IBM Tivoli Access Manager for e-business: WebSEAL Administration ...
Workaround: As administrator, you can force an immediate halt to user activity in a domain by adding an entry to the default WebSEAL ACL policy for the deleted user with the traverse (T) permission removed. You can also terminate the session manually, either from a command line or by using a Tivoli Access Manager administration API function. See "Terminating user sessions" on page 345.
Maintaining state with session cookies

One method of maintaining session state between a client and a server is to use a cookie to hold this session information. The server packages the state information for a particular client in a cookie and sends it to the client's browser. For each new request, the browser re-identifies itself by sending the cookie (with the session information) back to the server.

Session cookies offer a possible solution for situations when the client uses a browser that renegotiates its SSL session after very short periods of time. For example, some versions of the Microsoft Internet Explorer browser renegotiate SSL sessions every two or three minutes.

A session cookie provides reauthentication of a client only to the single, unique server that the client had previously authenticated to within a short time period (around ten minutes). The mechanism is based on a "server cookie" that cannot be passed to any machine other than the one that generated the cookie.

In addition, the session cookie contains only a random number identifier that is used to index the server's session cache. There is no other information exposed in the session cookie. The session cookie cannot compromise security policy.

Session cookie conditions

WebSEAL uses a secure server-specific session cookie. The following conditions apply to this cookie mechanism:
• Cookie contains session information only; it does not contain identity information
• Cookie resides only in the browser memory (it is not written to the browser cookie jar on the disk)
• Cookie has a limited lifetime
• Cookie has path and domain parameters that prohibit its use by other servers
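The conditions listed above can be partly verified from the Set-Cookie header a server emits. The following checker is an added example, not code from the WebSEAL documentation or product; the cookie name SESSION-ID and both sample headers are constructed. It tests only what is visible on the wire (no Expires/Max-Age, the Secure attribute, and Path and Domain scope); "session information only" and "limited lifetime" are server-side properties that the header cannot prove.

```python
"""Check a Set-Cookie header against the session-cookie conditions above.

Added example, not part of the WebSEAL documentation or product. The cookie
name SESSION-ID and the sample headers are constructed.
"""


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        # Flag attributes such as Secure or HttpOnly carry no value.
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def check_session_cookie(header: str, server_host: str) -> list:
    """Return the conditions the header violates (an empty list means it passes)."""
    attrs = parse_set_cookie(header)["attrs"]
    findings = []
    # Memory-only: a cookie with Expires or Max-Age is written to the cookie jar.
    if "expires" in attrs or "max-age" in attrs:
        findings.append("persistent: Expires/Max-Age present, browser writes it to disk")
    # Secure: without it the browser also sends the cookie over plain HTTP.
    if "secure" not in attrs:
        findings.append("missing Secure attribute")
    # Path: scope the cookie to the protected space on this server.
    if not isinstance(attrs.get("path"), str) or not attrs["path"]:
        findings.append("missing Path attribute")
    # Domain: if present it must name this server only. A Domain naming a parent
    # zone (example.com) would make every host under that zone receive the cookie.
    domain = attrs.get("domain")
    if isinstance(domain, str):
        if domain.lstrip(".").lower() != server_host.lower():
            findings.append(f"Domain={domain} is wider than this server")
    elif domain is True:
        findings.append("empty Domain attribute")
    return findings


# Constructed sample headers: one that follows the conditions and one that does not.
GOOD = "SESSION-ID=9Q0vZ3rXkT1mN7bP; Path=/; Domain=www.example.com; Secure"
WEAK = ("SESSION-ID=9Q0vZ3rXkT1mN7bP; Expires=Wed, 01 Jan 2031 00:00:00 GMT; "
        "Domain=example.com")

if __name__ == "__main__":
    for label, hdr in (("good", GOOD), ("weak", WEAK)):
        print(label, check_session_cookie(hdr, "www.example.com") or "ok")
```

Omitting the Domain attribute entirely is treated as acceptable, because a cookie without Domain is a host-only cookie, which is the narrowest scope a browser applies.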
Session cookies with basic authentication headers

When a client requests access to a protected resource, and WebSEAL is configured to use BA, WebSEAL sends a session cookie to the client. Clients such as browsers can be configured to either accept or reject cookies. After the client accepts or rejects the cookie, WebSEAL authenticates the user by prompting for username and password.

When a client accepts the session cookie and then successfully logs in, WebSEAL matches, for each additional request by the client, the session ID from the cookie with an existing entry in WebSEAL's session cache. Thus WebSEAL does not need to reauthenticate the client. This use of the same session ID optimizes server performance.
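The cache lookup described in this section and in "Maintaining state with session cookies" above, as an added example that is not WebSEAL code: the cookie carries only a random identifier that indexes a server-side session cache, a cache hit serves the request without reauthentication, a miss falls back to a Basic Authentication challenge, entries expire after a fixed lifetime, and an administrator can terminate an entry so the next request is challenged again. SessionCache, handle_request, the cookie name SESSION-ID and the users table are assumptions constructed for the example; a real deployment authenticates against a user registry.

```python
"""Session-cache lookup for the basic-authentication flow described above.

Added example, not WebSEAL code. Names, the cookie name and the users table
are constructed assumptions.
"""
import base64
import secrets
from dataclasses import dataclass, field

COOKIE_NAME = "SESSION-ID"          # constructed name
SESSION_LIFETIME = 600              # seconds; "around ten minutes" as stated above
USERS = {"alice": "correct-horse"}  # constructed user store


@dataclass
class Session:
    user: str
    expires_at: float


@dataclass
class SessionCache:
    entries: dict = field(default_factory=dict)

    def create(self, user: str, now: float) -> str:
        """Issue a random identifier; the identity stays in the cache, not the cookie."""
        sid = secrets.token_urlsafe(32)
        self.entries[sid] = Session(user, now + SESSION_LIFETIME)
        return sid

    def lookup(self, sid: str, now: float):
        """Return the user of a live session, or None if unknown or expired."""
        session = self.entries.get(sid)
        if session is None:
            return None
        if now >= session.expires_at:
            del self.entries[sid]   # limited lifetime: drop the stale entry
            return None
        return session.user

    def terminate(self, sid: str) -> None:
        """Administrative termination of one session (manual termination above)."""
        self.entries.pop(sid, None)


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header value a client sends for BA."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_cookie_header(header: str) -> dict:
    cookies = {}
    for part in (header or "").split(";"):
        key, sep, val = part.strip().partition("=")
        if sep:
            cookies[key] = val
    return cookies


def handle_request(cache: SessionCache, headers: dict, now: float):
    """Return (status, response_headers, user): 200 served, 401 BA challenge."""
    sid = parse_cookie_header(headers.get("Cookie", "")).get(COOKIE_NAME)
    user = cache.lookup(sid, now) if sid else None
    if user is not None:
        return 200, {}, user            # cache hit: no reauthentication needed
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            decoded = base64.b64decode(auth[6:]).decode()
        except ValueError:              # covers binascii.Error and bad UTF-8
            decoded = ""
        name, _, password = decoded.partition(":")
        expected = USERS.get(name)
        if expected is not None and secrets.compare_digest(expected.encode(), password.encode()):
            new_sid = cache.create(name, now)
            # No Expires attribute: the cookie lives only in browser memory.
            return 200, {"Set-Cookie": f"{COOKIE_NAME}={new_sid}; Path=/; Secure"}, name
    return 401, {"WWW-Authenticate": 'Basic realm="protected"'}, None


def cookie_from(response_headers: dict) -> dict:
    """Turn a Set-Cookie response into the Cookie header a browser sends back."""
    return {"Cookie": response_headers["Set-Cookie"].split(";", 1)[0]}


def demo(now: float = 1_000_000.0) -> list:
    """Client that accepts cookies; returns the status of each step in order."""
    cache, login = SessionCache(), {"Authorization": basic_header("alice", "correct-horse")}
    statuses = [handle_request(cache, {}, now)[0]]               # 1: no cookie, no BA
    st, hdrs, _ = handle_request(cache, login, now)              # 2: login, cookie issued
    statuses.append(st)
    cookie = cookie_from(hdrs)
    statuses.append(handle_request(cache, cookie, now + 60)[0])  # 3: cache hit
    cache.terminate(cookie["Cookie"].split("=", 1)[1])
    statuses.append(handle_request(cache, cookie, now + 61)[0])  # 4: terminated
    st, hdrs, _ = handle_request(cache, login, now + 62)         # 5: login again
    statuses.append(st)
    statuses.append(handle_request(cache, cookie_from(hdrs), now + 62 + SESSION_LIFETIME)[0])
    return statuses                                              # 6: lifetime expired


def rejecting_client(requests: int) -> int:
    """Client that rejects cookies: every request must establish a new session."""
    cache = SessionCache()
    for i in range(requests):
        handle_request(cache, {"Authorization": basic_header("alice", "correct-horse")}, 1e6 + i)
    return len(cache.entries)


if __name__ == "__main__":
    print(demo(), rejecting_client(3))
```

rejecting_client shows the cost the page attributes to a client that rejects the cookie: with no session ID to match, each request creates a fresh cache entry, so the cache grows by one per request instead of reusing a single session.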
When the client rejects the session cookie and then successfully logs in, WebSEAL must, for each additional request by the client, establish a new session by

Chapter 6. Authentication 135