Novell iChain migration to Novell Access Gateway

2006-03-22

TUT269: Novell iChain Migration to Novell Access Gateway

There are two ways Access Manager will ship: as a Linux version or as a NetWare version. The Linux version can be installed on one machine, but the NetWare one will require two. The Linux one is based on SLES 9 SP3 and the NetWare one on NetWare 6.5 SP5.

There is a common management interface that lets you manage all pieces in one interface, and manage a bunch of them together with a common configuration set. The new one supports working behind a NAT firewall, rather than right on the gateway.

They talked about the data flow, which consists of a lot of little arrows labelled A, B, C and so on pointing in different directions between various multicoloured boxes. The highlight is that it is componentized, so they can use parts of it to validate web sites the way iChain does, use plugins that talk to Java application servers to authenticate web applications, and authenticate SSL VPN users.

They showed some significantly complicated architectures with L4 switches, multiple access gateways, multiple firewalls, and all kinds of stuff that we don’t need. We can get by pretty much with a one-box gateway at each Internet gateway, like we do now with iChain. I expect the best way to go to the new version will be to build a new one in the local gateway site, on new hardware, then convert the other one to a second one in the other gateway site.

The proxy server component stores the protected resource configurations in XML files, one per publicly accessible server. The identity server machine stores the roles and policies for authorization, formfill, and identity injection (formerly called OLAC).

Migration considerations:

The user experience should be the same. The migration probably has to be done over a period of time. Hardware requirements are still being determined, and a white paper for hardware sizing will be available later. On Linux, the Access Gateway supports multiple CPUs and takes advantage of them for performance. It doesn’t support SLES9-64, only 32-bit.

There are a lot of new features in it that support very large installations, but we probably won’t use most of the high availability server pieces.

Entry filed under: Brainshare, Identity Management.
