Novell IMANAGER 2.7.3 Скачать руководство пользователя страница 109 | Manualshive

Страница: 109 / 114

background image

iManager Security Issues

A

109

n

ov

do

cx (e

n)

22
Ju

n

e 20
09

A

iManager Security Issues

This section provides information about potential security issues related to iManager, and includes
information about the following topics:

Section A.1, “Secure LDAP Certificates,” on page 109

Section A.2, “Self-Signed Certificates,” on page 110

Section A.3, “iManager Authorized Users and Groups,” on page 110

Section A.4, “Preventing Username Discovery,” on page 111

Section A.5, “Tomcat Settings,” on page 111

Section A.6, “Encrypted Attributes,” on page 112

Section A.7, “Secure Connections,” on page 112

A.1 Secure LDAP Certificates

iManager can create secure LDAP connections behind the scenes without any user intervention. If
the LDAP server’s SSL certificate is updated for any reason (for example, new Organizational CA),
iManager should automatically retrieve the new certificate using the authenticated connection and
import it into its own keystore database.

If this does not happen correctly, you must delete the private key store that iManager uses, in order
to force iManager and Tomcat to re-create the database and reacquire the certificate:

1

Shut down Tomcat.

2

Delete the

TOMCAT_HOME

\webapps\nps\WEB-INF\iMKS

file.

3

Restart Tomcat.
For information about restarting Tomcat, see

“Starting and Stopping Tomcat” on page 94

.

4

Open iManager in a browser and log back in to the tree, to automatically reacquire the new
certificate and re-create the database store.

Alternately, you can also manually import the required certificate into Tomcat’s JVM default
keystore using the keytool certificate management utility available in the JDK*. When creating
secure SSL connections, iManager first tries the JVM default keystore, then uses the iManager
specific keystore database.

After you have an eDirectory

TM

certificate saved in DER format, you must import the trusted root

certificate into the iManager keystore. To do this, you need a JDK to use keytool. If a JRE was
installed with iManager, you must download a JDK to use the keytool.

NOTE:

For information about creating a

.der

certificate file, see

Exporting a Trusted Root or

Public Key Certificate (http://www.novell.com/documentation/crt32/crtadmin/data/a2ebopb.html)

in the

Novell Certificate Server Admin Guide

. You will want to export the trusted root certificate.

1

Open a command window.

2

Change to the

\bin

directory where you have installed the JDK.

For example, on a Windows system, you would enter the following command:

«
...
107
108
109
110
111
...
»

Содержание IMANAGER 2.7.3

Страница 1: ...Novell www novell com novdocx en 22 June 2009 AUTHORIZED DOCUMENTATION Novell iManager 2 7 3 Administration Guide iManager 2 7 3 September 30 2009 Administration Guide...

Страница 2: ...t or re export to entities on the current U S export exclusion lists or to any embargoed or terrorist countries as specified in the U S export laws You agree to not use deliverables for prohibited nuc...

Страница 3: ...Trademarks For Novell trademarks see the Novell Trademark and Service Mark list http www novell com company legal trademarks tmlist html Third Party Materials All third party trademarks are the prope...

Страница 4: ...4 Novell iManager 2 7 3 Administration Guide novdocx en 22 June 2009...

Страница 5: ...on 16 2 4 5 Contextless Login Using Alternate Object Classes and or Alternate Attributes 16 3 Navigating the iManager Interface 17 3 1 iManager Interface 17 3 1 1 Header Frame 18 3 1 2 Navigation Fram...

Страница 6: ...ights to Other Objects 45 5 6 4 Viewing Effective Rights 46 5 7 Schema 46 5 7 1 Adding an Attribute 46 5 7 2 Viewing Attribute Information 47 5 7 3 Viewing Class Information 47 5 7 4 Creating an Attri...

Страница 7: ...dule 80 6 7 3 Customizing the Plug In Download Location 80 6 8 E Mail Notification 81 6 8 1 Mail Server Configuration 82 6 8 2 Task Event Notification 82 6 9 Views 82 6 9 1 Showing and Hiding iManager...

Страница 8: ...ee IP Address Change 97 8 19 Java Error Messages are Displayed After Closing the Browser of iManager Workstation 98 9 Auditing iManager Events 99 9 1 Installing the IMAN_EN LSC File in iManager 99 9 2...

Страница 9: ...r documentation included with this product Please use the User Comments feature at the bottom of each page of the online documentation or go to Novell Documentation Feedback http www novell com docume...

Страница 10: ...cross reference path A trademark symbol TM etc denotes a Novell trademark An asterisk denotes a third party trademark When a single pathname can be written with a backslash for some platforms or a for...

Страница 11: ...nges to server software 1 1 What s New in iManager 2 7 3 Field Patch 1 Novell iManager 2 7 3 has the following new features Newly Supported Platform and Browser In addition to the existing platforms a...

Страница 12: ...l Resources For more information on topics relevant to Novell iManager refer to the following Web sites Tomcat servlet container http jakarta apache org tomcat How to setup Tomcat to use a proxy http...

Страница 13: ...pop ups from the iManager host If you have configured your Web browser to not display Web site images the iManager interface may become garbled and unusable In Firefox v1 5 x for example users can dis...

Страница 14: ...before RBS is configured It displays all of the roles and tasks installed Although all roles and tasks are visible the authenticated user still needs the necessary rights to use the tasks There is a s...

Страница 15: ...st have SLP properly configured for iManager to log in For more information see the Novell Open Enterprise Server SLP documentation http www novell com documentation oes networking protocols html slp...

Страница 16: ...re not an authorized user See Authorized Users and Groups on page 72 2 Set Public Username and Password to a user that has rights to read the desired attributes 3 Modify TOMCAT_HOME webapps nps WEB IN...

Страница 17: ...ial Characters on page 20 3 1 iManager Interface The iManager interface comprises three main regions or frames Header Frame Navigation Frame Content Frame Figure 3 1 iManager interface with default Ro...

Страница 18: ...age 23 Configure This view contains Role Based Services iManager Server Object Creation List Plug in Installation E mail Notification and Views all of which you can configure as you want Favorites Thi...

Страница 19: ...ring of tasks within each category is determined by the author of the applicable iManager plug in Base plug in tasks those that are included with iManager typically display before tasks from other plu...

Страница 20: ...hen a task is not selected the Content frame displays the iManager homepage with general information related to your iManager access rights 3 2 Special Characters In iManager some characters have spec...

Страница 21: ...ing the iManager Interface 21 novdocx en 22 June 2009 Leading Leading or trailing spaces For LDAP any character can be specified with xx See RFC 2253 http www faqs org rfcs rfc2253 html for more infor...

Страница 22: ...22 Novell iManager 2 7 3 Administration Guide novdocx en 22 June 2009...

Страница 23: ...tor on page 29 NOTE iManager 2 7 now supports browsing and selecting objects in an NCP enabled file system Access file system objects through Server and Volume objects in the directory tree The abilit...

Страница 24: ...jects Tree Browse Search 4 1 1 Tree The Tree tab lets you browse a directory tree with a look and feel similar to ConsoleOneTM Tree view uses both the Navigation frame and the Content frame to provide...

Страница 25: ...elected container and displays all that container s subordinate To edit the attributes of a container object you must select its checkbox then click Edit Delete Deletes the selected objects To select...

Страница 26: ...u are currently browsing Select the double period object to navigate up one level to the parent container IMPORTANT Tree view does not support selecting objects across multiple pages in the object lis...

Страница 27: ...he object list this link lets you toggle between selecting a single object or multiple objects against which you want to perform a task The default option is Single Select For more information see Sel...

Страница 28: ...efine your search using the following fields Context Specifies the starting container for the search operation If you want the search to include subordinate containers select Search sub containers Nam...

Страница 29: ...ther container or leaf to open a window with the available tasks for that type of object Selecting a task opens that tasks UI in the Content frame NOTE The Search tab does not let you navigate objects...

Страница 30: ...on and save the current filter so it can be re used respectively Contents List Displays a list of directory objects as defined by the criteria in the object filter By default the object list displays...

Страница 31: ...ctively Multiple Select Single Select Located above the right side of the results list this link lets you toggle between selecting a single object or multiple objects against which you want to perform...

Страница 32: ...32 Novell iManager 2 7 3 Administration Guide novdocx en 22 June 2009...

Страница 33: ...s For information about the roles and tasks provided by a product specific plug in consult that product s documentation In addition to the Roles and Tasks view you can configure iManager s Favorites v...

Страница 34: ...ne object at a time For more information about the Object Selector see Using the Object Selector on page 29 Simple Selection Simple Selection opens a basic search tool in the Content frame With this t...

Страница 35: ...ass for which you are searching For example User Container Specifies the container at which you want to start the search To search subordinate containers select Include sub containers Filter Specifies...

Страница 36: ...ng the icon to add a second attribute to the list When using multiple attribute filters link them together with a logical AND or logical OR After you define a filer click Preview and click OK the Modi...

Страница 37: ...he values that you hide are displayed in the list 5 2 Directory Administration Directory administration involves the management of objects in your directory tree You can create edit and organize objec...

Страница 38: ...ars according to the object class you selected then click OK If you are using a Mozilla browser click the symbol to add information instead of typing directly in the field 4 When the confirmation mess...

Страница 39: ...t name After renaming the object you can view the old name in the Other Name field on the object s General Identification tab 4 Select Create an Alias in Place of Renamed Object if you want to create...

Страница 40: ...group that is nested and dynamic You can convert a static group to a nested group by using the Modifying a Group option This makes the selected group object belong to the nestedGroupAux class 5 3 2 De...

Страница 41: ...page 39 5 3 7 Viewing My Groups This page displays the groups that you own From it you can create a new group and edit or delete an existing group 5 4 Help Desk Help Desk provides access to a limited...

Страница 42: ...43 Section 5 5 3 Moving a Partition on page 43 Section 5 5 4 Viewing Replica Information on page 43 Section 5 5 5 Viewing Partition Information on page 44 Section 5 5 6 Using the Filtered Replica Wiza...

Страница 43: ...irectory tree because the root s containment rules permit only Locality Country or Organization objects but not Organizational Unit objects 1 In Roles and Tasks select Partitions and Replicas Merge Pa...

Страница 44: ...s select Partitions and Replicas Filtered Replica Wizard 2 Specify the name and context of the server on which you want to configure a filtered replica or use the Object Selector to find it then click...

Страница 45: ...ies of the object and to individual properties 5 6 2 Modifying Trustee Rights A trustee is one object that has been granted explicit rights to another object in your directory tree To modify the trust...

Страница 46: ...ch as Users Printers and Groups and what information is required or optional at the time the object is created iManager provides the following schema related tasks Section 5 7 1 Adding an Attribute on...

Страница 47: ...g Class Information The Class Information page displays information about the selected class and lets you add attributes During class creation if the class is specified to inherit attributes from anot...

Страница 48: ...te over time To delete an attribute 1 In Roles and Tasks click Schema Delete Attribute 2 Select the attribute you want to delete then click Delete Only attributes that you can delete are displayed 5 7...

Страница 49: ...iary class click Add select the required auxiliary class then click OK 2c To delete an existing auxiliary class select the class then click Remove 3 Click Close to exit the page 5 8 Users Managing use...

Страница 50: ...he user s home directory has not been created 5 8 2 Deleting a User To delete a user object 1 In Roles and Tasks select Users Delete User 2 Type the name and context of the object or use the search fe...

Страница 51: ...Make your changes then click Apply or OK to save the changes 5 8 6 Moving a User To move a user object 1 In Roles and Tasks select Users Move User 2 Provide the required information as described in Mo...

Страница 52: ...52 Novell iManager 2 7 3 Administration Guide novdocx en 22 June 2009...

Страница 53: ...prevent non admin and non collection owner users from accessing iManager s Configure view For more information see the following topics iManager Views Views on page 82 User Preferences Chapter 7 Pref...

Страница 54: ...following ways Directly as a user Through group and dynamic group assignments If a user is a member of a group or a dynamic group that is assigned to a role then the user has access to the role Throu...

Страница 55: ...represent the context in the tree where a role is performed and are associated with rbsRole objects They inherit from the Group class User objects are assigned to an rbsScope object These objects hav...

Страница 56: ...omatically cleans up all user role associations and scopes in the tree Do not delete the RBS collection using other utilities such as ConsoleOne To remove Roll based Services 1 In the Configure view s...

Страница 57: ...u operate on multiple objects simultaneously For example you can associate or disassociate multiple members from a role at the same time From the Configure view select Role Based Services RBS Configur...

Страница 58: ...he Property Book Tab on page 61 Section 6 2 4 The Module Tab on page 63 Section 6 2 5 The Category Tab on page 64 Section 6 2 6 Plug In Studio on page 64 Section 6 2 7 Editing Member Associations on p...

Страница 59: ...the role Set a Member Association To add a member to an existing role 1 In the Role tab select the role then select Actions Member Associations 2 Provide the required member information then click Add...

Страница 60: ...ify the description in the text box then click OK 6 2 2 The Task Tab A task is a plug in that performs a distinct management function such as creating a user or setting a password iManager lists the t...

Страница 61: ...e list of tasks for a role For example a property book that modifies the attributes of User objects might have a page that lets you to specify a user s login script Another page could let you change a...

Страница 62: ...it Role Assignment page add or remove roles from the Assigned Roles field then click OK Modifying the Page List for a Property Book To modify the attribute pages associated with a property book 1 Unde...

Страница 63: ...m this page you can add if you want to create a custom property book and delete modules and also type a description for a selected plug in module The RBS Collection Module tab lets you perform the fol...

Страница 64: ...select Delete 2 Click OK to confirm the category deletion Adding a Description To add or modify the description of an existing category 1 In the Category tab select a category then select Actions Desc...

Страница 65: ...om the list of available attributes Double click the attribute to move it to the Plug in Fields field using the default control Controls Displays the available controls for the attribute selected in t...

Страница 66: ...s Use this task to deploy an exported custom tasks onto multiple iManager servers 1 In the Configure view select Role Based Services Plug in Studio 2 Select Actions Import 3 Specify or use the Object...

Страница 67: ...Reports are in chart format and can be exported to other formats and printed RBS Reporting generates the following reports 6 3 1 Creating Reports To create an RBS Report 1 In the Configure view selec...

Страница 68: ...er report Figure 6 4 Members Assigned to a Role Sorting Reports By default the items listed in a report are sorted alphabetically in ascending order on the first column To indicate the column in which...

Страница 69: ...ve the file generated by iManager select the option you prefer and proceed as required by your browser The following are examples of XML CSV and plain text files exported from the same RBS report XML...

Страница 70: ...IL TREE true true admin novell File Protocols File Protocols RBS 270 akpal 08 User admin novell BLR ANIL TREE true true admin novell Groups Group Management Role Based Service 2 novell User admin nove...

Страница 71: ...ainer Dynamic Group Search Settings Search Enabled yes Role Search parent sub directory novell Role Search Dynamic Group Objects Container Role Search up to parent novell Role Name eDirectory Administ...

Страница 72: ...Security These settings affect your entire Web server configuration and are saved in the config xml file You can either save as you go or click Save once after you have made all your changes Warn When...

Страница 73: ...and groups to the list by which he she acquires the rights to modify the list You Admin might lose the rights to modify the list For security related information about the configiman properties file...

Страница 74: ...en selected iManager performs LDAP communications using SSL Some plug ins such as Dynamic Groups and NMASTM do not work if this option is not selected This setting does not take effect until you log o...

Страница 75: ...ghts within eDirectory to perform tasks When you assign a role to a user by default RBS assigns the rights necessary to perform the tasks included with that role The RBS tab lets you configure the fol...

Страница 76: ...3 y 4 for new plug in modules NPMs Two radio buttons let you configure the query for every available NPM or query only for updates to already installed NPMs Downloading Plug In Modules from a Custom S...

Страница 77: ...on page 77 6 5 1 Adding an Object Class to the Creation List Use this task to add more objects to the Object Creation List which is the list of objects that can be created in iManager using the Direct...

Страница 78: ...splay the New iManager NPMs are available to install notice You can also view the list of the hidden plug in modules by clicking the Show Hidden button You can unhide the hidden plug in modules if req...

Страница 79: ...r the plug in is from Local Directory or Novell Download site If you select at least one plug in that has the File Location as Novell Downloads for installation the Novell iManager Plug in Modules Lic...

Страница 80: ...mplate For more information about the iManager descriptor file see Downloading and Installing Plug Ins During Installation in the iManager 2 7 Installation Guide To set up a local plug in repository s...

Страница 81: ...nux File System setting name CDATA ModuleDownloadDescriptorURL name value CDATA file home admin iManager_plugins custom xml value setting HTTP Link setting name CDATA ModuleDownloadDescriptorURL name...

Страница 82: ...separated by commas 3 Select an event The Task Event Properties screen appears 4 Specify the e mail subject and the E mail message in the appropriate fields 5 In the Additional Email Addresses field t...

Страница 83: ...2 June 2009 Hide Hides the view Show Displays the view Select Read parent containers of this object to use the settings of the object s parent container for this object When selected the parent settin...

Страница 84: ...84 Novell iManager 2 7 3 Administration Guide novdocx en 22 June 2009...

Страница 85: ...me page 3 Click OK 7 2 Object Selector Configures the Object Selector settings Window Size Specify Object Selector s window width height and left column width in pixels User Specified Defaults Specify...

Страница 86: ...ect displayed in the Object Selector When selected iManager displays the subordinate object count in parentheses next to the container name This applies to the Navigation frame in the Tree tab and the...

Страница 87: ...7 0 WebAccess Windows Server 2000 2003 on page 91 Section 8 8 Missing Attribute Object or Value Errors on page 91 Section 8 9 Missing Roles or Tasks in the Configure View on page 92 Section 8 10 Perf...

Страница 88: ...iManager Workstation iManager Workstation runs on a client workstation either Linux or Windows and leverages the NMAS client that allows it to use Universal Password if configured iManager does not u...

Страница 89: ...s The object name entered could not be found in the context specified Some possible causes Contextless login might be disabled Your User object might not be in the configured search containers list Ei...

Страница 90: ...unts and then re created them with the same name do the following to use iManager Workstation with the re created account 1 Log in as a member of the Administrator group 2 Take ownership of the system...

Страница 91: ...d Tomcat are available for use The installer reports the inability to stop the iisadmin service Near the end of the install the installer reports the inability to start Tomcat After the install is com...

Страница 92: ...properties file and either re create the file with the correct information or log in to iManager and go to Configure view iManager Server Configure iManger On the Security page add the Authorized User...

Страница 93: ...nfiguration Generally eDirectory is installed as administrator and is run as SYSTEM You can manually correct this issue but an understanding of eDirectory iManager NICI and other currently installed p...

Страница 94: ...upported by iManager 2 7 Table 8 1 Stopping and Starting Tomcat 8 13 2 Tomcat Ports If you experience port conflicts while upgrading to iManager 2 7 or need to know the ports that Tomcat is using cons...

Страница 95: ...Password feature The nmasinst utility is located in the directory For more information see the Universal Password Deployment Guide http www novell com documentation lg nw65 universal_password data fr...

Страница 96: ...lation Hangs or Plug ins Are Not Properly Installed When you install iManager plug ins sometimes either the installation hangs or the plug ins are not properly installed Work around For iManager Stand...

Страница 97: ...yy configured eDirectory on it and the tree name remains same XXX_TREE 4 Another user has taken your previous IP address xxx xx xx xx and configured a new eDirectory tree YYY_TREE Now if you log in to...

Страница 98: ...browser the following java error message is displayed An unexpected error has been detected by Java Runtime Environment SIGSEGV 0xb at pc 0x8e4c6944 pid 4106 tid 3085011872 Java VM Java HotSpot TM Ser...

Страница 99: ...M install Shutdown iManager The IMAN_EN LSC file which contains this data is distributed under nps support audit and is installed via the Novell Audit process It can also be installed manually by usin...

Страница 100: ...l tomcat5 webapps nps support audit for Linux 2 Copy this file to a temporary location on the local machine 8 In iManager click Roles and Tasks Auditing and Logging Logging Server Options 9 Browse for...

Страница 101: ...age 100 to create it 2 Type the following command to create a Logging Application Certificate for iManager Instrumentation in the Audit Server audcgen app iManagerInst cert c cacert pem pkey c capkey...

Страница 102: ...102 Novell iManager 2 7 3 Administration Guide novdocx en 22 June 2009...

Страница 103: ...kup of iManager make sure you have a valid backup of the RBS collection and all subordinate objects in the tree either through replica redundancy or with an eDirectory backup solution All local iManag...

Страница 104: ...ger servers as company size requires You manage only one collection 10 4 Failed Installs To avoid failed installs make sure that your operating system is updated to the most current version and that a...

Страница 105: ...on http www novell com documentation oes cluster services html cluster services 1 Install and configure iManager on the nodes in the cluster where the virtual IP is moved to that is an Active Active c...

Страница 106: ...PM file This file is installed like any other plug in 1 In the Configure view select Plug in Module Installation 2 Select Available Novell Plug in Modules 3 Select the patch from the download list or...

Страница 107: ...e profile name is etc opt novell tomcat5 init d tomcat5 and is installed at etc apparmor profiles extras iManager The iManager AppArmor profile is not enabled by default To enable it copy the profile...

Страница 108: ...108 Novell iManager 2 7 3 Administration Guide novdocx en 22 June 2009...

Страница 109: ...Shut down Tomcat 2 Delete the TOMCAT_HOME webapps nps WEB INF iMKS file 3 Restart Tomcat For information about restarting Tomcat see Starting and Stopping Tomcat on page 94 4 Open iManager in a browse...

Страница 110: ...jre bin keytool 4 Enter changeit for the keystore password 5 Click Yes to trust this certificate NOTE This process must be repeated for each eDirectory tree you will be accessing with iManager If LDAP...

Страница 111: ...g open the Configure view and select iManager Server Configure iManager On the Authentication tab select Hide specific reason for login failure This sets Authenticate Form HideLoginFailReason true in...

Страница 112: ...use a VPN to access iManager and eDirectory servers A 7 Secure Connections Although iManager leverages secure HTTP SSL for client communications and secure LDAP connections between iManager and eDire...

Страница 113: ...dditionally Novell occasionally releases iManager plug in updates These updates are available on the Novell Patches download site http support novell com filefinder 20544 index html iManager base plug...

Страница 114: ...114 Novell iManager 2 7 3 Administration Guide novdocx en 22 June 2009...

Отзывы:

Нет отзывов

Похожие инструкции для IMANAGER 2.7.3

010-10307-00 - MapSource Fishing Hot Spots

Бренд: Garmin Страницы: 30

Controller Mode

Бренд: Sony Ericsson Страницы: 10

User Access Control (UAC) in Windows® Vista

Бренд: Alarm Lock Страницы: 2

Бренд: Mitsubishi Страницы: 64

Scarbee Clavinet & Piano

Бренд: Native Instruments Страницы: 24

CLOUD DIRECTOR 1.0

Бренд: VMware Страницы: 3

VmWare ESX Server 2.12 Deployment

Бренд: VMware Страницы: 34

Бренд: VMware Страницы: 34

DVD MOVIEFACTORY 3

Бренд: Ulead Страницы: 78

Бренд: DeLorme Страницы: 34

Бренд: DivX Страницы: 59

Бренд: AMX Страницы: 24

Бренд: MINOLTA-QMS Страницы: 42

Бренд: FieldServer Страницы: 15

Vigil Server V5.00

Бренд: 3xLogic Страницы: 134

FLASH MX 2004 - ACTIONSCRIPT

Бренд: MACROMEDIA Страницы: 816

ANTI-VIRUS - FOR SUN SOLARIS MAIL SERVER

Бренд: KAPERSKY Страницы: 254

Бренд: Xerox Страницы: 4

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды