Novell iChain® 2.x Configuration Using the Web Server Accelerator Wizard

Post on 19-Dec-2015


www.novell.com


Cary Andrews, Senior Software Engineer, Novell, Inc., candrews@novell.com

Jason Arrington, iChain Software Engineer, Novell, Inc., jarrington@novell.com

Vision…one Net

A world where networks of all types—corporate and public, intranets, extranets, and the Internet—work together as one Net and securely connect employees, customers, suppliers, and partners across organizational boundaries

Mission

To solve complex business and technical challenges with Net business solutions that enable people, processes, and systems to work together and our customers to profit from the opportunities of a networked world

Agenda

• Architectural overview
• Administration overview
• New features in Novell iChain® 2.x
• Demonstration
• Question and answer

Architectural Overview

• The problem
• The solution
• How it works
• iChain Proxy Server
• iChain Authorization Server
• Web/application servers

The Problem

[Diagram: The Internet; Your Web Servers]

The Solution

[Diagram: The Internet; iChain; Your Web Servers]

How It Works

[Diagram: Browser; Proxy server; Authorization server; Web and application servers]

iChain Proxy Server

• A key component to the iChain infrastructure
  • Adds an additional security layer
    • Creates a security and management infrastructure
    • Enhances a firewall
    • Does not allow direct access to web servers or web applications
  • Improves web server scalability
  • Accelerates content through caching
  • Provides in-the-flow access to the data stream

iChain Authorization Server

• Provides authentication and access control
• Authentication
  • Standard browser-based access
    • Username and password over HTTPS
    • Authenticate with user ID, e-mail, or any LDAP field
  • Multiple authentication methods
    • One time passwords
    • Token-based authentication (RADIUS)
    • X.509 digital certificates
  • Multi-factor authentication
    • Combination of authentication methods

iChain Authorization Server (cont.)

• Access control
  • Secures your data
  • Present content based on user’s level of access
  • Highly personalized web service for the user
  • Maximum levels of security for the host
  • Access based on rules stored in Novell eDirectory™
    • Leverages the eDirectory hierarchy and inheritance mechanisms (ACLs)
    • Cached on the proxy server for improved performance

iChain Authorization Server (cont.)

• Access control
  • Access based on rules stored in Novell eDirectory (cont.)
    • Three different levels available
      – “Public”: no authentication or access control
      – “Restricted”: authentication only
      – “Secure”: authentication and access control
  • Access rules may be assigned to:
    • Users
    • Groups
    • Containers (O, OU, etc.)

Web/Application Servers

• New or legacy web servers
  • No agents installed on web servers
  • No changes required to legacy systems
• Support for multiple platforms
  • Support any HTTP server
  • Win NT/IIS
  • Solaris/Netscape
  • Linux/Apache

Web/Application Servers (cont.)

• Single sign-on
  • Forward ID and password in the HTTP authentication header so user is not prompted
  • Form-fill can be used for convenience
  • Lowers overhead cost of maintaining tables
• Object Level Access Control (OLAC)
  • Allows the use of different logon credentials than name and password
  • Can be used to personalize content
  • May be customized to meet your needs

Administration Overview

• Configuration methods
• Question
• Why a wizard?
• Web Server Accelerator Wizard

Configuration Methods

• Proxy server console configuration
  • Command-line tool
  • Configures all proxy parameters and settings
• Proxy server web-based configuration
  • Browser-based (IE and Netscape)
  • Easier to use than command-line tool
• ConsoleOne® snap-ins
  • Use eDirectory objects and attributes for authorization and access control
  • Provide password management features

Question

So, why do we need a wizard?

Why A Wizard?

Okay, to start out, I go to my browser to create a new web server accelerator…

Now I go to ConsoleOne to create my protected resource…

And create and set up my ACL rule...

Then finally back to my browser to log Joe in…

Login failed. Hmmm. Oops, I forgot to add the sales container to my authentication profile…

So, since I’m in my browser, I can do that pretty quickly…

And then try and log Joe in again…

403? What the… Oh yeah, I didn’t add the sales container to the ACL rule.

This is getting old. Back to ConsoleOne, where I add the sales container to the ACL rule…

And then back to my browser to try and log Joe in once again…

Another 403? What is going on? Did I forget to refresh ACLCHECK?

Click the refresh button and that should do it…

Log Joe in one more time…

Whew… finally…
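The three failures in the walkthrough above have three different causes: the login search scope, the ACL rule's trustees, and the proxy's cached copy of the rules. The following is an added example, not iChain code and not from the original slides: a simplified Python model in which the class, the function names, the DNs and the `/reports` path are all assumptions made for illustration, and group trustees are left out.

```python
from dataclasses import dataclass, field

def within(dn, container):
    """True if dn is the container itself or sits anywhere below it."""
    dn, container = dn.lower(), container.lower()
    return dn == container or dn.endswith("," + container)

@dataclass
class Proxy:
    """Toy proxy: a login search scope plus a *cached copy* of the ACL rules."""
    levels: dict                                        # resource -> public/restricted/secure
    auth_contexts: set = field(default_factory=set)     # authentication profile containers
    cached_acl: dict = field(default_factory=dict)      # resource -> trustee DNs (snapshot)

    def refresh(self, directory_acl):
        # Stands in for the ACLCHECK refresh: copy the directory's rules into the cache.
        self.cached_acl = {res: set(t) for res, t in directory_acl.items()}

    def request(self, user_dn, resource):
        level = self.levels[resource]
        if level == "public":                           # no authentication or access control
            return "200 OK"
        if not any(within(user_dn, c) for c in self.auth_contexts):
            return "login failed"                       # user not found in any login context
        if level == "restricted":                       # authentication only
            return "200 OK"
        trustees = self.cached_acl.get(resource, set()) # "secure": authentication + ACL
        allowed = any(within(user_dn, t) for t in trustees)
        return "200 OK" if allowed else "403 Forbidden"

def walkthrough():
    """Replay the slide sequence; all DNs and paths are constructed sample values."""
    joe, sales = "cn=joe,ou=sales,o=example", "ou=sales,o=example"
    directory_acl = {"/reports": set()}                 # rule exists, sales not yet a trustee
    proxy = Proxy(levels={"/": "public", "/reports": "secure"})
    proxy.refresh(directory_acl)
    results = [proxy.request(joe, "/reports")]          # sales missing from auth profile
    proxy.auth_contexts.add(sales)
    results.append(proxy.request(joe, "/reports"))      # sales missing from ACL rule
    directory_acl["/reports"].add(sales)                # fixed in the directory only
    results.append(proxy.request(joe, "/reports"))      # proxy still uses the stale cache
    proxy.refresh(directory_acl)
    results.append(proxy.request(joe, "/reports"))      # cache refreshed
    return results

if __name__ == "__main__":
    print(walkthrough())
```

The second and third results are the same 403 for different reasons, which is why a rule change made in the directory has to be followed by a refresh on the proxy before it is tested.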

Web Server Accelerator Wizard

• ConsoleOne-based tool
• Centralizes all administrative tasks
  • Removes need to jump back and forth between tools
  • Run from any workstation in the network
• Configuration for:
  • Proxy server
  • Authorization and access control
  • Accelerators and authentication profiles
  • Multi-homing

New Features In iChain 2.x

• Session Broker
• Licensing
• Multi-homing (host, path, domain)
• Dynamic access control rules
• Future directions
  • Affiliate services
  • iManager plug-ins for administration

Configuration of iChain 2.x Using the Web Server Accelerator Wizard
