The fifth page of the wizard is where the accelerator authentication parameters are specified. The user enables or disables authentication, enables or disables Secure Exchange, and creates authentication profiles. See Figure 49.
Figure 49
Accelerator Authentication Parameter Page
The following table describes the fields on this page:
Table 17.
Field Name | Description | Status |
---|---|---|
| Enable Authentication | Checking this option forces a user to authenticate before accessing this Web server. | Optional |
| Enable Secure Exchange | Checking this option enables Secure Exchange (formerly known as SSLizer). Advanced options for Secure Exchange are not currently available from the wizard, but can be set from the proxy server administration application. | Optional. If you enable this option, see Using Third-Party Certificates for instructions on how to import the trusted root. |
| SSL Listening Port | The SSL port that the user is redirected to for authentication if Secure Exchange is enabled. | Required if authentication or Secure Exchange is enabled |
| SSL Certificate Name | The certificate name for this accelerator. If the name does not appear in the drop-down list, it can be entered manually. | Required if Secure Exchange is enabled |
| Session Timeout Interval | The amount of time a connection can be inactive before re-authentication is required. | Required if authentication or Secure Exchange is enabled |
| Forward iChain Cookie to Web Server | Sends the iChain cookie to the Web server along with the other data being sent. | Optional |
| Forward Authentication Information to Web Server | Sends the username and/or password to the Web server. The back-end server then receives the user's credentials, so enable this only for Web servers you trust and only over a protected link. | Optional |
| Authenticate over HTTP | Allows authentication over unencrypted HTTP instead of HTTPS. Credentials submitted this way cross the network in cleartext. This feature is not compatible with RADIUS authentication profiles. | Optional |
| Authentication Profiles | Each existing profile is listed; those in use appear with a check box. At least one profile must be checked when authentication is enabled. When multiple profiles are in the list, more than one may be enabled. Currently, only Mutual SSL profiles may be used together with LDAP or RADIUS profiles; LDAP and RADIUS profiles cannot be used together. | Required if authentication is enabled |
| Multiple Profile Rule | Only valid if multiple Authentication Profiles are checked. Selects whether only one of the checked profiles must succeed (OR) or whether all selected authentication methods must succeed before authentication is granted (AND). OR is the default when multiple profiles are checked. | |
| Create another accelerator | If this checkbox is checked when the user selects the Next button, the wizard returns to the Accelerator Specification Page, where a new accelerator may be created. This saves the user from having to select the Next button and then select the Back button three times to return to the Accelerator Specification Page. | Optional |
This section describes the following buttons:
The Advanced Options button launches the Advanced Authentication Options dialog as shown in Figure 50.
The Add button launches the Add Authentication Profile dialog box.
The Delete button allows the user to delete an existing Authentication Profile.
The Edit button launches the Modify Authentication Profile dialog box.
The Advanced Authentication Options dialog box allows you to specify advanced authentication options, including options that are set under special circumstances. See Figure 50.
Figure 50
Advanced Authentication Options Dialog Box
The following table describes the fields in this dialog box:
Table 18.
The Add Authentication Profile dialog box allows you to name and create authentication profiles. The Modify Authentication Profile dialog box is exactly the same except for the dialog box title. See Figure 51.
Figure 51
Add Authentication Profile Dialog Box
The following table describes the fields in this dialog box:
Table 19.
The Mutual Certificate Mapping dialog box allows you to configure certificate mapping types. See Figure 52.
Figure 52
Mutual Certificate Mapping Dialog Box
The following table describes the fields in this dialog box:
Table 20.
Field Name | Description | Status |
---|---|---|
| Directory Name | Enables certificate mapping, which offers four ways to map the user certificate to a user in the iChain LDAP Authentication tree. | Optional |
| Use sasAllowableSubjectNames attribute | If no user is found with Directory Name mapping and Use sasAllowableSubjectNames is also enabled for directory name mapping, the LDAP Authentication tree is searched for a user whose sasAllowableSubjectNames attribute contains the Directory Name from the Subject Alternative Name field of the certificate. If sasAllowableSubjectNames is enabled, the LDAP Authentication tree should be configured so that no allowed name appears in the sasAllowableSubjectNames attribute of more than one user. | |
| Email Description | With Email mapping, there are two possible fields in the user certificate that can be used to identify the user. The first is the Subject Alternative Name field of the user certificate, with a name type of RFC822. The second is an e-mail name embedded in the Subject field of the certificate. If both the Subject field and the Subject Alternative Name field contain an e-mail address, only the Subject Alternative Name is used. | |
| Attribute Mapping | The LDAP attribute that is matched against the e-mail address from the certificate when searching for a user in the LDAP Authentication tree. The default LDAP attribute is mail, which is the attribute currently used by GroupWise and Novell Certificate Server. The LDAP Authentication tree should be configured so that no e-mail address appears in the configured attribute of more than one user. | |
| Serial number and issuer name | With serial number and issuer name mapping, the serial number and the issuer name fields from the certificate are used together to identify the user. | |
| Attribute mapping | Both the issuer name and the serial number must be stored in the same LDAP attribute of the user. The LDAP attribute that is used is specified in this field. It can be any Case Ignore List or Case Ignore String attribute of the user. If you are configuring your own attribute, make sure the attribute is added to the Person class. | |
| Subject name | A user in the LDAP Authentication tree matching the Subject Name field of the certificate is checked first. | |
| Use sasAllowableSubjectNames attribute | If no user is found with Subject name mapping and Use sasAllowableSubjectNames is also enabled for directory name mapping, the LDAP Authentication tree is searched for a user whose sasAllowableSubjectNames attribute contains the Directory Name from the Subject Alternative Name field of the certificate. If sasAllowableSubjectNames is enabled, the LDAP Authentication tree should be configured so that no allowed name appears in the sasAllowableSubjectNames attribute of more than one user. | |
| Add button | The iChain Proxy Server can be configured to use any combination of the four mapping types. This button adds a type to the Mapping types currently in use list. | |
| Remove button | Removes a type from the Mapping types currently in use list. | |
| Order up button | Moves a mapping type up within the Mapping types currently in use list. NOTE: When searching for a user with the configured mappings, the first user found is the user used for authentication and access control, even if other users would also map to the same certificate. The order of the list therefore decides which identity a certificate resolves to, so keep the mapped attributes unique across users. See Using Certificate Mapping for more information. | |
| Order down button | Moves a mapping type down within the Mapping types currently in use list. The same first-match rule applies as for the Order up button: the first user found is the one used for authentication and access control. See Using Certificate Mapping for more information. | |
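The mapping rules in Table 20 resolve a client certificate to exactly one directory user by walking the configured mapping types in order and stopping at the first user found. The following Python is an added illustration of that resolution logic and is not iChain code. It models the LDAP Authentication tree as a constructed in-memory dictionary, restricts searches to the search bases that the LDAP Options dialog configures later in this section, and implements the precedence rules from the table: a SAN rfc822Name beats an e-mail RDN in the Subject, Directory Name and Subject name fall back to sasAllowableSubjectNames, and issuer name plus serial number are looked up in one attribute. The `Cert` class, the `issuer#serial` encoding, the attribute name `certIssuerSerial`, and the mapping-type names are assumptions made for the example; the product's own storage format for issuer and serial is not described on this page.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Cert:
    """Minimal stand-in for the certificate fields the mapping types use (assumed shape)."""
    subject: str                                  # Subject DN, e.g. "cn=alice,ou=eng,o=example"
    issuer: str                                   # Issuer DN
    serial: int
    san: List[Tuple[str, str]] = field(default_factory=list)  # (type, value): directoryName / rfc822Name


# Constructed stand-in for the LDAP Authentication tree: DN -> multivalued attributes.
# bob and carol deliberately share a mail value to show why uniqueness matters.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=alice,ou=eng,o=example": {"mail": ["alice@example.com"]},
    "cn=bob,ou=eng,o=example": {"mail": ["team@example.com"],
                                "sasAllowableSubjectNames": ["cn=bob-smartcard,ou=pki,o=example"]},
    "cn=carol,ou=sales,o=example": {"mail": ["team@example.com"],
                                    "certIssuerSerial": ["cn=corp ca,o=example#1001"]},
    "cn=eve,ou=contractors,o=other": {"mail": ["alice@example.com"]},  # outside the search base
}


def norm(dn: str) -> str:
    """Normalise a comma-delimited DN for case-insensitive comparison."""
    return ",".join(p.strip().lower() for p in dn.split(","))


def in_bases(dn: str, bases: List[str]) -> bool:
    """True if the entry lies under one of the configured LDAP search bases."""
    n = norm(dn)
    return any(n == norm(b) or n.endswith("," + norm(b)) for b in bases)


def search(attr: str, value: str, bases: List[str]) -> List[str]:
    """Return every user in the search bases whose attribute holds value ("dn" matches the entry DN)."""
    hits = []
    for dn, attrs in DIRECTORY.items():
        if not in_bases(dn, bases):
            continue
        if attr == "dn":
            if norm(dn) == norm(value):
                hits.append(dn)
        elif any(v.lower() == value.lower() for v in attrs.get(attr, [])):
            hits.append(dn)
    return hits


def san_values(cert: Cert, kind: str) -> List[str]:
    return [v for t, v in cert.san if t == kind]


def cert_email(cert: Cert) -> Optional[str]:
    """E-mail used for Email mapping: SAN rfc822Name wins over an e-mail RDN in the Subject."""
    rfc822 = san_values(cert, "rfc822Name")
    if rfc822:
        return rfc822[0]
    for rdn in cert.subject.split(","):
        key, _, val = rdn.strip().partition("=")
        if key.lower() in ("e", "emailaddress"):
            return val
    return None


def candidates(cert: Cert, mapping: str, cfg: dict) -> List[str]:
    """Users that one mapping type yields for this certificate."""
    bases = cfg["search_bases"]
    dir_names = san_values(cert, "directoryName")
    if mapping == "directory":
        hits = [dn for n in dir_names for dn in search("dn", n, bases)]
        if not hits and cfg.get("use_sas_allowable"):
            hits = [dn for n in dir_names for dn in search("sasAllowableSubjectNames", n, bases)]
        return hits
    if mapping == "email":
        email = cert_email(cert)
        return search(cfg.get("mail_attr", "mail"), email, bases) if email else []
    if mapping == "serial_issuer":
        key = f"{norm(cert.issuer)}#{cert.serial}"          # assumed encoding of issuer + serial
        return search(cfg["serial_issuer_attr"], key, bases)
    if mapping == "subject":
        hits = search("dn", cert.subject, bases)
        if not hits and cfg.get("use_sas_allowable"):
            hits = [dn for n in dir_names for dn in search("sasAllowableSubjectNames", n, bases)]
        return hits
    raise ValueError(f"unknown mapping type {mapping}")


def resolve(cert: Cert, mappings: List[str], cfg: dict) -> Tuple[Optional[str], bool]:
    """Walk mapping types in order; first user found wins. Second value flags an ambiguous match."""
    for mapping in mappings:
        hits = list(dict.fromkeys(candidates(cert, mapping, cfg)))
        if hits:
            return hits[0], len(hits) > 1
    return None, False


if __name__ == "__main__":
    cfg = {"search_bases": ["o=example"], "use_sas_allowable": True, "serial_issuer_attr": "certIssuerSerial"}
    card = Cert("cn=bob-smartcard,ou=pki,o=example", "cn=Corp CA,o=example", 1001,
                [("directoryName", "cn=bob-smartcard,ou=pki,o=example"), ("rfc822Name", "team@example.com")])
    print(resolve(card, ["directory", "email"], cfg))   # bob via sasAllowableSubjectNames, unambiguous
    print(resolve(card, ["email", "directory"], cfg))   # still bob, but flagged ambiguous (carol shares the mail)
```

Running the two `resolve` calls with the mapping order swapped shows the point of the Order up and Order down buttons: the same certificate resolves through a different attribute, and when that attribute is not unique the outcome depends on directory iteration order rather than on anything the certificate says.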
This section describes the following buttons:
The LDAP Options button launches the LDAP options dialog box.
The RADIUS Options button launches the RADIUS options dialog box.
The LDAP Options dialog box allows the user to specify LDAP authentication parameters. It is functionally identical to the corresponding dialog box in the iChain Proxy Server administration application. See Figure 53.
Figure 53
LDAP Authentication Profile Options Dialog Box
The following table describes the fields in this dialog box:
Table 21.
This section describes the following buttons:
The Add LDAP Server button allows you to launch the New LDAP Authentication Server dialog box.
The Delete LDAP Server button allows you to delete an authentication server from the list.
The Edit LDAP Server button allows you to launch the Modify LDAP Authentication server dialog box.
The Add LDAP Context button allows you to launch the dialog box to add an LDAP Search Base/User Context (if DN is selected).
The Delete LDAP Context button allows you to delete an LDAP Search Base/User Context from the list.
The Edit LDAP Context button allows you to launch the dialog box to modify an LDAP Search Base/User Context (if DN is selected).
The New LDAP Authentication Server dialog box allows you to specify the parameters for new LDAP authentication servers. The Modify LDAP Authentication Server dialog box is exactly the same except for the dialog box title. See Figure 54.
Figure 54
New LDAP Authentication Server Dialog Box
The following table describes the fields in this dialog box:
Table 22.
The Add LDAP Context dialog box provides the input of LDAP search bases or user contexts. The Modify LDAP Context dialog box is exactly the same except for the dialog box title. See Figure 55.
Figure 55
Add LDAP Context
The following table describes the field on this dialog:
Table 23.
Field Name | Description | Status |
---|---|---|
| Container name in LDAP format | The name of the container in LDAP (comma-delimited) format | Required |
This section describes the following button:
The Object Browser button allows you to launch an object browser to select the desired container.
The Radius Options dialog box allows you to specify the parameters for RADIUS profiles. This dialog box is functionally identical to the corresponding iChain Proxy Server administration application dialog box. See Figure 56.
Figure 56
RADIUS Profile Options Dialog Box
The following table describes the fields in this dialog box:
Table 24.
This section describes the following buttons:
The Add Search Base button allows you to launch an object browser to select the desired container.
The Delete Search Base button allows you to delete a search base from the list.