!!! Overview 
[{$pagename}] is an [eDirectory] [password-based] [Authentication Framework|Authentication Method] that stores [passwords] securely while still allowing the [password] value to be retrieved, ideally only for legitimate reasons. [{$pagename}] is managed by the [Novell Secure Password Manager] ([NSPM]), a component of the [Novell Modular Authentication Service] ([NMAS]) module. [Novell Secure Password Manager] simplifies the management of password-based authentication schemes across a wide variety of Novell products as well as Novell partner products. For backwards compatibility, the management tools expose only one password and hide the behind-the-scenes processing.

[Novell Secure Password Manager|NSPM] and the other components that manage or make use of [{$pagename}] are installed as part of the NetWare 6.5 or later and [eDirectory] 8.7.3 install; however, [{$pagename}] is not enabled by default. Because all APIs for authentication and setting passwords are moving to support Universal Password, all the existing management tools, when run on clients with these new libraries, automatically work with the Universal Password.

Applications such as [Imanager] and the Novell Client communicate with [NMAS] rather than directly updating a specific password. NMAS is the entity that determines which passwords are updated.

[NMAS] synchronizes passwords within an Identity Vault, based on your settings in [NMAS] password policies.

Legacy utilities that are not Universal Password-enabled update the NDS password directly, instead of communicating with NMAS and letting NMAS determine which passwords are updated. Be aware of how users and help desk administrators use legacy utilities in your environment. Because legacy utilities update the NDS password directly instead of going through NMAS, password drift (Universal Password and NDS password get out of sync) can occur if you are using Universal Password and NMAS 2.3.

For example, to ensure support of [{$pagename}], make sure that users upgrade to the Novell Client, and make sure that help desk users use ConsoleOne only with the latest Novell Client or NetWare release.

!! Distribution Password
The Distribution password ([nspmDistributionPassword]) is used only by Identity Manager for distributing passwords between systems.

!! Password problems [{$pagename}] was created to address

! Provides one password type for all access to Novell [eDirectory]
While end users have always seen only one password for Novell eDirectory, behind the scenes administrators have often had to manage several different password types, because each is optimized for different functions. For example, an NDS password is very secure because the password itself is never stored; only a non-reversible, public/private-key-based value derived from it is kept in eDirectory. While that level of security is ideal for some organizations, by its nature the stored value cannot be turned back into the password, which makes an NDS password inaccessible to other applications.

In contrast, a [Simple Password] can be easily passed among connected applications, but it does not support password policies, so weak passwords become a security risk.

Juggling these various password types not only complicated management and increased support costs, but it also gave rise to a number of problems that could occur if those different passwords were out of sync. The new Universal Password eliminates these back-end obstacles by combining characteristics of each, enabling a single password type that is securely encrypted but also accessible to other applications. The result is dramatically simplified administration and tighter, password-based security.

! Enables the use of extended characters in a password
Particularly for multi-national corporations with offices around the globe, business encompasses many languages and cultures. To accommodate that diversity, Universal Password allows the use of international/extended characters in passwords.

! Enables advanced password policy enforcement
With Universal Password, organizations can set and enforce password policies, to make sure that weak passwords are not an open front door to the corporate network. Among the supported policies are minimum or maximum characters, an "excluded password list," expiration settings, a unique password requirement, and many others.

! Allows synchronization of passwords from Novell [eDirectory] to other systems
Finally, when deployed with [Novell Identity Manager|DirXML], Universal Password allows customers to synchronize the eDirectory password with virtually any application -- giving rise to advanced password management solutions that span the enterprise. 

! [{$pagename}] Background


[Secure Password Manager|NSPM] and the other components that manage or make use of Universal Password are installed as part of the eDirectory 8.7 or later install. Whether Universal Password is enabled by default depends on the version.


Novell Client software supports the Universal Password. It also continues to support the NDS® password for older systems in the network. After Universal Password has been configured and enabled for a user, the Novell Client can automatically upgrade/migrate the NDS password to the Universal Password.

!! How Secure Is [{$pagename}]?
Reversible [encryption] of Universal Password is required for convenient interoperation with other [password] systems. Administrators have to evaluate the costs and benefits of the system. Using a [{$pagename}] stored in [eDirectory] might be more secure or convenient than attempting to manage several different [passwords]. Novell provides several levels of security to make sure Universal Password is protected while stored in eDirectory.

A Universal Password is protected by three levels of security: 
* [Triple DES] (or [AES-256] with [NICI 3.0] or higher) [encryption] of the password itself
* [eDirectory rights|nspmPasswordACL]
* [File System] rights.

[{$pagename}] is encrypted with a [user]-specific [key]. Both the [{$pagename}] and the user key are stored in system attributes that only [eDirectory] can read. The user key is itself stored [encrypted] with the [tree key|NICITreeKeyProvider], and the [TreeKey] is protected by a unique [NICI] key stored on each [NcpServer].

%%information
Note that neither the [tree key|NICITreeKeyProvider] nor the [NICI] key is stored within [eDirectory]. They are not stored with the [data] they protect.
%%

The [tree key|NICITreeKeyProvider] is present on each machine within a tree, but each tree has a different [tree key|NICITreeKeyProvider]. [Data] encrypted with the [tree key|NICITreeKeyProvider] can be recovered only on a [NcpServer] within the same tree. Thus, while stored, the [{$pagename}] is protected by three layers of [encryption].

Each of the following is also secured by [eDirectory] rights: only [selected administrators|nspmPasswordACL] or the users themselves have [Permissions to read Universal Password].
* user-specific key
* [{$pagename}]

[File System] rights ensure that only a user with the proper rights can access these keys:
* The [tree key|NICITreeKeyProvider]
* The [NICI] key

If [{$pagename}] is deployed in an environment requiring high security, you can take the following precautions. Make sure that the following directories and files are secure:
* [NetWare] - SYS:\SYSTEM\NICI
* [Microsoft Windows] - 
** %system32%\novell\nici
** %system32% (where the NICI DLL is installed)
* [Linux]/Unix - 
** /var/novell/nici
** /etc/nici.cfg
** /usr/local/lib/libccs2.so and the NICI shared libraries in the same directory
* On [LSB]-compliant systems - the above-mentioned directories and files as well as
** /var/opt/novell/nici
** /etc/opt/novell
** /opt/novell/lib
Consult the documentation for your system for the specific location of [NICI] and [eDirectory] files.
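The file-system check above is easy to script. The following is an added example, not code from this page or from Novell: it walks the Linux/Unix and LSB paths named above and reports any that exist with a mode a non-root user could use to read or modify the NICI key material. The policy it enforces (no rights for "other", no group write bit) is an assumption; adapt it to the ownership model your eDirectory host uses, and review the %system32% locations on Windows hosts with the platform's ACL tools instead.

```shell
#!/bin/sh
# Added example (not from the page or from Novell): audit the NICI key
# directories and files listed on this page for permissions that would
# let non-root users read or modify them. The mode policy below is an
# assumption: nothing for "other", and no group write bit.

# Return 0 if the path's mode is restricted, 1 if it is exposed,
# 2 if the path does not exist on this host. Note that a symlink is
# judged on the link itself; check the target separately if you use them.
nici_path_is_restricted() {
    p="$1"
    [ -e "$p" ] || return 2
    # The first 10 characters of ls -ld are portable, e.g. "drwx------".
    mode=$(ls -ld "$p" | cut -c1-10)
    group=$(printf '%s' "$mode" | cut -c5-7)
    other=$(printf '%s' "$mode" | cut -c8-10)
    [ "$other" = "---" ] || return 1
    case "$group" in *w*) return 1 ;; esac
    return 0
}

# Print one line per path; return 1 if any existing path is exposed.
# Missing paths are reported but do not fail the audit, because the
# set of files present depends on the platform and NICI version.
audit_nici_paths() {
    rc=0
    for p in "$@"; do
        nici_path_is_restricted "$p" && status=0 || status=$?
        case "$status" in
            0) printf 'OK       %s\n' "$p" ;;
            1) printf 'EXPOSED  %s (%s)\n' "$p" "$(ls -ld "$p" | cut -c1-10)"
               rc=1 ;;
            *) printf 'MISSING  %s\n' "$p" ;;
        esac
    done
    return "$rc"
}

# Linux/Unix and LSB-compliant locations named on this page.
NICI_PATHS="/var/novell/nici /etc/nici.cfg /usr/local/lib/libccs2.so
/var/opt/novell/nici /etc/opt/novell /opt/novell/lib"

audit_nici_paths $NICI_PATHS
```

Run it as root on each server holding a replica; a non-zero exit status means at least one NICI file or directory is readable or writable beyond its owner. Because the tree key and NICI server key are only as protected as these paths, an EXPOSED line here undermines all three encryption layers described above regardless of how tight the eDirectory rights are.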

As with any security system, restricting physical access to the server where the [keys] reside is very important.
! [Universal Password Secret Bits|UniversalPasswordSecretBits]
They are not actually secret: we took them from the [NetWare] 6.5 [schema] file. As far as we know, Novell does not document them well.

! [Implementing Universal Password|Implementing Universal Password]
* [Universal Password Removal Utility|http://download.novell.com/Download?buildid=LpFHSehMEGM~|target='_blank']
* [Universal Password - some less well known information|http://wiki.novell.com/index.php/Universal_Password|target='_blank']
* [Dump eDirectory Password Information Tool|DumpEdirectoryPasswordInformationTool]
* [Novell Secure Password Manager]
* [Novell's Challenge Response System]
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]