Novell Identity Assurance Solution Client 3.0.x Administration Guide

Brand: Novell

Model: Identity Assurance Solution Client 3.0.x

Type: Administration Guide

www.novell.com/documentation

Installation and Administration Guide

Enhanced Smart Card Method 3.0.8

April 02, 2012

Legal Notices

Novell,Inc.makesnorepresentationsorwarrantieswithrespecttothecontentsoruseofthisdocumentation,andspecifically

disclaimsanyexpressorimpliedwarrantiesofmerchantabilityorfitnessforanyparticularpurpose.Further,Novell,Inc.

reservestherighttorevisethispublicationandtomakechangestoitscontent,at

anytime,withoutobligationtonotifyany

personorentityofsuchrevisionsorchanges.

Further,Novell,Inc.makesnorepresentationsorwarrantieswithrespecttoanysoftware,andspecificallydisclaimsany

expressorimpliedwarrantiesofmerchantabilityorfitnessforanyparticularpurpose.Further,Novell,Inc.reservestheright

makechangestoanyandallpartsofNovellsoftware,atanytime,withoutanyobligationtonotifyanypersonorentityof

suchchanges.

AnyproductsortechnicalinformationprovidedunderthisAgreementmaybesubjecttoU.S.exportcontrolsandthetrade

lawsofothercountries.Youagreeto

complywithallexportcontrolregulationsandtoobtainanyrequiredlicensesor

classificationtoexport,re‐exportorimportdeliverables.Youagreenottoexportorre‐exporttoentitiesonthecurrentU.S.

exportexclusionlistsortoanyembargoedorterroristcountriesasspecifiedintheU.S.

exportlaws.Youagreetonotuse

deliverablesforprohibitednuclear,missile,orchemicalbiologicalweaponryenduses.SeetheNovellInternationalTrade

ServicesWebpage(http://www.novell.com/info/exports/)formoreinformationonexportingNovellsoftware.Novellassumes

noresponsibilityforyourfailuretoobtainanynecessaryexportapprovals.

Inc.Allrightsreserved.Nopartofthispublicationmaybereproduced,photocopied,storedona

retrievalsystem,ortransmittedwithouttheexpresswrittenconsentofthepublisher.

Novell, Inc.

1800 South Novell Place

Provo, UT 84606

U.S.A.

www.novell.com

OnlineDocumentation:ToaccessthelatestonlinedocumentationforthisandotherNovellproducts,seetheNovell

DocumentationWebpage(http://www.novell.com/documentation).

Novell Trademarks

ForNovelltrademarks,seetheNovellTrademarkandServiceMarklist(http://www.novell.com/company/legal/trademarks/

tmlist.html).

Third-Party Materials

Allthird‐partytrademarksarethepropertyoftheirrespectiveowners.

Contents 3

Contents

About This Guide 7

1 Overview 9

1.1 How NESCM Works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9

1.2 Additional Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

1.2.1 Workstation Only Login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9

1.2.2 Card Removal Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10

2 Novell Enhanced Smart Card Method Installation 11

2.1 Minimum Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11

2.1.1 eDirectory Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11

2.1.2 Client Workstations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11

2.2 Installing the Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

2.2.1 eDirectory Server Installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13

2.2.2 Client Workstation Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14

2.3 Uninstalling the Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17

3 Configuring the Server 19

3.1 Configuring Trusted Root Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19

3.2 Configuring Certificate Revocation Checking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

3.2.1 OCSP Trusted Root Containers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22

3.2.2 CRL Trusted Root Containers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23

3.2.3 Example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

3.3 Configuring Certificate Matching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24

3.3.1 Subject Name Matching. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24

3.3.2 Certificate Matching. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26

3.3.3 No Matching. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28

3.3.4 Temporary Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29

3.4 Certificate Validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30

3.5 Certificate Expiration Warning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30

3.6 Card Removal Behavior. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30

3.7 Check for Certificate Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30

3.8 Activating the Method. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

4 Troubleshooting 33

4.1 Method Tracing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33

4.1.1 Enabling Server Tracing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

4.1.2 Enabling Client Tracing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

4.2 Workstation Issues. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

4.2.1 Smart Card Issues. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

4.2.2 User Account Lookup (Identity Plug-In) Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34

4.3 Method Configuration Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35

4.3.1 Method Activation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35

4.3.2 Certificate Validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

4 Contents

5 Security Guidelines 37

5.1 Trusted Root Containers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .37

5.2 Certificate Validation/Revocation Checking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

5.3 Smart Card Enrollment eDirectory Attributes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .37

5.4 Certificate Matching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

5.5 Restricting Authentication Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

5.6 User Account Lookup (Identity Plug-In) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38

5.7 Workstation Only Login (Disconnected Login). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38

6 Using NESCM for Access Manager Authentication 39

7 Reporting Login Events 41

A Client Configuration Options 43

A.1 Smart Card Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

A.1.1 CSP with PC/SC Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43

A.1.2 PKCS#11 Library. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43

A.2 Smart Card PIN Validation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44

A.2.1 Turning Off PIN Validation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44

A.2.2 Hiding the Password Field When PIN Validation is Off . . . . . . . . . . . . . . . . . . . . . . . . . . . .44

A.3 Password Field Descriptor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45

A.4 Workstation Only Login (Disconnected Support Login) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45

A.4.1 Certificate Validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45

A.4.2 Local Account Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46

A.4.3 Fall-Back Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

A.4.4 Disconnected Workstation Unlock. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46

A.4.5 Workstation Only Login Exception. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .47

A.5 User Account Lookup (Identity Plug-In Functionality) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48

A.5.1 LDAP Search. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

A.5.2 Optimizing Search Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48

A.6 Novell Client Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

A.6.1 Single Sign-On. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48

A.6.2 Passive Mode Login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .49

B Silently Installing and Configuring the Method on Workstations 51

B.1 Installing the Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

B.1.1 Installing on a Machine without the Novell Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .51

B.1.2 Installing on a Machine with the Novell Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .51

B.1.3 Default Installation Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52

B.2 Configuring the Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52

B.2.1 Using the Registry to Configure NESCM After Installation (Recommended) . . . . . . . . . . .52

B.2.2 Using the Command Line to Configure NESCM During Installation . . . . . . . . . . . . . . . . . .52

C How the Authentication Works 57

D Registry Configuration Settings 59

E Documentation Updates 61

E.1 March 30, 2012 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61

E.2 March 18, 2010 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61

E.3 December 09, 2009 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .62

Contents 5

E.4 January 20, 2009 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .62

6 Novell Enhanced Smart Card Method 3.0.8 Installation and Administration Guide

About This Guide 7

About This Guide

ThisguideprovidesinstallationandconfigurationinformationfortheNovellEnhancedSmartCard

Method.

 Chapter 1,“Overview,”onpage 9

 Chapter 2,“NovellEnhancedSmartCardMethodInstallation,”onpage 11

 Chapter 3,“ConfiguringtheServer,”onpage 19

 Chapter 4,“Troubleshooting,”onpage 33

 Chapter 5,“SecurityGuidelines,”onpage 37

 Chapter 6,“UsingNESCMforAccessManagerAuthentication,”onpage 39

 Chapter 7,“ReportingLoginEvents,”onpage 41

 Appendix A,“ClientConfigurationOptions,”onpage 43

 Appendix B,“SilentlyInstallingandConfiguringtheMethodonWorkstations,”onpage 51

 Appendix C,“HowtheAuthenticationWorks,”onpage 57

 Appendix D,“RegistryConfigurationSettings,”onpage 59

Audience

Thisguideiswrittenprimarilyfornetworkadministrators.

Feedback

Wewanttohearyourcommentsandsuggestionsaboutthismanualandtheotherdocumentation

includedwiththisproduct.PleaseusetheUserCommentfeatureatthebottomofeachpageofthe

onlinedocumentationandenteryourcommentsthere.

Documentation Updates

Forthemostrecentversionofthisdocumentation,seetheNovellEnhancedSmartCardMethod

InstallationGuide(http://www.novell.com/documentation/ias/index.html?page=/documentation/

iasclient30x/nescm_install/data/bookinfo.html).

Documentation Conventions

InNovelldocumentation,agreater‐thansymbol(>)isusedtoseparateactionswithinastepand

itemsinacross‐referencepath.

Whenasinglepathnamecanbewrittenwithabackslashforsomeplatformsoraforwardslashfor

otherplatforms,thepathnameispresentedwithabackslash.Users

ofplatformsthatrequirea

forwardslash,suchasLinuxorUNIX,shoulduseforwardslashesasrequiredbyyoursoftware.

8 Novell Enhanced Smart Card Method 3.0.8 Installation and Administration Guide

Overview 9

Overview

TheNovellEnhancedSmartCardMethod(NESCM)isaNovellModularAuthenticationServices

(NMAS)methodthatprovidessmart‐card‐basedauthenticationtoeDirectory.Smartcard

authenticationisatwo‐factorauthenticationtechnique:somethingyouknow(smartcardPIN)and

somethingyouhave(smartcard).

Thefollowingsectionsprovideanoverviewto

NESCM:

 Section 1.1,“HowNESCMWorks,”onpage 9

 Section 1.2,“AdditionalFeatures,”onpage 9

1.1 How NESCM Works

Theloginmethodconsistsoftwocomponents:theservermoduleandtheclientmodule.The

appropriatemodulesareloadedduringtheauthenticationprocessbytheNMASserverandclient

components.

Duringauthentication,theclientmoduleenumeratesthecertificatesavailableontheattachedsmart

cardandsendsthemtotheservermodule.

Theservermodulechoosesacertificatetousefor

authentication,basedontheconfigurationandvalidationchecks.

Afterselectingthelogincertificate,theservermodulegeneratesarandomchallengeandsendsitto

theclientmoduletoconfirmthattheuserpossessestheprivatekeyassociatedwiththecertificate.

Theclient

moduleusesthesmartcardtosignthechallengeandencrypttheresultbyusingRSA

public/privatekeyencryption.Uponreceivingtheresult,theserverdecryptsthedatabyusingthe

certificateʹspublickeyandvalidatesthechallenge.Ifavalidcertificateisnotfoundorthechallengeis

not

validated,theloginattemptfails.Formoreinformationonhowthemethodworks,see

Appendix C,“HowtheAuthenticationWorks,”onpage 57.

1.2 Additional Features

 Section 1.2.1,“WorkstationOnlyLogin,”onpage 9

 Section 1.2.2,“CardRemovalSecurity,”onpage 10

1.2.1 Workstation Only Login

Inadditiontonetworkauthentication,themethodsupportslocal Windowsworkstationlogins.

WorkstationOnlyLoginallowsthesmartcardtobeusedforalocalworkstationloginwhenthe

eDirectoryidentitystoreisnʹtavailable.Thisisusefulinsituationswherenetworkconnectivityisnʹt

alwaysavailable,suchasforlaptop

users.

FormoreinformationonWorkstationOnlyLogin,seeSection A.4,“WorkstationOnlyLogin

(DisconnectedSupportLogin),”onpage 45.

10 Novell Enhanced Smart Card Method 3.0.8 Installation and Administration Guide

1.2.2 Card Removal Security

Themethodcanalsobeconfiguredtomonitorthesmartcardreaderdevice.Whenthesmartcardis

removed,themethodcanbeconfiguredtolocktheworkstationortologoff.Formoreinformation,

seeSection 3.6,“CardRemovalBehavior,”onpage 30.

Novell Enhanced Smart Card Method Installation 11

Novell Enhanced Smart Card Method

Installation

ThissectiondescribestheinstallationoftheNovellEnhancedSmartCardMethod(NESCM).

 Section 2.1,“MinimumRequirements,”onpage 11

 Section 2.2,“InstallingtheMethod,”onpage 13

 Section 2.3,“UninstallingtheMethod,”onpage 17

2.1 Minimum Requirements

NESCMhasthefollowingminimumrequirements:

 Section 2.1.1,“eDirectoryServer,”onpage 11

 Section 2.1.2,“ClientWorkstations,”onpage 11

2.1.1 eDirectory Server

eDirectory8.8SP1orlaterononeofthefollowingplatforms:

 NetWare6.5SP6orlater

 WindowsServer2003SP1orlaterandWindows200832‐bit

 SUSELinuxEnterpriseServer(SLES)1032‐bitor64‐bit

 SUSELinuxEnterpriseServer(SLES)1132‐bitor64‐bit

 RedHat

AS4.0Server32‐bitor64‐bit

 RedHatEnterpriseLinux(RHEL)532‐bitor64‐bit

 Solaris10onSunSPARC32‐bit

2.1.2 Client Workstations

 NovellClient4.9.1SP5IR1orlaterinstalledonWindowsXPSP2orlater

 NovellClient2SP2(IR2a)forWindowsVistaorlaterinstalledonWindowsVista(32‐bitand64‐

bit)

 NovellClient2SP2(IR2a)forWindows7orlaterinstalledonWindows7(32‐bitand

64‐bit)

 NovellClient2SP2(IR 2a)forWindowsServer2008(32‐bitand64‐bit)andWindowsServer2008

R2(64‐bit)

 iManagerversion2.7SP3withNMASplug‐inversion3.200.20090408

12 Novell Enhanced Smart Card Method 3.0.8 Installation and Administration Guide

TheNESCMiManagerplug‐inhastheabilitytoquerycertificateinformationdirectlyfromsmart

cards.ThisfunctionalityissupportedonWindowswiththefollowingbrowsers:

 InternetExplorer*6.0SP2orlater

 MozillaFirefox*3.6.x/4.x.x/5.x.x /6.x.x/7.x.x/8.x.x

Firefox4.0andlateracceptsSSLcertificatessignedbyCAs

thatarenativelytrustedbyFirefox

forplug‐ininstallat ion.ToinstalltheNESCMplug‐inoveranSSLconnection,setthe

extensions.install.requireBuiltInCerts

to

false

intheFirefoxconfiguration.

 LaunchFirefox,thentype

about:config

intheaddressbarofthebrowserwindow.

 Ontheconfigurationpagethatdisplays,right‐clicktoopentheModifyMenu.

 SelectNew>Boolean,thenspecifythenewpreferencenameas

extensions.install.requireBuiltInCerts

inthedialogboxandsetthisoptionto

false

 InstalltheNESCMcardreaderplug‐inforFirefox.

Asmartcardreaderandappropriatesmartcardmiddlewaremustbeinstalledandproperly

configuredontheworkstation.ThemethodshouldworkwithmostWindowscompliantPC/SC

middleware.Ithasbeentestedwiththefollowing:

Table 2-1 Middleware,SmartCardReaders,andSmartCards

Device Tested Applications

Middleware

 Netsign* CAC version 5.5.71.0

 Gemplus* version 3.2.2 and 4.2

 GemSAFE libraries 4.2

 Gemalto PKCS11 For .NET V2+

 GemCCID (PC USB PC/SC drivers)

 ActivCard* Gold for CAC 3.0.1

 ActivClient* 6.0 PKI Only or later

 Cryptovision cv act sc/interface 3.2.1

 eToken* Run Time Environment 3.60

 CIP 4.07

 FNMT Cryptographic Card Interface (Infineon,

ST, ST-WG10). RSA keys up to 2048

Novell Enhanced Smart Card Method Installation 13

2.2 Installing the Method

InstallationconsistsofinstallingthemethodontheeDirectoryserverandontheclientworkstations.

 Section 2.2.1,“eDirectoryServerInstallation,”onpage 13

 Section 2.2.2,“ClientWorkstationInstallation,”onpage 14

2.2.1 eDirectory Server Installation

1 LogintoiManagerasanAdministrator.

2 FromtheRolesandTasksview,clickNMAS>NMASLoginMethods.

3 ClickNew.

Themethodinstallationwizardislaunched.

4 Followthestepsinthemethodinstallationwizard:

4a Browsetoanddouble‐clickthe

EnhancedSmartCard_iMan27.zip

filethatcomeswiththe 

method.Itislocatedontheclientdiskunderthe

NMAS Methods

folder.

ThiszipfilecontainstheservercomponentsandtheiManagercomponents.

4b Readandacceptthelicenseagreement.

Smart Card Readers

 SCM Microsystems* SCR241 PCMCIA

 SCM Microsystems SCR 131 Serial (RS232)

 Cherry G83-6759LPAUS-2 USB Keyboard

 Gemplus GemPC433-SL USB

 Schlumberger Reflex 72v2

 Schlumberger Reflex USB

 SCM Microsystems SCR531-USB

 Precise Biometrics 250 MC

 ActivIdentity* USB Reader 2.0 and 3.0

 ActivCard ActivCard USB Reader V3.0

 C3P0 LTC3X USB Smart Card Reader v1.30

Smart Cards

 Axalto Access 64K CAC

 Gemplus GemXpresso* CAC

 Gemalto .NET V2+

 Oberthur CosmopolIC V4 CAC

 Schlumberger Access 32K V2 CAC

 Gemplus GemSAFE* SDK GPK16000

 Cryptovision - CardOS M4.01a

 Aladdin* - eToken PRO 64K

 Oberthur CosmpolIC 64K V5.2 Fast ATR (PIV)

 FNMT-RCM_ST_v2.0 (Ceres Card)

Device Tested Applications

14 Novell Enhanced Smart Card Method 3.0.8 Installation and Administration Guide

4c Reviewthemethodinformationand modifythevaluesasneeded.

Ifyoudon’tchangethename,thedefaultname(EnhancedSmartCard)isusedforthe

methodandloginsequencename.

4d ClickFinish.

5 Reviewtheinstallationsummarypage,thenclickClose.

6 RestartiManagertoensurethattheplug‐inisenabled.

7 ContinuewithChapter 3,“ConfiguringtheServer,”onpage 19tousetheplug‐intoconfigure

theNESCMinstallationontheserver.

2.2.2 Client Workstation Installation

Themethodmustbeinstalledoneachworkstation.Toinstallthe method,usetheNESCMsetup

program.

Themethodcanalsobeinstalledandconfiguredsilently.Formoreinformationonsilentinstallation,

seeAppendix B,“SilentlyInstallingandConfiguringtheMethodonWorkstations,”onpage 51.

1 LogintoaworkstationasanAdministrator.

2 Runthefollowingprogramfromthe

...\enhancedsmartcard\client

directory:

WindowsVista(32‐bit)/7(32‐bit)/XP/Server2008(32‐bit):

Setup.exe

WindowsVista(64‐bit)/7(64‐bit)/Server2008(64‐bit)/Server2008R2(64‐bit):

Setup_64.exe

ThislaunchestheNESCMsetupprogram.Followthestepsinthissetupprogramtoinstalland

configureNESCM.Forinformationconcerningspecificstepsinthesetupprogramforallclient

platforms(WindowsVista/7/XP/Server2008),seeTable2‐2onpage 14.

Forinformationconcerningspecificstepsinthesetupprogramfor

WindowsXPclient,seeTable

2‐3onpage 17.

Forextendedinformationontheoptions,seeAppendix A,“ClientConfigurationOptions,”on

page 43.

3 RepeatStep 1andStep 2foreveryworkstationwhereyouwanttoinstallthemethod.

Table2‐3explainstheconfigurationoptionsthatareavailablewhenyouusethesetupprogramto

installthemethodonaworkstation.

Table 2-2 SetupProgramOptionsforallClientPlatforms

Window Options

Smart Card Interface The method can communicate with the smart card by using a Windows

Cryptographic Service Provider (CSP) or PKCS#11 library. The recommended

communication method is CSP with PC/SC Interfaces. Use PKCS#11 interfaces only

if you know your smart card vendor does not provide a CSP.

 CSP with PC/SC Interfaces: Select this option to use MS Crypto APIs and the

vendor’s CSP.

 PKCS#11 Library: Select this and specify a PKCS#11 library to use PKCS#11

interfaces. If the library file is not present in the default system path, you must

provide the file path of the library file.

For more information on the smart card interface, see Section A.1, “Smart Card

Interface,” on page 43.

Novell Enhanced Smart Card Method Installation 15

Smart Card PIN The smart card PIN is always validated during login unless this option is turned off

(not selected). If this option is off, the PIN is not validated during login. It might be

desirable to turn off PIN validation if another application has established a smart card

session and previously validated the PIN. This prevents users from having to re-enter

the PIN.

Require Smart Card PIN Validation: Select this option to validate the PIN during

For more information on smart card PIN validation, see Section A.2, “Smart Card PIN

Validation,” on page 44.

Workstation Only Login Normally, workstation only logins are password-based. The following options allow

the smart card to be used during a workstation only login:

 Use Smart Card for Workstation Only Login: Select this option to use the

smart card for workstation only logins.

 Require Smart Card for Workstation Only Login: Select this option to

disable password-based workstation only logins.

This option is only available if the Novell Client is installed.

For more information on Workstation Only Login, see Section A.4, “Workstation Only

User Account Lookup -

Identity Plug-in Support

The method can use eDirectory to look up the username that is associated with the

smart card. The method uses the certificate information on the smart card and

performs an LDAP search to locate the user account.

 Automatically Look Up User Account: Select this option if you want the

method to automatically look up the user account.

This option is only available if the Novell Client is installed.

For more information on User Account Lookup, see Section A.5, “User Account

Lookup (Identity Plug-In Functionality),” on page 48.

(Conditional: LDAP

Search Options - Page

1) Identity Plug-in

Configuration

The following options specify how the LDAP search functionality of the Identity plug-

in functions:

 LDAP Servers: In the Servers field, specify the server where you want the

search to take place. This is the LDAP server IP address or DNS name.

 LDAP Search Base: In the Base field, specify the starting container to use

when searching for the user.

 LDAP Search Timeout: In the Timeout field, specify the number of seconds

before the search does a timeout.

Window Options

16 Novell Enhanced Smart Card Method 3.0.8 Installation and Administration Guide

(Conditional: LDAP

Search Options - Page

2) Identity Plug-in

Configuration

The following options specify how the LDAP search functionality of the Identity Plug-

in functions:

 Search By: Select how the search matches user accounts. If you select

Certificate Subject Name, it searches by the certificate’s subject name. If you

select Certificate, it searches using the complete certificate.

This setting should match the method’s Match By configuration setting.

 Search Performance: Select Do Complete Search if you want the search

operation to wait to complete the search before returning. Select Use First

Account Returned if you want the search to quit after receiving the first result.

For large directories where searches can take a significant amount of time,

selecting Use First Account Returned can increase performance. However, if in

your environment one certificate is associated with multiple accounts, you

should select Do Complete Search to ensure that all possible matches are

presented to the user.

(Conditional: Progress

Message and Login

Options) Identity Plug-in

Configuration

The following options allow you to configure progress messages and login options for

the Identity Plug-in:

 Status Message: In the Message field, specify the message that you want to

be displayed on the Novell Client Login dialog box while the user lookup is in

progress. Leave the field blank for no message.

The status message is displayed on the Novell Client Login dialog box while the

user lookup is in progress.

 Wait Message: In the Message field, specify the message that you want to be

displayed in the Novell Client Login dialog box after user lookup is complete and

The wait message is displayed in the Novell Client Login dialog box after the

user lookup is complete and login has begun.

 Login Options: The following login options are available:

 Automatically begin login when user lookup returns: Select this

option to automatically start the login process after the account lookup

finishes. If you select this option, the user does not need to click the OK

button to begin the login process.

 Restart user lookup if login fails: Select this option to automatically

restart the Identity Plug-in if the login fails.

Selecting both Automatically begin login when user lookup returns and Restart

user lookup if login fails is not recommended. Using these two options

simultaneously can lead to continuous looping failed login attempts.

Window Options

Novell Enhanced Smart Card Method Installation 17

Table 2-3 SetupProgramOptionsforWindowsXPClient

2.3 Uninstalling the Method

YoucanuninstallNESCMusingtheAddorRemoveProgramsoptioninControlPanel.

IfyouhaveanyoftheNESCMapplicationsrunningonWindowsVistaandWindow7,adialogbox

appears,asshowninFigure2‐1,indicatingyoutoclosetheapplications.YoumustselecttheDo

not

closeapplicationsoptiontocontinuewiththeuninstallation.

(Conditional: Novell

Client Login Dialog

Options) Identity Plug-in

Configuration

Selecting the following options allows you to hide user interface controls in the Novell

Client login dialog:

 Hide OK Button: Select this option only when Automatically begin login when

user lookup returns is selected. See “(Conditional: Progress Message and

 Hide Cancel Button: Select this option if you don’t want users to see the

Cancel button.

 Hide Advanced Button: Select this option if you don’t want users to see the

additional login dialog box settings.

 Hide Username Field: You might want to select this option when using the

user account lookup functionality, because users usually do not interact with the

username field. Hiding this field might be considered useful in some

circumstances. See “User Account Lookup - Identity Plug-in Support” on

page 15 for more information.

 Hide Password Field: You might want to select this option when Automatically

begin login when user lookup returns is selected. After the lookup returns, the

turned off. See “Smart Card PIN” on page 15 for more information.

Window Options

Password Field Descriptor The Novell Client login dialog box labels the Password field with the word

“Password.” When using NESCM, enter the smart card PIN in the Password

field. This option allows you to change the label to a more intuitive

description, like “PIN.”

Use Custom Descriptor: Select this option and enter a new label to

change the descriptor.

This option is only available if the Novell Client is installed.

For more information on the Password Field Descriptor, see Section A.3,

“Password Field Descriptor,” on page 45.

Window Options

18 Novell Enhanced Smart Card Method 3.0.8 Installation and Administration Guide

Figure 2-1 UninstallationDialogBox

Configuring the Server 19

Configuring the Server

AfterinstallingtheNovellEnhancedSmartCardMethod(NESCM),youneedtoconfiguretheserver.

Todothis,usetheNovelliManagerSmartCardLoginplug‐in.Iftheplug‐inisnotalreadyinstalled,

seeSection 2.2.1,“eDirectoryServerInstallation,”onpage 13.Administratorsusethisplug‐into

configuresettings

forthewholetree,partitions,containers,orindividualusers.

Theplug‐inhasthefollowingsettings:

 Global:Theglobalsettingsareusedtospecifypoliciesforthewholetree.Optionsconfigured

globallyapplytoalluserobjectsinthetree.

 Container:Ifthecontainerobjectisapartitionroot,thesettings

areeffectiveforalluserobjects

inthepartition.Ifthecontainerisnotapartitionroot,thesettingsareeffectiveonlyforobjectsin

theimmediatecontainer.Thesettingsdonotaffectusersinsubcontainersbelowthecontainer.

 User:UsersettingsapplytotheindividualUserobject.

Eachsettingis

describedbelowandidentifiedasaglobal,container,oruserlevelsetting.In

iManager,intheRolesandTasksview,clickSmartCardLogintodisplaythesesettings.Manysettings

canbeconfiguredonalllevels.Settingsconfiguredatlowerlevelsinthedirectoryhierarchyoverride

higher‐levelconfigurations.

 Section 3.1,

“ConfiguringTrustedRootCertificates,”onpage 19

 Section 3.2,“ConfiguringCertificateRevocationChecking,”onpage 22

 Section 3.3,“ConfiguringCertificateMatching,”onpage 24

 Section 3.4,“CertificateValidation,”onpage 30

 Section 3.5,“CertificateExpirationWarning,”onpage 30

 Section 3.6,“CardRemovalBehavior,”onpage 30

 Section 3.7,“CheckforCertificatePolicy,”onpage 30

 Section 3.8,“ActivatingtheMethod,”onpage 30

3.1 Configuring Trusted Root Certificates

ConfigurationLevel:Global

Thelistoftrustedrootcontainersisusedforcertificatevalidation.Duringcertificatevalidation,the

methodbuildsthecertificatechain.Inordertobevalid,thecertificatechainmustendwithatrusted

rootcertificate.TrustedrootcertificatesarestoredintrustedrootcontainersineDirectory.

20 Novell Enhanced Smart Card Method 3.0.8 Installation and Administration Guide

Thecertificatevalidationprocessensuresthatthelogincertificatehasbeenissuedbyatrusted

CertificateAuthority(CA).Thisisaccomplishedbyvalidatingthatthecertificatechaincontainsonly

trustedrootcertificates.

1 IniManager,createatrustedrootcontainer:

1a SelectNovellCertificateServer>CreateTrustedRootContainer.

1b Specifythecontainernameandlocation.

1c ClickOK.

2 Importtrustedrootcertificates:

2a SelectNovellCertificateServer>CreateTrustedRoot.

Page is loading ...

Novell Identity Assurance Solution Client 3.0.x Administration Guide

Novell Identity Assurance Solution Client 3.0.x Administration Guide

Novell Identity Assurance Solution Client 3.0.x Administration Guide

Related papers

Other documents