Password ManagementBill Street, Nathan Jensen, Mike Simpson, Will PetersonIdentity Management Engineering
© March 21, 2004 Novell Inc.
The one Net vision
one Net: Information without boundaries…where the right people are connected with the right information at the right time to make the right decisions.
Novell exteNd™
Novell Nsure™
Novell Nterprise™
Novell NgageSM
The one Net vision: Novell Nsure™
Novell Nsure solutions take identity management to a whole new level. Novell Nsure gives you the power to control access so you can confidently deliver the right resources to the right people — securely, efficiently, and best of all, affordably.
Agenda
• Business Needs
• Password Management
• Password Policy
• Forgotten Password
  – Challenge/Hint
  – Self-Service Interface
• Notification Templates
• Password Sync/Set
• Universal Password
• Summary
Business Needs
Reduce help desk calls related to end-user password problems
Manage and share identity and access privileges across disparate systems and platforms
Enforce password policy
Novell’s Answer to Password Management
Password Policy
Password Self-Service
Forgotten password features:
– Challenge Questions
– Hints
– Set Password
Notification Templates
Two-Way Password Synchronization
Password Policy
What is a Password Policy?
Password policy (n):
A collection of admin-defined rules that specify the criteria for creating and replacing end-user passwords.
Password Policies
Policies include:
• Universal Password
• Advanced Password Rules
• Forgotten Password settings
• Challenge sets
• Reset password/hint
• Assignments
Universal Password benefits
• One password for all access to eDirectory
• Enables the use of extended characters
• Enables advanced password policies
• Reversible, which enables synchronization of passwords from eDirectory to other systems
• Attend session TUT352 for a better understanding
What Is a Password Rule?
Rules define the criteria for acceptable passwords such as:
• Password syntax
• Password properties
• Password lifetime
• Use of special characters
• Password exclusions
Forgotten Password: What is it?
Configurable content for password self-service
Challenge Sets and selectable actions
Show hint on page
Allow password reset
e-mail password to user
Challenge Sets: What are they?
Challenge Sets: A group of questions assigned to a password policy that are used as part of a password policy’s method of authentication.
• Admin-defined
• User-defined
• Random questions
• Mandatory questions
• Adds an additional level of security
• Allows forgotten password self-service
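Challenge sets are the authentication step behind forgotten-password self-service, so the stored responses deserve the same care as passwords. The Python below is an added example of one way to enrol and verify a challenge set with admin-defined mandatory questions, user-defined questions and random selection; it is not Novell's code, and the ChallengeSet fields, the PBKDF2 work factor and the three-attempt lockout are assumptions for the example, not product settings.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 100_000   # assumed work factor for the example
MAX_ATTEMPTS = 3          # assumed lockout threshold


def normalize(answer: str) -> str:
    """Case- and whitespace-insensitive form, so 'Boise ' and 'boise' match."""
    return " ".join(answer.strip().lower().split())


def hash_response(answer: str, salt: bytes) -> bytes:
    """Store only a salted, stretched hash of the response, never the text."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"),
                               salt, PBKDF2_ROUNDS)


@dataclass
class ChallengeSet:
    """Assumed shape of a challenge set attached to a password policy."""
    admin_questions: list        # admin-defined; every user must answer them
    mandatory: set               # admin questions that are always asked
    random_count: int            # extra questions drawn at random per attempt
    user_defined_count: int      # questions the user must supply themselves


@dataclass
class Enrollment:
    responses: dict = field(default_factory=dict)   # question -> (salt, hash)
    failed_attempts: int = 0


def enroll(cs: ChallengeSet, answers: dict) -> Enrollment:
    """Record a user's responses (answers maps question text -> plaintext answer)."""
    missing = [q for q in cs.admin_questions if q not in answers]
    if missing:
        raise ValueError(f"missing answers for admin-defined questions: {missing}")
    user_qs = [q for q in answers if q not in cs.admin_questions]
    if len(user_qs) < cs.user_defined_count:
        raise ValueError("not enough user-defined questions")
    enr = Enrollment()
    for q, a in answers.items():
        salt = os.urandom(16)
        enr.responses[q] = (salt, hash_response(a, salt))
    return enr


def select_questions(cs: ChallengeSet, enr: Enrollment) -> list:
    """Mandatory questions plus a random sample of the remaining ones."""
    optional = [q for q in enr.responses if q not in cs.mandatory]
    rng = secrets.SystemRandom()
    picked = rng.sample(optional, min(cs.random_count, len(optional)))
    return sorted(cs.mandatory) + picked


def verify(enr: Enrollment, asked: list, given: dict) -> bool:
    """True only if every asked question is answered correctly and the
    enrollment is not locked out by too many earlier failures."""
    if enr.failed_attempts >= MAX_ATTEMPTS:
        return False
    ok = True
    for q in asked:
        salt, stored = enr.responses[q]
        candidate = hash_response(given.get(q, ""), salt)
        # Check every answer (no early exit) with a constant-time comparison,
        # so timing does not reveal which answer was wrong.
        ok &= hmac.compare_digest(stored, candidate)
    enr.failed_attempts = 0 if ok else enr.failed_attempts + 1
    return ok
```

The random draw happens per attempt, so an attacker who has learned one optional answer cannot choose to be asked only that question; the mandatory question is always present on top of it.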
Password Policy: Assignment
Policy can be assigned to:
user
container
partition
tree
All password self-service (including forgotten password functionality) will be governed by the user’s effective policy.
Password Policy
Demo
iManager Self-Service Console
Looking at iManager Self-service Console
Password self-service for end-user:
• Challenge Sets
• Hint
• Advanced Change Password
Password Self-service for End-user
End-users manage their own password changes:
• Set hints and challenge questions/responses
• Change own password
Configuring Forgotten Password (End-user)
Upon authentication, the user’s challenge set may be presented for the user to configure
Change Password (End-user)
If challenge questions are answered correctly, end-user may set a password that fits policy criteria.
• A change in policy voids the old password
• The new password must conform to the rules of the assigned policy
• The console displays the rules to help users create compliant passwords
Set Password (Admin UI)
In addition to user self-service, admin and help desk can set user passwords in iManager.
Password Policy
Demo
Notification Templates
Notification
Notification templates allow customization for forgotten password actions involving e-mail.
•e-mail hint
•e-mail forgotten password
What Are Notification Templates?
Notification templates (n): A collection of predefined customizable e-mail messages that are sent to end-users after a certain action is performed, e.g. password expires, synchronization failure, etc.
Notification Templates
Features:
• Set of 5 predefined templates
• Modifiable through administration tool
• Send messages in HTML or Text
Password Notification Templates
Modifying Templates
• Templates contain tags that act as placeholders for user information
• Message in editable HTML
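The tags in a template are filled from directory attributes the user may control (a display name, for instance), and the message can be sent as HTML, so the substitution step must escape every value or the notification becomes an HTML-injection channel into the user's mail client. The Python below is an added example, not the product's own mailer: the $TAG$ syntax, the tag names, the two templates and the sample values are all assumed or constructed for illustration.

```python
import html
import re

# Assumed placeholder syntax for the example; the deck does not show the
# product's actual tag names or delimiters.
TAG = re.compile(r"\$([A-Z_]+)\$")

# Constructed templates, one HTML and one plain text, for the "password
# expired" event the deck lists as an example trigger.
PASSWORD_EXPIRED_HTML = """<html><body>
<p>Dear $FULL_NAME$,</p>
<p>The password for account <b>$USER_NAME$</b> expired on $EXPIRY_DATE$.</p>
<p>Change it at <a href="$SELF_SERVICE_URL$">the self-service console</a>.</p>
</body></html>"""

PASSWORD_EXPIRED_TEXT = ("Dear $FULL_NAME$, the password for $USER_NAME$ expired on "
                         "$EXPIRY_DATE$. Change it at $SELF_SERVICE_URL$")

# Tags the (assumed) mailer knows how to fill from the user object.
KNOWN_TAGS = {"FULL_NAME", "USER_NAME", "EXPIRY_DATE", "SELF_SERVICE_URL"}


def tags_in(template: str) -> set:
    """Every placeholder the template references."""
    return set(TAG.findall(template))


def validate_template(template: str) -> list:
    """Tags an administrator typed into the editor that the mailer cannot fill."""
    return sorted(tags_in(template) - KNOWN_TAGS)


def render(template: str, values: dict, as_html: bool) -> str:
    """Substitute tags; in HTML mode escape every value, because the user's own
    directory attributes are untrusted markup. Plain-text mail needs no escaping."""
    unknown = validate_template(template)
    if unknown:
        raise ValueError(f"template references unknown tags: {unknown}")
    missing = sorted(tags_in(template) - set(values))
    if missing:
        raise ValueError(f"no value supplied for tags: {missing}")

    def fill(match) -> str:
        value = str(values[match.group(1)])
        return html.escape(value, quote=True) if as_html else value

    return TAG.sub(fill, template)
```

Escaping with quote=True also covers the href attribute, so a value containing a double quote cannot break out of the link and add attributes of its own.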
Password Policy
Demo
Password Synchronization
Password Synchronization
Apply policy to connected systems
Set passwords in native interfaces
Synchronize passwords to and from numerous systems
Required changes
Where do I get Password management?
Where do I get advanced password management?
Applying policy to connected systems
1. The user sets a password on a participating system: Active Directory, NT Domains, NIS (UNIX) or eDirectory.
2. The password is captured and sent securely to the DirXML server.
3. Conforms to policy?
   – YES: the password is set on the user object in the Identity Vault and distributed to the associated user objects on connected systems that support subscription to the password attribute.
   – NO: the password on the participating system is reset to the last “good” password, and a failure notice is sent via e-mail.
Password flow to connected systems
1. The user enters a new password in the iManager self-service console (iManager web server).
2. The password is checked for conformance to policies.
3. The password is set on the user object in the Identity Vault.
4. DirXML distributes the password to the associated user objects on connected systems that support subscription to passwords.
Connected systems shown: Active Directory, NT, NIS, eDirectory, SAP User Management, GroupWise, Lotus Notes, LDAP (such as SunOne), and relational databases (Oracle, DB2, Sybase).
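The two flows above share one decision: the DirXML server checks the candidate password against the user's effective policy, then either sets it on the Identity Vault object and pushes it to subscribing systems, or rolls the originating system back to the last good password and sends a failure notice. The Python below is an added simulation of that decision together with the rule categories from the “What Is a Password Rule?” slide (syntax, properties, special characters, exclusions, reuse); it was written for this page and is not Novell's code. The rule names, the connected-system list and the user names are assumptions, and the secure transport from a connected system to the DirXML server is modelled only as a function call.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PasswordPolicy:
    """Assumed rule set illustrating the rule categories on the slides; the
    real Universal Password rule names are not reproduced here."""
    min_length: int = 8
    max_length: int = 64
    min_digits: int = 1
    min_special: int = 1
    allow_extended: bool = True        # non-ASCII characters (a Universal Password feature)
    excluded_words: set = field(default_factory=set)
    history_depth: int = 3             # recent passwords that may not be reused


def violations(policy: PasswordPolicy, password: str, username: str, history: list) -> list:
    """Return every rule the candidate breaks; an empty list means it conforms."""
    probs = []
    if not policy.min_length <= len(password) <= policy.max_length:
        probs.append(f"length must be {policy.min_length}-{policy.max_length}")
    if sum(c.isdigit() for c in password) < policy.min_digits:
        probs.append(f"needs at least {policy.min_digits} digit(s)")
    if sum(not c.isalnum() for c in password) < policy.min_special:
        probs.append(f"needs at least {policy.min_special} special character(s)")
    if not policy.allow_extended and any(ord(c) > 127 for c in password):
        probs.append("extended characters not allowed")
    lowered = password.lower()
    if username.lower() in lowered:
        probs.append("must not contain the user name")
    for word in policy.excluded_words:
        if word.lower() in lowered:
            probs.append(f"contains excluded word {word!r}")
    if password in history[-policy.history_depth:]:
        probs.append("reuses a recent password")
    return probs


@dataclass
class ConnectedSystem:
    name: str
    subscribes: bool = True            # accepts passwords pushed from the vault
    publishes: bool = False            # captures native changes and sends them to DirXML
    password: Optional[str] = None


@dataclass
class IdentityVault:
    """Stand-in for the DirXML server plus the Identity Vault user object."""
    policy: PasswordPolicy
    systems: dict
    users: dict = field(default_factory=dict)       # username -> {"password", "history"}
    notices: list = field(default_factory=list)     # (user, origin, problems) e-mailed

    def set_password(self, username: str, new_password: str, origin: str) -> bool:
        """Shared path for the iManager self-service console (origin="iManager")
        and for passwords published by a connected system (origin=its name)."""
        user = self.users.setdefault(username, {"password": None, "history": []})
        probs = violations(self.policy, new_password, username, user["history"])
        if probs:
            # NO branch: reset the originating system to the last good
            # password and record the failure notice.
            if origin in self.systems:
                self.systems[origin].password = user["password"]
            self.notices.append((username, origin, probs))
            return False
        # YES branch: set on the vault object, then distribute to every
        # connected system that subscribes to the password attribute.
        user["history"].append(new_password)
        user["password"] = new_password
        for system in self.systems.values():
            if system.subscribes:
                system.password = new_password
        return True

    def publish_from(self, system_name: str, username: str, captured: str) -> bool:
        """A password change captured natively on a connected system and sent
        to the DirXML server (transport security is out of scope here)."""
        system = self.systems[system_name]
        if not system.publishes:
            raise ValueError(f"{system_name} does not publish passwords")
        system.password = captured       # already changed on the native system
        return self.set_password(username, captured, origin=system_name)
```

Only systems that publish can originate a change; subscribe-only systems such as GroupWise in the test receive passwords but never send them, which matches the distinction the “Supported Systems of Password Sync” slide draws between set and two-way sync.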
Enabling Universal Password
Password stores managed by NMAS 2.3:
• NDS Password
• Simple Password
• Universal Password
• Distribution Password
Interfaces shown in the diagram:
• iManager (password management)
• iManager self-service console
• Novell Client, Universal Password enabled
• LDAP
• eGuide
• ConsoleOne (Universal Password enabling depends on the Client or NetWare)
• Novell Client, not Universal Password enabled
Password Set: Supported Systems
• Active Directory
• Delimited Text
• eDirectory
• Exchange 5.5
• GroupWise
• JDBC
• LDAP
• Lotus Notes
• NIS (UNIX)
• NT Domain
• PeopleSoft
• SAP HR
• User Management of SAP Software
• Schools Interoperability Framework (SIF)
• JMS WebSphere MQ
Supported Systems of Password Sync
Sync: Drivers that support synchronizing passwords in both directions, meaning publishing from the connected system to the DirXML data store, and subscribing to passwords from the DirXML data store.
• Active Directory
• eDirectory
• NDS
• NIS
• NT Domain
Required Changes for Universal Password Support
Upgrade the infrastructure to Universal Password versions of administration and client utilities
• eDir 8.7.1 or later
• NMAS 2.3
• NICI 2.6.2
• LDAP server 8.7.1
• iManager 2.0.1
• Identity Manager 2 (Password Sync)
• New Client32 and NT client, or no client at all
Password Management: How do I get it?
Password Management features
• Password Policy
• Forgotten password
  – Hint and Challenge-Response
• Self-service
• Free web download
Advanced Password Management: How do I get it?
Apply Policy to connected systems
Synchronize passwords to connected systems
Synchronize passwords from connected systems
Included with Novell Nsure Identity manager 2
Available via web download for free 90-day trial
Password Management Summary
Password Sync
• Password Policies enforced against connected systems
• Two-way sync
• Supports LDAP password change (Novell Client not required)
• Uses Universal Password
Password Policies
• Advanced Password Rules
• Forgotten Password self-service
• Challenge-Response
• Hint
• Notification Templates
For more information…
www.novell.com/nsure
To see Novell Nsure products and solutions in action, check out the following demonstrations in the BrainShare one Net Solutions Lab:
• Novell Nsure Identity Manager (formerly DirXML)
• Novell Account Management
• Novell Nsure SecureLogin
• Novell iChain
• Novell Nsure Audit
• Novell BorderManager
• Novell Nsure solutions
General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Novell, Inc., makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.
No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.