Implementing iChain® in the Wild: Life beyond the lab Rich Roberts Senior Architect – Novell Consulting Novell Inc. Jim Short iChain Guru – Novell Consulting Resolution Team Novell Inc.


Page 1:

Implementing iChain® in the Wild: Life beyond the lab

Rich Roberts, Senior Architect – Novell Consulting, Novell Inc.

Jim Short, iChain Guru – Novell Consulting Resolution Team, Novell Inc.

Page 2:

© March 9, 2004 Novell Inc.

one Net: Information without boundaries… where the right people are connected with the right information at the right time to make the right decisions.

The one Net vision

Novell exteNd™

Novell Nsure™

Novell Nterprise™

Novell NgageSM

Page 3:

The one Net vision

Novell Nsure™: Novell Nsure solutions take identity management to a whole new level. Novell Nsure gives you the power to control access so you can confidently deliver the right resources to the right people — securely, efficiently, and best of all, affordably.

Novell exteNd™

Novell Nsure™

Novell Nterprise™

Novell NgageSM

Page 4:

© January 27, 2004 Novell Inc.

The Speakers

Jim Short: with Novell Support for over 10 years

iChain guru since the product was created

Border Manager® and NMAS™

Rich Roberts: with Novell Consulting for over 5 years

Implementing iChain for customers since 2000

Developer for iChain for over 3 years

Page 5:

Agenda

Feature Overview: Accelerators, Rewriter, SSL / SLDAP, Authentication

Architecture: Where do I stick it?

Working Examples: Secure a web site

Page 6:

What is iChain?

Web application single sign on

SSLizer

Reverse Proxy

Load Balancer

Authenticator

Page 7:

iChain Schema

Page 8:

The ISO Object

Page 9:

Skill sets required

What skill sets do you need to successfully implement iChain?

Web Site Development: HTML, Javascript, JSP

Page 10:

Architecture

Page 11:

Where to stick it...

Well now... What does your DMZ look like?

Where do your webbies and security folks say it should go?

There are several options and all are valid.

Page 12:

Outside The DMZ

Page 13:

In the DMZ

Page 14:

Inside of the firewall

Page 15:

Your Site Content

How to optimize your site to work better with iChain

Page 16:

The PIN List

Page 17:

Sample PIN List

URL Mask | PIN Type | Application | Issue with caching
/eGuide/* | Bypass | eGuide | Everyone's searching rights are different
/eMFrame/* | Bypass | iManager |
/servlet/* | Bypass | iChain Servlets |
/*.jsp | Bypass | JSPs |
/iFolder/* | Bypass | iFolder |
/nps/servlet/* | Bypass | NPS |
/servlets/psportal/*, /servlets/iclientservlet/*, /servlets/cs/P8ESS/cache/* | Bypass | Peoplesoft Portal |
*.gif, *.jpg, *.pdf | Memory | Peoplesoft Portal |
/SAPPortal/*, /sapportal/*, /sap/*, /irj/*, /hrnp$30001/* | Bypass | SAP Portal v5 |
/mail/*/webmail.nsf* | Bypass | Lotus Notes Mail v5 |
 | Bypass | Oracle Portal v9 |
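As an added example (not code from the slides or from Novell), here is a small Python evaluator for a PIN list like the one above. It assumes first-match-wins ordering and that '*' matches any run of characters; "Default" is a placeholder for the proxy's ordinary caching behaviour when no mask matches, and the final check function is ours: it flags personalized paths that are not marked Bypass, since a cached per-user page served to another user is an information-disclosure risk.

```python
import re

# PIN list reconstructed from the "Sample PIN List" slide, in table order.
# First match wins and '*' matches any run of characters: these semantics are
# assumptions for this example, not a statement of iChain's exact algorithm.
PIN_LIST = [
    ("/eGuide/*", "Bypass"),                 # per-user search rights: never cache
    ("/eMFrame/*", "Bypass"),                # iManager
    ("/servlet/*", "Bypass"),                # iChain servlets
    ("/*.jsp", "Bypass"),                    # JSPs
    ("/iFolder/*", "Bypass"),
    ("/nps/servlet/*", "Bypass"),
    ("/servlets/psportal/*", "Bypass"),      # PeopleSoft portal
    ("/servlets/iclientservlet/*", "Bypass"),
    ("/servlets/cs/P8ESS/cache/*", "Bypass"),
    ("*.gif", "Memory"),                     # static images may be cached
    ("*.jpg", "Memory"),
    ("*.pdf", "Memory"),
    ("/SAPPortal/*", "Bypass"),
    ("/sapportal/*", "Bypass"),
    ("/sap/*", "Bypass"),
    ("/irj/*", "Bypass"),
    ("/hrnp$30001/*", "Bypass"),
    ("/mail/*/webmail.nsf*", "Bypass"),      # Lotus Notes mail
]


def mask_to_regex(mask):
    """Translate a URL mask into an anchored regex; each '*' becomes '.*'."""
    return re.compile("^" + ".*".join(re.escape(p) for p in mask.split("*")) + "$")


COMPILED = [(mask_to_regex(mask), ptype) for mask, ptype in PIN_LIST]


def pin_type(path):
    """Return the PIN type of the first mask matching `path`.

    "Default" is a placeholder (assumption) for the proxy's normal caching
    rules when no mask matches."""
    for regex, ptype in COMPILED:
        if regex.match(path):
            return ptype
    return "Default"


def uncached_personalized(paths, personalized_prefixes):
    """Defender check (ours): personalized paths whose PIN type is not Bypass.

    Any path returned here could be served from cache to a different user."""
    prefixes = tuple(personalized_prefixes)
    return [p for p in paths if p.startswith(prefixes) and pin_type(p) != "Bypass"]
```

Note that order matters: a PeopleSoft image under /servlets/psportal/ hits the Bypass mask before the *.gif Memory mask, while an image elsewhere is cached.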

Page 18:

eDirectory Design

Page 19:

Support

Page 20:

Top 10 Support Issues

Page 21:

How to debug problems when Secure Exchange is enabled

Page 22:

Taking Packet Traces from iChain

Page 23:

Exporting a NAS File

Page 24:

Demonstrations

Page 25:

Basic Configurations

Page 26:

Load Balancing Web Servers

Page 27:

Access Control Methods

LDAP Authentication

Radius Authentication

SSL Certificate Mutual Authentication

Page 28:

How To Determine which SSO Method to use

Page 29:

iChain and your portal

Page 30:

Secure LDAP

Page 31:

HTTPS between iChain and the web server

Page 32:

Creating a form fill script

Page 33:

Interacting with iChain

Telnet

PuTTY

FTP

X-Session

NCP – Drive Mappings

Page 34:

Taking Packet Traces from iChain

Page 35:

Custom Login Pages

Page 36:

Custom Error Messages

Page 37:

Using 3rd Party Certs

Wild Cards

Are there any others?

Page 38:

User Account Management Modules

Page 39:

Password Management

Password Expiration Handling

Password Change Handling

Password Reset Self Service

Page 40:

Help Desk Modules

Helpdesk Account Reset

Helpdesk Change Password

Helpdesk Check User Status

Page 41:

Self Registration

Page 42:

Configuring the modules

Page 43:

Customizing the Modules

Page 44:

Liberty Alliance

Page 45:

SAML and Liberty Services

Page 46:

Open Source and Novell Forge

Page 47:

Forge Resources

Page 48:

Novell Cool Solutions

Page 49:

iChain FAQ

Page 50:

iChain FAQ

Is user name and password in the authentication header from iChain to target servers (IIS/Domino, etc) encrypted?

Is the authentication header passed with every page request?

Can iChain be configured to force users to authenticate through the iChain proxy server? Is there any way to restrict users from directly accessing web servers that are protected by iChain?

Does iChain provide an alternative method of forcing users to authenticate (i.e., web agents loaded on target web servers)?

Can iChain be configured to not display the address bar/URL of the application that is being accessed? Is there a configurable item in SAP portal that can hide the address bar/URL from being viewed by the user?

Can I turn on Auto Restart After Abend?

Page 51:

iChain Ports

Functionality | Port | Outbound Initiation | Comment
Web Mgmt GUI | 1959 | No |
Web Mgmt GUI Authentication | 2222 | No |
Web Mgmt GUI | 51100 | No |
ConsoleOne snap-in Refresh Settings | 21, 524 | No | Clear text password on wire
File Access for Login Pages, etc. / FTP | 21 | No | Clear text password on wire
Remote Control / Telnet | 23 | No | Clear text password on wire
File Access / NCP | 524 (TCP and UDP) | No |
SMTP Alerting | 25 | Yes |
SYSLOGing | 514 | Yes |
Name Resolution / DNS | 53 | Yes |
NTP | 123 | Yes |
LDAP | 389 | Yes | Clear Text Passwords and Identity Data
Secure LDAP | 636 | Yes |
HTTP | 80 | Yes |
HTTPS | 443 | Yes |
RDB | 8880 | No | Remote Debugging by Engineering
SNMP Monitoring | | Yes |
RADIUS | 1645 | Yes |
Session Broker 1 - Logins | 5001 | Yes |
Session Broker 2 - Logouts | 5002 | Yes |

Page 52:

Page 53:

General Disclaimer

This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Novell, Inc., makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.

No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.