The Advanced X509 login method for NMAS™ enables you to authenticate to eDirectory using a trusted root certificate to verify the subject name and/or alternate subject name in a user certificate. This is similar to other login methods provided for use with NMAS.
Information for installing and configuring the login method is provided here. For additional information, including how to create and authorize login sequences, see the NMAS Administration Guide at the Novell Documentation Web site.
You must meet the following prerequisites before installing Advanced X509:
As with all login methods, you must complete the following steps to make the login method available for use:
There are two steps in installing and setting up the login method for Advanced X509:
There are three ways to set up the login method in eDirectory.
The login method installer (methodinstaller.exe) is a stand-alone utility that installs login methods into eDirectory.
The nmasinst utility allows you to install login methods into eDirectory from a UNIX machine. The nmasinst utility is located in the \USR\BIN\NMASINST directory.
For information on setting up a login method using the login method installer or the nmasinst utility, see the NMAS Administration Guide.
IMPORTANT: Run ConsoleOne® from a Windows* client workstation by using the ConsoleOne executable located on the server at server:SYS\PUBLIC\MGMT\CONSOLEONE\1.2\BIN\CONSOLEONE.EXE.
In ConsoleOne, expand the Security container.
Right-click the Authorized Login Methods container.
Select New > Object.
The New Object Wizard starts.
Select the SAS:NMAS Login Method class > click OK.
Specify the configuration file > click Next.
The configuration file is located in the login method folder and is usually named CONFIG.TXT.
From the license agreement screen, click Accept > Next.
Accept the default method name or rename it > click Next.
Review the available modules for this method > click Next.
If you want a login sequence to only use this login method, check the appropriate check box > click Finish.
Review the installation summary > click OK.
If necessary, close and restart ConsoleOne to run the newly installed ConsoleOne login method snap-ins. You can then configure the login method and enroll users to use it.
The client module must be installed on each workstation that will use the Advanced X509 login method.
To install the client module, run clientsetup.exe in the advx509\client directory on each workstation that will use the login method. Follow the instructions of the installation wizard.
After the login method for Advanced X509 is installed, you can manage it using ConsoleOne.
To configure this login method, you will need to do two levels of configuration:
In ConsoleOne, expand the Security container.
Right-click the Organizational CA > Properties > Certificates > Self Signed Certificate > Export.
This opens the Export wizard. Follow the instructions of the wizard to export the Organizational CA's self-signed certificate.
NOTE: Do not export the private key. Also, export the certificate in DER format.
Create a new trusted root container under the Security container by right-clicking the Security container and selecting New > Object.
The New Object Wizard starts.
Select the NDSPKI:Trusted Root class and click OK.
Enter a name for the trusted root container and click OK.
Create a trusted root object in the trusted root container by right-clicking the trusted root container and selecting New > Object.
The New Object Wizard starts.
Select the NDSPKI:Trusted Root Object class and click OK.
Enter a name for the trusted root object and click OK.
Browse for the Organizational CA's self-signed certificate you exported in step 2, select it, and click Finish.
Expand the Authorized Login Method, right-click the X509 Advanced Certificate object, and click Properties > Certificate tab.
Add the new trusted root container as a Certificate Search container by clicking Add. Browse for the trusted root container, select it, and click OK > OK.
Double-click a User object.
Click the Security tab > Certificates.
Create a User certificate.
Click Export and select the User certificate.
IMPORTANT: Make sure you check the box to export the certificate's private key.
Double-click the User object again.
Click the Security tab > Certificate Subject Names.
Click Add and type in either the User object's subject name or an alternate subject name, such as the e-mail ID. Click OK.
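The two configuration levels above (a trusted root holding the Organizational CA's self-signed certificate, and a Certificate Subject Names list on each User object) together define what the login method accepts. The following added example is not part of this documentation or of the NMAS product; it models that acceptance check in Python with the third-party `cryptography` package. The Organizational CA, the user certificate, the e-mail ID and the enrolled names are all constructed in the script, and the function names (`verify_user_certificate`, `is_certificate_only`, and so on) are this example's own. It also checks the rule from the NOTE above: the exported trusted root must be a certificate only, with no private key.

```python
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _utcnow():
    # Naive UTC, to match the naive datetimes cryptography's x509 objects return.
    return datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)


def _cn(common_name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])


def _build_cert(subject, issuer, public_key, signing_key, days, extension, critical):
    now = _utcnow()
    return (
        x509.CertificateBuilder()
        .subject_name(subject).issuer_name(issuer).public_key(public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=days))
        .add_extension(extension, critical=critical)
        .sign(signing_key, hashes.SHA256())
    )


def make_self_signed_ca(common_name):
    """Constructed stand-in for the Organizational CA: (private key, self-signed cert)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = _build_cert(_cn(common_name), _cn(common_name), key.public_key(), key, 365,
                       x509.BasicConstraints(ca=True, path_length=None), True)
    return key, cert


def issue_user_certificate(ca_key, ca_cert, common_name, email):
    """Constructed user certificate: subject CN plus an rfc822Name alternate subject name."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = _build_cert(_cn(common_name), ca_cert.subject, key.public_key(), ca_key, 30,
                       x509.SubjectAlternativeName([x509.RFC822Name(email)]), False)
    return key, cert


def export_certificate_der(cert):
    """DER-encode the public certificate only; no private key is ever serialized here."""
    return cert.public_bytes(serialization.Encoding.DER)


def is_certificate_only(der_bytes):
    """True if the DER blob is a certificate and not a private key (the export rule)."""
    try:
        serialization.load_der_private_key(der_bytes, password=None)
        return False
    except (ValueError, TypeError):
        pass
    try:
        x509.load_der_x509_certificate(der_bytes)
        return True
    except ValueError:
        return False


def verify_user_certificate(user_cert_der, trusted_root_der, enrolled_names):
    """Model of the login method's check; returns (accepted, reason).
    enrolled_names is the user's Certificate Subject Names list: RFC 4514 subject
    names such as "CN=alice" and/or alternate names such as an e-mail ID."""
    root = x509.load_der_x509_certificate(trusted_root_der)
    user = x509.load_der_x509_certificate(user_cert_der)
    if root.subject != root.issuer:
        return False, "trusted root is not self-signed"
    if user.issuer != root.subject:
        return False, "issuer does not match the trusted root"
    try:  # the binding that matters: the signature must verify under the root's key
        root.public_key().verify(user.signature, user.tbs_certificate_bytes,
                                 padding.PKCS1v15(), user.signature_hash_algorithm)
    except InvalidSignature:
        return False, "signature was not made by the trusted root"
    if not user.not_valid_before <= _utcnow() <= user.not_valid_after:
        return False, "certificate outside its validity period"
    # Names the certificate presents: the subject name plus any rfc822Name SANs.
    presented = {user.subject.rfc4514_string()}
    try:
        san = user.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        presented.update(san.get_values_for_type(x509.RFC822Name))
    except x509.ExtensionNotFound:
        pass
    matched = presented.intersection(enrolled_names)
    if not matched:
        return False, "no presented name is enrolled for this user"
    return True, "matched " + sorted(matched)[0]


def demo():
    """Happy path plus two refusals; returns the three (accepted, reason) pairs."""
    ca_key, ca_cert = make_self_signed_ca("Organizational CA (constructed)")
    root_der = export_certificate_der(ca_cert)
    _, alice = issue_user_certificate(ca_key, ca_cert, "alice", "alice@example.test")
    # A second CA with the *same* name but a different key: not in the search container.
    rogue_key, rogue_ca = make_self_signed_ca("Organizational CA (constructed)")
    _, impostor = issue_user_certificate(rogue_key, rogue_ca, "alice", "alice@example.test")
    return (
        verify_user_certificate(export_certificate_der(alice), root_der, {"alice@example.test"}),
        verify_user_certificate(export_certificate_der(impostor), root_der, {"alice@example.test"}),
        verify_user_certificate(export_certificate_der(alice), root_der, {"CN=bob"}),
    )
```

The second refusal in `demo()` is the point of the trusted root object: a certificate whose issuer name merely matches the Organizational CA is not accepted unless its signature verifies under the key in the trusted root, and the third shows that a correctly signed certificate is still refused when neither its subject name nor its alternate subject name appears in the user's Certificate Subject Names list.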