7/26/2019 etoken and nmas 2u1
eToken and NMAS 2.1
Integration Guide
Version 1.0
June 2008
Contacting Aladdin eToken
If you have any questions about Aladdin eToken, contact your local reseller or
the Aladdin eToken technical support team:
Region                                Contact
USA                                   1-212-329-6658
                                      1-866-202-3494
Austria, Belgium, France, Germany,    00800-22523346
Italy, Netherlands, Spain,
Switzerland, UK
Ireland                               0011800-22523346
Rest of the world                     +972-3-9781299
You can submit a question to the Aladdin eToken technical support team at
the following web page:
http://www.aladdin.com/forms/etoken_question/form.asp
Website
http://www.aladdin.com/eToken
About This Guide
Intended Audience
This Integration Guide should be read by system administrators who wish to
integrate eToken and Novell NMAS solutions.
Text Conventions
The following conventions are followed throughout this publication.
Convention    Explanation
Boldface      Used to indicate text that you enter, type, or execute.
              Example: Click Enter or Save or Delete.
Italicized    Used to highlight objects in the application.
              Examples: The Production Domain window opens.
              The Connectors window opens.
Note          Indicates additional information related to the task
              being discussed.
Caution       Identifies potential problems that you should look out
              for when completing a task, or problems to be
              addressed before completing a task.
>             Used as a shortcut to indicate the path to be followed.
              Example: Programs > eToken > TMS indicates:
              From the Programs menu, choose the eToken
              submenu, then choose the TMS option.
              Provides ancillary information on the topic being
              discussed. Go to the sidebars to learn additional
              information about the topic.
Table of Contents
Chapter 1 Introduction
    Overview
    NMAS Minimum Requirements
    Universal Smart Card Login Method
Chapter 2 Installing NMAS Server Components
    Installing the NMAS Server Software
    Installing the Universal Smart Card Login Method
    Configuring the Universal Smart Card Login Method
Chapter 3 Creating User Certificates and Authorizing the Login Sequence
    Creating User Certificates
    Authorizing the Login Sequence for Users
Chapter 4 Setting Up the Client Workstation
    Installing eToken PKI Client 4.55
    Updating the NMAS Client
    Installing the Universal Smart Card Login Method
    Preparing the eToken for the User
Chapter 5 Logging in with eToken
    Configuring the NMAS Client
    Logging in Using the Universal Smart Card Login Method
Chapter 6 Troubleshooting
    Error Logging In
Chapter 7 Glossary
Appendix 1 Copyrights and Trademarks
    NOTICE
Appendix 2 FCC Compliance
    FCC Warning
    CE Compliance
    UL Certification
    ISO 9002 Certification
    Certificate of Compliance
Chapter 1
Introduction
This integration guide describes eToken and Novell Modular Authentication
Service (NMAS) solutions for secure user access control.
This chapter includes the following:
Overview
NMAS Minimum Requirements
Universal Smart Card Login Method
Overview
Novell Modular Authentication Service (NMAS) Enterprise Edition provides an
extensible NDS authentication framework that you can use to customize a
powerful security solution for your network. With NMAS your network users can
authenticate to NDS with something they know (such as a password), something
they have (such as a token, smart card, or X.509 certificate), and something they
are (biometric data such as a fingerprint).
NMAS Enterprise Edition is designed to help you protect information on your
network. NMAS brings together additional methods of authenticating to NDS
eDirectory to help ensure that the people accessing your network resources are
who they say they are. Also, you can grant or restrict access to network resources
based on how a user authenticates to NDS eDirectory.
The Universal Smart Card Login method is a certificate-based (X.509, RFC2459)
authentication method that uses a PKCS#11 (Cryptoki) token interface for
cryptography and key storage. NMAS is integrated with Aladdin Knowledge
Systems PKCS#11 library to enable the Universal Smart Card Login procedure to
be used with eToken.
NMAS Minimum Requirements
Before you begin the installation, make sure that your environment meets all of
the listed prerequisites.
IMPORTANT: This product will not install on NetWare 5.0 or on an NDS
eDirectory version earlier than 8.6.1.
Server Requirements
NetWare 6:
NetWare 5.1 with Support Pack 2 or later installed
NDS eDirectory 8.6.1 or later
NetWare Server NICI 2.4 or later must be installed on the server prior to
installing NMAS 2.1 server components
NetWare Server NICI 2.4 is included with this product and is located in the
NICI\NWSERVER directory
Windows NT or 2000:
Windows NT Server 4.0 with Service Pack 6a or later, or Windows 2000
Server with Service Pack 2 or later
NDS eDirectory 8.6.1 or later
NMAS Client Workstation Requirements
Windows 98 SE, Windows 2000 Professional or Windows NT 4
Service Pack 6a or later
Novell Client for NT 4.8.3 or later installed
Windows NICI 2.4.1 or later
ConsoleOne 1.3.2 or later
eToken PKI 4.55 or later
Universal Smart Card Login Method
The Universal Smart Card Login method provides user identification and
authentication using a smart card and reader connected to a network.
When used with eToken, the Universal Smart Card Login method provides
authentication only. The user provides proof of identity with the eToken, and the
smart card authenticates the user to the network.
The following are the prerequisites for installing and using the Universal
Smart Card Login method, in addition to the NMAS prerequisites listed above:
Server:
NMAS 2.02 or later
Client Workstation:
NMAS Client 2.1 or later if you are using the ID snap-ins.
Installing and Using the Universal Smart Card Login Method
Making the Universal Smart Card Login method available for use with eToken
requires the following steps:
1. Install and configure the login method on the NMAS Server, as described in
Chapter 2, Installing NMAS Server Components.
2. Define the user certificates and login sequence, as described in Chapter 3,
Creating User Certificates and Authorizing the Login Sequence.
3. Set up users' workstations for use with eToken and the login method, as
described in Chapter 4, Setting Up the Client Workstation.
After these steps have been completed, users will be able to log in securely using
eToken, as described in Chapter 5, Logging in with eToken.
Chapter 2
Installing NMAS Server Components
This chapter explains how to install and configure the required components
on the NMAS server to enable the Universal Smart Card Login method to be
used with eToken.
This chapter includes the following:
Installing the NMAS Server Software
Installing the Universal Smart Card Login Method
Configuring the Universal Smart Card Login Method
Installing the NMAS Server Software
The NMAS server software components are installed on the server using a
Windows client workstation.
To install the NMAS server software:
1. Run ConsoleOne from a Windows client workstation using the
ConsoleOne executable file located on the server at:
server:sys\public\mgmt\consoleone\1.2\consoleone.exe.
2. On a Windows client workstation, log in as the administrator to the server
on which you want to install the server components.
3. Insert the NMAS Enterprise Edition CD.
Note: If an error message is displayed, stating that you need to update the
Novell Client software, install the latest Novell Client software and reboot
the workstation.
You may also be prompted to upgrade to eDirectory 8.6.1 or later. If so,
upgrade the eDirectory software.
4. From the root of the CD, run nmasinstall.exe.
The Novell Modular Authentication Service Install window opens.
5. Select NMAS Server Components and click OK.
The Novell Modular Authentication Service Installation Welcome window opens.
6. Click Next.
The License Agreement window opens.
7. Read the License Agreement and click Accept.
The Install Type window opens.
8. Select Remote Netware Server and click Next.
The Select NMAS Components window opens.
9. Select NMAS Snapins and click Next.
The Target Server window opens.
13. Click OK.
The Installation Complete window opens.
14. Restart the server.
The installation is complete.
Installing the Universal Smart Card Login Method
The Universal Smart Card Login method is a certificate-based (X.509,
RFC2459) authentication method that uses a PKCS#11 (Cryptoki) token
interface for cryptography and key storage. NMAS needs to be integrated with
Aladdin Knowledge Systems eTpkcs11 library to enable the Universal
Smart Card Login procedure to be used with eToken.
The Universal Smart Card Login method can be installed in either of the
following ways:
With ConsoleOne - the login method snap-ins are installed using a
configuration file.
With the NMAS Login Method Install Wizard - the login method is
installed directly to eDirectory.
To install the Universal Smart Card Login method using
ConsoleOne:
1. Open Novell ConsoleOne.
2. Select Security, right-click Authorized Login Methods and select New >
Object.
The New Object window opens.
3. Select SAS:NMAS Login Method and click OK.
The Select the Method Configuration File window opens.
4. Select the login configuration file and click Open. The configuration file is
usually named config.txt and is located in the UsmartCard folder.
The login method snap-ins are installed.
Note: It may be necessary to close and restart ConsoleOne in order to run
the newly installed login method snap-ins.
To install the Login Method using the Login Method Install
Wizard:
1. In the NmasMethods folder, double-click MethodInstaller.exe to launch
the NMAS Login Method Installer Wizard.
2. Click Next.
The Select the Login Methods window opens.
3. Select Universal Smart Card and click Next.
The Login to eDirectory window opens.
4. Log in to eDirectory, select a path for the installation, and click Next.
The method properties are displayed.
5. You can rename the method if you wish. Click Next.
The modules are displayed for the selected method.
The next NMAS Login Method Install Wizard window opens.
6. Check the box to use only the Smart Card Login method and click Next.
The final window opens.
7. Click Finish.
The Universal Smart Card Login Method has been installed on the server.
Configuring the Universal Smart Card Login Method
In order to make the Universal Smart Card Login Method available for use
with eToken, the method must be configured on the server. This includes the
following steps:
Create a trusted root certificate container.
Export a trusted root certificate.
Install the certificate in the trusted root certificate container.
Configure the Universal Smart Card Login Method to use the trusted root
certificate container on the server.
Creating a Trusted Root Certificate Container
The first stage is to create a container for the trusted root certificate.
To create a trusted root certificate container:
1. In ConsoleOne, right-click Security and select New > Object.
The New Object window opens.
2. Select NDSPKI:Trusted Root and click OK.
3. Assign a name to the new trusted root certificate container and click OK.
Exporting a Trusted Root Certificate
The trusted root certificate now needs to be exported to the location of your
choice.
To export a trusted root certificate:
1. Obtain a self-signed certificate from the Certificate Authority.
2. In ConsoleOne, select Security, right-click the CA object and select
Properties.
3. Select the Certificates tab.
4. Select the self-signed Certificate, and click Export to start the Certificate
Export wizard.
5. Verify that the default No button is selected, and click Next.
6. Click Next.
7. Accept the defaults, then click Finish.
The certificate is stored in C:\ (the default location).
Installing the Trusted Root Certificate in the Container
The certificate can now be installed in the trusted root container.
To install the trusted root certificate in the container:
1. In ConsoleOne, right-click the new trusted root container object, and
select New > Object.
The New Object window opens.
2. Select NDSPKI:Trusted Root Object and click OK.
3. Assign a name to the new Trusted Root object and click OK.
4. Create a certificate object and click Read from file.
5. Select the certificate and click Open.
The certificate is displayed.
6. Click Finish.
The certificate is installed in the trusted root container.
Configuring the Universal Smart Card Login Method to use the Trusted Root Container
The final step is to ensure that the Universal Smart Card Login Method uses
the certificate in the trusted root container for user authentication.
1. In ConsoleOne, select Authorized Login Methods and select the
Universal Smart Card Login Method object.
2. Right-click the Smart card authentication object and click Properties.
The Properties window opens for the eToken PKCS#11 library.
3. Select Certificate > Configuration and click Add.
4. Navigate to the Security container, select the trusted root container that
you created earlier, and click OK.
The configuration is complete.
Chapter 3
Creating User Certificates and Authorizing the Login Sequence
This chapter describes how to define and export user certificates for use with
the Universal Smart Card Login Method, and explains how to configure the
login policy to enable users to log in using eToken.
This chapter includes the following:
Creating User Certificates
Authorizing the Login Sequence for Users
Creating User Certificates
In order for a user to be able to log in using eToken, a user certificate must be
stored in the user's smart card, and the user's certificate subject name must be
added in eDirectory. The smart card must also hold the private key that
corresponds to the certificate. Either Novell-created user certificates or third-party user
certificates can be used.
Creating a user certificate with a private key for use with the Universal
Smart Card Login Method involves:
Creating a user certificate
Configuring the certificate subject name from the user certificate
Exporting the user certificate and private key to a PFX file
Creating a User Certificate
Users' certificates are defined using the NMAS Create User Certificate wizard.
To create a user certificate:
1. In ConsoleOne, double-click the user object.
The Properties window opens for the selected user.
2. Select Security > Certificates.
3. Click Create.
The Create User Certificate window opens.
4. Type a nickname for the certificate, select Custom and click Next.
5. Click Next in the next window.
The next Create User Certificate window opens, requiring the RSA key details.
6. Specify the key size and click Next.
Note: eToken PRO supports key sizes of up to 1024 bits.
The next Create User Certificate window opens, requiring the certificate parameters.
7. Enter the user's email address and click Next.
8. If an e-mail address warning message is displayed, click Yes.
The next Create User Certificate window opens, displaying the selected certificate parameters.
9. Click Finish.
The user's certificate is created, and is displayed in the Properties window for the user.
Configuring the User Certificate Subject Name
The user's properties must now be updated with the subject name for the
newly-created certificate.
To configure the user certificate subject name:
1. In the Security > Certificates tab of the Properties window for the user,
click Details.
The certificate details are displayed.
2. Select X.509, copy the certificate subject name to the Windows clipboard,
and close the certificate details window.
3. In the Properties window, select Security > Certificate Subject Names
and click Add.
4. In the Allowable Certificate Subject Names window, paste in the
certificate subject name from the clipboard.
5. Click OK.
6. Click Apply.
7. Close ConsoleOne.
Exporting the User Certificate and Private Key
In order to use a certificate for secure e-mail, authentication, or encryption,
the user's private key and certificate must be exported to the smart card.
Knowing the private key proves that the user is the person indicated in the
certificate.
To export the user's private key and certificate:
1. Log in to NDS as the user for whom you have just created the certificate.
2. Restart ConsoleOne.
3. Right-click the User object that hosts the user certificate and select
Properties.
4. Select Security > Certificates.
5. Select the user certificate and click Export.
The Export A User Certificate window opens.
6. Select Yes and click Next.
The next Export A User Certificate window opens, requiring file and password details.
7. Specify a file name and location for the PFX file to contain the certificate
and private key.
8. Specify a password to protect the private key. This password will be used
to encrypt the PFX file. It must consist of at least 6 alphanumeric
characters.
9. Re-enter the password and click Next.
The next Export A User Certificate window opens, displaying the certificate parameter values.
10. Click Finish.
The certificate and the private key are exported to the PFX file in the specified location.
11. Close the Properties window and exit ConsoleOne.
Authorizing the Login Sequence for Users
User objects can be configured to use one or more of the available login
sequences defined in eDirectory.
Users with no login restrictions are already authorized for the Universal
Smart Card Login sequence.
If login sequence restrictions have been configured for users, you will need to
authorize the Universal Smart Card Login sequence for those users.
Authorizing the login sequence includes the following steps:
Defining the login policy object
Defining the login policy for users
Defining the Login Policy Object
The login policy object is defined once.
To define the login policy object:
1. Open ConsoleOne.
2. Right-click Authorized Login Methods and select New > Object.
The Properties of Login Policy window opens.
3. Select Universal Smart Card and move it from the Available Login
Methods list to the Selected Login Methods list.
Defining the Login Policy for Users
The login policy needs to be defined for each user who will log in with eToken.
To define the login policy for a user:
1. Log in to ConsoleOne as admin.
2. Right-click the User object for the user and click Properties.
3. Select Security > Login Sequences.
4. Move the Universal Smart Card authorization sequence from the
Available Sequences list to the Authorized Sequences list.
5. Select Security > Clearances.
6. Set the default clearance for the user to logged in and move logged in
from the Available Clearances list to the Authorized Clearances list.
7. Repeat the above steps as required for the other users.
Setting the Default Authorization Sequence for New Users
The Universal Smart Card authorization sequence can be set as the default for
new users when the new user is defined.
Setting this option automatically moves the Universal Smart Card
authorization sequence from the Available Sequences list to the Authorized
Sequences list in the Properties window for the new user.
Chapter 4
Setting Up the Client Workstation
This chapter explains how to install the required client software modules on
the workstation and how to prepare the eToken for the user.
This chapter includes the following:
Installing eToken PKI Client 4.55
Updating the NMAS Client
Installing the Universal Smart Card Login Method
Preparing the eToken for the User
Installing eToken PKI Client 4.55
eToken PKI Client 4.55 must be installed on the client workstation before
installing the Universal Smart Card Login method. The eToken runtime
environment PKI 4.55 includes all the necessary files and drivers to support
eToken integration. It also includes the eToken Properties facility, which
enables easy user management of the eToken password and name.
To install eToken PKI Client 4.55:
1. On the client workstation, close all currently opened applications.
2. Either:
Download eToken PKI Client 4.55 (and MSI if necessary) from the
eToken Support and Downloads web page, store it in your selected
location, and double-click the downloaded PKI 4.55.msi file.
or
Insert the eToken Enterprise CD into your CD drive.
If the required version of MSI is not present, the eToken Installer
proceeds to install it on your system.
The eToken PKI Client 4.55 Installation Wizard starts.
3. Click Next.
The eToken PKI Client 4.55 Setup language selection window opens.
4. Click Next.
The eToken PKI Client 4.55 Setup License Agreement window opens.
5. Select I accept and click Next.
6. Remove any eTokens that are connected to the computer, and click
Install.
The eToken PKI 4.55 files are installed.
7. When the installation is complete, click Finish.
Connecting the eToken
After the installation of eToken PKI 4.55, eToken can be used to log in to the
workstation.
To connect an eToken to the workstation:
Connect an eToken to the USB port or cable.
The new hardware is processed and the eToken lights up. This process
may take some time, depending on the operating system and computer.
The installation is successful.
Connecting the eToken USB Extension Cable
If the USB port is not easily accessible, an eToken USB extension cable can be
used, as described below. This extension cable enables you to insert and
remove the eToken easily without having to access the USB port directly.
The eToken connects to the computer's USB port. If the USB port is located at
the back of the PC, it is probably difficult to reach. The eToken extension cable
is two meters (approximately six linear feet) long and enables easy access to
the USB port for insertion and removal of the eToken.
If a USB port or hub is located on the keyboard or monitor, you may not need
an eToken extension cable. If the port is on the monitor, make sure that the
monitor is connected to the USB port of the PC through a standard USB
type A to type B cable.
Updating the NMAS Client
The NMAS Client software must be updated on each workstation that is
intended for use with the Universal Smart Card Login method.
To update the NMAS client on the workstation:
1. Run nmasinstall.exe (located in the root directory of the NMAS CD).
2. Select the NMAS Client option and click OK.
The NMAS Client Setup application starts.
The NMAS Client Components Setup Welcome window opens.
3. Click Next.
The Software License Agreement window opens.
4. Click Yes to accept the agreement.
The Select NMAS Client Login Methods window opens.
5. Select Universal Smart Card and click Next.
The Select NMAS Client Post-Login Methods window opens.
6. Without selecting any method, click Next.
The NMAS Client update is complete.
Installing the Universal Smart Card Login Method
The Universal Smart Card Login Client module must be installed on each
workstation that is intended to use the Smart Card login method.
To install the Universal Smart Card Login method on the
workstation:
1. Insert the NMAS Enterprise Edition CD.
2. Select and run the Universal Smart Card Client Login setup.
The Universal Smart Card Client Login installation starts.
After the initial setup process is complete, the PKCS#11 Library Selection
window opens.
3. Select User Specified Provider and click Next.
The User Specified Provider window opens.
4. Enter ,eTpkcs11.dll and click Next.
Note: Make sure to enter a comma before eTpkcs11.dll.
5. Follow the on-screen instructions until the Setup Complete window opens.
6. Click Finish.
Note: If you have Secure Workstation installed, you will be required to
restart the Secure Workstation service.
Preparing the eToken for the User
To initialize an eToken to be used with the Universal Smart Card Login
method, the eToken must have at least one private key and a user certificate
corresponding to that private key. The private key must be enabled for
signature generation.
The initialization is performed by uploading into the smart card the contents
of the PKCS#12 (PFX) file that contains the certificate and private key.
For more information about creating the PFX file, see Exporting the User
Certificate and Private Key, on page 27.
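A pre-flight check for the PFX file before it is loaded onto the eToken, given here as an added example (it is not part of the original guide or of any Aladdin or Novell tool). It uses the OpenSSL command line to confirm that the private key matches the user certificate, that the key is no larger than the 1024 bits noted for eToken PRO under Creating a User Certificate, and that the certificate permits signature generation. Assumptions: OpenSSL is installed on the administrator's workstation, the function names are hypothetical, and the certificate's keyUsage extension is taken as the indicator of a signature-enabled key.

```shell
#!/bin/sh
# Added example: pre-flight checks on a PKCS#12 (PFX) file before token import.
# Function names are hypothetical. The PFX password is read from the PFX_PASS
# environment variable so that it never appears on a command line.

# Print the public-key size, in bits, of the certificate in PEM file $1.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Succeed if the certificate in PEM file $1 may be used for signatures.
# Assumption: a certificate with no keyUsage extension is unrestricted.
cert_allows_signing() {
    usage=$(openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Key Usage' | tail -n 1)
    if [ -z "$usage" ]; then
        return 0
    fi
    case "$usage" in
        *"Digital Signature"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed if the private key in PFX file $1 belongs to the user certificate in
# the same file. The key is piped between processes and never written to disk.
pfx_key_matches_cert() {
    cert_pub=$(openssl pkcs12 -in "$1" -passin env:PFX_PASS -clcerts -nokeys \
        2>/dev/null | openssl x509 -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkcs12 -in "$1" -passin env:PFX_PASS -nocerts -nodes \
        2>/dev/null | openssl pkey -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Run every check on PFX file $1. $2 is the largest key size the token accepts
# (default 1024). Returns 0 if all checks pass, 1 if any check fails, and 2 if
# the file cannot be read.
pfx_preflight() {
    pfx=$1
    max_bits=${2:-1024}
    tmp=$(mktemp) || return 2
    if ! openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -clcerts -nokeys \
            >"$tmp" 2>/dev/null; then
        echo "FAIL: cannot read PFX (wrong password or unsupported encryption)"
        rm -f "$tmp"
        return 2
    fi
    rc=0
    if pfx_key_matches_cert "$pfx"; then
        echo "OK:   private key matches the user certificate"
    else
        echo "FAIL: private key does not match the user certificate"
        rc=1
    fi
    bits=$(cert_key_bits "$tmp")
    if [ -n "$bits" ] && [ "$bits" -le "$max_bits" ]; then
        echo "OK:   key size is $bits bits (limit $max_bits)"
    else
        echo "FAIL: key size '${bits:-unknown}' exceeds the limit of $max_bits bits"
        rc=1
    fi
    if cert_allows_signing "$tmp"; then
        echo "OK:   certificate permits signature generation"
    else
        echo "FAIL: keyUsage does not include Digital Signature"
        rc=1
    fi
    # Shown for comparison with the subject name registered in eDirectory.
    subject=$(openssl x509 -in "$tmp" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//')
    echo "Subject: $subject"
    rm -f "$tmp"
    return "$rc"
}

# Stand-alone use: PFX_PASS='...' sh pfx_preflight.sh user.pfx [max_bits]
[ "$#" -eq 0 ] || pfx_preflight "$@"
```

Passing the password through the PFX_PASS environment variable keeps it out of the process argument list. If OpenSSL 3 cannot decrypt a PFX written with older encryption algorithms, its pkcs12 command accepts the -legacy option.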
To initialize an eToken for use with the Universal Smart Card
Login method:
1. Locate the PFX file that you created earlier for the user, right-click and
select Install PFX.
Note: Alternatively, you can open Internet Explorer, select
Tools > Internet Options > Content and click Certificates.
The Certificate Import Wizard starts and the File to Import window opens.
4. Select Place all certificates in the following store, click Browse
and select the Personal > eToken physical store.
5. Click OK and then Next.
The eToken Base Cryptographic Providerwindow opens.
6. Type the eToken PIN and click OK.
The certificate and key pair are installed on the eToken.
A message is displayed indicating that the import was successful.
7. Click OK.
You can now view the certificate using either the Microsoft Certificate
Manager or the eToken Application Viewer, as shown in the example below:
Chapter 5
Logging in with eToken
This chapter explains how to configure the NMAS Client for use with eToken
and the Universal Smart Card Login Method, and describes the login
procedure for users.
This chapter includes the following:
Configuring the NMAS Client
Logging in Using the Universal Smart Card Login Method
Configuring the NMAS Client
The settings for the client can now be configured on the workstation.
To configure the NMAS Client:
1. On the client workstation, open Novell Client Configuration Properties
and select the Advanced Settings tab.
2. Select File caching and change the Setting to Off.
3. Select the Location Profiles tab.
4. Click Properties.
The Novell Login window opens.
5. Select the NMAS tab.
6. Select Enable tab and click OK.
The following registry settings are saved in the GENERAL registry key:
Name           TolerantFinalize
DWORD Value    0/1
Default        0
Logging in Using the Universal Smart Card Login Method
You can now log in using the eToken and the Universal Smartcard Login
method.
To log in using the Universal Smart Card Login method:
1. Attach the eToken to the workstation.
2. Log in using the sequence and clearance that are assigned to you.
3. When prompted, enter the eToken PIN and click OK.
You are now logged in to the workstation.
Chapter 6
Troubleshooting
This chapter describes the possible problems that may arise when attempting
to log in to NMAS using eToken, and suggests the steps to take to solve the
problems.
This chapter includes the following:
Error Logging In
Chapter 7
Glossary
Term | Abbreviation | Description
Domain Name | DN |
Certification Authority | CA | An authority in a network that issues and manages security credentials and public keys for message encryption and decryption. As part of a public key infrastructure (PKI), a CA checks with a registration authority (RA) to verify information provided by the requestor of a digital certificate. If the RA verifies the requestor's information, the CA can then issue a certificate.
Connectors | | Application extensions to TMS allow TMS to handle different security applications.
eToken Token Management System | TMS | eToken Token Management System OR eToken TMS
Lightweight Directory Access Protocol | LDAP | Network proposal for querying and modifying directory services
Microsoft Active Directory Application Mode | ADAM | A directory service running as a user service and not as a system
One Time Password | OTP |
Public Key Infrastructure | PKI | Method for securing web and network access. Consists of protocols, services and standards supporting associated software.
Runtime Environment | RTE | RTE is a generic term. However, earlier versions of eToken PKI Client were called eToken RTE.
Software Development Kit | SDK |
Token policy object | TPO |
Appendix 1
Copyrights and Trademarks
The eToken system and its documentation are copyrighted 1985 to
present, by Aladdin Knowledge Systems Ltd.
All rights reserved.
eToken is a trademark and ALADDIN KNOWLEDGE SYSTEMS LTD is a
registered trademark of Aladdin Knowledge Systems Ltd.
All other trademarks, brands, and product names used in this Manual are trademarks of their respective owners.
This manual and the information contained herein are confidential and
proprietary to Aladdin Knowledge Systems Ltd. (hereinafter Aladdin). All
intellectual property rights (including, without limitation, copyrights, trade
secrets, trademarks, etc.) evidenced by or embodied in and/or
attached/connected/related to this manual, information contained herein and
the Product, are and shall be owned solely by Aladdin. Aladdin does not
convey to you an interest in or to this manual, information contained herein
and the Product, but only a limited right of use. Any unauthorized use,
disclosure or reproduction is a violation of the licenses and/or Aladdin's
proprietary rights and will be prosecuted to the full extent of the Law.
NOTICE
All attempts have been made to make the information in this document
complete and accurate. Aladdin is not responsible for any direct or indirect
damages or loss of business resulting from inaccuracies or omissions. The
specifications in this document are subject to change without notice.
Appendix 2
FCC Compliance
eToken USB has been tested and found to comply with the limits for a Class B
digital device, pursuant to Part 15 of the FCC rules. These limits are designed
to provide reasonable protection against harmful interference in a residential
installation.
This equipment generates, uses, and can radiate radio frequency energy and, if
not installed and used in accordance with the instructions, may cause harmful
interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation.
If this equipment does cause harmful interference to radio or television
reception, which can be determined by turning the equipment off and on, the
user is encouraged to try to correct the interference by one of the following
measures:
a. Reorient or relocate the receiving antenna.
b. Increase the separation between the equipment and receiver.
c. Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.
d. Consult the dealer or an experienced radio/TV technician.
FCC Warning
Modifications not expressly approved by the manufacturer could void the user's
authority to operate the equipment under FCC rules.
All of the above applies also to the eToken USB.
FCC authorities have determined that the rest of the eToken product line does not contain a Class B Computing Device Peripheral and therefore does not
require FCC regulation.
CE Compliance
The eToken product line complies with the CE EMC Directive and related standards*. eToken products are marked with the CE logo and an eToken CE
conformity card is included in every shipment or upon demand.
*EMC directive 89/336/EEC and related standards EN 55022, EN 50082-1.
UL Certification
The eToken product line successfully completed UL 94 Tests for Flammability
of Plastic Materials for Parts in Devices and Appliances. eToken products
comply with UL 1950 Safety of Information Technology Equipment
regulations.
ISO 9002 Certification
The eToken product line is designed and manufactured by Aladdin
Knowledge Systems, an ISO 9002-certified company. Aladdin's quality
assurance system is approved by the International Organization for
Standardization (ISO), ensuring that Aladdin products and customer service
standards consistently meet specifications in order to provide outstanding
customer satisfaction.
Certificate of Compliance
Upon request, Aladdin Knowledge Systems will supply a Certificate of
Compliance to any software developer who wishes to demonstrate that the
eToken product line conforms to the specifications stated. Software
developers can distribute this certificate to the end user along with their
programs