Novell® iChain® 2.3
© April 12, 2023 Novell Inc, Confidential & Proprietary2
What are the Customer Problems?
[Diagram: Internet users (Student, Staff, Professor) pass through a Firewall to Intranet/Extranet web servers and applications (NT IIS, Solaris/Netscape, Linux/Apache), with security implemented separately on each server]
• Direct Access to Web Servers
• Multiple User Identities
• Need to install SSL services on each web server
• Need to change links in HTML content from HTTP to HTTPS
• Many different Web Server Technologies
Competitors' Solution
[Diagram: Internet users (Student, Staff, Professor) pass through a Firewall to Intranet/Extranet web servers and applications (NT IIS, Solaris/Netscape, Linux/Apache), with security implemented separately on each server]
• Direct Access to Web Servers
• Need to install SSL services on each web server
• Need to change links in HTML content from HTTP to HTTPS
• Often need to modify applications' authentication process
• Many different Web Server Technologies
The Novell Solution
[Diagram: users (Student, Staff, Professor) on One Net pass through a Firewall to an iChain® proxy backed by eDirectory™, which forms a single security infrastructure in front of the web servers and applications (NT IIS, Solaris/Netscape, Linux/Apache)]
• Single Authentication Point
• Provides Web Single Sign On
• Sends Personalized content to applications
• Rewrites HTML data
• Dynamically encrypts content as it passes through proxy
• Single SSL Certificate can be used for all internal web sites (proxy based)
• No change to HTML content
• No change to applications' authentication process
• Secures all HTTP servers
• Removes Direct Access to Web Servers
Novell iChain - How does it work?
[Diagram: Browser -> Proxy Server (with iChain Authorization Server and ACLs) -> Web and application servers. The proxy passes "User=xx Password=xx" and personalization values such as "Books=Thrillers, Horrors" to the back end.]
1. Authentication - Who are you?
2. Access Control - What do you have access to?
3. Single Sign On
4. OLAC (Personalization)
5. Data Confidentiality
Authentication Service
• Standard browser based access (no client)
• No agents required on Web Servers
• Multiple Authentication Methods (Multi-Factor)
  – LDAP - UserID/Password (email address or any LDAP field)
  – X.509 Certificates
  – Token (RSA, Vasco, Secure Computing) - dependent on RADIUS
• UserID and Password sent over HTTPS (HTTP optional)
Authorization Services
Resources are defined as:
• “Public” - no authentication or access control
• “Restricted” - authentication only
• “Secure” - authentication and access control
Access Control - Static and Dynamic Rules
• Access based on rules stored in eDirectory™
• Leverages NDS® hierarchy and inheritance
• Access rules may be assigned to Users, Groups, Roles and Containers (O, OU, etc.)
• Dynamic Rules support business logic by querying the user's object for specified identity information
Automating Access Control – Integration with DirXML®
[Diagram: an HR application (PeopleSoft®) synchronizes user attributes into eDirectory through DirXML; the iChain Proxy then applies a Dynamic Access Rule from its ACL, checking the user's attributes for matching criteria]
Single Sign-On / Personalization
iChain Proxy forwards user information to backend web servers - utilizes Object Level Access Control (OLAC)
• OLAC is used for Single Sign-on
  – ICHAIN_UID and ICHAIN_PWD can be mapped to any LDAP field (allows different names / passwords to be sent to web server)
• OLAC is used for Personalization
  – Sends “Parameter=Values” (retrieved using LDAP)
• OLAC can retrieve user credentials from Novell SecretStore®
Form Fill Authentication
• Stores credentials entered by user (Novell SecretStore)
• Automatically fills form on next request
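The request flow described on the "How does it work?", "Authorization Services" and "Single Sign-On / Personalization" slides, as an added worked example in Python. This is not Novell code: it models a proxy that authenticates the user, classifies the resource as Public / Restricted / Secure, evaluates static rules (user, group or container DN, with container inheritance) and dynamic attribute rules, and then forwards the request with OLAC headers. The directory entries, rule format, resource table and every header name other than ICHAIN_UID / ICHAIN_PWD are constructed for illustration.

```python
"""Toy model of the iChain-style request pipeline: authenticate, classify the
resource, evaluate static and dynamic access rules, forward with OLAC headers.
Added example, not Novell's code; all data below is constructed."""
from dataclasses import dataclass, field

# Constructed "eDirectory" content. DNs are leaf-first, so a container DN is a
# suffix of every DN beneath it: a rule on "ou=students,o=acme" covers bob.
DIRECTORY = {
    "cn=alice,ou=staff,o=acme": {
        "mail": "alice@example.com", "department": "HR", "secret": "alice-pw",
        "groups": {"cn=hr-admins,o=acme"}},
    "cn=bob,ou=students,o=acme": {
        "mail": "bob@example.com", "department": "Physics", "secret": "bob-pw",
        "groups": set()},
}


@dataclass
class Rule:
    """Static rule: subject is a user, group or container DN.
    Dynamic rule: attribute/value the user object must carry."""
    subject: str = ""
    attribute: str = ""
    value: str = ""


@dataclass
class Resource:
    kind: str                                   # "public", "restricted", "secure"
    rules: list = field(default_factory=list)   # any matching rule grants access
    olac: dict = field(default_factory=dict)    # header name -> LDAP attribute


RESOURCES = {
    "/": Resource("public"),
    "/library/": Resource("restricted"),
    "/hr/": Resource("secure",
                     rules=[Rule(subject="cn=hr-admins,o=acme"),
                            Rule(attribute="department", value="HR")],
                     olac={"ICHAIN_UID": "mail", "ICHAIN_PWD": "secret"}),
    "/students/": Resource("secure",
                           rules=[Rule(subject="ou=students,o=acme")],
                           olac={"ICHAIN_UID": "cn"}),
}


def find_resource(path):
    """Longest-prefix match from URL path to protected resource."""
    prefix = max((p for p in RESOURCES if path.startswith(p)), key=len)
    return RESOURCES[prefix]


def authenticate(user_dn, password):
    entry = DIRECTORY.get(user_dn)
    return entry is not None and entry["secret"] == password


def rule_matches(rule, user_dn, entry):
    if rule.subject:                                        # static rule
        return (rule.subject == user_dn
                or rule.subject in entry["groups"]
                or user_dn.endswith("," + rule.subject))    # container inheritance
    return entry.get(rule.attribute) == rule.value          # dynamic rule


def authorize(path, user_dn):
    resource = find_resource(path)
    if resource.kind == "public":
        return True
    if user_dn is None:                 # restricted and secure both need a login
        return False
    if resource.kind == "restricted":
        return True
    entry = DIRECTORY[user_dn]
    return any(rule_matches(r, user_dn, entry) for r in resource.rules)


def build_backend_headers(path, user_dn, client_headers):
    """Headers the proxy forwards. Any ICHAIN_* header that arrived from the
    browser is dropped first: the origin trusts these values only because the
    proxy is its sole entry point, so client-supplied copies must never pass."""
    headers = {k: v for k, v in client_headers.items()
               if not k.upper().startswith("ICHAIN_")}
    if user_dn is not None:
        entry = dict(DIRECTORY[user_dn], cn=user_dn.split(",")[0][3:])
        for header, attr in find_resource(path).olac.items():
            headers[header] = entry[attr]
    return headers


def proxy_request(path, user_dn=None, password=None, client_headers=None):
    """Returns (HTTP status, headers sent to the origin server)."""
    if user_dn is not None and not authenticate(user_dn, password):
        return 401, {}
    if not authorize(path, user_dn):
        return (401 if user_dn is None else 403), {}
    return 200, build_backend_headers(path, user_dn, client_headers or {})


if __name__ == "__main__":
    print(proxy_request("/hr/payroll", "cn=alice,ou=staff,o=acme", "alice-pw",
                        {"ICHAIN_UID": "spoofed", "Accept": "*/*"}))
```

The header-stripping step is the detail worth keeping: the whole OLAC scheme rests on the "Remove Direct Access to Web Servers" bullet, so a proxy that relayed a browser-supplied ICHAIN_UID, or an origin still reachable without the proxy, would let anyone choose the identity the application sees.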
Data Confidentiality
Secure Exchange
• Secure Transparent (on the fly) encryption
• Eliminates the need to use SSL on web servers
  – Increases performance of web server
  – Decreases management tasks
SSL Encryption Strength
• Force 128-bit connections
• Force 3DES encryption (iChain 2.2)
No Cache Setting
User and Access Management
Browser Based Utilities to change user profile information and passwords
Leverages eDirectory restrictions
• Time Restrictions, Intruder Lockout, Password History, Password Expiration and Grace Logins
Offers enhanced Password Management features
• Non-Dictionary Words, Minimum number of numerals / characters
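The restrictions listed on this slide, carried through as one added Python example of how an account store can enforce them together. This is not Novell code and the limits are not eDirectory defaults: the policy values, the word list and the account layout are constructed for illustration, and the password hashing (PBKDF2) is a stand-in for whatever the directory uses.

```python
"""Password policy, password history, expiration with grace logins, time
restrictions and intruder lockout in one account model. Added example, not
Novell code; policy values and the word list are constructed."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta

DICTIONARY = {"password", "welcome", "novell", "letmein"}   # constructed word list


class Policy:
    min_length = 8
    min_numerals = 2
    history_size = 3                 # may not repeat any of the last N passwords
    max_age = timedelta(days=90)     # password expiration
    grace_logins = 2                 # logins allowed after expiry
    lockout_threshold = 3            # failed attempts before intruder lockout
    lockout_for = timedelta(minutes=15)
    allowed_hours = range(7, 20)     # time restriction: 07:00 to 19:59


class Account:
    def __init__(self):
        self.history = []            # (salt, digest) pairs, newest last
        self.password_set_at = None
        self.grace_used = 0
        self.failed = 0
        self.locked_until = None


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_new_password(account, candidate, policy=Policy):
    """Returns the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append("too short")
    if sum(c.isdigit() for c in candidate) < policy.min_numerals:
        problems.append("too few numerals")
    # strip digits before the dictionary lookup so "Password12" is still caught
    stem = "".join(c for c in candidate.lower() if c.isalpha())
    if candidate.lower() in DICTIONARY or stem in DICTIONARY:
        problems.append("dictionary word")
    if any(hmac.compare_digest(_hash(candidate, salt), digest)
           for salt, digest in account.history):
        problems.append("reused password")
    return problems


def set_password(account, candidate, now, policy=Policy):
    problems = check_new_password(account, candidate, policy)
    if problems:
        return problems
    salt = os.urandom(16)
    account.history = (account.history + [(salt, _hash(candidate, salt))])[-policy.history_size:]
    account.password_set_at = now
    account.grace_used = 0
    return []


def login(account, password, now, policy=Policy):
    """Returns one of: locked, outside_hours, bad_password, expired, ok_grace, ok."""
    if account.locked_until and now < account.locked_until:
        return "locked"
    if now.hour not in policy.allowed_hours:
        return "outside_hours"
    salt, digest = account.history[-1]
    if not hmac.compare_digest(_hash(password, salt), digest):
        account.failed += 1
        if account.failed >= policy.lockout_threshold:       # intruder lockout
            account.locked_until = now + policy.lockout_for
            account.failed = 0
            return "locked"
        return "bad_password"
    account.failed = 0
    if now - account.password_set_at > policy.max_age:      # password expiration
        if account.grace_used >= policy.grace_logins:
            return "expired"
        account.grace_used += 1
        return "ok_grace"
    return "ok"
```

Note the ordering in `login`: the lockout and time-restriction checks run before the password is compared, so a locked account gives no information about whether the supplied password was right, and the lockout window is checked against the supplied clock rather than a counter that never decays.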
Typical Customer – ACME Inc.
[Diagram: Browser clients reaching ACME's PeopleSoft®, Oracle® and Windows 2000® systems]
ACME Inc is looking to:
• Provide Authorized Access to Internal Systems from the Internet
• Provide Single Sign-On to all Services (for employees and customers)
• Maintain Data Confidentiality
• Deliver content as quickly as possible
Novell iChain
ACME Inc. Basic (DMZ) Implementation
[Diagram: Browser on the Internet -> iChain Proxy (with Cache) and iChain Authorization Server (ACLs) in the DMZ -> Intranet systems (PeopleSoft®, Oracle®, Windows 2000®) reached through iChain Basic Authentication Single Sign-on or iChain Form Fill Single Sign-on]
• Provide Authorized Access to Internal Systems from the Internet
• Provide Single Sign-On to all Services (for employees and customers)
• Maintain Data Confidentiality
• Deliver content as quickly as possible
Implementation - Fault Tolerance / Load Balanced (DMZ)
[Diagram: Browser -> L4 Switch distributing Web Traffic across two iChain Proxies -> Web Servers; each proxy queries eDirectory over LDAP, with a Backup LDAP server]
SAML-based Single Sign-On
B2B partners need to ensure that they can trust the identity information being presented through a B2B partner
[Diagram: HOSPITAL 1 and HOSPITAL 2]
1. Physician connects to internal system and requests patient records from Hospital 2
2. Physician is redirected to Hospital 2 with SAML Assertions generated by Hospital 1
3. Hospital 2 needs to verify that the user's credentials were supplied by a trusted partner
4. After the physician's status is cleared the patient details are securely delivered to the physician
SAML Extensions for iChain
Provides SAML-based single sign-on capabilities for iChain
• Single sign-on to-and-from business partners with SAML 1.0 capable products
• Supports authentication and attribute assertions
• Supports Browser Post and Artifact methods
• For more information please attend IO143 “SAML & Liberty Alliance Single Sign-on”
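The Hospital 1 / Hospital 2 exchange on the previous slide and the Browser POST method named on this one, as an added Python example with both sides' messages. This is not Novell's SAML extension code: a JSON body with an HMAC stands in for the SAML 1.0 XML assertion and its XML signature (a real deployment verifies the partner's signing certificate rather than sharing a secret), and the keys, URLs, subject and attributes are constructed. It shows what step 3, "verify that the user's credentials were supplied by a trusted partner", has to cover: trusted issuer, intact signature, intended audience, validity window and no replay.

```python
"""Issuer (Hospital 1) signs an authentication + attribute assertion; the
browser POSTs it to the relying party (Hospital 2), which verifies it before
releasing records. Added example, not Novell code; HMAC stands in for XML-DSig."""
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timedelta, timezone

# Constructed trust configuration (assumed names and key).
HOSPITAL1_KEY = b"hospital1-signing-secret"
HOSPITAL1 = "https://hospital1.example/saml"
HOSPITAL2 = "https://hospital2.example/saml"


def canonical(body):
    """Stable serialisation so signer and verifier hash identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_assertion(issuer, key, subject, attributes, audience, now,
                    lifetime=timedelta(minutes=5)):
    """Issuer side: build and sign the assertion."""
    body = {
        "id": secrets.token_hex(16),                 # unique per assertion
        "issuer": issuer,
        "subject": subject,
        "authn_instant": now.isoformat(),            # authentication statement
        "attributes": attributes,                    # attribute statement
        "not_before": now.isoformat(),
        "not_on_or_after": (now + lifetime).isoformat(),
        "audience": audience,                        # who may consume it
    }
    return {"assertion": body,
            "signature": hmac.new(key, canonical(body), hashlib.sha256).hexdigest()}


class RelyingParty:
    """Partner side: accepts only assertions from configured trusted issuers."""
    def __init__(self, audience, trusted_issuers):
        self.audience = audience
        self.trusted_issuers = trusted_issuers       # issuer -> verification key
        self.seen_ids = set()                        # replay cache

    def verify(self, message, now):
        body = message["assertion"]
        key = self.trusted_issuers.get(body.get("issuer"))
        if key is None:
            return "untrusted issuer"
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, message["signature"]):
            return "bad signature"                   # also catches edited attributes
        if body["audience"] != self.audience:
            return "wrong audience"
        not_before = datetime.fromisoformat(body["not_before"])
        not_on_or_after = datetime.fromisoformat(body["not_on_or_after"])
        if not not_before <= now < not_on_or_after:
            return "outside validity window"
        if body["id"] in self.seen_ids:
            return "replayed"
        self.seen_ids.add(body["id"])
        return "ok"


def browser_post_flow(rp, message, now):
    """The browser POSTs the signed assertion; returns (verdict, records_released).
    Authorization (role check) runs only after the assertion is verified."""
    verdict = rp.verify(message, now)
    if verdict != "ok":
        return verdict, False
    return verdict, message["assertion"]["attributes"].get("role") == "physician"


if __name__ == "__main__":
    now = datetime(2023, 4, 12, 10, 0, tzinfo=timezone.utc)
    rp = RelyingParty(HOSPITAL2, {HOSPITAL1: HOSPITAL1_KEY})
    msg = issue_assertion(HOSPITAL1, HOSPITAL1_KEY, "dr.jones",
                          {"role": "physician"}, HOSPITAL2, now)
    print(browser_post_flow(rp, msg, now))
```

The short lifetime and the replay cache matter most with the Browser POST method, because the assertion travels through the user's browser and can be captured or resubmitted; the Artifact method instead hands the browser only a reference that Hospital 2 resolves directly with Hospital 1.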
For more information…
Visit any of the following Web resources:
• Novell iChain product page: www.novell.com/products/ichain/
• Novell iChain Cool Solutions site: www.novell.com/coolsolutions/icmag/
• Novell Nsure solution site: www.novell.com/nsure
Novell® iChain® 2.3 Server Configuration
Novell® iChain® 2.3 Application Configuration
Novell® iChain® 2.3 Live Demonstration
Unpublished Work of Novell, Inc. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Novell, Inc., makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.