manualshive.com logo in svg

Novell Access Manager 3.1 SP 2, Manual, Page: 97 / 126

Share
Download
Novell Access Manager 3.1 SP 2 Manual Download Page 97

Deploying the Sample Payroll Application

97

n

ov

do

cx (e

n)

  16
 Ap
ril 20

10

    <servlet>
        <servlet-name>LogoutServlet</servlet-name>
        <servlet-class>
            com.novell.nids.agent.auth.LogoutServlet
        </servlet-class>
          <init-param>
            <param-name>postLogoutURL</param-name>
            <param-value>/loggedOut</param-value>
         </init-param>
         <init-param>
             <param-name>websphereLTPAMechanism</param-name>
             <param-value>false</param-value>
        <description>
         This should be set to true in order to clear LTAP cookies and tokens 
in                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    
case of websphere with LTPA as authentication mechanism
        </description> 
             </init-param>
    </servlet>

    <servlet-mapping>
        <servlet-name>LogoutServlet</servlet-name>
        <url-pattern>/logout</url-pattern>
    </servlet-mapping>

7.3  Using the J2EE Server to Enforce 

Authorization

The following procedure explains how you can configure Access Manager to use the authorization 
policies of the J2EE server:

1

Deploy the sample payroll application on your J2EE server. 

2

On your J2EE server, prepare the application to use the agent for login and logout. See 

Section 4.1, “Preparing the Application for the Agent,” on page 67

.

These steps have already been performed for the sample application. See the 

web.xml

 file in 

the application’s 

WEB-INF

 directory. 

3

Complete any platform-specific configuration:

Š

JBoss: 

These tasks have already been performed for JBoss. To understand what was 

modified, see 

Section 4.2, “Configuring Applications on the JBoss Server,” on page 69

.

Š

WebSphere: 

You need to configure the RunAs Roles feature. See 

Section 4.3.2, 

“Configuring for RunAs Roles,” on page 71

.

Š

WebLogic: 

You need to configure the RunAs Roles feature. See 

Section 4.4, 

“Configuring Applications on the WebLogic Server,” on page 84

.

4

In Access Manager, create role policies for an Employee role and a Manager role. 
For more information, see “

Creating Role Policies

” in the 

Novell Access Manager 3.1 SP2 

Policy Guide

.

5

Configure the agent for authentication. For more information, see 

Chapter 2, “Configuring the 

Agent for Authentication,” on page 45

.

6

Make sure that the 

Enforce application server policy

 option is selected. In the Administration 

Console, click 

Devices

 > 

J2EE Agents 

Edit

.

Summary of Contents for Access Manager 3.1 SP 2

Page 1: ...Novell www novell com novdocx en 16 April 2010 AUTHORIZED DOCUMENTATION Novell Access Manager 3 1 SP2 J2EE Agent Guide Access Manager 3 1 SP 2 June 11 2010 J2EE Agent Guide...

Page 2: ...nd the trade laws of other countries You agree to comply with all export control regulations and to obtain any required licenses or classification to export re export or import deliverables You agree...

Page 3: ...Trademarks For Novell trademarks see the Novell Trademark and Service Mark list http www novell com company legal trademarks tmlist html Third Party Materials All third party trademarks are the prope...

Page 4: ...4 Novell Access Manager 3 1 SP2 J2EE Agent Guide novdocx en 16 April 2010...

Page 5: ...e Console 39 1 7 4 Configuring WebLogic for J2EE Agents 40 1 8 Verifying If a J2EE Agent Is Installed 43 1 9 Uninstalling a J2EE Agent 43 2 Configuring the Agent for Authentication 45 2 1 Prerequisite...

Page 6: ...88 5 5 Changing the IP Address of a J2EE Agent 88 6 Protecting Web and Enterprise JavaBeans Modules 89 6 1 Configuring Access Control 89 6 2 Protecting Web Resources 90 6 2 1 Creating a Protected Res...

Page 7: ...Attributes 119 9 3 The Health Status Displays as Server Is Not Responding 120 9 4 Auto import Agents Fails on WebLogic Running on RedHat 120 9 5 Error Invalid Administration Server IP Address 120 9 5...

Page 8: ...8 Novell Access Manager 3 1 SP2 J2EE Agent Guide novdocx en 16 April 2010...

Page 9: ...ing Internet protocols such as Extensible Markup Language XML Simple Object Access Protocol SOAP Security Assertion Markup Language SAML Public Key Infrastructure PKI digital signature concepts and In...

Page 10: ...miliar with the Novell Access Manager 3 1 SP2 Installation Guide and the Novell Access Manager 3 1 SP2 Setup Guide which provide information about setting up the Access Manager system Documentation Co...

Page 11: ...installing a J2EE Agent on page 43 1 1 Overview of the J2EE Agents Users of application servers such as J2EE servers commonly fall into one of three abstract roles buyer seller or administrator For ex...

Page 12: ...tall J2EE Agent does not have any other Access Manager components installed on it You must have a static IP address If you do not have a static IP address and the address assigned at boot changes the...

Page 13: ...10 on 32 bit and 64 bit platforms Red Hat 5 Windows The following versions of operating systems with the latest support packs are supported on Windows Windows Server 2003 Linux The following operating...

Page 14: ...service is already installed browse to the following location and check to see if a folder named jboss web deployer already exists path to your custom configuration deploy If the folder does exist it...

Page 15: ...sName org jboss security plugins JaasSecurityMa nager attribute attribute name DefaultUnauthenticatedPrincipal anonymous attribute attribute name DefaultCacheTimeout 1800 attribute attribute name Defa...

Page 16: ...cx en 16 April 2010 3 Review the License Agreement accept it then click Next The installation selection page is displayed 4 Select a directory to install the Novell J2EE agent components then click Ne...

Page 17: ...nstaller uses the java home property value of the Java runtime that is used to run the installer to proceed with the installation 6 Optional If you want to select another JVM click Choose Another and...

Page 18: ...ssword of the admin user of the Novell Access Manager Administration Console Confirm Password Specify the password again to confirm it Application Server IP Address Current Host Review the entered add...

Page 19: ...have the Audit server installed follow the prompts to continue using the existing Audit server or to replace it 11a Conditional To continue using the same server click Yes to display the Audit Server...

Page 20: ...ver click No select Use following Audit Server then specify an IP address for the Audit server 12 Click Next The Select Application Server page is displayed 13 Click OK on the Alert when the following...

Page 21: ...art JBoss The agent is not imported into the Administration Console until the JBoss server is running 21 To verify the installation of the agent see Section 1 8 Verifying If a J2EE Agent Is Installed...

Page 22: ...the existing Audit server Press 2 to replace the existing Audit server then specify the IP address of the new server 8b Conditional Press 1 to use the existing Novell Audit Configuration 8c Conditiona...

Page 23: ...ine meets the minimum requirements See Section 1 3 Prerequisites on page 12 NOTE If you have disabled the admin security feature in WebSphere the installation of J2EE agent will be successful but you...

Page 24: ...ocx en 16 April 2010 3 Select a directory to install the Novell J2EE agent components then click Next The Choose Java Virtual Machine page is displayed 4 Select a Java Virtual Machine JVM to be used b...

Page 25: ...your Novell Access Manager Administration Console Username Specify the username of the admin user of the Novell Access Manager Administration Console Password Specify password of the admin user of th...

Page 26: ...Agent Guide novdocx en 16 April 2010 9b Conditional If you have the Audit server installed specify if you want to replace the existing audit server or use the existing server 10 Click Next The Select...

Page 27: ...en 16 April 2010 11 Select WebSphere then click Next The WebSphere Application Server Settings page is displayed 12 Specify the directory where you have installed the WebSphere server and click Next T...

Page 28: ...stall the Novell J2EE agent components or press Enter to continue with the default installation path 5 Specify a Java Virtual Machine JVM to be used by the installed application All the available JVMs...

Page 29: ...agent see Section 1 8 Verifying If a J2EE Agent Is Installed on page 43 1 6 4 Configuring WebSphere for J2EE Agents After you install the WebSphere application server you must use the ConfigureWSAgent...

Page 30: ...re the J2EE agent is installed and click Next The Novell Administration Server Communications Credentials page is displayed 5 Specify the administration credentials to contact the Novell Access Manage...

Page 31: ...l nids agent auth websphere NidsLTPALoginModule to the top of the list 13a Open the IBM administration console 13b Click Security Secure administration applications and infrastructure 13c Expand the J...

Page 32: ...the Installer 1 Make sure that the WebLogic server is running The WebLogic server must be running if you are performing a single server installation of J2EE Agents The WebLogin server does not need to...

Page 33: ...nstaller uses the java home property value of the Java runtime that is used to run the installer to proceed with the installation 6 Optional If you want to select another JVM click Choose Another and...

Page 34: ...l Access Manager Administration Console Confirm Password Specify the password again to confirm it Application Server IP Address Current Host Review the entered address If your server is configured for...

Page 35: ...5 novdocx en 16 April 2010 10b Conditional If you have the Audit server installed specify if you want to replace the existing Audit server or use the existing server 11 Click Next The Select Applicati...

Page 36: ...click Next The installation selection page is displayed 13 Specify the path to the directory where WebLogic is installed or click Choose to select a folder for installation Click Restore Default to re...

Page 37: ...erver Select this option to install a single instance of an application server Base Select this option while installing the agent on a machine that acts as a node and is part of a cluster Cluster Sele...

Page 38: ...Choose to select a folder for installation Click Restore Default to restore the default installation location 17 Click Next The WebLogic Administration Console Details page is displayed 18 Specify the...

Page 39: ...e Payroll Application on page 95 1 7 3 Installing a J2EE Agent through the Console 1 Download the agent installer For software download instructions see the Novell Access Manager Readme 2 Enter the fo...

Page 40: ...IP address of the Administration Console then press Enter 15 Specify a port number for the Administration Console then press Enter 16 Specify the username of the admin user of the Administration Conso...

Page 41: ...OME weblogic policy file Configuring the Login To configure the login you can use either use a script or the WebLogic Administration Console Using a Script to Configure Login on page 41 Using the Admi...

Page 42: ...igure Login In the WebLogic Administration Console you need to configure the JAAS Login Module 1 Start WebLogic 2 In a browser log in to the WebLogic Administration console http weblogic ip Weblogic p...

Page 43: ...n several minutes after installation click repair import to fix it If you have waited at least ten minutes but the message doesn t disappear and the agent doesn t appear in the list click the repair i...

Page 44: ...44 Novell Access Manager 3 1 SP2 J2EE Agent Guide novdocx en 16 April 2010...

Page 45: ...sites on page 45 Section 2 2 Possible Configurations on page 45 Section 2 3 Configuring the Agent for Direct Access on page 47 Section 2 4 Configuring Authentication Contracts on page 49 Section 2 5 P...

Page 46: ...verifies the username and password against a user store an LDAP directory 4 The Identity Server builds the roles for the user and redirects the user back to the application server 5 The agent verifie...

Page 47: ...assword against a user store an LDAP directory 4 The Identity Server builds the roles for the user and redirects the user back to the Access Gateway 5 The Access Gateway directs the user s request to...

Page 48: ...sic authentication over HTTPS using a standard login pop up provided by the Web browser Secure Name Password Form Specifies a form based authentication over HTTPS using the Access Manager login form A...

Page 49: ...for JBoss 7001 for WebLogic and 9080 for WebSphere If you have configured a different port use that port 3 Click OK then click Update OK 4 To update the Identity Server click Identity Servers then cli...

Page 50: ...3 1 SP2 J2EE Agent Guide novdocx en 16 April 2010 2 Click Manage authorization policies to configure J2EE Agents Policies The Protected Web and EJB Resource page is displayed 3 Click New to create a n...

Page 51: ...resource you are configuring Description Optional Provides a field where you can enter a description for this protected resource You can use it to briefly describe the purpose for protecting this res...

Page 52: ...ferent authentication contract 8 Click OK then click Update OK 9 To update the Identity Server click Identity Servers then click Update OK Whenever you set up a new trusted identity configuration you...

Page 53: ...e name www mytest com to resolve to the Access Gateway and the Access Gateway is configured to proxy the request to a Web server You have users access the application server with the URL www mytest co...

Page 54: ...he browsers If you haven t see Configuring SSL Communication with the Browsers and the Identity Server in the Novell Access Manager 3 1 SP2 Access Gateway Guide 2 In the Proxy Service List section cli...

Page 55: ...cation Authentication Required for the First Page If you want users to authenticate before they have access to the first page of the application you need to create two protected resources one to promp...

Page 56: ...ically assigned to the path Create the path to the application Click New specify the path to the application for example j2ee payroll then click OK The protected resource that you created for this pat...

Page 57: ...connections For JBoss the default value is 8443 For WebSphere the default value is 9443 For WebLogic the default value is 7002 19 Click OK 20 Click the Access Gateways link 21 On the Access Gateways...

Page 58: ...e application server 1 In the Administration Console click Devices Access Gateways Edit Reverse Proxy Name The following steps assume that you have already enabled SSL between the Access Gateway and t...

Page 59: ...you just created 6 Click Web Servers 7 To configure SSL select Connect Using SSL This option is not available if you have not set up SSL between the browsers and the Access Gateway See Configuring SSL...

Page 60: ...hen continue with Step 16 J2EE Agent configuration allows you to set up authentication and access restrictions to the pages in the application Authentication Required for the First Page If you want us...

Page 61: ...basic authentication over HTTPS using a standard login pop up provided by the Web browser Secure Name Password Form Specifies a form based authentication over HTTPS using the Access Manager login form...

Page 62: ...parts Scheme For the scheme specify the scheme you have configured the Access Gateway to use for connections http or https If you have configured the Access Gateway to use SSL the scheme needs to be...

Page 63: ...ic agents Section 3 1 Prerequisites on page 63 Section 3 2 Creating a Cluster Configuration on page 63 Section 3 3 Assigning a J2EE Agent to a Cluster on page 64 Section 3 4 Modifying Cluster Details...

Page 64: ...4 Click OK The status icons for the configuration and the J2EE Agent should turn green It might take several seconds for the J2EE Agent to start and for the system to display a green status 3 3 Assign...

Page 65: ...ef description of the J2EE Agent cluster Primary Server Specify the IP address of the primary server in that J2EE Agent cluster The Cluster Members section displays the IP address and other details of...

Page 66: ...EE Agent Guide novdocx en 16 April 2010 4 Click OK IMPORTANT If you are not going to assign the agent to another cluster you need to reconfigure it You also need to reconfigure the L4 switch and remov...

Page 67: ...e Section 4 1 1 Configuring for Login on page 67 Section 4 1 2 Configuring for Logout on page 68 The web xml file of the sample application PayrollApp ear has these modifications The location of this...

Page 68: ...and single logout the J2EE Agent supports the following Notifying the Identity Server about application level logout events Informing the J2EE applications when the Identity Server logs a user out For...

Page 69: ...let The function of the LogoutServlet is to notify the Identity Server about the application logout The Identity Server is responsible for notifying all other components about the logout 4 2 Configuri...

Page 70: ...a login page that requires authentication The JAAC provider in the JBoss server is not informed about the login servlet For example suppose that the login page for the application has a configuration...

Page 71: ...ther with the web xml file within the war file or with Access Manager policies In Access Manager you deny access to the anonymous user by creating an authorization policy that denies access to anyone...

Page 72: ...or group to J2EE roles This is Step 7 of the deployment process NOTE In the graphic a WebSphere user named m1 was created and used for the RunAs configuration You can createt any user or username for...

Page 73: ...tion 9 8 Authorization Fails in the WebSphere Application on page 122 4 3 3 Configuring the Trust Association Interceptor Module for WebSphere Application The Trust Association Interceptor TAI module...

Page 74: ...ssion as generated by Access Manager User Roles This is a list of the iManager roles for the user All fields are fixed strings stored within the HttpServletRequest as retrievable HTTP headers When TAI...

Page 75: ...st header that contains the fully distinguished user name in LDAP format It is passed on to WebSphere Application Server as the WSCREDENTIAL_UNIQUEID attribute and used in the arrangement of group mem...

Page 76: ...is used in conjunction with Access Manager Update Behavior One of the TAI s key pieces of functionality is the establishment of group memberships for the currently logged in user as identified by Acce...

Page 77: ...for the TAI module Assign the following rights to this user Create and Modify rights to the ou Groups o MP container Modify rights to the Membership attribute of all users under the user container Cr...

Page 78: ...r value you want cache key header X Novell TAI Cookie role header X Novell TAI Roles role separator presentation container for example ou Groups o MP update connection ldap ldapserver DNS name 389 upd...

Page 79: ...e Application Server select System Administration Console Settings Console Groups 2 Click Add and add the wasadmins group 3 Assign the role of Administrator to this group Editing Cache Settings 1 Edit...

Page 80: ...WebSphere server select Application Servers WebSphere_Portal WebSphere_Portal Change log level details 2 Select com novell consulting 3 Set the appropriate log level and save changes NOTE If com nove...

Page 81: ...e Identity Injection policy to the WebSphere Portal Server application resources Configuring the Roles Policy on page 81 Configuring the Identity Injection Policy for WebSphere Portal Server Applicati...

Page 82: ...em with the appropriate Authentication contracts Configuring the Identity Injection Policy for WebSphere Portal Server Application Resources Add the following information to the WPS_roles policy then...

Page 83: ...Preparing the Applications and the J2EE Servers 83 novdocx en 16 April 2010...

Page 84: ...the domain When this user is mapped to the Manager role all users with the Manager role can run the EJB The weblogic enterprise bean section of the file should look similar to the following for the s...

Page 85: ...ver log files to record information about what is being processed by the J2EE Agent Section 5 1 1 Tracing Events to Log Files on page 85 Section 5 1 2 Enabling the Auditing of Events on page 86 5 1 1...

Page 86: ...ervice Provider module is the J2EE Agent module that communicates with the Identity Server This module handles all the authentication requests that need to be forwarded to the Identity Server for veri...

Page 87: ...lect when enabling SSL between the agent and the Identity Server If you replace this certificate you need to replace it with a certificate whose subject name cn matches the DNS name of the agent Trust...

Page 88: ...re your J2EE server to use a different IP address after you have installed a J2EE Agent the communication channel between the Administration Console and the J2EE Agent breaks The Administration Consol...

Page 89: ...plain how to set up security for your J2EE resources Section 6 1 Configuring Access Control on page 89 Section 6 2 Protecting Web Resources on page 90 Section 6 3 Protecting Enterprise JavaBeans Resou...

Page 90: ...2 Protecting Web Resources on page 90 Section 6 3 Protecting Enterprise JavaBeans Resources on page 92 6 2 Protecting Web Resources Because you can define multiple protected resources for each Web app...

Page 91: ...ht be less disruptive to your network environment than restarting the Web server For the JBoss Agent selecting the SSL Required option is only part of the process On JBoss you must also either disable...

Page 92: ...can define multiple protected resources for each JavaBean you can create one policy that protects the module and another policy that protects specific interfaces or methods For example you can create...

Page 93: ...fied the policy is applied to all methods listed in the Method field If the list is empty the policy is applied only to the methods that have an empty set of parameters If the field contains parameter...

Page 94: ...t then click Enable If no policies appear in the list you haven t created any Click Manage Policies For configuration information see WARNING EJBs that are configured to run as a role can only use lim...

Page 95: ...ents examples directory This section has the following information Section 7 1 Deploying the Sample Payroll Application on page 95 Section 7 2 Preparing the Sample Application for the Agent on page 96...

Page 96: ...s FORM authentication This is specified in the login config section of the application descriptor in the WEB INF web xml file as follows login config auth method FORM auth method form login config for...

Page 97: ...use the agent for login and logout See Section 4 1 Preparing the Application for the Agent on page 67 These steps have already been performed for the sample application See the web xml file in the app...

Page 98: ...access to their own information pages These policies do not require any J2EE server configuration to correctly enforce the policies Section 7 4 1 Creating an Employee Role and a Manager Role on page...

Page 99: ...w 5 In Condition Group 1 click New create a condition that matches your employees but not your managers activate the Employee role then click OK The following rule uses the LDAP OU condition to determ...

Page 100: ...requires its own type of Authorization policies and to fully protect the application you must create the following policies Creating EJB Authorization Policies on page 100 Creating Web Authorization P...

Page 101: ...d look similar to the following 6 To save your employee policy click OK Apply Changes 7 To create a policy for the managers click New specify a name for the policy select J2EE Agent EJB Authorization...

Page 102: ...k OK Your rule should look similar to the following 11 To save your manager policy click OK Apply Changes 12 Continue with Creating Web Authorization Policies on page 102 Creating Web Authorization Po...

Page 103: ...ed the Employee role then click OK Your rule should look similar to the following 4 To create the second rule in the policy click New 5 To create a generic deny rule assign a deny action then click OK...

Page 104: ...up a condition that permits access if the user has been assigned the Manager role then click OK Your rule should look similar to the following 9 To create the second rule in the policy click New 10 T...

Page 105: ...click Manage authorization policies 3 Click New specify the name of the payroll war file PayrollWeb war select Web Module as the Type then click OK 4 Click New to create the required protected resourc...

Page 106: ...JB is not assigned an Authorization policy This allows everyone who can log in to the Identity Server to have access to the public EJBs of the application The EmployeeEJB enables the PayrollEJBManager...

Page 107: ...r J2EE server JBoss This tasks have already been performed for JBoss To understand what was modified see Section 4 2 Configuring Applications on the JBoss Server on page 69 WebSphere See Section 4 3 2...

Page 108: ...108 Novell Access Manager 3 1 SP2 J2EE Agent Guide novdocx en 16 April 2010...

Page 109: ...wing Platform Information on page 116 Section 8 9 Viewing the Status of Recent Commands on page 116 Section 8 10 Stopping and Starting the Agent on page 117 Section 8 11 Stopping and Starting the Embe...

Page 110: ...tings have been modified on the Identity Server the update logging settings option is available Pending indicates that the agent is processing a configuration change but has not completed the process...

Page 111: ...e might be stale click Refresh 3 If you want to have the page refreshed with the information sent from the agent click Update from Server 4 If the status icon does not turn green view the information...

Page 112: ...contract and assigned a base URL See Section 2 3 Configuring the Agent for Direct Access on page 47 Authorization Provider Indicates whether the agent has been configured to use authorization policies...

Page 113: ...n correcting the problem you should clear the alert from the list 1 In the Administration Console click Devices J2EE Agents Name of Agent Alerts 2 To send an acknowledgement select the check box by th...

Page 114: ...ge 86 and Section 5 3 Configuring SSL Certificate Trust on page 87 The Embedded Service Provider could not be contacted due to a socket exception Check that the Embedded Service Provider is running pr...

Page 115: ...or static statistics Statistics Select this option to view the statistics as currently gathered The page is static and the statistics are not updated until you click Live Statistics Monitoring Live St...

Page 116: ...pecifies the type of server on which the J2EE Agent is installed JBoss WebLogic or WebSphere for this release Other types are in development Server Platform Specifies the operating system of the J2EE...

Page 117: ...the action to stop and start the Embedded Service Provider occurs the user loses the items in the shopping cart but can continue shopping and adding new items without logging in again To stop or start...

Page 118: ...no longer manage it Usually you delete an agent only if you are removing the agent from the J2EE server or if you want another console to manage the agent After you have deleted an agent the only way...

Page 119: ...leshooting the J2EE Agent Import If the J2EE Agent does not appear in the Administration Console after the installation has finished try one or more of the following If the import started and failed t...

Page 120: ...Pack 17 of 6 1 9 4 Auto import Agents Fails on WebLogic Running on RedHat When you install the J2EE Agents on a WebLogic server running on RedHat Enterprise Linux auto import agents might fail with th...

Page 121: ...tallation was performed on a new instance of the WebSphere Application Server that is part of the WebSphere Cell If it is the possible cause could be that the installer uses the wsadmin script provide...

Page 122: ...dsJaccRoles xml file indicate whether the RunAs roles and user grouptorole mappings are automatically propagated to the JAAC module If you use SLES as your WebSphere host the file is located in a path...

Page 123: ...file On Windows the NAuditPA jar file is located in Program Files novell Nsure Audit directory On Linux the file is located in opt novell naudit java pa directory Section 9 9 1 JBoss Agent on page 123...

Page 124: ...og messages are logged to the JBOSS_HOME log jboss log file if you launched the JBoss server by using the run sh script found in the bin folder Messages are also sent to the console so you should chec...

Page 125: ...Access Deny Request NO Is theAccess ManagerAuthorization policy enabled YES NO YES NO Is the user authenticated YES NO Does it match a protected resourse YES NO Is the login successful YES Is the App...

Page 126: ...ion policy you must select the Enforce additional authorization policy option create a protected resource create a policy for the resource then enable the policy Protected Resource If you have enabled...

Reviews:

No comments