Password Management Bill Street, Nathan Jensen, Mike Simpson, Will Peterson Identity Management Engineering

Post on 30-Jan-2016


Page 1: Password Management Bill Street, Nathan Jensen, Mike Simpson, Will Peterson Identity Management Engineering

Password Management

Bill Street, Nathan Jensen, Mike Simpson, Will Peterson

Identity Management Engineering

Page 2

© March 21, 2004 Novell Inc.

one Net: Information without boundaries… where the right people are connected with the right information at the right time to make the right decisions.

The one Net vision

Novell exteNd™

Novell Nsure™

Novell Nterprise™

Novell Ngage℠

Page 3

The one Net vision

Novell Nsure solutions take identity management to a whole new level. Novell Nsure gives you the power to control access so you can confidently deliver the right resources to the right people — securely, efficiently, and best of all, affordably.


Page 4

Agenda

• Business Needs

• Password Management

• Password Policy

• Forgotten Password

– Challenge/Hint

– Self-Service Interface

• Notification Templates

• Password Sync/Set

• Universal Password

• Summary

Page 5

Business Needs

Reduce help desk calls related to end-user password problems

Manage and share identity and access privileges across disparate systems and platforms

Enforce password policy

Page 6

Novell’s Answer to Password Management

Password Policy

Password Self-Service

Forgotten password features:

– Challenge Questions

– Hints

– Set Password

Notification Templates

Two-Way Password Synchronization

Page 7

Password Policy

Page 8

What is a Password Policy?

Password policy (n):

A collection of admin-defined rules that specify the criteria for creating and replacing end-user passwords.

Page 9

Password Policies

Policies include:

• Universal Password

• Advanced Password Rules

• Forgotten Password settings

• Challenge sets

• Reset password/hint

• Assignments

Page 10

Universal Password benefits

• One password for all access to eDirectory

• Enables the use of extended characters

• Enables advanced password policies

• Reversible: enables synchronization of passwords from eDirectory to other systems

• Attend session TUT352 for a better understanding

Page 11

What Is a Password Rule?

Rules define the criteria for acceptable passwords such as:

• Password syntax

• Password properties

• Password lifetime

• Use of special characters

• Password exclusions

Page 12

Forgotten Password: What is it?

Configurable content for password self-service

Challenge Sets and selectable actions

Show hint on page

Allow password reset

e-mail password to user

Page 13

Challenge Sets: What are they?

Challenge Sets: A group of questions assigned to a password policy that are used as part of a password policy’s method of authentication.

• Admin-defined

• User-defined

• Random questions

• Mandatory questions

• Adds an additional level of security

• Allows for forgotten password self-service

Page 14

Password Policy: Assignment

Policy can be assigned to:

user

container

partition

tree

All password self-service (including forgotten password functionality) will be governed by the user’s effective policy.
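The assignment scopes above, as an added example (not Novell's code) of resolving the effective policy for a user object from assignments at user, container, partition and tree level. The slide lists the four scopes but not their precedence; the example assumes the nearest assignment on the path from the user object up to the tree root wins (user > container > partition > tree), and the DNs and policy names are constructed for the illustration.

```python
# Added example, not Novell's code. Assumption: the nearest assignment on the
# path user object -> containers -> tree root governs the user, which gives the
# precedence user > container > partition > tree.

TREE_ROOT = "[Root]"   # constructed key for a tree-level assignment

def ancestors(dn):
    """Containers above a typed DN, nearest first: 'cn=a,ou=x,o=y' -> ['ou=x,o=y', 'o=y']."""
    parts = dn.split(",")
    return [",".join(parts[i:]) for i in range(1, len(parts))]

def effective_policy(user_dn, assignments, partition_roots=()):
    """assignments maps a DN (or TREE_ROOT) to a policy name.
    Returns (scope, policy_name), or (None, None) when nothing applies."""
    for dn in [user_dn, *ancestors(user_dn), TREE_ROOT]:
        if dn not in assignments:
            continue
        if dn == user_dn:
            scope = "user"
        elif dn == TREE_ROOT:
            scope = "tree"
        elif dn in partition_roots:
            scope = "partition"
        else:
            scope = "container"
        return scope, assignments[dn]
    return None, None

# Constructed assignments: a tree default, a policy on the o=novell partition
# root, a container policy for engineering and one user-level exception.
ASSIGNMENTS = {
    TREE_ROOT: "Tree default",
    "o=novell": "Corporate",
    "ou=eng,o=novell": "Engineering",
    "cn=hdtemp,ou=eng,o=novell": "Help desk exception",
}
PARTITIONS = ("o=novell",)

if __name__ == "__main__":
    for dn in ("cn=alice,ou=eng,o=novell", "cn=hdtemp,ou=eng,o=novell",
               "cn=bob,ou=sales,o=novell", "cn=guest,o=other"):
        print(dn, "->", effective_policy(dn, ASSIGNMENTS, PARTITIONS))
```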

Page 15

Password Policy

Demo

Page 16

iManager Self-Service Console

Page 17

Looking at iManager Self-service Console

Password self-service for end-user:

• Sets

• Hint

• Advanced Change Password

Page 18

Password Self-service for End-user

End-users manage password changes:

• Set hints, challenge questions/responses

• Change own password

Page 19

Configuring Forgotten Password (End-user)

Upon authentication, the user’s challenge set may be presented for the user to configure

Page 20

Change Password (End-user)

If challenge questions are answered correctly, end-user may set a password that fits policy criteria.

• Change in policy voids old password

• New password must conform to rules of assigned policy

• Console displays rules to help users create compliant passwords

Page 21

Set Password (Admin UI)

In addition to user self-service, admin and help desk can set user passwords in iManager.

Page 22

Password Policy

Demo

Page 23

Notification Templates

Page 24

Notification

Notification templates allow customization for forgotten password actions involving e-mail.

• e-mail hint

• e-mail forgotten password

Page 25

What Are Notification Templates?

Notification templates (n): A collection of predefined customizable e-mail messages that are sent to end-users after a certain action is performed, e.g. password expires, synchronization failure, etc.

Page 26

Notification Templates

Features:

• Set of 5 predefined templates

• Modifiable through administration tool

• Send messages in HTML or Text

Page 27

Password Notification Templates

Page 28

Modifying Templates

• Templates contain tags that act as placeholders for user information

• Message in editable HTML

Page 29

Modifying Templates

Page 30

Password Policy

Demo

Page 31

Password Synchronization

Page 32

Password Synchronization

Apply policy to connected systems

Set passwords in native interfaces

Synchronize passwords to and from numerous systems

Required changes

Where do I get Password management?

Where do I get advanced password management?

Page 33

Applying policy to connected systems

Flow shown on the slide:

1. User sets password on a participating system:

• Active Directory

• NT Domains

• NIS (UNIX)

• eDir

2. Password is captured and sent securely to the DirXML server.

3. Conforms to policy?

YES: Password is set on the user object in the Identity Vault. Password is distributed to associated user objects on connected systems that support subscription to the password attribute.

NO: Reset password on the participating system to the last “good” password. Failure notice sent via e-mail.

Page 34

Password flow to connected systems

Flow shown on the slide (User → iManager web server → DirXML → connected systems):

1. iManager self-service console is used to enter a new password.

2. Password is checked for conformance to policies.

3. Password is set on the user object in the Identity Vault.

4. Password is distributed to associated user objects on connected systems that support subscription to passwords.

Connected systems shown: Active Directory, NT, NIS, eDirectory; SAP User Management, GroupWise, Lotus Notes, LDAP (such as SunOne), relational databases (Oracle, DB2, Sybase).
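The accept/reject flow on the two slides above, as an added example that is not Novell's code: a conformance check built from the rule categories on the "What Is a Password Rule?" slide, followed by the set-and-distribute branch or the reset-and-notify branch. The thresholds, the Vault class, the system names and the action records are constructed stand-ins, and the vault keeps the last good password in a plain dict purely so the reset branch has something to reset to.

```python
# Added example, not Novell's code. Thresholds and data structures are constructed.
import re
from dataclasses import dataclass, field

@dataclass
class PasswordPolicy:
    min_length: int = 8                  # syntax
    min_digits: int = 1                  # properties
    min_special: int = 1                 # use of special characters
    max_repeat: int = 2                  # syntax: longest run of one repeated character allowed
    lifetime_days: int = 90              # lifetime (enforced by expiry, not by this check)
    excluded: frozenset = frozenset()    # exclusions: banned substrings, matched case-insensitively

def violations(password, policy, username=""):
    """Return the names of the rules a candidate breaks; an empty list means it conforms."""
    found = []
    if len(password) < policy.min_length:
        found.append("length")
    if sum(c.isdigit() for c in password) < policy.min_digits:
        found.append("digits")
    if sum(not c.isalnum() for c in password) < policy.min_special:
        found.append("special characters")
    if re.search(r"(.)\1{%d,}" % policy.max_repeat, password):
        found.append("repeated characters")
    banned = {w.lower() for w in policy.excluded} | ({username.lower()} if username else set())
    if any(w in password.lower() for w in banned):
        found.append("exclusions")
    return found

@dataclass
class Vault:
    """Constructed stand-in for the Identity Vault and its connected systems."""
    subscribers: tuple                              # systems that subscribe to the password attribute
    passwords: dict = field(default_factory=dict)   # user -> last "good" password held in the vault
    actions: list = field(default_factory=list)     # (action, system, user) sent to connected systems
    notices: list = field(default_factory=list)     # failure notices that would go out by e-mail

def apply_captured_password(vault, user, source, candidate, policy):
    """Flow for a password captured on a participating system and sent to the DirXML server."""
    broken = violations(candidate, policy, username=user)
    if not broken:
        vault.passwords[user] = candidate           # YES: set on the user object in the vault...
        for system in vault.subscribers:
            if system != source:                    # ...then distribute to the other subscribers
                vault.actions.append(("set", system, user))
        return "accepted", []
    if user in vault.passwords:                     # NO: reset the source to the last good password
        vault.actions.append(("reset", source, user))
    vault.notices.append(f"{user}: password from {source} rejected ({', '.join(broken)})")
    return "rejected", broken
```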

Page 35

Enabling Universal Password

Page 36

Diagram: password types and the clients that set them

Password types: NDS Password, Simple Password, Universal Password, Distribution Password

Clients and tools: Password management (iManager), iManager self-service console, Novell Client (Universal Password enabled), LDAP, eGuide, ConsoleOne (Universal Password enabling depends on Client or NetWare), Novell Client (not Universal Password enabled)

Server side: NMAS 2.3

Page 37

Password Set: Supported Systems

• Active Directory

• Delimited Text

• eDirectory

• Exchange 5.5

• GroupWise

• JDBC

• LDAP

• Lotus Notes

• NIS (UNIX)

• NT Domain

• PeopleSoft

• SAP HR

• User Management of SAP Software

• Schools Interoperability Framework (SIF)

• JMS WebSphere MQ

Page 38

Supported Systems of Password Sync

Sync: Drivers that support synchronizing passwords in both directions, meaning publishing from the connected system to the DirXML data store, and subscribing to passwords from the DirXML data store.

• Active Directory

• eDirectory

• NDS

• NIS

• NT Domain

Page 39

Required Changes for Universal Password Support

Upgrade the infrastructure to Universal Password versions of administration and client utilities

• eDir 8.7.1 or later

• NMAS 2.3

• NICI 2.6.2

• LDAP server 8.7.1

• iManager 2.0.1

• Identity Manager 2 (Password Sync)

• New Client32 and NT client, or no client at all

Page 40

Password Management: How do I get it?

Password Management features

• Password Policy

• Forgotten password

• Hint and Challenge-Response

• Self-service

• Free web download

Page 41

Advanced Password Management: How do I get it?

Apply Policy to connected systems

Synchronize passwords to connected systems

Synchronize passwords from connected systems

Included with Novell Nsure Identity Manager 2

Available via web download for free 90-day trial

Page 42

Password Management Summary

Password Sync

• Password Policies enforced against connected systems

• Two-way sync

• Supports LDAP password change (Novell Client not required)

• Uses Universal Password

Password Policies

• Advanced Password Rules

• Forgotten Password self-service

• Challenge-Response

• Hint

• Notification Templates

Page 43

For more information…


www.novell.com/nsure

To see Novell Nsure products and solutions in action, check out the following demonstrations in the BrainShare one Net Solutions Lab:

• Novell Nsure Identity Manager (formerly DirXML)

• Novell Account Management

• Novell Nsure SecureLogin

• Novell iChain

• Novell Nsure Audit

• Novell BorderManager

• Novell Nsure solutions

Page 45

General Disclaimer

This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Novell, Inc., makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.

No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.