How to configure Novell Access Manager to proxy Novell GroupWise WebAccess 2012

  • 7010088
  • 01-Feb-2012
  • 27-Apr-2012

Environment

Novell Access Manager 3.1 Linux Access Gateway
Novell GroupWise 2012

Situation

There are different ways to accomplish this task, all depending on your current NAM configuration and needs. You first need to decide if you are using a domain based proxy service or a path based proxy service. You then need to decide if you want to use Identity Injection (basic authorization) or form fill.

Resolution

The following are basic instructions for configuring a domain-based proxy service, along with what to configure for Identity Injection or Form Fill. The same concepts apply to path-based multi-home configurations:

1. Create the new protected resource for WebAccess. (For more details on how to configure a protected resource, refer to the documentation: https://www.novell.com/documentation/novellaccessmanager31/accessgatewayhelp/data/prlist.html)
2. Give the protected resource the path of /gw/*
3. Give the protected resource an authentication procedure of Secure Name/Password-Form
4. Decide whether you are going to use Identity Injection or Form Fill, then create the desired policy and enable it:
    Identity Injection:
        1. On the Identity Injection tab click on manage policies to open a separate window and create the policy.
        2. Click new > Access Gateway: Identity Injection (also give the policy a name)
        3. Under Actions select New > Inject into Authorization Header
        4. For User Name: Select Credential Profile (LDAP Credentials:LDAP User Name will come up by default)
        5. For Password: Also Select Credential Profile (on this one you will have to manually select LDAP Credentials > LDAP Password)
        6. Click OK > OK > then Apply Changes > Close.
        7. The Identity Injection policy will now show up in the policy list in the protected resource list. Select it, and choose Enable.
        8. OK out of all screens and update the Access Gateway Configuration.

You will then need to enable basic authorization on the WebAccess Server:
       
On the WebAccess server, open the webacc.cfg file in a text editor.

Search to find the following line:

#Cookie.domain=.novell.com

Remove the pound sign (#) to activate the setting.

Replace .novell.com with the part of your organization’s Internet domain name that is common between NAM and the Web server where the WebAccess Application is installed.

For example, if the LAG is at lag.novell.com and the WebAccess Application is at webacc.novell.com, the domain name used to create cookies would be .novell.com, so that the cookies are accepted by both servers.

Next, find #Security.Authenticate.header=

Remove the pound sign (#) to activate the setting.

Add the IP address of your LAG after the =

*optional but preferred*
If you want to enable simultaneous logout (logs out of WebAccess and NAM simultaneously):

Search for #Security.Logout.Url

Remove the pound sign (#) to activate the setting (either the IP or the DNS name form).

Change the IP or DNS name to match your LAG IP or published DNS name and add =/AGLogout after it.
Example: Security.Logout.Url.192.168.1.102=/AGLogout or Security.Logout.Url.mail.test.com=/AGLogout

Save the webacc.cfg file.

Restart Tomcat to immediately enable the changes, or wait 10 min for the refresh routine to put changes into place (no service disruption).

OES 2 and SLES 10:

rcnovell-tomcat5 stop
rcnovell-tomcat5 start

OES 11 and SLES 11:

rcnovell-tomcat6 stop
rcnovell-tomcat6 start

Windows:

At the Windows server, click Start > Administrative Tools > Services.
Right-click Tomcat 6, then click Restart.

    Form Fill:
        1. On the Form Fill Tab click on manage policies to open a separate window and create the policy.
        2. Click new > Access Gateway: Form Fill (also give the policy a name)
        3. Enter the following for Page Matching Criteria: <TITLE>Novell GroupWise</TITLE>
        4. Enter the following for Form Name: loginForm
        5. Fill options are as follows:
              a. User.id > Text > Credential Profile : LDAP Credentials:LDAP User Name
              b. User.password > Password > Credential Profile : LDAP Credentials:LDAP Password
        6. Check Auto Submit
        7. Enter a URL for Error Handling if desired.
        8. Click OK > OK > then Apply Changes > Close.
        9. The Form Fill policy will now show up in the policy list in the protected resource list. Select it, and choose Enable.
        10. Click OK > OK.
        11. Click on HTML Rewriting for the protected resource.
        12. Create a new Character Rewriter profile and add the following as Additional Strings to Replace:
              String to Search for is: name="submit"
              Replace with: name="Submit"
        13. Click OK > move the Character profile to the top of the list, OK out and update the Access Gateway configuration.
 
When using a Form Fill policy, the logout link in WebAccess will just loop you back into WebAccess. To avoid this, enable simultaneous logout (logs out of WebAccess and NAM simultaneously).

On the WebAccess server, open the webacc.cfg file in a text editor.

Search for #Logout.url=https://www.novell.com

Remove the pound sign (#) to activate the setting.

Change to Logout.url=/AGLogout

Save the webacc.cfg file.

Restart Tomcat to immediately enable the change, or wait 10 min for the refresh routine to put changes into place (no service disruption).
 
OES 2 and SLES 10:

rcnovell-tomcat5 stop
rcnovell-tomcat5 start

OES 11 and SLES 11:

rcnovell-tomcat6 stop
rcnovell-tomcat6 start

Windows:

At the Windows server, click Start > Administrative Tools > Services.
Right-click Tomcat 6, then click Restart.
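
To confirm the webacc.cfg edits described in both the Identity Injection and Form Fill procedures before restarting Tomcat, the following audit script can be run against the file. It is an added example, not Novell code; the function names are hypothetical and the sample file is constructed from the example values in this article (192.168.1.102, lag.novell.com).

```shell
#!/bin/sh
# Added example (not Novell's code): audit webacc.cfg for the settings above.

# cfg_value FILE KEY: print the value of an active (uncommented) KEY= line.
cfg_value() {
    awk -v k="$2=" '{ sub(/\r$/, ""); sub(/^[ \t]+/, "") }
        index($0, k) == 1 { print substr($0, length(k) + 1); exit }' "$1"
}

# check_webacc FILE MODE LAG_IP LAG_DNS; MODE is "inject" or "formfill".
# Returns 0 when the required settings are active, 1 otherwise.
check_webacc() {
    cfg=$1; mode=$2; lag_ip=$3; lag_dns=$4; rc=0
    case $mode in
    inject)
        dom=$(cfg_value "$cfg" Cookie.domain)
        case $dom in
            .?*) case $lag_dns in
                     *"$dom") ;;
                     *) echo "FAIL: $lag_dns is outside Cookie.domain $dom"; rc=1 ;;
                 esac ;;
            *) echo "FAIL: Cookie.domain is commented out or lacks the leading dot"; rc=1 ;;
        esac
        hdr=$(cfg_value "$cfg" Security.Authenticate.header)
        [ "$hdr" = "$lag_ip" ] ||
            { echo "FAIL: Security.Authenticate.header is '$hdr', expected $lag_ip"; rc=1; }
        # Simultaneous logout is optional in the article: warn only.
        [ "$(cfg_value "$cfg" "Security.Logout.Url.$lag_ip")" = /AGLogout ] ||
        [ "$(cfg_value "$cfg" "Security.Logout.Url.$lag_dns")" = /AGLogout ] ||
            echo "WARN: no Security.Logout.Url.<LAG>=/AGLogout entry"
        ;;
    formfill)
        [ "$(cfg_value "$cfg" Logout.url)" = /AGLogout ] ||
            { echo "FAIL: Logout.url is not /AGLogout"; rc=1; }
        ;;
    *) echo "usage: check_webacc FILE inject|formfill LAG_IP LAG_DNS"; rc=2 ;;
    esac
    return $rc
}

# Constructed sample, not a real webacc.cfg: Cookie.domain is still commented.
sample=$(mktemp)
printf '%s\n' '#Cookie.domain=.novell.com' \
    'Security.Authenticate.header=192.168.1.102' \
    'Security.Logout.Url.192.168.1.102=/AGLogout' > "$sample"
check_webacc "$sample" inject 192.168.1.102 lag.novell.com || echo "audit failed"
rm -f "$sample"
```

The check only reads the file, so it is safe to run on the live WebAccess server before and after editing.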