1.3 Access Manager Appliance Components and Their Features

1.3.1 Administration Console

The Administration Console is the central configuration and management tool for the product. It is a modified version of iManager that can be used only to manage the Access Manager Appliance components. It contains a Dashboard option, which allows you to assess the health of all Access Manager Appliance components.

Figure 1-3 Access Manager Appliance Dashboard Page

The Administration Console also allows you to configure and manage each component, and allows you to centrally manage resources, such as policies, hardware, and certificates, which are used by multiple components.

1.3.2 Identity Servers

The Identity Server is the central authentication and identity access point for all other services. It is responsible for authenticating users and distributing role information to facilitate authorization decisions. It also provides the Liberty Alliance Web Service Framework to distribute identity information.

An Identity Server always operates as an identity provider and can optionally be configured to run as an identity consumer (also known as a service provider), using Liberty, SAML 1.1, or SAML 2.0 protocols. As an identity provider, the Identity Server validates authentications against the supported identity user store, and is the heart of the user’s identity federations or account linkage information.

In an Access Manager Appliance configuration, the Identity Server is responsible for managing:

  • Authentication: Verifies user identities through various forms of authentication, both local (user supplied) and indirect (supplied by external providers). The identity information can be some characteristic attribute of the user, such as a role, e-mail address, name, or job description.

  • Identity Stores: Links to user identities stored in eDirectory, Microsoft Active Directory, or Sun ONE Directory Server.

  • Identity Federation: Enables user identity federation and provides access to Liberty-enabled services.

  • Account Provisioning: Enables service provider account provisioning, which automatically creates user accounts during a federation request.

  • Custom Attribute Mapping: Allows you to define custom attributes by mapping Liberty Alliance keywords to LDAP-accessible data, in addition to the available Liberty Alliance Employee and Person profiles.

  • SAML Assertions: Processes and generates SAML assertions. Using SAML assertions in each Access Manager Appliance component protects confidential information by removing the need to pass user credentials between the components to handle session management.

  • Single Sign-on and Logout: Enables users to log in only once to gain access to multiple applications and platforms. Single sign-on and single logout are primary features of Access Manager Appliance and are achieved after the federation and trust model is configured among trusted providers and the components of Access Manager.

  • Identity Integration: Provides authentication and identity services to Access Gateways that are configured to protect Web servers, Java* applications, and SSL VPN. The Access Gateway and other Access Manager Appliance components include an embedded service provider that is trusted by Access Manager Identity Servers.

  • Roles: Provides RBAC (role-based access control) management. RBAC is used to provide a convenient way to assign a user to a particular job function or set of permissions within an enterprise, in order to control access. The identity provider service establishes the active set of roles for a user session each time the user is authenticated. Roles can be assigned to particular subsets of users based on constraints outlined in a role policy. The established roles can then be used in authorization policies to form the basis for granting and restricting access to particular Web resources.

  • Clustering: Adds capacity and failover management. An Identity Server can be a member of a cluster of Identity Servers, and the cluster is configured to act as a single server.

1.3.3 Access Gateways

An Access Gateway provides secure access to existing HTTP-based Web servers. It provides the typical security services (authorization, single sign-on, and data encryption) previously provided by Novell iChain, and is integrated with the new identity and policy services of Access Manager.

Figure 1-4 Access Gateway Component

The Access Gateway is designed to work with the Identity Server to enable single sign-on to protected Web services. The following features facilitate single sign-on to Web servers that are configured to enforce authentication or authorization policies:

  • Identity Injection: Injects the information the Web server requires into HTTP headers.

  • Form Fill: Automatically fills in requested form information.

If your Web servers have not been configured to enforce authentication and authorization, you can configure the Access Gateway to provide these services. Authentication contracts and authorization policies can be assigned so that they protect the entire Web server, a single page, or somewhere in between.

The Access Gateway can also be configured so that it caches requested pages. When the user meets the authentication and authorization requirements, the user is sent the page from cache rather than requesting it from the Web server, which can increase content delivery performance.

The Access Gateway can be installed as a soft appliance (which includes the operating system) or as a service (which requires you to provide the operating system). For more information, see the NetIQ Access Manager Appliance 3.2 SP3 Access Gateway Guide.

1.3.4 SSL VPN

The SSL VPN server provides secure access to non-HTTP based applications, such as e-mail servers, FTP services, or Telnet services. The SSL VPN server is a Linux-based service that can be installed in two modes:

  • As a resource accelerated by and protected by the Access Gateway, which shares session information with the SSL VPN server

  • As a stand-alone device with an Embedded Service Provider, which allows the SSL VPN server to establish its own relationship with the Identity Server.

An ActiveX plug-in or Java applet is delivered to the client on successful authentication. Roles and policies determine authorization decisions for back-end applications. Client integrity checking is available to ensure the existence of approved firewall and virus scanning software, before the SSL VPN session is established.

1.3.5 Policies

Policies provide the authorization component of Access Manager Appliance. The administrator of the Identity Server can use policies to define how properties of a user’s authenticated identity map to the set of active roles for the user. This role definition serves as the starting point for role-based authorization policies of the Access Manager Appliance. Additionally, authorization policies can be defined that control access to protected resources based on user and system attributes other than assigned roles.

The flexibility built into the policy component is nearly unlimited. You can, for example, set up a policy that permits or denies access to a protected Web site, depending on user roles (such as employee or manager), the value of an LDAP attribute, or the user’s IP address.

Each Access Gateway includes an embedded service provider agent that interacts with the Identity Server to provide authentication, policy decision, and enforcement. For the Java application servers, the agent also provides role pass-through to allow integration with the Java application server’s authorization processes. For Web application servers, the Access Gateway provides the ability to inject the user’s roles into HTTP headers to allow integration with the Web server’s authorization processes.

1.3.6 Certificate Management

Access Manager Appliance includes a certificate management service, which allows you to manage the certificates used for digital signatures and data encryption. You can create locally signed certificates or import externally signed certificates, then assign these certificates to the Access Manager Appliance, which in turn makes the certificates available for the Access Manager Appliance components:

  • Identity Server: Certificates allow you to provide secure authentication to the Identity Server and enable encrypted content from the Identity Server portal, via HTTPS. They also provide secure communications between trusted Identity Servers and user stores.

  • Access Gateway: Uses server certificates and trusted roots to protect Web servers, provide single sign-on, and enable the product's data confidentiality features, such as encryption.

You can install and distribute certificates to the Access Manager Appliance components and configure how the components use certificates. This includes central storage, distribution, and expired certificate renewal.

1.3.7 Auditing and Logging

Access Manager Appliance supports audit logging and file logging at the component level. To provide compliance assurance logging and to maintain audit log entries that can be subsequently included in reports, the Access Manager Appliance components can be configured to send their auditing events to an external Audit server like Sentinel Log Manager server or a Novell NSure Audit server. Each component creates assurance log entries to show the effect of each policy statement on each access control decision. Log entries include events such as notifications pertaining to the operational state of Access Manager Appliance components, the results of administrator and user requests, and policy actions invoked in determining request results.

1.3.8 Embedded Service Provider

The Access Gateway, SSL VPN server uses an embedded service provider to redirect authentication requests to the Identity Server. The Identity Server requires requests to be digitally signed and encrypted and allows only trusted devices to participate. To become trusted, devices must exchange metadata. The embedded service provider performs this task automatically for the Access Gateway and the SSL VPN server.

1.3.9 The User Portal Application

The Access Manager Appliance User Portal is a customizable application where end users can access and manage their authentications, federations, and profile data. The authentication methods you create in the Administration Console are reflected in the Portal.

Figure 1-5 Access Manager User Portal

Help information for the end users is provided in the user interface. If you know how to customize JSP pages, you can customize the portal for rebranding purposes and for creating custom login pages.

1.3.10 Sample Application

The sample application is enabled by default during installation of the Access Manager Appliance. This application is a single place for launching the Administration Console and the Access Manager Appliance help. You can configure the application to learn and experiment the Access Manager Appliance quickly as long as it is not in production. We recommend you to remove the landing application because it is visible for the users.

The sample application demonstrates the following functionalities:

  • Role based access control policies

  • Automatic authentication header injection

  • User attribute propagation using headers

  • Automatically filling forms with authenticated user's attributes

The sample application includes a simple Payroll application, where users of role "Employee" and "Manager" can see and edit their basic information. Payroll information of each user is protected. Users with the “Employee” role cannot see the pay info of other users, unless they are assigned the role of "Manager."

By default, the Access Manager Appliance installation creates two users Alice with both “Manager” and “Employee” role and Bob with “Employee” role. Any request without basic authentication headers will be Forbidden. Any request without the required role will also be Forbidden. A default allowance is automatically filled in by Access Manager Appliance as defined in the fill_allowance policy while editing the pay info.

NOTE:A separate database is used for this demo application. The information you modify here does not modify the actual user store. You must remove the portal before moving to production. Also, delete the default users Alice and Bob or change the default password for these users. The default password is novell.

Removing the Portal

To remove the portal:

  • Delete the proxy service associated with the portal. It is a path based proxy with name namportal.

  • Delete the public and protected resources associated with this service. These resources are portal and portal_public.

  • Change the default proxy service to point to the production Web server.

  • Change the NAM-RP > NAM-Service target Web server to do this.

Steps:

  1. Stop the Access Manager Appliance by running the /etc/init.d/novell-appliance stop command.

  2. Go to the /opt/novell/nam/ folder and run the rm -rf namportal command.

  3. Start the Access Manager Appliance by running the /etc/init.d/novell-appliance start command.

1.3.11 Language Support

The Access Manager Appliance software for installation and administration uses English and is not localized. The Administration Console is also not localized and uses only English. However, the client pieces of Access Manager Appliance are either localized or allow you to create custom pages.

  • The User Portal, which appears when the user logs directly into the Identity Server, is localized and so is its help file.

  • The SSL VPN client, which displays when the user establishes an SSL VPN session, is also localized.

The User Portal and the SSL VPN client are localized for German, French, Spanish, Italian, Japanese, Portuguese, Dutch, Chinese (Simplified), and Chinese (Traditional). The language must be set in the client’s browser to display a language other than English.

The Access Gateway and Identity Server, which can send messages to users when an error occurs, allow you to customize the error pages, but you are responsible for supplying the content of the customized pages.