If you do not see this task, you are not an authorized user. See Authorized Users.
There are three settings in the config.xml file that control the security and the certificates used when iManager creates an LDAP SSL connection:
Security.Keystore.AutoUpdate: If the value of AutoUpdate is True, then when a user successfully logs in to iManager, the certificate from that eDirectory server might automatically be imported into the iManager-specific keystore. To enable this behaviour, select the Auto Import Tree Certificate for Secure LDAP setting.
Security.Keystore.UpdateAllowAll: When UpdateAllowAll is True, any successful user login imports or updates a certificate in the iManager certificate keystore. If the setting is False, only an authorized user login imports or updates certificates.
Security.Keystore.Priority: The priority setting contains two words that define the search order for certificates during a connection: system and imanager. system uses the default JVM keystore to locate certificates when creating the SSL context. If that fails, iManager then falls back to the iManager keystore.
You can change the search order of system and iManager by removing either word from the entry.
To further tighten security, do not allow AutoUpdate and use only the system keystore. If you do this, you must manually import the certificates that you want to reside in the default system keystore by using the tools that come with Java. If you disable UpdateAllowAll, then certificate imports occur only from a successful iManager authorized user login.
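The manual import step that the hardened configuration above requires (AutoUpdate disabled, Priority limited to system), written here as an added example with Java's keytool rather than taken from the iManager documentation. It assumes JAVA_HOME is the JRE that iManager's Tomcat runs on, that the eDirectory tree CA certificate has already been exported to a file, and that the cacerts password is still Java's default; the tree name, file path and fingerprint in the usage comment are constructed values.

```shell
#!/bin/sh
# Added example, not from the iManager documentation: import an eDirectory tree CA
# certificate into the JVM's default keystore by hand, so that
# Security.Keystore.AutoUpdate can stay False and Priority can be "system" alone.
# Assumptions: JAVA_HOME is the JRE that iManager's Tomcat runs on, the tree CA
# was exported to a DER or PEM file, and the cacerts password is Java's default.

# Locate the default JVM keystore under a Java home: JDK 8 keeps it under
# jre/lib/security, later releases under lib/security. Prints the path, or fails.
cacerts_path() {
    for p in "$1/lib/security/cacerts" "$1/jre/lib/security/cacerts"; do
        [ -f "$p" ] && { printf '%s\n' "$p"; return 0; }
    done
    return 1
}

# Derive a predictable keystore alias from the eDirectory tree name, e.g.
# "ACME_TREE" -> "edir-acme_tree". keytool aliases are case-insensitive, and a
# fixed naming scheme makes later audits (keytool -list) and rotation easy.
alias_for_tree() {
    printf 'edir-%s\n' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -c 'a-z0-9_' '-')"
}

# Import the tree CA. The file's SHA-256 fingerprint is compared with the value
# obtained out of band (from the tree's CA object) before anything is trusted,
# so a swapped or tampered certificate file is rejected instead of imported.
import_tree_ca() {
    tree="$1"; cert_file="$2"; expected_fp="$3"
    store="$(cacerts_path "${JAVA_HOME:?JAVA_HOME must point at the JRE}")" || return 1
    actual_fp="$(keytool -printcert -file "$cert_file" | sed -n 's/.*SHA256: *//p' | head -n 1)"
    if [ "$actual_fp" != "$expected_fp" ]; then
        echo "fingerprint mismatch for $cert_file: $actual_fp" >&2
        return 1
    fi
    # STOREPASS defaults to the Java default; change it on the server and pass it
    # through the environment rather than hard-coding it here.
    keytool -importcert -noprompt -trustcacerts \
        -alias "$(alias_for_tree "$tree")" -file "$cert_file" \
        -keystore "$store" -storepass "${STOREPASS:-changeit}"
}

# Example invocation (constructed values; nothing runs when the file is sourced):
# import_tree_ca ACME_TREE /tmp/acme-tree-ca.der "AB:CD:EF:...:01"
```

After the import, `keytool -list -keystore <cacerts> -alias edir-<tree>` confirms the entry, and the same alias is what you delete when the tree CA is rotated.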
These settings affect your entire Web server configuration and are saved in the config.xml file. You can either save as you go or save once after you have made all your changes on the various tabbed pages.
Select this option if you want users without a secure connection between the Web browser and the Web server to receive the following warning: "You are using a non-secure connection."
Make sure you have met the Novell Audit prerequisites. Select the Enable Novell Audit option and select specific iManager logging events, then click Save.
Secure LDAP connections require a certificate. If you select this feature, the system automatically imports a public tree certificate for secure LDAP.
Authorized users are those that iManager permits to perform its various administrative tasks. Authorized user data is saved in TOMCAT_HOME\webapps\nps\WEB-INF\configiman.properties. The iManager installation process creates this file only if authorized user information is provided, but doing so is not required. Failure to do so results in iManager allowing any user to install iManager plug-ins and modify iManager server settings (not recommended long-term).
After installing iManager, you can add an authorized user by specifying the user object in the field provided, or by using the Object Selector to find it. Doing this modifies the configiman.properties file. To designate all users as authorized users, type AllUsers.
For security-related information about the configiman.properties file, see iManager Authorized Users.
This tab lets you customize the appearance of the iManager interface. This information is stored in TOMCAT_HOME\webapps\nps\WEB-INF\config.xml.
Specify your organization name in this text box. It then appears in the title bar of the Web browser in place of the default text (Novell iManager).
The Title bar contains three images: the header background image, the header filler image, and the header branding image. Your own images must conform to the dimensions given in the interface.
Store these files in nps/portal/modules/fw/images. Specify the path of each image in its respective text field.
You can customize the color of the menu header and the background of the navigation menu on the left.
You can type either color names or hexadecimal numbers; entries are not case sensitive. Use the reset option to return to the default colors and images, or save to write the settings to the config.xml file.
The logging tab lets you configure iManager's logging environment. There are two logging settings:
Logging Level: Select the types of messages you want to log, from four options.
Logging Output: Select the destination for logged messages, from three options.
The log file path and log file size both appear on this page. One option displays the current log file in HTML format; another clears the current log file and resets the log file size to 0 (zero) bytes.
The login tab configures iManager's login page. It contains the following options:
Remember login credentials: If you select this option, users must only enter a password to log in.
Use Secure LDAP for auto-connection: This setting specifies whether iManager communicates via LDAP SSL or LDAP clear text. Some plug-ins, such as Dynamic Groups and NMAS™, do not work if this option is not selected. This setting does not take effect until you log out of iManager.
Allow ‘Tree’ selection on Login page: When selected, iManager’s login page displays the Tree field. If you do not select this option, you must have a default tree name specified or you cannot log in.
Contextless Login: Contextless login allows users to log in with only a username and password, without knowing their entire User object context (for example, .admin.support.sales.novell).
If there are multiple users with the same username in the tree, contextless login tries to log in using the first user account it finds with the supplied password. In this case, a user should provide a full context when logging in or limit the search containers that contextless login searches.
One option performs the user search from the root of the directory tree; the other lets you specify one or more containers where User objects can be found.
By default, iManager connects with public access, requiring no specific credentials. You can specify a user with specific credentials to perform the search for the contextless lookup. The iManager public user is used if you don’t specify a user.
IMPORTANT: If you specify a public user, consider carefully the implications of password expiration settings. If the password is set to expire for the public user, you do not have the opportunity to change the password during login after it expires.
Role-Based Services (RBS) assigns the rights within eDirectory to perform tasks. When you assign a role to a user, by default RBS assigns the rights necessary to perform the tasks included with that role.
The RBS tab lets you configure the following settings:
Enable Dynamic Groups: When selected, RBS allows dynamic groups to be members of a role. For more information about dynamic groups, see the eDirectory Administration guide.
Show Roles in Owned Collections: When selected, collection owners see all roles and tasks whether they are members of them or not. Deselect this option to force collection owners to see only their assigned roles.
Role Discovery Domain: Indicates where in the tree iManager is to search for roles that are assigned to a member.
Parent, iManager searches for Dynamic Groups up to the parent container.
Partition, iManager searches for Dynamic Groups up to the first eDirectory partition.
Root, iManager searches for Dynamic Groups in the entire tree.
Dynamic Group Discovery Domain: Indicates where in the tree iManager is to search for Dynamic Group membership. Role membership is then checked in the Dynamic Groups found.
Parent, iManager searches for roles in the user's parent container.
Partition, iManager searches for roles up to the first eDirectory partition.
Root, iManager searches for roles in the entire tree.
Dynamic Group Search Type: Selects which type of Dynamic Groups should be searched for role membership.
Dynamic Groups only, searches for objects that are of the Dynamic Group class type.
Dynamic Group Objects and Aux classes, searches for objects that are either of the dynamicGroup class type or have been extended with the dynamicGroupAux class. This includes group objects that were later converted to Dynamic Groups.
RBS Tree List: Auto-populated with the eDirectory tree's name when a collection owner or a role member authenticates. If RBS is removed from an eDirectory tree, remove that tree's entry in this list in order to return to Unassigned Access mode.
The plug-in download tab lets you configure the following settings:
Query Novell download site for new Novell Plug-in Modules (NPM): Indicates that the iManager Server should query the Novell Download site for new plug-in modules (NPMs).
Two radio buttons let you configure the query for every available NPM, or query only for updates to already-installed NPMs.
The next tab lets you configure the following settings:
Enable [this]: You can safely ignore this option. Enable [this] was added to iManager to allow some internal teams to modify their own objects. [this] is an attribute in the tree that enables specific self-management functionality. If [this] is enabled, all eDirectory servers in the tree must be version 8.6.2 or later.
eGuide URL: Specifies the URL to eGuide. This is used by the eGuide launch button in the header and in the eGuide role and task management tasks. This must be a full URL (for example, https://my.dns.name/eGuide/servlet/eGuide) or the keyword EMFRAME_SERVER. Using EMFRAME_SERVER causes eMFrame to look for eGuide on the same server that eMFrame is located on.
For more information on eGuide, see the Novell eGuide documentation Web site.