10.1 Understanding the Differences between iChain and Access Manager

The following sections describe some of the major differences between iChain and Access Manager:

10.1.1 Component Differences

With iChain, you have a single machine that provides authentication and authorization for single sign-on to protected resources. Administration is done through multiple applications: the Web application, ConsoleOne, and sometimes an LDAP browser. The embedded operation system is NetWare, and at the NetWare console, you use command line options to configure the system.

With Access Manager, you have multiple components. Each component can be installed on its own machine, some can be installed on the same machine, and some can be installed on different operating systems such as Linux and Windows.

Access Manager has the following components:

  • Administration Console: Installed on Linux or Windows to provide a single point of administration. It stores the configuration for all Access Manager components and uses a modified iManager interface. It can be installed on the same machine as the Identity Server.

  • Identity Server: Installed on Linux or Windows to provide single sign-on authentication, federation with other identity providers, and role and policy distribution. Roles are assigned at authentication time and filter though all components, thus simplifying the definition of authorization policies.

  • Access Gateway: Installed on Linux as a soft appliance or on Linux and Widows as a service. It provides single sign-on to Web servers and uses policies assigned to the resources on the Web servers to enforce access control. You can require SSL connections between the browsers and the Access Gateway, but require only HTTP connections between the Access Gateway and the Web servers, thus reducing the need for certificates on the Web servers.

  • SSL VPN Server: Installed on Linux to provide single sign-on to private networks with non-HTTP applications.

  • J2EE Agent: Installed on a J2EE sever to provide fine-grained authorization for J2EE applications and single sign-on. Access Manager currently has agents for WebSphere, WebLogic, and JBoss servers installed on Linux, Windows, and AIX.

One of the first decisions you need to make is which Access Manager components you need (an Administration Console and Identity Server are required; the others are optional), which components you are going to install on separate machines, which components you are going to combine on a single machine, and what operating systems you want to support.

For a more thorough description of these components, see Section 1.0, Novell Access Manager Product Overview. For some deployment ideas, see Section 2.1, Recommended Installation Scenarios.

10.1.2 Feature Comparison

The following table lists some of the major features of Access Manager and indicates support levels for both iChain and Access Manager.

Table 10-1 iChain and Access Manager Feature Comparison



Access Manager

Web access management

iChain Proxy

Access Gateway

Access management of non-Web applications

Not supported


Fine-grained access control of J2EE applications

Not supported

J2EE Agents

Identity Federation

SAML 1.0

SAML 1.1/2.0 Liberty Alliance


Not supported

CardSpace protocol with personal and managed card support

WS Federation

Not supported

Federation with SharePoint servers

Management tools

ConsoleOne Web application

iManager (a product-specific version called the Administration Console)

Proxy configuration store

Local. Stored on each iChain appliance.

Global. Stored on the Administration Console and used by all devices.

Authorization configuration store

eDirectory ISO object for protected resources, trusted roots, Form Fill, and Session Broker.

eDirectory Rule objects (static and dynamic)

Administration Console configuration store

User store and authentication sources

LDAP (eDirectory only), RADIUS, NMAS, OCSP/CLR Server

LDAP (eDirectory, Active Directory, Sun ONE), RADIUS, NMAS, OCSP/CLR Server, Custom

Supported operation systems


Linux, Windows

Citrix* integration

Proxy ICA traffic