IBM Tivoli Access Manager for e-business: WebSEAL Administration ...

9. The administrator ends the switch user session using the standard Tivoli Access Manager /pkmslogout utility. Upon successful log out:
   a. The user's cache data is deleted.
   b. The administrator's original cache data (and credential) is restored.
   c. The administrator is returned to the original page from which the switch user form was requested.

The authorization service uses the original credential of the administrator for all subsequent requests.

Configuration procedure

The WebSEAL administrator must complete several configuration steps before administrators can use the switch user functionality. To configure switch user, complete the instructions in each of the following sections:

1. "Part 1: Configuring user access"
2. "Part 2: Configuring switch user authentication mechanisms" on page 191
3. "Part 3: Configuring the switch user HTML form" on page 193. This part is optional.
4. "Part 4: Designing additional input forms" on page 195. This part is optional.
5. "Part 5: Stopping and restarting WebSEAL" on page 195

Part 1: Configuring user access

During WebSEAL installation, the WebSEAL configuration process automatically creates several groups for use by the switch user functionality. The WebSEAL administrator controls switch user capability by adding users to the groups. To configure user access, complete the following steps:

1. Add users to the su-admins group.
   To use the switch user function, a user must be a member of a special administrative group called su-admins. This group is automatically created by default during installation of a WebSEAL server. There are no users in this group by default. The WebSEAL administrator must manually add users to this group. Typically, only administrative users are added to this group.
   Users who have been granted membership in su-admins can switch user to most other user identities, but cannot switch to the identity of any other user that is also a member of the su-admins group. Thus, once an administrator is granted switch user privileges by being added to su-admins, the administrator's account is protected from access by any other user that gains switch user privileges.
2. Add users to the su-excluded group.
   This group contains the names of users whose identities should not be accessed through the switch user capability. During WebSEAL installation, the WebSEAL configuration process automatically creates this group. There are no users in this group by default. WebSEAL administrators typically add to this group the names of users who are not members of the administrative group su-admins, but for whom switch user access should still be blocked.
   When switch user is used, WebSEAL also checks the memberships of the Tivoli Access Manager group called securitygroup. This group contains the name of the Tivoli Access Manager administrative user sec_master, plus a number of WebSEAL processes that must be excluded from access through switch user capability.
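As an added illustration (not WebSEAL's own code), the following Python model applies the group rules from Part 1 and the restore-on-logout behaviour from step 9. The registry contents are constructed, and the plain dictionary lookup stands in for the Tivoli Access Manager user registry.

```python
from dataclasses import dataclass, field
from typing import Optional

SU_ADMINS, SU_EXCLUDED, SECURITYGROUP = "su-admins", "su-excluded", "securitygroup"

# Constructed stand-in for the Tivoli Access Manager registry: user -> groups.
REGISTRY = {
    "alice": {SU_ADMINS},            # administrator allowed to switch user
    "bob": {SU_ADMINS},              # another su-admins member: protected target
    "carol": set(),                  # ordinary user: may be switched to
    "dave": {SU_EXCLUDED},           # explicitly blocked by the administrator
    "sec_master": {SECURITYGROUP},   # always blocked via securitygroup
}

def can_switch(registry, requester, target):
    """Apply the Part 1 membership rules; return (allowed, reason)."""
    groups = lambda user: registry.get(user, set())
    if SU_ADMINS not in groups(requester):
        return False, "requester is not a member of su-admins"
    # A target in any of these groups is protected from switch user.
    for blocked in (SU_ADMINS, SU_EXCLUDED, SECURITYGROUP):
        if blocked in groups(target):
            return False, f"target is a member of {blocked}"
    return True, "ok"

@dataclass
class Session:
    """One browser session: the credential the authorization service uses."""
    registry: dict
    credential: str
    cache: dict = field(default_factory=dict)
    saved: Optional[tuple] = None  # (admin credential, admin cache, origin page)

    def switch_user(self, target, origin_page):
        allowed, reason = can_switch(self.registry, self.credential, target)
        if not allowed:
            raise PermissionError(reason)
        self.saved = (self.credential, self.cache, origin_page)  # keep admin state
        self.credential, self.cache = target, {"identity": target}
        return self.credential

    def pkmslogout(self):
        """Step 9: end the switched session and restore the administrator."""
        if self.saved is None:
            return None  # ordinary logout; nothing to restore
        self.cache = {}                                  # 9a: user's cache deleted
        self.credential, self.cache, page = self.saved   # 9b: admin state restored
        self.saved = None
        return page                                      # 9c: back to origin page
```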

190 IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide
