Novell ACCESS MANAGER 3.1 SP2 - POLICY GUIDE 2010 Manual


AUTHORIZED DOCUMENTATION
Policy Guide
Novell
Access Manager
3.1 SP2
June 11, 2010
www.novell.com
Novell Access Manager 3.1 SP2 Policy Guide


Summary of Contents for Novell ACCESS MANAGER 3.1 SP2 - POLICY GUIDE 2010

  • Page 1 AUTHORIZED DOCUMENTATION Policy Guide Novell Access Manager 3.1 SP2 June 11, 2010 www.novell.com Novell Access Manager 3.1 SP2 Policy Guide...
  • Page 2 Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
  • Page 3 Novell Trademarks For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html). Third-Party Materials All third-party trademarks are the property of their respective owners.
  • Page 5: Table Of Contents

    Contents About This Guide 1 Managing Policies Selecting a Policy Type ............11 Policy Performance .
  • Page 6 Importing and Exporting Identity Injection Policies ... 130
  • Page 7 Sample Identity Injection Policy ..........131 5 Creating Form Fill Policies Understanding an HTML Form.
  • Page 9: About This Guide

    About This Guide This guide describes the following features of Novell Access Manager policies: Chapter 1, “Managing Policies,” on page 11 Chapter 2, “Creating Role Policies,” on page 23 Chapter 3, “Creating Authorization Policies,” on page 65 Chapter 4, “Creating Identity Injection Policies,” on page 115 Chapter 5, “Creating Form Fill Policies,”...
  • Page 10 Novell Access Manager 3.1 SP2 SSL VPN Server Guide Novell Access Manager 3.1 SP2 J2EE Agent Guide Documentation Conventions In Novell documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.
  • Page 11: Managing Policies

    Managing Policies Policies are logical and testable rules that you use to maintain order, security, and consistency within your Access Manager infrastructure. You can specify activation criteria, deactivation criteria, temporal constraints (such as time of day or subnet), identity constraints (such as user object attribute values), and additional separation-of-duty constraints.
  • Page 12: Policy Performance

    For more information, see “Configuring the Attributes Sent with Authentication” in the Novell Access Manager 3.1 SP2 Identity Server Guide. As you design your policies, experiment and find the type that works best for your network and your customers.
  • Page 13: Creating Policies

    “Sorting Policies” on page 13 “Deleting Policies” on page 13 “Renaming or Copying a Policy” on page 13 “Importing and Exporting Policies” on page 14 “Creating the SSL VPN Default Policy” on page 14 “Refreshing Policy Assignments” on page 14 “Viewing Policy Information”...
  • Page 14: Importing And Exporting Policies

    Specifies whether the policy uses any extensions. If none has been used, this column has no value. Description Displays a description of the policy. If no description has been specified, this column has no value.
  • Page 15: Managing Policy Containers

    1.4 Managing Policy Containers You use policy containers to store and organize policies, similar to how you organize files in folders. The Master_Container is a permanent policy container, but you can use the Containers tab to create new containers. A policy container can hold up to 500 policies. When you reach that limit, you must create another container to add, copy, or import policies.
  • Page 16: Rule Evaluation For Role Policies

    Result on Error Condition field in a rule is set incorrectly, the user matches the last rule and is denied access. Without this rule, a user might gain access because the user didn’t match any of the rules.
  • Page 17: Rule Evaluation For Identity Injection And Form Fill Policies

    This data could then be used to determine access rights to Access Manager resources. For information on how to create a policy extension, see the Novell Access Manager Developer Kit (http://developer.novell.com/wiki/index.php/Novell_Access_Manager_Developer_Tools_and_Examples). After a policy extension has been created, you need to perform the following tasks to use the extension: Section 1.6.1, “Installing the Extension on the Administration Console,”...
  • Page 18 6 To create an extension configuration, click New, then fill in the following fields: Name: Specify a display name for the extension. Description: (Optional) Specify the purpose of the extension and how it should be used.
  • Page 19 Policy Type: From the drop-down list, select the type of extension you have uploaded. Type: From the drop-down list, select the data type of the extension. Class Name: Specify the name of the class that creates the extension, such as com.acme.policy.action.successActionFactory.
  • Page 20: Distributing A Policy Extension

    For an Authorization policy, assign it to a protected resource. For more information, see “Assigning an Authorization Policy to a Protected Resource” in Novell Access Manager 3.1 SP2 Access Gateway Guide. For an Identity Injection policy, assign it to a protected resource. For more information, see “Assigning an Identity Injection Policy to a Protected...
  • Page 21: Viewing Extension Details

    Access Gateway Embedded Service Providers, so that the Embedded Service Providers read the logging options. See “Configuring Component Logging” in the Novell Access Manager 3.1 SP2 Identity Server Guide. When you have solved the problem, you should disable these options.
  • Page 22 For example, if you have an Access Gateway: Authorization error, look at the log on the Access Gateway that executed the policy. For additional policy troubleshooting procedures, see Chapter 6, “Troubleshooting Access Manager Policies,” on page 161.
  • Page 23: Creating Role Policies

    Creating Role Policies This section describes the following topics for Identity Server roles. Section 2.1, “Understanding RBAC in Access Manager,” on page 23 Section 2.2, “Creating Roles,” on page 27 Section 2.3, “Example Role Policies,” on page 47 Section 2.4, “Creating Access Manager Roles in an Existing Role-Based Policy System,” on page 52 Section 2.5, “Mapping Roles between Trusted Providers,”...
  • Page 24: Assigning All Authenticated Users To A Role

    Logging page in the Identity Server configuration when you enable the Login Provided or Login Consumed options. 2.1.2 Using a Role to Create an Authentication Policy The simplest implementation of RBAC policies is to include roles as evaluated conditions when creating Authorization policies.
  • Page 25 Suppose you belong to a company of 300 employees, and ten of them are managers. You can assign all employees to an Employee role, and make it a condition of an Authorization policy with no restrictions. Such a policy would permit access to Web resources intended for all employees, as shown in the following example: Employee Authorization Policy Figure 2-4...
  • Page 26: Using Prioritized Rules In An Authorization Policy

    Rule List page for the Authorization policy below:
  • Page 27: Creating Roles

    Authorization Policy with Multiple Rules Figure 2-6 In this example, you specify a first-priority rule with a condition that allows access if a user has been assigned to the role of Sales Representative. You add rules for users assigned to the role of Sales Manager, Sales Vice President, and so on.
  • Page 28 Data Extension. For more information, see the documentation that came with the extension. 6 (Conditional) To add multiple conditions, repeat Step For more information on using multiple conditions in a rule, see Section 2.2.2, “Using Multiple Conditions,” on page
  • Page 29: Selecting Conditions

    7 In the Actions section, select one of the following: Activate Role: Select this option to specify a name for the role. If you are creating a role that needs to be injected into an HTTP header, use the capitalization format that the Web server expects.
  • Page 30: Authenticating Idp Condition

    See “Configuring SAML and Liberty Trusted Providers” in the Novell Access Manager 3.1 SP2 Identity Server Guide. The most common way to use this condition is when you have a service provider that has been configured to trust two identity providers and you want to assign a role based on which identity provider authenticated the user.
  • Page 31: Authentication Contract Condition

    Dot All Multi-Line Unicode Unix Lines For regular expression syntax information, see the Javadoc for java.util.regex.Pattern. Value: Specify the value you want to compare with the Authenticating IDP value. If you select a static value for the Authenticating IDP value, select Authenticating IDP and Current. If you select Current for the Authenticating IDP value, select Authenticating IDP, then select the name of an identity provider.
  • Page 32 Insensitive. Comparison: Regular Expression: Matches: Select one or more of the following: Canonical Equivalence Case Insensitive Comments Dot All Multi-Line Unicode Unix Lines For regular expression syntax information, see the Javadoc for java.util.regex.Pattern.
  • Page 33: Authentication Method Condition

    Value: Specify the value you want to compare with the Authentication Contract value. If you select a static value for the Authentication Contract value, select Authentication Contract and Current. If you select Current for the Authentication Contract value, select Authentication Contract, then select the name of a contract.
  • Page 34: Authentication Type Condition

    Contains Substring: Indicates that the Authentication Type value must contain the letters, in the same sequence, as specified in the Value field. Comparison: Regular Expression: Matches: Specifies that you want the values compared as regular expressions.
  • Page 35: Credential Profile Condition

    Mode: Select the mode appropriate for the comparison type: Comparison: String: Specify whether case is important by selecting Case Sensitive or Case Insensitive. Comparison: Regular Expression: Matches: Select one or more of the following: Canonical Equivalence Case Insensitive Comments Dot All Multi-Line Unicode Unix Lines...
  • Page 36 Liberty User Profile: If you have a Liberty User Profile attribute that corresponds to the Credential Profile you have specified, select this option and the attribute.
  • Page 37: Ldap Group Condition

    for example, o=novell, ou=sales. If the comparison type is set to Contains Substring, you can match a group of certificates by specifying a name that is part of the Subject Name, for example ou=sales. Other values are possible.
  • Page 38: Ldap Ou Condition

    OU or a child container (Subtree). Comparison: Regular Expression: Matches: Select one or more of the following: Canonical Equivalence Case Insensitive Comments Dot All Multi-Line Unicode
  • Page 39 For more information about the <strFilter> parameter, see RFC 2254 “LDAP Search Filter.” If you select Data Entry Field, you can specify the DN of the OU in the text field. For example: cn=users,dc=bcf2,dc=provo,dc=novell,dc=com or ou=users,o=novell. If you have defined a Liberty User Profile or an LDAP attribute for the OU you want to match, select this option, then select your attribute.
  • Page 40 LDAP. To select this attribute for comparison, click Entire Personal Identity > Entire Common Name > Common Analyzed Name > Common Last Name. Comparison: Select the comparison type that matches the data type of the selected attribute and the value.
  • Page 41 For information about enabling All Roles, see “Selecting Attributes for a Trusted Provider” in the Novell Access Manager 3.1 SP2 Identity Server Guide. For an example of how to use Roles from Identity Provider to create a Role policy, see Section 2.5,...
  • Page 42 Contains Substring: Indicates that the User Store value must contain the letters, in the same sequence, as specified in the Value field. Comparison: Regular Expression: Matches: Specifies that you want the values compared as regular expressions.
  • Page 43: Using Multiple Conditions

    Value: Specify the value you want to compare with the User Store value. If you select a static value for the User Store value, select User Store and Current. If you select Current for the User Store value, select User Store, then select the name of a user store. If you have created more than one Identity Server configuration, select the configuration, then select the user store.
  • Page 44: Or Conditions, And Groups

    To add another condition to a condition group, click New, then select a condition. To copy an existing condition, click the Copy Condition icon. New conditions are always added to the end of the condition group. Use the Move buttons to order the conditions in the condition group.
  • Page 45: Selecting An Action

    Adding New Condition Groups To add another condition group to the rule, click Append New Group. To copy the existing condition group, click the Copy Group icon. New condition groups are always added to the end of the Conditions section. Use the Move buttons to order the condition groups.
  • Page 46 If you want to use this longer query, you need to create a policy extension. For a sample extension that does this, see Novell Access Manager Developer Tools and Examples (http://developer.novell.com/wiki/index.php/Novell_Access_Manager_Developer_Tools_and_Examples).
  • Page 47: Example Role Policies

    If the source contains multiple values, select the format that is used to separate the values. If the value is a distinguished name, select the format of the DN. Figure 2-9 shows how to assign an LDAP Group, cn=DocGroup,o=novell, as a role. Activating a Role from an External Source Figure 2-9 To use the same conditions to activate multiple roles from different sources, select Activate Selected Role for each role you want to activate.
  • Page 48 If this role needs to match the name of a role required by a Java or Web application, ensure that the case of the name matches the application’s name. 9 On the Rule List page, click OK. 10 On the Policies page, click Apply Changes, then click Close.
  • Page 49: Creating A Manager Role

    11 On the Role Policy page, select the Employee role, then click Enable. 12 Click OK, then update the Identity Server. The Identity Server configuration must be updated after you enable a role. 13 To create a Manager role, continue with “Creating a Manager Role”...
  • Page 50 Manager if the condition evaluates to True. If an error occurs, you do not want random users assigned the role of Manager. Therefore, for this rule, you need to select False. 7 In the Actions section, click Activate Role.
  • Page 51: Creating A Rule For A Contract With Ored Credentials

    8 In the Activate Role box, type Manager, then click OK twice. 9 On the Policies page, click Apply Changes. 10 Click Close, select the Manager role, then click Enable. 11 Click OK, then update the Identity Server. 2.3.3 Creating a Rule for a Contract with ORed Credentials A contract with ORed credentials allows the user to decide which credentials to use for authenticating.
  • Page 52: Creating Access Manager Roles In An Existing Role-Based Policy System

    Web resources. If your role definitions use the following types of LDAP features, you can create Access Manager Role policies that use them: Values found in LDAP attributes Location of the user objects in the directory tree Membership in groups or roles
  • Page 53: Activating Roles From External Sources

    The Access Manager Role policies that you create for these features can then be used to control access to protected Web resources. You can manually assign the roles by creating role policies with conditions or you can activate roles based on the values in the external source. Section 2.4.1, “Activating Roles from External Sources,”...
  • Page 54 XMLDoc),Policy=(LDAP_Group),Rule=(1::RuleID_1223587171711),Action= (AddSelectedRole::ActionID_1223588319336)~~~~Success(0) </amLogEntry> <amLogEntry> 2009-10-09T21:58:55Z INFO NIDS Application: AM#500105013: AMDEVICEID#CA50FD51DB1EEE3E: AMAUTHID#213E610199A14CEAF27395A6B35F3162: Authenticated user cn=jwilson,o=novell in User Store Internal with roles "cn=Doc,o=novell","authenticated". </amLogEntry> The first <amLogEntry> entry indicates that the action in the LDAP_Group policy was successfully assigned. The second entry gives the DN of the user and lists the roles assigned to the user: cn=Doc,o=novell and authenticated.
  • Page 55: Using Conditions To Assign Roles

    You can now use the cn=Doc,o=novell role when creating Authorization and Identity Injection policies, which control access to protected Web resources. Roles activated this way do not appear in the list of available roles. You need to use the Data Entry Field to manually type in the role name.
  • Page 56 If you have created your users in specific containers in your LDAP tree, you can use these container objects to assign users to roles. For example, suppose your LDAP tree looks similar to the following tree.
  • Page 57 Figure 2-13, Using an eDirectory Tree for Access Control (eDirectory tree: o=Novell containing ou=Sales, ou=HR, and ou=Dev, each holding its own Users). Such a tree organization can be used to control access to resources. The following instructions explain how to create a Role policy for the users created under the Sales container.
  • Page 58 LDAP OU value, the user matches the condition. For example, if the DN of the user is cn=bsmith,ou=sales,o=novell and the LDAP OU value is ou=sales,o=novell, the user matches the condition. If you selected Subtree for the Mode, a user with the following DN also matches the condition: cn=djones,ou=provo,ou=sales,o=novell.
  • Page 59 7 Click OK twice, then click Apply Changes. 8 To enable the role so that it can be used in Authorization and Identity Injection policies, click Devices > Identity Servers > Edit > Roles. 9 Select the check box next to the name of the role, then click Enable. 10 Click OK.
  • Page 60 6 In the Actions section, click Activate Role. 7 In the Activate Role box, type ManagersGroup, then click OK. The name you enter in the box is the role you want assigned to the users who match the condition.
  • Page 61 Your rule should look similar to the following: 8 Click OK twice, then click Apply Changes. 9 To enable the role so that it can be used in Authorization and Identity Injection policies, click Devices > Identity Servers > Servers > Edit > Roles. 10 Select the check box next to the name of the role, then click Enable.
  • Page 62: Mapping Roles Between Trusted Providers

    Activate Role: xyz_user In this example, employees authenticate to identity providers novell.com (Liberty) or xyz.com (SAML 2.0). Each user is assigned to a role, such as N_EmployeeRole or XYZ_Empl. Attribute sets at each of the identity providers are configured to exchange the All Roles attribute with the trusted service provider, DigitalAirlines.com.
  • Page 63: Procedure

    2.5.2 Procedure The following procedure describes how the service provider configures this type of role policy for novell.com, mapping the N_Employee role to an Access Manager role: 1 In the Administration Console, click Policies > Policies. 2 Click New, then specify a name for the Role policy.
  • Page 64: Enabling And Disabling Role Policies

    1 In the Administration Console, click Policies > Policies. 2 Click Import, then browse to and select the file. 3 Click OK. 4 When the policy appears in the list, click Apply Changes.
  • Page 65: Creating Authorization Policies

    Creating Authorization Policies Authorization policies are used when you want to protect a resource based on criteria other than authentication, and you want Access Manager to enforce the access restrictions. Authorization policies are enforced when a user requests data from a resource. Access Manager supports three types of Authorization policies: Access Gateway Authorization policies for protecting resources of the Access Gateway...
  • Page 66: Controlling Access With A Deny Rule And A Negative Condition

    If an error occurs, you want the policy to assume that the user is not a manager, so he or she matches the condition and the Deny action is applied.
  • Page 67: Configuring The Result On Condition Error Option

    3.1.2 Configuring the Result on Condition Error Option The Result on Condition Error option allows you to specify what the condition returns when the comparison of the two values returns an error rather than the results of the comparison. Select either False or True.
  • Page 68 Disabling or Moving Conditions and Condition Groups Condition groups and conditions within them can be disabled by clicking the Enabled check mark, which changes the icon to the Disabled icon
  • Page 69: Controlling Access With Multiple Conditions

    You usually disable a condition or condition group when testing a new rule, and if you decide that the condition or condition group is not needed, you can then use the Delete button to delete the condition or condition group from the rule. Use the Move buttons next to the Delete button to move a condition up or down within its group.
  • Page 70: Using Permit Rules With A Deny Rule

    Deny rule is only processed if the user does not match one of the allow rules, and because all users match a rule with no conditions, the user is denied access to the resource.
  • Page 71 The first rule in such a policy for the sales application would look similar to the following. Rule 1 Granting Access Figure 3-3 The conditions in Rule 1 are ANDed, which requires the user to match both conditions before they are granted access to the resource.
  • Page 72: Using Deny Rules With A General Permit Rule

    When a user doesn’t match the condition, the Action is not applied and the next rule in the policy is evaluated. For example, suppose the URL condition is set to compare the following value: http://sales.provo.novell.com/meetings/?
  • Page 73: Public Policies

    If the URL in the request is http://sales.provo.novell.com/meetings/january, the user does not match the condition, because the ? applies only to the files in the meetings directory and not to its subdirectories. The Action is not applied, and the next rule or policy is evaluated.
  • Page 74: Using The Refresh Data Option

    If the value from the first request to the second request changes from no to yes, the user gets access to the resource. If the value from the first request to the second request changes from yes to no, the user is denied access to the resource.
  • Page 75: Assigning Policies To Resources

    For information on how to assign the policy to a resource, see the following: For an Access Gateway policy, see “Assigning an Authorization Policy to a Protected Resource” in the Novell Access Manager 3.1 SP2 Access Gateway Guide. For a Web Authorization policy, see “Assigning a Web Authorization Policy to the Resource”...
  • Page 76 X-Forwarded-For IP: Allows you to control access based on the value in the X-Forwarded-For IP header of the HTTP request. For configuration information, see Section 3.6.19, “X-Forward-For IP Condition,” on page 111.
  • Page 77 10 To add another rule, click New or to save the policy, click OK, then click Apply Changes. 11 Assign the policy to a protected resource (see “Assigning an Authorization Policy to a Protected Resource” in the Novell Access Manager 3.1 SP2 Access Gateway Guide).
  • Page 78: Sample Access Gateway Authorization Policies

    Authorization as the type, then click OK. 2 For Condition Group 1, click New, then select Credential Profile. 3 Fill in the following fields: LDAP Credentials: Select LDAP User DN. If/If Not: Select If Not. Comparison: Select Contains Substring.
  • Page 79 5 Assign the policy to the protected Web resources of the sales department (see “Assigning an Authorization Policy to a Protected Resource” in the Novell Access Manager 3.1 SP2 Access Gateway Guide). 6 Repeat these steps for the other two departments, changing the Value field to match the appropriate department.
  • Page 80 The Conditions section is left empty so that everyone who does not match the conditions of the Permit rule is denied access to the resource. 10 In the Actions section, select Deny and either accept the default action or select one of the other actions. 11 Click OK twice.
  • Page 81: Sample Workflow Policy

    13 Assign the policy to the protected Web resources of the sales department (see “Assigning an Authorization Policy to a Protected Resource” in the Novell Access Manager 3.1 SP2 Access Gateway Guide). 3.3.2 Sample Workflow Policy One of the common workflow problems that an Authorization policy can solve is what to do with users who are denied access to a resource.
  • Page 82 This rule grants the user the Master role if the user belongs to the cn=Master,o=novell LDAP group. If the user doesn’t belong to this group or if an error occurs trying to get the data, the user is not assigned the role. This occurs because both the condition and the Result on Condition Error evaluate to False, which prevents the Action from being applied.
  • Page 83 A Deny Rule with a Redirect URL Figure 3-9 With an If Not condition, the condition evaluates to True when the user does not match the condition. With such a rule, you want the Result on Condition Error to also evaluate to True. If there is an error obtaining role information for the user, you don’t want the rule to assume that the user had the Master role.
  • Page 84: Creating Web Authorization Policies For J2Ee Agents

    Condition,” on page Current Time of Day: Allows you to control access based on the time the request was made. For configuration information, see Section 3.6.7, “Current Time of Day Condition,” on page
  • Page 85: Creating Enterprise Javabean Authorization Policies For J2Ee Agents

    7 To save the rule, click OK twice, then click Apply Changes. 8 Assign the policy to a Web resource. See “Assigning a Web Authorization Policy to the Resource” in the Novell Access Manager 3.1 SP2 J2EE Agent Guide. 3.5 Creating Enterprise JavaBean Authorization Policies for J2EE Agents An Enterprise JavaBean (EJB) Authorization policy allows you to protect the entire bean or specific interfaces or methods.
  • Page 86 7 To save the rule, click OK, then click Apply Changes. 8 Assign the policy to an EJB resource. See “Assigning an Enterprise JavaBeans Authorization Policy to a Resource” in the Novell Access Manager 3.1 SP2 J2EE Agent Guide.
  • Page 87: Conditions

    3.6 Conditions This section describes the possible conditions for an Authorization policy. Some conditions can be set up so that the current values in the request are compared against static values (A to B), or you can compare static values to current values in the request (B to A). Within one policy, you should probably decide which direction to set up the comparisons and remain consistent unless there is a compelling reason to switch the direction for a particular condition.
  • Page 88: Authentication Contract Condition

    If you select a contract that is defined on only one of your configurations, be aware that you must change this policy when you change configurations. If you select a contract that is defined in all your configurations, this policy requires no modifications and continues to function when you change configurations.
  • Page 89 For example, the following policy has selected Name/Password - Basic as the contract: An Authentication Contract Defined by Multiple Identity Server Configurations Figure 3-11 Two Identity Server configurations have been defined (idp-43.amlab.net and idp-51.amlab.net). Both configurations are highlighted because Name/Password - Basic is a contract that is automatically defined for all Identity Server configurations.
  • Page 90: Client Ip Condition

    Comparison: Regular Expression: Matches: Specifies that you want the values compared as regular expressions. If you select this option, you must also specify a mode. Select one or more of the following: Canonical Equivalence Case Insensitive Comments Dot All Multi-Line Unicode
  • Page 91: Credential Profile Condition

    Unix Lines For regular expression syntax information, see the Javadoc for java.util.regex.Pattern. Value: Select Data Entry Field and specify a value appropriate for your comparison type. Use the Edit button to access a text box where you can enter multiple values, each on a separate line. (For more information, see Section 3.6.23, “Edit Button,”...
  • Page 92 Liberty User Profile: If you have a Liberty User Profile attribute that corresponds to the Credential Profile you have specified, select this option and the attribute.
  • Page 93: Current Date Condition

    Subject Name of the certificate in the Value text box. Separate the elements with a comma and a space, for example, o=novell, ou=sales. If the comparison type is set to Contains Substring, you can match a group of certificates by specifying a name that is part of their Subject Name, for example ou=sales.
  • Page 94: Day Of Week Condition

    Equals: Allows you to specify a day that the client must match. In Range: Allows you to specify a range of days that the client’s request must fall within, for example, Monday to Friday.
  • Page 95: Current Day Of Month Condition

    Comparison: Regular Expression: Matches: Specifies that you want the values compared as regular expressions. Be aware that regular expression matching uses the entire date of the server in its matching. Therefore if the value you are matching is M, the M can produce a match for months (March and May) and for time zones (such as MST).
  • Page 96: Current Time Of Day Condition

    Greater Than: Requires that the current time is greater than the specified value. Greater Than or Equal to: Requires that the current time is greater than or equal to the specified value. Less Than: Requires that the current time is less than the specified value.
  • Page 97: Http Request Method Condition

    Less Than or Equal to: Requires that the current time is less than or equal to the specified value. In Range: Requires that the current time must fall within the specified range, such as 08:00 and 17:00. If you specify this type of comparison, you must also specify a time zone. Select either the Local time zone or GMT (Greenwich Mean Time).
  • Page 98 Select either False or True. If you do not want the action applied when an error occurs, select False. If you want the action applied when an error occurs, select True...
  • Page 99: Ldap Attribute Condition

    3.6.9 LDAP Attribute Condition The LDAP Attribute condition allows you to restrict access based on a value in an LDAP attribute defined for the inetOrgPerson class or any other LDAP attribute you have added. You can have the user’s attribute value retrieved from your LDAP directory and compared to a value of the following type: Roles from an identity provider Date and time and its various elements...
  • Page 100: Ldap Ou Condition

    *low* Returns all OUs that have “low” in the name, such as low, yellow, and clowns. For more information about the <strFilter> parameter, see RFC 2254 “LDAP Search Filter.”...
  • Page 101: Liberty User Profile Condition

    If you select Data Entry Field, you can enter the DN of the OU in the text field. For example: cn=users,dc=bcf2,dc=provo,dc=novell,dc=com ou=users,o=novell If you have defined a Liberty User Profile or an LDAP attribute for the OU you want to match, select this option, then select your attribute.
  • Page 102: Roles Condition

    Mode: Select the mode appropriate for the comparison type: Comparison: String: Specify whether case is important by selecting Case Sensitive or Case Insensitive. Comparison: Regular Expression: Matches: Select one or more of the following: Canonical Equivalence Case Insensitive Comments...
  • Page 103: Url Condition

    Dot All Multi-Line Unicode Unix Lines For regular expression syntax information, see the Javadoc for java.util.regex.Pattern. Value: If you have created Identity Server roles policies, select Roles, then select the role you want the user to have to match this condition. The role is assigned to all users when they authenticate.
  • Page 104: Url Scheme Condition

    HTTP request to a specified value. The comparison type you use depends upon the value you want to specify. If you want more flexibility in specifying the value, you should select to compare the current value in the HTTP request with a specified value...
  • Page 105 To set up matching for this condition, fill in the following fields: URL Scheme: Specify the scheme you want compared. You can select Current for the current value in the HTTP request, or specify a static value of http or https. Comparison: Select one of the following types: Comparison: URL Scheme: Specifies that you want the values compared as scheme strings and how you want the values compared.
  • Page 106: Url Host Condition

    All listed hostnames are compared to the requested URL until a match is found or the list is exhausted. LDAP Attribute: If you have defined an LDAP attribute containing a URL or URL host, you can select this option, then select your attribute...
  • Page 107: Url Path Condition

    Liberty User Profile: If you have defined a Liberty User Profile attribute containing a URL or URL host, you can select this option, then select your attribute. Result on Condition Error: Specify what the condition returns when the comparison of the two values returns an error rather than the results of the comparison.
  • Page 108: Url File Name Condition

    URL. It compares the filename in the URL of the current request to the filename specified in the Value field. To set up matching for this condition, fill in the following fields:...
  • Page 109 Comparison: Select one of the following types: Comparison: URL File: Specifies that you want the values compared as filenames and how you want the names compared. Select one of the following: Equals: Indicates that the filenames must contain the same letters, in the same order as specified in the value.
  • Page 110: Url File Extension Condition

    Data Entry Field: To specify a static value to compare to the file extension in the current request, select this value type and specify the file extension. You can specify the extension or the period and the extension. For example: .ext...
  • Page 111: X-Forward-For Ip Condition

    This condition does not support wildcards. If you selected URL File Extension for the comparison type, you can add multiple values: Use the Edit button to access a text box where you can enter multiple values, each on a separate line. For more information, see Section 3.6.23, “Edit Button,”...
  • Page 112: Condition Extension

    You can then select to compare this value with an LDAP attribute, a Liberty User Profile attribute, a Data Entry Field, or another Data Extension. For more information, see the documentation that came with the extension...
  • Page 113: Using The Url Dredge Option

    In the URL to Dredge text box, enter the URL of a page on a Web server, then click Display URL List. A list of links and images appears. For example, if you enter www.novell.com/documentation/index.html for the URL to Dredge, links such as the following appear in the Links section of the URL Results list: www.novell.com/company/careers/index.html www.novell.com/company/strategy.html www.novell.com/documentation/novellaccessmanager/index.html...
  • Page 114 3 In the Administration Console, click Policies > Policies. 4 Click Import, then browse to and select the file. 5 Click OK. 6 When the policy appears in the list, click Apply Changes...
  • Page 115: Creating Identity Injection Policies

    Creating Identity Injection Policies Identity injection allows you to add information to the URL or to the HTML page before it is posted to the Web server. The Web server uses this information to determine whether the user should have access to the resource, so it is the Web server that determines the information that you need to inject to allow access to the resource.
  • Page 116: Using The Refresh Data Option

    If the value from the first request to the second request changes from no to yes, the user gets access to the resource. If the value from the first request to the second request changes from yes to no, the user is denied access to the resource...
  • Page 117: Configuring An Identity Injection Policy

    For example: If the attribute controls access to employee resources and an employee leaves, a quick change of this attribute value cuts the employee off from the resources that should be available to employees only. If the attribute controls access to a software download site and a user has just purchased a product, a quick change to this attribute value can grant access to the download site.
  • Page 118: Configuring An Authentication Header Policy

    6 Fill in the User Name field. Select Credential Profile to insert the name the user entered when the user authenticated. This is the most common value type to use for the username...
  • Page 119 Liberty User Profile: Injects the value of the selected attribute. If no profile attributes are available, you have not enabled their use in the Identity Server configuration. See “Managing Web Services and Profiles” in the Novell Access Manager 3.1 SP2 Identity Server Guide...
  • Page 120 DN of the user, depending upon who issued the certificate. X509 Public Certificate Issuer: Injects just the issuer from the certificate, which is the name of the certificate authority (CA) that issued the certificate. X509 Public Certificate: Injects the entire certificate...
  • Page 121 Usually, you can use either the LDAP Attribute or Liberty User Profile option to supply custom values, because both are extensible. For more information about creating a custom plug-in, see Novell Access Manager Developer Tools and Examples (http://developer.novell.com/wiki/index.php/Nacm).
  • Page 122: Configuring A Custom Header Policy

    Tag and Description: X-First_Name=givenName: A first name tag with an LDAP attribute value. X-Last_Name=sn: A last name tag with an LDAP attribute value. X-Role=sales_role: A role tag with the role name as the value...
  • Page 123 If you create a custom header policy with these name/value pairs, the policy injects these names with their values into a custom header, before sending the request to the Web server. To create such a policy: 1 In the Administration Console, click Policies > Policies. 2 Select the policy container, then click New.
  • Page 124 NDAP Partial Dot Notation: Specifies eDirectory typeless dot notation. jsmith.sales.novell NDAP Leading Partial Dot Notation: Specifies eDirectory typeless leading dot notation. .jsmith.sales.novell NDAP Fully Qualified Partial Dot Notation: Indicates eDirectory typed dot notation...
  • Page 125: Configuring A Custom Header With Tags

    NDAP Fully Qualified Leading Dot Notation: Indicates eDirectory typed leading dot notation. .cn=jsmith.ou=Sales.o=novell 8 (Optional) To add additional custom header actions, click New, then select Inject into Custom Header or use the Copy Action icon and modify the new entry.
  • Page 126 Refresh Data Option,” on page 116. String Constant: Injects a static value that you specify in the text box. This value is used by all users who access the resources assigned to this policy...
  • Page 127: Specifying A Query String For Injection

    Data Extension: (Conditional) If you have installed a data extension for Identity Injection policies, this option injects the value that the extension retrieves. For more information about creating a data extension, see Novell Access Manager Developer Tools and Examples (http://developer.novell.com/wiki/index.php/Nacm).
  • Page 128 Shared Secret: Injects a value that has been stored in the selected shared secret store. The name specified as the Tag Name must match the name of a name/value pair stored in the shared secret...
  • Page 129 Data Extension: (Conditional) If you have installed a data extension for Identity Injection policies, this option injects the value that the extension retrieves. For more information about creating a data extension, see Novell Access Manager Developer Tools and Examples (http://developer.novell.com/wiki/index.php/Nacm).
  • Page 130: Injecting Into The Cookie Header

    Proxy Session Cookie: Injects the session cookie for the user. Data Extension: Injects the value retrieved from the extension. For more information about creating a data extension, see Novell Access Manager Developer Tools and Examples (http://developer.novell.com/wiki/index.php/Nacm). 6 To save the policy, click OK twice, then click Apply Changes.
  • Page 131: Sample Identity Injection Policy

    To import a policy: 1 Make sure any referenced shared secret stores have been created. See Section 5.4, “Creating and Managing Shared Secrets,” on page 152. 2 If the policy uses LDAP or Liberty Profile attributes, make sure the Identity Server has been configured for these same attributes.
  • Page 132 13 Configure the Web server to use the IPAddress values in the custom header to distinguish between external and internal customers. In this sample scenario, the Web server is configured to recognize IP addresses starting with as internal customers and all other addresses as external customers...
  • Page 133: Creating Form Fill Policies

    Creating Form Fill Policies A Form Fill policy allows you to prepopulate fields in a form on first login and then save the information in the completed form to a secret store for subsequent logins. The user is prompted to reenter the information only when something changes, such as an expired password.
  • Page 134 <p align="center"><font size="5">Novell Services Login </font></p> <table align="center" border="0"> <tr align="left"> <td>Username:</td> <td><input type="text" name="username" size="30"></td> </tr> <tr align="left"> <td>Password:</td> <td><input type="password" name="password" size="30"> </td> </tr> <tr align="left"> <td>City of<br>Employment:</td> <td><input type="text" name="city" size="30"></td>...
  • Page 135 </tr> <tr align="left"> <td>Web server:</td> <td> <select name="webserv" size="1"> <option value="default" selected> --- Choose a server --- </option> <option value="Human Resources"> Human Resources </option> <option value="Development"> Development </option> <option value="Accounting"> Accounting </option> <option value="Sales"> Sales </option> </select> </td> </tr> <tr> <td colspan="2"...
  • Page 136: Creating A Form Fill Policy For The Sample Form

    You might want to specify the name of the HTML page that contains the form this policy is designed to fill. 5 In the Actions section, click New, then select Form Fill...
  • Page 137 6 In the Form Selection section, select Form Name and specify mylogin in the text box. The form name comes from the HTML page. See the following line in the source for the page: <form name="mylogin" action="validatepassword.php" method="post" id="mylogin"> 7 In the Fill Options section, specify all the input fields and select options. For each new field, click New.
  • Page 138 Insert Text in Header: Select this option so you can add a static value. In the Text to Insert box, specify the city value. city = Provo 9 To create a login failure policy, click New in the Actions section, then select Form Login Failure...
  • Page 139: Implementing Form Fill Policies

    10 In the Form Selection section, select Form Name and specify mylogin in the text box. The form name comes from the HTML page. 11 In the Login Failure Processing section, fill in the following field: Clear Shared Secret Data Values from Policy: Select this option to clear the data stored in the Shared Secret object when login fails.
  • Page 140 Use the following methods to match the page and the form: “Using the URL of the Protected Resource” on page 141 “Using CGI Matching Criteria” on page 141 “Using Page Matching Criteria” on page 141 “Using Form Name Criteria” on page 142...
  • Page 141 <TITLE> following string: <TITLE>Novell WebAccess</TITLE> You would add this string as the value in the text box for the Page Matching Criteria option. Remember that white space is significant when white space is entered to the left of the value in the text box.
  • Page 142 Including JavaScript in a Form Fill Policy The following figure illustrates a simple form. Figure 5-2 Form Login Page The source code for this simple form reveals that it includes JavaScript functions:...
  • Page 143 <html><head><title>Login Page</title></head><body> <h1 align="center">Login Page</h1> <script language="JavaScript"> function setCookie(){ document.cookie="myCookieName=myCookieValue"; } function validate(){ if(document.mylogin.title.ldap.length == 0){ alert("You must provide the title for the user!"); return false; } return true; } </script> <form name="jscript" action="viewInfo.php" method="post" onload="setCookie()"> <center> <table border="1" cellpadding="4" cellspacing="4"> <tbody><tr> <td>Username:</td> <td><input name="username"...
  • Page 144: Creating A Form Fill Policy

    Priority: Determines the order in which a rule is applied in the policy, when the policy has multiple rules. Form Fill does not use this field. 6 In the Actions section, click New and select Form Fill...
  • Page 145 “URLs Requiring Form Fill” in the Novell Access Manager 3.1 SP2 Installation Guide. 7 In the Form Selection section, specify how the Access Gateway can identify the form on the page. Select one or more of the following methods. Be specific and use as few of the methods as possible.
  • Page 146 LDAP Credentials: If you prompt the user for a username and password, select this option, then either LDAP User Name (the cn of the user) or LDAP User DN (the fully distinguished name of the user). Your Web server requirements determine which one you use...
  • Page 147 The default contracts assign the cn attribute to the Credential Profile. If your user store is an Active Directory server, the SAMAccountName attribute is used for the username and stored in the cn field of the LDAP Credential Profile. X509 Credentials: If you prompt the user for a certificate, select this option, then select one of the following options depending on your Web server requirements.
  • Page 148 For more information about creating a data extension, see Novell Access Manager Developer Tools and Examples (http://developer.novell.com/wiki/index.php/Nacm). Data Conversion: Specify whether the case of the value entered by the user should be converted.
  • Page 149: Creating A Login Failure Policy

    Section 5.3.3, “Creating a Login Failure Policy,” on page 149 “Assigning a Form Fill Policy to a Protected Resource” in the Novell Access Manager 3.1 SP2 Access Gateway Guide. 5.3.3 Creating a Login Failure Policy The Login Failure policy can be part of the same policy as the Form Fill policy, if both share the same URL.
  • Page 150: Troubleshooting A Form Fill Policy

    To enable Embedded Service Provider tracing, see Section 6.1, “Turning on Logging for Policy Evaluation,” on page 161. To enable Access Gateway log entries for Form Fill policies, see “Enabling Form Fill Logging” on page 176...
  • Page 151 Configure your rewriter policy so that it runs before the default rewriter policy. For more information about rewriter policies, see “Configuring HTML Rewriting” in the Novell Access Manager 3.1 SP2 Access Gateway Guide. The Option Element Does Not Contain a Value Attribute If an element does not contain a value attribute, Form Fill cannot fill the value.
  • Page 152: Creating And Managing Shared Secrets

    In the local configuration store In eDirectory® user stores that are running Novell SecretStore® In a user store that has been configured with a custom attribute for secrets For more information on configuring Access Manager to store secrets, see “Configuring a User...
  • Page 153: Naming Conventions For Shared Secrets

    If you are using Novell SecretStore, the secret names specified in your Access Manager policies need to match the names you have already configured.
  • Page 154: Modifying And Deleting A Shared Secret

    3 In the Administration Console, click Policies > Policies. 4 Click Import, then browse to the location of the file. 5 Click OK. 6 When the policy appears in the list, click Apply Changes...
  • Page 155: Configuring A Form Fill Policy For Forms With Scripts

    5.6 Configuring a Form Fill Policy for Forms With Scripts The Form Fill policy created for the Linux Access Gateway works well with forms that contain a Submit button whose action submits the form data to the Web server without executing any onclick JavaScript or VBScript.
  • Page 156 " VALUE="novell081" > <input type="button" name="0" id="X8" ButtonID="0" title="Login Page" value="Login" onclick="tpzDrillTable('', 'Login', '0','listdetail')" > <input type="button" name="3" id="X9" ButtonID="3" title="Exit Login Page" value="Cancel" onclick="tpzDrillTable('', 'Cancel', '3','listdetail')" > </form> <script language="JavaScript"> <!-- function LAGSubmitForm()...
  • Page 157: Understanding How A Form Is Submitted

    { document.forms[0].submit(); } LAGSubmitForm(); //--> </script> </body> </html> In the above code, the LAGSubmitForm() function calls the default submit action of the form, which uses a POST request to send the data to the Web server. But the action for the sample login submit form requires a JavaScript function to be executed.
  • Page 158: Creating A Form Fill Policy For Autosubmission

    7 In the Fill Options section, specify all the input fields and select the options that you want. 8 In the Submit Options section, select Auto submit. 9 Select Enable JavaScript Handling...
  • Page 159: Creating Touch Files For Autosubmission

    10 Select Functions to Keep, then specify the JavaScript functions that need to be retained when the form is being automatically submitted. For the example form, specify the following functions: function dvdRegisterSelect() function enableAll() function verify(f, bSubmitToSelf) function printThisView() function tpzDrillTable(a,b,c,d)() 11 Click OK.
  • Page 160 2 Specify the following command to create the .enableInPlaceSilentFill file: touch /var/novell/.enableInPlaceSilentFill 3 Specify the following command to create the .enableInPlaceSilentFillNew file: touch /var/novell/.enableInPlaceSilentFillNew 4 Specify the following command to restart the Linux Access Gateway: /etc/init.d/novell-vmc stop /etc/init.d/novell-vmc start...
  • Page 161: Troubleshooting Access Manager Policies

    “Access Gateway Appliance Logs” and “Access Gateway Service Logs” in the Novell Access Manager 3.1 SP2 Access Gateway Guide “Enabling Form Fill Logging” on page 176 Logging for the policy evaluation done by Embedded Service Providers is controlled by the log settings of the Identity Server configuration.
  • Page 162: Understanding Policy Evaluation Traces

    Application level to config. 6.2 Understanding Policy Evaluation Traces Section 6.2.1, “Format,” on page 163 Section 6.2.2, “Policy Result Values,” on page 169 Section 6.2.3, “Role Assignment Traces,” on page 170...
  • Page 163: Format

    (For information about correlation tags, see “Understanding the Correlation Tags in the Log Files” in the Novell Access Manager 3.1 SP2 Administration Console Guide.) The following log entry is a trace of an evaluation of a Role policy: <amLogEntry> 2009-06-07T21:40:25Z INFO NIDS Application: AM#500199050: AMDEVICEID#9921459858EAAC29: AMAUTHID#503EFFA4BC21ACA307796EC7D96E5532: IDP RolesPep.evaluate(), policy trace:...
  • Page 164 169. In the sample RL trace, this is Success(67), indicating success. Rule Evaluation Result An RU trace has the following fields: ~<RuleID>~<ParentPolicyName>~<ConditionSetJoinType>~~<ConditionSetCount: ActionCount>~~<Result> An RU trace looks similar to the following:...
  • Page 165 ~~RU~RuleID_1181251958207~Manager~DNF~~1:1~~Success(67) Table 6-2 describes the fields of a Rule Evaluation Result trace. Table 6-2 Fields in a Rule Evaluation Result Trace: Element, Description. <RuleID>: The identifier assigned to the rule. In this sample RU trace, this element is set to RuleID_1181251958207. <ParentPolicyName>:...
  • Page 166 Table 6-4 Fields in a Condition Trace: Element, Description. <ConditionID>: The identifier assigned to the conditions in the condition group. The first condition is assigned 1. In the sample CO trace, this is 1...
  • Page 167 <LHSOperand>: The enumerative value and parameter list of the left operand. It is the first value specified for the comparison and has the following format: <Condition Name(Data ID)>: <Parameter> : <Value> The Condition Name is the string assigned to the condition type specified in the policy.
  • Page 168 Policy Action Completion trace. Table 6-6 Fields in a Policy Action Completion Trace: Element, Description. <ActionID>: The ID assigned to the action. In the sample PC trace, this is ActionID_1181252224665...
  • Page 169: Policy Result Values

    <ActionName>: The fully distinguished name of the action. In the sample PC trace, the action has the following parts in its name: Document=(ou=xpemlPEP,ou=mastercdn,ou=ContentPublisherContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell:romaContentCollectionXMLDoc) Policy=(Manager) Rule=(1::RuleID_1181251958207) Action=(AddRole::ActionID_1181252224665) <ActionParameters>: A list of the action parameters passed to the action handler.
  • Page 170: Role Assignment Traces

    1. The RL trace indicates that the policy has one rule and that the policy evaluated without error. 2. The RU trace indicates that the rule (RuleID_1181251958207) has one condition and one action and that the rule evaluated without error...
  • Page 171 Access Gateway that is processing the request. Such a trace looks similar to the following: <amLogEntry> 2009-07-13T22:13:29Z INFO NIDS Application: AM#501102050: AMDEVICEID#esp-51A474B83BFDDF4F: AMAUTHID#4538DB6F6E2A237FDE674F0C6E16DCEC: PolicyID#N748097P-3507-3KP7-4241-410PN4152094: NXPESID#1718: AGAuthorization Policy Trace: ~~RL~1~~~~Rule Count: 1~~Success(0) ~~RU~RuleID_1182876316974~Allow_Sales~DNF~~1:1~~Success(0) ~~CS~1~~ANDs~NOT~1~~True(69) ~~CO~1~CurrentRoles(6660):no-param:authenticated~com.novell.nxpe.condition.NxpeOperator@string-substring~SelectedRole(6661):hidden-param:hidden-value:~~~False(68) ~~PA~1~~Deny Access Messasge~Sorry, you must work in sales today.~~~Success(0) ~~PC~1~~Document=(ou=xpemlPEP,ou=mastercdn,ou=ContentPublisherContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell:romaContentCollectionXMLDoc),Policy=(Allow_Sales),Rule=(1::RuleID_1182876316974),Action=(Deny::1)~~~~Success(0) </amLogEntry>...
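    The trace lines above are what an operator actually has to read when a policy denies or permits unexpectedly. The following parser is an added example and not code from the guide or from Novell: it uses the RU field layout documented on page 164 (~<RuleID>~<ParentPolicyName>~<ConditionSetJoinType>~~<ConditionSetCount:ActionCount>~~<Result>) and the operand format from page 167 (<Condition Name(Data ID)>:<Parameter>:<Value>); the field positions it assumes for the CS, CO and PA lines are inferred from the sample traces only and are an assumption. The sample input is the page 171 trace with the PDF line wraps removed.

```python
"""Parser for Access Manager policy evaluation trace lines (added example, not from the guide).

Documented on the page: the RU layout and the <Name(DataID)>:<Param>:<Value> operand format.
ASSUMPTION: the CS, CO and PA field positions used below are inferred from the sample
traces on the page; they are not documented there.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# AGAuthorization trace lines as shown on page 171, PDF line wraps removed.
SAMPLE_TRACE = """\
~~RL~1~~~~Rule Count: 1~~Success(0)
~~RU~RuleID_1182876316974~Allow_Sales~DNF~~1:1~~Success(0)
~~CS~1~~ANDs~NOT~1~~True(69)
~~CO~1~CurrentRoles(6660):no-param:authenticated~com.novell.nxpe.condition.NxpeOperator@string-substring~SelectedRole(6661):hidden-param:hidden-value:~~~False(68)
~~PA~1~~Deny Access Messasge~Sorry, you must work in sales today.~~~Success(0)
"""

RESULT_RE = re.compile(r"^([A-Za-z]+)\((\d+)\)$")            # Success(0), True(69), False(68)
OPERAND_RE = re.compile(r"^([^(]+)\((\d+)\):([^:]*):(.*)$")  # Name(DataID):Param:Value


@dataclass
class Operand:
    name: str      # condition type, e.g. CurrentRoles
    data_id: int   # numeric data ID in parentheses
    param: str
    value: str


@dataclass
class TraceLine:
    kind: str          # RL, RU, CS, CO, PA or PC
    fields: List[str]  # raw '~'-separated fields between the kind and the result
    result: str        # Success, True or False
    code: int          # number in parentheses after the result


@dataclass
class RuleSummary:
    rule_id: str
    policy: str
    join_type: str
    condition_sets: int
    actions: int
    result: str
    conditions: List[dict]
    action_name: Optional[str]


def parse_result(token: str):
    m = RESULT_RE.match(token.strip())
    if not m:
        raise ValueError(f"not a result token: {token!r}")
    return m.group(1), int(m.group(2))


def parse_trace_line(line: str) -> TraceLine:
    line = line.strip()
    if not line.startswith("~~"):
        raise ValueError(f"not a trace line: {line!r}")
    parts = line[2:].split("~")
    result, code = parse_result(parts[-1])
    return TraceLine(kind=parts[0], fields=parts[1:-1], result=result, code=code)


def parse_operand(token: str) -> Operand:
    m = OPERAND_RE.match(token)
    if not m:
        raise ValueError(f"not an operand: {token!r}")
    return Operand(m.group(1), int(m.group(2)), m.group(3), m.group(4).rstrip(":"))


def summarize_trace(text: str) -> RuleSummary:
    lines = [parse_trace_line(ln) for ln in text.splitlines() if ln.strip()]
    ru = next(ln for ln in lines if ln.kind == "RU")
    sets, acts = ru.fields[4].split(":")  # documented <ConditionSetCount:ActionCount>
    conditions = []
    for ln in lines:
        if ln.kind == "CO":
            # ASSUMPTION (from the sample): <ConditionID>~<LHS>~<operator class>~<RHS>
            conditions.append({
                "id": int(ln.fields[0]),
                "lhs": parse_operand(ln.fields[1]),
                "operator": ln.fields[2].rsplit("@", 1)[-1],  # e.g. string-substring
                "rhs": parse_operand(ln.fields[3]),
                "result": ln.result,
            })
    pa = next((ln for ln in lines if ln.kind == "PA"), None)
    # ASSUMPTION (from the sample): the PA line carries the action name in its third field
    action_name = pa.fields[2] if pa else None
    return RuleSummary(ru.fields[0], ru.fields[1], ru.fields[2], int(sets), int(acts),
                       ru.result, conditions, action_name)


def failed_conditions(summary: RuleSummary) -> List[int]:
    """IDs of conditions that evaluated False: the first thing to check when a rule fires unexpectedly."""
    return [c["id"] for c in summary.conditions if c["result"] == "False"]


if __name__ == "__main__":
    s = summarize_trace(SAMPLE_TRACE)
    print(s.policy, s.rule_id, s.result, failed_conditions(s), s.action_name)
```

    For the page 171 trace the summary shows policy Allow_Sales, rule RuleID_1182876316974, condition 1 evaluated False (the string-substring comparison of CurrentRoles against SelectedRole), and the Deny action that followed, which is the same reading the guide walks through by hand.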
  • Page 172: Identity Injection Traces

    Each identity injection policy generates two log entries. The first entry indicates whether the policy could successfully retrieve the information and inject it into the header. The second entry specifies whether the response is successfully sent to the Web server...
  • Page 173 Header~password~pwd(1):CredentialProfile(7010:):NEPXurn~3Anovell~3Acredentialprofile~3A2005-03~2Fcp~3ASecrets~2Fcp~3ASecret~2Fcp~3AEntry~40~40~40~40WSCQSSToken~40~40~40~40~2Fcp~3ASecrets~2Fcp~3ASecret~5Bcp~3AName~3D~22LDAPCredentials~22~5D~2Fcp~3AEntry~5Bcp~3AName~3D~22UserPassword~22~5D:~Ok~Success(0) ~~PC~ActionID_1181251427701~~Document=(ou=xpemlPEP,ou=mastercdn,ou=ContentPublisherContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell:romaContentCollectionXMLDoc),Policy=(basic_auth_ii),Rule=(1::RuleID_1181251426062),Action=(InjectAuthHeader::ActionID_1181251427701)~~~~Success(0) </amLogEntry> <amLogEntry> 2009-06-11T20:16:51Z INFO NIDS Application: AM#501101021: AMDEVICEID#esp-534FD0D0E32FE4BD: PolicyID#OL8659PL-0K69-0N0N-0845-5PN113KM3842: NXPESID#2539: Response sent: Status - success </amLogEntry> These entries look very similar to the entries for a successful injection of data. This is because injecting NULL data for data that is not available is considered a successful action.
  • Page 174: Authorization Traces

    ~~RL~1~~~~Rule Count: 2~~Success(0) ~~RU~RuleID_1186068489688~Title_auth~DNF~~1:1~~Success(0) ~~CS~1~~ANDs~~1~~True(69) ~~CO~1~LdapAttribute(6647):NEPXurn~3Anovell~3Aldap~3A2006-02~2Fldap~3AUserAttribute~40~40~40~40WSCQLDAPToken~40~40~40~40~2FUserAttribute~5B~40ldap~3AtargetAttribute~3D~22title~22~5D:hidden-value:~com.novell.nxpe.condition.NxpeOperator@string-equals~(0):hidden-param:hidden-value:~~~True(69) ~~PA~1~~Permit Access~~~~Success(0) ~~PC~1~~Document=(ou=xpemlPEP,ou=mastercdn,ou=ContentPublisherContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell:romaContentCollectionXMLDoc),Policy=(Title_auth),Rule=(1::RuleID_1186068489688),Action=(Permit::1)~~~~Success(0) </amLogEntry> <amLogEntry> 2009-08-02T15:55:06Z INFO NIDS Application: AM#501101021: AMDEVICEID#esp-2FA73CE1A376FD91: AMAUTHID#838976482579AF372C31C47274E9CB28: PolicyID#459O8443-N8P5-KO21-68OM-K172P107N4O5: NXPESID#1743: Response sent: Status - success </amLogEntry>...
  • Page 175 L58L08MN4N5M: NXPESID#4515: Evaluating policy </amLogEntry> <amLogEntry> 2009-08-03T16:30:48Z INFO NIDS Application: AM#501102050: AMDEVICEID#esp-2FA73CE1A376FD91: PolicyID#216660PM-429P-O660-N25N-L58L08MN4N5M: NXPESID#4515: AGAuthorization Policy Trace: ~~RL~1~~~~Rule Count: 2~~Success(0) ~~RU~RuleID_1186082720202~time_of_day~DNF~~1:1~~Success(0) ~~CS~1~~ANDs~~1~~True(69) ~~CO~0~TimeOfDay(1005):::Fri Aug 03 10:30:48 MDT 2007(9:30):~com.novell.nxpe.condition.NxpeOperator@time-in-range~(0)::::~~~True(69) ~~PA~1~~Permit Access~~~~Success(0) ~~PC~1~~Document=(ou=xpemlPEP,ou=mastercdn,ou=ContentPublisherContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell:romaContentCollectionXMLDoc),Policy=(time_of_day),Rule=(1::RuleID_1186082720202),Action=(Permit::1)~~~~Success(0) </amLogEntry> <amLogEntry> 2009-08-03T16:30:48Z INFO NIDS Application: AM#501101021: AMDEVICEID#esp-2FA73CE1A376FD91: PolicyID#216660PM-429P-O660-N25N-L58L08MN4N5M: NXPESID#4515: Response sent: Status - success </amLogEntry>...
  • Page 176: Form Fill Traces

    Form Fill entries. For the filter, enable the Form Fill Processing events in the Advanced Log Level Options section. Sample Form and Policy Used for the Trace Figure 6-2 illustrates the simple form that was used for the trace...
  • Page 177 <form name="mylogin" action="double.php" method="post" id="mylogin"> <center> <table border="0" cellpadding="4" cellspacing="4" width="570"> <tr> <td width="121" height="285" align="left" valign="top"> </td> <td width="449" height="285" align="center" valign="top"> <p align="center"> <font size="5">Novell Services Login<br></font> </p> <table border="0" width="86%"> <tr> <td width="25%">Username:</td> <td width="75%"> <input type="TEXT" name="username"> </td>...
  • Page 178 Because the URL path /identity/forms/simple.html identifies a specific file on the Web server, the policy does not require any CGI or page matching criteria. Figure 6-3 The Form Fill Policy for the mylogin Form...
  • Page 179 ~~RL~1~~~~Rule Count: 1~~Success(67) ~~RU~RuleID_1189711482510~simpleform~DNF~~0:1~~Success(67) ~~PA~ActionID_1189711485006~~Added Form Selection Group~~~~Success ~~PA~ActionID_1189711485006~~Added Fill Options Group~~~~Success(0) ~~PA~ActionID_1189711485006~~Added Submit Options Group~~~~Success ~~PC~ActionID_1189711485006~~Document=(ou=xpemlPEP,ou=mastercdn,ou=ContentPublisherContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell:romaContentCollectionXMLDoc),Policy=(simpleform),Rule=(1::RuleID_1189711482510),Action=(FormFill::ActionID_1189711485006)~~~~Success(0) </amLogEntry> 3. <amLogEntry> 2009-09-14T00:15:52Z INFO NIDS Application: AM#501101021: AMDEVICEID#esp-917A1174C8A270FC: PolicyID#06OO287L-06LO-KKP4-207M-6971PPM6147L: NXPESID#2663: Response sent: Status - success </amLogEntry> 1. The first log entry is the request to evaluate the policy. If this entry doesn’t occur, make sure that the Form Fill policy is enabled for the protected resource.
  • Page 180
    Sep 19 09:04:50 jwilson : AM#504507000: AMDEVICEID#ag-: AMAUTHID#0: AMEVENTID#0: InsertText: ()
    Sep 19 09:04:50 jwilson : AM#504507000: AMDEVICEID#ag-: AMAUTHID#0: AMEVENTID#0: JavaScriptHandling:
    Sep 19 09:04:50 jwilson : AM#504507000: AMDEVICEID#ag-: AMAUTHID#0: AMEVENTID#0: Not configured.
  • Page 181: Common Configuration Problems That Prevent A Policy From Being Applied As Expected

    For more information, see “Configuring Logging of SOAP Messages and HTTP Headers” in the Novell Access Manager 3.1 SP2 Access Gateway Guide. 6.3 Common Configuration Problems That Prevent a Policy from Being Applied as Expected When you try to determine what is functioning incorrectly in a policy, you need to turn on policy tracing and understand the evaluation traces.
  • Page 182: Ldap Attribute Condition

    If the attribute is multi-valued and your users typically have multiple values, select Substring as the Comparison type. 6 If these steps have not solved the problem, see Section 6.3.3, “Result on Condition Error Value,” on page 183.
  • Page 183: Result On Condition Error Value

    524 and 636 must be open to allow for the creation of the required objects. For more information about ports and firewalls, see “Setting Up Firewalls” in the Novell Access Manager 3.1 SP2 Setup Guide.
  • Page 184: The Policy Is Using Old User Data

    Roles for Current User: User session
    Roles from Identity Provider: User session
    Shared Secret: User session; configurable to be cached only for the request with the Force Data Read option.
    String Constant: User session
    Request ...
  • Page 185: Form Fill And Identity Injection Silently Fail

    (LDAP servers) and ensure that they are communicating. 6.8 Policy Creation and Storage For troubleshooting, you can export the policy and send it to Novell for debugging. If the policy uses roles, make sure you also export the Role policies.
  • Page 186: Policy Distribution

    Set the level of Application logging to info and examine the policy trace from a user accessing the protected resource. See Section 6.2, “Understanding Policy Evaluation Traces,” on page 162.
  • Page 187: Policy Evaluation: Access Gateway Devices

    6.10 Policy Evaluation: Access Gateway Devices The following diagram depicts how Authorization policies fit into the protected resource processing for the proxy. Figure 6-4 Policy Evaluation (flowchart; decision nodes: Request Received; Protected Resource Defined?; Authentication Enabled?; Authentication Returns Success?; Authorization Policy?; Authorization Returns Success?; outcomes: Continue Processing, Deny Request)...
  • Page 188: Successful Policy Configuration Example

    6.10.2 No Policy Defined Configuration Example The following is a sample of a configuration request where the policy code detects that no policies are in effect for the protected resource and Policy Enforcement Point (PEP).
  • Page 189: Deny Access Configuration/Evaluation Example

    Configuration Request
    toBufSeg:
    <?xml version="1.0" encoding="UTF-8"?>
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
      <SOAP-ENV:Body>
        <NXPES ID="11">
          <Configure-ag PEPName="AGAuthorization">
            <PolicyEnforcementList RuleCombiningAlgorithm="DenyOverridesWithPriority" schemaVersion="1.32" LastModified="1138389868885" LastModifiedBy="cn=admin,o=novell">
              <PolicyRef ElementRefType="ExternalWithIDRef" ExternalElementRef="PolicyID_xpemlPEP_AGIdentityInjection_ii_test" ExternalDocRef="ou=xpemlPEP,ou=mastercdn,ou=ContentPublisherContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell:romaContentCollectionXMLDoc" UserInterfaceID="PolicyID_xpemlPEP_AGIdentityInjection_ii_test"/>
            </PolicyEnforcementList>
          </Configure-ag>
        </NXPES>
      </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>
  • Page 190
    Configuration Response
    LibertyProcessMsgCB:
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
      <SOAP-ENV:Body>
        <NXPES Id="" Status="success">
          <ConfigureResponse PolicyId="55N3NL81-L29N-2619-K0M8-2L963M0MM701"/>
        </NXPES>
      </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>

    Evaluation Request
    toBufSeg:
    <?xml version="1.0" encoding="UTF-8"?>
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
      <SOAP-ENV:Body>
        <NXPES ID="18">
          <Evaluate PolicyId="55N3NL81-L29N-2619-K0M8-2L963M0MM701" Verbose="on"/>
        </NXPES>
      </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>
  • Page 191
    Evaluation Response
    LibertyProcessMsgCB:
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
      <SOAP-ENV:Body>
        <NXPES Id="" Status="success">
          <EvaluateResponse>
            <DoAction ActionName="Deny" ActionTTL="-1" Enum="2620">
              <Parameter Enum="10" Name="Message" Value=""/>
            </DoAction>
          </EvaluateResponse>
        </NXPES>
      </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>