
Using iChain 2.2 with GroupWise WebAccess

Novell Cool Solutions: Feature


Posted: 20 Jun 2003

For the full details (and updates) to this article, see TID-10080212.

Browser access to a user's GroupWise mailbox is provided by WebAccess (strtweb.ncf) using a URL similar to http://1300e.gwise.dsm.cit.novell.com/servlet/webacc; WebAccess is implemented as a servlet. Monitoring agents are also available to administrators through a browser. For secure access to the Monitor agents using SSL, the GroupWise utility GWCSRGEN.EXE is used to create a CSR and private key; follow the GroupWise documentation for this procedure. Typical access ports for these web applications are:

  • WebAccess Monitor: 7205
  • Domain Monitor: 7180
  • POA Monitor: 7181
  • GWIA Monitor: 9850
  • User access to mailbox: 80 or 443

When installing GroupWise WebAccess onto a NetWare 6 server, Enterprise Web Server and Tomcat are the default choices for web server and servlet engine. For this example, the Enterprise Server's default index.html has been replaced with the index.html provided by GroupWise WebAccess.

Accelerator Configuration:

For this example, the GroupWise 6/SP1 components have been installed on a single NW6/SP2 server. All GroupWise Monitoring agents have been configured for SSL. Five iChain accelerators will be configured using path-based multi-homing, one for each of the services/ports shown above.

On the Web Server Accelerator page, configure the five accelerators as follows.

Accelerator 1: Webacc (the multi-home master, used for user mailbox access via URL "http://1300e.gwise.dsm.cit.novell.com")

  1. Name: Webacc
  2. DNS Name: 1300e.gwise.dsm.cit.novell.com
  3. Cookie Domain: dsm.cit.novell.com
  4. "Use host name sent by browser" is selected
  5. Web Server Port: 80
  6. Web Server Address: 10.251.201.253 (NW6/SP2 server with GroupWise)
  7. Accelerator Proxy port: 443
  8. Accelerator IP address: 10.251.200.1
  9. "Enable Authentication" is enabled

Authentication options:

  1. Service Profile=ldap
  2. Forward authentication info to web server: Not selected
  3. "Enable Secure Exchange" is enabled
  4. SSL Listening Port: 446
  5. Certificate: Auto

Secure Exchange Options:

  1. Client<-446->Proxy<-443->Web Server
  2. "Enable secure access between iChain Proxy and the Origin Web Server" is enabled
  3. "Allow pages to be cached at the browser" is not enabled

Accelerator 2: POA (child of Webacc, used for administrator access to the POA Monitor via URL "http://1300e.gwise.dsm.cit.novell.com/poa")

  1. Name: POA
  2. DNS Name: 1300e.gwise.dsm.cit.novell.com
  3. Cookie Domain: dsm.cit.novell.com
  4. "Use host name sent by browser" is selected
  5. Web Server Port: 7181
  6. Web Server Address: 10.251.201.253 (NW6/SP2 server with GroupWise)
  7. Accelerator Proxy port: 80
  8. Accelerator IP address: 10.251.200.1
  9. "Enable Authentication" is enabled

Authentication options:

  1. Service Profile=ldap
  2. Forward authentication info to web server: Not selected
  3. "Enable Secure Exchange" is enabled
  4. SSL Listening Port: 446
  5. Certificate: Auto

Secure Exchange Options:

  1. Client<-446->Proxy<-7181->Web Server
  2. "Enable secure access between iChain Proxy and the Origin Web Server" is not enabled
  3. "Allow pages to be cached at the browser" is not enabled
  4. "Enable multi-homing" is enabled
  5. "Multi-home Master" set to "Webacc"

Multi-homing options:

  1. "Path based multi-homing" is selected
  2. "sub-path match string" set to "/poa"
  3. "starts with" is selected
  4. "Remove sub-path from URL" is selected

Accelerator 3: Domain (child of Webacc, used for administrator access to the Domain Monitor via URL "http://1300e.gwise.dsm.cit.novell.com/domain")

  1. Name: Domain
  2. DNS Name: 1300e.gwise.dsm.cit.novell.com
  3. Cookie Domain: dsm.cit.novell.com
  4. "Use host name sent by browser" is selected
  5. Web Server Port: 7180
  6. Web Server Address: 10.251.201.253 (NW6/SP2 server with GroupWise)
  7. Accelerator Proxy port: 80
  8. Accelerator IP address: 10.251.200.1
  9. "Enable Authentication" is enabled

Authentication options:

  1. Service Profile=ldap
  2. Forward authentication info to web server: Not selected
  3. "Enable Secure Exchange" is enabled
  4. SSL Listening Port: 446
  5. Certificate: Auto

Secure Exchange Options:

  1. Client<-443->Proxy<-7180->Web Server
  2. "Enable secure access between iChain Proxy and the Origin Web Server" is not enabled
  3. "Allow pages to be cached at the browser" is not enabled
  4. "Enable multi-homing" is enabled
  5. "Multi-home Master" set to "Webacc"

Multi-homing options:

  1. "Path based multi-homing" is selected
  2. "sub-path match string" set to "/domain"
  3. "starts with" is selected
  4. "Remove sub-path from URL" is selected

Accelerator 4: GWIA (child of Webacc, used for administrator access to the GWIA Monitor via URL "http://1300e.gwise.dsm.cit.novell.com/gwia")

  1. Name: GWIA
  2. DNS Name: 1300e.gwise.dsm.cit.novell.com
  3. Cookie Domain: dsm.cit.novell.com
  4. "Use host name sent by browser" is selected
  5. Web Server Port: 9850
  6. Web Server Address: 10.251.201.253 (NW6/SP2 server with GroupWise)
  7. Accelerator Proxy port: 80
  8. Accelerator IP address: 10.251.200.1
  9. "Enable Authentication" is enabled

Authentication options:

  1. Service Profile=ldap
  2. Forward authentication info to web server: Not selected
  3. "Enable Secure Exchange" is enabled
  4. SSL Listening Port: 446
  5. Certificate: Auto

Secure Exchange Options:

  1. Client<-446->Proxy<-9850->Web Server
  2. "Enable secure access between iChain Proxy and the Origin Web Server" is not enabled
  3. "Allow pages to be cached at the browser" is not enabled
  4. "Enable multi-homing" is enabled
  5. "Multi-home Master" set to "Webacc"

Multi-homing options:

  1. "Path based multi-homing" is selected
  2. "sub-path match string" set to "/gwia"
  3. "starts with" is selected
  4. "Remove sub-path from URL" is selected

Accelerator 5: WebAcc2 (child of Webacc, used for administrator access to the WebAccess Monitor via URL "http://1300e.gwise.dsm.cit.novell.com/webacc")

  1. Name: WebAcc2
  2. DNS Name: 1300e.gwise.dsm.cit.novell.com
  3. Cookie Domain: dsm.cit.novell.com
  4. "Use host name sent by browser" is selected
  5. Web Server Port: 7205
  6. Web Server Address: 10.251.201.253 (NW6/SP2 server with GroupWise)
  7. Accelerator Proxy port: 80
  8. Accelerator IP address: 10.251.200.1
  9. "Enable Authentication" is enabled

Authentication options:

  1. Service Profile=ldap
  2. Forward authentication info to web server: Not selected
  3. "Enable Secure Exchange" is enabled
  4. SSL Listening Port: 446
  5. Certificate: Auto

Secure Exchange Options:

  1. Client<-446->Proxy<-7205->Web Server
  2. "Enable secure access between iChain Proxy and the Origin Web Server" is not enabled
  3. "Allow pages to be cached at the browser" is not enabled
  4. "Enable multi-homing" is enabled
  5. "Multi-home Master" set to "Webacc"

Multi-homing options:

  1. "Path based multi-homing" is selected
  2. "sub-path match string" set to "/webacc"
  3. "starts with" is selected
  4. "Remove sub-path from URL" is selected
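As an added illustration (not from the article and not iChain code), the following Python model shows how the five accelerators above dispatch a request: a child accelerator claims any path that starts with its sub-path match string and, because "Remove sub-path from URL" is selected, strips that prefix before forwarding to its origin port, while everything else falls through to the master Webacc. The plain prefix test and the prefix stripping are assumptions taken from the option names.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed model of the accelerator layout described above (added example, not iChain code).
# Assumption: "starts with" is a plain string-prefix test on the request path, and
# "Remove sub-path from URL" drops that prefix before the request reaches the origin.
ORIGIN = "10.251.201.253"  # the NW6/SP2 GroupWise server from the article


@dataclass(frozen=True)
class Accelerator:
    name: str
    origin_port: int
    sub_path: Optional[str] = None   # None marks the multi-home master
    remove_sub_path: bool = True


# Children are checked first; the master catches whatever no child claims.
ACCELERATORS = [
    Accelerator("POA", 7181, "/poa"),
    Accelerator("Domain", 7180, "/domain"),
    Accelerator("GWIA", 9850, "/gwia"),
    Accelerator("WebAcc2", 7205, "/webacc"),
    Accelerator("Webacc", 80),
]


def route(url: str) -> Tuple[str, str, int, str]:
    """Return (accelerator name, origin host, origin port, path forwarded to the origin)."""
    path = urlsplit(url).path or "/"
    for acc in ACCELERATORS:
        if acc.sub_path is None:                    # master: forward the path unchanged
            return (acc.name, ORIGIN, acc.origin_port, path)
        if path.startswith(acc.sub_path):
            forwarded = path[len(acc.sub_path):] if acc.remove_sub_path else path
            return (acc.name, ORIGIN, acc.origin_port, forwarded or "/")
    raise ValueError("no accelerator configured")   # unreachable while a master is listed


if __name__ == "__main__":
    for u in ("http://1300e.gwise.dsm.cit.novell.com/servlet/webacc",
              "http://1300e.gwise.dsm.cit.novell.com/poa/",
              "http://1300e.gwise.dsm.cit.novell.com/webacc"):
        print(u, "->", route(u))
```

Under this model a user request such as /webaccess/... also starts with "/webacc" and would be sent to the WebAccess Monitor child on port 7205 rather than to the mailbox master, which is worth keeping in mind when choosing sub-path strings.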

On Access Control Page:

  1. "Enable Form Fill Authentication" is enabled
  2. "Object level access control (OLAC)" is disabled

On Configuration->Management page:

  1. "Enable Pin List" is not selected

ConsoleOne Configuration:

In ConsoleOne->ISO object properties, add a resource for the GroupWise web site:

  1. Name=GroupWise
  2. URL Prefix=http://1300e.gwise.dsm.cit.novell.com/*
  3. Access: Restricted

Single Sign On through iChain:

1. SSO to WebAccess:

GW6/SP2 WebAccess does not support Authorization headers, so iChain's Forward Authentication/OLAC cannot be used for SSO; FormFill is used instead. Sample FormFill scripts are shown below. The first handles the language selection form (shown when the user does not include the resource name /servlet/webacc in the URL); it is followed by a login-failure policy and a login policy:

<urlPolicy>
<name>Groupwise-Language-Selection</name>
<url>1300e.gwise.dsm.cit.novell.com/*</url>
<formCriteria>
<title>Novell Web Services</title>
</formCriteria>
<actions>
<fill>
<select name="User.lang" type="listbox" value="~">
</fill>
<post/>
</actions>
</urlPolicy>
<urlPolicy>
<name>GroupWiseWebAccessLoginFailure</name>
<url>1300e.gwise.dsm.cit.novell.com/servlet/webacc</url>
<formCriteria>
<TITLE>Novell WebAccess</TITLE>

Please login again. You may have typed your name or password incorrectly.

loginForm

</formCriteria>
<actions>
<deleteRemembered>GroupWiseWebAccess</deleteRemembered>
<redirect>1300e.gwise.dsm.cit.novell.com/servlet/webacc</redirect>
</actions>
</urlPolicy>
<urlPolicy>
<name>GroupWiseWebAccess</name>
<url>1300e.gwise.dsm.cit.novell.com/servlet/webacc</url>
<formCriteria>
<TITLE>Novell WebAccess</TITLE>

loginForm

</formCriteria>
<actions>
<fill>
<INPUT NAME="User.id" value="~">
<INPUT NAME="User.password" value="~">
</fill>
<maskedPost/>
</actions>
</urlPolicy>
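To show how the three policies above interact on the pages WebAccess returns, here is a constructed Python model (an added example, not iChain's own matching code). It assumes that every line inside formCriteria must appear in the returned page, that a trailing /* in url is a prefix wildcard, and that when several policies match the same page the one with the most criteria applies, which is what lets the login-failure policy with its deleteRemembered action take precedence over the plain login policy after a bad password.

```python
from typing import Optional

# Constructed model of the three urlPolicy entries above (added example, not iChain code).
# Assumptions: each formCriteria line must occur in the page text, a trailing "/*" in <url>
# is a prefix wildcard, and when several policies match, the one with most criteria wins.
POLICIES = [
    {"name": "Groupwise-Language-Selection",
     "url": "1300e.gwise.dsm.cit.novell.com/*",
     "criteria": ["Novell Web Services"],
     "actions": ["fill User.lang", "post"]},
    {"name": "GroupWiseWebAccessLoginFailure",
     "url": "1300e.gwise.dsm.cit.novell.com/servlet/webacc",
     "criteria": ["Novell WebAccess",
                  "Please login again. You may have typed your name or password incorrectly.",
                  "loginForm"],
     "actions": ["deleteRemembered GroupWiseWebAccess", "redirect"]},
    {"name": "GroupWiseWebAccess",
     "url": "1300e.gwise.dsm.cit.novell.com/servlet/webacc",
     "criteria": ["Novell WebAccess", "loginForm"],
     "actions": ["fill User.id/User.password", "maskedPost"]},
]


def url_matches(pattern: str, url: str) -> bool:
    """Compare host+path of url (scheme and query ignored) against a policy <url>."""
    host_path = url.split("://", 1)[-1].split("?", 1)[0]
    if pattern.endswith("/*"):
        return host_path.startswith(pattern[:-1])
    return host_path == pattern


def select_policy(url: str, page: str) -> Optional[dict]:
    """Return the most specific policy whose <url> and every formCriteria line match."""
    best = None
    for pol in POLICIES:
        if url_matches(pol["url"], url) and all(c in page for c in pol["criteria"]):
            if best is None or len(pol["criteria"]) > len(best["criteria"]):
                best = pol
    return best


# Constructed sample pages standing in for what WebAccess returns.
LANG_PAGE = '<html><title>Novell Web Services</title><select name="User.lang"></select></html>'
LOGIN_PAGE = '<html><TITLE>Novell WebAccess</TITLE><form name="loginForm">...</form></html>'
FAILED_PAGE = LOGIN_PAGE.replace(
    "<form", "Please login again. You may have typed your name or password incorrectly.<form")
WEBACC = "http://1300e.gwise.dsm.cit.novell.com/servlet/webacc"
```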

2. SSO to the GroupWise Monitoring Agents:

Login to the Monitoring agents is done with a pop-up login prompt. The username/password required for GWIA, POA and MTA is specified in configuration files created during installation: sys:/system/gwia.cfg, sys:/system/<NameOfGroupWiseSystem>.poa, and sys:/system/<NameOfGroupWiseSystem>.mta respectively. This name/password could match the CN and password of an actual NDS user object, but likely will not. If the username/password configured for the Monitoring agents is actually the CN (or other NDS attribute) and password of an NDS user, OLAC could be configured to inject the CN and password to provide SSO. On the "Access Control" page in the iChain GUI, select check box "Enable Object Level Access Control (OLAC)". Under the accelerator configuration, go to the "Authentication Options" window and select "Forward authentication information to web server". Add the following OLAC entry on the GroupWise ISO resource:

  • Name: ICHAIN_UID
  • Data Source: LDAP
  • Value: CN

If an NDS user will be logging in to the Monitoring agents but wants to use a name/password different from his or her NDS cn/password, that information could be stored in some other attribute(s) on that NDS user object, and OLAC configured to inject those attributes instead.

Sending iChain SMTP alerts to GroupWise 6 (GWIA)

iChain can send e-mail alerts using SMTP to GroupWise 6 (GWIA must be installed for SMTP access). Configure SMTP alerts in the iChain GUI->System->Alerts page. Be sure to use a username with an account on the specified server, and be careful with the "Alert source name" field. Avoid spaces if at all possible: according to the GWIA developer they are against the SMTP RFC and may result in a failure to send alerts. However, GWIA from GroupWise 6 SP1 will accept one space in the name, and SP2 seems to accept multiples (I've had 4 spaces with no trouble). Other characters such as "!" will also cause problems (#306383).

Internal rewriter with WebAccess

The rewriter should detect and rewrite URL references (those matching names/IP addresses listed in the accelerator's "Web server addresses" field) in e-mail Subject lines and Body text, but should never touch URL references in attachments being saved. In iChain 2.1, attachments were being rewritten (#307530). With iChain 2.2, the Subject and Message body text is not being rewritten as expected, but attachments are rewritten when being viewed (#100300994). Other anomalies with the rewriter and WebAccess messages also exist (#100300603).

Known Issues:

GroupWise WebAccess 6.5 behind iChain:

WebAccess 6.5 can accept LDAP names for login, and can be configured to accept credentials in the Authorization header from "trusted applications" such as iChain. If WebAccess is behind an accelerator with the option "Forward authentication information to web server" enabled, login to WebAccess fails and the user is prompted to log in to WebAccess even though iChain has stuffed the Authorization header with the correct credentials and has been configured as a trusted application.

This appears to be caused by iChain using an uppercase "CN" in the name (e.g. "CN=user1,o=novell") while WebAccess looks only for lowercase. A defect was entered against WebAccess on 5/20/03 to ignore case.
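The comparison WebAccess should be making is illustrated by this added Python example (not WebAccess or iChain code): LDAP attribute types in a DN are case-insensitive, so "CN=user1,o=novell" from iChain and "cn=user1,o=novell" name the same entry once the types are normalised. The splitter honours backslash escapes per RFC 4514 but, as a simplification, does not handle multi-valued RDNs joined with "+", and it leaves attribute values untouched because value matching is governed by the directory schema.

```python
from typing import List

# Added example (not WebAccess or iChain code): compare DNs with case-insensitive attribute
# types, which is the behaviour the defect described above asks WebAccess to adopt.


def split_dn(dn: str) -> List[str]:
    """Split a DN on commas that are not escaped with a backslash (RFC 4514 escaping)."""
    rdns, buf, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep the escape pair intact
            buf += dn[i:i + 2]
            i += 2
            continue
        if ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    rdns.append(buf)
    return rdns


def normalize_dn(dn: str) -> str:
    """Lower-case every attribute type; values are kept as given (schema decides value matching)."""
    parts = []
    for rdn in split_dn(dn):
        attr_type, _, value = rdn.strip().partition("=")
        parts.append(attr_type.strip().lower() + "=" + value.strip())
    return ",".join(parts)


def same_dn(a: str, b: str) -> bool:
    """True when both DNs name the same entry after attribute-type normalisation."""
    return normalize_dn(a) == normalize_dn(b)


if __name__ == "__main__":
    # The header value iChain forwards versus the form WebAccess expected.
    print(same_dn("CN=user1,o=novell", "cn=user1,o=novell"))
```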

