Novell Home

Integrating NSL with ActivCard Card Readers, Using the NESCM Method

Novell Cool Solutions: AppNote
By DP Kiran Prabhu

Rate This Page

Reader Rating  stars  from 1 ratings

Digg This - Slashdot This

Posted: 3 Jan 2007 		 

Introduction

When a smart card is used in conjunction with SecureLogin, a number of new features can be implemented optionally to increase security. Some of them are:

  • Using smart card to encrypt SecureLogin.
  • Storing SSO credentials such as application user names and passwords on the smart card.
  • Entering SSO availability to the smart cards so that only those who log in using a smart card are able are allowed to start and administer SSO.

This AppNote explains the steps to integrate the ActivCard smart card reader, using the Novell Enhanced Smart Card Method (NESCM) for NMAS.

Prerequisites

  • ActivCard USB Reader v2
  • NSL 6.0 SP1
  • OES SP2 with eDirectory 8.7.3.7 on a NetWare platform
  • Windows 2000 SP4 with Novell Client 4.91 SP2
  • CMS (Configuration Management System)
  • ActivClient with the latest hot fix

Procedure

1. Install the NESCM client method nescm_3.0. Make sure you select the PKCS #11 Library with ActivCard as the option during install.

Figure 1 - Installing the NESCM client method

2. Install the NMAS.npm version on the server using this iManager tool:
http://www.novell.com/coolsolutions/appnote/18225.html

3. Install the NESCM server method.

4. Create a trusted root container under the context where you want to configure NESCM.

Figure 2 - Trusted root container

5. Export the Self-Signed CA certificate.

Figure 3 - Exporting the CA cert

6. Select "No" for the "Do you want to export the private key with the certificate?" radio button.

Figure 4 - Omitting the private key

7. Select the "File in binary DER format" option in the Output format page.

Figure 5 - File in binary DER format

8. Click the "Save the exported certificate to a file" link to save the certificate to a file.

Figure 6 - Saving the certificate to a file

9. Import the certificate to Trusted root object.

Figure 7 - Exporting the cert, with private key

10. To configure the NESCM method to use the above trusted root container, log in to iManager.

11. Select Smart card logon > Global settings.

12. Select Certificate Search Containers, then add the trusted root container.

13. Create a user certificate and export it along with the private key to a file.

14. Export the certificate along with the private key.

NOTE: Make sure to select the appropriate key size using the custom options during create user certificate.

The Create User Certificate Results page looks as follows:

Figure 8 - Configuring the smart card PIN

15. Export the certificate file to your local hard drive. Make sure you export the private key as well.

16. Configure the PIN for the smart card. If you use CMS for administering the smart card, then create a user through CMS.

Figure 9 - Importing the cert

17. Enter the details for the user.

Figure 10 - User details

18. Do a local issuance to the smart card in use before you import the user certificate created in Step 14.

Figure 11 - Local issuance

19. Enter a PIN.

Figure 12 - PIN

20. Select Start > ActivCard ActivClient > User Console to import this certificate back to smart card in use.

21. Import the user certificate as shown below:

Figure 13 - User cert import

22. Click Yes when prompted during import, to accept the certificate.

Figure 14 - Accepting the cert

23. If the import is successful, a dialogue box is displayed. Click OK to close it.

Figure 15 - Successful import

24. Change the registry setting on the client machine as shown below.

  • Key: HKLM\SOFTWARE\Novell\NMAS\MethodData\NCL smart card
  • Value: InterfaceType
  • Type: String
  • Data: PCSC or PKCS11
  • Value: PKCS11Module
  • Type: String
    • Data: Name of the PKCS11 DLL to be used when in PKCS11 mode

Note: You may need to reboot the machine before the above changes to the registry values will take effect.

25. When logging in using Novell Client, if the password field is enabled in the dialog box, enter the smart card PIN in the password field to log in.

26. If the password field is disabled in the dialogue box, enter the smart card PIN in the password field provided by NESCM method as shown below:

Figure 16 - Entering the smart card PIN

27. If PIN authentication is successful, Novell SecureLogin loads successfully.

Conclusion

For more information on NESCM, refer to:
http://www.novell.com/documentation/ncl201/index.html?page=/documentation/ncl201/nclinstall/data/bvqecn3.html

For more information on smart card functionality with NSL, refer to:
http://www.novell.com/documentation/securelogin60/index.html

Reader Comments

  • good reference

Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com

© 2008 Novell, Inc. All Rights Reserved.