Configure Trusted Authentication Interceptor between WebSphere 6 & WebSEAL

Configure Trusted Authentication Interceptor between WebSphere 6 & WebSEAL

+
Search Tips | Advanced Search

Create a trusted user account in Tivoli Access Manager

Tivoli Access Manager (TAM) trust association interceptors (TAI) require the creation of a trusted user account in the shared LDAP user registry.
This account includes the ID and password that WebSEAL uses to identify itself to WebSphere Application Server. To prevent potential vulnerabilities, do not use the sec_master ID as the trusted user account and ensure that the password you use is unique and generated randomly. Use the trusted user account for the TAI or TAI++ only.
Use either the TAM pdadmin command-line utility or Web Portal Manager to create the trusted user. For example, from the pdadmin command line.
pdadmin> user create webseal_userid webseal_userid_DN firstname surname password
pdadmin> user modify webseal_userid account-valid yes

Configure WebSEAL for use with WebSphere Application Server

Use this topic to set the SSO password in WebSEAL for single sign-on to WAS.
A junction must be created between WebSEAL and WAS. This junction carries the iv-credentials (for TAI++) or iv-user (for TAI) and the HTTP basic authentication headers with the request. You can configure WebSEAL to pass the end user identity in other ways, the iv-credentials header is the only one supported by the TAI++ and the iv-user is the only one supported by TAI.
IBM recommends that communications over the junction use Secure Sockets Layer (SSL) for increased security. Setting up SSL across this junction requires that you configure the HTTP Server used by WAS, and WAS itself, to accept inbound SSL traffic and route it correctly to WAS. This activity requires importing the necessary signing certificates into the WebSEAL certificate keystore, and possibly also the HTTP Server certificate keystore.
Create the junction between WebSEAL and WAS using the -c iv_creds option for TAI++ and -c iv_user for TAI. For example, for TAI++...

server task webseald-server create -t ssl -b supply -c iv_creds -h host_name -p websphere_app_port_number junction_name

If warning messages are displayed about the incorrect setup of certificates and key databases, delete the junction, correct problems with the key databases, and recreate the junction.
The junction can be created as -t tcp or -t ssl, depending on your requirements.
For SSO to WAS the SSO password must be set in WebSEAL...

Edit the WebSEAL configuration file...
webseal_install_directory/etc/webseald-default.conf

Set the following parameter...
basicauth-dummy-passwd=webseal_userid_passwd

...where webseal_userid_passwd is the SSO password for the trusted user account
Restart WebSEAL.

single sign-on using TAI++ in WebSphere 6

Perform this task to enable single sign-on using TAI++. The steps involve setting up trust association and creating the interceptor properties.

Ensure that LTPA is the active authentication mechanism. Go to...
Security > Global Security

Ensure that the Active Authentication Mechanism field is set to LTPA (LTPA). Save your changes.
Although you can use Simple WebSphere Authentication Mechanism (SWAM) by selecting the Use SWAM-no authenticated communication between servers option on the Authentication mechanisms and expiration panel, single sign-on (SSO) requires LTPA as the configured authentication mechanism.
Establish the trust association for the single sign-on

From the WAS administrative console, click...
Security | Global security Authentication | Authentication mechanisms | LTPA | Additional properties | Trust association

Click Enable Trust Association.
Click Interceptors.
Click...
com.ibm.ws.security.web.TAMTrustAssociationInterceptorPlus

...to use a WebSEAL interceptor.
This interceptor is one of two WebSEAL interceptors that are supplied for your use. You choose to use this interceptor by supplying properties as described in the next step. The other interceptor that is supplied is...
com.ibm.ws.security.web.WebSealTrustAssociationInterceptor

WAS attempts to initialize both of these interceptors even if you only supplied properties for the com.ibm.ws.security.web.TAMTrustAssociationInterceptorPlus interceptor. As a result, messages AWXRB0008E and SECJ0384E can appear during initialization to indicate that the interceptor you did not choose has failed to initialize. This is normal processing and does not affect the initialization of the interceptor you did select. To inhibit the display of messages AWXRB0008E and SECJ0384E, you can delete the interceptor you do not want to use prior to beginning the initialization. You can add that interceptor back later if your environment changes.
Click...
Custom Properties | New

...to enter the property name and value pairs. Ensure that the following parameters are set:

Option Description
com.ibm.websphere.security.webseal.checkViaHeader You can configure TAI so that the via header can be ignored when validating trust for a request. Set this property to false if none of the hosts in the via header need to be trusted. When set to false you do not need to set the trusted host names and host ports properties. The only mandatory property to check when via header is false is com.ibm.websphere.security.webseal.loginId.
The default value of the check via header property is false. When using TAM plug-in for Web servers, set this property to false.
The via header is part of the standard HTTP header that records the server names the request that passed through.
com.ibm.websphere.security.webseal.loginId The WebSEAL trusted user as created in Creating a trusted user account in TAM The format of the username is the short name representation. This property is mandatory. If it is not set in WAS, the TAI initialization fails.
com.ibm.websphere.security.webseal.id A comma-separated list of headers that exists in the request. If all of the configured headers do not exist in the request, trust cannot be established. The default value for the ID property is iv-creds. Any other values set in WAS are added to the list along with iv-creds, separated by commas. com.ibm.websphere.security.webseal.hostnames Do not set this property if using TAM Plug-in for Web Servers. The property specifies the host names (case sensitive) that are trusted and expected in the request header. Requests arriving from un-listed hosts might not be trusted. If the checkViaHeader property is not set or is set to false then the trusted host names property has no influence. If the checkViaHeader property is set to true, and the trusted host names property is not set, TAI initialization fails.
com.ibm.websphere.security.webseal.ports Do not set this property if using TAM plug-in for Web servers. This property is a comma-separated list of trusted host ports. Requests that arrive from unlisted ports might not be trusted. If the checkViaHeader property is not set, or is set to false this property has no influence. If the checkViaHeader property is set to true, and the trusted host ports property is not set in WAS, the TAI initialization fails.
com.ibm.websphere.security.webseal.viaDepth A positive integer that specifies the number of source hosts in the via header to check for trust. By default, every host in the via header is checked, and if any host is not trusted, trust cannot be established. The via depth property is used when only some of the hosts in the via header have to be trusted. The setting indicates the number of hosts that are required to be trusted.
As an example, consider the following header:
Via: HTTP/1.1 webseal1:7002, 1.1 webseal2:7001

If the viaDepth property is not set, is set to 2 or is set to 0, and a request with the previous via header is received then both webseal1:7002 and webseal2:7001 need to be trusted. The following configuration applies:
com.ibm.websphere.security.webseal.hostnames = webseal1,webseal2
com.ibm.websphere.security.webseal.ports = 7002,7001

If the via depth property is set to 1, and the previous request is received, then only the last host in the via header needs to be trusted. The following configuration applies:
com.ibm.websphere.security.webseal.hostnames = webseal2
com.ibm.websphere.security.webseal.ports = 7001

The viaDepth property is set to 0 by default, which means all of the hosts in the via header are checked for trust.
com.ibm.websphere.security.webseal.ssoPwdExpiry After trust is established for a request, the single sign-on user password is cached, eliminating the need to have the TAI re-authenticate the single sign-on user with TAM for every request. You can modify the cache timeout period by setting the single sign-on password expiry property to the required time in seconds. If the password expiry property is set to 0, the cached password never expires. The default value for the password expiry property is 600.
com.ibm.websphere.security.webseal.ignoreProxy Tell the TAI to ignore proxies as trusted hosts. If set to true the comments field of the hosts entry in the via header is checked to determine if a host is a proxy. Remember that not all proxies insert comments in the via header indicating that they are proxies. The default value of the ignoreProxy property is false. If the checkViaHeader property is set to false then the ignoreProxy property has no influence in establishing trust.
com.ibm.websphere.security.webseal.configURL For the TAI to establish trust for a request, it requires that the SvrSslCfg run for the Java Virtual Machine on the Application Server and result in the creation of a properties file. If this properties file is not at the default URL, which is...
file://java.home/PdPerm.properties

...the correct URL of the properties file must be set in the configuration URL property. If this property is not set, and the SvrSslCfg-generated properties file is not in the default location, the TAI initialization fails. The default value for the config URL property is...
file://${WAS_INSTALL_ROOT}/java/jre/PdPerm.properties

Click OK.
Save the configuration and log out.
Restart WebSphere Application Server.

Option	Description
com.ibm.websphere.security.webseal.checkViaHeader You can configure TAI so that the via header can be ignored when validating trust for a request. Set this property to false if none of the hosts in the via header need to be trusted. When set to false you do not need to set the trusted host names and host ports properties. The only mandatory property to check when via header is false is com.ibm.websphere.security.webseal.loginId. The default value of the check via header property is false. When using TAM plug-in for Web servers, set this property to false. The via header is part of the standard HTTP header that records the server names the request that passed through.
com.ibm.websphere.security.webseal.loginId The WebSEAL trusted user as created in Creating a trusted user account in TAM The format of the username is the short name representation. This property is mandatory. If it is not set in WAS, the TAI initialization fails.
com.ibm.websphere.security.webseal.id A comma-separated list of headers that exists in the request. If all of the configured headers do not exist in the request, trust cannot be established. The default value for the ID property is iv-creds. Any other values set in WAS are added to the list along with iv-creds, separated by commas. com.ibm.websphere.security.webseal.hostnames Do not set this property if using TAM Plug-in for Web Servers. The property specifies the host names (case sensitive) that are trusted and expected in the request header. Requests arriving from un-listed hosts might not be trusted. If the checkViaHeader property is not set or is set to false then the trusted host names property has no influence. If the checkViaHeader property is set to true, and the trusted host names property is not set, TAI initialization fails.
com.ibm.websphere.security.webseal.ports	Do not set this property if using TAM plug-in for Web servers. This property is a comma-separated list of trusted host ports. Requests that arrive from unlisted ports might not be trusted. If the checkViaHeader property is not set, or is set to false this property has no influence. If the checkViaHeader property is set to true, and the trusted host ports property is not set in WAS, the TAI initialization fails.
com.ibm.websphere.security.webseal.viaDepth A positive integer that specifies the number of source hosts in the via header to check for trust. By default, every host in the via header is checked, and if any host is not trusted, trust cannot be established. The via depth property is used when only some of the hosts in the via header have to be trusted. The setting indicates the number of hosts that are required to be trusted. As an example, consider the following header: Via: HTTP/1.1 webseal1:7002, 1.1 webseal2:7001 If the viaDepth property is not set, is set to 2 or is set to 0, and a request with the previous via header is received then both webseal1:7002 and webseal2:7001 need to be trusted. The following configuration applies: com.ibm.websphere.security.webseal.hostnames = webseal1,webseal2 com.ibm.websphere.security.webseal.ports = 7002,7001 If the via depth property is set to 1, and the previous request is received, then only the last host in the via header needs to be trusted. The following configuration applies: com.ibm.websphere.security.webseal.hostnames = webseal2 com.ibm.websphere.security.webseal.ports = 7001 The viaDepth property is set to 0 by default, which means all of the hosts in the via header are checked for trust.
com.ibm.websphere.security.webseal.ssoPwdExpiry	After trust is established for a request, the single sign-on user password is cached, eliminating the need to have the TAI re-authenticate the single sign-on user with TAM for every request. You can modify the cache timeout period by setting the single sign-on password expiry property to the required time in seconds. If the password expiry property is set to 0, the cached password never expires. The default value for the password expiry property is 600.
com.ibm.websphere.security.webseal.ignoreProxy	Tell the TAI to ignore proxies as trusted hosts. If set to true the comments field of the hosts entry in the via header is checked to determine if a host is a proxy. Remember that not all proxies insert comments in the via header indicating that they are proxies. The default value of the ignoreProxy property is false. If the checkViaHeader property is set to false then the ignoreProxy property has no influence in establishing trust.
com.ibm.websphere.security.webseal.configURL	For the TAI to establish trust for a request, it requires that the SvrSslCfg run for the Java Virtual Machine on the Application Server and result in the creation of a properties file. If this properties file is not at the default URL, which is... file://java.home/PdPerm.properties ...the correct URL of the properties file must be set in the configuration URL property. If this property is not set, and the SvrSslCfg-generated properties file is not in the default location, the TAI initialization fails. The default value for the config URL property is... file://${WAS_INSTALL_ROOT}/java/jre/PdPerm.properties Click OK. Save the configuration and log out. Restart WebSphere Application Server.