IBM Tivoli Access Manager for e-business: WebSEAL Administration ...
v Authentication level
  An integer value that corresponds to the WebSEAL authentication strength level (also an integer value) that is assigned on the local WebSEAL server to the authentication method. Authentication strength, also known as step-up authentication, enables a user to authenticate to a different authentication method without having to log out.

WebSEAL defines additional user data that can be added to the cookie attribute list:

v Session lifetime timestamp
  When a user authenticates, WebSEAL tracks the age or lifetime of the user entry in the session cache. The session lifetime timestamp consists of the current time, advanced by the number of seconds configured for the maximum time that a user’s session data can remain in the session cache. When the current system time exceeds the timestamp value, WebSEAL invalidates the user’s entry in the session cache (including the user credentials).
  WebSEAL can be configured to add the session lifetime timestamp to the cookie. When this timestamp is added to the cookie, the session lifetime timer can be preserved across failover events. Thus, WebSEAL administrators can choose whether or not to reset the client’s session timer when the client session is established on a replicated server.
  Note that successful use of this feature is dependent on synchronization of clocks between replicated WebSEAL servers. If clock skew becomes great, sessions will expire at unintended times.

v Session inactivity timestamp
  WebSEAL also tracks the amount of time that a user’s entry in WebSEAL’s session cache has been inactive. When a user session is inactive for a period of time longer than the value set for session inactivity, WebSEAL invalidates the user’s session.
  The session inactivity timestamp can also be added to the failover authentication cookie. This timestamp differs slightly from the session inactivity timestamp maintained for the WebSEAL session cache. The system inactivity timeout maintained for the cache is calculated by combining two values:
  – Current system time
  – Maximum number of seconds that a user’s session can remain inactive.
  When this value is added to the failover authentication cookie, it is combined with one additional value:
  – Maximum number of seconds (interval) between updates to the failover authentication cookie
  The setting for the interval between the updating of failover cookies affects performance. Administrators must choose a balance between optimal performance and absolute accuracy of the inactivity timer in the cookie. To keep the inactivity timer most accurate, it should be updated every time the user makes a request. However, frequent updating of cookie contents incurs overhead and decreases performance. Each administrator must choose an interval that best fits the WebSEAL deployment. In some cases, an update of the failover cookie with every user request is appropriate. In other cases, the administrator might choose to never update the inactivity timer in the failover cookie.

v Additional extended attributes
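The following is an added example, not IBM's WebSEAL code, that models how the session lifetime timestamp and the session inactivity timestamp described above behave when carried in a failover cookie: the timestamps are computed as current time plus the configured maximum, the cookie copy of the inactivity timer carries the extra update interval and is rewritten only when that interval has elapsed, a replicated server either preserves or resets the lifetime timer, and a skewed replica clock shortens or lengthens the honoured lifetime. The timeout values, the user names, and every field and function name here are assumptions made for illustration; WebSEAL's actual cookie format and configuration keys are not shown on this page.

```python
# Added example, not IBM's WebSEAL code: a small model of the failover-cookie
# timestamps described on this page. The timeout values, the user names and
# the cookie field names are all constructed for illustration.
from dataclasses import dataclass
from typing import Optional, Tuple

MAX_LIFETIME = 3600        # assumed: max seconds a session may stay in the session cache
INACTIVITY_TIMEOUT = 600   # assumed: max seconds a session may remain inactive
UPDATE_INTERVAL = 60       # assumed: seconds between updates of the failover cookie


@dataclass
class FailoverCookie:
    """Subset of the cookie attribute list that this example models."""
    user: str
    auth_level: int                 # step-up level assigned to the authentication method
    lifetime_expiry: Optional[int]  # login time + MAX_LIFETIME, or None if not included
    inactivity_expiry: int          # last write + INACTIVITY_TIMEOUT + update interval
    last_cookie_update: int         # when the inactivity timer in the cookie was last written


def issue_cookie(user: str, auth_level: int, now: int,
                 include_lifetime: bool = True) -> FailoverCookie:
    """Build the cookie at login. The cookie's inactivity timestamp carries the extra
    update interval because the cookie copy may be up to that many seconds stale."""
    return FailoverCookie(
        user=user,
        auth_level=auth_level,
        lifetime_expiry=now + MAX_LIFETIME if include_lifetime else None,
        inactivity_expiry=now + INACTIVITY_TIMEOUT + UPDATE_INTERVAL,
        last_cookie_update=now,
    )


def on_request(cookie: FailoverCookie, now: int,
               update_interval: Optional[int] = UPDATE_INTERVAL) -> Tuple[int, bool]:
    """Handle one request on the issuing server.

    The cache-side inactivity timer is refreshed on every request. The copy in the
    cookie is rewritten only when the configured interval has elapsed: 0 means
    rewrite on every request, None means never rewrite it after login.
    Returns (cache inactivity expiry, whether the cookie was rewritten)."""
    cache_inactivity_expiry = now + INACTIVITY_TIMEOUT
    if update_interval is not None and now - cookie.last_cookie_update >= update_interval:
        cookie.inactivity_expiry = now + INACTIVITY_TIMEOUT + update_interval
        cookie.last_cookie_update = now
        return cache_inactivity_expiry, True
    return cache_inactivity_expiry, False


@dataclass
class ReplicaSession:
    user: str
    auth_level: int
    lifetime_expiry: int
    inactivity_expiry: int


def establish_on_replica(cookie: FailoverCookie, replica_now: int,
                         reset_lifetime: bool = False) -> Optional[ReplicaSession]:
    """A replicated server accepts the failover cookie.

    A cookie whose inactivity timestamp has passed is rejected. If the cookie carries
    a lifetime timestamp and the administrator chose not to reset the timer, the
    original expiry is preserved; otherwise a fresh lifetime starts on the replica."""
    if replica_now > cookie.inactivity_expiry:
        return None
    if cookie.lifetime_expiry is None or reset_lifetime:
        lifetime_expiry = replica_now + MAX_LIFETIME
    else:
        lifetime_expiry = cookie.lifetime_expiry
    return ReplicaSession(cookie.user, cookie.auth_level,
                          lifetime_expiry, replica_now + INACTIVITY_TIMEOUT)


def is_valid(session: ReplicaSession, now: int) -> bool:
    """The entry is invalidated once the clock exceeds either timestamp."""
    return now <= session.lifetime_expiry and now <= session.inactivity_expiry


def remaining_lifetime(cookie: FailoverCookie, replica_clock: int) -> int:
    """Seconds of lifetime the replica will honour, read against its own clock.
    A replica clock running ahead of the issuer shortens the session by the skew;
    one running behind lengthens it, which is the clock-synchronization caveat."""
    return cookie.lifetime_expiry - replica_clock


if __name__ == "__main__":
    c = issue_cookie("alice", 2, now=1000)
    print(on_request(c, 1030))   # interval not yet elapsed: cookie not rewritten
    print(on_request(c, 1070))   # 70 s since last write: cookie rewritten
    print(establish_on_replica(c, 1100))
    print(remaining_lifetime(c, 1100), remaining_lifetime(c, 1400))  # 300 s of skew costs 300 s
```

The trade-off the page describes is visible in `on_request`: with `update_interval=0` the cookie is rewritten on every request and its timer is exact, with `update_interval=None` it is never rewritten after login, and any value in between leaves the cookie copy up to that many seconds behind the cache, which is why the interval is folded into the cookie's inactivity timestamp.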
Chapter 6. Authentication 169