Advanced X509 Login Method for NMAS 3.x

Installing and Using Advanced X509
Installing and Configuring the Login Method for Advanced X509
Prerequisites
Steps
Setting Up the Hardware
Installing the Login Method for Advanced X509
Setting Up the Login Method in eDirectory
Installing the Advanced X509 Client Module on Each Workstation
Configuring the Login Method for Advanced X509
General Method Configuration
User Object Configuration
Create a Login Sequence
Authorize Login Sequences for Users


Installing and Using Advanced X509

The Advanced X509 login method for NMAS™ enables you to authenticate to eDirectory using a trusted root certificate to verify the subject name and/or alternate subject name in a user certificate. This is similar to other login methods provided for use with NMAS.


Installing and Configuring the Login Method for Advanced X509

Information for installing and configuring the login method is provided here. For additional information, including how to create and authorize login sequences, see the NMAS Administration Guide at the Novell Documentation Web site.


Prerequisites

You must meet the following prerequisites before installing Advanced X509:

  • NMAS Client 2.7 (ships with Novell Client for Windows version 4.9) or later
  • NMAS 2.3.x or later


Steps

As with all login methods, you must complete the following steps to make the login method available for use:

  1. Set up any required hardware.

  2. Install the login method.

  3. Configure the login method.

  4. Create a login sequence.

  5. Authorize login sequences for users.


Setting Up the Hardware

The Advanced X509 login method does not require any additional hardware.


Installing the Login Method for Advanced X509

There are two steps in installing and setting up the login method for Advanced X509:

  1. Set up the login method in Novell eDirectory™.
  2. Install the Advanced X509 client module on each workstation.


Setting Up the Login Method in eDirectory

There are three ways to set up the login method in eDirectory.

  • The Login Method Installer (Windows)

    The login method installer (methodinstaller.exe) is a stand-alone utility that installs login methods into eDirectory.

  • nmasinst utility (UNIX)

    The nmasinst utility allows you to install login methods into eDirectory from a UNIX machine. The nmasinst utility is located in the \USR\BIN\NMASINST directory.

    For information on setting up a login method using the login method installer or the nmasinst utility, see the NMAS Administration Guide.

  • ConsoleOne (Windows)

IMPORTANT:  Run ConsoleOne® from a Windows* client workstation by using the ConsoleOne executable located on the server at server:SYS\PUBLIC\MGMT\CONSOLEONE\1.2\BIN\CONSOLEONE.EXE.

  1. In ConsoleOne, expand the Security container.

  2. Right-click the Authorized Login Methods container.

  3. Select New > Object.

  4. The New Object Wizard starts.

  5. Select the SAS:NMAS Login Method class > click OK.

  6. Specify the configuration file > click Next.

    The configuration file is located in the login method folder and is usually named CONFIG.TXT.

  7. From the license agreement screen, click Accept > Next.

  8. Accept the default method name or rename it > click Next.

  9. Review the available modules for this method > click Next.

  10. If you want a login sequence to only use this login method, check the appropriate check box > click Finish.

  11. Review the installation summary > click OK.

  12. If necessary, close and restart ConsoleOne to run the newly installed ConsoleOne login method snapins. You can then configure the login method and enroll users to use it.


Installing the Advanced X509 Client Module on Each Workstation

The client module must be installed on each workstation that will use the Advanced X509 login method.

To install the client module, run clientsetup.exe in the advx509\client directory on each workstation that will use the login method. Follow the instructions of the installation wizard.


Configuring the Login Method for Advanced X509

After the login method for Advanced X509 is installed, you can manage it using ConsoleOne.

To configure this login method, you will need to do two levels of configuration:

  • General Method configuration
  • User Object configuration


General Method Configuration

  1. In ConsoleOne, expand the Security container.

  2. Right-click the Organizational CA > Properties > Certificates > Self Signed Certificate > Export.

    This opens the Export wizard. Follow the instructions of the wizard to export the Organizational CA's self-signed certificate.

    NOTE:  Do not export the private key. Also, export the certificate in DER format.

  3. Create a new trusted root container under the Security container by right-clicking the Security container and selecting New > Object.

    The New Object Wizard starts.

  4. Select the NDSPKI:Trusted Root class and click OK.

  5. Enter a name for the trusted root container and click OK.

  6. Create a trusted root object in the trusted root container by right-clicking the trusted root container and selecting New > Object.

    The New Object Wizard starts.

  7. Select the NDSPKI:Trusted Root Object class and click OK.

  8. Enter a name for the trusted root object and click OK.

  9. Browse for the Organizational CA's self-signed certificate you exported in Step 2, select it, and click Finish.

  10. Expand the Authorized Login Methods container, right-click the X509 Advanced Certificate object, and click Properties > Certificate tab.

  11. Add the new trusted root container as a Certificate Search container by clicking Add. Browse for the trusted root container, select it, and click OK > OK.


User Object Configuration

  1. Double-click a User object.

  2. Click the Security tab > Certificates.

  3. Create a User certificate.

  4. Click Export and select the User certificate.

    IMPORTANT:  Make sure you check the box to export the certificate's private key.

  5. Double-click the User object again.

  6. Click the Security tab > Certificate Subject Names.

  7. Click Add and type in either the User object's subject name or an alternate subject name, such as the e-mail ID. Click OK.
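The two configuration procedures above (the DER export of the Organizational CA's self-signed certificate into a trusted root, and the name entered under Certificate Subject Names on the User object) can be sanity-checked offline with openssl before users are enrolled. The following is an added example, not from the Novell documentation; the organization, user name and e-mail address are constructed, and it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example, not part of the Novell documentation: uses openssl to build a
# constructed Organizational CA plus a user certificate, exports the CA as DER
# with no private key (the General Method Configuration note), and then runs
# the two checks the Advanced X509 method depends on: the user certificate
# chains to the trusted root, and the name entered under Certificate Subject
# Names (here an e-mail alternate subject name) is really in that certificate.
set -e
WORK=$(mktemp -d)

# Constructed CA (self-signed) and its DER export without the private key.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -keyout "$WORK/ca.key" \
  -out "$WORK/ca.pem" -subj "/O=ExampleOrg/CN=Organizational CA" 2>/dev/null
openssl x509 -in "$WORK/ca.pem" -outform DER -out "$WORK/ca.der"

# Constructed user certificate signed by the CA, with an e-mail SAN.
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/user.key" \
  -out "$WORK/user.csr" -subj "/O=ExampleOrg/CN=jsmith" 2>/dev/null
printf 'subjectAltName=email:jsmith@example.com\n' > "$WORK/user.ext"
openssl x509 -req -days 30 -in "$WORK/user.csr" -CA "$WORK/ca.pem" \
  -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/user.ext" \
  -out "$WORK/user.pem" 2>/dev/null

# Prints "public-only" if the DER root export parses as a certificate, not a key.
root_export_ok() {   # $1 = DER file
  if openssl x509 -inform DER -in "$1" -noout 2>/dev/null &&
     ! openssl pkey -inform DER -in "$1" -noout 2>/dev/null; then
    echo "public-only"
  else
    echo "unexpected"
  fi
}

# Prints "match" when $2 (user cert, PEM) chains to $1 (DER trusted root) and
# contains the expected name $3 (substring search over the printed certificate).
check_user_cert() {
  openssl x509 -inform DER -in "$1" -out "$1.pem"
  if ! openssl verify -CAfile "$1.pem" "$2" >/dev/null 2>&1; then
    echo "no-match"; return 0
  fi
  case "$(openssl x509 -in "$2" -noout -text)" in
    *"$3"*) echo "match" ;;
    *)      echo "no-match" ;;
  esac
}

root_export_ok "$WORK/ca.der"
check_user_cert "$WORK/ca.der" "$WORK/user.pem" "jsmith@example.com"
check_user_cert "$WORK/ca.der" "$WORK/user.pem" "nobody@example.com"
```

A "no-match" for a name you intend to enter under Certificate Subject Names means the login would fail for that user; fix the certificate or the entered name before enrolling.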


Create a Login Sequence

See Chapter 2 of the NMAS Administration Guide for information on creating a login sequence.


Authorize Login Sequences for Users

See Chapter 2 of the NMAS Administration Guide for information on authorizing a login sequence for users.