Configure single signon using trust association interceptor ++

 


 

Procedure

  1. Ensure that LTPA is the active authentication mechanism

    1. From the WAS console, click...

      Security | Global Security

    2. Verify that the Active Authentication Mechanism field is set to Lightweight Third Party Authentication (LTPA).

    3. Save your changes.

  2. From the WAS console, click...

    Security | Global security | Authentication mechanisms | LTPA | Trust association | Enable Trust Association

  3. Click the Interceptors link.

  4. Click...

    com.ibm.ws.security.web.TAMTrustAssociationInterceptorPlus

    ...to use the WebSEAL interceptor. This interceptor is the default.

  5. Click the Custom Properties link.

  6. Click New to enter the property name and value pairs. Ensure the following parameters are set:

    Option Description
    com.ibm.websphere.security.webseal.checkViaHeader The TAI can be configured so that the via header can be ignored when validating trust for a request. Set this property to false if none of the hosts in the via header need to be trusted. When set to false the trusted hostnames and host ports properties do not need to be set. Therefore the only mandatory property when check via header is false is...

    com.ibm.websphere.security.webseal.loginId

    The default value of the check via header property is false. When using Tivoli Access Manager (TAM) Plug-in for Web Servers this property should be set to false.

    The via header is part of the standard HTTP header that records the server names the request has passed through.

    com.ibm.websphere.security.webseal.loginId The WebSEAL trusted user

    The format of the username is the short name representation. This is a mandatory property. If it is not set in WAS, then the TAI initialization fails.

    com.ibm.websphere.security.webseal.id A comma-separated list of headers that should exist in the request. If not all of the configured headers exist in the request, then trust cannot be established. The default value for the id property is iv-creds. Any other values set in WAS are added to the list along with iv-creds, separated by commas.
    com.ibm.websphere.security.webseal.hostnames Do not set this property if using TAM Plug-in for Web Servers. The property specifies the host names (case sensitive) that are trusted and expected in the request header. Requests arriving from unlisted hosts might not be trusted. If the checkViaHeader property is not set or is set to false, then the trusted host names property has no influence. If the checkViaHeader property is set to true and the trusted host names property is not set, then TAI initialization will fail.
    com.ibm.websphere.security.webseal.ports Do not set this property if using TAM Plug-in for Web Servers. This property is a comma-separated list of trusted host ports. Requests arriving from unlisted ports might not be trusted. If the checkViaHeader property is not set or is set to false then this property has no influence. If the checkViaHeader property is set to true and the trusted host ports property is not set in WAS then the TAI initialization fails.
    com.ibm.websphere.security.webseal.viaDepth A positive integer specifying the number of source hosts in the via header to check for trust. By default, every host in the via header is checked and if any are not trusted then trust cannot be established. The via depth property is used when not all hosts in the via header are required to be trusted. The setting indicates the number of hosts that are required to be trusted.

    As an example, consider the following header:

    Via: HTTP/1.1 webseal1:7002, 1.1 webseal2:7001

    If the viaDepth property is not set, is set to 2 or is set to 0, and a request with the previous via header is received then both webseal1:7002 and webseal2:7001 need to be trusted. The following configuration applies:

    com.ibm.websphere.security.webseal.hostnames = webseal1,webseal2
    com.ibm.websphere.security.webseal.ports = 7002,7001

    If the via depth property is set to 1 and the previous request is received then only the last host in the via header needs to be trusted. The following configuration applies:

    com.ibm.websphere.security.webseal.hostnames = webseal2
    com.ibm.websphere.security.webseal.ports = 7001

    The viaDepth property is set to 0 by default which means all hosts in the via header are checked for trust.

    com.ibm.websphere.security.webseal.ssoPwdExpiry After trust is established for a request, the single signon user password is cached, saving the need to have the TAI re-authenticate the single signon user with TAM for every request. The cache timeout period can be modified by setting the single signon password expiry property to the required time in seconds. If the password expiry property is set to 0, the cached password will never expire. The default value for the password expiry property is 600.
    com.ibm.websphere.security.webseal.ignoreProxy This property can be used to tell the TAI to ignore proxies as trusted hosts. If set to true the comments field of the hosts entry in the via header is checked to determine if a host is a proxy. It must be remembered that not all proxies insert comments in the via header indicating that they are proxies. The default value of the ignoreProxy property is false. If the checkViaHeader property is set to false then the ignoreProxy property has no influence in establishing trust.
    com.ibm.websphere.security.webseal.configURL For the TAI to be able to establish trust for a request it requires that SvrSslCfg has been run for the WebSphere JVM resulting in a properties file being created. If this properties file is not at the default URL...

    file://java.home/PdPerm.properties

    ...then the correct URL of the properties file must be set in the config URL property.

    If this property is not set and the SvrSslCfg generated properties file is not in the default location, the TAI initialization fails. The default value for the config URL property is...

    file://${WAS_INSTALL_ROOT}/java/jre/PdPerm.properties

  7. Click OK.

  8. Save the configuration and log out.

  9. Restart WAS.
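
The following added example (not IBM code and not part of the original page) models the documented interaction of checkViaHeader, hostnames, ports and viaDepth, so a planned property set can be checked against a sample Via header before it is entered in the console. The function names are hypothetical; matching host and port independently and rejecting a request with no Via entries are assumptions, and ignoreProxy is not modelled.

```python
import re

# Added illustration: models the rules documented on this page, not IBM's TAI code.
P = "com.ibm.websphere.security.webseal."
SAMPLE_VIA = "HTTP/1.1 webseal1:7002, 1.1 webseal2:7001"  # header value from the page

def _csv(value):
    return [item.strip() for item in value.split(",") if item.strip()]

def _via_enabled(props):
    return props.get(P + "checkViaHeader", "false").strip().lower() == "true"

def init_errors(props):
    """Return the documented reasons TAI initialization would fail."""
    errors = []
    if not props.get(P + "loginId"):
        errors.append("loginId is mandatory")
    if _via_enabled(props):
        for name in ("hostnames", "ports"):
            if not _csv(props.get(P + name, "")):
                errors.append(name + " must be set when checkViaHeader is true")
    return errors

def hops_to_check(via_value, via_depth=0):
    """Parse a Via value; return the (host, port) hops that must be trusted."""
    hops = []
    for entry in re.sub(r"\([^)]*\)", "", via_value).split(","):
        fields = entry.split()
        if len(fields) >= 2:  # <protocol version> <host[:port]>
            host, _, port = fields[1].partition(":")
            hops.append((host, port))
    # viaDepth 0 (the default) checks every hop; N > 0 checks only the last N.
    return hops if via_depth <= 0 else hops[-via_depth:]

def via_check_passes(props, via_value):
    """Model the Via-header part of the trust decision for one request."""
    if not _via_enabled(props):
        return True  # Via header ignored; hostnames and ports have no influence
    hosts = set(_csv(props.get(P + "hostnames", "")))  # case sensitive, as documented
    ports = set(_csv(props.get(P + "ports", "")))
    depth = int(props.get(P + "viaDepth", "0"))
    hops = hops_to_check(via_value, depth)
    # Assumptions: host and port are matched independently; no Via entries fails closed.
    return bool(hops) and all(h in hosts and p in ports for h, p in hops)
```

With checkViaHeader left at its default of false, via_check_passes returns True for any Via value, which matches the page's statement that loginId is then the only mandatory property.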


 

See Also

SSO using WebSEAL or the TAM plug-in for Web servers
Trust associations
Configuring trust association interceptors
Trust association interceptor support for Subject creation