2.5 Protecting the Application Server with the Access Gateway

To protect your application server, the Access Gateway must be configured to protect multiple resources. The first reverse proxy and proxy service combination of the Access Gateway is assigned to perform authentication. The agent must be set up as a secondary proxy service, because the proxy service for an agent cannot be used for authentication.

If the Access Gateway has multiple IP addresses, you can configure Access Manager so that users access different types of Web resources from each IP address. If the Access Gateway has only one IP address, you can still configure it so that users access different types of resources; in this case, you configure the resources to use multi-homing. The following configuration steps assume that you have only one IP address and that you must use multi-homing, either domain-based or path-based, to access multiple resources.

With path-based multi-homing, you use one DNS name for the Access Gateway, and have the user specify a path-based URL to access the correct resource. For example:

For more information, see Section 2.5.1, Setting Up a Path-Based Proxy Service for an Application Server.

With domain-based multi-homing, your Access Gateway uses domain names to access multiple resources. For example:

For more information, see Section 2.5.2, Setting Up a Domain-Based Proxy Service for an Application Server.

2.5.1 Setting Up a Path-Based Proxy Service for an Application Server

Figure 2-3 illustrates the basic configuration for a path-based proxy service. The www.mytest.com name is the published DNS name of the parent proxy service that protects the Web servers. Requests for www.mytest.com/j2ee therefore also arrive at the Access Gateway, which uses the /j2ee path to proxy the request to the application server.

Figure 2-3 Protecting the Application Server with Path-Based Multi-Homing

Your DNS server needs to be configured to resolve www.mytest.com to the Access Gateway, so that requests for both www.mytest.com and www.mytest.com/j2ee reach it.

  1. In the Administration Console, click Devices > Access Gateways > Edit > [Reverse Proxy Name].

    The following steps assume that you have already enabled SSL between the Access Gateway and the browsers. If you haven’t, see Configuring SSL Communication with the Browsers and the Identity Server in the NetIQ Access Manager 3.2 SP2 Access Gateway Guide.

  2. In the Proxy Service List section, click New.

  3. Fill in the following fields:

    Proxy Service Name: Specify a display name for this configuration.

    Multi-Homing Type: Select Path-Based.

    Path: Specify the path for the J2EE server. For this example, this is /j2ee.

    Web Server IP Address: Specify the IP address of the application server. For the configuration in Figure 2-3, enter 10.10.10.40.

    Host Header: Select Web Server Host Name.

    Web Server Host Name: Specify the DNS name of the application server.

  4. Click OK.

  5. To create a protected resource for the application server, select the name of the parent proxy in the Proxy Service List.

  6. Click Protected Resources, then click New.

  7. Specify a name for the resource, then click OK.

    Specify a name that allows you to associate this protected resource with your path-based service.

  8. Configure the resource for the type of protection you want.

    Public Access to the First Page: If you want users to be able to access the first page of the application without authentication, select None for the type of contract and accept the default path of /* in the URL Path List. Click OK and continue with Step 9. If you have already created this type of protected resource, you don’t need to create another one.

    J2EE Agent configuration allows you to set up authentication and access restrictions to the pages in the application.

    Authentication Required for the First Page: If you want users to authenticate before they have access to the first page of the application, you need to create two protected resources: one to prompt for authentication and one to allow public access to the nesp application. A path-based service can only have multiple protected resources if the multi-homing path exists on the Web server and the path is not removed when the request is sent to the Web server (see Step 10). To create the multiple resources:

    1. For this first protected resource, select None for the contract.

    2. In the URL Path List, specify the path to the nesp application. For this example:

      /j2ee/nesp
      
    3. Click OK twice.

    4. To add a second protected resource, click New, specify a name, then click OK.

    5. For the contract, select the contract you want to use for authentication.

    6. In the URL Path List, specify the path to the application. For the sample payroll application, this is the following path:

      /j2ee/payroll
      
    7. Click OK three times.

  9. In the Proxy Service List, select the path-based proxy service.

  10. Configure the Remove Path on Fill option.

    • If the path you specified for the proxy service exists on the Web server and specifies the location of the Web resource, do not select this option.

    • If the path you specified for the proxy service does not exist on the Web server, select this option. The Reinsert Path in “set cookie” Header option is also selected.

  11. In the Path List on the Path-Based Multi-Homing page, configure the paths.

    • Remove Path on Fill Service: If the path is removed before sending the request to the J2EE server, the path specified here must allow public access (no authentication required) to the nesp application. A path is automatically created for you (in this example, /j2ee) and a protected resource is assigned. Click the Protected Resource link, verify that the contract for this resource is None and the path is /*, then click OK.

      If the wrong type of protected resource is assigned, return to Step 8 and create a protected resource that allows public access.

    • Keep Path on Fill Service: If you are keeping the path, select the default path and delete it. Click New, specify the path to the nesp application (for example, /j2ee/nesp), then click OK. The protected resource that you created for this path should be automatically assigned to the path.

      Create the path to the application. Click New, specify the path to the application (for example, /j2ee/payroll), then click OK. The protected resource that you created for this path should be automatically assigned to the path.

      If the wrong protected resource is assigned, return to Step 8 and create protected resources with the correct paths.

  12. Click the Web Servers tab.

  13. To configure SSL, select Connect Using SSL.

    This option is not available if you have not set up SSL between the browsers and the Access Gateway. See Configuring SSL Communication with the Browsers and the Identity Server in the NetIQ Access Manager 3.2 SP2 Access Gateway Guide and select the Enable SSL between Browser and Access Gateway field.

  14. Configure how you want the certificate verified.

    • To not verify this certificate, select Do not verify.

    • To allow the certificate to match any certificate in the trust store, select Any in Reverse Proxy Trust Store. Continue with Step 18.

    • To add a certificate to the trust store for the application server, click the Manage Reverse Proxy Trust Store icon. Continue with Step 15.

    The auto import screen appears.

  15. Select the IP address of the application server and change the port if the application server is using a different port for SSL.

  16. Click OK.

    The server certificate, the root CA certificate, and any CA certificates from a chain are displayed and selected.

  17. Specify an alias, then click OK.

  18. In the Connect Port option, specify the port that your application server uses for SSL connections. For JBoss, the default value is 8443. For WebSphere, the default value is 9443. For WebLogic, the default value is 7002.

  19. Click OK.

  20. Click the Access Gateways link.

  21. On the Access Gateways page, click Update.

  22. Continue with Configuring a Protected Agent for Access.
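The following is an added, illustrative model (not Access Manager code) of how the pieces configured in this procedure interact: the /j2ee multi-homing path, the protected resources and their contracts from Step 8, and the Remove Path on Fill option from Step 10. The matching rules (the most specific URL path wins, /* is a wildcard) and the resource names are assumptions made for the example.

```python
"""Illustrative model of how the path-based configuration from Section 2.5.1
routes a request.  Added example, not Access Manager code; the matching rules
(longest URL path wins, '/*' is a wildcard) are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

@dataclass
class ProtectedResource:
    name: str
    contract: Optional[str]       # None == contract "None", i.e. public access
    url_paths: List[str]          # entries of the URL Path List

@dataclass
class PathBasedService:
    path: str                     # multi-homing path, e.g. /j2ee
    remove_path_on_fill: bool     # the Step 10 option
    resources: List[ProtectedResource] = field(default_factory=list)

def path_matches(pattern: str, path: str) -> bool:
    """'/*' matches everything; a plain path matches itself and its sub-paths."""
    if pattern.endswith("/*"):
        pattern = pattern[:-2]
        if pattern == "":
            return True
    return path == pattern or path.startswith(pattern + "/")

def route(service: PathBasedService, url: str) -> Optional[Tuple[str, Optional[str], str]]:
    """Return (resource name, contract, path sent to the J2EE server), or None
    when the request is not for this service (the parent proxy handles it)."""
    req_path = urlsplit(url).path
    if not path_matches(service.path, req_path):
        return None
    matches = [(p, r) for r in service.resources for p in r.url_paths
               if path_matches(p, req_path)]
    if not matches:
        return None
    _, res = max(matches, key=lambda m: len(m[0]))   # most specific path wins
    if service.remove_path_on_fill:                   # strip /j2ee before filling
        req_path = req_path[len(service.path):] or "/"
    return res.name, res.contract, req_path

# Constructed configurations mirroring the two cases of Step 8 and Step 11.
KEEP_PATH = PathBasedService("/j2ee", False, [
    ProtectedResource("j2ee-nesp-public", None, ["/j2ee/nesp"]),
    ProtectedResource("j2ee-payroll", "Secure Name/Password - Form", ["/j2ee/payroll"]),
])
REMOVE_PATH = PathBasedService("/j2ee", True, [
    ProtectedResource("j2ee-public", None, ["/*"]),
])
```

With KEEP_PATH, /j2ee/nesp stays public while /j2ee/payroll requires the contract; with REMOVE_PATH, only the single public /* resource can apply, which is why the text says a service that removes the path cannot carry multiple protected resources.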

2.5.2 Setting Up a Domain-Based Proxy Service for an Application Server

Figure 2-4 illustrates the basic configuration for a domain-based proxy service. The mycompany.com name is the published DNS name of the parent proxy service that protects the Web server. The j2ee.mycompany.com name is the published DNS name of the proxy service that protects the J2EE server.

Figure 2-4 J2EE Server as a Domain-Based Protected Resource

You must set up your DNS configuration so that it resolves mycompany.com and j2ee.mycompany.com to the IP address of your Access Gateway. The Access Gateway forwards requests for mycompany.com to the Web server (mywebserver.com) and requests for j2ee.mycompany.com to the application server.

  1. In the Administration Console, click Devices > Access Gateways > Edit > [Reverse Proxy Name].

    The following steps assume that you have already enabled SSL between the Access Gateway and the browsers. If you haven’t, refer to the NetIQ Access Manager 3.2 SP2 Access Gateway Guide.

  2. In the Proxy Service List section, click New.

  3. Fill in the following fields.

    Proxy Service Name: Specify a display name for this configuration.

    Multi-Homing Type: Because this configuration example uses a domain name to access the J2EE server, select Domain-Based.

    Published DNS Name: Specify the domain name for the application server.

    Web Server IP Address: Specify the IP address of the application server. For the configuration in Figure 2-4, enter 10.10.70.25.

    Host Header: Select either Forward Received Host Name or Web Server Host Name.

  4. Click OK.

  5. Click the name of the proxy service you just created.

  6. Click Web Servers.

  7. To configure SSL, select Connect Using SSL.

    This option is not available if you have not set up SSL between the browsers and the Access Gateway. See Configuring the Access Gateway for SSL and Other Security Features in the NetIQ Access Manager 3.2 SP2 Access Gateway Guide and select the Enable SSL between Browser and Access Gateway field.

  8. Configure how you want the certificate verified.

    • To not verify this certificate, select Do not verify.

    • To allow the certificate to match any certificate in the trust store, select Any in Reverse Proxy Trust Store. Continue with Step 12.

    • To add a certificate to the trust store for the Web server, click the Manage Reverse Proxy Trust Store icon. Continue with Step 9.

    The auto import screen appears.

  9. Select the IP address of the application server and change the port if the application server is using a different port for SSL.

  10. Click OK.

    The server certificate, the root CA certificate, and any CA certificates from a chain are displayed and selected.

  11. Specify an alias, then click OK.

  12. In the Connect Port option, specify the port that your application server uses for SSL connections. For JBoss, the default value is 8443. For WebSphere, the default value is 9443. For WebLogic, the default value is 7002.

  13. To create a protected resource for the application server, click Protected Resources, then click New.

  14. Specify a name for the resource, then click OK.

  15. Configure the resource for the type of protection you want.

    Public Access to the First Page: If you want users to be able to access the first page of the application without authentication, select None for the type of contract and accept the default path in the URL Path List. Click OK, then continue with Step 16.

    J2EE Agent configuration allows you to set up authentication and access restrictions to the pages in the application.

    Authentication Required for the First Page: If you want users to authenticate before they have access to the first page of the application, you need to create two protected resources: one to prompt for authentication and one to allow public access to the nesp application.

    1. For this first protected resource, select None for the contract.

    2. In the URL Path List, specify the following path:

      /nesp
      
    3. Click OK twice.

    4. To add a second protected resource, click New, specify a name, then click OK.

    5. For the contract, select the contract you want to use for authentication.

    6. In the URL Path List, specify the path to the application. For the sample payroll application, this is the following path:

      /payroll
      
    7. Click OK twice.

  16. In the Protected Resource List, make sure your J2EE protected resources are enabled, then click OK.

  17. Click the Access Gateways link.

  18. On the Access Gateways page, click Update.

  19. Continue with Configuring a Protected Agent for Access.

2.5.3 Configuring a Protected Agent for Access

  1. In the Administration Console, click Devices > J2EE Agents > Edit.

  2. Fill in the fields:

    Identity Server Cluster: Select the Identity Server configuration that you want the agent to trust for authentication.

    This selection is used as the default until you configure the agent further.

    Contract: Select the type of contract, which determines the information a user must supply for authentication. By default, the Administration Console allows you to select from the following contracts and options when specifying an authentication contract.

    • Name/Password - Basic: Specifies basic authentication over HTTP, using a standard login pop-up provided by the Web browser.

    • Name/Password - Form: Specifies a form-based authentication over HTTP, using the Access Manager login form.

    • Secure Name/Password - Basic: Specifies basic authentication over HTTPS, using a standard login pop-up provided by the Web browser.

    • Secure Name/Password - Form: Specifies a form-based authentication over HTTPS, using the Access Manager login form.

    • Any Contract: If the user has authenticated, allows any contract defined for the Identity Server to be valid; or if the user has not authenticated, prompts the user to authenticate by using the default contract assigned to the Identity Server configuration.

    You can configure other contract types.

    J2EE Application Server URL: Specify the URL to access the application server, including the port. Select the format based on whether the agent is protected by a path-based or a domain-based proxy service.

    • If the agent is protecting a path-based proxy service, specify the published DNS name of the Access Gateway proxy service, including the path. For example:

      http://j2ee.mycompany.com/j2ee
      
    • If the agent is protecting a domain-based proxy service, specify the published DNS name of the Access Gateway proxy service. For example:

      http://j2ee.mycompany.com
    SOAP Base URL: Specify the URL used to communicate between the agent components residing in an application server. If you have created a cluster, select each cluster node from the Cluster Member drop list and specify separate URLs for each node. The SOAP URL must end with nesp. For example:

    https://j2ee.mycompany.com:8443/nesp
    Both the J2EE Application Server URL and the SOAP Base URL have three parts:

    • Scheme: Specify the scheme you have configured the Access Gateway to use for connections (http or https). If you have configured the Access Gateway to use SSL, the scheme needs to be https.

    • Domain: Specify the published DNS name of the Access Gateway proxy service.

    • Path: (Conditional) If the proxy service is a path-based service, specify the path. For this example, this is /j2ee.

  3. Click OK, then click Update > OK.

  4. To update the Identity Server, click Identity Servers > Update.

    Whenever you set up a new trusted identity configuration, you need to update the Identity Server.

  5. Continue with Preparing the Applications and the J2EE Servers.