10.1 Understanding the Differences between iChain and Access Manager

The following sections describe some of the major differences between iChain and Access Manager:

10.1.1 Component Differences

With iChain, you have a single machine that provides authentication and authorization for single sign-on to protected resources. Administration is done through multiple applications: the Web application, ConsoleOne®, and sometimes an LDAP browser. The embedded operating system is NetWare®, and at the NetWare console, you use command line options to configure the system.

With Access Manager, you have multiple components. Each component can be installed on its own machine, some can be installed on the same machine, and some can be installed on different operating systems: Linux, Windows, and NetWare. Access Manager has the following components:

  • Administration Console: Installed on Linux and provides a single point of administration. It stores the configuration for all Access Manager components and uses a modified iManager interface. It can be installed on the same machine as the Identity Server.

  • Identity Server: Installed on Linux and provides single sign-on authentication, federation with other identity providers, and role and policy distribution. Roles are assigned at authentication time and filter through all components, thus simplifying the definition of authorization policies.

  • Access Gateway: Installed on Linux or NetWare as a soft appliance and provides single sign-on to Web servers and access control through policies to the resources on the Web servers. You can require SSL connections between the browsers and the Access Gateway, but require only HTTP connections between the Access Gateway and the Web servers, thus reducing the need for certificates on the Web servers.

  • SSL VPN Server: Installed on Linux and provides single sign-on to private networks with non-HTTP applications.

  • J2EE Agent: Installed on a J2EE server to provide fine-grained authorization for J2EE applications and single sign-on. Currently Access Manager has agents for WebSphere, WebLogic, and JBoss* servers installed on Linux or Windows.

One of the first decisions you need to make is which Access Manager components you need. An Administration Console, an Identity Server, and an Access Gateway are required; the others are optional. You also need to decide which components to install on separate machines, which to combine on a single machine, and which operating systems to support.

For a more thorough description of these components, see Section 1.0, Introduction to Novell Access Manager.

10.1.2 Feature Comparison

The following table lists some of the major features of Access Manager and indicates support levels for both iChain and Access Manager.

Table 10-1 iChain and Access Manager Feature Comparison



| Feature | iChain | Access Manager |
|---|---|---|
| Web access management | iChain Proxy | Access Gateway |
| Access management of non-Web applications | Not supported | |
| Fine-grained access control of J2EE applications | Not supported | J2EE Agents |
| Identity Federation | SAML 1.0 | SAML 1.1/2.0 Liberty Alliance |
| Management tools | ConsoleOne Web application | iManager (a product-specific version called the Administration Console) |
| Proxy configuration store | Local. Stored on each iChain appliance. | Global. Stored on the Administration Console and used by all devices. |
| Authorization configuration store | eDirectory ISO object for protected resources, trusted roots, Form Fill, and Session Broker; eDirectory™ Rule objects (static and dynamic) | Administration Console configuration store |
| User store and authentication sources | LDAP (eDirectory only), RADIUS, NMAS™, OCSP/CLR Server | LDAP (eDirectory, Active Directory, SunONE), RADIUS, NMAS, OCSP/CLR Server, Custom |
| Supported operating systems | | Linux, NetWare, Windows |
| Citrix* integration | Proxy ICA traffic | |