Teaming 2.0 Integration with Linux Access Gateway



By: nramesh

May 6, 2010 5:55 pm


By Ramesh Nerella

Table of Contents

1. Basic Information
2. Configuration Notes
     Configuring Teaming to Interoperate with Novell Access Manager
     Access Manager Sample Configurations for Teaming
     Proxy service type: Domain-based multi-home
     Proxy Service Type: Path-based multi-home (Remove Path on Fill disabled)
     Proxy Service Type: Path-based multi-home (Remove Path on Fill enabled)
     Proxy Service Type: Non multi-home
     Single sign-on

1. Basic Information

This document provides configurations for using Teaming 2.0 through the Novell Access Manager (NAM) 3.1.1 IR1 Linux Access Gateway.

The browser access URL for teaming is similar to:

http(s)://<DNS>/teaming

The HTML content is located under path /ssf, while the webDAV content is located under /ssfs.

2. Configuration Notes

Configuring Teaming to Interoperate with Novell Access Manager

Teaming 2.0's installer.xml file contains settings in the <SSO> section for use with a proxy device such as the Access Gateway. To use Teaming through a NAM Access Gateway with Identity Injection for single sign-on, Teaming must “trust” the AG so that it processes the credentials in the Authorization header. Teaming accepts only a simple username (for example user1, not a full LDAP DN) and password in the Authorization header.

To configure Teaming to trust a device, run the script “installer-teaming.linux” and follow the prompts: select “Reconfigure settings”, choose Advanced, accept the defaults down to the option “Enable Access Gateway” (answer yes), then set the following:

  • Access Gateway address(es): the IP address(es) of the AG (wildcards such as 164.99.*.* are allowed). Logins are then only allowed from those addresses. If Authorization header credentials are absent or incorrect, the user is prompted to log in using Basic authentication. This address list is what makes Teaming believe a header that any HTTP client could otherwise forge, so keep it as narrow as possible and make sure the Teaming server (port 8080 in the examples below) is not reachable from a listed address by anything other than the Access Gateway; any host that can reach Teaming from a listed address can log in as whatever user it names in the header.
  • Logout URL: the public URL of the Teaming proxy service with the path /AGLogout (for example https://dbmhteaming.cit.novell.com/AGLogout), so that logging out of Teaming also ends the Access Manager session.

Configuring Teaming to Trust the Access Gateway

To configure Teaming to trust a device, do the following:

NOTE: Stop the Teaming service before making these changes: /etc/init.d/teaming stop

  1. Run the “installer-teaming.linux” script.
  2. Select “Reconfigure settings” when prompted.
  3. Select Advanced Settings.
  4. Accept the default options in the next few steps.
  5. Set the “Enable Access Gateway” option to Yes.
  6. In the Access Gateway address(es) field, enter the IP address(es) of the Access Gateway, and set the Logout URL as described above.
  7. After finishing the configuration changes, start the Teaming service again: /etc/init.d/teaming start
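The trust rule above (process Authorization credentials only when they arrive from a listed gateway address, and only with a simple username) is the entire security boundary of this setup, so it is worth seeing exactly what it amounts to. The following Python model is an added example, not Teaming's code: it matches the peer address against the wildcard list, decodes the Basic Authorization header that the ii-simple policy injects, and falls back to a Basic challenge as the text describes. The address list, the user table and all function names are constructed for the example.

```python
import base64
import binascii
import hmac
import re

# Constructed sample of the "Access Gateway address(es)" list entered in
# installer-teaming.linux; a wildcard octet is allowed, as in the article.
TRUSTED_AG_ADDRESSES = ["164.99.*.*", "10.1.1.5"]

# Constructed credential store standing in for the LDAP check Teaming does.
USER_DB = {"user1": "s3cret", "user2": "passw0rd"}

# Only a "simple" name such as user1 is accepted, not an LDAP DN or
# user@domain form.
SIMPLE_USERNAME = re.compile(r"^[A-Za-z0-9._-]+$")

BASIC_CHALLENGE = 'Basic realm="Teaming"'


def address_matches(peer_ip, pattern):
    """True if a dotted-quad IPv4 address matches a pattern like 164.99.*.*."""
    octets, parts = peer_ip.split("."), pattern.split(".")
    if len(octets) != 4 or len(parts) != 4:
        return False
    return all(p == "*" or p == o for o, p in zip(octets, parts))


def is_trusted_gateway(peer_ip, trusted=TRUSTED_AG_ADDRESSES):
    """peer_ip must be the address of the TCP connection, never a value taken
    from a header such as X-Forwarded-For, which any client can set."""
    return any(address_matches(peer_ip, pattern) for pattern in trusted)


def parse_basic_authorization(value):
    """Decode 'Basic base64(user:password)'; return (user, password) or None."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        return None
    return user, password


def authenticate(peer_ip, headers):
    """Outcome of a request reaching Teaming.
    ("ok", user)        injected credentials accepted
    ("prompt", ...)     Teaming answers with its own Basic login challenge
    ("reject", ...)     login not allowed from this address at all"""
    if not is_trusted_gateway(peer_ip):
        return ("reject", "login not allowed from " + peer_ip)
    creds = parse_basic_authorization(headers.get("Authorization", ""))
    if creds is None:
        return ("prompt", BASIC_CHALLENGE)          # header missing or malformed
    user, password = creds
    if not SIMPLE_USERNAME.match(user):
        return ("prompt", BASIC_CHALLENGE)          # e.g. cn=user1,o=novell
    stored = USER_DB.get(user)
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        return ("prompt", BASIC_CHALLENGE)          # wrong password
    return ("ok", user)


def basic_header(user, password):
    """Build the header the ii-simple identity injection policy would add."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


if __name__ == "__main__":
    print(authenticate("164.99.12.34", basic_header("user1", "s3cret")))
    print(authenticate("192.168.1.10", basic_header("user1", "s3cret")))
    print(authenticate("164.99.12.34", basic_header("cn=user1,o=novell", "s3cret")))
```

The detail that matters operationally is where peer_ip comes from: the TCP peer address, not any header. The list only means something if the Access Gateway is the sole host in those ranges that can open a connection to Teaming's private port; a wildcard such as 164.99.*.* trusts every machine in that /16.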

Access Manager Sample Configurations for Teaming

The following sections describe configurations tested with NAM 3.1.1 IR1 and Teaming 2.0. With each configuration, users see a form-type login to Access Manager when accessing Teaming's HTML content and a Basic-type login when accessing its webDAV content. A user accessing webDAV content may be prompted to log in more than once, because a session cannot be shared between the browser and the webDAV client.

Proxy service type: Domain-based multi-home

This configuration provides protected access to Teaming HTML and webDAV content using a domain-based proxy service, single sign-on using identity injection, and simultaneous logout. In this example, users would access Teaming with a URL similar to https://dbmhteaming.novell.com/teaming.

NAM setup detail:

  • Proxy service type: domain-based multi-homing (For Example, Published DNS Name=dbmhteaming.novell.com)

  • SSL enabled on Public interface (port 443), non-SSL on private (Connect Port: 8080).
  • Host Header: Web Server Host Name: enabled (for example internal.teaming.com); this name must match the DNS name of the Teaming server.
  • Web Servers page > TCP Connect Options > Data Read Timeout=1200 (to avoid timeout problems when uploading files)

  • HTML Rewriting: a Word rewriter profile with “value” (without quotes) added to the “Variable or Attribute Name to Search for is” list (needed for correct rewriting on the workflow “Form and View Designers” page), plus a new entry of application/rss+xml in “And Document Content-Type Header Is”.

  • All other settings in this rewriter profile are defaults. Be sure to move this profile to the top of the ordered list of rewriter profiles.
  • Add a Bypass type Pin list entry for the published URL of the Teaming proxy service (workaround for defect 523610).

    For example:

    URL Mask=dbmhteaming.novell.com (DNS name of proxy service)
    Pin Type=Bypass

  • Protected Resource setup for Teaming HTML content:

    Protected Resource “pr-html”:
    -path=/*
    -Authentication Procedure: Secure Name/Password – Form type contract
    -Identity Injection: enabled, policy “ii-simple” (injects Credential Profile LDAP name and password into the Authorization headers)

  • Protected Resource setup for Teaming webDAV and AJAX content:

    Protected Resource “pr-dav”:
    -path= <Three paths as below>
         /ssfs/* (for webDAV content)
         /ssf/a/do?* (for AJAX content)
         /ssf/rss/* (for RSS reader connections)
    -Authentication Procedure:
         ”Contract:”= Secure Name/Password – Basic type contract
         ”Non-Redirected Login:” enabled
         ”Realm:” = Teaming
         ”Redirect to Identity Server When No Authentication Header is Provided:” disabled
    -Identity Injection: enabled, policy “ii-simple” (same policy as used with pr-html)

  • Simultaneous Logout:

    Refer to “Configuring Teaming to Interoperate with Novell Access Manager” above to set the logout URL.
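To check that the protected resource split does what the text says (browser traffic gets a form login, webDAV, AJAX and RSS traffic gets a Basic challenge the client can answer in place), the following Python model classifies a request target against the pr-html and pr-dav patterns above and shows the unauthenticated response each produces. It is an added example, not the article's or NAM's code; the rule that the most specific matching path wins and the Identity Server URL are assumptions of the example.

```python
# Protected resources of the domain-based configuration, as
# (name, path pattern, authentication contract). Taken from the article;
# the order of this list does not matter for the model.
PROTECTED_RESOURCES = [
    ("pr-html", "/*", "form"),
    ("pr-dav", "/ssfs/*", "basic"),      # webDAV content
    ("pr-dav", "/ssf/a/do?*", "basic"),  # AJAX content
    ("pr-dav", "/ssf/rss/*", "basic"),   # RSS reader connections
]

# Assumed for the example, not from the article.
IDENTITY_SERVER_LOGIN = "https://idp.example.com/nidp/"
# Realm from the pr-dav authentication procedure.
BASIC_REALM = "Teaming"


def pattern_prefix(pattern):
    """The patterns in this article are a literal prefix plus a trailing '*'."""
    return pattern[:-1] if pattern.endswith("*") else pattern


def pattern_matches(pattern, request_target):
    """request_target is the path plus query string, e.g. /ssf/a/do?p_name=x."""
    prefix = pattern_prefix(pattern)
    if pattern.endswith("*"):
        return request_target.startswith(prefix)
    return request_target == prefix


def select_resource(request_target):
    """Pick the protected resource for a request.
    Assumption: when several patterns match, the longest literal prefix wins;
    that is what lets the pr-dav paths carve webDAV, AJAX and RSS traffic out
    of the catch-all /* used by pr-html."""
    matches = [r for r in PROTECTED_RESOURCES if pattern_matches(r[1], request_target)]
    if not matches:
        return None                       # would be an unprotected resource
    return max(matches, key=lambda r: len(pattern_prefix(r[1])))


def unauthenticated_response(request_target):
    """What a client with no Access Manager session gets back: (status, headers)."""
    _name, _pattern, contract = select_resource(request_target)
    if contract == "form":
        # Form contract: the browser is redirected to the Identity Server.
        return 302, {"Location": IDENTITY_SERVER_LOGIN}
    # Basic contract with Non-Redirected Login enabled and the redirect to the
    # Identity Server disabled: the gateway challenges in place, which a
    # webDAV client or RSS reader understands and a redirect would break.
    return 401, {"WWW-Authenticate": f'Basic realm="{BASIC_REALM}"'}


if __name__ == "__main__":
    for target in ["/teaming", "/ssf/a/do?p_name=ss_forum", "/ssf/a/do",
                   "/ssfs/files/report.doc", "/ssf/rss/feed"]:
        print(target, select_resource(target)[0], unauthenticated_response(target)[0])
```

With the path-based configurations the same patterns apply with the multi-homing path in front (/testTC20/ssfs/* and so on). Note the edge case the model makes visible: /ssf/a/do without a query string does not match /ssf/a/do?* and so falls under pr-html. A practical check against a live gateway is to request a webDAV path with no credentials and confirm the reply is a 401 with WWW-Authenticate: Basic realm="Teaming" rather than a 302 to the Identity Server; a 302 there means the Basic contract or the non-redirected login setting is not in effect for that path.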

Proxy Service Type: Path-based multi-home (Remove Path on Fill disabled)

This configuration provides protected access to Teaming HTML and webDAV content using a path-based proxy service with the option “Remove Path on Fill” disabled, single sign-on using identity injection, and simultaneous logout. In this example, users would access Teaming with a URL similar to https://www.novell.com/teaming.

NAM setup detail:

  • Proxy service type: path-based multi-home (example Published DNS Name=teaming.cit.novell.com)
  • SSL enabled on Public side (port 443), non-ssl on private (Connect Port: 8080)
  • Multi-homing Path List: /ssf, /ssfs, /teaming

  • Remove Path on Fill: disabled

  • Host Header: Web Server Host Name: enabled (for example internal.novell.com); this name must match the DNS name of the Teaming server.
  • Web Servers page > TCP Connect Options > Data Read Timeout=1200 (to avoid timeout problems when uploading files)
  • HTML Rewriting: a Word rewriter profile with “value” (without quotes) added to the “Variable or Attribute Name to Search for is” list (needed for correct rewriting on the workflow “Form and View Designers” page), plus a new entry of application/rss+xml in “And Document Content-Type Header Is”.
  • All other settings in this rewriter profile are defaults. Be sure to move this profile to the top of the ordered list of rewriter profiles.
  • Add a Bypass type Pin List entry for the published URL of the Teaming proxy service.

    For example:

    URL Mask= www.novell.com (DNS name of proxy service)

    Pin Type=Bypass
  • Protected Resource setup for Teaming HTML content:

    Protected Resource “pr-html”:
    -path= <two paths as below>
         /ssf/*
         /teaming/*
    -Authentication Procedure: Secure Name/Password – Form type contract
    -Identity Injection: enabled, policy “ii-simple” (injects Credential Profile LDAP name and password into the Authorization headers)

  • Protected Resource setup for webDAV and AJAX content:

    Protected Resource “pr-dav”:
    -path= <Three paths as below>
         /ssfs/* (for webDAV content)
         /ssf/a/do?* (for AJAX content)
         /ssf/rss/* (for RSS reader connections)
    -Authentication Procedure:
         “Contract:”= Secure Name/Password – Basic type contract
         “Non-Redirected Login:” enabled
         “Realm:” = Teaming
         “Redirect to Identity Server When No Authentication Header is Provided:” disabled
    -Identity Injection: enabled, policy “ii-simple” (same policy used with pr-html)

  • Simultaneous Logout:
    Refer to “Configuring Teaming to Interoperate with Novell Access Manager” above to set the logout URL.

Proxy Service Type: Path-based multi-home (Remove Path on Fill enabled)

This configuration provides protected access to Teaming HTML and webDAV content using a path-based proxy service with the option “Remove Path on Fill” enabled, single sign-on using identity injection, and simultaneous logout. In this example, users would access Teaming with a URL similar to https://teaming.novell.com/testTC20/teaming.

NAM setup detail:

  • Proxy service type: path-based multi-home (example Published DNS Name= teaming.novell.com)
  • SSL enabled on Public side (port 443), non-SSL on private (Connect Port: 8080)
  • Multi-homing Path List: /testTC20

  • Remove Path on Fill: enabled
  • Reinsert Path in “Set-Cookie” header: enabled

  • HTTP Options -> Allow pages to be cached by browser: enabled
  • Host Header: Web Server Host Name: enabled (for example internal.teaming.novell.com); this name must match the DNS name of the Teaming server.
  • Web Servers page > TCP Connect Options > Data Read Timeout=1200 (to avoid timeout problems when uploading files)
  • HTML Rewriting:

    Teaming needs a different rewriter setup here so that POST data in HTML requests is not rewritten. This keeps the Send E-Mail feature working when Teaming is used through NAM.

    When Send E-Mail is used, the generated mail message contains a link to the URL shown in the browser at the moment the Send E-Mail button was clicked. When the user completes the mail and clicks OK, the e-mail data is sent to the Teaming server with a POST.

    The POST data contains the browser's current URL, which in this case has the external scheme, DNS name, port and multi-homing sub-path of the proxy service. When the AG forwards this POST, that URL must not be reverse-rewritten to the internal scheme, name and port, and the multi-homing sub-path must not be removed; otherwise the mail would carry an internal URL that is unreachable from outside. With the POST data left alone, a user who opens the mail and clicks the link is sent to the path-based multi-homing (Remove Path on Fill enabled) URL of Teaming, as desired. The choice of URL only becomes a problem when both internal (direct) and external (through an Access Gateway) users need the e-mail link; the setup described here assumes that a Teaming server used through an Access Gateway is not also used over direct connections. The new rewriter setup uses two separate rewriter profiles, similar to the following:

    Word Rewriter Profile 1 (For webDAV content, top profile on rewriter profile list):
    If Requested URL is:

    https://<DNS_of_pbmh_service>/testTC20/ssfs/*

    (this entry is used so that this rewriter profile is only active on webDAV content)

    Rewrite Inbound Query String Data: enabled
    Rewrite Inbound Post Data: enabled
    Rewrite Inbound Headers: enabled
    Additional Strings to Replace:
    Search = /ssfs
    Replace=$path/ssfs

    Word Rewriter Profile 2 (For HTML content, second top on rewriter profile list):
    Rewrite Inbound Query String Data: enabled
    Rewrite Inbound Post Data: disabled
    Rewrite Inbound Headers: enabled
    “value” (without quotes) added to “Variable or Attribute Name to Search for is” list (needed for correct rewriting on the workflow “Form and View Designers” page), plus new entry in “And Document Content-Type Header Is” of application/rss+xml.
    Additional Strings to Replace:
    Search = /ssf
    Replace=$path/ssf

  • All other settings in these two rewriter profiles are at default settings. Be sure to move these profiles to the top of the ordered list of rewriter profiles as noted above.
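The Remove Path on Fill behaviour and the two rewriter profiles are easier to reason about as a small simulation. The following Python is an added example, not NAM's rewriter: it strips the multi-homing path on the way in, prepends it on the way out (including the Set-Cookie path reinsertion enabled above), and shows what happens to the Send E-Mail link when inbound POST data is and is not rewritten. The host names and the request body are constructed for the example, and the replacement rules are a simplification of the real rewriter.

```python
import re

# Constructed stand-ins for the path-based multi-home service with Remove Path
# on Fill enabled and for the Teaming web server behind it.
PUBLIC_ORIGIN = "https://teaming.novell.com"
MULTIHOME_PATH = "/testTC20"                     # what the profiles call $path
WEB_SERVER = "http://internal.teaming.novell.com:8080"

# The two Word rewriter profiles, reduced to the settings this model uses.
# Profile 1 is limited to webDAV requests by its "If Requested URL is" entry;
# profile 2 catches everything else.
PROFILE_DAV = {"name": "Word Rewriter Profile 1", "only_under": MULTIHOME_PATH + "/ssfs/",
               "rewrite_post_data": True, "strings": [("/ssfs", "$path/ssfs")]}
PROFILE_HTML = {"name": "Word Rewriter Profile 2", "only_under": None,
                "rewrite_post_data": False, "strings": [("/ssf", "$path/ssf")]}
PROFILES = [PROFILE_DAV, PROFILE_HTML]           # ordered list, as in the article


def select_profile(public_path):
    """First profile in the ordered list whose request-URL condition matches."""
    for profile in PROFILES:
        if profile["only_under"] is None or public_path.startswith(profile["only_under"]):
            return profile
    raise ValueError("no rewriter profile matched")


def expand(replace):
    return replace.replace("$path", MULTIHOME_PATH)


def reverse_rewrite(text, profile):
    """Inbound direction: turn public URLs back into what the web server knows,
    the exact reverse of rewrite_response()."""
    text = text.replace(PUBLIC_ORIGIN + MULTIHOME_PATH, WEB_SERVER)
    for search, replace in profile["strings"]:
        text = text.replace(expand(replace), search)
    return text


def fill_request(public_path, post_body, profile):
    """Remove Path on Fill: strip $path before the request goes to the web
    server. The POST body is reverse-rewritten only if the profile says so;
    profile 2 deliberately leaves it alone."""
    if not public_path.startswith(MULTIHOME_PATH + "/"):
        raise ValueError("request does not belong to this multi-home path")
    origin_path = public_path[len(MULTIHOME_PATH):]
    if profile["rewrite_post_data"]:
        post_body = reverse_rewrite(post_body, profile)
    return origin_path, post_body


def rewrite_response(text, profile):
    """Outbound direction: the internal host becomes public host plus $path, and
    the profile's 'Additional Strings to Replace' put $path in front of relative
    references that do not already carry it."""
    text = text.replace(WEB_SERVER, PUBLIC_ORIGIN + MULTIHOME_PATH)
    for search, replace in profile["strings"]:
        pattern = r"(?<!" + re.escape(MULTIHOME_PATH) + r")" + re.escape(search)
        text = re.sub(pattern, expand(replace), text)
    return text


def reinsert_cookie_path(set_cookie):
    """'Reinsert Path in Set-Cookie header': the web server scopes its cookie to
    /ssf, but the browser will only send it back for /testTC20/ssf."""
    return re.sub(r"(;\s*[Pp]ath=)/", r"\1" + MULTIHOME_PATH + "/", set_cookie)


def email_link_as_stored(rewrite_post_data):
    """Model of the Send E-Mail POST: the body carries the browser's current,
    public URL. Returns the link as the Teaming server receives and mails it."""
    profile = dict(PROFILE_HTML, rewrite_post_data=rewrite_post_data)
    public_path = MULTIHOME_PATH + "/ssf/a/do"
    link = PUBLIC_ORIGIN + MULTIHOME_PATH + "/ssf/a/do?p_name=ss_forum"   # constructed
    _, body = fill_request(public_path, "to=user2&link=" + link, profile)
    return body.split("link=", 1)[1]


if __name__ == "__main__":
    print(rewrite_response('<a href="/ssf/a/do?x=1">', PROFILE_HTML))
    print(reinsert_cookie_path("JSESSIONID=abc; Path=/ssf; HttpOnly"))
    print("POST rewriting off:", email_link_as_stored(False))  # public link, reachable from outside
    print("POST rewriting on: ", email_link_as_stored(True))   # internal link, useless to external users
```

The second of the two e-mail cases is the failure the article's profile 2 avoids: with inbound POST rewriting enabled, the gateway helpfully converts the public URL in the form body into the internal one, and every recipient outside the network gets a dead link.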
  • Add a Bypass type PIN list entry for the published URL of the Teaming proxy service

    For example:

    URL Mask=teaming.novell.com (DNS name of proxy service)

    Pin Type=Bypass
  • Protected Resource setup for Teaming HTML content:

    Protected Resource “pr-html”:
    -paths= <three paths as below>
         /testTC20/*
         /testTC20/ssf/*
         /testTC20/teaming/*
    -Authentication Procedure: Secure Name/Password – Form type contract
    -Identity Injection: enabled, policy “ii-simple” (injects Credential Profile LDAP name and password into the Authorization headers)

  • Protected Resource setup for webDAV and AJAX content:

    Protected Resource “pr-dav”:
    -paths= <two paths as below>
         /testTC20/ssfs/* (for webDAV content)
         /testTC20/ssf/a/do?* (for AJAX content)
    -Authentication Procedure: use an Authentication Procedure with these settings:
         “Contract:”= Secure Name/Password – Basic type contract
         “Non-Redirected Login:” enabled
         “Realm:” = Teaming
         “Redirect to Identity Server When No Authentication Header is Provided:” disabled
    -Identity Injection: enabled, policy “ii-simple” (same policy used with pr-html)

  • Simultaneous Logout:

    Refer to “Configuring Teaming to Interoperate with Novell Access Manager” above to set the logout URL.

Proxy Service Type: Non multi-home

This configuration provides protected access to Teaming HTML and webDAV content using a non-multi-homing proxy service, single sign-on using identity injection, and simultaneous logout. In this example, users would access Teaming with a URL similar to https://lag.novell.com/teaming.

NAM setup detail:

  • Proxy service type: non multi-home (example Published DNS Name=lag.novell.com)
  • SSL enabled on Public side (port 443), non-ssl on private (Connect Port: 8080)
  • Host Header: Web Server Host Name: enabled (for example internal.teaming.novell.com); this name must match the DNS name of the Teaming server.
  • Web Servers page > TCP Connect Options > Data Read Timeout=1200 (to avoid timeout problems when uploading files)
  • HTML Rewriting: a Word rewriter profile with “value” (without quotes) added to the “Variable or Attribute Name to Search for is” list (needed for correct rewriting on the workflow “Form and View Designers” page)
  • Add a Bypass type Pin list entry for the published URL of the Teaming proxy service.
    For example:
    URL Mask=lag.novell.com (DNS name of proxy service)
    Pin Type=Bypass
  • Protected Resource setup for Teaming HTML content:

    Protected Resource “pr-html”:
    -paths=/ssf/*, /teaming/*
    -Authentication Procedure: Secure Name/Password – Form type contract
    -Identity Injection: enabled, policy “ii-simple” (injects Credential Profile LDAP name and password into the Authorization headers)

  • Protected Resource setup for Teaming webDAV and AJAX content:

    Protected Resource “pr-dav”:
    -path= <two paths as below>
         /ssfs/* (for webDAV content)
         /ssf/a/do?* (for AJAX content)
    -Authentication Procedure:
         “Contract:”= Secure Name/Password – Basic type contract
         “Non-Redirected Login:” enabled
         “Realm:” = Teaming
         “Redirect to Identity Server When No Authentication Header is Provided:” disabled
    -Identity Injection: enabled, policy “ii-simple” (same policy as used with pr-html)

  • Simultaneous Logout:
    Refer to “Configuring Teaming to Interoperate with Novell Access Manager” above to set the Access Manager logout URL.

Single sign-on

  • Identity Injection

Teaming processes the Authorization header for login credentials. The username must be in a simple format such as User1. Teaming processes Authorization headers only in requests from trusted hosts. See “Configuring Teaming to Interoperate with Novell Access Manager” above for details.


Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.
