Mar 27

Are you prepared to Migrate from Novell iChain to Access Manager 3.1? (Part 1)

Tag: Access & Identity Management — March 27, 2009 @ 3:52 pm
Author:

C/D/H Consultant

Novell iChain is an integrated security solution that offers web single sign-on and remote authentication services, including secure authentication and access to portals, Web-based content and Citrix Thin Client services. It includes identity-based Web security services and enables authorized users, including employees, customers and partners, to securely authenticate from anywhere, at any time. iChain simplifies administration, secures irreplaceable data and accelerates your access to information and overall e-business integration.

Novell Access Manager comprises several tightly integrated components, each with an important role to play in controlling access to network content, applications and services. These components are fully compliant with Liberty Alliance, WS-Security and the Security Assertion Markup Language (both SAML 1.1 and SAML 2.0). They include:

  • Identity Server
  • Policy Engine
  • Access Gateway
  • Secure Sockets Layer Virtual Private Network (SSL VPN)
  • Java Application Agents
  • Management Interface

iChain general support ended December 01, 2008. It’s time to start planning for your migration to Access Manager. The following are suggestions to help you plan for a successful migration.

Before you migrate your resources from iChain to Access Manager, you need to know exactly how iChain was configured to protect your resources. You should export and have the following iChain files available:

  • Current .nas file
  • Export of iChain ISO object
  • Custom re-writer files
  • Form Fill policies: XML files and the source code for the associated HTML pages
  • Certificates used for SSL

Current .nas file

This file contains the appliance’s configuration settings as of the last apply command. You can view this file in the browser-based management tool if you want to see all of the commands used to recreate the current appliance configuration. To view the file, click System, click Import/Export, select Current under Configuration Files on Appliance, then click Download.

iChain ISO object

The iChain Service object (ISO) is an object in eDirectory that functions as the main component of Novell iChain security and the single sign-on environment. You can create the ISO by using the iChain ConsoleOne snap-ins found on the iChain Authorization Server Install CD. Prior to creating the iChain Service object, you must perform an iChain schema extension to the eDirectory server (or tree).

The iChain Proxy looks at the ISO to determine the following:

  • Activation details
  • Whether URLs accessed by users are protected
  • OLAC parameters
  • Form Fill policy
  • Trusted root container in eDirectory from which to copy the certificates to the proxy machine
  • Primary and secondary session broker addresses

Custom Rewriter Filter

The Novell iChain custom rewrite filter (rewrite.nlm) is a powerful tool that lets administrators search for user-specified strings and replace them with new strings. The rewrite filter replaces all occurrences of a user-specified string with the replacement string, irrespective of where the original string appears in the data.
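Because the filter matches irrespective of location, each custom rule is worth reviewing against real page content before it is carried over. The following is an added example, not part of the original post and not Novell's code: it imitates a location-blind rule with plain string replacement on a constructed page and reports where each match falls. The host names, the (search, replace) tuple format and the function names are assumptions; this is not the rewrite.nlm file syntax.

```python
import re

# Constructed sample of a backend response; all host names are made up.
SAMPLE_BODY = """<html><head>
<script>var api = "http://inner.example.internal/api";</script></head>
<body><a href="http://inner.example.internal/app/home">Home</a>
<p>Contact support at help@inner.example.internal for access.</p>
<img src="http://inner.example.internal.cdn.example.com/logo.png">
</body></html>"""

# Constructed rules as (search, replace) pairs (assumed format for this demo).
RULES = [("inner.example.internal", "www.example.com")]


def blind_rewrite(body, rules):
    """Replace every occurrence regardless of where it sits in the data."""
    for search, replace in rules:
        body = body.replace(search, replace)
    return body


def classify(body, pos):
    """Roughly label the context of offset pos: script, attribute or text."""
    before = body[:pos]
    if before.rfind("<script") > before.rfind("</script"):
        return "script"
    if before.rfind("<") > before.rfind(">"):
        return "attribute"
    return "text"


def audit(body, rules):
    """Return (search, context, partial) for each match, for rule review.

    partial is True when the match is only the front of a longer host name,
    which a location-blind replacement would silently turn into another host.
    """
    hits = []
    for search, _ in rules:
        for m in re.finditer(re.escape(search), body):
            tail = body[m.end():m.end() + 2]
            partial = bool(re.match(r"\.?[A-Za-z0-9-]", tail))
            hits.append((search, classify(body, m.start()), partial))
    return hits


if __name__ == "__main__":
    for search, context, partial in audit(SAMPLE_BODY, RULES):
        print(f"{search!r} matched in {context}, partial host: {partial}")
```

On the sample page the single rule also rewrites an e-mail address in body text and the front of an unrelated CDN host name, which is the kind of side effect to look for when reviewing each exported rewriter file.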

Form Fill Policies

The iChain Form Fill policy controls which forms are identified and filled. The Form Fill file contains any number of URL policies encoded in XML. For Form Fill to work, the iChain proxy user (specified on the Access Control page of the Web GUI) must be able to add and modify attributes on all user objects.

Certificates used for SSL

Export these from the iChain Console.

In a subsequent post, I’ll cover how to use these sources to compile all the information found in these files, and how you’ll apply them to Access Manager.
