6.2 Configuring Novell Access Manager to Work with Cloud Manager

Novell Access Manager (NAM) provides secure, single sign-on access to trusted NetIQ Cloud Manager users from any location, in spite of the internal technical and organizational boundaries in your enterprise. Novell Access Manager supports multi-factor authentication, role-based access control, data encryption, and SSL VPN services.

The content in this section is not intended as a comprehensive guide to NAM. You should have already installed Novell Access Manager and a Novell Access Manager Access Gateway. You should also have installed NetIQ Cloud Manager, and the Cloud Manager Application Server should be running.

You need to be familiar with Novell Access Manager capabilities so that you understand the context of the content in this section. For more information about Novell Access Manager, see the Access Manager documentation Web site.

6.2.1 Managing a Reverse Proxy for Authentication to Cloud Manager

A reverse proxy acts as the front end to the Cloud Manager Web Server on the Internet. The proxy off-loads frequent requests, thereby freeing up bandwidth. It also increases security because the IP addresses of your Web servers are hidden from the Internet.

You can use an existing reverse proxy and add a new proxy service for Cloud Manager or you can create a new reverse proxy with a service for Cloud Manager. You can configure the authentication settings of the reverse proxy according to the needs of your enterprise.

For information about creating a new reverse proxy, see “Managing Reverse Proxies and Authentication” in the Novell Access Manager 3.1 SP4 Configuration Guide.

When the reverse proxy is set up as you want it, you need to perform the other configuration procedures necessary for Novell Access Manager authentication:

Creating and Configuring the Proxy Service for the Cloud Manager Reverse Proxy

You must create a unique proxy service for Cloud Manager. Configure the proxy service settings according to the needs of your enterprise.

The first proxy service of a reverse proxy is considered the master (or parent) proxy. Subsequent proxy services can use domain-based, path-based, or virtual multi-homing, relative to the published DNS name of the master proxy service. If you are creating a second proxy service to be used for Cloud Manager on the reverse proxy, see “Using Multi-Homing to Access Multiple Resources” in the Novell Access Manager 3.1 SP4 Access Gateway Guide.

Remember that for the Web Server IP Address setting of the proxy service, you need to specify the IP Address for the Cloud Manager Web server, and for the Web Server Host Name setting of the proxy service, you need to specify the DNS name of the Cloud Manager Web server.

When you have configured the proxy service according to your needs, you can continue with Adding and Protecting All Cloud Manager Resources.

Adding and Protecting All Cloud Manager Resources

A protected resource configuration specifies the directory (or directories) on the Cloud Manager Web server that you want to protect. The protected resource configuration specifies the authorization procedures and the policies that should be used to enforce protection.

You need to group all of the Cloud Manager resources that use the proxy service.

To create a resource that groups all of the Cloud Manager services:

  1. Log in to the Access Manager Administration Console. For information about accessing the console, see “Logging In to the Administration Console” in the Novell Access Manager 3.1 SP4 Installation Guide.

  2. In the console, select Devices > Access Gateways to open the Access Gateways page.

  3. On the Access Gateways page, select Edit for the Gateway Server you want to edit. This displays the Access Gateway Server Configuration page.

  4. On the Access Gateway Server Configuration page, select the name of the reverse proxy. This opens the Reverse Proxy configuration page.

  5. On the Reverse Proxy page, select the proxy service you want to configure. This opens the Reverse Proxy Service page.

  6. On the Reverse Proxy Service page, select the Protected Resources tab to open the Protected Resources page.

  7. Configure the protected resource:

    1. On the Protected Resources page, select New, then specify a display name for the new resource you want to protect. For example, to create a resource that you want to use to represent all Cloud Manager resources, you could name the resource “everything.”

      When you create the display name, the Overview page for the new resource is displayed.

    2. Fill in the fields to configure the resource:

      • Description: Specify a description for the protected resource. You can use it to briefly describe the purpose for protecting this resource.

      • Authentication Procedure: Select Name/Password - Form from the drop-down list. This specifies form-based authentication over HTTP or HTTPS, using the Access Manager login form.

      • URL Path: Select the default path, which is /*. This specifies everything on the Cloud Manager Web Server.

    3. Click the Protected Resources breadcrumb at the top of the Overview page to return to the Protected Resources page.

    4. On the Protected Resources page, make sure that the new protected resource is selected as Enabled.

  8. Continue with Creating an Identity Injection Policy for the New Cloud Manager Protected Resource.

Creating an Identity Injection Policy for the New Cloud Manager Protected Resource

When the Cloud Manager protected resource is created, you need to associate it with an Access Manager identity injection policy to protect it. This policy specifies the information that must be injected into the HTTP header. Because Cloud Manager is configured to detect certain fields in the header, it can deny user authentication or redirect that user to an alternate Web page if it does not find the required information in the header.

  1. Log in to the Access Manager Administration Console. For information about accessing the console, see “Logging In to the Administration Console” in the Novell Access Manager 3.1 SP4 Installation Guide.

  2. In the Access Manager Administration Console, select Devices > Access Gateways to open the Access Gateways page.

  3. On the Access Gateways page, select Edit for the Gateway Server you want to edit. This displays the Access Gateway Server Configuration page.

  4. On the Access Gateway Server Configuration page, select the name of the reverse proxy. This opens the Reverse Proxy configuration page.

  5. On the Reverse Proxy page, select the proxy service you want to configure. This opens the Reverse Proxy Service page.

  6. On the Reverse Proxy Service page, select the Protected Resources tab to open the Protected Resources page.

  7. On the Protected Resources page, select the display name of the Cloud Manager protected resource to open the properties views, then select Identity Injection to open the Identity Injection Policy List.

  8. Select Manage Policies to open the Policies page.

  9. Fill in the fields.

    • Description: (Optional) Describe the purpose of this policy. Because Identity Injection policies are customized to match the content of a specific Web server, include the name of the Cloud Manager Web server as part of the description.

    • Priority: Specify the order in which a rule is applied in the policy, when the policy has multiple rules. The highest priority is 1 and the lowest priority is 10.

  10. In the actions panel of the page, select New > Inject into Custom Header.

    This inserts custom names with values into a custom header.

  11. Configure five custom policy headers for Cloud Manager. You must configure the attributes of the custom headers as specified below. The headers must be created or moved into the order listed. You can use the Copy Action icon to copy each header, then you can modify the configurations as needed.

    1. Create the X-TrustedUser header, using the following information to populate the fields:

      • Custom Header Name: Specify X-TrustedUser.

      • Value: Select LDAP Attribute. Selecting this option enables the LDAP attribute list box and the Refresh Data Rate list box. For this header, select cn as the LDAP attribute, then select Session as the refresh rate.

      • Multi-Value Separator: Select the semicolon (;) separator from the list box.

      • DN Format: Select the LDAP option from the list box.

    2. Create the X-TrustedRoles header, using the following information to populate the fields:

      • Custom Header Name: Specify X-TrustedRoles.

      • Value: Select LDAP Attribute. Selecting this option enables the LDAP attribute list box and the Refresh Data Rate list box. For this header, select groupMembership as the LDAP attribute, then select Session as the refresh rate.

        NOTE: The groupMembership attribute applies if you are using eDirectory. If you are using Active Directory, the attribute is memberOf.

      • Multi-Value Separator: Select the semicolon (;) separator from the list box.

      • DN Format: Select the LDAP option from the list box.

    3. Create the X-TrustedUserFQDN header, using the following information to populate the fields:

      • Custom Header Name: Specify X-TrustedUserFQDN.

      • Value: Select Credential Profile. Selecting this option enables the Credential Profile list box. For this header, select LDAP Credentials: LDAP User DN as the credential profile.

      • Multi-Value Separator: Select the semicolon (;) separator from the list box.

      • DN Format: Select the LDAP option from the list box.

    4. Create the X-TrustedUserDisplayName header, using the following information to populate the fields:

      • Custom Header Name: Specify X-TrustedUserDisplayName.

      • Value: Select LDAP Attribute. Making this selection enables the LDAP attribute list box and the Refresh Data Rate list box. For this header, select displayName as the LDAP attribute, then select Session as the refresh rate.

      • Multi-Value Separator: Select the semicolon (;) separator from the list box.

      • DN Format: Select the LDAP option from the list box.

    5. Create the X-TrustedUserEmail header, using the following information to populate the fields:

      • Custom Header Name: Specify X-TrustedUserEmail.

      • Value: Select LDAP Attribute. Making this selection enables the LDAP attribute list box and the Refresh Data Rate list box. For this header, select mail as the LDAP attribute, then select Session as the refresh rate.

      • Multi-Value Separator: Select the semicolon (;) separator from the list box.

      • DN Format: Select the LDAP option from the list box.

  12. Click OK to save the new policy and display it on the Policies page.

  13. On the Policies page, click Enable to enable this new policy for the protected resource.

  14. Continue with Adding and Configuring an HTML Rewriter Profile for the Proxy Service.

NOTE: Make sure that you always update your configuration when you make changes in Novell Access Manager.

For more information, see “Configuring an Identity Injection Policy” in the Novell Access Manager 3.1 SP4 Policy Guide.
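The following is an added example, not code from the Novell documentation or from Cloud Manager itself: a minimal check that a back end behind the Access Gateway could run on the five injected headers, using the semicolon Multi-Value Separator and LDAP DN format configured in the policy above. The sample header values are constructed for an eDirectory user and the group DNs are hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# The five headers the identity injection policy inserts, in policy order.
REQUIRED_HEADERS = (
    "X-TrustedUser",
    "X-TrustedRoles",
    "X-TrustedUserFQDN",
    "X-TrustedUserDisplayName",
    "X-TrustedUserEmail",
)
SEPARATOR = ";"  # the Multi-Value Separator selected for every header

@dataclass
class TrustedIdentity:
    user: str           # X-TrustedUser (LDAP cn)
    roles: List[str]    # X-TrustedRoles (groupMembership or memberOf DNs)
    fqdn: str           # X-TrustedUserFQDN (LDAP user DN)
    display_name: str   # X-TrustedUserDisplayName
    email: str          # X-TrustedUserEmail

def parse_trusted_headers(headers: Dict[str, str]) -> Optional[TrustedIdentity]:
    """Return the injected identity, or None when a required header is absent or empty."""
    # HTTP header names are case-insensitive, so compare them case-folded.
    lowered = {name.lower(): value for name, value in headers.items()}
    values = {}
    for name in REQUIRED_HEADERS:
        value = lowered.get(name.lower(), "").strip()
        if not value:
            return None  # the case in which the back end denies or redirects
        values[name] = value
    roles = [r.strip() for r in values["X-TrustedRoles"].split(SEPARATOR) if r.strip()]
    if not roles:
        return None  # separator present but no group DN at all
    return TrustedIdentity(
        user=values["X-TrustedUser"],
        roles=roles,
        fqdn=values["X-TrustedUserFQDN"],
        display_name=values["X-TrustedUserDisplayName"],
        email=values["X-TrustedUserEmail"],
    )

# Constructed sample headers as the Access Gateway would inject them (hypothetical DNs).
SAMPLE_HEADERS = {
    "X-TrustedUser": "jdoe",
    "X-TrustedRoles": "cn=CloudAdmins,ou=groups,o=example;cn=Users,ou=groups,o=example",
    "X-TrustedUserFQDN": "cn=jdoe,ou=users,o=example",
    "X-TrustedUserDisplayName": "Jane Doe",
    "X-TrustedUserEmail": "jdoe@example.com",
}
```

Because the headers are only trustworthy when they come from the Access Gateway, the Cloud Manager Web server should accept connections solely from the gateway, as the reverse proxy arrangement in this section intends.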

Adding and Configuring an HTML Rewriter Profile for the Proxy Service

The changes you make to the Novell Access Manager Access Gateway configurations for Cloud Manager require HTML rewriting because the Cloud Manager Web server is not aware that the Access Gateway machine is obfuscating its DNS names. URLs contained in its pages must be checked to ensure that these references contain the DNS names that the client browser understands. On the other end, the client browsers are not aware that the Access Gateway is obfuscating the DNS names of the resources they are accessing. The URL requests coming from the client browsers that use published DNS names must be rewritten to the DNS names that the Cloud Manager Web server expects.

The information in “Understanding the Rewriting Process” in the Novell Access Manager 3.1 SP4 Access Gateway Guide explains this process more fully.

You need to create and configure a new HTML Rewriter Profile for use with Cloud Manager.

  1. Log in to the Access Manager Administration Console. For information about accessing the console, see “Logging In to the Administration Console” in the Novell Access Manager 3.1 SP4 Installation Guide.

  2. In the Access Manager Administration Console, select Devices > Access Gateways to open the Access Gateways page.

  3. On the Access Gateways page, select Edit for the Gateway Server you want to edit. This displays the Access Gateway Server Configuration page.

  4. On the Access Gateway Server Configuration page, select the name of the reverse proxy. This opens the Reverse Proxy configuration page.

  5. On the Reverse Proxy page, select the proxy service you want to configure. This opens the Reverse Proxy Service page.

  6. On the Reverse Proxy Service page, select the HTML Rewriting tab to open the HTML rewriting page.

    The HTML Rewriting page specifies which DNS names are to be rewritten. The HTML Rewriter Profile specifies which pages to search for DNS names that need to be rewritten.

  7. Select Enable HTML Rewriting.

    This option is enabled by default. When it is disabled, no rewriting occurs. When it is enabled, this option activates the internal HTML rewriter. When data is sent to the browsers, this rewriter replaces the name of the Cloud Manager Web server with the published DNS name. It replaces the published DNS name with the Web Server Host Name when sending data to the Cloud Manager Web server. It also ensures that the proper scheme (HTTP or HTTPS) is included in the URL. This is needed because you can configure the Access Gateway to use HTTPS between itself and client browsers and to use HTTP between itself and the Web servers.

  8. Specify a name for the new profile, use the default search boundary, then click OK to open the HTML Rewriter configuration page.

  9. In the Content-Type Header section of the page, click New to open a New dialog box.

  10. In the dialog box, specify the new content-type header, which is application/xml, select the Rewrite Inbound Headers check box, then click OK to make sure that the new Content-Type Header is enabled for the protected resource.