Novell ACCESS MANAGER 3.1 SP2 BETA 1 - SCENARIOS 2009, Access Manager 3.1 SP2 Beta 1 User Manual

Access Manager 3.1 SP2 Beta 1 Scenarios
December 21, 2009
Novell®
The following scenarios have been designed to introduce you to the new features in Access Manager
3.1 SP2.
Section 2, “Timeout Per Protected Resource Scenarios,” on page 5
Section 3, “Access Gateway Service Scenarios,” on page 10
Section 4, “SSL VPN Server Scenarios,” on page 11
1 Linux Access Gateway Appliance Scenarios
novdocx (en) 17 September 2009
Section 1.1, “Installing the SLES 11 Version,” on page 1
Section 1.2, “Upgrading the Linux Access Gateway Appliance,” on page 2
Section 1.3, “Migrating a SLES 9 Access Gateway to SLES 11,” on page 3
Section 1.4, “Configuring Timeout Per Protected Resource,” on page 5
1.1 Installing the SLES 11 Version
This beta scenario introduces you to the new Access Gateway Appliance which is built on SUSE® Linux Enterprise Server (SLES 11). The SLES 11 version of the Access Gateway Appliance supports newer hardware, and SLES 11 is a supported operating system that provides security updates.
The previous version of the Access Gateway Appliance is built on SLES 9 SP3. The SLES 9 operating system is no longer a supported operating system and does not run on the latest hardware.
1.1.1 Assumptions
You need an installed 3.1 SP2 version of the Administration Console and Identity Server. For installation information, see the Access Manager Installation Guide (http://www.novell.com/documentation/beta/novellaccessmanager31/installation/data/bookinfo.html).
1.1.2 Known Issues
Bug 554518 - Network mode of installation through TFTP is not supported.
Bug 560278 - Installation: There is no provision to return to the configuration screen to make changes.
Bug 559398 - The network gateway address is removed when the network interface is restarted.
Bug 558698 - The Linux Access Gateway SLES 11 appliance installation summary screen does not display SSL VPN, even if the Install and Enable SSL VPN option is selected. Also, the installation does not perform a password strength check.
1.1.3 Procedure
For installation instructions, see “Installing the Linux Access Gateway Appliance” (http://www.novell.com/documentation/beta/novellaccessmanager31/installation/data/bd1egh.html).
1.1.4 Test Results
To verify the installation of the Linux Access Gateway Appliance:
1 Log in to the Administration Console.
2 Click Devices > Access Gateways.
If the installation was successful, the IP address of your Access Gateway appears in the Server list.
1.1.5 Troubleshooting Tips
For installation issues, refer to the following logs:
RPM installation log file: /tmp/novell_access_manager/inst_lag.log
Autoimport log file: /tmp/novell_access_manager/inst_lag_import_<date>.log
Auto partition log file: /var/adm/autoinstall/logs/diskParitition.sh.log
JCC configuration logs: /opt/novell/devman/jcc/logs/configure.log.0
1.2 Upgrading the Linux Access Gateway Appliance
This scenario explains how you can upgrade the SLES 9 Linux Access Gateway Appliances in a cluster from 3.0 SP4 to 3.1 SP2 and use the timeout per protected resource feature.
1.2.1 Assumptions
Your current Access Manager setup has a 3.0 SP4 IR4 version of the Administration Console, the Identity Server, and the Linux Access Gateway Appliance. The secondary Linux Access Gateway Appliance in your cluster also has the SSL VPN server installed.
1.2.2 Known Issues
In Access Manager 3.0 SP4, the SSL VPN server installed with the Linux Access Gateway Appliance is accelerated by using its public IP address. After upgrading to 3.1 SP2, you must change the Web server IP address to the loopback IP address, 127.0.0.1. For more information, see Section 2.2.7: Configuration Changes to the SSL VPN Server Installed with the Linux Access Gateway in the SSL VPN Server Guide (http://www.novell.com/documentation/beta/novellaccessmanager31/sslvpnhelp/?page=/documentation/beta/novellaccessmanager31/sslvpnhelp/data/bmmi1it.html).
The session timeout for the Identity Server is 15 minutes in 3.0 SP4, and this is reflected in the default authentication timeout for all the contracts in the Identity Server. The session timeout for the Identity Server is 60 minutes in 3.1 SP2.
1.2.3 Procedure
1 Upgrade the Administration Console and Identity Server to 3.1 SP2. For more information, see Upgrading Access Manager Components (http://www.novell.com/documentation/novellaccessmanager31/installation/?page=/documentation/novellaccessmanager31/installation/data/bookinfo.html) in the Installation Guide.
For upgrade information, see Upgrading from Access Manager 3.0 SP4 to Access Manager 3.1 SP2 (http://www.novell.com/documentation/beta/novellaccessmanager31/installation/data/bgfx9yh.html) in the Access Manager Installation Guide (http://www.novell.com/documentation/beta/novellaccessmanager31/installation/data/bookinfo.html).
2 Upgrade the secondary Linux Access Gateway Appliance to 3.1 SP2. For more information, see Upgrading Access Manager Components (http://www.novell.com/documentation/novellaccessmanager31/installation/?page=/documentation/novellaccessmanager31/installation/data/bookinfo.html).
3 Upgrade the primary Linux Access Gateway Appliance to 3.1 SP2.
After the successful upgrade of the Linux Access Gateway Appliances, the timeout per protected resource feature is not enabled by default.
4 To enable the timeout per protected resource feature:
4a Modify the authentication contract configuration at the Identity Server.
4b Apply the changes to the Linux Access Gateway Appliance cluster.
The timeout per protected resource feature is enabled on the Linux Access Gateway Appliances.
5 If you have an SSL VPN server installed on the Linux Access Gateway Appliance, apply changes to the SSL VPN server after it is upgraded to 3.1 SP2 to get the 3.1 SP2 features.
NOTE: Any SSL VPN connections made before the changes are applied at the SSL VPN server are not enabled for the new client cleanup options.
6 Upgrade the policies.
For upgrade information, see “Upgrading the Policies” (http://www.novell.com/documentation/beta/novellaccessmanager31/installation/data/bgfx9yh.html#bhn7nna) in the Access Manager Installation Guide (http://www.novell.com/documentation/beta/novellaccessmanager31/installation/data/bookinfo.html).
1.3 Migrating a SLES 9 Access Gateway to SLES 11
This scenario explains how to migrate a SLES 9 SP3 Access Gateway Appliance on 3.1.1 to the SLES 11 version of the Access Gateway Appliance. The 3.1 SP1 version of the Access Gateway Appliance should be in a test environment.
1.3.1 Assumptions
You have an installed SLES 9 version of the Access Gateway that is imported into the Administration Console.
You have an Administration Console and Identity Server that have been upgraded to 3.1 SP2.
For installation information, see the Access Manager Installation Guide (http://www.novell.com/documentation/beta/novellaccessmanager31/installation/data/bookinfo.html).
1.3.2 Known Issues
None.
1.3.3 Procedure
1 Upgrade the 3.1 SP1 Access Gateway Appliance to 3.1 SP2. For installation instructions, see “Upgrading the Linux Access Gateway Appliance” (http://www.novell.com/documentation/beta/novellaccessmanager31/installation/data/bbycmhz.html).
2 Back up the SLES 9 Access Gateway configuration.
The backup script allows you to restore touch files and customized error page configurations.
2a At the Access Gateway machine, log in as root.
2b Run the following script:
lag-backup-restore.sh
This script creates the following files:
lagNoRestore.tar.gz: This file contains information and files that don’t need to be restored after migrating to SLES 11.
lagRestore.tar.gz: This file contains information and files that need to be restored after migrating to SLES 11.
2c Copy the tar files to another physical location.
3 Disconnect the Access Gateway Appliance from the network.
4 Install the SLES 11 version of the Access Gateway Appliance.
For installation instructions, see “Installing the Linux Access Gateway Appliance” (http://www.novell.com/documentation/beta/novellaccessmanager31/installation/data/bd1egh.html).
Use the same DNS name and IP address as the SLES 9 version of the Access Gateway.
Import the Access Gateway into the same Administration Console.
The Administration Console pushes the SLES 9 configuration details to the SLES 11 Access Gateway.
5 Restore the touch files and customized error pages:
5a Copy the lagRestore.tar.gz file to the Access Gateway.
5b Use the lag-backup-restore.sh script to restore the files.
1.3.4 Test Results
Check the health of the Access Gateway in the Administration Console.
Check the configuration of the Access Gateway, its policies, and its certificates.
Check the system configuration settings, such as network settings and secondary IP addresses.
1.3.5 Troubleshooting Tips
For installation issues, refer to the following logs:
RPM installation log file: /tmp/novell_access_manager/inst_lag.log
Autoimport log file: /tmp/novell_access_manager/inst_lag_import_<date>.log
Auto partition log file: /var/adm/autoinstall/logs/diskParitition.sh.log
JCC configure logs: /opt/novell/devman/jcc/logs/configure.log.0
1.4 Configuring Timeout Per Protected Resource
This scenario explains how to restrict session availability based on user activity. It explains how to configure the Timeout Per Protected Resource feature.
In previous versions of Access Manager, there is one global session timeout for all the protected resources. With Access Manager 3.1 SP2, session availability for individual protected resources can be configured and managed for each resource by using Timeout Per Protected Resource. You can configure a specific authentication timeout value for each individual contract at the Identity Server, then assign the contracts to the protected resources of the Access Gateway.
1.4.1 Assumptions
If the authentication method used for the contract is Name/Password-Basic, the session might be active after the timeout because the browser can still send requests with the basic authentication header.
1.4.2 Procedure
1 At the Identity Server, configure authentication contract C1, using the Name/Password-Form method. Set the authentication timeout value to 15 minutes and set the Activity realm to test.
2 At the Access Gateway, create protected resource PR1 and assign C1 to it.
3 Use valid credentials to access the protected resource at 7:00 pm.
4 Leave the session idle for 5 minutes and access the resource again at 7:05 pm.
5 Leave the session idle for 10 minutes and access the resource again at 7:15 pm.
6 Leave the session idle for 15 minutes and access the resource again at 7:30 pm.
1.4.3 Test Results
For Step 5: The session does not time out by 7:15 because the user was active at 7:05 pm.
For Step 6: The session times out by 7:30 and the user is required to log in again.
1.4.4 Troubleshooting Tips
If the user does not time out after the configured timeout value has elapsed, check the defined contracts at the Identity Server to ensure that there is no other contract in the test activity realm. User activity in another contract in the same activity realm can affect your contract's timeout.
If the activity realm has not been configured and is left blank, any activity by the user at the Identity Server can affect the user’s session timeout. You must specify a unique activity realm for this scenario to work.
2 Timeout Per Protected Resource Scenarios
Section 2.1, “Same Activity Realm,” on page 6
Section 2.2, “Unique Activity Realms,” on page 8
2.1 Same Activity Realm
The purpose of this scenario is to introduce you to the Timeout Per Protected Resource feature, which is new in Access Manager 3.1 SP2. This scenario is designed to help you understand the effect of having two authentication contracts in the same activity realm.
2.1.1 Assumptions
You have an installed and configured 3.1 SP2 version of an Administration Console, an Identity Server, and an Access Gateway. The Access Gateway can be either an Access Gateway Appliance or an Access Gateway Service.
The base URL of the Identity Server is secure (it uses SSL/HTTPS).
You understand authentication methods and authentication contracts.
You have read “Assigning a Timeout Per Protected Resource” (http://www.novell.com/documentation/beta/novellaccessmanager31/accessgatehelp/data/prlist.html#bmn94qo).
2.1.2 Known Issues
None.
2.1.3 Procedure
1 Create a new authentication method (M1):
1a Select Secure Name/Password – Form for the class.
1b Select the Identifies User option.
1c Select a user store.
2 Create a new authentication contract (C1):
2a Make sure the URI is unique.
2b Set the Authentication Timeout to 5 minutes.
2c Specify Same for the Activity Realm.
2d Select M1 for the Method.
2e Click Next.
2f Modify the Text and Image to fit your needs.
2g Click Finish.
3 Create a new authentication method (M2):
3a Select Secure Name/Password – Form for the class.
3b Select the Identifies User option.
3c Select a user store.
4 Create a new authentication contract (C2):
4a Make sure the URI is unique.
4b Set the Authentication Timeout to 10 minutes.
4c Specify Same for the Activity Realm.
4d Select M2 for the Method.
4e Click Next.
4f Modify the Text and Image to fit your needs.
4g Click Finish.
5 Update the Identity Server.
6 Make sure the Access Gateway has two protected resources (PR1 and PR2). Create them if necessary.
7 Assign authentication contract C1 to protected resource PR1.
8 Assign authentication contract C2 to protected resource PR2.
9 Update the Access Gateway.
10 Access a page on protected resource PR1 from a client browser.
You should be prompted to authenticate.
11 Access a page on protected resource PR2 with the same browser session.
You should be prompted to authenticate again. Make sure to use the same user for both logins.
12 Refresh the page on protected resource PR2 at least once a minute over a time period greater than 5 minutes.
13 Go back to the page on protected resource PR1.
Access should still be allowed. The user has not been inactive, so the activity has kept the session to PR1 active.
14 Access the page on protected resource PR2 again.
15 Let the browser sit idle for a time period greater than 5 minutes but less than 10 minutes.
16 Refresh the page on protected resource PR2.
The page should refresh without prompting you to authenticate.
17 Access the page on protected resource PR1.
You should be prompted to authenticate again. You have been idle longer than the contract’s timeout limit.
2.1.4 Test Results
Activity on a protected resource with the same realm as other protected resources prevents authentication timeout on the other protected resources.
Each protected resource can have a different authentication timeout.
2.1.5 Troubleshooting Tips
An authentication contract with an empty realm or a realm of Any allows activity from any protected resource to prevent a timeout on a protected resource that uses that contract.
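The scenarios in Section 1.4 and Section 2.1, together with the troubleshooting tip above, describe the timeout rules informally. The following Python model is an added example, not Novell code; it encodes one interpretation of those rules (a contract session ends once its activity realm has been idle for the contract's full timeout, later activity does not revive it, and a blank or Any realm counts activity from any resource) and replays the three scenarios to show that this interpretation reproduces the documented test results. Contract, realm and resource names are the document's own; the minute-based timeline and the contracts C3, C4 and C5 in the last scenario are constructed for the example.

```python
"""Toy model of Timeout Per Protected Resource (Access Manager 3.1 SP2).

Constructed example: replays the expected outcomes of Section 1.4 and
Section 2.1 of this document. The rules are an interpretation of the
scenario text, not the product's implementation.
"""
from dataclasses import dataclass

ANY_REALM = ("", "Any")  # blank or Any: activity on any resource counts


@dataclass(frozen=True)
class Contract:
    name: str
    timeout_min: int  # Authentication Timeout configured on the contract
    realm: str        # Activity Realm configured on the contract


class BrowserSession:
    """One browser session authenticated against several contracts.

    Time is an integer number of minutes since the first access.
    """

    def __init__(self):
        self.realm_last = {}     # realm name -> minute of last activity in it
        self.global_last = None  # minute of last activity on any contract
        self.live = set()        # contracts currently authenticated

    def _last_activity(self, c):
        if c.realm in ANY_REALM:
            return self.global_last
        return self.realm_last.get(c.realm)

    def _expire_idle(self, now):
        # Assumed rule: once a contract's realm has been idle for the full
        # timeout, the contract session is gone and must be re-authenticated
        # even if realm activity resumes later (Section 2.1, step 17).
        for c in list(self.live):
            last = self._last_activity(c)
            if last is not None and now - last >= c.timeout_min:
                self.live.discard(c)

    def access(self, c, now):
        """Access a resource protected by contract c; 'ok' or 'login'."""
        self._expire_idle(now)
        result = "ok" if c in self.live else "login"
        self.live.add(c)                 # a login prompt is answered successfully
        self.global_last = now
        if c.realm not in ANY_REALM:
            self.realm_last[c.realm] = now
        return result


def scenario_1_4():
    """Section 1.4: C1, 15 min timeout, realm 'test'; minutes after 7:00 pm."""
    c1 = Contract("C1", 15, "test")
    s = BrowserSession()
    return [s.access(c1, t) for t in (0, 5, 15, 30)]


def scenario_2_1():
    """Section 2.1: C1 (5 min) on PR1 and C2 (10 min) on PR2, both in realm 'Same'."""
    c1 = Contract("C1", 5, "Same")
    c2 = Contract("C2", 10, "Same")
    s = BrowserSession()
    log = []
    log.append(("step 10 PR1", s.access(c1, 0)))   # first access: login
    log.append(("step 11 PR2", s.access(c2, 0)))   # other contract: login again
    for t in range(1, 8):                          # step 12: refresh PR2 each minute
        s.access(c2, t)
    log.append(("step 13 PR1", s.access(c1, 7)))   # PR2 activity kept the realm alive
    log.append(("step 14 PR2", s.access(c2, 7)))
    log.append(("step 16 PR2", s.access(c2, 14)))  # idle 7 min < 10: still ok
    log.append(("step 17 PR1", s.access(c1, 14)))  # idle 7 min >= 5: login
    return log


def scenario_realm_isolation():
    """Troubleshooting tip: blank realm vs. a unique realm under unrelated activity."""
    blank = Contract("C3", 5, "")          # constructed contract, blank realm
    unique = Contract("C4", 5, "mine")     # constructed contract, its own realm
    other = Contract("C5", 30, "unrelated")
    s = BrowserSession()
    s.access(blank, 0)
    s.access(unique, 0)
    s.access(other, 0)
    for t in range(1, 10):
        s.access(other, t)                 # activity only in the unrelated realm
    return s.access(blank, 9), s.access(unique, 9)


if __name__ == "__main__":
    print("1.4:", scenario_1_4())
    print("2.1:", scenario_2_1())
    print("realms:", scenario_realm_isolation())
```

The last function is the practical check for the troubleshooting tips in Sections 1.4.4 and 2.1.5: the blank-realm contract stays alive on activity from an unrelated resource, while the contract with its own realm times out, which is why the scenario insists on a unique activity realm.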