iChain® 2.1: Introduction and Overview
Lee Howarth, Product Manager, Novell, Inc. (lhowarth@novell.com)
www.novell.com



Vision: one Net
A world where networks of all types—corporate and public, intranets, extranets, and the Internet—work together as one Net and securely connect employees, customers, suppliers, and partners across organizational boundaries

Mission
To solve complex business and technical challenges with Net business solutions that enable people, processes, and systems to work together and our customers to profit from the opportunities of a networked world


Agenda

• What is iChain®?
• Architectural overview
• iChain features
• Demonstration
• Affiliate Connector (quick intro)
• Question and answer


What Is iChain?

• “iChain is a security and management infrastructure that provides a common security framework for enabling eBusiness services while at the same time reducing complexity and total cost of ownership”

• iChain is a gatekeeper to web-based resources


Today’s Typical Environment

(Diagram.) Employees on the intranet, partners on the extranet and customers on the Internet reach the web servers and applications (e-mail, ERP, CRM) through the firewall. Each application carries its own security layer, and each person holds a different account on each one: the same employee appears as LHowarth, HowarthL and 7748, another as GabeW, WatG and 7366, and a third as MYHales, HalesMY and 2298, each paired with its own credential placeholder (xxx, yyy, zzz).


One Net with Novell iChain

(Diagram.) Novell eDirectory™ becomes the single security infrastructure. Employees, customers and partners each keep one identity (LHowarth - xxx, GabeW - xxx, MYHales - xxx) and reach the same web servers and applications (e-mail, ERP, CRM), with Novell iChain and the firewall between the users and the servers.


Novell iChain—How Does It Work?

(Diagram.) The browser talks to the iChain Proxy Server, which consults the iChain Authorization Server before passing requests on to the web and application servers. Five functions are shown along that path:

1. Authentication—Who are you?
2. Access control—What do you have access to?
3. Single sign-on
4. OLAC (Personalization)
5. Data confidentiality

Example of the data the proxy can pass to a back-end server: User=xx Password=xx (single sign-on) and Books=Thrillers, Horrors (personalization).


Domain-Based Multi-Homing—Access Multiple Services through One Public IP Address

(Diagram.) The DNS entries for www.novell.com, support.novell.com and developer.novell.com all resolve to one public address, 192.233.80.5, the iChain Proxy Server. The browser sends the name it asked for (for example www.novell.com) in the HTTP Host header, and the proxy uses that header to choose the matching web or application server on the internal addresses 10.0.0.1, 10.0.0.2 and 10.0.0.3. The iChain Authorization Server is consulted as in the previous diagram.
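The Host-header selection described above, as an added example that is not iChain code. The public address, the three host names and the three internal addresses are the slide's; which name maps to which internal address, the request samples and the refusal of requests with no or an unknown Host header are constructed here. The point a practitioner wants to see is the last one: a request aimed at the bare public IP, or at a name the proxy has not been told about, gets no back end at all rather than a default one.

```python
"""Domain-based multi-homing: pick the back-end server from the HTTP Host header.

Added example, not iChain code. Public address, host names and internal
addresses are taken from the slide; the name-to-address pairing is an assumption.
"""
from typing import Dict, Optional, Tuple

PUBLIC_IP = "192.233.80.5"  # the single public address in the slide's DNS entries

# Accelerator table (constructed pairing of the slide's names and addresses).
ACCELERATORS: Dict[str, str] = {
    "www.novell.com": "10.0.0.1",
    "support.novell.com": "10.0.0.2",
    "developer.novell.com": "10.0.0.3",
}


def parse_request_head(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Return (request line, headers) from the head of an HTTP/1.x request.

    Header names are lower-cased. A request with two Host headers is rejected
    outright, because the proxy and the back end could otherwise honour different ones.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    request_line, header_lines = lines[0], lines[1:]
    headers: Dict[str, str] = {}
    for line in header_lines:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        name = name.strip().lower()
        if name == "host" and "host" in headers:
            raise ValueError("duplicate Host header")
        headers[name] = value.strip()
    return request_line, headers


def normalise_host(value: str) -> str:
    """Lower-case the Host value and drop an explicit port (www.novell.com:443)."""
    host = value.strip().lower()
    if host.startswith("["):            # IPv6 literal; left alone, none are configured here
        return host
    return host.rsplit(":", 1)[0] if ":" in host else host


def select_backend(raw_request: bytes) -> Optional[str]:
    """Internal address for this request, or None when the request must be refused.

    None, not a default server, is returned for a missing or unknown Host so that a
    request addressed to the bare public IP cannot land on an accelerator by accident.
    """
    _, headers = parse_request_head(raw_request)
    host = headers.get("host")
    if host is None:
        return None
    return ACCELERATORS.get(normalise_host(host))


# Constructed sample requests, as a browser would send them to 192.233.80.5.
REQ_WWW = b"GET /index.html HTTP/1.1\r\nHost: www.novell.com\r\n\r\n"
REQ_SUPPORT_PORT = b"GET / HTTP/1.1\r\nHost: Support.Novell.com:443\r\n\r\n"
REQ_BARE_IP = b"GET / HTTP/1.1\r\nHost: 192.233.80.5\r\n\r\n"
REQ_NO_HOST = b"GET / HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for req in (REQ_WWW, REQ_SUPPORT_PORT, REQ_BARE_IP, REQ_NO_HOST):
        label = req.split(b"\r\n")[1] or b"(no Host header)"
        print(label.decode(), "->", select_backend(req))
```

The lookup is case-insensitive and ignores a port suffix, since browsers may send either form for the same accelerator; everything else about the Host value must match a configured name exactly.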


Authentication Service

• Standard browser-based access (no client)
• No agents required on web servers
• Multiple authentication methods (multi-factor)
  – LDAP—UserID/password (e-mail address or any LDAP field)
  – X.509 certificates
  – Token (RSA, Vasco, Secure Computing)—dependent on RADIUS
• UserID and password sent over HTTPS (HTTP optional)


Authorization Services

• Access control
  – Leverages eDirectory hierarchy and inheritance
  – Access based on rules stored in eDirectory
• Three different levels available
  – “Public”—no authentication or access control
  – “Restricted”—authentication only
  – “Secure”—authentication and access control
• Access rules may be assigned to
  – Users
  – Groups
  – Containers (O, OU, etc.)


Dynamic Access Control

• Adds greater flexibility to satisfy security policies
• Access based on identity information
  – Example Dynamic Access Control rule: “Object type=User” AND “Description=Manager”
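The decision logic of the two slides above (Authorization Services and Dynamic Access Control) as one added example; this is not iChain code. The three protection levels, the three kinds of rule subject (user, group, container) and the rule “Object type=User” AND “Description=Manager” are the slides'; the directory entries, the resource table and the rule set are constructed. The example shows how a container rule is inherited down the tree and how the dynamic rule grants access on attributes alone, and that a Secure resource with no matching rule is denied rather than falling back to authentication-only.

```python
"""Access-control decision modelled on the Authorization Services and Dynamic
Access Control slides. Added example, not iChain code; directory, resources and
rules are constructed, the levels and rule kinds are the slides'.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Entry:
    dn: str
    attrs: Dict[str, str]
    groups: List[str] = field(default_factory=list)


@dataclass
class Rule:
    resource: str                                        # URL prefix; sub-paths inherit it
    subjects: List[str] = field(default_factory=list)    # user, group or container DNs
    attribute_match: Dict[str, str] = field(default_factory=dict)  # dynamic rule: all must hold


# Constructed eDirectory-style entries (DN values contain no commas).
DIRECTORY: Dict[str, Entry] = {e.dn: e for e in [
    Entry("cn=lhowarth,ou=sales,o=novell", {"objectClass": "User", "Description": "Manager"}),
    Entry("cn=gabew,ou=eng,o=novell", {"objectClass": "User", "Description": "Engineer"},
          groups=["cn=finance-users,o=novell"]),
    Entry("cn=myhales,ou=eng,o=novell", {"objectClass": "User", "Description": "Manager"}),
]}

# Constructed protection levels; the longest matching prefix decides.
RESOURCES: Dict[str, str] = {
    "/": "Public",
    "/intranet/": "Restricted",
    "/erp/": "Secure",
    "/erp/approvals/": "Secure",
}

# Constructed rules: a static one for a container and a group, then the slide's
# dynamic rule, which looks at attributes instead of position in the tree.
RULES: List[Rule] = [
    Rule("/erp/", subjects=["ou=sales,o=novell", "cn=finance-users,o=novell"]),
    Rule("/erp/approvals/", attribute_match={"objectClass": "User", "Description": "Manager"}),
]


def parent_containers(dn: str) -> List[str]:
    """Containers above a DN: 'cn=a,ou=b,o=c' -> ['ou=b,o=c', 'o=c']."""
    parts = dn.split(",")
    return [",".join(parts[i:]) for i in range(1, len(parts))]


def protection_level(path: str) -> str:
    matches = [p for p in RESOURCES if path.startswith(p)]
    return RESOURCES[max(matches, key=len)]


def subject_matches(entry: Entry, subject_dn: str) -> bool:
    """The subject is the user itself, one of its groups, or a container above it
    (a container rule is inherited by everything beneath it)."""
    s, dn = subject_dn.lower(), entry.dn.lower()
    return s == dn or s in (g.lower() for g in entry.groups) or s in parent_containers(dn)


def rule_matches(entry: Entry, rule: Rule) -> bool:
    if not rule.subjects and not rule.attribute_match:
        return False                        # an empty rule grants nothing
    if rule.subjects and not any(subject_matches(entry, s) for s in rule.subjects):
        return False
    return all(entry.attrs.get(k) == v for k, v in rule.attribute_match.items())


def authorize(path: str, user_dn: Optional[str]) -> str:
    """'allow', 'deny', or 'authenticate' (the proxy must log the user in first)."""
    level = protection_level(path)
    if level == "Public":
        return "allow"
    if user_dn is None:
        return "authenticate"
    entry = DIRECTORY.get(user_dn)
    if entry is None:
        return "deny"                       # authenticated name unknown to the directory
    if level == "Restricted":
        return "allow"                      # authentication is all that is required
    # Secure: deny unless a rule covering this path matches the user.
    return "allow" if any(path.startswith(r.resource) and rule_matches(entry, r)
                          for r in RULES) else "deny"


if __name__ == "__main__":
    for path, who in [("/", None), ("/intranet/news", None),
                      ("/erp/orders", "cn=gabew,ou=eng,o=novell"),
                      ("/erp/orders", "cn=myhales,ou=eng,o=novell"),
                      ("/erp/approvals/q3", "cn=myhales,ou=eng,o=novell")]:
        print(f"{path:20} {who or '(anonymous)':32} -> {authorize(path, who)}")
```

The evaluation order matters: level first, then identity, then rules. That keeps a Restricted resource from accidentally consulting rules meant for Secure ones, and keeps a Secure resource deny-by-default when no rule names the user, their group, their container or their attributes.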


Single Sign-On/Personalization

• iChain Proxy forwards user information to back-end web servers—utilizes object level access control (OLAC)
  – Used for single sign-on: ICHAIN_UID and ICHAIN_PWD can be mapped to any LDAP field (allows different names/passwords to be sent to the web server)
  – Used for personalization: sends “Parameter=Values” (retrieved using LDAP)
• Form fill authentication
  – Stores the credentials entered by the user (Novell SecretStore®)
  – Automatically fills the form on the next request


Data Confidentiality

• Secure exchange
  – Secure transparent (on-the-fly) encryption
  – Eliminates the need to use SSL on the web servers themselves: increases performance of the web server and decreases management tasks
• SSL encryption strength
  – Force 128-bit connections
• No cache setting


User and Access Management

• Browser-based utilities to change user profile information and passwords
• Leverages eDirectory restrictions
  – Time restrictions, intruder lockout, password history, password expiration and grace logins
• Offers enhanced password management features
  – Non-dictionary words, minimum number of numerals/characters


iChain 2.1—User Certificate Mapping

• Why do we need this?
  – iChain must know the distinguished name of the user to enforce access control
  – Third-party certificate authorities will very rarely distribute certificates with this information in a correct format
• What does it do?
  – Provides a mapping between the information held in the certificate and the user’s distinguished name
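One way the mapping just described can be carried out, as an added example that is not iChain's own implementation. The need for it is the slide's: the certificate subject does not contain the eDirectory distinguished name, so some attribute in the certificate has to be matched against the directory. The policy here (match the subject e-mail address against the user's mail attribute first, then the subject CN against cn), the directory entries and the certificate subjects are constructed, and the certificate is assumed to have already been validated by the proxy before mapping. The check worth noting is that a match must be unique: zero hits and several hits both refuse the login.

```python
"""Certificate subject to user DN mapping. Added example, not iChain code.
Mapping policy, directory and subjects are constructed; the certificate is
assumed already validated (chain, signature, validity period).
"""
from typing import Dict, List, Optional, Tuple

# Constructed directory: DN -> attributes. Two users share a CN on purpose.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "cn=lhowarth,ou=sales,o=novell": {"cn": "Lee Howarth", "mail": "lhowarth@novell.com"},
    "cn=gabew,ou=eng,o=novell": {"cn": "Gabe W", "mail": "gabew@novell.com"},
    "cn=gwatson,ou=support,o=novell": {"cn": "Gabe W", "mail": "gwatson@novell.com"},
}

# Printed-subject attribute names folded to the directory attribute they map to.
ALIASES = {"e": "mail", "emailaddress": "mail", "cn": "cn", "o": "o", "ou": "ou", "c": "c"}


def parse_subject(subject: str) -> Dict[str, str]:
    """Split 'E=a@b, CN=Name, O=Org, C=US' into a dict with normalised keys.

    Values are assumed to contain no commas; a production parser would read the
    DER-encoded Name instead of a printed string.
    """
    fields: Dict[str, str] = {}
    for rdn in subject.split(","):
        key, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"bad RDN: {rdn!r}")
        key = key.strip().lower()
        fields[ALIASES.get(key, key)] = value.strip()
    return fields


def find_users(attr: str, value: str) -> List[str]:
    """DNs whose attribute equals value, case-insensitively (an LDAP equality match)."""
    return [dn for dn, attrs in DIRECTORY.items()
            if attrs.get(attr, "").lower() == value.lower()]


def map_certificate_subject(subject: str) -> Tuple[str, Optional[str]]:
    """Map a certificate subject to exactly one user DN.

    Returns ('mapped', dn) on a unique hit, ('unmapped', None) when nothing
    matches and ('ambiguous', None) when several users match, because enforcing
    access control for the wrong person is worse than refusing the login.
    """
    fields = parse_subject(subject)
    for cert_attr, dir_attr in (("mail", "mail"), ("cn", "cn")):
        if cert_attr not in fields:
            continue
        hits = find_users(dir_attr, fields[cert_attr])
        if len(hits) == 1:
            return "mapped", hits[0]
        if len(hits) > 1:
            return "ambiguous", None
    return "unmapped", None


if __name__ == "__main__":
    for subj in ("E=lhowarth@novell.com, CN=Lee Howarth, O=Example CA Customers, C=US",
                 "CN=Gabe W, O=Example CA Customers, C=US",
                 "CN=Nobody, O=Example CA Customers, C=US"):
        print(subj, "->", map_certificate_subject(subj))
```

Because the e-mail attribute is tried before the CN, a certificate that carries an address maps unambiguously even when the CN is shared; a certificate with only a CN maps only if that CN is unique in the directory.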


iChain 2.1—User Certificate Mapping

• How is it configured?


iChain 2.1—Custom Re-Writer

• Why do we need this?
  – When hiding the internal DNS infrastructure, the browser must know how to get to services using the public DNS information
  – The default iChain re-writer automatically changes most of the relevant content as it passes through the proxy
  – Certain web applications (Oracle) hard-code DNS information into their data stream; this must be identified and changed


iChain 2.1—Custom Re-Writer

(Diagram: without custom re-write.) The browser requests Finance.novell.com; the iChain Proxy Server forwards the request to Oracle.prv.novell.com, and the Oracle application returns content that still names Oracle.prv.novell.com, a host the browser can only reach through the public name.


iChain 2.1—Custom Re-Writer

(Diagram: with custom re-write.) The browser requests finance.novell.com, the proxy forwards to Oracle.prv.novell.com, and the custom re-writer filter shown below replaces the hard-coded host in the returned content so that the browser receives finance.novell.com.

  [Name=oracleFilter]
  [Extension]
  Html, htm
  [Replace]
  <PARAM name=servHost Value=oracle.prv.novell.com> PARAM name=servHost Value=finance.novell.com
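The filter in action, as an added example that is not iChain's re-writer. The section names ([Name=...], [Extension], [Replace]) and the Oracle PARAM case come from the slide; the “old >> new” form of a [Replace] line, the simplified model of the default re-writer (host names inside absolute URLs only) and the sample response body are constructed here. It shows why the default re-writer misses the PARAM value, that the custom filter is applied only to responses whose extension it lists, and what the browser sees in each case.

```python
"""Custom re-writer filter, after the iChain 2.1 Custom Re-Writer slides.

Added example, not iChain's re-writer. Section names and the Oracle PARAM case
are the slide's; the 'old >> new' replace syntax, the default-rewriter model and
the sample body are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

FILTER_TEXT = """\
[Name=oracleFilter]
[Extension]
Html, htm
[Replace]
<PARAM name=servHost Value=oracle.prv.novell.com> >> <PARAM name=servHost Value=finance.novell.com>
"""

# Internal host -> public accelerator name, as on the slide.
HOST_MAP: Dict[str, str] = {"oracle.prv.novell.com": "finance.novell.com"}

# Constructed response body: an absolute URL the default re-writer fixes, and a
# hard-coded host in a PARAM value that it leaves alone.
SAMPLE_BODY = ('<a href="http://oracle.prv.novell.com/reports">Reports</a>\n'
               '<PARAM name=servHost Value=oracle.prv.novell.com>\n')


@dataclass
class RewriteFilter:
    name: str
    extensions: Set[str]
    replacements: List[Tuple[str, str]]


def parse_filter(text: str) -> RewriteFilter:
    name, extensions, replacements, section = None, set(), [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[Name=") and line.endswith("]"):
            name, section = line[len("[Name="):-1], None
        elif line == "[Extension]":
            section = "ext"
        elif line == "[Replace]":
            section = "rep"
        elif section == "ext":
            extensions.update(e.strip().lower() for e in line.split(",") if e.strip())
        elif section == "rep":
            old, sep, new = line.partition(" >> ")
            if not sep:
                raise ValueError(f"[Replace] line needs 'old >> new': {line!r}")
            replacements.append((old.strip(), new.strip()))
        else:
            raise ValueError(f"line outside any section: {line!r}")
    if name is None:
        raise ValueError("filter has no [Name=...] header")
    return RewriteFilter(name, extensions, replacements)


def default_rewrite(body: str) -> str:
    """Model of the default re-writer: internal host -> public host inside
    absolute URLs only, scheme preserved. Bare host names elsewhere are untouched."""
    for internal, public in HOST_MAP.items():
        body = re.sub(r"(https?://)" + re.escape(internal),
                      lambda m, p=public: m.group(1) + p, body, flags=re.IGNORECASE)
    return body


def path_extension(path: str) -> str:
    leaf = path.rsplit("/", 1)[-1]
    return leaf.rsplit(".", 1)[-1].lower() if "." in leaf else ""


def custom_rewrite(path: str, body: str, filt: RewriteFilter) -> str:
    """Apply the filter's literal replacements when the URL's extension is listed."""
    if path_extension(path) not in filt.extensions:
        return body
    for old, new in filt.replacements:
        body = body.replace(old, new)
    return body


def rewrite_response(path: str, body: str, filt: RewriteFilter) -> str:
    """What the browser receives: default re-write first, then the custom filter."""
    return custom_rewrite(path, default_rewrite(body), filt)


ORACLE_FILTER = parse_filter(FILTER_TEXT)

if __name__ == "__main__":
    print("without custom re-write:\n" + default_rewrite(SAMPLE_BODY))
    print("with custom re-write:\n" + rewrite_response("/forms/main.html", SAMPLE_BODY, ORACLE_FILTER))
```

The replacement is a literal string match, so the [Replace] entry must reproduce the application's output exactly, case included; that is why the slide says the hard-coded data must first be identified before it can be changed.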


iChain 2.1—Custom Login Pages

• Custom page for each accelerator


iChain 2.1—Custom Cert Error Page

• Why do we need this?
  – Accelerator configured to require a certificate
  – User has no certificate—presses Cancel, goes to a blank page
  – User has no idea what to do next


iChain 2.1—Session Broker

• Increases scalability of the iChain infrastructure
  – Shares authentication information between proxy servers

(Diagram.) Browser, proxy servers and session broker.


iChain 2.1


Affiliate Connector (Quick Intro)

• What is the Affiliate Connector?
  – Extends the iChain authentication and access control process to affiliates (partner sites)
• Web services
  – Uses Security Assertion Markup Language (SAML)
• Learn more
  – IO124—Implementing B2B and B2C Solutions Using Affiliate Connector


Affiliate Connector (Quick Intro)

(Diagram.) An affiliate user works through the affiliate site (a portal running the Affiliate Connector) and is handed over to Comp X., which runs iChain in front of its application server:

1. Authenticate (the affiliate user logs in to the affiliate site)
2. Link to Benefits service
3. Generate SAML token (the token carries Method = ID/PW, Perk = Silver, Name = John Doe, FF#987654321)
4. Redirect to Comp X.
5. Authenticate to iChain using the secure token
6. Enforce security policies (iChain, in front of the application server)


Learn More About iChain

• BUS227 Novell Solutions at Sesame Street
• BUS228 How iChain Helps Ticona Improve Business Operations
• BUS350 How Essentialtalk Uses iChain and eDirectory for Web Commerce


Learn More About iChain

• TUT254 iChain Configuration Using the Web Server Accelerator Wizard
• TUT254 Avoiding the Top iChain Technical Issues
• TUT361 CNI Education: Protecting the Network with Novell iChain


Win big: visit the Access and Security table in the one Net solutions lab to obtain an entry form.
