8.1 Accelerator Authentication Parameter Page

In ConsoleOne, the fifth page of the iChain Web Server Accelerator Wizard is where you specify the accelerator authentication parameters. You can enable or disable authentication, enable or disable Secure Exchange, and create authentication profiles.

Figure 8-1 Accelerator Authentication Parameter Page

The following table describes the fields on this page:

Field Name

Description

Status

Enable Authentication

Selecting this option forces a user to authenticate before accessing this Web server.

Optional

Enable Secure Exchange

Selecting this option enables Secure Exchange (formerly known as SSLizer). Advanced options for Secure Exchange are not currently available from the wizard, but can be set from the proxy server administration application.

Optional. If you choose to enable this option, see Section 5.3, Using Third-Party Certificates, for instructions on how to import the trusted root. Required to use Basic Authentication for LDAP; see Section 6.2, Enabling Authentication Through the HTTP Authorization Header.

SSL Listening Port

The SSL port that the user is redirected to for authentication if Secure Exchange is enabled.

Required if authentication or Secure Exchange is enabled

SSL Certificate Name

The certificate name for this accelerator. If the name does not appear in the drop-down list, it can be entered manually.

Required if Secure Exchange is enabled

Session Timeout Interval

The amount of time a connection can be inactive before re-authentication is required.

Required if authentication is enabled or Secure Exchange is enabled

Forward iChain Cookie to Web Server

Sends the Novell® iChain® cookie to the Web server along with the other data being sent.

Optional

Forward Authentication Information to Web Server

Sends the username and/or password to the Web server.

Optional

Authenticate over HTTP

Allows authentication over unencrypted HTTP instead of HTTPS. This feature is not compatible with RADIUS authentication profiles.

Optional

Authentication Profiles

Each existing profile is listed; those in use appear with a check box. At least one profile must be selected when authentication is enabled. When multiple profiles are in the list, more than one can be enabled. Currently, only Mutual SSL profiles may be used with LDAP or RADIUS profiles. LDAP and RADIUS profiles cannot be used together.

Required if authentication is enabled.

Multiple Profile Rule

Only valid if multiple Authentication Profiles are checked. Selects whether only one profile is required (OR) or if all selected authentication methods need to be fulfilled before authentication is granted (AND). OR is the default when multiple profiles are checked.

Create another accelerator

If this check box is selected when you click Next, the wizard returns to the Accelerator Specification Page so that a new accelerator can be created. This saves you from clicking Next and then clicking Back three times to return to the Accelerator Specification Page.

Optional
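The dependencies in the Status column above, as an added example that is not iChain code: a small validator that rejects an accelerator definition which breaks them. The profile kind labels, the timeout unit, and reading "no special characters" (from the Add Authentication Profile dialog box) as alphanumeric are assumptions.

```python
# Added example, not iChain code: check the "Required if ..." dependencies from the
# table above before an accelerator definition is saved. Field names mirror the
# wizard; the profile-kind labels and the alphanumeric name rule are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class AcceleratorAuth:
    enable_authentication: bool = False
    enable_secure_exchange: bool = False
    ssl_listening_port: Optional[int] = None
    ssl_certificate_name: str = ""
    session_timeout_interval: Optional[int] = None   # inactivity limit (unit assumed)
    authenticate_over_http: bool = False
    # selected Authentication Profiles: name -> "MUTUAL" | "LDAP" | "RADIUS"
    profiles: Dict[str, str] = field(default_factory=dict)
    multiple_profile_rule: str = "OR"                # OR is the wizard default


def validate(cfg: AcceleratorAuth) -> List[str]:
    """Return the rules the configuration breaks; an empty list means it is consistent."""
    problems = []
    needs_ssl = cfg.enable_authentication or cfg.enable_secure_exchange
    if needs_ssl and not cfg.ssl_listening_port:
        problems.append("SSL Listening Port is required when authentication or Secure Exchange is enabled")
    if needs_ssl and cfg.session_timeout_interval is None:
        problems.append("Session Timeout Interval is required when authentication or Secure Exchange is enabled")
    if cfg.enable_secure_exchange and not cfg.ssl_certificate_name:
        problems.append("SSL Certificate Name is required when Secure Exchange is enabled")
    if cfg.enable_authentication and not cfg.profiles:
        problems.append("at least one Authentication Profile must be selected when authentication is enabled")
    kinds = list(cfg.profiles.values())
    # only Mutual SSL profiles may be combined with an LDAP or RADIUS profile,
    # so at most one non-Mutual profile can be selected (LDAP + RADIUS is never allowed)
    if len([k for k in kinds if k != "MUTUAL"]) > 1:
        problems.append("LDAP and RADIUS profiles cannot be used together; only Mutual SSL profiles combine with them")
    if cfg.authenticate_over_http and "RADIUS" in kinds:
        problems.append("Authenticate over HTTP is not compatible with RADIUS authentication profiles")
    if len(cfg.profiles) > 1 and cfg.multiple_profile_rule not in ("OR", "AND"):
        problems.append("Multiple Profile Rule must be OR or AND when several profiles are checked")
    for name in cfg.profiles:
        # name rule from the Add Authentication Profile dialog box (8.1.4)
        if not (0 < len(name) < 8 and name.isalnum()):
            problems.append(f"profile name {name!r} must be under 8 characters with no special characters")
    return problems
```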

8.1.1 Controls for Accelerator Authentication Parameters

Four buttons allow you to modify authentication parameters:

  • Advanced Options: Launches the Advanced Authentication Options dialog box as shown in Figure 8-2.

  • Add: Launches the Add Authentication Profile dialog box.

  • Delete: Allows you to delete an existing Authentication Profile.

  • Edit: Launches the Modify Authentication Profile dialog box.

8.1.2 Advanced Authentication Options Dialog Box

The Advanced Authentication Options dialog box allows you to specify advanced authentication options, including options that are set under special circumstances.

Figure 8-2 Advanced Authentication Options Dialog Box

The following table describes the fields in this dialog box:

Field Name

Description

Status

Enable X-Forwarded-For

Selecting the X-Forwarded-For option causes the appliance to add information to an existing X-Forwarded-For or Forwarded-For header, or to create the header if one doesn't already exist.

Optional

Alternate Host Name

Selecting this option causes the specified string to be substituted for the host name in the HTTP header before the request is forwarded to the Web server.

Optional

Return Error if Host Name Sent by Browser Does Not Match the Accelerator DNS Host Name

Selecting this option causes iChain Proxy Services to match the host name sent by the browser (the HTTP Host header) against the DNS name specified in this accelerator definition. If the names don't match, the request is not forwarded to the Web server. Instead, iChain Proxy Services returns an error to the requesting browser.

Optional

Use Host Name Sent by Browser

Selecting this option preserves the host name in the HTTP header exactly as it came in the browser request.

Optional

Custom Login Page Location

Specifies the location of the login page for this accelerator. The login page must exist on the iChain Proxy server.

Optional

Send an Error Page When a Mutual-SSL Certificate Error Occurs

Select this option to send a specific error page when a Mutual-SSL certificate error occurs. Otherwise a “page not found” message is always given.

Optional
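The header-related options in this table, as an added example that is not iChain code: one function applies them to a browser request in the order a proxy would. It assumes that when neither Alternate Host Name nor Use Host Name Sent by Browser is set, the Host header is rewritten to the accelerator DNS name, which the page does not state.

```python
# Added example, not iChain code: apply the header-related advanced options to a
# browser request before it is forwarded to the origin Web server.
from dataclasses import dataclass
from typing import Dict


@dataclass
class AdvancedOptions:
    enable_x_forwarded_for: bool = False
    alternate_host_name: str = ""            # empty = option not configured
    error_on_host_mismatch: bool = False     # "Return Error if Host Name ... Does Not Match"
    use_host_name_sent_by_browser: bool = False


class HostMismatch(Exception):
    """The browser's Host header does not name this accelerator; the request is not forwarded."""


def prepare_forwarded_headers(headers: Dict[str, str], client_ip: str,
                              accelerator_dns_name: str, opts: AdvancedOptions) -> Dict[str, str]:
    """Return the headers the Web server receives (names lower-cased for comparison)."""
    out = {k.lower(): v for k, v in headers.items()}
    browser_host = out.get("host", "").split(":")[0]       # drop any :port suffix
    if opts.error_on_host_mismatch and browser_host.lower() != accelerator_dns_name.lower():
        raise HostMismatch(f"Host {browser_host!r} does not match {accelerator_dns_name!r}")
    if opts.alternate_host_name:
        out["host"] = opts.alternate_host_name            # substitute the configured string
    elif not opts.use_host_name_sent_by_browser:
        # assumption: without either option the accelerator's own DNS name is used
        out["host"] = accelerator_dns_name
    if opts.enable_x_forwarded_for:
        # extend whichever forwarding header the request already carries, else create one;
        # the origin should trust only the entry this proxy appended (the rightmost one),
        # because everything before it was supplied by the client
        name = "forwarded-for" if "forwarded-for" in out and "x-forwarded-for" not in out else "x-forwarded-for"
        out[name] = f"{out[name]}, {client_ip}" if name in out else client_ip
    return out
```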

8.1.3 RADIUS Authentication Load Balance and Failover

Load balancing divides a computer's workload between two or more computers so more work can be accomplished in the same amount of time. For authentication, load balancing commonly distributes credential search requests in a fixed sequential order to the different servers.

This feature has a 60-second, non-configurable timeout period after which the authentication search cycle begins again.

When a configuration requires multiple servers, load balancing is often combined with failover. Failover is a backup operational mode where processes are shifted to another server if the primary server becomes unavailable. The failover process offloads tasks to a standby system component. Failover is different from load balancing. Instead of searching servers sequentially, it continues to search on one server until the information cannot be found or the server becomes inactive. Then it moves to the next server.

To select the mode in which RADIUS servers are tried:

  1. In the proxy server administration tool, click Configure, click the Authentication tab, select radius, then click Modify.

  2. Select RADIUS Authentication, click RADIUS Options.

  3. In the RADIUS Connect Mode drop-down menu, select FailOver or RoundRobin.

  4. Click OK.

8.1.4 Add (Modify) Authentication Profile Dialog Box

The Add Authentication Profile dialog box allows you to name and create authentication profiles. The Modify Authentication Profile dialog box is exactly the same except for the dialog box title.

Figure 8-3 Add Authentication Profile Dialog Box

The following table describes the fields in this dialog box:

Field Name

Description

Status

Authentication Profile Name

The name of the authentication profile. This name must be unique and must be less than 8 characters with no special characters.

Required

SSL Certificate Mutual Authentication

Specifies a mutual authentication profile.

Optional

LDAP Authentication

Creates an LDAP profile. Selecting this button enables the corresponding options button.

Optional

RADIUS Authentication

Creates a RADIUS profile. Enables the Radius Options button.

Optional

8.1.5 Mutual Certificate Mapping Dialog Box

The Mutual Certificate Mapping dialog box allows you to configure certificate mapping types. See Figure 8-4.

Figure 8-4 Mutual Certificate Mapping Dialog Box

The following table describes the fields and buttons in this dialog box:

Field Name or Button

Description

Status

Directory Name

Enables certificate mapping, which gives four ways to map the user certificate to a user in the iChain LDAP Authentication tree.

Optional

Use sasAllowableSubjectNames attribute

If a user is not found with Directory Name and Use sasAllowableSubjectNames is also enabled for directory mapping, the LDAP Authentication tree is searched for a user containing an sasAllowableSubjectName attribute matching the Directory Name in the Subject Alternative Name field of the certificate. If sasAllowableSubjectName is enabled, the LDAP Authentication tree should be configured so that there is no duplication of allowed names between users in the sasAllowableSubjectName attribute.

Email Description

With Email mapping, there are two possible fields in the user certificate that can be used to identify the certificate portion of the user. The first is the Subject Alternative Name field in the user certificate, with a name type of RFC822. The second is when an e-mail name is embedded in the Subject field of the certificate. If both the Subject Field and the Subject Alternative Name field contain an e-mail address, the Subject Alternative Name is the only field used.

Attribute Mapping

This attribute is used to match the Email address from the certificate when searching for a user in the LDAP Authentication tree. The default LDAP attribute is mail, which is the attribute currently used by GroupWise® and Novell Certificate Server™. The LDAP Authentication tree should be configured so that there is no duplication of Email addresses between users in the configured email attribute mapping.

Serial Number and Issuer Name

With serial number and issuer name mapping, both the serial number and the issuer name fields from the certificate are used together to identify the certificate portion of the user.

 

Attribute Mapping

Both the issuer name and the serial number need to be put into the same LDAP attribute of the user. The LDAP attribute that is used is specified in this field. The LDAP attribute can be any Case Ignore List or Case Ignore String attribute of the user. If you are configuring your own attribute, make sure the attribute is added to the Person class.

 

Subject Name

A user in the LDAP Authentication tree matching the Subject Name field of the certificate is checked first.

 

Use sasAllowableSubjectNames Attribute

If a user is not found with Subject name and Use sasAllowableSubjectNames is also enabled for directory name mapping, the LDAP Authentication tree will be searched for a user containing an sasAllowableSubjectName attribute matching the Directory Name in the Subject Alternative Name field of the certificate. If sasAllowableSubjectName is enabled, the LDAP Authentication tree should be configured so that there is no duplication of allowed names between users in the sasAllowableSubjectName attribute.

 

Add

The iChain Proxy Server can be configured to use any combination of the four mapping types. This button adds a type to the Mapping types currently in use list.

 

Remove

Removes a type from the Mapping types currently in use list.

 

Order Up

Moves a mapping type up within the Mapping types currently in use list.

NOTE: When searching for a user with the configured mappings, the first user found is the user that is used for authentication and access control, even if other users map to the same certificate. See Using Certificate Mapping for more information.

 

Order Down

Moves a mapping type down within the Mapping types currently in use list.


 
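How the four mapping types resolve a certificate to one user when applied in the configured order, as an added example that is not iChain code: the first user found wins, and a second match is reported because the page requires the tree to contain no duplicate names or addresses. The certificate fields, the directory tree and the serial;issuer layout of the shared attribute are constructed; the page does not specify how the two values are combined.

```python
# Added example, not iChain code: map a client certificate to one directory user using
# the four mapping types in the configured order; first user found wins, duplicates warn.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class Cert:                        # only the fields the mapping types look at
    subject_dn: str
    issuer_dn: str
    serial: str
    san_directory_name: str = ""   # Subject Alternative Name, directoryName form
    san_rfc822: str = ""           # Subject Alternative Name, rfc822Name form
    subject_email: str = ""        # e-mail address embedded in the Subject field

# constructed LDAP Authentication tree: user DN -> attributes (not a real directory)
TREE = {
    "cn=alice,ou=users,o=acme": {"mail": "alice@example.com",
                                 "certSerialIssuer": "1A2B3C;cn=Corp CA,o=acme"},
    "cn=bob,ou=users,o=acme": {"mail": "bob@example.com",
                               "sasAllowableSubjectNames": ["cn=bob-laptop,ou=devices,o=acme"]},
    "cn=scanner,ou=svc,o=acme": {"mail": "alice@example.com"},   # duplicate mail: misconfigured
}

def _match(tree: Dict, pred: Callable) -> List[str]:
    return [dn for dn, attrs in tree.items() if pred(dn, attrs)]

def _by_name(tree: Dict, name: str, use_sas: bool) -> List[str]:
    """Exact DN match first, then the sasAllowableSubjectNames fallback if enabled."""
    hits = _match(tree, lambda dn, a: name and dn.lower() == name.lower())
    if not hits and use_sas and name:
        hits = _match(tree, lambda dn, a: name.lower() in
                      [n.lower() for n in a.get("sasAllowableSubjectNames", [])])
    return hits

def map_certificate(cert: Cert, tree: Dict, order: List[str], use_sas_names: bool = False,
                    mail_attr: str = "mail", serial_attr: str = "certSerialIssuer") -> Tuple[Optional[str], List[str]]:
    """Return (user DN or None, warnings). order lists mapping types, first tried first."""
    warnings = []
    for mtype in order:
        if mtype == "directory_name":
            hits = _by_name(tree, cert.san_directory_name, use_sas_names)
        elif mtype == "subject_name":
            hits = _by_name(tree, cert.subject_dn, use_sas_names)
        elif mtype == "email":
            email = cert.san_rfc822 or cert.subject_email    # SAN is the only field used if both exist
            hits = _match(tree, lambda dn, a: email and a.get(mail_attr, "").lower() == email.lower())
        elif mtype == "serial_issuer":
            key = f"{cert.serial};{cert.issuer_dn}"          # assumed layout of the shared attribute
            hits = _match(tree, lambda dn, a: a.get(serial_attr) == key)
        else:
            raise ValueError(f"unknown mapping type {mtype!r}")
        if len(hits) > 1:
            warnings.append(f"{mtype}: {len(hits)} users match this certificate; {hits[0]} is used")
        if hits:
            return hits[0], warnings
    return None, warnings
```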

8.1.6 Controls for Authentication Profiles

  • LDAP Options: Launches the LDAP Authentication Profile Options dialog box, which allows you to specify LDAP authentication parameters. It is functionally identical to the corresponding dialog box in the iChain Proxy Server administration application.

  • Radius Options: Launches the RADIUS options dialog box.

Figure 8-5 LDAP Authentication Profile Options Dialog Box

The following table describes the fields in this dialog box:

Field Name

Description

Status

LDAP Servers

This table lists the IP address, port, and connection type for all the LDAP servers used for this profile. Currently, the port and connection type must be the same for all servers.

Required

Use Distinguished Name

Selecting this option requires users to log in using their DS names.

Optional

Use User's Email Address

Selecting this option requires users to log in using their e-mail addresses.

Optional

Use LDAP Field Name

Selecting this option requires users to log in using the value of a specified LDAP field.

Optional

LDAP Search Base (LDAP User Contexts)

This field displays as LDAP Search Base when either Use User's Email Address or Use LDAP Field Name is selected. It allows entry, deletion, and modification of LDAP search bases or user contexts.

Required

Use Anonymous Bind for LDAP Search

Bind anonymously to search the LDAP directory.

Optional

Use Username/Password Bind for LDAP Search

Bind as a proxy user to search the LDAP directory.

Optional

Username

Proxy username in LDAP format.

Required when Use Username/Password Bind for LDAP Search is selected

Password

Proxy user password.

Required when Use Username/Password Bind for LDAP Search is selected

Password Confirmation

Proxy user password confirmation.

Required when Use Username/Password Bind for LDAP Search is selected

LDAP Field Name

The LDAP field name to search on (only visible when Use LDAP Field Name is selected).

Required when Use LDAP Field Name is selected.
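The three login-name options, the search bases/user contexts and the bind choice from the table above, as an added example that is not iChain code: the function turns a profile plus a typed login name into the directory lookup the accelerator would perform, escaping the typed value so it cannot change the shape of the filter or DN. The cn naming attribute for Use Distinguished Name and the mail attribute for Use User's Email Address are assumptions.

```python
# Added example, not iChain code: turn the LDAP profile's login-name option, search
# bases/user contexts and bind choice into the lookup the accelerator would perform,
# escaping the typed login name so it cannot alter the filter or the DN.
from dataclasses import dataclass
from typing import List, Optional, Tuple

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for a value used as an RDN inside a distinguished name."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out

@dataclass
class LdapProfile:
    login_mode: str                  # "dn" | "email" | "field" (the three Use ... options)
    contexts: List[str]              # LDAP Search Base / User Contexts, in list order
    ldap_field_name: str = ""        # required when login_mode == "field"
    anonymous_bind: bool = True      # Use Anonymous Bind vs Use Username/Password Bind
    proxy_user: str = ""             # Username in LDAP format for the search bind
    mail_attr: str = "mail"          # assumption: attribute holding the e-mail address

@dataclass
class SearchPlan:
    bind_as: Optional[str]           # None means anonymous bind
    searches: List[Tuple[str, str]]  # (search base, filter), tried in list order

def plan_user_lookup(profile: LdapProfile, login_name: str) -> SearchPlan:
    bind_as = None if profile.anonymous_bind else profile.proxy_user
    if profile.login_mode == "dn":
        # assumption: the typed name is the cn, tried under each user context (base-scope read)
        rdn = "cn=" + escape_dn_value(login_name)
        searches = [(f"{rdn},{ctx}", "(objectClass=*)") for ctx in profile.contexts]
    elif profile.login_mode == "email":
        flt = f"({profile.mail_attr}={escape_filter_value(login_name)})"
        searches = [(ctx, flt) for ctx in profile.contexts]
    elif profile.login_mode == "field":
        if not profile.ldap_field_name:
            raise ValueError("LDAP Field Name is required when Use LDAP Field Name is selected")
        flt = f"({profile.ldap_field_name}={escape_filter_value(login_name)})"
        searches = [(ctx, flt) for ctx in profile.contexts]
    else:
        raise ValueError(f"unknown login mode {profile.login_mode!r}")
    return SearchPlan(bind_as, searches)
```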

8.1.7 Controls for Authentication Profile Options

Use the following buttons to control the authentication profile:

  • Add LDAP Server: Allows you to launch the New LDAP Authentication Server dialog box.

  • Delete LDAP Server: Allows you to delete an authentication server from the list.

  • Edit LDAP Server: Allows you to launch the Modify LDAP Authentication server dialog box.

  • Add LDAP Context: Allows you to launch the dialog box to add an LDAP Search Base/User Context (if DN is selected).

  • Delete LDAP Context: Allows you to delete an LDAP Search Base/User Context from the list.

  • Edit LDAP Context: Allows you to launch the dialog box to modify an LDAP Search Base/User Context (if DN is selected).

8.1.8 New LDAP Authentication Server Dialog Box

The New LDAP Authentication Server dialog box allows you to specify the parameters for new LDAP authentication servers. The Modify LDAP Authentication Server dialog box is exactly the same except for the dialog box title.

Figure 8-6 New LDAP Authentication Server Dialog Box

The following table describes the fields in this dialog box:

Field Name

Description

Status

IP Address

The IP address of this LDAP server.

Required

Port

The LDAP port to communicate over. Currently, this is only modifiable for the first LDAP server in the list.

Required

Use a Secure Connection (LDAP over SSL)

If selected, authentication information is sent over LDAPS (encrypted). This is only modifiable for the first LDAP server.

Optional

Trusted Root File

Specifies the trusted root file to be used for secure communications. This is only modifiable for the first LDAP server.

Required when Use a Secure Connection is selected.

8.1.9 Add LDAP Context Dialog Box

The Add LDAP Context dialog box is where you enter LDAP search bases or user contexts. The Modify LDAP Context dialog box is exactly the same except for the dialog box title.

Figure 8-7 Add LDAP Context

The following table describes the field in this dialog box:

Field Name

Description

Status

Container name in LDAP format

The name of the container in LDAP (comma-delimited) format.

Required

8.1.10 Controls for Add LDAP Context

Use the Object Browser button to launch an object browser to select the desired container.

8.1.11 Radius Options Dialog Box

The Radius Options dialog box allows you to specify the parameters for RADIUS profiles. This dialog box is functionally identical to the corresponding iChain Proxy Server administration application dialog box.

Figure 8-8 RADIUS Profile Options Dialog Box

The following table describes the fields in this dialog box:

Field Name

Description

Status

RADIUS Server Address

The IP address of the RADIUS server.

Required

RADIUS Server Listening Port

The port number on which the RADIUS server listens for incoming authentication.

Required

RADIUS Server Shared Secret

The string the RADIUS server uses to verify that the appliance can request authentication of users.

Required

RADIUS Server Reply Time in Seconds

The total time the appliance waits for a response from the RADIUS server before authentication fails. The default is 7 seconds.

Required

RADIUS Server Resend Time in Seconds

The interval in seconds between appliance requests to the RADIUS server. The default is two seconds. This means that the appliance could send three requests before the 7-second default limit expires and the authentication request fails.

Required

User Search Base(s) for All RADIUS Profiles

Lists the contexts that the proxy server searches for the user being authenticated when non-Novell RADIUS authentication is used. This list applies to all RADIUS profiles, not just the one currently being created or modified.

Optional

8.1.12 Controls for RADIUS Options

The following buttons allow you to add or delete search bases:

  • Add Search Base: Allows you to launch an object browser to select the desired container.

  • Delete Search Base: Allows you to delete a search base from the list.