This section discusses the following specifications for SecretStore functions:
Novell SecretStore is a collection of hidden attributes on an object (User object by default) in eDirectory. These attributes are implemented through eDirectory schema extensions and encrypted on the server using Novell International Cryptographic Infrastructure (NICI) services.
NOTE:For more implementation information about NICI, see the NICI 2.x Administration Guide.
Hidden attributes, by definition, are not accessible from client operating systems through eDirectory common interfaces and utilities. These attributes can only be accessed by SecretStore interfaces that apply strict access control and security measures to their access, transport, and disclosure.
In addition to these hidden and encrypted attributes, which protect data against attacks directed to the server, SecretStore provides an optional Enhanced Protection (EP) mode to defend against administrative attacks by locking the user's SecretStore. EP also enables secure unlocking, either through user control or through an action involving two separate administrators.
In this two-administrator scheme, the eDirectory password or authentication credential are reset by a network administrator, but SecretStore can only be unlocked by a separate SecretStore Administrator. To provide full control over this high-security feature, audit information is recorded after each administrative unlocking of Novell SecretStore in EP mode.
The overall architecture of the SecretStore API includes:
The SecretStore service uses two basic single sign-on methods:
NOTE:These methods require implementation of the Shared Secret functions described in this document to enable applications to share secrets stored by different services.
Using application connectors (or “regular” connectors) was the original method that enabled individual applications to access SecretStore. Specific application connectors were created for a number of e-mail systems, database systems, enterprise in-house applications, etc.
One popular example of an application connector is the Connector for Lotus Notes, which was part of the now-obsolete Novell Single Sign-on product line. While SecretStore remains as the cornerstone enabling technology, application connectors have been a specialized way of enabling applications to perform single sign-on operations.
Connectors are the method of choice in network environments where home-grown applications are used and the source of the client component of a network application is available for modification. In this category, there are some very successful custom application connector implementations. For example, Novell GroupWise® and the Novell Client for Windows have built-in connectors that provide single sign-on when SecretStore is available.
This set of solutions provides cross-platform support for a wide range of applications.
Universal connectors are currently the most efficient, cost-effective, and preferred method to enable single sign-on to target services. However, their use is limited to applications operating on Windows and using the Windows GUI. Users interact with the GUI to provide secrets and IDs, which are then stored in SecretStore.
These stored credentials are then passed to the application on subsequent invocations. The passed credentials authenticate the user without active interaction. This also allows for populating SecretStore for known applications beforehand. The greatest benefit of universal connectors is that they can often provide single sign-on to an application without requiring modifications to the application code itself.
Novell SecureLogin (NSL) is an advanced example of a universal connector. NSL relies on the architecture and methods of operation in the Windows operating system, browsers, and terminal emulators to recognize the prompts for authentication. The user or the administrator uses the built-in wizards or scripting language capability of the product to enable NSL to recognize the target applications, browsers, and service authentication dialogs.
Proxy portals are another category of universal connectors. Using these, a trusted, secure service can do the following:
SecretStore can be used as a secure vault to store user or application secrets of any kind. SecretStore by default is installed on an eDirectory user object by extending schema extensions. However, by using the management utilities supplied with SecretStore, you can extend schema on other object types, which allows applications to use SecretStore as a vault for storing secrets.
When SecretStore is enabled on a user object, the service guarantees that the read operation is only available when the requestor owns the SecretStore. This means that the DN of the requestor on the connection is the same as the target object containing the SecretStore. Consequently, if the administrator is the requestor, the service allows all of the operations to be performed for management and administration of the target store except reading of the user's secrets.
For non-user object based stores, since the store is used as a vault for applications, requestors with administrative rights also are allowed to read the secrets and perform necessary operations on behalf of the service owning the vault.
SecretStore also provides the Encrypted Attribute Service, which allows requestors to store data in an encrypted secure form in eDirectory. As described in the previous items, access control on the stored data is a function of the type of object used for the target SecretStore.
The interfaces for the administrative utilities and SecretStore connectors are based on SecretStore NCP-92 and/or LDAP extensions on Windows workstations. Client applications running on NetWare and UNIX platforms (HP-UX, Linux, Solaris, and AIX) are only LDAP-based extensions. NCP-92 is SecretStore's encrypted transport for secure transmission of data between a client and a server.
The NCP-92 transport utilizes NICI for encrypting inbound and outbound data to and from SecretStore. For more information, see Section 1.10, NICI and SecretStore .
This strong encryption is based on the common algorithm and strongest session key that is negotiated between NICI running on the client and server. The key and algorithm are negotiated at the end of the user's successful Novell Client authentication to eDirectory. At the end of each session the keys are destroyed. Each session with a different server has its own keys.
An LDAP extensions-based connection can be established through an SSL LDAP bind with the server. The bind can be done by the application prior to calling SecretStore, or by SecretStore if the application provides the appropriate credentials when calling the SecretStore interface. If a connection over LDAP is not SSL-based, SecretStore rejects it. The strength of encryption on the wire is dependent on the SSL-negotiated algorithm for the session.
Figure 1-1 illustrates the client NCP and LDAP protocol stacks on a client workstation.
Figure 1-1 Novell SecretStore C Server Architecture
NOTE:The NCP-92 stack is available only on clients running Windows operating systems, when the Novell Client is installed.
Figure 1-2 illustrates the server NCP and LDAP protocol stacks on a server platform.
Figure 1-2 Novell SecretStore C Server Architecture
NOTE:The NCP-92 stack is available only on NetWare server operating systems.
This section describes the operational functions used by connectors:
SecretStore sample code is available as part of the SecretStore component of the NDK. Here are the samples that demonstrate the use of the operational functions described above:
The API also includes the following utilities to configure and manage a user's SecretStore.
SecretStore uses the following management functions for writing utilities: