
Novell ACCESS MANAGER 3.1 SP2 BETA 1 - SCENARIOS 2009 Manual


Access Manager 3.1 SP2 Beta 1
Scenarios
December 21, 2009
The following scenarios have been designed to introduce you to the new features in Access Manager 3.1 SP2.
Section 1, "Linux Access Gateway Appliance Scenarios," on page 1
Section 2, "Timeout Per Protected Resource Scenarios," on page 5
Section 3, "Access Gateway Service Scenarios," on page 10
Section 4, "SSL VPN Server Scenarios," on page 11
1 Linux Access Gateway Appliance Scenarios
Section 1.1, "Installing the SLES 11 Version," on page 1
Section 1.2, "Upgrading the Linux Access Gateway Appliance," on page 2
Section 1.3, "Migrating a SLES 9 Access Gateway to SLES 11," on page 3
Section 1.4, "Configuring Timeout Per Protected Resource," on page 5
1.1 Installing the SLES 11 Version
This beta scenario introduces you to the new Access Gateway Appliance, which is built on SUSE Linux Enterprise Server 11 (SLES 11). The SLES 11 version of the Access Gateway Appliance supports newer hardware, and SLES 11 is a supported operating system that receives security updates.

The previous version of the Access Gateway Appliance is built on SLES 9 SP3. SLES 9 is no longer a supported operating system and does not run on the latest hardware.
1.1.1 Assumptions
You need an installed 3.1 SP2 version of the Administration Console and Identity Server. For installation information, see the Access Manager Installation Guide (http://www.novell.com/documentation/beta/novellaccessmanager31/installation/data/bookinfo.html).
1.1.2 Known Issues
Bug 554518 - Network mode of installation through TFTP is not supported.
Bug 560278 - Installation: There is no provision to return to the configuration screen to make changes.
Bug 559398 - The network gateway address is removed when the network interface is restarted.
Bug 558698 - The Linux Access Gateway SLES 11 appliance installation summary screen does not display SSL VPN, even if the Install and Enable SSL VPN option is selected. Also, the installation does not perform a password strength check.


Summary of Contents for Novell ACCESS MANAGER 3.1 SP2 BETA 1 - SCENARIOS 2009

  • Page 1 1.1.1 Assumptions You need an installed 3.1 SP2 version of the Administration Console and Identity Server. For installation information, see the Access Manager Installation Guide (http://www.novell.com/documentation/beta/novellaccessmanager31/installation/data/bookinfo.html). 1.1.2 Known Issues Bug 554518 - Network mode of installation through TFTP is not supported...
  • Page 2 Web server IP address to the loopback IP address, 127.0.0.1. For more information, see Section 2.2.7: Configuration Changes to the SSL VPN Server Installed with the Linux Access Gateway in the SSL VPN Server Guide (http://www.novell.com/documentation/beta/novellaccessmanager31/sslvpnhelp/?page=/documentation/beta/novellaccessmanager31/sslvpnhelp/data/bmmi1it.html). The session timeout for Identity Server is 15 minutes in 3.0 SP4 and this is reflected in the...
  • Page 3 1.2.3 Procedure 1 Upgrade the Administration Console and Identity Server to 3.1 SP2. For more information, see Upgrading Access Manager Components (http://www.novell.com/documentation/novellaccessmanager31/installation/?page=/documentation/novellaccessmanager31/installation/data/bookinfo.html) in the Installation Guide. For upgrade information, see Upgrading from Access Manager 3.0 SP4 to Access Manager 3.1 SP2 (http://www.novell.com/documentation/beta/novellaccessmanager31/installation/data/...
  • Page 4: Known Issues

    None. 1.3.3 Procedure 1 Upgrade the 3.1 SP1 Access Gateway Appliance to 3.1 SP2. For installation instructions, see “Upgrading the Linux Access Gateway Appliance” (http://www.novell.com/documentation/beta/novellaccessmanager31/installation/data/bbycmhz.html). 2 Back up the SLES 9 Access Gateway configuration. The backup script allows you to restore touch files and customized error page configurations.
  • Page 5 Auto partition log file: /var/adm/autoinstall/logs/diskParitition.sh.log JCC configure logs: /opt/novell/devman/jcc/logs/configure.log.0 1.4 Configuring Timeout Per Protected Resource This scenario explains how to restrict session availability based on user activity. It explains how to configure the Timeout Per Protected Resource feature. In previous versions of Access Manager, there is one global session timeout for all the protected resources.
  • Page 6 Appliance or an Access Gateway Service. The base URL of the Identity Server is secure (it uses SSL/HTTPS). You understand authentication methods and authentication contracts. You have read “Assigning a Timeout Per Protected Resource” (http://www.novell.com/documentation/beta/novellaccessmanager31/accessgatehelp/data/prlist.html#bmn94qo). 2.1.2 Known Issues None. 2.1.3 Procedure...
  • Page 7 4e Click Next. 4f Modify the Text and Image to fit your needs. 4g Click Finish. 5 Update the Identity Server. 6 Make sure the Access Gateway has two protected resources (PR1 and PR2). Create them if necessary. 7 Assign authentication contract C1 to protected resource PR1. 8 Assign authentication contract C2 to protected resource PR2.
  • Page 8 Appliance or an Access Gateway Service. The base URL of the Identity Server is secure (it uses SSL/HTTPS). You understand authentication methods and authentication contracts. You have read “Assigning a Timeout Per Protected Resource” (http://www.novell.com/documentation/beta/novellaccessmanager31/accessgatehelp/data/prlist.html#bmn94qo). 2.2.2 Known Issues None.
  • Page 9 2f Modify the Text and Image to fit your needs. 2g Click Finish. 3 Create a new authentication method (M2): 3a Select Secure Name/Password – Form for the class. 3b Select the Identifies User option. 3c Select a user store. 4 Create a new authentication contract (C2): 4a Make sure the URI is unique.
  • Page 10 3.1.2 Known Issues None. 3.1.3 Procedure For installation instructions, see “Installing the Access Gateway Service” (http://www.novell.com/documentation/beta/novellaccessmanager31/installation/data/bitxc3y.html). 3.1.4 Test Results To verify the installation of the Access Gateway Service: 1 Log in to the Administration Console. 2 Click Devices > Access Gateways.
  • Page 11 “Digital Airlines Example” (http://www.novell.com/documentation/beta/novellaccessmanager31/basicconfig/data/bayxa4y.html). 3.2.4 Troubleshooting Tips “Troubleshooting the Access Gateway Service” (http://www.novell.com/documentation/beta/novellaccessmanager31/accessgatehelp/data/bjxln4j.html). 4 SSL VPN Server Scenarios Section 4.1, “Importing and Exporting Client Integrity Check Policies,” on page 12 Section 4.2, “Configuring Client Cleanup Options,” on page 13 Section 4.3, “Configuring for HMAC (Hash-Based Message Authentication Code),”...
  • Page 12 4.1 Importing and Exporting Client Integrity Check Policies Access Manager 3.1 SP2 provides the option to back up and restore the Client Integrity Check policies through the Import and Export feature. 4.1.1 Assumptions The most basic way to test the feature is to export the existing Client Integrity Check policies, delete them, then import an exported Client Integrity Check policy file.
  • Page 13: Configuring Client Cleanup Options

    11 Click Import, browse to the file, then click OK. 12 Verify that all the policies, including the default policy and the policies you created, have been imported with the correct application definition. 4.1.4 Test Results The exported Client Integrity Check policies should be imported with the correct application definitions and enabled/disabled status.
  • Page 14 3 In the Client Cleanup Options section, configure default values and configure whether the user can modify the default. By default, the Java Cache Cleanup and Clear Browser Private Data options are enabled and the Allow User to Override option is enabled for all options. For this beta scenario, allow the user to override the default setting for some of the options.
  • Page 15 The second client connection should be successful. 4.3.5 Troubleshooting Tips At the server: Check the /etc/opt/novell/sslvpn/config.xml file to verify that the following lines are in the file: <EnableHMACKeyForTLS>true</EnableHMACKeyForTLS> <HMACKeyForTLS LastModified="<time stamp>"><HMAC key></HMACKeyForTLS> Check that the file holds the same HMAC key as in the /opt/novell/sslvpn/hmac.key...
  • Page 16 “Configuring Traffic Policies” (http://www.novell.com/documentation/beta/novellaccessmanager31/sslvpnhelp/data/trafficpolicy.html) in the SSL VPN Server Guide (http://www.novell.com/documentation/beta/novellaccessmanager31/sslvpnhelp/data/bmr43tr.html). 4.4.2 Known Issues For this beta release, there is no limit on the number of destination address entries for a single rule. After this beta, a limit will be introduced.
  • Page 17 4.5.1 Assumptions You have an understanding of how to configure the SSL VPN server by using the Administration Console. You have access to the SSL VPN Server Guide (http://www.novell.com/documentation/beta/novellaccessmanager31/sslvpnhelp/data/bmr43tr.html). You have access to the SSL VPN User Guide (http://www.novell.com/documentation/beta/novellaccessmanager31/sslvpnclienthelp/data/bookinfo.html).
  • Page 18 4.5.5 Procedure for Using the SSL VPN Server on a New Operating System 1 Install the SSL VPN server on a SLES 11, 64-bit or 32-bit operating system. For instructions, see the SSL VPN Server Guide (http://www.novell.com/documentation/beta/novellaccessmanager31/sslvpn_serverguide/data/). 2 Log in to the Administration Console.
  • Page 19 If the client connection fails, check the logs. Check the browser agent logs and the respective components for more details on the error. If the server is not responding, check the server logs in the following locations: /var/opt/novell/tomcat5/logs/catalina.out /var/log/messages /var/log/novell-openvpn.log /var/log/stunnel.log...
  • Page 20 4.7.1 Assumptions Supported only on the ESP-enabled SSL VPN server. You have installed the 3.1 SP2 version of the Administration Console. For installation information, see the Access Manager Installation Guide (http://www.novell.com/documentation/beta/novellaccessmanager31/installation/data/bookinfo.html). Access Manager 3.1 SP2 Beta 1 Scenarios...
  • Page 21: Documentation Conventions

    In this documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path. A trademark symbol (®, etc.) denotes a Novell trademark; an asterisk (*) denotes a third-party trademark. Access Manager 3.1 SP2 Beta 1 Scenarios...
  • Page 22: Legal Notices

    Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
