The Vibe Engineering Team recommends 2 different configurations for Novell Access Manager:
- Use SSL on the back side of NAM AND turn off the re-writer completely.
- Use non-SSL on the back side of NAM AND set up Vibe/NAM to use the X-Forwarded-Proto header AND turn off the NAM re-writer completely.
This article will walk you through the X-Forwarded-Proto: https method.
References:
With NAM 3.2 there is an option to install everything as an appliance. With this lab, we'll install the Access Gateway Service as an appliance. The Identity Server and Admin Console will be a separate machine.
Assumptions:
- A single Tomcat will be fronted by NAM (use it as a start point if you have a Vibe cluster)
- LDAP is preconfigured
- DNS is preconfigured
- Domain Name exists for Access Gateway Appliance and Identity Server / Admin Console
- Identity Server and Admin Console will be installed together on a SLES11SP1 x64 box
- Access Gateway will be installed as an appliance
- Access Gateway and ID server/Admin Console will be installed as Virtual Machines
Identity Server and Admin Console Install:
- Verify appropriate DNS resolve capability for this server
- Download AM_32_AccessManagerServce_Linux64_Eval-1231.tar
- tar -xvf AM_32...
- change to novell-access-manager
- ./install.sh
- select installation 1,2
Accept all the defaults.
It takes a very long time (30-90 min) to get through; don't give up thinking it's hung.
Install the Appliance:
- Point the boot device to AM_32AccessManagerAppliance_Linux_SLES11_64_Eval-1231.iso
On the configuration page that comes up, the information asked for should all be straightforward.
- It will ask for 8G and 100G. Use 4G and 50G and just bypass the warning.
- At the bottom is Admin Console Config: uncheck "Primary" and point to the server set up in the steps above.
- Access the admin console with the URL provided.
- Overview install screen is presented - Finish install.
Configure the Identity Server:
Reference Configuring Access Manager Components
In the Administration Console, click Devices > Identity Servers.
Click New Cluster.
Specify a name such as idp, select your Identity Server, then click OK.
Configure the Base URL of the Identity Server, using the DNS name of the Identity Server:
Click Next, then configure the organization information.
Note: The configuration dialog is geared towards a complex setup, where this URL would be the "public" face of a clustered system. Since our setup is not a cluster, we will use the same URL - we only have one IDP.
Skip the Principal Contact info.
Click Next, then configure the user store:
Name: User Store
Admin name: cn=admin,o=novell
Admin password: novell
Confirm password: novell
Directory Type: Select a type from the drop-down menu.
In the Server replicas section, click New, then fill in the following fields:
Name: User Store Replica
Use secure LDAP connections: Select this option.
Auto import trusted root: Click this link, follow the prompts, and specify UserStoreRoot for the alias.
Click OK, then make sure the Validation Status of the replica displays a green check mark.
In the Search Contexts section, click New, then specify the following:
Search context: o=novell
Scope: Subtree
Click OK > Finish, then restart Tomcat as prompted.
Watch for errors in /var/opt/novell/nam/logs/idp/tomcat/catalina.out
Enter the Base URL of the Identity Server in a browser:
For example: http://idpa.test.novell.com:8080/nidp
Configure the Reverse Proxy:
In the Administration Console, click Devices > Access Gateways.
Select the Appliance.
Select the Reverse Proxy Link.
In the Authentication Settings section, select IDP from the drop-down list.
Click the newly added proxy service, then select the Web Servers tab.
Change the Connect Port to 8080.
If the Linux Vibe server has port forwarding enabled, you do not need to change from the default port 80.
Select TCP Connect Options.
Change the value of Data Read Timeout option to 300 seconds (5 minutes).
In the Administration Console, click Policies > Policies. Select the policy container, then click New.
Specify a name for the policy, select Access Gateway: Identity Injection for the type, then click OK.
In the Actions section, click New, then select Inject into Authentication Header.
Fill in the following fields:
User Name: Select Credential Profile > LDAP User Name.
Password: Select Credential Profile > LDAP Password.
To save the policy, click OK, then click Apply Changes.
Assign this policy to the protected resources:
Click Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Protected Resources.
For each Vibe protected resource, click the Identity Injection link, select the Identity Injection policy, click Enable, then click OK.
Click OK. To save the configuration changes, click Devices > Access Gateways, then click Update.
There are 3 Protected resources that need to be configured.
1- Basic Auth with redirection
We'll leverage one of the default Authentication Procedures:
2- Basic Auth without redirection (for WebDAV)
Once again we'll leverage one of the default Authentication Procedures:
3- Public
Enable SSL on the front end (browser to NAM).
Create the cert with a 2048 key.
When communicating with SSL from the browser to Access Manager and plain http on to Vibe, setting X-Forwarded-Proto is the best practice. Vibe 3.3 was enhanced to take advantage of the HTTP header X-Forwarded-Proto. Prior to 3.3, Vibe would need to use the NAM rewriter in this configuration.
To enable X-Forwarded-Proto:
Create a new policy called "X-Forwarded-Proto"; the Type is "Access Gateway: Identity Injection".
The injected value is set to "https".
This policy needs to be added to all 3 protected resources.
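The following is an added example, not code from the article or from Novell, that models the two Identity Injection policies above (the Basic authentication header and the X-Forwarded-Proto header) and shows why the header matters to the back end: with it, Vibe/Tomcat builds https URLs even though its own socket is plain http. The gateway address, host name, credentials and paths are constructed for illustration, and the trusted-proxy check is a generic back-end practice, not a description of Vibe's own code.

```python
"""Added example (not from the original article or from Novell): a model of
the two headers the NAM Access Gateway injects on the way to Vibe/Tomcat, and
of how a back end behind the proxy should decide which scheme to use when it
builds absolute URLs.  Names, addresses and credentials are constructed."""
import base64
from ipaddress import ip_address, ip_network

# Addresses the back end treats as its reverse proxy (assumption: the NAM
# appliance is 10.0.0.5).  Only requests from these peers may carry a trusted
# X-Forwarded-Proto value.
TRUSTED_PROXIES = [ip_network("10.0.0.5/32")]


def nam_inject_headers(client_headers, ldap_user, ldap_password):
    """Model the two Identity Injection policies from the article:
    - 'Inject into Authentication Header' -> Authorization: Basic user:pass
    - the 'X-Forwarded-Proto' policy     -> X-Forwarded-Proto: https
    The gateway sets these values itself, replacing anything the browser sent,
    so the back end never sees a client-chosen value for either header."""
    headers = {k.lower(): v for k, v in client_headers.items()}
    creds = f"{ldap_user}:{ldap_password}".encode()
    headers["authorization"] = "Basic " + base64.b64encode(creds).decode()
    headers["x-forwarded-proto"] = "https"   # front end (browser -> NAM) is SSL
    return headers


def effective_scheme(headers, peer_ip, request_scheme="http"):
    """Scheme the back end should use for absolute URLs (redirects, links).
    Honour X-Forwarded-Proto only when the request arrived from a trusted
    proxy; otherwise fall back to the scheme of the socket itself."""
    peer = ip_address(peer_ip)
    if any(peer in net for net in TRUSTED_PROXIES):
        proto = headers.get("x-forwarded-proto", request_scheme).strip().lower()
        if proto in ("http", "https"):
            return proto
    return request_scheme


def absolute_url(headers, peer_ip, host, path, request_scheme="http"):
    """Absolute URL the back end would emit for PATH, e.g. in a Location header."""
    return f"{effective_scheme(headers, peer_ip, request_scheme)}://{host}{path}"


def decode_basic_auth(headers):
    """Back-end side: recover the user name NAM injected (what Vibe then checks
    against LDAP).  Returns None when no Basic credential is present."""
    value = headers.get("authorization", "")
    if not value.lower().startswith("basic "):
        return None
    user, _, _ = base64.b64decode(value[6:]).decode().partition(":")
    return user


if __name__ == "__main__":
    # Constructed request as it leaves the browser.  Without the policy the
    # back end only sees plain http and builds http:// links, which is wrong
    # because the browser actually spoke https to NAM.
    browser = {"Host": "vibe.example.test"}
    forwarded = nam_inject_headers(browser, "cn=admin,o=novell", "novell")
    print(absolute_url(forwarded, "10.0.0.5", "vibe.example.test", "/ssf/a/do"))
    # -> https://vibe.example.test/ssf/a/do
    print(absolute_url(browser, "10.0.0.5", "vibe.example.test", "/ssf/a/do"))
    # -> http://vibe.example.test/ssf/a/do
    print(decode_basic_auth(forwarded))
    # -> cn=admin,o=novell
```

The model also makes the operational point explicit: because the policy has to be attached to every protected resource, any resource that is missed still produces http:// links, and because the gateway overwrites the header rather than passing a client-supplied one through, the back end only ever has to trust its proxy address.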
As of June 2012 I was running into a problem:
It required changing the IDP link to https (rather than http).
Extra credit:
To accommodate the Vibe Desktop or any other web-services-based Vibe connection, create a Path-Based Service that points to a separate server.
What about a clustered Vibe site with multiple Tomcat servers?
It's very easy to add these servers.
Make sure that Enable Session Stickiness is checked to keep the browser sessions from bouncing between Tomcat servers.