Overview #

What is Universal Password?#

Universal Password is an eDirectory password-based Authentication Framework that allows passwords to be stored securely while allowing the retrieval of the password value for hopefully legitimate reasons.

UUniversal Password is managed by the Novell Secure Password Manager (NSPM) which is a component of the NMAS module (nmas.nlm on NetWare). NSPM simplifies the management of password-based authentication schemes across a wide variety of Novell products as well as our partner's products. The management tools only expose one password and do not expose all of the behind-the-scenes processing for backwards compatibility.

Novell Secure Password Manager and the other components that manage or make use of Universal Password are installed as part of the NetWare 6.5 or later and eDirectory 8.7.3 install; however, Universal Password is not enabled by default. Because all APIs for authentication and setting passwords are moving to support Universal Password, all the existing management tools, when run on clients with these new libraries, automatically work with the Universal Password.

Applications such as Imanager and the Novell Client communicate with NMAS rather than directly updating a specific password. NMAS is the entity that determines which passwords are updated.

NMAS synchronizes passwords within an Identity Vault, based on your settings in NMAS password policies.

Legacy utilities that are not Universal Password-enabled update the NDS password directly, instead of communicating with NMAS and letting NMAS determine which passwords are updated. Be aware of how users and help desk administrators use legacy utilities in your environment. Because legacy utilities update the NDS password directly instead of going through NMAS, password drift (Universal Password and NDS password get out of sync) can occur if you are using Universal Password and NMAS 2.3.

For example, to ensure support of Universal Password, make sure that users upgrade to the Novell Client, and make sure that help desk users use ConsoleOne only with the latest Novell Client or NetWare release.

Distribution Password#

The Distribution password (nspmDistributionPassword) is used only by Identity Manager for distributing passwords between systems.

Universal Password was created to address these password problems by #

Provides one password type for all access to Novell eDirectory#

While end users have always seen only one password for Novell eDirectory, behind the scenes administrators have often had to manage several different passwords types because each is optimized for different functions. For example, an NDS password is extremely secure, because only a public private key signature of the password is stored in eDirectory. While that level of security is ideal for some organizations, by its nature, the password is not reversible, making an NDS password inaccessible by other applications.

In contrast, a Simple Password can be easily passed among connected applications, but it doesn't provide support for password policies, creating a potential security risk as a result of weak passwords.

Juggling these various password types not only complicated management and increased support costs, but it also gave rise to a number of problems that could occur if those different passwords were out of sync. The new Universal Password eliminates these back-end obstacles by combining characteristics of each, enabling a single password type that is securely encrypted but also accessible to other applications. The result is dramatically simplified administration and tighter, password-based security.

Enables the use of extended characters in a password#

Particularly for multi-national corporations with offices around the globe, business encompasses many languages and cultures. To accommodate that diversity, Universal Password allows the use of international/extended characters in passwords.

Enables advanced password policy enforcement#

With Universal Password, organizations can set and enforce password policies, to make sure that weak passwords are not an open front door to the corporate network. Among the supported policies are minimum or maximum characters, an "excluded password list," expiration settings, a unique password requirement, and many others.

Allows synchronization of passwords from Novell eDirectory to other systems#

Finally, when deployed with Novell Identity Manager, Universal Password allows customers to synchronize the eDirectory password with virtually any application -- giving rise to advanced password management solutions that span the enterprise.

Universal Password Background#

Universal Password is managed by the Secure Password Manager (SPM), a component of the NMAS module. SPM simplifies the management of password-based authentication schemes across a wide variety of NovellĀ® products as well as Novell partner products. The management tools expose only one password and do not expose all of the behind-the-scenes processing for backwards compatibility.

Secure Password Manager and the other components that manage or make use of Universal Password are installed as part of the eDirectory 8.7 or later install. Universal Password may not be enabled by default, depending on the version.

Because all APIs for authentication and setting passwords are moving to support Universal Password, all the existing management tools, when run on clients with these new libraries, automatically work with the Universal Password.

Novell Client software supports the Universal Password. It also continues to support the NDSĀ® password for older systems in the network. After Universal Password has been configured and enabled for a user, Novell Client has the capability of automatically upgrading/migrating the NDS password to the Universal Password.

How Secure Is Universal Password?#

Reversible encryption of Universal Password is required for convenient interoperation with other password systems. Administrators have to evaluate the costs and benefits of the system. Using a Universal Password stored in eDirectory might be more secure or convenient than attempting to manage several different passwords. Novell provides several levels of security to make sure Universal Password is protected while stored in eDirectory.

A Universal Password is protected by three levels of security:

The Universal Password is encrypted by a Triple DES, user-specific key. Both the Universal Password and the user key are stored in system attributes that only eDirectory can read. The user key is stored encrypted with the tree key, and the tree key is protected by a unique NICI key stored on each machine.

Note that neither the tree key nor the NICI key is stored within eDirectory. They are not stored with the data they protect.

The tree key is present on each machine within a tree, but each tree has a different tree key. Data encrypted with the tree key can be recovered only on a machine within the same tree. Thus, while stored, the Universal Password is protected by three layers of encryption.

Each of the following are also secured via eDirectory rights. Only selected administrators right or the users themselves have the rights to Universal Passwords.

  • user-specific key
  • Universal Password

File system rights ensure that only a user with the proper rights can access these keys:

If Universal Password is deployed in an environment requiring high security, you can take the following precautions:

Make sure that the following directories and files are secure:

  • NetWare - %system32%\novell\nici
  • Windows -
    • %system32%\novell\nici
    • %system32% where the NICI DLL is installed)
  • Linux/Unix -
    • /var/novell/nici
    • etc/nici.cfg
    • /usr/locall/lib/libccs2.so and the NICI shared libraries in the same directory
  • On LSB-compliant systems The above mentioned directories and files as well as
    • /var/opt/novell/nici
    • /etc/opt/novell
    • /opt/novell/lib
Consult the documentation for your system for specific details of the location of NICI and eDirectory files.

As with any security system, restricting physical access to the server where the keys reside is very important.

Universal Password Secret Bits#

Well, they are obviously not secret, We got them from the NW6.5 schema file. AFAIK, they are not well documented by Novell.

Implementing Universal Password#

Universal Password Removal Utility#

Universal Password - some less well known information#

Dump eDirectory Password Information Tool#

Novell Secure Password Manager#

Novell's Challenge Response System#

More Information#

There might be more information for this subject on one of the following:

Add new attachment

Only authorized users are allowed to upload new attachments.
« This page (revision-24) was last changed on 11-Jul-2017 15:07 by jim