NOVELL FORUMS - Access Manager 3

multihoming - mixing dns and path based?

kjhurni — Fri, 20 Nov 2009 21:10:52 GMT

I'm on my last iChain to NAM upgrade.

The ichain setup had 3 accelerators on it.

One was regular domain based multihoming (with a few items having Secure Exchange in them).

One was a "parent" accelerator with 3-5 path-based children

One was an http (not https) accelerator.

With NAM, I know I will need at least two IP for my proxies.

One proxy will be for HTTP (non SSL as we had that discussion in this forum that you couldn't have one IP do both http and https).

the other proxy would be for the other stuff.

However, I'm not sure if I can mix proxies.

The reason I had to separate them out in iChain was that I couldn't do this (have the parent contain both domain and path based)

So my path based ones can only do SSL.

I THINK I can do this in NAM, but not sure.

Diff branding/pages for diff. resources

kjhurni — Fri, 20 Nov 2009 18:56:01 GMT

Hopefully someone can help me decide which method is the best/easiest to use:

I have two IDP clusters and two LAG clusters.

One set for internal, one set for "outside" users.

The "outside" one needs to have different branding (so that means changes to the nidp.jsp file) for two diff. proxies.

One proxy gets "branding1" and one proxy gets "branding2". the proxy with branding2 will have many proxies on it (like one parent, many children if I were to use iChain terms).

The docs on page 42 seem to indicate that if I created a custom page from the nidp.jsp file (which I'm assuming I would have to do since that's where the branding is at), that I MUST use the "adding logic to the main.jsp file" section.

Both "login pages" would also have their own respective and different login.jsp file as well.

But that's it.

Just want to make sure that if I need to customize the branding (again that's in the nidp.jsp) that I MUST do the "long/nasty" portion of the login page, vs. just creating two methods and specifying the pages there.

128-bit encryption for IDP - server.xml file

kjhurni — Fri, 20 Nov 2009 16:33:19 GMT

The docs say to add the following line:

bunch of ciphers= blah here

The question is that where do you add this?

Can it be anywhere in the server.xml file?

At the end, the beginning, where?

Right now, mine's right below the:

line

Invalid Signature on SAML artifact Request

skalpa13 — Fri, 20 Nov 2009 16:18:32 GMT

Hi,

I have configured my NAM 3.1.1 to protect a web server using SSL. When I try to access it I get to the login page and enter my credential. According to the logs the authentication succeed on the IDS but then I get the following error :

2009-11-20T15:45:57Z INFO NIDS IDFF: AM#500106006: AMDEVICEID#79EE784B25D1CD3E: Validation failure on message from https://collab-test.mymazars.com:443/nesp/idff/metadata : Digital signature is required

I don't get it, I've solver all the 100101043 and 100101044 errors so I thought I had the certificates right but it doesn't work. Can anyone help ?
Thanks & regards
Pascal

Does NAM protect the web servers from vulnerabilities?

jsauve — Fri, 20 Nov 2009 15:45:21 GMT

Hello, everyone!

I keep describing NAM to my customers as �a firewall for your web servers�. But I'm curious to know if NAM protects the web servers from vulnerabilities, such as users trying to send commands to the server to try and hack it. I mean, if the Access Gateway simply hands off all commands back to the web server, wouldn't the command eventually run on the web server anyways?

I'd appreciate your input on this!

Thanks!

Jacques

Identity Server Audit SourceIP

kkyen — Fri, 20 Nov 2009 04:13:36 GMT

Hi Guys, I noticed that auditing for Identity Server only capture server's IP in Source IP field, is there any way for me to record the client IP, says like client browser authenticate to IDS.

Thanks.

Incoming HTTP Request Active for too long

nareshbk — Thu, 19 Nov 2009 17:17:12 GMT

Hi,

I am running AM 3.1.1.236. In the Identity server Health, I see the icon Yellow and it has the message "There are 2 incoming HTTP requests that have been active for between 74997 and 75034 seconds."

How do I get rid of this?

-Naresh

openSAML

rrawson — Thu, 19 Nov 2009 17:04:11 GMT

My client is going to be using NAM to federate to a hosted forums vendor that uses openSAML. Since they provide guest access, they were asking if NAM supports the following:

forceAuthentication = false
isPassive = true

Not really certain if this is an openSAMLism or I just can't find similar parameters in NAM or if this simply isn't supported.

Thanx
Rob

Multi-directory authentcationh

rrawson — Thu, 19 Nov 2009 15:53:06 GMT

I have a client who is implementing NAM right now. We have a use case question.

The large majority of users will be in an edirectory instance which has been populated by data from a database and one of two authentication directories. The data in the directory will be used for identity injection, the password will come from their current authentication directory. No problem here, straightforward.

These first two directories are customers and partners. For employees, they will not permit IDM to be installed in the directory (it's controlled by a parent). So I suggested we could authenticate to their employee AD via Kerberos and get them some nice added benefit there. So far so good.

The question is that they have information from the database sitting in the eDir instance, how would i configure authentication and identity injection so that I authenticate to one directory using the Kerberos authentication (or directly using that domain's creds if they are on a standalone workstation) and then look up all the data to do ID injection from the other eDir instance?

user self registration - built in functionality ?

brunold — Wed, 18 Nov 2009 20:55:15 GMT

Hello,

it seems I cannot find enough information in the NAM documentation to answer my question.

I want to put a self registration portal into the internet where customers can register itself requesting access to a specific resource like a web page that is protected via the access manager. Once the customer has registered another internal person needs to approve the request and then access will be granted.

So my question is if the access manager has such a self registration function or if I need to use a different application like the IDM user application for that.

Thanks for any information,
Rainer

IDP Issue from the Outside

jsauve — Wed, 18 Nov 2009 02:36:10 GMT

Hello, everyone!

Just setup an AM3.1 config at work: 1 LAG and 1 Identity Server. I am using authentication on 2 web sites; from the inside, everything works great on all workstations, including my Mac. When I try to hit one of these web sites, I get redirected to the Identity Server for authentication, and once done, on to the web server. Beautiful.

From the outside, I have created 2 public IPs, with the same DNS names as internally. I have opened up ports 8080 and 8443 to the Identity Server. When I try to hit one of the web servers, I can see in my browser that I get redirected to the Identity Server. However, I never get the login page and eventually get a timeout.

I had one of my colleagues try it from his Windows workstation and it works fine! WHY? My Mac with Firefox works great on the internal network, why not from the outside?

Any suggestions would be greatly appreciated!

Thanks!

Jacques

The cluster object was not found in the configuration store.

jeynon — Tue, 17 Nov 2009 21:32:00 GMT

Hi,

I am trying to add an edirectory replica to my LDAP configuration for an identity provider in access manager. When I try to import the trusted root, I get this error:

The cluster object was not found in the configuration store.

Any idea what this meals? The error is from the calalina.out file on the admin server.

Thanks,

Jeff

create web certificate for Oracle wallet

bctechnology — Tue, 17 Nov 2009 21:06:22 GMT

Hello.

Does novell or can AM3 create a certificate that we could use to install to Oracle wallet? Our application cannot use the shared certificate and every year we have to buy the certs and install it on the server.

If novell has a product that allows us to create our certificate and install it on our server via Oracle wallet, that could solve our issues.

thanks

SSLVPN: Failed to start client on Opensuse

jklaauw — Tue, 17 Nov 2009 20:00:17 GMT

Hi,

We had tot install SP4_IR4 for Access Manager 3.0 (on advice of Novell to solve a problem with roles in SSLVPN).
Now I have a problem with SSLVPN on Opensuse.
After the installation SSLVPN did not work anymore on Opensuse 11.1
Error "AM#1019:Failed to start client - Please logout"
I upgraded to Opensuse 11.2, same error.

Anyone an idea how to solve this (I know that Opensuse is not supported, but it worked all the time before we installed the patch)?

/usr/sbin/novl-sslvpn-service is started (novl-sslvpn-service-3.0.4-10.i586).

VPN-client-log:
SSL VPN Applet Logs :
Tue Nov 17 20:38:32 CET 2009 SSL VPN Applet: Installed SSL VPN trust manager
Tue Nov 17 20:38:33 CET 2009 SSL VPN Applet: Novell SSL VPN ConnectApplet version 3.0.4.4
Tue Nov 17 20:38:33 CET 2009 SSL VPN Applet: OS Language : Nederlands (Nederland)
Tue Nov 17 20:38:33 CET 2009 SSL VPN Applet: Checking Client Integrity. Please wait ...
Tue Nov 17 20:38:34 CET 2009 SSL VPN Applet: Starting SSL VPN Client in Enterprise mode...
Tue Nov 17 20:38:34 CET 2009 SSL VPN Applet: Unable to run specified command

Messages in /var/log/messages
Nov 17 20:57:35 snake NOVELL_SSLVPN_SERVICE: :Successfull command GETVERSION
Nov 17 20:57:35 snake NOVELL_SSLVPN_SERVICE: SIGNATUER varification error
Nov 17 20:57:35 snake NOVELL_SSLVPN_SERVICE: :Bad Binary

Regards, Jeroen

SSO to ANGEL learning management system

jdwilbur — Tue, 17 Nov 2009 19:21:41 GMT

I�m looking for SSO options to ANGEL learning management system.
ANGEL Learning -- Learning Management Suite for K-12 and Higher Education