User manual NOVELL ACCESS MANAGER 3.1 SP2 ACCESS GATEWAY GUIDE 2010

[. . . ] novdocx (en) 16 April 2010 AUTHORIZED DOCUMENTATION Access Gateway Guide Novell® 3. 1 SP2 June 18, 2010 Access Manager www. novell. com Novell Access Manager 3. 1 SP2 Access Gateway Guide novdocx (en) 16 April 2010 Legal Notices Novell, Inc. , makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. , reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. Further, Novell, Inc. , makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. , reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes. [. . . ] To stop this from happening, you can use the following configuration options: "Setting an Authentication Cookie with a Secure Keyword for HTTP" on page 119 "Preventing Cross-Site Scripting Vulnerabilities" on page 119 Setting an Authentication Cookie with a Secure Keyword for HTTP You can configure the Access Gateway to force the HTTP services to have the authentication cookie set with the keyword secure. To enable this option: 1 In the Administration Console, click Devices > Access Gateways > Edit > Reverse Proxy / Authentication. This option is used to secure the cookie when the Access Gateway is placed behind an SSL accelerator, such as the Cisco SSL accelerator, and the Access Gateway is configured to communicate by using only HTTP Preventing Cross-Site Scripting Vulnerabilities Cross-site scripting vulnerabilities in Web browsers allow malicious sites to grab cookies from a vulnerable site. The goal of such attacks might be to perform session fixation or to impersonate the valid user. You can configure the Access Gateway to set its authentication cookie with the HttpOnly keyword, to prevent scripts from accessing the cookie. To enable this option: 1 In the Administration Console, click Devices > Access Gateways > Edit > Reverse Proxy / Authentication. 3 Update the Access Gateway. 3. 6 Managing Access Gateway Certificates Section 3. 6. 1, "Managing Embedded Service Provider Certificates, " on page 120 Section 3. 6. 2, "Managing Reverse Proxy and Web Server Certificates, " on page 120 Configuring the Access Gateway for SSL and Other Security Features 119 novdocx (en) 16 April 2010 3. 6. 1 Managing Embedded Service Provider Certificates The Access Gateway uses an Embedded Service Provider to communicate with the Identity Server. The Service Provider Certificates page allows you to view the private keys, certificate authority (CA) certificates, and certificate containers associated with this module. These keystores do not contain the certificates that the Access Gateway uses for SSL connections to browsers or to backend Web servers. To view or modify these certificates: 1 In the Administration Console, click Devices > Access Gateways > Edit > Service Provider Certificates. Click this link to access the keystore and replace the signing certificate as necessary. The signing certificate is used to sign the assertion or specific parts of the assertion. Trusted Roots: The trusted root certificate container for the CA certificates associated with the Access Gateway. Click this link to access the trust store, where you can change the password or add trusted roots to the container. The Embedded Service Provider must trust the certificate of the Identity Server that the Access Gateway has been configured to trust. The public certificate of the CA that generated the Identity Server certificate must be in this trust store. If you configured the Identity Server to use a certificate generated by a CA other than the Access Manager CA, you must add the public certificate of this CA to the Trusted Roots store. To import this certificate, click Trusted Roots, then in the Trusted Roots section, click Auto-Import From Server. Fill in the IP address or DNS name of your Identity Server and its port, then click OK. You can also auto import the Identity Server certificate by selecting the Auto-Import Identity Server Configuration Trusted Root option on the Reverse Proxies / Authentication page (click Devices > Access Gateways > Edit > Reverse Proxies / Authentication). With this option, you do not need to specify the IP address and port of the Identity Server. 4 To apply your changes, click the Access Gateways link, then click Update > OK. 3. 6. 2 Managing Reverse Proxy and Web Server Certificates You select Access Gateway certificates on two pages in the Administration Console: Devices > Access Gateways > Edit > [Name of Reverse Proxy] Devices > Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Web Servers When you configure certificates on these pages, you need to be aware that two phases are used to push the certificates into active use. [. . . ] The ESP returns a new request, which flows to the task in decision point 6, where the URL is examined. If the URL does not match a URL of a protected resource (PR), the Access Gateway returns an HTTP 403 error to the user. If the URL in the request matches a URL of a protected resource, the Access Gateway needs to examine the protection type assigned to the resource. The Access Gateway continues with the tasks outlined in Figure 8-6 on page 261. 260 Novell Access Manager 3. 1 SP2 Access Gateway Guide novdocx (en) 16 April 2010 Figure 8-6 Determining the Protection Type Assigned to the Resource Continue Processing 7 Is the PR Protected with a Contract? NO YES 8 Is the User Authenticated with the Required Contract? NO YES 9 Is the PR Enabled for NRL? YES 9a Is an Authentication Header Present? NO YES 9b Are the Authentication Credentials Valid? NO YES NO 9c Is the NRL Redirect Option Enabled? YES NO Continue Processing Return HTTP 401 Unauthorized Evaluate for Policies You configure a protected resource as a public resource when an authentication procedure/contract is not assigned to the protected resource. [. . . ]