Tivoli SecureWay Policy Director WebSEAL Administration Guide
Version 3.8

Source: publib.boulder.ibm.com/tividd/td/SW_30/GC32-0684-01/zh_TW/PDF/ws-adm... (Traditional Chinese edition, GC32-0684-01)

Tivoli SecureWay Policy Director WebSEAL Administration Guide

Copyright notice

© Copyright IBM Corporation 2001. All rights reserved. May only be used pursuant to a Tivoli Systems Software License Agreement, an IBM Software License Agreement, or Addendum for Tivoli Products to IBM Customer or License Agreement. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any computer language, in any form or by any means, electronic, mechanical, magnetic, optical, chemical, manual, or otherwise, without the prior written permission of IBM Corporation. IBM Corporation grants you limited permission to make hardcopy or other reproductions of any machine-readable documentation for your own use, provided that each such reproduction carries the IBM Corporation copyright notice. No other rights under copyright are granted without prior written permission of IBM Corporation. This document is not intended for production and is furnished "as is" without warranty of any kind. All warranties on this document are hereby disclaimed, including the warranties of merchantability and fitness for a particular purpose.

U.S. Government Users Restricted Rights—Use, duplication or disclosure restricted by GSA ADPSchedule Contract with IBM Corporation.

IBM, the IBM logo, Tivoli, the Tivoli logo, AIX, Cross-Site, NetView, OS/2, Planet Tivoli, RS/6000, Tivoli Certified, Tivoli Enterprise, Tivoli Enterprise Console, Tivoli Ready, and TME are trademarks or registered trademarks of IBM Corporation or Tivoli Systems Inc. in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Notices

References in this publication to Tivoli Systems or IBM products, programs, or services do not imply that they will be available in all countries in which Tivoli Systems or IBM operates. Any reference to these products, programs, or services is not intended to imply that only Tivoli Systems or IBM products, programs, or services can be used. Subject to valid intellectual property or other legally protectable rights of Tivoli Systems or IBM, any functionally equivalent product, program, or service can be used instead of the referenced product, program, or service. The evaluation and verification of operation in conjunction with other products, except those expressly designated by Tivoli Systems or IBM, are the responsibility of the user. Tivoli Systems or IBM may have patents or pending patent applications covering subject matter in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to the IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, New York 10504-1785, U.S.A.

Contents

[Headings below are reconstructed from the English terms and page numbers that survived the garbled Traditional Chinese extraction; headings that could not be read are marked "not recoverable".]

Preface ... xiii
  Who should read this guide ... xiii
  What this guide contains ... xiv
  Typeface conventions ... xv
  Policy Director related documents ... xvi
  Accessing online documentation ... xvi
  Ordering publications ... xviii
  Providing feedback about publications ... xviii
  Contacting customer support ... xviii

Chapter 1. WebSEAL overview ... 1
  Protecting your Web space with WebSEAL ... 1
  Content types and levels of protection ... 3
  Planning and implementing the security policy ... 4
  Understanding WebSEAL authentication ... 5
    (heading not recoverable) ... 6
    (heading not recoverable) ... 7
    Extended Privilege Attribute Certificate (EPAC) ... 8
  Understanding WebSEAL junctions ... 8
    (heading not recoverable) ... 11

Chapter 2. WebSEAL server configuration ... 17
  General server information ... 18
    The webseald.conf configuration file ... 18
    WebSEAL installation directory ... 19
    WebSEAL server root directory ... 20
    Starting and stopping WebSEAL ... 20
  Configuring communication ... 21
    Configuring WebSE​AL for HTTP requests ... 21
    Configuring WebSEAL for HTTPS requests ... 22
    Restricting specific SSL connections ... 22
    Configuring HTTP and HTTPS worker threads ... 22
    HTTP/HTTPS communication time-outs ... 23
    Additional WebSEAL server time-outs ... 24
  Managing the Web space ... 25
    The Web document tree ... 25
    Configuring directory indexing ... 27
    Windows: file name extensions for CGI programs ... 28
    Configuring Web document caching ... 29
  Configuring HTTP error messages ... 31
    Macro support ... 34
  Managing custom HTML pages ... 35
    (heading not recoverable) ... 35
    Customizing HTML forms ... 36
    (heading not recoverable) ... 37
  Understanding GSKit key database file types ... 38
    Configuring WebSEAL key database parameters ... 40
    Using the iKeyman utility ... 42
    Configuring CRL checking ... 42
  Configuring the default quality of protection level ... 43
    Configuring QOP for individual hosts and networks ... 44
  Configuring authorization database updates and polling ... 45
    Configuring update notification listening ... 46
    Configuring authorization database polling ... 46
  Replicating front-end WebSEAL servers ... 46
  Configuring HTTP logging ... 48
    Enabling and disabling HTTP logging ... 48
    Specifying log file names and types ... 49
    Specifying log file rollover ... 49
    Specifying the frequency for flushing log file buffers ... 50
    Configuring the contents of request.log ... 50
    HTTP common log format for request.log ... 51
    Displaying request.log ... 51
    Displaying agent.log ... 52
    Displaying referer.log ... 52

Chapter 3. WebSEAL security policy ... 53
  WebSEAL-specific ACL policies ... 53
    /WebSEAL/<host> ... 54
    /WebSEAL/<host>/<file> ... 54
    WebSEAL ACL permissions ... 54
    Default /WebSEAL ACL policy ... 54
  Three strikes login policy ... 55
    Command syntax ... 56
  Password strength policy ... 57
    Setting password strength policy with pdadmin ... 57
    Command syntax ... 58
    Valid and not valid password examples ... 60
    Specific user and global settings ... 60
  Authentication strength POP policy (step-up) ... 61
    Configuring levels for step-up authentication ... 61
    Step-up authentication ... 62
    Step-up authentication login forms ... 64
    Step-up authentication algorithm ... 66
    Step-up authentication notes and limitations ... 66
  Network-based authentication POP policy ... 67
    Configuring the authentication policy ... 67
    Specifying IP addresses and ranges ... 68
    Disabling step-up authentication by IP address ... 69
    Network-based authentication algorithm ... 70
    Network-based authentication notes and limitations ... 70
  Quality of protection POP policy ... 70
  Handling unauthenticated users (HTTP / HTTPS) ... 71
    Processing a request from an anonymous client ... 71
    Forcing user login ... 72
    Applying unauthenticated HTTPS ... 72
    Controlling unauthenticated users with ACL/POP policies ... 72

Chapter 4. WebSEAL authentication ... 75
  Understanding authentication ... 76
    Supported session data types ... 76
    Supported authentication methods ... 77
    Configuration information ... 78
  Managing session state ... 79
    The GSKit and WebSEAL session caches ... 79
    Configuring the WebSEAL session cache ... 80
    Configuring the GSKit SSL session ID cache ... 82
    Maintaining session state with session cookies ... 83
    Determining valid session ID data types ... 86
    Configuring failover cookies ... 87
  Authentication configuration overview ... 90
    (heading not recoverable) ... 90
    Custom authentication with a CDAS ... 91
    Default WebSEAL authentication configuration ... 91
    Configuring multiple authentication methods ... 92
    Login prompts ... 93
    Logout and change password commands ... 93
  Configuring basic authentication ... 95
    Enabling basic authentication ... 95
    Setting the realm name ... 95
    Configuring the basic authentication mechanism ... 96
    Configuration conditions ... 97
  Configuring forms authentication ... 97
    Enabling forms authentication ... 97
    Configuring the forms authentication mechanism ... 97
    Configuration conditions ... 98
    Customizing HTML response forms ... 98
  Configuring certificate authentication ... 99
    (heading not recoverable) ... 99
    (heading not recoverable) ... 101
    Enabling certificate authentication ... 101
    Configuring the certificate authentication mechanism ... 102
    Configuration conditions ... 103
  Configuring HTTP header authentication ... 103
    Enabling HTTP header authentication ... 103
    Specifying header types ... 104
    Configuring the HTTP header authentication mechanism ... 104
    Configuration conditions ... 105
  Configuring IP address authentication ... 105
    Enabling IP address authentication ... 105
    Configuring the IP address authentication mechanism ... 106
  Configuring token authentication ... 106
    Enabling token authentication ... 106
    Configuring the token authentication mechanism ... 106
  Using multiplexing proxy agents (MPA) ... 107
    Valid session data types and authentication methods ... 108
    Authentication process flow for MPA and multiple clients ... 110
    Enabling MPA authentication ... 111
    Creating a user account for the MPA ... 111
    Adding the MPA account to the webseal-mpa-servers group ... 111
    MPA authentication limitations ... 111

Chapter 5. Cross-domain sign-on solutions ... 113
  Configuring CDSSO authentication ... 113
    The default and custom CDMF library ... 114
    CDSSO authentication process flow with CDMF ... 114
    Enabling CDSSO authentication ... 116
    Configuring the CDSSO authentication mechanism ... 116
    Encrypting the authentication token data ... 117
    Configuring the token time stamp ... 118
    Creating CDSSO HTML links ... 118
    Protecting the authentication token ... 119
  Configuring e-Community single sign-on ... 119
    e-Community features and requirements ... 121
    The e-Community process flow ... 122
    Understanding the e-Community cookie ... 128
    Understanding the vouch-for request and reply ... 129
    Understanding the vouch-for token ... 130
    Encrypting the vouch-for token ... 130
    Configuring e-Community ... 131

Chapter 6. WebSEAL junctions ... 137
  WebSEAL junctions overview ... 138
    Junction database location and format ... 138
    Applying coarse-grained access control: summary ... 138
    Applying fine-grained access control: summary ... 139
    Guidelines for creating WebSEAL junctions ... 139
    WebSEAL uses HTTP 1.0 across junctions ... 140
    WebSEAL junction commands ... 140
    Creating junctions with "pdadmin server task" ... 140
  Configuring a basic WebSEAL junction ... 141
    TCP type junction ... 142
    SSL type junction ... 142
  Mutually authenticated SSL junctions ... 144
    WebSEAL validates the back-end server certificate ... 145
    Distinguished name (DN) matching ... 145
    WebSEAL authenticates with a client certificate ... 146
    WebSEAL authenticates with a BA header ... 146
  Supplying client identity information across junctions ... 147
  TCP and SSL proxy junctions ... 148
  WebSEAL-to-WebSEAL junctions over SSL ... 149
  Additional junction options ... 150
    Forcing a new junction (-f) ... 151
    Supplying client identity in HTTP headers (-c) ... 152
    Supplying client IP addresses in HTTP headers (-r) ... 154
    Passing session cookies to junctioned portal servers (-k) ... 154
    Supporting not case-sensitive URLs (-i) ... 155
    Handling script-generated server-relative URLs (-j) ... 156
    Processing server-relative URLs with junction mapping ... 160
    Stateful junction support (-s, -u) ... 162
    Specifying back-end server UUIDs for stateful junctions (-u) ... 163
    Junctions to Windows file systems (-w) ... 166
  Technical notes for using WebSEAL junctions ... 167
    Adding multiple back-end servers to the same junction ... 167
    Filtering URLs in HTML from junctioned servers ... 168
    Enforcing permissions across junctions ... 169
    Authentication across junctions ... 169
  query_contents for third-party servers ... 170
    Installing query_contents ... 171
    Installing query_contents on third-party UNIX servers ... 171
    Installing query_contents on third-party Win32 servers ... 172
    Customizing query_contents ... 173
    Securing query_contents ... 175

Chapter 7. Web single sign-on solutions ... 177
  Configuring BA headers for single sign-on solutions ... 177
    Single sign-on (SSO) concepts ... 178
    Supplying client identity in BA headers ... 178
    Supplying client identity and generic password ... 179
    Forwarding original client BA header information ... 181
    Removing client BA header information ... 182
    Supplying user names and passwords from GSO ... 183
  Global sign-on (GSO) ... 183
    Mapping the authentication information ... 185
    Configuring a GSO-enabled WebSEAL junction ... 186
    Configuring the GSO cache ... 187
  Configuring single sign-on to IBM WebSphere (LTPA) ... 188
    Configuring an LTPA junction ... 189
    Configuring the LTPA cache ... 189
    Technical notes for LTPA single sign-on ... 190

Chapter 8. Application integration ... 191
  Supporting CGI programming ... 191
    Windows: supporting WIN32 environment variables ... 192
  Supporting back-end server-side applications ... 193
  Dynamic Business Entitlements ... 194
    Business Entitlements with LDAP data ... 195
  (heading not recoverable) ... 198
    (heading not recoverable) ... 199
    (heading not recoverable) ... 200
  Providing access control to dynamic URLs ... 200
    Dynamic URL components ... 201
    Mapping ACL and POP objects to dynamic URLs ... 201
    Updating WebSEAL for dynamic URLs ... 203
    Resolving dynamic URLs in the object space ... 204
    Configuration limitations on POST requests ... 205
    Summary and technical notes ... 206
  Dynamic URL example: Travel Kingdom ... 208
    The application ... 208
    The interface ... 208
    The security policy ... 209
    Secure clients ... 210
    Access control ... 210
    (heading not recoverable) ... 211

Appendix A. webseald.conf ... 213

Appendix B. WebSEAL junction reference ... 229
  Creating junctions with "pdadmin server task" ... 229
  Junction commands ... 231
  Creating a junction for an initial server ... 232
  Adding additional servers to a junction ... 235

Appendix C. Using iKeyman ... 237
  Starting the iKeyman utility ... 238
  The default WebSEAL key database ... 239
  Creating a new key database ... 241
  Creating a new key pair and certificate request ... 244
  Adding a root CA certificate ... 246
  Deleting a root CA certificate ... 247
  Copying certificates between key databases ... 247
  Receiving a certificate from a CA ... 248
  Importing a certificate into a key database ... 249
  Exporting a certificate from a key database ... 250
  Requesting a server certificate ... 251
  (heading not recoverable) ... 253
  Deleting a certificate ... 253
  Specifying a new default certificate ... 254
  Changing the key database password ... 255

Index ... 257

Preface

Welcome to the Tivoli SecureWay Policy Director WebSEAL Administration Guide.

Tivoli SecureWay Policy Director WebSEAL is the resource manager responsible for managing and protecting Web-based information and resources. WebSEAL is a high-performance, multi-threaded Web server that applies fine-grained security policy to the Policy Director protected Web object space. WebSEAL can provide single sign-on solutions and incorporate back-end Web application server resources into its security policy.

This administration guide provides a complete set of procedures and reference information for managing the resources of your secure Web domain. It also provides background and concept information for the wide range of WebSEAL functionality.

Who should read this guide

The audience for this guide includes:

¶ Security administrators

¶ System installation and deployment administrators

¶ Network system administrators

¶ IT architects

¶ Application developers

What this guide contains

¶ Chapter 1: WebSEAL overview

Introduces the important concepts and functionality of WebSEAL, such as creating and protecting the Web object space, authentication, authorization, and WebSEAL junctions.

¶ Chapter 2: WebSEAL server configuration

Describes general WebSEAL configuration tasks, including managing the Web space, logging, handling unauthenticated users, and the WebSEAL-specific ACL and POP policies.

¶ Chapter 3: WebSEAL security policy

Describes the security policy tasks available on WebSEAL, including ACL and POP policies, quality of protection, step-up authentication policy, network-based authentication policy, three strikes login policy, and password strength policy.

¶ Chapter 4: WebSEAL authentication

Describes the tasks for configuring the authentication methods that WebSEAL supports, including user name and password, certificates, SecurID token passcodes, and special HTTP header data.

¶ Chapter 5: Cross-domain sign-on solutions

Discusses cross-domain single sign-on solutions between a client and WebSEAL servers in a WebSEAL proxy configuration.

¶ Chapter 6: WebSEAL junctions

Describes the tasks for configuring WebSEAL junctions.

¶ Chapter 7: Web single sign-on solutions

Discusses single sign-on solutions between WebSEAL and junctioned back-end application servers in a WebSEAL proxy configuration.

¶ Chapter 8: Application integration

Discusses how third-party application functionality can be integrated with WebSEAL functionality.

¶ Appendix A: webseald.conf

¶ Appendix B: WebSEAL junction reference

¶ Appendix C: Using iKeyman

Typeface conventions

This guide uses the following typeface conventions:

Bold: Command names and options, keywords, and other information that you must use literally appear in bold.

Italic: Variables and values that you must provide appear in italics. Titles of publications and words given special emphasis also appear in italics.

Monospace: Code examples, command lines, screen output, file and directory names, and system messages appear in monospace.

Policy Director related documents

The following documents are available in the Tivoli SecureWay Policy Director library:

Tivoli SecureWay Policy Director Release Notes

Installation guides

Tivoli SecureWay Policy Director Base Installation Guide

Tivoli SecureWay Policy Director WebSEAL Installation Guide

Administration guides

Tivoli SecureWay Policy Director Base Administration Guide

Tivoli SecureWay Policy Director WebSEAL Administration Guide (this document)

Tivoli SecureWay Policy Director Plug-in for Edge Server Administration Guide

Tivoli SecureWay Policy Director Web Portal Manager Administration Guide

Developer references

Tivoli SecureWay Policy Director Authorization ADK Developer Reference

Tivoli SecureWay Policy Director Authorization API Java Wrappers Developer Reference

Tivoli SecureWay Policy Director Administration API Developer Reference

Tivoli SecureWay Policy Director WebSEAL Developer Reference

Supplemental documents

Tivoli SecureWay Policy Director (title not recoverable)

Tivoli SecureWay Policy Director Performance Tuning Guide

Tivoli SecureWay Policy Director Capacity Planning Guide

Accessing online documentation

The Tivoli Customer Support Web site (http://www.tivoli.com/support/) provides the following types of documentation:

¶ Technical information, including release notes, installation and configuration guides, administration guides, and application developer guides

¶ Frequently asked questions (FAQ)

¶ Software download information

You can find the guide to using Tivoli Customer Support at http://www.tivoli.com/support/getting/.

You can access Tivoli online publications at http://www.tivoli.com/support/documents/. Click a product name to view the documents for that product.

The latest Policy Director technical publications are available at https://www.tivoli.com/secure/support/Prodman/html/AB.html#Security.

Product publications are provided in PDF and HTML formats. Translated documents are also provided.

To access most product publications, you need a customer ID and password. To obtain an ID and password for use on the Web site, go to http://www.tivoli.com/support/getting/.

Information on how new customers obtain Tivoli technical publications and related information is available at http://www.tivoli.com/support/smb/index.html.

If you are a business partner, see "Ordering publications" on page xviii for information about obtaining Tivoli technical publications.

Ordering publications

You can order Tivoli publications online at http://www.tivoli.com/support/Prodman/html/pub_order.html or by calling one of the following numbers:

¶ U.S. customers: (800) 879-2755

¶ Canadian customers: (800) 426-4968

Providing feedback about publications

We are very interested in hearing about your experience with Tivoli products and documentation, and we welcome your suggestions for improvements. If you have comments or suggestions about the product documentation, contact us in one of the following ways:

¶ Send e-mail to [email protected]

¶ Complete the customer feedback survey at http://www.tivoli.com/support/survey/

Contacting customer support

The Tivoli Customer Support Handbook is available at http://www.tivoli.com/support/handbook/.

The handbook provides information about how to contact Tivoli Customer Support, including:

¶ Registration and eligibility

¶ How to contact support, depending on the severity of your problem

¶ Telephone numbers and e-mail addresses, depending on the country in which you are located

¶ What information you should gather before contacting support

Chapter 1. WebSEAL overview

Tivoli SecureWay Policy Director WebSEAL is a high-performance, multi-threaded Web server that applies fine-grained security policy to the Policy Director protected Web object space. WebSEAL can provide single sign-on solutions and incorporate back-end Web application server resources into its security policy.

This chapter provides an overview of the major functionality of the WebSEAL server.

Topic index:

¶ "Protecting your Web space with WebSEAL" on page 1

¶ "Understanding WebSEAL authentication" on page 5

¶ (topic heading not recoverable) on page 7

¶ "Understanding WebSEAL junctions" on page 8

Protecting your Web space with WebSEAL

Tivoli SecureWay Policy Director WebSEAL is the resource manager responsible for managing and protecting Web-based information and resources.

WebSEAL is a high-performance, multi-threaded Web server that applies fine-grained security policy to the Policy Director protected Web object space. WebSEAL can provide single sign-on solutions and incorporate back-end Web application server resources into its security policy.

Page 22: Tivoli SecureWay Policy Director WebSEAL ºÞ²z¤â¥Upublib.boulder.ibm.com/tividd/td/SW_30/GC32-0684-01/zh_TW/PDF/ws-adm... · ABb ñAC@≈ú ]tIBM q @vn Cb o IBM q \ iveAú P

WebSEAL úUC\αG

¶ Σh½OΦk

tmúiúΣUO≈εuC

¶ ⁿ HTTP M HTTPS nD

¶ zL WebSEAL XNπXO@ß°AΩ

¶ w∩Mß°A Web íAzwqδsε

ΣΩ]A URLBH URL ≥ª WϕíBCGI íBHTML BJava servlet M Java OC

¶ ⌡µ@V Web proxy

Nq AWebSEAL O Web °AANΣO@Xß°A AΣ Web s²C

¶ úµ@nJ\α

1. H WebSEAL O@ Web í


Oe¼MO@h¡z Web íwzAz TaOiU¼e¼C YeYKO@AuSw

FΣLehi@δj °C C@wΩ

núPO@DM÷p WebSEAL tmC

zd⌠G

¶ Dz Web e

¶ OnDse¼

¶ A[ji WebSEAL tm∩óAHOe

Web eO@TsxOG

1. @e – ΣsúnO@

¶ zL HTTP gOqs

¶ ≤sεΩgO

¶ ≥ WebSEAL tmD

2. @e – ΣsnpK][K

¶ zL HTTPS gOqs

¶ n[KHO@í°AnD≈KΩ]p

HdXMbßΩT

¶ ≤sεΩgO

¶ WebSEAL tmWwpK

3. pKe – ΣsnO

¶ zL HTTP HTTPS gOqs

¶ zMw[Kn

¶ gO≤sεΩFqb

n²ñwqbß


¶ WebSEAL tmϕ°A∩úpqHPw∩whvT

WΩIwhX@whPOG

1. nO@ Web Ω

2. O@h

Policy Director o Web ΩΩϕΦíAⁿO@½≤íC ⁿO@½≤í]tNϕz⌠⌠ºΩΩΘΩ

½≤C

IµwhΦíO∩nO@½≤MAϕw≈εC

w≈ε]AG

¶ sεMµ (ACL) h

ACL hOiQsⁿw½≤W(\º@¼C

¶ ⁿO@½≤h (POP)

POP ⁿw [°≤AΣΣt∩ⁿO@½≤ºsAppKBπBfΘísC

¶ XR

XROm≤½≤BACL POP W [AΣi$≤Otí]píA≈c[H¬C

Policy Director $≤uA≈c]AuthorizationServicev— ΣHm≤½≤WsεA

(\ ∩ⁿO@½≤]ΩsC

YnQIµwhAzHΦΦísúPe¼

]\yWΩIwhzñíAMAϕ


ACL M POP hC sεziαDcAYαpOe¼ANiΣµhC

A WebSEAL OOOO nJw⌠ºOBzΩΘΦkC ϕ

°AqúnDOAΣiµµ½Y¼

OC

WebSEAL ijεbw⌠ñIµ¬wAΣΦknDC@qúΣ¡≈C ϕ WebSEAL ε∩w⌠C@ΩºsAWebSEAL nDOviúD⌠⌠wC

bwtmñAOO≤vCvPwgOO

v∩SwΩ⌡µ@C OuOTwHOTΣ

¡≈AP∩Ω⌡µ@αOLAC

UC°≤A≤ WebSEAL OG

¶ WebSEAL Σ@OΦkC

ziq WebSEAL ΣΣLOΦkC

¶ WebSEAL BzPOΦkUWB@C

2. ¼O


¶ WebSEAL unq¡≈C WebSEAL zL¡≈ogO]gOAΣiuA≈cv

(\ ∩ΩsC

ouOΦki²whHD≥ªAD≥≤

ΩΘ⌠⌠C

O÷M WebSEAL POBzL÷A²O WebSEAL nOG—q¡≈COBz PUC@G

1. OΦkúq¡≈

b Policy Director n²ñwq@bßAqO)Q¿C hAQⁿwg

OC

2. WebSEAL ¡≈oqC

WebSEAL ±∩gOq¡≈PwnO Policy DirectorC Mß WebSEAL oA≤CoNOoC

]AWHbΣñπ¿ΩµsC

pGOWAWebSEAL m@gOC

oiuA≈cv(\ ∩ WebSEALO@½≤íñnD½≤ºsC

i⌠≤nq÷ΩT Policy Director AíC i² Policy Director wa⌡µ hAApvBfeUC

÷≤ΣSwOΦki@BΩTA\ 7 5yWebSEAL OzC


AoOBzΣñ@DnOoíq

ΩTC OPw⌠Σñ@Dn≥nDC

Policy Director OPoC ¡≈&OTwC MA—ΣwqbΣñPsñΓ—oOC⌠SHí∩C pAϕYH

*EAMs dh C

OBzúΦkS¡≈ΩTCoΩT±∩s

±b Policy Director n²]w] LDAPñbßΩTC WebSEAL NWMsΩTMg@P⌠ϕΦíAHuExtended Privilege AttributeCertificate]EPACvµíC

ΦkS¡≈ΩT]pKXBONϕΩ

¡≈eC oΩTiP°AwÑq@C

ú]ΣNϕbw⌠ñMvHSwW

UσíABubÑq@RgC

Policy Director ]t¡≈HbΣñπ¿ΩµsC

3. Mg¡≈ΩT


Mv (EPAC)i⌠≤nq÷ΩT Policy Director AíC

pAuA≈cvPwOgvi∩

w⌠ñⁿO@Ω⌡µSw@C

EPAC ]tu@sOX]UUIDvAΣ Policy DirectornPsεMµ]ACL@ftC

Policy Director ∩ΣLAApG

¶ fA

¶ WebSEAL Xñe⌠\α

UC EPAC µA≤ Policy DirectorG

í

w⌠ ID Principal lw⌠ ID

Principal UUID Principal UUID

s UUID Principal ºs UUID

A WebSEAL XPolicy Director ú⌠⌠OBvzAC bH Web ≥ª⌠⌠ñAoO@híe WebSEAL °AαúnAAΣπXO@≤ß Web °AW Web ΩMíC

WebSEAL °APß Web í°AºísuYWebSEAL XOXC WebSEAL XOe WebSEAL °APß°Aºí TCP/IP suC

ß°Ait@í WebSEAL °AO]≤ú≤Ot Web í°AC ß°A Web íb WebSEAL


iWxsñSOⁿwX]ⁿIBAusv

WebSEAL °AC

Xi² WebSEAL Nϕß°AúO@AC WebSEALbnDß°AºeAi∩nD⌡µOv

dC pGß°An∩Σ½≤iµwqδsεAh

z⌡µBtmBJAHK∩ Policy Director wAíí≤Ot Web í]\170y∩≤Ot°A query_contentszC

Xú@iíBw⌠AΣe\¡ΩyqB¬i

BM¼Az\α—qiHMí í⌡µípC¡@zAziⁿq≤ñiWxszC

WebSEAL Xú@ [ AYHΦΦíNß°AWeb íP WebSEAL °A Web íXC X@°AºíXúµ@B@Bí Web íAΣLíAB∩zqC

qqúD Web ΩΩmC WebSEAL NΦURL α½¿ß°AwΩC Web ½≤ib°AºíAúvTqs½≤ΦíC

4. Xs WebSEAL Pß°A


g@ Web íitzºΩzC ΣªzuI]AiB¡Ωyq¬iC

jí≈ Web °ASwqΦ Web ½≤íαOC AΣsεOsΩΘM²cC

WebSEAL Xizqwq½≤íAΣMcAD Web °AWúΩΘ≈M²cC

5. WebSEAL Xú@ Web í


WebSEAL Xi²zµ@nJMΦC µ@nJtmi²@ lnJYisΩ]LΩmb

≤BC iMíBzß°A⌠≤i@BnJ

DC

WebSEAL XO@i²z⌠ÑIu½nuπC$ [B°AAXi²z⌠WWDC

WebSEAL XP⌠iWebSEAL Xií⌠C ϕ⌠DXWAzi÷aK[°AXR⌠\αC

≥≤UCz$AiWKB°AG

¶ HBeXR⌠

¶ w∩¡ΩyqBó ¬iAsse

se WebSEAL °A∩ß°AXΣl≤+@íe WebSEAL °ACse WebSEAL °AbjyqDíA∩⌠ú¡ΩyqC ¡Ωyq≈εO$p IBM Network Dispatcher Cisco Local Director Ñ≈εBzC

e°A∩⌠úó \α— pG@í°A

]GóAl°AN≥ú∩⌠sC ¿\

¡Ωyqó \αA∩⌠ú¬i

C


ϕzse WebSEAL °AAC@í°Aú]AWeb íMXΩwπC

ObßΩTbPe°AL÷n²ñC

Σß°A⌠ei$ WebSEAL °A¡Bß°A]ΓX°AC WebSEAL XΣß°AAi²zzL [eMΩAπ⌠±C

C@í@ß°AúXOX]ⁿIC

H∩ΣLeºDXWAizLXsW≤h°AC

oΩ∩jqδΩ≤Ot Web °A⌠⌠Aú@MΦC

6. se WebSEAL °A


U íXp≤ú@BΦ½≤íC o Web ízq≤AiiµñzC

7. Xß°A


Uísß°AXP@XIípC

sß°AYnNi\αß°AtmAzisß°A

C bπse°AípUAsß°A

]tΣºΦMv Web íC

WebSEAL “least-busy” tΓkCzL°Aiµtⁿ¡CotΓkNC@snD V+suw

biµñ°AC

ϕ°A÷¼AWebSEAL ] Taó Ab@)°Aw½sl½s[HC

pGßínzL@Σ¼AAi¼A

XTOC@Ñq@ú≡P@íß°AC

8. @ Web í


9. sß°A


2. WebSEAL Server Configuration

ñΩTíFzi⌡µ@δzMtm@Fo@

i²zq⌠⌠ñ WebSEAL °AC

DDG

¶ 18y@δ°AΩTz

¶ 21ytmqHz

¶ 25yz Web íz

¶ 31ytm HTTP Tºz

¶ 35yzq HTML z

¶ 37yzqM°Az

¶ 43ytmw]O@ΦÑz

¶ 45ytmvΩw≤sMⁿz

¶ 46yse WebSEAL °Az

¶ 48ytm HTTP Oⁿz


@δ°AΩTHUí÷≤ WebSEAL °A@δΩTG

¶ y webseald.conf tmz

¶ 19yWebSEAL w²z

¶ 20yWebSEAL °A²z

¶ 20yMε WebSEALz

webseald.conf tmziHb webseald.conf tmñAtmHKq WebSEAL@CObHU²ñG

UNIXG

/opt/pdweb/etc/

WindowsG

C:\Program Files\Tivoli\PDWeb\etc\

UϕJFqMq¿G

q   q¿

WEBSEAL @δ   [server]

LDAP   [ldap]

SSL   [ssl]

X   [junction] [filter-url] [filter-schemes] [script-filtering] [gso-cache] [ltpa-cache]

O   [ba] [forms] [token] [certificate] [http-headers] [auth-headers] [ipaddr] [authentication-levels] [mpa] [cdsso] [cdsso-peers] [failover] [e-community-sso] [inter-domain-keys] [authentication-mechanisms] [ssl-qop] [ssl-qop-mgmt-hosts] [ssl-qop-mgmt-networks] [ssl-qop-mgmt-default]

Ñq@   [session]

e   [content] [acnt-mgt] [cgi] [cgi-types] [cgi-environment-variable] [content-index-icons] [icons] [content-cache] [content-mime-types] [content-encodings]

Oⁿ   [logging]

AUTHORIZATION API   [aznapi-configuration] [aznapi-entitlement-services]

POLICY DIRECTOR   [policy-director]

\213ywebseald.conf zC

: C ≤ webseald.conf AzúHΓΦí½s WebSEALA²s≤C\20yMε WebSEALzC

WebSEAL w²WebSEAL íwbUC²ñG

UNIXG

/opt/pdweb/

WindowsG


C:\Program Files\Tivoli\PDWeb\

Y Windows wAzib Policy Director Wtm⌠CzLkb Policy Director UNIX wWtm⌠C

ΓU <install-path> Nϕo²C

b UNIX wLñAHUW²]tFXj]pfMΘxG

/var/pdweb/

WebSEAL °A²webseald.conf tmñ server-root ObwqWebSEAL °A@mC

[server]
server-root = /opt/pdweb/www

webseald.conf tmñ»z∩⌠WAO∩≤²C

: b ¼pUAzún≤⌠WC

Mε WebSEALziHb UNIX W pdweb_start ⁿOb Windows ñuAεxvMε WebSEAL °AC

UNIXG

pdweb_start start|stop|restart|status

pAYnε WebSEAL °AMßA½sAG

# pdweb_start restart

pdweb_start ⁿOObHU²ñG

/opt/pdweb/bin/

WindowsG


buAεxvñΣX WebSEAL °ABzAMß Tε÷sC

tmqHHUí÷≤ WebSEAL °A@δΩTG

¶ yw∩ HTTP nDtm WebSEALz

¶ 22yw∩ HTTPS nDtm WebSEALz

¶ 22y¡εSw SSL suz

¶ 22ytm HTTP M HTTPS u@⌡µⁿz

¶ 23yHTTP/HTTPS qHOz

¶ 24yΣL WebSEAL °AOz

w∩ HTTP nDtm WebSEALWebSEAL qBz\hgO HTTP nDCpAe\W¬sz⌠qW∩wσ≤O

C

Bz HTTP nD]zL TCPOb webseald.conf tm [server] q¿ñC

/ HTTP sbtm WebSEAL HTTP sG

http = yes|no

]w HTTP s≡HTTP sw]≡ 80G

http-port = 80

pAYn≤≡ 8080A]wG

http-port = 8080


w∩ HTTPS nDtm WebSEALBz HTTP nD]zL SSL (HTTPS)Obwebseald.conf tm [server] q¿ñC

/ HTTPS sbtm WebSEAL HTTPS sG

https = yes|no

]w HTTPS s≡HTTPS sw]≡ 443G

https-port = 443

pAYn≤≡ 4343A]wG

https-port = 4343

¡εSw SSL suziHµWM SSL 2 BSSL 3 M TLS 1sqCεSw SSL M TLS suObwebseald.conf tm [ssl] q¿ñCw]Aw SSL M TLS C

[ssl]
disable-ssl-v2 = no
disable-ssl-v3 = no
disable-tls-v1 = no

tm HTTP M HTTPS u@⌡µⁿwtmu@⌡µⁿⁿw°AiAµiJnD

C tNwbu@⌡µⁿúbúLFΣL

suAu@⌡µⁿiεC

zi]wi WebSEAL AiJsu⌡µⁿC $≤iααvTA]ptmu@⌡µⁿC

otmújεPsuW¡C ouOⁿw

iAiαL¡εu@εCº⌡µⁿC


∩zQu@⌡µⁿAM≤∩z⌠⌠WΩyq

M¼AwC

@δÑAW[⌡µⁿYYεΣ¿nDO¡í

íC MAW[⌡µⁿvTΣL] AΣiα∩°A

αtvTC

WebSEAL @@µ@BPu@MµMu@⌡µⁿxs)ABz TCPBSSL GSSAPI qDkºqnDC oj≈εi² WebSEAL +tΩAoαBz≤Hu@qC

ziHb webseald.conf tm [server] q¿ñ]wworker-threads AHKtmu@⌡µⁿxs)jpC

[server]
worker-threads = 50

: ÑOzub°αD)≤oC

HTTP/HTTPS qHOWebSEAL IBM Global Security Kit (GSKit) SSL IµCϕ WebSEAL ¼ HTTPS qnDAGSKit SSL lµñAB@Ñq@¼AC

WebSEAL w∩ HTTP M HTTPS qHΣHUOCOb webseald.conf tm [server] q¿ñC

¶ client-connect-timeout

@)oFlµñAⁿw WebSEAL nlHTTP HTTPS nDOsuh[Cw] 120 ϕC

[server]
client-connect-timeout = 120

¶ persistent-con-timeout


oM≤ HTTP/1.1]D HTTP/1.0suCb@HTTP/1.1 nD°AºßAoε WebSEALb÷¼ºeANO HTTP/1.1 ≥sujϕC w] 5 ϕC

[server]
persistent-con-timeout = 5

ΣL WebSEAL °AOUCBOO]w≤ webseald.conf tmG

í   w]]ϕ

[junction] http-timeout   zL TCP XA∩ß°Aeqñ¬OC   120

[junction] https-timeout   zL SSL XA∩ß°Aeqñ¬OC   120

10. HTTP M HTTPS qHO


í   w]]ϕ

[cgi] cgi-timeout   ∩ CGI Bzeqñ¬OC   120

[junction] ping-time   WebSEAL ∩C@X°A⌡µwI PingAHPwΣOb⌡µñC WebSEAL WvNúWLCj 300 ϕ@ ]]wC   300

z Web íUCíz Web í@G

¶ yWeb σ≤≡²z

¶ 27ytm²z

¶ 28yWindowsGCGI íRWDz

¶ 29ytm Web σ≤z

Web σ≤≡²Web σ≤≡mO∩ WebSEAL úºσ≤σ≤≡²∩⌠C webseald.conf tm [content] q¿ñ doc-rootONϕ⌠WCbw WebSEAL íYlw]mG

UNIXG

doc-root = /opt/pdweb/www/docs

WindowsG

doc-root = C:\Program Files\Tivoli\PDWeb\www\docs

o@ —wß@ WebSEAL C HßoYxsbXΩwñC ∩ webseald.conf ñoi@B∩S⌠≤vTC


bwºßAz pdadmin í≤σ≤²mC HUd]°AW websealAíFG

1. nJ pdadminG

# pdadmin
pdadmin> login
ΘJ IDGsec_master
ΘJKXG
pdadmin>

2. server task list ⁿOπeµXIG

pdadmin> server task websealA list
/

3. server task show ⁿOπXΩTG

pdadmin> server task websealA show /
XIG /
¼GXw¡εG0 - sXn¡εG0 - s@ñu@⌡µⁿG0
²G/opt/pdweb/www/docs

4. sXHK≤½µXI]z -f ∩jεsXAHK∩gXG

pdadmin> server task websealA create -t local -f -d /tmp/docs /
Xw≤ /

5. CsXIG

pdadmin> server task websealA list
/

6. πXIG

pdadmin> server task websealA show /
XIG /
¼GXw¡εG0 - sXn¡εG0 - s@ñu@⌡µⁿG0
²G/tmp/docs


tm²ϕnD URL ϕíO²WAziⁿw WebSEALnw]WC pGow]sbAWebSEAL NqCpGúsbAWebSEAL Aú²ABNMµqC

tm²Ob webseald.conf tm [content] q¿ñC

w]G

[content]
directory-index = index.html

pGzxúPDAzi≤WCpG

[content]
directory-index = homepage.html

pGnD²ñS directory-index wqAWebSEAL Aú²Cúñ]tF²eMµAH²ñCubq∩nDs

²Aπ²uMµv(l) \iv ACLA)αúC

zitm² WebSEAL búñA∩CX¼Sw C webseald.conf tm

[content-index-icons] q¿]tFσ≤ MIME ¼MµAHπ÷ .gif G

[content-index-icons]
image/* = /icons/image2.gif
video/* = /icons/movie.gif
audio/* = /icons/sound2.gif
text/html = /icons/generic.gif
text/* = /icons/text.gif
application/x-tar = /icons/tar.gif
application/* = /icons/binary.gif

ziHtmMµC MIME ¼ⁿwΣL C m]iHOmCpG


application/* = http://www.acme.com/icons/binary.gif

z]iHtmoB G

¶ ϕl² G

[icons]
diricon = /icons/folder2.gif

¶ ϕWh² G

[icons]
backicon = /icons/back.gif

¶ ϕú¼ G

[icons]
unknownicon = /icons/unknown.gif

WindowsGCGI íRWDwebseald.conf tm [cgi-types] q¿ñ]tAi²zⁿwOM⌡µ CGI í Windows W¼C

UNIX @tSWnDC MAYO Windows @tAhwqW¼C [cgi-types] q¿CW¼ANC@WMg]nAϕ CGI íC

[cgi-types]<extension> = <cgi-program>

w]AuΣWPq¿ñCW

AQϕ@ CGI í⌡µC pGY CGI íWúbMµñAhú⌡µíC

Windows w]AZOΣW .exe AúQϕ@í⌡µABúMgC

: úLACϕzQb Windows Ww .exe HUⁿAzú≤WNwOs@í≈]p

.zipC


z∩Nϕ Script WAúAϕíCHUW¼d]AG Shell Script (.sh H .ksh)BPerlScript (.pl) M Tcl Script (.tcl) C

UCdíσ¼ [cgi-types] q¿tmG

[cgi-types]
bat = cmd
cmd = cmd
pl = perl
sh = sh
tcl = tclsh76

: b .bat M .cmd AY½wDA≤ΣñC po¼C

tm Web σ≤$≤ú Web σ≤αAqiαgJL°⌠⌠síUⁿíC $≤ WebSEAL °AnÑqXß°Añσ≤A]y¿αú A

CxsC

Web σ≤\αi²zNgs Web σ≤¼xsbWebSEAL °AOΘñC qNPⁿ≤

WebSEAL °Añß≥σ≤nDtHC

σ≤i]ARAσrσ≤M vC²LkAú

σ≤ApΩwdGC

Web σ≤zL WebSEALAúz°Aσ≤uADqLXß°AC

⌡µO MIME ¼Cϕzw∩ Web σ≤tmWebSEAL AOUCTG

¶ σ≤ MIME ¼

¶ xsCΘ¼

¶ xsCΘjp


zib iv.conf tm [content-cache] q¿ñwq Web σ≤C ΣAykpUG

<mime-type> = <cache-type>:<cache-size>

í

mime-type Nϕb HTTP “Content-Type:” Yñ⌠≤

MIME ¼C oiα]tUr$ ( *

)C */* Nϕw]½≤AΣNOdD∩≤

Ttmº⌠≤½≤C

cache-type ⁿwn≤xsCΘ¼C Policy Director

ΣuOΘvC

cache-size ⁿwb½≤Qú] “Least Recently Used” tΓ

kºeAwiXRj]Hd$

(KB) µC

dG
text/html = memory:2000
image/* = memory:5000
*/* = memory:1000

Web σ≤≈εi[εUC°≤G

¶ ubwqFßA)oC

¶ wúwq⌠≤C

¶ pGzSⁿww]AhúP⌠≤Túú

σ≤C

¶ /M∩w∩ΩTnD⌡µvC

Mú ziH pdadmin íMútmCoíLk²zMúOC

z²H Policy Director z sec_master nJw⌠AMß)α pdadminC


YnMú Web σ≤AΘJUCⁿOG

UNIXG

# pdadmin server task <server-name> cache flush all

WindowsG

MSDOS> pdadmin server task <server-name> cache flush all

pzi pdadmin íú÷eq≥pC opΩTⁿXGs±bñAHw∩C

@úXnDC

z²H Policy Director z sec_master nJw⌠AMß)α pdadminC

Yno÷eqpΩTAΘJUCⁿOG

UNIXG

# pdadmin server task <server-name> cache stat

WindowsG

MSDOS> pdadmin server task <server-name> cache stat

tm HTTP Tº WebSEAL °AAnD²óC y¿óh]C pG

¶ úsb

¶ \iv]wTεs

¶ Lk⌡µ CGI íA] UNIX \ivú Toⁿíp


ϕAnDóA°Ab HTML ñTºs²Apu403 TεvC hTºiFC@hTº

úxsbO HTML ñC

oxsbUC²ñG

UNIXG <install-path>/www/lib/errors/<locale-dir>

WindowsG <install-path>\www\lib\errors/<locale-dir>

errors ²]tXyÑ⌠l²Al²]tTºgC

pAuⁿíσvTº²⌠G

UNIXG <install-path>/www/lib/errors/en_US

WindowsG <install-path>\www\lib\errors/en_US

o²ñTººµí HTMLA]bs²ñiH TπC zisΦo HTML qΣeC WíXQ2iAXb@óC 3≤∩o

WC

Uϕ]tí≈@≈úTººWMeMµG

W   D   í   HTTP X

132120c8.html   Oó   Lkqº C iα]]AG
    ¶ úú T
    ¶ wD°
    ¶ OΩwñ≥ó

1354a2fa.html   D,²   nD@núD²C o@úWwC

1898d259.html   LknJ   nDΩn WebSEAL NnJt@í Web °AC úLAϕ WebSEAL ΩToDC

1898d25a.html   Sµ@nJΩT   WebSEAL ΣúnDΩ GSO C

1898d25b.html   Fµ@nJ   WebSEAL ΣúnDΩ GSO C

1898d25c.html   hnJ   w∩nDΩwqFh GSO CoO@tmC

1898d25d.html   nnJ   nDΩⁿXß Web °AO@An WebSEAL NnJ Web °AC ⌡µ@A²nJ WebSEALC

1898d25e.html   LknJ   nDΩn WebSEAL NnJt@í Web °AC úLAbßnJΩTú TC

1898d25f.html   DwOt   Policy Director WebSEAL ¼Xß Web °ADwOtC

1898d421.html   nDΩw½C ½sVBzúϕAqNooípC   302

1898d424.html   nDú T   WebSEAL ¼L HTTP nDC   400

1898d425.html   nnJ   znDΩⁿ WebSEAL O@ApnsΩA²µnJC

1898d427.html   Tε   SsnDΩ\ivC   403

1898d428.html   Σú   ΣúnDΩC   404

1898d432.html   AíLk   eLk WebSEAL ¿nDAíC   503

1898d437.html   °Aw   tzF WebSEAL °AC bz²°A≡A¼AeANLkBznDC

1898d439.html   Ñq@ΩT≥ó   s²/°Aí¼O@PXß°Aí¡wÑq@A°AwúAC WebSEAL n@b°AAíA)α¿znDC

1898d442.html   AíLk   WebSEAL Aí≤Xß°AWAB SSL ¼OoóC

1898d7aa.html   CGI íó   CGI Lk ⌡µC

default.html   °A   $≤oºAWebSEAL Lk¿znDC   500

deletesuccess.html   Q¿   wQ¿ql DELETE nDC   200

putsuccess.html   Q¿   wQ¿ql PUT @C   200

relocated.html   ½   nDΩw½C   302

websealerror.html   400 WebSEAL °A   WebSEAL °AíC   400

¿ΣUC¿i≤q²eq¿ñCX HTML C¿NAm½iAϕΩTC


¿ í

%ERROR_CODE% XC

%ERROR_TEXT% PsTººX÷pσrC

%METHOD% qnD HTTP ΦkC

%URL% qnD URLC

%HOSTNAME% πD≈WC

%HTTP_BASE% °A≥ HTTP URL “http://<host>:<tcpport>/”C

%HTTPS_BASE% °A≥ HTTPS URLG“https://<host>:<sslport>/”C

%REFERER% nDºYAO “Unknown”]pGS

C

%BACK_URL% nDºYAO “/”]pGSC

%BACK_NAME% ϕnDñXY “BACK”ApGSAh

“HOME”C

zq HTML Policy Director ]Ad HTML ϕµAi[HqH]t⌠STº⌡µ⌠S@C jí≈ϕµíiA≤z

L HTTP HTTPS uϕµvBOM BA OC

oϕµmOwqb webseald.conf tm [acnt-mgt]q¿ mgt-pages-root ñC

mgt-pages-root = lib/html/<lang-dir>

Ω²OϕayÑC w]ⁿΩσ²G

lib/html/C

ΘσyÑ⌠≤G

lib/html/JP

qMHUSϕ HTML MOb webseald.conf tm[acnt-mgt] q¿ñCYuOuϕµnJvΦkú¡≈ΩTC


k

login = login.html ϕµnJ

logout = logout.html ϕµnJ

account-locked = acct_locked.html ⌠≤Φk

passwd-expired = passwd_exp.html ⌠≤Φk

passwd-change = passwd.html ⌠≤Φk

passwd-change-success = passwd_rep.html ⌠≤Φk

passwd-change-failure = passwd.html ⌠≤Φk

help = help.html ⌠≤Φk

token-login = tokenlogin.html OnJ

next-token = nexttoken.html OnJ

stepup-login = stepuplogin.html iÑO

q HTML í

ϕµ í

login.html WMKXnDϕµ

logout.html QnXßπC

acct_locked.html ]bßΩw POóπC

passwd_exp.html ]KX POóπC

passwd.html ≤KXϕµCϕµ]bKX≤nDóπC

passwd_rep.html KX≤nDQ¿πC

help.html ]tzC

tokenlogin.html OnJϕµC

nexttoken.html U@OϕµC

stepuplogin.html iÑOnJϕµC

boñ]Γ¿iC o¿rΩim≤d

ñC ¿Aam½AϕC

¿ í

%USERNAME% wnJºWC


¿ í

%ERROR% q Policy Director ºg+TºC

zqM°Aí]w WebSEAL HBzqM°A]≤zL SSL OzMtm@C

bUCípUAWebSEAL nG

¶ WebSEAL HΣ°AA∩ SSL qOΣ¡

¶ WebSEAL HqA∩Xß°A]¼OtmOΣ¡

¶ WebSEAL Σu≈c (CA)vroot ΩwAτHqiµsq

¶ WebSEAL Σu≈c (CA)vroot ΩwAτw∩¼OtmXß°A

WebSEAL IBM Global Security Kit (GSKit) SSL Ω@AtmMzCGSKit ú iKeyman í]wz≈ΩwAΩw]t@h WebSEAL Dq CA root C

WebSEAL bw]tUC$≤AHΣzL SSL OG

¶ w]≈Ωw (pdsrv.kdb)

¶ w]≈Ωw⌠ (pdsrv.sth) MKX (“pdsrv”)

¶ @δ CA root

¶ i² WebSEAL N¡O SSL qp


zWu≈cvoXBⁿMi

NC

WebSEAL Bztm]AG

¶ 40ytm WebSEAL ≈Ωwz

¶ 42y iKeyman zíz

¶ 42ytm CRL dz

F GSKit ≈Ωw¼IBM Key Management uπ (iKeyman) FUϕñJ¼C

CMS ≈ΩwO$W .kdb ABiαΣLΓHW¿CϕzFs≈ΩwAN

.kdb C .kdb ñ≈O²iHOAOπ[KpK≈ΩTC

.rdb M .crl ObzsnDC CAnDn .rdb C

¼   í

.kdb   u≈ΩwvCOxsHBHnDMCpAw] WebSEAL ≈Ωw pdsrv.kdbC

.sth   u⌠vCOxsgL[K≈ΩwKXCWDníP÷ .kdb PC

.rdb   unDvΩwCOb .kdb ≈ΩwCWDníP÷ .kdb PC]tFw¿B CA ¼nDCϕq CA Atb .rdb ñjMAHKΣXXnD]≈CpGoFnDAN¼ABb .rdb ñRú∩nDCpGΣúnDA¼@NQ CnDñ@δWBB≤DaBnDⁿwΣLΩTAHPnD÷≈MpK≈C

.crl   uoεMµvC@δ]t]]QoεMµC²OAiKeyman LkΣ⌠≤oεMµAHOC

.arm   H ASCII sXGiC.arm ]tFH base-64 sX ASCII ϕF]tF≈A²OSpK≈CGiΩQα½ ASCII ϕΦíCϕ¼ .arm AiKeyman ASCII eXABNGiϕe±b T .kdb ñCPaAϕq .kdb ñAiKeyman NGiΩα½ ASCIIAMßNª±b .arm ñC .arm ñ ASCII ΩNOzbnDñe CA ΩCGun¡ Base64 sXA⌠≤¼úi].arm HC

.der   usXWhvC .der ñ]tFHGiϕFñ]tF≈A²OSpK≈CoP .arm ϕⁿFΣtºb≤ϕΦíGiAúO ASCIIC

.p12   PKCS 12 FΣñ PKCS Oⁿu≈[KvC.p12 ]tFHGiϕFñ]tF≈MpK≈C .p12 ]iα]thFpiαBoX CA BCA oXAHΣoXÑÑC] .p12 ]tFpK≈AⁿKXO@C


tm WebSEAL ≈ΩwWebSEAL ≈G

bwAWebSEAL ú@w]≈ΩwC

webseald.conf tm [ssl] q¿ñ webseal-cert-keyfile iⁿwWMmG

[ssl]
webseal-cert-keyfile = /var/pdweb/www/certs/pdsrv.kdb

zi iKeyman ís≈ΩwC MAzb webseal-cert-keyfile ñΘJs≈WMmAHK² WebSEAL iMΣt≤ΩwC

≈KXG

bwñAWebSEAL ]ú@w]⌠AΣ]t

pdsrv.kdb ≈KXC webseal-cert-keyfile-stash ∩WebSEAL i⌠mG

webseal-cert-keyfile-stash = /var/pdweb/www/certs/pdsrv.sth

[K≤⌠w]KX “pdsrv”C z]ib

webseal-cert-keyfile-pwd ñHσrϕKXCpG

webseal-cert-keyfile-pwd = pdsrv

bwAWebSEAL ⌠o≈KXC

webseal-cert-keyfile-pwd Q[C ⌠ßAziKb webseald.conf tmñHσrπKXC

: °[znSwKXC pGⁿwFKXM⌠ANKXC

WebSEAL G


bwñAWebSEAL úúOwµpC@°AAi² WebSEAL πV SSL qOΣ¡≈αOC

Fni@BaεAww]

C webseal-cert-keyfile-label ⁿwn@@ñ°AAB∩g≈ΩwñⁿwΣL⌠≤

uw]vC

webseal-cert-keyfile-label = WebSEAL

÷Me\ WebSEAL F SSL s²nDA²Os²]Σú]tAϕ root CA Lk[HτC $≤w]pK≈t≤C@ WebSEAL eñALkúu wqHC

z iKeyman íúieu≈c(CA)vnDC iKeyman wM°AC

pGzbúPípUúP]p –K XAziH iKeyman íBwBMoC≈ñúiµC

WebSEAL]w]H ivmgr⌡µ∩o≈Ωwπ¬ (r) \ivC

t\237y iKeyman zzC

í Policy Director °A SSL qHG

webseald.conf tm [ssl] q¿]tF.BFziHotm² WebSEAL PΣL Policy Director °AAiµí SSL qH≈CzuαzL pdconfig tmScript ∩oC


[ssl]
ssl-keyfile =
ssl-keyfile-pwd =
ssl-keyfile-stash =
ssl-keyfile-label =

iKeyman zíiKeyman íO@H GSKit úuπAizWebSEAL C iKeyman iHG

¶ @h≈Ωw

¶ ≤≈ΩwKX

¶ s WebSEAL

¶ ]wsw] WebSEAL

¶ µp

¶ nD¼ CA root

¶ sWΩwHqΩwñRú

¶ Nq@Ωwst@Ωw

÷ iKeyman ⌡µo@ⁿA\237y iKeyman zzC

tm CRL duoεMU (CRL)vO@"ε∩úQniµτΦkC CRL ]tQ°úoH⌠ºOC WebSEAL SSL º GSKit IµΣ CRL dC GSKit i² WebSEAL∩q SSL X⌡µ CRL dC

WebSEAL DMµmHK⌡µ CRL dCbOíiw∩ CRL d[Hº LDAP °Aºm≤ webseald.conf tm [ssl] q¿ñG


[ssl]
#ssl-ldap-server = <server-name>
#ssl-ldap-server-port = <port-id>
#ssl-ldap-user = <webseal-admin-name>
#ssl-ldap-user-password = <admin-password>

w]A CRL d]Q[C Ynb

Oí CRL dA°[C@AMßΘJAϕC

ssl-ldap-user NULL ϕ SSL O≈εs LDAP °A@WC

tmw]O@ΦÑziHtmO@Φ (QOP) HKεzL SSL (HTTPS) sWebSEAL nw][KÑCziH webseald.conf tmñ “SSL QUALITY OF PROTECTION MANAGEMENT” q¿εw]O@ΦzG

¶ ssl-qop-mgmt M QOP zC

¶ b [ssl-qop-mgmt-default] q¿ñⁿwe\[KÑC

1. O@ΦzG

[ssl-qop]
ssl-qop-mgmt = yes

2. ⁿw HTTP sw][KÑG

[ssl-qop-mgmt-default]
# default = ALL | NONE | <cipher-level>
# ALL]KX
# NONE]KXB MD5 MAC Xd
# DES-40
# DES-56
# DES-168
# RC2-40
# RC2-128
# RC4-40
# RC4-128
default = ALL


NGz]iHⁿww∩KXsG

[ssl-qop-mgmt-default]
default = RC4-128
default = RC2-128
default = DES-168

tmW D≈M⌠⌠ QOPssl-qop-mgmt = yes ]ib [ssl-qop-mgmt-hosts] M[ssl-qop-mgmt-networks] q¿ñX⌠≤]wCziboq¿ñⁿwD≈/⌠⌠/⌠⌠Bn IP AHKiµO@ΦzC

[ssl-qop-mgmt-default] q¿CX≤P

[ssl-qop-mgmt-hosts] M [ssl-qop-mgmt-networks] q¿ñú IP KXC

D≈tmykdG

[ssl-qop-mgmt-hosts]
# <host-ip> = ALL | NONE | <cipher-level>
# ALL]KX
# NONE]KXB MD5 MAC Xd
# DES-40
# DES-56
# DES-168
# RC2-40
# RC2-128
# RC4-40
# RC4-128
xxx.xxx.xxx.xxx = ALL
yyy.yyy.yyy.yyy = RC2-128

⌠⌠/⌠⌠BntmykdG

[ssl-qop-mgmt-networks]
# <network/netmask> = ALL | NONE | <cipher-level>
# ALL]KX
# NONE]KXB MD5 MAC Xd
# DES-40
# DES-56
# DES-168
# RC2-40
# RC2-128
# RC4-40
# RC4-128
xxx.xxx.xxx.xxx/255.255.255.0 = RC4-128
yyy.yyy.yyy.yyy/255.255.0.0 = DES-56

[ssl-qop-mgmt-hosts] M [ssl-qop-mgmt-networks] q¿VUeºCzúnb Policy Director 3.8 tmñªC
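The stanza/key layout of webseald.conf described at the start of this chapter and the [ssl-qop] and [ssl-qop-mgmt-*] stanzas above are easiest to reason about with a small checker. What follows is an added example, not code from IBM, Tivoli or the Policy Director product: it parses a constructed webseald.conf fragment built only from stanza and key names this guide lists, resolves which cipher levels a given client address is allowed, and reports settings an administrator should review (SSL 2.0 still offered, a clear-text key database password where the stash file would serve, 40-bit cipher levels permitted). The match precedence it uses for the QOP stanzas (exact host entry, then the narrowest matching network, then the default stanza) is an assumption of the example; the guide only states that the host and network stanzas take effect when ssl-qop-mgmt = yes. All addresses in the sample are constructed.

```python
"""Audit a webseald.conf-style file: parse its stanzas, work out which SSL
quality-of-protection (QOP) cipher levels apply to a client address, and
flag settings worth reviewing.  Added example, not IBM/Tivoli code: stanza
and key names are the ones listed in this guide; the sample file and its
addresses are constructed."""
import ipaddress

# Cipher levels listed in the guide's [ssl-qop-mgmt-*] stanza comments.
CIPHER_LEVELS = ("DES-40", "DES-56", "DES-168",
                 "RC2-40", "RC2-128", "RC4-40", "RC4-128")

# Constructed sample configuration (illustrative values, not a real install).
SAMPLE_CONF = """\
[ssl]
disable-ssl-v2 = no
webseal-cert-keyfile = /var/pdweb/www/certs/pdsrv.kdb
webseal-cert-keyfile-stash = /var/pdweb/www/certs/pdsrv.sth
webseal-cert-keyfile-pwd = pdsrv

[ssl-qop]
ssl-qop-mgmt = yes

[ssl-qop-mgmt-default]
# default = ALL | NONE | <cipher-level>
default = ALL

[ssl-qop-mgmt-hosts]
192.0.2.10 = RC2-128

[ssl-qop-mgmt-networks]
192.0.2.0/255.255.255.0 = RC4-128
198.51.100.0/255.255.0.0 = DES-56
"""


def parse_conf(text):
    """Return {stanza: {key: [values]}}; values are lists because a key such
    as 'default' may be repeated to build up a cipher list."""
    conf, stanza = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            conf.setdefault(stanza, {})
        elif "=" in line and stanza is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            conf[stanza].setdefault(key, []).append(value)
    return conf


def first(conf, stanza, key, default=None):
    """First value of key in stanza, or default when it is absent."""
    values = conf.get(stanza, {}).get(key)
    return values[0] if values else default


def expand(levels):
    """Map ALL / NONE / explicit levels to the set of permitted cipher levels."""
    if "NONE" in levels:
        return set()
    return set(CIPHER_LEVELS) if "ALL" in levels else set(levels)


def resolve_qop(conf, client_ip):
    """Cipher levels permitted for client_ip.  Precedence (exact host, then
    narrowest matching network, then the default stanza) is this example's
    assumption; host/network stanzas only apply when ssl-qop-mgmt = yes."""
    ip = ipaddress.ip_address(client_ip)
    default = expand(conf.get("ssl-qop-mgmt-default", {}).get("default", ["ALL"]))
    if first(conf, "ssl-qop", "ssl-qop-mgmt", "no") != "yes":
        return default
    for host, levels in conf.get("ssl-qop-mgmt-hosts", {}).items():
        if ipaddress.ip_address(host) == ip:
            return expand(levels)
    best = None
    for spec, levels in conf.get("ssl-qop-mgmt-networks", {}).items():
        net = ipaddress.ip_network(spec, strict=False)  # accepts addr/netmask
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, levels)
    return expand(best[1]) if best else default


def audit(conf):
    """Findings a reviewer would raise, as (stanza, key, message) tuples."""
    findings = []
    if first(conf, "ssl", "disable-ssl-v2", "no") != "yes":
        findings.append(("ssl", "disable-ssl-v2", "SSL 2.0 still offered; set to yes"))
    if first(conf, "ssl", "webseal-cert-keyfile-pwd"):
        findings.append(("ssl", "webseal-cert-keyfile-pwd",
                         "key database password in clear text; rely on the stash file"))
    if first(conf, "ssl-qop", "ssl-qop-mgmt", "no") != "yes":
        findings.append(("ssl-qop", "ssl-qop-mgmt",
                         "QOP management off; host and network cipher limits are ignored"))
    for stanza in ("ssl-qop-mgmt-default", "ssl-qop-mgmt-hosts", "ssl-qop-mgmt-networks"):
        for key, levels in conf.get(stanza, {}).items():
            weak = sorted(level for level in expand(levels) if level.endswith("-40"))
            if weak:
                findings.append((stanza, key, "40-bit ciphers permitted: " + ", ".join(weak)))
    return findings


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    for ip in ("192.0.2.10", "192.0.2.77", "198.51.100.5", "203.0.113.1"):
        print(ip, sorted(resolve_qop(conf, ip)))
    for stanza, key, message in audit(conf):
        print(f"[{stanza}] {key}: {message}")
```

Run against a real webseald.conf by replacing SAMPLE_CONF with the file contents; the parser ignores comment lines, so the commented-out cipher lists shipped in the default stanzas do not count as settings.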

tmvΩw≤sMⁿuz°AvzDnvhΩwAB@w⌠

ñΣL Policy Director °AΩTC Policy Director ziHH≤w⌠whCuz°AviH∩D

nvΩw@nπAHKΩI≤ßwhC

ϕuz°Av≤DnvΩwAªN≤q

ew⌠ñAΣWh⌡µí]p WebSEALΩwCMßAh⌡µíVDnvΩwn

DΩWΩw≤sC

@ΩzíMh⌡µí WebSEAL T∩iHo÷≤vΩw≤ΩTG

¶ Ñuz°Av≤sq]ittmABww]

C

¶ wd]ⁿDnvΩw]ittmABww

]C

¶ ÑMⁿC

webseald.conf tm [aznapi-configuration] q¿A]tFtm≤sqÑMΩwⁿC

WebSEAL vhΩw⌠AOwq≤ db-file G

[aznapi-configuration]
db-file = /var/pdweb/db/webseald.db


tm≤sqÑlisten-flags iM WebSEAL ≤sqÑCw]AÑwCYnÑAΘJ “disable”C

[aznapi-configuration]
listen-flags = enable

tcp-port itmÑí TCP ≡G

[aznapi-configuration]
tcp-port = 12056

udp-port itmÑí UDP ≡G

[aznapi-configuration]
udp-port = 0

tmvΩwⁿziHtm WebSEAL wⁿDnvΩwAHKFO≤sΩTC cache-refresh-interval iH]w“default”B“disable” SwíjíϕC Default ]w 600ϕCw]AⁿOQC

[aznapi-configuration]
cache-refresh-interval = disable

se WebSEAL °A

: HUΩTN Policy Director ²eñpdadmin server modify baseurl ⁿOC

b¬tⁿ⌠ñAshíe WebSEAL °AnBOiHúntⁿ¡HαOCϕzse WebSEAL °AAC@í°Aú]A Web íBXΩwM dynurlΩwπC

Policy Director iΣΓtmse WebSEAL°AC@úA pdadmin ⁿOC


bHUdñA“WS1” ODn WebSEAL °AD≈WC“WS2” Os WebSEAL °AD≈WC

1. b WS1 M WS2 °AWwMtm WebSEALC

2. ε WS2 W WebSEALC

3. b WS2 WAN webseald.conf tm server-name Aq “WS2” ≤ “WS1”G

[server]
server-name = WS1

4. ½s WS2 W WebSEALC

WS2 °Ab /WebSEAL/WS1 ½≤@v⌠≥CWS2 °A]iHN /WebSEAL/WS1 ñ½≤A object listM object show ⁿOC

pdadmin í/MH½≤í@íCX

/WebSEAL/WS2 ½≤C½≤wúπ⌠≤ABiHúG

pdadmin> object delete /WebSEAL/WS2

¼pG

¶ µ@½≤ízG÷MziHd µ@½≤ÑhA

Mb½≤ÑhzⁿO]vT WebSEAL°AAB°AúiHoⁿOC

¶ µ@v⌠GpG WS2 °AOtm WS1 °AAWS2 °A /WebSEAL/WS1 @v⌠≥C

¶ @tmGF²e WebSEAL α B@A°AW Web íBXΩwM dynurl Ωwtmú@PC


tm HTTP OⁿWebSEAL @TD HTTP ΘxAΣO²íDTºG

¶ request.log

¶ agent.log

¶ referer.log

w]AbUC²ñ@oΘxG

UNIX: /var/pdweb/www/log/

Windows: C:\Program Files\Tivoli\PDWeb\www\log\

tm HTTP ΘxOb webseald.conf tm[logging] q¿ñC

Uϕí HTTP ΘxPtmºí÷YG

Θx           m               / ] =yes no

request.log  requests-file   requests

referer.log  referers-file   referers

agent.log    agents-file     agents

pArequest.log ñw]mpUG

UNIXG

requests-file = /var/pdweb/www/log/request.log

WindowsG

requests-file = \Program Files\Tivoli\PDWeb\www\log\request.log

M HTTP Oⁿw]Aw HTTP OⁿG


[logging]
requests = yes
referers = yes
agents = yes

C@ΘxúiWC pG⌠≤] “no”Ah∩OⁿC

ⁿwíWO¼zi∩²C@ΘxñíWOHuµLví

(GMT)vO²ADHϕaO²C w]AOϕaG

[logging]
gmt-time = no

Yn GMT íWOA]wG

gmt-time = yes

ⁿwΘxα½max-size ⁿwC@ HTTP ΘxiXRjABπHUw]]H$µG

[logging]
max-size = 2000000

ϕΘxFⁿw — SΣα½ —ANHPWNs≈A [eΘMíW

OC MßsΘxC

Uiα max-size Q¿pUG

¶ pG max-size p≤s]< 0AhC qΩIsOⁿBzCj 24 pAúsΘxC

¶ pG max-size Ñ≤s]= 0Ahú⌡µ⌠≤α½ABΘxL¡XRCpGΘxwsbAN∩ª [sΩC


¶ pG max-size j≤s]> 0AhϕΘxFtmAY⌡µα½C pGbΘxwsbAN∩ª [sΩC

ⁿwMúΘxwWvΘxgJwΩΩyC pGznY°ΘxAz

∩°AjµMúΘxwWvC

w]AΘxCj 20 ϕMú@ G

[logging]
flush-time = 20

pGzⁿwtAhCgJ@ºO²újεMúC

tmO²≤ request.log e°WebSEAL LoßXí°ARA HTMLURLC webseald.conf tm [filter-url] q¿wqFß°A WebSEAL Lo URL configuration file definesthe URL attributes that WebSEAL filters in responses from theback-end server. \168yqX°ALoRAHTML URLzC

ϕßX°AnDe]tFO URLAWebSEAL w²Mw⌠XIAHKLo URL rΩCbs²ßAqNiHQa URLC

]As²e°AiHñj≤X°A

WebSEAL eC

Policy Director WebSEAL i²ztm request.log ñOⁿe°]pGwC webseald.conf tm[logging] q¿ñ log-filtered-pages AiH]wOⁿ 0$jpAgLo$jpC

YnO²gLo$jpAN]w “yes”]w]G


[logging]
log-filtered-pages = yes

YnO² 0 $jpAN]w “no”G

[logging]
log-filtered-pages = no

HTTP @Θxµí]A≤ request.logPolicy Director °A]¿\óAúHHTTP @ΘxµíAxsb request.log µµñG

host - authuser [date] request status bytes

Where:

host: the IP address of the requesting client machine.

authuser: the value of the HTTP request's From: header; "unauth" indicates an unauthenticated request.

date: the date and time of the request.

request: the request line as sent by the client.

status: the HTTP status code returned to the requesting machine.

bytes: the number of bytes returned to the requesting machine. For a filtered page this is either the filtered page size or 0, depending on the log-filtered-pages setting.

π request.log request.log O² HTTP nDOⁿApwnDº URL WΩTAHúXnDºqWΩT]pAIP C

UCdπ request.log dG

51Tivoli SecureWay Policy Director WebSEAL zΓU

2.W

ebS

EA

L°Atm

Page 72: Tivoli SecureWay Policy Director WebSEAL ºÞ²z¤â¥Upublib.boulder.ibm.com/tividd/td/SW_30/GC32-0684-01/zh_TW/PDF/ws-adm... · ABb ñAC@≈ú ]tIBM q @vn Cb o IBM q \ iveAú P

130.105.1.90 - - [26/Aug/2001:17:23:33 -0800] "GET /xsmith/private_html/ HTTP/1.0" 403 77
130.105.1.90 - - [26/Aug/2001:17:23:47 -0800] "GET /icons HTTP/1.0" 302 93
130.105.1.90 - - [26/Aug/2001:17:23:59 -0800] "GET /icons/ HTTP/1.0" 403 77
130.105.1.90 - - [26/Aug/2001:17:24:04 -0800] "GET /xsmith/private_html/ HTTP/1.0" 403 77
130.105.1.90 - - [26/Aug/2001:17:24:11 -0800] "GET /xsmith/ HTTP/1.0" 403 77
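As an added example (not code from the manual or from IBM), the following Python script parses request.log lines in the "host - authuser [date] request status bytes" format documented above, using the five sample lines as constructed input, and summarises 403 responses per client the way an operator reviewing the log would; treating both "-" and "unauth" in the authuser field as unauthenticated is an assumption drawn from the field description and the sample lines.

```python
"""Added example (not from the IBM manual): parse WebSEAL request.log lines and
summarise authorization failures per client."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample input, copied from the manual's request.log excerpt.
SAMPLE_LINES = [
    '130.105.1.90 - - [26/Aug/2001:17:23:33 -0800] "GET /xsmith/private_html/ HTTP/1.0" 403 77',
    '130.105.1.90 - - [26/Aug/2001:17:23:47 -0800] "GET /icons HTTP/1.0" 302 93',
    '130.105.1.90 - - [26/Aug/2001:17:23:59 -0800] "GET /icons/ HTTP/1.0" 403 77',
    '130.105.1.90 - - [26/Aug/2001:17:24:04 -0800] "GET /xsmith/private_html/ HTTP/1.0" 403 77',
    '130.105.1.90 - - [26/Aug/2001:17:24:11 -0800] "GET /xsmith/ HTTP/1.0" 403 77',
]

# host - authuser [date] "request" status bytes
LINE_RE = re.compile(
    r'^(?P<host>\S+) - (?P<authuser>\S+) \[(?P<date>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+)$'
)


def parse_request_log_line(line):
    """Return the record as a dict, or None if the line is not in the documented format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    rec["date"] = datetime.strptime(rec["date"], "%d/%b/%Y:%H:%M:%S %z")
    # Assumption: "-" (seen in the samples) and "unauth" (per the field
    # description) both mean the request carried no authenticated user.
    rec["authenticated"] = rec["authuser"] not in ("-", "unauth")
    parts = rec["request"].split(" ")
    rec["method"] = parts[0] if parts else ""
    rec["path"] = parts[1] if len(parts) > 1 else ""
    # A 200 with bytes == 0 can be a filtered page logged with
    # log-filtered-pages = no, not an empty response.
    rec["possibly_filtered"] = rec["status"] == 200 and rec["bytes"] == 0
    return rec


def summarize(lines, denied_threshold=3):
    """Count status codes and list clients that collected >= denied_threshold 403s."""
    status_counts = Counter()
    denied_by_host = Counter()
    denied_paths = defaultdict(set)
    unparsed = 0
    for line in lines:
        rec = parse_request_log_line(line)
        if rec is None:
            unparsed += 1
            continue
        status_counts[rec["status"]] += 1
        if rec["status"] == 403:
            denied_by_host[rec["host"]] += 1
            denied_paths[rec["host"]].add(rec["path"])
    suspects = sorted(h for h, n in denied_by_host.items() if n >= denied_threshold)
    return {
        "status_counts": dict(status_counts),
        "denied_by_host": dict(denied_by_host),
        "denied_paths": {h: sorted(p) for h, p in denied_paths.items()},
        "suspects": suspects,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    for host in summarize(SAMPLE_LINES)["suspects"]:
        print("repeated authorization failures from", host)
```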

π agent.log agent.log O²F HTTP nDñ User_Agent: YeC oΘxªSqs²÷ΩTApC@nD

tmXC

UCdπ agent.log dG

Mozilla/4.01 [en] (WinNT; U)
Mozilla/4.01 [en] (WinNT; U)
Mozilla/4.01 [en] (WinNT; U)
Mozilla/4.01 [en] (WinNT; U)

π referer.logreferer.log O² HTTP nD RefererGYC w∩C@nDAΘxO²]t∩nDσ≤ºσ≤C

ΘxUCµíG

referer -> object

oΩT∩≤l∩z Web íñºσ≤íDCΘxªSΣ]t∩½≤º Referer ⁿXCoΘxi²zl»AHΣXO∩zσ≤

C

UCdπ referer.log dG

http://manuel/maybam/index.html -> /pics/tivoli_logo.gif
http://manuel/maybam/pddl/index.html -> /pics/tivoli_logo.gif
http://manuel/maybam/ -> /pddl/index.html
http://manuel/maybam/ -> /pddl/index.html
http://manuel/maybam/pddl/index.html -> /pics/tivoli_logo.gif
http://manuel/maybam/ -> /pddl/index.html


3. WebSEAL security policy

]típ≤tmq WebSEAL whΩTC

DDG

¶ yWebSEAL S ACL hz

¶ 55yTnJhz

¶ 57yKXjhz

¶ 61yOj POP h]iÑz

¶ 67y⌠⌠¼O POP hz

¶ 70yO@Φ POP hz

¶ 71yBzgO (HTTP / HTTPS)z

WebSEAL S ACL hUCwqA≤ⁿO@½≤íñ /WebSEAL tmG

¶ WebSEAL ½≤l½≤íº WebSEAL ACL

¶ pGzúMΣL⌠≤T ACLAho½≤wq]zLπ Web íwhC

¶ s½≤IHU⌠≤½≤únMXvC


÷≤ Policy Director ACL hπΩTA\ TivoliSecureWay Policy Director Base zΓUC

/WebSEAL/<host>ol²≡]tSw WebSEAL °A Web íC UCwqA≤½≤G

¶ sIHU⌠≤½≤únMXv

¶ pGzúMΣL⌠≤T ACLAho½≤wq]zL≈Wπ½≤íwhC

/WebSEAL/<host>/<file>oOww∩ HTTP sdΩ½≤C d\iv°nD@wC

WebSEAL ACL \ivUϕíA≤½≤íº WebSEAL ACL \ivG

Operation   Description

r           Read: view the Web object.

x           Execute: run a CGI program.

d           Delete: remove the Web object from the Web space.

m           Modify: PUT an HTTP object (place, or publish, an HTTP object in the WebSEAL object space).

l           List: allow a directory listing of the Web space to be returned. This permission only matters when no default "index.html" file exists, because the server can then return a directory listing instead.

g           Delegation: assign trust to a WebSEAL server so that it can act on behalf of the client and forward requests to another WebSEAL server.

w] /WebSEAL ACL hWebSEAL ACL default-webseal ]tFG

54 3.8

Page 75: Tivoli SecureWay Policy Director WebSEAL ºÞ²z¤â¥Upublib.boulder.ibm.com/tividd/td/SW_30/GC32-0684-01/zh_TW/PDF/ws-adm... · ABb ñAC@≈ú ]tIBM q @vn Cb o IBM q \ iveAú P

Group iv-admin Tcmdbsvarxl
Group webseal-servers Tgmdbsrxl
User sec_master Tcmdbsvarxl
Any-other Trx
Unauthenticated T

bwñAw] ACL [½≤íñ /WebSEAL tm½≤C

webseal-servers s]tFw⌠ñ WebSEAL °An²Cw]\ivi²°As²nDC

MX\ivi² Web íXW Web Portal Manager ñπjpCMµ\ivi² Web Portal Manager π Web íeC

TnJhH LDAP ≥ª Policy Director wñúTnJhAi²zⁿwónJj]nHg@Ωwí]xAΣñb “n” ónJßAQΩw “x” ϕ]ObßQC

TnJh"εqúKX≡ Ch@°≤AY

Ñ@qíAMß)αiµ≤h²ónJ

C pAhiαⁿw 3 óßA 180 ϕg@Co¼nJhi"ε@ϕoh qúH≈ún

JC

TnJhnΓ pdadmin policy ⁿO]wX@G

¶ jónJ

policy set max-login-failures

¶ WXónJ]wg@

policy set disable-time-interval

g@]wi#JbßΩwííjbßC


pG]wFbT óºßSwΩwíg@ºnJ

h]pdAh. ]ú Tú TN

P@AⁿX$≤KXhLkbßC

ííjOHϕⁿw—pííj 60 ϕC

pG disable-time-interval h]uvAhQΩwLksbßAB LDAP bß ]

uvC zizL Web Portal Manager ½sbßC

: disable-time-interval ]uv PBz¿Czi[εNbß ΩTs WebSEAL °A≡CoípM≤z LDAP ⌠C Abß ≤s@

PY LDAP Ω@iαJαhC ≥≤]AzOíjC

ⁿOykUC pdadmin ⁿOAXP LDAP n²@C

Command    Description

policy set max-login-failures <number>|unset [-user<username>]

policy get max-login-failures [-user <username>]

zΣg@jεΩIºeεΣjónJ

hC oⁿO° policy set disable-time-interval ⁿOñ]wg@wC

¡@zAziNhMSw

ANhπΘM LDAP n²ñC

C

Default setting: 10.

policy set disable-time-interval <number>|unset|disable [-user<username>]

policy get disable-time-interval [-user <username>]


Command    Description

zg@hAΣεbFjónJ

AbßC

¡@zAziNg@hMSw

ANhπΘM LDAP n²ñC

C

Default setting: 180 seconds.

KXjhH LDAP ≥ª Policy Director wñKXjhAm≤÷KXhWhcKXWWwC Policy Director úΓεKXjΦkG

¶ ¡ pdadmin KXhⁿO

¶ iO]PAMAΣi²zqKXh

\ Tivoli SecureWay Policy Director WebSEAL DeveloperReferenceC

pdadmin í]wKXjhzL pdadmin íIµ¡KXj]AG

¶ Minimum password length

¶ Minimum number of alphabetic characters

¶ Minimum number of non-alphabetic characters

¶ Maximum number of repeated characters

¶ Whether spaces are allowed

ϕzH pdadmin Web Portal Manager AHHpdadminBWeb Portal Manager pkmspasswd í≤KXAjεohC


ⁿOykUC pdadmin ⁿOAXP LDAP n²@C unset ∩oh—τYAújεhC

Command    Description

policy set min-password-length <number>|unset [-user<username>]

policy get min-password-length [-user <username>]

zΣεpKX°hC

¡@zAziNhMSw

ANhπΘMw]n²ñC

C

Default setting: 8.

policy set min-password-alphas <number>|unset [-user<username>]

policy get min-password-alphas [-user <username>]

zΣεbKXñe\pσr0

hC

¡@zAziNhMSw

ANhπΘMw]n²ñC

C

Default setting: 4.

policy set min-password-non-alphas <number>|unset [-user<username>]

policy get min-password-non-alphas [-user <username>]

zΣεbKXñe\pDσr0]

rhC

¡@zAziNhMSw

ANhπΘMw]n²ñC

C

Default setting: 1.


Command    Description

policy set max-password-repeated-chars <number>|unset [-user<username>]

policy get max-password-repeated-chars [-user <username>]

zΣεbKXñe\j½r$

hC

¡@zAziNhMSw

ANhπΘMw]n²ñC

C

Default setting: 2.

policy set password-spaces yes|no|unset [-user <username>]

policy get password-spaces [-user <username>]

zΣεKXOi]tµhC

¡@zAziNhMSw

ANhπΘMw]n²ñC

C

Default setting: unset.

The following table lists each policy and its default value:

Policy                         Default
min-password-length            8
min-password-alphas            4
min-password-non-alphas        1
max-password-repeated-chars    2
password-spaces                unset

Yn Policy Director ñXKXhµAN unset∩MWC¡KXC@C


The following table shows sample passwords checked against the pdadmin default password policy:

Example     Result
password    Not valid: must contain at least one non-alphabetic character.
pass        Not valid: must contain at least 8 characters.
passs1234   Not valid: contains more than two repeated characters.
12345678    Not valid: must contain at least 4 alphabetic characters.
password3   Valid.

SwMs]wzi∩Sw] - user ∩πΘ]D - user∩]w pdadmin policy ⁿOC ⌠≤S]wúΓrhπΘ]wC z]iH]unsethAϕút⌠≤C a unset ∩⌠≤húúQdjεC

pG

pdadmin> policy set min-password-length 8

pdadmin> policy set min-password-length 4 -user matt

pdadmin> policy get min-password-length

pKX°G8

pdadmin> policy get min-password-length -user matt

pKX°G4

] matt π 4 r$pKX°hFΣLπ 8 r$pKX°hC

pdadmin> policy set min-password-length unset -user matt

]bA matt ⁿ¡≤ 8 r$πΘpKX°hC


pdadmin> policy set min-password-length unset

]bA]A matt búSpKX°hC
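An added example (not IBM's code) that models the five pdadmin password-strength policies with the defaults listed above, the sample passwords from the table, and the per-user override and unset behaviour of the matt example; reading max-password-repeated-chars as a limit on consecutive repeats of one character is an assumption, chosen because it is what the "passs1234" sample exercises.

```python
"""Added example (not from the IBM manual): a model of the pdadmin password
policies, their documented defaults, and per-user overrides."""

# Defaults as listed in the manual's default-policy table; None means "unset".
DEFAULT_POLICY = {
    "min-password-length": 8,
    "min-password-alphas": 4,
    "min-password-non-alphas": 1,
    "max-password-repeated-chars": 2,
    "password-spaces": None,
}


def longest_run(text):
    """Length of the longest run of one character repeated consecutively.
    Assumption: 'repeated characters' means consecutive repeats."""
    best = run = 0
    prev = None
    for ch in text:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


class PasswordPolicy:
    def __init__(self):
        self.general = dict(DEFAULT_POLICY)
        self.per_user = {}  # user name -> {policy name: value}

    def set(self, name, value, user=None):
        """Mirror 'policy set <name> <value>|unset [-user <username>]'."""
        if name not in DEFAULT_POLICY:
            raise ValueError("unknown policy: " + name)
        if user is None:
            # unset on the general policy switches that check off entirely
            self.general[name] = None if value == "unset" else value
        elif value == "unset":
            # unset on a user drops the override; the general policy applies again
            self.per_user.get(user, {}).pop(name, None)
        else:
            self.per_user.setdefault(user, {})[name] = value

    def get(self, name, user=None):
        """Mirror 'policy get <name> [-user <username>]': user override, else general."""
        if user is not None and name in self.per_user.get(user, {}):
            return self.per_user[user][name]
        return self.general[name]

    def check(self, password, user=None):
        """Return the names of every policy the password violates (empty == accepted)."""
        p = {k: self.get(k, user) for k in DEFAULT_POLICY}
        alphas = sum(1 for ch in password if ch.isalpha())
        non_alphas = len(password) - alphas
        failures = []
        if p["min-password-length"] is not None and len(password) < p["min-password-length"]:
            failures.append("min-password-length")
        if p["min-password-alphas"] is not None and alphas < p["min-password-alphas"]:
            failures.append("min-password-alphas")
        if p["min-password-non-alphas"] is not None and non_alphas < p["min-password-non-alphas"]:
            failures.append("min-password-non-alphas")
        if (p["max-password-repeated-chars"] is not None
                and longest_run(password) > p["max-password-repeated-chars"]):
            failures.append("max-password-repeated-chars")
        # password-spaces = no forbids spaces; yes or unset leaves them unchecked
        if p["password-spaces"] == "no" and " " in password:
            failures.append("password-spaces")
        return failures


if __name__ == "__main__":
    policy = PasswordPolicy()
    for sample in ("password", "pass", "passs1234", "12345678", "password3"):
        print(sample, policy.check(sample) or "valid")
```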

Oj POP h]iÑOj POP hΣOΦkεs½≤¿iαC

zio\α—SiÑO—TOjO≈εs≈KΩC búAϕsAN

]wo°≤C

pAzi∩ Web íXú≤¬wAΦkMΣOh ¬≤liJ WebSEAL ⌠qiÑPOP hC

Ojh]w≤ POP huIP IOΦkvñC

tmiÑOhtmOSsv¡@BJOtmΣOΦkA

Mw[joOΦkC

⌠≤s WebSEAL °Aqú@Oh ApugOvuKXvAΣⁿX WebSEAL e OqΦkC

bYípUAiαnjµsY Web í½≤CuwvOh C pAb@⌠ñAOqµNX

iµOiαQ°±WMKXiµO≤wC

úP⌠iαúPC

ϕqúXOh AiÑO≈εújεq

½sΣP WebSEAL Ñq@AOúqG ≈nΦk]h ½sOC


iÑOΦkϕAϕsnu¬vOh

]ΣnJh Aú¿W u vTºC A

@sOúeAnDΣ¬Oh Ω

TC pGLα≈úOh AhN(\ΣlnDC

WebSEAL iT≤iÑO≈εñOΦk]h G

¶ gO

¶ KX

¶ Od

zib webseald.conf tm [authentication-levels] q¿ñtmOÑC@lAutmΓh G

[authentication-levels]
level = unauthenticated
level = password

C@ΦkúQⁿw]ΦkbMµñ@bd≥ 0 2 h ⁿC

¶ ugOvΦkOMµñ@ΦkA]

ⁿw 0 ÑC

¶ ziH⌠≤±mß≥ΦkC

\66yiÑONM¡εzC

¶ w]AuKXvXbU@h —ΣÑ1C

¶ +Γ)αiÑOC

: ÷≤]wnO≈εºΩTA\75yWebSEAL OzC

iÑOiÑOIµOzLm≤nDOvº½≤W POP hCzi POP huIP IOΦkvC


pdadmin pop modify set ipauth ⁿOⁿwuIP IOΦkvñⁿ⌠⌠MnOh C

gtmOh i IP d≥C oΦkbúzuCpG I P Loú½nAhzi∩

anyothernw]ΣL⌠≤⌠⌠]wµ@Fo]wNvTs]L IP ≤AnDLbⁿwh OC oOΩIiÑOΦkC

ykG

pdadmin> pop modify <pop-name> set ipauth anyothernw <level-index>

anyothernw @@NXú POP ñⁿw⌠⌠⌠≤⌠⌠º⌠⌠d≥C oΦkw]AΣi

ú IP AⁿiXOh D⌠≤sC

w]Aanyothernw HOÑ 0 Xb POP ñCHu⌠≤ΣL⌠⌠vXb pop show ⁿOñG

pdadmin> pop show test
ⁿO@½≤hG testíG Test POPiG LfhG LO@ΦG LsΘíGPΘBP@BPGBPTBPBP¡B

PGHGϕa

IP IOΦkh⌠≤ΣL⌠⌠ 0

d

1. b webseald.conf ñtmOh G

[authentication-levels]
level = unauthenticated
level = token-card

2. tmuIP IOΦk POPvG


pdadmin> pop modify test set ipauth anyothernw 1

pdadmin> pop show test
ⁿO@½≤hG testíG Test POPiG LfhG LO@ΦG LsΘíGP@BPTBP¡G⌠≤íGϕaIP IOΦkh⌠≤ΣL⌠⌠ 1

ohn²HugOv]h 0sAiÑOdOΦk]h 1C sⁿPOP hO@½≤ºgOAú¼@nDΘJWMOqµNXúC

t\67y⌠⌠¼O POP hzC

iÑnJϕµϕnDΩWiÑ POP hjεq½sOAWebSEAL úX@≈SϕϕµC HTML ϕµmOⁿw≤ webseald.conf tm [acnt-mgt] q¿ stepup-login ñC

[acnt-mgt]
stepup-login = stepuplogin.html

ziHtm login.html tokenlogin.html ϕµPΦíAtmHTML ϕµXzDC

o]tHAϕN¿]Σí %TEXT%

CC om½@ob WebSEAL BzτdAe\ϕµ≤π TµíKXOOΦkC ªe\

bϕµñúΣLΩTApTºMΦkW]i

ÑC


Figure 11. Step-up login form for user name and password

Figure 12. Step-up login form for SecurID token passcode


iÑOtΓkWebSEAL UCtΓkBz POP ñ¼pG

1. d POP W IP IOΦkhC

2. d ACL \ivC

3. d POP WΘíhC

4. d POP Wfh hC

iÑONM¡ε

1. iÑOizL HTTP M HTTPS ΣC

2. zLkq HTTP ≤wiÑ HTTPSC

3. gO&Oh Mµñ@ΦkABúibMµLBoC

4. bh MµñuαⁿwΦk@ C

5. iÑOúΣOC

: iÑOΩWbBzANq°Sϕ¼pCpGqOqs

WebSEALA WebSEAL wtmiⁿAhqQ°gOABÑ 0C

Original method     Can step up to:
unauthenticated     password, token card
password            token card
token card          password

6. Oh O$OΦkNϕA]NOíAúiα∩bh OⁿwT7O≈εC

OΦkiαⁿhO≈εΣA]AOíMq

íOíC


ϕtmFP@OΦk¼hΩAWebSEAL ϕ≤Mwn∩@OíSwWhC

7. pG 3 wtmh AhG0B1B2C pGtmF⌠≤ΣLAhCϕsF POP ⌠≤½≤QnDAWebSEAL Nπ@C

8. pGb webseald.conf tmñiÑOÑtmAh P WebSEAL ñiÑ\αQC¼p PDwOµApⁿ POP O@½≤oXKXnJAnDOqµNXOΦkC

btmFiÑOÑßAd webseald.log AO°F⌠≤tmC

⌠⌠¼O POP h⌠⌠¼O POP h IP εs½≤¿iαC zio\α"εSw IP ] IP d≥szw⌠⌠≤ΩC

z]iHNiÑOtmMhAH∩C@ⁿw IPd≥nDSwOΦkC

⌠⌠¼Oh]w≤ POP huIP IOΦkvñCzbñⁿwΓ≥nDG

¶ Oh

¶ e\⌠⌠

tmOhWebSEAL iT≤iÑO≈εñOΦkG

¶ gO

¶ KX

¶ Od


C@ΦkúQⁿw]ΦkbMµñ@bd≥ 0 2 h ⁿC

zib webseald.conf tm [authentication-levels] q¿ñtmOÑC @lAutmΓh G

[authentication-levels]
level = unauthenticated
level = password

btm⌠⌠¼OAiow]]wCbípUAu

gOvh 0AuKXvh 1C

t\61ytmiÑOh zC

ⁿw IP Md≥bzⁿw POP h(\ IP M IP d≥C

pdadmin pop modify set ipauth add ⁿOⁿwuIP IOΦkvñ⌠⌠]⌠⌠d≥MnOh C

ykG

pdadmin> pop modify <pop-name> set ipauth add <network> <netmask> <level-index>

tmOh IP d≥C oΦkbúu

C pG IP Loú½nAhzi∩ anyothernw]ΣL⌠≤⌠⌠]wµ@Fo]wNvTs

]L IP ≤AnDLbⁿwh OC

ykG

pdadmin> pop modify <pop-name> set ipauth anyothernw <level-index>

ºApGzQñOh Aun IP ⁿ sAzi∩z@Nⁿd≥h 0A∩zn d≥uTεvC


anyothernw @@NXú POP ñⁿw⌠⌠⌠≤⌠⌠º⌠⌠d≥CoΦkw]AΣi

ú IP AⁿXOh D⌠≤sC

w]Aanyothernw HOÑ 0 Xb POP ñCHu⌠≤ΣL⌠⌠vXb pop show ⁿOñG

pdadmin> pop show test
ⁿO@½≤hG testíG Test POPiG LfhG LO@ΦG LsΘíGPΘBP@BPGBPTBPBP¡BPGHGϕaIP IOΦkh⌠≤ΣL⌠⌠ 0

÷]wOh i@BíA\61ytmiÑOh zC

dnDb IP d≥ 9.0.0.0 ⌠⌠Bn 255.0.0.0 h 1 O]w]uKXvG

pdadmin> pop modify test set ipauth add 9.0.0.0 255.0.0.0 1

nDSwh 0 OG

pdadmin> pop modify test set ipauth add 9.1.2.3 255.255.255.255 0

"ε]bWzdñⁿwús½

≤G

pdadmin> pop modify test set ipauth anyothernw forbidden

IP iÑOykG

pdadmin> pop modify <pop-name> set ipauth remove <network> <netmask>

pG

pdadmin> pop modify test set ipauth remove 9.0.0.0 255.0.0.0
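An added example (not IBM's code) that models a POP's ipauth entries with the same values as the pdadmin commands above and the [authentication-levels] list from this section, and resolves the level index a client at a given address must reach; that the most specific netmask wins when entries overlap is an assumption, since the manual does not state the precedence, but it is the reading under which the 9.0.0.0/255.0.0.0 plus 9.1.2.3/255.255.255.255 example makes sense.

```python
"""Added example (not from the IBM manual): a model of a POP's network-based
authentication (ipauth) entries and the level lookup they imply."""
import ipaddress

# Level indices follow the order of the [authentication-levels] stanza.
AUTH_LEVELS = ["unauthenticated", "password"]


class IpAuthPolicy:
    def __init__(self, levels):
        self.levels = list(levels)
        self.entries = {}      # ipaddress.IPv4Network -> level index
        self.anyothernw = 0    # manual: anyothernw appears at level 0 by default

    def _check_level(self, level_index):
        if not 0 <= level_index < len(self.levels):
            raise ValueError("level index %d is not defined in [authentication-levels]"
                             % level_index)

    def add(self, network, netmask, level_index):
        """pop modify <pop-name> set ipauth add <network> <netmask> <level-index>"""
        self._check_level(level_index)
        net = ipaddress.IPv4Network((network, netmask), strict=False)
        self.entries[net] = level_index

    def remove(self, network, netmask):
        """pop modify <pop-name> set ipauth remove <network> <netmask>"""
        net = ipaddress.IPv4Network((network, netmask), strict=False)
        self.entries.pop(net, None)

    def set_anyothernw(self, level):
        """pop modify <pop-name> set ipauth anyothernw <level-index>|forbidden"""
        if level != "forbidden":
            self._check_level(level)
        self.anyothernw = level

    def required_level(self, client_ip):
        """Level index a client at this address must reach, or 'forbidden'.
        Assumption: when entries overlap, the most specific (longest netmask) wins."""
        ip = ipaddress.IPv4Address(client_ip)
        matches = [net for net in self.entries if ip in net]
        if not matches:
            return self.anyothernw
        best = max(matches, key=lambda net: net.prefixlen)
        return self.entries[best]

    def level_name(self, level_index):
        """Map a level index back to its [authentication-levels] method name."""
        return self.levels[level_index]


if __name__ == "__main__":
    pop = IpAuthPolicy(AUTH_LEVELS)
    pop.add("9.0.0.0", "255.0.0.0", 1)
    pop.add("9.1.2.3", "255.255.255.255", 0)
    pop.set_anyothernw("forbidden")
    for client in ("9.5.6.7", "9.1.2.3", "10.0.0.1"):
        print(client, pop.required_level(client))
```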


⌠⌠¼OtΓkWebSEAL UCtΓkBz POP ñ¼pG

1. d POP W IP IOΦkhC

2. d ACL \ivC

3. d POP WΘíhC

4. d POP Wfh hC

⌠⌠¼ONM¡εWebSEAL ≤jε⌠⌠¼Oh IP TCP suºl IP C pGz⌠⌠ HTTP proxyAhe WebSEAL iαO proxy °A IP C

bípUAWebSEAL LkTwOu q IP C b]w⌠⌠qis WebSEAL °A⌠⌠¼OhApC

O@Φ POP hO@Φ POP i²zⁿwAb∩½≤⌡µ@n8≥h ΩO@C

eAoA≤ WebSEAL ⌠C

O@Φ POP Oe@ Policy Director ñpKMπDº “P” M “I” ACL \iv$m½C oíΦO@IµvúⁿAvTtαC

O@Φ POP (\µ@º]HuOv ACL MªA]AO@Φh C pGΩzí]p

WebSEALLkOO@h AhnDQ C

pdadmin> pop modify <pop-name> set qop none|integrity|privacy


QOP level    Description
privacy      Data encryption (SSL).
integrity    Uses some mechanism to ensure that the data has not been changed.

pG

pdadmin> pop modify test set qop privacy

BzgO (HTTP / HTTPS)WebSEAL ⁿgOgOzL HTTP M HTTPS oXnDC Hß WebSEAL αuA≈cv$(\ ∩ⁿO@ΩºsAIµwhC

UC°≤A≤zL SSL sgOG

¶ ∩gOP WebSEAL ºíΩTµ½[K—@kNpPgOC

¶ gOP WebSEAL ºí SSL suun°AOC

BzWqoXnD

1. Wq∩ WebSEAL oXnD]zL HTTP HTTPSC

2. WebSEAL qgOC

3. nDsPYeⁿO@ Web ½≤C

4. uA≈cvd∩½≤º ACL gO T\ivAMß(\ nD@C

5. OαQs½≤AM≤+]t¬ (r) MX (T)\ivgO ACL C

6. pGnDLkqLvMwAq¼@≈nJϕµ]BA uϕµívC


jεnJzijεgOnJAΦk∩O@nD½≤º

ACL hñgO]wAϕ\ivC

¬ (r) MX (T) \ive\gOs½≤C

YnjεgOnJAqO@½≤º ACL hñgOñAú¬ (r) \ivC¼nJú]BA uϕµívC

gO HTTPS íhΩz$HΣzL HTTPS ∩ WebSEAL iµgOsG

¶ YíúnHnJA²nPΩTApa

MHdXC ÑA]AuWR≈ΣLC

¶ YínDz²VqnObßAMß)αiµi

@Bµ÷C PΩTSAqL⌠⌠C

H ACL/POP hεgO

: “any-authenticated” ¼ÑP≤ “any-other” ¼C

1. Yn(\gOs@½≤AH+]t∩gO⌠≤gOº¬ (r) MX (T) \iv ACLO@@eG

unauthenticated Tr
any-authenticated Tr

: bPw\ivAunauthenticated OP any-authenticated Bn]÷$ “and” @Cuϕ unauthenticated \iv]Xb any-authenticated ñA)P\ivC $≤unauthenticated M≤ any-authenticatedA]pGACL ]t unauthenticated ²S any-authenticatedA


NúP≤9úXzCpG ACL ]t unauthenticated ²S any-authenticatedAhw]úPunauthenticated \ivC

2. YnnD[K (SSL)AHⁿwpK°≤uⁿO@½≤h]Protected Object Policy, POPvO@eC

\70yO@Φ POP hzC


4. WebSEAL authentication

Q WebSEAL @Ñq@¼AMBzOΦíC¿\OúNϕ Policy Director OC WebSEALoOoCuA≈cv

(Authorization Service) (\ ∩ⁿO@ΩsC

DDG

¶ 76yAOz

¶ 79yzÑq@¼Az

¶ 90yOtmº[z

¶ 95ytm≥Oz

¶ 97ytmϕµíOz

¶ 99ytmqíOz

¶ 103ytm HTTP YOz

¶ 105ytm IP Oz

¶ 106ytmOOz

¶ 107yΣhu Proxy Nzz


AOOOO nJw⌠ºOBz¡ΦkC

¶ WebSEAL w]ΣOΦkAiQqΣLΦkC

¶ ∩ WebSEAL Q¿OGNO Policy Director n²¡≈C

¶ WebSEAL ¡≈oC

¶ uA≈cvb⌠xC@½≤ºh ACL \ivM POP °≤ºßA(\ ∩ⁿO@½≤sv¡C

: ACL = sεMµh POP = ⁿO@½≤h

bOíAWebSEAL dqnDñHUΩTG

¶ Ñq@Ω

Ñq@ΩObqM WebSEAL °AíOSwsuΩTCÑq@ΩOPq@Ps±AB≥

Hqß≥nDCªO½sOe WebSEAL°AqÑq@AHKnDsÑq

@útßC

¶ OΩ

OΩOq² WebSEAL °AOqΩTCOΩ¼]tFqBKXHOXC

ϕ WebSEAL ¼qnDAWebSEAL ²MΣOΩeÑq@ΩClqnDú]tÑq@ΩC

ΣÑq@Ω¼WebSEAL ΣHUÑq@Ω¼G

1. SSL ID (as defined by the SSL protocol)

2. Server-specific session cookie


3. BA header data

4. HTTP header data

5. IP address

ϕ WebSEAL dqnDAª÷MµñⁿwjMÑq@ΩC

ΣOΦk÷M WebSEAL \αPOUWB@AWebSEAL °[Jw⌠ñCYno¡

ΩTHK≥oAWebSEAL αOoΩTC

WebSEAL ΣHUOΦkoG

Authentication method                               Supported connection types

1. Failover cookie                                  HTTP and HTTPS

2. CDSSO ID token                                   HTTP and HTTPS

3. Certificate                                      HTTPS

4. Token passcode                                   HTTP and HTTPS

5. Forms authentication (user name and password)    HTTP and HTTPS

6. Basic authentication (user name and password)    HTTP and HTTPS

7. HTTP header                                      HTTP and HTTPS

8. IP address                                       HTTP and HTTPS

ϕ WebSEAL dqnDAª÷ϕñⁿwjMOΩC

ziHµW∩ HTTP HTTPS e¼MOΦkCpGSwe¼OΦkAhΘ¼q

NLkiµOC


tmΩTí

¶ 79yzÑq@¼Az

¶ 90yOtmº[z

¶ 95ytm≥Oz

¶ 97ytmϕµíOz

¶ 99ytmqíOz

¶ 103ytm HTTP YOz

¶ 105ytm IP Oz

¶ 106ytmOOz

¶ 107yΣhu Proxy Nzz

¶ CDAS O

Tivoli SecureWay Policy Director WebSEAL DeveloperReference


zÑq@¼A°AαOqT∩H]w∩hnDA)αbq

M°AºíwsuÑq@C°AπY

íÑq@¼AAΩTOPC@nD÷pqC

YqM°AºíÑq@¼AAqM°Aí

w∩ß≥nDiµqTW≤CÑq@¼AΩTi

ε+qP°AíA½÷¼M½ssuAHWi

αCqiHnJ@ Mßiµh nDAúnw∩C

nDiµtnJC

WebSEAL iBz HTTP M HTTPS qTCHTTP O@uL¼AvqH≤wABúú⌠≤nDΦkC t@ΦASSLΘ≤w]pñASOúFÑq@ ID HK@Ñq@¼AΩTC HTTP qTiHzL SSL ¿ HTTPSC

²OAWebSEAL ngBzgOq HTTP qTCB SSL Ñq@ ID ]úOAϕMΦC]AWebSEAL ]pOHU⌠≤ΩT¼@qÑq@¼AG

1. SSL ID

2. Server-specific session cookie

3. BA header data

4. HTTP header data

5. IP address

GSKit M WebSEAL Ñq@Ñq@i²°AxshqÑq@ ID ΩTCΓÑq@iHe HTTPS M HTTP Ñq@¼AΩTC

¶ WebSEAL


WebSEAL ixs²⌠≤¼Ñq@ ID ΩT

]\HWMµAHqqoΩ

TC

ΩTQsbñAHKbvd½d

n²ΩwC

¶ GSKit SSL Ñq@ ID

GSKit Ñq@b SSL Ñq@ ID ΩTOsÑq@¼AABz HTTPS (SSL) qTC

GSKit ]Os WebSEAL M LDAP n²ºíSSL suÑq@¼AΩTC

C@úitmAi²zπ

αCoJ≤U ñG

tm WebSEAL HUtm@i≤ WebSEAL Ñq@/G

¶ ]wjµ

Figure 13. Session configuration


¶ ]wO

¶ ]wεíO

]wjµwebseald.conf tmñ [session] q¿ max-entries Ai]w WebSEAL Ñq@/ñµjqC

∩≤µnJÑq@CϕOΘjpF

AhßtΓkúAHKⁿs

nJC

µnJÑq@w]q 4096G

[session]
max-entries = 4096

]wOwebseald.conf tm [session] q¿ñ timeout i]wWebSEAL Ñq@/ñARgOjC

WebSEAL bíΩTC Ñq@OⁿwOdb WebSEAL ºOΘñvΩTºí°C

úOεíOC MguRgvA

DuOvC Σb≤ú*wAΣΦkObFⁿw

O¡εAjε½sOC

w]nJÑq@O]ϕ 3600G

[session]
timeout = 3600

]wεíOwebseald.conf tmñ [session] q¿ inactive-timeout i]wnJÑq@εíOC

w]nJÑq@εíO]ϕ 600G


[session]
inactive-timeout = 600

YnO\αAN]w “0”C

tm GSKit SSL Ñq@ ID HUtm@i≤ GSKit SSL Ñq@ ID G

¶ ]wO

¶ ]wjµ

]wO]w GSKit SSL Ñq@ ID jRgOOb webseald.conf tmñ [ssl] q¿CΣñΓG V2 su (ssl-v2-timeout) H SSL V3 su (ssl-v3-timeout)C

w] SSL V2 Ñq@O]ϕ 100]iαd≥O 1 100G

[ssl]
ssl-v2-timeout = 100

w] SSL V3 Ñq@O]ϕ 7200]iαd≥O 1 86400G

[ssl]
ssl-v3-timeout = 7200

]wjµwebseald.conf tmñ [ssl] q¿ ssl-max-entries Ai]w GSKit SSL Ñq@ ID ñµjqC

∩≤µnJÑq@CϕOΘjpF

AhßtΓkúAHKⁿs

nJC

µnJÑq@w]q 4096G


[ssl]
ssl-max-entries = 4096

Ñq@ Cookie @¼At@ΦkO cookie OdÑq@ΩTAHK@qM°AºíÑq@¼AC°A²NSwq¼AΩT

b cookie ñAMßeqs²C w∩C@snDAs²úN cookie]tÑq@ΩT°AAHK½sO¡C

ϕqs²buííjA½s≤Σ SSL Ñq@AÑq@ Cookie iH¼púiαMΦCpAY Microsoft Internet Explorer s²CjΓTY½s≤ SSL Ñq@C

Ñq@ cookie úq∩µ@BW@LGº°A½sOFq²ewb@uq]j 10 ∩°AOC ≈ε≥ªO@LkqLú cookie Hº⌠≤≈u°A cookievC

AÑq@ cookie ]t@ IDAΣ°AÑq@C Ñq@ cookie ñS»ΣLΩTC Ñq@ cookie úMwhC

AÑq@ CookieWebSEAL w°ASÑq@ cookieC UC°≤A≤ cookie ≈εG

¶ Cookie ]tÑq@ΩTFªú]t¡ΩT

¶ Cookie usbs²OΘñ]úgJWs²cookie jar

¶ Cookie π¡Rg]itm

¶ Cookie π⌠M⌠AiTεQΣL°A


MÑq@ ID Cookieswebseald.conf tm [session] q¿ñ ssl-id-sessions iHMÑq@ CookieCiεOn SSLÑq@ ID @zL HTTPS sqnJÑq@CpG]w “no”AÑq@ Cookie ≤jí≈OΦkC

[session]
ssl-id-sessions = no

ϕtm]w “no” ANzL HTTPS sqoHU¼pG

1. SSL Ñq@ ID úQ@Ñq@ ID ΩC

2. Cookie Q@πqOBFailover cookiesBCDSSO ID OBϕµWMKXBOqµNXHqÑq@C

3. ϕ use-same-session = yes]\U@ACookie uQbu≥OvqChABA YQ@Ñq@ ID ΩC

4. HTTP YQϕ@ HTTP YiµqOAÑq@ ID ΩC

5. IP Qϕ@ IP iµqOAÑq@ ID ΩC

ϕz Cookie @Ñq@¼AAhubQnJß)e@ Cookie s²CMAí≈s²jε¡εPxsbOΘñ Cookie qCbí≈⌠ñAíbqtWA⌠bOΘñ±mjq CookieCbípUAΣL cookie iHHNaNtm WebSEAL Ñq@cookie Failover cookieC

ϕztm WebSEAL Ñq@ Cookie]]iαO FailovercookiesAziH]w webseald.conf tm [session] q¿ñ resend-webseal-cookies A² WebSEAL bC


úNÑq@ cookie M Failover cookie es²Co@iH≤UTOÑq@ cookie M Failover cookie @sb≤s²OΘñC

resend-webseal-cookies w]]w “no”G

[session]
resend-webseal-cookies = no

Nw]]w≤ “yes”AHKbC e WebSEAL Ñq@ Cookie M Failover CookieC

MPÑq@ziHtm WebSEAL bqzL@Θ¼]p HTTPnJßñAMßt@Θ¼]p HTTPS½snJAPÑq@ ID ΩC

webseald.conf tm [session] q¿ñ use-same-sessioniHMPÑq@ ID ΩOCw]A]w “no”G

[session]
use-same-session = no

ϕtm]w “yes” ANoHU¼pG

1. ϕUCq¼ß≥zLΣLΘΦínJAYÑq@ Cookie iµOG

a. Failover Cookie

b. q

c. CDSSO ID O

d. OqµNX

e. ϕµWMKX

f. ≥O

2. HTTP Y≤ HTTP YiµqsC


3. IP ≤ IP iµqsC

4. ssl-id-sessions tmQñF PµP ssl-id-sessions Q]w “no” PC

] HTTP qSi@Ñq@Ω SSL Ñq@IDAΦoϕ½nC

5. ] HTTP M HTTPS qúio CookieAo CookieúQw CookieC

P Ñq@ ID Ω¼HUtmSwXAiHPSwOΦkiµ

sqÑq@Ω¼G

¶ Ñq@ Cookie (ssl-id-sessions)

¶ bq7½ HTTP M HTTPS APÑq@ΩαO (use-same-session)

The following tables list the session ID data used for each combination of the ssl-id-sessions and use-same-session settings:

HTTPS clients

Authentication method   ssl-id-sessions = yes   ssl-id-sessions = no,     use-same-session = yes
                                                use-same-session = no     (ssl-id-sessions ignored)
Failover cookie         SSL ID                  Cookie                    Cookie
Certificate             SSL ID                  Cookie                    Cookie
CDSSO                   SSL ID                  Cookie                    Cookie
Token                   SSL ID                  Cookie                    Cookie
Forms                   SSL ID                  Cookie                    Cookie
BA                      SSL ID                  BA header                 Cookie
HTTP header             SSL ID                  HTTP header               HTTP header
IP address              SSL ID                  IP address                IP address


HTTP clients

Authentication method   use-same-session = no   use-same-session = yes
Failover cookie         Cookie                  Cookie
CDSSO                   Cookie                  Cookie
Token                   Cookie                  Cookie
Forms                   Cookie                  Cookie
BA                      BA header               Cookie
HTTP header             HTTP header             HTTP header
IP address              IP address              IP address

tm Failover CookieHU Failover cookie \α]HTTP M HTTPSA≤zLtⁿ¡≈εAsse WebSEAL °AOqCFailover cookie sbOnb°AÑq@Aq≡MLkAKjε½sOC

e WebSEAL OiHΩ@jqqú¬iΩCtⁿ¡≈εIeinDABNnDti

e°AC

b\¬QeAHHU C


qúεse°AtmCtⁿ¡≈εO

nD URL ºµ@ ICtⁿ¡≈εqPi°A]p WS1sC WS1 WÑq@¼AAqß≥nDúQe WS1C

Failover Cookie iM]t WS1 ]GLkD¼p]ptóz≈≈uCpGLk WS1Atⁿ¡≈εNnD½s VΣLs°A]WS2 WS3CÑq@∩Mg≥óCq∩ N°A

ÑOsqAjεiµOC

ziHtms WebSEAL °Ab°AS cookie ñA∩qΩ[KCϕq@ sA cookie Q±bs²ñCpGl WebSEAL °ALkAcookie]πw[KΩTXb N°AWCs WebSEAL °A@ΩK@P≈CqiHbs WebSEAL °AWsÑq@AúnQjε½sOC

Figure 14. Failover cookie process


cookie IOtⁿ¡≈ε DNSC] cookie O°AS cookieABúO⌠S cookieAHµ@ID½nCubn¼ cookie °AP cookie °AπP DNS WA°A)¼ cookieCqTwzLtⁿ¡≈εiµnDC]@ñAcookie @wQⁿABQU@i°AC

Failover Cookie

webseald.conf tm [failover] q¿ñ failover-auth iHM°AS Failover CookieG

¶ Yn Failover CookieAΘJ “http”B“https” “both”C

¶ Yn Failover CookieAΘJ “none”]w]C

pG

[failover]
failover-auth = https

zbe WebSEAL °AW]wC

Ω[KMK

YnO c o o k i e ΩA W e b S E A L ú

cdsso_key_gen íC oíú∩ cookieñΩ[KMK∩≈Cbz⌡µíA

ⁿw≈m]∩⌠WG

UNIX: # cdsso_key_gen <pathname>

Windows: MSDOS> cdsso_key_gen <pathname>

b⌠@s°AW⌡µíAMßΓN≈s

ΣLs°AWCb°A webseald.conftm [failover] q¿ñΘJ≈mCpGzúⁿw≈A°A Failover cookie \αQG


[failover]
failover-cookies-keyfile = <absolute-pathname>

ziH∩≈⌠≤AϕWAp ws.keyC

tm Cookie Rg

cookie Rg]O]wbHUñG

failover-cookie-lifetime = 60

Otmº[ziHCΦkAM∩≤ HTTP M HTTPS qOC

webseald.conf tm [authentication-mechanisms] q¿Otm WebSEAL ΣOΦk≈εCⁿΣOΦk]AG

¶ ]Oí

OíⁿwF T@íw (UNIX) DLL (Windows) C

¶ qíOí

WebSEAL ú°AíXdAimⁿwqíu≤⌠OA (CDAS)v°AC

í CDAS Oíⁿw Tq@íwC

The following authentication modules are provided:

Authentication type                             Module          Description

Forms and basic authentication                  passwd-ldap     Client authentication with an LDAP user name and password.

Token authentication                            token-cdas      Client authentication with a user name and SecurID token passcode.

Certificate authentication                      cert-ssl        Client authentication with an SSL client certificate.

HTTP header and/or IP address authentication    http-request    Client authentication through special HTTP headers and/or the IP address.

CDSSO ID token authentication                   cdsso           Cross-domain single sign-on authentication.

zi [authentication-mechanisms] q¿tmOΦkBΩ@HUµíG

<authentication-method-parameter> = <shared-library>

\78ytmΩTízC

íq CDAS OHUiⁿwí CDAS °Aq@íwG

Module         Description

passwd-cdas    Client authentication with a user name and password against a third-party registry.

token-cdas     Client authentication with a user name and token passcode.

cert-cdas      Client authentication with an SSL client certificate.

Tivoli SecureWay Policy Director WebSEAL DeveloperReference HKFmMtmΩ@ CDAS °Aq@íwºΩTC

WebSEAL Ow]tmw]AWebSEAL ]u≥O (BA)vWMKX]LDAP n²BzL SSL OqC


q∩ TCP SSL sú WebSEALC ]A

[authentication-mechanisms] q¿σ¼tm]tFWMKXΣ]LDAP n²HzL SSL ºqΣC

UCdNϕ Solaris @tW [authentication-mechanisms]q¿ (Solaris) σ¼tmG

[authentication-mechanisms]
passwd-ldap = libldapauthn.so
cert-ssl = libsslauthn.so

YntmΣLOΦkAsWAϕPΣ@íw]

CDAS C ÷OΦktmΩTA\78ytmΩTízC

tmh½OΦkziH∩ webseald.conf tmñ[authentication-mechanism] q¿Aⁿwi≤⌠≤iΣOΦk@íwCϕztmhOΦkAHU¼pí

iAG

1. OΦkúiUWB@Cz]iHCiΣΦktm@@íwC

2. ϕ cert-cdas ΦkM cert-ssl ΦkúwtmAeu²≤ßC zoΣñ@ΦkHΣqC

3. btmhKX¼OíAΩWuΣñ@CWebSEAL UCu²Rh½tmKXOíC

a. passwd-cdas

b. passwd-ldap

4. ziHΓúPOΦktmPqíwCpAziHgJ@q@íwBzW/KXM HTTP YOCbdñAzi passwd-cdas Mhttp-request tmP@íwCíoHtd@Ñq@¼AABKΓΦko≡C


nJúWebSEAL boHU¼púqnJG

1. qLvdgOq

2. qLvduϕµíOvu≥Ovq

HUq¼πu403 óvG

1. ϕqLOdG

a. q

b. Failover cookie

c. CDSSO

d. IP

e. HTTP Y

2. q WebSEAL wΦkiµO

nXM≤KXⁿOPolicy Director úFHUⁿOAzL HTTP HTTPS OqC

pkmslogoutϕqOΦkAúw∩nDúOΩ

AqiH pkmslogout ⁿOqµÑq@nXCpApkmslogout ∩≤u≥Ov IP OqNS@CbípUAz÷¼s²HKnXC

pkmslogout ⁿOiA≤HUOΦíGqBOqµNXBϕµíOAH HTTP YOí≈Ω@C

÷HUΦí⌡µⁿOG

https://www.tivoli.com/pkmslogout

s²π webseald.conf tmñwqnXϕµG


[acnt-mgt]
logout = logout.html

zi∩ logout.html XzDC

ϕ⌠⌠tmnúP⌠eAnXπúPß

tApkmslogout íΣh½nXC

UCϕíOSwG

https://www.tivoli.com/pkmslogout?filename=<custom_logout_file>

Σñ custom_logout_file OnXWC os±bP]tw] logout.html ΣLd HTML ϕµP@ lib/html/C ²ñC

pkmspasswdϕzu≥O (BA)vuϕµíOvAziHⁿO≤nJKXCoⁿOA≤zL HTTP HTTPSC

pG

https://www.tivoli.com/pkmspasswd

Fb WebSEAL W BA αTO wAⁿO BA qiµHUµG

1. KX≤C

2. qqµÑq@nXC

3. ϕqoXΣLnDAs²bqWπ BA úC

4. q½snJHK≥oXnDC

¼puA≤u≥OvqC


tm≥Ou≥O (BA)vO∩O≈εúWMKXΦkC BA O$ HTTP qH≤wwqAizL HTTP zLHTTPS Ω@C

w]A∩ WebSEAL tmg$u≥O (BA)vWMKXBzL HTTPS iµOC

M≥Owebseald.conf tm [ba] q¿ñ ba-auth iMu≥OvΦkC

¶ Ynu≥OvΦkAΘJ “http”B“https” “both”C

¶ Ynu≥OvΦkAΘJ “none”C

pG

[ba]
ba-auth = https

]wΓWϕs²úúnJΩA∩ñπσrN

OΓWC

]wΓWtmOb webseald.conf tm [ba] q¿ñC

pG

[ba]
basic-auth-realm = Policy Director


tm≥O≈εpasswd-ldap iⁿwBzWMKXO@íwC

¶ b UNIX WAúMg\αO@libldapauthn @íwC

¶ b Windows WAúMg\αO@ldapauthn DLLC

O≈ε          @íw
             Solaris            AIX               Windows          HP-UX
passwd-ldap  libldapauthn.so    libldapauthn.a    ldapauthn.dll    libldapauthn.sl

ziHb webseald.conf tm [authentication-mechanism] q¿ passwd-ldap ñAΘJ@íw¡xSwWAHKtmWMKXO≈εCpG

15. BA nJú

SolarisG

[authentication-mechanisms]
passwd-ldap = libldapauthn.so

WindowsG

[authentication-mechanisms]
passwd-ldap = ldapauthn.dll

tm°≤pGww∩SwΘΦíFuϕµíOvAhΘΦíu≥Ov]wQñC

tmϕµíOPolicy Director úuϕµíOvAOu≥Ov≈εHt@∩CoΦk Policy Director úqHTML nJϕµAúOu≥OvtúnJúC

ϕzuϕµínJvAs²úpPΣbu≥Ovñ@WMKXΩTC

MϕµíOwebseald.conf tm [forms] q¿ñ forms-auth iMuϕµívOΦkC

¶ YnuϕµíOvΦkAΘJ “http”B“https” “both”C

¶ YnuϕµíOvΦkAΘJ “none”C

pG

[forms]
forms-auth = https

tmϕµíO≈εpasswd-ldap iⁿwBzWMKXO@íwC


¶ b UNIX WAúMg\αO@libldapauthn @íwC

¶ b Windows WAúMg\αO@ldapauthn DLLC

O≈ε          @íw
             Solaris            AIX               Windows          HP-UX
passwd-ldap  libldapauthn.so    libldapauthn.a    ldapauthn.dll    libldapauthn.sl

ziHb webseald.conf tm [authentication-mechanism] q¿ passwd-ldap ñAΘJ@íw¡xSwWAHKtmWMKXO≈εCpG

SolarisG

[authentication-mechanisms]
passwd-ldap = libldapauthn.so

WindowsG

[authentication-mechanisms]
passwd-ldap = ldapauthn.dll

tm°≤pGww∩SwΘΦíFuϕµíOvAhΘΦíu≥Ov]wQñC

q HTML ϕµϕµíOnDzqnJϕµCw]A login.html dϕµObHU²ñG

<install-directory>/lib/html

ziHqϕµeM]pCpG


÷ziqº HTML ϕµΩTA\35yzq HTML zC

tmqíOWebSEAL ΣzL SSL qAiµPqwqHC bOΦkñAΩT]puOWvDNMg Policy Director ¡C

IGzL¼OzLiµOΓÑqG

¶ WebSEAL HΣ°AA∩ SSL qOΣ¡

¶ WebSEAL Σu≈c (CA)vroot ΩwAτHqiµsq

1. SSL qnDP WebSEAL °AsuC

2. WebSEAL zLwp°AeΣ≈@Co²ew$ⁿH⌠TΦ≈c (CA) pC

16. WebSEAL nJϕµd

3. qdoOiΣH⌠ⁿC qs²qtⁿH⌠ CA oX root MµC pG WebSEAL WWXoΣñ@ root Ah°AOiH⌠C

4. pGWúAs²YqΣAⁿXO$ú≈coXC UNOd⌠hⁿC

5. pGWXs² root ΩwñAhwa≤qP WebSEAL °AºíÑq@≈C

oBzGNO@DqizLΣiµO]pAzLWMKXwWDCbQ¿OºßAqP°AYi≥zLWDwqHC

6. bAqNeΣ≈ WebSEAL °AC

7. WebSEAL YNqWWPw CA WW±∩C pPqs²AWebSEAL °AbΣ≈Ωwñ@@≈oH⌠ CA root MµC

8. pGWúAWebSEAL ú SSL XANªeqC

9. pGWAhiH⌠qCYiµqOAú Policy Director ¡≈C

17. qτ WebSEAL


10. Ywa≤qP WebSEAL °AºíÑq@≈C oBzGNOb¼OqP°Aºí@DwSiH⌠qHWDC

WebSEAL bwñAWebSEAL ]tFµp°AC÷Me\ WebSEAL F SSL s²nDA²Os²]Σú]tAϕ root CA Lk[HτC$≤w]pK≈t≤C@ WebSEAL eñALkúu wqHC

YnTOzL SSL wqHAVⁿH⌠u≈c(CA)vn²oW@LG⌠°AC ziH GSKitiKeyman íúne CA nDCz]niKeyman wMsxC webseald.conf tm [ssl] q¿ñ webseal-cert-keyfile-label Nⁿw@ñ WebSEAL °A]]w∩g≈Ωwñ⌠≤uw]vC

pGzbúPípñnúP]p¼OXAziH iKeyman íBwMoBC

\40ytm WebSEAL ≈ΩwzC

\237y iKeyman zzC

MíOziH]w webseald.conf tm [certificate] q¿ñaccept-client-certs AHKⁿw WebSEAL np≤BzzLSSL qíOC

w]AWebSEAL úⁿqG

[certificate]
accept-client-certs = never


ΣL]A optional M requiredC

UϕCiⁿ accept-client-certs G

í

never      úⁿq X.509 C
optional   nDqúX X.509 AíO]pGúC
required   nDqúX X.509 AíOCpGqSúXANúe\suC

tmíO≈εcert-ssl iⁿwMgOΩT@íwC

¶ b UNIX WAúMg\αO@libsslauthn @íwC

¶ b Windows WAúMg\αO@sslauthn DLLC

O≈ε       @íw
          Solaris            AIX               Windows         HP-UX
cert-ssl  libsslauthn.so     libsslauthn.a     sslauthn.dll    libsslauthn.sl

ziHb webseald.conf tm [authentication-mechanism] q¿ cert-ssl ñAΘJ@íw¡xSwWAHKtmíO≈εC

SolarisG

[authentication-mechanisms]
cert-ssl = libsslauthn.so

WindowsG

[authentication-mechanisms]
cert-ssl = sslauthn.dll


@íwúw]MgN DN Mg LDAPDNC

tm°≤pGqBz]w “required”Aw∩ HTTPS qΣLO]wúQñC

tm HTTP YOPolicy Director ΣzLq proxy NzúqHTTP YΩTiµOC

≈εnMg\α]@íwANⁿH⌠]gw²OYΩMg Policy Director ¡≈C WebSEAL io¡≈AMßC

WebSEAL ]²ewOq HTTP YΩC≥≤]AzMaIµΦk—úΣL⌠≤OΦkC q HTTP YΩOiαC

w]Am@íwAHKq Entrust Proxy YMgΩC

M HTTP YOwebseald.conf tm [http-headers] q¿ñhttp-headers-auth iM HTTP YOΦkC

¶ Yn HTTP YOΦkAΘJ “http”B“https” “both”C

¶ Yn HTTP YOΦkAΘJ “none”C

pG

[http-headers]
http-headers-auth = https


ⁿwY¼zb webseald.conf tm [auth-headers] q¿ñⁿwΣ HTTP Y¼C

[auth-headers]
header = <header-type>

w]A@íwOg+bíñHΣ EntrustProxy YΩC

[auth-headers]
header = entrust-client

zqoOΣL¼SϕYΩA]∩aNΩMg Policy Director ¡C Tivoli SecureWay Policy Director WebSEAL Developer ReferenceAHKo API ΩC

tm HTTP YO≈εhttp-request ⁿwMg HTTP OYΩT@íwC

¶ b UNIX WAúMg\αO@libhttpauthn @íwC

¶ b Windows WAúMg\αO@httpauthn DLLC

O≈ε           @íw
              Solaris            AIX               Windows          HP-UX
http-request  libhttpauthn.so    libhttpauthn.a    httpauthn.dll    libhttpauthn.sl

w]A@íwwg+≤íñAN EntrustProxy YΩMg Policy Director ¡CzqoOΣL¼SϕYΩA]∩aNΩMg Policy Director ¡C Tivoli SecureWay Policy Director WebSEAL Developer ReferenceAHKo API ΩC


ziHb webseald.conf tm [authentication-mechanism] q¿ http-request ñAΘJ@íw¡xSwWAHKtm HTTP YO≈εC

pG

SolarisG

[authentication-mechanisms]
http-request = libhttpauthn.so

WindowsG

[authentication-mechanisms]
http-request = httpauthn.dll

tm°≤

1. pG ssl-id-sessions = noAÑq@ ID Cookie Nú@¼ACMY@¼AC

2. pGqDJOóAq¼uTεv (HTTP403)C

tm IP OPolicy Director iΣzLqú IP iµOC

M IP Owebseald.conf tm [ipaddr] q¿ñ ipaddr-auth iM IP OΦkC

¶ Yn IP OΦkAΘJ “http”B“https” “both”C

¶ Yn IP OΦkAΘJ “none”C

pG

[ipaddr]
ipaddr-auth = https


tm IP O≈εzL IP iµOnq@íwCw∩@íw http-request C

tmOOPolicy Director iΣzLqúOqµNXiµOC

MOOwebseald.conf tm [token] q¿ñ token-auth iMOOΦkC

¶ YnOOΦkAΘJ “http”B“https” “both”C

¶ YnOOΦkAΘJ “none”C

pG

[token]
token-auth = https

tmOO≈εtoken-cdas iⁿwMgOqµNXOΩT@íwC

¶ b UNIX WAúMg\αO@libtokenauthn @íwC

¶ b Windows WAúMg\αO@tokenauthn DLLC

O≈ε         @íw
            Solaris             AIX                Windows           HP-UX
token-cdas  libtokenauthn.so    libtokenauthn.a    tokenauthn.dll    libtokenauthn.sl

w]A@íwOg+bíñHMg SecurID OqµNXΩCziHqoOΣL¼SϕOΩA]∩aNΩMg Policy Director ¡C


Tivoli SecureWay Policy Director WebSEAL DeveloperReferenceAHKo API Ω÷ΩTC

ziHb webseald.conf tm [authentication-mechanism] q¿ token-cdas ñAΘJ@íw¡xSwWAHKtmOO≈εC

pG

SolarisG

[authentication-mechanisms]
token-cdas = libtokenauthn.so

WindowsG

[authentication-mechanisms]
token-cdas = tokenauthn.dll

Σhu Proxy NzPolicy Director úOuhu Proxy Nz (MPA)vº⌠⌠MΦC

u Proxy Nz (SPA)vO$hDc¿AΣΣqPl°AºízL SSL HTTP v@qÑq@C

WebSEAL iN SSL HTTP OMov@qÑq@C

uhu Proxy Nz (MPA)vOAh½qshDCϕqzLuLusqH≤w (WAP)vsAohDS WAP hDC hDµ@OWDl°AAzLWDu∩qvqnDMC

∩ WebSEAL ÑAqLWDΩTOHqh½nDXC WebSEAL MPA °AOPC@OqBOC


$≤ WebSEAL MPA @gLOÑq@Aª]P@qOÑq@C]AMPA Ñq@ΩMOΦkAMqÑq@ΩMOΦkOC

Ñq@Ω¼MOΦkMPA ≤ WebSEAL Ñq@Ω¼Pq≤WebSEAL Ñq@Ω¼OCUϕCXF MPA MqÑq@¼G

Ñq@¼

MPA-to-WebSEAL    Client-to-WebSEAL
SSL Ñq@ ID
HTTP Y            HTTP Y
BA Y              BA Y
                  IP
Cookie            Cookie

¶ qúi SSL Ñq@ ID @Ñq@Ω¼C

18. zL MPA hDiµqH


¶ íApG MPA BA Y@Ñq@Ω¼AqNuα∩ HTTP YM cookie @Ñq@Ω¼C

¶ pG MPA Ñq@Ωº HTTP Y@Ñq@ΩAqiHúP HTTP Y¼C

¶ °AS cookie u]tFÑq@ΩTFªS¡≈ΩTC

¶ pGF MPA ΣAssl-id-sessions \α≤C@δÑApG ssl-id-sessions=yesAhu SSL Ñq@ID i@ HTTPS qÑq@CYn² MPA SSL Ñq@ ID @Ñq@AB²qΣLΦk@Ñq@Ah¡εNúsbCt\86yPÑq@ ID Ω¼zC

MPA ≤ WebSEAL OΦkAPq≤ WebSEALOΦkúPCUϕCXF MPA MqOΦkG

MPA-to-WebSEAL    Client-to-WebSEAL
≥O                ≥O
ϕµ                ϕµ
O                 O
HTTP Y            HTTP Y
                  IP

¶ íApG MPA u≥OvAqiH∩uϕµvBOH HTTP Y@OΦkC

¶ qúαM IP OΦkC

¶ @δÑAYYΘΦíwFuϕµv]OOAΘΦíu≥Ov]\96ytm≥O≈εzCpGF MPA ΣAh¡εúsbCoiH² MPA Huϕµv]OnJAq]ig$u≥OvAzLPΘΦínJC

MPA Mh½qOBzy

1. WebSEAL z⌡µUCBtmG

¶ hu Proxy NzΣ

¶ Sw MPA hD Policy Director bß

¶ sW MPA bß webseal-mpa-servers s

2. qs MPA hDC

3. hDNnD૨ HTTP nDC

4. hDOqC

5. hDHqnDP WebSEAL suC

6. MPA V WebSEAL O]PqúPΦkABo MPA ¡≈]w WebSEAL bßC

7. WebSEAL τ MPA b webseal-mpa-servers sñ¿ΩµC

8. F MPA AbñSϕ MPA ¼C

÷M MPA ±HC@qnDA²ªú≤∩onDvdC

9. b WebSEAL i@BOnDC

MPA α≈w∩nJúAϕeAhqC

10. qnJABP MPA úPOΦkiµOC

11. WebSEAL qOΩC

12. qÑq@Ω¼P MPA úPC


13. uA≈cvM½≤ ACL \ivA(\ ∩ⁿO@½≤sv¡C

M MPA Owebseald.conf tm [mpa] q¿ñ mpa iMMPA OΦkC

¶ Yn MPA OΦkAΘJ “yes”C

¶ Yn MPA OΦkAΘJ “no”C

pG

[mpa]
mpa = yes

MPA bß Tivoli SecureWay Policy Director ≥zΓUH TivoliSecureWay Policy Director Web Portal Manager zΓUHKobßΩTC

sW MPA bß webseal-mpa-servers s Tivoli SecureWay Policy Director Base zΓUH TivoliSecureWay Policy Director Web Portal Manager zΓUHKozsΩTC

MPA O¡ε Policy Director ΣbC@í WebSEAL °A@MPAC


≤⌠nJMΦ

ϕzN WebSEAL Ω@ Proxy °AHKw⌠úO@Azq]MΩµ@nJDC QF≤⌠µ@nJMΦC

DDG

¶ ytm CDSSO Oz

¶ 119ytm e-Community µ@nJz

tm CDSSO OPolicy Director u≤⌠µ@nJ (CDSSO)vúFbhw⌠ñαe≈εC CDSSO i² Web ⌡µµ@nJAbΓw⌠ºíLíaC CDSSO O≈εúnuDnO°Av]\ e-Community SSOC

CDSSO ⁿhw⌠πXAΣií⌠⌠tmC

pA@j¼°⌠⌠i]wΓHW@⌠—U⌠úΣvM½≤íC CDSSO ⁿHµ@nJb⌠ºíC

ϕ∩≤t@⌠ΩúXnDACDSSO ≈εN[K¡≈Oq@⌠αeG⌠C bG⌠π¡≈]wb@⌠OABúQjε⌡µt@ nJC

5


πXq CDMF @íwb\h CDSSO ΩñAúP⌠íw]@∩@MgAiαúAXípDC

u≤⌠Mgtm (CDMF)vO@í]pFªi²zmiBzq@íwABú¡≈MgAC

CDMF í]pi²zuq¡≈MgAHBzC

CDMF CDSSO OyHUyíOb 19C

1. ⌠≤n[Jh⌠AbDn⌠ñbßAHib[⌠ñAMgbß¡≈C

@lYS∩]tbßlw⌠iµOAhLkIs CDSSO \αC

2. zL⌠WqAúXs⌠ B ºΩnDC

]tSϕ CDSSO ϕíG

/pkmscdsso?<destination-URL>

pG

/pkmscdsso?https://www.domainB.com/index.html

3. nD²$⌠ A WebSEAL °ABzC WebSEALOOFO]tF Policy Director ¡≈]uWBe⌠ (“A”)BΣLΩTHíWOC

ΣLΩTOzLIsq CDMF @íw (cdmf_get_usr_attributes) oCoíwiúMgñA⌠ B nCThis library has the ability to supply user attributes that can be used by domain B during the user mapping process.

WebSEAL T½ DES tΓkH cdsso_key_gen íú∩≈[KOΩC o≈Q@xsb⌠ A ⌠ B WebSEAL °AW webseald.conf tm [cdsso-peers] q¿ñC

Ot@itmíWO (authtoken-lifetime)AΣwqORgC íWOYgAϕtmAi"ε½s⌡µ≡C

4. ⌠ A WebSEAL °ANnD[W[KOA½s Vs²AMß⌠ B WebSEAL °A]HTTP ½s VC

5. ⌠ B WebSEAL °AΣP≈AKτΦ⌠OC

6. ⌠ B WebSEAL °AIs CDSSO O≈εíwCo CDSSO íw Is⌡µΩMgq CDMF íw (cdmf_map_usr)C

CDMF íwN¡≈AHΣLi∩ΩT CDSSO íwC CDSSO íwΩTC

7. ⌠ B OAAMPnD½≤÷Sw ACL \ivAMwOπ\sⁿO@½≤C


M CDSSO Owebseald.conf tm [cdsso] q¿ñ cdsso-auth iM CDSSO OΦkC

¶ Yn CDSSO OΦkAΘJ “http”B“https” “both”C

¶ Yn CDSSO OΦkAΘJ “none”C

pG

[cdsso]
cdsso-auth = https

tm CDSSO O≈εcdsso tmiⁿwbíñMgOΩT@íwC

19. H CDMF iµ≤⌠µ@nJ

¶ b UNIX WAúMg\αO@libcdssoauthn @íwC

¶ b Windows WAúMg\αO@cdssoauthn DLLC

O≈ε    @íw
       Solaris             AIX                Windows           HP-UX
cdsso  libcdssoauthn.so    libcdssoauthn.a    cdssoauthn.dll    libcdssoauthn.sl

ziHb cdsso ñAΘJ webseald.conf tm[authentication-mechanism] q¿ñ@íw¡xSwWC

pG

SolarisG

[authentication-mechanisms]
cdsso = libcdssoauthn.so

WindowsG

[authentication-mechanisms]
cdsso = cdssoauthn.dll

OOΩ[KWebSEAL cdsso_key_gen íú≈[Km≤OñOΩC zPC@P⌠C@í WebSEAL °A@≈AuPBvoΓ≈C C@⌠C@íP WebSEAL °AúP≈C

: ≈MeD Policy Director CDSSO Bz@í≈C

ϕz⌡µ cdsso_key_gen íAínDzⁿw≈m]∩⌠WG

UNIX: # cdsso_key_gen <absolute-pathname>

Windows: MSDOS> cdsso_key_gen <absolute-pathname>


bC@⌠P WebSEAL °Aº webseald.conf tm [cdsso-peers] q¿ñΘJ≈mC Σµí]A WebSEAL ≈WM≈mG

[cdsso-peers]
<webseal-machine-name> = <keyfile-location>

⌠ A tmdG

[cdsso-peers]
www.domainB.com = <pathname>/A-B.key

⌠ B tmdG

[cdsso-peers]
www.domainA.com = <pathname>/A-B.key

bWñAA-B.key Nb@í≈]p WebSEAL AWúAQΓ]Bwast@í≈]p WebSEALBC

tmOíWOOt@itmíWOAΣwq¡≈ORgC

@)íWOLAOYQ°LAεC íWO≤U"ε½s⌡µ≡ AΦk]w@≈uAH"εOQ!bΣRg½s⌡µC

webseald.conf tm [cdsso] q¿ñ authtoken-lifetime i]wORgCOHϕϕC w] 180G

[cdsso]
authtoken-lifetime = 180

zNPΦ⌠ºí⌠≤p"tCJqC

ϕ CDSSO HTML ∩ nw⌠WΩº HTML ]tSϕ CDSSOϕíG

/pkmscdsso?<destination-URL>

pG


/pkmscdsso?https://www.domainB.com/index.html

O@OO÷MOOútOΩT]pWMKXA²ª]tb¼Φ⌠ⁿH⌠¡≈C ]O@O¡A"ε!½s⌡µC

zL SSL O WebSEAL °APºíqHAiO@OK≤Q!C qs²ñOOiHQC OWíWOu¼HOⁿGúiαbORgíQ½s⌡µC

MA]ΣíWOLO/M÷ⁿKX≡ C pG[KO≈QtⁿMAN úyimΣvOC

HßoOiíJuΩ CDSSO ΩyvCoNLku OOPP CDSSO ⌠ WebSEAL °AC ≥≤]AH]pzO@O≈Aw≤∩C

tm e-Community µ@nJE-community µ@nJOb Policy Director ⌠ñt@≤⌠OΩ@C≤⌠OAOn²ibh⌠ñshí°AWΩAún½sOC

“e-community” O¿]Policy Director DNSí÷Y$úP⌠¿sCo[J⌠iHtmµ@°@í]BaúP DNS WA@÷YµW°]p°íBIqH]zqC

bΩñATw@⌠Qⁿwulvuv⌠Cb[J°ñAl⌠z e-community °≤C


bΓΩñA[J e-community OΩTO$l⌠@Cowie\]zDµ@IAp e-community ñIsúⁿVl⌠C

tAziH Policy Director Web Portal Manager PΩTzvA²[J⌠itdz¡C

HU íFΓP⌠d e-communityG⌠ A(dA.com) M⌠ B (dB.com)CbdñA⌠ A NϕFl⌠C⌠ B O[⌠uv⌠C

l⌠uv — ]NOiHεOΩTC

úb≤BnDΩAí$l⌠OC

20. e-Community ¼


OíobDnO°A (MAS) — ≤l⌠ñtmO°A]@°ACbñAmas.dA.com NϕF MASCMAS ⌠¡ε≤úOAC MAS Wúi²ΩC

ϕQqL MAS OßAMAS úußOvOCoOoXnDb°AC°ANußOvO°wqL MAS OABiH[Je-communityC

122ye-Community yzñíe-community ⌠íΩTαeC

e-Community \αM≥nD

¶ o¼iΣzL URL]sΩCP CDSSO¼A\ααSOtm pkmscdsso ]\113ytm CDSSO OzC

¶ b e-community Ω@ñA¿⌠ WebSEAL °An@PtmC

¶ [J e-community únqLl⌠ñµ@DnO°A (MAS) OC

¶ pGb MAS WSbß]p⌡≤⌠ BA²O[J⌠ A P⌠ B e-communityAe-community bΩ@Wie\b⌠WiµuvOC

ϕbnDD MAS]²Ow[J⌠ñΩA²qL MAS OAiH∩VnDb°AiµOC

¶ MAS]Hßb⌠ñ∩ΣL°AußOvO¡≈C


¶ ⌠S Cookie ObOúußOvA°ACoie\⌠ñ°AbϕanDußOvΩTC

e-community cookies [Ke]t¡≈wΩTC

¶ w[KußOv¡≈SϕOCußOvOú]tuΩOΩTC@K≈]T½ DES tΓkiHúπCO]tFO]RgHK¡εO≥íC

¶ e-community bΩ@WΣ HTTP M HTTPSC

¶ µW e-community ⌠izΣ¡≈M÷MvCziHu≤⌠Mg\α (CDMF) APIvAN⌠ñAMg⌠ñC

pG e-community ⌠@s¡≈ANúnMg\αC

¶ e-community tmO]w≤¿ WebSEAL °Awebseald.conf ñC

e-Community ye-community O$DnO WebSEAL °A (MAS) M≤l⌠⌠ñΣL WebSEAL °A¿C MAS iHO WebSEAL °Aµ@ΩAOtⁿ¡IßWebSEAL ]tⁿ¡¡≈O MASC

[JM WebSEAL °Atml⌠MASA@lqOºCoOl⌠ñ°AnDABO⌠ñ°A∩DCpA⌠ñí≈°AiHtmBz¡OCú°AOb e-community ¿⌠ñAo°AMO@ΩíiW≤e-community ºB@C

e-community bΩ@WOußOvtCb ípUAbV WebSEAL °AnDΩÑq@AWebSEAL úHKoOΩTCb e-community tmñAWebSEAL °AOußOv°AABVOußOv°AnDτC

ußOv°AΩTCw∩@ nDAußOv°ATw MASC MAS ≥@l⌠ΩußOv°ACϕ≥nD e-community ñΩAC@⌠ñW°AiHµw∩] MAS ¡≈ΩTABß⌠¡b⌠ΩußOv°AñΓC

ußOv°AnDτHußOvOíiµC

ußOv°AOAMßNOnD WebSEAL °ACOñ¡≈ΩTQ[KCO]tFRg¡εC

b¼ußOvOAoXnD°AHÑq@CbNiH@δvεsnDΩCNiHú½sO — e-community ¼º@C

bzϕΣLí e-community yAHU CyíΓiαu@ vsíp]1 M2CΣßΓiαuU@ vsíp]3 M 4FoΓíp≥b 2 3 ºßCuíp 5vhoblsß⌠≤íC


ußOv°A

¶ MAS Twb@ ns e-community ⌠≤íAiµOC

MAS u⌡µO°A⌠AúΩúCMAS úbtmDnO°APAQß:O@Ωu@COnMαqAúOw≥nDC

¶ MAS Twl⌠ußOv°A]dñ⌠AC

¶ ⌠S e-community cookie OOSw⌠ñAΣL°AußOv°ACußOv°AO⌠ñ@íV MAS nDußOvO°ACußOv°Ai⌠ñúußOvΩTCSw⌠ñußOvAß≥nDiH$°ABzAúns⌠ MASCbl⌠ñAe-community cookie N MAS °ußOv°AC

21. e-Community y


(1) @ e-Community sGWebSEAL 1]⌠ A

¶ nDⁿ WebSEAL 1 O@Ω]P MAS B≤P⌠Cs²S⌠ e-community cookieCWebSEAL 1 ñSC

¶ WebSEAL 1 tmwF e-community OABⁿwFMAS mC WebSEAL 1 Ns²½s V MAS WSϕußOvURLC

¶ MAS ⁿußOvnDA²OΣúOAMßúnJC

¶ b¿\nJßAMAS FAHYNxsñAMßNπ[KußOvOs²½s Vb WebSEAL 1 WQúXnD URLCA⌠ AS e-community cookie wQ±bs²ñAHKO⌠ußOv°A]b¼pñ MASC

pGnJóAMAS ⁿó¼AußOvOCOcP¿\¼AußOvOϕⁿCoXnD°AoXó¼AOANpPOóC

¶ WebSEAL 1 OKAB¡C

: bP⌠ñún¡≈MgCpGn¡≈MgAWebSEAL 1 u≤⌠Mgtm (CDMF)vC

¶ vAíⁿ nDC

(2) @ e-Community sGWebSEAL 3]⌠ B

¶ nDⁿ WebSEAL 3 O@Ω]⌠ BCs²S⌠ e-community cookieC WebSEAL 3 ñSC

¶ WebSEAL 3 tmwF e-community OABⁿwFMAS mC WebSEAL 3 Ns²½s V MAS WSϕußOvURLC


¶ MAS ⁿußOvnDA²OΣúOAMßúnJC

¶ b¿\nJßAMAS FAHYNxsñAMßNπ[KußOvOs²½s Vb WebSEAL 3 WQúXnD URLCA⌠ AS e-community cookie wQ±bs²ñAHKO⌠ußOv°A]b¼pñ MASC

pGnJóAMAS ⁿó¼AußOvOCOcP¿\¼AußOvOϕⁿCoXnD°AoXó¼AOANpPOóC

¶ WebSEAL 3 OKAB¡C

¶ WebSEAL 3 bs²ñB]wG e-communitycookie]∩⌠ B AHKN WebSEAL 3 O⌠B ußOv°AC

¶ vAíⁿ nDC

(3) U@ e-Community sGWebSEAL 2]⌠ A

¶ nDⁿ WebSEAL 2 O@Ω]P MAS B≤P⌠C s²]tF⌠ A e-community cookieABO MAS ußOv°AC WebSEAL 2 ⁿcookieCWebSEAL 2 ñSC

¶ WebSEAL 2 tmwF e-community OABⁿwFMAS mC ⌠ A e-community cookie sbAm½WebSEAL 2 w∩ MAS mtmC cookie V WebSEAL2 úFußOv°A¡≈C]pG²oFíp 2Ah]bs²ñOd⌠ B cookieAúe⌠ A°AC

¶ WebSEAL 2 Ns²½s V cookie O⌠ AußOv°AºSOußOvURL]] WebSEAL 2 Ob⌠ AAGb¼pñ MASC


¶ MAS ¼ußOvnDABbñΣX]oOobíp 1 M 2C

¶ MAS Nπ[KußOvOs²A½s VbWebSEAL 2 WQúXnD URLC

¶ WebSEAL 2 OKAB¡C

¶ vAíⁿ nDC

(4) U@ e-Community sGWebSEAL 4]⌠ B

¶ nDⁿ WebSEAL 4 O@Ω]⌠ BC pG²oFíp 2As²]t⌠ B e-communitycookieABO WebSEAL 3 ußOv°AC WebSEAL4 ñSC

¶ WebSEAL 4 tmwF e-community OABⁿwFMAS mC ⌠ B e-community cookie sbAm½WebSEAL 4 w∩ MAS mtmC cookie V WebSEAL4 úFußOv°A¡≈C ]pG²oFíp 1Ahubs²ñOd⌠ A cookieAúe⌠ B°ACtttm MASCMßWebSEAL 4 ¿⌠ B ußOv°AC

¶ pGíp 2 ²oAWebSEAL 4 Ns²½s V⌠B cookie OAb⌠ BußOv°AWSϕußOvURL]b¼pñ WebSEAL 3C

¶ WebSEAL 3 ¼ußOvnDABbñΣX]oOobíp 2C

¶ WebSEAL 3 Nπ[KußOvOs²A½s Vb WebSEAL 4 WQúXnD URLC

¶ WebSEAL 4 OKABb°A¡C

¶ vAíⁿ nDC


(5) ΣL e-Community sGWebSEAL 2]⌠ A

¶ zLnDs WebSEAL 2]⌠ ACpGoFíp 3AWebSEAL 2 ñC

¶ vAíⁿ nDC

q e-Community nX

¶ pG÷¼s²nXA SSL Ñq@Me-community cookies NQMúC

¶ pGzL /pkmslogout nXA∩≤⌠ SSLÑq@M e-community cookie NQMúC

F e-Community Cookie

¶ e-community cookie O$@í WebSEAL °A]w⌠S cookieFªxsbs²OΘñABbß≥nDñeΣL WebSEAL °A]bP⌠ñC

¶ ⌠S cookie ]tFußOv°AWBe-community¡≈BußOv°AM\αm (URL)AHRgC cookie ñSΩTC

¶ e-community cookie i² ⌠ñ°AbϕanDußOvΩTC MAS b⌠ e-community cookie OΩt nñΓC

¶ cookie ñπRg]OO]w≤ webseald.conf tmCRgiⁿw°Anßh[íA)αúußOvΩTCϕ cookie RgA½s V MAS HKoOC

¶ ϕs²÷¼AOΘñ cookie QMúCpGnXFSw⌠Ae-community cookie Q∩g,C@iaNªqs²ñúC


FußOvnDMe-communityußOv@nzLΓSOc URL sM\αGußOvnDMußOvCo URL O webseald.conf ñtmΩTAbiµ e-communityußOvHTTP ½s VcC

ußOvnD

ϕV°AnDΩ]w∩ e-community tmA°ASΩTAN oußOvnDC

°AN HTTP ½s VTußOv°A]MAS e-community cookie ñⁿw°AC

ußOvnD]tFHUΩTG

https://<vouch-for-server>/pkmsvouchfor?<ecommunity-name>&<target-URL>

¼°Ad ecommunity-name HKτ e-community ¡C¼°AbußOvñ target-URLANs²½s VQúXnDC

ziHtm pkmsvouchforußOvURLC

pG

https://mas.dA.com/pkmsvouchfor?companyABC&https://ws5.dB.com/index.html

ußOv

ußOvOⁿußOv°A∩°AC

ußOv]tFHUΩTG

https://<target-URL>?PD-VFHOST=<vouch-for-server>&PD-VF=<encrypted-token>

PD-VFHOST iO⌡µußOv@°AC¼]°AΩT∩ußOvO (PD-VF) K T≈C PD-VF NϕF[KußOvOC


pG

https://w5.dB.com/index.html?PD-VFHOST=mas.dA.com&PD-VF=3qhe9fjkp...ge56wgb
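The two vouch-for URLs above, as an added example that is not part of the manual: a Python helper that builds a vouch-for request, parses a vouch-for reply into its target URL, PD-VFHOST and PD-VF parts, picks the key file that should verify the token (the intra-domain-key when the vouch-for server is in the receiving server's own domain, the matching [inter-domain-keys] entry otherwise), and checks a token's age against vf-token-lifetime. The function names, the sample hosts and the treatment of PD-VF as an opaque string are this example's assumptions; it does not decrypt the Triple DES token itself.

```python
"""Build and check e-community vouch-for URLs (added example, not WebSEAL code).

URL formats, parameter names (PD-VFHOST, PD-VF), the default vf-url and
vf-token-lifetime, and the intra/inter-domain key rule come from the manual
text above; function names and sample hosts are this example's assumptions.
"""
from urllib.parse import urlsplit, parse_qsl, urlencode

VF_URL = "/pkmsvouchfor"      # default vf-url
VF_TOKEN_LIFETIME = 180       # default vf-token-lifetime, in seconds


def build_vouch_for_request(vf_server, ecommunity_name, target_url):
    """https://<vouch-for-server>/pkmsvouchfor?<ecommunity-name>&<target-URL>"""
    return f"https://{vf_server}{VF_URL}?{ecommunity_name}&{target_url}"


def parse_vouch_for_request(url):
    """Return (vouch-for server, e-community name, target URL) or raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.path != VF_URL:
        raise ValueError("not a vouch-for request URL")
    # The query is "<name>&<target>"; split on the first '&' only, because the
    # target URL may itself carry '&' characters.
    name, sep, target = parts.query.partition("&")
    if not (name and sep and target):
        raise ValueError("query must be <ecommunity-name>&<target-URL>")
    return parts.netloc, name, target


def parse_vouch_for_reply(url):
    """Return (target URL, PD-VFHOST, PD-VF token) from a vouch-for reply URL."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    picked = {k: v for k, v in params if k in ("PD-VFHOST", "PD-VF")}
    if set(picked) != {"PD-VFHOST", "PD-VF"}:
        raise ValueError("vouch-for reply needs both PD-VFHOST and PD-VF")
    # Hand the target back without the two vouch-for parameters.
    rest = [(k, v) for k, v in params if k not in picked]
    target = parts._replace(query=urlencode(rest)).geturl()
    return target, picked["PD-VFHOST"], picked["PD-VF"]


def select_token_key(vf_host, own_domain, intra_domain_key, inter_domain_keys):
    """Pick the key file that must verify a token issued by vf_host.

    A vouch-for server in the receiving server's own domain shares
    intra-domain-key; any other domain needs an [inter-domain-keys] entry,
    and a domain without one cannot be verified, so it is rejected.
    """
    host = vf_host.split(":")[0]                  # drop a port if present
    host_domain = host.partition(".")[2].lower()  # mas.dA.com -> da.com
    if host_domain == own_domain.lower():
        return intra_domain_key
    keys = {d.lower(): path for d, path in inter_domain_keys.items()}
    if host_domain not in keys:
        raise ValueError(f"no inter-domain key configured for {host_domain}")
    return keys[host_domain]


def token_is_fresh(issued_at, now, lifetime=VF_TOKEN_LIFETIME, clock_skew=0):
    """True while the token is inside its lifetime; an old, replayed token fails."""
    age = now - issued_at
    return -clock_skew <= age <= lifetime + clock_skew


if __name__ == "__main__":
    # Sample values taken from the manual's own example URLs.
    req = build_vouch_for_request("mas.dA.com", "companyABC",
                                  "https://ws5.dB.com/index.html")
    print(parse_vouch_for_request(req))
    reply = ("https://w5.dB.com/index.html"
             "?PD-VFHOST=mas.dA.com&PD-VF=3qhe9fjkp...ge56wgb")
    target, vf_host, token = parse_vouch_for_reply(reply)
    key = select_token_key(vf_host, "dB.com", "/abc/xyz/key.file",
                           {"dA.com": "/efg/hij/key.fileB"})
    print(target, vf_host, key)
```

A receiving server that cannot map PD-VFHOST to a configured key file has no way to verify the token, so the request is rejected rather than trusted; the age check is what limits reuse of a captured token to the configured lifetime, and the clock_skew parameter models the tolerance the manual asks you to allow for clock differences between servers.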

FußOvOFF≤⌠µ@nJAí¡≈ΩTb°AíΘCoPΩTzL½s VBzF½s V]t[K URL @í¡≈ΩTCo[KΩußOvOC

¶ O]tFußOv¿\ó¼AB¡≈]bßO¿\BO°AπWBe-community ¡AHíC

¶ ußOvOiHOb°AWÑq@]HAúngL°AOC

¶ O@T½ DES tΓkK≈[KA]iHτΣTΩC

¶ [KOΩTúxsbs²ñC

¶ Oue@ C¼°AΩTbñCϕbPÑq@ñ@Xß≥nDA°ANoC

¶ OñπRg]OO]w≤ webseald.conf tmCiHOu]ϕHKε+ re-play ≡ IC

ußOvO[KWebSEAL cdsso_key_gen íú≈[Km≤OñOΩC zPC@P⌠C@í WebSEAL °A@≈AuPBvoΓ≈C C@⌠C@íP WebSEAL °AúP≈C

: ≈MeD Policy Director e-community Bz@í≈C zµwaN≈s °AC


ϕz⌡µ cdsso_key_gen íAínDzⁿw≈m]∩⌠WG

UNIX: # cdsso_key_gen <absolute-pathname>

Windows: MSDOS> cdsso_key_gen <absolute-pathname>

O@OwAHKbP⌠]l⌠M⌠°Aíeº≈mAiΘJ≤ webseald.conf tm [e-community-sso] q¿ñ intra-domain-key C

[e-community-sso]
intra-domain-key = <absolute-pathname>

O@OwAHKb MAS M⌠°Aíe≈mAiΘJ≤ [inter-domain-keys] q¿CΣLP MAS bP⌠ñ°Aún inter-domain-keysC MAS O@nP⌠°AqH°AC

[inter-domain-keys]
<domain-name> = <absolute-pathname>
<domain-name> = <absolute-pathname>

tm e-Community\Ω@ e-community ntmCoOb webseald.conf ñCzJtm e-community ñ °AWC

e-community-sso-auth

i e-community OCΣ]tF“http”B“https”B“both” “none”CpG

[e-community-sso]
e-community-sso-auth = both

“http”B“https” M “both” ÑiHⁿw≤ e-community ¿qH¼C “none” i°AW e-communityCw]]w “none”C
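As an added example (not from the manual), the following Python linter reads a webseald.conf fragment with configparser and checks the settings this chapter describes: each method-selection key (ba-auth, forms-auth, http-headers-auth, ipaddr-auth, token-auth, cdsso-auth, e-community-sso-auth) must be http, https, both or none, and http or both is flagged because it lets the method run over an unencrypted connection; accept-client-certs must be never, optional or required; mpa and is-master-authn-server must be yes or no; and a server with is-master-authn-server = no must name its master-authn-server. The sample fragment is constructed for the example and the function names are this example's own.

```python
"""Lint the authentication-method settings of a webseald.conf fragment.

Added example: stanza/key names and the value sets come from this chapter of
the manual; the linter and the sample fragment are constructed here.
"""
import configparser

# [stanza], key pairs that select an authentication method; the manual lists
# "http", "https", "both" or "none" as their values.
METHOD_KEYS = (
    ("ba", "ba-auth"),
    ("forms", "forms-auth"),
    ("http-headers", "http-headers-auth"),
    ("ipaddr", "ipaddr-auth"),
    ("token", "token-auth"),
    ("cdsso", "cdsso-auth"),
    ("e-community-sso", "e-community-sso-auth"),
)
METHOD_VALUES = {"http", "https", "both", "none"}
CERT_VALUES = {"never", "optional", "required"}   # [certificate] accept-client-certs
YES_NO = {"yes", "no"}                            # [mpa] mpa, is-master-authn-server


def parse_webseald_conf(text):
    """webseald.conf uses INI-style stanzas, so configparser reads it directly."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def lint_auth_config(text):
    """Return a list of findings, each starting with 'ERROR' or 'WARN'."""
    cp = parse_webseald_conf(text)
    findings = []

    for stanza, key in METHOD_KEYS:
        value = cp.get(stanza, key, fallback=None)
        if value is None:
            continue                      # stanza or key not present
        value = value.strip().lower()
        if value not in METHOD_VALUES:
            findings.append(f"ERROR [{stanza}] {key} = {value}: "
                            f"not one of {sorted(METHOD_VALUES)}")
        elif value in ("http", "both"):
            # Credentials or tokens would be accepted on a cleartext connection.
            findings.append(f"WARN [{stanza}] {key} = {value}: "
                            "method enabled over cleartext HTTP")

    certs = cp.get("certificate", "accept-client-certs", fallback="never")
    certs = certs.strip().lower()
    if certs not in CERT_VALUES:
        findings.append(f"ERROR [certificate] accept-client-certs = {certs}: "
                        f"not one of {sorted(CERT_VALUES)}")

    for stanza, key in (("mpa", "mpa"), ("e-community-sso", "is-master-authn-server")):
        value = cp.get(stanza, key, fallback=None)
        if value is not None and value.strip().lower() not in YES_NO:
            findings.append(f"ERROR [{stanza}] {key} = {value}: expected yes or no")

    # A server that is not the MAS has to say where the MAS is.
    is_mas = cp.get("e-community-sso", "is-master-authn-server", fallback="").strip().lower()
    mas = cp.get("e-community-sso", "master-authn-server", fallback="").strip()
    if is_mas == "no" and not mas:
        findings.append("ERROR [e-community-sso] is-master-authn-server = no "
                        "but master-authn-server is not set")

    return findings


# Constructed sample fragment; it is not taken from any real deployment.
SAMPLE_CONF = """\
[ba]
ba-auth = both
basic-auth-realm = Policy Director

[forms]
forms-auth = https

[certificate]
accept-client-certs = sometimes

[e-community-sso]
e-community-sso-auth = https
is-master-authn-server = no
"""

if __name__ == "__main__":
    for finding in lint_auth_config(SAMPLE_CONF):
        print(finding)
```

Run against the sample it reports three findings: basic authentication accepted over both HTTP and HTTPS, an unknown accept-client-certs value, and a non-master e-community server without a master-authn-server entry. The warning on ba-auth matters most in practice, since the manual's default keeps basic authentication on HTTPS only.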


master-http-port

pG e-community-sso-auth F HTTP e-community OADnO°AOb HTTP ≡]≡ 80H≡¼HTTP nDAmaster-http-port iOH≡CpG°ADnO°AAhñCw]AwC

[e-community-sso]
master-http-port = <port-number>

master-https-port

pG e-community-sso-auth F HTTPS e-community OADnO°AOb HTTPS ≡]≡ 443H≡¼HTTP nDAmaster-https-port iOH≡C pG°ADnO°AAhñC w]AwC

[e-community-sso]
master-https-port = <port-number>

e-community-name

iO¿⌠ñ °A e-community XWCpG

[e-community-sso]
e-community-name = companyABC

b e-community ñ⌠ñA WebSEAL °AⁿwP e-community-name C

intra-domain-key

iOO[KMKAHKb°A⌠íµ½≈mCpG

[e-community-sso]
intra-domain-key = /abc/xyz/key.file


zb@mú≈AMßµ]BwaNs⌠ñAΣL WebSEAL °AWⁿwmC

is-master-authn-server

iO°AO MASCΣ]A “yes” “no”CpG

[e-community-sso]
is-master-authn-server = yes

hí WebSEAL iHtmDnO°AAMßm≤tⁿ¡ºßCbípñAtⁿ¡Q e-community ñΣLWebSEAL °AAO MASC

master-authn-server

pG is-master-authn-server ]w “no”Az°úABⁿwªCiO MAS π⌠WCpG

[e-community-sso]
master-authn-server = mas.dA.com

vf-token-lifetime

]wFußOvORgO]ϕC

cookie WíWOiµdCw] 180 ϕCzN °Aíí"tCJqCpG

[e-community-sso]
vf-token-lifetime = 180

vf-url

ⁿwußOvURLCHu (/) YCw]/pkmsvouchforCpG

[e-community-sso]
vf-url = /pkmsvouchfor


z]iHϕ URLG

vf-url = /ecommA/pkmsvouchfor

ec-cookie-lifetime

OF e-communiy ⌠ cookie °Rg]Cw] 300 CpG

[e-community-sso]
ec-cookie-lifetime = 300

Inter Domain Keys

MAS M⌠ °AíOA[KMK≈mOⁿw≤ [inter-domain-keys] q¿ñCzⁿw°Aπ⌠WH≈m∩⌠WC

HUdúF MAS]⌠ A≈PΓ⌠qHG

[inter-domain-keys]
dB.com = /abc/xyz/key.fileB
dC.com = /abc/xyz/key.fileC

bdñAkey.fileB ⁿwF⌠ A M⌠ B ºí≈C key.fileC ⁿwF⌠ A M⌠ C ºí≈C

°An MAS T≈CYnM MAS]⌠ Aµ½OA⌠ B ñ°Aúnkey.fileB C

[inter-domain-keys]
dA.com = /efg/hij/key.fileB

YnM MAS]⌠ Aµ½OA⌠ C ñ°Aún key.fileC C

[inter-domain-keys]
dA.com = /efg/hij/key.fileC


tm CDSSO O≈εe-community tmn cdsso O≈εCϕúXnD°AAußOvOñ¡≈ΩTANn≈εC cdsso tmiⁿwg+bíñMgOΩT@íwC

¶ b UNIX WAúMg\αO@libcdssoauthn @íwC

¶ b Windows WAúMg\αO@cdssoauthn DLLC

O≈ε    @íw
       Solaris             AIX                Windows           HP-UX
cdsso  libcdssoauthn.so    libcdssoauthn.a    cdssoauthn.dll    libcdssoauthn.sl

ziHb cdsso ñAΘJ webseald.conf tm[authentication-mechanism] q¿ñ@íw¡xSwWAHtm CDSSO O≈εC

pG

SolarisG

[authentication-mechanisms]
cdsso = libcdssoauthn.so

WindowsG

[authentication-mechanisms]
cdsso = cdssoauthn.dll


WebSEAL X

WebSEAL °APß Web í°AºísuSWebSEAL XOXC WebSEAL XOe WebSEAL °APß Web í°Aºí TCP/IP suC Xi² WebSEAL O@≤ß°AW Web ΩC

zi pdadmin ⁿOµí Web Portal Manager WebSEAL XC í\h≤tm WebSEAL Xº∩ΩTC

DDG

¶ 138yWebSEAL Xº[z

¶ 140yypdadmin server taskzXz

¶ 141ytm≥ WebSEAL Xz

¶ 144y¼O SSL Xz

¶ 148y TCP M SSL Proxy Xz

¶ 149yWebSEAL zL SSL WebSEAL Xz

¶ 150yΣLX∩z

¶ 167y WebSEAL XNNGz

¶ 170y∩≤Ot°A query_contentsz

6


WebSEAL Xº[ziUC WebSEAL X¼G

¶ WebSEAL zL TCP suXß°A

¶ WebSEAL zL SSL suXß°A

¶ WebSEAL g$ HTTP PROXY °ABzL TCP suXß°A

¶ WebSEAL g$ HTTPS PROXY °ABzL SSL suXß°A

¶ WebSEAL zL SSL suX WebSEAL

b⌠≤XAzUUCΓqG

1. Mwb WebSEAL ½≤íñ≤BX]ⁿWeb í°AC

2. ∩XI¼C

XΩwmMµíWebSEAL XΩTOxsb XML µíΩwñCXΩw²mOwqb webseald.conf tm [junction] q¿ñC²O∩≤ WebSEAL °A²][server] q¿ñ server-root G

[junction]
junction-db = jct

¶ C@XúOH .xml WwqbµWñC

¶ pdadmin íMzXH∩C

¶ XML µíi²zΓBsΦBsM≈XC

MwqWsεGJ

1. pdadmin í Web Portal Manager WebSEAL Mß°AºíXC


2. NAϕ ACL hm≤XIWAiú∩ß°AwqWεC

MwqδsεGJ

1. pdadmin í Web Portal Manager WebSEAL Mß°AºíXC

WebSEAL Lku vA≤OttC z@ query_contents SϕíqWebSEAL ÷≤Ot½≤íAíiMI≤OtWeb íA∩ WebSEAL °icMeC

2. N query_contents ís≤Ot°AC

3. N ACL hM@½≤íñAϕ½≤C

WebSEAL XIⁿUCⁿJXuWhvG

¶ zibDn WebSEAL ½≤í⌠≤msWX

¶ zibP@ⁿIWXhí°A

bP@XWⁿhí°Aº¼P—TCP SSL

¶ qLX≤Ot°Aúu ACL h

¶ XIúiP WebSEAL °A Web íñ⌠≤²C pApG WebSEAL π /path/..., íΩAh3W /path XIC

¶ pGß°A HTML ]t∩²º°A∩URL í]p JavaScript appletAhXIúiPß°A Web íñ⌠≤²C pApGß°A]tí /path/... º URL íAúnW /path XIC


WebSEAL Σ HTTP 1.0 qLXWebSEAL Σ HTTP 1.0 qLXC o¡εiαvTαπHGp≤ßX°AWºíoC

su                      ΣqH≤w                  RFC X
e]q∩ WebSEAL          HTTP/1.0 M HTTP/1.1      RFC2068
ß]WebSEAL ∩X°A        u¡ HTTP/1.0              RFC1945

: esuúⁿ HTTP/1.0 “Keep-Alive” ΣC HTTP/1.1 hⁿHTTP ≥suΣC

WebSEAL X[í\8yA WebSEAL Xzñ÷ WebSEAL Xºº[C

\229yWebSEAL XzHKoXⁿO∩πΩTC

ypdadmin server taskzXb pdadmin ºeAzH sec_master znJw⌠C

pG

UNIXG

# pdadmin
pdadmin> login
ΘJ IDGsec_master
ΘJKXG
pdadmin>

WindowsG

MSDOS> pdadmin
pdadmin> login
ΘJ IDGsec_master
ΘJKXG
pdadmin>

Yn WebSEAL XA pdadmin server task ⁿOG

pdadmin> server task <server-name> <task>

server-name OⁿΩ≈WπϕíAHⁿO Policy Director $≤]p WebSEALC

<policy-director-component>-<machine-name>

íApG≈WO cruz Policy Director $≤WebSEALAh server-name G

webseald-cruz

server list ⁿOτ server-name ϕíG

pdadmin> server list
webseald-cruz

tm≥ WebSEAL XWebSEAL Σ WebSEAL Pß Web í°Aºí TCP]HTTPMw SSL]HTTPSXC

WebSEAL Pß°AºíXPqP WebSEAL ºísu¼]Σwh L÷C

pdadmin ≥ WebSEAL XnⁿO∩]AG

¶ ßí°AD≈W] –h ∩

¶ X¼GtcpBsslBtcpproxyBsslproxyBlocal] –t ∩

¶ X]ⁿI

pdadmin> server task <server-name> create –t <type> –h <host-name> <jct-point>


pG

pdadmin> server task webseald-cruz create -t tcp -h doc.tivoli.com /pubs

TCP ¼XzL TCP su WebSEAL XúX≥eA²úúqLXwqHC

Ynw TCP XBsWl°AA create ⁿOH –t tcp ∩G

pdadmin> server task <server-name> create –t tcp –h <host-name> [–p <port>] <jct-point>

The default port for a TCP junction (used when none is specified) is 80.

SSL ¼XSSL X\αpP TCP XA²Σ [ GWebSEALPß°AºíqHúQ[KC

22. Dw TCP (HTTP) X


SSL Xúw∩Bs²∩íºFziSSL Oqq WebSEAL Hq WebSEAL ß°AqHC ϕz SSL XAß°Aw

HTTPSC

Ynw SSL XBsWl°AA create ⁿOH –t ssl ∩G

pdadmin> server task <server-name> create –t ssl –h <host-name> [–p <port>] <jct-point>

The default port for an SSL junction (used when none is specified) is 443.

τß°AϕqúX∩ß°AWºΩnDAWebSEAL]ß⌠w°AñΓYNϕq⌡µnDC SSL qH≤wⁿwGb∩ß°AúXFnDA°AzL°A

úΣ¡≈C

ϕ WebSEAL qß°A¼o≈AªτΣTΩAΣτΦkH±∩xsbΣΩwñ root CAMµC

23. w SSL (HTTPS) X


Policy Director SSL IBM Global Security Kit (GSKit) IµC z GSKit iKeyman ísWNß°Ap WebSEAL ≈]pdsrv.kdbº CA rootC

÷z≈ΩwπΩTA\237yiKeyman zzC

SSL XdzL SSLA/sales XI sales.tivoli.com XD≈G

pdadmin> server task <server-name> create –t ssl –h sales.tivoli.com /sales

Note: In the example above, the –t ssl option uses the default port 443.

zL SSLAbXI /travel ≡ 4443 WXD≈

travel_svrG

pdadmin> server task <server-name> create –t ssl –p 4443 –h travel_svr /travel

¼O SSL XWebSEAL Σ WebSEAL °APß°AzL SSL X]–t ssl –t sslproxy¼OCUCnIJzL SSL ¼OΣ\α]bAϕmCXⁿO∩G

1. WebSEAL Oß°A] SSL Bz

¶ WebSEAL τß°A°AF\145yWebSEAL τß°AzC

¶ WebSEAL τt≤uOW (DN)v]–D]DnA²ÑOiµF\145yOW (DN) ±∩zC

2. ß°AO WebSEAL]ΓΦk


¶ ß°Aτ WebSEAL]–KqF\146yHqiµ WebSEAL OzC

¶ ß°Aτu≥O (BA)vY]–BB–UB–Wñ WebSEAL ¡≈ΩTF\146yH BA Yiµ WebSEAL OzC

εzL SSL ¼OⁿO∩úUC\αG

¶ ziⁿwq BA OΦkC

¶ zi÷CXv MOΦkC

X –b ∩]Bz BA ΩTPzL SSL ¼OSϕNAí≤147yBzqLXq¡≈ΩTz

WebSEAL τß°AWebSEAL SSL qH≤wτß°AC ß°AeΣ°A WebSEALC WebSEAL ±∩@≈w²wq rootu≈c (CA)vMµAτ°AC

í°AºH⌠]pΦ CAA]A rootu≈c (CA)vt≤ WebSEAL b≈ΩwC

zi iKeyman íz root CA ΩwC \237y iKeyman zzC

OW (DN) ±∩zizLuOW (DN)v±∩Wj°AτC Yn°A DN ±∩Azb SSL X°AAⁿwß°A DNC ÷M DN ±∩O@∩tmAúLÑOzPzL SSL X¼OftIµo\αC

b°AτíANt≤ DN PXwqDN ±C pGΓ DN úA∩ß°AsuYóC


Yn°A DN ±∩Ab –D “<DN>” ∩ SSLXAⁿwß°A DNCYnOdrΩñ⌠≤µAHAϕ DN rΩC pG

–D "/C=US/O=Tivoli/OU=SecureWay/CN=Policy Director"

–D ∩AXP –K –B ∩@C

Hqiµ WebSEAL O –K ∩Ai WebSEAL zLq∩Xß°AOC

–K "<≈>"

Ω°≤]AG

¶ wNß°A]wn WebSEAL º¡≈τ]qC

¶ wN WebSEAL tm]webseald.confSwqA∩ß°A (ssl-keyfile-label) OC

¶ ]ÑOzw∩ DN ±∩]–DtmXC

–K ∩ⁿwnº≈]xs≤ GSKit ≈ΩwC iKeyman íisW≈ΩwC webseald.conf tmñ ssl-keyfile-label itm≈C

≈HAϕC pG

–K "cert1_Tiv"

\40ytm WebSEAL ≈ΩwzC

H BA Yiµ WebSEAL O –B –U "<username>" –W "<password>" ∩WebSEAL zLu≥OviµOC

–B –U "<username>" –W "<password>"


Ω°≤]AG

¶ wNß°A]wn WebSEAL º¡≈τ]BA YC

¶ 3H⌠≤ –b ∩tmXC ]úLA–B ∩bí–b filterC

¶ wN WebSEAL tmb BA YñΣ¡≈ΩTAH∩ß°AOC

¶ ÑOz]w∩ DN ±∩]–DtmXC

username M password HAϕC pG

–U "WS1" –W "abCde"

BzqLXq¡≈ΩTziNX]wb BA Yñⁿwq¡≈ΩTC –b ∩ⁿUC.iαG filterBsupplyBignoreBgsoC 177yw∩µ@nJMΦtm BA Yz ñú÷≤oΩTC

–b ∩vT¼OX]wA]zq T∩XC

–b supply

¶ o∩úⁿzL BA Y WebSEAL OC∩ BA Y@²qWMuΩvKXC

¶ o∩ⁿzLq WebSEAL OC

–b ignore

¶ o∩úⁿzL BA Y WebSEAL OC∩ BA Y@²qWMKXC

¶ o∩ⁿzLq WebSEAL OC


–b gso

¶ o∩úⁿzL BA Y WebSEAL OCo∩ BA Ys± GSO °AúWMKXC

¶ o∩ⁿzLq WebSEAL OC

–b filter

¶ ϕ WebSEAL OQ] BA YΩTAbí –b filter ∩C

bß≥ HTTP ºñú WebSEAL BA YCNß°A AWebSEAL ú@nJC

¶ o∩ⁿzLq WebSEAL OC

¶ pGß°AnΩq¡≈]s²Ah

i CGI HTTP_IV_USERBHTTP_IV_GROUPS M HTTP_IV_CREDSCY Script M servletA∩ Policy Director S HTTP YG

iv-userBiv-groupsBiv-credsC

TCP M SSL Proxy Xzii²qHMX HTTP HTTPS PROXY °Aº⌠⌠ WebSEAL XC zitmXBznDA@ TCP qHⁿO@ SSL qHC

create ⁿOnUCΣñ@ type ∩AHzLPROXY °A TCP í SSL íXG

¶ –t tcpproxy

¶ –t sslproxy

create M add ⁿOúnUC∩M)αO PROXY °A Web °AG

–H <host-name> Proxy °A DNS D≈W IP C


–P <port> PROXY °A TCP ≡C

–h <host-name> Web °A DNS D≈W IP

C

–p <port> Web °A TCP ≡C TCP Xw

] 80FSSL Xw] 443C

TCP proxy Xd]ΘJ≤@µG

pdadmin> server task <server-name> create –t tcpproxy –H clipper –P 8081 –h www.ibm.com –p 80 /ibm

SSL proxy Xd]ΘJ≤@µG

pdadmin> server task <server-name> create –t sslproxy –H clipper –P 8081 –h www.ibm.com –p 443 /ibm

WebSEAL zL SSL WebSEAL XPolicy Director Σe WebSEAL °APß WebSEAL °Aºí SSL XC –C ∩P create ⁿOAizLSSL XΓí WebSEAL °AAú¼OC

dG

24. Proxy Xd


pdadmin> server task <server-name> create –t ssl –C –h serverA /jctA

bUCΓÑqño¼OG

¶ SSL qH≤wi²ß WebSEAL °AzLΣ°AA∩e WebSEAL °AOC

¶ –C ∩i²e WebSEAL °Abu≥O (BA)vYñΣ¡≈ΩTß WebSEAL °AC

A–C ∩ –c ∩\αi²zN Policy Director Sq¡≈Ms¿ΩTA±Jw∩ß WebSEAL °AºnD HTTP YC Y]A iv-userBiv-groups Miv-credsC \152yb HTTP Yñúq¡≈(–c)zC

UC°≤A≤ WebSEAL ∩ WebSEAL XG

¶ XA≤ –t ssl –t sslproxy X¼C

¶ Γí WebSEAL °Aú@@P LDAP DCE n²C oi²ß WebSEAL °AOe WebSEAL °A¡≈ΩTC

ΣLX∩ziHB∩AúUCB WebSEAL X\αG

¶ 151yjεsX (–f)z

¶ 152yb HTTP Yñúq¡≈ (–c)z

¶ 154yb HTTP Yñúq IP (–r)z

¶ 154yNÑq@ Cookie eXJf°A (–k)z

¶ 155yΣújpg URL (–i)z

¶ 156yBz Script Mqí URL(–j)z


¶ 160yHXMgBz°A∩ URLz

¶ 162y¼AXΣ (–s, –u)z

¶ 163y∩¼AXⁿwß°A UUID (–u)z

¶ 166yX Windows t (–w)z

jε sX (–f)ϕznjεsX∩gXAz –f ∩C

HUd]°AW websealAíFG

1. nJ pdadminG

# pdadmin
pdadmin> login
ΘJ IDGsec_master
ΘJKXG
pdadmin>

2. server task list ⁿOπeµXIG

pdadmin> server task websealA list
/

3. server task show ⁿOπXΩTG

pdadmin> server task websealA show /
XG /¼GXw¡εG0 - sXn¡εG0 - s@ñu@⌡µⁿG0²G/opt/pdweb/www/docs

4. sXHK≤½µXI]z -f ∩jεsXAHK∩gXG

pdadmin> server task websealA create -t local -f -d /tmp/docs /
Xw≤ /

5. CsXIG

pdadmin> server task websealA list
/

6. πXG


pdadmin> server task websealA show /
XG /¼GXw¡εG0 - sXn¡εG0 - s@ñu@⌡µⁿG0²G/tmp/docs

b HTTP Yñúq¡≈ (–c)–c ∩i²zN Policy Director Sq¡≈Ms¿ΩTAíJw∩X≤Ot°AºnD HTTP YC PolicyDirector HTTP YΩTi²X≤Ot°AWíq Policy Director ¡≈⌡µSw@C

ß°AN HTTP YΩT૨⌠µíAß°AWAíC YΩT૨ CGI ⌠µíΦkAOHu (_) N°e (-)AN “HTTP” K rΩYC HTTP YY¿s⌠C

PD S HTTPYµ

CGI ⌠Ñí í

iv-user = HTTP_IV_USER = qu°WC pGqg

O]úAhw]

“Unauthenticated”C

iv-groups = HTTP_IV_GROUPS = qsMµC $rIj

¿C

iv-creds = HTTP_IV_CREDS = gsXúzΩcNϕ Policy

Director C ú°A

A²ñhíi Authorization

API IsuA≈cvC \

Tivoli SecureWay Policy Director

Authorization ADK Developer ReferenceC

Policy Director S HTTP YpP⌠

HTTP_IV_USERBHTTP_IV_GROUPS M HTTP_IV_CREDS i


CGI íCpGOΣLttmúA\úíσ≤Ao÷q HTTP nDñYⁿC

–c yk–c ∩ⁿwneßí°A Policy Director S HTTP YΩC

–c <header-types>

header-types include the following: all, iv_user, iv_user_l, iv_groups and iv_creds.

í

iv_user úW]uíA@nD HTTP Y

ñ iv-user µΩTC

iv_user_l úπ DN]°íA@nD

HTTP Yñ iv-user µΩTC

iv_groups úsMµA@nD HTTP Yñ

iv-groups µΩTC

iv_creds úΩTA@nD HTTP Yñ

iv-creds µΩTC

: iv_user iv_user_lA²OúnPC

–c all ∩NT¼¡≈ΩTíJ HTTP Y]dñOuWµí (iv_user )C

: ¡HrIjhC únΘJ⌠≤µC

dG

–c all

–c iv_creds

–c iv_user,iv_groups

–c iv_user_l,iv_groups,iv_creds


b HTTP Yñúq IP (–r)–r ∩i²zbX°AnD HTTP YñAíJq IP ΩTC Policy Director HTTP YΩTi²X≤Ot°AWíA IP ⌡µSw@C

ß°AN HTTP YΩT૨⌠µíAß°AWAíC YΩT૨ CGI ⌠µíΦkAOHu (_) N°e (-)AN “HTTP” K rΩYC HTTP YY¿s⌠C

: IP ú@wNϕq≈C IP iαNϕ Proxy °A⌠⌠α½ (NAT) C

PD S HTTP

CGI ⌠Ñí í

iv-remote-address HTTP_IV_REMOTE_ADDRESS

q IP CiαNϕ Proxy

°A⌠⌠α½ (NAT) IP

C

–r ∩iⁿwneßí°AiJnD IP C∩ún⌠≤C

NÑq@ Cookie eXJf°A (–k)Web JfOújqHΩMA°AC –k ∩i²zN Policy Director Ñq@ cookie]O≤qMWebSEAL ºíeßJf°ACe∩wiΣ WebSEAL H Plumtree Corporate Portal MΦºíπXC

ϕqVJf°AnDHΩMµAJf°As

ΣLiúΣA$ WebSEAL O@í°AABoΩMµCÑq@ cookie ie\Jf°ANϕqAVoí°Aiµ≥Kµ@nJC


ϕzb WebSEAL MßJf°AXA[J –k ∩A²Oún⌠≤C

tmJf°AnN¼pG

¶ YnzLWMKXsAzuϕµv

OC3u≥O (BA)vC

¶ webseald.conf tm [session] q¿ñ ssl-id-sessions]w “no”C∩≤ HTTPS qHA]wjεÑq@ cookieAú SSL Ñq@ ID @Ñq@¼AC

¶ pGJf°AeO$ WebSEAL O¿AFailover ¼ cookieC Failover cookie ]t[KΩTAi²BznD⌠≤ WebSEAL °A¿OC

Σújpg URL (–i)w]AbMsεAPolicy Director ° URL jpgC bBz∩Xß°AnDA –i ∩ⁿw WebSEAL ° URL újpgC

ϕzbXW]w∩AWebSEAL bσR URL Lkjpgr$C w]AWeb °AQwjpgC

÷Mjí≈ HTTP °AúΣN URL wqjpgHTTP WµA²Y HTTP °A° URL újpgC

pAbújpg°AWAUCΓ URLG

http://server/sales/index.htm

http://server/SALES/index.HTM

Q°P URLC oµnzNPsε

(ACL) ±boΓ URL WC

bH –i ∩X≤Ot°AßAWebSEAL N V°A URL °újpgC


Bz Script Mqí URL (–j)í WebSEAL Bz Script ú∩M°A∩]ß°AWΩΦíC

¶ yDIz

¶ 157yHX Cookie Bz°A∩ URLz

¶ 159yH Script LoBz∩ URLz

¶ 160yHXMgBz°A∩ URLz

DIϕqsX Web °AAΩTiαO@δ HTMLGBqí (applet) O ScriptC Web yzyÑ]A JavascriptsBVBscriptsBASPBJSP M ActiveXC

HTMLBScript applet ú⌠≤iα]t∩ß°ALBWºΣLΩ (URL)C URL ϕíiHUCµíXG

¶ ∩

¶ ∩

¶ °A∩

ß°A@¿\ípOAURL O∩]tOΣXΩTC WebSEAL dt≤d≥sxúΩTº URLAbAϕúX¡≈ΩTC

H∩µíϕ URL qún WebSEAL ⌠≤@C H

∩°A∩µíϕ∩ß°ALkQ¿A

]l URL ú]tX÷ΩTC oú TaXApP≤ WebSEAL °AWº½≤nDC

∩ URL ϕíd]N&¿\G


abc.html ../abc.html

./abc.html sales/abc.html

∩ URL ϕíd]nXΩTG

http://www.tivoli.com/abc.html

°A∩ URL ϕíd]nXΩTG

/abc.html /accounts/abc.html

WebSEAL HUCΦíBzAú∩°A∩ URLG

¶ RA HTML

$≤ HTML OσrQ÷aσRA] WebSEAL bAϕN TXΩT [ URLC\168yqX°ALoRA HTML URLzC

¶ Script Mqí

$≤ Script °Ao WebSEAL b∩O∩ URLM°A∩ URL ϕíqß°AqiµLo@WAϕFvC bAϕAtm

WebSEAL úXΩTC

: Web Script í]pv∩Aú URL ∩]D∩°A∩C

HX Cookie Bz°A∩ URLbUCΩñA≤ß°AW Script Aú°A∩URL ϕíC ϕOíXqAWebSEAL Lk[H@C $≤Σú]tXΩTA]q Oϕ

Φíú T URLC


pGqnDⁿwΩAWebSEAL Nú Ta ]ⁿVC bLkΣºßAªuΣ

úvqC

–j ∩úH cookie ≥ªMΦABz Web Script bX°AWAúBbq≈W⌡µ°A∩

URLC

@δykG

pdadmin> server task <server-name> create ... –j ...

w∩C@nDAúeXOXqC cookie ]tUCMG

IV_JCT_<backend-server-name> = </junction-name>

ϕq URL úXnDAWebSEAL YHΣlµíBz URLCϕ WebSEAL ΣúΩAY cookie úXΩT½nDCQ URL ϕíñ TXΩTANiQΣΩC

U íoLo°A∩ URL MΦ

25. Script úBSLo URL


WebSEAL ú@úOH cookie ≥ªºMΦ NΦABz°A∩ URLC \160yHXMgBz°A∩ URLzC

H Script LoBz∩ URLWebSEAL nBtm)αBzAúBqLX∩URLC webseald.conf tm]ti∩ URL ºLoG

[script-filtering]
script-filter = no

w]Aw Script LoC Yn Script LoA]wG

script-filter = yes

: Pz –j ∩Pß°AXCXOX cookie eq]D Script Lo≈εn@C

script-filter ≈εⁿπ⌡B°ABΩµí∩URLG

http://server/resource

26. Lo°A∩ URL


script-filter ≈εH TXΩTN⌡M°Aí≈C

/junction-name/resource

oMΦnBBzíAiα∩αút

vTC ¡εu∩nΣ∩ URL LoX

script-filter C

U í URL LoMΦG

HXMgBz°A∩ URLPolicy Director w∩Lo°A∩ URLAú@H cookie ≥ªMΦº∩ΦC ziXMgϕAΣM

gSwΩXWC

WebSEAL Ht≤XMgϕΩAd°A∩ URL ñmΩTC pG URL ñ⌠ΩTPϕµñAWebSEAL NNnD VPm÷pXC

ϕµO@ jmt.conf ASCII σrC mOⁿw≤ webseald.conf tm [junction] q¿ñG

27. Lo∩ URL


jmt-map = lib/jmt.conf

ϕµñΩºµí$XWBµΩm¼

¿C z]iHUr$ϕΩm¼C

bUCXMgtmdñAΓíß°Ab /jctA M

/jctB ÑmX WebSEALG

#jmt.conf
#<junction-name> <resource-location-pattern>
/jctA /documents/release-notes.html
/jctA /travel/index.html
/jctB /accounts/*
/jctB /images/weather/*.jpg

l jmt.conf MgϕO@CbsWΩºßAz jmt load ⁿOuⁿJvΩAHK²

WebSEAL sΩTC

pdadmin> server task <server-name> jmt load
JMT table successfully loaded.

UC°≤A≤XMgϕMΦG

¶ MΦún –j ∩X cookie

¶ Mgϕ$wz]w

¶ MΦúBzH∩ URL

¶ b Web íX Web í°AñAΩm¼úO@

¶ pGñ½¼AhúⁿJMgϕC úLA

WebSEAL /≥⌡µC

¶ pGbⁿJMgϕAhLkMgϕC úLA

WebSEAL /≥⌡µC

¶ pGMgϕOAOϕµñAhúⁿJMg

ϕC úLAWebSEAL /≥⌡µC


¶ bⁿJMgϕo⌠≤ú Pú WebSEAL °AΘx]webseald.logñC
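An added example, not WebSEAL's own implementation, of resolving a server-relative URL against a jmt.conf-style junction mapping table as described in this section; it embeds a copy of the sample table above, uses the shell's glob matching for the * wildcard, and assumes (the chapter does not state precedence) that entries are tried in table order and the first match wins.

```shell
#!/bin/sh
# Added example, not WebSEAL's own implementation: resolve a server-relative
# URL against a jmt.conf-style junction mapping table. Each non-comment line is
# "<junction-name> <resource-location-pattern>"; the pattern is matched with the
# shell's glob rules, which cover the "*" wildcard used in the chapter's sample.
# Assumption (the chapter does not state precedence): entries are tried in
# table order and the first match wins.

# Constructed copy of the sample table from this section.
JMT_SAMPLE='#jmt.conf
#<junction-name> <resource-location-pattern>
/jctA /documents/release-notes.html
/jctA /travel/index.html
/jctB /accounts/*
/jctB /images/weather/*.jpg'

# jmt_resolve URL [TABLE]
#   Prints the URL with the matching junction name prefixed and returns 0.
#   With no match it prints the URL unchanged and returns 1: this is the case
#   WebSEAL has to leave to its other mechanisms (the -j cookie, for instance).
jmt_resolve() {
    url=$1
    table=${2:-$JMT_SAMPLE}
    if printf '%s\n' "$table" | {
        while read -r jct pattern rest; do
            case "$jct" in
                '' | '#'*) continue ;;               # blank line or comment
            esac
            # An entry without a pattern is malformed; it is skipped here
            # (WebSEAL reports table-loading problems in webseald.log).
            [ -n "$pattern" ] || continue
            case "$url" in
                $pattern) printf '%s%s\n' "$jct" "$url"; exit 0 ;;   # first match wins
            esac
        done
        exit 1                                        # nothing matched
    }; then
        return 0
    fi
    printf '%s\n' "$url"
    return 1
}
```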

¼AXΣ (–s, –u)jí≈ Web íAú@qº HTTP nDu¼AvC ÑAo¼AG

¶ zL CGI íúΩΘJϕµAli

¶ b⌡µ@tCΩwdA@WUσ

¶ bHNs²∩½uW½«íñA

@@≈½Mµ

is⌡µ Web ºí°AAHKzLtⁿ¡uWiαC ϕ WebSEAL °AúXosß°AAªTOt≤qÑq@nDúα

T°AAB¡ΩyqWhAúbsß°A

ºíeC

w]APolicy Director NnDei°AA¡ß°AtⁿC Policy Director “least-busy”tΓkCotΓkNC@snD V+suwb

iµñ°AC

a –s X create ⁿOm½¡ΩyqWhA@u¼AXvAΣTObπÑq@Aqn

DúαP@í°ACϕolqnDA

WebSEAL N cookie ±btⁿwºß°A UUID ºqtWC ϕq∩P@ΩúXi@BnDAcookie UUID ΩTYiTOΩα@PeP@íß°AC

–s ∩A≤bP@XXhíß°Aºµ@eWebSEAL °AC NA@)lXQ¼AAN add ⁿO]úa –s ∩ANlß°AXP@XC


pGΩtAhíe WebSEAL °AAíúXP@íß°AAz –u ∩A TaNC@ß°AUUID ⁿwC@íe WebSEAL °AC \y∩¼AXⁿwß°A UUID (–u)zC

∩ ¼AXⁿwß°A UUID (–u)b∩ß Web í°AFsXAWebSEAL qú@u@sOX (UUID)vOß°ACo UUID ObíA@¼AX]create–sC

ϕolqnDAWebSEAL N cookie ±btⁿwºß°A UUID ºqtWC ϕq∩P@ΩúXi@BnDAcookie UUID ΩTYiTOΩα@PeP@íß°AC

ϕhíe WebSEAL °AXhíß°AA¼AXBz@o≤°C qAe WebSEAL °Asß°AºíC@XAúß°Aú@

@ UUIDC oϕ@íß°AbC@íe WebSEAL°AWúúP UUIDC

híe°An¡Ωyq≈εAHKbΓí°Aºí

etⁿC pAiSw UUIDBzL WebSEAL °A1 ∩ß°Alu¼AvC

28. ¼AXß°A UUID


MApG¡Ωyq≈εzL WebSEAL °A 2 eP@qi@BnDAhúD WebSEAL °A 2 P@ UUID OP@íß°AAhu¼AvNúAsbC qAúooípC

–u ∩i²z∩Swß°AC@íe WebSEAL °AAúP UUIDC

ÑAΓíse WebSEAL °AAC@íú∩Γíß°A¼AXC ϕzb WebSEAL °A 1 Pß°A 2 ºí¼AXAú@@UUID]UUID AHOß°A 2FMAb WebSEAL °A 2 Pß°A 2 ºíF¼AXAú@sBúP UUID (UUID B) HOß°A 2C

pGqß≥nDOzL WebSEAL °A 2 eAhbqPß°A 2 ºíBzL WebSEAL °A 1 u¼AvNóC

MUCBzAibXíⁿw UUIDG

29. Dⁿ UUID


1. q WebSEAL °A 1 ß°AXC

create –s M addC

2. CbBJ 1 íC@íß°Aú UUIDC

showC

3. q WebSEAL °A 2 C@íß°AXAⁿwbBJ 2 ñO UUIDC

create –s –u M add –uC

bU ñAß°A 1 Q WebSEAL-1 WebSEAL-2 °UUID 1Cß°A 2 Q WebSEAL-1 WebSEAL-2 °UUID 2C

dGbHUdñA

¶ WebSEAL-1 WS1

¶ WebSEAL-2 WS2

¶ ß°A 1 APP1

¶ ß°A 2 APP2

30. ∩¼AXⁿwß°A UUID


pdadmin> server task webseald-WS1 create –t tcp –h APP1 –s /mnt
pdadmin> server task webseald-WS1 add –h APP2 /mnt
pdadmin> server task webseald-WS1 show /mnt

]oª UUID1 M UUID2

pdadmin> server task webseald-WS2 create –t tcp –h APP1 –u <UUID1> –s /mnt
pdadmin> server task webseald-WS2 add –h APP2 –u <UUID2> /mnt

ϕqPß°A 2 ¼AsuAª¼@]t UUID2 cookieC bAezdTOqN&sß°A 2ALi@BnDOzL WebSEAL-1 WebSEAL-2 eC

X Windows t (–w)WebSEAL URL ñⁿw⌠A∩eXß°AqnD⌡µwdC $≤ Win32 túΓúPs°WΦkAiαMwdC

@ΦkTπW]abcdefghijkl.txtCGΦkí 8.3 WµíAHπVe]abcdefx1.txtC

ϕzb Windows ⌠ñXA¡εuαsε@½≤ϕABúie\ñLw≈εußviαC

–w ∩úⁿ 8.3 WµíC úiWu]8.3íK°WWT ACLC °ANbΘJ⌠≤uíWWu403 TεvC

b Windows ñAW “foo.” Q°PW “foo” PC–w ∩²q URL ñWñúIAMßAenDß°AC ACL dO≥≤SIWC

: Win32 újpgD (abcde.txt = AbCdE.txt) izL –i ∩MC\155yΣújpgURL (–i)zC


dGb Windows NT 4.0 WA]izLUC⌠s \ProgramFiles\Company Inc.\Release.Notes G

1. \program files\company inc.\release.notes

2. \program files\company inc\release.notes

3. \prograx1\companx2\releasx3.not

Wzd 1 íuújpgvvTAΣ$ –i ∩]D–wªC

d 2 í Windows NT ñIípC

d 3 í Windows NT @bWñútµBX8.3 µíOW]w∩ DOS eΦíC

–w ∩ªd 2 M 3 íτbwC–w ∩ⁿw∩X°AnD URL ñAúe\ñIHs]t tilde W]xYuWC

WebSEAL XNNG

¶ ybP@XWⁿhí°Az

¶ 168yqX°ALoRA HTML URLz

¶ 169yjε\ivqLXz

¶ 169yzLXiµOz

bP@XWⁿhí°AziHbP@XWⁿhís°AC bP@IWi

ⁿ°Aú¡C

b@XWⁿ°AúO]ΦM Web íABPqH≤w—HTTP HTTPSC únbP@XWⁿúⁿ°AC


bDn Policy Director °A Web íñAs≤X°AC zα≈so]ϕMπ\ivA

oπ@PC pGYΣúA

∩AhϕAϕsC

dσ≤sbABbsΓí°Aºσ≤≡ñúO

PC

qX°ALoRA HTML URLNuLoqX°A¼ mime ¼ “text/html” RAσ≤C

WebSEAL i∩ URL 2 Gu∩vMu°A∩vC

¶ °A∩ URL H∩≤X°Aσ≤²AⁿXURL mApG

/dir/file.html

∩o URL HMX°AXIApG

/jct/dir/file.html

¶ ∩ URL H∩≤D≈W IP H⌠⌠≡AⁿXURL mApG

http://servername[:port]/file.html, or https://servername[:port]/file.html

UCWh∩o URLG

1. pG URL O HTTPABD≈/≡XH TCP X°AAN∩ URL HMXIApG

/jct/...

2. pG URL O HTTPSABD≈/≡XH SSL X°AAN∩ URL HMXIApG

/jct/...

3. NuLowq≤ iv.conf º TAG/∩ URLC


4. META h&OF≤snDLoApG

5. pG BASE ]t HREF AhNq∩qñúC

zLX°ALo URL Ob webseald.conf tm[filter-url] q¿ñC

[filter-url] q¿t@≈ HTML MµAWebSEAL °A[HLo∩πzLX°Ao∩ URLC

w]Atm HTML C ziαnsW]t URL B HTML C

t\156yBz Script Mqí URL(–j)zC

jε\ivqLXzLkjεY Policy Director \ivqLXCpAzLkHx \ivε CGI Script ⌡µAH l \ivε²CCWebSEAL S⌠≤ΦkiHT7Pwbß°AWnD½≤O]pCGI íBA²°ϕ@δ HTTP ½≤C

uzL r \ivA)iεqLX∩½≤]]A CGI íM²°ϕsC

zLXiµObwñAWebSEAL tmFw]HC

webseald.conf tm [ssl] q¿ñ webseal-cert-keyfile-labelNⁿw@ñ°AC

<META HTTP-EQUIV="Refresh" CONTENT="5;URL=http://server/url">


pGXßí°AnqO WebSEAL¡Az² iKeyman íBwMCMßA –K <key-label> ∩tmXC\144y¼O SSL Xz

pG –K tmXAGSKit e]t≈Ωwuw]vAHKBz¼OnDCpGoúOn

AzTw≈Ωw (pdsrv.kdb) ñSQuw]]πPC

G

¶ zLWOnC

¶ únN≈Ωwñ⌠≤uw]vC

¶ webseal-cert-keyfile-label ε WebSEAL °AC

¶ zL –K X∩ε WebSEAL qC

∩≤Ot°A query_contentspGzQ Policy Director wAíO@≤Otí Web íΩAz∩ WebSEAL ú≤Ot Web íºe÷ΩTC

@ query_contents CGI íúoΩTCquery_contents íjM≤Ot Web íeAúowsΩT WebSEAL W Web Portal ManagerC oíH ≤ WebSEAL wíA²HΓΦíwb≤Ot°AWC °≤Ot°A@tO UNIX Windows úPí¼C

Cϕbu½≤ívzeñiNϕXuⁿO@½≤

íví≈AWeb Portal Manager u½≤ívzíY


⌡µ query_contentsC bAWeb Portal Manager wD÷≤≤OtííeAziπoΩTAM

hdAϕ½≤C

w query_contentsqw query_contents DµCΣw@]AN PolicyDirector °Añ@Γs≤Ot°AAHsΦtmC

UC Policy Director ²]tídG

UNIXG <install-path>/www/lib/query_contents

WindowsG <install-path>\www\lib\query_contents

²e]AG

(F) í
query_contents.exe Win32 tDni⌡µíC wb≤Ot Web °A cgi-bin ²ñC
query_contents.sh UNIX tDni⌡µíC wb≤Ot Web °A cgi-bin ²ñC
query_contents.c líXC úlíXOHz∩ query_contents µC bjí≈ípUANúnoíXC
query_contents.html HTML 桡C
query_contents.cfg O Web °Aσ≤l²dtmC

b≤Ot UNIX °AWw query_contentsbUC²ñMΣ Shell Script query_contents.shG

<install-path>/www/lib/query_contents

1. N query_contents.sh s≤Ot Web °AW@ñ /cgi-bin ²C


2. ú .sh WC

3. Web °Azbß]w UNIX ⌡µ$C

b≤Ot Win32 °AWw query_contentsbUC²ñMΣi⌡µ query_contents.exe tmquery_contents.cfgG

WindowsG <install-path>\www\lib\query_contents

1. Tw≤Ot Web °Awg Ttmn CGI ²C

2. w∩ATw≤Ot Web °Aσ≤²ñsbσ≤C

3. N query_contents.exe s≤Ot Web °A CGI²ñC

4. N query_contents.cfg s Windows ²C

÷²w]úUϕG

@t Windows ²

Windows 95 c:\windows

Windows NT 3.5x c:\winnt35

Windows NT 4.x c:\winnt

5. sΦ query_contents.cfg H Tⁿw≤Ot Web °Aσ≤²C

e]t Microsoft Internet Information Server Netscape FastTrack °AdC oñH

];YUµOAquery_contents íú[HBzC

tm

1. q Win32 ≈W MS-DOS úñApUq CGI ²⌡µ query_contents íG

MSDOS> query_contents dirlist=/


XⁿHUΘXG

100
index.html
cgi-bin//
pics//

r 100 Oϕ¿\¼AC+ r 100 O@]BiαO@@O½nC

pG OXANϕtmmA

]tσ≤lC d query_contents.cfg tmATwσ≤²sbC

2. bs²ñAΘJUC URL

http://<win32-machine-name>/cgi-bin/query_contents.exe?dirlist=/

BJPe@BJPGC pGªS

GAYϕz Web °A CGI tmú TC \°Aíσ≤≤ DC

q query_contentsquery_contents u@Ot≤ URL nD²eC

pAo°Aº Web í²ºeAs²bpHU URL W⌡µ query_contentsG

http://third-party-server/cgi-bin/query_contents?dirlist=/

query_contents Script ⌡µUC@G

1. ¬ CGI ⌠ $SERVER_SOFTWARE Pw°A¼C

Web °A¼A $DOCROOTDIR ]σ¼σ≤²mC

2. qnD URL ñ¬⌠ $QUERY_STRINGAHonD@Ao½≤⌠C


@xsb $OPERATION ñA½≤⌠xsb

$OBJPATH ñC bWñA$OPERATION dirlistA$OBJPATH “/”C

3. b½≤⌠W⌡µ²Mµ]lsANGm≤ΘXWAH Policy Director °AC [u (//) ϕl²C

σ¼ΘXⁿUíG

100
index.html
cgi-bin//
pics//

r 100 Oϕ¿\¼AC
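The listing step described above, as an added example rather than the query_contents.sh shipped with Policy Director: a minimal query_contents-style lister that takes the document root and query string as parameters (in place of $DOCROOTDIR and $QUERY_STRING), refuses paths that would escape the document root, and prints the 100 status line followed by one object per line with subdirectories marked by a trailing //. The demo function builds a constructed document root that matches the sample output above.

```shell
#!/bin/sh
# Added example: a minimal query_contents-style lister. This is NOT the
# query_contents.sh shipped with Policy Director; it only reproduces the output
# format the chapter describes: a status line ("100" = success), then one
# object per line, subdirectories marked with a trailing "//".
# The document root and query string are parameters here (the real CGI reads
# $DOCROOTDIR and $QUERY_STRING) so the function runs offline.

# qc_list DOCROOT QUERY_STRING
#   Prints the listing on stdout and returns 0; returns 1 (printing nothing)
#   for an unsupported operation, a path that escapes DOCROOT, or a missing dir.
qc_list() {
    docroot=$1
    query=$2
    case "$query" in
        dirlist=*) objpath=${query#dirlist=} ;;   # $OPERATION=dirlist, $OBJPATH=rest
        *) return 1 ;;                            # only dirlist is implemented here
    esac
    # Refuse ".." segments so a request cannot list outside the document root.
    case "/$objpath/" in
        */../*) return 1 ;;
    esac
    fullobjpath="$docroot/$objpath"               # the $FULLOBJPATH of the chapter
    [ -d "$fullobjpath" ] || return 1
    printf '100\n'
    # Plain entries plus dot-files; unmatched globs are skipped by the -e test.
    for entry in "$fullobjpath"/* "$fullobjpath"/.[!.]*; do
        [ -e "$entry" ] || continue
        name=${entry##*/}
        if [ -d "$entry" ]; then
            printf '%s//\n' "$name"               # directory marker, as in the sample
        else
            printf '%s\n' "$name"
        fi
    done
}

# qc_demo: build a constructed document root that matches the sample output
# (index.html, cgi-bin/, pics/) in a temporary directory and list it.
qc_demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/cgi-bin" "$root/pics"
    : > "$root/index.html"
    qc_list "$root" 'dirlist=/'
    rm -rf "$root"
}
```

Call qc_demo to see the listing; entries are emitted in glob order, so cgi-bin// precedes index.html.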

qσ≤²UNIXG

Ynq UNIX °A query_contents.shAziα∩σ≤²]wC

pG query_contents ¼A]100 HrABSCAnd Script ∩ $DOCROOTDIR AHXz°AtmC

pGσ≤²ⁿwLA² Script /MóAh cgi-bin mWµiαú TCd $FULLOBJPATH A∩ⁿwªAHM T cgi-bin mC

WindowsG

Ynq Windows °A query_contents.exeA∩query_contents.cfg C

Σª\αquery_contents ílíX]query_contents.cOMPolicy Director @eAút¼OC


íñiα[JΣL\αAHΣYΣL≤Ot Web °ASϕSC oS]AG

1. ²Mg — Σñ@Dσ≤²U ²Mg

Web íC

2. ú@DHt≥ª Web íC

oOw∩HΩwD Web °AÑC

O query_contentsPolicy Director query_contents CGI íb Web PortalManager ñπX Web °A½≤íCOwHKgv⌡µOD½nC

zNwh]wue\uz°A (pdmgrd)v¡)iHs query_contents íCHUd ACL (query_contents_acl) NXhG

group ivmgrd-servers Tl

user sec_master dbxTrlcam

pdadmin íN ACL [X°Aquery_contents.sh (UNIX) query_contents.exe (Windows) ½≤Cp (UNIX)G

pdadmin> acl attach /WebSEAL/<host>/<junction-name>/query_contents.sh query_contents_acl


Web µ@nJMΦ

ϕzN WebSEAL Ω@ Proxy °AHKw⌠úO@Azq]M Web Ωµ@nJDCQFWebSEAL Proxy tm Web íµ@nJMΦCdñ]tFSOtmXBsnJM LTPAC

DDG

¶ yw∩µ@nJMΦtm BA Yz

¶ 183ysnJ (GSO)z

¶ 188yw∩ IBM WebSphere (LTPA) µ@nJz

w∩µ@nJMΦtm BA Yí –b ∩AqL WebSEAL ºµ@nJtmiαMΦC

¶ 178yµ@nJ (SSO) ºz

¶ 178yb BA Yñúq¡≈z

¶ 179yúq¡≈MPKXz

¶ 181yαlq BA YΩTz

¶ 182yúq BA YΩTz

¶ 183yq GSO úWMKXz


µ@nJ (SSO) ºϕⁿO@Ω≤ß Web í°AWAi∩nDΩqnD⌡µh½nJ — @w∩ WebSEAL °AA@w∩ß°AC C@nJúiαnúPnJ¡

≈C

z@h½nJ¡≈DgiHµ@nJ (SSO) ≈ε≥oMC µ@nJMΦi²@ lnJYi

sΩ]LΩmb≤BC iMíBzß

°A⌠≤i@BnJDC

b BA Yñúq¡≈zitm WebSEAL XA∩ß°Aúlg∩q¡≈ΩTC ]w –b ∩Ai²zb HTTPu≥O (BA)vYñúSwq¡≈ΩTC

¡zAzRz⌠⌠tmMwDAPw∩U

CD¬G

1. ß°AOnOΩTH

]WebSEAL HTTPu≥OvYFOΩTC

2. pGß°AnOΩTAhoΩT≤BH

]WebSEAL b HTTP Yñ±J8≥ΩTH

31. h½nJ


3. OO WebSEAL Pß°AºísuH

]TCP SSL XH

bqP WebSEAL ºílOºßAWebSEAL Yimsu≥OvYC nD≥qLXß°AP

AsYC ziH –b ∩ⁿwosYnú≤SwOΩTC

úq¡≈MPKX–b supply

–b supply ∩ⁿ WebSEAL úgO Policy Director W]ql¡≈PRABP]ΩKXC

ΩñúlqKXC

PKXoKXzAvΣíC uΩ

vKXO]wb webseald.conf tm

basicauth-dummy-passwd ñG

[junction]
basicauth-dummy-passwd = <password>

oΩ ]ß°An Policy Director ¡≈OCWebSEAL $NqMgw Policy Director Azß°AOAHú÷⌠µ@nJ

MΦC

32. úOΩTß°A


MΦUC°≤G

¶ wN WebSEAL tmG∩ß°Aút≤lqnDWA[WP]ΩKXC

¶ uΩvKXtm≤ webseald.conf tmñC

¶ ß°An²δb HTTP BA Yñú PolicyDirector ¡≈C

¶ $≤≈KOΩT]WMKXqLXA]

XwD½nCÑO SSL XC

¡εnDíP Policy DirectoruΩvKXFbß°An²ñíπPKXC @δuΩv

KXAúα∩í°AHWnJºq

Xkú⌠≤≥ªC

pGq&qL WebSEAL sß°AAhoMΦúX⌠≤wDC úLAqΣLiαsΦkΩO

ß°AOD½nC

33. BA Y]t¡≈MuΩvKX


$≤ΩSKXhwA]ß°A@Lh

H⌠ WebSEAL τqXkC

ß°An²]δ Policy Director ¡≈HKⁿªC

αlq BA YΩT–b ignore

–b ignore ∩ⁿ WebSEAL Nlqu≥O(BA)vYß°AAúⁿ⌠≤zZC ziN

WebSEAL tmO BA qΩTñqúBA YAMßNY]@∩αß°AC

: oúOu µ@nJ≈εAO∩ WebSEAL zqanJ≤Ot°AC

MΦUC°≤G

¶ ß°AnzL BA q¡≈ΩT

ß°ANu≥OvtqCqH

WebSEAL °A[∩qLºWMKX@C

¶ ß°A@ΣvBqúKX

¶ wN WebSEAL tmG∩ß°Aút≤lqnDWMKXC

¶ $≤≈KOΩT]WMKXqLXA]

XwD½nCÑO SSL XC


úq BA YΩT–b filter

–b filter ∩ⁿ WebSEAL q⌠≤qnDñúu≥OvYΩTAMßANnDαß°AC bΩ

ñAWebSEAL ¿µ@wúC

MΦUC°≤G

¶ wbqP WebSEAL ºítmu≥Ov

¶ ß°Aúnu≥Ov

¶ uzL WebSEAL )αsß°A

¶ WebSEAL Nϕß°ABzO

34. WebSEAL αlq¡≈ΩT


pGz∩ß°AúYqΩTAziN∩P

–c ∩XAN Policy Director q¡≈ΩTíJ HTTP YµC\152yb HTTP Yñúq¡≈(–c)zC

q GSO úWMKX–b gso

–b gso ∩ⁿ WebSEAL ∩ß°AúOΩT]WMKXAΩTOqQ]wBzsnJ]GSO°AñoC

MΦUC°≤G

¶ ß°AínúPWMKXAo

Ωút≤ WebSEAL n²ñC

¶ L∩ WebSEAL Mß°AÑAwúD½nC

$≤≈KOΩT]WMKXqLXA]

XwD½nC ÑO SSL XC

ysnJ (GSO)zñ≈επíC

snJ (GSO)Policy Director Σ@uµ@nJMΦAΣSΓπ∩ß Web í°Aú NWMKXαOC

35. úq BA YΩT


n²º¼Aoµ@nJMΦHΓ

ΦíⁿΣIµG

¶ H DCE n²O⌠ – Tivoli Global Sign-On (GSO)ú

¶ H LDAP n²O⌠ – LDAP ²úusnJvΣ

usnJvPsΣgvpΓΩ — zLµ

@nJC GSO Yw∩$ºΦBíBΓ⌠hítMí¿ºj¼°]pAΣ°@δzh

WMKXºC

πXOzLb WebSEAL Pß Web °Aºí “GSOaware” XF¿C ² Web Portal Manager GSOΩM GSO ΩsC

ϕ WebSEAL ¼∩≤X°AWºΩnDAWebSEAL nD GSO °AúXAϕOΩTC GSO °At@MgΩw—w∩C@wnO—ΣúSwΩMí NWMKXC

U íp≤ GSO ≈εßíΩºWMKXC

1. qHsß°AWºíΩnDA∩

WebSEAL OC o Policy Director ¡≈C

: µ@nJBzPlOΦkUWB@C

2. WebSEAL Policy Director ¡≈ GSO LDAP °AC

3. °AA≤nDíΩWMKXC

4. WebSEAL NWMKXΩTAíJqLXeß°AºnD HTTPu≥OvYñC


MgOΩTUCdí GSO ∩ WebSEAL úOΩTΦíC pG Michael Qn⌡µ travel-app íΩ]\ 36AWebSEAL V GSO / LDAP °A Michael OΩTC

GSO / LDAP °A@@πOΩTΩwAΣΩTíOΩ∩SwOΩTMgCOΩTOW / KXXASΩC uαwnOΩ

C

°At@ Michael ΩwAΣMgΩ travel-app SwΩC

36. snJ≈ε


Uϕí GSO ΩΩwcG

Michael
  ΩGtravel-app  W=mike   KX=123
  ΩGpayroll-app W=powell KX=456

Paul
  ΩGtravel-app  W=bundy  KX=abc
  ΩGpayroll-app W=jensen KX=xyz

bñAGSO W “mike” MKX “123” WebSEALCϕ WebSEAL beqLXß°AnDñcu≥OvYAoΩTC
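An added example (not WebSEAL code) showing, for the –b supply, ignore, filter and gso junction modes described in this chapter, which Authorization header a back-end server ends up receiving. The GSO table reproduces the Michael/Paul entries above; the dummy password and the client's header are constructed stand-ins for basicauth-dummy-passwd in webseald.conf and for the client's own request.

```shell
#!/bin/sh
# Added example, not WebSEAL code: how the -b junction option decides what
# "Authorization: Basic" header a back-end server sees, covering the -b supply,
# ignore, filter and gso cases from this chapter. The GSO table, the dummy
# password and the client header are constructed here; WebSEAL takes them from
# the GSO/LDAP server, from basicauth-dummy-passwd in webseald.conf and from
# the client request respectively.

# Constructed GSO credential store: "<pd-user> <gso-resource> <username> <password>"
# (the Michael/Paul example from this chapter).
GSO_TABLE='michael travel-app mike 123
michael payroll-app powell 456
paul travel-app bundy abc
paul payroll-app jensen xyz'

# Constructed equivalent of [junction] basicauth-dummy-passwd in webseald.conf.
BASICAUTH_DUMMY_PASSWD='dummy'

# gso_lookup PD_USER RESOURCE
#   Prints "username:password" for the user's entry for that GSO resource
#   (the junction's -T value) and returns 0; returns 1 when there is none.
gso_lookup() {
    printf '%s\n' "$GSO_TABLE" | {
        while read -r pduser res name pass; do
            if [ "$pduser" = "$1" ] && [ "$res" = "$2" ]; then
                printf '%s:%s\n' "$name" "$pass"
                exit 0
            fi
        done
        exit 1
    }
}

# ba_header MODE PD_USER RESOURCE CLIENT_HEADER
#   Prints the Authorization header line the back-end receives for the given
#   -b mode, or nothing when the header is removed. Returns 1 when -b gso has
#   no credential for the user, 2 for an unknown mode.
ba_header() {
    mode=$1; pduser=$2; resource=$3; client_hdr=$4
    case "$mode" in
        supply)  cred="$pduser:$BASICAUTH_DUMMY_PASSWD" ;;   # PD identity + dummy password
        gso)     cred=$(gso_lookup "$pduser" "$resource") || return 1 ;;
        ignore)  printf '%s\n' "$client_hdr"; return 0 ;;   # client header passed through
        filter)  return 0 ;;                                # header stripped from the request
        *)       return 2 ;;
    esac
    printf 'Authorization: Basic %s\n' "$(printf '%s' "$cred" | base64)"
}
```

With -b supply the back-end must therefore accept the dummy password only from WebSEAL, which is why the chapter recommends an SSL junction and a back-end configured to trust that identity.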

tmw GSO WebSEAL XGSO Σtm≤ WebSEAL Pß°AºíXC

Yn GSO XAa –b gso ∩ create ⁿOC UCdí create ⁿOykG

create –t tcp –h <host-name> –b gso –T <resource> <jct-point>

HUC]w GSO X∩G

∩ í
–b gso ⁿw GSO úqLXºnDOΩTC
–T <resource/resource-group> ⁿw GSO ΩΩsC @∩ºΩWP GSO ΩwñCΩWC O gso XnC

zL SSL ib WebSEAL/GSO MΦñXwLAΦkbX [aM –t ssl ∩C

z& SSL Xft GSOAHTO∩Ω[KC


Example GSO junctions

Create a GSO junction for the travel-app resource on host sales_svr at junction point /sales:

create -t tcp -b gso -T travel-app -h sales_svr /sales

Create a GSO junction for the payroll-app resource on host adm_svr at junction point /admin, secured with SSL:

create -t ssl -b gso -T payroll-app -h adm_svr /admin

Note: In the example above, the -t ssl option specifies the default port 443.

Configuring the GSO cache

The GSO cache lets you improve the performance of GSO junctions in a high-load environment. By default, the GSO cache is disabled. Without the cache, each request across a GSO junction requires a call to the LDAP server for the GSO authentication information (the GSO user name and GSO password).

The GSO cache is configured in the [gso-cache] stanza of webseald.conf. You can set the cache size and the lifetime and idle timeout of cache entries. Larger values improve performance in a high-load environment, but keep the authentication information in WebSEAL memory longer. If GSO junctions are not part of your network solution, do not enable the GSO cache.

Parameter                      Description
gso-cache-enabled              Enables or disables the GSO cache. Values are "yes" and "no". Default: "no".
gso-cache-size                 Sets the maximum number of concurrent entries in the cache table. Base this value on the number of concurrent user sessions across the GSO junction. A larger value uses more memory but lets entries be found more quickly. Each entry uses approximately 50 bytes.


Parameter                      Description
gso-cache-entry-lifetime       Maximum time, in seconds, that an entry can remain in the cache regardless of activity. When the entry expires, the next request calls the LDAP server again.
gso-cache-entry-idle-timeout   Maximum time, in seconds, that an inactive entry can remain in the cache.

Configuring single sign-on to IBM WebSphere (LTPA)

Policy Director WebSEAL can provide authentication and authorization services for an IBM WebSphere environment. When WebSEAL is positioned as a protective front-end to WebSphere, users who access WebSphere resources face two potential login points. For this reason, WebSEAL supports a single sign-on solution to one or more IBM WebSphere servers across WebSEAL junctions.

WebSphere provides a cookie-based lightweight third-party authentication mechanism (LTPA). You can configure WebSEAL junctions to support LTPA and provide a single sign-on solution.

When a user makes a request for a WebSphere resource, the user is first authenticated by WebSEAL. After successful authentication, WebSEAL generates an LTPA cookie on behalf of the user. The LTPA cookie, which serves as an authentication token for WebSphere, contains the user identity and expiration information. This information is encrypted with a password-protected secret key shared between WebSEAL and the WebSphere server.

WebSEAL inserts the cookie in the HTTP header of the request sent across the junction to WebSphere. The back-end WebSphere server receives the request, decrypts the cookie, and authenticates the user based on the identity information supplied in the cookie.

To improve performance, WebSEAL can store the LTPA cookie in a cache and use the cached cookie for subsequent requests during the same user session. You can configure lifetime and idle timeout values for the cached cookie.


Configuring an LTPA junction

Single sign-on to WebSphere through LTPA cookies requires the following configuration:

1. Enable the LTPA mechanism.

2. Provide the location of the key file used to encrypt the identity information.

3. Provide the password to the key file.

You can use three options of the create command to supply these three configuration values.

¶ The -A option enables LTPA cookies on the junction.

¶ The -F <"keyfile"> option specifies the full path name of the key file used to encrypt the identity information contained in the cookie. The key file resides on the WebSEAL server. The WebSphere server generates this key file, which you must copy to the WebSEAL server over a secure channel. See the WebSphere documentation for details on generating this key file.

¶ The -Z <"keyfile-password"> option specifies the password to the key file.

The password appears in encrypted form in the junction XML file.

When you create the junction between WebSEAL and the back-end WebSphere server, these options can be combined with other junction options. For example:

create ... -A -F "/abc/xyz/key.file" -Z "abcdefg" ...

Configuring the LTPA cache

Creating, encrypting, and decrypting LTPA cookies imposes a load on the system. The LTPA cache lets you improve the performance of LTPA junctions in a high-load environment. By default, the LTPA cache is enabled. Without the cache, a new LTPA cookie would be created and encrypted for every subsequent request from the same user.

The LTPA cache is configured in the [ltpa-cache] stanza of webseald.conf. You can set the cache size and the lifetime and idle timeout of cache entries. Larger values improve performance in a high-load environment, but keep the information in WebSEAL memory longer.


Parameter                       Description
ltpa-cache-enabled              Enables or disables the LTPA cache. Values are "yes" and "no". Default: "yes".
ltpa-cache-size                 Sets the maximum number of concurrent entries in the cache table. Base this value on the number of concurrent user sessions across the LTPA junction. A larger value uses more memory but lets entries be found more quickly. Each entry uses approximately 50 bytes. Default: 4096.
ltpa-cache-entry-lifetime       Maximum time, in seconds, that an entry can remain in the cache regardless of activity. When the entry expires, the next request creates a new LTPA cookie. Default: 3600 seconds.
ltpa-cache-entry-idle-timeout   Maximum time, in seconds, that an inactive entry can remain in the cache. Default: 600 seconds.

Technical notes for LTPA single sign-on

¶ The key file contains information about a specific WebSphere server. A WebSphere server and an LTPA junction share one key file. If you add several servers at the same junction point, those servers must use the same key file.

¶ For single sign-on to work, WebSEAL and the WebSphere server must share the same user registry information.

¶ The WebSphere server is responsible for setting up LTPA and creating the shared secret key. WebSEAL is responsible for creating and configuring the junction.


Application integration

WebSEAL provides a number of features that let third-party applications integrate with the Policy Director environment. WebSEAL environment variables and HTTP headers allow applications on junctioned servers to perform their own operations based on the Policy Director identity of the user. In addition, WebSEAL provides access control for dynamic URLs, such as URLs that contain query strings.

Topics:

¶ "Supporting CGI programming"

¶ "Supporting back-end server-side applications" (page 193)

¶ "Dynamic Business Entitlements" (page 194)

¶ "Customizing portal services" (page 198)

¶ "Providing access control to dynamic URLs" (page 200)

¶ "Dynamic URL example: Travel Kingdom" (page 208)

Supporting CGI programming

To support CGI programming, WebSEAL adds three additional environment variables. These variables are available to CGI programs running on the WebSEAL server and on junctioned back-end servers. The variables provide Policy Director-specific user, group, and credential information to the CGI program.

On the WebSEAL server, these environment variables are available to CGI programs directly.


A CGI program running on a junctioned back-end server obtains the variables from HTTP header information supplied by WebSEAL. Use the -c option when creating the junction so that WebSEAL inserts the Policy Director-specific headers into the HTTP requests sent to the back-end server.

See also "Supplying client identity in HTTP headers (-c)" on page 152.

The Policy Director-specific CGI environment variables are:

CGI variable       Description
HTTP_IV_USER       The Policy Director account user name of the requesting user.
HTTP_IV_GROUPS     The Policy Director groups to which the requesting user belongs. Specified as a comma-separated list, with each group name enclosed in double quotes.
HTTP_IV_CREDS      An encoded opaque data structure representing the Policy Director credential. Most servers do not need this value; it can be used in Authorization API calls (see the "Authorization API" section). Refer to the Policy Director Authorization ADK Developer Reference.

REMOTE_USER on the WebSEAL server

In the local CGI environment of the WebSEAL server, the user name is also provided as the value of the standard REMOTE_USER variable.

That is, the value of HTTP_IV_USER is also supplied as REMOTE_USER. Note that REMOTE_USER can also appear in the environment of CGI programs running on a junctioned back-end server; in that case, however, its value is not set by WebSEAL.

CGI variable       Description
REMOTE_USER        Contains the same value as HTTP_IV_USER.

Windows: restricting the WIN32 environment


By default, Windows passes the entire system environment to child processes such as CGI programs. In most cases this is unnecessary.

If the CGI program does not require any Windows system environment variables, you can configure webseald.conf so that they are not passed to CGI programs. In that case only the Policy Director-specific variables are passed.

In the [cgi-environment-variables] stanza of webseald.conf, list each Windows system environment variable that CGI programs do require, in the format:

ENV = <variable-name>

For example:

[cgi-environment-variables]
#ENV = SystemDrive
ENV = SystemRoot
ENV = PATH
ENV = LANG
ENV = LC_ALL
ENV = LC_CTYPE
ENV = LC_MESSAGES
ENV = LOCPATH
ENV = NLSPATH

Variables not listed in this stanza are not added to the CGI environment.

Supporting back-end server-side applications

WebSEAL supports the execution of applications on junctioned back-end servers; the back-end Web server itself is responsible for running them. Examples of such server-side applications include:

¶ Java servlets

¶ Cartridges for Oracle Web Listener

¶ Server-side programs

When you create a junction with the -c option, WebSEAL inserts Policy Director-specific client identity and group membership information into the HTTP header of each request sent to the back-end server.


The Policy Director-specific HTTP header information lets applications on the junctioned server perform user-specific actions based on the Policy Director identity.

WebSEAL provides the following Policy Director-specific HTTP headers:

PD-specific HTTP header    Description
iv-user =                  The user name of the client. If the client is unauthenticated, the default value is "Unauthenticated".
iv-groups =                The list of groups to which the client belongs. Specified as a comma-separated list, with each group name enclosed in double quotes.
iv-creds =                 An encoded opaque data structure representing the Policy Director credential. Most servers do not need this value; it can be used in Authorization API calls (see the "Authorization API" section). Refer to the Tivoli SecureWay Policy Director Authorization ADK Developer Reference.

These HTTP headers correspond to the HTTP_IV_USER, HTTP_IV_GROUPS, and HTTP_IV_CREDS environment variables available to CGI programs. For other (non-CGI) application frameworks, consult the framework's documentation for how to extract header values from an HTTP request.

See also "Supplying client identity in HTTP headers (-c)" on page 152.
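As an added illustration that is not part of the manual and not WebSEAL code, the following Python shows how an application on a junctioned server could read the iv-user and iv-groups headers described above. The header format (comma-separated, double-quoted group names; the value "Unauthenticated" for anonymous clients) is taken from the table; the PdIdentity type, the function names and the sample headers are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Mapping, Optional

# Value WebSEAL places in iv-user for clients that have not authenticated (from the manual).
UNAUTHENTICATED = "Unauthenticated"

# iv-groups is a comma-separated list in which each group name is enclosed in double quotes.
_QUOTED_GROUP = re.compile(r'"([^"]*)"')


@dataclass
class PdIdentity:
    """Identity a junctioned application derives from the iv-* headers (hypothetical type)."""
    user: str
    groups: List[str] = field(default_factory=list)

    @property
    def authenticated(self) -> bool:
        return self.user != UNAUTHENTICATED


def parse_iv_groups(value: Optional[str]) -> List[str]:
    """Split an iv-groups header value into group names.

    Quoted names are extracted as the manual describes; an unquoted value (not what
    WebSEAL sends, but tolerated here) is split on commas.
    """
    if not value:
        return []
    names = _QUOTED_GROUP.findall(value)
    if names:
        return names
    return [g.strip() for g in value.split(",") if g.strip()]


def identity_from_headers(headers: Mapping[str, str]) -> PdIdentity:
    """Build the identity from the request headers received across the junction.

    Header names are matched case-insensitively. A missing or blank iv-user is
    treated exactly like the "Unauthenticated" value WebSEAL would send.
    """
    lowered: Dict[str, str] = {k.lower(): v for k, v in headers.items()}
    user = (lowered.get("iv-user") or "").strip() or UNAUTHENTICATED
    return PdIdentity(user=user, groups=parse_iv_groups(lowered.get("iv-groups")))


def allowed(identity: PdIdentity, required_group: str) -> bool:
    """Application-level check: the caller must be authenticated and in the group."""
    return identity.authenticated and required_group in identity.groups


# Constructed sample headers in the format the manual describes for a -c junction.
SAMPLE_STAFF_HEADERS = {"iv-user": "mike", "iv-groups": '"Staff","TKStaff"'}
SAMPLE_ANON_HEADERS = {"iv-user": "Unauthenticated"}
```

Because these are ordinary request headers, the application should rely on them only for requests that actually arrived through the WebSEAL junction (for example by accepting connections solely from the WebSEAL host); a request that reaches the back-end server directly could carry any values.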

Dynamic Business Entitlements

An entitlement is a capability or an item of information to which a user is entitled, such as an account balance or a customer's service level. Entitlements take two forms:

¶ A general entitlement is information about the user that does not depend on the resource being requested, for example the customer's account information or the user's position in the organization.


¶ A resource-specific entitlement is a right the user holds over a particular resource. It is defined by the access control and the capabilities of the resource, for example read access to a file or the ability to transfer funds between two accounts.

Policy Director can use the Cross-domain Authentication Service (CDAS) mechanism to add user-specific information and entitlements to the credential at authentication time. Applications can then retrieve this information through the Authorization API. For information on writing a CDAS, see the Tivoli Policy Director WebSEAL Developer Reference.

LDAP attributes as business entitlements

WebSEAL supports an entitlement mechanism that lets you take user-defined attribute information from the LDAP registry and place it in the user's credential. This information can then be placed in the HTTP headers of requests sent across junctions to back-end servers.

¶ The LDAP registry holds the user-defined attributes for each user as part of the Policy Director user entry.

¶ WebSEAL is configured to extract the information from the credential and place it in the HTTP header of requests sent across a WebSEAL junction to the back-end server.

¶ The back-end application can read the information from the HTTP header and does not require special Authorization API code.

Configuring WebSEAL to insert LDAP attribute information in HTTP headers involves two steps:

1. Extract the attribute data from LDAP and insert it in the credential at login.

2. For a specified junction, extract the data from the credential and insert it in the HTTP header of requests sent across the junction.


Inserting LDAP attributes in the credential

There are two ways to place LDAP attribute information in the credential:

1. Configure the [ldap-ext-cred-tags] stanza of pd.conf to map specified LDAP attributes to fields in the credential. This section describes this method.

2. Write a custom CDAS that maps any user-defined attribute to a field in the credential. See the Tivoli Policy Director WebSEAL Developer Reference for information on writing a CDAS.

The [ldap-ext-cred-tags] stanza of pd.conf maps attributes of the LDAP inetOrgPerson object class to user-defined fields in the credential. Entries in the stanza have the format:

<custom-credential-field> = <inetOrgPerson-field>

Each custom-credential-field name defined in pd.conf is stored in the credential with the prefix "tagvalue_". This prefix distinguishes these fields from the other information held in the credential. For example:

LDAP inetOrgPerson attribute:          employeeNumber:09876
User-defined field name:               ldap-employee-number
[ldap-ext-cred-tags] stanza entry:     ldap-employee-number = employeeNumber
Resulting field in the credential:     tagvalue_ldap-employee-number:09876

¶ This feature requires LDAP user name and password authentication through the built-in passwd-ldap mechanism (the libldapauthn library). The ldapauthn module reads the [ldap-ext-cred-tags] stanza of pd.conf to obtain the user-defined attribute mapping.

¶ The LDAP attributes must be fields of the inetOrgPerson object class.

¶ You can place multiple entries in the [ldap-ext-cred-tags] stanza.

¶ The fields specified in the stanza are added to the credential at login.

¶ LDAP attribute names are not case-sensitive.

¶ Credential field names are case-sensitive.

Inserting credential data in HTTP headers

Inserting the user-defined credential information in the HTTP headers of requests sent across a junction to a back-end server involves two parts:

1. Configure the junction so that WebSEAL inserts a specific credential field. You do this by attaching an attribute to the junction object in the WebSEAL protected object space.

2. WebSEAL extracts the field from the credential and inserts it in the HTTP header of the request.

The attribute attached to the junction object is named HTTP-Tag-Value. Its value has the format:

<custom-credential-field>=<http-header-field>

custom-credential-field is the same name used in the [ldap-ext-cred-tags] stanza of pd.conf, without the "tagvalue_" prefix. It is case-sensitive. http-header-field is the name of the HTTP header that carries the value. For example:


HTTP-Tag-Value attribute on the junction object:

ldap-employee-number=employee-id

Field in the credential:

tagvalue_ldap-employee-number:09876

Header inserted in the request:    employee-id:09876

When WebSEAL sends a request to the back-end server, it looks for any HTTP-Tag-Value attributes configured on the junction object.

Use the pdadmin object modify set attribute command to attach the attribute to the junction object:

pdadmin> object modify <obj-name> set attribute <attr-name> <attr-value>

For example:

pdadmin> object modify /WebSEAL/WS1/junctionA set attribute HTTP-Tag-Value ldap-employee-number=employee-id

To specify several HTTP-Tag-Value attributes, run the pdadmin object modify set attribute command once for each attribute. Each command specifies one value; multiple attributes let you send several items of credential data to the back-end server.
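The two-step flow described above (the pd.conf [ldap-ext-cred-tags] mapping applied at login, then the HTTP-Tag-Value attribute on the junction applied per request), as an added Python illustration that is neither the manual's nor Policy Director's own code. The tagvalue_ prefix, the HTTP-Tag-Value attribute name and the employeeNumber example come from the text; the function names, the departmentNumber attribute and the sample data are this example's assumptions.

```python
from typing import Dict, List, Mapping, Sequence, Tuple

# Prefix WebSEAL prepends to every custom credential field from [ldap-ext-cred-tags] (from the manual).
TAG_PREFIX = "tagvalue_"
# Name of the junction object attribute that selects fields for HTTP headers (from the manual).
JUNCTION_ATTR = "HTTP-Tag-Value"


def parse_stanza_lines(text: str) -> List[Tuple[str, str]]:
    """Parse 'key = value' lines of one stanza body; blank and '#' lines are ignored."""
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            pairs.append((key.strip(), value.strip()))
    return pairs


def credential_fields(ldap_entry: Mapping[str, str], ext_cred_tags: str) -> Dict[str, str]:
    """Step 1 (login): copy the configured inetOrgPerson attributes into the credential.

    LDAP attribute names are compared case-insensitively; the custom field name keeps
    its case and is stored under tagvalue_<custom-credential-field>.
    """
    lowered = {attr.lower(): value for attr, value in ldap_entry.items()}
    fields: Dict[str, str] = {}
    for custom_field, ldap_attr in parse_stanza_lines(ext_cred_tags):
        value = lowered.get(ldap_attr.lower())
        if value is not None:
            fields[TAG_PREFIX + custom_field] = value
    return fields


def tag_value_headers(credential: Mapping[str, str],
                      junction_attrs: Mapping[str, Sequence[str]]) -> Dict[str, str]:
    """Step 2 (request): for each HTTP-Tag-Value value 'field=header' on the junction
    object, emit 'header: value' taken from the credential. A field that is absent from
    the credential produces no header, so only data established at login is forwarded.
    """
    headers: Dict[str, str] = {}
    for spec in junction_attrs.get(JUNCTION_ATTR, ()):
        custom_field, sep, header_name = spec.partition("=")
        if not sep:
            continue  # malformed attribute value: ignore it
        value = credential.get(TAG_PREFIX + custom_field.strip())
        if value is not None:
            headers[header_name.strip()] = value
    return headers


# Constructed sample data reproducing the manual's example values (departmentNumber is an
# additional inetOrgPerson attribute chosen for this example).
SAMPLE_LDAP_ENTRY = {"uid": "mike", "employeeNumber": "09876", "departmentNumber": "TK-77"}
SAMPLE_EXT_CRED_TAGS = """
# [ldap-ext-cred-tags] stanza body
ldap-employee-number = employeeNumber
ldap-department = departmentNumber
"""
SAMPLE_JUNCTION_ATTRS = {JUNCTION_ATTR: ["ldap-employee-number=employee-id",
                                         "ldap-missing=no-such-header"]}


def run_example() -> Dict[str, str]:
    """Headers the junction would add for the sample user: {'employee-id': '09876'}."""
    cred = credential_fields(SAMPLE_LDAP_ENTRY, SAMPLE_EXT_CRED_TAGS)
    return tag_value_headers(cred, SAMPLE_JUNCTION_ATTRS)
```

Note that ldap-department is placed in the credential but, since no HTTP-Tag-Value attribute names it, it is never sent to the back-end server; the junction attribute, not the pd.conf stanza, decides what leaves WebSEAL.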

Customizing portal services

A Web portal, or launch page, is an integrated Web site that provides a set of services and resources specific to the user. The resources can include news, weather, stock quotes, search engines, and so on. When the user enters the portal, the portal displays a list of the services the user is permitted to access; this "list of links" is the user's personalized entry point to the resources.

You can configure WebSEAL and the Authorization API Entitlements Service to customize the portal launch page within the Policy Director environment.


The process of customizing a WebSEAL portal involves the following:

1. Define a region of the protected object space that represents the portal resource objects.

2. Attach an appropriate ACL to each resource object.

3. Edit the WebSEAL configuration file to add the portal service URL, the object space region containing the portal resource objects, and the permission required to access those resources.

4. When a request for the portal URL arrives, WebSEAL uses the Authorization Entitlement Service to search the object space region and produce the list of objects the user is authorized to access.

5. WebSEAL places this list in the PD_PORTAL HTTP header of the request sent to the junctioned portal server.

6. A custom portal application (such as a CGI program or servlet) on the back-end server reads the PD_PORTAL header and maps its contents to display names and URLs. This information represents the list of authorized links that the user sees.

Configuring WebSEAL for portal services

1. Create a junction to the portal server. For example:

pdadmin> server task <server-name> create -t tcp -h portalhost.abc.com /portal-jct

2. Edit webseald.conf to add a new [portal-map] stanza:

[portal-map]

3. In the stanza, specify the portal service URL (relative to the junction), the region of the WebSEAL protected object space to search, and the permission the user must hold on the objects. The objects found by the search are listed in the PD_PORTAL header.

[portal-map]
<URL> = <object-space-region>:<permission>

Note: The search returns only objects that have an explicitly attached ACL granting the permission.


4. After adding the stanza and the mapping, restart WebSEAL (webseald).

Portal example

¶ Junction to the portal server:

pdadmin> server task webseald-WS1 create -t ssl -h PORTAL1 /portal

¶ Define the region of the WebSEAL protected object space that holds the portal resource objects:

pdadmin> objectspace create /Resources "Portal Object Hierarchy" 10
pdadmin> object create /Resources/Content "" 10 ispolicyattachable yes
pdadmin> object create /Resources/Support "" 10 ispolicyattachable yes
pdadmin> object create /Resources/Content/CGI "" 11 ispolicyattachable yes
pdadmin> object create /Resources/Support/Servlet "" 11 ispolicyattachable yes

Note: Each object must have "ispolicyattachable" set to "yes". The search mechanism returns only objects that have an explicitly attached ACL.

¶ WebSEAL configuration (webseald.conf):

[portal-map]
/portal/servlet/PortalServlet = /Resources:r

¶ Portal URL:

https://WS1/portal/servlet/PortalServlet

Providing access control to dynamic URLs

The current Web environment gives users immediate access to rapidly changing information. Many Web applications dynamically generate URLs in response to each user request, and such dynamic URLs may exist only for a short time. Nevertheless, to control access, these URLs must still be protected by a security policy.


Dynamic URLs are commonly used by Web applications: the Web browser passes information to CGI programs or server-side programs through the URL.

The information is carried in the query string, the portion of the URL that follows the "?" character; the program uses it to generate a response specific to that request. Dynamic URLs therefore carry application-specific data that is not fixed in advance; the query-string portion is generated on demand.

Mapping ACL objects to dynamic URLs

The WebSEAL protected object space is a hierarchy of objects; each URL request is resolved to an object and the ACL attached to that object governs access. In the authorization process, WebSEAL maps each request to a particular object and evaluates the ACL on that object.

Because dynamic URLs are not fixed, they cannot all be listed in advance in the object space. Policy Director solves this by mapping sets of dynamic URLs, described by patterns, to objects in the protected object space.

The mapping from dynamic URLs to objects is kept in a text file:

/opt/PolicyDirector/www/lib/dynurl.conf

Figure 37. Passing data to a CGI program through a URL


The location of this file (relative to the server root) is defined by the dynurl-map parameter in the [server] stanza of webseald.conf:

[server]
dynurl-map = lib/dynurl.conf

By default, this file does not exist. If the file exists (and contains entries), dynamic URL support is enabled.

Edit this file to create the mappings. Each line has the format:

<object> <template>

Policy Director uses a subset of UNIX shell pattern matching (including wildcards) to define the set of URLs that map to a single object in the object space. Any dynamic URL that matches the template is mapped to that object.

Policy Director supports the following UNIX shell pattern-matching characters:

Character   Description
\           The backslash is an escape character. For example, \t represents the TAB character. It is also used to escape the wildcard characters so that they are matched literally.
?           Matches any single character. For example, the string "abcde" matches the template "ab?de".
*           Matches zero or more characters.
[]          Defines a set of characters; any one character from the set matches. For example, the string "abcde" matches the template "ab[cty]de".
^           Negates a set. For example, [^ab] matches any character other than 'a' or 'b'.

The following example shows a dynamic URL template for an account-balance query:

http://<server-name>/home-bank/owa/acct.bal?acc=<account-number>

The corresponding dynamic URL object is expressed as:

http://<server-name>/home-bank/owa/acct.bal?acc=*


In this example, the dynamic URL is not tied to a particular account number. The ACL on the home-bank account-balance object applies to every account, because the * wildcard in the template (acc=*) matches any account number.

Figure 38 shows how a set of specific dynamic URLs is mapped to a single protected object.

Updating WebSEAL for dynamic URLs

Use the dynurl update command to update the WebSEAL protected object space with the entries in dynurl.conf.

1. Create, edit, or delete a dynamic URL entry in dynurl.conf.

2. After making the changes, run the dynurl update command to update the server:

pdadmin> server task webseald-<server-name> dynurl update

Figure 38. Authorizing a dynamic URL


server-name is the host name of the WebSEAL machine.

Resolving dynamic URLs in the object space

To resolve a dynamic URL to an object, the mapping list in dynurl.conf is scanned from top to bottom. The first template that matches is used; later entries are not examined, even if they would also match.

If no template matches, WebSEAL uses the request URL itself (without the http://<server> portion) as the object name.

Place more restrictive mappings before less restrictive ones. For example, to restrict access to the book.sales program while allowing access to the other programs in the same directory, define the mappings in this order:

Object space entry      URL template
/ows/sales/bksale       /ows/db-apps/owa/book.sales*
/ows/sales/general      /ows/db-apps/owa/*

If the order were reversed, every program under /ows/db-apps/owa, including book.sales, would be mapped to the /ows/sales/general object. Because that is not the intended object space policy, the order matters: a mistake here can expose a resource that was meant to be restricted.

When you map URLs to the object space, the URL form is usually that of a GET request, but both the POST and GET methods are supported.

With the GET method, the application data (the query string) is part of the URL.

With the POST method, the application data is carried in the body of the request.


After a dynamic URL has been mapped to an object in the object space, the ACL attached to that object determines whether the request is permitted; the authorization decision is otherwise unchanged.

Configuring limitations on POST requests

The content of a POST request is in the body of the request. The POST request header includes a Content-Length value indicating the amount of data that follows.

post-max-read

The post-max-read parameter in the [server] stanza of webseald.conf specifies the maximum number of bytes of content WebSEAL reads from the body of a POST request, to limit the impact of very large POST requests on WebSEAL. Only the bytes within this limit are read.

When a POST request is processed for dynamic URL matching, WebSEAL reads at most post-max-read bytes of the body. The default is 4096 bytes:

[server]
post-max-read = 4096

Note that this parameter does not limit the maximum size of a POST request (there is no limit). It protects WebSEAL from having to process POST requests of unreasonable size.

dynurl-allow-large-posts

Although post-max-read limits the amount of POST content WebSEAL reads and processes, it does not prevent the request from being forwarded to the back-end server. In some cases, the complete content is forwarded to the back-end server.

If the back-end server has no protection of its own, this could represent an exposure.

The dynurl-allow-large-posts parameter lets you specify how WebSEAL handles a POST request whose content is larger than the value of post-max-read. If it is set to "no" (the default), WebSEAL rejects any POST request whose content exceeds post-max-read:


[server]
dynurl-allow-large-posts = no

If it is set to "yes", WebSEAL allows the POST request but uses only the first post-max-read bytes of content for dynamic URL matching:

[server]
dynurl-allow-large-posts = yes

Example 1:

¶ WebSEAL receives a large POST request (larger than post-max-read).

¶ dynurl-allow-large-posts = no

¶ The request matches a dynamic URL template.

¶ Result: WebSEAL rejects the request.

Example 2:

¶ WebSEAL receives a large POST request (larger than post-max-read).

¶ dynurl-allow-large-posts = yes

¶ The request matches a dynamic URL template.

¶ Result: WebSEAL reads the first post-max-read bytes of content, maps that content to the object space, and performs the authorization check on the resulting object. The remaining content is not mapped to the object space and is not subject to an authorization check.

¶ The following example shows a dynamic URL template for a large POST request:

/rtpi153/webapp/examples/HitCount\?*action=reset*
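An added Python illustration (not code from the manual or from WebSEAL) of the dynurl.conf matching described under "Resolving dynamic URLs in the object space" and of the post-max-read / dynurl-allow-large-posts behaviour in the two examples above. The pattern characters, the first-match rule, the bksale/general and Travel Kingdom templates and the HitCount template are taken from the text; the object name /app_hitcount/reset, the function names, the treatment of * as matching across "/" and the way POST data is appended after "?" before matching are this example's assumptions.

```python
import re
from typing import List, Optional, Tuple

# (object name, template text, compiled regular expression)
DynurlMapping = Tuple[str, str, "re.Pattern[str]"]


def template_to_regex(template: str) -> "re.Pattern[str]":
    """Translate a dynurl.conf template into an anchored regular expression.

    Implements the shell-pattern subset listed in the manual: '\\' escapes the next
    character ('\\t' is TAB, '\\?' a literal '?'), '?' matches one character, '*'
    matches zero or more characters, '[...]' a set and '[^...]' a negated set.
    Letting '*' cross '/' is an assumption of this example.
    """
    out: List[str] = []
    i, n = 0, len(template)
    while i < n:
        c = template[i]
        if c == "\\" and i + 1 < n:
            i += 1
            nxt = template[i]
            out.append("\t" if nxt == "t" else re.escape(nxt))
        elif c == "?":
            out.append(".")
        elif c == "*":
            out.append(".*")
        elif c == "[":
            close = template.find("]", i + 1)
            body = template[i + 1:close] if close != -1 else ""
            if close == -1 or body in ("", "^"):
                out.append(re.escape(c))  # no usable set: treat '[' literally
            else:
                negate = body.startswith("^")
                body = (body[1:] if negate else body).replace("\\", "\\\\")
                out.append("[" + ("^" if negate else "") + body + "]")
                i = close
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$", re.DOTALL)


def parse_dynurl_conf(text: str) -> List[DynurlMapping]:
    """Return the '<object> <template>' mappings in file order; the first match wins."""
    mappings: List[DynurlMapping] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            obj, template = parts
            mappings.append((obj, template, template_to_regex(template)))
    return mappings


def resolve_object(mappings: List[DynurlMapping], match_string: str) -> Optional[str]:
    """First template that matches decides the protected object; None if none matched."""
    for obj, _template, rx in mappings:
        if rx.match(match_string):
            return obj
    return None


def dynurl_match_string(method: str, path: str, body: bytes = b"",
                        post_max_read: int = 4096, allow_large_posts: bool = False) -> Optional[str]:
    """Build the string compared with the templates, applying the POST limits.

    GET: the path already carries its query string. POST: the form data is in the
    body and only the first post_max_read bytes are read. A larger body is rejected
    (None) when dynurl-allow-large-posts is "no"; with "yes" the truncated content is
    used. Appending that content after '?' is this example's assumption.
    """
    if method.upper() != "POST":
        return path
    if len(body) > post_max_read and not allow_large_posts:
        return None
    data = body[:post_max_read].decode("latin-1")
    return f"{path}?{data}" if data else path


# Constructed dynurl.conf: templates from the manual, catch-all entry last on purpose.
SAMPLE_DYNURL_CONF = r"""
# object               template   (the /app_hitcount/reset object name is made up)
/ows/sales/bksale      /ows/db-apps/owa/book.sales*
/ows/tr/browse         /ows/db-apps/owa/tr.browse\?dest=*&date=??/??/????
/ows/admin/forall      /ows/db-apps/owa/admin.browse\?empid=[th]???
/app_hitcount/reset    /rtpi153/webapp/examples/HitCount\?*action=reset*
/ows/sales/general     /ows/db-apps/owa/*
"""


def run_example() -> dict:
    mappings = parse_dynurl_conf(SAMPLE_DYNURL_CONF)
    big_body = b"action=reset&" + b"x" * 5000  # constructed POST larger than post-max-read
    hit = "/rtpi153/webapp/examples/HitCount"
    truncated = dynurl_match_string("POST", hit, big_body, allow_large_posts=True)
    return {
        "bksale": resolve_object(mappings, "/ows/db-apps/owa/book.sales?item=7"),
        "general": resolve_object(mappings, "/ows/db-apps/owa/other.prog"),
        "browse": resolve_object(mappings, "/ows/db-apps/owa/tr.browse?dest=paris&date=12/25/2001"),
        "staff_id": resolve_object(mappings, "/ows/db-apps/owa/admin.browse?empid=t123"),
        "bad_id": resolve_object(mappings, "/ows/db-apps/owa/admin.browse?empid=x123"),
        "large_post_rejected": dynurl_match_string("POST", hit, big_body) is None,
        "large_post_truncated_len": len(truncated or ""),
        "large_post_object": resolve_object(mappings, truncated or ""),
    }
```

The "bad_id" entry shows the point the manual makes about ordering: an empid that does not fit the [th]??? set is not rejected, it simply falls through to the catch-all /ows/sales/general object, so the ACL on that object is what protects it.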

Summary and technical notes

Summary:

¶ To configure WebSEAL to handle dynamic URLs, create the file:

/opt/PolicyDirector/www/lib/dynurl.conf

¶ The file contains one or more lines of the form:

<object> <template>

¶ If the file does not exist, dynamic URL support is disabled.

¶ After the file is processed, the objects appear in the WebSEAL protected object space.

¶ Templates can contain wildcard characters. They can also be plain strings that contain no wildcards.

The following example dynurl.conf defines objects representing sample Web applications shipped with IBM WebSphere:

Object                  URL template
/app_showconfig         /rtpi153/webapp/examples/ShowConfig*
/app_snoop              /rtpi153/servlet/snoop
/app_snoop              /rtpi025/servlet/snoop
/app_hitcount/ejb       /rtpi153/webapp/examples/HitCount\?source=EJB
/app_hitcount           /rtpi153/webapp/examples/HitCount*

Notes:

¶ Several URL templates can map to the same object (for example, app_snoop maps URLs on two different servers).

¶ Objects can be nested (for example, app_hitcount and app_hitcount/ejb).

¶ Incoming URL requests are compared with the templates from top to bottom, and the first match wins. Order therefore matters: place more specific templates before less specific ones.

¶ To activate changes made in dynurl.conf, run the dynurl update command (a pdadmin server task). The update takes effect immediately, and the objects appear in the protected object space, where they can be viewed in the "Web Portal" section of Web Portal Manager.

¶ Avoid uppercase letters in object names; use lowercase letters only.


¶ The object names appear under the WebSEAL protected object space.

¶ Before removing an object from dynurl.conf, detach any ACL attached to it.

Dynamic URL example: Travel Kingdom

This section describes how to protect the dynamic URLs generated by the Oracle Web Listener.

The Web server in this example is the Oracle Web Listener, but the same approach applies to other Web servers that produce dynamic URLs.

Travel Kingdom is a company that lets customers book trips over the Internet. It runs two core applications against an Oracle database on its Web server, both reachable over the Internet:

1. Trip booking

Registered customers can book trips and review their bookings. Travel Kingdom staff can also make bookings on behalf of customers, process changes, and perform other tasks. Because customers pay by credit card, the information submitted must be protected.

2. Administration

Like other large organizations, Travel Kingdom maintains an administration database containing employee data, résumés, and salary information. This information is made available to staff members.

The Oracle Web Server is configured to give access to the following stored procedures in the database:

/db-apps/owa/tr.browse      Lets anyone query trip information such as destinations, dates, and prices.

/db-apps/owa/tr.book        Books a trip (registered customers only).


/db-apps/owa/tr.change      Changes an existing booking.

/db-apps/owa/admin.browse   Lets staff view restricted employee information such as telephone extension, e-mail address, and salary.

/db-apps/owa/admin.resume   Lets staff view the résumé information held for an employee in the administration database.

/db-apps/owa/admin.update   Lets the Administration department update employee information.

Web space structure

A WebSEAL server protects the Travel Kingdom Web applications as follows:

¶ A junction named /ows to the Oracle Web Server that runs the trip booking and administration applications.

Security policy

To control access to these Web resources, the company has defined the following policy:

1. Anyone may browse the trips on offer.

2. Registered customers may book trips for themselves and review their own bookings, but may not see the bookings of other registered customers.

3. Staff may view employee information.

4. Only administration staff may update the employee information held by Travel Kingdom; they may also view the information of any other employee.

Mapping dynamic URLs to the object space

To implement the security policy above, the dynamic URLs are mapped to ACL objects in the object space as shown in the following table.

Note that this mapping is crucial to achieving the intended security policy.


Object space entry      URL pattern
/ows/tr/browse          /ows/db-apps/owa/tr.browse\?dest=*&date=??/??/????
/ows/tr/auth            /ows/db-apps/owa/tr.book\?dest=*&depart=??/??/????&return=??/??/????
/ows/tr/auth            /ows/db-apps/owa/tr.change
/ows/admin/forall       /ows/db-apps/owa/admin.resume
/ows/admin/forall       /ows/db-apps/owa/admin.browse\?empid=[th]???
/ows/admin/auth         /ows/db-apps/owa/admin.update\?empid=????

Secure domain policy

Users connect over the Internet through encrypted channels and are authenticated by WebSEAL. Anyone who wants to use the Web site must obtain an account from the Travel Kingdom Webmaster.

The following groups are defined in the secure domain:

Staff          All Travel Kingdom employees.

TKStaff        Travel Kingdom travel agents.

AdminStaff     Travel Kingdom administration staff. Note that administration staff also belong to the Staff group.

Customer       Travel Kingdom customers, who can book trips over the Internet.

Each user is registered as an account in the secure domain so that the WebSEAL server can authenticate the user. The credentials are also passed to the Oracle Web Server, providing a single sign-on solution for the Web resources.

Access control

The following table shows the access control applied to each object above:

Object              ACL entries
/ows/tr/browse      unauthenticated Tr; any_authenticated Tr
/ows/tr/auth        unauthenticated -; any_authenticated -; group TKStaff Tr; group Customer PTr
/ows/admin/forall   unauthenticated -; any_authenticated -; group Staff Tr
/ows/admin/auth     unauthenticated -; any_authenticated -; group AdminStaff Tr

Customers and the TKStaff group have the same permissions on the booking object. However, because customers submit sensitive data (such as credit card information) over the insecure Internet, the P (privacy) permission is added for the Customer group so that the data must be encrypted, providing an additional level of security.

Other considerations

The example shows how to combine:

¶ authentication and the protection of data in transit

¶ authentication

¶ authorization of access to information

In addition, because WebSEAL authenticates users on behalf of the Oracle Web Server, the example provides a single sign-on solution.


Appendix A. webseald.conf

The webseald.conf configuration file

Main stanzas:

¶ WEBSEAL GENERAL

[server]

¶ LDAP

[ldap]

¶ SSL

[ssl]

¶ JUNCTION

[junction]

[filter-url]

[filter-schemes]

[script-filtering]

[gso-cache]

[ltpa-cache]

¶ AUTHENTICATION

[ba]

[forms]


[token]

[certificate]

[http-headers]

[auth-headers]

[ipaddr]

[authentication-levels]

[mpa]

[cdsso]

[cdsso-peers]

[failover]

[e-community-sso]

[inter-domain-keys]

[authentication-mechanisms]

[ssl-qop]

[ssl-qop-mgmt-hosts]

[ssl-qop-mgmt-networks]

[ssl-qop-mgmt-default]

¶ SESSION

[session]

¶ CONTENT

[content]

[acnt-mgt]

[cgi]

[cgi-types]

[cgi-environment-variables]

[content-index-icons]

[icons]

[content-cache]


[content-mime-types]

[content-encodings]

¶ LOGGING

[logging]

¶ AUTHORIZATION API

[aznapi-configuration]

[aznapi-entitlement-services]

¶ POLICY DIRECTOR

[policy-director]

[manager]

WEBSEAL GENERAL

Parameter                     Description

[server] stanza

General

unix-user                     UNIX account under which the WebSEAL server runs.
unix-group                    UNIX group of the WebSEAL server account.
unix-pid-file                 Location of the PID file.
server-root                   Root directory of the WebSEAL server.
server-name                   Name of the WebSEAL server.

Threads and connections

worker-threads                Number of WebSEAL worker threads.
client-connect-timeout        Timeout for initial client connections.
persistent-con-timeout        Timeout for HTTP/1.1 persistent connections.

HTTPS access

https                         Enables or disables HTTPS access.
https-port                    Port on which WebSEAL listens for HTTPS requests.

HTTP access

http                          Enables or disables unsecured HTTP (TCP) access.
http-port                     Port on which WebSEAL listens for HTTP requests.


WEBSEAL GENERAL (continued)

Parameter                     Description

POST requests

post-max-read                 Maximum number of bytes of content WebSEAL reads from the body of a POST request.

DYNURL

dynurl-map                    Location of the dynamic URL to object mapping file.
dynurl-allow-large-posts      Determines whether WebSEAL accepts POST requests whose content is larger than post-max-read.

URI processing

utf8-url-support-enabled

LDAP

Parameter                        Description

[ldap] stanza

ldap-server-config               Location of the ldap.conf configuration file (set during configuration).
cache-enabled                    Enables or disables the LDAP cache.
prefer-readwrite-server          Prefer a read/write LDAP server when one is available.
auth-using-compare               Authenticate by performing an LDAP compare on the password rather than an LDAP bind.
default-policy-override-support  Controls how the default policy and user-specific policies are looked up.
user-and-group-in-same-suffix    Search optimization: indicates that users and groups are defined in the same LDAP suffix.
ssl-enabled                      Enables or disables SSL for communication between WebSEAL and LDAP.
ssl-keyfile                      Location of the SSL key file.
ssl-keyfile-dn                   Label of the certificate in the SSL key file.
ssl-keyfile-pwd                  Password of the SSL key file.
bind-dn                          Distinguished name the WebSEAL daemon uses to bind to LDAP (set during configuration).
bind-pwd                         Password of the WebSEAL daemon (set during configuration).

w

D≈]Host

SSL

Parameter                      Description

[ssl] stanza

webseal-cert-keyfile           Location of the key file holding the certificate that WebSEAL presents to browsers in SSL sessions.
webseal-cert-keyfile-pwd       Password of the WebSEAL private key file.
webseal-cert-keyfile-stash     Location of the stash file holding the WebSEAL key file password.
webseal-cert-keyfile-label     Label of the (non-default) certificate that WebSEAL uses.
ssl-keyfile                    Location of the key file WebSEAL uses for internal communication.
ssl-keyfile-pwd                Password of the WebSEAL private key file (internal communication).
ssl-keyfile-stash              Location of the stash file holding the WebSEAL key file password (internal communication).
ssl-keyfile-label              Label of the (non-default) certificate to use (internal communication).
disable-ssl-v2                 Disables SSL V2 support on the server.
disable-ssl-v3                 Disables SSL V3 support on the server.
disable-tls-v1                 Disables TLS V1 support on the server.
ssl-v2-timeout                 GSKit session ID timeout for SSL V2 connections.
ssl-v3-timeout                 GSKit session ID timeout for SSL V3 connections.
ssl-max-entries                Maximum number of entries in the GSKit SSL session ID cache.
ssl-ldap-server                LDAP server used for CRL checking.
ssl-ldap-server-port           Port on which the LDAP server accepts CRL queries.
ssl-ldap-user                  LDAP server user.
ssl-ldap-user-password         Password of the LDAP server user.
ssl-auto-refresh
ssl-listening-port
ssl-pwd-life
ssl-authn-type

JUNCTION

Parameter                     Description

[junction] stanza

junction-db                   Location of the junction database.
jmt-map                       Location of the junction mapping table (JMT) file.
http-timeout                  Timeout for sending to and reading from a TCP junction.
https-timeout                 Timeout for sending to and reading from an SSL junction.
ping-time                     Interval at which WebSEAL pings junctioned servers.
basicauth-dummy-passwd        Dummy password placed in the Basic Authentication header on "-b supply" junctions.
worker-thread-hard-limit      Hard limit (percentage) on the worker threads that requests to one junction may consume.
worker-thread-soft-limit      Soft limit (percentage) on the worker threads that requests to one junction may consume.
io-buffer-size                Size of the read/write I/O buffer.

Document filtering

[filter-url] stanza

<tag> = <attribute>           HTML tag attributes in which WebSEAL filters the URLs of junctioned servers.

[filter-schemes] stanza

scheme = <scheme-name>        List of URL schemes that WebSEAL filters in junctioned server content.

[script-filtering] stanza

script-filter                 Enables or disables filtering of URLs contained in scripts on junctioned servers.

GSO cache

[gso-cache] stanza

gso-cache-enabled             Enables or disables the GSO cache.
gso-cache-size                Number of entries in the GSO cache.
gso-cache-entry-lifetime      Maximum lifetime of a GSO cache entry.
gso-cache-entry-idle-timeout  Maximum idle time of an inactive GSO cache entry.

LTPA cache

[ltpa-cache] stanza

ltpa-cache-enabled            Enables or disables the LTPA cache.
ltpa-cache-size               Number of entries in the LTPA cache.
ltpa-cache-entry-lifetime     Maximum lifetime of an LTPA cache entry.
ltpa-cache-entry-idle-timeout Maximum idle time of an inactive LTPA cache entry.


AUTHENTICATION

Parameter                     Description

Basic authentication

[ba] stanza

ba-auth                       Enables or disables the "Basic Authentication" mechanism.
basic-auth-realm              Realm name shown in the browser's BA login prompt.

Forms

[forms] stanza

forms-auth                    Enables or disables forms-based authentication.

Token

[token] stanza

token-auth                    Enables or disables token (passcode) authentication.

[certificate] stanza

accept-client-certs           Configures how WebSEAL handles client certificates.

HTTP headers

[http-headers] stanza

http-headers-auth             Enables or disables authentication through HTTP headers.

[auth-headers] stanza

header                        A specific HTTP header used for authentication.

IP address

[ipaddr] stanza

ipaddr-auth                   Enables or disables authentication based on IP address information.

[authentication-levels] stanza

level = unauthenticated
level = password              Step-up authentication level configuration.

Multiplexing proxy agents

[mpa] stanza

mpa                           Enables or disables support for multiplexing proxy agent (MPA) authentication.

CDSSO

[cdsso] stanza

cdsso-auth                    Enables or disables CDSSO authentication (authentication tokens).
authtoken-lifetime            Maximum lifetime of a CDSSO authentication token.

[cdsso-peers] stanza

<machine-name> = <keyfile-location>
                              Key files of the peer domains participating in CDSSO.

FAILOVER

[failover] stanza

failover-auth                 Enables the creation and acceptance of Failover cookies.
failover-cookies-keyfile      Location of the cookie encryption key file generated by cdsso_key_gen.
failover-cookie-lifetime      Validity period of a Failover cookie.
enable-failover-cookie-for-domain
                              Makes the Failover cookie a domain cookie rather than a server-specific cookie.

e-COMMUNITY SSO

[e-community-sso] stanza

e-community-sso-auth          Enables or disables e-community single sign-on.
e-community-name              Name of the e-community used in "vouch-for" requests and tokens.
intra-domain-key              Location of the key file shared by the WebSEAL servers within the same DNS domain.
is-master-authn-server        Specifies whether this server is the master authentication server.
master-authn-server           Name of the master authentication server (if this server is not the master).
master-http-port              HTTP port of the master authentication server.
master-https-port             HTTPS port of the master authentication server.
vf-token-lifetime             Lifetime of the "vouch-for" token.
vf-url                        The "vouch-for" URL.
ec-cookie-lifetime            Lifetime of the e-community cookie.

[inter-domain-keys] stanza

<domain-name> = <keyfile>     Key files of the other domains participating in the e-community.

Authentication mechanisms and shared libraries

[authentication-mechanisms] stanza

passwd-cdas
passwd-ldap
passwd-uraf
token-cdas
cert-ssl
cert-cdas
http-request
cdsso
passwd-strength
cred-ext-attrs                Each authentication mechanism and the shared library that implements it.

SSL quality of protection management

[ssl-qop] stanza

ssl-qop-mgmt                  Enables or disables quality of protection (QOP) management.

[ssl-qop-mgmt-hosts] stanza

<ip-address>                  QOP encryption level for the listed hosts.

[ssl-qop-mgmt-networks] stanza

<ip-address/mask>             QOP encryption level for the listed networks.

[ssl-qop-mgmt-default] stanza

default                       Default QOP encryption level for all IP addresses not listed above.

SESSION

Parameter                     Description

[session] stanza

max-entries                   Maximum number of entries in the WebSEAL credential/session cache.
timeout                       Maximum lifetime of an entry in the WebSEAL credential/session cache.
inactive-timeout              Inactivity timeout for an entry in the WebSEAL credential/session cache.

SSL sessions

ssl-id-sessions               Use the SSL session ID as the HTTPS login session identifier.

Shared sessions

use-same-session              Use the same session ID for both HTTP and HTTPS.

Session cookies

resend-webseal-cookies        Resend the configured session and Failover cookies to the browser.

CONTENT

Parameter                     Description

[content] stanza

Directories

doc-root                      Root directory of the Web document space.
directory-index               Name of the directory index file.
delete-trash-dir              Trash directory that holds files deleted through WebSEAL.

User directories

user-dir                      Name of the per-user subdirectory from which personal HTML documents are served.
error-dir                     Directory containing the WebSEAL error message pages.

Account management


CONTENT (continued)

Parameter                     Description

[acnt-mgt] stanza

mgt-pages-root                Root directory of the account management pages.
login                         Name of the login form page.
logout                        Name of the page shown after logout.
account-locked                Name of the error page shown when the account is locked.
passwd-expired                Name of the error page shown when the password has expired.
passwd-change                 Name of the change-password form.
passwd-change-success         Name of the page shown when a password change succeeds.
passwd-change-failure         Name of the page shown when a password change fails.
help                          Name of the help page.
token-login                   Name of the token login form.
next-token                    Name of the next-token form.
stepup-login                  Name of the step-up login form.

CGI

[cgi] stanza

cgi-timeout                   Timeout for writing to and reading from CGI child processes.

[cgi-types] stanza

bat = cmd
cmd = cmd
pl = perl
sh = sh
tcl = tclsh76                 For Win32 servers, specifies the program used to run CGI files with each extension.

[cgi-environment-variables] stanza

ENV                           Environment variables to pass to CGI programs.

[content-index-icons] stanza

image/* video/* audio/*
text/html text/*
application/x-tar application/*
                              Icons shown, per MIME type, in the directory listings WebSEAL generates when no index.html file exists.

[icons] stanza

diricon                       Icon for subdirectories.
backicon                      Icon for the parent directory.
unknownicon                   Icon for unknown file types.

Document caching

[content-cache] stanza

text/html image/* */*         Defines, per MIME type, the type and size of the in-memory cache WebSEAL keeps for documents.

MIME types

[content-mime-types] stanza

<extension> = <type>          Defines the MIME type for a file extension.
deftype                       Default MIME type for files whose extension is not listed in the table.

Content encodings

[content-encodings] stanza

gz Z                          Maps file extensions to the content encoding WebSEAL reports when serving the file.

LOGGING

Parameter                     Description

[logging] stanza

server-log                    Location of the server log file.
max-size                      Size at which HTTP log files are rolled over.
flush-time                    Frequency at which the HTTP log buffers are flushed.
requests                      Enables or disables the HTTP request log.
requests-file                 Location of the HTTP request log.
referers                      Enables or disables the HTTP referer log.

LOGGING (continued)

referers-file                 Location of the HTTP referer log.
agents                        Enables or disables the HTTP user-agent log.
agents-file                   Location of the HTTP user-agent log.
gmt-time                      Records request times in GMT instead of local time.

AUTHORIZATION API

Parameter                     Description

[aznapi-configuration] stanza

db-file                       Location of the local replica of the authorization policy database.
cache-refresh-interval        Interval at which the master authorization server is polled for policy updates.
listen-flags                  Enables or disables listening for policy update notifications.
tcp-port                      TCP port on which to listen for notifications.
udp-port                      UDP port on which to listen for notifications.

Authorization API logging

logclientid=webseald
logsize                       Size at which the audit log is rolled over.
logflush                      Frequency at which the audit log buffer is flushed.
logaudit                      Enables or disables auditing.
auditlog                      Location of the audit log.
auditcfg = azn                Audit authorization events.
auditcfg = authn              Audit authentication events.
auditcfg = wand               Audit WebSEAL events.

AZNAPI service definitions

<service-id>
mode
azn-server-name

pd-user-name

[aznapi-entitlement-services] stanza

AZN_ENT_EXT_ATTR

POLICY DIRECTOR

Parameter                     Description

[policy-director] stanza

config-file                   Location of the pd.conf configuration file.

[manager] stanza

master-host
master-port
master-dn


Appendix B. WebSEAL junctions

The pdadmin utility provides a command-line interface for performing WebSEAL junction operations.

Topics:

¶ "Using pdadmin server task to create junctions"

¶ "Junction commands" (page 231)

¶ "Creating a junction to an initial server" (page 232)

¶ "Adding a server to a junction" (page 235)

Using pdadmin server task to create junctions

Before using pdadmin, you must log in to the secure domain as the administrator user sec_master. For example:

UNIX:

# pdadmin
pdadmin> login
Enter User ID: sec_master
Enter Password:
pdadmin>

Windows:


MSDOS> pdadminpdadmin> loginΘJ IDGsec_masterΘJKXGpdadmin>

tAziHbµ@ⁿOµñHU∩ANiH≥o@

GG

# pdadmin -a sec_master -p <password>pdadmin>

Yn WebSEAL XA pdadmin server task ⁿOG

pdadmin> server task <server-name> <task>

server-name OⁿΩ≈WπϕíAHⁿO Policy Director $≤]p WebSEALC

<policy-director-component>-<machine-name>

íApG≈WO cruz Policy Director $≤WebSEALAh server-name G

webseald-cruz

server list ⁿOτ server-name ϕíG

pdadmin> server list
webseald-cruz

≥ WebSEAL XnⁿO∩]AG

¶ ßí°AD≈W]–h ∩

¶ X¼ — tcpBsslBtcpproxyBsslproxyBlocal ]–t ∩

¶ XI]ⁿI

pdadmin> server task <server-name> create -t <type> -h <host-name> <jct-point>


XⁿOHUXⁿOíi≤ pdadmin server taskG

ⁿO í

create l°AsXC

add bXIW[JB°AC

remove qXIú°AC

ykG remove -i <server-id> <junction-point>

show ⁿOPSw°A IDC

delete úXIC

ykG delete <junction-point>

list CX°AXIC

ykG list

show πXIΩTC

ykG show <junction-point>

jmt load jmt clear jmt load ⁿOi WebSEAL úX∩MϕΩ

(jmt.conf)AHKBzAú°A÷

URLC

jmt clear ⁿOú WebSEAL XMgϕ

ΩC

help CXXⁿOC

ykG help

help <command> πSwXⁿOíC

exit ⌡X pdadmin íC

ykG exit

UCíoⁿO÷∩C


l°AsX@GsXIAXl°AC

ykG

create -t <type> -h <host-name> [<options>] <junction-point>

–t <type> **n**

XI¼C HUΣñº@GtcpBsslBtcpproxyBsslproxyBlocalC

–t tcp w]≡ 80C –t ssl w]≡

443C

D≈W

–h <host-name> **n**

ß°A DNS D≈W IP

C

zL SSL ¼O

–K <key-label> WebSEAL qOß°A

C

–B WebSEAL BA YΩTOß°

AC n –UB–W M –b Lo∩C

–U <“username”> WebSEAL WC P –B ft

He BA Yß°AC

–W <“password”> WebSEAL KXC P –B ftHe

BA Yß°AC

–D <“DN”> ⁿwß°AuOWvCo

YPΩ DN Ai[j

OC

Proxy X∩]n –t tcpproxy –t sslproxy

–H <host-name> Proxy °A DNS D≈W IP

C


–P <port> PROXY °A TCP ≡C

ú BA YΩT

–b <BA-value> wq WebSEAL °A HTTP BA

OΩTß°AΦíC UCΣñ

@ΦíG

filter]w]BignoreBsupplyBgso

@δ TCP M SSL X∩

–c <id-types> zLXAb HTTP YñíJ Policy

Director q¡C id-types iH]tHU Policy Director HTTP Y¼

⌠≤XG

iv-userBiv-user-lBiv-groupsBiv-credsBallC

–i WebSEAL °A° URL újp

gC

–j b cookie ñúXOBz Script

ú°A∩ URLC

–k NÑq@ cookie eßJf°A

C

–p <port> ß≤Ot°A TCP ≡C TCP

Xw] 80FSSL Xw]

443C

–q <url> query_contents Script ∩ URLC

Policy Director b /cgi_bin/ ñMΣ

query_contentsC pGo²ºAO query_contents w≤WAo∩∩ WebSEAL ⁿXs

URLC

–r zLXANeJ IP íJ HTTP

YC

–s ⁿwXΣ¼AíC

w]AXD¼AC

-T <resource/resource-group>

GSO ΩΩsWC u –b

gso ∩nAoΩTC


–u <UUID> ⁿwzL¼AX (-s) s

WebSEAL ºß°A UUIDC

–v <virt-host-name> Nϕß°AΩD≈WCo∩

Σ]w≤ß°AWΩD≈C

–v ≈GϕßX°A]

zX°A@ΩΩA

wD≈WYC s²w]

HTTP YnDúDß°Aπ

hWhíΩ°AC zN

WebSEAL tmúBYΩTA

Hw∩ß°A]Q]wΩD

≈nDC

–w Win32 tΣC

LTPA X

–A M LTPA XC

–F <“keyfile”> LTPA cookie Ω[K≈

mC

-Z <“keyfile-password”>

≈KX

WebSEAL ∩ WebSEAL SSL X

–C e WebSEAL °APß WebSEAL

°AºízL SSL iµ¼OC

n –t ssl –t sslproxy ¼C

X∩]P –t local @

–d <dir> X²C **nC**

–f jε≤½sXC

XI

b WebSEAL iWxsñnXmC


sWB °AX@GsWB°AXIC

ykG

add -h <host-name> [<options>] <junction-point>

D≈W

–h <host-name> **n**

ß°A DNS D≈W IP

C

zL SSL ¼O

–D <“DN”> ⁿwß°AuOWvCo

YPΩ DN Ai[j

OC

Proxy X∩]–t tcpproxy M –t sslproxy n∩

–H <host-name> Proxy °A DNS D≈W IP

C

–P <port> PROXY °A TCP ≡C

@δ TCP M SSL X∩

–i WebSEAL °A° URL újp

gC

–j b cookie ñúXOBz Script

ú°A∩ URLC

–p <port> ß≤Ot°A TCP ≡C TCP

Xw] 80FSSL Xw]

443C


–q <url> query_contents Script ∩ URLC

Policy Director b /cgi_bin/ ñMΣ

query_contentsC pGo²ºAO query_contents w≤WAo∩∩ WebSEAL ⁿXs

URLC

–u <UUID> ⁿwzL¼AX (-s) s

WebSEAL ºß°A UUIDC

–v <virt-host-name> Nϕß°AΩD≈WCo∩

Σ]w≤ß°AWΩD≈C

–v ≈GϕßX°A]

zX°A@ΩΩA

wD≈WYC s²w]

HTTP YnDúDß°Aπ

hWhíΩ°AC zN

WebSEAL tmúBYΩTA

Hw∩ß°A]Q]wΩD

≈nDC

–w Win32 tΣC

XI

sW°AXIC


iKeyman z

iKeyman íOi²zzuπCQ

iKeymanAzis≈ΩwBsBsWCA root zΩwBNq@Ωwst@ΩwBV CA nD¼B]ww]≈AH≤KXC

iKeyman íOH Policy Director úº Global Security Kit(GSKit) M≤@í≈C

DDG

¶ 238y iKeyman íz

¶ 239yw] WebSEAL ≈Ωwz

¶ 241ys≈Ωwz

¶ 244ysµpz

¶ 246ysW Root CA z

¶ 247yRú Root CA z

¶ 247ybΩwºísz

¶ 251ynD°Az

¶ 253y¼z

¶ 253yRúz

C


¶ 254yⁿwsw]z

¶ 255y≤ΩwKXz

iKeyman íq@tⁿOµúñ iKeyman íG

WindowsG

MSDOS> /Program Files/IBM/gsk4/bin/gsk4ikm.exe

UNIXG

# /usr/bin/gsk4ikm

X IBMu≈zv°íC

39. IBMu≈zv°í


w] WebSEAL ≈Ωw≈Ωw]t WebSEAL BzíO°AMqAH root CA C

bwñAWebSEAL úw]≈Ωw (pdsrv.kdb)C≈]tw] WebSEAL ]≈ = Policy DirectorH root CA ∩C

Ynw] WebSEAL ≈ΩwAϕUCBJG

1. b IBMu≈zv°íñAqu≈Ωwv\αϕñ∩uvC

2. quvs²°íñAs²UC²G

UNIXG /opt/PolicyDirector/lib/certs

WindowsG C:\Program Files\Tivoli\PolicyDirector\lib\certs

3. ∩G

pdsrv.kdb

4. ÷@UuvC

XuKXúv∩C

5. ΣJw] WebSEAL KXG

pdsrv

6. ÷@UuTwvC

ΩwΩTYΘJz°íC

NAuHv°íñXw] WebSEAL C ≈ “Policy Director”C Xb¬#Pw]C

\240 40C


NuHv∩U\αϕ≤upvC X

@δ rootu≈c (CA)vMµC

\241 41C

40. w] WebSEAL pdsrv.kdb ≈GWebSEAL


s≈Ωw≈Ωw]t WebSEAL BzíO°AMqAH root CA C

bwñAWebSEAL úw]≈Ωw (pdsrv.kdb)C≈]tw] WebSEAL ]≈ = Policy DirectorH root CA ∩C

zi≥w]≈ΩwAsΩwCpGz

@sΩwA"µ WebSEAL Ωw@w]ΩwAhq WebSEALAqΦktm secmgrd.conf ñ ssl-keyfile C\40ytm WebSEAL ≈ΩwzC

Yns≈ΩwAϕUCBJG

41. w] WebSEAL pdsrv.kdb ≈Gp


1. b IBMu≈zv°íñAqu≈Ωwv\αϕñ∩usWvC

XusWv∩C

2. ∩≈Ωw¼µuCMS ≈ΩwvC

3. ΘJWAp key.kdbC

4. ⁿumvµw]A∩µΘJsAOus²v÷s∩sC

5. ÷@UuTwvC

XuKXúv°íC

6. buKXvµΘJKXAMßbuTKXvµA½sΣJKXC

7. ]i∩∩u]w¡ív=∩AMßΘJAϕC

8. ]i∩∩uNKX⌠v=∩C

⌠]tUCWG .sth

zV WebSEAL qs⌠AΦktm

secmgrd.conf tmñ ssl-keyfile-stash C

\40ytm WebSEAL ≈ΩwzC

9. ÷@UuTwvC

XT°íATzws≈ΩwC

42. sW∩


10. ÷@UuTwvC

zwQFs≈ΩwC ½sX IBMu≈zv°íC

b IBMu≈zv°íMzs≈WAπzpC

HUOH iKeyman úpG

¶ RSA Secure Server CA

¶ Thawte Personal Premium CA

¶ Thawte Personal Freemail CA

¶ Thawte Personal Basic CA

¶ Thawte Premium Server CA

¶ Thawte Server CA

¶ VeriSign Class 1 Public Primary CA

¶ VeriSign Class 2 Public Primary CA

¶ VeriSign Class 3 Public Primary CA

¶ VeriSign Test CA Root Certificate

opúOowºu≈c (CA)v rootC WebSEAL o root τqC

pGzXbMµWpAhV CA nDANªsWz≈ΩwC

\246ysW Root CA zC

: uVeriSign Test CA Root CertificatevO@CO CAA]tOFC bN≈ΩwO±Jú

íºeA²ú rootC


sΩw]t@g CA p°AAHK²

WebSEAL i∩qΣL°AOΣ¡C xsbz°íuHvqñC

\251ynD°AzC

\253y¼zC

sµpboúíAz²¿úAMßAHu

⌡µOC Q iKeymanAzi≤µpC µpOHz¡ϕ@ CAo±zvC

: 3HµpXúíFS⌠≤s²qα≈δz°AiµwqHC

bwAWebSEAL ú@ “Policy Director” µpC ziiµAOsµpC

YnsµpAϕUCBJG

1. iKeyman pdsrv.kdb ≈t@q≈C

IBMu≈zv°íDCYπz∩º≈ΩwWAⁿXwC

2. qUMµñ∩uHvC

3. ÷@UusWµpv÷sC

Xusµpv∩C

4. ΘJ≈Ap “test-cert”C

5. ΘJu@δWvMuv]ΓínΩAMß∩uΩavCblµñAⁿw]OΣJ∩s

C

\245 43C


6. ÷@UuTwvC

IBMu≈zv°íuHvµYπzºµpWC

43. sµp


sW Root CA bsWSw CA s root ºeAz²V CA úXnDC C@ CA ∩@úW@C p

Aϕ CA ooΩTC

búXnDq CA ¼ root ºßAYiNªsWz≈ΩwC jí≈ root *.arm í]pAcert.armC

YnsW root CA ΩwAϕUCBJG

1. b IBMu≈zv°íñAqUMµñ∩upvC

2. ÷@UusWvC

XuqsW CA v°íC

1. quΩ¼vU\αϕñA∩uBase64 sX ASCII ΩvC

2. ΘJ root CA WMmA÷@Uus²v∩WMmC

3. ÷@UuTwvC

XuΘJv∩C

4. ΘJ root CA ≈]puVeriSign Root CA vAMß÷@UuTwvC

44. sW CA ∩


bupvµ]tzΦsWº root CA C

Rú Root CA pGzwúQAΣzpMµñΣñ@pA

zRúAϕ root CA C

: bRú root CA ºeA²≈AHzyßi½sP CA root C

YnqΩwñRú root CA ΩwAϕUCBJG

1. b IBMu≈zv°íñAqUMµñ∩upvC

2. ∩],znRú root CA C

3. ÷@UuRúvC

XuTv°íC

4. ÷@UuOvC

upvµNúAXzΦRúº root CA C

bΩwºísbF]wMH⌠⌠⌠µpAz

iαonq@ΩwñsANªsWt@

ΩwC bΩwºíΦkTG

¶ FqsW

¶ qΩwJ

¶ XΩw


FqsWYnq]≈ΩwAMßsW

]≈ΩwAϕUCBJG

1. uv≈ΩwC

2. q IBMu≈zv°íU\αϕñA∩znXº¼GuHvupvC

3. ∩nsWt@ΩwC

4. Yz∩uHvA÷@Uuv÷sC Yz∩

upvA÷@Uuv÷sC

Xuv°íC

5. quΩ¼vU\αϕñA∩uBase64 sX ASCII ΩvC

Ω¼PxsbñºΩ¼C

iKeyman uπΣ Base64 sX ASCII MGi DER sXC

6. ΘJnbΣñxsWMmA÷@Uus²v∩WMmC

7. ÷@UuTwvC

YgJⁿwC

YnNqsWΩwAϕUCBJG

1. ≈ΩwC

45.


2. ∩zQnsW¼GuHvupvC

3. ÷@Uuw∩psWv¼C ÷@Uuw∩H

¼v¼C

4. ΘJbzWMmC z]iHus²v÷sC

5. ÷@UuTwvC

6. XuTv°íAnDz∩On²¿w]C ÷@UuOvuvC

bwsWΩwAXbMµñC

qΩwJYnq]≈ΩwJ]≈ΩwA

ϕUCBJG

1. uv≈ΩwC

2. q IBMu≈zv°íU\αϕñA∩znXº¼GuHvupvC

3. ÷@UuJ/Xv÷sC

XuJ/X≈v°íC

4. qu∩@¼vñ∩uJvC

5. qu≈¼vU\αϕñA∩ CMS ≈ΩwC

46. q¼


6. ΘJ]tzQJº≈ΩwWMmC z]iHus²v÷sC

7. ÷@UuTwvC

πuKXúv°íC

8. ΘJKXAMß÷@UuTwvC

Xuq≈Mµñ∩v°íC

9. ∩znJAMß÷@UuTwvC

bYXbΩwMµñC

XΩwYnq]≈ΩwX]≈ΩwA

ϕUCBJG

1. uv≈ΩwC

2. q IBMu≈zv°íU\αϕñA∩znXº¼GuHvupvC

3. ∩],znXC

4. ÷@UuJ/Xv÷sC

XuJ/X≈v°íC

5. qu∩@¼vñ∩uXvC

47. J/X≈


6. qu≈¼vU\αϕñA∩ CMS ≈ΩwC

7. ΘJzQ∩Σeº≈ΩwWMmC z

]iHus²v÷sC

: ñX@h÷≤≤½ΩwTºC ÷@U

uOvCXNusWΩwC ú≥

ó⌠≤C

8. ÷@UuTwvC

πuKXúv°íC

9. ΘJΩwKXAMß÷@UuTwvC

10. ϕzΩwAMµñNXwXC

nD°AWebSEAL n CA pHK∩ SSL qOΣ¡CWebSEAL iαnúP°AΣLOD]pPjunctioncp –K Xí°AC

iKeyman íi²zúieAϕ CA nDC

YnúnDAϕUCBJG

48. J/X≈


1. b IBMu≈zv°íñAqUMµñ∩uHnDvC

2. ÷@UusWvC

Xus≈MnDv∩C

3. ΘJnD≈C

4. ΘJu@δWvMuvAMß∩uΩavC

blµñAⁿw]OΣJ∩sC

5. b°íAΘJWMmC z]iHus

²v÷sC

6. ÷@UuTwvC

XT°íATzwQsnDC

7. ÷@UuTwvC

uHnDvµYπzºsnD≈

C

49. s≈MnD


8. eAϕ CA nDsAONnD$UKJ CA ⌠ñnDϕµC

¼b CA eswpzºßAzNªsWzqñúnD≈ΩwC

Yn¼AϕUCBJG

1. b IBMu≈zv°íñAqUMµñ∩uHvC

2. ÷@Uu¼vC

Xuq¼v°íC

3. quΩ¼vU\αϕñA∩uBase64 sX ASCII ΩvC

4. ΘJsWMmCz]iHus²v÷sC

: pG CA e]qll≤Tº@í≈AzN$KOC

5. ÷@UuTwvC

6. XuΘJv°íC

7. ΘJsAMß÷@UuTwvC

buHvµ]tsC

RúpGzúAnzΣñ@AzqΩwñ[H

RúC

: bRúºeA@≈AHzyßQn½s[HC


YnRúAϕUCBJG

1. b IBMu≈zv°íñAqUMµñ∩uHvC

2. ∩],znRúAMß÷@UuRúvC

XuTv°íC

3. ÷@UuOvC

uHvµñYúAX∩ºC

ⁿwsw]iKeyman íi²zⁿww]A WebSEAL b≈Ωw]t@HWuHvC ]pGzw

lbíñµp]≤AP

Ñz∩º CA íAhzΩwñiα@HWC

b¼ CA wpºßAziNµpOdbΩwñAN CA oXⁿww]AlªCw]OHΣeP (*) ϕC

@¼¿µpQw]

C C ¼sµpA

ú²z∩s¿w]C úLAz]i

HHTa≤w]C

Yn≤w]AϕUCBJG

1. b IBMu≈zv°íñAqUMµñ∩uHvC

w]OHΣeP (*) ϕC

2. ∩t@n]w]AMß÷@Uu°/sΦvC z]iH÷ΓUC

Yπu≈ΩTv°íC


3. ∩uN]¿w]v=∩AMß÷@UuTwvC

bXYw]AΣe@P

(*)C

≤ΩwKXiKeyman uπi²z≤≈ΩwKXC

Yn≤≈ΩwKXAϕUCBJG

1. ≈ΩwC

2. qu≈ΩwvUí\αϕñA∩u≤KXvC

Xu≤KXv°íC

3. buKXvµΘJsKXAMßbuTKXvµA½sΣJKXC

4. nA∩u]w¡ív=∩C

5. nA∩uNKX⌠v=∩C

6. ÷@UuTwvC

¼ACñTºⁿXwQ¿nDC


HñσrAσrASϕ

º CC

eTfTnJh 55

ef¼OX 144

e°, request.log 50

σ≤ 29

p 31

Mú 30

σ≤²

≤m 26

e¡fi 11

se°A 11

sß°A 14

gO, ε 71

² 27

e"fwh

4

O@½≤h 4

W 4

ACL h 4

eCfp 31

≤sqÑ 45, 46

eKfϕµíO 97

≈Ωw¼ 38

eEfO@Φ

D≈ 44

w]Ñ 43

⌠⌠ 44

O@Φ POP h 70

O@Ñ 3

O@Ω 3

e WebSEAL °A

s 46

ßíΣ 193


eQfHA

tm WebSEAL 199

º[ 198

d 200

², WebSEAL w 19

OO 106

Oⁿ, HTTP 48

eQ@fA URL

≤s, dynurl update 203

Mg ACL ½≤ 201

úsε 201

º[ 201

R 204

∩ POST nD[W¡ε 205

KnMNN 206

d 208

dynurl-allow-large-posts 205

dynurl-map 202

GET M POST Φk 204

post-max-read 205

≥O

tm 95

KXjh 57

X

¼O (-D, -K, -B, -U, -W) 144

Σújpg URL (-i) 155

D≈∩ (-h) 141

n∩ 141

b HTTP Yñú IP (-r) 154

b HTTP Yñúq¡≈ (-c) 152

¼AXΣ (-s, -u) 162

BA YO (-B, -U, -W) 146

X (≥)

Cookie Bz°A÷

URL 157

Script LoBz∩ URL 159

XMgBz°A÷

URL 160

ⁿ 139

ⁿOí 229

ⁿwß UUID (-u) 163

NÑq@ cookie eßJf°A

154

jεsX (-f) 151

jε\iv 169

XMgϕµ 160

Bz Script URL (-j) 156

º[ 8, 138

ⁿhí°A 167

LoRA HTML URL 168

snJ (GSO) 183

O 169

¼∩ (-t) 141

DN ±∩ (-D) 145

gso ∩ (-b gso, -T) 186

LTPA (-A, -F, -Z) 189

pdadmin server task 140

Proxy X (-H, -P) 148

WebSEAL q (-K) 146

WebSEAL ∩ WebSEAL (-C) 149

Windows t (-w) 166

-b filter 182

-b gso 183

-b ignore 181

-b supply 179

-b ∩∩¼OXvT 147

vΩwm 45

Mú 30


eQGfµ@nJ

b BA Yñúq¡≈ 178

tm GSO 187

º 178

snJ (GSO) 183

CDSSO 113

e-community 119

LTPA (WebSphere) 188

-b filter 182

-b gso 183

-b ignore 181

-b supply 179

nJ 35

ú¼p 93

nJú

¼p 93

nX 35

iÑO 61

Ñq@ cookie 83

84

Ñq@ ID Ω¼ 86

Ñq@

GSKit 79

WebSEAL 79

Ñq@¼A

Ñq@ ID Ω¼ 86

Ñq@ cookies 84

Ñq@ cookie 83

z 79

Ñq@Ω¼ 76

eQTfLoRA HTML URL

∩ URL 168

server-relative-URLs 168

O 81

O

HTTP M HTTPS 23

eQf⌠⌠¼O POP h 67

eQ¡fsnJ (GSO) 183

Y 104

194

vΩwm 45

s e WebSEAL °A 46

ⁿ 45

ⁿvΩw 46

eQ"f

≈Ωw¼ 38

z 37

GSKit 37

iKeyman 37

íO 99

ßOnDM 129

eQCfíΣ , ß 193


eQEf

194

NΩíJ HTTP Y 196

íJ LDAP Ω 195

o

º[ 7

EPAC 8

eGQGfO

ΣΦk 77

ΣÑq@Ω¼ 76

6

ϕµ 97

O 106

tmh½Φk 92

tmº[ 90

≥O 95

nJú 93

º[ 5

99

A 76

CDSSO 113

e-community 119

HTTP Y 103

IP 105

MPA 107

OΦk, Kn 77

Oj POP h 61

Aaccept-client-certs 101

account-locked 35

acct_locked.html 36

ACL h, WebSEAL S 53

acnt-mgt q¿ 35

agents 48

agents-file 48

agent.log 48

d 52

authentication-levels q¿ 61, 67

authtoken-lifetime 118

aznapi-configuration q¿ 45

Bbackicon 27

basicauth-dummy-passwd 179

basic-auth-realm 95

ba-auth 95

Ccache-refresh-interval 46

CDMF @íw 114

cdsso 116

CDSSO O 113

cdssoauthn 116

cdsso-auth 116

cdsso-peers q¿ 117

cdsso_key_gen 89, 117, 130

cert-ssl 102

CGI í]p

Σ 191

Σ WIN32 ⌠ 192

cgi-environment-variables q¿ 192


cgi-timeout 24

cgi-types q¿ 28

client-connect-timeout 23

content-caches q¿ 29

CRL d 42

Ddb-file 45

default-webseal ACL h 54

directory-index 27

diricon 27

disable-ssl-v2 22

disable-ssl-v3 22

disable-tls-v1 22

doc-root 25

Dynamic Business Entitlement 194

dynurl update 203

dynurl-allow-large-posts 205

dynurl-map 202

dynurl.conf 201

Eec-cookie-lifetime 134

entitlementADynamic Business 194

entrust-client 104

e-community cookie 128

e-community O 119

\α 121

ußOvO[K 130

tm 131

Bzy 122

ußOvnDM 129

ußOvO 130

e-community cookie 128

e-community-name 132

e-community-sso-auth 131

FFailover Cookie, tm 87

failover-auth 89

failover-cookies-keyfile 89

failover-cookie-lifetime 90

filter-url q¿ 50, 169

flush-time 50

forms-auth 97

GGET Φk 204

gmt-time 49

GSKit 37

¼ 38

GSKit Ñq@ 79

tm 82

GSO 183

tm GSO 187

GSO , tm 187

gso-cache-enabled 187

gso-cache-entry-idle-timeout 187

gso-cache-lifetime 187

gso-cache-size 187

Hhelp 35

help.html 36

HTML q 35

¿Σ 36


http 21

HTTP @Θxµí 51

HTTP Oⁿ 48

HTTP Yñ LDAP Ω 194

HTTP YO 103

HTTP Tº 31

¿Σ 34

httpauthn 104

https 22

https-port 22

https-timeout (junctions) 24

http-headers-auth 103

http-port 21

http-request 104

HTTP-Tag-Value 197

http-timeout (junctions) 24

HTTP_IV_CREDS 152, 192, 194

HTTP_IV_GROUPS 152, 192, 194

HTTP_IV_REMOTE_ADDRESS 154

HTTP_IV_USER 152, 192, 194

IiKeyman 40

¼O SSL X 145

bΩwºís 247

Rú root CA 247

Rú 253

sµp 244

s≈Ωw 241

ⁿwsw] 254

nD°A 251

¼ 253

238

w]≈Ωw 239

sW root CA 246

º[ 42

iKeyman (≥)

≤ΩwKX 255

SSL ¼X 143

WebSEAL 101

inactive-timeout 81

inter-domain-keys q¿ 130, 134

intra-domain-key 130, 132

IP O 105

ipaddr-auth 105

is-master-authn-server 133

iv-creds 152, 194

iv-groups 152, 194

iv-remote-address 154

iv-user 152, 194

Jjmt ⁿJ 160

jmt-map 160

jmt.conf 160

junction-db 138

Lldapauthn 96, 97

ldap-ext-cred-tags q¿ 196, 197

libcdssoauthn 116

libhttpauthn 104

libldapauthn 96, 97

libsslauthn 102

libtokenauthn 106

listen-flags 46

logging q¿ 50

login.html 36, 98

logout 93

logout.html 36


log-filtered-pages 50

LTPA (WebSphere) 188

tm LTPA 189

tmX 189

LTPA , tm 189

ltpa-cache q¿ 189

ltpa-cache-enabled 189

ltpa-cache-entry-idle-timeout 189

ltpa-cache-entry-lifetime 189

ltpa-cache-size 189

Mmaster-authn-server 133

master-https-port 132

master-http-port 132

max-entries 81

max-size 49

mgt-pages-root 35

mpa 111

MPA O 107

Nnexttoken.html 36

next-token 35

Ppasswd-change 35

passwd-change-failure 35

passwd-change-success 35

passwd-expired 35

passwd-ldap 96, 97

passwd.html 36

passwd_exp.html 36

passwd_rep.html 36

pdadmin server task]X 140

pdadmin h

disable-time-interval 55

max-login-failures 55

max-password-repeated-chars 57

min-password-alphas 57

min-password-length 57

min-password-non-alphas 57

password-spaces 57

pd.conf 196

PD_PORTAL Y 199

pd_start ⁿO 20

persistent-con-timeout 23

ping-time (junctions) 24

pkmscdsso 118

pkmslogout 93

pkmspasswd 94

pkmsvouchfor 129, 133

POP h

O@Φ 70

⌠⌠¼O 67

Oj]iÑ 61

portal-map q¿ 199

POST Φk 204

tm¡ε 205

post-max-read 205

Qquery_contents 170

w 171

q 173

O 175

query_contents.c 171

query_contents.cfg 171


query_contents.exe 171

query_contents.html 171

query_contents.sh 171

Rreferers 48

referers-file 48

referer.log 48

d 52

REMOTE_USER 192

requests 48

requests-file 48

request.log 48

tmeO²° 50

d 51

resend-webseal-cookies 84

Sscript-filter 159

script-filtering q¿ 159

server-name 46

server-root 20

SSL Ñq@ ID 84

sslauthn 102

ssl-id-sessions 84

ssl-keyfile 41

ssl-keyfile-label 41

ssl-keyfile-pwd 41

ssl-keyfile-stash 41

ssl-ldap-server 42

ssl-ldap-server-port 42

ssl-ldap-user 42

ssl-ldap-user-password 42

ssl-max-entries 82

ssl-qop-mgmt 43

ssl-qop-mgmt-default q¿ 43

ssl-qop-mgmt-hosts q¿ 44

ssl-qop-mgmt-networks q¿ 44

ssl-v2-timeout 82

ssl-v3-timeout 82

stepuplogin.html 36, 64

stepup-login 35, 64

Ttcp-port 46

tokenauthn 106

tokenlogin.html 36

token-auth 106

token-cdas 106

token-login 35

Uudp-port 46

unknownicon 27

use-same-session 84, 85

Vvf-token-lifetime 133

vf-url 133

WWebSEAL

Mε°A 20


WebSEAL (≥)

º[ 1

WebSEAL X, \X 137

WebSEAL Ñq@ 79

tm 80

webseald.conf

m 18

≥ 213

º[ 18

webseal-cert-keyfile 40

webseal-cert-keyfile-label 40, 101, 169

webseal-cert-keyfile-pwd 40

webseal-cert-keyfile-stash 40

webseal-mpa-servers s 110, 111

WebSphere LTPA 188

WIN32 ⌠, Σ 192

worker-threads 22


Printed in Australia

GC40-0635-01