
NAM Open Lab 4: Basic Configuration of the Access Gateway

Novell Cool Solutions: AppNote
By Chris Van Den Abbeele


Posted: 7 Mar 2007
 

Introduction

In this fourth Novell Access Manager Open Lab, we will configure the Access Gateway component. This Open Lab builds on the results of:

1. NAM Open Lab 1: Install All_on_one
http://www.novell.com/coolsolutions/feature/18441.html

2. NAM Open Lab 2: Setting Up Test/Demo Websites
http://www.novell.com/coolsolutions/appnote/18605.html

3. Configuring the Identity Server
http://www.novell.com/coolsolutions/appnote/18606.html

Required reading:
Example Protected Web Site
http://www.novell.com/documentation/novellaccessmanager/pdfdoc/digiairexample/digiairexample.pdf

In this Open Lab we will work with the above examples.

Updating the Hosts File

1. Boot the NAM_all_on_one virtual machine.

We have updated the local /etc/hosts file of the NAM VM, but after a reboot it is overwritten again by the settings from the Device Manager (embedded eDirectory). Let's fix that.

2. Open a browser and go to: http://www.utopia.com:8080/nps.

3. Go to Access Gateways > Edit > Hosts.

Depending on your configuration, you should have something like this:

Figure 1 - Host IP Address List

4. Adjust these settings if needed.

5. To close, click OK twice, then click Apply Changes. A small window will pop up; wait until it closes by itself. (If you lose the connection with iManager, just log in again.)

6. Check under Access Gateways > Edit > Hosts to see if the changes were successfully applied. Re-apply them if needed.

7. Verify that the changes were saved. From a terminal on/to Device Manager, run:
cat /etc/hosts

Creating a Reverse Proxy

We are going to set up Novell Access Manager in a "one-armed" configuration. This means we use the same subnet for the DMZ and for the Internet access. However, we change the port numbers:

  • The internal webserver serves pages on 172.17.2.111, port 81.
  • Access Manager will serve these pages to the outside world on 172.17.2.111, port 80.

In real life, these would be different subnets, so that Access Manager also acts as a firewall between them.

1. Go to Access Manager > Access Gateways > Edit > Reverse Proxy / Authentication.

2. Set the Identity Server Configuration to "utopia-IDPa".

3. On the "Reverse Proxy List", go to New > Utopia and click OK.

4. On the "Proxy Service List" select New.

Figure 2 - New Proxy Service

5. Edit the settings as follows:

  • Proxy Service Name: Utopia
  • Published DNS Name: www.utopia.com
  • Web Server IP Address: 172.17.2.111 (this is the internal IP address, but in our one-armed setup it is the same as the external IP address)
  • Host Header: Forward Received Host Name (in most cases the internal website has a different host name, and we would not forward the external host name)

6. Click OK three times, click Apply Changes, and then wait until the pop-up window closes.

Correction: As discussed before, our internal webserver, as set up in Lab 2, serves pages at port 81.

Figure 3 - Internal Web Server setup

By default, Access Manager sets the internal port to 80. Let's correct this:

7. Go to Access Manager > Access Gateways > Edit > Utopia.

8. Under Web Server Addresses, click on 172.17.2.111.

9. Change the connect port to 81.

Figure 4 - Setting the internal port to 81

Note: At the right of your browser window, the drawing shows that you are now acting on the connection between the Access Gateway and the Web Server.

10. Click OK twice, then click Apply Changes and wait until the pop-up window closes.

11. Test the configuration by browsing to www.utopia.com.

You should get a message that you don't have access; this is OK.

Figure 5 - 403 Access Error

We will fix that in the next step ...

Creating an Unprotected Resource

1. In Access Manager, go to Access Gateways > Edit > Utopia.

2. In the Proxy Service List, under Protected Resources, click the hotlink [none].

3. Select New, give the resource a name, and select "everything". For now, do not select a contract; this protected resource will actually be "unprotected."

4. Click OK four times, then click Apply Changes and wait until the pop-up window closes.

5. Test the configuration by browsing to the following:

You should get access to all of these. Note that we get access now over port 80, while the pages are being served on port 81. Novell Access Manager is mapping the ports here.

Enforcing Authentication

Now, let's create a real protected resource.

1. In Access Manager, go to Access Gateways > Edit > Utopia.

2. Under Protected Resources, click Public (1).

3. Under Contract, click [None].

4. Set the contract to "Name/Password - Form".

5. Click OK.

Figure 6 - Creating a protected resource

6. Click OK three times, then click Apply Changes and wait until the pop-up window closes.

7. If you see "Pending" under Command Status, then wait a moment and click Refresh. "Pending" should turn into "Succeeded".

8. If the Server Status is red, wait a moment and click Refresh. It should become green.

9. Test the configuration by browsing to www.utopia.com.

You should get an error message:
Unable to complete authentication request. Cause/Code: 300101047.

The full list of error codes can be found at:
http://www.novell.com/documentation/novellaccessmanager/pdfdoc/errorcodes/errorcodes.pdf
Let's fix that now ...

In Novell Access Manager, authentication is handled by the Identity Server. Whenever we make a change to our configuration (using the Device Manager console), we have to apply our changes to the Access Gateway and/or to the Identity Server.

10. To apply changes to the Access Gateway, click the Apply Changes button that we have already used a few times.

11. To apply changes to the Identity Server, go to the Setup tab under Identity Servers and select Update Servers (under Status).

Figure 7 - Updating the Identity Server

When the Identity Servers are up to date, the status will say "Current", and the text will no longer be clickable.

Figure 8 - "Current" status

Changing an authentication contract touches the Identity Server(s), and we have now applied this change. The Identity Server Status should become green. If it doesn't, wait a moment and click Refresh.

Testing the Protected Resource

1. Browse to www.utopia.com.

2. Authenticate as a user of utopia (e.g., eblake/novell) and view the protected web page.

Tip: Use the Firefox instance running as your default user for iManager.

3. Start a second instance of Firefox from the command line as another user (this could be root) for testing Access Manager configurations. One instance can be left open (for iManager), while the other can be closed and started again as needed to clear session cookies, etc.

Private Data Settings in Firefox

For Firefox running as the "second user," set privacy settings as follows:

1. In Firefox, go to Edit > Preferences > Privacy > Settings (bottom of the window).

2. Select the items to be cleared: Cookies, Cache, Authenticated Sessions. When closing Firefox, all these will be cleared.

3. Check the "Clear private data when closing Firefox" box.

Figure 9 - Clearing private data

Troubleshooting

A full list with error codes can be found at:
http://www.novell.com/documentation/novellaccessmanager/pdfdoc/errorcodes/errorcodes.pdf

Problem 1: When you set the authentication contract, the drop down list is empty.

Figure 10 - Empty list for contract

Cause: The trusted IDP has not yet been assigned. The drop down list shows the available contracts of our current IDP.

Figure 11 - IDP contracts

Solution: To assign the trusted IDP,

1. In Access Manager, go to Access Gateways > Edit > Reverse Proxy / Authentication > Identity Server Configuration.

2. Select IDPa.

3. Click Apply Changes, then wait a while.

Problem 2: The system has not come up properly.

Figure 12 - Error - system has not come up

Solution: Slow down ... wait a moment, close the browser, and try again.

Problem 3: A blank login window appears, because the Access Gateway does not have an IDP assigned.

Figure 13 - Blank login window

Solution:

1. Go to Access Gateways > Edit > Reverse Proxy / Authentication > Identity Server.

2. In Configuration, select Utopia-IDPa (see the screenshot for Problem 1 above).

Problem 4: Unable to authenticate. Cause/Code: 300101008

Figure 14 - Authentication error

Solution: Verify the authentication contract and use "Name/Password - Form" authentication.

Figure 15 - Authentication with Name/Password - Form

Problem 5: Unable to connect to origin web server. Status: 504 Gateway Time-Out.

Figure 16 - Gateway timeout error

Cause: The web site you are attempting to access is currently unreachable. This may be due to a network outage, or the web site might be experiencing technical difficulties.

Solution: Check the IP address of the backend web server (see next screenshot).

1. Go to Access Gateways > Edit > Utopia.

2. In the Proxy Service List, under Web Server Addresses, verify that the IP address is 172.17.2.111.

Problem 6: The page isn't redirecting properly. Firefox has detected that the server is redirecting the request for this address in a way that will never complete.

Figure 17 - Redirect error

Solution: Make sure the port to the backend webserver is set correctly. This should be 81, not 80.

1. Go to Access Gateways > Edit > Utopia > Utopia > Web Servers.

2. Select Connect Port and verify port 81.

Figure 18 - Verifying port 81
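The decisions this lab observes at the gateway (the 403 before any protected resource exists, the port 80 to 81 mapping with the received Host name forwarded, the contract check that sends an anonymous user to the Identity Server, and the Problem 6 redirect loop when the connect port is left at 80 in a one-armed setup) can be replayed in a small model. This is an added example written for this page, not Novell code; it assumes the lab's addresses (172.17.2.111, ports 80/81) and glob-style URL paths for protected resources.

```python
# Constructed model of the Access Gateway decisions this lab observes; not Novell code.
# Assumes the lab's addresses (172.17.2.111, ports 80/81) and glob-style URL paths.
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Optional

GATEWAY_LISTEN = ("172.17.2.111", 80)  # where the gateway publishes www.utopia.com

@dataclass
class ProtectedResource:
    name: str
    url_paths: list                 # ["/*"] is the lab's "everything"
    contract: Optional[str] = None  # None: the resource is effectively unprotected

@dataclass
class ProxyService:
    published_dns_name: str
    web_server_ip: str
    connect_port: int                   # 81 in this lab, 80 by default
    forward_received_host: bool = True  # Host Header: Forward Received Host Name
    resources: list = field(default_factory=list)

def route(svc, host, path, authenticated_contracts=()):
    """Decide what the gateway does with one request; returns (action, detail)."""
    if host.lower() != svc.published_dns_name.lower():
        return ("no-service", host)
    # Problem 6: in a one-armed setup, connect port 80 on the same IP points the
    # gateway at itself, so every forward comes straight back (redirect loop).
    if (svc.web_server_ip, svc.connect_port) == GATEWAY_LISTEN:
        return ("redirect-loop", f"{svc.web_server_ip}:{svc.connect_port}")
    for res in svc.resources:
        if any(fnmatch(path, pattern) for pattern in res.url_paths):
            if res.contract and res.contract not in authenticated_contracts:
                return ("authenticate", res.contract)  # handed to the Identity Server
            backend_host = host if svc.forward_received_host else svc.web_server_ip
            return ("forward", f"http://{svc.web_server_ip}:{svc.connect_port}{path} Host: {backend_host}")
    return ("403", path)  # Figure 5: no protected resource matches the request

def lab_stages(path="/index.html"):
    # Replay the lab in order: default port, no resource, unprotected, contract enforced.
    svc = ProxyService("www.utopia.com", "172.17.2.111", 80)
    stages = {"default port 80": route(svc, "www.utopia.com", path)}
    svc.connect_port = 81
    stages["no resource"] = route(svc, "www.utopia.com", path)
    svc.resources.append(ProtectedResource("Public", ["/*"]))
    stages["unprotected"] = route(svc, "www.utopia.com", path)
    svc.resources[0].contract = "Name/Password - Form"
    stages["anonymous"] = route(svc, "www.utopia.com", path)
    stages["eblake"] = route(svc, "www.utopia.com", path, {"Name/Password - Form"})
    return stages
```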

Problem 7: Login error 300101047 - An untrusted provider is being referenced in a request or a response.

Solution: Break the link from the Access Gateway to the IDP and then re-establish it.

1. Go to Device Manager > Access Manager > Access Gateways > Edit > Reverse Proxy / Authentication > Identity Server Configuration.

2. Select "none".

3. Click Apply Changes, then wait.

4. Repeat these steps, but now select "IDPa".

