The Administration Console has been designed to warn you when another administrator is making changes to a policy container or to an Access Manager device (such as an Access Gateway, SSL VPN, or J2EE Agent). The person who is currently editing the configuration is listed at the top of the page, together with that person’s distinguished name and IP address and an option to unlock the configuration. If you choose to unlock, you destroy all changes the other administrator is currently working on.
WARNING: Currently, locking has not been implemented on the pages for modifying the Identity Server. If you have multiple administrators, they need to coordinate with each other so that only one administrator is modifying an Identity Server cluster at any given time.
Multiple Sessions: You should not start multiple sessions to the Administration Console with the same browser on a workstation. Browser sessions share settings that can result in problems when you apply changes to configuration settings. However, if you are using two different brands of browsers simultaneously, such as Internet Explorer* and Firefox*, it is possible to avoid the session conflicts.
Multiple Administration Consoles: As long as the primary console is running, all configuration changes should be made at the primary console. If you make changes at both a primary console and a secondary console, browser caching can cause you to create an invalid configuration.
The following sections explain how to create additional administrator accounts and how to delegate rights to administrators:
The Administration Console is installed with one admin user account. If you have multiple administrators, you might want to create a user account for each one so that log files reflect the modifications of each administrator. The easiest way to do this is to create an account for each administrator and make the user security equivalent to the admin user. You can also create delegated administrators and configure them to have rights to specific components of Access Manager. For configuration information for this type of user, see Section 1.6.2, Managing Delegated Administrators.
To create a user who is security equivalent to the admin user:
In the Administration Console from the Roles and Tasks view, click > .
Create a user account for each administrator.
Click , then select the created user.
Click > .
Select the admin user, then click > .
Repeat Step 3 through Step 5 for each user you want to make security equivalent to the admin user.
As the Access Manager admin user, you can create delegated administrators to manage the following Access Manager components.
Individual Access Gateways or an Access Gateway cluster
Identity Server clusters
Individual J2EE agents or a J2EE agent cluster
Individual SSL VPN servers or an SSL VPN cluster
Policy containers
IMPORTANT: You need to trust the users you assign as delegated administrators. They are granted sufficient rights that they can compromise the security of the system. For example, if you create delegated administrators with View/Modify rights to policy containers, be aware that they have sufficient rights to implement a cross-site scripting attack using the Deny Message in an Access Gateway Authorization policy.
Delegated administrators are also granted rights to the LDAP server, which means they can access the configuration datastore with an LDAP browser. Any modifications made with the LDAP browser are not logged by Access Manager. To log monitor events, you need to turn on eDirectory auditing. For configuration information, see Activating eDirectory Auditing for LDAP Events.
By default, all users except the admin user are assigned no rights to the policy containers and the devices. The admin user has all rights and cannot be configured to have less than all rights. The admin user is the only user who has the rights to delegate rights to other users, and the only user with sufficient rights to modify keystores, create certificates, and import certificates.
The configuration pages for delegated administrators control access to the Access Manager pages. They do not control access to the tasks available for the view in iManager. If you want your delegated administrators to have rights to any of these tasks such as Directory Administration or Groups, you must use eDirectory™ methods to grant the user rights to these tasks or enable and configure Role-Based Services in iManager.
To create a delegated administrator, you must first create the user accounts, then assign them rights to the Access Manager components.
In the Administration Console, select the Roles and Tasks view from the iManager view bar.
(Optional) If you want to create a container for your delegated administrators, click > then create a container for the administrators.
To create the users, click > and create user accounts for your delegated administrators.
Return to the Access Manager view, then click in the menu.
Select the component you want to assign a user to manage.
For more information about the types of rights you might want to assign for each component, see the following
To assign all delegated administrators the same rights to a component, configure by using the drop-down menu and selecting , , or .
By default, is configured for . is a quick way to assign everyone View Only rights to a component when you want your delegated administrators to have the rights to view the configuration but not change it.
To select one or more users to assign rights, click , then fill in the following fields:
Name filter: Specify a string that you want the user’s cn attribute to match. The default value is an asterisk, which matches all cn values.
Search from context: Specify the context you want used for the search. Click the down-arrow to select from a list of available contexts.
Include subcontainers: Specifies whether subcontainers should be searched for users.
Click , and the section is populated with the users that match the query.
In the section, select one or more users to whom you want to grant the same rights.
For the option, click the down-arrow and select one of the following values:
View/Modify: Grants full configuration rights to the device. View/Modify rights do not grant the rights to manage keystores, to create certificates, or to import certificates from other servers or certificate authorities. View/Modify rights allow the delegated administrator to perform actions such as stop, start, and update the device.
If the assignment is to a policy container, this option grants the rights to create policies of any type and to modify any existing policies in the container.
View Only: Grants the rights to view all the configuration options of the device or all rules and conditions of the policies in a container.
None: Prevents the user from seeing the device or the policy container.
In the or s section, select the devices, the clusters, or policy containers that you want to assign for delegated administration.
Click .
The rights are immediately assigned to the selected users. If the user already had a rights assignment to the device or policy container, this new assignment overwrites any previous assignments.
After assigning a user rights, check the user’s effective rights.
A user’s effective rights and assigned rights do not always match. For example, if Kim is granted View Only rights but All Users have been granted View/Modify rights, Kim’s effective rights are View/Modify.
When a user is granted View/Modify rights to a device, the user is automatically assigned View Only rights to the policy containers. If you explicitly remove the View Only rights from the policy containers, the user no longer has the rights to view the policies for that device.
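The effective-rights rules above (a user’s own assignment, the All Users assignment, the View Only rights implied on policy containers by View/Modify rights on a device, and a later assignment overwriting an earlier one) can be modelled so that you can check a delegated administrator’s effective rights against what you meant to assign. The following is an added example written for this page; it is not Access Manager code and it does not read the configuration datastore. It assumes rights are ordered None < View Only < View/Modify, that the effective right is the higher of the user’s own assignment and the All Users assignment, that only Access Gateway, SSL VPN and J2EE Agent assignments imply policy-container rights (Identity Server cluster administrators get none, as stated later on this page), and that an explicit assignment on a container, including None, replaces the implied View Only right. The user and target names are constructed for the example.

```python
from enum import IntEnum


class Right(IntEnum):
    """Rights as presented in the Administration Console, ordered for comparison (assumption)."""
    NONE = 0
    VIEW_ONLY = 1
    VIEW_MODIFY = 2


# Device kinds whose View/Modify assignment implies View Only on policy containers.
# Identity Server clusters are excluded: their delegated administrators are not
# granted policy-container rights automatically.
IMPLYING_KINDS = {"access_gateway", "sslvpn", "j2ee_agent"}

ADMIN_USER = "admin"  # the built-in admin user always has all rights


class DelegationModel:
    """Model of delegated-administrator assignments (hypothetical, not the product's API)."""

    def __init__(self):
        self.all_users = {}   # target -> Right: the All Users setting per target
        self.assigned = {}    # (user, target) -> Right: explicit per-user assignments

    def set_all_users(self, target, right):
        self.all_users[target] = right

    def assign(self, user, target, right):
        # A new assignment overwrites any previous assignment for the same user and target.
        self.assigned[(user, target)] = right

    def _implied_container_right(self, user):
        # View/Modify on an implying device kind grants View Only on every policy container.
        for (u, (kind, _name)), right in self.assigned.items():
            if u == user and kind in IMPLYING_KINDS and right == Right.VIEW_MODIFY:
                return Right.VIEW_ONLY
        return Right.NONE

    def assigned_right(self, user, target):
        """The right explicitly assigned to the user on the target (None if no assignment)."""
        return self.assigned.get((user, target))

    def effective(self, user, target):
        """Effective right: own (or implied) assignment, raised to the All Users assignment."""
        if user == ADMIN_USER:
            return Right.VIEW_MODIFY
        own = self.assigned.get((user, target))
        if own is None and target[0] == "policy_container":
            own = self._implied_container_right(user)
        if own is None:
            own = Right.NONE
        return max(own, self.all_users.get(target, Right.NONE))

    def mismatches(self, user, targets):
        """The check recommended above: targets where effective rights exceed what was assigned."""
        rows = []
        for target in targets:
            assigned = self.assigned_right(user, target) or Right.NONE
            effective = self.effective(user, target)
            if effective != assigned:
                rows.append((target, assigned, effective))
        return rows


def kim_example():
    """Reproduces the Kim case from the text: View Only assigned, View/Modify for All Users."""
    model = DelegationModel()
    gateway = ("access_gateway", "ag-cluster-1")          # constructed target name
    model.assign("kim", gateway, Right.VIEW_ONLY)
    model.set_all_users(gateway, Right.VIEW_MODIFY)
    return model.effective("kim", gateway)


if __name__ == "__main__":
    m = DelegationModel()
    gateway = ("access_gateway", "ag-cluster-1")
    container = ("policy_container", "container-a")       # constructed target name
    m.assign("kim", gateway, Right.VIEW_MODIFY)
    for target, assigned, effective in m.mismatches("kim", [gateway, container]):
        print(f"{target}: assigned={assigned.name} effective={effective.name}")
```

Running the block lists the policy container, where Kim has no explicit assignment but an effective View Only right implied by the View/Modify assignment on the gateway; that is the kind of difference the check after each assignment is meant to surface.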
You can assign a user to be a delegated administrator of an Access Gateway cluster or a single Access Gateway that does not belong to a cluster. You cannot assign a user to manage a single member of a cluster.
When a delegated administrator of an Access Gateway cluster is granted View/Modify rights, the administrator has sufficient rights to change the cluster configuration, to stop and start (or reboot and shutdown), and to update the Access Gateways in the cluster. However, to configure the Access Gateway to use SSL, you need to be the admin user, rather than a delegated administrator.
When the user is assigned View/Modify rights to manage a cluster or an Access Gateway, the user is automatically granted View Only rights to the policy containers. This allows the delegated administrator to view the policies and assign them to protected resources. It does not allow them to modify the policies. If you want the delegated administrator to modify or create policies, you need to grant View/Modify rights to a policy container.
View/Modify rights to an Access Gateway or a cluster also grants View Only rights to the Identity Server cluster configuration. This allows the delegated administrator to modify which Identity Server cluster the Access Gateway uses for authentication. It does not allow them to update the Identity Server configuration, which is required whenever the Access Gateway is configured to trust an Identity Server. To update the Identity Server, the delegated administrator needs View/Modify rights to the Identity Server configuration.
All delegated administrators with View/Modify rights to a device have read rights to the policy containers. To create or modify policies, a delegated administrator needs View/Modify rights to a policy container. When a delegated administrator has View/Modify rights to any policy container, the delegated administrator is also granted enough rights to allow the administrator to select shared secret values, attributes, LDAP groups, and LDAP OUs to policies.
If you want your delegated administrators to have full control over a device and its policies, you might want to create a separate policy container for each delegated administrator or for each device that is managed by a group of delegated administrators.
You cannot assign a delegated administrator to an individual Identity Server. You can only assign a delegated administrator to a cluster configuration, which gives the delegated administrator rights to all the cluster members.
When a delegated administrator of an Identity Server cluster is granted View/Modify rights, the administrator has sufficient rights to change the cluster configuration and to stop, start, and update the Identity Servers in the cluster. The administrator is granted view rights to the keystores for each Identity Server in the cluster. To change any of the certificates, the administrator needs to be the admin user rather than a delegated administrator.
The delegated administrator of an Identity Server cluster is not granted any rights to the policy containers. If you want the delegated administrator with View/Modify rights to the cluster to have policy rights, grant the following rights:
To have sufficient rights to create Role policies, grant View/Modify rights to a policy container.
To have sufficient rights to enable Role policies, grant View Only rights to the policy containers with Role policies.
If the SSL VPN has an Embedded Service Provider and you grant the delegated administrator View/Modify rights to the SSL VPN or its cluster, the delegated administrator is automatically granted View Only rights to the Identity Server cluster configuration. This allows the delegated administrator to modify which Identity Server the SSL VPN or cluster uses for authentication. It does not allow them to update the Identity Server configuration, which is required for this type of modification. To update the Identity Server, the delegated administrator needs View/Modify rights to the Identity Server configuration.
If the SSL VPN is a protected resource of an Access Gateway and you want the delegated administrator to have rights to the Access Gateway and the SSL VPN policy, you need to also grant the user View/Modify rights to the Access Gateway and the SSL VPN policy container.
When a delegated administrator of an SSL VPN is granted View/Modify rights, the administrator has sufficient rights to change the configuration, to stop and start the service, and to update the server’s configuration.
To set up the secure tunnel certificate, the SSL VPN administrator also needs to be a certificate administrator with View/Modify rights.
You can assign a user to be a delegated administrator of a J2EE Agent cluster or a single J2EE Agent that does not belong to a cluster. When a user is assigned View/Modify rights to manage an agent, the user is automatically assigned View Only rights to the policy containers. If you want the delegated administrator to create or modify J2EE Agent Authorization policies, you need to grant the delegated administrator View/Modify rights to a policy container.
View/Modify rights to an agent also grants View Only rights to the Identity Server cluster configuration. This allows the delegated administrator to modify which Identity Server the agent uses for authentication. It does not allow them to update the Identity Server configuration, which is required for this configuration change. To update the Identity Server, the delegated administrator needs View/Modify rights to the Identity Server configuration.
View/Modify rights allows the administrator rights to change the configuration, to stop and start the agent, and to update the agent’s configuration.
To configure certificates for the agent, the J2EE agent administrator also needs to be a certificate administrator with View/Modify rights.
If you are concerned that your delegated administrators might use an LDAP browser to access the configuration datastore, you can configure eDirectory to audit events that come from LDAP connections to the LDAP server.
In the Administration Console, click > .
Make sure you have configured the IP address and port to use for your Secure Logging Server.
The server can be a Novell Audit server or a Sentinel server. For more information about this process, see Section 1.7, Enabling Auditing.
WARNING: Whenever you change the port or address of the Secure Logging Server, all Access Gateways must be updated, then every Access Manager device (Identity Server, Administration Console, Access Gateways, SSL VPN servers, and J2EE Agents) must be rebooted (not just the module stopped and started) before the configuration change takes effect.
From the iManager view bar, select the Roles and Tasks view.
Click > .
Click the icon, expand the container, then select the eDirectory server.
The eDirectory server uses the tree name, without the _TREE suffix, for its name. The tree name is displayed in the iManager view bar.
Click > > .
From the , , and sections, select the events that you want to monitor for potential security problems.
In the section, you would probably want to monitor changes made to groups and ACLs.
In the section, you would probably want to monitor who is logging in and out and if objects are being created or deleted.
In the section, you would probably want to monitor when attribute values are added or deleted.
Click .
(Linux) Restart eDirectory and the Audit Server. Enter the following commands:
/etc/init.d/ndsd restart
/etc/init.d/novell-naudit restart
(Windows) Restart eDirectory and the Audit Server:
Click > > .
Right-click , then select .
Answer to the prompt to stop the .
Right-click , then select .
Right-click , then select .