Use the following property values to install SecureLogin.
NOTE:All the commands described in this section display details on the user interface. Use option /quiet to stop displaying details on the user interface displays and option /passive for minimal display of details on the user interface. For example: NetIQSecureLogin.exe /install /quiet X_PRIMARYSTORE=MAD.
When you install or migrate SecureLogin in LDAP environment, ensure that certificates used are certified by Certification Authority (CA). Server Certificates are installed and available on your LDAP server. For more information on how to export certificates from eDirectory using iManager, see Exporting Certificates from eDirectory Using iManager.
WARNING:Installing SecureLogin without a root CA certificate makes SecureLogin and the LDAP server open to security threats. It is not recommended to install SecureLogin without the root CA certificate.
IMPORTANT:Ensure that you provide the valid root CA certificate on every workstation during SecureLogin installation. The installation fails if the valid root CA certificate is not specified. However, if you want to install SecureLogin without the root CA certificate, see Installing SecureLogin in the LDAP Mode Without Root CA Certificate.
IMPORTANT:Ensure that the Subject Name or Subject Alternative Name of the certificate in eDirectory matches with the SecureLogin LDAP server name. If it does not match, create a new eDirectory certificate with the custom option in iManager.
IMPORTANT:Use the following command to upgrade SecureLogin without a root CA certificate.
NetIQSecureLogin.exe /install INSTALLWITHOUTCACERT=Yes
Table 8-1 Command Options for Installing in eDirectory Environment
|
Installation Mode |
Command Line Parameters |
Description |
|---|---|---|
|
eDirectory in NDS Credential Provider mode |
NetIQSecureLogin.exe /install X_PRIMARYSTORE=NDS |
Use this command to install SecureLogin in Credential Provider mode on eDirectory. |
|
eDirectory in LDAP Credential Provider Mode |
NetIQSecureLogin.exe /install X_PRIMARYSTORE=LDAP APPENDLOCAL=SeamlessLDAPGina LDAPSERVERADDRESS=192.168.1.255 CERTPATH=c:\temp\<certifictate file> /log log.txt |
Use this command to install SecureLogin in LDAP Credential Provider Mode on eDirectory. The default port is 636. To add another port, include the LDAPPORT in the command line. For example, NetIQSecureLogin.exe /install X_PRIMARYSTORE=LDAP APPENDLOCAL=SeamlessLDAPGina LDAPSERVERADDRESS=192.168.1.255 LDAPPORT=359 CERTPATH=c:\temp\<certifictate file> /log log.txt |
|
eDirectory in LDAP Credential Manager Mode |
NetIQSecureLogin.exe /install X_PRIMARYSTORE=LDAP APPENDLOCAL=SeamlessLDAPCred LDAPSERVERADDRESS=192.168.1.255 CERTPATH=c:\temp\<certifictate file> /log log.txt |
Use this command to install SecureLogin in Credential Manager mode on eDirectory. The default port is 636. To add another port, include the LDAPPORT in the command line. For example, NetIQSecureLogin.exe /install X_PRIMARYSTORE=LDAP APPEND_LOCAL=SeamlessLDAPCred LDAPSERVERADDRESS=192.168.1.255 LDAPPORT=389 CERTPATH=c:\temp\<certifictate file> /log log.txt |
|
eDirectory in LDAP Application Mode |
NetIQSecureLogin.exe /install X_PRIMARYSTORE=LDAP APPENDLOCAL=LDAPApp LDAPSERVERADDRESS=192.168.1.255 CERTPATH=c:\temp\<certifictate file> /log log.txt |
Use this command to install SecureLogin in LDAP Application Mode on eDirectory. The default port is 636. To add another port, include the LDAPPORT in the command line. For example, NetIQSecureLogin.exe install X_PRIMARYSTORE=LDAP APPENDLOCAL=LDAPApp LDAPSERVERADDRESS=192.168.1.255 LDAPPORT=389 CERTPATH=c:\temp\<certifictate file> /log log.txt |
When you install or migrate SecureLogin in LDAP environment, ensure that certificates used are certified by Certification Authority (CA). Server Certificates are installed and available on your LDAP server. For more information on how to export certificates from eDirectory using iManager, see Exporting Certificates from eDirectory Using iManager.
WARNING:Installing SecureLogin without a root CA certificate makes SecureLogin and the LDAP server open to security threats. It is not recommended to install SecureLogin without the root CA certificate.
IMPORTANT:Ensure that you provide the valid root CA certificate on every workstation during SecureLogin installation. The installation fails if the valid root CA certificate is not specified. However, if you want to install SecureLogin without the root CA certificate, see Installing SecureLogin in the LDAP Mode Without Root CA Certificate.
IMPORTANT:Ensure that the Subject Name or Subject Alternative Name of the certificate in eDirectory matches with the SecureLogin LDAP server name. If it does not match, create a new eDirectory certificate with the custom option in iManager.
IMPORTANT:Use the following command to upgrade SecureLogin without a root CA certificate.
NetIQSecureLogin.exe /install INSTALLWITHOUTCACERT=Yes
Table 8-2 Command Options for Installing in LDAP v3 (non-eDirectory) Environment
|
Installation Mode |
Command Line Parameters |
Description |
|---|---|---|
|
LDAP Credential Provider mode |
NetIQSecureLogin.exe /install X_PRIMARYSTORE=LDAP APPENDLOCAL=SeamlessLDAPGina X_NONEDIRLDAP=1 LDAPSERVERADDRESS=192.168.1.255 CERTPATH=c:\temp\<certifictate file> /log log.txt |
Use this command to install SecureLogin in LDAP Credential Provider mode on any LDAP-compliant directories (non-eDirectory). The default port is 636. To add another port, include the LDAPPORT in the command line. For example, NetIQSecureLogin.exe /install X_PRIMARYSTORE=LDAP APPENDLOCAL=SeamlessLDAPGina X_NONEDIRLDAP=1 LDAPSERVERADDRESS=192.168.1.255 LDAPPORT=389 CERTPATH=c:\temp\<certifictate file> /log log.txt |
|
LDAP Credential Manager Mode |
NetIQSecureLogin.exe /install X_PRIMARYSTORE=LDAP X_NONEDIRLDAP=1 APPENDLOCAL=SeamlessLDAPCred LDAPSERVERADDRESS=192.168.1.255 CERTPATH=c:\temp\<certifictate file> /log log.txt |
Use this command to install SecureLogin in Credential Manager mode on any LDAP-compliant directories (non-eDirectory). The default port is 636. To add another port, include the LDAPPORT in the command line. For example, NetIQSecureLogin.exe /install X_PRIMARYSTORE=LDAP X_NONEDIRLDAP=1 APPENDLOCAL=SeamlessLDAPCred LDAPSERVERADDRESS=192.168.1.255 LDAPPORT=389 CERTPATH=c:\temp\<certifictate file> /log log.txt |
|
LDAP Application Mode |
NetIQSecureLogin.exe /install X_PRIMARYSTORE=LDAP X_NONEDIRLDAP=1 APPENDLOCAL=LDAPApp LDAPSERVERADDRESS=192.168.1.255 CERTPATH=c:\temp\<certifictate file> /log log.txt |
Use this command to install SecureLogin in LDAP Application Mode on any LDAP-compliant directories (non-eDirectory). The default port is 636. To add another port, include the LDAPPORT in the command line. For example, NetIQSecureLogin.exe /install X_PRIMARYSTORE=LDAP X_NONEDIRLDAP=1 APPENDLOCAL=LDAPApp LDAPSERVERADDRESS=192.168.1.255 LDAPPORT=389 CERTPATH=c:\temp\<certifictate file> /log log.txt |
Table 8-3 Command Options for Installing in Active Directory Environment
|
Installation Mode |
Command Line Parameters |
Description |
|---|---|---|
|
Complete install |
NetIQSecureLogin.exe /install X_PRIMARYSTORE=MAD |
Use this command to install SecureLogin on Microsoft Active Directory, without prompting users for any selection. |
|
With group policies enabled |
NetIQSecureLogin.exe /install X_PRIMARYSTORE=MAD APPENDLOCAL=GPO |
Use this command to install SecureLogin on Microsoft Active Directory with support for group policy. |
Table 8-4 Command Options for Installing in Active Directory Application Mode Environment
|
Installation Mode |
Command Line Parameters |
Description |
|---|---|---|
|
Complete install |
NetIQSecureLogin.exe /install X_PRIMARYSTORE=ADAM |
Use this command to install SecureLogin on Microsoft Active Directory Application Mode, without prompting users for any selection. |
|
With group policies enabled |
NetIQSecureLogin.exe /install X_PRIMARYSTORE=ADAM APPENDLOCAL=GPO |
Use this command to install SecureLogin on Microsoft Active Directory Application Mode with support for group policy. |
Table 8-5 Command Options for Installing in Standalone Mode
|
Installation Mode |
Command Line Parameter |
Description |
|---|---|---|
|
Complete install |
NetIQSecureLogin.exe /install X_PRIMARYSTORE=DUMMY |
Use this command to install SecureLogin in a standalone mode, without any user interface. |
When installing SecureLogin, the GPO and RunAtStartup features are installed by default. You can choose to install various features such as support for smart card and support for Citrix.
Use the following table as reference to specify these features when installing SecureLogin.
HINT:APPENDLOCAL can be used to install any specific feature using the feature name. For enabling multiple features, specify the feature names separated by a comma.
For example: To install DAS, and SmartCard, use APPENDLOCAL in the following manner:APPENDLOCAL=DAS, SmartCard
Table 8-6 Commands for Installing Features
|
Command Line Parameters |
Value |
Description |
Example |
|---|---|---|---|
|
INSTALLDIR |
Installation folder |
Installs SecureLogin in the specified folder or directory. |
INSTALLDIR=C:\Program Files\NetIQ\SecureLogin\ |
|
X_CACHEDIR |
Cache folder |
Installs SecureLogin in the specified folder or directory. |
X_CACHEDIR=%LOCALAPPDATA% |
|
X_PRIMARYSTORE=MAD |
Install SecureLogin on Microsoft Active Directory. |
NetIQSecureLogin.exe /install X_PRIMARYSTORE=MAD |
|
|
SMARTCARD |
Installs smartcard support. |
APPENDLOCAL=SmartCard Smart card support is installed only if ActivIdentity ActivClient is detected on the machine. Set the cryptographic service provider and smart card DLL file by defining the X_CSP and X_SMARTCARDLIB properties. X_CSP=Microsoft Base Smart Card Crypto Provider X_SMARTCARDLIB=C:\Windows\System32\basecsp.dll |
|
|
Desktop |
Installs desktop and tray icon for SecureLogin. |
ADDLOCAL=Desktop |
|
|
MMC_AD |
Installs Active Directory MMC Snapin and Active Directory query extension. |
ADDLOCAL=MMC_AD |
|
|
MMC_GPO_EDIT |
Installs Active Directory MMC Snapin for GPO editor. |
ADDLOCAL=MMC_GPO_EDIT |
|
|
Citrix |
Installs Citrix support. |
ADDLOCAL=Citrix |
|
|
CitrixSeamless |
Installs Citrix support for seamless sign-on. |
APPENDLOCAL=CitrixSeamless |
|
|
CitrixAgent |
|
Installs Citrix Agent support. |
APPENDLOCAL=CitrixAgent |
|
TerminalServer |
|
Installs general configurations of Terminal Server. |
APPENDLOCAL=TerminalServer |
|
TSSeamless |
|
Installing this feature allows seamless sign-on using eDirectory, AD, LDAP etc. |
APPENDLOCAL=TSSeamless |
|
TSAgent |
|
Installs files and registry for Terminal Server Virtual Channels to allow seamless sign-on to remote terminal servers. |
APPENDLOCAL=TSAgent |
|
AAF2 |
Installs files that are required to configure Advanced Authentication. |
APPENDLOCAL=AAF2 |
|
|
HELP |
Installs SecureLogin help files. |
APPENDLOCAL=HELP |
|
|
DAS |
Installs files that are required to configure Desktop Automation Services for Kiosk mode. |
APPENDLOCAL=DAS |
|
|
LDAPPORT |
Port address |
Specifies the LDAP port address. |
LDAPPORT=389 |
|
SecureWorkstation |
|
Installs SecureWorkstation. |
APPENDLOCAL=SecureWorkstation |
|
Admin |
Specifies installing the directory administration tools. |
APPENDLOCAL=Admin |
|
|
SMARTCARDLIB |
|
Specifies the PKCS#11 encryption library to use. The value is supplied as the name of the desired DLL file. |
X_SMARTCARDLIB="C:\Resources\acpkcs201rc.dll" |
|
CSP |
|
Specifies a cryptographic service provider. It is typically a string constant from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\ Defaults\Provider. |
X_CSP="ActivCard Gold Cryptographic Service Provider" |
|
GPO |
Installs Microsoft Group Policy Support for ADAM, AD and AD LDS. |
APPENDLOCAL=GPO |
|
|
MinMem |
Installing this feature will allow you to set the minimum and maximum working set sizes for the specified SecureLogin process. |
APPENDLOCAL=MinMem |
|
|
RoamProfile |
Installs settings that change seamless sign-on process to allow roaming files to log off cleanly. |
APPENDLOCAL=RoamProfile |
|
|
DisableCache |
It disables the local file cache for offline support. Do not install this feature if a local cache is required. |
APPENDLOCAL=DisableCache |
|
|
SeamlessMAD |
Uses the Windows credentials for seamless sign on in the Active Directory environment. |
APPENDLOCAL=SeamlessMAD |
|
|
VCRedist_*_* |
Installs Visual C++ Redistributable Package |
APPENDLOCAL=VCRedist_11_x86 APPENDLOCAL=VCRedist_11_x64 APPENDLOCAL=VCRedist_10_x64 APPENDLOCAL=VCRedist_10_x86 |
|
|
*SSO |
WinSSO, JavaSSO, TermSSO, IESSO, FireFoxSSOJS, ChromeSSO, EdgeSSO, DotNetSSO |
Enables SSO support for various platforms respectively. |
APPENDLOCAL=WinSSO APPENDLOCAL=JavaSSO APPENDLOCAL=TermSSO APPENDLOCAL=DotNetSSO |
|
Auditing |
|
Installs files to audit SecureLogin events. |
APPENDLOCAL=Auditing |
|
WindowsEventLog |
Logs Windows event messages. |
APPENDLOCAL=WindowsEventLog |
|
|
SysLogCacheForward |
Installing this feature forwards the events logged in Windows Event Log to the Syslog server. |
APPENDLOCAL=SysLogCacheForward |
|
|
SysLog |
Installing this feature sends audit messages to the Syslog server. |
APPENDLOCAL=SysLog |
|
|
Tools |
Installing tools required for the administrative tasks. For example, SlapTool for provisioning. |
APPENDLOCAL=Tools |
This section lists some examples that you can use in your environment.
The following example installs SecureLogin in the following setup.
Microsoft Active Directory mode
Support for Group Policy
SecureLogin is not launched at the completion of the installation
NetIQSecureLogin.exe /install X_PRIMARYSTORE=MAD APPENDLOCAL=GPO
The following example installs SecureLogin in the following setup.
eDirectory mode.
SecureLogin is not launched at the completion of the installation
User is prompted to restart after the installation is complete.
NetIQSecureLogin.exe /install X_PRIMARYSTORE=NDS APPENDLOCAL=INSTALLADMIN
A silent install provides InstallShield Wizard with instructions for installing SecureLogin. To use a silent install, you must use a response file.
A response file is a text file (responsefile.ini) containing sections and keys. The response file is created during installation in <WidowsVolume>\NSLFiles\responsefile.ini. It captures your responses to the dialogs that you encounter during the installation. This is later used as an input for silent installation. It is recommended that you do not modify the responsefile.ini.
IMPORTANT:During silent install, the PATHTOISS property must contain the absolute path to responsefile.ini. If it is a relative path or if the file path is invalid, then SecureLogin installation is aborted.
For instance,
An administrator runs the graphical installer on a single machine. During the install, the administrator selects the configuration he or she wants to roll out to the machines of the target users.
At the end of the installation a response file is created and available located in <windows Volume>\NSLFiles. It contains the command line properties required to replicate the graphical installation the administrator has done.
The administrator can take this response file and copy it to the target machines or to a mapped network drive for use with target machine installs.
IMPORTANT:Upgrading SecureLogin using the responsefile.ini file is not supported.
To install SecureLogin on all the target machines with the responsefile.ini file, run the following command:
NetIQSecureLogin.exe /install X_PRIMARYSTORE=LDAP PATHTOISS="c:\temp\responsefile.ini" /quiet /log /log.txt
Substitute value of X_PRIMARYSTORE with one of the following values:
MAD -Microsoft Active Directory
ADAM - Active Directory Application Mode
NDS - NetIQ eDirectory with Novell Client
LDAP - NetIQ eDirectory with LDAP
If you try to install NSL using responsefile.ini in any of LDAP modes (like Gina/CP, CM and App mode), then these modes have certain prerequisites like NICI, NMAS etc. So it is important to pass value for Data store along with responsefile.ini.
For example :
NetIQSecureLogin.exe X_PRIMARYSTORE=LDAP PATHTOISS="C\Users....\responsefile.ini" /quietInstallation fails if we do not specify the X_PRIMARYSTORE, as prerequisites are not met. If prerequisites like NICI and NMAS is already present in the workstation, then do not specify X_PRIMARYSTORE value in command line
You can create a new response file or edit one from a previous installation. During the installation, the responsefile.ini is created in the <WindowsVolume>\NSLFiles folder.
IMPORTANT:Non-English users must first run MSI with transform file and then run the update sequentially.
The following is an example of a response file.
INSTALLDIR=C:\Program Files\NetIQ\SecureLogin\X_CACHEDIR=%LOCALAPPDATA%X_PRIMARYSTORE=MADX_NONEDIRLDAP=NoADDLOCAL=SmartCard,GPO,MinMem,RoamProfile,DisableCache,SeamlessMAD,WinSSO,JavaSSO,TermSSO,IESSO,FireFoxSSOJS,ChromeSSO,EdgeSSO,DotNetSSO,Admin,MMC_AD,MMC_GPO_Edit,Tools,Citrix,CitrixSeamless,CitrixAgent,TerminalServer,TSSeamless,TSAgent,AAF2,DAS,SysLogCacheForward,SysLog,RunAtStartup,Desktop,CredStore,DirectorySignon,SSOAut,PrimaryStore,WindowsEventLog,Auditing,VCRedist_11_x86,VCRedist_11_x64,VCRedist_10_x64,VCRedist_10_x86LDAPSERVERADDRESS=LDAP server addressLDAPPORT=636LDAPSERVERADDRESS=LDAP server addressLDAPPORT=636CERTPATH=LDAPSERVERADDRESS1=LDAPPORT1=CERTPATH1=LDAPSERVERADDRESS2=LDAPPORT2=CERTPATH2=X_SMARTCARDLIB=C:\Windows\System32\basecsp.dllX_CSP=Microsoft Base Smart Card Crypto ProviderX_STOREONCARD=LOCATIONFORXML=DASSERVER=DASCONFIGOBJECT=X_SYSLOGSERVERURI=tls://localhost:6514X_SYSLOGLANGUAGEID=#1033X_AAFSERVERNAME=164.99.91.104X_AAFSERVERPORT=443X_AAFEVENTNAME=Windows logon
For more information on commands to use for respective features, see Commands for Installing the Features.