Novell ACCESS MANAGER 3.1 SP1 - AGENT GUIDE Manual

J2EE* Agent Guide

AUTHORIZED DOCUMENTATION
J2EE* Agent Guide
Novell® Access Manager 3.1 SP 1
July 15, 2009
www.novell.com
Novell Access Manager 3.1 SP1 Agent Guide

Summary of Contents for Novell ACCESS MANAGER 3.1 SP1 - AGENT GUIDE

  • Page 1 AUTHORIZED DOCUMENTATION J2EE* Agent Guide Novell® Access Manager 3.1 SP 1 July 15, 2009 www.novell.com
  • Page 2 Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
  • Page 3 Novell Trademarks For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html). Third-Party Materials All third-party trademarks are the property of their respective owners.
  • Page 5: Table Of Contents

    Contents: About This Guide; 1 Installing the J2EE Agents; Overview of J2EE Agents 11; Prerequisites ...
  • Page 6 Viewing Statistics 103
  • Page 7 9 Troubleshooting the J2EE Agent; Troubleshooting the J2EE Agent Import 105; Authorization Policies Fail for Some Attributes ...
  • Page 9: About This Guide

    Please use the User Comments feature at the bottom of each page of the online documentation, or go to Documentation Feedback (http://www.novell.com/documentation/feedback.html) and enter your comments there. Documentation Updates For the most recent version of the Access Manager J2EE Agent Guide, visit the Novell Access Manager Documentation Web site (http://www.novell.com/documentation/novellaccessmanager31).
  • Page 10 A trademark symbol (®, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party trademark. When a single pathname can be written with a backslash for some platforms or a forward slash for other platforms, the pathname is presented with a backslash.
  • Page 11: Installing The J2EE Agents

    Installing the J2EE Agents Access Manager currently has J2EE agents for JBoss*, WebLogic*, and WebSphere* servers. The agents can be installed on Linux, Windows* and AIX* platforms. The J2EE Agents allow you to use roles and other types of policies to restrict access to specific application modules and Enterprise JavaBeans.
  • Page 12: Prerequisites

    Supported platforms: Windows: Windows 2003. AIX: AIX 5.3. Solaris: Solaris 10 on SPARC and X86, 32-bit and 64-bit platforms. NOTE: There is no support for Novell Audit on Solaris for this release.
  • Page 13: Installing The J2EE Agent On JBoss

    1.3.2 Installing and Configuring the JBoss Web Deployer Service If you want to use a custom JBoss configuration, the Novell J2EE Agent depends on the JBoss Web deployer service. To verify if the JBoss Web deployer service is already installed, browse to the...
  • Page 14 6 Copy the ejb-deployer.xml file from the <jboss-home>/server/default/deploy/ location to the <path-to-your-custom-configuration>/deploy location. 7 Specify the following commands to copy the additional JAR files in sequence: cd default/lib/ cp jboss.jar jboss-j2ee.jar jbosssx.jar servlet-api.jar
  • Page 15: Installing JBoss By Using The Installer

    Section 1.3.3, “Installing JBoss By Using the Installer,” on page 1.3.3 Installing JBoss By Using the Installer 1 Download the agent installer from Novell (http://www.novell.com/products). 2 If JBoss is running, stop JBoss. 3 Run the installer. 4 Review the License Agreement, accept it, then click Next. The installation selection page is displayed.
  • Page 16 5 Select a directory to install the Novell J2EE agent components, then click Next. The Choose a Java Virtual Machine page is displayed. 6 Select a Java Virtual Machine (JVM*) to be used by the installed application. A default JVM is displayed.
  • Page 17 10 Click Next. 11 (Conditional) If you do not have the audit server installed, the J2EE installer installs the Audit server for you. Specify the IP address of the Novell Access Manager Administration Console as the Audit Server IP.
  • Page 18 12a You are prompted to specify if you want to replace the existing audit server or use the existing server. 12b (Conditional) If you click Yes, the Audit Server Setting page is displayed. Select Use following Audit Server.
  • Page 19 12c (Conditional) If you click No, select Use following Audit Server, then specify an IP address of the Audit server. 13 Click Next. The Select Application Server page is displayed. 14 Click OK at the Alert page. 15 Select JBoss, then click Next. The JBoss Application Server Settings page is displayed.
  • Page 20: Installing The JBoss Agent Through The Console

    Replace <filename> with the name of the J2EE agent installer. 3 Review the License Agreement, then press to accept it. 4 Specify an absolute path to install the Novell J2EE agent components, or press Enter to continue with the default installation path.
  • Page 21: Installing The J2EE Agent On WebSphere

    Novell Access Manager administration console is reachable. 7 (Conditional) If you do not have the Audit server installed, J2EE installer installs the Audit server for you. Specify the IP address of the Novell Access Manager Administration Console as the Audit Server IP, then press Enter.
  • Page 22: Prerequisites

    1.4.2 Installing on WebSphere By Using the Installer 1 Download the agent installer from Novell (http://www.novell.com/products). 2 Run the installer. 3 Review the License Agreement, accept it, then click Next. The installation selection page is displayed.
  • Page 23 4 Select a directory to install the Novell J2EE agent components, then click Next. The Choose Java Virtual Machine page is displayed. 5 Select a Java Virtual Machine (JVM*) to be used by the installed application. A default JVM is displayed.
  • Page 24 10 You have to specify the audit server IP address. 10a If you do not have the audit server installed, the J2EE installer installs the Audit server for you. Specify the IP address of the Novell Access Manager Administration Console as the Audit Server IP.
  • Page 25 10b If you have the Audit server installed, specify if you want to replace the existing audit server or use the existing server. 11 Click Next. The Select Application Server page is displayed.
  • Page 26 12 Select WebSphere, then click Next. The WebSphere Application Server Settings page is displayed. 13 Specify the directory where you have installed the WebSphere server and click Next. The JCC Dependencies page is displayed.
  • Page 27: Installing The WebSphere Agent Through The Console

    3 Review the License Agreement, then press to accept it. 4 Specify an absolute path to install the Novell J2EE agent components, or press Enter to continue with the default installation path. 5 Specify a Java Virtual Machine (JVM) to be used by the installed application.
  • Page 28: Configuring WebSphere For J2EE Agents

    3 Review the License Agreement, accept it, then click Next. The Novell J2EE Agent Configuration page is displayed. 4 Select the directory where the J2EE agent is installed and click Next. The Novell Administration Server Communications Credentials page is displayed.
  • Page 29 5 Specify the administration credentials to contact the Novell Access Manager and click Next. The Websphere Application Server Settings page is displayed. 6 Specify the following: Application Server Name: Specify the name for the application server. Application Server Profile Directory: Specify the path to the application server profile.
  • Page 30: Installing The J2EE Agent On WebLogic

    13c Expand the Java Authentication and Authorization Service option and click System Logins. 13d Select WEB_INBOUND > JAAS login modules. 13e Change the order of com.novell.nids.agent.auth.websphere.NidsLTPALoginModule so it is first in the list. 13f Save your changes. 14 (Optional) To verify the installation of the agent, see Section 1.6, “Verifying If a J2EE Agent Is...
  • Page 31 IMPORTANT: Make sure that your installation folder name has no spaces. For example, you cannot specify the folder name as Novell Access Manager J2EE Agents, but you can specify the name as Novell_Access_Manager_J2EE_Agents. 3 Make sure the WebLogic server is running.
  • Page 32 6 Select a directory to install the Novell J2EE agent components, then click Next. The Choose a Java Virtual Machine page is displayed. 7 Select a Java Virtual Machine (JVM*) to be used by the installed application. A default JVM is displayed.
  • Page 33 12 Specify the audit server IP address: 12a (Conditional) If you do not have the Audit server installed, the J2EE installer installs the Audit server for you. Specify the IP address of the Novell Access Manager Administration Console as the Audit Server IP.
  • Page 34 12b (Conditional) If you have the Audit server installed, specify if you want to replace the existing Audit server or use the existing server. 13 Click Next. The Select Application Server page is displayed.
  • Page 35 14 Select WebLogic, click Next. The installation selection page is displayed. 15 Specify the path to the directory where WebLogic is installed. Click Choose to select a folder for installation. Click Restore Default to restore the default installation location. 16 Click Next. The Installation Type page is displayed.
  • Page 36 Base: Select this option while installing the agent on a machine that acts as a node and is part of a cluster. Cluster: Select this option while installing the agent on a machine where the domain is configured. The WebLogic Domain page is displayed.
  • Page 37 18 Specify the WebLogic Domain Home folder. Click Choose to select a folder for installation. Click Restore Default to restore the default installation location. 19 Click Next. The WebLogic Administration Console Details page is displayed. 20 Specify the information required for server communication between the agent and the Administration Console.
  • Page 38: Installing A J2EE Agent By Using The Console

    3 Review the License Agreement, then press to accept it. 4 Specify an absolute path to install the Novell J2EE Agent components, or press Enter to continue with the default installation path. 5 Specify a Java Virtual Machine (JVM) to be used by the installed application.
  • Page 39: Configuring WebLogic For J2EE Agents

    Press 1 to use the existing Audit server. Press 2 to replace the existing Audit server. 8b (Conditional) Press 1 to use the existing Novell Audit Configuration. 8c (Conditional) Press 2 to use a different Audit Server and then specify the IP address.
  • Page 40 Java 2 permissions for the agent to be explicitly set when the security manager is enabled. The only workaround Novell has found is to grant Java 2 permissions to everything. The <AGENT_HOME>/weblogic.policy file contains the following lines: grant { java.security.AllPermission...
  • Page 41 /opt/bea/weblogic92/common/bin/wlst.sh /opt/novell/nids_agents/bin/weblogic_config.jy weblogic password base_domain AdminServer localhost:7001 Windows Example: C:\bea\weblogic92\common\bin\wlst.cmd C:\Novell\bin\weblogic_config.jy weblogic password base_domain AdminServer localhost:7001 4 Restart the WebLogic server. The agent should import into Access Manager Administration Console when the WebLogic server starts. 5 (Optional) Verify and test the installation: To verify that the agent is installed, see Section 1.6, “Verifying If a J2EE Agent Is...
  • Page 42: Verifying If A J2EE Agent Is Installed

    If an agent starts to import into the Administration Console but fails to complete the process, the following message appears: Server agent-<name> is currently importing. If it has been several minutes after installation, click repair import to fix it.
  • Page 43: Uninstalling A J2EE Agent

    “Configuring the Agent for Authentication,” on page 1.7 Uninstalling a J2EE Agent 1 Browse to <agent Install folder>\Novell Access Manager J2EE Agents\Uninstall_Novell Access Manager J2EE Agents 2 Double-click the uninstaller. 3 Click Next in the Uninstall J2EE Agents page. This removes all the features that were installed by the installer.
  • Page 45: Configuring The Agent For Authentication

    For the sample payroll application, this is an Employee role and a Manager role. “Creating Role Policies” in the Novell Access Manager 3.1 SP1 Policy Management Guide. You have the agent installed on your J2EE server. See Chapter 1, “Installing the J2EE Agents,”...
  • Page 46: Possible Configurations

    You also have an internal DNS server that resolves the DNS name of the application server to its IP address. For configuration information, see Section 2.3, “Configuring the Agent for Direct Access,” on page Novell Access Manager 3.1 SP1 Agent Guide...
  • Page 47: Configuring The Agent For Direct Access

    2.2.2 Protecting the Application Server with the Access Gateway When you configure the Access Gateway to protect the application server, the communication process follows the paths illustrated in Figure 2-2. Figure 2-2: The J2EE Server as a Protected Resource (diagram showing the LDAP directories, Identity Server, Access Gateway...)
  • Page 48 You can configure other contract types. See “Configuring Authentication Contracts” in the Novell Access Manager 3.1 SP1 Identity Server Guide. J2EE Application Server URL: Specify the URL to access the application server, including the port. For example, if the DNS name of your J2EE server is j2ee.mycompany.com, enter the following: https://j2ee.mycompany.com:8443...
  • Page 49: Configuring Authentication Contract

    “Preparing the Applications and the J2EE Servers” on page 2.4 Configuring Authentication Contract The Novell J2EE Agent now comes with the ability to configure different authentication contracts to protect different applications that reside on the same application server instance. You can also configure additional authentication contracts for applications that require them.
  • Page 50 2 Click Manage authorization policies to configure J2EE Agents Policies. The Protected Web and EJB Resource page is displayed. 3 Click New to create a new protected Web resource.
  • Page 51 Fill in the following fields: Module File Name: Specify the name of the file you are protecting, including the file extension (.jar, .war). Type: Select Web Module (.war) to protect the Web application. NOTE: You can configure different authentication contracts only for different Web applications.
  • Page 52: Configuring Additional Authentication For Applications

    2 Click the protected resource for which you want to add additional authentication contract. 3 Click New in the URL Path List section and add a new URL path, then click OK. 4 Click OK, then click Update > OK.
  • Page 53: Protecting The Application Server With The Access Gateway

    5 To update the Identity Server, click Identity Servers, then click Update > OK. Whenever you set up a new trusted identity configuration, you need to update the Identity Server configuration. 2.5 Protecting the Application Server with the Access Gateway When you configure the Access Gateway so it can protect your application server, the Access Gateway must be configured to protect multiple resources.
  • Page 54 If you haven’t, see “Configuring SSL Communication with the Browsers and the Identity Server ” in the Novell Access Manager 3.1 SP1 Access Gateway Guide. 2 In the Proxy Service List section, click New. 3 Fill in the following fields: Proxy Service Name: Specify a display name for this configuration.
  • Page 55 Path: Specify the path for the J2EE server. For this example, this is /j2ee. Web Server IP Address: Specify the IP address of the application server. For the configuration in Figure 2-3, enter 10.10.10.40. Host Header: Select Web Server Host Name. Web Server Host Name: Specify the DNS name of the application server.
  • Page 56 Gateway. See “Configuring SSL Communication with the Browsers and the Identity Server ” in Novell Access Manager 3.1 SP1 Access Gateway Guide and select the Enable SSL between Browser and Access Gateway field. 14 Configure how you want the certificate verified. The Access Gateway platforms support different options: Linux Access Gateway: The Linux Access Gateway supports the following options.
  • Page 57: Setting Up A Domain-Based Proxy Service For An Application Server

    15 Select the IP address of the application server and change the port if the application server is using a different port for SSL. 16 Click OK. The server certificate, the root CA certificate, and any CA certificates from a chain are displayed and selected.
  • Page 58 If you haven’t, see “Configuring SSL Communication with the Browsers and the Identity Server ” in the Novell Access Manager 3.1 SP1 Access Gateway Guide. 2 In the Proxy Service List section, click New. 3 Fill in the following fields.
  • Page 59 Gateway. See “Configuring SSL Communication with the Browsers and the Identity Server ” in Novell Access Manager 3.1 SP1 Access Gateway Guide and select the Enable SSL between Browser and Access Gateway field. 8 Configure how you want the certificate verified. The Access Gateway platforms support...
  • Page 60 15a For this first protected resource, select None for the contract.
  • Page 61: Configuring A Protected Agent For Access

    15b In the URL Path List, specify the following path: /nesp 15c Click OK twice. 15d To add a second protected resource, click New, specify a name, then click OK. 15e For the contract, select the contract you want to use for authentication. 15f In the URL Path List, specify the path to the application.
  • Page 62 You can configure other contract types. See “Configuring Authentication Contracts” in the Novell Access Manager 3.1 SP1 Identity Server Guide. J2EE Application Server URL: Specify the URL to access the application server, including the port. Select the format based on whether the agent is protected by a path-based or a domain-based proxy service.
  • Page 63: Clustering J2EE Agents

    Clustering J2EE Agents The J2EE Agents can be clustered to provide load balancing and fault tolerance. If the agent where the user's session was established goes down, the user’s request is sent to another agent in the cluster. This agent pulls the user’s session information from the Identity Server. This allows the user to continue accessing resources, without needing to reauthenticate.
  • Page 64: Assigning A J2EE Agent To A Cluster

    1 In the Administration Console, click Devices > J2EE Agents. 2 On the Servers page, select the server’s check box, then choose Actions > Assign to Cluster. To select all the servers in the list, select the top-level Server check box.
  • Page 65: Modifying Cluster Details

    3 Select the configuration’s check box, then click Assign. The status icon for the J2EE Agent should turn green. It might take several seconds for the J2EE Agent to start and for the system to display the green status. 3.4 Modifying Cluster Details 1 In the Administration Console, click Devices >...
  • Page 66 IMPORTANT: If you are not going to assign the agent to another cluster, you need to reconfigure it. You also need to reconfigure the L4 switch and remove this agent from the cluster list.
  • Page 67: Preparing The Applications And The J2EE Servers

    The web.xml file in the sample application (PayrollApp.ear) has these modifications. The location of this application is platform-specific: On a Linux J2EE server, this application is copied to the /opt/novell/nids_agents/examples directory. On a Windows J2EE server, this application is copied to the <Install_Directory>\sampleapp directory. 4.1.1 Configuring for Login...
  • Page 68: Configuring For Logout

    <init-param> <param-name>websphereLTPAMechanism</param-name> <param-value>false</param-value> <description> This should be set to true in order to clear LTPA cookies and tokens in the case of WebSphere with LTPA as the authentication mechanism </description> </init-param> </servlet> <servlet-mapping> <servlet-name>LogoutServlet</servlet-name> <url-pattern>/logout</url-pattern> </servlet-mapping>
  • Page 69: Configuring Applications On The JBoss Server

    The WebsphereLTPAMechanism <param-value> defaults to false. When the WebSphere server is configured to use the LTPA authentication mechanism, the <param-value> must be set to true so that when the global logout is performed, the Novell J2EE Agent clears the LTPA cookie. If the...
  • Page 70: Configuring Security Constraints

    URL. This policy triggers authentication, and the J2EE Agent policies can then be used to determine authorization. The following is a sample security constraint for a web.xml file that triggers authentication for any path below the protected directory: <security-constraint> <web-resource-collection> <web-resource-name>Protected Content</web-resource-name> <url-pattern>/protected/*</url-pattern> </web-resource-collection>
  • Page 71: Configuring Applications On The WebSphere Server

    <auth-constraint> <role-name>authenticated</role-name> </auth-constraint> </security-constraint> <security-role> <description></description> <role-name>authenticated</role-name> </security-role> The role must be declared with the <security-role> tags when it is used inside a security constraint. 4.3 Configuring Applications on the WebSphere Server Section 4.3.1, “Configuring for Authentication,” on page 71 Section 4.3.2, “Configuring for RunAs Roles,”...
  • Page 72 The J2EE Agent uses this mapping to discover which role a user or a user's group belongs to. 2 Map a RunAs role to a user. This is Step 8 of the deployment process.
  • Page 73: Configuring Applications On The WebLogic Server

    The WebSphere server uses this mapping to assign a user to execute an Enterprise JavaBeans method. 4.4 Configuring Applications on the WebLogic Server If the application is using RunAs roles in the weblogic-ejb-jar.xml file, the role needs to be mapped to a user in the WebLogic domain. To enable this configuration on the server, two elements need to be added to this file: a <run-as-principal-name> element for the EJB that is configured to use RunAs roles...
  • Page 74 Manager role to the weblogic user specified in the <run-as-principal-name> element of the <weblogic-enterprise-bean> element. It should look similar to the following for the sample payroll application: <security-role-assignment> <role-name>Manager</role-name> <principal-name>weblogic</principal-name> </security-role-assignment>
  • Page 75: Configuring The Basic Features Of A J2EE Agent

    Chapter 6, “Protecting Web and Enterprise JavaBeans Modules,” on page 79 5.1 Enabling Tracing and Auditing of Events You can use either a Novell® Audit server or the J2EE server log files to record information about what is being processed by the J2EE Agent.
  • Page 76: Enabling The Auditing Of Events

    Guide. 5.1.2 Enabling the Auditing of Events The Access Manager ships with a Novell Audit server that is installed when you install the first instance of the Administration Console. You can configure the J2EE Agent to send events to this audit server or to another Novell Audit server on your network.
  • Page 77: Managing Embedded Service Provider Certificates

    Identity Server. For instructions, see “Importing Public Key Certificates (Trusted Roots)” in the Novell Access Manager 3.1 SP1 Administration Console Guide, select the NIDP Trust Store, and specify the IP address and port of your application server.
  • Page 78: Modifying The Display Name And Other Details

    4 To verify your settings for the J2EE Application Server URL option, click J2EE Agents > Edit. If you used a DNS name for the J2EE Application Server URL, make sure your DNS server has been updated to resolve the DNS name to the new IP address.
  • Page 79: Protecting Web And Enterprise JavaBeans Modules

    Protecting Web and Enterprise JavaBeans Modules The J2EE Agent mechanisms for protecting Web and EJB (Enterprise JavaBeans) modules have far more granularity than what you can configure on the J2EE application server. With the agent, you can be very selective of what you are protecting. For a Web application, you can select to protect a specific page or group of pages.
  • Page 80: Protecting Web Resources

    4 To add a protected resource to the list, click New, specify a display name for the resource, then click OK. If possible, this name should indicate the URLs that you are going to configure for this resource.
  • Page 81 5 Fill in the following fields: Description: (Optional). A text box where you can specify a description of the protected resource. You can also use it to briefly describe the purpose for protecting this resource. SSL Required: If this option is selected, the J2EE Agent sets up an SSL connection between the client and the application.
  • Page 82: Assigning A Web Authorization Policy To The Resource

    The following instructions assume that you have already created your Authorization policy for the Web resource. For general information about Authorization policies, see “Creating Authorization Policies” in the Novell Access Manager 3.1 SP1 Policy Management Guide and for information about creating a Web Authorization policy, see “Creating Web Authorization Policies for J2EE Agents ”...
  • Page 83 4 To add a protected resource to the list, click New, specify a display name for the EJB resource, then click OK. 5 Fill in the following fields: EJB Name: The module name to protect. Select [All] to protect all modules. Interfaces: The interfaces to protect.
  • Page 84: Assigning An Enterprise Javabeans Authorization Policy To A Resource

    The following instructions assume that you have already created your Authorization policy for the Web resource. For general information about Authorization policies, see “Creating Authorization Policies” in the Novell Access Manager 3.1 SP1 Policy Management Guide and for information about creating an EJB Authorization policy, see “Creating Enterprise JavaBean Authorization Policies for J2EE Agents”...
  • Page 85: Deploying The Sample Payroll Application

    “Employee Role” and “Manager Role” in the Novell Access Manager 3.1 SP1 Policy Management Guide for another way. 5 Configure the agent for authentication, if you haven’t done so already. See Chapter 2, “Configuring the Agent for Authentication,” on page 6 Make sure that the Enforce application server policy option is selected.
  • Page 86: Using Access Manager Policies To Enforce Authorization

    Manager role, then click OK. The following rule uses the LDAP OU condition to determine whether the user is a manager. It assumes that all managers are in the ou=managers,ou=payroll,o=novell container.
  • Page 87 5 In Condition Group 1, click New, create a condition that matches your employees but not your managers, activate the Employee role, then click OK. The following rule uses the LDAP OU condition to determine whether the user is an employee. It assumes that all employees are in the ou=employees,ou=payroll,o=novell container.
  • Page 88: Creating Authorization Policies

    3 For the first rule, click New, set up a condition that permits access if the user has been assigned the Employee role, then click OK. Your rule should look similar to the following:
  • Page 89 4 To create the second rule in the policy, click New. 5 To create a generic deny rule, assign a deny action, then click OK. Your rule should look similar to the following: 6 To save your employee policy, click OK > Apply Changes. 7 To create a policy for the managers, click New, specify a name for the policy, select J2EE Agent: EJB Authorization as the type, then click OK.
  • Page 90 Creating Web Authorization Policies You need to create two policies: one that permits Managers to access resources and one that permits Employees to access resources. 1 In the Administration Console, click Devices > Policies.
  • Page 91 2 To create an Authorization policy for the employees, click New, specify a name for the policy, select J2EE Agent: Web Authorization as the type, then click OK. 3 For the first rule, click New, set up a condition that permits access if the user has been assigned the Employee role, then click OK.
  • Page 92 10 To create a generic deny rule, assign a deny action, then click OK. Your rule should look similar to the following: 11 To save your manager policy, click OK > Apply Changes. 12 Continue with Section 7.2.3, “Assigning Policies to Protected Resources,” on page 93
  • Page 93: Assigning Policies To Protected Resources

    7.2.3 Assigning Policies to Protected Resources After creating the Authorization policies, you need to create protected resources for the payroll application, then assign the policies to the protected resources. “Assigning the Authorization Policies to Protected Web Resources” on page 93 “Assigning the Authorization Policies to Protected EJB Resources”...
  • Page 94: Testing The Configuration

    5 To save your changes, click Configuration Panel, then click OK. 6 On the J2EE Agents page, click Update. 7.2.4 Testing the Configuration 1 Deploy the sample payroll application on your J2EE server.
  • Page 95 The location of the sample application is platform-specific: On a Linux or AIX J2EE server, the application is copied to the /opt/novell/nids_agents/example directory. On a Windows J2EE server, the application is copied to the <Install_Directory>\sampleapp directory. 2 On your J2EE server, prepare the application to use the agent for login and logout. (See Section 4.1, “Preparing the Application for the Agent,”...
  • Page 97: Managing A J2EE Agent

    Managing a J2EE Agent The following sections describe the options available for managing a J2EE Agent. Section 8.1, “Viewing General Status Information,” on page 97 Section 8.2, “Stopping and Starting the Agent,” on page 98 Section 8.3, “Stopping and Starting the Embedded Service Provider,” on page 98 Section 8.4, “Deleting an Agent from the Administration Console,”...
  • Page 98: Stopping And Starting The Agent

    The actual user session is on the Identity Server, so the user can access the resources without logging in again after the embedded service provider has started. For example,
  • Page 99: Deleting An Agent From The Administration Console

    if a user was adding items to a shopping cart when the action to stop and start the embedded service provider occurred, the user loses the items in the shopping cart but can continue shopping and adding new items without logging in again. To stop or start the embedded service provider of a J2EE Agent: 1 In the Administration Console, click Devices >...
  • Page 100: Managing The Health Of An Agent

    3 If you want to have the page refreshed with information sent from the agent, click Update from Server. 4 If the status icon does not turn green, view the information in the Services Detail section. For an agent, this includes information such as the following:
  • Page 101: Managing Alerts

    correctly. See “Backing Up and Restoring Components” in the Novell Access Manager 3.1 SP1 Administration Console Guide. Signing and Encryption Keys: Indicates whether the Signing keystore contains a key. Click Devices > J2EE Agents > Edit > Service
  • Page 102 WebSphere server security is not enabled. Enable WebSphere's server security; refer to the WebSphere documentation. The JACC PolicyConfigurationFactory was not initialized. Configure the J2EE Application Server to use the proper PolicyConfigurationFactory. Contact Novell® Support. 4 Click Close.
  • Page 103: Viewing The Status Of Recent Commands

    8.8 Viewing the Status of Recent Commands Agent commands are issued when the configuration of the agent is modified and when the agent is stopped, started, or refreshed. 1 In the Administration Console, click Devices > J2EE Agents > [Name of Agent] > Command Status.
  • Page 104 Graphs. Start Up Time: Displays when the J2EE Agent was last started. Up Time: Displays how long the J2EE Agent has been running since it was last started. 4 Click Close.
  • Page 105: Troubleshooting The J2Ee Agent

    Troubleshooting the J2EE Agent This section has the following information: Section 9.1, “Troubleshooting the J2EE Agent Import,” on page 105 Section 9.2, “Authorization Policies Fail for Some Attributes,” on page 105 Section 9.3, “Health Status Displays as Server Is Not Reporting,” on page 106 Section 9.4, “Error: Invalid Administration Server IP Address,”...
  • Page 106: Health Status Displays As Server Is Not Reporting

    The installation directory of the administration console must be reachable by LDAP. Check whether the firewall blocks the ports; if it does, open the port. Check that eDirectory is running. Check that the administration console is installed properly.
  • Page 107: Installer Stops Responding While Installing On Websphere

    4 If you are prompted to confirm overwriting some of the files that were installed during the previous failed attempt, click OK. Contact Novell® Support if the problem persists. 9.6 Unable to Federate WebSphere Custom Profile If Agent is Already Installed...
  • Page 108: Authorization Fails In The Websphere Application

    J2EE Agent is installed, they fail to be propagated to the JACC module automatically even after a restart. If this happens, do the following: 1 Browse to the folder where the Novell J2EE Agent is installed. 2 Open , which is located in the folder.
  • Page 109: Weblogic Agent

    (LogEvent.jar in nesp.ear/nesp.war/WEB-INF/lib). Windows: Edit the WL_HOME/common/bin/commEnv.cmd file. Change the %AGENT_LIB%\LogEvent.jar path variable to the Program Files\novell\audit\NAuditPA.jar variable. Delete the LogEvent.jar file from the ESP directory (nesp.ear/nesp.war/WEB-INF/lib). 9.9 JBoss and SSL If you want to restrict access to SSL on JBoss, you need to either disable the HTTP port in JBoss and enable only the SSL port or configure SSL in the file.
  • Page 110 Figure 9-1 is a flowchart of the agent's access decision; its nodes are: Request Received; User Log In; Authenticated?; Successful?; Matches a Protected Resource?; Access Manager Authorization Policy Enabled?; Authorization Returns Success?; J2EE Application Server Authorization Policy Enabled?; Successful?; Grant Access; Deny Request.
  • Page 111 If users are not getting access to a resource when they should, you need to enable tracing (see Section 9.10, “Viewing Log Files,” on page 109) and view the log files to determine where the error is occurring. Login: The Identity Server supports a variety of contracts that can be used for logging in. You need to create a contract that is compatible with the J2EE server, if it has been configured to verify login credentials.
