5.2 Determining Deployment Configuration Parameters for Novell SecretStore

In order to provide the synchronization functionality described in the deployment scenario illustrated in Figure 4-1, the first step is to gather all of the business process information related to the Identity Manager and SecretStore environments. You can print Table 5-1, Credential Provisioning Policies Worksheet for SecretStore, and use it as a worksheet to record the information.

Table 5-1 Credential Provisioning Policies Worksheet for SecretStore

| Configuration Information Needed | Information |
|---|---|
| 1) Which applications will be configured for Web Single Sign-On provisioning? | |
| 2) The DNS name or IP address of the SecretStore repository server. | |
| 3) The SSL LDAP port for the SecretStore repository server. | |
| 4) The fully qualified LDAP distinguished name of the administrator for the SecretStore repository server. | |
| 5) The password of the administrator for the SecretStore repository server. | |
| 6) The full path and the name of the SSL certificate exported from the SecretStore server. The certificate must be local to the Identity Manager server. | |
| 7) Determine if SecretStore repositories will be used by multiple drivers or if each driver will use a separate repository. | |
| 8) Record the type of SecretStore secret that is being used. There are two supported types of secrets: A: Application Secret (SS_App: prefix); C: Credential Set Secret (SS_CredSet: prefix). | |
| 9) The application ID or Credential Set name for each provisioned application. | |
| 10) List all required authentication keys for each application, such as Username and Password. They might be different for each application. | |
| 11) Determine if any of the authentication key values can be set with a static value. | |
| 12) For non-static values that are or can be different for each user, make a note of the source of the non-static information (event information or Identity Vault attribute values). | |
| 13) If you are implementing SecretStore provisioning on a driver that is also synchronizing a password to the target application, determine if the SecretStore provisioning takes place before or after the password is set in the target application server. | |
| 14) The name of the Driver object where the repository and application objects are to be stored. (Can be different drivers.) | |
| 15) Determine the DN of the User objects for the target application. | |

5.2.1 Example Provisioning Configuration Data

Using the provisioning scenario in Figure 4-1, the following example data provisions a user’s SecretStore credentials for the Finance department’s GroupWise® domain server onto users in the Finance eDirectory authentication tree:

Table 5-2 Example Credential Provisioning Policies Worksheet for SecretStore

| Configuration Information Needed | Information |
|---|---|
| 1) Which applications will be configured for Web Single Sign-On provisioning? | GroupWise |
| 2) The DNS name or IP address of the SecretStore repository server. | 151.150.191.5 |
| 3) The SSL LDAP port for the SecretStore repository server. | 636 |
| 4) The fully qualified LDAP distinguished name of the administrator for the SecretStore repository server. | cn=admin,ou=finance,o=Tesetco Financials |
| 5) The password of the administrator for the SecretStore repository server. | dixml |
| 6) The full path and the name of the SSL certificate exported from the SecretStore server. The certificate must be local to the Identity Manager server. | c:\novell\nds\FinanceAD.cer |
| 7) Determine if SecretStore repositories will be used by multiple drivers or if each driver will use a separate repository. | For this example, there is only one repository. |
| 8) Record the type of SecretStore secret that is being used. There are two supported types of secrets: A: Application Secret (SS_App: prefix); C: Credential Set Secret (SS_CredSet: prefix). | |
| 9) The application ID or Credential Set name for each provisioned application. | GroupWise_Credentials |
| 10) List all required authentication keys for each application, such as Username and Password. They might be different for each application. | Username, Password |
| 11) Determine if any of the authentication key values can be set with a static value. | No static information for this scenario. |
| 12) For non-static values that are or can be different for each user, make a note of the source of the non-static information (event information or Identity Vault attribute values). | Username: Identity Vault attribute “CN”; Password: Event <password> |
| 13) If you are implementing SecretStore provisioning on a driver that is also synchronizing a password to the target application, determine if the SecretStore provisioning takes place before or after the password is set in the target application server. | After |
| 14) The name of the Driver object where the repository and application objects are to be stored. (Can be different drivers.) | GroupWise-Finance driver |
| 15) Determine the DN of the User objects for the target application. | Identity Vault attribute “DirXML-ADContext” |

Miscellaneous Environment Information:

  • The Finance department eDirectory tree serves as the SecretStore repository for all Finance applications.

  • All finance department provisioning drivers are in a driver set called Finance Drivers.

  • The GroupWise account must be deleted and the SecretStore credentials for the GroupWise user account must be removed from the eDirectory user when the Identity Vault attribute employeeStatus is set to the value “I”.

As can be seen from the data gathered, the SecretStore repository information is global for all drivers that provision Finance department applications. In addition, all provisioning information can be statically configured, with the exception of the GroupWise login parameters Username, Password, and Target User DN.
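As an added example (not part of the Novell documentation), the following Python checks a filled-in worksheet for the mistakes that most often break a SecretStore deployment (a clear-text LDAP port, a malformed administrator DN, a certificate path that is not local), builds the secret name from the item 8 prefix, and resolves the static, event and Identity Vault sources recorded in items 10 to 12. The function names and the dictionary layout are assumptions; the sample values are the ones from Table 5-2.

```python
import re
from pathlib import PureWindowsPath, PurePosixPath

# Secret-type letters from worksheet item 8 and the prefix SecretStore gives each type.
SECRET_PREFIXES = {"A": "SS_App:", "C": "SS_CredSet:"}
# Loose LDAP DN shape: one or more "type=value" RDNs separated by commas.
DN_RE = re.compile(r"^\s*[A-Za-z][\w-]*=[^,]+(\s*,\s*[A-Za-z][\w-]*=[^,]+)*\s*$")

def validate_repository(cfg):
    """Check worksheet items 2-6 and return a list of problems (empty when all is well)."""
    problems = []
    if not cfg.get("server"):
        problems.append("item 2: repository server DNS name or IP address is missing")
    port = cfg.get("ssl_port")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append("item 3: SSL LDAP port must be an integer between 1 and 65535")
    elif port == 389:
        problems.append("item 3: 389 is the clear-text LDAP port; use the SSL port (636 by default)")
    if not DN_RE.match(cfg.get("admin_dn", "")):
        problems.append("item 4: administrator DN is not a fully qualified LDAP DN")
    if not cfg.get("admin_password"):
        problems.append("item 5: administrator password is missing")
    cert = cfg.get("cert_path", "")
    if not (PureWindowsPath(cert).is_absolute() or PurePosixPath(cert).is_absolute()):
        problems.append("item 6: certificate must be a full path local to the Identity Manager server")
    return problems

def secret_name(secret_type, app_id):
    """Build the SecretStore secret name from item 8 (type letter) and item 9 (ID or set name)."""
    if secret_type not in SECRET_PREFIXES or not app_id:
        raise ValueError(f"items 8/9: need type 'A' or 'C' and a non-empty ID, got {secret_type!r}, {app_id!r}")
    return SECRET_PREFIXES[secret_type] + app_id

def resolve_keys(key_sources, event, vault_attrs):
    """Resolve each authentication key (items 10-12) from its declared source: ("static", value),
    ("event", element name) or ("attribute", Identity Vault attribute name). Empty values raise."""
    lookup = {"static": lambda v: v, "event": event.get, "attribute": vault_attrs.get}
    resolved = {}
    for key, (kind, ref) in key_sources.items():
        if kind not in lookup:
            raise ValueError(f"item 12: unknown source {kind!r} for key {key!r}")
        value = lookup[kind](ref)
        if not value:
            raise KeyError(f"{key}: {kind} source {ref!r} produced no value")
        resolved[key] = value
    return resolved

# Constructed sample data copied from the Table 5-2 example worksheet.
FINANCE_REPO = {"server": "151.150.191.5", "ssl_port": 636, "admin_password": "dixml",
                "admin_dn": "cn=admin,ou=finance,o=Tesetco Financials", "cert_path": r"c:\novell\nds\FinanceAD.cer"}
GROUPWISE_KEYS = {"Username": ("attribute", "CN"), "Password": ("event", "password")}
```

Because resolve_keys raises on a missing <password> event element, running it at the point where the policy fires also tells you whether item 13 was answered correctly for the driver in question.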

After all of the configuration data has been determined, proceed to Section 5.3, Creating a Repository Object for Novell SecretStore.