Access Manager

From ZENWorks Wiki

I plan to create a NAM3 and Federation Document. Here is my outline

What is Novell Access Manager 3

Access Manager deployments typically use Identity Servers and Access Gateways to provide policy-driven access control for HTTP services. For non-HTTP services, Access Manager provides secure VPN and J2EE Agent components. You can use the Access Gateway on both NetWare® (soft appliance) or Linux.

Identity federation is the association of accounts between an identity provider and a service provider. As shown in Figure 1-2, an employee named Steve is known as steve.s at his corporate identity provider. He has an account at a work-related service provider called 401k, which has set up a trust relationship with his company. At 401k he is known as ssmith_01.

An Access Gateway provides secure access to existing HTTP-based Web servers. It provides the typical security services (authorization, single sign-on, and data encryption) previously provided by Novell iChain, and is integrated with the new identity and policy services of Access Manager.

Basic Concepts

The following figure illustrates the components and process flow that make up a basic configuration.

For a basic Access Manager installation, you can install the Identity Server and the Access Gateway outside your firewall.

An advanced network configuration assumes that you want fault tolerance, so you will install clusters of Access Gateways and Identity Servers. It also assumes that your network has at least two firewalls, one that separates external clients from your network and one that separates internal clients from some components of your network.

Basic Installation

Firewall Requirements

The firewall requirements depend on the placement of the NAM boxes. If all the NAM boxes are located within the same subnet and firewall rules, setup is very simple. If multiple firewalls exist, then several rules must be created to all traffic between all the boxes, the user, and the user store.

• Required Ports

I have uploaded a spreadsheet to hopefully make firewall requests easier.

• Firewall Ports Requirements spreadsheet OpenOffice Format

Federation Using SAML or Liberty

Requirements an preparing

• Federation Type
• Binding Type
• Attributes or Information required by the other part regarding the user being federated
• Defining the SOAP message
• How will METADATA be shared.
• SP Certificates
• Certificate Authorities: Must the certificates be signed by a trusted authority?
• Binding EndPoints

General NAM3 Administrative Tasks and Tweaks

• Interesting pages and logs tidbits can be found Here

"com.volera.vcdn.excomm.keystore  :: /var/opt/novell/novlwww/devman.keystore"

Customizing login and Logout Pages

Logging In to the User Portal

Users can log directly into the Identity Server when they enter the Base URL of the Identity Server in their browsers. For example, if your base URL is http://bfrei.provo.novell.com:8080/nidp, entering this URL prompts the user to authenticate with the credentials required for the default contract.

Note: Be VERY careful about changing folder or file permissions. Using rsync, ssh, or any other file copy protocol will change the permissions on the folder and then break NAM.

Custom Login Pages can be used per Reverse Proxy. This means that each reverse proxy or path can have it's own custom login page. This is accomplished by specifying a property and value in an authentication contract. Novell Docs, Creating contracts

• Custom Login Page

• Custom Logout Page

Issues with custom pages

• Sometimes tomcat will not recompile the JSP because it believes the compiled version and the jsp version match. The compiled version and be deleted and tomcat will recompile the JSP the next time the JSP file is requested. Delete the equivalent class and java files from /var/opt/novell/tomcat4/work/Standalone/localhost/nidp/jsp/

Configuring a form to send information to the IDP

You can have a form on a page, that doesn't exist behind the Access Gateway, send the information to the IDP and then be passed to the final destination.

File: Homepage.jsp

<!-- FORM with ACTION set to IDP auth URL --> <form method="post" action="https://idp.jaredjennings.org/nidp/app/login"> <!-- INPUT tag for USERNAME --> <input type="text" size="20" name="Ecom_User_ID"> <!-- INPUT tag for PASSWORD --> <input type="password" size="20" name="Ecom_Password"> <!-- INPUT tag for redirect location on the AG (equivalent to iChain "url" field) --> <input type="hidden" name="target" value="http://jaredjennings.org">

Layer 4 Switching Load Balancing Access Gateways (LAG)

Layer 4 switches ca be used to load-balance or provide fault-tolerance For NAM3 Access Gateways.

An example of this concept Here the content switch is not rewriting the source packet. So the packet appears to come from the originating device, not from the content switch.

Here the content switch is rewriting the source packet. So the packet appears to come from the content switch, not the originating device.

Details for Layer 4 switches in front of the Access Gateways

Monitoring NAM Health

NAM provides monitoring by SNMP or syslog

IDP on 443 Instead of 8443

38.3 Translating the Identity Server Configuration Port

http://www.novell.com/documentation/novellaccessmanager/adminguide/data/b6fyxpk.html

iptables -t nat --flush

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 10.0.0.0:8443

To accommodate all network interfaces

iptables -t nat --flush

iptables -t nat -A PREROUTING -i 'any' -p tcp --dport 443 -j DNAT --to 10.0.0.0:8443

Form Fill

• set the “LOG_LEVEL” entry from 5(default) to 7 in the /etc/laglogs.conf file
• run
  Linux:> tail -f /var/log/ics_dyn.log