manualshive.com logo in svg

Novell Access Manager 3.1 SP 2, Руководство пользователя, Страница: 122 / 126

Поделиться
Скачать
Novell Access Manager 3.1 SP 2 Скачать руководство пользователя страница 122

122

Novell Access Manager 3.1 SP2 J2EE Agent Guide

n

ov

do

cx (e

n)

  16
 Ap
ril 20

10

9.7  Unable to Federate WebSphere Custom 

Profile If Agent Already Installed 

When a WebSphere server instance that is created   one machine is federated into the deployment 
manager of another machine that already has server instances with J2EE Agent installed, the newly 
federated server instance   not start. This is because, the security configuration changes that are 
performed apply to all the instances of the deployment manager and all the application server 
instances that are part of it. 

To work around this problem, copy the following files from the 

$WAS_HOME$/lib

 folder of the 

machine that has agents installed,  to the 

$WAS_HOME$/lib

 folder of the new machine, then restart 

the server:

Š

NidsCommonAgent-unsign.jar

Š

NidsWebSphere-unsign.jar

Š

nxpe.jar

Š

jcc-unsign.jar

Š

nxpe-toolkit-unsign.jar

9.8  Authorization Fails in the WebSphere 

Application

Entries in the 

NidsJaccRoles.xml

 file indicate whether the 

RunAs

 roles and user/grouptorole 

mappings are automatically propagated to the JAAC module. If you use SLES as your WebSphere 
host, the file is located in a path similar to the following example:

/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/novell/cells/sles10Node01Cell/
nodes/sles10Nodeo1/servers/server1/NidsJaccRoles.xml

The entries look similar to the following:

<J2EERole roleId="Manager">
<User Name="

If you have configured WebSphere to map roles, the authorization of the user might occasionally 
fail. This could be because, when 

Run As

 roles and user/grouptorole mappings are configured after 

the J2EE Agent is installed, they fail to be propagated to the JAAC module  even after a restart. 

To workaround this issue:

1

Browse to the folder where the Novell J2EE Agent is installed.

2

Open 

uDontKnowJacc.jy

, which is located in the 

/novell/nids_agents/bin

 folder.

3

Delete the first line.

4

Modify 

member1

 to 

<application server name>

.

Replace 

<application server name>

 with the name of the application server instance where 

NIDPJ2EEApp is installed.

5
6

Execute the following command at the shell prompt:

Содержание Access Manager 3.1 SP 2

Страница 1: ...Novell www novell com novdocx en 16 April 2010 AUTHORIZED DOCUMENTATION Novell Access Manager 3 1 SP2 J2EE Agent Guide Access Manager 3 1 SP 2 June 11 2010 J2EE Agent Guide...

Страница 2: ...nd the trade laws of other countries You agree to comply with all export control regulations and to obtain any required licenses or classification to export re export or import deliverables You agree...

Страница 3: ...Trademarks For Novell trademarks see the Novell Trademark and Service Mark list http www novell com company legal trademarks tmlist html Third Party Materials All third party trademarks are the prope...

Страница 4: ...4 Novell Access Manager 3 1 SP2 J2EE Agent Guide novdocx en 16 April 2010...

Страница 5: ...e Console 39 1 7 4 Configuring WebLogic for J2EE Agents 40 1 8 Verifying If a J2EE Agent Is Installed 43 1 9 Uninstalling a J2EE Agent 43 2 Configuring the Agent for Authentication 45 2 1 Prerequisite...

Страница 6: ...88 5 5 Changing the IP Address of a J2EE Agent 88 6 Protecting Web and Enterprise JavaBeans Modules 89 6 1 Configuring Access Control 89 6 2 Protecting Web Resources 90 6 2 1 Creating a Protected Res...

Страница 7: ...Attributes 119 9 3 The Health Status Displays as Server Is Not Responding 120 9 4 Auto import Agents Fails on WebLogic Running on RedHat 120 9 5 Error Invalid Administration Server IP Address 120 9 5...

Страница 8: ...8 Novell Access Manager 3 1 SP2 J2EE Agent Guide novdocx en 16 April 2010...

Страница 9: ...ing Internet protocols such as Extensible Markup Language XML Simple Object Access Protocol SOAP Security Assertion Markup Language SAML Public Key Infrastructure PKI digital signature concepts and In...

Страница 10: ...miliar with the Novell Access Manager 3 1 SP2 Installation Guide and the Novell Access Manager 3 1 SP2 Setup Guide which provide information about setting up the Access Manager system Documentation Co...

Страница 11: ...installing a J2EE Agent on page 43 1 1 Overview of the J2EE Agents Users of application servers such as J2EE servers commonly fall into one of three abstract roles buyer seller or administrator For ex...

Страница 12: ...tall J2EE Agent does not have any other Access Manager components installed on it You must have a static IP address If you do not have a static IP address and the address assigned at boot changes the...

Страница 13: ...10 on 32 bit and 64 bit platforms Red Hat 5 Windows The following versions of operating systems with the latest support packs are supported on Windows Windows Server 2003 Linux The following operating...

Страница 14: ...service is already installed browse to the following location and check to see if a folder named jboss web deployer already exists path to your custom configuration deploy If the folder does exist it...

Страница 15: ...sName org jboss security plugins JaasSecurityMa nager attribute attribute name DefaultUnauthenticatedPrincipal anonymous attribute attribute name DefaultCacheTimeout 1800 attribute attribute name Defa...

Страница 16: ...cx en 16 April 2010 3 Review the License Agreement accept it then click Next The installation selection page is displayed 4 Select a directory to install the Novell J2EE agent components then click Ne...

Страница 17: ...nstaller uses the java home property value of the Java runtime that is used to run the installer to proceed with the installation 6 Optional If you want to select another JVM click Choose Another and...

Страница 18: ...ssword of the admin user of the Novell Access Manager Administration Console Confirm Password Specify the password again to confirm it Application Server IP Address Current Host Review the entered add...

Страница 19: ...have the Audit server installed follow the prompts to continue using the existing Audit server or to replace it 11a Conditional To continue using the same server click Yes to display the Audit Server...

Страница 20: ...ver click No select Use following Audit Server then specify an IP address for the Audit server 12 Click Next The Select Application Server page is displayed 13 Click OK on the Alert when the following...

Страница 21: ...art JBoss The agent is not imported into the Administration Console until the JBoss server is running 21 To verify the installation of the agent see Section 1 8 Verifying If a J2EE Agent Is Installed...

Страница 22: ...the existing Audit server Press 2 to replace the existing Audit server then specify the IP address of the new server 8b Conditional Press 1 to use the existing Novell Audit Configuration 8c Conditiona...

Страница 23: ...ine meets the minimum requirements See Section 1 3 Prerequisites on page 12 NOTE If you have disabled the admin security feature in WebSphere the installation of J2EE agent will be successful but you...

Страница 24: ...ocx en 16 April 2010 3 Select a directory to install the Novell J2EE agent components then click Next The Choose Java Virtual Machine page is displayed 4 Select a Java Virtual Machine JVM to be used b...

Страница 25: ...your Novell Access Manager Administration Console Username Specify the username of the admin user of the Novell Access Manager Administration Console Password Specify password of the admin user of th...

Страница 26: ...Agent Guide novdocx en 16 April 2010 9b Conditional If you have the Audit server installed specify if you want to replace the existing audit server or use the existing server 10 Click Next The Select...

Страница 27: ...en 16 April 2010 11 Select WebSphere then click Next The WebSphere Application Server Settings page is displayed 12 Specify the directory where you have installed the WebSphere server and click Next T...

Страница 28: ...stall the Novell J2EE agent components or press Enter to continue with the default installation path 5 Specify a Java Virtual Machine JVM to be used by the installed application All the available JVMs...

Страница 29: ...agent see Section 1 8 Verifying If a J2EE Agent Is Installed on page 43 1 6 4 Configuring WebSphere for J2EE Agents After you install the WebSphere application server you must use the ConfigureWSAgent...

Страница 30: ...re the J2EE agent is installed and click Next The Novell Administration Server Communications Credentials page is displayed 5 Specify the administration credentials to contact the Novell Access Manage...

Страница 31: ...l nids agent auth websphere NidsLTPALoginModule to the top of the list 13a Open the IBM administration console 13b Click Security Secure administration applications and infrastructure 13c Expand the J...

Страница 32: ...the Installer 1 Make sure that the WebLogic server is running The WebLogic server must be running if you are performing a single server installation of J2EE Agents The WebLogin server does not need to...

Страница 33: ...nstaller uses the java home property value of the Java runtime that is used to run the installer to proceed with the installation 6 Optional If you want to select another JVM click Choose Another and...

Страница 34: ...l Access Manager Administration Console Confirm Password Specify the password again to confirm it Application Server IP Address Current Host Review the entered address If your server is configured for...

Страница 35: ...5 novdocx en 16 April 2010 10b Conditional If you have the Audit server installed specify if you want to replace the existing Audit server or use the existing server 11 Click Next The Select Applicati...

Страница 36: ...click Next The installation selection page is displayed 13 Specify the path to the directory where WebLogic is installed or click Choose to select a folder for installation Click Restore Default to re...

Страница 37: ...erver Select this option to install a single instance of an application server Base Select this option while installing the agent on a machine that acts as a node and is part of a cluster Cluster Sele...

Страница 38: ...Choose to select a folder for installation Click Restore Default to restore the default installation location 17 Click Next The WebLogic Administration Console Details page is displayed 18 Specify the...

Страница 39: ...e Payroll Application on page 95 1 7 3 Installing a J2EE Agent through the Console 1 Download the agent installer For software download instructions see the Novell Access Manager Readme 2 Enter the fo...

Страница 40: ...IP address of the Administration Console then press Enter 15 Specify a port number for the Administration Console then press Enter 16 Specify the username of the admin user of the Administration Conso...

Страница 41: ...OME weblogic policy file Configuring the Login To configure the login you can use either use a script or the WebLogic Administration Console Using a Script to Configure Login on page 41 Using the Admi...

Страница 42: ...igure Login In the WebLogic Administration Console you need to configure the JAAS Login Module 1 Start WebLogic 2 In a browser log in to the WebLogic Administration console http weblogic ip Weblogic p...

Страница 43: ...n several minutes after installation click repair import to fix it If you have waited at least ten minutes but the message doesn t disappear and the agent doesn t appear in the list click the repair i...

Страница 44: ...44 Novell Access Manager 3 1 SP2 J2EE Agent Guide novdocx en 16 April 2010...

Страница 45: ...sites on page 45 Section 2 2 Possible Configurations on page 45 Section 2 3 Configuring the Agent for Direct Access on page 47 Section 2 4 Configuring Authentication Contracts on page 49 Section 2 5 P...

Страница 46: ...verifies the username and password against a user store an LDAP directory 4 The Identity Server builds the roles for the user and redirects the user back to the application server 5 The agent verifie...

Страница 47: ...assword against a user store an LDAP directory 4 The Identity Server builds the roles for the user and redirects the user back to the Access Gateway 5 The Access Gateway directs the user s request to...

Страница 48: ...sic authentication over HTTPS using a standard login pop up provided by the Web browser Secure Name Password Form Specifies a form based authentication over HTTPS using the Access Manager login form A...

Страница 49: ...for JBoss 7001 for WebLogic and 9080 for WebSphere If you have configured a different port use that port 3 Click OK then click Update OK 4 To update the Identity Server click Identity Servers then cli...

Страница 50: ...3 1 SP2 J2EE Agent Guide novdocx en 16 April 2010 2 Click Manage authorization policies to configure J2EE Agents Policies The Protected Web and EJB Resource page is displayed 3 Click New to create a n...

Страница 51: ...resource you are configuring Description Optional Provides a field where you can enter a description for this protected resource You can use it to briefly describe the purpose for protecting this res...

Страница 52: ...ferent authentication contract 8 Click OK then click Update OK 9 To update the Identity Server click Identity Servers then click Update OK Whenever you set up a new trusted identity configuration you...

Страница 53: ...e name www mytest com to resolve to the Access Gateway and the Access Gateway is configured to proxy the request to a Web server You have users access the application server with the URL www mytest co...

Страница 54: ...he browsers If you haven t see Configuring SSL Communication with the Browsers and the Identity Server in the Novell Access Manager 3 1 SP2 Access Gateway Guide 2 In the Proxy Service List section cli...

Страница 55: ...cation Authentication Required for the First Page If you want users to authenticate before they have access to the first page of the application you need to create two protected resources one to promp...

Страница 56: ...ically assigned to the path Create the path to the application Click New specify the path to the application for example j2ee payroll then click OK The protected resource that you created for this pat...

Страница 57: ...connections For JBoss the default value is 8443 For WebSphere the default value is 9443 For WebLogic the default value is 7002 19 Click OK 20 Click the Access Gateways link 21 On the Access Gateways...

Страница 58: ...e application server 1 In the Administration Console click Devices Access Gateways Edit Reverse Proxy Name The following steps assume that you have already enabled SSL between the Access Gateway and t...

Страница 59: ...you just created 6 Click Web Servers 7 To configure SSL select Connect Using SSL This option is not available if you have not set up SSL between the browsers and the Access Gateway See Configuring SSL...

Страница 60: ...hen continue with Step 16 J2EE Agent configuration allows you to set up authentication and access restrictions to the pages in the application Authentication Required for the First Page If you want us...

Страница 61: ...basic authentication over HTTPS using a standard login pop up provided by the Web browser Secure Name Password Form Specifies a form based authentication over HTTPS using the Access Manager login form...

Страница 62: ...parts Scheme For the scheme specify the scheme you have configured the Access Gateway to use for connections http or https If you have configured the Access Gateway to use SSL the scheme needs to be...

Страница 63: ...ic agents Section 3 1 Prerequisites on page 63 Section 3 2 Creating a Cluster Configuration on page 63 Section 3 3 Assigning a J2EE Agent to a Cluster on page 64 Section 3 4 Modifying Cluster Details...

Страница 64: ...4 Click OK The status icons for the configuration and the J2EE Agent should turn green It might take several seconds for the J2EE Agent to start and for the system to display a green status 3 3 Assign...

Страница 65: ...ef description of the J2EE Agent cluster Primary Server Specify the IP address of the primary server in that J2EE Agent cluster The Cluster Members section displays the IP address and other details of...

Страница 66: ...EE Agent Guide novdocx en 16 April 2010 4 Click OK IMPORTANT If you are not going to assign the agent to another cluster you need to reconfigure it You also need to reconfigure the L4 switch and remov...

Страница 67: ...e Section 4 1 1 Configuring for Login on page 67 Section 4 1 2 Configuring for Logout on page 68 The web xml file of the sample application PayrollApp ear has these modifications The location of this...

Страница 68: ...and single logout the J2EE Agent supports the following Notifying the Identity Server about application level logout events Informing the J2EE applications when the Identity Server logs a user out For...

Страница 69: ...let The function of the LogoutServlet is to notify the Identity Server about the application logout The Identity Server is responsible for notifying all other components about the logout 4 2 Configuri...

Страница 70: ...a login page that requires authentication The JAAC provider in the JBoss server is not informed about the login servlet For example suppose that the login page for the application has a configuration...

Страница 71: ...ther with the web xml file within the war file or with Access Manager policies In Access Manager you deny access to the anonymous user by creating an authorization policy that denies access to anyone...

Страница 72: ...or group to J2EE roles This is Step 7 of the deployment process NOTE In the graphic a WebSphere user named m1 was created and used for the RunAs configuration You can createt any user or username for...

Страница 73: ...tion 9 8 Authorization Fails in the WebSphere Application on page 122 4 3 3 Configuring the Trust Association Interceptor Module for WebSphere Application The Trust Association Interceptor TAI module...

Страница 74: ...ssion as generated by Access Manager User Roles This is a list of the iManager roles for the user All fields are fixed strings stored within the HttpServletRequest as retrievable HTTP headers When TAI...

Страница 75: ...st header that contains the fully distinguished user name in LDAP format It is passed on to WebSphere Application Server as the WSCREDENTIAL_UNIQUEID attribute and used in the arrangement of group mem...

Страница 76: ...is used in conjunction with Access Manager Update Behavior One of the TAI s key pieces of functionality is the establishment of group memberships for the currently logged in user as identified by Acce...

Страница 77: ...for the TAI module Assign the following rights to this user Create and Modify rights to the ou Groups o MP container Modify rights to the Membership attribute of all users under the user container Cr...

Страница 78: ...r value you want cache key header X Novell TAI Cookie role header X Novell TAI Roles role separator presentation container for example ou Groups o MP update connection ldap ldapserver DNS name 389 upd...

Страница 79: ...e Application Server select System Administration Console Settings Console Groups 2 Click Add and add the wasadmins group 3 Assign the role of Administrator to this group Editing Cache Settings 1 Edit...

Страница 80: ...WebSphere server select Application Servers WebSphere_Portal WebSphere_Portal Change log level details 2 Select com novell consulting 3 Set the appropriate log level and save changes NOTE If com nove...

Страница 81: ...e Identity Injection policy to the WebSphere Portal Server application resources Configuring the Roles Policy on page 81 Configuring the Identity Injection Policy for WebSphere Portal Server Applicati...

Страница 82: ...em with the appropriate Authentication contracts Configuring the Identity Injection Policy for WebSphere Portal Server Application Resources Add the following information to the WPS_roles policy then...

Страница 83: ...Preparing the Applications and the J2EE Servers 83 novdocx en 16 April 2010...

Страница 84: ...the domain When this user is mapped to the Manager role all users with the Manager role can run the EJB The weblogic enterprise bean section of the file should look similar to the following for the s...

Страница 85: ...ver log files to record information about what is being processed by the J2EE Agent Section 5 1 1 Tracing Events to Log Files on page 85 Section 5 1 2 Enabling the Auditing of Events on page 86 5 1 1...

Страница 86: ...ervice Provider module is the J2EE Agent module that communicates with the Identity Server This module handles all the authentication requests that need to be forwarded to the Identity Server for veri...

Страница 87: ...lect when enabling SSL between the agent and the Identity Server If you replace this certificate you need to replace it with a certificate whose subject name cn matches the DNS name of the agent Trust...

Страница 88: ...re your J2EE server to use a different IP address after you have installed a J2EE Agent the communication channel between the Administration Console and the J2EE Agent breaks The Administration Consol...

Страница 89: ...plain how to set up security for your J2EE resources Section 6 1 Configuring Access Control on page 89 Section 6 2 Protecting Web Resources on page 90 Section 6 3 Protecting Enterprise JavaBeans Resou...

Страница 90: ...2 Protecting Web Resources on page 90 Section 6 3 Protecting Enterprise JavaBeans Resources on page 92 6 2 Protecting Web Resources Because you can define multiple protected resources for each Web app...

Страница 91: ...ht be less disruptive to your network environment than restarting the Web server For the JBoss Agent selecting the SSL Required option is only part of the process On JBoss you must also either disable...

Страница 92: ...can define multiple protected resources for each JavaBean you can create one policy that protects the module and another policy that protects specific interfaces or methods For example you can create...

Страница 93: ...fied the policy is applied to all methods listed in the Method field If the list is empty the policy is applied only to the methods that have an empty set of parameters If the field contains parameter...

Страница 94: ...t then click Enable If no policies appear in the list you haven t created any Click Manage Policies For configuration information see WARNING EJBs that are configured to run as a role can only use lim...

Страница 95: ...ents examples directory This section has the following information Section 7 1 Deploying the Sample Payroll Application on page 95 Section 7 2 Preparing the Sample Application for the Agent on page 96...

Страница 96: ...s FORM authentication This is specified in the login config section of the application descriptor in the WEB INF web xml file as follows login config auth method FORM auth method form login config for...

Страница 97: ...use the agent for login and logout See Section 4 1 Preparing the Application for the Agent on page 67 These steps have already been performed for the sample application See the web xml file in the app...

Страница 98: ...access to their own information pages These policies do not require any J2EE server configuration to correctly enforce the policies Section 7 4 1 Creating an Employee Role and a Manager Role on page...

Страница 99: ...w 5 In Condition Group 1 click New create a condition that matches your employees but not your managers activate the Employee role then click OK The following rule uses the LDAP OU condition to determ...

Страница 100: ...requires its own type of Authorization policies and to fully protect the application you must create the following policies Creating EJB Authorization Policies on page 100 Creating Web Authorization P...

Страница 101: ...d look similar to the following 6 To save your employee policy click OK Apply Changes 7 To create a policy for the managers click New specify a name for the policy select J2EE Agent EJB Authorization...

Страница 102: ...k OK Your rule should look similar to the following 11 To save your manager policy click OK Apply Changes 12 Continue with Creating Web Authorization Policies on page 102 Creating Web Authorization Po...

Страница 103: ...ed the Employee role then click OK Your rule should look similar to the following 4 To create the second rule in the policy click New 5 To create a generic deny rule assign a deny action then click OK...

Страница 104: ...up a condition that permits access if the user has been assigned the Manager role then click OK Your rule should look similar to the following 9 To create the second rule in the policy click New 10 T...

Страница 105: ...click Manage authorization policies 3 Click New specify the name of the payroll war file PayrollWeb war select Web Module as the Type then click OK 4 Click New to create the required protected resourc...

Страница 106: ...JB is not assigned an Authorization policy This allows everyone who can log in to the Identity Server to have access to the public EJBs of the application The EmployeeEJB enables the PayrollEJBManager...

Страница 107: ...r J2EE server JBoss This tasks have already been performed for JBoss To understand what was modified see Section 4 2 Configuring Applications on the JBoss Server on page 69 WebSphere See Section 4 3 2...

Страница 108: ...108 Novell Access Manager 3 1 SP2 J2EE Agent Guide novdocx en 16 April 2010...

Страница 109: ...wing Platform Information on page 116 Section 8 9 Viewing the Status of Recent Commands on page 116 Section 8 10 Stopping and Starting the Agent on page 117 Section 8 11 Stopping and Starting the Embe...

Страница 110: ...tings have been modified on the Identity Server the update logging settings option is available Pending indicates that the agent is processing a configuration change but has not completed the process...

Страница 111: ...e might be stale click Refresh 3 If you want to have the page refreshed with the information sent from the agent click Update from Server 4 If the status icon does not turn green view the information...

Страница 112: ...contract and assigned a base URL See Section 2 3 Configuring the Agent for Direct Access on page 47 Authorization Provider Indicates whether the agent has been configured to use authorization policies...

Страница 113: ...n correcting the problem you should clear the alert from the list 1 In the Administration Console click Devices J2EE Agents Name of Agent Alerts 2 To send an acknowledgement select the check box by th...

Страница 114: ...ge 86 and Section 5 3 Configuring SSL Certificate Trust on page 87 The Embedded Service Provider could not be contacted due to a socket exception Check that the Embedded Service Provider is running pr...

Страница 115: ...or static statistics Statistics Select this option to view the statistics as currently gathered The page is static and the statistics are not updated until you click Live Statistics Monitoring Live St...

Страница 116: ...pecifies the type of server on which the J2EE Agent is installed JBoss WebLogic or WebSphere for this release Other types are in development Server Platform Specifies the operating system of the J2EE...

Страница 117: ...the action to stop and start the Embedded Service Provider occurs the user loses the items in the shopping cart but can continue shopping and adding new items without logging in again To stop or start...

Страница 118: ...no longer manage it Usually you delete an agent only if you are removing the agent from the J2EE server or if you want another console to manage the agent After you have deleted an agent the only way...

Страница 119: ...leshooting the J2EE Agent Import If the J2EE Agent does not appear in the Administration Console after the installation has finished try one or more of the following If the import started and failed t...

Страница 120: ...Pack 17 of 6 1 9 4 Auto import Agents Fails on WebLogic Running on RedHat When you install the J2EE Agents on a WebLogic server running on RedHat Enterprise Linux auto import agents might fail with th...

Страница 121: ...tallation was performed on a new instance of the WebSphere Application Server that is part of the WebSphere Cell If it is the possible cause could be that the installer uses the wsadmin script provide...

Страница 122: ...dsJaccRoles xml file indicate whether the RunAs roles and user grouptorole mappings are automatically propagated to the JAAC module If you use SLES as your WebSphere host the file is located in a path...

Страница 123: ...file On Windows the NAuditPA jar file is located in Program Files novell Nsure Audit directory On Linux the file is located in opt novell naudit java pa directory Section 9 9 1 JBoss Agent on page 123...

Страница 124: ...og messages are logged to the JBOSS_HOME log jboss log file if you launched the JBoss server by using the run sh script found in the bin folder Messages are also sent to the console so you should chec...

Страница 125: ...Access Deny Request NO Is theAccess ManagerAuthorization policy enabled YES NO YES NO Is the user authenticated YES NO Does it match a protected resourse YES NO Is the login successful YES Is the App...

Страница 126: ...ion policy you must select the Enforce additional authorization policy option create a protected resource create a policy for the resource then enable the policy Protected Resource If you have enabled...

Отзывы:

Нет отзывов