Configure WebSEAL for use with WAS
Overview
Configure WebSEAL for single sign-on to WebSphere Application Server by creating a junction between WebSEAL and WAS. This junction carries the iv-credentials header (for TAI++) or the iv-user header (for TAI), together with the HTTP basic authentication header, with each request. Although WebSEAL can be configured to pass the end user identity in other ways, the iv-credentials header is the only one supported by TAI++ and the iv-user header is the only one supported by TAI.
Setup:
- To set up SSL across the junction:
- Configure the HTTP Server used by WAS, and WAS itself, to accept inbound SSL traffic
- Import necessary signing certificates into the WebSEAL certificate keystore, and possibly also the HTTP Server certificate keystore.
Setting up an SSL junction is optional; a non-SSL (TCP) junction also works. Note, however, that the basic authentication header carries the trusted user's password base64-encoded, not encrypted, so over a TCP junction it crosses the network in cleartext. Use -t ssl unless the WebSEAL-to-WAS path is protected by other means.
- Create the junction between WebSEAL and WAS using the -c iv_creds option for TAI++ and -c iv_user for TAI.
- TAI++
pdadmin> server task webseald-server create -t ssl -b supply -c iv_creds -h host -p port junction_name
- TAI
pdadmin> server task webseald-server create -t ssl -b supply -c iv_user -h host -p port junction_name
Authentication flow:
- When a user requests a protected object and is required to authenticate, WebSEAL first examines the user request for authentication data. Authentication data includes method-specific authentication information, such as passwords and certificates, that represent physical identity properties of the user.
- The result of successful authentication is a client identity. The client identity is a data structure that includes the user name and any extended attribute information that is to be added to the resulting credential.
- IBM Security Access Manager uses the client identity information to build a credential for that user. ISAM matches the client identity with a registered ISAM user and builds a credential appropriate to this user. This action is known as credentials acquisition.
The credential is a complex structure that includes the user name, any group memberships, and any special extended security attributes associated with the user's session. The credential describes the user in a specific context and is valid only for the lifetime of that session.
The authorization service uses this credential to permit or deny access to protected resources after evaluating the authorization policies governing each object.
Credential acquisition can succeed only if the user has an account defined in the ISAM user registry.
Notes:
- If warning messages are displayed about the incorrect setup of certificates and key databases, delete the junction, correct problems with the key databases, and recreate the junction.
- The junction can be created as -t tcp or -t ssl, depending on your requirements.
Set the password in WebSEAL:
- Edit the WebSEAL configuration file webseal_install_directory/etc/webseald-default.conf
Set the following parameter in the [junction] stanza: basicauth-dummy-passwd=webseal_userid_passwd
where webseal_userid_passwd is the SSO password for the trusted user account created in Create a trusted user account in ISAM. WebSEAL sends this password in the basic authentication header on every junctioned request, and the TAI on WAS checks it before it trusts the iv-user or iv-creds header, so it must match the password of that account exactly.
- Restart WebSEAL.
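The two steps above (create the junction, set the dummy password) as a small POSIX shell helper. This is an added example, not code from the ISAM documentation: junction_cmd builds the pdadmin "server task ... create" line for the chosen TAI mode, and set_dummy_passwd edits basicauth-dummy-passwd inside the [junction] stanza of a constructed copy of webseald-default.conf, replacing an existing value rather than appending a second one. The host, port, junction name and server name are placeholders; the real command is still run inside pdadmin after logging in as an administrator, and WebSEAL still has to be restarted afterwards.

```shell
#!/bin/sh
# Added example (not from the ISAM docs). Builds the pdadmin junction command
# and sets basicauth-dummy-passwd in the [junction] stanza of a WebSEAL config.

# Emit the pdadmin "server task <webseald> create" line.
# mode is "taipp" (iv_creds header) or "tai" (iv_user header).
# -b supply sends the trusted user's BA header with each request;
# the junction type defaults to ssl (see the note on TCP junctions above).
junction_cmd() {
    mode=$1; webseald=$2; host=$3; port=$4; jct=$5; type=${6:-ssl}
    case $mode in
        taipp) hdr=iv_creds ;;
        tai)   hdr=iv_user ;;
        *)     echo "junction_cmd: unknown mode '$mode' (use tai or taipp)" >&2; return 1 ;;
    esac
    printf 'server task %s create -t %s -b supply -c %s -h %s -p %s %s\n' \
        "$webseald" "$type" "$hdr" "$host" "$port" "$jct"
}

# Set basicauth-dummy-passwd in the [junction] stanza only (assumed here to be
# the stanza that holds it, as in stock webseald-default.conf files).
# An existing value is replaced; if none exists one is appended to the stanza.
set_dummy_passwd() {
    conf=$1; pw=$2
    awk -v pw="$pw" '
        /^\[/ { if (in_jct && !done) { print "basicauth-dummy-passwd = " pw; done = 1 }
                in_jct = ($0 == "[junction]") }
        in_jct && /^basicauth-dummy-passwd[ \t]*=/ {
                print "basicauth-dummy-passwd = " pw; done = 1; next }
        { print }
        END { if (in_jct && !done) print "basicauth-dummy-passwd = " pw }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Read the effective value back from the [junction] stanza (empty if unset).
get_dummy_passwd() {
    awk '/^\[/ { in_jct = ($0 == "[junction]") }
         in_jct && /^basicauth-dummy-passwd[ \t]*=/ {
             sub(/^[^=]*=[ \t]*/, ""); print; exit }' "$1"
}

# Offline demonstration on a constructed config file (placeholder values).
demo() {
    dir=$(mktemp -d); conf=$dir/webseald-default.conf
    printf '%s\n' '[server]' 'server-name = webseald-default' \
        '[junction]' 'basicauth-dummy-passwd = dummy' \
        '[ssl]' 'ssl-keyfile = pdsrv.kdb' > "$conf"
    echo "pdadmin> $(junction_cmd taipp webseald-default was.example.com 9443 /was)"
    set_dummy_passwd "$conf" 'Trusted-Pass-1'
    echo "basicauth-dummy-passwd is now: $(get_dummy_passwd "$conf")"
    rm -rf "$dir"
}
demo
```

After editing the real configuration file, check the value with get_dummy_passwd before restarting WebSEAL; a mismatch with the trusted account's password makes the TAI reject every junctioned request rather than fail open.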
See the ISAM WebSEAL Administration Guide, as well as the documentation for the HTTP Server used with WAS, and the rest of the ISAM documentation.
Related
Configure SSO capability with ISAM WebSEAL
Create a trusted user account in ISAM