7.2 Configuring a Windows Identity Server as a Protected Resource

These configuration steps assume that you are using SSL.

  1. (Conditional) If you are using domain-based multi-homing, create a wildcard certificate to be used by the Identity Server and the Access Gateway.

    For example, *.provo.novell.com, where the Identity Server DNS is idp.provo.novell.com and the Access Gateway DNS is jwilson1.provo.novell.com.

    If you don’t have a wildcard certificate, you cannot use domain-based multi-homing for this configuration scenario.

    If you are using path-based multi-homing, you can use the same certificate for the Identity Server and the Access Gateway.

  2. Configure the Base URL of the Identity Server. For complete configuration information, see Section 1.3, Creating a Basic Identity Server Configuration.

    1. Click Devices > Identity Servers > Edit.

    2. Set the port to 443.

      When you change the base URL of the Identity Provider, all Access Manager devices that have an Embedded Service Provider must be updated to import the new metadata. To re-import the metadata, configure the device so that it does not have a trusted relationship with the Identity Server, update the device, reconfigure the device for a trusted relationship, and update the device again. For more information, see Embedded Service Provider Metadata in the Novell Access Manager 3.1 SP5 Identity Server Guide.

    3. Specify the correct domain name for the proxy service type.

      Path-Based Proxy Service: If you are using path-based multi-homing, the domain name of the Base URL must match the public DNS of the authentication proxy service set up in the Access Gateway.

      For example, if your proxy service has a public DNS name of jwilson1.provo.novell.com, that is the domain name you must specify for the Base URL.

      Domain-Based Proxy Service: If you are using domain-based multi-homing, the domain name of the Base URL can differ from the DNS name of the Access Gateway, but your DNS server must resolve it to the IP address of the Access Gateway. Choose a name in the same domain as the Access Gateway so that the single wildcard certificate from Step 1 covers both names.

      For example, if the proxy service name is jwilson1.provo.novell.com, replace jwilson1 with idp so that the domain name is idp.provo.novell.com.

  3. Configure the Identity Server to use the correct certificate:

    1. Click the SSL Certificate icon.

    2. Click Replace, then click the Select Certificate icon.

    3. For a domain-based proxy service, select the wildcard certificate. For a path-based proxy service, select the certificate that matches the DNS name of the Access Gateway.

    4. Click OK twice, then accept the prompt to restart Tomcat.

  4. Continue with Step 5 for a domain-based proxy service or Step 6 for a path-based proxy service.

  5. (Domain-Based Proxy Service) Set up a proxy service on the Access Gateway for the Identity Server:

    1. Click Devices > Access Gateways > Edit > [Name of Reverse Proxy].

      For more information about creating a proxy service, see Managing Reverse Proxies and Authentication in the Novell Access Manager 3.1 SP5 Access Gateway Guide.

    2. In the Proxy Service list, click New.

    3. Set the Multi-Homing Type field to Domain-Based.

    4. Set the following fields to the specified values:

      Published DNS Name: Specify the same name you have specified for the domain name of the Base URL of the Identity Server. Your DNS server must be set up to resolve this name to the Access Gateway.

      Web Server IP Address: Specify the IP address of the Identity Server. If the cluster configuration for the Identity Server contains more than one Identity Server, provide the IP address of one of the servers here. This must be the actual IP address of the Identity Server and not the VIP address if the Identity Server is behind an L4 switch.

      Host Header: Specify Web Server Host Name.

      Web Server Host Name: Specify the domain name of the Base URL of the Identity Server. This entry matches what you specify in the Published DNS Name field.

      Your proxy service configuration should look similar to the following:

  6. (Path-Based Proxy Service) Set up a proxy service on the Access Gateway for the Identity Server:

    1. Click Devices > Access Gateways > Edit > [Name of Reverse Proxy].

      For more information about creating a proxy service, see Managing Reverse Proxies and Authentication in the Novell Access Manager 3.1 SP5 Access Gateway Guide.

    2. In the Proxy Service list, click New.

    3. Set the Multi-Homing Type field to Path-Based and set the Path field to /nidp.

    4. Set the following fields to the specified values:

      Published DNS Name: Specify the same name you have specified for the domain name of the Base URL of the Identity Server. Your DNS server must be set up to resolve this name to the Access Gateway.

      Web Server IP Address: Specify the IP address of the Identity Server. If the cluster configuration for the Identity Server contains more than one Identity Server, provide the IP address of one of the servers here. This must be the actual IP address of the Identity Server and not the VIP address if the Identity Server is behind an L4 switch.

      Host Header: Specify Web Server Host Name.

      Web Server Host Name: Specify the domain name of the Base URL of the Identity Server. This entry matches what you specify in the Published DNS Name field.

      Your proxy service configuration should look similar to the following:

    5. Click OK.

  7. Configure a protected resource for the proxy service:

    1. In the Proxy Service List, click the link under the Protected Resources column.

      For more information about configuring protected resources, see Configuring Protected Resources in the Novell Access Manager 3.1 SP5 Access Gateway Guide.

    2. Click New, specify a name, then click OK.

    3. Configure the following fields:

      Authentication Procedure: Set this field to None.

      The Identity Server must be published as a public resource. It performs the authentication itself, so the Access Gateway must forward requests for /nidp/* without first requiring a login; otherwise an unauthenticated user could never reach the login page.

      URL Path: Set the path of the protected resource to the following value:

      /nidp/*
      

      Your protected resource should look similar to the following:

    4. Click OK.

  8. (Path-Based Proxy Service) Verify the configuration:

    1. Click the name of your path-based proxy service.

    2. Verify that the Remove Path on Fill option is not selected.

    3. Verify that the Path List has an entry with /nidp as the path for the protected resource.

      Your configuration should look similar to the following:

    4. Click OK.

  9. Specify a host entry for the Identity Server:

    1. Click Devices > Access Gateways > Edit > Hosts.

    2. Click New, specify the IP address of the Identity Server, then click OK.

    3. In the Host Name(s) text box, specify the DNS name of the Identity Server machine.

    4. Click OK.

  10. Set up the Access Gateway to use SSL between the browsers and the Access Gateway. See Configuring SSL Communication with the Browsers and the Identity Server in the Novell Access Manager 3.1 SP5 Access Gateway Guide.

  11. Set up SSL between the proxy service that is protecting the Identity Server and the Identity Server.

    In this type of configuration, the Identity Server is acting as a protected Web server of the Access Gateway.

    1. Click Devices > Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Web Servers.

      For additional configuration information, see Configuring SSL between the Proxy Service and the Web Servers in the Novell Access Manager 3.1 SP5 Access Gateway Guide.

    2. Configure the following:

      Connect Using SSL: Enable this option.

      Web Server Trusted Root: Select Any in Reverse Proxy Trust Store. With this setting the Access Gateway accepts the Identity Server's certificate only if its issuing CA is present in the Reverse Proxy Trust Store, so make sure that CA has been imported there.

      SSL Mutual Certificate: Do not configure this option.

      Connect Port: Specify 443.

  12. Modify the server.xml file on the Identity Server to use port 443.

    1. Change to the Tomcat configuration directory.

      Windows Server 2003: \Program Files\Novell\Tomcat\conf

      Windows Server 2008: \Program Files (x86)\Novell\Tomcat\conf

    2. Open the server.xml file.

    3. Change every occurrence of port 8080 to 80 and of port 8443 to 443 (the HTTP Connector's redirectPort attribute also references 8443), then save the file.

    4. Restart the Tomcat service.

  13. (Conditional) If the cluster configuration for the Identity Server contains more than one Identity Server, configure the following options:

    1. Click Devices > Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Web Servers.

    2. Specify the IP addresses of the other Identity Servers in the Web Server List.

      If the Identity Servers are behind an L4 switch, you need to add the IP address of each Identity Server and not the VIP address.

    3. Click TCP Connect Options, then configure the following options.

      Policy for Multiple Destination IP Addresses: For the Identity Servers, select Round Robin.

      Enable Persistent Connections: Make sure this option is selected. After the user has established an authenticated session with an Identity Server, you want that user to continue using the same Identity Server as long as that server is running.

  14. Configure HTML rewriting:

    1. Click Devices > Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > HTML Rewriting.

    2. Make sure the Enable HTML Rewriting option is selected.

    3. In the HTML Rewriter Profile List, click New, then specify a name for the profile and select Word for the Search Boundary.

    4. Specify the following URLs in the And Requested URL Is Not section. The following URLs use jwilson1.provo.novell.com, the example published DNS name of the path-based proxy service for the Identity Server, together with its /nidp path.

      jwilson1.provo.novell.com/nidp/idff/soap
      jwilson1.provo.novell.com/nidp/idff/soap/
      jwilson1.provo.novell.com/nidp/idff/soap/*
      jwilson1.provo.novell.com:443/nidp/idff/soap
      jwilson1.provo.novell.com:443/nidp/idff/soap/
      jwilson1.provo.novell.com:443/nidp/idff/soap/*
      

      Your rewriter profile should look similar to the following:

      The example name for the domain-based proxy service is idp.provo.novell.com, which is the DNS name you would use when configuring the rewriter for a domain-based proxy service.

    5. Click OK.

    6. Use the up-arrow icon to move your profile to the top of the list.

  15. Configure the Pin List so that the Identity Server pages are not cached:

    1. On the Server Configuration page, click Pin List.

    2. In the list, click New, then specify the following values:

      URL Mask: Specify /nidp/* for the URL.

      Pin Type: Select Bypass.

      For more information about configuring a Pin list, see Configuring a Pin List in the Novell Access Manager 3.1 SP5 Access Gateway Guide.

    3. Click OK twice.

  16. Update the Access Gateway.
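The following PowerShell script is an added example and is not part of the Novell documentation. It automates Step 12 on the Windows Identity Server: it locates server.xml under either Tomcat conf directory named above, backs it up, rewrites the Connector port attributes from 8080/8443 to 80/443, checks that nothing else already owns port 443, and restarts Tomcat. The install drive (C:), the lookup of the Tomcat Windows service by display name, and English netstat output are assumptions; pass -ServiceName if the lookup is ambiguous, and run the script as Administrator.

```powershell
# Added example, not part of the Novell documentation: automates Step 12
# (server.xml ports 8080 -> 80 and 8443 -> 443) on the Windows Identity Server.
# ASSUMPTIONS: Tomcat is installed under one of the two conf paths the page
# names, on drive C:; the Tomcat Windows service is found by display name;
# netstat prints English column text. Run as Administrator.
param(
    [string]$ServiceName = ""   # ASSUMPTION: when empty, look for a service whose display name contains "Tomcat"
)

$ErrorActionPreference = "Stop"

# Both conf directories named on the page (Windows Server 2008, then 2003).
$candidates = "C:\Program Files (x86)\Novell\Tomcat\conf", "C:\Program Files\Novell\Tomcat\conf"
$confDir = $candidates | Where-Object { Test-Path (Join-Path $_ "server.xml") } | Select-Object -First 1
if (-not $confDir) { throw "server.xml not found in: $($candidates -join '; ')" }
$serverXml = Join-Path $confDir "server.xml"

# Keep a timestamped copy so the change can be rolled back.
Copy-Item $serverXml ("{0}.{1}.bak" -f $serverXml, (Get-Date -Format yyyyMMddHHmmss))

[xml]$doc = Get-Content $serverXml
$portMap = @{ "8080" = "80"; "8443" = "443" }
$changed = 0

# The HTTP connector's redirectPort also points at 8443, so rewrite both attributes.
foreach ($connector in $doc.SelectNodes("//Connector")) {
    foreach ($attr in "port", "redirectPort") {
        $old = $connector.GetAttribute($attr)
        if ($old -and $portMap.ContainsKey($old)) {
            $connector.SetAttribute($attr, $portMap[$old])
            Write-Host ("Connector {0}: {1} -> {2}" -f $attr, $old, $portMap[$old])
            $changed++
        }
    }
}

if ($changed -eq 0) {
    Write-Warning "No 8080/8443 connectors found; server.xml left unchanged."
    return
}
$doc.Save($serverXml)

# Tomcat silently fails to bind if another service (typically IIS via HTTP.sys)
# already owns 443, so refuse to restart while that is the case.
$busy = @(netstat -ano | Select-String -Pattern '^\s*TCP\s+\S+:443\s+\S+\s+LISTENING\s+(\d+)')
if ($busy.Count -gt 0) {
    throw "Port 443 is already in use (PID $($busy[0].Matches[0].Groups[1].Value)); free it before restarting Tomcat."
}

if (-not $ServiceName) {
    $svc = @(Get-Service | Where-Object { $_.DisplayName -like "*Tomcat*" })
    if ($svc.Count -ne 1) { throw "Found $($svc.Count) services matching *Tomcat*; pass -ServiceName explicitly." }
    $ServiceName = $svc[0].Name
}
Restart-Service -Name $ServiceName
Write-Host "Restarted $ServiceName; the Identity Server now listens on 80 and 443."
```

Re-running the script is safe: once the connectors already use 80 and 443 it reports that nothing changed and does not touch the service. The port-443 check matters on Windows Server 2008 with IIS installed, because HTTP.sys holds 443 and Tomcat would then start without an SSL listener, which shows up only in the Tomcat log.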

NOTE: If the SuSEFirewall is configured, after starting the firewall, all ports and services are blocked by default. You need to create filters to allow the Access Gateway and any other service to communicate with the Identity Servers.
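The following PowerShell script is an added verification check and is not part of the Novell documentation. Run it from a client machine after Step 16 (and after any firewall filters are in place) to confirm the three things this procedure depends on: that the published Identity Server name resolves to the Access Gateway rather than to the Identity Server itself, that the Access Gateway presents a certificate valid for that name (the wildcard or Access Gateway certificate selected in Step 3), and that /nidp/ is reachable through the proxy service without a login. The host names are the page's examples; the Access Gateway address is a made-up documentation address, and the client is assumed to trust the CA that issued the gateway certificate for the final HTTP check to succeed.

```powershell
# Added verification script, not part of the Novell documentation.
# ASSUMPTIONS: example host names from the page; a made-up Access Gateway
# address (RFC 5737 documentation range); the client trusts the CA that issued
# the Access Gateway certificate, otherwise the HTTP check fails on the chain.
param(
    [string]$PublishedName  = "idp.provo.novell.com",   # path-based: use jwilson1.provo.novell.com instead
    [string]$GatewayAddress = "192.0.2.10",             # ASSUMPTION: replace with your Access Gateway IP
    [string]$Path           = "/nidp/"
)
$ErrorActionPreference = "Stop"

# 1. DNS: the published name must point at the Access Gateway (Steps 2 and 5/6),
#    not at the Identity Server, or the proxy service is bypassed entirely.
$resolved = [System.Net.Dns]::GetHostAddresses($PublishedName) | ForEach-Object { $_.IPAddressToString }
if ($resolved -notcontains $GatewayAddress) {
    throw "$PublishedName resolves to [$($resolved -join ', ')], not to the Access Gateway $GatewayAddress"
}
Write-Host "DNS ok: $PublishedName -> $GatewayAddress"

# 2. TLS: handshake with the gateway on 443 and record the policy errors .NET
#    raises, so a name mismatch (wrong certificate chosen in Step 3) is reported
#    separately from an untrusted chain (CA not imported on this client).
$script:policyErrors = [System.Net.Security.SslPolicyErrors]::None
$validator = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslErrors)
    $script:policyErrors = $sslErrors
    return $true    # accept for now; the verdict is evaluated below
}
$tcp = New-Object System.Net.Sockets.TcpClient($PublishedName, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $validator)
try {
    $ssl.AuthenticateAsClient($PublishedName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    Write-Host "Gateway certificate: $($cert.Subject) (expires $($cert.NotAfter))"
    if ($script:policyErrors.HasFlag([System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch)) {
        throw "Certificate does not cover $PublishedName; in Step 3 select the wildcard certificate (domain-based) or the certificate matching the Access Gateway name (path-based)."
    }
    if ($script:policyErrors.HasFlag([System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors)) {
        Write-Warning "Certificate chain is not trusted on this client; import the issuing CA before relying on the HTTP check."
    }
} finally {
    $ssl.Dispose()
    $tcp.Close()
}

# 3. HTTP: the Identity Server must answer through the proxy without a login
#    (Authentication Procedure = None in Step 7). Redirects are not followed
#    because /nidp/ normally redirects; a 404 usually means the /nidp path or the
#    "Remove Path on Fill" setting (Step 8) is wrong.
$url = "https://$PublishedName$Path"
try {
    $status = (Invoke-WebRequest -Uri $url -UseBasicParsing -MaximumRedirection 0).StatusCode
} catch {
    if (-not $_.Exception.Response) { throw }          # no HTTP response at all: connection or TLS failure
    $status = [int]$_.Exception.Response.StatusCode     # 3xx/4xx land here with -MaximumRedirection 0
}
if ($status -ge 400) { throw "$url returned HTTP $status" }
Write-Host "HTTP ok: $url returned $status"
```

The TLS step deliberately accepts the certificate in the callback and inspects the recorded SslPolicyErrors afterwards: a plain AuthenticateAsClient would throw one generic AuthenticationException, whereas distinguishing RemoteCertificateNameMismatch from RemoteCertificateChainErrors tells you whether the problem is the certificate chosen on the Identity Server and Access Gateway or merely the trust store of the machine you are testing from.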