The iChain Wizard is an interface included with ConsoleOne that helps to integrate the configuration of the iChain Proxy Server and the iChain Authentication Server. It can dramatically decrease the amount of time needed to accelerate a resource on the network. While most normal configurations can be done using the wizard, there are some advanced configurations which still require the use of the Web-based administration utility or the command line.
The following walkthrough assumes you have configured a LAN adapter and enabled the FTP server as described in Installing the iChain Proxy Services Software. Only the steps necessary to create a working configuration are described in this section. A detailed listing of all the wizard options is available in iChain Management.
To launch the iChain Wizard:
In ConsoleOne, select the container where you want to create your iChain objects.
Select Wizards > iChain Web Server Accelerator.
Several wizard pages will follow, as described in this section.
If you have already created an iChain Service object, select it by using the browser button next to the iChain Service Object field. Otherwise, you can create an iChain Service object by entering the common name without the context in the iChain Service Object field and clicking Enter. You will then be prompted to create the object in the container you selected when launching the wizard.
Enter the IP address of the LAN adapter for the iChain Proxy Server that has the FTP server enabled in the Master Proxy Server IP address field.
Click Next. You will be prompted for a password. Enter the password you have selected for the Config user on the iChain Proxy Server, or leave this field blank if no password was set.
Click OK to log in and read the configuration from the iChain Proxy Server. If the login is successful, click Next to proceed to Page 2 of the wizard. Otherwise, you will need to determine why the wizard failed and try to log in again.
Click Add to create a new iChain Access Control Server. The information on this page corresponds to the Configure > Access Control page in the Web-based administration utility.
Enter the IP address, port, administrator name, and password for the iChain authentication server in the ensuing dialog box. The administrator name should be in LDAP format; if you use the Browse button to select the user, the name will automatically be formatted correctly. If you will be using secure LDAP for access control, check the LDAP over SSL box and enter the name of the trusted root file. You will need to import the trusted root through the Web utility. Click OK to save this information.
Enter optional information as described in iChain Management.
Click Next to continue to Wizard Page 3.
If this is an initial configuration, enter the Web server accelerator name and DNS name.
The accelerator name must be 8 characters or less and must be unique.
The DNS name is the DNS name by which users will access the Web server and should resolve to the public IP address of the iChain Proxy Server.
When additional accelerators have been configured, you can modify, delete, and set up path-based multi-homing from this page as well.
Click Next to continue to Wizard Page 4.
Click Add (located next to the Web Server Addresses field). Enter the private IP addresses or DNS names of the origin Web server in this field. Clients should not be able to access this address directly, or iChain can be bypassed.
Enter the port the origin Web server is running on in the Web server port field.
Select the check box next to the public IP addresses through which clients can access this Web server.
NOTE: You cannot currently define new proxy server IP addresses through the wizard. This must be done from the command line or the Web-based administration utility.
Enter the port through which the content will be delivered from the iChain Proxy Server to the browser in the Accelerator proxy port field.
Click Next to continue to Wizard Page 5.
Select the Enable Authentication check box to enable the authentication option fields.
Select the Enable Secure Exchange check box if you want content delivered from the iChain Proxy Server to the client over a secure channel.
In the SSL Listening Port field, enter the secure port for authentication and Secure Exchange to use. This port must be different for each accelerator using a given IP address on the iChain Proxy Server.
If you have created a custom certificate using the iChain certificate creation utility, you can enter the name in the SSL Certificate Name field. Otherwise, leave the setting on Auto and iChain will generate its own certificates.
In the Session Timeout Interval field, enter the idle time before re-authentication is required.
Select the Forward Authentication Information to Web Server check box if you want user credentials or OLAC parameters passed to the origin Web server.
Select the Authenticate over HTTP check box if you want LDAP authentication to occur over an HTTP (clear text) connection.
NOTE: The Authenticate over HTTP option cannot be used simultaneously with Secure Exchange or SSL Certificate Authentication.
Select the Add button (located next to the Authentication Profiles field).
This area is very similar to the Configure > Authentication tab in the Web-based administration utility, and can be used to add, delete, or modify authentication profiles.
Enter a unique name, 8 characters or less, in the name field.
Select the radio button for the type of profile you want to create: mutual SSL certificate authentication, LDAP authentication, or RADIUS authentication.
This walkthrough assumes LDAP authentication is used. Click the Authentication Options button.
Click Add (located next to the LDAP Servers field). Enter the IP address, port, and security settings (if applicable) for the iChain Authorization server, as done in Wizard Page 2.
Click OK. Repeat Step 11 for any additional servers used for authentication failover.
Select whether users will authenticate using their distinguished username, e-mail address, or another LDAP field by selecting the appropriate radio button.
Add the contexts where users can be found by selecting the Add button (located next to LDAP User Contexts for DN logins or LDAP Search Base for e-mail and LDAP field name logins).
You can either manually enter the container name in comma-delimited LDAP format or use the Browser button to select the container.
For e-mail and LDAP field logins, select whether an anonymous bind or an LDAP proxy user is used to search the tree. If applicable, enter the proxy username and password.
For LDAP field logins, enter the name of the LDAP attribute that users log in with.
Click OK > OK to save the new authentication profile.
Click the check box next to the desired profiles to use them for this accelerator.
If multiple authentication profiles are used together (such as an LDAP and a mutual SSL profile), use the Multiple Profile Rule to determine whether only one method (Or) or all the specified methods (And) are required to log in.
Add any advanced authentication options as described in iChain Management.
Click Next to continue to Wizard Page 6.
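The rules stated on Wizard Pages 3 through 5 can be checked against a written plan before the values are entered. The following is an added example, not part of the iChain product or its documentation: the plan format and key names are hypothetical, all addresses are constructed samples, and "private" is assumed to mean an RFC 1918 address.

```python
import ipaddress
from collections import defaultdict

# Hypothetical plan format (not an iChain file format); all values are constructed samples.
SAMPLE_PLAN = [
    {"name": "intranet", "public_ips": ["192.0.2.10"], "origins": ["10.1.1.20"],
     "ssl_port": 443, "secure_exchange": True},
    {"name": "hrportal1", "public_ips": ["192.0.2.10"], "origins": ["10.1.1.21"],
     "ssl_port": 443, "secure_exchange": True},
    {"name": "webmail", "public_ips": ["192.0.2.11"], "origins": ["203.0.113.7"],
     "ssl_port": 443, "secure_exchange": True, "auth_over_http": True},
]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def validate_plan(accelerators):
    """Return (accelerator name, problem) pairs for rules stated on Wizard Pages 3-5."""
    problems, seen_names = [], set()
    ssl_users = defaultdict(list)  # (public IP, SSL listening port) -> accelerator names
    for acc in accelerators:
        name = acc["name"]
        # Page 3: the accelerator name must be 8 characters or less and unique.
        if not 1 <= len(name) <= 8:
            problems.append((name, "name must be 1 to 8 characters"))
        if name in seen_names:
            problems.append((name, "name is not unique"))
        seen_names.add(name)
        # Page 4: origin addresses should be private, or clients can bypass iChain.
        # DNS names are skipped here; their reachability has to be tested on the network.
        for origin in acc["origins"]:
            try:
                addr = ipaddress.ip_address(origin)
            except ValueError:
                continue
            if not any(addr in net for net in RFC1918):
                problems.append((name, f"origin {origin} is not an RFC 1918 private address"))
        # Page 5: Authenticate over HTTP excludes Secure Exchange and SSL certificate auth.
        if acc.get("auth_over_http") and (acc.get("secure_exchange") or acc.get("ssl_cert_auth")):
            problems.append((name, "Authenticate over HTTP conflicts with Secure Exchange "
                                   "or SSL certificate authentication"))
        # Page 5: the SSL listening port must differ per accelerator on a given proxy IP.
        if acc.get("ssl_port") is not None:
            for ip in acc["public_ips"]:
                ssl_users[(ip, acc["ssl_port"])].append(name)
    for (ip, port), names in ssl_users.items():
        for later in names[1:]:
            problems.append((later, f"SSL listening port {port} on {ip} already used by {names[0]}"))
    return problems

if __name__ == "__main__":
    for name, problem in validate_plan(SAMPLE_PLAN):
        print(f"{name}: {problem}")
```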
Page 6 of the wizard is identical to the Protected Resource page for the iChain service object selected on Wizard Page 1.
To create a protected resource:
Specify a name for the resource and the URL for the resource. This should be in the form http://www.resource.com, where www.resource.com is the DNS name specified when you created the Web Server Accelerator. The iChain snap-in will automatically attach the http:// prefix, so all that needs to be entered is the DNS name.
NOTE: If the URL starts with https:// (that is, this is a secure Web site), you will still need to specify http:// in this field. iChain uses this field for matching purposes. It does not affect the URL in the query string.
Choose whether this protected resource will be Public, Restricted, or Secure. See Differentiating Among Protected Resources for more information.
This walkthrough assumes a secure resource, requiring both authentication (login) and authorization (ensuring the authenticated user has permission) to access the resource.
Select whether any associated OLAC parameters should be sent in the query string or as header variables by selecting the appropriate radio button.
Click OK to save the new protected resource.
If you want to specify Object-Level Access Control parameters, they can be entered using the OLAC button under the Modify button. See Setting Up Protected Resources and Setting Up Object-Level Access Control for more details.
Click Next to save the information and continue with the wizard.
Use the Browse button (located next to the Access Control Rule field) to select the desired ACL rule.
You can also create a new rule by typing the context-free common name in the Access Control Rule field and selecting Enter.
Once an ACL rule is selected or created, the screen will display the parameters for the selected ACL rule. This is identical to the information in the Access Control properties tab for the ACL rule.
Enter the Allowed URLs as defined in Defining iChain Access Control Rules.
A simple configuration to apply this rule to the entire Web site can be created by entering the resource name defined in Wizard Page 6 and adding /* in the URL Postfix. The forward slash corresponds to the root directory of the Web server, and the asterisk is a wildcard meaning all files in this directory and all subdirectories.
If desired, add Excluded URLs as defined in ACL Exceptions.
Click Add (located next to the Apply To List field) to add the users to which this rule will grant access. You can also select containers and groups as desired.
If desired, in the Exception List, select individual users to deny access to.
Click Next to continue to the Summary page.
At any time in the wizard, you can activate the changes you have made by clicking the Finish button. This will display a summary of the configuration that you can view before the changes take effect. Once you complete the wizard, the changes you have made will be visible both in the Web-based administration utility and in subsequent uses of the wizard. See iChain Management for a detailed description of the options available in the iChain Wizard.