IBM Security Access Manager Version 7.0 WebSEAL Administration Guide SC23-6505-03


IBM Security Access Manager Version 7.0

WebSEAL Administration Guide

SC23-6505-03


Note: Before using this information and the product it supports, read the information in “Notices” on page 801.

Edition notice

Note: This edition applies to version 7, release 0, modification 0 of IBM Security Access Manager (product number 5724-C87) and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright IBM Corporation 2002, 2013. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Figures . . . xv
Tables . . . xvii
About this publication . . . xix
  Intended audience . . . xix
  Access to publications and terminology . . . xix
  Related publications . . . xxii
  Accessibility . . . xxiv
  Technical training . . . xxiv
  Support information . . . xxiv

Part 1. Administration . . . 1

Chapter 1. IBM Security Access Manager for Web WebSEAL overview . . . 3
  Introduction . . . 3
  WebSEAL introduction . . . 4
  Security model . . . 5
  Security model concepts . . . 5
  The protected object space . . . 5
  Access control lists (ACLs) and protected object policies (POPs) . . . 6
  Access control list (ACL) policies . . . 7
  Protected object policies (POPs) . . . 7
  Explicit and inherited policy . . . 8
  Policy administration: The Web Portal Manager . . . 8
  Web space protection . . . 9
  Security policy planning and implementation . . . 10
  Content types and levels of protection . . . 11
  WebSEAL authentication . . . 12
  Standard WebSEAL junctions . . . 12
  Web space scalability . . . 14
  Replicated front-end WebSEAL servers . . . 15
  Junctioned back-end servers . . . 15
  Replicated back-end servers . . . 16

Chapter 2. Server administration . . . 19
  Server operation . . . 19
  The pdweb command . . . 19
  Starting the WebSEAL server . . . 19
  Stopping the WebSEAL server . . . 20
  Restarting the WebSEAL server . . . 20
  Displaying WebSEAL server status . . . 21
  Backup and restore . . . 21
  The pdbackup utility . . . 21
  WebSEAL data backup . . . 22
  WebSEAL data restoration . . . 23
  Extraction of archived WebSEAL data . . . 24
  Synchronization of WebSEAL data across multiple servers . . . 24
  Automating synchronization . . . 26
  Backing up and restoring data . . . 28
  Auditing and logging of resources for WebSEAL . . . 29
  Error message logging . . . 29
  WebSEAL server activity auditing . . . 29
  Traditional auditing and logging of HTTP events . . . 30
  Problem determination resources for WebSEAL . . . 31
  Configuration data log file . . . 31
  Statistics . . . 33
  Application Response Measurement . . . 33
  Trace utility . . . 34

Part 2. Configuration . . . 37

Chapter 3. Web server configuration . . . 39
  WebSEAL server and host name specification . . . 39
  WebSEAL server name in the configuration file . . . 39
  WebSEAL server name in "pdadmin server list" . . . 40
  WebSEAL server name in the protected object space . . . 40
  Specifying the WebSEAL host (machine) name . . . 40
  WebSEAL configuration file . . . 41
  Configuration file organization . . . 41
  Configuration file name and location . . . 42
  Modifying configuration file settings . . . 43
  WebSEAL .obf configuration file . . . 43
  Default document root directory . . . 43
  Default root junction . . . 44
  Changing the root junction after WebSEAL installation . . . 44
  Directory indexing . . . 45
  Configuring directory indexing . . . 45
  Configuration of graphical icons for file types . . . 46
  Content caching . . . 46
  Content caching concepts . . . 47
  Configuration of content caching . . . 47
  Impact of HTTP headers on WebSEAL content caching . . . 48
  Flushing all caches . . . 50
  Cache control for specific documents . . . 50
  Communication protocol configuration . . . 51
  WebSEAL configuration for HTTP requests . . . 51
  WebSEAL configuration for HTTPS requests . . . 52
  Restrictions on connections from specific SSL versions . . . 52
  Persistent HTTP connections . . . 53
  WebSEAL configuration for handling HTTPOnly cookies . . . 53
  Timeout settings for HTTP and HTTPS communication . . . 54
  Additional WebSEAL server timeout settings . . . 55
  Support for WebDAV . . . 56
  Support for Microsoft RPC over HTTP . . . 57
  Support for chunked transfer coding . . . 58
  Internet Protocol version 6 (IPv6) support . . . 58
  IPv4 and IPv6 overview . . . 58
  Configuring IPv6 and IPv4 support . . . 59
  IPv6: Compatibility support . . . 59

  IPv6: Upgrade notes . . . 60
  IP levels for credential attributes . . . 60
  LDAP directory server configuration . . . 60
  Worker thread allocation . . . 61
  WebSEAL worker thread configuration . . . 62
  Allocation of worker threads for junctions (junction fairness) . . . 63
  HTTP data compression . . . 65
  Compression based on MIME-type . . . 65
  Compression based on user agent type . . . 66
  Compression policy in POPs . . . 67
  Data compression limitation . . . 67
  Configuring data compression policy . . . 67
  Multi-locale support with UTF-8 . . . 68
  Multi-locale support concepts . . . 68
  Configuration of multi-locale support . . . 73
  Validation of character encoding in request data . . . 78
  Supported wildcard pattern matching characters . . . 79
  Setting system environment variables . . . 79

Chapter 4. Web server response configuration . . . 81
  Static HTML server response pages . . . 81
  HTML server response page locations . . . 86
  Account management page location . . . 86
  Error message page location . . . 87
  Junction-specific static server response pages . . . 87
  HTML server response page modification . . . 88
  Guidelines for customizing HTML response pages . . . 88
  Macro resources for customizing HTML response pages . . . 88
  Macros embedded in a template . . . 91
  Adding an image to a custom login form . . . 93
  Account management page configuration . . . 94
  Configuration file stanza entries and values . . . 94
  Configuration of the account expiration error message . . . 95
  Configuration of the password policy options . . . 95
  Error message page configuration . . . 96
  Enabling the time of day error page . . . 97
  Creating new HTML error message pages . . . 97
  Compatibility with previous versions of WebSEAL . . . 98
  Multi-locale support for server responses . . . 98
  The accept-language HTTP header . . . 98
  WebSEAL language packs . . . 99
  Process flow for multi-locale support . . . 100
  Conditions affecting multi-locale support on WebSEAL . . . 100
  Handling the favicon.ico file with Mozilla Firefox . . . 100
  Adding custom headers to server response pages . . . 101
  Configuring the location URL format in redirect responses . . . 103
  Local response redirection . . . 103
  Local response redirection overview . . . 104
  Local response redirection process flow . . . 104
  Enabling and disabling local response redirection . . . 105
  Contents of a redirected response . . . 105
  URI for local response redirection . . . 105
  Operation for local response redirection . . . 106
  Macro support for local response redirection . . . 107
  Local response redirection configuration example . . . 111
  Technical notes for local response redirection . . . 112
  Remote response handling with local authentication . . . 112
  HTML redirection . . . 114
  Enabling HTML redirection . . . 114
  Preserving HTML fragments on redirection . . . 114

Chapter 5. Web server security configuration . . . 117
  Cryptographic hardware for encryption and key storage . . . 117
  Cryptographic hardware concepts . . . 117
  Conditions for using IBM 4758-023 . . . 118
  Configuration of the Cipher engine and FIPS mode processing . . . 118
  Configuring WebSEAL for cryptographic hardware . . . 119
  Configuring WebSEAL to support only Suite B ciphers . . . 122
  Prevention of vulnerability caused by cross-site scripting . . . 123
  Prevention of Cross-site Request Forgery (CSRF) attacks . . . 124
  Secret token validation . . . 124
  Referrer validation . . . 125
  Reject unsolicited authentication requests . . . 126
  Suppression of WebSEAL and back-end server identity . . . 126
  Suppressing WebSEAL server identity . . . 126
  Suppressing back-end application server identity . . . 127
  Disabling HTTP methods . . . 127
  Platform for Privacy Preferences (P3P) . . . 128
  Compact policy overview . . . 129
  Compact policy declaration . . . 130
  Junction header preservation . . . 130
  Default compact policy in the P3P header . . . 131
  Configuring the P3P header . . . 132
  Specifying a custom P3P compact policy . . . 138
  P3P configuration troubleshooting . . . 138

Chapter 6. Runtime security services external authorization service . . . 141
  About the runtime security services external authorization service . . . 141
  Configuring the runtime security services external authorization service in WebSEAL . . . 142
  Sample configuration data for runtime security services external authorization service . . . 145

Part 3. Authentication . . . 149

Chapter 7. Authentication overview . . . 151
  Definition and purpose of authentication . . . 151
  Information in a user request . . . 151

  Client identities and credentials . . . 152
  Authentication process flow . . . 152
  Authenticated and unauthenticated access to resources . . . 153
  Request process for authenticated users . . . 154
  Request process for unauthenticated users . . . 154
  Access conditions over SSL . . . 154
  Forcing user login . . . 155
  Use of unauthenticated HTTPS . . . 155
  Supported authentication methods . . . 155
  Authentication challenge based on user agent . . . 156

Chapter 8. Authentication methods . . . 159
  Authentication configuration overview . . . 159
  Authentication terminology . . . 159
  Supported authentication mechanisms . . . 160
  Authentication conversion library . . . 162
  Default configuration for WebSEAL authentication . . . 162
  Conditions for configuring multiple authentication methods . . . 162
  Logout and password change operations . . . 163
  Logging out: pkmslogout . . . 163
  Controlling custom response pages for pkmslogout . . . 164
  Changing passwords: pkmspasswd . . . 164
  Password change issue with Active Directory on Windows . . . 165
  Post password change processing . . . 165
  Basic authentication . . . 165
  Enabling and disabling basic authentication . . . 166
  Setting the realm name . . . 166
  Configuring the basic authentication mechanism . . . 166
  Multi-byte UTF-8 logins . . . 167
  Forms authentication . . . 168
  Enabling and disabling forms authentication . . . 168
  Configuring the forms authentication mechanism . . . 168
  Customizing HTML response forms . . . 169
  Submitting login form data directly to WebSEAL . . . 169
  Client-side certificate authentication . . . 171
  Client-side certificate authentication modes . . . 171
  Certificate authentication configuration task summary . . . 173
  Enabling certificate authentication . . . 174
  Configuration of the certificate authentication mechanism . . . 175
  Certificate login error page . . . 178
  Certificate login form . . . 178
  Disabling SSL session IDs for session tracking . . . 178
  Enabling and configuring the Certificate SSL ID cache . . . 179
  Setting the timeout for Certificate SSL ID cache . . . 179
  Error page for incorrect protocol . . . 180
  Disabling certificate authentication . . . 180
  Disabling the Certificate SSL ID cache . . . 181
  Technical notes for certificate authentication . . . 181
  HTTP header authentication . . . 181
  HTTP header authentication overview . . . 181
  Enabling HTTP header authentication . . . 182
  Specifying HTTP cookies . . . 183
  Specifying header types . . . 183
  Configuring the HTTP header authentication mechanism . . . 184
  Disabling HTTP header authentication . . . 184
  IP address authentication . . . 185
  Enabling and disabling IP address authentication . . . 185
  Configuring the IP address authentication mechanism . . . 185
  Token authentication . . . 186
  Token authentication concepts . . . 186
  Token authentication configuration task summary . . . 189
  Enabling token authentication . . . 189
  Configuring the token authentication mechanism . . . 190
  Enabling access to the RSA ACE/Agent client library . . . 191
  Specifying a customized password strength module . . . 191
  Disabling token authentication . . . 192
  Submitting login form data directly to WebSEAL . . . 192
  SPNEGO protocol and Kerberos authentication . . . 194
  LTPA authentication . . . 194
  LTPA authentication overview . . . 194
  Enabling LTPA authentication . . . 195
  Key file information . . . 195
  Specifying the cookie name for clients . . . 196
  Specifying the cookie name for junctions . . . 196
  Controlling the lifetime of the LTPA Token . . . 197
  Configuring the LTPA authentication mechanism . . . 197
  Disabling LTPA authentication . . . 198

Chapter 9. Advanced authentication methods . . . 199
  Multiplexing proxy agents . . . 199
  Multiplexing proxy agents overview . . . 199
  Valid session data types and authentication methods . . . 200
  Authentication process flow for MPA and multiple clients . . . 201
  Enabling and disabling MPA authentication . . . 202
  Creation of a user account for the MPA . . . 202
  Addition of the MPA account to the webseal-mpa-servers group . . . 202
  MPA authentication limitations . . . 202
  Switch user authentication . . . 202
  Overview of the switch user function . . . 203
  Configuration of switch user authentication . . . 205
  Using switch user . . . 211
  Additional switch user feature support . . . 212
  Custom authentication module for switch user . . . 213
  Configuration of a custom authentication module for switch user . . . 214
  Reauthentication . . . 215
  Reauthentication concepts . . . 215
  Reauthentication based on security policy . . . 216
  Reauthentication POP: creating and applying . . . 216
  Reauthentication based on session inactivity . . . 217
  Enabling of reauthentication based on session inactivity . . . 217

  Resetting of the session cache entry lifetime value . . . 218
  Extension of the session cache entry lifetime value . . . 218
  Prevention of session removal when the session lifetime expires . . . 219
  Removal of a user session at login failure policy limit . . . 219
  Customization of login forms for reauthentication . . . 221
  Authentication strength policy (step-up) . . . 221
  Authentication strength concepts . . . 221
  Authentication strength configuration task summary . . . 223
  Establishing an authentication strength policy . . . 223
  Specifying authentication levels . . . 224
  Specifying the authentication strength login form . . . 226
  Creating a protected object policy . . . 226
  Specifying network-based access restrictions . . . 228
  Attaching a protected object policy to a protected resource . . . 230
  Enforcing user identity match across authentication levels . . . 231
  Controlling the login response for unauthenticated users . . . 231
  Stepping up authentication at higher levels . . . 232
  External authentication interface . . . 232
  Client Certificate User Mapping . . . 232
  Introduction . . . 233
  User mapping rules evaluator . . . 237
  How to manage the CDAS . . . 240
  Configuring WebSEAL to use the certificate mapping module . . . 242

Chapter 10. Post-authentication processing . . . 247
  Automatic redirection after authentication . . . 247
  Overview of automatic redirection . . . 247
  Enabling automatic redirection . . . 248
  Disabling automatic redirection . . . 248
  Limitations . . . 249
  Macro support for automatic redirection . . . 249
  Server-side request caching . . . 251
  Server-side request caching concepts . . . 251
  Process flow for server-side request caching . . . 251
  Configuration of server-side caching . . . 253

Chapter 11. Password processing . . . 257
  Post password change processing . . . 257
  Post password change processing concepts . . . 257
  Configuring post password change processing . . . 258
  Post password change processing conditions . . . 258
  Login failure policy ("three strikes" login policy) . . . 258
  Login failure policy concepts . . . 258
  Setting the login failure policy . . . 259
  Setting the account disable time interval . . . 259
  Configuring the account disable notification response . . . 260
  Login failure policy with replicated WebSEAL servers . . . 261
  Password strength policy . . . 262
  Password strength policy concepts . . . 262
  Password strength policies . . . 263
  Syntax for password strength policy commands . . . 263
  Default password strength policy values . . . 264
  Valid and not valid password examples . . . 264
  Specifying user and global settings . . . 265

Chapter 12. Credential processing . . . 267
  Extended attributes for credentials . . . 267
  Mechanisms for adding registry attributes to a credential . . . 267
  Configure a registry attribute entitlement service . . . 268
  Junction handling of extended credential attributes . . . 270
  Credential refresh . . . 272
  Credential refresh concepts . . . 272
  Configure credential refresh . . . 276
  Credential refresh usage . . . 278

Chapter 13. External authentication interface . . . 281
  External authentication interface overview . . . 281
  External authentication interface process flow . . . 281
  External authentication interface configuration . . . 284
  Enabling the external authentication interface . . . 285
  Initiating the authentication process . . . 285
  Configuration of the external authentication interface trigger URL . . . 286
  HTTP header names for authentication data . . . 287
  Extracting authentication data from special HTTP headers . . . 288
  Configuration of the external authentication interface mechanism . . . 288
  How to generate the credential . . . 289
  External authentication interface credential replacement . . . 290
  Validating the user identity . . . 291
  How to write an external authentication application . . . 291
  External authentication interface HTTP header reference . . . 293
  Use of external authentication interface with existing WebSEAL features . . . 294
  Request caching with external authentication interface . . . 294
  Post-authentication redirection with external authentication interface . . . 295
  Session handling with external authentication interface . . . 295
  Authentication strength level with external authentication interface . . . 295
  Reauthentication with external authentication interface . . . 296
  Login page and macro support with external authentication interface . . . 296
  Setting a client-specific session cache entry lifetime value . . . 297

  Setting a client-specific session cache entry inactivity timeout value . . . 299

Part 4. Session State . . . 301

Chapter 14. Session state overview . . . 303
  Session state concepts . . . 303
  Supported session ID data types . . . 303
  Information retrieved from a client request . . . 304
  WebSEAL session cache structure . . . 304
  Deployment considerations for clustered environments . . . 305
  Consistent configuration on all WebSEAL replica servers . . . 306
  Client-to-server session affinity at the load balancer . . . 306
  Failover to a new master . . . 306
  Failover from one WebSEAL server to another . . . 306
  Options for handling failover in clustered environments . . . 306
  Option 1: No WebSEAL handling of failover events . . . 307
  Option 2: Authentication data included in each request . . . 307
  Option 3: Failover cookies . . . 307
  Option 4: The Session Management Server . . . 308
  Option 5: LTPA cookie . . . 308

Chapter 15. Session cache configuration . . . 311
  Session cache configuration overview . . . 311
  SSL session ID cache configuration . . . 312
  Cache entry timeout value . . . 312
  Maximum concurrent SSL sessions value . . . 312
  WebSEAL session cache configuration . . . 312
  Maximum session cache entries value . . . 313
  Cache entry lifetime timeout value . . . 313
  Setting a client-specific session cache entry lifetime value . . . 314
  Cache entry inactivity timeout value . . . 316
  Concurrent session limits . . . 317
  Session cache limitation . . . 318

Chapter 16. Failover solutions . . . 319
  Failover authentication concepts . . . 319
  The failover environment . . . 319
  Failover cookie . . . 320
  Failover authentication process flow . . . 321
  Failover authentication module . . . 321
  Example failover configuration . . . 322
  Addition of data to a failover cookie . . . 323
  Extraction of data from a failover cookie . . . 325
  Domain-wide failover authentication . . . 326
  Failover authentication configuration . . . 327
  Configuring failover authentication . . . 327
  Protocol for failover cookies . . . 328
  Configuring the failover authentication mechanism . . . 329
  Generating a key pair to encrypt and decrypt cookie data . . . 330
  Specifying the failover cookie lifetime . . . 330
  Specifying UTF-8 encoding on cookie strings . . . 331
  Adding the authentication strength level . . . 331
  Reissue of missing failover cookies . . . 331
  Addition of session lifetime timestamp . . . 332
  Adding the session activity timestamp . . . 333
  Addition of an interval for updating the activity timestamp . . . 333
  Addition of extended attributes . . . 334
  Authentication strength level attribute after failover authentication . . . 334
  Attributes for extraction . . . 335
  Enabling domain-wide failover cookies . . . 336
  Validation of a lifetime timestamp . . . 336
  Validation of an activity timestamp . . . 336
  Failover for non-sticky failover environments . . . 337
  Non-sticky failover concepts . . . 337
  Configuring the non-sticky failover solution . . . 338
  Use of failover cookies with existing WebSEAL features . . . 339
  Change password operation in a failover environment . . . 340

Chapter 17. Session state in non-clustered environments . . . 341
  Maintain session state in non-clustered environments . . . 341
  Control on session state information over SSL . . . 341
  Use of the same session key over different transports . . . 342
  Valid session key data types . . . 342
  Effective session timeout value . . . 344
  Netscape 4.7x limitation for use-same-session . . . 344
  Session cookies . . . 345
  Session cookies concepts . . . 345
  Conditions for using session cookies . . . 345
  Customization of the session cookie name . . . 346
  Sending session cookies with each request . . . 346
  Customized responses for old session cookies . . . 347
  Session removal and old session cookie concepts . . . 347
  Enabling customized responses for old session cookies . . . 348
  Maintain session state with HTTP headers . . . 349
  HTTP header session key concepts . . . 349
  Configuring HTTP headers to maintain session state . . . 349
  Setup for requiring requests from an MPA . . . 351
  Compatibility with previous versions of WebSEAL . . . 351
  Share sessions with Microsoft Office applications . . . 352
  Overview of session sharing with Microsoft Office applications . . . 352
  Configure the temporary session cache . . . 353
  Configure shared sessions with Microsoft Office applications . . . 354

Part 5. Session Management Server . . . 359

  • Chapter 18. Session managementserver (SMS) overview . . . . . . . 361The failover environment . . . . . . . . . 361The session management server (SMS) . . . . . 362Server clusters, replica sets, and session realms . . 362SMS process flow . . . . . . . . . . . . 363Sharing sessions across multiple DNS domains . . 364

    Chapter 19. Quickstart guide forWebSEAL using SMS . . . . . . . . 367Configuration summary for WebSEAL using SMS 367

    1. Information gathering. . . . . . . . . 3672. WebSEAL configuration file settings . . . . 3683. Import the Security Access Manager CACertificate . . . . . . . . . . . . . 3684. Restart the WebSEAL server. . . . . . . 3695. Create junctions for virtual hosts . . . . . 3696. Junction the session management server . . 3697. Set the maximum concurrent sessions policy 3708. Test the configuration . . . . . . . . . 370

    Chapter 20. Configuration forWebSEAL using SMS . . . . . . . . 373SMS configuration for WebSEAL . . . . . . . 373

    Configuring the session management server(SMS) . . . . . . . . . . . . . . . 373Enabling and disabling SMS for WebSEAL . . 373Specifying session management server clusterand location . . . . . . . . . . . . . 374Retrieving the maximum concurrent sessionspolicy value . . . . . . . . . . . . . 374

    Replica set configuration . . . . . . . . . 376Configuring WebSEAL to participate in multiplereplica sets . . . . . . . . . . . . . 376Assigning standard junctions to a replica set 376Virtual hosts assigned to a replica set . . . . 377Example replica set configuration. . . . . . 377

    Adjustment of the last access time updatefrequency for SMS. . . . . . . . . . . . 380SMS communication timeout configuration . . . 380

    Configuring SMS response timeout . . . . . 380Configuring connection timeout for broadcastevents . . . . . . . . . . . . . . . 381

    SMS performance configuration . . . . . . . 381Maximum pre-allocated session IDs . . . . . 381Configuration of the handle pool size . . . . 382

    SMS Authentication . . . . . . . . . . . 382SSL configuration for WebSEAL and SMS . . . . 382

    Configuring the WebSEAL key database . . . 383Specifying the SSL certificate distinguishedname (DN) . . . . . . . . . . . . . 384GSKit configuration for SMS connections . . . 385

    Maximum concurrent sessions policy . . . . . 385Setting the maximum concurrent sessions policy 385Enforcing the maximum concurrent sessionspolicy . . . . . . . . . . . . . . . 389Switch user and maximum concurrent sessionspolicy . . . . . . . . . . . . . . . 389

    Single signon within a session realm . . . . . 390Session realm and session sharing concepts . . 390

    Configuring session sharing . . . 391
    Configuring login history . . . 393
      Enabling login failure notification . . . 393
      Creating a junction to the session management server . . . 394
      Allowing access to the login history JSP . . . 394
      Customizing the JSP to display login history . . . 395

Part 6. Authorization . . . 397

Chapter 21. Configuration for authorization . . . 399
  WebSEAL-specific ACL policies . . . 399
    /WebSEAL/host-instance_name . . . 399
    /WebSEAL/host-instance_name/file . . . 399
    WebSEAL ACL permissions . . . 399
    Default /WebSEAL ACL policy . . . 400
    Valid characters for ACL names . . . 400
  Quality of protection POP . . . 400
    Configuration of authorization database updates and polling . . . 401
    Configuring quality of protection levels . . . 402
  Authorization decision information . . . 404
  Support for OAuth authorization decisions . . . 404

Chapter 22. Key management . . . 411
  Key management overview . . . 411
  Client-side and server-side certificate concepts . . . 412
  GSKit key database file types . . . 412
  Configuration of the WebSEAL key database file . . . 413
    WebSEAL key database file . . . 413
    Key database file password . . . 414
    WebSEAL test certificate . . . 414
    Server Name Indication . . . 415
    Inter-server SSL communication for Security Access Manager . . . 416
  Use of the iKeyman certificate management utility . . . 416
  Certificate revocation in WebSEAL . . . 416
    Certificate revocation list (CRL) . . . 417
    Configuration of CRL checking . . . 417
  Certificate distribution points . . . 418
  Configuration of the CRL cache . . . 418
    Set the maximum number of cache entries . . . 418
    Set the GSKit cache lifetime timeout value . . . 418
    Enable the CRL cache . . . 418
  Use of the WebSEAL test certificate for SSL connections . . . 419

Chapter 23. Customized authorization . . . 421
  Custom requests . . . 421
  Custom responses . . . 421

Part 7. Standard WebSEAL Junctions . . . 423

Chapter 24. Standard WebSEAL junctions . . . 425
  WebSEAL junctions overview . . . 425


    Junction types . . . 425
    Junction database location and format . . . 426
    Applying coarse-grained access control: summary . . . 426
    Applying fine-grained access control: summary . . . 426
    Additional references for WebSEAL junctions . . . 427
  Management of junctions with Web Portal Manager . . . 427
    Creating a junction using Web Portal Manager . . . 427
    Listing junctions using Web Portal Manager . . . 428
    Deleting junctions using Web Portal Manager . . . 428
  Managing junctions with the pdadmin utility . . . 428
    Import and export of junction databases . . . 429
  Standard WebSEAL junction configuration . . . 430
    The pdadmin server task create command . . . 430
    Creating TCP type standard junctions . . . 430
    Creating SSL type standard junctions . . . 431
    Creating mutual junctions . . . 431
    SSL-based standard junctions . . . 432
    Adding multiple back-end servers to a standard junction . . . 433
    Local type standard junction . . . 433
    Disable local junctions . . . 433
  Transparent path junctions . . . 434
    Filtering concepts in standard WebSEAL junctions . . . 434
    Transparent path junction concepts . . . 435
    Configuring transparent path junctions . . . 436
    Example transparent path junction . . . 436
  Technical notes for using WebSEAL junctions . . . 437
    Guidelines for creating WebSEAL junctions . . . 437
    Adding multiple back-end servers to the same junction . . . 437
    Exceptions to enforcing permissions across junctions . . . 438
    Certificate authentication across junctions . . . 438
    Handling domain cookies . . . 439
    Supported HTTP versions for requests and responses . . . 439
    Junctioned application with Web Portal Manager . . . 440
  How to generate a back-end server Web space (query_contents) . . . 440
    query_contents overview . . . 440
    query_contents components . . . 442
    Installing and configuring query_contents on UNIX-based Web servers . . . 442
    Installing and configuring query_contents on Windows-based Web servers . . . 444
    General process flow for query_contents . . . 445
    Securing the query_contents program . . . 445

Chapter 25. Advanced junction configuration . . . 447
  Mutually authenticated SSL junctions . . . 447
    Mutually authenticated SSL junctions process summary . . . 447
    Validation of the back-end server certificate . . . 448
    Matching the distinguished name (DN) . . . 448
    Authentication with a client certificate . . . 449
    Authentication with a BA header . . . 449
  TCP and SSL proxy junctions . . . 450
  WebSEAL-to-WebSEAL junctions over SSL . . . 450
  Stateful junctions . . . 452
    Stateful junction concepts . . . 452
    Configuration of stateful junctions . . . 452
    Specifying back-end server UUIDs for stateful junctions . . . 453
    Handling an unavailable stateful server . . . 455
  Forcing a new junction . . . 456
  Use of /pkmslogout with virtual host junctions . . . 457
  Junction throttling . . . 457
    Junction throttling concepts . . . 457
    Placing a junctioned server in a throttled state . . . 458
    Junctioned server in an offline state . . . 460
    Junctioned server in an online state . . . 462
    Junction throttle messages . . . 463
    Use of junction throttling with existing WebSEAL features . . . 464
  Management of cookies . . . 465
    Passing of session cookies to junctioned portal servers . . . 466
  Support for URLs as not case-sensitive . . . 468
  Junctions to Windows file systems . . . 469
    Example . . . 469
    ACLs and POPs must attach to lower-case object names . . . 470
  Standard junctions to virtual hosts . . . 470
  UTF-8 encoding for HTTP header data . . . 471
  Bypassing buffering on a per-resource basis . . . 472
  Single sign-on solutions across junctions . . . 473

Chapter 26. Modification of URLs to junctioned resources . . . 475
  URL modification concepts . . . 475
  Path types used in URLs . . . 476
  Special characters in URLs . . . 477
  Modification of URLs in responses . . . 477
    Filtering of tag-based static URLs . . . 477
    Modifying absolute URLs with script filtering . . . 486
    Configuring the rewrite-absolute-with-absolute option . . . 487
    Filtering changes the Content-Length header . . . 487
    Limitation with unfiltered server-relative links . . . 488
  Modification of URLs in requests . . . 489
    Modification of server-relative URLs with junction mapping . . . 489
    Modification of server-relative URLs with junction cookies . . . 491
    Control on the junction cookie JavaScript block . . . 492
    Modification of server-relative URLs using the HTTP Referer header . . . 495
    Controlling server-relative URL processing in requests . . . 496
  Handling cookies from servers across multiple -j junctions . . . 498
    Cookie handling: -j modifies Set-Cookie path attribute . . . 498
    Cookie handling: -j modifies Set-Cookie name attribute . . . 499
    Preservation of cookie names . . . 499
    Cookie handling: -I ensures unique Set-Cookie name attribute . . . 500


Chapter 27. HTTP transformations . . . 503
  HTTP transformation rules . . . 503
    Extensible Stylesheet Language Transformation (XSLT) . . . 504
    HTTP request objects . . . 504
    HTTP response objects . . . 504
    Replacing the HTTP response . . . 505
    XSL transformation rules . . . 505
    Reprocessing considerations . . . 507
    XSLT templates . . . 507
  Configuration . . . 507
    Configuration file updates . . . 507
    Protected Object Policy (POP) . . . 508
  Example HTTP transformation scenarios . . . 508
    Scenario 1: Modifying the URI, headers, and cookies (HTTPRequest) . . . 508
    Scenario 2: Modifying the headers only (HTTPResponse) . . . 511
    Scenario 3: Modifying the ResponseLine/StatusCode only (HTTPResponse) . . . 513
    Scenario 4: Modifying cookies only (HTTPResponse) . . . 514
    Scenario 5: Providing a response to a known HTTP request . . . 517
  Transformation errors . . . 518

Chapter 28. Microsoft RPC over HTTP . . . 521
  RPC over HTTP support in WebSEAL . . . 521
  Junction configuration . . . 522
  POP configuration . . . 523
  Authentication limitations . . . 523
  Timeout considerations . . . 523
  WebSEAL server log errors . . . 524
  Worker thread consideration . . . 524

Chapter 29. Command option summary: standard junctions . . . 525
  Using pdadmin server task to create junctions . . . 525
  Server task commands for junctions . . . 526
  Creation of a junction for an initial server . . . 527
  Addition of server to an existing junction . . . 533

Part 8. Virtual Hosting . . . 537

Chapter 30. Virtual host junctions . . . 539
  Virtual host junction concepts . . . 539
    Standard WebSEAL junctions . . . 539
    Challenges of URL filtering . . . 540
    Virtual hosting . . . 540
    Virtual host junction solution . . . 540
    Stanzas and stanza entries ignored by virtual host junctions . . . 542
    Virtual hosts represented in the object space . . . 542
  Configuration of a virtual host junction . . . 543
    Creation of a remote type virtual host junction . . . 543
    Creation of a local type virtual host junction . . . 545
  Scenario 1: Remote virtual host junctions . . . 546
  Definition of interfaces for virtual host junctions . . . 548
    Default interface specification . . . 548
    Defining additional interfaces . . . 548
  Scenario 2: Virtual host junctions with interfaces . . . 550
  Use of virtual hosts with existing WebSEAL features . . . 552
    E-community single signon with virtual hosts . . . 552
    Cross-domain single signon with virtual hosts . . . 554
    Dynamic URLs with virtual host junctions . . . 554
    Using domain session cookies for virtual host single sign-on . . . 555
    Junction throttling . . . 556
  Scenario 3: Advanced virtual host configuration . . . 556
  Virtual host junction limitations . . . 558
    SSL session IDs not usable by virtual hosts . . . 559

Chapter 31. Command option summary: Virtual host junctions . . . 561
  Using pdadmin server task to create virtual host junctions . . . 561
  Server task commands for virtual host junctions . . . 562
  Creation of a virtual host junction . . . 563
  Addition of a server to a virtual host junction . . . 569

Part 9. Single Signon Solutions . . . 571

Chapter 32. Single signon solutions across junctions . . . 573
  Single signon using Tivoli Federated Identity Manager . . . 573
    GSKit configuration for connections with Tivoli Federated Identity Manager . . . 575
    Use of Kerberos credentials . . . 575
  Single sign-on using HTTP BA headers . . . 576
    Single signon (SSO) concepts . . . 576
    Client identity in HTTP BA headers . . . 577
    Client identity and generic password . . . 577
    Forwarding of original client BA header information . . . 578
    Removal of client BA header information . . . 579
    User names and passwords from GSO . . . 580
    Client identity information across junctions . . . 580
  Identity information supplied in HTTP headers . . . 581
    Client identity in HTTP headers (–c) . . . 581
    Client IP addresses in HTTP headers (–r) . . . 583
    Limiting the size of WebSEAL-generated HTTP headers . . . 584
  Global signon (GSO) . . . 585
    Global sign-on overview . . . 585
    Authentication information mapping . . . 586
    Configuring a GSO-enabled WebSEAL junction . . . 587
    Configuration of the GSO cache . . . 587
  Single signon to IBM WebSphere (LTPA) . . . 588
    LTPA overview . . . 588
    Configuration of an LTPA junction . . . 589
    Configuration of the LTPA cache . . . 590
    Technical notes for LTPA single sign-on . . . 590
  Forms single signon authentication . . . 591
    Forms single signon concepts . . . 591
    Forms single signon process flow . . . 592
    Requirements for application support . . . 593


    Creation of the configuration file for forms single signon . . . 593
    How to enable forms single signon . . . 597
    Forms single sign-on example . . . 598

Chapter 33. Windows desktop single sign-on . . . 599
  Windows desktop single sign-on concepts . . . 599
    SPNEGO protocol and Kerberos authentication . . . 599
    User registry and platform support for SPNEGO . . . 600
    SPNEGO compatibility with other authentication methods . . . 601
    Mapping of user names from multi-domain Active Directory registries . . . 601
    Multiple Active Directory domain support . . . 603
    SPNEGO authentication limitations . . . 603
  Configuring Windows desktop single signon (Windows) . . . 604
    1. Create an identity for WebSEAL in an Active Directory domain . . . 604
    2. Map a Kerberos principal to an Active Directory user . . . 605
    3. Enable SPNEGO for WebSEAL . . . 607
    4. Restart WebSEAL . . . 607
    5. Configure the Internet Explorer client . . . 607
    Troubleshooting for Windows desktop single signon . . . 608
  Configuring Windows desktop single signon (UNIX) . . . 608
    1. Configure the embedded Kerberos client . . . 608
    2. Create an identity for WebSEAL in an Active Directory domain . . . 610
    3. Map a Kerberos principal to an Active Directory user . . . 611
    4. Verify the authentication of the Web server principal . . . 614
    5. Verify WebSEAL authentication using the keytab file . . . 614
    6. Enable SPNEGO for WebSEAL . . . 614
    7. Add service name and keytab file entries . . . 615
    8. Restart WebSEAL and browser . . . 616
    9. Configure the Internet Explorer client . . . 616
    Troubleshooting for Windows desktop single sign-on . . . 616
  Configuration notes for a load balancer environment . . . 617

Chapter 34. Cross-domain single sign-on . . . 619
  Cross-domain single signon concepts . . . 619
    Cross-domain single signon overview . . . 619
    Default and custom authentication tokens . . . 620
    Extended user attributes and identity mapping . . . 620
    CDSSO process flow with attribute transfer and user mapping . . . 620
  Configuration of cross-domain single signon . . . 622
    CDSSO configuration summary . . . 622
    CDSSO conditions and requirements . . . 623
    Enabling and disabling CDSSO authentication . . . 624
    Configuring the CDSSO authentication mechanism . . . 625
    Encrypting the authentication token data . . . 626
    Configuring the token time stamp . . . 627
    Configuring the token label name . . . 627
    Creating the CDSSO HTML link . . . 628
    Handling errors from CDMF during token creation . . . 628
    Protection of the authentication token . . . 629
    Use of cross-domain single signon with virtual hosts . . . 629
  Extended attributes for CDSSO . . . 629
    Extended attributes to add to token . . . 629
    Extended attributes to extract from a token . . . 630
  UTF-8 encoding of tokens for cross domain single signon . . . 631

Chapter 35. LTPA single signon . . . 633
  LTPA single sign-on overview . . . 633
  Configuring LTPA single signon . . . 633
  Technical notes for LTPA single sign-on . . . 634

Chapter 36. E-community single signon . . . 635
  E-community single signon concepts . . . 635
    E-community overview . . . 635
    E-community features and requirements . . . 637
    E-community process flow . . . 637
    The e-community cookie . . . 641
    The vouch-for request and reply . . . 642
    The vouch-for token . . . 643
  Configuration of e-community single sign-on . . . 643
    E-community configuration summary . . . 644
    E-community conditions and requirements . . . 645
    Enabling and disabling e-community authentication . . . 646
    Specifying an e-community name . . . 647
    Configuring the single sign-on authentication mechanism . . . 647
    Encrypting the vouch-for token . . . 648
    Configuring the vouch-for token label name . . . 649
    Specifying the master authentication server (MAS) . . . 650
    Specifying the vouch-for URL . . . 651
    Configure token and ec-cookie lifetime values . . . 651
    Handling errors from CDMF during token creation . . . 652
    Enabling unauthenticated access . . . 652
    Limiting the ability to generate vouch-for tokens . . . 653
    Configuration of the behavior for authentication failure . . . 653
    Logout using pkmslogout-nomas . . . 653
    Use of e-community with virtual hosts . . . 654
  Extended attributes for ECSSO . . . 654
    Extended attributes to add to token . . . 654
    Extended attributes to extract from token . . . 655
  UTF-8 encoding of tokens for e-community single signon . . . 656


Chapter 37. Single sign-off . . . 657
  Overview of the single sign-off functionality . . . 657
  Configuring single signoff . . . 657
  Specifications for single sign-off requests and responses . . . 658

Part 10. Deployment . . . 659

Chapter 38. WebSEAL instance deployment . . . 661
  WebSEAL instance configuration overview . . . 661
    WebSEAL instance configuration planning . . . 661
    Example WebSEAL instance configuration values . . . 666
    Unique configuration file for each WebSEAL instance . . . 666
    Interactive configuration overview . . . 666
    Command line configuration overview . . . 667
    Silent configuration overview (response file) . . . 668
  WebSEAL instance configuration tasks . . . 669
    Adding a WebSEAL instance . . . 669
    Removing a WebSEAL instance . . . 671
  Load balancing environments . . . 672
    Replicating front-end WebSEAL servers . . . 672
    Controlling the login_success response . . . 673

Chapter 39. Application integration . . . 675
  CGI programming support . . . 675
    WebSEAL and CGI scripts . . . 675
    Creation of a cgi-bin directory . . . 675
    WebSEAL environment variables for CGI programming . . . 676
    Windows environment variables for CGI programs . . . 676
    UTF-8 environment variables for CGI programs . . . 677
    Windows: File naming for CGI programs . . . 677
    UNIX files misinterpreted as CGI scripts over local junctions . . . 678
  Support for back-end server-side applications . . . 678
  Best practices for standard junction usage . . . 679
    Complete Host header information with -v . . . 679
    Standard absolute URL filtering . . . 679
  Custom personalization service . . . 680
    Personalization service concepts . . . 680
    Configuring WebSEAL for a personalization service . . . 681
    Personalization service example . . . 681
  User session management for back-end servers . . . 682
    User session management concepts . . . 682
    Enabling user session ID management . . . 683
    Inserting user session data into HTTP headers . . . 684
    Terminating user sessions . . . 685
    User event correlation for back-end servers . . . 688

Chapter 40. Dynamic URLs . . . 691
  Access control for dynamic URLs . . . 691
    Dynamic URL components . . . 691
    Access control for dynamic URLs: dynurl.conf . . . 691
    Conversion of POST body dynamic data to query string format . . . 692
    Mapping ACL and POP objects to dynamic URLs . . . 692
    Character encoding and query string validation . . . 693
    Updating WebSEAL for dynamic URLs . . . 694
    Resolve dynamic URLs in the object space . . . 694
    Configuration of limitations on POST requests . . . 695
    Dynamic URLs summary and technical notes . . . 696
  Dynamic URL example: The Travel Kingdom . . . 697
    The application . . . 697
    The interface . . . 698
    The security policy . . . 698
    Secure clients . . . 699
    Access control . . . 699
    Conclusion . . . 700

Chapter 41. Internet Content Adaptation Protocol (ICAP) Support . . . 701
  ICAP integration with WebSEAL - Workflow . . . 702
  Scope of functionality . . . 702
  Configuration of ICAP support within WebSEAL . . . 703

Part 11. Attribute Retrieval Service . . . 705

Chapter 42. Attribute retrieval service reference . . . 707
  Basic configuration . . . 707
    Configuration files . . . 707
    Descriptions of amwebars.conf configuration stanza entries . . . 708
  Data table editing . . . 710
    ProviderTable . . . 710
    ContainerDescriptorTable . . . 711
    ProtocolTable . . . 714
  Custom protocol plug-ins . . . 714
    Overview . . . 714
    Protocol plug-in . . . 715

Chapter 43. Authorization decision information retrieval . . . 717
  Overview of ADI retrieval . . . 717
  ADI retrieval from the WebSEAL client request . . . 717
    Example: Retrieving ADI from the request header . . . 719
    Example: Retrieving ADI from the request query string . . . 719
    Example: Retrieving ADI from the request POST body . . . 720
  ADI retrieval from the user credential . . . 720
  Supplying a failure reason across a junction . . . 721
  Dynamic ADI retrieval . . . 722
  Deploying the attribute retrieval service . . . 723
  Configuring WebSEAL to use the attribute retrieval service . . . 723

Part 12. Appendixes . . . 725


Appendix A. Guidelines for changing configuration files . . . 727
  General guidelines . . . 727
  Default values . . . 727
  Strings . . . 728
  Defined strings . . . 728
  File names . . . 728
  Integers . . . 729
  Boolean values . . . 729

Appendix B. Command reference . . . 731
  Reading syntax statements . . . 732
  help . . . 732
  server list . . . 734
  server task add . . . 734
  server task cache flush all . . . 737
  server task cfgdb export . . . 739
  server task cfgdb import . . . 740
  server task cluster restart . . . 742
  server task create . . . 743
  server task delete . . . 751
  server task dynurl update . . . 752
  server task file cat . . . 753
  server task help . . . 754
  server task jdb export . . . 756
  server task jdb import . . . 757
  server task jmt . . . 759
  server task list . . . 760
  server task offline . . . 761
  server task online . . . 763
  server task refresh all_sessions . . . 765
  server task reload . . . 766
  server task remove . . . 767
  server task server restart . . . 768
  server task show . . . 769
  server task server sync . . . 771
  server task terminate all_sessions . . . 772
  server task terminate session . . . 773
  server task throttle . . . 775
  server task virtualhost add . . . 776
  server task virtualhost create . . . 779
  server task virtualhost delete . . . 786
  server task virtualhost list . . . 787
  server task virtualhost offline . . . 788
  server task virtualhost online . . . 791
  server task virtualhost remove . . . 793
  server task virtualhost show . . . 795
  server task virtualhost throttle . . . 797

    Notices . . . . . . . . . . . . . . 801

    Index . . . . . . . . . . . . . . . 805


Figures

1. Protecting resources with WebSEAL . . . 4
2. Protected object space . . . 6
3. ACL policy . . . 7
4. Explicit and inherited policies . . . 8
5. Web space protection . . . 10
6. Junctions connect WebSEAL with back-end resources . . . 13
7. WebSEAL junction results in a unified Web space . . . 14
8. Junctioned back-end servers . . . 15
9. Unified Web space . . . 16
10. Replicated back-end servers . . . 17
11. Cluster Support . . . 27
12. Timeout settings for HTTP and HTTPS communication . . . 55
13. Authentication process flow . . . 153
14. Communication over an MPA Gateway . . . 200
15. Swapping administrator and user cache data during switch user . . . 204
16. Example WebSEAL request caching process flow . . . 253
17. External authentication interface process flow . . . 282
18. WebSEAL session cache . . . 305
19. Session cache configuration file entries . . . 311
20. Failover for replicated WebSEAL servers . . . 320
21. Sharing WebSEAL sessions with Microsoft SharePoint server . . . 355
22. Failover for replicated WebSEAL servers . . . 361
23. WebSEAL/SMS process flow . . . 363
24. Junction configuration for a single WebSEAL server . . . 378
25. Replica set configuration . . . 379
26. Logical flow of the OAuth EAS . . . 405
27. Keyfile management configuration . . . 411
28. Non-secure TCP (HTTP) junction . . . 430
29. Secure SSL (HTTPS) junction . . . 431
30. Example proxy junction . . . 450
31. WebSEAL-to-WebSEAL junction scenario . . . 451
32. Stateful junctions use back-end server UUIDs . . . 453
33. Dissimilar UUIDs . . . 454
34. Specifying back-end server UUIDs for stateful junctions . . . 454
35. Configuring virtual hosts . . . 471
36. Summary: Modifying URLs to back-end resources . . . 476
37. Filtering absolute URLs . . . 487
38. Processing server-relative URLs with junction cookies . . . 492
39. WebSEAL RPC over HTTP . . . 521
40. Virtual host junction scenario 1 . . . 547
41. Virtual host junction scenario 2 . . . 551
42. Virtual host junction scenario 3 . . . 557
43. Multiple logins . . . 576
44. Supplying authentication information to back-end application servers . . . 577
45. BA Header contains identity and "dummy" password . . . 578
46. WebSEAL forwards original client identity information . . . 579
47. Removing client BA header information . . . 579
48. Global sign-on mechanism . . . 585
49. Forms single signon process flow . . . 592
50. Cross-domain single signon process with CDMF . . . 622
51. The e-community model . . . 636
52. Example configuration for e-community process flow . . . 638
53. Session management . . . 683
54. Terminate all userA sessions . . . 688
55. Passing data in the query string of a request URL . . . 691
56. Authorization on a dynamic URL . . . 693
57. Dynamic ADI retrieval . . . 722


Tables

1. ARM transaction classes used by WebSEAL . . . 34
2. Supported wildcard matching characters . . . 79
3. Characters encoded in URL and non-URL macros . . . 92
4. Macros for defining custom headers . . . 102
5. P3P default header values . . . 131
6. Supported values for the access entry . . . 132
7. Supported values for the categories entry . . . 133
8. Supported values for the disputes entry . . . 134
9. Supported values for the remedies entry . . . 134
10. Supported values for the non-identifiable entry . . . 135
11. Supported values for the purpose entry . . . 135
12. Supported values for the opt-in or opt-out policy . . . 136
13. Supported values for the recipient entry . . . 136
14. Opt-in policy values . . . 137
15. Supported values for the retention entry . . . 137
16. Runtime security services EAS access decisions . . . 141
17. Stanza entries for authentication mechanisms . . . 160
18. Configuring basic authentication . . . 166
19. Basic authentication modules . . . 167
20. Configuring forms authentication . . . 168
21. Forms authentication modules . . . 169
22. Configuring certificate authentication . . . 174
23. Certificate authentication modules . . . 175
24. Certificate authentication modules . . . 177
25. Configuring HTTP header authentication . . . 182
26. HTTP header authentication modules . . . 184
27. Configuring IP address authentication . . . 185
28. Configuring token authentication . . . 190
29. Token authentication modules . . . 190
30. Configuring LTPA authentication . . . 195
31. LTPA authentication modules . . . 197
32. Switch user authentication modules . . . 206
33. Authentication methods supported for authentication strength . . . 224
34. Example integer values for authentication strength levels . . . 227
35. Using netmask to specify a network range (IPv4) . . . 229
36. Using netmask to specify a network range (IPv6) . . . 229
37. Additional files for Client Certificate User Mapping functionality . . . 240
38. Configuring the external authentication interface . . . 285
39. Examples of authentication requests to an external authentication application . . . 286
40. External authentication interface authentication modules . . . 289
41. Supplemental credential data provided by WebSEAL . . . 289
42. PAC headers . . . 293
43. User identity headers . . . 293
44. Session identifier headers . . . 294
45. Common headers . . . 294
46. Supported protocols for failover cookies . . . 329
47. Failover authentication module names . . . 329
48. Local type junction options . . . 433
49. Return codes . . . 441
50. Filtered encoding types . . . 480
51. Base elements . . . 506
52. XSLT Template files . . . 507
53. Remote type virtual host junction options . . . 543
54. Local type virtual host junction options . . . 545
55. Valid properties and values for additional interface definitions . . . 549
56. Configuration requirements for a Tivoli Federated Identity Manager trust chain . . . 573
57. Kerberos authentication library location . . . 607
58. CDSSO modules . . . 625
59. Module names for e-community . . . 647
60. WebSEAL instances sharing the same IPv4 address . . . 663
61. WebSEAL instances sharing the same IPv6 address . . . 663
62. WebSEAL instances with unique IPv4 addresses . . . 663
63. WebSEAL instances with unique IPv6 addresses . . . 663
64. Worksheet for adding a WebSEAL instance . . . 669


About this publication

    Welcome to the IBM Security Access Manager: WebSEAL Administration Guide.

IBM Security Access Manager for Web, formerly called IBM Tivoli Access Manager for e-business, is a user authentication, authorization, and web single sign-on solution for enforcing security policies over a wide range of web and application resources.

IBM Security Access Manager for Web WebSEAL is the resource manager for web-based resources in a Security Access Manager secure domain. WebSEAL is a high performance, multi-threaded web server that applies fine-grained security policy to the protected web object space. WebSEAL can provide single signon solutions and incorporate back-end web application server resources into its security policy.

This administration guide provides a comprehensive set of procedures and reference information for managing the resources of your secure web domain. This guide also provides you with valuable background and concept information for the wide range of WebSEAL functionality. For the complete stanza reference for WebSEAL configuration, see the IBM Security Access Manager: WebSEAL Configuration Stanza Reference.

    Intended audience

    This guide is for system administrators responsible for configuring and maintaining a Security Access Manager WebSEAL environment.

    Readers should be familiar with the following:
    v PC and UNIX or Linux operating systems
    v Database architecture and concepts
    v Security management
    v Internet protocols, including HTTP, TCP/IP, File Transfer Protocol (FTP), and Telnet
    v Lightweight Directory Access Protocol (LDAP) and directory services
    v A supported user registry
    v WebSphere® Application Server administration
    v Authentication and authorization

    If you are enabling Secure Sockets Layer (SSL) communication, you also should be familiar with the SSL protocol, key exchange (public and private), digital signatures, cryptographic algorithms, and certificate authorities.

    Access to publications and terminology

    This section provides:
    v A list of publications in the “IBM Security Access Manager for Web library” on page xx.
    v Links to “Online publications” on page xxi.
    v A link to the “IBM Terminology website” on page xxii.


  • IBM Security Access Manager for Web library

    The following documents are in the IBM Security Access Manager for Web library:
    v IBM Security Access Manager for Web Quick Start Guide, GI11-9333-01
      Provides steps that summarize major installation and configuration tasks.
    v IBM Security Web Gateway Appliance Quick Start Guide – Hardware Offering, SC22-5434-00
      Guides users through the process of connecting and completing the initial configuration of the WebSEAL Hardware Appliance.
    v IBM Security Web Gateway Appliance Quick Start Guide – Virtual Offering
      Guides users through the process of connecting and completing the initial configuration of the WebSEAL Virtual Appliance.
    v IBM Security Access Manager for Web Installation Guide, GC23-6502-02
      Explains how to install and configure Security Access Manager.
    v IBM Security Access Manager for Web Upgrade Guide, SC23-6503-02
      Provides information for users to upgrade from version 6.0 or 6.1.x to version 7.0.
    v IBM Security Access Manager for Web Administration Guide, SC23-6504-02
      Describes the concepts and procedures for using Security Access Manager. Provides instructions for performing tasks from the Web Portal Manager interface and by using the pdadmin utility.
    v IBM Security Access Manager for Web WebSEAL Administration Guide, SC23-6505-02
      Provides background material, administrative procedures, and reference information for using WebSEAL to manage the resources of your secure Web domain.
    v IBM Security Access Manager for Web Plug-in for Web Servers Administration Guide, SC23-6507-02
      Provides procedures and reference information for securing your Web domain by using a Web server plug-in.
    v IBM Security Access Manager for Web Shared Session Management Administration Guide, SC23-6509-02
      Provides administrative considerations and operational instructions for the session management server.
    v IBM Security Access Manager for Web Shared Session Management Deployment Guide, SC22-5431-00
      Provides deployment considerations for the session management server.
    v IBM Security Web Gateway Appliance Administration Guide, SC22-5432-00
      Provides administrative procedures and technical reference information for the WebSEAL Appliance.
    v IBM Security Web Gateway Appliance Configuration Guide for Web Reverse Proxy, SC22-5433-00
      Provides configuration procedures and technical reference information for the WebSEAL Appliance.
    v IBM Security Web Gateway Appliance Web Reverse Proxy Stanza Reference, SC27-4442-00
      Provides a complete stanza reference for the IBM® Security Web Gateway Appliance Web Reverse Proxy.
    v IBM Security Access Manager for Web WebSEAL Configuration Stanza Reference, SC27-4443-00
      Provides a complete stanza reference for WebSEAL.


  • v IBM Global Security Kit: CapiCmd Users Guide, SC22-5459-00
      Provides instructions on creating key databases, public-private key pairs, and certificate requests.
    v IBM Security Access Manager for Web Auditing Guide, SC23-6511-02
      Provides information about configuring and managing audit events by using the native Security Access Manager approach and the Common Auditing and Reporting Service. You can also find information about installing and configuring the Common Auditing and Reporting Service. Use this service for generating and viewing operational reports.
    v IBM Security Access Manager for Web Command Reference, SC23-6512-02
      Provides reference information about the commands, utilities, and scripts that are provided with Security Access Manager.
    v IBM Security Access Manager for Web Administration C API Developer Reference, SC23-6513-02
      Provides reference information about using the C language implementation of the administration API to enable an application to perform Security Access Manager administration tasks.
    v IBM Security Access Manager for Web Administration Java Classes Developer Reference, SC23-6514-02
      Provides reference information about using the Java™ language implementation of the administration API to enable an application to perform Security Access Manager administration tasks.
    v IBM Security Access Manager for Web Authorization C API Developer Reference, SC23-6515-02
      Provides reference information about using the C language implementation of the authorization API to enable an application to use Security Access Manager security.
    v IBM Security Access Manager for Web Authorization Java Classes Developer Reference, SC23-6516-02
      Provides reference information about using the Java language implementation of the authorization API to enable an application to use Security Access Manager security.
    v IBM Security Access Manager for Web Web Security Developer Reference, SC23-6517-02
      Provides programming and reference information for developing authentication modules.
    v IBM Security Access Manager for Web Error Message Reference, GI11-8157-02
      Provides explanations and corrective actions for the messages and return codes.
    v IBM Security Access Manager for Web Troubleshooting Guide, GC27-2717-01
      Provides problem determination information.
    v IBM Security Access Manager for Web Performance Tuning Guide, SC23-6518-02
      Provides performance tuning information for an environment that consists of Security Access Manager with the IBM Tivoli Directory Server as the user registry.

    Online publications

    IBM posts product publications when the product is released and when the publications are updated at the following locations:


  • IBM Security Access Manager for Web Information Center
    The http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.isam.doc_70/welcome.html site displays the information center welcome page for this product.

    IBM Security Systems Documentation Central and Welcome page
    IBM Security Systems Documentation Central provides an alphabetical list of all IBM Security Systems product documentation and links to the product information center for specific versions of each product.

    Welcome to IBM Security Systems Information Centers provides an introduction to, links to, and general information about IBM Security Systems information centers.

    IBM Publications Center
    The http://www-05.ibm.com/e-business/linkweb/publications/servlet/pbi.wss site offers customized search functions to help you find all the IBM publications that you need.

    IBM Terminology website

    The IBM Terminology website consolidates terminology for product libraries in one location. You can access the Terminology website at http://www.ibm.com/software/globalization/terminology.

    Related publications

    This section lists the IBM products that are related to and included with the Security Access Manager solution.

    Note: The following middleware products are not packaged with IBM Security Web Gateway Appliance.

    IBM Global Security Kit

    Security Access Manager provides data encryption by using Global Security Kit (GSKit) version 8.0.x. GSKit is included on the IBM Security Access Manager for Web Version 7.0 product image or DVD for your particular platform.

    GSKit version 8 includes the command-line tool for key management, GSKCapiCmd (gsk8capicmd_64).

    GSKit version 8 no longer includes the key management utility, iKeyman (gskikm.jar). iKeyman is packaged with IBM Java version 6 or later and is now a pure Java application with no dependency on the native GSKit runtime. Do not move or remove the bundled java/jre/lib/gskikm.jar library.

    The IBM Developer Kit and Runtime Environment, Java Technology Edition, Version 6 and 7, iKeyman User's Guide for version 8.0 is available on the Security Access Manager Information Center. You can also find this document directly at:

    http://download.boulder.ibm.com/ibmdl/pub/software/dw/jdk/security/60/iKeyman.8.User.Guide.pdf

    Note:

    GSKit version 8 includes important changes made to the implementation of Transport Layer Security required to remediate security issues.


  • The GSKit version 8 changes comply with the Internet Engineering Task Force (IETF) Request for Comments (RFC) requirements. However, the new implementation is not compatible with earlier versions of GSKit. Any component that communicates with Security Access Manager by using GSKit must be upgraded to GSKit version 7.0.4.42, or 8.0.14.26 or later. Otherwise, communication problems might occur.

    IBM Tivoli Directory Server

    IBM Tivoli Directory Server version 6.3 FP17 (6.3.0.17-ISS-ITDS-FP0017) is included on the IBM Security Access Manager for Web Version 7.0 product image or DVD for your particular platform.

    You can find more information about Tivoli Directory Server at:

    http://www.ibm.com/software/tivoli/products/directory-server/

    IBM Tivoli Directory Integrator

    IBM Tivoli Directory Integrator version 7.1.1 is included on the IBM Tivoli Directory Integrator Identity Edition V 7.1.1 for Multiplatform product image or DVD for your particular platform.

    You can find more information about IBM Tivoli Directory Integrator at:

    http://www.ibm.com/software/tivoli/products/directory-integrator/

    IBM DB2 Universal Database™

    IBM DB2 Universal Database Enterprise Server Edition, version 9.7 FP4 is provided on the IBM Security Access Manager for Web Version 7.0 product image or DVD for your particular platform. You can install DB2® with the Tivoli Directory Server software, or as a stand-alone product. DB2 is required when you use Tivoli Directory Server or z/OS® LDAP servers as the user registry for Security Access Manager. For z/OS LDAP servers, you must separately purchase DB2.

    You can find more information about DB2 at:

    http://www.ibm.com/software/data/db2

    IBM WebSphere products

    The installation packages for WebSphere Application Server Network Deployment, version 8.0, and WebSphere eXtreme Scale, version 8.5.0.1, are included with Security Access Manager version 7.0. WebSphere eXtreme Scale is required only when you use the Session Management Server (SMS) component.

    WebSphere Application Server enables the support of the following applications:
    v Web Portal Manager interface, which administers Security Access Manager.
    v Web Administration Tool, which administers Tivoli Directory Server.
    v Common Auditing and Reporting Service, which processes and reports on audit events.
    v Session Management Server, which manages shared sessions in a Web security server environment.
    v Attribute Retrieval Service.


  • You can find more information about WebSphere Application Server at:

    http://www.ibm.com/software/webservers/appserv/was/library/

    Accessibility

    Accessibility features help users with a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You can also use the keyboard instead of the mouse to operate all features of the graphical user interface.

    Visit the IBM Accessibility Center (http://www-03.ibm.com/able/) for more information about IBM's commitment to accessibility.

    Technical training

    For technical training information, see the IBM Education website at http://www.ibm.com/software/tivoli/education.

    Support information

    IBM Support provides assistance with code-related problems and routine, short duration installation or usage questions. You can directly access the IBM Software Support site at http://www.ibm.com/software/support/probsub.html.

    The IBM Security Access Manager for Web Troubleshooting Guide provides details about:
    v What information to collect before you contact IBM Support.
    v The various methods for contacting IBM Support.
    v How to use IBM Support Assistant.
    v Instructions and problem-determination resources to isolate and fix the problem yourself.

    Note: The Community and Support tab on the product information center can provide more support resources.


  • Part 1. Administration


  • Chapter 1. IBM Security Access Manager for Web WebSEAL overview

    IBM Security Access Manager for Web (Security Access Manager) is a robust and secure centralized policy management solution for distributed applications.

    IBM Security Access Manager for Web WebSEAL is a high performance, multi-threaded Web server that applies fine-grained security policy to the Security Access Manager protected Web object space. WebSEAL can provide single signon solutions and incorporate back-end Web application server resources into its security policy.

    This overview chapter introduces you to the main capabilities of the WebSEAL server.

    Topic Index:
    v “Introduction”
    v “WebSEAL introduction” on page 4
    v “Security model” on page 5
    v “Web space protection” on page 9
    v “Security policy planning and implementation” on page 10
    v “WebSEAL authentication” on page 12
    v “Standard WebSEAL junctions” on page 12
    v “Web space scalability” on page 14

    Introduction

    IBM Security Access Manager for Web is a complete authorization and network security policy management solution that provides end-to-end protection of resources over geographically dispersed intranets and extranets.

    In addition to its state-of-the-art security policy management feature, IBM Security Access Manager for Web provides authentication, authorization, data security, and centralized resource management capabilities. You use Security Access Manager in conjunction with standard Internet-based applications to build highly secure and well-managed intranets.

    At its core, Security Access Manager provides:
    v Authentication framework
      Security Access Manager provides a wide range of built-in authenticators and supports external authenticators.
    v Authorization framework
      The Security Access Manager authorization service, accessed through the Security Access Manager authorization API, provides permit and deny decisions on requests for protected resources located in the secure domain.

    With Security Access Manager, businesses can securely manage access to private internal network-based resources while leveraging the public Internet's broad connectivity and ease of use. Security Access Manager, in combination with a corporate firewall system, can fully protect the Enterprise intranet from unauthorized access and intrusion.

    WebSEAL introduction

    IBM Security Access Manager for Web WebSEAL is the resource manager responsible for managing and protecting Web-based information and resources.

    WebSEAL is a high performance, multi-threaded Web server that applies fine-grained security policy to resources in the Security Access Manager protected Web object space. WebSEAL can provide single signon solutions and incorporate back-end Web application server resources into its security policy.

    WebSEAL normally acts as a reverse Web proxy by receiving HTTP/HTTPS requests from a Web browser and delivering content from its own Web server or from junctioned back-end Web application servers. Requests passing through WebSEAL are evaluated by the Security Access Manager authorization service to determine whether the user is authorized to access the requested resource.

    WebSEAL provides the following features:
    v Supports multiple authentication methods.
      Both built-in and plug-in architectures allow flexibility in supporting a variety of authentication mechanisms.
    v Integrates the Security Access Manager authorization service.
    v Accepts HTTP and HTTPS requests.
    v Integrates and protects back-end server resources through WebSEAL junction technology.
      Provides a unified view of the combined protected object space.
    v Manages fine-grained access control for the local and back-end server resources.
      Supported resources include URLs, URL-based regular expressions, CGI programs, HTML files, Java servlets, and Java class files.
    v Performs as a reverse Web proxy.
      WebSEAL appears as a Web server to clients and appears as a Web browser to the junctioned back-end servers it is protecting.
    v Provides single signon capabilities.

    Figure 1. Protecting resources with WebSEAL (the figure shows a client request passing through the firewall and DMZ to WebSEAL, which presents a unified protected object space and forwards the request over a junction to the back-end Web application server)


  • Security model

    This section contains the following topics:
    v “Security model concepts”
    v “The protected object space”
    v “Access control lists (ACLs) and protected object policies (POPs)” on page 6
    v “Access control list (ACL) policies” on page 7
    v “Protected object policies (POPs)” on page 7
    v “Explicit and inherited policy” on page 8
    v “Policy administration: The Web Portal Manager” on page 8

    Security model concepts

    There are two key security structures that govern and maintain the security policy for a Security Access Manager secure domain:
    v User registry
      The user registry (such as IBM Tivoli® Directory Server or Microsoft Active Directory) contains all users and groups who can participate in the Security Access Manager environment. This environment is known as the secure domain.
    v Master authorization (policy) database
      The authorization database contains a representation of all resources in the domain (the protected object space). The security administrator can dictate any level of security by applying rules to the resources that require protection. These rules are known as access control list (ACL) policies and protected object policies (POPs).

    The process of authentication proves the identity of a user to WebSEAL. A user can participate in the secure domain as authenticated or unauthenticated. Authenticated users must have an account in the user registry. Using ACLs and POPs, the security administrator can make:
    v Certain resources publicly available to unauthenticated users, and
    v Other resources available only to certain authenticated users.

    When a user successfully authenticates, WebSEAL creates a set of identification information known as a credential. The credential contains the user identity, any group memberships, and any special ("extended") security attributes.

    A user requires a credential to fully participate in the secure domain. The Security Access Manager authorization service enforces security policies by comparing a user's authentication credentials with the policy permissions assigned to the requested resource. The authorization service passes the resulting recommendation to the resource manager (for example, WebSEAL), which completes the response to the original request.

    The protected object space

    The protected object space is a hierarchical representation of resources belonging to a Security Access Manager secure domain. The virtual objects that appear in the object space represent the actual physical network resources, as specified below:
    v System resource – the actual physical file or application.


  • v Protected object – the logical representation of an actual system resource used by the authorization service, the Web Portal Manager, and other Security Access Manager management utilities.

    Policies can be attached to objects in the object space to provide protection of the resource. The authorization service makes authorization decisions based on these policies.

    The combined installation of Security Access Manager base and Security Access Manager WebSEAL provides the following object space categories:
    v Web objects
      Web objects represent any resource that can be addressed by an HTTP URL. This includes static Web pages and dynamic URLs that are converted to database queries or some other type of application. The WebSEAL server is responsible for protecting Web objects.
    v Security Access Manager management objects
      Management objects represent the management activities that can be performed through the Web Portal Manager. The objects represent the tasks necessary to define users and set security policy. Security Access Manager supports delegation of management activities and can restrict an administrator's ability to set security policy to a subset of the object space.
    v User-defined objects
      User-defined objects represent customer-defined tasks or network resources protected by applications that access the authorization service through the Security Access Manager authorization API.

    v Authorization rules

    Access control lists (ACLs) and protected object policies (POPs)

    Security administrators protect Security Access Manager system resources by defining rules, known as ACL and POP policies, and applying these policies to the object representations of those resources in the protected object space.

    The Security Access Manager authorization service performs authorization decisions based on the policies applied to these objects. When a requested operation on a protected object is permitted, the application responsible for the resource implements this operation.

    Figure 2. Protected object space (the figure shows the object space root with three branches: Management Objects, Web Objects, and User-Defined Objects)


  • One policy can dictate the protection parameters of many objects. Any change to the rule affects all objects to which the ACL or POP is attached.

    Access control list (ACL) policies

    An access control list policy, or ACL policy, is the set of rules (permissions) that specifies the conditions necessary to perform certain operations on a resource. ACL policy definitions are important components of the security policy established for the secure domain. ACL policies, like all policies, are used to stamp an organization's security requirements onto the resources represented in the protected object space.

    An ACL policy specifically controls:
    1. What operations can be performed on the resource
    2. Who can perform these operations

    An ACL policy is made up of one or more entries that include user and group designations and their specific permissions or rights. An ACL can also contain rules that apply to unauthenticated users.
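    The following Python model is an added example and is not IBM code; it ties together the concepts on this page (a credential carrying user, groups and extended attributes; an ACL with user, group, any-other and unauthenticated entries; an ACL attached to one object and inherited by everything beneath it) so that the effect of "one policy dictates the protection parameters of many objects" can be exercised. The object names, the permission letters and the three evaluation rules in the module docstring are assumptions for illustration, not the product's documented algorithm.

```python
"""Simplified model of ACL evaluation over a protected object space.

Added example, not IBM's implementation. Evaluation rules assumed here:
  1. Inheritance: the nearest ACL attached at or above the object applies.
  2. Authenticated credential: a matching user entry wins; otherwise the
     permissions of all matching group entries are combined; otherwise the
     any-other entry applies.
  3. Unauthenticated credential: the unauthenticated entry applies, limited
     to permissions that any-other also grants.
Permission letters (T = traverse, r = read, m = modify) are illustrative.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Credential:
    """Built after authentication: identity, group memberships, extended attrs."""
    user: Optional[str]                     # None for an unauthenticated user
    groups: frozenset = frozenset()
    attributes: Dict[str, str] = field(default_factory=dict)

    @property
    def authenticated(self) -> bool:
        return self.user is not None


@dataclass
class ACL:
    """One ACL policy: entries map a principal to a permission string such as "Tr"."""
    name: str
    users: Dict[str, str] = field(default_factory=dict)
    groups: Dict[str, str] = field(default_factory=dict)
    any_other: str = ""
    unauthenticated: str = ""

    def permissions_for(self, cred: Credential) -> Set[str]:
        if not cred.authenticated:
            # Rule 3: unauthenticated permissions are masked by any-other.
            return set(self.unauthenticated) & set(self.any_other)
        if cred.user in self.users:
            return set(self.users[cred.user])        # Rule 2: user entry wins
        granted: Set[str] = set()
        matched = False
        for g in cred.groups:
            if g in self.groups:
                matched = True
                granted |= set(self.groups[g])       # union of group entries
        return granted if matched else set(self.any_other)


def _norm(obj: str) -> str:
    """Canonical object name: no trailing slash except for the root."""
    return obj.rstrip("/") or "/"


class ProtectedObjectSpace:
    """Hierarchy of object names; ACLs attached explicitly, inherited by children."""

    def __init__(self) -> None:
        self.attached: Dict[str, ACL] = {}

    def attach(self, obj: str, acl: ACL) -> None:
        self.attached[_norm(obj)] = acl

    def effective_acl(self, obj: str) -> Optional[ACL]:
        """Rule 1: walk from obj toward the root, return the nearest attached ACL."""
        path = _norm(obj)
        while True:
            if path in self.attached:
                return self.attached[path]
            if path == "/":
                return None
            path = path.rsplit("/", 1)[0] or "/"

    def is_permitted(self, cred: Credential, obj: str, action: str) -> bool:
        acl = self.effective_acl(obj)
        if acl is None:
            return False                             # no policy found: deny
        return action in acl.permissions_for(cred)


def build_sample_space() -> ProtectedObjectSpace:
    """Constructed sample (assumed names): a public site with one staff-only area."""
    space = ProtectedObjectSpace()
    public = ACL("public-read", any_other="Tr", unauthenticated="Tr")
    private = ACL("staff-only", users={"auditor": "r"},
                  groups={"staff": "Tr", "admins": "Trm"})
    space.attach("/WebSEAL/www/", public)              # inherited by the whole site
    space.attach("/WebSEAL/www/private", private)     # explicit override below it
    return space


if __name__ == "__main__":
    space = build_sample_space()
    anon = Credential(user=None)
    alice = Credential(user="alice", groups=frozenset({"staff"}))
    for who, cred in (("anonymous", anon), ("alice", alice)):
        for obj in ("/WebSEAL/www/index.html", "/WebSEAL/www/private/report.html"):
            print(who, obj, "r ->", space.is_permitted(cred, obj, "r"))
```

    Because the "staff-only" ACL is attached once at /WebSEAL/www/private, every object beneath it inherits the same answer; changing that one ACL changes the decision for all of them, which is the point the page makes about one policy governing many objects. Note also that the explicit user entry for "auditor" replaces, rather than adds to, the permissions that the auditor's group membership would otherwise confer.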

    Protected object policies (POPs)

    ACL policies provide the authorization service with information to make a "yes" or "no" answer on a request to access a protected object and perform some operation on that object.

    Protected object policies (POPs) contain additional conditions