17.0 Enabling Enhanced Background Authentication

eDirectory provides a strong authentication mechanism that verifies the identity of users who request to access it. Authentication includes two phases:

  • Login

  • Background authentication (BA)

When a user logs in, NetIQ Modular Authentication Service (NMAS) verifies the user's long-term credentials, such as a password, and issues BA material to the user.

When the user later authenticates to another server in the tree, the user presents this BA material instead of the long-term credentials. This single sign-on feature of eDirectory allows the user to authenticate to any server in the tree without providing long-term credentials again.

eDirectory 9.0 introduces a standards-based BA protocol that enables you to overcome the limitations of the proprietary BA protocol. This protocol is known as Enhanced Background Authentication (EBA). When EBA is used, NMAS issues users an X.509 certificate as the BA material, and the BA protocol uses TLS version 1.2 for mutual authentication.

NOTE: EBA is not supported with OES 2018.

Figure 17-1 EBA Process

In an EBA-enabled eDirectory tree, the EBA CA is the trusted root certifying authority for EBA. The EBA CA uses a self-signed certificate. Any server in the tree that holds a writable replica of the tree-root partition can be configured as the EBA CA. Usually, the first EBA-enabled server configured in the tree that hosts a writable replica of the tree-root partition acts as the EBA CA. Alternatively, you can configure any other eDirectory 9.0 server in the tree that holds a writable replica of the tree-root partition to act as the EBA CA.

Figure 17-2 EBA Certificate Authority

Each EBA-enabled server in the tree becomes a CA subordinate to the EBA CA and is called the NCP CA. After login, NMAS returns a BA certificate issued by the server's NCP CA to the logged-in user.

NOTE: For any object that logs in to eDirectory, every naming attribute that appears in the object's DN must have an OID defined in the schema.

To use EBA to authenticate to an eDirectory server, a client needs the EBA CA certificate of the tree. To obtain the EBA CA certificate, use the ebaclientinit utility, a new command line utility packaged with eDirectory 9.0. This utility downloads the EBA CA certificate of the tree and saves it in a file named .eba.p12 in the user's home directory on Linux ($HOME) or in the user's profile directory (%USERPROFILE%) on Windows.

NOTE: For EBA to function properly, synchronize the time on all EBA-enabled servers and clients in your eDirectory environment.

When you run the ebaclientinit utility against multiple trees, the utility adds the EBA CA certificate of each tree to the same .eba.p12 file. To obtain the EBA CA certificate of a tree, run the ebaclientinit utility once against that tree.
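The following script is an added illustration and is not part of eDirectory, NMAS or the ebaclientinit utility. It builds a throw-away certificate hierarchy shaped like the one described above (a self-signed "EBA CA" root, one subordinate "NCP CA", and a short-lived client certificate standing in for the BA certificate), stores the root in a cert-only PKCS#12 file the way a client keeps its trust anchor, and then runs the checks a TLS peer performs on a BA certificate: chain verification with and without the NCP CA intermediate, and the same verification as seen from a client whose clock is out of sync. All names, lifetimes, the demo directory and the demo .p12 file are assumptions; the contents and passphrase handling of the real .eba.p12 file are not described on this page.

```shell
#!/bin/sh
# Added example (not NetIQ/eDirectory code). Requires the openssl command.
# EBA_DEMO_DIR and every certificate name below are constructed for the demo.
set -u

EBA_DEMO_DIR="${EBA_DEMO_DIR:-$(mktemp -d)}"
KEYOPTS="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

# Build the three-tier hierarchy: EBA CA (self-signed root) -> NCP CA -> user.
eba_demo_setup() (
    cd "$EBA_DEMO_DIR" || exit 1
    # 1. Root: the EBA CA uses a self-signed certificate.
    openssl req -x509 $KEYOPTS -keyout ebaca.key -out ebaca.pem \
        -subj "/CN=EBA CA (demo)" -days 365 >/dev/null 2>&1
    # 2. Subordinate: each EBA-enabled server is an NCP CA under the EBA CA.
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign\n' > ca.ext
    openssl req -new $KEYOPTS -keyout ncpca.key -out ncpca.csr \
        -subj "/CN=NCP CA (demo server)" >/dev/null 2>&1
    openssl x509 -req -in ncpca.csr -CA ebaca.pem -CAkey ebaca.key -CAcreateserial \
        -out ncpca.pem -days 180 -extfile ca.ext >/dev/null 2>&1
    # 3. Leaf: stands in for the BA certificate a user receives after login.
    #    One-day lifetime is an assumption chosen to make clock skew visible.
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > ba.ext
    openssl req -new $KEYOPTS -keyout user.key -out user.csr \
        -subj "/CN=alice (demo user)" >/dev/null 2>&1
    openssl x509 -req -in user.csr -CA ncpca.pem -CAkey ncpca.key -CAcreateserial \
        -out user.pem -days 1 -extfile ba.ext >/dev/null 2>&1
    # 4. Client-side trust anchor: a cert-only PKCS#12 file holding the EBA CA
    #    certificate (demo stand-in for .eba.p12; empty passphrase for the demo).
    openssl pkcs12 -export -nokeys -in ebaca.pem -out eba-demo.p12 -passout pass: >/dev/null 2>&1
)

# Verify the user certificate against the EBA CA root, presenting the NCP CA
# as an untrusted intermediate, exactly as a peer would have to during the TLS
# handshake. Prints "valid" or "invalid" and always returns 0.
eba_verify_chain() {
    if openssl verify -CAfile "$EBA_DEMO_DIR/ebaca.pem" \
            -untrusted "$EBA_DEMO_DIR/ncpca.pem" "$EBA_DEMO_DIR/user.pem" >/dev/null 2>&1
    then echo valid; else echo invalid; fi
}

# Same check without the NCP CA: the EBA CA root alone cannot link to the leaf.
eba_verify_without_ncpca() {
    if openssl verify -CAfile "$EBA_DEMO_DIR/ebaca.pem" "$EBA_DEMO_DIR/user.pem" >/dev/null 2>&1
    then echo valid; else echo invalid; fi
}

# Evaluate the chain as of "now + $1 seconds", i.e. what a client whose clock
# is off by $1 seconds sees. A short-lived certificate fails on large skew.
eba_verify_at_skew() {
    skew="$1"
    now=$(date +%s)
    if openssl verify -attime "$((now + skew))" -CAfile "$EBA_DEMO_DIR/ebaca.pem" \
            -untrusted "$EBA_DEMO_DIR/ncpca.pem" "$EBA_DEMO_DIR/user.pem" >/dev/null 2>&1
    then echo valid; else echo invalid; fi
}

# Show which CA certificate the demo trust store carries (subject of the
# first certificate in the PKCS#12 bag).
eba_list_p12() {
    openssl pkcs12 -in "$EBA_DEMO_DIR/eba-demo.p12" -nokeys -passin pass: 2>/dev/null \
        | openssl x509 -noout -subject
}

eba_demo_setup
echo "chain with NCP CA intermediate: $(eba_verify_chain)"
echo "chain without intermediate:     $(eba_verify_without_ncpca)"
echo "client clock +1 hour:           $(eba_verify_at_skew 3600)"
echo "client clock +7 days:           $(eba_verify_at_skew 604800)"
echo "client clock -7 days:           $(eba_verify_at_skew -604800)"
echo "trust store holds:              $(eba_list_p12)"
```

The first two checks show why a client needs the EBA CA certificate from .eba.p12 and why the server must present its NCP CA certificate: the root alone cannot validate a leaf issued by a subordinate. The skew checks are the concrete reason behind the time-synchronization note above: with the clocks one hour apart the one-day certificate still verifies, but a client or server whose clock is a week off rejects a certificate that is perfectly valid at the issuer.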