
 

When you think of Novell, there’s a good chance your next thought is NetWare or eDirectory. In the past that would have been an accurate thought process—but not any more. Novell is not just a NetWare or eDirectory company. Its focus is to provide solutions that meet the complex scenarios many businesses face.

For example, let’s say that an organization, ABC Company, uses Active Directory as their primary authentication tool. One of the great things about Novell SecureLogin is that you can get the security from the solution without having Client 32 installed on the workstations, terminal servers or even Citrix servers. One example of this is a large financial institution with 37,000 users deployed. Many options make it easy to implement Novell SecureLogin in your specific environment.

Given that the network infrastructure is in place, how can we leverage Novell SecureLogin to help ABC Company be more productive and add more security? This article discusses how easy Novell SecureLogin is to install and implement and explains the benefits of adding it to your network.

When using Novell SecureLogin, there’s no requirement for Client 32. With Active Directory, Novell SecureLogin uses the native ADSI protocol to communicate with the directory, just as workstation or server logins to a domain do today.

Out of the box, Novell SecureLogin natively supports Active Directory, ADAM, LDAP to eDirectory and any LDAP v3-compliant directory. And it obviously supports eDirectory. (See Figure 1.) With the LDAP support, you can set up a workstation with the Microsoft GINA and seamlessly log in to eDirectory without the end user ever knowing. Some LDAP directories Novell SecureLogin communicates with are SunOne and Critical Path.

Note that Novell SecureLogin is a client-based directory solution with no server components (unless Secret Store is used) and no hardware appliances or services to install. Because it is directory-based, an external database is not required to manage users; Novell SecureLogin leverages the enterprise directory as the central store of user credentials.

You use MMC (Microsoft Management Console) to manage users in Novell SecureLogin the same way you manage users in Active Directory. (See Figure 2.) Managing the Novell SecureLogin solution in Active Directory provides you with cool additional options for managing users. Besides using native management tools like MMC, there is also full support for using Group Policies, typical of Active Directory environments.

 

In the following example, we will set up the “Finance” application so that only users in the “Finance Group” will inherit this via Group Policy. Start by selecting the “Finance – NSL” Group Policy and then choose “Edit.” (See Figure 3.)

When you open this policy, browse down to “User Configuration” and then double click the “SecureLogin” folder on the right.

You will then have an interface similar to Figure 5. For this Group Policy Object (GPO) we have already created a Windows Application Definition for “Finance.exe.”

“CPerigo” is a member of the Finance Group (see the user object details at the top of Figure 6), so he will see Finance Novell SecureLogin applications and settings. Now that he has logged in, we can see that the Finance Application is set up for Novell SecureLogin. Notice at the bottom of Figure 6 that Novell SecureLogin shows where the application is inherited from. This function is very useful when you have multiple GPOs to manage.

We will now do the same for the “Accounts Payable” application, so only users in the “Accounts Payable Group” will inherit this.

When you open the Accounts Payable policy, browse down to “User Configuration” and then double click the “SecureLogin” folder on the right. (See Figure 4.)

You will then have an interface similar to the following. For this GPO we already created a Windows Application Definition for “AP.exe.” (See Figure 5.)

The user “TCathey” is a member of the Accounts Payable Group and therefore will see the Accounts Payable Novell SecureLogin applications and settings. Now that this user is logged in, you can see that the Accounts Payable Application is set up for Novell SecureLogin. Also note that this user does NOT see the “Finance” application that the “CPerigo” user has displayed. They are both in the same container; however, they do not see the same information. (See Figure 6.)

Novell SecureLogin also comes with support for Windows applications, Web emulators and Java. For those of you that have legacy applications, have no fear—we can help you, too. If your applications were built with Power Builder back in the 1980s, and the folks who wrote them have moved on, relax! Novell SecureLogin is flexible enough to deal with older legacy applications. Also, if your applications require complex or multi-step logins, and they can’t be enabled via the Novell SecureLogin Application Wizard, Novell SecureLogin’s powerful built-in scripting language will do the trick!

 

Now as we all know, not all Java applications are created equal. Novell SecureLogin comes with support for Java applications that use JRE 1.40 and greater. For those of you that use applications with more than 1 JRE format on a given machine, Novell SecureLogin can support this as well. Novell SecureLogin 6.1.0, which is now available, will be enabled automatically for JRE support. This means that applications such as JInitiator that can have different JRE versions auto installed when a Web site is accessed, can be fully supported automatically by Novell SecureLogin. In previous versions of Novell SecureLogin, this has been a manual configuration process.

Also with Novell SecureLogin (6.1.0), the installer has been modified from an InstallShield setup.exe file to an MSI file. This allows more flexibility in the installation and management of the deployment with solutions such as ZENworks and SMS. With this new MSI, the upgrade path from an earlier version is simple. You just upgrade and reboot, and you are done. If this is a fresh installation such as Vista, which is also supported with NSL 6.1.0, then simply install and reboot to enjoy the full benefits of Novell SecureLogin.


Another new feature in Novell SecureLogin 6.1.0 is the “Desktop Automation Services” or DAS. When using DAS with Novell SecureLogin, understand that Client 32 is not required! DAS can be configured to use Novell SecureLogin’s LDAP GINA to communicate with Active Directory. (Note: This can be configured to replace the GINA or not replace the GINA and is a Network Provider.) A software component service runs locally on the workstation and is configurable to handle the unique use cases associated with shared workstations. DAS provides a way to execute selective, configurable lists of user operations from virtually any scripting or programming medium on the Windows operating system, such as mapping drives, auto launching applications or providing hot-key functionality. This is very useful in a shared-access computer environment in which multiple users need to log in and log out quickly (fast user switching).

This solution allows an administrator to configure machine(s) to boot and auto log in to Active Directory as a generic user with little to no rights. Then DAS will start up and provide a login prompt from Novell SecureLogin for a user to provide their login credentials. Once they successfully log in, the Novell SecureLogin client is started and they can run applications and get single sign-on (SSO) features. Depending on your environment, DAS can quickly log the user off all applications, close Novell SecureLogin, and reset back at the Novell SecureLogin Login ready for a new user in under five seconds. Independent actions or a sequence of actions can also be defined. DAS also provides an API for introducing additional operations via extensions.

A common scenario where DAS is very useful is a workstation that is configured to boot up and auto log in to the Windows desktop and Active Directory domain automatically. All of the drive mappings are done at login by the generic user via auto login. There might be three to five users that use the workstation in a single hour, and they all log in to applications that require unique usernames and passwords. When it’s time for Mary to log in, she can have her home drive mapped and, based on her role, device or location, have her applications displayed. She then has all of the benefits of Novell SecureLogin single sign-on features.

 

How do you ensure that a workstation is ready for the next user? Is there a way to know if the previous user has logged out and all of the active applications are ready without restarting Windows? By implementing DAS you have a few options. You can set up logout timers or provide sonar devices on the workstations to provide walk away fast logout procedures. If users are well trained, they can click a logout button on the toolbar or a hot key sequence such as Ctrl+L. That tells DAS to send a message to close all applications opened during a user session (gracefully when possible in conjunction with Novell SecureLogin). It then brings up a login window for the next user to log in within seconds.

Ensuring your security continues to be a prime concern for Novell SecureLogin. By default, all of its data is encrypted with 3DES. You also have the option of changing to AES, provided all operating systems are Windows XP and above. Novell SecureLogin gives you some options for setting up the user environment to specify what they can and cannot do. An important consideration in this context is the Passphrase system. When Novell SecureLogin is first installed the user can be prompted to create a security question for Novell SecureLogin. (See Figure 7.)

The security question works much the same as when you call on a credit card, and they ask you, “What is your mother’s maiden name?” You have already provided a credit card number; however, you may not be the original account holder. By asking this additional question, they can verify who they are speaking to and whether or not you are an authorized user.

With Novell SecureLogin you have a similar scenario.

Let’s say that a rogue administrator changes the password for “CPerigo” using his administrator rights. Normally he could log in as “CPerigo” with the newly changed password and access everything that “CPerigo” can. But because Novell SecureLogin’s passphrase functionality is installed, the impostor is asked to answer a question that the user “CPerigo” created without the help of an administrator. Of course, the rogue administrator does not have that information. Therefore, Novell SecureLogin will not load and the SSO credentials are not available to him. This provides one more layer of protection from unauthorized parties accessing private SSO user data. Although not recommended, there is an option to disable Passphrase Security if required.
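
A conceptual model of the passphrase behaviour described above, added here as an illustration and not Novell SecureLogin's code or storage format. It assumes the key protecting the SSO store is wrapped once under the user's password and once under the passphrase answer; all names are hypothetical, and the stdlib-only XOR-plus-HMAC wrap stands in for a real AEAD key wrap.

```python
import hashlib
import hmac
import os

def _derive(secret: str, salt: bytes) -> bytes:
    # 64 bytes: the first half masks the vault key, the second half keys the tag.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000, dklen=64)

def wrap(vault_key: bytes, secret: str) -> tuple:
    salt = os.urandom(16)
    k = _derive(secret, salt)
    masked = bytes(a ^ b for a, b in zip(vault_key, k[:32]))
    tag = hmac.new(k[32:], salt + masked, hashlib.sha256).digest()
    return salt, masked, tag

def unwrap(blob: tuple, secret: str):
    salt, masked, tag = blob
    k = _derive(secret, salt)
    expected = hmac.new(k[32:], salt + masked, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong secret: the vault key stays sealed
    return bytes(a ^ b for a, b in zip(masked, k[:32]))

class CredentialStore:
    """Hypothetical per-user SSO store as it would sit in the directory."""
    def __init__(self, password: str, answer: str):
        vault_key = os.urandom(32)  # would encrypt the stored app credentials
        self.by_password = wrap(vault_key, password)
        self.by_answer = wrap(vault_key, self._norm(answer))

    @staticmethod
    def _norm(answer: str) -> str:
        return " ".join(answer.split()).casefold()

    def unlock(self, password: str):
        return unwrap(self.by_password, password)

    def recover(self, answer: str, new_password: str) -> bool:
        vault_key = unwrap(self.by_answer, self._norm(answer))
        if vault_key is None:
            return False
        self.by_password = wrap(vault_key, new_password)  # re-seal under new password
        return True

def demo():
    store = CredentialStore("user-chosen-pw", "Example Answer")  # constructed values
    original = store.unlock("user-chosen-pw")
    after_reset = store.unlock("admin-set-pw")  # password was reset by an admin
    recovered = store.recover("example  answer", "admin-set-pw")
    return original, after_reset, recovered, store.unlock("admin-set-pw")
```

In this model a password reset alone changes nothing in the store, so the new password cannot unwrap the key until the passphrase answer is supplied.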

The new release of Novell SecureLogin fully supports (as in previous versions) Terminal Server and Citrix. These features will allow a seamless, secure pass through to log in to a Terminal Server or Citrix Server. Typically, if you select a “Remote Desktop Connection,” you are prompted for the username and password. When this happens, Novell SecureLogin will take your current username and password and pass them to the Terminal Server. You are logged in without any additional intervention. Because the Novell SecureLogin client is also installed on the server, it will leverage the modules loaded and shared across multiple users. So if we take one more step into this, you could have a thin client without Novell SecureLogin.

For example, Jane, one of your remote users, is at a coffee shop accessing a public computer. She logs in to your portal manually and launches the Terminal Server application. She manually provides her username and password and accesses a Terminal Server desktop where Novell SecureLogin is installed. Now she can leverage Novell SecureLogin on the Terminal Server desktop and Novell SecureLogin will securely provide the credentials for each application configured. The same scenario is also available if you are using Citrix with published applications or a published desktop.

A common question with Terminal Server and Citrix is memory consumption. Typically, every session needs to load the Novell SecureLogin files (three by default). Once loaded into memory, this is managed as shared memory. For example, instead of 15 MB for Novell SecureLogin x 10 users (consuming 150 MB of RAM), it is now using roughly 10 MB of memory shared for all 10 users. Granted, this will vary as it is accessed; however, this is typical of most applications’ use of RAM.

Another nice feature of Novell SecureLogin is the ability to import and export information to XML or ESX (encrypted XML). In this way, you move data from a test environment to a production environment in under five minutes. In your test environment, simply export your definitions and settings to an XML file. Next, import this information to production. Now install Novell SecureLogin and enjoy the benefits of an enhanced end user experience and a more secure environment.

Another great feature in Novell SecureLogin is its integration with Novell Identity Manager. Novell Identity Manager is a solution that deals with the provisioning of a user and generating needed usernames and passwords based on the user’s role and unit. Travis, for example, is hired in IS&T. To do his job, he will need an e-mail account, a mainframe account and Internet access. With Identity Manager, policies determine Travis’ rights, and his account is created in the directory. He gets provisioned with everything he needs, including a username and password. Now that Novell Identity Manager has provisioned his information to the directory, Novell SecureLogin can securely provide him with seamless access to mainframe, e-mail and Internet, without Travis ever needing to enter or know any of his account information, such as his username and password.

Get a demo of Novell SecureLogin today at novell.com/products/securelogin by clicking Request a Call or download an evaluation version.

For the documentation on Novell SecureLogin, go to: novell.com/documentation/securelogin60.


© 2014 Novell