Use the following property values to install SecureLogin.
Section 9.2.2, Installing in the LDAP v3 (non-eDirectory) Environment
Section 9.2.3, Installing in the Microsoft Active Directory Environment
Section 9.2.4, Installing in the Azure Active Directory Environment
Section 9.2.5, Installing in the Active Directory Application Mode Environment
Section 9.2.10, Installing SecureLogin Using The Responsefile.ini File
NOTE: All commands described in this section display details on the user interface. Use the /quiet option to stop displaying details on the user interface, or the /passive option to display minimal details. For example: NetIQSecureLogin.exe /install /quiet X_PRIMARYSTORE=MAD
When you install or migrate SecureLogin in the LDAP environment, ensure that the certificates used are certified by a Certification Authority (CA) and that server certificates are installed and available on your LDAP server.
IMPORTANT: Installing SecureLogin without a root CA certificate makes SecureLogin and the LDAP server vulnerable. It is not recommended to install SecureLogin without the root CA certificate.
Ensure that you provide a valid root CA certificate on every workstation during SecureLogin installation. The installation fails if the valid root CA certificate is not specified. However, if you want to install SecureLogin without the root CA certificate, see Installing SecureLogin in the LDAP Mode Without Root CA Certificate.
Use the following command to upgrade SecureLogin without a root CA certificate:
NetIQSecureLogin.exe /install INSTALLWITHOUTCACERT=Yes
Ensure that the Subject Name or Subject Alternative Name of the certificate in eDirectory matches the SecureLogin LDAP server name.
Table 9-1 Command Options for Installing in the eDirectory Environment
Installation Mode | Command Line Parameters | Description |
---|---|---|
eDirectory in NDS Credential Provider mode | NetIQSecureLogin.exe /install X_PRIMARYSTORE=NDS | Use this command to install SecureLogin in Credential Provider mode on eDirectory. |
eDirectory in LDAP Credential Provider Mode | NetIQSecureLogin.exe /install X_PRIMARYSTORE=LDAP APPENDLOCAL=SeamlessLDAPGina LDAPSERVERADDRESS=192.168.1.255 CERTPATH=c:\temp\<certificate file> /log log.txt | Use this command to install SecureLogin in LDAP Credential Provider Mode on eDirectory. The default port is 636. To use another port, include LDAPPORT in the command line. For example, NetIQSecureLogin.exe /install X_PRIMARYSTORE=LDAP APPENDLOCAL=SeamlessLDAPGina LDAPSERVERADDRESS=192.168.1.255 LDAPPORT=359 CERTPATH=c:\temp\<certificate file> /log log.txt |
eDirectory in LDAP Credential Manager Mode | NetIQSecureLogin.exe /install X_PRIMARYSTORE=LDAP APPENDLOCAL=SeamlessLDAPCred LDAPSERVERADDRESS=192.168.1.255 CERTPATH=c:\temp\<certificate file> /log log.txt | Use this command to install SecureLogin in Credential Manager mode on eDirectory. The default port is 636. To use another port, include LDAPPORT in the command line. For example, NetIQSecureLogin.exe /install X_PRIMARYSTORE=LDAP APPENDLOCAL=SeamlessLDAPCred LDAPSERVERADDRESS=192.168.1.255 LDAPPORT=389 CERTPATH=c:\temp\<certificate file> /log log.txt |
eDirectory in LDAP Application Mode | NetIQSecureLogin.exe /install X_PRIMARYSTORE=LDAP APPENDLOCAL=LDAPApp LDAPSERVERADDRESS=192.168.1.255 CERTPATH=c:\temp\<certificate file> /log log.txt | Use this command to install SecureLogin in LDAP Application Mode on eDirectory. The default port is 636. To use another port, include LDAPPORT in the command line. For example, NetIQSecureLogin.exe /install X_PRIMARYSTORE=LDAP APPENDLOCAL=LDAPApp LDAPSERVERADDRESS=192.168.1.255 LDAPPORT=389 CERTPATH=c:\temp\<certificate file> /log log.txt |
When you install or migrate SecureLogin in the LDAP environment, ensure that the certificates used are certified by a Certification Authority (CA) and that server certificates are installed and available on your LDAP server.
WARNING: Installing SecureLogin without a root CA certificate makes SecureLogin and the LDAP server open to security threats. It is not recommended to install SecureLogin without the root CA certificate.
IMPORTANT: Ensure that you provide the valid root CA certificate on every workstation during SecureLogin installation. The installation fails if the valid root CA certificate is not specified. However, if you want to install SecureLogin without the root CA certificate, see Installing SecureLogin in the LDAP Mode Without Root CA Certificate.
IMPORTANT: Ensure that the Subject Name or Subject Alternative Name of the certificate in eDirectory matches the SecureLogin LDAP server name.
IMPORTANT: Use the following command to upgrade SecureLogin without a root CA certificate:
NetIQSecureLogin.exe /install INSTALLWITHOUTCACERT=Yes
Table 9-2 Command Options for Installing in the LDAP v3 (non-eDirectory) Environment
Installation Mode | Command Line Parameters | Description |
---|---|---|
LDAP Credential Provider mode | NetIQSecureLogin.exe /install X_PRIMARYSTORE=LDAP APPENDLOCAL=SeamlessLDAPGina X_NONEDIRLDAP=1 LDAPSERVERADDRESS=192.168.1.255 CERTPATH=c:\temp\<certificate file> /log log.txt | Use this command to install SecureLogin in LDAP Credential Provider mode on any LDAP-compliant directory (non-eDirectory). The default port is 636. To use another port, include LDAPPORT in the command line. For example, NetIQSecureLogin.exe /install X_PRIMARYSTORE=LDAP APPENDLOCAL=SeamlessLDAPGina X_NONEDIRLDAP=1 LDAPSERVERADDRESS=192.168.1.255 LDAPPORT=389 CERTPATH=c:\temp\<certificate file> /log log.txt |
LDAP Credential Manager Mode | NetIQSecureLogin.exe /install X_PRIMARYSTORE=LDAP X_NONEDIRLDAP=1 APPENDLOCAL=SeamlessLDAPCred LDAPSERVERADDRESS=192.168.1.255 CERTPATH=c:\temp\<certificate file> /log log.txt | Use this command to install SecureLogin in Credential Manager mode on any LDAP-compliant directory (non-eDirectory). The default port is 636. To use another port, include LDAPPORT in the command line. For example, NetIQSecureLogin.exe /install X_PRIMARYSTORE=LDAP X_NONEDIRLDAP=1 APPENDLOCAL=SeamlessLDAPCred LDAPSERVERADDRESS=192.168.1.255 LDAPPORT=389 CERTPATH=c:\temp\<certificate file> /log log.txt |
LDAP Application Mode | NetIQSecureLogin.exe /install X_PRIMARYSTORE=LDAP X_NONEDIRLDAP=1 APPENDLOCAL=LDAPApp LDAPSERVERADDRESS=192.168.1.255 CERTPATH=c:\temp\<certificate file> /log log.txt | Use this command to install SecureLogin in LDAP Application Mode on any LDAP-compliant directory (non-eDirectory). The default port is 636. To use another port, include LDAPPORT in the command line. For example, NetIQSecureLogin.exe /install X_PRIMARYSTORE=LDAP X_NONEDIRLDAP=1 APPENDLOCAL=LDAPApp LDAPSERVERADDRESS=192.168.1.255 LDAPPORT=389 CERTPATH=c:\temp\<certificate file> /log log.txt |
Table 9-3 Command Options for Installing in Active Directory Environment
Installation Mode | Command Line Parameters | Description |
---|---|---|
Complete install | NetIQSecureLogin.exe /install X_PRIMARYSTORE=MAD | Use this command to install SecureLogin on Microsoft Active Directory, without prompting users for any selection. |
With group policies enabled | NetIQSecureLogin.exe /install X_PRIMARYSTORE=MAD APPENDLOCAL=GPO | Use this command to install SecureLogin on Microsoft Active Directory with support for group policy. |
Table 9-4 Command Options for Installing in Azure Active Directory Environment
Installation Mode | Command Line Parameters | Description |
---|---|---|
Complete install | NetIQSecureLogin.exe /install X_PRIMARYSTORE=SLAE | Use this command to install SecureLogin on Azure Active Directory, without prompting users for any selection. |
With group policies enabled | NetIQSecureLogin.exe /install X_PRIMARYSTORE=SLAE APPENDLOCAL=GPO | Use this command to install SecureLogin on Azure Active Directory with support for group policy. |
Table 9-5 Command Options for Installing in Active Directory Application Mode Environment
Installation Mode | Command Line Parameters | Description |
---|---|---|
Complete install | NetIQSecureLogin.exe /install X_PRIMARYSTORE=ADAM | Use this command to install SecureLogin on Microsoft Active Directory Application Mode, without prompting users for any selection. |
With group policies enabled | NetIQSecureLogin.exe /install X_PRIMARYSTORE=ADAM APPENDLOCAL=GPO | Use this command to install SecureLogin on Microsoft Active Directory Application Mode with support for group policy. |
Table 9-6 Command Options for Installing in Standalone Mode
Installation Mode | Command Line Parameter | Description |
---|---|---|
Complete install | NetIQSecureLogin.exe /install X_PRIMARYSTORE=DUMMY | Use this command to install SecureLogin in a standalone mode, without any user interface. |
When installing SecureLogin, GPO and RunAtStartup features are installed by default. You can choose to install various features such as support for smart card and support for Citrix.
Use the following table as reference to specify these features when installing SecureLogin.
HINT: APPENDLOCAL can be used to install any specific feature using the feature name. To enable multiple features, specify the feature names separated by a comma.
For example, to install DAS and SmartCard, use APPENDLOCAL in the following manner: APPENDLOCAL=DAS,SmartCard
Table 9-7 Commands for Installing Features
Command Line Parameters | Value | Description | Example |
---|---|---|---|
INSTALLDIR | Installation folder | Installs SecureLogin in the specified folder or directory. | INSTALLDIR=C:\Program Files\NetIQ\SecureLogin\ |
X_CACHEDIR | Cache folder | Installs SecureLogin in the specified folder or directory. | X_CACHEDIR=%LOCALAPPDATA% |
X_PRIMARYSTORE=MAD | | Install SecureLogin on Microsoft Active Directory. | NetIQSecureLogin.exe /install X_PRIMARYSTORE=MAD |
SMARTCARD | | Installs smartcard support. | APPENDLOCAL=SmartCard. Smart card support is installed only if ActivIdentity ActivClient is detected on the machine. Set the cryptographic service provider and smart card DLL file by defining the X_CSP and X_SMARTCARDLIB properties: X_CSP=Microsoft Base Smart Card Crypto Provider X_SMARTCARDLIB=C:\Windows\System32\basecsp.dll |
Desktop | | Installs desktop and tray icon for SecureLogin. | ADDLOCAL=Desktop |
MMC_AD | | Installs Active Directory MMC Snapin and Active Directory query extension. | ADDLOCAL=MMC_AD |
MMC_GPO_EDIT | | Installs Active Directory MMC Snapin for GPO editor. | ADDLOCAL=MMC_GPO_EDIT |
Citrix | | Installs Citrix support. | ADDLOCAL=Citrix |
CitrixSeamless | | Installs Citrix support for seamless sign-on. | APPENDLOCAL=CitrixSeamless |
CitrixPubApp | | Installs Citrix Published App | APPENDLOCAL=CitrixPubApp |
CitrixAgent | | Installs Citrix Agent support. | APPENDLOCAL=CitrixAgent |
TerminalServer | | Installs general configurations of Terminal Server. | APPENDLOCAL=TerminalServer |
TSSeamless | | Installing this feature allows seamless sign-on using eDirectory, AD, LDAP etc. | APPENDLOCAL=TSSeamless |
TSAgent | | Installs files and registry for Terminal Server Virtual Channels to allow seamless sign-on to remote terminal servers. | APPENDLOCAL=TSAgent |
AAF2 | | Installs files that are required to configure Advanced Authentication. | APPENDLOCAL=AAF2 |
HELP | | Installs SecureLogin help files. | APPENDLOCAL=HELP |
DAS | | Installs files that are required to configure Desktop Automation Services for Kiosk mode. | APPENDLOCAL=DAS |
LDAPPORT | Port address | Specifies the LDAP port address. | LDAPPORT=389 |
SecureWorkstation | | Installs SecureWorkstation. | APPENDLOCAL=SecureWorkstation |
Admin | | Specifies installing the directory administration tools. | APPENDLOCAL=Admin |
SMARTCARDLIB | | Specifies the PKCS#11 encryption library to use. The value is supplied as the name of the desired DLL file. | X_SMARTCARDLIB="C:\Resources\acpkcs201rc.dll" |
CSP | | Specifies a cryptographic service provider. It is typically a string constant from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider. | X_CSP="ActivCard Gold Cryptographic Service Provider" |
GPO | | Installs Microsoft Group Policy Support for ADAM, AD and AD LDS. | APPENDLOCAL=GPO |
MinMem | | Installing this feature will allow you to set the minimum and maximum working set sizes for the specified SecureLogin process. | APPENDLOCAL=MinMem |
RoamProfile | | Installs settings that change seamless sign-on process to allow roaming files to log off cleanly. | APPENDLOCAL=RoamProfile |
DisableCache | | It disables the local file cache for offline support. Do not install this feature if a local cache is required. | APPENDLOCAL=DisableCache |
SeamlessMAD | | Uses the Windows credentials for seamless sign on in the Active Directory environment. | APPENDLOCAL=SeamlessMAD |
VCRedist_*_* | | Installs Visual C++ Redistributable Package | APPENDLOCAL=VCRedist_11_x86 APPENDLOCAL=VCRedist_11_x64 |
*SSO | WinSSO, JavaSSO, TermSSO, IESSO, FireFoxSSOJS, ChromeSSO, EdgeSSO, DotNetSSO | Enables SSO support for various platforms respectively. | APPENDLOCAL=WinSSO APPENDLOCAL=JavaSSO APPENDLOCAL=TermSSO APPENDLOCAL=DotNetSSO |
Auditing | | Installs files to audit SecureLogin events. | APPENDLOCAL=Auditing |
WindowsEventLog | | Logs Windows event messages. | APPENDLOCAL=WindowsEventLog |
SysLogCacheForward | | Installing this feature forwards the events logged in Windows Event Log to the Syslog server. | APPENDLOCAL=SysLogCacheForward |
SysLog | | Installing this feature sends audit messages to the Syslog server. | APPENDLOCAL=SysLog |
Tools | | Installs tools required for the administrative tasks. For example, SlapTool for provisioning. | APPENDLOCAL=Tools |
This section lists some examples that you can use in your environment.
The following example installs SecureLogin in the following setup:
Microsoft Active Directory mode
Support for Group Policy
SecureLogin is not launched at the completion of the installation
NetIQSecureLogin.exe /install X_PRIMARYSTORE=MAD APPENDLOCAL=GPO
The following example installs SecureLogin in the following setup:
eDirectory mode.
SecureLogin is not launched at the completion of the installation
User is prompted to restart after the installation is complete.
NetIQSecureLogin.exe /install X_PRIMARYSTORE=NDS APPENDLOCAL=INSTALLADMIN
A silent install provides InstallShield Wizard with instructions for installing SecureLogin. To use a silent install, you must use a response file.
A response file is a text file (responsefile.ini) containing sections and keys. The response file is created during installation in <WindowsVolume>\NSLFiles\responsefile.ini. It captures your responses to the dialogs that you encounter during the installation and is later used as input for the silent installation. It is recommended that you do not modify the responsefile.ini.
IMPORTANT: During silent install, the PATHTOISS property must contain the absolute path to responsefile.ini. If it is a relative or invalid path, the SecureLogin installation is aborted.
For instance,
An administrator runs the graphical installer on a single machine. During the install, the administrator selects the configuration he or she wants to roll out to the machines of the target users.
At the end of the installation, a response file is created and is available in <WindowsVolume>\NSLFiles. It contains the command line properties required to replicate the graphical installation the administrator has done.
The administrator can take this response file and copy it to the target machines or to a mapped network drive for use with target machine installs.
IMPORTANT: Upgrading SecureLogin using the responsefile.ini file is not supported.
To install SecureLogin on all target machines with responsefile.ini, run the following command:
NetIQSecureLogin.exe /install X_PRIMARYSTORE=LDAP PATHTOISS="c:\temp\responsefile.ini" /quiet /log log.txt
Replace the value of X_PRIMARYSTORE with one of the following values:
MAD - Microsoft Active Directory
SLAE - Advanced Edition
ADAM - Active Directory Application Mode
NDS - NetIQ eDirectory with Novell Client
LDAP - NetIQ eDirectory with LDAP
The LDAP modes (such as Gina/CP, CM and App mode) have certain prerequisites such as NICI and NMAS. If you install NSL using responsefile.ini in any of these modes, it is therefore important to pass the value for the data store along with responsefile.ini.
For example:
NetIQSecureLogin.exe X_PRIMARYSTORE=LDAP PATHTOISS="C\Users....\responsefile.ini" /quiet
Installation fails if you do not specify X_PRIMARYSTORE, because the prerequisites are not met. If prerequisites such as NICI and NMAS are already present on the workstation, do not specify the X_PRIMARYSTORE value in the command line.
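The root CA certificate and PATHTOISS rules stated on this page can be checked before a deployment command is rolled out. The following linter is an added example, not NetIQ code: the function names, severity labels, the sample file name rootca.cer and the treatment of PATHTOISS installs (CERTPATH expected in the response file) are assumptions of this example.

```python
import re
from pathlib import PureWindowsPath

# X_PRIMARYSTORE values that appear on this page (DUMMY = standalone mode).
KNOWN_STORES = {"MAD", "SLAE", "ADAM", "NDS", "LDAP", "DUMMY"}
DEFAULT_LDAP_PORT = "636"  # default stated in the command tables
# NAME=value or NAME="value with spaces", only at the start of a token.
PROP_RE = re.compile(r'(?<!\S)([A-Za-z_][A-Za-z0-9_]*)=("[^"]*"|\S*)')


def parse_properties(cmdline):
    """Return installer properties as {NAME: value}, quotes stripped."""
    return {name.upper(): value.strip('"') for name, value in PROP_RE.findall(cmdline)}


def audit_install_command(cmdline):
    """Return (severity, message) findings for one NetIQSecureLogin.exe command line."""
    props = parse_properties(cmdline)
    findings = []
    store = props.get("X_PRIMARYSTORE", "").upper()
    if store and store not in KNOWN_STORES:
        findings.append(("error", f"unknown X_PRIMARYSTORE value {store}"))
    if props.get("INSTALLWITHOUTCACERT", "").lower() == "yes":
        findings.append(("high", "INSTALLWITHOUTCACERT=Yes installs without a root CA certificate"))
    elif store == "LDAP" and "PATHTOISS" not in props and not props.get("CERTPATH"):
        # Assumption: with PATHTOISS, CERTPATH is read from the response file instead.
        findings.append(("error", "X_PRIMARYSTORE=LDAP without CERTPATH: no root CA certificate specified"))
    iss = props.get("PATHTOISS")
    if iss is not None and not PureWindowsPath(iss).is_absolute():
        findings.append(("error", f"PATHTOISS={iss} is not an absolute path; the install aborts"))
    port = props.get("LDAPPORT", DEFAULT_LDAP_PORT)
    if port != DEFAULT_LDAP_PORT:
        findings.append(("info", f"LDAPPORT={port} overrides the default {DEFAULT_LDAP_PORT}"))
    return findings


# Constructed sample command lines (rootca.cer is a made-up file name).
SAMPLES = [
    r'NetIQSecureLogin.exe /install X_PRIMARYSTORE=LDAP APPENDLOCAL=LDAPApp '
    r'LDAPSERVERADDRESS=192.168.1.255 CERTPATH=c:\temp\rootca.cer /log log.txt',
    r'NetIQSecureLogin.exe /install INSTALLWITHOUTCACERT=Yes',
    r'NetIQSecureLogin.exe /install X_PRIMARYSTORE=LDAP APPENDLOCAL=LDAPApp '
    r'LDAPSERVERADDRESS=192.168.1.255 LDAPPORT=389 /log log.txt',
    r'NetIQSecureLogin.exe /install X_PRIMARYSTORE=LDAP PATHTOISS="responsefile.ini" /quiet',
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(cmd)
        for severity, message in audit_install_command(cmd) or [("ok", "no findings")]:
            print(f"  [{severity}] {message}")
```

Any "high" or "error" finding is a reason to stop the rollout and correct the command line before it reaches workstations.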
You can create a new response file or edit one from a previous installation. During the installation, the responsefile.ini is created in the <WindowsVolume>\NSLFiles folder.
IMPORTANT: Non-English users must first run MSI with transform file and then run the update sequentially.
INSTALLDIR=C:\Program Files\NetIQ\SecureLogin\
X_CACHEDIR=%LOCALAPPDATA%
X_PRIMARYSTORE=MAD
X_NONEDIRLDAP=No
ADDLOCAL=SmartCard,GPO,MinMem,RoamProfile,DisableCache,SeamlessMAD,WinSSO,JavaSSO,TermSSO,IESSO,FireFoxSSOJS,ChromeSSO,EdgeSSO,DotNetSSO,Admin,MMC_AD,MMC_GPO_Edit,Tools,Citrix,CitrixSeamless,CitrixAgent,TerminalServer,TSSeamless,TSAgent,AAF2,DAS,SysLogCacheForward,SysLog,RunAtStartup,Desktop,CredStore,DirectorySignon,SSOAut,PrimaryStore,WindowsEventLog,Auditing,VCRedist_11_x86,VCRedist_11_x64,VCRedist_10_x64,VCRedist_10_x86
LDAPSERVERADDRESS=LDAP server address
LDAPPORT=636
LDAPSERVERADDRESS=LDAP server address
LDAPPORT=636
CERTPATH=
LDAPSERVERADDRESS1=
LDAPPORT1=
CERTPATH1=
LDAPSERVERADDRESS2=
LDAPPORT2=
CERTPATH2=
X_SMARTCARDLIB=C:\Windows\System32\basecsp.dll
X_CSP=Microsoft Base Smart Card Crypto Provider
X_STOREONCARD=
LOCATIONFORXML=
DASSERVER=
DASCONFIGOBJECT=
X_SYSLOGSERVERURI=tls://localhost:6514
X_SYSLOGLANGUAGEID=#1033
X_AAFSERVERNAME=164.99.91.104
X_AAFSERVERPORT=443
X_AAFEVENTNAME=Windows logon
For more information, see Commands for Installing the Features.