2.2 Installing the Method

Installation consists of installing the method on the eDirectory server and on the client workstations.

2.2.1 eDirectory Server Installation

  1. Log in to iManager as an Administrator.

  2. From the Roles and Tasks view, click NMAS > NMAS Login Methods.

  3. Click New.

    The method installation wizard is launched.

  4. Follow the steps in the method installation wizard:

    1. Browse to and double-click the EnhancedSmartCard_iMan27.zip file that comes with the method. It is located on the client disk under the NMAS Methods folder.

      This zip file contains the server components and the iManager components.

    2. Read and accept the license agreement.

    3. Review the method information and modify the values as needed.

      If you don’t change the name, the default name (Enhanced Smart Card) is used for the method and login sequence name.

    4. Click Finish.

  5. Review the installation summary page, then click Close.

  6. Restart iManager to ensure that the plug-in is enabled.

  7. Continue with Section 3.0, Configuring the Server, which uses the plug-in to configure the NESCM installation on the server.

2.2.2 Client Workstation Installation

The method must be installed on each workstation. To install the method, use the NESCM setup program.

The method can also be installed and configured silently. For more information on silent installation, see Section B.0, Silently Installing and Configuring the Method on Workstations.

  1. Log in to a workstation as an Administrator.

  2. Run the following program from the ...\enhancedsmartcard\client directory:

    Windows Vista (32-bit)/7 (32-bit)/XP/Server 2008 (32-bit): Setup.exe

    Windows Vista (64-bit)/7 (64-bit)/Server 2008 (64-bit)/Server 2008 R2 (64-bit): Setup_64.exe

    This launches the NESCM setup program. Follow the steps in this setup program to install and configure NESCM. For information concerning specific steps in the setup program for all client platforms (Windows Vista/7/XP/Server 2008), see Table 2-2.

    For information concerning specific steps in the setup program for Windows XP client, see Table 2-3.

    For extended information on the options, see Section A.0, Client Configuration Options.

  3. Repeat Step 1 and Step 2 for every workstation where you want to install the method.

Table 2-2 and Table 2-3 explain the configuration options that are available when you use the setup program to install the method on a workstation.

Table 2-2 Setup Program Options for all Client Platforms

Window / Options

Smart Card Interface

The method can communicate with the smart card by using a Windows Cryptographic Service Provider (CSP) or PKCS#11 library. The recommended communication method is CSP with PC/SC Interfaces. Use PKCS#11 interfaces only if you know your smart card vendor does not provide a CSP.

  • CSP with PC/SC Interfaces: Select this option to use MS Crypto APIs and the vendor’s CSP.

  • PKCS#11 Library: Select this and specify a PKCS#11 library to use PKCS#11 interfaces. If the library file is not present in the default system path, you must provide the file path of the library file.

For more information on the smart card interface, see Section A.1, Smart Card Interface.

Smart Card PIN

The smart card PIN is validated during login unless this option is turned off (not selected). If this option is off, the PIN is not validated during login. Turning off PIN validation can be appropriate when another application has already established a smart card session and validated the PIN, because it prevents users from having to re-enter the PIN. In that case the method relies on the other application's PIN check, so leave the option selected unless such a session is guaranteed to exist at login.

Require Smart Card PIN Validation: Select this option to validate the PIN during login.

For more information on smart card PIN validation, see Section A.2, Smart Card PIN Validation.

Workstation Only Login

Normally, workstation only logins are password-based. The following options allow the smart card to be used during a workstation only login:

  • Use Smart Card for Workstation Only Login: Select this option to use the smart card for workstation only logins.

  • Require Smart Card for Workstation Only Login: Select this option to disable password-based workstation only logins.

This option is only available if the Novell Client is installed.

For more information on Workstation Only Login, see Section A.4, Workstation Only Login (Disconnected Support Login).

User Account Lookup - Identity Plug-in Support

The method can use eDirectory to look up the username that is associated with the smart card. The method uses the certificate information on the smart card and performs an LDAP search to locate the user account.

  • Automatically Look Up User Account: Select this option if you want the method to automatically look up the user account.

This option is only available if the Novell Client is installed.

For more information on User Account Lookup, see Section A.5, User Account Lookup (Identity Plug-In Functionality).

(Conditional: LDAP Search Options - Page 1) Identity Plug-in Configuration

The following options specify how the LDAP search functionality of the Identity plug-in functions:

  • LDAP Servers: In the Servers field, specify the server where you want the search to take place. This is the LDAP server IP address or DNS name.

  • LDAP Search Base: In the Base field, specify the starting container to use when searching for the user.

  • LDAP Search Timeout: In the Timeout field, specify the number of seconds before the search does a timeout.

(Conditional: LDAP Search Options - Page 2) Identity Plug-in Configuration

The following options specify how the LDAP search functionality of the Identity Plug-in functions:

  • Search By: Select how the search matches user accounts. If you select Certificate Subject Name, it searches by the certificate’s subject name. If you select Certificate, it searches using the complete certificate.

    This setting should match the method’s Match By configuration setting.

  • Search Performance: Select Do Complete Search if you want the search operation to wait to complete the search before returning. Select Use First Account Returned if you want the search to quit after receiving the first result.

    For large directories where searches can take a significant amount of time, selecting Use First Account Returned can increase performance. However, if in your environment one certificate is associated with multiple accounts, you should select Do Complete Search to ensure that all possible matches are presented to the user.
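The two LDAP Search Options pages above (Servers, Base, Timeout on page 1; Search By and Search Performance on page 2) describe a lookup that the text does not show. The following is an added example, not NESCM's own code or a description of its internals: it models that lookup against a small directory constructed inline. The attribute names SUBJECT_ATTR and CERT_ATTR, the entries, and the certificate bytes are assumptions for illustration; the page does not state which eDirectory attributes the method matches against. It shows the filter escaping that keeps a certificate subject from altering the search, the difference between Do Complete Search and Use First Account Returned when one certificate maps to two accounts, and the Timeout behaviour.

```python
import re
import time

# Assumed attribute names (not from the page): the attribute holding the
# certificate subject DN, and the attribute holding the DER certificate.
SUBJECT_ATTR = "x-cert-subject"
CERT_ATTR = "userCertificate"


def ldap_escape_str(value: str) -> str:
    """RFC 4515 escaping of a string assertion value.  Without this, a subject
    such as 'CN=*' or 'CN=x)(cn=admin' would change the filter's meaning."""
    out = []
    for b in value.encode("utf-8"):
        if b in b"\\*()\x00" or b >= 0x80:
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def ldap_escape_bytes(data: bytes) -> str:
    """Escape raw octets (a DER certificate) for an equality assertion."""
    return "".join("\\%02x" % b for b in data)


def build_filter(search_by: str, subject: str, cert_der: bytes) -> str:
    """'subject' models Search By: Certificate Subject Name;
    'certificate' models Search By: Certificate (the complete certificate)."""
    if search_by == "subject":
        return "(&(objectClass=User)(%s=%s))" % (SUBJECT_ATTR, ldap_escape_str(subject))
    if search_by == "certificate":
        return "(&(objectClass=User)(%s=%s))" % (CERT_ATTR, ldap_escape_bytes(cert_der))
    raise ValueError("search_by must be 'subject' or 'certificate'")


# Matches each "(attr=value)" assertion in the AND filters built above.
_ASSERTION = re.compile(r"\(([^()=]+)=([^()]*)\)")


def _unescape(value: str) -> bytes:
    """Reverse the \\xx escaping so values compare as raw octets."""
    out = bytearray()
    i = 0
    while i < len(value):
        if value[i] == "\\":
            out.append(int(value[i + 1:i + 3], 16))
            i += 3
        else:
            out.extend(value[i].encode("utf-8"))
            i += 1
    return bytes(out)


def _matches(entry: dict, filt: str) -> bool:
    """Evaluate the AND-of-equality filters build_filter() produces."""
    for attr, raw in _ASSERTION.findall(filt):
        if _unescape(raw) not in entry.get(attr, []):
            return False
    return True


def lookup_user(directory, base: str, filt: str, timeout_s: float, first_only: bool):
    """Return the DNs under `base` that match `filt`.
    first_only=True models Use First Account Returned; False models
    Do Complete Search.  Raises TimeoutError once `timeout_s` elapses,
    as the LDAP Search Timeout option would."""
    deadline = time.monotonic() + timeout_s
    found = []
    for dn, entry in directory:
        if time.monotonic() >= deadline:
            raise TimeoutError("LDAP search exceeded %s s" % timeout_s)
        if not dn.lower().endswith(base.lower()):
            continue
        if _matches(entry, filt):
            found.append(dn)
            if first_only:
                break
    return found


# Constructed sample directory.  The certificate bytes are placeholders, not
# real DER certificates; bob's card is mapped to two accounts on purpose.
ALICE_CERT = b"\x30\x82\x01\xa2" + b"\xa1" * 8
BOB_CERT = b"\x30\x82\x01\xb0" + b"\xb0" * 8
DIRECTORY = [
    ("cn=alice,ou=Sales,o=Example",
     {"objectClass": [b"User"], SUBJECT_ATTR: [b"CN=alice,OU=Sales,O=Example"], CERT_ATTR: [ALICE_CERT]}),
    ("cn=bob,ou=Sales,o=Example",
     {"objectClass": [b"User"], SUBJECT_ATTR: [b"CN=bob,OU=Sales,O=Example"], CERT_ATTR: [BOB_CERT]}),
    ("cn=bob-admin,ou=Admins,o=Example",
     {"objectClass": [b"User"], SUBJECT_ATTR: [b"CN=bob,OU=Sales,O=Example"], CERT_ATTR: [BOB_CERT]}),
    ("cn=svc-backup,ou=Services,o=Example", {"objectClass": [b"User"]}),
]


if __name__ == "__main__":
    f = build_filter("certificate", "", BOB_CERT)
    print("complete search:", lookup_user(DIRECTORY, "o=Example", f, 5, first_only=False))
    print("first only:     ", lookup_user(DIRECTORY, "o=Example", f, 5, first_only=True))
```

With Do Complete Search the lookup for bob's card returns both accounts so the user can choose; with Use First Account Returned it stops at whichever entry the directory returns first, which is why the page recommends the complete search when one certificate is associated with multiple accounts.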

(Conditional: Progress Message and Login Options) Identity Plug-in Configuration

The following options allow you to configure progress messages and login options for the Identity Plug-in:

  • Status Message: In the Message field, specify the message to display in the Novell Client Login dialog box while the user lookup is in progress. Leave the field blank for no message.

  • Wait Message: In the Message field, specify the message to display in the Novell Client Login dialog box after the user lookup is complete and login has begun. Leave the field blank for no message.

  • Login Options: The following login options are available:

    • Automatically begin login when user lookup returns: Select this option to automatically start the login process after the account lookup finishes. If you select this option, the user does not need to click the OK button to begin the login process.

    • Restart user lookup if login fails: Select this option to automatically restart the user lookup (the Identity Plug-in search) if the login fails.

    Selecting both Automatically begin login when user lookup returns and Restart user lookup if login fails is not recommended. Using these two options simultaneously can lead to continuous looping failed login attempts.

(Conditional: Novell Client Login Dialog Options) Identity Plug-in Configuration

Selecting the following options allows you to hide user interface controls in the Novell Client login dialog:

  • Hide OK Button: Select this option only when Automatically begin login when user lookup returns is selected. See (Conditional: Progress Message and Login Options) Identity Plug-in Configuration for more information.

  • Hide Cancel Button: Select this option if you don’t want users to see the Cancel button.

  • Hide Advanced Button: Select this option if you don’t want users to see the additional login dialog box settings.

  • Hide Username Field: Select this option when using the user account lookup functionality, because the lookup supplies the username and users do not normally interact with the username field. See User Account Lookup - Identity Plug-in Support for more information.

  • Hide Password Field: You might want to select this option when Automatically begin login when user lookup returns is selected. After the lookup returns, the login begins and the method prompts the user for a PIN unless PIN validation is turned off. See Smart Card PIN for more information.

Table 2-3 Setup Program Options for Windows XP Client

Window / Options

Password Field Descriptor

The Novell Client login dialog box labels the Password field with the word “Password.” When NESCM is in use, users enter the smart card PIN in that field. This option allows you to change the label to a more intuitive description, like “PIN.”

Use Custom Descriptor: Select this option and enter a new label to change the descriptor.

This option is only available if the Novell Client is installed.

For more information on the Password Field Descriptor, see Section A.3, Password Field Descriptor.