140 Security Management
553-3001-230 Standard 10.01 September 2007

• TM 3.0 Windows client passwords are encrypted using Crypto APIs prior to transmission. The same private key is used by both the client and the server.

• For TM 3.0 Web clients, by default, clear text passwords are used; however, if the TM 3.0 server has the proper certificate installed, the use of SSL encrypted transport during authentication can be forced. To use the SSL during the authentication process, the TM 3.0 server must have the required certificate installed as described in “Configuring Secure Sockets Layer (SSL)” on page 89. Click the Use SSL for Web login authentication check box after installing the certificate.

Before using SSL on the TM 3.0 server, the TM 3.0 server must have the required certificate installed as described in “Configuring Secure Sockets Layer (SSL)” on page 89. If “Use SSL for Web login authentication” is selected, Web login is performed using https://... instead of http://... and traffic is encrypted. The TM 3.0 server automatically switches to non-SSL transport when the user is successfully authenticated.

• If CND authentication is used, the following sequence is used:
— The TM 3.0 server tests to determine whether the Directory server offers SSL-based authentication.
— If SSL is supported by the Directory server, passwords are encrypted before transmission using a Public-Private key pair negotiated through the CND mechanism.
— If SSL is not supported, passwords are transmitted as clear text.

• All passwords, including passwords to access the system, are stored in the TM 3.0 database in an encrypted format. Crypto API, the standard Windows Security Provider encryption service, is used for this purpose.

Blank passwords

TM 3.0 does not support blank passwords.

User management

There are two major categories of users within TM 3.0 — Navigator users and end users. Access for these users is controlled by configuring Navigator users in the TM 3.0 Users window, and end users in the Employee Editor.