4.5 Using Enhanced Protection

The Enhanced Protection feature provides additional security for users' secrets. By default, a user's secrets have enhanced protection.

Figure 4-1 Enhanced Protection

This option is visible when you create a secret. For information on how to create a secret, see Section 4.4.1, Adding a Secret.

This section provides information on the following:

  Section 4.5.1, Locking SecretStore
  Section 4.5.2, Setting a Master Password and Hint

4.5.1 Locking SecretStore

With the Enhanced Protection option enabled for any secret in Novell SecretStore, if the network administrator changes the user's NDS password, SecretStore enters a locked state. When SecretStore is locked, no secrets stored with the Enhanced Protection option can be read until SecretStore is unlocked.

SecretStore can be unlocked only if the user provides the last NDS password that was set. Because an administrator should not know the user's previous NDS password, secrets that have enhanced protection are kept safe.

NDS and SecretStore can distinguish between user-initiated password changes and those done by an administrator. SecretStore only locks when an administrator changes a user's password. An encrypted hash of the user's previous password is updated in SecretStore only if the user initiates the change.

If the user has changed the NDS password at least once since the account was created and before any enhanced protection secrets are stored, this protection is completely secure, because the administrator does not know the password the user set. As a standard practice when you set up new User objects in NDS, require the user to change the password at first login.

Users who have Administrator-equivalent rights (that is, they have Supervisor rights but are not the actual network administrator) need to be careful when setting their own passwords. If a user sets a password when logged in as an Administrator-equivalent user, the user's SecretStore is then locked.

4.5.2 Setting a Master Password and Hint

The Master Password feature enables users to store and update a persistent password in SecretStore. If the Enhanced Protection feature is enabled and you (the administrator) reset a user's eDirectory password, SecretStore locks.

Also, a master password is useful if your secrets are locked and you can’t remember your previous eDirectory password. By entering a master password, you gain access to your SecretStore.

By default, your master password isn’t set. Only you can set your master password.

If the SecretStore client isn’t installed and running on the workstation, you can’t set a master password.

If you use SecureLogin with SecretStore, your master password is set when you create a passphrase answer in SecureLogin.

To set your master password:

  1. Make sure that you are logged in to eDirectory as the user (not as Admin or another role).

  2. In iManager, in the Roles and Tasks view, click SecretStore > SecretStore.

  3. Browse for and select your username, then click OK.

    The SecretStore - Monitor SecretStore page is displayed.

  4. In the Master Password row, click Set in the Action column.

  5. Open the Set Master Password dialog box by clicking Set.

  6. Type and confirm the master password.

  7. Type a hint that makes the master password easy for you to recall but isn’t obvious to an onlooker.

  8. Click OK to save the changes.

Other interfaces that unlock SecretStore (such as those built into the Lotus* Notes* and Entrust* connectors) accept the master password in place of the previous eDirectory password. However, these interfaces might not be capable of displaying the hint.
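The following Python model is an added example, not Novell's SecretStore code, that walks through the locking rules of Section 4.5.1 and the master-password unlock of Section 4.5.2. It assumes a PBKDF2-SHA256 hash as a stand-in for the "encrypted hash of the previous password" that the real product stores, and it models the administrator-versus-user distinction as an explicit `actor` argument; the secret names and passwords are constructed sample values.

```python
"""Model of SecretStore enhanced-protection locking (added example, not product code)."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


class SecretStoreLocked(Exception):
    """Raised when an enhanced-protection secret is read while the store is locked."""


def _pw_hash(password: str, salt: bytes) -> bytes:
    # Assumption: PBKDF2-SHA256 stands in for the product's encrypted password hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


class SecretStoreModel:
    USER, ADMIN = "user", "admin"

    def __init__(self, creation_password: str) -> None:
        self._salt = os.urandom(16)
        # Hash of the password most recently set by the user. At account creation the
        # administrator chose it, so the administrator knows it until the user changes it.
        self._last_user_pw: bytes = _pw_hash(creation_password, self._salt)
        self._master: Optional[bytes] = None   # not set by default
        self.master_hint: Optional[str] = None
        self.locked = False
        self._secrets: Dict[str, Tuple[str, bool]] = {}   # name -> (value, enhanced)

    def add_secret(self, name: str, value: str, enhanced: bool = True) -> None:
        self._secrets[name] = (value, enhanced)           # enhanced protection is the default

    def read_secret(self, name: str) -> str:
        value, enhanced = self._secrets[name]
        if enhanced and self.locked:
            raise SecretStoreLocked(name)                  # non-enhanced secrets stay readable
        return value

    def change_password(self, new_password: str, actor: str) -> None:
        if actor == self.USER:
            # User-initiated change: the stored hash follows the user's new password.
            self._last_user_pw = _pw_hash(new_password, self._salt)
        else:
            # Admin (or admin-equivalent) change: hash is not updated and the store locks.
            self.locked = True

    def set_master_password(self, master: str, hint: str, actor: str) -> None:
        if actor != self.USER:
            raise PermissionError("only the user can set the master password")
        self._master = _pw_hash(master, self._salt)
        self.master_hint = hint

    def unlock(self, candidate: str) -> bool:
        """Unlock with the last user-set password or the master password; True on success."""
        h = _pw_hash(candidate, self._salt)
        if hmac.compare_digest(h, self._last_user_pw):
            self.locked = False
        elif self._master is not None and hmac.compare_digest(h, self._master):
            self.locked = False
        return not self.locked


def walkthrough() -> Dict[str, bool]:
    """Account set up per the recommended practice: user changes the password at first login."""
    store = SecretStoreModel("Welcome1")                              # chosen by the admin
    store.change_password("MyFirst!", actor=SecretStoreModel.USER)    # first-login change
    store.add_secret("mail", "mail-pw")                               # enhanced (default)
    store.add_secret("wiki", "wiki-pw", enhanced=False)
    store.set_master_password("Master#2", "first pet", actor=SecretStoreModel.USER)

    out: Dict[str, bool] = {}
    store.change_password("Reset#9", actor=SecretStoreModel.ADMIN)    # admin resets password
    out["locked"] = store.locked
    try:
        store.read_secret("mail")
        out["enhanced_readable_while_locked"] = True
    except SecretStoreLocked:
        out["enhanced_readable_while_locked"] = False
    out["plain_readable_while_locked"] = store.read_secret("wiki") == "wiki-pw"
    out["unlock_with_admin_password"] = store.unlock("Reset#9")       # admin's new value: no
    out["unlock_with_creation_password"] = store.unlock("Welcome1")   # superseded by user: no
    out["unlock_with_last_user_password"] = store.unlock("MyFirst!")  # yes
    store.change_password("Reset#10", actor=SecretStoreModel.ADMIN)   # lock again
    out["unlock_with_master"] = store.unlock("Master#2")              # master password: yes
    return out


def no_first_login_change() -> bool:
    """Why the first-login change matters: without it the creation password still unlocks."""
    store = SecretStoreModel("Welcome1")
    store.add_secret("mail", "mail-pw")
    store.change_password("Reset#9", actor=SecretStoreModel.ADMIN)
    return store.unlock("Welcome1")


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
    print("creation password still unlocks without first-login change:", no_first_login_change())
```

`walkthrough()` shows that an administrator reset locks only enhanced-protection secrets, that neither the administrator's new password nor the superseded creation password unlocks the store, and that the last user-set password or the master password does; `no_first_login_change()` shows the gap Section 4.5.1 warns about when the user never changes the password the administrator assigned.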