3.5 Setting the Preferences

You set preferences for managing SecureLogin in the Administration Management utility:

  1. Log in to iManager.

  2. Click SecureLogin SSO > Manage SecureLogin SSO > Preferences. The list of preferences is displayed.

  3. Make the changes you want, then click OK.

    Use the information in the following tables to assist you in making the changes:

Changes in Preferences

This release of Novell SecureLogin has modified the Allow users to view and modify application definitions preference. This preference is now divided into two preferences:

When you upgrade from a previous version of Novell SecureLogin to version 6.1 by using legacy directory data (6.0 or 3.5), if the Allow users to view and modify application definitions option was set to No, then the Allow application definition to be modified by users preference for 6.1 is dimmed.

You must reset the Allow application definition to be viewed by users to Yes before users can modify the application definitions.

Table 3-1 The General Preferences Properties Table

Preference

Value

Description

Allow "Close" option via system tray

Yes/No/Default

If this option is set to No, the Close option is not displayed or accessible in the Novell SecureLogin notification area icon.

If this option is set to Yes or Default, the Close option is displayed and accessible in the Novell SecureLogin notification area icon.

The default value is Yes.

This preference is available only through the administrative management utilities.

Allow "Log Off" option via system tray

Yes/No/Default

If this option is set to No, the Log Off User option is not displayed or accessible in the Novell SecureLogin notification area icon.

If this option is set to Yes or Default, the Log Off User option is not displayed or accessible in the Novell SecureLogin notification area icon.

The default value is Yes.

This preference is available only through the administrative management utilities.

Allow "Refresh Cache" option via system tray

Yes/No/Default

If this option is set to Yes, the Refresh Cache option is not displayed or accessible in the notification area icon.

If this option is set to No or Default, the Refresh Cache option is displayed in the notification area icon.

The default value is No.

This preference is available only through the administrative management utilities.

Allow "Work Offline" option via system tray

Yes/No/Default

If this option is set to No or Default, the Work Offline option is displayed in the notification area icon.

If this option is set to Yes, the Work Offline option is not displayed in the notification area icon.

The default value is No.

This preference is available only through the administrative management utilities.

Allow application definition to be modified by users

Yes/No/Default

If this option is set to Yes or Default, end users can view and modify their application definitions.

If this option is set to No, end users cannot change their application definitions.

The default option is Yes.

NOTE: Disabling this preference does not prevent users from creating new applications through the wizards.

This preference is available only through the administrative management utilities.

Allow application definition to be viewed by users

Yes/No/Default

If this option is set to Yes or Default, users can view the application definition.

If this option is set to No, users cannot view the application definition.

The default value is Yes.

This preference is available only through the administrative management utilities.

Allow credentials to be deleted by users through the GUI

Yes/No/Default

If this option is set to Yes or Default, users can delete their credentials through the GUI.

If this option is set to No, users cannot delete their credentials.

The default value is Yes.

This preference is available only through the administrative management utilities.

Allow credentials to be modified by users through the GUI

Yes/No/Default

If this option is set to Yes or Default, users can modify their credentials through the GUI.

If this option is set to No, users cannot modify their credentials through the GUI.

The default value is Yes.

This preference is available only through the administrative management utilities.

Allow users to (de) activate SSO via system tray

Yes/No/Default

If this option is set to Yes or Default, users can switch between active and inactive modes of Novell SecureLogin.

If this option is set to No, Novell SecureLogin is always active. Users do not have the option to switch.

The default value is Yes.

This preference is available only through the administrative management utilities.

Allow users to backup/restore

Yes/No/Default

If this option is set to Yes or Default, users can back up and restore their single sign-on information.

If this option is set to No, users cannot back up and restore their single sign-on configuration.

The default value is Yes.

This preference is available only through the administrative management utilities.

Allow users to change passphrase

Yes/No/Default

If this option is set to Yes or Default, users can change their passphrase through the notification area icon.

If this option is set to No, the Change Passphrase option is not displayed and users cannot change their passphrase through the notification area icon.

The default value is Yes.

This preference is available only through the administrative management utilities.

Allow users to modify names of Applications and Logins

Yes/No/Default

If this option is set to Default, Novell SecureLogin behaves as if it is set to Yes.

The default value is Yes.

This preference is available only through the administrative management utilities.

Allow users to view and change Preferences

Yes/No/Default

If this option is set to Yes or Default, users can view and change their preferences.

If this option is set to No, users cannot view and change their preferences.

The default value is Yes.

NOTE: We recommend that you create a separate ou to ensure that they are not adversely affected by the general user configuration preferences at the ou level.

This preference is available only through the administrative management utilities.

Allow users to view and modify API preferences

Yes/No/Default

The API preference defines the following options for users to:

  • Enter an API license key(s).

  • Provide API access.

If this option is set to Yes or Default, users can view and modify the API preference.

If this option is set to No, users cannot view and modify the API preference.

The default value is Yes.

This preference is available only through the administrative management utilities.

Allow users to view passwords

Yes/Yes, per applications/No/Default

If this option is set to Yes or Default, users can view their passwords.

If this option is set to No, users cannot view their passwords.

If this option is set to Yes, per application, users can view their passwords for only specific applications.

The default value is Yes.

NOTE: Allowing users to view their passwords gives them an opportunity to view and record passwords if they need to reset the Novell SecureLogin configuration.

This preference is available only through the administrative management utilities.

Change the cache refresh interval (in minutes)

5

This preference defines the interval, in minutes, for synchronizing the user data and the directory on the local workstation.

The default value is set to 5 minutes.

However, depending on the network traffic and the number of users, the interval can be set between 240 minutes and 480 minutes (four and eight hours).

This preference is available in both the Personal Management utility and the administrative management utilities.

Container has priority over User

Yes/No/Default

If this option is set to Yes, the container settings have priority over the user settings.

If this option is set to No or Default, the container settings do not have priority over the user settings.

The default value is No.

This preference is available only through the administrative management utilities.

Detect incorrect passwords

Yes/No/Default

If this option is set to Yes or Default, incorrect passwords for Web applications are detected.

If this option is set to No, incorrect passwords for Web applications are not detected.

The default value is Yes.

This preference is available in both the Personal Management utility and the administrative management utilities.

Disable single sign-on

Yes/No/Default

If this option is set to Yes, access to Novell SecureLogin is disabled.

If this option is set to No or Default, access to Novell SecureLogin is enabled.

The default value is No.

This preference is available only through the administrative management utilities.

Display splash screen on startup

Yes/No/Default

If this option is set to Yes or Default, the splash screen appears when Novell SecureLogin starts up.

If this option is set to No, the splash screen is hidden and users cannot see the splash screen when Novell SecureLogin starts up.

The default value is Yes.

This preference is available only through the administrative management utilities.

Display the system tray icon

Yes/No/Default

If this option is set to Yes or Default, the Novell SecureLogin icon appears in the notification area.

If this option is set to No, the Novell SecureLogin icon does not appear in the notification area.

The default value is Yes.

NOTE: When Novell SecureLogin is active, users can double-click the icon in the notification area to launch the Personal Management utility.

When Novell SecureLogin is inactive, users can start the Personal Management utility through Start > Programs > Novell SecureLogin > Novell SecureLogin.

This preference is available only through the administrative management utilities.

Enable cache file

Yes/No/Default

This option enables or disables the creation of a Novell SecureLogin cache file on the local workstation. The cache stores user configuration data, both local and inherited.

Set this option to Yes for mobile users.

If this option is set to No, you cannot store files locally or you have some conflicts with organizational security policy.

If this option is set to Default, Novell SecureLogin behaves as if it is set to Yes.

The default value is Yes.

This preference is available in both the Personal Management utility and the administrative management utilities.

Enable Logging to Novell Audit

Yes/No/Default

This preference enables or disables the automatic sending of log events to the Novell Audit tool, NSure.

The following ou or user objects are logged by NSure:

  • Single sign-on client started

  • Single sign-on client exited

  • Single sign-on client activated by user

  • Single sign-on client deactivated by user

  • Password provided to an application by a script

  • Password changed by the user in response to a change password command

  • Password changed automatically in response to a change password command

NOTE: The Novell Audit platform must be installed on the client with a registered application ID and schema file on the server.

If this option is set to Yes or Default, logging to Novell Audit is enabled.

If this option is set to No, logging to Novell Audit is disabled.

The default value is Yes.

This preference is available only through the administrative management utilities.

Enable the New Login Wizard on the system tray icon

Yes/No/Default

This preference enables or disables the user’s ability to create multiple logins for different accounts on the same application or server.

If this option is set to Yes or Default, users can create multiple logins.

If this option is set to No, users cannot create multiple logins.

The default value is Yes.

This preference is available only through the administrative management utilities.

Enforce passphrase use

Yes/No/Default

Enforces the user definition of a passphrase question and answer when Novell SecureLogin is launched.

If this option is set to Yes, users must complete setting up their passphrase before they proceed with any other activity on the workstation.

If this option is set to No or Default, users can postpone setting up the passphrase.

The default value is No.

This preference is available only through the administrative management utilities.

Enter API license key(s)

Specify API licence key(s)

Specify the API license key(s) provided by Novell SecureLogin to activate the API functionality for an application.

NOTE: You can add more than one API license key.

Password protect the system tray icon

Yes/No/Default

Restricts the users from accessing the Novell SecureLogin icon menu option (from the notification area) without their network login password.

If this option is set to Yes, the Novell SecureLogin icon on the notification area is password protected.

If this option is set to No or Default, the Novell SecureLogin icon on the notification area is not password protected.

The default value is No.

This preference is available in both the Personal Management utility and the administrative management utilities.

Provide API Access

Yes/No/Default

Enables or disables the API functionality.

If this option is set to Yes, the API access is enabled.

If this option is set to No or Default, the API access is disabled.

The default value is No.

This preference is available in both the Personal Management utility and the administrative management utilities.

Standalone distributed settings have priority over user’s

Yes/No/Default

Allows or disallows the values of configuration settings made by user to take precedence over the configuration settings made after settings distribution.

Use this preference in advanced standalone mode for overwriting locally applied scripts, settings, and credentials by centrally created credentials.

Use this preference also for users who receive the encrypted and signed settings.

If this option is set to Yes, the standalone distributed settings have priority over user’s settings.

If this option is set to No or Default, the standalone distributed settings do not have priority over user’s settings.

The default value is No.

This preference is available only in SecureLogin Manager.

Stop walking here

Yes/No/Default

Enables or disables the inheritance of settings from higher level containers or organizational units.

If this option is set to Yes, the inheritance of settings from higher level containers or organizational units is disabled.

Set the option to Yes during phased upgrades when higher levels might have a different version of Novell SecureLogin implemented.

If this option is set to No or Default, the inheritance of settings from higher level containers or organizational units is enabled.

The default value is No.

This preference is available only through the administrative management utilities.

Table 3-2 The Java Preferences Properties Table

Preference

Value

Description

Add application prompts for Java applications

Yes/No/Default

If the preference is set to Yes or Default, as soon as Novell SecureLogin detects a Java application login page, it prompts the user to record it.

If this option is set to No, this process never occurs; only predefined Java applications are prompted and supported.

The default value is Yes.

This preference is available in both the Personal Management utility and the administrative management utilities.

Allow single sign-on to Java applications

Yes/No/Default

If the preference is set to Yes or Default, as soon as Novell SecureLogin detects a Java application login page, it prompts the user to enable it for single sign-on.

If this option is set to No, Java applications are not enabled for single sign-on.

The default value is Yes.

This preference is available in both the Personal Management utility and the administrative management utilities.

Table 3-3 The Security Preferences Properties Table

Preference

Value

Description

Certificate selection criteria

Specify text to identify your certificate

Allows you to specify text to uniquely identify a certificate (within searchable fields only).

This preference is available only through the administrative management utilities.

Current certificate

No certificate selected

Allows selecting a certificate other than the default certificate.

This preference is available only through the administrative management utilities.

Enable passphrase security system

Yes/No/Hidden

Prevents a rogue administrator from accessing the user’s single sign-on credentials because they are prompted for the user’s passphrase answer if they try to reset the user’s network password and start Novell SecureLogin.

If this option is set to Yes or Default, the passphrase must be answered by the user. Consequently, user contribution and knowledge is required in specific configurations to start Novell SecureLogin.

If this option is set to Hidden, the user is not requested to answer a passphrase question. It is automatically generated by SecureLogin according to the user’s parameters. This process is then automatically used in the configuration where a passphrase is required.

If this option is set to No, the passphrase system is absent. Consequently, there is no backup process to store the user key. If the primary key is lost, Novell SecureLogin cannot be used by this user.

The default value is Yes.

NOTE: The Enable passphrase security system preference is supported only with the datastore version 6.0.

The Disable passphrase security system preference applicable for datastore version 3.5 is removed and is no longer supported.

If you are using this preference with datastore version 3.5, you must upgrade the datastore to version 6.0 to use the Enable passphrase security system preference.

This preference is available only through the administrative management utilities.

Lost card scenario

Allow passphrase/Require smart card

Determines how Novell SecureLogin handles a user forgetting, losing or damaging their smart card.

The Lost card option can be used only if the Enable passphrase security system option is set to Yes or Hidden and Use smart card to encrypt single sign-on data is set to one of the smart card values.

If this option is set to Allow passphrase or Default, the passphrase functions as a secondary key. If the smart card is not available, the passphrase is required in online mode to retrieve credentials from the directory.

If this option is set to Require smart card, then there is no way to retrieve the credentials.

The default value is Allow passphrase.

NOTE: This preference is not available to users who have not upgraded their datastore to version 6.0.

This preference is available only through the administrative management utilities.

Require Smart Card is present for SSO and administration operations

Yes/No/Default

This preference requires that a smart card must be accessible by SecureLogin each time a single sign-on operation is performed by an end user operation or administration operation. If this preference is set, SecureLogin cannot start without the smart card. As soon as the smart card is removed, SecureLogin is locked. By default, this preference is not set.

If this option is set to Yes, Novell SecureLogin cannot start without the smart card. As soon as the smart card is removed, Novell SecureLogin is locked.

If this option is set to No or Default, Novell SecureLogin can start without the smart card.

The default value is No.

NOTE:

  • If the Lost card scenario is set to Allow passphrase, the Require Smart Card is present for SSO and administration operations preference is dimmed.

  • If the Lost card scenario is set to Require smart card, then the Require Smart Card is present for SSO and administration operations preference is available and behaves as if set to No.

  • This preference is not available to users who have not upgraded their datastore to version 6.0.

This preference is available only through the administrative management utilities.

Store credentials on smart card

Yes/No/Default

Allows you to store application credentials only on smart card.

If this option is set to Yes, all credentials are stored in the PIN-protected area of a smart card instead of being encrypted in the cache file.

If this option is set to No or Default, credentials are not stored in the PIN-protected area of a smart card.

Scripts, settings, and policies are stored in the user’s local cache, which is a mandatory preference for using smart cards.

The default value is No.

This preference is not available to users who have not upgraded their datastore to version 6.0.

This preference is available only through the administrative management utilities.

Use AES for SSO data encryption

Yes/No

This option is defined to change the data encryption mode. This option is not available prior to version 6.0 of Novell SecureLogin.

If the preference is set to Yes or Default, you can use AES instead of Triple DES for encrypting single sign-on data.

If the preference is set to No, you cannot use AES instead of Triple DES for encrypting single sign-on data.

The default value is Yes.

This preference is available only through the administrative management utilities.

Use enhanced protection by default

Yes/No/Default

This setting is only relevant in a Novell environment; it concerns the SecretStore protection.

If this option is set to Yes or Default, then a password protection is added.

If this option is set to No, a password protection is not added.

The default value is Yes.

This preference is not available to users who have not upgraded their datastore to version 6.0.

For details, see the SecretStore documentation.

This preference is available only through the administrative management utilities.

Use smart card to encrypt SSO data

No/PKI credentials/Key stored on smart card

Allows PKI credentials or a self-generated key to be created as the encryption source to encrypt the single sign-on data in the directory.

If this preference is set to No or Default, all other smart card options are dimmed.

If this preference is set to PKI credentials, single sign-on data is encrypted using the user's PKI credentials. Single sign-on data stored in the Directory and in the offline cache (if enabled) is encrypted using the public key from the selected certificate, and the private key (stored on a PIN-protected smart card) is used for decryption.

If this preference is set to Key stored on smart card, single sign-on data is encrypted using a randomly generated symmetric key that is stored on the user's smart card. This key is used to encrypt and decrypt single sign-on data stored in the Directory and in the offline cache (if enabled).

The default preference is No.

This preference is available only through the administrative management utilities.
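
The passphrase and smart card preferences in Table 3-3 depend on one another, so a planned change can be checked before it is entered in iManager. The following Python script is an added example, not Novell code: it takes a planned set of Security preference values and reports which preferences become unavailable and which combinations leave no way to recover credentials. The dictionary input format, the function names, and the finding codes are assumptions made for this illustration.

```python
# Added example, not Novell code: audits a planned set of Table 3-3 Security
# preferences. The dict input format and all function names are assumptions.

PASSPHRASE = "Enable passphrase security system"
LOST_CARD = "Lost card scenario"
REQUIRE_CARD = "Require Smart Card is present for SSO and administration operations"
STORE_ON_CARD = "Store credentials on smart card"
USE_AES = "Use AES for SSO data encryption"
CARD_ENCRYPT = "Use smart card to encrypt SSO data"

# Default values as listed in Table 3-3.
DEFAULTS = {
    PASSPHRASE: "Yes",
    LOST_CARD: "Allow passphrase",
    REQUIRE_CARD: "No",
    STORE_ON_CARD: "No",
    USE_AES: "Yes",
    CARD_ENCRYPT: "No",
}
SMART_CARD_VALUES = {"PKI credentials", "Key stored on smart card"}


def effective(prefs):
    """Resolve unset or 'Default' entries to the documented default value."""
    return {
        name: default if prefs.get(name, "Default") == "Default" else prefs[name]
        for name, default in DEFAULTS.items()
    }


def audit_security_preferences(prefs):
    """Return (unavailable, findings); findings are (code, preference) tuples."""
    eff = effective(prefs)
    unavailable, findings = [], []

    if eff[CARD_ENCRYPT] not in SMART_CARD_VALUES:
        # Table 3-3: with No or Default, all other smart card options are dimmed.
        # Treating these three as "the other smart card options" is an assumption.
        unavailable = [LOST_CARD, REQUIRE_CARD, STORE_ON_CARD]
    elif eff[PASSPHRASE] not in ("Yes", "Hidden"):
        # Lost card scenario needs the passphrase system set to Yes or Hidden.
        unavailable.append(LOST_CARD)
    elif eff[LOST_CARD] == "Allow passphrase":
        # Allow passphrase dims the "Require Smart Card is present" preference.
        unavailable.append(REQUIRE_CARD)

    # A plan that sets a value on an unavailable preference cannot be entered.
    for name in unavailable:
        if prefs.get(name, "Default") != "Default":
            findings.append(("SET_BUT_UNAVAILABLE", name))

    if eff[PASSPHRASE] == "No":
        # No backup process for the user key: losing the primary key locks the user out.
        findings.append(("NO_KEY_BACKUP", PASSPHRASE))
    if LOST_CARD not in unavailable and eff[LOST_CARD] == "Require smart card":
        # Without the smart card there is no way to retrieve the credentials.
        findings.append(("NO_RECOVERY_WITHOUT_CARD", LOST_CARD))
    if eff[USE_AES] == "No":
        # Single sign-on data is encrypted with Triple DES instead of AES.
        findings.append(("TRIPLE_DES_IN_USE", USE_AES))
    return unavailable, findings


if __name__ == "__main__":
    # Constructed sample plan, not taken from a real deployment.
    plan = {CARD_ENCRYPT: "PKI credentials", PASSPHRASE: "Hidden",
            LOST_CARD: "Require smart card", REQUIRE_CARD: "Yes"}
    unavailable, findings = audit_security_preferences(plan)
    print("unavailable:", unavailable)
    for code, name in findings:
        print(code, "->", name)
```
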

Table 3-4 The Web Preferences Properties Table

Preference

Value

Description

Add application prompts for Internet Explorer

Yes/No/Default

The default value is Yes.

This preference is available in both the Personal Management utility and the administrative management utilities.

Add application prompts for Mozilla Firefox

Yes/No/Default

The default value is Yes.

This preference is available in both the Personal Management utility and the administrative management utilities.

Allow single sign-on to Internet Explorer

Yes/No/Default

The default value is Yes.

This preference is available in both the Personal Management utility and the administrative management utilities.

Allow single sign-on Mozilla Firefox

Yes/No/Default

The default value is Yes.

This preference is available in both the Personal Management utility and the administrative management utilities.

Allow single sign-on to Netscape

Yes/No/Default

The default value is Yes.

This preference is available in both the Personal Management utility and the administrative management utilities.

Table 3-5 The Windows Preferences Properties Table

Preference

Value

Description

Add application prompts for Windows applications

Yes/No/Default

The default value is Yes.

This preference is available in both the Personal Management utility and the administrative management utilities.

Allow single sign-on to Windows applications

Yes/No/Default

The default value is Yes.

This preference is available in both the Personal Management utility and the administrative management utilities.