2.8.3 Configuring a Protected Resource for a Novell Vibe 3.3 Server

The following sections explain how to configure Access Gateway with a domain-based multi-homing service. The instructions assume that you have a functioning Novell Vibe 3.3 server on Linux and a functioning Access Manager system with a reverse proxy configured for SSL communication between the browsers and Access Gateway.

The Novell Vibe server needs to be configured to trust Access Gateway to allow single sign-on with Identity Injection and to provide simultaneous logout. You also need to create an Access Gateway proxy service and configure it.

For information about other possible Access Gateway configurations, see “Teaming 2.0: Integrating with Linux Access Gateway”.

Configuring the Novell Vibe Server to Trust Access Gateway

To use Novell Vibe as a protected resource of an Access Gateway and to use Identity Injection for single sign-on, the Vibe server (still called the Teaming server by its installer and init script) needs a trusted relationship with Access Gateway. With a trusted relationship, the Vibe server accepts the credentials that Access Gateway places in the Authorization header of each request, without prompting the user again. The Vibe server accepts only a simple username (such as user1) and a password in the Authorization header; a domain-qualified name or an LDAP DN is not accepted.

This section explains how to set up the trusted relationship and how to enable simultaneous logout, so that when the user logs out of Teaming, the user is also logged out of Access Gateway.

To configure the trusted relationship:

  1. Log in to the Novell Vibe server.

  2. Stop the Teaming server with the following command:

    /etc/init.d/teaming stop

  3. Run the installer-teaming.linux script.

  4. Follow the prompts, then select Reconfigure settings.

  5. Follow the prompts, then select Advanced installation.

  6. Follow the prompts, selecting the defaults until the Enable Access Gateway option appears, then type Yes.

  7. In the Access Gateway address(es) section, include the IP address of Access Gateway that is used for the connection to the Teaming server.

    If Access Gateway is part of a cluster, add the IP address for each cluster member. Wildcards such as 164.99.*.* are allowed.

    When you specify IP addresses in this option, Novell Vibe logins are allowed only from the specified addresses. Keep this list as narrow as possible: any host that matches an entry can present an Authorization header that Vibe accepts as an authenticated user, so a wildcard such as 164.99.*.* trusts every host in that range, not only the cluster members. Also, if Authorization header credentials are not present or are incorrect, the user is prompted for login by using Basic Authentication.

  8. When prompted for the Logout URL, specify the URL of the published DNS name of the proxy service plus /AGLogout.

    For example, if the published DNS name of the proxy service is vibe.doc.provo.novell.com, specify the following URL:

    https://vibe.doc.provo.novell.com/AGLogout

  9. When you are prompted to use Access Gateway for WebDAV connections, specify No.

  10. Follow the prompts to complete the reconfiguration process.

  11. Start the Vibe server with the following command:

    /etc/init.d/teaming start

  12. Continue with Configuring a Domain-Based Multi-Homing Service for Novell Vibe.
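The following Python model, added here as an illustration and not part of the Vibe or Access Manager code, shows what the trust relationship above amounts to on the wire: Access Gateway injects a Basic Authorization header built from the user's credentials, and the Vibe side accepts it only when the request arrives from a configured gateway address, the user name is a simple name, and the credentials verify. The gateway addresses, the in-memory user directory, the HTTP status codes and the realm text are assumptions of the example; the wildcard handling shows why a pattern such as 164.99.*.* trusts a whole /16.

```python
import base64
import re

# Constructed example configuration, mirroring the installer prompts above.
# Hypothetical addresses: one Access Gateway plus a wildcard for a cluster range.
ACCESS_GATEWAY_ADDRESSES = ["10.10.10.5", "164.99.*.*"]

# Vibe accepts only a simple user name in the header: no domain prefix,
# no DN, no e-mail form. The exact character set is an assumption here.
SIMPLE_USERNAME = re.compile(r"^[A-Za-z0-9._-]+$")

# Constructed directory standing in for the LDAP user store.
DIRECTORY = {"user1": "secret"}


def address_is_trusted(client_ip, allowed=ACCESS_GATEWAY_ADDRESSES):
    """True if client_ip matches a configured gateway address.

    Wildcards are matched per dotted octet, so 164.99.*.* matches every
    address in 164.99.0.0/16 and therefore trusts every host in it.
    """
    octets = client_ip.split(".")
    if len(octets) != 4:
        return False
    for pattern in allowed:
        parts = pattern.split(".")
        if len(parts) == 4 and all(p == "*" or p == o for p, o in zip(parts, octets)):
            return True
    return False


def build_authorization_header(username, password):
    """What the Identity Injection policy adds to each request: a Basic
    Authorization header built from the Credential Profile (user name and
    password, Base64-encoded, not encrypted)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_authorization_header(value):
    """Return (username, password), or None if the header is absent,
    malformed, or does not carry a simple user name."""
    if not value or not value.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(value[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    if not sep or not SIMPLE_USERNAME.match(username):
        return None
    return username, password


def handle_login(client_ip, authorization, verify=lambda u, p: DIRECTORY.get(u) == p):
    """Model of the Vibe-side decision once Access Gateway trust is enabled.

    Returns (HTTP status, note). Logins are accepted only from configured
    addresses (403 is this model's choice for other sources); a missing or
    wrong header falls back to a Basic Authentication challenge.
    """
    if not address_is_trusted(client_ip):
        return 403, "login not allowed from this address"
    creds = parse_authorization_header(authorization)
    if creds is None or not verify(*creds):
        return 401, 'WWW-Authenticate: Basic realm="Vibe"'
    return 200, f"logged in as {creds[0]}"


if __name__ == "__main__":
    header = build_authorization_header("user1", "secret")
    print(header)
    print(handle_login("164.99.12.34", header))   # trusted cluster member
    print(handle_login("164.99.12.34", None))     # no header: Basic challenge
    print(handle_login("192.168.1.1", header))    # not a gateway address
```

Because the header carries the password Base64-encoded rather than encrypted, the network path between Access Gateway and the Vibe server must itself be trusted or protected by SSL; anyone who can read that traffic, or who sits on a trusted address, can authenticate as the user.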

Configuring a Domain-Based Multi-Homing Service for Novell Vibe

The following instructions describe how to set up a domain-based service to protect the Novell Vibe server. In this example, the published DNS name of the service is vibe.doc.provo.novell.com. Because the reverse proxy is configured for SSL between the browser and Access Gateway, users access the Vibe server with a URL similar to https://vibe.doc.provo.novell.com.

To configure a domain-based service for Vibe, complete the following tasks:

  Configuring the Domain-Based Proxy Service
  Configuring Protected Resources
  Configuring a Rewriter Profile
  Creating a Pin List

Configuring the Domain-Based Proxy Service

You must create a new reverse proxy before you configure the domain-based proxy service. Configure the Vibe domain as the primary proxy service and enable SSL between browser and Access Gateway. For more information about how to create a new reverse proxy, see Creating a Proxy Service.

  1. Click Devices > Access Gateways > Edit > [Name of Reverse Proxy].

  2. In the Reverse Proxy List, click New, then specify the following details:

    Proxy Service Name: Specify a display name for the proxy service that Administration Console uses for its interfaces.

    Multi-Homing Type: Select Domain-Based.

    Published DNS Name: Specify the DNS name you want the public to use to access your site. This DNS name must resolve to the IP address you set up as the listening address. For example, vibe.doc.provo.novell.com.

    Web Server IP Address: Specify the IP address of the Vibe server.

    Host Header: Select the Forward Received Host Name option.

    Web Server Host Name: Specify the DNS name of the Vibe server.

  3. Click OK.

  4. Click the newly added proxy service, then select the Web Servers tab.

  5. Change the Connect Port to 8080.

    If the Novell Vibe server has port forwarding enabled, you do not need to change from the default port 80.

  6. Click TCP Connect Options.

  7. Change the value of Data Read Timeout option to 300 seconds.

    This longer timeout is needed for file uploads.

  8. Click OK.

  9. Continue with Configuring Protected Resources.

Configuring Protected Resources

You must configure an Identity Injection policy to enable single sign-on with the Novell Vibe server. This Identity Injection policy must be configured to inject the user's credentials into the Authorization header of each request sent to the Vibe server. The injected header carries the LDAP password Base64-encoded, not encrypted, so the connection from Access Gateway to the Vibe server (port 8080 in this configuration) must run over a network segment you trust, or Access Gateway must be configured to connect to the web server over SSL.

  1. Click Policies > Policies.

  2. Select the policy container, then click New.

  3. Specify a name for the policy, select Access Gateway: Identity Injection for the type, then click OK.

  4. (Optional) Specify a description for the injection policy. This is useful if you plan to create multiple policies to be used by multiple resources.

  5. In the Actions section, click New, then select Inject into Authentication Header.

  6. Specify the following details:

    User Name: Select Credential Profile > LDAP User Name.

    Password: Select Credential Profile > LDAP Password.

  7. Click OK twice.

  8. Click Apply Changes.

    For more information about how to create such a policy, see Section 10.4.3, Configuring an Authentication Header Policy.

    Assign this policy to the protected resources. You need to create two protected resources, one for HTML content and one for WebDAV and AJAX content.

  9. Click Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Protected Resources.

  10. Create a protected resource for HTML content:

    1. In the Protected Resource List, click New, specify a name, then click OK.

    2. (Optional) Specify a description for the protected resource. You can use it to briefly describe the purpose for protecting this resource.

    3. Specify a value for Authentication Procedure. For example, select the Secure Name/Password - Form contract.

    4. In the URL Path List, remove the /* path and add the following two paths:

      /teaming/*
      /ssf/*

    5. Click OK.

  11. Create a protected resource for WebDAV and AJAX content:

    1. In the Protected Resource List, click New, specify a unique name, then click OK.

    2. (Optional) Specify a description for the protected resource. You can use it to briefly describe the purpose for protecting this resource.

    3. Click the Edit Authentication Procedure icon.

    4. In Authentication Procedure List, click New, specify a name, then click OK.

    5. Specify details in the following fields:

      Contract: Select the Secure Name/Password - Form contract, which is the same contract that you selected for the HTML content protected resource.

      Non-Redirected Login: Select this option.

      Realm: Specify a name that you want to use for the Teaming server. This name does not correspond to a Vibe configuration option. It appears when the user is prompted for credentials.

      Redirect to Identity Server When No Authentication Header is Provided: Deselect this option.

    6. Click OK twice.

    7. For the Authentication Procedure, select the procedure you just created.

    8. In the URL Path List, remove the /* path and add the following paths:

      /ssfs/*
      /ssf/rss/*
      /ssf/atom/*
      /ssf/ical/*
      /ssf/ws/*
      /ssr/*
      /rest/*

      The /ssfs/* path is for WebDAV content, and the /ssf/rss/* path enables non-redirected login for RSS reader connections. Clients such as WebDAV, feed and calendar readers send Basic credentials and cannot complete a form-based login, which is why this resource uses the non-redirected procedure instead of a redirect to the Identity Server. Because /* was removed from both resources, any path that matches neither list is not authenticated by Access Gateway at all.

    9. Click OK.

  12. In the Protected Resource List, ensure that the protected resources you created are enabled.

  13. To apply your changes, click Devices > Access Gateways, then click Update.

  14. Continue with Configuring a Rewriter Profile.
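The following Python model, added as an illustration rather than code from Access Manager, shows how the two protected resources configured above decide what an unauthenticated request receives: a redirect to the Identity Server for the HTML paths, a Basic challenge with the configured realm for the WebDAV and AJAX paths, and plain pass-through for anything outside both lists. The resource names, the Identity Server URL, the realm text and the longest-match rule used to resolve overlapping paths (so that /ssf/rss/* wins over /ssf/*) are assumptions of this example.

```python
# Constructed model of the two protected resources configured above.
PUBLISHED_DNS = "vibe.doc.provo.novell.com"
IDP_LOGIN_URL = "https://idp.doc.provo.novell.com/nidp/app/login"  # assumed

PROTECTED_RESOURCES = [
    {
        "name": "vibe-html",                       # assumed name
        "paths": ["/teaming/*", "/ssf/*"],
        "non_redirected_login": False,
    },
    {
        "name": "vibe-webdav-ajax",                # assumed name
        "paths": ["/ssfs/*", "/ssf/rss/*", "/ssf/atom/*", "/ssf/ical/*",
                  "/ssf/ws/*", "/ssr/*", "/rest/*"],
        "non_redirected_login": True,
        "realm": "Vibe",                           # assumed realm text
    },
]


def path_matches(pattern, path):
    """A trailing /* matches everything below that directory; otherwise exact."""
    if pattern.endswith("/*"):
        return path.startswith(pattern[:-1])
    return path == pattern


def match_resource(path, resources=PROTECTED_RESOURCES):
    """Pick the protected resource whose longest path pattern matches.

    /ssf/rss/* is more specific than /ssf/*, so feed requests land on the
    non-redirected resource. Longest-match precedence is this model's rule.
    """
    best, best_len = None, -1
    for resource in resources:
        for pattern in resource["paths"]:
            if path_matches(pattern, path) and len(pattern) > best_len:
                best, best_len = resource, len(pattern)
    return best


def unauthenticated_request(path):
    """What a request without an Access Gateway session gets back: (status, header)."""
    resource = match_resource(path)
    if resource is None:
        # /* was removed from both resources, so anything else is not
        # protected by Access Gateway and is forwarded to Vibe as-is.
        return 200, "forwarded without Access Gateway authentication"
    if resource["non_redirected_login"]:
        return 401, f'WWW-Authenticate: Basic realm="{resource["realm"]}"'
    # Form contract: the browser is sent to the Identity Server, then back.
    return 302, f"Location: {IDP_LOGIN_URL} (return to https://{PUBLISHED_DNS}{path})"


if __name__ == "__main__":
    for p in ["/teaming/", "/ssf/a/workspace", "/ssf/rss/feed",
              "/ssfs/files/doc.txt", "/images/logo.png"]:
        print(p, "->", unauthenticated_request(p))
```

Run the model against a path and compare with what the real gateway returns for the same path (for example with a command-line HTTP client): an HTML path should answer 302 to the Identity Server, a WebDAV path should answer 401 with the realm you configured, and a path outside both lists should reach Vibe without an Access Gateway login.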

Configuring a Rewriter Profile

  1. Click Devices > Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > HTML Rewriting.

  2. In HTML Rewriter Profile List, click New.

  3. Specify a name for the profile, select Word as the search boundary, then click OK.

  4. In the And Document Content-Type Header Is section, click New, then specify the following type:

    application/rss+xml

  5. In the Variable or Attribute Name to Search for Is section, click New, then specify the following as the variable to search for:

    value

  6. Click OK.

  7. Ensure that Enable Rewrite Actions remains selected.

  8. Click OK.

  9. In HTML Rewriter Profile List, move the Word profile you created to be the first profile in the list, and move the default profile to be the second profile in the list.

  10. Click OK.

  11. To apply your changes, click Devices > Access Gateways, Update.

  12. Continue with Creating a Pin List.

NOTE: If Vibe is configured to send binary content in JSON format, you must disable the HTML Rewriter for that content to prevent errors, because rewriting modifies the byte stream.
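The following Python model, added here as an illustration and not the Access Gateway rewriter itself, shows the effect of the profile configured above on a sample RSS document: only documents whose content type is application/rss+xml are touched, only the value attribute is searched, and the internal host name is replaced only where it stands as a whole word, which is what the Word search boundary means. The internal host name, port and the constructed RSS fragment are assumptions of the example.

```python
import re

# Assumed names for this example: the internal Vibe host (the Web Server
# Host Name entered on the proxy service) and the published DNS name.
WEB_SERVER_HOST = "vibe-internal.doc.provo.novell.com"
WEB_SERVER_PORT = 8080
PUBLISHED_DNS = "vibe.doc.provo.novell.com"

# The profile as configured above: RSS documents only, 'value' attribute only.
PROFILE = {"content_types": {"application/rss+xml"}, "attributes": {"value"}}

# Word boundary (\b) on both sides: the host name is rewritten only when it
# is a complete token, never when it is a prefix of a longer name.
INTERNAL_URL = re.compile(
    rf"\bhttps?://{re.escape(WEB_SERVER_HOST)}(?::{WEB_SERVER_PORT})?\b"
)


def rewrite_url(url):
    """Replace the internal scheme, host and port with the published HTTPS name."""
    return INTERNAL_URL.sub(f"https://{PUBLISHED_DNS}", url)


def rewrite_document(content_type, body, profile=PROFILE):
    """Apply the profile: the body is returned unchanged unless the content
    type matches, and only the listed attributes are rewritten."""
    if content_type not in profile["content_types"]:
        return body
    names = "|".join(re.escape(a) for a in profile["attributes"])
    attr = re.compile(rf'(\b(?:{names})\s*=\s*")([^"]*)(")')
    return attr.sub(lambda m: m.group(1) + rewrite_url(m.group(2)) + m.group(3), body)


# Constructed RSS fragment as the internal server might emit it.
SAMPLE_RSS = (
    '<rss version="2.0"><channel>'
    '<link value="http://vibe-internal.doc.provo.novell.com:8080/ssf/rss/feed"/>'
    '<guid>http://vibe-internal.doc.provo.novell.com:8080/ssf/a/workspace/1</guid>'
    "</channel></rss>"
)

if __name__ == "__main__":
    print(rewrite_document("application/rss+xml", SAMPLE_RSS))
    # Same body served as JSON is left alone, as the NOTE above requires.
    print(rewrite_document("application/json", SAMPLE_RSS) == SAMPLE_RSS)
```

Note that the guid element in the sample is not rewritten because the profile lists only the value attribute; if a feed reader needs other URLs rewritten, the corresponding variable or attribute name must be added to the profile.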

Creating a Pin List

Configure Access Gateway to bypass its cache for the published URL of the proxy service, so that Vibe content is always fetched from the Vibe server:

  1. Click Devices > Access Gateways > Edit.

  2. Click Pin List in the configuration page.

  3. Click New, then specify the published DNS name of the proxy service. For example, vibe.doc.provo.novell.com.

  4. Select Bypass as the Pin type.

  5. Click OK.

  6. To save the configuration changes, click Devices > Access Gateways, then click Update.

NOTE: If you do not want Access Gateway to cache site information at all, do not create a Pin List. Instead, configure Access Gateway to forward the cache control headers sent by the Vibe server to the browser. This is the recommended configuration for Novell Vibe. For information about how to forward cache control headers to the browser, see Section 3.3.2, Controlling Browser Caching.