
New Features Now Available in iChain 2.2

Novell Cool Solutions: Feature


Posted: 20 Feb 2003
 

iChain 2.2 has entered the building. You can download your copy today at http://www.novell.com/downloads (choose iChain from the pulldown).

Here's a look at what's new in this release:

  • NetWare 6 is the Base Operating System

    NetWare 6 has replaced NetWare 5.1 as the base operating system for iChain 2.2.

  • Web Server Accelerator Tab - Enhanced User Interface

    An enhanced user interface has been provided for the Configure > Web Server Accelerator tab. This new view provides the user with the ability to quickly view the details for accelerators, and it adds the ability to view the groupings of accelerators that have a master-slave (parent-child) relationship. With the new interface, a user can choose to view all the accelerators, just the master accelerators, or just the child accelerators. This makes viewing the groupings as easy as clicking a button. Additionally, a filter field has been added that gives the user the ability to display only accelerators that match the value typed into the field. When an accelerator in the list of accelerators is highlighted, information such as the host name, master or child accelerators, web server address and port, accelerator address and port, and other settings are displayed in a view-only section on the page. As with the old user interface, accelerators can be created, modified, or deleted with the click of a button.

  • Web Server Accelerator Dialog Box - Enable/Disable Check Box

    With the enhancement of the Web Server Accelerator tab, it became necessary to restore the accelerator enable/disable checkbox in the Web Server Accelerator dialog box. When a user creates a new accelerator by clicking on the Insert button, or modifies an existing accelerator by clicking on the Modify button on the Configure > Web Server Accelerator tab, the Web Server Accelerator dialog box is displayed. The Enable This Accelerator Check Box at the top left corner of the dialog box is now visible and allows the user to enable or disable the accelerator.

  • Web Server Accelerator Dialog Box - Multi-homing Options - Ends With Radio Button

    The Ends With option has been removed from the multi-homing options dialog box. For path-based multi-homing, the only option is to use what used to be termed Starts With for the sub-path. If path-based multi-homing is used, the sub-path will default to Starts With and the user can select whether to remove the sub-path, which was available previously.

  • Web Server Accelerator Dialog Box - Secure Exchange Options - Trusted Roots Import

    The ability to import trusted roots in the Secure Exchange Options dialog box has been removed, along with the list of trusted roots. When the Secure Exchange Options button is clicked in the Web Server Accelerator dialog box, the Secure Exchange Options dialog box is displayed. The only remaining options on the dialog box are Mark Pages Non-cacheable on the Browser and Enable Secure Access Between Secure Exchange and Web Server.

  • Web Server Accelerator Dialog Box - Mark Pages Non-cacheable on the Browser Check Box Moved and Relabeled

    The Mark Pages Non-cacheable on the Browser check box originally located in the Secure Exchange Options dialog box has been moved and relabeled. The check box was moved to the Web Server Accelerator dialog box and its setting now applies to the whole accelerator, not just to the secure exchange settings. Also, the label on the check box was changed to read "Allow Pages to be Cached at the Browser" to match the text used for this setting on the proxy server. A view-only check box was added to the Configure > Web Server Accelerator tab Details section to reflect the state of this setting for the highlighted accelerator.

  • Certificate Maintenance Tab - Certificate Information Dialog Box

    The Certificate Information on the Home > Certificate Maintenance tab has changed. A new line, Organizational Unit, has been added to display that value. The View CSR, Store Certificate, and Export CA Certificate buttons were moved to the side of the dialog box to provide room for the information change.

  • Certificate Maintenance - Create Certificate Dialog Box

    The Create Certificate dialog box has changed. When a user chooses to create a certificate, he or she clicks the Create button on the Home > Certificate Maintenance tab. This displays the Create Certificate dialog box, where two changes have been made. First, the Verisign check box was removed. Second, an Organizational Unit text field was added. When creating an externally signed certificate, the user must supply values for all the text fields shown. After clicking the OK button to return to the Home > Certificate Maintenance tab, the user then clicks on the Apply button to start the process to create the certificate.

  • Certificate Maintenance - Store Certificate Dialog Box

    The Store Certificate dialog box has changed. After an external certificate Create process has begun, the user needs to click the Store Certificate button on the Home > Certificate Maintenance tab to display the Store Certificate dialog box. In this dialog box, the user pastes the CA (trusted root) certificate and Server certificate contents into the appropriate fields and then clicks the Create button to create the certificate. A new check box, No Trusted Root Certificate Available, has been added. When it is checked, the CA Certificate contents field is disabled and the user only needs to paste a value in the Server Certificate contents field. This is intended for the case where a trusted root is not available to paste into the upper field.

  • Support for Organizational Roles and eDirectory Dynamic Groups

    An administrator can now set access control rules on organizational roles and eDirectory dynamic groups, such as including them in the Apply To list of an ACL rule.

  • Form Fill Enhancements

    Form Fill now supports the GET method in addition to the POST method for submitting a user's credentials.

    Form Fill improves data security during auto-posting (reducing the chance of exposing sensitive data) by adding the new tag <maskedPost/>.

    Form Fill supports static value injection, JavaScript, and case conversion (values of LDAP attributes only) so that it can serve more application login forms.

    Form Fill supports different languages at the login page.

    Form Fill supports Novell's Shared SecretStore. Form Fill can save a user's credentials in Novell's Shared SecretStore and allow other applications to share these user credentials in order to make Single Sign-on possible.

  • User-Selectable Drivers

    In order to support a greater variety of hardware, iChain 2.2 provides an option for the user to select network, disk, and adapter modules that were not shipped with iChain. Immediately after the initial image copy from CD, the installation will prompt you whether to select custom drivers. If you select Yes, the installation will stop in HDetect.nlm to allow you to select the correct drivers for the system in the same manner as the NetWare 6 installation. Because of the iChain imaging process, you will need to do this twice during the installation. If you select No, or no selection is made within 30 seconds, iChain will automatically detect the drivers as in iChain 2.1 and earlier versions.

  • OLAC Enhancements

    iChain 2.2 includes a command line handler to dynamically change certain options in OLAC. The debug levels (/d1 and /d2) are now available for you to enter on the command line at the NetWare System Console screen (for example, oacint /d1). You can verify the changes and the effects of the changes by viewing the OACINT screen.

    You can now set the OLAC Request Timeout (in number of seconds) while communicating to the OACJAVA server (for example, oacint /t15).

    OLAC now passes the user DN to origin servers (Web servers) as part of the query string and/or header.

    OLAC now supports internationalization standards.

    OLAC now has a plug-in for accessing a user's SecretStore credentials.

  • Self-Provisioning Servlets Enhancements

    In addition to User maintenance and Password Maintenance servlets (for authenticated sessions), there are two additional features that also affect the way user passwords are changed:

    • Password Challenge/Response: This is "forgotten password" functionality that will allow users to create a question with a specific answer (stored as an MD5 Hash) that, when responded to correctly, will allow them to change their passwords without entering a current password.

    • Password Hint: This allows users to enter a line of text that will give them a hint if they have forgotten the password.

    The two features are mutually exclusive: either one of the two, but not both, can be enabled at any given time. Both features are disabled by default.

  • LDAP Authentication Enhancement

    A new check box on the LDAP Authentication options screen allows Basic (401) authentication as either an alternative or a substitute for the iChain login form/page.

    This feature allows iChain to process a request, log in the user if necessary, and return the response without having a programmer deal with login redirects or the parsing of login pages and forms. The iChain cookie is returned in response for possible use in subsequent requests. If authorization headers are optional, the user who is not authenticated will be redirected to the standard iChain login page. If the headers are mandatory, a 401 status will be returned, the browser will request the user's credentials, and then the request will be resubmitted along with the user's credentials. In this mode, the CDA features are disabled.

    We do not recommend Basic Authentication for use with users/browsers because of security issues relating to lack of control of the credentials on the wire. The primary use is anticipated to be programming-related, where the credentials can be passed in an authorization header along with a request. That way, a programmer retains control over the exposure of the credentials.

  • HTTP 1.1 Support

    iChain is now capable of communicating with origin Web servers using the HTTP 1.1 protocol. The major features of HTTP 1.1 are implemented, although there are still some features that are not fully implemented.

    One of the main reasons for supporting HTTP 1.1 is to support the transfer encoding options of chunking, deflate, and gzip. Many of the large Web server products by default use these transfer encoding options. The initial release of iChain 2.2 will not support the transfer encoding options of compress and trailers.

    Another key HTTP 1.1 feature iChain now supports is returning content from the origin Web server based on the VARY response header. The VARY header is used to tell a cache that the response was returned based on specific information found in the request header. An example is content that is returned based on the browser's preferred language.

  • Concurrent Login Restrictions

    The following commands have been added to set features of concurrent login restrictions. These commands are entered from the iChain console.

    Note: Concurrent Login Restrictions should not be used in a Session Broker setting. Also, after changing these options, we recommend that you reboot the iChain Proxy Server.

    set authentication limitconcurrentlogins = (yes/no)

    This turns on the concurrent login restriction feature. When it is set to yes, the following two commands will control the functioning of the feature.

    set authentication maxlogins = (nonzero positive integer)

    This sets the number of concurrent logins that are allowed. After the maximum number of logins is reached, a user will either be denied access, or an older instance will be logged out. In order for the concurrent login feature to function, you must set both MaxLogins as well as LimitConcurrentLogins, applying your changes each time. The following is an example of the commands you would use:

    1) Set authentication limitconcurrentlogins=yes, then Apply.
    2) Set authentication maxlogins=4 (or the number you choose), then Apply.

    set authentication logoutoldest = (yes/no)

    This command determines what action to take once the maximum number of logins is reached. When set to yes, the least recently accessed connection of the user will be logged out and a new login will be performed. When set to no, the new login will be rejected with a message that indicates that the maximum number of logins has been exceeded. The default is no.

    If you are using SSL as an authentication method for your accelerators, you need to make sure that the Send an error page when a Mutual SSL error occurs option is enabled. Otherwise, users will get a blank page when they reach their authentication limits.
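
The interaction of the three concurrent login settings described above, as an added Python model (not iChain code; the class, its method names, and the sample user DN are hypothetical). It assumes the restriction is inactive until both LimitConcurrentLogins and MaxLogins are set, as the text states.

```python
from dataclasses import dataclass, field


@dataclass
class ConcurrentLoginPolicy:
    limit_concurrent_logins: bool = False  # set authentication limitconcurrentlogins
    max_logins: int = 0                    # set authentication maxlogins (0 = not set)
    logout_oldest: bool = False            # set authentication logoutoldest (default no)
    sessions: dict = field(default_factory=dict)  # user DN -> {session id: last access}
    clock: int = 0                         # logical clock standing in for timestamps

    def _tick(self):
        self.clock += 1
        return self.clock

    def enforced(self):
        # Both settings must be in place for the restriction to apply.
        return self.limit_concurrent_logins and self.max_logins > 0

    def touch(self, user, sid):
        """Record activity on an existing session (updates its last access)."""
        self.sessions[user][sid] = self._tick()

    def login(self, user, sid):
        """Return (accepted, evicted_session_id_or_None)."""
        active = self.sessions.setdefault(user, {})
        evicted = None
        if self.enforced() and len(active) >= self.max_logins:
            if not self.logout_oldest:
                return False, None         # logoutoldest=no: new login is rejected
            # logoutoldest=yes: drop the least recently accessed connection
            evicted = min(active, key=active.get)
            del active[evicted]
        active[sid] = self._tick()
        return True, evicted


def demo():
    user = "cn=alice,o=example"            # constructed sample DN
    policy = ConcurrentLoginPolicy(limit_concurrent_logins=True,
                                   max_logins=2, logout_oldest=True)
    policy.login(user, "s1")
    policy.login(user, "s2")
    policy.touch(user, "s1")               # s2 is now the least recently accessed
    return policy.login(user, "s3")        # s2 is logged out, s3 is admitted
```

Note that with logoutoldest=yes the evicted session is chosen by last access, not by login order, so an idle session is dropped before an older but active one.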
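
The VARY handling described under HTTP 1.1 Support, as an added Python sketch of a Vary-aware cache lookup (not iChain code; the class and function names are hypothetical and the request and response headers in the usage are constructed). A cached response is reused only when the request headers named in the origin's Vary header match those of the request that produced it.

```python
def vary_key(url, request_headers, vary_value):
    """Build the cache key from the URL plus the request headers named in Vary."""
    req = {k.lower(): v.strip() for k, v in request_headers.items()}
    names = sorted(n.strip().lower() for n in vary_value.split(",") if n.strip())
    if "*" in names:
        return None  # "Vary: *" never matches a later request, so do not cache
    # A header absent from the request is keyed as an empty value.
    return (url, tuple((n, req.get(n, "")) for n in names))


class VaryCache:
    def __init__(self):
        self.vary_for_url = {}  # url -> Vary value last returned by the origin
        self.entries = {}       # vary_key -> cached body

    def store(self, url, request_headers, response_headers, body):
        """Cache an origin response; return False if it must not be reused."""
        resp = {k.lower(): v for k, v in response_headers.items()}
        vary = resp.get("vary", "")
        key = vary_key(url, request_headers, vary)
        if key is None:
            return False
        self.vary_for_url[url] = vary
        self.entries[key] = body
        return True

    def lookup(self, url, request_headers):
        """Return the cached body, or None when the origin must be contacted."""
        if url not in self.vary_for_url:
            return None
        key = vary_key(url, request_headers, self.vary_for_url[url])
        return self.entries.get(key)


def demo():
    cache = VaryCache()
    # Constructed exchange: the origin selects content by preferred language.
    cache.store("/welcome", {"Accept-Language": "en"},
                {"Vary": "Accept-Language"}, "Hello")
    hit = cache.lookup("/welcome", {"accept-language": "en"})
    miss = cache.lookup("/welcome", {"Accept-Language": "de"})
    return hit, miss  # the German request is not served the English page
```

Header values are compared as exact strings here; a production cache would normalize them before comparison.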

