Configuring and Using pcprox-based NMAS Authentication with NSL
Novell Cool Solutions: AppNote
By Girish Mutt
Posted: 5 Apr 2006
Introduction
The goal of this AppNote is to provide an overview of configuring and using pcprox card-based authentication with Novell SecureLogin (NSL). It explains how to configure the Novell SecureLogin client and the corresponding eDirectory server so that a pcprox card can be used for authentication.
About NSL, NMAS, and Proximity Cards
Novell SecureLogin (NSL) is a single sign-on (SSO) technology that, after the initial network login, eliminates the need for Windows users to remember user names and passwords for the various applications they use. The user names and passwords are stored and automatically entered into the corresponding fields of an application when Windows, Java, Web, and other applications are launched. NSL can be used with most directories, whatever mechanism they use for authentication to the directory.
NSL also supports advanced authentication with Novell eDirectory through the Novell Modular Authentication Service (NMAS). NMAS provides both single-level and multiple-level, clearance-based authentication to eDirectory using password, token and/or biometric clearances. This is where a pcprox card can be used as a means of clearance for eDirectory-based authentication, through the NMAS Proximity Card method supported by eDirectory.
Proximity cards are read-only, passive (no-power) cards recognized as the industry standard for physical access control. They are also used for logon-based authentication with directory services. These cards can be securely enrolled with the user's credentials, including the username and password of an individual in the directory. By using this card, the user can authenticate directly to the directory at the logon prompt. The card can be used for single-level and multiple-level, clearance-based authentication. With this approach, the unique number on the proximity card becomes part of the user object in the directory, where it can be used as the username or password for directory authentication. At the directory logon prompt, the user simply presents the pcprox card, the card reader fills in the username and password fields, and login happens seamlessly.
The advantage of pcprox is that it can be used with both client32- and LDAP-based authentication.
Setup for pcprox Authentication
In order to use this pcprox mode of authentication with NSL, you need to perform the following steps:
1. On the server side, set up the eDirectory server to support NMAS Proximity card.
2. Use the Novell SecureLogin client with pcprox-based authentication.
Setting up the eDirectory server to support NMAS Proximity Card
The NMAS Proximity Card-based authentication requires the following on the eDirectory server:
- NMAS Server Component
- NMAS Proximity Card Server Login method
The basic server setup requires the following steps:
1. Install eDirectory 8.7.x or later on any server supported by eDirectory, with NICI and NMAS server components.
2. Install the NMAS Proximity Card Server Login method. This can be done easily with the NMAS Method Installer that is bundled as part of Novell SecureLogin (NSL). The Method Installer can be found in the ..\Nmas\NmasMethods\.. folder of the Novell SecureLogin (NSL) build.
Note: This Method Installer has to be run from a Windows workstation.
3. Go to the Nmas folder of the NSL build.
4. Run the Method Installer and choose NMAS Proximity Card Server Login method to install from the list.
Figure 1 - Startup screen after launching the NMAS Method Installer
The NMAS Method Installer can be used to install the NMAS login methods into eDirectory from a Windows workstation.
5. Select the NMAS Proximity card Login method from the list and click Next to continue.
Figure 2 - NMAS Login Method selection window
6. To install the method on the server, log in to eDirectory as a user with administrative privileges.
Figure 3 - eDirectory Login window
7. Accept the license. The installer will prepare to install the login method.
Figure 4 - NMAS Proximity Card Login Method Properties window
8. Choose the option to create a Login sequence that contains only the NMAS Proximity Login Method.
Figure 5 - NMAS Proximity Login sequence creator
The NMAS Proximity Card method is now installed in eDirectory.
Figure 6 - NMAS Proximity Card installation completion window
Using the NSL Client with pcprox-based Authentication
To use NMAS Proximity Card-based authentication with Novell SecureLogin (NSL), you need to follow these steps:
- Check for Minimum requirements
- Configure iManager for an SSL/TLS Connection to eDirectory
- Configure a user to use the NMAS Proximity Card Method. This provides pcprox client-login-method-based authentication with NSL.
Checking for Minimum Requirements
The following minimum requirements must be met on the Windows client side:
- Windows-XP with SP2/ Windows-2000 with SP4
- NMAS client
- NMAS-pcprox Login Client Method
- Standalone iManager 2.5 installed with all the eDirectory administration-related and NSL-related iManager plug-in modules. Most of the eDirectory administration-related iManager plug-ins are part of the default installation.
Note: The above check is not necessary if you are installing NSL in eDirectory mode with NMAS, along with the pcprox Login Client Method.
For more information on the administration of the iManager plug-ins, see the Installation Guide at http://www.novell.com/documentation/imanager25/index.html
Note: NSL is bundled with iManager plug-ins, including the pcprox plug-in for iManager, which must be installed. NSL should also have been installed to use eDirectory to store its data, and to access eDirectory with the NMAS client over either Client32 (Novell Client) or the LDAP protocol. The Novell SecretStore client must be chosen if you have eDirectory with SecretStore on the server. In this AppNote we assume that only the NMAS client is installed, and none of the NMAS methods.
During NSL installation, if you choose the NMAS client you have the option of installing the various NMAS client login methods on the Windows client. You can therefore install an NMAS client login method during NSL installation, or later, when the user actually needs that NMAS method.
NSL can be used with the pcprox card-based login in either Novell Client mode or LDAP mode.
Configuring iManager for SSL/TLS Connection to eDirectory
To use the pcprox plug-in for scanning the pcprox card on a Windows client machine, you need a secured connection to eDirectory from Standalone iManager. This SSL connection to eDirectory is needed for the following operations:
- Associating the pcprox card ID with the user, so the card acts like a traditional username to identify the user to the network.
- Using the pcprox card ID as a user password, so the card acts like a traditional password to authenticate the user to the network.
To set up SSL access to eDirectory, you must import a root certificate into Standalone iManager by completing the following tasks:
- Export a root certificate.
- Import an eDirectory certificate into the keystore.
Exporting a Root Certificate
1. Log in to iManager.
2. In the Contents panel, click eDirectory Administration > Modify Object.
3. In the right pane, enter the distinguished name of the LDAP server in the Object Name box, then click OK.
Note: If you do not know the name,
a) Click the Object Selector button that allows you to browse the tree for objects.
b) In the left pane, enter the container in which to begin browsing, select the other criteria for the object, then click Apply.
c) In the right pane, select the object.
d) When the object appears in the Object Name box, click OK.
Figure 7 - LDAP Server object selection
4. Select the Connections tab and note the name of the server certificate listed in the Server Certificate box.
Figure 8 - LDAP Server Certificate to be used for setting up SSL connection
5. In the Contents panel, again click eDirectory Administration > Modify Object.
6. In the right pane, enter the name of the server certificate or browse to the SSL CertificateDNS object, then click OK.
Figure 9 - LDAP Server Certificate to be exported from server
7. Select the Certificates tab, select Trusted Root Certificate, then click Export.
Figure 10 - LDAP Server Certificate exporting from server
8. Choose not to export the private key with the certificate.
Figure 11 - LDAP Server Certificate being exported from server without private key
9. Save the certificate to a file in DER format to finish exporting the server certificate.
Importing an eDirectory Certificate into the Keystore
After you have an eDirectory certificate saved in DER format, you need to import the certificate into the iManager keystore using the following steps:
1. Use the Windows Run option to go to the command prompt.
2. Change to the bin directory where you have installed the JRE, which is C:\Program Files\Novell\jre\bin for Standalone iManager 2.5.
3. Import the certificate into the keystore with the keytool. Because you are importing the certificate to iManager running in Standalone mode on a Windows machine, you need to use the following command:
keytool.exe -import -file "C:\TrustedRootCert-SSL CertificateDNS -BM3C.der" -keystore ..\lib\security\cacerts
The first path in the command, "C:\TrustedRootCert-SSL CertificateDNS -BM3C.der", specifies the location and name of the certificate you exported. The last path in the command, ..\lib\security\cacerts (relative to the JRE bin directory you changed to in step 2), specifies the keystore location. This varies from system to system because it is based on where iManager is installed. The default location for iManager on a Windows server is C:\Program Files\Novell\jre\lib\security\cacerts.
4. Enter "changeit" for the keystore password and then select Yes to Trust this certificate.
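Before running the import in step 4, a practitioner normally wants to confirm that the DER file really is the trusted root (a CA certificate that is still valid) and, after the import, that the keystore entry matches the file. The PowerShell script below is an added example and not part of this AppNote; it assumes the file and JRE paths used above, and the alias name is our own choice.

```powershell
# Added example, not part of the AppNote: check the exported DER root certificate,
# import it into the Standalone iManager 2.5 keystore, and verify the import.
# Assumptions: the DER file name and JRE path from the AppNote; the alias is our own choice.
param(
    [string]$DerFile   = 'C:\TrustedRootCert-SSL CertificateDNS -BM3C.der',
    [string]$JreHome   = 'C:\Program Files\Novell\jre',
    [string]$Alias     = 'edir-trusted-root',   # assumed alias (keytool would otherwise use "mykey")
    [string]$StorePass = 'changeit'             # default cacerts password, as in the AppNote
)

$keytool  = Join-Path $JreHome 'bin\keytool.exe'
$keystore = Join-Path $JreHome 'lib\security\cacerts'

# 1. Inspect the file before trusting it: it must be a CA certificate (the Trusted Root,
#    not the server's own certificate) and must still be valid.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $DerFile
$isCa = $false
foreach ($ext in $cert.Extensions) {
    if ($ext -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]) {
        $isCa = $ext.CertificateAuthority
    }
}
if (-not $isCa) { throw "$DerFile is not a CA certificate; export the Trusted Root Certificate instead." }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }
if ($cert.Subject -ne $cert.Issuer) { Write-Warning "Not self-signed: confirm this is the tree's root CA." }
Write-Host "Importing '$($cert.Subject)' (SHA1 $($cert.Thumbprint)), valid until $($cert.NotAfter)"

# 2. Import non-interactively with an explicit alias (-noprompt answers the "Trust this
#    certificate?" question from step 4).
& $keytool -import -noprompt -alias $Alias -file $DerFile -keystore $keystore -storepass $StorePass
if ($LASTEXITCODE -ne 0) { throw "keytool import failed (exit code $LASTEXITCODE)" }

# 3. Confirm the entry is present and that the keystore's SHA1 fingerprint matches the file
#    we inspected; -v prints the SHA1 line on both old and current keytool versions.
$listing  = & $keytool -list -v -alias $Alias -keystore $keystore -storepass $StorePass
$sha1Line = $listing | Where-Object { $_ -match '^\s*SHA1:\s*[0-9A-Fa-f:]+' } | Select-Object -First 1
if (-not $sha1Line) { throw "Alias '$Alias' not found in $keystore" }
$storedFp = ($sha1Line -replace '^\s*SHA1:\s*', '' -replace ':', '').ToUpper()
if ($storedFp -ne $cert.Thumbprint) { throw "Fingerprint mismatch: keystore $storedFp vs file $($cert.Thumbprint)" }
Write-Host "Trusted root '$Alias' imported and verified in $keystore"
```

Run it from an elevated prompt, since the cacerts file under Program Files is normally not writable by ordinary users.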
Figure 12 - Using keytool command to import certificate to iManager keystore
Configuring a User to Use the NMAS Proximity Card Method
This configuration enables pcprox client-login-method-based authentication with NSL. When all the above configuration is done, the following tasks remain:
- Associating the pcprox card ID with the user
- Setting the default login method under NMAS login sequence as NMAS Proximity Card method
- Using pcprox login method when NSL is used in Novell client and LDAP protocol modes
Associating the pcprox Card ID with the User
When you want to use pcprox card for eDirectory authentication, you can use the pcprox card ID in two different ways:
- As an NMAS pcprox login ID, where the card acts like a traditional username to identify the user to the network.
- As a password, where the card acts like a traditional password to authenticate the user to the network.
The standard practice is to use the pcprox card ID as both the user identification and the password.
The association of the pcprox card ID as username and password can be done by using the following steps:
1. Connect the card reader to the port you selected during pcprox client login module installation. If you chose USB, connect the reader to a USB port.
2. Place the card that you want to associate with an eDirectory user over the reader.
3. Log in to the iManager as a user with administrative privileges.
4. In the Contents panel, click NMAS > NMAS users.
5. In the right panel enter the user name and click OK.
6. When the NMAS options for that NMAS user are displayed, click the pcprox tab.
7. Scan the card and add it to the pcprox ID list as shown below. After this, the card can be used to identify the user.
Figure 13 - pcprox card ID associated with a user "admin1.novell"
8. If you want to use the pcprox card ID as the password, go to the "ID As Password" tab and select Set Card ID. Then scan the card and click Apply, followed by OK, for the changes to take effect.
Figure 14 - pcprox card ID associated with a user "admin1.novell" as password
Setting the default NMAS login method as NMAS Proximity Card
Finally, you need to set the default login sequence for that user as "NMAS Proximity Card" as shown below. Applying this option enables the user to log in with only the NMAS Proximity Card login method, using a reader and pcprox card.
Figure 15 - Associating default login sequence as "NMAS Proximity Card"
Using pcprox login method when Novell SecureLogin is used in Novell client and LDAP protocol modes
As mentioned earlier, the pcprox login method for NSL can be used in either Novell Client mode or in LDAP mode.
When you want to use NSL in Novell Client mode, you need to remove the password field in the Novell Client login prompt. This is essential, as you are using the pcprox card ID to identify both the eDirectory user and the password for that user. This can be done easily by using the steps below:
1. From the Novell Client system tray icon, click Novell Client Properties.
2. When the options are displayed, click the Location Profiles tab and select the Default.
3. Click Properties.
4. Under Default Location Profile Properties, choose the properties option.
Figure 16 - Modifying the Default Location profile to remove the Password field
5. From the Default Location Profile, choose Properties and uncheck the "Enable password field" option as shown below.
Figure 17 - Disabling Password field in Novell Client Login
6a. When you use the Novell Client to log in to eDirectory, you are presented with the GINA dialog shown below, requesting you to place the card above the reader. After you do so, you are logged in to eDirectory.
Figure 18 - Novell Client GINA for pcprox-based NMAS login
6b. When you want to use Novell SecureLogin (NSL) in LDAP mode, choose the NMAS Proximity Card login sequence from the list of NMAS login sequences and click OK.
Figure 19 - Novell SecureLogin (NSL) GINA for pcprox-based NMAS login
7. If you have not placed the card on the reader, do so now. The login should be successful.
Figure 20 - User being prompted by LDAP GINA to place the card above the reader for login to proceed
This AppNote was written for NSL customers who want to use the NMAS Proximity Card login method with pcprox. Because it deals mainly with using the NMAS authentication service with eDirectory for proximity cards, it also applies to other products that use NMAS.
Glossary of Terms
- NSL - Novell SecureLogin
- LDAP - Lightweight Directory Access Protocol
- NMAS - Novell Modular Authentication Service
- NICI - Novell International Cryptographic Infrastructure
- SSL - Secure Socket Layer
- TLS - Transport Layer Security
- GINA - Graphical Identification and Authentication
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com