Novell Ifolder 3 8



iFolder Version | OES Linux Version
iFolder 3.2 | Novell Open Enterprise Server Support Pack 2 for SUSE Linux Enterprise Server 9 Support Pack 3 (OES SP2 Linux)
iFolder 3.1 | Novell Open Enterprise Server Support Pack 1 for SUSE Linux Enterprise Server 9 Support Pack 2 (OES SP1 Linux)
iFolder 3.0 | Novell Open Enterprise Server for SUSE Linux Enterprise Server 9 Support Pack 1 (OES Linux)
There is no upgrade or migration path from Novell iFolder 2.1x and earlier versions of iFolder. For information, see the Novell Open Enterprise Server product site (http://www.novell.com/products/openenterpriseserver).
5.2.2 Install Guidelines When Using an NSS Volume to Store iFolder Data
Modify the OES Linux install and configuration to comply with the following guidelines:

In YaST, on the Installation Settings page, reconfigure the Partitioning settings as needed to support using NSS. Specify a ReiserFS (default) or EXT3 partition as your system device. NSS volumes are configured after the install is complete. If you plan to use NSS volumes, some deployment scenarios require that you modify the partitioning to use EVMS (Enterprise Volume Management System) as the device manager of the system device instead of LVM (Linux Volume Manager, default) or a third-party volume manager. Make sure to compare your storage deployment plan to those listed in Installing Linux with EVMS as the Volume Manager of the System Device in the OES Linux Installation Guide to determine if you need to do this. For example, if you have only a single device on the server (such as a single physical disk or a hardware RAID 1 or RAID 5 device) and you plan to configure an NSS volume to use as your iFolder data volume, you must modify your partitioning to use EVMS to manage the device.

In YaST, on the Installation Settings page, modify the Software components to add the NSS package to the install. Plan to install iFolder after your OES Linux server is set up and you have created an NSS volume to use.

In YaST, on the Installation Settings page, make sure you do not add the iFolder 3 or iFolder 3 Web Access components to the install. You will install them later.

After the OES Linux system is up and running, use the Storage plug-in to iManager to create the NSS volume, create a directory at the volume root, then use YaST to install and configure iFolder. Make sure to specify the path to the directory as the iFolder data store during the iFolder configuration.
5.2.3 Install Guidelines When Using a Linux Traditional Volume to Store iFolder Data
In YaST, specify an EXT3 or ReiserFS partition as your system device.

(Optional) Modify the Software components to add the iFolder 3 or iFolder 3 Web Access components to the install. If you install iFolder at this time, be prepared to configure iFolder as part of the install process. See the following:
Section 6.2, Configuring the iFolder Enterprise Server, on page 53
Section 6.3, Configuring the iFolder Web Access Server, on page 55

6.2 Configuring the iFolder Enterprise Server
After you install the iFolder enterprise server, you must configure the iFolder services, including the LDAP, iFolder system, and iFolder administration settings.

IMPORTANT: If you install iFolder when you install OES Linux, the same parameters described in this procedure are available as an integrated part of the server install. However, you cannot choose an NSS volume as the iFolder System Store Path because NSS volumes cannot be created during the server platform install.

1 If you plan to use an NSS volume as the System Store Path for the users' iFolder data, use iManager to create the NSS volume, then create a directory on the volume. For information, see Managing NSS Volumes in the Novell Storage Services File System Administration Guide for OES.
2 Log in to the server as the root user, or open a terminal console, enter su, then enter a password.
3 Start YaST, click Network Services, then click iFolder 3.
4 Follow the YaST on-screen instructions to proceed through the Novell iFolder 3 configuration. The following table summarizes the decisions you make.

IMPORTANT: If you ever need to run the configuration again, you can modify any field except the System Store Path and the iFolder User Login Based on Which LDAP Attribute options. These parameter settings cannot be modified after the initial configuration.
Install Settings Description
LDAP Server Configuration
Local or Remote Directory Server: Select Local if your LDAP directory services are running on the same server as the iFolder 3 enterprise server. Otherwise, select Remote.

Directory Server Address: If directory services are Remote, specify the IP address of the LDAP server to use for this iFolder enterprise server.

LDAP Admin Name: The fully distinguished name of the Admin user with administrative rights to LDAP. This information is needed during the configuration to create User objects for the administrative iFolder Proxy user. The LDAP schema is not extended. Specify an existing username and an existing context. If the user does not already exist, the username is created only if the context is valid. For example:

cn=admin.o=acme

LDAP Admin Password: Specify the LDAP Admin user's password.

iFolder User Login Based on Which LDAP Attribute: Specify which LDAP attribute of the User account to apply when authenticating users. Each user enters a Username in this specified format at login time. Options are Common Name (cn, default) and e-mail address (mail). This setting cannot be changed after the install. For example, if a user named John Smith has a common name of jsmith and e-mail of john.smith@example.com, this field determines whether the user enters jsmith or john.smith@example.com as the Username when logging in to the iFolder server.

rights -f /media/nss/NSSVOL -r rwfcem trustee wwwrun.ou.o.treename
If you ever get an "An Internal Error has occurred" error message within the iManager plug-in, this is a sure sign that you have not set up file system trustee rights within NSS properly.

6 When the system prompts you to restart the Apache server, accept the option by clicking Yes, then restart the Apache server and Tomcat Web application. This is necessary to use the new settings.
6a Open a terminal console, then log in as the root user.
6b Stop the Apache server by entering either of the following commands at the prompt:
/etc/init.d/apache2 stop
rcapache2 stop
6c Stop Tomcat by entering either of the following commands at the prompt:
/etc/init.d/novell-tomcat4 stop
rcnovell-tomcat4 stop
6d Start Tomcat by entering either of the following commands at the prompt:
/etc/init.d/novell-tomcat4 restart
rcnovell-tomcat4 start
6e Start Apache by entering either of the following commands at the prompt:
/etc/init.d/apache2 start
rcapache2 start
7 Go to Novell iManager to install the Novell iFolder 3 plug-in or to manage iFolder services. For information, see Installing the Novell iFolder 3 Plug-In for iManager. Use the plug-in to provision users for services and to manage iFolder services, user access, and iFolders.
6.3 Configuring the iFolder Web Access Server
After you install the iFolder Web Access server, you must specify which iFolder enterprise server it supports and the user-friendly URL that users enter in their Web browsers to access it.

IMPORTANT: If you install iFolder when you install OES Linux, the same parameters described in this procedure are available as an integrated part of the server install.

Configuring Web Access
1 Log in as the root user, or open a terminal console, enter su, then enter a password to log in as root.
2 Start YaST to refresh its list of installed configuration modules.
3 When YaST opens, click Network Services, then click iFolder 3 Web Access.
4 Follow the YaST on-screen instructions to proceed through the iFolder 3 Web Access configuration. The table summarizes the decisions you make.

/etc/init.d/novell-tomcat4 restart
Tomcat sometimes requires several minutes to fully initialize. Wait at least 5 minutes before trying to log in to iManager.
7 Verify that the plug-in is enabled by opening iManager in a Web browser and checking to see if the Novell iFolder 3 plug-in appears in the list of Roles and Tasks. For information, see Section 6.5, Accessing iManager and the Novell iFolder 3 Plug-In, on page 59.
8 Continue with Section 6.6, Provisioning Users and iFolder Services, on page 60.
6.4.3 Installing a Plug-In When RBS Is Configured
If you are running iManager in Assigned Mode and have RBS configured for eDirectory, complete the following steps to install the iFolder iManager Module.

IMPORTANT: To re-install an existing plug-in, you must first delete the rbsModule object for that plug-in from eDirectory, using the Module Configuration > Delete RBS Module task.

1 In a Web browser, log in to iManager as an RBS Collection Owner on the system where you installed iFolder.
Replace ifolder.example.com with the IP address (such as 192.168.1.1) or the DNS name of the iFolder server.
2 In the toolbar, click the Configure icon (person seated behind a desk).
3 In Roles and Tasks, expand Module Installation, then click Available Novell Plug-In Modules.
4 Locate the iFolder iManager Module, select its plug-in check box, then click Install.
This install takes a few minutes. You should receive a message confirming a successful install.
5 Click OK to dismiss the message, then close iManager.
6 Stop and start the Tomcat servlet engine by entering the following command at the terminal console:
Tomcat sometimes requires several minutes to fully initialize. Wait at least 5 minutes before trying to log in to iManager.
7 After Tomcat initializes, in a Web browser, log in to iManager as a Collection Owner again.
8 Click the Configure icon.
9 Under Role-Based Services, select RBS Configuration. The table on the Collections tabbed page displays modules ready to update.
10 Locate the collection where you want to install the plug-in, then click its Out-of-Date number. The iFolder iManager Module plug-in should be displayed under the Modules Not Yet Installed column.
11 Select the iFolder iManager Module plug-in.
12 Click Update.
13 Wait for the Completed message, then click OK to continue.
14 Verify that the plug-in is enabled by opening iManager in a Web browser and checking to see if the Novell iFolder 3 plug-in appears in the list of Roles and Tasks. For information, see Section 6.5, Accessing iManager and the Novell iFolder 3 Plug-In, on page 59.
15 Continue with Section 6.6, Provisioning Users and iFolder Services, on page 60.
6.5 Accessing iManager and the Novell iFolder 3 Plug-In
The Novell iFolder 3 plug-in to Novell iManager 2.5 is the tool used to manage your iFolder server. For information, see Section 6.4, Installing the Novell iFolder 3 Plug-In for iManager, on page 57.
1 Open a Web browser to the iManager Login page by entering the following location:

All users in the containers and groups listed in the iFolder LDAP settings Search DN field are automatically provisioned as iFolder users.

1 In iManager, expand the Novell iFolder 3 role, select System, then wait for the page to refresh.
2 Select LDAP to open the System page to the LDAP tab, then click Modify.
3 Repeat the following for each context you want to add or modify:
3a Specify the context:
Add: Type the DN of the LDAP context you want to add in the Search DN field.
Search: To search, click the Search icon to open a browsable list of LDAP objects, then select the context to add. The LDAP object selector is not available if you logged into iManager in a different LDAP tree than the one where the Server Host (iFolder's LDAP server) resides.
Edit: To edit a value, select it from the list of Search DNs, click the Edit icon (pen), then make your changes.
DNs are entered in LDAP format. For example:

o=acme
ou=group,o=acme

Embedded help for completing the fields is available if you mouse-over the field. The iFolder Admin User is provisioned for services during the install. It is tracked by its GUID, so it is available even if the Search DN is empty, or if you specify Search DNs that do not contain the iFolder Admin user. This identity must be provisioned to enable the iFolder Admin to perform management tasks.
3b Click OK to apply the change.
4 Continue with Section 6.6.3, Synchronizing the List of Provisioned Users with the LDAP Directory, on page 62.

To modify LDAP settings at any time, see Section 8.4, Configuring the LDAP Settings for an iFolder Server, on page 84.
6.6.3 Synchronizing the List of Provisioned Users with the LDAP Directory
1 In iManager, expand the Novell iFolder 3 role, select System, then wait for the page to refresh.
2 Select LDAP to open the System page to the LDAP tab, then click Modify.
3 Click Update and Synchronize Now. During LDAP synchronization, the iFolder server queries the LDAP server to retrieve a list of users in the DNs as specified in the Search DN field. This might take several minutes, depending on the size of your LDAP directory.
4 Continue with Section 6.7, Distributing the iFolder Client to Users, on page 62.

The iFolder User list is updated periodically based on the LDAP synchronization interval. Whenever you remove users from an LDAP Search DN, or remove contexts from the Search DN list, you should synchronize the list immediately using Update and Synchronize Now to enforce your changes. For information, see Section 8.4.6, Synchronizing the iFolder User List with the LDAP Server, on page 89.

6.7 Distributing the iFolder Client to Users
After you configure iFolder services on the enterprise server, users can download the install files for the iFolder client from the iFolder 3.x Welcome page.

NOTE: iFolder 3.x does not support a silent install (that is, a scriptable non-interactive install) on any platform. A silent install is possible for the Linux client using its .rpm files, but it is not supported.

Section 6.7.1, Configuring the iFolder 3.x Welcome Page, on page 62
Section 6.7.2, Accessing the iFolder 3.x Welcome Page, on page 63
Section 6.7.3, Downloading the iFolder Client, on page 63
Section 6.7.4, Installing the iFolder Client, on page 64
6.7.1 Configuring the iFolder 3.x Welcome Page
The iFolder 3.x enterprise server installs the client install files in the /var/opt/novell/tomcat4/webapps/ifolder3-client/ directory. The references to these files are in the /var/opt/novell/tomcat4/webapps/welcome/WEB-INF/XMLData/ifolder3.xml file. After the iFolder 3.x enterprise server install, you must restart Tomcat 4 to install the iFolder 3.x link in the OES Welcome pages. Stop and start the Tomcat servlet engine by entering the following commands at the terminal console:
/etc/init.d/novell-tomcat4 stop
/etc/init.d/novell-tomcat4 start
Tomcat sometimes requires several minutes to fully initialize. Wait at least 5 minutes before trying to access the OES Welcome pages.
6.7.2 Accessing the iFolder 3.x Welcome Page
1 Open a Web browser to the following location to open the server's Welcome page:
http://ifolder3.example.com
Replace ifolder3.example.com with the DNS name or the IP address (such as 192.168.1.1) of the Novell iFolder 3.x enterprise server.
2 In the left navigator, click iFolder 3.x to open the iFolder 3.x Welcome page.
6.7.3 Downloading the iFolder Client
On the iFolder 3.x Welcome page, users can select one of the following client links to download the install files for the iFolder client for Novell iFolder 3.x:
Link Name | Operating System | Filename
iFolder 3.x Linux Client | Novell Linux Desktop 9 and later | ifolder3-linux.tar.gz
iFolder 3.x Windows Client | Windows 2000/XP/2003 | ifolder3-windows.exe
iFolder 3.x Mac Client | Macintosh OS X v10.3 and later | ifolder3-mac.tar.gz
After expanding the tar.gz files, users are ready to install the iFolder client and its dependencies with the following files:

iFolder Client | Install Files

iFolder for Linux

./linux/ifolder3 directory
ifolder3-3.x.yyyymmdd-1.i686.rpm
nautilus-ifolder-3.x.yyyymmdd-1.i586.rpm
simias-1.0.yyyymmdd-1.i686.rpm

./linux/mono directory
gtk-sharp-1.0.9-0.sles9.novell.i586.rpm
libgdiplus-1.1.7-1.ximian.i586.rpm
mono-core-1.1.7.x-xxxxx-x.novell.i586.rpm
mono-data-1.1.7.x-xxxxx-x.novell.i586.rpm
mono-web-1.1.7.x-xxxxx-x.novell.i586.rpm
xsp-1.0.9-0.novell.noarch.rpm

iFolder for Windows
iFolder for Mac

Specify the password twice, then click OK to update the password stored in the LDAP Settings. Whenever you modify the Proxy User DN, you must also specify the password associated with the new iFolder Proxy user. The password is used to authenticate the iFolder Proxy user to the LDAP server when iFolder synchronizes users for the iFolder user list. This password must match the password stored in the iFolder Proxy user's eDirectory object. For information, see Section 8.4.5, Modifying the iFolder Proxy User Password, on page 88.

Search DNs

Specify the LDAP containers and groups where iFolder 3.x searches for a list of authorized users to provision for iFolder services on this enterprise server. DNs are entered in LDAP format. For example:
To add a DN, type it in the Search DN field, then click OK.

To edit a DN in the list, select it, then click the Edit icon (pen) to bring it to the Search DN field. Make your changes, then click OK to accept the changes.

To search, click the Search icon to open a browsable list of LDAP objects, select the container or group you want to add, then click OK. The LDAP Object selector is not available if you logged into iManager in a different LDAP tree than the one where the Server Host (iFolder's LDAP server) resides.

To delete a DN from the list, select it, click the Delete icon (red X), then click OK. When you delete a DN from the Search DNs, users in that DN are removed from the iFolder user list the next time the iFolder server synchronizes LDAP information.

During LDAP synchronization, the iFolder server queries the LDAP server to retrieve a list of users in the DNs (as specified in the Search DN field). The usernames in the iFolder user list are matched against this official LDAP list. Any new users in the specified Search DNs are added to the iFolder user list. If a user is no longer in the specified DNs, the username is removed from the user list, any iFolders the user owns are orphaned and reassigned to the iFolder Admin user, and the user is removed as a member of other iFolders.

The iFolder Admin User is provisioned for services during the install. It is tracked by its GUID, so it is available even if the Search DN is empty, or if you specify Search DNs that do not contain the iFolder Admin user. This identity must be provisioned to enable the iFolder Admin to perform management tasks.

Minimum Synchronization Interval

Specify the synchronization interval (in seconds) for the elapsed time to wait between attempts to retrieve an updated list of system users from the LDAP server.
Default Value: 86400 seconds (elapsed time of 24 hours from whenever the timer is reset)

Synchronization on Start

Specify Yes to immediately synchronize the list of users with the LDAP server when you start the iFolder server, or specify No to wait until the specified Synchronization Interval has elapsed after startup to begin synchronizing.
Default Value: Yes

8.5.2 Modifying iFolder System Policies
1 In iManager, expand the Novell iFolder 3 role, select System, then wait for the page to refresh.
2 Select Policy to open the System page to the Policy tab, then click Modify.
3 Select a Policy check box to enable the policy, specify values for the policy, then click OK to apply it:
Enable User Disk Space Limit
Deselect the check box to disable a system-wide quota. Select the check box to enable a system-wide quota, then specify the total space quota (in MB) for a user's account. If you enable a system-wide quota that is less than a user's current total space for iFolder data, the user's data stops synchronizing until the data is decreased below the limit or until the quota is increased to a value that is larger than the user's total space consumed. Enabling or modifying the system-wide quota does not affect existing individual user quotas. Any existing user quota always overrides the system-wide quota, whether the user quota is lower or higher than the system-wide quota.
Default Value: 100 MB
Enable Maximum File Size Limit
Deselect the check box to disable the Maximum File Size Limit policy. If the policy is disabled, the value is reported as No Limit. Select the check box to enable the Maximum File Size Limit policy, then specify the maximum allowed file size in MB. If a quota is specified, the default maximum file size limit is the same as the quota.

Consider the following demands on your system to determine an appropriate file size limit for iFolders in your environment:
Intended use
How often the largest files are modified
How the applications that use the largest files actually save changes to the file (whole file or deltas)
How frequently the files are synchronized by each member
How many users share an iFolder
Whether users access iFolder on the local network or across WAN or Internet connections
The average and peak available bandwidth

Even if you set a very large value as a file size limit and if there is no quota to limit file sizes, the practical limit is governed by the file system on the user's computer. For example, FAT32 volumes have a maximum file size of 4 GB minus 1 byte.
Default Value: Disabled, No Limit
Enable File Type Restriction
Specify whether to restrict file types that are synchronized by inclusion or exclusion filters. You cannot set both. Type a file extension, then click OK to add it to the list. To edit an extension, select the value, click Edit (the pen icon), modify the entry, then click OK.

8.7.1 Using SSL for Secure Communications
In a default deployment, the iFolder 3 enterprise server uses SSL 3.0 for secure communications between components as shown in the following table.
iFolder Component Enterprise Server Web Access Server LDAP Server Client Web Browser
iFolder uses the SSL 3.0 protocol instead of SSL 2.0 because it provides authentication, encryption, integrity, and non-repudiation services for network communications. During the SSL handshake, the server negotiates the cipher suite to use, establishes and shares a session key between client and server, authenticates the server to the user, and authenticates the user to the server. The key exchange method defines how the shared secret symmetric cryptography key used for application data transfer will be agreed upon by client and server. SSL 2.0 uses only RSA key exchange, while SSL 3.0 supports a choice of key exchange algorithms, including the RC4 and RSA key exchange, when certificates are used, and Diffie-Hellman key exchange for exchanging keys without certificates and without prior communication between client and server. SSL 3.0 also supports certificate chains, which allow certificate messages to contain multiple certificates and support certificate hierarchies.
8.7.2 Configuring the SSL Cipher Suites for the Apache Server
To restrict connections to SSL 3.0 and to ensure strong encryption, we strongly recommend the following configuration for the Apache server's SSL cipher suite settings.
Use only High and Medium security cipher suites, such as RC4 and RSA.
Remove from consideration any ciphers that do not authenticate, such as Anonymous Diffie-Hellman (ADH) ciphers.
Use SSL 3.0, and disable SSL 2.0.
Disable the Low, Export, and Null cipher suites.
To set these parameters, modify the aliases in the OpenSSL* ciphers command (the SSLCipherSuite directive) in the /etc/httpd/conf/httpd.conf file.
1 Stop the Apache server: At a terminal console, enter
2 Open the /etc/httpd/conf/httpd.conf file in a text editor, then locate the SSLCipherSuite directive in the Virtual Hosts section:
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
3 Modify the plus (+) to a minus (-) in front of the ciphers you want to disable, and make sure there is a ! (not) before ADH:
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-eNULL
4 Save your changes.
5 Start the Apache server: At a terminal console, enter
For more information about configuring strong SSL/TLS security solutions, see SSL/TLS Strong Encryption: How-To (http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html) on the Apache.org Web site.
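An added example, not part of the Novell guide: a simplified, class-level model of the OpenSSL cipher-string operators used in step 3, run over the guide's original and modified SSLCipherSuite values and over a constructed variant in which the prefix before eNULL is missing. The function names, the sample httpd.conf text, and the assumption that ALL still contains LOW, EXP, SSLv2 and ADH suites (as in OpenSSL builds of the guide's era) are this example's own.

```python
import re

# Weak classes named in section 8.7.2, written as OpenSSL cipher-string aliases.
WEAK = {"LOW", "EXP", "SSLv2", "eNULL", "ADH"}
ALIASES = {"EXPORT": "EXP", "NULL": "eNULL"}
# Assumption: an OpenSSL build where ALL still contains LOW, export, SSLv2 and
# anonymous-DH suites. ALL never includes the eNULL (no encryption) suites.
IN_ALL = {"LOW", "EXP", "SSLv2", "ADH"}


def weak_classes_enabled(cipher_string):
    """Return the sorted weak classes still selectable after every token ran."""
    enabled, killed = set(), set()
    for token in filter(None, re.split(r"[:, ]+", cipher_string.strip())):
        op = token[0] if token[0] in "!-+" else ""
        parts = [ALIASES.get(p, p) for p in token[len(op):].split("+")]
        weak = {p for p in parts if p in WEAK}
        single = len(parts) == 1  # A+B selects only the intersection of A and B
        if op == "!":
            # Permanent delete: later tokens cannot bring these suites back.
            if single and weak:
                killed |= weak
                enabled -= weak
        elif op == "-":
            # Delete, but a later bare token may add the suites again.
            if single:
                enabled -= weak
        elif op == "+":
            # Moves suites already in the list to the end; adds nothing.
            continue
        elif parts == ["ALL"]:
            enabled |= IN_ALL - killed
        elif weak and not (weak & killed):
            # A bare alias appends its suites to the list.
            enabled |= weak
    return sorted(enabled)


def audit_httpd_conf(text):
    """Map the line number of each active SSLCipherSuite to its weak classes."""
    findings = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        match = re.match(r"\s*SSLCipherSuite\s+(\S+)", line)
        if match:  # commented-out directives do not match
            findings[lineno] = weak_classes_enabled(match.group(1))
    return findings


# The two values shown in steps 2 and 3 of the guide.
ORIGINAL = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
MODIFIED = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-eNULL"
# Constructed variant: the minus before eNULL has been dropped.
MISSING_PREFIX = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:eNULL"

# Constructed httpd.conf fragment for the file-level check.
SAMPLE_CONF = """\
<VirtualHost _default_:443>
# SSLCipherSuite ALL
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
</VirtualHost>
"""

if __name__ == "__main__":
    for name, value in [("original", ORIGINAL), ("modified", MODIFIED),
                        ("missing prefix", MISSING_PREFIX)]:
        print(f"{name:15} weak classes enabled: {weak_classes_enabled(value)}")
    print(audit_httpd_conf(SAMPLE_CONF))
```

A bare alias appends its suites, so a dropped minus before eNULL turns a removal into an enablement; `!` is the only operator that a later token cannot undo.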

8.7.3 Configuring the Enterprise Server for SSL Communications with the LDAP Server
By default, the iFolder enterprise server is configured to communicate via SSL with the LDAP Server. For most deployments, this setting should not be changed. If the LDAP server is on the same machine as the enterprise server, communications do not need to be secured with SSL.
1 In iManager, expand the Novell iFolder 3 role, select System, then wait for the page to refresh.
2 Select LDAP to open the System page to the LDAP tab, then click Modify.
3 In the Port Is Secure field, specify Yes to configure for SSL exchanges, or specify No for insecure exchanges.
4 Click OK to apply your changes.
8.7.4 Configuring the Enterprise Server for SSL Communications with the iFolder Client
By default, the iFolder enterprise server is configured to require SSL. All iFolder client communication to the server is encrypted using the SSL protocol. In most deployments, this setting should not be changed because iFolder uses HTTP BASIC for authentication, which means passwords are sent to the server in the clear. Without SSL encryption, the iFolder data is also sent in the clear.

To modify the setting, edit the SSL parameters in the appSettings section of the /opt/novell/ifolder3/web/web.config file on the enterprise server.

To configure secure Web traffic with SSL, modify the value of SimiasRequireSSL to Yes and the SimiasSSLPort to 443. For example:
<appSettings>
  <add key="SimiasRequireSSL" value="yes" />
  <add key="SimiasSSLPort" value="443" />
</appSettings>
To configure insecure Web traffic with HTTP BASIC, modify the value of SimiasRequireSSL to No and the SimiasSSLPort to 80. For example:
<appSettings>
  <add key="SimiasRequireSSL" value="no" />
  <add key="SimiasSSLPort" value="80" />
</appSettings>
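An added example, not part of the Novell guide: a check that reads the two appSettings keys described above from a web.config and reports when HTTP BASIC credentials would cross the network without SSL, or when the two keys disagree. The function name, the finding strings and the sample documents are this example's own; the key names and values are the ones shown in this section.

```python
import xml.etree.ElementTree as ET


def audit_simias_ssl(web_config_xml):
    """Return a list of findings for the SSL keys in <appSettings>."""
    root = ET.fromstring(web_config_xml)
    settings = {}
    # iter() also yields the root itself, so a bare <appSettings> snippet works.
    for section in root.iter("appSettings"):
        for add in section.findall("add"):
            settings[add.get("key")] = (add.get("value") or "").strip()

    findings = []
    require = settings.get("SimiasRequireSSL")
    port = settings.get("SimiasSSLPort")
    if require is None:
        findings.append("SimiasRequireSSL missing")
    elif require.lower() != "yes":
        # HTTP BASIC without SSL: passwords and iFolder data are readable in transit.
        findings.append("cleartext: SimiasRequireSSL=" + require)
    if port is None:
        findings.append("SimiasSSLPort missing")
    elif (require or "").lower() == "yes" and port != "443":
        # SSL is required but the port is not the value the guide pairs with it.
        findings.append("port mismatch: SimiasSSLPort=" + port)
    return findings


# Constructed documents built from the two snippets in this section.
SECURE = """<configuration><appSettings>
  <add key="SimiasRequireSSL" value="yes" />
  <add key="SimiasSSLPort" value="443" />
</appSettings></configuration>"""

INSECURE = """<appSettings>
  <add key="SimiasRequireSSL" value="no" />
  <add key="SimiasSSLPort" value="80" />
</appSettings>"""

# Constructed half-edited file: SSL required, port left at 80.
HALF_EDITED = """<configuration><appSettings>
  <add key="SimiasRequireSSL" value="Yes" />
  <add key="SimiasSSLPort" value="80" />
</appSettings></configuration>"""

if __name__ == "__main__":
    for name, doc in [("secure", SECURE), ("insecure", INSECURE),
                      ("half-edited", HALF_EDITED)]:
        print(name, audit_simias_ssl(doc))
```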
8.7.5 Configuring the Enterprise Server for SSL Communications with the Web Access Server
By default, the iFolder enterprise server is configured to communicate via SSL with the iFolder Web Access server. For most deployments, this setting should not be changed. If the iFolder deployment is small and the Web Access server co-exists on the same machine as the iFolder enterprise server, an Administrator could reconfigure to disable SSL, which would increase the performance of local communications between the two servers. Communications between the two servers are governed by the Web Access server's settings for SSL traffic. For information, see Section 9.5.3, Configuring the Web Access Server for SSL Communications with the Enterprise Server, on page 100.
8.7.6 Configuring an SSL Certificate for the Enterprise Server
For information, see Managing SSL Certificates for Apache on page 133.

Deselect this option to allow all file types to be synchronized or to apply the system-wide file type restrictions for the user account. Select this option to restrict some file types for this user, then specify the inclusion or exclusion filters that determine the file types that can be synchronized for the user account. To add a file extension to an inclusion or exclusion filter, type the extension (such as .mpg), then click OK to apply the filter. To edit an extension, select the value, click Edit (the pen icon), modify the entry, then click OK to apply the change.
Default Value: Disabled, Allow all file types or the System-wide settings
106 Novell iFolder 3.x Administration Guide
Deselect the check box to set no synchronization interval or to accept the system-wide setting for the user account. If no value is set for system-wide or user policies, the value reported is No Limit. Select the check box to enable a minimum synchronization interval, then specify the minimum interval (in seconds). For example, a practical value is 600 seconds (10 minutes). Default Value: Disabled, or the system-wide policy
10.5 Enabling and Disabling iFolder User Accounts
Disabling a user's account temporarily, as opposed to deleting the user account, turns off the ability of that user to log in to the iFolder server. The user remains a valid iFolder user, can be shared with, and his or her iFolders are not orphans. The user cannot log in and, therefore, cannot synchronize (up or down) any data until the account is again enabled.
1 In iManager Roles and Tasks, expand the Novell iFolder 3 role, then select Enable/Disable User's Account.
2 Search for the user whose account you want to enable or disable for login.
3 Select the User check box next to the user, then click OK.
4 Do one of the following:
Enable login for the user account by selecting Account Enabled, then click OK.
Disable login for the user account by deselecting Account Enabled, then click OK.
10.6 Setting a User Account Quota
1 In iManager, expand the Novell iFolder 3 role, then select Set User's Account Quota.
2 Search for the user whose account you want to manage.
3 Select the User check box next to the user, then click OK.
4 Do one of the following:
Enable a space quota for the selected user by selecting Enable Space Limit, specify how much space the user can consume for all iFolders owned by the user, then click OK.
Disable a space quota for the selected user by deselecting Enable Space Limit, then click OK.

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <httpRuntime executionTimeout="180" maxRequestLength="10240" />
    <!-- DYNAMIC DEBUG COMPILATION
         Set compilation debug="true" to enable ASPX debugging. Otherwise, setting this
         value to false will improve runtime performance of this application.
         Set compilation debug="true" to insert debugging symbols (.pdb information)
         into the compiled page. Because this creates a larger file that executes
         more slowly, you should set this value to true only when debugging and to
         false at all other times. For more information, refer to the documentation
         about debugging ASP.NET files.
    -->
    <compilation defaultLanguage="C#" debug="true" />
    <!-- CUSTOM ERROR MESSAGES
         Set customErrors mode="On" or "RemoteOnly" to enable custom error messages,
         "Off" to disable. Add <error> tags for each of the errors you want to handle.
         "On" Always display custom (friendly) messages.
         "Off" Always display detailed ASP.NET error information.
         "RemoteOnly" Display custom (friendly) messages only to users not running on
         the local Web server. This setting is recommended for security purposes, so
         that you do not display application detail information to remote clients.
    -->
    <customErrors defaultRedirect="Error.aspx" mode="On" />
    <!-- AUTHENTICATION
         This section sets the authentication policies of the application. Possible
         modes are "Windows", "Forms", "Passport" and "None".
         "None" No authentication is performed.
         "Windows" IIS performs authentication (Basic, Digest, or Integrated Windows)
         according to its settings for the application. Anonymous access must be
         disabled in IIS.
         "Forms" You provide a custom form (Web page) for users to enter their
         credentials, and then you authenticate them in your application. A user
         credential token is stored in a cookie.
         "Passport" Authentication is performed via a centralized authentication
         service provided by Microsoft that offers a single logon and core profile
         services for member sites.

Managing SSL Certificates for Apache
YaST contains modules for the basic management of X.509 certificates. This mainly involves the creation of CAs, sub-CAs, and their certificates. For more information about how to manage and update certificates, see Managing X.509 Certification (http://www.novell.com/documentation/sles10/sles_admin/data/cha_yast_ca.html) in the SUSE Linux Enterprise Server 10 Installation and Administration Guide (http://www.novell.com/documentation/sles10/sles_admin/data/bookinfo_book_sles_admin.html).
C.2 Generating a Self-Signed SSL Certificate for Testing Purposes
If desired, you can use OpenSSL to create a self-signed SSL certificate to test your configuration. Because the certificate is not from a trusted certificate authority, users receive a warning when connecting to the server that the originator of the certificate cannot be verified. However, the traffic between the server and the client is encrypted at the same level of security that an official certificate generates.

WARNING: The self-signed certificate works correctly for testing purposes but should not be used in an operational deployment, especially when connections cross public communications networks such as the Internet.

1 Make sure you have a valid DNS name registered to a valid IP address on your network. For a cluster solution, this should be the highly available DNS name and IP address of the cluster.

2 Create a private key (.key file). At a terminal console, enter

   openssl genrsa -out filename.key 1024

   Replace filename with the name you want to use for the key.

3 Create a certificate-signing request (.csr file), using the private key (filename.key) you created in Step 2.

   3a At a terminal console, enter

      openssl req -new -key filename.key -out filename.csr

   3b When prompted, enter the following information:
      Locality
      Common name (domain name): iFolder 3.x requires accurate information for the common name of your Apache 2 server. For example, if you enter ifolder3.example.com, this common name should be a valid DNS name that is registered to a valid IP address on your network.
      Organization
      Other information

4 Generate the self-signed certificate (.cert file), using the private key (filename.key) you created in Step 2 and the certificate-signing request (filename.csr) you created in Step 3. At a terminal console, enter

   openssl x509 -req -days 30 -in filename.csr -signkey filename.key -out filename.cert
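The procedure above as a single non-interactive script, followed by checks that the resulting certificate carries the intended common name, is self-issued, matches the private key, and has not expired. This is an added example, not part of the Novell guide; the function names, the subject fields, and the 2048-bit default key size are choices made for the example (the guide's command uses 1024).

```shell
#!/bin/sh
# Added example (not from the Novell guide). Assumes OpenSSL is on PATH.
# Function names, subject fields and the 2048-bit default are example choices.

# make_test_cert BASE COMMON_NAME [DAYS] [BITS]
# Writes BASE.key, BASE.csr and BASE.cert (Steps 2 to 4 of the procedure).
make_test_cert() {
    mk_base=$1; mk_cn=$2; mk_days=${3:-30}; mk_bits=${4:-2048}
    # Step 2: private key, created readable by its owner only.
    ( umask 077; openssl genrsa -out "$mk_base.key" "$mk_bits" 2>/dev/null ) || return 1
    # Step 3: CSR; -subj supplies the answers to the Step 3b prompts.
    openssl req -new -key "$mk_base.key" -out "$mk_base.csr" \
        -subj "/L=Example City/O=Example Org/CN=$mk_cn" || return 1
    # Step 4: sign the request with the same key (self-signed).
    openssl x509 -req -days "$mk_days" -in "$mk_base.csr" \
        -signkey "$mk_base.key" -out "$mk_base.cert" >/dev/null 2>&1 || return 1
}

# cert_name subject|issuer FILE: print that name in RFC 2253 form.
cert_name() {
    openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed "s/^$1= *//"
}

# cert_cn FILE: print the common name from the certificate subject.
cert_cn() {
    cert_name subject "$1" | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# check_test_cert BASE COMMON_NAME
# Returns 0 when BASE.cert has the expected CN, is self-issued, matches
# BASE.key and has not expired; prints one line per failed check otherwise.
check_test_cert() {
    ck_base=$1; ck_cn=$2; ck_rc=0
    [ "$(cert_cn "$ck_base.cert")" = "$ck_cn" ] ||
        { echo "FAIL: common name is not $ck_cn"; ck_rc=1; }
    [ "$(cert_name subject "$ck_base.cert")" = "$(cert_name issuer "$ck_base.cert")" ] ||
        { echo "FAIL: issuer differs from subject (not self-signed)"; ck_rc=1; }
    [ "$(openssl rsa -in "$ck_base.key" -noout -modulus 2>/dev/null)" = \
      "$(openssl x509 -in "$ck_base.cert" -noout -modulus 2>/dev/null)" ] ||
        { echo "FAIL: certificate does not match the private key"; ck_rc=1; }
    openssl x509 -in "$ck_base.cert" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: certificate has expired or cannot be read"; ck_rc=1; }
    return "$ck_rc"
}

# Run with --demo to create and check a certificate in a temporary directory.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d) &&
        make_test_cert "$tmp/filename" ifolder3.example.com &&
        check_test_cert "$tmp/filename" ifolder3.example.com &&
        echo "OK: $tmp/filename.cert"
fi
```

The common-name check is the one that matters for iFolder: pass the DNS name from Step 1 as COMMON_NAME and the check fails if the certificate was issued for anything else.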

Novell iFolder 3.x Security Administrator Guide

August 15, 2006

www.novell.com

Legal Notices

Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes. Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export, or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. Please refer to www.novell.com/info/exports/ for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals. Copyright 2005-2006 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher. Novell, Inc., has intellectual property rights relating to technology embodied in the product that is described in this document. 
In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at http://www.novell.com/company/legal/patents/ and one or more additional patents or pending patent applications in the U.S. and in other countries. Novell, Inc. 404 Wyman Street, Suite 500 Waltham, MA 02451 U.S.A. www.novell.com Online Documentation: To access the online documentation for this and other Novell products, and to get updates, see www.novell.com/documentation.

Novell Trademarks

For a list of Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html).

Third-Party Materials

All third-party trademarks are the property of their respective owners.

Contents

About This Guide

1 Security Best Practices Overview
  1.1 Security Recommendations for iFolder 3.x
  1.2 Security Recommendations for OES Linux

2 Security Best Practices for Novell iFolder 3.x
  2.1 Using SSL for Server - LDAP Server Communications
  2.2 Using SSL for Enterprise Server - iManager Communications
  2.3 Using SSL for Enterprise Server - Client Communications
  2.4 Using SSL for Enterprise Server - Web Access Server Communications
  2.5 Using SSL for Web Access Server - User's Web Browser Communications
  2.6 Disabling SSL 2.0 Protocol
  2.7 Configuring a Cipher Suite to Use for SSL/TLS
  2.8 Installing Trusted Roots and Certifications on the iFolder server
  2.9 Installing Server Certificates from a Known Certificate Authority
  2.10 Using a Shared Certificate in iFolder Clusters
  2.11 Ensuring Privilege Separation for the iFolder Proxy User
  2.12 Securing the iFolder Proxy User Password
  2.13 Using Synchronize Now to Remove Users Effective Immediately
  2.14 Controlling Access to the iFolder Data Store
  2.15 Controlling Access to the iFolder Server Configuration Files
  2.16 Controlling Access to and Backing Up the iFolder Audit Logs
  2.17 Storing iFolder 3.x Data Nonencrypted on the Server
  2.18 Preventing the Propagation of Viruses
  2.19 Backing Up the iFolder Server

3 Security Best Practices for the iFolder Client
  3.1 Configuring Client-Side Firewalls for iFolder Communications
  3.2 Configuring Client-Side Virus Scanners for iFolder Communications
  3.3 Configuring a Web Browser to Use SSL 3.0

4 Other Security Best Practices
  4.1 Controlling Physical Access to the iFolder Servers and Resources
  4.2 Securing Access to the Servers with a Firewall
  4.3 Securing Communications with a VPN If SSL Is Disabled
  4.4 Securing Wireless LAN Connections If SSL Is Disabled
  4.5 Creating Strong Passwords

A Documentation Updates
  A.1 August 15, 2006
    A.1.1 Security Best Practices for iFolder 3.x
  A.2 November 1, 2005

About This Guide

This guide provides specific instructions on how to install, configure, and maintain Novell iFolder 3.x and the iFolder™ client for iFolder 3.x in the most secure way possible.
  Chapter 1, Security Best Practices Overview
  Chapter 2, Security Best Practices for Novell iFolder 3.x
  Chapter 3, Security Best Practices for the iFolder Client
  Chapter 4, Other Security Best Practices

Audience
This guide is intended for network security administrators.

Feedback
We want to hear your comments and suggestions about this manual and the other documentation included with this product. Please use the User Comment feature at the bottom of each page of the online documentation, or go to www.novell.com/documentation/feedback.html and enter your comments there.

Documentation Updates
For the most recent version of the Novell iFolder 3.x Security Administrator Guide, visit the Novell iFolder 3.x documentation Web site (http://www.novell.com/documentation/ifolder3/index.html). For emerging issues with Novell iFolder 3.x and the iFolder client, see the Novell iFolder 3.x Readme (http://www.novell.com/documentation/ifolder3/readme/data/readme.html).

Additional Documentation
For information, see the following:
  Novell iFolder 3.x documentation (http://www.novell.com/documentation/ifolder3/index.html)
  Novell Open Enterprise Server product site (http://www.novell.com/products/openenterpriseserver)
  Novell Open Enterprise Server documentation (http://www.novell.com/documentation/oes/index.html)
  Novell eDirectory™ 8.7.3 documentation (http://www.novell.com/documentation/edir873/treetitl.html)
  Novell iManager 2.5 documentation (http://www.novell.com/documentation/imanager25/treetitl.html)
  Novell Linux Desktop 9 product site (http://www.novell.com/products/desktop/)
  Novell Linux Desktop 9 documentation (http://www.novell.com/documentation/nld/treetitl.html)
  Novell Technical Support (http://www.novell.com/support/)

Documentation Conventions
In Novell documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path. A trademark symbol (®, ™, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party trademark. When a single pathname can be written with a backslash for some platforms or a forward slash for other platforms, the pathname is presented with a backslash. Users of platforms that require a forward slash, such as Linux* or UNIX*, should use forward slashes as required by your software.

1 Security Best Practices Overview
This section summarizes the recommended configurations and settings required to run Novell iFolder 3.x and the iFolder™ client in a secure mode.
  Section 1.1, Security Recommendations for iFolder 3.x
  Section 1.2, Security Recommendations for OES Linux
1.1 Security Recommendations for iFolder 3.x
The following table lists the iFolder server configuration settings that are security related or that impact the security of iFolder resources.

Parameter: Port for server to LDAP server communications (iManager > Novell iFolder 3 > System > LDAP Settings > Server Port)
  Possible Values: Port 636 (secure) or port 389 (insecure)
  Default Value: 636, secure
  Recommended Value for Best Security: 636, secure

Parameter: SSL for server to LDAP server communications (iManager > Novell iFolder 3 > System > LDAP Settings > Port Is Secure)
  Possible Values: Select Yes to enable SSL; deselect Yes (No) to disable SSL
  Default Value: Yes, SSL enabled
  Recommended Value for Best Security: Yes, SSL enabled

Parameter: iFolder Proxy user (iManager > Novell iFolder 3 > System > LDAP Settings > iFolder Proxy User)
  Possible Values: Autogenerated during the iFolder enterprise server configuration; can be modified thereafter
  Default Value: Autogenerated
  Recommended Value for Best Security: Keep the autogenerated iFolder Proxy username; if you change it, make sure the username is different than the iFolder Admin user, equivalent iFolder Admin users, and other system users; and update the Proxy User password.

Parameter: iFolder Proxy user password (iManager > Novell iFolder 3 > System > LDAP Settings > Proxy User Password)
  Possible Values: User-specified
  Default Value: Autogenerated during initial configuration of the iFolder server
  Recommended Value for Best Security: User-specified, using strong password practices

Parameter: Web browser to iManager Server communications
  Default Value: HTTPS and Novell eDirectory™ authentication
  Recommended Value for Best Security: HTTPS and eDirectory authentication

Parameter: iFolder Admin user
  Default Value: User-specified administrator user
  Recommended Value for Best Security: Special iFolder Admin user identity for managing iFolder services

Parameter: Equivalent iFolder Admin users
  Recommended Value for Best Security: Users with limited administrator rights, such as for a specific iFolder server

Parameter: Port for iManager to server communications (iManager > Novell iFolder 3 > (select any task to go to the iFolder Login page) > Port)
  Possible Values: Port 443 (secure) or port 80 (insecure)
  Default Value: 443, secure
  Recommended Value for Best Security: 443, secure

Parameter: SSL for iManager to server communications (iManager > Novell iFolder 3 > (select any task to go to the iFolder Login page) > Secure)
  Possible Values: Select Secure (secure) to use SSL; deselect Secure (insecure) to use unencrypted connections
  Default Value: Select Secure, SSL enabled
  Recommended Value for Best Security: Select Secure, SSL enabled

Parameter: Server to client communications (/opt/novell/ifolder3/web/web.config file)
  Possible Values: SimiasRequireSSL (Yes/No); SimiasSSLPort (443/80)
  Default Value: SimiasRequireSSL = Yes; SimiasSSLPort = 443
  Recommended Value for Best Security: SimiasRequireSSL = Yes; SimiasSSLPort = 443
1.2 Security Recommendations for OES Linux
For information about security issues in Novell Open Enterprise Server, see the following in the Novell OES Planning and Implementation Guide (http://www.novell.com/documentation/oes/implgde/data/front.html):
  Authentication (http://www.novell.com/documentation/oes/implgde/data/authentication.html)
  Security (http://www.novell.com/documentation/oes/implgde/data/security.html)
2 Security Best Practices for Novell iFolder 3.x
This section provides specific instructions on how to install, configure, and maintain Novell iFolder 3.x in the most secure way possible.
  Section 2.1, Using SSL for Server - LDAP Server Communications
  Section 2.2, Using SSL for Enterprise Server - iManager Communications
  Section 2.3, Using SSL for Enterprise Server - Client Communications
  Section 2.4, Using SSL for Enterprise Server - Web Access Server Communications
  Section 2.5, Using SSL for Web Access Server - User's Web Browser Communications
  Section 2.6, Disabling SSL 2.0 Protocol
  Section 2.7, Configuring a Cipher Suite to Use for SSL/TLS
  Section 2.8, Installing Trusted Roots and Certifications on the iFolder server
  Section 2.9, Installing Server Certificates from a Known Certificate Authority
  Section 2.10, Using a Shared Certificate in iFolder Clusters
  Section 2.11, Ensuring Privilege Separation for the iFolder Proxy User
  Section 2.12, Securing the iFolder Proxy User Password
  Section 2.13, Using Synchronize Now to Remove Users Effective Immediately
  Section 2.14, Controlling Access to the iFolder Data Store
  Section 2.15, Controlling Access to the iFolder Server Configuration Files
  Section 2.16, Controlling Access to and Backing Up the iFolder Audit Logs
  Section 2.17, Storing iFolder 3.x Data Nonencrypted on the Server
  Section 2.18, Preventing the Propagation of Viruses
  Section 2.19, Backing Up the iFolder Server

2.1 Using SSL for Server - LDAP Server Communications
By default, the iFolder enterprise server and Web Access server are configured to communicate with the LDAP server via SSL. For most deployments, this setting should not be changed. If the LDAP server co-exists on the same machine as the iFolder enterprise server, an administrator can reconfigure to disable SSL, which increases the performance of LDAP authentications. For information, see Configuring the Enterprise Server for SSL Communications with the LDAP Server in the Novell iFolder 3.x Administration Guide.
2.2 Using SSL for Enterprise Server - iManager Communications
By default, the Novell iFolder 3.x plug-in to iManager uses SSL for communications to the iFolder enterprise server being managed. For most deployments, this setting should not be changed. If the iManager server and the iFolder enterprise server are on the same computer, SSL is not required. For HTTP connections, the password is passed in the clear. For information, see Accessing the Novell iFolder 3 Plug-In for iManager in the Novell iFolder 3.x Administration Guide.
2.3 Using SSL for Enterprise Server - Client Communications
By default, the iFolder enterprise server is configured to require SSL. All client communication to the server is encrypted using the SSL protocol. For most deployments, this setting should not be changed because iFolder uses HTTP BASIC for authentication, which means passwords are sent to the server in the clear. For information, see Configuring the Enterprise Server for SSL Communications with the iFolder Client in the Novell iFolder 3.x Administration Guide. If you disable SSL for server-client communications, you should use a VPN (virtual private network) for communications over wireless networks and outside the firewall. For information, see Section 4.3, Securing Communications with a VPN If SSL Is Disabled, on page 21.
2.4 Using SSL for Enterprise Server - Web Access Server Communications
By default, the iFolder enterprise server is configured to communicate with the iFolder Web Access server via SSL. For most deployments, this setting should not be changed. If the Web Access server co-exists on the same machine as the iFolder enterprise server, an administrator can reconfigure to disable SSL, which increases the performance of local communications between the two servers. For information, see Configuring the Web Access Server for SSL Communications with the Enterprise Server in the Novell iFolder 3.x Administration Guide.

2.5 Using SSL for Web Access Server - User's Web Browser Communications
By default, the iFolder Web Access server is configured to require SSL. All Web-browser-based communication to the Web Access server is encrypted using the SSL protocol. In most deployments, this setting should not be changed because iFolder uses Forms-based authentication for browser communications, which means passwords are sent to the server in the clear. For information, see Configuring the Web Access Server for SSL Communications with Web Browsers in the Novell iFolder 3.x Administration Guide. If you disable SSL for server-client communications, you should use a VPN (virtual private network) for communications over wireless networks and outside the firewall. For information, see Section 4.3, Securing Communications with a VPN If SSL Is Disabled, on page 21.
2.6 Disabling SSL 2.0 Protocol
The built-in protections of SSL 3.0 against version rollback attacks (where the session is rolled back to SSL 2.0 even when both client and server support SSL 3.0) are not secure against version-rollback attackers who can brute force the key and substitute a new ENCRYPTED-KEY-DATA message containing the same key (but with normal padding) before the application-specified wait threshold has expired. If you disable SSL 2.0 on the server, it is not possible to establish a session using SSL 2.0, and version rollback attacks are not possible.
For information about disabling SSL 2.0 protocol for the Apache server, see Configuring the SSL Cipher Suites for the Apache Server in the Novell iFolder 3.x Administration Guide. For information about configuring strong SSL/TLS security solutions, see SSL/TLS Strong Encryption: How-To (http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html) on the Apache.org Web site.
2.7 Configuring a Cipher Suite to Use for SSL/TLS
To ensure strong encryption, we strongly recommend the following configuration for the Apache server's SSL cipher suite settings.
  Use only High and Medium security cipher suites, such as RC4 and RSA.
  Remove from consideration any ciphers that do not authenticate, such as Anonymous Diffie-Hellman (ADH) ciphers.
  Disable the Low, Export, and Null cipher suites unless you need them for other applications.
Do not disable Low and Export cipher suites if they are required by your customer base. Those using older browsers (4-5 years old) and older versions of Windows such as Windows 98 might still need those cipher suites for other services.
For information, see Configuring the SSL Cipher Suites for the Apache Server in the Novell iFolder 3.x Administration Guide. For information about configuring strong SSL/TLS security solutions, see SSL/TLS Strong Encryption: How-To (http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html) on the Apache.org Web site.
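One way to check a candidate cipher string against the rules above before it goes into the Apache configuration, which takes cipher strings in OpenSSL syntax. This is an added example, not part of the Novell guide; it assumes OpenSSL is on the PATH, and the cipher string in GUIDE_SPEC, the constructed sample listing, the function names, and the under-128-bit threshold used for Low and Export suites are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the Novell guide). Assumes OpenSSL is on PATH.

# Candidate cipher string (an assumption of this example): High and Medium
# only, with anonymous (!aNULL covers ADH), Null, Low and Export suites removed.
GUIDE_SPEC='HIGH:MEDIUM:!aNULL:!eNULL:!LOW:!EXP'

# Constructed sample in the layout printed by `openssl ciphers -v`,
# used to show what the classifier reports.
SAMPLE_LISTING='AES256-SHA      SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
ADH-AES256-SHA  SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
NULL-SHA        SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
EXP-RC4-MD5     SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
DES-CBC-SHA     SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
RC4-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1'

# flag_weak_suites: read `openssl ciphers -v` lines on stdin and print
# "SUITE reason[,reason]" for every suite the section says to exclude.
flag_weak_suites() {
    awk '
    {
        why = ""
        for (i = 2; i <= NF; i++) {
            if ($i == "Au=None")  why = why ",anonymous"
            if ($i == "Enc=None") why = why ",null-encryption"
            if ($i == "export")   why = why ",export"
            if ($i ~ /^Enc=.*\([0-9]+\)$/) {
                bits = $i
                sub(/^.*\(/, "", bits)
                sub(/\)$/, "", bits)
                # Assumption: fewer than 128 bits counts as Low or Export.
                if (bits + 0 < 128) why = why ",low-strength(" bits " bits)"
            }
        }
        if (why != "") print $1, substr(why, 2)
    }'
}

# audit_cipher_spec SPEC
# Expands SPEC with the local OpenSSL and reports weak suites it still allows.
# Returns 0 if none, 1 if any were found, 2 if SPEC selects nothing.
audit_cipher_spec() {
    ac_list=$(openssl ciphers -v "$1" 2>/dev/null) ||
        { echo "cipher string selects no suites: $1"; return 2; }
    ac_weak=$(printf '%s\n' "$ac_list" | flag_weak_suites)
    [ -z "$ac_weak" ] && return 0
    printf '%s\n' "$ac_weak"
    return 1
}

# Run with --demo to classify the sample and audit the candidate string.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LISTING" | flag_weak_suites
    audit_cipher_spec "$GUIDE_SPEC" && echo "no weak suites in $GUIDE_SPEC"
fi
```

The expansion depends on the OpenSSL build installed on the server, so run the audit on the machine that hosts Apache.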

2.8 Installing Trusted Roots and Certifications on the iFolder server
You should manually install the trusted roots and the directory public key out-of-band. For information, see Managing SSL Certificates for Apache in the Novell iFolder 3.x Administration Guide.
2.9 Installing Server Certificates from a Known Certificate Authority
You should use valid certificates for both the Apache server and the communication between the Simias server and the Simias client daemon. Simias is the technology underpinning your iFolder server and client software. You should have the server public key signed by a known Certificate Authority (CA). For information, see Generating an SSL Certificate for the Server in the Novell iFolder 3.x Administration Guide.
2.10 Using a Shared Certificate in iFolder Clusters
For a cluster where all of the nodes are acting like the same machine when they are taking their turn hosting, the user should have a single certificate (for the highly available IP address) that all of the nodes in the cluster share. For information, see Configuring Apache to Point to an SSL Certificate on a Shared Volume for an iFolder Cluster in the Novell iFolder 3.x Administration Guide.
2.11 Ensuring Privilege Separation for the iFolder Proxy User
The iFolder Proxy user is a proxy user identity used to access the LDAP server with Read access to retrieve a list of authorized users. The proxy user is automatically created during the iFolder enterprise server configuration in YaST. The username is autogenerated to be unique on the system. For most deployments, this username should never change.
The iFolder Admin user or equivalent can use the iFolder 3.x iManager plug-in to change the iFolder Proxy user identity in the LDAP settings for the iFolder server. Make sure that the user account assigned as the iFolder Proxy user is different than the one used for the iFolder Admin user and other system users. Separating the proxy user from the administrator provides privilege separation.
The proxy user password is stored briefly in the /opt/novell/ifolder3/etc/simias-server-bootstrap.config file on the iFolder server after configuring the iFolder enterprise server and before the iFolder service is started for the first time. The restart of Apache is forced at the end of the configuration process, which starts the iFolder service. During the initial startup, the iFolder process reads the simias-server-bootstrap.config file, stores the password in reversible encrypted format in the server's Simias database, and then removes the password from the file.
For information, see Admin User Considerations in the Novell iFolder 3.x Administration Guide. For information about modifying the password, see the iFolder Proxy User setting in Modifying the iFolder LDAP Settings in the Novell iFolder 3.x Administration Guide.
2.12 Securing the iFolder Proxy User Password

2.14 Controlling Access to the iFolder Data Store
The iFolder server stores the database and user files under the /var/opt/novell/ifolder3/simias directory. By default, the Apache Server user wwwrun owns those files. Administrators of the iFolder 3.x server machine must use every precaution to not inadvertently assign rights to unauthorized users.
2.15 Controlling Access to the iFolder Server Configuration Files
The iFolder server stores the configuration files in the /var/lib/wwwrun/.local/share/simias directory (or in the /home/wwwrun/.local/share/simias directory if NSS is post-installed on the server). The Apache Server user wwwrun owns the configuration file. Administrators of the iFolder 3.x server machine must use every precaution to not inadvertently assign rights to unauthorized users.
2.16 Controlling Access to and Backing Up the iFolder Audit Logs
By default, the iFolder server stores the audit logs in the /var/opt/novell/simias directory. The iFolder server administrator should guarantee that rights are not inadvertently assigned to unauthorized users. Administrators should also periodically back up the rolled-over logs in case they are ever needed for forensic purposes. Audit logs should be monitored periodically.
For information, see Managing the Simias Log and Simias Access Log in the Novell iFolder 3.x Administration Guide.
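A way to audit the directories named in Sections 2.14 through 2.16 for entries that are not owned by wwwrun or that grant access to users outside the owner and group. This is an added example, not part of the Novell guide; the function names, the use of wwwrun as the expected owner of the audit log directory, and the rule that any permission bit for "other" is a finding are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the Novell guide).
# Directories taken from Sections 2.14 to 2.16; the two configuration
# directories are alternatives, so a missing one is skipped, not reported.
IFOLDER_DIRS="/var/opt/novell/ifolder3/simias
/var/lib/wwwrun/.local/share/simias
/home/wwwrun/.local/share/simias
/var/opt/novell/simias"

# find_exposed DIR OWNER
# Prints every entry under DIR (DIR included, symbolic links excluded) that is
# not owned by OWNER or that has a read, write or execute bit set for "other".
# Returns 2 if DIR does not exist.
find_exposed() {
    [ -d "$1" ] || return 2
    find "$1" ! -type l \
        \( ! -user "$2" -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# audit_ifolder [OWNER]
# Checks each directory in IFOLDER_DIRS against OWNER (default: wwwrun).
# Returns 0 when nothing is exposed, 1 otherwise.
audit_ifolder() {
    au_owner=${1:-wwwrun}; au_rc=0
    for au_dir in $IFOLDER_DIRS; do
        if [ ! -d "$au_dir" ]; then
            echo "skip (not present): $au_dir"
            continue
        fi
        au_hits=$(find_exposed "$au_dir" "$au_owner")
        if [ -n "$au_hits" ]; then
            echo "exposed entries under $au_dir:"
            printf '%s\n' "$au_hits" | sed 's/^/  /'
            au_rc=1
        else
            echo "ok: $au_dir"
        fi
    done
    return "$au_rc"
}

# Run with --audit on the iFolder server (as root, so every entry is visible).
if [ "${1:-}" = "--audit" ]; then
    audit_ifolder "${2:-wwwrun}"
fi
```

Run on a schedule, the same check also catches rights that were added after the initial review.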
2.17 Storing iFolder 3.x Data Nonencrypted on the Server
iFolder 3.x uses SSL to encrypt data exchanges between the client and enterprise server and between the user's Web browser and the Web Access server. The client and server do not store iFolder data in encrypted format. This is different than iFolder 2.1x, which provides passphrase-based encryption. Users and administrators need to be aware of this to determine which users have data that is eligible for an iFolder 3.x system. Some users might need to continue to use the iFolder 2.1x services. For information, see Migrating User Files from an iFolder 2.1x to a 3.x Server in the Novell iFolder 3.x Administration Guide.
2.18 Preventing the Propagation of Viruses
Because iFolder is a cross-platform distributed solution, there is a possibility of a virus infection on one platform migrating across the iFolder server to other platforms, and vice versa. You should enforce server-based virus scanning to prevent viruses from entering the corporate network. You should also enforce client-based virus scanning. For information, see Configuring Local Virus Scanner Settings for iFolder Traffic in the iFolder User Guide for Novell iFolder 3.x.
2.19 Backing Up the iFolder Server
Backup of iFolder user data and configuration data should be performed regularly. Backup media should be stored in a secure offsite facility. During backup and restore, the iFolder data itself is not encrypted. If the iFolder store and the backup media are on different computers, use SSL to transfer data between the computers. It is not necessary to use SSL if the iFolder store and backup media are on the same computer.
For information, see the following in the Novell iFolder 3.x Administration Guide:
  Backing Up the iFolder Server
  Backing Up the iFolder Store with the TSAIF
  Recovering from a Catastrophic Loss of the iFolder Server
  Recovering Individual Files or Directories
For sensitive data, use one of the following methods to encrypt the backup of data:
  Encrypt the data itself if the application that creates the data supports encryption. For example, database products and third-party tools support data encryption.
  Use backup software that is able to encrypt data as you back it up. This method has performance and manageability challenges, especially for managing encryption keys.
  Use an encryption appliance that encrypts sensitive backup media as data is backed up.
If you transport and store media offsite, use a company that specializes in media shipment and storage. This way, your tapes are tracked via barcodes, stored in environmentally friendly conditions, and are handled by a company whose reputation rests on its ability to handle your media properly.
3 Security Best Practices for the iFolder Client
This section provides specific instructions on how to install, configure, and maintain the iFolder™ client for Novell iFolder 3.x in the most secure way possible.
  Section 3.1, Configuring Client-Side Firewalls for iFolder Communications
  Section 3.2, Configuring Client-Side Virus Scanners for iFolder Communications
  Section 3.3, Configuring a Web Browser to Use SSL 3.0
3.1 Configuring Client-Side Firewalls for iFolder Communications
If users deploy a client-side firewall, they must set the firewall to allow the iFolder client to communicate locally (on the same computer) with Mono XSP Server. iFolder communicates to Mono XSP Web services, which communicates, in turn, with the iFolder enterprise server via HTTP BASIC or SSL, as governed by the system settings for the iFolder enterprise server. The user can allow iFolder to choose a local dynamic port for local iFolder traffic, or configure a local static port for iFolder to use for that purpose. For information, see Configuring Local Firewall Settings for iFolder Traffic in the iFolder User Guide for Novell iFolder 3.x.
3.2 Configuring Client-Side Virus Scanners for iFolder Communications
Because iFolder is a cross-platform distributed solution, there is a possibility of a virus infection on one platform migrating across the iFolder server to other platforms, and vice versa. You should enforce client-based virus scanning to prevent viruses from entering the corporate network. Scanning the .\simias\WorkArea\ directory for viruses causes problems with synchronization if a virus is detected on download. The .\simias\WorkArea\ directory is where iFolder stages files for download from the server. Users should set their virus scanners to avoid scanning the .\simias\WorkArea directory. Scanners can detect the virus when iFolder moves the infected file from the staging area to the target iFolder. For information, see Configuring Local Virus Scanner Settings for iFolder Traffic in the iFolder User Guide for Novell iFolder 3.x.
3.3 Configuring a Web Browser to Use SSL 3.0
Novell iFolder 3.x servers expect users to connect to the enterprise server account and the Web access server with SSL 3.0 connections. Both the client and browser connections use the browser's settings for SSL. If Microsoft* IE is installed on your system, the iFolder client uses those settings over any other browser configuration for the client. Make sure the IE browser settings and other browsers you use to connect to iFolder servers are configured to use SSL 3.0.

4 Other Security Best Practices
This section discusses other security best practices for your Novell iFolder 3.x servers and resources.
  Section 4.1, Controlling Physical Access to the iFolder Servers and Resources
  Section 4.2, Securing Access to the Servers with a Firewall
  Section 4.3, Securing Communications with a VPN If SSL Is Disabled
  Section 4.4, Securing Wireless LAN Connections If SSL Is Disabled
  Section 4.5, Creating Strong Passwords
4.1 Controlling Physical Access to the iFolder Servers and Resources
Servers must be kept in a physically secure location with access by authorized personnel only. The corporate network must be physically secured against eavesdropping or packet sniffing.
4.2 Securing Access to the Servers with a Firewall
If the iFolder enterprise server or Web Access server is accessible from outside the corporate network, a firewall should be employed to prevent direct access by a would-be intruder.
4.3 Securing Communications with a VPN If SSL Is Disabled
We recommend configuring Novell iFolder 3.x to use SSL (HTTPS) connections for all data exchanges between its different components because the iFolder authentication and iFolder data are not encrypted. If you configure iFolder to use insecure connections for communications between the enterprise server and client or between the Web access server and the user's Web browser, the user data is susceptible to eavesdropping or packet sniffing by third parties outside the corporate firewall.
Even if you consider the corporate environment to be a trusted environment, a VPN (virtual private network) should be employed for server-client and server-browser connections in the following situations:
  When the users access the servers from outside of the corporate firewall
  When the users access the servers across a wireless network. Wireless access points and adapters broadcast data into space, where the signals can be intercepted by anyone with the ability to listen in at the appropriate frequency.
For accessing the Web access server over a VPN, make sure to disable split tunneling so that the traffic goes through the VPN connection to the corporate network, not over the public Internet.
For information about configuring SSL features for these communications, see the following:
  Section 2.3, Using SSL for Enterprise Server - Client Communications
  Section 2.5, Using SSL for Web Access Server - User's Web Browser Communications
4.4 Securing Wireless LAN Connections If SSL Is Disabled
Protecting a wireless network requires forethought and planning, just as protecting a wired network does. Among the key protective measures to be undertaken are:
- Enable WEP (Wired Equivalent Privacy) encryption, but do not rely on WEP alone to provide security for the wireless network.
- Use other typical LAN security mechanisms such as VPNs, firewalls, and authentication to ensure privacy. For information, see Section 4.3, Securing Communications with a VPN If SSL Is Disabled, on page 21.
- Survey the interference and jamming likelihood for a planned wireless LAN before it is installed.
- Change the manufacturer's default password for your wireless access points, gateways, or routers.
- Limit, as much as is possible, who can attach to a wireless network. For example, using MAC address filtering is practical for small networks, but it is a time-consuming administrative effort for large networks.
- Use an anonymous Service Set Identifier (SSID) by turning off the SSID broadcast for access points.

4.5 Creating Strong Passwords
Make sure to employ security best practices for passwords, such as the following:
- Length: The minimum recommended length is 6 characters. A secure password is at least 8 characters; longer passwords are better.
- Complexity: A secure password contains a mix of letters and numbers. It should contain both uppercase and lowercase letters and at least one numeric character.
  - Adding numbers to passwords, especially when added to the middle and not just at the beginning or the end, can enhance password strength.
  - Special characters such as &, $, and > can greatly improve the strength of a password.
  - Do not use recognizable words, such as proper names or words from a dictionary, even if they are bookended with numbers.
  - Do not use personal information, such as phone numbers, birth dates, anniversary dates, addresses, or zip codes.
  - Do not invert recognizable information; inverting bad passwords does not make them more secure.
- Uniqueness: Do not use the same passwords for all servers. Make sure to use separate passwords for each server so that if one server is compromised, all of your servers are not immediately at risk.
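The rules above written as a checker, as an added example that is not part of the Novell guide. The word list, function names, and sample values are constructed for illustration; special characters are recommended by the guide but not required, so the checker does not enforce them.

```python
import re

# Constructed sample word list (assumption): a real check would load a full
# dictionary plus organization-specific names.
WORDLIST = {"password", "novell", "ifolder", "server", "admin", "welcome"}

def check_password(password, personal_info=(), wordlist=WORDLIST):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < 6:
        problems.append("shorter than the 6-character minimum")
    elif len(password) < 8:
        problems.append("under 8 characters, so not considered secure")
    if not re.search(r"[a-z]", password) or not re.search(r"[A-Z]", password):
        problems.append("needs both uppercase and lowercase letters")
    if not re.search(r"\d", password):
        problems.append("needs at least one numeric character")
    # Strip the digits and symbols that bookend the password, then compare the
    # remaining core, forwards and inverted, against recognizable words.
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password).lower()
    if core in wordlist:
        problems.append("recognizable word bookended with numbers")
    elif core[::-1] in wordlist:
        problems.append("inverted recognizable word")
    # Personal information (phone number, birth date, zip code, ...), forwards
    # or inverted, anywhere in the password.
    lowered = password.lower()
    for item in personal_info:
        item = item.lower()
        if item and (item in lowered or item[::-1] in lowered):
            problems.append("contains personal information")
            break
    return problems

def reused_passwords(server_passwords):
    """Map each password chosen for more than one server to those servers.

    Intended to run at the moment the passwords are chosen; nothing is stored.
    """
    seen = {}
    for server, pw in server_passwords.items():
        seen.setdefault(pw, []).append(server)
    return {pw: sorted(names) for pw, names in seen.items() if len(names) > 1}
```
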

Documentation Updates

This section contains information about documentation content changes made to the Novell iFolder 3.x Security Administrator Guide since the initial release of Novell iFolder 3. If you are an existing user, review the change entries to readily identify modified content. If you are a new user, simply read the guide in its current state.

Refer to the publication date, which appears on the front cover and the Legal Notices page, to determine the release date of this guide. For the most recent version of the Novell iFolder 3.x Security Administrator Guide, see the Novell iFolder 3.x documentation Web site (http://www.novell.com/documentation/ifolder3).

In this section, content changes appear in reverse chronological order, according to the publication date. Within a dated entry, changes are grouped and sequenced, according to where they appear in the document itself. Each change entry provides a link to the related topic and a brief description of the change.

This document was updated on the following dates:
- Section A.1, August 15, 2006, on page 23
- Section A.2, November 1, 2005, on page 23

A.1 August 15, 2006

Updates were made to the following sections. Changes are explained below.
- Section A.1.1, Security Best Practices for iFolder 3.x, on page 23

A.1.1 Security Best Practices for iFolder 3.x
The following change was made to this section:

Location: Section 2.7, Configuring a Cipher Suite to Use for SSL/TLS, on page 13

Change: Do not disable Low and Export cipher suites if they are required by your customer base. Those using older browsers (4-5 years old) and older versions of Windows such as Windows 98 might still need those cipher suites for other services.

A.2 November 1, 2005

The entire guide was reformatted to comply with revised Novell documentation standards. The content is unchanged.

 
