Novell Access Manager 3.0 SP4 User guide
- Category
- Software
- Type
- User guide
Novell
www.novell.com
novdocx (ENU) 9 January 2007
Novell Access Manager 3.0 Administration Guide
Access Manager
3.0
March 7, 2007
ADMINISTRATION GUIDE
novdocx (ENU) 9 January 2007
Legal Notices
Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and
specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose.
Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time,
without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims
any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc.
reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to
notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the
trade laws of other countries. You agree to comply with all export control regulations and to obtain any required
licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities
on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export
laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses.
Please refer to www.novell.com/info/exports/ for more information on exporting Novell software. Novell assumes no
responsibility for your failure to obtain any necessary export approvals.
Copyright © 2006-2007 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied,
stored on a retrieval system, or transmitted without the express written consent of the publisher.
Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this
document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S.
patents listed at http://www.novell.com/company/legal/patents/ and one or more additional patents or pending patent
applications in the U.S. and in other countries.
Novell, Inc.
404 Wyman Street, Suite 500
Waltham, MA 02451
U.S.A.
www.novell.com
Online Documentation: To access the online documentation for this and other Novell products, and to get
updates, see www.novell.com/documentation.
novdocx (ENU) 9 January 2007
Novell Trademarks
Novell is a registered trademark of Novell, Inc., in the United States and other countries.
SUSE is a registered trademark of Novell, Inc., in the United States and other countries.
Third-Party Materials
All third-party trademarks are the property of their respective owners.
novdocx (ENU) 9 January 2007
Contents 5
Contents
novdocx (ENU) 9 January 2007
About This Guide 17
Part I System Management 19
1 Security Considerations 21
1.1 Certificates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
1.2 Access Manager Administration Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
1.3 Configuration Store . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
1.4 Auditing and Event Notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
1.5 Identity Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
1.5.1 Federation Concerns. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
1.5.2 Authentication Contracts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
1.6 NetWare Access Gateway. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
1.7 Linux Access Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
1.8 SSL VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
1.9 J2EE Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
2 Administration Console 27
2.1 Starting and Stopping Access Manager Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
2.1.1 Updating an Identity Server Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
2.1.2 Restarting the Identity Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
2.1.3 Restarting the Access Gateway Service Provider. . . . . . . . . . . . . . . . . . . . . . . . . . . 28
2.1.4 Starting the Access Gateway Service Provider. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
2.1.5 Stopping the Access Gateway Service Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
2.1.6 Restarting the Access Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
2.1.7 Scheduling a Restart of the Access Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
2.1.8 Stopping the Access Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
2.1.9 Scheduling the Shutdown of the Access Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . 30
2.2 Backing Up and Restoring the Configuration Store . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
2.2.1 How The Backup and Restore Process Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
2.2.2 Running the Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
2.2.3 Restoring a Configuration Store . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
2.2.4 Running the Diagnostic Configuration Export . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
2.3 Installing Secondary Versions of the Administration Console . . . . . . . . . . . . . . . . . . . . . . . . . 34
2.4 Converting your Secondary Console into your Primary Console. . . . . . . . . . . . . . . . . . . . . . . 35
2.4.1 Changing the Master Replica . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
2.4.2 Restoring CA Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
2.4.3 Deleting Objects from the eDirectory Configuration Store. . . . . . . . . . . . . . . . . . . . . 36
2.4.4 Additional Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
2.5 Multiple Sessions, Multiple Administrators. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
3 Changing the IP Address of Access Manager Devices 41
3.1 Changing the IP Address of the Administration Console. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
3.2 Changing the IP Address of an Identity Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
3.3 Changing the IP Address of the Access Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
6 Novell Access Manager 3.0 Administration Guide
novdocx (ENU) 9 January 2007
4 Maintaining an Identity Server 45
4.1 Managing in Identity Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
4.2 Editing Server Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
4.3 Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Part II Novell Identity Server Configuration 51
5 Configuring an Identity Server 53
5.1 Creating an Identity Server Configuration (Advanced Options) . . . . . . . . . . . . . . . . . . . . . . . . 53
5.2 Assigning an Identity Server to a Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
5.3 Removing a Server from a Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
5.4 Modifying the Base URL. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
5.5 Enabling Role-Based Access Control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
5.6 Clustering Identity Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
5.7 Configuring Secure Communication on the Identity Server . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
6 Defining Reusable Configuration Settings 65
6.1 Configuring Attribute Sets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
6.2 Editing Attribute Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
6.3 Configuring User Matching Expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
6.4 Adding Custom Attributes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
6.4.1 Creating Shared Secret Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
6.4.2 Creating LDAP Attribute Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
7 Configuring Local Authentication 71
7.1 Configuring Identity User Stores. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
7.2 Creating Authentication Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
7.2.1 Creating Basic, Form-Based, or NMAS Authentication Classes . . . . . . . . . . . . . . . . 75
7.2.2 Creating an X.509 Authentication Class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
7.2.3 Creating a RADIUS Authentication Class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
7.3 Configuring Authentication Methods. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
7.4 Configuring Authentication Contracts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
7.4.1 Creating a Local Contract . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
7.4.2 Creating an External Contract . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
7.5 Specifying Authentication Defaults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
7.6 Creating Custom Login Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
7.6.1 Modifying the User Portal Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
7.6.2 Creating Your Own Login or Error Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
8 Configuring Trusted Providers 87
8.1 Understanding the Trust Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
8.2 Creating a Trusted Provider Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
8.3 Reimporting a Trusted Provider’s Metadata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
8.4 Editing a SAML 1.1 Trusted Identity Provider’s Metadata . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
8.5 Editing a SAML 1.1 Trusted Service Provider’s Metadata . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
8.6 Configuring Common Access Settings for a Trusted Provider . . . . . . . . . . . . . . . . . . . . . . . . . 94
8.6.1 Configuring Display and Access Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
8.6.2 Configuring Communication Security Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
8.6.3 Specifying the Intersite Transfer Service URL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Contents 7
novdocx (ENU) 9 January 2007
8.7 Selecting Attributes for a Trusted Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
9 Configuring User Authentication and Federation 99
9.1 Configuring Authentication for a Trusted Identity Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
9.2 Configuring User Identification Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
9.2.1 Selecting a User Identification Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
9.2.2 Configuring the User Matching Method. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
9.2.3 Defining the User Provisioning Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
9.2.4 User Provisioning Error Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
9.3 Configuring Authentication for a Trusted Service Provider . . . . . . . . . . . . . . . . . . . . . . . . . . 108
9.4 Configuring User Identification Methods for SAML 1.1 Trusted Identity Providers . . . . . . . . 109
9.5 Specifying a SAML Audience URI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
10 Configuring Communication Profiles 113
11 Configuring Liberty Web Services 115
11.1 Configuring the Web Services Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
11.2 Enabling Web Services and Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
11.3 Editing Web Service Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
11.4 Configuring Credential Profile Security and Display Settings . . . . . . . . . . . . . . . . . . . . . . . . 118
11.5 Configuring Service and Profile Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
11.6 Customizing Attribute Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
11.7 Editing Web Service Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
11.8 Configuring the Web Service Consumer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
11.9 Mapping LDAP and Liberty Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
11.9.1 Configuring One-to-One Attribute Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
11.9.2 Configuring Employee Type Attribute Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
11.9.3 Configuring Employee Status Attribute Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
11.9.4 Configuring Postal Address Attribute Maps. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
11.9.5 Configuring Contact Method Attribute Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
11.9.6 Configuring Gender Attribute Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
11.9.7 Configuring Marital Status Attribute Maps. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Part III Access Gateway Configuration 139
12 Configuring the Access Gateway to Protect Resources 141
12.1 Creating a Reverse Proxy and Proxy Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
12.2 Configuring a Proxy Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
12.3 Configuring the Web Servers of a Proxy Service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
12.4 Configuring Protected Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
12.4.1 Setting Up a Protected Resource . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
12.4.2 Assigning an Authorization Policy to a Protected Resource . . . . . . . . . . . . . . . . . . 152
12.4.3 Assigning an Identity Injection Policy to a Protected Resource . . . . . . . . . . . . . . . 153
12.4.4 Assigning a Form Fill Policy to a Protected Resource. . . . . . . . . . . . . . . . . . . . . . . 154
12.5 Configuring HTML Rewriting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
12.5.1 Understanding the Rewriting Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
12.5.2 Configuring the HTML Rewriter. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
12.6 Configuring Connection Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
12.6.1 Configuring TCP Listen Options for Clients. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
12.6.2 Configuring TCP Connect Options for Web Servers . . . . . . . . . . . . . . . . . . . . . . . . 168
12.6.3 Configuring Connection and Session Persistence . . . . . . . . . . . . . . . . . . . . . . . . . 170
8 Novell Access Manager 3.0 Administration Guide
novdocx (ENU) 9 January 2007
13 Configuring the Access Gateway for SSL 171
13.1 Using SSL on the Access Gateway Communication Channels . . . . . . . . . . . . . . . . . . . . . . . 172
13.2 Prerequisites for SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
13.2.1 Prerequisites for SSL Communication between the Access Gateway and the Web
Servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
13.2.2 Prerequisite for SSL Communication between the Identity Server and the Access
Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
13.3 Configuring SSL Communication with the Browsers and the Identity Server . . . . . . . . . . . . . 174
13.4 Configuring SSL between the Proxy Service and the Web Servers. . . . . . . . . . . . . . . . . . . . 176
13.5 Managing the Certificates of the Embedded Service Provider . . . . . . . . . . . . . . . . . . . . . . . . 178
13.6 Configuring the Encryption Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
14 Additional Configuration Settings 181
14.1 Changing the Name of an Access Gateway and Modifying Other Descriptive Details. . . . . . 181
14.2 Modifying the Base URL of the Identity Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
14.3 Setting Date and Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
14.4 Setting Up a Tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
14.5 Configuring Error Page Presentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
14.6 Configuring Console Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
14.6.1 Setting Up an FTP Listening Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
14.6.2 Enabling Console Access with SSH and Telnet Sessions . . . . . . . . . . . . . . . . . . . . 187
14.6.3 Setting the Password for the admin and config Users . . . . . . . . . . . . . . . . . . . . . . . 188
14.7 Configuring Network Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
14.7.1 Viewing and Modifying Adapter Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
14.7.2 Viewing and Modifying Gateway Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
14.7.3 Viewing and Modifying DNS Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
14.7.4 Configuring Hosts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
14.7.5 Configuring IPQoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
14.8 Customizing Log Out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
14.9 Configuring X-Forwarded-For Headers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
14.10 Upgrading the Access Gateway Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
15 Configuring the Cache Settings 201
15.1 Configuring Global Caching Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
15.2 Controlling Browser Caching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
15.3 Configuring Custom Cache Control Headers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
15.3.1 Understanding How Custom Cache Control Headers Work . . . . . . . . . . . . . . . . . . 205
15.3.2 Enabling Custom Cache Control Headers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
15.4 Configuring a Pin List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
15.4.1 URL Mask . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
15.4.2 Pin Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
15.4.3 Follow Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
15.5 Configuring a Purge List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
15.6 Purging Cached Content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
15.7 Preventing a Web Site from Being Cached . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
16 Protecting Multiple Resources 215
16.1 Setting Up a Group of Web Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
16.2 Using Multi-Homing to Access Multiple Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
16.2.1 Domain-Based Multi-Homing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
16.2.2 Path-Based Multi-Homing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
Contents 9
novdocx (ENU) 9 January 2007
16.2.3 Virtual Multi-Homing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
16.2.4 Creating a Second Proxy Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
16.2.5 Configuring a Path-Based Multi-Homing Proxy Service . . . . . . . . . . . . . . . . . . . . . 223
16.3 Managing Multiple Reverse Proxies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
16.3.1 Managing Entries in the Reverse Proxy List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
16.3.2 Changing the Authentication Proxy Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
16.4 Managing a Group of Access Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
16.4.1 Applying Configuration Changes to a Group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
16.4.2 Issuing Commands to a Group of Access Gateways . . . . . . . . . . . . . . . . . . . . . . . 228
16.4.3 Managing the Servers in the Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
16.4.4 Adding Servers to an Existing Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
16.4.5 Changing the Primary Cluster Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
16.4.6 Deleting Members from a Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
16.4.7 Viewing the Health of the Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
16.4.8 Viewing Group Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
16.4.9 Viewing Group Command Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
16.4.10 Viewing the Status of Group Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
17 Configuring Access Manager for Citrix Clients 233
17.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
17.2 Configuring the Access Gateway for Citrix Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
18 Virtualization on the Linux Access Gateway 237
18.1 Virtualization Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
18.2 Configuring VMs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
18.2.1 Creating a Novell COS Partition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
18.2.2 Configuring a VM. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
18.3 Modifying a VM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
18.4 Deleting a VM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
18.5 Setting Maximum Memory Limit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
18.6 Scan. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Part IV Configuring the SSL VPN Gateway 243
19 Overview of SSL VPN 245
19.1 Understanding How SSL VPN Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
19.2 SSL VPN Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
20 Managing SSL VPN Servers 247
20.1 Viewing SSL VPN Servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
20.2 Viewing SSL VPN Server Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
20.3 Monitoring Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
21 Configuring the SSL VPN Servers 251
21.1 Viewing and Modifying Server Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
21.2 Configuring the DNS Server List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
21.3 Viewing and Modifying Traffic Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
21.4 Configuring Full Tunneling. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
21.5 Viewing Client Integrity Check Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
10 Novell Access Manager 3.0 Administration Guide
novdocx (ENU) 9 January 2007
21.5.1 Configuring Category . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
21.5.2 Configuring Application Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
21.5.3 Configuring Application Attributes and Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
21.6 Creating New Client Integrity Check Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
21.7 Configuring Alerts Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
21.8 Adding Certificates to the SSL VPN Keystore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
21.9 Adding Trusted Roots for SSL VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
21.10 Configuring SSL VPN to Download Applet on Internet Explorer . . . . . . . . . . . . . . . . . . . . . . 263
21.11 Accelerating SSL VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
21.11.1 Injecting the SSL VPN Header. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
21.12 Moving SSL VPN Server to a Different Administration Console. . . . . . . . . . . . . . . . . . . . . . . 267
21.13 Accelerating SSL VPN with a New Access Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
22 Load Balancing and Fault Tolerance 269
22.1 Installing SSL VPN Servlet on a Separate Machine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
22.2 Load Balancing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
22.3 Fault Tolerance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
23 Accessing the SSL VPN User Portal 273
23.1 Accessing SSL VPN on Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
23.2 Accessing SSL VPN on Macintosh. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
23.3 Accessing SSL VPN on Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
24 Understanding the SSL VPN User Interface 279
24.1 Viewing the Home Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
24.2 Viewing the Statistics Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
24.3 Viewing the Policies Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
24.4 Viewing the Log Entries Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
24.4.1 Saving Log Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
24.5 Viewing the Applications Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
24.5.1 SSLizing Applications on Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
24.5.2 SSLizing Applications on Macintosh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
24.6 Monitoring the Connection Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Part V Security and Certificate Management 285
25 Understanding How Access Manager Uses Certificates 287
26 Managing Certificates 289
26.1 Creating Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
26.1.1 Creating a Locally Signed Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
26.1.2 Generating a Certificate Signing Request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
26.1.3 Importing a Signed Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
26.2 Auto-Importing Certificates from Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
26.3 Importing a Private/Public Key Pair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
26.4 Exporting a Private/Public Key Pair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
26.5 Importing Public Key Certificates (Trusted Roots) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
26.6 Renewing a Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
26.7 Exporting a Public Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
Contents 11
novdocx (ENU) 9 January 2007
26.8 Enabling 4096k Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
26.8.1 Jurisdiction Policy Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
27 Assigning Certificates to Access Manager Devices 301
27.1 Importing a Trusted Root to the LDAP User Store. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
27.2 Replacing Identity Server SSL Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
27.3 Changing a Trust Store Password. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
27.4 Assigning Certificates to an Access Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
27.5 Assigning Certificates to J2EE Agents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
27.6 Configuring SSL for Authentication between the Identity Server and Access Gateway . . . . 305
27.7 Changing a Non-Secure (HTTP) Environment to a Secure (HTTPS) Environment. . . . . . . . 306
27.8 Creating Keystores and Trust Stores. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
Part VI Policy Management 309
28 Managing Policies 311
28.1 Selecting a Policy Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
28.2 Managing Policy Containers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
28.3 Managing Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
28.3.1 Creating Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
28.3.2 Deleting Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
28.3.3 Importing and Exporting Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
28.4 Managing a Rule List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
28.4.1 Rule Evaluation for Role Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
28.4.2 Rule Evaluation for Authorization Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
28.4.3 Rule Evaluation for Identity Injection and Form Fill Policies . . . . . . . . . . . . . . . . . . 314
28.5 Enabling Policy Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
29 Creating Role Policies 317
29.1 Understanding RBAC in Access Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
29.2 Creating Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
29.2.1 Selecting Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
29.2.2 Selecting an Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
29.2.3 Reviewing the Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
29.2.4 Example Role Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
29.3 Creating Access Manager Roles from an Existing Role-Based Policy System . . . . . . . . . . . 327
29.3.1 Creating a Role Using an LDAP Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
29.3.2 Creating a Role Using the Location of the User Objects. . . . . . . . . . . . . . . . . . . . . 330
29.3.3 Creating a Role Using Role or Group Membership . . . . . . . . . . . . . . . . . . . . . . . . . 332
29.4 Mapping Roles between Trusted Providers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
29.5 Enabling and Disabling Role Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
29.6 Importing and Exporting Role Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
30 Creating Authorization Policies 339
30.1 Designing an Authorization Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
30.1.1 Many Rules or Many Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
30.1.2 Controlling Access with a Deny Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
30.1.3 Controlling Access with Multiple Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
30.1.4 Using Permit Rules with a Deny Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
30.1.5 Public Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
12 Novell Access Manager 3.0 Administration Guide
novdocx (ENU) 9 January 2007
30.1.6 General Design Principles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
30.1.7 Assigning Policies to Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
30.2 Creating Access Gateway Authorization Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
30.2.1 The Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
30.2.2 Sample Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
30.3 Creating Web Authorization Policies for J2EE Agents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
30.4 Creating Enterprise JavaBean Authorization Policies for J2EE Agents . . . . . . . . . . . . . . . . . 351
30.5 Conditions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
30.5.1 Authentication Contract Condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
30.5.2 Client IP Condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
30.5.3 Credential Profile Condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
30.5.4 Current Date Condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
30.5.5 Current Day of Week Condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
30.5.6 Current Day of Month Condition. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
30.5.7 Current Time of Day Condition. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
30.5.8 HTTP Request Method Condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
30.5.9 LDAP Attribute Condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
30.5.10 Liberty User Profile Condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
30.5.11 Roles for Current User Condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
30.5.12 URL Condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
30.5.13 URL Scheme Condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
30.5.14 URL Host Condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
30.5.15 URL Path Condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
30.5.16 URL File Name Condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
30.5.17 URL File Extension Condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
30.5.18 X-Forward-For IP Condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
30.6 Using Multiple Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
30.7 Importing and Exporting Authorization Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
31 Creating Identity Injection Policies 373
31.1 Designing an Identity Injection Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
31.2 Configuring an Identity Injection Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
31.3 Configuring an Authentication Header Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
31.4 Configuring a Custom Header Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
31.5 Configuring a Custom Header with Tags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
31.6 Specifying a Query String for Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
31.7 Injecting into the Cookie Header . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
31.8 Importing and Exporting Identity Injection Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
32 Creating Form Fill Policies 385
32.1 Understanding an HTML Form . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
32.2 Creating a Form Fill Policy for the Sample Form . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
32.3 Implementing Form Fill Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
32.3.1 Creating a Form Fill Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
32.3.2 Creating a Login Failure Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
32.3.3 Troubleshooting a Form Fill Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
32.4 Creating and Managing Shared Secrets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
32.4.1 Local Shared Secret. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
32.4.2 Remote Shared Secret. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
32.5 Importing and Exporting Form Fill Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
Contents 13
novdocx (ENU) 9 January 2007
Part VII Monitoring Access Manager Components 399
33 Enabling Auditing 401
33.1 Configuring Access Manager for Novell Auditing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
33.1.1 Specifying the Logging Server and Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
33.1.2 Generating Queries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403
33.2 Enabling Identity Server Audit Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403
33.3 Enabling Access Gateway Audit Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
33.4 Enabling SSL VPN Audit Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
34 Configuring Logging 409
34.1 Understanding the Types of Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
34.1.1 Component Logging for Troubleshooting Configuration or Network Problems . . . . 409
34.1.2 Debug Trace Logging to Discover Software Problems . . . . . . . . . . . . . . . . . . . . . . 410
34.1.3 HTTP Transaction Logging for Proxy Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
34.2 Configuring Component Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
34.2.1 Enabling Component Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
34.2.2 Downloading the Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
34.2.3 Understanding the Log File Format. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
34.3 Configuring Debug Trace Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
34.4 Configuring Access Gateway Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
34.4.1 Determining Logging Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
34.4.2 Calculating Roll Over Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
34.4.3 Enabling Logging. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
34.4.4 Configuring Common Log Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
34.4.5 Configuring Extended Log Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
34.4.6 Configuring Log Pushing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
34.4.7 Configuring the Size of the Log Partition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
35 Viewing Statistics 427
35.1 Monitoring Identity Server Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
35.2 Monitoring Access Gateway Statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
35.2.1 Server Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
35.2.2 Server Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
35.2.3 Server SSL Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
35.2.4 Top 20 Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
35.2.5 Service Provider Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435
35.2.6 Configured Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
35.3 Viewing SSL VPN Statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
35.3.1 Viewing the Bytes Graphs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
36 Managing Server Health 443
36.1 Health States . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
36.2 Monitoring the Health of an Identity Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
36.3 Monitoring the Health of an Access Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446
36.4 Monitoring the Health of an SSL VPN Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
37 Reviewing Command Status 449
37.1 Viewing the Command Status of the Identity Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449
37.2 Viewing the Command Status of the Access Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449
14 Novell Access Manager 3.0 Administration Guide
novdocx (ENU) 9 January 2007
37.2.1 Viewing the Status of Current Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450
37.2.2 Viewing Detailed Command Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450
37.2.3 Issuing Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
37.2.4 Scheduling a Command. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 452
37.3 Viewing Command Status of the SSL VPN Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
37.3.1 Viewing Command Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
38 Reviewing Alerts 455
38.1 Monitoring Identity Server Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455
38.2 Monitoring Access Gateway Alerts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455
38.2.1 Reviewing Java Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455
38.2.2 Configuring Access Gateway Alerts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
38.2.3 Enabling SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461
Part VIII Troubleshooting 465
39 Troubleshooting the Administration Console 467
39.1 Session Conflicts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
39.2 Unable to Login to the Administration Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
39.3 Exception Processing IdentityService_ServerPage.JSP . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
39.4 Logging. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
40 Troubleshooting for the Identity Server and Authentication 469
40.1 Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
40.1.1 Browser Hangs in an Authentication Redirect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
40.1.2 Prompting Users to Refresh a Session before Expiration . . . . . . . . . . . . . . . . . . . . 469
40.2 Translating the Identity Server Configuration Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470
40.3 Problems Reading Keystores after Identity Server Re-installation. . . . . . . . . . . . . . . . . . . . . 471
41 Troubleshooting Access Manager Policies 473
41.1 Roles and Authorization Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
41.2 Turning on Logging for Policy Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
41.3 Understanding Policy Evaluation Traces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
41.3.1 Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
41.3.2 Policy Result Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480
41.3.3 Sample Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481
41.4 Policy Page Timeout. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483
41.5 Policy Changes Are Not Saved . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483
41.6 Policy Creation and Storage. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483
41.7 Policy Distribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484
41.8 Policy Evaluation: Access Gateway Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
41.8.1 Successful Policy Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486
41.8.2 No Policy Defined Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487
41.8.3 Deny Access Configuration/Evaluation Example . . . . . . . . . . . . . . . . . . . . . . . . . . . 487
42 Troubleshooting the Access Gateway 491
42.1 Fixing Problems Common to Both Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491
42.1.1 Mismatch Certificates in a Group of Access Gateways . . . . . . . . . . . . . . . . . . . . . . 491
42.2 Troubleshooting the Linux Access Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492
Contents 15
novdocx (ENU) 9 January 2007
42.2.1 Linux Access Gateway Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492
42.2.2 Troubleshooting a Linux Access Gateway Crash . . . . . . . . . . . . . . . . . . . . . . . . . . 494
42.2.3 Connection Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
42.2.4 Network Socket Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
42.2.5 Authentication Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
42.2.6 Rewriter Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
42.2.7 Useful Linux Access Gateway Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 502
42.2.8 Using the Linux Access Gateway Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503
42.2.9 COS Related Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503
42.2.10 Memory Related Issues. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503
42.2.11 Authorization and Identity Injection Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504
42.2.12 Form Fill Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505
42.3 Troubleshooting the NetWare Access Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507
42.3.1 Additional Options during the Boot Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507
42.3.2 Setting the Date and Time at the Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508
42.3.3 Unlocking the NetWare Access Gateway Console . . . . . . . . . . . . . . . . . . . . . . . . . 509
42.3.4 Command Line Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509
42.3.5 Telnet Fails after Performing an Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509
42.3.6 SSL Certificate Error with X.509 Authentication from NetWare Access Gateway. . 510
43 Troubleshooting SSL VPN 511
43.1 Connecting Successfully to the Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511
43.1.1 Connection Problems with Mozilla Firefox. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512
43.1.2 Connection Problems with Internet Explorer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513
43.2 SSL VPN Not Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513
43.3 Verifying SSL VPN Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514
43.4 Issues With Keep Alive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514
43.5 Idle Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
43.6 Mozilla Firefox Browser Displays “X” Mark . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
43.7 Unable to Contact the SSL VPN Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
43.8 Unable to Get Authentication Headers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
43.9 The SSL VPN Connection Is Successful But There Is No Data Transfer . . . . . . . . . . . . . . . 516
43.10 Applications Are Not Getting SSLized from Terminal After Running the su Command . . . . 516
43.11 Unable to Connect to SSL VPN Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
Part IX Appendixes 517
A About Liberty and SAML 2.0 519
A.1 Liberty Alliance Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519
A.2 What's New in SAML 2.0? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520
B Certificates Terminology 521
C Data Model Extension XML 523
C.1 Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
C.2 Writing Data Model Extension XML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526
D Logging: Using the Custom Content Filter 529
D.1 Custom Content Filter XML Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529
D.2 Examples of Custom Content Filter XML. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530
16 Novell Access Manager 3.0 Administration Guide
novdocx (ENU) 9 January 2007
D.2.1 Example One . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530
D.2.2 Example Two . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530
D.2.3 Example Three. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532
D.3 Custom Content Filter Thread Identifiers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 533
E Authentication Classes and Duplicate Common Names 535
About This Guide
novdocx (ENU) 9 January 2007
17
About This Guide
This guide describes all of the interface features of Novell
®
Access Manager, including:
Part I, “System Management,” on page 19
Part II, “Novell Identity Server Configuration,” on page 51
Part III, “Access Gateway Configuration,” on page 139
Part IV, “Configuring the SSL VPN Gateway,” on page 243
Part V, “Security and Certificate Management,” on page 285
Part VI, “Policy Management,” on page 309
Part VII, “Monitoring Access Manager Components,” on page 399
Part VIII, “Troubleshooting,” on page 465
Part IX, “Appendixes,” on page 517
This administration guide is intended to help you understand and configure all of the features
provided by Access Manager, and includes advanced topics. It is recommended that you first
become familiar with the information in the Novell Access Manager 3.0 Setup Guide.
The basic setup guide can help you understand how to perform a basic Identity Server configuration,
set up a resource protected by an Access Gateway, and configure SSL. The basic setup and the
administration guides are designed to work together, and important information and setup steps are
not necessarily repeated in both places.
Audience
This guide is intended for Access Manager administrators. It is assumed that you have knowledge of
evolving Internet protocols, such as:
Extensible Markup Language (XML)
Simple Object Access Protocol (SOAP)
Security Assertion Markup Language (SAML)
Public Key Infrastructure (PKI) digital signature concepts and Internet security
Secure Socket Layer/Transport Layer Security (SSL/TSL)
Hypertext Transfer Protocol (HTTP and HTTPS)
Uniform Resource Identifiers (URIs)
Domain Name System (DNS)
Web Services Description Language (WSDL)
Feedback
We want to hear your comments and suggestions about this guide and the other documentation
included with this product. Please use the User Comments feature at the bottom of each page of the
online documentation, or go to Documentation Feedback (http://www.novell.com/documentation/
feedback.html) at www.novell.com/documentation/feedback.html and enter your comments there.
18 Novell Access Manager 3.0 Administration Guide
novdocx (ENU) 9 January 2007
Additional Documentation
Before proceeding, you should be familiar with the Novell Access Manager 3.0 Installation Guide
and the Novell Access Manager 3.0 Setup Guide, which provides information about setting up the
Access Manager system.
If you are unfamiliar with SAML 1.1, see SAML Overview (http://www.novell.com/documentation/
saml/saml/data/ag8qdk7.html) on the Documentation (http://www.novell.com/documentation/a-
z.html) Web site.
For conceptual information about Liberty, and to learn about what is new for SAML 2.0, see
Appendix A, “About Liberty and SAML 2.0,” on page 519.
Documentation Conventions
In Novell documentation, a greater-than symbol (>) is used to separate actions within a step and
items in a cross-reference path.
A trademark symbol (
®
,
TM
, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party
trademark.
When a single pathname can be written with a backslash for some platforms or a forward slash for
other platforms, the pathname is presented with a backslash. Users of platforms that require a
forward slash, such as Linux* or UNIX*, should use forward slashes as required by your software.
System Management
I
novdocx (ENU) 9 January 2007
19
I
System Management
This section discusses system and server management topics that apply to the Novell
®
Access
Manager Administration Console.
Chapter 1, “Security Considerations,” on page 21
Chapter 2, “Administration Console,” on page 27
Chapter 3, “Changing the IP Address of Access Manager Devices,” on page 41
Chapter 4, “Maintaining an Identity Server,” on page 45
20 Novell Access Manager 3.0 Administration Guide
novdocx (ENU) 9 January 2007
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
-
1
-
2
-
3
-
4
-
5
-
6
-
7
-
8
-
9
-
10
-
11
-
12
-
13
-
14
-
15
-
16
-
17
-
18
-
19
-
20
-
21
-
22
-
23
-
24
-
25
-
26
-
27
-
28
-
29
-
30
-
31
-
32
-
33
-
34
-
35
-
36
-
37
-
38
-
39
-
40
-
41
-
42
-
43
-
44
-
45
-
46
-
47
-
48
-
49
-
50
-
51
-
52
-
53
-
54
-
55
-
56
-
57
-
58
-
59
-
60
-
61
-
62
-
63
-
64
-
65
-
66
-
67
-
68
-
69
-
70
-
71
-
72
-
73
-
74
-
75
-
76
-
77
-
78
-
79
-
80
-
81
-
82
-
83
-
84
-
85
-
86
-
87
-
88
-
89
-
90
-
91
-
92
-
93
-
94
-
95
-
96
-
97
-
98
-
99
-
100
-
101
-
102
-
103
-
104
-
105
-
106
-
107
-
108
-
109
-
110
-
111
-
112
-
113
-
114
-
115
-
116
-
117
-
118
-
119
-
120
-
121
-
122
-
123
-
124
-
125
-
126
-
127
-
128
-
129
-
130
-
131
-
132
-
133
-
134
-
135
-
136
-
137
-
138
-
139
-
140
-
141
-
142
-
143
-
144
-
145
-
146
-
147
-
148
-
149
-
150
-
151
-
152
-
153
-
154
-
155
-
156
-
157
-
158
-
159
-
160
-
161
-
162
-
163
-
164
-
165
-
166
-
167
-
168
-
169
-
170
-
171
-
172
-
173
-
174
-
175
-
176
-
177
-
178
-
179
-
180
-
181
-
182
-
183
-
184
-
185
-
186
-
187
-
188
-
189
-
190
-
191
-
192
-
193
-
194
-
195
-
196
-
197
-
198
-
199
-
200
-
201
-
202
-
203
-
204
-
205
-
206
-
207
-
208
-
209
-
210
-
211
-
212
-
213
-
214
-
215
-
216
-
217
-
218
-
219
-
220
-
221
-
222
-
223
-
224
-
225
-
226
-
227
-
228
-
229
-
230
-
231
-
232
-
233
-
234
-
235
-
236
-
237
-
238
-
239
-
240
-
241
-
242
-
243
-
244
-
245
-
246
-
247
-
248
-
249
-
250
-
251
-
252
-
253
-
254
-
255
-
256
-
257
-
258
-
259
-
260
-
261
-
262
-
263
-
264
-
265
-
266
-
267
-
268
-
269
-
270
-
271
-
272
-
273
-
274
-
275
-
276
-
277
-
278
-
279
-
280
-
281
-
282
-
283
-
284
-
285
-
286
-
287
-
288
-
289
-
290
-
291
-
292
-
293
-
294
-
295
-
296
-
297
-
298
-
299
-
300
-
301
-
302
-
303
-
304
-
305
-
306
-
307
-
308
-
309
-
310
-
311
-
312
-
313
-
314
-
315
-
316
-
317
-
318
-
319
-
320
-
321
-
322
-
323
-
324
-
325
-
326
-
327
-
328
-
329
-
330
-
331
-
332
-
333
-
334
-
335
-
336
-
337
-
338
-
339
-
340
-
341
-
342
-
343
-
344
-
345
-
346
-
347
-
348
-
349
-
350
-
351
-
352
-
353
-
354
-
355
-
356
-
357
-
358
-
359
-
360
-
361
-
362
-
363
-
364
-
365
-
366
-
367
-
368
-
369
-
370
-
371
-
372
-
373
-
374
-
375
-
376
-
377
-
378
-
379
-
380
-
381
-
382
-
383
-
384
-
385
-
386
-
387
-
388
-
389
-
390
-
391
-
392
-
393
-
394
-
395
-
396
-
397
-
398
-
399
-
400
-
401
-
402
-
403
-
404
-
405
-
406
-
407
-
408
-
409
-
410
-
411
-
412
-
413
-
414
-
415
-
416
-
417
-
418
-
419
-
420
-
421
-
422
-
423
-
424
-
425
-
426
-
427
-
428
-
429
-
430
-
431
-
432
-
433
-
434
-
435
-
436
-
437
-
438
-
439
-
440
-
441
-
442
-
443
-
444
-
445
-
446
-
447
-
448
-
449
-
450
-
451
-
452
-
453
-
454
-
455
-
456
-
457
-
458
-
459
-
460
-
461
-
462
-
463
-
464
-
465
-
466
-
467
-
468
-
469
-
470
-
471
-
472
-
473
-
474
-
475
-
476
-
477
-
478
-
479
-
480
-
481
-
482
-
483
-
484
-
485
-
486
-
487
-
488
-
489
-
490
-
491
-
492
-
493
-
494
-
495
-
496
-
497
-
498
-
499
-
500
-
501
-
502
-
503
-
504
-
505
-
506
-
507
-
508
-
509
-
510
-
511
-
512
-
513
-
514
-
515
-
516
-
517
-
518
-
519
-
520
-
521
-
522
-
523
-
524
-
525
-
526
-
527
-
528
-
529
-
530
-
531
-
532
-
533
-
534
-
535
Novell Access Manager 3.0 SP4 User guide
- Category
- Software
- Type
- User guide
Ask a question and I''ll find the answer in the document
Finding information in a document is now easier with AI
Related papers
-
Novell Access Manager 3.0 SP4 User guide
-
-
-
-
-
-
-
-
-
Other documents
-
Hewlett Packard Enterprise 604967-B21 User manual
-
Citrix 9000 Series User manual
-
Wiley 978-0-470-18146-1 Datasheet
-
Digi Secure Embedded Web Application Kit 2.0 User manual
-
Red Hat Version4.1 User manual
-
Cisco Citrix NetScaler 1000V User guide
-
MACROMEDIA FLASH MEDIA SERVER 2 Use Manual
-
Johnson Controls 24-10737-8 Installation Instructions Manual
-
Cisco Systems OL-13877-01 User manual
-
Bolens 13048 User manual
