Integrating and configuring Novell Access Manager 3.0 with Novell Secret Store

  • 3573235
  • 17-Nov-2006
  • 26-Apr-2012


Novell Access Manager 3 FCS
Novell Identity Server FCS build 491
NetWare Access Gateway (NAG)
Linux Access Gateway (LAG)


This document provides information regarding use of Novell Access Manager's Formfill and Identity Injection features with Novell SecretStore The doc will include

1 Basic Information
2 Known Issues
3 Configuration Notes
4 Troubleshooting tips


1 Basic Information

This document provides information regarding use of Novell Access Manager's Formfill and Identity Injection features with Novell SecretStore.

2 Known Issues

No outstanding interoperability defects.

3 Configuration Notes

The internal instance of eDirectory (the "config store”) running on the IDP server is used by default for creating and reading "Shared Secrets” for use with Identity Injection and Formfill. However, this implementation is not thefull-blown SecretStore and is not accessible to other applications; these secrets cannot be shared.

To use an external instance of Novell SecretStore so that secrets can be shared between applications such as SecureLogin, Formfill, Identity Injection, ConsoleOne, iManager, etc., the IDP must be configured to use an external user store where Novell SecretStore has been installed.

  1. Install Novell SecretStore on an eDirectory server

  2. Configure the IDP configuration to use this eDirectory server as a user store. Be sure to enable "Use secure LDAP connections” when configuring this user store.

  3. Configure the IDP configuration to use the external SecretStore:

  • iMgr/DevMan->Access Manager task->Identity Servers link

  • click the Setup tab, then click the Configuration link (or click the configuration under the Configuration Assignment column on the Servers tab)

  • click the Liberty tab->click the Web Service Provider menu item->click the Credential Profile link.

  • At the bottom of this Credential Profile page under section "Novell Secret Store User Store References”, click New. A list of User Stores will be displayed. Only those eDir type user stores configured for SSL communication with the IDP will be included in the list. From this list, select the user store(s) where Novell Secret Store has been installed. Click OK, OK, OK, then follow the prompt and click the Update Servers link on the configuration Setup page.

At this point, Identity Injection or Formfill policies which are configured to use a "Shared Secret” will read and/or write information from/to the SecretStore server. During configuration of these policies, the administrator is able to define the name of the secret as well as the keynames where data is stored in that secret.

4 Troubleshooting

Notes on the "internal” secret store:

When using Formfill and Identity Injection when an external SercretStore has not been configured, the secret data is stored on an attribute of an object representing the user in the IDP config store tree. When troubleshooting policies that use this internal secretstore, it is sometimes convenient to be able to view and/or delete this attribute. This can be done as follows:

  1. Do an NCP login to the config store tree on the IDP box

  2. Launch ConsoleOne from the workstation or other NetWare server

  3. Expand the config store tree and navigate down to ->novell->accessManagerContainer->nids->cluster->->LibertyUserProfiles.

This container holds nidsGUID objects for every user that has authenticated to the IDP. Rt click an object and select Properties. On the "Other” tab, attribute "nidsWsfSS” is the attribute used to store the Shared Secret data for that user. Highlight the attribute and click Modify to view some of the detail, such as secret name and key names (user data is encrypted). The attribute can also be deleted if desired (this would clear the secret of existing values and the attribute would be recreated on next login or whatever action is being used to create/populate the secret).