
IBM Security Access Manager Version 7.0

WebSEAL Administration Guide

SC23-6505-02


Note

Before using this information and the product it supports, read the information in Notices on page 797.

Edition notice

Note: This edition applies to version 7, release 0, modification 0 of IBM Security Access Manager (product number 5724-C87) and to all subsequent releases and modifications until otherwise indicated in new editions.

Copyright IBM Corporation 2002, 2012.
US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Figures . . . xv
Tables . . . xvii
About this publication . . . xix
  Intended audience . . . xix
  Access to publications and terminology . . . xix
  Related publications . . . xxii
  Accessibility . . . xxiv
  Technical training . . . xxiv
  Support information . . . xxiv

Part 1. Administration . . . 1

Chapter 1. IBM Security Access Manager for Web WebSEAL overview . . . 3
  Introduction . . . 3
  WebSEAL introduction . . . 4
  Security model . . . 5
  Security model concepts . . . 5
  The protected object space . . . 5
  Access control lists (ACLs) and protected object policies (POPs) . . . 6
  Access control list (ACL) policies . . . 7
  Protected object policies (POPs) . . . 7
  Explicit and inherited policy . . . 8
  Policy administration: The Web Portal Manager . . . 8
  Web space protection . . . 9
  Security policy planning and implementation . . . 10
  Content types and levels of protection . . . 11
  WebSEAL authentication . . . 12
  Standard WebSEAL junctions . . . 12
  Web space scalability . . . 14
  Replicated front-end WebSEAL servers . . . 15
  Junctioned back-end servers . . . 15
  Replicated back-end servers . . . 16

Chapter 2. Server administration . . . 19
  Server operation . . . 19
  The pdweb command . . . 19
  Starting the WebSEAL server . . . 19
  Stopping the WebSEAL server . . . 20
  Restarting the WebSEAL server . . . 20
  Displaying WebSEAL server status . . . 21
  Backup and restore . . . 21
  The pdbackup utility . . . 21
  WebSEAL data backup . . . 22
  WebSEAL data restoration . . . 23
  Extraction of archived WebSEAL data . . . 24
  Synchronization of WebSEAL data across multiple servers . . . 24
  Automating synchronization . . . 26
  Backing up and restoring data . . . 28
  Auditing and logging of resources for WebSEAL . . . 29
  Error message logging . . . 29
  WebSEAL server activity auditing . . . 29
  Common Auditing and Reporting Services (CARS) . . . 30
  Traditional auditing and logging of HTTP events . . . 30
  Problem determination resources for WebSEAL . . . 31
  Configuration data log file . . . 31
  Statistics . . . 33
  Application Response Measurement . . . 33
  Trace utility . . . 34

Part 2. Configuration . . . 37

Chapter 3. Web server configuration . . . 39
  WebSEAL server and host name specification . . . 39
  WebSEAL server name in the configuration file . . . 39
  WebSEAL server name in "pdadmin server list" . . . 40
  WebSEAL server name in the protected object space . . . 40
  Specifying the WebSEAL host (machine) name . . . 40
  WebSEAL configuration file . . . 41
  Configuration file organization . . . 41
  Configuration file name and location . . . 42
  Modifying configuration file settings . . . 43
  WebSEAL .obf configuration file . . . 43
  Default document root directory . . . 43
  Default root junction . . . 44
  Changing the root junction after WebSEAL installation . . . 44
  Directory indexing . . . 45
  Configuring directory indexing . . . 45
  Configuration of graphical icons for file types . . . 46
  Content caching . . . 46
  Content caching concepts . . . 47
  Configuration of content caching . . . 47
  Impact of HTTP headers on WebSEAL content caching . . . 48
  Flushing all caches . . . 50
  Cache control for specific documents . . . 50
  Communication protocol configuration . . . 51
  WebSEAL configuration for HTTP requests . . . 51
  WebSEAL configuration for HTTPS requests . . . 52
  Restrictions on connections from specific SSL versions . . . 52
  Persistent HTTP connections . . . 53
  WebSEAL configuration for handling HTTPOnly cookies . . . 53
  Timeout settings for HTTP and HTTPS communication . . . 54
  Additional WebSEAL server timeout settings . . . 55
  Support for WebDAV . . . 56
  Support for Microsoft RPC over HTTP . . . 57
  Support for chunked transfer coding . . . 58
  Internet Protocol version 6 (IPv6) support . . . 58
  IPv4 and IPv6 overview . . . 58


  Configuring IPv6 and IPv4 support . . . 59
  IPv6: Compatibility support . . . 59
  IPv6: Upgrade notes . . . 60
  IP levels for credential attributes . . . 60
  LDAP directory server configuration . . . 60
  Worker thread allocation . . . 61
  WebSEAL worker thread configuration . . . 62
  Allocation of worker threads for junctions (junction fairness) . . . 63
  HTTP data compression . . . 65
  Compression based on MIME-type . . . 65
  Compression based on user agent type . . . 66
  Compression policy in POPs . . . 67
  Data compression limitation . . . 67
  Configuring data compression policy . . . 67
  Multi-locale support with UTF-8 . . . 68
  Multi-locale support concepts . . . 68
  Configuration of multi-locale support . . . 73
  Validation of character encoding in request data . . . 78
  Supported wildcard pattern matching characters . . . 79
  Setting system environment variables . . . 79

Chapter 4. Web server response configuration . . . 81
  Static HTML server response pages . . . 81
  HTML server response page locations . . . 86
  Account management page location . . . 86
  Error message page location . . . 87
  Junction-specific static server response pages . . . 87
  HTML server response page modification . . . 88
  Guidelines for customizing HTML response pages . . . 88
  Macro resources for customizing HTML response pages . . . 88
  Macros embedded in a template . . . 91
  Adding an image to a custom login form . . . 93
  Account management page configuration . . . 94
  Configuration file stanza entries and values . . . 94
  Configuration of the account expiration error message . . . 95
  Configuration of the password policy options . . . 95
  Error message page configuration . . . 96
  Enabling the time of day error page . . . 97
  Creating new HTML error message pages . . . 97
  Compatibility with previous versions of WebSEAL . . . 98
  Multi-locale support for server responses . . . 98
  The accept-language HTTP header . . . 98
  WebSEAL language packs . . . 99
  Process flow for multi-locale support . . . 100
  Conditions affecting multi-locale support on WebSEAL . . . 100
  Handling the favicon.ico file with Mozilla Firefox . . . 100
  Adding custom headers to server response pages . . . 101
  Configuring the location URL format in redirect responses . . . 103
  Local response redirection . . . 103
  Local response redirection overview . . . 104
  Local response redirection process flow . . . 104
  Enabling and disabling local response redirection . . . 105
  Contents of a redirected response . . . 105
  URI for local response redirection . . . 105
  Operation for local response redirection . . . 106
  Macro support for local response redirection . . . 107
  Local response redirection configuration example . . . 111
  Technical notes for local response redirection . . . 112
  Remote response handling with local authentication . . . 112
  HTML redirection . . . 114
  Enabling HTML redirection . . . 114
  Preserving HTML fragments on redirection . . . 114

Chapter 5. Web server security configuration . . . 117
  Cryptographic hardware for encryption and key storage . . . 117
  Cryptographic hardware concepts . . . 117
  Conditions for using IBM 4758-023 . . . 118
  Configuration of the Cipher engine and FIPS mode processing . . . 118
  Configuring WebSEAL for cryptographic hardware . . . 118
  Configuring WebSEAL to support only Suite B ciphers . . . 122
  Prevention of vulnerability caused by cross-site scripting . . . 123
  Prevention of Cross-site Request Forgery (CSRF) attacks . . . 124
  Secret token validation . . . 124
  Referrer validation . . . 125
  Reject unsolicited authentication requests . . . 126
  Suppression of WebSEAL and back-end server identity . . . 126
  Suppressing WebSEAL server identity . . . 126
  Suppressing back-end application server identity . . . 127
  Disabling HTTP methods . . . 127
  Platform for Privacy Preferences (P3P) . . . 128
  Compact policy overview . . . 128
  Compact policy declaration . . . 129
  Junction header preservation . . . 130
  Default compact policy in the P3P header . . . 131
  Configuring the P3P header . . . 132
  Specifying a custom P3P compact policy . . . 138
  P3P configuration troubleshooting . . . 138

Chapter 6. Runtime security services external authorization service . . . 139
  About the runtime security services external authorization service . . . 139
  Configuring the runtime security services external authorization service in WebSEAL . . . 140
  Sample configuration data for runtime security services external authorization service . . . 143

Part 3. Authentication . . . 147

Chapter 7. Authentication overview . . . 149


  Definition and purpose of authentication . . . 149
  Information in a user request . . . 149
  Client identities and credentials . . . 150
  Authentication process flow . . . 150
  Authenticated and unauthenticated access to resources . . . 151
  Request process for authenticated users . . . 152
  Request process for unauthenticated users . . . 152
  Access conditions over SSL . . . 152
  Forcing user login . . . 153
  Use of unauthenticated HTTPS . . . 153
  Supported authentication methods . . . 153
  Authentication challenge based on user agent . . . 154

Chapter 8. Authentication methods . . . 157
  Authentication configuration overview . . . 157
  Authentication terminology . . . 157
  Supported authentication mechanisms . . . 158
  Authentication conversion library . . . 160
  Default configuration for WebSEAL authentication . . . 160
  Conditions for configuring multiple authentication methods . . . 160
  Logout and password change operations . . . 161
  Logging out: pkmslogout . . . 161
  Controlling custom response pages for pkmslogout . . . 162
  Changing passwords: pkmspasswd . . . 162
  Password change issue with Active Directory on Windows . . . 163
  Post password change processing . . . 163
  Basic authentication . . . 163
  Enabling and disabling basic authentication . . . 164
  Setting the realm name . . . 164
  Configuring the basic authentication mechanism . . . 164
  Multi-byte UTF-8 logins . . . 165
  Forms authentication . . . 166
  Enabling and disabling forms authentication . . . 166
  Configuring the forms authentication mechanism . . . 166
  Customizing HTML response forms . . . 167
  Submitting login form data directly to WebSEAL . . . 167
  Client-side certificate authentication . . . 169
  Client-side certificate authentication modes . . . 169
  Certificate authentication configuration task summary . . . 171
  Enabling certificate authentication . . . 172
  Configuration of the certificate authentication mechanism . . . 173
  Certificate login error page . . . 176
  Certificate login form . . . 176
  Disabling SSL session IDs for session tracking . . . 176
  Enabling and configuring the Certificate SSL ID cache . . . 177
  Setting the timeout for Certificate SSL ID cache . . . 177
  Error page for incorrect protocol . . . 178
  Disabling certificate authentication . . . 178
  Disabling the Certificate SSL ID cache . . . 179
  Technical notes for certificate authentication . . . 179
  HTTP header authentication . . . 179
  HTTP header authentication overview . . . 179
  Enabling HTTP header authentication . . . 180
  Specifying HTTP cookies . . . 181
  Specifying header types . . . 181
  Configuring the HTTP header authentication mechanism . . . 182
  Disabling HTTP header authentication . . . 182
  IP address authentication . . . 183
  Enabling and disabling IP address authentication . . . 183
  Configuring the IP address authentication mechanism . . . 183
  Token authentication . . . 184
  Token authentication concepts . . . 184
  Token authentication configuration task summary . . . 187
  Enabling token authentication . . . 187
  Configuring the token authentication mechanism . . . 188
  Enabling access to the RSA ACE/Agent client library . . . 189
  Specifying a customized password strength module . . . 189
  Disabling token authentication . . . 190
  Submitting login form data directly to WebSEAL . . . 190
  SPNEGO protocol and Kerberos authentication . . . 192
  LTPA authentication . . . 192
  LTPA authentication overview . . . 192
  Enabling LTPA authentication . . . 193
  Key file information . . . 193
  Specifying the cookie name for clients . . . 194
  Specifying the cookie name for junctions . . . 194
  Controlling the lifetime of the LTPA Token . . . 195
  Configuring the LTPA authentication mechanism . . . 195
  Disabling LTPA authentication . . . 196

Chapter 9. Advanced authentication methods . . . 197
  Multiplexing proxy agents . . . 197
  Multiplexing proxy agents overview . . . 197
  Valid session data types and authentication methods . . . 198
  Authentication process flow for MPA and multiple clients . . . 199
  Enabling and disabling MPA authentication . . . 200
  Creation of a user account for the MPA . . . 200
  Addition of the MPA account to the webseal-mpa-servers group . . . 200
  MPA authentication limitations . . . 200
  Switch user authentication . . . 200
  Overview of the switch user function . . . 201
  Configuration of switch user authentication . . . 203
  Using switch user . . . 209
  Additional switch user feature support . . . 210
  Custom authentication module for switch user . . . 211
  Configuration of a custom authentication module for switch user . . . 212
  Reauthentication . . . 213
  Reauthentication concepts . . . 213
  Reauthentication based on security policy . . . 214
  Reauthentication POP: creating and applying . . . 214
  Reauthentication based on session inactivity . . . 215


  Enabling of reauthentication based on session inactivity . . . 215
  Resetting of the session cache entry lifetime value . . . 216
  Extension of the session cache entry lifetime value . . . 216
  Prevention of session removal when the session lifetime expires . . . 217
  Removal of a user session at login failure policy limit . . . 217
  Customization of login forms for reauthentication . . . 219
  Authentication strength policy (step-up) . . . 219
  Authentication strength concepts . . . 219
  Authentication strength configuration task summary . . . 221
  Establishing an authentication strength policy . . . 221
  Specifying authentication levels . . . 222
  Specifying the authentication strength login form . . . 224
  Creating a protected object policy . . . 224
  Specifying network-based access restrictions . . . 226
  Attaching a protected object policy to a protected resource . . . 228
  Enforcing user identity match across authentication levels . . . 229
  Controlling the login response for unauthenticated users . . . 229
  Stepping up authentication at higher levels . . . 230
  External authentication interface . . . 230
  Client Certificate User Mapping . . . 230
  Introduction . . . 231
  User mapping rules evaluator . . . 235
  How to manage the CDAS . . . 238
  Configuring WebSEAL to use the certificate mapping module . . . 240

Chapter 10. Post-authentication processing . . . 245
  Automatic redirection after authentication . . . 245
  Overview of automatic redirection . . . 245
  Enabling automatic redirection . . . 246
  Disabling automatic redirection . . . 246
  Limitations . . . 247
  Macro support for automatic redirection . . . 247
  Server-side request caching . . . 249
  Server-side request caching concepts . . . 249
  Process flow for server-side request caching . . . 249
  Configuration of server-side caching . . . 251

Chapter 11. Password processing . . . 255
  Post password change processing . . . 255
  Post password change processing concepts . . . 255
  Configuring post password change processing . . . 256
  Post password change processing conditions . . . 256
  Login failure policy ("three strikes" login policy) . . . 256
  Login failure policy concepts . . . 256
  Setting the login failure policy . . . 257
  Setting the account disable time interval . . . 257
  Configuring the account disable notification response . . . 258
  Login failure policy with replicated WebSEAL servers . . . 259
  Password strength policy . . . 260
  Password strength policy concepts . . . 260
  Password strength policies . . . 261
  Syntax for password strength policy commands . . . 261
  Default password strength policy values . . . 262
  Valid and not valid password examples . . . 262
  Specifying user and global settings . . . 263

Chapter 12. Credential processing . . . 265
  Extended attributes for credentials . . . 265
  Mechanisms for adding registry attributes to a credential . . . 265
  Configure a registry attribute entitlement service . . . 266
  Junction handling of extended credential attributes . . . 268
  Credential refresh . . . 270
  Credential refresh concepts . . . 270
  Configure credential refresh . . . 274
  Credential refresh usage . . . 275

Chapter 13. External authentication interface . . . 279
  External authentication interface overview . . . 279
  External authentication interface process flow . . . 279
  External authentication interface configuration . . . 282
  Enabling the external authentication interface . . . 283
  Initiating the authentication process . . . 283
  Configuration of the external authentication interface trigger URL . . . 284
  HTTP header names for authentication data . . . 285
  Extracting authentication data from special HTTP headers . . . 286
  Configuration of the external authentication interface mechanism . . . 286
  How to generate the credential . . . 287
  External authentication interface credential replacement . . . 288
  Validating the user identity . . . 289
  How to write an external authentication application . . . 289
  External authentication interface HTTP header reference . . . 291
  Use of external authentication interface with existing WebSEAL features . . . 292
  Request caching with external authentication interface . . . 292
  Post-authentication redirection with external authentication interface . . . 293
  Session handling with external authentication interface . . . 293
  Authentication strength level with external authentication interface . . . 293
  Reauthentication with external authentication interface . . . 294
  Login page and macro support with external authentication interface . . . 294


  Setting a client-specific session cache entry lifetime value . . . 295
  Setting a client-specific session cache entry inactivity timeout value . . . 297

Part 4. Session State . . . 299

Chapter 14. Session state overview . . . 301
  Session state concepts . . . 301
  Supported session ID data types . . . 301
  Information retrieved from a client request . . . 302
  WebSEAL session cache structure . . . 302
  Deployment considerations for clustered environments . . . 303
  Consistent configuration on all WebSEAL replica servers . . . 304
  Client-to-server session affinity at the load balancer . . . 304
  Failover to a new master . . . 304
  Failover from one WebSEAL server to another . . . 304
  Options for handling failover in clustered environments . . . 304
  Option 1: No WebSEAL handling of failover events . . . 305
  Option 2: Authentication data included in each request . . . 305
  Option 3: Failover cookies . . . 305
  Option 4: The Session Management Server . . . 306
  Option 5: LTPA cookie . . . 306

Chapter 15. Session cache configuration . . . 309
  Session cache configuration overview . . . 309
  SSL session ID cache configuration . . . 310
  Cache entry timeout value . . . 310
  Maximum concurrent SSL sessions value . . . 310
  WebSEAL session cache configuration . . . 310
  Maximum session cache entries value . . . 311
  Cache entry lifetime timeout value . . . 311
  Setting a client-specific session cache entry lifetime value . . . 312
  Cache entry inactivity timeout value . . . 314
  Concurrent session limits . . . 315
  Session cache limitation . . . 316

Chapter 16. Failover solutions . . . 317
  Failover authentication concepts . . . 317
  The failover environment . . . 317
  Failover cookie . . . 318
  Failover authentication process flow . . . 319
  Failover authentication module . . . 319
  Example failover configuration . . . 320
  Addition of data to a failover cookie . . . 321
  Extraction of data from a failover cookie . . . 323
  Domain-wide failover authentication . . . 324
  Failover authentication configuration . . . 325
  Configuring failover authentication . . . 325
  Protocol for failover cookies . . . 326
  Configuring the failover authentication mechanism . . . 327
  Generating a key pair to encrypt and decrypt cookie data . . . 328
  Specifying the failover cookie lifetime . . . 328
  Specifying UTF-8 encoding on cookie strings . . . 329
  Adding the authentication strength level . . . 329
  Reissue of missing failover cookies . . . 329
  Addition of session lifetime timestamp . . . 330
  Adding the session activity timestamp . . . 331
  Addition of an interval for updating the activity timestamp . . . 331
  Addition of extended attributes . . . 332
  Authentication strength level attribute after failover authentication . . . 332
  Attributes for extraction . . . 333
  Enabling domain-wide failover cookies . . . 334
  Validation of a lifetime timestamp . . . 334
  Validation of an activity timestamp . . . 334
  Failover for non-sticky failover environments . . . 335
  Non-sticky failover concepts . . . 335
  Configuring the non-sticky failover solution . . . 336
  Use of failover cookies with existing WebSEAL features . . . 337
  Change password operation in a failover environment . . . 338

Chapter 17. Session state in non-clustered environments . . . 339
  Maintain session state in non-clustered environments . . . 339
  Control on session state information over SSL . . . 339
  Use of the same session key over different transports . . . 340
  Valid session key data types . . . 340
  Effective session timeout value . . . 342
  Netscape 4.7x limitation for use-same-session . . . 342
  Session cookies . . . 343
  Session cookies concepts . . . 343
  Conditions for using session cookies . . . 343
  Customization of the session cookie name . . . 344
  Sending session cookies with each request . . . 344
  Customized responses for old session cookies . . . 345
  Session removal and old session cookie concepts . . . 345
  Enabling customized responses for old session cookies . . . 346
  Maintain session state with HTTP headers . . . 347
  HTTP header session key concepts . . . 347
  Configuring HTTP headers to maintain session state . . . 347
  Setup for requiring requests from an MPA . . . 349
  Compatibility with previous versions of WebSEAL . . . 349
  Share sessions with Microsoft Office applications . . . 350
  Overview of session sharing with Microsoft Office applications . . . 350
  Configure the temporary session cache . . . 351
  Configure shared sessions with Microsoft Office applications . . . 352


Part 5. Session Management Server . . . 357

Chapter 18. Session management server (SMS) overview . . . 359
  The failover environment . . . 359
  The session management server (SMS) . . . 360
  Server clusters, replica sets, and session realms . . . 360
  SMS process flow . . . 361
  Sharing sessions across multiple DNS domains . . . 362

Chapter 19. Quickstart guide for WebSEAL using SMS . . . 365
  Configuration summary for WebSEAL using SMS . . . 365
  1. Information gathering . . . 365
  2. WebSEAL configuration file settings . . . 366
  3. Import the Security Access Manager CA Certificate . . . 366
  4. Restart the WebSEAL server . . . 367
  5. Create junctions for virtual hosts . . . 367
  6. Junction the session management server . . . 367
  7. Set the maximum concurrent sessions policy . . . 368
  8. Test the configuration . . . 368

Chapter 20. Configuration for WebSEAL using SMS . . . 371
  SMS configuration for WebSEAL . . . 371
  Configuring the session management server (SMS) . . . 371
  Enabling and disabling SMS for WebSEAL . . . 371
  Specifying session management server cluster and location . . . 372
  Retrieving the maximum concurrent sessions policy value . . . 372
  Replica set configuration . . . 374
  Configuring WebSEAL to participate in multiple replica sets . . . 374
  Assigning standard junctions to a replica set . . . 374
  Virtual hosts assigned to a replica set . . . 375
  Example replica set configuration . . . 375
  Adjustment of the last access time update frequency for SMS . . . 378
  SMS communication timeout configuration . . . 378
  Configuring SMS response timeout . . . 378
  Configuring connection timeout for broadcast events . . . 379
  SMS performance configuration . . . 379
  Maximum pre-allocated session IDs . . . 379
  Configuration of the handle pool size . . . 380
  SMS Authentication . . . 380
  SSL configuration for WebSEAL and SMS . . . 380
  Configuring the WebSEAL key database . . . 381
  Specifying the SSL certificate distinguished name (DN) . . . 382
  GSKit configuration for SMS connections . . . 383
  Maximum concurrent sessions policy . . . 383
  Setting the maximum concurrent sessions policy . . . 383
  Enforcing the maximum concurrent sessions policy . . . 387
  Switch user and maximum concurrent sessions policy . . . 387
  Single signon within a session realm . . . 388
  Session realm and session sharing concepts . . . 388
  Configuring session sharing . . . 389
  Configuring login history . . . 391
  Enabling login failure notification . . . 391
  Creating a junction to the session management server . . . 392
  Allowing access to the login history JSP . . . 392
  Customizing the JSP to display login history . . . 393

Part 6. Authorization . . . 395

Chapter 21. Configuration for authorization . . . 397
  WebSEAL-specific ACL policies . . . 397
  /WebSEAL/host-instance_name . . . 397
  /WebSEAL/host-instance_name/file . . . 397
  WebSEAL ACL permissions . . . 397
  Default /WebSEAL ACL policy . . . 398
  Valid characters for ACL names . . . 398
  Quality of protection POP . . . 398
  Configuration of authorization database updates and polling . . . 399
  Configuring quality of protection levels . . . 400
  Authorization decision information . . . 402
  Support for OAuth authorization decisions . . . 402

Chapter 22. Key management . . . 409
  Key management overview . . . 409
  Client-side and server-side certificate concepts . . . 410
  GSKit key database file types . . . 410
  Configuration of the WebSEAL key database file . . . 411
  WebSEAL key database file . . . 411
  Key database file password . . . 412
  WebSEAL test certificate . . . 412
  Inter-server SSL communication for Security Access Manager . . . 413
  Use of the iKeyman certificate management utility . . . 413
  Certificate revocation in WebSEAL . . . 414
  Certificate revocation list (CRL) . . . 414
  Configuration of CRL checking . . . 414
  Certificate distribution points . . . 415
  Configuration of the CRL cache . . . 415
  Set the maximum number of cache entries . . . 415
  Set the GSKit cache lifetime timeout value . . . 415
  Enable the CRL cache . . . 416
  Use of the WebSEAL test certificate for SSL connections . . . 416

Chapter 23. Customized authorization . . . 419
  Custom requests . . . 419
  Custom responses . . . 419

Part 7. Standard WebSEAL Junctions . . . 421

    viii IBM Security Access Manager Version 7.0: WebSEAL Administration Guide

Chapter 24. Standard WebSEAL junctions . . . 423
  WebSEAL junctions overview . . . 423
    Junction types . . . 423
    Junction database location and format . . . 424
    Applying coarse-grained access control: summary . . . 424
    Applying fine-grained access control: summary . . . 424
    Additional references for WebSEAL junctions . . . 425
  Management of junctions with Web Portal Manager . . . 425
    Creating a junction using Web Portal Manager . . . 425
    Listing junctions using Web Portal Manager . . . 426
    Deleting junctions using Web Portal Manager . . . 426
  Managing junctions with the pdadmin utility . . . 426
    Import and export of junction databases . . . 427
  Standard WebSEAL junction configuration . . . 428
    The pdadmin server task create command . . . 428
    Creating TCP type standard junctions . . . 428
    Creating SSL type standard junctions . . . 429
    Creating mutual junctions . . . 429
    SSL-based standard junctions . . . 430
    Adding multiple back-end servers to a standard junction . . . 431
    Local type standard junction . . . 431
    Disable local junctions . . . 431
  Transparent path junctions . . . 432
    Filtering concepts in standard WebSEAL junctions . . . 432
    Transparent path junction concepts . . . 433
    Configuring transparent path junctions . . . 434
    Example transparent path junction . . . 434
  Technical notes for using WebSEAL junctions . . . 435
    Guidelines for creating WebSEAL junctions . . . 435
    Adding multiple back-end servers to the same junction . . . 435
    Exceptions to enforcing permissions across junctions . . . 436
    Certificate authentication across junctions . . . 436
    Handling domain cookies . . . 437
    Supported HTTP versions for requests and responses . . . 437
    Junctioned application with Web Portal Manager . . . 438
  How to generate a back-end server Web space (query_contents) . . . 438
    query_contents overview . . . 438
    query_contents components . . . 440
    Installing and configuring query_contents on UNIX-based Web servers . . . 440
    Installing and configuring query_contents on Windows-based Web servers . . . 442
    General process flow for query_contents . . . 443
    Securing the query_contents program . . . 443

Chapter 25. Advanced junction configuration . . . 445
  Mutually authenticated SSL junctions . . . 445
    Mutually authenticated SSL junctions process summary . . . 445
    Validation of the back-end server certificate . . . 446
    Matching the distinguished name (DN) . . . 446
    Authentication with a client certificate . . . 447
    Authentication with a BA header . . . 447
  TCP and SSL proxy junctions . . . 448
  WebSEAL-to-WebSEAL junctions over SSL . . . 448
  Stateful junctions . . . 450
    Stateful junction concepts . . . 450
    Configuration of stateful junctions . . . 450
    Specifying back-end server UUIDs for stateful junctions . . . 451
    Handling an unavailable stateful server . . . 453
  Forcing a new junction . . . 454
  Use of /pkmslogout with virtual host junctions . . . 455
  Junction throttling . . . 455
    Junction throttling concepts . . . 455
    Placing a junctioned server in a throttled state . . . 456
    Junctioned server in an offline state . . . 458
    Junctioned server in an online state . . . 460
    Junction throttle messages . . . 461
    Use of junction throttling with existing WebSEAL features . . . 462
  Management of cookies . . . 463
    Passing of session cookies to junctioned portal servers . . . 464
  Support for URLs as not case-sensitive . . . 466
  Junctions to Windows file systems . . . 467
    Example . . . 467
    ACLs and POPs must attach to lower-case object names . . . 468
  Standard junctions to virtual hosts . . . 468
  UTF-8 encoding for HTTP header data . . . 469
  Bypassing buffering on a per-resource basis . . . 470
  Single sign-on solutions across junctions . . . 471

Chapter 26. Modification of URLs to junctioned resources . . . 473
  URL modification concepts . . . 473
  Path types used in URLs . . . 474
  Special characters in URLs . . . 475
  Modification of URLs in responses . . . 475
    Filtering of tag-based static URLs . . . 475
    Modifying absolute URLs with script filtering . . . 484
    Configuring the rewrite-absolute-with-absolute option . . . 485
    Filtering changes the Content-Length header . . . 485
    Limitation with unfiltered server-relative links . . . 486
  Modification of URLs in requests . . . 487
    Modification of server-relative URLs with junction mapping . . . 487
    Modification of server-relative URLs with junction cookies . . . 488
    Control on the junction cookie JavaScript block . . . 490
    Modification of server-relative URLs using the HTTP Referer header . . . 493
    Controlling server-relative URL processing in requests . . . 494
  Handling cookies from servers across multiple -j junctions . . . 496
    Cookie handling: -j modifies Set-Cookie path attribute . . . 496


    Cookie handling: -j modifies Set-Cookie name attribute . . . 497
    Preservation of cookie names . . . 497
    Cookie handling: -I ensures unique Set-Cookie name attribute . . . 498

Chapter 27. HTTP transformations . . . 501
  HTTP transformation rules . . . 501
    Extensible Stylesheet Language Transformation (XSLT) . . . 502
    HTTP request objects . . . 502
    HTTP response objects . . . 502
    Replacing the HTTP response . . . 503
    XSL transformation rules . . . 503
    Reprocessing considerations . . . 505
    XSLT templates . . . 505
  Configuration . . . 505
    Configuration file updates . . . 505
    Protected Object Policy (POP) . . . 506
  Example HTTP transformation scenarios . . . 506
    Scenario 1: Modifying the URI, headers, and cookies (HTTPRequest) . . . 506
    Scenario 2: Modifying the headers only (HTTPResponse) . . . 509
    Scenario 3: Modifying the ResponseLine/StatusCode only (HTTPResponse) . . . 511
    Scenario 4: Modifying cookies only (HTTPResponse) . . . 512
    Scenario 5: Providing a response to a known HTTP request . . . 515
  Transformation errors . . . 516

Chapter 28. Microsoft RPC over HTTP . . . 519
  RPC over HTTP support in WebSEAL . . . 519
  Junction configuration . . . 520
  POP configuration . . . 521
  Authentication limitations . . . 521
  Timeout considerations . . . 521
  WebSEAL server log errors . . . 522
  Worker thread consideration . . . 522

Chapter 29. Command option summary: standard junctions . . . 523
  Using pdadmin server task to create junctions . . . 523
  Server task commands for junctions . . . 524
  Creation of a junction for an initial server . . . 525
  Addition of server to an existing junction . . . 531

Part 8. Virtual Hosting . . . 535

Chapter 30. Virtual host junctions . . . 537
  Virtual host junction concepts . . . 537
    Standard WebSEAL junctions . . . 537
    Challenges of URL filtering . . . 538
    Virtual hosting . . . 538
    Virtual host junction solution . . . 538
    Stanzas and stanza entries ignored by virtual host junctions . . . 540
    Virtual hosts represented in the object space . . . 540
  Configuration of a virtual host junction . . . 541
    Creation of a remote type virtual host junction . . . 541
    Creation of a local type virtual host junction . . . 543
  Scenario 1: Remote virtual host junctions . . . 544
  Definition of interfaces for virtual host junctions . . . 546
    Default interface specification . . . 546
    Defining additional interfaces . . . 546
  Scenario 2: Virtual host junctions with interfaces . . . 548
  Use of virtual hosts with existing WebSEAL features . . . 550
    E-community single signon with virtual hosts . . . 550
    Cross-domain single signon with virtual hosts . . . 552
    Dynamic URLs with virtual host junctions . . . 552
    Using domain session cookies for virtual host single sign-on . . . 553
    Junction throttling . . . 554
  Scenario 3: Advanced virtual host configuration . . . 554
  Virtual host junction limitations . . . 556
    SSL session IDs not usable by virtual hosts . . . 557

Chapter 31. Command option summary: Virtual host junctions . . . 559
  Using pdadmin server task to create virtual host junctions . . . 559
  Server task commands for virtual host junctions . . . 560
  Creation of a virtual host junction . . . 561
  Addition of a server to a virtual host junction . . . 567

Part 9. Single Signon Solutions . . . 569

Chapter 32. Single signon solutions across junctions . . . 571
  Single signon using Tivoli Federated Identity Manager . . . 571
    GSKit configuration for connections with Tivoli Federated Identity Manager . . . 573
    Use of Kerberos credentials . . . 573
  Single sign-on using HTTP BA headers . . . 574
    Single signon (SSO) concepts . . . 574
    Client identity in HTTP BA headers . . . 575
    Client identity and generic password . . . 575
    Forwarding of original client BA header information . . . 576
    Removal of client BA header information . . . 577
    User names and passwords from GSO . . . 578
    Client identity information across junctions . . . 578
  Identity information supplied in HTTP headers . . . 579
    Client identity in HTTP headers (-c) . . . 579
    Client IP addresses in HTTP headers (-r) . . . 581
    Limiting the size of WebSEAL-generated HTTP headers . . . 582
  Global signon (GSO) . . . 583
    Global sign-on overview . . . 583
    Authentication information mapping . . . 584
    Configuring a GSO-enabled WebSEAL junction . . . 585
    Configuration of the GSO cache . . . 585
  Single signon to IBM WebSphere (LTPA) . . . 586
    LTPA overview . . . 586
    Configuration of an LTPA junction . . . 587
    Configuration of the LTPA cache . . . 588


    Technical notes for LTPA single sign-on . . . 588
  Forms single signon authentication . . . 589
    Forms single signon concepts . . . 589
    Forms single signon process flow . . . 590
    Requirements for application support . . . 591
    Creation of the configuration file for forms single signon . . . 591
    How to enable forms single signon . . . 595
    Forms single sign-on example . . . 596

Chapter 33. Windows desktop single sign-on . . . 597
  Windows desktop single sign-on concepts . . . 597
    SPNEGO protocol and Kerberos authentication . . . 597
    User registry and platform support for SPNEGO . . . 598
    SPNEGO compatibility with other authentication methods . . . 599
    Mapping of user names from multi-domain Active Directory registries . . . 599
    Multiple Active Directory domain support . . . 601
    SPNEGO authentication limitations . . . 601
  Configuring Windows desktop single signon (Windows) . . . 602
    1. Create an identity for WebSEAL in an Active Directory domain . . . 602
    2. Map a Kerberos principal to an Active Directory user . . . 603
    3. Enable SPNEGO for WebSEAL . . . 605
    4. Restart WebSEAL . . . 605
    5. Configure the Internet Explorer client . . . 605
    Troubleshooting for Windows desktop single signon . . . 606
  Configuring Windows desktop single signon (UNIX) . . . 606
    1. Configure the embedded Kerberos client . . . 606
    2. Create an identity for WebSEAL in an Active Directory domain . . . 608
    3. Map a Kerberos principal to an Active Directory user . . . 609
    4. Verify the authentication of the Web server principal . . . 612
    5. Verify WebSEAL authentication using the keytab file . . . 612
    6. Enable SPNEGO for WebSEAL . . . 612
    7. Add service name and keytab file entries . . . 613
    8. Restart WebSEAL and browser . . . 614
    9. Configure the Internet Explorer client . . . 614
    Troubleshooting for Windows desktop single sign-on . . . 614
  Configuration notes for a load balancer environment . . . 615

Chapter 34. Cross-domain single sign-on . . . 617
  Cross-domain single signon concepts . . . 617
    Cross-domain single signon overview . . . 617
    Default and custom authentication tokens . . . 618
    Extended user attributes and identity mapping . . . 618
    CDSSO process flow with attribute transfer and user mapping . . . 618
  Configuration of cross-domain single signon . . . 620
    CDSSO configuration summary . . . 620
    CDSSO conditions and requirements . . . 621
    Enabling and disabling CDSSO authentication . . . 622
    Configuring the CDSSO authentication mechanism . . . 623
    Encrypting the authentication token data . . . 624
    Configuring the token time stamp . . . 625
    Configuring the token label name . . . 625
    Creating the CDSSO HTML link . . . 626
    Handling errors from CDMF during token creation . . . 626
    Protection of the authentication token . . . 627
    Use of cross-domain single signon with virtual hosts . . . 627
  Extended attributes for CDSSO . . . 627
    Extended attributes to add to token . . . 627
    Extended attributes to extract from a token . . . 628
  UTF-8 encoding of tokens for cross domain single signon . . . 629

Chapter 35. LTPA single signon . . . 631
  LTPA single sign-on overview . . . 631
  Configuring LTPA single signon . . . 631
  Technical notes for LTPA single sign-on . . . 632

Chapter 36. E-community single signon . . . 633
  E-community single signon concepts . . . 633
    E-community overview . . . 633
    E-community features and requirements . . . 635
    E-community process flow . . . 635
    The e-community cookie . . . 639
    The vouch-for request and reply . . . 640
    The vouch-for token . . . 641
  Configuration of e-community single sign-on . . . 641
    E-community configuration summary . . . 642
    E-community conditions and requirements . . . 643
    Enabling and disabling e-community authentication . . . 644
    Specifying an e-community name . . . 645
    Configuring the single sign-on authentication mechanism . . . 645
    Encrypting the vouch-for token . . . 646
    Configuring the vouch-for token label name . . . 647
    Specifying the master authentication server (MAS) . . . 648
    Specifying the vouch-for URL . . . 649
    Configure token and ec-cookie lifetime values . . . 649
    Handling errors from CDMF during token creation . . . 650
    Enabling unauthenticated access . . . 650
    Limiting the ability to generate vouch-for tokens . . . 651
    Configuration of the behavior for authentication failure . . . 651
    Logout using pkmslogout-nomas . . . 651
    Use of e-community with virtual hosts . . . 652
  Extended attributes for ECSSO . . . 652
    Extended attributes to add to token . . . 652
    Extended attributes to extract from token . . . 653


  UTF-8 encoding of tokens for e-community single signon . . . 654

Chapter 37. Single sign-off . . . 655
  Overview of the single sign-off functionality . . . 655
  Configuring single signoff . . . 655
  Specifications for single sign-off requests and responses . . . 656

Part 10. Deployment . . . 657

Chapter 38. WebSEAL instance deployment . . . 659
  WebSEAL instance configuration overview . . . 659
    WebSEAL instance configuration planning . . . 659
    Example WebSEAL instance configuration values . . . 664
    Unique configuration file for each WebSEAL instance . . . 664
    Interactive configuration overview . . . 664
    Command line configuration overview . . . 665
    Silent configuration overview (response file) . . . 666
  WebSEAL instance configuration tasks . . . 667
    Adding a WebSEAL instance . . . 667
    Removing a WebSEAL instance . . . 669
  Load balancing environments . . . 670
    Replicating front-end WebSEAL servers . . . 670
    Controlling the login_success response . . . 671

Chapter 39. Application integration . . . 673
  CGI programming support . . . 673
    WebSEAL and CGI scripts . . . 673
    Creation of a cgi-bin directory . . . 673
    WebSEAL environment variables for CGI programming . . . 674
    Windows environment variables for CGI programs . . . 674
    UTF-8 environment variables for CGI programs . . . 675
    Windows: File naming for CGI programs . . . 675
    UNIX files misinterpreted as CGI scripts over local junctions . . . 676
  Support for back-end server-side applications . . . 676
  Best practices for standard junction usage . . . 677
    Complete Host header information with -v . . . 677
    Standard absolute URL filtering . . . 677
  Custom personalization service . . . 678
    Personalization service concepts . . . 678
    Configuring WebSEAL for a personalization service . . . 679
    Personalization service example . . . 679
  User session management for back-end servers . . . 680
    User session management concepts . . . 680
    Enabling user session ID management . . . 681
    Inserting user session data into HTTP headers . . . 682
    Terminating user sessions . . . 683
    User event correlation for back-end servers . . . 686

Chapter 40. Dynamic URLs . . . 689
  Access control for dynamic URLs . . . 689
    Dynamic URL components . . . 689
    Access control for dynamic URLs: dynurl.conf . . . 689
    Conversion of POST body dynamic data to query string format . . . 690
    Mapping ACL and POP objects to dynamic URLs . . . 690
    Character encoding and query string validation . . . 691
    Updating WebSEAL for dynamic URLs . . . 692
    Resolve dynamic URLs in the object space . . . 692
    Configuration of limitations on POST requests . . . 693
    Dynamic URLs summary and technical notes . . . 694
  Dynamic URL example: The Travel Kingdom . . . 695
    The application . . . 695
    The interface . . . 696
    The security policy . . . 696
    Secure clients . . . 697
    Access control . . . 697
    Conclusion . . . 698

Chapter 41. Internet Content Adaptation Protocol (ICAP) Support . . . 699
  ICAP integration with WebSEAL - Workflow . . . 700
  Scope of functionality . . . 700
  Configuration of ICAP support within WebSEAL . . . 701

Part 11. Attribute Retrieval Service . . . 703

Chapter 42. Attribute retrieval service reference . . . 705
  Basic configuration . . . 705
    Configuration files . . . 705
    Descriptions of amwebars.conf configuration stanza entries . . . 706
  Data table editing . . . 708
    ProviderTable . . . 708
    ContainerDescriptorTable . . . 709
    ProtocolTable . . . 712
  Custom protocol plug-ins . . . 712
    Overview . . . 712
    Protocol plug-in . . . 713

Chapter 43. Authorization decision information retrieval . . . 715
  Overview of ADI retrieval . . . 715
  ADI retrieval from the WebSEAL client request . . . 715
    Example: Retrieving ADI from the request header . . . 717
    Example: Retrieving ADI from the request query string . . . 717
    Example: Retrieving ADI from the request POST body . . . 718
  ADI retrieval from the user credential . . . 718
  Supplying a failure reason across a junction . . . 719
  Dynamic ADI retrieval . . . 720
  Deploying the attribute retrieval service . . . 721
  Configuring WebSEAL to use the attribute retrieval service . . . 721

Part 12. Appendixes . . . 723


Appendix A. Guidelines for changing configuration files . . . 725
  General guidelines . . . 725
  Default values . . . 725
  Strings . . . 726
  Defined strings . . . 726
  File names . . . 726
  Integers . . . 727
  Boolean values . . . 727

Appendix B. Command reference . . . 729
  Reading syntax statements . . . 730
  help . . . 730
  server list . . . 732
  server task add . . . 732
  server task cache flush all . . . 735
  server task cfgdb export . . . 737
  server task cfgdb import . . . 738
  server task cluster restart . . . 739
  server task create . . . 741
  server task delete . . . 748
  server task dynurl update . . . 749
  server task file cat . . . 750
  server task help . . . 751
  server task jdb export . . . 753
  server task jdb import . . . 754
  server task jmt . . . 755
  server task list . . . 757
  server task offline . . . 758
  server task online . . . 760
  server task refresh all_sessions . . . 762
  server task reload . . . 763
  server task remove . . . 764
  server task server restart . . . 765
  server task show . . . 766
  server task server sync . . . 768
  server task terminate all_sessions . . . 769
  server task terminate session . . . 770
  server task throttle . . . 771
  server task virtualhost add . . . 773
  server task virtualhost create . . . 775
  server task virtualhost delete . . . 782
  server task virtualhost list . . . 784
  server task virtualhost offline . . . 785
  server task virtualhost online . . . 787
  server task virtualhost remove . . . 789
  server task virtualhost show . . . 791
  server task virtualhost throttle . . . 793

Notices . . . 797

Index . . . 801


Figures

1. Protecting resources with WebSEAL . . . 4
2. Protected object space . . . 6
3. ACL policy . . . 7
4. Explicit and inherited policies . . . 8
5. Web space protection . . . 10
6. Junctions connect WebSEAL with back-end resources . . . 13
7. WebSEAL junction results in a unified Web space . . . 14
8. Junctioned back-end servers . . . 15
9. Unified Web space . . . 16
10. Replicated back-end servers . . . 17
11. Cluster Support . . . 27
12. Timeout settings for HTTP and HTTPS communication . . . 55
13. Authentication process flow . . . 151
14. Communication over an MPA Gateway . . . 198
15. Swapping administrator and user cache data during switch user . . . 202
16. Example WebSEAL request caching process flow . . . 251
17. External authentication interface process flow . . . 280
18. WebSEAL session cache . . . 303
19. Session cache configuration file entries . . . 309
20. Failover for replicated WebSEAL servers . . . 318
21. Sharing WebSEAL sessions with Microsoft SharePoint server . . . 353
22. Failover for replicated WebSEAL servers . . . 359
23. WebSEAL/SMS process flow . . . 361
24. Junction configuration for a single WebSEAL server . . . 376
25. Replica set configuration . . . 377
26. Logical flow of the OAuth EAS . . . 403
27. Keyfile management configuration . . . 409
28. Non-secure TCP (HTTP) junction . . . 428
29. Secure SSL (HTTPS) junction . . . 429
30. Example proxy junction . . . 448
31. WebSEAL-to-WebSEAL junction scenario . . . 449
32. Stateful junctions use back-end server UUIDs . . . 451
33. Dissimilar UUIDs . . . 452
34. Specifying back-end server UUIDs for stateful junctions . . . 452
35. Configuring virtual hosts . . . 469
36. Summary: Modifying URLs to back-end resources . . . 474
37. Filtering absolute URLs . . . 484
38. Processing server-relative URLs with junction cookies . . . 490
39. WebSEAL RPC over HTTP . . . 519
40. Virtual host junction scenario 1 . . . 545
41. Virtual host junction scenario 2 . . . 549
42. Virtual host junction scenario 3 . . . 555
43. Multiple logins . . . 574
44. Supplying authentication information to back-end application servers . . . 575
45. BA Header contains identity and "dummy" password . . . 576
46. WebSEAL forwards original client identity information . . . 577
47. Removing client BA header information . . . 577
48. Global sign-on mechanism . . . 583
49. Forms single signon process flow . . . 590
50. Cross-domain single signon process with CDMF . . . 620
51. The e-community model . . . 634
52. Example configuration for e-community process flow . . . 636
53. Session management . . . 681
54. Terminate all userA sessions . . . 686
55. Passing data in the query string of a request URL . . . 689
56. Authorization on a dynamic URL . . . 691
57. Dynamic ADI retrieval . . . 720

    Copyright IBM Corp. 2002, 2012 xv


Tables

1. ARM transaction classes used by WebSEAL . . . 34
2. Supported wildcard matching characters . . . 79
3. Characters encoded in URL and non-URL macros . . . 92
4. Macros for defining custom headers . . . 102
5. P3P default header values . . . 131
6. Supported values for the access entry . . . 132
7. Supported values for the categories entry . . . 133
8. Supported values for the disputes entry . . . 134
9. Supported values for the remedies entry . . . 134
10. Supported values for the non-identifiable entry . . . 135
11. Supported values for the purpose entry . . . 135
12. Supported values for the opt-in or opt-out policy . . . 136
13. Supported values for the recipient entry . . . 136
14. Opt-in policy values . . . 137
15. Supported values for the retention entry . . . 137
16. Runtime security services EAS access decisions . . . 139
17. Stanza entries for authentication mechanisms . . . 158
18. Configuring basic authentication . . . 164
19. Basic authentication modules . . . 165
20. Configuring forms authentication . . . 166
21. Forms authentication modules . . . 167
22. Configuring certificate authentication . . . 172
23. Certificate authentication modules . . . 173
24. Certificate authentication modules . . . 175
25. Configuring HTTP header authentication . . . 180
26. HTTP header authentication modules . . . 182
27. Configuring IP address authentication . . . 183
28. Configuring token authentication . . . 188
29. Token authentication modules . . . 188
30. Configuring LTPA authentication . . . 193
31. LTPA authentication modules . . . 195
32. Switch user authentication modules . . . 204
33. Authentication methods supported for authentication strength . . . 222
34. Example integer values for authentication strength levels . . . 225
35. Using netmask to specify a network range (IPv4) . . . 227
36. Using netmask to specify a network range (IPv6) . . . 227
37. Additional files for Client Certificate User Mapping functionality . . . 238
38. Configuring the external authentication interface . . . 283
39. Examples of authentication requests to an external authentication application . . . 284
40. External authentication interface authentication modules . . . 287
41. Supplemental credential data provided by WebSEAL . . . 287
42. PAC headers . . . 291
43. User identity headers . . . 291
44. Session identifier headers . . . 292
45. Common headers . . . 292
46. Supported protocols for failover cookies . . . 327
47. Failover authentication module names . . . 327
48. Local type junction options . . . 431
49. Return codes . . . 439
50. Base elements . . . 504
51. XSLT Template files . . . 505
52. Remote type virtual host junction options . . . 541
53. Local type virtual host junction options . . . 543
54. Valid properties and values for additional interface definitions . . . 547
55. Configuration requirements for a Tivoli Federated Identity Manager trust chain . . . 571
56. Kerberos authentication library location . . . 605
57. CDSSO modules . . . 623
58. Module names for e-community . . . 645
59. WebSEAL instances sharing the same IPv4 address . . . 661
60. WebSEAL instances sharing the same IPv6 address . . . 661
61. WebSEAL instances with unique IPv4 addresses . . . 661
62. WebSEAL instances with unique IPv6 addresses . . . 661
63. Worksheet for adding a WebSEAL instance . . . 667


About this publication

Welcome to the IBM Security Access Manager: WebSEAL Administration Guide.

IBM Security Access Manager for Web, formerly called IBM Tivoli Access Manager for e-business, is a user authentication, authorization, and web single sign-on solution for enforcing security policies over a wide range of web and application resources.

IBM Security Access Manager for Web WebSEAL is the resource manager for web-based resources in a Security Access Manager secure domain. WebSEAL is a high performance, multi-threaded web server that applies fine-grained security policy to the protected web object space. WebSEAL can provide single signon solutions and incorporate back-end web application server resources into its security policy.

This administration guide provides a comprehensive set of procedures and reference information for managing the resources of your secure web domain. This guide also provides you with valuable background and concept information for the wide range of WebSEAL functionality. For the complete stanza reference for WebSEAL configuration, see the IBM Security Access Manager: WebSEAL Configuration Stanza Reference.

Intended audience

This guide is for system administrators responsible for configuring and maintaining a Security Access Manager WebSEAL environment.

Readers should be familiar with the following:
v PC and UNIX or Linux operating systems
v Database architecture and concepts
v Security management
v Internet protocols, including HTTP, TCP/IP, File Transfer Protocol (FTP), and Telnet
v Lightweight Directory Access Protocol (LDAP) and directory services
v A supported user registry
v WebSphere Application Server administration
v Authentication and authorization

If you are enabling Secure Sockets Layer (SSL) communication, you also should be familiar with the SSL protocol, key exchange (public and private), digital signatures, cryptographic algorithms, and certificate authorities.

Access to publications and terminology

This section provides:
v A list of publications in the IBM Security Access Manager for Web library on page xx.
v Links to Online publications on page xxi.
v A link to the IBM Terminology website on page xxii.


IBM Security Access Manager for Web library

The following documents are in the IBM Security Access Manager for Web library:
v IBM Security Access Manager for Web Quick Start Guide, GI11-9333-01
Provides steps that summarize major installation and configuration tasks.
v IBM Security Web Gateway Appliance Quick Start Guide Hardware Offering
Guides users through the process of connecting and completing the initial configuration of the WebSEAL Hardware Appliance, SC22-5434-00
v IBM Security Web Gateway Appliance Quick Start Guide Virtual Offering
Guides users through the process of connecting and completing the initial configuration of the WebSEAL Virtual Appliance.
v IBM Security Access Manager for Web Installation Guide, GC23-6502-02
Explains how to install and configure Security Access Manager.
v IBM Security Access Manager for Web Upgrade Guide, SC23-6503-02
Provides information for users to upgrade from version 6.0, or 6.1.x to version 7.0.
v IBM Security Access Manager for Web Administration Guide, SC23-6504-02
Describes the concepts and procedures for using Security Access Manager. Provides instructions for performing tasks from the Web Portal Manager interface and by using the pdadmin utility.
v IBM Security Access Manager for Web WebSEAL Administration Guide, SC23-6505-02
Provides background material, administrative procedures, and reference information for using WebSEAL to manage the resources of your secure Web domain.
v IBM Security Access Manager for Web Plug-in for Web Servers Administration Guide, SC23-6507-02
Provides procedures and reference information for securing your Web domain by using a Web server plug-in.
v IBM Security Access Manager for Web Shared Session Management Administration Guide, SC23-6509-02
Provides administrative considerations and operational instructions for the session management server.
v IBM Security Access Manager for Web Shared Session Management Deployment Guide, SC22-5431-00
Provides deployment considerations for the session management server.
v IBM Security Web Gateway Appliance Administration Guide, SC22-5432-00
Provides administrative procedures and technical reference information for the WebSEAL Appliance.
v IBM Security Web Gateway Appliance Configuration Guide for Web Reverse Proxy, SC22-5433-00
Provides configuration procedures and technical reference information for the WebSEAL Appliance.
v IBM Security Web Gateway Appliance Web Reverse Proxy Stanza Reference, SC27-4442-00
Provides a complete stanza reference for the IBM Security Web Gateway Appliance Web Reverse Proxy.
v IBM Security Access Manager for Web WebSEAL Configuration Stanza Reference, SC27-4443-00
Provides a complete stanza reference for WebSEAL.


v IBM Global Security Kit: CapiCmd Users Guide, SC22-5459-00
Provides instructions on creating key databases, public-private key pairs, and certificate requests.
v IBM Security Access Manager for Web Auditing Guide, SC23-6511-02
Provides information about configuring and managing audit events by using the native Security Access Manager approach and the Common Auditing and Reporting Service. You can also find information about installing and configuring the Common Auditing and Reporting Service. Use this service for generating and viewing operational reports.
v IBM Security Access Manager for Web Command Reference, SC23-6512-02
Provides reference information about the commands, utilities, and scripts that are provided with Security Access Manager.
v IBM Security Access Manager for Web Administration C API Developer Reference, SC23-6513-02
Provides reference information about using the C language implementation of the administration API to enable an application to perform Security Access Manager administration tasks.
v IBM Security Access Manager for Web Administration Java Classes Developer Reference, SC23-6514-02
Provides reference information about using the Java language implementation of the administration API to enable an application to perform Security Access Manager administration tasks.
v IBM Security Access Manager for Web Authorization C API Developer Reference, SC23-6515-02
Provides reference information about using the C language implementation of the authorization API to enable an application to use Security Access Manager security.
v IBM Security Access Manager for Web Authorization Java Classes Developer Reference, SC23-6516-02
Provides reference information about using the Java language implementation of the authorization API to enable an application to use Security Access Manager security.
v IBM Security Access Manager for Web Web Security Developer Reference, SC23-6517-02
Provides programming and reference information for developing authentication modules.
v IBM Security Access Manager for Web Error Message Reference, GI11-8157-02
Provides explanations and corrective actions for the messages and return codes.
v IBM Security Access Manager for Web Troubleshooting Guide, GC27-2717-01
Provides problem determination information.
v IBM Security Access Manager for Web Performance Tuning Guide, SC23-6518-02
Provides performance tuning information for an environment that consists of Security Access Manager with the IBM Tivoli Directory Server as the user registry.

    Online publications

IBM posts product publications when the product is released and when the publications are updated at the following locations:


IBM Security Access Manager for Web Information Center
The http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.isam.doc_70/welcome.html site displays the information center welcome page for this product.

IBM Publications Center
The http://www-05.ibm.com/e-business/linkweb/publications/servlet/pbi.wss site offers customized search functions to help you find all the IBM publications that you need.

    IBM Terminology website

The IBM Terminology website consolidates terminology for product libraries in one location. You can access the Terminology website at http://www.ibm.com/software/globalization/terminology.

Related publications

This section lists the IBM products that are related to and included with the Security Access Manager solution.

Note: The following middleware products are not packaged with the IBM Security Web Gateway Appliance.

    IBM Global Security Kit

Security Access Manager provides data encryption by using Global Security Kit (GSKit) version 8.0.x. GSKit is included on the IBM Security Access Manager for Web Version 7.0 product image or DVD for your particular platform.

GSKit version 8 includes the command-line tool for key management, GSKCapiCmd (gsk8capicmd_64).

GSKit version 8 no longer includes the key management utility, iKeyman (gskikm.jar). iKeyman is packaged with IBM Java version 6 or later and is now a pure Java application with no dependency on the native GSKit runtime. Do not move or remove the bundled java/jre/lib/gskikm.jar library.

The IBM Developer Kit and Runtime Environment, Java Technology Edition, Version 6 and 7, iKeyman User's Guide for version 8.0 is available on the Security Access Manager Information Center. You can also find this document directly at:

    http://download.boulder.ibm.com/ibmdl/pub/software/dw/jdk/security/60/iKeyman.8.User.Guide.pdf

    Note:

GSKit version 8 includes important changes made to the implementation of Transport Layer Security required to remediate security issues.

The GSKit version 8 changes comply with the Internet Engineering Task Force (IETF) Request for Comments (RFC) requirements. However, it is not compatible with earlier versions of GSKit. Any component that communicates with Security Access Manager that uses GSKit must be upgraded to use GSKit version 7.0.4.42, or 8.0.14.26 or later. Otherwise, communication problems might occur.


IBM Tivoli Directory Server

IBM Tivoli Directory Server version 6.3 FP17 (6.3.0.17-ISS-ITDS-FP0017) is included on the IBM Security Access Manager for Web Version 7.0 product image or DVD for your particular platform.

    You can find more information about Tivoli Directory Server at:

    http://www.ibm.com/software/tivoli/products/directory-server/

    IBM Tivoli Directory Integrator

IBM Tivoli Directory Integrator version 7.1.1 is included on the IBM Tivoli Directory Integrator Identity Edition V 7.1.1 for Multiplatform product image or DVD for your particular platform.

    You can find more information about IBM Tivoli Directory Integrator at:

    http://www.ibm.com/software/tivoli/products/directory-integrator/

    IBM DB2 Universal Database

IBM DB2 Universal Database Enterprise Server Edition, version 9.7 FP4 is provided on the IBM Security Access Manager for Web Version 7.0 product image or DVD for your particular platform. You can install DB2 with the Tivoli Directory Server software, or as a stand-alone product. DB2 is required when you use Tivoli Directory Server or z/OS LDAP servers as the user registry for Security Access Manager. For z/OS LDAP servers, you must separately purchase DB2.

    You can find more information about DB2 at:

    http://www.ibm.com/software/data/db2

    IBM WebSphere products

The installation packages for WebSphere Application Server Network Deployment, version 8.0, and WebSphere eXtreme Scale, version 8.5.0.1, are included with Security Access Manager version 7.0. WebSphere eXtreme Scale is required only when you use the Session Management Server (SMS) component.

WebSphere Application Server enables the support of the following applications:
v Web Portal Manager interface, which administers Security Access Manager.
v Web Administration Tool, which administers Tivoli Directory Server.
v Common Auditing and Reporting Service, which processes and reports on audit events.
v Session Management Server, which manages shared sessions in a Web security server environment.
v Attribute Retrieval Service.

    You can find more information about WebSphere Application Server at:

    http://www.ibm.com/software/webservers/appserv/was/library/


Accessibility

Accessibility features help users with a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You can also use the keyboard instead of the mouse to operate all features of the graphical user interface.

Visit the IBM Accessibility Center (http://www-03.ibm.com/able/) for more information about IBM's commitment to accessibility.

Technical training

For technical training information, see the following IBM Education website at http://www.ibm.com/software/tivoli/education.

Support information

IBM Support provides assistance with code-related problems and routine, short duration installation or usage questions. You can directly access the IBM Software Support site at http://www.ibm.com/software/support/probsub.html.

The IBM Security Access Manager for Web Troubleshooting Guide provides details about:
v What information to collect before you contact IBM Support.
v The various methods for contacting IBM Support.
v How to use IBM Support Assistant.
v Instructions and problem-determination resources to isolate and fix the problem yourself.

Note: The Community and Support tab on the product information center can provide more support resources.


Part 1. Administration


Chapter 1. IBM Security Access Manager for Web WebSEAL overview

IBM Security Access Manager for Web (Security Access Manager) is a robust and secure centralized policy management solution for distributed applications.

IBM Security Access Manager for Web WebSEAL is a high performance, multi-threaded Web server that applies fine-grained security policy to the Security Access Manager protected Web object space. WebSEAL can provide single signon solutions and incorporate back-end Web application server resources into its security policy.

This overview chapter introduces you to the main capabilities of the WebSEAL server.

Topic Index:
v Introduction
v WebSEAL introduction on page 4
v Security model on page 5
v Web space protection on page 9
v Security policy planning and implementation on page 10
v WebSEAL authentication on page 12
v Standard WebSEAL junctions on page 12
v Web space scalability on page 14

    Introduction

IBM Security Access Manager for Web is a complete authorization and network security policy management solution that provides end-to-end protection of resources over geographically dispersed intranets and extranets.

In addition to its state-of-the-art security policy management feature, IBM Security Access Manager for Web provides authentication, authorization, data security, and centralized resource management capabilities. You use Security Access Manager in conjunction with standard Internet-based applications to build highly secure and well-managed intranets.

At its core, Security Access Manager provides:
v Authentication framework
Security Access Manager provides a wide range of built-in authenticators and supports external authenticators.
v Authorization framework
The Security Access Manager authorization service, accessed through the Security Access Manager authorization API, provides permit and deny decisions on requests for protected resources located in the secure domain.

With Security Access Manager, businesses can securely manage access to private internal network-based resources while leveraging the public Internet's broad connectivity and ease of use. Security Access Manager, in combination with a corporate firewall system, can fully protect the Enterprise intranet from unauthorized access and intrusion.

    WebSEAL introduction

IBM Security Access Manager for Web WebSEAL is the resource manager responsible for managing and protecting Web-based information and resources.

WebSEAL is a high performance, multi-threaded Web server that applies fine-grained security policy to resources in the Security Access Manager protected Web object space. WebSEAL can provide single signon solutions and incorporate back-end Web application server resources into its security policy.

WebSEAL normally acts as a reverse Web proxy by receiving HTTP/HTTPS requests from a Web browser and delivering content from its own Web server or from junctioned back-end Web application servers. Requests passing through WebSEAL are evaluated by the Security Access Manager authorization service to determine whether the user is authorized to access the requested resource.

WebSEAL provides the following features:
v Supports multiple authentication methods.
Both built-in and plug-in architectures allow flexibility in supporting a variety of authentication mechanisms.
v Integrates Security Access Manager authorization service.
v Accepts HTTP and HTTPS requests.
v Integrates and protects back-end server resources through WebSEAL junction technology. Provides a unified view of the combined protected object space.
v Manages fine-grained access control for the local and back-end server resources. Supported resources include URLs, URL-based regular expressions, CGI programs, HTML files, Java servlets, and Java class files.
v Performs as a reverse Web proxy. WebSEAL appears as a Web server to clients and appears as a Web browser to the junctioned back-end servers it is protecting.
v Provides single signon capabilities.

Figure 1. Protecting resources with WebSEAL (diagram not reproduced: a client request passes through the firewall and DMZ to WebSEAL, which junctions to a Web application server and presents a unified protected object space rooted at /)


Security model

This section contains the following topics:
v Security model concepts
v The protected object space
v Access control lists (ACLs) and protected object policies (POPs) on page 6
v Access control list (ACL) policies on page 7
v Protected object policies (POPs) on page 7
v Explicit and inherited policy on page 8
v Policy administration: The Web Portal Manager on page 8

    Security model concepts

There are two key security structures that govern and maintain the security policy for a Security Access Manager secure domain:
v User registry
The user registry (such as IBM Tivoli Directory Server or Microsoft Active Directory) contains all users and groups who can participate in the Security Access Manager environment. This environment is known as the secure domain.
v Master authorization (policy) database
The authorization database contains a representation of all resources in the domain (the protected object space). The security administrator can dictate any level of security by applying rules to the resources that require protection. These rules are known as access control list (ACL) policies and protected object policies (POPs).

The process of authentication proves the identity of a user to WebSEAL. A user can participate in the secure domain as authenticated or unauthenticated. Authenticated users must have an account in the user registry. Using ACLs and POPs, the security administrator can make:
v Certain resources publicly available to unauthenticated users, and
v Other resources available only to certain authenticated users.

When a user successfully authenticates, WebSEAL creates a set of identification information known as a credential. The credential contains the user identity, any group memberships, and any special ("extended") security attributes.

A user requires a credential to fully participate in the secure domain. The Security Access Manager authorization service enforces security policies by comparing a user's authentication credentials with the policy permissions assigned to the requested resource. The authorization service passes the resulting recommendation to the resource manager (for example, WebSEAL), which completes the response to the original request.

    The protected object space

The protected object space is a hierarchical representation of resources belonging to a Security Access Manager secure domain. The virtual objects that appear in the object space represent the actual physical network resources, as specified below:
v System resource: the actual physical file or application.
v Protected object: the logical representation of an actual system resource used by the authorization service, the Web Portal Manager, and other Security Access Manager management utilities.

Policies can be attached to objects in the object space to provide protection of the resource. The authorization service makes authorization decisions based on these policies.

The combined installation of Security Access Manager base and Security Access Manager WebSEAL provides the following object space categories:
v Web objects
Web objects represent any resource that can be addressed by an HTTP URL. This includes static Web pages and dynamic URLs that are converted to database queries or some other type of application. The WebSEAL server is responsible for protecting Web objects.
v Security Access Manager management objects
Management objects represent the management activities that can be performed through the Web Portal Manager. The objects represent the tasks necessary to define users and set security policy. Security Access Manager supports delegation of management activities and can restrict an administrator's ability to set security policy to a subset of the object space.
v User-defined objects
User-defined objects represent customer-defined tasks or network resources protected by applications that access the authorization service through the Security Access Manager authorization API.
v Authorization rules

Access control lists (ACLs) and protected object policies (POPs)

Security administrators protect Security Access Manager system resources by defining rules, known as ACL and POP policies, and applying these policies to the object representations of those resources in the protected object space.

The Security Access Manager authorization service performs authorization decisions based on the policies applied to these objects. When a requested operation on a protected object is permitted, the application responsible for the resource implements this operation.

Figure 2. Protected object space (diagram not reproduced: Management Objects, Web Objects and User-Defined Objects as branches of the object space)


One policy can dictate the protection parameters of many objects. Any change to the rule affects all objects to which the ACL or POP is attached.

    Access control list (ACL) policies

An access control list policy, or ACL policy, is the set of rules (permissions) that specifies the conditions necessary to perform certain operations on a resource. ACL policy definitions are important components of the security policy established for the secure domain. ACL policies, like all policies, are used to stamp an organization's security requirements onto the resources represented in the protected object space.

An ACL policy specifically controls:
1. What operations can be performed on the resource
2. Who can perform these operations

An ACL policy is made up of one or more entries that include user and group designations and their specific permissions or rights. An ACL can also contain rules that apply to unauthenticated users.

    Protected object policies (POPs)

ACL policies provide the authorization service with information to make a "yes" or "no" answer on a request to access a protected object and perform some operation on that object.

Protected object policies (POPs) contain additional conditions on the request that are passed back to Security Access Manager and the resource manager (such as WebSEAL) along with the "yes" ACL policy decision from the authorization service. It is the responsibility of Security Access Manager and the resource manager to enforce the POP conditions.
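To make the credential-versus-ACL comparison and the POP step concrete, the following added example (not WebSEAL or Security Access Manager code) models an ACL with user, group, any-other and unauthenticated entries, a credential carrying identity and group memberships, and the POP warning-mode attribute. The entry precedence in the comments, the any-other entry, the user dana and the meaning given to warning mode are this example's assumptions; the other entries follow Figure 3.

```python
# Added example, not WebSEAL code: how an ACL (user, group, any-other and
# unauthenticated entries) and a POP warning-mode attribute combine into a
# permit/deny decision for one protected object.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional


def parse_perms(text: str) -> FrozenSet[str]:
    """Turn a display string such as '---------T---rx' into {'T', 'r', 'x'}.
    A dash marks an action that is not granted."""
    return frozenset(ch for ch in text if ch != "-")


@dataclass
class Credential:
    """Built after authentication: identity, group memberships and extended
    attributes. user=None represents an unauthenticated request."""
    user: Optional[str]
    groups: FrozenSet[str] = frozenset()
    attributes: Dict[str, str] = field(default_factory=dict)


@dataclass
class Acl:
    """One ACL: entries keyed by user or group name plus two special entries.
    Precedence used here is this example's assumption (the page does not give
    it): a user's own entry wins outright; otherwise the union of the group
    entries the user matches; otherwise any-other. Unauthenticated callers get
    the unauthenticated entry masked (intersected) by any-other."""
    users: Dict[str, FrozenSet[str]] = field(default_factory=dict)
    groups: Dict[str, FrozenSet[str]] = field(default_factory=dict)
    any_other: FrozenSet[str] = frozenset()
    unauthenticated: FrozenSet[str] = frozenset()

    def effective_perms(self, cred: Credential) -> FrozenSet[str]:
        if cred.user is None:
            return self.unauthenticated & self.any_other
        if cred.user in self.users:
            return self.users[cred.user]
        matched = [self.groups[g] for g in cred.groups if g in self.groups]
        if matched:
            return frozenset().union(*matched)
        return self.any_other


@dataclass
class Pop:
    name: str
    warning_mode: bool = False


@dataclass
class Decision:
    permitted: bool
    missing: FrozenSet[str] = frozenset()  # actions the ACL did not grant
    warning: bool = False  # True when warning mode overrode a denial


def authorize(cred: Credential, acl: Acl, pop: Optional[Pop], actions: str) -> Decision:
    """ACL yes/no for the requested actions (for example 'rx'), then the POP
    condition. Warning mode is taken to mean: permit the request but flag it
    for auditing instead of denying it (this example's assumption)."""
    missing = frozenset(actions) - acl.effective_perms(cred)
    if not missing:
        return Decision(True)
    if pop is not None and pop.warning_mode:
        return Decision(True, missing=missing, warning=True)
    return Decision(False, missing=missing)


# Constructed ACL modelled on Figure 3 (peter, engineering, michael,
# unauthenticated); the any-other entry and user dana are added for illustration.
FIG3_ACL = Acl(
    users={
        "peter": parse_perms("---------T---rx"),
        "michael": parse_perms("---------T---rx"),
        "dana": parse_perms("---------T-----"),  # her own entry beats her group
    },
    groups={"engineering": parse_perms("---------T---rx")},
    any_other=parse_perms("---------T---r-"),
    unauthenticated=parse_perms("---------------"),
)
TEST_POP = Pop("test-pop", warning_mode=True)  # constructed POP in warning mode
```

With the sample ACL, an unauthenticated request for read is denied because the empty unauthenticated entry masks any-other, and dana is denied read despite her group's rights because her own entry takes precedence.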

    The following tables list the available attributes for a POP:

Enforced by Security Access Manager

POP Attribute   Description
Name            Name of the policy. This becomes the argument in the pdadmin pop commands.
Description     Descriptive text for the policy. This attribute appears in the pop show command.
Warning Mode    Provides administrators a means to test ACL and POP policies.

Figure 3. ACL policy (diagram not reproduced: an ACL containing multiple entries, shown as user peter ---------T---rx, group engineering ---------T---rx, user michael ---------T---rx, unauthenticated ---------------)


Enforced by Security Access Manager (continued)

POP Attribute   Description
Audit Level     Specifies the type of au