etoken and nmas 2u1

Upload: rihchard

Post on 03-Mar-2018


  • 7/26/2019 etoken and nmas 2u1

    1/66

    eToken and NMAS 2.1, Version 1.0

    Integration Guide, June 2008


    Contacting Aladdin eToken

    If you have any questions about Aladdin eToken, contact your local reseller or the Aladdin eToken technical support team:

    Region                                        Contact
    USA                                           1-212-329-6658, 1-866-202-3494, [email protected]
    Austria, Belgium, France, Germany, Italy,     00800-22523346
    Netherlands, Spain, Switzerland, UK
    Ireland                                       0011800-22523346
    Rest of the world                             +972-3-9781299

    You can submit a question to the Aladdin eToken technical support team at the following web page:
    http://www.aladdin.com/forms/etoken_question/form.asp

    Website: http://www.aladdin.com/eToken


    About This Guide

    Intended Audience

    This Integration Guide should be read by system administrators who wish to integrate eToken and Novell NMAS solutions.

    Text Conventions

    The following conventions are followed throughout this publication.

    Convention     Explanation
    Boldface       Used to indicate text that you enter, type, or execute. Example: Click Enter or Save or Delete.
    Italicized     Used to highlight objects in the application. Examples: The Production Domain window opens. The Connectors window opens.
    Note           Indicates additional information related to the task being discussed.
    Caution        Identifies potential problems that you should look out for when completing a task, or problems to be addressed before completing a task.
    >              Used as a shortcut to indicate the path to be followed. Example: Programs > eToken > TMS indicates: From the Programs menu, choose the eToken submenu, then choose the TMS option.
    Sidebar        Provides ancillary information on the topic being discussed. Go to the sidebars to learn additional information about the topic.


    Table of Contents

    Chapter 1 Introduction ..... 1
    Overview ..... 2
    NMAS Minimum Requirements ..... 2
    Universal Smart Card Login Method ..... 3
    Chapter 2 Installing NMAS Server Components ..... 5
    Installing the NMAS Server Software ..... 6
    Installing the Universal Smart Card Login Method ..... 10
    Configuring the Universal Smart Card Login Method ..... 16
    Chapter 3 Creating User Certificates and Authorizing the Login Sequence ..... 21
    Creating User Certificates ..... 22
    Authorizing the Login Sequence for Users ..... 29
    Chapter 4 Setting Up the Client Workstation ..... 33
    Installing eToken PKI Client 4.55 ..... 34
    Updating the NMAS Client ..... 37
    Installing the Universal Smart Card Login Method ..... 39
    Preparing the eToken for the User ..... 42
    Chapter 5 Logging in with eToken ..... 47
    Configuring the NMAS Client ..... 48
    Logging in Using the Universal Smart Card Login Method ..... 51
    Chapter 6 Troubleshooting ..... 53
    Error Logging In ..... 54
    Chapter 7 Glossary ..... 55
    Appendix 1 Copyrights and Trademarks ..... 57
    NOTICE ..... 57
    Appendix 2 FCC Compliance ..... 59
    FCC Warning ..... 59
    CE Compliance ..... 60
    UL Certification ..... 60
    ISO 9002 Certification ..... 60
    Certificate of Compliance ..... 60


    Chapter 1

    Introduction

    This integration guide describes eToken and Novell Modular Authentication Service (NMAS) solutions for secure user access control.

    This chapter includes the following:

    Overview
    NMAS Minimum Requirements
    Universal Smart Card Login Method


    Overview

    Novell Modular Authentication Service (NMAS) Enterprise Edition provides an extensible NDS authentication framework that you can use to customize a powerful security solution for your network. With NMAS your network users can authenticate to NDS with something they know (such as a password), something they have (such as a token, smart card, or X.509 certificate), and something they are (biometric data such as a fingerprint).

    NMAS Enterprise Edition is designed to help you protect information on your network. NMAS brings together additional methods of authenticating to NDS eDirectory to help ensure that the people accessing your network resources are who they say they are. Also, you can grant or restrict access to network resources based on how a user authenticates to NDS eDirectory.

    The Universal Smart Card Login method is a certificate-based (X.509, RFC 2459) authentication method that uses a PKCS#11 (Cryptoki) token interface for cryptography and key storage. NMAS is integrated with the Aladdin Knowledge Systems PKCS#11 library to enable the Universal Smart Card Login procedure to be used with eToken.

    NMAS Minimum Requirements

    Before you begin the installation, make sure that your environment meets all of the listed prerequisites.

    IMPORTANT: This product will not install on NetWare 5.0 or on an NDS eDirectory version earlier than 8.6.1.

    Server Requirements

    NetWare 6:
    NetWare 5.1 with Support Pack 2 or later installed
    NDS eDirectory 8.6.1 or later
    NetWare Server NICI 2.4 or later must be installed on the server prior to installing NMAS 2.1 server components
    NetWare Server NICI 2.4 is included with this product and is located in the NICI\NWSERVER directory


    Windows NT or 2000:
    Windows NT Server 4.0 with Service Pack 6a or later, or Windows 2000 Server with Service Pack 2 or later
    NDS eDirectory 8.6.1 or later

    NMAS Client Workstation Requirements

    Windows 98 SE, Windows 2000 Professional or Windows NT 4 Service Pack 6a or later
    Novell Client for NT 4.8.3 or later installed
    Windows NICI 2.4.1 or later
    ConsoleOne 1.3.2 or later
    eToken PKI 4.55 or later

    Universal Smart Card Login Method

    The Universal Smart Card Login method provides user identification and authentication using a smart card and reader connected to a network.

    When used with eToken, the Universal Smart Card Login method provides authentication only. The user provides proof of identity with the eToken, and the smart card authenticates the user to the network.

    The following are the prerequisites for installing and using the Universal Smart Card Login method, in addition to the NMAS prerequisites listed above:

    Server:
    NMAS 2.02 or later

    Client Workstation:
    NMAS Client 2.1 or later if you are using the ID snap-ins.


    Installing and Using the Universal Smart Card Login Method

    Making the Universal Smart Card Login method available for use with eToken requires the following steps:

    1. Install and configure the login method on the NMAS Server, as described in Chapter 2, Installing NMAS Server Components.

    2. Define the user certificates and login sequence, as described in Chapter 3, Creating User Certificates and Authorizing the Login Sequence.

    3. Set up users' workstations for use with eToken and the login method, as described in Chapter 4, Setting Up the Client Workstation.

    After these steps have been completed, users will be able to log in securely using eToken, as described in Chapter 5, Logging in with eToken.


    Chapter 2

    Installing NMAS Server Components

    This chapter explains how to install and configure the required components on the NMAS server to enable the Universal Smart Card Login method to be used with eToken.

    This chapter includes the following:

    Installing the NMAS Server Software
    Installing the Universal Smart Card Login Method
    Configuring the Universal Smart Card Login Method


    Installing the NMAS Server Software

    The NMAS server software components are installed on the server using a Windows client workstation.

    To install the NMAS server software:

    1. Run ConsoleOne from a Windows client workstation using the ConsoleOne executable file located on the server at: server:sys\public\mgmt\consoleone\1.2\consoleone.exe.

    2. On a Windows client workstation, log in as the administrator to the server on which you want to install the server components.

    3. Insert the NMAS Enterprise Edition CD.

    Note: If an error message is displayed, stating that you need to update the Novell Client software, install the latest Novell Client software and reboot the workstation. You may also be prompted to upgrade to eDirectory 8.6.1 or later. If so, upgrade the eDirectory software.

    4. From the root of the CD, run nmasinstall.exe.

    The Novell Modular Authentication Service Install window opens.

    5. Select NMAS Server Components and click OK.

    The Novell Modular Authentication Service Installation Welcome window opens.


    6. Click Next.

    The License Agreement window opens.

    7. Read the License Agreement and click Accept.

    The Install Type window opens.


    8. Select Remote Netware Server and click Next.

    The Select NMAS Components window opens.

    9. Select NMAS Snapins and click Next.

    The Target Server window opens.


    13. Click OK.

    The Installation Complete window opens.

    14. Restart the server.

    The installation is complete.

    Installing the Universal Smart Card Login Method

    The Universal Smart Card Login method is a certificate-based (X.509, RFC 2459) authentication method that uses a PKCS#11 (Cryptoki) token interface for cryptography and key storage. NMAS needs to be integrated with the Aladdin Knowledge Systems eTpkcs11 library to enable the Universal Smart Card Login procedure to be used with eToken.

    The Universal Smart Card Login method can be installed in either of the following ways:

    With ConsoleOne - the login method snap-ins are installed using a configuration file.
    With the NMAS Login Method Install Wizard - the login method is installed directly to eDirectory.


    To install the Universal Smart Card Login method using ConsoleOne:

    1. Open Novell ConsoleOne.

    2. Select Security, right-click Authorized Login Methods and select New > Object.

    The New Object window opens.

    3. Select SAS:NMAS Login Method and click OK.

    The Select the Method Configuration File window opens.


    4. Select the login configuration file and click Open. The configuration file is usually named config.txt and is located in the UsmartCard folder.

    The login method snap-ins are installed.

    Note: It may be necessary to close and restart ConsoleOne in order to run the newly installed login method snap-ins.


    To install the Login Method using the Login Method Install Wizard:

    1. In the NmasMethods folder, double-click MethodInstaller.exe to launch the NMAS Login Method Installer Wizard.

    2. Click Next.

    The Select the Login Methods window opens.


    3. Select Universal Smart Card and click Next.

    The Login to eDirectory window opens.

    4. Log in to eDirectory, select a path for the installation, and click Next.


    The method properties are displayed.

    5. You can rename the method if you wish. Click Next.

    The modules are displayed for the selected method.


    The next NMAS Login Method Install Wizard window opens.

    6. Check the box to use only the Smart Card Login method and click Next.

    The final window opens.

    7. Click Finish.

    The Universal Smart Card Login Method has been installed on the server.

    Configuring the Universal Smart Card Login Method

    In order to make the Universal Smart Card Login Method available for use with eToken, the method must be configured on the server. This includes the following steps:

    Create a trusted root certificate container.
    Export a trusted root certificate.
    Install the certificate in the trusted root certificate container.
    Configure the Universal Smart Card Login Method to use the trusted root certificate container on the server.


    Creating a Trusted Root Certificate Container

    The first stage is to create a container for the trusted root certificate.

    To create a trusted root certificate container:

    1. In ConsoleOne, right-click Security and select New > Object.

    The New Object window opens.

    2. Select NDSPKI:Trusted Root and click OK.

    3. Assign a name to the new trusted root certificate container and click OK.

    Exporting a Trusted Root Certificate

    The trusted root certificate now needs to be exported to the location of your choice.

    To export a trusted root certificate:

    1. Obtain a self-signed certificate from the Certificate Authority.

    2. In ConsoleOne, select Security, right-click the CA object and select Properties.


    3. Select the Certificates tab.

    4. Select the self-signed Certificate, and click Export to start the Certificate Export wizard.

    5. Verify that the default No button is selected, and click Next.

    6. Click Next.

    7. Accept the defaults, then click Finish.

    The certificate is stored in C:\ (the default location).

    Installing the Trusted Root Certificate in the Container

    The certificate can now be installed in the trusted root container.

    To install the trusted root certificate in the container:

    1. In ConsoleOne, right-click the new trusted root container object, and select New > Object.

    The New Object window opens.

    2. Select NDSPKI:Trusted Root Object and click OK.

    3. Assign a name to the new Trusted Root object and click OK.

    4. Create a certificate object and click Read from file.


    5. Select the certificate and click Open.

    The certificate is displayed.

    6. Click Finish.

    The certificate is installed in the trusted root container.


    Configuring the Universal Smart Card Login Method to use the Trusted Root Container

    The final step is to ensure that the Universal Smart Card Login Method uses the certificate in the trusted root container for user authentication.

    1. In ConsoleOne, select Authorized Login Methods and select the Universal Smart Card Login Method object.

    2. Right-click the Smart card authentication object and click Properties.

    The Properties window opens for the eToken PKCS#11 library.

    3. Select Certificate > Configuration and click Add.

    4. Navigate to the Security container, select the trusted root container that you created earlier, and click OK.

    The configuration is complete.


    Chapter 3

    Creating User Certificates and Authorizing the Login Sequence

    This chapter describes how to define and export user certificates for use with the Universal Smart Card Login Method, and explains how to configure the login policy to enable users to log in using eToken.

    This chapter includes the following:

    Creating User Certificates
    Authorizing the Login Sequence for Users


    Creating User Certificates

    In order for a user to be able to log in using eToken, a user certificate must be stored in the user's smart card, and the user's certificate subject name must be added in eDirectory. The certificate on the smart card must also contain the user's private key. Either Novell-created user certificates or third-party user certificates can be used.

    Creating a user certificate with a private key for use with the Universal Smart Card Login Method involves:

    Creating a user certificate
    Configuring the certificate subject name from the user certificate
    Exporting the user certificate and private key to a PFX file

    Creating a User Certificate

    User certificates are defined using the NMAS Create User Certificate wizard.

    To create a user certificate:

    1. In ConsoleOne, double-click the user object.

    The Properties window opens for the selected user.

    2. Select Security > Certificates.


    3. Click Create.

    The Create User Certificate window opens.

    4. Type a nickname for the certificate, select Custom and click Next.

    5. Click Next in the next window.

    The next Create User Certificate window opens, requiring the RSA key details.


    6. Specify the key size and click Next.

    Note: eToken PRO supports key sizes of up to 1024 bits.

    The next Create User Certificate window opens, requiring the certificate parameters.

    7. Enter the user's e-mail address and click Next.

    8. If an e-mail address warning message is displayed, click Yes.

    The next Create User Certificate window opens, displaying the selected certificate parameters.


    9. Click Finish.

    The user's certificate is created, and is displayed in the Properties window for the user.


    Configuring the User Certificate Subject Name

    The user's properties must now be updated with the subject name for the newly-created certificate.

    To configure the user certificate subject name:

    1. In the Security > Certificates tab of the Properties window for the user, click Details.

    The certificate details are displayed.

    2. Select X.509, copy the certificate subject name to the Windows clipboard, and close the certificate details window.

    3. In the Properties window, select Security > Certificate Subject Names and click Add.


    4. In the Allowable Certificate Subject Names window, paste in the certificate subject name from the clipboard.

    5. Click OK.

    6. Click Apply.

    7. Close ConsoleOne.

    Exporting the User Certificate and Private Key

    In order to use a certificate for secure e-mail, authentication, or encryption, the user's private key and certificate must be exported to the smart card. Knowing the private key proves that the user is the person indicated in the certificate.

    To export the user's private key and certificate:

    1. Log in to NDS as the user for whom you have just created the certificate.

    2. Restart ConsoleOne.

    3. Right-click the User object that hosts the user certificate and select Properties.

    4. Select Security > Certificates.

    5. Select the user certificate and click Export.


    The Export A User Certificate window opens.

    6. Select Yes and click Next.

    The next Export A User Certificate window opens, requiring file and password details.

    7. Specify a file name and location for the PFX file to contain the certificate and private key.

    8. Specify a password to protect the private key. This password will be used to encrypt the PFX file. It must consist of at least 6 alphanumeric characters.

    9. Re-enter the password and click Next.


    The next Export A User Certificate window opens, displaying the certificate parameter values.

    10. Click Finish.

    The certificate and the private key are exported to the PFX file in the specified location.

    11. Close the Properties window and exit ConsoleOne.

    Authorizing the Login Sequence for Users

    User objects can be configured to use one or more of the available login sequences defined in eDirectory.

    Users with no login restrictions are already authorized for the Universal Smart Card Login sequence.

    If login sequence restrictions have been configured for users, you will need to authorize the Universal Smart Card Login sequence for those users.

    Authorizing the login sequence includes the following steps:

    Defining the login policy object
    Defining the login policy for users


    Defining the Login Policy Object

    The login policy object is defined once.

    To define the login policy object:

    1. Open ConsoleOne.

    2. Right-click Authorized Login Methods and select New > Object.

    The Properties of Login Policy window opens.

    3. Select Universal Smart Card and move it from the Available Login Methods list to the Selected Login Methods list.

    Defining the Login Policy for Users

    The login policy needs to be defined for each user who will log in with eToken.

    To define the login policy for a user:

    1. Log in to ConsoleOne as admin.

    2. Right-click the User object for the user and click Properties.

    3. Select Security > Login Sequences.


    4. Move the Universal Smart Card authorization sequence from the Available Sequences list to the Authorized Sequences list.

    5. Select Security > Clearances.

    6. Set the default clearance for the user to logged in and move logged in from the Available Clearances list to the Authorized Clearances list.

    7. Repeat the above steps as required for the other users.


    Setting the Default Authorization Sequence for New Users

    The Universal Smart Card authorization sequence can be set as the default for new users when the new user is defined.

    Setting this option automatically moves the Universal Smart Card authorization sequence from the Available Sequences list to the Authorized Sequences list in the Properties window for the new user.


    Chapter 4

    Setting Up the Client Workstation

    This chapter explains how to install the required client software modules on the workstation and how to prepare the eToken for the user.

    This chapter includes the following:

    Installing eToken PKI Client 4.55
    Updating the NMAS Client
    Installing the Universal Smart Card Login Method
    Preparing the eToken for the User


    Installing eToken PKI Client 4.55

    eToken PKI Client 4.55 must be installed on the client workstation before installing the Universal Smart Card Login method. The eToken runtime environment PKI 4.55 includes all the necessary files and drivers to support eToken integration. It also includes the eToken Properties facility, which enables easy user management of the eToken password and name.

    To install eToken PKI Client 4.55:

    1. On the client workstation, close all currently opened applications.

    2. Either:

    Download eToken PKI Client 4.55 (and MSI if necessary) from the eToken Support and Downloads web page, store it in your selected location, and double-click the downloaded PKI 4.55.msi file.

    or

    Insert the eToken Enterprise CD into your CD drive.

    If the required version of MSI is not present, the eToken Installer proceeds to install it on your system.

    The eToken PKI Client 4.55 Installation Wizard starts.

    3. Click Next.


    The eToken PKI Client 4.55 Setup language selection window opens.

    4. Click Next.

    The eToken PKI Client 4.55 Setup License Agreement window opens.


    5. Select I accept and click Next.

    6. Remove any eTokens that are connected to the computer, and click Install.

    The eToken PKI 4.55 files are installed.

    7. When the installation is complete, click Finish.

    Connecting the eToken

    After the installation of eToken PKI 4.55, eToken can be used to log in to the workstation.

    To connect an eToken to the workstation: Connect an eToken to the USB port or cable.

    The new hardware is processed and the eToken lights up. This process may take some time, depending on the operating system and computer.

    The installation is successful.

    Connecting the eToken USB Extension Cable

    If the USB port is not easily accessible, an eToken USB extension cable can be used, as described below. This extension cable enables you to insert and remove the eToken easily without having to access the USB port directly.

    The eToken connects to the computer's USB port. If the USB port is located at the back of the PC, it is probably difficult to reach. The eToken extension cable is two meters (approximately six linear feet) long and enables easy access to the USB port for insertion and removal of the eToken.

    If a USB port or hub is located on the keyboard or monitor, you may not need an eToken extension cable. If the port is on the monitor, make sure that the monitor is connected to the USB port of the PC through a standard USB type A to type B cable.


    Updating the NMAS Client

    The NMAS Client software must be updated on each workstation that is intended for use with the Universal Smart Card Login method.

    To update the NMAS client on the workstation:

    1. Run nmasinstall.exe (located in the root directory of the NMAS CD).

    2. Select the NMAS Client option and click OK.

    The NMAS Client Setup application starts.

    The NMAS Client Components Setup Welcome window opens.


    3. Click Next.

    The Software License Agreement window opens.

    4. Click Yes to accept the agreement.

    The Select NMAS Client Login Methods window opens.


    5. Select Universal Smart Card and click Next.

    The Select NMAS Client Post-Login Methods window opens.

    6. Without selecting any method, click Next.

    The NMAS Client update is complete.

    Installing the Universal Smart Card Login Method

    The Universal Smart Card Login Client module must be installed on each workstation that is intended to use the Smart Card login method.

    To install the Universal Smart Card Login method on the workstation:

    1. Insert the NMAS Enterprise Edition CD.

    2. Select and run the Universal Smart Card Client Login setup.

    The Universal Smart Card Client Login installation starts.


    After the initial setup process is complete, the PKCS#11 Library Selection window opens.

    3. Select User Specified Provider and click Next.

    The User Specified Provider window opens.


    4. Enter ,eTpkcs11.dll and click Next.

    Note: Make sure to enter a comma before eTpkcs11.dll.

    5. Follow the on-screen instructions until the Setup Complete window opens.

    6. Click Finish.

    Note: If you have Secure Workstation installed, you will be required to restart the Secure Workstation service.


    Preparing the eToken for the User

    To initialize an eToken to be used with the Universal Smart Card Login method, the eToken must have at least one private key and a user certificate corresponding to that private key. The private key must be enabled for signature generation.

    The initialization is performed by uploading into the smart card the contents of the PKCS#12 (PFX) file that contains the certificate and private key.

    For more information about creating the PFX file, see Exporting the User Certificate and Private Key, on page 27.
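    The three requirements above (a private key, a user certificate whose public key matches it, and a key that may be used for signatures) can be checked on the PFX file before it is installed on the token. The following script is an added example, not part of this guide or of the eToken or NMAS products; it assumes the openssl command line tool is available, and the sample PFX it checks is constructed locally (a self-signed stand-in for the file exported in the procedure on page 27).

```shell
#!/bin/sh
# Added example (not from the guide): check a PKCS#12 (PFX) file against the
# requirements above before installing it on the eToken: it must hold a
# private key, a user certificate whose public key matches that key, and a
# keyUsage that permits signature generation. Assumes the openssl command
# line tool is installed; the sample PFX is constructed locally.

# check_pfx FILE PASSWORD: prints "ok" and returns 0, or prints the first
# unmet requirement and returns 1.
check_pfx() {
    pfx=$1; pw=$2
    key=$(openssl pkcs12 -in "$pfx" -passin "pass:$pw" -nocerts -nodes 2>/dev/null) || key=
    printf '%s' "$key" | grep -q 'PRIVATE KEY' || { echo "no private key"; return 1; }
    crt=$(openssl pkcs12 -in "$pfx" -passin "pass:$pw" -nokeys -clcerts 2>/dev/null) || crt=
    printf '%s' "$crt" | grep -q 'BEGIN CERTIFICATE' || { echo "no user certificate"; return 1; }
    # The public key derived from the private key must equal the certificate's
    # (both are written as PEM SubjectPublicKeyInfo, so they compare as text).
    k_pub=$(printf '%s\n' "$key" | openssl pkey -pubout 2>/dev/null)
    c_pub=$(printf '%s\n' "$crt" | openssl x509 -pubkey -noout 2>/dev/null)
    [ -n "$k_pub" ] && [ "$k_pub" = "$c_pub" ] ||
        { echo "certificate does not match private key"; return 1; }
    # If a keyUsage extension is present it must include Digital Signature.
    ku=$(printf '%s\n' "$crt" | openssl x509 -noout -text 2>/dev/null | grep -A1 'X509v3 Key Usage' || true)
    if [ -n "$ku" ] && ! printf '%s' "$ku" | grep -q 'Digital Signature'; then
        echo "private key not enabled for signature generation"; return 1
    fi
    echo ok
}

# make_sample_pfx DIR KEYUSAGE PASSWORD: constructed stand-in for the PFX that
# the guide's export procedure produces (self-signed, not an eDirectory cert).
make_sample_pfx() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=nmas-user" \
        -addext "keyUsage=critical,$2" -keyout "$dir/user.key" -out "$dir/user.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$dir/user.key" -in "$dir/user.crt" \
        -out "$dir/user.pfx" -passout "pass:$3" 2>/dev/null
    echo "$dir/user.pfx"
}

# Stand-alone run: a signing-capable PFX passes, an encryption-only one is rejected.
tmp=$(mktemp -d); mkdir "$tmp/sig" "$tmp/enc"
check_pfx "$(make_sample_pfx "$tmp/sig" digitalSignature Secret1)" Secret1
check_pfx "$(make_sample_pfx "$tmp/enc" keyEncipherment Secret1)" Secret1
rm -rf "$tmp"
```

    A PFX that fails the last check would import into the eToken store but could not be used by the login method, which needs the key for signing.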

    To initialize an eToken for use with the Universal Smart Card Login method:

    1. Locate the PFX file that you created earlier for the user, right-click and select Install PFX.

    Note: Alternatively, you can open Internet Explorer, select Tools > Internet Options > Content and click Certificates.

    The Certificate Import Wizard starts and the File to Import window opens.


    4. Select Place all certificates in the following store, click Browse and select the Personal > eToken physical store.

    5. Click OK and then Next.

    The eToken Base Cryptographic Provider window opens.


    6. Type the eToken PIN and click OK.

    The certificate and key pair are installed on the eToken.

    A message is displayed indicating that the import was successful.

    7. Click OK.

    You can now view the certificate using either the Microsoft Certificate Manager or the eToken Application Viewer, as shown in the example below:


    Chapter 5

    Logging in with eToken

    This chapter explains how to configure the NMAS Client for use with eToken and the Universal Smart Card Login Method, and describes the login procedure for users.

    This chapter includes the following:

    Configuring the NMAS Client

    Logging in Using the Universal Smart Card Login Method


    Configuring the NMAS Client

    The settings for the client can now be configured on the workstation.

    To configure the NMAS Client:

    1. On the client workstation, open Novell Client Configuration Properties and select the Advanced Settings tab.

    2. Select File caching and change the Setting to Off.

    3. Select the Location Profiles tab.


    4. Click Properties.

    The Novell Login window opens.


    5. Select the NMAS tab.


    6. Select Enable tab and click OK.

    The following registry setting is saved in the GENERAL registry key:

    Name: TolerantFinalize

    DWORD Value: 0/1

    Default: 0

    Logging in Using the Universal Smart Card Login Method

    You can now log in using the eToken and the Universal Smart Card Login method.

    To log in using the Universal Smart Card Login method:

    1. Attach the eToken to the workstation.

    2. Log in using the sequence and clearance that are assigned to you.

    3. When prompted, enter the eToken PIN and click OK.

    You are now logged in to the workstation.


    Chapter 6

    Troubleshooting

    This chapter describes the possible problems that may arise when attempting to log in to NMAS using eToken, and suggests the steps to take to solve the problems.

    This chapter includes the following:

    Error Logging In


    Chapter 7

    Glossary

    Term (Abbreviation): Description

    Domain Name (DN)

    Certification Authority (CA): An authority in a network that issues and manages security credentials and public keys for message encryption and decryption. As part of a public key infrastructure (PKI), a CA checks with a registration authority (RA) to verify information provided by the requestor of a digital certificate. If the RA verifies the requestor's information, the CA can then issue a certificate.

    Connectors: Application extensions to TMS that allow TMS to handle different security applications.

    eToken Token Management System (TMS): eToken Token Management System, or eToken TMS.

    Lightweight Directory Access Protocol (LDAP): Network protocol for querying and modifying directory services.

    Microsoft Active Directory Application Mode (ADAM): A directory service running as a user service and not as a system.

    One Time Password (OTP)

    Public Key Infrastructure (PKI): Method for securing web and network access. Consists of protocols, services and standards supporting associated software.

    Runtime Environment (RTE): RTE is a generic term. However, earlier versions of eToken PKI Client were called eToken RTE.

    Software Development Kit (SDK)

    Token policy object (TPO)


    Appendix 1

    Copyrights and Trademarks

    The eToken system and its documentation are copyrighted 1985 to present, by Aladdin Knowledge Systems Ltd.

    All rights reserved.

    eToken is a trademark and ALADDIN KNOWLEDGE SYSTEMS LTD is a registered trademark of Aladdin Knowledge Systems Ltd.

    All other trademarks, brands, and product names used in this Manual are trademarks of their respective owners.

    This manual and the information contained herein are confidential and proprietary to Aladdin Knowledge Systems Ltd. (hereinafter Aladdin). All intellectual property rights (including, without limitation, copyrights, trade secrets, trademarks, etc.) evidenced by or embodied in and/or attached/connected/related to this manual, information contained herein and the Product, are and shall be owned solely by Aladdin. Aladdin does not convey to you an interest in or to this manual, information contained herein and the Product, but only a limited right of use. Any unauthorized use, disclosure or reproduction is a violation of the licenses and/or Aladdin's proprietary rights and will be prosecuted to the full extent of the Law.

    NOTICE

    All attempts have been made to make the information in this document complete and accurate. Aladdin is not responsible for any direct or indirect damages or loss of business resulting from inaccuracies or omissions. The specifications in this document are subject to change without notice.


    Appendix 2

    FCC Compliance

    eToken USB has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation.

    This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation.

    If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one of the following measures:

    a. Reorient or relocate the receiving antenna.

    b. Increase the separation between the equipment and receiver.

    c. Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.

    d. Consult the dealer or an experienced radio/TV technician.

    FCC Warning

    Modifications not expressly approved by the manufacturer could void the user's authority to operate the equipment under FCC rules.

    All of the above applies also to the eToken USB.

    FCC authorities have determined that the rest of the eToken product line does not contain a Class B Computing Device Peripheral and therefore does not require FCC regulation.


    CE Compliance

    The eToken product line complies with the CE EMC Directive and related standards*. eToken products are marked with the CE logo and an eToken CE conformity card is included in every shipment or upon demand.

    *EMC directive 89/336/EEC and related standards EN 55022, EN 50082-1.

    UL Certification

    The eToken product line successfully completed UL 94 Tests for Flammability of Plastic Materials for Parts in Devices and Appliances. eToken products comply with UL 1950 Safety of Information Technology Equipment regulations.

    ISO 9002 Certification

    The eToken product line is designed and manufactured by Aladdin Knowledge Systems, an ISO 9002-certified company. Aladdin's quality assurance system is approved by the International Organization for Standardization (ISO), ensuring that Aladdin products and customer service standards consistently meet specifications in order to provide outstanding customer satisfaction.

    Certificate of Compliance

    Upon request, Aladdin Knowledge Systems will supply a Certificate of Compliance to any software developer who wishes to demonstrate that the eToken product line conforms to the specifications stated. Software developers can distribute this certificate to the end user along with their programs.