1.1 Universal Password Background

Universal Password is managed by the Secure Password Manager, a component of the Novell Modular Authentication Services (NMAS) module. The Secure Password Manager simplifies the management of password-based authentication schemes across a wide variety of Novell products as well as Novell partner products. The management tools expose only one password and do not expose all of the behind-the-scenes processing for backwards compatibility.

Secure Password Manager and the other components that manage or make use of Universal Password are installed as part of an eDirectory 8.7.3 or later installation. However, Universal Password is not enabled by default. Because all APIs for authentication and setting passwords are moving to support Universal Password, all the existing management tools, when run on clients with these new libraries, automatically work with the Universal Password.

NOTE:Password Management 2.02, a plug-in for Novell eDirectory for iManager 2.x, is available for download at the Novell Downloads Web site. Minimum requirements are eDirectory 8.7.3 or later and iManager 2.02 or later. Information on how to download and install this plug-in is available on the download site.

Novell Client software supports the Universal Password. It also continues to support the NDS password for older systems in the network. After Universal Password has been configured and enabled for a user, the Novell Client has the capability of automatically upgrading/migrating the NDS password to the Universal Password.

1.1.1 How Secure Is Universal Password?

Reversible encryption of Universal Password is required for convenient interoperation with other password systems. Administrators have to evaluate the costs and benefits of the system. Using a Universal Password stored in eDirectory might be more secure or convenient than attempting to manage several different passwords. Novell provides several levels of security to make sure Universal Password is protected while stored in eDirectory.

A Universal Password is protected by three levels of security:

  • triple DES encryption of the password itself

  • eDirectory rights

  • file system rights

The Universal Password is encrypted by a triple DES, user-specific key. Both the Universal Password and the user key are stored in system attributes that only eDirectory can read. The user key (3DES) is stored encrypted with the tree key, and the tree key is protected by a unique Novell International Cryptographic Infrastructure (NICI) key on each machine. Note that neither the tree key nor the NICI key is stored within eDirectory. They are not stored with the data they protect.

The tree key is present on each machine within a tree, but each tree has a different tree key. So, data encrypted with the tree key can be recovered only on a machine within the same tree. Thus, while stored, the Universal Password is protected by three layers of encryption.

Each key is also secured via eDirectory rights. Only administrators with the Supervisor right or the users themselves have the rights to change Universal Passwords.

File system rights ensure that only a user with the proper rights can access these keys.

If Universal Password is deployed in an environment requiring high security, you can take the following precautions:

  1. Make sure that the following directories and files are secure:




    • \system32\novell\nici

    • \system32\ where the NICI DLL is installed


    • /var/novell/nici

    • etc/nici.cfg

    • /usr/local/lib/libccs2.so and the NICI shared libraries in the same directory

    On LSB-compliant systems, the above mentioned directories and files as well as the following files:

    • /var/opt/novell/nici

    • etc/opt/novell

    • /opt/novell/lib

    Consult the documentation for your system for specific details of the location of NICI and eDirectory files.

  2. As with any security system, restricting physical access to the server where the keys reside is very important.