IBM Tivoli Access Manager for e-business: WebSEAL Administration ...

More documents

Recommendations

Info

F failover authentication configuration steps 173 domain-wide 171 overview 166 upgrading 172 failover cookie add authentication level 176 adding data 168 extended attributes 177 extracting data 170 session lifetime timestamp 168 failover cookies configure cookie lifetime 175 configuring 166 enable domain-wide cookies 179 enabling 174 encrypting/decrypting cookie data 175 session lifetime timestamp 176 utf8 backwards compatibility 175 utf8 encoding 175 failover-add-attributes stanza 425 failover-auth 424 failover-cdsso 174, 422 failover-certificate 174, 422 failover-cookie-lifetime 175, 424 failover-cookies-keyfile 175, 424 failover-http-request 174, 422 failover-kerberosv5 422 failover-password 167, 174, 421 failover-require-activity-timestamp-validation 180, 425 failover-require-lifetime-timestamp-validation 179, 425 failover-restore-attributes stanza 178, 426 failover-token-card 174, 421 failover-update-cookie 176, 177, 425 failure reason 363 fatal.log 96 filter URLs Content-Length header 290 processing URLs in requests 292 script filtering for absolute URLs 290 standard filtering rules 288 filter-content-types stanza 79, 463 filter-events stanza 461 filter-request-headers stanza 463 filter-schemes stanza 79, 462 filter-url stanza 289, 460 filtering absolute URLs 289 best practices for absolute URLs 339 Content-Length header X-Old-Content-Length 290 filter absolute URLs with script filtering 290 processing URLs in requests 292 server-relative URLs 289 specifying document MIME types 79 standard URL filtering rules for WebSEAL 288 static documents 288 text/html 288 text/vnd.wap.wml 288 FIPS mode 33 fips-mode-processing 34, 411 flush caches 78 flush-time 107, 471 forced redirection, to home page 212 forms authentication 147 single sign-on solution 326 forms-auth 147, 414 forms-sso-login-pages stanza 329 front-end WebSEAL servers replicate 58 fsso.conf.template 328 G GET method 350 global sign-on (GSO) 320 gmt-time 106, 473 gsk-crl-cache-entry-lifetime 232, 409 gsk-crl-cache-size 232, 409 GSKit 228 CRL cache 231 file types 228 GSKit (SSL) session cache 132 configuring 133 GSO 320 configure GSO cache 322 GSO cache, configure 322 gso-cache-enabled 322, 467 gso-cache-entry-idle-timeout 322, 467 gso-cache-entry-lifetime 467 gso-cache-lifetime 322 gso-cache-size 322, 467 gso-resource 329 gzip 80 H header 157 help 88, 444 help.html 89 HOST header, best practices for junctions 339 hostname-junction-cookie 286, 464 hostname, Active Directory 400 HTML account management pages macro support 89 HTML custom pages 88 http 28, 386 HTTP data compression 80 HTTP common log format 107 HTTP error messages 84 macro support 86 HTTP error pages creating new 86 location 87 time of day 86 http event pool 100 HTTP header accept-charset 54 accept-language 53 limiting size 299 PD-USER-SESSION-ID 344 HTTP header authentication 156 HTTP logging default 105 enabling and disabling 106 using event logging 100 HTTP server identity, suppressing 69 HTTP TRACE, enabling 69 HTTP_IV_CREDS 298, 336, 338 HTTP_IV_GROUPS 298, 336, 338 HTTP_IV_REMOTE_ADDRESS 299 504 IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide
HTTP_IV_USER 298, 336, 338 HTTP_PD_USER_SESSION_ID 219 HTTP_PD-USER-SESSION-ID 345 http-headers-auth 156, 416 http-method-trace-enabled 69, 391 http-method-trace-enabled-remote 69, 391 http-port 28, 386 http-request 157, 419 HTTP-Tag-Value junction attribute 218, 344 http-timeout 456 http-timeout (junctions) 30 HTTP/1.1 responses 308 http.agent event pool 100 http.clf event pool 100 http.cof event pool (NCSA) 100 http.ref event pool 100 httpauthn 157 https 29, 386 https-port 29, 386 https-timeout 456 https-timeout (junctions) 30 I IBM 4758 32 IBM 4960 32 ICC 33 iKeyman 230 configuration for cryptographic hardware 34 mutually authenticated SSL junctions 282 overview 230 SSL type junctions 280 WebSEAL test certificate 28 ikmuser.properties 34 ikmuser.sample 34 illegal-url-substrings stanza 56 inactive-timeout 134, 437 inherited ACL policy 5 instance name 16 interactive configuration 21 io-buffer-size 457 IP address authentication 159 ipaddr-auth 159, 417 ipauth 122 is-master-authn-server 269, 431 IV_JCT (junction cookie) 292 iv-creds 298, 338 iv-groups 298, 338 iv-remote-address 299 iv-user 298, 338 J jmt load 293 jmt-map 293, 456 jmt.conf 293 junction cookie, preventing naming conflicts 286 junction cookies 292 junction fairness 42 junction mapping table 293 junction stanza 42 junction-db 276, 456 junctions -b filter 318 -b gso 318 -b ignore 318 junctions (continued) -b supply 316 authenticate with BA header (-B, -U, -W) 283 best practices 339 case-insensitive URLs (-i) 300 certificate authentication 307 client certificate (WebSEAL) (-K) 283 command reference 491 cookies across multiple -j junctions 295 Distinguished Name (DN) matching (-D) 282 enforcing permissions 307 filter absolute URLs with script filtering 290 filter URLs in responses 288 forcing new junction (-f) 75, 297 forms single sign-on (-S) 332 global sign-on (GSO) 320 gso options (-b gso, -T) 322 guidelines for creating 276 HOST header best practices (-v) 339 host option (-h) 280 HTTP-Tag-Value attribute 344 HTTP/1.0 and 1.1 responses 308 impact of -b options on mutually authenticated junctions 284 junction cookie, preventing naming conflicts 286 junction mapping table 293 LTPA (-A, -F, -Z) 324 modifying URLs from back-end applications 287 mount multiple servers 307 mutually authenticated (-D, -K, -B, -U, -W) 282 overview 11, 276 pdadmin server task 279 preserving application cookie names 296 process server-relative URLs with cookies (-j) 292 process server-relative URLs with junction mapping 293 processing URLs in requests 292 proxy junctions (-H, -P) 285 query_contents 309 required options 280 scalability 12 session cookie to portal server (-k) 300 specify back-end UUID (-u) 302 stateful junction support (-s, -u) 301 supply client identity in HTTP headers (-c) 298 supply IP address in HTTP headers (-r) 299 supplying failure reason (-R) 363 type option (-t) 280 using WPM 278 virtual host name (-v) 339 WebSEAL client certificate (-K) 283 WebSEAL-to-WebSEAL (-C) 286 Windows file systems (-w) 304 worker thread allocation (-l) 43 worker thread allocation (-L) 43 K Kerberos authentication 182, 234 kerberosv5 242, 420 key database file types 228 key management configuring CRL checking 231 configuring the CRL cache 231 configuring WebSEAL key database parameters 229 iKeyman utility 230 key database file types 228 managing client-side certificates 228 Index 505
Page 1:
IBM Tivoli Access Manager for e-bus
Page 4 and 5:
Note Before using this information
Page 6 and 7:
Silent configuration overview . . .
Page 8 and 9:
Event capturing and logging . . . .
Page 10 and 11:
Token authentication concepts . . .
Page 12 and 13:
Configuring WebSEAL key database pa
Page 14 and 15:
Preserving cookie names . . . . . .
Page 16 and 17:
Logging . . . . . . . . . . . . . .
Page 18 and 19:
xvi IBM Tivoli Access Manager for e
Page 20 and 21:
This chapter introduces you to impo
Page 22 and 23:
Web security information v IBM Tivo
Page 24 and 25:
v Secure Sockets Layer Introduction
Page 26 and 27:
The following documents associated
Page 28 and 29:
Monospace Code examples, command li
Page 30 and 31:
IBM Tivoli Access Manager WebSEAL:
Page 32 and 33:
The access control list (ACL) An ac
Page 34 and 35:
Note: Traditional applications bund
Page 36 and 37:
v Authenticated clients access usin
Page 38 and 39:
v A user makes a request for a reso
Page 40 and 41:
A unified Web space simplifies the
Page 42 and 43:
14 IBM Tivoli Access Manager for e-
Page 44 and 45:
Server instance configuration This
Page 46 and 47:
Table 1. WebSEAL instances sharing
Page 48 and 49:
- When the Web document root is not
Page 50 and 51:
-ssl_yn ssl_enable_yes_no -key_file
Page 52 and 53:
Server instance configuration tasks
Page 54 and 55:
Removing a server instance To remov
Page 56 and 57:
Communication protocol configuratio
Page 58 and 59:
Restricting connections from specif
Page 60 and 61:
Cryptographic hardware for encrypti
Page 62 and 63:
You can specify whether to enable F
Page 64 and 65:
3. In the Open dialog window, selec
Page 66 and 67:
Quality of protection levels You ca
Page 68 and 69:
Configuring authorization database
Page 70 and 71:
3. Change the settings for the data
Page 72 and 73:
Multi-locale support with UTF-8 Thi
Page 74 and 75:
WebSEAL generates logging and audit
Page 76 and 77:
Configuring multi-locale support Co
Page 78 and 79:
WebSEAL does not recognize UTF-8 en
Page 80 and 81:
ackwards compatibility, the format
Page 82 and 83:
Language System Directory English (
Page 84 and 85:
Preventing vulnerability caused by
Page 86 and 87:
Replicated front-end WebSEAL server
Page 88 and 89:
The session cookie links to session
Page 90 and 91:
Table 4. P3P default header values
Page 92 and 93:
Table 6. Supported values for the c
Page 94 and 95:
For each value specified for purpos
Page 96 and 97:
example, when your compact policy s
Page 98 and 99:
70 IBM Tivoli Access Manager for e-
Page 100 and 101:
Server tasks Start a WebSEAL server
Page 102 and 103:
Managing the Web space The followin
Page 104 and 105:
You can configure the specific grap
Page 106 and 107:
Parameter Description cache-type Sp
Page 108 and 109:
HTTP data compression WebSEAL serve
Page 110 and 111:
Compression policy in POPs You can
Page 112 and 113:
HTTP error message pages When WebSE
Page 114 and 115:
Filename Title Description HTTP Err
Page 116 and 117:
Managing custom account management
Page 118 and 119:
Macro Description %CERTAUTHN% Subst
Page 120 and 121:
Backup and restore Tivoli Access Ma
Page 122 and 123:
Problem determination tools for Web
Page 124 and 125:
Logging WebSEAL serviceability mess
Page 126 and 127:
Event capturing and logging You can
Page 128 and 129:
In this example, none of the option
Page 130 and 131:
Authentication event log output Aut
Page 132 and 133:
Table 18. Authentication errors (co
Page 134 and 135:
Log Files Location Parameter Enable
Page 136 and 137:
Displaying referer.log The referer.
Page 138 and 139:
WebSEAL-specific ACL policies The f
Page 140 and 141:
Configuring three strikes login pol
Page 142 and 143:
Configuring password strength polic
Page 144 and 145:
Specific user and global settings T
Page 146 and 147:
v token authentication v certificat
Page 148 and 149:
The entry level = unauthenticated m
Page 150 and 151:
Table 20. Example integer values fo
Page 152 and 153:
pdadmin> pop modify test set ipauth
Page 154 and 155:
Quality of protection POP policy Th
Page 156 and 157:
128 IBM Tivoli Access Manager for e
Page 158 and 159:
Overview of the authentication proc
Page 160 and 161:
Managing session state A secure con
Page 162 and 163:
This value corresponds to the numbe
Page 164 and 165:
eauthenticating the user. WebSEAL u
Page 166 and 167:
v Because the cookies are available
Page 168 and 169:
Authentication configuration overvi
Page 170 and 171:
Configuring multiple authentication
Page 172 and 173:
3. When the client makes an additio
Page 174 and 175:
You can configure the username and
Page 176 and 177:
Configuration conditions If forms a
Page 178 and 179:
If the security policy does require
Page 180 and 181:
Setting Description accept-client-c
Page 182 and 183:
Thus, the default value for cert-ca
Page 184 and 185:
HTTP header authentication Tivoli A
Page 186 and 187:
See also: v “Authentication metho
Page 188 and 189:
Token authentication Tivoli Access
Page 190 and 191:
2. WebSEAL returns an authenticatio
Page 192 and 193:
4. Restart the WebSEAL server. See
Page 194 and 195:
Failover authentication This sectio
Page 196 and 197:
authenticates using forms authentic
Page 198 and 199:
Administrators can configure WebSEA
Page 200 and 201:
cookie. By using the cookie, the We
Page 202 and 203:
Specify the protocol for failover c
Page 204 and 205:
Backwards compatibility WebSEAL ser
Page 206 and 207:
[failover-add-attributes] attribute
Page 208 and 209:
v When this value is no, and the se
Page 210 and 211:
SPNEGO protocol and Kerberos authen
Page 212 and 213:
v The client cannot use an SSL sess
Page 214 and 215:
Page 216 and 217:
Switch user authentication The WebS
Page 218 and 219:
9. The administrator ends the switc
Page 220 and 221:
supported mechanism, an additional
Page 222 and 223:
The authentication method parameter
Page 224 and 225:
The default file name is switchuser
Page 226 and 227:
xauthn_username xauthn_qop xauthn_i
Page 228 and 229:
Server-side request caching This se
Page 230 and 231:
v “Modifying request-body-max-rea
Page 232 and 233:
Configuring reauthentication based
Page 234 and 235:
Extending the session cache entry l
Page 236 and 237:
Configuring reauthentication based
Page 238 and 239:
Extending the session cache entry l
Page 240 and 241:
Automatic redirection during user l
Page 242 and 243:
Configuring post password change pr
Page 244 and 245:
WebSEAL provides an external authen
Page 246 and 247:
credattrs_email joeuser@bigco.com c
Page 248 and 249:
Credential refresh This section con
Page 250 and 251:
The default lifetime of data in the
Page 252 and 253:
Credential refresh configuration To
Page 254 and 255:
efresh can succeed. Likewise, when
Page 256 and 257:
Managing client-side and server-sid
Page 258 and 259:
At installation, WebSEAL uses the s
Page 260 and 261:
Setting the maximum number of cache
Page 262 and 263:
Windows desktop single sign-on This
Page 264 and 265:
v Failover authentication The failo
Page 266 and 267:
Each WebSEAL instance must have a s
Page 268 and 269:
highly secure password, such as a r
Page 270 and 271:
Note: The location of the kinit uti
Page 272 and 273:
v When a problem occurs, consider e
Page 274 and 275:
The link contains a special CDSSO m
Page 276 and 277:
2. Edit /etc/nsswitch.conf so the h
Page 278 and 279:
[authentication-mechanisms] sso-cre
Page 280 and 281:
http://websealB/resource.html?PD-ID
Page 282 and 283:
Each entry in the WebSEAL is assign
Page 284 and 285:
e-community single sign-on E-commun
Page 286 and 287:
A user who fails authentication wit
Page 288 and 289:
4. After successful login, the MAS
Page 290 and 291:
v The domain-specific cookie contai
Page 292 and 293:
owser is Microsoft Internet Explore
Page 294 and 295:
1. Enabling and disabling e-communi
Page 296 and 297:
[e-community-domain-keys] dA.com =
Page 298 and 299:
For example: [e-community-sso] vf-u
Page 300 and 301:
[server] pre-510-compatible-tokens
Page 302 and 303:
[ecsso-incoming-attributes] my_spec
Page 304 and 305:
WebSEAL junctions overview You can
Page 306 and 307:
Managing junctions with Web Portal
Page 308 and 309:
Configuring a basic WebSEAL junctio
Page 310 and 311:
Mutually authenticated SSL junction
Page 312 and 313:
v It is highly recommended that you
Page 314 and 315:
WebSEAL-to-WebSEAL junctions over S
Page 316 and 317:
v “Processing URLs in requests”
Page 318 and 319:
Modifying absolute URLs with script
Page 320 and 321:
To solve this problem: 1. Always wr
Page 322 and 323:
You must create the jmt.conf mappin
Page 324 and 325:
Part 2: -j junctions modify Set-Coo
Page 326 and 327:
Supplying client identity in HTTP h
Page 328 and 329:
[junction] max-webseal-header-size
Page 330 and 331:
ack-end server UUID to each front-e
Page 332 and 333:
v Back-end server 2 is called APP2
Page 334 and 335:
lcp_uri URI encoded local code page
Page 336 and 337:
v Do not mark any certificate in th
Page 338 and 339:
1. Copy query_contents.sh into a fu
Page 340 and 341:
Typical output looks like: 100 inde
Page 342 and 343:
Page 344 and 345:
Configuring BA headers for single s
Page 346 and 347:
Forwarding original client BA heade
Page 348 and 349:
Using global sign-on (GSO) Tivoli A
Page 350 and 351:
Configuring a GSO-enabled WebSEAL j
Page 352 and 353:
Configuring single sign-on to IBM W
Page 354 and 355:
Configuring single sign-on forms au
Page 356 and 357:
WebSEAL parses the HTML page to ide
Page 358 and 359:
[loginpage1] login-page = /cgi-bin/
Page 360 and 361:
It is not necessary to specify hidd
Page 362 and 363:
Page 364 and 365:
Supporting CGI programming To suppo
Page 366 and 367:
Supporting back-end server-side app
Page 368 and 369:
v Short name of the server v IP add
Page 370 and 371:
pdadmin> objectspace create /Resour
Page 372 and 373:
A single user that logs in multiple
Page 374 and 375:
346 IBM automatically with no user
Page 376 and 377:
Note: If you use Web Portal Manager
Page 378 and 379:
Object Space Entry URL Template /ow
Page 380 and 381:
The following sample dynurl.conf fi
Page 382 and 383:
The security policy To provide suit
Page 384 and 385:
Page 386 and 387:
Overview of ADI retrieval The Tivol
Page 388 and 389:
The resource-manager-provided-adi p
Page 390 and 391:
Retrieving ADI from the user creden
Page 392 and 393:
Dynamic ADI retrieval Rules can be
Page 394 and 395:
Page 396 and 397:
Basic configuration Basic configura
Page 398 and 399:
trace_verbose_get_entitlement If se
Page 400 and 401:
Erandt_Securtities_Entitlements e
Page 402 and 403:
http://ese.erant.com/attributes 1 U
Page 404 and 405:
376 IBM v v /opt/pdwebars/protocol_
Page 406 and 407:
Windows C:\Program Files\Tivoli\PDW
Page 408 and 409:
including tracking CGI types, compi
Page 410 and 411:
Stanza organization The remainder o
Page 412 and 413:
Server configuration v [server] v [
Page 414 and 415:
HTTP/1.1 connection timeout, in sec
Page 416 and 417:
Location of the file that contains
Page 418 and 419:
Enable or disable support for UTF-8
Page 420 and 421:
Specifies how WebSEAL responds to r
Page 422 and 423:
Host name of the LDAP server. The W
Page 424 and 425:
cache-group-expire-time = number_of
Page 426 and 427:
String that specifies the key label
Page 428 and 429:
Active Directory [uraf-ad] stanza a
Page 430 and 431:
ind-pwd = admin_password Encoded ad
Page 432 and 433:
LDAP port number for the Lotus Domi
Page 434 and 435:
Secure Socket Layer [ssl] stanza we
Page 436 and 437:
Disables support for SSL Version 2.
Page 438 and 439:
Port number for communication with
Page 440 and 441:
Indicates whether automatic refresh
Page 442 and 443:
Authentication methods [ba] stanza
Page 444 and 445:
Specifies how to handle certificate
Page 446 and 447:
Step-up authentication levels. WebS
Page 448 and 449:
Fully qualified path for a library
Page 450 and 451:
failover-certificate = fully_qualif
Page 452 and 453:
Authentication failover v [failover
Page 454 and 455:
List of attributes from the origina
Page 456 and 457:
Cross-domain single sign-on v [cdss
Page 458 and 459:
attribute_pattern = {preserve|refre
Page 460 and 461:
Integer value specifying the port n
Page 462 and 463:
File names for keys for any domains
Page 464 and 465:
List of string values to specify th
Page 466 and 467:
Integer value for lifetime, in seco
Page 468 and 469:
Content This section contains the f
Page 470 and 471:
Specifies how standard WebSEAL HTML
Page 472 and 473:
Page containing a change password f
Page 474 and 475:
Automatic redirect v [acnt-mgt] v [
Page 476 and 477:
List containing system environment
Page 478 and 479:
Relative path name to a graphics fi
Page 480 and 481:
Content compression v [compress-mim
Page 482 and 483: Content encodings [content-encoding
Page 484 and 485: Junction management [junction] stan
Page 486 and 487: Positive integer value indicating t
Page 488 and 489: Document filtering [filter-url] sta
Page 490 and 491: Scheme filtering [filter-schemes] s
Page 492 and 493: Script filtering v [script-filterin
Page 494 and 495: Credential refresh [credential-refr
Page 496 and 497: Integer value that specifies the ti
Page 498 and 499: Integer value that specifies the ti
Page 500 and 501: Enables or disables the requests lo
Page 502 and 503: Auditing [aznapi-configuration] sta
Page 504 and 505: Specifies event logging for the spe
Page 506 and 507: The maximum size of the in-memory p
Page 508 and 509: Policy server v [policy-director] v
Page 510 and 511: Specifies the type of access the us
Page 512 and 513: v state Mechanisms for maintaining
Page 514 and 515: Specifies the purpose of the inform
Page 516 and 517: Specifies the recipients of the inf
Page 518 and 519: 490 IBM Tivoli Access Manager for e
Page 520 and 521: For example, if the configured name
Page 522 and 523: -p port TCP port of the back-end th
Page 526 and 527: IBM may use or distribute any of th
Page 530 and 531: asic authentication configuring 145
Page 534 and 535: key management (continued) managing
Page 536 and 537: eauthentication (continued) based o
Page 538: User Registry Adapter Framework (UR
show all

IBM Tivoli Access Manager for e-business: WebSEAL Administration ...

Create successful ePaper yourself

Delete template?

Save as template?