Page 1: Novell® iChain® 2.3

Novell® iChain® 2.3

Page 2: Novell® iChain® 2.3

© April 12, 2023 Novell Inc, Confidential & Proprietary

What are the Customer Problems?

[Diagram: students, staff and professors on the Internet, Intranet and Extranet pass the firewall and reach the web servers and applications (NT IIS, Solaris/Netscape, Linux/Apache) directly, with a separate security layer at each server]

• Direct Access to Web Servers
• Multiple User Identities
• Need to install SSL services on each web server
• Need to change links in HTML content from HTTP to HTTPS
• Many different Web Server Technologies

Page 3: Novell® iChain® 2.3

Competitors' Solution

[Diagram: students, staff and professors on the Internet, Intranet and Extranet pass the firewall and reach the web servers and applications (NT IIS, Solaris/Netscape, Linux/Apache) directly, with a separate security layer at each server]

• Direct Access to Web Servers
• Need to install SSL services on each web server
• Need to change links in HTML content from HTTP to HTTPS
• Often need to modify applications' authentication process
• Many different Web Server Technologies

Page 4: Novell® iChain® 2.3

The Novell Solution

[Diagram: students, staff and professors on One Net reach the web servers and applications (NT IIS, Solaris/Netscape, Linux/Apache) only through iChain® and eDirectory™ behind the firewall, which together form a single security infrastructure]

• Single Authentication Point
• Provides Web Single Sign On
• Sends Personalized content to applications
• Rewrites HTML data
• Dynamically encrypts content as it passes through proxy
• Single SSL Certificate can be used for all internal web sites (proxy based)
• No change to HTML content
• No change to applications' authentication process
• Secures all HTTP servers
• Remove Direct Access to Web Servers

Page 5: Novell® iChain® 2.3

Novell iChain - How does it work?

[Diagram: the Browser talks to the iChain Proxy Server, which fronts the web and application servers; the iChain Authorization Server with its ACLs sits beside the proxy. The browser presents "User=xx Password=xx" and the proxy passes personalized data such as "Books=Thrillers, Horrors" on to the application]

1. Authentication - Who are you?
2. Access Control - What do you have access to?
3. Single Sign On
4. OLAC (Personalization)
5. Data Confidentiality

Page 6: Novell® iChain® 2.3

Authentication Service

Standard browser based access (no client)
No agents required on Web Servers
Multiple Authentication Methods (Multi-Factor)
• LDAP - UserID/Password (email address or any LDAP field)
• X.509 Certificates
• Token (RSA, Vasco, Secure Computing)
  – dependent on RADIUS

UserID and Password sent over HTTPS (HTTP optional)

Page 7: Novell® iChain® 2.3

Authorization Services

Resources are defined as:
• “Public” - no authentication or access control
• “Restricted” - authentication only
• “Secure” - authentication and access control

Access Control - Static and Dynamic Rules
• Access based on rules stored in eDirectory™
• Leverages NDS® hierarchy and inheritance
• Access rules may be assigned to Users, Groups, Roles and Containers (O, OU, etc.)
• Dynamic Rules support business logic by querying the user's object for specified identity information
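The Public / Restricted / Secure model with static and dynamic rules, as an added example in Python that is not Novell's code: a toy policy evaluator in which static rules name a user, group or container DN (inherited down the tree) and dynamic rules match attribute values on the user object. All DNs, URL prefixes and attribute names (o=acme, /intranet/hr/, department) are constructed.

```python
"""Toy evaluator for the Public / Restricted / Secure model above (added example, not Novell code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class User:
    dn: str                              # constructed DN, e.g. "cn=jdoe,ou=staff,o=acme"
    authenticated: bool = False
    groups: Set[str] = field(default_factory=set)          # group DNs the user belongs to
    attrs: Dict[str, str] = field(default_factory=dict)    # attributes on the user object

@dataclass
class Resource:
    url_prefix: str
    classification: str                  # "Public" | "Restricted" | "Secure"
    static_rules: List[str] = field(default_factory=list)        # user, group or container DNs
    dynamic_rules: Dict[str, str] = field(default_factory=dict)  # attribute -> required value

def rule_matches(user: User, res: Resource) -> bool:
    # Static rule: the user's own DN, one of its groups, or a container above it
    # (hierarchy and inheritance: a rule on o=acme covers cn=jdoe,ou=staff,o=acme).
    static = any(r == user.dn or r in user.groups or user.dn.lower().endswith("," + r.lower())
                 for r in res.static_rules)
    # Dynamic rule: every required attribute value must be present on the user object.
    dynamic = bool(res.dynamic_rules) and all(
        user.attrs.get(k) == v for k, v in res.dynamic_rules.items())
    return static or dynamic

def find_resource(url: str, resources: List[Resource]) -> Optional[Resource]:
    """Longest matching prefix wins; a URL not defined as a resource is not proxied."""
    hits = [r for r in resources if url.startswith(r.url_prefix)]
    return max(hits, key=lambda r: len(r.url_prefix)) if hits else None

def decide(url: str, user: Optional[User], resources: List[Resource]) -> str:
    res = find_resource(url, resources)
    if res is None:
        return "deny"
    if res.classification == "Public":
        return "allow"                   # no authentication, no access control
    if user is None or not user.authenticated:
        return "authenticate"            # Restricted and Secure both require a login first
    if res.classification == "Restricted":
        return "allow"                   # authentication only
    return "allow" if rule_matches(user, res) else "deny"   # Secure: a rule must match

RESOURCES = [   # constructed sample policy: HR pages need group membership or HR attributes
    Resource("/", "Public"),
    Resource("/intranet/", "Restricted"),
    Resource("/intranet/hr/", "Secure", static_rules=["cn=hr-admins,ou=groups,o=acme"],
             dynamic_rules={"department": "HR", "employeeStatus": "active"}),
]
```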

Page 8: Novell® iChain® 2.3

Automating Access Control – Integration with DirXML®

[Diagram: the PeopleSoft® HR application feeds user data through DirXML into eDirectory; the iChain Proxy evaluates a Dynamic Access Rule (ACL) that checks the User's attributes for matching criteria]

Page 9: Novell® iChain® 2.3

Single Sign-On / Personalization

iChain Proxy forwards user information to backend web servers - Utilizes Object Level Access Control (OLAC)
• OLAC is used for Single Sign-on
  – ICHAIN_UID and ICHAIN_PWD can be mapped to any LDAP field (allows different names / password to be sent to web server)
• OLAC is used for Personalization
  – Sends “Parameter=Values” (retrieved using LDAP)
• OLAC can retrieve user credentials from Novell SecretStore®

Form Fill Authentication
• Stores credentials entered by user (Novell SecretStore)
• Automatically fills form on next request

Page 10: Novell® iChain® 2.3

Data Confidentiality

Secure Exchange
• Secure Transparent (on the fly) encryption
• Eliminates the need to use SSL on web servers
  – Increases performance of web server
  – Decreases management tasks

SSL Encryption Strength
• Force 128-bit connections
• Force 3DES encryption (iChain 2.2)

No Cache Setting

Page 11: Novell® iChain® 2.3

User and Access Management

Browser Based Utilities to change user profile information and passwords
Leverages eDirectory restrictions
• Time Restrictions, Intruder Lockout, Password History, Password Expiration and Grace Logins
Offers enhanced Password Management features
• Non-Dictionary Words, Minimum number of numerals / characters

Page 12: Novell® iChain® 2.3

Typical Customer – ACME Inc.

[Diagram: a Browser connecting to ACME's PeopleSoft®, Oracle® and Windows2000® systems]

ACME Inc is looking to:
• Provide Authorized Access to Internal Systems from the Internet
• Provide Single Sign-On to all Services (for employees and customers)
• Maintain Data Confidentiality
• Deliver content as quickly as possible

Page 13: Novell® iChain® 2.3

ACME Inc. Basic (DMZ) Implementation

[Diagram: a Browser on the Internet reaches the Novell iChain Proxy (with Cache) in the DMZ; the iChain Authorization Server holds the ACLs; on the Intranet the backend systems (PeopleSoft®, Oracle®, Windows2000®) are reached with iChain Basic Authentication Single Sign-on or iChain Form Fill Single Sign-on]

• Provide Authorized Access to Internal Systems from the Internet
• Provide Single Sign-On to all Services (for employees and customers)
• Maintain Data Confidentiality
• Deliver content as quickly as possible

Page 14: Novell® iChain® 2.3

Implementation - Fault Tolerance / Load Balanced (DMZ)

[Diagram: Browser Web Traffic is distributed by an L4 Switch across two iChain Proxies; the proxies query eDirectory over LDAP, with a Backup LDAP server, and forward requests to the Web Servers]

Page 15: Novell® iChain® 2.3

SAML-based Single Sign-On

B2B partners need to ensure that they can trust the identity information being presented through a B2B partner

[Diagram: HOSPITAL 1 and HOSPITAL 2]
1. Physician connects to internal system and requests patient records from Hospital 2
2. Physician is redirected to Hospital 2 with SAML Assertions generated by Hospital 1
3. Hospital 2 needs to verify that the user's credentials were supplied by a trusted partner
4. After the physician's status is cleared, the patient details are securely delivered to the physician

Page 16: Novell® iChain® 2.3

SAML Extensions for iChain

Provides SAML-based single sign-on capabilities for iChain
• Single sign-on to-and-from business partners with SAML 1.0 capable products
• Supports authentication and attribute assertions
• Supports Browser Post and Artifact methods
• For more information please attend IO143 “SAML & Liberty Alliance Single Sign-on”

Page 17: Novell® iChain® 2.3

For more information…

Visit any of the following Web resources:
• Novell iChain product page: www.novell.com/products/ichain/
• Novell iChain Cool Solutions site: www.novell.com/coolsolutions/icmag/
• Novell Nsure solution site: www.novell.com/nsure

Page 18: Novell® iChain® 2.3

Novell® iChain® 2.3: Server Configuration

Page 19: Novell® iChain® 2.3

Novell® iChain® 2.3: Application Configuration

Page 20: Novell® iChain® 2.3

Novell® iChain® 2.3: Live Demonstration

Page 21: Novell® iChain® 2.3


Page 22: Novell® iChain® 2.3

Unpublished Work of Novell, Inc. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Novell, Inc., makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.