Novell Single Sign-On
Articles and Tips: article
01 Jan 2000
To people who are not directly involved with managing a network, password administration may seem like a simple task. As a network administrator, however, you know better. In an effort to protect sensitive data, many companies are deploying applications that require users to provide passwords or other credentials (such as smart cards, X.509 certificates, or tokens) to access certain network resources or applications. As a result, password administration is an enormous task--one that consumes hours of your time.
In addition, users become frustrated when they must remember multiple passwords to access applications. Consequently, many users resort to the famous "sticky-note" method of remembering passwords: Because these users write their passwords on sticky notes, the tighter security your IS group was trying to achieve proves to be a hacker's paradise.
In July 1999, Novell began shipping Novell Single Sign-on, a new Novell Directory Services (NDS) solution that enables authenticated NDS users to run secure applications without having to authenticate to each application. Novell Single Sign-on eliminates the need for users to remember and enter multiple passwords and reduces the costly and time-consuming task of password administration. You can purchase Novell Single Sign-on for U.S. $49 per user. (There is no server charge.)
AT LAST, TRUE SINGLE SIGN-ON
Since the introduction of NDS, network administrators and users alike have enjoyed single sign-on to the network--one username and password gives users access to all authorized network resources. Products such as NDS for NT, NDS for Solaris, and now NDS Corporate Edition have extended this single sign-on across multiple platforms including Windows NT, Solaris, Linux, and OS/390. (For more information about NDS Corporate Edition, see the related story.)
With Novell Single Sign-on, users have the added convenience of single sign-on to network applications across multiple platforms. In other words, the username and password that users enter to access the network also authenticates them to secure applications, regardless of the platform the applications run on.
The Novell Single Sign-on 1.0 CD includes support for Lotus Notes and Entrust Entelligence applications. You can download support for the following applications free of charge from Novell's web site (http://www.novell.com/products/sso):
Vantive 6, 7, and 8
Novell Client for Windows NT 4.60
Novell SQL Integrator 1.0
PeopleSoft 7.x
GroupWise 5.5 Enhancement Pack
To help Independent Software Vendors (ISVs) and inhouse developers integrate their applications with Novell Single Sign-on, Novell is providing a free software developer kit (SDK). (For more information about the SDK, see "Support for Custom Applications.")
HOW NOVELL SINGLE SIGN-ON WORKS
How does Novell Single Sign-on work? It is actually quite simple: The client components of Novell Single Sign-on extend an application's authentication services to use "secrets" stored in NDS to authenticate users, rather than prompting users to enter their username and password. On the server side, Novell Single Sign-on uses Novell's SecretStore technology to store these secrets in NDS. This SecretStore technology allows you to encrypt and store secrets such as passwords, X.509 certificates, tokens, and biometric information in NDS for applications to use.
A Secure Solution
Novell has taken several measures to ensure that Novell Single Sign-on does not compromise the security of your company's network. First, Novell Single Sign-on leverages both NDS security and Novell International Cryptographic Infrastructure (NICI) to store, access, and retrieve user secrets securely. NICI is a modular infrastructure of network cryptographic services, which are included in NetWare 5 and above. Because NICI complies with international import and export restrictions, it can provide the strongest cryptographic algorithm legally allowed in any country. (For more information about NICI, see http://www.nwconnection.com/past.)
Novell Single Sign-on uses NICI to encrypt a user's secrets and then saves these secrets in the SecretStore, an encrypted, hidden NDS attribute of the User object. When an application retrieves a secret from NDS, Novell Single Sign-on sends the encrypted secret over the wire and then decrypts the secret at the workstation. After the user is authenticated to the application, Novell Single Sign-on immediately destroys and removes the secret from the workstation's memory.
Novell Single Sign-on also ensures the confidentiality and integrity of the data stored in each user's SecretStore. To maintain this confidentiality and integrity, Novell Single Sign-on gives you, the network administrator, access to a user's SecretStore in NDS but does not allow you to access the information itself. After a user stores a secret in NDS, only that user (as long as the user has been authenticated to NDS) has access to the information in his or her SecretStore.
Novell Single Sign-on also includes an optional feature called Enhanced Protection, which locks users' secrets against any NDS password changes. To enable Enhanced Protection on their SecretStore, users simply check the Enhanced Protection box in their SecretStore property page in ConsoleOne.
To understand how Enhanced Protection works, suppose a network administrator (or an unauthorized person who has obtained administrative access) changed a user's NDS password, logged in as that user, and then tried to view the user's secret or to obtain a single login to an application. If the user has enabled Enhanced Protection, SecretStore would require the unauthorized user to enter the old NDS password rather than the new password before the application grants that user access.
A user can unlock the secret only with the last valid password that was entered before the password change occurred. This security prevents unauthorized users from changing a user's NDS password multiple times in an attempt to gain unauthorized access to an application or to data contained in a user's SecretStore.
If Enhanced Protection is not enabled and a user's NDS password is changed, Novell Single Sign-on automatically encrypts and stores the new password in the user's SecretStore as the new secret.
INSTALLATION REQUIREMENTS
To use Novell Single Sign-on, you will need a NetWare 5 server that meets the following requirements:
NetWare 5 Support Pack 1 or later must be installed on the server. (You can download NetWare support packs from http://support.novell.com/misc/patlst.htm#nw.)
If the server is running NDS 8, it must be version 8.12 or later. (You can download the latest version of NDS from http://www.novell.com/download.)
The server must be running NICI 1.3 or above configured with the Domestic or Worldwide cryptographic engine. (You can download the latest version of NICI from http://www.novell.com/products/cryptography.)
To manage and use Novell Single Sign-on, you need ConsoleOne 1.2 or above. When you install Novell Single Sign-on, the installation program gives you the option of installing ConsoleOne 1.2 (which is included with Novell Single Sign-on).
Novell Single Sign-on includes client components. Before installing these client components, you must ensure that workstations are running the following Novell client software. (You can download the latest client software from http://www.novell.com/download.)
Windows 98 and 95 workstations need Novell Client for Windows 95/98 3.0 or above.
Windows NT workstations need Novell Client for Windows NT 4.5 or above.
Installing the Server Component
When you install the Novell Single Sign-on server component, the installation process extends the NDS schema and adds new attributes. Because the installation program extends the schema, you must log in to the NDS tree as the ADMIN user or a user with write access to the [Root] of the NDS tree before you run the installation program.
To install Novell Single Sign-on, you run the NWCONFIG utility, select Product Options, and then select Install a Product Not Listed. You are then prompted to enter the directory path to the location of the Novell Single Sign-on files. Press the F3 key, and enter the appropriate directory path. (If you are installing Novell Single Sign-on through an RCONSOLE session on a workstation, press the F4 key, and specify the directory path.)
Next, the installation program prompts you to specify the files you want to install. Choose Novell SecretStore and ConsoleOne 1.2. (If you have already installed ConsoleOne 1.2, Novell recommends that you reinstall it for use with Novell Single Sign-on.) When you press the F10 key to continue, the installation program begins to copy the files to the server.
During the file-copy process, the installation program verifies that NetWare 5 Support Pack 1 or above and NICI 1.3 or above are installed on the server. If they have not been installed, the installation process will stop. You will be prompted to install the support pack and NICI on the server before restarting the Novell Single Sign-on installation.
After the files are copied to the server, the installation program extends your company's NDS schema to support SecretStore and installs the tree key that SecretStore uses. (A tree key is the private key generated by NICI for SecretStore to use in the NDS tree.) After SecretStore is installed, the ConsoleOne 1.2 installation automatically begins (if you specified that ConsoleOne 1.2 should be installed). When both Novell Single Sign-on and ConsoleOne 1.2 are installed, you must restart the server.
Installing the Client Components
The client components included on the Novell Single Sign-on 1.0 CD update the Lotus Notes and Entrust Entelligence client software to use Novell Single Sign-on. You must install the client software for these products before you install the Novell Single Sign-on client components. (The Novell Single Sign-on client components cannot update the client software for these products if this software is not installed.)
The Novell Single Sign-on client components are contained in a self-extracting executable file called SSCLIENT.EXE. When you install the Novell Single Sign-on server component, the installation program copies the SSCLIENT.EXE file to the SYS:PUBLIC\WIN32 subdirectory. When you run this file from a workstation, an Install Wizard is automatically launched. The Install Wizard walks you through the installation.
To install the client components of other supported applications (such as PeopleSoft and Vantive), you must download the appropriate file from Novell's web site. The installation process for each application varies slightly, but all are very straightforward.
Using ZENworks to Save Time
If you need to install the Novell Single Sign-on client components on multiple workstations, you can save significant time by using Novell's ZENworks to distribute the components automatically. To make it easy for you to use ZENworks to distribute these client components, Novell included ZENworks Application Object Templates (AOTs) for each of the supported applications on the Novell Single Sign-on 1.0 CD.
You can use these AOTs when you create the ZENworks Application objects to mass distribute the Novell Single Sign-on client components for the supported applications. The AOTs and the related distribution files are located in the ZENworks directory on the Novell Single Sign-on 1.0 CD. The ZENworks directory contains subdirectories for the various versions of the Lotus Notes and Entrust Entelligence applications that are supported.
Setting your Primary Tree
If your company's network includes multiple NDS trees, you must set one tree as the user's primary tree in order for Novell Single Sign-on to work properly with applications that support it. The primary tree is the NDS tree that contains a user's NDS User object.
To set a primary tree, you right-click the Network Neighborhood icon on the user's Windows desktop and choose NetWare Connections. You then highlight the desired NDS tree and click Set Primary. (To save time, you can also use ZENworks to modify this parameter on multiple workstations.)
Testing Your Installation
If you want to perform a test to ensure that Novell Single Sign-on was installed correctly, you can use the SSOTEST.EXE file. The installation program automatically copies this file to the directory in which you installed the Novell Single Sign-on client components. If you did not change the default installation directory, the SSOTEST.EXE file is located in the C:\NOVELL\SSO directory.
When you run the SSOTEST.EXE file, it stores a secret in NDS and then gives you the option to remove this secret. If both operations are successful, Novell Single Sign-on will work properly in a production environment.
THE FIRST LOGIN
After you install the Novell Single Sign-on server component and the client components, both you and users can begin enjoying the benefits of single sign-on. The first time a user launches a single sign-on application, this application's client software queries NDS to see if the user has been authenticated to NDS. If the user has not been authenticated to NDS, the application prompts the user for a username and password. If the user has been authenticated to NDS, the client software asks NDS for the user's secret.
Because this is the first time the user has logged in since you installed Novell Single Sign-on, the user's SecretStore is empty. Since NDS is unable to provide the secret, the application prompts the user to enter his or her username and password. After the user enters his or her password, NDS encrypts the password using NICI and sends it to the user's SecretStore.
Now that the user has populated his or her SecretStore with the password, the next time the user launches the application, NDS automatically provides the secret to the application. The application's login dialog box doesn't appear again.
CONCLUSION
Novell Single Sign-on is another product that demonstrates the power of NDS. One username and password can now give users access to all network resources and network applications, across multiple platforms. Although only a small number of applications now support Novell Single Sign-on, Novell is working with several ISVs to develop integration components for a wide range of applications--everything from web-based to mainframe-based applications.
Novell has also provided a free SDK to enable developers to write integration components: According to Novell, developing the Novell Single Sign-on component for Lotus Notes--from start to finish, including testing--took one engineer just one week.
For U.S. $49 per user and a free SDK, Novell Single Sign-on is a must for any company that spends too much time and too much money managing passwords.
Sandy Stevens is a freelance writer based in San Diego. She is coauthor of Novell's Guide to Integrating NetWare 5 and NT, Novell's Guide to NetWare Printing, and Novell's Guide to BorderManager.
* Originally published in Novell Connection Magazine
Disclaimer
The origin of this information may be internal or external to Novell. While Novell makes all reasonable efforts to verify this information, Novell does not make explicit or implied claims to its validity.