1 and A2. These images are similar to the base backup image except that they do not support incremental backups.
The normal installation of Rapid Restore Ultra uses only one base image (A0) and successive incremental backups (a combination of B and C images). This is represented graphically in Figure 2-2.
Figure 2-2 (figure; timeline as labelled in the image): Installation at T0: Base Image (A0). Backup #1 at T1: Base Image (A0), Cumulative (B) V1. Backup #2 at T2: Base Image (A0), Cumulative (B) V1, Most recent (C) V1.1. Backup #3 at T3: Base Image (A0), Cumulative (B) V1, Most recent (C) V1.2. Backup #4 at T4: Base Image (A0), Cumulative (B) V2. Backup #5 at T5: Base Image (A0), Cumulative (B) V2, Most recent (C) V2.1, and so on over time.
Figure 2-2 How backups are managed over time for ThresholdCBackupCnt value of 2
Figure 2-2 shows the base image (A0) created during the Rapid Restore Ultra install. A0 never changes unless it is forced to. Retaking A0 is supported but is not part of the normal operation of Rapid Restore Ultra. Details on retaking the A0 backup are described later in How to reset the A0 backup on page 57. Scheduled backups or user-initiated backups are incremental in nature because they only store the differences between successive backup levels. The steps below sketch how incremental backups proceed after the creation of the A0 image.
1. Create (replace if already present) the Cumulative (B) backup.
2. Create (replace if already present) the Most Recent (C) backup.
3. Repeat step 2 until the Most Recent (C) backup has been updated (including creation) n times.
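The rotation in these three steps can be traced with a short simulation. This is an added example, not code from the Redbook or from Rapid Restore Ultra; it models one A0/B/C set with a configurable ThresholdCBackupCnt (the n above), treats a value of 0 as "reset B on demand only" as Table 2-5 states, and reproduces the sequence Figure 2-2 shows for a value of 2.

```python
"""Simulation of the Rapid Restore Ultra backup levels A0 (base), B (cumulative)
and C (most recent).  Constructed example: it models the rotation described for
Figure 2-2 and is not code from the Redbook or from the product."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class BackupSet:
    base: str                            # A0: created at install, never changes
    cumulative: Optional[str] = None     # B: replaced after n updates of C
    most_recent: Optional[str] = None    # C: replaced on every other backup
    c_updates: int = 0                   # updates of C since B was last taken
    log: List[str] = field(default_factory=list)


def install(snapshot: str) -> BackupSet:
    """The Rapid Restore Ultra install creates only the base image A0."""
    s = BackupSet(base=snapshot)
    s.log.append(f"install: A0={snapshot}")
    return s


def reset_cumulative(s: BackupSet, snapshot: str) -> None:
    """Step 1: create (or replace) the Cumulative (B) backup.

    Figure 2-2 shows for Backup #4 that the previous Most Recent (C) image
    disappears once B is retaken, so C is cleared here as well.
    """
    s.cumulative = snapshot
    s.most_recent = None
    s.c_updates = 0
    s.log.append(f"{snapshot}: B replaced")


def incremental_backup(s: BackupSet, snapshot: str, threshold: int) -> BackupSet:
    """One scheduled or user-initiated backup, following the three steps in the text.

    threshold is ThresholdCBackupCnt: the number of times C is updated
    (creation included) before B is replaced again.  A threshold of 0 means
    B is only ever reset on demand (reset_cumulative), as in Table 2-5.
    """
    if s.cumulative is None or (threshold > 0 and s.c_updates >= threshold):
        reset_cumulative(s, snapshot)
    else:
        # Steps 2-3: create (or replace) the Most Recent (C) backup.
        s.most_recent = snapshot
        s.c_updates += 1
        s.log.append(f"{snapshot}: C replaced ({s.c_updates}/{threshold})")
    return s


def restore_points(s: BackupSet) -> List[str]:
    """Restore choices as the F11 recovery menu lists them (Figure 2-19)."""
    points = [f"Base ({s.base})"]
    if s.cumulative:
        points.append(f"Cumulative ({s.cumulative})")
    if s.most_recent:
        points.append(f"Most Recent ({s.most_recent})")
    return points


def simulate(threshold: int, count: int) -> List[List[str]]:
    """Install at T0, run `count` incremental backups at T1..Tn and return the
    restore points available after each one."""
    s = install("T0")
    result: List[List[str]] = []
    for i in range(1, count + 1):
        incremental_backup(s, f"T{i}", threshold)
        result.append(restore_points(s))
    return result


if __name__ == "__main__":
    for n, points in enumerate(simulate(2, 5), start=1):
        print(f"Backup #{n}: " + ", ".join(points))
```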
The following table lists all the IBM computers supported by Rapid Restore Ultra at the time this book was published.
Table 2-1 IBM computers supported by Rapid Restore Ultra (System: Type)
ThinkCentre A30: 2296, 8191, 8198, 8199, 8316, 8434
ThinkCentre A50: 8320, 8419
ThinkCentre A50p: 8192, 8193, 8194, 8195, 8196, 8197, 8432, 8433
ThinkCentre M50: 8185, 8186, 8187, 8188, 8189, 8190, 8413, 8414, 8415
ThinkCentre S50: 8183, 8184, 8416, 8417, 8418
ThinkPad: A20m, A20p, A21e, A21m, A21p, A22e, A22m, A22p, A30, A30p, A31, A31p, G40, R30, R31, R32, R40, R40e, S30, T20, T21, T22, T23, T30, T40, T40p, X21, X22, X23, X24, X30, X31, TransNote
NetVista: 2169, 2194, 2196, 2197, 2251, 2254, 2255, 2256, 2257, 2271, 2275, 2289, 2292, 6018, 6058, 6059, 6266, 6269, 6270, 6276, 6279, 6280, 6286, 6336, 6337, 6339, 6341, 6342, 6343, 6345, 6346, 6347, 6348, 6349, 6350, 6568, 6569, 6578, 6579, 6599, 6647, 6648, 6649, 6650, 6790, 6791, 6792, 6793, 6794, 6795, 6822, 6823, 6824, 6825, 6826, 6830, 6831, 6832, 6833, 6837, 6838, 6840, 6841, 6842, 6847, 6848, 6881, 8181, 8182, 8301, 8303, 8304, 8305, 8306, 8307, 8308, 8309, 8310, 8311, 8312, 8313, 8314, 8315, 8317, 8318, 8319
Further type groups listed in the table whose system names did not survive extraction: 2169, 6344, 6345; 6272; 6562, 6565, 6584, 6592, 6594, 6862, 6871, 6872, 6890, 6892; 6588
It is recommended that you download the latest version of Rapid Restore Ultra from the IBM website. You can download it from
http://www.ibm.com/pc/support/site.wss/MIGR-4Q2QAK.html
installation will abort on systems having an extended partition. SCSI drives are not supported.
- 20-40 percent of the hard disk space is available - Rapid Restore Ultra will use this space for storing all backups during the life cycle of the system.
- No third-party boot manager is installed - Rapid Restore Ultra will install a boot manager that enables the F11 interface during system startup. Any pre-existing boot manager will be overwritten. Rapid Restore Ultra cannot be used in conjunction with any other backup or utility software that modifies the Master Boot Record (MBR). Software that modifies the MBR might render Rapid Restore backups inaccessible for restoration. Such software includes, but is not limited to, Roxio GoBack, VCOM System Commander, Novell ZENworks and PowerQuest BootMagic.
- Supported operating systems - Rapid Restore Ultra is compatible with the following non-server operating systems: Microsoft Windows XP; Microsoft Windows 2000 Professional.
- Installation time - Installation time will differ from system to system. The install time depends on the initial backup time, which is proportional to the amount of hard disk data being backed up.
- USB drive backup support - Only IBM USB hard disk drives can be used for the optional USB backup feature that IBM Rapid Restore Ultra provides.
Note: The steps shown below may vary when you do an install on your system, depending on the system configuration at the time of installation and the options you choose during installation.
1. Download the installable program from the IBM website (see the beginning of 2.2, Installing Rapid Restore Ultra on page 15). Execute the installable program. If you are installing on a non-IBM computer, the install process aborts with an error message as shown in Figure 2-3. You will need to buy a license to run Xpoint Rapid Restore on non-IBM systems. Visit Xpoint at http://www.xpoint.com for more details about purchasing Xpoint Rapid Restore for non-IBM systems.
2. The first window you see during installation gives an introduction to Rapid Restore Ultra. Read the information and click Next.
3. The next window gives the approximate time that the install and initial backup will take. Click Next.
Each backup option is described briefly as follows:
Backup to Primary Hard Drive Only - The Backup to Primary Hard Drive Only option configures Rapid Restore Ultra to store backups on your primary hard drive by creating a service partition on the hard disk. This enables the recovery of the primary hard disk from its own service partition. You can change this option later (refer to 2.2.3, Enabling backup support on a USB drive after install on page 23).
Backup to Both Drives - The Backup to Both Drives option configures Rapid Restore Ultra to store backups on both your primary hard disk drive and a USB drive. Choosing this option enables you to recover your system from either the primary hard disk's service partition or the USB drive's service partition. For every backup operation, Rapid Restore Ultra ensures that the backup data on the USB drive is in sync with that of the primary hard disk. In the event your USB drive was not attached to the system at backup time, the USB drive is automatically synchronized the next time you connect it to your system. There are several reasons why you may want to incorporate two storage devices in your backup strategy. One reason for doing so is the added protection inherent in a redundant backup strategy. For example, if one of your backup devices is not available (for example, damaged or stolen) you can still restore from the other storage device. We will select this option for further description of our installation process in this section.
Backup to USB Drive Only - Selecting the Backup to USB Drive Only option configures Rapid Restore Ultra to store backup data on the IBM USB drive only. The USB Drive Only option is useful in scenarios where there is not enough space on your primary hard disk to store backup data. When this option is chosen, a service partition is created on the USB drive to store all the backup data. However, a thin partition still gets created on your primary hard disk to store some necessary pre-operating system programs and data files.
Note: The restore operation from a USB drive will take longer than from a standard hard disk drive, since USB drives are slower than standard hard disks. If you select the Backup to Both Drives or Backup to USB Drive Only option and later decide to change, you will need to uninstall and then reinstall Rapid Restore Ultra.
5. This dialog (Figure 2-5) appears if a USB drive is included in the backup strategy. Click OK.
Figure 2-5 Message displayed before resizing USB drives existing partition
6. In the next screen (Figure 2-6), you select the backup option Ongoing or One-time protection. These options are described as follows:
Ongoing protection (recommended) - The Ongoing protection option allows you to have multiple backup images, that is, the base backup image and the incremental backups. Refer to for different image types. This option reserves 20 to 40% of hard disk space to accommodate the base backup image and incremental backups.
One-time protection - The One-time protection option reserves hard drive space for the creation of only one backup level, that is, the base backup image. However, if you later make incremental backups, the service partition is resized to accommodate the new backups.
7. A startup diskette must be created if the system has no prior service partition or Hidden Protected Area (see 2.1.3, Rapid Restore Ultra components on page 15 for information on the HPA). The floppy disk drive must be attached to the system prior to the start of installation.
8. After the startup diskette is created, reboot from the startup diskette to create a service partition in DOS mode. On creation of the service partition, you will see a message that reads Partitioning is complete. Remove the diskette and press any key to restart the system.
9. On restart, the operating system processes the new partition and reboots. At this time the base backup image is created in DOS mode (Figure 2-8).
Figure 2-8 (DOS-mode screen; text as shown in the image): IBM Rapid Restore Ultra - Backup. "This process requires a substantial amount of time. Connect your mobile computer to an AC power supply. Do not turn off your computer during the restore process; however, if you do lose power, restart the restore process." Progress: 50%. powered by Xpoint.
10. After the base backup is done, the system boots back into Windows. A message as shown in Figure 2-9 is displayed, indicating that Rapid Restore is successfully installed. (If the USB drive is also included in the backup strategy, the creation of the service partition on the USB drive and its synchronization happen at this stage.)
You can exclude some files from being a part of the new backup. To do that, click Exclude Files button (bottom left corner in Figure 2-10).
2. You can only exclude files that were not included in previous backups (filenames having grey checkboxes as shown in Figure 2-11 indicate that they are already included in base backup or previous incremental backup).
In Figure 2-11 we have selected three files for exclusion. Though they are not large files, we have selected them to illustrate the process. Excluding large, unimportant files helps to reduce backup image size and the backup process time. For example, you might consider excluding your Lotus Notes local database replicas since they are always available on the Lotus Notes server. Click Next to continue.
Note: Incremental backup requires that system windows such as Windows Explorer, Internet Explorer or the My Computer window be closed before the backup can start. You will be prompted to close them if they are open.
4. On completion, you will see a message as shown in Figure 2-13.
If the USB drive is also part of the backup strategy, backup synchronization on the USB drive will be initiated at this stage (Figure 2-14).
Figure 2-14 Synchronizing service partition on USB drive with primary hard disk backup
Scheduling backups
The schedule feature enables automated backups to take place on a daily, weekly or monthly basis at a day and time of your choosing. Weekly scheduled backups are enabled by default. To change the schedule:
1. Open the Rapid Restore console by selecting the Start -> Programs -> Access IBM -> IBM Rapid Restore Ultra menu sequence.
2. Select Backup -> Schedule Your Backups from the menu. You will see the screen shown in Figure 2-15. You can configure the frequency and schedule time of the automated backups.
You can also disable scheduled backups by selecting the Off radio button.
Note: Scheduled backups will not take place if your computer is powered off (shut down) or in sleep mode (standby) when a backup operation is scheduled to take place. Instead, when you start or wake your computer, Rapid Restore Ultra prompts you to begin the missed backup operation at that time.
Archiving backups
Rapid Restore Ultra enables you to create a set of recovery CDs which you can use to recover your system in events like hard disk failures. The system should have a CD-Read/Write drive. Rapid Restore Ultra supports only CD-R media for archive (CD-RW media is not supported because it is more susceptible to data loss or accidental erasure). To start an archive operation:
1. Open the Rapid Restore console by selecting the Start -> Programs -> Access IBM -> IBM Rapid Restore Ultra menu sequence. Select Backup -> Archive Your Backups from the menu. You will see a window as shown in Figure 2-16.
Note: If the menu item Archive your backups is grayed out (not enabled), then either the CD-writable drive is not present in your system or it is not properly configured. Note that USB and FireWire CD drives are not supported.
2. Follow the on-screen instructions to complete the archive process.
b. Restore in Windows mode
2. Restore from an IBM USB drive
3. Restore from a set of archive CDs.
4. Select the backup state you want to revert to based on date and time of backups listed. Click OK to continue. 5. At this stage, you are given the option to continue or cancel the restore operation. This is the last chance to cancel the restore operation. All the data that was created since the selected backup will be lost. A warning window will be displayed (Figure 2-18).
6. After a reboot, the restoration operation will proceed. Restore operations are full image restore operations in the sense that first the base backup image is restored (in DOS mode) and then the incremental backup data is restored (in Windows mode).
2. When the Rapid Restore Ultra recovery menu displays (Figure 2-19), use the arrow keys to highlight the desired recovery option and press the Enter key to proceed with the restore operation.
Figure 2-19 (DOS-mode screen; text as shown in the image): IBM Rapid Restore Ultra - Restore. Please choose which backup to restore: 2003/7/18 11:09 Base Backup; 7/18/2003 at 11:16 Cumulative Backup; 7/18/2003 at 11:19 Most Recent Backup. "This process requires a substantial amount of time. Connect your mobile computer to an AC power supply before continuing." Progress: 0%. ESC = reboot, ENTER = Select.
Confirmation screen (DOS mode; text as shown in the image): Yes / No. ESC = reboot, ENTER = Select.
4. Rapid Restore Ultra restoration progress will be displayed as shown in Figure 2-21.
Figure 2-21 (DOS-mode screen; text as shown in the image): IBM Rapid Restore Ultra - Restore. "This process requires a substantial amount of time. Connect your mobile computer to an AC power supply. Do not turn off your computer during the restore process; however, if you do lose power, restart the restore process." Progress: 27%. powered by Xpoint.
5. After the base backup is restored in DOS mode, the system boots back into Windows.
6. If an incremental backup restore was part of the restore image, it happens now.
3. Boot from CD: If the system to be recovered does not have a floppy drive but has a CD drive, you can create a bootable CD that makes the USB drive accessible in pre-OS mode. To create such a boot CD, follow these steps:
a. Open Start -> Programs -> Access IBM -> IBM Rapid Restore media creator on a system that has Rapid Restore Ultra installed.
b. Select the Boot from CD tab (Figure 2-23). Use the specified ISO image to create a bootable CD.
4. You can view the restoration's completion percentage on the on-screen progress bar. Depending on the size of your service partition archive, you may at some point during the restoration process be prompted to insert CD Volume 2, CD Volume 3, and so on.
3. Click the Single_File_Restore icon shown in the right pane of the window. You will see subfolders like:
Drive(C)_Cumulative_Backup_xx_xx_xx_At_xx_xxxx
Drive(C)_Most_Recent_Backup_xx_xx_xx_At_xx_xxxx
(where xx_xx_xx_At_xx_xxxx is the date and time the backup image was created or last updated)
4. Locate the file that needs to be restored by exploring these subfolders.
5. Right-click the selected file and click Restore (Figure 2-25). The restore process restores the file to the same location from which it was backed up. If that path no longer exists, it creates the folder path and restores the file into it.
Figure 2-25 Selecting the file to be restored from Single File Restore window
Note: For migration, the new hard disk drive must be larger in capacity than the first disk drive. To migrate your data, follow this process:
1. Initiate a manual backup operation (refer to Procedure to initiate a manual backup on page 24) on your current hard drive to ensure the backup is the latest.
2. When the backup procedure is complete, attach the second hard disk drive to the computer.
3. From the Windows desktop, click Start -> Run.
4. Run c:\program files\xpoint\pe\skin\migrate.exe.
5. While the migration is taking place, a progress bar is displayed. When the migration is complete, the progress bar disappears. There is no other indication that the migration process is complete.
6. Start the computer from the second hard drive. The DOS-based recovery menu is displayed.
7. Select the backup that you want to restore and proceed.
Note: Quite often during uninstall the window shown in Figure 2-26 may get hidden under other application windows (for example: Control Panel window). In such case, press Alt+Tab keys to switch between windows and select the Rapid Restore Ultra icon to get to this dialog box.
1. Run the executable. When you see the screen prompting for location to save files (Figure 2-27), select the directory where you would like to extract the install files. This location will be referred to as <custom location> from here on in this redbook. Click Next to continue.
Figure 2-27 Screen prompt to enter the location for saving extracted files
2. After a couple of message screens, you will see the license agreement dialog box (Figure 2-28). Select No to close this window and click the Yes button when asked to confirm quitting setup. The extracted install files will remain in the <custom location> path.
The following sub-sections describe the custom settings that can be done in each of these configuration files.
1. If you would like to disable the ability of an end user to do Single File Restore (restore individual files), add the option EnableSingleFileRestore to the file \rrpc\PCREC.TXT as follows:
EnableSingleFileRestore=1 - Allows Single File Restore to function (this is the default even when the EnableSingleFileRestore entry does not exist)
EnableSingleFileRestore=0 - Disables Single File Restore. Note that this will not remove the Single File Restore icon from My Computer. If an end user tries to open this icon, no files (a blank window) will be displayed.
2. Configuration of the IBM_SERVICE partition is controlled by three keys in \rrpc\PCREC.TXT. The first two, PEMinStor and PEMaxStor, define how much hard disk space is reserved for the IBM_SERVICE partition. The third key, SP_PSA, affects the resizing capability of the IBM_SERVICE partition as illustrated in Table 2-2. For ongoing backups in Rapid Restore Ultra, specify an SP_PSA value of 0 or 1. For one-time backup, specify an SP_PSA value of 2 or 3. See page 20 for more information on ongoing and one-time backups.
Table 2-2 SP_PSA value options
SP_PSA=0: The IBM_SERVICE partition will be sized based on the value of PEMinStor. If the IBM_SERVICE partition becomes full, it will be resized to the value of PEMaxStor.
SP_PSA=1: The IBM_SERVICE partition will be sized based on the value of PEMaxStor. If the IBM_SERVICE partition becomes full, no resizing will occur since it is already at its maximum size.
SP_PSA=2: The IBM_SERVICE partition will be sized based on the estimated size needed for the base backup created during the install. The IBM_SERVICE partition will not resize if it becomes full.
SP_PSA=3: This behaves the same as SP_PSA=2 except that extra space will be added to the IBM_SERVICE partition based on the value of SP_Xfactor. The SP_Xfactor option can be set to specify the size of the extra space in bytes.
PEMinStor and PEMaxStor represent the minimum and maximum percentage of the hard disk space that will be used for the IBM_SERVICE partition. The valid range for each of these keys is 10%-40%. Note that the value of PEMinStor must not be larger than the value of PEMaxStor. The best way to understand these settings is to look at a couple of scenarios, shown in Table 2-3.
Table 2-3 Example IBM_SERVICE partition configuration settings (columns: SP_PSA, PEMaxStor, PEMinStor; Behavior of IBM_SERVICE partition)
Scenario 1 (SP_PSA=0, PEMinStor=20, PEMaxStor=40): During the installation of Rapid Restore, the IBM_SERVICE partition will be sized to 20% of the HDD. During the life cycle of the PC, if the IBM_SERVICE partition becomes full, the application will prompt the user that the IBM_SERVICE partition needs to be resized. The system will then resize the IBM_SERVICE partition to 40% of the HDD.
Scenario 2: During the installation of Rapid Restore, the IBM_SERVICE partition will be sized to 39% of the HDD. During the life cycle of the PC, if the IBM_SERVICE partition becomes full, the application will not resize the partition since it is already at its maximum size.
Scenario 3: During the installation of Rapid Restore, the space needed to store the base backup is calculated. The size of the IBM_SERVICE partition will be based on this calculation. This setting of SP_PSA will not prevent incremental backups, but if the IBM_SERVICE partition becomes full it will not resize.
3. You can set the backup schedule by configuring the value of the BackupSchedule key. This key value can also be modified later, after installation (either through the GUI or via the command line). Refer to Modifications to pcrec.ini on page 56 for information on how to modify this value after installation. The format of the BackupSchedule value is defined in Table 2-4 below.
Table 2-4 Backup schedule settings (Frequency: Format)
Monthly: 1500000 00 dd 0000 0 hh mm 0000000000 000000000000000
Weekly: 1400000 00 00 0000 w hh mm 0000000000 000000000000000
Daily: 1300000 00 00 0000 0 hh mm 0000000000 000000000000000
On demand: 1100000 00 00 0000 0 00 00 0000000000 000000000000000
where:
dd = Day of the month, 2 digits (01-28). To run at the end of each month, set the value to 35.
w = Day of the week, single digit (0 = Sunday, 1 = Monday, etc.).
hh = Hour of the day in 24-hour format, 2 digits (00-23).
mm = Minute of the hour, 2 digits (00-59).
4. To control how many times the Most Recent (type C) backup gets reset before the Cumulative (type B) backup is reset, modify the key ThresholdCBackupCnt. The default value is 7. For information on the different types of backups, see 2.1.2, Rapid Restore Ultra backup methodology on page 13.
Table 2-5 ThresholdCBackupCnt value (ThresholdCBackupCnt: Backup behavior)
ThresholdCBackupCnt=0: The Cumulative backup will be reset on demand only. This is done from the command line with the command: c:\program files\xpoint\pe\f11exec /bb /gui
5. On some systems it may be desirable to reduce the priority of the Rapid Restore process so as to give other processes enough system resources. The keys for this setting are BackupThrottleSleep and BackupThrottlePriority. These settings can also be modified after installation. Refer to Modifications to pcrec.ini on page 56 for information on how to modify them after installation.
a. BackupThrottleSleep=n - n is an integer between 0 and 3000 that represents the number of milliseconds for which the backup engine will yield the CPU to other processes. The backup engine yields to other processes for n milliseconds after every 10 MB of data is backed up.
b. Table 2-6 below describes the effect of the BackupThrottlePriority key values.
Table 2-6 BackupThrottlePriority value (BackupThrottlePriority: Effect)
BackupThrottlePriority=0: Normal priority
BackupThrottlePriority=-1: Yield to normal processes
BackupThrottlePriority=-2: Only active if no other process is running
6. It may be desirable to suppress the congratulations message box at the end of the install process. To suppress the congratulations message box, add the key HIDE_CONGRAT=1 to the file \rrpc\PCREC.TXT. However, one must be careful when specifying this option because the congratulations message is the only visible indicator for the user that the installation has completed. If the install is not allowed to complete properly, Rapid Restore Ultra may behave abnormally.
7. If you have upgraded the system from Rapid Restore PC 2.6 to Rapid Restore Ultra, you may decide to have a Cumulative backup (type B) occur automatically after the upgrade. Adding the key CumulativeAfterOverinstall=1 to the file \rrpc\PCREC.TXT will cause this to happen. This option should only be used when upgrading from Rapid Restore PC 2.6 to Rapid Restore Ultra.
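A mis-typed PCREC.TXT is only noticed when the install or the first backup misbehaves, so checking the file before it goes into a deployment package is worthwhile. The following validator is an added example, not code from the Redbook or from the product: it parses a constructed \rrpc\PCREC.TXT, checks the keys from items 1 to 7 against the ranges given above, and decodes a BackupSchedule value according to the Table 2-4 layout. Everything the text does not state (a file of plain key=value lines, the sample values) is an assumption.

```python
"""Validator for the \\rrpc\\PCREC.TXT keys discussed in this section.

Constructed example: the key names and value ranges are taken from the text;
the parser, the check logic and the sample file are not from the Redbook or
from the product.  Assumption: the file consists of plain key=value lines."""
import re
from typing import Dict, List, Optional, Tuple

# Leading field of a BackupSchedule value, by frequency (Table 2-4).
SCHEDULE_PREFIX = {"1500000": "Monthly", "1400000": "Weekly",
                   "1300000": "Daily", "1100000": "On demand"}
# Layout from Table 2-4: prefix 00 dd 0000 w hh mm <10 zeros> <15 zeros>
SCHEDULE_RE = re.compile(r"^(\d{7}) 00 (\d{2}) 0000 (\d) (\d{2}) (\d{2}) 0{10} 0{15}$")

# Constructed sample file (not a file shipped with the product).
SAMPLE_PCREC = """EnableSingleFileRestore=0
SP_PSA=0
PEMinStor=20
PEMaxStor=40
BackupSchedule=1400000 00 00 0000 5 22 30 0000000000 000000000000000
ThresholdCBackupCnt=7
BackupThrottleSleep=500
BackupThrottlePriority=-1
"""


def parse_pcrec(text: str) -> Dict[str, str]:
    """Collect key=value pairs; lines without '=' are ignored (assumption)."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        if "=" in raw:
            key, _, value = raw.partition("=")
            settings[key.strip()] = value.strip()
    return settings


def decode_schedule(value: str) -> Tuple[str, Dict[str, int]]:
    """Return (frequency, {dd, w, hh, mm}); raise ValueError if the value is malformed."""
    m = SCHEDULE_RE.match(value)
    if not m:
        raise ValueError("value does not match the Table 2-4 layout")
    prefix, dd, w, hh, mm = m.groups()
    if prefix not in SCHEDULE_PREFIX:
        raise ValueError(f"unknown frequency prefix {prefix}")
    freq = SCHEDULE_PREFIX[prefix]
    fields = {"dd": int(dd), "w": int(w), "hh": int(hh), "mm": int(mm)}
    if freq == "Monthly" and not (1 <= fields["dd"] <= 28 or fields["dd"] == 35):
        raise ValueError("dd must be 01-28, or 35 for the end of each month")
    if freq == "Weekly" and not 0 <= fields["w"] <= 6:
        raise ValueError("w must be 0 (Sunday) to 6 (Saturday)")
    if not (0 <= fields["hh"] <= 23 and 0 <= fields["mm"] <= 59):
        raise ValueError("hh must be 00-23 and mm must be 00-59")
    return freq, fields


def check_pcrec(settings: Dict[str, str]) -> List[str]:
    """Return the problems found; an empty list means the keys are consistent."""
    problems: List[str] = []

    def as_int(key: str) -> Optional[int]:
        # Keys that are absent keep the product default and are not checked.
        if key not in settings:
            return None
        try:
            return int(settings[key])
        except ValueError:
            problems.append(f"{key}={settings[key]} is not an integer")
            return None

    sp_psa = as_int("SP_PSA")
    if sp_psa is not None and sp_psa not in (0, 1, 2, 3):
        problems.append("SP_PSA must be 0, 1, 2 or 3 (Table 2-2)")
    pe_min, pe_max = as_int("PEMinStor"), as_int("PEMaxStor")
    for key, val in (("PEMinStor", pe_min), ("PEMaxStor", pe_max)):
        if val is not None and not 10 <= val <= 40:
            problems.append(f"{key}={val} is outside the valid range of 10-40 percent")
    if pe_min is not None and pe_max is not None and pe_min > pe_max:
        problems.append("PEMinStor must not be larger than PEMaxStor")
    for key, allowed in (("EnableSingleFileRestore", (0, 1)),
                         ("BackupThrottlePriority", (0, -1, -2))):
        val = as_int(key)
        if val is not None and val not in allowed:
            problems.append(f"{key}={val} is not one of {allowed}")
    sleep = as_int("BackupThrottleSleep")
    if sleep is not None and not 0 <= sleep <= 3000:
        problems.append("BackupThrottleSleep must be 0-3000 milliseconds")
    threshold = as_int("ThresholdCBackupCnt")
    if threshold is not None and threshold < 0:
        problems.append("ThresholdCBackupCnt must not be negative")
    if "BackupSchedule" in settings:
        try:
            decode_schedule(settings["BackupSchedule"])
        except ValueError as exc:
            problems.append(f"BackupSchedule: {exc}")
    return problems


if __name__ == "__main__":
    cfg = parse_pcrec(SAMPLE_PCREC)
    print("problems:", check_pcrec(cfg) or "none")
    print("schedule:", decode_schedule(cfg["BackupSchedule"]))
```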
The files excluded by file type will not be shown as excluded in the Rapid Restore exclude list in the GUI. Also, one must be careful when excluding files by file type. For example, excluding JPG files would break applications such as Access IBM after restore. Similarly, any important file whose file type is excluded will not be backed up and will be lost on restore.
3. If you plan to create Administrator images (A1, A2 as shown in Figure 2-1 on page 13), you also have the option to hide these images from appearing in the Rapid Restore restore GUI. However, these images will remain visible in the F11 restore console.
To hide the Administrator images from the GUI, modify the HideLEImages key in the [RapidRestore] section of the file \rrpcgui\RR.INI:
HideLEImages=0 - Administrator images will be displayed in the GUI (default)
HideLEImages=1 - Administrator images will not be displayed in the GUI
4. You can limit which users can access the Windows Rapid Restore GUI. Rapid Restore Ultra provides a method to specify one Windows group that can access the GUI. To specify the group that you would like to grant access to the RRU GUI, add the key GUIGroup=<group name> to the [RapidRestore] section of \rrpcgui\RR.INI. This key can only be used if the RunAsService option in the file \INSTALL.INI was set to 1 before the Rapid Restore install (see Custom settings in \INSTALL.INI on page 43). If you want to hide the GUI from all users, add the line GUIGroup=none (this assumes none is not a valid group on the system). If you want the Users group to have access to the GUI, add the line GUIGroup=Users. If the GUIGroup setting is not defined, all users on the system will have access to the Rapid Restore GUI.
Note: bmgr32.exe can be found in a folder or one of the subfolders at <custom location>, where you have stored the Rapid Restore custom install files (see 2.4.1, Obtaining the Rapid Restore Ultra for custom install on page 40).
If the system does not have an IBM_SERVICE partition or Hidden Protected Area, there are two methods to create an IBM_SERVICE partition. The first method is to create a boot diskette (or make a bootable CD from the created boot diskette) and physically boot each system with the diskette/CD to create the IBM_SERVICE partition.
1. Boot diskette method to create the IBM_SERVICE partition:
a. You will need a donor system that has Rapid Restore Ultra installed. Unzip the contents of SPCreate.zip (see Appendix B, Additional material on page 215) into a temporary directory on that system.
b. Open a command window and change to that temporary directory. From this location, type the following command in the command prompt window: make <fdd> where <fdd> is replaced with the drive letter of your floppy disk drive.
c. When the USB boot media creator window opens, select the Boot From Diskette tab and then click Create Boot Diskette as shown in Figure 2-29. A Windows message box stating that the diskette was created will be displayed. Do not remove the diskette at this point. Wait until you are prompted to do so in the DOS command prompt window (when the make batch file returns control to the command prompt shell).
d. To create the IBM_SERVICE partition, boot from this diskette. The service partition is created with a size of about 305 MB. During installation, Rapid Restore Ultra will resize it as required.
2. The second method is to create an IBM_SERVICE partition (using the diskette method discussed above) on the donor system that will be used for the image build. Rapid Restore Ultra install through image deployment on page 52 discusses deploying Rapid Restore Ultra through an image in detail.
3. Create an IBM_SERVICE partition using the diskette method (see Creation of an IBM_SERVICE partition on page 49). 4. Sysprep Windows and shutdown the system. Do not boot back to Windows or you will need to run sysprep again. 5. Create an image of the entire HDD as described in Requirements for imaging with Rapid Restore Ultra on page 55. 6. After deployment of this image on end user systems, the user can complete the installation of Rapid Restore by initiating the second stage install. To initiate the second stage install, users will have to either run the program c:\program files\xpoint\pe\regpe.exe or just click Start -> Programs -> Access IBM -> IBM Rapid Restore Ultra.
6. Power on the system and press F11. When the Rapid Restore recovery menu is displayed, press F3 to exit to a DOS command line.
7. Capture a new base backup image A0 with the command:
lastboot.exe /I /NR
Important note: This command will not insert the proper entries in the image to allow a restore of an incremental backup and should not be used in any situation other than this one.
8. When the image process is complete, power down the system. Create an image of the entire HDD as described in Requirements for imaging with Rapid Restore Ultra on page 55. This image is your deployment image.

Attention: In this scenario, the base backup (A0) is a sysprep image. Rapid Restore Ultra does not support incremental backups if A0 is a sysprep image. For more details see 2.4.5, Rapid Restore Ultra considerations for IT Administrators on page 57.
Remote install
Remote installation can be done provided the client system has a valid IBM_SERVICE partition (or Hidden Protected Area). Refer to Creation of an IBM_SERVICE partition on page 49. Following are the steps to proceed with a remote install:
1. Customize the Rapid Restore settings files (see 2.4.2, Customizing Rapid Restore install options on page 42) as needed.
2. Prepare the Rapid Restore install package for silent install (refer to Silent install settings on page 48).
3. Package the Rapid Restore install files into the delivery package as per your deployment tool requirements. Silent install settings on page 48 describes the command to launch Rapid Restore setup (typically it is executing the command setup.exe -s to start the installation process).
An example of remote install using IBM Director is illustrated in 5.4, Integrating Rapid Restore Ultra with IBM Director on page 189.
2. X:\PQ\RRDEPLY.TXT

Example 2-3 Script file: X:\PQ\RRDEPLY.TXT
SELECT DRIVE 1           <-- Selects 1st HDD
DELETE ALL               <-- Deletes all the partitions
SELECT FREESPACE FIRST   <-- Selects 1st free space
SELECT IMAGE ALL         <-- Selects all partitions in image
RESTORE                  <-- Restore image
Image creation
To initiate the image creation process, use the following command:
X:\PQ\PQIMGCTR /CMD=X:\PQ\RRUSAVE.TXT /MBI=1 /IMG=X:\IMAGE.PQI
where
X:\PQ\PQIMGCTR           <-- Image creation program
/CMD=X:\PQ\RRUSAVE.TXT   <-- PowerQuest script file
/MBI=1                   <-- Capture the RRU boot manager
/IMG=X:\IMAGE.PQI        <-- Image file

Image deployment
For image deployment, use the following command:
X:\PQ\PQIMGCTR /CMD=X:\PQ\RRDEPLY.TXT /MBR=1 /IMG=X:\IMAGE.PQI
where
X:\PQ\PQIMGCTR           <-- Image creation program
/CMD=X:\PQ\RRDEPLY.TXT   <-- PowerQuest script file
Modifications to pcrec.ini
There are several settings that can be modified after the installation of Rapid Restore on an end user system. Modifying pcrec.ini requires special attention because the master copy of pcrec.ini resides in the Master Boot Record (MBR). The high level flow for making these changes is as follows:
1. Fetch the pcrec.ini file from the MBR.
2. Edit the pcrec.ini file and save it.
3. Push the pcrec.ini file back to the MBR.
This process can be automated with DOS batch files. The following example gives the process flow for batch file creation (assuming that it runs from the directory c:\program files\xpoint\pe and the user has administrative privilege).
Example 2-4 Batch file flow to modify PCREC.INI
::---------Step 1) Fetch the PCREC.INI file from MBR---------
start /WAIT pcrecsa bini -fetch
::---------Step 2) Modify the PCREC.INI file-----------------
:: Edit the file pcrec.ini here....
::---------Step 3) Write back the PCREC.INI file to MBR------
start /WAIT pcrecsa bini -flush
The BackupScheduleMod.zip package (see Appendix B, Additional material on page 215) has a sample script which modifies the scheduled backup time. In this sample, the required modification is put in the file time.mod. The batch file rrutime.bat determines if the Rapid Restore Ultra program and/or service is running on the system and takes steps to stop them. Then the batch file fetches the Master Boot Record copy of PCREC.INI. After the PCREC.INI file is fetched from the MBR, the program RRPCEDIT.exe merges the contents of time.mod with PCREC.INI. The batch file then pushes the modified PCREC.INI file back to the MBR and restarts the service if it had been stopped by the batch file. Though the above example illustrates modifying the schedule, it can be used to modify many of the PCREC.INI options. To modify any option in PCREC.INI (see Custom settings in \rrpc\PCREC.TXT on page 43 for details of the options), place the option(s) in the time.mod file and run the rrutime.bat script.
Modifications to RR.INI
There are several settings that can be modified in file RR.INI. Unlike PCREC.INI these settings can directly be modified in the file RR.INI located at c:\program files\xpoint\pe\skin\RR.INI. To reflect the changes, you will have to reopen the Rapid Restore Ultra GUI.
Sysprep introduces Windows mini-setup into the first boot of a sysprep image. During the restore of an incremental backup, Rapid Restore Ultra expects to see a Windows compatible GINA (Graphical Identification and Authentication). Since a sysprep image does not have a Windows compatible GINA, it is unable to process an incremental restore.
Note: If there is a need to incorporate a sysprep image as the A0 base backup and still maintain the ability to perform incremental backups on your deployed systems, you will need to build and deploy your image with IBM ImageUltra Builder or use the services offered by the IBM Image Technology Center (IITC).
2. After the creation of the base backup, it is imperative that the system be booted back into Windows for the creation of the index for future backups. If the limited user service is on, this creation will begin once the Windows logon screen is reached. If the limited user service is off, a user with administrative privileges on the local machine must log on and remain logged on during the creation of the index. Confirmation that the index has been created is done in one of two ways. If you have not suppressed the congratulations screen with the option in pcrec.txt, a message will be posted to the desktop advising you that the base backup is complete (see Figure 2-30). Alternatively, you can look for the presence of the key INITIALIZED=1 in the file c:\program files\xpoint\pe\pcrec.ini.
3. Rapid Restore Ultra is an image backup utility and not truly a data backup utility. It is strongly recommended that you continue to use the data backup processes within your organization.
4. If you plan to change the ThresholdCBackupCnt key value, do it judiciously. If the value is set too low (for example, 1 or 2) there is a chance that both incremental backups (B and C type) may become unusable in some events, such as virus problems. Setting it too high will make the cumulative backup (type B) less useful (it will not have more updated data). The default value for this key is 7. See 2.1.2, Rapid Restore Ultra backup methodology on page 13 for the different backup types.
5. If you use an imaging program with Rapid Restore Ultra, you will need to create your donor image on the smallest hard disk drive that the image will be deployed to. This is because the restore process is not able to scale down to hard disk drives smaller than the one the image was created on.
6. Rapid Restore Ultra will assign a drive letter to the IBM_SERVICE partition during installation. That drive letter will be hidden in the My Computer view after Rapid Restore Ultra installation. Once the drive letter for the IBM_SERVICE partition is assigned, it cannot be changed.
7. Rapid Restore Ultra does not support changes in the drive number of the HDD that the IBM_SERVICE partition is created on. For example, if you create a backup on an IBM ThinkPad that was started while docked and a hard disk drive was in the dock bay at the time of backup, future backups and restores will not work unless the same configuration is reproduced.
8. There are multiple ways to encrypt files in the Windows operating system. The most popular are Windows Encrypted File System (EFS), IBM Client Security Right Click Encryption and IBM Client Security File and Folder Encryption (FFE). Although the backup image file stored in the IBM_SERVICE partition is encrypted, it is important to understand how the data is backed up in incremental backups and how the files appear after an image restore. See Table 2-7 for the status of encrypted files in incremental backups.
Table 2-7 Encrypted file status in an incremental backup

Limited user service on (RunAsService=1):
Encryption type                   | File status in an incremental backup | File status after restore
Encrypted File System (EFS)       | File not backed up                   | File not restored
File and Folder Encryption (FFE)  | File not backed up                   | File not restored
Right click encryption            | File not backed up                   | File not restored

Limited user service off (RunAsService=0):
Encryption type                   | File status in an incremental backup | File status after restore
Encrypted File System (EFS)       | Unencrypted (logged on user only)    | Unencrypted (logged on user only)
File and Folder Encryption (FFE)  | Unencrypted (logged on user only)    | Unencrypted (logged on user only)
Right click encryption            | Encrypted (a)                        | Encrypted (a)

a. If the file has been decrypted by the end user and then the backup oc-
Solution/Explanation: The system is restored to an older state when this user account would not have existed or the password might have been different. Contact the administrator of your system to create your account again or reset your password.

Subject: Rapid Restore Ultra install fails on systems with extended partitions
Subject: Rapid Restore Ultra install fails with an error message "insufficient space"
Solution/Explanation: Rapid Restore Ultra can only resize primary partitions. A service partition cannot be created on hard disk drives containing four primary partitions or an extended partition. If new partitions are added to a drive, Rapid Restore Ultra must be reinstalled. Previous backups will be lost.

You can only create a service partition on the first hard disk in the system. Backing up to a different hard disk or to a network is only supported in Xpoint Rapid Restore Professional Edition. For details about this product visit http://www.xpoint.com.

When attempting to write an image to your hard disk using an IBM recovery program or a third party image utility after IBM Rapid Restore Ultra has been installed, a message might display stating that an error was found on your disk due to differing LBA and CHS values. If you are prompted to allow a fix of this error, your Rapid Restore backups and service partition might become inaccessible.

The following error messages might appear during the installation of Rapid Restore Ultra or while the program is trying to resize an existing service partition: "The IBM service partition could not be created." and "There is insufficient space on the hard disk." To resolve these messages, attempt to clear some space on your hard disk. Another option is to buy Rapid Restore Professional Edition from Xpoint (www.xpoint.com). Rapid Restore Professional Edition provides the option to migrate all of your data from the first disk drive to the second drive so that you can then remove the first drive. During data migration, the new hard drive must be on the same IDE channel as the old hard drive.

Some disk utilities, such as PartitionMagic, are not compatible with Rapid Restore Ultra because Rapid Restore Ultra locks the IBM service partition, making the partition inaccessible to applications, including PartitionMagic.
When a Windows mode restore is in progress - the power request will be rejected and the restore will continue.
When a DOS mode backup is in progress - the power request will occur and the user will have to reinitiate the backup.
When a DOS mode restore is in progress - the power request will occur, and the user will have to initiate an F11 restore to return the machine to a stable configuration.
Subject: Can the image be restored without disturbing the data? For example, a user corrupts the operating system and wants to restore it (presumably would need to restore all application software as well). However, the user does not want to destroy his/her files, just the software. Is there a way to do this with Rapid Restore Ultra?

Subject: What is the default size of the hidden partition that is created?
Solution/Explanation: Rapid Restore Ultra creates a hidden service partition that occupies 20% of the available HDD space. The IT administrator can resize this partition to anywhere between 5% and 40% of the hard drive.
Subject: Which IBM systems are fully supported by Rapid Restore Ultra?
Solution/Explanation: When a customer purchases any IBM client system, IBM Rapid Restore Ultra is included at no charge. All IBM client systems manufactured after 10/1999 are supported. Even if Rapid Restore Ultra is not provided explicitly in the bundle with the IBM system, the user is licensed to use Rapid Restore Ultra on IBM client systems.
Chapter 3.
3.1 Overview
This chapter contains information and instructions on the new Access IBM experience: an updated help and support application for the Microsoft Windows operating system and the Predesktop Area (a help, recovery, configuration, and diagnostic environment that can be opened even if Microsoft Windows won't). In addition, with the tools and instructions provided, various aspects of the applications (Access IBM, Access Help, Access IBM Message Center, and Access IBM Predesktop Area) can be tailored to fit your in-house needs.
Access IBM information is categorized into task oriented sections to provide the user with quick access to the subject or function they wish to view or execute.
Learn takes you to a visual map of your computer and other helpful topics.
Configure allows quick access to tools such as Access Connections and Battery MaxiMiser (ThinkPad only).
Protect & Recover takes you through a series of windows to protect and back up your data using Rapid Restore Ultra, secure your computer using passwords and antivirus software, diagnose problems, and restore data using Rapid Restore Ultra.
Get Help & Support allows you to view on-system help and reference, find support information on the Web, and download and update your computer with the latest device drivers.
Stay Current offers solutions and options to keep your software and applications at the latest levels.

Access IBM provides the user an interface to the on-system user's guide, system tools, services, and IBM web sites on the Internet. The Access IBM interface provides links to the Access Help, categorized to help the user find the information that they are looking for more easily. At the top center is the Search field, which provides a keyword search into the Access Help Index. This Search capability provides a major advantage to the customer, who is able to quickly find problem help or information.
Advantages of customization
Access IBM and Access Help provide a powerful way to provide help and information to IBM customers. Users start Access IBM by pressing the blue Access IBM button that is prominently displayed on the ThinkPad keyboard, or by clicking the desktop icon, whenever they need help or information about using their system. Access IBM then provides access to the Access Help, which contains information about using the IBM system and tools, and access to the IBM Internet sites that provide updated information and help. There are several different possibilities for customization of the Access IBM and Access Help products. Table 3-1 shows the possibilities and the advantages of each.
Table 3-1 Modification suggestion table

Option 1: Full integration of business information with IBM help information.
Access IBM: Modify topics of Access IBM to point to new or different information. Modify web links of Access IBM to point to business specific web sites.
Access Help: Add new chapters and topics (HTML pages) to Access Help. Also some topics can be removed if they are not acceptable to business needs.
Advantage to the business: When the customer selects the Access IBM button they will get information about their system as well as information about the business. The search field on the Access IBM interface will search system and business information. The web links will point to business appropriate web sites.

Option 2: Access IBM integration with Access Help topic removal only.
Access IBM: Modify the sections of Access IBM to point to the remaining topics. Any unused categories can point to other programs or web sites. Modify the web links of Access IBM to point to business specific web sites.
Access Help: Remove topics that are not applicable or appropriate to the business environment.
Advantage to the business: When the customer selects the Access IBM button they will get appropriate information about their system. The Search field on the Access IBM interface will search the remaining Access Help information. The web links will point to business appropriate web sites.

Option 3:
Access IBM: Modify the web link connections of the Access IBM interface to point to business specific web sites.
Access Help: No changes necessary.
Advantage to the business: The web links will point to business specific web sites, and the customer will still have the power of the Access Help and the search capability.
Change the color of the background for the Access IBM application
Enable or disable application sounds and animations
Change the Alt-key quick launch keys for the five main topics
You can add and delete content in the interface at will, so links to your company's most important information and tools are easily accessed through the interface.
In this tab you can modify the name that will be displayed in the title bar of the Access IBM application. The title bar will display, for example: Access IBM Customized by ABC Company.

If you would like to have the Access IBM application on the system, but not have the user be able to use the application without help from a system administrator or IT technician, it can be password protected. When password protection is enabled, the IT engineer can give special instructions in a message to the user on how to proceed or get access to the application.

The Menus tab allows the editor to change what Access Help topics, Web links, and application launches are displayed on the Access IBM user interface.
This interface makes it easy for the IT engineer to modify the Access IBM configuration files that contain the user interface information. This configuration data is contained in three files:
machine-specifics.csv
access-config.ini
access-text.ini
These three files make up the configuration of the main user interface of Access IBM. The machine-specifics.csv file can also be modified by using a spreadsheet program such as Microsoft Excel, but the changes will be more easily understood and made through the customization tool.
The customization tool window shown in Figure 3-5 enables you to modify the content of the welcome page that is displayed to the user upon starting Access IBM. This would be done if you change the categories in the Access IBM user interface. The welcome page can be enabled or disabled from this screen or from Access IBM itself.
The Personalization tab allows you to modify the default size of Access IBM when it is started. The size can be set to large for hi-resolution screens, low for lower resolution screens, or set to automatic, which will let Access IBM choose depending on the system settings. You can choose whether to display the Access IBM Message Center icon in the task tray with the Show system tray icon option. When this box is unchecked the user will not receive informative popup messages from Access IBM. The next two check boxes enable the opening animation and startup sound for Access IBM. You may choose to disable these here or from the Access IBM personalization dialog.
Using the font color and background modification you can make it easier for the user to read the information on the Access IBM user interface. Only the default pictures, a black, or a white background are supported at this time.
Figure 3-7 shows an example of the Access Help interface. Shown in the figure is the main Welcome page. The entire online help document is broken up into topics; some of the major topics are shown in the figure.
Help can be readily customized. The Access Help customization guide will provide assistance and guidelines to help with editing.
Service partition
Hard disk-based recovery and diagnostics has many advantages over CD-based recovery solutions. With this recovery solution, a backup system image is always present on your hard drive in the service partition. No additional hardware or software is needed to restore your system, so there is nothing to lose or misplace. Consequently, any necessary waiting time is minimized and, in most cases, no technician is required. To access the recovery image, you simply interrupt the startup process by pressing F11. A disadvantage of a partition-based solution is that it requires the use of a primary partition. This might cause problems for some users because Microsoft Windows operating systems are limited to four primary partitions on each hard disk. Also, a hard disk-based solution must use some hard disk space to store the recovery image.
Figure (service partition disk layout): Recovery and diagnostics applications; System image; Device drivers and applications; Additional space; C:\ Drive.
ANSI/ATAPI committee (ANSI+NCITS+346-2001) that affords several advantages. With an HPA-based solution, each function can be stored in its own area. This enables each function to be individually protected and accessed. For example, by using an HPA-based recovery format, system diagnostics, Rapid Restore Ultra, or recovery data can each be accessed separately.

An HPA-based recovery solution provides a level of flexibility and security that is not available with the partition-based disk-to-disk recovery solution. Simply by separating the data in the hidden protected area, this solution provides greater protection from data loss and unauthorized access. Each of the areas is protected by firmware locking, which effectively hides the area from unauthorized software.

As with the partition-based recovery solution, some disk space is needed to store the factory recovery image. The amount of space needed to store the applications and data is based on the system ordered and the number of options. On computers using the HPA-based recovery solution, the total amount of disk space will reflect only the storage space available to the user. The space used by the hidden protected area is subtracted from the total disk space. For example, a 20 GB drive that has a 2 GB HPA will display as an 18 GB drive.

To access the contents of the HPA, you simply interrupt the startup process by pressing the Enter key. ThinkPad computer users can also press the Access IBM button to interrupt the startup process. Figure 3-10 illustrates the space used and disk layout on a typical hard drive using the HPA-based recovery solution.
Figure 3-10 (HPA-based disk layout): Diagnostics; Recovery applications; Recovery data; System image; Device drivers and applications; Additional space. Service partition: core portion of Disk-to-Disk (ImageUltra compatible), some components are dependent upon the system configuration, Rapid Restore Ultra backup data. C:\ Drive.
Figure (Predesktop Area and HPA data areas): Access IBM predesktop menu; Create diagnostic disks; Run diagnostics; Recovery to factory contents; Restore your backups; service partition code; Recovery data; Data Areas.
HPA header
The HPA header consists of two parts: a boot engineering extension record (BEER) and a directory of services (DOS). For complete details on the hidden protected area, see the ANSI/ATAPI committee document (ANSI+NCITS+346-2001). The HPA header is similar to a partition table. It contains a listing of all the areas in the HPA, along with their sizes.
To select an activity, click the desired task or use the Tab key to highlight the desired task and then press Enter. Each icon represents a separate function which has its own area within the HPA. These functions are performed independently of the operating system. Access to individual functions in the Predesktop Area, or access to the entire Predesktop Area, may be disabled using the Predesktop Administrator Utility available at http://www.ibm.com/pc/support/site.wss/AIBM-TOOLS.html
Data areas
Data areas provide storage and additional space for the bootable areas. Data areas store recovery data, flash repair, and Rapid Restore Ultra data (if it is installed). An update area also exists that enables IBM to supply patches and updates to the HPA areas.
Table (HPA security settings; the column layout was lost in extraction). The settings compared are High Security ("Highest security"), HPA Normal Security (Default) and Security Disabled. Attributes compared: F12 key behaviour (Alt boot menu (text mode); Nothing (ThinkPad); BIOS menu (ThinkCentre); BIOS menu (no recovery choice)); Enter key (BIOS Menu); more secure than the current system; cloning (Cloning possible; industry tools must be modified to issue clone commands); removal (IBM provides a tool for removing the HPA, if requested; Removal is possible); updates (Updates possible).
Note:
1. If you are using the high security setting, be sure to verify that the high security mode has been restored in BIOS settings after a service action is required (for example, the system board is replaced).
2. Do not disable security to remove the hidden protected area. IBM provides a Web tool that can be downloaded from the IBM web site for this purpose. The Security Disabled setting is only intended to be used when creating an image of the drive using a sector-based imaging tool. Security should be restored after the image has been created.
e. Change to the recovery directory. The command prompt displays A:\RECOVERY>
f. Insert a diskette into the diskette drive, which is mapped as the B: drive.
g. Type copy fwbackup.exe b:
h. Type copy fwrestor.exe b:
i. Eject the disk and turn the system off.
j. Follow the directions below for using FWBACKUP and FWRESTOR.
3. Create an image of the hidden protected area using a command prompt to run the FWBACKUP tool. FWBACKUP has the following format:
FWBACKUP size=<span file size, must be between 25MB and 640MB> file=<path and name of file set>
If you are creating an image of the HPA to a network drive, it must have a drive letter assigned. For example, if you want to store an image of the HPA space to drive D: with a span size of 640MB, the command is:
FWBACKUP size=640 file=d:\IMGSET
The image set consists of the files IMGSET.001 ... IMGSET.nnn.
4. Create an image of the main partition using a third party imaging tool to capture first the C: partition, and then the main partition.
5. Restore the hard drive image using the following procedure:
a. Make sure the destination hard drive is blank.
b. Make sure that the master boot record is deleted and that no partitions exist on the hard disk.
c. Run FWRESTOR from a command prompt. FWRESTOR has the following format:
FWRESTOR file=<name of span file set>
If you are restoring an image of the HPA from a network drive, it must have a drive letter assigned. For example, to restore the image from the D: drive that was created in the example above, the command would be:
FWRESTOR file=D:\IMGSET
This loads all the files in the image set (IMGSET.001 ... IMGSET.nnn). All of the files in the image set must be in the same subdirectory.
d. When this is complete, perform a power cycle.
6. Restore the main partition using the normal procedure of your imaging tool.
7. Restore the security setting to High Security, if this setting was changed in Step 1.
If there are any messages, they are displayed as shown in Figure 3-15. Otherwise, the Message Center is blank.
When the icon in the system tray is clicked, a menu is displayed enabling the user to launch Access IBM programs, to view the Message Center, to hide the Access IBM bubble messages, or to exit the Message Center. When a message becomes available, the Message Center alerts the user with a pop-up bubble that displays the title of the new message. The icon in the system tray also changes color to indicate a new message is available. On systems running Windows XP, the Message Center opens when the bubble is clicked. On systems running Windows 2000, the bubble message is minimized when the bubble is clicked.
Click the Get IBM support messages for my computer check box to get Web messages. Web messages enable IBM to inform users of useful information that is becoming available. The Message Center automatically filters these messages so that only those messages that apply to your particular machine type and operating system are displayed. For example, a Web message might inform the user that a new device driver is available for their particular machine type. This message will display automatically if Web messages are enabled. Web messages can also be expanded to include messages about all IBM computer models and operating systems. When you select the Get IBM support messages for my computer check box, the Advanced button is enabled. Click the Advanced button to get messages for other computer models and operating systems. The Advanced Messaging Preferences window is shown in Figure 3-17.
Draft Document for Review September 24, 2003 4:11 pm

<machines>all</machines>
<launch1>
<text>Start Now</text>
<app>aibmrun.exe</app>
<param1>'IBM Access Connections'</param1>
</launch1>
</message>
Table 3-4 lists the elements that each Message Center message XML file might contain. The <?xml version="1.0" encoding="utf-8" standalone="yes"?> line should always be at the top of the file. If other languages are used, then the encoding might need to change, but utf-8 should be used otherwise. Every message must be enclosed in the <message id=...> element and have a unique ID, which is the same as the file name.
Table 3-4 XML message file elements

Element        | Required          | Contents                                                                                   | Example
version        | No                | Version of the Access IBM Message Centre                                                   | 1.0
title          | Yes               | Title of the message                                                                       | let Access IBM Simplify Your PC Experience
body           | Yes               |                                                                                            | Learn Useful PC Tasks. Click Start now or press the Blue Access IBM Button anytime
date_received  | No                | Date of the message in MM/DD/YYYY format. If left blank it will fill in with the current date | 08/06/2003
date_expired   | No                | Date the message expires in MM/DD/YYYY format. The message is deleted after this date      | 09/06/2003
url            | No                | The URL of the website to present the user                                                 |
category       | No                | The message category                                                                       |
               | No                | The message language                                                                       | EN
               | No                | The message locale                                                                         | AU
               | No                | Program that generated the file                                                            | Access Support
machines       | Yes               | This is the four-digit machine type number(s) that this message applies to. If there are multiple machine types, a comma separates the numbers. If every machine, it can be all. DEFAULT should be all | 2653,2373
launch1        | No                | Inside of this element are the next 3 elements                                             | <launch1><app>c:\windows\notepad.exe</app><text>Notepad</text><param1>c:\filetoopen.txt</param1></launch1>
launch1 app    |                   | This is the path to the executable file that will be launched                              | c:\windows\notepad.exe
launch1 text   |                   | Text to display to the user at launch, such as the application name                        | Notepad
launch1 param1 |                   | Parameter to pass to the application                                                       | c:\filetoopen.txt
launch2        |                   | Inside of this element are the next 3 elements                                             | <launch2><app>c:\windows\notepad.exe</app><text>Notepad</text><param1>c:\filetoopen.txt</param1></launch2>
launch2 app    | Yes, if a launch2 | This is the path to the executable file that will be launched                              | c:\windows\notepad.exe
launch2 text   | Yes, if a launch2 | Text to display to the user at launch, such as the application name                        | Notepad
launch2 param1 | No                | Parameter to pass to the application                                                       | c:\filetoopen.txt
launch3        | No                | Inside of this element are the next 3 elements                                             | <launch3><app>c:\windows\notepad.exe</app><text>Notepad</text><param1>c:\filetoopen.txt</param1></launch3>
launch3 app    |                   | This is the path to the executable file that will be launched                              | c:\windows\notepad.exe
launch3 text   |                   | Text to display to the user at launch, such as the application name                        | Notepad
launch3 param1 |                   | Parameter to pass to the application                                                       | c:\filetoopen.txt
92
6060ch05.fm
orer\Shell Folders\CommonAppData. This key refers only to the path c:\documents and settings\all users\application data, but simply appending \ibm\messages\ to that value gives the full path to the message directory. After a client-server application has been set up, the Access IBM Message Center displays local messages, Web messages, and customer messages, as illustrated in Figure 3-18.
Figure 3-18 Message sources shown in the Message Center: local messages, IBM Web messages from the Access Support Message Center, and customer messages from the IT department
After an XML message file is placed in the appropriate directory, it might take up to 30 seconds for the Message Center to respond to it, if the Message Center is running. The typical response is a bubble message that pops up and contains the title of the message. However, if a bubble has popped up in the past hour, the Message Center instead changes the Message Center system tray icon and adds flyover text noting that a new message is available, so that users are not distracted by too many pop-up messages. If an XML message is placed in the appropriate directory and the Message Center does not respond at all, then either the XML file is incorrect or the message guidelines were not followed. To verify that the XML file is correct, open it with Microsoft Internet Explorer. The Message Center uses the same XML parser as Internet Explorer, so if Internet Explorer can read the file, the Message Center can read it too. The following figure illustrates how Microsoft Internet Explorer displays an XML file:
After the Message Center has opened and new messages have been displayed, these messages are considered to be read. They are then moved to the Read directory in the c:\documents and settings\all users\IBM\messages\read path.
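Opening the file in Internet Explorer only proves it is well-formed XML. The following checker, an added example and not code from the Redbook, also applies the Table 3-4 rules (required title and body, MM/DD/YYYY dates, the id matching the file name, complete launch elements) before a file is dropped into the messages directory. It assumes <message id="..."> is the root and the element names of the table; the absolute-path check on <app> is an added assumption, not a documented rule.

```python
"""Check an Access IBM Message Center XML message against the Table 3-4 rules.
Added example, not IBM's code.  Assumed: <message id="..."> is the root, the
child element names are those in the table, and the id equals the file name
without its extension."""
import xml.etree.ElementTree as ET
from datetime import date

REQUIRED = ("title", "body")   # every other element in the table is optional


def parse_mmddyyyy(value):
    """Return a date for an MM/DD/YYYY string, or None if it is malformed."""
    try:
        month, day, year = value.strip().split("/")
        return date(int(year), int(month), int(day))
    except ValueError:
        return None


def validate_message(xml_text, file_stem, today=None):
    """Return a list of problems; an empty list means the Message Center should
    accept the file.  `today` (MM/DD/YYYY) pins the expiry check for testing."""
    try:
        root = ET.fromstring(xml_text.encode("utf-8"))
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != "message":
        return [f"root element is <{root.tag}>, expected <message>"]
    problems = []
    msg_id = root.get("id")
    if not msg_id:
        problems.append("<message> has no id attribute")
    elif msg_id != file_stem:
        problems.append(f"id '{msg_id}' does not match file name '{file_stem}'")
    for name in REQUIRED:
        if not (root.findtext(name) or "").strip():
            problems.append(f"required element <{name}> missing or empty")
    # date_received may be blank (the Message Center fills in the current date)
    for name in ("date_received", "date_expired"):
        value = root.findtext(name)
        if value and parse_mmddyyyy(value) is None:
            problems.append(f"<{name}> '{value}' is not MM/DD/YYYY")
    expires = parse_mmddyyyy(root.findtext("date_expired") or "")
    if expires is not None:
        reference = parse_mmddyyyy(today) if today else date.today()
        if reference is not None and expires < reference:
            problems.append(f"message expired on {root.findtext('date_expired')}")
    # launch1..launch3 each wrap <app>, <text> and <param1>
    for n in (1, 2, 3):
        launch = root.find(f"launch{n}")
        if launch is None:
            continue
        for child in ("app", "text"):
            if not (launch.findtext(child) or "").strip():
                problems.append(f"<launch{n}> lacks <{child}>")
        app = (launch.findtext("app") or "").strip()
        # Assumption (not a documented rule): insist on an absolute drive path so
        # a bare program name is not resolved through PATH when the user clicks it.
        if app and not (len(app) > 3 and app[1] == ":" and app[2] == "\\"):
            problems.append(f"<launch{n}><app> '{app}' is not an absolute drive path")
    return problems


# Constructed sample built from the Table 3-4 example values.
SAMPLE_ID = "welcome01"
SAMPLE_XML = f"""<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<message id="{SAMPLE_ID}">
  <version>1.0</version>
  <title>Let Access IBM Simplify Your PC Experience</title>
  <body>Learn Useful PC Tasks. Click Start now or press the Blue Access IBM Button anytime</body>
  <date_received>08/06/2003</date_received>
  <date_expired>09/06/2003</date_expired>
  <launch1>
    <app>c:\\windows\\notepad.exe</app>
    <text>Notepad</text>
    <param1>c:\\filetoopen.txt</param1>
  </launch1>
</message>"""

if __name__ == "__main__":
    print(validate_message(SAMPLE_XML, SAMPLE_ID, today="08/10/2003") or "OK")
```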
3.6 Summary
The following is a brief summary of the topics discussed in this chapter.
to your business environment. All of IBM's value is accessible from one easy-to-use application
3.6.4 Customization
All of these features and applications are customizable to fit your local needs. For more information, go to http://www.ibm.com/pc/support/site.wss/AIBM-TOOLS.html
Chapter 4.
4.1, IBM Embedded Security Overview on page 98
4.2, Planning: Installation considerations on page 103
4.3, Preparation: Prerequisite instructions on page 106
4.4, Preparation: Installation instructions on page 108
4.5, Implementation: Configuration on page 120
4.6, Implementation: Utilization on page 134
4.7, Usage Scenarios on page 147
4.8, Uninstalling Client Security Software on page 152
4.9, Troubleshooting on page 153
Pseudo Random Number Generator in the chip.
RSA operations computed in 200 milliseconds.
All TCPA (TCG) functions defined in specification V1.1.
Note: In April of 2003 the Trusted Computing Platform Alliance (TCPA) evolved into the Trusted Computing Group (TCG). The TCG has adopted existing trusted computing specifications from TCPA. For more information visit http://www.trustedcomputinggroup.org.
UVM protection for Windows logon and the Client Security screen saver - User Verification Manager (UVM) protection for Windows logon and the Client Security screen saver ensures that only authorized users can gain access to the operating system, using the multiple, configurable authentication methods supported by User Verification Manager.
Support for Lotus Notes - Client Security Software provides User Verification Manager support for tasks performed in Notes that are password protected, such as logging on to Notes or changing the password for a user ID file, replacing the Lotus Notes password prompt with UVM's multiple, configurable authentication mechanisms.
Entrust Ready support for Entrust 6.0 - Client Security Software provides User Verification Manager-controlled embedded hardware protection and advanced authentication support for PKI operations performed by the Entrust Enterprise Desktop Solutions.
http://www.entrust.com/partners/solutions/77.htm
Support for RSA SecurID - Client Security Software provides User Verification Manager-controlled embedded hardware protection and advanced authentication support for generation of software-based RSA SecurID authentication passcodes.
http://rsasecurity.agora.com/rsasecured/detail.asp?product_id=1082
Support for Tivoli - Client Security Software was designed to interface with various components of the Tivoli Enterprise software, including:
Ability to set policy centrally and distribute to clients - Policy can be set for CSS through a Tivoli Access Manager (TAM) plug-in provided by download from the IBM CSS download site. The client system is configured to pull policy from TAM on a timed interval.
WebSeal integration - WebSeal is a Web-based authentication method that allows a user to be authenticated through the Internet or intranet. This authentication can be based on certificates and/or user name and password. In the case of the certificate, the private key operation can be carried out in the Embedded Security Chip. In the case of user name and password, the IBM CSS Password Manager component can be used to store these values. In either case the end user can be authenticated using the User Verification Manager multi-factor, policy-based capabilities. Once the end user is authenticated, the Tivoli Global Sign On product can be used to determine which resources, rights, etc. the user can access.
Wireless support - ESS supports the latest industry standard 802.1x as well as Cisco LEAP through IBM's Access Connections. Learn more about the IBM wireless offering at
http://www.pc.ibm.com/us/wireless/index.html
Support for Checkpoint VPN-1 - IBM's ESS has been Checkpoint OPSEC certified. Private key operations for certificate-based operations are carried out in the IBM Embedded Security Chip, with the capability to set configurable, multi-factor authentication.
Support for Verisign Personal Trust Agent (PTA) - The Verisign PTA is a core component of the Verisign architecture for managing user credentials. The Verisign PTA leverages the hardware protection of the IBM Embedded Security Chip to perform all private key operations.
The IBM Password Manager enables you to generate random passwords for each Web site or application. This increases the security of your data because each application will have much more rigorous password protection enabled. Random passwords are far more secure than user-defined passwords because experience indicates that most users choose easy-to-remember personal information for passwords, which is often relatively easy to crack.
Edit entries using the Password Manager interface - The IBM Password Manager enables you to edit all of your account entries and set up all optional password features in one easy-to-use interface. This makes managing your passwords and personal information quick and easy.
Access Password Manager from the icon tray on your Windows desktop or with a simple keyboard shortcut - The IBM Password Manager icon gives you instant access whenever you need to add another application to Password Manager, such as when you are surfing the Web. Each Password Manager function can also be easily accessed by a simple keyboard shortcut.
Note: The IBM Password Manager does not support icon tray functionality on computers running the Windows NT operating system. If you are using a Windows NT system, use the keyboard shortcuts.
Archive your login information - Using the Client Security archiving function, the IBM Password Manager enables you to restore your sensitive login information from a Client Security archive to protect against a hard drive or system failure. See the Client Security Software User's Guide for more information on how to archive information.
Note: File and Folder Encryption is different from the right-click encryption that comes native in the IBM Client Security Software install. You do not need to install File and Folder Encryption unless you are seeking the on-the-fly capability of protecting a folder. The Check Disk utility might run when restarting the operating system after protecting or unprotecting folders. Wait for the system to be checked before using your computer.
User Verification Manager provides a plug-and-play interface for biometric devices. You must install Client Security Software before you install a User Verification Manager-aware sensor. To use a UVM-aware sensor that is already installed on an IBM client, you must uninstall the UVM-aware sensor, install Client Security Software, and then reinstall the UVM-aware sensor.
Tivoli Access Manager versions 3.8 or 3.9 - User Verification Manager software simplifies and improves policy management by integrating smoothly with a centralized, policy-based access control solution such as Tivoli Access Manager. User Verification Manager software enforces policy locally whether the system is on the network (desktop) or stands alone, thus creating a single, unified policy model.
Lotus Notes version 4.5 or later - User Verification Manager works with Client Security Software to improve the security of your Lotus Notes logon (Lotus Notes version 4.5 or later).
Entrust Desktop Solutions 5.1, 6.0, or 6.1 - Entrust Desktop Solutions enhances Internet security capabilities so that critical enterprise processes can be moved to the Internet. Entrust Entelligence provides a single security layer that can encompass an enterprise's entire set of enhanced security needs, including identification, privacy, verification, and security management.
RSA SecurID Software Token - The RSA SecurID Software Token enables the same seed record that is used in traditional RSA hardware tokens to be embedded on existing user platforms. Consequently, users can authenticate to protected resources by accessing the embedded software instead of having to carry dedicated authentication devices.
Targus fingerprint reader - The Targus fingerprint reader provides a simple, easy interface that enables the security policy to include fingerprint authentication.
Gemplus GemPC400 smart card reader - The Gemplus GemPC400 smart card reader enables the security policy to include smart card authentication, adding an additional layer of security to the standard passphrase protection.
Cryptographic services
Client Security Software supports the following cryptographic services:
Microsoft CryptoAPI: CryptoAPI is the default cryptographic service for Microsoft operating systems and applications. With built-in CryptoAPI support, Client Security Software enables you to use the cryptographic operations of the IBM Embedded Security Chip when you create digital certificates for Microsoft applications.
PKCS#11: PKCS#11 is the cryptographic standard for Netscape, Entrust, RSA and other products. After you install the IBM Embedded Security Chip PKCS#11 module, you can use the IBM Embedded Security Chip to generate digital certificates for Netscape, Entrust, RSA and other applications that use PKCS#11.
E-mail applications
Client Security Software supports the following application types using secure e-mail:
e-mail applications that use the Microsoft CryptoAPI for cryptographic operations, such as Outlook Express and Outlook (when used with a supported version of Internet Explorer).
e-mail applications that use Public Key Cryptographic Standard #11 (PKCS#11) for cryptographic operations, such as Netscape Messenger (when used with a supported version of Netscape).
you need to re-protect those folders after you install version 1.05, move those folders to the C drive and then protect them. Before uninstalling the IBM FFE utility - before you uninstall the IBM FFE utility, use the IBM FFE utility to unprotect any files or folders that are currently protected.
Registration form
When you download the software, you must complete a registration form and questionnaire, and agree to the license terms. Follow the instructions that are provided at the Web site to download the software. The installation files for Client Security Software are included within the self-extracting file. The version used in this Redbook was csec51.exe.
Export regulations
Client Security Software contains encryption code that can be downloaded within North America and internationally. If you live in a country where downloading encryption software from a Web site in the United States is prohibited, you cannot download Client Security Software.
Note: If you intend to use a fingerprint reader, you must install it before completing the IBM Client Security Setup Wizard shown in Figure 4-1.
Important: You must install the software and restart your system before connecting the DEFCON Authenticator.
12. You can now shut down your system, insert your DEFCON Authenticator, and restart. The Windows Found New Hardware Wizard pops up. Accept the recommended default. Click Next.
13. When the Windows Found New Hardware Wizard finishes installing, click Finish.
Mass deployment
Mass deployment enables security administrators to initiate security policies on multiple computers simultaneously. This makes it easier to manage and deploy security measures and helps ensure that the correct security policies are implemented. The following device drivers must be installed before completing the mass deployment procedure:
The SM bus device driver (see Installing the SM Bus device driver on page 108)
The LPC bus device driver (for TCPA systems) (see Installing the LPC Bus device driver on page 108)
There are two major steps to a mass deployment:
Mass installation
Mass configuration
Performing a mass installation and mass configuration at two different times is supported. For example, some installations may prefer to do the mass install at rollout time, but may not want to configure or start using the Embedded Security Subsystem until a later date, perhaps when they have decided on a full security policy or completed an installation of Tivoli Access Manager. In addition, it is possible (and more likely) that a customer would go back to the mass installed and mass configured systems at a later date using the mass configuration option, over the life of the systems, when the security policy changes from time to time.
Mass installation
You must perform an unattended installation to install IBM Client Security Software on a multitude of clients simultaneously. You must use the unattended installation parameter (see step 5 below) when initiating a mass deployment. To initiate a mass installation, complete the following procedure:
1. Create the CSS.ini file. The CSS.ini file is a response file used during mass configuration. This step is only required if you intend to perform a mass configuration. The CSS.ini file contains all the configuration options you would go through if setting up the CSS software manually, for example user names, location of the keys, and so on. The CSS.ini file must be created in the same directory that the install files are in.
2. Extract the contents of the CSS installation package with Winzip using folder names.
3. Edit the szIniPath and szDir entries in the setup.iss file. The szDir entry is required for a mass installation and mass configuration. The szIniPath parameter is only required if you intend to perform a mass configuration. The full contents of this file are listed below in Example 4-1.
4. Copy the files to the target system.
5. Create the \setup -s command-line statement. The -s parameter indicates an unattended installation. This command-line statement should be run from the desktop of a user who has administrator rights. The StartUp program group or the Run key is a good place to do this.
6. Remove the command-line statement on the next boot.
An example of the contents of the setup.iss file is listed below with a few descriptions:
Example 4-1 setup.iss file

[InstallShield Silent]
Version=v6.00.000
File=Response File
szIniPath=d:\csssetup.ini
(The above parameter is the name and location of the .ini file, which is required for mass configuration. If this is a network drive, it must be mapped. When a mass configuration is not being used with a silent installation, remove this entry.)
[FileTransfer]
OverwrittenReadOnly=NoToAll
[{7BD2CFF6-B037-47D6-A76B-D941EE13AD96}-DlgOrder]
Dlg0={7BD2CFF6-B037-47D6-A76B-D941EE13AD96}-SdLicense-0
Count=4
Dlg1={7BD2CFF6-B037-47D6-A76B-D941EE13AD96}-SdAskDestPath-0
Dlg2={7BD2CFF6-B037-47D6-A76B-D941EE13AD96}-SdSelectFolder-0
Dlg3={7BD2CFF6-B037-47D6-A76B-D941EE13AD96}-SdFinishReboot-0
[{7BD2CFF6-B037-47D6-A76B-D941EE13AD96}-SdLicense-0]
Result=1
[{7BD2CFF6-B037-47D6-A76B-D941EE13AD96}-SdAskDestPath-0]
szDir=C:\Program Files\IBM\Security
(The above parameter is the directory used to install Client Security. It must be local to the computer.)
Result=1
[{7BD2CFF6-B037-47D6-A76B-D941EE13AD96}-SdSelectFolder-0]
szFolder=IBM Client Security Software
(The above parameter is the program group for Client Security.)
Result=1
[Application]
Name=Client Security
Version=5.00.002f
Company=IBM
Lang=0009
[{7BD2CFF6-B037-47D6-A76B-D941EE13AD96}-SdFinishReboot-0]
Result=6
BootOption=
Mass configuration
The following file is also essential when initiating a mass configuration. The file can be named anything, as long as it has a .ini extension. This file can be created and distributed with the mass installation process, or it can be created and configured on any system and then distributed to all systems and used just for a mass configuration. Below is how the file should look. To the right of each line is a brief description that is not to be included in the file. Each parameter must be on a separate line. The following command runs this file from the command line when the mass configuration is not done along with a mass installation:
<CSS installation folder>\acamucli /ccf:c:\csec.ini
c:\csec.ini is the name of the mass configuration .ini file for our example.
Note: If any files or paths are on a network drive, the drive must be mapped to a letter.

[CSSSetup] | Section header for CSS setup.
suppw=bootup | Administrator/Supervisor password. Leave blank if not required.
hwpw=11111111 | CSS hardware password. Must be eight characters. Always required. Must be correct if the hardware password has already been set.
newkp=1 | 1 to generate a new admin key pair, 0 to use an existing admin key pair.
keysplit=1 | When newkp is 1, this determines the number of private key components. Note: If the existing key pair uses multiple private key parts, all private key parts must be stored in the same directory.
kpl=c:\jgk | Location of the admin key pair when newkp is 1. If this is a network drive, it must be mapped.
kal=c:\jgk\archive | Location of the user key archive. If this is a network drive, it must be mapped.
pub=c:\jk\admin.key | Location of the admin public key when using an existing admin key pair. If this is a network drive, it must be mapped.
pri=c:\jk\private1.key | Location of the admin private key when using an existing admin key pair. If this is a network drive, it must be mapped.
clean=0 | 1 to delete the .ini file after initialization. 0 to leave the .ini file after initialization.
[UVMEnrollment] | Section header for user enrollment.
enrollall=0 | 1 to enroll all local user accounts in User Verification Manager, 0 to enroll specific user accounts in UVM.
defaultuvmpw=top | When enrollall is 1, this will be the User Verification Manager passphrase for all users.
defaultwinpw=down | When enrollall is 1, this will be the Windows password registered with User Verification Manager for all users.
enrollusers=2 | When enrollall is 0, this is the number of users that will be enrolled in User Verification Manager.
user1=joseph | Enumerate the users to be enrolled starting with 1; user names must be the account names. To get the actual account name on XP: 1. Start Computer Management (Device Manager). 2. Expand the Local Users and Groups node. 3. Open the Users folder. The items listed in the Name column are the account names.
user1uvmpw=chrome | User Verification Manager passphrase of the user enrolled as user1 (enumerate starting with 1).
user1winpw=spinning | Windows password registered with UVM for the user enrolled as user1 (enumerate starting with 1).
user1domain=0 | 0 to indicate that this account is local. 1 to indicate that this account is on the domain.
user2=hallie
user2uvmpw=left
user2winpw=right
user2domain=0
[UVMAppConfig] | Section header for UVM-aware application setup and UVM-aware module setup.
uvmlogon=0 | 1 to use UVM logon protection, 0 to use Windows logon.
entrust=0 | 1 to use UVM for Entrust authentication, 0 to use Entrust authentication.
notes=0 | 1 to use UVM protection for Lotus Notes, 0 to use Notes password protection.
passman=0 | 1 to use Password Manager, 0 to not use Password Manager.
folderprotect=0 | 1 to use File and Folder Encryption, 0 to not use File and Folder Encryption.
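Because acamucli consumes this file unattended on every target, a mistake (a seven-character hwpw, an enrollusers count that does not match the userN entries, an unmapped UNC path) is repeated across the whole rollout. The following checker is an added example, not IBM tooling, that applies the rules listed above to the file before distribution; it assumes only the sections and keys shown on this page, and its sample input is the page's own file with the side descriptions removed.

```python
"""Sanity-check a Client Security Software mass-configuration .ini file before
running acamucli /ccf: against it.  Added example, not IBM's tooling.  Assumes
only the sections and keys shown on the page."""
import configparser

# Constructed sample: the page's mass-configuration file without the
# descriptions, which must not be present in the real file.
SAMPLE_INI = """[CSSSetup]
suppw=bootup
hwpw=11111111
newkp=1
keysplit=1
kpl=c:\\jgk
kal=c:\\jgk\\archive
pub=c:\\jk\\admin.key
pri=c:\\jk\\private1.key
clean=0
[UVMEnrollment]
enrollall=0
defaultuvmpw=top
defaultwinpw=down
enrollusers=2
user1=joseph
user1uvmpw=chrome
user1winpw=spinning
user1domain=0
user2=hallie
user2uvmpw=left
user2winpw=right
user2domain=0
[UVMAppConfig]
uvmlogon=0
entrust=0
notes=0
passman=0
folderprotect=0
"""

APP_FLAGS = ("uvmlogon", "entrust", "notes", "passman", "folderprotect")


def is_drive_path(value):
    """True for c:\\... style paths; a UNC path means the drive was not mapped."""
    return len(value) >= 3 and value[0].isalpha() and value[1:3] == ":\\"


def check_mass_config(text):
    """Return {'errors': [...], 'warnings': [...]}; no errors means usable."""
    errors, warnings = [], []
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str            # keep key names exactly as written
    cp.read_string(text)
    for section in ("CSSSetup", "UVMEnrollment", "UVMAppConfig"):
        if section not in cp:
            errors.append(f"missing [{section}] section")
    if errors:
        return {"errors": errors, "warnings": warnings}
    css, enr, app = cp["CSSSetup"], cp["UVMEnrollment"], cp["UVMAppConfig"]
    if len(css.get("hwpw", "")) != 8:
        errors.append("hwpw must be exactly eight characters")
    newkp = css.get("newkp", "")
    if newkp not in ("0", "1"):
        errors.append("newkp must be 0 or 1")
    # which key locations matter depends on whether a new admin key pair is made
    needed = ("kpl", "kal") if newkp == "1" else ("pub", "pri", "kal")
    for key in needed:
        if not is_drive_path(css.get(key, "")):
            errors.append(f"{key} must be a drive-letter path (map network drives)")
    if newkp == "1" and not css.get("keysplit", "").isdigit():
        errors.append("keysplit must be a number when newkp=1")
    enrollall = enr.get("enrollall", "")
    if enrollall == "0":
        count = enr.get("enrollusers", "")
        if not count.isdigit():
            errors.append("enrollusers must be a number when enrollall=0")
            count = "0"
        for i in range(1, int(count) + 1):
            for suffix in ("", "uvmpw", "winpw"):
                if not enr.get(f"user{i}{suffix}", ""):
                    errors.append(f"user{i}{suffix} is missing")
            if enr.get(f"user{i}domain", "") not in ("0", "1"):
                errors.append(f"user{i}domain must be 0 or 1")
    elif enrollall == "1":
        for key in ("defaultuvmpw", "defaultwinpw"):
            if not enr.get(key, ""):
                errors.append(f"{key} is required when enrollall=1")
    else:
        errors.append("enrollall must be 0 or 1")
    for key in APP_FLAGS:
        if app.get(key, "") not in ("0", "1"):
            errors.append(f"{key} must be 0 or 1")
    # the file holds passphrases and Windows passwords in clear text
    if css.get("clean", "") != "1":
        warnings.append("clean is not 1, so the .ini stays on disk after initialization")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    print(check_mass_config(SAMPLE_INI))
```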
3. Clear the IBM Embedded Security Chip in the BIOS utility. Reboot your system.
4. Install Client Security Software Release 5.1 and configure it using the IBM Client Security Software Setup Wizard.
The system will continue its reboot.
4. Run the Client Security Software Version 5.0 installation program.
5. Reboot when prompted.
Important: After reboot, the Client Security Software Setup Wizard will automatically launch. Do NOT run the Setup Wizard.
6. Press Cancel to exit the Setup Wizard.
7. Temporarily back up the default security policy by completing the following steps:
a. Using Windows Explorer, go to the IBM Client Security Software install directory (default is c:\program files\ibm\security).
b. Right-click the UVM_Policy folder and select Copy.
c. Right-click on the Windows desktop and click Paste. This will create a temporary backup on the Windows desktop.
Note: Your existing security policy settings will be replaced with new defaults.
8. Restore settings from IBM Client Security Software Version 4.0x by completing the following steps:
a. Click Start -> Settings -> Control Panel -> IBM Client Security Subsystem. The IBM Client Security Software Administrator Utility main screen is displayed.
b. Click the Key Configuration button.
c. Select Yes to restore keys from the key archive.
9. Provide the location of the previous archive directory.
10. Provide the location of the Administrator public and private key files you created in the previous release. You will be notified that your archive will be updated for the new release.
11. Click OK.
12. Provide the location to create new Administrator keys. Be sure to create the keys in a location different from the location of your existing Administrator keys. If you have Administrator keys you already created for Release 5.0 on another system, you can select Use an existing CSS Archive keypair and provide the location of the existing keys.
13. Click Next. Your archive will be converted and restored.
14. Exit the application when finished.
15. Restore policy settings by completing the following steps:
a. Using Windows Explorer, go to the IBM Client Security Software install directory (default is c:\program files\ibm\security).
b. Using the left mouse button, drag the UVM_Policy folder from the desktop to the IBM Client Security Software install directory.
c. Click Yes to all warning messages.
Your security data has now been migrated to Client Security Software Release 5.0.
Note: If you previously changed your security policy in Client Security Software Version 4.0x, you might want to resubmit your security policy settings by completing the following steps:
1. Click Start > Settings > Control Panel > IBM Client Security Subsystem.
2. Click the Configure Application Support and Policies button.
3. Click the Application Policy button.
4. Click the Edit Policy button.
3. Next is the Protect Applications with IBM Client Security page. See Figure 4-4. This is where you can select the applications that you wish to protect with the IBM Client Security Software. To protect an application, simply place a check mark in the appropriate check box. When you have made your selection, click Next.
After reading the warning screen shown in Figure 4-5, click OK to close.
4. The next step is the authorization of users. All users who will use the system need to be authorized before they can access the computer. To authorize a user, complete the following steps.
Important: Only authorize user accounts that can be used to log on to the operating system. If a user account that cannot be used to log on to the operating system is authorized, all users will be locked out of the system when User Verification Manager logon protection is enabled.
a. On the IBM Client Security Authorize Users screen (Figure 4-6), select the user you wish to authorize.
b. Click Authorize User >.
c. At the IBM Client Security Passphrase screen, enter the user's passphrase in the box provided. Ensure that the passphrase rules are met. This is step 1 of a 3-step process.
Definition: The IBM Client Security Passphrase is a long password (up to 256 characters long). This passphrase can replace many of the user's other passwords. Users are required to enter their passphrase in order to gain access to the system. The User Verification Manager passphrase must meet the following requirements:
contain at least 6 characters
contain at least 1 digit
not contain more than 2 repeated characters
not end with a digit
not start with a digit
not contain the User ID
d. Step 2 is to set the passphrase expiration rules. See Figure 4-7.
e. Step 3 is to enter the user's Windows password. Enter the password in the box provided. Click Finish.
f. Click Next to move on to the final step in the setup process.
5. At the System Security level selection screen (Figure 4-8), slide the selection bar to the desired level of security.
Important: Remember to tick the Use fingerprint reader radio button if you have installed a biometric fingerprint reading device.
6. Click Next.
7. Review your security settings and click Finish when done.
8. The system will now apply your security settings; this might take several minutes.
9. At the setup completion window, click OK to reboot your system.
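The wizard rejects a passphrase that breaks the rules listed in step 4c only when it is typed in. The following checker, an added example and not IBM's code, applies the same six rules plus the 256-character limit, so that passphrases can be screened beforehand (for instance the userNuvmpw values of a mass-configuration file, assuming the same rules apply there). It reads "not more than 2 repeated characters" as no run of three or more identical consecutive characters and compares the user ID case-insensitively; both readings are assumptions.

```python
"""Check a candidate User Verification Manager passphrase against the rules
listed on the IBM Client Security Passphrase screen.  Added example, not IBM's
code.  Assumptions: "not more than 2 repeated characters" means no run of three
identical consecutive characters; the user-ID comparison is case-insensitive."""
import re

MAX_LENGTH = 256     # the page states "up to 256 characters long"
MIN_LENGTH = 6
TRIPLE_RUN = re.compile(r"(.)\1\1", re.DOTALL)   # any character three times in a row


def passphrase_violations(passphrase, user_id):
    """Return the list of rules the passphrase breaks; empty means acceptable."""
    violations = []
    if len(passphrase) < MIN_LENGTH:
        violations.append(f"fewer than {MIN_LENGTH} characters")
    if len(passphrase) > MAX_LENGTH:
        violations.append(f"longer than {MAX_LENGTH} characters")
    if not any(c.isdigit() for c in passphrase):
        violations.append("no digit")
    if passphrase[:1].isdigit():
        violations.append("starts with a digit")
    if passphrase[-1:].isdigit():
        violations.append("ends with a digit")
    if TRIPLE_RUN.search(passphrase):
        violations.append("a character repeated more than twice in a row")
    if user_id and user_id.lower() in passphrase.lower():
        violations.append("contains the user ID")
    return violations


def screen(candidates):
    """Map each (user_id, passphrase) pair to its violations, keeping only
    the ones that fail, so an administrator sees what to fix before enrollment."""
    report = {}
    for user_id, passphrase in candidates:
        problems = passphrase_violations(passphrase, user_id)
        if problems:
            report[user_id] = problems
    return report


if __name__ == "__main__":
    # constructed candidates, not values from the page
    print(screen([("joseph", "ab3cdef"), ("hallie", "hallie77"), ("kim", "aaa9xyz")]))
```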
Object Selection
UVM policy objects enable you to establish different security policies for various user actions. Valid UVM objects are specified on the Object Selection tab of the IBM UVM Policy screen in the Administrator Utility. Valid UVM policy objects include the following:
System Logon - This object controls authentication requirements necessary to log onto the system.
System Unlock - This object controls authentication requirements necessary to clear the Client Security screen saver.
Lotus Notes Logon - This object controls authentication requirements necessary to log onto Lotus Notes.
Lotus Notes Change Password - This object controls authentication requirements necessary to use User Verification Manager to generate a random Lotus Notes password.
Digital Signature (e-mail) - This object controls authentication requirements necessary when you click the Sign button in Microsoft Outlook or Outlook Express.
Decryption (e-mail) - This object controls authentication requirements necessary when you click the Decrypt button in Microsoft Outlook or Outlook Express.
File and Folder Protection - This object controls authentication requirements necessary when right-click encryption and decryption has been selected.
Password Manager - This object controls authentication requirements necessary when you use the IBM Password Manager, which is available from the IBM Web site. When activated, most users should leave this setting on. No passphrase is required after the first use in this way.
Netscape - PKCS#11 Logon - This object controls authentication requirements necessary when a PKCS#11 C_OpenSession call is received by the PKCS#11 module. Most users should leave this setting on. No passphrase is required after the first use in this way.
Entrust Logon - This object controls authentication requirements necessary when Entrust issues a PKCS#11 C_OpenSession call to be received by the PKCS#11 module. Most users should leave this setting on. No passphrase is required after the first use in this way.
Change Entrust Logon Password - This object controls authentication requirements necessary to change the Entrust logon password. Entrust does this by issuing a PKCS#11 C_OpenSession call to be received by the PKCS#11 module. Most users should leave this setting on. No passphrase is required after the first use in this way.
8. Place your finger on the User Verification Manager-aware fingerprint sensor and follow the on-screen instructions.
9. Click OK once you've registered your fingerprint.
10. Specify another finger to register, or click Exit to finish.
7. Place your finger on the User Verification Manager-aware fingerprint sensor and follow the on-screen instructions.
8. Click OK once you've registered your fingerprint.
9. Specify another finger to register, or click Exit to finish.
5. On the Authentication Elements tab, select the authentication elements that you want to require for Lotus Notes Logon.
6. Click Apply to save the selections.
7. The Admin Private Key Required screen is displayed. Specify the location of the Private Key by either typing the path name in the provided field or by clicking Browse and selecting the appropriate folder.
8. Click OK.
9. The IBM User Verification Manager: Summary of Policy screen displays a summary of objects controlled by the local client policy.
10. Start Lotus Notes. User Verification Manager password registration is complete when Lotus Notes is started.
Actions include System Logon, System Unlock, and E-mail Decryption; an example of an object type is Acquire Digital Certificate.
7. For each object you select, do one of the following:
Click the Authentication Elements tab, and edit the settings for the available authentication elements that you want to assign to the object.
Select Access Manager controls selected object to enable Tivoli Access Manager to control the object you chose. Select this option only if you want Tivoli Access Manager to control the authentication elements for the IBM client. For more information, see Using Client Security with Tivoli Access Manager.
Important: If you enable Tivoli Access Manager to control the object, you are giving control to the Tivoli Access Manager object space. If you do this, you must reinstall Client Security Software to re-establish local control over that object.
Select Deny all access to selected object to deny access for the object you chose.
8. Click OK to save your changes and exit.
7. Click Save New Entry.
8. Click the Add Enter to automatically submit entry check box if you want Password Manager to submit the login information after recalling.
Note: Some Web sites do not use the Enter key to submit login information. If login is failing, disable this convenience feature.
9. Click Save New Entry to complete the procedure.
Managing entries
The IBM Client Security Password Manager enables users to work with information stored in the Password Manager. The Password Manager- Manage window enables you to change your user ID, password, and other information entered into Password Manager that populate the fields on a Web site or application. To change information stored in the IBM Client Security Password Manager, complete the following procedure: 1. Right-click the Password Manager icon in the Windows icon tray and click Manage. a. The Password Manager Manage function can also be accessed with the keyboard shortcut Ctrl+Shift+B. b. The IBM Password Manager does not support icon tray functionality on computers running the Windows NT operating system. If you are using a Windows NT system, use the keyboard shortcut. 2. Enter your User Verification Manager passphrase, or complete the access requirements specified by the User Verification Manager user authentication policy. 3. Edit your information. Select from the following options: Entry information. To edit entry information, complete the following procedure: a. Right-click the entry you want to edit. b. Select from the following actions: Add Enter Select Add Enter to automatically have your entry information entered into the Web site or application. A check icon will appear next to Add Enter when this function is activated. Delete Select Delete to delete the entry entirely.
   Entry field information. To edit entry field information, complete the following procedure:
   a. Right-click the field you want to edit.
   b. Select from the following actions:
      Change entry field: Select Change Entry Field to change the information stored for this field. You can change an entry field in one of the following ways:
      - By creating a randomized entry. To create a randomized entry, select Randomize. Password Manager will create randomized entries that are 7, 14, or 127 characters in length.
      - By manually editing an entry field. To manually edit an entry field, select Edit and make the appropriate changes to the field.
      Delete entry field: Select Delete to delete the entry field entirely.
   c. Click Save Changes.
4. Click Save Changes.
Note: Changing a field in Password Manager will only update the login information within Password Manager. If you want to increase the security of your passwords by using the Password Manager randomize feature, you must synchronize the application or Web site with the new random password generated by this feature. Use the convenient Password Manager Transfer Field Tool to transfer the new randomized password into the application or Web site Change Password form. Verify that the new password is valid for the application or Web site and then use the Save Changes in the Password Manager - Manage window. There is no need to re-create the entry with the new password since all the necessary information has been retained.
Recalling entries
Recalling passwords using the IBM Client Security Password Manager is simple and easy. To recall information stored in the IBM Client Security Password Manager, complete the following procedure:
1. Open the application or Web site logon screen for the information that you want to recall.
2. Double-click the Password Manager icon in the Windows icon tray. Password Manager will populate the fields on the logon screen with the stored information.
   a. The Password Manager Recall function can also be accessed with the keyboard shortcut Ctrl+Shift+G.
   b. The IBM Password Manager does not support icon tray functionality on computers running the Windows NT operating system. If you are using a Windows NT system, use the keyboard shortcut.
3. Enter your User Verification Manager passphrase, or complete the access requirements specified by the User Verification Manager user authentication policy.
4. If the Add Enter to automatically submit entry check box is not checked, click the Submit button on the application or the Web site. If no entry is recalled, a prompt will ask you if you would like to create a new entry. Click Yes to launch the Password Manager - Create New Entry window.
are unavailable to the current user. The current user has no right-click options.
A Parent of a Protected Folder - A parent of a protected folder can be in one of three states:
- It can contain one or more subfolders protected by the current user - The current user has designated one or more subfolders as protected. All files in the protected subfolders are encrypted. The user is given the option to protect the parent folder.
- It can contain one or more subfolders protected by one or more different users - A different user or users have designated one or more subfolders as protected. All files in the protected subfolders are encrypted, and are unavailable to the current user. The current user has no right-click options.
- It can contain subfolders protected by the current user and one or more different users - Both the current user and one or more different users have designated subfolders as protected. The current user has no right-click options.
A Critical Folder - A critical folder is a folder in a critical path and, therefore, cannot be protected. There are two critical paths: the Windows path and the Client Security path.
Each state is handled differently by the right-click protect folder option.
You should disable File and Folder Encryption before using an application that re-partitions the computer hard drive because these types of applications might interfere with vital FFE operations. Applications that re-partition the hard drive include applications such as PowerQuest PartitionMagic and IBM Rapid Restore Ultra. To disable FFE, complete the following procedure:
1. From the Control Panel, select IBM Client Security Software Subsystem.
2. Click the Configure Application Support and Policies button.
3. Clear the Enable File and Folder protection checkbox.
4. Restart the system.
For more known issues and limitations see 4.9.7, IBM File and Folder Encryption (FFE) Utility known issues on page 158.
5. Select the Create your own password radio button.
6. Enter and verify your new Lotus Notes password in the available fields, and click OK.
Important: When you change your password within Lotus Notes to a value that you have used before, Notes rejects the password change, but does not inform the Client Security Software. Consequently, User Verification Manager stores the password that Notes rejected. If you receive a message indicating that the password has been used before when changing your password within Lotus Notes, you will need to exit Lotus Notes, start the User Configuration Utility, and restore the Lotus Notes password to the value it was before. If your Lotus Notes password was randomly generated, and you get this error, you have no way of knowing what the password was, and therefore you cannot reset it manually. You must request a new ID file from your administrator or restore a previously-saved copy of your ID file.
3. Enter Lotus Notes and switch User IDs. See your Lotus Notes documentation for information on switching User IDs.
4. To set up User Verification Manager protection for the User ID that you have switched to, enter the Lotus Notes Configuration tool (provided by Client Security Software), and set up UVM protection. Refer to 4.5.5, Using User Verification Manager protection for Lotus Notes on page 133.
- Encrypt/Decrypt Setup Configuration File - This function enables the encryption of the setup configuration file for additional security. It will also decrypt the file so that it can be edited.
- Configure Credential Roaming - This function registers this system as a CSS Roaming Server. Once registered, all UVM-authorized users in the network will be able to access their personal data (passphrases, certificate, etc.) on this system.
Note: Make sure you create the new public key in a location other than that which contains the old archive key files.
4. In the Old CSS Archive Key area, type the file name for the old archive private key in the Private Key File field, or click Browse to search for the file.
5. In the Archive Location area, type the file path where the key archive is stored, or click Browse to select the path.
6. Click Next. Note: If the archive key pair was split into multiple files, a message is displayed that asks you to type in the location and name of each file. Click Read Next after you type each file name in the Key File field.
7. A message displays that the operation completed successfully. Click OK.
8. A message displays that the operation is complete. Click Finish.
The following instructions assume that the Administrator Utility has not been damaged by a hard disk drive failure. If a hard disk drive failure has damaged the client security files, you might need to reinstall Client Security Software. To restore encryption keys from a key archive, complete the following Administrator Utility procedure:
Note: If you change the admin key pair after you restore the archive, an error message displays. If this occurs, you must add the users to User Verification Manager, and then request new certificates.
1. Click the Key Configuration button.
2. The Modify Client Key Configuration - Configure Keys screen is displayed. Click the Restore IBM Security Subsystem keys from archive radio button, and click Next.
3. The Modify Client Key Configuration - Restore All IBM Security Subsystem Keys screen is displayed. In the Archive Directory (Path) field, type the file path of the archive directory, or click Browse to search for the directory.
4. In the CSS Archive Public Key File field, type the path and file name of the admin public key, or click Browse to search for the file.
5. In the CSS Archive Private Key File field, type the path and file name of the admin private key, or click Browse to search for the file.
6. Click Next. A message is displayed indicating that the operation completed successfully. Note: If the admin private key was split into multiple files, a message is displayed that asks you to type in the location and name of each file. Click Read Next after you type each file in the Key File field.
7. Click OK.
8. Click Finish.
5. Restart each client to enable the User Verification Manager protection for the Windows logon.
6. Inform the users of the User Verification Manager passphrases that you have set for them and of the authentication requirements that you set in the UVM policy for the IBM client.
Client users can now perform the following tasks:
- Use User Verification Manager protection to lock and unlock the operating system.
- Apply for a digital certificate and choose the Embedded Security Chip as the cryptographic service provider associated with the certificate.
- Use the digital certificate to encrypt e-mail messages created with Outlook Express.
3. Enable User Verification Manager protection for Lotus Notes on both clients. Refer to 4.5.5, Using User Verification Manager protection for Lotus Notes on page 133.
4. Edit and save a User Verification Manager policy for remote clients on client 1, and then copy it to client 2. The User Verification Manager policy would require user authentication for clearing the screen saver, logging on to Lotus Notes, and logging on to the operating system. Refer to 4.6.2, Editing a UVM policy on remote clients on page 135 for details.
5. Restart each client to enable the User Verification Manager protection for the system logon.
6. Inform the client users of the User Verification Manager passphrases and the policy that has been set for each client.
The users can now read the Client Security Software Users Guide to learn how to perform the following tasks:
- Enable the Client Security screen saver
- Use User Verification Manager protection for Windows 2000
Installing prerequisite device drivers on page 108 for details about the software installation.
3. Install the User Verification Manager-aware fingerprint sensors and any associated software on each client. For information about available User Verification Manager-aware products, go to http://www.pc.ibm.com/us/security/secdownload.html on the World Wide Web.
4. Set up user authentication with User Verification Manager on each client. Then, do the following:
- Add users to User Verification Manager by assigning them a User Verification Manager passphrase.
- Set up User Verification Manager protection for the Windows logon on each client.
- Register the fingerprints for each client user. If fingerprint authentication is required on an IBM client, all users of that client must register their fingerprints.
5. Configure the Tivoli Access Manager setup information at each client. For details, see Using Client Security with Tivoli Access Manager.
6. Edit and save a UVM policy for remote clients on one of the clients, and then copy it to the other clients. Set UVM policy so that Tivoli Access Manager will control the following authentication objects:
- Logging on to the operating system
- Acquiring a digital certificate
- Using a digital signature for e-mail messages
For details, refer to 4.6.2, Editing a UVM policy on remote clients on page 135.
7. Restart each client to enable the User Verification Manager protection for the Windows logon.
8. Install the IBM Embedded Security Chip PKCS#11 module onto each client. This module provides cryptographic support on clients that use Netscape for sending and receiving e-mail messages, and the IBM Embedded Security Chip for acquiring digital certificates. For more information, see the Client Security Software Installation Guide.
9. Enable Tivoli Access Manager to control the IBM Client Security Solutions objects that appear in the Tivoli Access Manager Management Console.
10. Inform client users of the User Verification Manager passphrases that have been set and the policy that has been set for each client.
11. Advise client users to read the Client Security Software Users Guide to learn how to perform the following tasks:
- Use User Verification Manager protection to lock and unlock the operating system
- Use the User Configuration Utility
- Apply for a digital certificate that uses the Embedded Security Chip as the cryptographic service provider associated with the certificate
- Use the digital certificate to encrypt e-mail messages created with Netscape
If you did not install the IBM Embedded Security Chip PKCS#11 module for Netscape, a message is displayed that asks if you want to delete shared DLL files that were installed with Client Security Software. Click Yes to uninstall these files, or click No to leave the files installed. Leaving these files installed has no effect on the normal operation of your computer.
9. Click OK after the software is removed. You must restart the computer after uninstalling Client Security Software.
When you uninstall Client Security Software, you remove all installed Client Security software components along with all user keys, digital certificates, registered fingerprints and stored passwords. However, the key archive is not affected when Client Security Software is uninstalled.
4.9 Troubleshooting
This section contains information that an administrator might find helpful when identifying and correcting problems that might arise as you use Client Security Software.
- Enable or disable the IBM Embedded Security Chip
- Clear the IBM Embedded Security Chip
When the IBM Embedded Security Chip is cleared, all encryption keys and certificates stored on the chip are lost. It is necessary to temporarily disable the supervisor password on some ThinkPad models before installing or upgrading Client Security Software. After setting up Client Security Software, set a supervisor password to deter unauthorized users from changing these settings. To set a supervisor password, complete the following procedure:
1. Shut down and restart the computer.
2. When the IBM BIOS Setup Utility prompt appears on the screen, press F1. The main menu of the IBM BIOS Setup Utility opens.
3. Select Password.
4. Select Supervisor Password.
5. Type your password and press Enter.
6. Type your password again and press Enter.
7. Click Continue.
8. Press F10 to save and exit.
After you set a supervisor password, a prompt appears each time you attempt to access the IBM BIOS Setup Utility.
Important: Keep a record of your supervisor password in a secure place. If you lose or forget the supervisor password, you cannot access the IBM BIOS Setup Utility, and you cannot change or delete the password. See the hardware documentation that came with your computer for more information.
Because your security settings are accessible through the Configuration/Setup Utility of the computer, set an administrator password to deter unauthorized users from changing these settings. To set an administrator password:
1. Shut down and restart the computer.
2. When the Configuration/Setup Utility prompt appears on the screen, press F1. The main menu of the Configuration/Setup Utility opens.
3. Select System Security.
4. Select Administrator Password.
5. Type your password and press the down arrow on your keyboard.
6. Type your password again and press the down arrow.
7. Select Change Administrator password and press Enter; then press Enter again.
8. Press Esc to exit and save the settings.
After you set an administrator password, a prompt appears each time you try to access the Configuration/Setup Utility.
Tip: You set a Security Chip password to enable the IBM Embedded Security Chip for a client. After you set a Security Chip password, access to the Administrator Utility is protected by this password. You should protect the Security Chip password to prohibit unauthorized users from changing settings in the Administrator Utility.
Important: Do not clear or disable the IBM Embedded Security Chip when User Verification Manager logon protection is enabled. If you do, you will be completely locked out of the system. To disable User Verification Manager protection, open the Administrator Utility, click Configure Application Support and Policies, and clear the Replace the standard Windows logon with UVM's secure logon check box. You must restart the computer before User Verification Manager protection is disabled.
When the IBM Embedded Security Chip is cleared, all encryption keys and certificates stored on the chip are lost. To clear the IBM Embedded Security Chip, complete the following procedure:
1. Shut down and restart the computer. When prompted to Interrupt the normal startup sequence, press the blue Access IBM button on the keyboard. Note: On some older ThinkPad models, you might need to press the F1 key at power on when prompted to access the IBM BIOS Setup Utility. Refer to the help message at IBM BIOS Setup Utility for details.
2. At the Access IBM Predesktop Area double click Start setup utility.
3. Select Security.
4. Select IBM Security Chip.
5. Select Clear IBM Security Chip.
6. When prompted to Clear encryption keys? Select Yes.
7. Press Enter to continue.
8. Press F10 to save and exit.
9. When prompted to Save configuration changes and exit now. Select Yes.
10. Press Enter to continue.
Important: Do not clear or disable the IBM Embedded Security Chip when User Verification Manager logon protection is enabled. If you do, you will be completely locked out of the system. To disable User Verification Manager protection, open the Administrator Utility, click Configure Application Support and Policies, and clear the Replace the standard Windows logon with UVM's secure logon check box. You must restart the computer before User Verification Manager protection is disabled.
To clear the IBM Embedded Security Chip, complete the following procedure:
1. Shut down and restart the computer. When the Configuration/Setup Utility prompt appears on the screen, press F1. The main menu of the Configuration/Setup Utility opens.
2. Select Security.
3. Select Clear IBM Security Chip.
4. Press Enter.
5. Select Yes.
6. Press Enter.
7. Press Esc to continue.
8. Press F10 to exit and save the settings.
9. Press Yes.
TCPA systems do not distinguish between user passphrases and the administrator password. Any authentication using the IBM Embedded Security Chip adheres to the same policy. The maximum timeout is 4.7 hours. TCPA systems will not delay for longer than 4.7 hours. Non-TCPA systems distinguish between the administrator password and user passphrases. On non-TCPA systems, the administrator password has a 77-minute delay after 10 failed attempts; user passwords have only a one-minute delay after 32 failed attempts, and then the lockout time doubles after every 32 failed attempts.
4.9.7 IBM File and Folder Encryption (FFE) Utility known issues
IBM File and Folder Encryption Utility might encounter a blue screen error when using an application that re-partitions the hard drive. If you encounter a blue screen error, you must disable FFE. Complete the following procedure to recover from the error state:
- Reboot and log on to the system.
- Disable FFE using the Administrator Utility procedure described in , IBM File and Folder Encryption Known issues on page 141.
If the above procedure does not work because your system continues in a blue screen loop, complete the following procedure:
1. Shut down the system from the blue screen.
2. Start the system into Safe Mode by pressing F8 while the BIOS IBM logo screen is displayed during startup.
3. Select Safe Mode from the Windows menu.
4. Log on to Windows.
5. Rename the device driver from ibmfilter.sys to ibmfilter.xxx in the \system32\drivers folder of the Windows installation directory.
6. Reboot the system and log on to the system.
7. Disable FFE using the Administrator Utility procedure described above.

Recovering from a blue screen STOP condition (BSOD) while installing Norton Anti-Virus 2003 application software with Client Security Software
The following procedure guides you through the steps to recover your system after you encounter a blue screen STOP condition (BSOD) while installing the Norton Anti-Virus 2003 (Norton AV 2003) application. With Client Security Software and FFE installed on a system, a Norton Anti-Virus 2003 software installation will terminate with a STOP 0x7A condition. To recover from this condition, complete the following procedure:
1. Restart your computer from the blue screen.
2. When the system has restarted, log on to the system and authenticate with FFE. The Norton Anti-Virus software has only been partially installed. The following message might be displayed from Norton AntiVirus 2003. Note: Do NOT click the OK button in Figure 4-10. This will reboot the system.
3. Click the hyperlink within the message box to go to the Symantec Technical Support Knowledge Base.
4. Find the section labelled NAV installed as a stand-alone product in the middle of the page. Follow the instructions to download and run the Rnav2003.exe removal utility, as follows:
   a. Click the Rnav2003.exe icon to start the download process.
   b. Click Save this program to disk, and then click OK.
   c. Change the location in the Save in field to Desktop, and then click Save.
   d. Click Close when the download is complete.
   e. Double-click the Rnav2003.exe icon on the Desktop to launch the application.
5. On the RNAV Question screen, click No to continue.
6. Select the appropriate version of Norton AntiVirus, and then click OK.
7. Click Yes to start the uninstall procedure. A progress indicator appears while the Rnav2003.exe utility removes Norton AntiVirus files and registry keys.
8. Click No to stop the computer from restarting when the uninstallation is completed.
9. Disable the FFE component through the CSS Administrator Utility, using the following procedure:
   a. Start the Administrator Utility.
   b. Click the Configure Application Support and Policies button.
   c. Uncheck the Enable File and Folder protection checkbox.
   d. Click OK.
10. Restart the computer.
11. Reinstall the Norton AntiVirus 2003 utility.
12. Enable the FFE component through the Administrator Utility. The computer will restart.
Click OK to exit from the window. Do the following:
1. Uninstall the software.
2. Reinstall the software.
Note: If you plan to use the same hardware password to secure the IBM Embedded Security Chip, you do not have to clear the chip and reset the password.

Problem: Installation access is denied due to an unknown hardware password
Symptom: When installing the software on an IBM client with an enabled IBM Embedded Security Chip, the hardware password for the IBM Embedded Security Chip is unknown.
Possible solution: Clear the chip to continue with the installation.

Problem: The setup.exe file does not respond properly (CSS version 4.0x)
Symptom: If you extract all files from the csec4_0.exe file into a common directory, the setup.exe file will not work properly.
Possible solution: Run the smbus.exe file to install the SMBus device driver, and then run the csec4_0.exe file to install the Client Security Software code.

Click the Information item on the Windows Task Bar and continue the procedure.
Problem: An error message displays when you change the admin public key
Symptom: When you clear the Embedded Security Chip and then restore the key archive, an error message might display if you change the admin public key.
Possible solution: Add the users to UVM and request new certificates, if applicable.

Problem: An error message displays when you attempt to recover a UVM passphrase
Symptom: When you change the admin public key and then attempt to recover a UVM passphrase for a user, an error message might display.
Possible solution:
a. If the UVM passphrase for the user is not needed, no action is required.
b. If the UVM passphrase for the user is needed, you must add the user to UVM, and request new certificates, if applicable.

Problem: An error message displays when you try to save the UVM-policy file
Symptom: When you attempt to save a UVM-policy file (globalpolicy.gvm) by clicking Apply or Save, an error message is displayed.
Possible solution: Exit the error message, edit the UVM-policy file again to make your changes, and then save the file.

Problem: An error message displays when you try to open the UVM-policy editor
Symptom: When the current user (logged on to the operating system) has not been added to UVM, the UVM-policy editor will not open.

Problem: An error message displays when you are using the Administrator Utility
Symptom: When you are using the Administrator Utility, the following error message might display: A buffer I/O error occurred while trying to access the Client Security chip. This might be corrected by a reboot.
Problem: A disable chip message is displayed when changing the Security Chip password
Symptom: When you attempt to change the Security Chip password, and you press Enter or Tab>Enter after you type the confirmation password, the Disable chip button will be enabled and a disable chip confirmation message is displayed.
Possible solution: Do the following:
1. Exit from the disable chip confirmation window.
2. To change the Security Chip password, type the new password, type the confirmation password, and then click Change. Do not press Enter or Tab>Enter after you type the confirmation password.

This is a known limitation with Windows XP Home. There is no solution to this problem.

Problem: Different UVM-aware fingerprint sensor does not work properly
Symptom: The IBM ThinkPad computer does not support the interchanging of multiple UVM-aware fingerprint sensors.
Draft Document for Review September 24, 2003 4:11 pm
Table 4-6 Microsoft troubleshooting information

Problem: Screen saver only displays on the local screen
Symptom: When using the Windows Extended Desktop function, the Client Security Software screen saver will only be displayed on the local screen even though access to your system and its keyboard will be protected.
Possible solution: If any sensitive information is being displayed, minimize the windows on your extended desktop before you invoke the Client Security screen saver.

Problem: Windows Media Player files are encrypted rather than being played in Windows XP
Symptom: In Windows XP, when you open a folder and click Play all, the contents of the file will be encrypted rather than played by the Windows Media Player.
Possible solution: To enable the Windows Media Player to play the files, complete the following procedure:
1. Start Windows Media Player.
2. Select all the files in the appropriate folder.
3. Drag the files to the Windows Media Player playlist area.

Problem: Client Security does not work properly for a user enrolled in UVM
Symptom: The enrolled client user might have changed his Windows user name. If that occurs, all Client Security functionality is lost.
Possible solution: Re-enroll the new user name in UVM and request all new credentials.

Problem: Problems reading encrypted e-mail using Outlook Express
Symptom: Encrypted e-mail cannot be decrypted because of the differences in encryption strengths of the Web browsers used by the sender and recipient.
Possible solution: Verify the following:
1. The encryption strength for the Web browser that the sender uses is compatible with the encryption strength of the Web browser that the recipient uses.
2. The encryption strength for the Web browser is compatible with the encryption strength provided by the firmware of Client Security Software.
Problem: Problems using a certificate from an address that has multiple certificates associated with it
Symptom: Outlook Express can list multiple certificates associated with a single e-mail address and some of those certificates can become invalid. A certificate can become invalid if the private key associated with the certificate no longer exists on the IBM Embedded Security Chip of the sender's computer where the certificate was generated.
Possible solution: Ask the recipient to resend his digital certificate; then select that certificate in the address book for Outlook Express.

Problem: Failure message when trying to digitally sign an e-mail message
Symptom: If the composer of an e-mail message tries to digitally sign an e-mail message when the composer does not yet have a certificate associated with his or her e-mail account, an error message displays.
Possible solution: Use the security settings in Outlook Express to specify a certificate to be associated with the user account. See the documentation provided for Outlook Express for more information.

Problem: Outlook Express (128 bit) only encrypts e-mail messages with the 3DES algorithm
Symptom: When sending encrypted e-mail between clients that use Outlook Express with the 128-bit version of Internet Explorer 4.0 or 5.0, only the 3DES algorithm can be used.
Possible solution: To use 128-bit browsers with Client Security Software, the IBM Embedded Security Chip must support 256-bit encryption. If the IBM Embedded Security Chip supports 56-bit encryption, you must use a 40-bit Web browser. You can find out the encryption strength provided by Client Security Software in the Administrator Utility. See Microsoft for current information on the encryption algorithms used with Outlook Express.

Problem: Outlook Express clients return e-mail messages with a different algorithm
Symptom: An e-mail message encrypted with the RC2(40), RC2(64), or RC2(128) algorithm is sent from a client using Netscape Messenger to a client using Outlook Express (128-bit). A returned e-mail message from the Outlook Express client is encrypted with the RC2(40) algorithm.
Possible solution: No action is required. An RC2(40), RC2(64), or RC2(128) encryption request from a Netscape client to an Outlook Express (128-bit) client is always returned to the Netscape client with the RC2(40) algorithm. See Microsoft for current information on the encryption algorithms used with your version of Outlook Express.
Problem: Error message when using a certificate in Outlook Express after a hard disk drive failure
Symptom: Certificates can be restored by using the key restoration feature in the Administrator Utility. Some certificates, such as the free certificates provided by VeriSign, might not be restored after a key restoration.
Possible solution: After restoring the keys, do one of the following:
- Obtain new certificates.
- Register the certificate authority again in Outlook Express.

Problem: Outlook Express does not update the encryption strength associated with a certificate
Symptom: When a sender selects the encryption strength in Netscape and sends a signed e-mail message to a client using Outlook Express with Internet Explorer 4.0 (128-bit), the encryption strength of the returned e-mail might not match.
Possible solution: Delete the associated certificate from the address book in Outlook Express. Open the signed e-mail again and add the certificate to the address book in Outlook Express.

Problem: A decryption error message displays in Outlook Express
Symptom: You can open a message in Outlook Express by double-clicking it. In some instances, when you double-click an encrypted message too quickly, a decryption error message appears. Also, a decryption error message might display in the preview pane when you select an encrypted message.
Possible solution: Close the message, and open the encrypted e-mail message again. If an error message appears in the preview pane, no action is required.

Problem: An error message displays when you click the Send button twice on encrypted e-mails
Symptom: When using Outlook Express, if you click the Send button twice to send an encrypted e-mail message, an error message displays stating that the message could not be sent.
Possible solution: Close the error message and click the Send button once.

Problem: An error message displays when you request a certificate
Symptom: When using Internet Explorer, you might receive an error message if you request a certificate that uses the IBM Embedded Security Chip CSP.
Problem: Failure message when trying to digitally sign an e-mail message
Symptom: When the IBM Embedded Security Chip certificate has not been selected in Netscape Messenger, and the writer of an e-mail message tries to sign the message with the certificate, an error message displays.

Problem: An e-mail message is returned to the client with a different algorithm
Symptom: An e-mail message encrypted with the RC2(40), RC2(64), or RC2(128) algorithm is sent from a client using Netscape Messenger to a client using Outlook Express (128-bit). A returned e-mail message from the Outlook Express client is encrypted with the RC2(40) algorithm.
Problem: Unable to use a digital certificate generated by the IBM Embedded Security Chip
Symptom: The digital certificate generated by the IBM Embedded Security Chip is not available for use.
Possible solution: Verify that the correct UVM passphrase was typed when Netscape was opened. If you type the incorrect UVM passphrase, an error message displays stating an authentication failure. If you click OK, Netscape opens, but you will not be able to use the certificate generated by the IBM Embedded Security Chip. You must exit and re-open Netscape, and then type the correct UVM passphrase.

Problem: New digital certificates from the same sender are not replaced within Netscape
Symptom: When a digitally signed e-mail is received more than once from the same sender, the first digital certificate associated with the e-mail is not overwritten.
Possible solution: If you receive multiple e-mail certificates, only one certificate is the default certificate. Use the security features in Netscape to delete the first certificate, and then re-open the second certificate or ask the sender to send another signed e-mail.

Problem: Cannot export the IBM Embedded Security Chip certificate
Symptom: The IBM Embedded Security Chip certificate cannot be exported in Netscape. The export feature in Netscape can be used to back up certificates.
Possible solution: Go to the Administrator Utility or User Configuration Utility to update the key archive. When you update the key archive, copies of all the certificates associated with the IBM Embedded Security Chip are created.

Problem: Error message when trying to use a restored certificate after a hard disk drive failure
Symptom: Certificates can be restored by using the key restoration feature in the Administrator Utility. Some certificates, such as the free certificates provided by VeriSign, might not be restored after a key restoration.
Possible solution: After restoring the keys, obtain a new certificate.

Problem: Netscape agent opens and causes Netscape to fail
Symptom: Netscape agent opens and closes Netscape.

Problem: Netscape delays if you try to open it
Symptom: If you add the IBM Embedded Security Chip PKCS#11 module and then open Netscape, a short delay will occur before Netscape opens.
Problem: Tivoli Access Manager setup settings are not accessible
Symptom: Tivoli Access Manager setup and local cache setup settings are not accessible on the Policy Setup page in the Administrator Utility.
Possible solution: Install the Tivoli Access Manager Runtime Environment. If the Runtime Environment is not installed on the IBM client, the Tivoli Access Manager settings on the Policy Setup page will not be available.

Problem: A user's control is valid for both the user and the group
Symptom: When configuring the Tivoli Access Manager server, if you define a user to a group, the user's control is valid for both the user and the group if the Traverse bit is on.
Possible solution: No action is required.

Possible solution (the problem and symptom of this row were not captured): Retry the password change. If this does not work, restart the client.
Problem: An error message displays after you randomly generate a password
Symptom: An error message might display when you do the following:
- Use the Lotus Notes Configuration tool to set UVM protection for a Notes ID
- Open Notes and use the function provided by Notes to change the password for the Notes ID file
- Close Notes immediately after you change the password
Possible solution: Click OK to close the error message. No other action is required. Contrary to the error message, the password has changed. The new password is a randomly generated password created by Client Security Software. The Notes ID file is now encrypted with the randomly generated password, and the user does not need a new User ID file. If the end user changes the password again, UVM will generate a new random password for the Notes ID.
Draft Document for Review September 24, 2003 4:11 pm

Table 4-12 UVM-aware device troubleshooting

Problem: A UVM-aware device stops working properly
Symptom: When you disconnect a UVM-aware device from a Universal Serial Bus (USB) port, and then reconnect the device to the USB port, the device might not work properly.
Possible solution: Restart the computer after the device has been reconnected to the USB port.
Chapter 5. Scenarios Implementing ThinkVantage Technologies
Table 5-1 TVT migration process steps

Process step: 1.) Image creation
ThinkVantage tool used: ImageUltra Builder
To do:
1. Choose the image type you want to use with ImageUltra Builder.
2. Integrate the System Migration Assistant as a software module into your ImageUltra Builder image.
3. Integrate the Web-D client as a software module into your ImageUltra Builder image.
4. Integrate the Software Delivery Assistant as a software module into your ImageUltra Builder image.
5. Integrate the Asset Depot client as a software module into your ImageUltra Builder image.
6. Integrate Access IBM as a software module into your ImageUltra Builder image.
7. Integrate Access Connections as a software module into your ImageUltra Builder image. Keep in mind that Access Connections is only supported on specific ThinkPads. Refer to Using ThinkVantage Technologies: Volume 1 Creating and Deploying Client Systems, SG24-7045.
8. Integrate the Embedded Security Subsystem into your ImageUltra Builder image as follows: create driver modules for the SM bus driver and the LPC bus driver, and create a software module for IBM Client Security Software. Refer to Supported IBM models on page 103 for the IBM systems on which ESS can be installed.

Process step: 2.) User data and user settings migration
ThinkVantage tool used: System Migration Assistant
To do:
1. Install System Migration Assistant on the old PC system.
2. Run System Migration Assistant.
3. Place the SMA profile file on a network share.

Process step: 3.) Image deployment
ThinkVantage tool used: ImageUltra Builder
To do: We have several possibilities to deploy the image to a client system:
1. Creating an ImageUltra Builder boot floppy.
2. Creating an ImageUltra Builder distribution CD set.
3. Creating a custom network boot floppy.
4. Creating your own network deployment boot floppy.
5. With Remote Deployment Manager we have the possibility to replace the boot floppy: we can remotely wake up a PC system, send a virtual boot floppy to it and deploy the image.
When the image is deployed to the service partition on a PC system, the installation process starts automatically from the service partition on the local PC system.

Process step: 5.) Software distribution
ThinkVantage tool used: Web-D, Software Delivery Assistant
To do: We have two possible tools to use for software distribution; which tool is best depends on the needs of the customer. Distribute and install Rapid Restore Ultra with Web-D or SDA. Rapid Restore will do a base backup after the installation.

ThinkVantage tool used: System Migration Assistant
To do:
1. Run System Migration Assistant on the client system.
2. Restore the SMA profile file from the network share.

ThinkVantage tool used: Rapid Restore Ultra
To do: When the user data and settings are correctly on the client system, run Rapid Restore to create the first incremental backup.

Process step: 8.) Inventory
ThinkVantage tool used: Asset Depot
To do: Run or schedule the Asset Depot agent on the client system.

These are some necessary steps to perform for a successful migration of PC systems with ThinkVantage Technology tools.
Table 5-2 TVT rollout process steps

Process step: 1.) Image creation
ThinkVantage tool used: ImageUltra Builder
To do: When a customer purchases new IBM hardware, we have the advantage that we can import the service partition from the systems. In this case we use ultra-portable images.
1. Import service partitions from the systems and create the corresponding operating system, driver and application modules.
2. Integrate the Web-D client as a software module into your ImageUltra Builder image.
3. Integrate the Software Delivery Assistant as a software module into your ImageUltra Builder image.
4. Integrate the Asset Depot client as a software module into your ImageUltra Builder image.
5. Integrate Access Connections as a software module into your ImageUltra Builder image. Keep in mind that Access Connections is only supported on specific ThinkPads. Refer to Using ThinkVantage Technologies: Volume 1 Creating and Deploying Client Systems, SG24-7045.
6. Integrate the Embedded Security Subsystem into your ImageUltra Builder image as follows: create driver modules for the SM bus driver and the LPC bus driver, and create a software module for IBM Client Security Software. Refer to Supported IBM models on page 103 for the IBM systems on which ESS can be installed.

ThinkVantage tool used: ImageUltra Builder
To do: We have several possibilities to deploy the image to a client system:
1. Creating an ImageUltra Builder boot floppy.
2. Creating an ImageUltra Builder distribution CD set.
3. Creating a custom network boot floppy.
4. Creating your own network deployment boot floppy.
5. With Remote Deployment Manager we have the possibility to replace the boot floppy: we can remotely wake up a PC system, send a virtual boot floppy to it and deploy the image.
When the image is deployed to the service partition on a PC system, the installation process starts automatically from the service partition on the local PC system.

Process step: 4.) Software distribution
ThinkVantage tool used: Web-D, Software Delivery Assistant
To do: We have two possible tools to use for software distribution; which tool is best depends on the needs of the customer. Distribute and install Rapid Restore Ultra with Web-D or SDA. Rapid Restore will do a base backup after the installation.

Process step: 5.) Prepare the system for the user
To do: Bring the PC system to the end user and finalize the configuration.

Process step: 6.) Backup
ThinkVantage tool used: Rapid Restore Ultra
To do: When the user data and settings are correctly on the client system, run Rapid Restore to create the first incremental backup.

Process step: 7.) Inventory
ThinkVantage tool used: Asset Depot
To do: Run or schedule the Asset Depot agent on the client system.

These are some necessary steps to perform for a successful rollout of PC systems with ThinkVantage Technology tools.
Tool used: Help Desk Tool, Asset Depot
Action:
2.) The help desk opens a trouble ticket for the problem in the Help Desk tool. Based on the inventory information from Asset Depot, the supporter can see what PC system the user has and what software and versions are installed on the user's computer.
3.) The help desk accesses the user's computer remotely to see the problem.
4.) The help desk decides to reinstall Outlook.
5.) The help desk starts SMA to back up the user's desktop settings and data.
6.) The help desk uses Web-D to reinstall Outlook on the user's computer.
7.) The help desk restores the user's settings and data with SMA.
8.) The help desk starts Outlook and checks the settings and whether everything is working correctly.
9.) The help desk initiates an incremental backup with RRU.
10.) The help desk closes the trouble ticket.
unencrypted file. The opposite is also true for restoring encrypted files that could overwrite the unencrypted version.
1. Select No for Direct network install under the Network Options tab of the Map Settings window of your base map (Figure 5-1). This ensures that ImageUltra Builder creates the service partition and uses it as a staging area during installation.
2. In the Partition tab of the Map Settings window, reserve extra space in the service partition for Rapid Restore Ultra use (Figure 5-2). This saves a substantial amount of time during the Rapid Restore Ultra installation, because Rapid Restore Ultra will not have to resize the service partition during its initial backup.
Generally, reserving 20 to 40 percent of the total hard disk space for the service partition is adequate for most situations.
3. In the Image cleanup tab of the Map Settings window you have three choices to define the behavior of the target computer's service partition after the image deployment: Delete none, Delete unused and Delete all (Figure 5-3). Do not select the Delete all option. For Rapid Restore Ultra to reuse the service partition, the service partition must not be deleted by ImageUltra Builder after it has finished using it.
page 40) to a temporary directory X on the ImageUltra Builder system. Configure the custom settings for Rapid Restore Ultra as discussed in Section 2.4.2, Customizing Rapid Restore install options on page 42. Also make sure to include the full silent install customizations as described in section Full silent install settings on page 48. Extract the files rru1.reg, rru2.reg, rru3.bat and rru3-2.bat from the IUB2AltMethod.zip package (see Appendix B, Additional material on page 215) to this temporary location X. In ImageUltra Builder, create an application module with settings to copy the files from location X to the folder C:\IBMTOOLS\APPS\RRU3.
b. To create the second module, extract the file Install Rapid Restore Ultra.lnk from IUB2AltMethod.zip to a temporary location. In ImageUltra Builder, create a module that will copy this file to the folder C:\Documents and Settings\All Users\Desktop.
2. ImageUltra Builder provides a filter and a utility for Rapid Restore Ultra that make both the ImageUltra recovery menu and the Rapid Restore Ultra recovery menu appear when the F11 key is pressed during system startup. Steps to include the ImageUltra 2.0 - Rapid Restore filter and the ImageUltra 2.0 - Rapid Restore utility in the base map of your image:
a. Insert a new menu item directly under the base map root entry and name it IBM Rapid Restore Recovery as shown in Figure 5-4.
b. Associate the ImageUltra 2.0 - Rapid Restore utility (Figure 5-5) and the ImageUltra 2.0 - Rapid Restore filter (Figure 5-6) with the menu item created in the step above.

Note: Including the Rapid Restore specific filter and utility in the base map of your ImageUltra Builder image is important. If this is not done, pressing F11 during system startup will only activate the ImageUltra recovery program, and the Rapid Restore Ultra recovery console will not be accessible through the F11 interface.

3. After deployment of the ImageUltra Builder image on the end-user system, the user can click the Rapid Restore Ultra install icon located on the Desktop to start the installation.

Caution: Do not install Rapid Restore Ultra as a part of the image installation process. It should be installed after the image installation process is complete.
The custom install package should be configured for full silent installation. See section Silent install settings on page 48, along with the other customization options discussed in 2.4.2, Customizing Rapid Restore install options on page 42.

Steps:
1. Create a batch file rruinst.bat in the folder c:\rru of INSTSVR with the following content:

REM map the RRU package as a network drive
SET drive=X
net use %drive%: \\INSTSVR\RRU
REM launch RRU setup by running the setup file in silent install mode
%drive%:\setup.exe -s
2. In the IBM Director management console, create a new process task. To do this, double-click Process tasks under the Process management category in the right pane. A new Process task creation window appears. Fill in the details similar to those shown in Figure 5-7. Save the process task as Rapid Restore Ultra Install.
3. The created task is shown in the console window (Figure 5-8).
Figure 5-8 IBM Director console showing Rapid Restore Install task in right pane
4. Drag and drop the Rapid Restore Ultra Install task (right pane) onto the client system entry (in the middle pane). Select Execute now to start the install.
Save the information and close the window. Rapid Restore Ultra is now added to the IBM Director software dictionary.
2. In Options -> Server preferences -> Inventory collection preferences, enable Collect software data. This is required because by default IBM Director does not collect software inventory details of a client system during the inventory collection process.
3. Collect the inventory details of all systems. To do this, right-click All systems and devices (in the left pane) and select Perform inventory collection. After the inventory collection has completed, verify that Rapid Restore Ultra appears under the software category of the collected inventory data for systems that have Rapid Restore Ultra installed (Figure 5-10).
Figure 5-11 Create dynamic group of systems with Rapid Restore Ultra
2. Click the Add button. Save the group as All systems with Rapid Restore and close the window. The new group appears in the left pane of the Director console (Figure 5-12).
5.4.4 Receive alert when Rapid Restore is not active on client system
IBM Director has extensive monitoring capability. The example below shows how you can monitor the Rapid Restore agent and receive an alert if the Rapid Restore agent is stopped on a client system. The alert functionality can further be customized to monitor Rapid Restore Ultra uninstall events, or to create an auto-response that reactivates the Rapid Restore agent if it has been stopped.
1. Drag and drop the Process Management task (right pane) onto one of the client systems belonging to the group All systems with Rapid Restore (middle pane).
2. In the process management window, select the Application tab. Locate and select the process c:\program files\xpoint\pe\pcrecsa.exe as shown in Figure 5-13.
3. Right-click the selected process and click Add to monitors. The process monitor for pcrecsa.exe has been added. Close the window.
4. In the IBM Director console, drag and drop the Process monitor task (located under Process management in the right pane) onto one of the clients under All systems with Rapid Restore (middle pane).
5. Select Stop and save the process monitor (Figure 5-14).
6. To verify that the alert is working, log on to the client system as Administrator and, in Windows Task Manager, end the process pcrecsa.exe. Then check in the IBM Director management console whether an alert has been received. To view event alerts, drag and drop the Event log task (in the right pane) onto All systems with Rapid Restore (left pane) in the Director console. You will see an event log window as shown in Figure 5-15, including the alert message informing that pcrecsa.exe is stopped on the client system.
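The monitor and auto-response this section describes, as an added PowerShell example that is not part of the redbook and does not use IBM Director: run on the client, it checks whether the pcrecsa.exe process and the IBM Rapid Restore Ultra Service are running, writes an alert line when they are not (or when the service is gone, which is what an uninstall looks like), and can optionally restart the service. The log file path and the alert wording are assumptions; the process and service names are the ones used in this chapter and in RRUTIME.BAT.

```powershell
# Added example (not from the redbook or from IBM Director). Process and service
# names are those used in this chapter and in RRUTIME.BAT; the log path is assumed.
param(
    [switch]$AutoRestart,
    [string]$LogPath = "$env:ProgramData\rru-monitor.log"   # assumed location
)

$ProcessName = 'pcrecsa'                          # c:\program files\xpoint\pe\pcrecsa.exe
$ServiceName = 'IBM Rapid Restore Ultra Service'  # display name stopped/started by RRUTIME.BAT

function Get-RruAgentState {
    # Report the agent process and the service separately: a stopped service
    # and a removed one (NotInstalled) need different responses.
    $proc = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
    $svc  = Get-Service -DisplayName $ServiceName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        Time           = Get-Date -Format 's'
        ProcessRunning = [bool]$proc
        ServiceStatus  = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
    }
}

function Write-RruAlert {
    param([string]$Message)
    # One line per alert so a central collector can grep for RRU-ALERT.
    $line = "{0} {1} RRU-ALERT {2}" -f (Get-Date -Format 's'), $env:COMPUTERNAME, $Message
    Add-Content -Path $LogPath -Value $line
    Write-Warning $line
}

$state = Get-RruAgentState

if ($state.ServiceStatus -eq 'NotInstalled') {
    # Corresponds to the "uninstall event" case in the text: nothing to restart.
    Write-RruAlert 'Rapid Restore Ultra service not present (agent uninstalled?)'
} elseif (-not $state.ProcessRunning -or $state.ServiceStatus -ne 'Running') {
    Write-RruAlert ("agent stopped: process running={0}, service={1}" -f
                    $state.ProcessRunning, $state.ServiceStatus)
    if ($AutoRestart) {
        # Auto-response: bring the service back and re-check once.
        Start-Service -DisplayName $ServiceName -ErrorAction SilentlyContinue
        Start-Sleep -Seconds 5
        $after = Get-RruAgentState
        if ($after.ProcessRunning -and $after.ServiceStatus -eq 'Running') {
            Write-RruAlert 'agent restarted successfully'
        } else {
            Write-RruAlert 'agent restart failed; manual intervention required'
        }
    }
} else {
    Write-Verbose ("Rapid Restore agent healthy on {0}" -f $state.Computer)
}
```

Scheduled every few minutes with -AutoRestart, the script gives the same stop-and-reactivate behaviour the text describes for a Director auto-response, with the alert history kept in the log file.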
Figure 5-16 Creating a process task for changing schedule time of backups
6. Drag and drop the Rapid Restore backup schedule change task (right pane) onto the client system entry (middle pane) to initiate a backup schedule change (Figure 5-17).
Figure 5-17 Process task to change schedule of backups shown in right pane
Figure 5-19 Process task for incremental backup listed in right pane
4. Drag and drop the Rapid Restore incremental backup task (right pane) onto the client system entry (middle pane) to initiate the incremental backup. Note that although the task status is shown as complete in the Director console after the execution of the script (incbckup.bat), the backup operation will still be in progress on the client system.
Restore Ultra installed. In our example, we have used IBM RDM v4.1. RDM 4.1 is not included with IBM Director 4.1 and has to be purchased separately. The prerequisite for RDM 4.1 is that IBM Director v4.1 is installed. RDM 4.1 has no separate Windows GUI and is managed through the IBM Director 4.1 management console. We assume that you are already familiar with IBM Director and RDM. Figure 5-20 shows the RDM menu in the IBM Director console.
5.5.2 Procedure
IBM RDM provides a basic scan image (dos71s) that boots the client system into DOS and gets the system inventory details. It also sets up network connectivity on the client and provides a Trivial FTP (TFTP) program called mtftp.exe to facilitate the download of files from the RDM server to the client. We use the dos71s scan image and a set of batch files to execute Rapid Restore backup/restore using the Rapid Restore Ultra DOS commands. The process we follow for backup and for restore is very similar. We therefore describe the process for the backup operation and, along the way, point out where the restore process differs.
1. Create an RDM task for the backup (or restore) process. In the right pane of the Director console, select Remote Deployment Manager -> Scan. Right-click it and select Create new task. Enter contents similar to those shown in Figure 5-21 and Figure 5-22.
Each task is associated with a commandlist shown in Figure 5-22. The commandlist after our changes looks like this:

;This is command list for RRU backup/restore task
BOOTTYPE !LOADDOS /ENVIRONMENT/DOS71S
WAKE
!!setenv
!scan.bat
HandleScanOutput
HandleUserPrompt
!mtftp get 10.1.1.1 TEMPLATE\%TASKTEMPLATEID%\%TASKTOID%\RRUJOB.BAT RRUJOB.BAT
!rrujob.bat
;Reboot the system to start backup or restore on next boot
!!REBOOT

Note that we have removed the command !!SHUTDOWN and instead added !!REBOOT to the commandlist script. Also, we have given a dummy IP address for the RDM server (10.1.1.1); you will need to change it. After the changes are done, click OK. The task RRU base backup and/or RRU base restore you created appears under Remote Deployment Manager -> Scan in the right pane of the Director console (Figure 5-20). To locate the folder where the commandlist script for the task created above is stored, right-click the task item in the Director console and select Edit task. In the task window that opens, select Task Folder under the Advanced tab. Make a note of the task folder location specified there. Let us call it X. Copy the script files listed below to this location X (the script files are described in Appendix A, Rapid Restore batch files on page 209):
RRUJOB.BAT
PREPARE.BAT
BACKUP.BAT
RESTORE.BAT
CLEANUP.BAT
2. Edit the batch file RRUJOB.BAT as follows:
a. Change the SERVER_IP variable value.
b. If the current task is to do a restore operation, change the parameter value passed to the prepare.bat call to restore.
3. To assign the RRU base backup or RRU base restore script task to a client system, drag and drop the task item onto the client entry (in the middle pane).
4. When the task is executed, it does the following:
a. Wakes up the selected Rapid Restore Ultra client system.
b. Runs the scan image on the client system.
c. Gets the next command from the RDM server (as per the commandlist script), which is to fetch the batch file RRUJOB.BAT (using the mtftp program) from the RDM server onto the client system and execute it.
d. RRUJOB.BAT is a small batch file that fetches the PREPARE.BAT file from the RDM server and executes it with the parameter backup or restore. PREPARE.BAT distinguishes the task (backup or restore) based on the parameter it is called with. PREPARE.BAT gets the file backup.bat (or restore.bat) from the RDM server and copies it as autoexec.bat (the original autoexec.bat is saved as autoexec.rr) in the IBM_SERVICE partition. PREPARE.BAT also sets the boot manager on the client system to boot to the IBM_SERVICE partition on the next boot.
e. The last command in the commandlist script of the task makes the client system reboot. With this the RDM task is finished; however, the actual backup (or restore) operation begins on reboot.
5. On reboot, the client system does a network boot and, since there are no pending tasks, RDM directs the client system to do a local boot. The Rapid Restore boot manager then takes control of the system and boots to the IBM_SERVICE partition. The autoexec.bat is executed (it is the backup.bat or restore.bat file we copied in the previous step). The backup or restoration process takes place now. The autoexec.bat file finishes execution by finally calling the cleanup.bat file.
This completes the base backup or the restore operation. RESTORE.BAT and BACKUP.BAT are the script files that execute the Rapid Restore DOS command lastboot.exe with the appropriate parameters to do a base backup or a base restore. A point to note here is that using RDM, you can do most of the operations that Rapid Restore's DOS command line tools (lastboot.exe, bmgr.exe and recrtsp.exe) allow you to do. To learn about more operations that these tools allow, run them with the /h or /? parameter (try these options on test systems first, and only when you are sure what the option does). Since RDM only allows you to implement the DOS-based features of Rapid Restore Ultra, you cannot do Rapid Restore Ultra's Windows-based functions such as scheduled backups or incremental backups. You can however use IBM Director process tasks to implement most of the Windows-based features of Rapid Restore Ultra (see Section 5.4, Integrating Rapid Restore Ultra with IBM Director on page 189).
called esdsetup.exe. This setup can be included as part of the image and run silently using the following command:

esdsetup.exe /s
uninstall old versions of software on client systems. Web-D will then push the new versions of software to the client systems. The following figure shows an example of a software change management process. This feature will be available in a future release of Web-D and Asset Depot.
Figure 5-24 Software change management scenario (components shown: client system with Web-D and Asset Depot agent; database with Web-D and Asset Depot):
- The client agent collects data on the client system and sends it to the Asset Depot Web server.
- Web-D checks the software inventory from Asset Depot and compares it with a software catalog to see if software updates are available. If any software update needs to be done, Web-D sends a command to the Web-D agent on the client system.
- The Web-D agent picks up the new software package.
Appendix A. Rapid Restore batch files
INCBCKUP.BAT
RRUJOB.BAT
PREPARE.BAT
BACKUP.BAT
Name of the batch file: RESTORE.BAT
Use: This batch file does the Rapid Restore Ultra restore from the base backup image in DOS mode. After completion of the base restore, it calls the CLEANUP.BAT file.

Name of the batch file: CLEANUP.BAT
Use: This batch file resets the IBM_SERVICE partition autoexec.bat file following a Rapid Restore Ultra backup or restore operation through RDM.
RRUTIME.BAT
@echo off
REM =======================================================
REM Setup Environment
REM =======================================================
SET DRIVE=X
SET RRU_SERVICE=NO
SET path=%path%;C:\Program Files\xpoint\pe;c:\Program Files\xpoint\pe\skin
NET USE %DRIVE%: \\INSTSVR\RRUTOOLS
REM =======================================================
REM Change to the xpoint\pe directory
REM =======================================================
c:
cd\"Program Files\Xpoint\PE"
REM =======================================================
REM Determine if the Service is Running
REM =======================================================
net stop "IBM Rapid Restore Ultra Service"
:: ERRORLEVEL=0 if it stops (i.e. is there)
:: ERRORLEVEL=2 if it does not stop (i.e. is not there)
:: IF ERRORLEVEL n is true for any errorlevel >= n
if errorlevel 2 goto noservice
:: =======================================================
:: The service is running so do the work for the service
:: =======================================================
SET RRU_SERVICE=YES
:: "c:\Program Files\Xpoint\PE\skin\uninstall.bat"
regsvr32 /s /u RRBackupInfo.ocx
regsvr32 /s /u RRFileTypes.ocx
regsvr32 /s /u RRName.ocx
regsvr32 /s /u RRPie.ocx
regsvr32 /s /u RRProgress.ocx
regsvr32 /s /u RRTime.ocx
regsvr32 /s /u RRTree.ocx
regsvr32 /s /u RRTreeSummaryExclude.ocx
start /WAIT rrpcsb -unregserver
u.exe
:: ========================================
:: get ini file from the MBR
:: ========================================
start /WAIT pcrecsa bini -fetch
:: ========================================
:: edit the ini file
:: ========================================
start /WAIT %DRIVE%:\rrpcedit pcrec.ini %DRIVE%:\time.mod
:: ========================================
:: save the ini file
:: ========================================
start /WAIT pcrecsa bini -flush
:: "c:\Program Files\Xpoint\PE\skin\install.bat"
regsvr32 /s RRBackupInfo.ocx
regsvr32 /s RRFileTypes.ocx
regsvr32 /s RRName.ocx
regsvr32 /s RRPie.ocx
regsvr32 /s RRProgress.ocx
regsvr32 /s RRTime.ocx
regsvr32 /s RRTree.ocx
regsvr32 /s RRTreeSummaryExclude.ocx
start /WAIT rrpcsb -service
net start "IBM Rapid Restore Ultra Service"
goto end
:noservice
:: =======================================================
:: The service is NOT running so do the work for
:: no service running
:: =======================================================
:: ========================================
:: get ini file from the MBR
:: ========================================
start /WAIT pcrecsa bini -fetch
:: ========================================
:: edit the ini file
:: ========================================
start /WAIT %DRIVE%:\rrpcedit pcrec.ini %DRIVE%:\time.mod
:: ========================================
:: save the ini file
:: ========================================
start /WAIT pcrecsa bini -flush
:end
:: =======================================================
:: Cleanup after the work is done
:: =======================================================
NET USE %DRIVE%: /d
INCBCKUP.BAT
@echo off
Rem set the current folder
c:
cd\"Program Files\Xpoint\PE"
set path=%path%;.
Rem start a new incremental backup
f11exec.exe /BC /GUI
Rem incremental backup started..
RRUJOB.BAT
SET SERVER_IP=10.1.1.1
SET SRC_FILE_PATH=template\%TASKTEMPLATEID%\%TASKTOID%
mtftp get %SERVER_IP% %SRC_FILE_PATH%\prepare.bat prepare.bat
call prepare.bat backup
PREPARE.BAT
Rem **************************************************************
Echo RRU-RDM Integration Backup/Restore
Echo Creating logfile >a:\rru.log
Echo ======================================= >>a:\rru.log
Set >> a:\rru.log
Rem SERVER_IP and SRC_FILE_PATH are already set in batch file RRUJOB.BAT
Echo ======================================= >>a:\rru.log
Echo Determine which operation is to be performed >>a:\rru.log
if %1 == backup set batfile=backup.bat
if %1 == restore set batfile=restore.bat
Echo = Operation set to: %batfile% >>a:\rru.log
Echo. >>a:\rru.log
Echo ======================================= >>a:\rru.log
Echo Detecting IBM Service partition >>a:\rru.log
if exist c:\lastboot.exe set drive=C:
if exist d:\lastboot.exe set drive=D:
if exist e:\lastboot.exe set drive=E:
if exist f:\lastboot.exe set drive=F:
Echo = IBM Service partition set to: %drive% >>a:\rru.log
Echo. >>a:\rru.log
Echo ======================================= >>a:\rru.log
Echo Prepare autoexec.bat in SP to perform operation >>a:\rru.log
copy %drive%\autoexec.bat %drive%\autoexec.rr >>a:\rru.log
mtftp get %SERVER_IP% %SRC_FILE_PATH%\%batfile% %drive%\autoexec.bat
Echo. >>a:\rru.log
Echo ======================================= >>a:\rru.log
Echo Prepare the restoration of Autoexec.bat in the SP >>a:\rru.log
Echo to original after the selected operation has been performed >>a:\rru.log
mtftp get %SERVER_IP% %SRC_FILE_PATH%\cleanup.bat %drive%\cleanup.bat
Echo. >>a:\rru.log
Echo ======================================= >>a:\rru.log
Echo Set client to boot to the Service Partition at next boot >>a:\rru.log
%drive%\bmgr.exe /BS >>a:\rru.log
Echo. >>a:\rru.log
Echo ======================================= >>a:\rru.log
Echo RRU preparation completed. The client will now reboot to service partition
Echo to initiate the operation...
Echo Copying the log file to the server folder C:\PROGRAM FILES\IBM\RDM\TEMP
mtftp put %SERVER_IP% a:\rru.log RRU.log
sleep 10
BACKUP.BAT
Rem perform the base backup and do not reboot
c:\lastboot.exe /I /NR
Rem Restore IBM Service Partition settings
cleanup.bat
RESTORE.BAT
Rem perform the base restore and do not reboot
c:\lastboot.exe /RA /NR
Rem reset IBM Service Partition
cleanup.bat
CLEANUP.BAT
Rem Reset IBM Service Partition
Rem Service Partition will always be C: when booting from Service Partition
erase c:\autoexec.bat
copy c:\autoexec.rr autoexec.bat
erase c:\autoexec.rr
rem reboot the machine
c:\lastboot /B
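The a:\rru.log that PREPARE.BAT builds and uploads to the RDM server as RRU.log is the only record of what the preparation step decided before the client reboots into the service partition. The following Python check is an added example, not part of the redbook or of the RRU-RDM scripts; it parses a constructed log in that format and flags the two cases the batch file does not guard against: an unrecognised %1 (so %batfile% expands to nothing) and no lastboot.exe found on C: through F: (so %drive% expands to nothing). The sample log lines and the 192.0.2.10 server address are constructed.

```python
import re

# Constructed sample of the a:\rru.log that PREPARE.BAT writes and then uploads
# to the RDM server as RRU.log. Lines mirror the script's Echo statements; the
# environment dump produced by "Set >> a:\rru.log" is cut down to two variables.
SAMPLE_LOG_OK = """Creating logfile
=======================================
SERVER_IP=192.0.2.10
SRC_FILE_PATH=rru
=======================================
Determine which operation is to be performed
= Operation set to: backup.bat

=======================================
Detecting IBM Service partition
= IBM Service partition set to: C:

"""

# Same log for a run where %1 was neither "backup" nor "restore" and no
# lastboot.exe was found on C: through F:, so both variables expanded to nothing.
SAMPLE_LOG_BAD = (SAMPLE_LOG_OK
                  .replace("= Operation set to: backup.bat", "= Operation set to: ")
                  .replace("= IBM Service partition set to: C:",
                           "= IBM Service partition set to: "))

# [ \t]* rather than \s* so an empty value cannot swallow the following line.
OPERATION_RE = re.compile(r"^= Operation set to:[ \t]*(\S*)[ \t]*$", re.M)
DRIVE_RE = re.compile(r"^= IBM Service partition set to:[ \t]*([A-Za-z]:)?[ \t]*$", re.M)
ENV_RE = re.compile(r"^(SERVER_IP|SRC_FILE_PATH)=(.*)$", re.M)
VALID_BATFILES = {"backup.bat", "restore.bat"}

def check_rru_log(text):
    """Parse one RRU.log and report the operation, the drive and any problems."""
    problems = []
    m = OPERATION_RE.search(text)
    operation = m.group(1).lower() if m else ""
    if operation not in VALID_BATFILES:
        problems.append("operation not set: %1 was not 'backup' or 'restore'")
    m = DRIVE_RE.search(text)
    drive = m.group(1).upper() if m and m.group(1) else ""
    if not drive:
        problems.append("service partition not detected: no lastboot.exe on C: to F:")
    env = dict(ENV_RE.findall(text))
    for name in ("SERVER_IP", "SRC_FILE_PATH"):
        if not env.get(name, "").strip():
            problems.append(f"{name} missing: RRUJOB.BAT did not set it before PREPARE.BAT")
    return {"operation": operation, "drive": drive, "problems": problems,
            "ok": not problems}

if __name__ == "__main__":
    for label, log in (("good run", SAMPLE_LOG_OK), ("bad run", SAMPLE_LOG_BAD)):
        result = check_rru_log(log)
        print(label, "OK" if result["ok"] else "PROBLEMS", result["problems"])
```

Running this over the RRU.log files collected in C:\PROGRAM FILES\IBM\RDM\TEMP shows which clients rebooted into the service partition without a usable operation or drive letter.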
Appendix B. Additional material
This redbook refers to additional material that can be downloaded from the Internet as described below.
Select the Additional materials and open the directory that corresponds with the redbook form number, SG24-6060.
RRU-scripts.zip   Zipped scripts and tools that are referenced in Chapter 2, Rapid Restore Ultra on page 11 and Chapter 5, Scenarios Implementing ThinkVantage Technologies on page 175 of this redbook in relation to Rapid Restore Ultra.
AccessIBM.zip     Zipped file contains some of the customization tools and help file mentioned in Chapter 3, The Access IBM experience on page 65.
FullSilentInstallFromDesktop.zip
BackupScheduleMod.zip
RedoA0.zip
IUB2AltMethod.zip
AccessIBM.zip extract
Download the AccessIBM.zip package to a temporary folder on your workstation and unzip the contents of the zip file. The following files are extracted:

Table B-2 Contents of AccessIBM.zip
Filename               Use
aimb_config_tool.exe   This tool enables you to change the content and look of your Access IBM application. It is a wizard-like tool that walks you through the interface and allows you to easily change categories and listed content, as well as add your own, if appropriate.
aibmhpp.exe            These sets of files, which exist per family, are needed to tell the HTML Help compiler what attributes to apply when compiling the help modules.
customacchelp.chm      This HTML Help-based document describes how to manipulate the help content: how to add, delete, and edit topics and how to remove entire chapters, based on your users and your business. It explains how to work with Microsoft's HTML Help Workshop (a tool available at no cost from Microsoft), the information development tool used to create the IBM help system.
OEM      Original Equipment Manufacturer
PARTIES  Protected Area Runtime Interface Extension Services
PKCS     Public Key Cryptographic Standard
PKI      Public Key Infrastructure
PTA      Personal Trust Agent
RAID     Redundant Array of Inexpensive Disks
RDM      Remote Deployment Manager
RISC     Reduced Instruction Set Computer
ROI      Return on Investment
RRU      Rapid Restore Ultra
RSA      Rivest, Shamir, and Adleman
RTE      Java Runtime Environment
SCSI     Small Computer Systems Interface
SDA      Software Delivery Assistant
SDD      Secure Data Disposal
SDK      Software Developers Kit
SMA      System Migration Assistant
SMBIOS   Systems Management Basic Input Output System
SQL      Structured Query Language
TAM      Tivoli Access Manager
TCG      Trusted Computing Group
TCO      total cost of ownership
TCPA     Trusted Computing Platform Alliance
TFTP     Trivial File Transfer Protocol
TVT      ThinkVantage Technologies
UDB      Universal Database
USB      Universal Serial Bus
UVM      User Verification Manager
VPN      Virtual Private Network
WMI      Windows Management Instrumentation
XML      eXtensible Markup Language
Related publications
The publications listed in this section are considered particularly suitable for a more detailed discussion of the topics covered in this redbook.
IBM Redbooks
For information on ordering these publications, see How to get IBM Redbooks on page 223. Note that some of the documents referenced here may be available in softcopy only.
Using ThinkVantage Technologies: Volume 1 Creating and Deploying Client Systems, SG24-7045
Using Asset Depot for Inventory Management, REDP-3763 (ITSO Redpaper)
Using Web-D for Software Distribution, REDP-3764 (ITSO Redpaper)
Implementing Asset ID, SG24-6165
Implementing Systems Management Solutions using IBM Director, SG24-6188
Using the System Installation Toolkit to Streamline Client Rollout, SG24-6178
IBM DB2 Application Development Guide: Building and Running Applications Version 8, SC09-4825-00
DB2 UDB Evaluation Guide for Linux and Windows, SG24-6934-00
Other publications
These publications are also relevant as further information sources:
Web-D Installation and Configuration, by Oscar Aguirre and Dudley Miller, IBM
IBM Rapid Restore Ultra 3.01.1 Enterprise Deployment Guide, by Jim Loebach, IBM
ESD-U Design Specification, by Dudley Miller, IBM
IBM ImageUltra Builder 2.0 User Guide
IBM Portable USB 2.0 Hard Drive with Rapid Restore - User Guide
Developing Enterprise Java Applications Using DB2 Version 8, by Grant Hutchison, IBM/DB2 Integration Center
MySQL Reference Manual, from MySQL AB, http://www.mysql.com
Client Security Software 5.1 Installation Guide
Client Security Software 5.1 Administrator's Guide
Client Security Software 5.1 User's Guide
Password Manager 1.1 User's Guide
Using Client Security Software 5.1 with Tivoli Access Manager
Online resources
These Web sites and URLs are also relevant as further information sources: Introduction to IBM ThinkVantage Technologies: Security (TXW14) course on IBM PC Institute. This is a Web-based course that covers the security features of IBM ThinkVantage Technologies that are used in NetVista and ThinkCentre desktops and ThinkPad notebooks. To view the course description and take the course, go to:
http://www.pc.ibm.com/training/txw14.html
Introduction to IBM ThinkVantage Technologies: Wireless (TXW15) course on IBM PC Institute. This is a Web-based course that covers the wireless features of IBM ThinkVantage Technologies that are used in NetVista and ThinkCentre desktops and ThinkPad notebooks. It also covers industry standard wireless terminology. To view the course description and take the course, go to:
http://www.pc.ibm.com/training/txw15.html
Index
Symbols
\INSTALL.INI 17, 38, 43, 48, 53
  customizing 43
\rrpc\INSTALL.INI 43, 48
  customizing 43
\rrpc\PCREC.TXT 43, 48
  customizing 43
\rrpcgui\RR.INI 47
  customizing 47

A
A0 image 13-14, 52, 54, 57-58
  See also base backup
  resetting 57
A1 image 13, 47
  See also administrator image
A2 image 13, 47
  See also administrator image
Access Connections
  overview 6
Access Help 76-78
  customizing 77
  overview 4
Access IBM 66-76
  customization tool 71
  customizing 70
  overview 4
Access IBM Message Center 87-94
  Access Support 88
    enabling 88
  local message 88
  Web messages 88
Access IBM Predesktop Area 78-87
  additional bootable areas 83
  data areas 84
  Hidden Protected Area based recovery solutions 79-81
  HPA header 82
  interrupt keys 84
  Partition based recovery solutions 78-79
Access Support 88
  enabling 88
access-config.ini 73
access-text.ini 73
additional bootable areas 83
administrator image 13, 47-48
  See also A1 image
  See also A2 image
  hiding 48
archive key pair 121, 145-146
Asset Depot 204, 206-207
  overview 3
  with IBM Director 204
  with ImageUltra Builder 206
  with Web-D 206-207

B
B image 14, 46-47
  See also incremental backup
BACKUP.BAT 209, 213
BackupSchedule 45, 53
BackupScheduleMod.zip 57, 216
BackupThrottlePriority 46
BackupThrottleSleep 46
base backup 13, 21-23, 34, 49, 54, 57-58
  See also A0 image
  definition 13
  resetting 57
BEER
  See boot engineering extension record
biometrics devices 103
boot engineering extension record 82

C
C image 14, 46
  See also incremental backup
CLEANUP.BAT 210, 214
Client Security Password Manager 101-102, 106, 135-139
  downloading the software 106
  installing 112
  limitations 106
  overview 101
  using 135-139
Client Security Software 99-101, 152
  administrator console 144
  components 99
  configuring 121-127
  downloading the software 106
  File and Folder Protection 99, 129, 140, 142, 160
  fingerprint reader
    installing 111
  installing 109
  installing prerequisite device drivers 108
  registering fingerprints 131-133
  unattended installation 113-117
  uninstalling 152
  upgrading 117-120
  User Verification Manager
    aware 103
    modifying security settings 127-130
    overview 100
    using the policy editor 134
    with Lotus Notes 133, 142
CSS
  See Client Security Software
CumulativeAfterOverinstall 47

D
data areas 84
DeployCenter 55

E
EFS
  See Encrypted File System
Embedded Security Chip 98-101, 103, 105, 107
  clearing
    ThinkCentre 156
    ThinkPad 155
  overview 98, 103
  restoring keys 146
Embedded Security Subsystem 97-173, 182-183
  Client Security Password Manager 101-102, 106, 135-139
    installing 112
    limitations 106
    overview 101
    using 135-139
  Client Security Software 99-101, 152
    administrator console 144
    components 99
    configuring 121-127
    File and Folder Protection 99, 129, 140, 142, 160
    fingerprint reader
      installing 111
    installing 109
    installing prerequisite device drivers 108
    registering fingerprints 131-133
    unattended installation 113-117
    uninstalling 152
    upgrading 117-120
    User Verification Manager
      aware 103
      modifying security settings 127-130
      overview 100
      using the policy editor 134
      with Lotus Notes 133, 142
  downloading the software 106
  File and Folder Encryption 102-103, 105, 139-142
    considerations 105
    installing 112
    overview 102
    using 139-142
  overview 4
  Troubleshooting 153
  with Rapid Restore Ultra 182-183
EnableSingleFileRestore 44
Encrypted File System 59
ESS
  See Embedded Security Subsystem

F
FFE
  See File and Folder Encryption
File and Folder Encryption 59, 102-103, 105, 139-142
  considerations 105
  downloading the software 106
  installing 112
  overview 102
  using 139-142
File and Folder Protection 99, 129, 140, 142, 160
fingerprint reader 98, 103-104, 222
  installing 111
FullSilentInstallFromDesktop.zip 52, 216

G
Ghost 5
GUIGroup 15, 43, 48, 53

H
Hidden Protected Area 15, 21, 48-50, 54, 79-84
  additional bootable areas 83
  data areas 84
  defined 15, 79
  HPA header 82
  main areas 81
Hidden Protected Area based recovery solutions 79-81
HIDE_CONGRAT 46
HideExclude 47
HideLEImages 48
HPA
  See Hidden Protected Area
HPA header 82

I
IBM Director 6, 189-199, 204
  overview 6
  with Asset Depot 204
  with Rapid Restore Ultra 189-199
IBM_SERVICE partition 43-45, 48-51, 59
  configuration 44-45
  creation 49-51
  drive letter 59
ImageUltra Builder 58, 179, 183-184, 205-206
  overview 4
  with Asset Depot 206
  with Web-D 205-206
INCBCKUP.BAT 209, 212
incremental backup 13-14, 21, 23, 26, 34, 37, 52, 54, 57-59
  See also B image
  See also C image
  caveat 26
  definition 13
  restoring individual files 37
  with sysprep image 57
interrupt keys 84

K
key archive 116, 119, 145-147, 153

L
LPC Bus device driver 108, 113

M
machine-specifics.csv 73
managed-recovery 11

P
PARTIES
  See Protected Area Runtime Interface Extension Services
Partition based recovery solutions 78-79
PartitionMagic 61-62, 142
PCREC.INI 14, 43, 56-57
  modifying 56
PEMaxStor 44-45
PEMinStor 44-45
PKCS
  See Public-Key Cryptography Standard
PKI
  See Public Key Infrastructure
PowerQuest
  BootMagic 17
  DeployCenter 55
  DriveImage 5, 85
  PartitionMagic 61-62, 142
PREPARE.BAT 209, 212
Protected Area Runtime Interface Extension Services 78
  See also Hidden Protected Area
Public Key Infrastructure 97-98
Public-Key Cryptography Standard 99, 105, 129, 151-152

R
Rapid Restore Ultra 11-64, 81, 182-204
  \INSTALL.INI
    customizing 43
  \rrpc\INSTALL.INI
    customizing 43
  \rrpc\PCREC.TXT
    customizing 43
  \rrpcgui\RR.INI
    customizing 47
  A0 image 13-14, 52, 54, 57-58
    resetting 57
  A1 image 13, 47
  A2 image 13, 47
  administrator image 13, 47-48
    hiding 48
  archiving backups 28
  backup methodology 13
  base backup 13, 21-23, 34, 49, 54, 57-58
    definition 13
    resetting 57
  C image 14
  components 15
  features 12
  incremental backup 13-14, 21, 23, 26, 34, 37, 52, 54, 57-59
    caveat 26
    definition 13
    restoring individual files 37
    with sysprep image 57
  installation 15-23
    One-time protection 21
    Ongoing protection 20
  overview 3
  PCREC.INI 14, 43, 56-57
    modifying 56
  requirements 16
  restoring individual files 12, 15, 37
    caveat 37
    disabling 44
    steps 37
  restoring your system 29-38
    from archived CDs 36
    pre-OS mode 31
    USB drive 35
    Windows mode 30
  RR.INI 56-57
    modifying 57
  run as a service 17, 38
  scheduling backups 27
  silent install 48-51
  sysprep image 52, 54, 57-58
  troubleshooting 60
  uninstall 39
  USB hard drive 13, 17, 19-20, 23, 35-36
    caveat 17
    enabling after install 23
    restoring from 35
    silent install support 48
  with Embedded Security Subsystem 182-183
  with IBM Director 189-199
  with Remote Deployment Manager 199-204
RDM
  See Remote Deployment Manager
Redbooks Web site 223
  Contact us xiv
RedoA0.zip 57, 216
registering fingerprints 131-133
Remote Deployment Manager 6, 199-204
  overview 6
  with Rapid Restore Ultra 199-204
RESTORE.BAT 210, 214
restoring individual files 12, 15, 37
  caveat 37
  disabling 44
  steps 37
restoring your system 29-38
  from archived CDs 36
  pre-OS mode 31
  USB drive 35
  Windows mode 30
RR.INI 56-57
  modifying 57
RRUJOB.BAT 209, 212
RRUTIME.BAT 209-210
RSA SecurID Software Token 104
RunAsService 17, 38, 42-43, 48, 53, 59

S
SDA
  See Software Delivery Assistant
Secure Data Disposal
  overview 5
SecurID 100
service partition 12, 15, 19-22, 62-63, 78-79, 84, 95, 177, 179, 183-185
  size 61
  startup diskette 21
ShowUninstall 43
silent install
  Rapid Restore Ultra 48-51
SM Bus device driver 108, 113
SMA
  See Software Migration Assistant
Software Delivery Assistant
  overview 5
SP_PSA 44
SPCreate.zip 50, 216
Symantec Ghost 56
sysprep image 52, 54, 57-58
System Migration Assistant
  overview 5

T
Targus 98, 104, 222
  fingerprint reader 98, 104, 222
    install 111
TCG
  See Trusted Computing Group
TCPA
  See Trusted Computing Platform Alliance
ThresholdCBackupCnt 14, 46, 58
Tivoli Access Manager 100, 104, 107, 135, 150-151
  troubleshooting 170
Trusted Computing Group 99
Trusted Computing Platform Alliance 98-99, 106, 108, 113, 117, 158

U
Uninstall 43
USB hard drive 13, 17, 19-20, 23, 35-36
  caveat 17
  enabling after install 23
  restoring from 35
  silent install support 48
User Verification Manager
  aware 103
  modifying security settings 127-130
  overview 100
  using the policy editor 134
  with Lotus Notes 133, 142
UVM
  See User Verification Manager

W
Web-D 205-207
  overview 4
  with Asset Depot 206-207
  with ImageUltra Builder 205-206
WebSeal 100
Back cover
BUILDING TECHNICAL INFORMATION BASED ON PRACTICAL EXPERIENCE IBM Redbooks are developed by the IBM International Technical Support Organization. Experts from IBM, Customers and Partners from around the world create timely technical information based on realistic scenarios. Specific recommendations are provided to help you implement IT solutions more effectively in your environment.