Configure IBM Security Verify Access for authentication only
If we use IBM Security Verify Access (aka ISAM) for authorization, also use ISAM for authentication. Using ISAM only for authorization is not supported.
HCL WebSphere Portal and IBM WebSphere Application Server support Trust Association Interceptors (TAI). WebSEAL junctions forward requests to an HTTP server, which then forwards them to HCL WebSphere Portal. If there is no HTTP server, modify the junction target host name and port values to enable direct communication from WebSEAL to HCL WebSphere Portal. The following examples do not show any load balancing or other performance-related request features in WebSEAL.
- Start the ISAM policy and authorization servers, which are mandatory for successful configuration and for single sign-on (SSO) to occur.
- Create the junctions on the WebSEAL server.
Create a virtual host TCP junction:
- Open a pdadmin command prompt from any node that has an ISAM runtime component installed.
Use the ISAM Server node, WebSEAL node, or the HCL WebSphere Portal node.
- The general format for the pdadmin command to create a virtual host junction is
pdadmin> server task instance-webseald-host virtualhost create -t type -h hostname [options] vhost-label
Mandatory parameters for the pdadmin command:
instance-webseald-host
Composed of three parts, for example web1-webseald-webseal.myco.com:
- web1: the WebSEAL instance name
- -webseald-: a literal string
- webseal.myco.com: the host name
vhost-label
Name for the virtual host junction.
- Virtual host junctions are always mounted at the root of the WebSEAL object space.
- We can refer to a junction in the pdadmin utility with this label.
- The virtual host junction label must be unique within each instance of WebSEAL.
- The label name must not contain the forward slash character (/).
-t type
Whether the junction is encrypted (-t ssl) or not encrypted (-t tcp). Mandatory when creating a virtual host junction.
-h hostname
The backend server to which the junction connects. In most situations, the host name is the HTTP server that sits in front of HCL WebSphere Portal. Mandatory when creating a virtual host junction.
The [options] include the following parameters:
-p port
Port number for the backend server to which the junction connects. If not specified, the default value is 80 for HTTP or 443 for HTTPS. It is best to specify this value explicitly in the junction creation command even if the default values are in use.
-v vhost[:port]
Virtual host name and port number that defines the junction. WebSEAL maps incoming requests to this host name and port to this junction. If not specified, the values default to the -h hostname and -p port values.
-c header_type
Insert the ISAM client identity in HTTP headers across the junction. The header_type argument can include any combination of the following ISAM HTTP header types:
- {iv_user|iv_user-l}
- iv_groups
- iv_creds
- all
The header types must be comma-separated, and cannot have a space between the types. For example: -c iv_user,iv_groups. Specifying -c all is the same as specifying -c iv_user,iv_groups,iv_creds. Valid for all junctions except for the type of local. The setting here depends on how we want the TAI running within WebSphere Application Server to operate. In certain modes, the TAI might be looking for the presence of one or more of these headers. The TAI looks for these headers to know that it must claim the request when interrogated by WebSphere Application Server security. This setting must be set to match what the TAI is looking for.
-b
This option controls how WebSEAL passes authentication information to the backend server. Usually this setting depends on how we want the TAI to be configured in WebSphere to validate a trust relationship with WebSEAL. The usual option chosen is -b supply.
-k
This option controls whether WebSEAL includes its own session cookie in the request to the backend server. In some situations, sending the WebSEAL session cookie to the backend server is necessary. This is needed to support single sign-on from HCL WebSphere Portal to other backend services that WebSEAL also protects.
Junctions to HCL WebSphere Portal, whether direct or through an HTTP server, do not support the -q option (the query_contents function). query_contents is not possible on HCL WebSphere Portal.
Here is a sample command to create a virtual host TCP junction on the web1 WebSEAL instance, running on host webseal.myco.com, for the IHS host name portalvhost.myco.com, running on port 80. The virtual host junction label is vhost_junction_portal_1. The virtual host junction host name must be mapped in DNS to the WebSEAL server. The portal or HTTP server is running on host portal.myco.com and is using port 8080.
pdadmin> server task web1-webseald-webseal.myco.com virtualhost create \
    -t tcp \
    -v portalvhost.myco.com:80 \
    -h portal.myco.com \
    -p 8080 \
    -c all \
    -k \
    -b supply \
    vhost_junction_portal_1
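The following shell script is an added example and is not part of the HCL documentation or the ISAM product. It assembles the pdadmin virtualhost create line from its parts and checks the constraints stated above (label without a forward slash, -t limited to tcp or ssl, an explicit -p, and a comma-separated -c list with no spaces) before the command is pasted into pdadmin. The -k and -b supply options are fixed, as in the sample command; the host names, port and label are the page's own sample values, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the HCL documentation: assemble the pdadmin
# "virtualhost create" line from its parts and check the constraints stated
# on this page before pasting it into pdadmin:
#   - the label must not contain "/" (and must not be empty)
#   - -t must be tcp or ssl
#   - -c takes iv_user, iv_user-l, iv_groups, iv_creds or all, comma-separated,
#     with no spaces
#   - -p is always given explicitly
# -k and -b supply are fixed here, as in the page's own sample command.

# Return 0 if "$1" is an acceptable -c header_type list, 1 otherwise.
valid_header_types() {
    list=$1
    case "$list" in
        ''|*' '*|,*|*,|*,,*) return 1 ;;   # empty, contains a space, or an empty element
    esac
    old_ifs=$IFS; IFS=,
    set -f                                  # no globbing while splitting on commas
    for h in $list; do
        case "$h" in
            iv_user|iv_user-l|iv_groups|iv_creds|all) ;;
            *) IFS=$old_ifs; set +f; return 1 ;;
        esac
    done
    IFS=$old_ifs; set +f
    return 0
}

# build_vhost_junction INSTANCE WEBSEAL_HOST TYPE VHOST[:PORT] BACKEND_HOST BACKEND_PORT HEADER_TYPES LABEL
# Prints the pdadmin command on stdout, or prints a reason on stderr and returns 1.
build_vhost_junction() {
    instance=$1; wshost=$2; jtype=$3; vhost=$4
    bhost=$5; bport=$6; headers=$7; label=$8
    case "$jtype" in
        tcp|ssl) ;;
        *) echo "junction type must be tcp or ssl, got '$jtype'" >&2; return 1 ;;
    esac
    case "$label" in
        ''|*/*) echo "label must be non-empty and must not contain '/'" >&2; return 1 ;;
    esac
    case "$bport" in
        ''|*[!0-9]*) echo "backend port must be numeric, got '$bport'" >&2; return 1 ;;
    esac
    valid_header_types "$headers" || { echo "invalid -c header list '$headers'" >&2; return 1; }
    printf 'server task %s-webseald-%s virtualhost create -t %s -v %s -h %s -p %s -c %s -k -b supply %s\n' \
        "$instance" "$wshost" "$jtype" "$vhost" "$bhost" "$bport" "$headers" "$label"
}

# Sample invocation with the page's own values (constructed call).
build_vhost_junction web1 webseal.myco.com tcp portalvhost.myco.com:80 \
    portal.myco.com 8080 all vhost_junction_portal_1
```

The printed line is what is typed after the pdadmin> prompt; the label uniqueness requirement within a WebSEAL instance cannot be checked offline and still has to be verified against the instance's existing junctions.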
- Optional: To use an SSL junction a key and truststore must be set up with certificates. Follow the instructions in steps 1-3 of the topic about configuring SSL, then complete the following steps.
- Use the IBM Key Management utility to load the web server certificate into the key ring for the appropriate instance of WebSEAL.
- Restart WebSEAL.
- Follow the steps mentioned earlier to create the junction. But change the -t value to ssl and add the appropriate set of options from the Mutually Authenticated SSL junctions portion of the WebSEAL Administration Guide: -B, -D, -K, -U, and -W.
- Create the trusted user account.
This step is mandatory for TAI junctions only. Skip this step if we created an LTPA junction using the -A parameter.
The trusted user account in the ISAM user registry must be the same as the one the TAI within WebSphere Application Server is configured to use. It is the ID that WebSEAL uses to identify itself to WebSphere Application Server using the -b supply option, and it is one of the underlying TAI security requirements.
To prevent potential vulnerabilities, do not use the sec_master or wpsadmin users for the trusted user account. The trusted user account must be a dedicated user account for the purposes of communication between WebSEAL and the TAI.
- pdadmin> user create webseal_userid webseal_userid_DN firstname surname password
- pdadmin> user modify webseal_userid account-valid yes
- To validate PdPerm.properties is correct and that communication between HCL WebSphere Portal and the ISAM server works:
cd WP_PROFILE/ConfigEngine
./ConfigEngine.sh validate-pdadmin-connection -DWasPassword=foo -Dwp.ac.impl.PDAdminPwd=foo
For clustered environments, run the validate-pdadmin-connection task on all nodes in the cluster. Complete all other steps only on the primary node.
If the task does not run successfully, run the run-svrssl-config task to create PdPerm.properties. See Creating PdPerm.properties. Then run the validate-pdadmin-connection task again. If the task is not successful after a second attempt, do not proceed with any subsequent steps: a failing task indicates that the portal cannot connect to the ISAM server. Troubleshoot the connectivity issue between the portal instance and the ISAM server.
- Edit...
WP_PROFILE/ConfigEngine/properties/wkplc_comp.properties
...and enter the following parameters under the WAS WebSEAL TAI parameters heading:
ISAMTAIName
com.ibm.ws.security.web.ISAMTrustAssociationInterceptorPlus
wp.ac.impl.TAICreds
Headers inserted by WebSEAL. The TAI uses these headers to identify the request as originating from WebSEAL. Refer to the values entered for the -c header_type parameter. If we entered -c iv_user, then the value for wp.ac.impl.TAICreds is iv-user (the header name WebSEAL inserts). If we entered -c all, the value for wp.ac.impl.TAICreds is iv-user,iv-groups,iv-creds. Never specify a header name for wp.ac.impl.TAICreds that the WebSEAL server is not sending over the junction.
wp.ac.impl.hostnames
Fully qualified URL for HCL WebSphere Portal. This value must match the -h and -p parameters from the junction creation command.
wp.ac.impl.ports
Port number used to access the host server identified in wp.ac.impl.hostnames. Must match the -p parameter from the junction creation command.
wp.ac.impl.loginId
Reverse proxy identity used when creating a TCP junction. This value must match the trusted user account.
wp.ac.impl.BaUserName
Reverse proxy identity used when creating an SSL junction.
wp.ac.impl.BaPassword
Password for the SSL junction reverse proxy ID.
Save the changes to the properties file.
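The following shell script is an added example and is not part of the HCL documentation. It derives the wp.ac.impl.TAICreds value from the junction's -c header_type list and checks a configured TAICreds value against what the junction actually sends, which is the mismatch the property description above warns against. The header names iv-user, iv-groups and iv-creds are the ones given on this page; treating iv_user-l as also producing the iv-user header is an assumption of the example, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the HCL documentation: map the junction's -c
# header_type list to the wp.ac.impl.TAICreds header names and verify that a
# configured TAICreds value names only headers the junction sends.
# Assumption: iv_user-l, like iv_user, results in the iv-user header.

# tai_creds_for HEADER_TYPES
# Prints the comma-separated header names for a -c list, or returns 1 on an
# unknown header type.
tai_creds_for() {
    case "$1" in
        all) echo "iv-user,iv-groups,iv-creds"; return 0 ;;
    esac
    out=""
    old_ifs=$IFS; IFS=,
    set -f
    for h in $1; do
        case "$h" in
            iv_user|iv_user-l) name=iv-user ;;
            iv_groups)         name=iv-groups ;;
            iv_creds)          name=iv-creds ;;
            *) IFS=$old_ifs; set +f; echo "unknown header type: $h" >&2; return 1 ;;
        esac
        out="${out:+$out,}$name"
    done
    IFS=$old_ifs; set +f
    echo "$out"
}

# check_tai_creds JUNCTION_HEADER_TYPES CONFIGURED_TAICREDS
# Returns 0 when every header named in wp.ac.impl.TAICreds is sent by the
# junction, 1 (with a message on stderr) when one is not.
check_tai_creds() {
    junction_c=$1; configured=$2
    sent=$(tai_creds_for "$junction_c") || return 1
    old_ifs=$IFS; IFS=,
    set -f
    for want in $configured; do
        found=0
        for have in $sent; do
            [ "$want" = "$have" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            IFS=$old_ifs; set +f
            echo "wp.ac.impl.TAICreds names $want but the junction (-c $junction_c) does not send it" >&2
            return 1
        fi
    done
    IFS=$old_ifs; set +f
    return 0
}

# Constructed sample: the page's "-c all" junction against a matching TAICreds value.
check_tai_creds all iv-user,iv-groups,iv-creds && echo "TAICreds consistent with junction"
```

Run the check whenever the junction's -c list or wkplc_comp.properties changes; a header listed in wp.ac.impl.TAICreds that WebSEAL never inserts means the TAI will not see the header it is configured to look for.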
- Configure TAI for ISAM:
./ConfigEngine.sh enable-tam-tai -DWasPassword=foo -Dwp.ac.impl.PDAdminPwd=foo
- Optional: Enable user provisioning. Do this only if we are using HCL WebSphere Portal to create and provision new users directly in LDAP, and we need these users to also be recognized by ISAM. In an enterprise deployment of HCL WebSphere Portal this task would be unusual, as most large deployments have a separate user provisioning process, perhaps using IBM Security Identity Manager. HCL WebSphere Portal reads from LDAP but does not create new users.
- If we are using IBM Security Verify integrated with HCL WebSphere Portal in a stand-alone environment that does not include a web server between WebSEAL and Portal, log on to the dmgr and go to...
Servers | Server Types | Web application servers | WebSphere_Portal | Web container settings | Web Container | Additional Properties | Custom properties | New
...and add the properties...
com.ibm.ws.webcontainer.extracthostheaderport = true
trusthostheaderport = true
- Stop and restart the appropriate servers to propagate the changes.
- Go to the WebSEAL node and edit webseald-instance.conf for the appropriate WebSEAL instance, for example webseald-web1.conf. In this file, set the basicauth-dummy-passwd value to the password for the ID that WebSEAL uses to identify itself to WebSphere Application Server. This is the password of the trusted user ID created in an earlier step. Stop and start the WebSEAL server before continuing.
- If the WebSEAL instance is on the Windows operating system, limit the length of the generated URLs. Edit webseald-instance.conf and change the process-root-requests property value to filter to avoid problems with WebSEAL processing.
- Import HCL WebSphere Portal users and groups into ISAM.
Enter the following commands at the ISAM administrative (pdadmin) command prompt, where wpsadmin is the user ID for the administrator, and wpsadmins is the administrators group name. The fully distinguished names of the user and group IDs vary depending on the LDAP settings.
user import wpsadmin uid=wpsadmin,cn=users,dc=ibm,dc=com
user modify wpsadmin account-valid yes
group import wpsadmins cn=wpsadmins,cn=groups,dc=ibm,dc=com
- Some functions of HCL WebSphere Portal require the use of the PUT and DELETE HTTP methods. By default, WebSEAL does not allow these requests. Either allow these methods at the applicable WebSEAL ACL and web server, or change the HTTP methods in the x-method-override configuration in the WebSEAL config file webseald-instance.conf.
Parent topic: Configure IBM Security Verify Access
Related tasks:
Migrate Security Access Manager
Create PdPerm.properties
Set up SSL
Administer WebSEAL
WebSEAL Administration Guide
ETAI Download