7.2 Installing in an LDAP Environment

The LDAP option installs SecureLogin into an LDAP environment with eDirectory.

You can specify more than one LDAP server for the SecureLogin installation. Although the dialog box in the installation program allows you to specify only three LDAP servers, you can specify additional servers by modifying the responsefile.ini file.

The LDAP option does not require Client for Open Enterprise Server for Windows. However, if Client for Open Enterprise Server is installed on the workstation, Client for Open Enterprise Server is the initial authentication or Credential Provider. If you want LDAP authentication to be the initial authenticator, you must uninstall Client for Open Enterprise Server.

  1. Log in to the workstation as an administrator.

  2. Run the NetIQSecureLogin.exe file.

  3. Accept the license agreement and click Next.

  4. Select NetIQ eDirectory with LDAP as the datastore.

  5. Click Next.

  6. Click Install.

  7. Click Next.

  8. In the Custom Setup window, select the features you want to install.

  9. Click Next.

  10. In the LDAP Server Information window, specify the server address, port and the root CA certificate path.

    NOTE: SecureLogin supports the following certificate formats:

    • BASE64 (*.b64)

    • PEM (*.pem)

    IMPORTANT: It is mandatory to specify the root CA certificate path when installing SecureLogin in the LDAP mode. Specifying the root CA certificate is also mandatory when migrating to the LDAP mode using slMigrationHelper.exe. Although it is not recommended, if you do not wish to specify the root CA certificate path, see Installing SecureLogin in the LDAP Mode Without Root CA Certificate to install SecureLogin without a certificate.

7.2.1 Installing SecureLogin in the LDAP Mode Without Root CA Certificate

WARNING: Installing SecureLogin without a root CA certificate makes SecureLogin and the LDAP server open to security threats. It is not recommended to install SecureLogin without the root CA certificate.

Perform one of the following methods to install SecureLogin in the LDAP mode without the root CA certificate.

Installing SecureLogin in the LDAP Mode Without the Root CA Certificate Using Command Line

Perform the following steps to install SecureLogin in the LDAP mode without the root CA certificate:

  1. Log in as an administrator.

  2. Launch the command prompt.

  3. Navigate to the location where the SecureLogin installer package is saved.

  4. Run the NetIQSecureLogin.exe installer file with the INSTALLWITHOUTCACERT=Yes parameter. For example:

    NetIQSecureLogin.exe INSTALLWITHOUTCACERT=Yes

    NOTE: You can use the INSTALLWITHOUTCACERT=Yes parameter and continue the remaining installation with the GUI installer. For example, NetIQSecureLogin.exe /install INSTALLWITHOUTCACERT=Yes.

  5. Perform the following steps to modify the registry. The registry modification is necessary to prevent SecureLogin from checking for the root CA certificate.

    1. Click Start > Run to open the Run dialog box.

    2. Specify regedit and click OK to open Registry Editor.

    3. Navigate to the HKEY_LOCAL_MACHINE > SOFTWARE > Novell > Login > LDAP key.

    4. Right-click and click New > DWORD.

    5. Rename the DWORD to CACertNotProvided.

    6. Edit the CACertNotProvided value to 1.

For more information, see Section 9.0, Installing through the Command Line.

Installing SecureLogin in the LDAP Mode Without the Root CA Certificate Using Responsefile.ini (Silent Installation)

IMPORTANT: Upgrading SecureLogin using the responsefile.ini file is not supported.

Perform the following steps to install SecureLogin in the LDAP mode without the root CA certificate using the responsefile.ini file:

  1. Log in as an administrator.

  2. Specify INSTALLWITHOUTCACERT=YES in the responsefile.ini file.

  3. Launch the command prompt.

  4. Navigate to the location where the SecureLogin installer package is saved.

  5. To install SecureLogin on all the target machines with the responsefile.ini file, run the following command.

    NetIQSecureLogin.exe /install X_PRIMARYSTORE=LDAP PATHTOISS="c:\temp\responsefile.ini" /quiet

  6. Perform the following steps to modify the registry. The registry modification is necessary to prevent SecureLogin from checking for the root CA certificate.

    1. Click Start > Run to open the Run dialog box.

    2. Specify regedit and click OK to open Registry Editor.

    3. Navigate to the HKEY_LOCAL_MACHINE > SOFTWARE > Novell > Login > LDAP key.

    4. Right-click and click New > DWORD.

    5. Rename the DWORD to CACertNotProvided.

    6. Edit the CACertNotProvided value to 1.

For more information, see Installing SecureLogin Using The Responsefile.ini File.

7.2.2 Enabling TLS 1.1 In SecureLogin

WARNING: Installing SecureLogin with TLS 1.1 is less secure than using TLS 1.2. It can open your deployment environment to security threats.

Perform the following steps to modify the registry. The registry modification is necessary to enable TLS 1.1 in SecureLogin.

  1. Click Start > Run to open the Run dialog box.

  2. Specify regedit and click OK to open Registry Editor.

  3. Navigate to the HKEY_LOCAL_MACHINE > SOFTWARE > Protocom > SecureLogin key.

  4. Right-click and click New > DWORD.

  5. Rename the DWORD to AllowTLSv1.1.

  6. Edit the AllowTLSv1.1 value to 1.
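Both registry overrides described in this section (CACertNotProvided in 7.2.1 and AllowTLSv1.1 in 7.2.2) weaken the security of a SecureLogin workstation, so an administrator will want a way to find machines where they are set. The following audit script is an added example, not NetIQ's own tooling; it assumes only the key paths and value names given in the steps above and must be run from an elevated PowerShell prompt.

```powershell
# Added audit example: report the two SecureLogin registry overrides this section
# describes so that workstations running without root CA validation or with
# TLS 1.1 enabled can be located. Key paths and value names come from the steps above.

$Checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Novell\Login\LDAP'
       Name = 'CACertNotProvided'
       Risk = 'LDAP server certificate is not validated against a root CA' },
    @{ Path = 'HKLM:\SOFTWARE\Protocom\SecureLogin'
       Name = 'AllowTLSv1.1'
       Risk = 'TLS 1.1 is allowed instead of requiring TLS 1.2' }
)

function Get-SecureLoginWeakSettings {
    foreach ($c in $Checks) {
        $value = $null
        if (Test-Path -LiteralPath $c.Path) {
            # A missing value name yields $null with -ErrorAction SilentlyContinue
            $item = Get-ItemProperty -LiteralPath $c.Path -Name $c.Name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $value = $item.($c.Name) }
        }
        [pscustomobject]@{
            Path     = $c.Path
            Name     = $c.Name
            Value    = $value
            Weakened = ($value -eq 1)   # the steps above set the DWORD to 1 to weaken the check
            Risk     = $c.Risk
        }
    }
}

$results = Get-SecureLoginWeakSettings
$results | Format-Table -AutoSize

# Optional remediation: remove the override so SecureLogin enforces its default behaviour.
# Uncomment only after a valid root CA certificate path is configured for the LDAP servers,
# since removing CACertNotProvided without one will break LDAP authentication.
# foreach ($r in ($results | Where-Object Weakened)) {
#     Remove-ItemProperty -LiteralPath $r.Path -Name $r.Name
# }

# Non-zero exit code lets a deployment tool flag weakened workstations.
if ($results | Where-Object Weakened) { exit 1 } else { exit 0 }
```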