When a smart card is used together with SecureLogin, several optional features become available to increase security, including:
- Using the smart card to encrypt SecureLogin data.
- Storing SSO credentials, such as application user names and passwords, on the smart card.
- Restricting SSO availability to smart cards, so that only users who log in with a smart card are allowed to start and administer SSO.
This AppNote explains the steps to integrate the ActivCard smart card reader with SecureLogin, using the Novell Enhanced Smart Card Method (NESCM) for NMAS. The environment used was:
- ActivCard USB Reader v2
- NSL 6.0 SP1
- OES SP2 with eDirectory 18.104.22.168 on a NetWare platform
- Windows 2000 SP4 with Novell Client 4.91 SP2
- CMS (Configuration Management System)
- ActivClient with the latest hot fix
1. Install the NESCM client method nescm_3.0. Make sure you select the "PKCS #11 Library with ActivCard" option during the install.
Figure 1 - Installing the NESCM client method
2. Install the NMAS.npm on the server using iManager.
3. Install the NESCM server method.
4. Create a trusted root container under the context where you want to configure NESCM.
Figure 2 - Trusted root container
5. Export the Self-Signed CA certificate.
Figure 3 - Exporting the CA cert
6. Select "No" for the "Do you want to export the private key with the certificate?" radio button.
Figure 4 - Omitting the private key
7. Select the "File in binary DER format" option in the Output format page.
Figure 5 - File in binary DER format
8. Click the "Save the exported certificate to a file" link to save the certificate to a file.
Figure 6 - Saving the certificate to a file
9. Import the certificate into the Trusted Root object.
Figure 7 - Exporting the cert, with private key
10. To configure the NESCM method to use the above trusted root container, log in to iManager.
11. Select Smart card logon > Global settings.
12. Select Certificate Search Containers, then add the trusted root container.
13. Create a user certificate and export it along with the private key to a file.
14. Export the certificate along with the private key.
NOTE: Make sure to select the appropriate key size, using the custom options, when creating the user certificate.
The Create User Certificate Results page looks as follows:
Figure 8 - Configuring the smart card PIN
15. Export the certificate file to your local hard drive. Make sure you export the private key as well.
16. Configure the PIN for the smart card. If you use CMS for administering the smart card, then create a user through CMS.
Figure 9 - Importing the cert
17. Enter the details for the user.
Figure 10 - User details
18. Perform a local issuance to the smart card in use before you import the user certificate created in Step 14.
Figure 11 - Local issuance
19. Enter a PIN.
Figure 12 - PIN
20. Select Start > ActivCard ActivClient > User Console to import this certificate onto the smart card in use.
21. Import the user certificate as shown below:
Figure 13 - User cert import
22. Click Yes when prompted during import, to accept the certificate.
Figure 14 - Accepting the cert
23. If the import is successful, a dialog box is displayed. Click OK to close it.
Figure 15 - Successful import
24. Change the registry setting on the client machine as shown below.
Note: You may need to reboot the machine before the above changes to the registry values will take effect.
25. When logging in using Novell Client, if the password field is enabled in the dialog box, enter the smart card PIN in the password field to log in.
26. If the password field is disabled in the dialog box, enter the smart card PIN in the password field provided by the NESCM method, as shown below:
Figure 16 - Entering the smart card PIN
27. If PIN authentication is successful, Novell SecureLogin loads successfully.
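Steps 5 through 9 depend on the CA certificate leaving the server as a bare binary DER certificate with the private key omitted. The following added example (not part of the AppNote or of any Novell tool) is a small dependency-free check a practitioner can run on the exported file before importing it into the Trusted Root object: it rejects PKCS#12 bundles and other private-key structures, and reports whether the certificate is self-signed (issuer equals subject), as the exported root CA certificate should be. The `sample_certificate` helper builds a constructed certificate skeleton with a dummy key and signature purely to exercise the parser; the common names used are made up.

```python
def der(tag, content):
    """Encode one DER TLV; contents under 256 bytes are enough for this example."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else b"\x81" + bytes([n])
    return bytes([tag]) + length + content

def read_tlv(buf, pos=0):
    """Decode one DER TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Split a constructed element's content into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = read_tlv(content, pos)
        out.append((tag, val))
    return out

def inspect_export(der_bytes):
    """Reject anything that is not a lone X.509 certificate; return serial and self-signed flag."""
    tag, body, end = read_tlv(der_bytes)
    if tag != 0x30 or end != len(der_bytes):
        raise ValueError("not a single DER SEQUENCE (wrong format or trailing data)")
    first_tag, first_val = children(body)[0]
    if first_tag != 0x30:                   # PKCS#12 PFX = SEQUENCE { INTEGER 3, ... }
        raise ValueError("not a bare X.509 certificate (an INTEGER here means PKCS#12 or a private key)")
    tbs = children(first_val)
    if tbs[0][0] == 0xA0:                   # skip the optional explicit [0] version field
        tbs = tbs[1:]
    serial, _sig_alg, issuer, _validity, subject = tbs[:5]
    return {"serial": int.from_bytes(serial[1], "big"),
            "self_signed": issuer[1] == subject[1]}

def name(cn):
    """X.501 Name with a single commonName (OID 2.5.4.3) attribute."""
    return der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))))

def sample_certificate(issuer_cn, subject_cn):
    """Constructed certificate skeleton with a dummy key and signature (not a real certificate)."""
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"340101000000Z"))
    spki = der(0x30, alg + der(0x03, b"\x00" * 9))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x10\x01") + alg
              + name(issuer_cn) + validity + name(subject_cn) + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 17))
```

To check a real export, read the .der file in binary mode and pass its bytes to `inspect_export`; a file produced with the private key included fails the first-field check rather than being imported as a trusted root.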
For more information on NESCM, refer to: http://www.novell.com/documentation/ncl201/index.html?page=/documentation/ncl201/nclinstall/data/bvqecn3.html
For more information on smart card functionality with NSL, refer to: http://www.novell.com/documentation/securelogin60/index.html
Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).
It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.