4.2 Setting Up a SecretStore Administrator

A user's SecretStore is locked when either of the following occurs:

A SecretStore administrator can unlock locked SecretStores.

However, although the SecretStore administrator can unlock a user’s SecretStore, that administrator can’t read the user’s passwords. Unlocking a user’s SecretStore only lets the logged-in user regain access to passwords after a SecretStore lock.

To keep enhanced protection from being bypassed, designate two separate administrators: one eDirectory administrator and one SecretStore administrator. No single account should hold both roles.

A SecretStore administrator should not have "normal" network administrator rights. An account that holds both roles can read any user's secrets in four steps: reset the user's password (as eDirectory admin), unlock the SecretStore that the reset just locked (as SecretStore administrator), log in as the user with the reset password, and read the secrets. Withholding eDirectory administrator rights from the SecretStore administrator breaks this chain at the first step.
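The separation of duties described above can be checked rather than trusted. The following is an added example, not code from the SecretStore product or its documentation: it takes two LDIF fragments (constructed inline here; in practice the output of ldapsearch against eDirectory), extracts the SecretStore administrator list from the policy object and the trustees whose ACLs on the user container are sufficient to reset passwords, and reports any DN that appears in both sets. Assumptions to adjust for your tree: the administrator list is read from an attribute named by `ADMIN_LIST_ATTR` (the name used here is hypothetical; use the one your schema exposes), and eDirectory ACL values are interpreted in their documented `privileges#scope#trustee#protectedAttr` form with 16 meaning Supervisor and 4 meaning Write. The DNs and ACLs in the sample data are constructed.

```python
"""Separation-of-duties check for SecretStore administrators.

Added example, not part of SecretStore or its documentation. Flags any DN
that is both a SecretStore administrator and a trustee able to reset user
passwords, which is the combination the text above warns about.
"""

# Hypothetical attribute name for the SecretStore Administrator List on the
# sssServerPolicy object; substitute the name your schema actually uses.
ADMIN_LIST_ATTR = "sssAdministratorList"

# eDirectory ACL privilege bits (assumed per the documented ACL syntax).
SUPERVISOR = 16
WRITE = 4


def parse_ldif(text):
    """Parse minimal LDIF (no base64 values, no continuation lines) into a
    list of (dn, {attr_lowercase: [values]}) tuples."""
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr = attr.strip().lower()
        value = value.strip()
        if attr == "dn":
            current = (value, {})
            entries.append(current)
        elif current is not None:
            current[1].setdefault(attr, []).append(value)
    return entries


def password_reset_trustees(acl_values):
    """Trustees whose ACL grants enough rights to reset a user's password:
    Supervisor entry rights, or Write/Supervisor on [All Attributes Rights].
    Extend the protected-attribute check if your tree delegates password
    management through a narrower attribute grant."""
    trustees = set()
    for acl in acl_values:
        parts = acl.split("#")
        if len(parts) != 4:
            continue  # malformed value; ignore rather than guess
        privs, _scope, trustee, protected = (p.strip() for p in parts)
        try:
            privs = int(privs)
        except ValueError:
            continue
        if protected == "[Entry Rights]" and privs & SUPERVISOR:
            trustees.add(trustee.lower())
        elif protected == "[All Attributes Rights]" and privs & (SUPERVISOR | WRITE):
            trustees.add(trustee.lower())
    return trustees


def sod_violations(policy_ldif, container_ldif):
    """Sorted DNs that are SecretStore administrators AND can reset passwords."""
    admins = set()
    for _dn, attrs in parse_ldif(policy_ldif):
        admins.update(v.lower() for v in attrs.get(ADMIN_LIST_ATTR.lower(), []))
    resetters = set()
    for _dn, attrs in parse_ldif(container_ldif):
        resetters |= password_reset_trustees(attrs.get("acl", []))
    return sorted(admins & resetters)


# Constructed sample data (not from a real tree).
POLICY_LDIF = """\
dn: cn=SecretStore,cn=Security
objectClass: sssServerPolicy
sssAdministratorList: cn=ssadmin,ou=security,o=acme
sssAdministratorList: cn=admin,o=acme
"""

USERS_LDIF = """\
dn: ou=users,o=acme
objectClass: organizationalUnit
ACL: 16#subtree#cn=admin,o=acme#[Entry Rights]
ACL: 16#subtree#cn=admin,o=acme#[All Attributes Rights]
ACL: 2#subtree#cn=ssadmin,ou=security,o=acme#[All Attributes Rights]
ACL: 4#subtree#cn=helpdesk,ou=security,o=acme#[All Attributes Rights]
"""

if __name__ == "__main__":
    # cn=admin,o=acme holds both roles and is reported; cn=ssadmin has only
    # Read and cn=helpdesk is not a SecretStore administrator.
    for dn in sod_violations(POLICY_LDIF, USERS_LDIF):
        print("VIOLATION: SecretStore administrator can also reset passwords:", dn)
```

Run it against real exports by replacing the two constants with the output of ldapsearch for the policy object and for each container that holds User objects; an empty result means no account currently holds both halves of the attack chain.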

To designate a SecretStore administrator, add that user's User object to the SecretStore Administrator List:

  1. In iManager, in the Roles and Tasks view, click SecretStore > Modify Policy.

  2. In the Object name field, browse to the SecretStore object in the Security container (SecretStore.Security, which is an sssServerPolicy object) or to an sssServerPolicyOverride object, then click OK.

    The installation program automatically creates the sssServerPolicy object (SecretStore.Security).

  3. Click Administrators.

  4. Click Add, navigate to and click the desired User object, click Select, then click OK.

    The following figure illustrates the SecretStore Administrator List:

    Adding a user to the list is not enough by itself. The Enable administrator access to SecretStore check box is not selected automatically, and it stays cleared no matter how many administrators you add. Select it to make the listed SecretStore administrators effective; only then can a selected SecretStore administrator unlock a user’s SecretStore, which is useful when a user forgets a password.

  5. Click OK or Apply to save the changes.

    The user is now a SecretStore Administrator.

4.2.1 Adding Advanced Security

SecretStore administrators can unlock a user’s SecretStore. To prevent these administrators from misusing this option, we recommend that you use NMAS and specify a strong security label.

If Novell Modular Authentication Service (NMAS) is installed, a Security Label box is displayed on the SecretStore > Administrators page. This box lists the security labels defined by the NMAS snap-in. Selecting a label sets the minimum clearance a SecretStore administrator must hold, which raises the bar for anyone acting as a SecretStore administrator.

After you define a security label on the sssServerPolicy object, a SecretStore administrator must be logged in with a session clearance that is equal to or greater than that label. Otherwise, that administrator cannot unlock any user’s SecretStore, even though the account is on the administrator list.