User manual NOVELL ENHANCED SMART CARD METHOD 3.0.1 INSTALLATION 17-07-2007

[. . . ] Novell Enhanced Smart Card Method Installation Guide novdocx (en) 6 April 2007 Novell Enhanced Smart Card Method 3. 0. 1 INSTALLATION GUIDE July 17, 2007 www. novell. com novdocx (en) 6 April 2007 Legal Notices Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. [. . . ] Trusted root certificates are stored in trusted root containers. 4. 2 Certificate Revocation Checking Configuration Level: Global Certificate revocation checking is part of the certificate validation process. The method supports On-Line Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL) checking. The type of revocation checking performed is configured on a per trusted root container basis. Configuring the Server 25 novdocx (en) 6 April 2007 If a trusted root container is not listed in the OCSP or CRL list, revocation checking is not performed for certificates that chain to the trusted root container. If a trusted root container is listed in both the OCSP and the CRL list, both types of revocation checks are performed. Section 4. 2. 1, "OCSP Trusted Root Containers, " on page 26 Section 4. 2. 2, "CRL Trusted Root Containers, " on page 26 4. 2. 1 OCSP Trusted Root Containers Certificates that chain to trusted root certificates in containers in this list use OCSP checking. An OCSP responder URL can be specified for each container in the list. If specified, the responder URL overrides OCSP information in a user's certificate. An OCSP response is signed using the responder's certificate and the responder's certificate must be trusted in order for the response to be considered valid. Place the OCSP responder's certificate in the trusted root container to ensure that the certificate is trusted. 4. 2. 2 CRL Trusted Root Containers Certificates that chain to trusted root certificates in containers in this list use CRL checking. The CRL distribution point information in the user certificate is used to retrieve the CRL. The Grace Period setting specifies the number of days after a CRL has expired to continue to treat it as valid. This allows revocation checking to continue, if a new CRL cannot be retrieved from the CRL Distribution Point. If a Grace Period is not specified and the CRL expiration date has passed, all certificates are considered invalid until a new CRL can be retrieved from the distribution point. 4. 3 Certificate Validation Configuration Level: Global, Container, User Certificate validation ensures that the user certificate used for login was issued by a trusted Certificate Authority and has not been revoked. In order for certificate validation to work correctly, the settings for trusted root containers and certificate verification must be properly configured. The certificate chain validation and revocation checking can be enabled or disabled. However, under normal operations there should be no reason to change the default settings. 4. 4 Certificate Matching Configuration Level: Global, Container, User Certificate matching specifies what part of the certificate presented during login is matched to the target user account. There are three options: Subject Name: Subject name matching checks the subject name of the login certificate against the subject names configured for the user object. Matching by a certificate subject name is less restrictive than matching by a specific certificate. Certificate: Certificate matching checks the login certificate against the list of certificates configured for the user object. Certificate-based matching is more restrictive than subject name matching because only a configured certificate can be used for login. 26 Novell Enhanced Smart Card Method Installation Guide novdocx (en) 6 April 2007 No Matching: No matching means no part of the login certificate must be configured on the target user account. A guest account could be configured as no matching, and then anyone with a valid certificate could log in to the account. 4. 5 Certificate Expiration Warning Configuration Level: Global, Container, User During login a user can be notified of an impending certificate expiration. This setting defines the number of days in advance to notify the user of the upcoming certificate expiration. [. . . ] When matching by subject names, the attributes are: sasAllowableSubjectNames nclTmpCertSubject nclTmpCertExpiration When matching by certificates, the attributes are: userCertificate nclTmpCert nclTmpCertExpTime 7. 4 Certificate Matching The certificate matching settings should be set to Subject Name matching or Certificate matching. Certificate matching is more restrictive because it checks the login certificate against the list of certificates configured for the user. The No Matching option should be used only in specific guest account scenarios as described in the Section 5. 4. 2, "Certificate Matching, " on page 34. 7. 5 Restricting Authentication Methods Users can be restricted to using the smart card authentication method only. This is accomplished by restricting the user to a specified NMASTM authentication sequence. [. . . ]