TAIs for SSO between WAS and WebSEAL
To establish single sign-on between WebSphere and WebSEAL, configure Trust Association Interceptors (TAIs).
- Review settings for LTPA tokens:
Security > Global security > Authentication mechanisms and expiration
- Go to...
Security > Global security > Web security > Trust association > Enable Trust Association > Interceptors > com.ibm.ws.security.web.TAMTrustAssociationInterceptorPlus
There are two interceptors:
- com.ibm.portal.auth.tai.HTTPBasicAuthTAI
- com.ibm.ws.security.web.TAMTrustAssociationInterceptorPlus
WAS attempts to initialize both of these interceptors even if we only supplied properties for the com.ibm.ws.security.web.TAMTrustAssociationInterceptorPlus interceptor. As a result, messages AWXRB0008E and SECJ0384E can appear during initialization to indicate that the interceptor we did not choose has failed to initialize. This is normal processing and does not affect the initialization of the interceptor we did select. To inhibit the display of messages AWXRB0008E and SECJ0384E, we can delete the interceptor we do not want to use prior to beginning the initialization. We can add that interceptor back later if the environment changes.
- Enter the property name and value pairs.
Custom Properties > New
...for the following parameters...
- com.ibm.websphere.security.webseal.configURL: For the TAI to establish trust for a request, the PdjRteCfg and SvrSslCfg scripts must first be run on each node in the cell. These scripts create the PdPerm.properties file. If PdPerm.properties is not at the default URL, file://java.home/PdPerm.properties, set this property to the correct URL of the properties file. If this property is not set and the SvrSslCfg-generated properties file is not in the default location, TAI initialization fails. The PdPerm.properties file is part of the ISAM configuration and is created in the profile_root/etc/pd/PolicyDirector/ directory.
- com.ibm.websphere.security.webseal.loginId: The WebSEAL trusted user, as created in Create a trusted user account in ISAM. The username is given in its short-name form. Mandatory: if it is not set, TAI initialization fails.
- com.ibm.websphere.security.webseal.id: A comma-separated list of headers that must exist in the request. Unless all of the configured headers are present in the request, trust cannot be established. The default value is iv-creds. Any other values set in WAS are added to the list along with iv-creds, separated by commas.
- com.ibm.websphere.security.webseal.hostnames: Trusted WebSEAL host names (case sensitive) expected in the request header. Requests arriving from unlisted hosts might not be trusted. If checkViaHeader is not set or is set to false, this property has no influence. If checkViaHeader is set to true and this property is not set, TAI initialization fails. Do not set when using the ISAM Plug-in for Web Servers.
- com.ibm.websphere.security.webseal.ports: Comma-separated list of trusted host ports. Requests that arrive from unlisted ports might not be trusted. If checkViaHeader is not set or is set to false, this property has no influence. If checkViaHeader is set to true and this property is not set in WAS, TAI initialization fails. Do not set when using the ISAM Plug-in for Web Servers.
- com.ibm.websphere.security.webseal.ssoPwdExpiry: After trust is established for a request, the single sign-on user's password is cached, so the TAI does not have to re-authenticate the single sign-on user with ISAM for every request. To change the cache timeout, set this property to the required time in seconds. If it is set to 0, the cached password never expires. The default value is 600.
- com.ibm.websphere.security.webseal.ignoreProxy: Tells the TAI to ignore proxies as trusted hosts. If true, the comments field of each host entry in the via header is checked to determine whether that host is a proxy. Not all proxies insert comments in the via header indicating that they are proxies. The default value is false. If checkViaHeader is set to false, ignoreProxy has no influence on establishing trust.
- com.ibm.websphere.security.webseal.checkViaHeader: Controls whether the via header is used when validating trust for a request. Set to false if none of the hosts in the via header need to be trusted; the hostnames and ports properties then do not need to be set, and the only mandatory property is com.ibm.websphere.security.webseal.loginId. The default value is false. When using the ISAM Plug-in for Web Servers, set this property to false. The via header is a standard HTTP header that records the servers a request has passed through.
- com.ibm.websphere.security.webseal.viaDepth: Number of source hosts in the via header to check for trust. By default, every host in the via header is checked, and if any host is not trusted, trust cannot be established. Use viaDepth when only some of the hosts in the via header have to be trusted: the value is the number of hosts, counted from the right end of the header, that must be trusted. For example, for the following header:
  Via: HTTP/1.1 webseal1:7002, 1.1 webseal2:7001
  If viaDepth is not set, is set to 0, or is set to 2, and a request with this via header is received, both webseal1:7002 and webseal2:7001 need to be trusted, so the following configuration applies:
  com.ibm.websphere.security.webseal.hostnames = webseal1,webseal2
  com.ibm.websphere.security.webseal.ports = 7002,7001
  If viaDepth is set to 1 and the same request is received, only the last host in the via header needs to be trusted, so the following configuration applies:
  com.ibm.websphere.security.webseal.hostnames = webseal2
  com.ibm.websphere.security.webseal.ports = 7001
  viaDepth is 0 by default, which means all of the hosts in the via header are checked for trust.
- Click OK.
- Save the configuration and log out.
- Restart WAS.
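The checkViaHeader, hostnames, ports, viaDepth and ignoreProxy rules described above, as an added example: a Python model written for this page, not IBM's TAI code. The Via entry grammar and the proxy-comment rule used for ignoreProxy are assumptions.

```python
import re

# Assumed Via entry grammar (after RFC 7230): protocol, received-by host[:port],
# optional "(comment)". Header from the page: "HTTP/1.1 webseal1:7002, 1.1 webseal2:7001".
_VIA_ENTRY = re.compile(r"^(\S+)\s+([^\s(]+)(?:\s+\((.*)\))?$")

def parse_via(via):
    """Split a Via header into (host, port, comment) tuples; leftmost = farthest upstream."""
    entries = []
    for item in via.split(","):
        item = item.strip()
        if not item:
            continue
        m = _VIA_ENTRY.match(item)
        if not m:
            raise ValueError("malformed Via entry: %r" % item)
        host, sep, port = m.group(2).rpartition(":")
        if not sep:                      # no port given in this hop
            host, port = m.group(2), None
        entries.append((host, port, m.group(3)))
    return entries

def via_trusted(via, hostnames="", ports="", check_via_header=False,
                via_depth=0, ignore_proxy=False):
    """Model of the TAI host-trust rule for the given property values.

    hostnames/ports mirror webseal.hostnames / webseal.ports (comma-separated, checked as
    independent lists, as the page describes them); via_depth mirrors webseal.viaDepth
    (0 = every host, N = the N rightmost hosts); ignore_proxy mirrors webseal.ignoreProxy.
    """
    if not check_via_header:             # checkViaHeader=false: the via header is not consulted
        return True
    entries = parse_via(via)
    if ignore_proxy:
        # Assumption: a hop counts as a proxy only when its comment says so. A proxy that
        # adds no comment is still checked, which is the caveat the page gives.
        entries = [e for e in entries if not (e[2] and "proxy" in e[2].lower())]
    to_check = entries if via_depth <= 0 else entries[-via_depth:]
    trusted_hosts = {h.strip() for h in hostnames.split(",") if h.strip()}
    trusted_ports = {p.strip() for p in ports.split(",") if p.strip()}
    return all(host in trusted_hosts and port in trusted_ports for host, port, _ in to_check)
```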
Related:
- Trust associations
- Configure SSO capability with ISAM WebSEAL
- Integrating third-party HTTP reverse proxy servers