IBM Tivoli Access Manager for e-business: WebSEAL Administration ...
IBM Tivoli Access Manager for e-business: WebSEAL Administration ...
IBM Tivoli Access Manager for e-business: WebSEAL Administration ...
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
If<br />
the<br />
security<br />
policy<br />
does<br />
require<br />
certificate<br />
authentication,<br />
<strong>WebSEAL</strong><br />
requests<br />
the<br />
client<br />
certificate.<br />
In<br />
this<br />
mode,<br />
the<br />
SSL<br />
ID<br />
cannot<br />
be<br />
used<br />
to<br />
track<br />
user<br />
session<br />
activity,<br />
because<br />
the<br />
SSL<br />
session<br />
will<br />
be<br />
renegotiated<br />
when<br />
there<br />
is<br />
a<br />
need<br />
to<br />
authenticate<br />
with<br />
certificates.<br />
When<br />
certificate<br />
authentication<br />
takes<br />
place,<br />
<strong>WebSEAL</strong><br />
adds<br />
the<br />
SSL<br />
ID<br />
<strong>for</strong><br />
the<br />
current<br />
session<br />
into<br />
the<br />
Certificate<br />
SSL<br />
ID<br />
(renegotiation)<br />
cache.<br />
Delayed<br />
certificate<br />
authentication<br />
is<br />
used<br />
in<br />
two<br />
scenarios,<br />
based<br />
on<br />
the<br />
user’s<br />
authentication<br />
status<br />
at<br />
the<br />
time<br />
that<br />
<strong>WebSEAL</strong><br />
requests<br />
the<br />
client<br />
certificate.<br />
In<br />
both<br />
scenarios,<br />
a<br />
client<br />
can<br />
have<br />
an<br />
unlimited<br />
number<br />
of<br />
exchanges<br />
with<br />
the<br />
<strong>WebSEAL</strong><br />
server<br />
prior<br />
to<br />
establishing<br />
a<br />
need<br />
to<br />
authenticate<br />
using<br />
certificates.<br />
The<br />
two<br />
scenarios<br />
are:<br />
v<br />
User<br />
is<br />
unauthenticated<br />
In<br />
this<br />
scenario,<br />
the<br />
client<br />
remains<br />
unauthenticated<br />
because<br />
the<br />
client<br />
does<br />
not<br />
attempt<br />
to<br />
access<br />
any<br />
resources<br />
that<br />
require<br />
any<br />
authentication.<br />
When<br />
the<br />
client<br />
eventually<br />
attempts<br />
to<br />
access<br />
a<br />
resource<br />
that<br />
requires<br />
authentication<br />
because<br />
of<br />
an<br />
ACL,<br />
<strong>WebSEAL</strong><br />
presents<br />
a<br />
certificate<br />
login<br />
page,<br />
and<br />
the<br />
client<br />
can<br />
initiate<br />
certificate<br />
transfer.<br />
<strong>WebSEAL</strong><br />
retains<br />
the<br />
entry<br />
in<br />
the<br />
session<br />
cache<br />
<strong>for</strong><br />
the<br />
unauthenticated<br />
user,<br />
but<br />
obtains<br />
a<br />
new<br />
SSL<br />
ID<br />
from<br />
GSKit.<br />
When<br />
the<br />
user<br />
successfully<br />
authenticates,<br />
<strong>WebSEAL</strong><br />
replaces<br />
the<br />
old<br />
unauthenticated<br />
user<br />
credentials<br />
from<br />
the<br />
session<br />
cache<br />
data<br />
with<br />
the<br />
new<br />
user<br />
credentials.<br />
The<br />
user<br />
is<br />
now<br />
authenticated,<br />
and<br />
able<br />
to<br />
request<br />
access<br />
over<br />
HTTPS<br />
to<br />
resources<br />
that<br />
require<br />
authentication.<br />
v<br />
User<br />
has<br />
previously<br />
authenticated<br />
using<br />
another<br />
authentication<br />
method<br />
In<br />
this<br />
scenario,<br />
the<br />
client<br />
was<br />
required<br />
to<br />
authenticate<br />
to<br />
<strong>Tivoli</strong><br />
<strong>Access</strong><br />
<strong>Manager</strong><br />
during<br />
the<br />
previous<br />
exchanges<br />
with<br />
<strong>WebSEAL</strong>.<br />
The<br />
previous<br />
authentication<br />
took<br />
place<br />
through<br />
a<br />
different<br />
authentication<br />
method,<br />
such<br />
as<br />
<strong>for</strong>ms<br />
authentication<br />
or<br />
token<br />
authentication.<br />
The<br />
client<br />
eventually<br />
attempts<br />
to<br />
access<br />
a<br />
resource<br />
that<br />
is<br />
protected<br />
by<br />
a<br />
protected<br />
object<br />
policy<br />
(POP)<br />
that<br />
requires<br />
client-side<br />
certificate<br />
authentication<br />
in<br />
order<br />
to<br />
access<br />
the<br />
resource.<br />
<strong>WebSEAL</strong><br />
examines<br />
the<br />
current<br />
<strong>WebSEAL</strong><br />
authentication<br />
strength<br />
policy<br />
to<br />
determine<br />
the<br />
ranking<br />
of<br />
the<br />
enabled<br />
authentication<br />
methods.<br />
The<br />
authentication<br />
strength<br />
policy<br />
ranks<br />
the<br />
methods<br />
in<br />
a<br />
hierarchy<br />
from<br />
weakest<br />
to<br />
strongest.<br />
When<br />
certificate<br />
authentication<br />
is<br />
ranked<br />
stronger<br />
than<br />
the<br />
client’s<br />
current<br />
authentication<br />
method,<br />
<strong>WebSEAL</strong><br />
serves<br />
to<br />
the<br />
client<br />
to<br />
a<br />
login<br />
page<br />
with<br />
a<br />
<strong>for</strong>m<br />
<strong>for</strong><br />
certificate<br />
authentication.<br />
When<br />
the<br />
client<br />
successfully<br />
authenticates<br />
using<br />
a<br />
certificate,<br />
the<br />
client’s<br />
authentication<br />
strength<br />
level<br />
is<br />
increased<br />
<strong>for</strong><br />
the<br />
duration<br />
of<br />
the<br />
current<br />
session.<br />
<strong>WebSEAL</strong><br />
retains<br />
the<br />
user’s<br />
entry<br />
in<br />
the<br />
session<br />
cache,<br />
but<br />
obtains<br />
a<br />
new<br />
SSL<br />
ID<br />
from<br />
GSKit.<br />
<strong>WebSEAL</strong><br />
modifies<br />
the<br />
user<br />
data<br />
in<br />
the<br />
user<br />
entry,<br />
by<br />
replacing<br />
the<br />
old<br />
user<br />
credentials<br />
(which<br />
were<br />
based<br />
the<br />
user’s<br />
previous<br />
authentication<br />
method)<br />
with<br />
the<br />
new<br />
user<br />
credentials.<br />
<strong>WebSEAL</strong>’s<br />
authentication<br />
strength<br />
feature<br />
enables<br />
a<br />
user<br />
to<br />
move<br />
between<br />
different<br />
authentication<br />
levels<br />
during<br />
a<br />
session.<br />
Certificate<br />
authentication<br />
is<br />
one<br />
of<br />
the<br />
authentication<br />
levels<br />
that<br />
can<br />
be<br />
entered<br />
when<br />
a<br />
user<br />
needs<br />
to<br />
increase<br />
(step-up)<br />
authentication<br />
level<br />
in<br />
order<br />
to<br />
access<br />
protected<br />
object<br />
resources.<br />
To<br />
enable<br />
a<br />
user<br />
to<br />
move<br />
up<br />
to<br />
a<br />
certificate<br />
authentication<br />
level,<br />
administrators<br />
must<br />
modify<br />
the<br />
<strong>WebSEAL</strong><br />
configuration<br />
file<br />
to<br />
include<br />
certificate<br />
authentication<br />
in<br />
the<br />
list<br />
of<br />
supported<br />
levels<br />
<strong>for</strong><br />
authentication<br />
strength.<br />
For<br />
authentication<br />
strength<br />
configuration<br />
instructions,“Authentication<br />
strength<br />
policy”<br />
on<br />
page<br />
117.<br />
150<br />
<strong>IBM</strong><br />
<strong>Tivoli</strong><br />
<strong>Access</strong><br />
<strong>Manager</strong><br />
<strong>for</strong><br />
e-<strong>business</strong>:<br />
<strong>WebSEAL</strong><br />
<strong>Administration</strong><br />
Guide