When you configure the Access Gateway to protect your application server, the Access Gateway must protect multiple resources. The first reverse proxy and proxy service combination on the Access Gateway performs authentication. The agent must be set up as a secondary proxy service, because the proxy service for an agent cannot be used for authentication.
If the Access Gateway has multiple IP addresses, you can configure Access Manager so that users access different types of Web resources from each IP address. If the Access Gateway has only one IP address, you can still let users access different types of resources; in this case, you configure the resources to use multi-homing. The following configuration steps assume that you have only one IP address and must use multi-homing, either domain-based or path-based, to reach multiple resources.
With path-based multi-homing, you use one DNS name for the Access Gateway, and the user specifies a path in the URL to reach the correct resource. For example:
You configure the name, www.mytest.com, to resolve to the Access Gateway, and the Access Gateway is configured to proxy the request to a Web server.
Users access the application server with the URL www.mytest.com/j2ee. The domain name www.mytest.com resolves to the Access Gateway, and the Access Gateway uses the path portion of the URL (/j2ee) to proxy the request to the J2EE server.
For more information, see Section 2.5.1, Setting Up a Path-Based Proxy Service for an Application Server.
With domain-based multi-homing, the Access Gateway uses separate domain names to reach multiple resources. For example:
You configure the name mytest.company.com to resolve to the Access Gateway, and the Access Gateway is configured to proxy the request to a Web server.
You configure the name j2ee.company.com to resolve to the Access Gateway, and the Access Gateway is configured to proxy it to the application server.
For more information, see Section 2.5.2, Setting Up a Domain-Based Proxy Service for an Application Server.
Figure 2-3 illustrates the basic configuration for a path-based proxy service. The www.mytest.com name is the published DNS name of the parent proxy service that protects the Web servers. A request for www.mytest.com/j2ee reaches the Access Gateway through the www.mytest.com name, and the Access Gateway uses the /j2ee path to proxy the request to the application server.
Figure 2-3 Protecting the Application Server with Path-Based Multi-Homing
Your DNS server needs to be configured to resolve www.mytest.com to the Access Gateway. The /j2ee path is not part of DNS; the Access Gateway itself routes requests for www.mytest.com/j2ee to the application server.
In the Administration Console, open the reverse proxy of the Access Gateway that you want to configure (the first reverse proxy, which performs authentication). The following steps assume that you have already enabled SSL between the Access Gateway and the browsers. If you haven't, see Configuring SSL Communication with the Browsers and the Identity Server in the Novell Access Manager 3.1 SP2 Access Gateway Guide.
In the Proxy Service List section, click New, then fill in the following fields:
Proxy Service Name: Specify a display name for this configuration.
Multi-Homing Type: Select Path-Based.
Path: Specify the path for the J2EE server. For this example, this is /j2ee.
Web Server IP Address: Specify the IP address of the application server. For the configuration in Figure 2-3, enter 10.10.10.40.
Host Header: Select Web Server Host Name.
Web Server Host Name: Specify the DNS name of the application server.
Click OK.
To create a protected resource for the application server, select the name of the parent proxy service in the Proxy Service List.
Click Protected Resources, then click New. Specify a name for the resource, then click OK. Choose a name that lets you associate this protected resource with your path-based service.
Configure the resource for the type of protection you want.
Public Access to the First Page: If you want users to be able to access the first page of the application without authentication, select None for the type of contract and accept the default path of /* in the Path List. Click OK and continue with the step below that selects the path-based proxy service in the Proxy Service List. If you have already created this type of protected resource, you don't need to create another one. The J2EE Agent configuration allows you to set up authentication and access restrictions for the pages in the application.
Authentication Required for the First Page: If you want users to authenticate before they have access to the first page of the application, you need to create two protected resources: one to prompt for authentication and one to allow public access to the nesp application. A path-based service can only have multiple protected resources if the multi-homing path exists on the Web server and the path is not removed when the request is sent to the Web server (see the Remove Path on Fill step below). To create the multiple resources:
For this first protected resource, select None for the contract.
In the Path List, specify the path to the nesp application. For this example: /j2ee/nesp
Click OK twice.
To add a second protected resource, click New, specify a name, then click OK.
For the contract, select the contract you want to use for authentication.
In the Path List, specify the path to the application. For the sample payroll application, this is the following path: /j2ee/payroll
Click OK three times.
In the Proxy Service List, select the path-based proxy service.
Configure the Remove Path on Fill option:
If the path you specified for the proxy service exists on the Web server and specifies the location of the Web resource, do not select this option.
If the path you specified for the proxy service does not exist on the Web server, select this option. The accompanying option is also selected.
In the Path List on the Path-Based Multi-Homing page, configure the paths:
Remove Path on Fill Service: If the path is removed before sending the request to the J2EE server, the path specified here must allow public access (no authentication required) to the nesp application. A path is automatically created for you (in this example, /j2ee) and a protected resource is assigned. Click the link, verify that the contract for this resource is None and the path is /*, then click OK. Because that resource is public, the Access Gateway enforces no authentication for anything under /j2ee; the access restrictions for the pages in the application must then come from the J2EE Agent configuration.
If the wrong type of protected resource is assigned, return to the protected resource step above and create a protected resource that allows public access.
Keep Path on Fill Service: If you are keeping the path, select the default path and delete it. Click New, specify the path to the nesp application (for example, /j2ee/nesp), then click OK. The protected resource that you created for this path should be automatically assigned to the path. Then create the path to the application: click New, specify the path to the application (for example, /j2ee/payroll), then click OK. The protected resource that you created for this path should be automatically assigned to the path.
If the wrong protected resource is assigned, return to the protected resource step above and create protected resources with the correct paths.
Click the Web Servers tab.
To configure SSL, select Connect Using SSL. This option is not available if you have not set up SSL between the browsers and the Access Gateway. See Configuring SSL Communication with the Browsers and the Identity Server in the Novell Access Manager 3.1 SP2 Access Gateway Guide and select the field that enables SSL there.
Configure how you want the certificate verified. If you choose to verify it, the auto import screen appears:
Select the IP address of the application server and change the port if the application server is using a different port for SSL.
Click OK. The server certificate, the root CA certificate, and any CA certificates from a chain are displayed and selected.
Specify an alias, then click OK.
In the Connect Port option, specify the port that your application server uses for SSL connections. For JBoss, the default value is 8443. For WebSphere, the default value is 9443. For WebLogic, the default value is 7002.
Click OK.
Click the Configuration Panel link. On the Access Gateways page, click Update.
Continue with Configuring a Protected Agent for Access.
Figure 2-4 illustrates the basic configuration for a domain-based proxy service. The mycompany.com name is the published DNS name of the parent proxy service that protects the Web server. The j2ee.mycompany.com name is the published DNS name of the proxy service that protects the J2EE server.
Figure 2-4 J2EE Server as a Domain-Based Protected Resource
You must set up your DNS configuration so that it resolves both mycompany.com and j2ee.mycompany.com to the IP address of your Access Gateway. The Access Gateway then proxies requests for mycompany.com to the Web server (mywebserver.com) and requests for j2ee.mycompany.com to the application server.
In the Administration Console, open the reverse proxy of the Access Gateway that you want to configure. The following steps assume that you have already enabled SSL between the Access Gateway and the browsers. If you haven't, see Configuring SSL Communication with the Browsers and the Identity Server in the Novell Access Manager 3.1 SP2 Access Gateway Guide.
In the Proxy Service List section, click New, then fill in the following fields:
Proxy Service Name: Specify a display name for this configuration.
Multi-Homing Type: Because this configuration example uses a domain name to access the J2EE server, select Domain-Based.
Published DNS Name: Specify the domain name for the application server. For the configuration in Figure 2-4, this is j2ee.mycompany.com.
Web Server IP Address: Specify the IP address of the application server. For the configuration in Figure 2-4, enter 10.10.70.25.
Host Header: Select either Forward Received Host Name or Web Server Host Name.
Click OK.
Click the name of the proxy service you just created.
Click the Web Servers tab.
To configure SSL, select Connect Using SSL. This option is not available if you have not set up SSL between the browsers and the Access Gateway. See Configuring SSL Communication with the Browsers and the Identity Server in the Novell Access Manager 3.1 SP2 Access Gateway Guide and select the field that enables SSL there.
Configure how you want the certificate verified. If you choose to verify it, the auto import screen appears:
Select the IP address of the application server and change the port if the application server is using a different port for SSL.
Click OK. The server certificate, the root CA certificate, and any CA certificates from a chain are displayed and selected.
Specify an alias, then click OK.
In the Connect Port option, specify the port that your application server uses for SSL connections. For JBoss, the default value is 8443. For WebSphere, the default value is 9443. For WebLogic, the default value is 7002.
To create a protected resource for the application server, click Protected Resources, then click New. Specify a name for the resource, then click OK.
Configure the resource for the type of protection you want.
Public Access to the First Page: If you want users to be able to access the first page of the application without authentication, select None for the type of contract and accept the default path in the Path List. Click OK, then continue with the step below that verifies the protected resources are enabled. The J2EE Agent configuration allows you to set up authentication and access restrictions for the pages in the application.
Authentication Required for the First Page: If you want users to authenticate before they have access to the first page of the application, you need to create two protected resources: one to prompt for authentication and one to allow public access to the nesp application.
For this first protected resource, select None for the contract.
In the Path List, specify the following path: /nesp
Click OK twice.
To add a second protected resource, click New, specify a name, then click OK.
For the contract, select the contract you want to use for authentication.
In the Path List, specify the path to the application. For the sample payroll application, this is the following path: /payroll
Click OK twice.
In the Protected Resource List, make sure your J2EE protected resources are enabled, then click OK.
Click the Configuration Panel link. On the Access Gateways page, click Update.
Continue with Configuring a Protected Agent for Access.
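The path-based and domain-based procedures above, as an added example that is not code from this guide or from Access Manager: a small Python model of how a request is assigned to a proxy service (parent, path-based child, or domain-based), what the back-end request looks like with and without Remove Path on Fill, and which protected resource governs it. It generalizes the page's two figures into one routing function; the parent Web server address 10.10.10.10, the resource names, and the helper names are assumptions. The check_service function encodes the two rules stated in the path-based procedure: a service that removes its path can carry only one protected resource, and the nesp path must be reachable without authentication.

```python
"""Added example: model of Access Gateway multi-homing routing and protected
resource matching. Illustration only, not Access Manager's implementation."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Optional

PUBLIC = "None"   # the contract that requires no authentication


@dataclass
class ProtectedResource:
    name: str
    contract: str        # PUBLIC, or the name of an authentication contract
    paths: List[str]     # path patterns, e.g. "/*", "/j2ee/payroll"


@dataclass
class ProxyService:
    name: str
    published_dns: str
    web_server: str                   # IP address of the back-end server
    path: Optional[str] = None        # multi-homing path; None = parent or domain-based
    remove_path_on_fill: bool = False
    resources: List[ProtectedResource] = field(default_factory=list)


@dataclass
class Decision:
    service: str
    backend: str
    backend_path: str
    resource: Optional[str]
    contract: Optional[str]

    @property
    def authentication_required(self) -> bool:
        return self.contract is not None and self.contract != PUBLIC


def select_service(services, host, path):
    """Path-based children share the parent's published DNS name; the longest
    matching multi-homing path wins, otherwise the parent service."""
    same_host = [s for s in services if s.published_dns == host]
    children = [s for s in same_host
                if s.path and (path == s.path or path.startswith(s.path + "/"))]
    if children:
        return max(children, key=lambda s: len(s.path))
    parents = [s for s in same_host if s.path is None]
    return parents[0] if parents else None


def select_resource(service, path):
    """Most specific (longest) matching pattern wins; "/*" matches everything."""
    best = None
    for res in service.resources:
        for pattern in res.paths:
            if fnmatchcase(path, pattern) and (best is None or len(pattern) > len(best[1])):
                best = (res, pattern)
    return best[0] if best else None


def route(services, host, path):
    service = select_service(services, host, path)
    if service is None:
        return None
    backend_path = path
    if service.path and service.remove_path_on_fill:
        # the multi-homing path is stripped before the request is sent on
        backend_path = path[len(service.path):] or "/"
    res = select_resource(service, path)   # matched on the browser-facing path
    return Decision(service.name, service.web_server, backend_path,
                    res.name if res else None, res.contract if res else None)


def check_service(services, service):
    """Configuration checks drawn from the procedure text."""
    problems = []
    if service.path and service.remove_path_on_fill and len(service.resources) > 1:
        problems.append("a path-based service that removes its path can carry only one protected resource")
    nesp = (service.path or "") + "/nesp"
    d = route(services, service.published_dns, nesp)
    if d is None or d.service != service.name or d.authentication_required:
        problems.append(f"{nesp} must be reachable without authentication")
    return problems


# Constructed sample mirroring Figure 2-3 and Figure 2-4; the parent Web server
# address 10.10.10.10 is an assumption not given on the page.
AUTH = "Secure Name/Password - Form"
SAMPLE = [
    ProxyService("web", "www.mytest.com", "10.10.10.10"),
    ProxyService("j2ee-path", "www.mytest.com", "10.10.10.40", path="/j2ee",
                 resources=[ProtectedResource("nesp-public", PUBLIC, ["/j2ee/nesp"]),
                            ProtectedResource("payroll", AUTH, ["/j2ee/payroll"])]),
    ProxyService("j2ee-domain", "j2ee.mycompany.com", "10.10.70.25",
                 resources=[ProtectedResource("nesp-public", PUBLIC, ["/nesp"]),
                            ProtectedResource("payroll", AUTH, ["/payroll"])]),
]
# Variant for a J2EE server on which /j2ee does not exist: path removed, one public resource.
REMOVE_PATH = [
    ProxyService("web", "www.mytest.com", "10.10.10.10"),
    ProxyService("j2ee-path", "www.mytest.com", "10.10.10.40", path="/j2ee",
                 remove_path_on_fill=True,
                 resources=[ProtectedResource("j2ee-public", PUBLIC, ["/*"])]),
]

if __name__ == "__main__":
    for host, path in [("www.mytest.com", "/j2ee/payroll"), ("www.mytest.com", "/index.html"),
                       ("j2ee.mycompany.com", "/payroll")]:
        print(host + path, route(SAMPLE, host, path))
    print(route(REMOVE_PATH, "www.mytest.com", "/j2ee/payroll"))
```

Routing www.mytest.com/j2ee/payroll through the remove-path variant shows the consequence the procedure warns about: the request reaches the server as /payroll and the Access Gateway applies the public /* resource, so any restriction on the payroll pages has to come from the agent.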
In the Administration Console, open the configuration page of the J2EE agent. Fill in the fields:
Identity Server Cluster: Select the Identity Server you want the agent to trust for authentication by selecting the configuration you have assigned to the Identity Server. Before you configure the agent, this field shows its default option.
Contract: Select the type of contract, which determines the information a user must supply for authentication. By default, the Administration Console allows you to select from the following contracts and options when specifying an authentication contract.
Name/Password - Basic: Specifies basic authentication over HTTP, using a standard login pop-up provided by the Web browser.
Name/Password - Form: Specifies a form-based authentication over HTTP, using the Access Manager login form.
Secure Name/Password - Basic: Specifies basic authentication over HTTPS, using a standard login pop-up provided by the Web browser.
Secure Name/Password - Form: Specifies a form-based authentication over HTTPS, using the Access Manager login form.
Any Contract: If the user has authenticated, allows any contract defined for the Identity Server to be valid; or if the user has not authenticated, prompts the user to authenticate by using the default contract assigned to the Identity Server configuration.
You can also configure other contract types. The two contracts over plain HTTP send the user's name and password without TLS protection; if you have enabled SSL between the browsers and the Access Gateway, as the procedures above assume, choose one of the Secure (HTTPS) contracts.
J2EE Application Server URL: Specify the URL to access the application server, including the port. Select the format based on whether the agent is protected by a path-based or a domain-based proxy service.
If the agent is protecting a path-based proxy service, specify the published DNS name of the Access Gateway proxy service, including the path. For example:
http://j2ee.mycompany.com/j2ee
If the agent is protecting a domain-based proxy service, specify the published DNS name of the Access Gateway proxy service. For example:
http://j2ee.mycompany.com
SOAP Base URL: Specify the URL used to communicate between the agent components residing in an application server. If you have created a cluster, select each cluster node from the drop-down list and specify a separate URL for each node. The SOAP URL must end with nesp. For example:
https://j2ee.mycompany.com:8443/nesp
Both the J2EE Application Server URL and the SOAP Base URL have three parts:
Scheme: For the scheme, specify the scheme you have configured the Access Gateway to use for connections (http or https). If you have configured the Access Gateway to use SSL, the scheme needs to be https.
Domain: Specify the published DNS name of the Access Gateway proxy service.
Path: (Conditional) If the proxy service is a path-based service, specify the path. For this example, this is /j2ee.
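The three-part rule above, as an added example that is not code from this guide or from Access Manager: two Python helpers that build the J2EE Application Server URL and the SOAP Base URL from scheme, published DNS name and conditional path, and then check a pair of URLs against the rules stated in this section (https when the Access Gateway uses SSL, same published DNS name in both, the path present in both for a path-based service, SOAP URL ending in nesp). The DNS names and port 8443 are the page's own example values; the function names are assumptions.

```python
"""Added example: build and sanity-check the agent's two URLs. Illustration only."""
from urllib.parse import urlsplit


def build_agent_urls(scheme, published_dns, soap_port, path=""):
    """Returns (J2EE Application Server URL, SOAP Base URL). path is "" for a
    domain-based proxy service and e.g. "/j2ee" for a path-based one."""
    app_url = f"{scheme}://{published_dns}{path}"
    soap_url = f"{scheme}://{published_dns}:{soap_port}{path}/nesp"
    return app_url, soap_url


def check_agent_urls(app_url, soap_url, gateway_uses_ssl, path=""):
    """Returns a list of problems; an empty list means the pair follows the rules."""
    problems = []
    app, soap = urlsplit(app_url), urlsplit(soap_url)
    if gateway_uses_ssl:
        for label, u in (("J2EE Application Server URL", app), ("SOAP Base URL", soap)):
            if u.scheme != "https":
                problems.append(f"{label}: scheme must be https when the Access Gateway uses SSL")
    if app.hostname != soap.hostname:
        problems.append("both URLs must use the published DNS name of the same proxy service")
    if path and not (app.path.startswith(path) and soap.path.startswith(path)):
        problems.append(f"path-based service: both URLs must include the path {path}")
    if soap.path.rstrip("/").split("/")[-1] != "nesp":
        problems.append("SOAP Base URL must end with /nesp")
    return problems


if __name__ == "__main__":
    # constructed inputs using the page's example names
    print(build_agent_urls("https", "j2ee.mycompany.com", 8443))
    print(build_agent_urls("https", "www.mytest.com", 8443, "/j2ee"))
    print(check_agent_urls("http://j2ee.mycompany.com/j2ee",
                           "https://j2ee.mycompany.com:8443/nesp", True, "/j2ee"))
```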
Apply the changes, then return to the list of J2EE agents.
To update the Identity Server, open the Identity Servers page and click Update. Whenever you set up a new trusted identity configuration, you need to update the Identity Server.
Continue with Preparing the Applications and the J2EE Servers.