Previous Page: Setting Up the iChain Proxy Server  Next Page: Defining iChain Access Control Rules

Setting Up Protected Resources

To integrate and allow access to Web-based application resources, you must set the appropriate parameters in the iChain Service object. Some Web-based resources, called Protected Resources in iChain, need additional information about the user passed into the application, either to protect the resource or to customize the user interface. This additional information is usually stored in Novell eDirectory or some other database. iChain uses object-level access control (OLAC) plug-ins to query the database and retrieve the additional information. iChain Proxy Services then passes the information to the application by appending it to the URL query string or by sending it as a header variable.

To set up a protected resource for an iChain service:

  1. From ConsoleOne, click the Protected Resources tab on the ISO object you created for this configuration.

  2. Click Add (the icon with the plus [+] sign).

  3. Specify a name for the resource and the URL for the resource in this format: http://www.resource.com, where www.resource.com is the DNS name specified when you created the Web Server Accelerator.

    If you enter only the DNS name (without a scheme prefix), the iChain snap-in attaches the http:// prefix automatically.

    You can enter the URL with subfolders. See Differentiating Among Protected Resources for more information.

    NOTE:  If the URL starts with https:// (that is, this is a secure Web site), you will still specify http:// in this field. iChain uses this field for matching purposes. It does not affect the URL in the query string.

  4. Choose whether this protected resource will be Public, Restricted, or Secure (see Differentiating Among Protected Resources for more information). Also select whether any associated Object-Level Access Control (OLAC) parameters should be sent in the query string or as a header variable (see Setting Up Object-Level Access Control for more information).

  5. Click OK > Apply to save the resource.

    You can add as many protected resources as you want.

  6. If you are using the iChain Wizard to administer the iChain Proxy Server (that is, you have configured the FTP server on the iChain proxy), you can refresh the iChain Proxy Server from the snap-in when prompted. Otherwise, you will need to go to the Web-based administration utility and click Configure > Access Control > Refresh ACLCheck and Refresh OLAC to read the new protected resource.

If you will be specifying OLAC parameters to pass to the origin Web server, you must also define where each parameter is stored in eDirectory (or in another data source supported by an OLAC plug-in).

NOTE:  For more information on setting up object-level access control, including information on the plug-ins provided with iChain refer to Setting Up Object-Level Access Control.

To specify these parameters:

  1. Select the resource you just added > click OLAC (the OLAC button is located below the Delete button, which is the icon with the minus [-] sign).

  2. For each object-level access control attribute to be passed to the application, define the Name, Data Source, and Value.

    NOTE:  Object-level access control attributes should be created only for protected resources that are configured to process query strings or custom headers. Typically, access to these protected resources is handled by CGI scripts, Web Server plug-ins, dynamic pages, or similar methods. If this is not the case, users may encounter errors when attempting to access URLs within the protected resource.

    The Name field contains an identifying name for the attribute that is passed to the application.

    The Data Source field contains the name of the data source from which to retrieve the information. With the plug-in shipped with iChain, this field is either LDAP or CONSTANT.

    The Value field contains the key used to retrieve the attribute value from the data source. The attribute is then added to the URL query string in Name=Value format (or sent as a header variable, if you selected that option in Step 4 above). With the shipping LDAP plug-in, the Value field is the LDAP attribute name under which the value is stored; this can differ from the eDirectory attribute name.

    For example, if the application requires the last name of the user and the data is stored in an LDAP-accessible directory under Surname, the entries would be LastName, LDAP, and Surname. If the user's last name is Smith, the attribute LastName=Smith would be added to the URL query string whenever the user accesses the protected resource.

    See Setting Up Object-Level Access Control for a table of appropriate values for the Data Source and Value fields.

    NOTE:  If you have already defined the necessary object-level access control attributes for this accelerator on another protected resource on the same iChain service object, you can import them directly into this protected resource. At the OLAC Parameters dialog, select the Import button (located under the Modify button). This will display a list of other protected resources that have had OLAC parameters specified. Select the desired resource and click OK. The OLAC parameters from that resource will appear in the OLAC Parameters dialog box.

  3. Access the URL of the iChain Proxy Server where you installed the iChain Proxy Services software to launch the iChain Proxy Services browser-based administration tool.

    For example, http://xx.xx.xx.xx:1959/appliance/config.html, where xx.xx.xx.xx is the IP address.

  4. Click Configure > Web Server Accelerator > Modify.

  5. Click Authentication Options.

    If you want to pass the basic authentication header to the Web Server, check the Forward Authentication Information to Web Server check box. If you have changed the DNS name for this accelerator, ensure that the cookie domain is still accurate.

  6. Click OK > OK > Apply.

  7. To start the OLAC processor, click Configure > Access Control, then check the Enable Object Level Access Control check box > click Apply.

    NOTE:  OLAC reads the information in the access control page/tab to find out where to retrieve the parameters from. If this information changes, you will need to stop and start OLAC again. To stop OLAC service, click Configure > Access Control page/tab > uncheck the Object Level Access Control check box > click Apply. To start OLAC again, perform Step 7 (above this note).

    IMPORTANT:  If the OLAC setup is changed from non-SSL to SSL or vice versa, OLAC will need to be restarted.
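The following Python sketch is added here as an illustration of what the OLAC parameter table does at request time; it is not code from iChain or Novell. Each (Name, Data Source, Value) row is resolved against a constructed in-memory directory that stands in for eDirectory, and the results are added either to the query string or as header variables, matching the choice made in Step 4 of the protected-resource setup. The directory contents, the rule that a CONSTANT row sends its Value field as a literal, and the choice to omit a parameter when the user lacks the attribute are assumptions made for the example.

```python
"""Simulate how OLAC parameters defined in the snap-in are resolved for a
user and passed to the origin server.  Added illustration, not iChain code."""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed stand-in for the LDAP-accessible directory (eDirectory):
# user DN -> {LDAP attribute name: value}.
DIRECTORY = {
    "cn=jsmith,o=novell": {"cn": "jsmith", "Surname": "Smith", "givenName": "Jane"},
    "cn=bjones,o=novell": {"cn": "bjones", "givenName": "Bob"},   # no Surname attribute
}

# Rows as entered in the OLAC Parameters dialog: (Name, Data Source, Value).
# Assumption: for CONSTANT, the Value field holds the literal to send.
OLAC_PARAMS = [
    ("LastName", "LDAP", "Surname"),
    ("UserID", "LDAP", "cn"),
    ("AppTier", "CONSTANT", "gold"),
]

def resolve_olac_params(user_dn, params, directory):
    """Return {Name: value} for one authenticated user.  LDAP rows are looked
    up by the LDAP attribute named in Value; a row whose attribute the user
    lacks is omitted (assumption: omitted rather than sent empty)."""
    entry = directory.get(user_dn, {})
    resolved = {}
    for name, source, value in params:
        if source.upper() == "LDAP":
            if value in entry:
                resolved[name] = entry[value]
        elif source.upper() == "CONSTANT":
            resolved[name] = value
        else:
            raise ValueError(f"unknown OLAC data source: {source}")
    return resolved

def add_to_query_string(url, olac):
    """Append Name=Value pairs to the request URL, URL-encoding values so a
    surname such as "O'Brien & Co" cannot break or inject into the query."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.extend(olac.items())
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(query), parts.fragment))

def add_as_headers(headers, olac):
    """Return the request headers with one header per OLAC parameter.  Any
    client-supplied header with the same (case-insensitive) name is dropped
    first, so the origin server only ever sees the proxy's value."""
    olac_names = {name.lower() for name in olac}
    out = {k: v for k, v in headers.items() if k.lower() not in olac_names}
    out.update(olac)
    return out

if __name__ == "__main__":
    params = resolve_olac_params("cn=jsmith,o=novell", OLAC_PARAMS, DIRECTORY)
    print(add_to_query_string("http://www.resource.com/app/page.cgi?id=7", params))
    print(add_as_headers({"Host": "www.resource.com"}, params))
```

Whichever forwarding method you pick, the origin application is trusting these parameters to identify the user, so it should accept them only on requests that arrive from the proxy; the header variant above drops any same-named header the client sent before adding the proxy's value for exactly that reason.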


Differentiating Among Protected Resources

iChain 2.1 lets administrators differentiate among protected resources in two ways: by the level of security assigned to each resource, and by wildcard matching on the resource URL.

iChain 2.1 provides three levels of security for protected resources: Public, Restricted, and Secure. A Public resource requires neither authentication nor access control. A Restricted resource requires the user to authenticate but applies no access control rules. A Secure resource requires both authentication and access control (see Defining iChain Access Control Rules).

iChain 2.1 allows you to use wildcard characters when specifying the URL for a protected resource. If the protected resource's URL is absolute, ending with a trailing slash (/), iChain matches only that exact URL. If the protected resource's URL ends with a question mark (?), iChain matches all files in the specified folder, but not its subfolders. For example, http://novell.ichain.com/dir1/? matches all the files directly under the dir1 folder. If the protected resource's URL ends with an asterisk (*), iChain matches all files under the specified folder and under all of its subfolders. For example, http://novell.ichain.com/dir1/* matches all the files under dir1 and any subfolders below dir1.

While matching protected resource URLs, iChain uses the most specific match to decide which level applies to a URL. For example, if http://ichain.novell.com has Public access but http://ichain.novell.com/secure/ has Secure access, all of the pages in the secure folder still require authentication and access control, while all other pages are treated as public pages and require neither.

IMPORTANT:  Authentication must be enabled for the Public, Restricted, or Secure levels of security to function.

If you have no authentication on the accelerator, you are using the iChain box as a caching appliance only. In this case, even if you set up a Public resource, such as a home page, not only is the home page available to anyone, but all pages below the home page are accessible to anyone.
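To make the matching rules concrete, here is an added Python simulation (an illustration only, not iChain code) of the three URL forms and the most-specific-match rule. It uses a constructed resource table in which the site-wide default from the example above is written as http://ichain.novell.com/* so that the stated trailing-character rules apply uniformly, and it models the note above by treating every page as Public when authentication is disabled on the accelerator. The tie-break order for entries that match with the same prefix length, and returning None when no entry matches at all, are assumptions; the page does not define either case.

```python
"""Simulate iChain 2.1 protected-resource URL matching and the
most-specific-match rule.  Added illustration, not iChain code."""
from urllib.parse import urlsplit

# Constructed protected-resource table for one accelerator:
# (URL as entered in the snap-in, level).  Entries use http:// even for
# https sites, because iChain uses this field for matching only.
PROTECTED_RESOURCES = [
    ("http://ichain.novell.com/*", "Public"),              # site-wide default
    ("http://ichain.novell.com/secure/*", "Secure"),       # folder and all subfolders
    ("http://ichain.novell.com/secure/help/", "Public"),   # exactly this URL only
    ("http://ichain.novell.com/reports/?", "Restricted"),  # files directly in /reports/
]

def _resource_parts(resource_url):
    """Split a resource URL into (host, path) without urlsplit, because a
    trailing '?' is a wildcard here, not a query-string delimiter."""
    rest = resource_url.split("://", 1)[1] if "://" in resource_url else resource_url
    host, _, path = rest.partition("/")
    return host.lower(), "/" + path

def _request_parts(request_url):
    parts = urlsplit(request_url)          # drops the query string and fragment
    return parts.netloc.lower(), (parts.path or "/")

def match_rank(resource_url, request_url):
    """Return (matched prefix length, tie rank) if the entry covers the request,
    else None.  Longer prefix wins; on equal length an exact entry beats '?',
    which beats '*' (the tie order is an assumption, not documented)."""
    r_host, r_path = _resource_parts(resource_url)
    q_host, q_path = _request_parts(request_url)
    if r_host != q_host:
        return None
    if r_path.endswith("*"):               # folder, subfolders and their contents
        folder = r_path[:-1]
        return (len(folder), 0) if q_path.startswith(folder) else None
    if r_path.endswith("?"):               # files in the folder, no subfolders
        folder = r_path[:-1]
        if q_path.startswith(folder) and "/" not in q_path[len(folder):]:
            return (len(folder), 1)
        return None
    return (len(r_path), 2) if q_path == r_path else None   # absolute URL: exact match

def classify(request_url, resources=PROTECTED_RESOURCES, authentication_enabled=True):
    """Return the level that governs request_url, or None if no entry matches.
    With authentication disabled on the accelerator the three levels do not
    function and every page is reachable, so everything is treated as Public."""
    if not authentication_enabled:
        return "Public"
    best = None
    for url, level in resources:
        rank = match_rank(url, request_url)
        if rank is not None and (best is None or rank > best[0]):
            best = (rank, level)
    return best[1] if best else None

if __name__ == "__main__":
    for u in ("https://ichain.novell.com/index.html",
              "http://ichain.novell.com/secure/app.cgi?id=7",
              "http://ichain.novell.com/secure/help/",
              "http://ichain.novell.com/reports/q1.html",
              "http://ichain.novell.com/reports/2001/q1.html"):
        print(u, "->", classify(u))
```

The two cases worth checking in your own table are the ones this simulation makes visible: a file in a subfolder of a "?" resource falls through to the next less specific entry (here the Public default), and an exact trailing-slash entry covers only that one URL, not the files beneath it.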


