IBM Tivoli Access Manager for e-business: WebSEAL Administration ...
9. The administrator ends the switch user session using the standard Tivoli Access Manager /pkmslogout utility. Upon successful log out:
a. The user's cache data is deleted.
b. The administrator's original cache data (and credential) is restored.
c. The administrator is returned to the original page from which the switch user form was requested. The authorization service uses the original credential of the administrator for all subsequent requests.

Configuration procedure

The WebSEAL administrator must complete several configuration steps before administrators can use the switch user functionality. To configure switch user, complete the instructions in each of the following sections:
1. "Part 1: Configuring user access"
2. "Part 2: Configuring switch user authentication mechanisms" on page 191
3. "Part 3: Configuring the switch user HTML form" on page 193. This part is optional.
4. "Part 4: Designing additional input forms" on page 195. This part is optional.
5. "Part 5: Stopping and restarting WebSEAL" on page 195

Part 1: Configuring user access

During WebSEAL installation, the WebSEAL configuration process automatically creates several groups for use by the switch user functionality. The WebSEAL administrator controls switch user capability by adding users to these groups. To configure user access, complete the following steps:

1. Add users to the su-admins group.
To use the switch user function, a user must be a member of a special administrative group called su-admins. This group is automatically created by default during installation of a WebSEAL server. There are no users in this group by default. The WebSEAL administrator must manually add users to this group. Typically, only administrative users are added to this group.
Users who have been granted membership in su-admins can switch user to most other user identities, but cannot switch to the identity of any other user that is also a member of the su-admins group. Thus, once an administrator is granted switch user privileges by being added to su-admins, the administrator's account is protected from access by any other user that gains switch user privileges.

2. Add users to the su-excluded group.
This group contains the names of users whose identities should not be accessed through the switch user capability. During WebSEAL installation, the WebSEAL configuration process automatically creates this group. There are no users in this group by default. WebSEAL administrators typically add to this group the names of users who are not members of the administrative group su-admins, but for whom switch user access should still be blocked.

When switch user is used, WebSEAL also checks the memberships of the Tivoli Access Manager group called securitygroup. This group contains the name of the Tivoli Access Manager administrative user sec_master, plus a number of WebSEAL processes that must be excluded from access through the switch user capability.
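The three group checks described in Part 1 (su-admins membership required, su-admins members protected from each other, su-excluded and securitygroup members blocked) can be modelled as a single eligibility function, which is useful for auditing who could switch to whom once group memberships are read back from the registry. This is an added illustration, not WebSEAL's own code; the user and process names in the sample data are constructed.

```python
"""Model of the WebSEAL switch user eligibility rules (added illustration,
not IBM code).  Group memberships are a dict of group name -> set of user
names, as an administrator would read them back from the user registry."""

# Group names used by WebSEAL switch user (from the guide).
SU_ADMINS = "su-admins"
SU_EXCLUDED = "su-excluded"
SECURITY_GROUP = "securitygroup"


def can_switch_user(groups, admin, target):
    """Return (allowed, reason) for 'admin' attempting to switch to 'target'.

    Checks are applied in the order the guide lists them: the caller must be
    in su-admins; the target must not be another su-admins member, must not be
    in su-excluded, and must not be in securitygroup (sec_master and the
    WebSEAL processes)."""
    su_admins = groups.get(SU_ADMINS, set())
    su_excluded = groups.get(SU_EXCLUDED, set())
    protected = groups.get(SECURITY_GROUP, set())

    if admin not in su_admins:
        return False, f"{admin} is not a member of {SU_ADMINS}"
    if target in su_admins:
        return False, f"{target} is a member of {SU_ADMINS}; admins are protected"
    if target in su_excluded:
        return False, f"{target} is listed in {SU_EXCLUDED}"
    if target in protected:
        return False, f"{target} is a member of {SECURITY_GROUP}"
    return True, "allowed"


def permitted_targets(groups, all_users, admin):
    """Sorted list of identities 'admin' could switch to; review this list
    after changing su-admins membership to confirm the blast radius."""
    return sorted(u for u in all_users if can_switch_user(groups, admin, u)[0])


# Constructed sample registry state (names are illustrative, not from the guide).
SAMPLE_GROUPS = {
    SU_ADMINS: {"helpdesk_lead", "ops_admin"},
    SU_EXCLUDED: {"cfo"},
    SECURITY_GROUP: {"sec_master", "webseal-process-1"},
}
SAMPLE_USERS = {"helpdesk_lead", "ops_admin", "cfo", "sec_master",
                "webseal-process-1", "alice", "bob"}

if __name__ == "__main__":
    for target in sorted(SAMPLE_USERS):
        print(target, can_switch_user(SAMPLE_GROUPS, "helpdesk_lead", target))
    print("permitted:", permitted_targets(SAMPLE_GROUPS, SAMPLE_USERS, "helpdesk_lead"))
```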
190 IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide