Novell Doc: Novell SecureLogin 6.1 SP1 Administration Guide - Enabling the Passphrase Security System

5.3 Enabling the Passphrase Security System

This section contains information on the following:

The Enable Passphrase Security System option determines if users can use a passphrase to encrypt single sign-on data.

To view or modify this preference:

Access the Administrative Management utility of Novell SecureLogin.

For information on accessing the Administrative Management utility, see Section 1.2, Starting the Administrative Management Utilities and, or, Section 1.3, Accessing the Single Sign-On Plug-In Through iManager.
Click Preferences. The Preferences page is displayed.
Select Security > Enable passphrase security system and from the drop-down list, select either Yes or Hidden.
Click Apply.
Click OK.

You can set the Enable Passphrase Security System preference to Yes or Hidden depending on the enterprise security requirements.

If the Enable Passphrase Security System is set to Yes, (which is the default preference) the user is prompted to set the passphrase question and answer when Novell SecureLogin is launched for the first time.

If the Enable Passphrase Security System is set to Hidden, the user is not prompted to set the passphrase question and answer when Novell SecureLogin is launched for the first time.

WARNING:If you change the preference from Hidden to Yes, the users are prompted to re-specify their passphrase question and answer (after the initial set up). The users must specify thier the question and answer to proceed with the login.

The users are not indicated of the change you have made. So, we recommend that you do not change the preference.

You have two options, depending on what you specified.

Users can create both the passphrase question and answer.
You predefine a list of questions and answers, and the user selects from the list.

When users have set a passphrase, the application generates a random key, and a one-way hash of the passphrase answer encrypts this key. Later, the application key encrypts the new key. This key protects users’ SecureLogin credentials and passwords so that even someone with Supervisor rights to the network and access to Microsoft Management Console (MMC) is unable to view a user's passwords to applications.

After the passphrase is set, every time that a user logs in to the network, Novell SecureLogin loads seamlessly.

Typically, the prompt to create a passphrase is never seen after the first login. However, if an administrator resets the user's directory or network, the next time SecureLogin launches, users must answer the passphrase question before SecureLogin continues. This prevents other users from changing the user's directory password, logging on as the user, obtaining access to the Novell SecureLogin data, and using it to run applications.

5.3.1 Passphrases and Smart Cards

You cannot toggle the Enable Passphrase Security System setting when the users forget their smart card unless they had previously set a passphrase or had it randomly generated using the Hidden option.

If users are required to authenticate to the network by using passwords, Enable Passphrase Security System must be set either to Yes or Hidden.

Access the Administrative Management utility of Novell SecureLogin.

For information on accessing the Administrative Management utility, see Section 1.2, Starting the Administrative Management Utilities and, or, Section 1.3, Accessing the Single Sign-On Plug-In Through iManager.
Click Preferences. The Preferences page is displayed.
Under Security, select either Yes or Hidden in the Enable passphrase security passphrase drop-down list.
Click Apply.
Click OK.

If you select Yes, users must select a passphrase question and answer when they log in to SecureLogin for the first time. When the passphrase system is enabled, users are prompted to answer their passphrase question if their password has been reset by the administrator.

NOTE:With the Use smart card to encrypt SSO data option selected (either PKI credentials or Key generated on smart card), you can use the passphrase to decrypt single sign-on data if the user’s smart card is damaged or lost.

This setting must be used in conjunction with the Lost card scenario preference set to Allow passphrase and Store credentials on the smart card preference set to No. You can toggle these preferences if the user’s smart card is forgotten providing the user’s passphrase has already been set. The user is prompted to answer the passphrase question before SecureLogin loads.

For more information, see Section 8.5, Lost Card Scenarios

If the Hidden preference is selected, users are not prompted to set a user-defined passphrase. A user key is generated automatically with any input from the user.

The Enable Passphrase Security System cannot be set to No unless Use smart card to encrypt SSO data is set to PKI credentials.

If users are required to authenticate to the network by using passwords, the Enable passphrase security system option must be set to Yes or No or Hidden.

IMPORTANT:With the passphrase security system set to Hidden, a directory administrator can reset a user’s directory password, log in as the user, and access the user’s single sign-on data because they are not prompted to answer a passphrase question.

5.3.2 PKI Encryption and Passphrase Security

If the Use smart card to encrypt SSO data is set to PKI credentials, the user’s single sign-on data is encrypted by using the public key from the selected certificate and the private key and stored on a PIN-protected container on the user’s smart card. Both, the user’s directory datastore and the local cache are now protected by the PKI credentials.

The single sign-on data can be encrypted by using the private key that is PIN-protected and stored on the user’s smart card for added security. Only the user who has the physical possession of the smart card and knowledge of the PIN can decrypt the single sign-on data.

To set the Use smart card to encrypt SSO data preference:

Access the Administrative Management utility of Novell SecureLogin.

For information on accessing the Administrative Management utility, see Section 1.2, Starting the Administrative Management Utilities and, or, Section 1.3, Accessing the Single Sign-On Plug-In Through iManager.
Click Preferences. The Preferences page is displayed.
Select Security > Use smart card to encrypt SSO data and from the drop-down list, select either PKI credentials or Key Generated On Smart Card or No.
Click Apply.
Click OK.

If the Use smart card to encrypt SSO data is set to PKI credentials, the Enable passphrase security system can be optionally set to No.

If the Use smart card to encrypt SSO data is set to No, the user’s passphrases are completely disabled and the user’s smart card is always required to decrypt the single sign-on data.

IMPORTANT:If your enterprise chooses to disable the passphrase security system:

You can still access a user’s credentials by resetting the network password.
The functions of using the passphrases in conjunction with SecureLogin Self Service Password Reset (SLSSPR) is disabled. The SecureLogin Self Service Password Reset enables a user to reset his or her network passwords after answering the passphrase questions.

The supported directory modes for disabling the passphrase security system are:

Active Directory
LDAP-compatible
eDirectory (if SecretStore is used)

For detailed information on the likely scenarios that a user might experience in environments where the Enable passphrase security system option is set to No, see Section 5.5, Passphrase Security System Scenarios.