Using Enhanced Protection

Novell SecretStore enables you to provide additional protection by


Locking SecretStore

With the Enhanced Protection option enabled for any secret in Novell SecretStore, if you change the user's NDS password, SecretStore enters a locked state. When SecretStore is locked, no secrets stored with the Enhanced Protection option can be read until SecretStore is unlocked.

SecretStore can only be unlocked if the user provides the last NDS password that was set. Since an administrator should not know the user's previous NDS password, Enhanced Protection-protected secrets are kept safe.

NDS and SecretStore can distinguish between user-initiated password changes and those done by an administrator. SecretStore only locks when an administrator changes a user's password. An encrypted hash of the user's previous password is updated in SecretStore only if the user initiates the change.

If the user has changed the NDS password at least once since the account was created and before Enhanced Protection-protected secrets are stored, this protection is completely secure, because the administrator then does not know the previous password. As a standard practice when you set up new User objects in NDS, require the user to change the password at first login.

Users that have Administrator-equivalent rights (that is, they have Supervisor rights but are not the actual network administrator) need to be careful when setting their own passwords. If a user sets a password while logged in as an Administrator-equivalent user, the change is treated as an administrator change and the user's own SecretStore is locked.


Setting a Master Password and Hint

The Enhanced Protection Master Password feature provides an alternative way for users to unlock SecretStore. The Master Password feature enables users to store and update a persistent password in SecretStore. If you (the administrator) reset a user's eDirectory password, SecretStore locks. The user can unlock SecretStore by using the master password instead of the previous eDirectory password.

SecretStore Manager (ssmanager.exe) provides an interface to the master password. This utility enables users to store a hint along with the master password. If users later enter an incorrect password when unlocking SecretStore, SecretStore Manager can display the hint to remind users of the master password.

Other interfaces that unlock SecretStore (such as those built in to the Lotus* Notes* and Entrust connectors) will accept the master password in place of the previous eDirectory password. However, these interfaces might not be capable of displaying the hint.

To set a master password and hint, use SecretStore Manager or SecretStore Status.
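As an added example that is not part of Novell's documentation or code, the following Python model of the locking rules described above (and of the master-password alternative) assumes a PBKDF2 hash in place of the NICI-encrypted hash and hypothetical names such as SecretStoreModel. It shows why a locked store reopens only with the last user-set password or the master password, and why a user who never changed the initial, admin-assigned password gains no protection.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # PBKDF2 rounds; stand-in for NICI encryption of the hash


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class SecretStoreModel:
    """Hypothetical model: the store remembers the last password the user set."""

    def __init__(self, initial_password: str):
        self.salt = os.urandom(16)
        # The account's first password is admin-assigned, so this hash is
        # admin-known until the user changes the password at least once.
        self.last_user_set = _hash(initial_password, self.salt)
        self.master = None
        self.locked = False
        self.secrets = {}

    def store_secret(self, name: str, value: str) -> None:
        if self.locked:
            raise PermissionError("SecretStore is locked")
        self.secrets[name] = value

    def read_secret(self, name: str) -> str:
        if self.locked:
            raise PermissionError("SecretStore is locked")
        return self.secrets[name]

    def change_nds_password(self, new_password: str, by_admin: bool) -> None:
        if by_admin:
            self.locked = True  # admin (or admin-equivalent) change: lock, keep hash
        else:
            self.last_user_set = _hash(new_password, self.salt)  # user change

    def set_master_password(self, master: str) -> None:
        self.master = _hash(master, self.salt)

    def unlock(self, password: str) -> bool:
        candidate = _hash(password, self.salt)
        ok = hmac.compare_digest(candidate, self.last_user_set)
        if not ok and self.master is not None:
            ok = hmac.compare_digest(candidate, self.master)
        if ok:
            self.locked = False
        return ok
```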


Using SecretStore Manager

  1. Run ssmanager.exe.

    This file is in the secstore\tools\utils directory.

  2. Click Options > Set Master Password.

  3. Enter a new password, confirm the password, enter a hint, then click Store.

  4. Confirm the new password by clicking OK.

Also, you can set the master password from SecretStore Manager by entering the following at the command line:

ssmanager.exe /sp

This command opens the Create/Edit Master Password dialog box.


Using SecretStore Status

  1. Run SSStatus.exe.

  2. At the Master Password field, click Set.

  3. Enter a new password, confirm the password, enter a hint, then click Store.

  4. Confirm the new password by clicking OK.


Using Disconnected Authentication

For performance, secrets from SecretStore in eDirectory or NDS are cached in an encrypted information store in the workstation's Windows directory. This local store persists after the eDirectory authenticated session is closed. For laptop users, this functionality provides access to login data while on the road.

Synchronization occurs when the workstation is started in the eDirectory-connected network, whenever login data is updated in the local store, or when SecretStore shuts down. Access to the local store is granted when the user logs in to Windows.

Single sign-on software (for example, SecureLogin) installation programs include and install the Novell Modular Authentication Service (NMAS) Enterprise Edition client. This client provides single sign-on programs with eDirectory disconnected authentication and password reveal re-authentication features.

By default, single sign-on installation programs (for example, setup.exe in SecureLogin) install the NMAS client and configure the Novell Client to display the eDirectory Password fields on the eDirectory login dialog box.

An eDirectory password post-login method stores an NICI-encrypted, hashed copy of the eDirectory password in the registry. SecureLogin then compares this encrypted password with username and password credentials that the user enters in response to disconnected authentication or re-authentication events.

If users authenticate with methods other than the eDirectory password, each user must use the eDirectory password method once to establish the password credentials on the workstation. You can then remove the eDirectory password method from the logon process for normal biometric, smart card, or token authentication to the directory.