
Front cover

Draft Document for Review September 30, 2003 10:50 am SG24-6060-00

Using ThinkVantage Technologies: Volume 2 Maintaining and Recovering Client Systems


Simplify PC lifecycle process through the use of ThinkVantage Technologies
Simple maintenance and recovery in corporate environments
Using the Technologies to lower costs

Manoj Babulal, David Doyle, Jim Loebach, Dudley Miller, Michael Schmid, Goran Wibran, Byron Braswell

ibm.com/redbooks


International Technical Support Organization Using ThinkVantage Technologies: Volume 2 Maintaining and Recovering Client Systems September 2003

SG24-6060-00


Note: Before using this information and the product it supports, read the information in Notices on page ix.

First Edition (September 2003)
This edition applies to Version 3.01 SP1 of Rapid Restore Ultra, Version 5.1 of IBM Client Security Software and Version 4 of Access IBM.
This document was created or updated on September 24, 2003.

Copyright International Business Machines Corporation 2003. All rights reserved.
Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.


Contents
Notices ... ix
Trademarks ... x
Preface ... xi
The team that wrote this redbook ... xi
Become a published author ... xiv
Comments welcome ... xiv

Chapter 1. Introduction ... 1
1.1 ThinkVantage Technologies ... 2
1.2 ThinkVantage Technologies process improvements ... 6
1.3 Implementing a ThinkVantage Technologies solution ... 7

Chapter 2. Rapid Restore Ultra ... 11
2.1 Introducing Rapid Restore Ultra ... 12
2.1.1 Rapid Restore Ultra features ... 12
2.1.2 Rapid Restore Ultra backup methodology ... 13
2.1.3 Rapid Restore Ultra components ... 15
2.2 Installing Rapid Restore Ultra ... 15
2.2.1 Rapid Restore Ultra requirements ... 16
2.2.2 Rapid Restore Ultra installation ... 17
2.2.3 Enabling backup support on a USB drive after install ... 23
2.3 Using Rapid Restore Ultra ... 23
2.3.1 Backing up your system ... 23
2.3.2 Restoring your system ... 29
2.3.3 Running Rapid Restore Ultra service ... 38
2.3.4 Migrating to a new hard disk drive ... 38
2.3.5 Uninstall Rapid Restore Ultra ... 39
2.4 Rapid Restore deployment in an enterprise ... 40
2.4.1 Obtaining the Rapid Restore Ultra for custom install ... 40
2.4.2 Customizing Rapid Restore install options ... 42
2.4.3 Deployment methods ... 51
2.4.4 Post deployment management options ... 56
2.4.5 Rapid Restore Ultra considerations for IT Administrators ... 57
2.5 Rapid Restore Ultra troubleshooting information ... 60
2.5.1 Backup and restore troubleshooting information ... 60
2.5.2 Installation troubleshooting ... 61
2.5.3 Partition and boot manager troubleshooting tips ... 61
2.5.4 Miscellaneous troubleshooting tips ... 62
2.5.5 Rapid Restore Ultra Frequently Asked Questions (FAQ) ... 63

Chapter 3. The Access IBM experience ... 65
3.1 Overview ... 66
3.2 Access IBM ... 66
3.2.1 Access IBM User Interface ... 67
3.2.2 Customizing Access IBM and Access Help ... 69
3.2.3 Customizing Access IBM ... 70
3.2.4 Access IBM Customization Tool ... 71
3.3 Access Help ... 76
3.3.1 Customizing Access Help ... 77
3.4 Access IBM Predesktop Area ... 78
3.4.1 Partition-based recovery solutions ... 78
3.4.2 Hidden protected area based recovery solutions ... 79
3.4.3 Hidden Protected Area main areas ... 81
3.4.4 Keys used during startup ... 84
3.4.5 Creating an image of the hard drive ... 85
3.5 Access IBM Message Center ... 87
3.5.1 Local messages vs. Web messages ... 88
3.5.2 What a message file contains ... 89
3.5.3 Delivering messages of your own ... 92
3.6 Summary ... 94
3.6.1 Access IBM ... 94
3.6.2 IBM Hidden Protected Area ... 95
3.6.3 Access IBM Message Center ... 95
3.6.4 Customization ... 95

Chapter 4. Embedded Security Subsystem ... 97
4.1 IBM Embedded Security Overview ... 98
4.1.1 IBM Embedded Security Chip ... 98
4.1.2 IBM Client Security Software ... 99
4.1.3 IBM Client Security Password Manager ... 101
4.1.4 File and Folder Encryption (FFE) Utility ... 102
4.2 Planning: Installation considerations ... 103
4.2.1 Client Security Software ... 103
4.2.2 File and Folder Encryption considerations ... 105
4.2.3 IBM Client Security Password Manager ... 106
4.3 Preparation: Prerequisite instructions ... 106
4.3.1 Before installing the software ... 107
4.4 Preparation: Installation instructions ... 108
4.4.1 Installing prerequisite device drivers ... 108
4.4.2 Installing the IBM Client Security Software ... 109
4.4.3 Installing the Targus PC Card Fingerprint Reader ... 111
4.4.4 Installing the IBM Client Security Password Manager ... 112
4.4.5 Installing the IBM File and Folder Encryption ... 112
4.4.6 Performing an unattended installation ... 113
4.4.7 Upgrading your version of Client Security Software ... 117
4.5 Implementation: Configuration ... 120
4.5.1 Configuring the IBM Client Security Software ... 121
4.5.2 Modifying your security settings ... 127
4.5.3 Authentication Elements ... 130
4.5.4 Registering fingerprints ... 131
4.5.5 Using User Verification Manager protection for Lotus Notes ... 133
4.6 Implementation: Utilization ... 134
4.6.1 Using the User Verification Manager policy editor ... 134
4.6.2 Editing a UVM policy on remote clients ... 135
4.6.3 IBM Client Security Password Manager ... 135
4.6.4 File and Folder Encryption (FFE) ... 139
4.6.5 Using User Verification Manager protection within Lotus Notes ... 142
4.6.6 Using the Administrator Console ... 144
4.6.7 Changing the key archive location ... 145
4.6.8 Changing the archive key pair ... 145
4.6.9 Restoring keys from archive ... 146
4.7 Usage Scenarios ... 147
4.7.1 Windows 2000 and Windows XP clients using Outlook Express ... 148
4.7.2 Windows 2000 clients using Lotus Notes ... 149
4.7.3 Multiple Windows 2000 clients managed by Tivoli Access Manager ... 150
4.8 Uninstalling Client Security Software ... 152
4.9 Troubleshooting ... 153
4.9.1 Error Messages ... 153
4.9.2 Setting a supervisor password (ThinkPad) ... 153
4.9.3 Setting an administrator password (ThinkCentre) ... 154
4.9.4 Clearing the IBM Embedded Security Chip (ThinkPad) ... 155
4.9.5 Clearing the IBM Embedded Security Chip (ThinkCentre) ... 156
4.9.6 Fail counts on TCPA and non-TCPA systems ... 157
4.9.7 IBM File and Folder Encryption (FFE) Utility known issues ... 158
4.9.8 Installation troubleshooting information ... 160
4.9.9 Administrator Utility troubleshooting information ... 161
4.9.10 User Configuration Utility troubleshooting information ... 163
4.9.11 ThinkPad-specific troubleshooting information ... 164
4.9.12 Microsoft troubleshooting information ... 164
4.9.13 Netscape application troubleshooting information ... 168
4.9.14 Digital certificate troubleshooting information ... 170
4.9.15 Tivoli Access Manager troubleshooting information ... 170
4.9.16 Lotus Notes troubleshooting information ... 171
4.9.17 Encryption troubleshooting information ... 172
4.9.18 UVM-aware device troubleshooting information ... 172

Chapter 5. Scenarios Implementing ThinkVantage Technologies ... 175
5.1 Migration/rollout scenarios ... 176
5.1.1 PC Migration or upgrade ... 176
5.1.2 PC Rollout Scenario ... 178
5.1.3 Helpdesk scenario ... 180
5.2 ESS and Rapid Restore Ultra scenario ... 182
5.2.1 Installation of CSS and RRU on the same system ... 182
5.2.2 Usage considerations ... 182
5.2.3 Possible conflicts ... 182
5.3 Integrating Rapid Restore with ImageUltra Builder ... 183
5.3.1 Service partition setting in ImageUltra Builder ... 183
5.3.2 Adding Rapid Restore modules to ImageUltra Builder image ... 186
5.4 Integrating Rapid Restore Ultra with IBM Director ... 189
5.4.1 Installing Rapid Restore Ultra using IBM Director ... 189
5.4.2 Adding Rapid Restore to the IBM Director software dictionary ... 191
5.4.3 Managing all Rapid Restore Ultra systems as one group ... 193
5.4.4 Receive alert when Rapid Restore is not active on client system ... 195
5.4.5 Remotely change the Rapid Restore Ultra backup schedule ... 197
5.4.6 Remotely initiate Rapid Restore Ultra incremental backup ... 198
5.5 Integrating Rapid Restore Ultra with IBM RDM ... 199
5.5.1 IBM RDM requirements/preparations ... 200
5.5.2 Procedure ... 201
5.6 IBM Director & Asset Depot scenario ... 204
5.7 Software deployment ... 205
5.7.1 Integrating Web-D into ImageUltra Builder ... 205
5.7.2 Integrating Asset Depot into ImageUltra Builder ... 206
5.8 Asset Depot and Web-D conceptual scenarios ... 206

Appendix A. Rapid Restore batch files ... 209

Appendix B. Additional material ... 215
Locating the Web material ... 215
Using the Web material ... 215
How to use the Web material ... 216

Abbreviations and acronyms ... 219

Related publications ... 221
IBM Redbooks ... 221
Other publications ... 221
Online resources ... 222
How to get IBM Redbooks ... 223
Help from IBM ... 223

Index ... 225

Copyright IBM Corp. 2003. All rights reserved.


Notices
This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing, IBM Corporation, North Castle Drive Armonk, NY 10504-1785 U.S.A.

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE: This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs.

You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.


Trademarks
The following terms are trademarks of the International Business Machines Corporation in the United States, other countries, or both:
Lotus Notes, ThinkPad, ThinkVantage, AIX, Lotus, Tivoli Enterprise, Asset ID, NetVista, Notes, Tivoli, DB2, DFS, Rapid Restore, ibm.com, Redbooks (logo), Wake on LAN, IBM, Redbooks, WebSphere, ImageUltra, ThinkCentre

The following terms are trademarks of other companies:
Intel, Intel Inside (logos), MMX, and Pentium are trademarks of Intel Corporation in the United States, other countries, or both.
Microsoft, Windows, Windows NT, Windows XP and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
SET, SET Secure Electronic Transaction, and the SET Logo are trademarks owned by SET Secure Electronic Transaction LLC.
Other company, product, and service names may be trademarks or service marks of others.


Preface
ThinkVantage Technologies brings your IBM PCs one step closer to being self-configuring, self-optimizing, self-protecting, or self-healing to help save you time and money throughout the life of your systems. In short, ThinkVantage Technologies let you focus your attention on your business, rather than on your computer.

ThinkVantage Technologies are software tools designed to help customers drive down IT support costs (in particular, the cost of managing and supporting a PC after its initial purchase), increase security, and decrease the complexity of today's IT infrastructure.

This Redbook will help you maintain, recover and secure the IBM ThinkVantage Technologies on IBM and OEM desktops.

This Redbook is volume two of a two-volume set of ThinkVantage Technologies Redbooks. It describes how to maintain and recover client systems. The first Redbook is Using ThinkVantage Technologies: Volume 1 Creating and Deploying Client Systems, SG24-7045.

In addition, there are two Redpapers that cover IBM Service Offerings which complement ThinkVantage Technology investments:
Using Asset Depot, REDP-3763
Using Web-D, REDP-3764

The team that wrote this redbook


This redbook was produced by a team of specialists from around the world working at the International Technical Support Organization, Raleigh Center.


Figure 0-1 Byron Braswell, Dudley Miller, Manoj Babulal, Michael Schmid, David Doyle

Byron Braswell is a networking professional at the International Technical Support Organization, Raleigh Center. He received a B.S. degree in Physics and an M.S. degree in Computer Sciences from Texas A&M University. He writes extensively in the areas of networking and host integration software. Before joining the ITSO three years ago, Byron worked in IBM Learning Services Development in networking education development.

Manoj Babulal is a software engineer at IBM India. He has more than 3 years of experience in the networking and systems management field. He holds a degree in Computer Science from NIT, Surathkal, India. His areas of expertise include networking and remote management solutions.

David Doyle is a PC Technical Advocate for the IBM Personal Computing Division in Melbourne, Australia. He has 10 years of IT experience in fields ranging from GIS and Desktop/Server Administration to image creation and management. He has worked at IBM for 6 years. His areas of expertise include Image Ultra, RDM, SDA, SMA, IBM Director and Client Security solutions.


Jim Loebach is a software engineer for the IBM Personal Computing Division supporting the IBM ThinkVantage Technology software applications in Raleigh, NC. He has worked at IBM for 7 years with experience on hardware and software on IBM ThinkPad, NetVista, and ThinkCentre systems. His areas of expertise include all the ThinkVantage applications and the Windows operating systems.

Dudley Miller is a Senior Systems Management Professional for IBM Global Services, South Delivery Center. He received a B.S. degree in Engineering Science from The University of Texas at Austin. He has over 15 years of experience in the IT industry. His areas of expertise include object-oriented design and development of electronic software delivery solutions.

Michael Schmid is an IT Specialist at IBM Switzerland. He has been with IBM Global Services, Integrated Technologies Services for 6 years. As an IT Specialist he plans and realizes customer projects in Microsoft environments. He holds the Microsoft Certified Systems Engineer certification. His areas of expertise include Microsoft infrastructure services and ThinkVantage Technologies.

Goran Wibran is a Segment Manager for IBM TCO and ThinkVantage Technologies, based at Research Triangle Park, North Carolina, US. His mission is to help IBM PCD create solutions for cost- and resource-effective IT management, IT process automation and IT system integration. He is one of IBM's leading experts on deploying and managing PC-based products. In his leadership role, he works with the IBM Development teams to create the next generation of PC and server management solutions. He simultaneously continues his work as a consultant, helping IBM customers develop and implement automated IT processes around the world.
Thanks to the following people for their contributions to this project:

Margaret Ticknor, Linda Robinson, Rufus Credle, David Watts, Tamikia Barrow
International Technical Support Organization, Raleigh Center

Clain Anderson, Nathan Bigger, Phil Menzies, Caroline Patzer, Fletcher Stone, Dean Suraci, Andy Trotter, Goran Wibran, Jeffrey Witt
IBM RTP

Oscar Aguirre
IBM Chicago

David Gemuenden, Syed Irfan, Bill Lee
IBM Austin

Mickey Iqbal
IBM Alpharetta

James MacKenzie, Gavin Cameron
IBM UK, Greenock


Become a published author


Join us for a two- to six-week residency program! Help write an IBM Redbook dealing with specific products or solutions, while getting hands-on experience with leading-edge technologies. You'll team with IBM technical professionals, Business Partners and/or customers. Your efforts will help increase product acceptance and customer satisfaction. As a bonus, you'll develop a network of contacts in IBM development labs, and increase your productivity and marketability. Find out more about the residency program, browse the residency index, and apply online at:
ibm.com/redbooks/residencies.html

Comments welcome
Your comments are important to us! We want our Redbooks to be as helpful as possible. Send us your comments about this or other Redbooks in one of the following ways: Use the online Contact us review redbook form found at:
ibm.com/redbooks

Send your comments in an Internet note to:
redbook@us.ibm.com

Mail your comments to:
IBM Corporation, International Technical Support Organization
Dept. HZ8 Building 662
P.O. Box 12195
Research Triangle Park, NC 27709-2195


Chapter 1. Introduction
Over the last decade, controlling complexity has been the goal of every IT manager. While the introduction of the Internet, new devices and new processes has made delivery of service more complex, it has become critical for IT managers to contain costs. Understanding the total cost of ownership has created the need to seek methods that reduce costs while improving service. Despite reductions in PC hardware costs, many organizations have seen overall costs rise due to increased product complexity, proliferation of devices, and the related management and support issues. Today, the initial cost of buying a PC is the tip of the iceberg. This emphasis on cost reduction has imposed the requirement to find ways to improve the overall PC management process.

What has IBM done to alleviate the stress of these costs? IBM has focused research and development efforts around the challenges of reducing total cost of ownership. Through the evaluation of each phase of the PC lifecycle, IBM has developed a number of technologies in hardware and software to reduce IT management costs. Known as ThinkVantage Technologies, they manage the PC LifeCycle from pre-deploy planning through end-of-life disposition.

Figure 1-1 is an overview of the functions performed by various ThinkVantage Technologies during the hardware/software life cycle of a typical client PC.


Figure 1-1 High Level ThinkVantage Technologies Functions (figure not reproduced; the lifecycle stages shown are Image creation, Image deployment, Migration, Recovery, Inventory, Software dist, Support, Retire)

1.1 ThinkVantage Technologies


To address key concerns regarding the reduction of costs and to improve return on investment (ROI), the ThinkVantage Tools can be implemented individually or as a complete solution. As a result, organizations can integrate these solutions into their existing environments to complement existing processes, or develop new, more cost-efficient processes where none are in place. ThinkVantage Technologies simplify the PC LifeCycle processes in the following ways:
- Improves IT resource utilization
- Improves IT budget usage
- Automates resource-intensive tasks
- Minimizes Help Desk and Desk Side costs
- Reinforces best practices
- Delivers low total cost of ownership (TCO)


Figure 1-2 Simplifying PC LifeCycle processes

(Figure: the lifecycle stages Image Creation, Management and Test; Deploy Image; Install Client; Backup/Recovery; Migrate Data and Application Settings; [Remote] Support; Software Updates; Inventory; and Cascading Disposal, with the tools placed against them: Symantec Ghost and PowerQuest DeployCenter alongside ImageUltra Builder for image creation; RDM and SDA for image deployment; RRU for backup/recovery; SMA for migration; IBM Director and the IBM Director Agent, integrated with Access IBM and Access Connections, for support, software updates and inventory, complemented by the Asset Depot* and Web-D* service offerings; and SDD for disposal.)

TOOLS: RRU - Rapid Restore Ultra; SDA - Software Delivery Assistant; SMA - System Migration Assistant; RDM - Remote Deployment Manager; SDD - Secure Data Disposal.

* Service Offerings that complement a customer's ThinkVantage Technology investments

The two-volume set of ThinkVantage Technology Redbooks covers the products that address each of the functional areas in the PC Lifecycle. These products are introduced in the following sections.

Rapid Restore Ultra


IBM Rapid Restore Ultra is a simple managed backup and recovery solution that protects computers from software-related system failures. In the event of a system failure, you can use IBM Rapid Restore Ultra to restore the contents of the hard disk to a previously saved state, with recovery times averaging approximately 20 minutes for a complete restoration. For enterprise use, Rapid Restore Ultra allows an IT staff to maintain a set of known recovery images stored locally on the system while empowering the end user with separate backup and recovery capabilities. Rapid Restore Ultra is discussed in Chapter 2, Rapid Restore Ultra on page 11.

Asset Depot
Asset Depot is a cost- and resource-effective inventory solution that complements and leverages the customer's investment in ThinkVantage Technologies. Its features include easy browser accessibility, minimal resource usage, software license management and central management.


Asset Depot is discussed in the ITSO Redpaper Using Asset Depot for Inventory Management, REDP-3763.

Web-D
Web-D is a Java-based, Web-enabled software distribution solution that complements and leverages the customer's investment in ThinkVantage Technologies. Web-D uses industry-standard components, is simple to manage, integrates easily into an existing customer network infrastructure, is customizable, and is very cost-effective both at the time of implementation and over the long term. Web-D is discussed in the ITSO Redpaper Using Web-D for Software Distribution, REDP-3764.

Access IBM and Access Help


Access IBM and Access Help are comprehensive, on-board help and information centers for your computer. They travel with you, eliminating the need to carry reference manuals or user guides. Access IBM and Access Help are discussed in Chapter 3, The Access IBM experience on page 65.

Embedded Security Subsystem


The IBM Embedded Security Subsystem, available on select IBM computers, consists of the integrated security chip and IBM Client Security Software (download required). Working together, these components provide security not previously available. The integrated security chip provides hardware-based protection of critical security information, including passwords, encryption keys and electronic credentials. The security software provides the interface between security-aware applications and the functionality of the chip. In addition, it provides support for peripheral security devices that control access to the PC itself. Embedded Security Subsystem is discussed in Chapter 4, Embedded Security Subsystem on page 97.

ImageUltra Builder
ImageUltra Builder was designed to simplify image creation, deployment and management. It is intended to help enterprises save time and money and stay productive with a do-it-yourself tool that can let you deploy as few as one image across your enterprise. By combining multiple languages, applications and operating systems into a single hard drive image, you eliminate or reduce the need for manual application installation, hardware testing and support. This patent-pending technology lets you better control your IT environment, making deployments less painful and lowering IT costs. Unlike Symantec Ghost and PowerQuest DriveImage, ImageUltra Builder separates drivers and applications from the traditional monolithic image. Separating these components, as well as the operating system, greatly reduces the number of images that must be kept, and when drivers or applications are updated there is no need to open each traditional image to apply the update. Customers already using Ghost or PowerQuest DriveImage can incorporate their existing images into ImageUltra Builder as either semi-portable or system-specific images. For more information about ImageUltra Builder, refer to Using ThinkVantage Technologies: Volume 1 Creating and Deploying Client Systems, SG24-7045.

Software Delivery Assistant (SDA)


Software Delivery Assistant addresses the challenge of loading software and handling the unique software requirements of your company's different business groups (finance, marketing, etc.). The SDA tool allows you to create a single set of applications within a business group, thereby reducing your labor costs for system deployment and application maintenance. SDA is discussed in Using ThinkVantage Technologies: Volume 1 Creating and Deploying Client Systems, SG24-7045.

System Migration Assistant (SMA)


System Migration Assistant enables custom settings, preferences, and data to be migrated from a user's former PC to the new PC accurately, efficiently and effectively. When older computers are refreshed or new computers are introduced, moving user data and system settings to the new system becomes expensive and time-consuming. Removing the problems associated with migration is an important customer satisfaction issue. SMA is discussed in Using ThinkVantage Technologies: Volume 1 Creating and Deploying Client Systems, SG24-7045.

Secure Data Disposal


IBM Secure Data Disposal removes all data on a hard disk drive, protecting sensitive information when a drive is redeployed or retired. After this process has been run, the data is non-recoverable. Secure Data Disposal is discussed in Using ThinkVantage Technologies: Volume 1 Creating and Deploying Client Systems, SG24-7045.


Access Connections
IBM Access Connections is a connectivity assistant program for your IBM ThinkPad computer that allows you to create and manage location profiles. Each location profile stores all of the network and Internet configuration settings needed to connect to a network infrastructure from a specific location, such as home or work. By switching between location profiles as you move your computer from place to place, you can quickly and easily connect to a network without having to reconfigure your settings manually and restart your computer each time. Access Connections is discussed in Using ThinkVantage Technologies: Volume 1 Creating and Deploying Client Systems, SG24-7045.

IBM Director
IBM Director V4.1 is the newest release of the industry-leading client/server workgroup manager. IBM Director's tools provide customers with flexible capabilities to realize maximum system availability and lower IT costs. With IBM Director, IT administrators can view and track the hardware configuration of remote systems in detail and monitor the usage and performance of critical components such as processors, disks and memory. IBM Director is discussed in Implementing Systems Management Solutions using IBM Director, SG24-6188.

Remote Deployment Manager


Remote Deployment Manager (RDM) provides tools that simplify the configuration and deployment of operating systems and applications. Adding a computer to the RDM database allows remote installation, maintenance and software updates on client computers.

1.2 ThinkVantage Technologies process improvements


Using the ThinkVantage tools can help optimize the PC lifecycle and enhance current processes. The two volumes of Using ThinkVantage Technologies are divided into creation/deployment and maintenance/recovery. The tools discussed in these Redbooks are key contributors to deployment optimization, and they allow PCs to be more than just clients. ThinkVantage Technologies provide optimization and cost-avoidance solutions for:

- Simplified image complexity, by delivering a hardware-independent imaging solution
- Improved application deployment, by delivering a detached application deployment solution
- Rapid transition, by delivering a smooth data migration solution
- Down-the-wire recovery, by delivering a managed system recovery and backup solution
- Ending the life cycle with data removal, by delivering a Secure Data Disposal solution
- Additional solutions for security, deployment, management, support, wireless and more

Many organizations will relate to the times shown in Figure 1-3 for each part of these processes. Implementing the ThinkVantage Technologies will reduce cost and offer opportunities for companies, as illustrated below.
Figure 1-3 TVT tools and simplification of PC LifeCycle Processes

(Figure: for each lifecycle stage (Image Creation, Management and Test; Deploy Image; Install Client; Backup/Recovery; Migrate Data and Application Settings; Remote Support; Software Updates; Inventory; Cascading Disposal) the chart contrasts the effort of the conventional process with the effort when the TVT tools are used. Figures shown include: an Image Creation Team needing 1-3 days for an update or 3-4 weeks for a complex image with 2-3 IT resources, versus 1 day to 1 week with 1-2 IT resources; an Install Team needing 2.5-3 hours per system (3-4 systems per day per IT resource) versus 25-30 minutes per system (15-30 systems per day per IT resource); per-client loading and install times falling from 20-40 and 20-60 minutes to a few minutes; end-user recovery moving from 1-12 hours and help desk calls to 5-15 minutes, SLA-driven and automated; and Help Desk and desk-side resources moving from an allocated "cost of doing business" to better resource usage, where a 50% cost reduction is not uncommon.)

1.3 Implementing a ThinkVantage Technologies solution


Table 1-1 on page 8 outlines the effort required to implement the tools discussed in both books. It also outlines whether training is recommended or required to ensure a smooth implementation in an organization. You will notice that, as a worst case, it takes less than two weeks to get staff trained on all of the tools in the table. Many of the tools have optional training and can be learned through this Redbook or the existing product documentation.
Table 1-1 Implementing ThinkVantage Technologies

Area / IBM PCD tool | People needed to implement | Process change required | Training needed
Imaging: ImageUltra Builder | 2-5 skilled administrators for a large enterprise (LE); 1 skilled administrator for a small or medium business (SMB) | Yes, to build the image, but deployment of the image remains similar | Yes, required 2-day training
Imaging: Software Delivery Assistant (SDA) | 1-3 skilled administrators for LE; 1 skilled administrator for SMB | Yes, to regroup applications by line of business or department | Optional 1-day training
Network deployment: Remote Deployment Manager (RDM) | 1-3 skilled administrators for LE; 1 skilled administrator for SMB | No, existing process with image deployment best practice | Yes, recommended 1-day training
Migration: System Migration Assistant (SMA) | 1 skilled administrator for LE and SMB | No, existing process with automated migration best practice | Optional 1-day training
Recovery: Rapid Restore Ultra (RRU) | 1 skilled administrator for LE and SMB | Yes, to create a hidden recovery partition on the local hard drive | Optional 1-day training
IBM Director Agent | 1-3 skilled administrators for LE; 1 skilled administrator for SMB | No, existing process with system management best practice | Included in IBM Director training
IBM Director Management | 1-3 skilled administrators for LE; 1 skilled administrator for SMB | No, existing process with system management best practice | Yes, recommended 2-day training
AssetID | 1-3 skilled administrators for LE; 1 skilled administrator for SMB | No, existing process with asset management practice | Included in IBM Director training
Disposal: Secure Data Disposal | 1 IT staff member for LE and SMB | No, existing process with hard drive data disposal best practice | Optional 1-day training

Effort scale used in the table: Low, Med, High.

Note: The scale is relative to the other TVT Uptime and Migration Tools and not a measure of good, average and poor.


Chapter 2. Rapid Restore Ultra


IBM Rapid Restore Ultra is a simple managed-recovery solution that protects computers from software-related system failures. In the event of a system failure, you can use IBM Rapid Restore Ultra to restore the contents of the hard disk to a previously saved state, with recovery times (depending on image size) averaging approximately 20 minutes for a complete restoration. For enterprise use, Rapid Restore Ultra allows an IT staff to maintain a set of known recovery images stored locally on the system while empowering the end user with separate backup and recovery capabilities. Unless otherwise specified, any reference to the term Rapid Restore in this book should be interpreted as IBM Rapid Restore Ultra.

In this chapter we discuss Rapid Restore Ultra as follows:

- 2.1, Introducing Rapid Restore Ultra on page 12
- 2.2, Installing Rapid Restore Ultra on page 15
- 2.3, Using Rapid Restore Ultra on page 23
- 2.4, Rapid Restore deployment in an enterprise on page 40
- 2.5, Rapid Restore Ultra troubleshooting information on page 60


2.1 Introducing Rapid Restore Ultra


In this section we introduce you to the features, components and workings of Rapid Restore Ultra V3.01 SP1.

2.1.1 Rapid Restore Ultra features


Rapid Restore Ultra enables you to perform the following functions:

- Save files to a local service partition. Rapid Restore Ultra uses a hidden, locked partition on the local hard disk, known as the service partition, for storage, thereby minimizing the use of network bandwidth during backup and restore operations.
- Restore the system to any of three backed-up levels. In a normal installation Rapid Restore Ultra can store three levels of backup images, which gives the user more flexibility in backup management. Refer to 2.1.2, Rapid Restore Ultra backup methodology on page 13 for information on the different backup levels.
- Restore files after an operating-system failure. Under normal circumstances you use Rapid Restore Ultra from the Windows interface. If an operating-system failure prevents you from reaching the Windows interface, you can use the pre-OS interface, known as the F11 recovery console, to perform a full system-recovery operation.
- Protect the entire software image, including user data. Rapid Restore Ultra protects the entire hard disk content: the Windows operating system, software applications, registry settings, network settings, service packs, desktop settings and user data files.
- Archive backup images to CD-Rs. If your computer has a CD-RW drive, Rapid Restore Ultra gives you the option to archive backup images to CD-Rs, providing an additional level of protection. These recovery CDs can later be used to restore the contents of the hard disk onto a new hard disk in the event of a hard disk failure.
- Support enterprise-wide recovery and backup policies. Rapid Restore Ultra provides a command-line interface that can be used with systems management tools to enforce enterprise-wide recovery and backup policies.
- Restore individual files. Rapid Restore Ultra enables you to view, select and recover one or more individual files from a backup image. You can recover any file that is stored in a file-based backup (incremental backup type) image. For details on using this feature, see Restoring individual files on page 37.
- Exclude specific files from a backup. Rapid Restore Ultra lets you exclude specific files during a backup operation. The exclude option gives the user a way to keep unwanted files out of the backup, reducing the backup image size and so making the backup faster.
- Save backups to the IBM portable USB 2.0 hard drive. Rapid Restore Ultra can also save backups to an IBM USB hard drive, making backup protection more robust and allowing the system to be restored after a hard disk failure. Only IBM USB hard drives are supported.

2.1.2 Rapid Restore Ultra backup methodology


Rapid Restore Ultra (RRU) presents backups in a time/date format for the end user. The different backup levels in Rapid Restore Ultra are as shown in Figure 2-1.
Figure 2-1 Rapid Restore Ultra backup architecture

(Figure: three levels. BASE LEVEL: Base Image (A0), of which there is only one, plus the optional Administrator Image 1 (A1) and Administrator Image 2 (A2), of which there are at most two. CUMULATIVE LEVEL: Cumulative (B); each cumulative image replaces the previous cumulative image. MOST RECENT LEVEL: Most recent (C); each most recent image replaces the previous most recent image.)

There is one base backup image, known as A0. A0 is created during the Rapid Restore Ultra install and becomes the foundation for the later levels of backup, known as incremental backup images. Incremental backups are user-initiated and/or scheduled backups taken in Windows mode. For incremental backups to work, the base image A0 must be created separately on each target PC; an A0 image is specific to the machine on which it was taken. For IT administrators' use, Rapid Restore Ultra also gives the option of creating two unique administrator images, known as A1 and A2. These images are similar to the base backup image except that they do not support incremental backups.


The normal installation of Rapid Restore Ultra uses only one base image (A0) and successive incremental backups (a combination of B and C images). This is represented graphically in Figure 2-2.
Figure 2-2 How backups are managed over time for a ThresholdCBackupCnt value of 2

(Figure: a timeline from Installation (T0) through Backup #1 to Backup #5 (T1 to T5). The base image (A0) is present and unchanged at every point. The Cumulative (B) image is at version V1 for backups #1 to #3 and V2 for backups #4 and #5; the Most recent (C) image goes through versions V1.1, V1.2 and V2.1. Each cumulative image replaces the previous cumulative image, and each most recent image replaces the previous most recent image.)

Figure 2-2 shows the base image (A0) created during the Rapid Restore Ultra install. A0 never changes unless it is forced to. Retaking A0 is supported but is not part of the normal operation of Rapid Restore Ultra; details are in How to reset the A0 backup on page 57. Scheduled backups and user-initiated backups are incremental in nature because they store only the differences between successive backup levels. The steps below sketch how incremental backups proceed after the A0 image is created:

1. Create (or replace, if already present) the Cumulative (B) backup.
2. Create (or replace, if already present) the Most Recent (C) backup.
3. Repeat step 2 until the Most Recent (C) backup has been updated (its creation included) n times. n is the value of the ThresholdCBackupCnt key in the file PCREC.TXT (before install) or PCREC.INI (after installation); the default value is 7. To learn more about customizing options before installation, refer to 2.4.2, Customizing Rapid Restore install options on page 42. To modify options after install, refer to Modifications to pcrec.ini on page 56.
4. Go to step 1 for the next backup.

With the value of 2 used in Figure 2-2, every third backup therefore rewrites B and the two backups between them rewrite C.
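The rotation above can be made concrete with a small simulation. The following Python is an added example written for this edit, not code from IBM or from Rapid Restore Ultra. It reads ThresholdCBackupCnt from a constructed PCREC.INI-style fragment (the section name used in the fragment is assumed; the product's real file is not reproduced here), then steps through successive backups and reports which level each one writes and which restore points exist afterwards. Two details are assumptions drawn from Figure 2-2 rather than statements of the product documentation: that each backup run writes exactly one level (B or C), and that writing a new B discards the old C, as backup #4 in the figure leaves only A0 and B.

```python
"""Simulation of the Rapid Restore Ultra backup rotation described in 2.1.2.

Added example, not IBM code. One base image (A0), one cumulative image (B)
and one most-recent image (C); n is ThresholdCBackupCnt. The INI section name
and the "new B supersedes old C" rule are assumptions taken from Figure 2-2.
"""
import re

DEFAULT_THRESHOLD = 7  # documented default for ThresholdCBackupCnt


def read_threshold(ini_text: str) -> int:
    """Return ThresholdCBackupCnt from PCREC.INI/PCREC.TXT text, default 7.

    The key is matched case-insensitively on any line, so the section it
    lives under need not be known; a missing or invalid value yields 7.
    """
    for line in ini_text.splitlines():
        m = re.match(r"\s*ThresholdCBackupCnt\s*=\s*(\d+)\s*$", line, re.I)
        if m:
            value = int(m.group(1))
            return value if value >= 1 else DEFAULT_THRESHOLD
    return DEFAULT_THRESHOLD


class BackupChain:
    """Tracks which images exist and which level the next backup writes."""

    def __init__(self, threshold: int):
        self.threshold = threshold
        self.a0 = "A0"        # base image, created at install, never retaken here
        self.b = None         # cumulative image version, e.g. "B.V1"
        self.c = None         # most-recent image version, e.g. "C.V1.2"
        self.b_version = 0
        self.c_updates = 0    # C updates since the current B was written
        self.history = []     # levels written so far, for inspection

    def backup(self) -> str:
        """Perform one scheduled or user-initiated backup; return the level written."""
        # Step 1 (and the step 4 re-entry): a new B is due when no B exists yet
        # or C has been updated `threshold` times since the current B.
        if self.b is None or self.c_updates >= self.threshold:
            self.b_version += 1
            self.b = "B.V%d" % self.b_version
            self.c = None      # assumption from Figure 2-2: old C is superseded
            self.c_updates = 0
            self.history.append("B")
            return "B"
        # Steps 2 and 3: write or replace C until it has been updated n times.
        self.c_updates += 1
        self.c = "C.V%d.%d" % (self.b_version, self.c_updates)
        self.history.append("C")
        return "C"

    def restore_points(self) -> list:
        """Restore points currently available, oldest first (at most three)."""
        points = [self.a0]
        if self.b:
            points.append(self.b)
        if self.c:
            points.append(self.c)
        return points


# Constructed PCREC.INI fragment; the section name is an assumption.
SAMPLE_INI = """; constructed example, not the product's file
[RapidRestore]
ThresholdCBackupCnt=2
"""


def simulate(ini_text: str, backups: int) -> list:
    """Run `backups` backups with the configured threshold; return the level of each."""
    chain = BackupChain(read_threshold(ini_text))
    return [chain.backup() for _ in range(backups)]


if __name__ == "__main__":
    chain = BackupChain(read_threshold(SAMPLE_INI))
    for i in range(1, 6):
        level = chain.backup()
        print("Backup #%d: wrote %s, restore points now %s" % (i, level, chain.restore_points()))
```

Running the block reproduces the pattern of Figure 2-2 (B, C, C, B, C); with the default threshold of 7 the same code yields one B followed by seven C updates before the next B.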


2.1.3 Rapid Restore Ultra components


Rapid Restore Ultra includes the following main components:

- Windows interface. Rapid Restore Ultra includes a Windows interface that enables the end user to customize its behavior. From this interface the user can define a backup schedule, initiate a backup, create an archive (on CD-Rs), restore the system from a backup and select individual files to restore. Enterprise administrators can disable this interface to enforce a company-wide policy (see the GUIGroup setting in Custom settings in \rrpcgui\RR.INI on page 47). Many of these functions can also be performed using the command-line interface.
- F11 interface. The F11 interface allows you to restore a system that is unable to boot into the Windows operating system. During system startup the user is informed that pressing F11 will launch a recovery menu. In some cases pressing F11 displays the ImageUltra menu or the IBM Product Recovery menu, which list IBM Rapid Restore Ultra among their entries; otherwise pressing F11 displays the Rapid Restore Ultra menu. The F11 menu gives a list of backups from which the system can be restored.
- Command-line interface. The command-line interface can be used from both Windows and DOS. This interface is intended for large-enterprise administrator use.
- Onscreen help. Rapid Restore Ultra online help can be accessed from the Help menu of the Rapid Restore Ultra GUI in Windows.
- Hidden Protected Area (HPA) compatibility. IBM Rapid Restore Ultra is compatible with the HPA, a special kind of firmware-secured hard disk area found in newer IBM ThinkPad and desktop systems. However, Rapid Restore Ultra does not use the HPA for storing backups; the backups are stored in a separate service partition.

2.2 Installing Rapid Restore Ultra


If you purchased an IBM computer manufactured after 10/1999, you can use IBM Rapid Restore Ultra on your IBM client system. A list of all IBM computers supported by Rapid Restore Ultra is maintained at the following URL:

http://www-3.ibm.com/pc/support/site.wss/document.do?lndocid=MIGR-4Q2QAK

The following table lists all the IBM computers supported by Rapid Restore Ultra at the time this book was published.

Table 2-1 IBM computers supported by Rapid Restore Ultra

System           Type
ThinkCentre A30  2296, 8191, 8198, 8199, 8316, 8434
ThinkCentre A50  8320, 8419
ThinkCentre A50p 8192, 8193, 8194, 8195, 8196, 8197, 8432, 8433
ThinkCentre M50  8185, 8186, 8187, 8188, 8189, 8190, 8413, 8414, 8415
ThinkCentre S50  8183, 8184, 8416, 8417, 8418
ThinkPad         A20m, A20p, A21e, A21m, A21p, A22e, A22m, A22p, A30, A30p, A31, A31p, G40, R30, R31, R32, R40, R40e, S30, T20, T21, T22, T23, T30, T40, T40p, X21, X22, X23, X24, X30, X31, TransNote
NetVista         2169, 2194, 2196, 2197, 2251, 2254, 2255, 2256, 2257, 2271, 2275, 2289, 2292, 6018, 6058, 6059, 6266, 6269, 6270, 6276, 6279, 6280, 6286, 6336, 6337, 6339, 6341, 6342, 6343, 6345, 6346, 6347, 6348, 6349, 6350, 6568, 6569, 6578, 6579, 6599, 6647, 6648, 6649, 6650, 6790, 6791, 6792, 6793, 6794, 6795, 6822, 6823, 6824, 6825, 6826, 6830, 6831, 6832, 6833, 6837, 6838, 6840, 6841, 6842, 6847, 6848, 6881, 8181, 8182, 8301, 8303, 8304, 8305, 8306, 8307, 8308, 8309, 8310, 8311, 8312, 8313, 8314, 8315, 8317, 8318, 8319
PC 300           2169, 6344, 6345
PC 300GL         6272
PC 300PL         6562, 6565, 6584, 6592, 6594, 6862, 6871, 6872, 6890, 6892
PC 300XL         6588

It is recommended that you download the latest version of Rapid Restore Ultra from the IBM website:

http://www.ibm.com/pc/support/site.wss/MIGR-4Q2QAK.html

Alternatively, you can visit the IBM systems support website

http://www.pc.ibm.com/support

and search for Rapid Restore Ultra.

2.2.1 Rapid Restore Ultra requirements


Rapid Restore Ultra requires the following system configuration before installation:

- Single disk drive. Only one hard disk (the primary hard disk) is protected. Rapid Restore Ultra supports up to three primary partitions; the installation will abort on systems that have an extended partition. SCSI drives are not supported.
- 20-40 percent of the hard disk space available. Rapid Restore Ultra uses this space to store all backups during the lifecycle of the system.
- No third-party boot manager installed. Rapid Restore Ultra installs a boot manager that enables the F11 interface during system startup, and any pre-existing boot manager is overwritten. Rapid Restore Ultra cannot be used in conjunction with any other backup or utility software that modifies the Master Boot Record (MBR); software that modifies the MBR might render Rapid Restore backups inaccessible for restoration. Such software includes, but is not limited to, Roxio GoBack, VCOM System Commander, Novell ZENworks and PowerQuest BootMagic.
- Supported operating systems. Rapid Restore Ultra is compatible with the following non-server operating systems: Microsoft Windows XP and Microsoft Windows 2000 Professional.
- Installation time. Installation time differs from system to system. It depends on the initial backup time, which is proportional to the amount of hard disk data being backed up.
- USB drive backup support. Only IBM USB hard disk drives can be used for the optional USB backup feature that IBM Rapid Restore Ultra provides.
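The partition-layout rules above (at most three primary partitions, no extended partition, and an MBR that the RRU boot manager will overwrite) can be checked against the raw first sector of the disk before the installer is run. The following Python is an added example, not the installer's own logic: the function names, the constructed sample MBRs and the check that records a fingerprint of the boot-code area are all choices made here, and the set of extended-partition type codes is the conventional MBR set rather than a list published for Rapid Restore Ultra. The 20-40 percent free-space requirement is a filesystem-level figure that the MBR cannot supply, so it is not checked.

```python
"""Pre-installation partition-layout check for Rapid Restore Ultra (see 2.2.1).

Added example, not IBM code. Parses a raw 512-byte Master Boot Record and
applies the two layout rules from the text: at most three primary partitions
and no extended partition. It also fingerprints the 446-byte boot-code area so
the pre-install MBR state can be recorded before RRU's boot manager replaces it.
Sample MBRs are constructed; EXTENDED_TYPES is the conventional MBR set.
"""
import hashlib
import struct

MBR_SIGNATURE = b"\x55\xAA"
EXTENDED_TYPES = {0x05, 0x0F, 0x85}  # DOS, Win95 LBA and Linux extended containers
MAX_PRIMARY = 3                      # 2.2.1: "up to three primary partitions"
ENTRY_FMT = "<B3xB3xII"              # status, CHS (skipped), type, CHS (skipped), LBA start, sectors


def parse_partition_table(mbr: bytes) -> list:
    """Return the four 16-byte partition entries as dicts, empty slots included."""
    if len(mbr) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, mbr, 446 + 16 * i)
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def preflight(mbr: bytes) -> dict:
    """Apply the 2.2.1 layout rules; returns {'ok', 'problems', 'used'}."""
    used = [e for e in parse_partition_table(mbr) if e["type"] != 0x00]
    problems = []
    extended = [e for e in used if e["type"] in EXTENDED_TYPES]
    if extended:
        problems.append("extended partition present (type 0x%02X); install will abort"
                        % extended[0]["type"])
    if len(used) > MAX_PRIMARY:
        problems.append("%d partitions in use; at most %d primary partitions supported"
                        % (len(used), MAX_PRIMARY))
    return {"ok": not problems, "problems": problems, "used": len(used)}


def boot_code_fingerprint(mbr: bytes) -> str:
    """SHA-256 of the boot-code area (bytes 0-445), recorded before install so that a
    later rewrite of the MBR, by RRU's boot manager or anything else, is detectable."""
    parse_partition_table(mbr)  # validates length and signature first
    return hashlib.sha256(mbr[:446]).hexdigest()


def build_mbr(types: list) -> bytes:
    """Construct a synthetic MBR whose slots carry the given type codes (0 = empty)."""
    if len(types) > 4:
        raise ValueError("an MBR has only four partition slots")
    table = b""
    lba = 63
    for i, t in enumerate(types):
        size = 2_000_000 if t else 0          # constructed sizes, not from a real disk
        status = 0x80 if i == 0 and t else 0  # first used slot marked active
        table += struct.pack("<B3sB3sII", status, b"\0\0\0", t, b"\0\0\0",
                             lba if t else 0, size)
        lba += size
    table += b"\0" * (64 - len(table))
    return b"\0" * 446 + table + MBR_SIGNATURE


# Constructed layouts: two NTFS (0x07) primaries plus an extended container,
# versus three NTFS primaries with the fourth slot free.
MBR_WITH_EXTENDED = build_mbr([0x07, 0x07, 0x0F, 0x00])
MBR_THREE_PRIMARY = build_mbr([0x07, 0x07, 0x07, 0x00])

if __name__ == "__main__":
    for name, mbr in (("with extended", MBR_WITH_EXTENDED), ("three primary", MBR_THREE_PRIMARY)):
        print(name, preflight(mbr), boot_code_fingerprint(mbr)[:16])
```

On a live Windows system the 512 bytes would come from reading the first sector of the physical disk (for example the \\.\PhysicalDrive0 device, opened with administrative rights; this is an assumption about how the sector is obtained, not something the page describes). Keeping the fingerprint alongside the install record gives a simple way to notice a later MBR change of the kind the requirement warns about.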

2.2.2 Rapid Restore Ultra installation


This section describes a Rapid Restore Ultra installation on an IBM system running Windows XP Professional. It is described from the perspective of a single user doing a manual install on a single system. IT administrators can choose the custom install method described in 2.4.1, Obtaining the Rapid Restore Ultra for custom install on page 40.

Important: By default, Rapid Restore Ultra does not run background operations (such as scheduled backups) if a non-administrative user, or no user, is logged in. To enable Rapid Restore Ultra to run background operations for all users, you must configure it to run as a service. This decision must be made before installing Rapid Restore Ultra: set RunAsService=1 in the file \INSTALL.INI of the custom install package. See 2.4.1, Obtaining the Rapid Restore Ultra for custom install on page 40 to get the custom install package.


Note: The steps shown below may vary when you install on your system, depending on the system configuration at the time of installation and the options you choose during installation.

1. Download the installable program from the IBM website (see the beginning of 2.2, Installing Rapid Restore Ultra on page 15) and execute it. If you are installing on a non-IBM computer, the install process aborts with an error message as shown in Figure 2-3. You need to buy a license to run Xpoint Rapid Restore on non-IBM systems; visit Xpoint at http://www.xpoint.com for details about purchasing Xpoint Rapid Restore for non-IBM systems.

Figure 2-3 Installation abort message on non-IBM system

2. The first window you see during installation gives an introduction to Rapid Restore Ultra. Read the information and click Next.

3. The next window gives the approximate time needed for the install and the initial backup. Click Next.


4. In the next screen, a set of backup options is presented to choose from.

Figure 2-4 Backup configuration screen

Each backup option is described briefly as follows:

Backup to Primary Hard Drive Only. This option configures Rapid Restore Ultra to store backups on your primary hard drive by creating a service partition on that disk. This enables recovery of the primary hard disk from its own service partition. You can change this option later (refer to 2.2.3, Enabling backup support on a USB drive after install on page 23).

Backup to Both Drives. This option configures Rapid Restore Ultra to store backups on both your primary hard disk drive and a USB drive. Choosing it enables you to recover your system from either the primary hard disk's service partition or the USB drive's service partition. For every backup operation, Rapid Restore Ultra ensures that the backup data on the USB drive is in sync with that on the primary hard disk. If your USB drive was not attached to the system at backup time, it is synchronized automatically the next time you connect it to your system. There are several reasons why you may want to include two storage devices in your backup strategy; one is the added protection inherent in a redundant backup strategy: if one of your backup devices is unavailable (for example, damaged or stolen), you can still restore from the other. We select this option for the rest of the installation described in this section.

Backup to USB Drive Only. This option configures Rapid Restore Ultra to store backup data on an IBM USB drive only. It is useful where there is not enough space on your primary hard disk to store backup data. When this option is chosen, a service partition is created on the USB drive to store all the backup data; a thin partition is still created on your primary hard disk to hold some necessary pre-operating-system programs and data files.

Note: A restore from a USB drive takes longer than one from the internal hard disk, because USB drives are slower. If you select Backup to Both Drives or Backup to USB Drive Only and later decide to change, you must uninstall and then reinstall Rapid Restore Ultra.

5. This dialog (Figure 2-5) appears if a USB drive is included in the backup strategy. Click OK.

Figure 2-5 Message displayed before resizing USB drives existing partition

6. In the next screen (Figure 2-6), you select the backup option Ongoing or One-time protection. These options are described as follows:

Ongoing protection (recommended). This option allows you to have multiple backup images, that is, the base backup image and the incremental backups. Refer to 2.1.2, Rapid Restore Ultra backup methodology on page 13 for the different image types. This option reserves 20 to 40% of hard disk space to accommodate the base backup image and the incremental backups.

One-time protection. This option reserves hard drive space for the creation of only one backup level, that is, the base backup image. If you later make incremental backups, the service partition is resized to accommodate the new backups.

Figure 2-6 Backup configuration screen

7. A startup diskette must be created if the system has no prior service partition or Hidden Protected Area (see 2.1.3, Rapid Restore Ultra components on page 15 for information on the HPA). The floppy disk drive must be attached to the system prior to the start of installation.


Figure 2-7 Message prompt to indicate startup diskette creation is required

8. After the startup diskette is created, reboot from the startup diskette to create a service partition in DOS mode. On creation of the service partition, you will see a message that reads Partitioning is complete. Remove the diskette and press any key to restart the system.

9. On restart, the operating system processes the new partition and reboots. At this time the base backup image is created in DOS mode (Figure 2-8).

   IBM Rapid Restore Ultra - Backup
   This process requires a substantial amount of time. Connect your mobile computer to an AC power supply. Do not turn off your computer during the restore process; however, if you do lose power, restart the restore process.
   [ Progress ] [ 50%]
   powered by Xpoint

Figure 2-8 Screen showing backup progress status


10. After the base backup is done, the system boots back into Windows. A message as shown in Figure 2-9 is displayed indicating that Rapid Restore is successfully installed (if the USB drive is also included in the backup strategy, the creation of the service partition on the USB drive and its synchronization will happen at this stage).

Figure 2-9 Message box informing completion of Rapid Restore install

2.2.3 Enabling backup support on a USB drive after install


If you did not configure backup support on a USB drive during install of Rapid Restore Ultra (meaning you selected Backup to Primary Hard Drive Only in Figure 2-4 on page 19), you can do so later by following the Start -> Programs -> Access IBM -> IBM Rapid Restore Enable USB menu sequence.

2.3 Using Rapid Restore Ultra


This section describes how to perform:
   Backup operations - see 2.3.1, Backing up your system on page 23.
   Restore operations - see 2.3.2, Restoring your system on page 29.
   Archive operations - see Archiving backups on page 28.
   Migration to a new hard disk - see 2.3.4, Migrating to a new hard disk drive on page 38.

2.3.1 Backing up your system


During the installation process, Rapid Restore Ultra creates the base backup. Incremental backups can be taken on-demand or scheduled. The following sub-sections give a brief procedure on how to perform manual backup and set a schedule for automated backups.


Procedure to initiate a manual backup


1. Open the Rapid Restore window through Start -> Programs -> Access IBM -> IBM Rapid Restore Ultra menu sequence. Select Backup -> Backup Now option from menu. A window displaying current backup state is displayed (Figure 2-10).

Figure 2-10 Manual Backup - details of current backup information

You can exclude some files from being a part of the new backup. To do that, click the Exclude Files button (bottom left corner in Figure 2-10).


2. You can only exclude files that were not included in previous backups (filenames with grey checkboxes, as shown in Figure 2-11, indicate that they are already included in the base backup or a previous incremental backup).

Figure 2-11 Exclude files from backup

In Figure 2-11 we have selected three files for exclusion. Though they are not large files, we have selected them to illustrate the process. Excluding large, unimportant files helps to reduce backup image size and the backup process time. For example, you might consider excluding your Lotus Notes local database replicas since they are always available on the Lotus Notes server. Click Next to continue.


3. The incremental backup progress is displayed (Figure 2-12).

Figure 2-12 Backup progress status window

Note: Incremental backup requires that system windows such as Windows Explorer, Internet Explorer or the My Computer window be closed before backup can start. You will be prompted to close them if they are open.

4. On completion, you will see a message as shown in Figure 2-13.

Figure 2-13 Backup completion notification


If the USB drive is also part of the backup strategy, backup synchronization on the USB drive will be initiated at this stage (Figure 2-14).

Figure 2-14 Synchronizing service partition on USB drive with primary hard disk backup

Scheduling backups
The schedule feature enables automated backups to take place on a daily, weekly or monthly basis at a day and time of your choosing. Weekly scheduled backups are enabled by default. To change the schedule:

1. Open the Rapid Restore console by selecting the Start -> Programs -> Access IBM -> IBM Rapid Restore Ultra menu sequence.


2. Select Backup -> Schedule Your Backups from menu. You will see the screen as shown in Figure 2-15. You can configure the frequency and schedule time of the automated backups.

Figure 2-15 Configuration schedule for automated backups

You can also disable scheduled backups by selecting the Off radio button.

Note: Scheduled backups will not take place if your computer is powered off (shut down) or is in sleep mode (standby) when a backup operation is scheduled to take place. Rather, when you start or wake your computer, Rapid Restore Ultra prompts you to begin the missed backup operation at that time.

Archiving backups
Rapid Restore Ultra enables you to create a set of recovery CDs which you can use to recover your system in events like hard disk failures. The system should have a CD-Read/Write drive. Rapid Restore Ultra supports only CD-R media for archive (CD-RW media is not supported because it is more susceptible to data loss or accidental erasure). To start an archive operation:


1. Open the Rapid Restore console by selecting the Start -> Programs -> Access IBM -> IBM Rapid Restore Ultra menu sequence. Select Backup -> Archive Your Backups from the menu. You will see a window as shown in Figure 2-16.

Figure 2-16 Archive backup screen

Note: If the menu item Archive your backups is grayed (not enabled) then either the CD-Writable drive is not present in your system or it is not properly configured. Note that USB and FireWire CD drives are not supported.

2. Follow the on-screen instructions to complete the archive process.

2.3.2 Restoring your system


Rapid Restore Ultra enables you to recover or restore your system from different media and different states as listed below:
1. Restore from the system's hard disk
   a. Restore in pre-OS or DOS mode
   b. Restore in Windows mode
2. Restore from an IBM USB drive
3. Restore from a set of archive CDs.

Restoring in Windows mode


This option is chosen when you can boot into Windows but want to restore your system in events such as unintentional deletion of required data, virus problems, performance degradation, etc. However, you can only restore data that has been backed up previously in one of Rapid Restore Ultra's backup images. The following steps describe a restore operation in Windows mode:
1. Open Start -> Programs -> Access IBM -> IBM Rapid Restore Ultra.
2. Close all other applications.
3. Select Restore -> Restore your system. You will see a window as shown in Figure 2-17.

Figure 2-17 Restore your system window


4. Select the backup state you want to revert to based on the date and time of the backups listed. Click OK to continue.
5. At this stage, you are given the option to continue or cancel the restore operation. This is the last chance to cancel the restore operation. All the data that was created since the selected backup will be lost. A warning window will be displayed (Figure 2-18).

Figure 2-18 Data erase alert window

6. After a reboot, the restoration operation will proceed. Restore operations are full image restore operations in the sense that first the base backup image is restored (in DOS mode) and then the incremental backup data is restored (in Windows mode).

Restoring in pre-OS mode


In the event of a complete operating system failure, or if you are unable to start the Rapid Restore Ultra application in Windows, you would choose the pre-OS interface to restore. The following is the procedure to restore your system in pre-OS mode:

1. During the system startup, press F11 when you see a message similar to this: To start the system recovery program, press F11

Note: In some cases pressing F11 will show an intermediary window prompting you to select an application. If this occurs, select Rapid Restore Ultra recovery. In some other cases (such as on the IBM ThinkPad T40) you must choose the Access IBM menu on system startup by pressing the Enter key or pressing the Access IBM key on the ThinkPad keyboard. Then you can press F11 to enter the recovery menu.


2. When the Rapid Restore Ultra recovery menu displays (Figure 2-19), use the arrow keys to highlight the desired recovery option and press the Enter key to proceed with the restore operation.
   IBM Rapid Restore Ultra - Restore
   [ Please choose which backup to restore ]
     2003/7/18 11:09       Base Backup
     7/18/2003 at 11:16    Cumulative Backup
     7/18/2003 at 11:19    Most Recent Backup
   This process requires a substantial amount of time. Connect your mobile computer to an AC power supply before continuing.
   [ Progress ] [ 0%]
   ESC = reboot   UP/DOWN = Move highlight   ENTER = Select

Figure 2-19 Restore menu showing multiple backup images


3. You will be asked to confirm this restore operation (Figure 2-20).

   IBM Rapid Restore Ultra
   You have chosen to restore your system to: "7/18/2003 at 11:19 Most Recent Backup" This will result in loss of any changes to your system (including user application data files) which are more recent than the selected time and date. Restore may require several reboots to complete the restore. Would you like to perform the restore?
     Yes    No
   ESC = reboot   UP/DOWN = Move highlight   ENTER = Select

Figure 2-20 Confirmation dialog to start restoration of selected image


4. Rapid Restore Ultra restoration progress will be displayed as shown in Figure 2-21.
   IBM Rapid Restore Ultra - Restore
   This process requires a substantial amount of time. Connect your mobile computer to an AC power supply. Do not turn off your computer during the restore process; however, if you do lose power, restart the restore process.
   [ Progress ] [ 27%]
   powered by Xpoint

Figure 2-21 Screen showing restore process in progress

5. After the base backup is restored in DOS mode, the system boots back to Windows.
6. If any incremental backup restore was a part of the restore image, it happens now (Figure 2-22).


Restore from Base Backup is completed successfully.

Please wait while restoring system from Most Recent Backup.

Figure 2-22 Incremental backup restore message in Windows mode

Restoring from an IBM USB drive


If you have an IBM USB drive in your Rapid Restore Ultra backup strategy, you can use it to recover your system in events such as hard disk failure, where you can replace the hard disk and start restoring from the USB drive. To restore from an IBM USB hard drive, the USB drive must be accessible in pre-OS mode (or in DOS mode). Here are some of the ways to do that:

1. Boot from USB drive: Some system BIOSes support booting from USB hard drives. In this case, you can directly boot from the IBM USB drive and proceed with the restore operation. You may need to modify the startup sequence in the BIOS setup interface.

2. Boot from diskette: You can create a boot diskette which will make the USB drive accessible. To create such a boot diskette follow these steps:
   a. Open Start -> Programs -> Access IBM -> IBM Rapid Restore media creator on a system having Rapid Restore Ultra installed.
   b. Select the tab Boot from diskette (Figure 2-23) and click the Create boot diskette button.
   Note: It cannot be a USB floppy disk drive.


Figure 2-23 USB boot media creator

3. Boot from CD: If the system to be recovered does not have a floppy drive but has a CD drive, you can create a bootable CD which can make the USB drive accessible in pre-OS mode. To create such a boot CD follow these steps:
   a. Open Start -> Programs -> Access IBM -> IBM Rapid Restore media creator on a system having Rapid Restore Ultra installed.
   b. Select the tab Boot from CD (Figure 2-23). Use the specified ISO image to create a bootable CD.

Restoring from archived CDs


Rapid Restore Ultra can restore your system from archived recovery CDs (if you have archived backups on CD-Rs as shown in Archiving backups on page 28). To restore a system from archived CDs, follow the instructions listed below:
1. Boot from the archive CD-R (Volume 1) CD.
2. The system boots up in DOS mode and you are prompted to continue with the restoration process. Press the Y key to continue.
   Note: If your system does not boot from the CD drive, you must change your BIOS startup sequence.
3. You are reminded that restoring your system will delete all existing data and you are prompted to confirm the initiation of the restoration process. Press the Y key to continue.


4. You can view the restoration's completion percentage on the on-screen progress bar. Depending on the size of your service partition archive, you may at some point during the restoration process be prompted to insert CD Volume 2, CD Volume 3, etc.

Restoring individual files


Rapid Restore Ultra enables you to recover individual files from incremental backups (B and C backups; see 2.1.2, Rapid Restore Ultra backup methodology on page 13). The restore individual file(s) feature is extremely useful if you have accidentally lost some important files. However, the files can only be restored if they were backed up in one of the previous incremental backups.

Note: You can only restore individual files from incremental backups. Files that are backed up in the base backup image cannot be restored individually.

To recover one or more individual files, follow these steps:
1. Open Start -> Programs -> Access IBM -> IBM Rapid Restore Ultra and choose Restore -> Restore files. Alternatively, you can double-click the Single File Restore icon in the My Computer window.
2. The Restore file explorer window appears as shown in Figure 2-24. The user interface is similar to the Windows Explorer window.

Figure 2-24 Individual files restore window

3. Click the Single_File_Restore icon shown in the right pane of the window. You will see subfolders like:


   Drive(C)_Cumulative_Backup_xx_xx_xx_At_xx_xxxx
   Drive(C)_Most_Recent_Backup_xx_xx_xx_At_xx_xxxx
   (where xx_xx_xx_At_xx_xxxx is the date and time the backup image was created or last updated)
4. Locate the file that needs to be restored by exploring these subfolders.
5. Right-click the selected file and click Restore (Figure 2-25). The restore process will restore the file to the same location from which it was backed up previously. If that path does not exist, it will create the folder/path and restore the file in it.

Figure 2-25 Selecting the file to be restored from Single File Restore window

2.3.3 Running Rapid Restore Ultra service


By default, Rapid Restore Ultra does not run background operations (such as scheduled backups) if a non-administrative user or no user is logged in. To enable Rapid Restore Ultra to run background operations for all users, you must enable Rapid Restore Ultra to run as a service. This decision must be made before installing Rapid Restore Ultra. To do this, set RunAsService=1 in file \INSTALL.INI of the custom install package. See 2.4.1, Obtaining the Rapid Restore Ultra for custom install on page 40 to get the custom install package.

2.3.4 Migrating to a new hard disk drive


IBM Rapid Restore Ultra can move your backup files onto a second drive. This is very helpful when your current disk drive starts to get full or when you are upgrading your computer.


Note: For migration, the new hard disk drive must be larger in capacity than the first disk drive.

To migrate your data, follow this process:
1. Initiate a manual backup operation (refer to Procedure to initiate a manual backup on page 24) on your current hard drive to ensure the backup is the latest.
2. When the backup procedure is complete, attach the second hard disk drive to the computer.
3. From the Windows desktop, click Start -> Run.
4. Run c:\program files\xpoint\pe\skin\migrate.exe.
5. While the migration is taking place, a progress bar is displayed. When the migration is complete, the progress bar will disappear. There will be no other indication that the migration process is complete.
6. Start the computer from the second hard drive. The DOS-based recovery menu will be displayed.
7. Select the backup that you want to restore and proceed.

2.3.5 Uninstall Rapid Restore Ultra


1. Open the Add/Remove Programs wizard from the Control Panel.
2. Select Rapid Restore Ultra and click the Remove button.
3. You will be asked to reboot the system to complete the uninstall (Figure 2-26). Click OK.

Figure 2-26 RRU Uninstall - reboot prompt dialog


Note: Quite often during uninstall the window shown in Figure 2-26 may get hidden under other application windows (for example, the Control Panel window). In such a case, press the Alt+Tab keys to switch between windows and select the Rapid Restore Ultra icon to get to this dialog box.

2.4 Rapid Restore deployment in an enterprise


This section is intended for IT administrators who are responsible for deploying IBM Rapid Restore Ultra on end-user systems in their organization. You have to make sure that Rapid Restore Ultra licenses are available for each target client system. IBM client systems (shipped after 10/1999) do not require the purchase of a Rapid Restore Ultra license. All non-IBM systems will require a license to use Rapid Restore. Visit Xpoint (http://www.xpoint.com) for details on buying Xpoint Rapid Restore that can be used on non-IBM systems. This section assumes that you are using IBM Rapid Restore Ultra V3.01 SP1 or a later version.

2.4.1 Obtaining the Rapid Restore Ultra for custom install


Download the installable code from IBM website as shown in 2.2, Installing Rapid Restore Ultra on page 15.


1. Run the executable. When you see the screen prompting for location to save files (Figure 2-27), select the directory where you would like to extract the install files. This location will be referred to as <custom location> from here on in this redbook. Click Next to continue.

Figure 2-27 Screen prompt to enter the location for saving extracted files


2. After a couple of message screens, you will see the license agreement dialog box (Figure 2-28). Select No to close this window and click the Yes button when asked to confirm quitting setup. The extracted install files will remain in the <custom location> path.

Figure 2-28 License agreement window prompt

2.4.2 Customizing Rapid Restore install options


Before you begin installation of Rapid Restore Ultra on your client systems you will need to determine what options you would like to have Rapid Restore Ultra operate under. Many of these options cannot be changed after the install (for example, the RunAsService option). All path locations specified are relative to the <custom location> where we saved the install files of Rapid Restore Ultra (see 2.4.1, Obtaining the Rapid Restore Ultra for custom install on page 40). Rapid Restore install customization can be done in four configuration files as listed below:
   \INSTALL.INI
   \rrpc\INSTALL.INI
   \rrpc\PCREC.TXT
   \rrpcgui\RR.INI

The following sub-sections describe the custom settings that can be done in each of these configuration files.


Custom settings in \INSTALL.INI


If you would like to enable the service that allows Rapid Restore Ultra to operate in the background (to run operations such as scheduled backups) when a non-administrator user or no user is logged on, you will need to modify the value of the RunAsService option.
   RunAsService=0 - The service is not installed (default value). In this case, background operations run only if a user with administrative privileges is logged in.
   RunAsService=1 - The service is installed. Background operations such as scheduled backups will run irrespective of whether any user is logged in.

Rapid Restore Ultra also has a setting to enable or disable Rapid Restore Ultra GUI access in Windows. This access is controlled by the key GUIGroup. This key can only be used if RunAsService is set to 1. See Custom settings in \rrpcgui\RR.INI on page 47 for more information about this key.

Custom settings in \rrpc\INSTALL.INI


The file \rrpc\INSTALL.INI allows for customization of uninstall options.
1. If you would like to control the listing of Rapid Restore Ultra software in Add/Remove Programs in the Control Panel, you will need to modify the value of the key ShowUninstall in the [options] section.
   ShowUninstall=1 - Rapid Restore Ultra is listed in Add/Remove Programs (default).
   ShowUninstall=0 - Rapid Restore Ultra is not listed in Add/Remove Programs.
2. If you would like to add a shortcut for uninstalling Rapid Restore Ultra in the Start -> Programs -> Access IBM menu, then the value of Uninstall will need to be modified in the [links] section.
   Uninstall=0 - Rapid Restore uninstall is not in the Start menu (default).
   Uninstall=1 - Rapid Restore uninstall is in the Start menu.

Custom settings in \rrpc\PCREC.TXT


This configuration file has many important settings. Settings made in this file are carried on to the following files during the installation:
   c:\program files\xpoint\pe\PCREC.INI
   PCREC.INI in the Master Boot Record (MBR). This is the master copy that is referenced by every process of Rapid Restore Ultra.
   PCREC.INI in the IBM_SERVICE partition.
Following are the settings options configurable in file \rrpc\PCREC.TXT:


1. If you would like to disable the ability of an end user to do Single File Restore (restore individual files), you will need to add the option EnableSingleFileRestore in the file \rrpc\PCREC.TXT as follows:
   EnableSingleFileRestore=1 - Allows Single File Restore to function (this is the default even when the EnableSingleFileRestore entry does not exist).
   EnableSingleFileRestore=0 - Disables Single File Restore. Note that this will not remove the Single File Restore icon from My Computer. If an end user tries to open this icon, no files (a blank window) will be displayed.
2. Configuration of the IBM_SERVICE partition is controlled by three keys in \rrpc\PCREC.TXT. The first two define how much hard disk space will be reserved for the IBM_SERVICE partition. These keys are PEMinStor and PEMaxStor. The third key, SP_PSA, affects the resizing capability of the IBM_SERVICE partition as illustrated in Table 2-2. For Ongoing backups in Rapid Restore Ultra, specify SP_PSA value 0 or 1. For One-time backup specify SP_PSA value 2 or 3. See page 20 for more information on Ongoing and One-time backups.
Table 2-2 SP_PSA value options

SP_PSA   Description
0        The IBM_SERVICE partition will be sized based on the value of PEMinStor. If the IBM_SERVICE partition becomes full, it will be resized to the value of PEMaxStor.
1        The IBM_SERVICE partition will be sized based on the value of PEMaxStor. If the IBM_SERVICE partition becomes full, no resizing will occur since it is already at its maximum size.
2        The IBM_SERVICE partition will be sized based on the estimated size needed for the base backup created during the install. The IBM_SERVICE partition will not resize if it becomes full.
3        This will behave the same as SP_PSA=2 except that extra space will be added to the IBM_SERVICE partition based on the value of SP_Xfactor. The SP_Xfactor option can be set to specify the size of the extra space in bytes.

PEMinStor and PEMaxStor represent the minimum and maximum percentage of the hard disk space that will be used for the IBM_SERVICE partition. The valid range for each of these keys is 10%-40%. Note that the value of PEMinStor must not be larger than the value of PEMaxStor. The best way to understand these settings is to look at a couple of scenarios shown in Table 2-3.


Table 2-3 Example IBM_SERVICE partition configuration settings

Setting:  SP_PSA=0, PEMinStor=20, PEMaxStor=40
Behavior: During the installation of Rapid Restore, the IBM_SERVICE partition will be sized to 20% of the HDD. During the life cycle of the PC, if the IBM_SERVICE partition becomes full, the application will prompt the user that the IBM_SERVICE partition needs to be resized. The system will then resize the IBM_SERVICE partition to 40% of the HDD.

Setting:  SP_PSA=1, PEMinStor=Don't care, PEMaxStor=39
Behavior: During the installation of Rapid Restore, the IBM_SERVICE partition will be sized to 39% of the HDD. During the life cycle of the PC, if the IBM_SERVICE partition becomes full, the application will not resize the partition since it is already at its maximum size.

Setting:  SP_PSA=2, PEMinStor=Don't care, PEMaxStor=Don't care
Behavior: During the installation of Rapid Restore, the space needed to store the base backup is calculated. The size of the IBM_SERVICE partition will be based on this calculation. This setting of SP_PSA will not prevent incremental backups, but if the IBM_SERVICE partition becomes full it will not resize.

3. You can set the backup schedule by configuring the value of BackupSchedule key. This key value can also be modified later after installation (either through GUI or via the command line). Refer to Modifications to pcrec.ini on page 56 for information on how to modify this value after installation. The format of BackupSchedule value is defined in the Table 2-4 below.
Table 2-4 Backup schedule settings

Frequency    Format
Monthly      1500000 00 dd 0000 0 hh mm 0000000000 000000000000000
Weekly       1400000 00 00 0000 w hh mm 0000000000 000000000000000
Daily        1300000 00 00 0000 0 hh mm 0000000000 000000000000000
On demand    1100000 00 00 0000 0 00 00 0000000000 000000000000000

where:
   dd = Day of the month, 2 digits (01-28). To run at the end of each month set the value to 35.
   w = Day of the week, single digit (0 = Sunday, 1 = Monday, etc.).
   hh = Hour of the day in 24-hour time format, 2 digits (00-23).
   mm = Minute of the hour, 2 digits (00-59).
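As an added example (not part of the original redbook), the following Python encodes and decodes BackupSchedule values in the Table 2-4 layout, enforcing the dd, w, hh and mm ranges listed above so that a deployment script can generate the key for PCREC.TXT and check an existing value before rollout. Function and constant names are this example's own.

```python
import re

# Added example: encode and decode the PCREC.TXT BackupSchedule value in the
# Table 2-4 layout. Function names are this example's own.
FREQUENCY_CODES = {
    "monthly": "1500000",
    "weekly": "1400000",
    "daily": "1300000",
    "on_demand": "1100000",
}
CODE_TO_FREQUENCY = {code: freq for freq, code in FREQUENCY_CODES.items()}
END_OF_MONTH = 35  # special dd value: run at the end of each month

# <code> 00 <dd> 0000 <w> <hh> <mm> <ten zeros> <fifteen zeros>
_SCHEDULE_RE = re.compile(
    r"^(1[1345]00000) 00 (\d{2}) 0000 (\d) (\d{2}) (\d{2}) 0{10} 0{15}$")


def build_backup_schedule(frequency, day=0, weekday=0, hour=0, minute=0):
    """Return the BackupSchedule string for the given frequency and time."""
    if frequency not in FREQUENCY_CODES:
        raise ValueError("unknown frequency: %r" % frequency)
    dd, w = 0, 0
    if frequency == "on_demand":
        hour = minute = 0  # no time fields apply to on-demand backups
    else:
        if not 0 <= hour <= 23:
            raise ValueError("hour must be 00-23")
        if not 0 <= minute <= 59:
            raise ValueError("minute must be 00-59")
        if frequency == "monthly":
            if not (1 <= day <= 28 or day == END_OF_MONTH):
                raise ValueError("day must be 01-28, or 35 for end of month")
            dd = day
        elif frequency == "weekly":
            if not 0 <= weekday <= 6:
                raise ValueError("weekday must be 0 (Sunday) to 6 (Saturday)")
            w = weekday
    return "%s 00 %02d 0000 %d %02d %02d 0000000000 000000000000000" % (
        FREQUENCY_CODES[frequency], dd, w, hour, minute)


def parse_backup_schedule(value):
    """Decode a BackupSchedule string into a dict; raise ValueError if malformed."""
    match = _SCHEDULE_RE.match(value.strip())
    if not match:
        raise ValueError("not a valid BackupSchedule value: %r" % value)
    code, dd, w, hh, mm = match.groups()
    frequency = CODE_TO_FREQUENCY[code]
    result = {"frequency": frequency}
    if frequency == "on_demand":
        return result
    if int(hh) > 23 or int(mm) > 59:
        raise ValueError("hour/minute out of range in %r" % value)
    result["hour"], result["minute"] = int(hh), int(mm)
    if frequency == "monthly":
        day = int(dd)
        if not (1 <= day <= 28 or day == END_OF_MONTH):
            raise ValueError("day out of range in %r" % value)
        result["day"], result["end_of_month"] = day, day == END_OF_MONTH
    elif frequency == "weekly":
        if int(w) > 6:
            raise ValueError("weekday out of range in %r" % value)
        result["weekday"] = int(w)
    return result
```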


4. To control how many times the Most Recent (type C) backup gets reset before the Cumulative (type B) backup is reset, modify the key ThresholdCBackupCnt. The default value is 7. For information for different types of backups see 2.1.2, Rapid Restore Ultra backup methodology on page 13.
Table 2-5 ThresholdCBackupCnt value

ThresholdCBackupCnt   Backup behavior
0                     Cumulative backup will be reset on demand only. This is done from the command line with the command: c:\program files\xpoint\pe\f11exec /bb /gui
n                     n is an integer greater than or equal to 2 that defines the number of times the Most Recent backup is reset before the Cumulative backup is reset. The default value is 7.

For a graphical description of how the ThresholdCBackupCnt value affects the backup behavior, refer to Figure 2-2 on page 14.

5. On some systems it may be desirable to reduce the priority of the Rapid Restore process so as to give other processes enough system resources. The keys for this setting are BackupThrottleSleep and BackupThrottlePriority. These settings can also be modified after installation. Refer to Modifications to pcrec.ini on page 56 for information on how to modify them after installation.
   a. BackupThrottleSleep=n - n is an integer between 0 and 3000 that represents the number of milliseconds for which the backup engine will yield the CPU to other processes. The backup engine yields to other processes for n milliseconds after every 10 MB of data is backed up.
   b. Table 2-6 below describes the effect of the BackupThrottlePriority key values.
Table 2-6 BackupThrottlePriority value

BackupThrottlePriority   Effect
0                        Normal priority
-1                       Yield to normal processes
-2                       Only active if no other process is running

6. It may be desirable to suppress the congratulations message box at the end of the install process. To suppress the congratulations message box, add the key HIDE_CONGRAT=1 to file \rrpc\PCREC.TXT. However, one must be careful when specifying this option because the congratulations message is the only visible indicator for the user that the installation has completed. If the install is not allowed to complete properly, Rapid Restore Ultra may behave abnormally.
7. If you have upgraded the system from Rapid Restore PC 2.6 to Rapid Restore Ultra, you may decide to have a Cumulative backup (type B) occur automatically after the upgrade. Adding the key CumulativeAfterOverinstall=1 to file \rrpc\PCREC.TXT will cause this to happen. This option should only be used when upgrading from Rapid Restore PC 2.6 to Rapid Restore Ultra.

Custom settings in \rrpcgui\RR.INI


All the settings options available in this file can also be modified after install. After installation, this file will be located at c:\program files\xpoint\pe\skin\RR.INI. Changes made to this file will take effect the next time the GUI window is opened.
1. If you would like to hide the Exclude Files button (see Figure 2-10) in the Rapid Restore backup window, you can modify the HideExclude key in the [RapidRestore] section.
   HideExclude=0 - The Exclude Files button is visible (default).
   HideExclude=1 - The Exclude Files button is hidden.
2. You can also exclude files by file type. This option is available only after install. To exclude files by file type, you need to edit the file c:\program files\xpoint\pe\IBMEXCLD.TXT. Place each <file type> on a new line. For example, to exclude all files with a file type of *.mp3 from backup, the contents of IBMEXCLD.TXT would look like this:
Example 2-1 Sample IBMEXCLD.TXT file C:\Notes\Data\mymail.nsf <-------- Added from the GUI C:\Notes\Data\localDBreplica.nsf <-------- Added from the GUI MP3 <-------- Added by Admin

The files excluded by file types will not be shown as excluded in Rapid Restore exclude list in the GUI. Also one must be careful when excluding files by file type. For example excluding JPG files would break applications such as Access IBM after restore. Similarly some important files whose file type is excluded will not be backed up and will be lost on restore. 3. If you have the plan to create Administrator images (A1, A2 as shown in Figure 2-1 on page 13) you also have the option to hide these images from appearing in the Rapid Restores restore GUI. However these images will remain visible in the F11 restore console.

Chapter 2. Rapid Restore Ultra

47

6060ch02.fm

Draft Document for Review September 24, 2003 4:27 pm

To hide the Administrator images from the GUI you can modify the HideLEImages key in the [RapidRestore] section of file \rrpcgui\RR.INI. HideLEImages=0 - Administrator images will be displayed in GUI (default) HideLEImages=1 - Administrator images will not be displayed in the GUI 4. You can limit the users from accessing the Windows Rapid Restore GUI. Rapid Restore Ultra provides a method to specify one Windows group that can access the GUI. To specify the group that you would like to grant access to the RRU GUI add the key GUIGroup=<group name> to the [RapidRestore] section of \rrpcgui\RR.INI. This key can only be used if RunAsService option in file \INSTALL.INI option was set to 1 before Rapid Restore install (see Custom settings in \INSTALL.INI on page 43). If you want to hide the GUI from all users, add the line GUIGroup=none (this assumes none is not a valid group on the system). If you want the Users group to have access to the GUI, add the line GUIGroup=Users. If the GUIGroup setting is not defined, then all users on the system will have access to the Rapid Restore GUI.

Silent install settings


Silent install requires a valid IBM_SERVICE partition (or Hidden Protected Area) made available prior to the installation. See Creation of an IBM_SERVICE partition on page 49 to create an IBM_SERVICE partition. The configuration options needed for silent install are located in files \rrpc\INSTALL.INI and \rrpc\PCREC.TXT. Details of these options are discussed in the following sections while describing various scenarios of deployment. Note that Rapid Restore silent installation with an option to enable backup on a USB drive is not available as of the current release (version 3.01.1).

Full silent install settings


By full silent install, we mean setting the options and running a single command that performs a complete Rapid Restore install, including the creation of the initial backup. To support silent install, change the settings as listed below:
- Modify the ForceOptions entry under the [options] section in the file \rrpc\INSTALL.INI to read ForceOptions=1.
- Add an entry SilentInit=1 in the file \rrpc\PCREC.TXT.

To initiate the one-step full silent install of Rapid Restore, execute the following command (make sure you verify the existence of the IBM_SERVICE partition or HPA before running this command):

<custom location>\setup.exe -s


Two stage silent install settings


Rapid Restore can be installed in two stages. The first stage installs the Windows component of Rapid Restore and the second stage (which can be invoked at a later point in time) creates the base backup image. To configure a two stage silent install, make the following changes:
- Modify the ForceOptions entry under the [options] section to read ForceOptions=1 in the file \rrpc\INSTALL.INI.
- Add an entry DialogMode=Silent under the [options] section in the file \rrpc\INSTALL.INI.
- Add an entry SilentInit=1 in the file \rrpc\PCREC.TXT.

The first stage of installation does not require an IBM_SERVICE partition. However, the second stage requires it.

a. First stage of installation
   To initiate the first stage of the installation, run the command:
   <custom location>\setup.exe -s
   This will install the Windows component of Rapid Restore Ultra.

b. Second stage of installation
   If you do not have a valid IBM_SERVICE partition, you need to create one before continuing with the second stage. To initiate the second stage, either run the program c:\program files\xpoint\pe\regpe.exe or click Start -> Programs -> Access IBM -> IBM Rapid Restore Ultra. This will create the base backup image.

Creation of an IBM_SERVICE partition


For silent installation of Rapid Restore, it is required that a preconfigured IBM_SERVICE partition exist prior to the installation (unless the system has an IBM Hidden Protected Area). At the time this book was written, IBM systems that come with a Hidden Protected Area (HPA) include IBM ThinkPad T40, X31, R40 and ThinkCentre systems. The installation of Rapid Restore will detect the IBM Hidden Protected Area and will automatically create the IBM_SERVICE partition. On pre-HPA IBM systems that have a valid disk-to-disk recovery partition you will need to modify the partition type of the existing IBM_SERVICE partition to qualify for silent install. To do this run the command: bmgr32.exe /us /q in Windows mode and reboot the system after the command completes execution.


Note: bmgr32.exe can be found in a folder or one of the subfolders at <custom location> where you have stored the Rapid Restore custom install files (see 2.4.1, Obtaining the Rapid Restore Ultra for custom install on page 40).

If the system does not have an IBM_SERVICE partition or Hidden Protected Area, there are two methods to create an IBM_SERVICE partition. The first method is to create a boot diskette (or make a bootable CD out of the created boot diskette) and physically boot each system with the diskette/CD to create the IBM_SERVICE partition.

1. Boot diskette method to create the IBM_SERVICE partition:
   a. You will need a donor system which has Rapid Restore Ultra installed. Unzip the contents of SPCreate.zip (see Appendix B, Additional material on page 215) into a temporary directory on that system.
   b. Open a command window and change to that temporary directory. From this location type the following command in the command prompt window:
      make <fdd>
      where <fdd> is replaced with the drive letter of your floppy disk drive.
   c. When the USB boot media creator window opens, select the Boot From Diskette tab and then click Create Boot Diskette as shown in Figure 2-29. A Windows message box stating that the diskette was created will be displayed. Do not remove the diskette at this point. Wait until you are prompted to do so in the DOS command prompt window (when the make batch file returns control back to the command prompt shell).

Figure 2-29 Boot diskette for creating IBM_SERVICE partition

   d. To create the IBM_SERVICE partition, boot from this diskette. The service partition gets created. The IBM_SERVICE partition size is about 305 MB. During installation Rapid Restore Ultra will resize it as required.

2. The second method is to create an IBM_SERVICE partition (using the diskette method discussed above) on the donor system that will be used for deployment of the image build. Rapid Restore Ultra install through image deployment on page 52 discusses in detail deploying Rapid Restore Ultra through an image.

2.4.3 Deployment methods


This section describes the different ways of deploying Rapid Restore Ultra on systems. Rapid Restore Ultra can be deployed as follows:
a. Manual install - see Manual system install on page 51
b. As a part of image deployment - see Rapid Restore Ultra install through image deployment on page 52
c. Remote install - see Remote install on page 54

Manual system install


You can manually install Rapid Restore Ultra with default settings by just running the installable code, or customize the install settings before the manual install.

Unique settings per system
Download (see 2.2, Installing Rapid Restore Ultra on page 15) and run the Rapid Restore Ultra installable code. Follow the onscreen instructions for installation.

Common settings for all systems
To install Rapid Restore with common settings for many systems:
i. Configure custom settings as described in 2.4.2, Customizing Rapid Restore install options on page 42.
ii. Prepare the install package for silent install (see Silent install settings on page 48).
iii. Copy the installation package on to a CD or create a network share to access the installation package on the network.
iv. Install on each client system by running the command:
    setup.exe -s

Rapid Restore Ultra install through image deployment


Rapid Restore Ultra install can be made a part of the image rollout for client systems. For image deployment, we have several options as described below:
- Provide the customized Rapid Restore install package as a part of the image but defer its installation to the user. See Defer Rapid Restore install to post-deployment time on page 52.
- Partially install Rapid Restore as part of image deployment on end user systems and defer the completion of the Rapid Restore install to the user. See Install Rapid Restore but defer base backup to post-deployment on page 52.
- Fully install Rapid Restore Ultra as part of image deployment on end user systems. This case does not require any user action for the Rapid Restore install. In this case, the A0 base backup is a sysprep image. As a result, no incremental backups are possible in this case. See Complete Rapid Restore install with base backup on page 53.

Defer Rapid Restore install to post-deployment time


The process flow of image creation for this option is as follows:
1. Install and configure Windows on the donor system with your applications.
2. Copy the Rapid Restore install files from <custom location> to a directory C:\IBMTOOLS\APPS\RRU3 on the donor system.
3. Extract the files from FullSilentInstallFromDesktop.zip (see Appendix B, Additional material on page 215). Move the extracted files to the respective folder locations as mentioned in the readme.txt of this zip package.
4. Create an IBM_SERVICE partition using the diskette method (see Creation of an IBM_SERVICE partition on page 49).
5. Sysprep Windows and shut down the system. Do not boot back to Windows or you will need to run sysprep again.
6. Create an image of the entire HDD as described in Requirements for imaging with Rapid Restore Ultra on page 55.
7. After deployment of this image on end user systems, the user can initiate the installation of Rapid Restore by clicking on the install icon as mentioned in the readme.txt file of the FullSilentInstallFromDesktop.zip package (see Appendix B, Additional material on page 215).

Install Rapid Restore but defer base backup to post-deployment


The process flow of image creation for this option is as follows:
1. Install and configure Windows on the donor system with your applications.
2. Complete the first stage install of Rapid Restore as described in Two stage silent install settings on page 49.
3. Create an IBM_SERVICE partition using the diskette method (see Creation of an IBM_SERVICE partition on page 49).
4. Sysprep Windows and shut down the system. Do not boot back to Windows or you will need to run sysprep again.
5. Create an image of the entire HDD as described in Requirements for imaging with Rapid Restore Ultra on page 55.
6. After deployment of this image on end user systems, the user can complete the installation of Rapid Restore by initiating the second stage install. To initiate the second stage install, users will have to either run the program c:\program files\xpoint\pe\regpe.exe or click Start -> Programs -> Access IBM -> IBM Rapid Restore Ultra.

Complete Rapid Restore install with base backup


While customizing the Rapid Restore install package, the recommended customization settings are as follows:

Required settings:
- In file \rrpc\INSTALL.INI, set ForceOptions to 1
- In file \rrpc\PCREC.TXT, set BackupSchedule to 1100000 00 00 0000 0 00 00 0000000000 000000000000000
- In file \rrpc\PCREC.TXT, set SilentInit to 1

Suggested settings:
- In file \INSTALL.INI, set RunAsService to 1
- In file \rrpc\PCREC.TXT, set SP_PSA to 2
- In file \rrpcgui\RR.INI, set GUIGroup to none

The process flow of image creation is as follows:
1. Install and configure Windows on the donor system with your applications.
2. Create an IBM_SERVICE partition using the diskette method (see Creation of an IBM_SERVICE partition on page 49).
3. Do a complete silent install of Rapid Restore (see Full silent install settings on page 48). This process will also perform the base backup.
4. This step is optional. Remove the icons related to Rapid Restore from Start -> Access IBM. They are IBM Rapid Restore Ultra, IBM Rapid Restore Enable USB and USB Media Creator.
5. Sysprep Windows and shut down. Do not boot back to Windows or you will need to run sysprep again.
6. Power on the system and press F11. When the Rapid Restore recovery menu is displayed, press F3 to exit to a DOS command line.
7. Capture a new base backup image A0 with the command:
   lastboot.exe /I /NR
   Important note: This command will not insert the proper entries in the image to allow a restore of an incremental backup and should not be used in any situation other than this one.
8. When the image process is complete, power down the system. Create an image of the entire HDD as described in Requirements for imaging with Rapid Restore Ultra on page 55. This image is your deployment image.

Attention: In this scenario, the base backup (A0) is a sysprep image. Rapid Restore Ultra does not support incremental backups if A0 is a sysprep image. For more details see 2.4.5, Rapid Restore Ultra considerations for IT Administrators on page 57.

Remote install
Remote installation can be done provided the client system has a valid IBM_SERVICE partition (or Hidden Protected Area). Refer to Creation of an IBM_SERVICE partition on page 49. Following are the steps to proceed with a remote install:
1. Customize the Rapid Restore settings files (see 2.4.2, Customizing Rapid Restore install options on page 42) as needed.
2. Prepare the Rapid Restore install package for silent install (refer to Silent install settings on page 48).
3. Package the Rapid Restore install files into the delivery package as per your deployment tool requirements. Silent install settings on page 48 describes the command to launch Rapid Restore setup (typically it is executing the command setup.exe -s to start the installation process).

An example of remote install using IBM Director is illustrated in 5.4, Integrating Rapid Restore Ultra with IBM Director on page 189.

Integration with ImageUltra Builder 2.0 Smart Image creation


This is discussed in 5.3, Integrating Rapid Restore with ImageUltra Builder on page 183.


Requirements for imaging with Rapid Restore Ultra


Documented below are the minimum requirements for two popular imaging tools. Your implementation of imaging tools may require more options. In both the imaging tools discussed below, the image must be created for the entire hard disk capturing all partitions.

PowerQuest DeployCenter image


Assuming that the PowerQuest DeployCenter tool PQIMGCTR is installed in the location X:\PQ, the following script files need to be created.

1. X:\PQ\RRUSAVE.TXT

Example 2-2 Script file: X:\PQ\RRUSAVE.TXT
SELECT DRIVE 1          <-- Selects 1st HDD
SELECT PARTITION ALL    <-- Selects all partitions

2. X:\PQ\RRDEPLY.TXT

Example 2-3 Script file: X:\PQ\RRDEPLY.TXT
SELECT DRIVE 1          <-- Selects 1st HDD
DELETE ALL              <-- Deletes all the partitions
SELECT FREESPACE FIRST  <-- Selects 1st free space
SELECT IMAGE ALL        <-- Selects all partitions in image
RESTORE                 <-- Restores the image

Image creation
To initiate the image creation process use the following command:
X:\PQ\PQIMGCTR /CMD=X:\PQ\RRUSAVE.TXT /MBI=1 /IMG=X:\IMAGE.PQI
where
X:\PQ\PQIMGCTR           <-- Image creation program
/CMD=X:\PQ\RRUSAVE.TXT   <-- PowerQuest script file
/MBI=1                   <-- Capture the RRU boot manager
/IMG=X:\IMAGE.PQI        <-- Image file

Image deployment
For image deployment use the following command:
X:\PQ\PQIMGCTR /CMD=X:\PQ\RRDEPLY.TXT /MBR=1 /IMG=X:\IMAGE.PQI
where
X:\PQ\PQIMGCTR           <-- Image creation program
/CMD=X:\PQ\RRDEPLY.TXT   <-- PowerQuest script file
/MBR=1                   <-- Restore the RRU boot manager
/IMG=X:\IMAGE.PQI        <-- Image file

Symantec Ghost image


When creating the Ghost image, the following setting needs to be set: the command line switch -ib (which can also be set through the ghost.ini file) must be used. This ensures that the image also captures Rapid Restore Ultra's Boot Manager. Refer to the documentation provided by Symantec for details on configuring the Ghost tool.

2.4.4 Post deployment management options


This section discusses Rapid Restore management options after deployment.

Modification of RRU settings after installation


In this sub-section we discuss details of modifying PCREC.INI file and RR.INI file.

Modifications to pcrec.ini
There are several settings that can be modified after the installation of Rapid Restore on an end user system. Modifying pcrec.ini requires special attention because the master copy of pcrec.ini resides in the Master Boot Record (MBR). The high level flow for making these changes is as follows:
1. Fetch the pcrec.ini file from the MBR.
2. Edit the pcrec.ini file and save it.
3. Push the pcrec.ini file back to the MBR.

This process can be automated with DOS batch files. The following example gives the process flow for batch file creation (assuming that it runs from the directory c:\program files\xpoint\pe and the user has administrative privilege).

Example 2-4 Batch file flow to modify PCREC.INI
::--------- Step 1) Fetch the PCREC.INI file from MBR ---------
start /WAIT pcrecsa bini -fetch
::--------- Step 2) Modify the PCREC.INI file -----------------
:: Edit the file pcrec.ini here....
::--------- Step 3) Write back the PCREC.INI file to MBR ------
start /WAIT pcrecsa bini -flush


The BackupScheduleMod.zip (see Appendix B, Additional material on page 215) package has a sample script which modifies the scheduled backups time. In this sample, the required modification is put in the file time.mod. The batch file rrutime.bat determines if the Rapid Restore Ultra program and/or service is running on the system and takes steps to stop them. Then the batch file fetches the Master Boot Record copy of PCREC.INI. After the PCREC.INI file is fetched from the MBR, the program RRPCEDIT.exe will merge the contents of time.mod with PCREC.INI. The batch file will then push the modified PCREC.INI file back to the MBR and restart the service if it had been stopped by the batch file. Though the above example illustrates modifying schedule, it can be used to modify many of the PCREC.INI options. To modify any option in PCREC.INI (See Custom settings in \rrpc\PCREC.TXT on page 43 for details of options), place the option(s) in the time.mod file and run the rrutime.bat script.
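The merge step in the flow above (time.mod into the fetched PCREC.INI) and the GUIGroup/RunAsService dependency described under Custom settings in \rrpcgui\RR.INI are both easy to get wrong by hand. The Python below is an added example, not IBM's code and not a description of how RRPCEDIT.exe works internally (the book does not say); it approximates the merge on a constructed INI text and cross-checks the settings rules this chapter states. The [options] and [RapidRestore] section names and all key names come from the chapter; the section that holds RunAsService is not stated, so the check searches every section; the sample file contents are constructed.

```python
"""Added example (not IBM's code): merge a .mod override file into a Rapid Restore
Ultra INI text and cross-check the settings rules this chapter documents.  It only
approximates the time.mod -> PCREC.INI merge step; it is not RRPCEDIT.exe and it
never touches the MBR (fetch and flush stay with pcrecsa)."""
import re
from typing import Dict, List, Tuple

# key=value line; a key may not begin with '[', ';' or '#', so headers and comments never match
_KV = re.compile(r"^\s*([^=;#\[\]\s][^=]*?)\s*=\s*(.*?)\s*$")
_VALID_THROTTLE = {"0", "-1", "-2"}   # Table 2-6


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """{section: {key: value}}; keys before any [header] live under ''.
    Names are lower-cased because Windows INI lookups are case-insensitive."""
    sections: Dict[str, Dict[str, str]] = {"": {}}
    current = ""
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith((";", "#")):
            continue
        if s.startswith("[") and s.endswith("]"):
            current = s[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        m = _KV.match(line)
        if m:
            sections[current][m.group(1).lower()] = m.group(2)
    return sections


def _mod_entries(mod_text: str) -> Dict[str, Tuple[str, str]]:
    """Overrides from a .mod file (one key=value per line); key spelling is kept."""
    entries: Dict[str, Tuple[str, str]] = {}
    for line in mod_text.splitlines():
        m = _KV.match(line)
        if m:
            entries[m.group(1).lower()] = (m.group(1), m.group(2))
    return entries


def merge_mod(ini_text: str, mod_text: str, section: str = "") -> str:
    """Apply mod_text to one section of ini_text (default '': the unsectioned keys
    PCREC.TXT/PCREC.INI use).  Existing keys are rewritten in place, new keys are
    appended at the end of that section, every other line is preserved verbatim."""
    pending = _mod_entries(mod_text)
    target = section.lower()
    out: List[str] = []
    current = ""
    for line in ini_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            if current == target:              # leaving the target section: add new keys
                out.extend(f"{k}={v}" for k, v in pending.values())
                pending.clear()
            current = s[1:-1].strip().lower()
            out.append(line)
            continue
        m = _KV.match(line)
        if current == target and m and m.group(1).lower() in pending:
            out.append(f"{m.group(1)}={pending.pop(m.group(1).lower())[1]}")
        else:
            out.append(line)
    if pending:                                # target section was last, or absent
        if current != target and target:
            out.append(f"[{section}]")
        out.extend(f"{k}={v}" for k, v in pending.values())
    return "\n".join(out) + "\n"


def check_settings(install_ini: str, pcrec_txt: str, rr_ini: str) -> List[str]:
    """Cross-check the three customization files against the rules in this chapter.
    Returns 'error: ...' / 'warning: ...' strings; [] means the package is consistent."""
    inst = parse_ini(install_ini)
    pcrec = parse_ini(pcrec_txt)[""]
    rr = parse_ini(rr_ini).get("rapidrestore", {})
    msgs: List[str] = []

    def inst_key(name: str):
        # the chapter does not pin RunAsService to a section, so search all of them
        return next((sec[name] for sec in inst.values() if name in sec), None)

    if inst.get("options", {}).get("forceoptions") != "1":
        msgs.append("error: INSTALL.INI [options] ForceOptions must be 1 for a silent install")
    if pcrec.get("silentinit") != "1":
        msgs.append("error: PCREC.TXT SilentInit must be 1 for a silent install")
    if "guigroup" in rr and inst_key("runasservice") != "1":
        msgs.append("error: RR.INI GUIGroup only takes effect when INSTALL.INI RunAsService=1")
    throttle = pcrec.get("backupthrottlepriority", "0")
    if throttle not in _VALID_THROTTLE:
        msgs.append(f"error: BackupThrottlePriority={throttle} is not one of 0, -1, -2")
    cnt = pcrec.get("thresholdcbackupcnt", "7")            # default is 7 (2.4.5, item 4)
    if not cnt.isdigit() or int(cnt) <= 2:
        msgs.append(f"warning: ThresholdCBackupCnt={cnt} is too low; B and C backups may both become unusable")
    if pcrec.get("hide_congrat") == "1":
        msgs.append("warning: HIDE_CONGRAT=1 hides the only visible completion indicator; check INITIALIZED=1 in pcrec.ini instead")
    return msgs


def base_backup_complete(pcrec_ini: str) -> bool:
    """True once the installed pcrec.ini carries INITIALIZED=1 (index built, see 2.4.5)."""
    return any(sec.get("initialized") == "1" for sec in parse_ini(pcrec_ini).values())
```

Run check_settings on the three customization files before packaging a silent install, and base_backup_complete on the fetched pcrec.ini when HIDE_CONGRAT=1 has removed the desktop confirmation.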

Modifications to RR.INI
There are several settings that can be modified in file RR.INI. Unlike PCREC.INI these settings can directly be modified in the file RR.INI located at c:\program files\xpoint\pe\skin\RR.INI. To reflect the changes, you will have to reopen the Rapid Restore Ultra GUI.

How to reset the A0 backup


If you have administrative privilege on the system, you can reset the base backup A0 image. Extract the package RedoA0.zip (see Appendix B, Additional material on page 215). It has two different options to redo the base backup.
1. The 1-step process will erase any existing A0 base backup and initiate a new A0 backup. The script file to execute is redoa0.bat.
2. The 2-step process will erase the existing A0 base backup and place a shortcut in the Start menu. The new A0 backup will not be initiated until the user clicks on the shortcut in the Start Menu. The script file to execute for the 2-step process is InstRedoA0.bat.

2.4.5 Rapid Restore Ultra considerations for IT Administrators


1. The IBM Rapid Restore Ultra base backup called A0 (see 2.1.2, Rapid Restore Ultra backup methodology on page 13) should not be a sysprep image if you plan to have incremental backups in Rapid Restore Ultra. If the A0 image was a sysprep image and you have created incremental backups, then restore operations using the incremental backup will fail. This is explained as follows: Sysprep introduces Windows mini-setup into the first boot of a sysprep image. During the restore of an incremental backup, Rapid Restore Ultra expects to see a Windows compatible GINA (Graphical Identification and Authentication). Since a sysprep image does not have a Windows compatible GINA, it is unable to process an incremental restore.

   Note: If there is a need to incorporate a sysprep image as the A0 base backup and still maintain the ability to perform incremental backups on your deployed systems, you will need to build and deploy your image with IBM ImageUltra Builder or use the services offered by the IBM Image Technology Center (IITC).

2. After the creation of the base backup, it is imperative that the system be booted back into Windows for the creation of the index for future backups. If the limited user service is on, this creation will begin once the Windows logon screen is reached. If the limited user service is off, a user with administrative privileges on the local machine must log on and remain logged on during the creation of the index. Confirmation that the index has been created is done in one of two ways. If you have not suppressed the congratulation screen with the option in pcrec.txt, a message will be posted to the desktop advising you that the base backup is complete (see Figure 2-30). Alternatively, you can look for the presence of the key INITIALIZED=1 in the file c:\program files\xpoint\pe\pcrec.ini.

Figure 2-30 Rapid Restore installation complete message

3. Rapid Restore Ultra is an image backup utility and not truly a data backup utility. It is strongly recommended that you continue to use the data backup processes within your organization.

4. If you plan to change the ThresholdCBackupCnt key value, do it judiciously. If the value is set too low (for example, 1 or 2) there is a chance that both incremental backups (B and C type) may become unusable in events such as virus problems. Setting it too high will make the cumulative backup (type B) less useful (it will not have more up-to-date data). The default value for this key is 7. See 2.1.2, Rapid Restore Ultra backup methodology on page 13 for the different backup types.


5. If you use an imaging program with Rapid Restore Ultra, you will need to create your donor image on the smallest hard disk drive that the image will be deployed to. This is because the restore process cannot scale down to hard disk drives smaller than the one the image was created on.

6. Rapid Restore Ultra will assign a drive letter to the IBM_SERVICE partition during installation. That drive letter will be hidden in the My Computer view after the Rapid Restore Ultra installation. Once the drive letter for the IBM_SERVICE partition is assigned, it cannot be changed.

7. Rapid Restore Ultra does not support changes in the drive number of the HDD that the IBM_SERVICE partition is created on. For example, if you create a backup on an IBM ThinkPad that was started while docked and a hard disk drive was in the dock bay at the time of backup, future backup and restore will not work unless the same configuration is reproduced.

8. There are multiple ways to encrypt files in the Windows operating system. The most popular are Windows Encrypted File System (EFS), IBM Client Security Right Click Encryption and IBM Client Security File and Folder Encryption (FFE). Although the backup image file stored in the IBM_SERVICE partition is encrypted, it is important to understand how the data is backed up in incremental backups and how the files appear after an image restore. See Table 2-7 for the encrypted file status in incremental backups.

Table 2-7 Encrypted files status in an incremental backup

Encrypted File System (EFS)
  Limited user service on (RunAsService=1):  in an incremental backup: File not backed up; after restore: File not restored
  Limited user service off (RunAsService=0): in an incremental backup: Unencrypted (logged on user only); after restore: Unencrypted (logged on user only)

File and Folder Encryption (FFE)
  Limited user service on (RunAsService=1):  in an incremental backup: Unencrypted (logged on user only); after restore: Unencrypted (logged on user only)
  Limited user service off (RunAsService=0): in an incremental backup: Unencrypted (logged on user only); after restore: Unencrypted (logged on user only)

Right click encryption
  Limited user service on (RunAsService=1):  in an incremental backup: Encrypted (a); after restore: Encrypted (a)
  Limited user service off (RunAsService=0): in an incremental backup: Encrypted (a); after restore: Encrypted (a)

a. If the file has been decrypted by the end user and then the backup occurs, the file will remain decrypted.


2.5 Rapid Restore Ultra troubleshooting information


Most of the information presented in this section is also available in the Rapid Restore product online help. To access this help from the Rapid Restore GUI console, select Help -> Help Topics -> Troubleshooting. In this section, we describe the troubleshooting information under the following categories:
- 2.5.1, Backup and restore troubleshooting information on page 60
- 2.5.2, Installation troubleshooting on page 61
- 2.5.3, Partition and boot manager troubleshooting tips on page 61
- 2.5.5, Rapid Restore Ultra Frequently Asked Questions (FAQ) on page 63

2.5.1 Backup and restore troubleshooting information


This section lists some of the issues related to backup and restore operations.
Table 2-8 Backup and restore troubleshooting information

Problem: Backup or restore operation is slow
Solution/Explanation: Backup/restore operation performance depends upon the size and type of data being backed up or restored. The backup operation performance can be optimized by performing frequent backups. Running other programs such as an anti-virus program while a backup/restore operation is in progress adversely affects system performance. Do not run any resource intensive programs while Rapid Restore Ultra operations are in progress.

Problem: Scheduling dates on the 29th, 30th or 31st
Solution/Explanation: Rapid Restore Ultra does not allow you to specify a scheduled backup on the 29th, 30th or 31st day of the month, but you can schedule a backup for the end of the month.

Problem: Unable to select the Archive your backups option
Solution/Explanation: The Archive your backups option is not enabled if the system does not have a supported CD-Read/Write drive or it is not configured properly. Note that USB and FireWire CD-R drives are not supported.

Problem: User cannot logon after a restore operation
Solution/Explanation: The system is restored to an older state when this user account would not have existed or the password might have been different. Contact the administrator of your system to create your account again or reset your password.

2.5.2 Installation troubleshooting


This section discusses some issues relating to Rapid Restore Ultra install/uninstall.
Table 2-9 Troubleshooting information about install/uninstall of Rapid Restore

Problem: Rapid Restore Ultra install fails on a system with SCSI drives
Solution/Explanation: IBM Rapid Restore Ultra does not support SCSI drives.

Problem: Unable to upgrade Rapid Restore Ultra
Solution/Explanation: Rapid Restore Ultra cannot be reinstalled over certain previous versions. The earlier version must be uninstalled prior to installing the newer version.

Problem: Rapid Restore Ultra install fails on systems with extended partitions
Solution/Explanation: Rapid Restore Ultra must be installed on the C: drive. Rapid Restore Ultra only supports primary partitions.

Problem: Rapid Restore Ultra install fails with the error message "insufficient space"
Solution/Explanation: Rapid Restore Ultra creates a service partition by resizing the last primary partition and taking the required space for the creation of the service partition (varies from 20% to 40% of total hard drive space). If Rapid Restore Ultra is not able to squeeze out this space from the last primary partition, it throws this error message. Solution: Using partition management tools (like PowerQuest PartitionMagic), restructure the hard disk partitions such that the last primary partition has at least about 40% of the total hard disk space.

2.5.3 Partition and boot manager troubleshooting tips


Tips relating to partition problems:
- Rapid Restore Ultra can only resize primary partitions. A service partition cannot be created on hard disk drives containing four primary partitions or an extended partition.
- If new partitions are added to a drive, Rapid Restore Ultra must be reinstalled. Previous backups will be lost.
- You can only create a service partition on the first hard disk in the system. Backing up to a different hard disk or to a network is only supported in Xpoint Rapid Restore Professional Edition. For details about this product visit http://www.xpoint.com.
- When attempting to write an image to your hard disk using an IBM recovery program or a third party image utility after IBM Rapid Restore Ultra has been installed, a message might display stating that an error was found on your disk due to differing LBA and CHS values. If you are prompted to allow a fix of this error, your Rapid Restore backups and service partition might become inaccessible.
- The following error messages might appear during the installation of Rapid Restore Ultra or while the program is trying to resize an existing service partition:
  The IBM service partition could not be created.
  There is insufficient space on the hard disk.
  To resolve these messages, attempt to clear some space on your hard disk. Another option is to buy Rapid Restore Professional Edition from Xpoint (www.xpoint.com). Rapid Restore Professional Edition provides the option to migrate all of your data from the first disk drive to the second drive so that you can then remove the first drive. During data migration, the new hard drive must be on the same IDE channel as the old hard drive.
- Some disk utilities, such as PartitionMagic, are not compatible with Rapid Restore Ultra because Rapid Restore Ultra locks the IBM service partition, making the partition inaccessible to applications, including PartitionMagic.

2.5.4 Miscellaneous troubleshooting tips


Rapid Restore Ultra responds to the system's power management requests (standby, hibernation, power loss, etc.) in the following manner:

When a Windows mode backup or CD-R Archive is in progress: if the system requests to enter standby/hibernate, Rapid Restore Ultra will stop the backup in progress and allow the power request to proceed. Upon resume, it will record the backup as failed and query the user to run the backup again.

When a Windows mode restore is in progress: the power request will be rejected and the restore will continue.

When a DOS mode backup is in progress: the power request will occur and the user will have to reinitiate the backup.

When a DOS mode restore is in progress: the power request will occur, and the user will have to initiate an F11 restore to return the machine to a stable configuration.

2.5.5 Rapid Restore Ultra Frequently Asked Questions (FAQ)


Table 2-10 Troubleshooting information

Subject: If Rapid Restore Ultra is used to archive the system's entire hard disk to a set of CD-Rs and then the system fails, can the user restore everything to a totally different system and keep working while the failing system is in for repair?
Solution/Explanation: That's correct. If the primary hard disk fails and the user has created the recovery CDs, then the hard disk can be replaced and the recovery CDs will restore the entire system as it was at the time of the archive backup. The user is still responsible for obeying all applicable software licensing agreements.

Subject: Can the backup be done onto a second hard disk on the system instead of a backup on the same hard disk or a CD-R archive?
Solution/Explanation: These features are not available with IBM Rapid Restore Ultra. However, Xpoint Rapid Restore Pro is optimized for the power user and will back up a 'mirror image' of the primary HDD to the second HDD. It also includes the ability to back up and restore databases. Xpoint Rapid Restore Enterprise Edition is optimized for the IT administrator and can manage Rapid Restore Ultra or Rapid Restore Pro client systems by backing them up and restoring them from a central location on the network. These are extensions or upgrades available from Xpoint.

Subject: Can the image be restored without disturbing the data? For example, a user corrupts the operating system and wants to restore it (presumably would need to restore all application software as well). However, the user does not want to destroy his/her files, just the software. Is there a way to do this with Rapid Restore Ultra?
Solution/Explanation: No. Rapid Restore Ultra performs a complete restore. All the data created after the backup will be lost. Recommendation: increase the frequency of the backup operation to minimize data loss.

Subject: What is the default size of the hidden partition that is created?
Solution/Explanation: Rapid Restore Ultra creates a hidden service partition that occupies 20% of the available HDD space. The IT administrator can resize this partition to anywhere between 5% and 40% of the hard drive.

Subject: Which IBM systems are fully supported by Rapid Restore Ultra?
Solution/Explanation: When a customer purchases any IBM client system, IBM Rapid Restore Ultra is included at no charge. All IBM client systems manufactured after 10/1999 are supported. Even if Rapid Restore Ultra is not provided explicitly in the bundle with the IBM system, the user is licensed to use Rapid Restore Ultra on IBM client systems.


Chapter 3. The Access IBM experience


A major source of frustration for users of mobile and desktop computers is not having access to information, help and utilities when needed. Information that is contained on the World Wide Web can be difficult to find and access, and hard copy information is frequently not carried with a mobile system. IBM is addressing this issue by equipping ThinkPad and ThinkCentre computers with a unique one-touch solution including several applications:
Access IBM (refer to 3.2, Access IBM on page 66)
Access Help (refer to 3.3, Access Help on page 76)
Access IBM Predesktop Area (refer to 3.4, Access IBM Predesktop Area on page 78)
Access IBM Message Center (refer to 3.5, Access IBM Message Center on page 87)
You can get to these solutions no matter the state of your computer by pressing the blue Access IBM button (on ThinkPads) or by pressing the Enter key to interrupt boot and using the predesktop area.

Copyright IBM Corp. 2003. All rights reserved.


3.1 Overview
This chapter contains information and instructions on the new Access IBM experience -- an updated help and support application for the Microsoft Windows operating system and the Predesktop Area (a help, recovery, configuration, and diagnostic environment that can be opened even if Microsoft Windows won't.) In addition, with tools and instructions, various aspects of the applications (Access IBM, Access Help, Access IBM Message Center, and Access IBM Predesktop Area) can be tailored to fit your in-house needs.

3.2 Access IBM


Access IBM provides the window into IBM's value provided with the system. Access IBM is displayed to the user when the blue Access IBM button is pressed, or the Desktop icon is clicked. Access IBM makes available to the user information, services, and tools that are both local to the system (i.e., available whether the system is connected to the Internet or disconnected) and remote on IBM's Internet sites. When Access IBM is launched, the user is presented with a Welcome dialog that gives a brief description of the five categories in the Access IBM user interface. See Figure 3-1.


Figure 3-1 Access IBM Welcome window

Access IBM information is categorized into task oriented sections to provide the user with quick access to the subject or function they wish to view or execute.

3.2.1 Access IBM User Interface


In the tool bar header of Access IBM there are five topics that categorize the information in the application. See Figure 3-2.


Figure 3-2 Access IBM topic windows

Learn takes you to a visual map of your computer and other helpful topics.
Configure allows quick access to tools such as Access Connections and Battery MaxiMiser (ThinkPad only).
Protect & Recover takes you through a series of windows to protect and back up your data using Rapid Restore Ultra, secure your computer using passwords and antivirus software, diagnose problems, and restore data using Rapid Restore Ultra.
Get Help & Support allows you to view on-system help and reference, find support information on the Web, and download and update your computer with the latest device drivers.
Stay Current offers solutions and options to keep your software and applications at the latest levels.

Access IBM provides the user an interface to the on-system user's guide, system tools, services, and IBM web sites on the Internet. The Access IBM interface provides links to the Access Help, categorized to help the user find the information they are looking for more easily. At the top center is the Search field, which provides a keyword search into the Access Help index. This search capability provides a major advantage to the customer by making it possible to quickly find problem help or information.

3.2.2 Customizing Access IBM and Access Help


This section details the level of customization that can be achieved with both Access IBM and Access Help.

Advantages of customization
Access IBM and Access Help provide a powerful way to provide help and information to IBM Customers. Access IBM is started by pressing the blue Access IBM button that is prominently displayed on the ThinkPad keyboard, or by clicking on the desktop icon, whenever they need help or information about using their system. Access IBM then provides access to the Access Help, which contains information about using the IBM system, tools, and access to the IBM Internet Sites that provide updated information and help. There are several different possibilities for customization of the Access IBM and Access Help products. Table 3-1 shows the possibilities and advantages to each.
Table 3-1 Modification suggestion table

Option: Full integration of business information with IBM help information.
Access IBM: Modify topics of Access IBM to point to new or different information. Modify web links of Access IBM to point to business specific web sites.
Access Help: Add new chapters and topics (HTML pages) to Access Help. Also some topics can be removed if they are not acceptable to business needs.
Advantage to the business: When the customer selects the Access IBM button they will get information about their system as well as information about the business. The search field on the Access IBM interface will search system and business information. The web links will point to business appropriate web sites.

Option: Access IBM integration with Access Help topic removal only.
Access IBM: Modify the sections of Access IBM to point to the remaining topics. Any unused categories can point to other programs or web sites. Modify the web links of Access IBM to point to business specific web sites.
Access Help: Remove topics that are not applicable or appropriate to the business environment.
Advantage to the business: When the customer selects the Access IBM button they will get appropriate information about their system. The Search field on the Access IBM interface will search the remaining Access Help information. The web links will point to business appropriate web sites.

Option: Access IBM integration with no Access Help changes.
Access IBM: Modify the web link connections of the Access IBM interface to point to business specific web sites.
Access Help: No changes necessary.
Advantage to the business: The web links will point to business specific web sites, and the customer will still have the power of the Access Help and the search capability.

3.2.3 Customizing Access IBM


IBM provides many customization guides and tools that detail the process of customizing Access IBM and Access Help. The customization guide and tools can be downloaded from http://www.ibm.com/pc/support/site.wss/AIBM-TOOLS.html
These guides include the steps needed to customize the Access Help, and provide the Access IBM Customization tool that can be used to customize the Access IBM interface. You can change the following elements of Access IBM with the customization tool:
The text in the Welcome window that opens when Access IBM is started
The five category names at the top of the interface
The Web links within Access IBM
The text associated with the Web links
Password protection of the application, so only an administrator can enable use of Access IBM
User interface fonts and colors
The color of the background for the Access IBM application
Enabling or disabling application sounds and animations
The Alt-key quick launch keys for the five main topics
You can add and delete content in the interface at will so links to your company's most important information and tools are easily accessed through the interface.

3.2.4 Access IBM Customization Tool


The Access IBM Customization tool is offered by IBM to help in modifying Access IBM to better meet the customers company environment. This tool makes the task of modification easier for a system administrator to manage for the company systems. Changes can be made to one system and broadcast to other systems controlled by an administrator. Figure 3-3 on page 72 shows the company tab of the Access IBM Customization Tool.


Figure 3-3 Access IBM Customization Tool-Company tab

In this tab you can modify the name that will be displayed in the title bar of the Access IBM application. The title bar will display, for example: "Access IBM Customized by ABC Company". If you would like to have the Access IBM application on the system, but not have the user be able to use the application without help from a system administrator or IT technician, it can be password protected. When password protection is enabled the IT engineer can give special instructions in a message to the user on how to proceed, or how to get access to the application. The Menus tab allows the editor to change what Access Help topics, Web links, and application launches are displayed on the Access IBM user interface.


Figure 3-4 Access IBM Customization Tool - Menus Tab

This interface makes it easy for the IT engineer to modify the Access IBM configuration files that contain the user interface information. This configuration data is contained in three files:
machine-specifics.csv
access-config.ini
access-text.ini
These three files make up the configuration of the main user interface of Access IBM. The machine-specifics.csv file can also be modified by using a spreadsheet program such as Microsoft Excel, but the changes will be more easily understood and made through the customization tool.


Figure 3-5 Access IBM Customization Tool - Welcome tab

The customization tool window shown in Figure 3-5 enables you to modify the content of the welcome page that is displayed to the user upon starting Access IBM. This would be done if you change the categories in the Access IBM user interface. The welcome page can be enabled or disabled from this screen or from Access IBM itself.


Figure 3-6 Access IBM Customization Tool - Personalization tab

The Personalization tab allows you to modify the default size of Access IBM when it is started. The size can be set to large for high-resolution screens, low for lower resolution screens, or automatic, which lets Access IBM choose depending on the system settings. You can choose whether to display the Access IBM Message Center icon in the task tray with the Show system tray icon option. When this box is unchecked the user will not receive informative popup messages from Access IBM. The next two check boxes enable the opening animation and startup sound for Access IBM. You may choose to disable these here or from the Access IBM personalization dialog.


Using the font color and background modification you can make it easier for the user to read the information on the Access IBM user interface. Only the default pictures, a black, or a white background are supported at this time.

3.3 Access Help


The Access Help is an online documentation system that provides hardware, software, and support information and help to the end customer. Access Help is based on the Microsoft HTML Help engine included with Microsoft Windows, and therefore can use the power of the Internet browser to bring excellent content to the user, including:
HTML-based content pages containing information about the hardware and software that is a part of the ThinkPad product
Hyperlinks to other topics included in the text
Related topics links in topics
Animations using Macromedia Flash and Shockwave technology to aid the user's understanding beyond what simple words and pictures can show
Links to start software programs that are described as part of the content
Visual map of the system to point out key features of the hardware
Note: See the Access Help Customization Guide for more information on modifying Access Help. The Access Help Customization Guide and tools are available at http://www.ibm.com/pc/support/site.wss/AIBM-TOOLS.html


Figure 3-7 Access Help

Figure 3-7 shows an example of the Access Help interface. Shown in the figure is the main Welcome page. The entire online help document is broken up into topics; some of the major topics are shown in the figure.

3.3.1 Customizing Access Help


The Access Help is compiled to run as an HTML Help system using the BlueSky RoboHelp HTML Edition product (http://www.blue-sky.com/products/) and the Microsoft HTML Help Workshop (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/htmlhelp/html/vsconwhtshw.asp). Using these tools and an HTML editor, the Access Help can be readily customized. The Access Help customization guide will provide assistance and guidelines to help with editing.

3.4 Access IBM Predesktop Area


IBM is changing its disk-to-disk recovery solution to improve customer usability and to further protect important user data. This section presents an overview of the current partition-based disk-to-disk solution. It then provides an in-depth description of the new hidden protected area (HPA) based disk-to-disk solution. Most new IBM computers available in 2003 will come with the HPA-based solution. The hidden protected area, also referred to as Protected Area Runtime Interface Extension Services (PARTIES), enables IBM to provide a disk-based recovery solution that provides greater flexibility and that enhances the security for recovery data, diagnostics and potential future applications. The graphical user interface used to work with the hidden protected area is called the Access IBM Predesktop Area.

3.4.1 Partition-based recovery solutions


Partition-based recovery solutions use a hidden primary partition on the hard drive to store recovery, diagnostics, Rapid Restore Ultra (if it is installed), and data. This hard disk-based recovery is commonly called disk-to-disk. Figure 3-8 illustrates the space used and disk layout on a typical hard drive with a hidden primary partition, called a service partition.

Figure 3-8 Disk Space usage (service partition; user operating system, applications, and free space)


Hard disk-based recovery and diagnostics have many advantages over CD-based recovery solutions. With this recovery solution, a backup system image is always present on your hard drive in the service partition. No additional hardware or software is needed to restore your system, so there is nothing to lose or misplace. Consequently, any necessary waiting time is minimized and, in most cases, no technician is required. To access the recovery image, you simply interrupt the startup process by pressing F11. A disadvantage of a partition-based solution is that it requires the use of a primary partition. This might cause problems for some users because Microsoft Windows operating systems are limited to four primary partitions on each hard disk. Also, a hard disk-based solution must use some hard disk space to store the recovery image.

Hard-disk layout for a partition-based recovery solution


The service partition is simply a bootable area that holds the recovery image, including Rapid Restore Ultra (if it is installed), and all the data needed for a recovery process. Figure 3-9 illustrates the components of a computer using the former partition-based recovery solution.

Figure 3-9 Hard-disk layout for partition-based recovery (disk space used in service partition: recovery and diagnostics applications, system image, device drivers and applications, additional space; core portion of Disk-to-Disk, ImageUltra compatible; C:\ drive: user operating system, applications, and free space)

3.4.2 Hidden protected area based recovery solutions


IBM systems available starting 1Q 2003 use a firmware-secured area of the hard disk known as the hidden protected area (HPA). The HPA is a standard from the ANSI/ATAPI committee (ANSI+NCITS+346-2001) that affords several advantages. With an HPA-based solution, each function can be stored in its own area. This enables each function to be individually protected and accessed. For example, by using an HPA-based recovery format, system diagnostics, Rapid Restore Ultra, or recovery data can each be accessed separately. An HPA-based recovery solution provides a level of flexibility and security that is not available with the partition-based disk-to-disk recovery solution. Simply by separating the data in the hidden protected area, this solution provides greater protection from data loss and unauthorized access. Each of the areas is protected by firmware locking, which effectively hides the area from unauthorized software. As with the partition-based recovery solution, some disk space is needed to store the factory recovery image. The amount of space needed to store the applications and data is based on the system ordered and the number of options. On computers using the HPA-based recovery solution, the total amount of disk space will reflect only the storage space available to the user. The space used by the hidden protected area is subtracted from the total disk space. For example, a 20 GB drive that has a 2 GB HPA will display as an 18 GB drive. To access the contents of the HPA, you simply interrupt the startup process by pressing the Enter key. ThinkPad computer users can also press the Access IBM button to interrupt the startup process. Figure 3-10 illustrates the space used and disk layout on a typical hard drive using the HPA-based recovery solution.

Figure 3-10 HPA disk layout (hidden protected area; service partition; user operating system, applications, and free space)


Hard-disk layout for an HPA-based recovery solution


The hidden protected area is separated into several areas. These areas store the recovery applications, Rapid Restore Ultra (if it is installed), and all the data needed to recover. Note that the Rapid Restore Ultra backup images are not stored in the HPA; they are stored in the hidden service partition. The hard-disk layout of a typical computer with this solution includes the Access IBM Predesktop Area and additional space for storing startup information and security data. Separate areas exist for diagnostics, recovery applications, and recovery data. Figure 3-11 illustrates the components and disk layout of a system using an HPA-based recovery solution.

Figure 3-11 Hard-disk layout for HPA-based recovery (disk space used in HPA: diagnostics, recovery applications, recovery data consisting of system image, device drivers and applications, and additional space; core portion of Disk-to-Disk, ImageUltra compatible; some components are dependent upon the system configuration; service partition: Rapid Restore Ultra backup data; C:\ drive: user operating system, applications, and free space)

3.4.3 Hidden Protected Area main areas


The hidden protected area space is made up of four main areas:
1. HPA header
2. Access IBM Predesktop Area
3. Additional bootable functions areas
4. Data areas
Figure 3-12 provides details about the various sections.


Figure 3-12 HPA main areas (HPA header: BEER (Boot Engineering Extension Record) and DOS; Access IBM Predesktop Area: Access IBM predesktop menu, create diagnostic disks, run diagnostics, recovery to factory contents, restore your backups, service partition code, recovery data; additional bootable areas; data areas: recovery to factory contents, update area; followed on the disk by the service partition and the user operating system, applications, and free space)

HPA header
The HPA header consists of two parts: a boot engineering extension record (BEER) and a directory of services (DOS). For complete details on the hidden protected area, see the ANSI/ATAPI committee document (ANSI+NCITS+346-2001). The HPA header is similar to a partition table. It contains a listing of all the areas in the HPA, along with their sizes.

Access IBM Predesktop Area


The Access IBM Predesktop Area is the main entry point for the user. Press the Enter key during startup to access the Access IBM Predesktop Area. (ThinkPad computer users can also press the blue Access IBM button during startup to access the Access IBM Predesktop Area.) This area presents the user with a number of selections, as shown in Figure 3-13.


Figure 3-13 Access IBM Predesktop area

To select an activity, click the desired task or use the Tab key to highlight the desired task and then press Enter. Each icon represents a separate function which has its own area within the HPA. These functions are performed independently of the operating system. Access to individual functions in the Predesktop Area, or access to the entire Predesktop Area, may be disabled using the Predesktop Administrator Utility available at http://www.ibm.com/pc/support/site.wss/AIBM-TOOLS.html

Additional bootable areas


The hidden protected area enables additional bootable areas to be established. Each bootable area is digitally signed to deter tampering and to prevent viruses. Every time an area is booted its signature is checked. Only validly signed areas are allowed to boot.
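The boot-time signature check described above, as an added example that is not part of this redbook and not IBM's firmware code: a constructed HPA directory of areas, a producer-side signing step, and a boot gate that refuses any area whose signature no longer matches its contents. The Area record layout and the use of Ed25519 are assumptions made for the example; the page does not state the actual signature scheme or the BEER/DOS record format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Area models one bootable area listed in the HPA directory. The page says the
// HPA header lists each area with its size and that every bootable area is
// digitally signed; this record layout and the use of Ed25519 are assumptions
// made for the example, not IBM's actual format or signature scheme.
type Area struct {
	Name      string
	Bootable  bool
	Image     []byte // the area's contents (constructed sample data)
	Signature []byte // signature over Image, produced by SignArea
}

var (
	ErrBadSignature = errors.New("signature check failed: area refused to boot")
	ErrNotBootable  = errors.New("area is not a bootable area")
)

// GenerateAreaKey creates the signing key pair. Only the public key would be
// embedded on the client side (firmware); the private key stays with the
// image producer.
func GenerateAreaKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignArea is the producer-side step: sign the area contents before the area
// is placed in the HPA.
func SignArea(priv ed25519.PrivateKey, a *Area) {
	a.Signature = ed25519.Sign(priv, a.Image)
}

// BootArea models the check the page describes: every time an area is booted
// its signature is verified, and only validly signed areas are allowed to boot.
// Any modification of Image after signing, a missing signature, or a signature
// made with a different key makes the check fail.
func BootArea(pub ed25519.PublicKey, a *Area) error {
	if !a.Bootable {
		return ErrNotBootable
	}
	if len(a.Signature) != ed25519.SignatureSize || !ed25519.Verify(pub, a.Image, a.Signature) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	pub, priv, err := GenerateAreaKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample HPA directory: two bootable areas and one data area.
	areas := []*Area{
		{Name: "Diagnostics", Bootable: true, Image: []byte("diagnostics boot image v1")},
		{Name: "Recovery applications", Bootable: true, Image: []byte("recovery boot image v1")},
		{Name: "Recovery data", Bootable: false, Image: []byte("factory recovery data")},
	}
	for _, a := range areas {
		if a.Bootable {
			SignArea(priv, a)
		}
	}
	// Simulate a modification of the recovery area after it was signed.
	areas[1].Image[0] ^= 0xFF
	for _, a := range areas {
		fmt.Printf("%-22s boot: %v\n", a.Name, BootArea(pub, a))
	}
}
```

The point of the gate is that the decision depends only on the public key held by the firmware and on the bytes actually present on disk at boot time, so a change to the area after signing, whatever its cause, is detected on the next boot rather than silently executed.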


Data areas
Data areas provide storage and additional space for the bootable areas. Data areas store recovery data, flash repair, and Rapid Restore Ultra data (if it is installed). An update area also exists that enables IBM to supply patches and updates to the HPA areas.

3.4.4 Keys used during startup


Depending upon the model and configuration of your IBM system, different keys might be used to interrupt the startup sequence and to access various functions. Table 3-2 lists the keys and functions that are available when the BIOS screen is displayed.
Table 3-2 Keys and functions available from BIOS screen
Key HPA-based recovery configurations HPA no service partition no RRU BIOS: HPA enabled F1 F11 BIOS setup Disabled HPA with service partition with RRU BIOS: HPA enabled BIOS setup RRU (ThinkCentre) Disabled (ThinkPad) Alt boot menu (text mode) Access IBM Predesktop Area System Configuration Partition-based recovery configurations No HPA with service partition BIOS: not HPA-enabled BIOS setup recovery No HPA with service partition BIOS: HPA-enabled No HPA No service partition BIOS: HPA enabled

BIOS setup recovery

BIOS setup Disabled

F12

Alt boot menu (text mode) Access IBM Predesktop Area

Alt boot menu (text mode) Nothing (ThinkPad) BIOS menu (ThinkCentre) Nothing

Alt boot menu (text mode) BIOS Menu

Alt boot menu (text mode) BIOS menu (no recovery choice)

Enter

Access IBM Button (ThinkPad only)

Access IBM Predesktop Area

Access IBM Predesktop Area

BIOS Menu

BIOS menu (no recovery choice)

BIOS Access IBM predesktop security levels


Along with the startup options, the hidden protected area also has some configuration options. The configuration options can be accessed in the BIOS setup screen. Table 3-3 lists the available security settings for the hidden protected area.
Table 3-3 Security settings for HPA
HPA setting: High Security
Locked: Yes
Hidden: Yes
Bootable: Yes
Cloning enabled: Cloning not possible.
Protected from removal: Removal not possible
Support user update: Updates not yet possible
Security level: Highest security
User profile: Security conscious users.

HPA setting: Normal Security (Default), more secure than the current system
Locked: No
Hidden: Yes
Bootable: Yes
Cloning enabled: Cloning possible. Industry tools must be modified to issue clone commands
Protected from removal: IBM provides a tool for removing the HPA, if requested.
Support user update: Updates possible
Security level: Medium security. The HPA can be made visible.
User profile: Manageability conscious users.

HPA setting: Security Disabled
Locked: No
Hidden: No
Bootable: No
Cloning enabled: Cloning possible
Protected from removal: Removal is possible
Support user update: Updates possible
Security level: No security. The entire HPA is open and visible
User profile: Customers who want to clone sector based images

Note:
1. If you are using the high security setting, be sure to verify that the high security mode has been restored in BIOS settings after a service action (for example, replacement of the system board).
2. Do not disable security to remove the hidden protected area. IBM provides a Web tool that can be downloaded from the IBM web site for this purpose. The Security Disabled setting is only intended to be used when creating an image of the drive using a sector-based imaging tool. Security should be restored after the image has been created.

3.4.5 Creating an image of the hard drive


The procedure for creating and delivering an image of the hard drive with an HPA-based system is different than the procedure for creating and delivering an image of the hard disk with a hidden partition. To create an image of a hard disk using an HPA-based system, you must complete the following procedure using IBM-supplied tools and a third party disk-imaging tool, such as PowerQuest DriveImage, Phoenix ImageCast or Symantec Ghost. 1. Ensure that the Access IBM Predesktop Area security level is set to Normal. This is the IBM default setting. 2. Copy the FWBACKUP and FWRESTOR tools from the factory recovery area in the HPA using the following procedure: a. Start the system and press Enter or the Access IBM button during startup. b. Double-click the Recover to Factory Contents icon. The Recovery Menu is displayed. c. Press F3. A command prompt is displayed. d. Change to the A: drive. (This is a virtual diskette drive in the hidden protected area.)

Chapter 3. The Access IBM experience

85

6060ch05.fm

Draft Document for Review September 24, 2003 4:11 pm

e. Change to the recovery directory. The command prompt displays A:\RECOVERY> f. Insert a diskette into the diskette drive, which is mapped as the B: drive. g. Type copy fwbackup.exe b: h. Type copy fwrestor.exe b: i. Eject the disk and turn the system off. j. Follow the directions below for using FWBACKUP and FWRESTOR. 3. Create an image of the hidden protected area using a command prompt to run the FWBACKUP tool. FWBACKUP has the following format: FWBACKUP size=<span file size must be between 25MB and 640MB> file=<Path and name of file set> If you are creating an image of the HPA to a network drive, it must have a drive letter assigned. For example, if you want to store an image of the HPA space to drive D: that is of span size 640MB, the command is FWBACKUP size=640 file=d:\IMGSET The image set consists of files IMGSET.001IMGSET.nnn. 4. Create an image of the main partition using a third party imaging tool to capture first the C: partition, and then the main partition. 5. Restore the hard drive image using the following procedure: a. Make sure the destination hard drive is blank. b. Make sure that the master boot record is deleted and that no partitions exist on the hard disk. c. Run FWRESTOR from a command prompt. FWRESTOR has the following format: FWRESTOR file=<name of span file set> If you are restoring an image of the HPA from a network drive, it must have a drive letter assigned. For example, if you want to restore an image from the D: drive that was created using the above example. The command would be: FWRESTOR file=D:\IMGSET This loads all the files in the image set (IMGSET.001 ... IMGSET.nnn). All of the files in the image set must be in the same subdirectory. d. When this is complete, perform a power cycle. 6. Restore the main partition using the normal procedure of your imaging tool.


7. Restore the security setting to High Security, if this setting was changed in Step 1.

3.5 Access IBM Message Center


The Access IBM Message Center is designed to deliver relevant, system-specific notifications to a user. These messages might be preinstalled on the computer by IBM (local messages), delivered through Access Support from IBM (Web messages), or added to the Message Center later by an IT department or system administrator. The Access IBM Message Center delivers important information about software installed on the computer and about device driver updates. Only messages that apply to the recipient's computer model are displayed.

The Access IBM Message Center program icon resides in the system tray and, when a new message is broadcast, pops up a bubble display to get the attention of the user. Any program can deliver a message through the Message Center as long as the message adheres to the guidelines presented in this section. To open the Message Center, double-click the Message Center icon shown in Figure 3-14.

Figure 3-14 Access IBM Message Center Icon

If there are any messages, they are displayed as shown in Figure 3-15. Otherwise, the Message Center is blank.

Figure 3-15 Message Center


When the icon in the system tray is clicked, a menu is displayed enabling the user to launch Access IBM programs, to view the Message Center, to hide the Access IBM bubble messages, or to exit the Message Center. When a message becomes available, the Message Center alerts the user with a pop-up bubble that displays the title of the new message. The icon in the system tray also changes color to indicate a new message is available. On systems running Windows XP, the Message Center opens when the bubble is clicked. On systems running Windows 2000, the bubble message is minimized when the bubble is clicked.

3.5.1 Local messages vs. Web messages


The Access IBM Message Center delivers two types of messages in the preinstalled environment. The first type is the local message. Local messages are preinstalled on the computer and programmed to display when certain events occur. For example, one message that might get delivered locally is a message reminding the user to use Access IBM. But this message is only delivered if Access IBM is installed on the computer, and it has not been opened two days after the computer is initially used. There are six local messages in the current implementation, but that could change at any time. Local messages do not require an Internet connection. Web messages are delivered through a program called Access Support. To get Web messages, Access Support must be enabled. To enable Access Support, simply click the Preferences button in the Message Center. Figure 3-16 illustrates what the Preferences window will look like if Access Support is installed.

Figure 3-16 Preferences Window

Click the Get IBM support messages for my computer check box to get Web messages. Web messages enable IBM to inform users of useful information that is becoming available. The Message Center automatically filters these messages so that only those messages that apply to your particular machine type and operating system are displayed. For example, a Web message might inform the user that a new device driver is available for their particular machine type. This message will display automatically if Web messages are enabled.

Web messages can also be expanded to include messages about all IBM computer models and operating systems. When you select the Get IBM support messages for my computer check box, the Advanced button is enabled. Click the Advanced button to get messages for other computer models and operating systems. The Advanced Messaging Preferences window is shown in Figure 3-17.

Figure 3-17 Advanced preferences

3.5.2 What a message file contains


The following is an example of what an XML message file might look like:
Example 3-1 Sample XML file

    <?xml version="1.0" encoding="utf-8" standalone="yes"?>
    <message id="aconn.xml">
      <title>Manage all your connections simply!</title>
      <body>Configure multiple network connections and easily switch between them. Gain ultimate PC freedom with the latest in wireless networking.</body>
      <category>Wireless</category>
      <version>1.0</version>
      <language>English</language>
      <locale>AU</locale>
      <machines>all</machines>
      <launch1>
        <text>Start Now</text>
        <app>aibmrun.exe</app>
        <param1>'IBM Access Connections'</param1>
      </launch1>
    </message>

Table 3-4 lists the elements that each Message Center message XML file might contain. The <?xml version="1.0" encoding="utf-8" standalone="yes"?> line should always be at the top of the file. If other languages are used, then the encoding might need to change, but utf-8 should be used otherwise. Every message must be enclosed in the <message id="..."> element and have a unique ID, which is the same as the file name.
Table 3-4 XML message file elements

| Element | Required | Contents | Example |
|---|---|---|---|
| version | No | Version of the Access IBM Message Center | 1.0 |
| title | Yes | Title of the message | Let Access IBM Simplify Your PC Experience |
| body | Yes | Main text of the message | Learn Useful PC Tasks. Click Start now or press the Blue Access IBM Button anytime |
| date_received | No | Date of the message in MM/DD/YYYY format. If left blank, it is filled in with the current date | 08/06/2003 |
| date_expired | No | Date the message expires in MM/DD/YYYY format. The message is deleted after this date | 09/06/2003 |
| url | No | The URL of the website to present to the user | www.ibm.com |
| category | No | The message category | Driver Update |
| language | No | The message language | EN |
| locale | No | The message locale | AU |
| source | No | Program that generated the file | Access Support |
| machines | Yes | The four-digit machine type number(s) that this message applies to. If there are multiple machine types, a comma separates the numbers. If the message applies to every machine, it can be all. The default should be all | 2653,2373 |
| launch1 | No | Contains the next three elements | <launch1><app>c:\windows\notepad.exe</app><text>Notepad</text><param1>c:\filetoopen.txt</param1></launch1> |
| launch1 app | Yes, if a launch1 | The path to the executable file that will be launched | c:\windows\notepad.exe |
| launch1 text | Yes, if a launch1 | Text to display to the user at launch, such as the application name | Notepad |
| launch1 param1 | No | Parameter to pass to the application | c:\filetoopen.txt |
| launch2 | No | Contains the next three elements | <launch2><app>c:\windows\notepad.exe</app><text>Notepad</text><param1>c:\filetoopen.txt</param1></launch2> |
| launch2 app | Yes, if a launch2 | The path to the executable file that will be launched | c:\windows\notepad.exe |
| launch2 text | Yes, if a launch2 | Text to display to the user at launch, such as the application name | Notepad |
| launch2 param1 | No | Parameter to pass to the application | c:\filetoopen.txt |
| launch3 | No | Contains the next three elements | <launch3><app>c:\windows\notepad.exe</app><text>Notepad</text><param1>c:\filetoopen.txt</param1></launch3> |
| launch3 app | Yes, if a launch3 | The path to the executable file that will be launched | c:\windows\notepad.exe |
| launch3 text | Yes, if a launch3 | Text to display to the user at launch, such as the application name | Notepad |
| launch3 param1 | No | Parameter to pass to the application | c:\filetoopen.txt |

3.5.3 Delivering messages of your own


To use the Access IBM Message Center to deliver messages of your own, you must set up a client-server application so that every computer that will receive messages is linked as a client to the server application that will post the messages. This could be a simple client-server application where a client residing on the recipient system queries the server at given intervals for any available messages. You can use sockets or an HTTP protocol to accomplish this. The key is to deliver the message to the correct directory, and in the appropriate format.

To have a message display in the Access IBM Message Center, the message must be placed in the c:\documents and settings\all users\application data\ibm\messages\ directory. This directory changes for other languages and, in rare circumstances, for Microsoft Windows 2000 and XP. This folder is used because it is the common application folder and any user can write to it or read from it. This folder is stored in the path in the registry under the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\CommonAppData. This key refers to the path c:\documents and settings\all users\application data only, but by simply appending \ibm\messages\ to the key the full path to the message directory is provided.

After a client-server application has been set up, the Access IBM Message Center will display local messages, Web messages, and customer messages, as illustrated in Figure 3-18.

Figure 3-18 Customer message flow (local messages, IBM Web messages from Access Support, and customer messages from the IT department all flow into the Message Center)

After an XML message file is placed in the appropriate directory, it might take up to 30 seconds for the Message Center to respond to it, if the Message Center is running. The typical response is a bubble message that pops up and that contains the title of the message. However, if a bubble has popped up in the past hour, the Message Center responds by changing the Message Center system tray icon and by adding flyover text to note that a new message is available. In this way, users are not distracted by too many pop-up messages.

If an XML message is placed in the appropriate directory and the Message Center does not respond at all, then either the XML file is incorrect or the message guidelines were not followed. To verify that the XML file is correct, open it with Microsoft Internet Explorer. The Message Center uses the same XML parser as Internet Explorer, so if Internet Explorer can read the file, the Message Center can read it too. Figure 3-19 illustrates how Microsoft Internet Explorer displays an XML file:


Figure 3-19 XML message in Explorer

After the Message Center has opened and new messages have been displayed, these messages are considered to be read. They are then moved to the Read directory in the c:\documents and settings\all users\IBM\messages\read path.
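The following validator is an added example, not code from the Redbook or from IBM: it checks a message file against the Table 3-4 rules from 3.5.2 (required elements, id equal to the file name, MM/DD/YYYY dates, machine-type list, launch elements) before a client-side agent of the kind described in 3.5.3 writes it into the polled ibm\messages directory. The allowlist of launch directories and the sample message are assumptions constructed for the example; because any program that can write to the common application-data folder can post a message, a launch <app> that is not an absolute path under an approved root is reported for review.

```python
"""Validator for Access IBM Message Center XML files (Table 3-4 rules).
Added example, not part of the Redbook."""
import os
import re
import xml.etree.ElementTree as ET
from datetime import datetime

REQUIRED = ("title", "body", "machines")
OPTIONAL = ("version", "date_received", "date_expired", "url", "category",
            "language", "locale", "source", "launch1", "launch2", "launch3")
DATE_RE = re.compile(r"^\d{2}/\d{2}/\d{4}$")
MACHINES_RE = re.compile(r"^(all|\d{4}(,\d{4})*)$")
# Hypothetical allowlist (assumption, not from the text): any program that can
# write to the common application-data folder can post a message, so a launch
# <app> is only accepted as an absolute path under these roots. A bare name
# such as "aibmrun.exe" is resolved via the search path and is flagged.
ALLOWED_APP_ROOTS = ("c:\\windows\\", "c:\\program files\\ibm\\")


def validate_message(xml_text, file_name):
    """Return a list of problems; an empty list means the file follows Table 3-4."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # same failure mode as Internet Explorer refusing to render the file
        return ["not well-formed XML: %s" % exc]
    if root.tag != "message":
        return ["root element must be <message>"]
    problems = []
    if root.get("id") != file_name:
        problems.append("id %r must equal the file name %r" % (root.get("id"), file_name))
    for tag in REQUIRED:
        if not (root.findtext(tag) or "").strip():
            problems.append("missing required element <%s>" % tag)
    for child in root:
        if child.tag not in REQUIRED + OPTIONAL:
            problems.append("unknown element <%s>" % child.tag)
    for tag in ("date_received", "date_expired"):
        value = (root.findtext(tag) or "").strip()
        if not value:
            continue  # optional; the Message Center fills in date_received itself
        try:
            if not DATE_RE.match(value):
                raise ValueError
            datetime.strptime(value, "%m/%d/%Y")
        except ValueError:
            problems.append("<%s> must be a real MM/DD/YYYY date, got %r" % (tag, value))
    machines = (root.findtext("machines") or "").strip()
    if machines and not MACHINES_RE.match(machines):
        problems.append("<machines> must be 'all' or comma-separated four-digit types")
    for tag in ("launch1", "launch2", "launch3"):
        launch = root.find(tag)
        if launch is None:
            continue
        app = (launch.findtext("app") or "").strip()
        if not app:
            problems.append("<%s> needs an <app> element" % tag)
        elif not app.lower().startswith(ALLOWED_APP_ROOTS):
            problems.append("<%s> app %r is outside the allowed directories" % (tag, app))
        if not (launch.findtext("text") or "").strip():
            problems.append("<%s> needs a <text> element" % tag)
    return problems


def drop_message(xml_text, file_name, directory):
    """Validate, then place the file in the polled ibm\\messages directory via an
    atomic rename so the Message Center never parses a half-written file."""
    problems = validate_message(xml_text, file_name)
    if problems:
        raise ValueError("; ".join(problems))
    os.makedirs(directory, exist_ok=True)
    final = os.path.join(directory, file_name)
    tmp = os.path.join(os.path.dirname(os.path.normpath(directory)), file_name + ".tmp")
    with open(tmp, "w", encoding="utf-8") as fh:
        fh.write(xml_text)
    os.replace(tmp, final)  # staged outside the polled directory until complete
    return final


# Constructed sample (not a real IBM message) that follows every Table 3-4 rule.
GOOD_MESSAGE = """<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<message id="driver.xml">
  <title>Updated display driver available</title>
  <body>A new display driver has been released for your machine type.</body>
  <date_received>08/06/2003</date_received>
  <date_expired>09/06/2003</date_expired>
  <category>Driver Update</category>
  <machines>2653,2373</machines>
  <launch1><app>c:\\windows\\notepad.exe</app><text>Notepad</text></launch1>
</message>
"""

if __name__ == "__main__":
    print(validate_message(GOOD_MESSAGE, "driver.xml"))  # []
```

Running the file as a script prints an empty list for the constructed sample; pass Example 3-1 (with its id attribute quoted) to see its bare "aibmrun.exe" launch reported for review.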

3.6 Summary
The following is a brief summary of the topics discussed in this chapter.

3.6.1 Access IBM


The Access IBM environment combines and provides a help system, called Access Help, and many other links and tools into one convenient interface. Tools and instructions are available to tailor these applications to make them applicable to your business environment. All of IBM's value is accessible from one easy-to-use application.

3.6.2 IBM Hidden Protected Area


A hidden protected area-based service space offers numerous advantages. The Access IBM Predesktop Area provides users with a less confusing and more usable interface, which will reduce the anxiety many users feel when requiring help in a preboot environment. Each function of the Access IBM Predesktop Area has its own reserved space that is separate from the other functions. This provides a level of flexibility and security that previously was not available. Also, limitations caused by the Microsoft Windows operating system are avoided because all four primary partitions are still available for customer use.

Along with the improved security, usability, and flexibility, an HPA-based recovery solution has the advantages of IBM's existing hard disk-based solution. As stated earlier, a hard disk-based recovery solution enables a backup system image to be present on the hard drive in the service partition. No additional hardware or software is needed to restore the system, so there is nothing to lose or misplace. Consequently, any necessary waiting time is minimized and, in most cases, no technician is required.

3.6.3 Access IBM Message Center


The Access IBM Message Center can greatly enhance productivity by providing users with timely notifications and information about the powerful tools that are on their computers. Whether these messages are local messages that are scheduled to be displayed at predetermined events or specific times, Web messages that provide timely information about the latest updates for the computer, or customer messages that broadcast useful company messages, the Access IBM Message Center delivers powerful results. By providing a simple and easy means to notify and educate users about the powerful tools that exist on their systems, the Access IBM Message Center provides information that users need when they need it the most.

3.6.4 Customization
All of these features and applications are customizable to fit your local needs. For more information, go to http://www.ibm.com/pc/support/site.wss/AIBM-TOOLS.html


Chapter 4. Embedded Security Subsystem


As we become increasingly dependent on desktop and mobile PCs (clients) for storage and transmission of important confidential information, security of these important data assets is becoming an increasingly important issue for businesses. Unwanted exposure of this information to the public, competitors or unauthorized users and hackers can prove very costly. Security requirements can vary from customer to customer and even from system to system within a single enterprise. Due to the many configuration possibilities and usage scenarios, the hardware and software components in clients should complement each other to provide progressive, robust levels of security, both locally and across a network. IBM addresses this issue by equipping selected ThinkPad and ThinkCentre computers with built-in cryptographic technologies in both hardware and software that work together to provide a strong level of trust and security in the client PC platform. The IBM solution supports key-management solutions, such as Public Key Infrastructure (PKI), and local file and folder encryption and advanced authentication solutions -- all of which combine to provide strong, secure storage and transmission of electronic information. In this chapter, the following topics are discussed:

Copyright IBM Corp. 2003. All rights reserved.


4.1, IBM Embedded Security Overview on page 98
4.2, Planning: Installation considerations on page 103
4.3, Preparation: Prerequisite instructions on page 106
4.4, Preparation: Installation instructions on page 108
4.5, Implementation: Configuration on page 120
4.6, Implementation: Utilization on page 134
4.7, Usage Scenarios on page 147
4.8, Uninstalling Client Security Software on page 152
4.9, Troubleshooting on page 153

4.1 IBM Embedded Security Overview


This chapter describes the installation, configuration and implementation of the IBM Embedded Security Subsystem. The IBM Embedded Security Subsystem (ESS) consists of:

Embedded Security Chip
IBM Client Security Software (CSS) V5.1

Also covered in this chapter are:

IBM Password Manager (refer to 4.1.3, IBM Client Security Password Manager on page 101 for an overview)
IBM File and Folder Encryption (refer to 4.1.4, File and Folder Encryption (FFE) Utility on page 102 for an overview)
Targus Biometric Fingerprint reader (refer to Targus DEFCON Fingerprint Reader on page 110)

4.1.1 IBM Embedded Security Chip


The IBM Embedded Security Chip is a Trusted Computing Platform Alliance (TCPA) compliant cryptographic microprocessor that is embedded in the system board of the IBM client. The Embedded Security Chip supports:

RSA PKI operations such as encryption for privacy and digital signatures for authentication. The Embedded Security Chip includes EEPROM memory where RSA key pairs are stored. The chip communicates with the main processor of the computer through the Low Pin Count (LPC) bus.
RSA key generation performed by the chip.
Pseudo random number generator in the chip.
RSA operations computed in 200 milliseconds.
All TCPA (TCG) functions defined in specification V1.1.

Note: In April of 2003 the Trusted Computing Platform Alliance (TCPA) evolved into The Trusted Computing Group (TCG). The TCG has adopted existing trusted computing specifications from TCPA. For more information visit http://www.trustedcomputinggroup.org.

4.1.2 IBM Client Security Software


IBM has developed security software specially designed to be used with the Embedded Security Chip. IBM Client Security Software consists of multiple software components that support cryptographic and identification services which strengthen the security of the personal computer.

Administrator Utility - The Administrator Utility provides tools for the administration of the Client Security Software and the Embedded Security Chip, including initialization, configuration and archive and restore functions.
Client Utility - The Client Utility enables the end user to change individual, unique attributes, such as the user's UVM passphrase and enrolled fingerprints.
Support for Microsoft Crypto API (MSCAPI) - Support for Microsoft Crypto API is built into Client Security Software. Defined by Microsoft, Crypto API is the default cryptographic service for Microsoft operating systems and applications.
Support for Public-Key Cryptography Standard #11 (PKCS#11) - Defined by RSA Data Security Inc., PKCS#11 is the cryptographic standard used by Netscape, Entrust and other products.
File and Folder Protection
   Right Click File and Folder Protection: The end user right-clicks a file and selects encrypt or decrypt. Policies can be set to require authentication when the encryption and decryption takes place.
   Transparent or On the Fly Encryption: The end user selects a particular folder to protect. All data saved or created in this directory is automatically encrypted with no additional end user requirements. When a file is selected by the end user to be opened by an application, the decryption happens on the fly, and the file is passed unencrypted into the application. When the user saves the file in the protected folder the contents are automatically encrypted. User authentication for On the Fly encryption takes place after system logon as the client is starting services.


UVM protection for Windows logon and the Client Security screen saver - User Verification Manager (UVM) protection for Windows logon and the Client Security screen saver ensures that only authorized users can gain access to the operating system, using the multiple, configurable authentication methods supported by User Verification Manager.
Support for Lotus Notes - Client Security Software provides User Verification Manager support for tasks performed in Notes that are password protected, such as logging on to Notes or changing the password for a user ID file, replacing the Lotus Notes password prompt with UVM's multiple, configurable authentication mechanisms.
Entrust Ready support for Entrust 6.0 - Client Security Software provides User Verification Manager-controlled embedded hardware protection and advanced authentication support for PKI operations performed by the Entrust Enterprise Desktop Solutions.
http://www.entrust.com/partners/solutions/77.htm
Support for RSA SecurID - Client Security Software provides User Verification Manager-controlled embedded hardware protection and advanced authentication support for generation of software based RSA SecurID authentication passcodes.
http://rsasecurity.agora.com/rsasecured/detail.asp?product_id=1082
Support for Tivoli - Client Security Software was designed to interface with various components of the Tivoli Enterprise software, including:
   Ability to set policy centrally and distribute to clients - Policy can be set for CSS through a Tivoli Access Manager (TAM) plug-in provided by download from the IBM CSS download site. The client system is configured to pull policy from TAM on a timed interval.
   WebSeal integration - WebSeal is a web based authentication method that allows a user to be authenticated through the Internet or intranet. This authentication can be based on certificates and/or username and password. In the case of the certificate, the private key operation can be carried out in the Embedded Security Chip. In the case of user name and password, the IBM CSS Password Manager component can be used to store these values. In either case the end user can be authenticated using the User Verification Manager multi-factor, policy based capabilities. Once the end user is authenticated, the Tivoli Global Sign On product can be used to determine which resources, rights, etc. the user can access.
Wireless support - ESS supports the latest industry standard 802.1x as well as Cisco LEAP through IBM's Access Connections. Learn more about the IBM wireless offering at
http://www.pc.ibm.com/us/wireless/index.html


Support for Checkpoint VPN-1 - IBM's ESS has been Checkpoint OPSEC certified. Private key operations for certificate based operations are carried out in the IBM Embedded Security Chip with the capability to set configurable, multi-factor authentication.
Support for Verisign Personal Trust Agent (PTA) - The Verisign PTA is a core component of the Verisign architecture for managing user credentials. The Verisign PTA leverages the hardware protection of the IBM Embedded Security Chip to perform all private key operations.

4.1.3 IBM Client Security Password Manager


The IBM Client Security Password Manager enables you to manage your sensitive and easy-to-forget login information, such as user IDs, passwords, and other personal information, with IBM Client Security. The IBM Client Security Password Manager stores all information through the IBM Security Chip so that your User Verification Manager user authentication policy controls access to your secure applications and Web sites. This means that rather than having to remember and provide multiple individual passwords (all subject to different rules and expiration dates) you only have to remember one passphrase, provide your fingerprint, provide your proximity badge, or any combination of identification elements.

The IBM Client Security Password Manager enables you to perform the following functions:

Encrypt all stored information through the IBM Embedded Security Chip - The IBM Password Manager automatically encrypts all information through the IBM Embedded Security Chip. This ensures that all your sensitive password information is secured by the IBM Client Security encryption keys.
Transfer user IDs and passwords quickly and easily utilizing a simple type-and-transfer interface - Use the IBM Password Manager type-and-transfer interface to place information directly into the logon dialog of your web browser or application. This helps minimize typing errors and enables you to save all of your information securely through the IBM Embedded Security Chip.
Autokey user IDs and passwords - The IBM Password Manager automates your login process, entering your login information automatically when you access Web sites entered into the IBM Password Manager.
Generate random passwords - The IBM Password Manager enables you to generate random passwords for each Web site or application. This enables you to increase the security of your data because each application will have much more rigorous password protection enabled. Random passwords are far more secure than user-defined passwords because experience indicates that most users use easy-to-remember personal information for passwords that are often relatively easy to crack.
Edit entries using the Password Manager interface - The IBM Password Manager enables you to edit all of your account entries and set up all optional password features in one easy-to-use interface. This makes managing your passwords and personal information quick and easy.
Access Password Manager from the icon tray on your Windows desktop or with a simple keyboard shortcut - The IBM Password Manager icon enables you to have instant access whenever you need to add another application to Password Manager, such as when you are surfing the Web. Each Password Manager function can also be easily accessed by a simple keyboard shortcut. Note: The IBM Password Manager does not support icon tray functionality on computers running the Windows NT operating system. If you are using a Windows NT system, use the keyboard shortcuts.
Archive your login information - Using the Client Security archiving function, the IBM Password Manager enables you to restore your sensitive login information from a Client Security archive to protect against a hard drive or system failure. See the Client Security Software User's Guide for more information on how to archive information.

4.1.4 File and Folder Encryption (FFE) Utility


The IBM File and Folder Encryption Utility, which can be downloaded from the IBM Client Security Web site, enables Client Security Software users to protect sensitive files and folders using the right-click button of their mouse. How the utility protects a file and folder differs depending upon how the file or folder is initially encrypted. Refer to 4.6.4, File and Folder Encryption (FFE) on page 139 to determine which encryption technique you should use to protect your data. IBM Client Security Software must be installed before you install the IBM File and Folder Encryption utility.


Note: File and Folder Encryption is different from the right-click encryption that comes native in the IBM Client Security Software install. You do not need to install File and Folder Encryption unless you are seeking the on-the-fly capability of protecting a folder. The Check Disk utility might run when restarting the operating system after protecting or unprotecting folders. Wait for the system to be checked before using your computer.

4.2 Planning: Installation considerations


The IBM Embedded Security Chip is a cryptographic microprocessor that is embedded on the system board of select ThinkPad and ThinkCentre computers. The chip cannot be retrofitted to existing hardware.

Note: If you try to download and install the software onto a computer that does not contain an IBM Embedded Security Chip, the software will not install or run properly.

4.2.1 Client Security Software


Supported IBM models
Client Security Software is licensed for and supports numerous IBM desktop and notebook computers. For a complete list of supported models, refer to:
http://www.pc.ibm.com/us/security/secdownload.html

Operating systems supported:


Microsoft Windows 2000
Microsoft Windows XP

User Verification Manager (UVM) - aware products


IBM Client Security Software comes with User Verification Manager (UVM) software that enables you to customize authentication for your desktop machine. This first level of policy-based control increases asset protection and the efficiency of password management. User Verification Manager, which is compatible with enterprise-wide security policy programs, enables you to use UVM-aware products, including the following:

Biometrics devices, such as fingerprint readers - User Verification Manager provides a plug-and-play interface for biometrics devices. You must install Client Security Software before you install a User Verification Manager-aware sensor. To use a UVM-aware sensor that is already installed on an IBM client, you must uninstall the UVM-aware sensor, install Client Security Software, and then reinstall the UVM-aware sensor.
Tivoli Access Manager versions 3.8 or 3.9 - User Verification Manager software simplifies and improves policy management by smoothly integrating with a centralized, policy-based access control solution, such as Tivoli Access Manager. User Verification Manager software enforces policy locally whether the system is on the network (desktop) or stands alone, thus creating a single, unified policy model.
Lotus Notes version 4.5 or later - User Verification Manager works with Client Security Software to improve the security of your Lotus Notes logon (Lotus Notes version 4.5 or later).
Entrust Desktop Solutions 5.1, 6.0, or 6.1 - Entrust Desktop Solutions enhances Internet security capabilities so that critical enterprise processes can be moved to the Internet. Entrust Entelligence provides a single security layer that can encompass an enterprise's entire set of enhanced security needs including identification, privacy, verification, and security management.
RSA SecurID Software Token - The RSA SecurID Software Token enables the same seed record that is used in traditional RSA hardware tokens to be embedded on existing user platforms. Consequently, users can authenticate to protected resources by accessing the embedded software instead of having to carry dedicated authentication devices.
Targus fingerprint reader - The Targus fingerprint reader provides a simple, easy interface that enables the security policy to include fingerprint authentication.
Gemplus GemPC400 smart card reader - The Gemplus GemPC400 smart card reader enables the security policy to include smart card authentication, adding an additional layer of security to the standard passphrase protection.

Web Browsers supported


Client Security Software supports the following Web browsers for requesting digital certificates:

Internet Explorer 5.0 or later
Netscape 4.51 to Netscape 7

Cryptographic services
Client Security Software supports the following cryptographic services:

Microsoft CryptoAPI: CryptoAPI is the default cryptographic service for Microsoft operating systems and applications. With built-in CryptoAPI support, Client Security Software enables you to use the cryptographic operations of the IBM Embedded Security Chip when you create digital certificates for Microsoft applications.
PKCS#11: PKCS#11 is the cryptographic standard for Netscape, Entrust, RSA and other products. After you install the IBM Embedded Security Chip PKCS#11 module, you can use the IBM Embedded Security Chip to generate digital certificates for Netscape, Entrust, RSA and other applications that use PKCS#11.

E-mail applications
Client Security Software supports the following application types using secure e-mail:
- e-mail applications that use the Microsoft CryptoAPI for cryptographic operations, such as Outlook Express and Outlook (when used with a supported version of Internet Explorer).
- e-mail applications that use Public Key Cryptographic Standard #11 (PKCS#11) for cryptographic operations, such as Netscape Messenger (when used with a supported version of Netscape).

4.2.2 File and Folder Encryption considerations


The following information might be useful when performing certain file and folder encryption functions.

Drive-letter protection
The IBM FFE utility can be used to encrypt files and folders on the C drive only. This utility does not support encryption on any other hard-disk partition or physical drive.

Deleting protected files and folders
To ensure that no sensitive files or folders are left unprotected in the Recycle Bin, you must use the Shift+Del key combination to delete protected folders and files. The Shift+Del key sequence performs an unconditional delete operation and does not attempt to put deleted files in the Recycle Bin.

Before upgrading from a previous version of the IBM FFE
If you intend to upgrade from a previous version of the IBM FFE utility (version 1.04 or earlier) and you have protected folders on drives other than the C drive, unprotect those folders before you install version 1.05 of the IBM FFE utility. If you need to re-protect those folders after you install version 1.05, move those folders to the C drive and then protect them.

Before uninstalling the IBM FFE utility
Before you uninstall the IBM FFE utility, use the IBM FFE utility to unprotect any files or folders that are currently protected.

4.2.3 IBM Client Security Password Manager


This section contains information about known limitations related to the IBM Client Security Password Manager.
1. The IBM Client Security Password Manager does not support Netscape Navigator. You must use Microsoft Internet Explorer to utilize the functionality of the IBM Password Manager program.
2. The IBM Client Security Password Manager does not support icon tray functionality on computers running the Windows NT operating system. If you are using a Windows NT system, use the keyboard shortcuts.

4.3 Preparation: Prerequisite instructions


Downloading the software
All files required for the installation of Client Security Software, File and Folder Encryption and Client Security Password Manager are available to download from the http://www.pc.ibm.com/us/security/secdownload.html IBM Web site. The Web site provides the specific model number information that helps you ensure that your system has the IBM Embedded Security Chip, and whether your system is TCPA compliant or not. It will also inform you if you need to use the latest SMbus driver.

Registration form
When you download the software, you must complete a registration form and questionnaire, and agree to the license terms. Follow the instructions that are provided at the Web site to download the software. The installation files for Client Security Software are included within the self-extracting file. The version used in this Redbook was csec51.exe.

Export regulations
Client Security Software contains encryption code that can be downloaded within North America and internationally. If you live in a country where downloading encryption software from a Web site in the United States is prohibited, you cannot download Client Security Software.

4.3.1 Before installing the software


The installation program installs Client Security Software on the IBM client and enables the IBM Embedded Security Chip; however, installation specifics vary depending on a number of factors.

Installing on clients running Windows XP and Windows 2000
Windows XP and Windows 2000 users must log on with administrator rights to install Client Security Software.

Installing for use with Tivoli Access Manager
If you intend to use Tivoli Access Manager to control the authentication requirements for your computer, you must install some Tivoli Access Manager components before you install Client Security Software. For details, see Using Client Security with Tivoli Access Manager.

Startup feature considerations
Two IBM startup features might affect the way that you enable the security subsystem (Embedded Security Chip) and generate hardware encryption keys. These features are the administrator password and Enhanced Security.

Administrator password (NetVista)
Administrator passwords prevent unauthorized persons from changing the configuration settings of an IBM computer. These passwords are set using the Configuration/Setup Utility program, which is accessed by pressing F1 during the system startup sequence.

Supervisor password (ThinkPad)
Supervisor passwords prevent unauthorized persons from changing the configuration settings of an IBM ThinkPad computer. These passwords are set using the IBM BIOS Setup Utility program, which is accessed by pressing F1 during the system startup sequence.

Enhanced Security
Enhanced Security provides extra protection for your administrator password, as well as your startup sequence settings. You can find out if Enhanced Security is enabled or disabled by using the Configuration/Setup Utility program, which is accessed by pressing F1 during the system startup sequence. For more information about passwords and Enhanced Security, see the documentation provided with your computer.


4.4 Preparation: Installation instructions


This section contains instructions for installing and upgrading the Client Security Software on IBM clients. This section also contains instructions for uninstalling the software. Be sure that you install IBM Client Security Software prior to installing any of the various utilities that enhance Client Security functionality.

4.4.1 Installing prerequisite device drivers


The following device drivers must be installed before the CSS installation procedure:
- The SM bus device driver
- The LPC bus device driver (for TCPA systems)

Installing the SM Bus device driver


1. From the Windows desktop, click Start -> Run.
2. In the Run field, type d:\directory\CSSmbusDriver.exe, where d:\directory\ is the drive letter and directory where the file is located.
3. Click OK.
4. When the Welcome to the InstallShield Wizard for CSSmbus window opens, click Next.
5. When the Windows Found New Hardware Wizard pops up, accept the recommended default and click Next.
6. When the Windows Found New Hardware Wizard finishes installing, click Finish.
7. If a second Windows Found New Hardware Wizard pops up, accept the recommended default and click Next.
8. When the Windows Found New Hardware Wizard finishes installing, click Finish.
9. At the InstallShield Wizard Complete window, click Finish.

Installing the LPC Bus device driver


1. From the Windows desktop, click Start -> Run.
2. In the Run field, type d:\directory\LPCsetup.exe, where d:\directory\ is the drive letter and directory where the file is located.
3. Click OK.
4. When the Welcome to the InstallShield Wizard for Atmel TPM window opens, click Next.
5. At the InstallShield Wizard Complete window, click Finish.

4.4.2 Installing the IBM Client Security Software


1. From the Windows desktop, click Start -> Run.
2. In the Run field, type d:\directory\csecX_X.exe, where d:\directory\ is the drive letter and directory where the file is located and X is the version number.
3. Click OK.
4. The Welcome to the InstallShield Wizard for the IBM Client Security Software window opens. Click Next.
5. At the InstallShield Wizard License Agreement window, click YES.
6. At the Choose Destination Location window, click Browse to select the Destination Folder you want, then click Next.
7. From the Select Program Folder, choose the Program Folder you would like setup to add program icons to. Click Next.
8. At the InstallShield Wizard Complete window, select Yes to restart and click Finish.
The remaining steps to configure the Client Security Software using the Wizard are covered in 4.5.1, Configuring the IBM Client Security Software on page 121.


Figure 4-1 IBM Client Security Setup Wizard

Note: If you intend to use a fingerprint reader, you must install it before completing the IBM Client Security Setup Wizard shown in Figure 4-1.

Targus DEFCON Fingerprint Reader


In this example we will install a Targus DEFCON Authenticator PC Card Fingerprint Reader. The latest Targus software and driver can be downloaded from http://www.targususa.com/downloads/download.asp
At the IBM Client Security Setup Wizard window (shown in Figure 4-1), click Cancel. When asked if you are sure, click Yes. The remaining steps to configure CSS using the Wizard are covered in 4.5.1, Configuring the IBM Client Security Software on page 121. You may now install the biometric fingerprint reader.


Important: You must install the software and restart your system before connecting the DEFCON Authenticator.

4.4.3 Installing the Targus PC Card Fingerprint Reader


1. From the Windows desktop, click Start -> Run.
2. In the Run field, type d:\directory\install.exe, where d:\directory\ is the drive letter and directory where the install file is located.
Note: It is important that you run the install.exe file and not setup.exe, because the setup.exe file will skip the device type and orientation section of the install.
3. Click OK.
4. The DEFCON Authenticator window opens. Click Next.
5. The sensor device selection window opens. Click on the picture of the sensor device you are using. If you select the PC Card device, you will be asked which PC Card slot you will be using the device in.
6. Click on the green arrow indicating which side of the ThinkPad the PC Card slot is located on.
7. The Welcome to the InstallShield Wizard for the OmniPass window opens. Click Next.
8. At the InstallShield Wizard License Agreement window, click YES.
9. At the Choose Destination Location window, click Browse to select the Destination Folder you want, then click Next.
10. When the message box in Figure 4-2 is displayed, click OK.

Figure 4-2 OmniPass installation for CSS

11. At the setup completed successfully window, click OK.
12. You can now shut down your system, insert your DEFCON Authenticator, and restart. The Windows Found New Hardware Wizard pops up. Accept the recommended default. Click Next.
13. When the Windows Found New Hardware Wizard finishes installing, click Finish.

4.4.4 Installing the IBM Client Security Password Manager


1. From the Windows desktop, click Start -> Run.
2. In the Run field, type d:\directory\pwmgrX_X.exe, where d:\directory\ is the drive letter and directory where the install file is located and X is the version.
3. Click OK.
4. The Welcome to the InstallShield Wizard for IBM Password Manager window opens. Click Next.
5. At the InstallShield Wizard License Agreement window, click YES.
6. At the Choose Destination Location window, click Browse to select the Destination Folder you want, then click Next.
7. At the InstallShield Wizard Complete window, click Finish.

4.4.5 Installing the IBM File and Folder Encryption


Before beginning installation of File and Folder Encryption, review the considerations listed at 4.2.2, File and Folder Encryption considerations on page 105.
1. From the Windows desktop, click Start -> Run.
2. In the Run field, type d:\directory\ffeX_X.exe, where d:\directory\ is the drive letter and directory where the install file is located and X is the version.
3. Click OK.
4. The Welcome to the InstallShield Wizard for IBM File and Folder Encryption window opens. Click Next.
5. At the InstallShield Wizard License Agreement window, click YES.
6. At the Choose Destination Location window, click Browse to select the Destination Folder you want, then click Next.
7. From the Select Program Folder, choose the Program Folder you would like setup to add program icons to. Click Next.
8. At the InstallShield Wizard Complete window, click Finish.
9. When prompted to reboot your system, click OK.


4.4.6 Performing an unattended installation


An unattended installation enables an administrator to install Client Security Software on a remote IBM client without having to physically go to the client computer. Before you begin an unattended installation, read 4.3.1, Before installing the software on page 107. No error messages are displayed during unattended installations. If an unattended installation ends prematurely, you must perform an attended installation to view any error messages that might be displayed.

Note: Users must log on with administrator user rights to install Client Security Software.

For complete information on how to perform an unattended installation, complete the following procedure. In addition, see the Client Security Software Installation Guide available on the http://www.pc.ibm.com/us/security/secdownload.html IBM Web site.

Mass deployment
Mass deployment enables security administrators to initiate security policies on multiple computers simultaneously. This makes it easier to manage and deploy security measures and helps ensure that the correct security policies are implemented. The following device drivers must be installed before completing the mass deployment procedure:
- The SM bus device driver (see Installing the SM Bus device driver on page 108)
- The LPC bus device driver (for TCPA systems) (see Installing the LPC Bus device driver on page 108)
There are two major steps to a mass deployment:
- Mass installation
- Mass configuration
Performing a mass installation and mass configuration at two different times is supported. For example, some installations may prefer to do the mass install at rollout time, but may not want to configure or start using the Embedded Security Subsystem until a later date, perhaps when they have a full security policy decided on or an installation of Tivoli Access Manager completed. In addition, it is possible (and more likely) that a customer would go back to the mass installed and mass configured systems at a later date using the mass configuration option over the life of the systems when the security policy changes from time to time.


Mass installation
You must perform an unattended installation to install IBM Client Security Software on a multitude of clients simultaneously. You must use the unattended installation parameter (see step 5 below) when initiating a mass deployment. To initiate a mass installation, complete the following procedure:
1. Create the CSS.ini file. The CSS.ini file is a response file used during mass configuration. This step is only required if you intend to perform a mass configuration. The CSS.ini file contains all the configuration options you would go through if setting up the CSS software manually, for example user names, location of the keys, and so on. The CSS.ini file must be created in the same directory that the install files are in.
2. Extract the contents of the CSS installation package with Winzip using folder names.
3. Edit the szIniPath and szDir entries in the setup.iss file. The szDir entry is required for a mass installation and mass configuration. The szIniPath parameter is only required if you intend to perform a mass configuration. The full contents of this file are listed below in Example 4-1.
4. Copy the files to the target system.
5. Create the setup -s command-line statement. The -s parameter indicates an unattended installation. This command-line statement should be run from the desktop of a user who has administrator rights. The StartUp program group or the Run key is a good place to do this.
6. Remove the command-line statement on the next boot.
An example of the contents of the setup.iss file is listed below with a few descriptions:

Example 4-1 setup.iss file
[InstallShield Silent]
Version=v6.00.000
File=Response File
szIniPath=d:\csssetup.ini
(The above parameter is the name and location of the .ini file, which is required for mass configuration. If this is a network drive, it must be mapped. When a mass configuration is not being used with a silent installation, remove this entry.)
[FileTransfer]
OverwrittenReadOnly=NoToAll
[{7BD2CFF6-B037-47D6-A76B-D941EE13AD96}-DlgOrder]
Dlg0={7BD2CFF6-B037-47D6-A76B-D941EE13AD96}-SdLicense-0
Count=4
Dlg1={7BD2CFF6-B037-47D6-A76B-D941EE13AD96}-SdAskDestPath-0
Dlg2={7BD2CFF6-B037-47D6-A76B-D941EE13AD96}-SdSelectFolder-0
Dlg3={7BD2CFF6-B037-47D6-A76B-D941EE13AD96}-SdFinishReboot-0
[{7BD2CFF6-B037-47D6-A76B-D941EE13AD96}-SdLicense-0]
Result=1
[{7BD2CFF6-B037-47D6-A76B-D941EE13AD96}-SdAskDestPath-0]
szDir=C:\Program Files\IBM\Security
(The above parameter is the directory used to install Client Security. It must be local to the computer.)
Result=1
[{7BD2CFF6-B037-47D6-A76B-D941EE13AD96}-SdSelectFolder-0]
szFolder=IBM Client Security Software
(The above parameter is the program group for Client Security.)
Result=1
[Application]
Name=Client Security
Version=5.00.002f
Company=IBM
Lang=0009
[{7BD2CFF6-B037-47D6-A76B-D941EE13AD96}-SdFinishReboot-0]
Result=6
BootOption=

Mass configuration
The following file is also essential when initiating a mass configuration. The file can be named anything, as long as it has a .ini extension. This file can be created and distributed with the mass installation process, or it can be created and configured on any system and then distributed to all systems and used just for a mass configuration. Below is how the file should look. Each parameter must be on a separate line; the indented description following each parameter is not to be included in the file. The following command runs this file from the command line when the mass configuration is not done along with a mass installation:
<CSS installation folder>\acamucli /ccf:c:\csec.ini
c:\csec.ini is the name of the mass configuration .ini file for our example.
Note: If any files or paths are on a network drive, the drive must be mapped to a letter.

[CSSSetup]
    Section header for CSS setup.
suppw=bootup
    Administrator/Supervisor password. Leave blank if not required.
hwpw=11111111
    CSS hardware password. Must be eight characters. Always required. Must be correct if the hardware password has already been set.
newkp=1
    1 to generate a new admin key pair, 0 to use an existing admin key pair.
keysplit=1
    When newkp is 1, this determines the number of private key components. Note: If the existing key pair uses multiple private key parts, all private key parts must be stored in the same directory.
kpl=c:\jgk
    Location of the admin key pair when newkp is 1. If this is a network drive, it must be mapped.
kal=c:\jgk\archive
    Location of the user key archive. If this is a network drive, it must be mapped.
pub=c:\jk\admin.key
    Location of the admin public key when using an existing admin key pair. If this is a network drive, it must be mapped.
pri=c:\jk\private1.key
    Location of the admin private key when using an existing admin key pair. If this is a network drive, it must be mapped.
clean=0
    1 to delete the .ini file after initialization. 0 to leave the .ini file after initialization.
[UVMEnrollment]
    Section header for user enrollment.
enrollall=0
    1 to enroll all local user accounts in User Verification Manager, 0 to enroll specific user accounts in UVM.
defaultuvmpw=top
    When enrollall is 1, this will be the User Verification Manager passphrase for all users.
defaultwinpw=down
    When enrollall is 1, this will be the Windows password registered with User Verification Manager for all users.
enrollusers=2
    When enrollall is 0, this is the number of users that will be enrolled in User Verification Manager.
user1=joseph
    Enumerate the users to be enrolled, starting with 1. User names must be the account names. To get the actual account name on XP: 1. Start Computer Management (Device Manager). 2. Expand the Local Users and Groups node. 3. Open the Users folder. The items listed in the Name column are the account names.
user1uvmpw=chrome
    User Verification Manager passphrase for each enumerated user, starting with 1.
user1winpw=spinning
    Windows password registered with UVM for each enumerated user, starting with 1.
user1domain=0
    0 to indicate that this account is local. 1 to indicate that this account is on the domain.
user2=hallie
user2uvmpw=left
user2winpw=right
user2domain=0
[UVMAppConfig]
    Section header for UVM-aware application setup and UVM-aware module setup.
uvmlogon=0
    1 to use UVM logon protection, 0 to use Windows logon.
entrust=0
    1 to use UVM for Entrust authentication, 0 to use Entrust authentication.
notes=0
    1 to use UVM protection for Lotus Notes, 0 to use Notes password protection.
passman=0
    1 to use Password Manager, 0 to not use Password Manager.
folderprotect=0
    1 to use File and Folder Encryption, 0 to not use File and Folder Encryption.
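Because no error messages are shown during an unattended installation, a mistake in setup.iss or in the mass configuration .ini file is only discovered after the rollout. The following Python script, an added example that is not part of this Redbook and not IBM tooling, checks a deployment package before it is distributed: it parses setup.iss and the mass configuration file and reports breaches of the rules stated above (szIniPath and szDir must be on a drive letter rather than a UNC path, hwpw must be exactly eight characters, with enrollall=0 the enrollusers count must match the userN entries, userNdomain must be 0 or 1) and applies the User Verification Manager passphrase rules listed in 4.5.1 to each userNuvmpw value. The sample file contents, the file names, and the reading of "not contain more than 2 repeated characters" as no character three times in a row are assumptions; the drive-letter test rejects UNC paths but cannot tell a mapped network drive from a local disk.

```python
"""Pre-deployment checks for a CSS mass-deployment package (added example,
not IBM's tooling). It parses setup.iss and the mass-configuration .ini and
reports breaches of the rules the text states for them, including the UVM
passphrase rules from 4.5.1 applied to each userNuvmpw value."""
import configparser
import re

# Constructed sample files, not the book's own. szDir is deliberately a UNC
# path, hwpw is a character short, enrollusers overstates the entries and
# user2 breaks several rules, so every check fires at least once.
SETUP_ISS = """
[InstallShield Silent]
szIniPath=d:\\csssetup.ini
[{7BD2CFF6-B037-47D6-A76B-D941EE13AD96}-SdAskDestPath-0]
szDir=\\\\fileserver\\css
Result=1
"""
CSEC_INI = """
[CSSSetup]
hwpw=1234567
kpl=c:\\keys
kal=\\\\fileserver\\archive
[UVMEnrollment]
enrollall=0
enrollusers=3
user1=joseph
user1uvmpw=copper7kettle
user1domain=0
user2=hallie
user2uvmpw=2hallie
user2domain=2
"""
# Starts with a drive letter: rejects UNC paths such as \\server\share but
# cannot tell a mapped network drive from a local disk.
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")

def load_ini(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case (szDir, szIniPath)
    cp.read_string(text)
    return cp

def passphrase_violations(passphrase, user_id):
    """Rules from 4.5.1; 'not more than 2 repeated characters' is read as
    no character repeated more than twice in a row (an assumption)."""
    problems = []
    if len(passphrase) < 6:
        problems.append("shorter than 6 characters")
    if not any(c.isdigit() for c in passphrase):
        problems.append("no digit")
    if re.search(r"(.)\1\1", passphrase):
        problems.append("a character repeated more than twice in a row")
    if passphrase[:1].isdigit():
        problems.append("starts with a digit")
    if passphrase[-1:].isdigit():
        problems.append("ends with a digit")
    if user_id and user_id.lower() in passphrase.lower():
        problems.append("contains the user ID")
    return problems

def check_setup_iss(cp):
    """szIniPath must be a mapped drive letter; szDir must not be UNC."""
    problems = []
    ini_path = cp.get("InstallShield Silent", "szIniPath", fallback="")
    if ini_path and not DRIVE_PATH.match(ini_path):
        problems.append(f"szIniPath {ini_path!r} is not on a mapped drive letter")
    for section in cp.sections():
        if section.endswith("-SdAskDestPath-0"):
            sz_dir = cp.get(section, "szDir", fallback="")
            if not DRIVE_PATH.match(sz_dir):
                problems.append(f"szDir {sz_dir!r} must be a local drive-letter path")
    return problems

def check_csec_ini(cp):
    """Rules given with the mass-configuration file description."""
    problems = []
    hwpw = cp.get("CSSSetup", "hwpw", fallback="")
    if len(hwpw) != 8:
        problems.append(f"hwpw has {len(hwpw)} characters, must be exactly 8")
    for key in ("kpl", "kal", "pub", "pri"):
        value = cp.get("CSSSetup", key, fallback="")
        if value and not DRIVE_PATH.match(value):
            problems.append(f"{key}={value!r} must be on a mapped drive letter")
    if not cp.has_section("UVMEnrollment"):
        return problems
    enroll = cp["UVMEnrollment"]
    if enroll.get("enrollall", "0") == "0":
        users = [k for k in enroll if re.fullmatch(r"user\d+", k)]
        declared = int(enroll.get("enrollusers", "0"))
        if declared != len(users):
            problems.append(f"enrollusers={declared} but {len(users)} userN entries")
        for key in users:
            name = enroll[key]
            for p in passphrase_violations(enroll.get(key + "uvmpw", ""), name):
                problems.append(f"{key}uvmpw for {name}: {p}")
            if enroll.get(key + "domain", "0") not in ("0", "1"):
                problems.append(f"{key}domain must be 0 or 1")
    return problems

def run_checks(setup_iss=SETUP_ISS, csec_ini=CSEC_INI):
    """Return {file name: [problems]}; empty lists mean the file passed."""
    return {"setup.iss": check_setup_iss(load_ini(setup_iss)),
            "csec.ini": check_csec_ini(load_ini(csec_ini))}
```

Call run_checks() with the contents of your own files; an empty list for a file means it passed. Note that the illustrative passphrases in the listing above (chrome, left) contain no digit and would be reported against the 4.5.1 rules, so run the check against the real file rather than the sample.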

4.4.7 Upgrading your version of Client Security Software


Clients that have installed versions of Client Security prior to Version 5.0 should update their software to Client Security Software Version 5.1 to take advantage of new Client Security features.

Important: Trusted Computing Platform Alliance systems that had IBM Client Security Software Version 4.0x installed must clear the chip before installing IBM Client Security Software Version 5.1. Failure to do so might result in an installation failure or non-responsive software. Also, if you are upgrading from a version prior to Client Security Software 5.0, you must decrypt all encrypted files before installing Client Security Software 5.1. Client Security Software 5.1 cannot decrypt files that were encrypted using versions prior to Client Security Software 5.0 because of changes in its file encryption implementation.

Upgrading using new security data


If you would like to completely remove Client Security Software and start over, complete the following procedure:
1. Uninstall your previous version of Client Security Software using the Control Panel Add/Remove Programs applet.
2. Reboot the system.
3. Clear the IBM Embedded Security Chip in the BIOS utility. Reboot your system.
4. Install Client Security Software Release 5.1 and configure it using the IBM Client Security Software Setup Wizard.

Upgrading using existing security data


If you would like to upgrade from a release of Client Security Software prior to Version 5.0 using your existing security data, complete the following procedure:
1. Update your archive by completing the following steps:
   a. Click Start -> Programs -> Access IBM -> IBM Client Security Software -> Client Utility.
   b. Click the Update Archive button to ensure that your backup information is updated. Note the archive directory.
   c. Exit the IBM Client Security Software Client Utility.
2. Remove the existing version of Client Security Software by completing the following steps:
   a. Locate the Administrator public and private keys that were created when you configured your previous version of Client Security Software.
   b. Click Start -> Settings -> Control Panel -> Add/Remove Programs and select to remove IBM Client Security Software.
   c. Select No when prompted for reboot.
   d. Shut down the system.
3. Clear the Embedded Security Chip by completing the following steps:
   a. Power on the system.
   b. Press F1 to enter the BIOS Setup utility.
   c. Go to Security Chip settings, and clear the security chip.
   d. Exit the BIOS Setup utility. The system will continue its reboot.
4. Run the Client Security Software Version 5.0 installation program.
5. Reboot when prompted.
Important: After reboot, the Client Security Software Setup Wizard will automatically launch. Do NOT run the Setup Wizard.
6. Press Cancel to exit the Setup Wizard.


7. Temporarily back up the default security policy by completing the following steps:
   a. Using Windows Explorer, go to the IBM Client Security Software install directory (default is c:\program files\ibm\security).
   b. Right-click the UVM_Policy folder and select Copy.
   c. Right-click on the Windows desktop and click Paste. This will create a temporary backup on the Windows desktop.
Note: Your existing security policy settings will be replaced with new defaults.
8. Restore settings from IBM Client Security Software Version 4.0x by completing the following steps:
   a. Click Start -> Settings -> Control Panel -> IBM Client Security Subsystem. The IBM Client Security Software Administrator Utility main screen is displayed.
   b. Click the Key Configuration button.
   c. Select Yes to restore keys from the key archive.
9. Provide the location of the previous archive directory.
10. Provide the location of the Administrator public and private key files you created in the previous release. You will be notified that your archive will be updated for the new release.
11. Click OK.
12. Provide the location to create new Administrator keys. Be sure to create the keys in a location different from the location of your existing Administrator keys. If you have Administrator keys you already created for Release 5.0 on another system, you can select Use an existing CSS Archive keypair and provide the location of the existing keys.
13. Click Next. Your archive will be converted and restored.
14. Exit the application when finished.
15. Restore policy settings by completing the following steps:
   a. Using Windows Explorer, go to the IBM Client Security Software install directory (default is c:\program files\ibm\security).
   b. Using the left mouse button, drag the UVM_Policy folder from the desktop to the IBM Client Security Software install directory.
   c. Click Yes to all warning messages.


Your security data has now been migrated to Client Security Software Release 5.0.
Note: If you previously changed your security policy in Client Security Software Version 4.0x, you might want to resubmit your security policy settings by completing the following steps:
1. Click Start -> Settings -> Control Panel -> IBM Client Security Subsystem.
2. Click the Configure Application Support and Policies button.
3. Click the Application Policy button.
4. Click the Edit Policy button.

Upgrading from Release 5.x using existing security data


If you would like to upgrade from Client Security Software Version 5.0 to later versions of the software using your existing security data, complete the following procedure:
1. Update your archive by completing the following steps:
   a. Click Start -> Programs -> Access IBM -> IBM Client Security Software -> Modify Your Security Settings.
   b. Click the Update Archive button to ensure that your backup information is updated. Note the archive directory.
   c. Exit the IBM Client Security Software User Configuration Utility.
2. Remove the existing version of Client Security Software by completing the following steps:
   a. Locate the Administrator public and private keys that were created when you configured your previous version of Client Security Software.
   b. Run csec51.exe.
   c. Select Upgrade.
   d. Reboot the system.

4.5 Implementation: Configuration


The following section discusses how to configure the various elements of the ESS solution outlined in this chapter.


4.5.1 Configuring the IBM Client Security Software


After installing the IBM Client Security Software and any biometric authentication devices that you wish to use, the next step is to configure the Client Security Software. This is a five-step process which this section will guide you through. At the IBM Client Security Wizard window shown in Figure 4-1 on page 110, click Next.
1. The first step is to enter the Security Administrator Password in the box provided. This password must be exactly 8 characters long. Re-enter the password to confirm in the box provided. Click Next.
Definition: The Security Administrator Password is used to control access to the IBM Client Security Administration Utility. Each time the Administration Utility is opened, the user must enter the Administrator password before they can continue.
2. The next step is the Create Administrator Security Keys page. See Figure 4-3. This is where you can create the Administrator Security Keys for the system, or import an existing set. It is recommended that both the Administrator Security Keys and the backup keys be kept on a removable disk or drive. For extra security you can split the Administrator Security Keys to a maximum of 5 times. When you have finished entering your Security Keys location, click Next.
Definition: The Administrator Security Keys are a set of digital keys that are stored in a computer file in the archive location. When a change to the security policy is made in the Security Administrator Utility, you will be prompted for this file to prove that the policy change is authorized. The archive location is encrypted with the archive key pair, and in the event of a planar failure an administrator would need to recover the keys.


Figure 4-3 Administrator Security Keys

3. Next is the Protect Applications with IBM Client Security page. See Figure 4-4. This is where you can select the applications that you wish to protect with the IBM Client Security Software. To protect an application, simply place a check mark in the appropriate check box. When you have made your selection, click Next.


Figure 4-4 IBM Client Security Application selection

After reading the warning screen shown in Figure 4-5, click OK to close.

Figure 4-5 IBM Client Security Logon Warning.


4. The next step is the authorization of users. All users who will use the system must be authorized before they can access the computer. To authorize a user, complete the following steps.

Important: Only authorize user accounts that can be used to log on to the operating system. If a user account that cannot be used to log on to the operating system is authorized, all users will be locked out of the system when User Verification Manager logon protection is enabled.

a. On the IBM Client Security Authorize Users screen (Figure 4-6), select the user you wish to authorize.
b. Click Authorize User >.

Figure 4-6 IBM Client Security User Authorization.


c. At the IBM Client Security Passphrase screen, enter the user's passphrase in the box provided. Ensure that the passphrase rules are met. This is step 1 of a 3 step process.

Definition: The IBM Client Security Passphrase is a long password (up to 256 characters). This passphrase can replace many of the user's other passwords. Users are required to enter their passphrase in order to gain access to the system. The User Verification Manager passphrase must meet the following requirements:
- contain at least 6 characters
- contain at least 1 digit
- not contain more than 2 repeated characters
- not end with a digit
- not start with a digit
- not contain the User ID

d. Step 2 is to set the passphrase expiration rules. See Figure 4-7.

Figure 4-7 Passphrase expiration rules


e. Step 3 is to enter the user's Windows password. Enter the password in the box provided. Click Finish.
f. Click Next to move on to the final step in the set-up process.

5. At the System Security level selection screen (Figure 4-8), slide the selection bar to the desired level of security.

Figure 4-8 Security level selection

Important: Remember to select the Use fingerprint reader radio button if you have installed a biometric fingerprint reading device.

6. Click Next.
7. Review your security settings and click Finish when done.


8. The system will now apply your security settings; this may take several minutes.
9. At the setup completion window, click OK to reboot your system.
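The passphrase rules in step 4c and the 8-character Security Administrator Password rule in step 1 are easy to get wrong when passphrases are chosen by hand, so a check before the wizard is useful. The following Python validator is an added example, not IBM code and not part of Client Security Software: it tests a candidate against the rules exactly as the text lists them. One rule is interpreted: "not contain more than 2 repeated characters" is read here as no run of three or more identical characters in a row (the text does not say whether the count is consecutive or total), and the User ID comparison is case-insensitive because Windows user names are. The sample passphrases and the user ID jsmith are constructed.

```python
"""Validator for the User Verification Manager passphrase rules (step 4c)
and the Security Administrator Password length rule (step 1).
Added example; the rule set is taken from the text, the reading of
"more than 2 repeated characters" as a run of identical characters is an
assumption."""

import re
from typing import List

MAX_PASSPHRASE_LEN = 256   # "up to 256 characters long"
ADMIN_PASSWORD_LEN = 8     # "must be exactly 8 characters long"


def passphrase_violations(passphrase: str, user_id: str) -> List[str]:
    """Return every rule the candidate passphrase breaks (empty list means OK)."""
    problems: List[str] = []
    if len(passphrase) < 6:
        problems.append("fewer than 6 characters")
    if len(passphrase) > MAX_PASSPHRASE_LEN:
        problems.append(f"longer than {MAX_PASSPHRASE_LEN} characters")
    if not any(ch.isdigit() for ch in passphrase):
        problems.append("no digit")
    # ASSUMPTION: a run of three or more identical characters is what the
    # "not more than 2 repeated characters" rule forbids
    if re.search(r"(.)\1\1", passphrase):
        problems.append("more than 2 repeated characters in a row")
    if passphrase[:1].isdigit():
        problems.append("starts with a digit")
    if passphrase[-1:].isdigit():
        problems.append("ends with a digit")
    # Windows user names are case-insensitive, so compare case-insensitively
    if user_id and user_id.lower() in passphrase.lower():
        problems.append("contains the User ID")
    return problems


def passphrase_ok(passphrase: str, user_id: str) -> bool:
    return not passphrase_violations(passphrase, user_id)


def admin_password_ok(password: str) -> bool:
    """Security Administrator Password: exactly 8 characters (step 1)."""
    return len(password) == ADMIN_PASSWORD_LEN


if __name__ == "__main__":
    # Constructed sample candidates for the constructed user ID "jsmith"
    for cand in ["Redb00k-pass", "2short", "redbook1", "ccssoft3x",
                 "aaa1bcd", "Jsmith4ever", "Redbooks!"]:
        print(f"{cand!r:16} -> {passphrase_violations(cand, 'jsmith') or 'OK'}")
```

Run it as a script to see each sample and the rules it breaks; the functions can also be imported by a provisioning script that pre-checks passphrases before an administrator types them into the wizard.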

4.5.2 Modifying your security settings


Before attempting to edit the User Verification Manager policy for the local client, make sure at least one user is authorized to use User Verification Manager. Otherwise, an error message will be displayed when the policy editor attempts to open the local policy file.

After users have been authorized to use User Verification Manager, you must edit and save a security policy for each IBM client. The security policy provided by Client Security Software is called UVM policy, which combines the settings that you provided in 4.5.1, Configuring the IBM Client Security Software on page 121 with authentication requirements at the client level. UVM policy can be used to control the security policy of a local client, or it can be copied to remote clients across a network. The Administrator Utility has a built-in UVM policy editor that you can use to edit and save a UVM policy for a local client.

Tasks performed at the IBM client, such as logging on to the operating system or clearing the screen saver, are called authentication objects, and these objects have authentication requirements assigned to them within UVM policy. For example, you can set UVM policy to require the following:
- Each user must type a User Verification Manager passphrase and provide fingerprint authentication to log on to the operating system.
- Each user must type a User Verification Manager passphrase each time a digital certificate is acquired.

You can also use Tivoli Access Manager to control specific authentication objects as set in UVM policy.

UVM policy sets the requirements for authentication objects for the IBM client, not for the individual user. Therefore, if you set UVM policy to require fingerprint authentication for an object (such as the operating-system logon), each user that is authorized to use User Verification Manager must register a fingerprint to use that object. UVM policy is saved in a file named globalpolicy.gvm.
To use User Verification Manager on remote clients, UVM policy must be saved on one IBM client and then copied to the remote clients. Copying the UVM policy file to remote clients can save you time setting up UVM policy on the remote clients.


Editing the local UVM policy


You edit a local UVM policy and use it only on the client for which it was edited. If you installed Client Security in its default location, the local UVM policy is stored as \Program Files\IBM\Security\UVM_Policy\globalpolicy.gvm. Use the UVM policy editor to edit and save a local UVM policy. Only a user who has been added to User Verification Manager can use the UVM policy editor. The interface for the UVM policy editor is provided in the Administrator Utility.

When you save changes to the UVM policy, a message is displayed that asks for the admin private key. Provide the admin private key and click OK to save your changes. If you provide an incorrect admin private key, your changes will not be saved.

Authentication occurs based on what you select in the policy editor. For example, if you select No passphrase required after 1st used this way for Lotus Notes Logon, the first time you log on to Lotus Notes in a session you will be asked for User Verification Manager authentication. Each time you access Lotus Notes after that, until you reboot or log off, the passphrase is not required.

When you set UVM policy to require fingerprint for an authentication object (such as the operating-system logon), each user that is added to User Verification Manager must have registered their fingerprints to use that object.

While you are editing UVM policy, you can view the policy summary information by clicking UVM Policy Summary. You can also click Apply to save your changes; as with Save, you will be prompted for the admin private key, and an incorrect key means the changes are not saved.

Object Selection
UVM policy objects enable you to establish different security policies for various user actions. Valid UVM objects are specified on the Object Selection tab of the IBM UVM Policy screen in the Administrator Utility. Valid UVM policy objects include the following:

System Logon
This object controls the authentication requirements necessary to log on to the system.

System Unlock
This object controls the authentication requirements necessary to clear the Client Security screen saver.


Lotus Notes Logon
This object controls the authentication requirements necessary to log on to Lotus Notes.

Lotus Notes Change Password
This object controls the authentication requirements necessary to use User Verification Manager to generate a random Lotus Notes password.

Digital Signature (e-mail)
This object controls the authentication requirements necessary when you click the Sign button in Microsoft Outlook or Outlook Express.

Decryption (e-mail)
This object controls the authentication requirements necessary when you click the Decrypt button in Microsoft Outlook or Outlook Express.

File and Folder Protection
This object controls the authentication requirements necessary when right-click encryption and decryption has been selected.

Password Manager
This object controls the authentication requirements necessary when you use the IBM Password Manager, which is available from the IBM Web site. When activated, most users should leave this object set to No passphrase required after 1st used this way.

Netscape - PKCS#11 Logon
This object controls the authentication requirements necessary when a PKCS#11 C_OpenSession call is received by the PKCS#11 module. Most users should leave this object set to No passphrase required after 1st used this way. Note that with this setting, once the first C_OpenSession in a session has been authenticated, later C_OpenSession calls from that session are not prompted again until the user logs off or reboots.

Entrust Logon
This object controls the authentication requirements necessary when Entrust issues a PKCS#11 C_OpenSession call to the PKCS#11 module. Most users should leave this object set to No passphrase required after 1st used this way.

Change Entrust Logon Password
This object controls the authentication requirements necessary to change the Entrust logon password. Entrust does this by issuing a PKCS#11 C_OpenSession call to the PKCS#11 module. Most users should leave this object set to No passphrase required after 1st used this way.

4.5.3 Authentication Elements


UVM policy establishes which of the available authentication elements will be required for each object you enable. This enables you to establish different security policies for various user actions. Authentication elements that can be selected on the Authentication Elements tab of the IBM UVM Policy screen in the Administrator Utility include the following:

Passphrase Selection
This selection enables an administrator to establish that the User Verification Manager passphrase be used to authenticate a user in any of the following three manners:
- A new passphrase required each time.
- No passphrase required after 1st used this way.
- No passphrase required if given at system logon.

Fingerprint Selection
This selection enables an administrator to establish that a fingerprint scan be used to authenticate a user in any of the following three manners:
- A new fingerprint required each time.
- No fingerprint required after 1st used this way.
- No fingerprint required if given at system logon.

Global Fingerprint Settings
This selection enables an administrator to establish a maximum number of authentication retries before the system will lock out a user. This area also enables the administrator to allow fingerprint authentication protection to be overridden with the User Verification Manager passphrase. When override is allowed, the passphrase alone unlocks the object, so the effective strength of that object is the strength of the passphrase.

Smart Card Selection
This selection enables an administrator to require that a smart card be provided as an additional authentication device.

Global Smart Card Settings
This selection enables an administrator to set the policy to allow overrides when the User Verification Manager passphrase is provided.
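The three passphrase and fingerprint modes, the retry limit and the passphrase override interact in ways that are easier to see on a concrete session than in the tab descriptions above. The following Python model is an added example, not IBM code and not the UVM policy engine: it replays a sequence of accesses to the objects named in 4.5.2 under a constructed policy and reports which accesses prompt, which are silent, which are denied, and when the retry limit locks the user out. The object names are the page's; the data structures, the sample policy and the retry limit of 3 are assumptions.

```python
"""Model of how UVM policy decisions play out within one logon session.
Added example; it encodes the three passphrase/fingerprint modes and the
global fingerprint settings described in 4.5.3.  The policy layout and the
sample policy are invented for illustration."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# The three modes offered for both the passphrase and the fingerprint element
EACH_TIME = "each time"          # "A new passphrase/fingerprint required each time"
AFTER_FIRST = "after first use"  # "No ... required after 1st used this way"
IF_AT_LOGON = "if at logon"      # "No ... required if given at system logon"


@dataclass
class ObjectPolicy:
    passphrase: Optional[str] = None   # mode, or None if the element is not required
    fingerprint: Optional[str] = None
    deny: bool = False                 # "Deny all access to selected object"


@dataclass
class GlobalFingerprintSettings:
    max_retries: int = 3               # lockout threshold (the value is an assumption)
    passphrase_override: bool = True   # let the passphrase stand in for a failed scan


@dataclass
class UvmSession:
    """One logon session; the 'used' sets are what makes the modes differ."""
    policy: Dict[str, ObjectPolicy]
    fp: GlobalFingerprintSettings = field(default_factory=GlobalFingerprintSettings)
    logon_object: str = "System Logon"
    used_passphrase: Set[str] = field(default_factory=set)
    used_fingerprint: Set[str] = field(default_factory=set)
    fp_failures: int = 0
    locked_out: bool = False

    def _required(self, mode: Optional[str], obj: str, used: Set[str]) -> bool:
        if mode is None:
            return False
        if mode == EACH_TIME:
            return True
        if mode == AFTER_FIRST:
            return obj not in used
        if mode == IF_AT_LOGON:
            return self.logon_object not in used
        raise ValueError(f"unknown mode {mode!r}")

    def request(self, obj: str, *, passphrase_ok: bool = True,
                fingerprint_ok: bool = True) -> Tuple[str, List[str]]:
        """Evaluate one access to an authentication object.

        Returns (outcome, prompts): prompts lists the elements the user was
        asked for; outcome is granted, denied, rejected or locked out.
        """
        prompts: List[str] = []
        if self.locked_out:
            return "locked out", prompts
        pol = self.policy.get(obj, ObjectPolicy())
        if pol.deny:
            return "denied", prompts

        need_pp = self._required(pol.passphrase, obj, self.used_passphrase)
        if self._required(pol.fingerprint, obj, self.used_fingerprint):
            prompts.append("fingerprint")
            if fingerprint_ok:
                self.fp_failures = 0
                self.used_fingerprint.add(obj)
            else:
                self.fp_failures += 1
                if self.fp_failures >= self.fp.max_retries:
                    self.locked_out = True
                    return "locked out", prompts
                if not self.fp.passphrase_override:
                    return "rejected", prompts
                need_pp = True          # override: the passphrase stands in for the scan

        if need_pp:
            prompts.append("passphrase")
            if not passphrase_ok:
                return "rejected", prompts
            self.used_passphrase.add(obj)
        return "granted", prompts


# Constructed sample policy using the object names from 4.5.2
SAMPLE_POLICY = {
    "System Logon": ObjectPolicy(passphrase=EACH_TIME, fingerprint=EACH_TIME),
    "Lotus Notes Logon": ObjectPolicy(passphrase=AFTER_FIRST),
    "Digital Signature (e-mail)": ObjectPolicy(passphrase=IF_AT_LOGON),
    "Decryption (e-mail)": ObjectPolicy(passphrase=EACH_TIME),
    "Entrust Logon": ObjectPolicy(deny=True),
}


def walk_through() -> List[Tuple[str, str, List[str]]]:
    """Replay a short session and return (object, outcome, prompts) rows."""
    s = UvmSession(SAMPLE_POLICY)
    steps = [
        ("Digital Signature (e-mail)", {}),            # before logon: must prompt
        ("System Logon", {"fingerprint_ok": False}),   # bad scan, passphrase override
        ("Digital Signature (e-mail)", {}),            # covered by the logon passphrase
        ("Lotus Notes Logon", {}),                     # first use: prompt
        ("Lotus Notes Logon", {}),                     # later use: silent
        ("Decryption (e-mail)", {}),                   # each time: prompt
        ("Decryption (e-mail)", {}),
        ("Entrust Logon", {}),                         # denied outright
    ]
    return [(obj, *s.request(obj, **kw)) for obj, kw in steps]


if __name__ == "__main__":
    for obj, outcome, prompts in walk_through():
        print(f"{obj:28} {outcome:10} prompts={prompts}")
```

The point the replay makes is that "after 1st used this way" and "if given at system logon" both turn a prompt into a silent grant for the rest of the session, and that with the override enabled a failed fingerprint still ends in a passphrase prompt rather than a refusal; turn the override off and repeated bad scans reach the lockout instead.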


4.5.4 Registering fingerprints


When UVM policy has been edited to include fingerprint authentication, each user must register fingerprints with User Verification Manager. Fingerprints can be registered in two ways: by an administrator or by the user.

Registering a fingerprint as an administrator


1. From the Control Panel, double-click the IBM Client Security Subsystem icon.
2. Enter the Security Administrator Password that you set in 4.5.1, Configuring the IBM Client Security Software on page 121.
3. In the Windows Users Authorized to use User Verification Manager area, select a user name from the list. Click Edit User.
4. The Modify Client Security Key Configuration - Edit UVM User Attributes window is displayed. Select the Register fingerprint and/or smart card check box and click Next.
5. The UVM Enabled Devices window is displayed. Click Enroll user fingerprints.
6. The Fingerprint Registration window (Figure 4-9) is displayed. In the Select a hand area, click Left or Right.
7. In the Select a finger area, click the check box next to the finger you will scan for prints, and click Start registration.


Figure 4-9 Fingerprint Registration window

8. Place your finger on the User Verification Manager-aware fingerprint sensor and follow the on-screen instructions.
9. Click OK once you have registered your fingerprint.
10. Specify another finger to register, or click Exit to finish.

Registering a fingerprint as a user


1. Click Start -> Programs -> X -> IBM Client Security Software -> Modify Your Security Settings, where X is the Destination Folder you chose during the installation.
2. Select the Fingerprint/Smart Card Registration tab.
3. Click Click to launch fingerprint registration.
4. Enter your passphrase and click OK.
5. The Fingerprint Registration window (Figure 4-9 on page 132) is displayed. In the Select a hand area, click Left or Right.
6. In the Select a finger area, click the check box next to the finger you will scan for prints, and click Start registration.


7. Place your finger on the User Verification Manager-aware fingerprint sensor and follow the on-screen instructions.
8. Click OK once you have registered your fingerprint.
9. Specify another finger to register, or click Exit to finish.

4.5.5 Using User Verification Manager protection for Lotus Notes


User Verification Manager provides enhanced security protection for Lotus Notes users. The following explains the process for setting this up.

Note: If there is a planar failure while using User Verification Manager protection for Lotus Notes, an administrator will be required to recover the keys before Lotus Notes can be used again. It is also possible to use IBM Password Manager to gain the same level of protection without this issue.

Configuring UVM protection for a Lotus Notes User ID


Before you can enable User Verification Manager protection for Lotus Notes, Notes must be installed on the IBM client, a Notes User ID and password must be established for the user, and the Notes user must be authorized to use User Verification Manager. To set up User Verification Manager protection for Lotus Notes, complete the following procedure:

1. From the Windows desktop of the IBM client, click Start -> Settings -> Control Panel -> IBM Client Security Subsystem.
2. The Administrator Utility main window is displayed. Click Configure Application Support and Policies.
3. The UVM Application and Policy Configuration screen is displayed. Select the Enable Lotus Notes support check box. User Verification Manager protection for the Lotus Notes User ID is now enabled.

If necessary, continue with the following optional steps to configure a policy for Lotus Notes logon:

1. Click Application Policy.
2. The Modify Client Security Policy Configuration screen is displayed. Click Edit Policy.
3. Enter the administrator password and click OK. The IBM UVM Policy: Lotus Notes Logon screen is displayed.
4. On the Object Selection tab, select Lotus Notes Logon from the Action drop-down menu.


5. On the Authentication Elements tab, select the authentication elements that you want to require for Lotus Notes Logon.
6. Click Apply to save the selections.
7. The Admin Private Key Required screen is displayed. Specify the location of the private key by either typing the path name in the provided field or by clicking Browse and selecting the appropriate folder.
8. Click OK.
9. The IBM User Verification Manager: Summary of Policy screen displays a summary of the objects controlled by the local client policy.
10. Start Lotus Notes. User Verification Manager password registration is completed when Lotus Notes is started.

4.6 Implementation: Utilization


The following section discusses administrative usage of the various elements of the ESS solution outlined in this chapter.

4.6.1 Using the User Verification Manager policy editor


See 4.5.2, Modifying your security settings on page 127 for a discussion of the User Verification Manager policy editor. To use the UVM policy editor, complete the following Administrator Utility procedure:

1. Open the Windows Control Panel and double-click the IBM Security Subsystem Administrator Utility icon. When prompted, enter the Administrator password.
2. Click the Configure Application Support and Policies button.
3. The UVM Application and Policy Configuration screen is displayed. Click the Application Policy button.
4. The Modify Client Security Policy Configuration screen is displayed. Click the Edit Policy button.
5. The Enter Administrator Password screen is displayed. Enter your Administrator password and click OK.
6. The IBM UVM Policy screen is displayed. On the Object Selection tab, click Action or Object Type and select the object for which you want to assign authentication requirements.


Actions include System Logon, System Unlock, and E-mail Decryption; an example of an object type is Acquire Digital Certificate.
7. For each object you select, do one of the following:
- Click the Authentication Elements tab, and edit the settings for the available authentication elements that you want to assign to the object.
- Select Access Manager controls selected object to enable Tivoli Access Manager to control the object you chose. Select this option only if you want Tivoli Access Manager to control the authentication elements for the IBM client. For more information, see Using Client Security with Tivoli Access Manager.

Important: If you enable Tivoli Access Manager to control the object, you are giving control to the Tivoli Access Manager object space. If you do this, you must reinstall Client Security Software to re-establish local control over that object.

- Select Deny all access to selected object to deny access for the object you chose.
8. Click OK to save your changes and exit.

4.6.2 Editing a UVM policy on remote clients


To use UVM policy across multiple IBM clients, edit and save UVM policy for a remote client, and then copy the UVM policy file to other IBM clients. If you installed Client Security in its default location, the UVM policy file will be stored as \Program Files\IBM\Security\UVM_Policy\remote\globalpolicy.gvm. Copy the following files to the other IBM clients that will use this UVM policy:
- \IBM\Security\UVM_Policy\remote\globalpolicy.gvm
- \IBM\Security\UVM_Policy\remote\globalpolicy.gvm.sig
If you installed Client Security Software in its default location, the root directory for the preceding paths is \Program Files. Copy both files together to the \IBM\Security\UVM_Policy\ directory on the remote clients. Because this policy decides what authentication each client will demand, distribute the pair only from a trusted source and only to the intended clients.

4.6.3 IBM Client Security Password Manager


This section shows step-by-step procedures for common IBM Client Security Password Manager functions.


Creating new entries


The IBM Client Security Password Manager enables users to enter information into Web sites and applications using the Password Manager interface. The IBM Password Manager program encrypts the information that is entered into the appropriate fields using the IBM Embedded Security Chip and saves it. Once the information is saved in Password Manager, these fields are automatically populated with this secure information whenever access to the Web site or application is granted according to the User Verification Manager user authentication policy.

To enter password information into the IBM Client Security Password Manager, complete the following procedure:

1. Open the application or Web site logon screen.
2. Right-click the Password Manager icon in the Windows icon tray and select Create.
a. The Password Manager Create function can also be accessed with the keyboard shortcut Ctrl+Shift+H.
b. The IBM Password Manager does not support icon tray functionality on computers running the Windows NT operating system. If you are using a Windows NT system, use the keyboard shortcut.
3. Enter the information for a field in the Password Manager - Create New Entry window.
Note: The information in this field must be less than 260 characters in length.
4. If you do not want the entered text to be displayed, click the Obscure typed text for privacy check box.
Note: This check box only controls how the text is displayed within Password Manager. After the text is dropped into a Web site or application, its properties will be controlled by that application.
5. Use the Select Field target icon to drag the text from the Password Manager utility into the appropriate field on the Web site or application.
Note: This icon enables the text to be copied without using your computer clipboard or other non-secure location.
6. Repeat step 3 through step 5 for each field, as necessary.


7. Click Save New Entry.
8. Click the Add Enter to automatically submit entry check box if you want Password Manager to submit the logon information after recalling it.
Note: Some Web sites do not use the Enter key to submit logon information. If logon is failing, disable this convenience feature.
9. Click Save New Entry to complete the procedure.

Managing entries
The IBM Client Security Password Manager enables users to work with information stored in the Password Manager. The Password Manager - Manage window enables you to change your user ID, password, and other information entered into Password Manager that populates the fields on a Web site or application. To change information stored in the IBM Client Security Password Manager, complete the following procedure:

1. Right-click the Password Manager icon in the Windows icon tray and click Manage.
a. The Password Manager Manage function can also be accessed with the keyboard shortcut Ctrl+Shift+B.
b. The IBM Password Manager does not support icon tray functionality on computers running the Windows NT operating system. If you are using a Windows NT system, use the keyboard shortcut.
2. Enter your User Verification Manager passphrase, or complete the access requirements specified by the User Verification Manager user authentication policy.
3. Edit your information. Select from the following options:

Entry information. To edit entry information, complete the following procedure:
a. Right-click the entry you want to edit.
b. Select from the following actions:
- Add Enter: Select Add Enter to have your entry information submitted automatically to the Web site or application. A check icon will appear next to Add Enter when this function is activated.
- Delete: Select Delete to delete the entry entirely.

c. Click Save Changes.

Entry field information. To edit entry field information, complete the following procedure:
a. Right-click the field you want to edit.
b. Select from the following actions:
- Change Entry Field: Select Change Entry Field to change the information stored for this field. You can change an entry field in one of the following ways:
  By creating a randomized entry: select Randomize. Password Manager will create randomized entries that are 7, 14, or 127 characters in length.
  By manually editing an entry field: select Edit and make the appropriate changes to the field.
- Delete Entry Field: Select Delete to delete the entry field entirely.
c. Click Save Changes.
4. Click Save Changes.

Note: Changing a field in Password Manager only updates the logon information within Password Manager. If you want to increase the security of your passwords by using the Password Manager Randomize feature, you must synchronize the application or Web site with the new random password generated by this feature. Use the Password Manager Transfer Field Tool to transfer the new randomized password into the application or Web site Change Password form. Verify that the new password is valid for the application or Web site before you click Save Changes in the Password Manager - Manage window; if you save first and the site rejects the change, the stored entry no longer matches the site. There is no need to re-create the entry with the new password, since all the necessary information has been retained.

Recalling entries
Recalling passwords using the IBM Client Security Password Manager is simple. To recall information stored in the IBM Client Security Password Manager, complete the following procedure:

1. Open the application or Web site logon screen for the information that you want to recall.
2. Double-click the Password Manager icon in the Windows icon tray. Password Manager will populate the fields on the logon screen with the stored information.


a. The Password Manager Recall function can also be accessed with the keyboard shortcut Ctrl+Shift+G.
b. The IBM Password Manager does not support icon tray functionality on computers running the Windows NT operating system. If you are using a Windows NT system, use the keyboard shortcut.
3. Enter your User Verification Manager passphrase, or complete the access requirements specified by the User Verification Manager user authentication policy.
4. If the Add Enter to automatically submit entry check box is not checked, click the Submit button on the application or the Web site.

If no entry is recalled, a prompt will ask whether you would like to create a new entry. Click Yes to launch the Password Manager - Create New Entry window.

4.6.4 File and Folder Encryption (FFE)


IBM Client Security Software enables users to protect sensitive files and folders using the right-click button of their mouse. How the software protects a file or folder differs depending upon how the file or folder is initially encrypted.

Note: File and Folder Encryption is different from the right-click encryption that comes native in the IBM Client Security Software install. You do not need to install File and Folder Encryption unless you are seeking the on-the-fly capability of protecting a folder. Before using File and Folder Encryption, review the considerations listed in 4.2.2, File and Folder Encryption considerations on page 105.

A folder can be in any one of the following states; each state is handled differently by the right-click protect folder option:

An Unprotected Folder
Neither this folder, its subfolders, nor any of its parents has been designated as protected. The user is given the option to protect this folder.

A Protected Folder
A protected folder can be in one of three states:
- Protected by the current user: The current user has designated this folder as protected. All files are encrypted, including files in all subfolders. The user is given the option to unprotect the folder.
- A subfolder of a folder protected by the current user: The current user has designated one of this folder's parents as protected. All files are encrypted. The current user has no right-click options.
- Protected by a different user: A different user has designated this folder as protected. All files are encrypted, including files in all subfolders, and are unavailable to the current user. The current user has no right-click options.

A Parent of a Protected Folder
A parent of a protected folder can be in one of three states:
- It can contain one or more subfolders protected by the current user: The current user has designated one or more subfolders as protected. All files in the protected subfolders are encrypted. The user is given the option to protect the parent folder.
- It can contain one or more subfolders protected by one or more different users: A different user or users have designated one or more subfolders as protected. All files in the protected subfolders are encrypted, and are unavailable to the current user. The current user has no right-click options.
- It can contain subfolders protected by the current user and one or more different users: Both the current user and one or more different users have designated subfolders as protected. The current user has no right-click options.

A Critical Folder
A critical folder is a folder in a critical path and, therefore, cannot be protected. There are two critical paths: the Windows path and the Client Security path.
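The folder states above amount to one decision that the right-click handler makes from three facts: whether the folder lies in a critical path, who (if anyone) protected the folder or one of its parents, and who protected folders beneath it. The following Python function is an added example, not IBM code and not the FFE implementation: it encodes that decision so the rules can be checked against sample paths. It assumes protection is recorded as a map from folder to the user who protected it, uses the default Client Security install location as the Client Security critical path, and treats a folder below one that a different user protected like that protected folder (files unavailable, no options), which the text implies but does not list separately. The sample paths and user names are constructed.

```python
"""Right-click state of a folder under File and Folder Encryption.
Added example; it encodes the folder states listed in 4.6.4 as one
decision function.  The protected-folder map, the critical paths and the
handling of a folder below another user's protected folder are assumptions."""

from pathlib import PureWindowsPath
from typing import Dict, Iterable, Optional, Tuple

# "There are two critical paths: the Windows path and the Client Security path."
# ASSUMPTION: the default install location stands in for the Client Security path.
CRITICAL_PATHS = (r"C:\WINDOWS", r"C:\Program Files\IBM\Security")


def _within(path: PureWindowsPath, ancestor: str) -> bool:
    """True if path is ancestor or lies below it (Windows paths compare case-insensitively)."""
    a = PureWindowsPath(ancestor)
    return path == a or a in path.parents


def folder_state(folder: str, protected: Dict[str, str], current_user: str,
                 critical: Iterable[str] = CRITICAL_PATHS) -> Tuple[str, Optional[str]]:
    """Return (state, right-click option) for folder.

    protected maps each folder a user designated as protected to that user's
    name; the option is "Protect", "Unprotect" or None (no right-click options).
    """
    f = PureWindowsPath(folder)
    me = current_user.lower()

    if any(_within(f, c) for c in critical):
        return "critical folder", None

    # The folder itself was designated as protected
    owner = next((u for p, u in protected.items() if PureWindowsPath(p) == f), None)
    if owner is not None:
        if owner.lower() == me:
            return "protected by the current user", "Unprotect"
        return "protected by a different user", None

    # One of its parents was designated as protected
    above = {u.lower() for p, u in protected.items() if PureWindowsPath(p) in f.parents}
    if above:
        if above == {me}:
            return "subfolder of a folder protected by the current user", None
        # ASSUMPTION: same treatment as a folder protected by a different user
        return "subfolder of a folder protected by a different user", None

    # It contains protected subfolders
    below = {u.lower() for p, u in protected.items() if f in PureWindowsPath(p).parents}
    if not below:
        return "unprotected folder", "Protect"
    if below == {me}:
        return "parent of folders protected by the current user", "Protect"
    if me in below:
        return "parent of folders protected by the current user and other users", None
    return "parent of folders protected by different users", None


# Constructed sample: folders two users have protected on one client
PROTECTED = {
    r"C:\Documents and Settings\jsmith\My Documents\Contracts": "jsmith",
    r"C:\Documents and Settings\jsmith\My Documents\Shared\Payroll": "aturner",
    r"C:\Data\Audit\2003": "jsmith",
    r"C:\Data\HR": "aturner",
}

if __name__ == "__main__":
    for path in [r"C:\WINDOWS\system32", r"C:\Temp",
                 r"C:\Documents and Settings\jsmith\My Documents\Contracts",
                 r"C:\Documents and Settings\jsmith\My Documents\Contracts\2003",
                 r"C:\Documents and Settings\jsmith\My Documents",
                 r"C:\Data\Audit", r"C:\Data", r"C:\Data\HR\Reviews"]:
        print(f"{path:62} -> {folder_state(path, PROTECTED, 'jsmith')}")
```

Paths are handled with PureWindowsPath so the comparison is case-insensitive like the Windows file system and the script runs anywhere. Running it for jsmith shows the only two states that offer an option (an unprotected folder, and a parent whose protected subfolders are all the user's own); every state involving another user's protection yields no option at all.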

Right-click File protection


Files can be encrypted and decrypted manually through the right-click menu. When files are encrypted in this manner, the encryption operation appends a .$enc$ extension to the files. These encrypted files can then be securely stored on remote servers. They will remain encrypted and unavailable to applications for use until the right-click facility is used again to decrypt them.

Right-click File and Folder protection


A User Verification Manager-enrolled user can select a folder to protect or unprotect through the right-click interface. This encrypts all of the files contained in the folder and any of its subfolders. When files are protected in this manner, no extension is appended to the file name. When an application tries to access a file in a protected folder, the file is decrypted into memory and re-encrypted before it is saved to the hard disk. Any Windows operation that tries to access a file in a protected folder is given access to the data in decrypted form. This feature adds ease of use, so that a file doesn't have to be decrypted before it is used and then re-encrypted after a program is finished with it. Note that the decision is made per user, not per application: any process running in the enrolled user's session sees the plaintext, while the same files remain unavailable to other users of the client.


File and Folder Encryption (FFE) utility limitations


The IBM FFE utility has the following limitations:

Limitations when moving protected files and folders


The IBM FFE utility does not support the following actions:
- Moving files and folders within protected folders
- Moving files or folders between protected and unprotected folders
If you attempt to perform either of these unsupported Move operations, an Access Denied message will be displayed by the operating system. This message is normal. It simply provides notification that this Move operation is not supported. As an alternative to using a Move operation, do the following:
1. Copy the protected files or folders to the new location.
2. Delete the original files or folders by using the Shift+Del key combination, which deletes them permanently instead of moving them to the Recycle Bin.

Limitations when running applications


The IBM FFE utility does not support running applications from a protected folder. For example, if you have an executable named PROGRAM.EXE, you cannot run that application from a protected folder.

Path name length limitations


When you attempt to protect a folder using the IBM FFE utility, or attempt to copy or move a file or folder from an unprotected folder to a protected folder, you might receive a One or more path names are too long message from the operating system. If you receive this message, one or more files or folders have a path that exceeds the maximum allowable character length. To correct the problem, either rearrange the folder structure to shorten its depth or shorten some folder or file names.

Problems protecting a folder


If you attempt to protect a folder and receive a message stating "The folder cannot be protected, one or more files may be in use", check the following:
- Verify that none of the files contained in the folder are currently in use.
- If Windows Explorer is displaying one or more subfolders of a folder that you are attempting to protect, make sure that the folder you are attempting to protect is highlighted and active, not any of the subfolders.

IBM File and Folder Encryption Known issues


IBM File and Folder Encryption might encounter problems when using any application that re-partitions the hard drive.


You should disable File and Folder Encryption before using an application that re-partitions the computer hard drive, because these types of applications might interfere with vital FFE operations. Applications that re-partition the hard drive include applications such as PowerQuest PartitionMagic and IBM Rapid Restore Ultra. To disable FFE, complete the following procedure:
1. From the Control Panel, select IBM Client Security Software Subsystem.
2. Click the Configure Application Support and Policies button.
3. Clear the Enable File and Folder protection checkbox.
4. Restart the system.

For more known issues and limitations see 4.9.7, IBM File and Folder Encryption (FFE) Utility known issues on page 158.

4.6.5 Using User Verification Manager protection within Lotus Notes


Before you can use User Verification Manager protection for Lotus Notes, you must follow the steps in 4.5.5, Using User Verification Manager protection for Lotus Notes on page 133.

Setting up UVM protection within Lotus Notes


To set up UVM protection within Lotus Notes, do the following:
1. Log in to Lotus Notes. The IBM User Verification Manager window is displayed.
2. Enter and verify your Lotus Notes password in the available fields.

Your Lotus Notes password is now registered with UVM.

Re-setting your Lotus Notes password


To reset your Lotus Notes password, do the following:
1. Log in to Lotus Notes.
2. From the Lotus Notes menu bar, click File -> Tools -> User ID. The IBM User Verification Manager window is displayed.
3. Enter your User Verification Manager passphrase and click OK. The User ID window is displayed.
4. Click Set Password. The IBM User Verification Manager window is displayed.
5. Select the Create your own password radio button.
6. Enter and verify your new Lotus Notes password in the available fields, and click OK.

Important: When you change your password within Lotus Notes to a value that you have used before, Notes rejects the password change, but does not inform the Client Security Software. Consequently, User Verification Manager stores the password that Notes rejected. If you receive a message indicating that the password has been used before when changing your password within Lotus Notes, you will need to exit Lotus Notes, start the User Configuration Utility, and restore the Lotus Notes password to the value it was before. If your Lotus Notes password was randomly generated and you get this error, you have no way of knowing what the password was, and therefore you cannot reset it manually. You must request a new ID file from your administrator or restore a previously saved copy of your ID file.

Disabling UVM protection for a Lotus Notes User ID


If you want to disable User Verification Manager protection for a Lotus Notes User ID, do the following:
1. From the Windows desktop of the IBM client, click Start -> Settings -> Control Panel -> IBM Client Security Subsystem. After you enter your password, the Administrator Utility main window is displayed.
2. Click Configure Application Support and Policies. The User Verification Manager Application and Policy Configuration screen is displayed.
3. Unselect the Enable Lotus Notes support checkbox.
4. Click OK. The Application Support Actions screen is displayed with a message indicating that Lotus Notes support is disabled.

Setting up UVM protection for a switched Lotus Notes User ID


To switch from a User ID that has User Verification Manager protection enabled to another User ID, do the following:
1. Exit Lotus Notes.
2. Disable User Verification Manager protection for the current User ID.
3. Enter Lotus Notes and switch User IDs. See your Lotus Notes documentation for information on switching User IDs.
4. To set up User Verification Manager protection for the User ID that you have switched to, enter the Lotus Notes Configuration tool (provided by Client Security Software), and set up UVM protection. Refer to 4.5.5, Using User Verification Manager protection for Lotus Notes on page 133.

4.6.6 Using the Administrator Console


The Client Security Software Administrator Console enables a Security Administrator to perform administrator-specific tasks remotely from his own system. The Administrator Console application (console.exe) is run from the \program files\ibm\security directory. The Administrator Console enables a Security Administrator to perform the following functions:

Bypass or override authentication elements - The bypass or override functions that the administrator can perform include the following:
- User Verification Manager passphrase bypass - This function enables the administrator to provide a bypass for the UVM passphrase. When this function is used, a random temporary passphrase is created, along with a password file. The administrator sends the password file to the user, and communicates the password by some other means. Delivering the file and the password over separate channels is what ensures the security of the new passphrase.
- Display/Change Fingerprint/Smart Card Override Password - This function enables the administrator to override the security policy even if it is set to NOT allow passphrase override for fingerprint or smart card. This might be necessary if a user's fingerprint reader is broken or his smart card is not available. The administrator can read or e-mail the override password to the user.

Access archive key information - The information that the administrator can access includes the following:
- Archive directory - This field enables the administrator to locate the archive key information from a remote location.
- Admin private key location - This field enables the administrator to locate the administrator private key.

Other remote administrator functions - The Administrator Console enables security administrators to remotely perform the following functions:
- Create the Administrator Configuration file - This function enables the administrator to generate the administrator configuration file, which is required when a user wants to enroll or reset himself using the Client Utility. The administrator typically e-mails this file to a user.
- Encrypt/Decrypt Setup Configuration File - This function enables the encryption of the setup configuration file for additional security. It will also decrypt the file so that it can be edited.
- Configure Credential Roaming - This function registers this system as a CSS Roaming Server. Once registered, all UVM-authorized users in the network will be able to access their personal data (passphrases, certificates, etc.) on this system.

4.6.7 Changing the key archive location


When the key archive is first created, copies of all encryption keys are created and saved to the location specified at installation. To change the key archive location, complete the following Administrator Utility procedure:
1. Click the Key Configuration button.
2. The Modify Client Key Configuration - Configure Keys screen is displayed. Click the Change the archive location radio button and click Next.
3. The Modify Client Key Configuration - New Key Archive Location screen is displayed. Type the new path or click Browse to select the path.
4. Click OK.
5. A message displays that the operation is complete. Click Finish.

4.6.8 Changing the archive key pair


When the archive key pair is first created, it is usually stored on a diskette or network directory. If the archive key pair becomes damaged, you can change to a different archive key pair.

Note: Be sure to update the archive before changing the archive key pair.

To change the archive key pair, complete the following Administrator Utility procedure:
1. Click the Key Configuration button.
2. The Modify Client Key Configuration - Configure Keys screen is displayed. Click the Change IBM Security Subsystem Archive key pair radio button and click Next.
3. The Modify Client Security Key Configuration - New User Verification Manager Administrator Public Key File screen is displayed. In the New CSS Archive Key area, type the file name for the new archive public key in the Public Key File field. You can also click Browse to search for the new file, or click Create to generate a new archive public key.
   Note: Make sure you create the new public key in a location other than that which contains the old archive key files.
4. In the Old CSS Archive Key area, type the file name for the old archive private key in the Private Key File field, or click Browse to search for the file.
5. In the Archive Location area, type the file path where the key archive is stored, or click Browse to select the path.
6. Click Next.
   Note: If the archive key pair was split into multiple files, a message is displayed that asks you to type in the location and name of each file. Click Read Next after you type each file name in the Key File field.
7. A message displays that the operation completed successfully. Click OK.
8. A message displays that the operation is complete. Click Finish.

4.6.9 Restoring keys from archive


You might need to restore keys if you have replaced a system board or a failed hard disk drive. When you restore keys, you are copying the most recent user key files from the key archive and storing them on the IBM Embedded Security Chip. These copied user key files appear in the directory where they were previously stored on the computer, such as on a network directory or diskette.

If a hard disk drive failure in the computer compromises the integrity of the user keys, you can restore the keys from the key archive. Restoring the keys will overwrite any keys that have been stored.

If you replace the system board in your computer with a system board that contains the IBM Embedded Security Chip, and the encryption keys are still valid on your hard disk drive, you can restore the encryption keys that were previously associated with the computer by re-encrypting them with the IBM Embedded Security Chip on the new system board. You perform a key restoration after you have enabled the new chip and set a Security Chip password.

Note: The User Verification Manager logon gets enabled automatically after a key restoration. Consequently, if you had fingerprint authentication required for User Verification Manager logon, you MUST install the fingerprint software before rebooting after a restore to avoid being locked out of the system.

The following instructions assume that the Administrator Utility has not been damaged by a hard disk drive failure. If a hard disk drive failure has damaged the client security files, you might need to reinstall Client Security Software. To restore encryption keys from a key archive, complete the following Administrator Utility procedure:

Note: If you change the admin key pair after you restore the archive, an error message displays. If this occurs, you must add the users to User Verification Manager, and then request new certificates.

1. Click the Key Configuration button.
2. The Modify Client Key Configuration - Configure Keys screen is displayed. Click the Restore IBM Security Subsystem keys from archive radio button, and click Next.
3. The Modify Client Key Configuration - Restore All IBM Security Subsystem Keys screen is displayed. In the Archive Directory (Path) field, type the file path of the archive directory, or click Browse to search for the directory.
4. In the CSS Archive Public Key File field, type the path and file name of the admin public key, or click Browse to search for the file.
5. In the CSS Archive Private Key File field, type the path and file name of the admin private key, or click Browse to search for the file.
6. Click Next. A message is displayed indicating that the operation completed successfully.
   Note: If the admin private key was split into multiple files, a message is displayed that asks you to type in the location and name of each file. Click Read Next after you type each file in the Key File field.
7. Click OK.
8. Click Finish.
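Sections 4.6.7 through 4.6.9 describe the key archive only in terms of dialog boxes. The following Go program is an added example and is not Client Security Software code or its archive format; it models the escrow relationship those procedures imply: each user's key material is archived wrapped under the archive public key, changing the archive key pair needs the old private key and the new public key (the two files steps 3 and 4 of 4.6.8 ask for), and a restore after a board replacement needs the archive private key (CSS also asks for the public key file; the model derives it from the private key). The wrapping scheme (RSA-OAEP), the names UpdateArchive, ChangeArchiveKeyPair, RestoreKeys and KeyArchive, the OAEP label, and the sample user key are all constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// OAEP label for archive entries. Constructed for this example; not a CSS value.
var archiveLabel = []byte("css-key-archive-example")

// KeyArchive holds one wrapped copy of each user's key material, indexed by user
// name. Each entry is the raw key encrypted with RSA-OAEP under the archive public key.
type KeyArchive struct {
	Entries map[string][]byte
}

// NewArchiveKeyPair generates an archive key pair (what "Create" does in step 3 of
// 4.6.8). The public half is &priv.PublicKey.
func NewArchiveKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// UpdateArchive writes a fresh archive of all current user keys under the archive
// public key: the "update the archive" step 4.6.8 requires before changing the pair.
func UpdateArchive(pub *rsa.PublicKey, userKeys map[string][]byte) (*KeyArchive, error) {
	a := &KeyArchive{Entries: make(map[string][]byte, len(userKeys))}
	for user, key := range userKeys {
		blob, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, archiveLabel)
		if err != nil {
			return nil, fmt.Errorf("archive %s: %w", user, err)
		}
		a.Entries[user] = blob
	}
	return a, nil
}

// RestoreKeys recovers plaintext user keys with the archive private key. After a
// board replacement the caller would re-encrypt them under the new chip (4.6.9).
func RestoreKeys(a *KeyArchive, priv *rsa.PrivateKey) (map[string][]byte, error) {
	out := make(map[string][]byte, len(a.Entries))
	for user, blob := range a.Entries {
		key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob, archiveLabel)
		if err != nil {
			return nil, fmt.Errorf("restore %s: %w", user, err)
		}
		out[user] = key
	}
	return out, nil
}

// ChangeArchiveKeyPair re-wraps every entry from the old private key to the new
// public key, which is why 4.6.8 asks for both files.
func ChangeArchiveKeyPair(a *KeyArchive, oldPriv *rsa.PrivateKey, newPub *rsa.PublicKey) (*KeyArchive, error) {
	keys, err := RestoreKeys(a, oldPriv)
	if err != nil {
		return nil, err
	}
	return UpdateArchive(newPub, keys)
}

// sameKeys reports whether two key maps hold identical key material.
func sameKeys(a, b map[string][]byte) bool {
	if len(a) != len(b) {
		return false
	}
	for user, key := range a {
		if !bytes.Equal(key, b[user]) {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample: one user with a random 32-byte key standing in for the
	// per-user key material the security chip would hold.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	users := map[string][]byte{"alice": key}

	oldPriv, _ := NewArchiveKeyPair()
	archive, _ := UpdateArchive(&oldPriv.PublicKey, users)
	newPriv, _ := NewArchiveKeyPair()
	archive, _ = ChangeArchiveKeyPair(archive, oldPriv, &newPriv.PublicKey)

	restored, err := RestoreKeys(archive, newPriv)
	fmt.Println("restore with new archive key pair ok:", err == nil && sameKeys(users, restored))
	_, err = RestoreKeys(archive, oldPriv)
	fmt.Println("old archive private key rejected:", err != nil)
}
```

The last two lines of main show the property the "update the archive first" note protects: once the pair is changed, only the new private key opens the archive, so a user key that was never archived under the old pair cannot be carried across, and the old private key is useless against the rewrapped entries. A real archive would also need to be stored with the same care as the private key file, which is why 4.6.8 tells you to create the new public key away from the old archive key files.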

4.7 Usage Scenarios


Administrators can use the multiple components provided by Client Security Software to set up the security features that IBM client users require. You can use the following examples as a guide to your thinking as you plan your Client Security policy and configuration.


4.7.1 Windows 2000 and Windows XP clients using Outlook Express


In this example, one IBM client (client 1) has Windows 2000 and Outlook Express installed, and the other client (client 2) has Windows XP and Outlook Express installed. There are three users who will require authentication setup with User Verification Manager on client 1; one client user will require authentication setup with User Verification Manager on client 2. All client users will register their fingerprints so that they can be used for authentication. A Targus DEFCON fingerprint sensor will be installed during this example. It has also been established that both clients will require User Verification Manager protection for Windows logon. The administrator decided that the local UVM policy will be edited and used at each client. To set up client security, complete the following procedure:
1. Install the software on client 1 and client 2. Refer to 4.4, Preparation: Installation instructions on page 108 for details.
2. Install the Targus fingerprint reader and its associated software on each client. Refer to 4.4.3, Installing the Targus PC Card Fingerprint Reader on page 111 for details.
3. Set up user authentication with User Verification Manager for each client. Do the following:
   - Add users to User Verification Manager by assigning them a User Verification Manager passphrase. Because client 1 has three users, you must repeat the process for adding users to User Verification Manager until all users have been added.
   - Set up User Verification Manager protection for the Windows logon for each client.
   - Register user fingerprints. Because a policy will be set stating three users will use client 1, all three users must register their fingerprints.
   Note: If you set fingerprint as an authentication requirement as part of User Verification Manager policy for a client, each user must register his or her fingerprints.
4. Edit and save a local User Verification Manager policy at each client that requires authentication for the following:
   - Logging on the operating system
   - Acquiring a digital certificate
   - Using a digital signature for e-mail messages
5. Restart each client to enable the User Verification Manager protection for the Windows logon.
6. Inform the users of the User Verification Manager passphrases that you have set for them and of the authentication requirements that you set in the UVM policy for the IBM client.

Client users can now perform the following tasks:
- Use User Verification Manager protection to lock and unlock the operating system.
- Apply for a digital certificate and choose the Embedded Security Chip as the cryptographic service provider associated with the certificate.
- Use the digital certificate to encrypt e-mail messages created with Outlook Express.

4.7.2 Windows 2000 clients using Lotus Notes


In this example, the two IBM clients (client 1 and client 2) both have Windows 2000 and Lotus Notes installed. Two users will require authentication setup with User Verification Manager on client 1; one user will require authentication setup with User Verification Manager on client 2. Both clients will require User Verification Manager protection for the system logon, and will use the Client Security screen saver and User Verification Manager protection for Lotus Notes. The administrator decided that a User Verification Manager policy for remote clients will be edited on client 1 and then copied to client 2. To set up client security, complete the following procedure:
1. Install the software on client 1 and client 2. Because a UVM policy for remote clients will be used, you must use the same admin public key when you install the software on both client 1 and client 2. Refer to 4.4, Preparation: Installation instructions on page 108 for details about the software installation.
2. Set up user authentication with User Verification Manager for each client. Then, do the following:
   - Add users to User Verification Manager by assigning them a User Verification Manager passphrase. Because client 1 has two users, you must repeat the process for adding users to User Verification Manager until both users have been added.
   - Set up User Verification Manager protection for Windows logon on each client.
3. Enable User Verification Manager protection for Lotus Notes on both clients. Refer to 4.5.5, Using User Verification Manager protection for Lotus Notes on page 133.
4. Edit and save a User Verification Manager policy for remote clients on client 1, and then copy it to client 2. The User Verification Manager policy would require user authentication for clearing the screen saver, logging on to Lotus Notes, and logging on the operating system. Refer to 4.6.2, Editing a UVM policy on remote clients on page 135 for details.
5. Restart each client to enable the User Verification Manager protection for the system logon.
6. Inform the client users of the User Verification Manager passphrases and the policy that has been set for each client.

The users can now read the Client Security Software User's Guide to learn how to perform the following tasks:
- Enable the Client Security screen saver
- Use User Verification Manager protection for Windows 2000

4.7.3 Multiple Windows 2000 clients managed by Tivoli Access Manager


The intended audience for the following example is an enterprise administrator who plans to use Tivoli Access Manager to manage the authentication objects that are set by UVM policy. In this example, multiple IBM clients have both Windows 2000 and Netscape (for e-mail) installed. All clients have NetSEAT client, a Tivoli Access Manager component, installed. All clients using an LDAP server have LDAP client installed. UVM policy for remote clients will be installed on all clients. UVM policy will enable Tivoli Access Manager to control selected authentication objects for the clients. In this example, one user will require authentication setup with User Verification Manager on each client. All users will register their fingerprints so that they can be used for authentication. A Targus DEFCON fingerprint sensor will be installed during this example, and all clients will require User Verification Manager protection for Windows logon. To set up client security, complete the following procedure:
1. Install the Client Security component on the Tivoli Access Manager server. For details, see Using Client Security with Tivoli Access Manager.
2. Install Client Security Software on all clients. Because a User Verification Manager policy for remote clients will be used, you must use the same admin public key when you install the software on all clients. Refer to 4.4.1, Installing prerequisite device drivers on page 108 for details about the software installation.
3. Install the User Verification Manager-aware fingerprint sensors and any associated software on each client. For information about available User Verification Manager-aware products, go to http://www.pc.ibm.com/us/security/secdownload.html on the World Wide Web.
4. Set up user authentication with User Verification Manager on each client. Then, do the following:
   - Add users to User Verification Manager by assigning them a User Verification Manager passphrase.
   - Set up User Verification Manager protection for the Windows logon on each client.
   - Register the fingerprints for each client user. If fingerprint authentication is required on an IBM client, all users of that client must register their fingerprints.
5. Configure the Tivoli Access Manager setup information at each client. For details, see Using Client Security with Tivoli Access Manager.
6. Edit and save a UVM policy for remote clients on one of the clients, and then copy it to the other clients. Set UVM policy so that Tivoli Access Manager will control the following authentication objects:
   - Logging on the operating system
   - Acquiring a digital certificate
   - Using a digital signature for e-mail messages
   For details, refer to 4.6.2, Editing a UVM policy on remote clients on page 135.
7. Restart each client to enable the User Verification Manager protection for the Windows logon.
8. Install the IBM Embedded Security Chip PKCS#11 module onto each client. This module provides cryptographic support on clients that use Netscape for sending and receiving e-mail messages, and the IBM Embedded Security Chip for acquiring digital certificates. For more information, see the Client Security Software Installation Guide.
9. Enable Tivoli Access Manager to control the IBM Client Security Solutions objects that appear in the Tivoli Access Manager Management Console.
10. Inform client users of the User Verification Manager passphrases that have been set and the policy that has been set for each client.
11. Advise client users to read the Client Security Software User's Guide to learn how to perform the following tasks:
   - Use User Verification Manager protection to lock and unlock the operating system
   - Use the User Configuration Utility
   - Apply for a digital certificate that uses the Embedded Security Chip as the cryptographic service provider associated with the certificate
   - Use the digital certificate to encrypt e-mail messages created with Netscape

4.8 Uninstalling Client Security Software


Be sure that you uninstall the various utilities that enhance Client Security functionality before you uninstall IBM Client Security Software. Users must log on with administrator rights to uninstall Client Security Software.

Note: You must uninstall all IBM Client Security Software utilities and all User Verification Manager-aware sensor software before you uninstall IBM Client Security Software.

To uninstall Client Security Software, complete the following procedure:
1. Close all Windows programs.
2. From the Windows desktop, click Start -> Settings -> Control Panel.
3. Click the Add/Remove Programs icon.
4. In the list of software that can be automatically removed, select IBM Client Security.
5. Click Add/Remove.
6. Select the Remove radio button.
7. Click Yes to uninstall the software.
8. Do one of the following:
   - If you installed the IBM Embedded Security Chip PKCS#11 module for Netscape, a message is displayed that asks you to start the process to disable the IBM Embedded Security Chip PKCS#11 module. Click Yes to proceed. A series of messages will be displayed. Click OK for each message until the IBM Embedded Security Chip PKCS#11 module is removed.
   - If you did not install the IBM Embedded Security Chip PKCS#11 module for Netscape, a message is displayed that asks if you want to delete shared DLL files that were installed with Client Security Software. Click Yes to uninstall these files, or click No to leave the files installed. Leaving these files installed has no effect on the normal operation of your computer.
9. Click OK after the software is removed.

You must restart the computer after uninstalling Client Security Software. When you uninstall Client Security Software, you remove all installed Client Security software components along with all user keys, digital certificates, registered fingerprints and stored passwords. However, the key archive is not affected when Client Security Software is uninstalled.

4.9 Troubleshooting


This section contains information that an administrator might find helpful when identifying and correcting problems that might arise as you use Client Security Software.

4.9.1 Error Messages


Error messages related to Client Security Software are generated in the event log: Client Security Software uses a device driver that might generate error messages in the event log. The errors associated with these messages do not affect the normal operation of your computer.

UVM invokes error messages that are generated by the associated program if access is denied for an authentication object: If UVM policy is set to deny access for an authentication object, for example e-mail decryption, the message stating that access has been denied will vary depending on what software is being used. For example, an error message from Outlook Express that states access is denied to an authentication object will differ from a Netscape error message that states that access was denied.

4.9.2 Setting a supervisor password (ThinkPad)


Security settings available in the IBM BIOS Setup Utility enable administrators to perform the following tasks:
- Enable or disable the IBM Embedded Security Chip
- Clear the IBM Embedded Security Chip

When the IBM Embedded Security Chip is cleared, all encryption keys and certificates stored on the chip are lost. It is necessary to temporarily disable the supervisor password on some ThinkPad models before installing or upgrading Client Security Software. After setting up Client Security Software, set a supervisor password to deter unauthorized users from changing these settings. To set a supervisor password, complete the following procedure:
1. Shut down and restart the computer.
2. When the IBM BIOS Setup Utility prompt appears on the screen, press F1. The main menu of the IBM BIOS Setup Utility opens.
3. Select Password.
4. Select Supervisor Password.
5. Type your password and press Enter.
6. Type your password again and press Enter.
7. Click Continue.
8. Press F10 to save and exit.

After you set a supervisor password, a prompt appears each time you attempt to access the IBM BIOS Setup Utility.

Important: Keep a record of your supervisor password in a secure place. If you lose or forget the supervisor password, you cannot access the IBM BIOS Setup Utility, and you cannot change or delete the password. See the hardware documentation that came with your computer for more information.

4.9.3 Setting an administrator password (ThinkCentre)


Security settings available in the Configuration/Setup Utility enable administrators to do the following:
- Change the hardware password for the IBM Embedded Security Chip
- Enable or disable the IBM Embedded Security Chip
- Clear the IBM Embedded Security Chip

Because your security settings are accessible through the Configuration/Setup Utility of the computer, set an administrator password to deter unauthorized users from changing these settings. To set an administrator password:
1. Shut down and restart the computer.
2. When the Configuration/Setup Utility prompt appears on the screen, press F1. The main menu of the Configuration/Setup Utility opens.
3. Select System Security.
4. Select Administrator Password.
5. Type your password and press the down arrow on your keyboard.
6. Type your password again and press the down arrow.
7. Select Change Administrator password and press Enter; then press Enter again.
8. Press Esc to exit and save the settings.

After you set an administrator password, a prompt appears each time you try to access the Configuration/Setup Utility.

Tip: You set a Security Chip password to enable the IBM Embedded Security Chip for a client. After you set a Security Chip password, access to the Administrator Utility is protected by this password. You should protect the Security Chip password to prohibit unauthorized users from changing settings in the Administrator Utility.

4.9.4 Clearing the IBM Embedded Security Chip (ThinkPad)


If you want to erase all user encryption keys from the IBM Embedded Security Chip and clear the hardware password for the chip, you must clear the chip. Read the information in the box below before clearing the IBM Embedded Security Chip.

Important: Do not clear or disable the IBM Embedded Security Chip when User Verification Manager logon protection is enabled. If you do, you will be completely locked out of the system. To disable User Verification Manager protection, open the Administrator Utility, click Configure Application Support and Policies, and clear the Replace the standard Windows logon with UVM's secure logon check box. You must restart the computer before User Verification Manager protection is disabled.

When the IBM Embedded Security Chip is cleared, all encryption keys and certificates stored on the chip are lost. To clear the IBM Embedded Security Chip, complete the following procedure:
1. Shut down and restart the computer. When prompted to interrupt the normal startup sequence, press the blue Access IBM button on the keyboard.
   Note: On some older ThinkPad models, you might need to press the F1 key at power on when prompted to access the IBM BIOS Setup Utility. Refer to the help message at IBM BIOS Setup Utility for details.
2. At the Access IBM Predesktop Area, double-click Start setup utility.
3. Select Security.
4. Select IBM Security Chip.
5. Select Clear IBM Security Chip.
6. When prompted "Clear encryption keys?", select Yes.
7. Press Enter to continue.
8. Press F10 to save and exit.
9. When prompted "Save configuration changes and exit now", select Yes.
10. Press Enter to continue.

4.9.5 Clearing the IBM Embedded Security Chip (ThinkCentre)


If you want to erase all user encryption keys from the IBM Embedded Security Chip and clear the hardware password for the chip, you must clear the chip. Read the information in the Attention box below before clearing the IBM Embedded Security Chip.

156

Using ThinkVantage Technologies: Volume 2 Maintaining and Recovering Client Systems

Draft Document for Review September 24, 2003 4:11 pm

6060ch06.fm

Important: Do not clear or disable the IBM Embedded Security Chip when User Verification Manager logon protection is enabled. If you do, you will be completely locked out of the system. To disable User Verification Manager protection, open the Administrator Utility, click Configure Application Support and Policies, and clear the Replace the standard Windows logon with UVM's secure logon check box. You must restart the computer before User Verification Manager protection is disabled.

To clear the IBM Embedded Security Chip, complete the following procedure:

1. Shut down and restart the computer. When the Configuration/Setup Utility prompt appears on the screen, press F1. The main menu of the Configuration/Setup Utility opens.
2. Select Security.
3. Select Clear IBM Security Chip.
4. Press Enter.
5. Select Yes.
6. Press Enter.
7. Press Esc to continue.
8. Press F10 to exit and save the settings.
9. Select Yes.

4.9.6 Fail counts on TCPA and non-TCPA systems


The following table shows the anti-hammering delay settings for a TCPA system:
Table 4-1 Fail counts

Attempts    Delay on next failure
15          1.1 minutes
31          2.2 minutes
47          4.4 minutes
63          8.8 minutes
79          17.6 minutes
95          35.2 minutes
111         1.2 hours
127         2.3 hours
143         4.7 hours

TCPA systems do not distinguish between user passphrases and the administrator password. Any authentication using the IBM Embedded Security Chip adheres to the same policy. The maximum timeout is 4.7 hours. TCPA systems will not delay for longer than 4.7 hours. Non-TCPA systems distinguish between the administrator password and user passphrases. On non-TCPA systems, the administrator password has a 77-minute delay after 10 failed attempts; user passwords have only a one-minute delay after 32 failed attempts, and then the lockout time doubles after every 32 failed attempts.
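As an added example (not IBM's code), the following Python models the anti-hammering schedule described above so that an administrator can reason about how much wall-clock throttling the chip enforces against repeated wrong passphrases. The constants come from the text and Table 4-1; the rule between table rows (the TCPA delay doubles every 16 failures and stops growing at the 143-attempt row) and the assumption that the non-TCPA administrator delay stays at 77 minutes for every failure after the tenth are inferred, not stated on the page.

```python
"""Model of the Client Security Software anti-hammering delays (added example, not IBM code).

Constants come from the text and Table 4-1. Two rules are assumptions inferred
from the table rather than statements on the page: the TCPA delay doubles every
16 failed attempts, and it stops growing at the 143-attempt row (4.7 hours).
The non-TCPA administrator delay is likewise assumed to stay at 77 minutes for
every failure after the tenth.
"""
from typing import Callable, List, Tuple

# TCPA systems: one policy for user passphrases and the administrator password
TCPA_FIRST_DELAY_AT = 15        # first row of Table 4-1
TCPA_BASE_DELAY_MIN = 1.1       # minutes
TCPA_STEP = 16                  # table rows are 16 attempts apart (assumption)
TCPA_MAX_DOUBLINGS = 8          # row 143 = 1.1 min * 2**8, about 4.7 hours, the stated maximum

# Non-TCPA systems distinguish the administrator password from user passphrases
NON_TCPA_ADMIN_THRESHOLD = 10   # 77-minute delay after 10 failed attempts
NON_TCPA_ADMIN_DELAY_MIN = 77.0
NON_TCPA_USER_STEP = 32         # 1-minute delay after 32 failures, doubling every 32
NON_TCPA_USER_BASE_DELAY_MIN = 1.0


def tcpa_delay_minutes(failed_attempts: int) -> float:
    """Delay imposed on the next attempt after `failed_attempts` consecutive failures."""
    if failed_attempts < TCPA_FIRST_DELAY_AT:
        return 0.0
    doublings = (failed_attempts - TCPA_FIRST_DELAY_AT) // TCPA_STEP
    return TCPA_BASE_DELAY_MIN * 2 ** min(doublings, TCPA_MAX_DOUBLINGS)


def non_tcpa_delay_minutes(failed_attempts: int, administrator: bool) -> float:
    """Delay on a non-TCPA system; the administrator and user schedules differ."""
    if administrator:
        if failed_attempts < NON_TCPA_ADMIN_THRESHOLD:
            return 0.0
        return NON_TCPA_ADMIN_DELAY_MIN          # assumed flat once the threshold is reached
    if failed_attempts < NON_TCPA_USER_STEP:
        return 0.0
    doublings = failed_attempts // NON_TCPA_USER_STEP - 1
    return NON_TCPA_USER_BASE_DELAY_MIN * 2 ** doublings


def format_delay(minutes: float) -> str:
    """Render a delay the way Table 4-1 does: minutes below an hour, hours above."""
    if minutes < 60:
        return f"{minutes:.1f} minutes"
    return f"{minutes / 60:.1f} hours"


def tcpa_schedule() -> List[Tuple[int, float]]:
    """The (attempts, delay) rows of Table 4-1 as produced by the model."""
    rows = []
    for i in range(TCPA_MAX_DOUBLINGS + 1):
        attempts = TCPA_FIRST_DELAY_AT + i * TCPA_STEP
        rows.append((attempts, tcpa_delay_minutes(attempts)))
    return rows


def cumulative_delay_minutes(attempts: int, policy: Callable[[int], float]) -> float:
    """Total enforced waiting time to make `attempts` consecutive wrong guesses.

    Before guess number k+1 the chip has already seen k failures, so the delay
    for k failures applies. Comparing this figure with the size of a passphrase's
    guessing space shows how much protection the lockout policy actually adds.
    """
    return sum(policy(k) for k in range(attempts))


if __name__ == "__main__":
    for attempts, delay in tcpa_schedule():
        print(f"{attempts:>4} failures -> next delay {format_delay(delay)}")
    for n in (16, 32, 64, 144):
        tcpa = cumulative_delay_minutes(n, tcpa_delay_minutes)
        user = cumulative_delay_minutes(n, lambda k: non_tcpa_delay_minutes(k, False))
        print(f"{n} guesses: TCPA {format_delay(tcpa)}, non-TCPA user {format_delay(user)}")
```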

4.9.7 IBM File and Folder Encryption (FFE) Utility known issues
IBM File and Folder Encryption Utility might encounter a blue screen error when using an application that re-partitions the hard drive. If you encounter a blue screen error, you must disable FFE. Complete the following procedure to recover from the error state:

1. Reboot and log on to the system.
2. Disable FFE using the Administrator Utility procedure described in IBM File and Folder Encryption Known issues on page 141.

If the above procedure does not work because your system continues in a blue screen loop, complete the following procedure:

1. Shut down the system from the blue screen.
2. Start the system into Safe Mode by pressing F8 while the BIOS IBM logo screen is displayed during startup.
3. Select Safe Mode from the Windows menu.
4. Log on to Windows.
5. Rename the device driver from ibmfilter.sys to ibmfilter.xxx in the \system32\drivers folder of the Windows installation directory.
6. Reboot the system and log on to the system.
7. Disable FFE using the Administrator Utility procedure described above.

Recovering from a blue screen STOP condition (BSOD) while installing Norton Anti-Virus 2003 application software with Client Security Software


The following procedure guides you through the steps to recover your system after you encounter a blue screen STOP condition (BSOD) while installing the Norton Anti-Virus 2003 (Norton AV 2003) application. With Client Security Software and FFE installed on a system, a Norton Anti-Virus 2003 software installation will terminate with a STOP 0x7A condition. To recover from this condition, complete the following procedure:

1. Restart your computer from the blue screen.
2. When the system has restarted, log on to the system and authenticate with FFE. The Norton Anti-Virus software has only been partially installed. The following message might be displayed by Norton AntiVirus 2003.

Note: Do NOT click the OK button in Figure 4-10. This will reboot the system.

Figure 4-10 NAV error message

3. Click the hyperlink within the message box to go to the Symantec Technical Support Knowledge Base.
4. Find the section labelled NAV installed as a stand-alone product in the middle of the page. Follow the instructions to download and run the Rnav2003.exe removal utility, as follows:
   a. Click the Rnav2003.exe icon to start the download process.
   b. Click Save this program to disk, and then click OK.
   c. Change the location in the Save in field to Desktop, and then click Save.
   d. Click Close when the download is complete.
   e. Double-click the Rnav2003.exe icon on the Desktop to launch the application.
5. On the RNAV Question screen, click No to continue.


6. Select the appropriate version of Norton AntiVirus, and then click OK.
7. Click Yes to start the uninstall procedure. A progress indicator appears while the Rnav2003.exe utility removes Norton AntiVirus files and registry keys.
8. Click No to stop the computer from restarting when the uninstallation is completed.
9. Disable the FFE component through the CSS Administrator Utility, using the following procedure:
   a. Start the Administrator Utility.
   b. Click the Configure Application Support and Policies button.
   c. Uncheck the Enable File and Folder protection checkbox.
   d. Click OK.
10. Restart the computer.
11. Reinstall the Norton AntiVirus 2003 utility.
12. Enable the FFE component through the Administrator Utility. The computer will restart.

4.9.8 Installation troubleshooting information


The following troubleshooting information might be helpful if you experience problems when installing Client Security Software.
Table 4-2 Installation troubleshooting information

Problem: An error message is displayed during software installation
Symptom: A message is displayed when you install the software that asks if you want to remove the selected application and all of its components.
Possible Solution: Click OK to exit the window. Begin the installation process again to install the new version of Client Security Software.

Symptom: A message is displayed during installation stating that a previous version of Client Security Software is already installed.
Possible Solution: Click OK to exit from the window. Then do the following:
1. Uninstall the software.
2. Reinstall the software.
Note: If you plan to use the same hardware password to secure the IBM Embedded Security Chip, you do not have to clear the chip and reset the password.

Problem: Installation access is denied due to an unknown hardware password
Symptom: When installing the software on an IBM client with an enabled IBM Embedded Security Chip, the hardware password for the IBM Embedded Security Chip is unknown.
Possible Solution: Clear the chip to continue with the installation.

Problem: The setup.exe file does not respond properly (CSS version 4.0x)
Symptom: If you extract all files from the csec4_0.exe file into a common directory, the setup.exe file will not work properly.
Possible Solution: Run the smbus.exe file to install the SMBus device driver, and then run the csec4_0.exe file to install the Client Security Software code.

4.9.9 Administrator Utility troubleshooting information


The following troubleshooting information might be helpful if you experience problems when using the Administrator Utility.
Table 4-3 Administrator Utility troubleshooting information

Problem: UVM passphrase policy not enforced
Symptom: The "not contain more than 2 repeated characters" check box does not work in IBM Client Security Software Version 5.0.
Possible Solution: This is a known limitation with IBM Client Security Software Version 5.0.

Problem: The Next button is unavailable after entering and confirming your UVM passphrase in the Administrator Utility
Symptom: When you add users to UVM, the Next button might not be available after you enter and confirm your UVM passphrase in the Administrator Utility.
Possible Solution: Click the Information item on the Windows Task Bar and continue the procedure.

Problem: An error message displays when you attempt to edit local UVM policy
Symptom: When you edit the local UVM policy, an error message might display if no users are enrolled in UVM.
Possible Solution: Add a user to UVM before attempting to edit the policy file.

Problem: An error message displays when you change the admin public key
Symptom: When you clear the Embedded Security Chip and then restore the key archive, an error message might display if you change the admin public key.
Possible Solution: Add the users to UVM and request new certificates, if applicable.

Problem: An error message displays when you attempt to recover a UVM passphrase
Symptom: When you change the admin public key and then attempt to recover a UVM passphrase for a user, an error message might display.
Possible Solution: Do one of the following:
a. If the UVM passphrase for the user is not needed, no action is required.
b. If the UVM passphrase for the user is needed, you must add the user to UVM, and request new certificates, if applicable.

Problem: An error message displays when you try to save the UVM-policy file
Symptom: When you attempt to save a UVM-policy file (globalpolicy.gvm) by clicking Apply or Save, an error message is displayed.
Possible Solution: Exit the error message, edit the UVM-policy file again to make your changes, and then save the file.

Problem: An error message displays when you try to open the UVM-policy editor
Symptom: When the current user (logged on to the operating system) has not been added to UVM, the UVM-policy editor will not open.
Possible Solution: Add the user to UVM and open the UVM-policy editor.

Problem: An error message displays when you are using the Administrator Utility
Symptom: When you are using the Administrator Utility, the following error message might display: A buffer I/O error occurred while trying to access the Client Security chip. This might be corrected by a reboot.
Possible Solution: Exit the error message and restart your computer.

Problem: A disable chip message is displayed when changing the Security Chip password
Symptom: When you attempt to change the Security Chip password, and you press Enter or Tab>Enter after you type the confirmation password, the Disable chip button will be enabled and a disable chip confirmation message is displayed.
Possible Solution: Do the following:
1. Exit from the disable chip confirmation window.
2. To change the Security Chip password, type the new password, type the confirmation password, and then click Change. Do not press Enter or Tab>Enter after you type the confirmation password.

4.9.10 User Configuration Utility troubleshooting information


The following troubleshooting information might be helpful if you experience problems when using the User Configuration Utility.
Table 4-4 User Configuration Utility troubleshooting information

Problem: Limited Users are unable to perform certain User Configuration Utility functions in Windows XP Professional
Symptom: Windows XP Professional Limited Users might not be able to perform the following User Configuration Utility tasks:
- Change their UVM passphrases
- Update the Windows password registered with UVM
- Update the key archive
Possible Solution: These limitations are cleared after an administrator starts and exits the Administrator Utility.

Problem: Limited Users are unable to use the User Configuration Utility in Windows XP Home
Symptom: Windows XP Home Limited Users will not be able to use the User Configuration Utility in any of the following situations:
- Client Security Software is installed on an NTFS formatted partition
- The Windows folder is on an NTFS formatted partition
- The archive folder is on an NTFS formatted partition
Possible Solution: This is a known limitation with Windows XP Home. There is no solution to this problem.


4.9.11 ThinkPad-specific troubleshooting information


The following troubleshooting information might be helpful if you experience problems when using Client Security Software on ThinkPad computers.
Table 4-5 ThinkPad specific troubleshooting

Problem: An error message is displayed when attempting a Client Security administrator function
Symptom: The following error message is displayed after trying to perform a Client Security administrator function: ERROR 0197: Invalid Remote change requested. Press F1 to Setup
Possible Solution: The ThinkPad supervisor password must be disabled to perform certain Client Security administrator functions. To disable the supervisor password, complete the following procedure:
1. Press F1 to access the IBM BIOS Setup Utility.
2. Enter the current supervisor password.
3. Enter a blank new supervisor password, and confirm a blank password.
4. Press Enter.
5. Press F10 to save and exit.

Problem: Different UVM-aware fingerprint sensor does not work properly
Symptom: The IBM ThinkPad computer does not support the interchanging of multiple UVM-aware fingerprint sensors.
Possible Solution: Do not switch fingerprint sensor models. Use the same model when working remotely as when working from a docking station.

4.9.12 Microsoft troubleshooting information


The following troubleshooting charts contain information that might be helpful if you experience problems using Client Security Software with Microsoft applications or operating systems.

Restriction: In Windows XP, users enrolled in UVM that previously had their Windows user name changed will not be recognized by UVM. This limitation occurs even if the Windows user name was changed prior to installing Client Security Software.

Table 4-6 Microsoft troubleshooting information

Problem: Screen saver only displays on the local screen
Symptom: When using the Windows Extended Desktop function, the Client Security Software screen saver will only be displayed on the local screen even though access to your system and its keyboard will be protected.
Possible Solution: If any sensitive information is being displayed, minimize the windows on your extended desktop before you invoke the Client Security screen saver.

Problem: Windows Media Player files are encrypted rather than being played in Windows XP
Symptom: In Windows XP, when you open a folder and click Play all, the contents of the file will be encrypted rather than played by the Windows Media Player.
Possible Solution: To enable the Windows Media Player to play the files, complete the following procedure:
1. Start Windows Media Player.
2. Select all the files in the appropriate folder.
3. Drag the files to the Windows Media Player playlist area.

Problem: Client Security does not work properly for a user enrolled in UVM
Symptom: The enrolled client user might have changed his Windows user name. If that occurs, all Client Security functionality is lost.
Possible Solution: Re-enroll the new user name in UVM and request all new credentials.

Problem: Problems reading encrypted e-mail using Outlook Express
Symptom: Encrypted e-mail cannot be decrypted because of the differences in encryption strengths of the Web browsers used by the sender and recipient.
Possible Solution: Verify the following:
1. The encryption strength for the Web browser that the sender uses is compatible with the encryption strength of the Web browser that the recipient uses.
2. The encryption strength for the Web browser is compatible with the encryption strength provided by the firmware of Client Security Software.

Problem: Problems using a certificate from an address that has multiple certificates associated with it
Symptom: Outlook Express can list multiple certificates associated with a single e-mail address, and some of those certificates can become invalid. A certificate can become invalid if the private key associated with the certificate no longer exists on the IBM Embedded Security Chip of the sender's computer where the certificate was generated.
Possible Solution: Ask the recipient to resend his digital certificate; then select that certificate in the address book for Outlook Express.

Problem: Failure message when trying to digitally sign an e-mail message
Symptom: If the composer of an e-mail message tries to digitally sign an e-mail message when the composer does not yet have a certificate associated with his or her e-mail account, an error message displays.
Possible Solution: Use the security settings in Outlook Express to specify a certificate to be associated with the user account. See the documentation provided for Outlook Express for more information.

Problem: Outlook Express (128 bit) only encrypts e-mail messages with the 3DES algorithm
Symptom: When sending encrypted e-mail between clients that use Outlook Express with the 128-bit version of Internet Explorer 4.0 or 5.0, only the 3DES algorithm can be used.
Possible Solution: To use 128-bit browsers with Client Security Software, the IBM Embedded Security Chip must support 256-bit encryption. If the IBM Embedded Security Chip supports 56-bit encryption, you must use a 40-bit Web browser. You can find out the encryption strength provided by Client Security Software in the Administrator Utility. See Microsoft for current information on the encryption algorithms used with Outlook Express.

Problem: Outlook Express clients return e-mail messages with a different algorithm
Symptom: An e-mail message encrypted with the RC2(40), RC2(64), or RC2(128) algorithm is sent from a client using Netscape Messenger to a client using Outlook Express (128-bit). A returned e-mail message from the Outlook Express client is encrypted with the RC2(40) algorithm.
Possible Solution: No action is required. An RC2(40), RC2(64), or RC2(128) encryption request from a Netscape client to an Outlook Express (128-bit) client is always returned to the Netscape client with the RC2(40) algorithm. See Microsoft for current information on the encryption algorithms used with your version of Outlook Express.

Problem: Error message when using a certificate in Outlook Express after a hard disk drive failure
Symptom: Certificates can be restored by using the key restoration feature in the Administrator Utility. Some certificates, such as the free certificates provided by VeriSign, might not be restored after a key restoration.
Possible Solution: After restoring the keys, do one of the following:
- Obtain new certificates.
- Register the certificate authority again in Outlook Express.

Problem: Outlook Express does not update the encryption strength associated with a certificate
Symptom: When a sender selects the encryption strength in Netscape and sends a signed e-mail message to a client using Outlook Express with Internet Explorer 4.0 (128-bit), the encryption strength of the returned e-mail might not match.
Possible Solution: Delete the associated certificate from the address book in Outlook Express. Open the signed e-mail again and add the certificate to the address book in Outlook Express.

Problem: A decryption error message displays in Outlook Express
Symptom: You can open a message in Outlook Express by double-clicking it. In some instances, when you double-click an encrypted message too quickly, a decryption error message appears. Also, a decryption error message might display in the preview pane when you select an encrypted message.
Possible Solution: Close the message, and open the encrypted e-mail message again. If an error message appears in the preview pane, no action is required.

Problem: An error message displays when you click the Send button twice on encrypted e-mails
Symptom: When using Outlook Express, if you click the Send button twice to send an encrypted e-mail message, an error message displays stating that the message could not be sent.
Possible Solution: Close the error message and click the Send button once.

Problem: An error message displays when you request a certificate
Symptom: When using Internet Explorer, you might receive an error message if you request a certificate that uses the IBM Embedded Security Chip CSP.
Possible Solution: Request the digital certificate again.


4.9.13 Netscape application troubleshooting information


The following troubleshooting charts contain information that might be helpful if you experience problems using Client Security Software with Netscape applications.

Note: To use 128-bit browsers with Client Security Software, the IBM Embedded Security Chip must support 256-bit encryption. If the IBM Embedded Security Chip supports only 56-bit encryption, you must use a 40-bit Web browser. You can find out the encryption strength provided by Client Security Software in the Administrator Utility.

Table 4-7 Netscape application troubleshooting information

Problem: Problems reading encrypted e-mail
Symptom: Encrypted e-mail cannot be decrypted because of the differences in encryption strengths of the Web browsers used by the sender and recipient.
Possible Solution: Verify the following:
1. That the encryption strength for the Web browser that the sender uses is compatible with the encryption strength of the Web browser that the recipient uses.
2. That the encryption strength for the Web browser is compatible with the encryption strength provided by the firmware of Client Security Software.

Problem: Failure message when trying to digitally sign an e-mail message
Symptom: When the IBM Embedded Security Chip certificate has not been selected in Netscape Messenger, and the writer of an e-mail message tries to sign the message with the certificate, an error message displays.
Possible Solution: Use the security settings in Netscape Messenger to select the certificate. When Netscape Messenger is open, click the security icon on the toolbar. The Security Info window opens. Click Messenger in the left panel and then select the IBM Embedded Security Chip certificate. See the documentation provided by Netscape for more information.

Problem: An e-mail message is returned to the client with a different algorithm
Symptom: An e-mail message encrypted with the RC2(40), RC2(64), or RC2(128) algorithm is sent from a client using Netscape Messenger to a client using Outlook Express (128-bit). A returned e-mail message from the Outlook Express client is encrypted with the RC2(40) algorithm.
Possible Solution: No action is required. An RC2(40), RC2(64), or RC2(128) encryption request from a Netscape client to an Outlook Express (128-bit) client is always returned to the Netscape client with the RC2(40) algorithm. See Microsoft for current information on the encryption algorithms used with your version of Outlook Express.

Problem: Unable to use a digital certificate generated by the IBM Embedded Security Chip
Symptom: The digital certificate generated by the IBM Embedded Security Chip is not available for use.
Possible Solution: Verify that the correct UVM passphrase was typed when Netscape was opened. If you type the incorrect UVM passphrase, an error message displays stating an authentication failure. If you click OK, Netscape opens, but you will not be able to use the certificate generated by the IBM Embedded Security Chip. You must exit and re-open Netscape, and then type the correct UVM passphrase.

Problem: New digital certificates from the same sender are not replaced within Netscape
Symptom: When a digitally signed e-mail is received more than once from the same sender, the first digital certificate associated with the e-mail is not overwritten.
Possible Solution: If you receive multiple e-mail certificates, only one certificate is the default certificate. Use the security features in Netscape to delete the first certificate, and then re-open the second certificate or ask the sender to send another signed e-mail.

Problem: Cannot export the IBM Embedded Security Chip certificate
Symptom: The IBM Embedded Security Chip certificate cannot be exported in Netscape. The export feature in Netscape can be used to back up certificates.
Possible Solution: Go to the Administrator Utility or User Configuration Utility to update the key archive. When you update the key archive, copies of all the certificates associated with the IBM Embedded Security Chip are created.

Problem: Error message when trying to use a restored certificate after a hard disk drive failure
Symptom: Certificates can be restored by using the key restoration feature in the Administrator Utility. Some certificates, such as the free certificates provided by VeriSign, might not be restored after a key restoration.
Possible Solution: After restoring the keys, obtain a new certificate.

Problem: Netscape agent opens and causes Netscape to fail
Symptom: Netscape agent opens and closes Netscape.
Possible Solution: Turn off the Netscape agent.

Problem: Netscape delays if you try to open it
Symptom: If you add the IBM Embedded Security Chip PKCS#11 module and then open Netscape, a short delay will occur before Netscape opens.
Possible Solution: No action is required. This is for informational purposes only.


4.9.14 Digital certificate troubleshooting information


The following troubleshooting information might be helpful if you experience problems obtaining a digital certificate.
Table 4-8 Digital certificate troubleshooting

Problem: UVM passphrase window or fingerprint authentication window displays multiple times during a digital certificate request
Symptom: The UVM security policy dictates that a user provide the UVM passphrase or fingerprint authentication before a digital certificate can be acquired. If the user tries to acquire a certificate, the authentication window that asks for the UVM passphrase or fingerprint scan displays more than once.
Possible Solution: Type your UVM passphrase or scan your fingerprint each time the authentication window opens.

Problem: A VBScript or JavaScript error message displays
Symptom: When you request a digital certificate, an error message related to VBScript or JavaScript might display.
Possible Solution: Restart the computer, and obtain the certificate again.

4.9.15 Tivoli Access Manager troubleshooting information


The following troubleshooting information might be helpful if you experience problems when using Tivoli Access Manager with Client Security Software.
Table 4-9 Tivoli Access Manager troubleshooting

Problem: Local policy settings do not correspond to those on the server
Symptom: Tivoli Access Manager allows certain bit configurations that are not supported by UVM. Consequently, local policy requirements can override settings made by an administrator when configuring the PD server.
Possible Solution: This is a known limitation.

Problem: Tivoli Access Manager setup settings are not accessible
Symptom: Tivoli Access Manager setup and local cache setup settings are not accessible on the Policy Setup page in the Administrator Utility.
Possible Solution: Install the Tivoli Access Manager Runtime Environment. If the Runtime Environment is not installed on the IBM client, the Tivoli Access Manager settings on the Policy Setup page will not be available.

Problem: A user's control is valid for both the user and the group
Symptom: When configuring the Tivoli Access Manager server, if you define a user to a group, the user's control is valid for both the user and the group if the Traverse bit is on.
Possible Solution: No action is required.

4.9.16 Lotus Notes troubleshooting information


The following troubleshooting information might be helpful if you experience problems with using Lotus Notes with Client Security Software.
Table 4-10 Lotus Notes troubleshooting

Problem: After enabling UVM protection for Lotus Notes, Notes is not able to finish its setup
Symptom: Lotus Notes is not able to finish setup after UVM protection is enabled using the Administrator Utility.
Possible Solution: This is a known limitation. Lotus Notes must be configured and running before Lotus Notes support is enabled in the Administrator Utility.

Problem: An error message displays when you try to change the Notes password
Symptom: Changing the Notes password when using Client Security Software might result in an error message.
Possible Solution: Retry the password change. If this does not work, restart the client.

Problem: An error message displays after you randomly generate a password
Symptom: An error message might display when you do the following:
- Use the Lotus Notes Configuration tool to set UVM protection for a Notes ID
- Open Notes and use the function provided by Notes to change the password for the Notes ID file
- Close Notes immediately after you change the password
Possible Solution: Click OK to close the error message. No other action is required. Contrary to the error message, the password has changed. The new password is a randomly generated password created by Client Security Software. The Notes ID file is now encrypted with the randomly generated password, and the user does not need a new User ID file. If the end user changes the password again, UVM will generate a new random password for the Notes ID.

4.9.17 Encryption troubleshooting information


The following troubleshooting information might be helpful if you experience problems when encrypting files using Client Security Software 3.0 or later.
Table 4-11 Encryption troubleshooting

Problem: Previously encrypted files will not decrypt
Symptom: Files encrypted with previous versions of Client Security Software do not decrypt after upgrading to Client Security Software 3.0 or later.
Possible Solution: This is a known limitation. You must decrypt all files that were encrypted using prior versions of Client Security Software before installing Client Security Software 3.0 or later. Client Security Software 3.0 cannot decrypt files that were encrypted using prior versions of Client Security Software because of changes in its file encryption implementation.

4.9.18 UVM-aware device troubleshooting information


The following troubleshooting information might be helpful if you experience problems when using UVM-aware devices.

Table 4-12 UVM-aware device troubleshooting

Problem: A UVM-aware device stops working properly
Symptom: When you disconnect a UVM-aware device from a Universal Serial Bus (USB) port, and then reconnect the device to the USB port, the device might not work properly.
Possible Solution: Restart the computer after the device has been reconnected to the USB port.


6060ch07.fm

Chapter 5. Scenarios Implementing ThinkVantage Technologies


IBM ThinkVantage Technologies create a competitive advantage that will help your organization succeed. Building, distributing, and maintaining software on workstations can become less dependent on IT staff or user intervention for basic tasks like deployment, backup, security and more, thereby freeing resources so they can be refocused on driving business success. This chapter discusses some scenarios that use several ThinkVantage Technologies tools together.

Copyright IBM Corp. 2003. All rights reserved.


5.1 Migration/rollout scenarios


In this section we will show different possible scenarios to demonstrate how ThinkVantage Tools can be used together.

5.1.1 PC Migration or upgrade


In this section we show, using an example, how a migration or an operating system upgrade can be done with the different ThinkVantage Tools. For example, a user has a ThinkPad 600 with Windows 98 and will receive a ThinkPad T40 with Windows XP. In another example, a company wants to use the ThinkVantage tools to upgrade from Windows NT to Windows XP. The process steps shown here briefly describe the things to do for a migration. See the corresponding chapters in this book and Using ThinkVantage Technologies: Volume 1 Creating and Deploying Client Systems, SG24-7045 for detailed use and configuration of the ThinkVantage tools.


Table 5-1 TVT migration process steps

Process step 1.) Image creation
ThinkVantage Tool used: ImageUltra Builder
To do:
1. Choose the image type you want to use with ImageUltra Builder.
2. Integrate the System Migration Assistant as a software module into your ImageUltra Builder image.
3. Integrate the Web-D client as a software module into your ImageUltra Builder image.
4. Integrate the Software Delivery Assistant as a software module into your ImageUltra Builder image.
5. Integrate the Asset Depot client as a software module into your ImageUltra Builder image.
6. Integrate Access IBM as a software module into your ImageUltra Builder image.
7. Integrate Access Connections as a software module into your ImageUltra Builder image. Keep in mind that Access Connections is only supported on specific ThinkPads. Refer to Using ThinkVantage Technologies: Volume 1 Creating and Deploying Client Systems, SG24-7045.
8. Integrate the Embedded Security Subsystem into your ImageUltra Builder image as follows: create driver modules for the SM bus driver and the LPC bus driver, and create a software module for the IBM Client Security Software. Refer to Supported IBM models on page 103 for the IBM systems on which ESS can be installed.

Process step 2.) User data and user settings migration
ThinkVantage Tool used: System Migration Assistant
To do:
1. Install System Migration Assistant on the old PC system.
2. Run System Migration Assistant.
3. Place the SMA profile file on a network share.

Process step 3.) Image deployment
ThinkVantage Tool used: ImageUltra Builder, Remote Deploy Manager
To do: We have several possibilities to deploy the image to a client system.
1. Creating an ImageUltra Builder boot floppy.
2. Creating an ImageUltra Builder distribution CD set.
3. Creating a custom network boot floppy.
4. Creating your own network deployment boot floppy.
5. With Remote Deploy Manager we have the possibility to replace the boot floppy. We can remotely wake up a PC system, send a virtual boot floppy to it and deploy the image.

Process step 4.) Install client
ThinkVantage Tool used: ImageUltra Builder
To do: When the image is deployed to the service partition on a PC system, the installation process will automatically start from the service partition on the local PC system.

Process step 5.) Software distribution
ThinkVantage Tool used: Web-D, Software Delivery Assistant
To do: We have two possible tools to use for software distribution. Which tool is best depends on the needs of the customer. Distribute and install Rapid Restore Ultra with Web-D or SDA. Rapid Restore will do a base backup after the installation.

Process step 6.) Restore user data and user settings
ThinkVantage Tool used: System Migration Assistant
To do:
1. Run System Migration Assistant on the client system.
2. Restore the SMA profile file from the network share.

Process step 7.) Backup
ThinkVantage Tool used: Rapid Restore Ultra
To do: When the user data and settings are correctly on the client system, run Rapid Restore to create the first incremental backup.

Process step 8.) Inventory
ThinkVantage Tool used: Asset Depot
To do: Run or schedule the Asset Depot agent on the client system.

These are some necessary steps to perform for a successful migration of PC systems with ThinkVantage Technology tools.

5.1.2 PC Rollout Scenario


In this section we show, using an example, how a PC rollout can be done with the different ThinkVantage tools. As an example, we take a customer that has purchased new IBM hardware. The process steps here briefly show the things to do for a rollout. See the corresponding chapters in this book and Using ThinkVantage Technologies: Volume 1 Creating and Deploying Client Systems, SG24-7045 for detailed use and configuration of the ThinkVantage tools.


Table 5-2 TVT rollout process steps

Process step 1.) Image creation
ThinkVantage Tool used: ImageUltra Builder
To do: When a customer purchases new IBM hardware, we have the advantage that we can import the service partition from the systems. In this case we will use ultra-portable images.
1. Import the service partitions from the systems and create the corresponding operating system, driver and application modules.
2. Integrate the Web-D client as a software module into your ImageUltra Builder image.
3. Integrate the Software Delivery Assistant as a software module into your ImageUltra Builder image.
4. Integrate the Asset Depot client as a software module into your ImageUltra Builder image.
5. Integrate Access Connections as a software module into your ImageUltra Builder image. Keep in mind that Access Connections is only supported on specific ThinkPads. Refer to Using ThinkVantage Technologies: Volume 1 Creating and Deploying Client Systems, SG24-7045.
6. Integrate the Embedded Security Subsystem into your ImageUltra Builder image as follows: create driver modules for the SM bus driver and the LPC bus driver, and create a software module for the IBM Client Security Software. Refer to Supported IBM models on page 103 for the IBM systems on which ESS can be installed.

Process step 2.) Image deployment
ThinkVantage Tool used: ImageUltra Builder, Remote Deploy Manager
To do: We have several possibilities to deploy the image to a client system.
1. Creating an ImageUltra Builder boot floppy.
2. Creating an ImageUltra Builder distribution CD set.
3. Creating a custom network boot floppy.
4. Creating your own network deployment boot floppy.
5. With Remote Deploy Manager we have the possibility to replace the boot floppy. We can remotely wake up a PC system, send a virtual boot floppy to it and deploy the image.

Process step 3.) Install client
ThinkVantage Tool used: ImageUltra Builder
To do: When the image is deployed to the service partition on a PC system, the installation process will automatically start from the service partition on the local PC system.

Process step 4.) Software distribution
ThinkVantage Tool used: Web-D, Software Delivery Assistant
To do: We have two possible tools to use for software distribution. Which tool is best depends on the needs of the customer. Distribute and install Rapid Restore Ultra with Web-D or SDA. Rapid Restore will do a base backup after the installation.

Process step 5.) Prepare the system for the user
To do: Bring the PC system to the end user and finalize the configuration.

Process step 6.) Backup
ThinkVantage Tool used: Rapid Restore Ultra
To do: When the user data and settings are correctly on the client system, run Rapid Restore to create the first incremental backup.

Process step 7.) Inventory
ThinkVantage Tool used: Asset Depot
To do: Run or schedule the Asset Depot agent on the client system.

These are some necessary steps to perform for a successful rollout of PC systems with ThinkVantage Technology tools.

5.1.3 Helpdesk scenario


In this section we show an example scenario in which ThinkVantage tools are integrated into a Help Desk. Large enterprises have a Help Desk to support end users. The Help Desk has a trouble ticket tool to open trouble tickets for users who have a problem with their PC system. It is possible to integrate some of the ThinkVantage tools into a Help Desk tool system. We assume for this example that SMA, Web-D, Rapid Restore Ultra, Asset Depot and IBM Director Agent are used on the client systems. See the following table for an example scenario:

Table 5-3 Help Desk scenario example

Action 1.) A user calls the help desk concerning an Outlook problem with his PC system. The user received the following error message when Outlook was started: Outlook caused an invalid page fault.
Tool used: (none)

Action 2.) The help desk opens a trouble ticket for the problem in the Help Desk tool. Based on the inventory information from Asset Depot, the supporter can see what PC system the user has and what software and versions are installed on the user's computer.
Tool used: Help Desk Tool, Asset Depot

Action 3.) The help desk accesses the user's computer remotely to see the problem.
Tool used: IBM Director Agent

Action 4.) The help desk decides to reinstall Outlook.
Tool used: (none)

Action 5.) The help desk starts SMA to back up the user's desktop settings and data.
Tool used: System Migration Assistant

Action 6.) The help desk uses Web-D to reinstall Outlook on the user's computer.
Tool used: Web-D

Action 7.) The help desk restores the user's settings and data with SMA.
Tool used: System Migration Assistant

Action 8.) The help desk starts Outlook and checks the settings and whether everything is working correctly.
Tool used: (none)

Action 9.) The help desk initiates an incremental backup with RRU.
Tool used: Rapid Restore Ultra

Action 10.) The help desk closes the trouble ticket.
Tool used: Help Desk Tool


5.2 ESS and Rapid Restore Ultra scenario


This section will discuss the usage of Rapid Restore Ultra (RRU) on a system which has been configured with the Embedded Security Subsystem (ESS) and Client Security Software (CSS). It is assumed that you have read Chapter 2, Rapid Restore Ultra on page 11 and Chapter 4, Embedded Security Subsystem on page 97 in this book and understand the concepts of both products prior to reading this section.

5.2.1 Installation of CSS and RRU on the same system


The installation of Rapid Restore Ultra on a system with the Embedded Security Subsystem and Client Security Software fully configured is the same as it is for a system without the ESS configured. However, some consideration needs to be given to the order of installation. If you install and configure the ESS on a system that has previously used RRU to create the base backup (A0), the base backup will not contain the CSS software. This could result in any encrypted files or folders being unusable until such time as the CSS is reinstalled and the archive keys restored. If you do install and configure CSS on a system with RRU previously installed, it is recommended that you replace the base backup (A0) after installing and configuring the CSS on the system.

5.2.2 Usage considerations


Table 2-7 on page 59 gives an indication of how the backup and restore feature in RRU works with the ESS. Care also needs to be taken when files in the user's image are in a different encryption status than the same files in the incremental backup.

5.2.3 Possible conflicts


The following are examples of usage conflicts using the ESS & RRU where care is needed to prevent loss of data.

Encrypted files have different file type extensions


When a user has an unencrypted file backed up by RRU into the incremental backups, it will be in unencrypted form in the backup too. When the original file is then encrypted by the user, its extension changes and it now looks like a different file to RRU. If the user has some reason to restore the file from the incremental backup in its unencrypted state, it will not overwrite the encrypted version on the disk, as they have different file extensions. However, if the user then decrypts the encrypted version of this file, it will overwrite the newly restored unencrypted file. The opposite is also true: restoring encrypted files could overwrite the unencrypted version.
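The conflict described above can be detected before a restore is performed by comparing the restore set against what is on disk. The following PowerShell function is an added example, not part of the redbook or of Rapid Restore Ultra: it flags every file in a restore set whose on-disk counterpart shares the directory and base name but carries a different extension, which is exactly what an encrypted copy (or a decrypted copy of an encrypted backup) looks like to RRU. The sample listings and the ".sec" extension are constructed for the example; CSS's real encrypted-file extension is not assumed here.

```powershell
# Added example (not from the redbook): find restore candidates whose on-disk
# counterpart has the same base name but a different extension.

function Get-FileStem {
    param([Parameter(Mandatory)] [string] $Path)
    # Directory plus the file name up to its first dot, so "report.doc" and
    # "report.doc.xxx" (or "report.xxx") compare as the same underlying file.
    $dir  = Split-Path -Path $Path -Parent
    $leaf = Split-Path -Path $Path -Leaf
    return "$dir|" + $leaf.Split('.')[0]
}

function Get-RestoreExtensionConflicts {
    param(
        [Parameter(Mandatory)] [string[]] $RestoreFiles,  # relative paths in the backup set
        [Parameter(Mandatory)] [string[]] $DiskFiles      # relative paths currently on disk
    )

    # Index on-disk files by stem. PowerShell hashtables compare string keys
    # case-insensitively, which matches Windows path semantics.
    $byStem = @{}
    foreach ($f in $DiskFiles) {
        $stem = Get-FileStem -Path $f
        if (-not $byStem.ContainsKey($stem)) { $byStem[$stem] = @() }
        $byStem[$stem] += $f
    }

    # Emit one record per (restore file, differently named on-disk twin) pair.
    foreach ($f in $RestoreFiles) {
        $stem = Get-FileStem -Path $f
        if (-not $byStem.ContainsKey($stem)) { continue }
        foreach ($onDisk in $byStem[$stem]) {
            if ($onDisk -ne $f) {
                [pscustomobject]@{ RestoreFile = $f; OnDiskFile = $onDisk }
            }
        }
    }
}

# Constructed sample listings (not real RRU backup data). "budget.xls.sec"
# stands in for a copy the user encrypted after it was backed up.
$backupSet = @('Docs\budget.xls', 'Docs\memo.txt', 'Docs\plan.doc')
$onDisk    = @('Docs\budget.xls.sec', 'Docs\memo.txt', 'Docs\plan.doc')

# Only Docs\budget.xls is reported; memo.txt and plan.doc match exactly.
Get-RestoreExtensionConflicts -RestoreFiles $backupSet -DiskFiles $onDisk | Format-Table -AutoSize
```

Any pair the function reports is one where a restore followed by a decrypt (or the reverse) would silently replace the other copy, so those files are the ones to review or exclude before letting a restore run.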

ESS keys are backed up by RRU


When using Rapid Restore Ultra and the Embedded Security Subsystem, it is important to remember that any keys stored on the system's hard disk will be backed up by RRU. If the system's keys are subsequently changed, the base backup will need to be redone to reflect that. Restoring a backup with older keys could lead to encrypted data being inaccessible until such time as the original keys are restored.

5.3 Integrating Rapid Restore with ImageUltra Builder


Integration of Rapid Restore Ultra with ImageUltra Builder should be performed as recommended in chapter 11 of the ImageUltra Builder 2.0 User Guide. Some content of this chapter has been reproduced here for convenience.

5.3.1 Service partition setting in ImageUltra Builder


Rapid Restore Ultra can reuse the same IBM_SERVICE partition which ImageUltra Builder creates and uses for image deployment. However some settings have to be configured during ImageUltra Builder image build so that IBM_SERVICE partition can be correctly reused by Rapid Restore Ultra. These settings are as mentioned below:


1. Select No for Direct network install under Network Options tab of Map Settings window of your base map (Figure 5-1). This will ensure that ImageUltra Builder creates the service partition and uses it as staging area during installation.

Figure 5-1 Network options in map settings


2. In the Partition tab of the Map Settings window reserve extra space in service partition size for Rapid Restore Ultra use (Figure 5-2). This will save a substantial amount of time during the Rapid Restore Ultra installation because the Rapid Restore Ultra will not have to resize the service partition during its initial backup.

Figure 5-2 Service partition size option in map settings

Generally reserving the service partition size of 20 to 40 percent of the total hard disk space is adequate for most situations.


3. In the Image cleanup tab of the Map Settings window you have three choices to define the behavior of the target computer's service partition after the image deployment: Delete none, Delete unused and Delete all (Figure 5-3). Do not select the Delete all option. For Rapid Restore Ultra to reuse the service partition, the service partition must not be deleted by ImageUltra Builder after it has finished using it.

Figure 5-3 Image cleanup option in map settings

5.3.2 Adding Rapid Restore modules to ImageUltra Builder image


Steps to integrate Rapid Restore Ultra with an ImageUltra Builder image are as follows:

1. Create two application modules: one module to copy the Rapid Restore Ultra install files to the location C:\IBMTOOLS\APPS\RRU3, and a second module to copy an install link file to the location C:\Documents and Settings\All Users\Desktop.
   a. To create the first module, copy the contents of <custom location> (see Section 2.4.1, Obtaining the Rapid Restore Ultra for custom install on page 40) to a temporary directory X on the ImageUltra Builder system. Configure the custom settings for Rapid Restore Ultra as discussed in Section 2.4.2, Customizing Rapid Restore install options on page 42. Also make sure to include the full silent install customizations as described in section Full silent install settings on page 48. Extract the files rru1.reg, rru2.reg, rru3.bat and rru3-2.bat from the IUB2AltMethod.zip package (see Appendix B, Additional material on page 215) to this temporary location X. In ImageUltra Builder, create an application module with settings to copy the files from location X to the folder C:\IBMTOOLS\APPS\RRU3.
   b. To create the second module, extract the file Install Rapid Restore Ultra.lnk from IUB2AltMethod.zip to a temporary location. In ImageUltra Builder, create a module that will copy this file to the folder C:\Documents and Settings\All Users\Desktop.
2. ImageUltra Builder provides a filter and a utility for Rapid Restore Ultra that enable both the ImageUltra recovery menu and the Rapid Restore Ultra recovery menu to appear when the F11 key is pressed during system startup. Steps to include the ImageUltra 2.0 - Rapid Restore filter and the ImageUltra 2.0 - Rapid Restore utility in the base map of your image:
   a. Insert a new menu item directly under the base map root entry and name it IBM Rapid Restore Recovery as shown in Figure 5-4.

Figure 5-4 Addition of Rapid Restore recovery menu item


   b. Associate the ImageUltra 2.0 - Rapid Restore utility (Figure 5-5) and the ImageUltra 2.0 - Rapid Restore filter (Figure 5-6) with the menu item created in the step above.

Figure 5-5 ImageUltra 2.0- Rapid Restore utility addition

Figure 5-6 ImageUltra 2.0 - Rapid Restore Ultra filter addition

Note: Including the Rapid Restore specific filter and utility in the base map of your ImageUltra Builder image is important. If this is not done, pressing F11 during system startup will only activate the ImageUltra recovery program, and the Rapid Restore Ultra recovery console will not be accessible through the F11 interface.

3. After deployment of the ImageUltra Builder image on the end-user system, the user can click the Rapid Restore Ultra install icon located on the Desktop to start the installation.

Caution: Do not install Rapid Restore Ultra as a part of the image installation process. It should be installed after the image installation process is complete.


5.4 Integrating Rapid Restore Ultra with IBM Director


IBM Director can be used to manage many of the Windows based features of Rapid Restore Ultra. IBM Director manages Rapid Restore Ultra using the IBM Director Agent present on client systems. For more information on IBM Director, see Implementing Systems Management Solutions using IBM Director, SG24-6188. The following sections describe some of the tasks that IBM Director can do to manage Rapid Restore Ultra systems.

5.4.1 Installing Rapid Restore Ultra using IBM Director


In this section, we describe a method to do a remote silent install of Rapid Restore Ultra using IBM Director v4.1 as follows:

Pre-requisites
- The client system should have IBM Director Agent installed.
- The client system is discovered by the IBM Director server and is listed in the Director console (in the middle pane).
- On the client system, an account Director (it can be any name) with administrative privileges exists. This is required for IBM Director's Process Management to run the process tasks on the client system.
- The client system is booted in Windows (and should not be in standby mode). It is also recommended that no user is logged in on the client system while the Rapid Restore Ultra operation is in progress, because some features of Rapid Restore Ultra do not work in a multi-user environment. Additionally, Rapid Restore Ultra's incremental backup requires that no system windows such as My Computer, Windows Explorer or Internet Explorer are open. If they are open, you will be prompted (by message boxes) to close them on the client system, thus defeating the purpose of remote operation.
- The client system has Rapid Restore Ultra installed; otherwise, if you are using IBM Director to install Rapid Restore Ultra, an IBM_SERVICE partition or HPA should exist (see Creation of an IBM_SERVICE partition on page 49).
- INSTSVR is the server system that has the Rapid Restore Ultra custom install files located at c:\rru for distribution (to get the custom install package, see Section 2.4.1, Obtaining the Rapid Restore Ultra for custom install on page 40). The folder c:\rru is shared as RRU on the network with default settings (everyone can access). The INSTSVR system has a guest account enabled with no password set. Be aware that this makes the package readable by anyone who can reach the share, and that whatever setup.exe the share holds will be executed with administrative privileges on every client; keep the share read-only for clients and verify the package contents before deploying.
- The custom install package should be configured for full silent installation. See section Silent install settings on page 48, along with the other customization options discussed in 2.4.2, Customizing Rapid Restore install options on page 42.

Steps:

1. Create a batch file rruinst.bat in the folder c:\rru of INSTSVR with the following content:

   REM map the RRU package as a network drive
   SET drive=X
   net use %drive%: \\INSTSVR\RRU
   REM launch RRU setup by running the setup file in silent install mode
   %drive%:\setup.exe -s

2. In the IBM Director management console, create a new process task. To do this, double-click Process tasks under the Process management category in the right pane. A new process task creation window appears. Fill in the details similar to those shown in Figure 5-7. Save the process task as Rapid Restore Ultra Install.

Figure 5-7 A new process task creation window

3. The created task will be shown in the console window (Figure 5-8).


Figure 5-8 IBM Director console showing Rapid Restore Install task in right pane

4. Drag and drop the Rapid Restore Ultra Install task (right pane) onto the client system entry (in the middle pane). Select Execute now to start the install.
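Because the share in this procedure is reachable by everyone and setup.exe runs with administrative privileges on each client, a practitioner would want the client to check the installer before launching it. The PowerShell script below is an added example, not part of the redbook or of Rapid Restore Ultra: it does what rruinst.bat does (fetch setup.exe from \\INSTSVR\RRU and run it with -s), but compares the file's SHA-256 against a value you recorded when you built the package and refuses to run on a mismatch. The share path and the -s switch come from the procedure above; the hash is a placeholder you must replace, and Get-FileHash requires Windows PowerShell 4.0 or later. It uses the UNC path directly instead of mapping a drive letter, since a drive mapping is not needed for PowerShell to read or start the file.

```powershell
# Added example (not from the redbook): hash-checked replacement for rruinst.bat.
# Replace the placeholder below with the SHA-256 of the setup.exe you published.
$RruShare     = '\\INSTSVR\RRU'
$ExpectedHash = '<SHA256-OF-YOUR-SETUP.EXE>'   # placeholder, not a real hash

function Install-RruFromShare {
    param(
        [string] $SharePath      = $RruShare,
        [string] $ExpectedSha256 = $ExpectedHash
    )

    $setup = Join-Path -Path $SharePath -ChildPath 'setup.exe'
    if (-not (Test-Path -Path $setup -PathType Leaf)) {
        throw "Installer not found at $setup"
    }

    # Compute the hash of the file as it exists on the share right now.
    $actual = (Get-FileHash -Path $setup -Algorithm SHA256).Hash

    # Refuse to run anything that is not the package we built. Hash strings
    # are compared case-insensitively by -ne, so the stored value may be
    # upper or lower case.
    if ($actual -ne $ExpectedSha256) {
        throw "setup.exe on $SharePath does not match the published package (got $actual). Install aborted."
    }

    # Same silent install the batch file performs: setup.exe -s
    $proc = Start-Process -FilePath $setup -ArgumentList '-s' -Wait -PassThru
    return $proc.ExitCode
}

# Run the install and surface the installer's exit code to the Director task.
$code = Install-RruFromShare
Write-Output "setup.exe finished with exit code $code"
exit $code
```

Point the Director process task at this script (for example via powershell.exe -ExecutionPolicy Bypass -File) in place of rruinst.bat; a non-zero exit code or a thrown error then shows up as a failed task in the console rather than as a silently installed, possibly altered, package.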

5.4.2 Adding Rapid Restore to the IBM Director software dictionary


1. Open the IBM Director management console. Select Tasks -> Edit software dictionary from the menu bar. Add the Rapid Restore Ultra details as shown in Figure 5-9. In the Associated files field, we have specified the filename pcrecsa.exe (one of the main program files of Rapid Restore) to enable IBM Director to locate the Rapid Restore Ultra installation on a client system by scanning for this file.


Figure 5-9 Adding Rapid Restore to IBM Director software dictionary

Save the information and close the window. Rapid Restore Ultra is now added to the IBM Director software dictionary.
2. In Options -> Server preferences -> Inventory collection preferences, enable Collect software data. This is required because by default IBM Director does not collect software inventory details of a client system during the inventory collection process.
3. Collect the inventory details of all systems. To do this, right-click All systems and devices (in the left pane) and select Perform inventory collection. After the inventory collection has completed, verify that Rapid Restore Ultra appears under the software category of the collected inventory data for systems that have Rapid Restore Ultra installed (Figure 5-10).


Figure 5-10 Rapid Restore entry in inventory data

5.4.3 Managing all Rapid Restore Ultra systems as one group


IBM Director has the capability to allow IT personnel to group systems based on the collected information. In this example we show how to create a dynamic group that only displays systems having Rapid Restore Ultra installed.
1. Right-click in an empty area (white background region) of the left pane to see a context menu. Select New dynamic. Select the Rapid Restore entry by navigating through Inventory(PC) -> Software -> Program Title as shown in Figure 5-11.


Figure 5-11 Create dynamic group of systems with Rapid Restore Ultra

2. Click the Add button. Save the group as All systems with Rapid Restore and close the window. The new group appears in the left pane of the Director console (Figure 5-12).

Figure 5-12 Rapid Restore systems listed under single group


5.4.4 Receive alert when Rapid Restore is not active on client system
IBM Director has extensive monitoring capability. The example below shows how you can monitor the Rapid Restore agent and receive an alert if the Rapid Restore agent is stopped on a client system. The alert functionality can further be customized to monitor Rapid Restore Ultra uninstall events or to create an auto-response that reactivates the Rapid Restore agent if it has been stopped.
1. Drag and drop the Process Management task (right pane) onto one of the client systems belonging to the group All systems with Rapid Restore (middle pane).
2. In the process management window, select the Application tab. Locate and select the process c:\program files\xpoint\pe\pcrecsa.exe as shown in Figure 5-13.

Figure 5-13 Adding process monitor for Rapid Restore Ultra

3. Right-click the selected process and click Add to monitors. The process monitor for pcrecsa.exe has been added. Close the window.
4. In the IBM Director console, drag and drop the Process monitor task (located under Process management in the right pane) onto one of the clients under All systems with Rapid Restore (middle pane).
5. Select Stop and save the process monitor (Figure 5-14).


Figure 5-14 Modify setting of Rapid Restore alert monitor

6. To verify that the alert is working, log on to the client system as Administrator and, in Windows Task Manager, end the process pcrecsa.exe. Now check in the IBM Director management console whether an alert has been received. To view event alerts, drag and drop the Event log task (in the right pane) onto All systems with Rapid Restore (left pane) in the Director console. You will see an event log window as shown in Figure 5-15. The alert message informing you that pcrecsa.exe is stopped on the client system will be seen.

Figure 5-15 Event log window showing alert message received
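The Director process monitor above watches pcrecsa.exe from the server side. Where a client is not reachable by Director, or as a second signal for a SIEM, the same check can run locally. The following PowerShell is an added example, not part of the redbook or of Rapid Restore Ultra: it tests whether the pcrecsa.exe agent named in this section is running and, if not, writes an error to the Application event log so that a collector can raise the same "agent stopped" alert. The event source name and event id are chosen for this example; registering the source with New-EventLog needs an elevated session the first time it runs. It does not try to restart the agent, since the page does not describe how pcrecsa.exe is normally started.

```powershell
# Added example (not from the redbook): local check that the Rapid Restore
# agent is alive, with an event-log record when it is not.

function Test-RruAgentRunning {
    param([string] $ProcessName = 'pcrecsa')   # Get-Process wants the name without .exe
    # Get-Process returns nothing (and no error, thanks to SilentlyContinue)
    # when no such process exists; casting that to [bool] gives $false.
    return [bool](Get-Process -Name $ProcessName -ErrorAction SilentlyContinue)
}

function Report-RruAgentState {
    param(
        [string] $Source  = 'RRU Agent Monitor',  # event source chosen for this example
        [int]    $EventId = 9100                  # event id chosen for this example
    )

    if (Test-RruAgentRunning) {
        return 'running'
    }

    # Write-EventLog requires the source to be registered; do it once.
    if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
        New-EventLog -LogName Application -Source $Source
    }

    Write-EventLog -LogName Application -Source $Source -EventId $EventId -EntryType Error `
        -Message 'Rapid Restore Ultra agent (pcrecsa.exe) is not running; scheduled incremental backups will not be taken until it is restarted.'
    return 'stopped'
}

# One run reports the current state; schedule it (for example every few
# minutes) to get continuous coverage. Ending pcrecsa.exe in Task Manager,
# as in step 6 above, makes the next run return 'stopped' and log the event.
Report-RruAgentState
```

A collector watching the Application log for this source and event id then receives the same signal the Director event log window shows in Figure 5-15, without depending on the Director Agent itself being healthy.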


5.4.5 Remotely change the Rapid Restore Ultra backup schedule


The procedure to remotely modify the backup schedule is similar to the install procedure described in 5.4.1, Installing Rapid Restore Ultra using IBM Director on page 189. We describe only those steps that need to change. Steps to change the backup schedule remotely:
1. Check the pre-requisites as discussed in Pre-requisites on page 189.
2. Extract the contents of BackupScheduleMod.zip (see Appendix B, Additional material on page 215) to the folder c:\rrutools on the INSTSVR system. Create the network share RRUTOOLS for the c:\rrutools folder.
3. Change the backup schedule as required in the file time.mod.
4. Replace the existing rrutime.bat file with a new one having the contents listed in Appendix A, Rapid Restore batch files on page 209.
5. Create a process task named Rapid Restore backup schedule change pointing to the file \\INSTSVR\rrutools\rrutime.bat (see step 2 of section 5.4.1, Installing Rapid Restore Ultra using IBM Director on page 189 for how to create a new process task).

Figure 5-16 Creating a process task for changing schedule time of backups

6. Drag and drop the Rapid Restore backup schedule change task (right pane) onto the client system entry (in the middle pane) to initiate a backup schedule change (Figure 5-17).


Figure 5-17 Process task to change schedule of backups shown in right pane

5.4.6 Remotely initiate Rapid Restore Ultra incremental backup


Steps to initiate an incremental backup remotely are as follows:
1. Make sure that the pre-requisites discussed in section Pre-requisites on page 189 are met.
2. Create a batch file incbckup.bat with the contents listed in Appendix A, Rapid Restore batch files on page 209. Save it to the folder C:\rrutools on the INSTSVR system.
3. Create a process task named Rapid Restore incremental backup pointing to the file \\INSTSVR\rrutools\incbckup.bat (incbckup.bat is shown in Appendix A, Rapid Restore batch files on page 209). See step 2 on page 190 for how to create a new process task. The new process task will be listed in the right pane of the console (Figure 5-19).


Figure 5-18 Process task creation for incremental backup

Figure 5-19 Process task for incremental backup listed in right pane

4. Drag and drop the Rapid Restore incremental backup task (right pane) onto the client system entry (in the middle pane) to initiate the incremental backup. Note that although the task status is shown as complete in the Director console after the script (incbckup.bat) has executed, the backup operation will still be in progress on the client system.

5.5 Integrating Rapid Restore Ultra with IBM RDM


IBM Remote Deployment Manager (RDM) can be used to perform DOS-mode remote Rapid Restore backup and restore on client systems having Rapid Restore Ultra installed. In our example, we have used IBM RDM v4.1. RDM 4.1 is not included with IBM Director 4.1 and has to be purchased separately. The pre-requisite for RDM 4.1 is that IBM Director v4.1 is installed. RDM 4.1 has no separate Windows GUI and is managed through the IBM Director 4.1 management console. We assume that you are already familiar with IBM Director and RDM. Figure 5-20 shows the RDM menu in the IBM Director console.

Figure 5-20 RDM menu in the right pane of Director console

5.5.1 IBM RDM requirements/preparations


1. Client systems should support network boot. Client systems should be configured such that they enter network boot on power-on. Each client system should have booted to the network once while IBM Director and RDM were running in the network, so that the client systems are scanned, discovered and listed in the Director console (in the middle pane).
2. Client systems should support Wake on LAN. This enables an administrator to remotely power on the client systems.
3. The client systems should be powered off for RDM to start the Rapid Restore backup/restore process.
4. Client systems should have Rapid Restore Ultra installed.

5.5.2 Procedure
IBM RDM provides a basic scan image (dos71s) that boots the client system in DOS and gets the system inventory details. It also sets up network connectivity on the client and provides a Trivial FTP (TFTP) program called mtftp.exe to facilitate download of files from the RDM server to the client. We will use the dos71s scan image and a set of batch files to execute Rapid Restore backup/restore using Rapid Restore Ultra DOS commands. The process we follow for backup and for restore is very similar. We therefore describe the process for the backup operation and, along the way, mention where the restore process differs from the backup process.
1. Create an RDM task for the backup (or restore) process. In the right pane of the Director console, select Remote Deployment Manager -> Scan. Right-click it and select Create new task. Enter contents similar to those shown in Figure 5-21 and Figure 5-22.

Figure 5-21 Rapid Restore Ultra backup task settings


Figure 5-22 Rapid Restore Ultra backup task settings

Each task is associated with a commandlist, shown in Figure 5-22. The commandlist after our changes will look like this:
;This is command list for RRU backup/restore task
BOOTTYPE !LOADDOS /ENVIRONMENT/DOS71S
WAKE
!!setenv
!scan.bat
HandleScanOutput
HandleUserPrompt
!mtftp get 10.1.1.1 TEMPLATE\%TASKTEMPLATEID%\%TASKTOID%\RRUJOB.BAT RRUJOB.BAT
!rrujob.bat
;Reboot the system to start backup or restore on next boot
!!REBOOT

Note that we have removed the command !!SHUTDOWN and added !!REBOOT instead in the commandlist script. Also, we have given a dummy IP address for the RDM server (10.1.1.1); you will need to change it. After the changes are done, click OK. The task RRU base backup and/or RRU base restore created will appear under Remote Deployment Manager -> Scan in the right pane of the Director console (Figure 5-20). To locate the folder where the commandlist script for the task created above is stored, right-click the task item in the Director console and select Edit task. In the task window that opens, select Task Folder under the Advanced tab. Make a note of the task folder location specified there. Let us call it X. Copy the script files listed below to this location X (the script files are described in Appendix A, Rapid Restore batch files on page 209):
RRUJOB.BAT
PREPARE.BAT
BACKUP.BAT
RESTORE.BAT
CLEANUP.BAT

2. Edit the batch file RRUJOB.BAT as follows:
a. Change the SERVER_IP variable value.
b. If the current task is to do a restore operation, change the parameter value passed to the prepare.bat call to restore.
3. To assign the RRU base backup or RRU base restore script task to a client system, drag and drop the task item onto the client entry (in the middle pane).
4. When the task is executed, it does the following:
a. Wakes up the selected Rapid Restore Ultra client system.
b. Runs the scan image on the client system.
c. Gets the next command from the RDM server (as per the commandlist script), which is to fetch the batch file RRUJOB.BAT (using the mtftp program) from the RDM server onto the client system and execute it.
d. RRUJOB.BAT is a small batch file that fetches the PREPARE.BAT file from the RDM server and executes it with the parameter backup or restore. PREPARE.BAT distinguishes the task (backup or restore) based on the parameter it is called with. PREPARE.BAT gets the file backup.bat (or restore.bat) from the RDM server and copies it as autoexec.bat (the original autoexec.bat is saved as autoexec.rr) in the IBM_SERVICE partition. PREPARE.BAT also sets the boot manager on the client system to boot to the IBM_SERVICE partition on next boot.
e. The last command in the commandlist script of the task makes the client system reboot. With this the RDM task is finished. However, the actual backup (or restore) operation will begin on reboot.
5. On reboot, the client system does a network boot and, since there are no pending tasks, RDM directs the client system to do a local boot. The Rapid Restore boot manager then takes control of the system and boots to the IBM_SERVICE partition. The autoexec.bat is executed (it is the backup.bat or restore.bat file we copied in the previous step). The backup or restore process takes place now. The autoexec.bat file finishes execution by finally calling the cleanup.bat file.


This completes the base backup or the restore operation. RESTORE.BAT and BACKUP.BAT are the script files that execute the Rapid Restore DOS command lastboot.exe with the appropriate parameters to do a base backup or base restore. A point to note here is that using RDM, you can do most of the operations that Rapid Restore's DOS command line tools (lastboot.exe, bmgr.exe and recrtsp.exe) allow you to do. To learn about the other operations these tools support, run them with the /h or /? parameter (try these options on test systems first, and only when you are sure what the option(s) do). Since RDM only allows you to implement the DOS based features of Rapid Restore Ultra, you cannot use Rapid Restore Ultra's Windows based functions, such as scheduled backups or incremental backups, this way. You can however use IBM Director process tasks to implement most of the Windows based features of Rapid Restore Ultra (see Section 5.4, Integrating Rapid Restore Ultra with IBM Director on page 189).
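As an added example (not code from this redbook or from IBM RDM), the following Python script performs a pre-flight check on the task folder prepared in the steps above: it parses the commandlist and RRUJOB.BAT and flags the dummy 10.1.1.1 address left in place, a commandlist that still contains !!SHUTDOWN or does not end with !!REBOOT, a server address that differs between the two files, a bad prepare.bat parameter, and any of the five batch files missing. The sample texts and the address 192.0.2.10 are constructed for this example.

```python
"""Pre-flight check for an RDM task folder prepared as in 5.5.2.

Added example (not from the redbook or from IBM RDM): reads the task's
commandlist and RRUJOB.BAT as text and reports the mistakes the procedure
warns about before the task is dropped onto a client.
"""
import re

PLACEHOLDER_IP = "10.1.1.1"          # dummy address shipped in the commandlist
REQUIRED_FILES = {"RRUJOB.BAT", "PREPARE.BAT", "BACKUP.BAT",
                  "RESTORE.BAT", "CLEANUP.BAT"}
VALID_OPERATIONS = {"backup", "restore"}


def parse_commandlist(text):
    """Return (RDM server address used by !mtftp, last non-comment command)."""
    server_ip, last_command = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                 # blank line or commandlist comment
        match = re.match(r"!mtftp\s+get\s+(\S+)", line, re.IGNORECASE)
        if match:
            server_ip = match.group(1)
        last_command = line
    return server_ip, last_command


def parse_rrujob(text):
    """Return (SERVER_IP value, operation passed to prepare.bat) from RRUJOB.BAT."""
    server_ip, operation = None, None
    for raw in text.splitlines():
        line = raw.strip()
        match = re.match(r"SET\s+SERVER_IP\s*=\s*(\S+)", line, re.IGNORECASE)
        if match:
            server_ip = match.group(1)
        match = re.match(r"call\s+prepare\.bat\s+(\S+)", line, re.IGNORECASE)
        if match:
            operation = match.group(1).lower()
    return server_ip, operation


def check_task(commandlist, rrujob, files_in_task_folder):
    """Return a list of findings; an empty list means the task folder is ready."""
    findings = []
    cl_ip, last_command = parse_commandlist(commandlist)
    job_ip, operation = parse_rrujob(rrujob)

    for label, ip in (("commandlist", cl_ip), ("RRUJOB.BAT", job_ip)):
        if ip is None:
            findings.append(f"{label}: no RDM server address found")
        elif ip == PLACEHOLDER_IP:
            findings.append(f"{label}: placeholder address {PLACEHOLDER_IP} not changed")
    if cl_ip and job_ip and cl_ip != job_ip:
        findings.append(f"commandlist fetches from {cl_ip} but RRUJOB.BAT uses {job_ip}")

    # The task must end with !!REBOOT so the client boots into the service
    # partition; the default !!SHUTDOWN would leave it powered off.
    if "!!SHUTDOWN" in commandlist.upper():
        findings.append("commandlist still contains !!SHUTDOWN")
    if last_command is None or last_command.upper() != "!!REBOOT":
        findings.append("commandlist does not end with !!REBOOT")

    if operation not in VALID_OPERATIONS:
        findings.append(f"RRUJOB.BAT passes {operation!r} to prepare.bat, expected backup or restore")

    missing = sorted(REQUIRED_FILES - {name.upper() for name in files_in_task_folder})
    if missing:
        findings.append("missing from task folder: " + ", ".join(missing))
    return findings


# Constructed samples: the commandlist as shown in 5.5.2 (placeholder address
# still in place) and a copy edited for a restore task on a sample server.
UNEDITED_COMMANDLIST = r"""
;This is command list for RRU backup/restore task
BOOTTYPE !LOADDOS /ENVIRONMENT/DOS71S
WAKE
!!setenv
!scan.bat
HandleScanOutput
HandleUserPrompt
!mtftp get 10.1.1.1 TEMPLATE\%TASKTEMPLATEID%\%TASKTOID%\RRUJOB.BAT RRUJOB.BAT
!rrujob.bat
;Reboot the system to start backup or restore on next boot
!!REBOOT
"""
UNEDITED_RRUJOB = r"""
SET SERVER_IP=10.1.1.1
SET SRC_FILE_PATH=template\%TASKTEMPLATEID%\%TASKTOID%
mtftp get %SERVER_IP% %SRC_FILE_PATH%\prepare.bat prepare.bat
call prepare.bat backup
"""
EDITED_COMMANDLIST = UNEDITED_COMMANDLIST.replace("10.1.1.1", "192.0.2.10")
EDITED_RRUJOB = UNEDITED_RRUJOB.replace("10.1.1.1", "192.0.2.10").replace(
    "prepare.bat backup", "prepare.bat restore")
ALL_FILES = ["RRUJOB.BAT", "PREPARE.BAT", "BACKUP.BAT", "RESTORE.BAT", "CLEANUP.BAT"]

if __name__ == "__main__":
    for name, cl, job, files in (("unedited", UNEDITED_COMMANDLIST, UNEDITED_RRUJOB, ALL_FILES[:2]),
                                 ("edited", EDITED_COMMANDLIST, EDITED_RRUJOB, ALL_FILES)):
        print(name, check_task(cl, job, files) or ["ready"])
```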

5.6 IBM Director & Asset Depot scenario


In a scenario with IBM Director and Asset Depot, customers have the advantage that one database can be used for both tools. For example, a customer wants to use IBM Director for server systems only, because server systems management capabilities are needed only on server systems; client systems management is not needed. So the customer installs the Asset Depot agent on desktop, laptop and server computers for gathering the asset information, and the IBM Director agent only on server systems. For more information on IBM Director, see Implementing Systems Management Solutions using IBM Director, SG24-6188. The following figure shows a possible scenario structure of Asset Depot and IBM Director.


Figure 5-23 Asset Depot and IBM Director scenario (figure; its components are listed here)
- PC system: Asset Depot agent
- Server system: Asset Depot agent and IBM Director agent
- Asset Depot server: delivers the asset management capabilities
- IBM Director server: delivers the server management capabilities
- Centralized database for Asset Depot and IBM Director

5.7 Software deployment


A common problem that comes up with ThinkVantage Technology tools is the deployment of the tools to the client systems. Following are two examples.

5.7.1 Integrating Web-D into ImageUltra Builder


A Web-D agent is required on each client that will use Web-D. Getting the Web-D agent installed on the clients is best accomplished by including the Web-D agent within an ImageUltra Builder image. An application module can easily be created which will install the Web-D agent. The Web-D agent is installed via a program called esdsetup.exe. This setup can be included as part of the image and run silently using the following command:
esdsetup.exe /s

5.7.2 Integrating Asset Depot into ImageUltra Builder


Similarly, an Asset Depot agent is required on each client that is monitored by the Asset Depot server. Installation of the Asset Depot agent on the clients is best accomplished by including the Asset Depot agent within an ImageUltra Builder image. We can create an application module in the ImageUltra Builder image with the Asset Depot agent executable included.

5.8 Asset Depot and Web-D conceptual scenarios


The integration of Asset Depot into Web-D brings a customer several benefits:
- The customer has a software distribution and an asset management solution in one package.
- The asset inventory collection process can be automated.
- The software change management process can be automated.
- The Asset Depot server and Web-D server can be installed on the same machine.
- Software license usage can be controlled and, if the specified software is not used, it can be deinstalled from a client system to free up the unused license.
When integrating Web-D with Asset Depot, customers have a software distribution solution and an asset management solution in one package. Both tools can also be installed on the same system. With the Asset Depot agent, we can automate the inventory collection process, thereby always having current asset information. With the integration of Web-D and Asset Depot we can have an automated control mechanism for software license usage in a company. Unused licenses can be released from a client system through Web-D, and the license can then be used on another system. There is also the possibility to see which users use which software packages. This feature presupposes that Asset Depot is also integrated with an LDAP directory service. With Web-D we can also control the software change management process. Based on the software inventory information from Asset Depot, Web-D can check for old versions of software used on client systems. After that, Web-D can deinstall the old versions of the software on the client systems. Web-D will then push the new versions of the software to the client systems. The following figure shows an example of a software change management process. This feature will be available in a future release of Web-D and Asset Depot.
Figure 5-24 Software change management scenario (figure; its components are a client system with the Web-D and Asset Depot agents, a Web-D and Asset Depot Web server with Java support, and a database shared by Web-D and Asset Depot; the numbered steps are listed here)
1. The client agent collects data on the client system and sends it to the Asset Depot Web server.
2. Web-D checks the software inventory from Asset Depot. Web-D compares it with a software catalog to see if software updates are available. If any software update needs to be done, Web-D sends a command to the Web-D agent on the client system.
3. The Web-D agent executes the software deinstallation.
4. The Web-D agent picks up the new software package.
5. The Web-D agent executes the software installation.


Appendix A.

Rapid Restore batch files


This appendix describes the batch files used to perform Rapid Restore Ultra functions. Here is the list of the batch files described here and where they are used:
Table A-1 List of batch files described in this appendix
RRUTIME.BAT   Used to change the backup schedule for Rapid Restore Ultra remotely through IBM Director.
INCBCKUP.BAT  Used to initiate an incremental backup for Rapid Restore Ultra remotely through IBM Director.
RRUJOB.BAT    One of the batch files used to process the RDM task of performing a Rapid Restore Ultra backup or restore.
PREPARE.BAT   One of the batch files used to process the RDM task of performing a Rapid Restore Ultra backup or restore.
BACKUP.BAT    This batch file does the Rapid Restore Ultra base backup in DOS mode. After the completion of the base backup, it calls the CLEANUP.BAT file.
RESTORE.BAT   This batch file does the Rapid Restore Ultra restore from the base backup image in DOS mode. After the completion of the base restore, it calls the CLEANUP.BAT file.
CLEANUP.BAT   This batch file resets the IBM_SERVICE partition autoexec.bat file following a Rapid Restore Ultra backup or restore operation through RDM.

RRUTIME.BAT
@echo off
REM =======================================================
REM Setup Environment
REM =======================================================
SET DRIVE=X
SET RRU_SERVICE=NO
SET path=%path%;C:\Program Files\xpoint\pe;c:\Program Files\xpoint\pe\skin
NET USE %DRIVE%: \\INSTSVR\RRUTOOLS

REM =======================================================
REM Change to the xpoint\pe directory
REM =======================================================
c:
cd\"Program Files\Xpoint\PE"
REM =======================================================
REM Determine if the Service is Running
REM =======================================================
net stop "IBM Rapid Restore Ultra Service"
:: ERRORLEVEL=0 if it stops (i.e. is there)
:: ERRORLEVEL=2 if it does not stop (i.e. is not there)
:: (standard batch syntax; the original read "if errorlevel==2")
if errorlevel 2 goto noservice
:: =======================================================
:: The service is running so do the work for the service
:: =======================================================
SET RRU_SERVICE=YES
:: "c:\Program Files\Xpoint\PE\skin\uninstall.bat"
regsvr32 /s /u RRBackupInfo.ocx
regsvr32 /s /u RRFileTypes.ocx
regsvr32 /s /u RRName.ocx
regsvr32 /s /u RRPie.ocx
regsvr32 /s /u RRProgress.ocx
regsvr32 /s /u RRTime.ocx
regsvr32 /s /u RRTree.ocx
regsvr32 /s /u RRTreeSummaryExclude.ocx
start /WAIT rrpcsb -unregserver
:: ========================================
:: get ini file from the MBR
:: ========================================
start /WAIT pcrecsa bini -fetch
:: ========================================
:: edit the ini file
:: ========================================
start /WAIT %DRIVE%:\rrpcedit pcrec.ini %DRIVE%:\time.mod
:: ========================================
:: save the ini file
:: ========================================
start /WAIT pcrecsa bini -flush
:: "c:\Program Files\Xpoint\PE\skin\install.bat"
regsvr32 /s RRBackupInfo.ocx
regsvr32 /s RRFileTypes.ocx
regsvr32 /s RRName.ocx
regsvr32 /s RRPie.ocx
regsvr32 /s RRProgress.ocx
regsvr32 /s RRTime.ocx
regsvr32 /s RRTree.ocx
regsvr32 /s RRTreeSummaryExclude.ocx
start /WAIT rrpcsb -service
net start "IBM Rapid Restore Ultra Service"
goto end
:noservice
:: =======================================================
:: The service is NOT running so do the work for
:: no service running
:: =======================================================
:: ========================================
:: get ini file from the MBR
:: ========================================
start /WAIT pcrecsa bini -fetch
:: ========================================
:: edit the ini file
:: ========================================
start /WAIT %DRIVE%:\rrpcedit pcrec.ini %DRIVE%:\time.mod
:: ========================================
:: save the ini file
:: ========================================
start /WAIT pcrecsa bini -flush
:end
:: =======================================================
:: Cleanup after the work is done
:: =======================================================
NET USE %DRIVE%: /d

INCBCKUP.BAT
@echo off
Rem set the current folder
c:
cd\"Program Files\Xpoint\PE"
set path=%path%;.
Rem start a new incremental backup
f11exec.exe /BC /GUI
Rem incremental backup started..

RRUJOB.BAT
SET SERVER_IP=10.1.1.1
SET SRC_FILE_PATH=template\%TASKTEMPLATEID%\%TASKTOID%
mtftp get %SERVER_IP% %SRC_FILE_PATH%\prepare.bat prepare.bat
call prepare.bat backup

PREPARE.BAT
Rem **************************************************************
Echo RRU-RDM Integration Backup/Restore
Echo Creating logfile >a:\rru.log
Echo ======================================= >>a:\rru.log
Set >> a:\rru.log
Rem SERVER_IP and SRC_FILE_PATH are already set in batch file RRUJOB.BAT
Echo ======================================= >>a:\rru.log
Echo Determine which operation is to be performed >>a:\rru.log
if %1 == backup set batfile=backup.bat
if %1 == restore set batfile=restore.bat
Echo = Operation set to: %batfile% >>a:\rru.log
Echo. >>a:\rru.log
Echo ======================================= >>a:\rru.log
Echo Detecting IBM Service partition >>a:\rru.log
if exist c:\lastboot.exe set drive=C:
if exist d:\lastboot.exe set drive=D:
if exist e:\lastboot.exe set drive=E:
if exist f:\lastboot.exe set drive=F:
Echo = IBM Service partition set to: %drive% >>a:\rru.log
Echo. >>a:\rru.log
Echo ======================================= >>a:\rru.log
Echo Prepare autoexec.bat in SP to perform operation >>a:\rru.log
copy %drive%\autoexec.bat %drive%\autoexec.rr >>a:\rru.log
mtftp get %SERVER_IP% %SRC_FILE_PATH%\%batfile% %drive%\autoexec.bat
Echo. >>a:\rru.log
Echo ======================================= >>a:\rru.log
Echo Prepare the restoration of Autoexec.bat in the SP >>a:\rru.log
Echo to original after the selected operation has been performed >>a:\rru.log
mtftp get %SERVER_IP% %SRC_FILE_PATH%\cleanup.bat %drive%\cleanup.bat
Echo. >>a:\rru.log
Echo ======================================= >>a:\rru.log
Echo Set client to boot to the Service Partition at next boot >>a:\rru.log
%drive%\bmgr.exe /BS >>a:\rru.log
Echo. >>a:\rru.log
Echo ======================================= >>a:\rru.log
Echo RRU preparation completed. The client will now reboot to service partition
Echo to initiate the operation...
Echo Copying the log file to the server folder C:\PROGRAM FILES\IBM\RDM\TEMP
mtftp put %SERVER_IP% a:\rru.log RRU.log
sleep 10

BACKUP.BAT
Rem perform the base backup and do not reboot
c:\lastboot.exe /I /NR
Rem Restore IBM Service Partition settings
cleanup.bat

RESTORE.BAT
Rem perform the base restore and do not reboot
c:\lastboot.exe /RA /NR
Rem reset IBM Service Partition
cleanup.bat

CLEANUP.BAT
Rem Reset IBM Service Partition
Rem Service Partition will always be C: when booting from Service Partition
erase c:\autoexec.bat
copy c:\autoexec.rr autoexec.bat
erase c:\autoexec.rr
rem reboot the machine
c:\lastboot /B

Appendix B.

Additional material
This redbook refers to additional material that can be downloaded from the Internet as described below.

Locating the Web material


The Web material associated with this redbook is available in softcopy on the Internet from the IBM Redbooks Web server. Point your Web browser to:
ftp://www.redbooks.ibm.com/redbooks/SG246060

Alternatively, you can go to the IBM Redbooks Web site at:


ibm.com/redbooks

Select the Additional materials and open the directory that corresponds with the redbook form number, SG24-6060.

Using the Web material


The additional Web material that accompanies this redbook includes the following files:
File name        Description
RRU-scripts.zip  Zipped scripts and tools that are referenced in Chapter 2, Rapid Restore Ultra on page 11 and Chapter 5, Scenarios Implementing ThinkVantage Technologies on page 175 of this redbook in relation to Rapid Restore Ultra.
AccessIBM.zip    Zipped file containing some of the customization tools and the help file mentioned in Chapter 3, The Access IBM experience on page 65.

How to use the Web material


This section describes the content of the above mentioned zip packages and their usage.
RRU-scripts.zip extract
Download the RRU-scripts.zip package to a temporary folder on your workstation and unzip the contents of the zip file. The following files will be extracted:
Table B-1 Details of tools and scripts referenced in relation to Rapid Restore Ultra
SPCreate.zip                      Used to prepare a boot diskette that can be used to create an IBM_SERVICE partition. See Creation of an IBM_SERVICE partition on page 49.
FullSilentInstallFromDesktop.zip  Has a shortcut file and a script file to simplify a silent install of Rapid Restore for the user. See Defer Rapid Restore install to post-deployment time on page 52.
BackupScheduleMod.zip             Has a script file to change the backup schedule. This package can also be used to change other options of the PCREC.INI file by placing them in the time.mod file included in the package. See Modifications to pcrec.ini on page 56.
RedoA0.zip                        Includes script files to retake a new base backup. See How to reset the A0 backup on page 57.
IUB2AltMethod.zip                 Has files for use when planning to deploy Rapid Restore Ultra as a part of an ImageUltra Builder image. This package is referenced in 5.3, Integrating Rapid Restore with ImageUltra Builder on page 183.


AccessIBM.zip extract
Download the AccessIBM.zip package to a temporary folder on your workstation and unzip the contents of the zip file. The following files will be extracted:
Table B-2 Contents of AccessIBM.zip
aimb_config_tool.exe  This tool enables you to change the content and look of your Access IBM application. It is a wizard-like tool that walks you through the interface and allows you to easily change categories and listed content as well as add your own, if appropriate.
aibmhpp.exe           These sets of files, which exist per family, are needed to tell the HTML Help compiler what attributes to apply when compiling the help modules.
customacchelp.chm     This HTML Help-based document describes how to manipulate the help content: how to add, delete, and edit topics and how to remove entire chapters, based on your users and your business. It explains how to work with Microsoft's HTML Help Workshop (a tool available at no cost from Microsoft), the information development tool used to create the IBM help system.


Abbreviations and acronyms


AD       Asset Depot
AES      Advanced Encryption Standard
ANSI     American National Standards Institute
API      application programming interface
ATAPI    Advanced Technology Attachment Packet Interface
BEER     Boot Engineering Extension Record
BIOS     Basic Input/Output System
BSOD     blue screen of death
CA       Certificate Authority
CAPI     cryptographic application programming interface
CHS      cylinders, heads, sectors
CISC     Complex Instruction Set Computer
CSS      Client Security Software
DLL      dynamic link library
DLT      digital linear tape
ECC      error checking and correcting
EEPROM   Electrically Erasable Programmable Read Only Memory
EFS      Encrypted File System
ESD      electronic software distribution
ESS      Embedded Security Subsystem
FFE      File and Folder Encryption
GIF      CompuServe Graphics Interchange Format
GINA     Graphical Identification and Authentication
GSK      Global Security Toolkit
GUI      Graphical User Interface
HDD      Hard Disk Drive
HPA      Hidden Protected Area
HTML     Hypertext Markup Language
IBM      International Business Machines Corporation
IDE      Integrated Drive Electronics
IE       Internet Explorer
IP       Internet Protocol
ISO      International Standards Organization
ITSO     International Technical Support Organization
IUB      ImageUltra Builder
JDBC     Java database connection
JDK      Java Development Kit
JRE      Java Runtime Environment
LBA      Logical Block Addressing
LDAP     Lightweight Directory Access Protocol
LPC      low pin count
LTO      linear tape open
MBR      Master Boot Record
MDAC     Microsoft Data Access Components
MSCAPI   Microsoft Crypto API
MSI      Microsoft Software Installation
NIC      Network Interface Card
NLS      National Language Support
NTFS     New Technology File System
OEM      Original Equipment Manufacturer
PARTIES  Protected Area Runtime Interface Extension Services
PKCS     Public Key Cryptographic Standard
PKI      Public Key Infrastructure
PTA      Personal Trust Agent
RAID     Redundant Array of Inexpensive Disks
RDM      Remote Deployment Manager
RISC     Reduced Instruction Set Computer
ROI      Return on Investment
RRU      Rapid Restore Ultra
RSA      Rivest, Shamir, and Adleman
RTE      Java Runtime Environment
SCSI     Small Computer Systems Interface
SDA      Software Delivery Assistant
SDD      Secure Data Disposal
SDK      Software Developers Kit
SMA      System Migration Assistant
SMBIOS   Systems Management Basic Input Output System
SQL      Structured Query Language
TAM      Tivoli Access Manager
TCG      Trusted Computing Group
TCO      total cost of ownership
TCPA     Trusted Computing Platform Alliance
TFTP     Trivial File Transfer Protocol
TVT      ThinkVantage Technologies
UDB      Universal Database
USB      Universal Serial Bus
UVM      User Verification Manager
VPN      Virtual Private Network
WMI      Windows Management Instrumentation
XML      eXtensible Markup Language


Related publications
The publications listed in this section are considered particularly suitable for a more detailed discussion of the topics covered in this redbook.

IBM Redbooks
For information on ordering these publications, see How to get IBM Redbooks on page 223. Note that some of the documents referenced here may be available in softcopy only.
Using ThinkVantage Technologies: Volume 1 Creating and Deploying Client Systems, SG24-7045
Using Asset Depot for Inventory Management, REDP-3763 (ITSO Redpaper)
Using Web-D for Software Distribution, REDP-3764 (ITSO Redpaper)
Implementing Asset ID, SG24-6165
Implementing Systems Management Solutions using IBM Director, SG24-6188
Using the System Installation Toolkit to Streamline Client Rollout, SG24-6178
IBM DB2 Application Development Guide: Building and Running Applications Version 8, SC09-4825-00
DB2 UDB Evaluation Guide for Linux and Windows, SG24-6934-00

Other publications
These publications are also relevant as further information sources:
Web-D Installation and Configuration, by Oscar Aguirre and Dudley Miller, IBM
IBM Rapid Restore Ultra 3.01.1 Enterprise Deployment Guide, by Jim Loebach, IBM
ESD-U Design Specification, by Dudley Miller, IBM
IBM ImageUltra Builder 2.0 User Guide
IBM Portable USB 2.0 Hard Drive with Rapid Restore - User Guide


Developing Enterprise Java Applications Using DB2 Version 8, by Grant Hutchison, IBM/DB2 Integration Center
MySQL Reference Manual, from MySQL AB, http://www.mysql.com
Client Security Software 5.1 Installation Guide
Client Security Software 5.1 Administrator's Guide
Client Security Software 5.1 User's Guide
Password Manager 1.1 User's Guide
Using Client Security Software 5.1 with Tivoli Access Manager

Online resources
These Web sites and URLs are also relevant as further information sources:
Introduction to IBM ThinkVantage Technologies: Security (TXW14) course on IBM PC Institute. This is a Web-based course that covers the security features of IBM ThinkVantage Technologies that are used in NetVista and ThinkCentre desktops and ThinkPad notebooks. To view the course description and take the course, go to:
http://www.pc.ibm.com/training/txw14.html

Introduction to IBM ThinkVantage Technologies: Wireless (TXW15) course on IBM PC Institute. This is a Web-based course that covers the wireless features of IBM ThinkVantage Technologies that are used in NetVista and ThinkCentre desktops and ThinkPad notebooks. It also covers industry standard wireless terminology. To view the course description and take the course, go to:
http://www.pc.ibm.com/training/txw15.html

IBM ESS installation, configuration and usage guides.


http://www.pc.ibm.com/us/security/secdownload.html

Access IBM and Access Help Customization guide.


http://www-3.ibm.com/pc/support/site.wss/document.do?lndocid=AIBM-TOOLS

Targus DEFCON Authenticator PC Card Fingerprint Reader


http://www.targus.com

Targus Fingerprint Reader installation guide.


http://www.targus.com/Downloads/PA460_PA470_UG.pdf

222

Using ThinkVantage Technologies: Volume 2 Maintaining and Recovering Client Systems

Draft Document for Review September 30, 2003 10:38 am

6060bibl.fm

How to get IBM Redbooks


You can search for, view, or download Redbooks, Redpapers, Hints and Tips, draft publications and Additional materials, as well as order hardcopy Redbooks or CD-ROMs, at this Web site:
ibm.com/redbooks

Help from IBM


IBM Support and downloads
ibm.com/support

IBM Global Services


ibm.com/services


Index
Symbols
\INSTALL.INI 17, 38, 43, 48, 53
  customizing 43
\rrpc\INSTALL.INI 43, 48
  customizing 43
\rrpc\PCREC.TXT 43, 48
  customizing 43
\rrpcgui\RR.INI 47
  customizing 47

A
A0 image 13-14, 52, 54, 57-58
  See also base backup
  resetting 57
A1 image 13, 47
  See also administrator image
A2 image 13, 47
  See also administrator image
Access Connections
  overview 6
Access Help 76-78
  customizing 77
  overview 4
Access IBM 66-76
  customization tool 71
  customizing 70
  overview 4
Access IBM Message Center 87-94
  Access Support 88
    enabling 88
  local message 88
  Web messages 88
Access IBM Predesktop Area 78-87
  additional bootable areas 83
  data areas 84
  Hidden Protected Area based recovery solutions 79-81
  HPA header 82
  interrupt keys 84
  Partition based recovery solutions 78-79
Access Support 88
  enabling 88
access-config.ini 73
access-text.ini 73
additional bootable areas 83
administrator image 13, 47-48
  See also A1 image
  See also A2 image
  hiding 48
archive key pair 121, 145-146
Asset Depot 204, 206-207
  overview 3
  with IBM Director 204
  with ImageUltra Builder 206
  with Web-D 206-207

B
B image 14, 46-47
  See also incremental backup
BACKUP.BAT 209, 213
BackupSchedule 45, 53
BackupScheduleMod.zip 57, 216
BackupThrottlePriority 46
BackupThrottleSleep 46
base backup 13, 21-23, 34, 49, 54, 57-58
  See also A0 image
  definition 13
  resetting 57
BEER
  See boot engineering extension record
biometrics devices 103
boot engineering extension record 82

C
C image 14, 46
  See also incremental backup
CLEANUP.BAT 210, 214
Client Security Password Manager 101-102, 106, 135-139
  downloading the software 106
  installing 112
  limitations 106
  overview 101
  using 135-139
Client Security Software 99-101, 152
  administrator console 144
  components 99
  configuring 121-127
  downloading the software 106
  File and Folder Protection 99, 129, 140, 142, 160
  fingerprint reader
    installing 111
  installing 109
  installing prerequisite device drivers 108
  registering fingerprints 131-133
  unattended installation 113-117
  uninstalling 152
  upgrading 117-120
  User Verification Manager aware 103
  modifying security settings 127-130
  overview 100
  using the policy editor 134
  with Lotus Notes 133, 142
CSS
  See Client Security Software
CumulativeAfterOverinstall 47

D
data areas 84
DeployCenter 55

E
EFS
  See Encrypted File System
Embedded Security Chip 98-101, 103, 105, 107
  clearing
    ThinkCentre 156
    ThinkPad 155
  overview 98, 103
  restoring keys 146
Embedded Security Subsystem 97-173, 182-183
  Client Security Password Manager 101-102, 106, 135-139
    installing 112
    limitations 106
    overview 101
    using 135-139
  Client Security Software 99-101, 152
    administrator console 144
    components 99
    configuring 121-127
    File and Folder Protection 99, 129, 140, 142, 160
    fingerprint reader
      installing 111
    installing 109
    installing prerequisite device drivers 108
    registering fingerprints 131-133
    unattended installation 113-117
    uninstalling 152
    upgrading 117-120
    User Verification Manager aware 103
    modifying security settings 127-130
    overview 100
    using the policy editor 134
    with Lotus Notes 133, 142
  downloading the software 106
  File and Folder Encryption 102-103, 105, 139-142
    considerations 105
    installing 112
    overview 102
    using 139-142
  overview 4
  Troubleshooting 153
  with Rapid Restore Ultra 182-183
EnableSingleFileRestore 44
Encrypted File System 59
ESS
  See Embedded Security Subsystem

F
FFE
  See File and Folder Encryption
File and Folder Encryption 59, 102-103, 105, 139-142
  considerations 105
  downloading the software 106
  installing 112
  overview 102
  using 139-142
File and Folder Protection 99, 129, 140, 142, 160
fingerprint reader 98, 103-104, 222
  installing 111
FullSilentInstallFromDesktop.zip 52, 216

G
Ghost 5
GUIGroup 15, 43, 48, 53

H
Hidden Protected Area 15, 21, 48-50, 54, 79-84
  additional bootable areas 83
  data areas 84
  defined 15, 79
  HPA header 82
  main areas 81
Hidden Protected Area based recovery solutions 79-81
HIDE_CONGRAT 46
HideExclude 47
HideLEImages 48
HPA
  See Hidden Protected Area
HPA header 82

I
IBM Director 6, 189-199, 204
  overview 6
  with Asset Depot 204
  with Rapid Restore Ultra 189-199
IBM_SERVICE partition 43-45, 48-51, 59
  configuration 44-45
  creation 49-51
  drive letter 59
ImageUltra Builder 58, 179, 183-184, 205-206
  overview 4
  with Asset Depot 206
  with Web-D 205-206
INCBCKUP.BAT 209, 212
incremental backup 13-14, 21, 23, 26, 34, 37, 52, 54, 57-59
  See also B image
  See also C image
  caveat 26
  definition 13
  restoring individual files 37
  with sysprep image 57
interrupt keys 84

M
machine-specifics.csv 73
managed-recovery 11

P
PARTIES
  See Protected Area Runtime Interface Extension Services
Partition based recovery solutions 78-79
PartitionMagic 61-62, 142
PCREC.INI 14, 43, 56-57
  modifying 56
PEMaxStor 44-45
PEMinStor 44-45
PKCS
  See Public-Key Cryptography Standard
PKI
  See Public Key Infrastructure
PowerQuest
  BootMagic 17
  DeployCenter 55
  DriveImage 5, 85
  PartitionMagic 61-62, 142
PREPARE.BAT 209, 212
Protected Area Runtime Interface Extension Services 78
  See also Hidden Protected Area
Public Key Infrastructure 97-98
Public-Key Cryptography Standard 99, 105, 129, 151-152

R
Rapid Restore Ultra 11-64, 81, 182-204
  \INSTALL.INI
    customizing 43
  \rrpc\INSTALL.INI
    customizing 43
  \rrpc\PCREC.TXT
    customizing 43
  \rrpcgui\RR.INI
    customizing 47
  A0 image 13-14, 52, 54, 57-58
    resetting 57
  A1 image 13, 47
  A2 image 13, 47
  administrator image 13, 47-48
    hiding 48
  archiving backups 28

K
key archive 116, 119, 145147, 153

L
LPC Bus device driver 108, 113

Index

227

6060IX.fm

Draft Document for Review September 30, 2003 10:38 am RedoA0.zip 57, 216 registering fingerprints 131133 Remote Deployment Manager 6, 199204 overview 6 with Rapid Restore Ultra 199204 RESTORE.BAT 210, 214 restoring individual files 12, 15, 37 caveat 37 disabling 44 steps 37 restoring your system 2938 from archived CDs 36 pre-OS mode 31 USB drive 35 Windows mode 30 RR.INI 5657 modifying 57 RRUJOB.BAT 209, 212 RRUTIME.BAT 209210 RSA SecurID Software Token 104 RunAsService 17, 38, 4243, 48, 53, 59

backup methodology 13 base backup 13, 2123, 34, 49, 54, 5758 definition 13 resetting 57 C image 14 components 15 features 12 incremental backup 1314, 21, 23, 26, 34, 37, 52, 54, 5759 caveat 26 definition 13 restoring individual files 37 with sysprep image 57 installation 1523 One-time protection 21 Ongoing protection 20 overview 3 PCREC.INI 14, 43, 5657 modifying 56 requirements 16 restoring individual files 12, 15, 37 caveat 37 disabling 44 steps 37 restoring your system 2938 from archived CDs 36 pre-OS mode 31 USB drive 35 Windows mode 30 RR.INI 5657 modifying 57 run as a service 17, 38 scheduling backups 27 silent install 4851 sysprep image 52, 54, 5758 troubleshooting 60 uninstall 39 USB hard drive 13, 17, 1920, 23, 3536 caveat 17 enabling after install 23 restoring from 35 silent install support 48 with Embedded Security Subsystem 182183 with IBM Director 189199 with Remote Deployment Manager 199204 RDM See Remote Deployment Manager Redbooks Web site 223 Contact us xiv

S
SDA See Software Delivery Assistant Secure Data Disposal overview 5 SecurID 100 service partition 12, 15, 1922, 6263, 7879, 84, 95, 177, 179, 183185 size 61 startup diskette 21 ShowUninstall 43 silent install Rapid Restore Ultra 4851 SM Bus device driver 108, 113 SMA See Software Migration Assistant Software Delivery Assistant overview 5 SP_PSA 44 SPCreate.zip 50, 216 Symantec Ghost 56 sysprep image 52, 54, 5758 System Migration Assistant overview 5

228

Using ThinkVantage Technologies: Volume 2 Maintaining and Recovering Client Systems

Draft Document for Review September 30, 2003 10:38 am

6060IX.fm

T
Targus 98, 104, 222 fingerprint reader 98, 104, 222 install 111 TCG See Trusted Computing Group TCPA See Trusted Computing Platform Alliance ThresholdCBackupCnt 14, 46, 58 Tivoli Access Manager 100, 104, 107, 135, 150151 troubleshooting 170 Trusted Computing Group 99 Trusted Computing Platform Alliance 9899, 106, 108, 113, 117, 158

U
Uninstall 43 USB hard drive 13, 17, 1920, 23, 3536 caveat 17 enabling after install 23 restoring from 35 silent install support 48 User Verification Manager aware 103 modifying security settings 127130 overview 100 using the policy editor 134 with Lotus Notes 133, 142 UVM See User Verification Manager

W
Web-D 205207 overview 4 with Asset Depot 206207 with ImageUltra Builder 205206 WebSeal 100

Back cover

Using ThinkVantage Technologies: Volume 2 Maintaining and Recovering Client Systems


Simplify the PC lifecycle process through the use of ThinkVantage Technologies
Simple maintenance and recovery in corporate environments
Using the Technologies to lower costs

ThinkVantage Technologies bring your IBM PCs one step closer to being self-configuring, self-optimizing, self-protecting and self-healing, to help save you time and money throughout the life of your systems. In short, ThinkVantage Technologies let you focus your attention on your business rather than on your computers. ThinkVantage Technologies are software tools designed to help customers drive down IT support costs (in particular, the cost of managing and supporting a PC after its initial purchase), increase security and decrease the complexity of today's IT infrastructure.

This Redbook will help you maintain, recover and secure IBM and OEM desktop clients using the IBM ThinkVantage Technologies.

This Redbook is volume two of a two-volume set of ThinkVantage Technologies Redbooks. It describes how to maintain and recover client systems. The first Redbook is Using ThinkVantage Technologies, Volume 1: Creating and Deploying Client Systems.

INTERNATIONAL TECHNICAL SUPPORT ORGANIZATION

BUILDING TECHNICAL INFORMATION BASED ON PRACTICAL EXPERIENCE IBM Redbooks are developed by the IBM International Technical Support Organization. Experts from IBM, Customers and Partners from around the world create timely technical information based on realistic scenarios. Specific recommendations are provided to help you implement IT solutions more effectively in your environment.

For more information: ibm.com/redbooks


SG24-6060-00 ISBN
