User stores are LDAP directory servers to which end users authenticate. You must specify an initial user store when creating an Identity Server configuration. You use the same procedure for setting up the initial user store, adding a user store, or modifying an existing user store.
In the Administration Console, click
> > > > .Select from the following actions:
New: To add a user store, click Section 3.1.2, Configuring the User Store.
. For configuration information, seeDelete: To delete a user store, select the user store, then click
.The user store list needs to contain at least one configured user store for the Identity Server to be functional.Modify: To modify the configuration of an existing user store, click the name of a user store. For configuration information, see Section 3.1.2, Configuring the User Store.
Click
, then update the Identity Server if you have modified the configuration.See the following sections for specific configuration tasks:
You can configure the Identity Server to search more than one user store during authentication. Figure 3-2 illustrates this type of configuration.
Figure 3-2 Multiple LDAP Directories
It is assumed that each LDAP directory contains different users. You should make sure the users have unique names across all LDAP directories. If both directories contain a user with an identical name, the name and password information discovered in the search of the first directory is always used for authentication. You specify the search order when configuring the authentication method.
When users are added to the configuration store, objects are created for Access Manager profiles. If you delete a user from the LDAP directory, orphaned objects for that user remain in the configuration store. Ensure that you also delete those objects from the configuration store. See Orphaned Objects in the Trust/Configuration Store
in the Novell Access Manager 3.1 SP2 Administration Console Guide.
If you add a secondary Administration Console and you have added replicas to the user store of the primary Administration Console, ensure that you also add the replicas to the secondary Administration Console.
All user stores that you add are included in health checks. If health problems are found, the system displays the user store on the Health page and in the trace log file.
In the Administration Console, click
> > > > .In the
list, click or the name of an existing user store.If you are creating an Identity Server configuration, this is Step 3 of the wizard.
Fill in the following fields:
Name: The name of the user store for reference.
Admin Name: The distinguished name of the admin user of the LDAP directory, or a proxy user with specific LDAP rights to perform searches. Administrator-level rights are required for setting up a user store. This ensures read/write access to all objects used by Access Manager. For more information about this user, see Section 3.1.3, Configuring an Admin User for the User Store.
Each directory type uses a slightly different format for the DN:
eDirectory: cn=admin,ou=users,o=novell
Active Directory: cn=Administrator,cn=users,dc=domeh,dc=test,dc=com
or cn=john smith,cn=users,dc=domeh,dc=test,dc=com
Sun ONE: cn=admin,cn=users,dc=novell,dc=com
Admin Password and Confirm Password: Specify the password for the admin user and confirm it.
Directory Type: The type of LDAP directory. You can select LDAP Server Plug-In.
, , or . If you have installed an LDAP server plug-in, you can select the custom type that you have configured it to use. For more information, seeIf eDirectory has been configured to use Domain Services for Windows, eDirectory behaves like Active Directory. When you configure such a directory to be a user store, its
must be set to Active Directory for proper operation.Install NMAS SAML method: (eDirectory only) Extends the schema on the eDirectory server and installs an NMAS method. This method converts the Identity Server credentials to a form understood by eDirectory. This method is required if you have installed Novell SecretStore on the eDirectory server and you are going to use that SecretStore for Access Manager secrets. If you select this option, make sure the admin you have configured for the user store has sufficient rights to extend the schema and add objects to the tree.
For additional configuration steps required to use secrets, see Section 3.1.4, Configuring a User Store for Secrets.
Enable Secret Store lock checking: (eDirectory only) Enables Access Manager to prompt users for a passphrase when secrets are locked.
If Access Manager is sharing secrets with other applications and these applications are using the security flag that locks secrets when a user’s password is reset, you need to enable this option.
If Access Manager is not sharing secrets with other applications, the secrets it is using are never locked, and you do not need enable this option.
Under
, specify the following:LDAP Operation: Specify how long in seconds a transaction can take before timing out.
Idle Connection: Specify how long in seconds before connections begin closing. If a connection has been idle for this amount of time, the system creates another connection.
To specify a server replica, click
, then fill in the following fields:For an eDirectory server, you should use a replica of the partition where the users reside. Ensure that each LDAP server in the cluster has a valid read/write replica. One option is to create a users partition (a partition that points to the OU containing the user accounts) and reference this server replica.
Name: The display name for the LDAP directory server. If your LDAP directory is replicated on multiple servers, use this name to identify a specific replica.
IP Address: The IP address of the LDAP directory server.
Port: The port of the LDAP directory server. Specify 389 for the clear text port, and 636 for the encrypted port.
Use secure LDAP connections: Specifies that the LDAP directory server requires secure (SSL) connections with the Identity Server.
This is the only configuration we recommend for the connection between the Identity Server and the LDAP server in a production environment. If you use port 389, usernames and passwords are sent in clear text on the wire.
This option must be enabled if you use this user store as a Novell SecretStore User Store Reference in the Credential Profile details. (See Section 13.3, Configuring Credential Profile Security and Display Settings.) If you have specified that this user store is a SecretStore User Store Reference, this option is enabled but not editable.
Connection limit: The maximum number of pooled simultaneous connections allowed to the replica. Valid values are between 5 and 100. How many you need depends upon the speed of your LDAP servers. If you modify the default value, monitor the change in performance. Larger numbers do not necessarily increase performance.
Click
.Click
to confirm the import.Select one of the certificates in the list.
You are prompted to choose either a server certificate or a root CA certificate. To trust one certificate, choose
. Choose to trust any certificate signed by that certificate authority.Specify an alias, then click
.Click
in the dialog box.Select the replica, then click
to test the connection between the Identity Server and the replica.The system displays the result under
. The system displays a green check mark if the connection is valid.(Optional) To add additional replicas for the same user store, repeat Step 5 through Step 11.
Adding multiple replicas adds load balancing and failover to the user store. Replicas must be exact copies of each other.
For load balancing, a hash algorithm is used to map a user to a replica. All requests on behalf of that user are sent to that replica. Users are moved from their replica to another replica only when their replica is no longer available.
Add a search context.
The search context is used to locate users in the directory when a contract is executed.
If a user exists outside of the specified search context (object, subtree, one level), the Identity Server cannot find the user, and the user cannot log in.
If the search context is too broad, the Identity Server might find more than one match, in which case the contract fails, and the user cannot log in.
For example, if you allow users to have the same username and these users exist in the specified search context, these users cannot log in if you are using a simple username and password contract. The search for users matching this contract would return more than one match. In this case, you need to create a contract that specifies additional attributes so that the search returns only one match. For more information on how to create such contracts, see Section 15.3.1, Authentication Classes and Duplicate Common Names.
IMPORTANT:For Active Directory, do not set the search context at the root level and set the scope to Subtree. This setting can cause serious performance problems. It is recommended that you set multiple search contexts, one for each top-level organizational unit.
Click
.If prompted to restart Tomcat, click
. Otherwise, update the Identity Server.The Identity Server must log in to each configured user store. It searches for users, and when a user is found, it reads the user’s attributes values. When you configure a user store, you must supply the distinguished name of the user you want the Identity Server to use for logging in. You can use the admin user of your user store, or you can create a specialized admin user for the this purpose. When creating this admin user, you need to grant the following rights:
The admin user needs rights to browse the tree, so the Identity Server can find the user who is trying to authenticate. The admin user needs browse rights to the object class that defines the users and read and compare rights to the attributes of that class. When looking for the user, the Identity Server uses the GUID and naming attributes of the user class.
The admin user needs read rights to any attributes used in policies (Role, Form Fill, Identity Injection, Authorization).
If a secret store is used in Form Fill policies, the admin user needs write rights to the attributes storing the secrets.
If a password management servlet is enabled, the admin user needs read rights to the attributes controlling grace login limits and remaining grace logins.
If you enable provisioning with the SAML or Liberty protocols, the admin user needs write rights to create users in the user store.
If you use X.509 authentication, the admin user needs write rights to update the user’s login status attributes.
If your user store is an eDirectory user store, Access Manager verifies that the admin user has sufficient rights to browse for users in the specified search contexts.
IMPORTANT:This check is not performed for Active Directory or Sun ONE. If your users cannot log in, you need to verify that you have given the admin for the user store sufficient rights to the specified search contexts.
Access Manager allows you to securely store user secrets. These secrets can then be used in Form Fill and Identity Injection policies. Where and how the secrets are stored depends upon your user store and your configuration:
Configuring the Configuration Datastore to Store the Secrets.
If you want to do minimal configuration, you can use the configuration datastore on the Administration Console to store the secrets. To increase the security of the secrets, you should configure the security options.
Configuring an LDAP Directory to Store the Secrets.
If you are willing to extend the schema and add an attribute to your user object on the LDAP directory, you can store the secrets in your LDAP directory.
Configuring an eDirectory User Store to Use SecretStore.
If your user store is eDirectory and you have installed Novell SecretStore, you can select to use the SecretStore on your eDirectory server to store the secrets.
For some troubleshooting tips, see Troubleshooting the Storing of Secrets.
When you use the configuration datastore of the Administration Console as the secret store, the nidswsfss attribute of the nidsLibertyUserProfile object is used to store the secrets.
In the Administration Console, click Edit > .
> >Click
.Scroll to the
section and configure the following security options:Encryption Password Hash Key: (Required) Specify the password that you want to use as a seed to create the encryption algorithm. To increase the security of the secrets, we recommend that you change the default password to a unique alphanumeric value.
Preferred Encryption Method: Specify the preferred encryption method. Select the method that complies with your security model:
Password Based Encryption With MD5 and DES: MD5 is an algorithm that is used to verify data integrity. Data Encryption Standard (DES) is a widely used method of data encryption that uses a private key.
DES: Data Encryption Standard (DES) is a widely used method of data encryption that uses a private key. Like other private key cryptographic methods, both the sender and the receiver must know and use the same private key.
Triple DES: A variant of DES in which data is encrypted three times with standard DES, using two different keys.
Extended Schema User Store References: Do not specify a user store reference. When this option contains no values, the configuration datastore is used to store the secrets.
Click
.On the Identity Servers page, update the Identity Server.
To use the secret store to store policy secrets, see Creating and Managing Shared Secrets
in the Novell Access Manager 3.1 SP2 Policy Guide.
When you use an LDAP directory to store the secrets, you need to enable the user store for the secrets. You select the LDAP directory, then specify an attribute. The attribute you specify is used to store an XML document that contains encrypted secret values. This attribute should be a single-valued case ignore string that you have defined and assigned to the user object in the schema.
To use an LDAP directory to store secrets, your network environment must conform to the following requirements:
The user class object must contain an attribute that can be used to store the secrets. This attribute must be a string attribute that is single valued and case ignore.
The user store must be configured to use secure connections (click
> > > > > . In the section, ensure that the is 636 and that is enabled. If they aren’t, click the name of the replica and reconfigure it.To configure the LDAP directory:
In the Administration Console, click Edit > .
> >Click
.Scroll to the
section and configure the following options:Encryption Password Hash Key: (Required) Specifies the password that you want to use as a seed to create the encryption algorithm. To increase the security of the secrets, we recommend that you change the default password to a unique alphanumeric value.
Preferred Encryption Method: Specifies the preferred encryption method. Select the method that complies with your security model:
Password Based Encryption With MD5 and DES: MD5 is an algorithm that is used to verify data integrity. Data Encryption Standard (DES) is a widely used method of data encryption that uses a private key.
DES: Data Encryption Standard (DES) is a widely used method of data encryption that uses a private key. Like other private key cryptographic methods, both the sender and the receiver must know and use the same private key.
Triple DES: A variant of DES in which data is encrypted three times with standard DES, using two different keys.
To specify where to store secret data, click
under and fill in the following:User Store: Select the user store where you want secret store enabled.
Attribute Name: Specify the LDAP attribute that you have created to store the secrets on the selected user store.
Click
twice.On the Identity Servers page, update the Identity Server.
To create policies that use the stored secrets, see Creating and Managing Shared Secrets
in the Novell Access Manager 3.1 SP2 Policy Guide.
For troubleshooting information, see Troubleshooting the Storing of Secrets.
For Access Manager to use Novell SecretStore, the user store must be eDirectory and Novell SecretStore must be installed there. When configuring this user store for secrets, Access Manager extends the eDirectory schema for an NMAS method. This method converts authentication credentials to a form understood by eDirectory. For example, Access Manager supports smart card and token authentications, and these authentication credentials must be converted into the username and password credentials that eDirectory requires. This allows the Identity Server to authenticate as that user and access the user’s secrets. Without this NMAS method, the Identity Server is denied access to the user’s secrets.
To use a remote SecretStore, your network environment must conform to the following requirements:
The eDirectory server must have Novell SecretStore installed.
When you configure a user store to use Novell SecretStore, the admin user that you have configured for the user store must have sufficient rights to extend the schema on the eDirectory server, to install the SAML NMAS method, and set up the required certificates and objects. For more information on the rights required, see Section 3.1.3, Configuring an Admin User for the User Store.
The user store must be configured to use secure connections (click
> > > > > . In the section, ensure that the is 636 and that is enabled. If they aren’t, click the name of the replica and reconfigure it.If you have enabled a firewall between the Administration Console and the user store, and between the Identity Server and the user store, make sure that both LDAP ports (389 and 636) and the NCP port (524) are opened.
If you are going to configure Access Manager to use secrets that are used by other applications, you need to plan a configuration that allows the user to unlock a locked SecretStore. See Determining a Strategy for Unlocking the SecretStore.
To configure the user store:
In the Administration Console, click Edit > Local.
> >Click the name of your user store.
Select
, then click .This installs a required NMAS method in the eDirectory schema and adds required objects to the tree.
IMPORTANT:If your eDirectory user store is running on SLES 11 64-bit operating system on x86-64 hardware, the eDirectory server is missing some support libraries that this SAML method requires. For information on installing these libraries, see TID 7006437.
Click
> .Click
.Scroll to the
section.Click
under .This adds a reference to a user store where SecretStore has been installed.
Click the user store that you configured for SecretStore.
Click
twice.On the Identity Servers page, update the Identity Server.
Continue with one of the following:
If other applications are using the secret store, you need to determine whether Access Manager users need the option to unlock the secret store. See Determining a Strategy for Unlocking the SecretStore.
To create policies that use the stored secrets, see Creating and Managing Shared Secrets
in the Novell Access Manager 3.1 SP2 Policy Guide.
For troubleshooting information, see Troubleshooting the Storing of Secrets.
When an administrator resets a user's password, secrets written to the Novell SecretStore with an enhanced security flag become locked. The Identity Server does not write the secrets that it creates with this flag, but other applications might:
If Access Manager is not sharing secrets with other applications, the secrets it is using are never locked, and you do not need to configure Access Manager to unlock secrets.
If Access Manager is sharing secrets with other applications and these application are using the security flag that locks secrets when a user’s password is reset, you need to configure Access Manager so that users can unlock their secrets.
If you want users to receive a prompt for a passphrase when secrets are locked, complete the following configuration steps:
Require all users to set up a passphrase (also called the Master Password).
Access Manager uses the SecretStore Master Password as the passphrase to unlock the secrets. If the user has not set a passphrase before the SecretStore is locked, this feature of Access Manager cannot unlock the SecretStore. If it is necessary to unlock the SecretStore by using the user’s prior password, another tool must be used. See your SecretStore documentation.
Configure the Identity Server to perform the check:
In the Administration Console, click
> > > > .Select the
option.Click
twice, then update the Identity Server.Make sure Web Services Framework is enabled:
In the Administration Console, click
> > > > .In the
section, make sure that is selected.Click
. If you made any changes, update the Identity Server.Continue with Creating and Managing Shared Secrets
in the Novell Access Manager 3.1 SP2 Policy Guide.
When the SecretStore is locked and the users log in, the users are first prompted for their login credentials, then prompted for the passphrase that is used to unlock the SecretStore.
When you use Novell SecretStore to store the secrets, the schema on the eDirectory server must be extended, and specific SAML objects and certificates must be created.
To verify that the schema was extended and the objects were created on the eDirectory server:
Open an LDAP browser and connect to the eDirectory server.
Browse to the Security container.
Look for objects similar to the following:
If the schema has been extended correctly, you can find a SAML Assertion object in the Authorized Login Methods container. The SAML_Assertion object contains an alphanumeric generated name for a SAML affiliate object. This object has four attributes.
The SAML affiliate object name is used to generate another container in the Security container. This new container is the <AffiliateObjectName> Trusted Root container that contains public key signing certificate.
Complete one of the following:
If these objects do not exist, verify the following, then continue with Step 5:
The admin user for the user store has sufficient rights to extend the schema and add these objects to the Security container.
Any configured firewalls must allow NCP and LDAP traffic for the Administration Console, the Identity Server, and the LDAP user store.
(Linux) Verify that you have installed the required packages. See Administration Console Requirements
in the Novell Access Manager 3.1 SP2 Installation Guide.
If the objects exist, check for time synchronization problems. For more information, see Users Are Receiving Invalid Credential Messages.
In the Administration Console, modify the secret store configuration so that it is resent to the user store:
Click Edit > > .
> >In the
section, remove the user store, then add it again.Click
.On the Identity Servers page, update the Identity Server.
The <SAML_Affiliate_Object>.SAML-Assertion.AuthorizedLoginMethods.Security object contains two attributes that determine how long credentials are valid. If your Identity Server and eDirectory server are not time synchronized, the credentials can become invalid before a user has time to use them.
Either make sure that the time of your Identity Server and eDirectory server are synchronized, or increase the value of the authsamlValidAfter and authsamlValidBefore attributes of the SAML affiliate object.
Open an LDAP browser and connect to the eDirectory server.
Browse to the user object.
Verify that the user object contains the LDAP attribute that you have specified as the attribute to store the secrets.
If the attribute exists, browse to the schema and verify that the attribute has the following characteristics:
Single valued
Case ignore
String