A user's SecretStore is locked when either of the following occurs:
- Enhanced protection is enabled.
- A network administrator changes a user's eDirectory password.
A SecretStore administrator can unlock locked SecretStores.
However, although the SecretStore administrator can unlock a user’s SecretStore, that administrator can’t read the user’s passwords. Unlocking a user’s SecretStore only lets the logged-in user regain access to passwords after a SecretStore lock.
To prevent a single administrator from bypassing enhanced protection, designate two separate administrators (one eDirectory administrator and one SecretStore administrator).
A SecretStore administrator should not have "normal" network administrator rights. Limiting these rights prevents one person from resetting the user's password (as eDirectory administrator), unlocking the user's SecretStore (as SecretStore administrator), logging in as the user (with the reset password), and reading the user's secrets.
To designate a SecretStore administrator, add that user's User object to the SecretStore Administrator List:
1. In iManager, in the view, click > .
2. In the field, browse to a SecretStore.Security object or an sssServerPolicyOverride object, then click . The installation program automatically creates the sssServerPolicy object (SecretStore.Security).
3. Click .
4. Click , navigate to and click the desired User object, click , then click . The following figure illustrates the SecretStore Administrator List:
5. To grant an administrator access to SecretStore, select the check box. If you add additional administrators, the setting remains disabled for them until you select the check box. Therefore, if you add additional SecretStore administrators, make sure that to SecretStore is checked. Only then can the selected SecretStore administrator unlock a user's SecretStore. This is useful when a user forgets a password.
6. Click or to save the changes. The user is now a SecretStore Administrator.
SecretStore administrators can unlock a user’s SecretStore. To prevent these administrators from misusing this option, we recommend that you use NMAS and specify a strong security label.
If Novell Modular Authentication Service (NMAS) is installed, a Security Label box is displayed on the SecretStore\Administrator page. This box lists the security labels defined by the NMAS snap-in. By selecting a label, you set the level of clearance you require of SecretStore administrators. This option lets you tighten control over who can act as a SecretStore administrator.
After you define a security label on the sssServerPolicy object, a SecretStore Administrator must be logged in with a session clearance that is equal to or greater than the security label. Otherwise, that Administrator can't unlock any user’s SecretStore.
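The following model pulls the rules on this page together in runnable form: the two lock triggers, the unlock authorization (administrator on the list, access check box selected, session clearance not below the security label), the fact that unlocking never discloses secrets, and the two-administrator separation of duties. This is an added illustration written for this page, not Novell's code; the class names, the integer encoding of clearances and labels, and the sample identities are assumptions made for the example.

```python
"""Model of the SecretStore lock/unlock rules (added example, not Novell's code).

Assumptions (not from the product): NMAS security labels and session clearances
are compared as integers (higher = more sensitive); identity and policy objects
are simplified dataclasses named Identity, SecretStorePolicy and UserSecretStore.
"""
from dataclasses import dataclass, field


@dataclass
class Identity:
    name: str
    is_edir_admin: bool = False          # holds "normal" network administrator rights
    is_secretstore_admin: bool = False   # appears on the SecretStore Administrator List
    grant_access: bool = False           # the per-administrator access check box
    session_clearance: int = 0           # NMAS clearance of the current login session


@dataclass
class SecretStorePolicy:
    security_label: int = 0              # label set on sssServerPolicy; 0 means none
    enhanced_protection: bool = False


@dataclass
class UserSecretStore:
    owner: str
    locked: bool = False
    secrets: dict = field(default_factory=dict)


def enable_enhanced_protection(store: UserSecretStore, policy: SecretStorePolicy) -> None:
    """Lock trigger 1: enabling enhanced protection locks the store."""
    policy.enhanced_protection = True
    store.locked = True


def admin_resets_password(store: UserSecretStore, actor: Identity) -> bool:
    """Lock trigger 2: an eDirectory administrator changing the user's password locks the store.
    Returns False when the actor lacks the rights to reset the password at all."""
    if not actor.is_edir_admin:
        return False
    store.locked = True
    return True


def can_unlock(actor: Identity, policy: SecretStorePolicy) -> bool:
    """Unlock requires: on the administrator list, access check box selected,
    and (when a security label is defined) a session clearance >= the label."""
    return (
        actor.is_secretstore_admin
        and actor.grant_access
        and actor.session_clearance >= policy.security_label
    )


def unlock(store: UserSecretStore, actor: Identity, policy: SecretStorePolicy) -> bool:
    """Unlock the store if the actor is authorized. Never returns any secret."""
    if not can_unlock(actor, policy):
        return False
    store.locked = False
    return True


def read_secrets(store: UserSecretStore, requester: Identity):
    """Only the owner, logged in as themselves, can read secrets, and only when unlocked.
    A SecretStore administrator who unlocked the store still gets nothing."""
    if requester.name != store.owner or store.locked:
        return None
    return dict(store.secrets)


def separation_of_duties_ok(identity: Identity) -> bool:
    """The page's recommendation: nobody should be both eDirectory admin and SecretStore admin."""
    return not (identity.is_edir_admin and identity.is_secretstore_admin)


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    policy = SecretStorePolicy(security_label=2)
    store = UserSecretStore(owner="alice", secrets={"intranet": "hunter2"})
    edir_admin = Identity("bob", is_edir_admin=True)
    ss_admin = Identity("carol", is_secretstore_admin=True, grant_access=True, session_clearance=2)
    admin_resets_password(store, edir_admin)
    print("locked after reset:", store.locked)
    print("unlock by carol:", unlock(store, ss_admin, policy))
    print("carol reads:", read_secrets(store, ss_admin))
    print("alice reads:", read_secrets(store, Identity("alice")))
```

The model makes the page's separation-of-duties argument concrete: `admin_resets_password` needs eDirectory rights, `unlock` needs SecretStore administrator rights plus clearance, and `read_secrets` needs the owner's own session, so compromising any single role is not enough to reach the secrets.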