User manual NOVELL ACCESS MANAGER 3.1 SP3 GATEWAY GUIDE

[. . . ] novdocx (en) 16 April 2010 AUTHORIZED DOCUMENTATION Access Gateway Guide Novell® 3. 1 SP3 February 02, 2011 Access Manager www. novell. com Novell Access Manager 3. 1 SP3 Access Gateway Guide novdocx (en) 16 April 2010 Legal Notices Novell, Inc. , makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. , reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. Further, Novell, Inc. , makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. , reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes. [. . . ] This verification is done even when other proxy services are set to Do not verify. If the Web server certificate is part of a chain of certificates, you need to enable the SSLProxyVerifyDepth option and specify how many certificates are in the chain. For more information about this option, see Section 1. 2. 3, "Configuring Advanced Options for a Domain-Based Proxy Service, " on page 21. The auto import screen appears. If the Access Gateway is a member of a cluster, the cluster members are listed. The Web server certificate is imported into the trust stores of each cluster member. 3c Ensure that the IP address of the Web server and the port match your Web server configuration. If these values are wrong, you have entered them incorrectly on the Web server page. The server certificate, the Root CA certificate, and any certificate authority (CA) certificates from a chain are listed. A parent is missing if the chain does not include a certificate where the Subject and the Issuer have the same CN. 3e Specify an alias, then click OK. 126 Novell Access Manager 3. 1 SP3 Access Gateway Guide novdocx (en) 16 April 2010 All the displayed certificates are added to the trust store. 4 (Optional) Set up mutual authentication so that the Web server can verify the proxy service certificate: 4a Click the Select Certificate icon, 4b Select the certificate you created for the reverse proxy, then click OK. You need to import the trusted root certificate of the CA that signed the proxy service's certificate to the Web servers assigned to this proxy service. 5 In the Connect Port field, specify the port that your Web server uses for SSL communication. The following table lists some common servers and their default ports. Server Type Non-Secure Port Secure Port Web server with HTML content SSL VPN WebSphere JBoss 80 8080 9080 8080 443 8443 9443 8443 6 To save your changes to browser cache, click OK. 7 To apply your changes, click the Access Gateways link, then click Update > OK. 3. 5 Enabling Secure Cookies The Access Gateway and the Embedded Service Provider of the Access Gateway both use session cookies in their communication with the browser. The following sections explain how to protect these cookies from being intercepted by hackers. Section 3. 5. 1, "Securing the Embedded Service Provider Session Cookie, " on page 127 Section 3. 5. 2, "Securing the Proxy Session Cookie, " on page 129 For more information about making cookies secure, see the following documents: Secure attribute for cookies in RFC 2965 (http://www. faqs. org/rfcs/rfc2965. html) HTTP-only cookies (http://msdn. microsoft. com/en-us/library/ms533046. aspx) 3. 5. 1 Securing the Embedded Service Provider Session Cookie An attacker can spoof a non-secure browser into sending a JSESSION cookie that contains a valid user session. This might happen because the Access Gateway communicates with its Embedded Service Provider on port 8080, which is a non-secure connection. Because the Embedded Service Provider does not know whether the Access Gateway is using SSL to communicate with the browsers, the Embedded Service Provider does not mark the JSESSION cookie as secure when it creates the cookie. The Access Gateway receives the Set-Cookie header from the Embedded Service Provider and passes it back to the browser, which means that there is a non-secure, clear-text cookie in the browser. If an attacker spoofs the domain of the Access Gateway, the browser sends the nonsecure JSESSION cookie over a non-secure channel where the cookie might be sniffed. Configuring the Access Gateway for SSL and Other Security Features 127 novdocx (en) 16 April 2010 To stop this from happening, you must first configure Access Gateway to use SSL. See Section 3. 3, "Configuring SSL Communication with the Browsers and the Identity Server, " on page 122. [. . . ] If the protected resource has been assigned a contract, the Access Gateway continues with the task in decision point 8. For a user to gain access to a resource protected by a contract, the user must have authenticated with that contract, or if the contract is configured for it, the user can authenticate with another contract as long as the contract is of a equal or higher level. If the user is authenticated with the required contract, the Access Gateway is finished with its authentication checks and continues with policy evaluation. If the user is not authenticated with the required contract, the Access Gateway continues with the task in decision point 9. 278 Novell Access Manager 3. 1 SP3 Access Gateway Guide novdocx (en) 16 April 2010 Before the user is prompted for credentials, the Access Gateway needs to know whether the protected resource has been enabled for non-redirected login (NRL). [. . . ]