26.1 Understanding Universal Password

Universal Password is managed by the Secure Password Manager, a component of the NetIQ Modular Authentication Services (NMAS) module. The Secure Password Manager simplifies the management of password-based authentication schemes across a wide variety of NetIQ products as well as NetIQ partner products. The management tools expose only one password and do not expose all of the behind-the-scenes processing for backwards compatibility.

Secure Password Manager and the other components that manage or make use of Universal Password are installed as part of an eDirectory. However, Universal Password is not enabled by default. Because all APIs for authentication and setting passwords are moving to support Universal Password, all the existing management tools, when run on clients with these new libraries, automatically work with the Universal Password.

NOTE:Password Management plug-in for NetIQ eDirectory for iManager 3.x, is available for download at the NetIQ Downloads Web site. Information on how to download and install this plug-in is available on the download site.

Novell Client software supports the Universal Password. It also continues to support the NDS password for older systems in the network. After Universal Password has been configured and enabled for a user, the Novell Client has the capability of automatically upgrading/migrating the NDS password to the Universal Password.

26.1.1 How Secure Is Universal Password?

Reversible encryption of Universal Password is required for convenient interoperation with other password systems. Administrators have to evaluate the costs and benefits of the system. Using a Universal Password stored in eDirectory might be more secure or convenient than attempting to manage several different passwords. NetIQ provides several levels of security to make sure Universal Password is protected while stored in eDirectory.

A Universal Password is protected by three levels of security:

  • encryption of the password itself

  • eDirectory rights

  • file system rights

The Universal Password is encrypted by a user specific key. Both the Universal Password and the user key are stored in system attributes that only eDirectory can read. The user key is stored encrypted with the tree key, and the tree key is protected by a unique Novell International Cryptographic Infrastructure (NICI) key on each machine. Note that neither the tree key nor the NICI key is stored within eDirectory. They are not stored with the data they protect.

The tree key is present on each machine within a tree, but each tree has a different tree key. So, data encrypted with the tree key can be recovered only on a machine within the same tree. Thus, while stored, the Universal Password is protected by three layers of encryption.

Each key is also secured via eDirectory rights. Only administrators with the Supervisor right or the users themselves have the rights to change Universal Passwords.

File system rights ensure that only a user with the proper rights can access these keys.

By default, the user specific key and the tree key are 3 DES keys. eDirectory 9.0 supports AES 256-bit keys. To create an AES 256-bit key, see Creating an AES 256-Bit Tree Key in the NICI Administration Guide. When a user logs in to eDirectory, NMAS re-encrypts the passwords that were earlier encrypted with 3DES keys. As an administrator, you can re-encrypt passwords using the Diagpwd utility. For more information, see Diagpwd utility.

NOTE:The Password policy should allow the user running this utility to retrieve the user's universal password.

If Universal Password is deployed in an environment requiring high security, you can take the following precautions:

  1. Make sure that the following directories and files are secure:




    • %SystemRoot%\SysWOW64\Novell\nici

    • %SystemRoot%\System32\ where the NICI DLL is installed


    • /var/opt/novell/nici

    • /etc/opt/novell/nici64.cfg

    • /opt/novell/lib64/libccs2.so and the NICI shared libraries in the same directory

    Consult the documentation for your system for specific details of the location of NICI and eDirectory files.

  2. As with any security system, restricting physical access to the server where the keys reside is very important.

26.1.2 Universal Password

In the past, administrators have needed to manage multiple passwords (simple password, NDS password, enhanced password) because of password limitations. Administrators have also needed to deal with keeping the passwords synchronized.

  • NDS Password: The older NDS password is stored in a hash form that is nonreversible. Only the NDS system can make use of this password, and it cannot be converted into any other form for use by any other system.

  • Simple Password: The simple password was originally implemented to allow administrators to import users and passwords (clear text and hashed) from foreign nds-cluster-config directories such as Active Directory and iPlanet.

    The limitations of the simple password are that no password policy (minimum length, expiration, etc.) is enforced.

  • Enhanced Password: The enhanced password is no longer supported by NetIQ. The enhanced password is the forerunner of Universal Password. It offers some password policy, but its design is not consistent with other passwords. It provides a one-way synchronization and it replaces the simple or NDS password.

NetIQ introduced Universal Password as a way to simplify the integration and management of different password and authentication systems into a coherent network.

Universal Password addresses these password problems by doing the following:

  • Providing one password for all access to eDirectory.

  • Enabling the use of extended characters in passwords.

  • Enabling advanced password policy enforcement.

  • Allowing synchronization of passwords from eDirectory to other systems.

Most features of password management require Universal Password to be enabled.

For detailed information, see Deploying Universal Password.

26.1.3 Password Policies

Universal Password provides the ability to create advanced password policies. A password policy is a collection of administrator-defined rules that specify the criteria for creating and replacing end user passwords. NMAS allows you to enforce password policies that you assign to users in eDirectory.

You manage password policies by using iManager.

For more information, see Managing Passwords by Using Password Policies.

26.1.4 Password Synchronization

Password synchronization across connected systems is a feature included with NetIQ Identity Manager. It provides the following benefits:

  • Bidirectional password synchronization

  • Enforcement of Password Policies on connected systems

  • E-mail notification when synchronization fails

  • The ability to check password synchronization status for a user

For more information, see Chapter 3, “Connected System Support for Password Synchronization” in the NetIQ Identity Manager 4.5 Password Management Guide.