Information for installing and configuring the login method is provided here. For additional information, including how to create and authorize login sequences, see the NMAS Administration Guide at the Novell Documentation Web site.
You must meet the following prerequisites before installing:
You must complete the following steps to make the Universal SmartCard login method available for use:
Installing the login method on the Server.
Creating the user certificate.
Authorizing login sequences for users.
(This step is not necessary if installing only the ID snap-in.)
Set up any required workstation hardware.
Install the SmartCard Client Module on each workstation.
Run ConsoleOne® from a Windows* client workstation by using the ConsoleOne executable file located on the server at server:sys\public\mgmt\consoleone\1.2\consoleone.exe.
To install the login method on the server, you must perform the following proceedures:
In ConsoleOne, expand the Security container.
Right-click the Authorized Login Methods container.
Click New > Object.
Select SAS:NMAS Login Method.
Specify the login method configuration file, then click Next.
The configuration file is located in the Universal SmartCard login method folder on the NMAS CD and is usually named config.txt.
(Conditional) If necessary, close and restart ConsoleOne to run the newly installed ConsoleOne login method snap-ins.
Right-click the Security container.
Click New > Object.
Select the NDSPKI:Trusted Root Class, then click OK.
Name the new Trusted Root Container.
Obtain a self-signed certificate from the Certificate Authority.
There are two sources for certificates: those created by Novell on the server and those delivered by a third-party certificate server. If you have a third-party certificate, skip to Install the Trusted Root Certificate into the Trusted Root Container; otherwise continue. (Third-part certificates must be in either DER or Base 64 format.)
Select the Security container.
Right-click the CA object, then select Properties.
Click the Certificates tab, then select the Self-signed Certificate.
Click Export to start the certificate export wizard.
Verify that the No button is selected (default), then click Next > Next.
Accept the defaults, then click Finish.
Right-click the Trusted Root container object, click New > Object, then select the NDSPKI:Trusted Root Object Class object.
Name the new Trusted Root Object, then click OK.
Click the Read from File button.
Scroll to select the Novell CA certificate or third-party certificate, then click Open > Finish.
Select the Authorized Login Methods container, then select the Universal SmartCard Method object.
Right-click the SmartCard authentication object, then click Properties.
Select the Certificate tab, then click ADD.
Navigate to the Security container, then select the NDSPKI:Trusted Root container you created earlier.
Click OK > OK to finish configuring the server certificate.
You need a user certificate for each user loaded in the user's SmartCard, and the user's certificate subject name in eDirectory. The certificate on the SmartCard must also contain the user's private key. This can be done with either Novell created user certificates or third-party user certificates.
To create the user certificate with private key for use with the SmartCard method you will:
You can use a third-party user certificate if it is provided.
If you want to use a third-party certificate, skip to Use a Third-party Certificate for a User . Otherwise, you must create a user certificate for each user as follows:
In ConsoleOne, double-click a User object.
Click Security > Certificate > Create.
Select the Custom radio button.
Create a Nickname for the certificate.
Click Next >Next.
Specify the key size.
Most cards support up to 1024 bits (default is 2048). Check with your SmartCard vendor.
Accept the vendor values in the other fields, then click Next > Next.
Normally you would accept the defaul values displayed.
Click Yes to clear the e-mail address warning message.
Click Finish to create the certificate.
After the certificate is created, it appears in the Properties window listing.
In the User Properties window, click Details.
Click the X.509 tab, copy the certificate subject name to the Windows clipboard, then Close the dialog box.
Click Security Tab > Certificate Subject Names > Add.
Paste in the certificate subject name from the clipboard.
Click Apply > Close.
Shut down ConsoleOne, log in to NDS as the user you have just created a certificate for, then reopen ConsoleOne.
In ConsoleOne, right-click the User, then click Properties.
Click Security > Certificates.
Select the certificate, then click Export.
Verify that Yes button to Export with Private Key is selected, then click Next.
Type the password to encrypt the private key that will be placed on the SmartCard.
Accept or select a filename and destination for the file containing the user certificate and private key, then click Next > Finish to export it.
Close the Properties window and exit ConsoleOne.
Create the user certificate using the vendor software.
Determine the subject name of the user certificate using the vendor software.
Log in to ConsoleOne as Admin.
Right-click the User object, then click Properties.
Click Security > Certificate Subject Names > Add.
Type the certificate subject name from step 2.
Click Apply > Close.
User objects can be configured to use one or more of the available login sequences defined in eDirectory. Users with no login restrictions are already authorized for the Universal SmartCard login sequence. If you have configured login sequence restrictions for your users, you will need to authorize the Universal SmartCard sequence for those users. To do so, complete the following authorization steps:
Log in to ConsoleOne as admin.
Right-click the User object, then click Properties.
On the Security tab, select Login Sequences.
Move the Universal SmarCard authorization sequence from the Available Sequences list to the Authorized Sequences list.
Click Apply > Close.
(Optional) Repeat the above steps for additional users.
Exit ConsoleOne.
The reader and its software are provided by the reader manufacturer, and must be installed on the client workstation according to manufacturer instructions before installing the login method.
The NMAS Client on the workstation must be updated to version 2.02 or later unless the ID snap-in will be used; in that case NMAS should be updated to version 2.1 or later. The SmartCard client module must be installed on each workstation that will use the SmartCard login method.
To install the client module:
To update the NMAS client on the workstation, run nmasinstall.exe (located at the root directory of the NMAS CD) on each workstation that will use the Universal SmartCard login method.
Select the NMAS Client, then click OK. (Requires NICI 2.4.1 Client)
Accept the agreement.
From the Select NMAS Clent Login panel, select Universal SmartCard and then click Next.
From the Select NMAS Post-Login Methods panel, do not select any method, click Next.
The wizard completes the NMAS upgrade and method selection. The SmartCard client module can be configured during setup to initiate a user login automatically with the insertion of the SmartCard in the reader, or to follow a manual login with the user presenting the SmartCard when prompted in the sequence.
At the PKCS#11 Library Selection panel, select the SmartCard vendor you are using from the list, or select User Specified. Then click Next.
(If you select User Specified you will need to provide the name of the vendor provided PKCS#11 library .DLL file.)
(Optionl) On the Select Options panel, you can choose to use the card reader to obtain the username of the SmartCard holder. NMAS restrictions allow only one method to automatically obtain the username at the workstation being configured.
If you select the option, the ID-snap-in will be configured to allow the SmartCard to provide both Identity and Authentication to the network for the user. To select, check the option and click Next. Otherwise, proceed to step 8.
Fill in the information if you want to specify which tree, server, and sequence are used for authentication. Otherwise, click Next
If the sequence field is left blank on the previous screen, the Sequence Options panel appears. In this case, select Use the Users Default Sequence if you have previously defined a sequence for your users. Otherwise, select the sequence last used on that workstation option, then click Next.
On the LDAP Servers panel, specify the name or IP Address of the LDAP server and any alternates, then click Next, > Next.
Complete the wizard to finish the installation.
(Conditional) If you have Secure Workstation installed, you will be required to restart the Secure Workstation service.
To initialize a SmartCard for use with this method, the SmartCard must have at least one private key and a user certificate corresponding to that private key. The private key must be enabled for signature generation. This is done preferably by using the vendor-supplied utility, or it can be done with the Novell supplied initsc.exe utility to upload the contents of a PKCS#12 (PFX) file into the Smart Card.
For example, if the name of the PFX file is MyKeys.pfx, its password is "Novell", and the SmartCard's PIN is 1234, then execute: initsc -p 1234 -s Novell -f MyKeys.pfx -m pk2priv.dllNote that "-m pk2priv.dll" is the name of the PKCS#11 provider library for GemSAFE. Other providers might have different names. In this example, it is a GemSAFE SmartCard and PKCS#11 provider. This utility does not accept Unicode* passwords and PINs, and it is tested with the GemSAFE SmartCard and library. The use of this library with other vendors might or might not work. Use it at your own risk.