2.10 Configuring a Protected Identity Server Through Access Gateways

These configuration steps assume that you are using SSL. For information about why to configure a protected Identity Server, see Protecting an Identity Server Through Access Gateway in the NetIQ Access Manager 5.0 Installation and Upgrade Guide.

  1. (Conditional) If you are using domain-based multi-homing, create a wildcard certificate to be used by Identity Server and Access Gateway.

    For example, *.provo.novell.com, where Identity Server DNS is idp.provo.novell.com and Access Gateway DNS is jwilson1.provo.novell.com.

    If you don’t have a wildcard certificate, you cannot use domain-based multi-homing for this configuration scenario.

    If you are using path-based multi-homing, you can use the same certificate for Identity Server and Access Gateway.

  2. Configure the Base URL of Identity Server. For complete configuration information, see Section 2.3, Configuring Identity Servers Clusters.

    1. Click Devices > Identity Servers > Edit.

    2. Set the port to 8443.

      When you change the base URL of the Identity Provider, all Access Managerdevices that have an ESP need to be updated to import the new metadata. To re-import the metadata, configure the device so it does not have a trusted relationship with Identity Server, update the device, reconfigure the device for a trusted relationship, and update the device.

      For more information, see Embedded Service Provider Metadata.

    3. Specify the correct domain name for the proxy service type.

      Path-Based Proxy Service: If you are using path-based multi-homing, the domain name of the Base URL must match the public DNS of the authentication proxy service set up in Access Gateway.

      For example, if your proxy service has a public DNS name as jwilson1.provo.novell.com, specify this value for the Base URL.

      Domain-Based Proxy Service: If you are using domain-based multi-homing, the domain name of the Base URL can be different than Access Gateway, but your DNS server must resolve the name to the IP address of Access Gateway. Specify a name that allows the two to share a common subdomain.

      For example, if the proxy service name is jwilson1.provo.novell.com, replace jwilson1 with idp so that the domain name is idp.provo.novell.com.

  3. Configure Identity Server to use the correct certificate:

    1. Click the SSL Certificate icon.

    2. Click Replace, then click the Select Certificate icon.

    3. For a domain-based proxy service, select the wildcard certificate. For a path-based proxy service, select the certificate that matches the DNS name of Access Gateway.

    4. Click OK twice, then accept the prompt to restart Tomcat.

  4. Continue with Step 5 for a domain-based proxy service or Step 6 for a path-based proxy service.

  5. (Domain-Based Proxy Service) Set up a proxy service on Access Gateway for Identity Server:

    1. Click Devices > Access Gateways > Edit > [Name of Reverse Proxy].

      For more information, see Managing Reverse Proxies and Authentication.

    2. In the Proxy Service list, click New.

    3. Set the Multi-Homing Type field to Domain-Based.

    4. Set the following fields to the specified values:

      Published DNS Name: Specify the same name you have specified for the domain name of the Base URL of Identity Server. Your DNS server must be set up to resolve this name to Access Gateway.

      Web Server IP Address: Specify the IP address of Identity Server. If the cluster configuration for Identity Server contains more than one Identity Server, provide the IP address of one of the servers here. This must be the actual IP address of Identity Server and not the VIP address if Identity Server is behind an L4 switch.

      Host Header: Specify Web Server Host Name.

      Web Server Host Name: Specify the domain name of the Base URL of Identity Server. This entry matches what you specify in the Published DNS Name field.

      Your proxy service configuration must look similar to the following:

  6. (Path-Based Proxy Service) Set up a proxy service on Access Gateway for Identity Server:

    1. Click Devices > Access Gateways > Edit > [Name of Reverse Proxy].

      For more information, see Managing Reverse Proxies and Authentication.

    2. In the Proxy Service list, click New.

    3. Set the Multi-Homing Type field to Path-Based and set the Path field to /nidp.

    4. Set the following fields to the specified values:

      Published DNS Name: Specify the same name you have specified for the domain name of the Base URL of Identity Server. Your DNS server must be set up to resolve this name to Access Gateway.

      Web Server IP Address: Specify the IP address of Identity Server. If the cluster configuration for Identity Server contains more than one Identity Server, provide the IP address of one of the servers here. This must be the actual IP address of Identity Server and not the VIP address if Identity Server is behind an L4 switch.

      Host Header: Specify Web Server Host Name.

      Web Server Host Name: Specify the domain name of the Base URL of Identity Server. This entry matches what you specify in the Published DNS Name field.

      Your proxy service configuration must look similar to the following:

    5. Click OK.

  7. Configure a protected resource for the proxy service:

    1. In the Proxy Service List, click the link under the Protected Resources column.

      For more information, see Configuring Protected Resources.

    2. Click New, specify a name, then click OK.

    3. Configure the following fields:

      Authentication Procedure: Set this field to None. Identity Server needs to be set up as a public resource.

      URL Path: Set the path of the protected resource to /nidp/*.

      Your protected resource must look similar to the following:

    4. Click OK.

  8. (Path-Based Proxy Service) Verify the configuration:

    1. Click the name of your path-based proxy service.

    2. Verify that the Remove Path on Fill option is not selected.

    3. Verify that the Path List has an entry with /nidp as the path for the protected resource.

      Your configuration must look similar to the following:

    4. Click OK.

  9. Specify a host entry for Identity Server:

    1. Click Devices > Access Gateways > Edit > Hosts.

    2. Click New, specify the IP address of Identity Server, and click OK.

    3. In Host Name(s), specify the DNS name of Identity Server machine.

      You can also add the published DNS name of the base URL.

    4. Click OK.

  10. Set up Access Gateway to use SSL between the browsers and Access Gateway. See Section 20.5, Configuring SSL Communication with Browsers and Access Gateway.

  11. Set up SSL between the proxy service that is protecting Identity Server and Identity Server.

    In this type of configuration, Identity Server is acting as a protected web server of Access Gateway.

    1. Click Devices > Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Web Servers.

      For more information, see Configuring SSL between the Proxy Service and the Web Servers.

    2. Configure the following:

      Connect Using SSL: Select this option.

      Web Server Trusted Root: Select Any in Reverse Proxy Trust Store.

      SSL Mutual Certificate: Do not configure this option.

      Connect Port: Specify 443.

  12. (Conditional) If the cluster configuration for Identity Server contains more than one Identity Server, configure the following options:

    1. Click Devices > Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Web Servers.

    2. Specify the IP addresses of the other Identity Servers in the Web Server List.

      If Identity Servers are behind an L4 switch, you need to add the IP address of each Identity Server and not the VIP address.

    3. Click TCP Connect Options, then configure the following options.

      Policy for Multiple Destination IP Addresses: For Identity Servers, select Round Robin.

      Enable Persistent Connections: Make sure this option is selected. After the user has established an authenticated session with an Identity Server, you want that user to continue using the same Identity Server as long as that server is running.

  13. Configure HTML rewriting:

    1. Click Devices > Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > HTML Rewriting

    2. Make sure the Enable HTML Rewriting option is selected.

    3. In HTML Rewriter Profile List, click New, specify a name for the profile, and select Word for the Search Boundary.

    4. Specify the following URLs in And Requested URL Is Not. The following URLs use jwilson1.provo.novell.com/nidp as the DNS name of the proxy service for Identity Server. This is the example name for the path-based proxy service.

      jwilson1.provo.novell.com/nidp/idff/soap
      jwilson1.provo.novell.com/nidp/idff/soap/
      jwilson1.provo.novell.com/nidp/idff/soap/*
      jwilson1.provo.novell.com:443/nidp/idff/soap
      jwilson1.provo.novell.com:443/nidp/idff/soap/
      jwilson1.provo.novell.com:443/nidp/idff/soap/*

      Your rewriter profile must look similar to the following:

      The example name for the domain-based proxy service is idp.provo.novell.com. Use this as the DNS name when configuring the rewriter for a domain-based proxy service.

    5. Click OK.

    6. Use the up-arrow icon to move your profile to the top of the list.

  14. Configure the Pin List so that Identity Server pages are not cached:

    1. On the Server Configuration page, click Pin List > New, and specify the following values:

      URL Mask: Specify /nidp/* for the URL.

      Pin Type: Select Bypass.

    2. Click OK > OK.

    For more information about configuring a Pin list, see Configuring a Pin List.

  15. Update Access Gateway.

NOTE:If SuSEFirewall is configured, after starting the firewall, all ports and services are blocked by default. You need to create filters to allow Access Gateway and any other service to communicate with Identity Servers.