The following sections describe some of the major differences between iChain and Access Manager:
With iChain, you have a single machine that provides authentication and authorization for single sign-on to protected resources. Administration is done through multiple applications: the Web application, ConsoleOne, and sometimes an LDAP browser. The embedded operation system is NetWare, and at the NetWare console, you use command line options to configure the system.
With Access Manager, you have multiple components. Each component can be installed on its own machine, some can be installed on the same machine, and some can be installed on different operating systems such as Linux and Windows.
Access Manager has the following components:
Administration Console: Installed on Linux or Windows to provide a single point of administration. It stores the configuration for all Access Manager components and uses a modified iManager interface. It can be installed on the same machine as the Identity Server.
Identity Server: Installed on Linux or Windows to provide single sign-on authentication, federation with other identity providers, and role and policy distribution. Roles are assigned at authentication time and filter though all components, thus simplifying the definition of authorization policies.
Access Gateway: Installed on Linux as a soft appliance or on Linux and Widows as a service. It provides single sign-on to Web servers and uses policies assigned to the resources on the Web servers to enforce access control. You can require SSL connections between the browsers and the Access Gateway, but require only HTTP connections between the Access Gateway and the Web servers, thus reducing the need for certificates on the Web servers.
SSL VPN Server: Installed on Linux to provide single sign-on to private networks with non-HTTP applications.
J2EE Agent: Installed on a J2EE sever to provide fine-grained authorization for J2EE applications and single sign-on. Access Manager currently has agents for WebSphere, WebLogic, and JBoss servers installed on Linux, Windows, and AIX.
One of the first decisions you need to make is which Access Manager components you need (an Administration Console and Identity Server are required; the others are optional), which components you are going to install on separate machines, which components you are going to combine on a single machine, and what operating systems you want to support.
For a more thorough description of these components, see Section 1.0, Novell Access Manager Product Overview. For some deployment ideas, see Section 2.1, Recommended Installation Scenarios.
The following table lists some of the major features of Access Manager and indicates support levels for both iChain and Access Manager.
Table 10-1 iChain and Access Manager Feature Comparison
|
Feature |
iChain |
Access Manager |
|---|---|---|
|
Web access management |
iChain Proxy |
Access Gateway |
|
Access management of non-Web applications |
Not supported |
SSL VPN |
|
Fine-grained access control of J2EE applications |
Not supported |
J2EE Agents |
|
Identity Federation |
SAML 1.0 |
SAML 1.1/2.0 Liberty Alliance |
|
CardSpace |
Not supported |
CardSpace protocol with personal and managed card support |
|
WS Federation |
Not supported |
Federation with SharePoint servers |
|
Management tools |
ConsoleOne Web application |
iManager (a product-specific version called the Administration Console) |
|
Proxy configuration store |
Local. Stored on each iChain appliance. |
Global. Stored on the Administration Console and used by all devices. |
|
Authorization configuration store |
eDirectory ISO object for protected resources, trusted roots, Form Fill, and Session Broker. eDirectory Rule objects (static and dynamic) |
Administration Console configuration store |
|
User store and authentication sources |
LDAP (eDirectory only), RADIUS, NMAS, OCSP/CLR Server |
LDAP (eDirectory, Active Directory, Sun ONE), RADIUS, NMAS, OCSP/CLR Server, Custom |
|
Supported operation systems |
NetWare |
Linux, Windows |
|
Citrix* integration |
Proxy ICA traffic |
SSL VPN |