1.9 eDirectory and SecretStore

SecretStore is a service that uses the replication and distribution built into eDirectory: a user's secrets (user profile information) are stored in eDirectory, not on the client machine. As a result, a user's secrets are available from any workstation on the network rather than being tied to one machine. And because the user is the only principal authorized to read his or her own secrets, access is tightly controlled.

With SecretStore, passwords and credentials are never stored in the clear; they are encrypted with the Novell International Cryptographic Infrastructure (NICI) before they are written to the directory, and they are never sent in the clear over the wire. When a client application retrieves a secret from SecretStore, the secret is decrypted on the client side, used to complete the application's own authentication, and then promptly destroyed and removed from memory (much as the eDirectory private key is handled during eDirectory authentication).
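The client-side lifetime described above, as an added example in C that is not Novell's code: the secret arrives encrypted, is decrypted into a short-lived buffer, is handed to the application's own authentication step, and is wiped whether or not that step succeeds. NICI is replaced by a hypothetical XOR keystream stub (nici_decrypt_stub), and the key, ciphertext and expected credential are constructed for the example. The point is the wipe through a volatile pointer: a plain memset() on a buffer that is never read again may be dropped by the compiler, and the "destroyed and removed from memory" guarantee then does not hold.

```c
/* Added illustration, not Novell code: the retrieve, decrypt, use, destroy
 * cycle of a SecretStore secret on the client, as the text describes it.
 * NICI is stood in for by a hypothetical XOR keystream (nici_decrypt_stub);
 * the sample key and ciphertext are constructed for this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: a 2-byte stub key and the ciphertext of "s3cr3t-pw". */
const uint8_t SAMPLE_KEY[] = {0x5A, 0xC3};
const uint8_t SAMPLE_CT[]  = {0x29, 0xF0, 0x39, 0xB1, 0x69, 0xB7, 0x77, 0xB3, 0x2D};

/* Wipe that survives dead-store elimination: the writes go through a
 * volatile-qualified pointer, so the compiler must emit them even though
 * the buffer is never read again. A plain memset() here may be removed. */
void secure_wipe(void *p, size_t n) {
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--) *vp++ = 0;
}

/* Returns 1 if every byte of the buffer is zero (used to check the wipe). */
int is_zeroed(const uint8_t *p, size_t n) {
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++) acc |= p[i];
    return acc == 0;
}

/* Stand-in for NICI decryption (an assumption for the example, not the real
 * algorithm): keystream XOR. Real NICI keys never leave the NICI module. */
static void nici_decrypt_stub(const uint8_t *key, size_t keylen,
                              const uint8_t *ct, uint8_t *pt, size_t n) {
    for (size_t i = 0; i < n; i++) pt[i] = ct[i] ^ key[i % keylen];
}

/* The application's own authentication step: a constant-time comparison
 * against the credential it expects (constructed sample). */
static int app_authenticate(const uint8_t *cred, size_t n) {
    static const uint8_t expected[] = "s3cr3t-pw";
    if (n != sizeof(expected) - 1) return 0;
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= cred[i] ^ expected[i];
    return diff == 0;
}

/* One retrieve-use-destroy cycle. The plaintext exists in `buf` only between
 * decryption and the wipe, and the wipe runs whether or not authentication
 * succeeded. `buf` (at least n bytes) is caller-supplied so the wipe can be
 * verified; a production client would keep it on its own stack. Returns 1
 * on successful authentication, 0 otherwise. */
int use_secret(const uint8_t *key, size_t keylen,
               const uint8_t *ct, size_t n, uint8_t *buf) {
    nici_decrypt_stub(key, keylen, ct, buf, n);
    int ok = app_authenticate(buf, n);
    secure_wipe(buf, n);
    return ok;
}

int main(void) {
    uint8_t buf[sizeof SAMPLE_CT];
    int ok = use_secret(SAMPLE_KEY, sizeof SAMPLE_KEY,
                        SAMPLE_CT, sizeof SAMPLE_CT, buf);
    printf("authenticated: %d, buffer wiped: %d\n", ok, is_zeroed(buf, sizeof buf));
    return ok ? 0 : 1;
}
```

Compiled with any C99 compiler and run, the program reports a successful authentication and a wiped buffer. The same cycle with a wrong key fails authentication, and the buffer is still zeroed on return, which is the behaviour the text's "promptly destroyed" claim requires on the failure path as well.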

See Section 1.10, NICI and SecretStore, and Novell International Cryptographic Infrastructure (NICI™).

To give users access to network services, eDirectory uses an authentication service based on the RSA public-key/private-key algorithms. This mechanism uses the user's private key attribute and a digital signature to verify the user's identity. eDirectory authentication is session-oriented: the client's signature is valid only for the duration of the current session.

With SecretStore, however, once users have authenticated to eDirectory they do not need to re-enter credentials each time they request another SecretStore-enabled service or application: the application retrieves the user's stored secret and performs the reauthentication automatically in the background. Each application's own authentication mechanism therefore remains intact, and the user can reach resources across the network without continuously reauthenticating by hand.

In the LDAP mode of SecretStore access, the client establishes an SSL-based connection to the server, and the secret is transmitted over that SSL channel. In this mode SSL is the only protection the data has on the wire, so the client must require SSL and verify the server's certificate; an unverified connection could be intercepted. The data at rest in the SecretStore on the server remains encrypted through NICI, as described above.