Novell Access Manager 3.1 SP4 User guide

  • Hello! I am an AI chatbot trained to assist you with the Novell Access Manager 3.1 SP4 User guide. I’ve already reviewed the document and can help you find the information you need or explain it in simple terms. Just ask your questions, and providing more details will help me assist you more effectively!
www.novell.com/documentation
Policy Guide
Access Manager 3.1 SP5
January 2013
Legal Notices
Novell,Inc.,makesnorepresentationsorwarrantieswithrespecttothecontentsoruseofthisdocumentation,andspecifically
disclaimsanyexpressorimpliedwarrantiesofmerchantabilityorfitnessforanyparticularpurpose.Further,Novell,Inc.,
reservestherighttorevisethispublicationandtomakechangestoitscontent,at
anytime,withoutobligationtonotifyany
personorentityofsuchrevisionsorchanges.
Further,Novell,Inc.,makesnorepresentationsorwarrantieswithrespecttoanysoftware,andspecificallydisclaimsany
expressorimpliedwarrantiesofmerchantabilityorfitnessforanyparticularpurpose.Further,Novell,Inc.,reservestheright
to
makechangestoanyandallpartsofNovellsoftware,atanytime,withoutanyobligationtonotifyanypersonorentityof
suchchanges.
AnyproductsortechnicalinformationprovidedunderthisAgreementmaybesubjecttoU.S.exportcontrolsandthetrade
lawsofothercountries.Youagreeto
complywithallexportcontrolregulationsandtoobtainanyrequiredlicensesor
classificationtoexport,reexportorimportdeliverables.YouagreenottoexportorreexporttoentitiesonthecurrentU.S.
exportexclusionlistsortoanyembargoedorterroristcountriesasspecifiedintheU.S.
exportlaws.Youagreetonotuse
deliverablesforprohibitednuclear,missile,orchemicalbiologicalweaponryenduses.SeetheNovellInternationalTrade
ServicesWebpage(http://www.novell.com/info/exports/)formoreinformationonexportingNovellsoftware.Novellassumes
noresponsibilityforyourfailuretoobtainanynecessaryexportapprovals.
Copyright©2013Novell,
Inc.Allrightsreserved.Nopartofthispublicationmaybereproduced,photocopied,storedona
retrievalsystem,ortransmittedwithouttheexpresswrittenconsentofthepublisher.
Novell, Inc.
1800 South Novell Place
Provo, UT 84606
U.S.A.
www.novell.com
OnlineDocumentation:ToaccessthelatestonlinedocumentationforthisandotherNovellproducts,seetheNovell
DocumentationWebpage(http://www.novell.com/documentation).
Novell Trademarks
ForNovelltrademarks,seetheNovellTrademarkandServiceMarklist(http://www.novell.com/company/legal/trademarks/
tmlist.html).
Third-Party Materials
Allthirdpartytrademarksarethepropertyoftheirrespectiveowners.
Contents 3
Contents
About This Guide 7
1 Managing Policies 9
1.1 Selecting a Policy Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9
1.2 Policy Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10
1.3 Managing Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
1.3.1 Creating Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
1.3.2 Sorting Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
1.3.3 Deleting Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
1.3.4 Renaming or Copying a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11
1.3.5 Importing and Exporting Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12
1.3.6 Creating the SSL VPN Default Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12
1.3.7 Refreshing Policy Assignments. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12
1.3.8 Viewing Policy Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
1.4 Viewing Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13
1.5 Managing Policy Containers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
1.6 Managing a Rule List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
1.6.1 Rule Evaluation for Role Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
1.6.2 Rule Evaluation for Authorization Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
1.6.3 Rule Evaluation for Identity Injection and Form Fill Policies . . . . . . . . . . . . . . . . . . . . . . . .15
1.6.4 Viewing Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
1.7 Adding Policy Extensions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
1.7.1 Installing the Extension on the Administration Console. . . . . . . . . . . . . . . . . . . . . . . . . . . .16
1.7.2 Distributing a Policy Extension . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
1.7.3 Managing a Policy Extension Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
1.7.4 Viewing Extension Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
1.8 Enabling Policy Logging. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
2 Creating Role Policies 21
2.1 Understanding RBAC in Access Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21
2.1.1 Assigning All Authenticated Users to a Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
2.1.2 Using a Role to Create an Authentication Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
2.1.3 Using Prioritized Rules in an Authorization Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24
2.2 Creating Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25
2.2.1 Selecting Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27
2.2.2 Using Multiple Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
2.2.3 Selecting an Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42
2.3 Example Role Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44
2.3.1 Creating an Employee Role. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44
2.3.2 Creating a Manager Role. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46
2.3.3 Creating a Rule for a Contract with ORed Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . .47
2.4 Creating Access Manager Roles in an Existing Role-Based Policy System . . . . . . . . . . . . . . . . . . .49
2.4.1 Activating Roles from External Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .49
2.4.2 Using Conditions to Assign Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .51
2.5 Mapping Roles between Trusted Providers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .58
2.5.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
2.5.2 Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .59
2.6 Enabling and Disabling Role Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .60
2.7 Importing and Exporting Role Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
4 Contents
3 Creating Authorization Policies 61
3.1 Designing an Authorization Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61
3.1.1 Controlling Access with a Deny Rule and a Negative Condition . . . . . . . . . . . . . . . . . . . . .62
3.1.2 Configuring the Result on Condition Error Option . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63
3.1.3 Many Rules or Many Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63
3.1.4 Using Multiple Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
3.1.5 Controlling Access with Multiple Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65
3.1.6 Using Permit Rules with a Deny Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
3.1.7 Using Deny Rules with a General Permit Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .67
3.1.8 Public Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
3.1.9 General Design Principles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .69
3.1.10 Using the Refresh Data Option . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .70
3.1.11 Assigning Policies to Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .70
3.2 Creating Access Gateway Authorization Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .71
3.3 Sample Access Gateway Authorization Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .73
3.3.1 Sample Policy Based on Organizational Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .73
3.3.2 Sample Workflow Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .76
3.4 Creating Web Authorization Policies for J2EE Agents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
3.5 Creating Enterprise JavaBean Authorization Policies for J2EE Agents. . . . . . . . . . . . . . . . . . . . . . . 81
3.6 Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
3.6.1 Authentication Contract Condition. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .83
3.6.2 Client IP Condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
3.6.3 Credential Profile Condition. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .86
3.6.4 Current Date Condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .87
3.6.5 Day of Week Condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .88
3.6.6 Current Day of Month Condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .89
3.6.7 Current Time of Day Condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .90
3.6.8 HTTP Request Method Condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .91
3.6.9 LDAP Attribute Condition. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
3.6.10 LDAP OU Condition. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .93
3.6.11 Liberty User Profile Condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .95
3.6.12 Roles Condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
3.6.13 URL Condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
3.6.14 URL Scheme Condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98
3.6.15 URL Host Condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
3.6.16 URL Path Condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
3.6.17 URL File Name Condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .102
3.6.18 URL File Extension Condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .103
3.6.19 X-Forward-For IP Condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .104
3.6.20 Condition Extension. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .105
3.6.21 Data Extension . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
3.6.22 Using the URL Dredge Option. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .106
3.6.23 Edit Button. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .106
3.7 Importing and Exporting Authorization Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .107
4 Creating Identity Injection Policies 109
4.1 Designing an Identity Injection Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
4.1.1 Using the Refresh Data Option . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .110
4.2 Configuring an Identity Injection Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .111
4.3 Configuring an Authentication Header Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .112
4.4 Configuring a Custom Header Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
4.5 Configuring a Custom Header with Tags. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .118
4.6 Specifying a Query String for Injection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .121
4.7 Injecting into the Cookie Header . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .123
4.8 Importing and Exporting Identity Injection Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .124
4.9 Sample Identity Injection Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Contents 5
5 Creating Form Fill Policies 127
5.1 Understanding an HTML Form. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .127
5.2 Creating a Form Fill Policy for the Sample Form. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .130
5.3 Implementing Form Fill Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .133
5.3.1 Designing a Form Fill Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .133
5.3.2 Creating a Form Fill Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .138
5.3.3 Creating a Login Failure Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .143
5.3.4 Troubleshooting a Form Fill Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .144
5.4 Creating and Managing Shared Secrets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .146
5.4.1 Naming Conventions for Shared Secrets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .146
5.4.2 Creating a Shared Secret Independent of a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .147
5.4.3 Modifying and Deleting a Shared Secret. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .148
5.5 Importing and Exporting Form Fill Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .148
5.6 Configuring a Form Fill Policy for Forms With Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .149
5.6.1 Why Does Form Fill Fail with the Default Policy? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .149
5.6.2 Understanding How a Form Is Submitted . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
5.6.3 Creating a Form Fill Policy for Autosubmission. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .152
5.6.4 Creating Touch Files for Autosubmission . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
6 Troubleshooting Access Manager Policies 155
6.1 Turning on Logging for Policy Evaluation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .155
6.2 Understanding Policy Evaluation Traces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .156
6.2.1 Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .157
6.2.2 Policy Result Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .163
6.2.3 Role Assignment Traces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .164
6.2.4 Identity Injection Traces. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .165
6.2.5 Authorization Traces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .167
6.2.6 Form Fill Traces. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
6.3 Common Configuration Problems That Prevent a Policy from Being Applied as Expected. . . . . . .174
6.3.1 Enabling Roles for Authorization Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .174
6.3.2 LDAP Attribute Condition. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .175
6.3.3 Result on Condition Error Value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .175
6.3.4 An External Secret Store and Form Fill . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .176
6.4 The Policy Is Using Old User Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .176
6.5 Form Fill and Identity Injection Silently Fail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .177
6.6 Checking for Corrupted Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .178
6.7 Policy Page Timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .178
6.8 Policy Creation and Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .178
6.9 Policy Distribution. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .178
6.10 Policy Evaluation: Access Gateway Devices. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .179
6.10.1 Successful Policy Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .180
6.10.2 No Policy Defined Configuration Example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .181
6.10.3 Deny Access Configuration/Evaluation Example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .181
6 Contents
About This Guide 7
About This Guide
Thisguidedescribesthefollow ingfeaturesofNovellAccessManagerpolicies:
Chapter 1,“ManagingPolicies,onpage 9
Chapter 2,“CreatingRolePolicies,onpage 21
Chapter 3,“CreatingAuthorizationPolicies,onpage 61
Chapter 4,“CreatingIdentityInjectionPolicies,onpage 109
Chapter 5,“CreatingFormFillPolicies,onpage 127
Chapter 6,“TroubleshootingAccessManagerPolicies,onpage 155
Thisis
intendedtohelpyouunderstandandconfigureallofthepolicyfeaturesprovidedbyAccess
Managerandincludesadvancedtopics.
Itisrecommendedthatyoufirstbecomefamiliarwiththeinform ationintheNetIQAccessManager
3.1SP5SetupGuide,whichhelpsyouunderstandhowtoperformabasicIdentity
Server
configuration,setuparesourceprotectedbyanAccessGateway,andconfigureSSL.
Audience
ThisguideisintendedforAccessManageradministrators.Itisassumedthatyouhaveknowledgeof
evolvingInternetprotocols,suchas:
ExtensibleMarkupLanguage(XML)
SimpleObjectAccessProtocol(SOAP)
SecurityAssertionMarkupLanguage(SAML)
PublicKeyInfrastructure(PKI)digitalsignatureconceptsandInternetsecurity
SecureSocketLayer/TransportLay erSecurity(SSL/TLS)
HypertextTransferProtocol(HTTPandHTTPS)
UniformResourceIdentifiers(URIs)
DomainNameSystem(DNS)
WebServicesDescriptionLanguage(WSDL)
Feedback
Wewanttohearyourcommentsandsuggestionsaboutthisguideandtheotherdocumentation
includedwiththisproduct.PleaseusetheUserCommentsfeatureatthebottomofeachpageofthe
onlinedocumentation,orgotoDocumentationFeedback(http://www.novell.com/documentation/
feedback.html)atwww.novell.com/documentation/feedback.htmlandenteryourcommentsthere.
Documentation Updates
ForthemostrecentversionoftheAccessManagerPoliciesGuide,visittheNovellAccessManager
DocumentationWebsite(http://www.novell.com/documentation/novellaccessmanager31).
8 Novell Access Manager 3.1 SP5 Policy Guide
Additional Documentation
Beforeproceeding,youshouldbefamiliarwiththeNetIQAccessManager3.1SP5InstallationGuide
andtheNetIQAccessManager3.1SP5SetupGuide,whichprovideinformationaboutinstallingand
settinguptheAccessManagersystem.
Thefollowingdevicereferenceguidesarealsoavailable:
NetIQAccessManager3.1SP5IdentityServer
Guide
NetIQAccessManager3.1SP5AdministrationConsoleGuide
NetIQAccessManager3.1SP5AccessGatewayGuide
NovellAccessManager3.1SP4SSLVPNServerGuide
NetIQAccessManager3.1SP5J2EEAgentGuide
Documentation Conventions
InNovelldocumentation,agreaterthansymbol(>)isusedtoseparateactionswithinastepand
itemsinacrossreferencepath.
1
Managing Policies 9
1
Managing Policies
Policiesarelogicalandtestablerulesthatyouusetomaintainorder,security,andconsistencywithin
yourAccessManagerinfrastructure.Youcanspecifyactivationcriteria,deactivationcriteria,
temporalconstraints(suchastimeofdayorsubnet),identityconstraints(suchasuserobjectattribute
values),andadditionalseparationofdutyconstraints.Identity
informationcancomefromany
identitysource(suchLDAP,anIdentityVault,oradirectory)orfromtheAccessManagersIdentity
Server,whichprovidesfullLibertyAlliancespecificationsupportandSAML2.0support.Identityis
availablethroughoutthedeterminationofrightsandpermissions.
Section 1.1,“SelectingaPolicyType,onpage 9
Section 1.2,“PolicyPerformance,”onpage 10
Section 1.3,“ManagingPolicies,”onpage 10
Section 1.4,“ViewingPolicies,onpage 13
Section 1.5,“ManagingPolicyContainers,”onpage 13
Section 1.6,“ManagingaRuleList,”onpage 14
Section 1.7,AddingPolicyExtensions,”onpage 16
Section 1.8,“EnablingPolicyLogging,”onpage 20
1.1 Selecting a Policy Type
AccessManagerusesthepolicytypetodefinethecontextwithinwhichapolicyisevaluated.Each
typeofpolicydiffersinpurpose,whichinturndeterminestheconditionsandactionsthatapply.For
example,theconditionsandactionsofanAuthorizationpolicydifferfromtheconditionsandactions
ofan
IdentityInjectionpolicy.
WhenyouclickNewonthePoliciespage,thesystemdisplaysthepredefinedpolicy typesinadrop
downlist.Eachpolicytyperepresentsthesetofconditionsandactionsthatareavailable.Youthen
configurerulestodetermineuserroles,makedecisionrequests,andenforceauthorizationdecisions.
Youcanalsosetuppolicieswithnoconditions,allowingactionstoalwaystakeplace.Aspoliciesand
conditionsbecomecomplex,itcanbesimplerandmoremanageabletodesignpolicieswith
conditionsthatdenyorrestrictaccesstolargegroupsofusers,ratherthansettinguppoliciesthat
permit
accesstocertainusers.
AccessManagerhasthefollowingpolicytypes:
AccessGateway:Authorization:Thispolicytypeisusedtopermitordenyaccesstoprotected
resources,suchasWebservers.Afteryouhavesetuptheprotectedresource,youusethepolicy
rulestodefinehowyouwanttorestrict
access.Forexample,ifauserisdeniedaccesstoa
resource,youcanuse thepolicytoredirectthemtoaURLwheretheycanrequestaccesstothe
resource.
10 Novell Access Manager 3.1 SP5 Policy Guide
AccessGateway:IdentityInjection:ThispolicytypeevaluatestherulesforIdentityInjection,
whichretrievesidentitydatafromadatasource(userstore)andforwardsittoWebapplications.
Suchapolicycanenablesinglesignon.Aftertheuserhasauthenticated,thepolicysuppliesthe
informationrequiredbythe
resourceratherthanallowingtheresourcetopromptthe userfor
theinformation.
AccessGateway:FormFill:Thispolicytypeisusedtocreateapolicythatautomaticallyfillsin
theinformationrequiredinaform,aftertheuserhasfilledintheformonce.Suchapolicycan
enablesingle
signontoresourcesthatrequireformdatabeforeallowingaccess.
IdentityServer:Roles:Thispolicytypeevaluatesrulesforestablishingtherolesofan
authenticateduser.Rolesaregeneratedbasedonpolicystatementseachtimeauser
authenticates.RolesareplacedintoanAuthenticati onProfile,whichcanbeused
asinputin
policiesforAuthorizationorIdentityInjection.
J2EEAgent:EJBAuthorization:Thispolicytypeallowsyoutocreatepoliciesthatprotectan
EnterpriseJavaBean.Youcanprotecttheentirebeanorspecificinterfacesormethods.
J2EEAgent:WebAuthorization:Thispolicytypeallowsyoutocreatepoliciesthat
protectthe
Webapplications onaJ2EEserver.
1.2 Policy Performance
AuthorizationandIdentityInjectionpoliciesallowyoutoselectconditions,oneofwhichisRoles.If
youhavethousandsofusersaccessingyourresources,youmightwanttodesignmostofyour
policiestouse roles.Rolesareevaluatedwhenauserlogsin,andtherolesassignedtotheuser
are
cachedaslongasthesessionisactive.Whentheuseraccessesaresourceprotectedbyapolicythat
usesroleconditions,thepolicycanbeimmediatelyevaluatedbecausetheusersrolevaluesare
available.Thisisnottrueforallconditions;thevaluesforsomeconditionsmustbe
retrievedfromthe
userstore.Forexample,ifthepolicyusesaconditionwithanLDAPattribute,theusersvaluemust
beretrievedfromtheLDAPuserstorebeforethepolicycanbeevaluated.Onasystemwithmedium
traffic,thisdelaywon’tbenoticed.Onasystemwithhightraffic,
thedelaymightbenoticeable.
However,youcandesignyourpoliciestohavethesameresultswithoutcausingtheretrievalofthe
LDAPattributevalueatresourceaccess.YoucancreateaRolepolicyfortheLDAPattributeandhave
usersassignedtothisroleatauthenticationwhentheymatch
theattributevaluerequirements.When
theusersaccesstheresources,theygainimmediateaccess(orareimmediatelydeniedaccess)
becausetheirroleassignmentsarecached.
IfthesameLDAPattributepolicyisusedtograntaccesstomultipleresources,thechancethatthe
usernoticesadelayisslight.Thefirst
timeapolicyisevaluatedforauser,thedatarequiredforthe
policyiscachedandisthereforeimmediatelyavailablethenexttimeitisrequested.
AnotheroptionavailableforLDAPattributesistohavetheattributevaluessentwiththeassertionat
authentication.Youconfigureanattributeset
fortheattributes,andthenconfiguretheservice
providerfortheseattributes.Formoreinformation,seeConfiguringtheAttributesSentwith
AuthenticationintheNetIQAccessManager3.1SP5IdentityServerGuide.
Asyoudesignyourpolicies,experimentandfindthetypethatworksbestforyournetworkandyour
customers.
1.3 Managing Policies
1 IntheAdministrationConsole,clickPolicies>Policies.
2 InthePolicyContainerdropdownlist,selectthecontainer.
Ifyouhavenotcreatedanycontainers,onlytheMaster_Containerisavailableinthelist.
Managing Policies 11
3 Youcanperformthefollowingtasksfromthispage:
“CreatingPoliciesonpage 11
“SortingPoliciesonpage 11
“DeletingPoliciesonpage 11
“RenamingorCopyingaPolicyonpage 11
“ImportingandExportingPoliciesonpage 12
“CreatingtheSSLVPNDefaultPolicyonpage 12
“RefreshingPolicyAssignments”onpage 12
1.3.1 Creating Policies
Beforecreatingpolicies,youneedtodesignyourpolicystrategy.Forexample,ifyouaregoingtouse
rolebasedaccess,youneedtodecidewhichrolesyouneedandwhichrolesallowaccesstoyour
protectedresources.Roles,whichareusedbyAuthorizationpoliciesthatgrantanddenyaccess,
need
tobecreatedfirst.Ifyouhavealreadycreatedtherolesandassignedthemtousersinyour
LDAPuserstore,youcanusethevaluesofyourroleattributesintheAuthorizationpoliciesrather
thanusingAccessManagerroles.
Tocreateapolicy,seethefollowingsections:
Chapter 2,“CreatingRole
Policies,onpage 21
Chapter 3,“CreatingAuthorizationPolicies,onpage 61
Chapter 4,“CreatingIdentityInjectionPolicies,onpage 109
Chapter 5,“CreatingFormFillPolicies,onpage 127
1.3.2 Sorting Policies
Policiescanbesortedbynameandbytype.OnthePoliciespage,clickNameinthePolicyList,andthe
policiesaresortedalphabeticallybyname.Tosortalphabeticallybytype,clickTypeinthePolicyList.
Youcanalsousecontainerstoorganizeyourpolicies.Formoreinformation,
seeSection 1.5,
“ManagingPolicyContainers,”onpage 13.
1.3.3 Deleting Policies
Apolicycannotbedeletedaslongasaresourceisconfiguredtousethepolicy.ForAccessGateway
andJ2EEAgentpolicies,thismeansthatyoumustremovethepolicyfromallprotectedresources.
RolescanbeusedbyAuthorization,FormFill,andIdentityInjectionpolicies.Beforeyoucandelete
a
Rolepolicy,youmustremoveanyreferencetotherolefromallotherpolicies.
1.3.4 Renaming or Copying a Policy
Copy:Tocopyapolicy,sel ecta policy,clickCopy,thenclickOK.Thenewpolicyisnamed“Copyof
...”Thisisusefulwhenyouarecreatingmultiplepoliciesthatrequireonlyminorvariationstomake
themunique.Youshouldrenamethepolicyaftermakingthesemodifications.
Rename:To
renameapolicy,selectapolicy,clickRename,specifyanewname,thenclickOK.
12 Novell Access Manager 3.1 SP5 Policy Guide
1.3.5 Importing and Exporting Policies
PoliciesthatarecreatedintheAdministrationConsolecanbeexportedandusedinanother
AdministrationConsolethatismanagingadifferentgroupofAccessGatewaysandotherdevices.
Eachpolicytypehasslightlydifferentimportrequirements.Seethefollowing:
Section 2.7,“ImportingandExportingRolePolicies,onpage 60
Section 3.7,“Importingand
ExportingAuthorizationPolicies,onpage 107
Section 4.8,“ImportingandExportingIdentityInjectionPolicies,”onpage 124
Section 5.5,“ImportingandExportingFormFillPolicies,onpage 148
1.3.6 Creating the SSL VPN Default Policy
TocreatethedefaultpolicythattheSSLVPNserveruses,clicktheCreateSSLVPNDefaultoption.
ThisoptioncreatesanIdentityInjectionpolicythatisusedtosetupsinglesignonwiththeSSLVPN
server.Afteryouhavecreatedthispolicy,thisoptionisnolongeravailable.
1.3.7 Refreshing Policy Assignments
Ifyouhavemadechangesinpolicyassignmentsthatarenotreflectedonthepage,clickRefresh
References.Thisactioncantakeawhiletocompleteifyouhavenumerouspoliciesandhaveassigned
themtoprotectnumerousresources.TheAdministrationConsoleneedstoverifytheconfiguration
ofeachdevice.
1.3.8 Viewing Policy Information
ThePolicyListtabledisplaysthefollowinginformationabouteachpolicy.
Column Description
Name Displays the name of the policy. To modify a policy, click its name.
Type Specifies the type of policy (Authorization, Identity Injection, Roles, or Form Fill) and
the type of resource that can use it (Identity Server, Access Gateway, or J2EE
Agent).
Used By Displays the name of the Access Gateway, the Identity Server configuration, or the
J2EE Agent that the policy is assigned to. If the policy is unassigned, this column
has no value.
If the policy is assigned to a protected resource, click the down-arrow button to view
the names of the resources it has been assigned to.
Extensions Used Specifies whether the policy uses any extensions. If none has been used, this
column has no value.
Description Displays a description of the policy. If no description has been specified, this
column has no value.
Managing Policies 13
1.4 Viewing Policies
TheypolicyviewadministratorscanlogintoAccessManagerwiththeircredentialsandtheyare
allowedtoviewonlythepolicycontainersassignedtothem.
1 LogintoAccesssManager.
2 InthePolicyContainerdropdownlist,selectthecontainer.
ThePolicyListtabledisplaysthefollowinginformationabouteachpolicy.
1.5 Managing Policy Containers
Youusepolicycontainerstostoreandorganizepolicies,similartohowyouorganizefilesinfol ders.
TheMaster_Containerisapermanentpolicycontainer,butyoucanusetheContainerstabtocreate
newcontainers.
Apolicycontainercanholdupto500policies.Whenyoureachthatlimit,youmust
createanother
containertoadd,copy,orimportpolicies.Forperformanceandforeaseinfindingapolicy,youmight
wanttolimitacontainerto200orfewerpolicies.Policiesinacontainercanbesortedbynameand
type,toaidyouinfindingaparticularpolicy.
If
youhaveonlyoneadministra torconfiguringandmanagingpolicies,youcancreateadditional
policycontainerstohelpyoukeeppoliciesorganized.Ifyouhavemultipleadministratorscreating
policies,youcancreateacontainerforeachadministratortouse.Thisallowsmultipleadministrators
tomodifypoliciesatthesametime.Whenan
administratoropensapolicyinacontainer,the
containerislocked,whichpreventsotheradministratorsfrommodifyinganypoliciesinthat
containeruntilchangesareappliedorcanceled.
1 IntheAdministrationConsole,clickPolicies>Containers.
2 OntheContainerspage,clickNew .
3 Namethepolicycontainer,thenclickOK.
4 ClickClose.
Afteryouaddapolicycontainer,thesystemdisplaysitinthePolicyContainerdropdownliston
thePolicyListpage.
Youmustdeleteallthepoliciesinapolicycontainerbeforeyoucandeletethepolicycontainer.
1 Selectthecheckboxofthepolicycontainer.ClickDelete.AConfirmdialogboxdisplaysa
messageʺNumberofContainersselected:1,DeleteselectedContainers?ʺ
2 ClickOktocontinueorCanceltoclosethewindow
Column Description
Name Displays the name of the policy.
Type Specifies the type of policy (Authorization, Identity Injection, Roles, or Form Fill) and
the type of resource that can use it (Identity Server, Access Gateway, or J2EE
Agent).
Description Displays a description of the policy. If no description has been specified, this
column has no value.
14 Novell Access Manager 3.1 SP5 Policy Guide
1.6 Managing a Rule List
Youconfigurerulestocreateapolicy.Therulescollectivelyrepresentadesiredcourseofactionwhen
therequiredconditionsaremet,suchasdenyingentrylevelemployeesaccesstoasecureWebsite,
andpermittingaccessforemployeeswhohavearoleofManager.
Whenthesystemevaluatesthepolicy
conditions,itbeginswiththerulewiththehighestpriorityand
evaluatestheconditions,startingwiththefirstconditiongroupintherule.Eachrulecontainsoneor
moreconditionsandoneormoreactions.Ifarule’sconditionsaremet,therule’sactionisperformed.
Forsomepolicytypes,the
performanceofanyrule’sactionterminatesthepolicyevaluation.With
Authorizationpolicies,forexample,afterthepolicyhasdeterminedthatauseriseitherpermittedor
deniedaccesstoaresource,thereisnoreasontoevaluatethepolicyfurther.However,aRolepolicy
mightidentifymultiplerolestowhich
auserbelongs.Inthiscase,eachruleofthepolicymustbe
evaluatedtodetermineallrolestowhichtheuserbelongs.
IMPORTANT:Theinterfaceforthepolicyengineisdesignedforflexibility.Itdoesnotprotectyou
fromcreatingrulesthatdonothingbecausetheyarealwaystrueoralwaysfalse.Forexample,you
cansetupaconditionwhereClientIPisequaltoClientIP,whichisalwaystrue.
Youareresponsible
fordefiningtheconditionsothat itdoesameaningfulcomparison.
Tomanagethelistofrulesforapolicy:
1 IntheAdministrationConsole,clickPolicies>Policies.
2 Selectthecontainer.
3 Clickthenameofthepolicy.
4 IntheRuleListsection,selectoneofthefollowing:
New:Tocreateanewrule,clickNew.
Youusemultiplerulestocoordinatehowapolicyoperates,andthebehaviorvariesaccordingto
thepolicytype.Tounderstandhowmultiplerulesareevaluated,seethefollowing:
Section 1.6.1,“RuleEvaluationfor
RolePolicies,”onpage 14
Section 1.6.2,“RuleEvaluationforAuthorizationPolicies,onpage 15
Section 1.6.3,“RuleEvaluationforIdentityInjectionandFormFillPolicies,onpage 15
Delete:Selectarule,thenclickthisoptiontodeletetherule.Ifthepolicyhasonlyonerule,you
cannotdeletethelastrule.
Copy:Select
arule,thenclickthisoptiontocopyarule.Tomodifythecopy,clicktherule
number.
Enable:Selectarule,thenclickthisoptiontoenablearule.
Disable:Selectarule,thenclickthisoptiontodisablearule.
5 ClickOK,thenclickApplyChanges.
1.6.1 Rule Evaluation for Role Policies
ARolepolicyisusedtodeterminewhichroleorrolesauserisassignedto.However,youcanspecify
onlyoneroleperrule.Rolepoliciesareevaluatedwhenauserauthenticates.Rolepoliciesdonot
directlydenyorallowaccesstoanyresource,nordotheydetermineifa
userisauthenticated.A
usersrolecanbeusedintheevaluationofanAuthorizationpolicy,butatthatpointtheevaluationof
therolepolicyhasalreadyoccurredandisnotdirectlypartoftheauthorizationprocess.The
performanceofanaction(assigningausertoarole)does
notterminatetheevaluationofthepolicy,
sosubsequentrulesinthepolicycontinuetobeevaluated.
Managing Policies 15
1.6.2 Rule Evaluation for Authorization Policies
WhentheAccessGatewaydiscoversaruleinanAuthorizationpolicythateitherpermitsordeniesa
useraccesstoaprotectedresource,itstopsprocessingtherulesinthepolicy.Usethefollowing
guidelinesindeterminingwhetheryourAuthorizationpolicyneedsmultiplerules:
Ifthepolicyenforcesmultipleaccessrequirements
thatcanresultindifferingactions(either
permitordeny),useseparaterulestodefinetheconditionsandactions.
Ifyouwantotherconditionsoractionsprocessedwhenarulefails,youmustcreateasecond
rulefortheusersthatfailtomatchtheconditions.
Ifyoucreatemultiplerules,
youcanmodifytheorderthattherulesareprocessed.Thisallowsyouto
createpoliciesthatcontainanumberofPermitrulesthatallowaccessiftheusermatchestherule.
ThelowestpriorityruleinsuchapolicyisaDenyrule,whichdeniesaccesstoeveryonewho
hasnot
previouslymatchedaPermitrule.
IMPORTANT:IfyoucreatepolicieswithmultiplePermitrules,youshouldmakethelastruleinthe
policyagenericdenypolicy(arulewithnoconditionsandwithanactionofdeny).Thisensuresthat
iftheResultonErrorConditionfieldinaruleissetincorrectly,the
usermatchesthelastruleandis
deniedaccess.Withoutthisrule,ausermightgainaccessbecausetheuserdidntmatchanyofthe
rules.
Youcanalsocreateanumberofpoliciesandenablemultiplepoliciesforthesameprotectedresource.
Ruleprioritydetermineshowtheenabledpoliciesinteractwitheachother.Therulesinthepolicies
aregatheredintoonelist,thensortedbypriority.Theprocessingrulesareappliedasifthe
rulescame
fromonepolicy.Itisapersonaldesignissuewhetheryoucreateapolicywithmultiplerulesorcreate
multiplepoliciesthatyouenableonasingleprotectedresource.Eitherdesignproducesalistofrules,
sortedbypriority,thatisappliedtotheuserrequestingaccesstothe
protectedresource.
1.6.3 Rule Evaluation for Identity Injection and Form Fill Policies
RulesinIdentityInjectionand FormFillpolicieshaveactions,butnoconditions.Becaus etheyhave
noconditions,alltherulesareevaluatedandtheactionsareperformed.IdentityInjectionpolicies
havetwoexceptionstothisrule;theycaninsertonlyoneauthenticationheaderandonecookie
header.Ifyoucreate
multiplerules,eachwithanauthenticationheaderandacookieheader,therule
withthehighestpriorityisprocessedanditsactionsperformed.Theactionsinthesecondrulefor
injectinganauthenticationheaderandacookieheaderareignored.
YoucannotcreatemultiplerulesforaFormFillpolicy.
1.6.4 Viewing Rules
Thepolicyviewadministratorscanviewtheinformationrelatedtorules.Therulescollectively
representadesiredcourseofactionwhentherequiredconditionsaremet,suchasdenyingentry
levelemployeesaccesstoasecureWebsite,andpermittingaccessforemployeeswhohavearoleof
Manager.
Whenthesystem
evaluatesthepolicyconditions,itbeginswiththerulewiththehighestpriorityand
evaluatestheconditions,startingwiththefirstconditiongroupintherule.Eachrulecontainsoneor
moreconditionsandoneormoreactions.Ifarule’sconditionsaremet,therule’sactionisperformed.
Forsome
policytypes,theperformanceofanyrulesactionterminatesthepolicyevaluation.
16 Novell Access Manager 3.1 SP5 Policy Guide
Toviewthelistofrulesforapolicy:
1 IntheAdministrationConsole,clickPolicies>Policies.
2 Selectthecontainer.
3 Clickthenameofthepolicy.
4 IntheRuleListsection,thepolicyviewadministratorcanviewthefollowingdetails.
Type:Displaysthetypeofthepolicy.
Description:Displaysthedescriptionofthepolicytype.
Priority:Displaysthepriorityoftherulenumbertothepolicytype.
Actions:Displaystheactionsforthepolicytype.
1.7 Adding Policy Extensions
IfAccessManagerdoesnotsupplytheaction,thedatatype,ortheconditionthatyouneedfora
policy,youcanaddacustomizedpolicyextension.Forexample,supposeyouneedapolicythat
permitsaccessbasedonwhetherauserhasaspecificrolewhichisassignedtousers
inanOracle
database.ThecustomextensioncouldreadtheroleassignmentsoftheuserfromtheOracledatabase
andreturnastringcontainingtherolenames.Thisdatacouldthenbeusedtodetermineaccessrights
toAccessManagerresources.Forinformationonhowtocreateapolicyextension,
seetheNovell
AccessManagerDeveloperKit(http://developer.novell.com/wik i/index.php/
Novell_Access_Manager_Developer_Tools_and_Examples).
Afterapolicyextensionhasbeencreated,youneedtoperformthefollowingtaskstousethe
extension:
Section 1.7.1,“InstallingtheExtensionontheAdministrationConsole,”onpage 16
Section 1.7.2,“DistributingaPolicyExtension,”onpage 18
Afteryouhaveconfiguredtheextension,
youcanperformthefollowingtasks:
Section 1.7.3,“ManagingaPolicyExtensionConfiguration,”onpage 19
Section 1.7.4,“ViewingExtensionDetails,”onpage 19
1.7.1 Installing the Extension on the Administration Console
Thepolicyextensioncanbedeliveredaseithera
.jar
fileora
.zip
file.
“UploadingandConfiguringaJARFile”onpage 16
“ImportingaZIPFile”onpage 18
Uploading and Configuring a JAR File
Toinstallanextension,youneedtohaveaccesstothe
.jar
fileandknowthefollowinginformation
abouttheextensionorextensionscontainedwithinthefile.
What you need to create
A display name for the extension.
A description for the extension.
Managing Policies 17
Ifthefilecontainsmorethanoneextension,youneedtocreateaconfigurationforeachextensionin
thefile.
1 Copythe
.jar
filetoalocationthatyoucanbrowsetofromtheAdministrationConsole.
2 IntheAdministrationConsole,clickPolicies>Extensions.
3 Touploadthefile,clickUpload>Browse,selectthefile,thenclickOpen.
4 (Conditional)Ifyouwantthis
.jar
filetooverwriteanexistingversionofthefile,select
Overwriteexisting*.jarfile.
5 ClickOK.
ThefileisuploadedtotheAdministrationConsole,butnothingisvisibleontheExtensionspage
untilyoucreateaconfiguration.
6 Tocreateanextensionconfiguration,clickNew,thenfillinthefollowingfields:
Name:Specifyadisplaynamefortheextension.
Description:(Optional)Specifythepurposeoftheextensionandhowitshouldbeused.
PolicyType:Fromthedropdownlist,selectthetypeofextensionyouhaveuploaded.
Type:From
thedropdownlist,selectthedatatypeoftheextension.
ClassName:Specifythenameoftheclassthatcreatestheextension,suchas
com.acme.policy.action.successActionFactory.
FileName:Fromthedropdownlist,selectthe
.jar
filethatcontainstheJavaclassthat
implementstheextensionanditscorrespondingfactory.Thisshouldbethefileyouuploadedin
Step 3.
7 ClickOK.
What you need to know
The policy type of the extension, which defines the policy type it can be used
with. You should know whether it is an extension for an Access Gateway
Authorization policy, an Access Gateway Identity Injection policy, or an Identity
Server Role policy.
The name of the Java class that is used by the extension. Each data type
usually uses a different Java factory class.
The filename of the extension.
The names, IDs, and mapping type of any configuration parameters.
Configuration parameters allow the policy engine to pass data to the extension,
which the extension can then use to retrieve data or to evaluate a condition.
The type of data the extension manipulates.
Authorization Policy: Can be used to return the following:
An action of deny, permit, or obligation.
A condition that the extension evaluates and returns either true or false.
A data element that the extension retrieves and the policy can use for
evaluating a condition.
Identity Injection Policy: A data extension that retrieves data for injecting into a
header.
Identity Role Policy: Can be used to return the following:
A condition that the extension evaluates and returns either true or false.
A data element that the extension retrieves which can be used in evaluating a
condition or used to assign roles.
18 Novell Access Manager 3.1 SP5 Policy Guide
8 (Conditional)IftheextensionrequiresdatafromAccessManager,clickthenameofthe
extension.
9 IntheConfigurationParameterssection,clickNew,specifyanameandID,thenclickOK.
ThedeveloperoftheextensionmustsupplythenameandIDthattheextensionrequires.
10 IntheMappingcolumn,clickthedownarrow,thenselecttherequireddatatype.
Thedeveloperoftheextensionmustsupplythedatatypethatisrequired.Ifthedatatypeisa
datastring,thenthe developerneedstoexplainthetypeofinformationyouneedtosupplyin
the
textfield.
11 (Conditional)Iftheextensionrequiresmorethanonedataitem,repeatStep 9andStep 10.
12 ClickOK.
Theextensionisnowavailableforthepolicytypeitwascreatedfor.
13 (Conditional)Iftheclasscanbeusedformultiplepolicytypes,youneedtocreateanextension
configurationforeachpolicytype.
Forexample,ifanextensioncanbeusedforbothanIdentityInjectionpolicyandaRole policy,
youneedtocreateanentryforboth.TheFileName
optionshouldcontainthesamevalue,butthe
otheroptionsshouldcontainuniquevalues.
14 ContinuewithSection 1.7.2,“DistributingaPolicyExtension,”onpage 18.
Importing a ZIP File
A
.zip
filewithanex portedextensioncontainsboththe
.jar
fileandtheextensionconfiguration.
1 Copythe
.zip
filetoalocationthatyoucanbrowsetofromtheAdministrationConsole.
2 IntheAdministrationConsole,clickPolicies>Extensions.
3 Touploadthefile,clickUpload>Browse,selectthefile,thenclickOpen.
4 (Conditional)Ifyouwantthe
.jar
fileinthe importtooverwriteanexistingversionofthefile,
selectOverwriteexisting*.jarfile.
5 ClickOK.
TheextensionisimportedintheAdministrationConsole.
6 (Conditional)Iftheextensionrequiressomecustomizing,clickthenameoftheextensionand
followtheinstructionsthatcamewiththeextension.
7 ContinuewithSection 1.7.2,“DistributingaPolicyExtension,”onpage 18.
1.7.2 Distributing a Policy Extension
Todistributedthepolicyextensiontothedevicesthatneedit:
1 Createapolicythatusestheextension:
RolePolicy:TocreateaRolepolicythatusestheextension,seeSection 2.2,“Creating
Roles,”onpage 25.
IdentityInjectionPolicy:TocreateanIdentityInjectionpolicythatusestheextension,see
Section 4.2,“ConfiguringanIdentityInjectionPolicy,onpage 111.
AuthorizationPolicy:Tocreate
anAuthorizationpolicythatusestheextension,see
Section 3.2,“CreatingAccessGatewayAuthorizationPolicies,onpage 71.
2 Assignthepolicytoadevice:
ForaRolepolicy,enableitforanIdentityServer.
Managing Policies 19
Formoreinformation,seeSection 2.6,“EnablingandDisablingRolePolicies,”onpage 60.
ForanAuthorizationpolicy,assignittoaprotectedresource.
Formoreinformation,seeAssigninganAuthorizationPolicytoaProtectedResourcein
theNetIQAccessManager3.1SP5AccessGatewayGuide.
ForanIdentityInjectionpolicy,
assignittoaprotectedresource.
Formoreinformation,seeAssigninganIdentityInjectionPolicytoaProtectedResource
intheNetIQAccessManager3.1SP5AccessGatewayGuide.
IMPORTANT:Donotupdatethedeviceatthistime.The
.jar
filesmustbedistributedbefore
youupdatethedevice.
3 Distributethe
.jar
files:
3a ClickPolicies>Extensions.
3b Selecttheextension,thenclickDistributeJARs.
3c RestartTomcatonthedeviceslistedforreboot.
Linux:Enterthefollowingcommand:
/etc/init.d/novell-tomcat5 restart
Windows:Enterthefollowingcommands:
net stop Tomcat5
net start Tomcat5
4 (Conditional)IftheextensionisforanAuthorizationpolicyoranIdentityInjectionpolicy,
updatetheAccessGateway.
1.7.3 Managing a Policy Extension Configuration
1 IntheAdministrationConsole,clickPolicies>Extensions.
2 Toexportapolicyextension,selectthepolicy,thenclickExport.
3 Todeleteanextension,apolicycannotbeusingit.UsetheUsedBycolumntodeterminethe
policiesthatareusingtheextension.Modifythelistedpolicies.Whentheextensionisnolonger
usedbyanypolicies,selecttheextension,thenclickDelete.
4 Torenameapolicyextension,selecttheextension,clickRename,specifyanewname,thenclick
OK.Whenapolicyextensionisrenamedandtheextensionisinusebyapolicy,thepolicyis
updated.ThiscausestheApplyChangesbuttontobeactiveonthePolicyListpage.
1.7.4 Viewing Extension Details
YoucanmodifythedetailsofanexistingextensionandcontroltheinformationAccessManager
providestotheextensionwhenthedataisevaluated.
1 IntheAdministrationConsole,clickPolicies>Extensions.
2 Clickthenameoftheextension.
Youcan viewormodifythefollowingdetails:
Description:(Optional)Specifiesthepurposeoftheextensionandhowitshouldbeused.
ClassName:Specifiesthenameoftheclassthatcreatestheextension,forexample
com.acme.policy.action.successActionFactory.
FileName:Specifiesthe
.jar
filethatcontainstheJavaclassthatimplementstheextensionand
itscorrespondingfactory.Selecttheappropriatefilefromthedropdownlist.
20 Novell Access Manager 3.1 SP5 Policy Guide
3 (Conditional)SpecifytheConditionParametersrequiredbytheextension.
Thedocumentationfortheextensionshouldtellyouthenumberofparametersitrequiresand
thedatatypeofeachparameter.YoucreatethenameandIDfortheparameter,andtheyneedto
beuniquefortheextension.
Toadda
configurationparameter,clickNew,enteraname(astring)andanID(anumber)
fortheparameter,thenclickOK.IntheMappingfield,clickthedownarrow,thenselectthe
dataitemfromthelist.Theselecteddataisavailablewhenevertheextensionclassiscalled
toevaluatean
action,acondition,ordata.
Todeleteaconfigurationparameter,selecttheparameter,thenclickDelete.
4 ClickOK.
1.8 Enabling Policy Logging
Policyloggingisexpensive;itusesprocessingtimeanddiskspace.Inaproductionenvironment,you
shouldenableitonlyunderthefollowingtypesofconditions:
Youhavecreatedanewpolicyandneedtoverifyitsfunctionality.
Youare troubleshootingapolicythatisnotbehavingasexpected.
Togather
troubleshootinginformation,youshouldenabletheFileLoggingandEchoToConsole
optionsintheIdentityServerconfigurationandsettheComponentFileLoggerLevelsforApplicationto
atleastinfo.ThenyoumustupdatetheIdentityServerconfigurationandrestartanyAccessGateway
EmbeddedServiceProviders,sothatthe
EmbeddedServiceProvidersreadtheloggingoptions.See
ConfiguringComponentLoggingintheNetIQAccessManager3.1SP5IdentityServerGuide.When
youhavesolvedtheproblem,youshoulddisabletheseoptions.
Thelogfileonthecomponentthatexecutedthepolicyiswhereyoushouldlookforlogging
information.Forexample,ifyouhaveanAccessGateway:Authorizationerror,lookatthelogonthe
AccessGatewaythatexecutedthepolicy.
Foradditionalpolicytroubleshootingprocedures,seeChapter 6,“TroubleshootingAccessManager
Policies,onpage 155.
/