New Features Summary - Novell iChain 2.2 Support Pack 3
July 22, 2004
Table of Contents
1.0 New Features in iChain Version 2.2 SP3
1.1 Form Fill Enhancements
1.1.1 Local File System Storage
1.1.2 Tag
1.1.3 Extensions Ignored During GET Requests
1.1.4 Simple Policy Validation
1.1.5 New Command
1.2 NCPIP.NLM File Renamed
1.3 OAC.PROPERTIES File Updated
1.4 APPSTART.NCF File Updated
1.5 MESSAGES.CPG File Updated
1.6 Telnet Disabled by Default
1.7 Please Login Is Translatable
1.8 New Protect Privatekey Check Box
1.9 Support for Modifying Build Version in
Via Header
1.10 Security Alerts
1.10.1 Support for Disabling Telnet
Listener
1.10.2 Cross Site Scripting Modified
1.10.3 Support for Enabling Secure Bit
On Cookies
1.11 Support for Disabling Revocation Checking
of Certificates
2.0 New Features in iChain Version 2.2 SP2
2.1 Support for OLAC Internal Data Source
Feature
2.2 Support for Step-Up Cryptography
2.3 Change to Command for Disabling the
Internal Rewriter per Accelerator
2.4 Troubleshooting HTTP 1.0/1.1
3.0 New Features in iChain Version 2.2 SP1
3.1 Support for SAML Extension for Novell iChain
3.2 Support for WAP Devices
3.3 Internal Rewriter Updates
3.4 Custom Rewriter Updates
3.5 Form Fill Tag
3.6 Updated iChain Administration GUI to
Support Japanese Configurations
3.7 Removed NCP Access
3.8 Support for Novell Nsure Audit
4.0 New Features in iChain Version 2.2
4.1 NetWare 6 is Base Operating System
4.2 Web Server Accelerator Tab - Enhanced User
Interface
4.3 Web Server Accelerator Dialog Box - Enable/
Disable Checkbox
4.4 Web Server Accelerator Dialog Box - Multi-
homing Options - Ends With Radio Button
4.5 Web Server Accelerator Dialog Box- Secure
Exchange Options - Trusted Roots Import
4.6 Web Server Accelerator Dialog Box - Mark
Pages Non-cacheable on the Browser
Check Box Moved and Relabeled
4.7 Certificate Maintenance Tab - Certificate
Information Dialog Box
4.8 Certificate Maintenance - Create Certificate
Dialog Box
4.9 Certificate Maintenance - Store Certificate
Dialog Box
4.10 Support for Organizational Roles and eDirectory
Dynamic Groups
4.11 Form Fill Enhancements
4.11.1 GET Method
4.11.2 Data Security
4.11.3 Static Value Injection
4.11.4 Multiple Languages
4.11.5 Shared Secrets
4.12 User-Selectable Drivers
4.13 OLAC Enhancements
4.13.1 Command Line Handler
4.13.2 Request Timeout
4.13.3 Passing the User DN
4.13.4 Internationalization
4.13.5 Plug-in For SecretStore Credentials
4.14 Self-Provisioning Servlets Enhancements
4.15 LDAP Authentication Enhancement
4.16 HTTP 1.1 Support
4.17 Concurrent Login Restrictions
5.0 Legal Information
5.1 Disclaimer, Copyright, Export Notice, and Patents
5.2 Trademarks
1.0 New Features in iChain Version 2.2 SP3
1.1 Form Fill Enhancements
The following Form Fill Enhancements are
included with this support pack:
1.1.1 Local File System Storage
Form Fill supports a file stored on the
local file system as follows:
{Filename}
where, if {FileName} does not contain
slashes (\ /) or a colon (:), it is a file
that is expected to be in
SYS:ETC\Proxy\Appliance\Config\User\Formfill.
Otherwise, it is treated as an
absolute path. You can use multiple tags
like this, but the maximum size is limited
to 1MB. This directory is reachable by
FTPing to the iChain server.
1.1.2 Tag
In a policy, you can use the
tag. This also requires or
. This tag allows single
sign-on (SSO) usage to modify the HTML
page with the changes needed for
(masked)Post, but you are able to view the
source before posting the information.
This feature allows you to debug without
the need of a sniffer.
1.1.3 Extensions Ignored During GET Requests
The following GET request extensions are
ignored for SSO purposes:
.gif
.jpg
.jpeg
.png
.zip
.jar
These extensions are quickly ignored,
and should allow SSO to process more
quickly, especially with wildcard
policies.
1.1.4 Simple Policy Validation
SSO contains a simple policy validation. It
will parse the policies and show the
following errors if a problem occurs:
ICS_SERVER:sso refresh rule
SSO_4: REFRESH! REFRESH! Rule....
SSO_R: LocalPolicy
'sys:\etc\proxy\appliance\config\user\form
fill\formfill.xml'
ERROR: Policy imanagerLogin: Invalid
'' - Expected '**UNKNOWN**'
ERROR: Policy imanagerLogin: Invalid
'' - Expected '**UNKNOWN**'
ERROR: Policy smgsimailLogin: Missing
and/or
ERROR: Policy iconstruye: Invalid
'' - Expected ''
ERROR: Policy dphclanierLoginFailure:
deleteRemembered rule esigndphcLogin not
found
SSO_4: Rules(length = 34993) have been
refreshed!
SSO_4: Not using SecretStore!
1.1.5 New Command
The command line interpreter routine has
been changed to allow SSO parameters to be
changed on the fly. Also, the following
new command was introduced:
SSO|FFICHAIN REFRESH LDAP|RULE|ALL
where | stands for "or" in this case, so
SSO REFRESH LDAP is one possible command.
1.2 NCPIP.NLM File Renamed
For security reasons, the NCPIP.NLM file
was renamed to NCPIP.OLD. If you want to
log in to the iChain server, you must rename
this file to its original name after you
complete the over-the-wire upgrade for this
support pack.
1.3 OAC.PROPERTIES File Updated
When you install this support pack, any
custom plug-ins are overwritten. To avoid
this issue, back up your oac.properties
file before you install this support pack,
then copy the file back over once the
support pack has successfully installed.
If you haven't previously modified your
oac.properties file, you do not need to
back it up before installing this support
pack.
1.4 APPSTART.NCF File Updated
Prior to installing this support pack, you
should make note of any customized lines
in your appstart.ncf file.
Do not include load logevent or load cache
if they appear in your current file. If
these lines are present in appstart.ncf,
you might get the following abend:
Abend on P00: SERVER-5.60-8716: Thread
performed illegal recursive LOADER operation
when current LOADER state is non-recursive
OS version: Novell Netware 5.60.02 July
10, 2002
...Debug symbols are enabled!
Running Process: Server 03 Process
Stack: 16 20 E3 FC E0 02 04 D0 01 00 00 00
5E 9B E0 FC
FC 65 8F D0 61 17 0B FC 4C 6F 61 64 69 6E
67 20
4D 6F 64 75 6C 65 20 4C 43 41 43 48 45 2E
4E 4C
1.5 MESSAGES.CPG File Updated
Messages.cpg will be updated when you
install this support pack.
1.6 Telnet Disabled By Default
Telnet is disabled by default in this
support pack for security reasons. If
you use Telnet for administrative purposes,
you need to re-enable it after you have
successfully completed the support pack
installation. You do this by importing
the TELNETON configuration file from the
Proxy Administration Tool. Go to System,
then click the Import/Export tab.
1.7 Please Login Is Translatable
Please Login is translatable with this
support pack.
1.8 New Protect Privatekey Check Box
You can use the Protect Privatekey
check box to mark certificates as non-
exportable during certificate creation.
1.9 Support for Modifying Build Version in
Via Header
You can modify the build version sent
in the Via Header by using the
viaheaderbuildversion option in the
/etc/proxy/proxy.cfg file. For example,
if you add the following line to the
proxy.cfg file:
[HTTP Headers]
viaheaderbuildversion=2.2
it appears as (iChain 2.2) in the via
header. Otherwise, it appears with the
standard build version, such as (iChain
2.2.120).
1.10 Security Alerts
The following security alerts are included
with this support pack:
1.10.1 Support for Disabling Telnet Listener
You can disable the Telnet Listener
on TCP port 23. The syntax is as follows:
To display settings, use get listener
To change settings, use set listener
telnet enable=YES|NO
Telnet is disabled by default. If no
password is set, any password is accepted.
1.10.2 Cross Site Scripting Modified
The url= login is no longer vulnerable to
cross-site scripting (XSS).
1.10.3 Support for Enabling Secure Bit on Cookies
You can enable the secure bit on cookies
by editing the appstart.ncf file to load
proxy.nlm with the -cs option.
Syntax: load proxy -cs
All of your accelerators must have secure
exchange enabled for you to use this
feature.
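Both header-level settings described above (the Via build
version in 1.9 and the secure bit on cookies in 1.10.3) can be
verified from the response headers an accelerator returns. The
following Python check is an added example, not Novell code;
the host name, cookie name and sample responses are constructed,
and the "1.1 host" prefix of the Via value is assumed from the
HTTP specification rather than taken from this readme.

```python
import re

# Product comment in a Via header value, e.g. "(iChain 2.2.120)" or,
# with viaheaderbuildversion=2.2 in proxy.cfg, "(iChain 2.2)".
VIA_BUILD = re.compile(r"\(iChain\s+([0-9]+(?:\.[0-9]+)*)\)")

# Constructed sample responses (not captured from a real server).
BEFORE = """HTTP/1.1 200 OK
Via: 1.1 proxy.example.com (iChain 2.2.120)
Set-Cookie: SAMPLESESSION=abc123; path=/
Content-Type: text/html
"""

AFTER = """HTTP/1.1 200 OK
Via: 1.1 proxy.example.com (iChain 2.2)
Set-Cookie: SAMPLESESSION=abc123; path=/; secure
Content-Type: text/html
"""


def parse_headers(raw):
    """Split a raw response header block into (name, value) pairs."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:    # skip the status line
        if not line.strip():                     # blank line ends headers
            break
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def via_versions(pairs):
    """Return every iChain version string advertised in Via headers."""
    found = []
    for name, value in pairs:
        if name == "via":
            found.extend(VIA_BUILD.findall(value))
    return found


def cookies_without_secure(pairs):
    """Return names of cookies whose Set-Cookie lacks the Secure attribute."""
    names = []
    for name, value in pairs:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            names.append(cookie_name)
    return names


def audit(raw, max_components=2):
    """Flag a Via version more specific than major.minor and any
    cookie that would also be sent over plain HTTP."""
    pairs = parse_headers(raw)
    findings = []
    for version in via_versions(pairs):
        if len(version.split(".")) > max_components:
            findings.append(f"Via header exposes full build version {version}")
    for cookie in cookies_without_secure(pairs):
        findings.append(f"cookie {cookie} set without Secure attribute")
    return findings


if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(sample) or "no findings")
```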
1.11 Support for Disabling Revocation Checking of
Certificates
A new setting has been introduced to allow you
to turn off revocation checking of certificates.
This setting should only be used for
troubleshooting purposes, since it makes the
use of certificates insecure.
You configure this setting at the command line.
The configuration is done through the SSL profile:
set authentication mutual
disablerevocationchecks = yes/no
where is the name of your SSL mutual
authentication profile.
2.0 New Features in iChain Version 2.2 SP2
2.1 Support For OLAC Internal Data Source
Feature
The INTERNAL OLAC data source obtains
user information that is available in the
proxy. This allows the login query string
to be passed to the Web server. It displays
content based on login information. See
Chapter 5, "Setting Up Web Single Sign-on
Services" in the Novell iChain 2.2
Administration Guide for more details.
2.2 Support For Step-Up Cryptography
Step-Up Cryptography is a variation of SSL
that provides a way for weaker clients to
detect the need for strong cryptography. This
feature is referred to as Server Gated
Cryptography (SGC) by Microsoft, and Step-Up
Cryptography by Netscape. iChain supports
Netscape’s Step-Up Cryptography. This feature
is especially applicable for users running on
Windows 98, Windows NT, users with older
browsers (Internet Explorer 5.0, 5.5, and
Netscape 4.7x), and machines that are used
outside the United States.
For details on how to configure Step-Up
Cryptography, see Chapter 7, "Using and
Tuning iChain Features," in the Novell iChain
2.2 Administration Guide.
2.3 Change to Command For Disabling the Internal
Rewriter Per Accelerator
By default, the internal rewriter is enabled
for all accelerators. The internal rewriter can
slow performance due to the overhead of parsing.
In some cases, a Web site might not have content
with URL references that need to be rewritten.
The internal rewriter can be disabled on a per-
accelerator basis using the following set command
on the command line of the iChain machine.
The following is an example of how you would use
this command:
SET ACCELERATOR <AcceleratorName> DisableRewriter=Yes
where AcceleratorName is the name of the
accelerator for which you want to disable
rewriting. This action is permanent upon reboot
and is exported to the .nas file.
2.4 Troubleshooting HTTP 1.0/1.1
If your Web servers are experiencing issues with
having HTTP 1.1 requests sent to them, you can
use the following troubleshooting command that
enables an HTTP 1.1 request from a browser to be
translated to an HTTP 1.0 request so that the Web
server will respond correctly. The following is
an example of how you would use this command:
SET ACCELERATOR <AcceleratorName> ForceHTTP10ToOrigin=Yes
where AcceleratorName is the name of the
accelerator for which you want to translate
HTTP 1.1 requests to HTTP 1.0. Purge the cache
afterwards, then HTTP 1.0 requests can be sent
to the origin server. This action is permanent
upon reboot and is exported to the .nas file.
3.0 New Features in iChain Version 2.2 SP1
3.1 Support for SAML Extension for Novell iChain
Novell iChain 2.2 SP1 provides the iChain-
related components to support the new SAML
Extension for Novell iChain. SAML (Security
Assertions Markup Language) is an XML
specification for exchanging authentication and
authorization information.
The capability SAML provides with iChain
includes single sign-on (to and from) other
SAML 1.0-enabled systems. These could be
systems within your own organization or the
systems of your business partners.
For more information on SAML extension for
Novell iChain, see the documentation at
http://www.novell.com/documentation/lg/saml/index.html.
3.2 Support for WAP Devices
Support has been added for devices that use
Simple HTML or WAP (WML). The capability this
provides is authentication to iChain-protected
devices using a WAP device and single sign-on to
GroupWise WebAccess.
3.3 Internal Rewriter Updates
The following updates have been made to the
Internal Rewriter:
Added [Exclude] support to the rewriter.cfg
file so that you can specify a single URL or
a URL path which will not be processed by the
rewriter.
Added support for source page control of rewriter,
using and
tags. Any HTML content
after a tag will not
be rewritten until a
tag is encountered or the end of the HTML data
is reached.
The following tags change the behavior of the
rewriting of values in HTML pages. Most rewriting
will still occur, but not the values
The internal rewriter now specifically looks at
the MIME types of the pages passed back. iChain
does not look at the file extensions. The
original code looked at the extension first, and
then verified whether it was one of the specified
mime types. However, if the extension didn't
match, it would not look at the mime type.
The text/plain entry has been removed from the
default mime type list. If you experience issues
with broken links or certain links not being
rewritten, try adding text/plain to the
rewriter.cfg as a workaround.
3.4 Custom Rewriter Updates
Added a [mime content-type] heading for the
custom rewriter configuration. When used, it
causes [extension] to be ignored.
3.5 Form Fill Tag
If a single login page contains multiple forms
(having many pairs of tags),
you can use the tag to specify which
form instance to fill. Usually there is only
one form in a login page.
To use the tag, enter
N, where N is the form
number of the form to be filled. The first form
is number 1, the second is number 2, and so on.
For example, your tag might look like
the following:
test
www.novell.com/signon_welcome.screen
2
..................
...................
3.6 Updated iChain Administration GUI to Support
Japanese Configurations
Browsers configured with the Japanese language
set can now successfully manage the iChain Proxy
Server using the Proxy Administration GUI.
3.7 Removed NCP Access
A number of customers enable NCP to gain file
access to the iChain Proxy Server. Although
this does not affect any resources that iChain
is protecting, Novell wants to ensure that NCP
is only enabled and disabled correctly by NetWare-
trained professionals.
In accordance with this requirement, the module
that controls NCP access (NCPIP.NLM) has been
renamed to NCPIP.OLD and will not be loaded by
default.
The file is located in the \nwserver directory.
You can either load NCPIP.OLD by typing
"LOAD NCPIP.OLD" at the proxy debug console,
which will give you temporary access to NCP
over IP (until the module is unloaded or the
proxy server is restarted), or you can use the
Toolbox utility to rename this file for a
permanent change.
3.8 Support For Novell Nsure Audit
iChain supports Novell Nsure Audit. Novell Nsure
Audit is a centralized, cross-platform auditing
service. It collects event data from multiple
applications across multiple platforms and writes
the data to a single, non-repudiable data store.
Nsure Audit is also capable of creating filtered
data stores. Based on criteria you define, Nsure
Audit will capture specific types of events and
write those events to secondary data stores.
The Nsure Audit configuration functionality is
managed through the iChain Command Line Interface
(CLI). The configuration can be set and viewed
using get log and set log commands. For more
information, see Appendix F, "Using iChain With
Novell Nsure Audit" in the Novell iChain 2.2
Administration Guide.
4.0 New Features in iChain Version 2.2
4.1 NetWare 6 is Base Operating System
NetWare 6 has replaced NetWare 5.1 as the base
operating system for iChain 2.2.
4.2 Web Server Accelerator Tab - Enhanced User
Interface
An enhanced user interface has been provided for
the Configure > Web Server Accelerator tab. This
new view provides the user with the ability to
quickly view the details for accelerators, and
it adds the ability to view the groupings of
accelerators that have a master-slave (parent-
child) relationship. With the new interface, a
user can choose to view all the accelerators,
just the master accelerators, or just the child
accelerators. This makes viewing the groupings as
easy as clicking a button. Additionally, a filter
field has been added that gives the user the
ability to display only accelerators that match
the value typed into the field. When an accelerator
in the list of accelerators is highlighted,
information such as the host name, master or child
accelerators, web server address and port,
accelerator address and port, and other settings
are displayed in a view-only section on the page.
As with the old user interface, accelerators can
be created, modified, or deleted with the click
of a button.
4.3 Web Server Accelerator Dialog Box - Enable/Disable
Check Box
With the enhancement of the Web Server Accelerator
tab, it became necessary to restore the accelerator
enable/disable checkbox in the Web Server
Accelerator dialog box. When a user creates a new
accelerator by clicking on the Insert button, or
modifies an existing accelerator by clicking on
the Modify button on the Configure > Web Server
Accelerator tab, the Web Server Accelerator dialog
box is displayed. The Enable This Accelerator
Check Box at the top left corner of the dialog box
is now visible and allows the user to enable or
disable the accelerator.
4.4 Web Server Accelerator Dialog Box - Multi-homing
Options - Ends With Radio Button
The Ends With option has been removed from the
multi-homing options dialog box. For path-based
multi-homing, the only option is to use what used
to be termed Starts With for the sub-path. If
path-based multi-homing is used, the sub-path will
default to Starts With and the user can select
whether to remove the sub-path, which was available
previously.
4.5 Web Server Accelerator Dialog Box - Secure Exchange
Options - Trusted Roots Import
The ability to import trusted roots in the Secure
Exchange Options dialog has been removed. When the
Secure Exchange Options button is clicked in the
Web Server Accelerator dialog box, the Secure
Exchange Options dialog box is displayed. The list
of trusted roots and the ability to import trusted
roots was also removed. The only remaining options
on the dialog box are Mark Pages Non-cacheable on
the Browser and Enable Secure Access Between Secure
Exchange and Web Server.
4.6 Web Server Accelerator Dialog Box - Mark Pages
Non-cacheable on the Browser Check Box Moved
and Relabeled
The Mark Pages Non-cacheable on the Browser
check box originally located in the Secure Exchange
Options dialog has been moved and relabeled. The
check box was moved to the Web Server Accelerator
dialog box and its setting now applies to the whole
accelerator, not just to the secure exchange
settings. Also, the label on the checkbox was
changed to read "Allow Pages to be Cached at the
Browser" to match the text used for this setting
on the proxy server. A view-only check box was
added to the Configure > Web Server Accelerator
tab Details section to reflect the state of this
setting for the highlighted accelerator.
4.7 Certificate Maintenance Tab - Certificate
Information Dialog Box
The Certificate Information on the Home >
Certificate Maintenance tab has changed. A new
line, Organizational Unit, has been added to
display that value. The View CSR, Store
Certificate, and Export CA Certificate buttons
were moved to the side of the dialog box to
provide room for the information change.
4.8 Certificate Maintenance - Create Certificate
Dialog Box
The Create Certificate dialog box has changed.
When a user chooses to create a certificate, he
or she clicks the Create button on the Home >
Certificate Maintenance tab. This displays the
Create Certificate dialog box, where two changes
have been made. First, the Verisign check box
was removed. Second, an Organizational Unit text
field was added. When creating an externally
signed certificate, the user must supply values
for all the text fields shown. After clicking
the OK button to return to the Home > Certificate
Maintenance tab, the user then clicks on the
Apply button to start the process to create
the certificate.
4.9 Certificate Maintenance - Store Certificate
Dialog Box
The Store Certificate dialog box has changed.
After an external certificate Create process
has begun, the user needs to click the Store
Certificate button on the Home > Certificate
Maintenance tab to display the Store Certificate
dialog box. In this dialog, the user pastes the
CA (trusted root) certificate and Server
certificate contents into the appropriate fields
and then clicks the Create button to Create the
certificate. A new check box, No Trusted Root
Certificate Available, has been added. When it is
checked, the CA Certificate contents field is
disabled and the user only needs to paste a value
in the Server Certificate contents field. This
will be used in the case where a trusted root is
not available to paste into the upper field.
4.10 Support for Organizational Roles and eDirectory
Dynamic Groups
An administrator can now set access control rules
on organizational roles and eDirectory dynamic
groups, such as including them in the Apply To
list of an ACL rule.
4.11 Form Fill Enhancements
The following are Form Fill enhancements in
iChain 2.2:
4.11.1 GET Method
Form Fill now supports the GET method in
addition to the POST method for
submitting user's credentials.
4.11.2 Data Security
Form Fill enhances the data security
(reduces the possibilities of exposing
sensitive data) during the auto posting by
adding the new tag .
4.11.3 Static Value Injection
Form Fill supports static value
injection, JavaScript, and case
conversion (values of LDAP attributes
only) for serving more application login
forms.
4.11.4 Multiple Languages
Form Fill supports different languages at
the login page.
4.11.5 Shared Secrets
Form Fill supports Novell's Shared
Secrets. Form Fill can save a user's
credentials in Shared Secrets and allow
other applications to share these user
credentials in order to make single
sign-on possible.
4.12 User-Selectable Drivers
In order to support a greater variety of hardware,
iChain 2.2 provides an option for the user to
select network, disk, and adapter modules that
were not shipped with iChain. Immediately after
the initial image copy from CD, the installation
will prompt you whether to select custom drivers.
If you select Yes, the installation will stop in
HDetect.nlm to allow you to select the correct
drivers for the system in the same manner as the
NetWare 6 installation. Because of the iChain
imaging process, you will need to do this twice
during the installation. If you select No, or no
selection is made within 30 seconds, iChain will
automatically detect the drivers as in iChain 2.1
and earlier versions.
4.13 OLAC Enhancements
The following are OLAC enhancements in
iChain 2.2:
4.13.1 Command Line Handler
iChain 2.2 includes a command line handler
to dynamically change certain options in
OLAC. The debug levels (/d1 and /d2) are
now available for you to enter on the
command line at the NetWare System
Console screen (for example, oacint /d1).
You can verify the changes and the
effects of the changes by viewing the
OACINT screen.
4.13.2 Request Timeout
You can now set the OLAC Request Timeout
(in number of seconds) while communicating
to the OACJAVA server (for example,
oacint /t15).
4.13.3 Passing the User DN
OLAC now passes the user DN to origin
servers (Web servers) as part of the
query string and/or header.
4.13.4 Internationalization
OLAC now supports internationalization
standards. OLAC has been changed to always
pass UTF-8 characters (which covers most
of the charsets, including ASCII).
Applications that do not interpret the
UTF-8 character sets need to be changed to
do so.
4.13.5 Plug-in For SecretStore Credentials
OLAC now has a plug-in for accessing a
user's SecretStore credentials.
4.14 Self-Provisioning Servlets Enhancements
In addition to User maintenance and Password
Maintenance servlets (for authenticated sessions),
there are two additional features that also affect
the way user passwords are changed:
- Password Challenge/Response: This is
"forgotten password" functionality that
will allow users to create a question
with a specific answer (stored as an MD5
Hash) that, when responded to correctly,
will allow them to change their passwords
without entering a current password.
- Password Hint: This allows users to enter
a line of text that will give them a hint
if they have forgotten the password.
The two features are mutually exclusive: either of
the two can be enabled at any given point in time. Both
features are disabled by default.
4.15 LDAP Authentication Enhancement
A new check box on the LDAP Authentication options
screen allows Basic (401) authentication as either
an alternative or a substitute for the iChain login
form/page.
This feature allows iChain to process a request,
log in the user if necessary, and return the
response without having a programmer deal with
login redirects or the parsing of login pages
and forms. The iChain cookie is returned in
response for possible use in subsequent requests.
If authorization headers are optional, the user
who is not authenticated will be redirected to
the standard iChain login page. If the headers
are mandatory, a 401 status will be returned,
the browser will request the user's credentials,
and then the request will be resubmitted along
with the user's credentials. In this mode, the
CDA features are disabled.
We do not recommend Basic Authentication for use
with users/browsers because of security issues
relating to lack of control of the credentials on
the wire. The primary use is anticipated to be
programming-related, where the credentials can be
passed in an authorization header along with a
request. That way, a programmer retains control
over the exposure of the credentials.
4.16 HTTP 1.1 Support
iChain is now capable of communicating with
origin Web servers using the HTTP 1.1 protocol.
The major features of HTTP 1.1 are implemented,
although there are still some features that are
not fully implemented.
One of the main reasons for supporting HTTP 1.1
is to support the transfer encoding options of
chunking, deflate, and gzip. Many of the large
Web server products by default use these transfer
encoding options. The initial release of iChain
2.1 will not support the transfer encoding options
of compress and trailers.
Another key HTTP 1.1 feature iChain now supports
is returning content from the origin Web server
based on the VARY response header. The VARY header
is used to tell a cache that the response was
returned based on specific information found in the
request header. An example is content that is
returned based on the browser's preferred language.
4.17 Concurrent Login Restrictions
The following commands have been added to set
features of concurrent login restrictions. These
commands are entered from the iChain console.
Note: Concurrent Login Restrictions should not be
used in a Session Broker setting. Also, after
changing these options, we recommend that you
reboot the iChain Proxy Server.
set authentication limitconcurrentlogins = (yes/no)
This turns on the concurrent login restriction
feature. When it is set to yes, the following two
commands will control the functioning of the
feature.
set authentication maxlogins = (nonzero positive
integer)
This sets the number of concurrent logins that are
allowed. After the maximum number of logins is
reached, a user will either be denied access, or an
older instance will be logged out. In order for
the concurrent login feature to function, you must
set both MaxLogins as well as
LimitConcurrentLogins, applying your changes
each time. The following is an example of the
commands you would use:
1) Set authentication limitconcurrentlogins=yes,
then Apply.
2) Set authentication maxlogins=4 (or the number
you choose), then Apply.
set authentication logoutoldest = (yes/no)
This command determines what action to take once
the maximum number of logins is reached. When set
to yes, the least recently accessed connection of
the user will be logged out and a new login will
be performed. When set to no, the new login will
be rejected with a message that indicates that
the maximum number of logins has been exceeded.
The default is no.
If you are using SSL as an authentication method
for your accelerators, you need to make sure that
the Send an error page when a Mutual SSL error
occurs option is enabled. Otherwise, users will
get a blank page when they reach their
authentication limits.
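The interaction of limitconcurrentlogins, maxlogins and
logoutoldest described above can be modeled in a few lines.
The following Python sketch is an added example, not iChain
code; the class, its method names and the logical clock are
hypothetical, and it only illustrates the documented behavior,
including that logoutoldest removes the least recently
accessed session rather than the earliest login.

```python
class ConcurrentLoginModel:
    """Model of the three 'set authentication' options in this section."""

    def __init__(self, maxlogins, limitconcurrentlogins=True,
                 logoutoldest=False):       # readme: logoutoldest defaults to no
        if maxlogins < 1:
            raise ValueError("maxlogins must be a nonzero positive integer")
        self.maxlogins = maxlogins
        self.limitconcurrentlogins = limitconcurrentlogins
        self.logoutoldest = logoutoldest
        self._sessions = {}                 # user -> {session_id: last_access}
        self._tick = 0                      # logical clock (hypothetical)
        self._next_id = 0

    def _now(self):
        self._tick += 1
        return self._tick

    def login(self, user):
        """Return (session_id or None, [session ids logged out])."""
        active = self._sessions.setdefault(user, {})
        logged_out = []
        if self.limitconcurrentlogins and len(active) >= self.maxlogins:
            if not self.logoutoldest:
                # New login rejected: maximum number of logins exceeded.
                return None, logged_out
            # Log out the least recently accessed connection of the user.
            victim = min(active, key=active.get)
            del active[victim]
            logged_out.append(victim)
        self._next_id += 1
        session_id = f"{user}#{self._next_id}"
        active[session_id] = self._now()
        return session_id, logged_out

    def access(self, user, session_id):
        """Record a request on a session; False if it was logged out."""
        active = self._sessions.get(user, {})
        if session_id not in active:
            return False
        active[session_id] = self._now()
        return True

    def active(self, user):
        """Session ids currently logged in for the user."""
        return list(self._sessions.get(user, {}))


if __name__ == "__main__":
    model = ConcurrentLoginModel(maxlogins=2, logoutoldest=True)
    first, _ = model.login("alice")
    second, _ = model.login("alice")
    model.access("alice", first)            # first is now the most recent
    third, logged_out = model.login("alice")
    print("logged out:", logged_out, "active:", model.active("alice"))
```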
5.0 Legal Information
5.1 Disclaimer, Copyright, Export Notice, and Patents
Novell, Inc. makes no representations or warranties
with respect to the contents or use of this
documentation, and specifically disclaims any
express or implied warranties of merchantability
or fitness for any particular purpose. Further,
Novell, Inc. reserves the right to revise this
publication and to make changes to its content, at
any time, without obligation to notify any person
or entity of such revisions or changes.
Further, Novell, Inc. makes no representations or
warranties with respect to any software, and
specifically disclaims any express or implied
warranties of merchantability or fitness for any
particular purpose. Further, Novell, Inc. reserves
the right to make changes to any and all parts of
Novell software, at any time, without any
obligation to notify any person or entity of such
changes.
This product may require export authorization from
the U.S. Department of Commerce prior to exporting
from the U.S. or Canada.
Copyright (C) 2004 Novell, Inc. All rights
reserved. No part of this publication may be
reproduced, photocopied, stored on a retrieval
system, or transmitted without the express written
consent of the publisher.
U.S. Patent Nos. 5,349,642; 5,608,903; 5,671,414;
5,677,851; 5,758,344; 5,784,560; 5,818,936;
5,828,882; 5,832,275; 5,832,483; 5,832,487;
5,870,561; 5,870,739; 5,873,079; 5,878,415;
5,884,304; 5,913,025; 5,933,503; 5,933,826;
5,946,467; 5,956,718; 6,047,289; 6,065,017;
6,081,900; 6,105,132; 6,167,393. Patents Pending.
5.2 Trademarks
Novell, iChain, and NetWare are registered
trademarks of Novell, Inc. in the United States
and other countries.
eDirectory, Nsure, and SecretStore are trademarks
of Novell, Inc.
All third-party trademarks are the property of
their respective owners.