Let us assume that your setup details are as follows:
Base URL of the Identity Server cluster: https://abc.idp.com:8443/nidp
Value of the common name of the Certificate, cn=*.idp.com
Details of the Identity Server nodes:
|
Identity Server |
IP Address |
Host |
|---|---|---|
|
Node 1 |
1.1.1.10 |
abc |
|
Node 2 |
1.1.1.11 |
auth |
Perform the following steps to configure a dual connector setup:
NOTE:The second Identity Sever node acts as a connector host.
Create an X.509 authentication class and method. See Configuring X.509 Authentication and Configuring Attribute Mappings.
On the Home page, click Identity Servers > [cluster name] > Authentication > Methods.
Click X.509 authentication method > Advanced Settings > Plus icon.
Specify the following details:
|
Field |
Description |
|---|---|
|
Property Name |
CONNECTOR_HOST |
|
Property Value |
https://auth.idp.com:8448 |
NOTE:Do not add a / after the port number.
On the Home page, click Identity Servers > [cluster name] > Configuration > Properties > Plus icon.
Specify the following details:
|
Property Name |
Property Value |
|---|---|
|
CLUSTER COOKIE DOMAIN |
.idp.com |
|
CLUSTER COOKIE PATH |
/nidp |
(Identity Server Node 1 and Node 2) Back up server.xml and context.xml files located at the following paths:
server.xml: /opt/novell/nam/idp/conf
context.xml: /opt/novell/nids/lib/webapp/META-INF
In the Identity Server Node 1, navigate to the /opt/novell/nam/idp/conf directory.
Open the server.xml file.
Search the <Connector NIDP_Name="connector" string and create a copy of the existing connector in the same file.
In the new connector, change the port number to 8448.
NOTE:Ensure that clientAuth="false".
Save the server.xml file.
In the Identity Server Node 2, navigate to the /opt/novell/nam/idp/conf directory.
Open the server.xml file.
Search the <Connector NIDP_Name="connector" string and create a copy of the existing connector in the same file.
In the new connector, change the port number to 8448.
Change the clientAuth="false" string to clientAuth="want".
Add "protocol = "HTTP/1.1" for Apache Tomcat Version 9.0.87.
NOTE:Ensure that the Apache Tomcat version used is compatible with Access Manager. For determining the installed Apache Tomcat version, use the command cd /opt/novell/apache2/sbin grep "Tomcat Version" /opt/netiq/common/tomcat/RELEASE-NOTES in NAM. For further information on supported HTTP connector protocols for your Apache Tomcat version, see https://tomcat.apache.org/.
Save the server.xml file.
(Identity Server Node 1 and Node 2) Navigate to the /opt/novell/nids/lib/webapp/META-INF directory and open the context.xml file.
Ensure that the following strings are available:
<Context sessionCookiePath="/" sessionCookieDomain=".idp.com">
<Manager pathname="" saveOnRestart="false"/>
<CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" />
</Context>Save the files and restart both the Identity Server nodes. Check the log files and ensure that there are no errors.
Create a user certificate. See Section 17.0, Creating Certificates.
Import the certificate to the browser.
Create a contract for the method. See Configuring Authentication Contracts.
To verify that the dual connector setup configuration is successful, execute the X.509 dual connector contract as an end user and ensure that the CONNECTOR_HOST URL is visible in the browser URL and in the Identity Server logs.
At the User Portal, select the X.509 dual connector contract.
Select the user certificate when prompted.
A successful login to the User Portal verifies that the dual connector setup configuration is complete.