Configuring the Novell Enhanced Smart Card Method (NESCM)

After the NESCM server and client components have been installed, there are three more procedures you need to complete before the login method is ready for use:

There are also other settings you can configure for use with NESCM. See Other Settings.


Configuring a Trusted Root Container

  1. Create a trusted root container in eDirectory.

    1. In iManager, click the Novell Certificate Server task.

    2. Click Create Trusted Root Container.

    3. Follow the wizard to completion.

  2. Import the trusted root certificate of your Certificate Authority (CA) into the trusted root container.

    1. In iManager, click the Novell Certificate Server task and then click Create Trusted Root.

    2. Type the name, select the trusted root container you created in Step 1, then select the certificate you want to import into the Trusted Root object.

      This should be the trusted root certificate of the Certificate Authority (CA) you are using for the certificates on your smart cards.

  3. Configure the NESCM method to use the trusted root container.

    1. In iManager, click Smart Card Login > Global Settings.

    2. Under Certificate Search Containers, add the trusted root container.

    3. Click OK.


Enrolling a Smart Card for a User

  1. In iManager, click Smart Card Login > User Settings.

  2. Select a user, then click OK.

  3. Under Certificate Settings, specify an allowable Subject name for this user.

    You have several ways of doing this:

    • Read the subject from the card in the card reader.

      NOTE:  If you are using an unsupported card, you might not be able to read the subject name from the card for this release. Use one of the other methods to specify an allowable subject name.

    • Read the subject from a file.
    • Enter a subject by hand.

    You can also edit and delete the subject.

  4. Click OK or Apply.
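
A command-line pre-check for the two procedures above (an added example, not part of the Novell documentation or product): it confirms that a certificate exported from a smart card chains to the CA root you intend to import into the trusted root container, and prints the certificate's subject for the "from a file" or "by hand" options. It assumes the OpenSSL command-line tool (1.1.0 or later) and PEM files. The demo PKI, file names and subject are constructed, and the subject format NESCM expects is not stated on this page, so compare the output with what iManager displays.

```sh
#!/bin/sh
# Added example (not Novell code). All names and subjects below are constructed.

# Print a certificate's subject as an RFC 2253 string.
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Succeed only if certificate $2 chains to root $1.
# -no-CApath keeps the system trust directory out of the decision.
chains_to_root() {
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Report whether a card certificate is ready to enroll against a given root.
preflight() {
    if chains_to_root "$1" "$2"; then
        echo "OK   subject: $(cert_subject "$2")"
    else
        echo "FAIL $2 does not chain to $1"
        return 1
    fi
}

# Build a throwaway PKI in directory $1: two unrelated roots and one user
# certificate issued by the first root (stand-in for an exported card cert).
make_demo_pki() {
    for ca in root other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/O=Example/CN=Demo $ca CA" \
            -keyout "$1/$ca.key" -out "$1/$ca.pem" 2>/dev/null
    done
    openssl req -newkey rsa:2048 -nodes -subj "/O=Example/CN=jsmith" \
        -keyout "$1/user.key" -out "$1/user.csr" 2>/dev/null
    openssl x509 -req -in "$1/user.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -CAcreateserial -days 1 -out "$1/user.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
preflight "$demo_dir/root.pem" "$demo_dir/user.pem"           # issued by this root
preflight "$demo_dir/other.pem" "$demo_dir/user.pem" || true  # unrelated root
```

With real files, call preflight with the CA root certificate and the exported card certificate in place of the demo paths.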


Other Settings

The NESCM allows you to configure global, container, or user settings. Global settings apply to the entire tree. Container and user settings can either inherit the global settings or be set specifically for that container or user.

Container settings can be configured for a specific container and apply to all objects in that container. Container-specific settings override global settings.

User settings can be configured for a specific user. User-specific settings override global and container settings.

You can configure the following global, container, and user settings.


Global Settings


Container Settings

Select a container and then configure the following settings:


User Settings

Select a user and then configure the following settings:


Restricting Users to the Novell Enhanced Smart Card Method

You can restrict users so they can use only the NESCM method.

  1. Launch iManager.

  2. Authenticate to the eDirectory tree as administrator or a user with administrative rights.

  3. From the Roles and Tasks menu, select NMAS > NMAS Users, select the user you want to authorize the login sequences for, and then click the NMAS Login Sequences tab.

  4. Select the Restrict the User to the Authorized Login Sequences Below option.

    If you deselect the option, the user can use any defined login sequence to log in.

    If you select the option, use the arrows to authorize or select the sequences you want this user to use to log in. In this case, move all other login methods to the Available Methods list and leave only the NESCM method in the list.

  5. Click Apply or OK.