Novell Access Manager Installation Manual
Updated: 2023-05-01 14:00:01
Novell
novdocx (en) 16 April 2010
AUTHORIZED DOCUMENTATION
Novell Access Manager 3.1 SP2 Installation Guide
Access Manager 3.1 SP3
June 29, 2010
Installation Guide
Legal Notices
Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and
specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose.
Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time,
without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims
any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc.,
reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to
notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the
trade laws of other countries. You agree to comply with all export control regulations and to obtain any required
licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on
the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws.
You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the
Novell International Trade Services Web page (31bfdc18b7360b4c2e3f6454/info/exports/) for more information on
exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export
approvals.
Copyright © 2007-2010 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied,
stored on a retrieval system, or transmitted without the express written consent of the publisher.
Novell, Inc.
404 Wyman Street, Suite 500
Waltham, MA 02451
U.S.A.
Online Documentation: To access the latest online documentation for this and other Novell products, see the Novell Documentation Web page (31bfdc18b7360b4c2e3f6454/documentation).
Novell Trademarks
For Novell trademarks, see the Novell Trademark and Service Mark list (31bfdc18b7360b4c2e3f6454/company/legal/
trademarks/tmlist).
Third-Party Materials
All third-party trademarks are the property of their respective owners.
Contents
About This Guide
1 What’s New in Access Manager 3.1 SP2
1.1 Administration Console Enhancements
1.2 Identity Server Enhancements
1.3 Access Gateway Enhancements
1.4 SSL VPN Enhancements
2 Novell Access Manager Product Overview
2.1 How Access Manager Solves Business Challenges
2.1.1 Protecting Resources While Providing Access
2.1.2 Managing Passwords with Single Sign-On
2.1.3 Enforcing Business Policies
2.1.4 Sharing Identity Information
2.1.5 Protecting Identity Information
2.1.6 Complying with Regulations
2.2 How Access Manager Works
2.2.1 Authentication
2.2.2 Authorization
2.2.3 Identity Injection
2.2.4 Identity Federation
2.3 Access Manager Devices and Their Features
2.3.1 Administration Console
2.3.2 Identity Servers
2.3.3 Access Gateways
2.3.4 SSL VPN
2.3.5 J2EE Agents
2.3.6 Policies
2.3.7 Certificate Management
2.3.8 Auditing and Logging
2.3.9 Embedded Service Provider
2.3.10 The User Portal Application
2.3.11 Language Support
3 Installation Requirements
3.1 Recommended Installation Scenarios
3.1.1 Basic Setup
3.1.2 High Availability Configuration with Load Balancing
3.2 Hardware Platform Requirements
3.3 Network Requirements
3.4 Administration Console Requirements
3.4.1 Linux Requirements
3.4.2 Windows Requirements
3.4.3 Browser Support
3.5 Identity Server Requirements
3.5.1 Linux Requirements
3.5.2 Windows Requirements
3.6 Access Gateway Requirements
3.6.1 Access Gateway Appliance Requirements
3.6.2 Linux Access Gateway Service Requirements
3.6.3 Windows Access Gateway Service Requirements
3.6.4 Client Access Requirements
3.6.5 Access Gateway Feature Comparison
3.7 SSL VPN Requirements
3.7.1 Windows Client Limitations
3.8 Virtual Machine Requirements
3.8.1 Keeping Time Synchronized on the Access Manager Devices
3.8.2 How Many Virtual Machines Per Physical Machine
4 Installing the Access Manager Administration Console
4.1 Installation Procedures
4.1.1 Installing on Linux
4.1.2 Installing on Windows
4.2 Configuring the Administration Console Firewall
4.2.1 Linux Administration Console
4.2.2 Windows Administration Console
4.3 Logging In to the Administration Console
4.4 Enabling the Administration Console for Multiple Network Interface Cards
4.5 Administration Console Conventions
5 Installing the Novell Identity Server
5.1 Prerequisites
5.2 Installing on Linux
5.3 Installing on Windows
6 Installing the Linux Access Gateway Appliance
6.1 Prerequisites for the Access Gateway Appliance
6.2 Boot Screen Function Keys
6.3 Installing the Access Gateway Appliance
6.4 Creating Custom Partitions
6.5 Viewing the Linux Installation Log
7 Installing the Access Gateway Service
7.1 Prerequisites
7.2 Installing the Access Gateway Service
7.3 Silently Installing the Access Gateway Service
8 Installing the SSL VPN Server
8.1 Installing the ESP-Enabled SSL VPN
8.1.1 Deployment Scenarios
8.1.2 Installing the ESP-Enabled SSL VPN
8.2 Installing the Traditional SSL VPN Server
8.2.1 Deployment Scenarios
8.2.2 Installing the Traditional Novell SSL VPN
8.3 Installing the Key for the High-Bandwidth SSL VPN
8.4 Verifying That Your SSL VPN Service Is Installed
9 Upgrading Access Manager Components
9.1 Upgrading from the Evaluation Version to the Purchased Version
9.2 Upgrading from Access Manager 3.0 SP4 to Access Manager 3.1 SP2
9.2.1 Before Starting the Upgrade
9.2.2 Upgrading the SP4 Administration Consoles
9.2.3 Upgrading the SP4 Identity Servers
9.2.4 Modifying 3.0 Login Pages for 3.1 SP2
9.2.5 Upgrading the SP4 Linux Access Gateway Appliances
9.2.6 Upgrading the SP4 SSL VPN Servers
9.2.7 Upgrading the Policies
9.2.8 Troubleshooting a Failed Upgrade
9.3 Upgrading from Access Manager 3.1 to 3.1 SP2
9.3.1 Configuration Changes to the SSL VPN Server Installed with the Access Gateway Appliance
9.4 Upgrading from Access Manager 3.1 SP1 to 3.1 SP2
9.5 Migrating to Newer Operating Systems
9.5.1 Migrating Administration Consoles from SLES 10 to SLES 11
9.5.2 Migrating Administration Consoles with or without Identity Servers from Windows 2003 to Windows 2008
9.5.3 Migrating Identity Servers from SLES 10 to SLES 11
9.5.4 Migrating Stand-Alone Identity Servers from Windows 2003 to Windows 2008
9.5.5 Migrating to the SLES 11 Access Gateway Appliance
9.5.6 Migrating the SSL VPN Server to SLES 11
9.6 Upgrading the Administration Console
9.6.1 Upgrading the Linux Administration Console
9.6.2 Upgrading the Windows Administration Console
9.7 Upgrading the Identity Server
9.7.1 Upgrading the Linux Identity Server
9.7.2 Upgrading the Windows Identity Server
9.8 Upgrading the Linux Access Gateway Appliance
9.8.1 Prerequisites
9.8.2 Backing Up and Restoring the Linux Access Gateway Files
9.8.3 Upgrading the Linux Appliance by Using the Interactive Method
9.8.4 Upgrading the Linux Appliance by Passing Parameters in the Command Line
9.8.5 Upgrading the Linux Appliance by Using the Administration Console
9.8.6 Installing or Updating the Latest Linux Patches
9.9 Upgrading the Access Gateway Service
9.9.1 Upgrading the Linux Access Gateway Service
9.9.2 Upgrading the Windows Access Gateway Service
9.10 Upgrading the SSL VPN Servers
9.10.1 Prerequisites
9.10.2 Upgrade Scenarios
9.10.3 Upgrading SSL VPN Installed on a Separate Machine
9.10.4 Migrating a Traditional SSL VPN Server to the ESP-Enabled Version
9.11 Converting a NetWare Access Gateway
9.12 Verifying Version Compatibility
10 Removing Components
10.1 Uninstalling the Identity Server
10.1.1 Deleting Identity Server References
10.1.2 Uninstalling the Linux Identity Server
10.1.3 Uninstalling the Windows Identity Server
10.2 Reinstalling an Identity Server to a New Hard Drive
10.3 Uninstalling the Access Gateway
10.3.1 Uninstalling the Windows Access Gateway Service
10.3.2 Uninstalling the Linux Access Gateway Service
10.4 Uninstalling the Administration Console
10.4.1 Uninstalling the Linux Administration Console
10.4.2 Uninstalling the Windows Administration Console
10.5 Uninstalling the SSL VPN Server
10.5.1 Deleting the SSL VPN Server References
10.5.2 Uninstalling the SSL VPN Server
10.5.3 Uninstalling the RPM Key for High Bandwidth SSL VPN
11 Migrating from iChain to Access Manager
11.1 Understanding the Differences between iChain and Access Manager
11.1.1 Component Differences
11.1.2 Feature Comparison
11.2 Planning the Migration
11.2.1 Possible Migration Strategies
11.2.2 Outlining the Migration Requirements for Each Resource
11.3 Migrating Components
11.3.1 Setting Up the Hardware and Installing the Software
11.3.2 Using an L4 Switch
11.3.3 Configuring the Identity Server for Authentication
11.3.4 Configuring System and Network Settings
11.3.5 Migrating the First Accelerator
11.3.6 Enabling Single Sign-On between iChain and Access Manager
11.3.7 Migrating Resources with Special Configurations
11.3.8 Moving Staged Components
11.3.9 Removing iChain
A Troubleshooting Installation and Upgrade
A.1 Troubleshooting a Windows Administration Console Installation
A.2 Troubleshooting an Identity Server Import and Installation
A.2.1 The Identity Server Fails to Import into the Administration Console
A.2.2 Reimporting the Identity Server
A.2.3 Check the Installation Logs
A.3 Troubleshooting a Linux Access Gateway Appliance Installation
A.3.1 Some of the New Hardware Drivers or Network Cards Are Not Detected during Installation
A.3.2 After Reinstalling the Access Gateway, SSL Fails
A.3.3 Reverting to an Earlier Snapshot of the Access Gateway Appliance Can Cause Multiple Crashes
A.3.4 Manually Configuring a Network Interface
A.3.5 Manually Setting and Deleting the Default Gateway
A.3.6 Manually Configuring the Hostname, Domain Name, and DNS Server
A.3.7 Verifying Component Installation
A.3.8 Signature Error in SLES 11 Network Mode of Installation
A.4 Troubleshooting the Access Gateway Service Installation
A.4.1 Troubleshooting the Linux Access Gateway Service Installation
A.4.2 Troubleshooting the Windows Access Gateway Service Installation
A.5 Troubleshooting the SSL VPN Installation
A.5.1 Manually Uninstalling the Enterprise Mode Thin Client
A.5.2 SSL VPN Health Status Is Yellow after an Upgrade
A.6 Troubleshooting the Access Gateway Import
A.6.1 Repairing an Import
A.6.2 Triggering an Import Retry
A.6.3 Fixing Potential Configuration Errors on the Access Gateway Appliance
A.6.4 Troubleshooting the Import Process
A.7 Troubleshooting an Access Gateway Appliance Upgrade
A.7.1 After You Migrate from SLES 9 to SLES 11, the Health Status Indicates That the Embedded Service Provider Cannot Find the Keystores
A.7.2 Embedded Service Provider Issues After Upgrading
A.7.3 Proxy Stops Responding after Trying to Upgrade with the Wrong Upgrade RPM
A.7.4 Pending Commands After an Upgrade
A.7.5 After You Upgrade to Version 3.1, the New Alerts for Auditing Do Not Appear
A.7.6 After Upgrading, the Access Gateway Health Status Indicates That It Is Waiting for a Policy Response
A.7.7 Upgrading the Access Gateway Appliance Randomly Stops the Embedded Service Provider
A.8 Troubleshooting a Linux Administration Console Upgrade
A.8.1 After You Upgrade from SLES 9 to SLES 10, Access Manager 3.1 SP2 Fails to Install
A.8.2 Upgrade Hangs
A.8.3 Multiple IP Addresses
A.8.4 Certificate Command Failure
A.9 Troubleshooting the Uninstall of the Access Gateway Service
A.10 Troubleshooting the Uninstall of the Windows Identity Server
B Modifications Required for a 3.0 Login Page
B.1 Modifying the File
B.2 Sample Modified File
C What’s New in Previous Releases
C.1 What’s New in Access Manager 3.1
C.1.1 Administration Console
C.1.2 Identity Server
C.1.3 Policies
C.1.4 SSL VPN
C.1.5 Access Gateway
C.1.6 J2EE Agents
C.2 What’s New in Access Manager 3.1 SP1
C.2.1 Identity Server Enhancements
C.2.2 Access Gateway Enhancements
C.2.3 SSL VPN Enhancements
C.2.4 J2EE Agent Enhancements
About This Guide
The purpose of this guide is to provide an introduction to Novell Access Manager and to describe
the installation, upgrade, and removal procedures.
• Chapter 1, “What’s New in Access Manager 3.1 SP2,” on page 13
• Chapter 2, “Novell Access Manager Product Overview,” on page 17
• Chapter 3, “Installation Requirements,” on page 35
• Chapter 4, “Installing the Access Manager Administration Console,” on page 51
• Chapter 5, “Installing the Novell Identity Server,” on page 61
• Chapter 6, “Installing the Linux Access Gateway Appliance,” on page 65
• Chapter 7, “Installing the Access Gateway Service,” on page 75
• Chapter 8, “Installing the SSL VPN Server,” on page 81
• Chapter 9, “Upgrading Access Manager Components,” on page 93
• Chapter 10, “Removing Components,” on page 147
• Chapter 11, “Migrating from iChain to Access Manager,” on page 153
• Appendix A, “Troubleshooting Installation and Upgrade,” on page 195
• Appendix B, “Modifications Required for a 3.0 Login Page,” on page 221
• Appendix C, “What’s New in Previous Releases,” on page 231
For information about the J2EE Agents, see the Novell Access Manager 3.1 SP2 J2EE Agent Guide.
Audience
This guide is intended for Access Manager administrators. It is assumed that you have knowledge of
evolving Internet protocols, such as:
• Extensible Markup Language (XML)
• Simple Object Access Protocol (SOAP)
• Security Assertion Markup Language (SAML)
• Public Key Infrastructure (PKI) digital signature concepts and Internet security
• Secure Socket Layer/Transport Layer Security (SSL/TLS)
• Hypertext Transfer Protocol (HTTP and HTTPS)
• Uniform Resource Identifiers (URIs)
• Domain Name System (DNS)
• Web Services Description Language (WSDL)
Feedback
We want to hear your comments and suggestions about this manual and the other documentation
included with this product. Please use the User Comments feature at the bottom of each page of the
online documentation, or go to 31bfdc18b7360b4c2e3f6454/documentation/feedback and enter your
comments there.
Documentation Updates
For the most recent version of the Access Manager Installation Guide, visit the Novell Access
Manager Documentation Web site (31bfdc18b7360b4c2e3f6454/documentation/novellaccessmanager31).
Additional Documentation
• Novell Access Manager 3.1 SP2 Setup Guide
• Novell Access Manager 3.1 SP2 Administration Console Guide
• Novell Access Manager 3.1 SP2 Identity Server Guide
• Novell Access Manager 3.1 SP2 Access Gateway Guide
• Novell Access Manager 3.1 SP2 Policy Guide
• Novell Access Manager 3.1 SP2 J2EE Agent Guide
• Novell Access Manager 3.1 SP2 SSL VPN Server Guide
Documentation Conventions
In Novell documentation, a greater-than symbol (>) is used to separate actions within a step and
items in a cross-reference path.
1 What’s New in Access Manager 3.1 SP2
Novell Access Manager 3.1 SP2 provides a number of key enhancements to various components.
These enhancements improve management, enhance security, and add cross-platform capabilities to
major components. These key features include:
- Section 1.1, “Administration Console Enhancements”
- Section 1.2, “Identity Server Enhancements”
- Section 1.3, “Access Gateway Enhancements”
- Section 1.4, “SSL VPN Enhancements”
1.1 Administration Console Enhancements
- Windows Server 2008: The Administration Console can now be installed on a Windows Server 2008 64-bit operating system on 64-bit hardware. For installation instructions, see Section 4.1.2, “Installing on Windows,” on page 53. For information on migrating the Administration Console from Windows Server 2003 to Windows Server 2008, see Section 9.5, “Migrating to Newer Operating Systems,” on page 115.
- SLES 11 Support: The Administration Console can now be installed on a SUSE Linux Enterprise Server (SLES) 11 32-bit operating system on 32-bit or 64-bit hardware. For installation instructions, see Section 4.1.1, “Installing on Linux,” on page 51. For information on migrating the Administration Console from SLES 10 to SLES 11, see Section 9.5, “Migrating to Newer Operating Systems,” on page 115.
1.2 Identity Server Enhancements
- Windows Server 2008: The Identity Server can now be installed on a Windows Server 2008 64-bit operating system on 64-bit hardware. For installation instructions, see Section 5.3, “Installing on Windows,” on page 63. For information on migrating the Identity Server from Windows Server 2003 to Windows Server 2008, see Section 9.5, “Migrating to Newer Operating Systems,” on page 115.
- SLES 11 Support: The Identity Server can now be installed on a SUSE Linux Enterprise Server (SLES) 11 32-bit operating system on 32-bit or 64-bit hardware. For installation instructions, see Section 5.2, “Installing on Linux,” on page 62. For information on migrating the Identity Server from SLES 10 to SLES 11, see Section 9.5, “Migrating to Newer Operating Systems,” on page 115.
- Timeout Per Contract: You can now specify an authentication timeout for each contract, rather than the global session timeout that was applied to all contracts in previous releases. When you upgrade, all contracts are assigned the value specified in the global session timeout, rounded up to the nearest value divisible by 5. You can then modify the contracts to meet your security requirements. For more information, see “Configuring Authentication Contracts” in the Novell Access Manager 3.1 SP2 Identity Server Guide.
- Attribute Sets: When you configure an attribute set, you can specify the format of the remote attribute. For configuration information, see “Configuring Attribute Sets” in the Novell Access Manager 3.1 SP2 Identity Server Guide.
- Passive Authentication: You can configure the authentication request so that it is passive. If the Identity Server can fulfill the authentication request without any user interaction, the authentication succeeds. Otherwise, it fails. For configuration information, see “Modifying the Authentication Card for Liberty or SAML 2.0” in the Novell Access Manager 3.1 SP2 Identity Server Guide.
- Local Logout: You can configure the Identity Server to perform a local logout rather than the default global logout. The global logout logs the user out of any other identity providers or service providers. For configuration information, see “Customizing the Identity Server Logout” in the Novell Access Manager 3.1 SP2 Identity Server Guide.
- OpenID Authentication Class: Allows the Identity Server to trust and use the credentials of an OpenID server for authentication. For more information, see “Configuring for OpenID Authentication” in the Novell Access Manager 3.1 SP2 Identity Server Guide.
- Password Retrieval Authentication Class: Allows you to fetch and store the user’s password as an LDAP credential when the user authenticates with a contract that does not use a password, such as RADIUS, Kerberos, OpenID, or X.509. For more information, see “Configuring Password Retrieval” in the Novell Access Manager 3.1 SP2 Identity Server Guide.
- SAML 2 Enhancements: The following modifications were made for the SAML 2 protocol:
  - You can select unspecified as a name identifier format for an authentication request. For configuration information, see “Configuring a SAML 2.0 Authentication Request” in the Novell Access Manager 3.1 SP2 Identity Server Guide.
  - You can specify a comparison value when specifying an authentication context. For configuration information, see “Configuring a SAML 2.0 Authentication Request” in the Novell Access Manager 3.1 SP2 Identity Server Guide.
  - You can set the authentication level for the authentication context. If you use class or type to set the authentication context, you set the authentication level by using the Trust Levels class. For configuration information, see “Configuring the Trust Levels Class” in the Novell Access Manager 3.1 SP2 Identity Server Guide.
    If you use a contract to set the authentication context, the authentication level is set on the contract. For configuration information, see “Configuring Authentication Contracts” in the Novell Access Manager 3.1 SP2 Identity Server Guide.
  - You can configure the Identity Server so that it displays the available identity providers to the user and the user can select which one to use. For configuration information, see “Configuring the Introductions Class” in the Novell Access Manager 3.1 SP2 Identity Server Guide.
1.3 Access Gateway Enhancements
- SLES 11 Support: The Linux Access Gateway Appliance now installs with a SUSE Linux Enterprise Server (SLES) 11 kernel. This puts the Access Gateway Appliance on a supported platform that supplies security updates.
- Simplified Installation: The installation program for the Access Gateway Appliance has been simplified, has a new look, and has only one mode of installation. For more information on installation, see Chapter 6, “Installing the Linux Access Gateway Appliance,” on page 65.
- Timeout Per Protected Resource: You can now configure protected resources to have different session limits. You do this by assigning to the protected resource a contract that has the session timeout that you require for the resource. The soft timeout has been replaced with an activity realm, which is used to determine when the user needs to be prompted for reauthentication. For more information, see “Assigning a Timeout Per Protected Resource” in the Novell Access Manager 3.1 SP2 Access Gateway Guide.
- Access Gateway Service: You can install the Access Gateway as a service on a SUSE Linux Enterprise Server (SLES) 11 64-bit operating system or Windows Server 2008 64-bit operating system. The Access Gateway Service supports all the major features of the Access Gateway Appliance. For a comparison that identifies the minor differences between the Access Gateway Service and the Access Gateway Appliance, see Section 3.6.5, “Access Gateway Feature Comparison,” on page 44.
- Performance: A number of enhancements have been made to improve performance. For additional ideas on how to tune your system for best performance, see “Tuning the Access Gateway for Performance” in the Novell Access Manager 3.1 SP2 Access Gateway Guide.
1.4 SSL VPN Enhancements
- Authentication Hardening: You can enable authentication hardening in Enterprise mode to provide protection against active attacks. Authentication hardening uses a keyed Hash Message Authentication Code (HMAC) to sign and verify packets. Packets are examined by a stateless filter and dropped if the HMAC signature does not match. For more information, see “Configuring the IP Address, Port, and Network Address Translation (NAT)” in the Novell Access Manager 3.1 SP2 SSL VPN Server Guide.
- Client Cleanup Options: The administrator can now control the Logout options that are displayed to the end users. The administrator can also configure client cleanup options and select whether the SSL VPN users are allowed to override the settings. For more information, see “Configuring Client Policies” in the Novell Access Manager 3.1 SP2 SSL VPN Server Guide.
- Client Integrity Check for MD5 Checksum: The MD5 checksum value of an absolute file can now be verified during the client integrity check. With this change, you can now use the filename as well as the MD5 checksum value of the file to verify the client integrity. For more information, see “Configuring Policies to Check the Integrity of the Client Machine” in the Novell Access Manager 3.1 SP2 SSL VPN Server Guide.
- Translating the Port on the ESP-Enabled SSL VPN: The ESP-enabled SSL VPN now provides an option to translate the listening port (8080 or 8443) to a standard listening port (80 or 443). For more information, see “Configuring Authentication for the ESP-Enabled Novell SSL VPN” in the Novell Access Manager 3.1 SP2 SSL VPN Server Guide.
- SLES 11 Support: You can now install the SSL VPN server on SUSE Linux Enterprise Server (SLES) 11.
- Support for New Client Operating Systems: The following new operating systems are now supported by the SSL VPN client.
  - Windows 7 32-bit and 64-bit clients
  - Macintosh 10.6 Snow Leopard clients
  - Kiosk mode is now supported on SLED 11 64-bit clients
  For more information, see Section 3.7.1, “Windows Client Limitations,” on page 47 and the Windows requirements section of the sslvpnclient help (overview > 1.2.3).
- IP Range Support in Traffic Policies: You can configure a traffic rule to allow or deny access to multiple destinations. In the previous releases of Access Manager, you could configure only a single traffic rule to allow or deny access to one destination IP or network. For more information, see “Configuring Traffic Policies” in the Novell Access Manager 3.1 SP2 SSL VPN Server Guide.
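The Authentication Hardening item above says that packets are signed with a keyed HMAC and dropped by a stateless filter when the signature does not match. The following added example (not Novell's code; the HMAC-SHA256 choice, the payload-plus-tag layout, the key, and all function names are assumptions for illustration) shows why such a filter needs no per-connection state: each decision uses only the shared key and the bytes of one packet.

```python
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 tag size; the hash choice is an assumption


def sign_packet(key: bytes, payload: bytes) -> bytes:
    """Sender side: append the HMAC tag (constructed layout: payload || tag)."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def filter_packet(key: bytes, packet: bytes):
    """Stateless filter: return the payload if the tag verifies, else None.

    The decision uses only the shared key and the bytes of this one packet,
    so no per-client state has to exist before a packet can be rejected.
    """
    if len(packet) < TAG_LEN:
        return None  # too short to carry a tag: drop
    payload, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # compare_digest runs in constant time, so the comparison does not
    # reveal how many leading bytes of a wrong tag were correct.
    return payload if hmac.compare_digest(tag, expected) else None


def run_filter(key: bytes, packets):
    """Apply the filter to a batch; return (accepted payloads, drop count)."""
    accepted, dropped = [], 0
    for pkt in packets:
        payload = filter_packet(key, pkt)
        if payload is None:
            dropped += 1
        else:
            accepted.append(payload)
    return accepted, dropped


def sample_packets(key: bytes):
    """Constructed sample traffic: one valid packet and three that must drop."""
    good = sign_packet(key, b"tunnel-data-0001")
    modified = bytes([good[0] ^ 0x01]) + good[1:]  # payload altered in transit
    wrong_key = sign_packet(b"some-other-key", b"tunnel-data-0002")
    truncated = good[:10]  # shorter than a tag
    return [good, modified, wrong_key, truncated]


if __name__ == "__main__":
    KEY = b"constructed-demo-key"  # constructed value, not a product default
    accepted, dropped = run_filter(KEY, sample_packets(KEY))
    print("accepted:", accepted, "dropped:", dropped)
```

A per-packet check of this kind accepts any packet whose tag verifies, including a repeated copy of an earlier valid packet; this guide does not state whether the product adds replay protection on top of the HMAC check.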
2 Novell Access Manager Product Overview
Novell Access Manager is a comprehensive access management solution that provides secure access
to Web and enterprise applications. Access Manager also provides seamless single sign-on across technical and organizational boundaries. It uses industry standards including Security Assertion
Markup Language (SAML) and Liberty Alliance protocols. It has a single console for management
and configuration. To provide secure access from any location, it supports multi-factor authentication, role-based access control, data encryption, and SSL VPN services.
This section discusses the following topics:
- Section 2.1, “How Access Manager Solves Business Challenges”
- Section 2.2, “How Access Manager Works”
- Section 2.3, “Access Manager Devices and Their Features”
2.1 How Access Manager Solves Business Challenges
As networks expand to connect people and businesses throughout the world, secure access to
business resources becomes increasingly more important and more complex. Gone are the days
when all employees worked from the same office; today’s employees work from corporate, home,
and mobile offices. Equally gone are the days when employees were the only ones who required
access to resources on your network; today, customers and partners require access to resources on
your network, and your employees require access to resources on partners’ networks or at service providers.
Novell Access Manager lets you provide employees, customers, and partners with secure access to
your network resources, whether those resources are Web applications, traditional server-based applications, or other content. If your business faces any of the following access-related challenges, Access Manager can help:
- Protecting resources so that only authorized users can access them, whether those users are employees, customers, or partners.
- Ensuring that the users who are authorized to use a resource can access that resource regardless of where the users are currently located.
- Requiring users to manage multiple passwords for authentication to Web applications.
- Making sure users have access only to the resources required for their jobs. In other words, ensuring that your authorization processes and practices match the business policies that define access privileges to your network resources.
- Revoking network access from users in minutes rather than days.
- Protecting users’ privacy and confidential information as they access company resources or partners’ resources.
- Proving compliance with your business policies, privacy laws such as Sarbanes-Oxley, HIPAA, or European Union, and other regulatory requirements.
The following sections expand on these challenges and introduce the solutions provided by Access Manager. If you are already aware of the business solutions provided by Access Manager, you might want to skip to the technical introduction provided in Section 2.2, “How Access Manager Works,” on page 25.
- Section 2.1.1, “Protecting Resources While Providing Access”
- Section 2.1.2, “Managing Passwords with Single Sign-On”
- Section 2.1.3, “Enforcing Business Policies”
- Section 2.1.4, “Sharing Identity Information”
- Section 2.1.5, “Protecting Identity Information”
- Section 2.1.6, “Complying with Regulations”
2.1.1 Protecting Resources While Providing Access
The primary purpose of Access Manager is to protect resources by allowing access only to users you have authorized. You can control access to Web (HTTP) resources as well as traditional server-based (non-HTTP) resources. As shown in the following illustration, those users who are authorized to use the protected resources are allowed access, while unauthorized users are denied access.
Access Manager secures your protected Web resources from Internet hackers. The addresses of the servers that host the protected resources are hidden from both external and internal users. The only way to access the resources is by logging in to Access Manager with authorized credentials. Access Manager protects only the resources you have set up as protected resources. It is not a firewall and should always be used in conjunction with a firewall product.
[Figure: Access Manager; Authorized User, Authorized User, Unauthorized User; Protected Web Resources; Non-HTTP Services (E-mail, Telnet, Thin Client, FTP)]
Because not all users work from within the confines of your local network, access to resources is independent of a user’s location, as shown in the following illustration. Access Manager provides the same secure access and same experience whether the user is accessing resources from your local office, from home, or from an airport terminal.
[Figure: Access Manager; Authorized User, Authorized User, Authorized User; Protected Web Resources; Non-HTTP Services (E-mail, Telnet, Thin Client, FTP)]
2.1.2 Managing Passwords with Single Sign-On
If your organization is like most, you have multiple applications that require user login. Multiple logins typically equate to multiple passwords. And multiple passwords mean forgotten passwords. Authentication through Access Manager not only establishes authorization to applications (see Protecting Resources While Providing Access above), but it can also provide authentication to those same applications. With Access Manager serving as the front-end authentication, you can deploy standards-based Web single sign-on, which means your employees, partners, and customers only need to remember one password or login routine to access all the corporate and Web-based applications they are authorized to use. That means far fewer help desk calls—and the reduced likelihood of users resorting to vulnerable written reminders.
By simplifying the use and management of passwords, Access Manager helps you enhance the user’s experience, increase security, streamline business processes, and reduce system
administration and support costs.
2.1.3 Enforcing Business Policies
Determining the access policies for an organization is often complicated and difficult, but the difficulty pales in comparison to enforcing the policies. Your IT personnel can spend hours
attempting to give users the correct access to resources, and hours more retracing their steps to see why the users can’t access what they should be able to. What’s worse, you might never know about the situations where users are granted access to resources they shouldn’t be accessing.
Access Manager automates the granting and removing of access through the use of roles and
policies. As shown in the following illustration, users are assigned to roles that have access policies associated with them. Each time a user authenticates through Access Manager, the user’s access is determined by the policies associated with the user’s roles.
[Figure: Login; Authenticate; Access Manager; Authorized User; User Authentication; Role Assignment; Policy Evaluation and Enforcement; Access to Resource]
In the following example, users assigned to the Accounting role receive access to the Accounting resources, Payroll users receive access to the Payroll resources, and Accounting managers receive access to both the Accounting and Manager resources.
[Figure: Accounting Role, Accounting Resources; Payroll Role, Payroll Resources; Accounting and Manager Role, Manager Resources]
Because access is based on roles, you can grant access in minutes and be certain that the access is consistent with your business policies. And, equally important, you can revoke access in minutes by removing role assignments from users.
For security-minded organizations, it comes down to this simple fact: you set the policies by which users gain access, and Access Manager enforces them consistently and quickly. There are no surprises and no delays.
2.1.4 Sharing Identity Information
In today’s business environment, few organizations stand alone. More than likely, you have trusted business partners with whom you need to share resources in a secure manner. Or, you have business services, such as a 401k management system, to which you need to provide employee access. Or, maybe your organization is the one providing services to another business. Access Manager provides federated identity management to enable users to seamlessly and securely authenticate across autonomous identity domains.
For example, assume that you have employees who need access to your corporate applications, several business partners’ applications, and their 401k service, as shown in the following figure.