Changing the SecureLogin client from SecretStore mode to eDirectory mode

  • 7940149
  • 19-Aug-2009
  • 14-Nov-2012

Environment

SecureLogin
SecureLogin SSO
All Versions
Novell Netware, eDirectory


Situation

Issue

The customer uses Novell eDirectory as their corporate directory and is evaluating SecureLogin. The customer followed the documentation that comes with SecureLogin and configured SecretStore and NICI on the server and workstation as appropriate (for more information on SecretStore or NICI see www.novell.com).

The customer then installed SecureLogin in eDirectory with SecretStore mode and tested SecureLogin. They then wanted to know the quickest way of going back to eDirectory (only) mode for testing.

Resolution

Cause

In a Novell environment SecureLogin can be installed in eDirectory with SecretStore mode or eDirectory only mode. There are a number of reasons why you might go one way or the other that should be discussed with a consultant.

When SecureLogin is installed in either mode, you must run NDSSchema.Exe to extend the schema. In eDirectory only mode (no SecretStore) ALL SSO data including the user specific passphrase key, application usernames and passwords, SSO enabled applications and SecureLogin settings, is encrypted and stored in the Directory schema.

In SecretStore mode, SSO encrypted data such as the user specific passphrase key, SSO enabled applications and SecureLogin settings are stored in the schema, while actual logon credentials such as usernames and passwords are stored in SecretStore (i.e. only the actual application "secrets" are stored in SecretStore).

Customer wanted to test both modes of operation before deciding which suited their business requirements.

In either mode, there is protection against an administrator resetting a user’s network password and accessing their SSO secrets.

Solution

The quickest way to configure the SecureLogin client to use eDirectory mode after it has been installed in SecretStore mode is to edit the following registry key:

HKLM\Software\Protocom\SecureLogin\Security

Set the SecureLoginDataStore value to "NDS" instead of "SecretStore", or to "LDAP" instead of "LDAPSecretStore".

All SSO data will then be encrypted and saved into the Directory schema, and SecretStore and NICI are no longer used (this can also be useful for troubleshooting).
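As an added example (not part of the original TID), the following PowerShell script makes this registry change with the checks an administrator would want: it only acts when the current value is one of the two SecretStore values, maps it to the matching directory-only value, and exports the key first so the change can be reverted exactly. It assumes the value is a REG_SZ string, that the script runs elevated, and that the client was initially installed in SecretStore mode, as the Note below requires.

```powershell
# Added example, not from the original TID. Switches an existing SecureLogin
# client from SecretStore mode to eDirectory/LDAP-only mode by editing the
# SecureLoginDataStore value. Assumptions: REG_SZ value, elevated session,
# client INITIALLY installed in SecretStore mode (see the TID's Note).

$KeyPath   = 'HKLM:\SOFTWARE\Protocom\SecureLogin\Security'
$ValueName = 'SecureLoginDataStore'

# SecretStore-backed store -> directory-only store (mapping given in the TID).
$ModeMap = @{
    'SecretStore'     = 'NDS'
    'LDAPSecretStore' = 'LDAP'
}

function Get-SecureLoginDataStore {
    if (-not (Test-Path $KeyPath)) {
        throw "Registry key not found: $KeyPath (is the SecureLogin client installed?)"
    }
    $props = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction Stop
    return $props.$ValueName
}

function Set-SecureLoginEDirectoryMode {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $current = Get-SecureLoginDataStore
    if (-not $ModeMap.ContainsKey($current)) {
        # Already directory-only, or an unexpected value: leave it alone.
        Write-Warning "SecureLoginDataStore is '$current'; no SecretStore-to-directory change applies."
        return $current
    }
    $target = $ModeMap[$current]

    # Export the key so the original value can be restored with a double-click.
    $backup = Join-Path $env:TEMP ("SecureLogin-Security-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
    reg.exe export 'HKLM\SOFTWARE\Protocom\SecureLogin\Security' $backup /y | Out-Null

    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", "Set '$current' -> '$target'")) {
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $target -Type String
        Write-Host "SecureLoginDataStore changed from '$current' to '$target'. Backup: $backup"
    }
    return $target
}

# Use -WhatIf to preview the change without writing to the registry.
Set-SecureLoginEDirectoryMode -Verbose
```

Restart the SecureLogin client (or the workstation) after the change so it reads the new data store setting.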

Note: Whilst in this case you could change this registry setting back and it would use SecretStore again, you cannot change from eDirectory mode to eDirectory with SecretStore mode if you INITIALLY installed in eDirectory mode.

The SecretStore installation requires some SecretStore files on the workstation, such as the SecretStore Manager, that aren't installed when you select the eDirectory (only) mode (but they always exist if you initially install in SecretStore mode, so in that case you can switch back and forth with the registry setting).

In this case, or if you are having problems or don’t have registry access, remove the SecureLogin client (using Add/Remove Programs for example), reboot the workstation, and reinstall SecureLogin in eDirectory (only) mode.

We recommend contacting ActivIdentity Professional Services for more information.