Configuring iChain to accelerate Novell Teaming and Conferencing

  • 7002139
  • 09-Dec-2008
  • 13-Jan-2014

Environment

Novell iChain 2.3 Support Pack 5
Teaming and Conferencing v1.03

Resolution


Integrating Novell Teaming and Conferencing with iChain 2.3



Introduction:


Novell recently released its Teaming and Conferencing product, which includes team workspace and real-time collaboration solutions. These solutions help boost end-user and team productivity and reduce overall customer costs by improving the everyday business processes people engage in to create, share, discuss and manage information.


Novell iChain is an integrated security solution that offers web single sign-on and remote authentication services, including secure authentication and access to portals, and Web-based content.


The following document describes how iChain 2.3 can be used to front-end a Teaming and Conferencing solution so that users authenticating to iChain get single sign-on to the Teaming and Conferencing resources.


The following tests were performed with iChain 2.3 Support Pack 5 Interim Release 5 and Teaming and Conferencing Server 1.03. Many issues existed with versions of both products prior to the above and it is strongly recommended that administrators upgrade to the above versions at a minimum.


Configuration:


There are a few approaches available when designing a solution. We will describe the two main iChain configuration options, both of which have been verified with Teaming & Conferencing. Each configuration has advantages and disadvantages, and these must be considered before beginning the implementation.


Important Notes


  • The Teaming login form is not compatible with Form Fill – OLAC must be used to pass the credentials to Teaming in an HTTP header

  • Teaming and Conferencing through a path-based multi-home accelerator is not supported.




Configuration 1 (Single Accelerator Mode)



Advantages:


  • Uses a single accelerator

  • Teaming and webDAV content are configured as restricted resources and thus can be controlled with proxy authentication and policy


Disadvantage:


  • Users see a Basic-style login prompt for proxy login for both Teaming and webDAV content


Configuration details:


-Accelerator type: domain-based multi-home

-Authentication Profile: options "Allow authentication through http header" and "Use basic/proxy authentication" are both enabled

-Alternate Host Name: enabled (internal web server name is different than published dns name)

-SSL enabled on Public side (port 443), non-ssl on private (port 8080)

-OLAC is used to populate custom header "x-Authorization:" with username (uid) for single-sign-on to Teaming

-OLAC is also sending uid:pwd in the standard Authorization header for single-sign-on to WebDAV

-Protected Resource path: /* (Type Restricted)

-Simultaneous Logout: enabled (in installer.xml) and working




Configuration 2 (Multiple Accelerator Mode)



Advantages:


  • Both Teaming and webDAV content are configured as restricted resources, with Form type login for Teaming and Basic type login for webDAV


Disadvantage:


  • Uses two separate accelerators, so two IP addresses are required



Setup Detail:


This configuration requires T+C 1.0.3 (available from https://dl.netiq.com) which provides the ability to specify a unique DNS name for the webDAV server. Also, because iChain authentication profiles are shared between a parent and all child accelerators, the two accelerators used in this configuration must not fall within the same shared authentication profile (in this example, two Master type accelerators are used).


Accelerator 1 (for Teaming content)


-Accelerator type: non-multi-home

-Authentication Profile: Form type login

-Alternate Host Name: enabled

-SSL enabled on Public side (port 443), non-ssl on private (port 8080)

-OLAC is used to populate custom header "x-Authorization:" with username (uid) for single-sign-on to Teaming

-Protected Resource path: /* (Type Restricted)

-Simultaneous Logout: enabled (in installer.xml) and working


Accelerator 2 (for webDAV)


-Accelerator type: non-multi-home

-Authentication Profile: Basic type, options "Allow authentication through http header" and "Use basic/proxy authentication" are both enabled

-Alternate Host Name: enabled, and matches the webdav url configured in T+C

-SSL enabled on Public side (port 443), non-ssl on private (port 8080)

-OLAC is used to populate the standard Authorization: header with username:password for single-sign-on to webDAV

-Protected Resource path: /ssfs/* (Type Restricted)
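A practical way to confirm that OLAC is populating the headers described for both configurations (x-Authorization with the uid for Teaming, a Basic Authorization header with uid:pwd for webDAV) is to point the accelerator temporarily at a header-echo server on the private-side port 8080 instead of the real back end. The following is an added Python example, not part of this TID or of the Novell products; the header names match the configuration above, and the uid and password values in the test are constructed.

```python
import base64
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

def basic_credentials(uid, pwd):
    """Build the Basic Authorization value OLAC sends for webDAV (uid:pwd, base64)."""
    return "Basic " + base64.b64encode(f"{uid}:{pwd}".encode("utf-8")).decode("ascii")

def parse_sso_headers(headers):
    """Report which iChain SSO headers a request carries and whether they are well-formed.
    Header names are matched case-insensitively (HTTP headers are), so the
    "x-Authorization" spelling from the accelerator config need not be preserved."""
    lower = {k.lower(): v for k, v in headers.items()}
    report = {"teaming_uid": None, "webdav_user": None, "webdav_password_present": False, "errors": []}
    # Custom header OLAC populates with the uid for Teaming single sign-on.
    uid = lower.get("x-authorization")
    if uid is not None:
        report["teaming_uid"] = uid.strip() or None
    # Standard header OLAC populates with uid:pwd for webDAV single sign-on.
    auth = lower.get("authorization")
    if auth is not None:
        scheme, _, token = auth.strip().partition(" ")
        if scheme.lower() != "basic":
            report["errors"].append("Authorization scheme is not Basic")
        else:
            try:  # binascii.Error and UnicodeDecodeError are both ValueError subclasses
                creds = base64.b64decode(token.strip(), validate=True).decode("utf-8")
                user, sep, pwd = creds.partition(":")
                if not sep:
                    raise ValueError("missing ':' between uid and password")
                report["webdav_user"], report["webdav_password_present"] = user, bool(pwd)
            except ValueError as exc:
                report["errors"].append(f"Authorization value is malformed: {exc}")
    return report

class EchoHandler(BaseHTTPRequestHandler):
    """Stand-in for the private-side (port 8080) server: answers with the header report."""
    def do_GET(self):
        body = json.dumps(parse_sso_headers(dict(self.headers)), indent=2).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    do_PROPFIND = do_GET  # webDAV clients probe with PROPFIND
    def log_message(self, *args):  # keep the console quiet
        pass

if __name__ == "__main__":
    HTTPServer(("", 8080), EchoHandler).serve_forever()
```

With the echo server in place of Teaming on port 8080, a browser request through the accelerator returns the JSON report; an empty "errors" list together with the expected uid values confirms the OLAC header configuration for that accelerator.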