4 — Configuring the NetCrusader/Web Security Adapter

[Previous] [Next] [Contents] [Index]

This chapter describes how to configure the NetCrusader/Web Security Adapter. It contains the following sections:

4.1 Starting the Configuration Wizard
4.2 Configuring Junctions
4.3 Configuring Access Control Lists
4.4 Customizing the Default Access Denied Page
4.5 Customizing the Basic Authentication Realm
4.6 NetCrusader/Web Configuration Files

NOTE: If you have not done so already, read the NetCrusader/Web Overview Guide before you start configuring the NetCrusader/Web Security Adapter. The guide gives an overview of important security concepts and the NetCrusader/Web product.

4.1 Starting the Configuration Wizard

Start the Security Adapter configuration wizard as described in this section and then follow the instructions in the online help.

NOTE: You must restart the web server for changes to take effect.

To start the Configuration Wizard:

From the Windows Start menu, select Programs, and then NetCrusader Web, and then Security Adapter.

For information on any screen or field, see the online help. To access the online help, click the Help button.

For information on a screen or field, see the online help. To access the online help, click the Help button and then click the screen name from the Table of Contents.

4.1.1 Using the Security Adapter Configuration Wizard

When you start the Security Adapter configuration wizard on Windows platforms, the Servers screen appears. When you click the Next button, the wizard verifies that the license file (NetC.lic) has been installed. If not, you are asked if you want to install it. If you click Yes, you can then navigate to the location of the file. NetC.lic is provided on a separate diskette or via email. If you did not receive this file, contact your sales representative. At the end of the configuration, you are prompted for the security administrator username and password.

NOTE: It is possible to install and configure NetCrusader/Web without the security administrator username and password. If you require this type of installation, contact Entegrity Technical Support.

If you need information on any of the fields or concepts, click Help.

4.2 Configuring Junctions

A NetCrusader/Web junction is a mechanism which allows the Security Adapter server to act as a proxy for other web servers. (For a description of how junctions work, see the NetCrusader/Web Overview Guide).

4.2.1 Creating a Junction

You create a junction using the Junctions screen in the Security Adapter configuration wizard. Before using the wizard to create junctions, consider creating a web directory specifically for junctions. Also, be sure to read the section on limitations of junctions (Section 4.2.2 on page 24).

On the junction server:

1. Start the Security Adapter configuration wizard.

2. At the first screen, select the web server that will be the junction server.

3. Click Next. The Authentication screen appears.

4. Under Options, check Enable Junctions.

5. Click Next until the Junctions screen appears.

6. In the white area under Select the Web directory entries to be configured as junctions, expand the folder until you find the directory where you will place the junction. Click Add.

   NOTE: You cannot add a junction under another junction.

7. Enter a name for the junction. For example, you want to create a link to the product documentation that is stored on another server. You could call the junction techdocs.

   A check appears in front of the box labeled This entry is a junction.

8. Fill in the appropriate information (for example, DNS name or IP address and port). If you need more information on a field, click the Help button.

9. Click Next until the Finish button appears.

10. Click Finish.

Refer to the junction by the junction name. For example, the following link references the junction created in the previous steps:

<p><a href="Mktg/techdocs/index.html">Click here for product manuals</a></p>

NetCrusader/Web junctions have the following limitations you must consider:

• Junction servers cannot currently filter the following:
  • URLs that may be coded inside Java applets
    
  • ActiveX controls
    
  • Scripts downloaded to the browser (that is, client-side scripts)
    

    For example, if a Java applet contains a hard-coded URL link back to the target server, the junction server will not replace it with the URL that routes the link back through the junction server. Examine the applications to verify that these conditions do not exist.

    If you control the target server and you want to be sure it is isolated, configure the server to allow access only by the junction server, and re-code any URLs that refer to the target server in applets, controls, or scripts.

• The junction server filters and adjusts URLs that occur in the attributes of the HTML tags listed in Table 4-1. (Filtering is case-insensitive regarding tags and attributes; it occurs regardless of the case of the tag or attribute.) Filtering ensures that all content and links appear to the browser as originating from the junction server, thereby allowing proper operation.

  Table 4-1: Tags Filtered at Junction Server

  Tag	Attributes
  A	HREF
  APPLET	CODEBASE
  AREA	HREF
  BODY	BACKGROUND
  FORM	ACTION
  FRAME	SRC
  IMG	SRC
  INPUT	SRC
  LINK REL	HREF
  SCRIPT	SRC

• The junction points to the document root of the target server. It cannot point to a subdirectory.

• The connection between the junction server and the target server is HTTP, not HTTPS.

When you create a TCP target server, consider taking the following additional measures to increase security:

• Configure the junction server to allow access only by the user identity that the junction server is running under.

• Configure the target server to allow access only from a specific IP address (the address of the junction server).

• Configure the target server to listen on a port other than 80.

NetCrusader uses Access Control Lists (ACLs) to control access to secure data. NetCrusader ACLs are similar to the file permission mechanisms provided by some web servers and most operating systems, but provide finer-grained access control. (For more information on NetCrusader access control, see the NetCrusader/Web Overview Guide.)

To view and modify ACLs, use NetCrusader Commander. The account you use to change ACLs must be a member of the ACL Control group (wccs-admin). By default, the Security Adapter configuration program creates the wccs-admin group when you first configure a Security Adapter. Initially, only the Security Server administrator is a member of this group. You must use Commander to add additional members to this group.

To access NetCrusader Commander:

From the Windows Start menu, select Programs, and then Gradient NetCrusader, and then NetCrusader Commander.

To add a user to the wccs-admin group:

See the Commander online help for detailed instructions on performing the following tasks:

1. Log into Commander using an account with administrator privileges.

2. If the user does not already exist, create it.

3. Open the wccs-admin group's property sheet and select the Membership tab.

4. Add users to the group.

When a user attempts to access a page for which access is denied, the Security Adapter displays a page called AccessDeny.asp (IIS) or AccessDeny.htm (Netscape servers) indicating that the user does not have access to the requested page. This page is similar to the one shown in the following illustration.

You can modify this page without restriction as long as you do not change the name or location of the page. This page is located the lib/html subdirectory of the directory in which you installed NetCrusader/Web.

The following illustration shows a page modified for a Human Resource System application.

In this example, the developer changed the background color to white and added a logo graphic and contact information. You could also add navigation buttons, links to local help files, and so on.

4.5 Customizing the Basic Authentication Realm

The secure documents and application objects protected by the Security Adapter on a given web server, together with the user permissions to those objects, comprise a protection space, or realm.

The name of the realm is passed from the web server to the browser during a Basic Authentication challenge. The realm name appears in a browser dialog box along with fields that allow the user to enter a valid username and password.

The Security Adapter supplies the realm name that appears in the browser's dialog box by generating it from one of three sources:

• From the Realm field of the Authentication screen in the configuration wizard, or, if this field is blank,

• From the Full Name field of the Security Adapter principal, or, if this field is blank,

• From the Security Adapter principal name.

The realm name can be any string of characters. You can customize the realm name using either the Security Adapter Configuration wizard or Commander.

If you do not customize the realm name, the realm name that appears in the browser's dialog box during a password challenge will be the Security Adapter principal (user) name.

To customize the Realm Name using the Configuration Wizard:

1. Start the Security Adapter Configuration wizard.

2. Click Next until the Authentication screen appears.

   If SSL with Basic Authentication is checked, the Realm field will be enabled and you can enter a string for the realm name. For example, if you enter Wally World, and the hostname of your web server is rides.fun.org, a user that runs Netscape Navigator will see a dialog box that says "Enter username for Wally World at rides.fun.org".

1. Start the NetCrusader Commander program.

2. Log in using an account that has administrator privileges.

3. Expand the Users view and double-click the Security Adapter user (for example, wcsecad/RIDES).

4. In the General screen, enter a string for Full Name.

5. Click OK.

NetCrusader/Web uses external configuration files (.INI files) on both Windows and Solaris platforms to hold information about your NetCrusader/Web configuration.

There is one primary file for the NetCrusader/Web installation (NetCrusader.ini on Windows platforms, webc.ini on Solaris) and a unique file per server. The per-server configuration files are named based on the name of the web server. The configuration files are located in the secad subdirectory of the NetCrusader/Web installation directory.

For best results, you should not edit these files directly.

When you configure a Netscape web server with NetCrusader/Web, NetCrusader/Web alters the Netscape obj.conf file. Do not edit the added lines unless instructed to do so by Entegrity Technical Support.

[Previous] [Next] [Contents] [Index]

To make comments or ask for help, contact support@entegrity.com.

Copyright © 2000-2003 Entegrity Solutions Corporation & its subsidiaries