
IBM Tivoli Access Manager for e-business

WebSEAL Administration Guide
Version 5.1

SC32-1359-00


Note Before using this information and the product it supports, read the information in Appendix C, Notices, on page 497.

First Edition (November 2003) Copyright International Business Machines Corporation 1999, 2003. All rights reserved. US Government Users Restricted Rights Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Preface . . . xvii
  Who should read this book . . . xvii
  What this book contains . . . xvii
  Publications . . . xix
    Release information . . . xix
    Base information . . . xix
    Web security information . . . xx
    Developer references . . . xx
    Technical supplements . . . xxi
    Related publications . . . xxi
      IBM Global Security Kit . . . xxi
      IBM Tivoli Directory Server . . . xxii
      IBM DB2 Universal Database . . . xxii
      IBM WebSphere Application Server . . . xxii
      IBM Tivoli Access Manager for Business Integration . . . xxii
      IBM Tivoli Access Manager for WebSphere Business Integration Brokers . . . xxiii
      IBM Tivoli Access Manager for Operating Systems . . . xxiii
      IBM Tivoli Identity Manager . . . xxiv
  Accessing publications online . . . xxv
  Accessibility . . . xxv
  Contacting software support . . . xxv
  Conventions used in this book . . . xxv
    Typeface conventions . . . xxv
    Operating system differences . . . xxvi

Chapter 1. IBM Tivoli Access Manager WebSEAL overview . . . 1
  Introducing IBM Tivoli Access Manager and WebSEAL . . . 1
  Understanding the Tivoli Access Manager security model . . . 2
    The protected object space . . . 3
    Defining and applying ACL and POP policies . . . 3
      The access control list (ACL) . . . 4
      Protected object policies (POP) . . . 4
      Explicit and inherited policy . . . 5
    Policy administration: The Web Portal Manager . . . 5
  Protecting the Web space with WebSEAL . . . 5
  Planning and implementing the security policy . . . 6
    Identifying content types and levels of protection . . . 7
  Understanding WebSEAL authentication . . . 8
    The goals of authentication . . . 8
    Authenticated and unauthenticated access to resources . . . 9
    The WebSEAL session/credentials cache structure . . . 10
  Understanding WebSEAL junctions . . . 11
    WebSEAL junctions and Web site scalability . . . 12
      Replicated front-end WebSEAL servers . . . 13
      Supporting back-end servers . . . 13
      Replicated back-end servers . . . 13

Chapter 2. WebSEAL server configuration . . . 15
  Server instance configuration . . . 16
    Server instance configuration overview . . . 16
      Planning a server instance configuration . . . 16
      Example server instance configuration values . . . 20
      Unique configuration file for each instance . . . 21
      Interactive configuration overview . . . 21
      Command line configuration overview . . . 21


      Silent configuration overview . . . 23
    Server instance configuration tasks . . . 24
      Adding a WebSEAL server instance . . . 24
      Removing a server instance . . . 26
  Communication protocol configuration . . . 28
    Configuring WebSEAL for HTTP requests . . . 28
      Enabling/disabling HTTP access . . . 28
      Setting the HTTP access port value . . . 28
    Configuring WebSEAL for HTTPS requests . . . 28
      SSL connections using the WebSEAL test certificate (this belongs in an SSL discussion) . . . 28
      Enabling/disabling HTTPS access . . . 29
      Setting the HTTPS access port value . . . 29
    Restricting connections from specific SSL versions . . . 30
    Timeout parameters for HTTP/HTTPS communication . . . 30
    Additional WebSEAL server timeout parameters . . . 30
  Cryptographic hardware for encryption and key storage . . . 32
    Conditions and prerequisites . . . 33
    Configuring Cipher engine and FIPS mode processing . . . 33
    Configuring WebSEAL for cryptographic hardware over BHAPI . . . 34
    Configuring WebSEAL for cryptographic hardware over PKCS#11 . . . 34
      Install the cryptographic card and device driver . . . 34
      Create a token device label and password to store WebSEAL keys . . . 34
      Configure iKeyman to use the PKCS#11 module (shared library) . . . 34
      Open the WebSEAL token device using iKeyman . . . 35
      Request and store the WebSEAL server certificate . . . 36
      Configure WebSEAL and GSKit to use the PKCS#11 shared library . . . 36
      Modify the WebSEAL server certificate label . . . 37
      Disable acceleration mode for nCipher nForce 300 . . . 37
      Restart WebSEAL . . . 37
  Quality of protection levels . . . 38
    QOP for individual hosts and networks . . . 39
  Configuring authorization database updates and polling . . . 40
    Configuring update notification listening . . . 40
    Configuring authorization database polling . . . 40
  Managing worker thread allocation . . . 41
    Configuring WebSEAL worker threads . . . 41
      Configuration on AIX . . . 41
    Allocating worker threads for junctions (junction fairness) . . . 42
      Background . . . 42
      Global allocation of worker threads for junctions . . . 42
      Per-junction allocation of worker threads for junctions . . . 43
      Troubleshooting notes . . . 43
  Multi-locale support with UTF-8 . . . 44
    Multi-locale support concepts . . . 44
      WebSEAL data handling using UTF-8 . . . 44
      UTF-8 dependency on user registry configuration . . . 45
      UTF-8 data conversion issues . . . 45
      UTF-8 environment variables for CGI programs . . . 46
      UTF-8 impact on authentication . . . 46
      URLs must use only one encoding type . . . 47
      UTF-8 support during WebSEAL upgrade . . . 47
    Configuring multi-locale support . . . 48
      UTF-8 support for uniform resource locators . . . 48
      UTF-8 support for forms . . . 49
      UTF-8 support in query strings . . . 50
      UTF-8 encoding of tokens for cross domain single sign-on . . . 50
      UTF-8 encoding of tokens for e-community single sign-on . . . 51
      UTF-8 encoding of cookies for failover authentication . . . 51
      UTF-8 encoding in junction requests . . . 51
    Multi-locale messages . . . 53
    Handling invalid character encoding in URL query strings . . . 55


  Preventing vulnerability caused by cross-site scripting . . . 56
    Background . . . 56
    Configuring URL string filtering . . . 56
    Replicated front-end WebSEAL servers . . . 58
  Platform for Privacy Preferences (P3P) . . . 59
    Compact policy overview . . . 59
    Compact policy declaration . . . 60
    Junction header preservation . . . 60
    Default compact policy in the P3P header . . . 61
    P3P header configuration . . . 62
    Specifying a custom P3P compact policy . . . 67
    Troubleshooting . . . 68
  Suppressing server identity . . . 69
  Handling BASE HREF tags . . . 69
  Enabling HTTP TRACE method . . . 69

Chapter 3. WebSEAL server administration . . . 71
  Server tasks . . . 72
    Start a WebSEAL server . . . 72
    Stop a WebSEAL server . . . 72
    Restart a WebSEAL server . . . 73
    Display WebSEAL server status . . . 73
  Managing the Web space . . . 74
    WebSEAL represented in the protected object space . . . 74
    Root directory of the Web document tree . . . 74
    Configuring directory indexing . . . 75
    Windows: File naming for CGI programs . . . 76
    Executable UNIX files on the WebSEAL server host system . . . 77
    Configuring Web document caching . . . 77
      Conditions affecting Web document caching . . . 78
      Flushing all caches . . . 78
      Controlling caching for specific documents . . . 78
    Specifying document MIME types for URL filtering . . . 79
  HTTP data compression . . . 80
    Compression based on MIME-type . . . 80
    Compression based on user agent type . . . 81
    Compression policy in POPs . . . 82
    Data compression limitation . . . 82
    Data compression configuration . . . 82
  HTTP error message pages . . . 84
    Default error message pages . . . 84
    Modifying existing HTTP error pages . . . 86
    Creating new HTTP error pages . . . 86
    Enabling the time of day error page . . . 86
    Specifying error page location . . . 87
    Backwards compatibility . . . 87
  Managing custom account management pages . . . 88
    Custom page parameters and values . . . 88
    Custom HTML page descriptions . . . 89
    Macro support for account management pages . . . 89
    Modifying pages from prior versions of Tivoli Access Manager . . . 91
  Backup and restore . . . 92
    Backup WebSEAL data . . . 92
    Restore WebSEAL data . . . 93
    Extract archived WebSEAL data . . . 93
  Problem determination tools for WebSEAL . . . 94

Chapter 4. Serviceability and logging . . . 95
  Logging WebSEAL serviceability messages . . . 96
    Serviceability messages in UTF-8 format . . . 97


  Event capturing and logging . . . 98
    Event logging configuration tasks . . . 98
    Example configuration . . . 99
    Configuring HTTP logging using event logging . . . 100
    HTTP event log output . . . 101
    Authentication event log output . . . 102
    Audit data in UTF-8 format . . . 104
  Legacy auditing . . . 105
    Legacy auditing for authentication . . . 105
    Legacy auditing for HTTP . . . 105
      Enabling and disabling HTTP logging . . . 106
      Specifying the timestamp type . . . 106
      Specifying log file rollover thresholds . . . 106
      Specifying the frequency for flushing log file buffers . . . 107
      HTTP common log format (for request.log) . . . 107
      Displaying the request.log file . . . 107
      Displaying the agent.log file . . . 107
      Displaying referer.log . . . 108
      Log data in UTF-8 format . . . 108

Chapter 5. WebSEAL security policy . . . 109
  WebSEAL-specific ACL policies . . . 110
    /WebSEAL/host-instance_name . . . 110
    /WebSEAL/host-instance_name/file . . . 110
    WebSEAL ACL permissions . . . 110
    Default /WebSEAL ACL policy . . . 110
    Valid characters for ACL names . . . 111
  Configuring three strikes login policy . . . 112
    Account lock policy with load-balanced WebSEAL servers . . . 112
    Syntax for three strikes login commands . . . 113
  Configuring password strength policy . . . 114
    Password strength policy set by the pdadmin utility . . . 114
    Syntax for password strength policy commands . . . 114
    Default policy parameter values . . . 115
    Valid and invalid password examples . . . 115
    Specific user and global settings . . . 116
  Authentication strength policy . . . 117
    Overview of authentication strength . . . 117
    Authentication strength configuration . . . 119
      Establish an authentication strength policy . . . 119
      Specify authentication levels . . . 119
      Specify the authentication strength login form . . . 120
      Create a protected object policy . . . 121
      Specify network-based access restrictions . . . 122
      Attach a protected object policy to a protected resource . . . 124
      Enforce user identity match across authentication levels . . . 125
  Quality of protection POP policy . . . 126
  Handling unauthenticated users (HTTP / HTTPS) . . . 126
    Processing a request from an anonymous client . . . 126
    Forcing user login . . . 126
    Applications of unauthenticated HTTPS . . . 127

Chapter 6. Authentication . . . 129
  Overview of the authentication process . . . 130
    Supported session data types . . . 130
    Supported authentication methods . . . 130
  Managing session state . . . 132
    Session state overview . . . 132
    GSKit and WebSEAL session cache overview . . . 132
    Configuring the GSKit SSL session ID cache . . . 133


      Setting the cache entry timeout value . . . 133
      Setting the maximum concurrent entries value . . . 133
    Configuring the WebSEAL session/credentials cache . . . 133
      Setting the maximum concurrent entries value . . . 133
      Setting the cache entry lifetime timeout value . . . 134
      Setting the cache entry inactivity timeout value . . . 134
      Credentials cache limitation . . . 134
    Maintaining state with session cookies . . . 135
      Session cookie conditions . . . 135
      Session cookies with basic authentication headers . . . 135
      Enabling and disabling session ID cookies . . . 136
      Enabling and disabling same sessions . . . 137
      Same session limitation with Netscape 4.7x . . . 138
    Determining valid session ID data types . . . 138
  Authentication configuration overview . . . 140
    Authentication module parameters . . . 140
    Authentication conversion library . . . 141
    Default configuration for WebSEAL authentication . . . 141
    Configuring multiple authentication methods . . . 142
    Prompting for login . . . 142
    Configuring account expiry notification . . . 142
    Logout and change password commands . . . 143
      pkmslogout . . . 143
      pkmspasswd . . . 143
    Post password change processing . . . 144
  Basic authentication . . . 145
    Enabling and disabling basic authentication . . . 145
    Setting the realm name . . . 145
    Configuring the basic authentication mechanism . . . 145
    Configuration conditions . . . 146
    Multi-byte UTF-8 logins not supported . . . 146
  Forms authentication . . . 147
    Enabling and disabling forms authentication . . . 147
    Configuring the forms authentication mechanism . . . 147
    Configuration conditions . . . 148
    Customizing HTML response forms . . . 148
  Client-side certificate authentication . . . 149
    Overview of client-side certificate authentication . . . 149
      Required certificate authentication mode . . . 149
      Optional certificate authentication mode . . . 149
      Delayed certificate authentication mode . . . 149
    Certificate authentication configuration . . . 151
      Enable certificate authentication . . . 151
      Specify the certificate authentication mechanism . . . 152
      Specify the certificate login form . . . 152
      Specify the certificate login error page . . . 153
      Disable SSL session IDs for session tracking . . . 153
      Enable and configure the Certificate SSL ID cache . . . 153
      Set the timeout for Certificate SSL ID cache . . . 154
      Specify an error page for incorrect protocol . . . 154
      Disable certificate authentication . . . 155
      Disable the Certificate SSL ID cache . . . 155
  HTTP header authentication . . . 156
    Enable HTTP header authentication . . . 156
    Specify header types . . . 157
    Specify the HTTP header authentication mechanism . . . 157
    Disable HTTP header authentication . . . 158
  IP address authentication . . . 159
    Enabling and disabling IP address authentication . . . 159
    Configuring the IP address authentication mechanism . . . 159
  Token authentication . . . 160


    Token authentication concepts . . . 160
      Token authentication library . . . 160
      SecurID Token authentication . . . 160
      Authentication workflow for tokens in new PIN mode . . . 161
      Using token authentication with a password strength server . . . 162
      RSA SecurID client does not support Linux for zSeries . . . 162
    Token authentication configuration . . . 162
      Enable token authentication . . . 163
      Specify the token authentication mechanism . . . 163
      Enable access to the SecurID client library . . . 164
      Specify a customized password strength library . . . 164
      Enable backwards compatibility for customized token authentication library . . . 165
      Disable token authentication . . . 165
  Failover authentication . . . 166
    Failover authentication concepts . . . 166
      Failover authentication scenario . . . 166
      Failover authentication library . . . 167
      Addition of data to a failover cookie . . . 168
      Extraction of data from a failover cookie . . . 170
      Domain-wide failover authentication . . . 171
      Backwards compatibility . . . 172
      Upgrading failover authentication . . . 172
    Failover authentication configuration . . . 173
      Specify the protocol for failover cookie . . . 174
      Specify the failover authentication library . . . 174
      Create an encryption key for cookie data . . . 175
      Specify the cookie lifetime . . . 175
      Specify UTF-8 encoding on cookie strings . . . 175
      Add the authentication level . . . 176
      Add the session lifetime timestamp . . . 176
      Add the session activity timestamp . . . 176
      Add an interval for updating the activity timestamp . . . 177
      Add extended attributes . . . 177
      Specify the authentication level attribute after failover authentication . . . 178
      Specify attributes for extraction . . . 178
      Enable domain-wide failover cookies . . . 179
      Require validation of a lifetime timestamp . . . 179
      Require validation of an activity timestamp . . . 180
      Enable backwards compatibility for encryption prior to Version 4.1 . . . 180
      Enable backwards compatibility for Version 4.1 cookies . . . 181
  SPNEGO protocol and Kerberos authentication . . . 182
  Multiplexing proxy agents . . . 183
    Valid session data types and authentication methods . . . 183
    Authentication process flow for MPA and multiple clients . . . 184
    Enabling and disabling MPA authentication . . . 185
      Create a user account for the MPA . . . 185
      Add the MPA account to the webseal-mpa-servers group . . . 185
    MPA authentication limitations . . . 185

Chapter 7. Advanced WebSEAL authentication . . . 187
  Switch user authentication . . . 188
    Overview of the switch user function . . . 188
    Configuration procedure . . . 190
      Part 1: Configuring user access . . . 190
      Part 2: Configuring switch user authentication mechanisms . . . 191
      Part 3: Configuring the switch user HTML form . . . 193
      Part 4: Designing additional input forms . . . 195
      Part 5: Stopping and restarting WebSEAL . . . 195
    Using switch user . . . 195
    Additional switch user features . . . 196
      Session cache timeout . . . 196

viii

IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide

Step-up authentication . . . . . . . . . . . . . . Reauthentication . . . . . . . . . . . . . . . . User session management . . . . . . . . . . . . . Tag-value . . . . . . . . . . . . . . . . . . . Auditing . . . . . . . . . . . . . . . . . . . Developing a custom authentication module for switch user. . . Server-side request caching . . . . . . . . . . . . . . . Overview of server-side request caching . . . . . . . . . Configuring server-side caching parameters . . . . . . . . Modifying max-client-read . . . . . . . . . . . . . Modifying request-body-max-read . . . . . . . . . . Modifying request-max-cache . . . . . . . . . . . . Configuring reauthentication based on security policy . . . . . . Conditions affecting POP reauthentication . . . . . . . . . Creating and applying the reauthentication POP . . . . . . Configuring session cache entry lifetime reset and extension . . Resetting the session cache entry lifetime value . . . . . . Extending the session cache entry lifetime value . . . . . . Customizing login forms for reauthentication. . . . . . . . Configuring reauthentication based on session inactivity policy . . Conditions affecting inactivity reauthentication . . . . . . . Enabling inactivity reauthentication . . . . . . . . . . . Resetting and extending the session cache entry lifetime value . . Resetting the session cache entry lifetime value . . . . . . Extending the session cache entry lifetime value . . . . . . Preventing session removal when the session lifetime expires . Customizing login forms for reauthentication . . . . . . . . Automatic redirection during user login . . . . . . . . . . Overview of automatic redirection . . . . . . . . . . . Enabling automatic redirection . . . . . . . . . . . . Disabling automatic redirection . . . . . . . . . . . . Limitations . . . . . . . . . . . . . . . . . . . Configuring post password change processing . . . . . . . . Post password change processing conditions . . . . . . . . 
Extended attributes for credentials . . . . . . . . . . . . Mechanisms for adding registry attributes to a credential . . . . Registry attribute entitlement service configuration . . . . . . Step 1 Determine the attributes to be added to the credential Step 2 Define your use of the entitlement service . . . . Step 3 Specify the attributes to be added to the credential . Junction handling of extended credential attributes . . . . . . Credential refresh . . . . . . . . . . . . . . . . . . Credential refresh concepts . . . . . . . . . . . . . . Credential refresh overview . . . . . . . . . . . . Credential refresh rules . . . . . . . . . . . . . . Refresh of cached credential information . . . . . . . . Configuration file syntax and usage . . . . . . . . . . Default settings for preserve and refresh . . . . . . . . Limitations . . . . . . . . . . . . . . . . . . Credential refresh configuration . . . . . . . . . . . . Step 1: Specify attributes to preserve or refresh . . . . . . Step 2: Enable user session IDs . . . . . . . . . . . Step 3: Enable placement of server name into junction header . Credential refresh usage . . . . . . . . . . . . . . . Refresh credentials for a specified user . . . . . . . . . Troubleshooting . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

196 197 197 197 197 197 200 200 201 202 202 203 204 204 205 205 205 206 206 208 208 209 209 209 210 210 211 212 212 212 213 213 214 214 215 215 216 216 216 217 218 220 220 220 221 221 222 223 223 224 224 224 224 225 225 225

Chapter 8. WebSEAL Key Management  227
  WebSEAL Key Management Overview  227
  Managing client-side and server-side certificates  228
    GSKit key database file types  228
    Configuring WebSEAL key database parameters  229
    Using the iKeyman certificate management utility  230
  Configuring CRL checking  231
  Configuring the CRL cache  231
    Setting the maximum number of cache entries  232
    Setting the GSKit cache lifetime timeout value  232

Chapter 9. Client single sign-on solutions  233
  Windows desktop single sign-on  234
    Windows desktop single sign-on concepts  234
      SPNEGO protocol and Kerberos authentication  234
      User registry and platform support  235
      Compatibility with other authentication methods  235
      Limitations  236
    Windows desktop single sign-on configuration  237
      Step 1: Configure WebSEAL server into Active Directory domain  237
      Step 2: Map Kerberos principal to Active Directory user  238
      Step 3: Install Kerberos runtime client (UNIX only)  240
      Step 4: Configure Kerberos client (UNIX only)  240
      Step 5: Verify authentication of Web server principal (UNIX only)  241
      Step 6: Verify WebSEAL authentication using the keytab file (UNIX only)  242
      Step 7: Enable SPNEGO for WebSEAL  242
      Step 8: Add service name and keytab file entries (UNIX only)  242
      Step 9: Restart WebSEAL  243
      Step 10: Configure the Internet Explorer client  243
      Troubleshooting tips  243
  Cross-domain single sign-on  245
    Customizing single sign-on authentication  245
      Authentication process flow for CDSSO with CDMF  245
    Configuring CDSSO authentication  247
      CDSSO conditions and requirements  247
        Resolving machine names  247
      CDSSO configuration summary  248
      Configuring default CDSSO token create functionality  248
      Configuring default CDSSO token consume functionality  248
      1. Enabling and disabling CDSSO authentication  249
      2. Configuring the single sign-on authentication mechanism  249
      3. Encrypting the authentication token data  250
      4. Configuring the token time stamp  251
      5. Configuring the token label name  251
      Creating the CDSSO HTML link  251
      Protecting the authentication token  252
    UTF-8 encoding of tokens for cross domain single sign-on  252
      Enabling compatibility with tokens prior to Version 4.1  252
        Enable backwards compatibility for Version 4.1 tokens  253
        Specify extended attributes to add to token  253
        Specify extended attributes to extract from token  254
  e-community single sign-on  256
    e-community features and requirements  257
    e-community process flow  258
    Understanding the e-community cookie  261
    Understanding the vouch for request and reply  262
      The vouch for Request  262
      The vouch for Reply  262
    Understanding the vouch for token  263
    Configuring e-community single sign-on  263
      e-community conditions and requirements  263
        Resolving machine names  264
      E-community configuration summary  264
      Configuring default token create functionality on the vouch for server  265
      Configuring default token consume functionality on the receiving server  265
      1. Enabling and disabling e-community authentication  266
      2. Specifying an e-community name  266
      3. Configuring the single sign-on authentication mechanism  266
      4. Encrypting the vouch for token  267
        E-community Domain Keys  267
      5. Configuring the vouch for token label name  268
      6. Specifying the master authentication server (MAS)  268
      7. Specifying the vouch for URL  269
      8. Configure token and ec-cookie lifetime values  270
      Enabling unauthenticated access  270
    UTF-8 encoding of tokens for e-community single sign-on  271
      Enabling compatibility with tokens prior to Version 4.1  271
        Enable backwards compatibility for Version 4.1 tokens  271
        Specify extended attributes to add to token  272
        Specify extended attributes to extract from token  273

Chapter 10. WebSEAL junctions  275
  WebSEAL junctions overview  276
    Junction database location and format  276
    Applying coarse-grained access control: summary  276
    Applying fine-grained access control: summary  276
    Guidelines for creating WebSEAL junctions  276
    Additional references for WebSEAL junctions  277
  Managing junctions with Web Portal Manager  278
    Create a junction using Web Portal Manager  278
    List junctions using Web Portal Manager  278
    Delete junctions using Web Portal Manager  278
  Using pdadmin to create junctions  279
  Configuring a basic WebSEAL junction  280
    Creating TCP type junctions  280
    Creating SSL type junctions  280
      Verifying the back-end server certificate  280
      Examples of SSL junctions  281
      Disabling SSL protocol versions for junctions  281
    Adding back-end servers to a junction  281
  Mutually authenticated SSL junctions  282
    WebSEAL validates back-end server certificate  282
    Distinguished name (DN) matching  282
    WebSEAL authenticates with client certificate  283
    WebSEAL authenticates with BA header  283
    Handling client identity information across junctions  284
      Using -b supply  284
      Using -b ignore  284
      Using -b gso  284
      Using -b filter  284
  Creating TCP and SSL proxy junctions  285
  WebSEAL-to-WebSEAL junctions over SSL  286
  Modifying URLs to back-end resources  287
    Understanding path types used in URLs  288
    Filtering URLs in responses  288
      Standard URL filtering rules for WebSEAL  288
      Modifying absolute URLs with script filtering  290
      Filtering changes the Content-Length header  290
      Limitation with unfiltered server-relative links  291
    Processing URLs in requests  292
      Handling server-relative URLs with junction cookies (-j)  292
      Handling server-relative URLs with junction mapping  293
      Processing root junction requests  294
    Handling cookies from servers across multiple -j junctions  295
      Part 1: -j junctions modify Set-Cookie Path attributes  295
      Part 2: -j junctions modify Set-Cookie Name attributes  296
      Preserving cookie names  296
  Additional junction options  297
    Forcing a new junction (-f)  297
    Supplying client identity in HTTP headers (-c)  298
      -c syntax  298
    Supplying client IP addresses in HTTP headers (-r)  299
    Limiting the size of WebSEAL-generated HTTP headers  299
    Passing session cookies to junctioned portal servers (-k)  300
    Supporting case-insensitive URLs (-i)  300
    Stateful junction support (-s, -u)  301
      Specifying back-end server UUIDs for stateful junctions (-u)  302
      Example:  303
    Junctioning to Windows file systems (-w)  304
      Example:  304
      ACLs and POPs must attach to lower-case object names  305
    Specifying UTF-8 encoding for HTTP header data  305
  Technical notes for using WebSEAL junctions  307
    Mounting multiple servers at the same junction  307
    Exceptions to enforcing permissions across junctions  307
    Certificate authentication across junctions  307
    Handling domain cookies  308
    WebSEAL returns HTTP/1.1  308
    Junctioned application with Web Portal Manager  308
  Using query_contents with third-party servers  309
    Installing query_contents components  309
      Installing query_contents on third-party UNIX servers  309
      Installing query_contents on third-party Win32 servers  310
      Testing the configuration  311
    Customizing query_contents  311
      Customizing the doc root directory  312
      Additional functionality  312
    Securing query_contents  312
    Troubleshooting  313

Chapter 11. Single sign-on solutions across junctions  315
  Configuring BA headers for single sign-on solutions  316
    Single sign-on (SSO) concepts  316
    Supplying client identity in BA headers  316
    Supplying client identity and generic password  316
      Limitations  317
    Forwarding original client BA header information  318
    Removing client BA header information  318
    Supplying user names and passwords from GSO  318
  Using global sign-on (GSO)  320
    Mapping the authentication information  321
    Configuring a GSO-enabled WebSEAL junction  322
      Examples of GSO-enabled WebSEAL junctions  322
    Configuring the GSO cache  322
  Configuring single sign-on to IBM WebSphere (LTPA)  324
    Configuring an LTPA junction  324
    Configuring the LTPA cache  325
    Technical notes for LTPA single sign-on  325
  Configuring single sign-on forms authentication  326
    Background and goals  326
    Forms single sign-on process flow  326
    Requirements for application support  328
    Creating the configuration file for forms single sign-on  328
      The [forms-sso-login-pages] stanza  329
      The custom login page stanza  329
      Using regular expressions  330
      The argument stanza  331
    Enabling forms single sign-on  332
    Example configuration file for IBM HelpNow  332

Chapter 12. Application integration  335
  Supporting CGI programming  336
    UTF-8 environment variables for CGI programs  336
    Windows: Supporting WIN32 environment variables  337
  Supporting back-end server-side applications  338
  Junction best practices for application integration  339
    Supplying complete HOST header information with -v  339
    Supporting standard absolute URL filtering  339
  Building a custom personalization service  341
    Configuring WebSEAL for a personalization service  341
    Personalization service example  341
  Maintaining session state between client and back-end applications  343
    Background to user session management  343
    Enabling user session id management  343
    Inserting credential data into the HTTP header  344
    Terminating user sessions  345
      Using Administration API to terminate single user sessions  345
      Using pdadmin to terminate all user sessions  345
  Providing access control to dynamic URLs  347
    Dynamic URL components  347
    Mapping ACL and POP objects to dynamic URLs  347
    Updating WebSEAL for dynamic URLs  349
    Resolving dynamic URLs in the object space  349
      ACL and POP Evaluation  350
    Configuring limitations on POST requests  350
    Summary and technical notes  351
  Dynamic URL example: The Travel Kingdom  353
    The application  353
    The interface  353
      Web space structure  353
    The security policy  354
      Dynamic URL to object space mappings  354
      Secure clients  354
      Account and group structure  354
      Access control  354
    Conclusion  355

Chapter 13. Authorization decision information retrieval  357
  Overview of ADI retrieval  358
  Retrieving ADI from the WebSEAL client request  359
    Example: Retrieving ADI from the request header  360
    Example: Retrieving ADI from the request query string  360
    Example: Retrieving ADI from the request POST body  361
  Retrieving ADI from the user credential  362
  Supplying a failure reason across a junction  363
  Dynamic ADI retrieval  364
  Deploying the attribute retrieval service  365

Chapter 14. Attribute retrieval service reference  367
  Basic configuration  368
    Configuration files  368
      amwebars.conf  368
      ContainerDescriptorTable.xml  368
      ProviderTable.xml  368
      ProtocolTable.xml  368
    Descriptions of amwebars.conf configuration parameters  368
      Table locations  368
      Logging  369
      Limitation of client and session number  370
      Miscellaneous options  370
      Protocol modules to load at initialization  370
  Editing the data tables  371
    ProviderTable  371
      Provider sub-elements  371
      Example ProviderTable  371
    ContainerDescriptorTable  372
      ContainerDescriptor sub-elements  372
      Attribute mapping  373
      Example ContainerDescriptorTable  373
    ProtocolTable  374
      Protocol sub-elements  374
      Example ProtocolTable  374
  Creating custom protocol plug-ins  375
    Overview  375
    Creating the protocol plug-in  375

Appendix A. WebSEAL configuration file reference  377
  Configuration file name and location  377
  Guidelines for configuring stanzas  378
    General guidelines  378
    Default values  379
    Strings  379
    Defined strings  379
    Lists  379
    File names  380
    Integers  380
    Boolean values  381
  Change configuration settings  381
  Stanza organization  382
  Server configuration  384
  User registry  393
    LDAP  393
    Active Directory  400
    IBM Lotus Domino  403
  Secure Socket Layer  406
  Authentication  413
    Authentication methods  414
    Authentication libraries  419
    Reauthentication  423
    Authentication failover  424
    Cross-domain single sign-on  428
    e-community single sign-on  431
    Quality of protection  435
  Session  437
  Content  440
    Content management  441
    Account management  443
    Automatic redirect  446
    Local CGI  447
    Icons  449
    Content caching  451
    Content compression  452
    Content MIME types  453
    Content encodings  454
  Junctions  455
    Junction management  456
    Document filtering  460
    Event handler filtering  461
    Scheme filtering  462
    MIME types and header filtering  463
    Script filtering  464
    Credential refresh  466
    Header names  466
    Global Sign-On cache  467
    Lightweight Third Party Authentication cache  469
  Logging  471
  Auditing  474
  Policy database  477
  Entitlement services  479
  Policy server  480
  Platform for Privacy Preferences (P3P)  481

Appendix B. WebSEAL junction reference . . . . . . . . . . . . . . . . . . . . 491Using pdadmin to create junctions . . . The junction commands . . . . . . . Create a new junction for an initial server . Add a server to an existing junction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491 492 493 495

Appendix C. Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497Trademarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501

Preface

Welcome to the IBM Tivoli Access Manager for e-business WebSEAL Administration Guide. IBM Tivoli Access Manager WebSEAL is the resource security manager for Web-based resources in a Tivoli Access Manager secure domain. WebSEAL is a high performance, multi-threaded Web server that applies fine-grained security policy to the protected Web object space. WebSEAL can provide single sign-on solutions and incorporate back-end Web application server resources into its security policy.

This administration guide provides a comprehensive set of procedures and reference information for managing the resources of your secure Web domain. This guide also provides you with valuable background and concept information for the wide range of WebSEAL functionality.

IBM Tivoli Access Manager (Tivoli Access Manager) is the base software that is required to run applications in the IBM Tivoli Access Manager product suite. It enables the integration of IBM Tivoli Access Manager applications that provide a wide range of authorization and management solutions. Sold as an integrated solution, these products provide an access control management solution that centralizes network and application security policy for e-business applications.

Note: IBM Tivoli Access Manager is the new name of the previously released software entitled Tivoli SecureWay Policy Director. Also, for users familiar with the Tivoli SecureWay Policy Director software and documentation, the management server is now referred to as the policy server.

Who should read this book

This guide is for system administrators responsible for configuring and maintaining a Tivoli Access Manager WebSEAL environment. Readers should be familiar with the following:
- PC and UNIX operating systems
- Database architecture and concepts
- Security management
- Internet protocols, including HTTP, TCP/IP, File Transfer Protocol (FTP), and Telnet
- Lightweight Directory Access Protocol (LDAP) and directory services
- A supported user registry
- Authentication and authorization

If you are enabling Secure Sockets Layer (SSL) communication, you also should be familiar with the SSL protocol, key exchange (public and private), digital signatures, cryptographic algorithms, and certificate authorities.

What this book contains

- Chapter 1: IBM Tivoli Access Manager WebSEAL overview
  This chapter introduces you to important WebSEAL concepts and functionality such as: organizing and protecting your object space, authentication, credentials acquisition, and WebSEAL junctions.
- Chapter 2: WebSEAL server configuration
  This chapter is a technical reference for WebSEAL configuration tasks including: using the WebSEAL configuration file, configuring communication parameters, managing worker thread allocation, and configuring cryptographic hardware.
- Chapter 3: WebSEAL server administration
  This chapter is a technical reference for WebSEAL administration tasks including: managing the Web space and using custom account management pages.
- Chapter 4: Serviceability and logging
  This chapter describes WebSEAL support for serviceability, logging, and auditing.
- Chapter 5: WebSEAL security policy
  This chapter provides detailed technical procedures for customizing security policy on WebSEAL including: ACL and POP policies, quality of protection, step-up authentication policy, network-based authentication policy, three-strikes login policy, and password strength policy.
- Chapter 6: WebSEAL authentication
  This chapter provides configuration instructions for setting up WebSEAL to manage a variety of authentication methods including: user name and password, client-side certificates, SecurID token passcode, special HTTP header data, and multiplexing proxy agents.
- Chapter 7: Advanced WebSEAL authentication
  This chapter provides detailed technical procedures for setting up WebSEAL for advanced authentication methods including: switch user configuration, server-side request caching, reauthentication, and automatic redirection.
- Chapter 8: WebSEAL key management
  This chapter provides detailed technical procedures for setting up WebSEAL key management including: server-side and client-side certificate management, and configuring VeriSign certificate status checking.
- Chapter 9: Cross domain single sign-on solutions
  This chapter discusses cross domain single sign-on solutions including: CDSSO (cross-domain single sign-on) and e-community.
- Chapter 10: WebSEAL junctions
  This chapter is a technical reference for setting up and using WebSEAL junctions.
- Chapter 11: Single sign-on solutions across junctions
  This chapter discusses single sign-on solutions for the internal side of a WebSEAL proxy configuration, between the WebSEAL server and the back-end junctioned application server.
- Chapter 12: Application integration
  This chapter discusses a variety of WebSEAL capabilities for integrating third-party application functionality.
- Chapter 13: Authorization decision information retrieval
  This chapter discusses various mechanisms for obtaining authorization decision information (ADI) from WebSEAL to support the evaluation of authorization rules on protected resources.
- Chapter 14: Attribute retrieval service reference
  This chapter discusses the administration and configuration of the attribute retrieval service.
- Appendix A: WebSEAL configuration file reference
- Appendix B: WebSEAL junction reference

Publications

Review the descriptions of the Tivoli Access Manager library, the prerequisite publications, and the related publications to determine which publications you might find helpful. After you determine the publications you need, refer to the instructions for accessing publications online.

Additional information on the IBM Tivoli Access Manager for e-business product itself can be found at:
http://www.ibm.com/software/tivoli/products/access-mgr-e-bus/

The Tivoli Access Manager library is organized into the following categories:
- Release information
- Base information
- Web security information on page xx
- Developer references on page xx
- Technical supplements on page xxi

Release information

- IBM Tivoli Access Manager for e-business Read This First (GI11-4155-00)
  Provides information for installing and getting started using Tivoli Access Manager.
- IBM Tivoli Access Manager for e-business Release Notes (GI11-4156-00)
  Provides late-breaking information, such as software limitations, workarounds, and documentation updates.

Base information

- IBM Tivoli Access Manager Base Installation Guide (SC32-1362-00)
  Explains how to install and configure the Tivoli Access Manager base software, including the Web Portal Manager interface. This book is a subset of IBM Tivoli Access Manager for e-business Web Security Installation Guide and is intended for use with other Tivoli Access Manager products, such as IBM Tivoli Access Manager for Business Integration and IBM Tivoli Access Manager for Operating Systems.
- IBM Tivoli Access Manager Upgrade Guide (SC32-1369-00)
  Explains how to upgrade from Tivoli SecureWay Policy Director Version 3.8 or previous versions of Tivoli Access Manager to Tivoli Access Manager Version 5.1.
- IBM Tivoli Access Manager Base Administration Guide (SC32-1360-00)
  Describes the concepts and procedures for using Tivoli Access Manager services. Provides instructions for performing tasks from the Web Portal Manager interface and by using the pdadmin command.


Web security information

- IBM Tivoli Access Manager for e-business Web Security Installation Guide (SC32-1361-00)
  Provides installation, configuration, and removal instructions for the Tivoli Access Manager base software, including the Web Portal Manager interface, as well as the Web Security components. This book is a superset of IBM Tivoli Access Manager Base Installation Guide.
- IBM Tivoli Access Manager for e-business WebSEAL Administration Guide (SC32-1359-00)
  Provides background material, administrative procedures, and technical reference information for using WebSEAL to manage the resources of your secure Web domain.
- IBM Tivoli Access Manager for e-business IBM WebSphere Application Server Integration Guide (SC32-1368-00)
  Provides installation, removal, and administration instructions for integrating Tivoli Access Manager with IBM WebSphere Application Server.
- IBM Tivoli Access Manager for e-business IBM Tivoli Identity Manager Provisioning Fast Start Guide (SC32-1364-00)
  Provides an overview of the tasks related to integrating Tivoli Access Manager and Tivoli Identity Manager and explains how to use and install the Provisioning Fast Start collection.
- IBM Tivoli Access Manager for e-business BEA WebLogic Server Integration Guide (SC32-1366-00)
  Provides installation, removal, and administration instructions for integrating Tivoli Access Manager with BEA WebLogic Server.
- IBM Tivoli Access Manager for e-business IBM WebSphere Edge Server Integration Guide (SC32-1367-00)
  Provides installation, removal, and administration instructions for integrating Tivoli Access Manager with the IBM WebSphere Edge Server application.
- IBM Tivoli Access Manager for e-business Plug-in for Web Servers Integration Guide (SC32-1365-00)
  Provides installation instructions, administration procedures, and technical reference information for securing your Web domain using the plug-in for Web servers.

Developer references

- IBM Tivoli Access Manager for e-business Authorization C API Developer Reference (SC32-1355-00)
  Provides reference material that describes how to use the Tivoli Access Manager authorization C API and the Tivoli Access Manager service plug-in interface to add Tivoli Access Manager security to applications.
- IBM Tivoli Access Manager for e-business Authorization Java Classes Developer Reference (SC32-1350-00)
  Provides reference information for using the Java language implementation of the authorization API to enable an application to use Tivoli Access Manager security.
- IBM Tivoli Access Manager for e-business Administration C API Developer Reference (SC32-1357-00)
  Provides reference information about using the administration API to enable an application to perform Tivoli Access Manager administration tasks. This document describes the C implementation of the administration API.
- IBM Tivoli Access Manager for e-business Administration Java Classes Developer Reference (SC32-1356-00)
  Provides reference information for using the Java language implementation of the administration API to enable an application to perform Tivoli Access Manager administration tasks.
- IBM Tivoli Access Manager for e-business Web Security Developer Reference (SC32-1358-00)
  Provides administration and programming information for the cross-domain authentication service (CDAS), the cross-domain mapping framework (CDMF), and the password strength module.

Technical supplements

- IBM Tivoli Access Manager for e-business Command Reference (SC32-1354-00)
  Provides information about the command line utilities and scripts provided with Tivoli Access Manager.
- IBM Tivoli Access Manager Error Message Reference (SC32-1353-00)
  Provides explanations and recommended actions for the messages produced by Tivoli Access Manager.
- IBM Tivoli Access Manager for e-business Problem Determination Guide (SC32-1352-00)
  Provides problem determination information for Tivoli Access Manager.
- IBM Tivoli Access Manager for e-business Performance Tuning Guide (SC32-1351-00)
  Provides performance tuning information for an environment consisting of Tivoli Access Manager with the IBM Tivoli Directory server as the user registry.

Related publications

This section lists publications related to the Tivoli Access Manager library.

The Tivoli Software Library provides a variety of Tivoli publications such as white papers, datasheets, demonstrations, redbooks, and announcement letters. The Tivoli Software Library is available on the Web at:
http://www.ibm.com/software/tivoli/library/

The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available, in English only, from the Glossary link on the left side of the Tivoli Software Library Web page:
http://www.ibm.com/software/tivoli/library/

IBM Global Security Kit

Tivoli Access Manager provides data encryption through the use of the IBM Global Security Kit (GSKit) Version 7.0. GSKit is included on the IBM Tivoli Access Manager Base CD for your particular platform, as well as on the IBM Tivoli Access Manager Web Security CDs, the IBM Tivoli Access Manager Web Administration Interfaces CDs, and the IBM Tivoli Access Manager Directory Server CDs.

The GSKit package provides the iKeyman key management utility, gsk7ikm, which is used to create key databases, public-private key pairs, and certificate requests. The following document is available on the Tivoli Information Center Web site in the same section as the IBM Tivoli Access Manager product documentation:
- Secure Sockets Layer Introduction and iKeyman User's Guide (SC32-1363-00)
  Provides information for network or system security administrators who plan to enable SSL communication in their Tivoli Access Manager environment.

IBM Tivoli Directory Server

IBM Tivoli Directory Server, Version 5.2, is included on the IBM Tivoli Access Manager Directory Server CD for the desired operating system.

Note: IBM Tivoli Directory Server is the new name for the previously released software known as:
- IBM Directory Server (Version 4.1 and Version 5.1)
- IBM SecureWay Directory Server (Version 3.2.2)

IBM Directory Server Version 4.1, IBM Directory Server Version 5.1, and IBM Tivoli Directory Server Version 5.2 are all supported by IBM Tivoli Access Manager Version 5.1.

If you plan to use IBM Tivoli Directory Server as your user registry, see the information provided at:
http://www.ibm.com/software/network/directory/library/

IBM DB2 Universal Database

IBM DB2 Universal Database Enterprise Server Edition, Version 8.1 is provided on the IBM Tivoli Access Manager Directory Server CD and is installed with the IBM Tivoli Directory Server software. DB2 is required when using IBM Tivoli Directory Server, z/OS, or OS/390 LDAP servers as the user registry for Tivoli Access Manager.

DB2 information is available at:
http://www.ibm.com/software/data/db2/

IBM WebSphere Application Server

IBM WebSphere Application Server, Advanced Single Server Edition 5.0, is included on the IBM Tivoli Access Manager Web Administration Interfaces CD for the desired operating system. WebSphere Application Server enables the support of both the Web Portal Manager interface, which is used to administer Tivoli Access Manager, and the Web Administration Tool, which is used to administer IBM Tivoli Directory Server. IBM WebSphere Application Server Fix Pack 2 is also required by Tivoli Access Manager and is provided on the IBM Tivoli Access Manager WebSphere Fix Pack CD.

For information about IBM WebSphere Application Server, see:
http://www.ibm.com/software/webservers/appserv/infocenter.html

IBM Tivoli Access Manager for Business Integration

IBM Tivoli Access Manager for Business Integration, available as a separately orderable product, provides a security solution for IBM MQSeries, Version 5.2, and IBM WebSphere MQ, Version 5.3, messages. IBM Tivoli Access Manager for Business Integration allows WebSphere MQSeries applications to send data with privacy and integrity by using keys associated with sending and receiving applications. Like WebSEAL and IBM Tivoli Access Manager for Operating Systems, IBM Tivoli Access Manager for Business Integration is one of the resource managers that use the services of IBM Tivoli Access Manager.

Additional information on IBM Tivoli Access Manager for Business Integration can be found at:
http://www.ibm.com/software/tivoli/products/access-mgr-bus-integration/

The following documents associated with IBM Tivoli Access Manager for Business Integration Version 5.1 are available on the Tivoli Information Center Web site:
- IBM Tivoli Access Manager for Business Integration Administration Guide (SC23-4831-01)
- IBM Tivoli Access Manager for Business Integration Problem Determination Guide (GC23-1328-00)
- IBM Tivoli Access Manager for Business Integration Release Notes (GI11-0957-01)
- IBM Tivoli Access Manager for Business Integration Read This First (GI11-4202-00)

IBM Tivoli Access Manager for WebSphere Business Integration Brokers

IBM Tivoli Access Manager for WebSphere Business Integration Brokers, available as a separately orderable product, provides a security solution for WebSphere Business Integration Message Broker, Version 5.0 and WebSphere Business Integration Event Broker, Version 5.0. IBM Tivoli Access Manager for WebSphere Business Integration Brokers operates in conjunction with Tivoli Access Manager to secure JMS publish/subscribe applications by providing password and credentials-based authentication, centrally-defined authorization, and auditing services.

Additional information on IBM Tivoli Access Manager for WebSphere Integration Brokers can be found at:
http://www.ibm.com/software/tivoli/products/access-mgr-bus-integration/

The following documents associated with IBM Tivoli Access Manager for WebSphere Integration Brokers, Version 5.1 are available on the Tivoli Information Center Web site:
- IBM Tivoli Access Manager for WebSphere Business Integration Brokers Administration Guide (SC32-1347-00)
- IBM Tivoli Access Manager for WebSphere Business Integration Brokers Release Notes (GI11-4154-00)
- IBM Tivoli Access Manager for WebSphere Business Integration Brokers Read This First (GI11-4153-00)

IBM Tivoli Access Manager for Operating Systems

IBM Tivoli Access Manager for Operating Systems, available as a separately orderable product, provides a layer of authorization policy enforcement on UNIX systems in addition to that provided by the native operating system. IBM Tivoli Access Manager for Operating Systems, like WebSEAL and IBM Tivoli Access Manager for Business Integration, is one of the resource managers that use the services of IBM Tivoli Access Manager.

Additional information on IBM Tivoli Access Manager for Operating Systems can be found at:
http://www.ibm.com/software/tivoli/products/access-mgr-operating-sys/

The following documents associated with IBM Tivoli Access Manager for Operating Systems Version 5.1 are available on the Tivoli Information Center Web site:
- IBM Tivoli Access Manager for Operating Systems Installation Guide (SC23-4829-00)
- IBM Tivoli Access Manager for Operating Systems Administration Guide (SC23-4827-00)
- IBM Tivoli Access Manager for Operating Systems Problem Determination Guide (SC23-4828-00)
- IBM Tivoli Access Manager for Operating Systems Release Notes (GI11-0951-00)
- IBM Tivoli Access Manager for Operating Systems Read Me First (GI11-0949-00)

IBM Tivoli Identity Manager

IBM Tivoli Identity Manager Version 4.5, available as a separately orderable product, when used with the Fast Start Provisioning support provided with IBM Tivoli Access Manager ....

Additional information on IBM Tivoli Identity Manager can be found at:
http://www.ibm.com/software/tivoli/products/identity-mgr/

The following documents associated with IBM Tivoli Identity Manager Version 4.5 are available on the Tivoli Information Center Web site:
- IBM Tivoli Identity Manager Release Notes (GI11-4212-00)
- IBM Tivoli Identity Manager Server Installation Guide on UNIX using WebSphere (SC32-1147-02)
- IBM Tivoli Identity Manager Server Installation Guide on Windows 2000 using WebSphere (SC32-1148-01)
- IBM Tivoli Identity Manager Server Installation Guide on UNIX using WebLogic (SC32-1334-00)
- IBM Tivoli Identity Manager Server Installation Guide on Windows 2000 using WebLogic (SC32-1335-00)
- IBM Tivoli Identity Manager Policy and Organization Administration Guide (SC32-1149-01)
- IBM Tivoli Identity Manager End User Guide (SC32-1152-01)
- IBM Tivoli Identity Manager Server Configuration Guide (SC32-1150-02)
- IBM Tivoli Identity Manager Server Troubleshooting Guide (SC32-1151-01)
- IBM Tivoli Identity Manager Access Manager Agent for Windows Installation Guide (SC32-1165-03)
- IBM Tivoli Identity Manager Lotus Notes Agent Installation Guide (SC32-1157-03)
- IBM Tivoli Identity Manager Sybase Agent for Windows Installation Guide (SC32-1161-03)
- IBM Tivoli Identity Manager Oracle Agent for Windows Install (SC32-1155-03)
- IBM Tivoli Identity Manager
- IBM Tivoli Identity Manager
- IBM Tivoli Identity Manager
- IBM Tivoli Identity Manager
- IBM Tivoli Identity Manager
- IBM Tivoli Identity Manager (SC32-1159-03)