Novell Access Manager 3.0 SP4 Administration Guide
- System Management
- Security Considerations
- Certificates
- Access Manager Administration Console
- Configuration Store
- Auditing and Event Notification
- Identity Server
- NetWare Access Gateway
- Linux Access Gateway
- SSL VPN
- J2EE Agent
- Backing Up and Restoring Components
- How The Backup and Restore Process Works
- Backing up the Administration Console
- Restoring an Administration Console
- Restoring an Identity Server
- Restoring an Access Gateway
- Running the Diagnostic Configuration Export
- Administration Console
- Administration Console Conventions
- Starting and Stopping Access Manager Components
- Changing the Password for the Administration Console
- Multiple Administrators, Multiple Sessions
- Changing the IP Address of Access Manager Devices
- Changing the IP Address of the Administration Console
- Changing the IP Address of an Identity Server
- Changing the IP Address of the Access Gateway
- Changing the IP Address of an Audit Server
- Maintaining an Identity Server
- Managing an Identity Server
- Editing Server Details
- Novell Identity Server Configuration
- Configuring an Identity Server
- Managing a Cluster Configuration
- Modifying the Base URL
- Enabling Role-Based Access Control
- Using netHSM for the Signing Key Pair
- Configuring Secure Communication on the Identity Server
- Defining Shared Settings
- Configuring Attribute Sets
- Editing Attribute Sets
- Configuring User Matching Expressions
- Adding Custom Attributes
- Configuring Local Authentication
- Configuring Identity User Stores
- Creating Authentication Classes
- Configuring Authentication Methods
- Configuring Authentication Contracts
- Specifying Authentication Defaults
- Setting Up Mutual SSL Authentication
- Creating Custom Login Pages
- Managing Direct Access to the Identity Server
- Configuring Kerberos for Authentication
- Configuring Access Manager for NESCM
- Configuring Trusted Providers
- Understanding the Trust Model
- Creating a Trusted Provider Reference
- Reimporting a Trusted Provider’s Metadata
- Configuring General Provider Options
- Editing a SAML 1.1 Trusted Identity Provider’s Metadata
- Editing a SAML 1.1 Trusted Service Provider’s Metadata
- Configuring Common Access Settings for a Trusted Provider
- Selecting Attributes for a Trusted Provider
- Configuring User Authentication and Federation
- Configuring Authentication for a Trusted Identity Provider
- Configuring User Identification Methods
- Configuring Authentication for a Trusted Service Provider
- Configuring User Identification Methods for SAML 1.1 Trusted Identity Providers
- Specifying a SAML Audience URI
- Configuring Communication Profiles
- Configuring Liberty Web Services
- Configuring the Web Services Framework
- Enabling Web Services and Profiles
- Editing Web Service Descriptions
- Configuring Credential Profile Security and Display Settings
- Configuring Service and Profile Details
- Customizing Attribute Names
- Editing Web Service Policies
- Configuring the Web Service Consumer
- Mapping LDAP and Liberty Attributes
- Access Gateway Configuration
- Configuring the Access Gateway to Protect Web Resources
- Creating a Reverse Proxy and Proxy Service
- Configuring a Proxy Service
- Configuring the Web Servers of a Proxy Service
- Configuring Protected Resources
- Configuring HTML Rewriting
- Configuring Connection and Session Limits
- Configuring the Access Gateway for SSL
- Using SSL on the Access Gateway Communication Channels
- Prerequisites for SSL
- Configuring SSL Communication with the Browsers and the Identity Server
- Configuring SSL between the Proxy Service and the Web Servers
- Managing Access Gateway Certificates
- Configuring the Encryption Key
- Enabling Secure Cookies
- Server Configuration Settings
- Viewing and Updating the Configuration Status
- Saving, Applying, or Canceling Configuration Changes
- Changing the Name of an Access Gateway and Modifying Other Descriptive Details
- Setting Date and Time
- Setting Up a Tunnel
- Customizing Error Pages
- Configuring Console Access
- Configuring Network Settings
- Customizing Log Out
- Configuring X-Forwarded-For Headers
- Upgrading the Access Gateway Software
- Exporting and Importing an Access Gateway Configuration
- Configuring the Cache Settings
- Configuring Global Caching Options
- Controlling Browser Caching
- Configuring Custom Cache Control Headers
- Configuring a Pin List
- Configuring a Purge List
- Purging Cached Content
- Preventing a Web Site from Being Cached
- Protecting Multiple Resources
- Setting Up a Group of Web Servers
- Using Multi-Homing to Access Multiple Resources
- Managing Multiple Reverse Proxies
- Managing a Cluster of Access Gateways
- SSL VPN Gateway Configuration
- Overview of SSL VPN Services
- Server Module
- Client Modes
- High Bandwidth Version
- Configuring Basic Setup
- Configuring the Default Identity Injection Policy
- Configuring the IP Address, Port, and NAT
- Configuring DNS Servers for the Kiosk Mode
- Additional Configuration for Enterprise Mode
- Controlling Access
- Configuring Traffic Policies
- Configuring Client Integrity Check Policy to Protect the Internal Network
- Managing Server Settings
- Advanced Configuration Settings
- Configuring SSL VPN to Connect through Forward Proxy
- Configuring Load Balancing and Fault Tolerance
- Configuring Certificate Settings
- Modifying SSL VPN Server Details
- Moving the SSL VPN Server to a Different Administration Console
- Configuring SSL VPN for Citrix Clients
- Prerequisites
- Configuring the Access Gateway for Citrix Clients
- Security and Certificate Management
- Understanding How Access Manager Uses Certificates
- Managing Certificates
- Creating Certificates
- Auto-Importing Certificates from Servers
- Importing a Private/Public Key Pair
- Exporting a Private/Public Key Pair
- Importing Public Key Certificates (Trusted Roots)
- Renewing a Certificate
- Exporting a Public Certificate
- Enabling 4096k Keys
- Viewing Certificate Details
- Assigning Certificates to Access Manager Devices
- Importing a Trusted Root to the LDAP User Store
- Replacing Identity Server SSL Certificates
- Assigning Certificates to an Access Gateway
- Assigning Certificates to J2EE Agents
- Configuring SSL for Authentication between the Identity Server and Access Gateway
- Changing a Non-Secure (HTTP) Environment to a Secure (HTTPS) Environment
- Creating Keystores and Trust Stores
- Reviewing the Command Status for Certificates
- Policy Management
- Managing Policies
- Selecting a Policy Type
- Policy Performance
- Managing Policy Containers
- Managing Policies
- Managing a Rule List
- Enabling Policy Logging
- Creating Role Policies
- Understanding RBAC in Access Manager
- Creating Roles
- Creating Access Manager Roles from an Existing Role-Based Policy System
- Mapping Roles between Trusted Providers
- Enabling and Disabling Role Policies
- Importing and Exporting Role Policies
- Creating Authorization Policies
- Designing an Authorization Policy
- Creating Access Gateway Authorization Policies
- Creating Web Authorization Policies for J2EE Agents
- Creating Enterprise JavaBean Authorization Policies for J2EE Agents
- Conditions
- Sample Policies
- Using Multiple Conditions
- Importing and Exporting Authorization Policies
- Creating Identity Injection Policies
- Designing an Identity Injection Policy
- Configuring an Identity Injection Policy
- Configuring an Authentication Header Policy
- Configuring a Custom Header Policy
- Configuring a Custom Header with Tags
- Specifying a Query String for Injection
- Injecting into the Cookie Header
- Importing and Exporting Identity Injection Policies
- Sample Identity Injection Policy
- Creating Form Fill Policies
- Understanding an HTML Form
- Creating a Form Fill Policy for the Sample Form
- Implementing Form Fill Policies
- Creating and Managing Shared Secrets
- Importing and Exporting Form Fill Policies
- Monitoring Access Manager Components
- Enabling Auditing
- Configuring Access Manager for Novell Auditing
- Enabling Identity Server Audit Events
- Enabling Access Gateway Audit Events
- Enabling SSL VPN Audit Events
- Querying Data and Generating Reports in Novell Audit
- Configuring Logging
- Understanding the Types of Logging
- Configuring Identity Server Logging
- Configuring Debug Trace Logging
- Configuring Access Gateway Logging
- Viewing Statistics
- Monitoring Identity Server Statistics
- Monitoring Access Gateway Statistics
- Viewing SSL VPN Statistics
- Managing Server Health
- Health States
- Monitoring the Health of an Identity Server
- Monitoring the Health of an Access Gateway
- Viewing the Health of an Access Gateway Cluster
- Monitoring the Health of an SSL VPN Server
- Reviewing Command Status
- Viewing the Command Status of the Identity Server
- Viewing the Command Status of the Access Gateway
- Viewing Command Status of the SSL VPN Server
- Reviewing Alerts
- Monitoring Identity Server Alerts
- Monitoring Access Gateway Alerts
- Monitoring SSL VPN Alerts
- Troubleshooting
- Troubleshooting the Administration Console
- Checking for Potential Configuration Problems
- Logging
- Event Codes
- Fixing a Failed Secondary Console
- Converting a Secondary Console into a Primary Console
- Orphaned Objects in the Configuration Store
- Session Conflicts
- Unable to Log In to the Administration Console
- Exception Processing IdentityService_ServerPage.JSP
- Backup/Restore Failure Because of Special Characters in Passwords
- Troubleshooting for the Identity Server and Authentication
- Useful Networking Tools
- Troubleshooting 100101043 and 100101044 Liberty Metadata Load Errors
- Authentication Issues
- Translating the Identity Server Configuration Port
- Problems Reading Keystores after Identity Server Re-installation
- Troubleshooting Access Manager Policies
- Turning on Logging for Policy Evaluation
- Understanding Policy Evaluation Traces
- Common Configuration Problems That Prevent a Policy from Being Applied as Expected
- The Policy Seems to Be Using Old User Data
- Form Fill and Identity Injection Silently Fail
- Checking for Corrupted Policies
- Policy Page Timeout
- Policy Creation and Storage
- Policy Distribution
- Policy Evaluation: Access Gateway Devices
- Troubleshooting the Access Gateway
- Fixing Problems Common to Both Platforms
- Troubleshooting the Linux Access Gateway
- Troubleshooting the NetWare Access Gateway
- Troubleshooting the SSL VPN
- Connecting Successfully to the Server
- TFTP Application Does Not Work in the Enterprise Mode
- SSL VPN Not Reporting
- Verifying SSL VPN Components
- Issues With Keep Alive
- Unable to Contact the SSL VPN Server
- Unable to Get Authentication Headers
- The SSL VPN Connection Is Successful But There Is No Data Transfer
- Unable to Connect to the SSL VPN Gateway
- Multiple Instances of SSL VPN Running
- Using the Log Files for Troubleshooting
- Enabling Logging
- Understanding Log Format
- Sample Authentication Traces
- Troubleshooting XML Validation Errors
- Modifying a Configuration That References a Removed Object
- Configuration UI Writes Incorrect Information to the Local Configuration Store
- Troubleshooting Certificate Issues
- Resolving a -1226 PKI Error
- Importing an External Certificate Key Pair
- Mutual SSL with X.509 Produces Untrusted Chain Messages
- Certificate Command Failure
- Can’t Log In with Certificate Error Messages
- When a User Accesses a Resource, the Browser Displays Certificate Errors
- Access Gateway Cancelled Certificate Modifications
- A Device Reports Certificate Errors
- Appendixes
- About Liberty
- Understanding How Access Manager Uses SAML
- Attribute Mapping with Liberty
- Trusted Provider Reference Metadata
- Identity Federation
- Authorization Services
- What's New in SAML 2.0?
- Identity Provider Process Flow
- SAML Service Provider Process Flow
- Certificates Terminology
- Data Model Extension XML
- Elements
- Writing Data Model Extension XML
- Logging: Using the Custom Content Filter
- Custom Content Filter XML Syntax
- Examples of Custom Content Filter XML
- Custom Content Filter Thread Identifiers
- Authentication Classes and Duplicate Common Names
- Access Manager Audit Events and Data
- NIDS: Sent a Federate Request (002e0001)
- NIDS: Received a Federate Request (002e0002)
- NIDS: Sent a Defederate Request (002e0003)
- NIDS: Received a Defederate Request (002e0004)
- NIDS: Sent a Register Name Request (002e0005)
- NIDS: Received a Register Name Request (002e0006)
- NIDS: Logged Out an Authentication that Was Provided to a Remote Consumer (002e0007)
- NIDS: Logged out a Local Authentication (002e0008)
- NIDS: Provided an Authentication to a Remote Consumer (002e0009)
- NIDS: User Session Was Authenticated (002e000a)
- NIDS: Failed to Provide an Authentication to a Remote Consumer (002e000b)
- NIDS: User Session Authentication Failed (002e000c)
- NIDS: Received an Attribute Query Request (002e000d)
- NIDS: User Account Provisioned (002e000e)
- NIDS: Failed to Provision a User Account (002e000f)
- NIDS: Web Service Query (002e0010)
- NIDS: Web Service Modify (002e0011)
- NIDS: Connection to User Store Replica Lost (002e0012)
- NIDS: Connection to User Store Replica Reestablished (002e0013)
- NIDS: Server Started (002e0014)
- NIDS: Server Stopped (002e0015)
- NIDS: Server Refreshed (002e0016)
- NIDS: Intruder Lockout (002e0017)
- NIDS: Severe Component Log Entry (002e0018)
- NIDS: Warning Component Log Entry (002e0019)
- NIDS: Roles PEP Configured (002e0300)
- Access Gateway: PEP Configured (002e0301)
- J2EE Agent: Web Service Authorization PEP Configured (002e0305)
- J2EE Agent: JACC Authorization PEP Configured (002e0306)
- Roles Assignment Policy Evaluation (002e0320)
- Access Gateway: Authorization Policy Evaluation (002e0321)
- Access Gateway: Form Fill Policy Evaluation (002e0322)
- Access Gateway: Identity Injection Policy Evaluation (002e0323)
- J2EE Agent: Web Service Authorization Policy Evaluation (002e0324)
- J2EE Agent: Web Service SSL Required Policy Evaluation (002e0325)
- J2EE Agent: Startup (002e0401)
- J2EE Agent: Shutdown (002e0402)
- J2EE Agent: Reconfigure (002e0403)
- J2EE Agent: Authentication Successful (002e0404)
- J2EE Agent: Authentication Failed (002e0405)
- J2EE Agent: Web Resource Access Allowed (002e0406)
- J2EE Agent: Clear Text Access Allowed (002e0407)
- J2EE Agent: Clear Text Access Denied (002e0408)
- J2EE Agent: Web Resource Access Denied (002e0409)
- J2EE Agent: EJB Access Allowed (002e040a)
- J2EE Agent: EJB Access Denied (002e040b)
- Access Gateway: Access Denied (0x002e0505)
- Access Gateway: URL Not Found (0x002e0508)
- Access Gateway: System Started (0x002e0509)
- Access Gateway: System Shutdown (0x002e050a)
- Access Gateway: Identity Injection Parameters (0x002e050c)
- Access Gateway: Identity Injection Failed (0x002e050d)
- Access Gateway: Form Fill Authentication (0x002e050e)
- Access Gateway: Form Fill Authentication Failed (0x002e050f)
- Access Gateway: URL Accessed (0x002e0512)
- Access Gateway: IP Access Attempted (0x002e0513)
- Access Gateway: Webserver Down (0x002e0515)
- Access Gateway: All WebServers for a Service is Down (0x002e0516)
- Management Communication Channel: Health Change (0x002e0601)
- Management Communication Channel: Device Imported (0x002e0602)
- Management Communication Channel: Device Deleted (0x002e0603)
- Management Communication Channel: Device Configuration Changed (0x002e0604)
- Management Communication Channel: Device Alert (0x002e0605)
- Legal Notices