Sun Java System Portal Server Secure Remote Access 7.2 Administration Guide

Part III Managing the Secure Remote Access Server

The Secure Remote Access server has two interfaces for administration:

Most administration tasks are performed through the web-based Portal Server management console which can be accessed locally or remotely using a web browser. For more information, see Using the Portal Server Management Console in Sun Java System Portal Server 7.2 Administration Guide.

However, tasks such as file modification must be administered through the UNIX command-line interface.

Chapter 16 Managing the Gateway


Tasks to Manage the Gateway

This section has the following tasks to manage the portal server gateway:

Procedure: To Create a Gateway Profile

  1. Log into the Portal Server administration console as administrator.

  2. Click the Secure Remote Access tab and click New Profile.

    The New Profile page is displayed.

  3. Enter the name of the new gateway profile.

  4. Select the profile to use for creating the new profile from the drop-down list.

    By default, any new profile that you create is based on the pre-packaged Default profile. If you have created a custom profile, you can select that profile from the drop-down list. The new profile inherits all the attributes of the selected profile.

    The existing profile that is copied for the new one, copies the same port. Change the port for the new profile so that it does not conflict with the existing one.

  5. Click OK.

    The new profile is created and listed in the Profiles page.


    Caution –

    Ensure that you change the port of the instance so that it does not clash with any existing port in use.


  6. Telnet to the machine where the instance needs to be created. The default gateway instance is up and running at this machine.

  7. Install AM-SDK in configure now mode.

  8. Install Gateway using UI installer in configure now mode or select configure later mode.

  9. Copy the /opt/SUNWportal/template/sra/GWConfig.properties.template file to a temporary location, for example /tmp.

  10. Modify the values as required.


    Note –

    The values should match the port numbers in the gateway instance for the new profile.


  11. Once complete, run the following command:

    ./psadmin create-sra-instance -u amadmin -f <passwordfile> -S <template file location>.template -t gateway

  12. Restart the Gateway with this gateway profile name to ensure that the changes take effect:

    ./psadmin start-sra-instance -u amadmin -f <password file> -N <profile name> -t gateway

    For more information on starting and stopping the Gateway, see To Start the Gateway Instances. To configure the Gateway, see Chapter 8, Configuring the Secure Remote Access Gateway.

Procedure: To Create Gateway Instances Using the Same LDAP

  1. Replace the key that is used to encrypt and decrypt passwords with the same string used for the first Gateway.

    am.encryption.pwd= string_key_specified_in gateway-install

  2. Replace the key that is the shared secret for application authentication module:

    com.iplanet.am.service.secret= string_key_specified_in gateway-install

  3. In /etc/opt/SUNWam/config/ums modify the following areas in serverconfig.xml to be consistent with the first installed instance of Portal Server:

    <DirDN> cn=puser,ou=DSAME Users,dc=sun,dc=net</DirDN>

    <DirPassword>string_key_specified_in gateway-install</DirPassword>

    <DirDN>cn=dsameuser,ou=DSAME Users,dc=sun,dc=net</DirDN>

    <DirPassword>string_key_specified_in gateway-install </DirPassword>

  4. Restart Access Manager services.

Procedure: To Start the Gateway Instances

By default, the Gateway starts as user noaccess.

  1. After installing the Gateway and creating the required profile, run the following command to start the Gateway:

    ./psadmin start-sra-instance -u amadmin -f <password file> -N <profile name> -t gateway

    default — is the default gateway profile that is created during installation. You can create your own profiles later, and restart the Gateway with the new profile. See Creating a Gateway Profile.


    Note –

    Replace the <profile name> with an appropriate profile name to start other instances of the Gateway.

    Restarting the server (the machine on which the Gateway instances are configured) restarts all instances of the Gateway.

    Ensure that no backed up profiles are present in the /etc/opt/SUNWportal directory.


  2. Run the following command to check if the Gateway is running on the specified port:

    netstat -an | grep port-number

    The default Gateway port is 443.
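The grep in step 2 also matches ports such as 8443 and 4430 and established client connections on the Gateway port. The following POSIX shell script is an added example, not part of the Sun guide: it narrows the check to a LISTEN socket on exactly the given port, and the same test is worth running before creating a profile that keeps the copied port (see the Caution in To Create a Gateway Profile). SAMPLE_NETSTAT is constructed output and the gateway_port_free helper is this example's own name.

```shell
#!/bin/sh
# Added example (not from the Sun guide): a tighter version of the
# "netstat -an | grep port-number" check. A bare grep for 443 also matches
# 8443, 4430 and ESTABLISHED client connections, so the port is reported as
# taken only when a local address ends in ".443" or ":443" and the socket
# is in LISTEN state. SAMPLE_NETSTAT below is constructed, not real output.

# port_listening PORT  (reads netstat -an output on stdin)
# Exit status 0 when PORT is bound in LISTEN state, 1 otherwise. Handles the
# Solaris "*.443" form and the Linux "0.0.0.0:443" / ":::443" forms.
port_listening() {
    awk -v p="$1" '
        /LISTEN/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ ("[.:]" p "$")) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# gateway_port_free PORT: run this before creating a profile that reuses the
# copied port. Returns 0 when free, 1 when in use, 2 when netstat is missing
# (so a missing tool is never mistaken for a free port).
gateway_port_free() {
    command -v netstat >/dev/null 2>&1 || { echo "netstat not found" >&2; return 2; }
    if netstat -an 2>/dev/null | port_listening "$1"; then
        echo "port $1 is already in LISTEN state" >&2
        return 1
    fi
    return 0
}

# Constructed sample mixing Solaris and Linux line formats.
SAMPLE_NETSTAT='      *.8443               *.*                0      0 49152      0 LISTEN
      *.4430               *.*                0      0 49152      0 LISTEN
192.0.2.10.443       198.51.100.7.51234  49640      0 49640      0 ESTABLISHED
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN'

printf '%s\n' "$SAMPLE_NETSTAT" | port_listening 443 && echo "443: gateway listening"
printf '%s\n' "$SAMPLE_NETSTAT" | port_listening 80  || echo "80: nothing listening"
```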

Procedure: To Stop the Gateway

  1. Use the following command to stop the Gateway:

    ./psadmin stop-sra-instance -u amadmin -f <password file> -N <profile name> -t gateway


    Note –

    Replace the <profile name> with an appropriate profile name to stop other instances of the Gateway.


  2. Run the following command to verify if any of the Gateway processes are still running:

    /usr/bin/ps -ef | grep entsys

Procedure: To Start and Stop the Gateway Using the Management Console

  1. Log in to the Management Console. See To Login to the Management Console in Sun Java System Portal Server 7.2 Administration Guide.

  2. Select the Secure Remote Access tab.

  3. Click the Manage Instances submenu.

  4. Under SRA Proxy instances, select an instance.

    • Click Start to start an instance.

    • Click Stop to stop an instance.

Procedure: To Restart the Gateway with a Different Profile

  1. Restart the Gateway, giving the name of the profile to use:

    ./psadmin start-sra-instance -u amadmin -f <password file> -N <profile name> -t gateway

Procedure: To Restart the Gateway

  1. In a terminal window, connect as root and do one of the following:

    • Start the watchdog process:


      ./psadmin sra-watchdog -u uid -f password-filename -t instance-type on

      [--adminuser | -u] uid

      Specifies the administrator's distinguished name (DN) or user ID. 

      [--passwordfile | -f] password-filename

      Specifies the file that contains the administrator's password.

      [--type | -t] instance-type

      Specifies the type of the Secure Remote Access instance. Enter: gateway, nlproxy, or rwproxy.

      For information on the watchdog command, see the Sun Java System Portal Server Command Line Reference Guide.

      This creates an entry in the crontab utility and the watchdog process is now active. The watchdog monitors all running instances of a Gateway on a particular machine and Gateway port and restarts the Gateway if it goes down.

Procedure: To Specify a Virtual Host

  1. Log in as root and edit the platform.conf file of the required Gateway instance:

    /etc/opt/SUNWportal/platform.conf.gateway-profile-name

  2. Add the following entries:

    gateway.virtualhost=fully-qualified-gateway-host gateway-ip-address fully-qualified-reverse-proxy-host

    gateway.enable.customurl=true (This value is set to false by default.)

  3. Restart the Gateway:

    ./psadmin start-sra-instance -u amadmin -f <password file> -N <profile name> -t gateway

    If these values are not specified, the Gateway defaults to normal behavior.

Procedure: To Specify a Proxy

  1. From the command line, edit the following file:

    /etc/opt/SUNWportal/platform.conf.gateway-profile-name

  2. Add the following entries:

    http.proxyHost=proxy-host
    http.proxyPort=proxy-port
    http.proxySet=true

  3. Restart the Gateway to use the specified proxy for requests made to the server:

    ./psadmin start-sra-instance -u amadmin -f <password file> -N <profile name> -t gateway

Procedure: To Create a Netlet Proxy Instance

  1. Telnet to the machine where the instance needs to be created. The default gateway instance is up and running on this machine.

  2. Copy the /opt/SUNWportal/template/sra/NLPConfig.properties.template file to a temporary location, for example /tmp.

  3. Modify the values as required in the file for the new profile.

  4. Once complete, run the following command:

    ./psadmin create-sra-instance -u amadmin -f <passwordfile> -S <template file location>.template -t nlproxy

  5. Start the new instance of the Netlet proxy with the required gateway profile name to ensure that the changes take effect:

    ./psadmin start-sra-instance -u amadmin -f <password file> -N <profile name> -t nlproxy

Procedure: To Restart a Netlet Proxy

  1. In a terminal window, connect as root and do one of the following:

    • Start the watchdog process:

      psadmin sra-watchdog -u uid -f password-filename -t instance-type on

      Enter nlproxy in place of the instance-type. For more information on this command, see the Sun Java Portal Server Command Line Reference Guide.

      This creates an entry in the crontab utility and the watchdog process is now active. The watchdog monitors the Netlet proxy port and brings up the proxy if it goes down.

    • Start a Netlet proxy manually:

      psadmin start-sra-instance -u uid -f password-filename -N sra-instance-name -t instance-type

      Enter nlproxy in place of the instance-type. The sra-instance-name is the profile name corresponding to the required Netlet Proxy instance. For more information on this command, see the Sun Java Portal Server Command Line Reference Guide.

Procedure: To Create a Rewriter Proxy Instance

  1. Telnet to the machine where the instance needs to be created. The default gateway instance is up and running on this machine.

  2. Copy the /opt/SUNWportal/template/sra/GWConfig.properties.template file to a temporary location, for example /tmp.

  3. Modify the values as required in the file for the new profile.

  4. Once complete, run the following command:

    ./psadmin create-sra-instance -u amadmin -f <passwordfile> -S <template file location>.template -t rwproxy

  5. Start the new instance of the Rewriter Proxy with the required gateway profile name to ensure that the changes take effect:

    ./psadmin start-sra-instance -u amadmin -f <password file> -N <profile name> -t rwproxy

Procedure: To Restart a Rewriter Proxy

  1. In a terminal window, connect as root and do one of the following:

    • Start the watchdog process:

      psadmin sra-watchdog -u uid -f password-filename -t instance-type on

      Enter rwproxy in place of the instance-type. For more information on this command, see the Sun Java Portal Server Command Line Reference Guide.

      This creates an entry in the crontab utility and the watchdog process is now active. The watchdog monitors the Rewriter Proxy port and brings up the proxy if it goes down.

    • Start a Rewriter Proxy manually:

      psadmin start-sra-instance -u uid -f password-filename -N sra-instance-name -t instance-type

      Enter rwproxy in place of the instance-type. The sra-instance-name is the profile name corresponding to the required Rewriter Proxy instance. For more information on this command, see the Sun Java Portal Server Command Line Reference Guide.

Procedure: To Enable a Reverse Proxy

  1. Log in as root and edit the platform.conf file of the required Gateway instance:

    /etc/opt/SUNWportal/platform.conf.gateway-profile-name

  2. Add the following entries:

    gateway.virtualhost=fully-qualified-gateway-host gateway-ip-address fully-qualified-reverse-proxy-host

    gateway.enable.customurl=true (This value is set to false by default.)

    gateway.httpurl=http reverse-proxy-URL

    gateway.httpsurl=https reverse-proxy-URL

    gateway.httpurl is used to rewrite the response for a request received at the port listed as the HTTP port in the gateway profile.

    gateway.httpsurl is used to rewrite the response for a request received at the port listed as the HTTPS port in the gateway profile.

  3. Restart the Gateway:

    ./psadmin start-sra-instance -u amadmin -f <password file> -N <profile name> -t gateway

    If these values are not specified, the Gateway defaults to normal behavior.

Procedure: To Add Authentication Modules to an Existing PDC Instance

  1. Log in to the Access Manager administration console as administrator.

  2. Select the required organization.

  3. Select Services from the View drop-down box.

    The services are displayed.

  4. Click Authentication Configuration.

    The Service Instance List is displayed.

  5. Click Gatewaypdc.

    The Gatewaypdc properties page is displayed.

  6. Click Edit.

    The Add Module page is displayed.

  7. Select Module Name and set Flag to Required.

  8. Click OK.

  9. Click Save after adding one or more modules.

  10. Click Save in the gatewaypdc properties page.

  11. Restart the Gateway for the changes to take effect:

    gateway-install-location/SUNWportal/bin/psadmin start-sra-instance -u amadmin -f <password file> -N <profile name> -t gateway

Procedure: To Disable Browser Caching

  1. Log in as root and edit the platform.conf file of the required Gateway instance:

    /etc/opt/SUNWportal/platform.conf.gateway-profile-name

  2. Edit the following line:

    gateway.allow.client.caching=true

    This value is set to true by default. Change the value to false to disable browser caching on the client side.

  3. Restart the Gateway:

    ./psadmin start-sra-instance -u amadmin -f <password file> -N <profile name> -t gateway

Procedure: To Share LDAP Directories

  1. Modify the following areas in AMConfig.properties to synchronize with the first installed instance of the Portal Server and Access Manager servers:

    # The key that will be used to encrypt and decrypt passwords.
    am.encryption.pwd=t/vnY9Uqjf12NbFywKuAaaHibwlDFNLO   <== REPLACE THIS STRING WITH THE ONE FROM FIRST PORTAL INSTALL

    /* The following key is the shared secret for application auth module */
    com.iplanet.am.service.secret=AQICxIPLNc0WWQRVlYZN0PnKgyvq3gTU8JA9   <== REPLACE THIS STRING WITH THE ONE FROM FIRST PORTAL INSTALL

  2. In /etc/opt/SUNWam/config/ums modify the following areas in serverconfig.xml to be in sync with the first installed instance of the Portal Server and Access Manager server:

    <DirDN>cn=puser,ou=DSAME Users,dc=sun,dc=net</DirDN>
    <DirPassword>AQICxIPLNc0WWQT22gQnGgnCp9rUf+FuaqpY</DirPassword>   <== REPLACE THIS STRING WITH THE ONE FROM FIRST PORTAL INSTALL

    <DirDN>cn=dsameuser,ou=DSAME Users,dc=sun,dc=net</DirDN>
    <DirPassword>AQICxIPLNc0WWQT22gQnGgnCp9rUf+FuaqpY</DirPassword>   <== REPLACE THIS STRING WITH THE ONE FROM FIRST PORTAL INSTALL

  3. Restart the Access Manager services.
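The two AMConfig.properties keys above, which are the same two keys as in To Create Gateway Instances Using the Same LDAP, must be identical on every instance that shares the directory, and a copy-and-paste mistake leaves the second instance unable to decrypt anything the first one stored. The following POSIX shell script is an added example, not part of the Sun guide: it copies am.encryption.pwd and com.iplanet.am.service.secret from the first install's AMConfig.properties into a second instance's file and refuses to write if either key is missing from either file. The file names and key values in demo() are constructed; the serverconfig.xml DirPassword entries are still edited by hand.

```shell
#!/bin/sh
# Added example (not from the Sun guide): copy the two keys that every
# instance sharing one LDAP directory must agree on, from the first Portal
# Server install's AMConfig.properties into a second instance's copy.
# The files built in demo() are constructed samples.

SHARED_KEYS="am.encryption.pwd com.iplanet.am.service.secret"

# get_prop FILE KEY: print the value of KEY in FILE (last definition wins,
# '=' characters inside the value are kept).
get_prop() {
    awk -v k="$2" '
        index($0, k "=") == 1 { v = substr($0, length(k) + 2) }
        END { print v }' "$1"
}

# sync_keys SRC DST: rewrite DST in place so each shared key carries SRC's
# value. Exits 1 without touching DST when a key is missing from either
# file, so a half-configured instance is never produced.
sync_keys() {
    src="$1"; dst="$2"
    for k in $SHARED_KEYS; do
        for f in "$src" "$dst"; do
            grep -q "^$k=" "$f" || { echo "sync_keys: $k missing in $f" >&2; return 1; }
        done
    done
    tmp="$dst.$$"
    cp "$dst" "$tmp"
    for k in $SHARED_KEYS; do
        v=$(get_prop "$src" "$k")
        # awk -v would expand backslashes; these keys are base64 text, so none occur.
        awk -v k="$k" -v v="$v" '
            index($0, k "=") == 1 { print k "=" v; next }
            { print }' "$tmp" > "$tmp.new" && mv "$tmp.new" "$tmp"
    done
    mv "$tmp" "$dst"
}

# demo: constructed AMConfig.properties fragments for a first and a second install.
demo() {
    d=$(mktemp -d)
    printf '%s\n' \
        '# The key that will be used to encrypt and decrypt passwords.' \
        'am.encryption.pwd=FIRST/encryption+key' \
        '/* The following key is the shared secret for application auth module */' \
        'com.iplanet.am.service.secret=FIRSTsharedSecret' > "$d/first.properties"
    printf '%s\n' \
        'am.encryption.pwd=SECONDkey' \
        'com.iplanet.am.naming.url=http://second.example.com:8080/amserver/namingservice' \
        'com.iplanet.am.service.secret=SECONDsecret' > "$d/second.properties"
    sync_keys "$d/first.properties" "$d/second.properties" && cat "$d/second.properties"
    rm -rf "$d"
}

demo
```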

Chapter 17 Federation Management Scenarios

This chapter describes .... The following topics are discussed:

Using Federation Management

Federation Management enables users to aggregate their local identities so that they have one network identity. Federation Management uses the network identity to allow users to log in at one service provider's site and access other service providers' sites without having to re-authenticate their identity. This is referred to as single sign-on.

Federation management can be configured in open mode and secure mode on the Portal Server. The Portal Server Administration Guide describes how to configure federation management in open mode. Before configuring Federation management in secure mode, using Portal Server Secure Remote Access server, ensure that it works in open mode. If you want your users to use Federation Management from the same browser in both open and secure mode, they must clear the cookies and cache from the browser.

For detailed information on Federation Management, see the Access Manager Federation Management Guide.

Federation Management Scenario

A user authenticates to an initial service provider. Service providers are commercial or not-for-profit organizations that offer web-based services. This broad category can include internet portals, retailers, transportation providers, financial institutions, entertainment companies, libraries, universities, and governmental agencies.

The service provider uses a cookie to store the user’s session information in the client browser. The cookie also includes the user’s identity provider.

Identity providers are service providers that specialize in providing authentication services. As the administrating service for authentication, they also maintain and manage identity information. Authentication accomplished by an identity provider is honored by all service providers with whom they are affiliated.

When the user attempts to access a service that is not affiliated with the identity provider, the identity provider forwards the cookie to the unaffiliated service provider. This service provider can then access the identity provider called out in the cookie.

However, cookies cannot be read across different DNS domains. Therefore a Common Domain Cookie Service is used to redirect the service provider to the correct identity provider thus enabling single sign-on for the user.

Configuring Federation Management Resources

The Federation resources, the service providers, identity providers, and the Common Domain Cookie Service (CDCS), are configured in the gateway profile based on where they reside. This section describes how to configure three scenarios:

Procedure: To Configure Federation Management Resources

  1. When all resources are inside the corporate intranet

  2. When all resources are not inside the corporate intranet or the identity provider resides in the Internet

  3. When all resources are not inside the corporate intranet or the service provider is a third party residing in the Internet while the identity provider is protected by the Gateway.

Configuration 1

In this configuration the service providers, identity providers and the Common Domain Cookie Service are deployed in the same corporate intranet and the identity providers are not published in the Internet Domain Name Server (DNS). The CDCS is optional.

In this configuration the Gateway points to the service provider, which is the Portal Server. This configuration is valid for multiple instances of the Portal Server.

Procedure: To Configure Gateway to a Service Provider (Portal Server)

  1. Log into the Portal Server administration console as administrator.

  2. Select the Secure Remote Access tab and select the appropriate gateway profile to modify its attributes.

    The Edit Gateway Profile page is displayed.

  3. Select the Core tab.

  4. Select the Enable Cookie Management checkbox to enable cookie management.

  5. Select the Security tab.

  6. In the Portal Servers field, enter Portal Server names to use the relative URLs such as: /amserver or /portal/dt listed in the Non-Authenticated URLs list. For example:

    http://idp-host:port/amserver/js

    http://idp-host:port/amserver/UI/Login

    http://idp-host:port/amserver/css

    http://idp-host:port/amserver/SingleSignOnService

    http://idp-host:port/amserver/UI/blank

    http://idp-host:port/amserver/postLogin

    http://idp-host:port/amserver/login_images

  7. In the Portal Servers field, enter the Portal Server name. For example, /amserver.

  8. Click Save.

  9. Select the Security tab.

  10. In the Non-Authenticated URLs list, add the federation resources. For example:

    /amserver/config/federation

    /amserver/IntersiteTransferService

    /amserver/AssertionConsumerservice

    /amserver/fed_images

    /amserver/preLogin

    /portal/dt

  11. Click Add.

  12. Click Save.

  13. If web proxies are needed to reach the URLs listed in the Non-authenticated URLs list, select the Deployment tab.

  14. In the Proxies for Domains and Subdomains field, enter the necessary web proxies.

  15. Click Add.

  16. Click Save.

  17. From a terminal window, restart the Gateway:

    ./psadmin start-sra-instance -u amadmin -f <password file> -N <profile name> -t gateway

Configuration 2

In this configuration the service providers, identity providers and the Common Domain Cookie Provider (CDCP) are not deployed in the corporate intranet, or the identity provider is a third party provider residing in the Internet.

In this configuration the Gateway points to the service provider, which is the Portal Server. This configuration is valid for multiple instances of the Portal Server.

Procedure: To Configure Gateway to a Service Provider (Portal Server)

  1. Log into the Portal Server administration console as administrator.

  2. Select the Secure Remote Access tab and select the appropriate gateway profile to modify its attributes.

  3. Select the Core tab.

  4. Select the Enable Cookie Management checkbox to enable cookie management.

  5. In the Portal Servers field, enter portal server names of the service provider to use the relative URLs such as: /amserver or /portal/dt listed in the Non-Authenticated URLs list.

    http://idp-host:port/amserver/js

    http://idp-host:port/amserver/UI/Login

    http://idp-host:port/amserver/css

    http://idp-host:port/amserver/SingleSignOnService

    http://idp-host:port/amserver/UI/blank

    http://idp-host:port/amserver/postLogin

    http://idp-host:port/amserver/login_images

  6. Click Save.

  7. Click the Security tab.

  8. In the Non-Authenticated URLs list, add the Federation resources. For example:

    /amserver/config/federation

    /amserver/IntersiteTransferService

    /amserver/AssertionConsumerservice

    /amserver/fed_images

    /amserver/preLogin

    /portal/dt

  9. Click Add.

  10. Click Save.

  11. If web proxies are needed to reach the URLs listed in the Non-authenticated URLs list, select the Deployment tab.

  12. In the Proxies for Domains and Subdomains field, enter information about the web proxies.

  13. Click Add.

  14. Click Save.

  15. From a terminal window, restart the Gateway:

    ./psadmin start-sra-instance -u amadmin -f <password file> -N <profile name> -t gateway

Configuration 3

In this configuration the service providers, identity providers and the Common Domain Cookie Provider (CDCP) are not deployed in the corporate intranet, or the service provider is a third party provider residing in the Internet while the identity provider is protected by the Gateway.

In this configuration the Gateway points to the identity provider, which is the Portal Server.

This configuration is valid for multiple instances of the Portal Server. This configuration is unlikely on the Internet; however, some corporate networks may have such a configuration within their intranet, that is, the identity provider may reside in a subnet that is protected by a firewall while the service providers are directly accessible from within the corporate network.

Procedure: To Configure Gateway to an Identity Provider (Portal Server)

  1. Log into the Portal Server administration console as administrator.

  2. Select the Secure Remote Access tab and select the appropriate gateway profile to modify its attributes.

  3. Select the Core tab.

  4. Select the Enable Cookie Management checkbox to enable cookie management.

  5. In the Portal Servers field, enter the portal server name of the identity provider to use the relative URLs such as: /amserver or /portal/dt listed in the Non-Authenticated URLs list.

    http://idp-host:port/amserver/js

    http://idp-host:port/amserver/UI/Login

    http://idp-host:port/amserver/css

    http://idp-host:port/amserver/SingleSignOnService

    http://idp-host:port/amserver/UI/blank

    http://idp-host:port/amserver/postLogin

    http://idp-host:port/amserver/login_images

  6. Click Save.

  7. Select the Security tab.

  8. In the Non-authenticated URLs list, add the federation resources. For example:

    /amserver/config/federation

    /amserver/IntersiteTransferService

    /amserver/AssertionConsumerservice

    /amserver/fed_images

    /amserver/preLogin

    /portal/dt

  9. Click Add.

  10. Click Save.

  11. If web proxies are needed to reach the URLs listed in the Non-authenticated URLs list, select the Deployment tab.

  12. In the Proxies for Domains and Subdomains field, enter information about the web proxies.

  13. Click Add.

  14. Click Save.

  15. From a terminal window, restart the Gateway:

    ./psadmin start-sra-instance -u amadmin -f <password file> -N <profile name> -t gateway