Advanced NetIQ SecureLogin Solutions Lecture

Transcription

Advanced NetIQ SecureLogin Solutions Lecture
NIQ14
Novell Training Services
ATT LIVE 2012 LAS VEGAS
www.novell.com

Novell Training Services (en) 12 April 2011
NIQ14: NetIQ SecureLogin Scripting
May 13, 2012

NIQ14: NETIQ SECURELOGIN SCRIPTING

Legal Notices

Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page (http://www.novell.com/info/exports/) for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.

Copyright 2009 Novell, Inc. All rights reserved.
No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

Novell, Inc., has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed on the Novell Legal Patents Web page (http://www.novell.com/company/legal/patents/) and one or more additional patents or pending patent applications in the U.S. and in other countries.

Novell, Inc.
404 Wyman Street, Suite 500
Waltham, MA 02451
U.S.A.
www.novell.com

Online Documentation: To access the latest online documentation for this and other Novell products, see the Novell Documentation Web page (http://www.novell.com/documentation).

Novell Trademarks

For Novell trademarks, see the Novell Trademark and Service Mark list list.html).

Third-Party Materials

All third-party trademarks are the property of their respective owners.

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 1

Contents

NIQ14: Secure Login Scripting: Advanced SecureLogin Scripting . . . 5
Objective 1  Agenda . . . 6
Objective 2  Tools and Procedures Used In Class . . . 7
Objective 3  Scripting for Authentication Failures and Exceptions . . . 20
    Handling Failed Logins . . . 20
    Scripting Password Changes . . . 29
    Handling Exceptions . . . 35
Objective 4  Scripting Complex Authentication Dialogs . . . 43
    Dialogs that have a Parent / Child Architecture . . . 43
    Coding for Window Refreshes . . . 54


SECTION 1
NIQ14: Secure Login Scripting: Advanced SecureLogin Scripting

The material in this session is part of a two-day Scripting class offered by Novell Training. It is quite likely that this material requires MORE than the 4 hours allocated for this class. This is done intentionally. Some students are very experienced with similar material, so the lab should offer some challenge to those individuals. Some students are less familiar and therefore a second glance at the instructions may be necessary. The idea of the session is to provide an opportunity—not a challenge. With that in mind, work at a relaxed pace so that you may gain the most from the experience.

This session is intended to follow the Introduction to Novell SecureLogin class. The introductory class:

- provided an overview of Novell SecureLogin (NSL) and the problems addressed by NSL
- discussed the architecture of NSL
- introduced other software technologies related to NSL
- provided hands-on work with some beginning scripting challenges.

The purpose of this class is to demonstrate how to manage application dialogs via scripting (Application Definitions) that go beyond providing just a username and password. This class will use scripting techniques to build more intelligence into Application Definitions for such things as:

- scripting for login failures
- handling change password dialogs
- dealing with authentication dialogs when users cancel out of the dialog
- and more!

Objective 1
Agenda

The class will start by covering the tools, and the procedures for using those tools, that will be used throughout this class. We start here because you will be going through a repetitive process that includes using those tools and procedures when building or enhancing application definitions.

Learning how to script for authentication failures and exceptions is the next section. This section teaches how to code your application definitions to deal with such conditions as a user providing incorrect credentials or clicking a Cancel button.

Then you will learn how to deal with applications whose authentication dialog screens have a structure more complex than just a user name and password field. For instance, applications that have authentication dialogs that:

- have buttons that are contained within a hidden parent/child window structure, or
- have buttons in different locations on a dialog whenever the application runs, or
- use drop-down pick lists

can be problematic when trying to SSO-enable the application.

Objective 2
Tools and Procedures Used In Class

This section covers the tools, and the procedures for using those tools, that will be used repetitively throughout class. The topics in this section include:

- Using a tool called the Application Simulator
- Editing application definitions using the NSL Tray icon (also called PMU—Personal Management Utility)
- Deleting passwords and credentials using the Tray icon.

Applications that display authentication dialogs (especially Windows applications) can handle the dialog screens in many different ways. This means that providing a learning environment for coding application definitions that handle many types of authentication dialogs can be problematic. Providing such a learning environment using third party applications can be impractical due to:

- costs associated with licensing the applications
- disk space requirements. Using many different applications may require so much disk space as to make using virtual machine technology impossible due to hardware restrictions.
- the learning curve associated with learning many different applications so that they may be scripted is too great for a one or two day class.

For these reasons you will be using a single application that is designed to simulate many different types of authentication dialog screens. This tool was originally developed by Novell's ActivIdentity partner and is called the Application Simulator. Using the Application Simulator provides a learning environment where you can learn how to code for different types of authentication dialog challenges without having to install or learn many different applications.

The Application Simulator is a program named ASTrainer.exe. This program can be found in your lab environment on the Windows server VM. The program is located in a folder called ASTrainer in E:\NSLApps of the VM.

ASTrainer gives you the flexibility you need in your lab environment by:

- presenting several different types of authentication dialog screens
- allowing you to configure the Application Simulator's behavior
- being able to define new users to the Application Simulator and lock or unlock those users' login accounts.

The Application Simulator offers the following types of login scenarios:

- a simple authentication dialog with just a user name field, password field, an OK button, and a Cancel button
- authentication dialogs requiring that the user make a selection from a drop-down list or pick a selection in a list box
- buttons on the authentication screen that change position relative to one another on successive invocations
- an authentication dialog screen whose window title changes with successive invocations

The Application Simulator maintains a "database" of users that are allowed to authenticate using the various login scenarios. Clicking Tools > Configuration from the Application Simulator's menu bar provides four tabs. These tabs can be used to control the behavior of, and the messages displayed by, the Application Simulator.

Clicking the Users tab, as shown in the graphic above, allows for the management of the user accounts that are allowed to log in to the Application Simulator using one of the login dialogs. On the Users tab, you can:

- define new user accounts or delete existing user accounts

- modify passwords
- lock, unlock, disable, or expire accounts.

Selecting the Messages tab allows you to specify the exact messages displayed by the Application Simulator when different kinds of authentication events occur. For instance, when a user listed on the Users tab exceeds the maximum number of unsuccessful login attempts, the "AccountLocked" message is displayed to the user. This message states: "Your account is locked. Please call the help desk." These messages can be customized to simulate actual messages that your production applications generate for the same type of authentication event.

The Settings tab allows you to determine the Application Simulator's behavior for the following:

- the number of unsuccessful attempts a user can generate before the Application Simulator locks that user's account
- what string to display as the title on the main Application Simulator window
- whether or not case sensitivity should be enforced in passwords
- whether a "Login Success" type message should be displayed to the user when they successfully log into the Application Simulator using one of the login scenarios
- if the user should be prompted with an "are you sure" type of dialog prior to logging out.

During your exercises you will occasionally lock out one of the Application Simulator's user accounts. To unlock the user's account complete the following:

1. From the Application Simulator's main menu select Tools > Configuration.
2. Click the Users tab.
3. Double-click the cell that says Yes under the Locked column for the desired user. Select No.
4. Close the Application Simulator down and restart it.

Now the user's account is unlocked and can be used again during your lab exercises.

You will be using the Personal Management Utility to develop and modify Application Definitions. The process of getting an Application Definition to function the way you want with all the dialog screens produced by the application is an iterative process. To modify an existing Application Definition follow this simple three step procedure:

1. Right-click the NSL icon in the System Tray; select Manage Logins.
2. Highlight the desired Application Definition under Applications in the left pane.
3. Click the Definition tab.

You should develop the coding practice of commenting your Application Definitions. Any line that begins with a pound sign (#) is regarded as a comment line and is ignored when the Application Definition runs.

Good coding practice is to clearly delineate the code associated with each Dialog Specification Block (DSB). Note in the example above you see:

    ## BeginSection: "Login Window"
    Dialog
        indent your code here

    EndDialog
    ## EndSection: "Login Window"

This clearly delineates the code designed to process the application's login window.

Also note in the above graphic that each line of code (including comment lines) is numbered. If there is a syntax error in one of the lines, NSL will identify the offending line by its line number when NSL tries to execute the Application Definition.

During the testing process for Application Definitions you may need to change or verify the password used by the application. This is especially true when building code to detect a login failure. You will need to do this when using the Application Simulator (ASTrainer.exe) in class. To view and change an application's stored password:

1. Right-click the NSL icon in the System Tray and select Manage Logins.

2. Highlight the particular Application Definition under the Applications heading in the left pane. The ASTrainer Application Definition is selected in the example above.
3. Click Show passwords.
4. Change the password if required for testing.
5. Click OK.

IMPORTANT: NSL allows users to display their own passwords by default. However, this option can be disabled globally by setting Allow users to view passwords to No in the General Preferences at a container level using iManager or the NSL Administrative Utility (slmanager.exe).

During the testing of Application Definitions you may need to simulate, multiple times, the first time NSL captures the credentials for the application. To do this you must clear the stored credentials associated with the Application Definition. This will simulate a new account running the application for the first time to the NSL Client.

To delete stored credentials for an Application Definition:

1. Right-click the NSL icon in the System Tray and select Manage Logins.
2. Highlight the desired Application Definition name under Applications in the left pane.
3. Click the Details tab.
4. Select Username.
5. Click the Delete button and select Credential.
6. Select Password and repeat Step 5.
7. Click OK.

The next time the Application Definition is used, it will run as though it was running for the very first time.

More on Dialog Specification Blocks:

As stated in the first day of class, in order for NSL to process a given application dialog screen there must be a Dialog Specification Block (Dialog / EndDialog statements) coded to detect that screen in the Application Definition.

Dialog Specification Blocks can be coded with more or less precision depending on how similar the dialog screens are that are generated by the application. If an application generates multiple dialogs that are very similar in structure, the Application Definition will need to have more code contained within the Dialog Specification Blocks in order to accurately determine which dialog is displayed at any given moment.

In the graphic above, both Dialog Specification Blocks (DSB 1 and DSB 2) will detect the login dialog screen shown. However, DSB 2 describes the dialog with much greater detail.

DSB 1 detects the dialog if:

1. it has a class ID of 32770
2. and has a title on the dialog of "Login - Simple"

However, if this application puts out dialogs with the same structure, DSB 1 may not be detailed enough to discriminate between different dialogs.

But DSB 2 will detect this particular dialog only if all of the following are true:

1. it has a title on the dialog of "Login - Simple"
2. has a class ID of 32770
3. contains a field with a Dialog ID of 1001 (this is the field where the user types in their user name.)
4. contains a field with a Dialog ID of 1002 (this is the field where the user types in their password.)
5. has a button with the text "Login" on the button
6. has a button with the text "Cancel" on the button
7. has a field that has a Dialog ID of 1027 and that field contains the string "Username:"
8. has a field that has a Dialog ID of 1028 and that field contains the string "Password:"
9. and finally, has a static pane in the dialog that has a Dialog ID of 1009. (This is the part of the di
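The two blocks the text describes, written out as Application Definition code with the BeginSection / EndSection commenting convention from earlier in this section. This is an added example, not the manual's own script or graphic: the control IDs for the Login and Cancel buttons (#1 and #2) are assumed, since the text gives only their captions, and the Type and Click lines after DSB 2 are assumed follow-on commands. A real definition keeps only one of the two blocks for this window; the precise one is the safer choice, because a block that matches on class and title alone would also fire on any other dialog that happens to share them.

```securelogin
# Added example (not from the course manual). Assumed: Login button is
# control #1, Cancel button is control #2; the manual gives only captions.

## BeginSection: "Login Window - DSB 1 (loose match)"
# Matches on window class and title only. Any other class #32770 window
# titled "Login - Simple" also satisfies this block, so NSL could act on
# a dialog that merely resembles the login screen.
Dialog
    Class #32770
    Title "Login - Simple"
EndDialog
## EndSection: "Login Window - DSB 1 (loose match)"

## BeginSection: "Login Window - DSB 2 (precise match)"
# Every line inside Dialog/EndDialog must be true before the block
# fires, so only the real Application Simulator login dialog is matched.
# Ctrl #ID alone checks that the control exists; Ctrl #ID "text" also
# checks that the control contains that text.
Dialog
    Title "Login - Simple"
    Class #32770
    # 1001 / 1002: user name and password edit fields
    Ctrl #1001
    Ctrl #1002
    # assumed control IDs for the Login and Cancel buttons
    Ctrl #1 "Login"
    Ctrl #2 "Cancel"
    # 1027 / 1028: static labels beside the two fields
    Ctrl #1027 "Username:"
    Ctrl #1028 "Password:"
    # 1009: static pane named in item 9 above
    Ctrl #1009
EndDialog
# Reached only when DSB 2 matched: supply the stored credentials.
Type $Username #1001
Type $Password #1002
Click #1
## EndSection: "Login Window - DSB 2 (precise match)"
```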
