Using Enhanced Protection

The Enhanced Protection feature provides additional security for users' secrets. By default, a user's secrets have enhanced protection. The following figure illustrates this setting:

[Figure: The check box to enable enhanced protection]

This section provides information on the following:

    Locking SecretStore
    Setting a Master Password and Hint
    Using Disconnected Authentication
Locking SecretStore

With the Enhanced Protection option enabled for any secret in Novell SecretStore, if the network administrator changes the user's NDS password, SecretStore enters a locked state. When SecretStore is locked, no secrets stored with the Enhanced Protection option can be read until SecretStore is unlocked.

SecretStore can be unlocked only if the user provides the last NDS password that was set. Because an administrator should not know the user's previous NDS password, Enhanced Protection-protected secrets are kept safe.

NDS and SecretStore can distinguish between user-initiated password changes and those done by an administrator. SecretStore only locks when an administrator changes a user's password. An encrypted hash of the user's previous password is updated in SecretStore only if the user initiates the change.

If the user has changed the NDS password at least once after the account was created and before any enhanced protection-protected secrets are stored, this protection is completely secure, because the administrator doesn't know the previous password. As a standard practice when you set up new User objects in NDS, require the user to change the password at first login.

Users who have Administrator-equivalent rights (that is, they have Supervisor rights but are not the actual network administrator) need to be careful when setting their own passwords. If such a user sets a password while logged in as an Administrator-equivalent user, that user's SecretStore is locked.


Setting a Master Password and Hint

The Master Password feature enables users to store and update a persistent password in SecretStore. If the Enhanced Protection feature is enabled and you (the administrator) reset a user's eDirectory password, SecretStore locks.

Also, a master password is useful if your secrets are locked and you can't remember your previous eDirectory password. By entering a master password, you gain access to your SecretStore.

By default, your master password isn't set. Only you can set your master password.

If the SecretStore client isn't installed and running on the workstation, you can't set a master password.

If you use SecureLogin with SecretStore, your master password is set when you create a passphrase answer in SecureLogin.
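The locking rules in "Locking SecretStore" and the master password described above fit together as a small state machine: a hash of the password the user last set is recorded only on user-initiated changes, an administrator reset (or a change made under Administrator-equivalent rights) locks the store without touching that record, and the store unlocks only for the last user-set password or the master password. The following model is an added example written for this page, not Novell's SecretStore code; the PBKDF2 hashing, the `EnhancedSecretStore` class and the scenario in `walkthrough()` are all assumptions made here to illustrate the rules.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

# Illustrative model of the Enhanced Protection locking rules and the master
# password. Assumption: any key-stretched hash stands in for the product's own
# "encrypted hash of the previous password".
PBKDF2_ROUNDS = 50_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """Key-stretched hash so the store never holds the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class SecretStoreLocked(Exception):
    """Raised when an enhanced-protection secret is read from a locked store."""


@dataclass
class EnhancedSecretStore:
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    locked: bool = False
    master_hint: Optional[str] = None
    _secrets: dict = field(default_factory=dict)
    _last_user_pw_hash: Optional[bytes] = None   # password the user last set
    _master_pw_hash: Optional[bytes] = None      # unset by default

    @classmethod
    def create(cls, current_password: str) -> "EnhancedSecretStore":
        # At creation the recorded hash is of whatever password is current,
        # which may still be the one the administrator set; that is why the
        # text recommends forcing a password change at first login.
        store = cls()
        store._last_user_pw_hash = _hash_password(current_password, store.salt)
        return store

    def change_password(self, new_password: str, admin_rights: bool) -> None:
        """Password change as seen by SecretStore.

        admin_rights=True covers an administrator resetting the password and
        the user changing it while logged in with Administrator-equivalent
        rights: the store locks and the recorded hash is left untouched.
        """
        if admin_rights:
            self.locked = True
        else:
            self._last_user_pw_hash = _hash_password(new_password, self.salt)

    def store_secret(self, name: str, value: str) -> None:
        self._secrets[name] = value

    def read_secret(self, name: str) -> str:
        if self.locked:
            raise SecretStoreLocked("unlock with the previous password or the master password")
        return self._secrets[name]

    def set_master_password(self, password: str, hint: str) -> None:
        # Assumption: only the user's own unlocked session can set it.
        if self.locked:
            raise SecretStoreLocked("cannot set the master password while locked")
        self._master_pw_hash = _hash_password(password, self.salt)
        self.master_hint = hint

    def unlock(self, credential: str) -> bool:
        """Accept the last user-set password or the master password, nothing else."""
        offered = _hash_password(credential, self.salt)
        for known in (self._last_user_pw_hash, self._master_pw_hash):
            if known is not None and hmac.compare_digest(offered, known):
                self.locked = False
                return True
        return False   # caller may now show store.master_hint, as ssmanager does


def walkthrough() -> dict:
    """Replay the scenario from the text with constructed passwords; returns what happened."""
    store = EnhancedSecretStore.create("Initial1")              # admin-set at account creation
    store.change_password("UserPw2", admin_rights=False)        # user changes it at first login
    store.store_secret("mail", "imap-password")
    store.set_master_password("Master3", hint="favourite river")
    store.change_password("AdminReset4", admin_rights=True)     # administrator resets -> lock
    result = {"locked_after_reset": store.locked}
    try:
        store.read_secret("mail")
        result["read_while_locked"] = "allowed"
    except SecretStoreLocked:
        result["read_while_locked"] = "refused"
    result["new_password_unlocks"] = store.unlock("AdminReset4")   # known to the admin: refused
    result["initial_password_unlocks"] = store.unlock("Initial1")  # stale admin-set value: refused
    result["previous_password_unlocks"] = store.unlock("UserPw2")  # last user-set password: accepted
    store.change_password("AdminReset5", admin_rights=True)        # locked again
    result["master_password_unlocks"] = store.unlock("Master3")
    result["secret"] = store.read_secret("mail")
    return result


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

The point to take from the walkthrough is that neither password the administrator knows (the initial one nor the reset one) opens the store; only the password the user last set, or the master password the user chose, does.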

To set your master password:

  1. Make sure that you are logged in to eDirectory as the user (not as Admin or another role).

  2. In ConsoleOne, right-click your User object, click Properties, click Novell SecretStore, then click SecretStore.

    [Figure: The SecretStore option on the Novell SecretStore tab]

  3. Open the Set Master Password dialog box by clicking Set.

    [Figure: The Master Password text field]

  4. Type and confirm the master password.

  5. Type a hint that helps you remember the master password but that isn't obvious to an onlooker.

  6. Save the changes by clicking OK.

SecretStore Manager (ssmanager.exe) also provides an interface to the master password. This utility enables users to store a hint along with the master password. If users later enter an incorrect password when unlocking SecretStore, SecretStore Manager can display the hint to remind users of the master password.

Other interfaces that unlock SecretStore (such as those built in to the Lotus Notes and Entrust connectors) will accept the master password in place of the previous eDirectory password. However, these interfaces might not be capable of displaying the hint.


Using SecretStore Manager to Set a Master Password

  1. Run ssmanager.exe.

    This file is in the secstore\tools\utils directory.

  2. Click Options > Set Master Password.

  3. Provide a new password, confirm the password, provide a hint, then click Store.

  4. Confirm the new password by clicking OK.

Also, you can set the master password from SecretStore Manager by entering the following at the command line:

ssmanager.exe /sp

This command opens the Create/Edit Master Password dialog box.


Using SecretStore Status to Set a Master Password

  1. Run SSStatus.exe.

  2. Click Options, then click Set Master Password.

    [Figure: The Set Master Password option]

  3. Type and confirm the password, enter a hint, then click Store.

    [Figure: The dialog box to set a master password]

  4. Click OK.


Using Disconnected Authentication

For performance, secrets from SecretStore in eDirectory or NDS are cached in an encrypted information store in the workstation's Windows directory. This local store persists after the authenticated eDirectory session is closed. For laptop users, this provides access to login data while they aren't connected to the network.

Synchronization occurs when the workstation is started in the eDirectory-connected network, whenever login data is updated in the local store, or when SecretStore shuts down. Access to the local store is granted when the user logs in to Windows.

Single sign-on software (for example, SecureLogin) installation programs include and install the Novell Modular Authentication Service (NMAS) Enterprise Edition client. This client provides single sign-on programs with eDirectory disconnected authentication and password reveal re-authentication features.

By default, single sign-on installation programs (for example, setup.exe in SecureLogin) install the NMAS client and configure the Novell Client to display the eDirectory Password fields in the eDirectory login dialog box.

An eDirectory password post-login method stores a NICI-encrypted, hashed copy of the eDirectory password in the registry. SecureLogin then compares this encrypted hash with the username and password credentials that the user enters in response to disconnected authentication or re-authentication events.

If users log in with methods other than the eDirectory password, each user must use the eDirectory password method once to establish the password credentials on the workstation. You can then remove the eDirectory password method from the login process and use biometric, smart card, or token authentication to the directory as normal.
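The disconnected-authentication flow above has two rules worth seeing in code: the offline credential is a hashed copy of the eDirectory password that only the eDirectory password method can establish, and a later disconnected login or password-reveal re-authentication is checked against that hash rather than against the directory. The following model is an added example written for this page, not NMAS or SecureLogin code; the `Workstation` class, the dictionary standing in for the registry entry and the local store, the PBKDF2 hashing in place of NICI, and the scenario in `walkthrough()` are all assumptions made here.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Illustrative model of disconnected authentication. Assumption: a salted
# PBKDF2 hash stands in for the NICI-encrypted, hashed registry copy of the
# eDirectory password.
PBKDF2_ROUNDS = 50_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class CredentialNotEstablished(Exception):
    """No offline credential: the eDirectory password method has never been used here."""


class Workstation:
    def __init__(self) -> None:
        self.registry: Dict[str, Tuple[bytes, bytes]] = {}   # user -> (salt, hash)
        self.local_store: Dict[str, Dict[str, str]] = {}    # user -> cached secrets

    def connected_login(self, user: str, method: str, directory_secrets: Dict[str, str],
                        password: Optional[str] = None) -> None:
        """Login while connected to eDirectory.

        Any NMAS method (password, biometric, smart card, token) gets the
        session and a synchronized local store, but only the eDirectory
        password post-login method writes the offline credential.
        """
        if method == "password":
            if password is None:
                raise ValueError("the eDirectory password method needs the password")
            salt = os.urandom(16)
            self.registry[user] = (salt, _hash_password(password, salt))
        # Connected start of the workstation synchronizes the local store.
        self.local_store[user] = dict(directory_secrets)

    def verify_offline(self, user: str, password: str) -> bool:
        """Check entered credentials against the stored hash; used for both
        disconnected login and password-reveal re-authentication."""
        if user not in self.registry:
            raise CredentialNotEstablished(
                "use the eDirectory password method once to establish credentials")
        salt, stored = self.registry[user]
        return hmac.compare_digest(_hash_password(password, salt), stored)

    def disconnected_login(self, user: str, password: str) -> Optional[Dict[str, str]]:
        """Return the cached secrets on success, None on a wrong password."""
        if not self.verify_offline(user, password):
            return None
        return self.local_store.get(user, {})


def walkthrough() -> dict:
    """Constructed scenario: smart card first, then the password method once."""
    ws = Workstation()
    secrets = {"mail": "imap-password"}       # constructed sample secret
    result = {}
    ws.connected_login("alice", "smartcard", secrets)
    try:
        ws.disconnected_login("alice", "Alice-eDir-1")
        result["offline_before_password_method"] = "allowed"
    except CredentialNotEstablished:
        result["offline_before_password_method"] = "refused"
    ws.connected_login("alice", "password", secrets, password="Alice-eDir-1")
    result["offline_wrong_password"] = ws.disconnected_login("alice", "guess")
    result["offline_right_password"] = ws.disconnected_login("alice", "Alice-eDir-1")
    # Back on the network with a non-password method: the credential survives.
    ws.connected_login("alice", "smartcard", secrets)
    result["reauth_after_smartcard"] = ws.verify_offline("alice", "Alice-eDir-1")
    return result


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

The first disconnected attempt is refused not because the password is wrong but because nothing has been established yet, which is the situation the last paragraph above tells you to avoid by running the eDirectory password method once per user per workstation.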