5.4 Creating and Managing Shared Secrets

A shared secret is an object that holds name and value pairs for Form Fill and Identity Injection policies.

Access Manager supports the creation and use of secrets from the following locations:

For more information on configuring Access Manager to store secrets, see Configuring a User Store for Secrets in the NetIQ Access Manager 3.1 SP5 Identity Server Guide.

This section describes the following topics:

  • Section 5.4.1, Naming Conventions for Shared Secrets

  • Section 5.4.2, Creating a Shared Secret Independent of a Policy

  • Section 5.4.3, Modifying and Deleting a Shared Secret

5.4.1 Naming Conventions for Shared Secrets

The policy engine allows you to create shared secrets and name the attributes for the store as you are creating an Identity Injection or Form Fill policy. When you create the shared secret, we recommend that you name the shared secret after the application for which you are creating the policy. Each value requires a name, and we recommend that you use the same name for the value name as the Input Field Name on a Form Fill policy or for the header name on an Identity Injection policy. For example, if your e-mail application requires the e-mail address for the name on the login form, you could set up the following Shared Secret values:

Input Field Name   Input Field Value   Shared Secret Name   Entry Name
emailaddress       Shared Secret       emailapp             emailaddress

Your applications, how you use them, and your personal preferences determine whether you create one shared secret and use it for all your applications or whether you create a shared secret for each application.

  • If the applications use some of the same secrets, you can use the same shared secret for these applications. In this case, give the shared secret a name that reflects all of the applications using it.

  • If an application does not use the same secrets as another application and you want the freedom to remove the application and its secrets without affecting other applications, you should create a separate shared secret for this application.

  • If you are using Novell SecretStore, the secret names specified in your Access Manager policies need to match the names you have already configured.

A local shared secret store does not contain any name/value pairs until you configure a Form Fill policy to add name/value pairs or enable the Allow End Users to See Credential Profile option. This option allows the username and password to be stored in the local secret store. To set this option, click Devices > Identity Servers > Edit > Liberty > Web Service Providers > Credential Profile.

5.4.2 Creating a Shared Secret Independent of a Policy

You can create a shared secret as part of the process of creating a Form Fill or Identity Injection policy. You can also create a shared secret independent of a policy:

  1. In the Administration Console, click Devices > Identity Servers, then click Shared Settings > Custom Attributes.

  2. To create a new shared secret, click New in the Shared Secret Names section, and fill in the following fields:

    Secret Name: Specify a display name for the shared secret.

    Secret Entry Name: Specify an attribute name for a value you want to store.

  3. Click OK.

    The Identity Server creates and encrypts the object.

  4. To create additional attributes to store values, click the secret name, click New, specify a name, then click OK.

  5. Click OK.

5.4.3 Modifying and Deleting a Shared Secret

Before deleting a shared secret, you need to delete the policies that are using the shared secret or modify the policies to use a different shared secret. For information about deleting policies, see Section 1.3.3, Deleting Policies.

Both Form Fill and Identity Injection policies can use shared secrets. The following instructions explain how to modify an Identity Injection policy to use a new shared secret and then how to delete the old shared secret.

  1. In the Administration Console, click Policies > Policies > [Name of Policy] > [Rule].

  2. Select the Value field that uses the shared secret you want to delete. Click its name, then click New Shared Secret.

  3. Specify the name for a new shared secret, then click OK.

  4. Click the name of the shared secret, select the new shared secret store, then click New Shared Secret Entry.

  5. Specify the attribute name for this shared secret entry, then click OK.

  6. Modify any other Value fields to use the new shared secret. Create new attributes as needed.

  7. To save the modifications to the policy, click OK twice, then Apply Changes.

  8. To delete the old shared secret, click Identity Servers > Shared Settings > Custom Attributes.

  9. Select the name of the old shared secret and the attributes, then click Delete.