If you want the Identity Server to display error details when certificate validation fails, edit the /opt/novell/nam/idp/conf/server.xml file by using the following procedure:
1 Search for the clientauth attribute in the server.xml file.
2 Modify the value of the clientauth attribute from the default value of false to want.
3 Save the file and restart Identity Server by using the rcnovell-idp restart command.
4 Export the certificate from the Administration Console by using the Security > Certificates option.
5 Import the certificate into the browser:
Internet Explorer: Tools > Internet Options > Content > Certificates > Add into Trusted Roots
Mozilla Firefox: Firefox Options > Encryption > Advanced > View Certificates > Servers
2.1.3 Troubleshooting Tips for Custom Login Pages
If your custom login page does not display or generates an error message, use the following procedure to discover the root cause:
1 Set the Application option of Component File Logger Levels to debug, update the Identity Server, attempt to log in, then view the log file.
Check for Unable to Compile errors in the log file. If your custom page does not compile, a blank page is displayed.
2 If you receive an Unable to Find File error, verify the value of the JSP property. Ensure that the value does not contain the JSP extension as part of the filename.
3 If you see pages that you have deleted or pages where your modifications have not been implemented:
3a Open the new custom file with a text editor to ensure it has a newer date than the compiled file.
If this does not solve the problem, continue with Step 3b.
3b Delete the nidp directory in the Tomcat work directory on each Identity Server. This forces a recompile of the JSP pages.
Linux: /opt/novell/nam/idp/work/Catalina/localhosts/nidp
Windows Server 2008: \Program Files (x86)\Novell\Tomcat\work\Catalina\localhosts\nidp
3c Restart Tomcat on each Identity Server.
2.2 Customizing the Identity Server Logout
You can also use the following methods to modify the Identity Server logout page:
Section 2.2.1, “Rebranding the Logout Page,” on page 80
Section 2.2.2, “Replacing the Logout Page with a Custom Page,” on page 80
Section 2.2.3, “Configuring for Local Rather Than Global Logout,” on page 81
To customize the logout page when the user logs out of an Access Gateway protected resource, see “Customizing Logout Requests” in the NetIQ Access Manager 4.0 SP1 Access Gateway Guide.
When you have both Liberty and SAML 2.0 sessions running on the Identity Server and you log out of the Access Gateway, the logoutsuccess.jsp page is not executed with the customization you have made to the logout page. For information about the workaround, see “Logging Out of Sessions to the Access Gateway and SAML Connectors when Branding Exists in the Customized Logout Page” in the NetIQ Access Manager 4.0 SP1 Access Gateway Guide.
NOTE: After customizing a JSP file, you need to sanitize the JSP file to prevent XSS attacks. See Section 2.5, “Preventing Cross-site Scripting Attacks,” on page 101.
2.2.1 Rebranding the Logout Page
The branding in the header of the logout page is controlled by the branding of the nidp.jsp file. If you have modified this file for a customized login, the same branding appears in the logout page. For information about how to modify nidp.jsp for logos, titles, and colors, see “Rebranding the Header” on page 65.
IMPORTANT: Save a copy of your modified nidp.jsp file. Every time you upgrade your Identity Server, you need to restore this file.
2.2.2 Replacing the Logout Page with a Custom Page
You can create your own logout page and configure the Identity Server to use it. To do this, you need to modify the logoutSuccess.jsp file on the Identity Server. It is located in the following directory:
Linux: /opt/novell/nids/lib/webapp/jsp
Windows Server 2008: \Program Files (x86)\Novell\Tomcat\webapps\nidp\jsp
The logoutSuccess.jsp file is called in a frame from the nidp.jsp file. You can modify the file to display what you want or you can modify it to redirect the user to your custom page. One way to provide redirection is to replace the information in the <body> element of the file with something similar to the following:
<body>
<script language="JavaScript">
top.location.href='http://<hostname/path>';
</script>
</body>
Replace the <hostname/path> string with the location of your customized logout page.
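The snippet above hard-codes the redirect target, which is the form to keep. The following added example (written for this edit, not code from the NetIQ guide) shows the check a deployment should apply if its customized logoutSuccess.jsp ever takes the target from a request parameter instead: the candidate is parsed, required to be an HTTPS URL on an explicit allowlist of host names, and otherwise replaced by the fixed logout page, so the logout page cannot be turned into a redirect to an arbitrary site. The host names, the candidateFromServer variable and the resolveLogoutTarget function are assumptions made for this example; the function runs unchanged in a browser or in Node.

```javascript
// Added example, not code from the NetIQ guide. Decides where the logout
// page may redirect. The guide's snippet hard-codes the target; this check
// only matters if a customization reads the target from a request parameter.
// Host names and paths below are constructed sample values.

const DEFAULT_LOGOUT_PAGE = 'https://www.example.com/loggedout.html';
const ALLOWED_HOSTS = new Set(['www.example.com', 'portal.example.com']);

// Returns an absolute HTTPS URL on an allowlisted host, or the fallback page.
function resolveLogoutTarget(candidate, allowedHosts = ALLOWED_HOSTS, fallback = DEFAULT_LOGOUT_PAGE) {
  if (typeof candidate !== 'string' || candidate === '') {
    return fallback;
  }
  let url;
  try {
    // Parsed without a base URL, so relative paths and scheme-less values
    // such as //other.host/ are rejected here.
    url = new URL(candidate);
  } catch (err) {
    return fallback;
  }
  // Only https: is accepted; javascript:, data: and http: all fall back.
  if (url.protocol !== 'https:') {
    return fallback;
  }
  // Exact host-name match: www.example.com.other.test is not www.example.com.
  if (!allowedHosts.has(url.hostname)) {
    return fallback;
  }
  // Never carry embedded credentials through the redirect.
  url.username = '';
  url.password = '';
  return url.toString();
}

// In the browser, the <script> block in logoutSuccess.jsp would use it like this
// (candidateFromServer is a hypothetical value written into the page by the JSP):
//   top.location.href = resolveLogoutTarget(candidateFromServer);
```

Any server-supplied value that the JSP writes into its script block still has to be escaped as described in Section 2.5; the allowlist check does not replace that.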
IMPORTANT: Save a copy of your modified logoutSuccess.jsp file. Every time you upgrade your Identity Server, you will need to restore this file.
2.2.3 Configuring for Local Rather Than Global Logout
By default, when the Identity Server receives a logout request, the Identity Server logs the user out of any identity providers and service providers to which the user has authenticated. If you want to modify this behavior so that the logout request logs the user out of just the Identity Server and leaves the user authenticated to identity providers and service providers, you need to add the following query string to the logout URL:
?local=true
The logout URL has the following format:
<Base_URL>/app/logout
Replace <Base_URL> with the base URL of your Identity Server. If the base URL of your Identity Server is hhb1.provo.novell.com:8443, your local logout URL would be the following:
https://hhb1.provo.novell.com:8443/app/logout?local=true
To modify the logout.jsp file so that it performs a local logout:
1 At the Identity Server, open the logout.jsp file.
Linux: /opt/novell/nids/lib/webapp/jsp
Windows Server 2008: \Program Files (x86)\Novell\Tomcat\webapps\nidp\jsp
2 Find the following line in the file:
<form method="post" target="_top" action="<%= request.getContextPath() %>/app/logout">
3 To the /app/logout string, add ?local=true. The modified line should look similar to the following:
<form method="post" target="_top" action="<%= request.getContextPath() %>/app/logout?local=true">
4 Save the file.
5 Copy the file to each Identity Server in the cluster.
6 Back up this file.
2.3 Customizing Identity Server Messages
Section 2.3.1, “Customizing Messages,” on page 82
Section 2.3.2, “Customizing the Branding of the Error Page,” on page 84
Section 2.3.3, “Customizing Tooltip Text for Authentication Contracts,” on page 85
NOTE: After customizing a JSP file, you need to sanitize the JSP file to prevent XSS attacks. See Section 2.5, “Preventing Cross-site Scripting Attacks,” on page 101.
2.3.1 Customizing Messages
1 To customize the error pages, determine whether you need one custom file or multiple files:
If you do not need to support multiple languages, you can create one custom file for all your customized messages.
If you need to support multiple languages, you need to create a custom file for each language you want to customize.
2 Create the custom properties file and name it:
To support one language, name the file nidp_custom_resources.properties.
To support multiple languages, create a nidp_custom_resources_<le_cy>.properties file for each supported language. Replace <le_cy> with the standard convention for Java Resource Bundles for the language or the language and country. For example:
nidp_custom_resources_en_US.properties
nidp_custom_resources_fr.properties
nidp_custom_resources_es.properties
If you want to support custom messages both for a language and country and for just the language, you must create two files. For example:
nidp_custom_resources_es_VE.properties
nidp_custom_resources_es.properties
3 Copy the nidp.jar file to a working area. This file is located in the following directory:
Linux: /opt/novell/nids/lib/webapp/WEB-INF/lib
Windows Server 2008: \Program Files (x86)\Novell\Tomcat\webapps\nidp\WEB-INF\lib
4 Unzip the nidp.jar file in your working directory.
5 In your working directory, locate the .properties files in the following directory:
com/novell/nidp/resource/strings
The properties files that have been localized contain the messages that end users might see.
The properties files that have not been localized contain messages that the end users should not see.
6 Locate the messages you want to customize and copy them to your custom file.
All the messages you want to customize are placed in this one file, even though they come from different properties files. For example, if you chose to customize messages from the nidp_resources_en_US.properties file and the SSModelResources_en_US.properties file, your file should look similar to the following:
NIDPMAIN.100=An Identity Provider response was received that failed to authenticate this session.
NIDPMAIN.101=A request for identity federation could not be completed.
NIDPMAIN.102=A request for identity federation termination could not be completed.
SS.WKSLdapCreds = LDAP Credentials
SS.WKSELdapCredsUserName = LDAP User Name
SS.WKSELdapCredsUserDN = LDAP User DN
SS.WKSELdapCredsUserPassword = LDAP Password
SS.WKSX509Creds = X509 Credentials
7 (Conditional) If you are supporting multiple languages, copy the messages to each custom language file.
8 Replace the messages in the file with your custom messages.
Replace the string after the equals (=) sign with your translated or customized message.
If you are using double-byte characters, write each character as a Unicode escape sequence: a \u prefix followed by the four-digit hexadecimal code point. For example: \u5c71.
9 Save the file.
10 Copy the custom properties file to the following directory on all Identity Servers in the cluster:
Linux: /opt/novell/nam/idp/webapps/nidp/WEB-INF/classes
Windows Server 2008: \Program Files (x86)\Novell\Tomcat\webapps\nidp\WEB-INF\classes
11 (Optional) To enable messages about the loading of the custom properties files, enable debug logging:
11a In the Administration Console, click Devices > Identity Servers > Edit > Logging.
11b In the Component File Logger Levels section, select Debug level for Application.
11c Click OK, then update the Identity Server.
12 Restart Tomcat.
Linux Identity Server: Enter one of the following commands:
/etc/init.d/novell-idp restart
rcnovell-idp restart
Windows Identity Server: Enter the following commands:
net stop Tomcat7
net start Tomcat7
13 (Optional) To verify the loading of the custom properties files:
13a View the log file by clicking Auditing > General Logging.
13b Search for messages similar to the following in the catalina.out or stdout.log file:
The named Custom Properties File was loaded and will be used:
Custom Properties File successfully loaded! Name: <Custom Properties FileName>
An error occurred loading a specific Custom Properties File. Loading of other Custom Properties Files will continue.
<Error Description>, Attempting to load Custom Properties File! Name: <Custom Properties FileName>
The locale specifier in the Custom Properties File filename could not be successfully parsed into a valid locale. Loading of other Custom Properties Files will continue.
Custom Properties File load failed. Could not determine correct locale! Name: <Custom Properties FileName>
A general error occurred loading Custom Properties Files. Loading will stop and all un-loaded Custom Properties Files will not be loaded.
<Error Description>, Attempting to load Custom Properties Files!
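As an added example that is not part of the guide, the following script checks a custom properties file against the rules stated in Steps 2, 8 and 13 before it is copied to WEB-INF/classes: the file name must carry a resource-bundle locale suffix that the loader can parse (otherwise the "Could not determine correct locale" message above appears), each message line must be key=value, and non-ASCII text must be written as \uXXXX escapes rather than raw characters. The sample file contents and the function names are constructed for this example; the name check assumes two-letter language and country codes, which are the only forms the procedure shows.

```javascript
// Added example, not code from the NetIQ guide: a small checker for a
// nidp_custom_resources*.properties file. Sample contents are constructed.

// Default file, or language / language_country suffix (two-letter codes assumed).
const FILE_NAME_RE = /^nidp_custom_resources(?:_([a-z]{2})(?:_([A-Z]{2}))?)?\.properties$/;

// Returns {language, country} (both null for the default file), or null when
// the name does not follow the convention and the loader would report
// "Could not determine correct locale".
function parseBundleName(fileName) {
  const m = FILE_NAME_RE.exec(fileName);
  if (!m) return null;
  return { language: m[1] || null, country: m[2] || null };
}

// Decode \uXXXX escapes so a value can be shown as the end user will see it.
function decodeUnicodeEscapes(value) {
  return value.replace(/\\u([0-9a-fA-F]{4})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Parse the file text and collect problems. Returns {entries, problems}:
// entries maps key -> decoded value; problems is a list of readable strings.
function lintCustomProperties(text) {
  const entries = new Map();
  const problems = [];
  text.split(/\r?\n/).forEach((rawLine, i) => {
    const lineNo = i + 1;
    const line = rawLine.trim();
    if (line === '' || line.startsWith('#') || line.startsWith('!')) return; // blank or comment
    const eq = line.indexOf('=');
    if (eq <= 0) {
      problems.push(`line ${lineNo}: expected key=value`);
      return;
    }
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (entries.has(key)) {
      problems.push(`line ${lineNo}: duplicate key ${key}`);
    }
    // Raw characters outside 7-bit ASCII must be written as \uXXXX (for example \u5c71).
    if (/[^\x00-\x7f]/.test(value)) {
      problems.push(`line ${lineNo}: ${key} contains a raw non-ASCII character; use \\uXXXX`);
    }
    // A \u that is not followed by four hex digits is a malformed escape.
    if (/\\u(?![0-9a-fA-F]{4})/.test(value)) {
      problems.push(`line ${lineNo}: ${key} has a malformed \\u escape`);
    }
    entries.set(key, decodeUnicodeEscapes(value));
  });
  return { entries, problems };
}

// Constructed sample file: one line per situation the checker handles.
const SAMPLE_FILE = [
  '# constructed custom messages for this example',
  'NIDPMAIN.100=An Identity Provider response was received that failed to authenticate this session.',
  'SS.WKSLdapCreds = \\u5c71',          // correctly escaped (U+5C71)
  'SS.WKSELdapCredsUserName = 山',      // raw character: flagged
  'SS.WKSX509Creds = X509 \\u5c',       // malformed escape: flagged
  'NIDPMAIN.101 no equals sign here',   // not key=value: flagged
].join('\n');

const report = lintCustomProperties(SAMPLE_FILE);
console.log(`${report.entries.size} messages, ${report.problems.length} problems`);
console.log(report.problems.join('\n'));
```

Run the file-name check against every custom file you intend to deploy; a file whose name is rejected here is exactly the one the loader skips with the locale message in Step 13b.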
To create custom error pages for the Access Gateway, see “Customizing Error Messages and Error Pages on Access Gateway” in the NetIQ Access Manager 4.0 SP1 Access Gateway Guide.
2.3.2 Customizing the Branding of the Error Page
The error page (err.jsp) is returned when the Identity Server encounters an error with the following message:
Error: Unable to authenticate, (300101014-esp-01E79F6000B87D4E8)
The file is located in the following directory:
Linux: /opt/novell/nids/lib/webapp/jsp
Windows Server 2008: \Program Files (x86)\Novell\Tomcat\webapps\nidp\jsp
IMPORTANT: After you have customized this page, back it up before you upgrade. The upgrade process overwrites any custom changes made to the err.jsp page.
For information about customizing the error message, see Section 2.3.1, “Customizing Messages,” on page 82.
You can customize the following items:
The window title and the display title. See “Customizing the Titles” on page 84.
The header image and the Novell logo. See “Customizing the Images” on page 85.
Background colors. See “Customizing the Colors” on page 85.