Novell ACCESS MANAGER 3.1 SP2 - J2EE AGENT GUIDE 2010 Manual


AUTHORIZED DOCUMENTATION
J2EE Agent Guide
Novell
Access Manager
3.1 SP 2
June 11, 2010
www.novell.com
Novell Access Manager 3.1 SP2 J2EE Agent Guide


Summary of Contents for Novell ACCESS MANAGER 3.1 SP2 - J2EE AGENT GUIDE 2010

  • Page 1 AUTHORIZED DOCUMENTATION J2EE Agent Guide Novell Access Manager 3.1 SP 2 June 11, 2010 www.novell.com Novell Access Manager 3.1 SP2 J2EE Agent Guide...
  • Page 2 Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
  • Page 3 Novell Trademarks For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/ trademarks/tmlist.html). Third-Party Materials All third-party trademarks are the property of their respective owners.
  • Page 5: Table Of Contents

    Contents: About This Guide; 1 Installing the J2EE Agents; Overview of the J2EE Agents 11; Overview of the Sample Payroll Application
  • Page 6 Managing Cluster Alerts 115
  • Page 7 Viewing Statistics 115; Viewing Cluster Statistics
  • Page 9: About This Guide

    Please use the User Comments feature at the bottom of each page of the online documentation, or go to Documentation Feedback (http://www.novell.com/documentation/ feedback.html) at www.novell.com/documentation/feedback.html and enter your comments there. Documentation Updates For the most recent version of the Access Manager J2EE Agent Guide, visit the Novell Access Manager Documentation Web site (http://www.novell.com/documentation/novellaccessmanager31).
  • Page 10 Guide, which provide information about setting up the Access Manager system. Documentation Conventions In Novell documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.
  • Page 11: Installing The J2Ee Agents

    Installing the J2EE Agents The J2EE Agents allow you to use roles and other types of policies to restrict access to specific application modules and Enterprise JavaBeans. These agents leverage the Java Authentication and Authorization Service (JAAS) and Java Authorization Contract for Containers (JACC) standards for Access Manager-controlled authentication and authorization to Java Web applications and Enterprise JavaBeans.
  • Page 12: Overview Of The Sample Payroll Application

    Enterprise Server (SLES) installation media. To download and install JBoss version 4.2.3, see JBoss Application Server Downloads (http://labs.jboss.com/portal/jbossas/download). Supported on Solaris. WebLogic 10.0 is not supported on Solaris.
  • Page 13: Installing The J2Ee Agents On Jboss

    Windows Server* 2003. AIX: AIX 5.3. Solaris: Solaris 10 on SPARC*, X86, 32-bit, and 64-bit platforms. NOTE: There is no support for Novell Audit on Solaris for this release. Java: JRE 1.5. NOTE: The JBoss Agent has not been tested with the IBM* JRE.
  • Page 14: Prerequisites

    1.5.2 Installing and Configuring the JBoss Web Deployer Service The Novell J2EE Agents depend on the JBoss Web deployer service in order to use a custom JBoss configuration. The JBoss Web deployer service must be already installed before you proceed with the installation of the Novell J2EE Agents.
  • Page 15: Installing Jboss By Using The Installer

    1.5.3 Installing JBoss by Using the Installer 1 If JBoss is running, stop JBoss. 2 Download and execute the agent installer. The license agreement page is displayed. For software download instructions, see the Novell Access Manager Readme.
  • Page 16 3 Review the License Agreement, accept it, then click Next. The installation selection page is displayed. 4 Select a directory to install the Novell J2EE agent components, then click Next. The Choose a Java Virtual Machine page is displayed.
  • Page 17 5 Select a Java Virtual Machine (JVM*) to be used by the installed application. A default JVM is displayed. If you do not select a JVM here, the installer uses the java.home property value of the Java runtime that is used to run the installer to proceed with the installation. 6 (Optional) If you want to select another JVM, click Choose Another and browse to select the JVM of your choice.
  • Page 18 9 Click Next. 10 (Conditional) If you do not have the audit server installed, the J2EE installer installs the Audit server for you. Specify the IP address of the Novell Access Manager Administration Console as the Audit Server IP.
  • Page 19 11 (Conditional) If you have the Audit server installed, follow the prompts to continue using the existing Audit server or to replace it: 11a (Conditional) To continue using the same server, click Yes to display the Audit Server Setting page. 11b Select Use following Audit Server, then continue with Step 13.
  • Page 20 12 Click Next. The Select Application Server page is displayed. 13 Click OK on the Alert when the following prompt is displayed. 14 Select JBoss, then click Next. The JBoss Application Server Settings page is displayed.
  • Page 21: Installing The Jboss Agent Through The Console

    Replace <filename> with the name of the J2EE agent installer. 3 Review the License Agreement, then press to accept it. 4 Specify an absolute path to install the Novell J2EE agent components, or press Enter to continue with the default installation path.
  • Page 22: Installing The J2Ee Agent On Websphere

    Novell Access Manager administration console is reachable. 7 (Conditional) If you do not have the Audit server installed, J2EE installer installs the Audit server for you. Specify the IP address of the Novell Access Manager Administration Console as the Audit Server IP, then press Enter.
  • Page 23: Prerequisites

    Agents into the administration console. 1.6.2 Installing on WebSphere by Using the Installer 1 Download and execute the agents installer. For software download instructions, see the Novell Access Manager Readme. The License Agreement page is displayed.
  • Page 24 3 Select a directory to install the Novell J2EE agent components, then click Next. The Choose Java Virtual Machine page is displayed. 4 Select a Java Virtual Machine (JVM) to be used by the installed application. A default JVM is displayed.
  • Page 25 9 Specify the audit server IP address: 9a (Conditional) If you do not have the audit server installed, the J2EE installer installs the Audit server for you. Specify the IP address of the Novell Access Manager Administration Console as the Audit Server IP.
  • Page 26 9b (Conditional) If you have the Audit server installed, specify if you want to replace the existing audit server or use the existing server. 10 Click Next. The Select Application Server page is displayed.
  • Page 27 11 Select WebSphere, then click Next. The WebSphere Application Server Settings page is displayed. 12 Specify the directory where you have installed the WebSphere server and click Next. The JCC Dependencies page is displayed.
  • Page 28: Installing The Websphere Agent Through The Console

    3 Review the License Agreement, then press to accept it. 4 Specify an absolute path to install the Novell J2EE agent components, or press Enter to continue with the default installation path. 5 Specify a Java Virtual Machine (JVM) to be used by the installed application.
  • Page 29: Configuring Websphere For J2Ee Agents

    1 Start the utility located at: Linux/AIX: /opt/novell/nids-agents/bin/configure_websphere_agent.sh Windows: <Installation-directory>/nids-agents/bin/configure_websphere_agent.bat 2 Ensure that WebSphere is running. 3 Review the License Agreement, accept it, then click Next. The Novell J2EE Agent Configuration page is displayed.
  • Page 30 4 Select the directory where the J2EE agent is installed and click Next. The Novell Administration Server Communications Credentials page is displayed. 5 Specify the administration credentials to contact the Novell Access Manager and click Next. The WebSphere Application Server Settings page is displayed.
  • Page 31: Installing The J2Ee Agent On Weblogic

    13c Expand the Java Authentication and Authorization Service option and click System Logins. 13d Select WEB_INBOUND > JAAS login modules. 13e Change the order of com.novell.nids.agent.auth.websphere.NidsLTPALoginModule so it is first in the list. 13f Save your changes. 14 (Optional) To verify the installation of the agent, see Section 1.8, “Verifying If a J2EE Agent Is...
  • Page 32: Installing Weblogic Agent By Using The Installer

    3 Review the License Agreement, accept it, then click Next. The installation selection page is displayed. 4 Select a directory to install the Novell J2EE Agent components, then click Next. The Choose a Java Virtual Machine page is displayed.
  • Page 33 5 Select a Java Virtual Machine (JVM) to be used by the installed application. A default JVM is displayed. If you do not select a JVM here, the installer uses the java.home property value of the Java runtime that is used to run the installer to proceed with the installation. 6 (Optional) If you want to select another JVM, click Choose Another and browse to select the JVM of your choice.
  • Page 34 10 Specify the audit server IP address: 10a (Conditional) If you do not have the Audit server installed, the J2EE installer installs the Audit server for you. Specify the IP address of the Novell Access Manager Administration Console as the Audit Server IP.
  • Page 35 10b (Conditional) If you have the Audit server installed, specify if you want to replace the existing Audit server or use the existing server. 11 Click Next. The Select Application Server page is displayed.
  • Page 36 13 Specify the path to the directory where WebLogic is installed, or click Choose to select a folder for installation. Click Restore Default to restore the default installation location. 14 Click Next. The Installation Type page is displayed.
  • Page 37 15 Specify any one of the following options, then click Next: Single Server: Select this option to install a single instance of an application server. Base: Select this option while installing the agent on a machine that acts as a node and is part of a cluster.
  • Page 38 Click Restore Default to restore the default installation location. 17 Click Next. The WebLogic Administration Console Details page is displayed. 18 Specify the information required for server communication between the agent and the Administration Console. Fill in the following fields:
  • Page 39: Installing A J2Ee Agent Through The Console

    3 Review the License Agreement, then press to accept it. 4 Specify an absolute path to install the Novell J2EE Agent components, or press Enter to continue with the default installation path. 5 Specify a Java Virtual Machine (JVM) to be used by the installed application.
  • Page 40: Configuring Weblogic For J2Ee Agents

    7 (Conditional) If you do not have the Audit server installed, the J2EE installer installs the Audit server for you. Specify the IP address of the Novell Access Manager Administration Console as the Audit Server IP, then press Enter. 8 (Conditional) If the Audit server is already installed on your machine:...
  • Page 41 Java 2 permissions for the agent to be explicitly set when the security manager is enabled. The only workaround Novell has found is to grant Java 2 permissions to everything. This should not add any more security risk than running WebLogic without the security manager enabled, which is the default configuration for WebLogic.
  • Page 42 9 In the Authentication Providers list, click DefaultAuthenticator and change the Control Flag from Required to Sufficient. 10 Return to the Authentication Providers list. 11 Change the NovellAccessManagerAuthenticator Control Flag to Sufficient. 12 Click Activate Changes. 13 Restart the WebLogic server.
  • Page 43: Verifying If A J2Ee Agent Is Installed

    Chapter 2, “Configuring the Agent for Authentication,” on page. 1.9 Uninstalling a J2EE Agent 1 Browse to <agent Install folder>\Novell Access Manager J2EE Agents\Uninstall_Novell Access Manager J2EE Agents 2 Double-click the uninstaller. 3 Click Next in the Uninstall J2EE Agents page.
  • Page 45: Configuring The Agent For Authentication

    “Setting Up a Basic Access Manager Configuration” in the Novell Access Manager 3.1 SP2 Setup Guide. You have a J2EE application server that has an application with security constraints. You have configured the Identity Server with policies for the roles required by your application.
  • Page 46: Allowing Direct Access To The J2Ee Server

    Access Gateway is a reverse proxy server that restricts access to Web-based content, portals, and Web applications that employ authentication and access control policies. When you configure the Access Gateway to protect the application server, the communication process follows the paths illustrated in Figure 2-2.
  • Page 47: Configuring The Agent For Direct Access

    Figure 2-2 The J2EE Server as a Protected Resource (figure components: Browser, Access Gateway, Identity Server, LDAP Directories, J2EE Server with Agent and Applications). 1. The user requests access to the application server by using a published DNS name. The request is sent to the Access Gateway, and the Access Gateway proxies the request to the agent. 2.
  • Page 48 If you have created a cluster, select each cluster node from the Cluster Member drop-down list and specify separate URLs for each node. The SOAP URL must end with nesp. For example: https://j2ee.mycompany.com:8443/nesp
  • Page 49: Configuring Authentication Contracts

    “Preparing the Applications and the J2EE Servers” on page. 2.4 Configuring Authentication Contracts The Novell J2EE Agent now comes with the ability to configure different authentication contracts to protect different applications that reside on the same application server instance. You can also configure additional authentication contracts for applications that require them.
  • Page 50 2 Click Manage authorization policies to configure J2EE Agents Policies. The Protected Web and EJB Resource page is displayed. 3 Click New to create a new protected Web resource.
  • Page 51 Fill in the following fields: Module File Name: Specify the name of the file you are protecting, including the file extension (.jar, .war). Type: Select Web Module (.war) to protect the Web application. You can configure different authentication contracts only for different Web applications. 4 Click OK.
  • Page 52: Configuring Additional Authentication For Applications

    4 Click OK, then click Update > OK. 5 To update the Identity Server, click Identity Servers, then click Update > OK. Whenever you set up a new trusted identity configuration, you need to update the Identity Server configuration.
  • Page 53: Protecting The Application Server With The Access Gateway

    2.5 Protecting the Application Server with the Access Gateway When you configure the Access Gateway so it can protect your application server, the Access Gateway must be configured to protect multiple resources. The first reverse proxy and proxy service combination of the Access Gateway is assigned to perform authentication. The agent must be set up as a secondary proxy service because the proxy service for an agent cannot be used for authentication.
  • Page 54: In The

    Novell Access Manager 3.1 SP2 Access Gateway Guide. 2 In the Proxy Service List section, click New. 3 Fill in the following fields: Proxy Service Name: Specify a display name for this configuration. Multi-Homing Type: Select Path-Based.
  • Page 55 Path: Specify the path for the J2EE server. For this example, this is /j2ee. Web Server IP Address: Specify the IP address of the application server. For the configuration in Figure 2-3, enter 10.10.10.40. Host Header: Select Web Server Host Name. Web Server Host Name: Specify the DNS name of the application server.
  • Page 56 Gateway. See “Configuring SSL Communication with the Browsers and the Identity Server ” in Novell Access Manager 3.1 SP2 Access Gateway Guide and select the Enable SSL between Browser and Access Gateway field. 14 Configure how you want the certificate verified.
  • Page 57: Setting Up A Domain-Based Proxy Service For An Application Server

    15 Select the IP address of the application server and change the port if the application server is using a different port for SSL. 16 Click OK. The server certificate, the root CA certificate, and any CA certificates from a chain are displayed and selected.
  • Page 58 The following steps assume that you have already enabled SSL between the Access Gateway and the browsers. If you haven’t, in the Novell Access Manager 3.1 SP2 Access Gateway Guide. 2 In the Proxy Service List section, click New. 3 Fill in the following fields.
  • Page 59 “Configuring SSL Communication with the Browsers and the Identity Server ” in the Novell Access Manager 3.1 SP2 Access Gateway Guide and select the Enable SSL between Browser and Access Gateway field. 8 Configure how you want the certificate verified.
  • Page 60: Configuring A Protected Agent For Access

    18 On the Access Gateways page, click Update. 19 Continue with “Configuring a Protected Agent for Access” on page. 2.5.3 Configuring a Protected Agent for Access 1 In the Administration Console, click Devices > J2EE Agents > Edit.
  • Page 61 2 Fill in the fields: Identity Server Cluster: Select the Identity Server you want the agent to trust for authentication by selecting the configuration you have assigned to the Identity Server. The option is used as the default, before you configure the agent. Contract: Select the type of contract, which determines the information a user must supply for authentication.
  • Page 62 4 To update the Identity Server, click Identity Servers > Update. Whenever you set up a new trusted identity configuration, you need to update the Identity Server. 5 Continue with “Preparing the Applications and the J2EE Servers” on page
  • Page 63: Clustering J2Ee Agents

    Clustering J2EE Agents The J2EE Agents can be clustered to provide load balancing and fault tolerance. If the agent where the user's session was established goes down, the user’s request is sent to another agent in the cluster. This agent pulls the user’s session information from the Identity Server. This allows the user to continue accessing resources, without needing to reauthenticate.
  • Page 64: Assigning A J2Ee Agent To A Cluster

    1 In the Administration Console, click Devices > J2EE Agents. 2 On the Servers page, select the server’s check box, then choose Actions > Assign to Cluster. To select all the servers in the list, select the top-level Server check box.
  • Page 65: Modifying Cluster Details

    3 Select the configuration’s check box, then click Assign. The status icon for the J2EE Agent should turn green. It might take several seconds for the J2EE Agent to start and for the system to display the green status. 3.4 Modifying Cluster Details 1 In the Administration Console, click Devices >...
  • Page 66 IMPORTANT: If you are not going to assign the agent to another cluster, you need to reconfigure it. You also need to reconfigure the L4 switch and remove this agent from the cluster list.
  • Page 67: Preparing The Applications And The J2Ee Servers

    web.xml (PayrollApp.ear) has these modifications. The location of this sample payroll application is platform-specific: On a Linux J2EE server, this application is copied to the /opt/novell/nids_agents/examples directory. On a Windows J2EE server, this application is copied to the directory.
  • Page 68: Configuring For Logout

    <param-name>websphereLTPAMechanism</param-name> <param-value>false</param-value> <description>This should be set to true in order to clear LTPA cookies and tokens in case of WebSphere with LTPA as the authentication mechanism</description> </init-param> </servlet> <servlet-mapping> <servlet-name>LogoutServlet</servlet-name> <url-pattern>/logout</url-pattern> </servlet-mapping>
  • Page 69: Configuring Applications On The Jboss Server

    WebsphereLTPAMechanism (<param-value> false): When the WebSphere server is configured to use the LTPA authentication mechanism, the <param-value> must be set to true so that when the global logout is performed, the Novell J2EE Agent clears the LTPA cookie. If the...
  • Page 70: Configuring Security Constraints

    URL. This policy triggers authentication, and the J2EE Agent policies can then be used to determine authorization. The following is a sample security constraint for a web.xml file that triggers authentication for any path below the protected directory:
  • Page 71: Configuring Applications On The Websphere Server

    <security-constraint> <web-resource-collection> <web-resource-name>Protected Content</web-resource-name> <url-pattern>/protected/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>authenticated</role-name> </auth-constraint> </security-constraint> <security-role> <description></description> <role-name>authenticated</role-name> </security-role> The role must be declared with the <security-role> tags when it is used inside a security constraint. 4.3 Configuring Applications on the WebSphere Server Section 4.3.1, “Configuring for Authentication,” on page 71 Section 4.3.2, “Configuring for RunAs Roles,”...
  • Page 72 The J2EE Agent uses this mapping to discover which role a user or a user's group belongs to. 2 Map a RunAs role to a user. This is Step 8 of the deployment process.
  • Page 73: Configuring The Trust Association Interceptor Module For Websphere Application

    WebSphere Server file system. The TAI module, which has a class name of com.novell.consulting.nl.accessmanager.tai.Roller, provides role provisioning services to WebSphere Application Server (WAS) and WebSphere Portal Server (WPS). HTTP
  • Page 74: How Does The Tai Module Work

    Web browsers are intercepted by Novell Access Manager, enriched with supporting information, passed on by Access Manager to WebSphere Application Server, and offered to the TAI for validation. “How Does the TAI Module Work?” on page 74 “Methods”...
  • Page 75: Methods

    Methods The TAI classes implement five methods: initialize(Properties): Module initialization, based on a configuration that is provided to the TAI as a java.util.Properties set. getType(): Returns the module's Java class name, thereby identifying it to WebSphere Application Server (WAS). getVersion(): Returns the module's version number, normally a fixed string. isTargetInterceptor(HttpServletRequest): Establishes whether this particular TAI instance (of w... negotiateValidateandEstablishTrust(HttpServletRequest, HttpServletResponse)...
  • Page 76: Selective Deployment

    (as identified by Access Manager.) within an LDAP store that is queried by WebSphere Portal Server. Here, the LDAP store (normally an instance of Novell eDirectory) is used as a means of indirect communication between Access Manager and the WebSphere Portal Server.
  • Page 77: Implementing The Trust Association Interceptor Module

    In the reverse direction, a similar optimization is applied, in which updates to the groupMembership back reference attribute are combined into a single joint LDAP modification. Implementing the Trust Association Interceptor Module The TAI module is implemented in eDirectory, WebSphere Application Server, and Novell Access Manager. Configuring eDirectory Use the following configuration for eDirectory: Place all application groups inside a container.
  • Page 78 = wasadmins debug-level = info 14 Save the changes. WebSphere Portal Server and WebSphere Application Server need to be restarted before the TAI is enabled. Logging is placed in the SystemOut.log file.
  • Page 79 Figure 4-1 TAI Configuration. Mapping WebSphere Application Server Roles to LDAP Groups 1 From the WebSphere Application Server select System Administration > Console Settings > Console Groups. 2 Click Add and add the wasadmins group. 3 Assign the role of Administrator to this group. Editing Cache Settings 1 Edit the file and change the following:...
  • Page 80: Configuring Novell Access Manager

    All logging is found in the /usr/WebSphere/PortalServer/log/SystemOut.log file. Figure 4-2 Example Log Configuration. Configuring Novell Access Manager Novell Access Manager passes all required details to the TAI module via the HTTP header.
  • Page 81 There are three places where configuration is required: Additions to the Roles policy. Creating an Identity Injection policy for protected WebSphere Portal Server application resources. Assigning the Identity Injection policy to the WebSphere Portal Server application resources. “Configuring the Roles Policy” on page 81 “Configuring the Identity Injection Policy for WebSphere Portal Server Application Resources”...
  • Page 82 Configuring the Identity Injection Policy for WebSphere Portal Server Application Resources Add the following information to the WPS_roles policy, then use the Administration Console to assign the injection policy for the appropriate protected application in Novell Access Manager.
  • Page 84: Configuring Applications On The Weblogic Server

    Manager role to the weblogic user specified in the <run-as-principal-name> element of the enterprise-bean> element. It should look similar to the following for the sample payroll application: <security-role-assignment> <role-name>Manager</role-name> <principal-name>weblogic</principal-name> </security-role-assignment>
  • Page 85: Configuring The Basic Features Of A J2Ee Agent

    Chapter 6, “Protecting Web and Enterprise JavaBeans Modules,” on page 89 5.1 Enabling Tracing and Auditing of Events You can use either a Novell Audit server or the J2EE server log files to record information about what is being processed by the J2EE Agent.
  • Page 86: Enabling The Auditing Of Events

    Embedded Service Provider. 5.1.2 Enabling the Auditing of Events The Access Manager ships with a Novell Audit server that is installed when you install the first instance of the Administration Console. You can configure the J2EE Agent to send events to this audit server or to another Novell Audit server on your network.
  • Page 87: Configuring Ssl Certificate Trust

    2 To view the assigned certificates, click one of the following keystores in the Service Provider Certificates section: Signing: The signing certificate keystore. Click this link to access the keystore and replace the signing certificate as necessary. The signing certificate is used to sign the assertion or specific parts of the assertion.
  • Page 88: Modifying The Display Name And Other Details

    4 To verify your settings for the J2EE Application Server URL option, click J2EE Agents > Edit. If you used a DNS name for the J2EE Application Server URL, make sure your DNS server has been updated to resolve the DNS name to the new IP address.
  • Page 89: Protecting Web And Enterprise Javabeans Modules

    Protecting Web and Enterprise JavaBeans Modules The J2EE Agent mechanisms for protecting Web and EJB (Enterprise JavaBeans) modules have far more granularity than what you can configure on the J2EE application server. With the agent, you can be selective of what you are protecting. For a Web application, you can select to protect a specific page or group of pages.
  • Page 90: Protecting Web Resources

    4 To add a protected resource to the list, click New, specify a display name for the resource, then click OK. If possible, this name should indicate the URLs that you are going to configure for this resource.
  • Page 91 5 Fill in the following fields: Description: (Optional). A text box where you can specify a description of the protected resource. You can also use the field to briefly describe the purpose of protecting this resource. SSL Required: If this option is selected, the J2EE Agent sets up an SSL connection between the client and the application.
  • Page 92: Assigning A Web Authorization Policy To The Resource

    Type: The type of the application. Select EJB Module for an EJB module. 3 Click OK. 4 To add a protected resource to the list, click New, specify a display name for the EJB resource, then click OK.
  • Page 93 5 Fill in the following fields: EJB Name: The module name to protect. Select [All] to protect all modules. Interfaces: The interfaces to protect. Select one or more of the following: Local Local Home Remote Remote Home Web Service Method: The method to protect. Select [All] to protect all methods. Method Parameters: The parameters of the method to protect.
  • Page 94: Assigning An Enterprise Javabeans Authorization Policy To A Resource

    RunAs role EJB, the user is denied access to the EJB resource. 3 Click Configuration Panel > OK. 4 On the Configuration page, click OK, then click Update > OK.
  • Page 95: Deploying The Sample Payroll Application

    J2EE server or to use the policies of Access Manager. During installation, the sample payroll application is copied to the following location: On a Linux J2EE server, this application is copied to the /opt/novell/nids_agents/examples directory. On a Windows J2EE server, this application is copied to the directory.
  • Page 96: Preparing The Sample Application For The Agent

    <servlet-class> com.novell.nids.agent.auth.LoginServlet </servlet-class> </servlet> <servlet-mapping> <servlet-name>LoginServlet</servlet-name> <url-pattern>/login</url-pattern> </servlet-mapping> 7.2.2 Configuring for Logout To add a logout servlet and its servlet mapping to the web.xml file, modify the contents of web.xml as follows:
  • Page 97: Using The J2Ee Server To Enforce Authorization

    4 In Access Manager, create role policies for an Employee role and a Manager role. For more information, see “Creating Role Policies” in the Novell Access Manager 3.1 SP2 Policy Guide. 5 Configure the agent for authentication. For more information, see Chapter 2, “Configuring the...
  • Page 98: Using Access Manager Policies To Enforce Authorization

    Manager role, then click OK. The following rule uses the LDAP OU condition to determine whether the user is a manager. It assumes that all managers are in the ou=managers,ou=payroll,o=novell container.
  • Page 99 5 In Condition Group 1, click New, create a condition that matches your employees but not your managers, activate the Employee role, then click OK. The following rule uses the LDAP OU condition to determine whether the user is an employee. It assumes that all employees are in the ou=employees,ou=payroll,o=novell container.
  • Page 100: Creating Authorization Policies

    3 For the first rule, click New, set up a condition that permits access if the user has been assigned the Employee role, then click OK. Your rule should look similar to the following:
  • Page 101 4 To create the second rule in the policy, click New. 5 To create a generic deny rule, assign a deny action, then click OK. Your rule should look similar to the following: 6 To save your employee policy, click OK > Apply Changes. 7 To create a policy for the managers, click New, specify a name for the policy, select J2EE Agent: EJB Authorization as the type, then click OK.
  • Page 102 Creating Web Authorization Policies You need to create two policies: one that permits Managers to access resources and one that permits Employees to access resources. 1 In the Administration Console, click Devices > Policies.
  • Page 103 2 To create an Authorization policy for the employees, click New, specify a name for the policy, select J2EE Agent: Web Authorization as the type, then click OK. 3 For the first rule, click New, set up a condition that permits access if the user has been assigned the Employee role, then click OK.
  • Page 104 10 To create a generic deny rule, assign a deny action, then click OK. Your rule should look similar to the following: 11 To save your manager policy, click OK > Apply Changes. 12 Continue with Section 7.4.3, “Assigning Policies to Protected Resources,” on page 105.
  • Page 105: Assigning Policies To Protected Resources

    7.4.3 Assigning Policies to Protected Resources After creating the Authorization policies, you need to create protected resources for the payroll application, then assign the policies to the protected resources. “Assigning the Authorization Policies to Protected Web Resources” on page 105 “Assigning the Authorization Policies to Protected EJB Resources”...
  • Page 106: Testing The Configuration

    6 To save your changes, click Configuration Panel, then click OK. 7 On the J2EE Agents page, click Update. 7.4.4 Testing the Configuration 1 Deploy the sample payroll application on your J2EE server.
  • Page 107 The location of the sample application is platform-specific: On a Linux, Solaris, or AIX J2EE server, the application is copied to the /opt/novell/nids_agents/example directory. On a Windows J2EE server, the application is copied to the <Install_Directory>\sampleapp directory. 2 On your J2EE server, prepare the application to use the agent for login and logout. (See Section 4.1, “Preparing the Application for the Agent,”...
  • Page 109: Managing A J2Ee Agent

    Managing a J2EE Agent The following sections describe the options available for managing a J2EE Agent. Section 8.1, “Viewing General Status Information,” on page 109 Section 8.2, “Managing the Health of an Agent,” on page 110 Section 8.3, “Managing the Health of a Cluster,” on page 112 Section 8.4, “Managing Alerts,”...
  • Page 110: Managing The Health Of An Agent

    If a J2EE Agent is functioning normally, its health icon is green. If the icon is any other color, you need to discover the cause. 1 In the Administration Console, click Devices > J2EE Agents > [Name of Agent] > Health.
  • Page 111 2 If you think the information on the page might be stale, click Refresh. 3 If you want to have the page refreshed with the information sent from the agent, click Update from Server. 4 If the status icon does not turn green, view the information in the Services Detail section. For an agent, this includes information such as the following:
  • Page 112: Managing The Health Of A Cluster

    Server Name: Displays the IP address that identifies the J2EE Agent. Health: Displays the health status of the server. Description: Displays the description of the health status of the server.
  • Page 113: Managing Alerts

    8.4 Managing Alerts The J2EE Agent sends alerts when it is not functioning correctly. After discovering the cause of an alert and then correcting the problem, you should clear the alert from the list. 1 In the Administration Console, click Devices > J2EE Agents > [Name of Agent] > Alerts. 2 To send an acknowledgement, select the check box by the alert, then click Acknowledge Alert(s).
  • Page 114 enabled. Enable WebSphere's server security. This is enabled during installation. See your WebSphere® documentation. The JACC PolicyConfigurationFactory was not initialized. Configure the J2EE Application Server to use the proper PolicyConfigurationFactory. Contact Novell Support.
  • Page 115: Managing Cluster Alerts

    4 Click Close. 8.5 Managing Cluster Alerts The Alerts page allows you to view information about current Java alerts and clear them. An alert is generated whenever the configuration detects a condition that prevents it from performing normal system services. 1 In the Administration Console, click Devices >...
  • Page 116: Viewing Platform Information

    The selected command is cleared. Refresh: To update the current cache of recently executed commands, click Refresh. Name: To select all the commands in the list, click Name, then click Refresh or Delete.
  • Page 117: Stopping And Starting The Agent

    3 View the information. The following columns display information about each command: Column Description Name Contains the display name of the command. Select this link to view additional details about the command. Status Specifies the status of the command and includes states such as Pending, Incomplete, Executing, Succeeded, Failed, and Unsuccessful.
  • Page 118: Deleting An Agent From The Administration Console

    To delete a J2EE Agent from the Administration Console: 1 In the Administration Console, click Devices > J2EE Agents. 2 Select the agent, then click Actions > Delete. 3 Click OK.
  • Page 119: Troubleshooting The J2Ee Agent

    Troubleshooting the J2EE Agent This section has the following information: Section 9.1, “Troubleshooting the J2EE Agent Import,” on page 119 Section 9.2, “Authorization Policies Fail for Some Attributes,” on page 119 Section 9.3, “The Health Status Displays as ‘Server Is Not Responding’,” on page 120 Section 9.4, “Auto-import Agents Fails on WebLogic Running on RedHat,”...
  • Page 120: The Health Status Displays As "Server Is Not Responding

    Section 9.5.2, “Issues With the Administration Console,” on page 121 9.5.1 JRE Version is Wrong Enter the following command to verify the version of JRE being used by the J2EE Installer: java -version
  • Page 121: Issues With The Administration Console

    3 Run the J2EE Agent installer. 4 If you are prompted to confirm overwriting some of the files that were installed during the previous failed attempt, click OK. Contact Novell® Support if the problem persists.
  • Page 122: Unable To Federate Websphere Custom Profile If Agent Already Installed

    J2EE Agent is installed, they fail to be propagated to the JAAC module even after a restart. To work around this issue: 1 Browse to the folder where the Novell J2EE Agent is installed. 2 Open , which is located in the folder.
  • Page 123: Audit Log Event Problems On 64-Bit Platforms

    LogEvent.jar NAuditPA.jar On Windows, the NAuditPA.jar file is located in the Program Files\novell\Nsure Audit directory. On Linux, the file is located in the /opt/novell/naudit/java/pa directory. Section 9.9.1, “JBoss Agent,” on page 123 Section 9.9.2, “WebLogic Agent,” on page 123 9.9.1 JBoss Agent...
  • Page 124: Jboss And Ssl

    Logging tab under Servers. 9.12 Troubleshooting Access Control When a user requests access to a resource protected by the J2EE Agent, the request flows through the policy enforcement points illustrated in Figure 9-1.
  • Page 125 Figure 9-1 Access Control Flow (flowchart: Request Received; Is the user authenticated?; Is the login successful?; Does it match a protected resource?; Is the Access Manager Authorization policy enabled?; Does the Authorization succeed?; Is the J2EE Application Server authorization policy enabled?; Is the authorization successful?; Grant Access...)
  • Page 126 Access Manager Role policies for the roles that you have configured the J2EE server to use for authorization. Depending upon the application, role names can be case sensitive, so when you create the role, make sure to use the case the application expects.
