The option determines whether users can use a passphrase to encrypt SSO data. You can set the Enable Passphrase Security System preference to , , or , depending on the enterprise security requirements. These preferences determine whether SSO is available for users to authenticate using their smart card and PIN, or a username and password. The cannot be set to unless is set to .

During the first launch of SecureLogin, if the is set either to , which is the default preference, or to , the user is prompted to set a passphrase question and answer. Users have two options, depending on what you specified.

Once users have set a passphrase, the application generates a random key, and a one-way hash of the passphrase answer encrypts this key. Later, the application key encrypts the new key. This key protects users' SecureLogin credentials and passwords, so that even administrators with Supervisor rights to the network and access to Microsoft Management Console (MMC) are unable to view a user's passwords to applications.

The next time, and every time after that, a user logs on to the network, SecureLogin loads seamlessly. Typically, the passphrase question is never prompted. However, if an administrator resets the user's directory or network password, the next time SecureLogin launches, users must answer the passphrase question before SecureLogin continues. This prevents other users from changing the actual user's directory password, logging on as the actual user, and obtaining access to their SecureLogin data and running applications.
Administrators cannot toggle the Enable Passphrase Security System setting when users forget their smart card unless they had previously set a passphrase or had it randomly generated using the option.

If users are required to authenticate to the network using passwords, Enable Passphrase Security System must be set either to or .

To enable the passphrase security system:

1. Access the Administrative Management Utility of SecureLogin. For more information on how to access the Administrative Management Utility, see Section 1.2, Administrative Management Utility and Section 1.3, Accessing the SSO Plug-In Through iManager.
2. Click . The Preferences page is displayed.
3. Under , select either Yes or Hidden in the Enable Passphrase Security System drop-down list.
4. Click .
5. Click .
NOTE: With the option selected, you can use the passphrase to decrypt SSO data if the user's smart card is damaged or lost. This setting must be used in conjunction with the preference set to and the preference set to . You can toggle these preferences if the user's smart card is forgotten, provided the user's passphrase has already been set. The user is prompted to answer their passphrase question before SecureLogin loads.

IMPORTANT: With the passphrase security system set to Hidden, a directory administrator can reset a user's directory password, log on as the user, and access their SSO data, because they are not prompted to answer a passphrase question.

If you select , users must select a passphrase question and answer when they log on to SecureLogin for the first time. When the passphrase system is enabled, users are prompted to answer their passphrase question if their password has been reset by the administrator.

If you select , you can use the passphrase to decrypt SSO data if the user's smart card is forgotten, provided the user's passphrase has already been set. The user is then prompted to answer the passphrase question before SecureLogin loads.

If you select , users are not prompted to set a user-defined passphrase. A user key is automatically generated.

IMPORTANT: With the passphrase security system set to Hidden, a directory administrator can reset a user's directory password, log in as the user, and access SSO data, because they are not prompted to answer the passphrase question.

In the > properties, when the option is set to , the user's SSO data is encrypted using the public key from the selected certificate and the private key, and is stored in a PIN-protected container on the user's smart card. Both the user's directory data store and local cache are then protected by the PKI credentials. For extra security, the SSO data can be encrypted using the private key, which is also PIN-protected and stored on the user's smart card. Only the user who has physical possession of the smart card and knowledge of the PIN can decrypt the SSO data.
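The key hierarchy described earlier (a random SSO data key wrapped under a one-way hash of the passphrase answer) and the contrast between a user-set passphrase and the Hidden setting (auto-generated user key, no passphrase prompt) are easier to reason about in code. The following Python model is an added example, not SecureLogin's code or its on-disk format: PBKDF2-HMAC-SHA256 stands in for the unnamed hash, the wrap is a minimal stdlib-only construction (hash-derived keystream plus an HMAC tag), the second layer in which the application key encrypts the wrapped key is omitted, and the Hidden mode's auto-generated user key is modelled as a field stored with the user's account. The `mode` strings, `enroll`, and `open_after_directory_reset` are names chosen for this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

KEY_LEN = 32  # size in bytes of the random SSO data key and of the derived keys


def kek_from_answer(answer: str, salt: bytes) -> bytes:
    """One-way hash of the passphrase answer, used as a key-encryption key.

    Assumption: PBKDF2-HMAC-SHA256 is a stand-in; the page does not name the hash.
    """
    return hashlib.pbkdf2_hmac("sha256", answer.encode("utf-8"), salt, 100_000, KEY_LEN)


def wrap_key(kek: bytes, data_key: bytes) -> bytes:
    """Encrypt data_key under kek and authenticate the result.

    Assumption: a minimal stdlib-only wrap (hash-derived keystream XOR plus an
    HMAC tag), chosen so the example runs offline; not SecureLogin's real format.
    """
    nonce = secrets.token_bytes(16)
    stream = hashlib.sha256(kek + nonce).digest()
    ciphertext = bytes(a ^ b for a, b in zip(data_key, stream))
    tag = hmac.new(kek, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unwrap_key(kek: bytes, blob: bytes) -> Optional[bytes]:
    """Recover the data key, or return None when kek is wrong (tag mismatch)."""
    nonce = blob[:16]
    ciphertext = blob[16:16 + KEY_LEN]
    tag = blob[16 + KEY_LEN:]
    expected = hmac.new(kek, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    stream = hashlib.sha256(kek + nonce).digest()
    return bytes(a ^ b for a, b in zip(ciphertext, stream))


def enroll(mode: str, answer: Optional[str] = None) -> dict:
    """Model the first launch: create the SSO data key and protect it per the preference.

    "Yes": the user set a passphrase, so the data key is wrapped under a hash of
    the answer, and the answer itself is never stored.
    "Hidden": no passphrase is set; a random user key is generated automatically.
    Assumption: that user key is modelled as a field stored with the user's
    account, since the page says a password reset alone is enough to reach the data.
    """
    data_key = secrets.token_bytes(KEY_LEN)
    if mode == "Yes":
        if not answer:
            raise ValueError('mode "Yes" requires a passphrase answer')
        salt = secrets.token_bytes(16)
        kek = kek_from_answer(answer, salt)
        record = {"mode": mode, "salt": salt, "wrapped": wrap_key(kek, data_key)}
    elif mode == "Hidden":
        user_key = secrets.token_bytes(KEY_LEN)
        record = {"mode": mode, "user_key": user_key, "wrapped": wrap_key(user_key, data_key)}
    else:
        raise ValueError(f"unsupported mode {mode!r}")
    return {"record": record, "data_key": data_key}


def open_after_directory_reset(record: dict, answer: Optional[str]) -> Optional[bytes]:
    """Model someone who reset the directory password and logged on as the user.

    With "Yes" the data key comes back only from the correct passphrase answer;
    the reset password alone yields nothing. With "Hidden" the auto-generated
    user key is all that is needed, which is the exposure the IMPORTANT notes
    above describe.
    """
    if record["mode"] == "Yes":
        if answer is None:
            return None  # no passphrase answer supplied; SecureLogin does not continue
        return unwrap_key(kek_from_answer(answer, record["salt"]), record["wrapped"])
    return unwrap_key(record["user_key"], record["wrapped"])


if __name__ == "__main__":
    yes = enroll("Yes", "blue")
    print("Yes, right answer:", open_after_directory_reset(yes["record"], "blue") == yes["data_key"])
    print("Yes, wrong answer:", open_after_directory_reset(yes["record"], "red"))
    hidden = enroll("Hidden")
    print("Hidden, no answer:", open_after_directory_reset(hidden["record"], None) == hidden["data_key"])
```

The point the model makes is the one the section keeps returning to: when the wrapping key is derived from something only the user knows, a directory password reset gives an administrator a working logon but not the SSO data key, whereas with Hidden the wrapping key travels with the account and the reset is sufficient. When choosing Hidden for usability, treat directory password reset as a privileged operation and audit it accordingly.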
If the option is set to , the can optionally be set to . Supported directory modes for disabling the passphrase security system are:

To set the passphrase security system to No:

1. Access the Administrative Management Utility of SecureLogin. For more information on how to access the Administrative Management Utility, see Section 1.2, Administrative Management Utility and Section 1.3, Accessing the SSO Plug-In Through iManager.
2. Click . The Preferences page is displayed.
3. Under , change the value for the option under to .
4. Under , select No in the drop-down list.
5. Click .
6. Click .

With this preference selected, the user's passphrases are completely disabled, and the user's smart card is always required to decrypt SSO data.

IMPORTANT: If you set the passphrase security system preference to No, it removes the passphrase security, and administrators can access the user's credentials by resetting the network password.

To view three scenarios of what the user experience can be in environments where the passphrase security system has been enabled and disabled, see Section 5.5, Passphrase Security System Scenarios.