Previous Page: Setting Up Secure Exchange  Next Page: Multi-homed Configurations

Advanced Access Control Configuration

This section contains information about the following topics:

  Enabling ACL Rule Checking for Community Objects
  Enabling Debugging Messages for Access Control
  Using ACLCHECK Options

Enabling ACL Rule Checking for Community Objects

iChain 2.1, by default, will not check community objects for ACL rules. Community objects existed in previous versions of iChain but are no longer provided in version 2.1; however, the functionality is provided to allow the use of pre-existing community objects.

To enable ACL rule checking for community objects when upgrading from iChain 1.5 to iChain 2.1, administrators should do the following:

  1. Unlock the console.

  2. Edit the appstart.ncf file.

  3. Change the load aclcheck entry to load aclcheck /m.

  4. Restart the machine.

After this change, ACL rules are checked in the following sequence (the community entries are the ones the /m option adds):

  1. OUs
  2. OUs' communities
  3. groups
  4. groups' communities
  5. user
  6. user's communities

If the /m option is not specified, the community entries (OUs' communities, groups' communities, and user's communities) are skipped when checking ACL rules.


Enabling Debugging Messages for Access Control

The module that provides iChain's Access Control (ACLCHECK.NLM) can be configured to output debug information. The administrator can choose one of two levels of increasingly detailed information. This information can be helpful to developers and consultants. By default, no debug information is output.

To enable these debugging options, an administrator should:

  1. Edit the APPSTART.NCF file on the iChain Proxy Server.

  2. Find the line containing the LOAD ACLCHECK command and add a debug level switch at the end of that line, for example: LOAD ACLCHECK /D2

  3. Shut down and restart the proxy server.


Using ACLCHECK Options

The ACLCHECK utility can be used with a number of options to refine rule checking. These options are not case sensitive. When you change an ACLCHECK option, the update is stored in the appstart.ncf file.


Table 3. ACLCHECK command line options

Check dynamic ACLs
  Syntax:  ACLCHECK /Q
  Example: ACLCHECK /Q
  By default, dynamic ACLs are checked after all traditional (static) ACLs have been checked. If this option is specified, ACLCHECK checks dynamic ACLs first. Use this option when most of your ACLs are dynamic.

Cache refresh interval
  Syntax:  ACLCHECK /Fnumber_of_minutes
  Example: ACLCHECK /F300
  Default: 180 minutes
  Keep this number higher if you are unlikely to change DS information frequently. This can improve performance, because ACLCHECK does not need to discard the cache it has already built up.

Maximum log file size
  Syntax:  ACLCHECK /Smax_file_size_in_KB
  Example: ACLCHECK /S2000
  Default: 1 MB

Number of connection handles for the LDAP server
  Syntax:  ACLCHECK /Cnumber_of_connections
  Example: ACLCHECK /C70
  Default: 10
  If you see an error message stating that ACLCHECK was unable to obtain any LDAP handles, increase this number. The maximum recommended number of connections is 70.

Debug level
  Syntax:  ACLCHECK /Dlevel
  Example: ACLCHECK /D2
  Default: 0
  Debug information can be helpful to developers and consultants. Set the level to 1 or 2 for increasingly detailed information.

Utility help
  Syntax:  ACLCHECK /H
  Example: ACLCHECK /H
  Displays information about ACLCHECK.
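As an added example, not from the iChain documentation or product: a small Python script that reads the LOAD ACLCHECK line of an APPSTART.NCF file, reports the effective settings using the defaults and limits listed in this table, flags settings worth a second look (debug output left on, more LDAP handles than the recommended 70, unknown switches), applies the community-object upgrade step from the section above (adding /m) idempotently, and returns the resulting ACL check sequence. The file layout it handles (a single LOAD ACLCHECK line, switches written as /Xnnn) and the sample file contents are assumptions made for this example.

```python
"""Audit and adjust the LOAD ACLCHECK line of an iChain APPSTART.NCF file.

Added example, not part of the iChain documentation or product. Option letters,
defaults and limits come from the ACLCHECK options table on this page; the
file format handling (one LOAD ACLCHECK line, switches of the form /Xnnn)
is an assumption.
"""
import re

# Documented defaults (this page): /F 180 min, /S 1 MB, /C 10, /D 0.
DEFAULTS = {
    "dynamic_first": False,        # /Q  check dynamic ACLs before static ones
    "cache_refresh_minutes": 180,  # /F
    "max_log_kb": 1024,            # /S  (documented default: 1 MB)
    "ldap_handles": 10,            # /C
    "debug_level": 0,              # /D  0 = no debug output
    "check_communities": False,    # /M  check community objects (1.5 upgrade)
}
MAX_RECOMMENDED_LDAP_HANDLES = 70
MAX_DEBUG_LEVEL = 2
NUMERIC_KEYS = {"F": "cache_refresh_minutes", "S": "max_log_kb",
                "C": "ldap_handles", "D": "debug_level"}

# Matches "LOAD ACLCHECK ..." in any letter case; group(1) is the switch tail.
LOAD_RE = re.compile(r"^\s*load\s+aclcheck(?:\.nlm)?\b(.*)$", re.IGNORECASE)
SWITCH_RE = re.compile(r"/([A-Za-z])(\d*)")

# Constructed sample APPSTART.NCF fragment (not taken from a real server).
SAMPLE_NCF = """; APPSTART.NCF - constructed sample
LOAD PROXY
load aclcheck /D2 /C80 /F300
"""


def parse_aclcheck_options(ncf_text):
    """Return (options, warnings) for the last LOAD ACLCHECK line in ncf_text."""
    opts = dict(DEFAULTS)
    warnings = []
    matches = [m for m in map(LOAD_RE.match, ncf_text.splitlines()) if m]
    if not matches:
        warnings.append("no LOAD ACLCHECK line found; access control module not loaded")
        return opts, warnings
    if len(matches) > 1:
        warnings.append("multiple LOAD ACLCHECK lines; using the last one")
    for letter, number in SWITCH_RE.findall(matches[-1].group(1)):
        letter = letter.upper()  # switches are not case sensitive
        if letter == "Q":
            opts["dynamic_first"] = True
        elif letter == "M":
            opts["check_communities"] = True
        elif letter == "H":
            warnings.append("/H (help) in a startup file has no configuration effect")
        elif letter in NUMERIC_KEYS:
            if not number:
                warnings.append(f"/{letter} given without a number; default kept")
                continue
            opts[NUMERIC_KEYS[letter]] = int(number)
        else:
            warnings.append(f"unknown switch /{letter}{number}")
    if opts["ldap_handles"] > MAX_RECOMMENDED_LDAP_HANDLES:
        warnings.append(f"/C{opts['ldap_handles']} exceeds recommended maximum "
                        f"of {MAX_RECOMMENDED_LDAP_HANDLES}")
    if opts["debug_level"] > MAX_DEBUG_LEVEL:
        warnings.append(f"/D{opts['debug_level']} is above the documented levels 1-2")
    elif opts["debug_level"] > 0:
        warnings.append("debug output enabled; review log volume on a production proxy")
    return opts, warnings


def acl_check_sequence(opts):
    """Order in which ACLCHECK evaluates rules, with or without /M."""
    seq = []
    for principal, community in (("OUs", "OUs' communities"),
                                 ("groups", "groups' communities"),
                                 ("user", "user's communities")):
        seq.append(principal)
        if opts["check_communities"]:
            seq.append(community)
    return seq


def enable_community_checking(ncf_text):
    """Return ncf_text with /M appended to the LOAD ACLCHECK line (idempotent).

    This is the upgrade step described above: load aclcheck -> load aclcheck /m.
    """
    out = []
    for line in ncf_text.splitlines():
        m = LOAD_RE.match(line)
        if m and not any(l.upper() == "M" for l, _ in SWITCH_RE.findall(m.group(1))):
            line = line.rstrip() + " /M"
        out.append(line)
    return "\n".join(out) + ("\n" if ncf_text.endswith("\n") else "")


if __name__ == "__main__":
    options, warns = parse_aclcheck_options(SAMPLE_NCF)
    print("effective settings:", options)
    for w in warns:
        print("warning:", w)
    print("check sequence:", acl_check_sequence(options))
    upgraded = enable_community_checking(SAMPLE_NCF)
    print("after /M:", acl_check_sequence(parse_aclcheck_options(upgraded)[0]))
```

Run it against a copy of the real APPSTART.NCF rather than the constructed sample to see which switches a proxy is actually loading with; the warnings are the items an administrator would want to review before restarting the server.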
