Access Manager Single Sign-on to NetStorage

By: ScorpionSting

May 16, 2008 11:47 am

This has been tested with the following versions:

  • NetWare OES2 (NetWare 6.5 SP7)
  • Access Manager 3 SP3

This is for HTTP/HTTPS connectivity to NetStorage only. I understand there are also issues around WebDAV and clients running NCL and/or ZEN.

My environment consists of:

  • The OES2 server (oesnw65.i.scorpiogeek.net.nz)
  • The Linux Access Gateway (lag.i.scorpiogeek.net.nz)
  • The Identity Server (idp.i.scorpiogeek.net.nz)
  • An Accelerated domain name of am3.i.scorpiogeek.net.nz
  • The IDP protected behind the Access Gateway

Adjust these names to match your own environment.

Firstly, NetStorage needs to be modified through the iManager plugin “File Access (NetStorage)”.

The main setting here is Cookieless, which must be set to 1. You can also configure the Session Timeout at this point to match what you will configure in Access Manager. It is best to reboot the server afterwards to make sure the change has taken effect.

Now we need to modify the NetStorage logout link so that it logs the user out of Access Manager as well. Edit the SYS:\tomcat\4\webapps\NetStorage\logout.html.utf8 file: comment out the 2 lines, enable the 3 lines, and modify the URL:

Now we need to set up Access Manager to accelerate NetStorage. Three Identity Injection policies are required:

  • Inject the Basic Authentication Header
  • Inject the Session Cookie
  • Inject the ICHAIN_UID header (not sure about this one, but did it anyway – you can try without and see if it works)

Let's set up the accelerator for NetStorage now:

  • Create a new Path-Based accelerator. This will have 2 paths, as shown below:
  • Under HTTP Options, enable the Enable X-Forwarded-For option:
  • Under the Web Servers tab, forward the web server name as the Host Header, enable Forwarding of Encoding Header, and connect using SSL:
  • On the parent accelerator, create a new protected resource with 2 URL Paths and assign your contract:
  • Assign your appropriate authentication policy:
  • Assign the 3 Identity Injection policies created earlier:

We now need a public resource for the logout page:

One last task is to avoid caching issues:

Apply the changes and Update all servers. NetStorage can now be accessed via https://am3.i.scorpiogeek.net.nz/NetStorage
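As an added example that is not part of the original article, the following stand-in back end can be pointed at by the accelerator before NetStorage itself, to confirm that the Access Gateway really delivers the three injections, the forwarded Host header and X-Forwarded-For; the header name ICHAIN_UID, the expected Host value and all sample values are assumptions taken from the environment described above.

```python
import base64
import binascii
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed values matching the environment described in the article.
EXPECTED_HOST = "oesnw65.i.scorpiogeek.net.nz"  # web server name the LAG should forward as Host
UID_HEADER = "ICHAIN_UID"  # assumption: the injected header is spelled exactly as in the article

def check_injected_headers(headers, expected_host=EXPECTED_HOST):
    """Inspect one request's headers (any key casing) and report what the gateway delivered."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = {}
    # 1. Basic Authentication injection: must be well-formed base64 of user:password
    auth = h.get("authorization", "")
    user = None
    if auth.startswith("Basic "):
        try:
            decoded = base64.b64decode(auth[6:], validate=True).decode("utf-8")
            user, sep, _password = decoded.partition(":")
            if not sep or not user:
                user = None
        except (binascii.Error, UnicodeDecodeError):
            user = None
    findings["basic_auth_user"] = user
    # 2. Session cookie injection: any non-empty Cookie header counts as present
    findings["has_session_cookie"] = bool(h.get("cookie", "").strip())
    # 3. ICHAIN_UID injection
    findings["ichain_uid"] = h.get(UID_HEADER.lower())
    # 4. Host header forwarded as the web server name, not the accelerated DNS name
    findings["host_ok"] = h.get("host") == expected_host
    # 5. X-Forwarded-For so NetStorage logs show the real client, not the LAG address
    xff = h.get("x-forwarded-for", "")
    findings["client_ip"] = xff.split(",")[0].strip() or None
    findings["complete"] = all([user, findings["has_session_cookie"], findings["ichain_uid"],
                                findings["host_ok"], findings["client_ip"]])
    return findings

class DiagHandler(BaseHTTPRequestHandler):
    """Stand-in back end: echoes the findings so you can see exactly what the LAG sent."""
    def do_GET(self):
        body = json.dumps(check_injected_headers(dict(self.headers)), indent=2).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), DiagHandler).serve_forever()
```

Run it on the web server port the accelerator forwards to, browse to the accelerated URL, and every field in the returned JSON should be populated before you switch the accelerator back to NetStorage.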

Categories: Access Manager, Technical Solutions

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.

4 Comments

  1. By:khurni

    Very good setup. Just be aware Novell won’t support this configuration (their official SSO solution to NetStorage is to use SecureLogin). But it DOES work, and many thanks to the author for taking the time to illustrate this.

  2. By:sinfo

    Please update the links to the gif files. I can’t seem to access them.
    Thanks

    • By:ScorpionSting

      Attachmate failed to copy the images from the old Novell Coolsolutions to the NetIQ Coolsolutions when they did the move. The originals have gone as I no longer have copies.

      • By:mcurrie

        Hi ScorpionSting, can you please update the article so it at least has the information such as the paths etc., even if it does not have the images? Thanks.
