Custom IDP Class to Check the Integrity of the Client Machine



By: cagautham

March 29, 2011 11:03 am


Background:

The Client Integrity Check (CIC) feature is available with the SSL VPN component of Novell Access Manager. You can configure a client integrity check policy to verify if the prescribed software (such as firewall and antivirus software) is installed on the client machine. You can configure different policies for Windows, Linux, and Macintosh machines, then specify applications that must be present in the client machines in order to pass the client integrity check.

Requirement:

An IDP authentication class has to be created which checks for software information on the client workstation. The customer should be able to configure checks such as process, file, Windows registry, system service, etc. as an input to the class at the admin console. This class can be executed as the first method of the contract. If the check fails, authentication fails for the user; otherwise execution continues with the next method.

Approach:

The following will be the flow in which this will be achieved:

  • Admin configures this new authentication class in the admin console.
  • Policies for the CIC are configured as a property to this class.
  • This policy can contain checks for Windows, Linux and Mac workstations.
  • The first method in the contract can contain this class.
  • When this class is executed, a Java applet will be loaded on the client machine.
  • Applet will download the policies and CIC binary from the IDP server for execution.
  • Applet will then execute the CIC binary with the provided policy.
    • While executing, the browser will show a wait status to the end user.
    • There is no end user input needed in this process.
  • Applet will then return the result to the server.
    • If failed, an error page is thrown to the user.
    • On success, method execution will proceed.

Details:

This feature is tested on 3.1.2 and above with the IDP on Linux. As per design, it should work on earlier builds and on Windows. You can follow the steps below to enable this feature on a box where the IDP is installed:

$ cd /var/opt/novell/tomcat5/webapps/nidp
$ tar xzvf NIDP_CIC_CLASS.tar.gz   # downloaded from http://www.netiq.com/communities/media/nidp_cic_class.tar.gz

The above command should produce the following output:

classUtils/
classUtils/linux/
classUtils/linux/cic_linux.txt
classUtils/linux/LinCic
classUtils/maci386/
classUtils/maci386/cic_mac.txt
classUtils/maci386/MacCic
classUtils/windows/
classUtils/windows/cic_windows.txt
classUtils/windows/wincic.exe
classUtils/cic-applet.jar
WEB-INF/lib/cic-custom-class.jar
jsp/ClientIntegrityCheck.jsp

$ /etc/init.d/novell-tomcat5 restart

Please refer to the demo link section for details on generating the CIC configuration.

Now you can configure the admin console with the new authentication class as shown below.

You also need to configure properties for the new class as shown below.

Demo Link:

https://sas.elluminate.com/mr.jnlp?suid=M.2AF4D485120D5716A2C42E754D4560&sid=873

Troubleshooting:

  • Make sure you have a JRE installed on the client for the applet to load.
  • Once the applet is loaded on browser, the user needs to click “run” on the java pop-up to run the applet.
  • This new class has to be assigned to a method and that method has to be assigned to a contract.

Example CIC configuration:

(Please refer to the demo link for details on generating the CIC configuration.)

Policy text file example:

--------------------------------------------------start--------------------------------------------------------------
MAX_LEVEL=3 
LEVEL=1 
CATEGORIES= 
LEVEL=2 
CATEGORIES= 
LEVEL=3 
CATEGORIES=Antivirus_Windows ,  new cic policy

[Antivirus_Windows] 
{ 
Name=Symantec AntiVirus 10.0 
Process=UserInterfaceID==0&Name==rtvscan.exe&Version==10.0&RegistryKey==HKEY_LOCAL_MACHINE\\SOFTWARE\\Symantec\\InstalledApps&RegistryKeyValue==NAVNT 
SoftwareService=Name==blabla&UserInterfaceID==1289976299949&Status==Running 
AbsoluteFile=Version==123&Name==aasd&UserInterfaceID==1289976307589&HashMD5==sdfkjhkj23hkl21h 
RegistryKey=Name==\HKEY_CURRENT_USER\windows&ValueName==12&Operator==gt=&ValueData==13&UserInterfaceID==1289976317526 
} 
{ 
Name=example antivirus 
SoftwareService=Name==example&UserInterfaceID==1290072241929&Status==Running 
} 
[new cic policy] 
{ 
Name=new application 
SoftwareService=Name==new service&UserInterfaceID==1290072457890&Status==Running 
Process=Version==101&RegistryKey==\HKEY_LOCAL_USER\newreg&RegistryKeyValue==newvalue&Owner==&Name==new process&UserInterfaceID==1290072495675 
} 

---------------------------------end--------------------------------------------------------------------------------------

In the above policy, there are two categories configured, Antivirus_Windows and new cic policy. Antivirus_Windows has 2 applications under it, Symantec AntiVirus 10.0 and example antivirus.

If one of the applications is satisfied then Antivirus_Windows is passed.

The Symantec AntiVirus 10.0 application is configured with 4 definitions: Process, SoftwareService, AbsoluteFile and RegistryKey.

A Process definition contains the name of the process, the registry key and its value, and the version of the process.

NOTE: UserInterfaceID can be ignored. You can install an SSL VPN device and generate a large number of policies using the CIC and CIC level sections.
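As an added example (not code from this article, the CIC applet or the CIC binary), the following Python parses a policy file in the format shown above and evaluates it against host facts. It assumes that an application passes only when all of its definitions are met, that attributes are compared by plain equality (the Operator and HashMD5 attributes are not implemented), and that the HOST dictionary is a constructed stand-in for what the CIC binary would collect from the workstation.

```python
POLICY = """CATEGORIES=Antivirus_Windows
[Antivirus_Windows]
{
Name=Symantec AntiVirus 10.0
Process=UserInterfaceID==0&Name==rtvscan.exe&Version==10.0
SoftwareService=Name==blabla&UserInterfaceID==1289976299949&Status==Running
}
{
Name=example antivirus
SoftwareService=Name==example&UserInterfaceID==1290072241929&Status==Running
}
"""

def parse_attrs(value):
    # "Name==x&Status==Running" -> {"Name": "x", "Status": "Running"}
    return dict(part.partition("==")[::2] for part in value.split("&"))

def parse_policy(text):
    # -> {category: [{"Name": ..., "checks": [(kind, attrs), ...]}, ...]}
    categories, apps, app = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):                  # [category] header
            apps = categories[line.strip("[]").strip()] = []
        elif line == "{":                         # start of one application
            app = {"Name": None, "checks": []}
        elif line == "}":                         # end of that application
            apps.append(app)
            app = None
        elif app is not None and "=" in line:     # LEVEL/CATEGORIES lines are skipped
            key, _, value = line.partition("=")
            if key == "Name":
                app["Name"] = value
            else:
                app["checks"].append((key, parse_attrs(value)))
    return categories

def definition_met(kind, attrs, host):
    # UserInterfaceID is an editor artefact (see the NOTE above) and is ignored;
    # every other attribute must equal a host fact of the same kind.
    wanted = {k: v for k, v in attrs.items() if k != "UserInterfaceID"}
    return any(all(f.get(k) == v for k, v in wanted.items()) for f in host.get(kind, []))

def evaluate(text, host):
    # category passes if ANY application passes; an application passes only
    # if it has definitions and ALL of them are met (AND semantics assumed)
    return {cat: any(app["checks"] and all(definition_met(k, a, host) for k, a in app["checks"])
                     for app in apps) for cat, apps in parse_policy(text).items()}

HOST = {"Process": [{"Name": "rtvscan.exe", "Version": "10.0"}],   # constructed sample
        "SoftwareService": [{"Name": "example", "Status": "Running"}]}
```

With HOST as given, Symantec AntiVirus fails on its service check but example antivirus passes, so the category passes; remove the running service and the category fails.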


Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.
