User manual NOVELL ENHANCED SMART CARD METHOD 3.0.1 INSTALLATION 17-07-2007
[. . . ] Novell Enhanced Smart Card Method Installation Guide
novdocx (en) 6 April 2007
Novell Enhanced Smart Card Method 3.0.1
INSTALLATION GUIDE
July 17, 2007
www.novell.com
Legal Notices
Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose.

[...]

The type of revocation checking performed is configured on a per trusted root container basis.
Configuring the Server
If a trusted root container is not listed in the OCSP or CRL list, revocation checking is not performed for certificates that chain to the trusted root container. If a trusted root container is listed in both the OCSP and the CRL list, both types of revocation checks are performed.

Section 4.2.1, "OCSP Trusted Root Containers"
Section 4.2.2, "CRL Trusted Root Containers"
4.2.1 OCSP Trusted Root Containers
Certificates that chain to trusted root certificates in containers in this list use OCSP checking. An OCSP responder URL can be specified for each container in the list. If specified, the responder URL overrides OCSP information in a user's certificate. An OCSP response is signed using the responder's certificate and the responder's certificate must be trusted in order for the response to be considered valid. Place the OCSP responder's certificate in the trusted root container to ensure that the certificate is trusted.
4.2.2 CRL Trusted Root Containers
Certificates that chain to trusted root certificates in containers in this list use CRL checking. The CRL distribution point information in the user certificate is used to retrieve the CRL. CRLs are cached in memory on the server after retrieval. This improves the performance of future logins. The Grace Period setting specifies the number of days after a CRL has expired to continue to treat it as valid. This allows revocation checking to continue, if a new CRL cannot be retrieved from the CRL Distribution Point. If a Grace Period is not specified and the CRL expiration date has passed, all certificates are considered invalid until a new CRL can be retrieved from the distribution point.
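The revocation rules of sections 4.2 through 4.2.2, modeled as an added Python example (not Novell's code and not part of the original guide). The class and function names are hypothetical, and the sample CRL and serial numbers are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class ContainerPolicy:  # hypothetical model of one trusted root container's settings
    in_ocsp_list: bool = False
    in_crl_list: bool = False
    ocsp_url_override: Optional[str] = None  # responder URL set on the container
    grace_days: Optional[int] = None  # None means no Grace Period is configured

@dataclass
class CachedCrl:  # what the server keeps in memory after retrieval
    next_update: datetime  # CRL expiration date
    revoked_serials: frozenset

def required_checks(p):
    """Checks applied to certificates chaining to this container (none, one, or both)."""
    return [name for name, on in (("OCSP", p.in_ocsp_list), ("CRL", p.in_crl_list)) if on]

def ocsp_url(p, url_in_cert):
    """A responder URL on the container overrides the one in the user's certificate."""
    return p.ocsp_url_override or url_in_cert

def crl_check(p, crl, serial, now):
    """Return 'valid', 'revoked', or 'invalid' (cached CRL can no longer be used)."""
    if now > crl.next_update:
        # Expired CRL: usable only inside the configured Grace Period.
        if p.grace_days is None or now > crl.next_update + timedelta(days=p.grace_days):
            return "invalid"  # every certificate fails until a new CRL is retrieved
    return "revoked" if serial in crl.revoked_serials else "valid"

if __name__ == "__main__":
    now = datetime(2007, 7, 17)
    crl = CachedCrl(datetime(2007, 7, 10), frozenset({0x1001}))  # constructed sample
    for grace in (None, 3, 10):
        p = ContainerPolicy(in_crl_list=True, grace_days=grace)
        print(grace, crl_check(p, crl, 0x1001, now), crl_check(p, crl, 0x2002, now))
```

A container that appears in neither list returns an empty check list, which is the case to audit for: certificates chaining to it are accepted with no revocation check at all.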
4.3 Certificate Validation
Configuration Level: Global, Container, User

Certificate validation ensures that the user certificate used for login was issued by a trusted Certificate Authority and has not been revoked. In order for certificate validation to work correctly, the settings for trusted root containers and certificate verification must be properly configured. The certificate chain validation and revocation checking can be enabled or disabled. However, under normal operations there should be no reason to change the default settings.
4.4 Certificate Matching
Configuration Level: Global, Container, User

Certificate matching specifies what part of the certificate presented during login is matched to the target user account. There are three options:

Subject Name: Subject name matching checks the subject name of the login certificate against the subject names configured for the user object. Matching by a certificate subject name is less restrictive than matching by a specific certificate.

Certificate: Certificate matching checks the login certificate against the list of certificates configured for the user object. Certificate-based matching is more restrictive than subject name matching because only a configured certificate can be used for login.
No Matching: No matching means no part of the login certificate must be configured on the target user account. Typically, this option would not be used for regular user accounts. A potential use would be for guest accounts.

[...]

The password is encrypted using a 128-bit AES key generated by using the private key on the smart card. This should be a consideration when choosing whether to use the disconnected login functionality.
8 Novell Audit Integration
The method can report login events to the Novell® Audit System. The smart card login events include specific information about the certificate used for login (Serial Number, Subject Name, Issuer, Expiration Date). In order to report audit events, the audit system must be installed and properly configured for eDirectory™.

[...]