Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Novell Trademarks For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/ trademarks/tmlist.html). Third-Party Materials All third-party trademarks are the property of their respective owners.
B.1.2 When the Full Certificate Chain Is Not Returned During an Automatic Import of the Trusted Root, page 112; B.1.3 Using Internet Explorer to Add a Trusted Root Chain.
About This Guide This guide describes the following features of the Novell® Access Manager Administration Console: Chapter 1, “Administration Console,” on page 11 Chapter 2, “Backing Up and Restoring Components,” on page 31 Chapter 3, “Security and Certificate Management,” on page 41 Chapter 4, “Access Manager Logging,”...
Novell Access Manager 3.1 SP1 SSL VPN Server Guide Novell Access Manager 3.1 SP1 Event Codes Documentation Conventions In Novell documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path...
(found in the novell container), then click Restrictions. For configuration help, use the Help button. Intruder Detection: The admin user is created in the novell policy container. You should set up an intruder detection policy for this container. In the Administration Console, select the Roles and Tasks icon in the iManager header, then click Directory Administration >...
Manager. If something happens to the user who knows the name and password of this user, or if the user forgets the password, you cannot access the Administration Console. Novell recommends that you create at least one backup user and make that user security equivalent to the admin user.
These Management Communication Channel events have an ID of 002e0605. All Access Manager events begin with 002e. SSL VPN starts with 0031. You can set up Novell Auditing to send e-mail whenever these events or your selected audit events occur. See “Configuring System Channels”...
Access Manager has two views in the Administration Console. Access Manager 3.0 and its Support Packs used the Roles and Tasks view, with Access Manager as the first listed task in the left hand navigation frame. It looks similar to the following: Novell Access Manager 3.1 SP1 Administration Console Guide...
Figure 1-1 Access Manager Roles and Tasks View. This view has the following advantages: Other tasks that you occasionally need to manage the configuration datastore are visible. If you are familiar with 3.0, you do not need to learn new ways to navigate to configure options.
When you install or upgrade to Access Manager 3.1 and log in to the Administration Console, the default view is set to the Access Manager view. To change the view: 1 Locate the Header frame...
1.5 Changing the Password for the Administration Console The admin of the Administration Console is a user created in the novell container of the configuration store. To change the password: 1 In the Administration Console, click Users > Modify User.
4 Click Security > Security Equal To. 5 Select the admin user, then click Apply > OK. 6 Repeat Step 3 through Step 5 for each user you want to make security equivalent to the admin user...
1.6.2 Managing Delegated Administrators As the Access Manager admin user, you can create delegated administrators to manage the following Access Manager components:
Individual Access Gateways or an Access Gateway cluster
Identity Server clusters
Individual J2EE agents or a J2EE agent cluster
Individual SSL VPN servers or an SSL VPN cluster
Policy containers
IMPORTANT: You need to trust the users you assign as delegated administrators.
You can assign a user to be a delegated administrator of an Access Gateway cluster or a single Access Gateway that does not belong to a cluster. You cannot assign a user to manage a single member of a cluster...
When a delegated administrator of an Access Gateway cluster is granted View/Modify rights, the administrator has sufficient rights to change the cluster configuration, to stop and start (or reboot and shutdown), and to update the Access Gateways in the cluster. However, to configure the Access Gateway to use SSL, you need to be the admin user, rather than a delegated administrator.
1 In the Administration Console, click Auditing > Auditing. 2 Make sure you have configured the IP address and port to use for your Secure Logging Server. The server can be a Novell Audit server or a Sentinel server. For more information about this process, see Section 1.7, “Enabling Auditing,”...
3 From the iManager view bar, select the Roles and Tasks view. 4 Click Directory Administration > Modify Object. 5 Click the Object Selector icon, expand the novell container, then select the eDirectory server. The eDirectory server uses the tree name, without the _TREE suffix, for its name. The tree name is displayed in the iManager view bar.
Novell Audit server. If the Novell Audit server is not available, the Platform Agent caches log entries until the server is operational and can accept audit log data. The Platform Agent can be configured to forward events to Sentinel rather than Novell Audit. For information on how to do this, see “Specifying the Logging Server and the Console Events”...
Specifying the Logging Server and the Console Events The Secure Logging Server manages the flow of information to and from the Novell auditing system. It receives incoming events and requests from the Platform Agents, logs information to the data store, monitors designated events, and provides filtering and notification services. It can also be configured to automatically reset critical system attributes according to a specified policy.
You can minimize the effects of this scenario by configuring the following two parameters in the logevent file. Parameter Description LogMaxCacheSize Sets a limit to the amount of cache the Platform Agent can consume to log events when the audit server is unreachable. The default is unlimited...
SQL. Although you must be familiar with the SQL language to create SQL query statements, this is the most powerful and flexible query method. Novell Audit provides two tools to query events and generate reports: the Novell Audit iManager plug-in and Novell Audit Report (...
“Novell Audit Report” on page 28 The Novell Audit iManager Plug-in The Novell Audit iManager plug-in is a Web-based JDBC* application that enables you to query MySQL and Oracle databases. All queries are defined in SQL. iManager includes several predefined queries and it includes a Query Builder to help you define basic query statements.
“Working with Reports in Novell Audit Report” (http://www.novell.com/documentation/ novellaudit20/novellaudit20/data/alorpgw.html#alsn2fj) “Working with Queries in Novell Audit Report” (http://www.novell.com/documentation/ novellaudit20/novellaudit20/data/alorpgw.html#alshpuw)...
Access Manager. The following sections describe how to back up and restore your Access Manager components and how to export your configuration for Novell Support: Section 2.1, “How The Backup and Restore Process Works,” on page 31 Section 2.2, “Backing Up the Administration Console,”...
The backup script backs up the objects in the ou=accessManagerContainer.o=novell container. It does not back up the following: Admin user account and password Delegated administrator accounts, their passwords, or rights Role Based Services (RBS) configuration Modified configuration files on the devices such as the file web.xml...
The certificates contained in the configuration store. The trusted roots in the trustedRoots container of the accessManagerContainer object. An encrypted LDIF file, containing everything found in the OU=accessManagerContainer,O=novell container. The server.xml file containing the Tomcat configuration information for the Administration Console.
13c (Optional) To verify that the re-push of the certificates was successful, click Security > Command Status. If you are restoring only the Administration Console, other components should still function properly after the restore...
9a Remove the Identity Server from the cluster configuration. (See “Removing a Server from a Cluster Configuration” in the Novell Access Manager 3.1 SP1 Identity Server Guide.) 9b Delete the Identity Server from the Administration Console. (See “Managing an Identity Server”...
9 For the SSL VPN Server, complete the following steps after the restore has finished: 9a Remove the SSL VPN Server from the cluster configuration. 9b Delete the SSL VPN Server from the Administration Console. 9c Uninstall the SSL VPN server...
1 Remove the Identity Server from the Identity Server cluster configuration. (See “Removing a Server from a Cluster Configuration” in the Novell Access Manager 3.1 SP1 Identity Server Guide.) 2 Delete the Identity Server from the Administration Console. (See “Managing an Identity Server”...
5b If you have configured the Access Gateway to use SSL, reconfigure the certificates for the listener. Click Devices > Access Gateways > Edit > [Name of Reverse Proxy]. 5c Save and apply any changes...
These are not instances of passwords, but rather definitions that describe passwords as string types. The LDIF file can then be sent to Novell Support for help in diagnosing configuration problems...
Administration Console and is the main certificate store for all of the Access Manager components. If you use Novell Certificate Server®, you can create certificates there and import them into Access Manager.
A CA is a third-party or network authority that issues and manages security credentials and public keys for message encryption. The CA’s certificate is held in the configuration store of the computers that trust the CA...
A keystore is a store, such as a file, containing keys and certificates. Access Manager components and agents can access the keystore to retrieve certificates and keys as needed. Keystores for Access Manager are already defined for the components...
Linux Device: /opt/novell/devman/jcc/certs/<device> Windows Device: C:\Program Files\novell\devman\jcc\certs/<device> The <device> can be idp (for the Identity Server), esp (for the Embedded Service Providers, including Access Gateways, J2EE agents, and SSL VPN servers), or sslvpn (for the SSL VPN server). Access Manager creates keystores for the following devices: “Identity Server Keystores”...
This keystore does not use the default location; it is located in the /etc/opt/novell/sslvpn/certs directory. SSL Connector: This keystore contains the certificate that encrypts authentication information between the SSL VPN client browser and the SSL VPN server...
Keystores When Multiple Devices Are Installed on the Administration Console Access Manager creates the following keystore when the Identity Server and the SSL VPN server are installed on the Administration Console. COMMON_TOMCAT_CLUSTER: This keystore contains the certificate that is used for SSL connections.
CA that can issue and sign certificates, and a certificate server that generates or imports certificates and keys, and generate CSRs 1 In the Administration Console, click Security > Certificates. 2 Click New...
3 Select the following option: Use local certificate authority: Creates a certificate signed by the local CA (or Organizational CA), and creates the private key. For information about creating a CSR, see “Generating a Certificate Signing Request” on page 4 Provide a certificate name: Certificate name: The name of the certificate.
7 (Optional) To configure advanced options, click Advanced Options. 8 Configure the following options as necessary for your organization: Critical: Specifies that an application should reject the certificate if the application does not understand the key usage extensions...
Alternate Names button. Alternate names can represent the entity identified by the certificate. The certificate can identify the subject CN=www.OU=novell.O=com, but the subject can also be known by an IP address, such as 222.111.100.101, or a URI, such as www.novell.com, for example.
Registered ID: An ASN.1 object identifier. DNS Name: A domain name such as novell.com. Email Address (RFC 822 name): An e-mail address such as ca@novell.com. X400 Name: The messaging and e-mail standard specified by the ITU-TS (International Telecommunications Union - Telecommunication Standard Sector). It is an alternative to the more prevalent Simple Mail Transfer Protocol (SMTP) e-mail protocol.
street: Describes the street address (OID: 2.5.4.9) serialNumber: Specifies the serial number of a device (OID: 2.5.4.5) title: Describes the position or function of an object (OID: 2.5.4.12) description: Describes the associated object (OID: 2.5.4.13) searchGuide: Specifies a search filter (OID: 2.5.4.14) businessCategory: Describes the kind of business performed by an organization (OID: 2.5.4.15) postalAddress: Specifies address information required for the physical delivery of postal messages (OID: 2.5.4.16)
Certificate name: The name of the certificate. Pick a unique, system-wide name for the certificate that you can easily associate with the certificate’s purpose. The name must contain only alphanumeric characters and no spaces...
Subject: An X.500 formatted distinguished name that identifies the entity that is bound to the public key in an X.509 certificate. Choose the subject name that the browser expects to find in the certificate. The name you enter must be fully distinguished. Completing all the fields creates a fully distinguished name that includes the appropriate types (such as C for country, ST for state, L for location, O for organization, OU for organizational unit, and CN for common name).
Certificate data file (PFX/PKCS12): The certificate file to import. You can browse to locate the PKCS12 file. Certificate data file (JKS): To locate a JKS file, select this option, then click the Browse button. 4 Click OK...
If you receive an error when importing the certificate, the error comes from either NICI or PKI. For a description of these error codes, see Novell Certificate Server® Error Codes and Novell International Cryptographic Infrastructure (http://www.novell.com/documentation/nwec/ index.html). For general certificate import issues, see Section B.1.1, “Importing an External Certificate Key Pair,”...
You cannot export a certificate if you enabled the Do not allow private key to be exportable option while creating the certificate. 1 In the Administration Console, click Security > Certificates. 2 On the Certificates page, click the certificate. 3 On the Certificate Details page, click Export Private/Public Keypair...
4 Select the format for the key: PFX/PKCS12: Public Key Cryptography Standards #12 (PKCS#12) format, which is also called PFX format. This format can be used to create JKS or PEM files. JKS: Java keystore format. 5 Specify the password in the Encryption/decryption password field, then click OK. IMPORTANT: Remember this password because you need it to re-import the key.
Implementations search the CRL from each distribution point (the distribution point is usually a URI that points to a store of revoked certificates) to see whether a certificate has been revoked...
Authority Info Access (OCSP): Displays a list of Online Certificate Status Protocol (OCSP) responders that are embedded into the certificate as an extension at certificate creation time. Implementations query the OCSP responder to see whether a certificate has been revoked. 3.2.3 Managing Trusted Roots and Trust Stores When an external certificate authority creates certificates, you need to import the trusted root of the certificate authority and assign the trusted root to the trust store of the device that needs to trust the...
Trust store type: The type of trust store such as Java, PEM, or DER. Cluster or Device name: The name of the cluster using this trust store or the single device that is using the trust store...
Cluster members’ Trust Stores: The trust stores assigned to a cluster. If a device does not belong to a cluster, this section does not appear. Viewing Trusted Root Details 1 In the Administration Console, click Security > Trusted Roots. 2 Click the name of a trusted root. 3 View the following information: Field Description...
Section 3.3.6, “Changing a Non-Secure (HTTP) Environment to a Secure (HTTPS) Environment,” on page 69 Section 3.3.7, “Creating Keystores and Trust Stores,” on page 69 Section 3.3.8, “Reviewing the Command Status for Certificates,” on page 71...
3.3.1 Importing a Trusted Root to the LDAP User Store When you specify the settings of a user store for an Identity Server configuration, or add a user store, you can import the trusted root certificate to the LDAP user store device. 1 In the Administration Console, click Devices >...
If this revocation checking protocol is used, the Identity Server does not cache or store the information in the reply, but sends a request every time it needs to check the revocation status of a...
The system restarts Tomcat for you if you click Restart Now at the prompt. If you want to restart at your convenience, select Restart Later and then manually restart Tomcat. Linux: Enter the following command: /etc/init.d/novell-tomcat5 restart Windows: Enter the following commands: net stop Tomcat5 net start Tomcat5 8 Update the Identity Server configuration on the Servers page, as prompted.
Import the public certificate of the CA into the Identity Server configuration that the component is using for authentication. In the Administration Console, click Devices > Identity Servers > Edit > Security > NIDP Trust Store and add the certificate to the Trusted Roots list...
4 (Conditional) If you have set up federation, reimport metadata for trusted service and identity providers. (See “Managing Metadata” in the Novell Access Manager 3.1 SP1 Identity Server Guide.) 5 Change the Access Gateway configuration to HTTPS. (See “Configuring the Access Gateway SSL”...
This creates the keystore. 9 (Optional) On the Keystore page, assign a certificate to the new keystore by selecting the store’s check box. 10 Click OK in the Add Certificate to Keystores dialog box...
3.3.8 Reviewing the Command Status for Certificates You can view the status of the commands that have been sent to the certificate server for execution. 1 In the Administration Console, click Security > Certificates, then click Command Status. 2 Use the following options to review or change a server’s certificate command status: Delete: To delete a command, select the check box for the command, then click Delete.
If the command failed, additional information is available. For a command that the Administration Console can successfully process, the page displays a Command Execution Details section with the name of the command and the command results. 4 Click Close...
Access Manager Logging Section 4.1, “Understanding the Types of Logging,” on page 73 Section 4.2, “Downloading the Log Files,” on page 74 Section 4.3, “Using the Log Files for Troubleshooting,” on page 79 4.1 Understanding the Types of Logging Access Manager supports three types of logging: Section 4.1.1, “Component Logging for Troubleshooting Configuration or Network Problems,”...
If you want this file to appear in this list on a Linux machine, you must make this file readable by the novlwww user. It is a breach of Novell Audit security for Access Manager code to change the permissions on this file. You must decide whether changing its permissions and displaying the file in this list compromises your security.
app_cc.0.log: Contains events related to policy configuration.
/Program Files/Novell/log/platform.0.log: Contains XML events for configuration changes. This log file contains very little useful information for system administrators.
/Program Files/Novell/Nsure Audit/logs/auditlog: Contains the log entries for Novell auditing.
Linux Identity Server...
Echo to Console option from the Identity Servers > Servers > Edit > Logging page. Check this file for entries tracing the evaluation of authorization, identity injection, and form fill policies...
(To enable this type of logging, see “Configuring Proxy Service Logging” in the Novell Access Manager 3.1 SP1 Access Gateway Guide.) A directory is listed for each reverse proxy on which you have enabled logging.
0.log.0 interaction of the SSL VPN with the Administration Console, such as imports, certificates, and configuration. /var/log/messages Contains the log entries for the connection manager and socks servers...
Identity Server for authentication. For configuration information, see “Configuring Component Logging” in the Novell Access Manager 3.1 SP1 Identity Server Guide. Embedded Service Providers: Each Access Manager device has an Embedded Service Provider that communicates with the Identity Server. Its log level is controlled by configuring Identity Server logging.
The following entry is a typical entry that is logged when a user has initiated a login sequence.
<amLogEntry> 2007-06-08T21:06:25Z INFO NIDS Application: AM#500105014: AMDEVICEID#9921459858EAAC29: AMAUTHID#BB11C254B7521B5E836D8703826287AF: Attempting to authenticate user cn=jwilson,o=novell with provided credentials. </amLogEntry>
Table 4-2 Fields in a Log Entry...
This information is optional, and contains information that is specific to the log entry. It can be as simple as an informational string, such as the string in the example log entry: Attempting to authenticate user cn=jwilson,o=novell with provided credentials. The supplementary information can have a very specific format. For an example and explanation of the policy trace information, see “Understanding Policy Evaluation...
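The entry layout described above (timestamp, level, component, AM# event code, AMDEVICEID, AMAUTHID, then the free-form message) lends itself to a small parser that a defender can run over an Identity Server log to reconstruct login sequences per AMAUTHID. The following is an added example, not code from the guide or from Novell; the sample entries are the ones quoted on this page, and the event-code meanings (500105014 attempt, 500105012/500105013 authenticated, 500105017 login succeeded) are taken from those entries' own messages.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the log entries quoted in this guide, joined into one text.
SAMPLE_LOG = """
<amLogEntry> 2007-06-08T21:06:25Z INFO NIDS Application: AM#500105014: AMDEVICEID#9921459858EAAC29: AMAUTHID#BB11C254B7521B5E836D8703826287AF: Attempting to authenticate user cn=jwilson,o=novell with provided credentials. </amLogEntry>
<amLogEntry> 2007-06-14T17:14:39Z INFO NIDS Application: AM#500105013: AMDEVICEID#9921459858EAAC29: AMAUTHID#F35A3C7AD7F2EEDEB3D17F99EC3F39D1: Authenticated user cn=bcf,o=novell in User Store Local Directory with roles Manager,authenticated. </amLogEntry>
<amLogEntry> 2007-06-14T17:14:39Z INFO NIDS Application: AM#500105017: AMDEVICEID#9921459858EAAC29: AMAUTHID#F35A3C7AD7F2EEDEB3D17F99EC3F39D1: Login succeeded, redirecting to http://10.10.15.19:8080/nidp/app. </amLogEntry>
<amLogEntry> 2007-07-31T17:36:49Z INFO NIDS Application: AM#500105014: AMDEVICEID#AA257DA77ED48DB0: AMAUTHID#83778AE09DCA5A35B57842D754A60D67: Attempting to authenticate user cn=admin,o=novell with provided credentials. </amLogEntry>
<amLogEntry> 2007-07-31T17:36:49Z INFO NIDS Application: AM#500105012: AMDEVICEID#AA257DA77ED48DB0: AMAUTHID#83778AE09DCA5A35B57842D754A60D67: Authenticated user cn=admin,o=novell in User Store Internal with no roles. </amLogEntry>
"""

# One <amLogEntry> ... </amLogEntry> record. DOTALL lets a record span lines,
# which real log files do when the message is long.
ENTRY_RE = re.compile(
    r"<amLogEntry>\s*"
    r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+"
    r"(?P<level>[A-Z]+)\s+"
    r"(?P<component>[^:]+):\s+"
    r"AM#(?P<event>[0-9A-Fa-f]+):\s+"
    r"AMDEVICEID#(?P<device>[^:\s]+):\s+"   # e.g. 9921459858EAAC29 or esp-2FA73CE1A376FD91
    r"AMAUTHID#(?P<auth>[0-9A-Fa-f]+):\s+"
    r"(?P<msg>.*?)\s*</amLogEntry>",
    re.DOTALL,
)

# Message shapes seen in the guide's entries (event codes given in the comments).
ATTEMPT_RE = re.compile(r"Attempting to authenticate user (\S+) with provided credentials")  # 500105014
AUTHED_RE = re.compile(r"Authenticated user (\S+) in User Store (.+?) with (?:roles (.+?)|no roles)\.?$")  # 500105012/13
REDIRECT_RE = re.compile(r"Login succeeded, redirecting to (\S+?)\.?$")  # 500105017


@dataclass
class Session:
    """Everything the log tells us about one AMAUTHID (one authentication session)."""
    auth_id: str
    device: str
    attempted_user: Optional[str] = None
    authenticated_user: Optional[str] = None
    user_store: Optional[str] = None
    roles: List[str] = field(default_factory=list)
    redirect: Optional[str] = None
    events: List[str] = field(default_factory=list)


def parse_entries(text: str) -> List[Dict[str, str]]:
    """Split raw log text into a list of field dictionaries, one per entry."""
    return [m.groupdict() for m in ENTRY_RE.finditer(text)]


def build_sessions(entries: List[Dict[str, str]]) -> Dict[str, Session]:
    """Group entries by AMAUTHID and pull the user, store, roles and outcome out of the messages."""
    sessions: Dict[str, Session] = {}
    for e in entries:
        s = sessions.setdefault(e["auth"], Session(e["auth"], e["device"]))
        s.events.append(e["event"])
        msg = e["msg"]
        if e["event"] == "500105014":
            m = ATTEMPT_RE.search(msg)
            if m:
                s.attempted_user = m.group(1)
        elif e["event"] in ("500105012", "500105013"):
            m = AUTHED_RE.search(msg)
            if m:
                s.authenticated_user = m.group(1)
                s.user_store = m.group(2)
                s.roles = m.group(3).split(",") if m.group(3) else []
        elif e["event"] == "500105017":
            m = REDIRECT_RE.search(msg)
            if m:
                s.redirect = m.group(1)
    return sessions


def unresolved_attempts(sessions: Dict[str, Session]) -> List[str]:
    """Users whose session shows an authentication attempt but never an
    'Authenticated user' entry: the list to review for failed or abandoned logins."""
    return sorted(s.attempted_user for s in sessions.values()
                  if s.attempted_user and not s.authenticated_user)


if __name__ == "__main__":
    sess = build_sessions(parse_entries(SAMPLE_LOG))
    for s in sess.values():
        print(s.auth_id, s.attempted_user or s.authenticated_user, s.roles, s.redirect)
    print("unresolved:", unresolved_attempts(sess))
```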
If the Access Gateway initiates the authentication because of a user request to a protected resource, the Embedded Service Provider log file of the Access Gateway also contains entries for the...
AdditionalRole(6601):unknown():Manager:~~~Success(0) </amLogEntry>
11. <amLogEntry> 2007-06-14T17:14:39Z INFO NIDS Application: AM#500105013: AMDEVICEID#9921459858EAAC29: AMAUTHID#F35A3C7AD7F2EEDEB3D17F99EC3F39D1: Authenticated user cn=bcf,o=novell in User Store Local Directory with roles Manager,authenticated. </amLogEntry>
12. <amLogEntry> 2007-06-14T17:14:39Z INFO NIDS Application: AM#500105017: AMDEVICEID#9921459858EAAC29: AMAUTHID#F35A3C7AD7F2EEDEB3D17F99EC3F39D1: Login succeeded, redirecting to http://10.10.15.19:8080/nidp/app. </amLogEntry>...
Executing contract Name/Password - Form. </amLogEntry>
<amLogEntry> 2007-07-31T17:36:49Z INFO NIDS Application: AM#500105014: AMDEVICEID#AA257DA77ED48DB0: AMAUTHID#83778AE09DCA5A35B57842D754A60D67: Attempting to authenticate user cn=admin,o=novell with provided credentials. </amLogEntry>
<amLogEntry> 2007-07-31T17:36:49Z INFO NIDS Application: AM#500105012: AMDEVICEID#AA257DA77ED48DB0: AMAUTHID#83778AE09DCA5A35B57842D754A60D67: Authenticated user cn=admin,o=novell in User Store Internal with no roles. </amLogEntry>...
Processing proxy request for login using contract name/password/uri and return url http://jwilson.provo.novell.com/ </amLogEntry>
<amLogEntry> 2007-07-31T17:35:05Z INFO NIDS Application: AM#500105015: AMDEVICEID#esp-2FA73CE1A376FD91: AMAUTHID#C6D119FD93EEBBEBEC50BEB27B9E2832: Processing login request with TARGET = http://jwilson.provo.novell.com/, saved TARGET = . </amLogEntry>
<amLogEntry> 2007-07-31T17:35:05Z INFO NIDS Application: AM#500105009: AMDEVICEID#esp-2FA73CE1A376FD91: AMAUTHID#C6D119FD93EEBBEBEC50BEB27B9E2832: Executing contract IDP Select.
See the following sections: “Installing Secondary Versions of the Administration Console” in the Novell Access Manager 3.1 SP1 Setup Guide “Converting a Secondary Console into a Primary Console” on page 95 Converting a secondary console into a primary console is not a simple task. The task was designed as a disaster recovery solution when the primary console is no longer available.
14 Start the server communication service by using the following command: Linux: /etc/init.d/novell-jcc start Windows: net start jccserver 15 Restart Tomcat: Linux: Enter the following command: /etc/init.d/novell-tomcat5 restart Windows: Enter the following commands: net stop Tomcat5 net start Tomcat5...
For information about deleting an Identity Server, see “Maintaining an Identity Server” in the Novell Access Manager 3.1 SP1 Identity Server Guide. 5.3 Changing the IP Address of the Access Gateway Appliance If you need to change the IP address of the Access Gateway machine, you need to configure the Access Gateway for this change.
To move a machine or change the IP address for the audit server: 1 In the Administration Console, click Auditing > Novell Auditing. 2 On the Novell Auditing page, change the IP address for the server and, if necessary, the port. 3 Click OK.
Troubleshooting the Administration Console This section discusses general troubleshooting issues found in the Administration Console: Section 6.1, “Stopping Tomcat on Windows,” on page 91 Section 6.2, “Checking for Potential Configuration Problems,” on page 91 Section 6.3, “Logging,” on page 93 Section 6.4, “Event Codes,”...
The invalid elements that do not have an associated resource data element are listed in this section. Click the Repair button to remove them...
Configuration. 6.3 Logging You can troubleshoot by configuring component logging. In the Administration Console, click Devices > Identity Server > Edit > Logging. For details, see “Configuring Component Logging” in the Novell Access Manager 3.1 SP1 Identity Server Guide...
3 Remove traces of the secondary console from the configuration datastore: 3a In the iManager menu bar, select View Objects. 3b In the Tree view, select novell, and view the objects. 3c Delete all objects that reference the failed secondary console.
6 Uninstall the secondary consoles. For instructions, see “Uninstalling the Administration Console” in the Novell Access Manager 3.1 SP1 Installation Guide. 7 Reinstall the secondary consoles as secondary consoles to the new primary console. 6.7 Converting a Secondary Console into a...
3 Start the NDSCons.exe program. 4 Select dsrepair.dlm. 5 In the Parameters box, specify -A, then click Start. 6 Click Partitions > Root > Designate This Server As The New Master Replica...
Administration Console. 2 Change to the backup directory: Linux: /opt/novell/devman/bin Windows: C:\Program Files\Novell\bin 3 Edit the backup properties file. 3a Open the file that on Linux is a script file, and on Windows is a properties file: Linux: defbkparm.sh Windows: defbkparm.properties...
2 Open a terminal window and shut down all services by entering the following commands: /etc/init.d/novell-jcc stop /etc/init.d/novell-tomcat5 stop /etc/init.d/novell-vmc stop 3 If you are running SSL VPN, enter the following command to stop SSL VPN: /etc/init.d/novell-sslvpn stop...
6a Browse to the following container: novell > accessManagerContainer > VCDN_Root > PartitionsContainer > Partition > AppliancesContainer. A list of devices appears. Access Gateways have an ag prefix.
7 At the new primary Administration Console, edit the WorkingConfig object of the Linux Access Gateway: Use an LDAP browser for these steps. 7a Browse to the following container: novell > accessManagerContainer > VCDN_Root > PartitionsContainer > Partition > AppliancesContainer. A list of devices appears. Expand the Access Gateway container.
Tomcat5 2 Edit the settings.properties file in the following directory: C:\Program Files\Novell\devman\jcc\conf 3 Change the IP address in the remotemgmtip list from the IP address of the failed Administration Console to the address of the new primary Administration Console.
5a Browse to the following container: novell > accessManagerContainer > VCDN_Root > PartitionsContainer > Partition > AppliancesContainer. A list of devices appears. SSL VPN devices have an sslvpn prefix.
6 At the new primary Administration Console, edit the WorkingConfig object of the SSL VPN container: Use an LDAP browser for these steps. 6a Browse to the SSL VPN object by expanding the following containers: novell > accessManagerContainer > VCDN_Root > PartitionsContainer > Partition > AppliancesContainer.
There should only be one profile object for each GUID. 5 Delete that child profile object. 6 Repeat these steps for each User object that you want to delete. 7 Delete the User objects...
3 In the View bar, select the Repair icon. For more information about DSRepair, see the following: Click the Help icon. Using NdsRepair (http://www.novell.com/documentation/edir88/edir88tshoot/data/ bq0gv5l.html) 6.10 Session Conflicts Do not use two instances of the same browser to simultaneously access the same Administration Console.
If the service has been started, this command returns a message that the service has been started. If the service has been stopped, it starts eDirectory. 5b Verify that the agent is running. Click Control Panel > Novell eDirectory Services, then verify that the Server box does not contain an agent closed message.
For example, if the administrator’s password is mi$$le, then the DS_ADMIN_PWD field should be mi\$\$le. This file is located in the following directory: Linux: /opt/novell/devman/bin/defbkparm.sh Windows: \Program Files\Novell\bin\defbkparm.properties...
Certificates Terminology
A public key certificate is a collection of information attached to an electronic message. It is used to verify that the user sending the message is who he or she claims to be. The following is a list of certificate terminology used in Access Manager:
Certificate authority (CA): An entity that issues digital certificates attesting to the authenticity of the information in the certificate.
CAs, so they are called “trusted roots.”
Trust store: A keystore containing only trusted roots. Intermediate CAs and end entity public certificates can be part of a trust store.
6 Select Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7B) as the format and select Include all certificates in the certification path if possible to include the certificate chain.
7 Click Next, then specify a filename and path for the file.
8 Click Next > Finish.
9 Use this P7B file to import your server certificate into Access Manager.
B.2 Mutual SSL with X.509 Produces Untrusted Chain Messages
When you set up an X.509 contract for mutual SSL authentication, you must ensure that the Identity Server trust store (NIDP-truststore) contains the trusted root from each CA that has signed the client certificates.
2 Select the store that is reporting errors, then click Re-push certificates. You can select multiple stores at the same time.
3 (Optional) To verify that the re-push of the certificates was successful, click Security > Command Status.
When a change is applied by using the UI, the system writes the configuration to the configuration store on the Administration Console, as well as to the /var/novell/cfgdb/vcdn/config.xml file on the Linux Access Gateway. If this file passes the schema checks on the...
XML validation error. This scenario is more complex because it involves changing the configuration store on the Administration Console.
Troubleshooting Steps
1 On the Administration Console, search the /opt/novell/devman/share/logs/app_sc.0.log file for the following entry: #200904025: Error - XML VALIDATION FAILED
After you find the entry, work backwards to identify the start of the Java exception.
2a Enable the most verbose level of logging in the /etc/laglogs.conf file: log_level=LOG_DEBUG. See “Configuring Log Levels” in the Novell Access Manager 3.1 SP1 Access Gateway Guide.
2b Restart the vmc services with the following command: /etc/init.d/novell-vmc restart
LastModifiedBy="cn=admin,o=novell" RuleCombiningAlgorithm="DenyOverridesWithPriority" IncludedPolicyCategories=""/>
<AuthenticationProcedureRef AuthProcedureIDRef="authprocedure_Name_Password___Form"/>
</ProtectedResource>
</ProtectedResourceList>
You should also see the following information:
<ProtectedResourceList LastModified="1179949051828" LastModifiedBy="cn=admin,o=novell">
<ProtectedResource Name="sjh_redirect" Enable="1" Description="" LastModified="1179949051828" LastModifiedBy="cn=admin,o=novell" UserInterfaceID="ProtectedResourceID_svhttp_sjh_portal_sjh_portal_1179933619340" ProtectedResourceID="ProtectedResourceID_svhttp_sjh_portal_sjh_portal_1179933619340">
<URLPathList LastModified="4294967295" LastModifiedBy="String">
<URLPath URLPath="/*" UserInterfaceID="/*"/>
</URLPathList>
<PolicyEnforcementList LastModified="1179949047445" schemaVersion="0.1" LastModifiedBy="cn=admin,o=novell" RuleCombiningAlgorithm="DenyOverridesWithPriority" IncludedPolicyCategories="">...
5 Restart Tomcat on the Administration Console machine.
6 Log in to the Administration Console again. Make a small change to the setup and apply that change, then verify that the XML validation error has disappeared.
Server Options page (Auditing and Logging > Logging Server Options). You can view events on the Event list page in Auditing and Logging > Logging Server Options > [Name of Novell Audit Secure Logging Server] > Novell Access Manager > Events.
D.1 NIDS: Sent a Federate Request (002e0001)
This event is generated when you select the Federation Request Sent option under Novell Audit Logging on the Logging page of an Identity Server configuration.
Description: NIDS: Sent a federate request.
D.2 NIDS: Received a Federate Request (002e0002)
This event is generated when you select the Federation Request Handled option under Novell Audit Logging on the Logging page of an Identity Server configuration.
Description: NIDS: Received a federate request.
Originator (B): Schema Title: Originator...
D.4 NIDS: Received a Defederate Request (002e0004)
This event is generated when you select the Defederation Request Handled option under Novell Audit Logging on the Logging page of an Identity Server configuration.
Description: NIDS: Received a defederate request
Originator (B): Schema Title: Originator...
D.7 NIDS: Logged Out an Authentication that Was Provided to a Remote Consumer (002e0007)
This event is generated when you select the Logout Provided option under Novell Audit Logging on the Logging page of an Identity Server configuration.
Description: NIDS: Logged out an authentication that was provided to a remote consumer...
Data (D): null
D.8 NIDS: Logged out a Local Authentication (002e0008)
This event is generated when you select the Logout Local option under Novell Audit Logging on the Logging page of an Identity Server configuration.
Description: NIDS: Logged out a local authentication...
Data (D): null
D.10 NIDS: User Session Was Authenticated (002e000a)
This event is generated when you select the Login Provided option under Novell Audit Logging on the Logging page of an Identity Server configuration.
Description: NIDS: User session was authenticated...
D.11 NIDS: Failed to Provide an Authentication to a Remote Consumer (002e000b)
This event is generated when you select the Login Consumed Failure option under Novell Audit Logging on the Logging page of an Identity Server configuration.
Description: NIDS: Failed to provide an authentication to a remote consumer...
D.13 NIDS: Received an Attribute Query Request (002e000d)
This event is generated when you select the Attribute Query Request Handled option under Novell Audit Logging on the Logging page of an Identity Server configuration.
Description: NIDS: Received an attribute query request...
D.15 NIDS: Failed to Provision a User Account (002e000f)
This event is generated when you select the User Account Provisioned Failure option under Novell Audit Logging on the Logging page of an Identity Server configuration.
Description: NIDS: Failed to provision a user account...
D.16 NIDS: Web Service Query (002e0010)
This event is generated when you select the Web Service Query Handled option under Novell Audit Logging on the Logging page of an Identity Server configuration. The Identity Server uses this event for two types of Web service queries:
Discovery: This is a query to discover a service.
D.18 NIDS: Connection to User Store Replica Lost (002e0012)
This event is generated when you select the LDAP Connection Lost option under Novell Audit Logging on the Logging page of an Identity Server configuration.
Description: NIDS: Connection to user store replica lost...
Data Length (X): 0
Data (D): null
D.20 NIDS: Server Started (002e0014)
This event is generated when you select the Server Started option under Novell Audit Logging on the Logging page of an Identity Server configuration.
Description: NIDS: Server started...
Data Length (X): 0
Data (D): null
D.21 NIDS: Server Stopped (002e0015)
This event is generated when you select the Server Stopped option under Novell Audit Logging on the Logging page of an Identity Server configuration.
Description: NIDS: Server stopped...
Data Length (X): 0
Data (D): null
D.23 NIDS: Intruder Lockout (002e0017)
This event is generated when you select the Intruder Lockout Detected option under Novell Audit Logging on the Logging page of an Identity Server configuration.
Description: NIDS: Intruder Lockout...
Data (D): null
D.25 NIDS: Warning Component Log Entry (002e0019)
This event is generated when you select the Component Log Warning Messages option under Novell Audit Logging on the Logging page of an Identity Server configuration.
Description: NIDS: Warning Component Log Entry...
Data (D): Schema Title: Policy Enforcement List Data Description: Policy Enforcement List (PEL) data
D.28 J2EE Agent: Web Service Authorization PEP Configured (002e0305)
This event is generated when you enable auditing.
Value1 (1): 0
Group (G): 0
Data Length (X): 0
Data (D): null
D.32 Access Gateway: Form Fill Policy Evaluation (002e0322)
This event is generated when you enable auditing.
Description: Access Gateway: Form Fill policy evaluation
Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)
Target (U): null
SubTarget (Y): null...
Policy Evaluation (002e0325)
This event is generated when you enable auditing.
Description: J2EE Agent: Web Service SSL Required policy evaluation
Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)
(002e0404)
This event is generated when you select the Successful authentications option in the Audit Configuration section of the Server Configuration page for the J2EE Agents.
Description: J2EE Agent: Authentication successful
SubTarget (Y): Schema Title: Source IP Address Data Description: User IP Address
Text1 (S): Schema Title: Authentication Identifier Data Description: IDP Session ID (AMAUTHID#auth_id:)
Text2 (T): Schema Title: Permission Requested Data Description: Web User Data Permission
Text3 (F): Schema Title: Event Identifier Data Description: Event Tracking Identifier
Value1 (1): 0
Group (G): 0
Data Length (X): 0
Data (D): null
D.43 J2EE Agent: Clear Text Access Denied (002e0408)
This event is generated when you select the Denied clear text access option in the Audit Configuration section of the Server Configuration page for the J2EE Agents.
Data (D): null
D.47 Access Gateway: Access Denied (0x002e0505)
This event is generated when you select the Access Denied option on the Novell Audit page of an Access Gateway.
Description: Access Gateway: Access Denied
In the Event list (Auditing and Logging > Logging Server Options > [Name of Novell Audit Secure Logging Server] >...
Data (D): null
D.48 Access Gateway: URL Not Found (0x002e0508)
This event is generated when you select the URL Not Found option on the Novell Audit page of an Access Gateway.
Description: Access Gateway: URL Not Found
In the Event list (Auditing and Logging > Logging Server Options > [Name of Novell Audit Secure Logging Server] >...
Data (D): null
D.49 Access Gateway: System Started (0x002e0509)
This event is generated when you select the System Started option on the Novell Audit page of an Access Gateway.
Description: Access Gateway: System Started
In the Event list (Auditing and Logging > Logging Server Options > [Name of Novell Audit Secure Logging Server] >...
Audit page of an Access Gateway.
Description: Access Gateway: Identity Injection Parameters
In the Event list (Auditing and Logging > Logging Server Options > [Name of Novell Audit Secure Logging Server] > Novell Access Manager > Events), this column is called Event Name.
Data (D): null
D.53 Access Gateway: Form Fill Authentication (0x002e050e)
This event is generated when you select the Form Fill Success option on the Novell Audit page of an Access Gateway.
Description: Access Gateway: Form Fill Authentication
In the Event list (Auditing and Logging > Logging Server Options > [Name of Novell Audit Secure Logging Server] >...
Data (D): null
D.54 Access Gateway: Form Fill Authentication Failed (0x002e050f)
This event is generated when you select the Form Fill Failed option on the Novell Audit page of an Access Gateway.
Description: Access Gateway: Form Fill Authentication Failed
In the Event list (Auditing and Logging > Logging Server Options > [Name of Novell Audit Secure Logging Server] >...
Data (D): null
D.55 Access Gateway: URL Accessed (0x002e0512)
This event is generated when you select the URL Accessed option on the Novell Audit page of an Access Gateway.
Description: Access Gateway: URL Accessed
In the Event list (Auditing and Logging > Logging Server Options > [Name of Novell Audit Secure Logging Server] >...
D.56 Access Gateway: IP Access Attempted (0x002e0513)
This event is generated when you select the IP Access Attempted option on the Novell Audit page of an Access Gateway.
Description: Access Gateway: IP Access Attempted
In the Event list (Auditing and Logging > Logging Server Options > [Name of Novell Audit Secure Logging Server] >...
D.58 Access Gateway: All WebServers for a Service is Down (0x002e0516)
This event is generated when you select the IP Access Attempted option on the Novell Audit page of an Access Gateway.
Description: Access Gateway: All Web servers for a service are down
In the Event list (Auditing and Logging >...
Description: Management Communication Channel: Health Change
In the Event list (Auditing and Logging > Logging Server Options > [Name of Novell Audit Secure Logging Server] > Novell Access Manager > Events), this column is called Event Name. In a query, this column is called EventID.
Description: Management Communication Channel: Device Deleted
In the Event list (Auditing and Logging > Logging Server Options > [Name of Novell Audit Secure Logging Server] > Novell Access Manager > Events), this column is called Event Name. In a query, this column is called EventID.
Auditing page.
Description: Management Communication Channel: Device Configuration Changed
In the Event list (Auditing and Logging > Logging Server Options > [Name of Novell Audit Secure Logging Server] > Novell Access Manager > Events), this column is called Event Name.