The following options allow you to view the status of multiple devices and identify the devices that are not healthy.
If your Access Manager components are not behaving in the way you have configured them to run, you might want to check the system to see if any of the components have configuration or network problems.
In the Administration Console, click > > .
All of the options should be empty, except the option (see Step 4) and the option (see Step 5). If an option contains an entry, you need to clear it. Select the appropriate action from the following table:
When you have finished repairing or deleting invalid Access Gateway configurations, click the link, then click > .
(Optional) Verify that all members of an Access Gateway cluster have the same configuration in cache:
Click > > .
Scroll to the option.
Click next to the cluster configuration or next to an individual Access Gateway.
This option allows you to view the Access Gateway configuration that is currently residing in browser cache. If the Access Gateway belongs to a cluster, you can view the cached configuration for the cluster as well as the cached configuration for each member. The + and - buttons allow you to expand and collapse individual configurations. The configuration is displayed in XML format.
To search for particular configuration parameters, you need to copy and paste the text into a text editor.
(Conditional) After viewing the Access Gateway configuration (see Step 4) and discovering that an Access Gateway does not have the current configuration, select the Access Gateway in the section, then click .
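Because the cached configuration is shown as XML and the console offers no search, comparing the cluster configuration against each member's cached copy by hand is error-prone. The script below is an added example, not part of this guide or of Access Manager: it flattens each XML document into path/value pairs and reports every member whose cached copy differs from the cluster configuration. The element and attribute names in the sample documents are constructed for the example and are not the real Access Gateway schema; in practice you would paste the XML copied from the console into the two inputs.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a hypothetical cluster configuration and the cached copy
# reported by two members. Element names are illustrative, not the product's
# real schema. Member "ag-2" is one revision behind and differs in one setting.
CLUSTER_XML = """<AccessGatewayConfiguration version="42">
  <ProxyService name="intranet" cacheEnabled="true">
    <ProtectedResource name="portal" contract="Name/Password-Form"/>
  </ProxyService>
</AccessGatewayConfiguration>"""

MEMBER_XML = {
    "ag-1": CLUSTER_XML,
    "ag-2": """<AccessGatewayConfiguration version="41">
  <ProxyService name="intranet" cacheEnabled="false">
    <ProtectedResource name="portal" contract="Name/Password-Form"/>
  </ProxyService>
</AccessGatewayConfiguration>""",
}


def flatten(xml_text):
    """Turn an XML document into a dict of path -> value so it can be diffed.
    Attributes become 'path/@attr'; non-empty element text becomes 'path/#text'.
    Repeated sibling tags are indexed so they stay distinct."""
    out = {}

    def walk(elem, path):
        for key, value in sorted(elem.attrib.items()):
            out[f"{path}/@{key}"] = value
        text = (elem.text or "").strip()
        if text:
            out[f"{path}/#text"] = text
        counts = {}
        for child in elem:
            index = counts.get(child.tag, 0)
            counts[child.tag] = index + 1
            walk(child, f"{path}/{child.tag}[{index}]")

    root = ET.fromstring(xml_text)
    walk(root, root.tag)
    return out


def config_drift(cluster_xml, member_xml):
    """Return {member: {path: (cluster_value, cached_value)}} for every member
    whose cached configuration differs from the cluster configuration.
    A value of None means the path exists on one side only."""
    reference = flatten(cluster_xml)
    drift = {}
    for member, xml_text in member_xml.items():
        cached = flatten(xml_text)
        diffs = {}
        for path in sorted(set(reference) | set(cached)):
            if reference.get(path) != cached.get(path):
                diffs[path] = (reference.get(path), cached.get(path))
        if diffs:
            drift[member] = diffs
    return drift


if __name__ == "__main__":
    drift = config_drift(CLUSTER_XML, MEMBER_XML)
    if not drift:
        print("all members match the cluster configuration")
    for member, diffs in drift.items():
        print(f"{member} does not have the current configuration:")
        for path, (want, have) in diffs.items():
            print(f"  {path}: cluster={want!r} cached={have!r}")
```

Members that appear in the output are the ones to select in the console and update, as the conditional step above describes. Flattening before comparing means attribute order and whitespace differences in the pasted XML do not show up as false drift.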
The Version page displays all the installed components along with their currently running version. Use this page to verify that you have updated all components to the latest compatible versions. There are two steps to ensuring that your Access Manager components are running compatible versions:
All components of the same type should be running the same version. If you have components that display multiple versions, identify the components that need to be upgraded and upgrade them to the newer version.
All components need to be running versions that are compatible with each other. For the latest release, view the list in the “Novell Access Manager Readme”.
To view the current version of all Access Manager devices:
In the Administration Console, click > .
Click .
A list of the devices with their version information is displayed. If a device also has an embedded service provider, the version of the Embedded Service Provider is also displayed.
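The first of the two checks above (every component of one type runs the same version) is easy to get wrong by eye once a deployment has more than a handful of devices, and a plain string comparison mis-orders versions such as 3.1.10 and 3.1.4. The following script is an added example, not part of this guide or of Access Manager: it takes the device list as you would transcribe it from the Version page, treats each Embedded Service Provider as its own component type, and reports, per type, the newest version present and the devices that are behind it. The device names, types and version strings are constructed for the example; the compatibility check between different component types still has to be done against the release Readme.

```python
from collections import defaultdict

# Constructed inventory in the shape the Version page presents it: one record
# per device, plus the Embedded Service Provider version where a device has one.
DEVICES = [
    {"name": "idp-1", "type": "Identity Server", "version": "3.1.4"},
    {"name": "idp-2", "type": "Identity Server", "version": "3.1.4"},
    {"name": "ag-1", "type": "Access Gateway", "version": "3.1.4", "esp_version": "3.1.4"},
    {"name": "ag-2", "type": "Access Gateway", "version": "3.1.3", "esp_version": "3.1.3"},
    {"name": "sslvpn-1", "type": "SSL VPN", "version": "3.1.4", "esp_version": "3.1.4"},
]


def version_key(version):
    """Sort key that compares dotted versions numerically, so '3.1.10' orders
    after '3.1.4' (a plain string comparison would put it first)."""
    return tuple(int(part) for part in version.split("."))


def find_version_mismatches(devices):
    """Group devices by component type and, for every type running more than
    one version, return the newest version seen and the devices behind it.
    Result shape: {type: {"latest": version, "outdated": [device names]}}."""
    by_type = defaultdict(list)
    for device in devices:
        by_type[device["type"]].append((device["name"], device["version"]))
        if "esp_version" in device:
            # The ESP is listed with its host device but is its own component type.
            by_type["Embedded Service Provider"].append(
                (device["name"], device["esp_version"])
            )
    report = {}
    for dtype, members in by_type.items():
        versions = {version for _, version in members}
        if len(versions) > 1:
            latest = max(versions, key=version_key)
            report[dtype] = {
                "latest": latest,
                "outdated": sorted(name for name, version in members if version != latest),
            }
    return report


if __name__ == "__main__":
    mismatches = find_version_mismatches(DEVICES)
    if not mismatches:
        print("every component type runs a single version")
    for dtype, info in mismatches.items():
        print(f"{dtype}: latest {info['latest']}, behind: {', '.join(info['outdated'])}")
```

An empty result means the first check passes; anything listed is a device to upgrade before comparing component types against the compatibility list in the Readme.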
The Policies page displays the policies that are in an unusable state because of configuration errors.
In the Administration Console, click > > .
If you have configured a policy without defining a valid rule for it, the policy appears in this list.
Select the policy, then click .
You can monitor all of the devices hosted by a server and quickly isolate and correct server issues. The system displays a status (green, yellow, white, or red) for the server.
In the Administration Console, click > .
The Device Health page shows the health status by IP address of the server and lists all the devices installed on the server. The health of the least healthy device is used for the status of the server.
To view more information about the health of each device, click the IP address of the machine.
Health information can also be viewed at the following locations:
>
The Dashboard page shows the health status at the device level. The status displayed is the status of the least healthy device.
>
The Servers page for each component provides a health status for each device.
The Hardware IP Address page allows you to view the devices and agents managed through the selected IP address. You can monitor all of the devices hosted by a server and quickly isolate and correct server issues. The system displays statuses (green, yellow, white, or red) for the Access Manager devices.
In the Administration Console, click > > .
To view information about the health of each installed device, click an IP address.
Select one of the following actions:
To return to the Device Health page, click .
To edit the details of a device, click the server name.
To view health details, click the icon.
To view the alerts, click the alerts link.
To view device statistics, click the statistics link.
To view or configure audit events for the device, click the link.
The Dashboard page is the starting point and central place to monitor and manage all product components and policies. The status of each device is available, with colored warnings or alert conditions.
In the Administration Console, click > .
Click a box to view a component or click the link to view the alerts:
For conventions that apply to all pages in the interface, see Section 1.2.4, Understanding Administration Console Conventions.
The Identity Server is the central authentication and identity access point for all Access Manager devices. The Identity Server is responsible for authenticating users and distributing role information to facilitate authorization decisions. It also provides the Liberty Alliance Web Service Framework to distribute identity information.
An Identity Server always operates as an identity provider and can optionally be configured to run as an identity consumer (also known as a service provider), using either Liberty, SAML 1.1, or SAML 2.0 protocols. As an identity provider, the Identity Server is the central store for a user’s identity information and is the heart of the user’s identity federations or account linkage information. As an authentication authority, the identity provider is viewed by internal and external service providers as a trusted identity store.
In an Access Manager configuration, the Identity Server is responsible for managing the following:
Authentication: Verifies user identities through various forms of authentication, both local (user supplied) and indirect (supplied by external providers). The identity information can be some characteristic attribute of the user, such as a role, e-mail address, name, or job description.
Identity Stores: Stores user identities in eDirectory, Microsoft Active Directory, and Sun ONE Directory Server.
Identity Federation: Enables user identity federation and provides access to Liberty-enabled services.
Account Provisioning: Enables service provider account provisioning when federating, which automatically creates user accounts.
Custom Attribute Mapping: Allows you to define custom attributes by mapping Liberty Alliance keywords to LDAP-accessible data, in addition to the available Liberty Alliance Employee and Person profiles.
SAML Assertions: Processes and generates SAML assertions. Using SAML assertions in each Access Manager component protects confidential information by removing the need to pass user credentials between the components to handle session management.
Single Sign-on and Log-out: Enables users to log in only once to gain access to multiple applications and platforms. Single sign-on and single log-out are primary features of Access Manager and are achieved after the federation and trust model is configured among trusted providers and the components of Access Manager.
Embedded Service Providers: Provides authentication and identity services for the other Access Manager components. The Access Gateways, J2EE Agents, and the SSL VPN server include an Embedded Service Provider that sets up a trusted relationship with the Identity Server.
Roles: Provides RBAC (role-based access control) management. RBAC is used to provide a convenient way to assign a user to a particular job function or set of permissions within an enterprise, in order to control access. The Identity Server establishes the active set of roles for a user session each time the user is authenticated. Roles can be assigned to subsets of users based on constraints outlined in a role policy. The established role can then be used in authorization policies and J2EE permissions, to form the basis for granting and restricting access to particular Web resources.
Clustering: Adds capacity and failover management. An Identity Server can be a member of a cluster of Identity Servers that is configured to act as a single server.
An Access Gateway provides secure access to HTTP-based Web servers by hiding the IP addresses and DNS names of the Web servers. It provides the typical security services (authorization, single sign-on, and data encryption) previously provided by Novell iChain, and is integrated with the new identity and policy services of Access Manager.
An Access Gateway works with the Identity Server to enable existing Web services for the Liberty and SAML protocols. It provides single sign-on to Web servers through Identity Injection policies that supply required user information and Form Fill policies that automatically fill in requested form information. If your Web servers have not been configured to enforce authentication and authorization, you can configure an Access Gateway to provide these services. Authentication contracts and authorization policies can be assigned so that they protect the entire Web server, a single page, or somewhere in between.
An Access Gateway can also be configured so that it caches requested pages. When the user meets the authentication and authorization requirements, the user is sent the page from cache rather than requesting it from the Web server.
An Access Gateway can be installed as a soft appliance (includes both the operating system and the Access Gateway software) and as a service (includes just the Access Gateway software).
You install and configure the SSL VPN components when you need to protect non-HTTP and Java applications. The SSL VPN component provides secure access to such applications as an e-mail server, an FTP client, or Telnet service. SSL VPN is a Linux-based service, which can be installed in one of two ways:
As a protected resource of an Access Gateway, which allows it to share session information with the Access Gateway.
With an Embedded Service Provider, which allows it to set up a trusted relationship with the Identity Server.
The requests are delivered in the form of a servlet. An ActiveX plug-in or Java applet is delivered to the client on successful authentication. Roles and policies determine authorization decisions for back-end applications. Client integrity checking is available to ensure the existence of approved firewall and virus scanning software, before the SSL VPN session is established.
You install and configure the J2EE Agent components when you need to protect applications running on J2EE servers. Access Manager provides JBoss, WebLogic, and IBM WebSphere server agents for Java 2 Enterprise Edition (J2EE) application servers. These agents allow J2EE applications to leverage the product’s authentication and authorization functionality without any code changes, as long as the applications rely on the J2EE application servers for authentication and authorization.
These agents leverage the Java Authentication and Authorization Service (JAAS) and Java Authorization Contract for Containers (JACC) standards for Access Manager-controlled authentication and authorization to Java Web applications and Enterprise JavaBeans. For more information about these Java authentication and authorization standards, see the JAAS Authentication Tutorial and the Java Authorization Contract for Containers.
Like the Access Gateway, J2EE Agents are enabled for the Liberty Alliance and therefore operate as service provider agents. As such, they redirect all authentication requests to the Identity Server, which returns a SAML assertion to the component. This process has the added security benefit of removing the need to pass user credentials between the components to handle session management.
Policies provide the authorization component of Access Manager. The administrator of the Identity Server uses policies to define how properties of a user’s authenticated identity map to the set of active roles for the user. This role definition serves as the starting point for role-based authorization policies of the Access Gateway and J2EE components. Additionally, authorization policies can be defined for the Access Gateway and J2EE components that control access to protected resources based on user and system attributes other than assigned roles.
The flexibility built into the policy component is nearly unlimited. You can, for example:
Set up a URL-based policy that permits or denies users access to a protected Web site, depending on their roles, such as employee or manager.
Specify whether an administrator has access to the policy management component of the Access Manager administration console. The administrator could create, edit, and manage policies that are assigned to specific components.
Each Access Gateway and J2EE component includes an Embedded Service Provider agent that interacts with the Identity Server to provide authentication, policy decision, and enforcement. For the Java application servers, the agent also provides role pass-through to allow integration with the Java Application server’s authorization processes.
The System Alerts page displays how many unacknowledged alerts have been generated for all the devices imported into this Administration Console.
In the Administration Console, click > > .
To acknowledge and clear the alerts for a device, select the name of the server, then click .
The following columns display information about the alerts for each server.