kiranprabhu_dp's picture
Integrating NSL with ActivCard Card Readers, Using the NESCM Method

Introduction

When a smart card is used with SecureLogin, several optional features become available that increase security. Some of them are:

  • Using the smart card to encrypt SecureLogin data.
  • Storing SSO credentials, such as application user names and passwords, on the smart card.
  • Restricting SSO availability to smart card users, so that only those who log in using a smart card are allowed to start and administer SSO.

This AppNote explains the steps to integrate the ActivCard smart card reader, using the Novell Enhanced Smart Card Method (NESCM) for NMAS.

Prerequisites

  • ActivCard USB Reader v2
  • NSL 6.0 SP1
  • OES SP2 with eDirectory 8.7.3.7 on a NetWare platform
  • Windows 2000 SP4 with Novell Client 4.91 SP2
  • CMS (Configuration Management System)
  • ActivClient with the latest hot fix

Procedure

1. Install the NESCM client method nescm_3.0. During installation, make sure you select PKCS #11 Library with ActivCard as the option.

Figure 1 - Installing the NESCM client method

2. Install the NMAS.npm version on the server using this iManager tool:
http://www.novell.com/coolsolutions/appnote/18225.html

3. Install the NESCM server method.

4. Create a trusted root container under the context where you want to configure NESCM.

Figure 2 - Trusted root container

5. Export the Self-Signed CA certificate.

Figure 3 - Exporting the CA cert

6. Select "No" for the "Do you want to export the private key with the certificate?" radio button.

Figure 4 - Omitting the private key

7. Select the "File in binary DER format" option in the Output format page.

Figure 5 - File in binary DER format

8. Click the "Save the exported certificate to a file" link to save the certificate to a file.

Figure 6 - Saving the certificate to a file

9. Import the certificate into the Trusted Root object.

Figure 7 - Exporting the cert, with private key

10. To configure the NESCM method to use the above trusted root container, log in to iManager.

11. Select Smart card logon > Global settings.

12. Select Certificate Search Containers, then add the trusted root container.

13. Create a user certificate and export it along with the private key to a file.

14. Export the certificate along with the private key.

NOTE: Make sure you select the appropriate key size, using the custom options, when creating the user certificate.

The Create User Certificate Results page looks as follows:

Figure 8 - Configuring the smart card PIN

15. Export the certificate file to your local hard drive. Make sure you export the private key as well.

16. Configure the PIN for the smart card. If you use CMS for administering the smart card, then create a user through CMS.

Figure 9 - Importing the cert

17. Enter the details for the user.

Figure 10 - User details

18. Do a local issuance to the smart card in use before you import the user certificate created in Step 14.

Figure 11 - Local issuance

19. Enter a PIN.

Figure 12 - PIN

20. Select Start > ActivCard ActivClient > User Console to import this certificate back to the smart card in use.

21. Import the user certificate as shown below:

Figure 13 - User cert import

22. Click Yes when prompted during import, to accept the certificate.

Figure 14 - Accepting the cert

23. If the import is successful, a dialogue box is displayed. Click OK to close it.

Figure 15 - Successful import

24. Change the registry setting on the client machine as shown below.

  • Key: HKLM\SOFTWARE\Novell\NMAS\MethodData\NCL smart card
  • Value: InterfaceType
      • Type: String
      • Data: PCSC or PKCS11
  • Value: PKCS11Module
      • Type: String
      • Data: Name of the PKCS11 DLL to be used when in PKCS11 mode

Note: You may need to reboot the machine before the changes to the registry values take effect.

25. When logging in using Novell Client, if the password field is enabled in the dialog box, enter the smart card PIN in the password field to log in.

26. If the password field is disabled in the dialogue box, enter the smart card PIN in the password field provided by the NESCM method, as shown below:

Figure 16 - Entering the smart card PIN

27. If PIN authentication is successful, Novell SecureLogin loads successfully.
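A read-only check of the registry values from Step 24, added here as an example; it is not part of the original AppNote or of Novell's tooling. It assumes PowerShell is available on the client and that a bare DLL name in PKCS11Module is installed in System32; the function names are hypothetical.

```powershell
# Added example: validates the Step 24 client settings without changing them.
$KeyPath = 'HKLM:\SOFTWARE\Novell\NMAS\MethodData\NCL smart card'

function Get-NescmValues {
    # Read the two values named in Step 24; a missing value comes back as $null.
    $props = Get-ItemProperty -LiteralPath $KeyPath -ErrorAction Stop
    @{ InterfaceType = $props.InterfaceType; PKCS11Module = $props.PKCS11Module }
}

function Test-NescmConfig {
    param([hashtable]$Values)   # value name -> data, as read from the key
    $problems = @()
    $iface = $Values['InterfaceType']

    # InterfaceType must be one of the two modes the AppNote lists.
    if ('PCSC', 'PKCS11' -notcontains $iface) {
        $problems += "InterfaceType is '$iface'; expected PCSC or PKCS11"
    }

    # PKCS11Module only matters in PKCS11 mode, where it must name a DLL.
    if ($iface -eq 'PKCS11') {
        $module = $Values['PKCS11Module']
        if ([string]::IsNullOrEmpty($module)) {
            $problems += 'InterfaceType is PKCS11 but PKCS11Module is empty'
        } else {
            # Assumption: a bare DLL name is looked for in System32.
            $path = if ([IO.Path]::IsPathRooted($module)) { $module }
                    else { Join-Path $env:SystemRoot "System32\$module" }
            if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
                $problems += "PKCS11Module '$module' not found at $path"
            }
        }
    }
    $problems
}

# Constructed sample: PKCS11 mode selected but no module name set.
Test-NescmConfig @{ InterfaceType = 'PKCS11'; PKCS11Module = '' }

# On a configured client, check the live values instead:
# Test-NescmConfig (Get-NescmValues)
```

An empty result means both values are consistent; a reboot may still be needed before the NESCM method picks them up.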

Conclusion

For more information on NESCM, refer to: http://www.novell.com/documentation/ncl201/index.html?page=/documentation/ncl201/nclinstall/data/bvqecn3.html

For more information on smart card functionality with NSL, refer to: http://www.novell.com/documentation/securelogin60/index.html


Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).

It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.





© 2013 Novell