Configure trust association interceptors

These steps are required to use either a WebSEAL trust association interceptor or your own trust association interceptor with a reverse proxy security server.

  1. Access the administrative console by typing http://localhost:9090/admin in a Web browser.

  2. Click Security > Authentication mechanisms > LTPA in the left navigation panel.

  3. Click Trust Association under Additional Properties.

  4. Select the Trust Association Enabled check box.

  5. Click Interceptors under Additional Properties. The default value appears.

  6. Click com.ibm.ws.security.web.WebSealTrustAssociationInterceptor if you are using the WebSEAL interceptor. This interceptor is the default value. To use a different interceptor, complete the following steps:

    1. Click New.

    2. Type the name of the interceptor into the Interceptor Classname field.

    3. Click OK.

    4. Click the name of the new interceptor.

  7. Click Custom Properties under Additional Properties.

  8. Click New to enter the property name and value pairs. The name and value pairs for the WebSEAL server follow. For a new interceptor, enter the name and value pairs that correspond to your interceptor.

    com.ibm.websphere.security.trustassociation.types WebSEAL

    com.ibm.websphere.security.webseal.loginId This property contains the ID of the WebSEAL server.

    com.ibm.websphere.security.webseal.id iv-user is a special header field that is sent by the WebSEAL server with the request to the WAS.

    com.ibm.websphere.security.webseal.hostnames The host names (case sensitive) that are expected in the request header (the VIA header). This request header also includes the proxy host names (if any) unless the com.ibm.websphere.security.webseal.ignoreProxy property is set to true.

    com.ibm.websphere.security.webseal.ports The corresponding port numbers of the host names that are expected in the request header (the VIA header). This request header also includes the proxy ports (if any) unless the com.ibm.websphere.security.webseal.ignoreProxy property is set to true.

    com.ibm.websphere.security.webseal.ignoreProxy An optional property that, if set to true or yes, ignores the proxy host names and ports in the VIA header. By default, this property is set to false.

  9. Click OK.

Completing these steps enables trust association.

 

Usage Scenario

  1. The browser makes a request for a secured WebSphere resource.

  2. The WebSEAL server sends back a challenge, either an HTTP basic authentication or a form-based challenge.

  3. A user name and password are supplied.

  4. The WebSEAL product authenticates the user to LDAP.

  5. The modified request is forwarded by the WebSEAL product to the WebSphere Application Server.

  6. The plug-in (TAI) establishes that the WAS trusts the WebSEAL server by using the validateEstablishedTrust method.

  7. The plug-in extracts the end-user name from the iv-user header field and passes it to the WAS for authorization.

Note that WebSEAL Version 3.9 and later do not send the user ID and password to the server. Trust is based on a mutual Secure Sockets Layer (SSL) connection established between the WebSEAL server and the WebSphere Application Server. Steps 5 and 6 do not apply to WebSEAL Version 3.9 and later.
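The header checks behind the webseal.hostnames, webseal.ports and webseal.ignoreProxy properties and scenario steps 6 and 7, as an added example that is not IBM's interceptor code and not part of the original page. It is a simplified Python model: the function names, the sample hosts and headers, the pairing of the i-th port with the i-th host, and checking only the last VIA entry when ignoreProxy is set are all assumptions.

```python
# Simplified model of the checks described above; not IBM's interceptor code.
PROP = "com.ibm.websphere.security.webseal."

def parse_via(value):
    """Split a Via header into (host, port) hops, oldest hop first."""
    hops = []
    for entry in value.split(","):
        fields = entry.split()
        if len(fields) < 2:
            continue                      # malformed: no "protocol received-by" pair
        host, _, port = fields[1].partition(":")
        hops.append((host, port))
    return hops

def validate_established_trust(headers, props):
    """True only if the Via hops match the configured host names and ports."""
    hosts = [h.strip() for h in props[PROP + "hostnames"].split(",")]
    ports = [p.strip() for p in props[PROP + "ports"].split(",")]
    allowed = set(zip(hosts, ports))      # assumption: i-th port belongs to i-th host
    hops = parse_via(headers.get("via", ""))
    if not hops:
        return False                      # no Via header: not forwarded by WebSEAL
    if props.get(PROP + "ignoreProxy", "false").lower() in ("true", "yes"):
        hops = hops[-1:]                  # assumption: only the nearest hop is checked
    return all(hop in allowed for hop in hops)   # exact, case-sensitive match

def authenticated_user(headers, props):
    """Return the iv-user value only after the trust check has passed."""
    if not validate_established_trust(headers, props):
        return None
    return headers.get(props[PROP + "id"]) or None

# Constructed sample data; header names are assumed to be lower-cased already.
PROPS = {
    PROP + "id": "iv-user",
    PROP + "hostnames": "webseal01",
    PROP + "ports": "443",
}
WEBSEAL_ONLY = {"via": "HTTP/1.1 webseal01:443", "iv-user": "alice"}
VIA_PROXY = {"via": "HTTP/1.1 cache7:8080, HTTP/1.1 webseal01:443", "iv-user": "alice"}
DIRECT = {"iv-user": "admin"}             # iv-user present but no Via header

if __name__ == "__main__":
    for name, req in [("webseal", WEBSEAL_ONLY), ("proxy", VIA_PROXY), ("direct", DIRECT)]:
        print(name, authenticated_user(req, PROPS))
```

Both VIA and iv-user are ordinary request headers, so this check only has value when the application server is reachable solely through the WebSEAL server.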

  1. If you are enabling security, make sure that you complete the remaining steps for enabling security.

  2. Save, stop and restart all of the product servers (cell, nodes, and all of the application servers) for the changes to take effect.

 

See Also

Web component security
Trust Associations
Configuring global security
Trust association settings
Trust association interceptor collection