Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Novell Trademarks
For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html).
Third-Party Materials
All third-party trademarks are the property of their respective owners.
About This Guide
This guide describes the following features of the Novell Access Gateway:
Chapter 1, “Configuring the Access Gateway to Protect Web Resources,” on page 13
Chapter 2, “Server Configuration Settings,” on page 73
Chapter 3, “Configuring the Access Gateway for SSL and Other Security Features,” on page 109
Chapter 4, “Access Gateway Maintenance,”...
Configuring the Access Gateway to Protect Web Resources
The Novell Access Gateway is a reverse proxy server (protected site server) that restricts access to Web-based content, portals, and Web applications that employ authentication and access control policies. It also provides single sign-on to multiple Web servers and Web applications by securely providing the credential information of authenticated users to the protected servers and applications.
Reverse proxy names and proxy service names must be unique to the Access Gateway because they are configured for global services such as IP addresses and TCP ports. For example, if you have a reverse proxy named products and another reverse proxy named library, only one of these reverse proxies can have a proxy service named corporate. Protected resource names need to be unique to the proxy service, but they don’t need to be unique to the Access Gateway because they are always accessed through their proxy service.
Novell Access Manager 3.1 SP2 Access Gateway Guide
(see the Enable SSL with Embedded Service Provider option on the Reverse Proxy page). If the Identity Server cluster is using a certificate created by the Novell Access Manager certificate authority (CA), the public key is automatically added to this trust store, so you do not need to use this option.
Force HTTP-Only Cookie: Forces the Access Gateway to set the HttpOnly keyword, which prevents scripts from accessing the cookie. This helps protect browsers from cross-site scripting vulnerabilities that allow malicious sites to grab cookies from a vulnerable site. The goal of such attacks might be to perform session fixation or to impersonate the valid user.
Host Header: Specify whether the HTTP header should contain the name of the back-end Web server (the Web Server Host Name option) or whether the HTTP header should contain the published DNS name (the Forward Received Host Name option).
Web Server Host Name: Specify the DNS name of the Web server that the Access Gateway should forward to the Web server. If you have set up a DNS name for the Web server and it requires its DNS name in the HTTP header, specify that name in this field. If the Web server has absolute links referencing its DNS name, include this name in this field.
Cookie Domain: Specifies the domain for which the cookie is valid. If one proxy service has a DNS name of www.support.novell.com and the second proxy service has a DNS name of www.developernet.novell.com, the cookie domains are support.novell.com for the first proxy service and developernet.novell.com for the second proxy service.
For example, NetStorage requires an override for the 401 error because it includes a key in the 401 error. The portal page for the Novell Open Enterprise Server requires an override for error 403 because it includes JavaScript.
If possible, they should be configured to use an NTP server.
1 Click Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Web Servers.
2 Specify the hostname that is placed in the HTTP header of the packets being sent to the Web servers. In the Host Header field, select one of the following:
Forward Received Host Name: Indicates that you want the HTTP header to contain the published DNS name that the user sent in the request.
A resource that has specialized protection requirements can be set up as a single protected resource. For example, a page that uses Form Fill is usually set up as a single protected resource.
To configure a protected resource:
1 In the Administration Console, click Devices > Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Domain-Based Proxy Service or Primary Proxy Service] > Protected Resources.
The Resource View of the Protected Resource List is used to create new protected resources or manage existing protected resources.
5 (Conditional) To modify how the authentication procedures are handled for a specific resource and contract, click the Edit Authentication Procedures icon. For configuration information, see Section 1.3.2, “Configuring an Authentication Procedure for Non-Redirected Login.”
6 Configure the URL Path. The default path is /*, which indicates everything on the Web server. Modify this if you need to restrict access to a specific directory on your Web server. If you have multiple directories on your Web server that require the same authentication contract and access control, add each directory as a URL path.
You then need to restart the Access Gateway Appliance to activate the touch file. When this touch file is used, the Access Gateway Appliance ignores the query string and uses just the path to find a match.
1.3.2 Configuring an Authentication Procedure for Non-Redirected Login
When a contract is created, it is assigned an authentication procedure that allows the user to be redirected to the Identity Server for authentication. Some applications, such as AJAX and WebDAV applications, do not support redirection for authentication.
“Configuring a Protected Resource for a SharePoint Server with an ADFS Server” on page 39
“Configuring a Protected Resource for Outlook Web Access” on page 42
“Configuring a Protected Resource for a Novell Teaming 2.0 Server” on page 44
For configuration information, see “Creating Access Gateway Authorization Policies” in the Novell Access Manager 3.1 SP2 Policy Guide. When you have completed your policy modifications, continue with Step
To create a new policy, click Manage Policies. On the Policies page, click New, specify a display name, select Access Gateway: Authorization as the type, then click OK.
4 To save your changes to the browser cache, click OK.
5 To apply your changes, click the Access Gateways link, then click Update > OK.
You must create the policy before you can assign it to a resource (see “Creating Form Fill Policies” in the Novell Access Manager 3.1 SP2 Policy Guide). To assign a Form Fill policy to a protected resource:
1 In the Administration Console, click Devices > Access Gateways > Edit > [Reverse Proxy Name] >...
X.509, RADIUS, smart card, or Kerberos. For information about such a class, see “Configuring Password Retrieval” in the Novell Access Manager 3.1 SP2 Identity Server Guide.
The protected resource is assigned to use a contract, and the timeout is assigned to the contract. For information on how to configure the contract, see “Configuring Authentication Contracts” in the Novell Access Manager 3.1 SP2 Identity Server Guide. The following sections describe four configuration scenarios and the user experience that they create.
With this configuration, activity at other resources influences the time limits so that they are not strictly enforced.
Scenario 3: If single sign-on is more important than strictly enforcing a timeout value, Novell recommends that you configure all contracts to have the same authentication timeout value.
PR1, the time line shows no activity within the time limit specified for PR2 and the user is prompted to log in.
Scenario 4: Novell does not recommend that you set different authentication timeouts on contracts and then use the Any contract option for protected resources. If you want to use the Any contract, then you should set the authentication timeout to the same value on all contracts.
Server,” on page 39
Section 1.4.3, “Configuring a Protected Resource for Outlook Web Access,” on page 42
Section 1.4.4, “Configuring a Protected Resource for a Novell Teaming 2.0 Server,” on page 44
1.4.1 Configuring a Protected Resource for a SharePoint Server
You can protect a SharePoint server as a domain-based or a path-based multi-homing resource on the Linux Access Gateway Appliance.
For more information on the other options, see “Configuring Authentication Contracts” in the Novell Access Manager 3.1 SP2 Identity Server Guide.
3 Click Next.
4 Configure a card for the contract by filling in the following:
Text: Specify the text that is displayed on the card to the user.
For single sign-on, all the protected resources need to specify the same contract. When assigning the contract for the /* resource, the contract needs to be configured to use non-redirected login for its authentication procedure. When users first access the SharePoint server, they are directed either to the home page or the root of the server. From either of these locations, the users can be redirected to the Identity Server for authentication. After the users have authenticated and the SharePoint server requests authentication for access to any of the other pages, these pages need to be configured to use non-redirected login.
3 (Optional) Specify a description for the protected resource. You can use it to briefly describe the purpose for protecting this resource.
4 Select an authentication contract. If you want to enable non-redirected login, select Name/Password - Basic as the authentication contract.
5 (Optional) If you want to enable non-redirected login, click the Edit Authentication Procedure icon, then click the contract that you have added to specify the following information:
Non-Redirected Login: Select the option to enable non-redirected login.
Realm: Specify the security realm configured for the IIS server running the Outlook Web Access server.
The following sections explain how to configure the Access Gateway with a domain-based multi-homing service. The instructions assume that you have a functioning Novell Teaming 2.0 server on Linux and a functioning Access Manager system (3.1 SP1 IR1 or higher) with a reverse proxy configured for SSL communication between the browsers and the Access Gateway.
11 Start the Teaming server with the following command:
/etc/init.d/teaming start
12 Continue with “Configuring a Domain-Based Multi-Homing Service for Novell Teaming.”
Configuring a Domain-Based Multi-Homing Service for Novell Teaming
The following instructions describe how to set up a domain-based service to protect the Teaming server.
This DNS name must resolve to the IP address you set up as the listening address. For example, teaming.doc.provo.novell.com
Web Server IP Address: Specify the IP address of the Novell Teaming server.
Host Header: Select the Web Server Host Name option.
/teaming/*
/ssf/*
2e Click OK.
3 Create a protected resource for WebDAV and AJAX content:
3a In the Protected Resource List, click New, specify a unique name, then click OK.
3b (Optional) Specify a description for the protected resource. You can use it to briefly describe the purpose for protecting this resource.
“Configuring Single Sign-On”
Configuring Single Sign-On
You must configure an Identity Injection policy to enable single sign-on with the Novell Teaming server. This Identity Injection policy should be configured to inject the authentication credentials into the authorization headers.
HTML Rewriting
Figure 1-6 HTML Rewriting (Browsers, Access Gateway, Web Server): the browser request carries the HTML header GET /path HTTP/1.1 with Host: www.novell.com; the Access Gateway forwards the request to the Web server as GET HTTP/1.1 with Host: data.com; in the reply, the HTML Rewriter changes the page source <img src=http://data.com/image1.jpg/> to <img src=http://www.novell.com/path/image1.jpg/>.
) are evaluated if the page is read from a path-based multi-homing Web server and the reference follows an HTML tag. For example, the string href=‘/docs/file.html’ is rewritten if /docs is a multi-homing path that has been configured to be removed.
Context Criteria
HTML Tags: URL references occurring within the following HTML tag attributes are evaluated for rewriting:
action, archive, background, cite, code, codebase, data, dynscr, filterLink, href, longdesc, lowsrc, o:WebQuerySourceHref, onclick, onmenuclick, pluginspage, usemap, usermapborderimage
References: An absolute reference is a reference that has all the information needed to locate a resource, including the hostname, such as http://
If you enable the Forward Received Host Name option on your path-based multi-homing service and your Web server is configured to use a different port, you need to add the DNS name with the port to the Additional DNS Name List.
If you have a third reverse proxy protecting a Web server, the rewriting rules can become ambiguous. For example, consider the configuration illustrated in Figure 1-8.
Excluding URLs
Figure 1-8 (figure placeholder: Browsers, Firewall, Access Gateway and Web Servers; names shown are product.com, data.com, novell.com.uk, novell.com.usa, and novell.com.mx, with Request arrows between the components)
the default Word profile is used. This profile is preconfigured to rewrite the Web Server Host Name and any other names listed in the Additional DNS Name List. The preconfigured profile matches all URLs with the following content-types:
text/html
text/javascript
text/xml
application/javascript
text/css
application/x-javascript
When you modify the behavior of the default profile, remember its scope. If the default profile does not match your requirements, you should usually create your own custom Word profile or custom Character profile.
Custom Word Profile
A Word profile searches for matches on words. For example, “get” matches the word “get” and any word that begins with “get”...
Possible Actions for Rewriter Profiles
The rewriter action section of the profile determines the actions the rewriter performs when a page matches the profile. Select from the following:
Inbound Actions
Enabling or Disabling Rewriting
Additional Names to Search for URL Strings to Rewrite with Host Name
String Replacement
Inbound Actions: A profile might require these options if the proxy service has the following characteristics:
URLs appear in query strings, Post Data, or headers.
The Web server uses WebDAV methods.
If your profile needs to match pages from this type of proxy service, you might need to enable the options listed below.
[w] to match one white space character
[ow] to match 0 or more white space characters
[ep] to match a path element in a URL path, excluding words that end in a period
[ew] to match a word element in a URL path, including words that end in a period
[oa] to match one or more alphanumeric characters
White Space Tokens: You use the [w] and the [ow] tokens to specify where white space might occur in the string.
To use the $path token, you add a search string and a replace string that uses the token. For example, if the page is generated by JavaScript and the multi-homing path for the proxy service is /inner, you would specify the following strings for the /prices/pricelist.html reference:
Rewritten String for the Web Server (the string as it appears to the browser, then its rewritten form for the Web server):
/inner/prices/pricelist.html -> /prices/pricelist.html
/inner/prices -> /prices
novell.com/inner/prices -> inner.com/prices
1.5.4 Configuring the HTML Rewriter and Profile
You configure the HTML rewriter for a proxy service, and these values are applied to all Web servers that are protected by this proxy service.
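To make the outbound rewriting of Figure 1-6 and the inbound $path strip of the table above concrete, the following is a simplified model written for this edit; it is not Novell's code. The ProxyService class, the URL and attribute regular expressions, the sample page and the inclusion of src among the attributes (Figure 1-6 rewrites an <img src>) are assumptions of the example.

```python
"""Simplified model of the Access Gateway HTML rewriter (added example, not
Novell's code): the outbound rewrite of Web server references into the
published name (Figure 1-6) and the inbound $path strip of a path-based
multi-homing service."""
import re

# Attribute names the guide lists as evaluated for rewriting, plus src, which
# Figure 1-6 shows being rewritten. Compared case-insensitively.
REWRITE_ATTRS = {
    "action", "archive", "background", "cite", "code", "codebase", "data",
    "dynscr", "filterlink", "href", "longdesc", "lowsrc",
    "o:webquerysourcehref", "onclick", "onmenuclick", "pluginspage", "src",
    "usemap", "usermapborderimage",
}

# Matches scheme://host/path, host/path or /path. Relative references and
# fragments do not match and are left untouched.
URL_RE = re.compile(
    r"^(?:(?P<scheme>[a-z]+)://)?(?P<host>[A-Za-z0-9.-]+)?(?P<path>/[^\s'\"<>]*)?$")

# attribute=value pairs; the value may be unquoted, as in Figure 1-6.
ATTR_RE = re.compile(
    r"""(?P<name>[A-Za-z:]+)\s*=\s*(?P<q>["']?)(?P<val>[^\s"'>]+)(?P=q)""")


class ProxyService:
    """Rewriter settings of one proxy service (hypothetical object)."""

    def __init__(self, published_name, web_server_host_name, multihome_path="",
                 additional_dns_names=(), exclude_dns_names=()):
        self.published_name = published_name.lower()
        self.web_server_host_name = web_server_host_name.lower()
        self.multihome_path = multihome_path.rstrip("/")   # "" = domain-based
        # Web Server Host Name plus the Additional DNS Name List: names to rewrite.
        self.names = {self.web_server_host_name} | {n.lower() for n in additional_dns_names}
        # Exclude DNS Name List: names that must never be rewritten.
        self.exclude = {n.lower() for n in exclude_dns_names}


def rewrite_outbound_url(svc, url):
    """Web server form -> published form (page on its way to the browser)."""
    m = URL_RE.match(url)
    if not m:
        return url
    scheme, host, path = m.group("scheme"), m.group("host"), m.group("path") or ""
    if host:
        if host.lower() in svc.exclude or host.lower() not in svc.names:
            return url            # foreign or excluded name: untouched
        host = svc.published_name
    elif not path:
        return url                # relative reference: untouched
    # On a path-based service the browser must keep sending the multi-homing path.
    return (f"{scheme}://" if scheme else "") + (host or "") + svc.multihome_path + path


def rewrite_inbound_url(svc, url):
    """Published form -> Web server form: the $path strip applied to query
    strings, POST data and headers of a path-based service."""
    m = URL_RE.match(url)
    if not m:
        return url
    scheme, host, path = m.group("scheme"), m.group("host"), m.group("path") or ""
    if host:
        if host.lower() != svc.published_name:
            return url
        host = svc.web_server_host_name
    mp = svc.multihome_path
    if mp and (path == mp or path.startswith(mp + "/")):
        path = path[len(mp):] or "/"
    return (f"{scheme}://" if scheme else "") + (host or "") + path


def rewrite_html(svc, html):
    """Rewrite every listed attribute of an outbound page. Word/Character
    profile matching is not modelled: every listed attribute is a candidate."""
    def sub(m):
        if m.group("name").lower() not in REWRITE_ATTRS:
            return m.group(0)
        q = m.group("q")
        return f"{m.group('name')}={q}{rewrite_outbound_url(svc, m.group('val'))}{q}"
    return ATTR_RE.sub(sub, html)


# Constructed sample service and page, modelled on Figure 1-6.
FIGURE_1_6 = ProxyService("www.novell.com", "data.com", multihome_path="/path")
SAMPLE_PAGE = '<HTML><img src=http://data.com/image1.jpg/><a href="http://other.example/x">x</a></HTML>'

if __name__ == "__main__":
    print(rewrite_html(FIGURE_1_6, SAMPLE_PAGE))
```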
4 In the Exclude DNS Name List section, click New, specify a DNS name that appears on the Web pages of your server that you do not want rewritten, then click OK. For more information, see “Determining Whether You Need to Exclude DNS Names from Being Rewritten.”
5 Use the HTML Rewriter Profile List to configure a profile. Select one of the following actions:
New: To create a profile, click New. Specify a display name for the profile and select either Word or Character for the Search Boundary. Continue with Section 1.5.5, “Creating or Modifying a Rewriter Profile,”...
New and specify the name, such as text/dns. Search your Web pages for content-types to determine if you need to add new types. To add multiple values, enter each value on a separate line.
For more information on how to use these options, see “Page Matching Criteria for Rewriter Profiles.”
4 Use the Actions section to specify the actions the rewriter should perform if the page matches the criteria in the Requested URLs to Search section. Configure the following actions:
Rewrite Inbound Query String Data: (Not available for Character profiles) Select this option to rewrite the domain and URL in the query string to match the Web server.
If the changes affect numerous pages, click Access Gateways, select the name of the server, then click Actions > Purge All Cache. If the changes affect only a few pages, refresh or reload the page within the browser.
1.5.6 Disabling the Rewriter
There are three methods you can use to disable the internal rewriter:
“Disabling per Proxy Service” on page 67
“Disabling per URL” on page 67
“Disabling with Page Modifications” on page 67
Disabling per Proxy Service
By default, the rewriter is enabled for all proxy services.
URLs need to be rewritten but others cannot be rewritten, you can turn on and turn off rewriting by adding the following formvalue tags before and after the <input>, <button>, and <option> elements in the form:
<!--NOVELL_REWRITE_ATTRIBUTE_ON='formvalue'-->
<input>, <button>, and <option> elements to be rewritten
<!--NOVELL_REWRITE_ATTRIBUTE_OFF='formvalue'-->
<input>, <button>, and <option> elements that shouldn’t be rewritten
1.6 Configuring Connection and Session Limits
The Access Gateway establishes connections with clients and with Web servers. For most networks, the default values for unresponsive connections and sessions provide adequate performance, but you can fine-tune the options for your network, its performance requirements, and your users:
Section 1.6.1, “Configuring TCP Listen Options for Clients,”...
1 In the Administration Console, click Devices > Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Web Servers > TCP Connect Options.
2 Configure the IP address to use when establishing connections with Web servers:
Cluster Member: (Available only if the Access Gateway is a member of a cluster.) Select the server you want to configure from the list of servers. Only the value of the Make Outbound Connection Using option applies to the selected server.
The persistence of the browser to Web server connection is always enabled and is not configurable. This feature allows a browser to use the same Web server after an initial connection has been established. Most Web applications are designed to expect this type of behavior.
Server Configuration Settings
This section describes the configuration settings that affect the Access Gateway as a server, such as changing its name or setting the time.
Section 2.1, “Configuration Overview,” on page 73
Section 2.2, “Saving, Applying, or Canceling Configuration Changes,” on page 75
Section 2.3, “Managing Access Gateways,”...
Section 4.6.3, “Managing Access Gateway Alert Profiles,” on page 152. Auditing: Allows you to select the events to send to a Novell Sentinel or Audit server. For more information, see Section 4.7, “Enabling Access Gateway Audit Events,” on page 156.
2.2 Saving, Applying, or Canceling Configuration Changes When you make configuration changes on a page accessed from Devices > Access Gateways > Edit and click OK on that page, the changes are saved to the browser cache. If your session expires or you close the browser session before you update the Access Gateway with the changes, the changes are lost.
To stop and start the Access Gateway Service, select the service, then click Restart. If the Access Gateway Service is already stopped, use Restart to start it.
Refresh: To update the list of Access Gateways and the status columns (Status, Health, Alerts, Commands), click Refresh.
3 To perform an action available in the Actions drop-down menu, select an Access Gateway, then select one of the following:
Assign to Cluster: To add the selected Access Gateway to a cluster, select Assign to Cluster, then select the cluster. This Access Gateway is reconfigured with the configuration of the primary cluster server.
Alerts,” on page 151. For information about the alerts sent to the cluster, click the link on the cluster row. For more information, see Section 4.6.2, “Viewing Access Gateway Cluster Alerts,” on page 151.
Commands: Indicates the status of the last executed command and whether any commands are pending. Click the link to view more information. For more information, see Section 4.9, “Viewing the Command Status of the Access Gateway,” on page 163.
Statistics: Provides a link to the statistic pages. For information about the statistics of a specific Access Gateway, click the View link on the Access Gateway row and see Section 4.4, “Viewing Access Gateway Statistics,”...
Indicates that another administrator is making configuration changes. Before you proceed with any configuration changes, you need to coordinate with this administrator and wait until the Access Gateway has been updated with the other administrator’s changes.
2.3.2 Scheduling a Command
Use the Schedule New Command page to schedule a command, such as a shutdown, restart, or upgrade.
1 In the Administration Console, click Devices > Access Gateways.
2 (Conditional) To schedule a shutdown or restart, select a server, then click Actions > Schedule Restart or Schedule Stop.
Description: Describe the purpose of this Access Gateway. This is optional, but useful if your network has multiple Access Gateways.
3 Click OK twice, then click Close. When you click OK, any changes are immediately applied to the Access Gateway.
“Backing Up and Restoring” in the Novell Access Manager 3.1 SP2 Administration Console Guide
The export feature is not an upgrade tool. You cannot export a configuration from one version of Access Manager and import it into a newer version of Access Manager.
(DNSName elements in the file)
The cookie domains associated with each proxy service (AuthenticationCookieDomain elements in the file)
The URL masks in pin lists that contain fully qualified names (URLMask elements in the file)
Depending upon your naming standards, you might want to change the names of the following:
UserInterfaceID elements (proxy service, pin list, and protected resource user interface IDs)
Description elements (proxy service, pin list, and protected resource descriptions)
Name (proxy service, pin list, and protected resource names)
SubServiceID elements
MultiHomeMasterSubserviceIDRef elements
LogDirectoryName elements...
IP addresses in the Web Server List: If the IP addresses in the production area are different from the IP addresses in the staging area, modify the IP addresses to match the production area.
Certificates: If you have configured SSL or mutual SSL between the proxy service and the Web servers, configure the Web Server Trusted Root and SSL Mutual Certificate options. The export and import configuration option does not export and import certificates.
1e Click OK twice.
IP address and port or a tunnel for that IP address and port. To set up a tunnel:
1 In the Administration Console, click Devices > Access Gateways > Edit > Tunneling.
2 Click New, enter a display name for the tunnel, then click OK.
3 Fill in the following fields:
Enable Tunnel: Specifies that the Access Gateway should set up a tunnel for all incoming traffic. This option must be enabled to configure a tunnel.
Tunnel SSL Traffic Only: Allows you to configure the Access Gateway to tunnel only SSL traffic.
2 (Conditional) If the Access Gateway belongs to a cluster of Access Gateways, select the Access Gateway from the list displayed in the Cluster Member field. The modifications you make on this page apply only to the selected Access Gateway.
NOTE: If you are modifying any of the above files, ensure that you retain the original filenames.
The Access Gateway Appliance maintains three directories to save files that are used for error page configuration:
/var/novell/errorpagesconfig/.factory
/var/novell/errorpagesconfig/.backup
/var/novell/errorpagesconfig/current
During the initial installation, the default template files are copied to the .factory and the...
Access Gateway cache.
6 Save the file.
7 Enter the following commands to restart the machine:
/etc/init.d/novell-vmc stop
/etc/init.d/novell-vmc start
8 If the Access Gateway belongs to a cluster, copy the modified file and images to each member in the cluster, then restart that member.
3 Add the language information within the <profile> tag as follows:
<ErrorPageConfiguration>
<Profile name="English" enable="1" fileXn="en">
<header value="en-us" />
<header value="en-uk" />
4 Save the file.
5 Enter the following commands to restart the machine:
/etc/init.d/novell-vmc stop
/etc/init.d/novell-vmc start
6 If the Access Gateway belongs to a cluster, copy the modified file to each member of the cluster, then restart that member.
3e Save the file.
3f Copy your image to the images directory:
Linux: /opt/novell/apache2/share/error/images
Windows: \Program Files\Novell\apache\error\images
4 Copy all modified files and image files to all Access Gateways in the cluster.
2.9 Configuring Network Settings
After initial setup, you seldom need to change the network settings unless something in your network changes, such as adding a new gateway or DNS server. These options are for the Access Gateway Appliance. For the Linux or Windows Access Gateway Service, use the utilities supplied by the operating system.
Subnet: Displays the address of the subnet that you are modifying. This is empty if you are creating a new subnet.
Subnet Mask: (Required) Specifies the subnet mask address for this subnet. The address can be specified in standard dotted format or in CIDR format.
To delete an address, select the address, then click Delete. To change the IP address, see “Changing the IP Address of the Access Gateway Appliance” in the Novell Access Manager 3.1 SP2 Administration Console Guide.
5 Click OK.
6 Configure the Adapter List Options.
2 (Conditional) If the Access Gateway is a member of a cluster, select the server you want to configure from the list of servers in the Cluster Member field. All changes made to this page apply to the selected server.
3 Fill in the following fields:
Act as Router: Select this option if the Access Gateway functions as the default gateway for clients on the network. If you select this option, you can specify additional gateways.
Enable Gateway Statistics Monitoring: Select this option if you want to gather statistics and monitor the traffic on the gateways.
New: To add a server to the list, click this option and specify the IP address of a DNS server.
Delete: To delete a server from the list, select the address of a server, then click this option.
Order: To modify the order in which the DNS servers are listed, select the server, then click either the up-arrow or the down-arrow buttons. The first server in the list is the first server contacted when a DNS name needs to be resolved.
4 Configure the DNS Cache Settings.
5 Click Adapter List. If the server is a member of a cluster, select the cluster member you want to configure. The newly added network interface is displayed here.
6 In the newly added adapter section, click New, then configure the subnet mask and IP address.
7 To save your changes to browser cache, click OK.
8 On the Server Configuration page, click OK, then click Update > OK.
2.9.6 Adding a New IP Address to the Access Gateway Service
Before you can configure the Access Gateway Service to use a new IP address, you must first use an operating system utility to add the IP address.
One way to provide redirection is to replace the information in the <body> element of the logoutSuccess.jsp file with something similar to the following:
<body>
<script language="JavaScript">
top.location.href='http://<hostname/path>';
</script>
</body>
Replace the <hostname/path> string with the location of your customized logout page.
1 Log in to the Access Gateway as the root or administrator user.
2 Open the web.xml file:
Linux: /opt/novell/nesp/lib/webapps/WEB-INF/web.xml
Windows: /Program Files/Novell/nesp/lib/webapps/WEB-INF/web.xml
3 Find the <context-param> section in the file.
4 Add the following parameter to the <context-param> section....
Web requests passing through the proxy service.
3 To save your changes to browser cache, click OK.
4 To apply your changes, click the Access Gateways link, then click Update > OK.
The Identity Server needs to be configured for SSL before the Access Gateway can be configured for SSL. See “Configuring Secure Communication on the Identity Server” in the Novell Access Manager 3.1 SP2 Setup Guide.
You can create a certificate signing request (CSR), send it to an external CA, then import the returned certificates into Access Manager. See “Generating a Certificate Signing Request” and “Importing Public Key Certificates (Trusted Roots)” in the Novell Access Manager 3.1 SP2 Administration Console Guide.
“Importing Public Key Certificates (Trusted Roots)” in the Novell Access Manager 3.1 SP2 Administration Console Guide.
2 To add the public certificate to the Access Gateway:
2a In the Administration Console, click Devices > Access Gateways > Edit > Service Provider Certificates >...
SSL connection. If this option is not selected, browsers that connect to the non-secure port are denied service. This option is only available if you have selected Enable SSL with Embedded Service Provider.
Identity Servers in the selected Identity Server Configuration. This sets up a trusted SSL relationship between the Identity Server and the Embedded Service Provider. If you are using certificates signed by the Novell Access Manager CA, the public key is automatically added to this trust store.
If you receive a 100101043 or 100101044 error, the trusted relationship has not been established. For information on solving this problem, see “Troubleshooting 100101043 and 100101044 Liberty Metadata Load Errors” in the Novell Access Manager 3.1 SP2 Identity Server Guide.
3.4 Configuring SSL between the Proxy Service and the Web Servers
SSL must be enabled between the Access Gateway and the browsers before you can enable it between the Access Gateway and its Web servers.
1 In the Administration Console, click Devices > Access Gateways > Edit > [Name of Reverse Proxy] >...
A parent is missing if the chain does not include a certificate where the Subject and the Issuer have the same CN.
3e Specify an alias, then click OK.
All the displayed certificates are added to the trust store.
3f Click Close.
4 (Optional) Set up mutual authentication so that the Web server can verify the proxy service certificate:
4a Click the Select Certificate icon.
4b Select the certificate you created for the reverse proxy, then click OK.
This is only part of the process.
/>
6 Save the server.xml file.
7 Restart Tomcat.
Linux: /etc/init.d/novell-tomcat5 restart
Windows: Use the following commands:
net stop "Apache Tomcat"
net start "Apache Tomcat"
3.5.2 Securing the Proxy Session Cookie
The proxy session cookies store authentication information and other information in temporary memory that is transferred between the browser and the proxy. These cookies are deleted when the browser is closed. However, if these cookies are sent through a non-secure channel, there is a threat of hackers intercepting the cookies and impersonating a user on Web sites.
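The following Python is an added check, not part of the guide: it parses the Set-Cookie headers a browser receives and reports proxy session cookies that lack the Secure attribute, which is what permits them to be sent over a non-secure channel. The IPCZQX01 name prefix is taken from the cookie sample later in this guide and is treated here as an assumption, as is case-insensitive matching of attribute names.

```python
"""Added example (not from the Novell guide): audit Set-Cookie headers for
proxy session cookies that are missing the Secure attribute.

Assumptions (not stated on this page): the proxy session cookie name begins
with "IPCZQX01", and cookie attribute names are matched case-insensitively.
"""
from typing import Dict, List

# Assumed prefix of the proxy session cookie name (see the cookie sample
# shown under .matchLagIchainCookieName later in this guide).
SESSION_COOKIE_PREFIX = "IPCZQX01"


def parse_set_cookie(value: str) -> Dict[str, object]:
    """Parse one Set-Cookie header value into its name, value and attributes.

    Attributes with a value (path=/) map to that value; flag attributes
    (Secure, HttpOnly) map to True. Attribute names are lowercased.
    """
    parts = [p.strip() for p in value.split(";")]
    name, _, val = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, sep, attr_val = attr.partition("=")
        attrs[key.strip().lower()] = attr_val.strip() if sep else True
    return {"name": name.strip(), "value": val.strip(), "attrs": attrs}


def insecure_session_cookies(set_cookie_headers: List[str]) -> List[str]:
    """Return the names of proxy session cookies that could be sent over
    plain HTTP because the Secure attribute is absent."""
    findings: List[str] = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        name = cookie["name"]
        if not name.startswith(SESSION_COOKIE_PREFIX):
            continue  # not a proxy session cookie; out of scope here
        if "secure" not in cookie["attrs"]:
            findings.append(name)
    return findings


# Constructed sample headers; the cookie names and values are placeholders.
SAMPLE_HEADERS = [
    "IPCZQX01a36c6c0a=xxxxxxxxxxxxxxxx; path=/; HttpOnly",
    "IPCZQX01b2c3d4e5=yyyyyyyyyyyyyyyy; path=/; Secure; HttpOnly",
    "JSESSIONID=zzzzzzzz; path=/app",
]

if __name__ == "__main__":
    for name in insecure_session_cookies(SAMPLE_HEADERS):
        print("session cookie without Secure attribute:", name)
```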
Administration Console and it is pushed to the Access Gateway. The certificate is available for use, but it is not used until you update the Access Gateway.
Phase 2: When you select to update the Access Gateway, the configuration for the Access Gateway is modified to contain references to the new certificate and the configuration change is sent to the Access Gateway. The Access Gateway loads and uses the new certificate.
Access Gateway components.
<AMEVENTID#event-id>
The following table lists the numbers and the components which they denote.
Number Component
Multi-Homing component
Service Manager
Request Processing
Authentication
Authorization
Identity Injection
Form Fill
Caching
Response Processing
Rewriting
Soap Channel
Connection Manager
DataStream
4.1.3 Configuring Logging of SOAP Messages and HTTP Headers
1 On the Linux Access Gateway Appliance, log in as root.
2 At the command prompt, enter the following command: nash
3 To enter the configuration mode, enter the following command: configure .current...
Log File: Specifies the name and extension for the log file. If you are creating multiple profiles, select a name that indicates the purpose of the profile. For example, you could create a log file for Form Fill policy entries and name the file form_fill.log.
If this name includes a subdirectory, the subdirectory is created relative to the displayed Log File Path.
Echo To Console: Causes the events to be logged in the stdout.log (Linux) file or the catalina.out (Windows) file.
3 Configure the following rollover options to control how much disk space can be used for logging before a new log file is created and old log files are deleted.
For configuration information, see Section 4.2.4, “Configuring a Log Filter,” on page 129.
3 Click OK twice, then update the Access Gateway.
For information on the various tags used in the log files, see “Understanding the Log Format” in the Novell Access Manager 3.1 SP2 Administration Console Guide. Device IDs: The AMDEVICEID# value identifies the device that performed the action. To correlate the ID with the device, click Auditing > General Logging.
Info: Logs informational events such as configuration changes, startups, and shutdowns that complete successfully. If the event generates any type of error, warning, or severe message, these messages are not logged. Debug: Logs messages that include additional information useful to Novell Support and Engineering. Error: Logs events that error conditions generate.
16 (Optional) To view how the Embedded Service Provider evaluates the Form Fill policy, see “Form Fill Traces” in the Novell Access Manager 3.1 SP2 Policy Guide. 17 (Optional) To add more information about Form Fill policies to the Apache...
4.3.1 Determining Logging Requirements
Because logging requirements and transaction volume vary widely, Novell cannot make recommendations regarding a specific logging strategy. The following tasks guide you through the process of creating a strategy that fits your business needs.
1 Identify the reasons for tracking transactions such as customer billing, statistical analysis, or growth planning.
logentry_size: The average log entry size. You can determine this by configuring a proxy service to track the required information, generating traffic to the proxy service, downloading the log files, determining how large each entry is, and calculating the average.
request_rate: The peak rate of requests per second.
1 Determine the values of the three variables listed above.
2 Use the max_log_roll_size formula to calculate the maximum size a log file should reach before the cache device rolls it over.
4.3.3 Enabling Logging
Do not enable logging until you have designed a logging strategy. See Section 4.3.1, “Determining Logging Requirements,” on page 132.
1 In the Administration Console, click Devices > Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Logging.
2 Fill in the following fields:
Enable Logging: Select this field to enable logging.
All logging data in deleted files is lost.
Do Not Delete: Prevents the system from automatically deleting the log files.
4 Click OK.
5 Click the Access Gateways link, then click Update > OK.
4.3.5 Configuring Extended Log Options Use the extended log options page to control log entry content, log rollover, and old file options. A log entry always includes the date, time, and client IP address for each entry, but with the log data options, you can add other fields such as the IP address of the server and the username of the client.
(Access Gateway Appliance) The byte ranges sent from the Access Gateway to a requesting browser.
E Tag (Access Gateway Appliance) The tag sent from the Access Gateway to a requesting browser.
Name Description
Completion Status (Access Gateway Appliance) The completion status for the transaction, indicating that it completed successfully or that it failed. Possible values: success, timeout, reset (the client terminated the connection), administrative (the Access Gateway terminated the connection).
Reply Header Size (Access Gateway Appliance) The size in bytes of the HTTP header associated with a response to a client.
Live Statistics Monitoring.
Live Statistics Monitoring: Select this option to view the statistics as currently gathered and to have them refreshed at the rate specified in the Refresh Rate field.
These general statistics are grouped into the following categories:
“Server Activity” on page 141
“Connections” on page 142
“Bytes” on page 142
“Requests” on page 143
“Cache Freshness” on page 144
Server Activity
The Server Activity section displays general server utilization statistics.
Statistic Description
CPU Utilization...
The bytes statistics show how fast information is being sent in response to the following types of requests:
Browser requests to the Access Gateway
Access Gateway requests to the Web servers
Statistic Description
Bytes per Second from Origin Server (Access Gateway Appliance) Displays the number of bytes of data being sent each second from the Web servers to the Access Gateway. Click Graphs to view the number of bytes for a specific unit of time (1 hour, 1 day, 1 week, 1 month, 6 months, or 12 months).
Gateway has received from browsers.
Total Not Modified Replies Displays the total number of 304 Not Modified replies that the Access Gateway has received from the Web servers for updated content.
Statistic Description
Cache Freshness Displays the percentage of objects in cache that are considered fresh. Click Graphs to view the percentage of fresh objects for a specific unit of time (1 hour, 1 day, 1 week, 1 month, 6 months, or 12 months). The Value axis displays the percentage of fresh objects.
(1 hour, 1 day, 1 week, 1 month, 6 months, or 12 months). The Value axis displays the number of cached sessions. If no sessions have been cached, the value axis is not meaningful.
Statistic Description
Cached Ancestral Sessions The number of cached ancestral session IDs. An ancestral session ID is created during the failover process. When failover occurs, a new session is created to represent the previous session. The ID of the previous session is termed an “ancestral session ID,”...
(“proxied”) to the authoritative cluster member. If an L4 switch causes a request to go to a non-authoritative cluster member, then that cluster member proxies that request to the authoritative cluster member.
When a request is received, a cluster member uses multiple means to determine which cluster member is the authoritative server for the request. It looks for a parameter on the query string of the URL indicating the authoritative server. It looks for an HTTP cookie indicating the authoritative server.
The Access Gateway has been programmed to issue events to various types of systems (such as a Novell Audit server, a Novell Sentinel server, or a Syslog server) so that the administrator can be informed when significant changes occur that modify how the Access Gateway is performing. For information about auditing and audit events, see Section 4.7, “Enabling Access Gateway Audit...
Section 4.6.6, “Configuring a Log Profile,” on page 155
Section 4.6.7, “Configuring an E-Mail Profile,” on page 156
Section 4.6.8, “Configuring a Syslog Profile,” on page 156
4.6.1 Viewing Access Gateway Alerts
The Alerts page allows you to view information about current Java alerts and to clear them. An alert is generated whenever the Access Gateway detects a condition that prevents it from performing normal system services.
Delete: To delete a profile, select the check box next to the profile, then click Delete.
3 To save your modifications, click OK twice.
4 On the Access Gateways page, click Update.
4.6.4 Configuring an Alert Profile
The alert profile determines which alerts are sent and where the alerts are sent.
1 In the Administration Console, click Devices > Access Gateways > Edit > Alerts > [Name of Profile].
2 Select one or more of the following:
Connection Refused: Generated when a connection is refused.
Access Gateway has been configured to stop services. To configure the Access Gateway to continue when auditing services are not available, click Auditing > Novell Auditing, deselect the Stop Services on Audit Server Failure option, then click Apply.
Failure in Audit, Will lose events, but continuing services: Generated when the audit agent has failed.
/var/opt/novell/amlogging/logs/
Windows Access Gateway Service: \Program Files\Novell\amlogging\logs\
Max File Size: Specify a maximum size for the log file in KB. The size can be from 50 to 100000 KB. Specify 0 to indicate that there is no maximum file size.
155.
4.7 Enabling Access Gateway Audit Events
The Novell Audit option in the Access Gateway allows you to configure the events you want audited. The following steps assume that you have already set up auditing on your network. For more information, see “Configuring Access Manager for...
2 Select the events for notification.
Select All: Select this option for all events. Otherwise, select one or more of the following:
Event Description
Access Denied Generated when a requested action is denied because the requester has insufficient access rights to a URL.
System Started Generated when the Access Gateway is started.
Gateway, this includes information such as the following:
“Service Categories of the Access Gateway Appliance” on page 159
“Service Categories of the Access Gateway Service” on page 161
4 Click Close.
Restart the Linux Access Gateway by entering the following commands:
/etc/init.d/novell-vmc stop
/etc/init.d/novell-vmc start
the Linux Access Gateway is responding to health checks from the L4 switch. The number increments with each health check for which the Access Gateway does not send a response.
Server and the auditing server.
auditing server.
“Troubleshooting Novell Audit” (http://www.novell.com/documentation/novellaudit20/novellaudit20/data/al0lh30.html).
Auditing must be enabled on the Identity Server to activate this health check (click Devices > Identity Servers > Edit > Logging).
Configuration Datastore: Indicates whether the configuration datastore is functioning correctly. Restore the configuration datastore. See “Repairing the Configuration Datastore” in the Novell Access Manager 3.1 SP2 Administration Console Guide.
Clustering: Indicates whether all the cluster members are active and processing requests. Restart the cluster members that are not active or
3 To ensure that the information is current, click Refresh.
4 To view specific information about the status of an Access Gateway, click the Health icon in the Access Gateway row.
4.9 Viewing the Command Status of the Access Gateway Commands are issued to an Access Gateway when you make configuration changes and when you select an action such as stopping or starting the gateway. Certain commands, such as start and stop commands, retry up to 10 times before they fail. The first few retries are spaced a few minutes apart, then they move to 10-minute intervals.
Status: Specifies the status of the command, and includes such states as Pending, Incomplete, Executing, and Succeeded. Last Executed On: Specifies when the command was issued. The date and time are displayed in local time. If the command failed, additional information is available.
“Sending Attributes to the Embedded Service Provider” in the Novell Access Manager 3.1 SP2 Identity Server Guide. Identity Server Configuration: A number of the configuration options for the Identity Server add authentication overhead. You need to balance possible performance enhancements with your needs to enable these options.
-Xmx
This allows Java on the Access Gateway Service to use 2 GB of memory. For the Access Gateway Appliance, the default value works best, so do not change the value.
Modifying the Java Parameters on Windows
1 Log in to the Access Gateway as the administrator.
2 Open the Tomcat configuration utility.
/Program Files/Novell/Tomcat/bin/tomcat5w.exe
3 Click the Java tab.
4 In the Java options section, find the following line:
-Dnids.freemem.threshold=0
If the line does not exist, you need to add it.
Configuring the Content Settings
One of the major benefits of using an Access Gateway to protect Web resources is that it can cache the requested information and send it directly to the client browser rather than contacting the origin Web resource and waiting for the requested information to be sent. This can significantly accelerate access to the information.
Web server. Select one of the following options to control how the Access Gateway handles the request:
Refill: Causes the proxy service to send the request to the Web server.
Revalidate: Causes the proxy service to check whether the current information is valid. If it is, the currently cached information is returned. If it isn’t valid, the request is forwarded to the Web server.
Ignore: Causes the proxy service to ignore the request and send the data from cache without checking to see if the cached data is valid.
“Configuring Custom Cache Control Headers,” on page 173.
5 To save your changes to browser cache, click OK.
6 To apply the changes, click the Access Gateways link, then click Update > OK.
5.3 Configuring Custom Cache Control Headers (Access Gateway Appliance)
In addition to fine-tuning cache freshness by using the HTTP timers, as explained in Section 5.1, “Configuring Caching Options,” on page 170, you can configure each proxy service to recognize custom headers in HTTP packets. Your Web server can then use these headers for transmitting caching instructions that only the Access Gateway can recognize and follow.
4 In the Cache Control Header List, select New and specify a name for the header, for example MYCACHE.
5 To save your changes to browser cache, click OK.
6 To apply the changes, click the Access Gateways link, then click Update > OK.
7 Modify the pages on the Web server that you want to set custom caching intervals for the Access Gateway. To the HTTP header, add a string similar to the following:
MYCACHE:600
The numeric value indicates the number of seconds the Access Gateway can retain the object in cache.
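As an added example (not code from the guide), the following Python shows how a response carrying a header such as MYCACHE:600 is turned into a retention interval and then checked for freshness. The case-insensitive header match, the whole-seconds value and the rule that the first configured header present wins are assumptions, not documented Access Gateway behaviour.

```python
"""Added example (not from the Novell guide): interpret a custom cache
control header such as "MYCACHE:600" the way the text above describes.

Assumptions (not stated in the guide): header names are matched
case-insensitively, the value is a whole number of seconds, and when
several configured header names are present the first configured one wins.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class CacheInstruction:
    header: str   # configured header name that matched, e.g. "MYCACHE"
    seconds: int  # retention interval in seconds carried by the header


def parse_header_lines(raw: str) -> Dict[str, str]:
    """Split raw HTTP response header text into a lowercase name -> value map.

    The status line and continuation lines are skipped; duplicate header
    names keep the last value seen.
    """
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if ":" not in line or line.startswith(("HTTP/", " ", "\t")):
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def custom_cache_instruction(configured: Iterable[str],
                             raw_response_headers: str) -> Optional[CacheInstruction]:
    """Return the retention instruction carried by the first configured custom
    header present in the response, or None if no usable one is present.

    A header whose value is not a non-negative integer (e.g. "MYCACHE: soon")
    is ignored rather than treated as a zero-second interval.
    """
    headers = parse_header_lines(raw_response_headers)
    for name in configured:
        value = headers.get(name.lower())
        if value is None or not value.isdigit():
            continue
        return CacheInstruction(header=name, seconds=int(value))
    return None


def is_fresh(instr: CacheInstruction, cached_at: float, now: float) -> bool:
    """True while the cached object is still within its retention interval."""
    return now - cached_at < instr.seconds


# Constructed sample response, as a Web server modified per step 7 above
# would send it; the values are placeholders.
SAMPLE_RESPONSE = "\n".join([
    "HTTP/1.1 200 OK",
    "Content-Type: text/html",
    "MYCACHE:600",
    "Content-Length: 1234",
])

if __name__ == "__main__":
    instr = custom_cache_instruction(["MYCACHE"], SAMPLE_RESPONSE)
    print(instr)
    if instr is not None:
        print("fresh after 500 s:", is_fresh(instr, 1000.0, 1500.0))
```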
The action taken for an object is the action specified for the first mask that the object matches. The Access Gateway recognizes four levels of specificity, using the following format:
Level Examples
hostname
http://www.foo.gov/documents/picture.gif
http://www.foo.gov/documents/*
http://www.foo.gov
foo.gov/documents/*
foo.gov/*
All of these are classified as hostnames, and they are ordered by specificity. The first item in the list is considered the most specific and is processed first. The last item is the most general and is processed last.
path
/documents/picture.gif
/documents/pictures.gif/*...
String comparisons are not case sensitive. For example, ?*=SPORTS purges all objects with the text =SPORTS or any other combination of uppercase and lowercase letters for =SPORTS following the question mark in the URL.
IMPORTANT: If you also configure a pin list, carefully select the objects that you add to the pin and purge lists. Make sure you don’t configure a pin list that adds objects to the cache and a purge list that removes the same objects. 1 In the Administration Console, click Devices >...
The information can be seen in sniffer traces and with plug-ins such as ieHTTPHeaders, Live HTTP Headers, and FireBug. This option should only be enabled when you are working with Novell Support and they instruct you to enable the option. #NAGGlobalOptions DebugFormFill=on: When this option is enabled, additional debug...
Protecting Multiple Resources
This section describes how to create multiple resources for the various Access Gateway components, including a cluster of Access Gateways. Figure 6-1 illustrates the relationships that Access Gateways, reverse proxies, proxy services, Web servers, and protected resources have with each other when two Access Gateways are members of a cluster.
Traffic is sent to another Web server in the list only when the first Web server is no longer available. To configure this option, see Section 1.6.2, “Configuring TCP Connect Options for Web Servers,” on page
Connection persistence is enabled by default. This allows the Access Gateway to send multiple HTTP requests to the Web server to be serviced before the connection is closed. To configure this option, see Section 1.6.2, “Configuring TCP Connect Options for Web Servers,” on page
Session persistence is enabled whenever a second Web server is added to the list.
IP Address
test.company.com 10.10.195.90:80 test.internal.com 10.10.15.10
sales.company.com 10.10.195.90:80 sales.internal.com 10.10.15.20
apps.company.com 10.10.195.90:80 apps.internal.com 10.10.15.30
Configure your DNS server to resolve the published DNS names to the IP address of the Access Gateway.
Set up the back-end Web servers.
Create three proxy services for these published DNS names. To create a domain-based multi-homing proxy service, see Section 6.2.4, “Creating a Second Proxy Service,” on page 189, and select domain-based for the multi-homing type.
6.2.2 Path-Based Multi-Homing
Path-based multi-homing uses the same DNS name for all resources, but each resource or resource group must have a unique path appended to the DNS name.
Web Server Host Name. However, if they do contain links to each other, you need to set the Host Header option to Web Server Host Name and specify a DNS name for the Web server in the Web Server Host Name option. The Access Gateway needs a method to distinguish between the Web servers other than the path, because after the path is removed, all the Web servers in Figure 6-4 on page 185 have the same name: www.test.com
If you select to use the Forward Received Host Name option for a path-based service, you might also need to add entries to the Additional DNS Name List for the rewriter.
IP address, you are ready to configure the Access Gateway. To create a virtual multi-homing proxy service, see Section 6.2.4, “Creating a Second Proxy Service,” on page 189, and select Virtual for the multi-homing type.
6.2.4 Creating a Second Proxy Service
1 In the Administration Console, click Devices > Access Gateways > Edit > [Name of Reverse Proxy].
2 In the Proxy Service List, select New.
3 Fill in the fields.
Proxy Service Name: Specify a display name for the proxy service. For the sales group, you might use sales.
Proxy] > [Name of Path-Based Multi-Homing Proxy Service]. The following fields display information that must be configured on the parent proxy service (the first proxy service created for this reverse proxy).
Published DNS Name: Displays the value that users are currently using to access this proxy service. This DNS name must resolve to the IP address you set up as a listening address on the Access Gateway.
Cookie Domain: Displays the domain for which the cookie is valid. The Web server that the user is accessing must be configured to be part of this domain.
2 Configure the following option:
#NAGChildOptions WebDav=/Path: Allows the proxy service to handle the specified path. Remove the pound (#) symbol and replace /Path with the path you want the proxy service to handle.
6.3 Managing Multiple Reverse Proxies
Each reverse proxy must have a unique IP address and port combination. If your Access Gateway has only one IP address, you must select unique port numbers for each additional reverse proxy that you create. You can configure the Access Gateway to use multiple IP addresses. These addresses can be configured to use the same network interface card, or if you have installed multiple network cards, you can assign the IP addresses to different cards.
Disable. To enable all reverse proxies, select the check box next to the Name column, then click Disable.
3 To save your changes to browser cache, click OK.
4 To apply the changes, click the Access Gateways link, then click Update > OK.
6.3.2 Changing the Authentication Proxy Service If you have multiple reverse proxies, you can select the reverse proxy that users are redirected to for login and logout. IMPORTANT: Changing the reverse proxy that is used for authentication is not a trivial task. For example, if you have customized the logout options on your Web servers to redirect the logout request to the Logout URL of the current authentication reverse proxy, you need to modify these options to point to a new Logout URL.
Gateways page, click Update All by the name of the cluster.
7 For information on additional required configuration tasks, see “Clustering Access Gateways” in the Novell Access Manager 3.1 SP2 Setup Guide.
6.4.2 Managing the Servers in the Cluster To view the servers that are currently members of clusters: 1 In the Administration Console, click Devices > Access Gateways. The members of a cluster are listed under the cluster name. The red double dagger symbol identifies the server that is the primary cluster server.
To change this assignment, select the server from the drop-down list. For more information on this process, see Section 6.4.5, “Changing the Primary Cluster Server,” on page 199.
3 Click OK.
6.4.5 Changing the Primary Cluster Server
If the current primary cluster server is down and will be down for an extended period of time, you should select another server to be the primary cluster server.
1 In the Administration Console, click Devices > Access Gateways > [Name of Cluster] > Edit.
2 In the Primary Server drop-down list, select the name of a server, then click OK.
If you modify the published DNS name of the authentication proxy service (Access Gateways > Edit > Reverse Proxy/Authentication > [Name of Reverse Proxy] > [Name of First Proxy Service], then modify the Published DNS Name option).
Guide. For XML validation errors, see “Troubleshooting XML Validation Errors on the Access Gateway Appliance” in the Novell Access Manager 3.1 SP2 Administration Console Guide. For information about installation, reinstallation, and import issues, see “Troubleshooting a Linux Access Gateway Appliance Installation”...
Gateway Appliance Logs” on page 123.
/etc/init.d/novell-vmc
Use the novell-vmc command line options to restart the proxy and view status. For more information, see Table 7-2 on page 203.
/chroot/lag/opt/novell/bin directory contains the following scripts:
Use this script to resolve auto-import issues. For more information, see “Triggering an Import Retry” in the Novell Access Manager 3.1 SP2 Installation Guide. You can use the following commands to stop and start the Access Gateway and to view its status.
3 To access the Proxy Console screen, enter 13.
4 To access a specific screen, enter the number.
Screen Description
1. Display current activity  Displays information about connections (server and client), cached objects, and HTTP requests.
2. Display memory usage  Displays information about memory pools and memory used and the types of objects stored in memory.
3. Display ICP statistics  Displays statistics for the Internet Cache Protocol.
4. Display DNS options  Displays statistics and information about the entries in the DNS table.
Novell Access Manager 3.1 SP2 Policy Guide. For information on how to use the entries for policy troubleshooting, see “Troubleshooting Access Manager Policies” in the Novell Access Manager 3.1 SP2 Policy Guide.
“Access Gateway Appliance Logs” on page 123. For maximum verbosity, the proxy service must be started in debug mode. See Table 7-2, “novell-vmc Commands,” on page 203.
lagsoapmessages Located in the /var/log directory and available from the General Logging page in the Administration Console.
“.spnetworkplaces” on page 213
“.AllowMSWebMiniRedir” on page 213
“.reqPostSize” on page 213
“.disableExternalDNSRewrite” on page 213
“.modifyRequestURI” on page 213
.dumpcore
To enable a core dump, create the following touch file:
/tmp/.dumpcore
Form Fill policy do not work. For more information on how to use this touch file, see “Configuring a Form Fill Policy for Forms With Scripts” in the “Novell Access Manager 3.1 SP2 Policy Guide”.
Troubleshooting the Access Gateway Appliance 209
(TP1 IP address) and the validation fails. The Access Gateway loops as it continues to request the user to send a valid session cookie.
.alwaysUseJSFor302
This file is located in the /var/novell directory.
302 redirect.
.useJSFor302withIE7
This file is located in the /var/novell directory. When the Internet Explorer 7 browser is used, a 200 OK response is sent back with the redirect metatag instead of the 302 redirect.
.useRelativeUrlInJS
This file is located in the directory.
Gateway uses the old password for identity injection.
.matchLagIchainCookieName
This file is located in the /var/novell directory. This file forwards a proxy session cookie to a back-end application. A cookie without this touch file enabled looks like:
IPCZQX01a36c6c0a=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
.spnetworkplaces
This file is located in the /var/novell directory. This file enables users who use the Microsoft Network Places client to connect to the WebDAV folders of a server when the SharePoint server has been configured as a path-based SharePoint multi-homing service on the Access Gateway.
“Customizing the Identity Server Login Page” in the Novell Access Manager 3.1 SP2 Identity Server Guide. 2 Copy the custom login page to the JSP directory of the Identity Server. Linux: /var/opt/novell/tomcat5/webapps/nidp/jsp...
Web server. Without this header, the Web server does not send any data with GZIP or Deflate encoding to the Access Gateway. To allow the Access Gateway to receive GZIP or Deflate encoded data, remove the touch file and restart the Access Gateway.
7.3.3 Protected Resources Reference Non-Existent Policies If your protected resources contain references to policies that do not exist, use the following procedure to remove them. 1 Click Auditing > Troubleshooting. 2 In the Access Gateways with Protected Resources Referencing Nonexistent Policies section, click Repair.
302 redirect. 7.4 Hardware and Machine Resource Issues Section 7.4.1, “Error: novell-vmc-chroot Failed to Start,” on page 218 Section 7.4.2, “Mismatched SSL Certificates in a Cluster of Access Gateways,” on page 218 Section 7.4.3, “Recovering from a Hardware Failure on an Access Gateway Machine,” on page 219 Section 7.4.4, “Reinstalling a Failed Access Gateway,”...
If the hardware of your Access Gateway fails and the Access Gateway is not a member of a cluster, you might receive the following message when you reinstall it: Start unsuccessful. Reason: Unable to read keystore: /opt/novell/devman/jcc/certs/esp/signing.keystore. If you receive this message, use the following process to solve the problem: 1 Add the failed Access Gateway to a cluster.
2 Enter the Proxy Console option number at the Pick a Screen prompt. The Access Gateway Console screen is displayed. 3 Enter the Display Cache Statistics option number at the Enter option prompt.
4 Enter the Display COS Global Statistics option number at the Enter option prompt. Troubleshooting the Access Gateway Appliance 221...
Lower Limit: 5 percent
Requirement for Access Gateway: 500 MB
Upper Limit: 80 percent
Default: 20 percent
Checking Available Memory: As the root user, enter the following command at the bash prompt:
cat /proc/meminfo | grep MemTotal
7.5 Rewriter Issues Section 7.5.1, “Discovering the Issue,” on page 223 Section 7.5.2, “Rewriting Fails on a Page with Numerous HREFs,” on page 223 Section 7.5.3, “Links Are Broken Because the Rewriter Sends the Request to the Wrong Proxy Service,”...
2 Do one of the following: If the Web server sends a different content type for a non-default file extension, then configure the new content type in the Content-Type Header. If the Web Server does not send any content type for a non-default extension, then configure as the Content-Type Header.
In this scenario, the Access Gateway rewrites URLs and host headers based on the configured Web server host name and port number. For example, if your configuration looks similar to the following:
Web server host name: www.proxy91.com:8181
Web server connect port: 8080 (HTTP)
Published DNS name: www.lag.com
Listening Port: 443
Then:
The host header from the Access Gateway to the Web server is rewritten as www.proxy91.com:8181.
If a page has URLs, the URLs are rewritten as follows: http://www.proxy91.com:8181 is rewritten as https://www.lag.com...
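The rewriting described for this configuration, as an added example that is not part of the guide: the Host header sent to the Web server carries the configured host name (with its port 8181, not the connect port 8080), and absolute URLs in the returned page that point at that host name are rewritten to the published DNS name. The dataclass and its field names are assumptions; an SSL listener is assumed because the listening port is 443.

```python
# Added example (not Novell's code): a model of the host-header and URL rewriting
# the Access Gateway performs for the proxy service configured above.
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProxyService:                 # field names are assumptions, values from the text
    web_server_host_name: str       # "www.proxy91.com:8181", sent in the Host header
    web_server_connect_port: int    # 8080, the TCP port the gateway actually connects to
    published_dns_name: str         # "www.lag.com"
    listening_port: int             # 443
    ssl: bool = True                # assumed: port 443 is an SSL listener

    def web_server_origin(self) -> str:
        # Origin as it appears in URLs the Web server writes into its own pages.
        return f"http://{self.web_server_host_name}"

    def published_origin(self) -> str:
        # Origin the browser must use; a default port is omitted, as browsers do.
        scheme = "https" if self.ssl else "http"
        default = 443 if self.ssl else 80
        port = "" if self.listening_port == default else f":{self.listening_port}"
        return f"{scheme}://{self.published_dns_name}{port}"

def host_header_for_web_server(svc: ProxyService) -> str:
    """Host header the Access Gateway sends to the Web server (host name, not connect port)."""
    return svc.web_server_host_name

def rewrite_urls(svc: ProxyService, page: str) -> str:
    """Rewrite every absolute URL that points at the Web server origin so that it
    points at the published origin. The lookahead keeps the :8181 origin from
    also matching a host such as www.proxy91.com:81810."""
    pattern = re.compile(re.escape(svc.web_server_origin()) + r"""(?=[/"'\s<>?#]|$)""")
    return pattern.sub(svc.published_origin(), page)

SERVICE = ProxyService("www.proxy91.com:8181", 8080, "www.lag.com", 443)

# Constructed sample page for this example; the second link must stay untouched.
SAMPLE_PAGE = ('<a href="http://www.proxy91.com:8181/docs/index.html">Docs</a>\n'
               '<img src="http://www.proxy91.com:81810/logo.png">\n')

if __name__ == "__main__":
    print("Host header:", host_header_for_web_server(SERVICE))
    print(rewrite_urls(SERVICE, SAMPLE_PAGE))
```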
(/) before dumping core. When the disk space goes below 3 GB, the Access Gateway prevents dumping core files. In the Novell Access Manager 3.1 SP2 release, the monitor service is disabled by default. To enable it, execute the following command as root: /etc/init.d/lagmonitor start For more information about this service, see Section 7.1.2, “Using the Linux Access Gateway...
The Access Gateway might crash because of the following reasons: SIGSEGV; ASSERT (for a debug build only). The following sections explain how to gather the files that need to be sent to Novell for a resolution of the problem. “Access Gateway Logs” on page 229 “Event Log”...
,save 1 This stores all the events in the /chroot/lag/opt/novell/debug/<pid>all_events.0.txt file. 8 Tar or zip this file and send it to Novell Support. Event Log for a Debug Build To get the event log: 1 Log in as the user.
/etc/init.d/novell-vmc stop 3 To start the Novell Access Gateway in debugging mode, enter the following command: /etc/init.d/novell-vmc gdb 4 To run the Access Gateway process, enter the following command at the GDB prompt: run -m <memory> 2>/var/log/ics_dyn.log Replace <memory> with the percentage of total memory to be used for the ics_dyn process.
<pid> is the ID of the ics_dyn process. After the core is dumped, the Access Gateway restarts. 6 Tar or zip the core dump and send it to Novell Support. Proxy Hang Core To analyze the proxy hang and create a core file:...
7.6.7 Access Gateway Dumps Core After 10 Minutes When Non-Redirected Login Is Enabled In a clustered Novell Access Manager deployment setup, if non-redirected login is enabled, equal load balancing across the Identity Servers might not happen. This might result in Access Gateway dumping core after approximately 10 minutes.
Issues with Outgoing Connections To verify that the Access Gateway is able to make outbound connections: 1 Log in as the root user. 2 At the bash prompt, view the following log file: /var/log/ics_dyn.log
3 Search for a connection message. If the service is unavailable, the file contains messages similar to the following: ERROR Connection FAILED with peer 7.7.3 Authentication Issues “User Details” on page 235 “Error Codes” on page 237 User Details To check details about the users logged in to the Access Gateway: 1 To access the console, enter the following command: netcat localhost 2300 2 Press Enter at the...
Access Gateway requires the user to authenticate. L: The user has logged out of the session. W: The user session is functional. U: The use count is more than zero.
If the Embedded Service Provider is down, restart the service provider from the Administration Console. If the issue persists, contact Novell Support. 7.8 Form Fill Issues Form Fill error messages are logged only if you set the log level to LOG_DEBUG. The entries are logged in the file.
7.8.4 Form Fill Failure Because of Incorrect Policy Configuration Form fill fails if the policy is not configured correctly. For configuration information, see “Creating Form Fill Policies” in the Novell Access Manager 3.1 SP2 Policy Guide.
For more information on modifying the policy, see “Implementing Form Fill Policies” in the Novell Access Manager 3.1 SP2 Policy Guide. 7.9 Authorization and Identity Injection Issues Section 7.9.1, “Authorization and Identity Injection Error Messages,” on page 239 Section 7.9.2, “Identity Injection Failures,”...
Customer Header Injection Failed. Query String Injection Failed. Authentication Header Injection Failed To receive help resolving identity injection failures, send the following information to Novell Support: Access Gateway logs. For more information on how to get Access Gateway log files, see “Access Gateway Appliance Logs”...
(patch 12527) For more information on downloading and updating the patch, see “Installing or Updating the Security Patches on the SLES 9 Linux Access Gateway Appliance” in the Novell Access Manager 3.1 SP2 Installation Guide.
Troubleshooting the Access Gateway Service Section 8.1, “Useful Troubleshooting Files,” on page 243 Section 8.2, “Verifying That All Services Are Running,” on page 248 Section 8.3, “Enabling Debug Mode and Core Dumps,” on page 250 Section 8.4, “Useful Troubleshooting Tools for the Access Gateway Service,” on page 252 Section 8.5, “A Few Performance Tips,”...
Apache log files. These files are located in the following directory: Linux: /var/log/novell-apache2/ Windows: C:\Program Files\Novell\apache\logs\ For more information, see the following sections: “Ignoring Some Standard Messages” on page 245 “Modifying the Logging Level for the Apache Logs” on page 245
The error messages look similar to the following: [<time and date stamp>] [warn] Init: SSL server IP/port conflict: dbmhnsnetid.dsm.cit.novell.com:443 (C:/Program Files/Novell/apache/conf/vhosts.d/dbmhNS-NetID.conf:18) vs. magwin1430external.dsm.cit.novell.com:443 (C:/Program Files/Novell/apache/conf/vhosts.d/magMaster.conf:18) [<time and date stamp>] [warn] Init: SSL server IP/port conflict: magdbmheguide.dsm.cit.novell.com:443 (C:/Program...
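An added example, not from the guide, of telling these routine startup warnings apart from Apache warnings and errors that do need attention: the parser matches the exact shape of the SSL IP/port conflict message shown above and extracts the two vhost files involved. The host and file names in the sample come from the message above; the timestamps and the other two lines are constructed.

```python
# Added example (not Novell's code): recognize the "SSL server IP/port conflict"
# warnings Apache writes at startup on an Access Gateway Service and separate
# them from log lines that still need review.
import re
from typing import Dict, List, Optional, Tuple

CONFLICT_RE = re.compile(
    r"^\[(?P<ts>[^\]]*)\] \[warn\] Init: SSL server IP/port conflict: "
    r"(?P<host_a>\S+):(?P<port_a>\d+) \((?P<file_a>.+?):(?P<line_a>\d+)\) vs\. "
    r"(?P<host_b>\S+):(?P<port_b>\d+) \((?P<file_b>.+?):(?P<line_b>\d+)\)\s*$"
)

def parse_conflict(line: str) -> Optional[Dict[str, str]]:
    """Fields of one conflict warning, or None if the line is something else."""
    m = CONFLICT_RE.match(line)
    return m.groupdict() if m else None

def triage(lines: List[str]) -> Tuple[List[Dict[str, str]], List[str]]:
    """Split a log into (routine conflict warnings, other warn/error lines)."""
    routine, review = [], []
    for line in lines:
        rec = parse_conflict(line)
        if rec is not None:
            routine.append(rec)
        elif "[warn]" in line or "[error]" in line:
            review.append(line)
    return routine, review

def conflicting_files(lines: List[str]) -> List[str]:
    """Sorted, de-duplicated vhost files that take part in a conflict."""
    routine, _ = triage(lines)
    return sorted({f for r in routine for f in (r["file_a"], r["file_b"])})

# Constructed sample log: the first line uses the names shown in the guide, the
# timestamps and the remaining two lines are made up for this example.
SAMPLE_LOG = [
    "[Tue May 11 13:03:00 2010] [warn] Init: SSL server IP/port conflict: "
    "dbmhnsnetid.dsm.cit.novell.com:443 (C:/Program Files/Novell/apache/conf/vhosts.d/dbmhNS-NetID.conf:18) "
    "vs. magwin1430external.dsm.cit.novell.com:443 (C:/Program Files/Novell/apache/conf/vhosts.d/magMaster.conf:18)",
    "[Tue May 11 13:03:01 2010] [notice] Apache configured -- resuming normal operations",
    "[Tue May 11 13:03:02 2010] [error] (constructed for this example) a worker failed to start",
]

if __name__ == "__main__":
    routine, review = triage(SAMPLE_LOG)
    print(f"{len(routine)} routine conflict warning(s), {len(review)} line(s) to review")
    print(review)
```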
Contains the messages generated between the Administration Console and the JCC module. Linux: The log file is located in the /opt/novell/devman/jcc/logs directory. Windows: The log file is located in the \Program Files\Novell\devman\jcc\logs directory.
Check this file for entries that trace the evaluation of Authorization, Identity Injection, and Form Fill policies. Linux: The file is located in the /var/opt/novell/tomcat5/logs directory. Windows: The files are located in the \Program Files\Novell\Tomcat\logs directory, and they are usually prefixed with a time stamp.
6 Verify that the JCC service is running by entering the following command: ps -ef | grep /opt/novell/devman/jcc/conf/run.sh Lines similar to the following are displayed:
root 3777 30290 0 13:03 pts/0 00:00:00 egrep /opt/novell/devman/jcc/conf/run.sh
root 5506 0 May11 ? 00:00:00 /bin/bash /opt/novell/devman/jcc/conf/run.sh...
Section 8.3.3, “Disabling Debug Mode,” on page 251 8.3.1 Starting Apache in Debug Mode “Linux” on page 250 “Windows” on page 251 Linux Use the following commands to start debug mode: /etc/init.d/novell-apache2 stop /etc/init.d/novell-apache2 start debug
This page displays debug information about caching, SSL, workers, and proxy information. http://127.0.0.1:8181/server-info This page displays module and configuration information. 3 If a crash occurred, examine the core dump file or copy it so you can send it to Novell Technical Support. Linux: /var/cache/novell-apache2...
The Windows operating system has the following tools that can help you determine the cause of a problem.
Tool: Description
Task Manager: Use this utility to check resources available on the system.
Control Panel > Administrative Services > Services: Use this utility to stop and start services.
Use this command to view identity provider metadata from the Linux Access Gateway. See “Testing Whether the Provider Can Access the Metadata” in the Novell Access Manager 3.1 SP2 Identity Server Guide.
netstat -a: Use this command to view statistics about the listeners on the Access Gateway.
Apache fails to start when it discovers a syntax error in any of the advanced options. 1 Click Devices > Edit > Advanced Options. 2 To reset all options to their default values, delete all options from the text box.
3 Change to the following directory and open the Apache error log file. Linux: /var/log/novell-apache2 Windows: \Program Files\Novell\Apache\logs 4 On Linux, also view the contents of the rcnovell-apache2.out file. 5 If you still do not have enough information to solve the configuration problem, continue with Section 8.6.3, “Viewing the Errors as Apache Generates Them,”...
In order for the module to start, it must be able to resolve the listening IP address to a DNS name. To install an Access Gateway Service, the machine must have a DNS name and the IP address must resolve to this name.
8.7 Understanding the Authentication Process of the Access Gateway Service When a user requests access to a protected resource, the request can be in one of the following states: No session or cookie is established, because this is the user’s first request. The user’s session is a public session because only public resources have been accessed.
If the request does not contain a session cookie, the user is unknown and is assigned as a public user. The Access Gateway continues processing with the tasks outlined in Figure 8-5 on page 259.
When the request contains a session cookie, the Access Gateway checks its local user store for a user that matches the session cookie. Each Access Gateway in the cluster maintains its own list of known users. If the session cookie matches one of the locally known users, the user is assigned that identity. The Access Gateway continues with the tasks outlined in Figure 8-5 on page 259.
If the URL in the request matches a URL of a protected resource, the Access Gateway needs to examine the protection type assigned to the resource. The Access Gateway continues with the tasks outlined in Figure 8-6 on page 261.
Figure 8-6 Determining the Protection Type Assigned to the Resource (flowchart; its decision nodes read: Is the PR protected with a contract? Is the user authenticated with the required contract? Is the PR enabled for NRL? Is an Authentication header present? Are the Authentication header credentials valid? Is the NRL...; its exit is Continue Processing)
(domains of development.novell.com and support.novell.com can share the cookie domain of novell.com) or configure them so that they cannot share a cookie domain (domains of a.slc.com and b.provo.com cannot share a cookie domain).
When the Access Gateway reaches the task in decision point 10, it has determined that the protected resource requires a contract and that user is not authenticated with that contract. If the protected resource is in the same cookie domain, the Access Gateway redirects the request to the Embedded Service Provider (ESP).
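The request states and decision points described in this section, modeled as an added example that is not the guide's or the product's code: no session cookie gives a public user, a cookie matching a locally known user gives that identity, and a protected resource that requires a contract the user lacks leads to the decision point 10 redirect to the ESP when the resource shares the ESP's cookie domain. The class and field names are assumptions; so are the outcomes of the NRL branch and the treatment of a cookie unknown to the local node, both marked in the code.

```python
# Added example (not Novell's code): model of Figures 8-5 and 8-6 as described in the text.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class ProtectedResource:
    host: str                       # DNS name the resource is published under
    url_prefix: str
    contract: Optional[str] = None  # None: public resource, no contract required
    nrl_enabled: bool = False       # non-redirected login enabled for this PR

@dataclass
class User:
    name: str
    contracts: Set[str] = field(default_factory=set)

PUBLIC = User("public")

@dataclass
class Request:
    host: str
    url: str
    session_cookie: Optional[str] = None
    auth_header_valid: Optional[bool] = None  # None: no Authentication header sent

def identify_user(req: Request, known_users: Dict[str, User]) -> User:
    # Figure 8-5: no cookie -> public user; cookie matching a locally known user
    # -> that identity. Assumption: a cookie unknown to this node is treated as
    # public here; the cluster-wide lookup is outside this excerpt.
    if req.session_cookie is None:
        return PUBLIC
    return known_users.get(req.session_cookie, PUBLIC)

def shares_cookie_domain(host: str, cookie_domain: str) -> bool:
    # development.novell.com shares novell.com; a.slc.com does not share b.provo.com.
    return host == cookie_domain or host.endswith("." + cookie_domain)

def decide(req: Request, user: User, prs: List[ProtectedResource],
           esp_cookie_domain: str) -> str:
    # Figure 8-6 decision points for a request whose URL matches a PR.
    pr = next((p for p in prs if p.host == req.host
               and req.url.startswith(p.url_prefix)), None)
    if pr is None or pr.contract is None:
        return "CONTINUE"              # public resource, no contract required
    if pr.contract in user.contracts:
        return "CONTINUE"              # authenticated with the required contract
    if pr.nrl_enabled and req.auth_header_valid is not None:
        # Assumption: valid header credentials satisfy the contract, invalid ones are refused.
        return "CONTINUE" if req.auth_header_valid else "REFUSE"
    if shares_cookie_domain(pr.host, esp_cookie_domain):
        return "REDIRECT_TO_ESP"       # decision point 10 in the text
    return "OUTSIDE_COOKIE_DOMAIN"     # handling not covered in this excerpt
```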