IBM Tivoli Access Manager for e-business: WebSEAL Administration ...
Understanding the "vouch for" token

In order to achieve cross-domain single sign-on, some user identity information must be transmitted between servers. This sensitive information is handled using a redirect that includes the identity information encrypted as part of the URL. This encrypted data is called a "vouch for" token.

- The token contains the "vouch for" success or failure status, the user's identity (if successful), the fully qualified name of the server that created the token, the e-community identity, and a creation time value.
- The holder of a valid "vouch for" token can use this token to establish a session (and set of credentials) with a server without explicitly authenticating to that server.
- The token is encrypted using a shared triple-DES secret key so that its authenticity can be verified.
- Encrypted token information is not stored on the browser.
- The token is passed only once. The receiving server uses this information to build user credentials in its own cache. The server uses these credentials for future requests by that user during the same session.
- The token has a lifetime (timeout) value that is set in the WebSEAL configuration file. This value can be very short (seconds) to reduce the risk of a replay attack.
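The following Python model is an added example, not WebSEAL code or its token format. It builds a "vouch for" token carrying the fields listed above (status, user identity, the issuing server's fully qualified name, the e-community identity, a creation time), checks it under a shared key as the receiving server would, and shows how the lifetime, the pass-only-once rule, the fully-qualified-host-name requirement and clock synchronization between servers interact. The field names, the HMAC-SHA256 tag (standing in for the shared triple-DES key), the 30-second lifetime and the host names are assumptions constructed for the illustration.

```python
"""Illustrative model of a "vouch for" token (added example; not WebSEAL's
code or token format). Field names, key, lifetime and host names are constructed."""
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret; WebSEAL keeps a per-domain key file instead.
SHARED_KEY = b"constructed-shared-key-for-example-only"
# Lifetime in seconds: in WebSEAL this is a configuration-file value; 30 s is an assumed figure.
VF_TOKEN_LIFETIME = 30
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def is_fully_qualified(hostname):
    """e-community requires every server to present a host name that includes a domain."""
    labels = hostname.split(".")
    return len(labels) >= 2 and all(labels)


def create_vf_token(success, user, server_fqdn, ecommunity, key=SHARED_KEY, now=None):
    """Build a token as the vouch-for (MAS) server would, bound to the shared key."""
    if not is_fully_qualified(server_fqdn):
        raise ValueError("vouch-for server must identify itself with a fully qualified host name")
    body = {
        "status": "success" if success else "failure",
        "user": user if success else None,   # identity is carried only on success
        "server": server_fqdn,                # fully qualified name of the creator
        "ecommunity": ecommunity,             # e-community identity
        "created": int(time.time() if now is None else now),
    }
    raw = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, raw, hashlib.sha256).digest()  # stand-in for the 3DES protection
    return base64.urlsafe_b64encode(raw + tag).decode()


def verify_vf_token(token, expected_ecommunity, key=SHARED_KEY, now=None,
                    lifetime=VF_TOKEN_LIFETIME, seen=None):
    """Validate as the receiving server would; returns (ok, reason, body).

    `seen` is an optional set of already-accepted tokens so that a token is
    honoured only once; entries only need to be kept for `lifetime` seconds.
    """
    blob = base64.urlsafe_b64decode(token.encode())
    raw, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, raw, hashlib.sha256).digest(), tag):
        return False, "authenticity check failed: wrong shared key or modified token", None
    body = json.loads(raw)
    if body["ecommunity"] != expected_ecommunity:
        return False, "token belongs to a different e-community", body
    now = int(time.time() if now is None else now)
    age = now - body["created"]
    if age < 0:
        return False, "creation time is in the future: receiver clock is behind the issuer", body
    if age > lifetime:
        return False, "lifetime exceeded: stale token, replay, or receiver clock ahead", body
    if seen is not None:
        if token in seen:
            return False, "token already used: it is passed only once", body
        seen.add(token)
    if body["status"] != "success":
        return False, "vouch-for status was failure", body
    return True, "ok", body  # the receiver now builds credentials in its own cache


if __name__ == "__main__":
    tok = create_vf_token(True, "abc", "webseal-a.dA.example", "companyABC", now=1000)
    for receiver_clock in (1010, 1040, 990):  # in window, expired, receiver behind issuer
        print(receiver_clock, verify_vf_token(tok, "companyABC", now=receiver_clock)[:2])
```

The three verification runs in the usage block show the same token accepted ten seconds after creation, rejected once the lifetime has passed, and rejected when the receiving server's clock is behind the issuer's, which is the failure the page attributes to unsynchronized machine times.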
Configuring e-community single sign-on

e-community conditions and requirements

- The e-community implementation requires a consistent configuration across all WebSEAL servers in all domains participating in the e-community.
- For e-community to function successfully, each participating WebSEAL server must reveal its fully qualified host name to the other participating servers in the cross-domain environment. If any host name does not include a domain, e-community cannot be enabled and an error message is logged in msg_webseald.log. When setting up an e-community environment, ensure that the machine-specific networking setup for each participating server is configured to identify the server with a fully qualified host name.
- All WebSEAL servers participating in e-community must have machine times synchronized. Authentication between servers can fail when machine time differences are too great.
- The e-community implementation is supported on both HTTP and HTTPS.
- The following e-community scenario is not supported for production or testing purposes: a MAS WebSEAL instance and a participating WebSEAL server instance configured to use the same network interface on the same machine.
- Individual e-community domains manage their own user identities and associated privileges. You can use the Cross-domain Mapping Function (CDMF) API to map a user from a remote domain to a valid user in the local domain. If the e-community domains share global user identities, those users could be distinguished by different passwords in the different domains. For example, a user "abc" can exist in both domain A and domain B, using different passwords for each domain.
- Configuration for e-community is set in the WebSEAL configuration file of each participating WebSEAL server.
- If the originally requested URL is not redirected back to the browser from the MAS (or "vouch for" server), there could be a problem with page caching if the

Chapter 9. Client single sign-on solutions 263