Attach a protected object policy to a protected resource
After a protected object policy (POP) has been defined and created, it must be attached to the protected resources to which it applies. The syntax for attaching a POP is:
pdadmin pop attach object_name pop_name
For example, an authentication policy for a WebSEAL deployment could be defined as follows:
- The deployment will use forms authentication and certificate authentication. Forms authentication is the first authentication strength level (1) and certificate authentication is the second (stronger) authentication level (2).
- Users must authenticate using forms authentication or stronger to access the following protected resource (a WebSEAL junction):
/WebSEAL/hostA/junction
- Users must authenticate using certificate authentication to access:
/WebSEAL/hostA/junction/applicationA
To implement this policy, the following configuration steps must take place.
Steps
- Modify the WebSEAL configuration file to grant forms authentication an authentication strength of 1 and certificate authentication a strength of 2:
[authentication-levels]
level = unauthenticated
level = password
level = ssl
- Create a POP for authentication level 1 (forms authentication).
pdadmin> pop create test1
pdadmin> pop modify test1 set ipauth anyothernw 1
- Create a POP for authentication level 2 (certificate authentication).
pdadmin> pop create test2
pdadmin> pop modify test2 set ipauth anyothernw 2
- Attach the POP test1 to /WebSEAL/hostA/junction.
pdadmin> pop attach /WebSEAL/hostA/junction test1
- Attach the POP test2 to /WebSEAL/hostA/junction/applicationA.
pdadmin> pop attach /WebSEAL/hostA/junction/applicationA test2
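The policy configured above, as an added Python model that is not IBM's code and not part of the original page. It assumes a method's strength is its position in the [authentication-levels] stanza and that an object without its own POP inherits the nearest POP attached above it; the function names are hypothetical.

```python
# Simplified model of the step-up policy above (added example, not WebSEAL code).
WEBSEAL_CONF = """\
[authentication-levels]
level = unauthenticated
level = password
level = ssl
"""  # stanza copied from the configuration step

# POP name -> level given to "pop modify <pop> set ipauth anyothernw <level>"
POP_LEVELS = {"test1": 1, "test2": 2}
# Protected object -> POP, as set by "pop attach <object> <pop>"
ATTACHMENTS = {
    "/WebSEAL/hostA/junction": "test1",
    "/WebSEAL/hostA/junction/applicationA": "test2",
}

def parse_levels(conf):
    """Map each method to its strength: the index of its 'level' line."""
    methods, in_stanza = [], False
    for line in conf.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_stanza = line == "[authentication-levels]"
        elif in_stanza and line.startswith("level"):
            methods.append(line.split("=", 1)[1].strip())
    return {method: index for index, method in enumerate(methods)}

def effective_pop(obj):
    """Return the nearest attached POP, walking up the object space."""
    parts = obj.rstrip("/").split("/")
    while len(parts) > 1:
        path = "/".join(parts)
        if path in ATTACHMENTS:
            return ATTACHMENTS[path]
        parts.pop()  # not attached here: try the parent object
    return None

def must_step_up(obj, method, levels):
    """True if a session authenticated with 'method' is too weak for obj."""
    pop = effective_pop(obj)
    required = POP_LEVELS[pop] if pop else 0
    return levels[method] < required

if __name__ == "__main__":
    lv = parse_levels(WEBSEAL_CONF)
    for obj in ("/WebSEAL/hostA/junction/index.html",  # constructed child objects
                "/WebSEAL/hostA/junction/applicationA/report"):
        print(obj, effective_pop(obj), must_step_up(obj, "password", lv))
```

The two constructed child objects show why the attach points matter: everything under the junction inherits test1 until applicationA, where test2 takes over and a forms-authenticated session has to step up to a certificate.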