3.1 Prerequisites

3.1.1 NICI

The Novell International Cryptographic Infrastructure (NICI) is required for you to use Novell SecureLogin on the following:

  • eDirectory LDAP protocol

  • The SecretStore client feature

  • The NMAS™ client feature

If you are using NMAS, install NICI manually before installing NMAS Client.

3.1.2 NMAS

Novell SecureLogin requires NMAS Client 3.4.

  • When installing Novell SecureLogin in eDirectory mode, install NMASClient manually before installing Novell SecureLogin.

  • For installing on Vista, NMAS is available in \Nmas\NmasClient\Vista-x86\nmasclient_setup_v32.exe that is found as part of your Novell SecureLogin installer package.

  • For installing on Windows XP, 2000, and 2003, NMAS is available in \Nmas\NmasClient\win32\nmasclient_setup.exe that is found as part of your Novell SecureLogin installer package.

NMAS is not uninstalled when you uninstall Novell SecureLogin.

3.1.3 Novell SecureLogin and SecretStore

Novell SecureLogin has a SecretStore client option that you can use in Novell eDirectory environments. The SecretStore option provides additional security. If you want to use the SecretStore option along with Novell SecureLogin, you must install SecretStore server components on a eDirectory server and then install the SecretStore client on workstations.

3.1.4 Using the SecretStore Client

To provide the highest possible level of security for user login data, you can use Novell SecureLogin along with the patented Novell SecretStore® client/server system. SecretStore requires server components on the eDirectory server, and requires Novell SecureLogin client software with the SecretStore client, on workstations.

To determine whether SecretStore is installed on a NetWare server:

  1. At the server console, type nwconfig, then press Enter.

  2. Select Product Options > > View/Configure/Remove Installed Products, then press Enter.

  3. Scroll to find the SecretStore product (for example, SS 3.3.5 Novell SecretStore).

You can also use iManager. If SecretStore is installed, the SecretStore object is displayed in the Security container.

If SecretStore is not installed, see “Installing SecretStore” in the SecretStore 3.4 Administration Guide.

To install the SecretStore client:

  1. Upgrade SecretStore on the server.

    Upgrade SecretStore on your server to version 3.3.5 if you are using eDirectory 8.7.3 to SecretStore 3.4 if you are using eDirectory 8.8.

    WARNING:If you do not upgrade SecretStore on your server, secrets might be lost.

  2. Select the SecretStore option when you install Novell SecureLogin on workstations.

3.1.5 Extending the eDirectory Schema

The Novell® eDirectory™ schema must be extended in order to enable Novell SecureLogin to save users’ single sign-on information. Ndsschema.exe extends the eDirectory schema and grants rights to existing users so that they can use Novell SecureLogin.

To extend the schema of a given tree, you must have sufficient rights over the [root] of the tree. In addition, make sure that you have Novell Client 4.91 or later installed on your machine.

  1. Run ndsschema.exe.

    Typically, this file is in the securelogin\tools directory. However, if you unzipped it to the Temp directory on a Windows 2000 workstation, you might need to display the Local Settings directory and then locate ndsschema.exe in the following path:

    c:\Documents and settings\Administrator\Local Settings\Temp\Securelogin\Tools

    Extending the schema might take some time to filter throughout your network, depending on the size of your network and the speed of the links.

    When the NDS® or eDirectory schema is extended, the following attributes are added:

    • Prot:SSO Auth

    • Prot:SSO Entry

    • Prot:SSO Entry Checksum

    • Prot:SSO Profile

    • Prot:SSO Security Prefs

    • Prot:SSO Security Prefs Checksum

    If you use iManager to administer Novell SecureLogin, you must also extend the LDAP Schema. For information on extending the LDAP schema, see Section 4.2.2, Extending The LDAP Directory Schema.

  2. Specify an eDirectory context so that Novell SecureLogin can assign rights to User objects under that context.

  3. At the prompt, define a context where you want the User objects' rights to be updated, allowing users access to their own single sign-on credentials.

    If you do not specify a context, rights begin at the root of the eDirectory tree.

    Only the rights on Container objects are inherited. These rights flow to subcontainers, so that users can read attributes. User rights are not inherited.

    If the installation program displays a message similar to -601 No Such Attribute, you have probably entered an incorrect context or included a leading dot in the context.

  4. (Conditional) Grant rights to local cache directories.

    Users on Windows 2000, and Windows XP must have workstation rights to their local cache directory locations. To grant rights, do one of the following:

    • Grant rights to the user’s cache directory. For example, c:\programfiles\novell\securelogin\cache\v2slc\username


      (c:\users\<usersv2slc>\applicationdata on a Windows Vista machine.

      The default location is the user’s profile directory or the user’s application directory. By default, the user already has rights to this directory. However, if the user specified an alternative path during the installation, you might need to grant rights to the cache directory.

      If user selects the non-default directory to store the cache, the SecureLogin\cache is appended to the specified path.

    • During the installation, specify a path to a location that the user has rights to (for example, the user’s documents folder).