Novell SecretStore 3.4.x Administration Guide

Brand: Novell

Model: SecretStore 3.4.x

Category: Software

Type: Administration Guide

Novell®

www.novell.com

novdocx (en) 25 June 2008

AUTHORIZED DOCUMENTATION

Novell SecretStore 3.4.x Administration Guide

SecretStore

3.4

November 15, 2006

Administration Guide

novdocx (en) 25 June 2008

Legal Notices

Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and

specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose.

Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time,

without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims

any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc.

reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to

notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the

trade laws of other countries. You agree to comply with all export control regulations and to obtain any required

licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities

on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export

laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses.

Please refer to www.novell.com/info/exports/ for more information on exporting Novell software. Novell assumes no

responsibility for your failure to obtain any necessary export approvals.

stored on a retrieval system, or transmitted without the express written consent of the publisher.

Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this

document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S.

patents listed at http://www.novell.com/company/legal/patents/ and one or more additional patents or pending patent

applications in the U.S. and in other countries.

Novell, Inc.

404 Wyman Street, Suite 500

Waltham, MA 02451

U.S.A.

www.novell.com

Online Documentation: To access the online documentation for this and other Novell products, and to get

updates, see www.novell.com/documentation.

novdocx (en) 25 June 2008

Novell Trademarks

Novell is a registered trademark of Novell, Inc., in the United States and other countries.

SUSE is a registered trademark of Novell, Inc., in the United States and other countries.

Third-Party Materials

All third-party trademarks are the property of their respective owners.

novdocx (en) 25 June 2008

Contents 5

Contents

novdocx (en) 25 June 2008

About This Guide 7

1 Novell SecretStore Overview 9

1.1 Server and Workstation Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

1.1.1 Server Components. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

1.1.2 Workstation Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

1.2 SecretStore Service Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

1.3 How SecretStore Works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

1.3.1 Single Sign-On Authentication Process. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

2 Installing SecretStore 21

2.1 Installing SecretStore on a NetWare Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

2.1.1 NetWare Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

2.1.2 Installing the SecretStore Service on NetWare . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

2.1.3 Synchronizing Replicas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

2.2 Installing SecretStore on a Windows Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

2.2.1 Windows NT/2000/XP Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

2.2.2 Installing or Upgrading NICI. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

2.2.3 Installing the SecretStore Service on Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

2.2.4 Synchronizing Replicas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

2.3 Installing SecretStore on a Solaris, Linux, AIX, or HP-UX Server . . . . . . . . . . . . . . . . . . . . . . 23

2.3.1 Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

2.3.2 Installing the SecretStore Service on Solaris, Linux, AIX, or HP-UX. . . . . . . . . . . . . 24

2.3.3 Synchronizing Replicas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

2.4 Installing the SecretStore Client on Workstations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

2.4.1 Workstation Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

2.4.2 Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

2.5 Uninstalling SecretStore. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

2.5.1 Uninstalling SecretStore on NetWare Servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

2.5.2 Uninstalling SecretStore on Solaris, Linux, AIX, or HP-UX . . . . . . . . . . . . . . . . . . . . 29

2.5.3 Uninstalling SecretStore on Workstations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

3 Managing SecretStore 31

3.1 Managing SecretStore Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

3.1.1 SecretStore Objects. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

3.1.2 Viewing and Changing Settings on Objects. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

3.1.3 Customizing Settings for Groups or Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

3.2 Setting Up a SecretStore Administrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

3.2.1 Adding Advanced Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

3.3 Sharing Secrets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

3.3.1 Example Configuration: Sharing Secrets with Novell Products . . . . . . . . . . . . . . . . . 37

3.4 Managing Secrets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

3.4.1 Adding a Secret . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

3.4.2 Editing a Secret . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

3.4.3 Removing a Secret . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

3.4.4 Unlocking a Secret. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

3.4.5 Viewing a Secret . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

3.4.6 Viewing a Secret's Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

6 Novell SecretStore 3.4.x Administration Guide

novdocx (en) 25 June 2008

3.5 Using Enhanced Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

3.5.1 Locking SecretStore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

3.5.2 Setting a Master Password and Hint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

3.5.3 Using SecretStore Manager to Set a Master Password . . . . . . . . . . . . . . . . . . . . . . 42

3.5.4 Using SecretStore Status to Set a Master Password . . . . . . . . . . . . . . . . . . . . . . . . 42

3.5.5 Using Disconnected Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

3.6 Testing SecretStore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

3.6.1 Testing the Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

3.6.2 Making Advanced Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

3.7 Viewing Information about SecretStore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

3.8 Using Server Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

4 Troubleshooting SecretStore 49

4.1 Where to Install . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

4.2 Setting Up a Tree Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

4.3 Reading Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

4.4 Merging Trees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

4.5 ‘Not Available’ Displays for Last Admin Unlock Time Stamp . . . . . . . . . . . . . . . . . . . . . . . . . . 49

A Sharing Secrets with Novell Portal Services 51

A.1 Specifying an NPS SecretStore Provider. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

A.1.1 Adding a Setting to the PortalServlet.properties file . . . . . . . . . . . . . . . . . . . . . . . . . 51

A.1.2 Adding a Setting to the Portal Configuration Object . . . . . . . . . . . . . . . . . . . . . . . . . 51

A.2 Configuring NPS to Share Secrets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

B Novell SecretStore Error Codes 53

B.1 SecretStore Return Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

About This Guide 7

novdocx (en) 25 June 2008

About This Guide

This guide is for network administrators. It provides information on the following:

 Chapter 1, “Novell SecretStore Overview,” on page 9

 Chapter 2, “Installing SecretStore,” on page 21

 Chapter 3, “Managing SecretStore,” on page 31

 Chapter 4, “Troubleshooting SecretStore,” on page 49

 Appendix A, “Sharing Secrets with Novell Portal Services,” on page 51

 Appendix B, “Novell SecretStore Error Codes,” on page 53

Documentation Updates

For the most recent version of the Novell SecretStore 3.x Administration Guide, see SecretStore

(http://www.novell.com/documentation-index/index.jsp) on the Novell

documentation Web site.

Documentation Conventions

In this documentation, a greater-than symbol (>) is used to separate actions within a step and items

within a cross-reference path.

A trademark symbol (

, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party

trademark.

8 Novell SecretStore 3.4.x Administration Guide

novdocx (en) 25 June 2008

Novell SecretStore Overview

novdocx (en) 25 June 2008

Novell SecretStore Overview

Novell

SecretStore

is a simple and secure password management solution. SecretStore enables

you to use a single authentication to Novell eDirectory

to access most UNIX*, Windows*, Web,

and mainframe applications.

After you've authenticated to eDirectory, SecretStore-enabled applications store and retrieve the

appropriate login credentials. When you use SecretStore, you eliminate the need to remember or

synchronize all the multiple passwords required for accessing password-protected applications, Web

sites, and mainframes.

NOTE: SecretStore 3.4.x has the same functionality as earlier versions, but is built on eDirectory

8.8.x, rather than eDirectory 8.7.3.x used in earlier versions.

This section provides information on the following:

 Section 1.1, “Server and Workstation Components,” on page 9

 Section 1.2, “SecretStore Service Objects,” on page 13

 Section 1.3, “How SecretStore Works,” on page 14

1.1 Server and Workstation Components

This topic describes SecretStore components for servers and workstations.

1.1.1 Server Components

 “NetWare Servers” on page 9

 “Linux, Solaris, or AIX Servers” on page 10

 “HP-UX Servers” on page 10

 “Windows Servers” on page 10

NetWare Servers

Filename Description

sssi.nlm The Novell SecretStore installation NetWare Loadable Module

(NLM). Sssi.nlm extends

the eDirectory schema, installs the Novell SecretStore server and its plugins (sss.nlm,

ssldp.nlm, and ssncp.nlm), configures the eDirectory LDAP server to enable SecretStore

extensions, and initializes or validates the Security Domain Infrastructure (SDI) on

NetWare

You use nwconfig.nlm to load sssi.nlm.

NOTE: On UNIX, the ss_install script is the equivalent of sssi.nlm. Windows Server* has its

own complete GUI install.

10 Novell SecretStore 3.4.x Administration Guide

novdocx (en) 25 June 2008

Linux, Solaris, or AIX Servers

HP-UX Servers

Windows Servers

sss.nlm The Novell SecretStore service.

SecretStore provides a secure infrastructure for storing and retrieving secrets and

credentials in eDirectory. SecretStore uses NICI and SDI to safely and securely store a

user's secrets.

Novell SecureLogin, Novell Portal Services, and Novell iChain

all provide single sign-on

functionality to applications that use SecretStore.

Upon a successful authentication of the user to an application, the SecretStore-enabled

application stores the application's login credential in SecretStore. From then on, when the

user logs in to eDirectory and launches the application, the single sign-on client retrieves

the application password from SecretStore, provides it to the application or Web site in the

background, and authenticates the user.

ssldp.nlm The SecretStore LDAP transport plug-in.

sssncp.nlm The SecretStore NCP

transport plug-in.

lsss.nlm The LDAP SecretStore extension manager. Enables applications to use the Lightweight

Directory Access Protocol (LDAP) to store secrets.

Filename Description

libsss.so The SecretStore service.

libssldp.so The SecretStore LDAP transport plug-in.

libssncp.so The SecretStore NCP transport plug-in.

liblsss.so The LDAP SecretStore extension manager.

Filename Description

libsss.sl The SecretStore service.

libssldp.sl The SecretStore LDAP transport plug-in.

libssncp.sl The SecretStore NCP transport plug-in.

liblsss.sl The LDAP SecretStore extension manager.

Filename Description

sss.dlm The SecretStore service.

ssldp.dlm The SecretStore LDAP transport plug-in for Windows.

Filename Description

Novell SecretStore Overview 11

novdocx (en) 25 June 2008

For more information on SecretStore, see the following:

 SecretStore-related information in Novell Developer Kits, available at:

 Novell SecretStore Developer Kit for C (http://developer.novell.com/ndk/ssocomp.htm)

 Novell SecretStore Developer Kit for Java (http://developer.novell.com/ndk/nssoj.htm)

 Novell AppNotes, May, 2003, A Technical Overview of Novell SecretStore 3.2 (http://

support.novell.com/techcenter/articles/dnd20030503.html)

 Novell AppNotes, June, 2003, Understanding the Novell SecretStore 3.2 APIs (http://

support.novell.com/techcenter/articles/dnd20030603.html)

1.1.2 Workstation Components

For the SecretStore 3.4.x service release, the SecretStore client requires the following components:

NICI client: Enables the SecretStore client to provide all the encrypted traffic between SecretStore,

the SecretStore client, the Novell Modular Authentication Services (NMAS

) client, and

application connectors.

NMAS client: Enables single sign-on users (online or offline) to authenticate to eDirectory.

The NMAS client can confirm authentication during the following situations:

 You are not logged in to eDirectory.

 You are logged in to an eDirectory tree that is different from the one that the single sign-on

client synchronizes with.

 A default timeout has occurred.

SecretStore client: Provides the mechanism to access the SecretStore service and ensure secure

transmission of secrets to and from eDirectory.

The SecretStore client collects secrets (for example, usernames and passwords), recognizes an

application credential or password field, and helps to authenticate users by passing the credentials to

the application.

The SecureLogin client enables anyone to use applications without repeatedly entering passwords.

A user can be logged in to or disconnected from a network.

NOTE: The NCP protocol is supported only on the Windows client platform.

SecretStore snap-in to ConsoleOne (sssnapin.exe): Enables administrators or users to

create, configure, and administer SecretStore components.

Novell eDirectory automatically installs ConsoleOne

on a server. However, to use ConsoleOne,

you install the SecretStore snap-in to ConsoleOne on a client workstation (or to a directory on a

server) and run ConsoleOne from a workstation.

ssncp.dlm The SecretStore NCP transport plug-in for Windows.

lsss.dll The LDAP SecretStore extension manager.

Filename Description

12 Novell SecretStore 3.4.x Administration Guide

novdocx (en) 25 June 2008

The SecretStore installation program installs the snap-in. You can run the ConsoleOne snap-in on

your workstation provided you have also installed the NICI component.

SecretStore Manager: Enables users to perform basic maintenance tasks on their SecretStore.

SecretStore Manager protects secrets by requiring NMAS authentication before a user can view

secrets.

Although SecretStore Manager is not intended as the primary interface to SecretStore, it helps users

manage SecretStore secrets.

The following figure illustrates SecretStore Manager:

SecretStore Status: Enables users to set their master passwords, unlock SecretStore, switch

between eDirectory trees, or switch between eDirectory usernames associated with different trees or

servers.

SecretStore Status is a light version of SecretStore Manager. The following figure illustrates

SecretStore Status:

Novell SecretStore Overview 13

novdocx (en) 25 June 2008

1.2 SecretStore Service Objects

This topic explains how SecretStore server components, workstation components, and eDirectory

objects work together. This background prepares you for installing, setting up, managing, using, and

troubleshooting SecretStore.

SecretStore: A Container object, located within eDirectory's security container, that can hold

default SecretStore service settings.

This object is automatically named SecretStore and placed in the Security container.

The SecretStore system requires at least one SecretStore Container object. The SecretStore object

can contain sssServerPolicyOverride objects.

The following figure illustrates a SecretStore object.

sssServerPolicyOverride object: Objects that enable you to customize access to applications,

depending on group or user needs for different parts of the tree.

sssServerPolicyOverride objects reside in the SecretStore Container object. Each

sssServerPolicyOverride object must take the name of the context that the Group or User objects are

in.

As the next step, the server servicing the replicas of that container should be configured to load with

/o= option on the command line to use the override.object DN for the users in that container, as

shown in the following example:

load sss /o=RSDev.digitalairlines.SecretStore.Security

This configuration permits the server to advertise itself to the root of the partition with the specified

override.object DN. To minimize the amount of tree walking by the SecretStore client, you can

define the sssServerPolicyOverrideDN attribute for individual users, organizational unit,

14 Novell SecretStore 3.4.x Administration Guide

novdocx (en) 25 June 2008

organization, etc. This allows the SecretStore client to read this attribute, search the root of the

partition for the server that supports that override configuration, then connect the user to that read/

write replica for SecretStore access.

The following figure illustrates an sssServerPolicyOverride object:

Scenario. You want to provide more liberal restrictions for groups and users in the RSDev context.

This object is in the digitalairlines Organization object. In ConsoleOne, you create a new

sssServerPolicyOverride object, name it RSDev.digitalairlines, and configure server options for this

new object.

The following figure illustrates the name-and-context relationship.

1.3 How SecretStore Works

SecretStore 3.x and above runs on AIX, Linux, Solaris, HP-UX, NetWare 5.x, NetWare 6.x, and

Windows 2000/NT.

The UNIX servers require Novell eDirectory 8.7.1 or later. (NICI is automatically installed during

server installation.)

The NetWare 5.x and NetWare 6.x servers can run NDS 7, as long as NICI 2.4 or later is installed.

However, we recommend that you upgrade to Novell eDirectory 8.8 or later.

Windows NT/2000 servers require eDirectory 8.7x and NICI 2.4 or later. The following figure

illustrates SecretStore running on these platforms:

Novell SecretStore Overview 15

novdocx (en) 25 June 2008

When you install SecretStore on these servers, the installation program installs the SecretStore

service on top of eDirectory and NICI. SecretStore plug-ins run on top of SecretStore.

The following figure illustrates the server NCP and LDAP protocol stacks on a server platform:

The following figure illustrates the client NCP and LDAP protocol stacks on a client workstation:

NICI 2.4

or later

Novell

eDirectory 8.7.X

AIX

Server

Solaris

Server

NetWare 5X or

NetWare 6

Servers

Linux

Server

Windows

NT/2000

Server

NCP 92 Access LDAP Access

SSL

LDAP Server

SSS LDAP Ext Handler

SSS LDAP Plug-in

LDAP Server

SSS LDAP Ext Handler

Novell SecretStore Service (SSS)

NICI

For wire

encryption

decryption

eDirectory

Server OS

Note: NCP-92 Access is only available on

NetWare server operating systems

16 Novell SecretStore 3.4.x Administration Guide

novdocx (en) 25 June 2008

The following figure illustrates the SecretStore client and server architecture in Java*:

SecretStore plug-ins include client APIs, NCP, and an LDAP extension.

You install administrative and SecretStore components on a Windows workstation and administer

SecretStore from there.

The following figure illustrates client software running on a Windows workstation:

NCP 92 Access

NSSS NCP-92 Plug-in

NSSS LDAP Plug-in

NSSS API

Enabler Application

SSL

LDAP

NICI

DS-API

NCP-92

Client 32 Requester

LDAP Access

Note: NCP-92 Access is only available on Windows client

operating systems, when Client 32 is installed

User

Application

Client

User Name

Password

eDirectory

SecretStore

(User Cedentials

Encrypted Using

NICI)

Java

application

that uses

this API

Server

Novell SecretStore Overview 17

novdocx (en) 25 June 2008

The following steps illustrate how SecretStore works:

1. A user logs in to eDirectory by using a password.

2. A successful login allows the user's secrets to be downloaded (when necessary) from

SecretStore to the workstation.

3. The user accesses a client-, Web-, or host-based application. The connection recognizes the

application and responds with the appropriate username and password from SecretStore.

If the connection does not discover matching credentials, the client prompts the user to add the

application. Secrets are synchronized when certain events occur or when the user connects to or

disconnects from eDirectory.

1.3.1 Single Sign-On Authentication Process

The figures below describe the process of single sign-on authentication and show how an enabled

application can interface with SecretStore, read and write secrets, and authenticate the user.

Authentication without SecretStore

For purposes of comparison, the following figure illustrates how a user might authenticate to a

network application that isn’t enabled for single sign-on.

1. The user runs a network application.

2. The application calls the authentication module.

NCP92

Server

SSS

API

ConsoleOne

SecretStore

Manager

SecretStore

Status

ConnectorsApplication

Workstation

LDAP

(version 3

or later)

Workstation

Network

Application

User

18 Novell SecretStore 3.4.x Administration Guide

novdocx (en) 25 June 2008

3. The module prompts the user to log in. The user submits credentials (for example, a user ID or

smart card) and secrets (for example, a password or PIN), then authenticates.

4. The authentication module notifies the application that access has been granted.

5. The user starts interacting with the application.

Initial Authentication to a SecretStore-Enabled Application

The following figure illustrates the first-time authentication to an application that has been enabled

for single sign-on with SecretStore.

1. The user runs an enabled network application.

2. The application calls the authentication module.

3. The module prompts the user to log in. The user submits credentials (for example, a user ID or

Smart Card) and secrets (for example, a password or PIN), then authenticates.

4. The authentication module updates Novell SecretStore with the user's verified authentication

information.

5. The authentication module notifies the application that access has been granted.

6. The user starts interacting with the application.

Subsequent Authentication to a SecretStore-Enabled Application

The following figure illustrates the processes involved in subsequent user authentication to a single

sign-on enabled application using SecretStore.

1. The user starts interacting with the application.

2. The application calls the authentication module.

3. The authentication module calls Novell SecretStore to retrieve the user's authentication secrets.

4. Novell SecretStore returns the user's authentication secrets (identification, secrets, etc.) to the

authentication module, and the user is authenticated.

Network

Application

User

ACCESS

SecretStore

™

Network

Application

User

ACCESS

SecretStore

™

Novell SecretStore Overview 19

novdocx (en) 25 June 2008

5. The authentication module notifies the application that access has been granted.

6. The user runs a single sign-on-enabled network application.

20 Novell SecretStore 3.4.x Administration Guide

novdocx (en) 25 June 2008

Page is loading ...

Novell SecretStore 3.4.x Administration Guide

Brand: Novell

Model: SecretStore 3.4.x

Category: Software

Type: Administration Guide

Download PDF

report

Novell SecretStore 3.4.x Administration Guide

Novell SecretStore 3.4.x Administration Guide

Related papers

Other documents