Novell ACCESS MANAGER 3.1 SP2 - ACCESS GATEWAY GUIDE 2010 Manual

Access gateway guide
AUTHORIZED DOCUMENTATION
Access Gateway Guide
Novell®
Access Manager
3.1 SP2
June 18, 2010
www.novell.com
Novell Access Manager 3.1 SP2 Access Gateway Guide

Summary of Contents for Novell ACCESS MANAGER 3.1 SP2 - ACCESS GATEWAY GUIDE 2010

  • Page 1 AUTHORIZED DOCUMENTATION Access Gateway Guide Novell ® Access Manager 3.1 SP2 June 18, 2010 www.novell.com Novell Access Manager 3.1 SP2 Access Gateway Guide...
  • Page 2: Legal Notices

    Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
  • Page 3 Novell Trademarks For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html). Third-Party Materials All third-party trademarks are the property of their respective owners.
  • Page 5: Table Of Contents

    1.4.4 Configuring a Protected Resource for a Novell Teaming 2.0 Server ... 44 Configuring HTML Rewriting ... 49 1.5.1...
  • Page 6 Viewing Access Gateway Alerts ... 151
  • Page 7 4.6.2 Viewing Access Gateway Cluster Alerts ... 151 4.6.3 Managing Access Gateway Alert Profiles ...
  • Page 8 Error: novell-vmc-chroot Failed to Start ... 218...
  • Page 9 7.12 Using Curl to Download Large Files ... 241 7.13 Linux Access Gateway Crashes When Change is Applied to the Server ...
  • Page 11: About This Guide

    About This Guide This guide describes the following features of the Novell Access Gateway: Chapter 1, “Configuring the Access Gateway to Protect Web Resources,” on page 13 Chapter 2, “Server Configuration Settings,” on page 73 Chapter 3, “Configuring the Access Gateway for SSL and Other Security Features,” on page 109 Chapter 4, “Access Gateway Maintenance,”...
  • Page 12: Additional Documentation

    Novell Access Manager 3.1 SP2 Identity Server Guide; Novell Access Manager 3.1 SP2 Policy Guide; Novell Access Manager 3.1 SP2 J2EE Agent Guide; Novell Access Manager 3.1 SP2 SSL VPN Server Guide; Novell Access Manager 3.1 SP2 Event Codes
  • Page 13: Configuring The Access Gateway To Protect Web Resources

    Configuring the Access Gateway to Protect Web Resources The Novell Access Gateway is a reverse proxy server (protected site server) that restricts access to Web-based content, portals, and Web applications that employ authentication and access control policies. It also provides single sign-on to multiple Web servers and Web applications by securely providing the credential information of authenticated users to the protected servers and applications.
  • Page 14: Managing Reverse Proxies And Authentication

    Reverse proxy names and proxy service names must be unique to the Access Gateway because they are configured for global services such as IP...
  • Page 15 addresses and TCP ports. For example, if you have a reverse proxy named products and another reverse proxy named library, only one of these reverse proxies can have a proxy service named corporate. Protected resource names need to be unique to the proxy service, but they don’t need to be unique to the Access Gateway because they are always accessed through their proxy service.
  • Page 16 (see the Enable SSL with Embedded Service Provider option on the Reverse Proxy page). If the Identity Server cluster is using a certificate created by the Novell Access Manager certificate authority (CA), the public key is automatically added to this trust store, so you do not need to use this option.
  • Page 17: Creating A Proxy Service

    Force HTTP-Only Cookie: Forces the Access Gateway to set the HttpOnly keyword, which prevents scripts from accessing the cookie. This helps protect browsers from cross-site scripting vulnerabilities that allow malicious sites to grab cookies from a vulnerable site. The goal of such attacks might be to perform session fixation or to impersonate the valid user.
  • Page 18 Host Header: Specify whether the HTTP header should contain the name of the back-end Web server (Web Server Host Name option) or whether the HTTP header should contain the published DNS name (the Forward Received Host Name option).
  • Page 19: Configuring A Proxy Service

    Web Server Host Name: Specify the DNS name of the Web server that the Access Gateway should forward to the Web server in the Host header. If you have set up a DNS name for the Web server and it requires its DNS name in the HTTP header, specify that name in this field. If the Web server has absolute links referencing its DNS name, include this name in this field.
  • Page 20 Cookie Domain: Specifies the domain for which the cookie is valid. If one proxy service has a DNS name of www.support.novell.com and the second proxy service has a DNS name of www.developernet.novell.com, the cookie domains are support.novell.com for the first proxy service and developernet.novell.com for the second proxy service.
  • Page 21: Configuring Advanced Options For A Domain-Based Proxy Service

    For example, NetStorage requires an override for the 401 error because it includes a key in the 401 error. The portal page for the Novell Open Enterprise Server requires an override for error 403 because it includes JavaScript.
  • Page 22: Configuring The Web Servers Of A Proxy Service

    If possible, they should be configured to use an NTP server. 1 Click Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Web Servers.
  • Page 23 2 Specify the hostname that is placed in the HTTP header of the packets being sent to the Web servers. In the Host Header field, select one of the following: Forward Received Host Name: Indicates that you want the HTTP header to contain the published DNS name that the user sent in the request.
  • Page 24: Configuring Protected Resources

    A resource that has specialized protection requirements can be set up as a single protected resource. For example, a page that uses Form Fill is usually set up as a single protected resource.
  • Page 25: Setting Up A Protected Resource

    To configure a protected resource: 1 In the Administration Console, click Devices > Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Domain-Based Proxy Service or Primary Proxy Service] > Protected Resources. The Resource View of the Protected Resource List is used to create new protected resources or manage existing protected resources.
  • Page 26 5 (Conditional) To modify how the authentication procedures are handled for a specific resource and contract, click the Edit Authentication Procedures icon. For configuration information, see Section 1.3.2, “Configuring an Authentication Procedure for Non-Redirected Login,” on page 6 Configure the URL Path.
  • Page 27 The default path is /*, which indicates everything on the Web server. Modify this if you need to restrict access to a specific directory on your Web server. If you have multiple directories on your Web server that require the same authentication contract and access control, add each directory as a URL path.
  • Page 28 You need to then restart the Access Gateway Appliance to activate the touch file. When this touch file is used, the Access Gateway Appliance ignores the query string and uses just the path to find a match.
  • Page 29: Configuring An Authentication Procedure For Non-Redirected Login

    1.3.2 Configuring an Authentication Procedure for Non-Redirected Login When a contract is created, it is assigned an authentication procedure that allows the user to be redirected to the Identity Server for authentication. Some applications, such as AJAX and WebDAV applications, do not support redirection for authentication.
  • Page 30 “Configuring a Protected Resource for a SharePoint Server with an ADFS Server” on page 39 “Configuring a Protected Resource for Outlook Web Access” on page 42 “Configuring a Protected Resource for a Novell Teaming 2.0 Server” on page 44
  • Page 31: Assigning An Authorization Policy To A Protected Resource

    For configuration information, see “Creating Access Gateway Authorization Policies” in the Novell Access Manager 3.1 SP2 Policy Guide. When you have completed your policy modifications, continue with Step To create a new policy, click Manage Policies. On the Policies page, click New, specify a display name, select Access Gateway: Authorization as the type, then click OK.
  • Page 32: Assigning An Identity Injection Policy To A Protected Resource

    4 To save your changes to the browser cache, click OK. 5 To apply your changes, click the Access Gateways link, then click Update > OK.
  • Page 33: Assigning A Form Fill Policy To A Protected Resource

    You must create the policy before you can assign it to a resource (see “Creating Form Fill Policies” in the Novell Access Manager 3.1 SP2 Policy Guide). To assign a Form Fill policy to a protected resource: 1 In the Administration Console, click Devices > Access Gateways > Edit > [Reverse Proxy Name] >...
  • Page 34 X.509, RADIUS, smart card, or Kerberos. For information about such a class, see “Configuring Password Retrieval” in the Novell Access Manager 3.1 SP2 Identity Server Guide.
  • Page 35: Assigning A Timeout Per Protected Resource

    The protected resource is assigned to use a contract, and the timeout is assigned to the contract. For information on how to configure the contract, see “Configuring Authentication Contracts” in the Novell Access Manager 3.1 SP2 Identity Server Guide. The following sections describe four configuration scenarios and the user experience that they create.
  • Page 36 With this configuration, activity at other resources influences the time limits so that they are not strictly enforced. Scenario 3: If single sign-on is more important than strictly enforcing a timeout value, Novell recommends that you configure all contracts to have the same authentication timeout value.
  • Page 37: Assigning A Policy To Multiple Protected Resources

    PR1, the time line shows no activity within the time limit specified for PR2 and the user is prompted to log in. Scenario 4: Novell does not recommend that you set different authentication timeouts on contracts and then use the Any contract option for protected resources. If you want to use the Any contract, then you should set the authentication timeout to the same value on all contracts.
  • Page 38: Configuring Protected Resources For Specific Applications

    Server,” on page 39 Section 1.4.3, “Configuring a Protected Resource for Outlook Web Access,” on page 42 Section 1.4.4, “Configuring a Protected Resource for a Novell Teaming 2.0 Server,” on page 44 1.4.1 Configuring a Protected Resource for a SharePoint Server You can protect a SharePoint server as a domain-based or a path-based multi-homing resource on the Linux Access Gateway Appliance.
  • Page 39: Configuring A Protected Resource For A Sharepoint Server With An Adfs Server

    For more information on the other options, see “Configuring Authentication Contracts” in the Novell Access Manager 3.1 SP2 Identity Server Guide. 3 Click Next. 4 Configure a card for the contract by filling in the following: Text: Specify the text that is displayed on the card to the user.
  • Page 40 For single sign-on, all the protected resources need to specify the same contract. When assigning the contract for the /* resource, the contract needs to be configured to use non-redirected login for its authentication procedure. When a user first accesses the SharePoint server, the users are directed
  • Page 41 either to the home page or the root of the server. From either of these locations, the users can be redirected to the Identity Server for authentication. After the users have authenticated and the SharePoint server requests authentication for access to any of the other pages, these pages need to be configured to use non-redirected login.
  • Page 42: Configuring A Protected Resource For Outlook Web Access

    3 (Optional) Specify a description for the protected resource. You can use it to briefly describe the purpose for protecting this resource. 4 Select an authentication contract. If you want to enable non-redirected login, select Name/Password - Basic as the authentication contract.
  • Page 43 5 (Optional) If you want to enable non-redirected login, click the Edit Authentication Procedure icon, then click the contract that you have added to specify the following information: Non-Redirected Login: Select the option to enable non-redirected login. Realm: Specify the security realm configured for the IIS server running the Outlook Web Access server.
  • Page 44: Configuring A Protected Resource For A Novell Teaming 2.0 Server

    The following sections explain how to configure the Access Gateway with a domain-based multi-homing service. The instructions assume that you have a functioning Novell Teaming 2.0 server on Linux and a functioning Access Manager system (3.1 SP1 IR1 or higher) with a reverse proxy configured for SSL communication between the browsers and the Access Gateway.
  • Page 45 11 Start the Teaming server with the following command: /etc/init.d/teaming start 12 Continue with “Configuring a Domain-Based Multi-Homing Service for Novell Teaming” on page Configuring a Domain-Based Multi-Homing Service for Novell Teaming The following instructions describe how to set up a domain-based service to protect the Teaming server.
  • Page 46 This DNS name must resolve to the IP address you set up as the listening address. For example, teaming.doc.provo.novell.com Web Server IP Address: Specify the IP address of the Novell Teaming server. Host Header: Select the Web Server Host Name option.
  • Page 47 /teaming/* /ssf/* 2e Click OK. 3 Create a protected resource for WebDAV and AJAX content: 3a In the Protected Resource List, click New, specify a unique name, then click OK. 3b (Optional) Specify a description for the protected resource. You can use it to briefly describe the purpose for protecting this resource.
  • Page 48 “Configuring Single Sign-On” on page Configuring Single Sign-On You must configure an Identity Injection policy to enable single sign-on with the Novell Teaming server. This Identity Injection policy should be configured to inject the authentication credentials into the authorization headers.
  • Page 49: Configuring Html Rewriting

    HTML Rewriting Figure 1-6 (diagram: Browsers at novell.com/path, Access Gateway, Web Server at data.com). Request path: the browser sends GET /path HTTP/1.1 with Host: www.novell.com; the Access Gateway forwards GET HTTP/1.1 with Host: data.com to the Web server. Reply path: the HTML Rewriter changes the Web server's page source <HTML> <img src=http://data.com/image1.jpg/> </HTML> into <HTML> <img src=http://www.novell.com/path/image1.jpg/> </HTML>...
  • Page 50 ) are evaluated if the page is read from a path-based multi-homing Web server and the reference follows an HTML tag. For example, the string href=‘/docs/file.html’ is rewritten if /docs is a multi-homing path that has been configured to be removed.
  • Page 51: Specifying The Dns Names To Rewrite

    Context Criteria HTML Tags URL references occurring within the following HTML tag attributes are evaluated for rewriting: action, archive, background, cite, code, codebase, data, dynscr, filterLink, href, longdesc, lowsrc, o:WebQuerySourceHref, onclick, onmenuclick, pluginspage, usemap, usermapborderimage. References An absolute reference is a reference that has all the information needed to locate a resource, including the hostname, such as http://...
  • Page 52 If you enable the Forward Received Host Name option on your path-based multi-homing service and your Web server is configured to use a different port, you need to add the DNS name with the port to the Additional DNS Name List.
  • Page 53 If you have a third reverse proxy protecting a Web server, the rewriting rules can become ambiguous. For example, consider the configuration illustrated in Figure 1-8. Excluding URLs Figure 1-8 (diagram: Browsers, Firewall, Access Gateway, and Server; requests flow from the browsers through the Access Gateway to the server; names shown are product.com, data.com, novell.com.uk, novell.com.usa, and novell.com.mx)
  • Page 54: Defining The Requirements For The Rewriter Profile

    default Word profile is used. This profile is preconfigured to rewrite the Web Server Host Name and any other names listed in the Additional DNS Name List. The preconfigured profile matches all URLs with the following content-types: text/html, text/javascript, text/xml, application/javascript, text/css, application/x-javascript
  • Page 55: Page Matching Criteria For Rewriter Profiles

    When you modify the behavior of the default profile, remember its scope. If the default profile does not match your requirements, you should usually create your own custom Word profile or custom Character profile. Custom Word Profile A Word profile searches for matches on words. For example, “get” matches the word “get” and any word that begins with “get”...
  • Page 56: Possible Actions For Rewriter Profiles

    Possible Actions for Rewriter Profiles The rewriter action section of the profile determines the actions the rewriter performs when a page matches the profile. Select from the following: Inbound Actions Enabling or Disabling Rewriting
  • Page 57 Additional Names to Search for URL Strings to Rewrite with Host Name String Replacement Inbound Actions: A profile might require these options if the proxy service has the following characteristics: URLs appear in query strings, Post Data, or headers. The Web server uses WebDAV methods. If your profile needs to match pages from this type of proxy service, you might need to enable the options listed below.
  • Page 58: String Replacement Rules For Word Profiles

    [w] to match one white space character [ow] to match 0 or more white space characters [ep] to match a path element in a URL path, excluding words that end in a period
  • Page 59: String Replacement Rules For Character Profiles

    [ew] to match a word element in a URL path, including words that end in a period [oa] to match one or more alphanumeric characters White Space Tokens: You use the [w] and the [ow] tokens to specify where white space might occur in the string.
  • Page 60: Using $Path To Rewrite Paths In Javascript Methods Or Variables

    To use the $path token, you add a search string and a replace string that uses the token. For example, if the page /prices/pricelist.html is generated by JavaScript and the multi-homing path for the proxy service is /inner, you would specify the following strings:
  • Page 61: Configuring The Html Rewriter And Profile

    Rewritten String for the Web Server (table rows, original string → rewritten string): /inner/prices/pricelist.html → /prices/pricelist.html; /inner/prices → /prices; novell.com/inner/prices → inner.com/prices. 1.5.4 Configuring the HTML Rewriter and Profile You configure the HTML rewriter for a proxy service, and these values are applied to all Web servers that are protected by this proxy service.
  • Page 62 4 In the Exclude DNS Name List section, click New, specify a DNS name that appears on the Web pages of your server that you do not want rewritten, then click OK. For more information, see “Determining Whether You Need to Exclude DNS Names from Being Rewritten” on page
  • Page 63 5 Use the HTML Rewriter Profile List to configure a profile. Select one of the following actions: New: To create a profile, click New. Specify a display name for the profile and select either a Word or Character for the Search Boundary. Continue with Section 1.5.5, “Creating or Modifying a Rewriter Profile,”...
  • Page 64: Creating Or Modifying A Rewriter Profile

    New and specify the name, such as text/dns. Search your Web pages for content-types to determine if you need to add new types. To add multiple values, enter each value on a separate line.
  • Page 65 For more information on how to use these options, see “Page Matching Criteria for Rewriter Profiles” on page 4 Use the Actions section to specify the actions the rewriter should perform if the page matches the criteria in the Requested URLs to Search section. Configure the following actions: Rewrite Inbound Query String Data: (Not available for Character profiles) Select this option to rewrite the domain and URL in the query string to match the Web server.
  • Page 66 If the changes affect numerous pages, click Access Gateways, select the name of the server, then click Actions > Purge All Cache. If the changes affect only a few pages, refresh or reload the page within the browser.
  • Page 67: Disabling The Rewriter

    1.5.6 Disabling the Rewriter There are three methods you can use to disable the internal rewriter: “Disabling per Proxy Service” on page 67 “Disabling per URL” on page 67 “Disabling with Page Modifications” on page 67 Disabling per Proxy Service By default, the rewriter is enabled for all proxy services.
  • Page 68 URLs need to be rewritten but others cannot be rewritten, you can turn on and turn off rewriting by adding the following formvalue tags before and after the <input>, <button>, and <option> elements in the form.
  • Page 69: Configuring Connection And Session Limits

    <!--NOVELL_REWRITE_ATTRIBUTE_ON='formvalue'--> (placed before <input>, <button>, and <option> elements to be rewritten) <!--NOVELL_REWRITE_ATTRIBUTE_OFF='formvalue'--> (placed before <input>, <button>, and <option> elements that shouldn’t be rewritten) 1.6 Configuring Connection and Session Limits The Access Gateway establishes connections with clients and with Web servers. For most networks, the default values for unresponsive connections and sessions provide adequate performance, but you can fine-tune the options for your network, its performance requirements, and your users: Section 1.6.1, “Configuring TCP Listen Options for Clients,”...
  • Page 70: Configuring Tcp Connect Options For Web Servers

    1 In the Administration Console, click Devices > Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Web Servers > TCP Connect Options.
  • Page 71 2 Configure the IP address to use when establishing connections with Web servers: Cluster Member: (Available only if the Access Gateway is a member of a cluster.) Select the server you want to configure from the list of servers. Only the value of the Make Outbound Connection Using option applies to the selected server.
  • Page 72: Configuring Connection And Session Persistence

    The persistence of the browser to Web server connection is always enabled and is not configurable. This feature allows a browser to use the same Web server after an initial connection has been established. Most Web applications are designed to expect this type of behavior.
  • Page 73: Server Configuration Settings

    Server Configuration Settings This section describes the configuration settings that affect the Access Gateway as a server, such as changing its name or setting the time. Section 2.1, “Configuration Overview,” on page 73 Section 2.2, “Saving, Applying, or Canceling Configuration Changes,” on page 75 Section 2.3, “Managing Access Gateways,”...
  • Page 74 Section 4.6.3, “Managing Access Gateway Alert Profiles,” on page 152. Auditing: Allows you to select the events to send to a Novell Sentinel or Audit server. For more information, see Section 4.7, “Enabling Access Gateway Audit Events,” on page 156.
  • Page 75: Saving, Applying, Or Canceling Configuration Changes

    2.2 Saving, Applying, or Canceling Configuration Changes When you make configuration changes on a page accessed from Devices > Access Gateways > Edit and click OK on that page, the changes are saved to the browser cache. If your session expires or you close the browser session before you update the Access Gateway with the changes, the changes are lost.
  • Page 76: Managing Access Gateways

    To stop and start the Access Gateway Service, select the service, then click Restart. If the Access Gateway Service is already stopped, use Restart to start it. Refresh: To update the list of Access Gateways and the status columns (Status, Health, Alerts, Commands), click Refresh.
  • Page 77 3 To perform an action available in the Actions drop-down menu, select an Access Gateway, then select one of the following: Assign to Cluster: To add the selected Access Gateway to a cluster, select Assign to Cluster, then select the cluster. This Access Gateway is reconfigured with the configuration of the primary cluster server.
  • Page 78 Alerts,” on page 151. For information about the alerts sent to the cluster, click the link on the cluster row. For more information, see Section 4.6.2, “Viewing Access Gateway Cluster Alerts,” on page 151.
  • Page 79: Viewing And Updating The Configuration Status

    Commands: Indicates the status of the last executed command and whether any commands are pending. Click the link to view more information. For more information, see Section 4.9, “Viewing the Command Status of the Access Gateway,” on page 163. Statistics: Provides a link to the statistic pages. For information about the statistics of a specific Access Gateway, click the View link on the Access Gateway row and see Section 4.4, “Viewing Access Gateway Statistics,”...
  • Page 80 Indicates that another administrator is making configuration changes. Before you proceed with any configuration changes, you need to coordinate with this administrator and wait until the Access Gateway has been updated with the other administrator’s changes.
  • Page 81: Scheduling A Command

    2.3.2 Scheduling a Command Use the Schedule New Command page to schedule a command, such as a shutdown, restart, or upgrade. 1 In the Administration Console, click Devices > Access Gateways. 2 (Conditional) To schedule a shutdown or restart, select a server, then click Actions > Schedule Restart or Schedule Stop.
  • Page 82: Changing The Name Of An Access Gateway And Modifying Other Server Details

    Description: Describe the purpose of this Access Gateway. This is optional, but useful if your network has multiple Access Gateways. 3 Click OK twice, then click Close. When you click OK, any changes are immediately applied to the Access Gateway.
  • Page 83: Upgrading The Access Gateway Software

    “Backing Up and Restoring” in the Novell Access Manager 3.1 SP2 Administration Console Guide The export feature is not an upgrade tool. You cannot export a configuration from one version of Access Manager and import it into a newer version of Access Manager.
  • Page 84 (DNSName elements in the file) The cookie domains associated with each proxy service (AuthenticationCookieDomain elements in the file) The URL masks in pin lists that contain fully qualified names (URLMask elements in the file)
  • Page 85 Depending upon your naming standards, you might want to change the names of the following: UserInterfaceID elements (proxy service, pin list, and protected resource user interface IDs) Description elements (proxy service, pin list, and protected resource descriptions) Name (proxy service, pin list, and protected resource names) SubServiceID elements MultiHomeMasterSubserviceIDRef elements LogDirectoryName elements...
  • Page 86 IP addresses in the Web Server List: If the IP addresses in the production area are different from the IP addresses in the staging area, modify the IP addresses to match the production area.
  • Page 87 Certificates: If you have configured SSL or mutual SSL between the proxy service and the Web servers, configure the Web Server Trusted Root and SSL Mutual Certificate options. The export and import configuration option does not export and import certificates. 1e Click OK twice.
  • Page 88: Setting Up A Tunnel

    IP address and port or a tunnel for that IP address and port. To set up a tunnel: 1 In the Administration Console, click Devices > Access Gateways > Edit > Tunneling.
  • Page 89 2 Click New, enter a display name for the tunnel, then click OK. 3 Fill in the following fields: Enable Tunnel: Specifies that the Access Gateway should set up a tunnel for all incoming traffic. This option must be enabled to configure a tunnel. Tunnel SSL Traffic Only: Allows you to configure the Access Gateway to tunnel only SSL traffic.
  • Page 90: Setting The Date And Time

    2 (Conditional) If the Access Gateway belongs to a cluster of Access Gateways, select the Access Gateway from the list displayed in the Cluster Member field. The modifications you make on this page apply only to the selected Access Gateway.
  • Page 91: Customizing Error Pages On The Access Gateway Appliance

    NOTE: If you are modifying any of the above files, ensure that you retain the original filenames. The Access Gateway Appliance maintains three directories to save files that are used for error page configuration: /var/novell/errorpagesconfig/.factory, /var/novell/errorpagesconfig/.backup, and /var/novell/errorpagesconfig/current. During the initial installation, the default template files are copied to the .factory and the ...
  • Page 92: Customizing The Error Pages By Using The Default Template

    <font color="black" face="Comic Sans MS"><ERROR_STATUS> </font> </p> <p align="left"> <font color="black" face="Comic Sans MS"><b>Description</b></font> <font color="#ff0033" face="Comic Sans MS"><b>: </b></font> <font color="black" face="Comic Sans MS"><ERROR_DESCRIPTION></font> </p> <br> <br> </font></td> </tr> <tr><td width="444" height="10" align="center"><img height="8"
  • Page 93: Customizing And Localizing Error Messages

    Access Gateway cache. 6 Save the file. 7 Enter the following commands to restart the machine: /etc/init.d/novell-vmc stop /etc/init.d/novell-vmc start 8 If the Access Gateway belongs to a cluster, copy the modified file and images to each member in the cluster, then restart that member.
  • Page 94 3 Add the language information within the tag as follows: <profile> <ErrorPageConfiguration> <Profile name="English" enable="1" fileXn="en"> <header value="en-us" /> <header value="en-uk" />
  • Page 95: Customizing The Error Pages Of The Access Gateway Service

    4 Save the file. 5 Enter the following commands to restart the machine: /etc/init.d/novell-vmc stop /etc/init.d/novell-vmc start 6 If the Access Gateway belongs to a cluster, copy the modified file to each member of the cluster, then restart that member.
  • Page 96 3e Save the file. 3f Copy your image to the images directory: Linux: /opt/novell/apache2/share/error/images Windows: \Program Files\Novell\apache\error\images 4 Copy all modified files and image files to all Access Gateways in the cluster.
  • Page 97: Configuring Network Settings

    2.9 Configuring Network Settings After initial setup, you seldom need to change the network settings unless something in your network changes, such as adding a new gateway or DNS server. These options are for the Access Gateway Appliance. For the Linux or Windows Access Gateway Service, use the utilities supplied by the operating system.
  • Page 98 Subnet: Displays the address of the subnet that you are modifying. This is empty if you are creating a new subnet. Subnet Mask: (Required) Specifies the subnet mask address for this subnet. The address can be specified in standard dotted format or in CIDR format.
  • Page 99: Viewing And Modifying Gateway Settings

    To delete an address, select the address, then click Delete. To change the IP address, see “Changing the IP Address of the Access Gateway Appliance” in the Novell Access Manager 3.1 SP2 Administration Console Guide. 5 Click OK. 6 Configure the Adapter List Options.
  • Page 100 2 (Conditional) If the Access Gateway is a member of a cluster, select the server you want to configure from the list of servers in the Cluster Member field. All changes made to this page apply to the selected server. 3 Fill in the following fields:...
  • Page 101 Act as Router: Select this option if the Access Gateway functions as the default gateway for clients on the network. If you select this option, you can specify additional gateways. Enable Gateway Statistics Monitoring: Select this option if you want to gather statistics and monitor the traffic on the gateways.
  • Page 102: Viewing And Modifying Dns Settings

    New: To add a server to the list, click this option and specify the IP address of a DNS server. Delete: To delete a server from the list, select the address of a server, then click this option.
  • Page 103: Configuring Hosts

    Order: To modify the order in which the DNS servers are listed, select the server, then click either the up-arrow or the down-arrow buttons. The first server in the list is the first server contacted when a DNS name needs to be resolved. 4 Configure the DNS Cache Settings.
  • Page 104: Adding New Network Interfaces To The Access Gateway Appliance

    5 Click Adapter List. If the server is a member of a cluster, select the cluster member you want to configure. The newly added network interface is displayed here. 6 In the newly added adapter section, click New, then configure the subnet mask and IP address.
  • Page 105: Adding A New Ip Address To The Access Gateway Service

    7 To save your changes to browser cache, click OK. 8 On the Server Configuration page, click OK, then click Update > OK. 2.9.6 Adding a New IP Address to the Access Gateway Service Before you can configure the Access Gateway Service to use a new IP address, you must first use an operating system utility to add the IP address.
  • Page 106: Customizing The Access Gateway Logout Page

    One way to provide redirection is to replace the information in the <body> element of the logoutSuccess.jsp file with something similar to the following: <body> <script language="JavaScript"> top.location.href='http://<hostname/path>'; </script> </body> Replace the <hostname/path> string with the location of your customized logout page.
  • Page 107: Configuring The Logout Disconnect Interval

    1 Log in to the Access Gateway as the root or administrator user. 2 Open the web.xml file: Linux: /opt/novell/nesp/lib/webapps/WEB-INF/web.xml Windows: /Program Files/Novell/nesp/lib/webapps/WEB-INF/web.xml 3 Find the <context-param> section in the file. 4 Add the following parameter to the <context-param> section....
  • Page 108: Configuring X-Forwarded-For Headers

    Web requests passing through the proxy service. 3 To save your changes to browser cache, click OK. 4 To apply your changes, click the Access Gateways link, then click Update > OK.
  • Page 109: Configuring The Access Gateway For Ssl And Other Security Features

    The Identity Server needs to be configured for SSL before the Access Gateway can be configured for SSL. See “Configuring Secure Communication on the Identity Server” in the Novell Access Manager 3.1 SP2 Setup Guide.
  • Page 110: Prerequisites For Ssl

    You can create a certificate signing request (CSR), send it to an external CA, then import the returned certificates into Access Manager. See “Generating a Certificate Signing Request” and “Importing Public Key Certificates (Trusted Roots)” in the Novell Access Manager 3.1 SP2 Administration Console Guide.
  • Page 111: Gateway

    “Importing Public Key Certificates (Trusted Roots)” in the Novell Access Manager 3.1 SP2 Administration Console Guide. 2 To add the public certificate to the Access Gateway: 2a In the Administration Console, click Devices > Access Gateways > Edit > Service Provider Certificates >...
  • Page 112: Configuring Ssl Communication With The Browsers And The Identity Server

    SSL connection. If this option is not selected, browsers that connect to the non-secure port are denied service. This option is only available if you have selected Enable SSL with Embedded Service Provider.
  • Page 113 Identity Servers in the selected Identity Server Configuration. This sets up a trusted SSL relationship between the Identity Server and the Embedded Service Provider. If you are using certificates signed by the Novell Access Manager CA, the public key is automatically added to this trust store.
  • Page 114 If you receive a 100101043 or 100101044 error, the trusted relationship has not been established. For information on solving this problem, see “Troubleshooting 100101043 and 100101044 Liberty Metadata Load Errors” in the Novell Access Manager 3.1 SP2 Identity Server Guide.
  • Page 115: Configuring Ssl Between The Proxy Service And The Web Servers

    3.4 Configuring SSL between the Proxy Service and the Web Servers SSL must be enabled between the Access Gateway and the browsers before you can enable it between the Access Gateway and its Web servers. 1 In the Administration Console, click Devices > Access Gateways > Edit > [Name of Reverse Proxy] >...
  • Page 116 A parent is missing if the chain does not include a certificate where the Subject and the Issuer have the same CN. 3e Specify an alias, then click OK.
  • Page 117: Enabling Secure Cookies

    All the displayed certificates are added to the trust store. 3f Click Close. 4 (Optional) Set up mutual authentication so that the Web server can verify the proxy service certificate: 4a Click the Select Certificate icon, 4b Select the certificate you created for the reverse proxy, then click OK. This is only part of the process.
  • Page 118 /> 6 Save the server.xml file. 7 Restart Tomcat. Linux: /etc/init.d/novell-tomcat5 restart Windows: Use the following commands: net stop "Apache Tomcat" net start "Apache Tomcat"
  • Page 119: Securing The Proxy Session Cookie

    3.5.2 Securing the Proxy Session Cookie The proxy session cookies store authentication information and other information in temporary memory that is transferred between the browser and the proxy. These cookies are deleted when the browser is closed. However if these cookies are sent through a non-secure channel, there is a threat of hackers intercepting the cookies and impersonating a user on Web sites.
  • Page 120: Managing Embedded Service Provider Certificates

    Administration Console and it is pushed to the Access Gateway. The certificate is available for use, but it is not used until you update the Access Gateway.
  • Page 121 Phase 2: When you select to update the Access Gateway, the configuration for the Access Gateway is modified to contain references to the new certificate and the configuration change is sent to the Access Gateway. The Access Gateway loads and uses the new certificate.
  • Page 123: Access Gateway Maintenance

    Access Gateway Maintenance Section 4.1, “Access Gateway Appliance Logs,” on page 123 Section 4.2, “Access Gateway Service Logs,” on page 126 Section 4.3, “Configuring Logging for a Proxy Service,” on page 131 Section 4.4, “Viewing Access Gateway Statistics,” on page 140 Section 4.5, “Viewing Cluster Statistics,”...
  • Page 124: Interpreting Log Messages

    Access Gateway components. <AMEVENTID#event-id> The following table lists the numbers and the components which they denote. Number Component Multi-Homing component Service Manager Request Processing Authentication Authorization Identity Injection Form Fill
  • Page 125: Configuring Logging Of Soap Messages And Http Headers

    Number Component Caching Response Processing Rewriting Soap Channel Connection Manager. DataStream 4.1.3 Configuring Logging of SOAP Messages and HTTP Headers 1 On the Linux Access Gateway Appliance, log in as root. 2 At the command prompt, enter the following command: nash 3 To enter the configuration mode, enter the following command: configure .current...
  • Page 126: Access Gateway Service Logs

    Log File: Specifies the name and extension for the log file. If you are creating multiple profiles, select a name that indicates the purpose of the profile. For example, you could create a log file for Form Fill policy entries and name the file form_fill.log
  • Page 127 If this name includes a subdirectory, the subdirectory is created relative to the displayed Log File Path. Echo To Console: Causes the events to be logged in the catalina.out (Linux) file or the stdout.log (Windows) file. 3 Configure the following rollover options to control how much disk space can be used for logging before a new log file is created and old log files are deleted.
  • Page 128: Managing Log Filters

    For configuration information, see Section 4.2.4, “Configuring a Log Filter,” on page 129. 3 Click OK twice, then update the Access Gateway.
  • Page 129: Configuring A Log Filter

    For information on the various tags used in the log files, see “Understanding the Log Format” in the Novell Access Manager 3.1 SP2 Administration Console Guide. Device IDs: The AMDEVICEID# value identifies the device that performed the action. To correlate the ID with the device, click Auditing > General Logging.
  • Page 130: Configuring A Log File For Troubleshooting Form Fill

    Info: Logs informational events such as configuration changes, startups, and shutdowns that complete successfully. If the event generates any type of error, warning, or severe message, these messages are not logged. Debug: Logs messages that include additional information useful to Novell Support and Engineering. Error: Logs events that error conditions generate.
  • Page 131: Configuring Logging For A Proxy Service

    16 (Optional) To view how the Embedded Service Provider evaluates the Form Fill policy, see “Form Fill Traces” in the Novell Access Manager 3.1 SP2 Policy Guide. 17 (Optional) To add more information about Form Fill policies to the Apache...
  • Page 132: Determining Logging Requirements

    4.3.1 Determining Logging Requirements Because logging requirements and transaction volume vary widely, Novell cannot make recommendations regarding a specific logging strategy. The following tasks guide you through the process of creating a strategy that fits your business needs. 1 Identify the reasons for tracking transactions such as customer billing, statistical analysis, or growth planning.
  • Page 133 logentry_size: The average log entry size. You can determine this by configuring a proxy service to track the required information, generating traffic to the proxy service, downloading the log files, determining how large each entry is, and calculating the average. request_rate: The peak rate of requests per second.
  • Page 134 1 Determine the values of the three variables listed above. 2 Use the max_log_roll_size formula to calculate the maximum size a log file should reach before the cache device rolls it over.
  • Page 135: Enabling Logging

    4.3.3 Enabling Logging Do not enable logging until you have designed a logging strategy. See Section 4.3.1, “Determining Logging Requirements,” on page 132. 1 In the Administration Console, click Devices > Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Logging. 2 Fill in the following fields: Enable Logging: Select this field to enable logging.
  • Page 136 All logging data in deleted files is lost. Do Not Delete: Prevents the system from automatically deleting the log files. 4 Click OK. 5 Click the Access Gateways link, then click Update > OK.
  • Page 137: Configuring Extended Log Options

    4.3.5 Configuring Extended Log Options Use the extended log options page to control log entry content, log rollover, and old file options. A log entry always includes the date, time, and client IP address for each entry, but with the log data options, you can add other fields such as the IP address of the server and the username of the client.
  • Page 138 (Access Gateway Appliance) The byte ranges sent from the Access Gateway to a requesting browser. E Tag (Access Gateway Appliance) The tag sent from the Access Gateway to a requesting browser.
  • Page 139 Name Description Completion Status (Access Gateway Appliance) The completion status for the transaction, indicating that it completed successfully or that it failed. Possible values: success, timeout, reset (the client terminated the connection), administrative (the Access Gateway terminated the connection). Reply Header Size (Access Gateway Appliance) The size in bytes of the HTTP header associated with a response to a client.
  • Page 140: Viewing Access Gateway Statistics

    Live Statistics Monitoring. Live Statistics Monitoring: Select this option to view the statistics as currently gathered and to have them refreshed at the rate specified in the Refresh Rate field.
  • Page 141 These general statistics are grouped into the following categories: “Server Activity” on page 141 “Connections” on page 142 “Bytes” on page 142 “Requests” on page 143 “Cache Freshness” on page 144 Server Activity The Server Activity section displays general server utilization statistics. Statistic Description CPU Utilization...
  • Page 142 The bytes statistics show how fast information is being sent in response to the following types of requests: Browser requests to the Access Gateway Access Gateway requests to the Web servers
  • Page 143 Statistic Description Bytes per Second from Origin Server (Access Gateway Appliance) Displays the number of bytes of data being sent each second from the Web servers to the Access Gateway. Click Graphs to view the number of bytes for a specific unit of time (1 hour, 1 day, 1 week, 1 month, 6 months, or 12 months).
  • Page 144 Gateway has received from browsers. Total Not Modified Replies Displays the total number of 304 Not Modified replies that the Access Gateway has received from the Web servers for updated content.
  • Page 145: Server Benefits Statistics

    Statistic Description Cache Freshness Displays the percentage of objects in cache that are considered fresh. Click Graphs to view the percentage of fresh objects for a specific unit of time (1 hour, 1 day, 1 week, 1 month, 6 months, or 12 months). The Value axis displays the percentage of fresh objects.
  • Page 146 (1 hour, 1 day, 1 week, 1 month, 6 months, or 12 months). The Value axis displays the number of cached sessions. If no sessions have been cached, the value axis is not meaningful.
  • Page 147: Incoming Http Requests

    Statistic Description Cached Ancestral Sessions The number of cached ancestral session IDs. An ancestral session ID is created during the failover process. When failover occurs, a new session is created to represent the previous session. The ID of the previous session is termed an “ancestral session ID,”...
  • Page 148: Outgoing Http Requests

    (“proxied”) to the authoritative cluster member. If an L4 switch causes a request to go to a non-authoritative cluster member, then that cluster member proxies that request to the authoritative cluster member.
  • Page 149 When a request is received, a cluster member uses multiple means to determine which cluster member is the authoritative server for the request. It looks for a parameter on the query string of the URL indicating the authoritative server. It looks for an HTTP cookie indicating the authoritative server.
  • Page 150: Viewing Cluster Statistics

    The Access Gateway has been programmed to issue events to various types of systems (such as a Novell Audit server, a Novell Sentinel server, or a Syslog server) so that the administrator can be informed when significant changes occur that modify how the Access Gateway is performing. For information about auditing and audit events, see Section 4.7, “Enabling Access Gateway Audit...
  • Page 151: Viewing Access Gateway Alerts

    Section 4.6.6, “Configuring a Log Profile,” on page 155 Section 4.6.7, “Configuring an E-Mail Profile,” on page 156 Section 4.6.8, “Configuring a Syslog Profile,” on page 156 4.6.1 Viewing Access Gateway Alerts The Alerts page allows you to view information about current Java alerts and to clear them. An alert is generated whenever the Access Gateway detects a condition that prevents it from performing normal system services.
  • Page 152: Managing Access Gateway Alert Profiles

    Delete: To delete a profile, select the check box next to the profile, then click Delete. 3 To save your modifications, click OK twice. 4 On the Access Gateways page, click Update.
  • Page 153: Configuring An Alert Profile

    4.6.4 Configuring an Alert Profile The alert profile determines which alerts are sent and where the alerts are sent. 1 In the Administration Console, click Devices > Access Gateways > Edit > Alerts > [Name of Profile]. 2 Select one or more of the following: Connection Refused: Generated when a connection is refused.
  • Page 154 Access Gateway has been configured to stop services. To configure the Access Gateway to continue when auditing services are not available, click Auditing > Novell Auditing, deselect the Stop Services on Audit Server Failure option, then click Apply. Failure in Audit, Will lose events, but continuing services: Generated when the audit agent has failed.
  • Page 155: Snmp Profile

    /var/opt/novell/amlogging/logs/ Windows Access Gateway Service: \Program Files\Novell\amlogging\logs\ Max File Size: Specify a maximum size for the log file in KB. The size can be from 50 to 100000 KB. Specify 0 to indicate that there is no maximum file size.
  • Page 156: Configuring An E-Mail Profile

    155. 4.7 Enabling Access Gateway Audit Events The Novell Audit option in the Access Gateway allows you to configure the events you want audited. The following steps assume that you have already set up auditing on your network. For more information, see “Configuring Access Manager for...
  • Page 157: Managing Server Health

    2 Select the events for notification. Select All: Select this option for all events. Otherwise, select one or more of the following: Event Description Access Denied Generated when a requested action is denied because the requester has insufficient access rights to a URL. System Started Generated when the Access Gateway is started.
  • Page 158: Health States

    Gateway, this includes information such as the following: “Service Categories of the Access Gateway Appliance” on page 159 “Service Categories of the Access Gateway Service” on page 161 4 Click Close.
  • Page 159 the Linux Access Gateway is responding to health checks from the L4 switch. The number increments with each health check for which the Access Gateway does not send a response. Restart the Linux Access Gateway by entering the following commands: /etc/init.d/novell-vmc stop /etc/init.d/novell-vmc start
  • Page 160 Server and the auditing server. Auditing must be enabled on the Identity Server to activate this health check (click Devices > Identity Servers > Edit > Logging). See “Troubleshooting Novell Audit” (http://www.novell.com/documentation/novellaudit20/novellaudit20/data/al0lh30.html).
  • Page 161 Configuration Datastore: Indicates whether the configuration datastore is functioning correctly. Restore the configuration datastore. See “Repairing the Configuration Datastore” in the Novell Access Manager 3.1 SP2 Administration Console Guide. Clustering: Indicates whether all the cluster members are active and processing requests. Restart the cluster members that are not active or...
  • Page 162: Viewing The Health Of An Access Gateway Cluster

    3 To ensure that the information is current, click Refresh. 4 To view specific information about the status of an Access Gateway, click the Health icon in the Access Gateway row.
  • Page 163: Viewing The Command Status Of The Access Gateway

    4.9 Viewing the Command Status of the Access Gateway Commands are issued to an Access Gateway when you make configuration changes and when you select an action such as stopping or starting the gateway. Certain commands, such as start and stop commands, retry up to 10 times before they fail. The first few retries are spaced a few minutes apart, then they move to 10-minute intervals.
  • Page 164: Viewing Detailed Command Information

    Status: Specifies the status of the command, and includes such states as Pending, Incomplete, Executing, and Succeeded. Last Executed On: Specifies when the command was issued. The date and time are displayed in local time. If the command failed, additional information is available.
  • Page 165: Tuning The Access Gateway For Performance

    “Sending Attributes to the Embedded Service Provider” in the Novell Access Manager 3.1 SP2 Identity Server Guide. Identity Server Configuration: A number of the configuration options for the Identity Server add authentication overhead. You need to balance possible performance enhancements with your needs to enable these options.
  • Page 166 -Xmx This allows Java on the Access Gateway Service to use 2 GB of memory. For the Access Gateway Appliance, the default value works best so do not change the value.
  • Page 167 Modifying the Java Parameters on Windows 1 Log in to the Access Gateway as the administrator. 2 Open the Tomcat configuration utility. /Program Files/Novell/Tomcat/bin/tomcat5w.exe 3 Click the Java tab. 4 In the Java options section, find the following line: -Dnids.freemem.threshold=0 If the line does not exist, you need to add it.
  • Page 169: Configuring The Content Settings

    Configuring the Content Settings One of the major benefits of using an Access Gateway to protect Web resources is that it can cache the requested information and send it directly to the client browser rather than contacting the origin Web resource and waiting for the requested information to be sent. This can significantly accelerate access to the information.
  • Page 170: Configuring Caching Options

    Web server. Select one of the following options to control how the Access Gateway handles the request: Refill: Causes the proxy service to send the request to the Web server.
  • Page 171 Revalidate: Causes the proxy service to check whether the current information is valid. If it is, the currently cached information is returned. If it isn’t valid, the request is forwarded to the Web server. Ignore: Causes the proxy service to ignore the request and send the data from cache without checking to see if the cached data is valid.
  • Page 172: Controlling Browser Caching

    “Configuring Custom Cache Control Headers,” on page 173. 5 To save your changes to browser cache, click OK. 6 To apply the changes, click the Access Gateways link, then click Update > OK.
  • Page 173: Configuring Custom Cache Control Headers

    5.3 Configuring Custom Cache Control Headers (Access Gateway Appliance) In addition to fine-tuning cache freshness by using the HTTP timers, as explained in Section 5.1, “Configuring Caching Options,” on page 170, you can configure each proxy service to recognize custom headers in HTTP packets. Your Web server can then use these headers for transmitting caching instructions that only the Access Gateway can recognize and follow.
  • Page 174: Enabling Custom Cache Control Headers

    4 In the Cache Control Header List, select New and specify a name for the header, for example MYCACHE. 5 To save your changes to browser cache, click OK. 6 To apply the changes, click the Access Gateways link, then click Update > OK.
  • Page 175: Configuring A Pin List

    7 Modify the pages on the Web server for which you want to set custom caching intervals for the Access Gateway. To the HTTP header, add a string similar to the following: MYCACHE:600 The numeric value indicates the number of seconds the Access Gateway can retain the object in cache.
  • Page 176 The action taken for an object is the action specified for the first mask that the object matches. The Access Gateway recognizes four levels of specificity, using the following format:
  • Page 177 Level Examples hostname http://www.foo.gov/documents/picture.gif http://www.foo.gov/documents/* http://www.foo.gov foo.gov/documents/* foo.gov/* All of these are classified as hostnames, and they are ordered by specificity. The first item in the list is considered the most specific and is processed first. The last item is the most general and is processed last. path /documents/picture.gif /documents/pictures.gif/*...
  • Page 178: Configuring A Purge List

    String comparisons are not case sensitive. For example, ?*=SPORTS purges all objects with the text =SPORTS or any other combination of uppercase and lowercase letters for =SPORTS following the question mark in the URL.
  • Page 179: Purging Cached Content

    IMPORTANT: If you also configure a pin list, carefully select the objects that you add to the pin and purge lists. Make sure you don’t configure a pin list that adds objects to the cache and a purge list that removes the same objects. 1 In the Administration Console, click Devices >...
  • Page 180: Advanced Access Gateway Service Options

    The information can be seen in sniffer traces and with plug-ins such as ieHTTPHeaders, Live HTTP Headers, and FireBug. This option should only be enabled when you are working with Novell Support and they instruct you to enable the option. #NAGGlobalOptions DebugFormFill=on: When this option is enabled, additional debug...
  • Page 181: Protecting Multiple Resources

    Protecting Multiple Resources This section describes how to create multiple resources for the various Access Gateway components, including a cluster of Access Gateways. Figure 6-1 illustrates the relationships that Access Gateways, reverse proxies, proxy services, Web servers, and protected resources have with each other when two Access Gateways are members of a cluster.
  • Page 182: Setting Up A Group Of Web Servers

    Traffic is sent to another Web server in the list only when the first Web server is no longer available. To configure this option, see Section 1.6.2, “Configuring TCP Connect Options for Web Servers,” on page...
  • Page 183: Using Multi-Homing To Access Multiple Resources

    Connection persistence is enabled by default. This allows the Access Gateway to send multiple HTTP requests to the Web server to be serviced before the connection is closed. To configure this option, see Section 1.6.2, “Configuring TCP Connect Options for Web Servers,” on page Session persistence is enabled whenever a second Web server is added to the list.
  • Page 184 IP Address test.company.com 10.10.195.90:80 test.internal.com 10.10.15.10 sales.company.com 10.10.195.90:80 sales.internal.com 10.10.15.20 apps.company.com 10.10.195.90:80 apps.internal.com 10.10.15.30 Configure your DNS server to resolve the published DNS names to the IP address of the Access Gateway.
  • Page 185: Path-Based Multi-Homing

    Set up the back-end Web servers. Create three proxy services for these published DNS names. To create a domain-based multi-homing proxy service, see Section 6.2.4, “Creating a Second Proxy Service,” on page 189, and select domain-based for the multi-homing type. 6.2.2 Path-Based Multi-Homing Path-based multi-homing uses the same DNS name for all resources, but each resource or resource group must have a unique path appended to the DNS name.
  • Page 186 Web Server Host Name. However, if they do contain links to each other, you need to set the Host Header option to Web Server Host Name and specify a DNS name for the Web server in the Web...
  • Page 187 Server Host Name option. The Access Gateway needs a method to distinguish between the Web servers other than the path, because after the path is removed, all the Web servers in Figure 6-4 on page 185 have the same name: www.test.com. If you select to use the Forward Received Host Name option for a path-based service, you might also need to add entries to the Additional DNS Name List for the rewriter.
  • Page 188: Virtual Multi-Homing

    IP address, you are ready to configure the Access Gateway. To create a virtual multi-homing proxy service, see Section 6.2.4, “Creating a Second Proxy Service,” on page 189, and select Virtual for the multi-homing type.
  • Page 189: Creating A Second Proxy Service

    6.2.4 Creating a Second Proxy Service
    1 In the Administration Console, click Devices > Access Gateways > Edit > [Name of Reverse Proxy].
    2 In the Proxy Service List, select New.
    3 Fill in the fields. Proxy Service Name: Specify a display name for the proxy service. For the sales group, you might use sales.
  • Page 190: Configuring A Path-Based Multi-Homing Proxy Service

    Proxy] > [Name of Path-Based Multi-Homing Proxy Service]. The following fields display information that must be configured on the parent proxy service (the first proxy service created for this reverse proxy).
  • Page 191 Published DNS Name: Displays the value that users are currently using to access this proxy service. This DNS name must resolve to the IP address you set up as a listening address on the Access Gateway. Cookie Domain: Displays the domain for which the cookie is valid. The Web server that the user is accessing must be configured to be part of this domain.
  • Page 192: Configuring Advanced Options For Path-Based Multi-Homing

    2 Configure the following option: #NAGChildOptions WebDav=/Path: Allows the proxy service to handle the specified path. Remove the pound (#) symbol and replace /Path with the path you want the proxy service to handle.
  • Page 193: Managing Multiple Reverse Proxies

    6.3 Managing Multiple Reverse Proxies Each reverse proxy must have a unique IP address and port combination. If your Access Gateway has only one IP address, you must select unique port numbers for each additional reverse proxy that you create. You can configure the Access Gateway to use multiple IP addresses. These addresses can be configured to use the same network interface card, or if you have installed multiple network cards, you can assign the IP addresses to different cards.
  • Page 194: Managing Entries In The Reverse Proxy List

    Disable. To enable all reverse proxies, select the check box next to the Name column, then click Enable. 3 To save your changes to browser cache, click OK. 4 To apply the changes, click the Access Gateways link, then click Update > OK.
  • Page 195: Changing The Authentication Proxy Service

    6.3.2 Changing the Authentication Proxy Service If you have multiple reverse proxies, you can select the reverse proxy that users are redirected to for login and logout. IMPORTANT: Changing the reverse proxy that is used for authentication is not a trivial task. For example, if you have customized the logout options on your Web servers to redirect the logout request to the Logout URL of the current authentication reverse proxy, you need to modify these options to point to a new Logout URL.
  • Page 196: Managing A Cluster Of Access Gateways

    Gateways page, click Update All by the name of the cluster. 7 For information on additional required configuration tasks, see “Clustering Access Gateways” in the Novell Access Manager 3.1 SP2 Setup Guide.
  • Page 197: Managing The Servers In The Cluster

    6.4.2 Managing the Servers in the Cluster To view the servers that are currently members of clusters: 1 In the Administration Console, click Devices > Access Gateways. The members of a cluster are listed under the cluster name. The red double dagger symbol identifies the server that is the primary cluster server.
  • Page 198: Managing Cluster Details

    To change this assignment, select the server from the drop-down list. For more information on this process, see Section 6.4.5, “Changing the Primary Cluster Server,” on page 199. 3 Click OK.
  • Page 199: Changing The Primary Cluster Server

    6.4.5 Changing the Primary Cluster Server If the current primary cluster server is down and will be down for an extended period of time, you should select another server to be the primary cluster server. 1 In the Administration Console, click Devices > Access Gateways > [Name of Cluster] > Edit. 2 In the Primary Server drop-down list, select the name of a server, then click OK.
  • Page 200 If you modify the published DNS name of the authentication proxy service (Access Gateways > Edit > Reverse Proxy/Authentication > [Name of Reverse Proxy] > [Name of First Proxy Service], then modify the Published DNS Name option).
  • Page 201: Troubleshooting The Access Gateway Appliance

    Guide. For XML validation errors, see “Troubleshooting XML Validation Errors on the Access Gateway Appliance” in the Novell Access Manager 3.1 SP2 Administration Console Guide. For information about installation, reinstallation, and import issues, see “Troubleshooting a Linux Access Gateway Appliance Installation”...
  • Page 202: Useful Tools

    Gateway Appliance Logs” on page 123.
    /etc/init.d/novell-vmc: Use the novell-vmc command line options to restart the proxy and view status. For more information, see Table 7-2 on page 203.
    /chroot/lag/opt/novell/bin: This directory contains the following scripts:
  • Page 203: Using The Linux Access Gateway Monitor Service

    Use this script to resolve auto-import issues. For more information, see “Triggering an Import Retry” in the Novell Access Manager 3.1 SP2 Installation Guide. You can use the following commands to stop and start the Access Gateway and to view its status.
  • Page 204 3 To access the Proxy Console screen, enter 13. 4 To access a specific screen, enter the number.
    Screen                         Description
    1. Display current activity    Displays information about connections (server and client), cached objects, and HTTP requests.
  • Page 205
    Screen                         Description
    2. Display memory usage        Displays information about memory pools and memory used and the types of objects stored in memory.
    3. Display ICP statistics      Displays statistics for the Internet Cache Protocol.
    4. Display DNS options         Displays statistics and information about the entries in the DNS table.
  • Page 206: Viewing Configuration Information

    Novell Access Manager 3.1 SP2 Policy Guide. For information on how to use the entries for policy troubleshooting, see “Troubleshooting Access Manager Policies” in the Novell Access Manager 3.1 SP2 Policy Guide.
  • Page 207: Using Touch Files

    “Access Gateway Appliance Logs” on page 123. For maximum verbosity, the proxy service must be started in debug mode. See Table 7-2, “novell-vmc Commands,” on page 203. lagsoapmessages: Located in the /var/log directory and available from the General Logging page in the Administration Console.
  • Page 208 “.spnetworkplaces” on page 213 “.AllowMSWebMiniRedir” on page 213 “.reqPostSize” on page 213 “.disableExternalDNSRewrite” on page 213 “.modifyRequestURI” on page 213
    .dumpcore To enable a core dump, create the following touch file: /tmp/.dumpcore
  • Page 209 Form Fill policy do not work. For more information on how to use this touch file, see “Configuring a Form Fill Policy for Forms With Scripts” in the Novell Access Manager 3.1 SP2 Policy Guide.
  • Page 210 (TP1 IP address) and the validation fails. The Access Gateway loops as it continues to request the user to send a valid session cookie.
    .alwaysUseJSFor302 This file is located in the /var/novell directory.
  • Page 211 302 redirect.
    .useJSFor302withIE7 This file is located in the /var/novell directory. When the Internet Explorer 7 browser is used, a 200 OK response is sent back with the redirect metatag instead of the 302 redirect.
    .useRelativeUrlInJS This file is located in the directory.
  • Page 212 Gateway uses the old password for identity injection.
    .matchLagIchainCookieName This file is located in the /var/novell directory. This file forwards a proxy session cookie to a back-end application. A cookie without this touch file enabled looks like:
  • Page 213 IPCZQX01a36c6c0a=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    .spnetworkplaces This file is located in the /var/novell directory. This file enables users who use the Microsoft Network Places client to connect to the WebDAV folders of a server when the SharePoint server has been configured as a path-based SharePoint multi-homing service on the Access Gateway.
  • Page 214: Protected Resource Issues

    Section 7.3.3, “Protected Resources Reference Non-Existent Policies,” on page 217 Section 7.3.4, “Protected Resource Configuration Changes Are Not Applied,” on page 217 Section 7.3.5, “Error AM#300101010 and Missing Resources,” on page 217
  • Page 215: Html Frames Are Lost

    “Customizing the Identity Server Login Page” in the Novell Access Manager 3.1 SP2 Identity Server Guide. 2 Copy the custom login page to the JSP directory of the Identity Server. Linux: /var/opt/novell/tomcat5/webapps/nidp/jsp...
  • Page 216: Troubleshooting Http 1.1 And Gzip

    Web server. Without this header, the Web server does not send any data with GZIP or Deflate encoding to the Access Gateway. To allow the Access Gateway to receive GZIP or Deflate encoded data, remove the touch file and restart the Access Gateway.
  • Page 217: Protected Resources Reference Non-Existent Policies

    7.3.3 Protected Resources Reference Non-Existent Policies If your protected resources contain references to policies that do not exist, use the following procedure to remove them. 1 Click Auditing > Troubleshooting. 2 In the Access Gateways with Protected Resources Referencing Nonexistent Policies section, click Repair.
  • Page 218: Unable To View Contents Of Mail When Outlook Web Access Is Protected By The Access Gateway

    302 redirect. 7.4 Hardware and Machine Resource Issues Section 7.4.1, “Error: novell-vmc-chroot Failed to Start,” on page 218 Section 7.4.2, “Mismatched SSL Certificates in a Cluster of Access Gateways,” on page 218 Section 7.4.3, “Recovering from a Hardware Failure on an Access Gateway Machine,” on page 219 Section 7.4.4, “Reinstalling a Failed Access Gateway,”...
  • Page 219: Recovering From A Hardware Failure On An Access Gateway Machine

    If the hardware of your Access Gateway fails and the Access Gateway is not a member of a cluster, you might receive the following message when you reinstall it: Start unsuccessful. Reason: Unable to read keystore: /opt/novell/devman/jcc/certs/esp/signing.keystore. If you receive this message, use the following process to solve the problem: 1 Add the failed Access Gateway to a cluster.
  • Page 220: Cos Related Issues

    2 Enter the Proxy Console option number at the Pick a Screen prompt. The Access Gateway Console screen is displayed. 3 Enter the Display Cache Statistics option number at the Enter option prompt.
  • Page 221 4 Enter the Display COS Global Statistics option number at the Enter option prompt.
  • Page 222: Memory Issues

    Lower Limit                        5 percent
    Upper Limit                        80 percent
    Default                            20 percent
    Requirement for Access Gateway     500 MB
    Checking Available Memory: As the root user, enter the following command at the bash prompt:
  • Page 223: Rewriter Issues

    cat /proc/meminfo | grep MemTotal
    7.5 Rewriter Issues
    Section 7.5.1, “Discovering the Issue,” on page 223 Section 7.5.2, “Rewriting Fails on a Page with Numerous HREFs,” on page 223 Section 7.5.3, “Links Are Broken Because the Rewriter Sends the Request to the Wrong Proxy Service,”...
  • Page 224: Reading Configuration Files

    The HTTP header does not help, because the proxy services are forwarding the same host name: mycompany.provo.novell.com.
  • Page 225: An Additional Dns Name Without A Scheme Is Not Rewritten

    2 Do one of the following: If the Web server sends a different content type for a non-default file extension, then configure the new content type in the Content-Type Header. If the Web Server does not send any content type for a non-default extension, then configure as the Content-Type Header.
  • Page 226: The Access Gateway Rewrites A Host Header With A Port Number

    In this scenario, the Access Gateway rewrites URLs and host headers based on the configured Web server host name and port number. For example, if your configuration looks similar to the following:
  • Page 227: Troubleshooting Crashes And Hangs

    Web server host name: www.proxy91.com:8181
    Web server connect port: 8080 (HTTP)
    Published DNS name: www.lag.com
    Listening Port: 443
    Then: The host header from Access Gateway to the Web server is rewritten as www.proxy91.com:8181. If a page has URLs, the URLs are rewritten as follows: http://www.proxy91.com:8181 is rewritten as https://www.lag.com...
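The Python below is an added model of the rewriting described in this scenario; it is not the Access Gateway rewriter and is not Novell code. It takes the configuration values listed above (www.proxy91.com:8181 over HTTP behind the published name www.lag.com on port 443) and shows three things a practitioner checks when links break: the Host header sent upstream carries the configured Web Server Host Name including its port, absolute URLs in a rewritable response body are translated to the published scheme and name, and an Additional DNS Name entered without a scheme is skipped (Section 7.5, “An Additional DNS Name Without a Scheme Is Not Rewritten”). Only configured Content-Types are touched, as in the Content-Type Header discussion on page 225. The function names, the alias host names and the sample HTML are constructed; the product's rewriter also handles headers, JavaScript and cookies, which this model omits.

```python
"""Added model of rewriter host/URL translation (not Novell code)."""
import re
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class RewriterConfig:
    web_server_host: str        # Web Server Host Name, port included, e.g. "www.proxy91.com:8181"
    web_server_scheme: str      # scheme of the connect port, "http" or "https"
    published_dns: str          # Published DNS Name, e.g. "www.lag.com"
    published_scheme: str       # "https" when the listener is SSL
    published_port: int         # listening port, e.g. 443
    additional_dns_names: Tuple[str, ...] = ()      # Additional DNS Name List entries
    content_types: Tuple[str, ...] = ("text/html",)  # rewritable Content-Types


def host_header_to_web_server(cfg: RewriterConfig) -> str:
    """Host header sent upstream when Host Header = Web Server Host Name."""
    return cfg.web_server_host


def published_origin(cfg: RewriterConfig) -> str:
    """scheme://host[:port] as the browser sees it; the default port is dropped."""
    default = 443 if cfg.published_scheme == "https" else 80
    if cfg.published_port == default:
        return f"{cfg.published_scheme}://{cfg.published_dns}"
    return f"{cfg.published_scheme}://{cfg.published_dns}:{cfg.published_port}"


def rewrite_body(cfg: RewriterConfig, content_type: str, body: str) -> Tuple[str, int]:
    """Rewrite absolute URLs that name the Web server; returns (body, count)."""
    media_type = content_type.split(";")[0].strip().lower()
    if media_type not in cfg.content_types:
        return body, 0                  # not a rewritable Content-Type: pass through
    origins = [f"{cfg.web_server_scheme}://{cfg.web_server_host}"]
    for name in cfg.additional_dns_names:
        if "://" not in name:
            continue                    # entry without a scheme is never matched
        origins.append(name)
    total = 0
    for origin in origins:
        # Match only a whole origin: followed by path, query, fragment, quote,
        # whitespace or end of text, so a longer host name is not clipped.
        pattern = re.compile(re.escape(origin) + r"(?=[/?#'\"\s]|$)", re.IGNORECASE)
        body, n = pattern.subn(published_origin(cfg), body)
        total += n
    return body, total


# Configuration from the scenario above; alias names are constructed.
SCENARIO = RewriterConfig(
    web_server_host="www.proxy91.com:8181", web_server_scheme="http",
    published_dns="www.lag.com", published_scheme="https", published_port=443,
    additional_dns_names=("http://proxy91-alias.example:8181", "plain-alias.example:8181"),
)

# Constructed response body as the Web server would return it.
SAMPLE_HTML = (
    '<a href="http://www.proxy91.com:8181/sales/index.html">Sales</a>\n'
    '<img src="http://proxy91-alias.example:8181/logo.png">\n'
    '<a href="http://plain-alias.example:8181/help">Help</a>\n'
)

if __name__ == "__main__":
    print("Host:", host_header_to_web_server(SCENARIO))
    out, n = rewrite_body(SCENARIO, "text/html; charset=utf-8", SAMPLE_HTML)
    print(n, "URLs rewritten")
    print(out)
```

The third link in the sample survives untouched because its Additional DNS Name entry lacks a scheme, which is the symptom Section 7.5 describes; add the scheme to the entry and it is rewritten like the second.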
  • Page 228: Enable The Access Gateway Monitor Service For The Core Dump Logic To Work Correctly

    (/) before dumping core. When the disk space goes below 3 GB, the Access Gateway prevents dumping core files. In the Novell Access Manager 3.1 SP2 release, the monitor service is disabled by default. To enable it, execute the following command as root: /etc/init.d/lagmonitor start For more information about this service, see Section 7.1.2, “Using the Linux Access Gateway...
  • Page 229: The Access Gateway Crashes When Log Files Are Removed

    The Access Gateway might crash because of the following reasons: SIGSEGV ASSERT (for a debug build only) The following sections explain how to gather the files that need to be sent to Novell for a resolution of the problem. “Access Gateway Logs” on page 229 “Event Log”...
  • Page 230 ,save 1 This stores all the events in the /chroot/lag/opt/novell/debug/<pid>all_events.0.txt file. 8 Tar or zip this file and send it to Novell Support.
    Event Log for a Debug Build To get the event log: 1 Log in as the user.
  • Page 231 /etc/init.d/novell-vmc stop
    3 To start the Novell Access Gateway in debugging mode, enter the following command: /etc/init.d/novell-vmc gdb
    4 To run the Access Gateway process, enter the following command at the GDB prompt: run -m <memory> 2>/var/log/ics_dyn.log
    Replace <memory> with the percentage of total memory to be used for the ics_dyn process.
  • Page 232 ID of the ics_dyn process (<pid>). After the core is dumped, the Access Gateway restarts. 6 Tar or zip the core dump and send it to Novell Support.
    Proxy Hang Core To analyze the proxy hang and create a core file:...
  • Page 233: Access Gateway Not Responding

    7.6.7 Access Gateway Dumps Core After 10 Minutes When Non-Redirected Login Is Enabled In a clustered Novell Access Manager deployment setup, if non-redirected login is enabled, equal load balancing across the Identity Servers might not happen. This might result in Access Gateway dumping core after approximately 10 minutes.
  • Page 234: Connection And Authentication Issues

    Issues with Outgoing Connections To verify that the Access Gateway is able to make outbound connections: 1 Log in as the root user. 2 At the bash prompt, view the following log file: /var/log/ics_dyn.log
  • Page 235: Authentication Issues

    3 Search for a connection message. If the service is unavailable, the file contains messages similar to the following: ERROR Connection FAILED with peer
    7.7.3 Authentication Issues
    “User Details” on page 235 “Error Codes” on page 237
    User Details To check details about the users logged in to the Access Gateway: 1 To access the console, enter the following command: netcat localhost 2300 2 Press Enter at the...
  • Page 236 Access Gateway requires the user to authenticate. L: The user has logged out of the session. W: The user session is functional. U: The use count is more than zero.
  • Page 237: Form Fill Issues

    If the Embedded Service Provider is down, restart the service provider from the Administration Console. If the issue persists, contact Novell Support. 7.8 Form Fill Issues Form Fill error messages are logged only if you set the log level to LOG_DEBUG. The entries are logged in the file.
  • Page 238: Form Fill Does Not Process Forms With Complicated Javascript Functions When Data Is Auto-Submitted

    7.8.4 Form Fill Failure Because of Incorrect Policy Configuration Form fill fails if the policy is not configured correctly. For configuration information, see “Creating Form Fill Policies” in the Novell Access Manager 3.1 SP2 Policy Guide.
  • Page 239: Browser Spinning Issues

    For more information on modifying the policy, see “Implementing Form Fill Policies” in the Novell Access Manager 3.1 SP2 Policy Guide. 7.9 Authorization and Identity Injection Issues Section 7.9.1, “Authorization and Identity Injection Error Messages,” on page 239 Section 7.9.2, “Identity Injection Failures,”...
  • Page 240: Identity Injection Failures

    Custom Header Injection Failed. Query String Injection Failed. Authentication Header Injection Failed To receive help resolving identity injection failures, send the following information to Novell Support: Access Gateway logs. For more information on how to get Access Gateway log files, see “Access Gateway Appliance Logs”...
  • Page 241: Yast Becomes Non-Responsive When A Partition Is Deleted Or Created

    (patch 12527) For more information on downloading and updating the patch, see “Installing or Updating the Security Patches on the SLES 9 Linux Access Gateway Appliance” in the Novell Access Manager 3.1 SP2 Installation Guide. Troubleshooting the Access Gateway Appliance 241...
  • Page 243: Troubleshooting The Access Gateway Service

    Troubleshooting the Access Gateway Service Section 8.1, “Useful Troubleshooting Files,” on page 243 Section 8.2, “Verifying That All Services Are Running,” on page 248 Section 8.3, “Enabling Debug Mode and Core Dumps,” on page 250 Section 8.4, “Useful Troubleshooting Tools for the Access Gateway Service,” on page 252 Section 8.5, “A Few Performance Tips,”...
  • Page 244: Apache Logging Options For The Gateway Service

    Apache log files. These files are located in the following directory: Linux: /var/log/novell-apache2/ Windows: C:\Program Files\Novell\apache\logs\ For more information, see the following sections: “Ignoring Some Standard Messages” on page 245 “Modifying the Logging Level for the Apache Logs” on page 245
  • Page 245 The error messages look similar to the following:
    [<time and date stamp>] [warn] Init: SSL server IP/port conflict: dbmhnsnetid.dsm.cit.novell.com:443 (C:/Program Files/Novell/apache/conf/vhosts.d/dbmhNS-NetID.conf:18) vs. magwin1430external.dsm.cit.novell.com:443 (C:/Program Files/Novell/apache/conf/vhosts.d/magMaster.conf:18)
    [<time and date stamp>] [warn] Init: SSL server IP/port conflict: magdbmheguide.dsm.cit.novell.com:443 (C:/Program...
  • Page 246: The Access Gateway Service Log Files

    Contains the messages generated between the Administration Console and the JCC module. Linux: The log file is located in the /opt/novell/devman/jcc/logs directory. Windows: The log file is located in the \Program Files\Novell\devman\jcc\logs directory.
  • Page 247 Check this file for entries that trace the evaluation of Authorization, Identity Injection, and Form Fill policies. Linux: The file is located in the /var/opt/novell/tomcat5/logs directory. Windows: The files are located in the \Program Files\Novell\Tomcat\logs directory, and they are usually prefixed with a time stamp.
  • Page 248: Verifying That All Services Are Running

    0 May12 ? 00:00:01 /opt/novell/apache2/sbin/httpd
    wwwrun 3188 3163 0 May12 ? 00:00:01 /opt/novell/apache2/sbin/httpd
    4 Verify that the user session cache service is running by entering the following command: ps -ef | grep novell-agscd
  • Page 249: Windows

    6 Verify that the JCC service is running by entering the following command: ps -ef | grep /opt/novell/devman/jcc/conf/run.sh
    Lines similar to the following are displayed:
    root 3777 30290 0 13:03 pts/0 00:00:00 egrep /opt/novell/devman/jcc/conf/run.sh
    root 5506 0 May11 ? 00:00:00 /bin/bash /opt/novell/devman/jcc/conf/run.sh...
  • Page 250: Enabling Debug Mode And Core Dumps

    Section 8.3.3, “Disabling Debug Mode,” on page 251
    8.3.1 Starting Apache in Debug Mode “Linux” on page 250 “Windows” on page 251
    Linux Use the following commands to start debug mode:
    /etc/init.d/novell-apache2 stop
    /etc/init.d/novell-apache2 start debug
  • Page 251: Examining The Debug Information

    This page displays debug information about caching, SSL, workers, and proxy information. http://127.0.0.1:8181/server-info This page displays module and configuration information. 3 If a crash occurred, examine the core dump file or copy it so you can send it to Novell Technical Support. Linux: /var/cache/novell-apache2...
  • Page 252: Useful Troubleshooting Tools For The Access Gateway Service

    The Windows operating system has the following tools that can help you determine the cause of a problem.
    Tool                                                 Description
    Task Manager                                         Use this utility to check resources available on the system.
    Control Panel > Administrative Services > Services   Use this utility to stop and start services.
  • Page 253: Tools For The Linux Access Gateway Service

    Use this command to view identity provider metadata from the Linux Access Gateway. See “Testing Whether the Provider Can Access the Metadata” in the Novell Access Manager 3.1 SP2 Identity Server Guide.
    netstat -a   Use this command to view statistics about the listeners on the Access Gateway.
  • Page 254: Solving Apache Restart Issues

    Apache fails to start when it discovers a syntax error in any of the advanced options. 1 Click Devices > Edit > Advanced Options. 2 To reset all options to their default values, delete all options from the text box.
  • Page 255: Viewing The Logged Apache Errors

    3 Change to the following directory and open the Apache error log file. Linux: /var/log/novell-apache2 Windows: \Program Files\Novell\Apache\logs 4 On Linux, also view the contents of the rcnovell-apache2.out file. 5 If you still do not have enough information to solve the configuration problem, continue with Section 8.6.3, “Viewing the Errors as Apache Generates Them,”...
  • Page 256: The Activemq Module Fails To Start

    In order for the module to start, it must be able to resolve the listening IP address to a DNS name. To install an Access Gateway Service, the machine must have a DNS name and the IP address must resolve to this name.
  • Page 257: Understanding The Authentication Process Of The Access Gateway Service

    8.7 Understanding the Authentication Process of the Access Gateway Service When a user requests access to a protected resource, the request can be in one of the following states: No session or cookie is established, because this is the user’s first request. The user’s session is a public session because only public resources have been accessed.
  • Page 258 If the request does not contain a session cookie, the user is unknown and is assigned as a public user. The Access Gateway continues processing with the tasks outlined in Figure 8-5 on page 259.
  • Page 259 When the request contains a session cookie, the Access Gateway checks its local user store for a user that matches the session cookie. Each Access Gateway in the cluster maintains its own list of known users. If the session cookie matches one of the locally known users, the user is assigned that identity. The Access Gateway continues with the tasks outlined in Figure 8-5 on page 259.
  • Page 260 If the URL in the request matches a URL of a protected resource, the Access Gateway needs to examine the protection type assigned to the resource. The Access Gateway continues with the tasks outlined in Figure 8-6 on page 261.
  • Page 261 Figure 8-6 Determining the Protection Type Assigned to the Resource (flowchart). Decision nodes: Is the PR protected with a contract? Is the user authenticated with the required contract? Is the PR enabled for NRL? Is an Authentication header present? Are the authentication credentials valid? Is the NRL... Terminal node: Continue Processing.
  • Page 262 (domains of development.novell.com and support.novell.com can share the cookie domain of novell.com) or configure them so that they cannot share a cookie domain (domains of a.slc.com and b.provo.com cannot share a cookie domain).
  • Page 263 When the Access Gateway reaches the task in decision point 10, it has determined that the protected resource requires a contract and that user is not authenticated with that contract. If the protected resource is in the same cookie domain, the Access Gateway redirects the request to the Embedded Service Provider (ESP).
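The Python below is an added model, not Novell code, of the decisions in Figures 8-4 to 8-6 and decision point 10 as this section describes them: a request without a session cookie is treated as a public user; a cookie is looked up in this cluster member's own list of known users; a URL is matched against the protected resources; a resource that requires a contract is served only to a user authenticated with that contract; a resource enabled for non-redirected login (NRL) looks for credentials in the Authentication header instead of redirecting; and a user who lacks the required contract is redirected to the Embedded Service Provider when the resource shares the authentication proxy's cookie domain. The host names, contract names, the session-id format and the longest-prefix matching of protected resources are constructed. Three branches the excerpt does not spell out (an unknown cookie, a URL matching no protected resource, the response when NRL credentials are absent or invalid, and the cross-cookie-domain case) return values marked as assumptions in the code. The cookie-domain rule is also an assumption that reproduces the page's two examples.

```python
"""Added model of the Access Gateway Service authentication flow (not Novell code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class ProtectedResource:
    url_prefix: str
    contract: Optional[str]      # None: no contract required (public access)
    nrl_enabled: bool = False    # Non-Redirected Login: credentials travel in the header


@dataclass
class Session:
    contracts: Set[str] = field(default_factory=set)   # contracts the user satisfied


@dataclass
class Request:
    host: str
    path: str
    session_cookie: Optional[str] = None
    auth_header: Optional[str] = None   # Authentication header used by NRL


def shares_cookie_domain(host_a: str, host_b: str) -> bool:
    """Assumed rule: two hosts can share a cookie domain when at least two trailing
    labels match (development.novell.com / support.novell.com share novell.com;
    a.slc.com / b.provo.com share only com)."""
    common = 0
    for x, y in zip(reversed(host_a.lower().split(".")), reversed(host_b.lower().split("."))):
        if x != y:
            break
        common += 1
    return common >= 2


class AccessGateway:
    def __init__(self, resources: List[ProtectedResource], auth_proxy_host: str,
                 valid_credentials: Dict[str, str]):
        self.resources = resources
        self.auth_proxy_host = auth_proxy_host        # published name of the authentication proxy
        self.valid_credentials = valid_credentials    # header value -> contract it satisfies (constructed)
        self.local_users: Dict[str, Session] = {}     # this cluster member's own list of known users

    def identify(self, req: Request) -> Optional[Session]:
        # Figure 8-4: no cookie -> public user; cookie naming a locally known user -> that identity.
        # Assumption: an unknown cookie is handled as public here (the excerpt stops before that branch).
        if req.session_cookie is None:
            return None
        return self.local_users.get(req.session_cookie)

    def match_resource(self, req: Request) -> Optional[ProtectedResource]:
        # Figure 8-5: does the URL match a protected resource? Assumed: longest prefix wins.
        hits = [r for r in self.resources if req.path.startswith(r.url_prefix)]
        return max(hits, key=lambda r: len(r.url_prefix)) if hits else None

    def handle(self, req: Request) -> str:
        session = self.identify(req)
        pr = self.match_resource(req)
        if pr is None:
            return "deny_no_matching_resource"   # assumption: not shown in the excerpt
        if pr.contract is None:
            return "serve"                       # no contract required
        if session is not None and pr.contract in session.contracts:
            return "serve"                       # authenticated with the required contract
        if pr.nrl_enabled:
            # Figure 8-6: NRL resource, check the Authentication header instead of redirecting.
            if req.auth_header is None or self.valid_credentials.get(req.auth_header) != pr.contract:
                return "challenge"               # assumption: credentials requested, no redirect
            sid = f"sess-{len(self.local_users) + 1}"
            self.local_users[sid] = Session({pr.contract})
            return "serve"
        # Decision point 10: contract required and the user is not authenticated with it.
        if shares_cookie_domain(req.host, self.auth_proxy_host):
            return "redirect_to_esp"             # login through the Embedded Service Provider
        return "login_other_cookie_domain"       # assumption: the excerpt does not detail this branch


def build_demo_gateway() -> AccessGateway:
    """Constructed gateway: one public resource, one form-contract resource, one NRL resource."""
    gw = AccessGateway(
        resources=[
            ProtectedResource("/public", None),
            ProtectedResource("/sales", "Name/Password - Form"),
            ProtectedResource("/api", "Name/Password - Basic", nrl_enabled=True),
        ],
        auth_proxy_host="login.novell.com",
        valid_credentials={"Basic c2FsZXM6c2VjcmV0": "Name/Password - Basic"},
    )
    gw.local_users["cookie-form"] = Session({"Name/Password - Form"})
    return gw


if __name__ == "__main__":
    gw = build_demo_gateway()
    for req in (Request("www.novell.com", "/public/index.html"),
                Request("www.novell.com", "/sales/orders"),
                Request("www.slc.com", "/sales/orders"),
                Request("www.novell.com", "/sales/orders", session_cookie="cookie-form"),
                Request("www.novell.com", "/api/v1", session_cookie="cookie-form"),
                Request("www.novell.com", "/api/v1", auth_header="Basic c2FsZXM6c2VjcmV0")):
        print(req.host, req.path, "->", gw.handle(req))
```

The fifth request shows the point the figure makes about contracts: a session authenticated with the form contract does not satisfy a resource that requires the basic contract, so it falls into the NRL branch rather than being served.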
