Pros and Cons of SecretStore
Novell Cool Solutions: Feature
Posted: 29 Oct 2004
Have you wondered whether using SecretStore is the right choice? Here's a look at the pros and cons of adopting SecretStore technology in SecureLogin. See also TID 10082647.
The two most common ways to install the SecureLogin client are in eDirectory mode or SecretStore mode. SecureLogin works fine either way, and user authentication secrets are stored securely in the directory in both cases.
Costs of Using SecretStore
- SecretStore adds a server-side component to SecureLogin that is not needed in an eDirectory implementation. This adds some complexity and overhead to the product.
- Running in SecretStore mode requires NICI to be installed on the client workstation.
- Depending on the network environment, a SecretStore implementation of SecureLogin may run marginally slower than an eDirectory implementation. This was especially true with SecretStore versions prior to the one that ships with NSL 3.51. In the current version of SecretStore, however, performance has been significantly improved, to the point of being close to that of a regular eDirectory implementation.
Benefits of Using SecretStore
- SecretStore is encrypted using NICI, which performs encryption on both the server and the workstation. An eDirectory implementation of SecureLogin uses workstation-side encryption only. Both are secure, but the server-side (NICI / SecretStore) encryption is stronger. In addition, NICI is export-certified for almost all countries and therefore better suits the needs of multi-national companies.
- SecretStore and eDirectory implementations of NSL both store user secrets (names and passwords) as attributes on the user object in the Directory. The SecretStore attribute is hidden and can only be seen using the SecretStore utilities. The eDirectory attribute is not hidden, though it is still strongly encrypted. (This is arguably the least of the benefits of using SecretStore.)
- SecretStore can provide a single repository for secrets used by multiple applications: iChain, Portal, and SecureLogin can all share the same secret store. If you are using iChain and/or Portal along with SecureLogin, SecretStore is definitely the way to go.
- Arguably the biggest advantage of SecretStore is the ability to unlock the accounts of users who have forgotten their passphrase. In both SecretStore and eDirectory implementations, when an administrator changes a user's NDS password, the user's secrets are locked in order to prevent a rogue admin from using the password reset to access the user's other secrets. In eDirectory mode, the user must answer his/her passphrase question to unlock the secrets. If the user cannot remember the passphrase answer, the secrets cannot be unlocked and must be deleted and repopulated.
Unlocking the Secrets
With SecretStore, the SecretStore administrator (who can be a different user from the regular network administrator) can unlock secrets when the user has forgotten the SecureLogin passphrase answer. SecretStore Administrator accounts can be configured with the right to unlock (but not read from) a user's SecretStore.
Ideally, this unlock occurs in two steps:
- The helpdesk password administrator resets the user's eDirectory password.
- If the user doesn't remember (or doesn't want to bother with) the Passphrase Answer, the unlock request is passed to the SecretStore administrator, who issues the SecretStore Unlock command.
This is called the Two-Administrator Unlock feature. Once the SecretStore is unlocked, SecureLogin can retrieve the information it needs to complete the unlock without prompting for a passphrase answer. This feature eliminates the need to delete and recreate user secrets when a passphrase has been forgotten.
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com