Configure a trust association interceptor

For more information about trust association interceptors, see Trust associations.

A typical scenario in which the trust association interceptor (TAI) is used is best understood in an environment where the IBM Tivoli WebSEAL product is deployed with WebSphere Application Server. For WebSEAL, an implementation of the TAI is already provided with the product. These steps outline the typical flow of an HTTP request for a secured WebSphere Application Server resource that is authenticated by WebSEAL through a Web trust association.

  1. The browser makes a request for a secured WebSphere resource.
  2. WebSEAL sends back a challenge, either an HTTP Basic authentication or form-based challenge.
  3. User name and password are supplied.
  4. WebSEAL authenticates the user.
  5. The modified request is forwarded by WebSEAL to the WebSphere Application Server.
  6. The plug-in (TAI) uses the validateEstablishedTrust method to establish that WebSphere Application Server trusts the WebSEAL server.
  7. The plug-in extracts the end-user name from the iv-user header field and passes it to the WebSphere Application Server to handle authorization.

Note: Versions 3.9 and higher of WebSEAL do not send the user ID and password to the server. Trust is based on a mutual Secure Sockets Layer (SSL) connection established between WebSEAL and the WebSphere Application Server. As a result, steps 6 and 7 do not apply to versions 3.9 and higher of WebSEAL.

Figure: Flow of an HTTP request that is authenticated by WebSEAL through a trust association

When you set up security for the first time, complete the following steps if you want to use the WebSEAL trust association interceptor, or your own trust association interceptor, with a reverse proxy security server.

Perform these steps in the WebSphere administrative console:

  1. Start the administrative console.

  2. In the topology tree, expand Security --> Authentication mechanisms and click LTPA.

  3. Click Trust Association under Additional Properties.

  4. Select the Trust Association Enabled check box.

  5. Click Interceptors under Additional Properties.

  6. Select the interceptor that you want to configure. For additional information, see Trust association interceptor settings.

  7. To configure an interceptor, click the interceptor class name.

  8. Click Custom Properties.

  9. On the Custom Properties page, click New.

  10. Specify the property name and value pairs. These are the name and value pairs for WebSEAL:

    Property name: com.ibm.websphere.security.trustassociation.types
    Value: WebSEAL

    Property name: com.ibm.websphere.security.webseal.loginID
    Value: The ID of the WebSEAL server.

    Property name: com.ibm.websphere.security.webseal.id
    Value: iv-user. This is a special header field that WebSEAL sends with the request to WebSphere Application Server.

    Property name: com.ibm.websphere.security.webseal.hostnames
    Value: The host names (case sensitive) that are expected in the request header (the VIA header). This list should also include the proxy host names (if any) unless the com.ibm.websphere.security.webseal.ignoreProxy property is set to true.

    Property name: com.ibm.websphere.security.webseal.ports
    Value: The port number corresponding to each host name that is expected in the request header (the VIA header). This list should also include the proxy ports (if any) unless the com.ibm.websphere.security.webseal.ignoreProxy property is set to true.

    Property name: com.ibm.websphere.security.webseal.ignoreProxy
    Value: An optional property that, if set to true or yes, ignores the proxy host names and ports in the VIA header. By default this property is set to false.

  11. Click OK.

  12. Save the configuration.
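The trust check of steps 6 and 7 in the request flow, together with the hostnames, ports and ignoreProxy properties from step 10, modelled as an added Python example (this is not IBM's TrustAssociationInterceptor code): the end-user name in the iv-user header is accepted only after every relevant hop in the Via header has been validated against the configured host:port pairs. The PROPS values are constructed for the example, and reading ignoreProxy as "check only the final hop" is this example's own assumption.

```python
from typing import Dict, List, Optional, Set, Tuple
Hop = Tuple[str, Optional[int]]

# Constructed sample configuration using the property names from step 10.
PROPS = {
    "com.ibm.websphere.security.trustassociation.types": "WebSEAL",
    "com.ibm.websphere.security.webseal.id": "iv-user",
    "com.ibm.websphere.security.webseal.hostnames": "webseal.example.com,proxy.example.com",
    "com.ibm.websphere.security.webseal.ports": "443,8080",
    "com.ibm.websphere.security.webseal.ignoreProxy": "false",
}

def parse_via(via: str) -> List[Hop]:
    """Split a Via header into (host, port) hops in forwarding order.
    Each element is '<version> <host[:port]> [comment]'; comments are dropped."""
    hops: List[Hop] = []
    for element in via.split(","):
        tokens = element.strip().split()
        if len(tokens) < 2:
            continue  # malformed element without a received-by field
        host, sep, port = tokens[1].rpartition(":")
        hops.append((host, int(port)) if sep and port.isdigit() else (tokens[1], None))
    return hops

def expected_hops(props: Dict[str, str]) -> Set[Hop]:
    """Pair each configured host name (case sensitive) with its corresponding port."""
    hosts = [h.strip() for h in props["com.ibm.websphere.security.webseal.hostnames"].split(",")]
    ports = [int(p) for p in props["com.ibm.websphere.security.webseal.ports"].split(",")]
    if len(hosts) != len(ports):
        raise ValueError("hostnames and ports must have the same number of entries")
    return set(zip(hosts, ports))

def authenticated_user(headers: Dict[str, str], props: Dict[str, str]) -> Optional[str]:
    """Return the user from the iv-user header only when the Via trail shows the
    request came through an expected WebSEAL/proxy host:port; otherwise None."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    hops = parse_via(lower.get("via", ""))
    if not hops:
        return None  # no reverse-proxy trail: an iv-user header alone proves nothing
    ignore_proxy = props.get("com.ibm.websphere.security.webseal.ignoreProxy", "false").lower() in ("true", "yes")
    # Assumption of this example: with ignoreProxy set, only the hop that forwarded
    # the request to WebSphere (the last Via element) has to be a configured host.
    checked = hops[-1:] if ignore_proxy else hops
    expected = expected_hops(props)
    if any(hop not in expected for hop in checked):
        return None
    user = lower.get(props.get("com.ibm.websphere.security.webseal.id", "iv-user").lower())
    return user or None
```

A request whose Via trail is missing, names an unexpected or differently-cased host, or omits the port is rejected even when it carries an iv-user header.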