Simple junctions
pdadmin is a command-line utility for administration. We can also use the Tivoli Access Manager Web Portal Manager, which provides a graphical interface. Before creating junctions, we need to log in to the secure domain using the sec_master user ID, as shown:
pdadmin -a sec_master
password: Enter your password for sec_master
pdadmin sec_master>
We can get a list of configured WebSEAL servers by using the server list command:
pdadmin sec_master> server list
default-webseald-m23vnx61
default-webseald-m10d9ffd
ivacld-m23vnx61
From this server list output, we can choose the server required, for example default-webseald-m23vnx61, for junction creation. There are three required options for creating basic WebSEAL junctions:
- -h: hostname of the backend junctioned server
- -t: junction transport type, the options are: tcp, ssl, tcpproxy, sslproxy, local
- the junction point name
The syntax for creating a basic junction is:
server task webseal-instance_name create -t transport_type -h host_name jct_point_name
For example:
server task default-webseald-m23vnx61 create -t tcp -h bc2srv2.itso.ral.ibm.com /test
A junction can be configured to insert Tivoli Access Manager specific client identity and group information into the HTTP header by using the -c option. This information is then passed to the backend servers, which can read it from the HTTP header. There are four options that we can use with -c:
- iv-user: Passes the short name or the long name. Defaults to unauthenticated if the client is unauthenticated.
- iv-user_l: Passes the full Distinguished Name of the user.
- iv-groups: Passes a comma-separated list of the groups to which the client belongs.
- iv-creds: Encoded opaque data structure representing an Access Manager credential. Used by the new TAI to create a PDPrincipal object and insert that object into the Subject.
Note: -c all adds all of the four options mentioned above.
Several of these options can also be given together, separated by commas.
A junction can be configured to supply client identity in the Basic Authentication (BA) header by using the -b option when creating the junctions. This is different from the -c option discussed earlier.
To configure a junction for use with the Trust Association Interceptor (TAI) of WebSphere Application Server, configure the junction with the -b supply option, which inserts the dummy password configured in webseald.conf into the BA header. This dummy password is used by the WebSEAL TAI to establish trust between the participating WebSEAL servers and WebSphere Application Servers.
We can use the -f option to force a new junction to overwrite an existing junction mount point. Here is an example of using the options described above:
server task default-webseald-m23vnx61 create -t ssl -h bc2srv2.itso.ral.ibm.com -f -c iv_user,iv_creds /test
This creates a new junction, /test, that overwrites the existing junction of the same name. To view the details of this junction, use the server task <webseal server> show <junction-name> command.
pdadmin sec_master> server task default-webseald-m23vnx61 show /test
Junction point: /test
Type: TCP
Junction hard limit: 0 - using global value
Junction soft limit: 0 - using global value
Active worker threads: 0
Basic authentication mode: supply
Forms based SSO: disabled
Authentication HTTP header: insert - iv_user iv_creds
Remote Address HTTP header: do not insert
Stateful junction: no
Boolean Rule Header: no
Scripting support: yes
Preserve cookie names: no
Delegation support: no
Mutually authenticated: no
Insert WebSphere LTPA cookies: no
Insert WebSEAL session cookies: no
Request Encoding: UTF-8, URI Encoded
Server 1:
    ID: f33eb906-28f1-11d9-9d0e-0002557c751d
    Server State: running
    Hostname: bc2srv2.itso.ral.ibm.com
    Port: 80
    Virtual hostname: bc2srv2.itso.ral.ibm.com
    Server DN:
    Query_contents URL: /cgi-bin/query_contents
    Query-contents: unknown
    Case insensitive URLs: no
    Allow Windows-style URLs: yes
    Total requests : 2437
If the communications channel between WebSEAL and the junctioned backend server is not secured, use SSL junctions to ensure security.
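The following Python script is an added example, not part of this Redbook or of the pdadmin tool. It ties together the two procedures above: it parses the output of server task <instance> show <junction> into a dictionary, audits a junction for the channel-security point just made (a TCP junction that carries -b supply dummy passwords or -c identity headers to the backend in clear text), and assembles the pdadmin create line that would re-create the same junction over SSL, validating the -t and -c values listed earlier. The sample output is the /test junction shown above, re-flowed one field per line; the assumption that the Type field prints as SSL or SSLPROXY for encrypted junctions, and as LOCAL for local ones, is mine. Paste the real show output into the script, or pipe it in, to audit a production junction.

```python
"""Audit a WebSEAL junction from `pdadmin` show output and build an SSL re-create command."""
import re

TRANSPORTS = ("tcp", "ssl", "tcpproxy", "sslproxy", "local")          # valid -t values
IDENTITY_VALUES = ("iv_user", "iv_user_l", "iv_groups", "iv_creds", "all")  # valid -c values

# Sample input: the page's `show /test` output, one field per line (copied, not invented).
SAMPLE_SHOW = """\
Junction point: /test
Type: TCP
Junction hard limit: 0 - using global value
Basic authentication mode: supply
Authentication HTTP header: insert - iv_user iv_creds
Remote Address HTTP header: do not insert
Mutually authenticated: no
Request Encoding: UTF-8, URI Encoded
Server 1:
    ID: f33eb906-28f1-11d9-9d0e-0002557c751d
    Server State: running
    Hostname: bc2srv2.itso.ral.ibm.com
    Port: 80
    Server DN:
    Total requests : 2437
"""


def parse_show(text):
    """Turn show output into {field: value, 'servers': [{...}, ...]}.

    Top-level fields become string values; each 'Server N:' block becomes a dict
    in the 'servers' list. Keys keep their printed spelling, whitespace-trimmed.
    """
    junction = {"servers": []}
    current = junction
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^Server\s+(\d+):$", line)
        if m:                                   # start of a backend server block
            current = {"index": int(m.group(1))}
            junction["servers"].append(current)
            continue
        key, sep, value = line.partition(":")   # first colon separates field from value
        if sep:
            current[key.strip()] = value.strip()
    return junction


def inserted_identity(junction):
    """Return the -c values in force, e.g. ['iv_user', 'iv_creds']; [] if none."""
    field = junction.get("Authentication HTTP header", "")
    if not field.startswith("insert"):
        return []
    return field.partition("-")[2].split()      # 'insert - iv_user iv_creds' -> names


def audit_junction(junction):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    jct = junction.get("Junction point", "?")
    jtype = junction.get("Type", "").upper()
    # Assumption: SSL-type junctions encrypt the hop; local junctions do not cross the network.
    encrypted = jtype.startswith("SSL") or jtype == "LOCAL"
    if not encrypted:
        findings.append(f"{jct}: type {jtype or 'unknown'} reaches the backend without SSL")
        if junction.get("Basic authentication mode") == "supply":
            findings.append(f"{jct}: -b supply sends the webseald.conf dummy password in clear text")
        identity = inserted_identity(junction)
        if identity:
            findings.append(f"{jct}: identity headers {', '.join(identity)} cross in clear text")
    for server in junction["servers"]:
        if server.get("Server State") != "running":
            findings.append(f"{jct}: backend {server.get('Hostname')} is {server.get('Server State')}")
    return findings


def build_create_command(instance, transport, host, jct, identity=(), basic_auth=None, force=False):
    """Assemble 'server task <instance> create ...' after validating -t and -c values."""
    if transport not in TRANSPORTS:
        raise ValueError(f"unknown transport {transport!r}; expected one of {TRANSPORTS}")
    bad = [v for v in identity if v not in IDENTITY_VALUES]
    if bad:
        raise ValueError(f"unknown -c value(s) {bad}; expected any of {IDENTITY_VALUES}")
    if not jct.startswith("/"):
        raise ValueError("junction point must start with '/'")
    parts = ["server", "task", instance, "create", "-t", transport, "-h", host]
    if force:
        parts.append("-f")                      # overwrite an existing mount point
    if identity:
        parts += ["-c", ",".join(identity)]
    if basic_auth:
        parts += ["-b", basic_auth]
    parts.append(jct)
    return " ".join(parts)


def ssl_recreate_command(instance, junction):
    """Re-create a parsed junction over SSL, keeping its host, -c headers and -b supply."""
    mode = junction.get("Basic authentication mode")
    return build_create_command(instance, "ssl", junction["servers"][0]["Hostname"],
                                junction["Junction point"], identity=inserted_identity(junction),
                                basic_auth="supply" if mode == "supply" else None, force=True)


if __name__ == "__main__":
    parsed = parse_show(SAMPLE_SHOW)
    for finding in audit_junction(parsed):
        print("FINDING:", finding)
    print("Suggested:", ssl_recreate_command("default-webseald-m23vnx61", parsed))
```

The audit only flags what the show output proves: the junction type, the Basic authentication mode and the identity headers are read back rather than assumed from the create command, which matters here because the page's own example was created with -t ssl yet shows Type: TCP. The suggested create line keeps -f so the existing mount point is replaced in place.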