30.1 Overview of OES Security Services

This section provides specific overview information for the following key OES components:

For more security topics, see the OES online documentation.

30.1.1 Encryption (NICI)

The Novell® International Cryptography Infrastructure (NICI) is Novell's solution for a cross-platform, policy-driven, independently certified, and extensible cryptography service. NICI is the cryptography module that provides keys, algorithms, various key storage and usage mechanisms, and a large-scale key management system.

NICI controls the introduction of algorithms and the generation and use of keys. It allows production of a single commodity version of security products that support strong cryptography and multiple cryptographic technologies for worldwide consumption. Initial services built on this infrastructure are Directory Services (Novell eDirectory™), Novell Modular Authentication Services (NMAS™), Novell Certificate Server™, Novell SecretStore®, and TLS/SSL.

Key Features

NICI includes the following key features:

  • Supports industry standards: Is implemented following recognized industry standards.

  • Certified: Is FIPS-140-1 certified on selected platforms.

  • Cross-platform support: Is available on both OES platforms.

  • Complies with governmental export and import regulations: Has cryptographic interfaces that are exportable from the U.S. and importable into other countries with government-imposed constraints on the export, import, and use of products that contain embedded cryptographic mechanisms.

  • Secure and tamper-resistant architecture: The architecture uses digital signatures to implement a self-verification process so that consuming services are assured that NICI has not been modified or tampered with when it is initialized.

More Information

For more information on how to use NICI, see the NICI 2.6x Administration Guide.

30.1.2 Novell Certificate Server

Novell Certificate Server provides public key cryptography services that are natively integrated into Novell eDirectory.

These services let you mint, issue, and manage both user and server certificates to protect confidential data transmissions over public communications channels such as the Internet.

Novell Certificate Server lets you

  • Provide public key cryptography services for your network.

    You can choose to

    • Create an Organizational Certificate Authority (CA) in eDirectory and issue as many user and server certificates as needed.

    • Use the services of an external certificate authority.

    • Use a combination of both as your needs dictate.

  • Avoid the costs associated with obtaining and managing public key certificates by creating an Organizational CA to issue public key certificates.

  • Make public key certificates openly available while protecting them against tampering and leveraging eDirectory replication and access control features.

  • Expose private keys to only the software routines that use them for signing and decrypting operations.

  • Securely back up NICI-encrypted private keys using standard eDirectory backup utilities.

  • Centrally administer certificates using ConsoleOne®. The Novell iManager plug-in also lets you do some administration tasks.

  • Let users export their own certificates using ConsoleOne for use in cryptography-enabled applications.

  • Create and manage user certificates for

    • GroupWise® 5.5 and later.

    • Microsoft Outlook 98 and Outlook 2000.

    • Netscape* Messenger* and other popular e-mail clients.

    • Netscape Navigator*.

    • Microsoft Internet Explorer.

For more information on how to use Novell Certificate Server, see the Novell Certificate Server 2.7 Administration Guide.

30.1.3 User Restriction Limitations

Seasoned NetWare® administrators are accustomed to being able to set the following access restrictions on users:

  • Account balance restrictions

  • Address restrictions

  • Intruder lockout

  • Login restrictions

  • Password restrictions

  • Time restrictions

Many of the management interfaces that set these restrictions (iManager, for example) might seem to imply that these restrictions apply to users who are accessing an OES server through any protocol.

This is generally true, with two important exceptions:

  • Maximum number of concurrent connections in login restrictions

  • Address restrictions

These two specific restrictions are enforced only for users that are accessing the server using NCP™. Connections through other access protocols (for example, HTTP or CIFS) have no concurrent connection or address restrictions imposed.
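The following script is an added illustration, not an OES or Novell tool: it replays a constructed session log against a hypothetical per-user restriction set (a concurrent-connection limit and an allowed-network list, modelled on the address and login restrictions named above) and reports where the restriction would have refused an NCP connection but leaves a CIFS, HTTP or ssh connection untouched. The log format, user names, addresses and the POLICY structure are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log (not real OES output): one session event per line.
SAMPLE_LOG = """\
user=alice proto=NCP  src=10.1.1.10   event=login
user=alice proto=NCP  src=10.1.1.11   event=login
user=alice proto=NCP  src=10.1.1.12   event=login
user=alice proto=CIFS src=10.1.1.13   event=login
user=bob   proto=NCP  src=192.0.2.44  event=login
user=bob   proto=HTTP src=192.0.2.44  event=login
user=bob   proto=ssh  src=192.0.2.44  event=login
"""

# Hypothetical restriction set, modelled on the eDirectory settings named on the page.
# max_connections: "maximum number of concurrent connections" login restriction
# allowed_networks: address restriction (only these source networks may connect)
POLICY = {
    "alice": {"max_connections": 2, "allowed_networks": ["10.1.1.0/24"]},
    "bob":   {"max_connections": None, "allowed_networks": ["10.0.0.0/8"]},
}

# Per the page, these two restrictions are enforced only for NCP connections.
NCP_ONLY_RESTRICTIONS = {"address", "max_connections"}


def parse_log(text):
    """Turn 'key=value ...' lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        events.append(dict(tok.split("=", 1) for tok in line.split()))
    return events


def violations(event, policy, active_count):
    """Return the names of the restrictions this login would break."""
    found = []
    networks = policy.get("allowed_networks") or []
    if networks:
        ip = ipaddress.ip_address(event["src"])
        if not any(ip in ipaddress.ip_network(n) for n in networks):
            found.append("address")
    limit = policy.get("max_connections")
    if limit is not None and active_count >= limit:
        found.append("max_connections")
    return found


def audit(log_text, policies):
    """Replay the log and return (user, proto, src, restriction, outcome) tuples.

    NCP logins that break a restriction are refused and do not open a session.
    Logins over any other protocol are admitted regardless, and each broken
    restriction is reported as 'not enforced' so an administrator can see the gap.
    """
    active = defaultdict(int)   # live sessions per user, all protocols counted
    findings = []
    for ev in parse_log(log_text):
        user = ev["user"]
        if ev["event"] == "logout":
            active[user] = max(0, active[user] - 1)
            continue
        if ev["event"] != "login":
            continue
        broken = violations(ev, policies.get(user, {}), active[user])
        if ev["proto"] == "NCP":
            if broken:
                for r in broken:
                    findings.append((user, "NCP", ev["src"], r, "blocked"))
                continue  # NCP enforces the restriction: connection refused
        else:
            for r in broken:
                if r in NCP_ONLY_RESTRICTIONS:
                    findings.append((user, ev["proto"], ev["src"], r, "not enforced"))
        active[user] += 1
    return findings


if __name__ == "__main__":
    for user, proto, src, restriction, outcome in audit(SAMPLE_LOG, POLICY):
        print(f"{user:6} {proto:5} {src:12} {restriction:16} {outcome}")
```

Run as-is, the script shows alice's third NCP login refused by the connection limit while her CIFS login from the same subnet is admitted, and bob's address restriction stopping his NCP login but not his HTTP or ssh logins from the same disallowed address. The same replay can be pointed at real access records once their format is known, which is the check to make before relying on these two restrictions for anything reached over a non-NCP protocol.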

For this reason, consider not enabling services such as ssh and ftp for PAM access when setting up Linux User Management, because users who connect through those services are not subject to the concurrent connection and address restrictions.

For more information on Linux User Management, see Linux Access for eDirectory Users (LUM). For more information on the services that can be PAM-enabled, see Table 18-1.