Configure Tivoli Access Manager plug-in for Web servers for use with WAS
Tivoli Access Manager plug-in for Web servers can be used as a security gateway for your protected WAS resources.
Overview
With such an arrangement the plug-in authorizes all user requests before passing the credentials of the authorized user to WebSphere Application Server in the form of an iv-creds header. Trust between the plug-in and WebSphere Application Server is established through use of basic authentication headers containing the SSO user password.
Procedure
- The Tivoli Access Manager plug-in for Web servers configuration shows IV headers configured for post-authorization processing, and basic authentication that is configured as the authentication mechanism and for post-authorization processing, as shown in the example below.
- After a request is authorized, the basic authentication header is removed from the request (strip-hdr=always) and a new one is added (add-hdr=supply).
- Included in this new header is the password that is set when the SSO user is created in Creating a trusted user account in Tivoli Access Manager.
- Specify this password in the supply-password parameter and it is passed in the newly created header. This basic authentication header enables trust between WAS and the plug-in.
- An iv-creds header is also added (generate=iv-creds), which contains the credential information of the user passed onto WebSphere Application Server. Session cookies are used to maintain session state.
Example
[common-modules] authentication = BA session = session-cookie post-authzn = BA post-authzn = iv-headers [iv-headers] accept = all generate = iv-creds [BA] strip-hdr = always add-hdr = supply supply-password = sso_user_password
What to do next
Configure single sign-on using the trust association interceptor or Configuring single sign-on using trust association interceptor ++
Related tasks
Creating a trusted user account in Tivoli Access Manager
Configure single sign-on capability with Tivoli Access Manager or WebSEAL