
Form Fill Advice


Hi,
We have a new print system where students can sign in using their
username and a 4-digit PIN code. The problem is that the PIN is
peculiar to this system and students do not know what it is.

So, we can generate a PIN for each student (using an Identity Manager
driver for example) and send it to them by email. We then define the
form fill policy to use a shared secret for the PIN. The user then
enters the PIN first time and thereafter Access Manager remembers the
PIN. However, generating 25,000 PINs and emailing them to students is a
big admin and communication problem, especially when it is for one
service. However, this method is secure.

Another idea involves not telling the students about the PIN at all, but
instead saving the generated PIN directly to the userstore. We then
modify the form-fill policy to auto-fill this pre-defined value; the
result is that the student is completely unaware of the PIN as he never
sees the login form. The problem with this is that the PIN would have
to be stored in clear text in eDirectory. We could prevent
non-privileged users from reading it by making it non-public and making
sure only certain trustees had permission to read it, however, I am a
bit concerned about the security of the PIN in this case. This method is
easier but not so secure.

Does anyone have a suggestion as to which option is best? Or is there
another way?

Any advice is welcome.
Regards
Steve Tennant


--
sttennant
------------------------------------------------------------------------
sttennant's Profile: https://forums.netiq.com/member.php?userid=389
View this thread: https://forums.netiq.com/showthread.php?t=50039

8 Replies

Re: Form Fill Advice

sttennant wrote:

>
> Hi,
> We have a new print system where students can sign in using their
> username and a 4-digit PIN code. The problem is that the PIN is
> peculiar to this system and students do not know what it is.
>
> So, we can generate a PIN for each student (using an Identity Manager
> driver for example) and send it to them by email. We then define the
> form fill policy to use a shared secret for the PIN. The user then
> enters the PIN first time and thereafter Access Manager remembers the
> PIN. However, generating 25,000 PINs and emailing them to students is
> a big admin and communication problem, especially when it is for one
> service. However, this method is secure.
>
> Another idea involves not telling the students about the PIN at all,
> but instead saving the generated PIN directly to the userstore. We
> then modify the form-fill policy to auto-fill this pre-defined value;
> the result is that the student is completely unaware of the PIN as he
> never sees the login form. The problem with this is that the PIN
> would have to be stored in clear text in eDirectory. We could prevent
> non-privileged users from reading it by making it non-public and making
> sure only certain trustees had permission to read it, however, I am a
> bit concerned about the security of the PIN in this case. This method
> is easier but not so secure.
>
> Does anyone have a suggestion as to which option is best? Or is there
> another way?


Is your userstore eDirectory? If so, use the secretstore instead.

--
Cheers,
Edward

Re: Form Fill Advice


Hi Edward,
You are everywhere! The userstore is eDirectory, and I did think of
using secretstore - but how do I enable this? And why do you suggest
this over the other option if you don't mind me asking?
Regards




Re: Form Fill Advice

sttennant wrote:

>
> Hi Edward,
> You are everywhere! The userstore is eDirectory, and I did think of
> using secretstore - but how do I enable this? And why do you suggest
> this over the other option if you don't mind me asking?
> Regards


Not knowing what eDir version you are on, it might already be enabled;
otherwise I believe all you have to do is extend the schema for it. On
the IDM drivers there's an option to write stuff directly into the
secretstore as well, and as far as I understand NAM can read from it.

I have to admit that I've never built it but I remember being on
training many moons ago where this was one of the objectives to build.

The secretstore was specifically designed for this kinda stuff. I have
little experience with the encrypted attributes. From what I understand,
they are stored encrypted but can still be read. Probably best
to ask more about this in the eDir forums on how it works and what
happens when someone tries to read it.

--
Cheers,
Edward

Re: Form Fill Advice


edmaa;240984 Wrote:
> sttennant wrote:
>
> >
> > Hi Edward,
> > You are everywhere! The userstore is eDirectory, and I did think of
> > using secretstore - but how do I enable this? And why do you suggest
> > this over the other option if you don't mind me asking?
> > Regards
>
> Not knowing what eDir version you are on, it might already be enabled;
> otherwise I believe all you have to do is extend the schema for it. On
> the IDM drivers there's an option to write stuff directly into the
> secretstore as well, and as far as I understand NAM can read from it.
>
> I have to admit that I've never built it but I remember being on
> training many moons ago where this was one of the objectives to build.
>
> The secretstore was specifically designed for this kinda stuff. I have
> little experience with the encrypted attributes. From what I understand,
> they are stored encrypted but can still be read. Probably best
> to ask more about this in the eDir forums on how it works and what
> happens when someone tries to read it.
>
> --
> Cheers,
> Edward

Hi Edward,
Interesting. I will need to find out how to enable secretstore. It is
interesting that IDM can write directly to the secret store. So I can
generate the PIN via IDM, and then write it to the secret store and then
use it to form-fill. Is that the idea? If it works we could use the
same method for other things. The only issue I have is that I am
already using shared secrets in Access Manager but they are stored in
the configuration store and not the userstore. How will Access Manager
know to use the userstore for these new secrets storing the PIN?
Thanks,
Steve




Re: Form Fill Advice

sttennant wrote:


> Interesting. I will need to find out how to enable secretstore. It
> is interesting that IDM can write directly to the secret store. So I
> can generate the PIN via IDM, and then write it to the secret store
> and then use it to form-fill. Is that the idea? If it works we
> could use the same method for other things. The only issue I have is
> that I am already using shared secrets in Access Manager but they are
> stored in the configuration store and not the userstore. How will
> access manager know to use the userstore for these new secrets
> storing the PIN?


I built a lab over the weekend. The IDM part is pretty straightforward
but I don't have NAM reading the secretstore as yet.

--
Cheers,
Edward

Re: Form Fill Advice


edmaa;241175 Wrote:
> sttennant wrote:
>
>
> > Interesting. I will need to find out how to enable secretstore. It
> > is interesting that IDM can write directly to the secret store. So I
> > can generate the PIN via IDM, and then write it to the secret store
> > and then use it to form-fill. Is that the idea? If it works we
> > could use the same method for other things. The only issue I have is
> > that I am already using shared secrets in Access Manager but they are
> > stored in the configuration store and not the userstore. How will
> > access manager know to use the userstore for these new secrets
> > storing the PIN?
>
> I built a lab over the weekend. The IDM part is pretty straightforward
> but I don't have NAM reading the secretstore as yet.
>
> --
> Cheers,
> Edward


Hi Edward,
The need for this has now passed, but I did get SecretStore working with
form fill. I followed the Access Manager documentation and it worked.
I had to configure the credential profile to use the user store for
shared secrets. The form fill created secrets as named but with the
prefix "Cred-SS." or something like that, in the user store (i.e.
eDirectory).
Thanks for your help. I am always amazed at what you can do with
NetIQ/Novell products and this forum is so useful.
Kindest Regards
Steve




Re: Form Fill Advice


sttennant;240872 Wrote:
> Hi,
> We have a new print system where students can sign in using their
> username and a 4-digit PIN code. The problem is that the PIN is
> peculiar to this system and students do not know what it is.
>
> So, we can generate a PIN for each student (using an Identity Manager
> driver for example) and send it to them by email. We then define the
> form fill policy to use a shared secret for the PIN. The user then
> enters the PIN first time and thereafter Access Manager remembers the
> PIN. However, generating 25,000 PINs and emailing them to students is a
> big admin and communication problem, especially when it is for one
> service. However, this method is secure.
>
> Another idea involves not telling the students about the PIN at all, but
> instead saving the generated PIN directly to the userstore. We then
> modify the form-fill policy to auto-fill this pre-defined value; the
> result is that the student is completely unaware of the PIN as he never
> sees the login form. The problem with this is that the PIN would have
> to be stored in clear text in eDirectory. We could prevent
> non-privileged users from reading it by making it non-public and making
> sure only certain trustees had permission to read it, however, I am a
> bit concerned about the security of the PIN in this case. This method is
> easier but not so secure.
>
> Does anyone have a suggestion as to which option is best? Or is there
> another way?
>
> Any advice is welcome.
> Regards
> Steve Tennant


Hi Steve,

You can use the second method and encrypt the attribute in eDirectory.
Check out the eDir doco here: http://tinyurl.com/nusavzw

Though having said that, you would still need to have the correct
trustee assignments in place. You may need to look at some inherited
rights filters if you want to block specific admin access to the
attributes.


--
rtruscot
------------------------------------------------------------------------
rtruscot's Profile: https://forums.netiq.com/member.php?userid=293
View this thread: https://forums.netiq.com/showthread.php?t=50039


Re: Form Fill Advice


rtruscot;240898 Wrote:
> Hi Steve,
>
> You can use the second method and encrypt the attribute in eDirectory.
> Check out the eDir doco here: http://tinyurl.com/nusavzw
>
> Though having said that, you would still need to have the correct
> trustee assignments in place. You may need to look at some inherited
> rights filters if you want to block specific admin access to the
> attributes.


Hi,
I read about encrypted attributes but I am not sure I fully understand
them. You can still read them using LDAP/SSL so they are still
vulnerable, aren't they? The documentation is a bit confusing. I like
the idea of IRFs - this is essential - but how do I make sure that the
admin user can still read this attribute?
Thanks
Steve



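The last two posts come down to one verification question: once the trustee assignments and inherited rights filters are in place, is the PIN attribute invisible to a student bind while still readable by the admin account? The script below is an added example, not code from this thread or from NetIQ, that answers it offline. It parses the LDIF output of two ldapsearch runs over the same container (one bound as a test student, one as admin) and reports every entry whose secret attribute the student can see, or the admin cannot. The attribute name printPIN, the DNs and the LDIF samples are constructed placeholders, not real eDirectory schema or a real tree.

```python
"""Check eDirectory trustee / IRF settings for a secret attribute by comparing
what two LDAP binds can see (added example; not part of the forum thread).

Run ldapsearch twice against the student container, once bound as a test
student and once as the admin, save the LDIF output, and feed both to
pin_exposure(). The attribute name 'printPIN' and all DNs below are
constructed placeholders, not real eDirectory schema or a real tree.
"""
import base64

# Constructed sample of ldapsearch output when bound as a student: the
# PIN attribute must NOT appear on any entry.
STUDENT_VIEW = """\
dn: cn=stu1,ou=students,o=uni
cn: stu1
mail: stu1@example.edu

dn: cn=stu2,ou=students,o=uni
cn: stu2
mail: stu2@example.edu
"""

# Constructed sample when bound as admin: the PIN attribute must be present
# on every entry (second value is base64-encoded, as ldapsearch emits '::').
ADMIN_VIEW = """\
dn: cn=stu1,ou=students,o=uni
cn: stu1
mail: stu1@example.edu
printPIN: 4831

dn: cn=stu2,ou=students,o=uni
cn: stu2
mail: stu2@example.edu
printPIN:: NzMwNQ==
"""

# Constructed sample of a misconfiguration: a student bind can read stu2's PIN.
LEAKED_VIEW = """\
dn: cn=stu1,ou=students,o=uni
cn: stu1

dn: cn=stu2,ou=students,o=uni
cn: stu2
printPIN: 7305
"""


def parse_ldif(text):
    """Return {dn: {attr: [values]}} from LDIF text.

    Handles folded continuation lines (leading space), '#' comments and
    base64 values ('attr:: ...'); enough for plain ldapsearch output.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold a continuation line
        else:
            lines.append(raw)

    entries, current = {}, None
    for line in lines + [""]:            # trailing "" flushes the last entry
        if not line.strip():
            if current is not None:
                entries[current["dn"]] = current["attrs"]
                current = None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):         # 'attr:: base64'
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        if name == "dn":
            current = {"dn": value, "attrs": {}}
        elif current is not None:
            current["attrs"].setdefault(name, []).append(value)
    return entries


def pin_exposure(student_ldif, admin_ldif, attr):
    """Compare two binds' views of the same entries.

    'leaked_to_student' lists DNs whose secret attribute the student bind can
    read (trustee/IRF problem); 'unreadable_by_admin' lists DNs where the admin
    bind cannot read it (an IRF that also blocked the admin).
    """
    student, admin = parse_ldif(student_ldif), parse_ldif(admin_ldif)
    leaked = sorted(dn for dn, attrs in student.items() if attr in attrs)
    missing = sorted(dn for dn, attrs in admin.items() if attr not in attrs)
    return {
        "leaked_to_student": leaked,
        "unreadable_by_admin": missing,
        "ok": not leaked and not missing,
    }


if __name__ == "__main__":
    print(pin_exposure(STUDENT_VIEW, ADMIN_VIEW, "printPIN"))   # ok: True
    print(pin_exposure(LEAKED_VIEW, ADMIN_VIEW, "printPIN"))    # ok: False
```

Both searches have to use the same search base and scope, otherwise a missing entry in the student view hides a leak rather than proving one is absent. The check is a regression test to run after every change to trustee assignments or IRFs; it does not replace reviewing effective rights on the attribute itself.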