Novell Cryptographic Services

Starting with NetWare 5, Novell has provided a comprehensive security infrastructure. It provides the foundation for delivering advanced security solutions with NetWare and eDirectory. The Novell International Cryptographic Infrastructure (NICI) provides all cryptography-related services to eDirectory and its related services. Novell Certificate Server provides a public key infrastructure that integrates with today's standards-based security systems.

NICI and Certificate Server work largely behind the scenes to provide critical services to your network. Hopefully, you won't have to do much with them directly, but it is good to know a little about them in order to better understand how your network operates.

NICI

NICI is a modular security framework that is responsible for all cryptographic services in the NetWare and eDirectory environments. The advantage of using NICI as a security foundation is that it eliminates the need to build cryptographic functionality into each application. Because of varied export laws across countries , applications would have to be written in several versions if they were to be used worldwide.

NICI consolidates all cryptographic functionality into eDirectory. Applications leverage the existing cryptographic infrastructure and do not have to worry about multiple versions. It also means that all security management can take place from eDirectory management tools. The modular nature of NICI allows for the support of varied cryptographic export laws through the policy manager in NICI. NICI prevents the insertion and use of cryptographic modules that would violate export laws. Because of this, NICI has received export approval from the United States. All applications that leverage NICI for their cryptographic functions will only need to pass a cursory export review, rather than having to endure the whole process.

Certificate Server

Certificate Server is a set of services that implements a Public Key Infrastructure (PKI) to create key public key-pairs, generate certificates, import externally generated certificates, and revoke expired or invalid certificates.

PKI is also referred to as asymmetric encryption . Asymmetric encryption algorithms were developed in the 1970s as a way to avoid having to transmit cryptographic keys to those who needed to be able to decrypt secure messages. Asymmetric encryption utilizes a mathematically related key-pair instead of a single key in order to provide the encryption and decryption capabilities. When a message is encrypted using an asymmetric key, it can only be decrypted using the other half of the key-pair.

In a PKI, each person is assigned a key-pair and one of those keys is published as the public key (see Figure 6.13). The other is carefully guarded as the private key. If someone wants to send you a secure message, he encrypts it using your public key and sends it out. The sender knows the only person who can decrypt that message is the person with the other half of the key-pairyou!

Switching to the receiving end of that secure message (see Figure 6.14), you decrypt the message using your private key and find out that it is a note from the senderexcept that you can't be sure he was actually the person that authored it. What if someone is attempting to impersonate the sender by sending you a forged message? Well, PKI also solves this problem by providing the capability to electronically "sign" a message.

The next hurdle for PKI is creating repositories for all the public keys that are in use. Public keys are stored, together with vital statistics about the owner, in a standard certificate format known as X.509. These certificates can then be stored in large databases known as Certificate Authorities (CA). Certificate Server provides organizations the capability to use eDirectory as a CA. Cryptographic keys and certificates can be created and/or managed by eDirectory. Certificate Server can also interact with external entities such as VeriSign or Entrust through the use of standard communication protocols and certificate formats. Certificate Server supports the dominant standards in the security space. You can make eDirectory the hub for all your security needs from secure authentication and resource access, to secure communications with external parties and non- repudiation of business-critical communications.

Creating Server Certificates

When NetWare 6.5 is installed, all the necessary security objects are created automatically, including an organizational certificate authority and the necessary key-pairs to support cryptographic activities. During the installation, two server certificates are created: one for DNS and one for IP. These certificates are used to create secure SSL connections with client workstations. You can also create other server certificates, as needed, to support additional secure services on your NetWare 6.5 servers. To create a server certificate, complete the following steps:

1. Make sure you are logged in to the eDirectory tree as an administrator with supervisory rights to the container in which the server resides.

2. Launch iManager and open the Novell Certificate Server link in the left navigation frame.

3. Select Create Server Certificate. After the Server Certificate Wizard opens, specify the requested information and click Next.

   • Server: Specify the server that will own the certificate that is being created.

   • Certificate Nickname: Specify the name of your server certificate. This name will be combined with the server name to create a unique name for the Server Certificate object.

   • Creation Method: Select the method for creating the certificate. Standard uses typical certificate parameters, whereas Custom lets you define each option manually. Import lets you specify a PKCS#12 file from which to get the necessary data.

Follow the prompts from there to complete the installation. If you select Custom, be prepared to supply the following information:

• CA that will sign the certificate (default: your organizational CA)

• Key size (default: 2048 bits)

• Key type (default: SSL)

• Algorithm for creating the certificate (default: SHA-1)

• How long the certificate will remain valid (default: 2 years )

• Certificate root (default: your organizational certificate)

Creating User Certificates

In order to make use of a PKI, users must have key-pairs and certificates of their own. Complete the following steps to create a user certificate:

1. Make sure you are logged in to the eDirectory tree as a user with supervisory rights to the User objects as well as rights to read objects in the security container.

2. Launch iManager and open the Novell Certificate Server Management link in the left navigation frame.

3. Select Create User Certificate. After the User Certificate Wizard opens, specify the user object(s) for which you want to create a digital certificate and click Next.

4. Specify the requested information and click Next.

   • Server: Specify the server that will own the certificate that is being created.

   • Certificate nickname: Specify the name of the user certificate. This name will be combined with the User object name to create a unique Certificate object name.

   • Creation method: Select the method for creating the certificate. Standard uses typical certificate parameters, whereas Custom lets you define each option manually.

Follow the prompts from there to create the user certificate(s). If you selected Custom, be prepared to provide the same type of information as previously specified for the server certificate.

Audit

With the release of Novell Advanced Audit Services (NAAS) in NetWare 6, Novell has been making a move toward providing an effective, eDirectory-based audit solution for NetWare environments. However, the release of NetWare 6.5 indicates that the answer isn't here yet. So, to give you the audit tools you need without any further delay, Novell has included a special NetWare 6.5 version of LT Auditor+ from Blue Lance, Inc. (www.bluelance.com). Blue Lance has long been one of Novell's corporate partners , and is a leader in network audit software.

This version of LT Auditor+ was developed exclusively for Novell, but is not as robust as the Enterprise Edition of LT Auditor+. However, it will get you down the auditing road enough that you can better decide how you want to move forward.

LT Auditor+ for NetWare is a server-centric version of the software that offers reporting of audit events on a per-server basis, but lacks the capability to consolidate audit information from across the network. Each NetWare 6.5 server with the LT Auditor+ agent installed reports auditable events to a management console where they can be logged and tracked.

For more information on NAAS and LT Auditor+ for NetWare, see the NetWare 6.5 online documentation.