4.7 Configuring Access Manager for NESCM

To use a smart card with Access Manager, you need to configure Access Manager to use the eDirectory server where you have installed the Novell Enhanced Smart Card Login Method for NMAS (NESCM). You then need to create a contract that knows how to prompt the user for the smart card credentials. The last task is to assign this contract to the protected resources that you want protected with a smart card. The following sections describe the prerequisites and the tasks:

4.7.1 Prerequisites

4.7.2 Creating a User Store

The Identity Server must be configured to use the eDirectory replica where you have installed the NESCM server method.

To configure the Identity Server for the eDirectory replica that has the NESCM method:

  1. In the Administration Console, click Devices > Identity Servers > Edit > Local > User Stores > New.

  2. On the Create User Store page, fill in the following fields:

    Name: A display name for the eDirectory replica (for example, nescm_replica).

    Admin Name: The distinguished name of the admin user of the directory. Administrator-level rights are required for setting up a user store.

    Admin Password and Confirm Password: The password for the admin user and the confirmation for the password.

    NOTE: If the admin account's password must be changed in the LDAP directory for any reason, change the admin password on the Create User Store page to match and apply the change. Otherwise, the admin account for this user store is locked after the Identity Server retries the bind with the old password.

    Directory Type: Select eDirectory.

  3. In the Server replica section, click New, and fill in the following fields:

    Name: The display name for the LDAP directory server (for example, nescm_server).

    IP Address: The IP address of the LDAP directory server. The port is set automatically to the standard LDAP port.

  4. Click Use secure LDAP connections. You must enable SSL between the user store and the Identity Server. The port changes to 636, which is the secure LDAP port.

  5. Click Auto import trusted root.

  6. Click OK to confirm the import.

  7. Select the Root CA Certificate to trust any certificate signed by that certificate authority.

  8. Specify an alias, then click OK.

    An alias is a name you use to identify the certificate used by Access Manager.

  9. Click Close, then click OK.

  10. Under Server Replicas, verify the Validation Status.

    The system displays a green check mark if the connection is valid.

  11. Set up a search context.

  12. Click Finish to save the information.

  13. Continue with Section 4.7.3, Creating a Contract for the Smart Card.

4.7.3 Creating a Contract for the Smart Card

You need to create a contract that uses the NESCM method. To do this, you need to first create an NMAS class, then a method that uses that class. The last task is to create a contract that uses the method. The following sections describe these tasks:

Creating an NMAS Class for NESCM

When you create a class, you can specify values for properties. In the following steps, you specify a property value that determines the sequence of login prompts that the user receives when authenticating with a smart card.

  1. In the Administration Console, click Devices > Identity Servers > Edit > Local > Classes > New.

  2. Specify a display name for the class (for example, Class-NMAS-NESCM).

  3. For the Java class, select NMASAuthClass from the selection list.

  4. Click Next.

  5. On the Specify Properties page, click New.

  6. Specify the following values for the property:

    Property Name: Specify NMAS_LOGIN_SEQUENCE

    Property Value: Specify Enhanced Smart Card

    The Property Value matches the method name as displayed in the NMAS task > NMAS Login Methods.

  7. Click OK, then click Finish.

  8. Continue with Creating a Method to Use the NMAS Class.

Creating a Method to Use the NMAS Class

When you create a method, you can specify property values that are applied to just this method and not the entire class. In this tutorial, we want the method to use the same login sequence as the class. The method also allows you to specify which user stores can use the method. For a smart card method, you need to ensure that the user store or stores specified for the method have NESCM installed.

  1. On the Local page for the Identity Server, click Methods > New.

  2. Specify a Display name (for example, Method-NMAS-NESCM).

  3. From the Class selection list, select the class created in Creating an NMAS Class for NESCM.

  4. In the Available user stores list, select the user store created in Section 4.7.2, Creating a User Store, then click the left-arrow to move this user store into the User stores list.

    Leave other settings on this page unchanged.

  5. Click Finish.

  6. Continue with Creating an Authentication Contract to Use the Method.

Creating an Authentication Contract to Use the Method

Contracts are the element that you assign to a resource in order to protect it.

  1. On the Local page for the Identity Server, click Contracts > New.

  2. Specify a Display name (for example, Contract-NMAS-NESCM-UserStore1).

  3. Enter a URI (for example, nescm/test/uri).

    The URI is used to identify this contract for external providers and is a unique path value that you create.

  4. In the Available methods list, select the method created in Creating a Method to Use the NMAS Class, then click the left-arrow to move this method into the Methods list.

    All other fields can remain in the default state.

  5. (Conditional) If you want the user’s credentials (username and password) to be available for Identity Injection policies, add the password fetch method as a second method for the contract.

    For more information about this method and class, see Section 4.6, Configuring Password Retrieval.

  6. Click Next, then configure a card for the contract by filling in the following fields:

    ID: (Optional) Specify an alphanumeric value that identifies the card. If you need to reference this card outside of the Administration Console, you need to specify a value here. If you do not assign a value, the Identity Server creates one for its internal use.

    Text: Specify the text that is displayed on the card to the user, for example Smart Card.

    Image: Select the image to display on the card. You can select the NMAS Biometrics image or you can select the Select local image option and upload an image that your users can associate with using this smart card authentication contract.

    Show Card: Determine whether the card is shown to the user, which allows the user to select and use the card for authentication. If this option is not selected, the card is only used when a service provider makes a request for the card.

  7. Click Finish, then click OK.

  8. Update the Identity Server.

  9. Update the Access Gateway.

  10. Continue with Section 4.7.4, Assigning the NESCM Contract to a Protected Resource.

4.7.4 Assigning the NESCM Contract to a Protected Resource

Contracts must be created before they can be assigned to protected resources. The following steps explain how to assign the NESCM contract to an existing protected resource. If you have not created a protected resource, see Configuring Protected Resources in the NetIQ Access Manager 3.2 SP3 Access Gateway Guide.

  1. In the Administration Console, click Devices > Access Gateways > Edit > [Name of Reverse Proxy].

    The reverse proxy should be configured with a resource that you want to protect with the smart card.

  2. Click the Protected Resource link for the proxy service where you want to assign the NESCM contract.

  3. To enable the NESCM contract on an existing protected resource, click the Authentication Procedure link for that resource, then select the NESCM contract created in Creating an Authentication Contract to Use the Method.

    If the contract is not listed, ensure that you have updated the changes to the servers, first to the Identity Server and then the Access Gateway. If you have multiple Identity Server configurations, ensure that the Access Gateway is assigned to the Identity Server configuration that contains the NESCM contract (click Access Gateways > Edit > Reverse Proxy / Authentication).

  4. Click OK.

  5. Click the Access Gateways task, then update the Access Gateway.

  6. Continue with Section 4.7.5, Verifying the User’s Experience.

4.7.5 Verifying the User’s Experience

  1. From the smart-card-equipped workstation, browse to and select the URL of the proxy service where the protected resource requiring NESCM type authentication is enabled.

  2. When prompted by Access Manager, enter a username.

  3. When prompted for the smart card password, enter a password (the smart card PIN).

If the Smart Card contains a certificate that meets the defined criteria (in this example, a matching Subject name and trusted signing CA), the user is now successfully authenticated to the IDP and is connected through the Access Gateway to the protected resource.

4.7.6 Troubleshooting

Error: Authentication fails without prompting the user for the token

Resolution: Verify that you have configured the class and method correctly. See Creating an NMAS Class for NESCM and Creating a Method to Use the NMAS Class.

Error: Certificate validation fails

Resolution: Verify that a trusted root object created for the signing CA of the certificate on the smart card exists in the eDirectory trusted root container.
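Before working through the "Certificate validation fails" entry, it helps to confirm that the certificate on the card actually meets the two criteria named in Section 4.7.5 (trusted signing CA and matching Subject name). The following check is an added example, not part of the NetIQ documentation; it assumes the openssl CLI is available and uses hypothetical file names for the trusted root and for a user certificate exported from the card.

```shell
#!/bin/sh
# Added example, not from the NetIQ documentation: check a smart card user
# certificate against the two criteria named in 4.7.5, a trusted signing CA
# (the trusted root you imported) and a matching Subject CN. Needs the
# openssl CLI. All file names below are hypothetical.

# check_smartcard_cert CA_PEM USER_PEM EXPECTED_CN
# Prints "ok" and returns 0 when both criteria hold; otherwise prints the
# failing criterion and returns 1.
check_smartcard_cert() {
    ca="$1"; cert="$2"; expected="$3"
    # Criterion 1: the certificate must chain to the trusted signing CA.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "untrusted-ca"; return 1
    fi
    # Criterion 2: the Subject CN must equal the username the user enters.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 |
         sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p')
    if [ "$cn" != "$expected" ]; then
        echo "subject-mismatch:$cn"; return 1
    fi
    echo "ok"
}

# Constructed offline test PKI: a trusted CA, a user certificate it signed,
# and the same CSR signed by an unrelated CA. Prints the directory path.
make_test_pki() {
    dir=$(mktemp -d)
    printf '[req]\ndistinguished_name=dn\n[dn]\n[ca_ext]\nbasicConstraints=critical,CA:TRUE\n' \
        > "$dir/req.cnf"
    for ca in trusted rogue; do
        openssl req -x509 -config "$dir/req.cnf" -extensions ca_ext -days 1 -nodes \
            -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
            -keyout "$dir/$ca.key" -out "$dir/$ca.pem" \
            -subj "/CN=$ca smart card CA" >/dev/null 2>&1
    done
    openssl req -new -config "$dir/req.cnf" -nodes \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -keyout "$dir/user.key" -out "$dir/user.csr" -subj "/CN=jdoe" >/dev/null 2>&1
    for ca in trusted rogue; do
        openssl x509 -req -in "$dir/user.csr" -CA "$dir/$ca.pem" -CAkey "$dir/$ca.key" \
            -CAcreateserial -days 1 -out "$dir/user-by-$ca.pem" >/dev/null 2>&1
    done
    echo "$dir"
}
```

Run `check_smartcard_cert trusted-root.pem card-cert.pem <username>` with the real files; a `subject-mismatch` result points at the username the user types, an `untrusted-ca` result at the trusted root object.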