7.3 Configuring SecureLogin for Smart Cards

SecureLogin includes a number of options that determine SecureLogin's behavior, such as how SSO data is encrypted (that is, using the smart card or a passphrase question and answer) and how to handle scenarios such as lost cards.

To configure the preferences, use the MMC snap-in in Active Directory environments, ConsoleOne® or iManager in eDirectory™ environments, or SecureLogin Manager in LDAP v3-compliant directories such as Sun*, Oracle*, and IBM*.

  1. Access the Administrative Management Utility of SecureLogin.

    For more information on how to access the Administrative Management Utility, see Section 1.2, Administrative Management Utility and Section 1.3, Accessing the SSO Plug-In Through iManager.

  2. Click Preferences. The Preferences Properties Table is displayed.

  3. In the Setting Description column, go to Security and select the appropriate preferences.

  4. Click Apply.

  5. Click OK.

The following sections explain the various security preferences:

7.3.1 Requiring a Smart Card for SSO and Administration Operations

The Require smart card is present for SSO and administrative operation option determines whether a user's smart card must be present before an SSO session or administration function is allowed. This option also checks whether a smart card has been removed after the start of an SSO session, which prevents the swapping of smart cards to copy a user’s credentials.

If the smart card is removed after the SSO session has started, and then reinserted, the card serial number is checked to validate that the card now being used is the same card used to initiate the SSO session.

If you select No, the user's smart card is not required for SSO and administration operations.

If you select Yes, the user's smart card is required for SSO and administration operations.

If the Default option is selected, then this option is set to No. Alternatively, the user's credentials inherit the Require smart card is present for SSO and administration operations option set by the higher-level container.

NOTE: If the Lost card scenario option is set to Allow passphrase, then the Require smart card is present for SSO and administration operations option is dimmed and not available.

If Lost card scenario is set to Require smart card, then the Require smart card is present for SSO and administration operations option is available and defaults to Yes.

Figure 7-1 Smart Card Detection
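The removal and reinsertion check described above can be modelled as a small session state machine. The following Python is an added illustration written for this page, not SecureLogin code: the card serial numbers are constructed sample values, and the method and state names are assumptions. It shows why the serial number recorded at session start matters: a different card inserted after removal is rejected, and only the original card resumes the session.

```python
from typing import Optional


class SmartCardSession:
    """Model of the 'Require smart card is present' preference (added example).

    The serial number of the card that starts the SSO session is recorded.
    If the card is removed, the session is locked; it only resumes when a
    card with the same serial number is reinserted. A different serial is a
    card swap and is refused. Sample serials such as 'SN-1001' are constructed.
    """

    def __init__(self, require_card: bool) -> None:
        self.require_card = require_card      # preference set to Yes (True) or No (False)
        self.session_serial: Optional[str] = None
        self.card_present = False
        self.locked = False

    def start_session(self, card_serial: Optional[str]) -> str:
        # With the preference set to Yes, no card means no SSO session at all.
        if self.require_card and card_serial is None:
            return "denied: no card present"
        self.session_serial = card_serial
        self.card_present = card_serial is not None
        self.locked = False
        return "started"

    def card_removed(self) -> None:
        # Removal after session start locks SSO until the same card comes back.
        self.card_present = False
        if self.require_card:
            self.locked = True

    def card_inserted(self, card_serial: str) -> str:
        self.card_present = True
        if not self.require_card:
            return "ignored"          # preference No: card presence is not tracked
        if card_serial == self.session_serial:
            self.locked = False
            return "resumed"
        # Serial differs from the card that initiated the session: a swap.
        return "denied: serial mismatch"

    def sso_allowed(self) -> bool:
        if not self.require_card:
            return True
        return self.card_present and not self.locked


def demo() -> list:
    """Walk through removal, a swapped card, and the original card returning."""
    s = SmartCardSession(require_card=True)
    events = [s.start_session("SN-1001"), s.sso_allowed()]
    s.card_removed()
    events.append(s.sso_allowed())              # locked after removal
    events.append(s.card_inserted("SN-2002"))   # different card: refused
    events.append(s.sso_allowed())
    events.append(s.card_inserted("SN-1001"))   # original card: resumes
    events.append(s.sso_allowed())
    return events


if __name__ == "__main__":
    print(demo())
```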

7.3.2 Storing User Credentials on Smart Card

Use the Store User credentials on smart card option to select how user credentials are stored.

If you select No, the user's credentials are stored in the user's local (off-line) cache.

If you select Yes, the user's SSO credentials, including user names and passwords, are stored on the smart card in a secure PIN-protected container. Although credentials are stored on the smart card, other SSO data, including application definitions and preferences, are stored in the user's local cache on the hard drive.

If the Default option is selected, the user's credentials are stored in the user's local (off-line) cache, as with the No option. Alternatively, the user's credentials inherit the Store credentials on smart card option set by the higher-level container.

Figure 7-2 Store Credentials on Smart Card

NOTE: You can manually disable inheritance of higher-level options by selecting the Yes option for Stop walking here (SecureLogin Administrative Management Utility > Preferences > General options).

7.3.3 Using AES for SSO Data Encryption

This option determines the level and standard of encryption used to encrypt SSO data stored on the smart card by allowing the use of AES instead of triple DES.

If you select No, the user's SSO credentials are encrypted with triple DES (EDE) in Cipher-Block Chaining (CBC) mode using a 168-bit key.

NOTE: The input key for DES is 64 bits long and includes 8 parity bits. These 8 parity bits are not used during the encryption process, resulting in a DES encryption key length of 56 bits. Therefore, the key strength for Triple DES is actually 168 bits.

If you select Yes, the user's credentials are encrypted with AES (EDE) in CBC mode using a 256-bit key.

If a previous version of SecureLogin was implemented with passphrases enabled and this option is set to Yes, users must answer with a passphrase before data can be decrypted and re-encrypted using AES.

Figure 7-3 Use AES for SSO Data Encryption

7.3.4 Using a Smart Card to Encrypt SSO Data

SecureLogin 6.0 SP1 offers various encryption options. By default, SecureLogin encrypts data using either a user-defined passphrase key or a randomly generated key. The Use smart card to encrypt SSO data option can be used to determine whether PKI credentials or the self-generated key are stored on the smart card and then used to encrypt the user's SSO data.

If you select PKI credentials, SSO data is encrypted using the user's PKI credentials. SSO data stored in the directory and in the offline cache (if enabled) is encrypted using the public key from the selected certificate, and the private key (stored on a PIN-protected smart card) is used for decryption.

If you select the Key generated on smart card option, SSO data is encrypted using a randomly generated symmetric key that is stored on the user's smart card. This key is used to encrypt and decrypt SSO data stored in the directory and in the offline cache (if enabled).

NOTE: It is possible to inadvertently set these options to Require smart card under the following circumstances: first, you change the Use smart card to encrypt SSO data option to PKI credentials; then you change the Lost card scenario option to Require smart card; and finally you change the Require smart card is present for SSO and administration operations option to Yes. If you do this, both the Lost card scenario and Require smart card for SSO and administration operations options are set to Require smart card.

You should set these preferences in the following order:

  1. Set the Store credentials on smart card to No.
  2. Set the Use smart card to encrypt SSO data option to PKI credentials.
  3. Click Apply.
  4. Close and then reactivate SecureLogin. Check if the options are correctly set.

IMPORTANT: You should always set the Enable passphrase security system preference to Yes or Hidden, and apply the setting, before you set the Use smart card to encrypt SSO data option to Key generated on smart card.

When a smart card is deployed with a user's PKI credentials, consider using key escrow, archiving, and backup through an enterprise card management system for the user's private key to be recovered in a lost card scenario. If no escrow is used, then the Enable passphrase security system option should be set to Yes or Hidden to prevent the loss of the user's SSO credentials if a user loses a card.

For more information, refer to Section 7.6, Using a Card Management System.

Figure 7-4 Use Smart Card to Encrypt SSO Data

7.3.5 Using PKI Encryption for the Data Store and Cache

If PKI credentials are used to encrypt SSO data and the passphrase security system is set to No, you should consider implementing a key archive for backup and recovery. If no key archive is implemented and the passphrase security system is not enabled, users can never decrypt their SSO data if they lose a smart card, because the private key is stored only on the smart card and is not recoverable.

Without private key recovery, if the user loses his or her smart card, the SSO administrator must clear the user’s SSO data store and reset the back-end password before the user is able to use SSO again. This is a high security solution, but is more inconvenient to end users because they cannot have SSO access without the smart card.

For more information, refer to Section 7.6, Using a Card Management System.

7.3.6 Selecting a Certificate

When a smart card is configured to use PKI credentials to encrypt SSO data, SecureLogin retrieves the serial number of the current certificate and locates the certificate in the certificate store specified in the relevant SecureLogin preferences.

SecureLogin then loads the associated private key (which may cause a PIN prompt), and attempts to decrypt the user key with the private key.

If decryption fails or the certificate cannot be located, but a smart card is present and a certificate that matches the selection criteria can be located, SecureLogin assumes that a recovered smart card is in use. SecureLogin then attempts to decrypt the user key with each key pair stored on the card.

Figure 7-5 Selecting a Certificate

7.3.7 Certificate Selection Criteria

The Certificate Selection Criteria option allows you to select an encryption or authentication certificate to encrypt a user's SSO information in the directory.

The certificate selection criteria determine which certificate to select if multiple certificates are in use (for example, if an enterprise has configured an Entrust* certificate for SSO encryption and a Microsoft* certificate for log on and/or authentication).

Figure 7-6 Certificate Selection Criteria

If only one certificate is used, the field is blank and the certificate is detected automatically and set to User Certificate. When entering certificate selection criteria, no special formatting is required and the search string is not case sensitive. Wildcards are not used and a search matches if the search text is a substring of the certificate subject field. SecureLogin attempts to match against the Certificate Subject, then the Certificate Issuer and finally the Friendly Name in that order.

Example 7-1 For example, if the subject is

CN=Daniel,OU=Users,OU=Accounts,OU=APAC,DC=Novell,DC=Int

Then Daniel is a valid search value, as are Accounts, APAC, and Int. The prefixes CN=, OU=, or DC= are not required.

Similarly, if the Certificate Issuer is

CN=IssuingCA1,OU=AD,DC=undiscovered,DC=com

Then IssuingCA1 is a valid search value, as are AD, undiscovered, and com.
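The matching rules in this section (case-insensitive substring, no wildcards, Subject then Issuer then Friendly Name) and the serial-number lookup with fallback described in Section 7.3.6 can be reproduced in a few lines. The Python below is an added example written for this page, not SecureLogin's own code: the certificate records are constructed samples built from the subject and issuer strings above, the second certificate and the friendly names are assumptions, and the function names are the author's. It also shows a point the text implies but does not spell out: when two certificates share a subject, a criterion such as Daniel is ambiguous and an issuer or friendly-name value is needed to pick the right one.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Certificate:
    """Minimal view of a certificate-store entry (constructed for this example)."""
    serial: str
    subject: str
    issuer: str
    friendly_name: str


# Constructed sample store: an SSO encryption certificate and a logon
# certificate for the same user. Subjects are identical, issuers differ.
SSO_CERT = Certificate(
    serial="01",
    subject="CN=Daniel,OU=Users,OU=Accounts,OU=APAC,DC=Novell,DC=Int",
    issuer="CN=IssuingCA1,OU=AD,DC=undiscovered,DC=com",
    friendly_name="Entrust SSO Encryption",           # assumed friendly name
)
LOGON_CERT = Certificate(
    serial="02",
    subject="CN=Daniel,OU=Users,OU=Accounts,OU=APAC,DC=Novell,DC=Int",
    issuer="CN=ExampleLogonCA,DC=example,DC=invalid",  # assumed issuer
    friendly_name="Microsoft Smart Card Logon",         # assumed friendly name
)
STORE: List[Certificate] = [LOGON_CERT, SSO_CERT]


def match_field(cert: Certificate, criteria: str) -> Optional[str]:
    """Return the name of the first field the criteria match, or None.

    Order is Subject, then Issuer, then Friendly Name. The comparison is a
    plain case-insensitive substring test: no prefixes (CN=, OU=, DC=) are
    needed and wildcard characters are not interpreted, so '*APAC*' fails
    because the literal asterisks are not in the subject.
    """
    if criteria == "":
        return "auto"   # blank criteria: certificate is detected automatically
    needle = criteria.lower()
    for name, value in (("subject", cert.subject),
                        ("issuer", cert.issuer),
                        ("friendly_name", cert.friendly_name)):
        if needle in value.lower():
            return name
    return None


def candidates(store: List[Certificate], criteria: str) -> List[Certificate]:
    """All certificates in the store that satisfy the criteria."""
    return [c for c in store if match_field(c, criteria) is not None]


def is_ambiguous(store: List[Certificate], criteria: str) -> bool:
    """True when the criteria select more than one certificate."""
    return len(candidates(store, criteria)) > 1


def select_certificate(store: List[Certificate], criteria: str,
                       current_serial: Optional[str] = None) -> Optional[Certificate]:
    """Lookup order from Sections 7.3.6 and 7.3.7 (modelled, not product code).

    First look for the serial number of the current certificate; if it is
    not in the store (for example after a card is replaced), fall back to the
    first certificate matching the selection criteria.
    """
    if current_serial is not None:
        for cert in store:
            if cert.serial == current_serial:
                return cert
    found = candidates(store, criteria)
    return found[0] if found else None


if __name__ == "__main__":
    for crit in ("Daniel", "IssuingCA1", "Entrust", "*APAC*"):
        chosen = select_certificate(STORE, crit)
        print(f"{crit!r}: ambiguous={is_ambiguous(STORE, crit)} "
              f"-> {chosen.friendly_name if chosen else None}")
```

Run it as a script to see which criterion picks which certificate; in practice the useful check before rolling out a criterion is `is_ambiguous`, since a criterion that matches both an encryption and a logon certificate will silently select whichever the store lists first.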

7.3.8 Current Certificate

This option displays the certificate that is currently being used by SecureLogin to encrypt a user’s SSO data.

Figure 7-7 Current Certificate