NetIQ iManager configuration settings are saved in webapps/nps/WEB-INF/config.xml.
NOTE: You can either save as you go or click Save after you have made all your changes on the various tabbed pages.
Security
The security page contains the following features:
When Using a Nonsecure Connection
Select this option if you want the message "You are accessing NetIQ iManager with a non-secure connection." to warn users who connect without SSL/TLS.
Auto Import Tree Certificate for Secure LDAP
Secure LDAP connections require a certificate. If you select this option, iManager automatically imports the tree's public certificate for secure LDAP. Because the import happens without any out-of-band check, verify that the imported certificate really is your tree CA's certificate (for example, compare its fingerprint) rather than trusting the import blindly.
Authorized Users and Groups
Authorized users and groups are users who can run various administrative tasks. Authorized user data is saved in webapps/nps/WEB-INF/configiman.properties. This file is created automatically at install time.
Using this option, you can modify the configiman.properties file. The tree name must be included with each name you specify (for example, admin.novell.mytree). If you want to designate all users as authorized users, type AllUsers. Note that AllUsers makes every user in the tree an iManager administrator, which is rarely appropriate outside a test system.
You can also add static and nested groups and organizational role to the list so that all the members of the group/organization become authorized users.
Note: If a nested group is added to the Authorized Users and Groups list, only the first level members of the group become authorized users. You cannot make a dynamic group authorized.
Note: You can add and save only valid users to the Authorized Users and Groups list. If you add invalid users and click Save, an error message, which says that the object is not found, is displayed. If you add only invalid users to the list and click Save, the error message is displayed and the list of invalid users is automatically replaced by AllUsers. If you do not want all the users of the tree to be authorized users, remove AllUsers from the list, add desired valid users to the list, and click Save.
Important: After a fresh installation of iManager, the Authorized Users and Groups list is empty. As the Admin user, immediately add users and groups to the list so that they become authorized and so that you hold the rights to modify the list. Otherwise, a non-admin user could add users and groups to the list, acquire the rights to modify it, and leave you (Admin) without the rights to modify the list.
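The two failure modes above (an empty list after installation, and AllUsers granting every user administrative tasks) are easy to miss during a review. The following script is an added example, not part of the iManager documentation or product: it parses configiman.properties and reports those conditions plus entries that appear to lack a tree name. The key name AuthorizedUsersList and the comma-separated value format are assumptions about the file layout; adjust AUTHORIZED_KEY if your file differs.

```python
"""Audit the Authorized Users and Groups list in configiman.properties.

Added example, not from the NetIQ iManager documentation. Assumes the list
is stored as a Java .properties entry such as
    AuthorizedUsersList=admin.novell.mytree,ops-admins.groups.mytree
The key name is an assumption about the file format.
"""
import re
import sys

AUTHORIZED_KEY = "AuthorizedUsersList"   # assumed key name, adjust if needed


def parse_properties(text: str) -> dict:
    """Minimal Java .properties parser: key=value or key:value, comment lines
    starting with # or !, and backslash-newline continuations."""
    props = {}
    text = re.sub(r"\\\r?\n[ \t]*", "", text)      # join continuation lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit_authorized_users(text: str) -> list:
    """Return a list of (severity, message) findings for the authorized list."""
    findings = []
    raw = parse_properties(text).get(AUTHORIZED_KEY, "")
    entries = [e.strip() for e in raw.split(",") if e.strip()]
    if not entries:
        findings.append(("HIGH", "list is empty: the first user to add entries "
                                 "decides who is authorized (see Important note)"))
        return findings
    for entry in entries:
        if entry.lower() == "allusers":
            findings.append(("HIGH", "AllUsers present: every user in the tree "
                                     "can run administrative tasks"))
        elif entry.count(".") < 2:
            # admin.novell.mytree has object, container and tree; fewer parts
            # usually means the tree name was omitted (heuristic check only)
            findings.append(("MEDIUM", f"'{entry}' does not look like "
                                       "name.context.tree; tree name may be missing"))
    return findings


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "webapps/nps/WEB-INF/configiman.properties"
    with open(path, encoding="utf-8") as fh:
        for severity, message in audit_authorized_users(fh.read()):
            print(f"{severity}: {message}")
```

Run it against the file after installation and after every change to the Authorized Users and Groups page; an empty result means the list names specific, fully qualified objects and does not contain AllUsers.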
Auditing
Enabling Novell Auditing in iManager
Install iManager.
Log in to iManager, navigate to > > and click .
Select , and then select the iManager events that you want to audit.
From the eDirectory installation package, install Platform Agent.
Modify the logevent file depending on your platform.
Linux: Perform the following actions:
Edit the following entries in the /etc/logevent.conf file:
LogHost=IP_Address_of_secure_logging_server
JLogCacheDir=/var/opt/novell/naudit/jcache
JLogCachePort=1287
LogCachePort=1288
LogJavaClassPath=/var/opt/novell/iManager/nps/WEB-INF/lib/NAuditPA.jar
LogMaxBigData=8192
LogEnginePort=1289
LogCacheUnload=no
LogCacheSecure=no
LogCacheLimitAction=keep logging
(Conditional) If the naudit folder does not exist, create it manually under /var/opt/novell/.
Change the ownership of the /var/opt/novell/naudit folder to the novlwww user and group by running the following command from /var/opt/novell/:
chown -R novlwww:novlwww naudit/
Windows: Edit the following entries in the logevent.cfg file in the C:\Windows folder. The values shown are the ones from the Linux procedure; substitute the corresponding Windows paths for JLogCacheDir and LogJavaClassPath on your system.
LogHost=IP_Address_of_secure_logging_server
JLogCacheDir=/var/opt/novell/naudit/jcache
JLogCachePort=1287
LogCachePort=1288
LogJavaClassPath=/var/opt/novell/iManager/nps/WEB-INF/lib/NAuditPA.jar
LogMaxBigData=8192
LogEnginePort=1289
LogCacheUnload=no
LogCacheSecure=no
LogCacheLimitAction=keep logging
Depending on your platform, uncomment the following entry in the imanager_logging.xml file:
Linux: Uncomment <appender-ref ref="NAUDIT_APPENDER"/> entry.
The imanager_logging.xml file is located in the /var/opt/novell/iManager/nps/WEB-INF/ directory.
Windows: Uncomment <appender-ref ref="NAUDIT_APPENDER"/> entry.
The imanager_logging.xml file is located in the C:\Program Files (x86)\Novell\Tomcat\webapps\nps\WEB-INF\ directory.
Restart Tomcat.
Verify that the events are logged to the logging server:
Linux: Stop jcache and restart Tomcat. Generate events and check the logging server.
Windows: Generate events and check the logging server.
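The logevent.conf edits above are usually repeated on every iManager host, and hand-editing leaves stale or duplicate keys behind. The following script is an added example, not part of the iManager documentation or of the Platform Agent: it sets the listed keys exactly once while preserving any other settings and the file's line order, then creates the naudit cache directory and, where the novlwww account exists, changes its ownership. The paths are the Linux defaults from the procedure; the LogHost value is a placeholder you must replace with your secure logging server.

```python
"""Apply the logevent.conf settings from the Linux auditing procedure.

Added example, not from the NetIQ iManager documentation. The settings
dictionary mirrors the documented entries; LogHost is a placeholder.
"""
import os
import re
import sys

LOGEVENT_SETTINGS = {
    "LogHost": "192.0.2.10",   # placeholder: IP of the secure logging server
    "JLogCacheDir": "/var/opt/novell/naudit/jcache",
    "JLogCachePort": "1287",
    "LogCachePort": "1288",
    "LogJavaClassPath": "/var/opt/novell/iManager/nps/WEB-INF/lib/NAuditPA.jar",
    "LogMaxBigData": "8192",
    "LogEnginePort": "1289",
    "LogCacheUnload": "no",
    "LogCacheSecure": "no",
    "LogCacheLimitAction": "keep logging",
}


def apply_settings(text: str, settings: dict) -> str:
    """Return text with each managed key present exactly once.

    The first existing line for a key (active or commented out) is replaced
    in place; later duplicates are dropped; missing keys are appended.
    Lines for keys we do not manage are kept unchanged.
    """
    out, seen = [], set()
    for line in text.splitlines():
        m = re.match(r"\s*(#?)\s*([A-Za-z]+)\s*=", line)
        key = m.group(2) if m else None
        if key in settings:
            if key not in seen:
                out.append(f"{key}={settings[key]}")
                seen.add(key)
            continue                      # drop commented/duplicate copies
        out.append(line)
    for key, value in settings.items():
        if key not in seen:
            out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def configure(path: str = "/etc/logevent.conf",
              cache_dir: str = "/var/opt/novell/naudit") -> None:
    """Rewrite the config atomically and prepare the naudit cache directory."""
    text = open(path, encoding="utf-8").read() if os.path.exists(path) else ""
    tmp = path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as fh:
        fh.write(apply_settings(text, LOGEVENT_SETTINGS))
    os.replace(tmp, path)                 # atomic swap, never a half-written file
    os.makedirs(os.path.join(cache_dir, "jcache"), exist_ok=True)
    try:
        import grp
        import pwd
        uid, gid = pwd.getpwnam("novlwww").pw_uid, grp.getgrnam("novlwww").gr_gid
        for root, _dirs, files in os.walk(cache_dir):
            os.chown(root, uid, gid)
            for name in files:
                os.chown(os.path.join(root, name), uid, gid)
    except KeyError:
        print("user/group novlwww not found; run chown manually", file=sys.stderr)
    except PermissionError:
        print("not permitted to chown; rerun as root", file=sys.stderr)


if __name__ == "__main__":
    configure(*sys.argv[1:3])
```

Run it as root (`python3 logevent_conf.py /etc/logevent.conf /var/opt/novell/naudit`), then continue with the imanager_logging.xml step and restart Tomcat as described above.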
Enabling XDAS Auditing
XDAS Auditing comes with iManager by default. XDAS Auditing captures data about the following events:
Added Authorized User
Successful Login
Successful NPM Install
Startup iManager
Failed SSL Connection
Logout
Changed Configuration
Successful NPM Upload
Failed Login
Failed NPM Install
Shutdown iManager
To enable XDAS audit for iManager:
Log in to iManager.
Click .
In the Configure iManager page, on the tab, select .
Select the events you want to record, and then click .
Configuring XDAS Auditing
The following table lists the default location of the XDAS configuration file, imanager_logging.xml, on each operating system. You can customize the file according to your requirements:
Operating System: File
Linux: /var/opt/novell/iManager/nps/WEB-INF/imanager_logging.xml
Windows: c:\Program Files\Novell\Tomcat\webapps\nps\WEB-INF\imanager_logging.xml
Linux and Windows Workstation: <unzipped workstation folder>\imanager\tomcat\webapps\nps\WEB-INF\imanager_logging.xml
The following table lists the XDAS appenders configured in that file:
Option: Name
Syslog Appender: syslog
Rolling File Appender: file_appender
The following table explains the Syslog appender settings in the imanager_logging.xml file:
Setting: Description
syslogHost: IP address (optionally with a port, as host:port) of the host on which the audit server is running.
syslogProtocol: The protocol used for communication (UDP, TCP, or SSL). UDP and TCP send audit events in clear text, so use SSL unless the audit server is on a network you fully trust.
syslogSslKeystoreFile: Location of the keystore file (used only for SSL).
syslogSslKeystorePassword: Password for the keystore file (used only for SSL). It is stored in clear text in imanager_logging.xml, so restrict read access to that file.
Threshold: Specifies the minimum log level allowed in the Syslog appender. Currently, only the INFO log level is supported.
Facility=USER: Specifies the syslog facility, which is used to classify the message. Currently, only the USER facility is supported. The value may be given in upper or lower case.
Layout: Layout setting for the Syslog appender.
The following table lists the File appender settings:
Setting: Description
File=${catalina.home}/logs/imanager.log: The default location of the log file for the File appender.
MaxFileSize=10MB: The maximum size of the log file for the File appender. Set this value to the maximum size that the client allows.
MaxBackupIndex=10: The maximum number of backup files for the File appender. The maximum is 10. If MaxBackupIndex is set to 0, no backup file is created and the log is truncated when it reaches MaxFileSize.
layout class=org.apache.log4j.PatternLayout: Layout class for the File appender.
ConversionPattern="%t %d %-5p [%c:%M] %m%n": Layout pattern for the File appender: thread name, timestamp, log level, logger and method, then the message.
To enable the Syslog appender, edit the following entries in the imanager_logging.xml file:
<param name="Facility" value="user"/>
<param name="syslogHost" value="192.168.1.5:1468"/>
<param name="syslogProtocol" value="tcp"/>
<param name="syslogSslKeystoreFile" value="/root/Desktop/sentinel/mykeystore.jks"/>
<param name="syslogSslKeystorePassword" value="novell"/>
<param name="Threshold" value="INFO"/>
The keystore entries only take effect when syslogProtocol is ssl; with tcp, as in this sample, events travel in clear text. Then log in to iManager and change the log events.
To enable the File appender, edit the following entries in the imanager_logging.xml file:
<param name="File" value="${catalina.home}/logs/imanager.log"/>
<param name="Append" value="true" />
<param name="MaxFileSize" value="10MB" />
<param name="MaxBackupIndex" value="10" />
You can customize the File value on either platform, for example:
Linux: /home/imanager.log
Windows: C:\\<directory>\\imanager.log
Then select the desired events in iManager and save the changes.
NOTE: The Failed SSL connection XDAS event is logged multiple times because internally several attempts are made to establish an LDAP connection.
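Once the File appender is on, the log is only useful if something reads it. The following script is an added example, not part of the iManager documentation or product: it parses lines written with the documented ConversionPattern "%t %d %-5p [%c:%M] %m%n", collapses the repeated Failed SSL Connection entries described in the note above, and raises an alert when one user accumulates several Failed Login events inside a short window. The sample log lines are constructed for this example; the logger name "audit", the method name "log" and the "user=" / "client=" fields in the message text are assumptions, so adapt the regexes to the message format your iManager version actually writes.

```python
"""Parse imanager.log (File appender, pattern "%t %d %-5p [%c:%M] %m%n") and
flag failed-login bursts. Added example, not NetIQ code; sample lines below
are constructed and the message field layout is an assumption."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; the logger name and message fields are assumed.
SAMPLE_LOG = """\
http-8443-1 2024-03-01 10:15:02,123 INFO  [audit:log] Failed SSL Connection host=ldap.example.com port=636
http-8443-1 2024-03-01 10:15:02,140 INFO  [audit:log] Failed SSL Connection host=ldap.example.com port=636
http-8443-1 2024-03-01 10:15:02,161 INFO  [audit:log] Failed SSL Connection host=ldap.example.com port=636
    at sun.security.ssl.Alert.createSSLException(Alert.java:131)
http-8443-1 2024-03-01 10:15:10,002 INFO  [audit:log] Failed SSL Connection host=ldap.example.com port=636
http-8443-2 2024-03-01 10:16:00,001 INFO  [audit:log] Failed Login user=admin.novell.mytree client=203.0.113.7
http-8443-2 2024-03-01 10:16:20,517 INFO  [audit:log] Failed Login user=admin.novell.mytree client=203.0.113.7
http-8443-3 2024-03-01 10:16:31,000 INFO  [audit:log] Failed Login user=bob.novell.mytree client=198.51.100.4
http-8443-2 2024-03-01 10:16:45,090 INFO  [audit:log] Failed Login user=admin.novell.mytree client=203.0.113.7
http-8443-4 2024-03-01 10:17:01,000 INFO  [audit:log] Successful Login user=carol.novell.mytree client=198.51.100.9
"""

# %t thread, %d ISO8601 timestamp, %-5p padded level, [%c:%M], %m
LINE_RE = re.compile(
    r"^(?P<thread>\S+) (?P<date>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) "
    r"(?P<level>[A-Z]+)\s+\[(?P<logger>[^:\]]+):(?P<method>[^\]]*)\] (?P<msg>.*)$"
)
FAILED_LOGIN_RE = re.compile(r"^Failed Login\b.*\buser=(?P<user>\S+)")


def parse_line(line: str):
    """Return a dict for a pattern-formatted line, None for continuation lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["time"] = datetime.strptime(ev["date"], "%Y-%m-%d %H:%M:%S,%f")
    return ev


def parse_log(text: str) -> list:
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def collapse_repeats(events, prefixes=("Failed SSL Connection",),
                     window=timedelta(seconds=2)) -> list:
    """Keep one copy of a repeated message per window. iManager writes the
    Failed SSL Connection event once per internal LDAP connect attempt."""
    kept, last_kept = [], {}
    for ev in events:
        if ev["msg"].startswith(prefixes):
            prev = last_kept.get(ev["msg"])
            if prev is not None and ev["time"] - prev <= window:
                continue
            last_kept[ev["msg"]] = ev["time"]
        kept.append(ev)
    return kept


def detect_failed_logins(events, threshold=3, window=timedelta(seconds=60)) -> list:
    """Sliding window per user: alert once when failures in the window reach
    threshold. Returns dicts with user, count, first and last timestamps."""
    recent, alerts, alerted = defaultdict(deque), [], set()
    for ev in events:
        m = FAILED_LOGIN_RE.match(ev["msg"])
        if not m:
            continue
        user = m.group("user")
        q = recent[user]
        q.append(ev["time"])
        while q and ev["time"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and user not in alerted:
            alerts.append({"user": user, "count": len(q), "first": q[0], "last": ev["time"]})
            alerted.add(user)
    return alerts


if __name__ == "__main__":
    for alert in detect_failed_logins(collapse_repeats(parse_log(SAMPLE_LOG))):
        print(f"{alert['user']}: {alert['count']} failed logins "
              f"between {alert['first']} and {alert['last']}")
```

Point parse_log at ${catalina.home}/logs/imanager.log (or feed the same logic the Syslog appender's output on the audit server) and tune threshold and window to your environment; the collapse step is what keeps the duplicated SSL failures from inflating counts or drowning the login signal.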
Enabling CEF Auditing
CEF Auditing comes with iManager by default. CEF Auditing captures data about the following events:
Added Authorized User
Successful Login
Successful NPM Install
Startup iManager
Failed SSL Connection
Logout
Changed Configuration
Successful NPM Upload
Failed Login
Failed NPM Install
Shutdown iManager
To enable CEF audit for iManager:
Log in to iManager.
Click .
In the Configure iManager page, on the tab, select .
Select the events you want to record, and then click .
Look and Feel
Use this page to customize the appearance of your iManager.
Title Name
Type your organization's name in this text box. It appears in the title bar of the Web browser in place of the default text, NetIQ iManager.
Title Bar Color
You can customize the color of the title bar:
- Title Color: Lets you select the color in which your organization's name is displayed in the title bar.
- Left Color: Lets you select the color of the left panel of the title bar.
- Right Color: Lets you select the color of the right panel of the title bar.
You can select a color by entering its hexadecimal value in the text field. Entries are not case sensitive.
Logo Image Location
The title bar can also contain the logo of your organization. Your logos must conform to the dimensions given in the interface. Store the logo images in /portal/modules/fw/images and specify the path of each image in its respective text field. By default, no logo is displayed in the header. Select the option for showing a logo in the header to display it; clear the option to hide it.
Logging Events
Logging Level
Select a logging level for Web server debugging: No Logging, Errors, Warnings, or Information Messages.
Logging Output
Select whether to send the log output to the Standard Error Device, the Standard Output Device, or the Debug.HTML file. The log file path and log file size appear on this page.
View: Click this button to view the log file.
Clear: Click this button to clear all the data in the log file. The Log File Size resets to 0 bytes (zero).
Authentication
Authentication configuration affects the iManager login page.
Remember Login Credentials
If you select this option, only your password is required at login.
Use Secure LDAP for auto-connection
This setting specifies whether iManager's automatic LDAP connection uses SSL/TLS or clear-text LDAP. Some plug-ins, such as Dynamic Groups and NMAS, do not work if this option is not selected. The setting does not take effect until you log out of iManager.
Hide specific reason for login failure
Replaces authentication-related eDirectory messages with a generic error message that reads: Login Failure. Invalid Username or Password. This prevents an attacker from using the detailed messages to enumerate valid usernames or learn the state of an account.
Allow 'Tree' Selection on Login Page
If you select this option, the Tree text box appears on the login page. If you do not select it, you must configure a default tree name; otherwise, you cannot log in.
Contextless Login
Contextless login allows users to log in with only a username and password, without knowing or understanding their entire user object context (for example, admin.support). If there are multiple users with the same username in the tree, contextless login tries to log in using the first user account it finds with the supplied password. In this case, a user should either provide a full context when logging in, or you should limit the containers that contextless login searches.
Select the search containers option and specify the containers where user objects can be found for login or select the search from root option to search from the root of the tree for contextless login.
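Before enabling contextless login it is worth knowing which usernames are ambiguous in the tree, because those are the accounts where the "first user found" rule decides who gets authenticated. The following script is an added example, not part of the iManager documentation or product: it reads a (constructed) LDIF export of user objects, lists names that occur under more than one container, and shows the candidate list that a given Containers to Search order would produce, so you can see how narrowing the search containers removes the ambiguity. The tree, container and user names are made up, and the script models only the search order, not the password attempt that iManager makes against each candidate.

```python
"""Find usernames that are ambiguous for iManager contextless login.

Added example, not NetIQ code. Input is a constructed LDIF export such as
`ldapsearch -LLL -b o=novell '(objectClass=inetOrgPerson)' cn` would give.
"""
import base64
from collections import defaultdict

SAMPLE_LDIF = """\
dn: cn=admin,o=novell
cn: admin

dn: cn=jsmith,ou=support,o=novell
cn: jsmith

dn: cn=jsmith,ou=contractors,o=novell
cn: jsmith

dn: cn=admin,ou=lab,o=novell
cn: admin

dn: cn=mlee,ou=support,o=novell
cn: mlee
"""


def parse_ldif(text: str) -> list:
    """Minimal LDIF parser: returns [(dn, {attr: [values]})]. Handles
    'attr:: base64' values and # comments; no line folding or changetypes."""
    entries, dn, attrs = [], None, defaultdict(list)
    for raw in text.splitlines() + [""]:            # trailing "" flushes the last entry
        line = raw.rstrip("\r")
        if not line:
            if dn:
                entries.append((dn, dict(attrs)))
            dn, attrs = None, defaultdict(list)
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        value = value.lstrip()
        if value.startswith(":"):                   # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        if name == "dn":
            dn = value
        else:
            attrs[name].append(value)
    return entries


def ambiguous_names(entries, attr="cn") -> dict:
    """Map each username that exists in more than one place to its DNs."""
    by_name = defaultdict(list)
    for dn, attrs in entries:
        for value in attrs.get(attr, []):
            by_name[value.lower()].append(dn)
    return {name: dns for name, dns in by_name.items() if len(dns) > 1}


def contextless_candidates(entries, username, containers, attr="cn") -> list:
    """Accounts contextless login would try, in Containers to Search order.
    A container of "" means search from the root of the tree."""
    found, seen = [], set()
    for base in containers:
        suffix = ("," + base.lower()) if base else ""
        for dn, attrs in entries:
            if dn in seen or not dn.lower().endswith(suffix):
                continue
            if username.lower() in (v.lower() for v in attrs.get(attr, [])):
                found.append(dn)
                seen.add(dn)
    return found


if __name__ == "__main__":
    users = parse_ldif(SAMPLE_LDIF)
    for name, dns in sorted(ambiguous_names(users).items()):
        print(f"{name}: {len(dns)} accounts")
        print("  search from root:", contextless_candidates(users, name, [""]))
        print("  ou=support only: ", contextless_candidates(users, name, ["ou=support,o=novell"]))
```

Every name reported by ambiguous_names is one where a user typing just the username may authenticate as a different object than intended; either give those users a full context or order and restrict the search containers until each name resolves to one candidate.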
- Containers to Search
The containers iManager searches, in the order listed, to find a user. You can rearrange the search order by using the Up and Down arrows.
- Public Username
By default, iManager performs the contextless lookup with public (anonymous) access, requiring no specific credentials. If you want, you can specify a user with specific credentials to perform the search. The iManager public user is used if you do not specify a user.
Correct syntax for the public username is username.context; for example, admin.novell.
IMPORTANT: If you specify a public user, consider carefully the implications to password expiration settings. If the password is set to expire on the public user, you have no opportunity to change the password during login, when it expires.
- Public User Password
The password for the user specified in Public Username. The password is saved unencrypted, in clear text, in the iManager configuration, so give this user only the rights needed to search the login containers and restrict read access to the configuration files.
- Retype Password
Retype the password for accuracy.
iManager Server Timeout Settings
- If you want the iManager server to time out after a certain period, specify the number of days, hours, and minutes in the respective fields.
- If you never want the server to time out, select the Never Timeout option.
Redirection after Logout
Selecting the Redirection after Logout option allows you to specify the URL to be redirected to after logging out of iManager. If you have not selected this option, then clicking Exit logs you out of iManager and by default, the Login page is shown.
Enable: Select this option to enable the Redirection After Logout feature.
URL: Specify the URL to be redirected to after logging out.
RBS
Role-Based Services (RBS) assigns the rights within eDirectory to perform tasks. In order to do certain things, you must have rights in the eDirectory tree. When you assign a role to a user, RBS assigns the rights necessary to perform the tasks of that role.
Force Unrestricted Access
After you configure RBS and create a collection object in the tree for iManager, the mode shows as Collection Owner Access or Assigned Access every time you log in. If you want to bypass RBS for troubleshooting purposes, you can force iManager to use Unrestricted Mode.
IMPORTANT: Selecting the Force Unrestricted Access option allows even an unauthorized user to view all the Roles and Tasks of other users, which is not recommended.
Use it only for troubleshooting, not as a long-term solution.
Enable Dynamic Groups
Selecting the Enable Dynamic Groups option enables RBS to allow Dynamic Groups to be members of a role.
NOTE: A group cannot be converted to a dynamic group, or vice versa, if the object has any role assignments.
Show Roles in Owned Collection
Selecting this option allows collection owners to see all roles and tasks where they are members. If you do not select it, owners can see only their assigned roles.
Click the drop-down arrows for lists of the following:
- Role Discovery Domain
Indicates where iManager is to search in the tree for roles that are assigned to a container object.
- Parent: Searches for roles in the user's parent container.
- Partition: Searches for roles assigned up to the first eDirectory partition of a user.
- Root: Searches for roles in the entire tree.
- Dynamic Group Discovery Domain
Indicates where iManager is to search in the tree for dynamic group membership. Role membership is checked in the dynamic groups found.
- Parent: Searches for dynamic groups up to the parent container.
- Partition: Searches for dynamic groups up to the first eDirectory partition.
- Root: Searches the entire tree for dynamic groups, up to root.
- Dynamic Group Search Type
Indicates which type of dynamic groups should be searched for role membership.
- Dynamic Group Objects Only: Searches for objects that are of the dynamicGroup class type.
- Dynamic Group Objects and Aux Classes: Searches for objects that either are of the dynamicGroup class type or have been extended with the dynamicGroupAux class. This includes Group objects that were later converted to dynamic groups.
- RBS Tree List
When a collection owner or a role member authenticates, this setting is auto-populated with the eDirectory tree's name. It keeps track of the eDirectory trees where RBS has been configured. If RBS is removed from an eDirectory tree, remove that tree's entry from this list to return to Unassigned Access mode.
Plug-In Download
NetIQ Plug-In Module Download Settings
The NetIQ Plug-In Module Download Settings pane provides the following options for keeping you informed of updated plug-ins.
Query download site for new NetIQ Plug-in modules (NPM): Select one of the following sites to download NetIQ plug-in modules from.
- Novell Download site: Select this option to download the plug-in modules from the Novell download site.
- Custom download site: Select this option to download the plug-in modules from a custom site. Specify the URL of the custom site in the Download URL field. Because a downloaded NPM is code that runs inside the iManager server, use an HTTPS URL and a site you control.
Show every available plug-in: Displays all the plug-ins available on the selected site.
Show only updates to installed plug-ins: Displays only the updates available on the selected site for plug-ins that are already installed.
A list of NPMs is found on the Available NetIQ Plug-ins page.
Proxy
If the iManager server sits behind a firewall, it can reach the download site through a proxy server. Only HTTP (Web) proxies are supported. To download plug-ins through the proxy, fill in the following fields:
Enable Proxy: Select this option to enable the Proxy feature.
Proxy Host: Specify the proxy host IP address.
Proxy Port: Specify the proxy port number.
Username: Specify the proxy username.
Password: Specify the proxy password.
Retype Password: Specify the proxy password again.
Misc
Enable [this]
You can safely ignore this option. Enable [this] was added to iManager to allow NetIQ teams to modify their own objects. [this] is an attribute in the tree that enables specific self-management functionality. If [this] is enabled, all eDirectory servers in the tree must be version 8.6.2 or later.
eGuide URL
Specifies the URL for eGuide. This is used by the eGuide launch button in the header and by the eGuide role and task management tasks. It must be a full URL (for example, https://my.dns.name/eGuide/servlet/eGuide) or the keyword EMFRAME_SERVER. Using EMFRAME_SERVER causes eMFrame to look for eGuide on the same server on which eMFrame is located.
Certificate
You can use the Certificate tab to choose the certificate type and cipher level that match your security requirements.
Certificate Public Key Algorithm
iManager provides the following certificates:
- RSA - The certificate uses a 2048-bit RSA key pair.
- ECDSA 256 - The certificate uses an ECDSA key pair with curve secp256r1.
- ECDSA 384 - The certificate uses an ECDSA key pair with curve secp384r1.
Cipher Suite
Based on the certificate you choose, iManager allows you to configure the following cipher suites. For ECDSA certificates, iManager allows only Suite B ciphers.
RSA
- NONE - Allows any type of cipher.
- LOW - Allows a 56-bit or a 64-bit cipher.
- MEDIUM - Allows a 128-bit cipher.
- HIGH - Allows ciphers that are greater than 128-bit.
ECDSA 256
- SUITEB 128 ONLY - Allows a 128-bit cipher.
ECDSA 384
- SUITEB 128 - Allows a 128-bit cipher or 256-bit cipher.
- SUITEB 192 - Allows a 256-bit cipher.
By default, RSA is selected and the cipher level is set to NONE, which accepts any cipher the client offers, including the 56-bit and 64-bit ciphers of the LOW level. For an RSA certificate, set the level to HIGH unless a client you must support cannot negotiate it. If you change the certificate or the cipher level, restart the Tomcat server for the change to take effect.
For more information on changing the cipher levels in Mozilla Firefox, refer to the Certificate section of the NetIQ iManager Administration Guide.