Novell Confidential 00front.fm last saved 4/14/03 Manual 3/17/03 103
Novell Liberty Identity Provider for Novell eDirectory
www.novell.
Legal Notices
Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc.
Novell Trademarks
eDirectory is a trademark of Novell, Inc. Novell is a registered trademark of Novell, Inc. in the United States and other countries.
Third-Party Trademarks
All third-party trademarks are the property of their respective owners.
Contents
About This Guide 3
Introduction 3
Documentation Conventions 3
Documentation Updates
Appendix B Modifying Apache 39
Modifying the Apache Configuration Files 39
Importing Trusted Roots 42
Appendix C Troubleshooting Your Liberty IDP Installation and Configuration
Troubleshooting Installation Issues
About This Guide
Introduction
The purpose of this documentation is to help you install, configure, and administer the Liberty identity provider for Novell® eDirectory™ infrastructure. The audience for this documentation is network administrators. This guide is divided into the following sections.
The result of this link is realized on the user's next authentication to the Liberty SP. If he or she is already logged in to his or her Liberty IDP, he or she is authenticated to the Liberty SP with no user interaction. It is important to realize that the user controls his or her identity federation: the user is responsible for federating (linking) and defederating his or her identity information.
Authentication is performed using a login form, which the user completes and submits to the Liberty IDP. If the user's credentials (username and password) are verified, the user is authenticated and is able to federate his or her identities with chosen service providers.
The Novell-supported platform for installing the Liberty IDP is a Windows 2000 server or workstation. To run the Liberty IDP, you must have:
a static IP address
an iManager-compatible browser: Internet Explorer 5.5 or above, or Netscape 6.2 or above
For additional information and full system requirements for Novell eDirectory 8.7, refer to the Novell eDirectory 8.
Figure 1 Liberty Identity Provider Introduction
4 If you accept the License Agreement, select the accept button, then click Next.
Figure 2 License Agreement
5 The Liberty IDP created by the installation is configured to run in non-SSL mode by default. This mode is sufficient for testing purposes only. You cannot use the non-SSL mode in a production environment.
Figure 3 SSL Warning
6 The Liberty IDP requires Novell iManager to be installed. Even if you already have iManager installed on your machine, click Next to proceed with the installation.
Figure 4 Install iManager
The iManager installation is a wizard that consists of several screens that run on top of your Liberty IDP installation wizard. InstallAnywhere will guide you through the iManager installation.
Figure 5 iManager Installation
6b Read the Introduction screen, then click Next.
Figure 6 iManager Introduction
6c Read the Detection Summary screen, which indicates the components that will be installed with iManager, then click Next.
WARNING: If the Web server, servlet container, and/or JVM show as already installed, you must quit the installation, remove the component(s), then begin the installation again.
Figure 7 Detection Summary
6d Select the directory where iManager should be installed. The default is C:\Program Files\Novell.
Figure 8 Choose Install Folder
6e Click Next.
6f Review the Pre-Installation Summary. If you need to make changes, click Previous to return to the previous screens. Otherwise, click Install.
Figure 9 Pre-Installation Summary
iManager is installed on your machine. (This installation might take a few minutes.)
6g If the iManager installation is successful, you will get an Install Complete screen. Review this screen, then click Done.
Figure 10 Install Complete
You are returned to the Liberty IDP installation.
be located in the same container where your server object is located. Export the trusted root from the key material object. For more information, see "Importing Trusted Roots" on page 42.
Figure 11 LDAP Configuration Page
8 Click Next.
9 All Liberty single sign-on communication must be digitally signed. To support digital signing, the installer program will create a signing certificate.
Figure 12 Signing Certificate Information: Site Information Page
10 Click Next.
11 Set up your keystore information by entering a Keystore File Name, Keypair Alias, Keypair Password, and Keystore Password. These values are used in the signing process and are referenced by the Liberty application's web.xml file. Because web.xml references the keystore and keypair passwords, restrict read access to it to the account that runs Tomcat. (By default, this file is located at C:\Program Files\Novell\Tomcat\webapps\nidp\WEB-INF\web.xml.
13 Enter an application name. This name will be part of the URL that service providers use to request authentication services from you. For example, if you use nidp, an nidp folder will be created in your Tomcat webapps folder (\webapps) containing the identity provider Web application.
Figure 14 Application Name Page
14 Click Next.
15 Review the Pre-Installation Summary.
You will need to install the Liberty administration plug-ins in iManager. An installation help screen for iManager launches. To set up the Liberty Roles and Tasks, follow the instructions in the help screen to launch iManager and run the Configuration Wizard. Continue with the steps in Chapter 3, "Creating a Liberty IDP Site," on page 21 to set up your Liberty IDP site.
1 Go to your Windows Start menu, then click Settings > Control Panel > Add/Remove Programs.
2 From the list, remove all Apache, iManager, and Tomcat components using the Remove button.
3 Remove the Novell Liberty Identity Provider for Novell eDirectory program.
3a Launch the Uninstall wizard by clicking the Remove button.
3b Click Uninstall.
Creating a Liberty IDP Site
After you have installed the Liberty identity provider for Novell® eDirectory™ software, your next step is to set up a Liberty identity provider (Liberty IDP) site. You cannot run Liberty unless you set up an identity provider site.
IMPORTANT: As part of the Liberty IDP configuration, the IDP references information about the service provider (SP).
Figure 16 Manage Liberty Identity Sites Page
3 Click the New Site link. The New Liberty Identity Site page appears on the right-hand side.
Figure 17 New Liberty Identity Site Page
4 Enter a Descriptive Name for your site. (The name you choose is primarily for your own reference.)
5 Enter the context for this site. The context identifies where you want to store this site object in the directory. (The default is the root, but you can choose the location you want.)
6 Enter the Protocol and Base URL information.
If you are running on port 80 (HTTP) or port 443 (HTTPS), you do not need to specify the port value.
7 Click OK.
2. Define Site Properties
Continuing from Step 7 in the previous section, you are now at the Site Properties page.
Figure 18 Site Properties Page
The Descriptive Name you entered in Step 4 carries forward. The Provider ID is a required field in the Liberty specification.
The Application Domain is an application- or company-specific prefix to the Common Domain name that the IDP uses for introductions. The Application Domain and the Common Domain combine to form a DNS name that must resolve to the same IP address as the Base URL domain. If a port other than the Base URL port is needed, append it to the Common Domain.
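The site-definition rules above (protocol and Base URL, omitted default ports, the application name path, and the introduction DNS name that must resolve to the Base URL host) can be checked before the values are entered in iManager. The following is an added example, not code shipped with the Liberty IDP; the host names and addresses in it are invented, and the DNS check takes a resolver argument so it can be run against a stub table as well as the live resolver.

```python
import socket
from urllib.parse import urlsplit

# Default ports that the Base URL omits (the rule stated in the site definition).
DEFAULT_PORTS = {"http": 80, "https": 443}


def build_base_url(protocol, host, port, app_name):
    """Compose the Base URL the way the New Liberty Identity Site page expects:
    <protocol>://<host>[:port]/<application name>, with the port omitted when
    it is the protocol's default (80 for http, 443 for https)."""
    scheme = protocol.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError("protocol must be http or https")
    netloc = host if port in (None, DEFAULT_PORTS[scheme]) else f"{host}:{port}"
    return f"{scheme}://{netloc}/{app_name.strip('/')}"


def introduction_host(application_domain, common_domain, port=None):
    """Application Domain + Common Domain form the DNS name used for
    introductions; a port other than the Base URL port is appended to it."""
    host = f"{application_domain.strip('.')}.{common_domain.strip('.')}"
    return host if port is None else f"{host}:{port}"


def check_site(base_url, application_domain, common_domain,
               resolve=socket.gethostbyname):
    """Return a list of problems with a proposed site definition (empty when
    it passes).  `resolve` maps a hostname to an IP address; pass a stub
    (for example a dict's __getitem__) to test without live DNS."""
    problems = []
    parts = urlsplit(base_url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        return [f"unsupported protocol {parts.scheme!r}"]
    if scheme == "http":
        problems.append("Base URL uses http: non-SSL mode is for testing only")
    if parts.port == DEFAULT_PORTS[scheme]:
        problems.append(f"port {parts.port} is the default for {scheme}; omit it")
    if not parts.path.strip("/"):
        problems.append("Base URL lacks the application name path (for example /nidp)")

    # The introduction name must resolve to the same address as the Base URL host.
    intro_name = introduction_host(application_domain, common_domain)
    try:
        base_ip = resolve(parts.hostname)
        intro_ip = resolve(intro_name)
    except (OSError, KeyError) as exc:
        problems.append(f"DNS lookup failed: {exc!r}")
    else:
        if base_ip != intro_ip:
            problems.append(
                f"{intro_name} resolves to {intro_ip} but {parts.hostname} "
                f"resolves to {base_ip}; introductions will not work")
    return problems
```

Run `check_site("https://idp.example.com/nidp", "nidp", "commondomain.com")` against your own names; an empty list means the Base URL, port and introduction name are consistent with the rules in this chapter. The http warning mirrors the installer's SSL warning: a site that passes every other check still must not go to production on http.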
Figure 19 Affiliate Service Providers Page
2 The Affiliate Service Providers table lists the SPs you have defined, whether they are enabled, and whether the information you have provided for them is complete. (Complete in this case means all the required fields were filled in, not that the information is necessarily correct.
4 Enter the Descriptive Name and URL for the service provider's definition you want to import. For example, if your IP address is 1.1.1.1, you would specify the URL as http://1.1.1.1/nwc/metadata. Import a definition only from a source you trust: it carries the information, including the signing certificate, that the IDP will use to identify that SP.
5 Click OK.
4. Set Up Your Liberty Identity Server
Continuing where you left off in Step 5, click the Liberty Identity Servers tab. This page shows a list of your identity servers.
Figure 22 Manage Federations
3 Click OK.
4 View the User Federation you created. If you need to delete it, select Delete.
5 Click Done.
If you deleted any federations, those deletions take effect when the user completely logs out of all sessions and then logs back in.
Configuring Your Liberty Identity Provider to Run in SSL Mode
This chapter contains information on the following topics:
Converting to Secure Mode
Customizing Your Liberty IDP User Interface
In order to become compliant with Liberty specifications, after you have successfully installed your Liberty identity provider for Novell® eDirectory™ software, you must configure it to run in a production environment.
3b Select the Manage Sites task, then select your site's link.
3c Change the Base URL Protocol from http to https.
4 Restart Tomcat and Apache for the changes to take effect.
Creating Certificates for Apache
The following steps are provided as an example of how to create two certificates for Apache:
1 Using a DOS prompt, go to your Apache bin directory. (The default location is C:\Program Files\Novell\Apache\bin.
File Name Definition
main.jsp Displays the main page.
err.jsp Reports an error.
postit.jsp Sends an automatic POST to another provider. This feature is invisible to the user.
defedask.jsp Shows the list of service providers. Allows the user to defederate.
loget.jsp Shows the list of service providers that the user logged out of.
logframe.jsp Shows the log. For debugging only.
logheader.jsp Shows the log.
Installing and Configuring a Sample Service Provider
Novell provides sample code for you to use as part of the Liberty identity provider for Novell® eDirectory™ download. This sample service provider is provided "as-is" and is not supported by Novell. This appendix provides information about how to install and configure a sample service provider (SP).
InstallAnywhere will guide you through the installation process.
3 After you have read the introductory screen, click Next.
Figure 23 Liberty Service Provider Introduction
4 If you accept the License Agreement, select the accept button, then click Next.
Figure 24 License Agreement
5 The Liberty SP is provided as example code. You must accept this stipulation in order to proceed with the installation.
Figure 25 Example Code Stipulation
6 The Liberty SP installation creates a fictitious SP called World Financial. Read the information about the SP, note the URL, and then click Next.
Figure 26 World Financial Information
7 In order for single sign-on to work seamlessly between the IDP and the SP when more than one IDP exists, you must enable Introductions on your IDP. Enter the Common Domain that Introductions will use.
Figure 27 Common Domain
8 Click Next.
9 Enter a user name and password for your test user, then click Next.
Figure 28 Service Provider Test User
10 Set up your keystore information by entering a Keystore File Name, Keypair Alias, Keypair Password, and Keystore Password. (This information does not have to match the keystore information you entered for the IDP.
Figure 29 Signing Certificate Information: Keystore
11 Click Next.
12 Review the Pre-Installation Summary. If you need to make changes to your configuration, click Previous to go back to previous screens. If you accept the configuration, click Install.
13 Restart Tomcat and Apache.
When the installation has completed, configure your SP by following the instructions in Configuring Your Service Provider.
Adding Additional Users
As part of your installation, one user is created. Adding additional users to your configuration is optional. If you want to add more users, before federating your first user, locate the Liberty Principal tag section of your XML file (including the opening and closing portions of the tag), then copy and paste that section to create the additional users.
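The copy-and-paste step above can be scripted so that the new entry is a clean copy of the template user. This is an added example and not part of the sample SP; the file layout below (a <Principal> element holding <UserName> and <Password>) is an assumption made for the example, so substitute the tag names used by the file the installer wrote. The script refuses duplicate user names and drops anything other than the credentials from the clone, which is the reason the guide says to add users before federating the first one.

```python
import copy
import xml.etree.ElementTree as ET

# Constructed stand-in for the sample SP's user file.  The element names
# <Principal>, <UserName> and <Password> are assumptions for this example.
SAMPLE_XML = """<?xml version="1.0"?>
<ServiceProvider>
  <Principal>
    <UserName>testuser</UserName>
    <Password>testpass</Password>
  </Principal>
</ServiceProvider>
"""


def principal_names(xml_text):
    """User names of the principals defined directly under the root element."""
    root = ET.fromstring(xml_text)
    return [p.findtext("UserName") for p in root.findall("Principal")]


def add_principal(xml_text, username, password):
    """Return the XML with one more Principal, cloned from the first one.
    Rejects duplicate user names and strips everything except the credentials
    from the clone so that no federation state of the template user is copied."""
    root = ET.fromstring(xml_text)
    principals = root.findall("Principal")
    if not principals:
        raise ValueError("no <Principal> element to use as a template")
    if username in (p.findtext("UserName") for p in principals):
        raise ValueError(f"user {username!r} already exists")

    clone = copy.deepcopy(principals[0])
    for child in list(clone):
        if child.tag not in ("UserName", "Password"):
            clone.remove(child)  # anything a first federation may have added
    clone.find("UserName").text = username
    clone.find("Password").text = password

    # Keep the principals together: insert right after the last existing one.
    root.insert(list(root).index(principals[-1]) + 1, clone)
    return ET.tostring(root, encoding="unicode")
```

Read the existing file, pass its text through `add_principal` once per new user, and write the result back before you federate anyone; `principal_names` gives a quick check of what the file now contains.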
Modifying Apache
This appendix provides information on the following topics:
Modifying the Apache Configuration Files
Importing Trusted Roots
Modifying the Apache Configuration Files
1 Go to your Apache httpd.conf file, located in your Apache directory. (The default location is C:\Program Files\Apache\conf\httpd.conf.)
2 Comment out the line that says, "include "C:/Program Files/Novell/Tomcat/conf/liberty/liberty_jk.
JkMount /nidp/slo ajp13
JkMount /nidp/*.css ajp13
JkMount /nidp/slo_return ajp13
JkMount /nidp/term ajp13
JkMount /nidp/soap ajp13
JkMount /nidp/setintro ajp13
JkMount /nidp/rni ajp13
JkMount /nidp/sso ajp13
JkMount /nidp/*.jsp ajp13
JkMount /nidp/logview ajp13
JkMount /nidp/*.gif ajp13
JkMount /nidp/metadata ajp13
JkMount /nidp/rni_return ajp13
JkMount /nidp/term_return ajp13
JkMount /nidp/*.
AllowOverride None
deny from all
JkMount /eMFrame/webacc ajp13
JkMount /eMFrame/webacc/* ajp13
JkMount /eMFrame/*.jsp ajp13
8 In this same Apache ssl.conf file, add a line for a second SSL listening port for the common domain. (You could add a second IP address instead of a second port. See the Apache Web site (http://httpd.apache.org/docs-2.
11 In this same file, make the following changes to the second virtual host section for the common domain virtual host:
# General setup for the virtual host
DocumentRoot C:/PROGRA~1/Novell/Apache/htdocs
ServerName nidp.commondomain.com:444
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate.
Troubleshooting Your Liberty IDP Installation and Configuration
This section provides information on the following topics:
Troubleshooting Installation Issues
Troubleshooting Post-Installation Issues
Basic Troubleshooting Tips
Troubleshooting Installation Issues
Most of the issues that occur during installation are likely to be logged in one of the log files described in this section.
Summary
-------
Installation: Successful.
1408 SUCCESSES
0 WARNINGS
0 NONFATAL ERRORS
0 FATAL ERRORS
3. Novell_iManager_1.5.1_InstallLog: This log file, located by default at C:\Program Files\Novell\Tomcat\webapps\eMFrame\WEB-INF\install\Novell_iManager_1.5.
on> at org.apache.jasper.compiler.DelegatingListener.handleDirective . . .
Tomcat's error logs are excellent resources for troubleshooting these types of errors. The logs provide additional information from Tomcat and the Java SDK that is not included in the results returned to the Web browser window.
You should check to make sure that no errors are reported. The Liberty NIDP and NWT Web-based applications should load without errors or exceptions.
Enabling Advanced Logging
You can enable Advanced Logging on the IDP to log all requests in and out of the IDP server. This logging feature is not enabled by default, since it can quickly fill up your hard disk with information. Because the log records the requests themselves, restrict access to the log file and turn Advanced Logging off again once you have the information you need.
Figure 30 Filter Options and Log File Entries
Basic Troubleshooting Tips
This section includes troubleshooting information for Apache, Tomcat, and iManager.
Troubleshooting Apache
The following are simple tests you can conduct, either in standard or secure mode, to verify that Apache is up and running:
Standard Mode: From a browser, go to http://<IP address>, where <IP address> is the IP address of your Apache Web server.
[Wed Apr 02 14:26:58 2003] [notice] Parent: Created child process 3740
[Wed Apr 02 14:27:01 2003] [notice] Child 3740: Child process is running
[Wed Apr 02 14:27:01 2003] [notice] Child 3740: Acquired the start mutex.
[Wed Apr 02 14:27:01 2003] [notice] ... threads.
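The Apache error log entries above are what a healthy start looks like on Windows: the parent creates a child, the child reports that it is running, acquires the start mutex and starts its worker threads. The following added example (not part of the product or this guide) parses log lines in that format, confirms that some child reached all three milestones, and pulls out the entries at error level and above. The sample lines are constructed; the mod_jk error line in particular is invented to show an entry that the startup check should surface.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the Apache 2 error log on Windows shown
# above.  The last line is a made-up error entry, not a real mod_jk message.
SAMPLE_LOG = """\
[Wed Apr 02 14:26:58 2003] [notice] Parent: Created child process 3740
[Wed Apr 02 14:27:01 2003] [notice] Child 3740: Child process is running
[Wed Apr 02 14:27:01 2003] [notice] Child 3740: Acquired the start mutex.
[Wed Apr 02 14:27:01 2003] [notice] Child 3740: Starting 250 worker threads.
[Wed Apr 02 14:27:02 2003] [error] mod_jk: could not connect to Tomcat (constructed example line)
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
CHILD_RE = re.compile(r"^Child (?P<pid>\d+): (?P<event>.*)$")
MILESTONES = {"running", "mutex", "threads"}


def parse_error_log(text):
    """Split the log into dicts with ts, level and msg.  Lines that do not
    match the format (continuations, stack traces) are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def child_startup_status(entries):
    """Map each child pid to the set of startup milestones it reported."""
    status = defaultdict(set)
    for entry in entries:
        m = CHILD_RE.match(entry["msg"])
        if not m:
            continue
        pid, event = m.group("pid"), m.group("event")
        if event.startswith("Child process is running"):
            status[pid].add("running")
        elif event.startswith("Acquired the start mutex"):
            status[pid].add("mutex")
        elif event.startswith("Starting") and "worker threads" in event:
            status[pid].add("threads")
    return dict(status)


def apache_started_ok(entries):
    """True when at least one child reached all three startup milestones."""
    return any(MILESTONES <= seen for seen in child_startup_status(entries).values())


def error_entries(entries, levels=("warn", "error", "crit", "alert", "emerg")):
    """Entries at warn level or above, the ones worth reading first."""
    return [e for e in entries if e["level"] in levels]
```

Point `parse_error_log` at the contents of your Apache error.log after a restart: `apache_started_ok` answers the "is Apache up" question from this section without a browser, and `error_entries` lists what went wrong when it is not, such as the mod_jk connector failing to reach Tomcat.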