Howto: Integrating Access Manager 3.1.1 with GroupWise 8 Published Calendars

  • 7004286
  • 24-Aug-2009
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Linux Access Gateway
Novell Access Manager 3.1 Linux Support Pack 1 applied
Client running Windows XP and IE7 with GroupWise client 8.0.1 (requirement)

Situation

The following document outlines basic information about the GroupWise published calendar setup (including key URLs), as well as details on how to integrate it with the Access Manager 3.1.1 Linux Access Gateway. The IP address/port and hostname details are specific to the test setup and should be changed to reflect the addresses, ports and hostnames from your setup.

Resolution

Basic Information

  • Enabling and configuring GroupWise published calendars is done in ConsoleOne

  • To enable: POA object->properties->GroupWise tab->Agent settings->checkbox “Enable Calendar Publishing”

  • To set URL('s) of Calendar Publishing hosts: gwise system->Tools->gwise system operations->“Web Calendar Publishing Hosts”

ex: http://<>/gwcal/calendar

name: seen by browsers making connection

URL: seen by browsers making connection

Address: Used for server-to-server connections between POA and Cal publishing host

Port: Used for server-to-server connections between POA and Cal publishing host

  • User setup activities:

  • Users are not allowed to publish their main GroupWise calendar, only other calendars.

  • To create a calendar: In the gwise client, highlight the calendar icon, rt click, then New Calendar.

  • To publish a calendar: In the gwise client, highlight the calendar icon, rt click, then Publish. Now on the Publish tab of the pop-up, select “Publish this calendar”.

  • Using (subscribing to) a published calendar:

  • Browse to http(s)://<Cal_Pub_Host>/gwcal to see a list of published calendars. The download link simply downloads the .ics file. The subscribe link launches the gwise client (if gwise is the default app for .ics type files) and allows the user to subscribe to that calendar. The gwise client opens a “Subscribe to Calendar” pop-up dialog where the user can then view/modify several options:

Location: is the URL of the calendar publishing host

Folder Name: is the name of the folder. If the calendar publishing web server is accessed through a proxy or other device requiring authentication, this field will be blank until after credentials are entered (below) and a connection is made.

Requires Authentication: select this option and enter username/pwd if the gwclient connection to the calendar publishing host is through a reverse proxy such as NAM and requires authentication (only Basic Auth is supported).

After reviewing/selecting the above options, click Subscribe

The subscribed calendar should now be shown as an icon in the left frame of the gwise client under the Calendar icon. Highlighting the subscribed calendar icon causes an HTTP GET to be sent to the URL of the published calendar. If successful, the icon shows a down arrow and contents of the calendar are then shown. If a failure occurs, the icon may be shown with a red x. Details of the connection status, url, login credentials, etc. can be seen by rt clicking the icon->Properties->Subscribe tab.

  • User Experience

  1. From a Win XP/IE7 machine with the gwise 8.0.0 5/14/2009 or later client installed, browse to the URL of the calendar publishing host through the AG (ex: https://<PublishedDNS>/gwcal)

    -user will see a Basic pop-up dialog for login to the Access Gateway

  2. Enter username/password

    -if valid credentials are entered, user will now see the page “Novell GroupWise Calendar Publishing Host”, which has “Download” and “Subscribe” links to all published calendars.

    -note that the Download links should be rewritten with the scheme/name/port of the accelerator used to access the page. The Subscribe links should have a scheme of webcal://, but the DNS name, port, and path of these links should also be rewritten.

  3. Click a Subscribe link

    -this launches the gwise client and a “Subscribe to calendar” pop-up is displayed. The “Location:” field should have the appropriate, rewritten URL for accessing the calendar publishing host through the AG. Note that the gwise client at this point does NOT connect through the AG. It uses a gwise protocol on port 1677. This connection on 1677 does not have to succeed; for example, the user may be at home and using the gwise client in caching mode.

  4. Select checkbox “This calendar requires authentication” and enter credentials for authentication to the Access Gateway.

  5. Click Subscribe

    -an icon for this calendar subscription should be created under the Calendar icon in the left frame of the gwise client

  6. Highlight the new icon

    -this action causes the gwise client to send an http(s) GET with populated Authorization header to the URL in the Location field as noted above. If the connection is successful, the icon will show a down-arrow image. When highlighted, the main gwise client frame will then show contents of the calendar.
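
One way to check the rewriting described in the note under "Enter username/password" above, as an added example that is not part of the original document: save the calendar list page as served through the Access Gateway and scan it for links that still carry the internal Web Server Host Name or lack the published path. The function name, the sample page and its link paths are assumptions made for illustration; the hostnames are the test-setup names used in this document.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collect every href/src/action value found in the page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.links.append(value)


def audit_gwcal_links(html, published_host, internal_host, path_prefix=""):
    """Return (link, reason) pairs for links the rewriter left untouched."""
    # path_prefix: Path List entry (e.g. "/testGW8") when Remove Path on Fill
    # is enabled; leave empty for the other configurations.
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for link in collector.links:
        parts = urlsplit(link)
        host = (parts.hostname or "").lower()
        if host == internal_host.lower():
            # Typical for webcal:// links when the Search/Replace entry is
            # missing or the Character profile is not first in the list.
            findings.append((link, "internal host exposed"))
        elif (path_prefix and host in ("", published_host.lower())
              and parts.path.startswith("/")
              and not parts.path.startswith(path_prefix + "/")):
            findings.append((link, "path prefix missing"))
    return findings


# Constructed sample page (link paths are assumptions): the Download link was
# rewritten, the webcal:// Subscribe link was not.
SAMPLE_PAGE = """
<a href="https://matt.lag.cit.novell.com/testGW8/gwcal/calendar/x.ics">Download</a>
<a href="webcal://internal.matt.lag.cit.novell.com/gwcal/calendar/x.ics">Subscribe</a>
"""

if __name__ == "__main__":
    for link, reason in audit_gwcal_links(
            SAMPLE_PAGE, "matt.lag.cit.novell.com",
            "internal.matt.lag.cit.novell.com", "/testGW8"):
        print(f"{reason}: {link}")
```

An empty result means no link on the page points a browser or the gwise client at the internal web server.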


Access Manager sample configurations

Following are examples of various configurations which have been used during testing with NAM 3.1.1 and GroupWise 8 published calendars. These configurations assume that GroupWise Webaccess and the Calendar Publishing Host are running on the same web server, both being accessed through the Access Gateway.

Proxy Service Type: Domain Based Multi-Homing

Published DNS Name: mattdbmhgw8lag.cit.novell.com

Host Header: Web Server Host Name

Web Server Host Name: internal.matt.lag.cit.novell.com

Connect Port: 80

HTML Rewriting:

Use a Char type rewriter profile with default settings except for one Search/Replace entry needed for rewriting the Subscribe links on the gwcal/calendar page. For example:

Search = webcal://<internal Web Server Host Name>

Replace = webcal://<Published DNS Name>

Be sure to enable this profile and put it at the top of the rewriter profile list (above the default, unmodified Word profile)

Protected Resources:

“pr1” for webaccess:

path /gw/*

Authentication Procedure: Secure Name/Password – Form type contract

Identity Injection (ii) policy to inject Credential Profile LDAP Name or FDN and Password into Authorization header

“pr2” for ajax

path /gw/webacc?User.context*

Authentication Procedure: Non-redirected login enabled, points to same contract used by pr1. Option “Redirect to Identity Server When No Authentication Header is Provided” is disabled.

ii policy to inject Credential Profile LDAP Name or FDN and Password into Authorization header

“pr3” for published calendar page

path /gwcal/*

Authentication Procedure: Same as used by pr2

ii policy – none

Path-Based Multi-Homing (Remove Path on Fill disabled)

Published DNS Name: matt.lag.cit.novell.com

Host Header: Web Server Host Name

Web Server Host Name: internal.matt.lag.cit.novell.com

Connect Port: 80

Path List: /gw, /gwcal

Remove Path on Fill: disabled

Reinsert Path in “set-cookie” Header: enabled

HTML Rewriting:

Uses a Character type rewriter profile:

Character profile:

All default settings except for one Search/Replace entry needed for rewriting the Subscribe links on the gwcal/calendar page. For example:

Search = webcal://<internal Web Server Host Name>

Replace = webcal://<Published DNS Name>

Be sure to enable this profile and put it at the top of the rewriter profile list (above the default Word profile)

Protected Resources:

“pr1” for webaccess:

path /gw/*

Authentication Procedure: Secure Name/Password – Form type contract

ii policy to inject Credential Profile LDAP Name or FDN and Password into Authorization header

“pr2” for ajax

path /gw/webacc?User.context*

Authentication Procedure: Non-redirected login enabled, points to same contract used by pr1

ii policy to inject Credential Profile LDAP Name or FDN and Password into Authorization header

“pr3” for published calendar page:

path /gwcal/*

Authentication Procedure: Same Authentication Procedure used by pr2

ii policy – none

Path-Based Multi-Homing (Remove Path on Fill enabled)

Published DNS Name: matt.lag.cit.novell.com

Host Header: Web Server Host Name

Web Server Host Name: <different than the Published DNS Name>

Connect Port: 80

Path List: /testGW8

Remove Path on Fill: enabled

Reinsert Path in “set-cookie” Header: enabled

HTML Rewriting:

Uses both a Word and Character type rewriter profile:

Character profile:

All default settings except for one Search/Replace entry needed for rewriting the Subscribe links on the gwcal/calendar page. For example:

Search = webcal://<internal Web Server Host Name>

Replace = webcal://<Published DNS Name>

Be sure to enable this profile and put it at the top of the rewriter profile list

Word Profile:

All default settings except those noted below:

“Rewrite Inbound Headers:” enabled

“Variable or Attribute Name to Search for is:” value

“String to Search for is:” Search=/gw[ew], Replace=$path/gw

Protected Resources:

pr1 for webaccess:

path /testGW8/gw/*

Authentication Procedure: Secure Name/Password – Form type contract

ii policy to inject Credential Profile LDAP Name or FDN and Password into Authorization header

pr2 for ajax

path /testGW8/gw/webacc?User.context*

Authentication Procedure: Non-redirected login enabled, points to same contract used by pr1

ii policy to inject Credential Profile LDAP Name or FDN and Password into Authorization header

pr3 for published calendar page

path /testGW8/gwcal/*

Authentication Procedure: Same Authentication Procedure used by pr2

ii policy – none