This section provides information on the following:
SecureLogin supports ActivClient, Gemalto (formerly Axalto), AET SafeSign, Athena, and Fujitsu mPollux DigiSign smart card middleware only. ActivClient 6.2 is supported on 32-bit and 64-bit systems on all platforms.
To enable smart card support with SecureLogin, the option must be selected during installation, regardless of the administrator's intended preferences for setting the SecureLogin security preference.
IMPORTANT: Contact NetIQ Support for information on other cryptographic service providers.
If you are using Novell Enhanced Smart Card Method (NESCM) as NMAS™ Client Method, NESCM is supported on Microsoft Windows XP SP3 and Microsoft Windows 2003 Server only.
See Section 8.2, Installing SecureLogin for Smart Cards, in the NetIQ SecureLogin Installation Guide for more information on enabling smart card support during installation and deployment.
NOTE: When you use eDirectory to create a certificate for a smart card user, ensure that the appropriate key usage options are checked.
SecureLogin allows a user to alternate their login method by using a smart card.
However, a user can log in by using a smart card to access the SecureLogin credentials only if the smart card option was selected during installation.
If the smart card option is not selected during installation, a user attempting to access SecureLogin on the workstation is forced to log in with his or her username and network password.
The following sections explain the strong authentication methods used in SecureLogin.
SecureLogin uses the AAVerify script command to enforce strong security for applications that cannot provide such a mechanism natively. AAVerify can also be implemented to provide user authentication to applications that have no existing authentication interface. Use this command in conjunction with NetIQ Advanced Authentication Framework or NetIQ Modular Authentication Services (NMAS) to force users to log in to the configured application with a smartcard.
For details of the AAVerify application definition command, see the NetIQ SecureLogin Application Definition Guide.
The existing version of the AAVerify command relies on NetIQ Modular Authentication Services (NMAS). Any NMAS-supported method, such as smart card, can be deployed at the back end to process re-authentication requests. In Active Directory environments, similar support is provided by NetIQ Advanced Authentication Framework.
The new AAVerify command was developed specifically to provide a secure method to re-authenticate a user, proving the user's identity before the SecureLogin credentials are injected into sensitive applications. In an enterprise or corporate environment, a sensitive application is one to which a SecureLogin application definition that calls for re-authentication is applied.
To process the reauthentication request, the new AAVerify command now takes into account the method by which users are currently logged in, as well as their directory connectivity status.
If users have logged in with a username and password, they are prompted to reauthenticate by using the password, regardless of whether they are offline or online.
If users have logged in with a smart card, they are prompted to reauthenticate by using the original smart card PIN, regardless of whether they are offline or online.
The new AAVerify command is independent of NMAS and can be used to enforce strong user-friendly re-authentication by using a smart card and PIN or password without installing NMAS.
The new AAVerify command caters to a mixed environment where either of the following conditions exists:
A user might log in to a number of workstations by using a combination of both smart card and password authentication.
Several users might log in to one workstation by using either smart card or password authentication.
?IsPin is a new SecureLogin variable available in Microsoft Active Directory mode only.
The ?IsPin variable is automatically generated when a user logs in and stores whether the user logged in to the workstation by using a smart card and PIN or by using a password.
When the ?IsPin variable is called from an application definition, it indicates the following:
If the returned value is true, the user has logged in by using a smart card, and only the PIN value is passed through to SecureLogin.
If the returned value is false, the user has logged in with a password.
NOTE: The ?IsPin variable is updated only at login and is not updated at a screen unlock.
The option is normally based on your preference to have the SecureLogin users utilize a smart card to store the single sign-on data or to encrypt their user's directory data by using a Public Key Infrastructure (PKI). If you decide to allow users to log in to their workstations by using a smart card and reauthenticate against their smart card, then the option must be selected during the installation regardless of the option set for .
NOTE: We recommend that you use a smart card configuration policy to lock the screen on card removal to ensure that the smart card belongs to the currently logged-in user.
The following application definition shows how to call the AAVerify command based on the login method. It uses the Notepad application. After the Notepad application is started, the AAVerify command is invoked to prompt the user to reauthenticate, using the login method for the workstation.
    Dialog
        Class Notepad
    EndDialog

    OnException AAVerifyFailed Call AAVerifyFailed
    OnException AAVerifyCancelled Call AAVerifyCancelled

    If ?isPin Eq "true"
        AAVerify -method "smartcard" ?result
    Else
        AAVerify -method "password" ?result
    EndIf

    ClearException AAVerifyFailed
    ClearException AAVerifyCancelled

    Type $username
    Type \n
    Type $password
    Type \n

    Sub AAVerifyFailed
        MessageBox "Reauthentication failed."
        EndScript
    EndSub

    Sub AAVerifyCancelled
        MessageBox "Reauthentication cancelled."
        EndScript
    EndSub

    ## EndSection: "Login Window"
If the new AAVerify command is used to reauthenticate a Web browser-based application or if the option is enabled for Web applications, then the predefined application definition for the Web browser must be applied for that particular user to avoid confusion when prompting for reauthentication.
The use of multiple passwords places a high maintenance overhead on large enterprises, and significant cost results where users use and manage multiple logins. Helpdesk calls to reset forgotten passwords, provisioning all passwords when a new employee joins, and deleting logins when an employee leaves can all be costly.
A one-time password (OTP) reduces this cost, particularly with regard to calls to the help desk to reset a forgotten password, or to ensure that all passwords are provisioned when a new user starts or deleted when an existing user leaves the organization.
SecureLogin integrates with ActivIdentity’s one time password authentication functionality and provides you access to the GenerateOTP application definition command, which can be used to generate synchronous authentication and asynchronous authentication soft token support for smart card user authentication.
ActivIdentity’s Smart Card Password Login (SCPL) provides smart card-based Windows login that is not PKI-based. SCPL, when used in conjunction with SecureLogin, stores and manages a user’s Windows login and SecureLogin credentials. It provides efficient network login by allowing a user to simply insert their smart card and enter their PIN.
You can configure SecureLogin to reauthenticate an application by using the SecureLogin Administrative Management Utility or the application definition wizard. To use this, enable
and configure the . For more details, see Section 10.0, Reauthenticating Applications.