User manual NOVELL ACCESS MANAGER 3.1 SP2 ACCESS GATEWAY GUIDE 2010

[. . . ] novdocx (en) 16 April 2010 AUTHORIZED DOCUMENTATION Access Gateway Guide Novell® 3. 1 SP2 June 18, 2010 Access Manager www. novell. com Novell Access Manager 3. 1 SP2 Access Gateway Guide novdocx (en) 16 April 2010 Legal Notices Novell, Inc. , makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. , reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. Further, Novell, Inc. , makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. , reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes. [. . . ] 3c Ensure that the IP address of the Web server and the port match your Web server configuration. If these values are wrong, you have entered them incorrectly on the Web server page. Click Cancel and reconfigure them before continuing. The server certificate, the Root CA certificate, and any certificate authority (CA) certificates from a chain are listed. If the whole chain is not displayed, import what is displayed. You then need to manually import the missing parents in the chain. A parent is missing if the chain does not include a certificate where the Subject and the Issuer have the same CN. 3e Specify an alias, then click OK. 116 Novell Access Manager 3. 1 SP2 Access Gateway Guide novdocx (en) 16 April 2010 All the displayed certificates are added to the trust store. 4 (Optional) Set up mutual authentication so that the Web server can verify the proxy service certificate: 4a Click the Select Certificate icon, 4b Select the certificate you created for the reverse proxy, then click OK. You need to import the trusted root certificate of the CA that signed the proxy service's certificate to the Web servers assigned to this proxy service. For instructions, see your Web server documentation. 5 In the Connect Port field, specify the port that your Web server uses for SSL communication. The following table lists some common servers and their default ports. Server Type Non-Secure Port Secure Port Web server with HTML content SSL VPN WebSphere JBoss 80 8080 9080 8080 443 8443 9443 8443 6 To save your changes to browser cache, click OK. 7 To apply your changes, click the Access Gateways link, then click Update > OK. 3. 5 Enabling Secure Cookies The Access Gateway and the Embedded Service Provider of the Access Gateway both use session cookies in their communication with the browser. The following sections explain how to protect these cookies from being intercepted by hackers. Section 3. 5. 1, "Securing the Embedded Service Provider Session Cookie, " on page 117 Section 3. 5. 2, "Securing the Proxy Session Cookie, " on page 119 For more information about making cookies secure, see the following documents: Secure attribute for cookies in RFC 2965 (http://www. faqs. org/rfcs/rfc2965. html) HTTP-only cookies (http://msdn. microsoft. com/en-us/library/ms533046. aspx) 3. 5. 1 Securing the Embedded Service Provider Session Cookie An attacker can spoof a non-secure browser into sending a JSESSION cookie that contains a valid user session. This might happen because the Access Gateway communicates with its Embedded Service Provider on port 8080, which is a non-secure connection. Because the Embedded Service Provider does not know whether the Access Gateway is using SSL to communicate with the browsers, the Embedded Service Provider does not mark the JSESSION cookie as secure when it creates the cookie. The Access Gateway receives the Set-Cookie header from the Embedded Service Provider and passes it back to the browser, which means that there is a non-secure, clear-text cookie in the browser. If an attacker spoofs the domain of the Access Gateway, the browser sends the nonsecure JSESSION cookie over a non-secure channel where the cookie might be sniffed. Configuring the Access Gateway for SSL and Other Security Features 117 novdocx (en) 16 April 2010 To stop this from happening, you must first configure Access Gateway to use SSL. See Section 3. 3, "Configuring SSL Communication with the Browsers and the Identity Server, " on page 112. After you have SSL configured, you need to configure Tomcat to secure the cookie. [. . . ] If the URL does not match a URL of a protected resource (PR), the Access Gateway returns an HTTP 403 error to the user. If the URL in the request matches a URL of a protected resource, the Access Gateway needs to examine the protection type assigned to the resource. The Access Gateway continues with the tasks outlined in Figure 8-6 on page 261. 260 Novell Access Manager 3. 1 SP2 Access Gateway Guide novdocx (en) 16 April 2010 Figure 8-6 Determining the Protection Type Assigned to the Resource Continue Processing 7 Is the PR Protected with a Contract? NO YES 8 Is the User Authenticated with the Required Contract? NO YES 9 Is the PR Enabled for NRL? YES 9a Is an Authentication Header Present? NO YES 9b Are the Authentication Credentials Valid? NO YES NO 9c Is the NRL Redirect Option Enabled? YES NO Continue Processing Return HTTP 401 Unauthorized Evaluate for Policies You configure a protected resource as a public resource when an authentication procedure/contract is not assigned to the protected resource. In decision point 7, the Access Gateway checks to see if a contract has been assigned to the protected resource. [. . . ]