IBM Client Security Software can only be used with IBM computers that contain the IBM Embedded Security Subsystem. This software consists of applications and components that enable IBM clients to secure their sensitive information through a secure hardware chip rather than through vulnerable software.

Before client user information can be protected, IBM Client Security Software must be installed on the client and users must be authorized to use the software. An easy-to-use Setup Wizard guides you through the entire installation process.

WARNING: At least one client user MUST be authorized to use UVM during setup. If NO user is authorized to use UVM when initially setting up Client Security Software, your security settings will NOT be applied and your information will NOT be protected.

If you completed the Setup Wizard without authorizing any users, shut down and restart your system; then run the Client Security Setup Wizard from the Windows Start menu and authorize a Windows user to use UVM. This will enable IBM Client Security Software to apply your security settings and protect your sensitive information.

New in this release

• IBM Password Manager 1.4 is included in the CSS installation package

• UPEK fingerprint reader supported in this release

• One-click installation installs all necessary files

• Variable length administrator password supported in this release

• New configuration option for novice users: typical configuration

• Only National TPMs and Atmel TPMs are supported in this release

• Only Targus USB fingerprint readers are supported in this release

• ThinkPad BIOS supervisor passphrase supported in this release

Note: If you are using a ThinkPad or NetVista computer with a security chip that is not TCG-compliant, you must use Client Security Software 5.3. Client Security Software 5.4 will not install successfully on these computers.

Required software versions to use with this release

• IBM Password Manager Release 1.4

• IBM File and Folder Encryption Release 2.10

Known issues or limitations in CSS Version 5.4

• Multiple administrator users cannot unlock a computer using fingerprint or smart card authentication only
  When the security policy does not require the UVM passphrase for authentication (i.e., when the security policy requires fingerprint or smart card authentication only), only the active administrator user can unlock the computer. If you want to be able to switch administrator users while the system is locked, passphrase authentication must be enabled.

• Passphrase problems possible after a restore operation
  Backup-and-restore utilities, such as IBM Rescue and Recovery, might cause password synchronization problems after completing a restore operation. Synchronization problems will result after restoring the computer to a backup taken prior to when the passphrase was changed. The described operation will result in the restored passphrase being out of synchronization with the passphrase stored in the security subsystem. When the computer is in this state, users cannot be added and the policy cannot be changed.

  To resolve this situation, clear the security chip and then use the restored password (the password used when the backup was taken) to re-synchronize Client Security Software and the security chip. This known limitation is caused by the inability of a backup-and-restore utility to back up the state of the security chip.

• Limited users are unable to uninstall the File and Folder Encryption utility (FFE)
  Limited users will not be able to uninstall FFE even though the button to uninstall FFE looks enabled. Administrator privileges are required to uninstall FFE.

• Other utilities might be confused with IBM Client Security Password Manager
  Users might be presented with a different Password Manager interface even after installing IBM Client Security Password Manager. Both Netscape and Microsoft support a software-based password manager for use with their browsers. These utilities should not be confused with the hardware-based IBM Client Security Password Manager.

• Multiple fingerprint readers are not supported
  Client Security Software 5.4 does not support more than one fingerprint software on one computer at the same time. To use a different fingerprint reader, the current fingerprint software must be uninstalled.

• Wireless network connection fails after transferring a user certificate
  Leaving the passphrase dialog open without entering a passphrase for an extended period might cause your wireless network connection to fail. If this occurs, disable and re-enable your wireless adapter after authenticating to IBM User Verification Manager (UVM).

• Simultaneous right-click encryption attempts might fail
  Attempting to encrypt multiple files at once using the right-click button might cause the encryption to fail. This is most likely to happen if the first file is very large. If this occurs, use the right-click button to encrypt the files individually.

• Fingerprint or smart card override passwords for limited users
  When an administrator updates a user fingerprint or smart card override password using the Administrator Console, an updated file is generated and placed in the user archive directory. The end user must then copy this updated file from the archive into the correct directory on the system. The usual means for doing this is to select Restore user configuration from archive in the User Configuration Utility. However, this option is only available to users with administrator privileges on the computer. Limited users are not be able to retrieve an updated override password. Limited users must have an administrator manually copy the appropriate file to the Windows directory on the system.

• Guest users cannot use the File and Folder Encryption or Password Manager utilities
  The File and Folder Encryption or Password Manager utilities do not permit access to a guest user even though the guest user account is displayed in the Administrator Utility.

• Roaming limitations

  • Using a CSS roaming server

    The CSS administrator password prompt will display whenever someone attempts to log on to the CSS roaming server. However, the computer can be used normally without entering this password.

  • Using the IBM Client Security Password Manager in a roaming environment

    Passwords stored on one system using IBM Client Security Password Manager can be used on other systems within the roaming environment. New entries are automatically retrieved from the archive when the user logs onto another system (if the archive is available) in the roaming network. Therefore, if a user is already logged onto one system, he must log off and log on again before any new entries will be available on the roaming network.

  • Internet Explorer certificate and roaming refresh delays

    Internet Explorer certificates are refreshed in the archive every 20 seconds. When a new Internet Explorer certificate is generated by a roaming user, the user must wait at least 20 seconds before importing, restoring, or changing his CSS configuration on another system. Attempting any of these actions before the 20 second refresh interval will cause the certificate to be lost. Also, if the user was not connected to the archive when the certificate was generated, the user should wait 20 seconds after connecting to the archive to be sure the certificate is updated in the archive.

  • Lotus Notes password and credential roaming

    If Lotus Notes support is enabled, users' Lotus Notes password will be stored by UVM. Users will not need to enter their Notes password to log on to Lotus Notes. They will be asked for their UVM passphrase, fingerprint, smart card, etc. (depending on the security policy settings) to gain access to Lotus Notes.

    If a user changes his Notes password from within Lotus Notes, the Lotus Notes ID file is updated with the new password and UVM's copy of the new Notes password is also updated. In a roaming environment, the user's UVM credentials will be available on other systems on the roaming network that the user can access. It is possible that UVM's copy of the Notes password might not match the Notes password in the ID file on other systems in the roaming network if the Notes ID file with the updated password is not also available on the other system. If this occurs, the user will not be able to access Lotus Notes.

    If a user's Notes ID file with updated password is not also available on another system, the updated Notes ID file should be copied to the other systems in the roaming network so that the password in the ID file will match the copy stored by UVM. Alternately, users can run Modify Your Security Settings from the Start Menu, and change the Notes password back to the old value. The Notes password can then be updated again via Lotus Notes.

  • Credential availability at logon in a roaming environment

    When an archive is located on a network share, the latest sets of user credentials are downloaded from the archive as soon as the user has access to the archive. At logon, users do not yet have access to network shares, so the latest credentials might not be downloaded until after system logon is complete. For example, if the UVM passphrase was changed on another system in the roaming network, or new fingerprints were registered on another system, those updates will not be available until the logon process is complete. If updated user credentials are not available, users should try the previous passphrase or other registered fingers to log on to the system. After log on is complete, the user's updated credentials will be available and the new passphrase and fingerprints will be registered with UVM.

  • Using Netscape in a roaming environment

    If you are using Netscape in a roaming environment, all systems in the roaming network must use the same version of Netscape. Credentials cannot be used on different versions, such as 4.8 and 7.1

• Restoring keys

  After performing a key restore operation, you must restart the computer before you can continue using Client Security Software.

• Local and domain user names

  If domain and local user names are the same, you should use the same Windows password for both accounts. IBM User Verification Manager only stores one Windows password per ID, so users should use the same password for local and domain logon. If not, they will be prompted to update the IBM UVM Windows password when they switch between local and domain logons when IBM UVM secure Windows logon replacement is enabled.

  CSS does not provide the ability to enroll separate domain and local users with the same account name. If you attempt to enroll local and domain users with the same ID, the following message is displayed: The selected user ID has already been configured. CSS does not allow separate enrolling of common domain and local user ID's on one system so that the common user ID will have access to the same set of credentials, like certificates, stored fingerprints, etc.

• Re-installing Targus fingerprint software

  If the Targus fingerprint software is removed and re-installed, the needed registry entries for enabling fingerprint support in Client Security Software must be added manually for fingerprint support to be enabled. Download the registry file that contains the needed entries (atplugin.reg) and double-click it to have the registry entries merged into the registry. Click Yes, when prompted, to confirm this operation. The system must be rebooted for Client Security Software to recognize the changes and enable fingerprint support.

  Note: You must have administrator privileges on the system in order to add these registry entries.

• Targus USB fingerprint reader

  If you change the port that the Targus USB fingerprint reader is connected to, the IBM User Verification Manager might experience problems recognizing user fingerprints. If this occurs, switch the USB reader back to the port it was originally attached to.

• BIOS supervisor passphrase

  IBM Client Security Software 5.3 and earlier does not support the BIOS supervisor passphrase feature available on some ThinkPad systems. If you enable use of the BIOS Supervisor Passphrase, any enabling and disabling of the security chip must be done from BIOS Setup. The IBM Embedded Security Subsystem will not be enabled during interactive installation when a BIOS supervisor password has been set.

• Using Netscape 7.x

  Netscape 7.x behaves differently from Netscape 4.x. The passphrase prompt does not appear as soon as Netscape is started. Rather, the PKCS#11 module is only loaded when needed, so that the passphrase prompt only appears when performing an operation that requires the PKCS#11 module.

• Using a diskette for archiving

  If you specify a diskette as your archive location when configuring the security software, long delays will be experienced as the configuration process writes data to the diskette. Some other medium, such as a network share or a USB key, might be a superior archive location.

• Registering smart cards

  Smart cards must be registered with UVM before a user can successfully authenticate using the card. If one card is assigned to multiple users, only the last user to register the card will be able to use the card. Consequently, smart cards should be registered for one user account only.

• Authenticating with smart cards

  If a smart card is required for authentication, UVM will display a dialog requesting the smart card. When the smart card is inserted in the reader, a dialog requesting the smart card PIN will be displayed. If the user enters an incorrect PIN, UVM will request the smart card again. The smart card must be removed and re-inserted before the PIN can be re-entered. Users must continue to remove and re-insert the smart card until the correct PIN for the card is entered.

• The plus (+) character is displayed on folders after encryption

  After encrypting files or folders, Windows Explorer might display an extraneous plus (+) character before the folder icon. This extra character will disappear when the Explorer window is refreshed.

• File count after right-click encryption

  When attempting to encrypt multiple files using the right-click encryption function, the operation might fail if any of the files being encrypted are of a prohibited type, such as DLL, VxD, SYS, etc. When the right-click operation fails, the number of files not encrypted displayed in the error window might be incorrect.

• Archiving user credentials

  IBM Client Security Software attempts to keep backup information stored in the archive up-to-date by frequently backing up the information on the system into the archive directory (specified during configuration of the security subsystem). If this archive directory is stored on a removable media drive, such as a USB key, or on a network share, the archive directory might not always be available. In the event that CSS cannot access the archive directory, a message prompt will be displayed indicating that the archive is not available. Clicking Cancel will merely cancel the attempt to backup a specific file, and CSS might be attempting to backup multiple files so that the message might be displayed multiple times. In order to avoid having this message displayed repeatedly when the archive is not available, select the Do not show this message again check box. The warning message will not be displayed again.

• Windows XP Home limited user limitations

  Windows XP Home limited users cannot update their UVM passphrase, Windows password, or update their key archive using the User Configuration Utility.

• A system POST 190 error might occur when installing a new system board.

To clear the POST error, complete the following procedure:

1. Restart your computer.

2. Press F1 to enter the BIOS Setup Utility when prompted.

3. Exit the BIOS Setup Utility.

The POST error will be cleared when you exit the BIOS Setup Utility.

CSS 5.4: Supported GINAs

• IBM Access Connections GINA (qcongina.dll)

• Utimaco SafeGuard Easy GINA (sslogon.dll)

• Atheros Wireless GINA (athgina.dll)

• Intel Wireless GINA (iWPDGina.dll)

Upgrading from Release 4.0x

To completely remove Client Security Software, simply uninstall Client Security Software Release 4.0x from the Control Panel Add/Remove Programs applet. After restarting the computer, Client Security Software Release 5.4 can be installed and configured through the Setup Wizard.

To complete the following procedure, you will need the public and private keys that were created when Release 4.0x was configured. Be sure to have them available.

To remove Client Security Software Release 4.0x, but use your existing security data with Release 5.4, complete the following procedure:

1. Update the archive information.
   Before removing Client Security Release 4.0x, be sure the archive information is up-to-date. This can be done by completing the following procedure:

   1. Click Start > Programs > IBM Client Security Software >Client Utility.

   2. Click the Update Archive button. This updates the backup information. Take note of the archive directory.

   3. Exit the utility.

2. Remove the existing Client Security Software from the computer, using the following procedure:

   1. From the Control Panel, use Add/Remove Programs to remove IBM Client Security Software.

   2. Select No when prompted for reboot.

   3. Shut down the system using the Start menu.

3. Clear the Embedded Security Chip, using the following procedure:

1. Power up the system.

2. Press F1 during startup to enter the BIOS Setup Utility.

3. Go to Security Chip Settings and clear the security chip.

4. Exit BIOS Setup and the system will continue to reboot.

   Note: You might need to press and hold the Fan key during startup. The Chip Clear procedure varies between systems. Refer to the user guide that came with your computer.

4. Install IBM Client Security Release 5.4, using the following procedure:

1. Run the Release 5.4 installation program.

2. Reboot when prompted. After reboot, the Client Security Setup Wizard will automatically launch.

3. Do not run the Setup Wizard. Rather, click Cancel to exit.

5. Temporarily back up default security policy, using the following procedure:

1. Using Windows Explorer, go to the IBM Client Security Software install directory (default is c:\program files\IBM\security).

2. Right-click the UVM_Policy folder and select Copy.

3. Right-click the desktop and select Paste. This will create a temporary backup on the desktop. Note that your existing security policy settings will be replaced with new defaults.

6. Restore settings from Release 4.0, using the following procedure:

   1. From the Control Panel, select the IBM Embedded Security System, and enter the chip password.

   2. Click the Key Configuration button.

   3. Select Yes to restore keys from the key archive.

   4. Provide the location of the Release 4.0 archive directory.

   5. Provide the location of the public and private key files that were created when Release 4.0x was configured. You will be notified that your archive will be updated for the new release.

   6. Click OK.

   7. Provide a location to create new (Release 5.4) archive keys. Be sure to create the keys in a location different from the location of your existing Release 4.0x archive keys. If you have administrator keys you already created for Release 5.4 on another system, you can select Use an existing CSS Archive key pair and provide the location of the existing keys.

   8. Click Next. Your archive will be converted and restored.

   9. Exit the application when finished.

7. Restore policy settings

8. Using Windows Explorer, go to the IBM Client Security Software install directory (default is c:\program files\IBM\security).

9. Using the left mouse button, drag the UVM_Policy folder from the desktop to the IBM Client Security Software install directory.

10. Answer 'Yes' to all warnings.

Your security data has now been migrated from Release 4.0 to Release 5.4.

If you previously changed your security policy in Release 4.0x, you might want to re-submit your security policy settings by running the IBM Embedded Security Subsystem from the Control Panel. Click Configure Application Support and Policies and then Application Policy, and then Edit Policy.