5.4 Deploying

Novell SecureLogin uses the directory structure and administrative tools for centralized management and deployment of user configuration. In Active Directory, Novell SecureLogin installs an additional tab in the Users and Computers > Properties dialog box. This tab provides Novell SecureLogin administrative functionality in the same utility you already use to manage your Active Directory users.

5.4.1 Configuring a User’s Environment List

Configuring a user’s Novell SecureLogin environment includes:

  • Setting preferences.

  • Creating password policies (optional).

  • Enabling single sign-on to applications.

  • Creating passphrase questions for selection (optional).

NOTE: We recommend that you configure Novell SecureLogin on a test user account before deploying.

The following table shows the options available for deploying and distributing user configuration:

Table 5-1 Deploying and Distribution Options

User Configuration Option              Description
Copy Settings                          Copies Novell SecureLogin configuration from one object in the same directory to another object.
Export and import                      Distributes the configuration by using an XML file.
Directory object inheritance           Inherits the configuration from a higher-level directory object, such as a Group Policy.
Corporate Configuration redirection    Specifies a directory object from which the configuration is inherited.

5.4.2 Installing On a User Workstation

It is recommended that you use industry standard application distribution packages such as Microsoft IntelliMirror, System Management Server, or Novell ZENWorks® to deploy and manage Novell SecureLogin across large enterprises.

Novell SecureLogin can be installed and configured, and features can be added and removed, by using Microsoft Windows Installer command-line options and parameters typed at the command line or supplied through a batch file.

Before installing Novell SecureLogin, ensure that the LDAP certificate file is saved in the default LDAP certificate location, for example, securelogin\rootcert.der.
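As an added example (not from the Novell documentation), the following PowerShell script performs an unattended Windows Installer deployment of Novell SecureLogin.msi after checking the certificate prerequisite above, and handles the restart-required exit codes. The paths in the parameters are placeholders for your environment; product-specific MSI properties for the installation environment and feature selection are not documented on this page, so installer defaults apply.

```powershell
# Added example, not part of the original guide. $MsiPath, $CertPath and $LogPath
# are assumed placeholder locations; adjust them for your deployment share.
param(
    [string]$MsiPath  = 'C:\Deploy\Novell SecureLogin.msi',
    [string]$CertPath = 'C:\Deploy\securelogin\rootcert.der',
    [string]$LogPath  = "$env:TEMP\SecureLogin-install.log"
)

# Prerequisite from this section: the LDAP root certificate must be in place first.
if (-not (Test-Path -LiteralPath $CertPath)) {
    Write-Error "LDAP certificate not found at $CertPath; aborting before install."
    exit 2
}
if (-not (Test-Path -LiteralPath $MsiPath)) {
    Write-Error "Installer not found at $MsiPath."
    exit 2
}

# Standard msiexec switches: /i install, /qn no UI, /norestart so the script decides
# about the reboot itself, /l*v verbose log for troubleshooting a failed rollout.
$msiArgs = @('/i', "`"$MsiPath`"", '/qn', '/norestart', '/l*v', "`"$LogPath`"")
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

switch ($proc.ExitCode) {
    0    { Write-Host "SecureLogin installed; log at $LogPath" }
    3010 { Write-Warning "Installed, but a restart is required (exit 3010)."; exit 3010 }
    1641 { Write-Host "Installed; Windows Installer initiated a restart (exit 1641)." }
    default {
        Write-Error "msiexec failed with exit code $($proc.ExitCode); see $LogPath"
        exit $proc.ExitCode
    }
}
```

Exit code 3010 is returned by Windows Installer when the install succeeded but the computer must be restarted, which corresponds to the restart prompt at the end of the manual procedure.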

The procedure explained here applies to manual installation, and is also applicable to installing on a small number of workstations and laptop computers.

  1. Log in to the workstation as an administrator.

  2. Run the Novell SecureLogin.msi.

    The Welcome page is displayed.

  3. Click Next. The License agreement page is displayed.

  4. Read the license agreement. Select I accept the terms in the license agreement if you want to proceed with the execution of the license agreement. If you do not want to proceed with the execution of the license agreement, click Cancel to quit the setup.

  5. Click Next. The program location folder is displayed. The default location for Novell SecureLogin is ..\Program Files\SecureLogin\. If you want to change the location, click Change and select an alternative location for Novell SecureLogin on the drive.

  6. Click Next. The installation environment page is displayed.

  7. Select Microsoft Active Directory.

    IMPORTANT: There are no additional installation or configuration steps required when running Microsoft Active Directory in LDAP mode. The only variation is in selecting the installation environment: you select the LDAP directory instead of Microsoft Active Directory.

  8. Click Next. The smart card support page is displayed.

    The ActivClient card settings are used if they are detected.

  9. Select Use smart card or cryptographic token.

    NOTE: Select this option if you want Novell SecureLogin users to use their smart card to store single sign-on data, and to encrypt the users’ directory data by using a Public Key Infrastructure (PKI) token.

  10. If you are not using the ActivClient smart card option, or you want to change the smart card or cryptographic token, select the Use ActivClient smart card settings option. This is the recommended option.

  11. From the Cryptographic Service Provider (Microsoft Crypto API) drop-down list, select the appropriate cryptographic service provider.

  12. Browse to locate and select the appropriate Smart card (PKCS#11) library link (.dll) file.

    Manually configuring the third-party smart card PKCS#11 link library assumes a high level of understanding of the cryptographic service provider’s product. Hence, we recommend that you use the ActivClient smart card support.

  13. Click Open.

  14. Click Next. The installation features page is displayed.

  15. We recommend that you select the Start SecureLogin at Windows startup option. However, depending on your enterprise’s operating environment, you can opt to have Novell SecureLogin start at Windows startup or at user login.

  16. Select Install Directory administration tools.

    The Directory administration tools are provided for corporate environments to manage users centrally at the directory. In the LDAP mode, Novell SecureLogin installs the Administrative Management utility.

  17. If applicable, select Install Citrix and Terminal Services support.

  18. Click Next. The cache location folder page is displayed.

    IMPORTANT: Consider the following information before changing the cache location:

    • The user's application data folder is the Triple DES or optionally AES encrypted repository for all Novell SecureLogin user data, which includes credentials, preferences, password policies, preconfigured applications, and application definitions.

    • By default, Novell SecureLogin data is stored in both your organization's corporate directory and in the SecureLogin offline cache on your workstation's hard drive. The data in the directory and the local cache are synchronized to ensure user data is always current.

    • When the smart card is used to store application credentials, the credentials are stored on the smart card and directory only. The cache and directory contain the application definitions, policies, and settings for single sign-on.

    • If smart cards are not used in the LDAP implementation, you can turn off the cache using an administrative preference so that the users access their single sign-on data from the directory only. This option has an impact on system performance.

  19. If you want to change the location of the cache folder, select Custom Location > Browse and locate an alternative folder.

  20. Click Next. The Ready to install the program page is displayed.

  21. Click Install. The installation process takes a few minutes. A confirmation message appears after the installation is complete.

  22. Click OK.

  23. Click Finish.

  24. If you are prompted for a restart, click Yes. The computer is automatically restarted.

5.4.3 Setting Up a Passphrase

A SecureLogin passphrase is a question and response combination used as an alternative form of identity verification. Passphrase functionality protects SecureLogin credentials from unauthorized access and enables users to access SecureLogin in offline mode. Passphrases can also be used as a substitute authentication mode if, for example, a user forgets his or her password. Depending on your preferences, SecureLogin passphrase questions can be generated by the administrator, by the user, or by both.

During installation, passphrase security is enabled to enforce passphrase setup during the initial login. You can disable the passphrase policy by deselecting the Use Passphrase Policy option in the Advanced Settings pane of the Administrative Management utility.

If a passphrase has previously been configured, this dialog box does not display and the installation is complete.

On initial login to SecureLogin, all users are requested to save a passphrase response. It is important that this response is easy to recall, because it cannot be viewed by anyone.

WARNING: Remember the passphrase answer. If you forget the answer, it cannot be recovered.

As administrator, and therefore first user of SecureLogin, you must create a passphrase question for yourself.

After installing Novell SecureLogin successfully, when you attempt to log in to the workstation, you are prompted to set your passphrase question and answer.

  1. Specify a question in the Enter a question field.

  2. Specify an answer in the Enter the answer field.

  3. Specify the answer again in the Confirm the answer field.

  4. Click OK. Your passphrase is saved and SecureLogin is installed on the administration workstation.

NOTE: When you upgrade, SecureLogin retains all user data, including the user’s passphrase question and response, from the previous version, so you do not need to re-create the passphrase.

You can create passphrase questions for users to select from in a directory environment; however, because you are the first SecureLogin user, you must create your own passphrase question.

5.4.4 Installing for Mobile Users and Notebook Users

Installing Novell SecureLogin for mobile and remote users uses the same procedure as Section 5.4.2, Installing On a User Workstation.

However, it is important to ensure that the cache is saved locally, or users cannot access applications when they are disconnected from the network. The Enable cache file setting in the Preferences option is set to Yes by default. You can set this at either the Organization Unit level or on a per-user basis.

5.4.5 Configuring Roaming Profiles

Enterprises often create roaming profiles for specific groups of users, defined by their organizational role or function, for example, field engineers connecting from remote locations or accounting staff working at different locations. A roaming profile is created by setting the path to the target user’s profile.

For more information on creating roaming profiles in an Active Directory environment, see the Microsoft Support Web site.

NOTE: During loading, Novell SecureLogin loads the user’s profile, effectively locking that profile and preventing the user’s credential data from being copied to the roaming profile.

To prevent Novell SecureLogin from causing problems with existing user roaming profiles, you must manually force Novell SecureLogin not to encrypt the user’s credential data by using Microsoft’s Data Protection API (DPAPI).

Configuring Novell SecureLogin for use with roaming profiles requires additional support for a successful deployment. Contact Novell Support for assistance.