15.3 Configuring Credential Profile Security and Display Settings

On the Credential Profile Details page, you can specify whether this profile is displayed for end users, and determine how you control and store encrypted secrets. You can store and access secrets locally, on remote eDirectory servers that are running Novell SecretStore, or on a user store that has been configured with a custom attribute for secrets.

For more information about storing encrypted secrets, see the following:

To configure the Credential Profile:

  1. In the Administration Console, click Devices > Identity Servers > Edit > Liberty > Web Service Providers.

  2. Click Credential Profile.

    Credential profile details
  3. On the Credential Profile Details page, fill in the following fields as necessary:

    Display name: The name you want to display for the Web service.

    Have Discovery Encrypt This Service’s Resource Ids: Specify whether the Discovery Service encrypts the resource IDs. A resource ID is an identifier used by Web services to identify a user. The Discovery Service returns a list of resource IDs when a trusted service provider queries for the services owned by a given user. The Discovery Service has the option of encrypting the resource ID or sending it unencrypted. Encrypting resource IDs is disabled by default.

  4. Under Credential Profile Settings, enable the following option if necessary:

    Allow End Users to See Credential Profile: Specify whether to display or hide the Credential Profile in the Access Manager User Portal. Profiles are viewed on the My Profile page, where the user can modify his or her profile.

  5. Specify how you want to control and store secrets:

    1. To locally control and store secrets, configure the following fields:

      Encryption Password Hash Key: (Required) Specify the password to be used as the seed from which the encryption key is derived. To increase the security of the secrets, change the default password to a unique alphanumeric value.

      Preferred Encryption Method: Specify the preferred encryption method. Select the method that complies with your security model:

      • Password Based Encryption With MD5 and DES: MD5 is an algorithm that is used to verify data integrity. Data Encryption Standard (DES) is a widely used method of data encryption that uses a private key.

      • DES: Data Encryption Standard (DES) is a widely used method of data encryption that uses a private key. Like other private key cryptographic methods, both the sender and the receiver must know and use the same private key.

      • Triple DES: A variant of DES in which data is encrypted three times with standard DES by using two different keys.

    2. Specify where to store secret data. (For more information about setting up a user store for secret store, see Section 3.1.4, Configuring a User Store for Secrets.)

      • To have the secrets stored in the configuration database, do not configure the list in the Extended Schema User Store References section. You only need to configure the fields in Step 5.a.

      • To store the secrets in your LDAP user store, click New in Extended Schema User Store References and configure the following fields:

        User Store: Select a user store where secret data is stored.

        Attribute Name: Specify the LDAP attribute of the User object that can be used to store the secrets. When a user authenticates by using the user store specified here, the secret data is stored in an XML document of the specified attribute of the user object. This attribute should be a single-valued case ignore string that you have defined and assigned to the user object in the schema.

        NOTE: Do not use this LDAP attribute as a shared secret in Policy configuration. Instead, create shared secret attributes. The shared secret attributes are populated in the configured LDAP attribute and are used by policies for mapping. For more information about how to create a shared secret, see Creating a Form Fill Policy in the NetIQ Access Manager 3.2 SP3 Policy Guide.

      • To use Novell SecretStore to remotely store secrets, click New under Novell Secret Store User Store References.

        Click the user store that you have configured for SecretStore.

        Secure LDAP must be enabled between the user store and the Identity Server to add this user store reference.

    3. Click OK twice.

  6. On the Identity Server page, update the Identity Server.
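The following added example (not code from the product or this guide) illustrates why Step 5.a insists on changing the Encryption Password Hash Key: with the Password Based Encryption With MD5 and DES option, the DES key and IV are derived from the password, so two installations that keep the same default password derive the same key. It assumes the standard PKCS#5 v1.5 construction (RFC 8018 PBKDF1 with MD5); the salt and iteration count used here are constructed values, and the page does not state which salt or count Access Manager applies.

```python
import hashlib


def pbkdf1_md5(password: bytes, salt: bytes, count: int = 1000) -> tuple[bytes, bytes]:
    """PKCS#5 v1.5 PBKDF1 with MD5, the key derivation behind PBEWithMD5AndDES.

    T1 = MD5(password || salt), T_i = MD5(T_{i-1}) for i in 2..count.
    The 16-byte result is split into an 8-byte DES key and an 8-byte CBC IV.
    """
    if len(salt) != 8:
        raise ValueError("PBKDF1 uses an 8-byte salt")
    if count < 1:
        raise ValueError("iteration count must be at least 1")
    t = hashlib.md5(password + salt).digest()
    for _ in range(count - 1):
        t = hashlib.md5(t).digest()
    return t[:8], t[8:]


def shares_key_with(password_a: bytes, password_b: bytes, salt: bytes, count: int = 1000) -> bool:
    """True when two deployments would end up protecting secrets with the same DES key."""
    return pbkdf1_md5(password_a, salt, count)[0] == pbkdf1_md5(password_b, salt, count)[0]


if __name__ == "__main__":
    # Constructed values for illustration only; not the product's defaults.
    salt = b"\x00" * 8
    default_pw = b"changeme"
    unique_pw = b"x7Q!p2Rm9vLw"
    # Two servers left at the same default derive the identical key and IV.
    print("default vs default share key:", shares_key_with(default_pw, default_pw, salt))
    # A unique password per deployment yields a different key.
    print("default vs unique share key: ", shares_key_with(default_pw, unique_pw, salt))
```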