8.1 How Novell SecureLogin Uses Smart Cards

This section provides information on the following:

8.1.1 Prerequisites

SecureLogin supports ActivClient, Gemalto (formerly Axalto), AET SafeSign, Athena, and Fujitsu mPollux DigiSign smart card middleware only. ActivClient 6.2 is supported on 32-bit and 64-bit systems on all platforms.

To enable smart card support with Novell SecureLogin, the Use smart card option must be selected during installation, regardless of the administrator’s intended setting for the Novell SecureLogin security preference Require smart card is present for SSO and administration operations.

IMPORTANT: Contact Novell Support for information on other cryptographic service providers.

If you are using the Novell Enhanced Smart Card Method (NESCM) as the NMAS™ Client Method, note that NESCM is supported on Microsoft Windows XP SP3 and Microsoft Windows 2003 Server only.

Refer to Section 8.2, Installing Novell SecureLogin for Smart Cards, in the Novell SecureLogin Installation Guide for more information on enabling smart card support during installation and deployment.

NOTE: When you use eDirectory to create a certificate for a smart card user, ensure that the key usage options Digital Signature and Key Encipherment are checked.
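The note above requires two specific bits in the certificate's X.509 KeyUsage extension. The following Python script is an added example, not part of the Novell documentation or product, that decodes a DER-encoded KeyUsage value (the BIT STRING defined in RFC 5280, section 4.2.1.3, optionally still wrapped in its OCTET STRING extnValue) and reports whether both digitalSignature and keyEncipherment are set. It assumes you have already extracted that extension value from the user's certificate; the sample byte strings at the bottom are constructed for illustration and do not come from any real certificate.

```python
# Added example (not Novell's code): check the X.509 KeyUsage bits that a
# smart card user's certificate needs: digitalSignature and keyEncipherment.

# Bit positions of the KeyUsage BIT STRING, RFC 5280 section 4.2.1.3
KEY_USAGE_BITS = [
    "digitalSignature",   # bit 0
    "nonRepudiation",     # bit 1 (also called contentCommitment)
    "keyEncipherment",    # bit 2
    "dataEncipherment",   # bit 3
    "keyAgreement",       # bit 4
    "keyCertSign",        # bit 5
    "cRLSign",            # bit 6
    "encipherOnly",       # bit 7
    "decipherOnly",       # bit 8
]

# The two usages the NOTE above says must be checked for a smart card user
REQUIRED_FOR_SMART_CARD_LOGIN = {"digitalSignature", "keyEncipherment"}


def _unwrap_octet_string(der: bytes) -> bytes:
    """If the value is still the extnValue OCTET STRING (tag 0x04) that
    wraps the KeyUsage BIT STRING, strip that wrapper; otherwise return as-is."""
    if len(der) >= 2 and der[0] == 0x04:
        length = der[1]
        if length & 0x80 or len(der) != 2 + length:
            raise ValueError("malformed OCTET STRING wrapper")
        return der[2:]
    return der


def decode_key_usage(der: bytes) -> set:
    """Parse a DER BIT STRING carrying KeyUsage and return the set of usage
    names whose bit is set. Raises ValueError on malformed input."""
    der = _unwrap_octet_string(der)
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    # KeyUsage values are tiny, so only the short length form is expected
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("length mismatch")
    unused_bits = der[2]          # first content byte: trailing unused bits
    payload = der[3:]
    if unused_bits > 7 or (not payload and unused_bits != 0):
        raise ValueError("invalid unused-bits count")
    total_bits = len(payload) * 8 - unused_bits
    usages = set()
    for index, name in enumerate(KEY_USAGE_BITS):
        if index >= total_bits:
            break                 # bit is absent, i.e. not asserted
        mask = 0x80 >> (index % 8)  # bit 0 is the most significant bit
        if payload[index // 8] & mask:
            usages.add(name)
    return usages


def meets_smart_card_requirements(der: bytes) -> bool:
    """True when both required usages are present in the certificate."""
    return REQUIRED_FOR_SMART_CARD_LOGIN <= decode_key_usage(der)


# Constructed sample values (not taken from any real certificate):
# digitalSignature + keyEncipherment -> bits 101, five trailing bits unused
GOOD_KEY_USAGE = bytes.fromhex("030205a0")
# digitalSignature only -> bit 1, seven trailing bits unused
SIGN_ONLY_KEY_USAGE = bytes.fromhex("03020780")
# keyCertSign + cRLSign, typical of a CA certificate, not a user certificate
CA_KEY_USAGE = bytes.fromhex("03020106")

if __name__ == "__main__":
    for label, value in [("user cert", GOOD_KEY_USAGE),
                         ("sign-only cert", SIGN_ONLY_KEY_USAGE),
                         ("CA cert", CA_KEY_USAGE)]:
        print(label, sorted(decode_key_usage(value)),
              "OK" if meets_smart_card_requirements(value) else "MISSING USAGE")
```

A certificate that carries only digitalSignature, or a CA-style keyCertSign/cRLSign set, is reported as not meeting the requirement, which is the condition the note asks you to avoid when issuing the smart card user's certificate.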

8.1.2 Using Smart Card to Log In to Workstation

Novell SecureLogin allows a user to alternate their login method by using a smart card.

However, a user can log in by using a smart card to access the SecureLogin credentials only if the smart card option was selected during installation.

If the smart card option is not selected during installation, a user attempting to access SecureLogin on the workstation is forced to log in with his or her username and network password.

8.1.3 Strong Authentication Methods

The following sections explain the strong authentication methods used in Novell SecureLogin.

Advanced Authentication

Novell SecureLogin uses the AAVerify command to enforce strong security on applications and functions that cannot enforce strong security natively. Use the command in conjunction with the Novell SecureLogin re-authentication feature or Novell Modular Authentication Services (NMAS) to require users to log in with a smart card.

For details of the AAVerify application definition command, see the Novell SecureLogin Application Definition Guide.

New Functionality in the AAVerify Command

The existing version of the AAVerify command relies on Novell Modular Authentication Services (NMAS) or any other advanced authentication method, such as a smart card, being deployed at the back end to process any reauthentication calls.

The new AAVerify command was developed specifically to provide a secure method to reauthenticate a user successfully before populating the Novell SecureLogin credentials for designated sensitive applications. In an enterprise or corporate environment, a sensitive application is one to which a Novell SecureLogin application definition calling for reauthentication is applied.

To process the reauthentication request, the new AAVerify command now takes into account the method by which users are currently logged in, as well as their directory connectivity status.

If users have logged in with a username and password, they are prompted to reauthenticate by using the password, regardless of whether they are offline or online.

If users have logged in with a smart card, they are prompted to reauthenticate by using the original smart card PIN, regardless of whether they are offline or online.

The new AAVerify command is independent of NMAS and can be used to enforce strong user-friendly re-authentication by using a smart card and PIN or password without installing NMAS.

The new AAVerify command caters to a mixed environment where either of the following conditions exists:

  • A user might log in to a number of workstations by using a combination of smart card and password authentication.

  • Several users might log in to one workstation by using either smart card or password authentication.

The New ?IsPin Variable

?IsPin is a new Novell SecureLogin variable available in Microsoft Active Directory mode only.

The ?IsPin variable is automatically generated when a user logs in and stores information on whether the user has logged in to the workstation by using a smart card and PIN, or has logged in by using a password.

When the ?IsPin variable is called from an application definition, it indicates the following:

  • If the returned value is true, the user has logged in by using a smart card, and only the PIN value is passed through to Novell SecureLogin.

  • If the returned value is false, the user has logged in with a password.

NOTE: The ?IsPin variable is updated only at a login and is not updated at a screen unlock.

Recommended Configuration

Whether to select the Use smart card option is normally based on your preference to have the Novell SecureLogin users utilize a smart card to store the single sign-on data or to encrypt their directory data by using a Public Key Infrastructure (PKI).

If you decide to allow users to log in to their workstations by using a smart card and reauthenticate against their smart card, then the Use smart card option must be selected during the installation regardless of the option set for Require smart card is present for SSO and administration operations.

NOTE: We recommend that you use a smart card configuration policy to lock the screen on card removal to ensure that the smart card belongs to the currently logged-in user.

Example Application Definition

The following application definition shows how to call the AAVerify command based on the login method. It uses the Notepad application. After Notepad is started, the AAVerify command is invoked to prompt the user to reauthenticate, using the same method the user used to log in to the workstation.

# Match the Notepad window
Dialog
   Class Notepad
EndDialog

# Route AAVerify failures and cancellations to the subroutines below
OnException AAVerifyFailed Call AAVerifyFailed
OnException AAVerifyCancelled Call AAVerifyCancelled

# ?IsPin is "true" when the user logged in with a smart card and PIN,
# so reauthenticate with the same method the user used at login
If ?IsPin Eq "true"
   AAVerify -method "smartcard" ?result
Else
   AAVerify -method "password" ?result
EndIf
ClearException AAVerifyFailed
ClearException AAVerifyCancelled

# Reauthentication succeeded: enter the stored credentials
Type $username
Type \n
Type $password
Type \n

Sub AAVerifyFailed
   MessageBox "Reauthentication failed."
   EndScript
EndSub

Sub AAVerifyCancelled
   MessageBox "Reauthentication cancelled."
   EndScript
EndSub

Reauthenticating a Predefined Web Application

If the new AAVerify command is used to reauthenticate a Web browser-based application or if the Prompt for device authentication for this device option is enabled for Web applications, then the predefined application definition for the Web browser must be applied for that particular user to avoid confusion when prompting for reauthentication.

One Time Password

The use of multiple passwords places a high maintenance overhead on large enterprises, which results in significant cost where users use and manage multiple logins. Calls to the help desk to reset a forgotten password, provisioning all passwords when a new employee joins, and deleting the logins when an employee leaves can be costly.

A one time password (OTP) reduces this cost, particularly with regard to calls to the help desk to reset a forgotten password, or to ensuring that all passwords are provisioned when a new user starts and deleted when an existing user leaves the organization.

SecureLogin integrates with ActivIdentity’s one time password authentication functionality and provides access to the GenerateOTP application definition command, which can be used to generate synchronous and asynchronous authentication soft token support for smart card user authentication.

Smart Card Password Login

ActivIdentity’s Smart Card Password Login (SCPL) provides smart card-based Windows login that is not PKI-based. SCPL, when used in conjunction with SecureLogin, stores and manages a user’s Windows login and SecureLogin credentials. It provides efficient network login by allowing a user to simply insert their smart card and enter their PIN.

Network Authentication

Network authentication is the verification of a user's login credentials before granting access to a network or operating system. Users typically authenticate to a network using one of the following methods:

  • Password

  • Biometric device (fingerprint or iris scan)

  • Smart card and PIN

  • Token

When a user authenticates successfully and the operating system loads, SecureLogin starts and manages the login credentials to the user's single sign-on-enabled applications.

If you want to enforce biometric, smart card, or token authentication at the application (or transaction) level, AAVerify can be used with SecureLogin to prompt the user to re-authenticate before SecureLogin retrieves their credentials and logs in to single sign-on enabled applications.

You can also integrate network authentication methods such as ActivIdentity’s SCPL with Novell SecureLogin to manage users’ Windows login credentials (user name, password, and network selection). SCPL provides secure and convenient network login by allowing a user to simply insert the smart card and enter the PIN to gain network access. SCPL retrieves the user's Windows username and password from the smart card and automatically enters these into the Windows Graphical Identification and Authorization (GINA) interface after the user enters his or her PIN.

Smartcard Application Reauthentication

You can configure SecureLogin to reauthenticate an application by using the SecureLogin Administrative Management Utility or the application definition wizard. To use this, enable Prompt for device re-authentication for this application and configure the Re-authentication method.

For more details, refer to Section 10.0, Reauthenticating Applications.