Novell Access Manager Installation Guide


Novell

AUTHORIZED DOCUMENTATION
novdocx (en) 16 April 2010
31bfdc18b7360b4c2e3f6454

Novell Access Manager 3.1 SP2 Installation Guide

Access Manager 3.1 SP3
June 29, 2010
Installation Guide

Legal Notices

Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page (31bfdc18b7360b4c2e3f6454/info/exports/) for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.

Copyright © 2007-2010 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

Novell, Inc.
404 Wyman Street, Suite 500
Waltham, MA 02451
U.S.A.
31bfdc18b7360b4c2e3f6454

Online Documentation: To access the latest online documentation for this and other Novell products, see the Novell Documentation Web page (31bfdc18b7360b4c2e3f6454/documentation).

Novell Trademarks

For Novell trademarks, see the Novell Trademark and Service Mark list (31bfdc18b7360b4c2e3f6454/company/legal/trademarks/tmlist).

Third-Party Materials

All third-party trademarks are the property of their respective owners.

Contents

About This Guide . . . 11

1 What’s New in Access Manager 3.1 SP2 . . . 13
  1.1 Administration Console Enhancements . . . 13
  1.2 Identity Server Enhancements . . . 13
  1.3 Access Gateway Enhancements . . . 14
  1.4 SSL VPN Enhancements . . . 15

2 Novell Access Manager Product Overview . . . 17
  2.1 How Access Manager Solves Business Challenges . . . 17
    2.1.1 Protecting Resources While Providing Access . . . 18
    2.1.2 Managing Passwords with Single Sign-On . . . 19
    2.1.3 Enforcing Business Policies . . . 20
    2.1.4 Sharing Identity Information . . . 21
    2.1.5 Protecting Identity Information . . . 23
    2.1.6 Complying with Regulations . . . 24
  2.2 How Access Manager Works . . . 25
    2.2.1 Authentication . . . 25
    2.2.2 Authorization . . . 26
    2.2.3 Identity Injection . . . 26
    2.2.4 Identity Federation . . . 26
  2.3 Access Manager Devices and Their Features . . . 27
    2.3.1 Administration Console . . . 27
    2.3.2 Identity Servers . . . 28
    2.3.3 Access Gateways . . . 29
    2.3.4 SSL VPN . . . 30
    2.3.5 J2EE Agents . . . 30
    2.3.6 Policies . . . 30
    2.3.7 Certificate Management . . . 31
    2.3.8 Auditing and Logging . . . 31
    2.3.9 Embedded Service Provider . . . 31
    2.3.10 The User Portal Application . . . 32
    2.3.11 Language Support . . . 32

3 Installation Requirements . . . 35
  3.1 Recommended Installation Scenarios . . . 35
    3.1.1 Basic Setup . . . 36
    3.1.2 High Availability Configuration with Load Balancing . . . 37
  3.2 Hardware Platform Requirements . . . 37
  3.3 Network Requirements . . . 38
  3.4 Administration Console Requirements . . . 39
    3.4.1 Linux Requirements . . . 39
    3.4.2 Windows Requirements . . . 40
    3.4.3 Browser Support . . . 41
  3.5 Identity Server Requirements . . . 41
    3.5.1 Linux Requirements . . . 41
    3.5.2 Windows Requirements . . . 42
  3.6 Access Gateway Requirements . . . 42
    3.6.1 Access Gateway Appliance Requirements . . . 43
    3.6.2 Linux Access Gateway Service Requirements . . . 43
    3.6.3 Windows Access Gateway Service Requirements . . . 44
    3.6.4 Client Access Requirements . . . 44
    3.6.5 Access Gateway Feature Comparison . . . 44
  3.7 SSL VPN Requirements . . . 47
    3.7.1 Windows Client Limitations . . . 47
  3.8 Virtual Machine Requirements . . . 47
    3.8.1 Keeping Time Synchronized on the Access Manager Devices . . . 48
    3.8.2 How Many Virtual Machines Per Physical Machine . . . 48

4 Installing the Access Manager Administration Console . . . 51
  4.1 Installation Procedures . . . 51
    4.1.1 Installing on Linux . . . 51
    4.1.2 Installing on Windows . . . 53
  4.2 Configuring the Administration Console Firewall . . . 55
    4.2.1 Linux Administration Console . . . 56
    4.2.2 Windows Administration Console . . . 56
  4.3 Logging In to the Administration Console . . . 57
  4.4 Enabling the Administration Console for Multiple Network Interface Cards . . . 59
  4.5 Administration Console Conventions . . . 59

5 Installing the Novell Identity Server . . . 61
  5.1 Prerequisites . . . 61
  5.2 Installing on Linux . . . 62
  5.3 Installing on Windows . . . 63

6 Installing the Linux Access Gateway Appliance . . . 65
  6.1 Prerequisites for the Access Gateway Appliance . . . 65
  6.2 Boot Screen Function Keys . . . 66
  6.3 Installing the Access Gateway Appliance . . . 66
  6.4 Creating Custom Partitions . . . 72
  6.5 Viewing the Linux Installation Log . . . 73

7 Installing the Access Gateway Service . . . 75
  7.1 Prerequisites . . . 75
  7.2 Installing the Access Gateway Service . . . 76
  7.3 Silently Installing the Access Gateway Service . . . 77

8 Installing the SSL VPN Server . . . 81
  8.1 Installing the ESP-Enabled SSL VPN . . . 81
    8.1.1 Deployment Scenarios . . . 81
    8.1.2 Installing the ESP-Enabled SSL VPN . . . 84
  8.2 Installing the Traditional SSL VPN Server . . . 85
    8.2.1 Deployment Scenarios . . . 85
    8.2.2 Installing the Traditional Novell SSL VPN . . . 88
  8.3 Installing the Key for the High-Bandwidth SSLVPN . . . 91
  8.4 Verifying That Your SSL VPN Service Is Installed . . . 91

9 Upgrading Access Manager Components . . . 93
  9.1 Upgrading from the Evaluation Version to the Purchased Version . . . 93
  9.2 Upgrading from Access Manager 3.0 SP4 to Access Manager 3.1 SP2 . . . 94
    9.2.1 Before Starting the Upgrade . . . 95
    9.2.2 Upgrading the SP4 Administration Consoles . . . 98
    9.2.3 Upgrading the SP4 Identity Servers . . . 98
    9.2.4 Modifying 3.0 Login Pages for 3.1 SP2 . . . 101
    9.2.5 Upgrading the SP4 Linux Access Gateway Appliances . . . 105
    9.2.6 Upgrading the SP4 SSL VPN Servers . . . 107
    9.2.7 Upgrading the Policies . . . 109
    9.2.8 Troubleshooting a Failed Upgrade . . . 110
  9.3 Upgrading from Access Manager 3.1 to 3.1 SP2 . . . 111
    9.3.1 Configuration Changes to the SSL VPN Server Installed with the Access Gateway Appliance . . . 113
  9.4 Upgrading from Access Manager 3.1 SP1 to 3.1 SP2 . . . 114
  9.5 Migrating to Newer Operating Systems . . . 115
    9.5.1 Migrating Administration Consoles from SLES 10 to SLES 11 . . . 115
    9.5.2 Migrating Administration Consoles with or without Identity Servers from Windows 2003 to Windows 2008 . . . 116
    9.5.3 Migrating Identity Servers from SLES 10 to SLES 11 . . . 118
    9.5.4 Migrating Stand-Alone Identity Servers from Windows 2003 to Windows 2008 . . . 118
    9.5.5 Migrating to the SLES 11 Access Gateway Appliance . . . 119
    9.5.6 Migrating the SSL VPN Server to SLES 11 . . . 119
  9.6 Upgrading the Administration Console . . . 120
    9.6.1 Upgrading the Linux Administration Console . . . 121
    9.6.2 Upgrading the Windows Administration Console . . . 123
  9.7 Upgrading the Identity Server . . . 124
    9.7.1 Upgrading the Linux Identity Server . . . 124
    9.7.2 Upgrading the Windows Identity Server . . . 126
  9.8 Upgrading the Linux Access Gateway Appliance . . . 127
    9.8.1 Prerequisites . . . 128
    9.8.2 Backing Up and Restoring the Linux Access Gateway Files . . . 129
    9.8.3 Upgrading the Linux Appliance by Using the Interactive Method . . . 129
    9.8.4 Upgrading the Linux Appliance by Passing Parameters in the Command Line . . . 130
    9.8.5 Upgrading the Linux Appliance by Using the Administration Console . . . 131
    9.8.6 Installing or Updating the Latest Linux Patches . . . 132
  9.9 Upgrading the Access Gateway Service . . . 138
    9.9.1 Upgrading the Linux Access Gateway Service . . . 139
    9.9.2 Upgrading the Windows Access Gateway Service . . . 139
  9.10 Upgrading the SSL VPN Servers . . . 140
    9.10.1 Prerequisites . . . 140
    9.10.2 Upgrade Scenarios . . . 141
    9.10.3 Upgrading SSL VPN Installed on a Separate Machine . . . 143
    9.10.4 Migrating a Traditional SSL VPN Server to the ESP-Enabled Version . . . 144
  9.11 Converting a NetWare Access Gateway . . . 144
  9.12 Verifying Version Compatibility . . . 145

10 Removing Components . . . 147
  10.1 Uninstalling the Identity Server . . . 147
    10.1.1 Deleting Identity Server References . . . 147
    10.1.2 Uninstalling the Linux Identity Server . . . 148
    10.1.3 Uninstalling the Windows Identity Server . . . 148
  10.2 Reinstalling an Identity Server to a New Hard Drive . . . 149
  10.3 Uninstalling the Access Gateway . . . 149
    10.3.1 Uninstalling the Windows Access Gateway Service . . . 149
    10.3.2 Uninstalling the Linux Access Gateway Service . . . 150
  10.4 Uninstalling the Administration Console . . . 150
    10.4.1 Uninstalling the Linux Administration Console . . . 150
    10.4.2 Uninstalling the Windows Administration Console . . . 151
  10.5 Uninstalling the SSL VPN Server . . . 151
    10.5.1 Deleting the SSL VPN Server References . . . 151
    10.5.2 Uninstalling the SSL VPN Server . . . 152
    10.5.3 Uninstalling the RPM Key for High Bandwidth SSL VPN . . . 152

11 Migrating from iChain to Access Manager . . . 153
  11.1 Understanding the Differences between iChain and Access Manager . . . 153
    11.1.1 Component Differences . . . 153
    11.1.2 Feature Comparison . . . 154
  11.2 Planning the Migration . . . 155
    11.2.1 Possible Migration Strategies . . . 155
    11.2.2 Outlining the Migration Requirements for Each Resource . . . 162
  11.3 Migrating Components . . . 164
    11.3.1 Setting Up the Hardware and Installing the Software . . . 164
    11.3.2 Using an L4 Switch . . . 165
    11.3.3 Configuring the Identity Server for Authentication . . . 165
    11.3.4 Configuring System and Network Settings . . . 167
    11.3.5 Migrating the First Accelerator . . . 171
    11.3.6 Enabling Single Sign-On between iChain and Access Manager . . . 178
    11.3.7 Migrating Resources with Special Configurations . . . 181
    11.3.8 Moving Staged Components . . . 192
    11.3.9 Removing iChain . . . 192

A Troubleshooting Installation and Upgrade . . . 195
  A.1 Troubleshooting a Windows Administration Console Installation . . . 195
  A.2 Troubleshooting an Identity Server Import and Installation . . . 196
    A.2.1 The Identity Server Fails to Import into the Administration Console . . . 196
    A.2.2 Reimporting the Identity Server . . . 196
    A.2.3 Check the Installation Logs . . . 197
  A.3 Troubleshooting a Linux Access Gateway Appliance Installation . . . 198
    A.3.1 Some of the New Hardware Drivers or Network Cards Are Not Detected during Installation . . . 198
    A.3.2 After Reinstalling the Access Gateway, SSL Fails . . . 199
    A.3.3 Reverting to an Earlier Snapshot of the Access Gateway Appliance Can Cause Multiple Crashes . . . 199
    A.3.4 Manually Configuring a Network Interface . . . 199
    A.3.5 Manually Setting and Deleting the Default Gateway . . . 200
    A.3.6 Manually Configuring the Hostname, Domain Name, and DNS Server . . . 201
    A.3.7 Verifying Component Installation . . . 202
    A.3.8 Signature Error in SLES 11 Network Mode of Installation . . . 202
  A.4 Troubleshooting the Access Gateway Service Installation . . . 202
    A.4.1 Troubleshooting the Linux Access Gateway Service Installation . . . 203
    A.4.2 Troubleshooting the Windows Access Gateway Service Installation . . . 203
  A.5 Troubleshooting the SSL VPN Installation . . . 204
    A.5.1 Manually Uninstalling the Enterprise Mode Thin Client . . . 204
    A.5.2 SSL VPN Health Status Is Yellow after an Upgrade . . . 204
  A.6 Troubleshooting the Access Gateway Import . . . 205
    A.6.1 Repairing an Import . . . 205
    A.6.2 Triggering an Import Retry . . . 206
    A.6.3 Fixing Potential Configuration Errors on the Access Gateway Appliance . . . 207
    A.6.4 Troubleshooting the Import Process . . . 208
  A.7 Troubleshooting an Access Gateway Appliance Upgrade . . . 213
    A.7.1 After You Migrate from SLES 9 to SLES 11, the Health Status Indicates That the Embedded Service Provider Cannot Find the Keystores . . . 213
    A.7.2 Embedded Service Provider Issues After Upgrading . . . 214
    A.7.3 Proxy Stops Responding after Trying to Upgrade with the Wrong Upgrade RPM . . . 215
    A.7.4 Pending Commands After an Upgrade . . . 215
    A.7.5 After You Upgrade to Version 3.1, the New Alerts for Auditing Do Not Appear . . . 215
    A.7.6 After Upgrading, the Access Gateway Health Status Indicates That It Is Waiting for a Policy Response . . . 216
    A.7.7 Upgrading the Access Gateway Appliance Randomly Stops the Embedded Service Provider . . . 216
  A.8 Troubleshooting a Linux Administration Console Upgrade . . . 216
    A.8.1 After You Upgrade from SLES 9 to SLES 10, Access Manager 3.1 SP2 Fails to Install . . . 217
    A.8.2 Upgrade Hangs . . . 217
    A.8.3 Multiple IP Addresses . . . 218
    A.8.4 Certificate Command Failure . . . 218
  A.9 Troubleshooting the Uninstall of the Access Gateway Service . . . 218
  A.10 Troubleshooting the Uninstall of the Windows Identity Server . . . 219

B Modifications Required for a 3.0 Login Page . . . 221
  B.1 Modifying the File . . . 221
  B.2 Sample Modified File . . . 225

C What’s New in Previous Releases . . . 231
  C.1 What’s New in Access Manager 3.1 . . . 231
    C.1.1 Administration Console . . . 231
    C.1.2 Identity Server . . . 231
    C.1.3 Policies . . . 232
    C.1.4 SSL VPN . . . 232
    C.1.5 Access Gateway . . . 234
    C.1.6 J2EE Agents . . . 234
  C.2 What’s New in Access Manager 3.1 SP1 . . . 234
    C.2.1 Identity Server Enhancements . . . 234
    C.2.2 Access Gateway Enhancements . . . 235
    C.2.3 SSL VPN Enhancements . . . 236
    C.2.4 J2EE Agent Enhancements . . . 236

About This Guide

The purpose of this guide is to provide an introduction to Novell Access Manager and to describe the installation, upgrade, and removal procedures.

- Chapter 1, “What’s New in Access Manager 3.1 SP2,” on page 13
- Chapter 2, “Novell Access Manager Product Overview,” on page 17
- Chapter 3, “Installation Requirements,” on page 35
- Chapter 4, “Installing the Access Manager Administration Console,” on page 51
- Chapter 5, “Installing the Novell Identity Server,” on page 61
- Chapter 6, “Installing the Linux Access Gateway Appliance,” on page 65
- Chapter 7, “Installing the Access Gateway Service,” on page 75
- Chapter 8, “Installing the SSL VPN Server,” on page 81
- Chapter 9, “Upgrading Access Manager Components,” on page 93
- Chapter 10, “Removing Components,” on page 147
- Chapter 11, “Migrating from iChain to Access Manager,” on page 153
- Appendix A, “Troubleshooting Installation and Upgrade,” on page 195
- Appendix B, “Modifications Required for a 3.0 Login Page,” on page 221
- Appendix C, “What’s New in Previous Releases,” on page 231

For information about the J2EE Agents, see the Novell Access Manager 3.1 SP2 J2EE Agent Guide.

Audience

This guide is intended for Access Manager administrators. It is assumed that you have knowledge of evolving Internet protocols, such as:

- Extensible Markup Language (XML)
- Simple Object Access Protocol (SOAP)
- Security Assertion Markup Language (SAML)
- Public Key Infrastructure (PKI) digital signature concepts and Internet security
- Secure Socket Layer/Transport Layer Security (SSL/TLS)
- Hypertext Transfer Protocol (HTTP and HTTPS)
- Uniform Resource Identifiers (URIs)
- Domain Name System (DNS)
- Web Services Description Language (WSDL)

Feedback

We want to hear your comments and suggestions about this manual and the other documentation included with this product. Please use the User Comments feature at the bottom of each page of the online documentation, or go to 31bfdc18b7360b4c2e3f6454/documentation/feedback and enter your comments there.


Documentation Updates

For the most recent version of the Access Manager Installation Guide, visit the Novell Access Manager Documentation Web site (31bfdc18b7360b4c2e3f6454/documentation/novellaccessmanager31).

Additional Documentation

- Novell Access Manager 3.1 SP2 Setup Guide
- Novell Access Manager 3.1 SP2 Administration Console Guide
- Novell Access Manager 3.1 SP2 Identity Server Guide
- Novell Access Manager 3.1 SP2 Access Gateway Guide
- Novell Access Manager 3.1 SP2 Policy Guide
- Novell Access Manager 3.1 SP2 J2EE Agent Guide
- Novell Access Manager 3.1 SP2 SSL VPN Server Guide

Documentation Conventions

In Novell documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.

1 What’s New in Access Manager 3.1 SP2

Novell Access Manager 3.1 SP2 provides a number of key enhancements to various components. These enhancements improve management, enhance security, and add cross-platform capabilities to major components. These key features include:

• Section 1.1, “Administration Console Enhancements,” on page 13

• Section 1.2, “Identity Server Enhancements,” on page 13

• Section 1.3, “Access Gateway Enhancements,” on page 14

• Section 1.4, “SSL VPN Enhancements,” on page 15

1.1 Administration Console Enhancements

• Windows Server 2008: The Administration Console can now be installed on a Windows Server 2008 64-bit operating system on 64-bit hardware. For installation instructions, see Section 4.1.2, “Installing on Windows,” on page 53. For information on migrating the Administration Console from Windows Server 2003 to Windows Server 2008, see Section 9.5, “Migrating to Newer Operating Systems,” on page 115.

• SLES 11 Support: The Administration Console can now be installed on a SUSE Linux Enterprise Server (SLES) 11 32-bit operating system on 32-bit or 64-bit hardware. For installation instructions, see Section 4.1.1, “Installing on Linux,” on page 51. For information on migrating the Administration Console from SLES 10 to SLES 11, see Section 9.5, “Migrating to Newer Operating Systems,” on page 115.

1.2 Identity Server Enhancements

• Windows Server 2008: The Identity Server can now be installed on a Windows Server 2008 64-bit operating system on 64-bit hardware. For installation instructions, see Section 5.3, “Installing on Windows,” on page 63. For information on migrating the Identity Server from Windows Server 2003 to Windows Server 2008, see Section 9.5, “Migrating to Newer Operating Systems,” on page 115.

• SLES 11 Support: The Identity Server can now be installed on a SUSE Linux Enterprise Server (SLES) 11 32-bit operating system on 32-bit or 64-bit hardware. For installation instructions, see Section 5.2, “Installing on Linux,” on page 62. For information on migrating the Identity Server from SLES 10 to SLES 11, see Section 9.5, “Migrating to Newer Operating Systems,” on page 115.

• Timeout Per Contract: You can now specify an authentication timeout for each contract, rather than the global session timeout that was applied to all contracts in previous releases. When you upgrade, all contracts are assigned the value specified in the global session timeout, rounded up to the nearest value divisible by 5. You can then modify the contracts to meet your security requirements. For more information, see “Configuring Authentication Contracts” in the Novell Access Manager 3.1 SP2 Identity Server Guide.


• Attribute Sets: When you configure an attribute set, you can specify the format of the remote attribute. For configuration information, see “Configuring Attribute Sets” in the Novell Access Manager 3.1 SP2 Identity Server Guide.

• Passive Authentication: You can configure the authentication request so that it is passive. If the Identity Server can fulfill the authentication request without any user interaction, the authentication succeeds. Otherwise, it fails. For configuration information, see “Modifying the Authentication Card for Liberty or SAML 2.0” in the Novell Access Manager 3.1 SP2 Identity Server Guide.

• Local Logout: You can configure the Identity Server to perform a local logout rather than the default global logout. The global logout logs the user out of any other identity providers or service providers. For configuration information, see “Customizing the Identity Server Logout” in the Novell Access Manager 3.1 SP2 Identity Server Guide.

• OpenID Authentication Class: Allows the Identity Server to trust and use the credentials of an OpenID server for authentication. For more information, see “Configuring for OpenID Authentication” in the Novell Access Manager 3.1 SP2 Identity Server Guide.

• Password Retrieval Authentication Class: Allows you to fetch and store the user’s password as an LDAP credential when the user authenticates with a contract that does not use a password, such as RADIUS, Kerberos, OpenID, or X.509. For more information, see “Configuring Password Retrieval” in the Novell Access Manager 3.1 SP2 Identity Server Guide.

• SAML 2 Enhancements: The following modifications were made for the SAML 2 protocol:

  • You can select unspecified as a name identifier format for an authentication request. For configuration information, see “Configuring a SAML 2.0 Authentication Request” in the Novell Access Manager 3.1 SP2 Identity Server Guide.

  • You can specify a comparison value when specifying an authentication context. For configuration information, see “Configuring a SAML 2.0 Authentication Request” in the Novell Access Manager 3.1 SP2 Identity Server Guide.

  • You can set the authentication level for the authentication context. If you use class or type to set the authentication context, you set the authentication level by using the Trust Levels class. For configuration information, see “Configuring the Trust Levels Class” in the Novell Access Manager 3.1 SP2 Identity Server Guide.

    If you use a contract to set the authentication context, the authentication level is set on the contract. For configuration information, see “Configuring Authentication Contracts” in the Novell Access Manager 3.1 SP2 Identity Server Guide.

  • You can configure the Identity Server so that it displays the available identity providers to the user and the user can select which one to use. For configuration information, see “Configuring the Introductions Class” in the Novell Access Manager 3.1 SP2 Identity Server Guide.

1.3 Access Gateway Enhancements

• SLES 11 Support: The Linux Access Gateway Appliance now installs with a SUSE Linux Enterprise Server (SLES) 11 kernel. This puts the Access Gateway Appliance on a supported platform that supplies security updates.

• Simplified Installation: The installation program for the Access Gateway Appliance has been simplified, has a new look, and has only one mode of installation. For more information on installation, see Chapter 6, “Installing the Linux Access Gateway Appliance,” on page 65.


• Timeout Per Protected Resource: You can now configure protected resources to have different session limits. You do this by assigning to the protected resource a contract that has the session timeout that you require for the resource. The soft timeout has been replaced with an activity realm, which is used to determine when the user needs to be prompted for reauthentication. For more information, see “Assigning a Timeout Per Protected Resource” in the Novell Access Manager 3.1 SP2 Access Gateway Guide.

• Access Gateway Service: You can install the Access Gateway as a service on a SUSE Linux Enterprise Server (SLES) 11 64-bit operating system or Windows Server 2008 64-bit operating system. The Access Gateway Service supports all the major features of the Access Gateway Appliance. For a comparison that identifies the minor differences between the Access Gateway Service and the Access Gateway Appliance, see Section 3.6.5, “Access Gateway Feature Comparison,” on page 44.

• Performance: A number of enhancements have been made to improve performance. For additional ideas on how to tune your system for best performance, see “Tuning the Access Gateway for Performance” in the Novell Access Manager 3.1 SP2 Access Gateway Guide.

1.4 SSL VPN Enhancements

• Authentication Hardening: You can enable authentication hardening in Enterprise mode to provide protection against active attacks. Authentication hardening uses a keyed Hash Message Authentication Code (HMAC) to sign and verify packets. Packets are examined by a stateless filter and dropped if the HMAC signature does not match. For more information, see “Configuring the IP Address, Port, and Network Address Translation (NAT)” in the Novell Access Manager 3.1 SP2 SSL VPN Server Guide.

• Client Cleanup Options: The administrator can now control the Logout options that are displayed to the end users. The administrator can also configure client cleanup options and select whether the SSL VPN users are allowed to override the settings. For more information, see “Configuring Client Policies” in the Novell Access Manager 3.1 SP2 SSL VPN Server Guide.

• Client Integrity Check for MD5 Checksum: The MD5 checksum value of an absolute file can now be verified during the client integrity check. With this change, you can now use the filename as well as the MD5 checksum value of the file to verify the client integrity. For more information, see “Configuring Policies to Check the Integrity of the Client Machine” in the Novell Access Manager 3.1 SP2 SSL VPN Server Guide.

• Translating the Port on the ESP-Enabled SSL VPN: The ESP-enabled SSL VPN now provides an option to translate the listening port (8080 or 8443) to a standard listening port (80 or 443). For more information, see “Configuring Authentication for the ESP-Enabled Novell SSL VPN” in the Novell Access Manager 3.1 SP2 SSL VPN Server Guide.

• SLES 11 Support: You can now install the SSL VPN server on SUSE Linux Enterprise Server (SLES) 11.

• Support for New Client Operating Systems: The following new operating systems are now supported by the SSL VPN client.

  • Windows 7 32-bit and 64-bit clients

  • Macintosh 10.6 Snow Leopard clients

  • Kiosk mode is now supported on SLED 11 64-bit clients

  For more information, see Section 3.7.1, “Windows Client Limitations,” on page 47 and the Windows requirements section of the SSL VPN client help overview.


• IP Range Support in Traffic Policies: You can configure a traffic rule to allow or deny access to multiple destinations. In the previous releases of Access Manager, you could configure only a single traffic rule to allow or deny access to one destination IP or network. For more information, see “Configuring Traffic Policies” in the Novell Access Manager 3.1 SP2 SSL VPN Server Guide.
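The authentication hardening bullet in this list describes the mechanism only in one sentence: each packet carries a keyed HMAC, and a stateless filter recomputes the tag and drops any packet whose tag does not verify. The following is an added example written for this page, not code from the Novell SSL VPN server; the wire format (payload followed by a 32-byte HMAC-SHA256 tag), the shared key and the sample packets are all constructed for illustration.

```python
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 produces a 32-byte tag (assumed wire format: payload || tag)


def sign_packet(key: bytes, payload: bytes) -> bytes:
    """Sender side: append a keyed tag over the payload."""
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return payload + tag


def verify_packet(key: bytes, packet: bytes):
    """Receiver side, stateless filter: the decision depends only on the key
    and the packet itself. Returns the payload if the tag verifies, else None
    (the caller drops the packet)."""
    if len(packet) < TAG_LEN:
        return None  # too short to even carry a tag: drop
    payload, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # constant-time comparison so a forged tag cannot be guessed byte by byte
    if not hmac.compare_digest(tag, expected):
        return None
    return payload


def filter_packets(key: bytes, packets):
    """Run the stateless filter over a batch; return accepted payloads and drop count."""
    accepted, dropped = [], 0
    for packet in packets:
        payload = verify_packet(key, packet)
        if payload is None:
            dropped += 1
        else:
            accepted.append(payload)
    return accepted, dropped


def demo():
    """Constructed traffic: one valid packet and three that the filter must drop."""
    key = b"example-shared-key-not-for-production"  # constructed, hypothetical key
    good = sign_packet(key, b"client hello")
    # a single flipped bit in the payload invalidates the tag
    tampered = bytearray(good)
    tampered[0] ^= 0x01
    tampered = bytes(tampered)
    # a packet signed under a different key is rejected
    wrong_key = sign_packet(b"some-other-key", b"client hello")
    # a truncated packet cannot carry a full tag
    truncated = good[:10]
    return filter_packets(key, [good, tampered, wrong_key, truncated])


if __name__ == "__main__":
    accepted, dropped = demo()
    print("accepted:", accepted, "dropped:", dropped)
```

Because the filter keeps no per-connection state, it authenticates origin and integrity of each packet on its own; an unmodified, previously captured packet would still verify, so a deployment that needs replay detection has to carry a sequence number or timestamp inside the signed payload and check it at a stateful layer above this filter.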
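The IP range bullet above says a single traffic rule can now cover several destinations, but not how such rules are matched. The block below is an added example, not the product's traffic-policy engine: it models a rule as an allow or deny action over a set of destinations given as a single address, a CIDR block, or an inclusive address range, and evaluates rules first-match with a deny default. Rule syntax and the sample policy are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class TrafficRule:
    """One rule: an action applied to any of several destination networks (assumed model)."""
    action: str         # "allow" or "deny"
    destinations: tuple  # tuple of ipaddress.IPv4Network / IPv6Network


def parse_destination(spec: str) -> List:
    """Expand one destination spec into a list of networks.
    Accepts a single address ("10.0.0.1"), a CIDR block ("10.0.0.0/16"),
    or an inclusive range ("192.168.1.10-192.168.1.20")."""
    spec = spec.strip()
    if "-" in spec:
        low, high = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        # summarize_address_range raises if low > high; ranges become minimal CIDR blocks
        return list(ipaddress.summarize_address_range(low, high))
    # strict=False tolerates host bits in the spec, e.g. "10.0.5.7/24" -> 10.0.5.0/24
    return [ipaddress.ip_network(spec, strict=False)]


def make_rule(action: str, *specs: str) -> TrafficRule:
    """Build a rule; reject unknown actions and empty destination lists up front."""
    if action not in ("allow", "deny"):
        raise ValueError(f"unknown action {action!r}")
    if not specs:
        raise ValueError("a rule needs at least one destination")
    nets = []
    for spec in specs:
        nets.extend(parse_destination(spec))
    return TrafficRule(action, tuple(nets))


def evaluate(rules, dest_ip: str, default: str = "deny") -> str:
    """First-match evaluation: the first rule whose destination set contains
    dest_ip decides; if no rule matches, fall back to the default (deny)."""
    ip = ipaddress.ip_address(dest_ip)
    for rule in rules:
        # network membership is False across IP versions, so a v6 address never
        # silently matches a v4 network (or vice versa)
        if any(ip in net for net in rule.destinations):
            return rule.action
    return default


def demo_rules() -> List[TrafficRule]:
    """Constructed sample policy: block one subnet, allow the rest of 10.0.0.0/16
    plus a small range of hosts; everything else falls to the deny default."""
    return [
        make_rule("deny", "10.0.5.0/24"),
        make_rule("allow", "10.0.0.0/16", "192.168.1.10-192.168.1.20"),
    ]


if __name__ == "__main__":
    rules = demo_rules()
    for dest in ("10.0.5.7", "10.0.9.1", "192.168.1.15", "192.168.1.25", "8.8.8.8"):
        print(dest, "->", evaluate(rules, dest))
```

Rule order matters in a first-match scheme: placing the narrow deny before the broad allow is what keeps 10.0.5.0/24 blocked even though it lies inside 10.0.0.0/16.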

2 Novell Access Manager Product Overview

Novell Access Manager is a comprehensive access management solution that provides secure access to Web and enterprise applications. Access Manager also provides seamless single sign-on across technical and organizational boundaries. It uses industry standards including Security Assertion Markup Language (SAML) and Liberty Alliance protocols. It has a single console for management and configuration. To provide secure access from any location, it supports multi-factor authentication, role-based access control, data encryption, and SSL VPN services.

This section discusses the following topics:

• Section 2.1, “How Access Manager Solves Business Challenges,” on page 17

• Section 2.2, “How Access Manager Works,” on page 25

• Section 2.3, “Access Manager Devices and Their Features,” on page 27

2.1 How Access Manager Solves Business Challenges

As networks expand to connect people and businesses throughout the world, secure access to business resources becomes increasingly more important and more complex. Gone are the days when all employees worked from the same office; today’s employees work from corporate, home, and mobile offices. Equally gone are the days when employees were the only ones who required access to resources on your network; today, customers and partners require access to resources on your network, and your employees require access to resources on partners’ networks or at service providers.

Novell Access Manager lets you provide employees, customers, and partners with secure access to your network resources, whether those resources are Web applications, traditional server-based applications, or other content. If your business faces any of the following access-related challenges, Access Manager can help:

• Protecting resources so that only authorized users can access them, whether those users are employees, customers, or partners.

• Ensuring that the users who are authorized to use a resource can access that resource regardless of where the users are currently located.

• Requiring users to manage multiple passwords for authentication to Web applications.

• Making sure users have access only to the resources required for their jobs. In other words, ensuring that your authorization processes and practices match the business policies that define access privileges to your network resources.

• Revoking network access from users in minutes rather than days.

• Protecting users’ privacy and confidential information as they access company resources or partners’ resources.

• Proving compliance with your business policies, privacy laws such as Sarbanes-Oxley, HIPAA, or European Union, and other regulatory requirements.

The following sections expand on these challenges and introduce the solutions provided by Access Manager. If you are already aware of the business solutions provided by Access Manager, you might want to skip to the technical introduction provided in Section 2.2, “How Access Manager Works,” on page 25.

• Section 2.1.1, “Protecting Resources While Providing Access,” on page 18

• Section 2.1.2, “Managing Passwords with Single Sign-On,” on page 19

• Section 2.1.3, “Enforcing Business Policies,” on page 20

• Section 2.1.4, “Sharing Identity Information,” on page 21

• Section 2.1.5, “Protecting Identity Information,” on page 23

• Section 2.1.6, “Complying with Regulations,” on page 24

2.1.1 Protecting Resources While Providing Access

The primary purpose of Access Manager is to protect resources by allowing access only to users you have authorized. You can control access to Web (HTTP) resources as well as traditional server-based (non-HTTP) resources. As shown in the following illustration, those users who are authorized to use the protected resources are allowed access, while unauthorized users are denied access.

Access Manager secures your protected Web resources from Internet hackers. The addresses of the servers that host the protected resources are hidden from both external and internal users. The only way to access the resources is by logging in to Access Manager with authorized credentials. Access Manager protects only the resources you have set up as protected resources. It is not a firewall and should always be used in conjunction with a firewall product.

[Figure: Access Manager; Authorized User, Authorized User, Unauthorized User; Protected Web Resources; Non-HTTP Services (E-mail, Telnet, Thin Client, FTP)]

Because not all users work from within the confines of your local network, access to resources is independent of a user’s location, as shown in the following illustration. Access Manager provides the same secure access and same experience whether the user is accessing resources from your local office, from home, or from an airport terminal.

2.1.2 Managing Passwords with Single Sign-On

If your organization is like most, you have multiple applications that require user login. Multiple logins typically equate to multiple passwords, and multiple passwords mean forgotten passwords. Authentication through Access Manager not only establishes authorization to applications (see Protecting Resources While Providing Access above), but it can also provide authentication to those same applications. With Access Manager serving as the front-end authentication, you can deploy standards-based Web single sign-on, which means your employees, partners, and customers only need to remember one password or login routine to access all the corporate and Web-based applications they are authorized to use. That means far fewer help desk calls, and a reduced likelihood of users resorting to vulnerable written reminders.

[Figure: Access Manager; Authorized User, Authorized User, Authorized User; Protected Web Resources; Non-HTTP Services (E-mail, Telnet, Thin Client, FTP)]


By simplifying the use and management of passwords, Access Manager helps you enhance the user’s experience, increase security, streamline business processes, and reduce system administration and support costs.

2.1.3 Enforcing Business Policies

Determining the access policies for an organization is often complicated and difficult, but the difficulty pales in comparison to enforcing the policies. Your IT personnel can spend hours attempting to give users the correct access to resources, and hours more retracing their steps to see why the users can’t access what they should be able to. What’s worse, you might never know about the situations where users are granted access to resources they shouldn’t be accessing.

Access Manager automates the granting and removing of access through the use of roles and policies. As shown in the following illustration, users are assigned to roles that have access policies associated with them. Each time a user authenticates through Access Manager, the user’s access is determined by the policies associated with the user’s roles.

In the following example, users assigned to the Accounting role receive access to the Accounting resources, Payroll users receive access to the Payroll resources, and Accounting managers receive access to both the Accounting and Manager resources.

[Figure: Login; Authenticate; Access Manager; Authorized User; Role Assignment; User Authentication; Policy Evaluation and Enforcement; Access to Resource]

Because access is based on roles, you can grant access in minutes and be certain that the access is consistent with your business policies. And, equally important, you can revoke access in minutes by removing role assignments from users.

For security-minded organizations, it comes down to this simple fact: you set the policies by which users gain access, and Access Manager enforces them consistently and quickly. There are no surprises and no delays.

2.1.4 Sharing Identity Information

In today’s business environment, few organizations stand alone. More than likely, you have trusted business partners with whom you need to share resources in a secure manner. Or, you have business services, such as a 401k management system, to which you need to provide employee access. Or, maybe your organization is the one providing services to another business. Access Manager provides federated identity management to enable users to seamlessly and securely authenticate across autonomous identity domains.

For example, assume that you have employees who need access to your corporate applications, several business partners’ applications, and their 401k service, as shown in the following figure.

[Figure: Accounting Resources, Accounting Role; Payroll Resources, Payroll Role; Manager Resources, Accounting and Manager Role]
