Complexity#

I know I still do not even understand how the Access Manager system works. Yes I have a lot of fuzzy ideas, but it is a complex product and even going through the requirments made me dizzy.

This is my attempt to determine how it could be setup in my under-funded Lab.

Novell Documentation#

This is our limited summary of what we interpreted the documentation to say. For the real story, Read The Manuals.

You may also wish to see the product pages.

Requirements and Warnings#

• Novell Access Manager does not work in a NAT (Network Address Translation) environment unless all the Access Manager devices are on the same side of the NAT. Clients can be on the other side.
• From what I can tell, you must have at least two machines dedicated to Access Manager.

Administration Console#

The Administration Console is the central configuration and management tool for the product. It is a modified version of iManager that can be used only to manage the Access Manager components. It contains an Overview option, which allows you to assess the health of all Access Manager components.

Browser Support#

To access the Administration Console after it has been installed, you need a workstation with a browser. You can use one of the following:

• Internet Explorer 6 or higher on Windows XP
• Firefox 2.0 or higher

Administration Console Requirements#

• ZIP and Unzip utilities for the backup and restore procedure.
• No LDAP software, such as eDirectory, can be installed.
• No other version of iManager can be installed.
• Static IP address (if the IP address changes after devices have been imported, these devices can no longer communicate with the Administration Console.)
• The tree for the configuration store is named after the server on which you install the Administration Console. Check the host name and rename the machine if the name is not appropriate for a configuration tree name.

IMPORTANT#

The Administration Console is the first component you install. If you have iManager installed for other products, you still need to install this version on a separate machine. You also cannot add other iManager product plug-ins to this Administration Console.

NOTES#

• The Administration Console can be installed on the same machine as the Identity Server.

Access Manager-Identity Server#

The Identity Server is the central authentication and identity access point for all other services. It is responsible for authenticating users and distributing role information to facilitate authorization decisions. It also provides the Liberty Alliance Web Service Framework to distribute identity information.

An Identity Server always operates as an identity provider and can optionally be configured to run as an identity consumer (also known as a service provider), using either Liberty, SAML 1.1, or SAML 2.0 protocols. As an identity provider, the Identity Server validates authentications against the supported identity user store, and is the heart of the user’s identity federations or account linkage information.

The Identity Server is the second component you install.

The Identity Server should be publicly accessible.

Identity Server requirements#

• 100 GB hard disk (30 GB minimum)This amount is recommended to ensure ample space for logging in a production environment.
• 2 GB RAM recommended with 1 GB as the minimum
• 2.0 GHz processor or better
• Static IP addresses

The Identity Server must be installed on a Linux operating system and requires the following software:

• SLES 10 or SLES 9 SP3, either with 32-bit or 64-bit software on x86-32 and x86-64 hardware. Because of library update conflicts, you cannot install Access Manager on a Linux User Management machine.
• gettext
• python (interpreter)
• compat: Libraries to address compatibility issues

Also for SLES 9 or 10:

• Configure SLES for a static IP address.
• Uninstall OpenLDAP. (A default installation of SLES installs and enables OpenLDAP.)

Access Manager - Access Gateway#

An Access Gateway provides secure access to existing HTTP-based Web servers. It provides the typical security services (authorization, single sign-on, and data encryption) previously provided by Novell iChain, and is integrated with the new identity and policy services of Access Manager.

The Access Gateway should be publicly accessible.

Access Gateway Requirements#

The Access Gateway runs on both NetWare and Linux. It has the same features on both platforms. Select one or the other based on your network preferences.

You install the Access Gateway on a separate machine because it clears the hard drive and sets up a soft appliance environment.

Access Gateway hardware requirements:#

• 100 GB of disk space recommended, with 20 GB as the minimum.
• 3 GB RAM recommended, with 2 GB as the minimum.
• 3.0 GHz processor or better recommended, with 2.0 GHz as the minimum.
• (NetWare Access Gateway) If your machine has hyper-threading (or logical processor) technology, you should use the computer’s setup program to turn it off. The NetWare Access Gateway shows a significant increase in performance and stability when this feature is turned off.
• (Linux Access Gateway) supports x86-32 only.
• The Access Gateway has no software requirements.
• Static IP addresses

The installation program for the Access Gateway re-images the hard drive, embeds the operating system (either NetWare or Linux), then configures the embedded operating system for optimal performance.

Before proceeding with the Access Gateway installation, make sure you have a static IP address for your Access Gateway server and an assigned DNS name (host name and domain name).

You need to know the following about your network before you install:

• The subnet mask that corresponds to the IP address of the Access Gateway.
• The IP address of the default gateway.
• The IP addresses of the DNS servers on your network. The DNS servers need to be configured to resolve the DNS name of the Access Gateway to the IP address that you assign to the Access Gateway.
• The IP address or DNS name of a NTP server, if you have one in your local environment.
• Static IP addresses

Access Manager - SSL VPN Requirements#

The SSL VPN component provides secure access to non-HTTP based applications, such as e-mail servers, FTP services, or Telnet services. SSL VPN is a Linux-based service, which is actually accelerated by (and shares session information with) the Access Gateway.

This is of course an optional component that does not need to be installed.

Notes#

• The SSL VPN maybe installed:
  • on the same machine as the Linux Access Gateway
  • on the same machine as the Identity Server.
  • on a machine by itself
• An ActiveX* plug-in or Java applet is delivered to the client on successful authentication. Roles and policies determine authorization decisions for back-end applications. Client integrity checking is available to ensure the existence of approved firewall and virus scanning software, before the SSL VPN session is established.

SSL VPN server requirements:#

• 100 MB of disk space
• Two or more network interface cards
• Static IP addresses
• SLES 9 SP3 or higher.
  • NOTE:If you want 64-bit client support you must use SLES 10
• gettext package
• Tomcat and Java installed and running
• Stunnel and OpenVPN port configured on the gateway should be opened

PeopleSoft Integrations

How NAM Utilizes Certificates

NACM Administration

More Information#

There might be more information for this subject on one of the following:

• Administration Console
• Bandit-project.org
• Custom Authentication Class
• Embedded Service Provider
• Form Fill Process
• How NAM Utilizes Certificates
• Identity Injection Process
• Linux Access Gateway
• Linux Identity Server
• Logs and File Locations
• NAM Access Manager
• NAM Administration
• NAM Application Request Information
• NAM Configuration Notes
• NAM Customized JSP Pages
• NAM Different Login Methods or Pages
• NAM Firewall Configuration
• NAM Troubleshooting
• NAM Upgrades
• Novell Access Manager Experience
• PeopleSoft Integrations
• Posting Credentials to NAM
• Secret Files
• Secure WEB Page Information