8.4 Using PKI Encryption for the Datastore and Cache

If PKI credentials are used to encrypt Novell SecureLogin data with the passphrase security system off (set to No), you should consider implementing key archive/backup and recovery. If key archive/backup and recovery is not implemented and the passphrase security system is not enabled, users can never decrypt their Novell SecureLogin data if they lose their smart card, because the private key is stored only on the lost smart card.

Without private key recovery, you have to clear the user's Novell SecureLogin data store and reset the user's application passwords before the user can use Novell SecureLogin again. This is a high-security solution, but it is inconvenient to end users because they cannot access Novell SecureLogin without the smart card.

8.4.1 Choosing a Certificate

When a smart card is configured to use PKI credentials to encrypt single sign-on data, SecureLogin retrieves the serial number of the current certificate and locates the certificate in the certificate store as specified in the relevant SecureLogin preferences. SecureLogin then loads the associated private key and attempts to decrypt the user key with the private key.

If the decryption fails or the certificate is not located (that is, a smart card is present but no certificate matching the selection criteria is found on it), Novell SecureLogin assumes that a recovered smart card is in use. It then attempts to decrypt the user key with each key pair stored on the card.

IMPORTANT: If you are using PKI encryption and the certificate selection criteria depend on the certificate's friendly name, disable Microsoft certificate propagation.

Because the Windows certificate propagation method does not propagate the certificate friendly name, SecureLogin cannot match the certificate and you cannot successfully start Novell SecureLogin.

To disable Microsoft certificate propagation, set the following registry value to 0.

  1. On the Windows Start menu, click Start > Run to display the Run dialog box.

  2. Type regedit then click OK to open the Registry Editor.

  3. Browse to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp

  4. Create a DWORD Value named Enabled.

  5. Set the value of the DWORD to 0.

  6. Exit the Registry Editor.
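The six steps above can be performed from an elevated PowerShell session instead of the Registry Editor. The following script is an added example, not part of the Novell SecureLogin documentation; it records the existing value before changing it so the change can be reverted, creates the Enabled DWORD under the ScCertProp key named in step 3, sets it to 0, and reads it back to confirm. It assumes the ScCertProp key already exists on the target system (as step 3 implies) and only creates it if it is missing.

```powershell
# Added example (not from the Novell SecureLogin documentation): disable Microsoft
# smart card certificate propagation by creating Enabled = 0 (DWORD) under the
# Winlogon\Notify\ScCertProp key named in the procedure above.
# Run from an elevated PowerShell session; writing under HKLM requires administrator rights.
$keyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp'
$valueName = 'Enabled'

# Record the current state first so the change can be reverted if needed.
if (Test-Path -Path $keyPath) {
    $before = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -ne $before) {
        Write-Host "Current ${valueName} value: $($before.$valueName)"
    } else {
        Write-Host "${valueName} does not exist yet under $keyPath"
    }
} else {
    # Assumption: the key normally exists on a system with the ScCertProp notify package
    # registered. Create it only if it is missing, mirroring step 3 of the procedure.
    Write-Host "Key $keyPath not found; creating it"
    New-Item -Path $keyPath -Force | Out-Null
}

# Steps 4 and 5: create the DWORD value named Enabled and set it to 0.
New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 0 -Force | Out-Null

# Verify the result before relying on it (equivalent to re-opening the key in regedit).
$after = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
if ($after -eq 0) {
    Write-Host "Certificate propagation disabled: $keyPath\$valueName = $after"
} else {
    throw "Unexpected value for ${valueName}: $after"
}
```

To revert, delete the value with `Remove-ItemProperty -Path $keyPath -Name Enabled` or set it back to the value the script printed as the current value.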

Figure 8-2 Setting the DWORD Value for Disabling Microsoft Certificate Propagation

8.4.2 Certificate Selection Criteria

The Certificate Selection Criteria option allows you to select the encryption or authentication certificate used to encrypt a user's single sign-on information in the directory.

Figure 8-3 Certificate Selection Criteria

The certificate selection criteria determine which certificate to select if multiple certificates are in use (for example, if an enterprise has configured an Entrust certificate for single sign-on encryption and a Microsoft certificate for login and/or authentication).

If only one certificate is used, the field is blank and the certificate is detected automatically and set to User Certificate. When entering certificate selection criteria, no special formatting is required and the search string is not case sensitive. Wildcards are not used and a search matches if the search text is a substring of the certificate subject field. SecureLogin attempts to match against certificate subject, issuer, and friendly name in the following order:

  1. Certificate Subject

  2. Certificate Issuer

  3. Friendly Name

Example 8-1 For example, if the certificate subject is

CN=Writer,OU=Users,OU=Accounts,OU=APAC,DC=Novell,DC=Int

Then Writer is a valid search value, as are Accounts, APAC, and Int. The prefixes CN=, OU=, or DC= are not required.

Similarly, if the Certificate Issuer is

CN=IssuingCA1,OU=AD,DC=undiscovered,DC=com

Then IssuingCA1 is a valid search value, as are AD, undiscovered, and com.
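The selection rule described in this section (case-insensitive substring match, no wildcards, tried against the Subject, then the Issuer, then the Friendly Name) is modelled in the following PowerShell function so that an administrator can predict which certificate a given criteria string will pick before entering it in the preference. This is an added example, not Novell's code or SecureLogin's actual implementation. The function and the sample certificates are constructed for illustration: the two sample certificates reuse the subject and issuer values from Example 8-1, and their friendly names and thumbprints are invented. The assumption that, within one field, the first matching certificate in store order wins is also this example's, not a statement from the documentation.

```powershell
# Added example (not Novell's code): model the SecureLogin certificate selection rule
# described above. Returns the first certificate whose Subject, then Issuer, then
# FriendlyName contains the criteria string (case-insensitive, no wildcards).
# Assumption: within one field, store order decides between multiple matches.
function Select-SsoCertificate {
    param(
        [Parameter(Mandatory)] [AllowEmptyString()] [string] $Criteria,
        [Parameter(Mandatory)] [object[]] $Certificates
    )
    # Blank criteria: the documentation says a single certificate is detected automatically.
    if ([string]::IsNullOrWhiteSpace($Criteria)) {
        if ($Certificates.Count -eq 1) {
            return [pscustomobject]@{ Certificate = $Certificates[0]; MatchedOn = 'OnlyCertificate' }
        }
        throw "Criteria are blank but $($Certificates.Count) certificates are present; enter a selection string."
    }
    # Field order matters: a Subject hit anywhere in the store beats an Issuer or Friendly Name hit.
    foreach ($field in 'Subject', 'Issuer', 'FriendlyName') {
        foreach ($cert in $Certificates) {
            $haystack = [string]$cert.$field
            # Plain ordinal substring test: no prefixes like CN= required, no wildcard expansion.
            if ($haystack.IndexOf($Criteria, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
                return [pscustomobject]@{ Certificate = $cert; MatchedOn = $field }
            }
        }
    }
    return $null
}

# Constructed sample store (friendly names and thumbprints are invented; subject and issuer
# values are taken from Example 8-1). Real X509Certificate2 objects from
# Get-ChildItem Cert:\CurrentUser\My expose the same Subject/Issuer/FriendlyName properties.
$sampleStore = @(
    [pscustomobject]@{
        Subject      = 'CN=Writer,OU=Users,OU=Accounts,OU=APAC,DC=Novell,DC=Int'
        Issuer       = 'CN=IssuingCA1,OU=AD,DC=undiscovered,DC=com'
        FriendlyName = 'Entrust SSO encryption'
        Thumbprint   = 'CONSTRUCTED-THUMBPRINT-1'
    },
    [pscustomobject]@{
        Subject      = 'CN=Writer Logon,OU=Users,DC=Novell,DC=Int'
        Issuer       = 'CN=LogonCA,DC=Novell,DC=Int'
        FriendlyName = 'Microsoft smart card logon'
        Thumbprint   = 'CONSTRUCTED-THUMBPRINT-2'
    }
)

# Walk through several criteria strings and show which certificate and field each selects.
foreach ($criteria in 'APAC', 'undiscovered', 'smart card logon', 'Writer', 'Writer*') {
    $result = Select-SsoCertificate -Criteria $criteria -Certificates $sampleStore
    if ($null -eq $result) {
        Write-Host "'$criteria' -> no match (wildcards are not expanded)"
    } else {
        Write-Host "'$criteria' -> $($result.Certificate.Thumbprint) via $($result.MatchedOn)"
    }
}
```

Running the walk-through shows why the criteria should be distinctive: 'APAC' and 'undiscovered' select the first certificate by Subject and Issuer respectively, 'smart card logon' reaches the second certificate only through its Friendly Name (which is exactly the case broken by Windows certificate propagation, as noted in Section 8.4.1), 'Writer' is ambiguous because it is a substring of both subjects and so silently picks whichever is first in store order, and 'Writer*' matches nothing because the asterisk is treated literally. To test against a real user store, pass `(Get-ChildItem Cert:\CurrentUser\My)` as the Certificates argument.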

8.4.3 Current Certificate

This option displays the certificate that is currently being used by SecureLogin to encrypt a user’s single sign-on data.

Figure 8-4 Current Certificate