Identity Assurance Solution 3.1.0.0 Readme

November 2013

1.0 Documentation

Identity Assurance Solution by NetIQ (IAS) enables federal agencies to comply with the credential issuance, physical and logical access requirements of Homeland Security Presidential Directive 12 (HSPD-12). This solution provides convenient yet controlled access to disparate logical IT systems and physical facilities by using combinations of biometrics, passwords, personal identification numbers, smart cards, X.509 digital certificates, and other forms of advanced authentication.

It is fully integrated with NetIQ Identity Manager and meets FIPS 201 workflow, identity management, and card life cycle requirements. Personal Identity Verification (PIV) cards issued using this solution enable users to have physical and logical access to facilities and IT systems. This solution enables convergence of IT and physical systems to provide a complete end-to-end and seamless control system.

The following sources provide information about the Identity Assurance Solution:

2.0 Known Issues

2.1 Dealing with the Client Login Module Not Found NMAS Error

The smart card based login with enhanced smart card method fails with NMAS and displays the client login module not found error message. For a successful login, install Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package ATL Security Update.

2.2 NESCM iManager Plug-in Does Not Work on Windows Server 2008

NESCM iManager plug-in fails if the Windows Server machine where the iManager server is running does not have a particular version of Microsoft Visual C++ redistributable installed.

To work around this issue, install Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package ATL Security Update.

2.3 Login Issues When the Automatically Look Up User Account and Use First Account Returned Options are Selected When NESCM is Installed

On a system where the Identity plug-in is configured with the Automatically Look Up User Account and Use First Account Returned options, if you log in by right-clicking the icon in the notification area of the taskbar, the Identity plug-in returns the user or users associated with the smart card. To change the user, press the Shift key and specify other login details such as Password (or PIN), Tree, Context, and Server.

2.4 Issue with Ceres Card on Internet Explorer

When trying to read certificates that are on a Ceres smart card through Internet Explorer using the NetIQ Enhanced Smart Card iManager plug-in, a blank page appears.

2.5 Unattended Installation of IASC Not Supported

You cannot install IASC in silent mode. Instead, use the individual installers of the Novell Client and NESCM as follows:

  1. Launch the Novell Client installer using setup.exe from the NovellClient\Vista\ location.

  2. Launch the NESCM installer from the NMASMethods\EnhancedSmartCard\client location.

    Ensure that the appropriate NESCM installer (setup.exe or setup_64.exe) is launched. For more information, see the installation instructions in the Silent Installation section of the NESCM Installation Guide.

    The following are examples of batch scripts for installing the Novell Client and NESCM:

    For Windows 7, run the following script:

    start /wait NovellClient\Vista\setup.exe
    
    start /wait NMASMethods\EnhancedSmartCard\client\setup_64.exe /S /v"/qn"
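
The same sequence with installer selection and exit-code checks, as an added example that is not part of the NetIQ readme. It assumes the script runs from the root of the installation media, that the 32-bit setup.exe accepts the same /S /v"/qn" switches shown above for setup_64.exe, and that both installers return 0 on success or the Windows Installer code 3010 when a restart is pending.

```bat
@echo off
setlocal
rem Added example: install the Novell Client, then NESCM, stopping on failure.
rem Assumption: relative paths match the layout used in the readme's script.

set "CLIENT=NovellClient\Vista\setup.exe"
set "NESCM=NMASMethods\EnhancedSmartCard\client\setup.exe"

rem Choose the 64-bit NESCM installer on 64-bit Windows.
rem PROCESSOR_ARCHITEW6432 is defined only for a 32-bit cmd.exe on a 64-bit OS.
if /i "%PROCESSOR_ARCHITECTURE%"=="AMD64" set "NESCM=NMASMethods\EnhancedSmartCard\client\setup_64.exe"
if defined PROCESSOR_ARCHITEW6432 set "NESCM=NMASMethods\EnhancedSmartCard\client\setup_64.exe"

if not exist "%CLIENT%" (
    echo Novell Client installer not found: %CLIENT%
    exit /b 2
)
if not exist "%NESCM%" (
    echo NESCM installer not found: %NESCM%
    exit /b 2
)

rem Step 1: Novell Client. The empty "" is the window title that start expects
rem before a quoted program path.
start /wait "" "%CLIENT%"
set "RC=%errorlevel%"
if not "%RC%"=="0" if not "%RC%"=="3010" (
    echo Novell Client setup returned %RC%. NESCM was not installed.
    exit /b 1
)

rem Step 2: NESCM, silently, with the switches given in the readme.
start /wait "" "%NESCM%" /S /v"/qn"
set "RC=%errorlevel%"
if "%RC%"=="3010" (
    echo NESCM setup reports that a restart is required.
    exit /b 0
)
if not "%RC%"=="0" (
    echo NESCM setup returned %RC%.
    exit /b 1
)
echo Novell Client and NESCM installed.
exit /b 0
```

Installing the Novell Client before NESCM follows the order given in section 2.7, and the 3010 branch surfaces the restart condition described in section 2.6.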
    

2.6 NESCM Installation Fails on Windows 8

NESCM installation on Windows 8 may sometimes fail. This is because the Microsoft Visual C++ Redistributable Package that is provided as part of the installer requires restarting the computer even though it is successfully installed.

After restarting the computer, NESCM is installed successfully.

2.7 Uninstalling Novell Client Removes Configuration Information for NMAS Methods

Uninstalling the Novell Client does not remove the NMAS methods from a system; it only removes the configuration information. When the NMAS Client is reinstalled on a system that has NMAS methods installed on it, the NMAS Client looks for the configuration information required to load the appropriate login client module and does not find it, which causes eDirectory login failure and displays the following error:

 "client login module not found"

To avoid this error, run the installation in the following order:

  1. Install the Novell Client and NMAS Client.

  2. Install NMAS method (LCM).

For the smart card login to work, reinstall the Novell Client and then reinstall NESCM or add NESCM by using NCC.

Instead of uninstalling and reinstalling the Novell Client, you can repair it by running the setup.exe file for the same version or upgrade it by running the setup.exe file of the new version.

2.8 NESCM Fails to Log In to Windows eDirectory 8.8 SP7 Server

When you log in to an eDirectory 8.8 SP7 server using NESCM, the login fails because of a SidebySide error, displaying the following error message:

NMAS: invalid requested sequence

NESCM 3.1.0.0 requires some runtime libraries that are installed by NICI 2.7.7, which are not available in eDirectory 8.8 SP7 because it includes NICI 2.7.6.

To avoid this error, you must manually install the runtime libraries from this link: http://www.microsoft.com/en-in/download/details.aspx?id=26347.

2.9 NESCM Fails to Read the Certificates When Two Cards From Different Vendors are Inserted Simultaneously

If you have two card readers from different vendors connected to the computer simultaneously, NESCM fails to read the certificates. For example, if you have a Gemalto Cyberflex card inserted in an ActivCard reader and a Gemplus card reader with a Gemalto .NET card connected to the computer, then NESCM fails to read the certificates.

However, NESCM works as expected if two card readers from the same vendor and with the same cards are connected to the computer. In this case, NESCM reads certificates from both cards. The following are some examples where two card readers from the same vendor with the same cards are connected to the computer:

  • Two ActivCard USB Reader V3 readers, each with Gemalto Cyberflex Access 64K V2c card in them.

  • Two Gemplus USB Reader readers, each with Gemalto .NET card in them.

3.0 Additional Documentation

3.1 iManager

For iManager information, refer to the iManager online documentation.

3.2 NMAS

For NMAS information, refer to the eDirectory online documentation page. This documentation is available as a zip file at the end of this page.

3.3 Password Management

For Password Management information, refer to the eDirectory online documentation page. This documentation is available as a zip file at the end of this page.

3.4 Certificate Server

For Certificate Server information, refer to the eDirectory online documentation page. This documentation is available as a zip file at the end of this page.

3.5 Novell International Cryptographic Infrastructure (NICI)

For NICI information, refer to the NICI online documentation.

3.6 eDirectory

For more information on eDirectory, refer to the eDirectory online documentation.

4.0 Legal Notices

NetIQ Corporation, and its affiliates, have intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more U.S. patents and one or more additional patents or pending patent applications in the U.S. and in other countries.

THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE AGREEMENT OR A NON-DISCLOSURE AGREEMENT. EXCEPT AS EXPRESSLY SET FORTH IN SUCH LICENSE AGREEMENT OR NON-DISCLOSURE AGREEMENT, NETIQ CORPORATION PROVIDES THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT ALLOW DISCLAIMERS OF EXPRESS OR IMPLIED WARRANTIES IN CERTAIN TRANSACTIONS; THEREFORE, THIS STATEMENT MAY NOT APPLY TO YOU.

For purposes of clarity, any module, adapter or other similar material ("Module") is licensed under the terms and conditions of the End User License Agreement for the applicable version of the NetIQ product or software to which it relates or interoperates with, and by accessing, copying or using a Module you agree to be bound by such terms. If you do not agree to the terms of the End User License Agreement you are not authorized to use, access or copy a Module and you must destroy all copies of the Module and contact NetIQ for further instructions.

This document and the software described in this document may not be lent, sold, or given away without the prior written permission of NetIQ Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of NetIQ Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data.

This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time.

U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the government's rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement.

© 2013 NetIQ Corporation and its affiliates. All Rights Reserved.

For information about NetIQ trademarks, see http://www.netiq.com/company/legal/.