4.5 Deploying

Novell SecureLogin provides centralized management and deployment of user configuration by using the directory structure and administration tools in the same utility.

We recommend that you configure Novell SecureLogin on a test user account before deployment.

4.5.1 Deployment and Distribution Options

Novell SecureLogin provides the following options for deployment and distribution of user configurations:

Table 4-1 Deployment and Distribution Options

| Option | Description |
|---|---|
| Copy settings | Copy Novell SecureLogin configuration from one object in a directory to another object in the same directory. |
| Export and import | Use an XML file to distribute the configuration. |
| Directory object inheritance | Inherit the configuration from a higher-level directory object, for example, a Group Policy. |
| Corporate configuration re-direction | Specify the directory object from which the configuration is inherited. |

4.5.2 Installing Novell SecureLogin on a User Workstation

We recommend using industry-standard application distribution packages such as Microsoft IntelliMirror, Systems Management Server, and Novell ZENworks® to deploy and manage Novell SecureLogin across large enterprises.

You can install and configure Novell SecureLogin, and add or remove its features, by using Microsoft Windows Installer options and parameters supplied from the command line or through a batch file.

Prior to installing Novell SecureLogin, ensure the LDAP certificate file is saved in the default certificate location of the LDAP log, for example, securelogin\rootcert.der.
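A pre-installation check of that certificate file, as an added PowerShell example that is not part of the Novell documentation. It assumes the file is the root CA certificate that the LDAP server's certificate chains to, as the example file name suggests; the function name, its parameters and the placeholder path and thumbprint are hypothetical.

```powershell
# Added example: sanity-check the LDAP root certificate before running the installer.
function Test-LdapRootCertificate {
    [CmdletBinding()]
    param(
        # Full path to the certificate; the guide gives only the example securelogin\rootcert.der
        [Parameter(Mandatory)][string]$Path,
        # Optional thumbprint obtained out-of-band from the CA or directory administrator
        [string]$ExpectedThumbprint,
        [int]$WarnDays = 30
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Certificate file not found: $Path"
    }
    $full = (Resolve-Path -LiteralPath $Path).Path
    # X509Certificate2 accepts DER as well as Base64-encoded certificate files.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($full)
    $now = Get-Date
    $problems = @()

    if ($now -lt $cert.NotBefore) { $problems += 'not yet valid' }
    if ($now -gt $cert.NotAfter) { $problems += 'expired' }
    elseif ($cert.NotAfter -lt $now.AddDays($WarnDays)) { $problems += "expires within $WarnDays days" }

    # A root certificate is self-issued; anything else is an intermediate or a server certificate.
    if ($cert.Subject -ne $cert.Issuer) { $problems += 'subject and issuer differ (not a root)' }

    # Version 3 roots carry basicConstraints with CA=true; old version 1 roots have no extensions.
    $bc = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    }
    if (-not $bc -or -not $bc.CertificateAuthority) { $problems += 'basicConstraints CA flag not set' }

    if ($ExpectedThumbprint) {
        # Normalise "AB:CD ..." or "ab cd ..." to the plain upper-case hex form .NET reports.
        $want = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
        if ($want -ne $cert.Thumbprint) { $problems += 'thumbprint does not match expected value' }
    }

    [pscustomobject]@{
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
        Problems   = $problems
        Ok         = ($problems.Count -eq 0)
    }
}

# Usage (placeholders, replace with your own values):
# Test-LdapRootCertificate -Path '<install path>\securelogin\rootcert.der' -ExpectedThumbprint '<thumbprint>'
```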

The procedure explained here is for manual installation, which is suitable for a small number of workstations and laptop computers.

  1. Log in to the workstation as an administrator.

  2. Run the Novell SecureLogin.msi from the Novell SecureLogin installer package. The Welcome page is displayed.

  3. Click Next. The License agreement page is displayed.

  4. Read the license agreement. Select I accept the terms in the license agreement to proceed. If you do not want to accept the license agreement, click Cancel to quit the setup.

  5. Click Next. The Program location folder is displayed. The default location for Novell SecureLogin is ..\Program Files\SecureLogin\. If you want to change the location, click Change and select an alternative location for Novell SecureLogin on the drive.

  6. Click Next. The installation environment page is displayed.

  7. Select LDAP directory.

  8. Select Enable Microsoft Active Directory Group Policies (reboot required).

    Enabling this option is optional in an LDAP installation. The group policies option is used only where the LDAP directory is working with Microsoft Active Directory, or if Microsoft Active Directory is used for Novell SecureLogin in LDAP mode.

  9. Click Next. The smart card support page is displayed.

    The ActivClient card settings are used if they are detected.

  10. Select Use smart card or cryptographic token.

    This option is based on whether you want to have Novell SecureLogin users use their smart cards to store single sign-on data to encrypt the users’ directory data with a Public Key Infrastructure (PKI) token.

  11. If you are not using the ActivClient smart card option, or if you want to change the smart card or cryptographic token, select the Use ActivClient smart card settings option. This is the recommended option.

  12. From the Cryptographic Service Provider (Microsoft Crypto API) drop-down list, select the appropriate cryptographic service provider.

  13. Browse to locate and select the appropriate Smart card (PKCS#11) library link (.dll) file.

    Manually configuring the third-party smart card PKCS#11 link library assumes a high level of understanding of the cryptographic service provider’s product, so we recommend that you use the ActivClient smart card support.

  14. Click Open.

  15. Click Next. The Installation features page is displayed.

  16. Select the startup options.

    We recommend that you select the Start SecureLogin at Windows startup option. However, depending on your enterprise’s operating environment, you can opt to have Novell SecureLogin start at Windows startup or at user login.

  17. Select Install Directory administration tools.

    The Directory administration tools are provided for corporate environments to manage users centrally at the directory. In the LDAP mode, Novell SecureLogin installs the Administrative Management utility.

  18. If applicable, select Install Citrix and Terminal Services support.

    Novell recommends that you test all Citrix environment deployments in a test environment before the actual deployment.

  19. Click Next. The Cache location folder page is displayed.

    IMPORTANT: Consider the following information before changing the cache location:

    • The user's application data folder is the Triple DES or optionally AES encrypted repository for all Novell SecureLogin user data, which includes credentials, preferences, password policies, preconfigured applications, and application definitions.

    • By default Novell SecureLogin data is stored in both your organization's corporate directory and in the SecureLogin offline cache on your workstation's hard drive. The data in the directory and the local cache are synchronized to ensure user data is always current.

    • When the smart card is used to store application credentials, the credentials are stored on the smart card and directory only. The cache and directory contain the application definitions, policies, and settings for single sign-on.

    • If smart cards are not used in the LDAP implementation, you can turn off the cache using an administrative preference so that the users access their single sign-on data from the directory only. This option has an impact on system performance.

  20. If you want to change the location of the cache folder, select Custom Location > Browse and locate an alternative folder.

  21. Click Next. The Ready to Install the Program page is displayed.

  22. Click Install. The installation process takes a few minutes. A confirmation message appears after the installation is complete.

  23. Click OK.

  24. Click Finish.

  25. If you are prompted for a restart, click Yes. The computer is automatically restarted.

IMPORTANT: Save and close all open data before logging out and logging in by using Novell SecureLogin.

If you are deploying Novell SecureLogin for the first time and you have not disabled the passphrase functionality, the Passphrase Setup dialog box is displayed the next time a user logs in. For information on setting up a passphrase, see Section 4.5.3, Setting Up a Passphrase.

4.5.3 Setting Up a Passphrase

A passphrase is a question and answer combination used as an alternative form of identity verification. Passphrase functionality protects SecureLogin credentials from unauthorized access and enables users to access Novell SecureLogin in offline mode. Passphrase verification also prohibits an administrator from accessing a user's single sign-on credentials if they reset the user's password. Passphrases can also be used as a substitute authentication mode if, for example, a user forgets his or her password. Depending on the preferences, SecureLogin passphrase questions can be generated by the administrator, the user, or both.

Administrators can also set up the passphrase questions for the users and enforce strict policies on the passphrase answer. For more information, see the Novell SecureLogin 6.1 SP1 Administration Guide.

During installation, passphrase security is enabled to enforce passphrase setup during the initial login. You can disable the passphrase policy by deselecting the Use Passphrase Policy option in the Advanced Settings pane of the Administrative Management utility.

If a passphrase has previously been configured, this dialog box does not display and the installation is complete.

On initial login to SecureLogin, all users are requested to save a passphrase response. It is important that this response is easy to recall because it cannot be viewed by anyone.

WARNING: Remember the passphrase answer. If you forget the answer, it cannot be accessed.

As the administrator, and therefore the first user of SecureLogin, you must create a passphrase question for yourself.

After installing Novell SecureLogin successfully, when you attempt to log in to the workstation, you are prompted to set your passphrase question and answer.

  1. Specify a question in the Enter a question field.

  2. Specify an answer in the Enter the answer field.

  3. Specify the answer again in the Confirm the answer field.

  4. Click OK. Your passphrase is saved and SecureLogin is installed on the administration workstation.

NOTE: When you upgrade, SecureLogin stores all user data, including the user’s passphrase question and response, from the previous version, so you do not need to re-create the passphrase.

You can create passphrase questions for users to select from in a directory environment; however, because you are the first SecureLogin user, you must create your own passphrase question.

4.5.4 Installing for Mobile Users and Laptops

Installing Novell SecureLogin for mobile and remote users follows the same procedure as Section 4.5.2, Installing Novell SecureLogin on a User Workstation.

However, it is important for you to ensure that the cache is saved locally, or users will be unable to access applications when they are disconnected from the network.

By default, the Enable cache file setting in the Preferences Properties Table is set to Yes. You can set this at either Organizational Unit level or on a per-user basis.