4.4 Implementing Credential Provisioning Policies with SecretStore

The implementation of Credential Provisioning policies with SecretStore is very customizable. The steps to implement it are different depending upon the platforms SecretStore is installed on, the applications that are provisioned, and which Identity Manager drivers are involved.

To implement Credential Provisioning policies with SecretStore:

4.4.1 Meeting Requirements for Credential Provisioning Policies with Novell SecretStore

In order to use Credential Provisioning Policies with SecretStore, the following items must be in place:

  • Identity Manager 3.0.1

  • Supported on eDirectory 8.7x and eDirectory 8.8.1; eDirectory 8.8 is not supported

  • Verify that jsso.jar, idmcp.jar, and jnet.jar are in the standard location for Identity Manager Java libraries

  • SecretStore 3.3 or above

After you have verified your environment meets the requirements, proceed to Section 4.4.2, Determining Deployment Configuration Parameters for Novell SecretStore.

4.4.2 Determining Deployment Configuration Parameters for Novell SecretStore

In order to provide the synchronization functionality described in the deployment scenario illustrated in Figure 4-5, the first step is to gather all of the business process information related to the Identity Manager and SecretStore environments.You can print Table 4-3, Credential Provisioning Policies Worksheet for SecretStore, and use it as a worksheet to record the information.

Table 4-3 Credential Provisioning Policies Worksheet for SecretStore

Configuration Information Needed

Information

1) Which applications will be configured for Web Single Sign-On provisioning?

 

2) The DNS name or IP address of the SecretStore repository server.

 

3) The SSL LDAP port for the SecretStore repository server.

 

4) The fully qualified LDAP distinguished name of the administrator for the SecretStore repository server.

 

5) The password of the administrator for the SecretStore repository server.

 

6) The full path and the name of the SSL certificate exported from the SecretStore server. The certificate must be local to the Identity Manager server.

 

7) Determine if SecretStore repositories will be used by multiple drivers or if each driver will use a separate repository.

 

8) Record the type of SecretStore secret that is being used.

There are two supported types of secrets:

  • A: Application Secret (SS_App: prefix)

  • C: Credential Set Secret (SS_CredSet: prefix)

9) The application ID or Credential Set name for each provisioned application.

 

10) Find all required authentication keys for each application, such as Username and Password. They might be different for each application.

 

11) Determine if any of the authentication key values can be set with a static value.

 

12) For non-static values that are or can be different for each user, make a note of the source of the non-static information (event information or Identity Vault attribute values.)

 

13) If you are implementing SecretStore provisioning on a driver that is also synchronizing a password to the target application, determine if the SecretStore provisioning takes place before or after the password is set in the target application server.

 

14) The name of the Driver object where the repository and application objects are to be stored. (Can be different drivers.)

 

15) Determine the DN of the User objects for the target application.

 

Example Provisioning Configuration Data

Using the provisioning scenario, the following example data was determined for provision user’s SecretStore credentials for the Finance department’s GroupWise domain server onto users in the Finance eDirectory authentication tree:

Table 4-4 Example Credential Provisioning Policies Worksheet for SecretStore

Configuration Information Needed

Information

1) Which applications will be configured for Web Single Sign-On provisioning?

GroupWise

2) The DNS name or IP address of the SecretStore repository server.

151.150.191.5

3) The SSL LDAP port for the SecretStore repository server.

636

4) The fully qualified LDAP distinguished name of the administrator for the SecretStore repository server.

cn=admin,ou=finance,o=Tesetco Financials

5) The password of the administrator for the SecretStore repository server.

dixml

6) The full path and the name of the SSL certificate exported from the SecretStore server. The certificate must be local to the Identity Manager server.

c:\novell\nds\FinanceAD.cer

7) Determine if SecretStore repositories will be used by multiple drivers or if each driver will use a separate repository.

For this example, there is only one repository.

8) Record the type of SecretStore secret that is being used.

There are two supported types of secrets:

  • A: Application Secret (SS_App: prefix)

  • C: Credential Set Secret (SS_CredSet: prefix)

9) The application ID or Credential Set name for each provisioned application.

GroupWise_Credentials

10) Find all required authentication keys for each application, such as Username and Password. They might be different for each application.

Username Password

11) Determine if any of the authentication key values can be set with a static value.

No static information for this scenario.

12) For non-static values that are or can be different for each user, make a note of the source of the non-static information (event information or Identity Vault attribute values.)

Username: Identity Vault attribute “CN” Password: Event <password>

13) If you are implementing SecretStore provisioning on a driver that is also synchronizing a password to the target application, determine if the SecretStore provisioning takes place before or after the password is set in the target application server.

After

14) The name of the Driver object where the repository and application objects are to be stored. (Can be different drivers.)

GroupWise-Finance driver

15) Determine the DN of the User objects for the target application.

Identity Vault attribute “DirXML-ADContext”

Miscellaneous Environment Information:

  • The Finance department eDirectory tree would serve as the SecretStore repository for all Finance applications.

  • All finance department provisioning drivers are in a driver set call Finance Drivers.

  • The GroupWise account must be deleted and the SecretStore credentials for the GroupWise user account must be removed from the eDirectory user when the Identity Vault attribute employeeStatus is set to the value “I”.

As can be seen from the data gathered, the SecretStore repository information is global for all drivers that provision Finance department applications. In addition all provisioning information can be statically configured, with the exception of the GroupWise login parameters Username, Password, and Target User DN.

After all of the configuration data has been determined, proceed to Section 4.4.3, Creating a Repository Object for Novell SecretStore.

4.4.3 Creating a Repository Object for Novell SecretStore

Repository objects store static configuration information for SecretStore. Repository information is independent from the applications that consume the application credentials. This information is applicable for all provisioning events regardless of the connected system (for example SAP, PeopleSoft, Notes, etc.) The repository objects can be created in Designer or iManager.

Creating Repository Objects for Novell SecretStore in Designer

The following is one of many methods you can use to create the repository object in Designer.

  1. In the outline view, right-click the driver object where you want to store the repository object.

  2. Click Credential Provisioning > New Repository Object.

  3. Specify a name for the repository object.

  4. Select NSSRepository.xml to use the SecretStore template.

  5. Click OK.

  6. Double-click the repository object in the outline view to add configuration information.

  7. Click Yes, to save the new repository object.

  8. Specify the DNS name or IP address of the SecretStore server. See worksheet item 2).

  9. Specify the SSL port for the SecretStore server. See worksheet item 3).

  10. Specify the full path to the SSL certificate exported from the SecretStore server. The path must include the certificate name and must be local to the Identity Manager server. See worksheet item 6).

    NOTE:Refer to the iManager documentation for the information on how to export the SSL certificate.

  11. Specify the fully qualified LDAP distinguished name of the SecretStore administrator. See worksheet item 4).

  12. Click Set password.

  13. Specify the SecretStore administrator’s password twice, then click OK. See worksheet item 5).

  14. Review the information, then click the Save icon to save the information.

  15. (Optional) If you want to create other configuration parameters for the repository object, click the Add new item icon .

    1. Specify a name for the parameter.

    2. Specify a display name for the parameter.

    3. Specify a description for the parameter for your reference.

      The parameter is stored as a string.

    4. Click OK.

    5. Click the Save icon to save the repository object.

After the repository object is created, proceed to Creating an Application Object for Novell SecureLogin in Designer.

Creating Repository Objects for Novell SecretStore in iManager

  1. In iManager, select Credential Provisioning > Configuration.

  2. Browse to and select the Driver object where the repository object will be stored, then click OK.

  3. Click New to create a repository.

  4. Specify a name for the repository object.

  5. Select NSSRepository.xml to use the SecretStore template to create a repository.

  6. Click OK.

  7. Specify the DNS name or IP address of the SecretStore server. See worksheet item 2).

  8. Specify the SSL port for the SecretStore server. See worksheet item 3).

  9. Specify the full path to the SSL certificate exported from the SecretStore server. The path must include the certificate name and must be local to the Identity Manager server. See worksheet item 6).

    NOTE:Refer to the iManager documentation for the information on how to export the SSL certificate.

  10. Specify the fully qualified LDAP distinguished name of the SecretStore administrator. See worksheet item 4).

  11. Click Set password.

  12. Specify the SecretStore administrator’s password twice, then click OK. See worksheet item 5).

  13. Review the values specified, then click OK.

  14. (Optional) If you want to create other configuration parameters for the repository object, click New.

    The example information, is from the scenario in Figure 4-1.

    1. Specify a name for the parameter.

    2. Specify a display name for the parameter.

    3. Specify a description of the parameter for your reference.

      The parameter is stored as a string.

    4. Click OK.

After the repository object is created, proceed to Creating an Application Object for Novell SecureLogin in iManager.

4.4.4 Creating an Application Object for Novell SecretStore

Applications store static configuration parameter values for SecretStore. Application information is specific to the applications that are consuming the application credential (for example, GroupWise client information or SAP database client information). The application objects can be created in Designer or iManager.

Creating an Application Object for Novell SecretStore in Designer

The following is one of many methods you can use to create the application in Designer.

  1. In the outline view, right-click the driver object where you want to store the application object.

  2. Click Credential Provisioning > New Application Object.

  3. Specify a name for the application object.

  4. Select NSSApplication.xml to use the SecretStore template.

  5. Click OK.

  6. Double-click the application object in the outline view to add configuration information.

  7. Click Yes to save the new application object.

  8. Specify the SecretStore Application ID. See worksheet item 9).

  9. Select the SecretStore Secret Type. See worksheet item 8).

  10. Select the SecretStore Shared Secret Type. See worksheet item 8).

  11. Select whether the SecretStore Use Enhanced Protection Flag is Disabled or Enabled.

  12. Click Set Password to set the Enhanced Protection Password if it is enabled.

  13. Specify the password twice, then click OK.

  14. Click the Save icon to save the application.

  15. Click the Add new item icon to add the authentication keys required for the application.

    1. Specify a name for the authentication key.

    2. Specify a display name for the authentication key.

    3. Specify a description of the authentication key for your reference.

      The authentication key is stored as a string.

    4. Click OK.

    5. Repeat Step 15 for each new authentication key that needs to be entered.

  16. Specify the authentication key value, if it is a static value that is shared by all user credentials.

  17. Click the Save icon to save the application.

After the application object is created, proceed to Section 4.4.5, Configuring Credential Provisioning Policies for Novell SecretStore.

Creating an Application Object for Novell SecretStore in iManager

  1. In iManager, select Credential Provisioning > Configuration.

  2. Browse to and select the Driver object where the application object will be stored, then click OK.

  3. Select the Applications tab, then click New.

  4. Specify a name for the application object

  5. Select NSSApplication.xml to use the SecretStore template to create an application.

  6. Click OK.

  7. Specify the SecretStore Application ID. See worksheet item 9).

  8. Select the SecretStore Secret Type. See worksheet item 7). The SecretStore type is Shared or Not Shared.

  9. Select the SecretStore Shared Secret Type. See worksheet item 8). The Shared SecretStore type is Credential Set or Application.

  10. Select whether the SecretStore Use Enhanced Protection Flag is Disabled or Enabled.

  11. Click Set password to set the Enhanced Protection Password if it is enabled.

  12. Specify the password twice, then click OK.

  13. Click New to create an authentication key that the application requires. See worksheet item 10).

    1. Specify a name for the authentication key.

    2. Specify a display name for the authentication key.

    3. Specify a description of the authentication key for your reference.

      The authentication key is stored as a string.

    4. Click OK.

    5. Repeat Step 13 for each authentication key the application requires.

  14. Specify the value of the authentication key, if it is static, then click OK.

After the application object is created, proceed to Section 4.4.5, Configuring Credential Provisioning Policies for Novell SecretStore.

4.4.5 Configuring Credential Provisioning Policies for Novell SecretStore

After the repository and application objects are created, policies need to be created to provision SecretStore information. The policies use the information stored in the repository and application objects. There are two actions in the Policy Builder that allow the provisioning of SecretStore credentials:

Clear SSO Credential

The clear SSO credential action allows you to clear the SSO credential, so objects can be deprovisioned.

Figure 4-6 Clear SSO Credential

  • Enter Credential Store Object DN: Browse to and select the repository object.

  • Enter Target User DN: Create the DN of the target users by using the Argument Builder. See worksheet item 15).

  • Enter Application Credential ID: Specify the application ID. See worksheet item 9).

  • Enter Login Parameter Strings: Launch the String Builder and enter each authentication key for the application. See worksheet item 10).

Set SSO Credential

The set SSO credential action allows you to set the SSO credential when a user object is created or when a password is modified.

Figure 4-7 Set SSO Credential

  • Enter Credential Store Object DN: Browse to and select the repository object.

  • Enter Target User DN: Create the DN of the target users by using the Argument Builder. See worksheet item 15).

  • Enter Application Credential ID: Specify the application ID. See worksheet item 9).

  • Enter Login Parameter Strings: Launch the String Builder and enter each authentication key for the application. See worksheet item 10).

Example Credential Provisioning Policies

The credential provisioning policies can be implemented and customized to meet the needs of your environment. The following example explains how to implement the polices for the scenario presented in Figure 4-5.

In the Finance scenario, SecretStore provisioning occurs after a password is successfully set in GroupWise. Most of the necessary parameters are statically configured and available to all policies through the repository and application objects. However, there are non-static data parameters (CN, password, and DirXML-ADContext) that are available only after the GroupWise user <add> or <modify-password> commands complete and the <output> document is returned from the GroupWise driver shim. The <output> document no longer contains any of the Subscriber operation attributes and the User context of the command is lost, thus preventing queries on the object. It is therefore necessary to do the following:

  • Make sure the GroupWise driver’s Subscriber Create policy enforces the presence of the non-static data parameters.

  • Cache the non-static parameters required for the provisioning operation prior to issuing the Subscriber command to the GroupWise driver shim.

  • Retrieve cached data for use in SecretStore provisioning after the command completes successfully.

NOTE:Sample policies are available in XML format on the Identity Manager 3.0 Support Pack 1 media. The filenames are SampleInputTransform.xml, SampleSubCommandTransform.xml, and SampleSubEventTransform.xml. The files are found in the following directories:

  • linux\setup\utilities\cred_prov

  • nt\dirxml\utilities\cred_prov

  • nw\dirxml\utilities\cred_prov

The files are installed to the Identity Manager server, if Credential Provisioning Sample Policies is selected during the installation of the utilities. The sample policies are installed to the following locations, depending upon the platform:

  • Windows: C:\Novell\NDS\DirXMLUtilities (default; the user can change it during install)

  • NetWare: SYS:\System\DirXmlUtilities

  • Linux (eDir 8.7): /usr/lib/dirxml/rules/credprov

  • Linux (eDir 8.8.1): /opt/novell/eDirectory/lib/dirxml/rules/credprov (default; the user can change it during the install)

The sample policies provide a starting point to develop a policy that works for your environment.

Operation Data Caching

The mechanism that is available for required operation data caching required is the <operation-data> element. Because you might need to provision the SecretStore account from either an <add> or <modify-password> command, a logical place to implement the non-static data caching policy is in the Subscriber Command Transformation policy. The following example shows a typical SecretStore Provisioning element:

<operation-data> <nss-sync-data> <nss-target-user-dn> cn=GLCANYON,ou=finance,o=Testco Financials </nss-target-user-dn> <nss-app-username>GCANYON</nsl-app-username> <password><!-- content suppressed --></password> <nss-passphrase-answer>50024222</nsl-passphrase-answer> </nss-sync-data> </operation-data>

In the sample Finance department scenario from Figure 4-5, the following values are needed to populate the operation data payload:

  • The <nss-target-user-dn> element is populated with the value of the DirXML-ADContext attribute from the Identity Vault, which was set by the eDirectory driver. To ensure that the GroupWise driver is notified when the value is set by the eDirectory driver, make sure you add DirXML-ADContext to the Subscriber filter as a notify attribute.

  • The <nss-app-username> element is populated by the value of the CN attribute in the Identity Vault.

  • The password element is populated with the value of the <password> element in the <add> or <modify-password> command.

SecretStore Provisioning

In the sample scenario, the first available location from which the operation data can be retrieved and utilized for SecretStore credential provisioning is in the driver's Input Transformation policy. In the sample scenario, two policies are implemented:

  • Set SecretStore Credentials after successful password synchronization

  • Remove SecretStore Credentials if Application User Deleted (Identity Vault object not deleted)

    NOTE:There is a sample policy in the SampleInputTransform.xml file that sets the SecretStore credentials after a successful password synchronization occurs. The file is located in the cred_prov folder in the utilities directory on the Identity Manager 3.0 Support Pack 1 media.

The Set SecretStore Credentials policy needs to make sure the provisioning happens only if the returned command status is Success and the previously set <operation-data> is present.

SecretStore Deprovisioning

There are many scenarios that can utilize a policy in which a user account for a connected application is deleted and the Identity Vault account remains. In the Finance scenario, there is a requirement to delete the GroupWise account and deprovision the SecretStore credentials when the user's Identity Vault employeeStatus attribute value is set to “I”. To handle this situation, the GroupWise driver's Subscriber Event Transformation contains a policy to transform the modify attribute value into an object delete. Because the eDirectory account name is still needed after the delete command is completed, the <operation-data> event needs to be set on the <delete> command so it is available to the SecretStore deprovisioning policy in the Input Transformation policy.

<operation-data> <nss-sync-data> <nss-target-user-dn> cn=GLCANYON,ou=finance,o=Testco Financials </nss-targer-user-dn> </nss-sync-data> </operation-data>

The policy for transforming the <modify> event into a <delete> and creating this element is available in XML format in a file called SampleSubEventTransform.xml files in the cred_prov folder in the utilities directory on the Identity Manager 3.0 Support Pack 1 media.