6.4 iManager Server

If you do not see this task, you are not an authorized user. See Authorized Users and Groups. This topic includes the following information:

6.4.1 Configure iManager

There are three settings in the config.xml file that control the security and the certificates used when iManager creates an LDAP SSL connection:

Security.Keystore.AutoUpdate: If the value of AutoUpdate is True, when a user successfully logs in to iManager, the certificate from that eDirectory server might automatically be imported into the iManager-specific keystore. Select the setting Auto Import Tree Certificate for Secure LDAP (Configure iManager > Security).

Security.Keystore.UpdateAllowAll: When UpdateAllowAll is True, then any successful user login imports/updates a certificate into the iManager certificate keystore. If the setting is false, only an authorized user login imports/updates certificates.

Security.Keystore.Priority: The priority setting contains two words that define the search order for certificates during a connection: system and imanager. With system first, iManager uses the default JVM* keystore to locate certificates when creating the SSL context; if that fails, it then goes to the iManager keystore.

You can change the search order of system and iManager by removing either word from the entry.

To further tighten security, do not allow AutoUpdate and use only the system keystore. If you do this, you must manually import the certificates that you want to reside in the default system keystore by using the tools that come with Java. If you disable UpdateAllowAll, then certificate imports occur only from a successful iManager authorized user login.

6.4.2 Security

These settings affect your entire Web server configuration and are saved in the config.xml file. You can either save as you go or click Save once after you have made all your changes.

Warn When Using a Nonsecure Connection

Select this option if you want users without a secure connection between the Web browser and the Web server to receive the following warning: You are using a non-secure connection.

Enable Novell Audit

Make sure you have met the Audit Prerequisites. Select the Enable Novell Audit option and select specific iManager logging events, then click Save.

Auto Import Tree Certificate for Secure LDAP

Secure LDAP connections require a certificate. If you select this feature, the system automatically imports a public tree certificate for secure LDAP.

Authorized Users and Groups

Authorized users and groups are those that iManager permits to perform its various administrative tasks. Authorized user data is saved in TOMCAT_HOME\webapps\nps\WEB-INF\configiman.properties. The iManager installation process creates this file only if authorized user and group information is provided, but providing it is not required. Failing to do so results in iManager allowing any user to install iManager plug-ins and modify iManager server settings (not recommended long-term).

When a group or an organizational role is added to this list, all members of the group or the organizational role become authorized users. Adding a nested group supports only the first level of members. Adding a dynamic group is not supported because it can have any type of object as its members.

After installing iManager, you can add an authorized user, group, or organizational role by specifying its name, or by using the Object Selector icon next to the Authorized Users and Groups list. Doing this modifies the configiman.properties file.

To designate all users of the tree as authorized users, type AllUsers.

NOTE: You can add and save only valid users to the Authorized Users and Groups list. If you add invalid users and click Save, an error message stating that the object is not found is displayed. If you add only invalid users to the list and click Save, the error message is displayed and the list of invalid users is automatically replaced by AllUsers. If you do not want all the users of the tree to be authorized users, remove AllUsers from the list, add the desired valid users to the list, and click Save.

IMPORTANT: If you have installed iManager for the first time, the Authorized Users and Groups list is empty. As an Admin user, you must immediately add users and groups to the list to make them authorized and to retain the rights to modify the list. Otherwise, a non-admin user might add users and groups to the list and thereby acquire the rights to modify it, and you (Admin) might lose the rights to modify the list.

For security-related information about the configiman.properties file, see iManager Authorized Users and Groups.

6.4.3 Look and Feel

The Look and Feel tab lets you customize the appearance of the iManager interface. This information is stored in TOMCAT_HOME\webapps\nps\WEB-INF\config.xml.

Title Bar Name

Specify your organization name in this text box. It then appears in the title bar of the Web browser in place of the default text (NetIQ iManager).

Images

The Title bar contains three images: the header background image, the header filler image, and the header branding image. Your own images must conform to the dimensions given in the interface.

Store these files in nps/portal/modules/fw/images. Specify the path of each image in its respective text field.

Navigation Menu Colors

You can customize the color of the menu header and the background of the navigation menu on the left.

You can type either color names or hexadecimal numbers; entries are not case sensitive. Click Reset to return to the default colors and images, or click Save to save the settings to the config.xml file.

6.4.4 Logging Events

The Logging Events tab lets you configure iManager’s logging environment. There are two logging settings:

Logging Level: Select the types of messages you want to log, from four options: No Logging, Errors only, Errors and Warnings, and Errors, Warnings and Debug Information.

Logging Output: Select the destination for logged messages, from three options: Send Log Output to Standard Error Device, Send Log Output to Standard Output Device, and Send Log Output to Debug.html File.

The log file path and log file size both appear on this page. Select View to display the current log file in HTML format. Select Clear to clear the current log file and reset the log file size to 0 (zero) bytes.

6.4.5 Redirection After Logout

The Redirection After Logout option allows you to specify the URL to be redirected to, after you log out of iManager. If you have not selected this option, when you click Exit, you are logged out of iManager. By default, the Login page is displayed.

Enable: Select this option to enable Redirection After Logout feature.

URL: Specify the URL to be redirected to, after you log out of iManager.

6.4.6 Authentication

The Authentication tab configures iManager’s login page. It contains the following options:

Remember login credentials: When selected, users must only enter a password to log in.

Use Secure LDAP for auto-connection: When selected, iManager performs LDAP communications using SSL. Some plug-ins, such as Dynamic Groups and NMAS, do not work if this option is not selected. This setting does not take effect until you log out of iManager.

Hide specific reason for login failure: When selected, iManager replaces authentication-related eDirectory messages with a generic error message that reads: Login Failure. Invalid Username or Password. For more information, see Preventing User Name Discovery.

Allow ‘Tree’ selection on Login page: When selected, iManager’s login page displays the Tree field. If you do not select this option, you must have a default tree name specified or you cannot log in.

Contextless Login: Contextless login allows users to log in with only user name and password, without knowing their entire User object context. For example, .admin.support.sales.netiq.

If there are multiple users with the same user name in the tree, contextless login logs in with the first user account it finds that accepts the supplied password, searching in the container order that the user has specified. The user can rearrange and set the container order list.

If there are multiple users with the same user name in the tree, to log in as a specific user, provide the full context when logging in, or limit the search containers that contextless login searches.

Select Search from Root to perform the user search from the root of the directory tree. Select Search Containers to specify one or more containers where User objects can be found.

By default, iManager connects with public access, requiring no specific credentials. You can specify a user with specific credentials to do the search for the contextless lookup. The iManager public user is used if you don’t specify a user.

IMPORTANT: If you specify a public user, consider carefully the implications of password expiration settings. If the password is set to expire for the public user, you do not have the opportunity to change the password during login after it expires.

iManager Server Timeout Settings: If you want the iManager server to time out after a certain period, specify the number of days, hours, and minutes in the respective fields, in the Authentication page.

If you never want the server to time out, select the Never Timeout option.

Redirection After Logout: In the Authentication page, you have to enable this option if you want to be redirected to a desired page after logging out of iManager. You have to specify the desired URL in the URL: field. If you do not specify any URL, when you click Exit, you are logged out of iManager. By default, the Login page is displayed.

6.4.7 RBS

Role-Based Services (RBS) assigns the rights within eDirectory to perform tasks. When you assign a role to a user, by default RBS assigns the rights necessary to perform the tasks included with that role.

The RBS tab lets you configure the following settings:

Enable Dynamic Groups: When selected, RBS allows dynamic groups to be members of a role. For more information about dynamic groups, see the NetIQ eDirectory 8.8 SP8 Administration Guide.

Show Roles in Owned Collections: When selected, collection owners see all roles and tasks whether they are members of them or not. Deselect this option to force collection owners to see only their assigned roles.

Role Discovery Domain: Indicates where in the tree iManager is to search for roles that are assigned to a member.

  • Parent, iManager searches for Dynamic Groups up to the parent container.

  • Partition, iManager searches for Dynamic Groups up to the first eDirectory partition.

  • Root, iManager searches for Dynamic Groups in the entire tree.

Dynamic Group Discovery Domain: Indicates where in the tree iManager is to search for Dynamic Group membership. Role membership is then checked in the Dynamic Groups found.

  • Parent, iManager searches for roles in the user's parent container.

  • Partition, iManager searches for roles up to the first eDirectory partition.

  • Root, iManager searches for roles in the entire tree.

Dynamic Group Search Type: Selects which type of Dynamic Groups should be searched for role membership.

  • Dynamic Groups only, searches for objects that are of the Dynamic Group class type.

  • Dynamic Group Objects and Aux classes, searches for objects that are either of the dynamicGroup class type or have been extended with the dynamicGroupAux class. This includes group objects that were later converted to Dynamic Groups.

RBS Tree List: Auto-populated with the eDirectory tree's name when a collection owner or a role member authenticates. If RBS is removed from an eDirectory tree, remove that tree's entry in this list in order to return to Unassigned Access mode.

6.4.8 Plug-In Download

The Plug-in Download tab lets you configure the following settings:

Query Novell download site for new NetIQ Plug-in Modules (NPM): Indicates that the iManager Server should query the NetIQ Download site for new plug-in modules (NPMs).

Two radio buttons let you configure the query for every available NPM, or query only for updates to already-installed NPMs.

Downloading Plug-In Modules from a Custom Site: You can download the plug-in modules from a custom site by specifying the URL of the custom site in the Download URL field, in the Plug-in Download page.

Downloading Plug-In Modules Through Proxy: If the iManager server is running behind a firewall, it can access the Internet through a proxy server. Only HTTP (Web) proxies are supported. To download the plug-ins, do the following in the Plug-in Download page:

  1. Select Enable Proxy.

  2. Fill in the following fields:

    • Proxy Host: Specify the proxy host IP address in this field.

    • Proxy Port: Specify the proxy port number in this field.

    • Username: Specify the user name in this field.

    • Password: Specify the password in this field.

    • Retype Password: Enter the same password again to confirm it.

IMPORTANT: iManager 2.7.7 plug-ins are not compatible with previous versions of iManager. Additionally, any custom plug-ins you want to use with iManager 2.7.7 must be re-compiled in the iManager 2.7.7 environment.

6.4.9 Misc

The Misc tab lets you configure the following settings:

Enable [this]: You can safely ignore this option. Enable [this] was added to iManager to allow some internal teams to modify their own objects. [this] is an attribute in the tree that enables specific self-management functionality. If [this] is enabled, all eDirectory servers in the tree must be version 8.6.2 or later.

eGuide URL: Specifies the URL to eGuide. This is used in the eGuide launch button in the header and in the eGuide role and task management tasks. This must be a full URL, for example, https://my.dns.name/eGuide/servlet/eGuide, or the keyword EMFRAME_SERVER. Using EMFRAME_SERVER causes eMFrame to look for eGuide on the same server on which eMFrame is located.

For more information on eGuide, see the Novell eGuide documentation Web site.

6.4.10 Encryption

You can use the Encryption tab to choose the cipher level based on your security requirement. The four cipher levels are:

  1. NONE - Allows any type of cipher.

  2. LOW - Allows a 56-bit or a 64-bit cipher.

  3. MEDIUM - Allows a 128-bit cipher.

  4. HIGH - Allows ciphers that are greater than 128-bit.

By default, the cipher level is set to NONE. The selected cipher level is activated after the Tomcat server is restarted.

IMPORTANT: By default, Firefox does not allow the LOW cipher level.

To enable the LOW cipher algorithms in your Firefox browser:

  1. Open Firefox, type about:config in the location bar, then press Enter.

  2. (Conditional) If a warning appears, click the I'll be careful, I promise! button to continue to the about:config page.

  3. In the about:config page, under the Preference Name list, double-click the security.ssl3.rsa_rc4_40_md5 preference to change the value to True.

    This enables the LOW cipher algorithms in your Firefox browser.

By design, the Encryption tab is not available on OES. You need to manually change the cipher levels in the vhost-ssl.conf file.

  1. Open the /etc/apache2/vhosts.d/vhost-ssl.conf file, then modify the SSLCipherSuite parameter based on the cipher level you want to support.

For example, to configure only HIGH cipher level, modify the SSLCipherSuite parameter as follows:

<VirtualHost _default_:443>
    ...
    SSLCipherSuite ALL:ADH:EXPORT56:RC4+RSA:+HIGH:!MEDIUM:!LOW:+SSLv2:+EXP:+eNULL
    ...
</VirtualHost>

You can use the following prefixes to modify the cipher levels:

  • + : adds ciphers to the list of ciphers and pulls them to the current location in the list.

  • - : removes a cipher from the list (can be added later again).

  • ! : kills a cipher from the list completely (cannot be added later again).
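The prefix rules above are easy to misread, so here is an added example (not part of the NetIQ documentation) that evaluates an SSLCipherSuite string over a constructed, simplified cipher table and reports which weak-class ciphers are still enabled. It follows OpenSSL's actual behaviour, where the + prefix only moves ciphers that are already enabled and never adds new ones; the cipher names and their strength tags are illustrative, not OpenSSL's exact list.

```python
# Constructed, simplified cipher table: name -> the OpenSSL aliases it matches.
CIPHERS: dict[str, set[str]] = {
    "AES256-SHA":          {"RSA", "HIGH"},
    "DES-CBC3-SHA":        {"RSA", "HIGH"},
    "RC4-SHA":             {"RSA", "RC4", "MEDIUM"},
    "DES-CBC-SHA":         {"RSA", "LOW"},
    "EXP1024-DES-CBC-SHA": {"RSA", "EXP", "EXPORT56"},
    "EXP-RC4-MD5":         {"RSA", "RC4", "EXP"},
    "ADH-AES256-SHA":      {"ADH", "HIGH"},
    "NULL-SHA":            {"RSA", "eNULL"},
    "DES-CBC3-MD5":        {"RSA", "HIGH", "SSLv2"},
}
WEAK_TAGS = {"eNULL", "ADH", "EXP", "LOW"}  # classes a hardened list must not keep


def matches(name: str, token: str, table: dict[str, set[str]]) -> bool:
    """RC4+RSA style tokens match ciphers carrying every alias; ALL excludes eNULL."""
    tags = table[name]
    for alias in token.split("+"):
        if alias == "ALL":
            if "eNULL" in tags:
                return False
        elif alias not in tags:
            return False
    return True


def apply_cipher_string(spec: str, table: dict[str, set[str]] = CIPHERS) -> list[str]:
    """Evaluate left to right: no prefix appends, '+' moves already-enabled
    ciphers to the end, '-' removes (re-addable), '!' removes permanently."""
    enabled: list[str] = []
    killed: set[str] = set()
    for token in filter(None, spec.split(":")):
        op, alias = (token[0], token[1:]) if token[0] in "+-!" else ("", token)
        hits = [c for c in table if c not in killed and matches(c, alias, table)]
        if op == "!":
            killed.update(hits)
            enabled = [c for c in enabled if c not in killed]
        elif op == "-":
            enabled = [c for c in enabled if c not in hits]
        elif op == "+":
            enabled = [c for c in enabled if c not in hits] + [c for c in enabled if c in hits]
        else:
            enabled += [c for c in hits if c not in enabled]
    return enabled


def weak_ciphers(enabled: list[str], table: dict[str, set[str]] = CIPHERS) -> list[str]:
    return [c for c in enabled if table[c] & WEAK_TAGS]  # still-enabled weak classes


# The page's example string beside a tighter HIGH-only form for comparison.
PAGE_SPEC = "ALL:ADH:EXPORT56:RC4+RSA:+HIGH:!MEDIUM:!LOW:+SSLv2:+EXP:+eNULL"
HIGH_ONLY = "HIGH:!ADH:!EXP"
```

Running weak_ciphers(apply_cipher_string(PAGE_SPEC)) shows that the page's string still leaves anonymous-DH and export ciphers enabled, while HIGH_ONLY leaves none; run `openssl ciphers -v '<string>'` against your real OpenSSL build before deploying any list.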

For more information, see the Apache Module mod_ssl documentation.