IBM

Tivoli

Access

Manager

for

e-business

Plug-in

for

Web

Servers

Integration

Guide

Version

5.1

SC32-1365-00

IBM

Tivoli

Access

Manager

for

e-business

Plug-in

for

Web

Servers

Integration

Guide

Version

5.1

SC32-1365-00

Note

Before

using

this

information

and

the

product

it

supports,

read

the

information

in

Appendix

F,

Notices,

on

page

215.

First

Edition

(November

2003)

This

edition

applies

to

version

5,

release

1,

modification

0

of

IBM

Tivoli

Access

Manager

(product

number

5724-C08)

and

to

all

subsequent

releases

and

modifications

until

otherwise

indicated

in

new

editions.

Copyright

International

Business

Machines

Corporation

2000,

2003.

All

rights

reserved.

US

Government

Users

Restricted

Rights

Use,

duplication

or

disclosure

restricted

by

GSA

ADP

Schedule

Contract

with

IBM

Corp.

Contents

Figures

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. ix

Tables

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. xi

Preface

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. xiii

Who

should

read

this

book

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. xiii

What

this

book

contains

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. xiii

Publications

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. xiv

Release

information

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. xv

Base

information

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. xv

Web

security

information

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. xv

Developer

references

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. xvi

Technical

supplements

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. xvi

Related

publications

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. xvii

Accessing

publications

online

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. xx

Accessibility

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. xx

Contacting

software

support

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. xx

Conventions

used

in

this

book

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. xx

Typeface

conventions

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. xx

Operating

system

differences

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. xxi

Chapter

1.

Introducing

IBM

Tivoli

Access

Manager

Plug-in

for

Web

Servers

.

.

.

.

.

. 1

Tivoli

Access

Manager

Plug-in

for

Web

Servers

technology

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 1

Basic

operational

components

and

architecture

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 1

Support

for

virtual

hosts

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 2

Protecting

your

Web

space

with

Tivoli

Access

Manager

Plug-in

for

Web

Servers

.

.

.

.

.

.

.

.

.

.

.

.

. 3

Tivoli

Access

Manager

Plug-in

for

Web

Servers

authentication

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 4

Credential

acquisition

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 5

Chapter

2.

IBM

Tivoli

Access

Manager

Plug-in

for

Web

Servers

configuration

.

.

.

.

.

. 7

General

plug-in

information

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 7

Root

directory

of

the

Tivoli

Access

Manager

Plug-in

for

Web

Servers

installation

.

.

.

.

.

.

.

.

.

.

. 7

The

pdwebpi.conf

configuration

file

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 8

The

pdwebpimgr.conf

configuration

file

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 9

Starting

and

stopping

Tivoli

Access

Manager

Plug-in

for

Web

Servers

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 9

HTTP

error

messages

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 9

Macro

support

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 10

Forms

related

macros

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 10

Configuring

the

Authorization

Server

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 11

Configuring

Worker

Threads

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 11

Setting

the

Maximum

Session

Lifetime

for

IPC

requests

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 12

Configuring

error

pages

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 12

Configuring

for

virtual

host

servers

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 13

Web-server-specific

configuration

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 15

Web

server

considerations

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 17

Customizing

object

listings

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 18

Command

Line

Arguments

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 18

Output

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 19

Configuring

switch

user

(SU)

for

administrators

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 19

Understanding

the

switch

user

process

flow

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 20

Enabling

switch

user

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 20

Configuring

the

switch

user

HTML

form

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 21

Enabling

and

excluding

users

from

switch

user

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 22

Configuring

the

switch

user

authentication

mechanism

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 22

Copyright

IBM

Corp.

2000,

2003

iii

Impacting

other

plug-in

functionality

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 23

Configuring

fail-over

for

LDAP

servers

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 24

Supporting

Platform

for

Privacy

Preferences

(P3P)

headers

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 25

Configuring

P3P

headers

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 26

Configuring

plug-in

auditing,

logging,

tracing,

and

the

cache

database

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 28

Audit

records

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 29

Auditing

configuration

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 30

Tracing

Plug-in

actions

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 31

Cache

database

settings

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 32

Configuring

the

authorization

API

service

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 33

Credential

refresh

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 33

Configuring

credential

refresh

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 33

Configuring

HTTP

request

caching

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 34

Configuring

server-side

caching

parameters

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 35

Language

support

and

character

sets

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 35

Chapter

3.

IBM

Tivoli

Access

Manager

Plug-in

for

Web

Servers

authentication

and

request

processing

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 39

The

request

handling

process

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 39

The

authentication

process

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 41

Configuring

authentication

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 41

Configuring

authentication

for

virtual

hosts

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 42

Configuring

the

order

of

authentication

methods

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 44

Configuring

post-authorization

processing

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 48

Managing

session

state

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 49

Configuring

the

plug-in

session/credentials

cache

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 50

Maintaining

session

state

with

the

SSL

session

ID

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 52

Maintaining

session

state

using

Basic

Authentication

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 52

Maintaining

session

state

with

Session

Cookies

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 53

Maintaining

session

state

using

HTTP

headers

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 54

Maintaining

session

state

using

IP

addresses

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 54

Maintaining

session

state

using

LTPA

cookies

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 55

Maintaining

session

state

using

iv-headers

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 55

Authentication

configuration

overview

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 55

Local

authentication

mechanisms

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 56

External

custom

CDAS

authentication

parameters

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 56

Default

configuration

for

plug-ins

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 57

Configuring

multiple

authentication

methods

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 57

Logout,

change

of

password

and

help

commands

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 57

Configuring

Basic

Authentication

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 59

Enabling

Basic

Authentication

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 59

Configuring

the

Basic

Authentication

mechanism

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 59

Setting

the

realm

name

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 59

Manipulating

BA

headers

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 60

Specify

UTF-8

encoding

of

BA

headers

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 61

Configuring

forms

authentication

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 61

Enabling

forms

authentication

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 62

Configuring

the

forms

authentication

mechanism

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 62

Customizing

HTML

response

forms

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 62

Customizing

the

forms

login

URI

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 63

Creating

a

BA

Header

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 63

Specify

UTF-8

encoding

on

BA

headers

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 63

Configuring

certificate

authentication

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 64

Mutual

authentication

using

certificates

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 64

Enabling

certificate

authentication

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 65

Configuring

the

certificate

authentication

mechanism

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 65

Configuring

token

authentication

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 65

SecurID

Token

authentication

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 65

Enabling

token

authentication

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 68

Configuring

the

token

authentication

mechanism

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 68

Customizing

token

response

pages

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 69

iv

IBM

Tivoli

Access

Manager

for

e-business:

Plug-in

for

Web

Servers

Integration

Guide

Configuring

SPNEGO

authentication

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 69

Platform

and

user

registry

support

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 69

Upgrading

SPNEGO

configuration

from

version

4.1

to

5.1

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 70

Limitations

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 70

Windows

desktop

single

signon

configuration

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 71

Troubleshooting

tips

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 75

Configuring

NTLM

authentication

(IIS

platforms

only)

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 76

Configuring

Web

server

authentication

(IIS

platforms

only)

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 77

Configuring

Failover

authentication

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 78

Failover

authentication

concepts

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 78

Failover

authentication

configuration

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 85

Configuring

IV

header

authentication

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 93

Enabling

authentication

using

IV

headers

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 94

Configuring

IV

header

parameters

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 94

Specify

UTF-8

encoding

of

IV

headers

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 95

Configuring

the

IV

header

authentication

mechanism

for

iv-remote-address

.

.

.

.

.

.

.

.

.

.

.

.

. 95

Configuring

HTTP

header

authentication

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 95

Enabling

authentication

using

HTTP

headers

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 96

Specifying

header

types

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 96

Configuring

the

HTTP

header

authentication

mechanism

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 96

Configuring

IP

address

authentication

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 97

Enabling

authentication

using

the

IP

address

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 97

Configuring

the

IP

address

authentication

mechanism

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 97

Configuring

LTPA

Authentication

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 98

Enabling

LTPA

Authentication

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 98

Setting

the

Key

Details

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 98

Configuring

LTPA

post-authorization

processing

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 98

Configuring

the

redirection

of

users

after

logon

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 99

Enabling

user

redirection

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 99

Configuring

user

redirection

parameters

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 99

Adding

extended

attributes

for

credentials

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 99

Mechanisms

for

adding

extended

attributes

to

a

credential

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 99

Entitlement

service

configuration

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 100

Adding

LDAP

extended

attributes

to

the

HTTP

header

(tag

value)

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 102

Enabling

tag

value

processing

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 103

Configuring

tag

value

parameters

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 103

Supporting

Multiplexing

Proxy

Agents

(MPA)

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 104

Valid

session

data

types

and

authentication

methods

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 104

Authentication

process

flow

for

MPA

and

multiple

clients

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 105

Enabling

MPA

authentication

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 106

Create

a

user

account

for

the

MPA

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 107

Add

the

MPA

account

to

the

pdwebpi-mpa-servers

group

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 107

Chapter

4.

IBM

Tivoli

Access

Manager

Plug-in

for

Web

Servers

security

policy

.

.

.

. 109

Plug-in-specific

Access

Control

List

(ACL)

policies

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 109

/PDWebPI/host

or

virtual_host

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 110

Plug-in

ACL

permissions

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 111

Default

/PDWebPI

ACL

policy

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 111

Three

strikes

logon

policy

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 112

Password

strength

policy

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 113

Password

strength

policy

set

by

the

pdadmin

utility

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 113

Specific

user

and

global

settings

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 115

Authentication-strength

Protected

Object

Policy

(Step-up)

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 116

Configuring

levels

for

step-up

authentication

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 116

Enabling

step-up

authentication

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 117

Step-up

authentication

notes

and

limitations

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 118

Multi-factor

authentication

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 118

Enabling

multi-factor

authentication

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 119

Reauthentication

Protected

Object

Policy

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 119

Conditions

affecting

POP

reauthentication

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 119

Creating

and

applying

the

reauthentication

POP

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 120

Contents

v

Network-based

authentication

Protected

Object

Policy

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 121

Specifying

IP

addresses

and

ranges

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 121

Disabling

step-up

authentication

by

IP

address

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 122

Network-based

authentication

algorithm

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 122

Quality-of-protection

Protected

Object

Policy

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 122

Handling

unauthenticated

users

(HTTP/HTTPS)

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 123

Processing

a

request

from

an

anonymous

client

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 123

Forcing

user

log

on

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 123

Applying

unauthenticated

HTTPS

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 123

Controlling

unauthenticated

users

with

ACL/POP

policies

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 124

Chapter

5.

Web

single

sign-on

solutions

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 125

Single

sign-on

concepts

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 125

Automatically

signing-on

to

a

secured

application

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 126

Configuring

single

sign-on

to

secure

applications

using

HTTP

headers

.

.

.

.

.

.

.

.

.

.

.

.

.

. 126

Single

sign-on

to

WebSphere

application

server

using

LTPA

cookies

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 127

Single

sign-on

to

the

plug-in

from

WebSEAL

or

other

proxy

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 128

Enabling

and

disabling

authentication

using

IV

headers

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 129

Configuring

IV

header

parameters

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 129

Using

the

Failover

cookie

for

single

sign-on

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 129

Enabling

single

sign-on

using

Failover

cookies

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 130

Using

Global

single

sign-on

(GSO)

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 130

Configuring

Global

single

sign-on

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 132

Security

Provider

NEGOtiation

(SPNEGO)

single

sign-on

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 133

Single

sign-on

using

forms

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 133

Forms

single

sign-on

process

flow

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 133

Requirements

for

application

support

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 135

Enabling

forms

single

sign-on

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 135

Configuring

forms

single

sign-on

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 136

Example

configuration

file

for

IBM

HelpNow

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 139

Chapter

6.

Cross-domain

sign-on

solutions

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 141

Cross

domain

single

sign-on

(CDSSO)

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 141

Authentication

process

flow

for

CDSSO

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 141

Enabling

and

disabling

CDSSO

authentication

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 143

Encrypting

the

authentication

token

data

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 143

Configuring

the

token

time

stamp

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 144

Including

credential

attributes

in

the

authentication

tokens

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 144

Specify

the

sso-create

and

sso-consume

libraries

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 145

Expressing

CDSSO

links

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 145

Protecting

the

authentication

token

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 146

e-Community

single

sign-on

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 146

e-Community

single

sign-on

features

and

requirements

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 147

e-Community

single

sign-on

process

flow

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 148

The

e-community

cookie

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 149

The

vouch-for

request

and

reply

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 149

The

vouch-for

token

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 150

Encrypting

the

vouch-for

token

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 150

Configuring

an

e-community

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 151

Configuring

e-community

single

sign-on

-

an

example

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 155

Chapter

7.

Application

integration

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 159

Maintaining

session

state

between

the

client

and

back-end

applications

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 159

Enabling

user

session

ID

management

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 159

Inserting

credential

data

into

the

HTTP

header

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 160

Terminating

user

sessions

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 161

Providing

access

control

to

dynamic

URLs

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 161

Configuring

dynamic

URLs

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 162

Chapter

8.

Authorization

decision

information

retrieval

.

.

.

.

.

.

.

.

.

.

.

.

.

. 165

vi

IBM

Tivoli

Access

Manager

for

e-business:

Plug-in

for

Web

Servers

Integration

Guide

Overview

of

ADI

retrieval

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 165

Retrieving

ADI

from

the

plug-in

client

request

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 166

Example:

Retrieving

ADI

from

the

request

header

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 166

Example:

Retrieving

ADI

from

the

request

query

string

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 167

Example:

Retrieving

ADI

from

the

request

POST

body

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 167

Retrieving

ADI

from

the

user

credential

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 168

Supplying

a

failure

reason

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 168

Configuring

dynamic

ADI

retrieval

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 169

Configuring

the

plug-in

to

use

the

AMWebARS

Web

service

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 170

Appendix

A.

Using

pdbackup

to

backup

plug-in

data

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 171

Functionality

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 171

Backing

up

plug-in

data

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 171

Restoring

plug-in

data

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 172

Syntax

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 172

Examples

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 173

UNIX

examples

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 173

Windows

examples

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 173

Contents

of

pdinfo-pdwebpi.lst

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 174

Additional

backup

data

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 174

Appendix

B.

pdwebpi.conf

reference

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 175

General

configuration

parameters

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 175

Authentication

configuration

parameters

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 178

Sessions

configuration

parameters

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 188

LDAP

configuration

parameters

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 189

Proxy

configuration

parameters

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 189

Authorization

API

configuration

parameters

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 190

Web

server

specific

configuration

parameters

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 192

Appendix

C.

Module

quick

reference

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 197

Appendix

D.

Command

quick

reference

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 203

pdwebpi_start

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 204

pdwebpi

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 206

pdwpi-version

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 207

pdwpicfg

action

config

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 208

pdwpicfg

action

unconfig

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 210

Appendix

E.

Special

characters

allowed

in

regular

expressions

.

.

.

.

.

.

.

.

.

.

. 213

Appendix

F.

Notices

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 215

Trademarks

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 216

Glossary

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 219

Index

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 225

Contents

vii

viii

IBM

Tivoli

Access

Manager

for

e-business:

Plug-in

for

Web

Servers

Integration

Guide

Figures

1.

Plug-in

and

Tivoli

Access

Manager

component

interaction.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 2

2.

Plug-in

process

flow

for

determining

authentication

module.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 47

3.

Authentication

challenge

process

logic.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 48

4.

Plug-in

process

flow

for

determining

session

module.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 50

5.

Typical

server

architecture

for

failover

cookies.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 79

6.

User

access

to

secure

applications

using

GSO.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 131

7.

Forms

single

sign-on

process

flow.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 134

8.

CDSSO

process

flow.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 142

9.

Logging

into

an

e-community.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 148

10.

e-Community

single

sign-on

configuration

example

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 155

11.

Attribute

retrieval

service

process

flow.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 169

Copyright

IBM

Corp.

2000,

2003

ix

x

IBM

Tivoli

Access

Manager

for

e-business:

Plug-in

for

Web

Servers

Integration

Guide

Tables

1.

Tivoli

Access

Manager

EPAC

fields

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 5

2.

pdwebpi.conf

section

summary

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 8

3.

Supported

Macro

Substitutions

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 10

4.

[proxy]

error

page

configuration

parameters.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 12

5.

Web-server-specific

configuration

parameters

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 16

6.

[p3p-header]

parameters

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 26

7.

Authentication

audit

record

field

definitions.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 29

8.

Auditing

configuration

parameter

definitions

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 30

9.

Plug-in

supported

languages

with

supported

directory.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 36

10.

Local

Built-in

Authenticators

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 56

11.

External

CDAS

Server

Parameters

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 56

12.

Equivalent

SPNEGO

configuration

between

version

4.1

and

5.1.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 70

13.

Failover

authentication

library

file

names

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 87

14.

IV

header

field

descriptions

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 94

15.

Valid

session

data

types

for

MPA

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 104

16.

Valid

MPA

authentication

types

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 105

17.

Plug-in

ACL

permissions

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 111

18.

Plug-in

WebDAV

permissions

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 111

19.

pdadmin

LDAP

logon

policy

commands

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 113

20.

pdadmin

LDAP

password

strength

commands

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 114

21.

Password

examples

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 115

22.

QOP

level

descriptions

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 122

23.

IV

header

field

descriptions

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 126

24.

LTPA

configuration

parameters

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 128

25.

IV

header

field

descriptions

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 128

26.

General

configuration

parameters

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 175

27.

Authentication

configuration

parameters

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 178

28.

Sessions

configuration

parameters

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 188

29.

LDAP

configuration

parameters

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 189

30.

Proxy

configuration

parameters

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 189

31.

Authorization

API

configuration

parameters

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 190

32.

Web

server

specific

configuration

parameters

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 192

33.

Plug-in

authentication

method/module

reference

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 197

34.

Windows-specific

authentication

modules

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 199

35.

Plug-in

session

module

reference

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 199

36.

Plug-in

pre-authorization

module

reference

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 200

37.

Plug-in

post-authorization

module

reference

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 201

38.

Response

module

reference

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

. 202

Copyright

IBM

Corp.

2000,

2003

xi

xii

IBM

Tivoli

Access

Manager

for

e-business:

Plug-in

for

Web

Servers

Integration

Guide

Preface

IBM

Tivoli

Access

Manager

Plug-in

for

Web

Servers

manages

the

security

of

your

Web-based

resources

by

acting

as

the

gateway

between

your

clients

and

secure

Web

space.

The

plug-in

implements

the

security

policies

that

protect

your

Web

object

space.

The

plug-in

can

provide

single

sign-on,

support,

Web

servers

running

as

virtual

hosts,

and

incorporate

Web

application

server

resources

into

its

security

policy.

Note:

For

details

on:

supported

platforms,

disk

and

memory

requirements,

software

prerequisites

and

installation

instructions

for

the

plug-in,

refer

to

the

Tivoli

Access

Manager

for

e-business

Web

Security

Installation

Guide.

IBM

Tivoli

Access

Manager

(Tivoli

Access

Manager)

is

the

base

software

that

is

required

to

run

applications

in

the

IBM

Tivoli

Access

Manager

product

suite.

It

enables

the

integration

of

IBM

Tivoli

Access

Manager

applications

that

provide

a

wide

range

of

authorization

and

management

solutions.

Sold

as

an

integrated

solution,

these

products

provide

an

access

control

management

solution

that

centralizes

network

and

application

security

policy

for

e-business

applications.

Note:

IBM

Tivoli

Access

Manager

is

the

new

name

of

the

previously

released

software

entitled

Tivoli

SecureWay

Policy

Director.

Also