Setting Up the iChain Proxy Server

The iChain Proxy Server functions as the primary access point into your iChain infrastructure. The iChain Proxy Server is implemented on approved hardware.

This section provides a brief introduction to the basic steps needed to set up the iChain Proxy Server. For more details, see "Installing the iChain Proxy Server on Your Network" and "Using and Tuning iChain Features".

To set up the iChain Proxy Server for an iChain implementation:

  1. Access the URL of the proxy server where you installed the iChain Proxy Services software to launch the proxy server browser-based administration tool.

    For example, http://xx.xx.xx.xx:1959/appliance/config.html

    where xx.xx.xx.xx is the IP address for the proxy server. You should have configured an IP address during the installation of the iChain Proxy Services software.

    NOTE:  If the iChain Proxy Server is located behind a firewall and you are accessing the proxy server browser-based administration utility from a browser outside that firewall, you must open ports 1959, 2222, and 51100 on the firewall to administer the proxy server.

  2. Accept the default username (do not enter a password), then click OK.

  3. Click System > Actions > Password, then set a password for the proxy server.

  4. Click Home > Introduction, then verify that iChain Proxy Server is installed and running on the server. (This is shown as a bitmap that lets you know if you're running version 2.2.)

  5. Click Network > IP Addresses. Configure the Ethernet ports as follows:

  6. Click Gateway-Firewall, then set the iChain Proxy Services default gateway to the gateway necessary to access your public IP address.

  7. Click Network > DNS, then specify the DNS domain name (for example, www.novell.com) and the IP address of the DNS server.

  8. Click Apply to have the new settings take effect.

  9. Click System > Actions, then verify the internal connection to your network by pinging a server within your internal network.

To set up access to the authorization server for access control functions:

  1. Click Configure > Access Control.

  2. Specify the fully distinguished name of the ISO object for the iChain service. Use commas as delimiters, for example, cn=myISO,o=novell.

  3. Specify the following LDAP profile settings:

    NOTE:  The LDAP user name and password must have read and write rights to the container you are searching.

  4. Click Apply.

  5. Click Refresh ACLCHECK.

To set up access to the iChain Authorization Server for authentication functions, you will need to create one or more authentication profiles. The following steps will create an LDAP authentication profile to authenticate users to your iChain Authorization Server. (You can also create SSL mutual authentication and RADIUS profiles if you want to use these authentication methods.)

  1. Click Configure > Authentication.

  2. Insert a new profile, name the profile, then select LDAP Authentication and click the LDAP Options button.

  3. Set the server IP address to the iChain Authorization Server address.

  4. Select port 389 for non-secured LDAP, or port 636 for secure LDAP (or another port as configured).

  5. Enable secure access to the LDAP server (only if you are using secure LDAP).

  6. Specify a username and password for LDAP access (leave the field blank for anonymous bind).

  7. Set Use Distinguished Name.

  8. Click Insert > enter an LDAP context (for example, ou=test,o=mycompany). Repeat for each context users will authenticate from.

  9. Click OK > OK > Apply.

To set up a Web Server accelerator:

  1. Click Configure > Web Server Accelerator > Insert.

  2. Specify a name for the accelerator, using a maximum of 8 characters. This must be unique for each Web Server accelerator.

  3. Specify a DNS name for the accelerator (for example, www.novell.com).

    This is the DNS name by which users will access the resource and should resolve to the public IP address of the iChain Proxy Server.

  4. In Web Server address, click Insert, then specify the IP address of the origin Web Server that contains the desired content.

    Either the IP address or a DNS name resolving to the origin Web Server can be used. This server will usually be on your private network. Clients must not be able to reach this server directly; otherwise the iChain infrastructure, and the access control it enforces, is bypassed.

  5. For the Accelerator IP address, check the public IP address or addresses that the DNS name specified in Step 3 resolves to.

  6. Check Enable Authentication.

  7. Click Authentication Options > select an existing profile from the list > click Add to set the profile as the Service Profile.

  8. Click OK > OK > Apply.
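The accelerator steps above state several constraints (a unique name of at most 8 characters, a DNS name that resolves to the proxy's public address, an origin Web Server on the private network that clients cannot reach directly, and authentication enabled). The following added example, which is not Novell's code, turns those constraints into a check that can be run against a definition before clicking Apply. The field names, the dictionary standing in for DNS, and all addresses are constructed assumptions.

```python
"""Pre-apply checks for a Web Server accelerator definition.

Added example, not Novell's code.  It encodes the constraints stated in the
accelerator steps (name of at most 8 characters and unique, DNS name that
resolves to the proxy's public address, origin server on the private network
and not the proxy itself, authentication enabled) as a pure function so a
definition can be checked offline.  Field names and the DNS view are assumed;
the addresses are constructed.
"""
import ipaddress

# Constructed stand-in for a DNS lookup: name -> set of addresses.
DNS_VIEW = {
    "www.example.com": {"203.0.113.10"},    # public name, points at the proxy
    "intranet.example.com": {"10.1.2.3"},   # internal name, points at an origin
}

# RFC 1918 ranges; the origin Web Server is expected to live in one of these.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _addresses(host, dns_view):
    """Resolve a literal IP or a DNS name using the constructed view."""
    try:
        return {str(ipaddress.ip_address(host))}
    except ValueError:
        return set(dns_view.get(host, ()))


def check_accelerator(acc, existing_names, dns_view=DNS_VIEW):
    """Return a list of problems with the definition; an empty list passes.

    acc is a dict with assumed keys mirroring the admin-tool fields:
      name, dns_name, origin_servers (list of IP/DNS strings),
      accelerator_ips (set of the proxy's public addresses), enable_auth.
    """
    problems = []
    name = acc.get("name", "")
    if not 1 <= len(name) <= 8:
        problems.append(f"name {name!r} must be 1 to 8 characters")
    if name in existing_names:
        problems.append(f"name {name!r} is already used by another accelerator")

    # Steps 3 and 5: the public DNS name must land on the accelerator IPs.
    accel_ips = set(acc["accelerator_ips"])
    resolved = set(dns_view.get(acc["dns_name"], ()))
    if not resolved:
        problems.append(f"DNS name {acc['dns_name']} does not resolve")
    elif not resolved <= accel_ips:
        stray = sorted(resolved - accel_ips)
        problems.append(
            f"DNS name {acc['dns_name']} resolves to {stray}, not to accelerator IPs")

    # Step 4: origins should be private and must not be the proxy itself.
    for origin in acc["origin_servers"]:
        ips = _addresses(origin, dns_view)
        if not ips:
            problems.append(f"origin {origin!r} does not resolve")
        for ip in ips:
            addr = ipaddress.ip_address(ip)
            if ip in accel_ips:
                problems.append(f"origin {origin!r} ({ip}) is the proxy itself")
            elif not any(addr in net for net in PRIVATE_NETS):
                # A routable origin can be reached without passing through
                # iChain, which bypasses the access controls it enforces.
                problems.append(f"origin {origin!r} ({ip}) is not on a private network")

    if not acc.get("enable_auth", False):
        problems.append("Enable Authentication is not checked")
    return problems


if __name__ == "__main__":
    definition = {"name": "webacc1", "dns_name": "www.example.com",
                  "origin_servers": ["intranet.example.com"],
                  "accelerator_ips": {"203.0.113.10"}, "enable_auth": True}
    print(check_accelerator(definition, existing_names={"other1"}) or "definition passes")
```

The private-network test is deliberately restricted to the RFC 1918 ranges rather than relying on a library's notion of "private", because the point of the check is that the origin is reachable only through the proxy on your own network.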


Allowing Authentication Through the HTTP Authorization Header

The Allow authentication through HTTP authorization header check box on the LDAP Authentication options screen allows Basic (401) authentication as either an alternative or a substitute for the iChain login form/page.

This feature lets iChain process a request, log in the user (if necessary), and return the response without requiring the calling program to handle login redirects or to parse login pages and forms. The iChain cookie is returned in the response for possible use in subsequent requests. If authorization headers are optional, a user who is not authenticated is redirected to the standard iChain login page. If the headers are mandatory, a 401 status is returned; the browser then prompts for the user's credentials and resubmits the request with them. In this mode, the CDA features are disabled.

NOTE:  We do not recommend Basic Authentication for use with users/browsers because of security issues relating to the lack of control over the credentials on the wire. The primary use is anticipated to be programming-related, where the credentials can be passed in an authorization header along with a request. That way, a programmer retains control over the exposure of the credentials.

To enable authentication through the HTTP authorization header, do the following:

  1. Click Configure, then Authentication. Highlight the LDAP authentication profile on which you want to enable Basic Authentication.

  2. Click Modify, then LDAP Options.

  3. Check the Allow authentication through HTTP authorization header check box.

  4. Select Use iChain login page (basic authorization headers are optional), or Use basic/proxy authentication (basic authorization headers are mandatory).

  5. Click OK, OK, and Apply.
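The following added example, which is not part of the iChain product, models the decision the description above attributes to the proxy for the two modes selected in step 4: a request carrying a valid Authorization header is logged in and receives the cookie, an unauthenticated request is redirected to the login page when headers are optional and answered with 401 when they are mandatory. The user store, session cookie name, login-page path and realm are constructed assumptions; the client-side helper shows the header a program would send and why it must only travel over a secured connection.

```python
"""Model of the proxy's Basic (401) authentication decision.

Added example, not iChain code.  It reproduces the behaviour described for
the two check-box modes so the flow can be exercised offline.  The user
store, cookie name, login path and realm are constructed; a real deployment
authenticates against the LDAP authentication profile.
"""
import base64
import binascii
import hashlib
import hmac
import secrets

LOGIN_PAGE = "/ichain/login"      # assumed path of the iChain login form
COOKIE_NAME = "ichain_session"    # constructed name for the iChain cookie

# Constructed user store: username -> SHA-256 hex of the password.
_USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}
_SESSIONS = set()                 # session tokens issued by handle_request


def basic_header(username, password):
    """Client side: build the Authorization header value a program sends.

    base64 is an encoding, not encryption: the pair is readable by anyone on
    the wire unless the accelerator is reached over SSL.
    """
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def _credentials_from(header_value):
    """Parse 'Basic <base64(user:password)>'; None if absent or malformed."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode()
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def _valid(user, password):
    expected = _USERS.get(user)
    if expected is None:
        return False
    candidate = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(expected, candidate)


def handle_request(headers, headers_mandatory):
    """Return (status, response_headers) the proxy would send.

    headers: request headers with lower-case keys.
    headers_mandatory: True for 'Use basic/proxy authentication',
                       False for 'Use iChain login page'.
    """
    # A valid iChain cookie means the session is already logged in.
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME and value in _SESSIONS:
            return 200, {}

    creds = _credentials_from(headers.get("authorization", ""))
    if creds and _valid(*creds):
        session = secrets.token_hex(16)
        _SESSIONS.add(session)
        # The cookie is returned so the client can reuse it on later requests.
        return 200, {"Set-Cookie": f"{COOKIE_NAME}={session}; Secure; HttpOnly"}

    if headers_mandatory:
        # Mandatory headers: 401 makes the browser prompt and resubmit.
        return 401, {"WWW-Authenticate": 'Basic realm="iChain"'}
    # Optional headers: fall back to the standard iChain login page.
    return 302, {"Location": LOGIN_PAGE}


if __name__ == "__main__":
    print(handle_request({}, headers_mandatory=False))
    print(handle_request({}, headers_mandatory=True))
    hdr = {"authorization": basic_header("alice", "correct horse")}
    print(handle_request(hdr, headers_mandatory=True))
```

Reusing the returned cookie on later requests, as the text describes, means the credentials travel only once; the `Secure` and `HttpOnly` attributes on the constructed cookie keep it off plain HTTP and away from page scripts.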