www.novell.com
iChain® 2.1: Introduction and Overview
Lee Howarth, Product Manager, Novell, [email protected]
Vision: one Net. A world where networks of all types (corporate and public, intranets, extranets, and the Internet) work together as one Net and securely connect employees, customers, suppliers, and partners across organizational boundaries.
Mission: To solve complex business and technical challenges with Net business solutions that enable people, processes, and systems to work together and our customers to profit from the opportunities of a networked world.
Agenda
• What is iChain®?
• Architectural overview
• iChain features
• Demonstration
• Affiliate Connector (quick intro)
• Question and answer
What Is iChain?
• “iChain is a security and management infrastructure that provides a common security framework for enabling eBusiness services while at the same time reducing complexity and total cost of ownership”
• iChain is a gatekeeper to web-based resources
Today's Typical Environment
[Diagram: each web server and application (ERP, CRM, an employee intranet, a partner extranet, a customer Internet site) sits behind the firewall with its own separate security, and every user carries a different credential for each one; the slide shows one employee as LHowarth - xxx, HowarthL - yyy and 7748 - zzz, another as GabeW - xxx, WatG - yyy and 7366 - zzz, and a third as MYHales - xxx, HalesMY - yyy and 2298 - zzz.]
One Net
[Diagram: the same web servers and applications (ERP, CRM) behind the firewall share one security infrastructure, Novell eDirectory™, and each employee, customer and partner holds a single credential: MYHales - xxx, LHowarth - xxx, GabeW - xxx.]
Novell iChain
[Diagram: Browser → Firewall → iChain Proxy Server → web and application servers, with the proxy consulting the iChain Authorization Server. The security functions iChain places in front of the web servers:]
1. Authentication: who are you? (the browser supplies User=xx Password=xx)
2. Access control: what do you have access to?
3. Single sign-on
4. OLAC (personalization), e.g. Books=Thrillers, Horrors
5. Data confidentiality
Novell iChain: How Does It Work?
[Diagram: the browser talks only to the iChain Proxy Server; the proxy authenticates and authorizes the user against the iChain Authorization Server and then forwards the request to the web and application servers behind it.]
Domain-Based Multi-Homing: Access Multiple Services through One Public IP Address
[Diagram: the public address 192.233.80.5 fronts three internal servers, 10.0.0.1, 10.0.0.2 and 10.0.0.3. The DNS entries www.novell.com, support.novell.com and developer.novell.com all resolve to the public address.]
• The browser sends the requested name (e.g. www.novell.com) in the HTTP Host header; the proxy uses that header to pick the internal server.
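The selection step above, written out as an added example (this is illustration code, not iChain's implementation): parse the request head, take the name from the Host header (or from an absolute-form request target, which takes precedence), and look it up in an accelerator table built from the slide's addresses. The request parser and the refuse-anything-unknown policy are assumptions about sensible proxy behaviour, not documented iChain defaults.

```python
"""Host-header based multi-homing in the style of iChain's domain-based
multi-homing: one public IP, several origin servers selected by the HTTP
Host header.  Added illustration, not iChain code.  The addresses and names
are the ones on the slide; the parser and the reject-unknown-host policy are
assumptions about sensible proxy behaviour, not documented iChain defaults.
"""

# Constructed accelerator table (slide values): public name -> internal origin.
PUBLIC_IP = "192.233.80.5"
ACCELERATORS = {
    "www.novell.com": ("10.0.0.1", 80),
    "support.novell.com": ("10.0.0.2", 80),
    "developer.novell.com": ("10.0.0.3", 80),
}


class RoutingError(ValueError):
    """Raised when a request cannot be mapped to exactly one origin."""


def parse_request_head(raw: bytes):
    """Split an HTTP/1.x request head into (method, target, headers).

    Header names are lower-cased.  A repeated Host header is rejected rather
    than silently merged: two hops disagreeing about which copy wins is a
    classic routing confusion.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3:
        raise RoutingError("malformed request line")
    method, target, _version = parts
    headers = {}
    for line in header_lines:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise RoutingError("malformed header line")
        key = name.strip().lower()
        if key in headers:
            if key == "host":
                raise RoutingError("duplicate Host header")
            headers[key] += ", " + value.strip()
        else:
            headers[key] = value.strip()
    return method, target, headers


def normalize_host(host: str) -> str:
    """Lower-case the name and drop an explicit port and trailing dot."""
    host = host.strip().lower()
    if host.startswith("["):
        raise RoutingError("IP literals are not accelerated")
    name, sep, port = host.rpartition(":")
    if sep:
        if not port.isdigit():
            raise RoutingError("bad port in Host")
        host = name
    return host.rstrip(".")


def select_origin(raw: bytes):
    """Return the (ip, port) origin for a request, or raise RoutingError."""
    _method, target, headers = parse_request_head(raw)
    # An absolute-form target (GET http://host/path) overrides Host (RFC 7230 s5.4).
    if target.lower().startswith(("http://", "https://")):
        host = target.split("/")[2]
    else:
        host = headers.get("host", "")
    if not host:
        raise RoutingError("no Host header")
    key = normalize_host(host)
    if key not in ACCELERATORS:
        # Default-deny: never fall back to "the first accelerator".
        raise RoutingError(f"no accelerator for {key!r}")
    return ACCELERATORS[key]


def route_or_none(raw: bytes):
    """Convenience wrapper: origin tuple, or None when the request is refused."""
    try:
        return select_origin(raw)
    except RoutingError:
        return None
```

The point worth checking in any Host-based front end is the two failure paths: an unknown or missing name must be refused rather than routed to a default origin, and a duplicated Host header must be refused rather than resolved by picking one copy.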
Authentication Service
• Standard browser-based access (no client)
• No agents required on web servers
• Multiple authentication methods (multi-factor):
– LDAP: user ID/password (e-mail address or any LDAP field)
– X.509 certificates
– Token (RSA, Vasco, Secure Computing), dependent on RADIUS
• User ID and password sent over HTTPS (HTTP optional)
Authorization Services
• Access control
– Leverages eDirectory hierarchy and inheritance
– Access based on rules stored in eDirectory
• Three different levels available:
– "Public": no authentication or access control
– "Restricted": authentication only
– "Secure": authentication and access control
• Access rules may be assigned to users, groups, or containers (O, OU, etc.)
Dynamic Access Control
• Adds greater flexibility to satisfy security policies
• Access based on identity information, e.g. a dynamic access control rule of "Object type=User" AND "Description=Manager"
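The three protection levels, rules assigned to users, groups or containers with inheritance down the tree, and the slide's dynamic rule ("Object type=User" AND "Description=Manager") combined in one evaluator, as an added example that is not iChain's code. The DNs, URL paths and attribute names are constructed; treating an unlisted path as "Secure" (default deny) is an assumption about policy, not an iChain default.

```python
"""Access-control evaluation in the style described above: a resource is
Public, Restricted or Secure, and Secure resources are granted by rules
assigned to users, groups or containers in the directory tree, optionally
narrowed by identity attributes (dynamic access control).  Added example, not
iChain code; the DNs, paths and attribute names are constructed, and the
default-deny for unlisted paths is an assumption.
"""
import posixpath
from dataclasses import dataclass, field


@dataclass
class User:
    dn: str                                   # e.g. "cn=lhowarth,ou=employees,o=novell"
    groups: frozenset = frozenset()           # DNs of groups the user belongs to
    attrs: dict = field(default_factory=dict) # LDAP attributes


def _rdns(dn: str):
    # Simplification: the constructed DNs contain no escaped commas.
    return [part.strip().lower() for part in dn.split(",")]


def in_container(dn: str, container: str) -> bool:
    """True when dn sits below container in the tree (inheritance)."""
    d, c = _rdns(dn), _rdns(container)
    return len(d) > len(c) and d[-len(c):] == c


def normalize(path: str) -> str:
    """Collapse '.', '..' and '//' before any prefix match, so that
    /public/../finance/x is judged as /finance/x."""
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)


def under(path: str, prefix: str) -> bool:
    """Segment-aware prefix test: /finance matches /finance/x, not /financex."""
    p = posixpath.normpath(prefix)
    return path == p or path.startswith(p + "/")


@dataclass
class AccessRule:
    name: str
    path_prefix: str
    subjects: tuple = ()                              # user, group or container DNs
    conditions: dict = field(default_factory=dict)    # attr -> required value (dynamic)

    def matches_subject(self, user: User) -> bool:
        if not self.subjects:
            return True   # purely dynamic rule: membership comes from conditions alone
        mine = {user.dn.lower()} | {g.lower() for g in user.groups}
        return any(s.lower() in mine or in_container(user.dn, s) for s in self.subjects)

    def matches_conditions(self, user: User) -> bool:
        return all(user.attrs.get(a, "").lower() == v.lower()
                   for a, v in self.conditions.items())

    def grants(self, path: str, user: User) -> bool:
        return (under(path, self.path_prefix)
                and self.matches_subject(user)
                and self.matches_conditions(user))


# Constructed policy.  Protection levels: the longest matching prefix wins.
LEVELS = {"/public": "public", "/intranet": "restricted", "/finance": "secure"}
RULES = [
    # The slide's dynamic rule, scoped to the employee container so that a
    # partner entry carrying Description=Manager gets nothing from it.
    AccessRule("finance-managers", "/finance",
               subjects=("ou=employees,o=novell",),
               conditions={"objectClass": "User", "description": "Manager"}),
    # A plain group rule for one subtree of the same accelerator.
    AccessRule("finance-reports-group", "/finance/reports",
               subjects=("cn=finance,ou=groups,o=novell",)),
]

# Constructed users.
LEE = User("cn=lhowarth,ou=employees,o=novell",
           attrs={"objectClass": "User", "description": "Manager"})
GABE = User("cn=gabew,ou=employees,o=novell",
            groups=frozenset({"cn=finance,ou=groups,o=novell"}),
            attrs={"objectClass": "User", "description": "Engineer"})
PARTNER = User("cn=acme,ou=partners,o=novell",
               attrs={"objectClass": "User", "description": "Manager"})


def level_of(path: str) -> str:
    best = ""
    for prefix in LEVELS:
        if under(path, prefix) and len(prefix) > len(best):
            best = prefix
    return LEVELS[best] if best else "secure"   # assumption: unlisted paths are Secure


def authorize(path: str, user) -> bool:
    """Decide one request; user is None for an unauthenticated browser."""
    path = normalize(path)
    level = level_of(path)
    if level == "public":
        return True
    if user is None:
        return False            # Restricted and Secure both require a login
    if level == "restricted":
        return True
    return any(rule.grants(path, user) for rule in RULES)
```

Two details carry most of the security value: the path is normalized before any prefix comparison, and a container-assigned rule grants nothing to an entry outside that container even when its attributes satisfy the dynamic condition.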
Single Sign-On/Personalization
• iChain Proxy forwards user information to backend web servers, using object-level access control (OLAC)
– Used for single sign-on: ICHAIN_UID and ICHAIN_PWD can be mapped to any LDAP field (allows different names/passwords to be sent to each web server)
– Used for personalization: sends "Parameter=Values" retrieved using LDAP
• Form-fill authentication: stores the credentials entered by the user (Novell SecretStore®) and automatically fills the form on the next request
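The header-forwarding half of the slide, as an added example that is not iChain code: after login the proxy maps ICHAIN_UID and ICHAIN_PWD to LDAP attributes and attaches the "Parameter=Values" personalization pairs to the request it sends to the origin. The attribute names, the choice to carry OLAC parameters as headers, and the policy of dropping any browser-supplied copy of those headers are assumptions; the last one is the check a practitioner wants, because an origin that trusts ICHAIN_UID must only ever see the proxy's copy of it.

```python
"""Header-based single sign-on and OLAC personalization as the slide
describes them: after login, the proxy attaches ICHAIN_UID / ICHAIN_PWD
(each mapped to an LDAP attribute) and "Parameter=Values" pairs to the
request it sends to the origin web server.  Added example, not iChain code.
The attribute names, carrying OLAC parameters as headers, and the policy of
dropping browser-supplied copies of those headers are assumptions.
"""

# Identity headers from the slide, each fed by an (assumed) LDAP attribute.
SSO_HEADER_MAP = {
    "ICHAIN_UID": "mail",           # "any LDAP field" may be mapped
    "ICHAIN_PWD": "legacyAppPwd",   # a per-application password attribute
}
# Personalization: the slide's Books=Thrillers,Horrors, from an assumed attribute.
OLAC_PARAM_MAP = {"Books": "bookGenres"}

# Names the proxy owns; a browser is never allowed to pre-set them.
RESERVED = {h.upper() for h in SSO_HEADER_MAP} | {p.upper() for p in OLAC_PARAM_MAP}

# Constructed directory entry for the logged-in user.
LEE = {
    "cn": "lhowarth",
    "mail": "lhowarth@novell.com",
    "legacyAppPwd": "yyy",
    "bookGenres": ["Thrillers", "Horrors"],
}


class HeaderError(ValueError):
    """Raised when SSO data cannot be forwarded safely."""


def header_value(value) -> str:
    """Render an attribute (scalar or multi-valued) as one header value.

    CR/LF are refused outright: a directory value containing them would let
    whoever can edit that attribute inject extra headers at the origin.
    """
    text = ",".join(map(str, value)) if isinstance(value, (list, tuple)) else str(value)
    if "\r" in text or "\n" in text:
        raise HeaderError("control characters in attribute value")
    return text


def upstream_headers(client_headers: dict, user: dict) -> dict:
    """Headers the proxy sends upstream for an authenticated user."""
    # Pass the browser's headers through, minus any claim to be the proxy.
    out = {n: v for n, v in client_headers.items() if n.upper() not in RESERVED}
    for header, attr in SSO_HEADER_MAP.items():
        if attr not in user:
            raise HeaderError(f"user lacks {attr}; refusing to sign on without it")
        out[header] = header_value(user[attr])
    for param, attr in OLAC_PARAM_MAP.items():
        if attr in user:
            out[param] = header_value(user[attr])
    return out


def forward_or_reject(client_headers: dict, user: dict):
    """upstream_headers, or None when the request must not be forwarded."""
    try:
        return upstream_headers(client_headers, user)
    except HeaderError:
        return None
```

The same rule applies on the origin side: a web server configured to accept ICHAIN_UID should accept connections only from the proxy, otherwise the header is just a client-chosen string.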
Data Confidentiality
• Secure exchange: transparent (on-the-fly) encryption at the proxy eliminates the need to use SSL on the web servers
– Increases performance of the web server
– Decreases management tasks
• SSL encryption strength: force 128-bit connections
• No-cache setting
User and Access Management
• Browser-based utilities to change user profile information and passwords
• Leverages eDirectory restrictions: time restrictions, intruder lockout, password history, password expiration and grace logins
• Offers enhanced password management features: non-dictionary words, minimum number of numerals/characters
iChain 2.1: User Certificate Mapping
• Why do we need this? iChain must know the distinguished name of the user to enforce access control. Third-party certificate authorities will very rarely distribute certificates with this information in a correct format.
• What does it do? Provides a mapping between the information held in the certificate and the user's distinguished name.
• How is it configured? [configuration screenshot]
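What such a mapping has to do, as an added example (not iChain's implementation or configuration format): pull identifying fields out of the certificate subject, resolve them against the directory, and return a DN only when exactly one entry matches. The subject strings, directory contents, trusted issuer and order of mapping attempts are constructed assumptions; the ambiguity check and the issuer check are the two things a reviewer should look for in any real mapping configuration.

```python
"""User certificate mapping in the sense of the slide: take identifying
fields out of a client certificate's subject and resolve them to exactly one
user DN in the directory.  Added example, not iChain code; the subject
strings, the directory contents, the trusted issuer and the order of mapping
attempts are constructed assumptions.
"""


def parse_dn(dn: str):
    """Parse an RFC 4514-style string into [(ATTR, value), ...].

    Handles backslash-escaped commas and backslashes, which is enough for the
    constructed subjects below (no multi-valued RDNs, no hex-encoded values).
    """
    pairs, parts, buf, escaped = [], [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if escaped:
        raise ValueError("dangling escape in DN")
    parts.append("".join(buf))
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"bad RDN {part!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def normalized(dn: str):
    return [(a, v.lower()) for a, v in parse_dn(dn)]


def under(dn: str, base: str) -> bool:
    """True when dn lies below base in the tree."""
    d, b = normalized(dn), normalized(base)
    return len(d) > len(b) and d[-len(b):] == b


def values_for(pairs, attr: str):
    return [v for a, v in pairs if a == attr.upper()]


# Mapping rules, tried in order; the first that yields exactly one user wins.
# "E" is the short form some CAs use for emailAddress.
MAPPINGS = [
    {"cert_attr": "emailAddress", "ldap_attr": "mail", "base": "o=novell"},
    {"cert_attr": "E", "ldap_attr": "mail", "base": "o=novell"},
    {"cert_attr": "CN", "ldap_attr": "fullName", "base": "ou=employees,o=novell"},
]
TRUSTED_ISSUERS = {"CN=Partner CA,O=Example CA Ltd"}

# Constructed directory: DN -> attributes.  Two employees share a full name.
DIRECTORY = {
    "cn=lhowarth,ou=employees,o=novell": {"mail": "lhowarth@novell.com", "fullName": "Lee Howarth"},
    "cn=gabew,ou=employees,o=novell": {"mail": "gabew@novell.com", "fullName": "Gabe Wat"},
    "cn=gabew2,ou=employees,o=novell": {"mail": "gwat@novell.com", "fullName": "Gabe Wat"},
    "cn=jdoe,ou=partners,o=novell": {"mail": "jdoe@partner.example", "fullName": "John Doe"},
}


class MappingError(Exception):
    """Raised when the certificate cannot be tied to exactly one user."""


def map_certificate(subject: str, issuer: str) -> str:
    """Return the user DN for a certificate's subject, or raise MappingError."""
    if normalized(issuer) not in [normalized(i) for i in TRUSTED_ISSUERS]:
        raise MappingError("issuer not trusted for certificate mapping")
    pairs = parse_dn(subject)
    for rule in MAPPINGS:
        wanted = [v.lower() for v in values_for(pairs, rule["cert_attr"])]
        if not wanted:
            continue
        hits = [dn for dn, attrs in DIRECTORY.items()
                if under(dn, rule["base"])
                and str(attrs.get(rule["ldap_attr"], "")).lower() in wanted]
        if len(hits) == 1:
            return hits[0]
        if len(hits) > 1:
            # Ambiguity is a failure, not a coin toss: a second user with the
            # same full name must not be able to present as the first.
            raise MappingError(f"{rule['cert_attr']} matches {len(hits)} users")
    raise MappingError("no mapping rule matched")


def map_or_none(subject: str, issuer: str):
    try:
        return map_certificate(subject, issuer)
    except MappingError:
        return None
```

Note that this only maps the subject; verifying the certificate chain and signature is the job of the TLS layer in front of it, and the issuer check here assumes that layer has already established which CA signed the certificate.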
iChain 2.1: Custom Re-Writer
• Why do we need this? When hiding the internal DNS infrastructure, the browser must still be able to reach services using the public DNS names.
• The default iChain re-writer automatically changes most of the relevant content (links and redirects) as it passes through the proxy.
• Certain web applications (Oracle, for example) hard-code DNS names into their data stream; such content must be identified and changed explicitly.
iChain 2.1: Custom Re-Writer
Without custom re-write
[Diagram: the browser requests finance.novell.com; the iChain Proxy Server forwards to Oracle.prv.novell.com; the application's response still carries Oracle.prv.novell.com, and since the default re-writer does not recognise it as a link, the browser is handed an internal name it cannot resolve.]
With custom re-write
[Diagram: the same exchange, but the custom filter below replaces the embedded Oracle.prv.novell.com with finance.novell.com before the response reaches the browser.]
Custom re-writer filter shown on the slide (the replacement pair appears as one run-on line in the original and is shown here as the old and new strings):
    [Name=oracleFilter]
    [Extension]
    html, htm
    [Replace]
    <PARAM name=servHost Value=oracle.prv.novell.com>
    <PARAM name=servHost Value=finance.novell.com>
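A filter of the shape shown above, implemented as an added example (not iChain's re-writer): rules are applied only to responses whose URL carries a listed extension, and each rule swaps one literal string for another. The config text is the slide's; the assumption that the [Replace] section lists the old and new strings on consecutive lines, and the use of the URL path extension to gate the filter, are mine.

```python
"""A content re-writer filter of the kind the slide shows: rewrite rules are
applied only to responses whose URL has a listed extension, and each rule
swaps a literal string for another.  Added example, not iChain's re-writer;
the config text is the slide's, but the assumption that [Replace] lists the
old and new strings on consecutive lines is mine, as is the URL-extension test.
"""
import posixpath
from urllib.parse import urlsplit

FILTER_CONFIG = """\
[Name=oracleFilter]
[Extension]
html, htm
[Replace]
<PARAM name=servHost Value=oracle.prv.novell.com>
<PARAM name=servHost Value=finance.novell.com>
"""


def parse_filters(text: str):
    """Return [{'name', 'extensions', 'replace'}] from the INI-like filter text."""
    filters, current, section, pending = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[Name=") and line.endswith("]"):
            if pending is not None:
                raise ValueError("unpaired [Replace] line before new filter")
            current = {"name": line[6:-1], "extensions": set(), "replace": []}
            filters.append(current)
            section = None
        elif line in ("[Extension]", "[Replace]"):
            if current is None:
                raise ValueError("section before [Name=...]")
            section = line
        elif section == "[Extension]":
            current["extensions"].update(
                e.strip().lower() for e in line.split(",") if e.strip())
        elif section == "[Replace]":
            # Pairs: first line is the text to find, the next its replacement.
            if pending is None:
                pending = line
            else:
                current["replace"].append((pending, line))
                pending = None
        else:
            raise ValueError(f"unexpected line {line!r}")
    if pending is not None:
        raise ValueError("unpaired [Replace] line")
    return filters


def url_extension(url: str) -> str:
    """Extension of the URL path, lower-cased, ignoring ?query and #fragment."""
    path = urlsplit(url).path
    return posixpath.splitext(path)[1].lstrip(".").lower()


def rewrite(url: str, body: str, filters) -> tuple:
    """Apply every filter whose extension list covers the URL.

    Returns (new_body, names of filters that changed something).
    """
    ext = url_extension(url)
    applied = []
    for f in filters:
        if ext not in f["extensions"]:
            continue
        before = body
        for old, new in f["replace"]:
            body = body.replace(old, new)
        if body != before:
            applied.append(f["name"])
    return body, applied
```

The literal match is case-sensitive and exact, so a variant such as `value="oracle.prv.novell.com"` needs its own pair; when adding one, test against a captured response rather than the documentation's sample. Rewriting is also only about reachability: hiding the internal name is not an access control, and the Restricted/Secure levels above remain the thing that keeps Oracle.prv.novell.com out of reach.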
iChain 2.1: Custom Login Pages
• A custom login page can be configured for each accelerator
iChain 2.1: Custom Certificate Error Page
• Why do we need this? With an accelerator configured to require a certificate, a user who has no certificate presses Cancel and lands on a blank page, with no idea what to do next.
iChain 2.1: Session Broker
• Increases scalability of the iChain infrastructure: shares authentication information between proxy servers
[Diagram: a browser reaching any of several iChain 2.1 proxy servers, which exchange session state through the session broker.]
Affiliate Connector (Quick Intro)
• What is the Affiliate Connector? Extends the iChain authentication and access control process to affiliates (partner sites)
• Web services: uses the Security Assertion Markup Language (SAML)
• Learn more: IO124, Implementing B2B and B2C Solutions Using Affiliate Connector
Affiliate Connector (Quick Intro)
[Diagram: affiliate user, affiliate site (portal) with the Affiliate Connector, and Comp X. running iChain in front of its application server.]
1. The affiliate user authenticates to the affiliate site.
2. The user follows a link to the Benefits service.
3. The Affiliate Connector generates a SAML token carrying the user's attributes (Method = ID/PW, Perk = Silver, Name = John Doe, FF# 987654321).
4. The user is redirected to Comp X.
5. The user authenticates to iChain at Comp X. using the secure token.
6. iChain enforces Comp X.'s security policies before the request reaches the application server.
Learn More About iChain
• BUS227 Novell Solutions at Sesame Street
• BUS228 How iChain Helps Ticona Improve Business Operations
• BUS350 How Essentialtalk Uses iChain and eDirectory for Web Commerce
• TUT254 iChain Configuration Using the Web Server Accelerator Wizard
• TUT254 Avoiding the Top iChain Technical Issues
• TUT361 CNI Education: Protecting the Network with Novell iChain
Win big: visit the Access and Security table in the one Net solutions lab to obtain an entry form.