NSL datastore changes with version 6

  • 7940463
  • 19-Aug-2009
  • 26-Apr-2012

Environment

Novell SecureLogin SSO


Situation

What impact do the datastore changes in version 6 have on organizations running previous versions of SecureLogin?

NSL Datastore version differences


Resolution

What has changed?

Version 6 of SSO introduces a number of new features regarding the SSO security system. These include support for PKI encryption of SSO credentials and the option to use AES for encrypting data. Both of these features require changes to the SSO data format.

Are there any new schema extensions?

No, not compared with v3.5 and later. v6 uses 6 schema extensions (note that early versions of SecureLogin use only 4 extensions).

The new version must be able to read old data. What is the problem?

The v6 SSO client can read data created with all previous versions of the product. However, older versions of the product cannot read data created by v6. This means that in a mixed environment, where some computers are running v6 and others a previous version, issues will arise when a user moves between these machines. This is especially problematic in Citrix environments or in large deployments.

I am currently running v3.x or v5.x, how can I upgrade to v6?

When you install SSO v6 it will detect that v3.x/v5.x data is in use and will continue to operate. While the product is in this mode all v3.x/5.x functionality will continue to be available, but any v6 functionality that relies on new data will not be available.

Most significantly this includes smart card support and AES encryption of data. If this new functionality is not required, then there is no great impetus to upgrade the data format. If, however, this new functionality is required, then the following process must be completed:

  1. Ensure all workstations have been upgraded to version 6 before toggling the datastore format (otherwise a user whose data has been upgraded will have issues if they attempt to log on to a workstation running a previous version of SecureLogin, and ASL will not load).
  2. Once all workstations have been upgraded, select a section of the forest/tree to upgrade and set Advanced Settings>DataStore format to v6.
  3. The next time those users start ASL, their SSO data will be converted to v6 format and the new features will be available.
  4. If the passphrase security system is used (Disable Passphrase Security System = No), when a user with data in a previous format first loads the v6 client they will be prompted to answer their passphrase question. The data will then be decrypted with the correct answer and re-encrypted using the v6 format. If the passphrase security system is disabled, the user will not be prompted for their passphrase.
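The compatibility rule behind steps 1 and 2 (a v6 client reads every earlier format, an older client cannot read v6 data) is easy to get wrong during a phased rollout. The following is an added example, not a Novell tool or part of this TID: a small rollout-gate script that applies that rule to a constructed workstation inventory for one container and refuses the datastore format toggle while any pre-v6 client remains, and that lists which users will see the passphrase prompt at first v6 load. The inventory, user list and function names are assumptions for illustration.

```python
"""Rollout gate for the SecureLogin DataStore format toggle (hypothetical helper).

Models the rule from the article: a client can read data formats up to and
including its own major version, so once a container is set to the v6 format,
every workstation its users log on to must already run the v6 client.
"""
from dataclasses import dataclass

V6 = 6


@dataclass(frozen=True)
class Workstation:
    name: str
    client_major: int  # installed SecureLogin client major version (3, 5 or 6)


def client_can_read(client_major: int, data_format: int) -> bool:
    """New clients read old data; old clients cannot read newer data."""
    return client_major >= data_format


def blocking_workstations(workstations, target_format: int = V6):
    """Workstations that would stop loading SSO data after the toggle."""
    return [w.name for w in workstations
            if not client_can_read(w.client_major, target_format)]


def safe_to_toggle(workstations, target_format: int = V6) -> bool:
    """True only when no workstation in the container would be left behind."""
    return not blocking_workstations(workstations, target_format)


def users_needing_passphrase_prompt(user_formats, passphrase_system_enabled: bool):
    """Users holding pre-v6 data are asked their passphrase answer on first v6
    load so the data can be decrypted and re-encrypted in the v6 format; with
    the passphrase security system disabled nobody is prompted."""
    if not passphrase_system_enabled:
        return []
    return sorted(u for u, fmt in user_formats.items() if fmt < V6)


# Constructed sample inventory for one OU (not real machine names or data).
SAMPLE_INVENTORY = [
    Workstation("WS-001", 6),
    Workstation("WS-002", 6),
    Workstation("CITRIX-01", 5),   # still on the v5 client
]

# Constructed map of user -> format version of their stored SSO data.
SAMPLE_USER_FORMATS = {"alice": 3, "bob": 6, "carol": 5}


if __name__ == "__main__":
    if safe_to_toggle(SAMPLE_INVENTORY):
        print("OK to set Advanced Settings > DataStore format = v6")
    else:
        print("Do NOT toggle yet; upgrade first:", blocking_workstations(SAMPLE_INVENTORY))
    print("Will be prompted for passphrase:",
          users_needing_passphrase_prompt(SAMPLE_USER_FORMATS, passphrase_system_enabled=True))
```

Run the gate per container you intend to switch, feeding it whatever inventory source you trust for installed client versions; the Citrix case in the sample is deliberate, since a single shared session host on an old client blocks every user who lands on it.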

Why are users prompted for their passphrase when they upgrade?

The new SSO security system stores additional passphrase information to facilitate seamless upgrades in the future and to enable the use of AES. Unfortunately the passphrase data stored in previous formats does not contain the information required to support these new features, and hence the user is prompted to re-enter their passphrase answer so that it can be upgraded.