Finding Form Fill Secret Store Details in Access Manager



By: ncashell

December 5, 2007 3:17 am


Problem

You need to identify the location where the Form Fill Secret Store details are stored, and what the value of the Secret Store entry itself is.

Solution

For those of you familiar with iChain, the Form Fill Secret Store attribute values were stored as attributes of the iChainFormfillCrib user attribute. For Access Manager, these details are no longer stored as an attribute of the user object but are stored directly within the Admin Console configuration store, within the user's attribute profile object.

There are two ways to find the details:

Method 1: Go to the user object in the user store and get the GUID of that object. That GUID is used as the name of that user’s attribute profile object. The GUIDs are long, “ugly” numbers in eDirectory.

To see the GUID in ConsoleOne:

1. Go to the Other tab of the User object.

2. Click the Show Read Only checkbox. The GUID is the attribute named ‘Globally Unique Identifier’.

3. Write down the number.

Method 2: Use an LDAP browser. Browse to the configuration store on the Admin Console (secure LDAP connection required). Locate the attribute profile objects located in the directory under the following path:

accessManagerContainer > nids > cluster > SCC* > LibertyUserProfiles*

When multiple SCC* entries exist, you need to locate the one where the nidsBaseURL matches that of the Novell Identity Provider baseURL you are accessing via the Access Gateway. To do this:

1. Look for the nidsGUID attribute.

2. Find the one matching the value for the ‘Globally Unique Identifier’ above.

3. Look at the nidsWsfSS attribute of that object.

4. If you want to delete the SecretStore entry for that user, simply delete this attribute.
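The Method 2 lookup can also be run offline against an LDIF export of the configuration store. The following is an added example, not part of the original article or of Access Manager: it picks the SCC entry by nidsBaseURL, matches nidsGUID, and reports only whether nidsWsfSS is present and how large it is. The DNs, RDN types and values in the sample are constructed, and it assumes nidsGUID holds the same hex digits that ConsoleOne displays.

```python
import base64
import string

# Constructed sample export; DNs, RDN types, GUIDs and values are invented.
SAMPLE_LDIF = """\
dn: cn=SCCabc123,cn=cluster,cn=nids,ou=accessManagerContainer,o=novell
nidsBaseURL: https://idp.example.com:8443/nidp

dn: cn=A1B2C3D4E5F60718293A4B5C6D7E8F90,cn=LibertyUserProfilesxyz,cn=SCCabc123,
 cn=cluster,cn=nids,ou=accessManagerContainer,o=novell
nidsGUID: A1B2C3D4E5F60718293A4B5C6D7E8F90
nidsWsfSS:: PGNvbnN0cnVjdGVkLz4=

dn: cn=00112233445566778899AABBCCDDEEFF,cn=LibertyUserProfilesxyz,cn=SCCabc123,
 cn=cluster,cn=nids,ou=accessManagerContainer,o=novell
nidsGUID: 00112233445566778899AABBCCDDEEFF
"""

def parse_ldif(text):
    """Return [(dn, {lowercased attr: [bytes, ...]})]; unfolds lines, decodes base64."""
    entries, dn, attrs = [], None, {}
    for line in text.replace("\n ", "").splitlines() + [""]:  # "" flushes last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
        elif not line.startswith("#"):
            name, _, rest = line.partition(":")
            b64 = rest.startswith(":")    # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()) if b64 else rest.strip().encode()
            if name.lower() == "dn":
                dn = value.decode()
            else:
                attrs.setdefault(name.lower(), []).append(value)
    return entries

def hex_only(s):
    return "".join(c for c in s if c in string.hexdigits).upper()

def find_secret_store(entries, user_guid, idp_base_url):
    """Return [(profile dn, nidsWsfSS byte count)] under the SCC for this IdP."""
    sccs = [dn.lower() for dn, a in entries if idp_base_url.encode() in a.get("nidsbaseurl", [])]
    hits = []
    for dn, a in entries:
        guids = [hex_only(v.decode("ascii", "replace")) for v in a.get("nidsguid", [])]
        if hex_only(user_guid) in guids and any(dn.lower().endswith("," + s) for s in sccs):
            # Report presence and size only; the stored credentials are not printed.
            hits.append((dn, sum(len(v) for v in a.get("nidswsfss", []))))
    return hits
```

A byte count of 0 means the profile object exists but holds no Secret Store entry for that user.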

Viewing the Values of the Secret Store Attributes

It is possible to allow users to view the values of their secret store attributes, and even modify or delete them. To do this, the administrator must initially do the following:

1. Using the Access Manager Admin Console, edit the Identity Server configuration.

2. Go to Liberty > Web Service Provider and do the following:

  • Make sure the credential profile is enabled
  • Enable the ‘Allow End Users to See Credential Profile’ under the ‘Credential Profile Settings’ section
  • Apply changes and update configuration

3. Once these changes have been applied, log in to the Identity Server configuration and access the Portal page directly.

4. Select the ‘My Profile’ tab on the left-hand side and then the ‘Credential profile’ we activated above. This should display a ‘credentials’ link.

5. Click this credentials link, and all your secret store credential sets will be displayed.

6. Click on the Secret Store credential set you wish to see (SAP in the example below), and all the credential entries will be displayed.

Clicking any of the entries will display the entry name and value.


Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.
