Novell SecretStore 3.4.x Administration Guide

Category
Software
Type
Administration Guide
Novell®
www.novell.com
novdocx (en) 25 June 2008
AUTHORIZED DOCUMENTATION
Novell SecretStore 3.4.x Administration Guide
SecretStore
®
3.4
November 15, 2006
Administration Guide
novdocx (en) 25 June 2008
Legal Notices
Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and
specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose.
Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time,
without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims
any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc.
reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to
notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the
trade laws of other countries. You agree to comply with all export control regulations and to obtain any required
licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities
on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export
laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses.
Please refer to www.novell.com/info/exports/ for more information on exporting Novell software. Novell assumes no
responsibility for your failure to obtain any necessary export approvals.
Copyright © 2006 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied,
stored on a retrieval system, or transmitted without the express written consent of the publisher.
Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this
document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S.
patents listed at http://www.novell.com/company/legal/patents/ and one or more additional patents or pending patent
applications in the U.S. and in other countries.
Novell, Inc.
404 Wyman Street, Suite 500
Waltham, MA 02451
U.S.A.
www.novell.com
Online Documentation: To access the online documentation for this and other Novell products, and to get
updates, see www.novell.com/documentation.
novdocx (en) 25 June 2008
Novell Trademarks
Novell is a registered trademark of Novell, Inc., in the United States and other countries.
SUSE is a registered trademark of Novell, Inc., in the United States and other countries.
Third-Party Materials
All third-party trademarks are the property of their respective owners.
novdocx (en) 25 June 2008
Contents 5
Contents
novdocx (en) 25 June 2008
About This Guide 7
1 Novell SecretStore Overview 9
1.1 Server and Workstation Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
1.1.1 Server Components. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
1.1.2 Workstation Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
1.2 SecretStore Service Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
1.3 How SecretStore Works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
1.3.1 Single Sign-On Authentication Process. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
2 Installing SecretStore 21
2.1 Installing SecretStore on a NetWare Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
2.1.1 NetWare Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
2.1.2 Installing the SecretStore Service on NetWare . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
2.1.3 Synchronizing Replicas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
2.2 Installing SecretStore on a Windows Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
2.2.1 Windows NT/2000/XP Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
2.2.2 Installing or Upgrading NICI. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
2.2.3 Installing the SecretStore Service on Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
2.2.4 Synchronizing Replicas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
2.3 Installing SecretStore on a Solaris, Linux, AIX, or HP-UX Server . . . . . . . . . . . . . . . . . . . . . . 23
2.3.1 Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
2.3.2 Installing the SecretStore Service on Solaris, Linux, AIX, or HP-UX. . . . . . . . . . . . . 24
2.3.3 Synchronizing Replicas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
2.4 Installing the SecretStore Client on Workstations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
2.4.1 Workstation Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
2.4.2 Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
2.5 Uninstalling SecretStore. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
2.5.1 Uninstalling SecretStore on NetWare Servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
2.5.2 Uninstalling SecretStore on Solaris, Linux, AIX, or HP-UX . . . . . . . . . . . . . . . . . . . . 29
2.5.3 Uninstalling SecretStore on Workstations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
3 Managing SecretStore 31
3.1 Managing SecretStore Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
3.1.1 SecretStore Objects. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
3.1.2 Viewing and Changing Settings on Objects. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
3.1.3 Customizing Settings for Groups or Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
3.2 Setting Up a SecretStore Administrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
3.2.1 Adding Advanced Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
3.3 Sharing Secrets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
3.3.1 Example Configuration: Sharing Secrets with Novell Products . . . . . . . . . . . . . . . . . 37
3.4 Managing Secrets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
3.4.1 Adding a Secret . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
3.4.2 Editing a Secret . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
3.4.3 Removing a Secret . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
3.4.4 Unlocking a Secret. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
3.4.5 Viewing a Secret . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
3.4.6 Viewing a Secret's Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
6 Novell SecretStore 3.4.x Administration Guide
novdocx (en) 25 June 2008
3.5 Using Enhanced Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
3.5.1 Locking SecretStore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
3.5.2 Setting a Master Password and Hint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
3.5.3 Using SecretStore Manager to Set a Master Password . . . . . . . . . . . . . . . . . . . . . . 42
3.5.4 Using SecretStore Status to Set a Master Password . . . . . . . . . . . . . . . . . . . . . . . . 42
3.5.5 Using Disconnected Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
3.6 Testing SecretStore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
3.6.1 Testing the Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
3.6.2 Making Advanced Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
3.7 Viewing Information about SecretStore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
3.8 Using Server Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
4 Troubleshooting SecretStore 49
4.1 Where to Install . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
4.2 Setting Up a Tree Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
4.3 Reading Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
4.4 Merging Trees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
4.5 ‘Not Available’ Displays for Last Admin Unlock Time Stamp . . . . . . . . . . . . . . . . . . . . . . . . . . 49
A Sharing Secrets with Novell Portal Services 51
A.1 Specifying an NPS SecretStore Provider. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
A.1.1 Adding a Setting to the PortalServlet.properties file . . . . . . . . . . . . . . . . . . . . . . . . . 51
A.1.2 Adding a Setting to the Portal Configuration Object . . . . . . . . . . . . . . . . . . . . . . . . . 51
A.2 Configuring NPS to Share Secrets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
B Novell SecretStore Error Codes 53
B.1 SecretStore Return Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
About This Guide 7
novdocx (en) 25 June 2008
About This Guide
This guide is for network administrators. It provides information on the following:
Chapter 1, “Novell SecretStore Overview,” on page 9
Chapter 2, “Installing SecretStore,” on page 21
Chapter 3, “Managing SecretStore,” on page 31
Chapter 4, “Troubleshooting SecretStore,” on page 49
Appendix A, “Sharing Secrets with Novell Portal Services,” on page 51
Appendix B, “Novell SecretStore Error Codes,” on page 53
Documentation Updates
For the most recent version of the Novell SecretStore 3.x Administration Guide, see SecretStore
(http://www.novell.com/documentation-index/index.jsp) on the Novell
®
documentation Web site.
Documentation Conventions
In this documentation, a greater-than symbol (>) is used to separate actions within a step and items
within a cross-reference path.
A trademark symbol (
®
,
TM
, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party
trademark.
8 Novell SecretStore 3.4.x Administration Guide
novdocx (en) 25 June 2008
Novell SecretStore Overview
1
9
novdocx (en) 25 June 2008
1
Novell SecretStore Overview
Novell
®
SecretStore
®
is a simple and secure password management solution. SecretStore enables
you to use a single authentication to Novell eDirectory
TM
to access most UNIX*, Windows*, Web,
and mainframe applications.
After you've authenticated to eDirectory, SecretStore-enabled applications store and retrieve the
appropriate login credentials. When you use SecretStore, you eliminate the need to remember or
synchronize all the multiple passwords required for accessing password-protected applications, Web
sites, and mainframes.
NOTE: SecretStore 3.4.x has the same functionality as earlier versions, but is built on eDirectory
8.8.x, rather than eDirectory 8.7.3.x used in earlier versions.
This section provides information on the following:
Section 1.1, “Server and Workstation Components,” on page 9
Section 1.2, “SecretStore Service Objects,” on page 13
Section 1.3, “How SecretStore Works,” on page 14
1.1 Server and Workstation Components
This topic describes SecretStore components for servers and workstations.
1.1.1 Server Components
“NetWare Servers” on page 9
“Linux, Solaris, or AIX Servers” on page 10
“HP-UX Servers” on page 10
“Windows Servers” on page 10
NetWare Servers
Filename Description
sssi.nlm The Novell SecretStore installation NetWare Loadable Module
TM
(NLM). Sssi.nlm extends
the eDirectory schema, installs the Novell SecretStore server and its plugins (sss.nlm,
ssldp.nlm, and ssncp.nlm), configures the eDirectory LDAP server to enable SecretStore
extensions, and initializes or validates the Security Domain Infrastructure (SDI) on
NetWare
®
.
You use nwconfig.nlm to load sssi.nlm.
NOTE: On UNIX, the ss_install script is the equivalent of sssi.nlm. Windows Server* has its
own complete GUI install.
10 Novell SecretStore 3.4.x Administration Guide
novdocx (en) 25 June 2008
Linux, Solaris, or AIX Servers
HP-UX Servers
Windows Servers
sss.nlm The Novell SecretStore service.
SecretStore provides a secure infrastructure for storing and retrieving secrets and
credentials in eDirectory. SecretStore uses NICI and SDI to safely and securely store a
user's secrets.
Novell SecureLogin, Novell Portal Services, and Novell iChain
®
all provide single sign-on
functionality to applications that use SecretStore.
Upon a successful authentication of the user to an application, the SecretStore-enabled
application stores the application's login credential in SecretStore. From then on, when the
user logs in to eDirectory and launches the application, the single sign-on client retrieves
the application password from SecretStore, provides it to the application or Web site in the
background, and authenticates the user.
ssldp.nlm The SecretStore LDAP transport plug-in.
sssncp.nlm The SecretStore NCP
TM
transport plug-in.
lsss.nlm The LDAP SecretStore extension manager. Enables applications to use the Lightweight
Directory Access Protocol (LDAP) to store secrets.
Filename Description
libsss.so The SecretStore service.
libssldp.so The SecretStore LDAP transport plug-in.
libssncp.so The SecretStore NCP transport plug-in.
liblsss.so The LDAP SecretStore extension manager.
Filename Description
libsss.sl The SecretStore service.
libssldp.sl The SecretStore LDAP transport plug-in.
libssncp.sl The SecretStore NCP transport plug-in.
liblsss.sl The LDAP SecretStore extension manager.
Filename Description
sss.dlm The SecretStore service.
ssldp.dlm The SecretStore LDAP transport plug-in for Windows.
Filename Description
Novell SecretStore Overview 11
novdocx (en) 25 June 2008
For more information on SecretStore, see the following:
SecretStore-related information in Novell Developer Kits, available at:
Novell SecretStore Developer Kit for C (http://developer.novell.com/ndk/ssocomp.htm)
Novell SecretStore Developer Kit for Java (http://developer.novell.com/ndk/nssoj.htm)
Novell AppNotes, May, 2003, A Technical Overview of Novell SecretStore 3.2 (http://
support.novell.com/techcenter/articles/dnd20030503.html)
Novell AppNotes, June, 2003, Understanding the Novell SecretStore 3.2 APIs (http://
support.novell.com/techcenter/articles/dnd20030603.html)
1.1.2 Workstation Components
For the SecretStore 3.4.x service release, the SecretStore client requires the following components:
NICI client: Enables the SecretStore client to provide all the encrypted traffic between SecretStore,
the SecretStore client, the Novell Modular Authentication Services (NMAS
TM
) client, and
application connectors.
NMAS client: Enables single sign-on users (online or offline) to authenticate to eDirectory.
The NMAS client can confirm authentication during the following situations:
You are not logged in to eDirectory.
You are logged in to an eDirectory tree that is different from the one that the single sign-on
client synchronizes with.
A default timeout has occurred.
SecretStore client: Provides the mechanism to access the SecretStore service and ensure secure
transmission of secrets to and from eDirectory.
The SecretStore client collects secrets (for example, usernames and passwords), recognizes an
application credential or password field, and helps to authenticate users by passing the credentials to
the application.
The SecureLogin client enables anyone to use applications without repeatedly entering passwords.
A user can be logged in to or disconnected from a network.
NOTE: The NCP protocol is supported only on the Windows client platform.
SecretStore snap-in to ConsoleOne (sssnapin.exe): Enables administrators or users to
create, configure, and administer SecretStore components.
Novell eDirectory automatically installs ConsoleOne
®
on a server. However, to use ConsoleOne,
you install the SecretStore snap-in to ConsoleOne on a client workstation (or to a directory on a
server) and run ConsoleOne from a workstation.
ssncp.dlm The SecretStore NCP transport plug-in for Windows.
lsss.dll The LDAP SecretStore extension manager.
Filename Description
12 Novell SecretStore 3.4.x Administration Guide
novdocx (en) 25 June 2008
The SecretStore installation program installs the snap-in. You can run the ConsoleOne snap-in on
your workstation provided you have also installed the NICI component.
SecretStore Manager: Enables users to perform basic maintenance tasks on their SecretStore.
SecretStore Manager protects secrets by requiring NMAS authentication before a user can view
secrets.
Although SecretStore Manager is not intended as the primary interface to SecretStore, it helps users
manage SecretStore secrets.
The following figure illustrates SecretStore Manager:
SecretStore Status: Enables users to set their master passwords, unlock SecretStore, switch
between eDirectory trees, or switch between eDirectory usernames associated with different trees or
servers.
SecretStore Status is a light version of SecretStore Manager. The following figure illustrates
SecretStore Status:
Novell SecretStore Overview 13
novdocx (en) 25 June 2008
1.2 SecretStore Service Objects
This topic explains how SecretStore server components, workstation components, and eDirectory
objects work together. This background prepares you for installing, setting up, managing, using, and
troubleshooting SecretStore.
SecretStore: A Container object, located within eDirectory's security container, that can hold
default SecretStore service settings.
This object is automatically named SecretStore and placed in the Security container.
The SecretStore system requires at least one SecretStore Container object. The SecretStore object
can contain sssServerPolicyOverride objects.
The following figure illustrates a SecretStore object.
sssServerPolicyOverride object: Objects that enable you to customize access to applications,
depending on group or user needs for different parts of the tree.
sssServerPolicyOverride objects reside in the SecretStore Container object. Each
sssServerPolicyOverride object must take the name of the context that the Group or User objects are
in.
As the next step, the server servicing the replicas of that container should be configured to load with
/o= option on the command line to use the override.object DN for the users in that container, as
shown in the following example:
load sss /o=RSDev.digitalairlines.SecretStore.Security
This configuration permits the server to advertise itself to the root of the partition with the specified
override.object DN. To minimize the amount of tree walking by the SecretStore client, you can
define the sssServerPolicyOverrideDN attribute for individual users, organizational unit,
14 Novell SecretStore 3.4.x Administration Guide
novdocx (en) 25 June 2008
organization, etc. This allows the SecretStore client to read this attribute, search the root of the
partition for the server that supports that override configuration, then connect the user to that read/
write replica for SecretStore access.
The following figure illustrates an sssServerPolicyOverride object:
Scenario. You want to provide more liberal restrictions for groups and users in the RSDev context.
This object is in the digitalairlines Organization object. In ConsoleOne, you create a new
sssServerPolicyOverride object, name it RSDev.digitalairlines, and configure server options for this
new object.
The following figure illustrates the name-and-context relationship.
1.3 How SecretStore Works
SecretStore 3.x and above runs on AIX, Linux, Solaris, HP-UX, NetWare 5.x, NetWare 6.x, and
Windows 2000/NT.
The UNIX servers require Novell eDirectory 8.7.1 or later. (NICI is automatically installed during
server installation.)
The NetWare 5.x and NetWare 6.x servers can run NDS 7, as long as NICI 2.4 or later is installed.
However, we recommend that you upgrade to Novell eDirectory 8.8 or later.
Windows NT/2000 servers require eDirectory 8.7x and NICI 2.4 or later. The following figure
illustrates SecretStore running on these platforms:
Novell SecretStore Overview 15
novdocx (en) 25 June 2008
When you install SecretStore on these servers, the installation program installs the SecretStore
service on top of eDirectory and NICI. SecretStore plug-ins run on top of SecretStore.
The following figure illustrates the server NCP and LDAP protocol stacks on a server platform:
The following figure illustrates the client NCP and LDAP protocol stacks on a client workstation:
NICI 2.4
or later
Novell
eDirectory 8.7.X
AIX
Server
Solaris
Server
NetWare 5X or
NetWare 6
Servers
Linux
Server
Windows
NT/2000
Server
NCP 92 Access LDAP Access
SSL
LDAP Server
SSS LDAP Ext Handler
SSS LDAP Plug-in
LDAP Server
SSS LDAP Ext Handler
Novell SecretStore Service (SSS)
NICI
For wire
encryption
decryption
eDirectory
Server OS
Note: NCP-92 Access is only available on
NetWare server operating systems
16 Novell SecretStore 3.4.x Administration Guide
novdocx (en) 25 June 2008
The following figure illustrates the SecretStore client and server architecture in Java*:
SecretStore plug-ins include client APIs, NCP, and an LDAP extension.
You install administrative and SecretStore components on a Windows workstation and administer
SecretStore from there.
The following figure illustrates client software running on a Windows workstation:
NCP 92 Access
NSSS NCP-92 Plug-in
NSSS LDAP Plug-in
NSSS API
Enabler Application
SSL
LDAP
NICI
DS-API
NCP-92
Client 32 Requester
LDAP Access
Note: NCP-92 Access is only available on Windows client
operating systems, when Client 32 is installed
User
Application
Client
User Name
Password
1
6
25
3
4
eDirectory
SecretStore
(User Cedentials
Encrypted Using
NICI)
Java
application
that uses
this API
Server
Novell SecretStore Overview 17
novdocx (en) 25 June 2008
The following steps illustrate how SecretStore works:
1. A user logs in to eDirectory by using a password.
2. A successful login allows the user's secrets to be downloaded (when necessary) from
SecretStore to the workstation.
3. The user accesses a client-, Web-, or host-based application. The connection recognizes the
application and responds with the appropriate username and password from SecretStore.
If the connection does not discover matching credentials, the client prompts the user to add the
application. Secrets are synchronized when certain events occur or when the user connects to or
disconnects from eDirectory.
1.3.1 Single Sign-On Authentication Process
The figures below describe the process of single sign-on authentication and show how an enabled
application can interface with SecretStore, read and write secrets, and authenticate the user.
Authentication without SecretStore
For purposes of comparison, the following figure illustrates how a user might authenticate to a
network application that isn’t enabled for single sign-on.
1. The user runs a network application.
2. The application calls the authentication module.
NCP92
Server
SSS
API
ConsoleOne
SecretStore
Manager
SecretStore
Status
ConnectorsApplication
Workstation
LDAP
(version 3
or later)
Workstation
Network
Application
User
1
5
2
4
Login
3
18 Novell SecretStore 3.4.x Administration Guide
novdocx (en) 25 June 2008
3. The module prompts the user to log in. The user submits credentials (for example, a user ID or
smart card) and secrets (for example, a password or PIN), then authenticates.
4. The authentication module notifies the application that access has been granted.
5. The user starts interacting with the application.
Initial Authentication to a SecretStore-Enabled Application
The following figure illustrates the first-time authentication to an application that has been enabled
for single sign-on with SecretStore.
1. The user runs an enabled network application.
2. The application calls the authentication module.
3. The module prompts the user to log in. The user submits credentials (for example, a user ID or
Smart Card) and secrets (for example, a password or PIN), then authenticates.
4. The authentication module updates Novell SecretStore with the user's verified authentication
information.
5. The authentication module notifies the application that access has been granted.
6. The user starts interacting with the application.
Subsequent Authentication to a SecretStore-Enabled Application
The following figure illustrates the processes involved in subsequent user authentication to a single
sign-on enabled application using SecretStore.
1. The user starts interacting with the application.
2. The application calls the authentication module.
3. The authentication module calls Novell SecretStore to retrieve the user's authentication secrets.
4. Novell SecretStore returns the user's authentication secrets (identification, secrets, etc.) to the
authentication module, and the user is authenticated.
Network
Application
User
1
5
2
4
Login
3
ID
ACCESS
ID
ACCESS
4
SecretStore
Network
Application
User
1
6
2
5
Login
ID
ACCESS
ID
ACCESS
3
SecretStore
4
Novell SecretStore Overview 19
novdocx (en) 25 June 2008
5. The authentication module notifies the application that access has been granted.
6. The user runs a single sign-on-enabled network application.
20 Novell SecretStore 3.4.x Administration Guide
novdocx (en) 25 June 2008
  • Page 1 1
  • Page 2 2
  • Page 3 3
  • Page 4 4
  • Page 5 5
  • Page 6 6
  • Page 7 7
  • Page 8 8
  • Page 9 9
  • Page 10 10
  • Page 11 11
  • Page 12 12
  • Page 13 13
  • Page 14 14
  • Page 15 15
  • Page 16 16
  • Page 17 17
  • Page 18 18
  • Page 19 19
  • Page 20 20
  • Page 21 21
  • Page 22 22
  • Page 23 23
  • Page 24 24
  • Page 25 25
  • Page 26 26
  • Page 27 27
  • Page 28 28
  • Page 29 29
  • Page 30 30
  • Page 31 31
  • Page 32 32
  • Page 33 33
  • Page 34 34
  • Page 35 35
  • Page 36 36
  • Page 37 37
  • Page 38 38
  • Page 39 39
  • Page 40 40
  • Page 41 41
  • Page 42 42
  • Page 43 43
  • Page 44 44
  • Page 45 45
  • Page 46 46
  • Page 47 47
  • Page 48 48
  • Page 49 49
  • Page 50 50
  • Page 51 51
  • Page 52 52
  • Page 53 53
  • Page 54 54
  • Page 55 55
  • Page 56 56
  • Page 57 57
  • Page 58 58
  • Page 59 59
  • Page 60 60
  • Page 61 61
  • Page 62 62
  • Page 63 63

Novell SecretStore 3.4.x Administration Guide

Category
Software
Type
Administration Guide

Ask a question and I''ll find the answer in the document

Finding information in a document is now easier with AI