Setup Guide
Access Manager 4.0 SP1
May 2014
www.netiq.com/documentation

Legal Notice

THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE AGREEMENT OR A NON-DISCLOSURE AGREEMENT. EXCEPT AS EXPRESSLY SET FORTH IN SUCH LICENSE AGREEMENT OR NON-DISCLOSURE AGREEMENT, NETIQ CORPORATION PROVIDES THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT ALLOW DISCLAIMERS OF EXPRESS OR IMPLIED WARRANTIES IN CERTAIN TRANSACTIONS; THEREFORE, THIS STATEMENT MAY NOT APPLY TO YOU.

For purposes of clarity, any module, adapter or other similar material ("Module") is licensed under the terms and conditions of the End User License Agreement for the applicable version of the NetIQ product or software to which it relates or interoperates with, and by accessing, copying or using a Module you agree to be bound by such terms. If you do not agree to the terms of the End User License Agreement you are not authorized to use, access or copy a Module and you must destroy all copies of the Module and contact NetIQ for further instructions.

This document and the software described in this document may not be lent, sold, or given away without the prior written permission of NetIQ Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of NetIQ Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data.
This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time.

U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the government's rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement.

© 2014 NetIQ Corporation. All Rights Reserved.

For information about NetIQ trademarks, see https://www.netiq.com/company/legal/.

Contents

About NetIQ Corporation
About This Book and the Library

1 Setting Up a Basic Access Manager Configuration
  1.1 Understanding Access Manager Configuration
  1.2 Prerequisites for Setup
  1.3 Creating a Basic Identity Server Configuration
  1.4 Configuring the Access Gateway
    1.4.1 Configuring a Reverse Proxy
    1.4.2 Configuring a Public Protected Resource
  1.5 Configuring the Access Gateway for Authentication
    1.5.1 Verifying Time Synchronization
    1.5.2 Enabling Trusted Authentication
  1.6 Setting Up an Identity Injection Policy

2 Enabling SSL Communication
  2.1 Identifying the SSL Communication Channels
  2.2 Using Access Manager Certificates
    2.2.1 Configuring Secure Communication on the Identity Server
    2.2.2 Configuring the Access Gateway for SSL
  2.3 Using Externally Signed Certificates
    2.3.1 Obtaining Externally Signed Certificates
    2.3.2 Configuring the Identity Server to Use an Externally Signed Certificate
    2.3.3 Configuring the Access Gateway to Use an Externally Signed Certificate
  2.4 Using an SSL Terminator
    2.4.1 Required Setup
    2.4.2 Configuring the SSL Terminator
    2.4.3 Configuring the Access Gateway
  2.5 SSL Renegotiation

3 Clustering and Fault Tolerance
  3.1 Installing Secondary Versions of the Administration Console
    3.1.1 Prerequisites
    3.1.2 Installing a Second Console
    3.1.3 Understanding How the Consoles Interact with Each Other and Access Manager Devices
  3.2 Clustering Identity Servers
    3.2.1 Configuration Notes
    3.2.2 Prerequisites
    3.2.3 Setting Up a Cluster
  3.3 Clustering Access Gateways
    3.3.1 Prerequisites
    3.3.2 Designing the Membership Type for a Cluster
    3.3.3 Configuring a Cluster
  3.4 Clustering SSL VPN Servers
    3.4.1 Prerequisites
    3.4.2 Creating a Cluster of SSL VPN Servers
  3.5 Configuration Tips for the L4 Switch
    3.5.1 Sticky Bit
    3.5.2 Network Configuration Requirements
    3.5.3 Health Checks
    3.5.4 Real Server Settings Example
    3.5.5 Virtual Server Settings Example
  3.6 Setting up L4 Switch for IPv6 Support
    3.6.1 Web SSO Over IPv6
    3.6.2 Federated SSO over IPv6
    3.6.3 Limitations
  3.7 Using a Software Load Balancer

4 Setting Up Federation
  4.1 Understanding a Simple Federation Scenario
  4.2 Configuring Federation
    4.2.1 Prerequisites
    4.2.2 Establishing Trust between Providers
    4.2.3 Configuring SAML 1.1 for Account Federation
  4.3 Sharing Roles
    4.3.1 Configuring Role Sharing
    4.3.2 Verifying the Configuration
  4.4 Setting Up Federation with Third-Party Providers
  4.5 External Attribute Source Policy Examples
    4.5.1 Scenario 1
    4.5.2 Scenario 2

5 Digital Airlines Example
  5.1 Installation Overview and Prerequisites
    5.1.1 Installation Architecture
    5.1.2 Deployment Overview
  5.2 Setting Up the Web Server
    5.2.1 Installing the Apache Web Server and PHP Components
    5.2.2 Installing Digital Airlines Components
    5.2.3 Configuring Name Resolution
  5.3 Configuring Public Access to Digital Airlines
  5.4 Implementing Access Restrictions
    5.4.1 Enabling an Authentication Procedure
    5.4.2 Configuring a Role-Based Policy
    5.4.3 Assigning an Authorization Policy to Protect a Resource
    5.4.4 Configuring an Identity Injection Policy for Basic Authentication
    5.4.5 Initiating an SSL VPN Session

6 Protecting an Identity Server with an Access Gateway
  6.1 Configuring a Linux Identity Server as a Protected Resource
  6.2 Configuring a Windows Identity Server as a Protected Resource

A Modifications Required for a 4.0 Login Page
  A.1 Modifying the File
  A.2 Sample Modified File

About NetIQ Corporation

We are a global, enterprise software company, with a focus on the three persistent challenges in your environment: Change, complexity and risk—and how we can help you control them.

Our Viewpoint

Adapting to change and managing complexity and risk are nothing new. In fact, of all the challenges you face, these are perhaps the most prominent variables that deny you the control you need to securely measure, monitor, and manage your physical, virtual, and cloud computing environments.

Enabling critical business services, better and faster. We believe that providing as much control as possible to IT organizations is the only way to enable timelier and cost effective delivery of services. Persistent pressures like change and complexity will only continue to increase as organizations continue to change and the technologies needed to manage them become inherently more complex.

Our Philosophy

Selling intelligent solutions, not just software. In order to provide reliable control, we first make sure we understand the real-world scenarios in which IT organizations like yours operate — day in and day out. That's the only way we can develop practical, intelligent IT solutions that successfully yield proven, measurable results. And that's so much more rewarding than simply selling software.

Driving your success is our passion. We place your success at the heart of how we do business. From product inception to deployment, we understand that you need IT solutions that work well and integrate seamlessly with your existing investments; you need ongoing support and training post-deployment; and you need someone that is truly easy to work with — for a change. Ultimately, when you succeed, we all succeed.
Our Solutions

- Identity & Access Governance
- Access Management
- Security Management
- Systems & Application Management
- Workload Management
- Service Management

Contacting Sales Support

For questions about products, pricing, and capabilities, contact your local partner. If you cannot contact your partner, contact our Sales Support team.

Worldwide: www.netiq.com/about_netiq/officelocations.asp
United States and Canada: 1-888-323-6768
Email: [email protected]
Web Site: www.netiq.com

Contacting Technical Support

For specific product issues, contact our Technical Support team.

Worldwide: www.netiq.com/support/contactinfo.asp
North and South America: 1-713-418-5555
Europe, Middle East, and Africa: +353 (0) 91-782 677
Email: [email protected]
Web Site: www.netiq.com/support

Contacting Documentation Support

Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, click Add Comment at the bottom of any page in the HTML versions of the documentation posted at www.netiq.com/documentation. You can also email Documentation-[email protected]. We value your input and look forward to hearing from you.

Contacting the Online User Community

Qmunity, the NetIQ online community, is a collaborative network connecting you to your peers and NetIQ experts. By providing more immediate information, useful links to helpful resources, and access to NetIQ experts, Qmunity helps ensure you are mastering the knowledge you need to realize the full potential of IT investments upon which you rely. For more information, visit http://community.netiq.com.

About This Book and the Library

This book is intended to help you understand and set up a basic Access Manager configuration.
IMPORTANT: To avoid configuration errors, it is strongly recommended that you closely follow the steps outlined in this document during your initial Access Manager setup.

- Chapter 1, "Setting Up a Basic Access Manager Configuration," on page 11
- Chapter 2, "Enabling SSL Communication," on page 29
- Chapter 3, "Clustering and Fault Tolerance," on page 49
- Chapter 4, "Setting Up Federation," on page 73
- Chapter 5, "Digital Airlines Example," on page 99
- Chapter 6, "Protecting an Identity Server with an Access Gateway," on page 133
- Appendix A, "Modifications Required for a 4.0 Login Page," on page 147

Not all Access Manager functionality and administrative tasks are discussed here. After you are familiar with Access Manager and the steps in this section, you can use the NetIQ Access Manager 4.0 SP1 Identity Server Guide and the NetIQ Access Manager 4.0 SP1 Access Gateway Guide as the sources for additional or advanced configuration.

Intended Audience

This book is intended for Access Manager administrators.
It is assumed that you have knowledge of evolving Internet protocols, such as:

- Extensible Markup Language (XML)
- Simple Object Access Protocol (SOAP)
- Security Assertion Markup Language (SAML)
- Public Key Infrastructure (PKI) digital signature concepts and Internet security
- Secure Socket Layer/Transport Layer Security (SSL/TLS)
- Hypertext Transfer Protocol (HTTP and HTTPS)
- Uniform Resource Identifiers (URIs)
- Domain Name System (DNS)
- Web Services Description Language (WSDL)

Other Information in the Library

The library provides the following information resources:

- NetIQ Access Manager 4.0 SP1 Installation Guide
- NetIQ Access Manager 4.0 SP1 Administration Console Guide
- NetIQ Access Manager 4.0 SP1 Identity Server Guide
- NetIQ Access Manager 4.0 SP1 Access Gateway Guide
- NetIQ Access Manager 4.0 SP1 Policy Guide
- NetIQ Access Manager 4.0 SSL VPN Server Guide

NOTE: Contact [email protected] for any query related to Access Manager SDK.