113 lines
5.4 KiB
HTML
113 lines
5.4 KiB
HTML
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
|
<html>
|
|
<head>
|
|
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
|
|
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">
|
|
|
|
<title>Configure a trust association interceptor</title>
|
|
</head>
|
|
|
|
<BODY>
|
|
<!-- Java sync-link -->
|
|
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>
|
|
|
|
<h4><a name="secctai"></a>Configure a trust association interceptor</h4>
|
|
|
|
<p>For more information about trust association interceptors, see <a href="sectai.htm">Trust associations</a>.</p>
|
|
|
|
<p>A typical scenario where the trust association interceptor (TAI) is used is better understood based on an environment where IBM Tivoli WebSEAL product is deployed and used with WebSphere Application Server. For WebSEAL, there is an implementation of the TAI already provided with the product. These steps outline the typical flow of an HTTP request for a secured WebSphere Application Server resource authenticated by WebSEAL, through a Web trust association.</p>
|
|
|
|
<ol>
|
|
<li>The browser makes a request for a secured WebSphere resource.</li>
|
|
<li>WebSEAL sends back a challenge, either an HTTP Basic authentication or form-based challenge.</li>
|
|
<li>User name and password are supplied.</li>
|
|
<li>WebSEAL authenticates the user.</li>
|
|
<li>The modified request is forwarded by WebSEAL to the WebSphere Application Server.</li>
|
|
<li>The plug-in (TAI) uses the validateEstablishedTrust method to establish that WebSphere Application Server trusts the WebSEAL server.</li>
|
|
<li>The plug-in extracts the end-user name from the iv-user header field and passes it to the WebSphere Application Server to handle authorization.</li>
|
|
</ol>
|
|
|
|
<p><strong>Note:</strong> Versions 3.9 and higher of WebSEAL do not send the user ID and password to the server. Trust is based on a mutual secure sockets layer connection established between WebSEAL and the WebSphere Application Server. As a result, steps 6 and 7 do not apply to versions 3.9 and higher of WebSEAL.</p>
|
|
|
|
<p><img src="rzaiz586.gif" width="550" height="272" alt="Flow of an HTTP request that is authenticated by WebSEAL through a trust association"></p>
|
|
|
|
<p>When you set up security for the first time, you need to complete the following steps if you want to use WebSEAL Trust Association Interceptor or your own trust association interceptor with a reverse proxy security server.</p>
|
|
|
|
<p>Perform these steps in the WebSphere administrative console:</p>
|
|
|
|
<ol>
|
|
<li><p><a href="../admin/acstart.htm">Start the administrative console</a>.</p></li>
|
|
|
|
<li><p>In the topology tree, expand <strong>Security --> Authentication mechanisms</strong> and click <strong>LTPA</strong>.</p></li>
|
|
|
|
<li><p>Click <strong>Trust Association</strong> under Additional Properties.</p></li>
|
|
|
|
<li><p>Select the <strong>Trust Association Enabled</strong> check box.</p></li>
|
|
|
|
<li><p>Click <strong>Interceptors</strong> under Additional Properties.</p></li>
|
|
|
|
<li><p>Select the interceptor that you want to configure. For additional information, see <a href="../admin/help/usec_tainterceptor.html">Trust association interceptor settings</a>. <img src="help.gif" width="18" height="15" align="absbottom" alt="Go to Help documentation"></p>
|
|
<ul>
|
|
<li>If you are using WebSEAL Interceptor, select com.ibm.ws.security.web.WebSEALTrustAssociationInterceptor.</li>
|
|
<li>To set up additional interceptors, perform these steps:
|
|
<ol type="a">
|
|
<li>Click <strong>New</strong>.</li>
|
|
<li>Specify the classname for the interceptor.</li>
|
|
<li>Click <strong>Apply</strong>.</li>
|
|
</ol>
|
|
</ul><p></p></li>
|
|
|
|
<li><p>To configure an interceptor, click the interceptor classname.</p></li>
|
|
|
|
<li><p>Click <strong>Custom Properties</strong>.</p></li>
|
|
|
|
<li><p>On the <strong>Custom Properties</strong> page, click <strong>New</strong>.</p></li>
|
|
|
|
<li><p>Specify the property name and value pairs. These are the name and value pairs for WebSEAL:</p>
|
|
|
|
<table border="1" cellpadding="3">
|
|
<tr>
|
|
<th>Property name</th>
|
|
<th>Value</th>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>com.ibm.websphere.security.trustassociation.types</td>
|
|
<td>WebSEAL</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>com.ibm.websphere.security.webseal.loginID</td>
|
|
<td>The ID of the WebSEAL server.</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>com.ibm.websphere.security.webseal.id</td>
|
|
<td>iv-user. This is a special header field that is sent by WebSEAL with the request to WebSphere Application Server.</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>com.ibm.websphere.security.webseal.hostnames</td>
|
|
<td>The host names (case sensitive) that are expected in the request header (the VIA header). This should also include the proxy host names (if any) unless the com.ibm.websphere.security.webseal.ignoreProxy is set to <tt>true</tt>.</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>com.ibm.websphere.security.webseal.ports</td>
|
|
<td>The corresponding port number of the host names that are expected in the request header (the VIA header). This should also include the proxy ports (if any) unless the com.ibm.websphere.security.webseal.ignoreProxy is set to <tt>true</tt>.</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>com.ibm.websphere.security.webseal.ignoreProxy</td>
|
|
<td>An optional property that if set to <tt>true</tt> or <tt>yes</tt> ignores the proxy host names and ports in the VIA header. By default this property is set to <tt>false</tt>.</td>
|
|
</tr>
|
|
</table><p></p></li>
|
|
|
|
<li><p>Click <strong>OK</strong>.</p></li>
|
|
|
|
<li><p>Save the configuration.</p></li>
|
|
</ol>
|
|
|
|
</body>
|
|
</html>
|
|
|