Scenario 3: Advanced virtual host configuration
Learn how to set up forms authentication, single signon using e-community, and authenticated access to specific resources.
This scenario builds on scenario 2 and additionally sets up:
- Forms authentication.
- Single signon using e-community.
- Authenticated access to specific resources.
Required architecture:
- Single signon is required between all hosts and protocols. Each virtual host has its own session credential. Standard e-community SSO logout restrictions apply.
- Forms login is required.
- Authenticated-only access is required for the following resources:
- http(s)://a.b.com/sales/
- https://w.x.com/doc/
- https://y.z.com/code/
Procedure - general setup:
- Enable forms authentication for both HTTP and HTTPS:
[ba]
ba-auth = none
[forms]
forms-auth = both
- Configure e-community single signon:
[e-community-sso]
e-community-sso-auth = both
e-community-name = ecomm
is-master-authn-server = yes
master-authn-server = a.b.com
[e-community-domain-keys]
[e-community-domains]
name = b.com
name = x.com
name = z.com
name = ibm.com
[e-community-domain-keys:b.com]
b.com = bb.key
x.com = bx.key
z.com = bz.key
[e-community-domain-keys:x.com]
x.com = xx.key
b.com = bx.key
[e-community-domain-keys:z.com]
z.com = zz.key
b.com = bz.key
- Use the LMI to generate the following keys:
- bb.key
- bx.key
- bz.key
- xx.key
- zz.key
- Restart WebSEAL and log in to pdadmin as sec_master.
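As an added check that is not part of the IBM documentation, the following Python script parses the stanzas above and verifies that the e-community key mapping is self-consistent: every domain with a key stanza is listed in [e-community-domains], names its own key, and every cross-domain entry (for example b.com and x.com both using bx.key) names the same key file on both sides. The sample configuration embedded in the script is copied from this scenario.

```python
from collections import defaultdict
# Constructed sample copied from the stanzas above (added example, not IBM's own code)
WEBSEAL_CONF = """
[e-community-domains]
name = b.com
name = x.com
name = z.com
name = ibm.com
[e-community-domain-keys:b.com]
b.com = bb.key
x.com = bx.key
z.com = bz.key
[e-community-domain-keys:x.com]
x.com = xx.key
b.com = bx.key
[e-community-domain-keys:z.com]
z.com = zz.key
b.com = bz.key
"""

def parse_stanzas(text):
    # WebSEAL-style stanza parser; repeated keys such as "name =" are kept as lists
    stanzas, current = defaultdict(lambda: defaultdict(list)), None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        key, _, value = line.partition("=")
        stanzas[current][key.strip()].append(value.strip())
    return stanzas

def check_ecommunity(stanzas):
    # Returns a list of problems; an empty list means the key mapping is consistent
    problems = []
    domains = stanzas["e-community-domains"]["name"]
    prefix = "e-community-domain-keys:"
    keys = {s[len(prefix):]: {k: v[0] for k, v in st.items()}
            for s, st in stanzas.items() if s.startswith(prefix)}
    for dom, entries in keys.items():
        if dom not in domains:
            problems.append(f"{dom} has a key stanza but is not listed in [e-community-domains]")
        if dom not in entries:
            problems.append(f"{dom} has no key for itself")
        for peer, keyfile in entries.items():
            # the file shared with a peer must be the one the peer lists for this domain
            if peer != dom and keys.get(peer, {}).get(dom) != keyfile:
                problems.append(f"{dom}->{peer} uses {keyfile} but {peer}->{dom} does not")
    return problems
```

Running `check_ecommunity(parse_stanzas(WEBSEAL_CONF))` on the configuration from this scenario returns an empty list; changing one side of a shared key entry reports the mismatch from both directions.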
Procedure - control access to /restricted directories:
- Create an open (unrestricted) ACL for general unauthenticated access:
pdadmin> sec_master> acl create open
pdadmin> sec_master> acl modify open set user sec_master TcmdbsvaBRlrx
pdadmin> sec_master> acl modify open set any-other Trx
pdadmin> sec_master> acl modify open set unauthenticated Trx
pdadmin> sec_master> acl modify open set group iv-admin TcmdbsvaBRrxl
pdadmin> sec_master> acl modify open set group webseal-servers Tgmdbsrxl
- Create a restricted ACL for access that requires authentication:
pdadmin> sec_master> acl create restricted
pdadmin> sec_master> acl modify restricted set group iv-admin TcmdbsvaBRrxl
pdadmin> sec_master> acl modify restricted set group webseal-servers Tgmdbsrxl
pdadmin> sec_master> acl modify restricted set user sec_master TcmdbsvaBRlrx
pdadmin> sec_master> acl modify restricted set any-other Trx
pdadmin> sec_master> acl modify restricted set unauthenticated T
- Attach the open ACL to the default WebSEAL instance:
pdadmin> sec_master> acl attach /WebSEAL/webseal.ibm.com-default open
- Attach the restricted ACL to the /sales directory on a.b.com:
pdadmin> sec_master> acl attach /WebSEAL/webseal.ibm.com-default/@vhost-ab-tcp/sales restricted
- Attach the restricted ACL to the /doc directory on w.x.com:
pdadmin> sec_master> acl attach /WebSEAL/webseal.ibm.com-default/@vhost-wx-tcp/doc restricted
- Attach the restricted ACL to the /code directory on y.z.com:
pdadmin> sec_master> acl attach /WebSEAL/webseal.ibm.com-default/@vhost-yz-ssl/code restricted