Configuring an eDirectory User Store to Use SecretStore

If your user store is eDirectory and you have installed Novell SecretStore, you can choose to use the SecretStore on your eDirectory server to store the secrets. This differs from the schema extension method as Novell SecretStore can also be accessed and managed by NetIQ SecureLogin. This allows secrets to be shared with SecureLogin to provide a thick client single sign-on while Access Manager can provide a web single sign-on experience without credential collisions.

For Access Manager to use Novell SecretStore, the user store must be eDirectory and Novell SecretStore must be installed there. When configuring this user store for secrets, Access Manager extends the eDirectory schema for an NMAS method. This method converts authentication credentials to a form understood by eDirectory. For example, Access Manager supports smart card and token authentications, and these authentication credentials must be converted into the username and password credentials that eDirectory requires. This allows Identity Server to authenticate as that user and access the user’s secrets. Without this NMAS method, Identity Server is denied access to the user’s secrets.

To use a remote SecretStore, your network environment must meet the following requirements:

  • The eDirectory server must have Novell SecretStore installed.

  • When you configure a user store to use Novell SecretStore, the admin user that you have configured for the user store must have sufficient rights to extend the schema on the eDirectory server, to install the SAML NMAS method, and set up the required certificates and objects. For more information about the rights required, see Configuring an Admin User for the User Store.

  • The user store must be configured to use secure connections (click Access Manager > Identity Servers > Edit > Local > User Stores > [User Store Name]). In Server replicas, ensure that the Port is 636 and that Use SSL is enabled. If not, click the name of the replica and reconfigure it.

    NOTE: While configuring new replicas for the same user store, Use secure LDAP connections is selected by default and the default port is 636. Use secure LDAP connections is non-editable.

  • If you have enabled a firewall between Administration Console and user store, and between Identity Server and user store, ensure that both LDAP ports (389 and 636) and NCP port (524) are opened.

  • To configure Access Manager to use secrets that are used by other applications, plan a configuration to allow users to unlock a locked SecretStore. See Determining a Strategy for Unlocking SecretStore.
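Before working through the requirements above, it is worth confirming from the Administration Console and Identity Server hosts that the firewall actually passes LDAP (389), LDAPS (636) and NCP (524) to the eDirectory replica, and that port 636 really answers with TLS rather than plain LDAP. The following pre-flight script is an added example, not part of the NetIQ documentation or the product; the replica host name, CA file path and timeout are assumptions you replace with your own values.

```python
import socket
import ssl

# Ports the documentation requires to be open between Administration Console /
# Identity Server and the eDirectory user store.
REQUIRED_PORTS = {"ldap": 389, "ldaps": 636, "ncp": 524}

def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def ldaps_handshake_ok(host, port=636, cafile=None, timeout=3.0):
    """True if host:port completes a TLS handshake whose certificate
    validates against cafile (or the system trust store if None)."""
    try:
        ctx = ssl.create_default_context(cafile=cafile)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # wrap_socket performs the handshake on an already-connected socket
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except OSError:  # ssl.SSLError is a subclass of OSError
        return False

def preflight(host, cafile=None, timeout=3.0):
    """Run every check and return a dict of check name -> bool."""
    results = {name: tcp_reachable(host, port, timeout)
               for name, port in REQUIRED_PORTS.items()}
    # Port 636 being open is not enough: "Use SSL" needs a real TLS
    # listener with a certificate the Identity Server trusts.
    results["ldaps_tls"] = results["ldaps"] and ldaps_handshake_ok(
        host, REQUIRED_PORTS["ldaps"], cafile, timeout)
    return results

def report(host, cafile=None):
    """Print one line per check; return True only if all checks pass."""
    results = preflight(host, cafile)
    for name, ok in results.items():
        print(f"{name:10s} {'OK' if ok else 'FAIL'}")
    return all(results.values())

if __name__ == "__main__":
    # Hypothetical replica host and CA file (assumptions, not page values).
    report("edir.example.com", cafile="/path/to/edir-ca.pem")
```

Run it once from each host that must reach the user store; a FAIL on ldaps_tls with ldaps OK usually means the replica is still listening in clear text on 636 or presents a certificate the caller does not trust.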

To configure the user store:

  1. Click Devices > Identity Servers > Edit > Local.

  2. Click the name of your user store.

  3. Select Install NMAS SAML method, then click OK.

    This installs a required NMAS method in the eDirectory schema and adds required objects to the tree.

    IMPORTANT: If your eDirectory user store is running on the SLES 11 SP1 64-bit operating system (or a later version), the eDirectory server is missing some support libraries that this SAML method requires. For information about installing these libraries, see TID 7006437.

  4. Click Liberty > Web Service Providers.

  5. Click Credential Profile.

  6. Scroll to the Remote Storage of Secrets section.

  7. Click New under Novell Secret Store User Store References. This adds a reference to a user store where SecretStore has been installed.

  8. Click the user store that you configured for SecretStore.

  9. Click OK > OK.

  10. Update Identity Server.

  11. Continue with one of the following:

Determining a Strategy for Unlocking SecretStore

When an administrator resets a user's password, secrets written to SecretStore with an enhanced security flag become locked. Identity Server does not set this flag on the secrets it creates, but other applications might:

  • If Access Manager is not sharing secrets with other applications, the secrets it is using are never locked, and you do not need to configure Access Manager to unlock secrets.

  • If Access Manager is sharing secrets with other applications and these applications are using the security flag that locks secrets when a user’s password is reset, configure Access Manager so that users can unlock their secrets.

For users to receive a prompt for a passphrase when secrets are locked, perform the following steps:

  1. Require all users to set up a passphrase (also called the Master Password).

    Access Manager uses the SecretStore Master Password as the passphrase to unlock the secrets. If the user has not set a passphrase before SecretStore is locked, this feature of Access Manager cannot unlock SecretStore. If it is necessary to unlock SecretStore by using the user’s prior password, another tool must be used. See the SecretStore documentation.

  2. Configure Identity Server to perform the check:

    1. Click Devices > Identity Servers > Edit > Local > [User Store Name].

    2. Select the Enable Secret Store lock checking option.

    3. Click OK > OK, then update Identity Server.

  3. Ensure that Web Services Framework is enabled:

    1. Click Devices > Identity Servers > Edit > Liberty > Web Services Framework.

    2. In the Framework General Settings section, ensure that Enable Framework is selected.

    3. Click OK. If you made any changes, update Identity Server.

  4. Continue with Section 6.5.4, Creating and Managing Shared Secrets.

When SecretStore is locked and users log in, users are first prompted for their login credentials, then prompted for the passphrase that is used to unlock SecretStore.