When it comes to security, there are times when having passwords simply isn’t enough. The problem with passwords is that they can be written down—which means unscrupulous persons may find them and use them to access information they shouldn’t. What can you do to tighten security on your network? In this series of Daily Drill Downs, I’ll show you how to use Novell’s Modular Authentication Service (NMAS). This week, I’ll cover installment and configuration issues.

What’s NMAS?
Novell recently announced NMAS, an add-on to NetWare that further leverages NDS. The add-on allows additional requirements to be put in place so that users need more than passwords when logging into the network. Three types of authentication are supported by NMAS:

  • Password (something that you know)
  • Token (something you hold)
  • Biometric (something you are—fingerprint, retina scan, etc.)

Novell has announced two versions of NMAS: the Starter Edition and the Enterprise Edition. The Enterprise Edition can handle multiple levels of authentication before access will be granted to a particular resource. Or it will restrict access based on the types of authentication not used. The Enterprise Edition also lets you specify the level of access resources are allowed, depending on the access tokens or methods used by the person logging in.

The Starter Pack is limited to a single type of authentication. For the purposes of this Daily Drill Down, I’ll use NMAS Starter Edition, which you can download for free from Novell.

Preparing the server
Before you can install either NMAS Starter or Enterprise Edition, you’ll need to perform a few updates. Required files include:

  • NetWare 5 Service Pack 3 or later
  • NDS eDirectory Upgrade
  • NICI (Novell International Cryptographic Infrastructure)1.5.1
  • Novell Certificate Server 2.0

Depending on the type of Internet connectivity you have and the number of files you’ll need to download, plan on allocating one to two hours of download time. I have a 384K feed to the Internet and it took me about two-and-a-half hours to download the files.

I recommend creating a directory called NMAS, with subdirectories for server and client files. This directory serves as a central place to store the downloaded files and to extract the files from the larger downloads, such as the NetWare Service Pack and NMAS Starter Edition.

The installation documentation provides the order in which you need to install the updates. The current version of the service pack for NetWare 5 is Service Pack 4. The download size is a little over 110 MB. Once you’ve downloaded the file, you’ll spend about 20 to 30 minutes running the self-extracting executable.

Depending on the number of services already installed on your NetWare 5 server, the application process of the service pack may take the better part of an hour. Some of the files being updated are used by RConsole, so make sure you aren’t running RConsole. Once the service pack has been applied, you’ll need to down the server and run SERVER.EXE to restart.

The NMAS Installation and Administration Guide recommends installing the eDirectory Upgrade before you install the NICI module. However, the eDirectory install process will inform you that the NICI component must be installed first. At this point, you’ll have to abort the eDirectory Upgrade install process and install the NICI component before continuing.

To avoid this hassle, go into NWConfig before you start the NMAS installation and check to see whether NICI is currently installed (and if so, which version). In my case, NICI 1.0.0 was installed, and I received the warning screen while trying to install the eDirectory Upgrade.

Once you’ve downloaded the correct version of NICI for your server, extract the files to a directory on the server and start NWConfig. Once NWConfig opens, select Product Options; then, select Install A Product Not Listed. Press [F3] and type the path to where you’ve extracted the NICI files. After you press [Enter], you should see a license agreement. Review the agreement, and then press [Esc]. Once you’ve pressed the [Esc] key, you’ll need to choose the Accept License Agreement option.

Accept the default option of reviewing the README file. After you’ve gone over the README file, press [Esc] to continue with the installation process. Once you’ve agreed to start the installation process, you should see a progress bar as the files are updated. Periodically during the file-copying process, you may see other windows open and then close just as quickly. Don’t worry—that’s just part of the NICI installation process. When the process completes, you’ll see a window suggesting that you restart the server so that the newly installed files can be loaded. The time required to install NICI should be less than a minute.

Next, you’ll need to apply the eDirectory Upgrade for NDS. Before blindly proceeding with the update, print out the README file and carefully go over the steps for upgrading NDS. Depending on what version of DSRepair your server is currently running on, you may need to copy one of the included versions of DSREPAIR.NLM into the SYS:SYSTEM directory and run a DSRepair pass prior to starting the installation of the eDirectory Upgrade. You can rename the current copy of DSREPAIR.NLM using an .OLD or .BAK extension. Better yet, create a backup directory below the system directory as a holding place for all NLMs that are upgraded as a result of a manual upgrade.

Once you’ve copied the proper version of DSRepair into the SYS:SYSTEM directory, load DSRepair and open the Advanced Options menu. Then, select the Global Schema Operations menu. You may be asked to authenticate to the NDS tree. Be sure to use the fully qualified NDS name of the user with full rights to the tree. Once you’ve properly authenticated to the tree, you should see the Global Schema Options menu. At this point, choose the Post NetWare 5 Schema Update option.

Installing NDS eDirectory
You are now ready to install the NDS eDirectory Upgrade on this server. Load the NWConfig NLM, and from the Product Options menu, select Install A Product Not Listed. Press [F3], type the path that you’ll be installing eDirectory from, and then press [Enter].

After a few files have been copied, you will see a window containing the license for eDirectory. Press the [Esc] key to continue. Select Accept License Agreement to accept the terms of the agreement. You will now see the README file that we mentioned earlier. Because you should’ve already reviewed the file at this point, press [Esc] to continue.

An additional warning window will appear that explains dismounting and mounting of volumes during the installation process. Read this warning carefully, because it raises several good points. Press [Esc] to close this window, and you should see a progress window. Here you can view the progress of the file-copying process and see when volumes are mounted/dismounted and when the server is restarted. A couple of minutes into the eDirectory installation process, the server should automatically restart itself.

After the server restarts, a NetWare Installation window will appear on the server. Enter the full NDS name of Admin or the Admin equivalent user, along with the password, and then press [Enter]. A window will open that specifies which changes are being made to the NDS schema. Once these changes have been made, you should see the progress window reappear as the remaining files are copied. When the eDirectory installation process completes, it advises you that the server will need to be restarted to implement the changes just installed. A log of the changes made during the installation will follow that message. Once you exit this window, you have the option of restarting the server at that point or later. Unless you have a good reason for doing otherwise, restart the server now.

Installing Novell Certificate Server
After the server has restarted, you’ll need to install Novell’s Certificate Server 2.0. Go to the directory in which you extracted the Certificate Server files and run the install program. Once the program has been started, you should see an installation window that tells you it is installing Certificate Server 2.0 (and ConsoleOne 1.2b if needed). Click Next to continue.

When the Certificate Server license window appears, click the Accept button. In the target server window, click on the server name that you want Certificate Server installed on and click Next. You’ll see a window indicating that the install program is connecting to the designated server. Don’t be overly concerned if nothing seems to happen for a long period of time. Check the connection on the server in MONITOR.NLM for reassurance that information is still going from the workstation to the server.

At some point, you must specify where to install ConsoleOne and the Certificate Server management snap-ins. The default directory is C:\NOVELL. Accept this default (unless you’ve installed ConsoleOne elsewhere) and click Next. You might want to change this directory to something like F:\CONSOLEONE. That way, all the files required for ConsoleOne—and the associated snap-ins it can use (such as for the Certificate Server)—will not be located on the server.

Next, you must create an Organization Certificate Authority and a server certificate, and export the trusted root certificate. Unless you have a lot of experience in this area, accept the default options and click Next. You’ll then see a window that will summarize the choices you’ve made. Click Finish to proceed with the installation of the Certificate Server.

As the install process begins, it may detect one or more files that are more recent than the ones the Certificate Server installation process is trying to install. By default, the No, Do Not Overwrite The Existing File option is selected. If you leave this option selected, this window will appear each time there is a file date stamp conflict that must be resolved. The recommended option appears at the bottom of this window: Never Overwrite Newer Files. Select this option and click OK.

After the files have been copied and the schema has been extended, all objects required for the Certificate Server to operate will be created. Once the Certificate Server has been installed, you’ll see a message on your workstation to this effect. Click Close to continue. It should take about 20 minutes to install the Certificate Server.

Configuring the client
At this point, you’ve installed all of the software needed on the server to run NMAS. Three steps are all that is required to enable the client to log in using NMAS services.

The first step is a basic check of the client. You should be using at least a Pentium Pro 200 with a minimum of 64 MB of RAM. The client operating system should be either Windows 95 release B or later, Windows 98, or Windows NT 4.0 with Service Pack 3 or later. My personal preference on Windows NT Service Pack is to use Service Pack 5 at a minimum. Several problems such as SNMP memory leaks were resolved at Service Pack 5.

You’ll need to download two files to properly prepare the clients for logging in under NMAS: the latest Novell client and the NICI Crypto piece for Windows. As of May 30, 2000, the latest client for Windows 9x is version 3.21, and for Windows NT/2000, it’s version 4.71. Depending on where your Novell server running NMAS is located, you may want to download a different version of the NICI component for Windows. You have a choice of either the US/Worldwide or the 128-bit version for the U.S. only. All of these files are available from Novell’s Web site.

I recommend you create a directory structure where you can store the latest client and the NICI component. After downloading the Novell client, extract the files from the self-extracting archive and run the setup program to install the client. Unless you’ve installed additional services on the network, you can go with the default installation option.

Plan on rebooting a couple of times to get the software installed on the client required for NMAS. There is a required reboot after installing the latest Novell client, and you should do one as well after installing the NICI software. The NICI software installation is a refreshing change. All you’ll need to do is answer the default questions, and the NICI component will install directly from the downloaded file.

At each point in the installation process, test the file server and at least one of the workstations to make sure that everything is working. For example, because ConsoleOne is a required component, it is important to verify that ConsoleOne still works.

After installing the version 3.21 client, I saw an error message that certain DLL files needed by ConsoleOne were out of date. After I clicked Yes to update the files, the files appeared to be updated. I clicked Finish and specified that I wanted to immediately run ConsoleOne, but I continued getting the message about out-of-date files. I kept answering Yes and seeing the same prompt each time I attempted to start ConsoleOne.

My temporary solution was to downgrade back to the Novell client that was on the NetWare 5.0 server to which I installed NMAS. After my next attempt to start ConsoleOne, the DLLs were updated, and once I rebooted the computer, I was able to get into ConsoleOne.

In my next installment, I’ll go into detail as to what I did to resolve this problem. I’ll also delve into the configuration details for ConsoleOne and the last software component that you’ll need to install before logging in using the NMAS services. Once I’ve covered the basics, I’ll start going on a vendor-by-vendor basis, showing you what is currently available from the different Novell partners that support NMAS.

Ronald Nutter is a senior systems engineer in Lexington, KY. He’s an MCSE, a Novell Master CNE, and a Compaq ASE. Ron has worked with networks ranging in size from single servers to multiserver/multi-OS setups, including NetWare, Windows NT, AS/400, 3090, and UNIX. He’s also the help desk editor for Network World. If you’d like to contact Ron, send him an e-mail. (Because of the large volume of e-mail that he receives, it’s impossible for him to respond to every message. However, he does read them all.)

The authors and editors have taken care in preparation of the content contained herein, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for any damages. Always have a verified backup before making any changes.