8.1 Configuring a Protected Resource for a Vibe Server

The following sections explain how to configure the Access Gateway with a domain-base multi-homing service. The instructions assume that you have a functioning Vibe server on Linux and a functioning Access Manager system (3.1 SP1 IR1 or higher) with a reverse proxy configured for SSL communication between the browsers and the Access Gateway.

The Vibe server needs to be configured to trust the Access Gateway to allow single sign-on with Identity Injection and to provide simultaneous logout. You also need to create an Access Gateway proxy service and configure it.

For information on other possible Access Gateway configurations, see “Teaming 2.0: Integrating with Linux Access Gateway”.

8.1.1 Configuring the Vibe Server to Trust the Access Gateway

To use Vibe as a protected resource of an Access Gateway and to use Identity Injection for single sign-on, the server needs a trusted relationship with the Access Gateway. With a trusted relationship, the Vibe server can process the authorization header credentials. The Vibe server accepts only a simple user name (such as user1) and password in the authorization header.

This section explains how to set up the trusted relationship and how to enable simultaneous logout, so that when the user logs out of Vibe, the user is also logged out of the Access Gateway.

To configure the trusted relationship:

  1. Log in to the Vibe server.

  2. Stop the Vibe server with the following command:

    /etc/init.d/teaming stop

  3. Run the installer-teaming.linux script.

  4. Accept the license agreement, then select Reconfigure settings, then click Next.

  5. Confirm that your Vibe server is shut down, then select Advanced installation, then click Next.

  6. Continue through the installation program until you reach the Network Information page. Ensure that you have a valid Host name specified. You will need this later in the installation.

  7. Continue through the installation program until you reach the Reverse Proxy Configuration page. Specify the following configuration options:

    Enable Access Gateway: Select this option to enable the reverse proxy access gateway.

    Access Gateway address(es): Specify the IP address of the Access Gateway that is used for the connection to the Vibe server.

    If the Access Gateway is part of a cluster, add the IP address for each cluster member. Wildcards such as 164.99.*.* are allowed.

    When you specify IP addresses in this option, Vibe logins are allowed only from the specified addresses. Also, if Authorization header credentials are not present or are incorrect, the user is prompted for login using Basic Authentication.

    Logout URL: Specify the URL of the published DNS name of the reverse proxy that you have specified for the ESP, plus /AGLogout.

    You can find the domain used for the ESP by editing the LAG/MAG cluster configuration, then clicking Reverse Proxy / Authentication.

    For example, if the published DNS name of the proxy service that you have specified for the ESP is esp.yoursite.com, specify the following URL:

    https://esp.yoursite.com/AGLogout

    Use Access Gateway for WebDAV connections: Leave this option unselected.

  8. Continue through the installation program to complete the reconfiguration process.

  9. Start the Vibe server with the following command:

    /etc/init.d/teaming start

  10. Continue with Configuring a Reverse-Proxy Single Sign-On Service for Vibe.

8.1.2 Configuring a Reverse-Proxy Single Sign-On Service for Vibe

To configure a reverse-proxy single sign-on service for Vibe, complete the following tasks:

Creating a New Reverse Proxy

Before you can configure the domain-based proxy service, you need to create a new reverse proxy. For information on how to create a reverse-proxy, see Managing Reverse Proxies and Authentication in the NetIQ Access Manager Administration Guide.

Configuring the Domain-Based Proxy Service

  1. In the Administration Console, click Devices > Access Gateways > Edit, then click the name of the reverse proxy that you created in Creating a New Reverse Proxy.

  2. Click the reverse proxy link that you have previously created. In the Reverse Proxy List, click New, then fill in the following fields:

    Proxy Service Name: Specify a display name for the proxy service that the Administration Console uses for its interfaces.

    Published DNS Name: Specify the DNS name you want the public to use to access your site. This DNS name must resolve to the IP address you set up as the listening address. For example, vibe.doc.provo.Novell.com.

    Web Server IP Address: Specify the IP address of the Vibe server.

    Host Header: Select the Forward received host name.

    Web Server Host Name: Because of your selection in the Host Header field, this option is dimmed.

  3. Click OK.

  4. Click the newly added proxy service, then select the Web Servers tab.

  5. Make sure that Enable Session Stickiness is selected.

    Otherwise, users will get Invalid RPC token errors when two or more Vibe servers are online.

  6. Select the check box Connect Using SSL to enable SSL and apply the certificate.

  7. Change the Connect Port to 8080.

    If the Linux Vibe server has port forwarding enabled, you do not need to change from the default port 80.

    NOTE:Change the Connect Port to 8443, If you need to change from the default port 443.

  8. Click TCP Connect Options.

  9. Click OK.

  10. Continue with Configuring Protected Resources.

Creating Policies

There are two policies that you need to create, LDAP Identity Injection, and X-Forwarded-Proto:

Creating the LDAP Identity Injection Policy

  1. In the Administration Console, click Policies > Policies.

  2. Select the policy container, then click New.

  3. Specify ldap_auth as the name for the policy, select Access Gateway: Identity Injection for the type, then click OK.

  4. (Optional) Specify a description for the injection policy. This is useful if you plan to create multiple policies to be used by multiple resources.

  5. In the Actions section, click New, then select Inject into Authentication Header.

  6. Fill in the following fields:

    User Name: Select Credential Profile > LDAP User Name.

    Password: Select Credential Profile > LDAP Password.

  7. Leave the default value for the Multi-Value Separator, which is comma.

  8. Click OK.

  9. To save the policy, click OK, then click Apply Changes.

    For more information on creating such a policy, see Configuring an Authentication Header Policy in the NetIQ Access Manager Appliance 4.2 Administration Guide.

Creating the X-Forwarded-Proto HTTP Header Policy

When communicating over HTTPS from the browser to Access Manager, and over HTTP from Access Manager to Vibe, the X-Forwarded-Proto is a best practice. Vibe 3.3 was enhanced to take advantage of the HTTP header X-Forwarded-Proto.

  1. In the Administration Console, click Policies > Policies.

  2. Select the policy container, then click New.

  3. Specify x-forwarded as the name for the policy, select Access Gateway: Identity Injection for the type, then click OK.

  4. (Optional) Specify a description for the injection policy. This is useful if you plan to create multiple policies to be used by multiple resources.

  5. In the Actions section, click New, then select Inject into Custom Header.

  6. Fill in the following fields:

    Custom Header Name: Specify X-Forwarded-Proto as the name.

    Value: Select String Constant in the drop-down, then specify https.

  7. Leave the other settings at the defaults.

  8. Click OK.

  9. To save the policy, click OK, then click Apply Changes.

    For more information on creating such a policy, see Configuring an Identity Injection Policy in the NetIQ Access Manager Appliance 4.2 Administration Guide.

Configuring Protected Resources

You need to create three protected resources, one for HTML content, one for WebDAV content, and a public:

  1. Create a protected resource for HTML content:

    1. In the Protected Resource List, click New, specify Basic auth with redirection for the name, then click OK.

    2. (Optional) Specify a description for the protected resource. You can use it to briefly describe the purpose for protecting this resource.

    3. Specify a value for Authentication Procedure. For example, select the Secure Name/Password - Form contract.

    4. Click the Edit icon.

    5. In the dialog box that is displayed, fill in the following fields.

      Contract: Select the Secure Name/Password - Form contract, which is same contract that you selected for the HTML content protected resource.

      Non-Redirected Login: Select this option.

      Realm: Specify a name that you want to use for the Vibe server. This name does not correspond to a Vibe configuration option. It appears when the user is prompted for credentials.

      Redirect to Identity Server When No Authentication Header is Provided: Select this option.

    6. Click OK twice.

  2. Create a public protected resource for web Services:

    1. In the Protected Resource List, click New, specify public for the name, then click OK.

    2. (Optional) Specify a description for the protected resource. You can use it to briefly describe the purpose for protecting this resource.

    3. For the Authentication Procedure, select None.

    4. Click OK.

    5. In the URL Path List, remove the /* path and add the following paths:

      /ssf/atom/*
      /ssf/ical/*
      /ssf/ws/*
      /ssf/rss/* - enables non-redirected login for RSS reader connections.
      /ssf/s/readFile/share/*
      /ssr/* 
      /rest/*
      /ssf/applets/fileopen/* - enables Edit this file functionality
      /downloads/* - enables Client Downloads page
      /dave/*

      The /ssf/rss/* path enables non-redirected login for RSS reader connections. Vibe provides authentication for all of the paths listed above.

    6. Click OK.

  3. Create a protected resource for WebDAV content:

    1. In the Protected Resource List, click New, specify Basic auth without redirection for the name, then click OK.

    2. (Optional) Specify a description for the protected resource. You can use it to briefly describe the purpose for protecting this resource.

    3. Specify a value for Authentication Procedure. For example, select the Secure Name/Password - Basic contract.

    4. Click the Edit icon.

    5. In the dialog box that is displayed, fill in the following fields.

      Contract: Select the Secure Name/Password - Form contract, which is same contract that you selected for the HTML content protected resource.

      Non-Redirected Login: Select this option.

      Realm: Specify a name that you want to use for the Vibe server. This name does not correspond to a Vibe configuration option. It appears when the user is prompted for credentials.

      Redirect to Identity Server When No Authentication Header is Provided: Do not select this option.

    6. In the URL Path List, remove the /* path and add the following path:

      /dav/*
      /davs/*
    7. Click OK twice.

  4. Assign the X-Forward-Proto Header policy to all three protected resources that you created:

    1. Click Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Protected Resources.

    2. For each Vibe protected resource, click the Identity Injection link, select the x-forward policy that you created, click Enable, then click OK.

    3. Click OK.

  5. Assign the Identity Injection policy to two of the protected resources that you created, specifically Basic auth with redirection and Basic auth without redirection. Do not assign this policy to the public protected resource.

    1. Click Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Protected Resources.

    2. For each Vibe protected resource, click the Identity Injection link, select the ldap_auth policy that you created, click Enable, then click OK.

    3. Click OK.

  6. To save the configuration changes, click Devices > Access Gateways, then click Update.

  7. In the Protected Resource List, ensure that the protected resources you created are enabled.

  8. To apply your changes, click Devices > Access Gateways, then click Update.

  9. Continue with Disabling a Rewriter Profile.

Disabling a Rewriter Profile

In the Proxy Service List, ensure that the HTML Rewriter is disabled.

8.1.3 Forwarding Cache Control Headers

The recommended configuration for Vibe is to configure Access Manager to forward cache control headers to the browser. For information on how to forward cache control headers to the browser, see Controlling Browser Caching in the NetIQ Access Manager Appliance 4.2 Administration Guide.