Authentication Contracts; Forcing 128-Bit Encryption - Novell ACCESS MANAGER 3.1 SP1 - IDENTITY SERVER Manual

assertion data. Assertions might contain the user's password or other sensitive data, which can make them less secure than an artifact when the assertion is sent to the browser. It is possible for a virus on the browser machine to access the memory where the browser decrypts the assertion. If both providers support artifacts, you should select this method because it is more secure. For more details, see the Response protocol binding option in Section 5.4.5, "Configuring an Authentication Request for an Identity Provider," on page 159.

1.8.2 Authentication Contracts

By default, the Administration Console allows you to select from the following contracts and options when specifying whether a resource requires an authentication contract:
None: Allows public access to the resource and does not require an authentication contract.
Name/Password - Basic: Requires that the user enter a name and password that matches an entry in an LDAP user store. The credentials do not need to be sent over a secure port. This contract uses the unprotected BasicClass, which is not recommended for a production environment.
Name/Password - Form: Requires that the user enter a name and password that matches an entry in an LDAP user store. The credentials do not need to be sent over a secure port, although they can be if the user is configured for HTTPS. This contract uses the unprotected PasswordClass, which is not recommended for a production environment.
Secure Name/Password - Basic: Requires that the user enter the name and password over a secure (SSL) connection. This contract uses the ProtectedBasicClass, which is recommended for a production environment. If your Web servers are using basic authentication, this contract provides the credentials for this type of authentication.
Secure Name/Password - Form: Requires that the user enter the name and password over a secure (SSL) connection. This contract uses the ProtectedPasswordClass, which is recommended for a production environment.
Any Contract: Allows the user to use any contract defined for the Identity Server configuration.
If you have set up Access Manager to require SSL connections among all of its components, you should delete the Name/Password - Form and the Name/Password - Basic contracts. This removes them from the list of available contracts when configuring protected resources, prevents them from being assigned as the contract for a protected resource, and, because Any Contract accepts whatever contracts are defined, removes them from what Any Contract will accept. If these contracts are assigned, the user's password can be sent across the wire in clear text. At some future date, if your system needs this type of contract, you can re-create it from the method. To delete these contracts, go to the Administration Console and click Identity Servers > Servers > Edit > Local > Contracts.

1.8.3 Forcing 128-Bit Encryption

You can force all client communication with the Identity Server to use 128-bit encryption by modifying the server.xml file used by Tomcat. If the browser is unable to support the encryption level specified in this file, the user is not allowed to authenticate.
1 At a command prompt, change to the Tomcat configuration directory:
Linux: /var/opt/novell/tomcat5/conf
Windows: C:\Program Files\Novell\Tomcat\conf
2 To the server.xml file, add the cipher suites you want to support. For 128-bit encryption, add the following line:
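The page of the guide ends before the line itself is shown. The following is an added example, not text or code from the Novell guide, that shows where the restriction lives (Tomcat's ciphers attribute on the SSL Connector element) and audits a server.xml for connectors that would still negotiate anything weaker than 128 bits, which is the check you want before trusting the change. The two server.xml fragments, the port, and the cipher-suite names are constructed for the example, and the key-strength table in suite_key_bits() is an assumed classification by suite name, not an Access Manager or Tomcat setting.

```python
"""Audit a Tomcat server.xml for SSL connectors that still allow encryption
weaker than 128 bits.

Added example, not taken from the Novell guide. Assumptions not in the
original page: the two server.xml fragments below are constructed for this
example, the cipher-suite names are illustrative JSSE names, and the
key-strength table in suite_key_bits() is a rough classification by name,
not an Access Manager or Tomcat setting.
"""
import re
import xml.etree.ElementTree as ET

# Constructed "before" fragment: an SSL connector with no ciphers attribute,
# so Tomcat may negotiate any suite the JVM offers (including export-grade).
WEAK_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" scheme="https" secure="true" sslProtocol="TLS"
               clientAuth="false" />
  </Service>
</Server>"""

# Constructed "after" fragment: the same connector restricted, via Tomcat's
# ciphers attribute, to a comma-separated list of 128-bit suites (example
# values, not the line the guide itself specifies).
HARDENED_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" scheme="https" secure="true" sslProtocol="TLS"
               clientAuth="false"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA" />
  </Service>
</Server>"""


def suite_key_bits(suite):
    """Approximate symmetric key strength implied by a JSSE cipher-suite name.

    Returns None for names this table does not recognise; the caller treats
    unknown suites as weak so they are reported rather than silently allowed.
    """
    name = suite.upper()
    if "_NULL_" in name:            # no encryption at all
        return 0
    if "EXPORT" in name or "_40_" in name or "DES40" in name:
        return 40                   # export-grade
    if "3DES" in name:
        return 112                  # effective strength of triple DES
    if "_DES_" in name:
        return 56                   # single DES
    if "CHACHA20" in name:
        return 256
    m = re.search(r"_(AES|RC4|CAMELLIA|ARIA)_?(\d+)", name)
    if m:
        return int(m.group(2))      # AES_128 -> 128, RC4_128 -> 128, AES_256 -> 256
    return None


def audit_connectors(server_xml, minimum_bits=128):
    """Return one finding per SSL connector found in server_xml.

    status is "unrestricted" when the connector has no ciphers attribute,
    "weak" when any listed suite (or an unrecognised one) falls below
    minimum_bits, and "ok" otherwise.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        is_ssl = conn.get("secure", "").lower() == "true" or conn.get("scheme") == "https"
        if not is_ssl:
            continue                # plain HTTP connector: nothing to audit here
        raw = conn.get("ciphers")
        if raw is None:
            findings.append({"port": conn.get("port"), "status": "unrestricted", "weak": []})
            continue
        suites = [s.strip() for s in raw.split(",") if s.strip()]
        weak = [s for s in suites if (suite_key_bits(s) or 0) < minimum_bits]
        findings.append({"port": conn.get("port"),
                         "status": "weak" if weak else "ok",
                         "weak": weak})
    return findings


if __name__ == "__main__":
    for label, xml_text in (("before", WEAK_SERVER_XML), ("after", HARDENED_SERVER_XML)):
        for finding in audit_connectors(xml_text):
            print(label, finding)
```

Run against the real /var/opt/novell/tomcat5/conf/server.xml by reading the file into audit_connectors(); a connector reported as "unrestricted" is the state the guide is telling you to fix, and any "weak" entry names the suite to remove from the ciphers list. Unknown suite names are deliberately reported as weak rather than ignored, so extending the table is safer than loosening the check.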
