IBM Tivoli Access Manager for e-business: WebSEAL Administration ...
IBM Tivoli Access Manager for e-business: WebSEAL Administration ...
IBM Tivoli Access Manager for e-business: WebSEAL Administration ...
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
A<br />
user<br />
who<br />
fails<br />
authentication<br />
with<br />
the<br />
MAS<br />
when<br />
requesting<br />
a<br />
resource<br />
in<br />
a<br />
non-MAS<br />
(but<br />
participating)<br />
domain<br />
is<br />
given<br />
the<br />
option<br />
to<br />
authenticate<br />
to<br />
the<br />
local<br />
server<br />
where<br />
the<br />
request<br />
is<br />
being<br />
made.<br />
v<br />
The<br />
MAS<br />
(and<br />
eventually<br />
other<br />
selected<br />
servers<br />
in<br />
the<br />
remote<br />
domains)<br />
″vouch<br />
<strong>for</strong>″<br />
the<br />
user’s<br />
authenticated<br />
identity.<br />
v<br />
Domain-specific<br />
cookies<br />
are<br />
used<br />
to<br />
identify<br />
the<br />
server<br />
that<br />
can<br />
provide<br />
″vouch<br />
<strong>for</strong>″<br />
services.<br />
This<br />
allows<br />
servers<br />
in<br />
a<br />
remote<br />
domain<br />
to<br />
request<br />
″vouch<br />
<strong>for</strong>″<br />
in<strong>for</strong>mation<br />
locally.<br />
The<br />
encrypted<br />
contents<br />
of<br />
e-community<br />
cookies<br />
do<br />
not<br />
contain<br />
user<br />
identity<br />
or<br />
security<br />
in<strong>for</strong>mation.<br />
v<br />
Special<br />
tokens<br />
are<br />
used<br />
to<br />
pass<br />
encrypted<br />
″vouched<br />
<strong>for</strong>″<br />
user<br />
identity.<br />
The<br />
″vouch<br />
<strong>for</strong>″<br />
token<br />
does<br />
not<br />
contain<br />
actual<br />
user<br />
authentication<br />
in<strong>for</strong>mation.<br />
Integrity<br />
is<br />
provided<br />
by<br />
shared<br />
secret<br />
key<br />
(triple-DES).<br />
The<br />
token<br />
contains<br />
a<br />
time-out<br />
(lifetime)<br />
value<br />
to<br />
limit<br />
the<br />
duration<br />
of<br />
the<br />
token<br />
validity.<br />
e-community<br />
process<br />
flow<br />
An<br />
e-community<br />
consists<br />
of<br />
a<br />
master<br />
authentication<br />
<strong>WebSEAL</strong><br />
server<br />
(MAS)<br />
and<br />
additional<br />
<strong>WebSEAL</strong><br />
servers<br />
located<br />
in<br />
the<br />
home<br />
domain<br />
and<br />
remote<br />
domains.<br />
The<br />
MAS<br />
can<br />
exist<br />
as<br />
a<br />
single<br />
instance<br />
of<br />
a<br />
<strong>WebSEAL</strong><br />
server,<br />
or<br />
a<br />
set<br />
of<br />
<strong>WebSEAL</strong><br />
replicas<br />
located<br />
behind<br />
a<br />
load<br />
balancer<br />
(where<br />
the<br />
load<br />
balancer<br />
is<br />
identified<br />
as<br />
the<br />
MAS).<br />
All<br />
participating<br />
local<br />
and<br />
remote<br />
<strong>WebSEAL</strong><br />
servers<br />
need<br />
to<br />
be<br />
configured<br />
to<br />
use<br />
the<br />
home<br />
domain<br />
MAS<br />
<strong>for</strong><br />
initial<br />
client<br />
authentication.<br />
This<br />
is<br />
a<br />
hard<br />
requirement<br />
<strong>for</strong><br />
servers<br />
in<br />
the<br />
home<br />
domain,<br />
and<br />
a<br />
soft<br />
requirement<br />
<strong>for</strong><br />
servers<br />
in<br />
remote<br />
domains.<br />
For<br />
example,<br />
some<br />
servers<br />
in<br />
remote<br />
domains<br />
can<br />
be<br />
configured<br />
to<br />
handle<br />
their<br />
own<br />
authentication.<br />
These<br />
servers,<br />
and<br />
the<br />
resources<br />
they<br />
protect,<br />
can<br />
operate<br />
independently<br />
of<br />
the<br />
e-community,<br />
even<br />
if<br />
they<br />
are<br />
located<br />
in<br />
a<br />
participating<br />
e-community<br />
domain.<br />
The<br />
e-community<br />
implementation<br />
is<br />
based<br />
on<br />
a<br />
″vouch<br />
<strong>for</strong>″<br />
system.<br />
Normally,<br />
when<br />
a<br />
user<br />
requests<br />
a<br />
resource<br />
from<br />
a<br />
<strong>WebSEAL</strong><br />
server<br />
where<br />
the<br />
user<br />
has<br />
not<br />
established<br />
a<br />
valid<br />
session,<br />
<strong>WebSEAL</strong><br />
prompts<br />
the<br />
user<br />
<strong>for</strong><br />
authentication<br />
in<strong>for</strong>mation.<br />
In<br />
an<br />
e-community<br />
configuration,<br />
the<br />
<strong>WebSEAL</strong><br />
server<br />
identifies<br />
a<br />
″vouch<br />
<strong>for</strong>″<br />
server<br />
and<br />
requests<br />
verification<br />
from<br />
this<br />
″vouch<br />
<strong>for</strong>″<br />
server<br />
that<br />
the<br />
user<br />
has<br />
authenticated.<br />
The<br />
″vouch<br />
<strong>for</strong>″<br />
server<br />
has<br />
valid<br />
credential<br />
in<strong>for</strong>mation<br />
<strong>for</strong><br />
that<br />
user.<br />
For<br />
the<br />
user’s<br />
first<br />
request,<br />
the<br />
″vouch<br />
<strong>for</strong>″<br />
server<br />
is<br />
always<br />
the<br />
MAS.<br />
The<br />
MAS<br />
continues<br />
to<br />
serve<br />
as<br />
the<br />
″vouch<br />
<strong>for</strong>″<br />
server<br />
<strong>for</strong><br />
resources<br />
located<br />
in<br />
the<br />
home<br />
domain.<br />
As<br />
the<br />
user<br />
continues<br />
with<br />
resource<br />
requests<br />
across<br />
the<br />
e-community,<br />
an<br />
individual<br />
server<br />
in<br />
each<br />
remote<br />
domain<br />
can<br />
build<br />
its<br />
own<br />
credential<br />
<strong>for</strong><br />
the<br />
user<br />
(based<br />
on<br />
user<br />
identity<br />
in<strong>for</strong>mation<br />
from<br />
the<br />
MAS)<br />
and<br />
assume<br />
the<br />
role<br />
of<br />
″vouch<br />
<strong>for</strong>″<br />
server<br />
<strong>for</strong><br />
resources<br />
in<br />
its<br />
domain.<br />
The<br />
verification<br />
requested<br />
of<br />
the<br />
″vouch<br />
<strong>for</strong>″<br />
server<br />
takes<br />
the<br />
<strong>for</strong>m<br />
of<br />
a<br />
″vouch<br />
<strong>for</strong>″<br />
token.<br />
The<br />
″vouch<br />
<strong>for</strong>″<br />
server<br />
creates<br />
the<br />
token<br />
and<br />
returns<br />
it<br />
to<br />
the<br />
requesting<br />
<strong>WebSEAL</strong><br />
server.<br />
The<br />
user<br />
identity<br />
in<strong>for</strong>mation<br />
in<br />
the<br />
token<br />
is<br />
encrypted.<br />
The<br />
token<br />
contains<br />
a<br />
lifetime<br />
limit.<br />
Upon<br />
receipt<br />
of<br />
the<br />
″vouch<br />
<strong>for</strong>″<br />
token,<br />
the<br />
requesting<br />
server<br />
builds<br />
credentials<br />
and<br />
a<br />
local<br />
session<br />
<strong>for</strong><br />
that<br />
user.<br />
The<br />
user<br />
can<br />
now<br />
access<br />
the<br />
requested<br />
resource<br />
based<br />
on<br />
normal<br />
authorization<br />
controls.<br />
The<br />
user<br />
benefits<br />
from<br />
not<br />
having<br />
to<br />
re-authenticate—a<br />
goal<br />
of<br />
the<br />
e-community<br />
model.<br />
258<br />
<strong>IBM</strong><br />
<strong>Tivoli</strong><br />
<strong>Access</strong><br />
<strong>Manager</strong><br />
<strong>for</strong><br />
e-<strong>business</strong>:<br />
<strong>WebSEAL</strong><br />
<strong>Administration</strong><br />
Guide