
Enabling LDAP SSL Certificate Verification

23.1 About LDAP SSL Server Certificate Verification

LDAP SSL server certificate verification is a security feature that was introduced in the SecureLogin 6.0 SP1 release. This feature allows the client to verify the trustworthiness of the server, using a process similar to the certificate verification carried out by browsers such as Microsoft Internet Explorer and Mozilla Firefox.

Certificate verification of the server is important to prevent potential security risks. It is essential that the client verify the server certificate during the LDAP SSL connection to the server. If the client does not verify the server certificate, an intruder on the same subnet can interpose on the connection, decrypt the communication between the client and the server, and access user credentials.

By default, eDirectory is configured with self-signed certificates. Although a self-signed certificate works, it does not pass all the validation checks carried out during the verification process, so users are prompted to validate the certificate the first time they attempt to access the server. To prevent this, obtain a signed certificate from a known certificate authority such as VeriSign and replace the existing certificate.

23.2 Validating an LDAP SSL Server Certificate

During the establishment of an LDAP SSL connection, the client receives the certificate from the server so that it can verify the trustworthiness of the server. The client uses the following process to validate the certificate:

• It compares the current certificate with any previously stored certificate. If the certificates match, the client does not perform further checks and keeps the certificate in the local store. If the certificates do not match, the client continues the validation process.

• It checks whether the certificate is trusted. This ensures that a known certificate authority issued the certificate.

• It checks whether the validity period of the certificate includes the current date.

• It checks whether the host name on the certificate matches the host name of the server the client connected to.

If the certificate passes these tests, the client adds the certificate to the local store so it can be used for future verification.

If the certificate does not pass the verification process, the application prompts you to either continue the connection or terminate the connection.
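The following PowerShell script is an added example and is not part of the NetIQ guide or the SecureLogin client. It reproduces the three checks described above (trust, validity dates, host name match) against a live LDAP SSL server using the .NET classes available in Windows PowerShell, so that an administrator can see in advance why a given eDirectory certificate would or would not pass. The host name ldap.example.com and port 636 are assumed placeholders; the thumbprint in the output is what you would compare against a previously stored certificate for the first check.

```powershell
# Added example (not from the NetIQ guide): reproduce the checks the
# SecureLogin client performs on an LDAP SSL server certificate.
# $LdapHost is an assumed placeholder; replace it with your eDirectory host.
param(
    [string]$LdapHost = 'ldap.example.com',
    [int]$Port = 636
)

# Fetch the server certificate. The callback accepts anything so that we can
# inspect the certificate ourselves instead of letting SslStream reject it.
$tcp = New-Object System.Net.Sockets.TcpClient($LdapHost, $Port)
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
$ssl.AuthenticateAsClient($LdapHost)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Close()

# Check 1: is the certificate trusted? Build the chain against the roots in the
# workstation's Windows certificate store. A self-signed eDirectory certificate
# fails here with the status UntrustedRoot.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trusted = $chain.Build($cert)
$chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

# Check 2: does the validity period include the current date?
$now = Get-Date
$datesValid = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)

# Check 3: does the host name we connected to appear on the certificate?
# Start with the name .NET extracts (SAN DNS name, else subject CN), then add
# every DNS name from the subjectAltName extension (OID 2.5.29.17).
$names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    # On Windows the extension is formatted as "DNS Name=host1, DNS Name=host2"
    $names += ($san.Format($false) -split ',\s*') |
        Where-Object { $_ -like 'DNS Name=*' } |
        ForEach-Object { $_.Substring(9).Trim() }
}
$hostMatch = $names -contains $LdapHost

[pscustomobject]@{
    Subject     = $cert.Subject
    Issuer      = $cert.Issuer
    Thumbprint  = $cert.Thumbprint   # compare with a stored value for the "previously stored" check
    Trusted     = $trusted
    ChainStatus = $chainStatus
    DatesValid  = $datesValid
    HostMatch   = $hostMatch
    Passes      = $trusted -and $datesValid -and $hostMatch
}
```

Run the script from a workstation that has the same trusted root store as the SecureLogin clients. If Trusted is false with ChainStatus UntrustedRoot, the eDirectory server is still presenting a self-signed certificate; if HostMatch is false, users connect by a name that is not on the certificate and will be prompted even after the certificate is replaced.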


Figure 23-1 Certificate Verification

• To continue the connection, click Yes. The certificate is added to the local store so it can be used for future verification, and the authentication process continues. Because a stored certificate is not checked again, accepting an untrusted certificate here effectively pins it: a user who clicks Yes on an attacker's certificate is not prompted again on later connections.

• To terminate the connection, click No.

• To get details about the certificate, click View Certificate to display the Certificate Information dialog box shown in the following figure. If you decide that the certificate is valid, you can click Install Certificate to permanently install the certificate.

NOTE: The Windows workstation local store is different from the SecureLogin LDAPAuth client's certificate store.


Figure 23-2 Certificate Information

23.3 Enabling LDAP SSL Certificate Verification

By default, the certificate verification feature is disabled. You can enable this feature by adding the following registry value:

1 On a Windows workstation, click Start > Run to display the Run dialog box.

2 Type regedit then click OK to open the Registry Editor.

3 Browse to the HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login\LDAP registry hive.

4 Create a new DWORD Value named VerifySSLCert and set it to 1.

5 Exit the Registry Editor.
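The same change can be scripted for deployment to many workstations. The PowerShell snippet below is an added example, not part of the NetIQ guide; it creates the same DWORD value the steps above describe and reads it back. Run it in an elevated session.

```powershell
# Added example (not from the NetIQ guide): enable LDAP SSL certificate
# verification by creating the VerifySSLCert DWORD value. Run as Administrator.
$key = 'HKLM:\SOFTWARE\Novell\Login\LDAP'

# Create the key if the client has not created it yet
if (-not (Test-Path -Path $key)) {
    New-Item -Path $key -Force | Out-Null
}

# Create (or overwrite) the DWORD value and set it to 1
New-ItemProperty -Path $key -Name 'VerifySSLCert' -PropertyType DWord -Value 1 -Force | Out-Null

# Read the value back to confirm the setting
Get-ItemProperty -Path $key -Name 'VerifySSLCert' | Select-Object -Property VerifySSLCert
```

Before deploying, confirm on one machine that the client honours the value at this path: a 32-bit client on 64-bit Windows may read the key under HKLM\SOFTWARE\WOW6432Node instead (an assumption to verify, not something the guide states). Restart the SecureLogin client after the change so the new setting is read.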


24 Security Considerations

Consider the following to help ensure security for SecureLogin:

• Do not use pcProx alone for authentication. Use pcProx in conjunction with other NMAS authentication methods for more security.

• Use AES (Advanced Encryption Standard) or Triple DES for the encryption of SecureLogin data.

• Back up SecureLogin data and directory data using encryption and password protection.

• Use AAVerify to provide additional advanced authentication to single sign-on applications with NMAS methods or other AA methods such as NetIQ Advanced Authentication Framework.

• Implement smart cards, storing application credentials on the cards and encrypting the data store using PKI credentials.

• Protect the SecureLogin desktop shortcut with a password so that others cannot view SecureLogin data.

• Prevent certain SecureLogin settings and options from being visible to or modifiable by others.

• Use Universal Password for increased security by providing additional layers of policies.

• Require SecureLDAP when using LDAP to authenticate to SecureLogin.

• Use Novell SecretStore to provide additional security to SecureLogin data stored in eDirectory.

• Use AA methods such as OTP and NMAS to provide advanced authentication, such as pcProx, fingerprint, and token-based authentication.

• Store SecureLogin credentials on a PIN-protected smart card, which provides a secure, portable, and efficient single sign-on solution.

• Keep the local cache files in a user profile directory so that only the corresponding Windows user can access them.

• Enable a passphrase to provide additional security to SecureLogin user data.

• Enforce strict password policies for SecureLogin users and for all single sign-on logins. Randomizing passwords and hiding them from end users is also essential.

• Use auditing features such as NetIQ Sentinel, SNMP alerts, and Windows event logs to capture SecureLogin activity wherever applicable.

• When you are using LDAP with NMAS, the SecureLogin Universal Password must be enabled.


25 SecureLogin Security Role Configuration for Active Directory

For a user to administer SecureLogin in an Active Directory environment, the user must have both sufficient permissions to the SecureLogin attributes and SecureLogin settings that allow the user proper access.

Š Section 25.1, “Directory Attributes,” on page 177