Novell Access Manager (NAM) provides secure, single sign-on access to trusted NetIQ Cloud Manager users from any location, in spite of the internal technical and organizational boundaries in your enterprise. Novell Access Manager supports multi-factor authentication, role-based access control, data encryption, and SSL VPN services.
The content in this section is not intended as a comprehensive guide to NAM. You should have already installed Novell Access Manager and a Novell Access Manager Access Gateway. You should also have installed NetIQ Cloud Manager, and the Cloud Manager Application Server should be running.
You need to be familiar with Novell Access Manager capabilities so that you understand the context of the content in this section. For more information about Novell Access Manager, see the Access Manager documentation Web site.
A reverse proxy acts as the front end to the Cloud Manager Web Server for clients on the Internet. The proxy off-loads frequent requests, thereby freeing up bandwidth. It also increases security because the IP addresses of your Web servers are hidden from the Internet.
You can use an existing reverse proxy and add a new proxy service for Cloud Manager or you can create a new reverse proxy with a service for Cloud Manager. You can configure the authentication settings of the reverse proxy according to the needs of your enterprise.
For information about creating a new reverse proxy, see “Managing Reverse Proxies and Authentication” in the Novell Access Manager 3.1 SP4 Configuration Guide.
When the reverse proxy is set up as you want it, you need to perform the other configuration procedures necessary for Novell Access Manager authentication:
You must create a unique proxy service for Cloud Manager. Configure the proxy service settings according to the needs of your enterprise.
The first proxy service of a reverse proxy is considered the master (or parent) proxy. Subsequent proxy services can use domain-based, path-based, or virtual multi-homing, relative to the published DNS name of the master proxy service. If you are creating a second proxy service to be used for Cloud Manager on the reverse proxy, see “Using Multi-Homing to Access Multiple Resources” in the Novell Access Manager 3.1 SP4 Access Gateway Guide.
Remember that for the
setting of the proxy service, you need to specify the IP Address for the Cloud Manager Web server, and for the setting of the proxy service, you need to specify the DNS name of the Cloud Manager Web server.
When you have configured the proxy service according to your needs, you can continue with Adding and Protecting All Cloud Manager Resources.
A protected resource configuration specifies the directory (or directories) on the Cloud Manager Web server that you want to protect. The protected resource configuration specifies the authorization procedures and the policies that should be used to enforce protection.
You need to group all of the Cloud Manager resources that use the proxy service.
To create a resource that groups all of the Cloud Manager services:
Log in to the Access Manager Administration Console. For information about accessing the console, see “Logging In to the Administration Console” in the Novell Access Manager 3.1 SP4 Installation Guide.
In the console, select
> to open the Access Gateways page.
On the Access Gateways page, select
for the Gateway Server you want to edit. This displays the Access Gateway Server Configuration page.
On the Access Gateway Server Configuration page, select the name of the reverse proxy. This opens the Reverse Proxy configuration page.
On the Reverse Proxy page, select the proxy service you want to configure. This opens the Reverse Proxy Service page.
On the Reverse Proxy Service page, select the
tab to open the Protected Resources page.
Configure the protected resource:
On the Protected Resources page, select
, then specify a display name for the new resource you want to protect. For example, to create a resource that you want to use to represent all Cloud Manager resources, you could name the resource “everything.”
When you create the display name, the Overview page for the new resource is displayed.
Fill in the fields to configure the resource:
Description: Specify a description for the protected resource. You can use it to briefly describe the purpose for protecting this resource.
Authentication Procedure: Select
from the drop-down list. This specifies form-based authentication over HTTP or HTTPS, using the Access Manager login form.
URL Path: Select the default path, which is /*. This specifies everything on the Cloud Manager Web Server.
Click the
breadcrumb at the top of the Overview page to return to the Protected Resources page.
On the Protected Resources page, make sure that the new protected resource is selected as .
Continue with Creating an Identity Injection Policy for the New Cloud Manager Protected Resource.
When the Cloud Manager protected resource is created, you need to associate it with an Access Manager identity injection policy to protect it. This policy specifies the information that must be injected into the HTTP header. Because Cloud Manager is configured to detect certain fields in the header, it can deny user authentication or redirect that user to an alternate Web page if it does not find the required information in the header.
Log in to the Access Manager Administration Console. For information about accessing the console, see “Logging In to the Administration Console” in the Novell Access Manager 3.1 SP4 Installation Guide.
In the Access Manager Administration Console, select
> to open the Access Gateways page.
On the Access Gateways page, select
for the Gateway Server you want to edit. This displays the Access Gateway Server Configuration page.
On the Access Gateway Server Configuration page, select the name of the reverse proxy. This opens the Reverse Proxy configuration page.
On the Reverse Proxy page, select the proxy service you want to configure. This opens the Reverse Proxy Service page.
On the Reverse Proxy Service page, select the
tab to open the Protected Resources page.
On the Protected Resources page, select the display name of the Cloud Manager protected resource to open the properties views, then select
to open the Identity Injection Policy List.
Select
to open the Policies page.
Fill in the fields.
Description: (Optional) Describe the purpose of this policy. Because Identity Injection policies are customized to match the content of a specific Web server, include the name of the Cloud Manager Web server as part of the description.
Priority: Specify the order in which a rule is applied in the policy, when the policy has multiple rules. The highest priority is 1 and the lowest priority is 10.
In the actions panel of the page, select
> .
This inserts custom names with values into a custom header.
Configure five custom policy headers for Cloud Manager. You must configure the attributes of the custom headers as specified below. The headers must be created or moved into the order listed. You can use the
icon to copy each header, then you can modify the configurations as needed.
Create the X-TrustedUser header, using the following information to populate the fields:
Custom Header Name: Specify X-TrustedUser.
Value: Select
. Selecting this option enables the LDAP attribute list box and the Refresh Data Rate list box. For this header, select as the LDAP attribute, then select as the refresh rate.
Multi-Value Separator: Select the semicolon (
) separator from the list box.
DN Format: Select the
option from the list box.
Create the X-TrustedRoles header, using the following information to populate the fields:
Custom Header Name: Specify X-TrustedRoles.
Value: Select
. Selecting this option enables the LDAP attribute list box and the Refresh Data Rate list box. For this header, select as the LDAP attribute, then select as the refresh rate.
NOTE: The
attribute applies if you are using eDirectory. If you are using Active Directory, the attribute is .
Multi-Value Separator: Select the semicolon (
) separator from the list box.
DN Format: Select the
option from the list box.
Create the X-TrustedUserFQDN header, using the following information to populate the fields:
Custom Header Name: Specify X-TrustedUserFQDN.
Value: Select
. Selecting this option enables the Credential Profile list box. For this header, select as the credential profile.
Multi-Value Separator: Select the semicolon (
) separator from the list box.
DN Format: Select the
option from the list box.
Create the X-TrustedUserDisplayName header, using the following information to populate the fields:
Custom Header Name: Specify X-TrustedUserDisplayName.
Value: Select
. Making this selection enables the LDAP attribute list box and the Refresh Data Rate list box. For this header, select as the LDAP attribute, then select as the refresh rate.
Multi-Value Separator: Select the semicolon (
) separator from the list box.
DN Format: Select the
option from the list box.
Create the X-TrustedUserEmail header, using the following information to populate the fields:
Custom Header Name: Specify X-TrustedUserEmail.
Value: Select
. Making this selection enables the LDAP attribute list box and the Refresh Data Rate list box. For this header, select as the LDAP attribute, then select as the refresh rate.
Multi-Value Separator: Select the semicolon (
) separator from the list box.
DN Format: Select the
option from the list box.
Click
to save the new policy and display it on the Policies page.
On the Policies page, click
to enable this new policy for the protected resource.
Continue with Adding and Configuring an HTML Rewriter Profile for the Proxy Service.
NOTE: Make sure that you always update your configuration when you make changes in Novell Access Manager.
For more information, see “Configuring an Identity Injection Policy” in the Novell Access Manager 3.1 SP4 Policy Guide.
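The identity injection policy above makes the Access Gateway add five headers to every request it forwards, and the text notes that Cloud Manager denies or redirects a user when the required fields are absent. The following added example (not code from NetIQ or Cloud Manager) models that back-end check: it only honours the headers when the request came from the gateway, requires all five headers, and splits X-TrustedRoles on the configured semicolon separator. The gateway address, the sample header values and the function name are assumptions.

```python
# Header names and the ";" multi-value separator as configured in the
# identity injection policy above. Everything else here is constructed.
TRUSTED_HEADERS = (
    "X-TrustedUser",
    "X-TrustedRoles",
    "X-TrustedUserFQDN",
    "X-TrustedUserDisplayName",
    "X-TrustedUserEmail",
)
MULTI_VALUE_SEPARATOR = ";"
# Constructed: addresses of the Access Gateway. The injected headers are
# only trustworthy when the gateway, not the client, set them.
GATEWAY_ADDRESSES = {"10.0.0.5"}


def trusted_identity(headers: dict, peer_address: str) -> tuple:
    """Return (identity, "") when the request came from the gateway and every
    injected header is present; otherwise (None, reason) for deny/redirect."""
    if peer_address not in GATEWAY_ADDRESSES:
        return None, "request did not arrive through the Access Gateway"
    lowered = {name.lower(): value for name, value in headers.items()}
    values = {}
    for name in TRUSTED_HEADERS:
        value = lowered.get(name.lower(), "").strip()
        if not value:
            return None, f"missing header {name}"
        values[name] = value
    # X-TrustedRoles is multi-valued; split on the configured separator.
    roles = [r.strip() for r in values["X-TrustedRoles"].split(MULTI_VALUE_SEPARATOR)
             if r.strip()]
    if not roles:
        return None, "X-TrustedRoles carries no role"
    return {
        "user": values["X-TrustedUser"],
        "roles": roles,
        "fqdn": values["X-TrustedUserFQDN"],
        "display_name": values["X-TrustedUserDisplayName"],
        "email": values["X-TrustedUserEmail"],
    }, ""


# Constructed sample of the headers as the gateway forwards them.
SAMPLE_HEADERS = {
    "X-TrustedUser": "jsmith",
    "X-TrustedRoles": "cm-admin;cm-user",
    "X-TrustedUserFQDN": "cn=jsmith,ou=users,o=example",
    "X-TrustedUserDisplayName": "Jane Smith",
    "X-TrustedUserEmail": "jsmith@example.com",
}
```

The source-address check matters because a client that can reach the Cloud Manager Web server directly could otherwise supply these headers itself, which is why the text stresses keeping the Web server hidden behind the reverse proxy.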
The changes you make to the Novell Access Manager Access Gateway configurations for Cloud Manager require HTML rewriting because the Cloud Manager Web server is not aware that the Access Gateway machine is obfuscating its DNS names. URLs contained in its pages must be checked to ensure that these references contain the DNS names that the client browser understands. On the other end, the client browsers are not aware that the Access Gateway is obfuscating the DNS names of the resources they are accessing. The URL requests coming from the client browsers that use published DNS names must be rewritten to the DNS names that the Cloud Manager Web server expects.
The information in “Understanding the Rewriting Process” in the Novell Access Manager 3.1 SP4 Access Gateway Guide explains this process more fully.
You need to create and configure a new HTML Rewriter Profile for use with Cloud Manager.
Log in to the Access Manager Administration Console. For information about accessing the console, see “Logging In to the Administration Console” in the Novell Access Manager 3.1 SP4 Installation Guide.
In the Access Manager Administration Console, select
> to open the Access Gateways page.
On the Access Gateways page, select
for the Gateway Server you want to edit. This displays the Access Gateway Server Configuration page.
On the Access Gateway Server Configuration page, select the name of the reverse proxy. This opens the Reverse Proxy configuration page.
On the Reverse Proxy page, select the proxy service you want to configure. This opens the Reverse Proxy Service page.
On the Reverse Proxy Service page, select the
tab to open the HTML Rewriting page.
The HTML Rewriting page specifies which DNS names are to be rewritten. The HTML Rewriter Profile specifies which pages to search for DNS names that need to be rewritten.
Select
.
This option is enabled by default. When it is disabled, no rewriting occurs. When it is enabled, this option activates the internal HTML rewriter. When data is sent to the browsers, this rewriter replaces the name of the Cloud Manager Web server with the published DNS name. It replaces the published DNS name with the Web Server Host Name when sending data to the Cloud Manager Web server. It also ensures that the proper scheme (HTTP or HTTPS) is included in the URL. This is needed because you can configure the Access Gateway to use HTTPS between itself and client browsers and to use HTTP between itself and the Web servers.
Specify a name for the new profile, use the default search boundary, then click
to open the HTML Rewriter configuration page.
In the
section of the page, click to open a New dialog box.
In the dialog box, specify the new content-type header, which is application/xml, select the check box, then click to make sure that the new Content-Type Header is enabled for the protected resource.
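To make concrete what the rewriter profile does and why application/xml has to be added for Cloud Manager, here is an added example (not Novell Access Manager code) that models both rewriting directions described above: outbound bodies have the Web Server Host Name replaced by the published DNS name with the browser's scheme, inbound request URLs are mapped back, and only content types listed in the profile are touched. The host names, the default content type list, the sample XML response and the function names are assumptions.

```python
# Constructed names: the internal Web Server Host Name that the proxy
# service points at, and the published DNS name the browser uses.
WEB_SERVER_HOST_NAME = "cm-internal.example.local"
PUBLISHED_DNS_NAME = "cloud.example.com"
# The browser-to-gateway leg is HTTPS even where gateway-to-Web-server is HTTP.
PUBLISHED_SCHEME = "https"
WEB_SERVER_SCHEME = "http"
# Content types the rewriter profile searches. text/html is an assumed
# default; application/xml is the type the procedure above adds.
REWRITE_CONTENT_TYPES = {"text/html", "application/xml"}


def media_type(content_type_header: str) -> str:
    """'application/xml; charset=utf-8' -> 'application/xml'."""
    return content_type_header.split(";", 1)[0].strip().lower()


def rewrite_response_body(content_type_header: str, body: str) -> str:
    """Outbound direction: replace the Web Server Host Name with the
    published DNS name, forcing the scheme the browser uses. Bodies whose
    content type is not in the profile pass through untouched."""
    if media_type(content_type_header) not in REWRITE_CONTENT_TYPES:
        return body
    for scheme in ("http", "https"):
        body = body.replace(f"{scheme}://{WEB_SERVER_HOST_NAME}",
                            f"{PUBLISHED_SCHEME}://{PUBLISHED_DNS_NAME}")
    # Bare host references without a scheme are rewritten as well.
    return body.replace(WEB_SERVER_HOST_NAME, PUBLISHED_DNS_NAME)


def rewrite_request_url(url: str) -> str:
    """Inbound direction: a browser request for the published name becomes
    the URL the Cloud Manager Web server expects."""
    published = f"{PUBLISHED_SCHEME}://{PUBLISHED_DNS_NAME}"
    if url.startswith(published):
        return f"{WEB_SERVER_SCHEME}://{WEB_SERVER_HOST_NAME}" + url[len(published):]
    return url


# Constructed XML response as the Cloud Manager Web server might return it.
SAMPLE_XML = ('<workloads href="http://cm-internal.example.local/api/workloads">'
              '<workload id="42"/></workloads>')
```

A response served with a content type that is not in the profile passes through with the internal host name still inside, which is the failure the application/xml entry prevents for Cloud Manager's XML responses.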