iChain Benefits

With iChain, you can accomplish the following:


Easily Create Public, Restricted, and Secure iChain Resources

The iChain Proxy Server is the gatekeeper to your Web-based applications. If a user is not permitted to access a particular Web page or application, the Web server/application server will never even receive the request. iChain manages access to services through "protected resources," which are defined in eDirectory. A protected resource can be defined as:

These protected resources are essentially a listing of URLs. To add flexibility when defining these protected URLs, iChain offers wildcarding (*) and entire folder (?) options.


Define Identity-based Security

iChain's formidable security infrastructure begins with the iChain Access Control object. This object contains a list of iChain protected resources or URLs and a list of users, groups, or containment (O, OU) objects that can access these resources. Multiple iChain Access Control objects can be configured to provide maximum flexibility to meet an organization's security policy. Without this access control, a user is denied access to any protected resource defined as secure.

In addition to a user being granted access based on his or her association to an iChain Access Control object, iChain also provides a dynamic access control process which looks at specified details of a user's identity (for example, jobTitle=manager) and grants access based on that information.
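The decision described above, sketched as an added example; this is not iChain code or its eDirectory schema. The `AccessControl` and `User` classes, the trailing-`*` prefix match, and the comma-split DN comparison (escaped commas are not handled) are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    dn: str                                   # e.g. "cn=ann,ou=hr,o=example"
    groups: tuple = ()                        # group DNs the user belongs to
    attrs: dict = field(default_factory=dict)

@dataclass
class AccessControl:                          # hypothetical stand-in, not iChain's schema
    urls: tuple                               # protected resource URLs
    members: tuple = ()                       # user, group or container (O, OU) DNs
    attr_rules: tuple = ()                    # dynamic rules, e.g. ("jobTitle", "manager")

def norm(dn):
    return ",".join(part.strip().lower() for part in dn.split(","))

def url_matches(pattern, url):
    # Assumption: a trailing "*" is a prefix match; anything else is exact.
    return url.startswith(pattern[:-1]) if pattern.endswith("*") else url == pattern

def is_member(member, user):
    m, dn = norm(member), norm(user.dn)
    if m == dn or m in (norm(g) for g in user.groups):
        return True
    # Containment: the comma anchor keeps "ou=nothr" from matching "ou=hr".
    return dn.endswith("," + m)

def allowed(user, url, acls):
    """Default deny: a secure URL needs at least one object that grants it."""
    for acl in acls:
        if not any(url_matches(p, url) for p in acl.urls):
            continue
        if any(is_member(m, user) for m in acl.members):
            return True
        if any(str(user.attrs.get(k, "")).lower() == v.lower()
               for k, v in acl.attr_rules):
            return True
    return False

# Constructed sample data.
ACLS = [
    AccessControl(urls=("/hr/*",),
                  members=("ou=hr,o=example", "cn=auditors,o=example")),
    AccessControl(urls=("/reports/*",), attr_rules=(("jobTitle", "manager"),)),
]
ann = User("cn=ann,ou=hr,o=example")
bob = User("cn=bob,ou=sales,o=example", attrs={"jobTitle": "Manager"})
eve = User("cn=eve,ou=sales,o=example", groups=("cn=auditors,o=example",))
```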


Use Multiple Factor Authentication

Although iChain seeks to connect your business with the rest of the world, it would hardly be worth the effort if this connection caused your corporate security to be compromised. Identity-based access control is a very secure method of protecting your data, but it must rely on some form of user recognition to ensure that the person attempting to access the protected resources is who he or she claims to be. To guard against unauthorized users, iChain supports a number of authentication methods, including user identifiers (name, e-mail address, and other LDAP attributes), passwords, token-based authentication, and X.509 digital certificates.

Before requesting a user's authentication credentials, the iChain Proxy Server establishes an SSL session with the user's browser. This prevents unauthorized users from intercepting passwords and other authentication credentials. iChain also leverages Novell Certificate Server™, a security product that ships with NDS® eDirectory™ 8.5. Novell Certificate Server enables you to create and manage digital certificates of your own or import them from third-party vendors.

iChain also supports multi-factor authentication, which combines several authentication methods to produce an even higher level of security. For instance, a company can require that a user present a valid userID and password as well as an X.509 certificate before granting access to a user. Different levels of access can be required for different Web servers.

To accommodate secure, token-based authentication, iChain uses the Remote Authentication Dial-in User Service (RADIUS) protocol. RADIUS enables communication between remote access servers and a central server. Secure token authentication through RADIUS is possible out of the box as iChain includes Novell Modular Authentication Service RADIUS software that can be run on an existing NetWare® server.


Give Your Users the Convenience of Web Single Sign-on

Whether the user of your Web application is an employee or a potential customer, the experience that person has with the Web application is often determined by convenience. To enhance each user's experience, iChain incorporates an innovative service called Web single sign-on. Thanks to this service, users need to log in only once to gain access to multiple applications and platforms.

Single sign-on is possible because iChain authenticates the user from a centralized eDirectory profile. When the user requests access to a specific server, iChain retrieves the appropriate user credentials and transparently submits them to the Web server, usually in the form of username and password. The user sees no login request, but sees only the end result as access is either granted or denied.

iChain also offers users a convenient form-fill authentication feature that simplifies access to Web applications. With the form-fill feature, the user first authenticates to iChain before accessing the Web application's authentication form. As the user enters his or her credentials, the information is automatically stored securely to the user's object in eDirectory using Novell's SecretStore™ technology. From then on, when the user connects to that Web application, iChain automatically retrieves the user's credentials and completes the form on the user's behalf.

By making your services more readily available, you can strengthen customer loyalty and offer employees convenient access to business-critical information. Single sign-on also lowers the overhead costs associated with maintaining many different tables of usernames and passwords on numerous servers.


Increase the Overall Security of a Web Server

Having the iChain Proxy Server as the gatekeeper (the only point of access) to Web applications increases the overall security of the Web server and identity information. Users never get direct access to either Web server or directory information. When platforms are being used to host Web applications that potentially have a higher risk of being subject to hacking attempts, iChain will ensure that only HTTP requests are serviced, and that those requests are specific to DNS names rather than to an IP address. The iChain proxy immediately stops any other request.


Reduce the Required Number of Public IP Addresses

Generally each Web server available on the Internet requires its own IP address, which can increase the cost of a solution and can require more firewall configurations. iChain offers a multi-homing facility whereby a single IP address can be used to access multiple backend Web servers. As long as these services are represented as a single domain (for example, xxx.novell.com), all services can operate over the standard port 80 (HTTP) or 443 (HTTPS - encrypted).
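The host-based gate described in the two sections above (requests must name a DNS host, and one address fronts several back-end servers), as an added example that is not iChain code. The routing table, the back-end addresses and the decision strings are constructed for illustration, and only the Host check is shown.

```python
import ipaddress

# Constructed routing table: public DNS name -> internal Web server.
ROUTES = {
    "www.example.com": "http://10.0.0.11:80",
    "hr.example.com": "http://10.0.0.12:8080",
}

def host_name(host_header):
    """Return the lower-cased host from a Host header, without the port."""
    h = (host_header or "").strip().lower()
    if h.startswith("["):                     # bracketed IPv6 literal
        return h[1:h.find("]")] if "]" in h else ""
    if h.count(":") == 1:                     # name:port or IPv4:port
        h = h.split(":")[0]
    return h.rstrip(".")                      # tolerate a trailing root dot

def is_ip_literal(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def route(host_header):
    """Return ("forward", backend) or ("reject", reason); default is reject."""
    name = host_name(host_header)
    if not name:
        return ("reject", "no-host")
    if is_ip_literal(name):
        # A request addressed to the bare IP never reaches a back end.
        return ("reject", "ip-literal")
    backend = ROUTES.get(name)
    if backend is None:
        # Allow-list: names that are not published are refused as well.
        return ("reject", "unknown-host")
    return ("forward", backend)
```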


Dynamically Encrypt Data

Generally, when organizations want to ensure the confidentiality of data as it crosses the Internet, they implement SSL services on the Web servers. This increases management overhead (certificates must be installed on each Web server), can increase costs, and can reduce the performance of content delivery (Web server processing power is dramatically reduced when it needs to encrypt data).

To address these issues, iChain provides Secure Exchange, which can dynamically encrypt the data channel between the browser and the iChain Proxy Server. The content between the iChain Proxy Server and the Web server can be either HTTP (non-encrypted) or HTTPS (encrypted), depending on specific requirements.

Secure Exchange provides a single place to manage SSL certificates (iChain proxy), and allows Web servers to do what they are designed to do: deliver content as quickly as possible. When combined with the caching technology on the iChain proxy, the speed of the overall service is greatly increased.

This feature not only performs on-the-fly encryption of data, but it also rewrites the HTML links from HTTP to HTTPS, meaning that there is no need for an administrator to change HTML content, a task that must be performed when SSL is implemented at the Web server.


Simplify Your Management and Administrative Duties

Today, many companies manage user access to internal Web-based material on a server-by-server basis. These servers often run on different platforms, especially in large enterprises that have many divisions spread across a wide geographic area. A good example is a government agency with many separate departments. Each department employs its own set of standalone servers and Web applications. Something as common as modifying a user's access rights would require the IT staff to manually change all the involved systems, a time-consuming process that could necessitate a physical visit to each network server. If those servers are scattered across the entire country, the situation becomes expensive and impractical: either a single IT staff member is constantly traveling, or it becomes necessary to maintain a separate IT staff for each part of the network.

iChain solves this problem by centralizing all administrative tasks. Changes can be made through ConsoleOne®, a single utility that defines the access controls to all iChain-protected resources, regardless of the platform or Web server used. Moreover, ConsoleOne can be run from any workstation in the network, thereby avoiding the costly upgrades and retrofits that would otherwise be needed to unify all your network resources.

Finally, iChain delivers standard login pages for each secure Web site protected by the iChain Proxy Server. Using an HTML editor, these pages can be customized to reflect the standard look and feel of the organization or department's Web sites.


Provide Enhanced Installation and Configuration Options

Novell iChain includes the Web Server Accelerator Wizard, an installation wizard that is a time-saving, cost-effective configuration solution. The wizard enables you to customize how iChain's features will complement your network structure and eliminates several steps required by traditional configuration and installation processes. By presenting you with several questions about your configuration preferences, the wizard helps you create a configuration file that has all the necessary parameters to configure iChain.


Securely Integrate Various eBusiness Applications

Trying to run eBusiness applications from different vendors is usually an exercise in frustration. Because applications cannot automatically share data across the enterprise, your business infrastructure becomes fragmented. With iChain you can provide new avenues of data protection while securely consolidating all the elements of your computing environment into one Net.

To facilitate the transformation from traditional business to eBusiness, iChain integrates with Novell DirXML®. DirXML is an Extensible Markup Language (XML) solution that reliably synchronizes databases and directories from various applications and vendors.