Novell is now a part of Micro Focus

iChain 2.3 Technical White Paper

Novell Cool Solutions: Feature

Digg This - Slashdot This

Posted: 31 Mar 2004

Securing Your eBusiness Initiatives

In order to compete in today's economy, organizations need to adopt eBusiness solutions; however, moving your organization to the Internet presents many challenges, including the need to open your network to the outside world while also securing your company's data. Novell iChain is a secure identity management solution that allows you to provide the required levels of access to your organization's resources, while protecting and maintaining data confidentiality.

Executive Summary

Novell iChain is an integrated security solution that controls access to network resources across technical and organizational boundaries. It includes identity-based Web security services and provides users with secure authentication and access to portals, Web-based content and Citrix* Thin Client services. Using Novell iChain, organizations can simplify security management, control the use of digital assets across the extended enterprise and get more from investments in eBusiness applications.

With Novell iChain as the gatekeeper to your network and application resources, you will be able to accomplish the following:

Simplify the Management of Internet Access Security

Novell iChain reduces the cost and complexity of managing Internet security in the following three areas:

  • Access. Novell iChain provides users with single sign-on access to Web-based applications across multiple platforms and networks.
  • Architecture. Novell iChain is built on a non-invasive proxy-accelerator architecture that easily plugs into your existing environment. The easy-to-use Novell management utilities and wizards simplify installation and configuration and automate routine maintenance. Once Novell iChain has been installed and configured, the convenient over-the-wire upgrade (OTWUG) significantly simplifies the upgrade process. Because Novell iChain is integrated with Novell eDirectory, you have virtually unlimited scalability.
  • Security. The unique architecture inherent in Novell iChain simplifies the management of Internet access security. Novell iChain creates a universal Web access security solution with a single point of management, alleviating the complexities of maintaining access control security on individual Web servers.

Secure the Use of Digital Assets Across the Extended Enterprise

Novell iChain allows you to build strong relationships with customers, suppliers and partners while minimizing risks. Because the Novell iChain proxy server replaces your Web server as the public interface to your Web site, the proxy server adds a layer of security to your network. Novell iChain secures your system by addressing the following issues:

  • Identities. Novell iChain leverages directorybased identity information for authentication for employees, customers, partners and suppliers across applications.
  • Privileges. Novell iChain provides fine-grained control over access privileges. Users must authenticate before receiving access to specified Web content and applications. Novell iChain supports strong authentication methods, including tokens from the leading vendors (such as ActivCard*, RSA* and VASCO*), X.509 certificates from all major PKI vendors and multi-factor authentication.
  • Policies. Novell iChain uses policies and business rules to enforce privileges and support business-process automation.
  • Data. To protect data during transmission, Novell iChain secures the data channel between the proxy server and the user's Web browser. The proxy server creates an on-the-fly Secure Sockets Layer (SSL) session with the browsers, thereby safeguarding data. With the added option of Secure Exchange, all data between the proxy server and the end-user browser is redirected and served via a secure connection.

Accelerate your Return on Investments in eBusiness Applications

Novell iChain enables you to increase profitability and gain a competitive advantage by accelerating the transformation to eBusiness. Novell iChain accelerates the following processes:

  • Development. With Novell iChain, you can reduce the development time needed for new Web-based services because you don't need to design for security—you simply leverage the Novell iChain security infrastructure. Because the infrastructure can scale as your business grows, it can significantly accelerate your transformation to an eBusiness environment.
  • Integration. Novell iChain enables you to integrate every aspect of security. Using Novell eDirectory, you can integrate the management of security and establish access to information based on identity. Security is also integrated for the end user, who can take advantage of single sign-on and the form-fill authentication feature.
  • Performance. Novell iChain offloads SSL-based security overhead from eBusiness-application Web servers with no loss in performance. Novell iChain uses industry-leading caching technology to deliver diverse material— graphics, static HTML pages, PDFs and so on— much faster than a standard Web server.

Novell iChain Overview

Novell iChain is an integrated secure identity management infrastructure that protects your network and safeguards sensitive eBusiness and identity data. Novell iChain facilitates eBusiness and remote-access initiatives (such as business-tobusiness (B2B), business-to-customer (B2C) and business-to-employee (B2E)) by providing secure authentication and access to portals, Web-based content and Citrix Thin Client Services. Novell iChain incorporates Novell eDirectory, the world's most scalable and widely used directory. Novell iChain also offers personalization, simple installation, Web Single Sign-on and the ability to secure access to data and applications across the Internet. With Novell iChain you can simplify, secure and accelerate your eBusiness transformation.

Novell iChain is a set of core services that work together to form the security infrastructure that in turn provides a foundation for all of your eBusiness solutions. Novell iChain enables you to simplify Web-access administration, secure your Web environment, and accelerate the rate at which you deploy new Web content and applications to your users. With Novell iChain you can increase revenue, strengthen customer and partner loyalty, decrease costs and manage your entire eBusiness site as one Net.

Novell iChain consists of the following three integrated components:

  • Novell eDirectory. Novell eDirectory provides integrated management by storing user information, company roles, licensing information and access rules in a single, centralized location that is available to all business applications and processes.
  • Novell iChain Proxy Server. The Novell iChain proxy server delivers content quickly, reducing end-user search and retrieval time. In addition, the proxy server provides for a single point of entry, protecting Web resources from direct access.
  • Novell iChain Authorization Server. The authorization server integrates with both Novell eDirectory and the Novell iChain proxy server to provide Web Single Sign-on and finegrained access controls, including multi-factor authentication to network resources.

As the following graphic illustrates, Novell iChain is the primary access point for all users who request secured Web applications. Users access the Novell iChain proxy server through standard Web browsers; no additional client-side software is required. Following successful authentication through the proxy server, they are granted access to authorized services.

Figure 1. Novell iChain configured as the primary access point for all Web users.

Novell eDirectory

Novell eDirectory is a full-service, multi-platform directory that serves as the foundation for identity-management and access-control capabilities found in Novell iChain.

According to a report by the Aberdeen Group, a directory must have the following characteristics to meet the needs of today's eBusiness environment:

  • Extensibility. The directory must maintain in-depth, hierarchically linked information about a range of objects, including people, devices, applications, resources and services.
  • Portability. The directory must work with multiple operating systems and applications.
  • Scalability. The directory must maintain and store information about thousands of objects.

Novell eDirectory more than meets all three criteria. Its extensible schema and hierarchical tree structure allow organizations to include and manage almost any type of object. In addition, its native Lightweight Directory Access Protocol (LDAP) support guarantees compatibility with other LDAP-based applications, and it scales to over a billion objects.

Novell eDirectory has been in development for more than a decade. Employed by more than 25,000 customers and totaling more than 1.4 billion licenses, it is by far the most fully developed directory service in the world. Novell eDirectory is flexible, extensible and powerful enough to be the directory for global networks, and it is an essential component for any organization developing an eBusiness solution.

Novell eDirectory is the only directory that eliminates the barrier between Internet, intranet, and extranet resources. Using Novell eDirectory to extend the reach of the existing infrastructure to include employees, customers and supply-chain partners, organizations can transform their traditional businesses into eBusinesses without losing control of critical business processes and without having to adopt an entirely new system. With Novell eDirectory, Novell iChain can be licensed from a central point. This simplifies the process required to install and maintain licensing.

Novell iChain Proxy Server

The Novell iChain proxy server handles all user authentication, access control and session management. It is based on enhanced reverse-proxy technology that provides connections to multiple backend Web servers.

Figure 2. The Novell iChain reverse-proxy server inside a DMZ.

The reverse proxy intercepts inbound content requests and delivers the content from its local cache. The proxy cache typically caches approximately 85 percent of a Web server's content, significantly reducing the Web server's processing requirements and greatly increasing the speeds at which content is delivered. A reverse proxy is normally placed behind an organization's firewall. Alternatively, it can be part of a demilitarized zone (DMZ), which has an additional firewall between the proxy and the organization's secured network.

When configuring the proxy server behind a firewall or in a DMZ, you must reconfigure the accessible firewall ports and the Domain Name System (DNS).

Configuring the Firewall Ports

Firewalls must be configured to allow the types of data that the iChain proxy server will be providing to pass through the firewall. If the proxy server provides standard Web server acceleration, the standard Hypertext Transfer Protocol (HTTP) port 80 will be used. If other features, such as authentication and Secure Exchange (detailed in later sections), are required, port 443 will be used. Novell iChain enables secure exchange on a single port, allowing a multi-homed configuration (same IP address/port number) when using SSL. This decreases the number of ports that need to be opened on a firewall, which reduces deployment times and allows Novell iChain to be compatible with security policies that allow only standard port numbers.

If the Novell iChain proxy server is located in a DMZ, and all the Web servers being accelerated through the proxy server use standard port 80, then that port will support all server Internet Protocol (IP) addresses. An additional port for LDAP authentication is required. (The standard non-secure LDAP port is 389.)

The exact configuration of firewalls depends upon three variables:

  • The number of Web servers being accelerated
  • The configuration of those Web servers
  • The acceleration method (authentication and Secure Exchange options)

Configuring Domain Name System

As with any reverse-proxy technology, DNS must be reconfigured for an architecture design that includes the Novell iChain proxy server. Users normally connect to a Web site on the Internet by typing in the DNS name of the site. The DNS name has a corresponding IP address that returns to the browser from a specified Internet DNS server. The browser then connects directly to the Web server, using its IP address. Different DNS servers may respond with different IP addresses so that requests can be directed either to local Web servers or to reverse proxies—whichever will deliver the content faster.

Most organizations have a private IP network and a small number of registered Internet IP addresses. Because the Novell iChain proxy server can be used to link these networks, it must understand the difference between an internal DNS request and an external DNS request.

When a user connects to the Novell iChain proxy server, the host header (URL information) is checked and the proxy server redirects the calls to the appropriate Web server. The following graphic illustrates the proxy server accelerator configuration screen:

Figure 3. The iChain Proxy Services Configuration screen.

Multi-Homed Accelerators (Domain- and Path-based)

The Novell iChain proxy server is an enhanced reverse-proxy server that adds intelligence to the reverse-proxy process and delivers two additional features: domain-based multi-homing and pathbased multi-homing.

  • Domain-based Multi-homing. The domainbased multi-homing (DBMH) feature enables the Novell iChain proxy server to redirect browser requests to multiple backend Web servers using a single Public IP address. Using the HTTP host header information sent by the browser, the proxy server identifies which resource is needed to fulfill the request and then processes the request accordingly. Domain-based multi-homing uses standard HTTP and HTTPS ports for communication. The use of DBMH results in immediate cost savings, because it drastically reduces the number of Internet IP addresses that an organization must purchase in order to provide access to multiple internal Web resources.
  • Path-based Multi-homing. The path-based multi-homing feature allows requests that are sent to a single DNS name (such as "www.acme. com") to be redirected to different Web servers using the suffix information contained in the URL. For example, Novell iChain will send "" to Web server 1 and "" to Web server 2. This technology allows an organization to present a single corporate image to the Internet user, while providing access to many different Web servers within its organization.

Authentication Service

Novell iChain supports a number of authentication methods, including LDAP UserIDs and Passwords, X.509 certificates, Tokens (token authentication requires a RADIUS service, which is supplied by iChain) and Novell NetIdentity (providing background authentication to iChain and single sign-on to Net Identity-enabled applications). Each configured authentication method is stored as an Authentication Profile. When a UserID and password are required for authentication, a user enters identification information in a secure HTML authentication form. Novell iChain then compares the credentials entered by the user against those stored in a specified LDAP server. To simplify implementation, the Novell iChain proxy server uses Novell PKI technology to automatically generate default certificates for each accelerator. These certificates can be used to encrypt the authentication process and regular content delivery. Novell iChain also supports third-party certificate vendors.

The Novell iChain proxy server stores serverside certificates using NICI technology from Novell, which secures the private-key information from would-be hackers. When using third-party certificate vendors, a Certificate Signing Request (CSR) is initiated from the Novell iChain proxy server's GUI administration tool. After the signed response is received, the same administration tool is used to import the signed information. When using third-party certificates, the accelerator Key ID setting must be changed from "Auto" to the externally signed key-material object.

Between the Novell iChain Proxy Server and Novell iChain Authorization Server (LDAP server), the administrator can select the LDAP communication method as either non-secure LDAP (standard port 389) or secure LDAP (standard port 636). To use secure LDAP, SSL must be enabled on the Novell eDirectory LDAP server, and then the trusted root of the certificate must be exported to the iChain proxy server. Novell ConsoleOne, (a Java* administration tool) simplifies this task by allowing the association of a "Trusted Roots" container to the iChain service. Any trusted root stored in the container will automatically be copied to the iChain proxy server.

The following graphic illustrates an LDAP Authentication Profile. Each profile can be assigned to individual accelerators as required.

Figure 4. The LDAP Options screen.

To configure LDAP, you need to know the IP address of the LDAP server(s), the LDAP login name to connect to the LDAP server, the LDAP login method and the LDAP contexts (if using distinguished name). The LDAP contexts provide a "Contextless" login feature and contain values that match the location of users within the directory structure, such as "ou=users, o=Acme." The LDAP login method has the following three options:

  • "Build distinguished name"—allows the administrator to define the "Naming Attribute," such as common name (CN), and the LDAP context list to search for the user's identity.
  • "Search on a single attribute"—allows the administrator to define a single "Naming
  • Attribute," such as common name or employee number, and an LDAP Search base. This feature enables iChain to search the eDirectory hierarchy from a specified context.
  • "Search using a query"—allows the administrator to set up a search criteria on more than one attribute. This feature is particularly useful if you have multiple users with the same common name, or you require more validation of a user's identity. An example search string is:
    (&(objecclass=person)(|cn=%username%) (mail=%emailValue%))
    This search string instructs iChain to match both the common name and e-mail address before submitting the password to verify authentication.

LDAP Authentication pages are fully customizable, allowing organizations to add desired text and corporate branding.

It is important to note that a user does not actually perform any LDAP binds to the directory. All requests are performed on behalf of the user by the Novell iChain proxy server.

One advantage of the authentication service found in Novell iChain is that it enables crossdomain authentication, which provides a single authentication for multiple domain names. For example, an insurance company that offers services through a number of different operating companies, each with their own domain name, can control the authentication, access control and identity management for all of the domain names from a central point.

X.509 Certificate Authentication

Novell iChain supports the use of standard X.509 certificates to authenticate users. It can support any number of certificate authorities per accelerator, but these must be specified by the administrator as trusted authorities.

As with the LDAP authentication process, an Authentication Profile is created for certificates. The following screen illustrates how to enable certificate authentication, which is actually labeled as "Background SSL Mutual Authentication."

Figure 5. The Authentication screen used to enable certificate authentication.

If you select SSL Certificate Mutual Authentication (as marked in the graphic above), the Mutual Options screen appears. You can use the Mutual Options screen to map the user's certificate to the user's distinguished name in the directory, which is required to enforce access controls. These mapping options are shown in the following graphic:

Figure 6. The Mutual Options screen used to define mappings.

A certificate profile is generally associated with an accelerator when higher levels of security are required. In this situation, a common configuration combines the certificate profile with an LDAP authentication profile to create a Dual Authentication requirement. When a user accesses an accelerator that requires an X.509 certificate, the iChain proxy server sends an identification request to the browser and allows the user to select his or her certificate.

Figure 7. An identification request that allows the user to select a certificate.

When certificate authentication is combined with an LDAP profile, iChain displays the HTTPS authentication page (username, e-mail address or LDAP field) after the user selects his or her certificate. The user then enters his or her credentials, and Novell iChain verifies that the user's credentials match the user's certificate. If the match is confirmed and the password is correct, the user is authenticated.

If multiple accelerators are configured with different authentication profiles, the user must always authenticate using the highest authentication level. In other words, if a user authenticates to the proxy with just a username and password, and then connects to another Web server that requires a higher level of security on its accelerator, the user will be asked to present a certificate before access is granted.

iChain 2.3 supports both CRL (Certificate Revocation Lists) and OCSP (Online Certificate Status Protocol) validation of users' X.509 certificates.

There might be times when a user does not possess the X.509 certificate that is required for authentication. In these cases, the administrator can define a custom error page, which is displayed when a user cancels the request for a certificate. This error page could be used to direct users to a location when they can obtain certificates.

Token Support

In addition to supporting authentication through a certificate authority, Novell iChain also supports token-based authentication through ActivCard, RSA and VASCO. To accommodate secure, token-based authentication, Novell iChain uses the Remote Authentication Dial-in User Service (RADIUS) protocol, which enables communication between remote-access servers and a central RADIUS server. When a user presents Novell iChain with a token, that information is passed to a RADIUS server, which ensures that the information is correct and then authorizes access to the system.

Secure token authentication through RADIUS is possible because Novell iChain includes Novell Modular Authentication Service RADIUS software that can be installed on any NetWare server.

Session Management

When a user successfully authenticates to the Novell iChain proxy server, a session cookie is delivered to the browser. This session cookie contains only a session ID, which is a number that the proxy server uses to track the session. The session cookie contains absolutely no user-identity information.

The session cookie is delivered to the browser through the SSL session before the user is redirected to the requested Web server. The session cookie is stored in memory until the session is terminated (user logoff) or the browser is closed. At that point, the cookie is immediately removed. When a user connects to a different protected resource, Novell iChain checks the session cookie to verify the user's credentials.

Authentication Process (Summary)

The following graphic illustrates the steps involved in the authentication process:

  1. Connection to the proxy
  2. Authentication
  3. Enforcement of access controls

Figure 8. The Novell iChain authentication process.

Access Control

The Novell iChain proxy server enforces access controls based on the digital identities that exist in Novell eDirectory. By default, all access is denied through the proxy server.

Figure 9. Novell iChain leverages the hierarchical and inheritance capabilities of Novell eDirectory.

Access rules are stored as objects in Novell eDirectory and they can be placed anywhere within the hierarchy of the directory structure.

The rule object has the following three attributes:

  1. List of URLs. This list contains the URLs that are allowed by an individual rule object.

  2. Apply To List. This list includes the objects to which the rule object applies. The rule object can be applied to the following Novell eDirectory objects:
    • User name
    • Group
    • Organizational Unit
    • Organization
    • Country
    • Location

    The Apply to List option leverages the Novell eDirectory hierarchy and inheritance mechanisms to simplify the rules process. For example, you can make a rule apply to all users within the directory simply by adding the uppermost Organization object in the Apply to List option.

  3. Exception List. The Exception List allows the administrator to define a set of objects that will not be allowed access to the URLs specified in the list of URLs. This feature is very useful when a large set of users is granted access by virtue of their inclusion in a containment object (as shown in the Organization object that appears in the above graphic) but when, at the same time, there is a small subset of users within that group that should be denied access. The Exception List can contain the same objects as the Apply To List.

The following graphic shows the Access Control tab of the Properties of Secure Site screen in ConsoleOne:

Figure 10. The Access Control tab.

Rule Processing Order

When a user makes a request for information that is protected by an iChain server, his or her access rights are checked in the following order:

  1. User name
  2. Group
  3. Organizational Unit
  4. Organization

The module that processes access rules and then grants or denies access is known as ACLCHECK. This module sequentially checks the access rules until it finds a match. If a matching rule is not found, the user is denied access. ACLCHECK also provides attribute-level access control, which is based on the attributes stored in a user's digital identity, and checks external data sources to allow integration with third-party services.

The Novell iChain proxy server caches the access rules in memory to increase the performance of the rule-checking process. These access rules are updated at specified intervals or through a manual ACL refresh.

Dynamic Access Controls

Novell iChain leverages Dynamic Access Control rules to provide more flexible and fine-grained access control. Using Dynamic Access Control, iChain queries a user's identity for specific attributes and associations. Access is granted or denied based on this information.

The diagram below illustrates a sample Dynamic Access Control rule:

Figure 11. The query setup screen that allows you to specify a Dynamic Access Control rule.

Rule Logging

Two flags allow you to enable or disable logging for each access rule object. When the "authorized access logging" flag is set, only the "allow" access attempts will be logged along with the rule identification number for each attempt. When the "unauthorized access logging" flag is set, all the "deny" access attempts will be logged along with the "allow" access attempts.

Data Confidentiality (Secure Exchange)

The Novell iChain proxy server supports Secure Exchange, which dynamically transforms insecure, plain-text Web connections into secure, encrypted communication links based on the SSL protocol.

Without Secure Exchange, any Web server needing secure content delivery would require its own PKI certificate to create an HTTPS session for the browser. Larger eBusiness solutions may involve multiple Web servers, all of which could potentially require PKI certificates and thus increase deployment costs. The data encryption tasks would also place a heavy load on the Web server and decrease its ability to process requests and deliver content in an acceptable timeframe.

Secure Exchange simplifies the delivery of secured content over the Internet and relieves the Web server from the task of encrypting data. With Secure Exchange, the Web server is available to quickly deliver Web content to users.

As illustrated below, Secure Exchange reads the HTTP data from the origin Web server and then converts that data into a HTTPS data stream, which is sent to the browser.

If the accelerator has Secure Exchange enabled, the browser is forced to redirect its request to the Secure Exchange port. The Novell iChain proxy server then presents a certificate. If the certificate is accepted, a secure session is established. If necessary, the proxy server can also use Secure Exchange to protect data traveling over the wire to the origin Web server.

Figure 12. Secure Exchange converts HTTP data from the origin server into HTTPS.

Strong Cryptography

Strong cryptography settings allow an administrator to configure the Novell iChain proxy server to require the requesting browser to support 128-bit strong encryption before servicing any requests. Both the client mode (when the proxy server initiates the secure session) and the server mode (when the proxy server accepts a secure session from another machine) can be configured separately. By default, the proxy server does not use strong cryptography in either mode because it can cause problems for users who have weak browsers. Rather than being granted access to the Web site, users with weaker browsers (which cannot decrypt a 128-bit key) will receive a message indicating that they need to upgrade their browsers.

Data Confidentiality (No Cache)

The Novell iChain proxy server allows you to mark a particular site with a "No Cache" option. When selected, this option stops the browser from caching data. When delivering content to the browser, the proxy server places a number of standard no-caching headers, such as "Pragma no-cache," in the data stream. These headers instruct the browser not to cache any of the content that it receives from the Web servers.

Web Personalization

Object Level Access Control (OLAC) technology injects dynamic data into the HTTP header based on the user's digital identity. OLAC is a Java-based extensible framework that sends administrator-defined attributes to the origin Web server in the HTTP header. The defined attributes are a set of "Parameter = Value," where "parameter" is the attribute name forwarded to the Web server, and "value" is an LDAP value that will be queried in order to build the parameter string.

Using the security and powerful identity-management features of Novell eDirectory, the user's digital identity is configured to include details such as shipping address, credit card information and books of interest. LDAP mappings to this data allow the iChain OLAC technology to read the user's digital information and forward that information to the Web server, facilitating the ordering and billing processes and enhancing the user's experience with the site.

Figure 13. The Novell iChain proxy server injects dynamic data into an HTTP header to personalize the Web experience.

To illustrate how Novell iChain proxy server uses the OLAC technology, imagine a bookstore developing an online presence. In addition to enabling online transactions and other customer services, the store will provide targeted marketing. This type of marketing displays new books that may be of interest to each individual customer, based on his or her interests. This is accomplished using the following steps:

  1. The LDAP mapping of "books of interest" is used by Novell iChain to read the user's personal interests and build a "Books" parameter.
  2. Novell iChain forwards the "Books" parameter to the Web server.
  3. The Web server customizes a display of new books in the specific categories in which the user has expressed interest.
  4. The user authenticates to the service.
  5. Novell iChain forwards the personalized information to the Web server.
  6. The Web server builds the dynamic content for the user and displays a list of appropriate titles.

If the user then wants to order an item, a further LDAP mapping to "Credit Card Details" is used to automatically fill in credit card information and complete the transaction.

Single Sign-on

By forwarding authentication information to a Web server in the HTTP authentication header, Novell iChain provides single sign-on to Web resources that use Basic HTTP authentication. With Novell iChain single sign-on, users can access a variety of network resources through a single sign-on process. Once users have logged into a network computer, they are automatically authenticated to all of the applications and data to which they have authorized access. This feature is an optional setting for each Web site that's accelerated by Novell iChain. The injection of user credentials in the HTTP header is performed by the OLAC technology inherent in Novell iChain.

Two pre-defined parameters instruct Novell iChain to insert the authentication information. The ICHAIN_UID parameter specifies the user ID, and the ICHAIN_PWD parameter specifies the password that will be forwarded to the Web server.

By default, Novell iChain will forward a user's distinguished name in the HTTP authentication header. The distinguished name consists of the user's common name (for example, "jsmith") and the context information where the user's identity exists in Novell eDirectory (for example, "").

Many Web servers are unable to understand this user-identity format, so they are unable to authenticate a user if they receive this information in the HTTP authentication header. To solve this problem, Novell iChain substitutes the distinguished name of the user with the specified LDAP value (for example, "cn" for common name) when ICHAIN_UID is selected. The LDAP value can be used by non-context-aware Web servers to authenticate the user.

Because ICHAIN_UID and ICHAIN_PWD are built from LDAP values, Novell iChain single sign-on can support Web servers where the user's authentication credentials are different than those used to authenticate to iChain.

Figure 14. The Novell iChain proxy server enables single sign-on capability.

Form-Fill Authentication (Single Sign-on)

Novell iChain offers users a convenient form-fill authentication feature that simplifies access to Web applications. With the form-fill feature, users must first authenticate to Novell iChain before they are granted access to the Web-application form page. As they enter their credentials into the form, the information is automatically stored in Novell eDirectory. From then on, whenever users connect to that Web page and need to authenticate through the same Web-application form, Novell iChain automatically retrieves their credentials and completes the form for them.

Secure Thin Client Services

With Novell iChain, users can securely connect to Citrix Thin Client Services, specifically to Citrix Nfuse* or Citrix MetaFrame*. However, users must establish a valid iChain session before they will be permitted to access a Citrix MetaFrame server.

Figure 15. The Novell iChain proxy server securely connects users to Citrix Thin Client Services.

Password Management

Novell iChain provides enhanced passwordmanagement features, including the following:

  • Minimum password length
  • Minimum number of numeric characters
  • Forced password Change with optional grace logins
  • Non-dictionary words
  • Password history

Users perform all password changes from their Web browsers.

Logon Restrictions and Intruder Lockout

Novell iChain can use time restrictions and other logon restrictions within Novell eDirectory. Depending on the type of solution Novell iChain is securing, you may want to restrict authentication to certain times of the day.

Novell iChain also provides intruder-lockout capabilities that allow Novell iChain to monitor the number of unsuccessful logon attempts. If this number exceeds a specified value, the account is locked. The administrator can define whether the account remains locked or is reset after a certain amount of time.

Acceleration of Web Content

The proxy operating system (OS) and the cache object store technologies make the Novell iChain proxy server one of the fastest and most efficient caching servers available.

Proxy OS

The proxy OS lies at the heart of the Novell iChain proxy server. The highly specialized proxy OS has been designed as a high-performance protocol engine. In contrast to general-purpose operating systems, the specialized proxy OS does not have to fulfil all of the needs of complex Internet applications. Instead, it performs very specific sets of tasks that focus on moving data through the system as quickly as possible. Furthermore, the tight integration of these core operations greatly increases the efficiency of inter-process communications.

Another benefit of a specialized proxy OS is that is does not need to act as an authoritative data source. If cached data becomes lost, the proxy server simply requests another copy from the server of origin. Therefore, the proxy server avoids much of the overhead associated with general-purpose file systems. As a highly refined microkernel, the proxy server OS creates a system that can provide extremely efficient resource delivery, process execution, connection management and persistent storage for Internet objects.

The primary proxy OS functions have been coupled with narrowly defined capabilities for context scheduling, event notification and input/output (I/O) transport, resulting in an extraordinarily fast and highly scalable proxycache architecture.

Cache Object Store (COS)

The cache object store (COS) manages the persistent storage of cached objects in the Novell iChain proxy server. It is also responsible for migrating objects between the RAM and disk cache. The COS interacts directly with the proxy server's disk I/O subsystem.

Studies measuring the performance of Web proxy caches have identified persistent storage systems as the principal bottleneck in performance and scalability. The bottleneck is caused by the inefficient read/write operations of traditional file systems and poor organization of data on disk. The COS solves both of these problems in the following manner:

  • Increased Read/Write Efficiency. The COS optimizes read and write operations to increase the efficiency of disk drives participating in the cache. In traditional file systems, both read and write requests are queued. In contrast, COS automatically appends a pending write event whenever a read operation takes place. The result is that the write event takes place at a location that is physically close to the read event. Consequently, the overhead normally associated with write events is largely eliminated, as it is "piggy backed" onto a read operation. Similar integration has been instituted for create and delete operations. These optimizations are designed to allow the object store to use a sin gel disk more efficiently and to take full advantage of multiple drives on multiple channels.
  • Improved Disk Organization. The COS optimizes disk content by organizing HTML and XML source documents and their embedded objects so that they are located in the same region of the disk. This optimization makes it much easier to provide automatic read-ahead capabilities for requests of complex Web pages, greatly increasing the responsiveness of the system during disk reads.

The COS has been specifically designed for optimal performance under the special circumstances presented by a cache system. The result of the customized RAM and diskmanagement system provided by the COS is that the iChain proxy server can more seamlessly insert itself into the flow of data across the Internet. The latency inherent to delivering "in the flow" services is greatly reduced, and clients notice a marked improvement in the responsiveness of systems that leverage Novell iChain.

SAML Extension for Novell

The SAML extension for Novell iChain helps you improve relationships with both customers and business partners. As its name suggests, the SAML extension for Novell iChain relies on Security Assertion Markup Language (SAML), an emerging standard for secure, online data exchange. With this extension, you can enhance your iChain implementation and securely share user information with trusted business partners across the Web.

This free download extends the Novell Nsure family of secure identity management solutions to include a flexible, federated identity management service that you can fine tune to meet your specific needs, as well as those of your partners. Just as importantly, the SAML extension for Novell iChain offers single sign-on access to Web-based resources. Consequently, customers don't have to remember dozens of passwords to do business with you and your partners. Furthermore, you can collaborate with your partners to deliver a set of personalized services that seamlessly integrate the business offerings on your respective Web sites.

To download the SAML extension for Novell iChain, go to pages/PublicSearch.jsp. For more information, visit samlextension/quicklook.html.

iChain Requirements

Hardware Requirements

For basic system requirements and tested hardware please visit: products/ichain/sysreqs.html

Software Requirements

Novell iChain is self-contained and does not require any software or licensing outside of the box.


Novell iChain is a robust, integrated security identity management solution that provides the foundation you need to succeed in eBusiness. It streamlines and simplifies how you manage Internet access security and, through its integration with Novell eDirectory, enables you to grant or restrict access based on your business policies and user identities. With Novell iChain you will be able to maintain your eBusiness advantage and create a unified one Net environment where customers, vendors and employees can securely access the information and applications they need.

Novell Nsure Solutions

Novell iChain is an integral part of Novell Nsure solutions, a family of secure identity management products and services. With Novell Nsure solutions, you can confidently and securely deliver the right resources to the right people, whenever and wherever they need them. For more information about Novell iChain and other Novell Nsure Solutions, please visit solutions/nsure.

Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions.

© Copyright Micro Focus or one of its affiliates