Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Novell Trademarks
For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html).
Third-Party Materials
All third-party trademarks are the property of their respective owners.
About This Guide
This guide describes the following features of Novell Access Manager policies:
Chapter 1, “Managing Policies,” on page 11
Chapter 2, “Creating Role Policies,” on page 23
Chapter 3, “Creating Authorization Policies,” on page 65
Chapter 4, “Creating Identity Injection Policies,” on page 115
Chapter 5, “Creating Form Fill Policies,”...
Novell Access Manager 3.1 SP2 SSL VPN Server Guide
Novell Access Manager 3.1 SP2 J2EE Agent Guide
Documentation Conventions
In Novell documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.
Novell Access Manager 3.1 SP2 Policy Guide
Managing Policies
Policies are logical and testable rules that you use to maintain order, security, and consistency within your Access Manager infrastructure. You can specify activation criteria, deactivation criteria, temporal constraints (such as time of day or subnet), identity constraints (such as user object attribute values), and additional separation-of-duty constraints.
For more information, see “Configuring the Attributes Sent with Authentication” in the Novell Access Manager 3.1 SP2 Identity Server Guide. As you design your policies, experiment and find the type that works best for your network and your customers.
“Sorting Policies” on page 13
“Deleting Policies” on page 13
“Renaming or Copying a Policy” on page 13
“Importing and Exporting Policies” on page 14
“Creating the SSL VPN Default Policy” on page 14
“Refreshing Policy Assignments” on page 14
“Viewing Policy Information”...
Specifies whether the policy uses any extensions. If none has been used, this column has no value. Description: Displays a description of the policy. If no description has been specified, this column has no value.
1.4 Managing Policy Containers You use policy containers to store and organize policies, similar to how you organize files in folders. The Master_Container is a permanent policy container, but you can use the Containers tab to create new containers. A policy container can hold up to 500 policies. When you reach that limit, you must create another container to add, copy, or import policies.
Result on Condition Error field in a rule is set incorrectly, the user matches the last rule and is denied access. Without this rule, a user might gain access because the user didn’t match any of the rules.
This data could then be used to determine access rights to Access Manager resources. For information on how to create a policy extension, see the Novell Access Manager Developer Kit (http://developer.novell.com/wiki/index.php/Novell_Access_Manager_Developer_Tools_and_Examples). After a policy extension has been created, you need to perform the following tasks to use the extension: Section 1.6.1, “Installing the Extension on the Administration Console,”...
6 To create an extension configuration, click New, then fill in the following fields: Name: Specify a display name for the extension. Description: (Optional) Specify the purpose of the extension and how it should be used.
Policy Type: From the drop-down list, select the type of extension you have uploaded. Type: From the drop-down list, select the data type of the extension. Class Name: Specify the name of the class that creates the extension, such as com.acme.policy.action.successActionFactory.
For an Authorization policy, assign it to a protected resource. For more information, see “Assigning an Authorization Policy to a Protected Resource” in Novell Access Manager 3.1 SP2 Access Gateway Guide. For an Identity Injection policy, assign it to a protected resource. For more information, see “Assigning an Identity Injection Policy to a Protected...
Access Gateway Embedded Service Providers, so that the Embedded Service Providers read the logging options. See “Configuring Component Logging” in the Novell Access Manager 3.1 SP2 Identity Server Guide. When you have solved the problem, you should disable these options.
For example, if you have an Access Gateway: Authorization error, look at the log on the Access Gateway that executed the policy. For additional policy troubleshooting procedures, see Chapter 6, “Troubleshooting Access Manager Policies,” on page 161.
Creating Role Policies
This section describes the following topics for Identity Server roles.
Section 2.1, “Understanding RBAC in Access Manager,” on page 23
Section 2.2, “Creating Roles,” on page 27
Section 2.3, “Example Role Policies,” on page 47
Section 2.4, “Creating Access Manager Roles in an Existing Role-Based Policy System,” on page 52
Section 2.5, “Mapping Roles between Trusted Providers,”...
Logging page in the Identity Server configuration when you enable the Login Provided or Login Consumed options. 2.1.2 Using a Role to Create an Authentication Policy The simplest implementation of RBAC policies is to include roles as evaluated conditions when creating Authorization policies.
Suppose you belong to a company of 300 employees, and ten of them are managers. You can assign all employees to an Employee role, and make it a condition of an Authorization policy with no restrictions. Such a policy would permit access to Web resources intended for all employees, as shown in the following example:
Figure 2-4 Employee Authorization Policy...
Figure 2-6 Authorization Policy with Multiple Rules
In this example, you specify a first-priority rule with a condition that allows access if a user has been assigned to the role of Sales Representative. You add rules for users assigned to the role of Sales Manager, Sales Vice President, and so on.
Data Extension. For more information, see the documentation that came with the extension. 6 (Conditional) To add multiple conditions, repeat Step . For more information on using multiple conditions in a rule, see Section 2.2.2, “Using Multiple Conditions,” on page
7 In the Actions section, select one of the following: Activate Role: Select this option to specify a name for the role. If you are creating a role that needs to be injected into an HTTP header, use the capitalization format that the Web server expects.
See “Configuring SAML and Liberty Trusted Providers” in the Novell Access Manager 3.1 SP2 Identity Server Guide. The most common way to use this condition is when you have a service provider that has been configured to trust two identity providers and you want to assign a role based on which identity provider authenticated the user.
Dot All Multi-Line Unicode Unix Lines For regular expression syntax information, see the Javadoc for java.util.regex.Pattern. Value: Specify the value you want to compare with the Authenticating IDP value. If you select a static value for the Authenticating IDP value, select Authenticating IDP and Current. If you select Current for the Authenticating IDP value, select Authenticating IDP, then select the name of an identity provider.
Insensitive. Comparison: Regular Expression: Matches: Select one or more of the following: Canonical Equivalence Case Insensitive Comments Dot All Multi-Line Unicode Unix Lines For regular expression syntax information, see the Javadoc for java.util.regex.Pattern.
Value: Specify the value you want to compare with the Authentication Contract value. If you select a static value for the Authentication Contract value, select Authentication Contract and Current. If you select Current for the Authentication Contract value, select Authentication Contract, then select the name of a contract.
Contains Substring: Indicates that the Authentication Type value must contain the letters, in the same sequence, as specified in the Value field. Comparison: Regular Expression: Matches: Specifies that you want the values compared as regular expressions.
Mode: Select the mode appropriate for the comparison type: Comparison: String: Specify whether case is important by selecting Case Sensitive or Case Insensitive. Comparison: Regular Expression: Matches: Select one or more of the following: Canonical Equivalence Case Insensitive Comments Dot All Multi-Line Unicode Unix Lines...
Liberty User Profile: If you have a Liberty User Profile attribute that corresponds to the Credential Profile you have specified, select this option and the attribute.
for example, o=novell, ou=sales. If the comparison type is set to Contains Substring, you can match a group of certificates by specifying a name that is part of the Subject Name, for example ou=sales. Other values are possible.
OU or a child container (Subtree). Comparison: Regular Expression: Matches: Select one or more of the following: Canonical Equivalence Case Insensitive Comments Dot All Multi-Line Unicode
For more information about the <strFilter> parameter, see RFC 2254 “LDAP Search Filter.” If you select Data Entry Field, you can specify the DN of the OU in the text field. For example:
cn=users,dc=bcf2,dc=provo,dc=novell,dc=com
ou=users,o=novell
If you have defined a Liberty User Profile or an LDAP attribute for the OU you want to match, select this option, then select your attribute.
LDAP. To select this attribute for comparison, click Entire Personal Identity > Entire Common Name > Common Analyzed Name > Common Last Name. Comparison: Select the comparison type that matches the data type of the selected attribute and the value.
For information about enabling All Roles, see “Selecting Attributes for a Trusted Provider” in the Novell Access Manager 3.1 SP2 Identity Server Guide. For an example of how to use Roles from Identity Provider to create a Role policy, see Section 2.5,...
Contains Substring: Indicates that the User Store value must contain the letters, in the same sequence, as specified in the Value field. Comparison: Regular Expression: Matches: Specifies that you want the values compared as regular expressions.
Value: Specify the value you want to compare with the User Store value. If you select a static value for the User Store value, select User Store and Current. If you select Current for the User Store value, select User Store, then select the name of a user store. If you have created more than one Identity Server configuration, select the configuration, then select the user store.
To add another condition to a condition group, click New, then select a condition. To copy an existing condition, click the Copy Condition icon. New conditions are always added to the end of the condition group. Use the Move buttons to order the conditions in the condition group.
Adding New Condition Groups To add another condition group to the rule, click Append New Group. To copy the existing condition group, click the Copy Group icon. New condition groups are always added to the end of the Conditions section. Use the Move buttons to order the condition groups.
If you want to use this longer query, you need to create a policy extension. For a sample extension that does this, see Novell Access Manager Developer Tools and Examples (http://developer.novell.com/wiki/index.php/Novell_Access_Manager_Developer_Tools_and_Examples).
If the source contains multiple values, select the format that is used to separate the values. If the value is a distinguished name, select the format of the DN. Figure 2-9 shows how to assign an LDAP Group, cn=DocGroup,o=novell, as a role.
Figure 2-9 Activating a Role from an External Source
To use the same conditions to activate multiple roles from different sources, select Activate Selected Role for each role you want to activate.
If this role needs to match the name of a role required by a Java or Web application, ensure that the case of the name matches the application’s name. 9 On the Rule List page, click OK. 10 On the Policies page, click Apply Changes, then click Close.
11 On the Role Policy page, select the Employee role, then click Enable. 12 Click OK, then update the Identity Server. The Identity Server configuration must be updated after you enable a role. 13 To create a Manager role, continue with “Creating a Manager Role”...
Manager if the condition evaluates to True. If an error occurs, you do not want random users assigned the role of Manager. Therefore, for this rule, you need to select False. 7 In the Actions section, click Activate Role.
8 In the Activate Role box, type Manager, then click OK twice. 9 On the Policies page, click Apply Changes. 10 Click Close, select the Manager role, then click Enable. 11 Click OK, then update the Identity Server.
2.3.3 Creating a Rule for a Contract with ORed Credentials
A contract with ORed credentials allows the user to decide which credentials to use for authenticating.
Web resources. If your role definitions use the following types of LDAP features, you can create Access Manager Role policies that use them: Values found in LDAP attributes Location of the user objects in the directory tree Membership in groups or roles
The Access Manager Role policies that you create for these features can then be used to control access to protected Web resources. You can manually assign the roles by creating role policies with conditions or you can activate roles based on the values in the external source. Section 2.4.1, “Activating Roles from External Sources,”...
XMLDoc),Policy=(LDAP_Group),Rule=(1::RuleID_1223587171711),Action=(AddSelectedRole::ActionID_1223588319336)~~~~Success(0) </amLogEntry>
<amLogEntry> 2009-10-09T21:58:55Z INFO NIDS Application: AM#500105013: AMDEVICEID#CA50FD51DB1EEE3E: AMAUTHID#213E610199A14CEAF27395A6B35F3162: Authenticated user cn=jwilson,o=novell in User Store Internal with roles "cn=Doc,o=novell","authenticated". </amLogEntry>
The first <amLogEntry> entry indicates that the action in the LDAP_Group policy was successfully assigned. The second entry gives the DN of the user and lists the roles assigned to the user: cn=Doc,o=novell and authenticated.
You can now use the cn=Doc,o=novell role when creating Authorization and Identity Injection policies, which control access to protected Web resources. Roles activated this way do not appear in the list of available roles. You need to use the Data Entry Field to manually type in the role name.
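Because roles activated from an external source do not appear in the Administration Console's role list, the Identity Server log is the place to confirm who actually received them. The following parser for the "Authenticated user ... with roles ..." entries shown above is an added example, not part of the Novell guide; the first log entry is the guide's sample, the second entry and the AMAUTHID value in it are constructed.

```python
# Added example, not from the Novell guide: parse Identity Server
# "Authenticated user ... with roles ..." entries and report which users
# were assigned a given role (for example one activated from an LDAP group).
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: first entry copied from the guide, second entry invented.
SAMPLE_LOG = """
<amLogEntry> 2009-10-09T21:58:55Z INFO NIDS Application: AM#500105013: AMDEVICEID#CA50FD51DB1EEE3E: AMAUTHID#213E610199A14CEAF27395A6B35F3162: Authenticated user cn=jwilson,o=novell in User Store Internal with roles "cn=Doc,o=novell","authenticated". </amLogEntry>
<amLogEntry> 2009-10-09T22:01:12Z INFO NIDS Application: AM#500105013: AMDEVICEID#CA50FD51DB1EEE3E: AMAUTHID#CONSTRUCTED00000000000000000000: Authenticated user cn=bsmith,o=novell in User Store Internal with roles "authenticated". </amLogEntry>
"""

# One entry per <amLogEntry> element; [^<] keeps the match inside one element.
ENTRY_RE = re.compile(
    r"<amLogEntry>\s*(?P<ts>\S+)\s+[^<]*?Authenticated user (?P<dn>.+?) in User Store "
    r"(?P<store>\S+) with roles (?P<roles>.*?)\.\s*</amLogEntry>"
)


@dataclass
class AuthEntry:
    timestamp: str
    user_dn: str
    user_store: str
    roles: List[str]


def parse_auth_entries(log_text: str) -> List[AuthEntry]:
    """Extract every successful-authentication entry together with its role list."""
    entries = []
    for m in ENTRY_RE.finditer(log_text):
        # Roles are written as a comma-separated list of double-quoted names.
        roles = re.findall(r'"([^"]*)"', m.group("roles"))
        entries.append(AuthEntry(m.group("ts"), m.group("dn"), m.group("store"), roles))
    return entries


def users_with_role(log_text: str, role: str) -> List[str]:
    """DNs of the users who were assigned the given role, in log order."""
    return [e.user_dn for e in parse_auth_entries(log_text) if role in e.roles]
```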
If you have created your users in specific containers in your LDAP tree, you can use these container objects to assign users to roles. For example, suppose your LDAP tree looks similar to the following tree.
Figure 2-13 Using an eDirectory Tree for Access Control (eDirectory tree: o=Novell containing ou=Sales, ou=HR, and ou=Dev, each holding user objects)
Such a tree organization can be used to control access to resources. The following instructions explain how to create a Role policy for the users created under the Sales container.
LDAP OU value, the user matches the condition. For example, if the DN of the user is cn=bsmith,ou=sales,o=novell and the LDAP OU value is ou=sales,o=novell, the user matches the condition. If you selected Subtree for the Mode, a user with the following DN also matches the condition: cn=djones,ou=provo,ou=sales,o=novell.
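The distinction between the OU and Subtree modes is easy to get wrong if the comparison is done as a plain string suffix (ou=presales,o=novell would then satisfy a condition for ou=sales,o=novell). The following model of the comparison is an added example, not code from the Novell guide or product; it compares DNs RDN by RDN and uses the guide's sample DNs as test input.

```python
# Added example, not from the Novell guide: a model of how the LDAP OU
# condition's OU and Subtree modes compare a user DN against the configured
# container DN. The comparison is made RDN by RDN, not as a raw string
# suffix, so ou=presales cannot satisfy a condition written for ou=sales.
from typing import List


def parse_dn(dn: str) -> List[str]:
    """Split a DN into normalised RDNs (lower-cased, whitespace trimmed).

    A backslash-escaped comma inside a value (cn=Smith\\, John) stays part
    of that value instead of being treated as an RDN separator.
    """
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    normalised = []
    for rdn in rdns:
        attr, _, value = rdn.strip().partition("=")
        normalised.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return normalised


def ou_condition_matches(user_dn: str, ou_dn: str, mode: str) -> bool:
    """Return True when user_dn lies under ou_dn according to the mode.

    mode "OU":      the user object must be a direct child of the container.
    mode "Subtree": the user object may be anywhere below the container.
    """
    if mode not in ("OU", "Subtree"):
        raise ValueError(f"unknown mode: {mode}")
    user = parse_dn(user_dn)
    container = parse_dn(ou_dn)
    depth = len(user) - len(container)
    if depth < 1:
        return False  # equal to or shorter than the container: not below it
    if user[depth:] != container:
        return False  # the trailing RDNs must be exactly the container DN
    return depth == 1 if mode == "OU" else True
```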
7 Click OK twice, then click Apply Changes. 8 To enable the role so that it can be used in Authorization and Identity Injection policies, click Devices > Identity Servers > Edit > Roles. 9 Select the check box next to the name of the role, then click Enable. 10 Click OK.
6 In the Actions section, click Activate Role. 7 In the Activate Role box, type ManagersGroup, then click OK. The name you enter in the box is the role you want assigned to the users who match the condition.
Your rule should look similar to the following: 8 Click OK twice, then click Apply Changes. 9 To enable the role so that it can be used in Authorization and Identity Injection policies, click Devices > Identity Servers > Servers > Edit > Roles. 10 Select the check box next to the name of the role, then click Enable.
Activate Role: xyz_user In this example, employees authenticate to identity providers novell.com (Liberty) or xyz.com (SAML 2.0). Each user is assigned to a role, such as N_EmployeeRole or XYZ_Empl. Attribute sets at each of the identity providers are configured to exchange the All Roles attribute with the trusted service provider, DigitalAirlines.com.
2.5.2 Procedure The following procedure describes how the service provider configures this type of role policy for novell.com, mapping the N_Employee role to an Access Manager role: 1 In the Administration Console, click Policies > Policies. 2 Click New, then specify a name for the Role policy.
1 In the Administration Console, click Policies > Policies. 2 Click Import, then browse to and select the file. 3 Click OK. 4 When the policy appears in the list, click Apply Changes.
Creating Authorization Policies Authorization policies are used when you want to protect a resource based on criteria other than authentication, and you want Access Manager to enforce the access restrictions. Authorization policies are enforced when a user requests data from a resource. The Access Manager supports three types of Authorization policies: Access Gateway Authorization policies for protecting resources of the Access Gateway...
If an error occurs, you want the policy to assume that the user is not a manager, so he or she matches the condition and the Deny action is applied.
3.1.2 Configuring the Result on Condition Error Option The Result on Condition Error option allows you to specify what the condition returns when the comparison of the two values returns an error rather than the results of the comparison. Select either False or True.
Disabling or Moving Conditions and Condition Groups Condition groups and conditions within them can be disabled by clicking the Enabled check mark, which changes the icon to the Disabled icon.
You usually disable a condition or condition group when testing a new rule, and if you decide that the condition or condition group is not needed, you can then use the Delete button to delete the condition or condition group from the rule. Use the Move buttons next to the Delete button to move a condition up or down within its group.
Deny rule is only processed if the user does not match one of the allow rules, and because all users match a rule with no conditions, the user is denied access to the resource.
The first rule in such a policy for the sales application would look similar to the following.
Figure 3-3 Rule 1 Granting Access
The conditions in Rule 1 are ANDed, which requires the user to match both conditions before they are granted access to the resource.
When a user doesn’t match the condition, the Action is not applied and the next rule in the policy is evaluated. For example, suppose the URL condition is set to compare the following value: http://sales.provo.novell.com/meetings/?
If the URL in the request is http://sales.provo.novell.com/meetings/january, the user does not match the condition, because the ? applies only to the files in the meetings directory and not to its subdirectories. The Action is not applied, and the next rule or policy is evaluated.
If the value from the first request to the second request changes from no to yes, the user gets access to the resource. If the value from the first request to the second request changes from yes to no, the user is denied access to the resource.
For information on how to assign the policy to a resource, see the following: For an Access Gateway policy, see “Assigning an Authorization Policy to a Protected Resource” in the Novell Access Manager 3.1 SP2 Access Gateway Guide. For a Web Authorization policy, see “Assigning a Web Authorization Policy to the Resource”...
X-Forwarded-For IP: Allows you to control access based on the value in the X-Forwarded-For IP header of the HTTP request. For configuration information, see Section 3.6.19, “X-Forward-For IP Condition,” on page 111.
10 To add another rule, click New or to save the policy, click OK, then click Apply Changes. 11 Assign the policy to a protected resource (see “Assigning an Authorization Policy to a Protected Resource” in the Novell Access Manager 3.1 SP2 Access Gateway Guide).
Authorization as the type, then click OK. 2 For Condition Group 1, click New, then select Credential Profile. 3 Fill in the following fields: LDAP Credentials: Select LDAP User DN. If/If Not: Select If Not. Comparison: Select Contains Substring.
5 Assign the policy to the protected Web resources of the sales department (see “Assigning an Authorization Policy to a Protected Resource” in the Novell Access Manager 3.1 SP2 Access Gateway Guide). 6 Repeat these steps for the other two departments, changing the Value field to match the appropriate department.
The Conditions section is left empty so that everyone who does not match the conditions of the Permit rule is denied access to the resource. 10 In the Actions section, select Deny and either accept the default action or select one of the other actions. 11 Click OK twice.
13 Assign the policy to the protected Web resources of the sales department (see “Assigning an Authorization Policy to a Protected Resource” in the Novell Access Manager 3.1 SP2 Access Gateway Guide). 3.3.2 Sample Workflow Policy One of the common workflow problems that an Authorization policy can solve is what to do with users who are denied access to a resource.
This rule grants the user the Master role if the user belongs to the cn=Master,o=novell LDAP group. If the user doesn’t belong to this group or if an error occurs trying to get the data, the user is not assigned the role. This occurs because both the condition and the Result on Condition Error evaluate to False, which prevents the Action from being applied.
Figure 3-9 A Deny Rule with a Redirect URL
With an If Not condition, the condition evaluates to True when the user does not match the condition. With such a rule, you want the Result on Condition Error to also evaluate to True. If there is an error obtaining role information for the user, you don’t want the rule to assume that the user had the Master role.
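The interaction between rule order, If / If Not and Result on Condition Error decides whether a lookup failure fails open or fails closed. The following model of the evaluation is an added example, not code from the Novell guide or product; the condition data, the user contexts and the policy layouts are constructed to reproduce the Master role scenarios described above.

```python
# Added example, not from the Novell guide: a minimal model of how the rules
# of an Authorization policy are evaluated, covering the If / If Not setting,
# the Result on Condition Error option, AND-ing of conditions within a group,
# priority order, and the catch-all rule with no conditions. Data model and
# sample contexts are constructed for illustration.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


class ConditionError(Exception):
    """The data needed for the comparison could not be obtained
    (for example, the lookup of the user's LDAP groups failed)."""


@dataclass
class Condition:
    check: Callable[[Dict], bool]   # the comparison; may raise ConditionError
    if_not: bool = False            # "If Not" inverts a successful comparison
    result_on_error: bool = False   # "Result on Condition Error"

    def evaluate(self, ctx: Dict) -> bool:
        try:
            matched = self.check(ctx)
        except ConditionError:
            # The configured value is returned as the condition's result;
            # If Not is not applied to it.
            return self.result_on_error
        return (not matched) if self.if_not else matched


@dataclass
class Rule:
    groups: List[List[Condition]]   # conditions in a group are ANDed, groups ORed
    action: str                     # e.g. "Permit", "Deny"

    def matches(self, ctx: Dict) -> bool:
        if not self.groups:
            return True             # a rule with no conditions matches every user
        return any(all(c.evaluate(ctx) for c in group) for group in self.groups)


def evaluate_policy(rules: List[Rule], ctx: Dict) -> Optional[str]:
    """Rules are processed in priority order; the first matching rule decides."""
    for rule in rules:
        if rule.matches(ctx):
            return rule.action
    return None


def has_master_role(ctx: Dict) -> bool:
    """Condition check: is the user in cn=Master,o=novell? Raises when the
    constructed context says the directory could not be reached."""
    if ctx.get("ldap_unavailable"):
        raise ConditionError("cannot read group membership")
    return "cn=Master,o=novell" in ctx.get("groups", [])


# Permit rule with an If condition (error -> False), then a catch-all Deny.
PERMIT_MASTER_POLICY = [
    Rule([[Condition(has_master_role, result_on_error=False)]], "Permit"),
    Rule([], "Deny"),
]

# Deny rule with an If Not condition (error -> True), then a catch-all Permit.
DENY_NON_MASTER_POLICY = [
    Rule([[Condition(has_master_role, if_not=True, result_on_error=True)]], "Deny"),
    Rule([], "Permit"),
]

# The misconfiguration the guide warns against: If Not with error -> False,
# so a directory outage lets the request fall through to the catch-all Permit.
DENY_NON_MASTER_MISCONFIGURED = [
    Rule([[Condition(has_master_role, if_not=True, result_on_error=False)]], "Deny"),
    Rule([], "Permit"),
]

# Constructed sample user contexts.
MASTER_USER = {"dn": "cn=jwilson,o=novell", "groups": ["cn=Master,o=novell"]}
OTHER_USER = {"dn": "cn=bsmith,o=novell", "groups": []}
MASTER_USER_LDAP_DOWN = {**MASTER_USER, "ldap_unavailable": True}
```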
Condition,” on page Current Time of Day: Allows you to control access based on the time the request was made. For configuration information, see Section 3.6.7, “Current Time of Day Condition,” on page
7 To save the rule, click OK twice, then click Apply Changes. 8 Assign the policy to a Web resource. See “Assigning a Web Authorization Policy to the Resource” in the Novell Access Manager 3.1 SP2 J2EE Agent Guide. 3.5 Creating Enterprise JavaBean Authorization Policies for J2EE Agents An Enterprise JavaBean (EJB) Authorization policy allows you to protect the entire bean or specific interfaces or methods.
7 To save the rule, click OK, then click Apply Changes. 8 Assign the policy to an EJB resource. See “Assigning an Enterprise JavaBeans Authorization Policy to a Resource” in the Novell Access Manager 3.1 SP2 J2EE Agent Guide.
3.6 Conditions This section describes the possible conditions for an Authorization policy. Some conditions can be set up so that the current values in the request are compared against static values (A to B), or you can compare static values to current values in the request (B to A). Within one policy, you should probably decide which direction to set up the comparisons and remain consistent unless there is a compelling reason to switch the direction for a particular condition.
If you select a contract that is defined on only one of your configurations, be aware that you must change this policy when you change configurations. If you select a contract that is defined in all your configurations, this policy requires no modifications and continues to function when you change configurations.
For example, the following policy has selected Name/Password - Basic as the contract:
Figure 3-11 An Authentication Contract Defined by Multiple Identity Server Configurations
Two Identity Server configurations have been defined (idp-43.amlab.net and idp-51.amlab.net). Both configurations are highlighted because Name/Password - Basic is a contract that is automatically defined for all Identity Server configurations.
Comparison: Regular Expression: Matches: Specifies that you want the values compared as regular expressions. If you select this option, you must also specify a mode. Select one or more of the following: Canonical Equivalence Case Insensitive Comments Dot All Multi-Line Unicode
Unix Lines For regular expression syntax information, see the Javadoc for java.util.regex.Pattern. Value: Select Data Entry Field and specify a value appropriate for your comparison type. Use the Edit button to access a text box where you can enter multiple values, each on a separate line. (For more information, see Section 3.6.23, “Edit Button,”...
Liberty User Profile: If you have a Liberty User Profile attribute that corresponds to the Credential Profile you have specified, select this option and the attribute.
Subject Name of the certificate in the Value text box. Separate the elements with a comma and a space, for example, o=novell, ou=sales. If the comparison type is set to Contains Substring, you can match a group of certificates by specifying a name that is part of their Subject Name, for example ou=sales.
Equals: Allows you to specify a day that the client must match. In Range: Allows you to specify a range of days that the client’s request must fall within, for example, Monday to Friday.
Comparison: Regular Expression: Matches: Specifies that you want the values compared as regular expressions. Be aware that regular expression matching uses the entire date of the server in its matching. Therefore if the value you are matching is M, the M can produce a match for months (March and May) and for time zones (such as MST).
Greater Than: Requires that the current time is greater than the specified value. Greater Than or Equal to: Requires that the current time is greater than or equal to the specified value. Less Than: Requires that the current time is less than the specified value.
Less Than or Equal to: Requires that the current time is less than or equal to the specified value. In Range: Requires that the current time must fall within the specified range, such as 08:00 and 17:00. If you specify this type of comparison, you must also specify a time zone. Select either the Local time zone or GMT (Greenwich Mean Time).
Select either False or True. If you do not want the action applied when an error occurs, select False. If you want the action applied when an error occurs, select True.
3.6.9 LDAP Attribute Condition The LDAP Attribute condition allows you to restrict access based on a value in an LDAP attribute defined for the inetOrgPerson class or any other LDAP attribute you have added. You can have the user’s attribute value retrieved from your LDAP directory and compared to a value of the following type: Roles from an identity provider Date and time and its various elements...
*low* Returns all OUs that have “low” in the name, such as low, yellow, and clowns. For more information about the <strFilter> parameter, see RFC 2254 “LDAP Search Filter.”
If you select Data Entry Field, you can enter the DN of the OU in the text field. For example:
cn=users,dc=bcf2,dc=provo,dc=novell,dc=com
ou=users,o=novell
If you have defined a Liberty User Profile or an LDAP attribute for the OU you want to match, select this option, then select your attribute.
Mode: Select the mode appropriate for the comparison type: Comparison: String: Specify whether case is important by selecting Case Sensitive or Case Insensitive. Comparison: Regular Expression: Matches: Select one or more of the following: Canonical Equivalence Case Insensitive Comments
Dot All Multi-Line Unicode Unix Lines For regular expression syntax information, see the Javadoc for java.util.regex.Pattern. Value: If you have created Identity Server roles policies, select Roles, then select the role you want the user to have to match this condition. The role is assigned to all users when they authenticate.
HTTP request to a specified value. The comparison type you use depends upon the value you want to specify. If you want more flexibility in specifying the value, you should select to compare the current value in the HTTP request with a specified value.
To set up matching for this condition, fill in the following fields: URL Scheme: Specify the scheme you want compared. You can select Current for the current value in the HTTP request, or specify a static value of http or https. Comparison: Select one of the following types: Comparison: URL Scheme: Specifies that you want the values compared as scheme strings and how you want the values compared.
All listed hostnames are compared to the requested URL until a match is found or the list is exhausted. LDAP Attribute: If you have defined an LDAP attribute containing a URL or URL host, you can select this option, then select your attribute.
Liberty User Profile: If you have defined a Liberty User Profile attribute containing a URL or URL host, you can select this option, then select your attribute. Result on Condition Error: Specify what the condition returns when the comparison of the two values returns an error rather than the results of the comparison.
URL. It compares the filename in the URL of the current request to the filename specified in the Value field. To set up matching for this condition, fill in the following fields:
Comparison: Select one of the following types: Comparison: URL File: Specifies that you want the values compared as filenames and how you want the names compared. Select one of the following: Equals: Indicates that the filenames must contain the same letters, in the same order as specified in the value.
Data Entry Field: To specify a static value to compare to the file extension in the current request, select this value type and specify the file extension. You can specify the extension or the period and the extension. For example: .ext
This condition does not support wildcards. If you selected URL File Extension for the comparison type, you can add multiple values: Use the Edit button to access a text box where you can enter multiple values, each on a separate line. For more information, see Section 3.6.23, “Edit Button,”...
You can then select to compare this value with an LDAP attribute, a Liberty User Profile attribute, a Data Entry Field, or another Data Extension. For more information, see the documentation that came with the extension.
In the URL to Dredge text box, enter the URL of a page on a Web server, then click Display URL List. A list of links and images appears. For example, if you enter www.novell.com/documentation/index.html for the URL to Dredge, links such as the following appear in the Links section of the URL Results list:
www.novell.com/company/careers/index.html
www.novell.com/company/strategy.html
www.novell.com/documentation/novellaccessmanager/index.html...
3 In the Administration Console, click Policies > Policies.
4 Click Import, then browse to and select the file.
5 Click OK.
6 When the policy appears in the list, click Apply Changes.
Creating Identity Injection Policies Identity injection allows you to add information to the URL or to the HTML page before it is posted to the Web server. The Web server uses this information to determine whether the user should have access to the resource, so it is the Web server that determines the information that you need to inject to allow access to the resource.
If the value from the first request to the second request changes from no to yes, the user gets access to the resource. If the value from the first request to the second request changes from yes to no, the user is denied access to the resource.
For example: If the attribute controls access to employee resources and an employee leaves, a quick change of this attribute value cuts the employee off from the resources that should be available to employees only. If the attribute controls access to a software download site and a user has just purchased a product, a quick change to this attribute value can grant access to the download site.
6 Fill in the User Name field. Select Credential Profile to insert the name the user entered when the user authenticated. This is the most common value type to use for the username.
Liberty User Profile: Injects the value of the selected attribute. If no profile attributes are available, you have not enabled their use in the Identity Server configuration. See “Managing Web Services and Profiles” in the Novell Access Manager 3.1 SP2 Identity Server Guide.
DN of the user, depending upon who issued the certificate. X509 Public Certificate Issuer: Injects just the issuer from the certificate, which is the name of the certificate authority (CA) that issued the certificate. X509 Public Certificate: Injects the entire certificate.
Usually, you can use either the LDAP Attribute or Liberty User Profile option to supply custom values, because both are extensible. For more information about creating a custom plug-in, see Novell Access Manager Developer Tools and Examples (http://developer.novell.com/wiki/index.php/Nacm).
Name/Value Pair: Description
X-First_Name=givenName: A first name tag with an LDAP attribute value
X-Last_Name=sn: A last name tag with an LDAP attribute value
X-Role=sales_role: A role tag with the role name as the value.
If you create a custom header policy with these name/value pairs, the policy injects these names with their values into a custom header, before sending the request to the Web server. To create such a policy: 1 In the Administration Console, click Policies > Policies. 2 Select the policy container, then click New.
NDAP Fully Qualified Leading Dot Notation: Indicates eDirectory typed leading dot notation. For example: .cn=jsmith.ou=Sales.o=novell
8 (Optional) To add additional custom header actions, click New, then select Inject into Custom Header or use the Copy Action icon and modify the new entry.
Refresh Data Option,” on page 116. String Constant: Injects a static value that you specify in the text box. This value is used by all users who access the resources assigned to this policy.
Data Extension: (Conditional) If you have installed a data extension for Identity Injection policies, this option injects the value that the extension retrieves. For more information about creating a data extension, see Novell Access Manager Developer Tools and Examples (http://developer.novell.com/wiki/index.php/Nacm).
Shared Secret: Injects a value that has been stored in the selected shared secret store. The name specified as the Tag Name must match the name of a name/value pair stored in the shared secret.
Data Extension: (Conditional) If you have installed a data extension for Identity Injection policies, this option injects the value that the extension retrieves. For more information about creating a data extension, see Novell Access Manager Developer Tools and Examples (http://developer.novell.com/wiki/index.php/Nacm).
Proxy Session Cookie: Injects the session cookie for the user. Data Extension: Injects the value retrieved from the extension. For more information about creating a data extension, see Novell Access Manager Developer Tools and Examples (http://developer.novell.com/wiki/index.php/Nacm).
6 To save the policy, click OK twice, then click Apply Changes.
To import a policy: 1 Make sure any referenced shared secret stores have been created. See Section 5.4, “Creating and Managing Shared Secrets,” on page 152. 2 If the policy uses LDAP or Liberty Profile attributes, make sure the Identity Server has been configured for these same attributes.
13 Configure the Web server to use the IPAddress values in the custom header to distinguish between external and internal customers. In this sample scenario, the Web server is configured to recognize IP addresses starting with as internal customers and all other addresses as external customers.
Creating Form Fill Policies A Form Fill policy allows you to prepopulate fields in a form on first login and then save the information in the completed form to a secret store for subsequent logins. The user is prompted to reenter the information only when something changes such as an expired password.
You might want to specify the name of the HTML page that contains the form this policy is designed to fill. 5 In the Actions section, click New, then select Form Fill.
6 In the Form Selection section, select Form Name and specify mylogin in the text box. The form name comes from the HTML page. See the following line in the source for the page:
<form name="mylogin" action="validatepassword.php" method="post" id="mylogin">
7 In the Fill Options section, specify all the input fields and select options. For each new field, click New.
Insert Text in Header: Select this option so you can add a static value. In the Text to Insert box, specify the city value:
city = Provo
9 To create a login failure policy, click New in the Actions section, then select Form Login Failure.
10 In the Form Selection section, select Form Name and specify mylogin in the text box. The form name comes from the HTML page. 11 In the Login Failure Processing section, fill in the following field: Clear Shared Secret Data Values from Policy: Select this option to clear the data stored in the Shared Secret object when login fails.
Use the following methods to match the page and the form: “Using the URL of the Protected Resource” on page 141 “Using CGI Matching Criteria” on page 141 “Using Page Matching Criteria” on page 141 “Using Form Name Criteria” on page 142
<TITLE> following string: <TITLE>Novell WebAccess</TITLE> You would add this string as the value in the text box for the Page Matching Criteria option. Remember that white space is significant when white space is entered to the left of the value in the text box.
Including JavaScript in a Form Fill Policy The following figure illustrates a simple form. Figure 5-2 Form Login Page The source code for this simple form reveals that it includes JavaScript functions:
<html><head><title>Login Page</title></head><body>
<h1 align="center">Login Page</h1>
<script language="JavaScript">
function setCookie(){
  document.cookie="myCookieName=myCookieValue";
}
function validate(){
  if(document.mylogin.title.ldap.length == 0){
    alert("You must provide the title for the user!");
    return false;
  }
  return true;
}
</script>
<form name="jscript" action="viewInfo.php" method="post" onload="setCookie()">
<center>
<table border="1" cellpadding="4" cellspacing="4">
<tbody><tr>
<td>Username:</td>
<td><input name="username"...
Priority: Determines the order in which a rule is applied in the policy, when the policy has multiple rules. Form Fill does not use this field. 6 In the Actions section, click New and select Form Fill.
“URLs Requiring Form Fill” in the Novell Access Manager 3.1 SP2 Installation Guide. 7 In the Form Selection section, specify how the Access Gateway can identify the form on the page. Select one or more of the following methods. Be specific and use as few of the methods as possible.
LDAP Credentials: If you prompt the user for a username and password, select this option, then either LDAP User Name (the cn of the user) or LDAP User DN (the fully distinguished name of the user). Your Web server requirements determine which one you use.
The default contracts assign the cn attribute to the Credential Profile. If your user store is an Active Directory server, the SAMAccountName attribute is used for the username and stored in the cn field of the LDAP Credential Profile. X509 Credentials: If you prompt the user for a certificate, select this option, then select one of the following options depending on your Web server requirements.
For more information about creating a data extension, see Novell Access Manager Developer Tools and Examples (http://developer.novell.com/wiki/index.php/Nacm). Data Conversion: Specify whether the case of the value entered by the user should be converted.
Section 5.3.3, “Creating a Login Failure Policy,” on page 149 “Assigning a Form Fill Policy to a Protected Resource” in the Novell Access Manager 3.1 SP2 Access Gateway Guide. 5.3.3 Creating a Login Failure Policy The Login Failure policy can be part of the same policy as the Form Fill policy, if both share the same URL.
To enable the Embedded Service Provider tracing, see Section 6.1, “Turning on Logging for Policy Evaluation,” on page 161. To enable Access Gateway log entries for Form Fill policies, see “Enabling Form Fill Logging” on page 176.
Configure your rewriter policy so that it runs before the default rewriter policy. For more information about rewriter policies, see “Configuring HTML Rewriting” in the Novell Access Manager 3.1 SP2 Access Gateway Guide. The Option Element Does Not Contain a Value Attribute If an element does not contain a value attribute, Form Fill cannot fill the value.
In the local configuration store
In eDirectory user stores that are running Novell SecretStore
In a user store that has been configured with a custom attribute for secrets
For more information on configuring Access Manager to store secrets, see “Configuring a User...
3 In the Administration Console, click Policies > Policies.
4 Click Import, then browse to the location of the file.
5 Click OK.
6 When the policy appears in the list, click Apply Changes.
5.6 Configuring a Form Fill Policy for Forms With Scripts The Form Fill policy created for the Linux Access Gateway works well with forms that contain a Submit button whose action submits the form data to the Web server without executing any onclick JavaScript or VBScript.
document.forms[0].submit();
LAGSubmitForm();
//-->
</script>
</body>
</html>
In the above code, the LAGSubmitForm() function calls the default submit action of the form, which uses a POST request to send the data to the Web server. But the action for the sample login submit form requires a JavaScript function to be executed.
7 In the Fill Options section, specify all the input fields and select the options that you want. 8 In the Submit Options section, select Auto submit. 9 Select Enable JavaScript Handling.
10 Select Functions to Keep, then specify the JavaScript functions that need to be retained when the form is being automatically submitted. For the example form, specify the following functions:
function dvdRegisterSelect()
function enableAll()
function verify(f, bSubmitToSelf)
function printThisView()
function tpzDrillTable(a,b,c,d)()
11 Click OK.
2 Specify the following command to create the .enableInPlaceSilentFill file:
touch /var/novell/.enableInPlaceSilentFill
3 Specify the following command to create the .enableInPlaceSilentFillNew file:
touch /var/novell/.enableInPlaceSilentFillNew
4 Specify the following commands to restart the Linux Access Gateway:
/etc/init.d/novell-vmc stop
/etc/init.d/novell-vmc start
“Access Gateway Appliance Logs” and “Access Gateway Service Logs” in the Novell Access Manager 3.1 SP2 Access Gateway Guide “Enabling Form Fill Logging” on page 176 Logging for the policy evaluation done by Embedded Service Providers is controlled by the log settings of the Identity Server configuration.
(For information about correlation tags, see “Understanding the Correlation Tags in the Log Files” in the Novell Access Manager 3.1 SP2 Administration Console Guide.) The following log entry is a trace of an evaluation of a Role policy: <amLogEntry> 2009-06-07T21:40:25Z INFO NIDS Application: AM#500199050: AMDEVICEID#9921459858EAAC29: AMAUTHID#503EFFA4BC21ACA307796EC7D96E5532: IDP RolesPep.evaluate(), policy trace:...
169. In the sample RL trace, this is Success(67), indicating success.
Rule Evaluation Result An RU trace has the following fields:
~<RuleID>~<ParentPolicyName>~<ConditionSetJoinType>~~<ConditionSetCount:ActionCount>~~<Result>
An RU trace looks similar to the following:
~~RU~RuleID_1181251958207~Manager~DNF~~1:1~~Success(67)
Table 6-2 describes the fields of a Rule Evaluation Result trace.
Table 6-2 Fields in a Rule Evaluation Result Trace
<RuleID>: The identifier assigned to the rule. In this sample RU trace, this element is set to RuleID_1181251958207.
<ParentPolicyName>...
Table 6-4 Fields in a Condition Trace
<ConditionID>: The identifier assigned to the conditions in the condition group. The first condition is assigned 1. In the sample CO trace, this is 1.
<LHSOperand>: The enumerative value and parameter list of the left operand. It is the first value specified for the comparison and has the following format:
<Condition Name(Data ID)>: <Parameter> : <Value>
The Condition Name is the string assigned to the condition type specified in the policy.
Policy Action Completion trace.
Table 6-6 Fields in a Policy Action Completion Trace
<ActionID>: The ID assigned to the action. In the sample PC trace, this is ActionID_1181252224665.
<ActionName>: The fully distinguished name of the action. In the sample PC trace, the action has the following parts in its name:
Document=(ou=xpemlPEP,ou=mastercdn,ou=ContentPublisherContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell:romaContentCollectionXMLDoc)
Policy=(Manager)
Rule=(1::RuleID_1181251958207)
Action=(AddRole::ActionID_1181252224665)
<ActionParameters>: A list of the action parameters passed to the action handler.
1. The RL trace indicates that the policy has one rule and that the policy evaluated without error.
2. The RU trace indicates that the rule (RuleID_1181251958207) has one condition and one action and that the rule evaluated without error.
Access Gateway that is processing the request. Such a trace looks similar to the following:
<amLogEntry> 2009-07-13T22:13:29Z INFO NIDS Application: AM#501102050: AMDEVICEID#esp-51A474B83BFDDF4F: AMAUTHID#4538DB6F6E2A237FDE674F0C6E16DCEC: PolicyID#N748097P-3507-3KP7-4241-410PN4152094: NXPESID#1718: AGAuthorization Policy Trace:
~~RL~1~~~~Rule Count: 1~~Success(0)
~~RU~RuleID_1182876316974~Allow_Sales~DNF~~1:1~~Success(0)
~~CS~1~~ANDs~NOT~1~~True(69)
~~CO~1~CurrentRoles(6660):no-param:authenticated~com.novell.nxpe.condition.NxpeOperator@string-substring~SelectedRole(6661):hidden-param:hidden-value:~~~False(68)
~~PA~1~~Deny Access Messasge~Sorry, you must work in sales today.~~~Success(0)
~~PC~1~~Document=(ou=xpemlPEP,ou=mastercdn,ou=ContentPublisherContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell:romaContentCollectionXMLDoc),Policy=(Allow_Sales),Rule=(1::RuleID_1182876316974),Action=(Deny::1)~~~~Success(0)
</amLogEntry>...
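Reading these traces by hand is error-prone once a policy has several rules, so the following Python is added here as a worked example of parsing the ~-delimited RL, RU, CS, CO, PA and PC records into structured results; it is not code from the Novell guide or product. The RU field layout is the one the guide gives for a Rule Evaluation Result trace; the positions assumed for CO and PA fields are read off the sample Access Gateway authorization trace above, and the decoding of ~XX hex escapes seen in identity injection traces (~3A for ':' and ~2F for '/') is an assumption about the encoding, not something the guide states. The embedded sample is the guide's Access Gateway trace with the PDF line breaks joined.

```python
"""Parse Access Manager policy evaluation trace records (added example, not Novell code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Every record ends in a result token: "Success(0)", "False(68)", or a bare "Success".
RESULT_RE = re.compile(r"^(?P<name>[A-Za-z]+)(?:\((?P<code>\d+)\))?$")


@dataclass
class TraceRecord:
    kind: str             # RL, RU, CS, CO, PA or PC
    fields: List[str]     # ~-separated fields after the record type; empty fields are kept
    result: str           # Success, True, False, ...
    code: Optional[int]   # numeric code in parentheses, None when the trace omits it


@dataclass
class RuleResult:
    rule_id: str
    policy: str
    join_type: str        # for example DNF
    condition_sets: int
    actions: int
    result: str
    code: Optional[int]


@dataclass
class Summary:
    rules: List[RuleResult] = field(default_factory=list)
    conditions: List[Tuple[str, str, str, str]] = field(default_factory=list)  # id, lhs, rhs, result
    actions: List[str] = field(default_factory=list)                           # PA action names
    problems: List[str] = field(default_factory=list)                          # records not Success/True/False


def parse_record(line: str) -> TraceRecord:
    """Split one record; each record starts with '~~' followed by its two-letter type."""
    parts = line.strip().split("~")
    if len(parts) < 4 or parts[0] != "" or parts[1] != "":
        raise ValueError(f"not a policy trace record: {line!r}")
    kind, fields = parts[2], parts[3:]
    m = RESULT_RE.match(fields[-1])
    if m is None:
        raise ValueError(f"record has no result token: {line!r}")
    code = int(m.group("code")) if m.group("code") is not None else None
    return TraceRecord(kind, fields, m.group("name"), code)


def parse_rule(rec: TraceRecord) -> RuleResult:
    """RU layout from the guide:
    ~<RuleID>~<ParentPolicyName>~<ConditionSetJoinType>~~<ConditionSetCount:ActionCount>~~<Result>"""
    if rec.kind != "RU":
        raise ValueError("expected an RU record")
    f = rec.fields
    cs_count, action_count = f[4].split(":")
    return RuleResult(f[0], f[1], f[2], int(cs_count), int(action_count), rec.result, rec.code)


def decode_tilde_escapes(text: str) -> str:
    """Assumption: inside a field value, '~XX' is a hex-escaped byte (~3A -> ':', ~2F -> '/')."""
    return re.sub(r"~([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), text)


def summarize(trace: str) -> Summary:
    """Collect rule, condition and action outcomes; flag any record that is not Success/True/False."""
    summary = Summary()
    for raw in trace.splitlines():
        line = raw.strip()
        if not line.startswith("~~"):
            continue  # skip the <amLogEntry> wrapper and the header line
        rec = parse_record(line)
        if rec.kind == "RU":
            summary.rules.append(parse_rule(rec))
        elif rec.kind == "CO":
            # Positions read off the sample: ~<ConditionID>~<LHSOperand>~<Operator>~<RHSOperand>~~~<Result>
            summary.conditions.append((rec.fields[0], rec.fields[1], rec.fields[3], rec.result))
        elif rec.kind == "PA":
            # Positions read off the sample: ~<ActionID>~~<ActionName>~<Parameter>...~~~<Result>
            summary.actions.append(rec.fields[2])
        if rec.result not in ("Success", "True", "False"):
            summary.problems.append(line)
    return summary


# The guide's sample Access Gateway authorization trace, with PDF line breaks joined.
SAMPLE_AG_TRACE = """\
~~RL~1~~~~Rule Count: 1~~Success(0)
~~RU~RuleID_1182876316974~Allow_Sales~DNF~~1:1~~Success(0)
~~CS~1~~ANDs~NOT~1~~True(69)
~~CO~1~CurrentRoles(6660):no-param:authenticated~com.novell.nxpe.condition.NxpeOperator@string-substring~SelectedRole(6661):hidden-param:hidden-value:~~~False(68)
~~PA~1~~Deny Access Messasge~Sorry, you must work in sales today.~~~Success(0)
~~PC~1~~Document=(ou=xpemlPEP,ou=mastercdn,ou=ContentPublisherContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell:romaContentCollectionXMLDoc),Policy=(Allow_Sales),Rule=(1::RuleID_1182876316974),Action=(Deny::1)~~~~Success(0)
"""

if __name__ == "__main__":
    s = summarize(SAMPLE_AG_TRACE)
    for r in s.rules:
        print(f"rule {r.rule_id} in policy {r.policy}: {r.result}, {r.condition_sets} condition set(s), {r.actions} action(s)")
    for cid, lhs, rhs, res in s.conditions:
        print(f"condition {cid}: {lhs} vs {rhs} -> {res}")
    print("actions taken:", s.actions, "problems:", s.problems)
```

A trace where every record reports Success but the condition evaluates to False, as in the sample, is the pattern to look for when a user is unexpectedly denied: the policy engine ran cleanly and the deny action was the intended result of the rule, not an evaluation error.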
Each identity injection policy generates two log entries. The first entry indicates whether the policy could successfully retrieve the information and inject it into the header. The second entry specifies whether the response is successfully sent to the Web server.
Header~password~pwd(1):CredentialProfile(7010:):NEPXurn~3Anovell~3Acredentialprofile~3A2005-03~2Fcp~3ASecrets~2Fcp~3ASecret~2Fcp~3AEntry~40~40~40~40WSCQSSToken~40~40~40~40~2Fcp~3ASecrets~2Fcp~3ASecret~5Bcp~3AName~3D~22LDAPCredentials~22~5D~2Fcp~3AEntry~5Bcp~3AName~3D~22UserPassword~22~5D:~Ok~Success(0)
~~PC~ActionID_1181251427701~~Document=(ou=xpemlPEP,ou=mastercdn,ou=ContentPublisherContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell:romaContentCollectionXMLDoc),Policy=(basic_auth_ii),Rule=(1::RuleID_1181251426062),Action=(InjectAuthHeader::ActionID_1181251427701)~~~~Success(0)
</amLogEntry>
<amLogEntry> 2009-06-11T20:16:51Z INFO NIDS Application: AM#501101021: AMDEVICEID#esp-534FD0D0E32FE4BD: PolicyID#OL8659PL-0K69-0N0N-0845-5PN113KM3842: NXPESID#2539: Response sent: Status - success </amLogEntry>
These entries look very similar to the entries for a successful injection of data. This is because injecting NULL data for data that is not available is considered a successful action.
Form Fill entries. For the filter, enable the Form Fill Processing events in the Advanced Log Level Options section. Sample Form and Policy Used for the Trace Figure 6-2 illustrates the simple form that was used for the trace.
Because the URL path /identity/forms/simple.html identifies a specific file on the Web server, the policy does not require any CGI or page matching criteria. Figure 6-3 The Form Fill Policy for the mylogin Form
~~RL~1~~~~Rule Count: 1~~Success(67)
~~RU~RuleID_1189711482510~simpleform~DNF~~0:1~~Success(67)
~~PA~ActionID_1189711485006~~Added Form Selection Group~~~~Success
~~PA~ActionID_1189711485006~~Added Fill Options Group~~~~Success(0)
~~PA~ActionID_1189711485006~~Added Submit Options Group~~~~Success
~~PC~ActionID_1189711485006~~Document=(ou=xpemlPEP,ou=mastercdn,ou=ContentPublisherContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell:romaContentCollectionXMLDoc),Policy=(simpleform),Rule=(1::RuleID_1189711482510),Action=(FormFill::ActionID_1189711485006)~~~~Success(0)
</amLogEntry>
3. <amLogEntry> 2009-09-14T00:15:52Z INFO NIDS Application: AM#501101021: AMDEVICEID#esp-917A1174C8A270FC: PolicyID#06OO287L-06LO-KKP4-207M-6971PPM6147L: NXPESID#2663: Response sent: Status - success </amLogEntry>
1. The first log entry is the request to evaluate the policy. If this entry doesn’t occur, make sure that the Form Fill policy is enabled for the protected resource.
For more information about lagsoapmessages, see “Configuring Logging of SOAP Messages and HTTP Headers” in the Novell Access Manager 3.1 SP2 Access Gateway Guide. 6.3 Common Configuration Problems That Prevent a Policy from Being Applied as Expected When you try to determine what is functioning incorrectly in a policy, you need to turn on policy tracing and understand the evaluation traces.
If the attribute is multi-valued and your users typically have multiple values, select Substring as the Comparison type. 6 If these steps have not solved the problem, see Section 6.3.3, “Result on Condition Error Value,” on page 183.
524 and 636 must be open to allow for the creation of the required objects. For more information about ports and firewalls, see “Setting Up Firewalls” in the Novell Access Manager 3.1 SP2 Setup Guide.
Roles for Current User: User session
Roles from Identity Provider: User session
Shared Secret: User session; configurable to be cached only for the request with the Force Data Read option.
String Constant: User session
Request
(LDAP servers) and ensure that they are communicating. 6.8 Policy Creation and Storage For troubleshooting, you can export the policy and send it to Novell for debugging. If the policy uses roles, make sure you also export the Role policies.
Set the level of Application logging to info and examine the policy trace from a user accessing the protected resource. See Section 6.2, “Understanding Policy Evaluation Traces,” on page 162.
6.10 Policy Evaluation: Access Gateway Devices The following diagram depicts how Authorization policies fit into the protected resource processing for the proxy. Figure 6-4 Policy Evaluation (flowchart: Request Received; Protected Resource Defined?; Authentication Enabled?; Authentication Returns Success?; Authorization Policy?; Authorization Returns Success?; Continue Processing; Deny Request...)
6.10.2 No Policy Defined Configuration Example The following is a sample of a configuration request where the policy code detects that no policies are in effect for the protected resource and Policy Enforcement Point (PEP).