Tivoli SecureWay PolicyDirector WebSEALzΓU
3.8
Tivoli SecureWay Policy Director WebSEAL zΓU
@vn
© Copyright IBM Corporation 2001. All rights reserved. uαuTivoli Systems nΘvXvBuIBM nΘvXv uIBM ßvXvuTivoli úl[XvC X⌠≤í≈bo IBM q\ivºeAúúoH⌠≤í⌠≤ΦkBqlíB≈±íBCΘBBBΓÑsBα½BgBxsbtWα½⌠≤qúyÑCIBM qP Qß¡\ivis@≈i\¬σ≤wΣL QßvABbñAC@≈ú]t IBM q@vnCbo IBM q\iveAúPß⌠≤ΣL@vv¡C σ≤ú@úºBuHu¼vúAúú⌠≤íOdC búσ≤OA]AASwiΓMAC
U.S. Government Users Restricted Rights—Use, duplication or disclosure restricted by GSA ADPSchedule Contract with IBM Corporation.
IBM, the IBM logo, Tivoli, the Tivoli logo, AIX, Cross-Site, NetView, OS/2, Planet Tivoli, RS/6000, Tivoli Certified, Tivoli Enterprise, Tivoli Enterprise Console, Tivoli Ready and TME are trademarks of IBM Corporation or Tivoli Systems Inc. in the United States and/or other countries.
Microsoft, Windows, Windows NT and the Windows logo are trademarks of Microsoft Corporation in the United States and/or other countries.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States and/or other countries.
N
bXñú Tivoli Systems IBM úBíAúϕªb Tivoli Systems IBMτΩañúúC búoúBíAúϕuα Tivoli Systems IBM úBíACunúH Tivoli System IBM ÷z]úΣLⁿkO@v¡A⌠≤\αÑúBíAúiNbúúBíAC ²PΣLús@⌠PτAúD Tivoli Systems IBM SOⁿwAúMΣd⌠≤Cbσ≤ñiα]t Tivoli Systems IBM ºMQMQC ú ezMQº⌠≤vC ÷vΦdAHHτH IBM Director of Licensing, IBMCorporation, North Castle Drive, Armonk, New York 10504-1785, U.S.A.
²
eÑ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiiiΓUA∩H . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
ΓUe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv
rΘD. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv
Policy Director ÷σ≤ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi
suWσ≤ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi
qíσ≤ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xviii
úúíσ≤QNú . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xviii
pßΣñ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xviii
1 WebSEAL º[ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
H WebSEAL O@z Web í . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Oe¼MO@h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
WΩIwh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
A WebSEAL O . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
O . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Ao. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Mv (EPAC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
A WebSEAL X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
WebSEAL XP⌠i . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2 WebSEAL °Atm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
@δ°AΩT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
webseald.conf tm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
WebSEAL w² . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
WebSEAL °A² . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Mε WebSEAL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
tmqH. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
w∩ HTTP nDtm WebSEAL . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
w∩ HTTPS nDtm WebSEAL . . . . . . . . . . . . . . . . . . . . . . . . . . 22
¡εSw SSL su . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
tm HTTP M HTTPS u@⌡µⁿ . . . . . . . . . . . . . . . . . . . . . . . 22
HTTP/HTTPS qHO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
ΣL WebSEAL °AO . . . . . . . . . . . . . . . . . . . . . . . . . 24
z Web í . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Web σ≤≡² . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
tm². . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
WindowsGCGI íRWD . . . . . . . . . . . . . . . . . . . . . . . . 28
tm Web σ≤ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
tm HTTP Tº . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
¿Σ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
zq HTML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
qM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
q HTML í . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
zqM°A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
F GSKit ≈Ωw¼ . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
tm WebSEAL ≈Ωw . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
iKeyman zí . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
tm CRL d . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
tmw]O@ΦÑ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
tmWD≈M⌠⌠ QOP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
tmvΩw≤sMⁿ. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
tm≤sqÑ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
tmvΩwⁿ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
se WebSEAL °A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
tm HTTP Oⁿ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
M HTTP Oⁿ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
ⁿwíWO¼ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
ⁿwΘxα½ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
ⁿwMúΘxwWv . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
tmO²≤ request.log e° . . . . . . . . . . . . . . . . . . . . . . . . . 50
HTTP @Θxµí]A≤ request.log . . . . . . . . . . . . . . . . . . . 51
π request.log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
π agent.log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
π referer.log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
3 WebSEAL wh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
WebSEAL S ACL h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
/WebSEAL/<host>. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
/WebSEAL/<host>/<file> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
WebSEAL ACL \iv. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
w] /WebSEAL ACL h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
TnJh. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
ⁿOyk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
KXjh. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
pdadmin í]wKXjh. . . . . . . . . . . . . . . . . . . . . 57
ⁿOyk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
LKXd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
SwMs]w . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Oj POP h]iÑ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
tmiÑOh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
iÑO. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
iÑnJϕµ. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
iÑOtΓk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
iÑONM¡ε . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
⌠⌠¼O POP h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
tmOh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
ⁿw IP Md≥ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
IP iÑO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
⌠⌠¼OtΓk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
⌠⌠¼ONM¡ε. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
O@Φ POP h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
BzgO (HTTP / HTTPS). . . . . . . . . . . . . . . . . . . . . . . . . 71
BzWqoXnD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
jεnJ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
gO HTTPS í . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
H ACL/POP hεgO . . . . . . . . . . . . . . . . . . . . 72
4 WebSEAL O . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
AO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
ΣÑq@Ω¼ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
ΣOΦk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
tmΩTí . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
zÑq@¼A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
GSKit M WebSEAL Ñq@ . . . . . . . . . . . . . . . . . . . . . . . . . 79
tm WebSEAL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
tm GSKit SSL Ñq@ ID . . . . . . . . . . . . . . . . . . . . . . . . . 82
Ñq@ Cookie @¼A . . . . . . . . . . . . . . . . . . . . . . . . . . 83
PÑq@ ID Ω¼ . . . . . . . . . . . . . . . . . . . . . . . . . . 86
tm Failover Cookie . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Otmº[. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
O. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
íq CDAS O . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
WebSEAL Ow]tm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
tmh½OΦk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
nJú . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
nXM≤KXⁿO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
tm≥O. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
M≥O . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
]wΓW. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
tm≥O≈ε . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
tm°≤ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
tmϕµíO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
MϕµíO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
tmϕµíO≈ε . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
tm°≤ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
q HTML ϕµ. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
tmqíO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
IGzL¼O . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
WebSEAL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
MíO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
tmíO≈ε . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
tm°≤ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
tm HTTP YO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
M HTTP YO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
ⁿwY¼ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
tm HTTP YO≈ε. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
tm°≤ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
tm IP O . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
M IP O . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
tm IP O≈ε. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
tmOO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
MOO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
tmOO≈ε . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Σhu Proxy Nz . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Ñq@Ω¼MOΦk . . . . . . . . . . . . . . . . . . . . . . . 108
MPA Mh½qOBzy . . . . . . . . . . . . . . . . . . . . . . . . 110
M MPA O . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
MPA bß . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
sW MPA bß webseal-mpa-servers s . . . . . . . . . . . . . . . . . 111
MPA O¡ε . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
5 ≤⌠nJMΦ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
tm CDSSO O . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
πXq CDMF @íw . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
CDMF CDSSO Oy . . . . . . . . . . . . . . . . . . . . . 114
M CDSSO O . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
tm CDSSO O≈ε . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
OOΩ[K . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
tmOíWO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
ϕ CDSSO HTML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
O@OO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
tm e-Community µ@nJ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
e-Community \αM≥nD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
e-Community y . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
F e-Community Cookie . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
FußOvnDM. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
FußOvO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
ußOvO[K . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
tm e-Community . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
6 WebSEAL X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
WebSEAL Xº[ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
XΩwmMµí . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
MwqWsεGJ . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
MwqδsεGJ . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
WebSEAL XIⁿ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
WebSEAL Σ HTTP 1.0 qLX . . . . . . . . . . . . . . . . . . . . . 140
WebSEAL X [í . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
ypdadmin server taskzX . . . . . . . . . . . . . . . . . . . . . . . . . . 140
tm≥ WebSEAL X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
TCP ¼X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
SSL ¼X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
¼O SSL X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
WebSEAL τß°A . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
OW (DN) ±∩ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Hqiµ WebSEAL O . . . . . . . . . . . . . . . . . . . . . . . . 146
H BA Yiµ WebSEAL O. . . . . . . . . . . . . . . . . . . . . . . . . . 146
BzqLXq¡≈ΩT . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
TCP M SSL Proxy X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
WebSEAL zL SSL WebSEAL X . . . . . . . . . . . . . . . . . . . . . . 149
ΣLX∩ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
jεsX (–f) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
b HTTP Yñúq¡≈ (–c) . . . . . . . . . . . . . . . . . . . . . . 152
b HTTP Yñúq IP (–r) . . . . . . . . . . . . . . . . . . . 154
NÑq@ Cookie eXJf°A (–k) . . . . . . . . . . . . . . 154
Σújpg URL (–i) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Bz Script Mqí URL (–j) . . . . . . . . . . . . . 156
HXMgBz°A∩ URL . . . . . . . . . . . . . . . . . . . . . . . . . . 160
¼AXΣ (–s, –u) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
∩¼AXⁿwß°A UUID (–u). . . . . . . . . . . . . . . . . . 163
X Windows t (–w) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
WebSEAL XNNG . . . . . . . . . . . . . . . . . . . . . . . . . 167
bP@XWⁿhí°A . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
qX°ALoRA HTML URL . . . . . . . . . . . . . . . . . . . . . . 168
jε\ivqLX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
zLXiµO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
∩≤Ot°A query_contents . . . . . . . . . . . . . . . . . . . . . . . . . . 170
w query_contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
b≤Ot UNIX °AWw query_contents . . . . . . . . . . . . . . 171
b≤Ot Win32 °AWw query_contents. . . . . . . . . . . . . . 172
q query_contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
O query_contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
7 Web µ@nJMΦ . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
w∩µ@nJMΦtm BA Y . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
µ@nJ (SSO) º . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
b BA Yñúq¡≈ . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
úq¡≈MPKX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
αlq BA YΩT . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
úq BA YΩT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
q GSO úWMKX . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
snJ (GSO) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
MgOΩT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
tmw GSO WebSEAL X . . . . . . . . . . . . . . . . . . . . . . . 186
tm GSO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
w∩ IBM WebSphere (LTPA) µ@nJ . . . . . . . . . . . . . . . . . . . . . . 188
tm LTPA X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
tm LTPA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
LTPA µ@nJNN . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
8 íπX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Σ CGI í]p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
WindowsGΣ WIN32 ⌠. . . . . . . . . . . . . . . . . . . . . . . . . . 192
Σß°Aí . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Dynamic Business Entitlements . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
LDAP Ω Business Entitlements. . . . . . . . . . . . . . . . 195
mqHA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
w∩HAtm WebSEAL . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
HAd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
VA URL úsε . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
A URL $≤ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
N ACL ½≤MgA URL . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
w∩A URL ≤s WebSEAL . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
R½≤íñA URL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
POST nDtm¡ε . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
KnMNN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
A URL dGTravel Kingdom . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
wh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
wq. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
sε . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
²A. webseald.conf . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
²B. WebSEAL X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
ypdadmin server taskzX . . . . . . . . . . . . . . . . . . . . . . . . . 229
XⁿO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
l°AsX. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
sWB°AX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
²C. iKeyman z . . . . . . . . . . . . . . . . . . . . . . . . . 237
iKeyman í . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
w] WebSEAL ≈Ωw . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
s≈Ωw . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
sµp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
sW Root CA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Rú Root CA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
bΩwºís . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
FqsW . . . . . . . . . . . . . . . . . . . . . . . . . 248
qΩwJ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
XΩw . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
nD°A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
¼ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Rú . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
ⁿwsw] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
≤ΩwKX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
eÑ
w∩ Tivoli SecureWay Policy Director WebSEAL zΓUC
Tivoli SecureWay Policy Director WebSEAL Ow∩ Web ¼Ω Policy Director ΩwzíC WebSEAL O@¬αBh½⌡µⁿ Web °AA∩≤ⁿO@ Web ½≤íwqδwhC WebSEAL iúµ@nJMΦANßWeb í°AΩJΣwhC
zΓUú@MΩTAizzw
Web ⌠ΩCΓUúz÷≤d≥sx WebSEAL\α½nIMºΩTC
ΓUA∩HΓU¬G
¶ wz
¶ twPípz
¶ ⌠⌠tz
¶ IT ]p
¶ ío
ΓUe
¶ 1 GWebSEAL º[
½n WebSEAL ºM\αApGsO@z½≤íBOBoAH WebSEAL XC
¶ 2 GWebSEAL °Atm
O@δ WebSEAL tm@NíA]AGz WebíBOBzBBzgOAH
WebSEAL S ACL M POP hC
¶ 3 GWebSEAL wh
úb WebSEAL WqwhNA]AGACL M POP hBO@ΦBiÑOhB⌠⌠¼OhBTnJhAHKXjhC
¶ 4 GWebSEAL O
ú]w WebSEAL zUOΦkNA]AGWMKXBqBSecurID OqµNXAHSϕ HTTP YΩC
¶ 5 G≤⌠nJMΦ
QF WebSEAL Proxy tmí — qP
WebSEAL °Aºí≤⌠nJMΦC
¶ 6 GWebSEAL X
O]w WebSEAL XπNíC
¶ 7 GWeb µ@nJMΦ
QF WebSEAL Proxy tmí — WebSEAL °APßXí°Aºíµ@nJMΦC
¶ 8 GíπX
QUíU≤πX≤Otí\α
WebSEAL \αC
¶ ² AGwebseald.conf
¶ ² BGWebSEAL X
¶ ² CG iKeyman z
rΘDΓU∩SwNyM@rΘDCoDNq
pUG
Θ ⁿOWM∩B÷ΣrHzΣLΩTN
HΘπC
Θ zúBⁿOHΘπC X
DSOjr&y]HΘπC
Ñe íXdBⁿOµB⌡ΘXBM²WAH
tTºHÑer¼πC
Policy Director ÷σ≤UϕJF Tivoli SecureWay Policy Director Σ⌠ñíi Policy Director σ≤G
Tivoli SecureWay Policy Director Nσ≤
wΓU
Tivoli SecureWay Policy Director ≥wΓU
Tivoli SecureWay Policy Director WebSEAL wΓU
zΓU
Tivoli SecureWay Policy Director Base zΓU
Tivoli SecureWay Policy Director WebSEAL zΓU]σ≤
Tivoli SecureWay Policy Director Plug-in for Edge Server zΓU
Tivoli SecureWay Policy Director Web Portal Manager zΓU
oHΓU
Tivoli SecureWay Policy Director Authorization ADK Developer Reference
Tivoli SecureWay Policy Director Authorization API Java Wrappers
Developer Reference
Tivoli SecureWay Policy Director Administration API Developer Reference
Tivoli SecureWay Policy Director WebSEAL Developer Reference
Ríσ≤
Tivoli SecureWay Policy Director N
Tivoli SecureWay Policy Director Performance Tuning Guide
Tivoli SecureWay Policy Director Capacity Planning Guide
suWσ≤Tivoli ßΣñ⌠ (http://www.tivoli.com/support/) úUCíσ≤ΩTG
¶ NΩTA]A NBwPtmΓUBzΓU
íoΓUC
¶ úD]FAQ
¶ nΘUⁿΩT
ziHbUCmΣußΣñΓUv]ΣAⁿ
G http://www.tivoli.com/support/getting/C
zib http://www.tivoli.com/support/documents/ ñsTivoli uWXC÷@UDniMΣSwúΣ
⌠C
zib
https://www.tivoli.com/secure/support/Prodman/html/AB.html#SecurityñúMΣ Policy Director Níσ≤C
í≈úíσ≤ PDF HTML µíCí≈ú]α½σ≤C
bzsjí≈σ≤Azn ID MKXC Yno ID HKbΣ⌠WAe
http://www.tivoli.com/support/getting/C
sΓpo Tivoli Níσ≤PΣ÷ΩTA\http://www.tivoli.com/support/smb/index.htmlC
pGOX@±Axviiiyqíσ≤zAHo÷≤p≤o Tivoli Níσ≤÷ΩTC
qíσ≤ziq
http://www.tivoli.com/support/Prodman/html/pub_order.htmluWq Tivoli íσ≤AUCqXº@G
¶ United States: (800) 879-2755
¶ Canada: (800) 426-4968
úúíσ≤QNúNαÑz∩≤ Tivoli úíσ≤oAP]w∩zúXUA@∩iC pGz∩
úíσ≤⌠≤NúAQUCΣñ@ΦkP
pG
¶ Nqll≤ [email protected]
¶ http://www.tivoli.com/support/survey/ ±gßNúdϕC
pßΣñTivoli Customer Support Handbook ObG
http://www.tivoli.com/support/handbook/
úuTivoli ßΣñvUh÷ΩTA]AUCUG
¶ nOPΩµ
¶ pΣΦíF°DY½w
¶ qXMqll≤F°zbΩaw
¶ pΣºeΩT
WebSEAL º[
Tivoli SecureWay Policy Director WebSEAL O@í¬αBh½⌡µⁿ Web °AA∩≤ⁿO@ Web ½≤íwqδwhC WebSEAL iúµ@nJMΦANßWeb í°AΩJΣwhC
º[ WebSEAL °ADn\αC
DDG
¶ yH WebSEAL O@z Web íz
¶ 5yA WebSEAL Oz
¶ 7yAoz
¶ 8yA WebSEAL Xz
H WebSEAL O@z Web íTivoli SecureWay Policy Director WebSEAL Ow∩ Web ¼Ω Policy Director ΩwzíC
WebSEAL O@¬αBh½⌡µⁿ Web °AA∩≤ⁿO@ Web ½≤íwqδwhC WebSEAL iúµ@nJMΦANß Web í°AΩJΣwhC
WebSEAL úUC\αG
¶ Σh½OΦk
tmúiúΣUO≈εuC
¶ ⁿ HTTP M HTTPS nD
¶ zL WebSEAL XNπXO@ß°AΩ
¶ w∩Mß°A Web íAzwqδsε
ΣΩ]A URLBH URL ≥ª WϕíBCGI íBHTML BJava servlet M Java OC
¶ ⌡µ@V Web proxy
Nq AWebSEAL O Web °AANΣO@Xß°A AΣ Web s²C
¶ úµ@nJ\α
1. H WebSEAL O@ Web í
Oe¼MO@h¡z Web íwzAz TaOiU¼e¼C YeYKO@AuSw
FΣLehi@δj °C C@wΩ
núPO@DM÷p WebSEAL tmC
zd⌠G
¶ Dz Web e
¶ OnDse¼
¶ A[ji WebSEAL tm∩óAHOe
Web eO@TsxOG
1. @e – ΣsúnO@
¶ zL HTTP gOqs
¶ ≤sεΩgO
¶ ≥ WebSEAL tmD
2. @e – ΣsnpK][K
¶ zL HTTPS gOqs
¶ n[KHO@í°AnD≈KΩ]p
HdXMbßΩT
¶ ≤sεΩgO
¶ WebSEAL tmWwpK
3. pKe – ΣsnO
¶ zL HTTP HTTPS gOqs
¶ zMw[Kn
¶ gO≤sεΩFqb
n²ñwqbß
¶ WebSEAL tmϕ°A∩úpqHPw∩whvT
WΩIwhX@whPOG
1. nO@ Web Ω
2. O@h
Policy Director o Web ΩΩϕΦíAⁿO@½≤íC ⁿO@½≤í]tNϕz⌠⌠ºΩΩΘΩ
½≤C
IµwhΦíO∩nO@½≤MAϕw≈εC
w≈ε]AG
¶ sεMµ (ACL) h
ACL hOiQsⁿw½≤W(\º@¼C
¶ ⁿO@½≤h (POP)
POP ⁿw [°≤AΣΣt∩ⁿO@½≤ºsAppKBπBfΘísC
¶ XR
XROm≤½≤BACL POP W [AΣi$≤Otí]píA≈c[H¬C
Policy Director $≤uA≈c]AuthorizationServicev— ΣHm≤½≤WsεA
(\ ∩ⁿO@½≤]ΩsC
YnQIµwhAzHΦΦísúPe¼
]\yWΩIwhzñíAMAϕ
ACL M POP hC sεziαDcAYαpOe¼ANiΣµhC
A WebSEAL OOOO nJw⌠ºOBzΩΘΦkC ϕ
°AqúnDOAΣiµµ½Y¼
OC
WebSEAL ijεbw⌠ñIµ¬wAΣΦknDC@qúΣ¡≈C ϕ WebSEAL ε∩w⌠C@ΩºsAWebSEAL nDOviúD⌠⌠wC
bwtmñAOO≤vCvPwgOO
v∩SwΩ⌡µ@C OuOTwHOTΣ
¡≈AP∩Ω⌡µ@αOLAC
UC°≤A≤ WebSEAL OG
¶ WebSEAL Σ@OΦkC
ziq WebSEAL ΣΣLOΦkC
¶ WebSEAL BzPOΦkUWB@C
2. ¼O
¶ WebSEAL unq¡≈C WebSEAL zL¡≈ogO]gOAΣiuA≈cv
(\ ∩ΩsC
ouOΦki²whHD≥ªAD≥≤
ΩΘ⌠⌠C
O÷M WebSEAL POBzL÷A²O WebSEAL nOG—q¡≈COBz PUC@G
1. OΦkúq¡≈
b Policy Director n²ñwq@bßAqO)Q¿C hAQⁿwg
OC
2. WebSEAL ¡≈oqC
WebSEAL ±∩gOq¡≈PwnO Policy DirectorC Mß WebSEAL oA≤CoNOoC
]AWHbΣñπ¿ΩµsC
pGOWAWebSEAL m@gOC
oiuA≈cv(\ ∩ WebSEALO@½≤íñnD½≤ºsC
i⌠≤nq÷ΩT Policy Director AíC i² Policy Director wa⌡µ hAApvBfeUC
÷≤ΣSwOΦki@BΩTA\ 7 5yWebSEAL OzC
AoOBzΣñ@DnOoíq
ΩTC OPw⌠Σñ@Dn≥nDC
Policy Director OPoC ¡≈&OTwC MA—ΣwqbΣñPsñΓ—oOC⌠SHí∩C pAϕYH
*EAMs dh C
OBzúΦkS¡≈ΩTCoΩT±∩s
±b Policy Director n²]w] LDAPñbßΩTC WebSEAL NWMsΩTMg@P⌠ϕΦíAHuExtended Privilege AttributeCertificate]EPACvµíC
ΦkS¡≈ΩT]pKXBONϕΩ
¡≈eC oΩTiP°AwÑq@C
ú]ΣNϕbw⌠ñMvHSwW
UσíABubÑq@RgC
Policy Director ]t¡≈HbΣñπ¿ΩµsC
3. Mg¡≈ΩT
Mv (EPAC)i⌠≤nq÷ΩT Policy Director AíC
pAuA≈cvPwOgvi∩
w⌠ñⁿO@Ω⌡µSw@C
EPAC ]tu@sOX]UUIDvAΣ Policy DirectornPsεMµ]ACL@ftC
Policy Director ∩ΣLAApG
¶ fA
¶ WebSEAL Xñe⌠\α
UC EPAC µA≤ Policy DirectorG
í
w⌠ ID Principal lw⌠ ID
Principal UUID Principal UUID
s UUID Principal ºs UUID
A WebSEAL XPolicy Director ú⌠⌠OBvzAC bH Web ≥ª⌠⌠ñAoO@híe WebSEAL °AαúnAAΣπXO@≤ß Web °AW Web ΩMíC
WebSEAL °APß Web í°AºísuYWebSEAL XOXC WebSEAL XOe WebSEAL °APß°Aºí TCP/IP suC
ß°Ait@í WebSEAL °AO]≤ú≤Ot Web í°AC ß°A Web íb WebSEAL
iWxsñSOⁿwX]ⁿIBAusv
WebSEAL °AC
Xi² WebSEAL Nϕß°AúO@AC WebSEALbnDß°AºeAi∩nD⌡µOv
dC pGß°An∩Σ½≤iµwqδsεAh
z⌡µBtmBJAHK∩ Policy Director wAíí≤Ot Web í]\170y∩≤Ot°A query_contentszC
Xú@iíBw⌠AΣe\¡ΩyqB¬i
BM¼Az\α—qiHMí í⌡µípC¡@zAziⁿq≤ñiWxszC
WebSEAL Xú@ [ AYHΦΦíNß°AWeb íP WebSEAL °A Web íXC X@°AºíXúµ@B@Bí Web íAΣLíAB∩zqC
qqúD Web ΩΩmC WebSEAL NΦURL α½¿ß°AwΩC Web ½≤ib°AºíAúvTqs½≤ΦíC
4. Xs WebSEAL Pß°A
g@ Web íitzºΩzC ΣªzuI]AiB¡Ωyq¬iC
jí≈ Web °ASwqΦ Web ½≤íαOC AΣsεOsΩΘM²cC
WebSEAL Xizqwq½≤íAΣMcAD Web °AWúΩΘ≈M²cC
5. WebSEAL Xú@ Web í
WebSEAL Xi²zµ@nJMΦC µ@nJtmi²@ lnJYisΩ]LΩmb
≤BC iMíBzß°A⌠≤i@BnJ
DC
WebSEAL XO@i²z⌠ÑIu½nuπC$ [B°AAXi²z⌠WWDC
WebSEAL XP⌠iWebSEAL Xií⌠C ϕ⌠DXWAzi÷aK[°AXR⌠\αC
≥≤UCz$AiWKB°AG
¶ HBeXR⌠
¶ w∩¡ΩyqBó ¬iAsse
se WebSEAL °A∩ß°AXΣl≤+@íe WebSEAL °ACse WebSEAL °AbjyqDíA∩⌠ú¡ΩyqC ¡Ωyq≈εO$p IBM Network Dispatcher Cisco Local Director Ñ≈εBzC
e°A∩⌠úó \α— pG@í°A
]GóAl°AN≥ú∩⌠sC ¿\
¡Ωyqó \αA∩⌠ú¬i
C
ϕzse WebSEAL °AAC@í°Aú]AWeb íMXΩwπC
ObßΩTbPe°AL÷n²ñC
Σß°A⌠ei$ WebSEAL °A¡Bß°A]ΓX°AC WebSEAL XΣß°AAi²zzL [eMΩAπ⌠±C
C@í@ß°AúXOX]ⁿIC
H∩ΣLeºDXWAizLXsW≤h°AC
oΩ∩jqδΩ≤Ot Web °A⌠⌠Aú@MΦC
6. se WebSEAL °A
U íXp≤ú@BΦ½≤íC o Web ízq≤AiiµñzC
7. Xß°A
Uísß°AXP@XIípC
sß°AYnNi\αß°AtmAzisß°A
C bπse°AípUAsß°A
]tΣºΦMv Web íC
WebSEAL “least-busy” tΓkCzL°Aiµtⁿ¡CotΓkNC@snD V+suw
biµñ°AC
ϕ°A÷¼AWebSEAL ] Taó Ab@)°Aw½sl½s[HC
pGßínzL@Σ¼AAi¼A
XTOC@Ñq@ú≡P@íß°AC
8. @ Web í
9. sß°A
WebSEAL °Atm
ñΩTíFzi⌡µ@δzMtm@Fo@
i²zq⌠⌠ñ WebSEAL °AC
DDG
¶ 18y@δ°AΩTz
¶ 21ytmqHz
¶ 25yz Web íz
¶ 31ytm HTTP Tºz
¶ 35yzq HTML z
¶ 37yzqM°Az
¶ 43ytmw]O@ΦÑz
¶ 45ytmvΩw≤sMⁿz
¶ 46yse WebSEAL °Az
¶ 48ytm HTTP Oⁿz
@δ°AΩTHUí÷≤ WebSEAL °A@δΩTG
¶ y webseald.conf tmz
¶ 19yWebSEAL w²z
¶ 20yWebSEAL °A²z
¶ 20yMε WebSEALz
webseald.conf tmziHb webseald.conf tmñAtmHKq WebSEAL@CObHU²ñG
UNIXG
/opt/pdweb/etc/
WindowsG
C:\Program Files\Tivoli\PDWeb\etc\
UϕJFqMq¿G
q                 q¿
WEBSEAL @δ        [server]
LDAP              [ldap]
SSL               [ssl]
X                 [junction] [filter-url] [filter-schemes] [script-filtering] [gso-cache] [ltpa-cache]
O                 [ba] [forms] [token] [certificate] [http-headers] [auth-headers] [ipaddr] [authentication-levels] [mpa] [cdsso] [cdsso-peers] [failover] [e-community-sso] [inter-domain-keys] [authentication-mechanisms] [ssl-qop] [ssl-qop-mgmt-hosts] [ssl-qop-mgmt-networks] [ssl-qop-mgmt-default]
Ñq@              [session]
e                 [content] [acnt-mgt] [cgi] [cgi-types] [cgi-environment-variable] [content-index-icons] [icons] [content-cache] [content-mime-types] [content-encodings]
Oⁿ                [logging]
AUTHORIZATION API [aznapi-configuration] [aznapi-entitlement-services]
POLICY DIRECTOR   [policy-director]
\213ywebseald.conf zC
: C ≤ webseald.conf AzúHΓΦí½s WebSEALA²s≤C\20yMε WebSEALzC
WebSEAL w²WebSEAL íwbUC²ñG
UNIXG
/opt/pdweb/
WindowsG
C:\Program Files\Tivoli\PDWeb\
Y Windows wAzib Policy Director Wtm⌠CzLkb Policy Director UNIX wWtm⌠C
ΓU <install-path> Nϕo²C
b UNIX wLñAHUW²]tFXj]pfMΘxG
/var/pdweb/
WebSEAL °A²webseald.conf tmñ server-root ObwqWebSEAL °A@mC
[server]
server-root = /opt/pdweb/www
webseald.conf tmñ»z∩⌠WAO∩≤²C
: b ¼pUAzún≤⌠WC
Mε WebSEALziHb UNIX W pdweb_start ⁿOb Windows ñuAεxvMε WebSEAL °AC
UNIXG
pdweb_start start|stop|restart|status
pAYnε WebSEAL °AMßA½sAG
# pdweb_start restart
pdweb_start ⁿOObHU²ñG
/opt/pdweb/bin/
WindowsG
buAεxvñΣX WebSEAL °ABzAMß Tε÷sC
tmqHHUí÷≤ WebSEAL °A@δΩTG
¶ yw∩ HTTP nDtm WebSEALz
¶ 22yw∩ HTTPS nDtm WebSEALz
¶ 22y¡εSw SSL suz
¶ 22ytm HTTP M HTTPS u@⌡µⁿz
¶ 23yHTTP/HTTPS qHOz
¶ 24yΣL WebSEAL °AOz
w∩ HTTP nDtm WebSEALWebSEAL qBz\hgO HTTP nDCpAe\W¬sz⌠qW∩wσ≤O
C
Bz HTTP nD]zL TCPOb webseald.conf tm [server] q¿ñC
/ HTTP sbtm WebSEAL HTTP sG
http = yes|no
]w HTTP s≡HTTP sw]≡ 80G
http-port = 80
pAYn≤≡ 8080A]wG
http-port = 8080
w∩ HTTPS nDtm WebSEALBz HTTP nD]zL SSL (HTTPS)Obwebseald.conf tm [server] q¿ñC
/ HTTPS sbtm WebSEAL HTTPS sG
https = yes|no
]w HTTPS s≡HTTPS sw]≡ 443G
https-port = 443
pAYn≤≡ 4343A]wG
https-port = 4343
¡εSw SSL suziHµWM SSL 2 BSSL 3 M TLS 1sqCεSw SSL M TLS suObwebseald.conf tm [ssl] q¿ñCw]Aw SSL M TLS C
[ssl]
disable-ssl-v2 = no
disable-ssl-v3 = no
disable-tls-v1 = no
tm HTTP M HTTPS u@⌡µⁿwtmu@⌡µⁿⁿw°AiAµiJnD
C tNwbu@⌡µⁿúbúLFΣL
suAu@⌡µⁿiεC
zi]wi WebSEAL AiJsu⌡µⁿC $≤iααvTA]ptmu@⌡µⁿC
otmújεPsuW¡C ouOⁿw
iAiαL¡εu@εCº⌡µⁿC
∩zQu@⌡µⁿAM≤∩z⌠⌠WΩyq
M¼AwC
@δÑAW[⌡µⁿYYεΣ¿nDO¡í
íC MAW[⌡µⁿvTΣL] AΣiα∩°A
αtvTC
WebSEAL @@µ@BPu@MµMu@⌡µⁿxs)ABz TCPBSSL GSSAPI qDkºqnDC oj≈εi² WebSEAL +tΩAoαBz≤Hu@qC
ziHb webseald.conf tm [server] q¿ñ]wworker-threads AHKtmu@⌡µⁿxs)jpC
[server]
worker-threads = 50
: ÑOzub°αD)≤oC
HTTP/HTTPS qHOWebSEAL IBM Global Security Kit (GSKit) SSL IµCϕ WebSEAL ¼ HTTPS qnDAGSKit SSL lµñAB@Ñq@¼AC
WebSEAL w∩ HTTP M HTTPS qHΣHUOCOb webseald.conf tm [server] q¿ñC
¶ client-connect-timeout
@)oFlµñAⁿw WebSEAL nlHTTP HTTPS nDOsuh[Cw] 120 ϕC
[server]
client-connect-timeout = 120
¶ persistent-con-timeout
oM≤ HTTP/1.1]D HTTP/1.0suCb@HTTP/1.1 nD°AºßAoε WebSEALb÷¼ºeANO HTTP/1.1 ≥sujϕC w] 5 ϕC
[server]
persistent-con-timeout = 5
ΣL WebSEAL °AOUCBOO]w≤ webseald.conf tmG
í                         w]]ϕ
[junction] http-timeout   zL TCP XA∩ß°Aeqñ¬OC                                                    120
[junction] https-timeout  zL SSL XA∩ß°Aeqñ¬OC                                                    120
[cgi] cgi-timeout         ∩ CGI Bzeqñ¬OC                                                         120
[junction] ping-time      WebSEAL ∩C@X°A⌡µwI PingAHPwΣOb⌡µñC WebSEAL WvNúWLCj 300 ϕ@]]wC  300
10. HTTP M HTTPS qHO
z Web íUCíz Web í@G
¶ yWeb σ≤≡²z
¶ 27ytm²z
¶ 28yWindowsGCGI íRWDz
¶ 29ytm Web σ≤z
Web σ≤≡²Web σ≤≡mO∩ WebSEAL úºσ≤σ≤≡²∩⌠C webseald.conf tm [content] q¿ñ doc-rootONϕ⌠WCbw WebSEAL íYlw]mG
UNIXG
doc-root = /opt/pdweb/www/docs
WindowsG
doc-root = C:\Program Files\Tivoli\PDWeb\www\docs
o@ —wß@ WebSEAL C HßoYxsbXΩwñC ∩ webseald.conf ñoi@B∩S⌠≤vTC
bwºßAz pdadmin í≤σ≤²mC HUd]°AW websealAíFG
1. nJ pdadminG
# pdadmin
pdadmin> login
ΘJ IDGsec_master
ΘJKXG
pdadmin>
2. server task list ⁿOπeµXIG
pdadmin> server task websealA list
/
3. server task show ⁿOπXΩTG
pdadmin> server task websealA show /
XIG /
¼GX
w¡εG0 - s
Xn¡εG0 - s
@ñu@⌡µⁿG0
²G/opt/pdweb/www/docs
4. sXHK≤½µXI]z -f ∩jεsXAHK∩gXG
pdadmin> server task websealA create -t local -f -d /tmp/docs /
Xw≤ /
5. CsXIG
pdadmin> server task websealA list
/
6. πXIG
pdadmin> server task websealA show /
XIG /
¼GX
w¡εG0 - s
Xn¡εG0 - s
@ñu@⌡µⁿG0
²G/tmp/docs
tm²ϕnD URL ϕíO²WAziⁿw WebSEALnw]WC pGow]sbAWebSEAL NqCpGúsbAWebSEAL Aú²ABNMµqC
tm²Ob webseald.conf tm [content] q¿ñC
w]G
[content]
directory-index = index.html
pGzxúPDAzi≤WCpG
[content]
directory-index = homepage.html
pGnD²ñS directory-index wqAWebSEAL Aú²Cúñ]tF²eMµAH²ñCubq∩nDs
²Aπ²uMµv(l) \iv ACLA)αúC
zitm² WebSEAL búñA∩CX¼Sw C webseald.conf tm
[content-index-icons] q¿]tFσ≤ MIME ¼MµAHπ÷ .gif G
[content-index-icons]
image/* = /icons/image2.gif
video/* = /icons/movie.gif
audio/* = /icons/sound2.gif
text/html = /icons/generic.gif
text/* = /icons/text.gif
application/x-tar = /icons/tar.gif
application/* = /icons/binary.gif
ziHtmMµC MIME ¼ⁿwΣL C m]iHOmCpG
application/* = http://www.acme.com/icons/binary.gif
z]iHtmoB G
¶ ϕl² G
[icons]
diricon = /icons/folder2.gif
¶ ϕWh² G
[icons]
backicon = /icons/back.gif
¶ ϕú¼ G
[icons]
unknownicon = /icons/unknown.gif
WindowsGCGI íRWDwebseald.conf tm [cgi-types] q¿ñ]tAi²zⁿwOM⌡µ CGI í Windows W¼C
UNIX @tSWnDC MAYO Windows @tAhwqW¼C [cgi-types] q¿CW¼ANC@WMg]nAϕ CGI íC
[cgi-types]<extension> = <cgi-program>
w]AuΣWPq¿ñCW
AQϕ@ CGI í⌡µC pGY CGI íWúbMµñAhú⌡µíC
Windows w]AZOΣW .exe AúQϕ@í⌡µABúMgC
: úLACϕzQb Windows Ww .exe HUⁿAzú≤WNwOs@í≈]p
.zipC
z∩Nϕ Script WAúAϕíCHUW¼d]AG Shell Script (.sh H .ksh)BPerlScript (.pl) M Tcl Script (.tcl) C
UCdíσ¼ [cgi-types] q¿tmG
[cgi-types]
bat = cmd
cmd = cmd
pl = perl
sh = sh
tcl = tclsh76
: b .bat M .cmd AY½wDA≤ΣñC po¼C
tm Web σ≤$≤ú Web σ≤αAqiαgJL°⌠⌠síUⁿíC $≤ WebSEAL °AnÑqXß°Añσ≤A]y¿αú A
CxsC
Web σ≤\αi²zNgs Web σ≤¼xsbWebSEAL °AOΘñC qNPⁿ≤
WebSEAL °Añß≥σ≤nDtHC
σ≤i]ARAσrσ≤M vC²LkAú
σ≤ApΩwdGC
Web σ≤zL WebSEALAúz°Aσ≤uADqLXß°AC
⌡µO MIME ¼Cϕzw∩ Web σ≤tmWebSEAL AOUCTG
¶ σ≤ MIME ¼
¶ xsCΘ¼
¶ xsCΘjp
zib iv.conf tm [content-cache] q¿ñwq Web σ≤C ΣAykpUG
<mime-type> = <cache-type>:<cache-size>
í
mime-type   Nϕb HTTP “Content-Type:” Yñ⌠≤ MIME ¼C oiα]tUr$ ( * )C */* Nϕw]½≤AΣNOdD∩≤ Ttmº⌠≤½≤C
cache-type  ⁿwn≤xsCΘ¼C Policy Director ΣuOΘvC
cache-size  ⁿwb½≤Qú] “Least Recently Used” tΓkºeAwiXRj]Hd$ (KB) µC
dG
text/html = memory:2000
image/* = memory:5000
*/* = memory:1000
Web σ≤≈εi[εUC°≤G
¶ ubwqFßA)oC
¶ wúwq⌠≤C
¶ pGzSⁿww]AhúP⌠≤Túú
σ≤C
¶ /M∩w∩ΩTnD⌡µvC
Mú ziH pdadmin íMútmCoíLk²zMúOC
z²H Policy Director z sec_master nJw⌠AMß)α pdadminC
YnMú Web σ≤AΘJUCⁿOG
UNIXG
# pdadmin server task <server-name> cache flush all
WindowsG
MSDOS> pdadmin server task <server-name> cache flush all
pzi pdadmin íú÷eq≥pC opΩTⁿXGs±bñAHw∩C
@úXnDC
z²H Policy Director z sec_master nJw⌠AMß)α pdadminC
Yno÷eqpΩTAΘJUCⁿOG
UNIXG
# pdadmin server task <server-name> cache stat
WindowsG
MSDOS> pdadmin server task <server-name> cache stat
tm HTTP Tº WebSEAL °AAnD²óC y¿óh]C pG
¶ úsb
¶ \iv]wTεs
¶ Lk⌡µ CGI íA] UNIX \ivú Toⁿíp
ϕAnDóA°Ab HTML ñTºs²Apu403 TεvC hTºiFC@hTº
úxsbO HTML ñC
oxsbUC²ñG
UNIXG <install-path>/www/lib/errors/<locale-dir>
WindowsG <install-path>\www\lib\errors/<locale-dir>
errors ²]tXyÑ⌠l²Al²]tTºgC
pAuⁿíσvTº²⌠G
UNIXG <install-path>/www/lib/errors/en_US
WindowsG <install-path>\www\lib\errors/en_US
o²ñTººµí HTMLA]bs²ñiH TπC zisΦo HTML qΣeC WíXQ2iAXb@óC 3≤∩o
WC
Uϕ]tí≈@≈úTººWMeMµG
W D í HTTP X
132120c8.html Oó Lkqº C iα]]AG
    ¶ úú T
    ¶ wD°
    ¶ OΩwñ≥ó
1354a2fa.html D,² nD@núD ²C o@úWwC
1898d259.html LknJ nDΩn WebSEAL N nJt@í Web °AC ú LAϕ WebSEAL ΩT oDC
1898d25a.html Sµ@n JΩT WebSEAL ΣúnDΩ GSO C
1898d25b.html Fµ@ nJ WebSEAL ΣúnDΩ GSO C
1898d25c.html hnJ w∩nDΩwqFh GSO CoO@tmC
1898d25d.html nnJ nDΩⁿXß Web °AO@An WebSEAL N nJ Web °AC ⌡ µ@A²nJ WebSEALC
1898d25e.html LknJ nDΩn WebSEAL N nJt@í Web °AC ú LAbßnJΩTú TC
1898d25f.html DwOt Policy Director WebSEAL ¼ Xß Web °ADw OtC
1898d421.html nDΩw½C ½s VBzúϕAqNoo ípC  302
1898d424.html nDú T WebSEAL ¼L HTTP n DC  400
1898d425.html nnJ znDΩⁿ WebSEAL O @ApnsΩA²µn JC
1898d427.html Tε SsnDΩ\i vC  403
1898d428.html Σú ΣúnDΩC  404
1898d432.html AíLk eLk WebSEAL ¿nD AíC  503
1898d437.html °Aw tzF WebSEAL °A C bz²°A≡A¼ AeANLkBznDC
1898d439.html Ñq@ΩT≥ó s²/°Aí¼O@P Xß°Aí¡wÑq@ A°AwúAC WebSEAL n@b°A AíA)α¿znDC
1898d442.html AíLk WebSEAL Aí≤ Xß°AWAB SSL ¼OoóC
1898d7aa.html CGI íó CGI Lk ⌡µC
default.html °A $≤oºAWebSEAL L k¿znDC  500
deletesuccess.html Q¿ wQ¿ql DELETE nDC  200
putsuccess.html Q¿ wQ¿ql PUT @C  200
relocated.html ½ nDΩw½C  302
websealerror.html 400 WebSEAL °A WebSEAL °AíC  400
¿ΣUC¿i≤q²eq¿ñCX HTML C¿NAm½iAϕΩTC
¿ í
%ERROR_CODE% XC
%ERROR_TEXT% PsTººX÷pσrC
%METHOD% qnD HTTP ΦkC
%URL% qnD URLC
%HOSTNAME% πD≈WC
%HTTP_BASE% °A≥ HTTP URL “http://<host>:<tcpport>/”C
%HTTPS_BASE% °A≥ HTTPS URLG“https://<host>:<sslport>/”C
%REFERER% nDºYAO “Unknown”]pGS
C
%BACK_URL% nDºYAO “/”]pGSC
%BACK_NAME% ϕnDñXY “BACK”ApGSAh
“HOME”C
zq HTML Policy Director ]Ad HTML ϕµAi[HqH]t⌠STº⌡µ⌠S@C jí≈ϕµíiA≤z
L HTTP HTTPS uϕµvBOM BA OC
oϕµmOwqb webseald.conf tm [acnt-mgt]q¿ mgt-pages-root ñC
mgt-pages-root = lib/html/<lang-dir>
Ω²OϕayÑC w]ⁿΩσ²G
lib/html/C
ΘσyÑ⌠≤G
lib/html/JP
qMHUSϕ HTML MOb webseald.conf tm[acnt-mgt] q¿ñCYuOuϕµnJvΦkú¡≈ΩTC
k
login = login.html ϕµnJ
logout = logout.html ϕµnJ
account-locked = acct_locked.html ⌠≤Φk
passwd-expired = passwd_exp.html ⌠≤Φk
passwd-change = passwd.html ⌠≤Φk
passwd-change-success = passwd_rep.html ⌠≤Φk
passwd-change-failure = passwd.html ⌠≤Φk
help = help.html ⌠≤Φk
token-login = tokenlogin.html OnJ
next-token = nexttoken.html OnJ
stepup-login = stepuplogin.html iÑO
q HTML í
ϕµ í
login.html WMKXnDϕµ
logout.html QnXßπC
acct_locked.html ]bßΩw POóπC
passwd_exp.html ]KX POóπC
passwd.html ≤KXϕµCϕµ]bKX≤nDóπC
passwd_rep.html KX≤nDQ¿πC
help.html ]tzC
tokenlogin.html OnJϕµC
nexttoken.html U@OϕµC
stepuplogin.html iÑOnJϕµC
boñ]Γ¿iC o¿rΩim≤d
ñC ¿Aam½AϕC
¿ í
%USERNAME% wnJºWC
%ERROR% q Policy Director ºg+TºC
zqM°Aí]w WebSEAL HBzqM°A]≤zL SSL OzMtm@C
bUCípUAWebSEAL nG
¶ WebSEAL HΣ°AA∩ SSL qOΣ¡
¶ WebSEAL HqA∩Xß°A]¼OtmOΣ¡
¶ WebSEAL Σu≈c (CA)vroot ΩwAτHqiµsq
¶ WebSEAL Σu≈c (CA)vroot ΩwAτw∩¼OtmXß°A
WebSEAL IBM Global Security Kit (GSKit) SSL Ω@AtmMzCGSKit ú iKeyman í]wz≈ΩwAΩw]t@h WebSEAL Dq CA root C
WebSEAL bw]tUC$≤AHΣzL SSL OG
¶ w]≈Ωw (pdsrv.kdb)
¶ w]≈Ωw⌠ (pdsrv.sth) MKX (“pdsrv”)
¶ @δ CA root
¶ i² WebSEAL N¡O SSL qp
zWu≈cvoXBⁿMi
NC
WebSEAL Bztm]AG
¶ 40ytm WebSEAL ≈Ωwz
¶ 42y iKeyman zíz
¶ 42ytm CRL dz
F GSKit ≈Ωw¼IBM Key Management uπ (iKeyman) FUϕñJ¼C
CMS ≈ΩwO$W .kdb ABiαΣLΓHW¿CϕzFs≈ΩwAN
.kdb C .kdb ñ≈O²iHOAOπ[KpK≈ΩTC
.rdb M .crl ObzsnDC CAnDn .rdb C
¼ í
.kdb u≈ΩwvCOxsHBH nDMCpAw] WebSEAL ≈Ωw pdsrv.kdbC
.sth u⌠vCOxsgL[K≈ΩwKX CWDníP÷ .kdb PC
.rdb unDvΩwCOb .kdb ≈Ωw CWDníP÷ .kdb PC ]tFw¿B CA ¼nDCϕq CA Atb .rdb ñjMAHKΣXXnD ]≈CpGoFnDAN¼A Bb .rdb ñRú∩nDCpGΣún DA¼@NQ CnDñ@δW BB≤DaBnDⁿwΣLΩTAHPnD ÷≈MpK≈C
.crl uoεMµvC@δ]t]]Q oεMµC²OAiKeyman LkΣ⌠≤oεMµA HOC
.arm H ASCII sXGiC.arm ]tFH base-64 sX ASCII ϕF]tF≈A²OSpK≈ CGiΩQα½ ASCII ϕΦíCϕ ¼ .arm AiKeyman ASCII e XABNGiϕe±b T .kdb ñCP aAϕq .kdb ñAiKeyman NGi Ωα½ ASCIIAMßNª±b .arm ñC .arm ñ ASCII ΩNOzbnDñe CA ΩC Gun¡ Base64 sXA⌠≤¼úi ].arm HC
.der usXWhvC .der ñ]tFHGiϕ Fñ]tF≈A²OSpK≈Co P .arm ϕⁿFΣtºb≤ϕΦíGiAúO ASCIIC
.p12 PKCS 12 FΣñ PKCS Oⁿu≈[KvC .p12 ]tFHGiϕFñ]tF≈M pK≈C .p12 ]iα]thFpiα BoX CA BCA oXAHΣo XÑÑC] .p12 ]tFpK≈AⁿKX O@C
tm WebSEAL ≈ΩwWebSEAL ≈G
bwAWebSEAL ú@w]≈ΩwC
webseald.conf tm [ssl] q¿ñ webseal-cert-keyfile iⁿwWMmG
[ssl]
webseal-cert-keyfile = /var/pdweb/www/certs/pdsrv.kdb
zi iKeyman ís≈ΩwC MAzb webseal-cert-keyfile ñΘJs≈WMmAHK² WebSEAL iMΣt≤ΩwC
≈KXG
bwñAWebSEAL ]ú@w]⌠AΣ]t
pdsrv.kdb ≈KXC webseal-cert-keyfile-stash ∩WebSEAL i⌠mG
webseal-cert-keyfile-stash = /var/pdweb/www/certs/pdsrv.sth
[K≤⌠w]KX “pdsrv”C z]ib
webseal-cert-keyfile-pwd ñHσrϕKXCpG
webseal-cert-keyfile-pwd = pdsrv
bwAWebSEAL ⌠o≈KXC
webseal-cert-keyfile-pwd Q[C ⌠ßAziKb webseald.conf tmñHσrπKXC
: °[znSwKXC pGⁿwFKXM⌠ANKXC
WebSEAL G
bwñAWebSEAL úúOwµpC@°AAi² WebSEAL πV SSL qOΣ¡≈αOC
Fni@BaεAww]
C webseal-cert-keyfile-label ⁿwn@@ñ°AAB∩g≈ΩwñⁿwΣL⌠≤
uw]vC
webseal-cert-keyfile-label = WebSEAL
÷Me\ WebSEAL F SSL s²nDA²Os²]Σú]tAϕ root CA Lk[HτC $≤w]pK≈t≤C@ WebSEAL eñALkúu wqHC
z iKeyman íúieu≈c(CA)vnDC iKeyman wM°AC
pGzbúPípUúP]p –K XAziH iKeyman íBwBMoC≈ñúiµC
WebSEAL]w]H ivmgr⌡µ∩o≈Ωwπ¬ (r) \ivC
t\237y iKeyman zzC
í Policy Director °A SSL qHG
webseald.conf tm [ssl] q¿]tF.BFziHotm² WebSEAL PΣL Policy Director °AAiµí SSL qH≈CzuαzL pdconfig tmScript ∩oC
[ssl]
ssl-keyfile =
ssl-keyfile-pwd =
ssl-keyfile-stash =
ssl-keyfile-label =
iKeyman zíiKeyman íO@H GSKit úuπAizWebSEAL C iKeyman iHG
¶ @h≈Ωw
¶ ≤≈ΩwKX
¶ s WebSEAL
¶ ]wsw] WebSEAL
¶ µp
¶ nD¼ CA root
¶ sWΩwHqΩwñRú
¶ Nq@Ωwst@Ωw
÷ iKeyman ⌡µo@ⁿA\237y iKeyman zzC
tm CRL duoεMU (CRL)vO@"ε∩úQniµτΦkC CRL ]tQ°úoH⌠ºOC WebSEAL SSL º GSKit IµΣ CRL dC GSKit i² WebSEAL∩q SSL X⌡µ CRL dC
WebSEAL DMµmHK⌡µ CRL dCbOíiw∩ CRL d[Hº LDAP °Aºm≤ webseald.conf tm [ssl] q¿ñG
[ssl]
#ssl-ldap-server = <server-name>
#ssl-ldap-server-port = <port-id>
#ssl-ldap-user = <webseal-admin-name>
#ssl-ldap-user-password = <admin-password>
w]A CRL d]Q[C Ynb
Oí CRL dA°[C@AMßΘJAϕC
ssl-ldap-user NULL ϕ SSL O≈εs LDAP °A@WC
tmw]O@ΦÑziHtmO@Φ (QOP) HKεzL SSL (HTTPS) sWebSEAL nw][KÑCziH webseald.conf tmñ “SSL QUALITY OF PROTECTION MANAGEMENT” q¿εw]O@ΦzG
¶ ssl-qop-mgmt M QOP zC
¶ b [ssl-qop-mgmt-default] q¿ñⁿwe\[KÑC
1. O@ΦzG
[ssl-qop]
ssl-qop-mgmt = yes
2. ⁿw HTTP sw][KÑG
[ssl-qop-mgmt-default]
# default = ALL | NONE | <cipher-level>
# ALL]KX
# NONE]KXB MD5 MAC Xd
# DES-40
# DES-56
# DES-168
# RC2-40
# RC2-128
# RC4-40
# RC4-128
default = ALL
NGz]iHⁿww∩KXsG
[ssl-qop-mgmt-default]
default = RC4-128
default = RC2-128
default = DES-168
tmW D≈M⌠⌠ QOPssl-qop-mgmt = yes ]ib [ssl-qop-mgmt-hosts] M[ssl-qop-mgmt-networks] q¿ñX⌠≤]wCziboq¿ñⁿwD≈/⌠⌠/⌠⌠Bn IP AHKiµO@ΦzC
[ssl-qop-mgmt-default] q¿CX≤P
[ssl-qop-mgmt-hosts] M [ssl-qop-mgmt-networks] q¿ñú IP KXC
D≈tmykdG
[ssl-qop-mgmt-hosts]
# <host-ip> = ALL | NONE | <cipher-level>
# ALL]KX
# NONE]KXB MD5 MAC Xd
# DES-40
# DES-56
# DES-168
# RC2-40
# RC2-128
# RC4-40
# RC4-128
xxx.xxx.xxx.xxx = ALL
yyy.yyy.yyy.yyy = RC2-128
⌠⌠/⌠⌠BntmykdG
[ssl-qop-mgmt-networks]
# <network/netmask> = ALL | NONE | <cipher-level>
# ALL]KX
# NONE]KXB MD5 MAC Xd
# DES-40
# DES-56
# DES-168
# RC2-40
# RC2-128
# RC4-40
# RC4-128
xxx.xxx.xxx.xxx/255.255.255.0 = RC4-128
yyy.yyy.yyy.yyy/255.255.0.0 = DES-56
[ssl-qop-mgmt-hosts] M [ssl-qop-mgmt-networks] q¿VUeºCzúnb Policy Director 3.8 tmñªC
tmvΩw≤sMⁿuz°AvzDnvhΩwAB@w⌠
ñΣL Policy Director °AΩTC Policy Director ziHH≤w⌠whCuz°AviH∩D
nvΩw@nπAHKΩI≤ßwhC
ϕuz°Av≤DnvΩwAªN≤q
ew⌠ñAΣWh⌡µí]p WebSEALΩwCMßAh⌡µíVDnvΩwn
DΩWΩw≤sC
@ΩzíMh⌡µí WebSEAL T∩iHo÷≤vΩw≤ΩTG
¶ Ñuz°Av≤sq]ittmABww]
C
¶ wd]ⁿDnvΩw]ittmABww
]C
¶ ÑMⁿC
webseald.conf tm [aznapi-configuration] q¿A]tFtm≤sqÑMΩwⁿC
WebSEAL vhΩw⌠AOwq≤ db-file G
[aznapi-configuration]
db-file = /var/pdweb/db/webseald.db
tm≤sqÑlisten-flags iM WebSEAL ≤sqÑCw]AÑwCYnÑAΘJ “disable”C
[aznapi-configuration]
listen-flags = enable
tcp-port itmÑí TCP ≡G
[aznapi-configuration]
tcp-port = 12056
udp-port itmÑí UDP ≡G
[aznapi-configuration]
udp-port = 0
tmvΩwⁿziHtm WebSEAL wⁿDnvΩwAHKFO≤sΩTC c a c h e - r e f r e s h - i n t e r v a l iH]w“default”B“disable” SwíjíϕC Default ]w 600ϕCw]AⁿOQC
[aznapi-configuration]
cache-refresh-interval = disable
se WebSEAL °A
: HUΩTN Policy Director ²eñpdadmin server modify baseurl ⁿOC
b¬tⁿ⌠ñAshíe WebSEAL °AnBOiHúntⁿ¡HαOCϕzse WebSEAL °AAC@í°Aú]A Web íBXΩwM dynurlΩwπC
Policy Director iΣΓtmse WebSEAL°AC@úA pdadmin ⁿOC
bHUdñA“WS1” ODn WebSEAL °AD≈WC“WS2” Os WebSEAL °AD≈WC
1. b WS1 M WS2 °AWwMtm WebSEALC
2. ε WS2 W WebSEALC
3. b WS2 WAN webseald.conf tm server-name Aq “WS2” ≤ “WS1”G
[server]
server-name = WS1
4. ½s WS2 W WebSEALC
WS2 °Ab /WebSEAL/WS1 ½≤@v⌠≥CWS2 °A]iHN /WebSEAL/WS1 ñ½≤A object listM object show ⁿOC
pdadmin í/MH½≤í@íCX
/WebSEAL/WS2 ½≤C½≤wúπ⌠≤ABiHúG
pdadmin> object delete /WebSEAL/WS2
¼pG
¶ µ@½≤ízG÷MziHd µ@½≤ÑhA
Mb½≤ÑhzⁿO]vT WebSEAL°AAB°AúiHoⁿOC
¶ µ@v⌠GpG WS2 °AOtm WS1 °AAWS2 °A /WebSEAL/WS1 @v⌠≥C
¶ @tmGF²e WebSEAL α B@A°AW Web íBXΩwM dynurl Ωwtmú@PC
tm HTTP OⁿWebSEAL @TD HTTP ΘxAΣO²íDTºG
¶ request.log
¶ agent.log
¶ referer.log
w]AbUC²ñ@oΘxG
UNIX: /var/pdweb/www/log/
Windows: C:\Program Files\Tivoli\PDWeb\www\log\
tm HTTP ΘxOb webseald.conf tm[logging] q¿ñC
Uϕí HTTP ΘxPtmºí÷YG
Θx m / ] =yes no
request.log requests-file requests
referer.log referers-file referers
agent.log agents-file agents
pArequest.log ñw]mpUG
UNIXG
requests-file = /var/pdweb/www/log/request.log
WindowsG
requests-file = \Program Files\Tivoli\PDWeb\www\log\request.log
M HTTP Oⁿw]Aw HTTP OⁿG
[logging]
requests = yes
referers = yes
agents = yes
C@ΘxúiWC pG⌠≤] “no”Ah∩OⁿC
ⁿwíWO¼zi∩²C@ΘxñíWOHuµLví
(GMT)vO²ADHϕaO²C w]AOϕaG
[logging]
gmt-time = no
Yn GMT íWOA]wG
gmt-time = yes
ⁿwΘxα½max-size ⁿwC@ HTTP ΘxiXRjABπHUw]]H$µG
[logging]
max-size = 2000000
ϕΘxFⁿw — SΣα½ —ANHPWNs≈A [eΘMíW
OC MßsΘxC
Uiα max-size Q¿pUG
¶ pG max-size p≤s]< 0AhC qΩIsOⁿBzCj 24 pAúsΘxC
¶ pG max-size Ñ≤s]= 0Ahú⌡µ⌠≤α½ABΘxL¡XRCpGΘxwsbAN∩ª [sΩ
C
¶ pG max-size j≤s]> 0AhϕΘxFtmAY⌡µα½C pGbΘxwsbAN∩
ª [sΩC
ⁿwMúΘxwWvΘxgJwΩΩyC pGznY°ΘxAz
∩°AjµMúΘxwWvC
w]AΘxCj 20 ϕMú@ G
[logging]
flush-time = 20
pGzⁿwtAhCgJ@ºO²újεMúC
tmO²≤ request.log e°WebSEAL LoßXí°ARA HTMLURLC webseald.conf tm [filter-url] q¿wqFß°A WebSEAL Lo URL configuration file defines the URL attributes that WebSEAL filters in responses from the back-end server. \168yqX°ALoRAHTML URLzC
ϕßX°AnDe]tFO URLAWebSEAL w²Mw⌠XIAHKLo URL rΩCbs²ßAqNiHQa URLC
]As²e°AiHñj≤X°A
WebSEAL eC
Policy Director WebSEAL i²ztm request.log ñOⁿe°]pGwC webseald.conf tm[logging] q¿ñ log-filtered-pages AiH]wOⁿ 0$jpAgLo$jpC
YnO²gLo$jpAN]w “yes”]w]G
[logging]
log-filtered-pages = yes
YnO² 0 $jpAN]w “no”G
[logging]
log-filtered-pages = no
HTTP @Θxµí]A≤ request.logPolicy Director °A]¿\óAúHHTTP @ΘxµíAxsb request.log µµñG
host - authuser [date] request status bytes
ΣñG
D≈]HostⁿwnDΦ≈ IP C
authuser oµ¼ HTTP nDº From: YC “unauth” O≤gOC
Θ]dateⁿwnDΘPíC
nD]requestⁿwqºnD@µC
¼A]statusⁿwenDΦ≈ HTTP ¼AXC
]bytesⁿwenDΦ≈$C — gL
oejpjp 0 — OH
log-filtered-pages tmC
π request.log request.log O² HTTP nDOⁿApwnDº URL WΩTAHúXnDºqWΩT]pAIP C
UCdπ request.log dG
130.105.1.90 - - [26/Aug/2001:17:23:33 -0800] "GET /xsmith/private_html/ HTTP/1.0" 403 77
130.105.1.90 - - [26/Aug/2001:17:23:47 -0800] "GET /icons HTTP/1.0" 302 93
130.105.1.90 - - [26/Aug/2001:17:23:59 -0800] "GET /icons/ HTTP/1.0" 403 77
130.105.1.90 - - [26/Aug/2001:17:24:04 -0800] "GET /xsmith/private_html/ HTTP/1.0" 403 77
130.105.1.90 - - [26/Aug/2001:17:24:11 -0800] "GET /xsmith/ HTTP/1.0" 403 77
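The request.log lines above, parsed and summarised as an added example (this is not code from the IBM manual): the parser follows the `host - authuser [date] request status bytes` layout given earlier, and the summary counts 403 responses per client host, the kind of check an operator runs over this log to see which client is being repeatedly refused and for which URLs. The sample lines are constructed from the excerpt shown on this page.

```python
"""Parse WebSEAL request.log (HTTP common log format) and count 403 refusals
per client.  Added example; not code from the IBM manual."""
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple

# Layout from the manual:  host - authuser [date] request status bytes
# The \s* after "]" also accepts lines where the space before the quoted
# request line was lost, as in one of the sample lines on this page.
_LINE_RE = re.compile(
    r'^(?P<host>\S+) - (?P<authuser>\S+) '
    r'\[(?P<date>[^\]]+)\]\s*"(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+)$'
)


class RequestLogEntry(NamedTuple):
    host: str
    authuser: Optional[str]   # None when the field is "-" or "unauth"
    date: str
    method: str
    url: str
    protocol: str
    status: int
    bytes: int


def parse_request_line(line: str) -> Optional[RequestLogEntry]:
    """Return the parsed entry, or None for a line not in the expected layout."""
    m = _LINE_RE.match(line.strip())
    if m is None:
        return None
    authuser: Optional[str] = m.group('authuser')
    if authuser in ('-', 'unauth'):     # no From: header / unauthenticated user
        authuser = None
    # The request field is "METHOD URL PROTOCOL"; pad so a short field still parses.
    fields = (m.group('request').split(' ') + ['', '', ''])[:3]
    return RequestLogEntry(
        host=m.group('host'), authuser=authuser, date=m.group('date'),
        method=fields[0], url=fields[1], protocol=fields[2],
        status=int(m.group('status')), bytes=int(m.group('bytes')),
    )


def parse_request_log(lines: List[str]) -> List[RequestLogEntry]:
    """Parse every well-formed line, skipping the rest."""
    parsed = (parse_request_line(line) for line in lines)
    return [entry for entry in parsed if entry is not None]


def forbidden_by_host(entries: List[RequestLogEntry]) -> Dict[str, Tuple[int, List[str]]]:
    """Map client host -> (number of 403 responses, sorted URLs that were refused)."""
    counts: Counter = Counter()
    urls: Dict[str, set] = defaultdict(set)
    for e in entries:
        if e.status == 403:
            counts[e.host] += 1
            urls[e.host].add(e.url)
    return {host: (counts[host], sorted(urls[host])) for host in counts}


# Constructed sample, taken from the request.log excerpt on this page.
SAMPLE_REQUEST_LOG = [
    '130.105.1.90 - - [26/Aug/2001:17:23:33 -0800] "GET /xsmith/private_html/ HTTP/1.0" 403 77',
    '130.105.1.90 - - [26/Aug/2001:17:23:47 -0800] "GET /icons HTTP/1.0" 302 93',
    '130.105.1.90 - - [26/Aug/2001:17:23:59 -0800] "GET /icons/ HTTP/1.0" 403 77',
    '130.105.1.90 - - [26/Aug/2001:17:24:04 -0800]"GET /xsmith/private_html/ HTTP/1.0" 403 77',
    '130.105.1.90 - - [26/Aug/2001:17:24:11 -0800] "GET /xsmith/ HTTP/1.0" 403 77',
]

if __name__ == '__main__':
    report = forbidden_by_host(parse_request_log(SAMPLE_REQUEST_LOG))
    for host, (count, refused) in report.items():
        print(f'{host}: {count} x 403 on {refused}')
```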
π agent.log agent.log O²F HTTP nDñ User_Agent: YeC oΘxªSqs²÷ΩTApC@nD
tmXC
UCdπ agent.log dG
Mozilla/4.01 [en] (WinNT; U)
Mozilla/4.01 [en] (WinNT; U)
Mozilla/4.01 [en] (WinNT; U)
Mozilla/4.01 [en] (WinNT; U)
π referer.logreferer.log O² HTTP nD RefererGYC w∩C@nDAΘxO²]t∩nDσ≤ºσ≤C
ΘxUCµíG
referer -> object
oΩT∩≤l∩z Web íñºσ≤íDCΘxªSΣ]t∩½≤º Referer ⁿXCoΘxi²zl»AHΣXO∩zσ≤
C
UCdπ referer.log dG
http://manuel/maybam/index.html -> /pics/tivoli_logo.gif
http://manuel/maybam/pddl/index.html -> /pics/tivoli_logo.gif
http://manuel/maybam/ -> /pddl/index.html
http://manuel/maybam/ -> /pddl/index.html
http://manuel/maybam/pddl/index.html -> /pics/tivoli_logo.gif
http://manuel/maybam/ -> /pddl/index.html
WebSEAL wh
]típ≤tmq WebSEAL whΩTC
DDG
¶ yWebSEAL S ACL hz
¶ 55yTnJhz
¶ 57yKXjhz
¶ 61yOj POP h]iÑz
¶ 67y⌠⌠¼O POP hz
¶ 70yO@Φ POP hz
¶ 71yBzgO (HTTP / HTTPS)z
WebSEAL S ACL hUCwqA≤ⁿO@½≤íñ /WebSEAL tmG
¶ WebSEAL ½≤l½≤íº WebSEAL ACL
¶ pGzúMΣL⌠≤T ACLAho½≤wq]zLπ Web íwhC
¶ s½≤IHU⌠≤½≤únMXvC
÷≤ Policy Director ACL hπΩTA\ TivoliSecureWay Policy Director Base zΓUC
/WebSEAL/<host>ol²≡]tSw WebSEAL °A Web íC UCwqA≤½≤G
¶ sIHU⌠≤½≤únMXv
¶ pGzúMΣL⌠≤T ACLAho½≤wq]zL≈Wπ½≤íwhC
/WebSEAL/<host>/<file>oOww∩ HTTP sdΩ½≤C d\iv°nD@wC
WebSEAL ACL \ivUϕíA≤½≤íº WebSEAL ACL \ivG
@ í
r ¬ ° Web ½≤
x ⌡µ ⌡µ CGI íC
d Rú q Web íñú Web ½≤C
m ∩ ±m HTTP ½≤C ]±m - oG - WebSEAL
½≤íñ HTTP ½≤C
l C uz°Avú Web í²Mµ
@C
o\ivΣtbπw] “index.html”
AqOi ²eMµC
g eU v WebSEAL °ARϕqANnD
X WebSEAL °AC
w] /WebSEAL ACL hWebSEAL ACL default-webseal ]tFG
Group iv-admin Tcmdbsvarxl
Group webseal-servers Tgmdbsrxl
User sec_master Tcmdbsvarxl
Any-other Trx
Unauthenticated T
bwñAw] ACL [½≤íñ /WebSEAL tm½≤C
webseal-servers s]tFw⌠ñ WebSEAL °An²Cw]\ivi²°As²nDC
MX\ivi² Web íXW Web Portal Manager ñπjpCMµ\ivi² Web Portal Manager π Web íeC
TnJhH LDAP ≥ª Policy Director wñúTnJhAi²zⁿwónJj]nHg@Ωwí]xAΣñb “n” ónJßAQΩw “x” ϕ]ObßQC
TnJh"εqúKX≡ Ch@°≤AY
Ñ@qíAMß)αiµ≤h²ónJ
C pAhiαⁿw 3 óßA 180 ϕg@Co¼nJhi"ε@ϕoh qúH≈ún
JC
TnJhnΓ pdadmin policy ⁿO]wX@G
¶ jónJ
policy set max-login-failures
¶ WXónJ]wg@
policy set disable-time-interval
g@]wi#JbßΩwííjbßC
pG]wFbT óºßSwΩwíg@ºnJ
h]pdAh. ]ú Tú TN
P@AⁿX$≤KXhLkbßC
ííjOHϕⁿw—pííj 60 ϕC
pG disable-time-interval h]uvAhQΩwLksbßAB LDAP bß ]
uvC zizL Web Portal Manager ½sbßC
: disable-time-interval ]uv PBz¿Czi[εNbß ΩTs WebSEAL °A≡CoípM≤z LDAP ⌠C Abß ≤s@
PY LDAP Ω@iαJαhC ≥≤]AzOíjC
ⁿOykUC pdadmin ⁿOAXP LDAP n²@C
ⁿO í
policy set max-login-failures <number>|unset [-user <username>]
policy get max-login-failures [-user <username>]
    zΣg@jεΩIºeεΣjónJ hC oⁿO° policy set disable-time-interval ⁿOñ]wg@wC ¡@zAziNhMSw ANhπΘM LDAP n²ñC C w]]w 10 C
policy set disable-time-interval <number>|unset|disable [-user <username>]
policy get disable-time-interval [-user <username>]
    zg@hAΣεbFjónJ AbßC ¡@zAziNg@hMSw ANhπΘM LDAP n²ñC C w]]w 180 ϕC
KXjhH LDAP ≥ª Policy Director wñKXjhAm≤÷KXhWhcKXWWwC Policy Director úΓεKXjΦkG
¶ ¡ pdadmin KXhⁿO
¶ iO]PAMAΣi²zqKXh
\ Tivoli SecureWay Policy Director WebSEAL DeveloperReferenceC
pdadmin í]wKXjhzL pdadmin íIµ¡KXj]AG
¶ pKX°
¶ pσr0
¶ pDσr0
¶ j½r$
¶ e\µ
ϕzH pdadmin Web Portal Manager AHHpdadminBWeb Portal Manager pkmspasswd í≤KXAjεohC
ⁿOykUC pdadmin ⁿOAXP LDAP n²@C unset ∩oh—τYAújεhC
ⁿO í
policy set min-password-length <number>|unset [-user <username>]
policy get min-password-length [-user <username>]
    zΣεpKX°hC ¡@zAziNhMSw ANhπΘMw]n²ñC C w]]w 8C
policy set min-password-alphas <number>|unset [-user <username>]
policy get min-password-alphas [-user <username>]
    zΣεbKXñe\pσr0 hC ¡@zAziNhMSw ANhπΘMw]n²ñC C w]]w 4C
policy set min-password-non-alphas <number>|unset [-user <username>]
policy get min-password-non-alphas [-user <username>]
    zΣεbKXñe\pDσr0] rhC ¡@zAziNhMSw ANhπΘMw]n²ñC C w]]w 1C
policy set max-password-repeated-chars <number>|unset [-user <username>]
policy get max-password-repeated-chars [-user <username>]
    zΣεbKXñe\j½r$ hC ¡@zAziNhMSw ANhπΘMw]n²ñC C w]]w 2C
policy set password-spaces yes|no|unset [-user <username>]
policy get password-spaces [-user <username>]
    zΣεKXOi]tµhC ¡@zAziNhMSw ANhπΘMw]n²ñC C w]]w]wC
w]hUϕChMw]G
w]
min-password-length 8
min-password-alphas 4
min-password-non-alphas 1
max-password-repeated-chars 2
password-spaces ]w
Yn Policy Director ñXKXhµAN unset∩MWC¡KXC@C
LKXdUϕíH¡ pdadmin ºw]≥ªKXdMhGG
d G
KX LG+]t@Dσr0C
pass LG+]t 8 r$C
passs1234 LG]tΓHW½r$C
12345678 LG+]t 4 σr0C
password3 C
SwMs]wzi∩Sw] - user ∩πΘ]D - user∩]w pdadmin policy ⁿOC ⌠≤S]wúΓrhπΘ]wC z]iH]unsethAϕút⌠≤C a unset ∩⌠≤húúQdjεC
pG
pdadmin> policy set min-password-length 8
pdadmin> policy set min-password-length 4 -user matt
pdadmin> policy get min-password-length
pKX°G8
pdadmin> policy get min-password-length -user matt
pKX°G4
] matt π 4 r$pKX°hFΣLπ 8 r$pKX°hC
pdadmin> policy set min-password-length unset -user matt
]bA matt ⁿ¡≤ 8 r$πΘpKX°hC
pdadmin> policy set min-password-length unset
]bA]A matt búSpKX°hC
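An added example, not Policy Director code, that applies the five pdadmin password-strength rules above with their documented defaults, evaluates the five sample passwords from the table, and models the per-user override shown with `-user matt` (a per-user `unset` falls back to the global value). Assumptions: "repeated characters" means a consecutive run of the same character, any character for which Python's str.isalpha() holds counts as alphabetic, and a rule that is unset is not enforced.

```python
"""Apply the pdadmin password-strength policy rules from this page to a
candidate password.  Added example; not Policy Director code."""
from typing import Dict, List, Optional, Union

Value = Union[int, bool, None]   # None = rule unset, treated as not enforced (assumption)

# Defaults from the table on this page.  password-spaces is "not set" by
# default, which this example treats as "not enforced" (assumption).
DEFAULT_POLICY: Dict[str, Value] = {
    'min-password-length': 8,
    'min-password-alphas': 4,
    'min-password-non-alphas': 1,
    'max-password-repeated-chars': 2,
    'password-spaces': None,
}


class PasswordPolicy:
    """Global rules plus per-user overrides, mirroring
    `policy set <rule> <value>|unset [-user <username>]`."""

    def __init__(self) -> None:
        self.global_rules: Dict[str, Value] = dict(DEFAULT_POLICY)
        self.user_rules: Dict[str, Dict[str, Value]] = {}

    def set(self, rule: str, value: Value, user: Optional[str] = None) -> None:
        if rule not in DEFAULT_POLICY:
            raise KeyError(f'unknown policy rule {rule!r}')
        if user is None:
            self.global_rules[rule] = value                   # global `unset` -> None
        elif value is None:
            self.user_rules.get(user, {}).pop(rule, None)     # `unset -user`: back to global
        else:
            self.user_rules.setdefault(user, {})[rule] = value

    def get(self, rule: str, user: Optional[str] = None) -> Value:
        """Per-user value if one is set, else the global value (as `policy get` reports)."""
        if user is not None and rule in self.user_rules.get(user, {}):
            return self.user_rules[user][rule]
        return self.global_rules[rule]


def longest_run(s: str) -> int:
    """Length of the longest run of one character repeated consecutively
    (the meaning of "repeated characters" assumed here)."""
    best = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def check_password(policy: PasswordPolicy, password: str,
                   user: Optional[str] = None) -> List[str]:
    """Return the names of every rule the password violates ([] = acceptable)."""
    alphas = sum(1 for ch in password if ch.isalpha())   # assumption: isalpha() = alphabetic
    non_alphas = len(password) - alphas
    failures: List[str] = []

    def enforce(rule: str, ok) -> None:
        value = policy.get(rule, user)
        if value is not None and not ok(value):
            failures.append(rule)

    enforce('min-password-length', lambda n: len(password) >= n)
    enforce('min-password-alphas', lambda n: alphas >= n)
    enforce('min-password-non-alphas', lambda n: non_alphas >= n)
    enforce('max-password-repeated-chars', lambda n: longest_run(password) <= n)
    enforce('password-spaces', lambda allowed: allowed or ' ' not in password)
    return failures


if __name__ == '__main__':
    policy = PasswordPolicy()
    for candidate in ('password', 'pass', 'passs1234', '12345678', 'password3'):
        print(f'{candidate!r}: {check_password(policy, candidate) or "OK"}')
```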
Oj POP h]iÑOj POP hΣOΦkεs½≤¿iαC
zio\α—SiÑO—TOjO≈εs≈KΩC búAϕsAN
]wo°≤C
pAzi∩ Web íXú≤¬wAΦkMΣOh ¬≤liJ WebSEAL ⌠qiÑPOP hC
Ojh]w≤ POP huIP IOΦkvñC
tmiÑOhtmOSsv¡@BJOtmΣOΦkA
Mw[joOΦkC
⌠≤s WebSEAL °Aqú@Oh ApugOvuKXvAΣⁿX WebSEAL e OqΦkC
bYípUAiαnjµsY Web í½≤CuwvOh C pAb@⌠ñAOqµNX
iµOiαQ°±WMKXiµO≤wC
úP⌠iαúPC
ϕqúXOh AiÑO≈εújεq
½sΣP WebSEAL Ñq@AOúqG ≈nΦk]h ½sOC
iÑOΦkϕAϕsnu¬vOh
]ΣnJh Aú¿W u vTºC A
@sOúeAnDΣ¬Oh Ω
TC pGLα≈úOh AhN(\ΣlnDC
WebSEAL iT≤iÑO≈εñOΦk]h G
¶ gO
¶ KX
¶ Od
zib webseald.conf tm [authentication-levels] q¿ñtmOÑC@lAutmΓh G
[authentication-levels]
level = unauthenticated
level = password
C@ΦkúQⁿw]ΦkbMµñ@bd≥ 0 2 h ⁿC
¶ ugOvΦkOMµñ@ΦkA]
ⁿw 0 ÑC
¶ ziH⌠≤±mß≥ΦkC
\66yiÑONM¡εzC
¶ w]AuKXvXbU@h —ΣÑ1C
¶ +Γ)αiÑOC
: ÷≤]wnO≈εºΩTA\75yWebSEAL OzC
iÑOiÑOIµOzLm≤nDOvº½≤W POP hCzi POP huIP IOΦkvC
pdadmin pop modify set ipauth ⁿOⁿwuIP IOΦkvñⁿ⌠⌠MnOh C
gtmOh i IP d≥C oΦkbúzuCpG I P Loú½nAhzi∩
anyothernw]ΣL⌠≤⌠⌠]wµ@Fo]wNvTs]L IP ≤AnDLbⁿwh OC oOΩIiÑOΦkC
ykG
pdadmin> pop modify <pop-name> set ipauth anyothernw <level-index>
anyothernw @@NXú POP ñⁿw⌠⌠⌠≤⌠⌠º⌠⌠d≥C oΦkw]AΣi
ú IP AⁿiXOh D⌠≤sC
w]Aanyothernw HOÑ 0 Xb POP ñCHu⌠≤ΣL⌠⌠vXb pop show ⁿOñG
pdadmin> pop show test
ⁿO@½≤hG test
íG Test POP
iG L
fhG L
O@ΦG L
sΘíGPΘBP@BPGBPTBPBP¡BPGHGϕa
IP IOΦkh
⌠≤ΣL⌠⌠ 0
d
1. b webseald.conf ñtmOh G
[authentication-levels]
level = unauthenticated
level = token-card
2. tmuIP IOΦk POPvG
pdadmin> pop modify test set ipauth anyothernw 1
pdadmin> pop show test
ⁿO@½≤hG test
íG Test POP
iG L
fhG L
O@ΦG L
sΘíGP@BPTBP¡G⌠≤íGϕa
IP IOΦkh
⌠≤ΣL⌠⌠ 1
ohn²HugOv]h 0sAiÑOdOΦk]h 1C sⁿPOP hO@½≤ºgOAú¼@nDΘJWMOqµNXúC
t\67y⌠⌠¼O POP hzC
iÑnJϕµϕnDΩWiÑ POP hjεq½sOAWebSEAL úX@≈SϕϕµC HTML ϕµmOⁿw≤ webseald.conf tm [acnt-mgt] q¿ stepup-login ñC
[acnt-mgt]stepup-login = stepuplogin.html
ziHtm login.html tokenlogin.html ϕµPΦíAtmHTML ϕµXzDC
o]tHAϕN¿]Σí %TEXT%
CC om½@ob WebSEAL BzτdAe\ϕµ≤π TµíKXOOΦkC ªe\
bϕµñúΣLΩTApTºMΦkW]i
ÑC
11. ≤WMKXiÑnJϕµ
12. ≤ SecurID OqµNXiÑnJϕµ
iÑOtΓkWebSEAL UCtΓkBz POP ñ¼pG
1. d POP W IP IOΦkhC
2. d ACL \ivC
3. d POP WΘíhC
4. d POP Wfh hC
iÑONM¡ε
1. iÑOizL HTTP M HTTPS ΣC
2. zLkq HTTP ≤wiÑ HTTPSC
3. gO&Oh Mµñ@ΦkABúibMµLBoC
4. bh MµñuαⁿwΦk@ C
5. iÑOúΣOC
: iÑOΩWbBzANq°Sϕ¼pCpGqOqs
WebSEALA WebSEAL wtmiⁿAhqQ°gOABÑ 0C
lΦkG iiÑG
gO KXOd
KX Od
Od KX
6. Oh O$OΦkNϕA]NOíAúiα∩bh OⁿwT7O≈εC
OΦkiαⁿhO≈εΣA]AOíMq
íOíC
ϕtmFP@OΦk¼hΩAWebSEAL ϕ≤Mwn∩@OíSwWhC
7. pG 3 wtmh AhG0B1B2C pGtmF⌠≤ΣLAhCϕsF POP ⌠≤½≤QnDAWebSEAL Nπ@C
8. pGb webseald.conf tmñiÑOÑtmAh P WebSEAL ñiÑ\αQC¼p PDwOµApⁿ POP O@½≤oXKXnJAnDOqµNXOΦkC
btmFiÑOÑßAd webseald.log AO°F⌠≤tmC
⌠⌠¼O POP h⌠⌠¼O POP h IP εs½≤¿iαC zio\α"εSw IP ] IP d≥szw⌠⌠≤ΩC
z]iHNiÑOtmMhAH∩C@ⁿw IPd≥nDSwOΦkC
⌠⌠¼Oh]w≤ POP huIP IOΦkvñCzbñⁿwΓ≥nDG
¶ Oh
¶ e\⌠⌠
tmOhWebSEAL iT≤iÑO≈εñOΦkG
¶ gO
¶ KX
¶ Od
C@ΦkúQⁿw]ΦkbMµñ@bd≥ 0 2 h ⁿC
zib webseald.conf tm [authentication-levels] q¿ñtmOÑC @lAutmΓh G
[authentication-levels]
level = unauthenticated
level = password
btm⌠⌠¼OAiow]]wCbípUAu
gOvh 0AuKXvh 1C
t\61ytmiÑOh zC
ⁿw IP Md≥bzⁿw POP h(\ IP M IP d≥C
pdadmin pop modify set ipauth add ⁿOⁿwuIP IOΦkvñ⌠⌠]⌠⌠d≥MnOh C
ykG
pdadmin> pop modify <pop-name> set ipauth add <network> <netmask> <level-index>
tmOh IP d≥C oΦkbúu
C pG IP Loú½nAhzi∩ anyothernw]ΣL⌠≤⌠⌠]wµ@Fo]wNvTs
]L IP ≤AnDLbⁿwh OC
ykG
pdadmin> pop modify <pop-name> set ipauth anyothernw <level-index>
ºApGzQñOh Aun IP ⁿ sAzi∩z@Nⁿd≥h 0A∩zn d≥uTεvC
anyothernw @@NXú POP ñⁿw⌠⌠⌠≤⌠⌠º⌠⌠d≥CoΦkw]AΣi
ú IP AⁿXOh D⌠≤sC
w]Aanyothernw HOÑ 0 Xb POP ñCHu⌠≤ΣL⌠⌠vXb pop show ⁿOñG
pdadmin> pop show test
ⁿO@½≤hG test
íG Test POP
iG L
fhG L
O@ΦG L
sΘíGPΘBP@BPGBPTBPBP¡BPGHGϕa
IP IOΦkh
⌠≤ΣL⌠⌠ 0
÷]wOh i@BíA\61ytmiÑOh zC
dnDb IP d≥ 9.0.0.0 ⌠⌠Bn 255.0.0.0 h 1 O]w]uKXvG
pdadmin> pop modify test set ipauth add 9.0.0.0 255.0.0.0 1
nDSwh 0 OG
pdadmin> pop modify test set ipauth add 9.1.2.3 255.255.255.255 0
"ε]bWzdñⁿwús½
≤G
pdadmin> pop modify test set ipauth anyothernw forbidden
IP iÑOykG
pdadmin> pop modify <pop-name> set ipauth remove <network> <netmask>
pG
pdadmin> pop modify test set ipauth remove 9.0.0.0 255.0.0.0
⌠⌠¼OtΓkWebSEAL UCtΓkBz POP ñ¼pG
1. d POP W IP IOΦkhC
2. d ACL \ivC
3. d POP WΘíhC
4. d POP Wfh hC
⌠⌠¼ONM¡εWebSEAL ≤jε⌠⌠¼Oh IP TCP suºl IP C pGz⌠⌠ HTTP proxyAhe WebSEAL iαO proxy °A IP C
bípUAWebSEAL LkTwOu q IP C b]w⌠⌠qis WebSEAL °A⌠⌠¼OhApC
O@Φ POP hO@Φ POP i²zⁿwAb∩½≤⌡µ@n8≥h ΩO@C
eAoA≤ WebSEAL ⌠C
O@Φ POP Oe@ Policy Director ñpKMπDº “P” M “I” ACL \iv$m½C oíΦO@IµvúⁿAvTtαC
O@Φ POP (\µ@º]HuOv ACL MªA]AO@Φh C pGΩzí]p
WebSEALLkOO@h AhnDQ C
pdadmin> pop modify <pop-name> set qop none|integrity|privacy
QOP h í
pK Ω[KOn (SSL)C
π Y≈εTOΩ≤C
pG
pdadmin> pop modify test set qop privacy
BzgO (HTTP / HTTPS)WebSEAL ⁿgOgOzL HTTP M HTTPS oXnDC Hß WebSEAL αuA≈cv$(\ ∩ⁿO@ΩºsAIµwhC
UC°≤A≤zL SSL sgOG
¶ ∩gOP WebSEAL ºíΩTµ½[K—@kNpPgOC
¶ gOP WebSEAL ºí SSL suun°AOC
BzWqoXnD
1 . Wq∩ WebSEAL oXnD]zL HTTP
HTTPSC
2. WebSEAL qgOC
3. nDsPYeⁿO@ Web ½≤C
4. uA≈cvd∩½≤º ACL gO T\ivAMß(\ nD@C
5. OαQs½≤AM≤+]t¬ (r) MX (T)\ivgO ACL C
6. pGnDLkqLvMwAq¼@≈nJϕµ]BA uϕµívC
jεnJzijεgOnJAΦk∩O@nD½≤º
ACL hñgO]wAϕ\ivC
¬ (r) MX (T) \ive\gOs½≤C
YnjεgOnJAqO@½≤º ACL hñgOñAú¬ (r) \ivC¼nJú]BA uϕµívC
gO HTTPS íhΩz$HΣzL HTTPS ∩ WebSEAL iµgOsG
¶ YíúnHnJA²nPΩTApa
MHdXC ÑA]AuWR≈ΣLC
¶ YínDz²VqnObßAMß)αiµi
@Bµ÷C PΩTSAqL⌠⌠C
H ACL/POP hεgO
: “any-authenticated” ¼ÑP≤ “any-other” ¼C
1. Yn(\gOs@½≤AH+]t∩gO⌠≤gOº¬ (r) MX (T) \iv ACLO@@eG
unauthenticated Tr
any-authenticated Tr
: bPw\ivAunauthenticated OP
any-authenticated Bn]÷$ “and” @Cuϕ unauthenticated \iv]Xb
any-authenticated ñA)P\ivC $≤unauthenticated M≤ any-authenticatedA]pGACL ]t unauthenticated ²S any-authenticatedA
NúP≤9úXzCpG ACL ]t unauthenticated ²S any-authenticatedAhw]úPunauthenticated \ivC
2. YnnD[K (SSL)AHⁿwpK°≤uⁿO@½≤h]Protected Object Policy, POPvO@eC
\70yO@Φ POP hzC
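An added example, not Policy Director code, that evaluates a WebSEAL ACL in the `pdadmin acl show` layout used on this page: it applies the note above that the unauthenticated entry is AND-ed with any-authenticated (the same entry type pdadmin prints as Any-other), so an ACL with unauthenticated but no any-authenticated grants nothing, and it maps GET, PUT, DELETE and CGI execution to the r, m, d and x permissions of the ACL table in this chapter. The evaluation order for authenticated principals (own user entry, else union of matching group entries, else any-other) is an assumption not spelled out on this page; the ACL texts are constructed from the ones shown here.

```python
"""Effective permissions from a WebSEAL ACL, applying the rule on this page
that the unauthenticated entry is AND-ed with the any-authenticated entry.
Added example; not Policy Director code."""
from typing import Dict, Iterable, Optional, Set

# HTTP methods that this page's ACL permission table maps to a letter:
# r = read a web object, m = modify (PUT), d = delete.  CGI execution needs x.
METHOD_PERMISSION = {'GET': 'r', 'PUT': 'm', 'DELETE': 'd'}


def parse_acl(text: str) -> Dict[str, Set[str]]:
    """Parse entry lines in 'pdadmin acl show' layout, e.g. 'Group iv-admin Tcmdbsvarxl'.

    Keys: 'user:<name>', 'group:<name>', 'any-other', 'unauthenticated'.
    'any-authenticated' is accepted as a synonym of 'any-other', which the
    page states are the same entry type.
    """
    acl: Dict[str, Set[str]] = {}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        kind = parts[0].lower()
        if kind in ('user', 'group') and len(parts) == 3:
            acl[f'{kind}:{parts[1]}'] = set(parts[2])
        elif kind in ('any-other', 'any-authenticated') and len(parts) == 2:
            acl['any-other'] = set(parts[1])
        elif kind == 'unauthenticated' and len(parts) == 2:
            acl['unauthenticated'] = set(parts[1])
        else:
            raise ValueError(f'unrecognised ACL entry: {raw!r}')
    return acl


def effective_permissions(acl: Dict[str, Set[str]], user: Optional[str],
                          groups: Iterable[str] = ()) -> Set[str]:
    """Permissions a principal holds under this ACL; user=None is unauthenticated.

    Unauthenticated: the page's masking rule, so with no any-authenticated entry
    nothing is granted.  Authenticated (assumed order, not stated on this page):
    the user's own entry, else the union of matching group entries, else any-other.
    """
    if user is None:
        return acl.get('unauthenticated', set()) & acl.get('any-other', set())
    if f'user:{user}' in acl:
        return set(acl[f'user:{user}'])
    group_perms = [acl[f'group:{g}'] for g in groups if f'group:{g}' in acl]
    if group_perms:
        return set().union(*group_perms)
    return set(acl.get('any-other', set()))


def can_access(acl: Dict[str, Set[str]], method: str, user: Optional[str] = None,
               groups: Iterable[str] = (), is_cgi: bool = False) -> bool:
    """True when the principal holds the letter this page requires for the request."""
    needed = 'x' if is_cgi else METHOD_PERMISSION.get(method.upper())
    if needed is None:
        return False                     # method not in the page's table: deny
    return needed in effective_permissions(acl, user, groups)


# ACL texts constructed from this page.
DEFAULT_WEBSEAL_ACL = """\
Group iv-admin Tcmdbsvarxl
Group webseal-servers Tgmdbsrxl
User sec_master Tcmdbsvarxl
Any-other Trx
Unauthenticated T
"""
PUBLIC_READ_ACL = "unauthenticated Tr\nany-authenticated Tr\n"
# unauthenticated without any-authenticated: the page notes this grants nothing.
UNMASKED_ACL = "unauthenticated Tr\n"

if __name__ == '__main__':
    acl = parse_acl(DEFAULT_WEBSEAL_ACL)
    print('unauthenticated:', ''.join(sorted(effective_permissions(acl, None))))
    print('GET as unauthenticated allowed:', can_access(acl, 'GET'))
```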
WebSEAL O
Q WebSEAL @Ñq@¼AMBzOΦíC¿\OúNϕ Policy Director OC WebSEALoOoCuA≈cv
(Authorization Service) (\ ∩ⁿO@ΩsC
DDG
¶ 76yAOz
¶ 79yzÑq@¼Az
¶ 90yOtmº[z
¶ 95ytm≥Oz
¶ 97ytmϕµíOz
¶ 99ytmqíOz
¶ 103ytm HTTP YOz
¶ 105ytm IP Oz
¶ 106ytmOOz
¶ 107yΣhu Proxy Nzz
AOOOO nJw⌠ºOBz¡ΦkC
¶ WebSEAL w]ΣOΦkAiQqΣLΦkC
¶ ∩ WebSEAL Q¿OGNO Policy Director n²¡≈C
¶ WebSEAL ¡≈oC
¶ uA≈cvb⌠xC@½≤ºh ACL \ivM POP °≤ºßA(\ ∩ⁿO@½≤sv¡C
: ACL = sεMµh POP = ⁿO@½≤h
bOíAWebSEAL dqnDñHUΩTG
¶ Ñq@Ω
Ñq@ΩObqM WebSEAL °AíOSwsuΩTCÑq@ΩOPq@Ps±AB≥
Hqß≥nDCªO½sOe WebSEAL°AqÑq@AHKnDsÑq
@útßC
¶ OΩ
OΩOq² WebSEAL °AOqΩTCOΩ¼]tFqBKXHOXC
ϕ WebSEAL ¼qnDAWebSEAL ²MΣOΩeÑq@ΩClqnDú]tÑq@ΩC
ΣÑq@Ω¼WebSEAL ΣHUÑq@Ω¼G
1. SSL ID]$ SSL qH≤wwq
2. °ASÑq@ cookie
3. BA YΩ
4. HTTP YΩ
5. IP
ϕ WebSEAL dqnDAª÷MµñⁿwjMÑq@ΩC
ΣOΦk÷M WebSEAL \αPOUWB@AWebSEAL °[Jw⌠ñCYno¡
ΩTHK≥oAWebSEAL αOoΩTC
WebSEAL ΣHUOΦkoG
Authentication method                             Supported connection type
1. Failover cookie                                HTTP and HTTPS
2. CDSSO ID token                                 HTTP and HTTPS
3. Client certificate                             HTTPS
4. Token passcode                                 HTTP and HTTPS
5. Forms (username and password)                  HTTP and HTTPS
6. Basic authentication (username and password)   HTTP and HTTPS
7. HTTP header                                    HTTP and HTTPS
8. IP address                                     HTTP and HTTPS
ϕ WebSEAL dqnDAª÷ϕñⁿwjMOΩC
ziHµW∩ HTTP HTTPS e¼MOΦkCpGSwe¼OΦkAhΘ¼q
NLkiµOC
tmΩTí
¶ 79yzÑq@¼Az
¶ 90yOtmº[z
¶ 95ytm≥Oz
¶ 97ytmϕµíOz
¶ 99ytmqíOz
¶ 103ytm HTTP YOz
¶ 105ytm IP Oz
¶ 106ytmOOz
¶ 107yΣhu Proxy Nzz
¶ CDAS O
Tivoli SecureWay Policy Director WebSEAL DeveloperReference
zÑq@¼A°AαOqT∩H]w∩hnDA)αbq
M°AºíwsuÑq@C°AπY
íÑq@¼AAΩTOPC@nD÷pqC
YqM°AºíÑq@¼AAqM°Aí
w∩ß≥nDiµqTW≤CÑq@¼AΩTi
ε+qP°AíA½÷¼M½ssuAHWi
αCqiHnJ@ Mßiµh nDAúnw∩C
nDiµtnJC
WebSEAL iBz HTTP M HTTPS qTCHTTP O@uL¼AvqH≤wABúú⌠≤nDΦkC t@ΦASSLΘ≤w]pñASOúFÑq@ ID HK@Ñq@¼AΩTC HTTP qTiHzL SSL ¿ HTTPSC
²OAWebSEAL ngBzgOq HTTP qTCB SSL Ñq@ ID ]úOAϕMΦC]AWebSEAL ]pOHU⌠≤ΩT¼@qÑq@¼AG
1. SSL ID
2. °ASÑq@ cookie
3. BA YΩ
4. HTTP YΩ
5. IP
GSKit M WebSEAL Ñq@Ñq@i²°AxshqÑq@ ID ΩTCΓÑq@iHe HTTPS M HTTP Ñq@¼AΩTC
¶ WebSEAL
WebSEAL ixs²⌠≤¼Ñq@ ID ΩT
]\HWMµAHqqoΩ
TC
ΩTQsbñAHKbvd½d
n²ΩwC
¶ GSKit SSL Ñq@ ID
GSKit Ñq@b SSL Ñq@ ID ΩTOsÑq@¼AABz HTTPS (SSL) qTC
GSKit ]Os WebSEAL M LDAP n²ºíSSL suÑq@¼AΩTC
C@úitmAi²zπ
αCoJ≤U ñG
tm WebSEAL HUtm@i≤ WebSEAL Ñq@/G
¶ ]wjµ
13. Ñq@tm
¶ ]wO
¶ ]wεíO
]wjµwebseald.conf tmñ [session] q¿ max-entries Ai]w WebSEAL Ñq@/ñµjqC
∩≤µnJÑq@CϕOΘjpF
AhßtΓkúAHKⁿs
nJC
µnJÑq@w]q 4096G
[session]
max-entries = 4096
]wOwebseald.conf tm [session] q¿ñ timeout i]wWebSEAL Ñq@/ñARgOjC
WebSEAL bíΩTC Ñq@OⁿwOdb WebSEAL ºOΘñvΩTºí°C
úOεíOC MguRgvA
DuOvC Σb≤ú*wAΣΦkObFⁿw
O¡εAjε½sOC
w]nJÑq@O]ϕ 3600G
[session]
timeout = 3600
]wεíOwebseald.conf tmñ [session] q¿ inactive-timeout i]wnJÑq@εíOC
w]nJÑq@εíO]ϕ 600G
[session]
inactive-timeout = 600
YnO\αAN]w “0”C
tm GSKit SSL Ñq@ ID HUtm@i≤ GSKit SSL Ñq@ ID G
¶ ]wO
¶ ]wjµ
]wO]w GSKit SSL Ñq@ ID jRgOOb webseald.conf tmñ [ssl] q¿CΣñΓG SSL V2 su (ssl-v2-timeout) H SSL V3 su (ssl-v3-timeout)C
w] SSL V2 Ñq@O]ϕ 100]iαd≥O 1 100G
[ssl]
ssl-v2-timeout = 100
w] SSL V3 Ñq@O]ϕ 7200]iαd≥O 1 86400G
[ssl]
ssl-v3-timeout = 7200
]wjµwebseald.conf tmñ [ssl] q¿ ssl-max-entries Ai]w GSKit SSL Ñq@ ID ñµjqC
∩≤µnJÑq@CϕOΘjpF
AhßtΓkúAHKⁿs
nJC
µnJÑq@w]q 4096G
[ssl]
ssl-max-entries = 4096
Ñq@ Cookie @¼At@ΦkO cookie OdÑq@ΩTAHK@qM°AºíÑq@¼AC°A²NSwq¼AΩT
b cookie ñAMßeqs²C w∩C@snDAs²úN cookie]tÑq@ΩT°AAHK½sO¡C
ϕqs²buííjA½s≤Σ SSL Ñq@AÑq@ Cookie iH¼púiαMΦCpAY Microsoft Internet Explorer s²CjΓTY½s≤ SSL Ñq@C
Ñq@ cookie úq∩µ@BW@LGº°A½sOFq²ewb@uq]j 10 ∩°AOC ≈ε≥ªO@LkqLú cookie Hº⌠≤≈u°A cookievC
AÑq@ cookie ]t@ IDAΣ°AÑq@C Ñq@ cookie ñS»ΣLΩTC Ñq@ cookie úMwhC
AÑq@ CookieWebSEAL w°ASÑq@ cookieC UC°≤A≤ cookie ≈εG
¶ Cookie ]tÑq@ΩTFªú]t¡ΩT
¶ Cookie usbs²OΘñ]úgJWs²cookie jar
¶ Cookie π¡Rg]itm
¶ Cookie π⌠M⌠AiTεQΣL°A
MÑq@ ID Cookieswebseald.conf tm [session] q¿ñ ssl-id-sessions iHMÑq@ CookieCiεOn SSLÑq@ ID @zL HTTPS sqnJÑq@CpG]w “no”AÑq@ Cookie ≤jí≈OΦkC
[session]
ssl-id-sessions = no
ϕtm]w “no” ANzL HTTPS sqoHU¼pG
1. SSL Ñq@ ID úQ@Ñq@ ID ΩC
2. Cookie Q@πqOBFailover cookiesBCDSSO ID OBϕµWMKXBOqµNXHqÑq@C
3. ϕ use-same-session = yes]\U@ACookie uQbu≥OvqChABA YQ@Ñq@ ID ΩC
4. HTTP YQϕ@ HTTP YiµqOAÑq@ ID ΩC
5. IP Qϕ@ IP iµqOAÑq@ ID ΩC
ϕz Cookie @Ñq@¼AAhubQnJß)e@ Cookie s²CMAí≈s²jε¡εPxsbOΘñ Cookie qCbí≈⌠ñAíbqtWA⌠bOΘñ±mjq CookieCbípUAΣL cookie iHHNaNtm WebSEAL Ñq@cookie Failover cookieC
ϕztm WebSEAL Ñq@ Cookie]]iαO FailovercookiesAziH]w webseald.conf tm [session] q¿ñ resend-webseal-cookies A² WebSEAL bC
úNÑq@ cookie M Failover cookie es²Co@iH≤UTOÑq@ cookie M Failover cookie @sb≤s²OΘñC
resend-webseal-cookies w]]w “no”G
[session]
resend-webseal-cookies = no
Nw]]w≤ “yes”AHKbC e WebSEAL Ñq@ Cookie M Failover CookieC
MPÑq@ziHtm WebSEAL bqzL@Θ¼]p HTTPnJßñAMßt@Θ¼]p HTTPS½snJAPÑq@ ID ΩC
webseald.conf tm [session] q¿ñ use-same-sessioniHMPÑq@ ID ΩOCw]A]w “no”G
[session]
use-same-session = no
ϕtm]w “yes” ANoHU¼pG
1. ϕUCq¼ß≥zLΣLΘΦínJAYÑq@ Cookie iµOG
a. Failover Cookie
b. q
c. CDSSO ID O
d. OqµNX
e. ϕµWMKX
f. ≥O
2. HTTP Y≤ HTTP YiµqsC
3. IP ≤ IP iµqsC
4. ssl-id-sessions tmQñF PµP ssl-id-sessions Q]w “no” PC
] HTTP qSi@Ñq@Ω SSL Ñq@IDAΦoϕ½nC
5. ] HTTP M HTTPS qúio CookieAo CookieúQw CookieC
P Ñq@ ID Ω¼HUtmSwXAiHPSwOΦkiµ
sqÑq@Ω¼G
¶ Ñq@ Cookie (ssl-id-sessions)
¶ bq7½ HTTP M HTTPS APÑq@ΩαO (use-same-session)
UϕJFi≤ ssl-id-sessions M use-same-session ]wXÑq@ ID ΩG
HTTPS clients
Authentication method   ssl-id-sessions = yes   ssl-id-sessions = no     ssl-id-sessions = no
                                                use-same-session = no    use-same-session = yes
Failover cookie         SSL ID                  Cookie                   Cookie
Certificate             SSL ID                  Cookie                   Cookie
CDSSO                   SSL ID                  Cookie                   Cookie
Token                   SSL ID                  Cookie                   Cookie
Forms                   SSL ID                  Cookie                   Cookie
BA                      SSL ID                  BA header                Cookie
HTTP header             SSL ID                  HTTP header              HTTP header
IP address              SSL ID                  IP address               IP address

HTTP clients
Authentication method   use-same-session = no   use-same-session = yes
Failover cookie         Cookie                  Cookie
CDSSO                   Cookie                  Cookie
Token                   Cookie                  Cookie
Forms                   Cookie                  Cookie
BA                      BA header               Cookie
HTTP header             HTTP header             HTTP header
IP address              IP address              IP address
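The two tables above, written as a function so that the session-identifier choice can be checked for any combination of transport, authentication method, ssl-id-sessions and use-same-session. This is an added example, not code from the WebSEAL product or manual; the short method labels are this example's own, the HTTPS-only rule for certificate authentication comes from the supported-connection table earlier in this chapter, and the rule that use-same-session = yes overrides ssl-id-sessions comes from the use-same-session notes above.

```python
"""Session-identifier selection for WebSEAL, as an added worked example.

Encodes the HTTPS and HTTP tables from the manual: which piece of request
data WebSEAL treats as the session identifier, given the [session] stanza
settings ssl-id-sessions and use-same-session and the authentication
method that established the session.  Method labels are this example's own.
"""

HTTP = "http"
HTTPS = "https"

# Authentication methods in the manual's order, with the transports they support.
METHODS = {
    "failover": (HTTP, HTTPS),      # Failover cookie
    "cdsso": (HTTP, HTTPS),         # CDSSO ID token
    "certificate": (HTTPS,),        # client certificate (SSL only)
    "token": (HTTP, HTTPS),         # token passcode
    "forms": (HTTP, HTTPS),         # forms login (username and password)
    "ba": (HTTP, HTTPS),            # basic authentication (username and password)
    "http-header": (HTTP, HTTPS),   # HTTP header
    "ip": (HTTP, HTTPS),            # IP address
}


def session_id_source(transport, method, ssl_id_sessions=False, use_same_session=False):
    """Return the session-identifier source WebSEAL uses for one request.

    Raises ValueError for an impossible combination instead of guessing.
    """
    if method not in METHODS:
        raise ValueError(f"unknown authentication method: {method!r}")
    if transport not in METHODS[method]:
        raise ValueError(f"{method} is not supported over {transport}")

    # ssl-id-sessions = yes keys every HTTPS session by its SSL session ID.
    # It has no effect on HTTP (there is no SSL session ID) and is ignored
    # when use-same-session = yes, which the manual treats as ssl-id-sessions = no.
    if transport == HTTPS and ssl_id_sessions and not use_same_session:
        return "SSL ID"

    # Otherwise the session cookie is used, except for methods whose
    # identifying data is resent with every request anyway.
    if method == "http-header":
        return "HTTP header"
    if method == "ip":
        return "IP address"
    if method == "ba":
        # With use-same-session = yes the BA header gives way to the cookie,
        # so one session can be shared between HTTP and HTTPS.
        return "Cookie" if use_same_session else "BA header"
    return "Cookie"


def session_table(transport, ssl_id_sessions=False, use_same_session=False):
    """Build one column of the manual's table for a given configuration."""
    return {
        method: session_id_source(transport, method, ssl_id_sessions, use_same_session)
        for method, transports in METHODS.items()
        if transport in transports
    }


if __name__ == "__main__":
    for ssl_id, same in ((True, False), (False, False), (False, True)):
        print(f"HTTPS ssl-id-sessions={ssl_id} use-same-session={same}:",
              session_table(HTTPS, ssl_id, same))
    for same in (False, True):
        print(f"HTTP use-same-session={same}:", session_table(HTTP, False, same))
```

Running the block prints each column of both tables; the ValueError paths are the ones to watch, since a certificate session over plain HTTP or an unknown method name is a configuration mistake rather than a table lookup.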
tm Failover CookieHU Failover cookie \α]HTTP M HTTPSA≤zLtⁿ¡≈εAsse WebSEAL °AOqCFailover cookie sbOnb°AÑq@Aq≡MLkAKjε½sOC
e WebSEAL OiHΩ@jqqú¬iΩCtⁿ¡≈εIeinDABNnDti
e°AC
b\¬QeAHHU C
qúεse°AtmCtⁿ¡≈εO
nD URL ºµ@ ICtⁿ¡≈εqPi°A]p WS1sC WS1 WÑq@¼AAqß≥nDúQe WS1C
Failover Cookie iM]t WS1 ]GLkD¼p]ptóz≈≈uCpGLk WS1Atⁿ¡≈εNnD½s VΣLs°A]WS2 WS3CÑq@∩Mg≥óCq∩ N°A
ÑOsqAjεiµOC
ziHtms WebSEAL °Ab°AS cookie ñA∩qΩ[KCϕq@ sA cookie Q±bs²ñCpGl WebSEAL °ALkAcookie]πw[KΩTXb N°AWCs WebSEAL °A@ΩK@P≈CqiHbs WebSEAL °AWsÑq@AúnQjε½sOC
14. Failover Cookie Ω
cookie IOtⁿ¡≈ε DNSC] cookie O°AS cookieABúO⌠S cookieAHµ@ID½nCubn¼ cookie °AP cookie °AπP DNS WA°A)¼ cookieCqTwzLtⁿ¡≈εiµnDC]@ñAcookie @wQⁿABQU@i°AC
Failover Cookie
webseald.conf tm [failover] q¿ñ failover-auth iHM°AS Failover CookieG
¶ Yn Failover CookieAΘJ “http”B“https” “both”C
¶ Yn Failover CookieAΘJ “none”]w]C
pG
[failover]
failover-auth = https
zbe WebSEAL °AW]wC
Ω[KMK
YnO cookie ΩAWebSEAL ú cdsso_key_gen íC oíú∩ cookieñΩ[KMK∩≈Cbz⌡µíA
ⁿw≈m]∩⌠WG
UNIXG # cdsso_key_gen <pathname>
WindowsG MSDOS> cdsso_key_gen <pathname>
b⌠@s°AW⌡µíAMßΓN≈s
ΣLs°AWCb°A webseald.conftm [failover] q¿ñΘJ≈mCpGzúⁿw≈A°A Failover cookie \αQG
[failover]
failover-cookies-keyfile = <absolute-pathname>
ziH∩≈⌠≤AϕWAp ws.keyC
tm Cookie Rg
cookie Rg]O]wbHUñG
failover-cookie-lifetime = 60
Otmº[ziHCΦkAM∩≤ HTTP M HTTPS qOC
webseald.conf tm [authentication-mechanisms] q¿Otm WebSEAL ΣOΦk≈εCⁿΣOΦk]AG
¶ ]Oí
OíⁿwF T@íw (UNIX) DLL (Windows) C
¶ qíOí
WebSEAL ú°AíXdAimⁿwqíu≤⌠OA (CDAS)v°AC
í CDAS Oíⁿw Tq@íwC
OUCⁿwOíG
Mechanism       Description
Forms and basic authentication
passwd-ldap     Authenticates with an LDAP username and password.
Token authentication
token-cdas      Authenticates with an LDAP username and a SecurID token passcode.
Certificate authentication
cert-ssl        Authenticates with a client certificate over SSL.
HTTP header and/or IP address authentication
http-request    Authenticates using a specific HTTP header and/or the client IP address.
CDSSO ID token authentication
cdsso           Cross-domain single sign-on token.
zi [authentication-mechanisms] q¿tmOΦkBΩ@HUµíG
<authentication-method-parameter> = <shared-library>
\78ytmΩTízC
íq CDAS OHUiⁿwí CDAS °Aq@íwG
Mechanism       Description
passwd-cdas     Authenticates with a username and password held in a third-party registry.
token-cdas      Authenticates with a username and token passcode.
cert-cdas       Authenticates with a client certificate over SSL.
Tivoli SecureWay Policy Director WebSEAL DeveloperReference HKFmMtmΩ@ CDAS °Aq@íwºΩTC
WebSEAL Ow]tmw]AWebSEAL ]u≥O (BA)vWMKX]LDAP n²BzL SSL OqC
q∩ TCP SSL sú WebSEALC ]A
[authentication-mechanisms] q¿σ¼tm]tFWMKXΣ]LDAP n²HzL SSL ºqΣC
UCdNϕ Solaris @tW [authentication-mechanisms]q¿ (Solaris) σ¼tmG
[authentication-mechanisms]
passwd-ldap = libldapauthn.so
cert-ssl = libsslauthn.so
YntmΣLOΦkAsWAϕPΣ@íw]
CDAS C ÷OΦktmΩTA\78ytmΩTízC
tmh½OΦkziH∩ webseald.conf tmñ[authentication-mechanism] q¿Aⁿwi≤⌠≤iΣOΦk@íwCϕztmhOΦkAHU¼pí
iAG
1. OΦkúiUWB@Cz]iHCiΣΦktm@@íwC
2. ϕ cert-cdas ΦkM cert-ssl ΦkúwtmAeu²≤ßC zoΣñ@ΦkHΣqC
3. btmhKX¼OíAΩWuΣñ@CWebSEAL UCu²Rh½tmKXOíC
a. passwd-cdas
b. passwd-ldap
4. ziHΓúPOΦktmPqíwCpAziHgJ@q@íwBzW/KXM HTTP YOCbdñAzi passwd-cdas Mhttp-request tmP@íwCíoHtd@Ñq@¼AABKΓΦko≡C
nJúWebSEAL boHU¼púqnJG
1. qLvdgOq
2. qLvduϕµíOvu≥Ovq
HUq¼πu403 óvG
1. ϕqLOdG
a. q
b. Failover cookie
c. CDSSO
d. IP
e. HTTP Y
2. q WebSEAL wΦkiµO
nXM≤KXⁿOPolicy Director úFHUⁿOAzL HTTP HTTPS OqC
pkmslogoutϕqOΦkAúw∩nDúOΩ
AqiH pkmslogout ⁿOqµÑq@nXCpApkmslogout ∩≤u≥Ov IP OqNS@CbípUAz÷¼s²HKnXC
pkmslogout ⁿOiA≤HUOΦíGqBOqµNXBϕµíOAH HTTP YOí≈Ω@C
÷HUΦí⌡µⁿOG
https://www.tivoli.com/pkmslogout
s²π webseald.conf tmñwqnXϕµG
[acnt-mgt]
logout = logout.html
zi∩ logout.html XzDC
ϕ⌠⌠tmnúP⌠eAnXπúPß
tApkmslogout íΣh½nXC
UCϕíOSwG
https://www.tivoli.com/pkmslogout?filename=<custom_logout_file>
Σñ custom_logout_file OnXWC os±bP]tw] logout.html ΣLd HTML ϕµP@ lib/html/C ²ñC
pkmspasswdϕzu≥O (BA)vuϕµíOvAziHⁿO≤nJKXCoⁿOA≤zL HTTP HTTPSC
pG
https://www.tivoli.com/pkmspasswd
Fb WebSEAL W BA αTO wAⁿO BA qiµHUµG
1. KX≤C
2. qqµÑq@nXC
3. ϕqoXΣLnDAs²bqWπ BA úC
4. q½snJHK≥oXnDC
¼puA≤u≥OvqC
tm≥Ou≥O (BA)vO∩O≈εúWMKXΦkC BA O$ HTTP qH≤wwqAizL HTTP zLHTTPS Ω@C
w]A∩ WebSEAL tmg$u≥O (BA)vWMKXBzL HTTPS iµOC
M≥Owebseald.conf tm [ba] q¿ñ ba-auth iMu≥OvΦkC
¶ Ynu≥OvΦkAΘJ “http”B“https” “both”C
¶ Ynu≥OvΦkAΘJ “none”C
pG
[ba]
ba-auth = https
]wΓWϕs²úúnJΩA∩ñπσrN
OΓWC
]wΓWtmOb webseald.conf tm [ba] q¿ñC
pG
[ba]
basic-auth-realm = Policy Director
tm≥O≈εpasswd-ldap iⁿwBzWMKXO@íwC
¶ b UNIX WAúMg\αO@ libldapauthn @íwC
¶ b Windows WAúMg\αO@ldapauthn DLLC
Mechanism      Shared library
               Solaris            AIX                Windows          HP-UX
passwd-ldap    libldapauthn.so    libldapauthn.a     ldapauthn.dll    libldapauthn.sl
ziHb webseald.conf tm [authentication-mechanism] q¿ passwd-ldap ñAΘJ@íw¡xSwWAHKtmWMKXO≈εCpG
SolarisG
15. BA nJú
[authentication-mechanisms]
passwd-ldap = libldapauthn.so
WindowsG
[authentication-mechanisms]
passwd-ldap = ldapauthn.dll
tm°≤pGww∩SwΘΦíFuϕµíOvAhΘΦí
u≥Ov]wQñC
tmϕµíOPolicy Director úuϕµíOvAOu≥Ov≈εHt@∩CoΦk Policy Director úqHTML nJϕµAúOu≥OvtúnJúC
ϕzuϕµínJvAs²úpPΣbu≥Ov
ñ@WMKXΩTC
MϕµíOwebseald.conf tm [forms] q¿ñ forms-auth iMuϕµívOΦkC
¶ YnuϕµíOvΦkAΘJ “http”B“https” “both”C
¶ YnuϕµíOvΦkAΘJ “none”C
pG
[forms]
forms-auth = https
tmϕµíO≈εpasswd-ldap iⁿwBzWMKXO@íwC
¶ b UNIX WAúMg\αO@ libldapauthn @íwC
¶ b Windows WAúMg\αO@ldapauthn DLLC
Mechanism      Shared library
               Solaris            AIX                Windows          HP-UX
passwd-ldap    libldapauthn.so    libldapauthn.a     ldapauthn.dll    libldapauthn.sl
ziHb webseald.conf tm [authentication-mechanism] q¿ passwd-ldap ñAΘJ@íw¡xSwWAHKtmWMKXO≈εCpG
SolarisG
[authentication-mechanisms]
passwd-ldap = libldapauthn.so
WindowsG
[authentication-mechanisms]
passwd-ldap = ldapauthn.dll
tm°≤pGww∩SwΘΦíFuϕµíOvAhΘΦí
u≥Ov]wQñC
q HTML ϕµϕµíOnDzqnJϕµCw]A
login.html dϕµObHU²ñG
<install-directory>/lib/html
ziHqϕµeM]pCpG
÷ziqº HTML ϕµΩTA\35yzq HTML zC
tmqíOWebSEAL ΣzL SSL qAiµPqwqHC bOΦkñAΩT]puOWv
DNMg Policy Director ¡C
IGzL¼OzLiµOΓÑqG
¶ WebSEAL HΣ°AA∩ SSL qOΣ¡
¶ WebSEAL Σu≈c (CA)vroot ΩwAτHqiµsq
1. SSL qnDP WebSEAL °AsuC
2. WebSEAL zLwp°AeΣ≈@Co²ew$ⁿH⌠TΦ≈c (CA) pC
3. qdoOiΣH⌠ⁿC q
s²qtⁿH⌠ CA oX root MµC p
16. WebSEAL nJϕµd
G WebSEAL WWXoΣñ@ root Ah°AOiH⌠C
4. pGWúAs²YqΣAⁿXO$ú≈coXC UNOd⌠hⁿ
C
5. pGWXs² root ΩwñAhwa≤qP WebSEAL °AºíÑq@≈C
oBzGNO@DqizLΣiµO]pA
zLWMKXwWDCbQ¿Oº
ßAqP°AYi≥zLWDwqHC
6. bAqNeΣ≈ WebSEAL °AC
7. WebSEAL YNqWWPw CA WW±∩C pPqs²AWebSEAL °AbΣ≈Ωwñ@@≈oH⌠ CA root MµC
8. pGWúAWebSEAL ú SSL XANªeqC
9. pGWAhiH⌠qCYiµqOAú Policy Director ¡≈C
17. qτ WebSEAL
10. Ywa≤qP WebSEAL °AºíÑq@≈C oBzGNOb¼OqP°Aºí
@DwSiH⌠qHWDC
WebSEAL bwñAWebSEAL ]tFµp°AC÷Me\ WebSEAL F SSL s²nDA²Os²]Σú]tAϕ root CA Lk[HτC$≤w]pK≈t≤C@ WebSEAL eñALkúu wqHC
YnTOzL SSL wqHAVⁿH⌠u≈c(CA)vn²oW@LG⌠°AC ziH GSKitiKeyman íúne CA nDCz]niKeyman wMsxC webseald.conf tm [ssl] q¿ñ webseal-cert-keyfile-label Nⁿw@ñ WebSEAL °A]]w∩g≈Ωwñ⌠≤uw]vC
pGzbúPípñnúP]p¼O
XAziH iKeyman íBwMoBC
\40ytm WebSEAL ≈ΩwzC
\237y iKeyman zzC
MíOziH]w webseald.conf tm [certificate] q¿ñaccept-client-certs AHKⁿw WebSEAL np≤BzzLSSL qíOC
w]AWebSEAL úⁿqG
[certificate]
accept-client-certs = never
ΣL]A optional M requiredC
UϕCiⁿ accept-client-certs G
Value       Description
never       Does not prompt the client for an X.509 certificate.
optional    Asks the client to present an X.509 certificate but does not require one.
required    Requires the client to present an X.509 certificate; if the client does not present one, the connection is not allowed.
tmíO≈εcert-ssl iⁿwMgOΩT@íwC
¶ b UNIX WAúMg\αO@ libsslauthn @íwC
¶ b Windows WAúMg\αO@sslauthn DLLC
Mechanism      Shared library
               Solaris            AIX                Windows          HP-UX
cert-ssl       libsslauthn.so     libsslauthn.a      sslauthn.dll     libsslauthn.sl
ziHb webseald.conf tm [authentication-mechanism] q¿ cert-ssl ñAΘJ@íw¡xSwWAHKtmíO≈εC
SolarisG
[authentication-mechanisms]
cert-ssl = libsslauthn.so
WindowsG
[authentication-mechanisms]
cert-ssl = sslauthn.dll
@íwúw]MgN DN Mg LDAPDNC
tm°≤pGqBz]w “required”Aw∩ HTTPS qΣLO]wúQñC
tm HTTP YOPolicy Director ΣzLq proxy NzúqHTTP YΩTiµOC
≈εnMg\α]@íwANⁿH⌠]gw²
OYΩMg Policy Director ¡≈C WebSEAL io¡≈AMßC
WebSEAL ]²ewOq HTTP YΩC≥≤]AzMaIµΦk—úΣL⌠≤OΦkC q
HTTP YΩOiαC
w]Am@íwAHKq Entrust Proxy YMgΩC
M HTTP YOwebseald.conf tm [http-headers] q¿ñ http-headers-auth iM HTTP YOΦkC
¶ Yn HTTP YOΦkAΘJ “http”B“https” “both”C
¶ Yn HTTP YOΦkAΘJ “none”C
pG
[http-headers]
http-headers-auth = https
ⁿwY¼zb webseald.conf tm [auth-headers] q¿ñⁿwΣ HTTP Y¼C
[auth-headers]
header = <header-type>
w]A@íwOg+bíñHΣ EntrustProxy YΩC
[auth-headers]
header = entrust-client
zqoOΣL¼SϕYΩA]∩
aNΩMg Policy Director ¡C TivoliSecureWay Policy Director WebSEAL Developer ReferenceAHKo API ΩC
tm HTTP YO≈εhttp-request ⁿwMg HTTP OYΩT@íwC
¶ b UNIX WAúMg\αO@ libhttpauthn @íwC
¶ b Windows WAúMg\αO@httpauthn DLLC
Mechanism      Shared library
               Solaris            AIX                Windows          HP-UX
http-request   libhttpauthn.so    libhttpauthn.a     httpauthn.dll    libhttpauthn.sl
w]A@íwwg+≤íñAN EntrustProxy YΩMg Policy Director ¡CzqoOΣL¼SϕYΩA]∩aNΩ
Mg Policy Director ¡C Tivoli SecureWay PolicyDirector WebSEAL Developer ReferenceAHKo API ΩC
ziHb webseald.conf tm [authentication-mechanism] q¿ http-request ñAΘJ@íw¡xSwWAHKtm HTTP YO≈εC
pG
SolarisG
[authentication-mechanisms]
http-request = libhttpauthn.so
WindowsG
[authentication-mechanisms]
http-request = httpauthn.dll
tm°≤
1. pG ssl-id-sessions = noAÑq@ ID Cookie Nú@¼ACMY@¼AC
2. pGqDJOóAq¼uTεv (HTTP403)C
tm IP OPolicy Director iΣzLqú IP iµOC
M IP Owebseald.conf tm [ipaddr] q¿ñ ipaddr-auth iM IP OΦkC
¶ Yn IP OΦkAΘJ “http”B“https” “both”C
¶ Yn IP OΦkAΘJ “none”C
pG
[ipaddr]
ipaddr-auth = https
tm IP O≈εzL IP iµOnq@íwCw∩@íw http-request C
tmOOPolicy Director iΣzLqúOqµNXiµOC
MOOwebseald.conf tm [token] q¿ñ token-auth iMOOΦkC
¶ YnOOΦkAΘJ “http”B“https” “both”C
¶ YnOOΦkAΘJ “none”C
pG
[token]
token-auth = https
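Every method in this chapter is switched on by one stanza key that takes “http”, “https”, “both” or “none”. The following audit, an added example that is not an IBM tool, parses a webseald.conf fragment (constructed here; the stanza and key names are the documented ones) and reports the settings a reviewer checks first: methods accepted over plain HTTP, a [failover] stanza with failover-auth set but no failover-cookies-keyfile, a session cookie shared between HTTP and HTTPS (use-same-session = yes, which the [session] notes say prevents the cookie from being a secure cookie), and inactive-timeout = 0.

```python
"""Audit of a webseald.conf fragment, as an added example (not WebSEAL tooling).

The parser handles '[stanza]' headings and 'key = value' lines.  The audit
reports authentication methods accepted over plain HTTP, a failover cookie
stanza without its key file, a session cookie shared across HTTP and HTTPS,
a disabled inactivity timeout and invalid switch values.
"""
import re

# Stanza -> key that enables an authentication method, from this chapter.
AUTH_SWITCHES = {
    "ba": "ba-auth",
    "forms": "forms-auth",
    "token": "token-auth",
    "http-headers": "http-headers-auth",
    "ipaddr": "ipaddr-auth",
    "failover": "failover-auth",
    "cdsso": "cdsso-auth",
    "e-community-sso": "e-community-sso-auth",
}
VALID_SWITCH_VALUES = {"http", "https", "both", "none"}
VALID_CLIENT_CERT_VALUES = {"never", "optional", "required"}


def parse_webseald_conf(text):
    """Parse '[stanza]' / 'key = value' lines into {stanza: {key: value}}.

    The last value wins when a key is repeated; blank and '#' lines are ignored.
    """
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        heading = re.fullmatch(r"\[([^\]]+)\]", line)
        if heading:
            current = heading.group(1)
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a stanza: {line!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        stanzas[current][key] = value
    return stanzas


def audit(stanzas):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    findings = []
    for stanza, key in AUTH_SWITCHES.items():
        value = stanzas.get(stanza, {}).get(key)
        if value is None:
            continue
        if value not in VALID_SWITCH_VALUES:
            findings.append(f"[{stanza}] {key} = {value}: not one of http/https/both/none")
        elif value in ("http", "both"):
            findings.append(f"[{stanza}] {key} = {value}: accepted over plain HTTP")

    cert = stanzas.get("certificate", {}).get("accept-client-certs")
    if cert is not None and cert not in VALID_CLIENT_CERT_VALUES:
        findings.append(f"[certificate] accept-client-certs = {cert}: not one of never/optional/required")

    failover = stanzas.get("failover", {})
    if failover.get("failover-auth", "none") != "none" and not failover.get("failover-cookies-keyfile"):
        findings.append("[failover] failover-auth is set but failover-cookies-keyfile is missing")

    session = stanzas.get("session", {})
    if session.get("use-same-session") == "yes":
        findings.append("[session] use-same-session = yes: one cookie serves HTTP and HTTPS, so it cannot be a secure cookie")
    if session.get("inactive-timeout") == "0":
        findings.append("[session] inactive-timeout = 0: inactivity timeout disabled")
    return findings


# Constructed sample fragment for the demonstration, not a real deployment.
SAMPLE_CONF = """\
[ba]
ba-auth = http
basic-auth-realm = Policy Director

[forms]
forms-auth = https

[session]
ssl-id-sessions = no
use-same-session = yes
timeout = 3600
inactive-timeout = 600

[failover]
failover-auth = both

[certificate]
accept-client-certs = never
"""

if __name__ == "__main__":
    for finding in audit(parse_webseald_conf(SAMPLE_CONF)):
        print(finding)
```

On the sample the audit reports four findings: ba-auth and failover-auth reachable over HTTP, the missing failover key file, and the shared session cookie. The parser rejects a `key = value` line that appears before any stanza heading, which is the usual symptom of a stanza name that was mistyped or joined onto the previous line.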
tmOO≈εtoken-cdas iⁿwMgOqµNXOΩT@íwC
¶ b UNIX WAúMg\αO@ libtokenauthn @íwC
¶ b Windows WAúMg\αO@tokenauthn DLLC
Mechanism      Shared library
               Solaris             AIX                 Windows           HP-UX
token-cdas     libtokenauthn.so    libtokenauthn.a     tokenauthn.dll    libtokenauthn.sl
w]A@íwOg+bíñHMg SecurID OqµNXΩCziHqoOΣL¼SϕO
ΩA]∩aNΩMg Policy Director ¡C
Tivoli SecureWay Policy Director WebSEAL DeveloperReferenceAHKo API Ω÷ΩTC
ziHb webseald.conf tm [authentication-mechanism] q¿ token-cdas ñAΘJ@íw¡xSwWAHKtmOO≈εC
pG
SolarisG
[authentication-mechanisms]
token-cdas = libtokenauthn.so
WindowsG
[authentication-mechanisms]
token-cdas = tokenauthn.dll
Σhu Proxy NzPolicy Director úOuhu Proxy Nz (MPA)vº⌠⌠MΦC
u Proxy Nz (SPA)vO$hDc¿AΣΣqPl°AºízL SSL HTTP v@qÑq@C
WebSEAL iN SSL HTTP OMov@qÑq@C
uhu Proxy Nz (MPA)vOAh½qshDCϕqzLuLusqH≤w (WAP)vsAohDS WAP hDC hDµ@OWDl°AAzLWDu∩qvqnDMC
∩ WebSEAL ÑAqLWDΩTOHqh½nDXC WebSEAL MPA °AOPC@OqBOC
$≤ WebSEAL MPA @gLOÑq@Aª]P@qOÑq@C]AMPA Ñq@ΩMOΦkAMqÑq@ΩM
OΦkOC
Ñq@Ω¼MOΦkMPA ≤ WebSEAL Ñq@Ω¼Pq≤WebSEAL Ñq@Ω¼OCUϕCXF MPA MqÑq@¼G
Session type       MPA-to-WebSEAL     Client-to-WebSEAL
SSL session ID     SSL session ID     -
HTTP header        HTTP header        HTTP header
BA header          BA header          BA header
IP address         IP address         -
Cookie             Cookie             Cookie
¶ qúi SSL Ñq@ ID @Ñq@Ω¼C
18. zL MPA hDiµqH
¶ íApG MPA BA Y@Ñq@Ω¼AqNuα∩ HTTP YM cookie @Ñq@Ω¼C
¶ pG MPA Ñq@Ωº HTTP Y@Ñq@ΩAqiHúP HTTP Y¼C
¶ °AS cookie u]tFÑq@ΩTFªS¡≈ΩTC
¶ pGF MPA ΣAssl-id-sessions \α≤C@δÑApG ssl-id-sessions=yesAhu SSL Ñq@ID i@ HTTPS qÑq@CYn² MPA SSL Ñq@ ID @Ñq@AB²qΣLΦk@Ñq@Ah¡εNúsbCt\86yPÑq@ ID Ω¼zC
MPA ≤ WebSEAL OΦkAPq≤ WebSEALOΦkúPCUϕCXF MPA MqOΦkG
Authentication type    MPA-to-WebSEAL    Client-to-WebSEAL
Basic authentication   BA                BA
Forms                  Forms             Forms
Token                  Token             Token
HTTP header            HTTP header       HTTP header
IP address             IP address        -
¶ íApG MPA u≥OvAqiH∩uϕµvBOH HTTP Y@OΦkC
¶ qúαM IP OΦkC
¶ @δÑAYYΘΦíwFuϕµv]O
OAΘΦíu≥Ov]\96ytm≥O≈εzCpGF MPA ΣAh¡
εúsbCoiH² MPA Huϕµv]OnJAq]ig$u≥OvAzLPΘΦín
JC
MPA Mh½qOBzy
1. WebSEAL z⌡µUCBtmG
¶ hu Proxy NzΣ
¶ Sw MPA hD Policy Director bß
¶ sW MPA bß webseal-mpa-servers s
2. qs MPA hDC
3. hDNnD૨ HTTP nDC
4. hDOqC
5. hDHqnDP WebSEAL suC
6. MPA V WebSEAL O]PqúPΦkABo MPA ¡≈]w WebSEAL bßC
7. WebSEAL τ MPA b webseal-mpa-servers sñ¿ΩµC
8. F MPA AbñSϕ MPA ¼C
÷M MPA ±HC@qnDA²ªú≤∩onDvdC
9. b WebSEAL i@BOnDC
MPA α≈w∩nJúAϕeAhqC
10. qnJABP MPA úPOΦkiµOC
11. WebSEAL qOΩC
12. qÑq@Ω¼P MPA úPC
13. uA≈cvM½≤ ACL \ivA(\ ∩ⁿO@½≤sv¡C
M MPA Owebseald.conf tm [mpa] q¿ñ mpa iMMPA OΦkC
¶ Yn MPA OΦkAΘJ “yes”C
¶ Yn MPA OΦkAΘJ “no”C
pG
[mpa]
mpa = yes
MPA bß Tivoli SecureWay Policy Director ≥zΓUH TivoliSecureWay Policy Director Web Portal Manager zΓUHKobßΩTC
sW MPA bß webseal-mpa-servers s Tivoli SecureWay Policy Director Base zΓUH TivoliSecureWay Policy Director Web Portal Manager zΓUHKozsΩTC
MPA O¡ε Policy Director ΣbC@í WebSEAL °A@MPAC
≤⌠nJMΦ
ϕzN WebSEAL Ω@ Proxy °AHKw⌠úO@Azq]MΩµ@nJDC QF≤⌠
µ@nJMΦC
DDG
¶ ytm CDSSO Oz
¶ 119ytm e-Community µ@nJz
tm CDSSO OPolicy Director u≤⌠µ@nJ (CDSSO)vúFbhw⌠ñαe≈εC CDSSO i² Web ⌡µµ@nJAbΓw⌠ºíLíaC CDSSO O≈εúnuDnO°Av]\ e-Community SSOC
CDSSO ⁿhw⌠πXAΣií⌠⌠tmC
pA@j¼°⌠⌠i]wΓHW@⌠—U⌠úΣvM½≤íC CDSSO ⁿHµ@nJb⌠ºíC
ϕ∩≤t@⌠ΩúXnDACDSSO ≈εN[K¡≈Oq@⌠αeG⌠C b
G⌠π¡≈]wb@⌠OAB
úQjε⌡µt@ nJC
5
πXq CDMF @íwb\h CDSSO ΩñAúP⌠íw]@∩@MgAiαúAXípDC
u≤⌠Mgtm (CDMF)vO@í]pFªi²zmiBzq@íwABú¡≈
MgAC
CDMF í]pi²zuq¡≈MgAHBzC
CDMF CDSSO OyHUyíOb 19C
1. ⌠≤n[Jh⌠AbDn⌠ñbßAHib[⌠ñAMgb
ß¡≈C
@lYS∩]tbßlw⌠iµ
OAhLkIs CDSSO \αC
2. zL⌠WqAúXs⌠ B ºΩnDC
]tSϕ CDSSO ϕíG
/pkmscdsso?<destination-URL>
pG
/pkmscdsso?https://www.domainB.com/index.html
3. nD²$⌠ A WebSEAL °ABzC WebSEALOOFO]tF Policy Director ¡≈]uWBe⌠ (“A”)BΣLΩTHíWOC
ΣLΩTOzLIsq CDMF @íw
(cdmf_get_usr_attributes) oCoíwiúMgñA⌠ B nCThis library has the ability to supply user attributes that can be used by domain B during the user mapping process.
WebSEAL T½ DES tΓkH cdsso_key_gen íú∩≈[KOΩC o≈Q@xsb
⌠ A ⌠ B WebSEAL °AW webseald.conf tm [cdsso-peers] q¿ñC
Ot@itmíWO (authtoken-lifetime)AΣwqORgC íWOYgAϕtmAi"ε½s⌡µ≡
C
4. ⌠ A WebSEAL °ANnD[W[KOA½s Vs²AMß⌠ B WebSEAL °A]HTTP ½s VC
5. ⌠ B WebSEAL °AΣP≈AKτΦ⌠OC
6. ⌠ B WebSEAL °AIs CDSSO O≈εíwCo CDSSO íw Is⌡µΩMgq
CDMF íw (cdmf_map_usr)C
CDMF íwN¡≈AHΣLi∩ΩT CDSSO íwC CDSSO íwΩTC
7. ⌠ B OAAMPnD½≤÷Sw ACL \ivAMwOπ\sⁿO@½≤C
M CDSSO Owebseald.conf tm [cdsso] q¿ñ cdsso-auth iM CDSSO OΦkC
¶ Yn CDSSO OΦkAΘJ “http”B“https” “both”C
¶ Yn CDSSO OΦkAΘJ “none”C
pG
[cdsso]
cdsso-auth = https
tm CDSSO O≈εcdsso tmiⁿwbíñMgOΩT@íwC
¶ b UNIX WAúMg\αO@ libcdssoauthn @íwC
19. H CDMF iµ≤⌠µ@nJ
¶ b Windows WAúMg\αO@cdssoauthn DLLC
Mechanism      Shared library
               Solaris             AIX                 Windows           HP-UX
cdsso          libcdssoauthn.so    libcdssoauthn.a     cdssoauthn.dll    libcdssoauthn.sl
ziHb cdsso ñAΘJ webseald.conf tm[authentication-mechanism] q¿ñ@íw¡xSwWC
pG
SolarisG
[authentication-mechanisms]
cdsso = libcdssoauthn.so
WindowsG
[authentication-mechanisms]
cdsso = cdssoauthn.dll
OOΩ[KWebSEAL cdsso_key_gen íú≈[Km≤OñOΩC zPC@P⌠C@í
WebSEAL °A@≈AuPBvoΓ≈C C@⌠C@íP WebSEAL °AúP≈C
: ≈MeD Policy Director CDSSO Bz@í≈C
ϕz⌡µ cdsso_key_gen íAínDzⁿw≈m]∩⌠WG
UNIX: # cdsso_key_gen <absolute-pathname>
Windows: MSDOS> cdsso_key_gen <absolute-pathname>
bC@⌠P WebSEAL °Aº webseald.conf tm [cdsso-peers] q¿ñΘJ≈mC Σµí]A
WebSEAL ≈WM≈mG
[cdsso-peers]
<webseal-machine-name> = <keyfile-location>
⌠ A tmdG
[cdsso-peers]
www.domainB.com = <pathname>/A-B.key
⌠ B tmdG
[cdsso-peers]
www.domainA.com = <pathname>/A-B.key
bWñAA-B.key Nb@í≈]p WebSEAL AWúAQΓ]Bwast@í≈]p WebSEALBC
tmOíWOOt@itmíWOAΣwq¡≈ORgC
@)íWOLAOYQ°LAεC íW
O≤U"ε½s⌡µ≡ AΦk]w@≈uAH"
εOQ!bΣRg½s⌡µC
webseald.conf tm [cdsso] q¿ñ authtoken-lifetime i]wORgCOHϕϕC w] 180G
[cdsso]
authtoken-lifetime = 180
zNPΦ⌠ºí⌠≤p"tCJqC
ϕ CDSSO HTML ∩ nw⌠WΩº HTML ]tSϕ CDSSOϕíG
/pkmscdsso?<destination-URL>
pG
/pkmscdsso?https://www.domainB.com/index.html
O@OO÷MOOútOΩT]pWMKXA²ª]
tb¼Φ⌠ⁿH⌠¡≈C ]O@O¡A
"ε!½s⌡µC
zL SSL O WebSEAL °APºíqHAiO@OK≤Q!C qs²ñOOiH
QC OWíWOu¼HOⁿGúiαbO
RgíQ½s⌡µC
MA]ΣíWOLO/M÷ⁿKX≡ C pG
[KO≈QtⁿMAN úyi
mΣvOC
HßoOiíJuΩ CDSSO ΩyvCoNLku OOPP CDSSO ⌠ WebSEAL °AC ≥≤]AH]pzO@O≈Aw≤∩C
tm e-Community µ@nJE-community µ@nJOb Policy Director ⌠ñt@≤⌠OΩ@C≤⌠OAOn²ibh⌠ñ
shí°AWΩAún½sOC
“e-community” O¿]Policy Director DNSí÷Y$úP⌠¿sCo[J⌠iHtmµ@°
@í]BaúP DNS WA@÷YµW°]p°íBIqH]zqC
bΩñATw@⌠Qⁿwulvu
v⌠Cb[J°ñAl⌠z e-community °≤C
bΓΩñA[J e-community OΩTO$l⌠@Cowie\]zDµ@IA
p e-community ñIsúⁿVl⌠C
tAziH Policy Director Web Portal Manager PΩTzvA²[J⌠itdz¡C
HU íFΓP⌠d e-communityG⌠ A(dA.com) M⌠ B (dB.com)CbdñA⌠ A NϕFl⌠C⌠ B O[⌠uv⌠C
l⌠uv — ]NOiHεOΩTC
úb≤BnDΩAí$l⌠OC
20. e-Community ¼
OíobDnO°A (MAS) — ≤l⌠ñt
mO°A]@°ACb
ñAmas.dA.com NϕF MASCMAS ⌠¡ε≤úOAC MAS Wúi²ΩC
ϕQqL MAS OßAMAS úußOvOCoOoXnDb°AC°AN
ußOvO°wqL MAS OABiH[Je-communityC
122ye-Community yzñíe-community ⌠íΩTαeC
e-Community \αM≥nD
¶ o¼iΣzL URL]sΩCP CDSSO¼A\ααSOtm pkmscdsso ]\113ytm CDSSO OzC
¶ b e-community Ω@ñA¿⌠ WebSEAL °An@PtmC
¶ [J e-community únqLl⌠ñµ@DnO°A (MAS) OC
¶ pGb MAS WSbß]p⌡≤⌠ BA²O[J⌠ A P⌠ B
e-communityAe-community bΩ@Wie\b⌠WiµuvOC
ϕbnDD MAS]²Ow[J⌠ñΩA²qL MAS OAiH∩VnDb°AiµOC
¶ MAS]Hßb⌠ñ∩ΣL°AußOvO¡≈C
¶ ⌠S Cookie ObOúußOvA°ACoie\⌠ñ°AbϕanDußOvΩTC
e-community cookies [Ke]t¡≈wΩTC
¶ w[KußOv¡≈SϕOCuß
OvOú]tuΩOΩTC@K≈
]T½ DES tΓkiHúπCO]tFO]RgHK¡εO≥íC
¶ e-community bΩ@WΣ HTTP M HTTPSC
¶ µW e-community ⌠izΣ¡≈M÷MvCziHu≤⌠Mg\α (CDMF) APIvAN⌠ñAMg⌠ñC
pG e-community ⌠@s¡≈ANúnMg\αC
¶ e-community tmO]w≤¿ WebSEAL °Awebseald.conf ñC
e-Community ye-community O$DnO WebSEAL °A (MAS) M≤l⌠⌠ñΣL WebSEAL °A¿C MAS iHO WebSEAL °Aµ@ΩAOtⁿ¡IßWebSEAL ]tⁿ¡¡≈O MASC
[JM WebSEAL °Atml⌠MASA@lqOºCoOl⌠ñ°AnDABO⌠ñ°A∩DCpA⌠ñ
í≈°AiHtmBz¡OCú°AOb
e-community ¿⌠ñAo°AMO@ΩíiW≤e-community ºB@C
e-community bΩ@WOußOvtCb ípUAbV WebSEAL °AnDΩÑq@AWebSEAL úHKoOΩTCb
e-community tmñAWebSEAL °AOußOv°AABVOußOv°AnDτC
ußOv°AΩTCw∩
@ nDAußOv°ATw MASC MAS ≥@l⌠ΩußOv°ACϕ≥nD e-community ñΩAC@⌠ñW°AiHµw∩
] MAS ¡≈ΩTABß⌠¡b⌠ΩußOv°AñΓC
ußOv°AnDτHußOvOíiµC
ußOv°AOAMßNOnD WebSEAL °ACOñ¡≈ΩTQ[KCO]tFRg
¡εC
b¼ußOvOAoXnD°A
HÑq@CbNiH@δvε
snDΩCNiHú½sO — e-community ¼º@C
bzϕΣLí e-community yAHU CyíΓiαu@ vsíp]1 M2CΣßΓiαuU@ vsíp]3 M 4FoΓíp≥b 2 3 ºßCuíp 5vhoblsß⌠≤íC
ußOv°A
¶ MAS Twb@ ns e-community ⌠≤íAiµOC
MAS u⌡µO°A⌠AúΩúCMAS úbtmDnO°APAQß:O@Ωu@COnMαqAúOw≥n
DC
¶ MAS Twl⌠ußOv°A]dñ⌠AC
¶ ⌠S e-community cookie OOSw⌠ñAΣL°AußOv°ACußOv°AO⌠ñ
@íV MAS nDußOvO°ACußOv°Ai⌠ñúußOvΩTCSw⌠ñ
ußOvAß≥nDiH$°ABzAú
ns⌠ MASCbl⌠ñAe-community cookie N MAS °ußOv°AC
21. e-Community y
(1) @ e-Community sGWebSEAL 1]⌠ A
¶ nDⁿ WebSEAL 1 O@Ω]P MAS B≤P⌠Cs²S⌠ e-community cookieCWebSEAL 1 ñSC
¶ WebSEAL 1 tmwF e-community OABⁿwFMAS mC WebSEAL 1 Ns²½s V MAS WSϕußOvURLC
¶ MAS ⁿußOvnDA²OΣúOAMßúnJC
¶ b¿\nJßAMAS FAHYNxsñAMßNπ[KußOvOs²½s V
b WebSEAL 1 WQúXnD URLCA⌠ AS e-community cookie wQ±bs²ñAHKO⌠ußOv°A]b¼pñ MASC
pGnJóAMAS ⁿó¼AußOvOCOcP¿\¼AußOvOϕⁿCo
XnD°AoXó¼AOANpP
OóC
¶ WebSEAL 1 OKAB¡C
: bP⌠ñún¡≈MgCpGn¡≈MgAWebSEAL 1 u≤⌠Mgtm (CDMF)vC
¶ vAíⁿ nDC
(2) @ e-Community sGWebSEAL 3]⌠ B
¶ nDⁿ WebSEAL 3 O@Ω]⌠ BCs²S⌠ e-community cookieC WebSEAL 3 ñSC
¶ WebSEAL 3 tmwF e-community OABⁿwFMAS mC WebSEAL 3 Ns²½s V MAS WSϕußOvURLC
¶ MAS ⁿußOvnDA²OΣúOAMßúnJC
¶ b¿\nJßAMAS FAHYNxsñAMßNπ[KußOvOs²½s V
b WebSEAL 3 WQúXnD URLCA⌠ AS e-community cookie wQ±bs²ñAHKO⌠ußOv°A]b¼pñ MASC
pGnJóAMAS ⁿó¼AußOvOCOcP¿\¼AußOvOϕⁿCo
XnD°AoXó¼AOANpP
OóC
¶ WebSEAL 3 OKAB¡C
¶ WebSEAL 3 bs²ñB]wG e-communitycookie]∩⌠ B AHKN WebSEAL 3 O⌠B ußOv°AC
¶ vAíⁿ nDC
(3) U@ e-Community sGWebSEAL 2]⌠ A
¶ nDⁿ WebSEAL 2 O@Ω]P MAS B≤P⌠C s²]tF⌠ A e-community cookieABO MAS ußOv°AC WebSEAL 2 ⁿcookieCWebSEAL 2 ñSC
¶ WebSEAL 2 tmwF e-community OABⁿwFMAS mC ⌠ A e-community cookie sbAm½WebSEAL 2 w∩ MAS mtmC cookie V WebSEAL2 úFußOv°A¡≈C]pG²oFíp 2Ah]bs²ñOd⌠ B cookieAúe⌠ A°AC
¶ WebSEAL 2 Ns²½s V cookie O⌠ AußOv°AºSOußOvURL]] WebSEAL 2 Ob⌠ AAGb¼pñ MASC
¶ MAS ¼ußOvnDABbñΣX]oOobíp 1 M 2C
¶ MAS Nπ[KußOvOs²A½s VbWebSEAL 2 WQúXnD URLC
¶ WebSEAL 2 OKAB¡C
¶ vAíⁿ nDC
(4) U@ e-Community sGWebSEAL 4]⌠ B
¶ nDⁿ WebSEAL 4 O@Ω]⌠ BC pG²oFíp 2As²]t⌠ B e-communitycookieABO WebSEAL 3 ußOv°AC WebSEAL4 ñSC
¶ WebSEAL 4 tmwF e-community OABⁿwFMAS mC ⌠ B e-community cookie sbAm½WebSEAL 4 w∩ MAS mtmC cookie V WebSEAL4 úFußOv°A¡≈C ]pG²oFíp 1Ahubs²ñOd⌠ A cookieAúe⌠ B°ACtttm M A S CMß
WebSEAL 4 ¿⌠ B ußOv°AC
¶ pGíp 2 ²oAWebSEAL 4 Ns²½s V⌠B cookie OAb⌠ BußOv°AWSϕußOvURL]b¼pñ WebSEAL 3C
¶ WebSEAL 3 ¼ußOvnDABbñΣX]oOobíp 2C
¶ WebSEAL 3 Nπ[KußOvOs²A½s Vb WebSEAL 4 WQúXnD URLC
¶ WebSEAL 4 OKABb°A¡C
¶ vAíⁿ nDC
(5) ΣL e-Community sGWebSEAL 2]⌠ A
¶ zLnDs WebSEAL 2]⌠ ACpGoFíp 3AWebSEAL 2 ñC
¶ vAíⁿ nDC
q e-Community nX
¶ pG÷¼s²nXA SSL Ñq@Me-community cookies NQMúC
¶ pGzL /pkmslogout nXA∩≤⌠ SSLÑq@M e-community cookie NQMúC
F e-Community Cookie¶ e-community cookie O$@í WebSEAL °A]w⌠S cookieFªxsbs²OΘñABbß≥nDñeΣL WebSEAL °A]bP⌠ñC
¶ ⌠S cookie ]tFußOv°AWBe-community¡≈BußOv°AM\αm (URL)AHRgC cookie ñSΩTC
¶ e-community cookie i² ⌠ñ°AbϕanDußOvΩTC MAS b⌠ e-community cookie OΩt nñΓC
¶ cookie ñπRg]OO]w≤ webseald.conftmCRgiⁿw°Anßh[íA
)αúußOvΩTCϕ cookie RgA½s V MAS HKoOC
¶ ϕs²÷¼AOΘñ cookie QMúCpGnXFSw⌠Ae-community cookie Q∩g,C@iaNªqs²ñúC
FußOvnDMe-communityußOv@nzLΓSOc URL sM\αGußOvnDMußOvCo URL O
webseald.conf ñtmΩTAbiµ e-communityußOvHTTP ½s VcC
ußOvnD
ϕV°AnDΩ]w∩ e-community tmA°ASΩTAN oußOvnDC
°AN HTTP ½s VTußOv°A]MAS e-community cookie ñⁿw°AC
ußOvnD]tFHUΩTG
https://<vouch-for-server>/pkmsvouchfor?<ecommunity-name>&<target-URL>
¼°Ad ecommunity-name HKτ e-community ¡C¼°AbußOvñ target-URLANs²½s VQúXnDC
ziHtm pkmsvouchforußOvURLC
pG
https://mas.dA.com/pkmsvouchfor?companyABC&https://ws5.dB.com/index.html
ußOv
ußOvOⁿußOv°A∩°AC
ußOv]tFHUΩTG
https://<target-URL>?PD-VFHOST=<vouch-for-server>&PD-VF=<encrypted-token>
PD-VFHOST iO⌡µußOv@°AC¼]°AΩT∩ußOvO (PD-VF) K T≈C PD-VF NϕF[KußOvOC
pG
https://w5.dB.com/index.html?PD-VFHOST=mas.dA.com&PD-VF=3qhe9fjkp...ge56wgb
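The two URL shapes above, the vouch-for request and the vouch-for reply, as an added example that is not WebSEAL code. It builds and parses both forms, treats the PD-VF token as an opaque string, and shows the check a receiving server performs before it trusts a reply: PD-VFHOST must belong to a domain that has an entry in [inter-domain-keys], otherwise there is no key to decrypt the token with and the reply is rejected. The suffix match from host name to domain entry is this example's assumption about how that lookup is done, not a description of the product's internal logic; the host names follow the manual's dA.com and dB.com examples.

```python
"""e-community vouch-for URLs, as an added worked example (not WebSEAL code).

URL shapes from the manual:
  request: https://<vouch-for-server>/pkmsvouchfor?<ecommunity-name>&<target-URL>
  reply:   https://<target-URL>?PD-VFHOST=<vouch-for-server>&PD-VF=<encrypted-token>

The token stays opaque here.  Mapping PD-VFHOST to an [inter-domain-keys]
entry by dot-suffix is this example's assumption.
"""
from urllib.parse import parse_qs, urlsplit


def build_vouch_for_request(vf_server, ecommunity_name, target_url,
                            vf_url="/pkmsvouchfor", scheme="https"):
    """Compose the redirect that sends a browser to the vouch-for server."""
    if "&" in ecommunity_name:
        raise ValueError("e-community name must not contain '&'")
    return f"{scheme}://{vf_server}{vf_url}?{ecommunity_name}&{target_url}"


def parse_vouch_for_request(url, vf_url="/pkmsvouchfor"):
    """Split a vouch-for request into server, e-community name and target URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.path != vf_url:
        raise ValueError("not a vouch-for request URL")
    # The first '&' separates the name from the target; the target may itself
    # contain '&', so partition on the first occurrence only.
    name, sep, target = parts.query.partition("&")
    if parts.fragment:
        target += "#" + parts.fragment
    if not sep or not name or not target.startswith(("http://", "https://")):
        raise ValueError("query must be <ecommunity-name>&<target-URL>")
    return {"vf_server": parts.netloc, "ecommunity": name, "target": target}


def parse_vouch_for_reply(url):
    """Extract target URL, PD-VFHOST and PD-VF from a vouch-for reply."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    missing = [p for p in ("PD-VFHOST", "PD-VF") if p not in params]
    if missing:
        raise ValueError("vouch-for reply lacks " + ", ".join(missing))
    return {
        "target": f"{parts.scheme}://{parts.netloc}{parts.path}",
        "vf_host": params["PD-VFHOST"][0],
        "token": params["PD-VF"][0],
    }


def select_inter_domain_key(vf_host, inter_domain_keys):
    """Map PD-VFHOST to a key file through the [inter-domain-keys] entries.

    Assumption: a host belongs to the configured domain that is a dot-suffix
    of its name.  Returns None when no entry covers the host, meaning the
    reply must be rejected rather than decrypted with a guessed key.
    """
    host = vf_host.lower().rstrip(".")
    for domain, key_file in inter_domain_keys.items():
        d = domain.lower().rstrip(".")
        if host == d or host.endswith("." + d):
            return key_file
    return None


def accept_vouch_for_reply(url, inter_domain_keys):
    """Parse a reply and return (reply, key_file); ValueError if PD-VFHOST is untrusted."""
    reply = parse_vouch_for_reply(url)
    key_file = select_inter_domain_key(reply["vf_host"], inter_domain_keys)
    if key_file is None:
        raise ValueError(f"no inter-domain key configured for {reply['vf_host']}")
    return reply, key_file


if __name__ == "__main__":
    # Constructed values following the manual's example hosts.
    req = build_vouch_for_request("mas.dA.com", "companyABC", "https://ws5.dB.com/index.html")
    print(req)
    print(parse_vouch_for_request(req))
    keys = {"dA.com": "/efg/hij/key.fileB"}
    print(accept_vouch_for_reply(
        "https://ws5.dB.com/index.html?PD-VFHOST=mas.dA.com&PD-VF=3qhe9fjkp...ge56wgb", keys))
```

The receiving side deliberately returns None instead of falling back to some default key: a reply whose PD-VFHOST names a server outside every configured domain should be treated as untrusted, exactly as a server in domain B with no dA.com entry cannot participate in vouch-for with the MAS.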
FußOvOFF≤⌠µ@nJAí¡≈ΩTb°A
íΘCoPΩTzL½s VBzF½s V]
t[K URL @í¡≈ΩTCo[KΩußOv
OC
¶ O]tFußOv¿\ó¼AB¡≈
]bßO¿\BO°AπWB
e-community ¡AHíC
¶ ußOvOiHOb°AW
Ñq@]HAúngL°AOC
¶ O@T½ DES tΓkK≈[KA]iHτΣTΩC
¶ [KOΩTúxsbs²ñC
¶ Oue@ C¼°AΩTbñ
CϕbPÑq@ñ@Xß≥
nDA°ANoC
¶ OñπRg]OO]w≤ webseald.conftmCiHOu]ϕHKε+ re-play ≡ IC
ußOvO[KWebSEAL cdsso_key_gen íú≈[Km≤OñOΩC zPC@P⌠C@í
WebSEAL °A@≈AuPBvoΓ≈C C@⌠C@íP WebSEAL °AúP≈C
: ≈MeD Policy Director e-community Bz@í≈C zµwaN≈s °A
C
ϕz⌡µ cdsso_key_gen íAínDzⁿw≈m]∩⌠WG
UNIX: # cdsso_key_gen <absolute-pathname>
Windows: MSDOS> cdsso_key_gen <absolute-pathname>
O@OwAHKbP⌠]l⌠M⌠
°Aíeº≈mAiΘJ≤ webseald.conf tm[e-community-sso] q¿ñ intra-domain-key C
[e-community-sso]
intra-domain-key = <absolute-pathname>
O@OwAHKb MAS M⌠°Aíe≈mAiΘJ≤ [inter-domain-keys] q¿CΣLP MAS bP⌠ñ°Aún inter-domain-keysC MAS O@nP⌠°AqH°AC
[inter-domain-keys]
<domain-name> = <absolute-pathname>
<domain-name> = <absolute-pathname>
tm e-Community\Ω@ e-community ntmCoOb webseald.conf ñCzJtm e-community ñ °AWC
e-community-sso-auth
i e-community OCΣ]tF “http”B“https”B“both” “none”CpG
[e-community-sso]
e-community-sso-auth = both
“http”B“https” M “both” ÑiHⁿw≤ e-community ¿qH¼C “none” i°AW e-communityCw]]w “none”C
master-http-port
pG e-community-sso-auth F HTTP e-community OADnO°AOb HTTP ≡]≡ 80H≡¼HTTP nDAmaster-http-port iOH≡CpG°ADnO°AAhñCw]A
wC
[e-community-sso]
master-http-port = <port-number>
master-https-port
pG e-community-sso-auth F HTTPS e-community OADnO°AOb HTTPS ≡]≡ 443H≡¼HTTP nDAmaster-https-port iOH≡C pG°ADnO°AAhñC w]A
wC
[e-community-sso]
master-https-port = <port-number>
e-community-name
iO¿⌠ñ °A e-community XWCpG
[e-community-sso]
e-community-name = companyABC
b e-community ñ⌠ñA WebSEAL °AⁿwP e-community-name C
intra-domain-key
iOO[KMKAHKb°A⌠íµ
½≈mCpG
[e-community-sso]
intra-domain-key = /abc/xyz/key.file
zb@mú≈AMßµ]BwaN
s⌠ñAΣL WebSEAL °AWⁿwmC
is-master-authn-server
iO°AO MASCΣ]A “yes” “no”CpG
[e-community-sso]
is-master-authn-server = yes
hí WebSEAL iHtmDnO°AAMßm≤tⁿ¡ºßCbípñAtⁿ¡Q e-community ñΣLWebSEAL °AAO MASC
master-authn-server
pG is-master-authn-server ]w “no”Az°úABⁿwªCiO MAS π⌠WCpG
[e-community-sso]
master-authn-server = mas.dA.com
vf-token-lifetime
]wFußOvORgO]ϕC
cookie WíWOiµdCw] 180 ϕCzN °Aíí"tCJqCpG
[e-community-sso]
vf-token-lifetime = 180
vf-url
ⁿwußOvURLCHu (/) YCw]/pkmsvouchforCpG
[e-community-sso]
vf-url = /pkmsvouchfor
z]iHϕ URLG
vf-url = /ecommA/pkmsvouchfor
ec-cookie-lifetime
OF e-community ⌠ cookie °Rg]Cw] 300 CpG
[e-community-sso]
ec-cookie-lifetime = 300
Inter Domain Keys
MAS M⌠ °AíOA[KMK≈mOⁿw≤ [inter-domain-keys] q¿ñCzⁿw°Aπ⌠WH≈m∩⌠WC
HUdúF MAS]⌠ A≈PΓ⌠qHG
[inter-domain-keys]
dB.com = /abc/xyz/key.fileB
dC.com = /abc/xyz/key.fileC
bdñAkey.fileB ⁿwF⌠ A M⌠ B ºí≈C key.fileC ⁿwF⌠ A M⌠ C ºí≈C
°An MAS T≈CYnM MAS]⌠ Aµ½OA⌠ B ñ°Aúnkey.fileB C
[inter-domain-keys]
dA.com = /efg/hij/key.fileB
YnM MAS]⌠ Aµ½OA⌠ C ñ°Aún key.fileC C
[inter-domain-keys]
dA.com = /efg/hij/key.fileC
tm CDSSO O≈εe-community tmn cdsso O≈εCϕúXnD°AAußOvOñ¡≈ΩTAN
n≈εC cdsso tmiⁿwg+bíñMgOΩT@íwC
¶ b UNIX WAúMg\αO@ libcdssoauthn @íwC
¶ b Windows WAúMg\αO@cdssoauthn DLLC
Mechanism      Shared library
               Solaris             AIX                 Windows           HP-UX
cdsso          libcdssoauthn.so    libcdssoauthn.a     cdssoauthn.dll    libcdssoauthn.sl
ziHb cdsso ñAΘJ webseald.conf tm[authentication-mechanism] q¿ñ@íw¡xSwWAHtm CDSSO O≈εC
pG
SolarisG
[authentication-mechanisms]
cdsso = libcdssoauthn.so
WindowsG
[authentication-mechanisms]
cdsso = cdssoauthn.dll
WebSEAL X
WebSEAL °APß Web í°AºísuSWebSEAL XOXC WebSEAL XOe WebSEAL °APß Web í°Aºí TCP/IP suC Xi
² WebSEAL O@≤ß°AW Web ΩC
zi pdadmin ⁿOµí Web Portal Manager WebSEAL XC í\h≤tm WebSEAL Xº∩ΩTC
DDG
¶ 138yWebSEAL Xº[z
¶ 140yypdadmin server taskzXz
¶ 141ytm≥ WebSEAL Xz
¶ 144y¼O SSL Xz
¶ 148y TCP M SSL Proxy Xz
¶ 149yWebSEAL zL SSL WebSEAL Xz
¶ 150yΣLX∩z
¶ 167y WebSEAL XNNGz
¶ 170y∩≤Ot°A query_contentsz
6
WebSEAL Xº[ziUC WebSEAL X¼G
¶ WebSEAL zL TCP suXß°A
¶ WebSEAL zL SSL suXß°A
¶ WebSEAL g$ HTTP PROXY °ABzL TCP suXß°A
¶ WebSEAL g$ HTTPS PROXY °ABzL SSL suXß°A
¶ WebSEAL zL SSL suX WebSEAL
b⌠≤XAzUUCΓqG
1. Mwb WebSEAL ½≤íñ≤BX]ⁿWeb í°AC
2. ∩XI¼C
XΩwmMµíWebSEAL XΩTOxsb XML µíΩwñCXΩw²mOwqb webseald.conf tm [junction] q¿ñC²O∩≤ WebSEAL °A²][server] q¿ñ server-root G
[junction]
junction-db = jct
¶ C@XúOH .xml WwqbµWñC
¶ pdadmin íMzXH∩C
¶ XML µíi²zΓBsΦBsM≈XC
MwqWsεGJ
1. pdadmin í Web Portal Manager WebSEAL Mß°AºíXC
2. NAϕ ACL hm≤XIWAiú∩ß°AwqWεC
MwqδsεGJ
1. pdadmin í Web Portal Manager WebSEAL Mß°AºíXC
WebSEAL Lku vA≤OttC z@ query_contents SϕíqWebSEAL ÷≤Ot½≤íAíiMI≤OtWeb íA∩ WebSEAL °icMeC
2. N query_contents ís≤Ot°AC
3. N ACL hM@½≤íñAϕ½≤C
WebSEAL XIⁿUCⁿJXuWhvG
¶ zibDn WebSEAL ½≤í⌠≤msWX
¶ zibP@ⁿIWXhí°A
bP@XWⁿhí°Aº¼P
—TCP SSL
¶ qLX≤Ot°Aúu ACL h
¶ XIúiP WebSEAL °A Web íñ⌠≤²C pApG WebSEAL π /path/..., íΩAh3W /path XIC
¶ pGß°A HTML ]t∩²º°A∩URL í]p JavaScript appletAhXIúiPß°A Web íñ⌠≤²C pApGß°A]tí /path/... º URL íAúnW /path XIC
WebSEAL Σ HTTP 1.0 qLXWebSEAL Σ HTTP 1.0 qLXC o¡εiαvTαπHGp≤ßX°AWºíoC
Connection                                   Protocol supported       RFC
Front end (client to WebSEAL)                HTTP/1.0 and HTTP/1.1    RFC 2068
Back end (WebSEAL to junctioned server)      HTTP/1.0 only            RFC 1945

Note: the front-end connection does not support the HTTP/1.0 "Keep-Alive" header; HTTP/1.1 persistent connections are supported.
WebSEAL X[í\8yA WebSEAL Xzñ÷ WebSEAL Xºº[C
\229yWebSEAL XzHKoXⁿO∩πΩTC
ypdadmin server taskzXb pdadmin ºeAzH sec_master znJw⌠C
pG
UNIXG
# pdadmin
pdadmin> login
ΘJ IDGsec_master
ΘJKXG
pdadmin>
WindowsG
MSDOS> pdadmin
pdadmin> login
ΘJ IDGsec_master
ΘJKXG
pdadmin>
Yn WebSEAL XA pdadmin server task ⁿOG
pdadmin> server task <server-name> <task>
server-name OⁿΩ≈WπϕíAHⁿO Policy Director $≤]p WebSEALC
<policy-director-component>-<machine-name>
íApG≈WO cruz Policy Director $≤WebSEALAh server-name G
webseald-cruz
server list ⁿOτ server-name ϕíG
pdadmin> server list
webseald-cruz
tm≥ WebSEAL XWebSEAL Σ WebSEAL Pß Web í°Aºí TCP]HTTPMw SSL]HTTPSXC
WebSEAL Pß°AºíXPqP WebSEAL ºísu¼]Σwh L÷C
pdadmin ≥ WebSEAL XnⁿO∩]AG
¶ Host name of the back-end server (-h option)
¶ Junction type: tcp, ssl, tcpproxy, sslproxy or local (-t option)
¶ Junction (mount) point
pdadmin> server task <server-name> create -t <type> -h <host-name> <jct-point>
pG
pdadmin> server task webseald-cruz create -t tcp -h doc.tivoli.com /pubs
TCP ¼XzL TCP su WebSEAL XúX≥eA²úúqLXwqHC
Ynw TCP XBsWl°AA create ⁿOH –t tcp ∩G
pdadmin> server task <server-name> create -t tcp -h <host-name> [-p <port>] <jct-point>
TCP Xw]≡]Yⁿw 80C
SSL ¼XSSL X\αpP TCP XA²Σ [ GWebSEALPß°AºíqHúQ[KC
22. Dw TCP (HTTP) X
SSL Xúw∩Bs²∩íºFziSSL Oqq WebSEAL Hq WebSEAL ß°AqHC ϕz SSL XAß°Aw
HTTPSC
Ynw SSL XBsWl°AA create ⁿOH –t ssl ∩G
pdadmin> server task <server-name> create -t ssl -h <host-name> [-p <port>] <jct-point>
SSL Xw]≡]Yⁿw 443C
τß°AϕqúX∩ß°AWºΩnDAWebSEAL]ß⌠w°AñΓYNϕq⌡µnDC SSL qH≤wⁿwGb∩ß°AúXFnDA°AzL°A
úΣ¡≈C
ϕ WebSEAL qß°A¼o≈AªτΣTΩAΣτΦkH±∩xsbΣΩwñ root CAMµC
23. w SSL (HTTPS) X
Policy Director SSL IBM Global Security Kit (GSKit) IµC z GSKit iKeyman ísWNß°Ap WebSEAL ≈]pdsvr.kdbº CA rootC
÷z≈ΩwπΩTA\237yiKeyman zzC
SSL XdzL SSLA/sales XI sales.tivoli.com XD≈G
pdadmin> server task <server-name> create -t ssl -h sales.tivoli.com /sales
: bWñA–t ssl ∩ⁿww]≡ 443C
zL S S LAbXI /travel ≡ 4443 WXD≈
travel_svrG
pdadmin> server task <server-name> create -t ssl -p 4443 -h travel_svr /travel
¼O SSL XWebSEAL Σ WebSEAL °APß°AzL SSL X]–t ssl –t sslproxy¼OCUCnIJzL SSL ¼OΣ\α]bAϕmCXⁿO∩G
1. WebSEAL Oß°A] SSL Bz
¶ WebSEAL τß°A°AF\145yWebSEAL τß°AzC
¶ WebSEAL τt≤uOW (DN)v]–D]DnA²ÑOiµF\145yOW (DN) ±∩zC
2. ß°AO WebSEAL]ΓΦk
¶ ß°Aτ WebSEAL]–KqF\146yHqiµ WebSEAL OzC
¶ ß°Aτu≥O (BA)vY]–BB–UB–Wñ WebSEAL ¡≈ΩTF\146yH BA Yiµ WebSEAL OzC
εzL SSL ¼OⁿO∩úUC\αG
¶ ziⁿwq BA OΦkC
¶ zi÷CXv MOΦkC
X –b ∩]Bz BA ΩTPzL SSL ¼OSϕNAí≤147yBzqLXq¡≈ΩTz
WebSEAL τß°AWebSEAL SSL qH≤wτß°AC ß°AeΣ°A WebSEALC WebSEAL ±∩@≈w²wq rootu≈c (CA)vMµAτ°AC
í°AºH⌠]pΦ CAA]A rootu≈c (CA)vt≤ WebSEAL b≈ΩwC
zi iKeyman íz root CA ΩwC \237y iKeyman zzC
OW (DN) ±∩zizLuOW (DN)v±∩Wj°AτC Yn°A DN ±∩Azb SSL X°AAⁿwß°A DNC ÷M DN ±∩O@∩tmAúLÑOzPzL SSL X¼OftIµo\αC
b°AτíANt≤ DN PXwqDN ±C pGΓ DN úA∩ß°AsuYóC
Yn°A DN ±∩Ab –D “<DN>” ∩ SSLXAⁿwß°A DNCYnOdrΩñ⌠≤µAHAϕ DN rΩC pG
-D "/C=US/O=Tivoli/OU=SecureWay/CN=Policy Director"
–D ∩AXP –K –B ∩@C
Hqiµ WebSEAL O –K ∩Ai WebSEAL zLq∩Xß°AOC
-K "<key-label>"
Ω°≤]AG
¶ wNß°A]wn WebSEAL º¡≈τ]qC
¶ wN WebSEAL tm]webseald.confSwqA∩ß°A (ssl-keyfile-label) OC
¶ ]ÑOzw∩ DN ±∩]–DtmXC
–K ∩ⁿwnº≈]xs≤ GSKit ≈ΩwC iKeyman íisW≈ΩwC webseald.conf tmñ ssl-keyfile-label itm≈C
≈HAϕC pG
-K "cert1_Tiv"
\40ytm WebSEAL ≈ΩwzC
H BA Yiµ WebSEAL O –B –U “<username>” –W “<password>” ∩WebSEAL zLu≥OviµOC
-B -U "<username>" -W "<password>"
Ω°≤]AG
¶ wNß°A]wn WebSEAL º¡≈τ]BA YC
¶ 3H⌠≤ –b ∩tmXC ]úLA–B ∩bí–b filterC
¶ wN WebSEAL tmb BA YñΣ¡≈ΩTAH∩ß°AOC
¶ ÑOz]w∩ DN ±∩]–DtmXC
username M password HAϕC pG
-U "WS1" -W "abCde"
BzqLXq¡≈ΩTziNX]wb BA Yñⁿwq¡≈ΩTC –b ∩ⁿUC.iαG filterBsupplyBignoreBgsoC 177yw∩µ@nJMΦtm BA Yz ñú÷≤oΩTC
–b ∩vT¼OX]wA]zq T∩XC
-b supply
¶ o∩úⁿzL BA Y WebSEAL OC∩ BA Y@²qWMuΩvKXC
¶ o∩ⁿzLq WebSEAL OC
-b ignore
¶ o∩úⁿzL BA Y WebSEAL OC∩ BA Y@²qWMKXC
¶ o∩ⁿzLq WebSEAL OC
-b gso
¶ o∩úⁿzL BA Y WebSEAL OCo∩ BA Ys± GSO °AúWMKXC
¶ o∩ⁿzLq WebSEAL OC
-b filter
¶ ϕ WebSEAL OQ] BA YΩTAbí –b filter ∩C
bß≥ HTTP ºñú WebSEAL BA YCNß°A AWebSEAL ú@nJC
¶ o∩ⁿzLq WebSEAL OC
¶ pGß°AnΩq¡≈]s²Ah
i CGI HTTP_IV_USERBHTTP_IV_GROUP MHTTP_IV_CREDSCY Script M servletA∩P o l i c y D i r e c t o r S H T T P YG
iv-userBiv-groupsBiv-credsC
TCP M SSL Proxy Xzii²qHMX HTTP HTTPS PROXY °Aº⌠⌠ WebSEAL XC zitmXBznDA@ TCP qHⁿO@ SSL qHC
create ⁿOnUCΣñ@ type ∩AHzLPROXY °A TCP í SSL íXG
¶ -t tcpproxy
¶ -t sslproxy
create M add ⁿOúnUC∩M)αO PROXY °A Web °AG
-H <host-name>   DNS host name or IP address of the proxy server.
-P <port>        TCP port of the proxy server.
-h <host-name>   DNS host name or IP address of the target Web server.
-p <port>        TCP port of the target Web server. Defaults to 80 for TCP junctions and to 443 for SSL junctions.
TCP proxy Xd]ΘJ≤@µG
pdadmin> server task <server-name> create -t tcpproxy -H clipper -P 8081 -h www.ibm.com -p 80 /ibm
SSL proxy Xd]ΘJ≤@µG
pdadmin> server task <server-name> create -t sslproxy -H clipper -P 8081 -h www.ibm.com -p 443 /ibm
WebSEAL zL SSL WebSEAL XPolicy Director Σe WebSEAL °APß WebSEAL °Aºí SSL XC –C ∩P create ⁿOAizLSSL XΓí WebSEAL °AAú¼OC
dG
24. Proxy Xd
pdadmin> server task <server-name> create -t ssl -C -h serverA /jctA
bUCΓÑqño¼OG
¶ SSL qH≤wi²ß WebSEAL °AzLΣ°AA∩e WebSEAL °AOC
¶ –C ∩i²e WebSEAL °Abu≥O (BA)vYñΣ¡≈ΩTß WebSEAL °AC
A–C ∩ –c ∩\αi²zN Policy Director Sq¡≈Ms¿ΩTA±Jw∩ß WebSEAL °AºnD HTTP YC Y]A iv-userBiv-groups Miv-credsC \152yb HTTP Yñúq¡≈(–c)zC
UC°≤A≤ WebSEAL ∩ WebSEAL XG
¶ XA≤ –t ssl –t sslproxy X¼C
¶ Γí WebSEAL °Aú@@P LDAP DCE n²C oi²ß WebSEAL °AOe WebSEAL °A¡≈ΩTC
ΣLX∩ziHB∩AúUCB WebSEAL X\αG
¶ 151yjεsX (–f)z
¶ 152yb HTTP Yñúq¡≈ (–c)z
¶ 154yb HTTP Yñúq IP (–r)z
¶ 154yNÑq@ Cookie eXJf°A (–k)z
¶ 155yΣújpg URL (–i)z
¶ 156yBz Script Mqí URL(–j)z
¶ 160yHXMgBz°A∩ URLz
¶ 162y¼AXΣ (–s, –u)z
¶ 163y∩¼AXⁿwß°A UUID (–u)z
¶ 166yX Windows t (–w)z
jε sX (–f)ϕznjεsX∩gXAz –f ∩C
HUd]°AW websealAíFG
1. nJ pdadminG
# pdadmin
pdadmin> login
ΘJ IDGsec_master
ΘJKXG
pdadmin>
2. server task list ⁿOπeµXIG
pdadmin> server task websealA list
/
3. server task show ⁿOπXΩTG
pdadmin> server task websealA show /
XG /
¼G
Xw¡εG0 - s
Xn¡εG0 - s
@ñu@⌡µⁿG0
²G/opt/pdweb/www/docs
4. sXHK≤½µXI]z -f ∩jεsXAHK∩gXG
pdadmin> server task websealA create -t local -f -d /tmp/docs /
Xw≤ /
5. CsXIG
pdadmin> server task websealA list
/
6. πXG
pdadmin> server task websealA show /
XG /
¼G
Xw¡εG0 - s
Xn¡εG0 - s
@ñu@⌡µⁿG0
²G/tmp/docs
b HTTP Yñúq¡≈ (–c)–c ∩i²zN Policy Director Sq¡≈Ms¿ΩTAíJw∩X≤Ot°AºnD HTTP YC PolicyDirector HTTP YΩTi²X≤Ot°AWíq Policy Director ¡≈⌡µSw@C
ß°AN HTTP YΩT૨⌠µíAß°AWAíC YΩT૨ CGI ⌠µíΦkAOHu (_) N°e (-)AN “HTTP” K rΩYC HTTP YY¿s⌠C
Policy Director header   CGI variable      Description
iv-user                  HTTP_IV_USER      Short name of the user. Defaults to "Unauthenticated" if the user is not authenticated.
iv-groups                HTTP_IV_GROUPS    List of the user's groups, comma separated.
iv-creds                 HTTP_IV_CREDS     Encoded opaque data structure representing the Policy Director credential. It is not interpreted by the server, but it can be passed to Authorization API calls. See Tivoli SecureWay Policy Director Authorization ADK Developer Reference.
P o l i c y D i r e c t o r S H T T P YpP⌠
HTTP_IV_USERBHTTP_IV_GROUPS M HTTP_IV_CREDS i
CGI íCpGOΣLttmúA\úíσ≤Ao÷q HTTP nDñYⁿC
–c yk–c ∩ⁿwneßí°A Policy Director S HTTP YΩC
-c <header-types>
header-types ]tFGallB iv_userBiv_user_lBiv_groups Miv_credsC
Type         Description
iv_user      Places the short name (user name) in the iv-user field of the request HTTP header.
iv_user_l    Places the DN (long name) in the iv-user field of the request HTTP header.
iv_groups    Places the group list in the iv-groups field of the request HTTP header.
iv_creds     Places the credential information in the iv-creds field of the request HTTP header.
: iv_user iv_user_lA²OúnPC
–c all ∩NT¼¡≈ΩTíJ HTTP Y]dñOuWµí (iv_user )C
: ¡HrIjhC únΘJ⌠≤µC
dG
-c all
-c iv_creds
-c iv_user,iv_groups
-c iv_user_l,iv_groups,iv_creds
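As an added illustration (not code from this manual or from WebSEAL), the Python below builds the iv-* headers WebSEAL inserts for a given -c option and shows how a CGI program behind the junction reads them back as HTTP_IV_* variables. The credential dictionary and its opaque iv-creds string are constructed, and treating a missing DN like a missing user name ("Unauthenticated") is an assumption.

```python
from typing import Dict, List

# Values accepted by the -c option, as listed in this section.
HEADER_TYPES = ("all", "iv_user", "iv_user_l", "iv_groups", "iv_creds")
UNAUTHENTICATED = "Unauthenticated"


def parse_c_option(value: str) -> List[str]:
    """Split a -c argument (comma separated, no spaces) and expand "all" to the short-name set."""
    types = value.split(",")
    for t in types:
        if t not in HEADER_TYPES:
            raise ValueError(f"unknown header type {t!r}")
    if "all" in types:
        return ["iv_user", "iv_groups", "iv_creds"]  # "all" uses the short user name (iv_user)
    if "iv_user" in types and "iv_user_l" in types:
        raise ValueError("iv_user and iv_user_l cannot be combined")
    return types


def pd_headers(credential: Dict[str, object], c_option: str) -> Dict[str, str]:
    """Headers WebSEAL inserts into the junctioned request for -c <c_option>.

    credential is a constructed stand-in: {"user": short name or None, "dn": LDAP DN,
    "groups": [group names], "creds": opaque encoded credential string}.
    """
    headers: Dict[str, str] = {}
    for t in parse_c_option(c_option):
        if t == "iv_user":
            headers["iv-user"] = str(credential.get("user") or UNAUTHENTICATED)
        elif t == "iv_user_l":
            # Assumption: an unauthenticated user has no DN either, so the same default applies.
            headers["iv-user"] = str(credential.get("dn") or UNAUTHENTICATED)
        elif t == "iv_groups":
            headers["iv-groups"] = ",".join(credential.get("groups") or [])
        elif t == "iv_creds":
            headers["iv-creds"] = str(credential.get("creds") or "")
    return headers


def cgi_variable_name(header_name: str) -> str:
    """Header name to CGI variable name: '-' becomes '_', upper case, HTTP_ prefix."""
    return "HTTP_" + header_name.replace("-", "_").upper()


def identity_from_environ(environ: Dict[str, str]) -> Dict[str, object]:
    """What a CGI program behind the junction should read back from the HTTP_IV_* variables."""
    user = environ.get(cgi_variable_name("iv-user"), UNAUTHENTICATED)
    groups_raw = environ.get(cgi_variable_name("iv-groups"), "")
    return {
        "user": None if user == UNAUTHENTICATED else user,
        "groups": [g for g in groups_raw.split(",") if g],
        "creds": environ.get(cgi_variable_name("iv-creds")),
    }
```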
b HTTP Yñúq IP (–r)–r ∩i²zbX°AnD HTTP YñAíJq IP ΩTC Policy Director HTTP YΩTi²X≤Ot°AWíA IP ⌡µSw@C
ß°AN HTTP YΩT૨⌠µíAß°AWAíC YΩT૨ CGI ⌠µíΦkAOHu (_) N°e (-)AN “HTTP” K rΩYC HTTP YY¿s⌠C
: IP ú@wNϕq≈C IP iαNϕ Proxy °A⌠⌠α½ (NAT) C
Policy Director header   CGI variable               Description
iv-remote-address        HTTP_IV_REMOTE_ADDRESS     IP address of the user. This may be the address of a proxy server or of a network address translation (NAT) device.
–r ∩iⁿwneßí°AiJnD IP C∩ún⌠≤C
NÑq@ Cookie eXJf°A (–k)Web JfOújqHΩMA°AC –k ∩i²zN Policy Director Ñq@ cookie]O≤qMWebSEAL ºíeßJf°ACe∩wiΣ WebSEAL H Plumtree Corporate Portal MΦºíπXC
ϕqVJf°AnDHΩMµAJf°As
ΣLiúΣA$ WebSEAL O@í°AABoΩMµCÑq@ cookie ie\Jf°ANϕqAVoí°Aiµ≥Kµ@nJC
ϕzb WebSEAL MßJf°AXA[J –k ∩A²Oún⌠≤C
tmJf°AnN¼pG
¶ YnzLWMKXsAzuϕµv
OC3u≥O (BA)vC
¶ webseald.conf tm [session] q¿ñ ssl-id-sessions]w “no”C∩≤ HTTPS qHA]wjεÑq@ cookieAú SSL Ñq@ ID @Ñq@¼AC
¶ pGJf°AeO$ WebSEAL O¿AFailover ¼ cookieC Failover cookie ]t[KΩTAi²BznD⌠≤ WebSEAL °A¿OC
Σújpg URL (–i)w]AbMsεAPolicy Director ° URL jpgC bBz∩Xß°AnDA –i ∩ⁿw WebSEAL ° URL újpgC
ϕzbXW]w∩AWebSEAL bσR URL Lkjpgr$C w]AWeb °AQwjpgC
÷Mjí≈ HTTP °AúΣN URL wqjpgHTTP WµA²Y HTTP °A° URL újpgC
pAbújpg°AWAUCΓ URLG
http://server/sales/index.htm
http://server/SALES/index.HTM
Q°P URLC oµnzNPsε
(ACL) ±boΓ URL WC
bH –i ∩X≤Ot°AßAWebSEAL N V°A URL °újpgC
Bz Script Mqí URL (–j)í WebSEAL Bz Script ú∩M°A∩]ß°AWΩΦíC
¶ yDIz
¶ 157yHX Cookie Bz°A∩ URLz
¶ 159yH Script LoBz∩ URLz
¶ 160yHXMgBz°A∩ URLz
DIϕqsX Web °AAΩTiαO@δ HTMLGBqí (applet) O ScriptC Web yzyÑ]A JavascriptsBVBscriptsBASPBJSP M ActiveXC
HTMLBScript applet ú⌠≤iα]t∩ß°ALBWºΣLΩ (URL)C URL ϕíiHUCµíXG
¶ ∩
¶ ∩
¶ °A∩
ß°A@¿\ípOAURL O∩]tOΣXΩTC WebSEAL dt≤d≥sxúΩTº URLAbAϕúX¡≈ΩTC
H∩µíϕ URL qún WebSEAL ⌠≤@C H
∩°A∩µíϕ∩ß°ALkQ¿A
]l URL ú]tX÷ΩTC oú TaXApP≤ WebSEAL °AWº½≤nDC
∩ URL ϕíd]N&¿\G
abc.html ../abc.html
./abc.html sales/abc.html
∩ URL ϕíd]nXΩTG
http://www.tivoli.com/abc.html
°A∩ URL ϕíd]nXΩTG
/abc.html /accounts/abc.html
WebSEAL HUCΦíBzAú∩°A∩ URLG
¶ RA HTML
$≤ HTML OσrQ÷aσRA] WebSEAL bAϕN TXΩT [ URLC\168yqX°ALoRA HTML URLzC
¶ Script Mqí
$≤ Script °Ao WebSEAL b∩O∩ URLM°A∩ URL ϕíqß°AqiµLo@WAϕFvC bAϕAtm
WebSEAL úXΩTC
: Web Script í]pv∩Aú URL ∩]D∩°A∩C
HX Cookie Bz°A∩ URLbUCΩñA≤ß°AW Script Aú°A∩URL ϕíC ϕOíXqAWebSEAL Lk[H@C $≤Σú]tXΩTA]q Oϕ
Φíú T URLC
pGqnDⁿwΩAWebSEAL Nú Ta ]ⁿVC bLkΣºßAªuΣ
úvqC
–j ∩úH cookie ≥ªMΦABz Web Script bX°AWAúBbq≈W⌡µ°A∩
URLC
@δykG
pdadmin> server task <server-name> create ... -j ...
w∩C@nDAúeXOXqC cookie ]tUCMG
IV_JCT_<backend-server-name> = </junction-name>
ϕq URL úXnDAWebSEAL YHΣlµíBz URLCϕ WebSEAL ΣúΩAY cookie úXΩT½nDCQ URL ϕíñ TXΩTANiQΣΩC
U íoLo°A∩ URL MΦ
25. Script úBSLo URL
WebSEAL ú@úOH cookie ≥ªºMΦ NΦABz°A∩ URLC \160yHXMgBz°A∩ URLzC
H Script LoBz∩ URLWebSEAL nBtm)αBzAúBqLX∩URLC webseald.conf tm]ti∩ URL ºLoG
[script-filtering]
script-filter = no
w]Aw Script LoC Yn Script LoA]wG
script-filter = yes
: Pz –j ∩Pß°AXCXOX cookie eq]D Script Lo≈εn@C
script-filter ≈εⁿπ⌡B°ABΩµí∩URLG
http://server/resource
26. Lo°A∩ URL
script-filter ≈εH TXΩTN⌡M°Aí≈C
/junction-name/resource
oMΦnBBzíAiα∩αút
vTC ¡εu∩nΣ∩ URL LoX
script-filter C
U í URL LoMΦG
HXMgBz°A∩ URLPolicy Director w∩Lo°A∩ URLAú@H cookie ≥ªMΦº∩ΦC ziXMgϕAΣM
gSwΩXWC
WebSEAL Ht≤XMgϕΩAd°A∩ URL ñmΩTC pG URL ñ⌠ΩTPϕµñAWebSEAL NNnD VPm÷pXC
ϕµO@ jmt.conf ASCII σrC mOⁿw≤ webseald.conf tm [junction] q¿ñG
27. Lo∩ URL
jmt-map = lib/jmt.conf
ϕµñΩºµí$XWBµΩm¼
¿C z]iHUr$ϕΩm¼C
bUCXMgtmdñAΓíß°Ab /jctA M
/jctB ÑmX WebSEALG
#jmt.conf
#<junction-name> <resource-location-pattern>
/jctA /documents/release-notes.html
/jctA /travel/index.html
/jctB /accounts/*
/jctB /images/weather/*.jpg
l jmt.conf MgϕO@CbsWΩºßAz jmt load ⁿOuⁿJvΩAHK²
WebSEAL sΩTC
pdadmin> server task <server-name> jmt load
JMT table successfully loaded.
UC°≤A≤XMgϕMΦG
¶ MΦún –j ∩X cookie
¶ Mgϕ$wz]w
¶ MΦúBzH∩ URL
¶ b Web íX Web í°AñAΩm¼úO@
¶ pGñ½¼AhúⁿJMgϕC úLA
WebSEAL /≥⌡µC
¶ pGbⁿJMgϕAhLkMgϕC úLA
WebSEAL /≥⌡µC
¶ pGMgϕOAOϕµñAhúⁿJMg
ϕC úLAWebSEAL /≥⌡µC
¶ bⁿJMgϕo⌠≤ú Pú WebSEAL °AΘx]webseald.logñC
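To make the mapping rules above concrete, here is an added Python example (not part of this manual or of WebSEAL) that parses the jmt.conf table shown in this section and prefixes a server-relative URL with the junction whose pattern matches it first; relative and absolute URLs pass through unchanged. Treating each pattern as a shell wildcard via fnmatch and matching on the path without its query string are assumptions of this example.

```python
import fnmatch
from typing import List, Tuple
from urllib.parse import urlsplit

# Junction mapping table in jmt.conf format, copied from this section's example.
JMT_CONF = """\
#jmt.conf
#<junction-name> <resource-location-pattern>
/jctA /documents/release-notes.html
/jctA /travel/index.html
/jctB /accounts/*
/jctB /images/weather/*.jpg
"""


def parse_jmt(text: str) -> List[Tuple[str, str]]:
    """Parse jmt.conf into (junction-name, pattern) pairs, skipping comments and blank lines."""
    table: List[Tuple[str, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2 or not parts[0].startswith("/") or not parts[1].startswith("/"):
            raise ValueError(f"jmt.conf line {lineno}: expected '<junction-name> <pattern>', got {raw!r}")
        table.append((parts[0], parts[1]))
    return table


def classify_url(url: str) -> str:
    """Sort a URL into the three kinds this chapter distinguishes: absolute, server-relative, relative."""
    if urlsplit(url).scheme:
        return "absolute"
    return "server-relative" if url.startswith("/") else "relative"


def map_server_relative(url: str, table: List[Tuple[str, str]]) -> str:
    """Prefix a server-relative URL with the junction whose pattern matches it (first match wins).

    Relative and absolute URLs, and server-relative URLs matching no pattern, come back unchanged,
    which is what a script-generated URL looks like when the table cannot help.
    """
    if classify_url(url) != "server-relative":
        return url
    path, sep, query = url.partition("?")  # match on the path only (assumption); keep the query
    for junction, pattern in table:
        if fnmatch.fnmatchcase(path, pattern):
            return junction.rstrip("/") + path + sep + query
    return url
```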
¼AXΣ (–s, –u)jí≈ Web íAú@qº HTTP nDu¼AvC ÑAo¼AG
¶ zL CGI íúΩΘJϕµAli
¶ b⌡µ@tCΩwdA@WUσ
¶ bHNs²∩½uW½«íñA
@@≈½Mµ
is⌡µ Web ºí°AAHKzLtⁿ¡uWiαC ϕ WebSEAL °AúXosß°AAªTOt≤qÑq@nDúα
T°AAB¡ΩyqWhAúbsß°A
ºíeC
w]APolicy Director NnDei°AA¡ß°AtⁿC Policy Director “least-busy”tΓkCotΓkNC@snD V+suwb
iµñ°AC
a –s X create ⁿOm½¡ΩyqWhA@u¼AXvAΣTObπÑq@Aqn
DúαP@í°ACϕolqnDA
WebSEAL N cookie ±btⁿwºß°A UUID ºqtWC ϕq∩P@ΩúXi@BnDAcookie UUID ΩTYiTOΩα@PeP@íß°AC
–s ∩A≤bP@XXhíß°Aºµ@eWebSEAL °AC NA@)lXQ¼AAN add ⁿO]úa –s ∩ANlß°AXP@XC
pGΩtAhíe WebSEAL °AAíúXP@íß°AAz –u ∩A TaNC@ß°AUUID ⁿwC@íe WebSEAL °AC \y∩¼AXⁿwß°A UUID (–u)zC
∩ ¼AXⁿwß°A UUID (–u)b∩ß Web í°AFsXAWebSEAL qú@u@sOX (UUID)vOß°ACo UUID ObíA@¼AX]create–sC
ϕolqnDAWebSEAL N cookie ±btⁿwºß°A UUID ºqtWC ϕq∩P@ΩúXi@BnDAcookie UUID ΩTYiTOΩα@PeP@íß°AC
ϕhíe WebSEAL °AXhíß°AA¼AXBz@o≤°C qAe WebSEAL °Asß°AºíC@XAúß°Aú@
@ UUIDC oϕ@íß°AbC@íe WebSEAL°AWúúP UUIDC
híe°An¡Ωyq≈εAHKbΓí°Aºí
etⁿC pAiSw UUIDBzL WebSEAL °A1 ∩ß°Alu¼AvC
28. ¼AXß°A UUID
MApG¡Ωyq≈εzL WebSEAL °A 2 eP@qi@BnDAhúD WebSEAL °A 2 P@ UUID OP@íß°AAhu¼AvNúAsbC qAúooípC
–u ∩i²z∩Swß°AC@íe WebSEAL °AAúP UUIDC
ÑAΓíse WebSEAL °AAC@íú∩Γíß°A¼AXC ϕzb WebSEAL °A 1 Pß°A 2 ºí¼AXAú@@UUID]UUID AHOß°A 2FMAb WebSEAL °A 2 Pß°A 2 ºíF¼AXAú@sBúP UUID (UUID B) HOß°A 2C
pGqß≥nDOzL WebSEAL °A 2 eAhbqPß°A 2 ºíBzL WebSEAL °A 1 u¼AvNóC
MUCBzAibXíⁿw UUIDG
29. Dⁿ UUID
1. q WebSEAL °A 1 ß°AXC
create –s M addC
2. CbBJ 1 íC@íß°Aú UUIDC
showC
3. q WebSEAL °A 2 C@íß°AXAⁿwbBJ 2 ñO UUIDC
create –s –u M add –uC
bU ñAß°A 1 Q WebSEAL-1 WebSEAL-2 °UUID 1Cß°A 2 Q WebSEAL-1 WebSEAL-2 °UUID 2C
dGbHUdñA
¶ WebSEAL-1 WS1
¶ WebSEAL-2 WS2
¶ ß°A 1 APP1
¶ ß°A 2 APP2
30. ∩¼AXⁿwß°A UUID
pdadmin> server task webseald-WS1 create -t tcp -h APP1 -s /mnt
pdadmin> server task webseald-WS1 add -h APP2 /mnt
pdadmin> server task webseald-WS1 show /mnt
]oª UUID1 M UUID2
pdadmin> server task webseald-WS2 create -t tcp -h APP1 -u <UUID1> -s /mnt
pdadmin> server task webseald-WS2 add -h APP2 -u <UUID2> /mnt
ϕqPß°A 2 ¼AsuAª¼@]t UUID2 cookieC bAezdTOqN&sß°A 2ALi@BnDOzL WebSEAL-1 WebSEAL-2 eC
X Windows t (–w)WebSEAL URL ñⁿw⌠A∩eXß°AqnD⌡µwdC $≤ Win32 túΓúPs°WΦkAiαMwdC
@ΦkTπW]abcdefghijkl.txtCGΦkí 8.3 WµíAHπVe]abcdefx1.txtC
ϕzb Windows ⌠ñXA¡εuαsε@½≤ϕABúie\ñLw≈εußviαC
–w ∩úⁿ 8.3 WµíC úiWu]8.3íK°WWT ACLC °ANbΘJ⌠≤uíWWu403 TεvC
b Windows ñAW “foo.” Q°PW “foo” PC–w ∩²q URL ñWñúIAMßAenDß°AC ACL dO≥≤SIWC
: Win32 újpgD (abcde.txt = AbCdE.txt) izL –i ∩MC\155yΣújpgURL (–i)zC
dGb Windows NT 4.0 WA]izLUC⌠s \ProgramFiles\Company Inc.\Release.Notes G
1. \program files\company inc.\release.notes
2. \program files\company inc\release.notes
3. \prograx1\companx2\releasx3.not
Wzd 1 íuújpgvvTAΣ$ –i ∩]D–wªC
d 2 í Windows NT ñIípC
d 3 í Windows NT @bWñútµBX8.3 µíOW]w∩ DOS eΦíC
–w ∩ªd 2 M 3 íτbwC–w ∩ⁿw∩X°AnD URL ñAúe\ñIHs]t tilde W]xYuWC
WebSEAL XNNG
¶ ybP@XWⁿhí°Az
¶ 168yqX°ALoRA HTML URLz
¶ 169yjε\ivqLXz
¶ 169yzLXiµOz
bP@XWⁿhí°AziHbP@XWⁿhís°AC bP@IWi
ⁿ°Aú¡C
b@XWⁿ°AúO]ΦM Web íABPqH≤w—HTTP HTTPSC únbP@XWⁿúⁿ°AC
bDn Policy Director °A Web íñAs≤X°AC zα≈so]ϕMπ\ivA
oπ@PC pGYΣúA
∩AhϕAϕsC
dσ≤sbABbsΓí°Aºσ≤≡ñúO
PC
qX°ALoRA HTML URLNuLoqX°A¼ mime ¼ “text/html” RAσ≤C
WebSEAL i∩ URL 2 Gu∩vMu°A∩vC
¶ °A∩ URL H∩≤X°Aσ≤²AⁿXURL mApG
/dir/file.html
∩o URL HMX°AXIApG
/jct/dir/file.html
¶ ∩ URL H∩≤D≈W IP H⌠⌠≡AⁿXURL mApG
http://servername[:port]/file.html, or
https://servername[:port]/file.html
UCWh∩o URLG
1. pG URL O HTTPABD≈/≡XH TCP X°AAN∩ URL HMXIApG
/jct/...
2. pG URL O HTTPSABD≈/≡XH SSL X°AAN∩ URL HMXIApG
/jct/...
3. NuLowq≤ iv.conf º TAG/∩ URLC
4. META h&OF≤snDLoApG
5. pG BASE ]t HREF AhNq∩qñúC
zLX°ALo URL Ob webseald.conf tm[filter-url] q¿ñC
[filter-url] q¿t@≈ HTML MµAWebSEAL °A[HLo∩πzLX°Ao∩ URLC
w]Atm HTML C ziαnsW]t URL B HTML C
t\156yBz Script Mqí URL(–j)zC
jε\ivqLXzLkjεY Policy Director \ivqLXCpAzLkHx \ivε CGI Script ⌡µAH l \ivε²CCWebSEAL S⌠≤ΦkiHT7Pwbß°AWnD½≤O]pCGI íBA²°ϕ@δ HTTP ½≤C
uzL r \ivA)iεqLX∩½≤]]A CGI íM²°ϕsC
zLXiµObwñAWebSEAL tmFw]HC
webseald.conf tm [ssl] q¿ñ webseal-cert-keyfile-labelNⁿw@ñ°AC
<META HTTP-EQUIV="Refresh" CONTENT="5;URL=http://server/url">
pGXßí°AnqO WebSEAL¡Az² iKeyman íBwMCMßA –K <key-label> ∩tmXC\144y¼O SSL Xz
pG –K tmXAGSKit e]t≈Ωwuw]vAHKBz¼OnDCpGoúOn
AzTw≈Ωw (pdsrv.kdb) ñSQuw]]πPC
G
¶ zLWOnC
¶ únN≈Ωwñ⌠≤uw]vC
¶ webseal-cert-keyfile-label ε WebSEAL °AC
¶ zL –K X∩ε WebSEAL qC
∩≤Ot°A query_contentspGzQ Policy Director wAíO@≤Otí Web íΩAz∩ WebSEAL ú≤Ot Web íºe÷ΩTC
@ query_contents CGI íúoΩTCquery_contents íjM≤Ot Web íeAúowsΩT WebSEAL W Web Portal ManagerC oíH ≤ WebSEAL wíA²HΓΦíwb≤Ot°AWC °≤Ot°A@tO UNIX Windows úPí¼C
Cϕbu½≤ívzeñiNϕXuⁿO@½≤
íví≈AWeb Portal Manager u½≤ívzíY
⌡µ query_contentsC bAWeb Portal Manager wD÷≤≤OtííeAziπoΩTAM
hdAϕ½≤C
w query_contentsqw query_contents DµCΣw@]AN PolicyDirector °Añ@Γs≤Ot°AAHsΦtmC
UC Policy Director ²]tídG
UNIXG <install-path>/www/lib/query_contents
WindowsG <install-path>\www\lib\query_contents
²e]AG
File                   Description
query_contents.exe     Main executable program for Win32 systems. Install it in the cgi-bin directory of the third-party Web server.
query_contents.sh      Main executable script for UNIX systems. Install it in the cgi-bin directory of the third-party Web server.
query_contents.c       Source code. Provided so that you can modify query_contents; in most cases the source is not needed.
query_contents.html    HTML help file.
query_contents.cfg     Configuration file that gives the location of the Web server document root directory.
b≤Ot UNIX °AWw query_contentsbUC²ñMΣ Shell Script query_contents.shG
<install-path>/www/lib/query_contents
1. N query_contents.sh s≤Ot Web °AW@ñ /cgi-bin ²C
2. ú .sh WC
3. Web °Azbß]w UNIX ⌡µ$C
b≤Ot Win32 °AWw query_contentsbUC²ñMΣi⌡µ query_contents.exe tmquery_contents.cfgG
WindowsG <install-path>\www\lib\query_contents
1. Tw≤Ot Web °Awg Ttmn CGI ²C
2. w∩ATw≤Ot Web °Aσ≤²ñsbσ≤C
3. N query_contents.exe s≤Ot Web °A CGI²ñC
4. N query_contents.cfg s Windows ²C
÷²w]úUϕG
@t Windows ²
Windows 95 c:\windows
Windows NT 3.5x c:\winnt35
Windows NT 4.x c:\winnt
5. sΦ query_contents.cfg H Tⁿw≤Ot Web °Aσ≤²C
e]t Microsoft Internet Information Server Netscape FastTrack °AdC oñH
];YUµOAquery_contents íú[HBzC
tm
1. q Win32 ≈W MS-DOS úñApUq CGI ²⌡µ query_contents íG
MSDOS> query_contents dirlist=/
XⁿHUΘXG
100
index.html
cgi-bin//
pics//
r 100 Oϕ¿\¼AC+ r 100 O@]BiαO@@O½nC
pG OXANϕtmmA
]tσ≤lC d query_contents.cfg tmATwσ≤²sbC
2. bs²ñAΘJUC URL
http://<win32-machine-name>/cgi-bin/query_contents.exe?dirlist=/
BJPe@BJPGC pGªS
GAYϕz Web °A CGI tmú TC \°Aíσ≤≤ DC
q query_contentsquery_contents u@Ot≤ URL nD²eC
pAo°Aº Web í²ºeAs²bpHU URL W⌡µ query_contentsG
http://third-party-server/cgi-bin/query_contents?dirlist=/
query_contents Script ⌡µUC@G
1. ¬ CGI ⌠ $SERVER_SOFTWARE Pw°A¼C
Web °A¼A $DOCROOTDIR ]σ¼σ≤²mC
2. qnD URL ñ¬⌠ $QUERY_STRINGAHonD@Ao½≤⌠C
@xsb $OPERATION ñA½≤⌠xsb
$OBJPATH ñC bWñA$OPERATION dirlistA$OBJPATH “/”C
3. b½≤⌠W⌡µ²Mµ]lsANGm≤ΘXWAH Policy Director °AC [u (//) ϕl²C
σ¼ΘXⁿUíG
100
index.html
cgi-bin//
pics//
r 100 Oϕ¿\¼AC
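The following Python reimplementation of the query_contents behaviour described above is an added example, not the shipped query_contents.sh or query_contents.c: it parses QUERY_STRING, lists the requested directory under the document root, marks subdirectories with a trailing "//" and starts its output with the 100 status line. The document root is a constructed temporary directory; sorting entries alphabetically and rejecting object paths that escape the document root are this example's own choices.

```python
import os
import tempfile
from typing import List, Tuple
from urllib.parse import parse_qsl

SUCCESS_STATUS = "100"  # first output line on success, as the page describes


def parse_query_string(query_string: str) -> Tuple[str, str]:
    """Split a QUERY_STRING such as 'dirlist=/' into (operation, object path)."""
    pairs = parse_qsl(query_string, keep_blank_values=True)
    if len(pairs) != 1:
        raise ValueError(f"expected exactly one <operation>=<path> pair, got {query_string!r}")
    operation, objpath = pairs[0]
    if operation != "dirlist":
        raise ValueError(f"unsupported operation {operation!r}")
    return operation, objpath or "/"


def resolve_within_docroot(docroot: str, objpath: str) -> str:
    """Map the object path under the document root and reject anything that escapes it."""
    root = os.path.realpath(docroot)
    target = os.path.realpath(os.path.join(root, objpath.lstrip("/")))
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"object path {objpath!r} lies outside the document root")
    return target


def query_contents(docroot: str, query_string: str) -> List[str]:
    """Return the lines query_contents writes: '100', then one entry per line, directories ending in '//'.

    Entries are sorted alphabetically here; the page does not fix an order (assumption).
    """
    _, objpath = parse_query_string(query_string)
    directory = resolve_within_docroot(docroot, objpath)
    if not os.path.isdir(directory):
        raise ValueError(f"{objpath!r} is not a directory under the document root")
    lines = [SUCCESS_STATUS]
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        lines.append(name + "//" if os.path.isdir(full) else name)
    return lines


def build_sample_docroot() -> str:
    """Create a constructed document root with the entries of the page's sample output."""
    root = tempfile.mkdtemp(prefix="pd-docroot-")
    os.mkdir(os.path.join(root, "cgi-bin"))
    os.mkdir(os.path.join(root, "pics"))
    with open(os.path.join(root, "index.html"), "w", encoding="utf-8") as fh:
        fh.write("<html><body>constructed sample</body></html>\n")
    return root
```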
qσ≤²UNIXG
Ynq UNIX °A query_contents.shAziα∩σ≤²]wC
pG query_contents ¼A]100 HrABSCAnd Script ∩ $DOCROOTDIR AHXz°AtmC
pGσ≤²ⁿwLA² Script /MóAh cgi-bin mWµiαú TCd $FULLOBJPATH A∩ⁿwªAHM T cgi-bin mC
WindowsG
Ynq Windows °A query_contents.exeA∩query_contents.cfg C
Σª\αquery_contents ílíX]query_contents.cOMPolicy Director @eAút¼OC
íñiα[JΣL\αAHΣYΣL≤Ot Web °ASϕSC oS]AG
1. ²Mg — Σñ@Dσ≤²U ²Mg
Web íC
2. ú@DHt≥ª Web íC
oOw∩HΩwD Web °AÑC
O query_contentsPolicy Director query_contents CGI íb Web PortalManager ñπX Web °A½≤íCOwHKgv⌡µOD½nC
zNwh]wue\uz°A (pdmgrd)v¡)iHs q u e r y _ c o n t e n t s íCHUd A C L(query_contents_acl) NXhG
group ivmgrd-servers Tl
user sec_master dbxTrlcam
pdadmin íN ACL [X°Aquery_contents.sh (UNIX) query_contents.exe (Windows) ½≤Cp (UNIX)G
pdadmin> acl attach /WebSEAL/<host>/<junction-name>/query_contents.sh query_contents_acl
7. Web Single Sign-on Solutions
ϕzN WebSEAL Ω@ Proxy °AHKw⌠úO@Azq]M Web Ωµ@nJDCQFWebSEAL Proxy tm Web íµ@nJMΦCdñ]tFSOtmXBsnJM LTPAC
DDG
¶ yw∩µ@nJMΦtm BA Yz
¶ 183ysnJ (GSO)z
¶ 188yw∩ IBM WebSphere (LTPA) µ@nJz
w∩µ@nJMΦtm BA Yí –b ∩AqL WebSEAL ºµ@nJtmiαMΦC
¶ 178yµ@nJ (SSO) ºz
¶ 178yb BA Yñúq¡≈z
¶ 179yúq¡≈MPKXz
¶ 181yαlq BA YΩTz
¶ 182yúq BA YΩTz
¶ 183yq GSO úWMKXz
µ@nJ (SSO) ºϕⁿO@Ω≤ß Web í°AWAi∩nDΩqnD⌡µh½nJ — @w∩ WebSEAL °AA@w∩ß°AC C@nJúiαnúPnJ¡
≈C
z@h½nJ¡≈DgiHµ@nJ (SSO) ≈ε≥oMC µ@nJMΦi²@ lnJYi
sΩ]LΩmb≤BC iMíBzß
°A⌠≤i@BnJDC
b BA Yñúq¡≈zitm WebSEAL XA∩ß°Aúlg∩q¡≈ΩTC ]w –b ∩Ai²zb HTTPu≥O (BA)vYñúSwq¡≈ΩTC
¡zAzRz⌠⌠tmMwDAPw∩U
CD¬G
1. ß°AOnOΩTH
]WebSEAL HTTPu≥OvYFOΩTC
2. pGß°AnOΩTAhoΩT≤BH
]WebSEAL b HTTP Yñ±J8≥ΩTH
31. h½nJ
3. OO WebSEAL Pß°AºísuH
]TCP SSL XH
bqP WebSEAL ºílOºßAWebSEAL Yimsu≥OvYC nD≥qLXß°AP
AsYC ziH –b ∩ⁿwosYnú≤SwOΩTC
úq¡≈MPKX–b supply
–b supply ∩ⁿ WebSEAL úgO Policy Director W]ql¡≈PRABP]ΩKXC
ΩñúlqKXC
PKXoKXzAvΣíC uΩ
vKXO]wb w e b s e a l d . c o n f tm
basicauth-dummy-passwd ñG
[junction]
basicauth-dummy-passwd = <password>
oΩ ]ß°An Policy Director ¡≈OCWebSEAL $NqMgw Policy Director Azß°AOAHú÷⌠µ@nJ
MΦC
32. úOΩTß°A
MΦUC°≤G
¶ wN WebSEAL tmG∩ß°Aút≤lqnDWA[WP]ΩKXC
¶ uΩvKXtm≤ webseald.conf tmñC
¶ ß°An²δb HTTP BA Yñú PolicyDirector ¡≈C
¶ $≤≈KOΩT]WMKXqLXA]
XwD½nCÑO SSL XC
¡εnDíP Policy DirectoruΩvKXFbß°An²ñíπPKXC @δuΩv
KXAúα∩í°AHWnJºq
Xkú⌠≤≥ªC
pGq&qL WebSEAL sß°AAhoMΦúX⌠≤wDC úLAqΣLiαsΦkΩO
ß°AOD½nC
33. BA Y]t¡≈MuΩvKX
$≤ΩSKXhwA]ß°A@Lh
H⌠ WebSEAL τqXkC
ß°An²]δ Policy Director ¡≈HKⁿªC
αlq BA YΩT–b ignore
–b ignore ∩ⁿ WebSEAL Nlqu≥O(BA)vYß°AAúⁿ⌠≤zZC ziN
WebSEAL tmO BA qΩTñqúBA YAMßNY]@∩αß°AC
: oúOu µ@nJ≈εAO∩ WebSEAL zqanJ≤Ot°AC
MΦUC°≤G
¶ ß°AnzL BA q¡≈ΩT
ß°ANu≥OvtqCqH
WebSEAL °A[∩qLºWMKX@C
¶ ß°A@ΣvBqúKX
¶ wN WebSEAL tmG∩ß°Aút≤lqnDWMKXC
¶ $≤≈KOΩT]WMKXqLXA]
XwD½nCÑO SSL XC
úq BA YΩT–b filter
–b filter ∩ⁿ WebSEAL q⌠≤qnDñúu≥OvYΩTAMßANnDαß°AC bΩ
ñAWebSEAL ¿µ@wúC
MΦUC°≤G
¶ wbqP WebSEAL ºítmu≥Ov
¶ ß°Aúnu≥Ov
¶ uzL WebSEAL )αsß°A
¶ WebSEAL Nϕß°ABzO
34. WebSEAL αlq¡≈ΩT
pGz∩ß°AúYqΩTAziN∩P
–c ∩XAN Policy Director q¡≈ΩTíJ HTTP YµC\152yb HTTP Yñúq¡≈(–c)zC
q GSO úWMKX–b gso
–b gso ∩ⁿ WebSEAL ∩ß°AúOΩT]WMKXAΩTOqQ]wBzsnJ]GSO°AñoC
MΦUC°≤G
¶ ß°AínúPWMKXAo
Ωút≤ WebSEAL n²ñC
¶ L∩ WebSEAL Mß°AÑAwúD½nC
$≤≈KOΩT]WMKXqLXA]
XwD½nC ÑO SSL XC
ysnJ (GSO)zñ≈επíC
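Putting the four -b modes side by side, this added Python simulation (not WebSEAL code) returns the Authorization header that would cross the junction in each mode. The GSO entries reuse this chapter's Michael/Paul sample (mike/123 for travel-app, and so on); the dummy-password value and forwarding no header when GSO holds no entry are assumptions.

```python
import base64
from typing import Dict, Optional, Tuple

# The four junction -b modes described in this chapter.
BA_MODES = ("supply", "ignore", "filter", "gso")

# Constructed GSO data following this chapter's example table:
# Policy Director user -> {GSO resource -> (back-end user name, back-end password)}.
GSO_DATABASE: Dict[str, Dict[str, Tuple[str, str]]] = {
    "michael": {"travel-app": ("mike", "123"), "payroll-app": ("powell", "456")},
    "paul": {"travel-app": ("bundy", "abc"), "payroll-app": ("jensen", "xyz")},
}


def basic_header(username: str, password: str) -> str:
    """Encode a user name and password as an HTTP Basic Authentication header value."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic(header_value: str) -> Optional[Tuple[str, str]]:
    """Decode a Basic header value back to (user, password); None if it is not valid Basic."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        user, _, password = base64.b64decode(token, validate=True).decode("utf-8").partition(":")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return user, password


def junction_authorization(
    mode: str,
    pd_user: str,
    client_header: Optional[str],
    gso_resource: Optional[str] = None,
    dummy_password: str = "dummy",  # stands in for basicauth-dummy-passwd in webseald.conf (assumed value)
) -> Optional[str]:
    """Return the Authorization header WebSEAL forwards across the junction, or None for no header."""
    if mode not in BA_MODES:
        raise ValueError(f"unknown -b mode: {mode!r}")
    if mode == "filter":
        # The BA header is removed; the back end learns the identity only if -c headers are added.
        return None
    if mode == "ignore":
        # The client's own BA header is passed through untouched; WebSEAL does not act on it.
        return client_header
    if mode == "supply":
        # Policy Director user name plus the single shared dummy password: the back end can
        # only rely on this when it accepts requests solely from WebSEAL (SSL junction advised).
        return basic_header(pd_user, dummy_password)
    # mode == "gso": the user name and password registered in GSO for this user and resource.
    if gso_resource is None:
        raise ValueError("-b gso junctions need a -T resource")
    creds = GSO_DATABASE.get(pd_user, {}).get(gso_resource)
    if creds is None:
        return None  # assumption for this example: no GSO entry, no header forwarded
    return basic_header(*creds)
```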
snJ (GSO)Policy Director Σ@uµ@nJMΦAΣSΓπ∩ß Web í°Aú NWMKXαOC
35. úq BA YΩT
n²º¼Aoµ@nJMΦHΓ
ΦíⁿΣIµG
¶ H DCE n²O⌠ – Tivoli Global Sign-On (GSO)ú
¶ H LDAP n²O⌠ – LDAP ²úusnJvΣ
usnJvPsΣgvpΓΩ — zLµ
@nJC GSO Yw∩$ºΦBíBΓ⌠hítMí¿ºj¼°]pAΣ°@δzh
WMKXºC
πXOzLb WebSEAL Pß Web °Aºí “GSOaware” XF¿C ² Web Portal Manager GSOΩM GSO ΩsC
ϕ WebSEAL ¼∩≤X°AWºΩnDAWebSEAL nD GSO °AúXAϕOΩTC GSO °At@MgΩw—w∩C@wnO—ΣúSwΩMí NWMKXC
U íp≤ GSO ≈εßíΩºWMKXC
1 . qHsß°AWºíΩnDA∩
WebSEAL OC o Policy Director ¡≈C
: µ@nJBzPlOΦkUWB@C
2. WebSEAL Policy Director ¡≈ GSO LDAP °AC
3. °AA≤nDíΩWMKXC
4. WebSEAL NWMKXΩTAíJqLXeß°AºnD HTTPu≥OvYñC
MgOΩTUCdí GSO ∩ WebSEAL úOΩTΦíC pG Michael Qn⌡µ travel-app íΩ]\ 36AWebSEAL V GSO / LDAP °A Michael OΩTC
GSO / LDAP °A@@πOΩTΩwAΣΩTíOΩ∩SwOΩTMgCOΩTOW / KXXASΩC uαwnOΩ
C
°At@ Michael ΩwAΣMgΩ travel-app SwΩC
36. snJ≈ε
Uϕí GSO ΩΩwcG
User      Resource       User name   Password
Michael   travel-app     mike        123
Michael   payroll-app    powell      456
Paul      travel-app     bundy       abc
Paul      payroll-app    jensen      xyz
bñAGSO W “mike” MKX “123” WebSEALCϕ WebSEAL beqLXß°AnDñcu≥OvYAoΩTC
tmw GSO WebSEAL XGSO Σtm≤ WebSEAL Pß°AºíXC
Yn GSO XAa –b gso ∩ create ⁿOC UCdí create ⁿOykG
create -t tcp -h <host-name> -b gso -T <resource> <jct-point>
HUC]w GSO X∩G
Option                          Description
-b gso                          Specifies that GSO supplies the authentication information for requests crossing the junction.
-T <resource/resource-group>    Specifies the GSO resource or resource group. The resource name given must match a resource name in the GSO database. Required for gso junctions.
zL SSL ib WebSEAL/GSO MΦñXwLAΦkbX [aM –t ssl ∩C
z& SSL Xft GSOAHTO∩Ω[KC
GSO WebSEAL XdND≈ sales_svr WíΩ travel-app XXI/salesG
create -t tcp -b gso -T travel-app -h sales_svr /sales
ND≈ adm_svr WíΩ payroll-app XXI/admin AH SSL O@XwG
create -t ssl -b gso -T payroll-app -h adm_svr /admin
: bWñA–t ssl ∩ⁿww]≡ 443C
tm GSO snJ (GSO) \αi²zWib¬tⁿ⌠ñ GSO XαCw]AGSO OQCYS[j\αAbC GSO ΩT]GSO WM GSO KXúIs LDAP °AC
tm GSO Ob webseald.conf tm [gso-cache]q¿ñCz²CΣLitmjpH
OC°RgMD@ñOiWi
αA²OW[ΩTQSb WebSEAL OΘñICpGGSO XúObz⌠⌠MΦAún GSO C
Parameter                        Description
gso-cache-enabled                Enables or disables the GSO cache. Values are "yes" and "no"; the default is "no".
gso-cache-size                   Maximum number of entries the cache table may hold, which sets the approximate number of concurrent user sessions across GSO junctions. Larger values use more memory but hold more users; each entry takes about 50 bytes.
gso-cache-entry-lifetime         Maximum time, in seconds, that an entry may stay in the cache. Once it expires, the next request causes a new call to the LDAP server.
gso-cache-entry-idle-timeout     Maximum time, in seconds, that an inactive entry may stay in the cache.
w∩ IBM WebSphere (LTPA) µ@nJPolicy Director WebSEAL i IBM WebSphere ⌠úOBvAHO@Cϕ WebSEAL ∩≤ WebSphere wOⁿO@eAsq∩ΓiαnJIC]A
WebSEAL izL WebSEAL Xú@hí IBM WebSphere°Aµ@nJMΦC
WebSphere iú cookie íp¼≈c (LTPA)CziHtmWebSEAL XΣ LTPAABúqµ@nJMΦC
ϕnD WebSphere ΩA²qL WebSEALOAMßbqLßAúNϕ LTPA cookieC@WebSphere OO LTPA cookieA]tF¡≈HKXΩTCΩT WebSEAL M WebSphere °Aí@KXO@K≈iµ[KC
WebSEAL bnzLXe WebShpere nD HTTP YñíJ cookieCß WebSphere °A¼nDABcookie KAMß cookie ú¡≈ΩTOC
YnWiαAWebSEAL iHbñxs LTPA cookieABbPÑq@ñANxsbñ LTPA cookie ≤ß≥nDCziHxsbñ cookie tmRgOMóm]LíOC
tm LTPA XzL LTPA cookie iµ WebShpere µ@nJnHUtmG
1. LTPA ≈εC
2. ú¡≈ΩT[K≈mC
3. ú≈KXC
ziHb create ⁿOñTB∩AHKí¼oTtmDC
¶ –A ∩i²XΣ LPTA CookieC
¶ –F <“keyfile”> ∩Hiⁿw]t≤ cookie ñAn¡≈ΩT[K≈π⌠Wm]b
WebSEAL °AñC WebShpere °A²@≈ABAHwΦís WebSEAL °ACAϕ WebSphere íσ≤AHKo@SwΩTC
¶ –Z <“keyfile-password”> iⁿw≈KXC
KXbX XML ñH[KσrπC
ϕzn WebSEAL Mß WebShpere °AºíXAo∩HΣLnX∩CpG
create ... -A -F "/abc/xyz/key.file" -Z "abcdefg" ...
tm LTPA LTPA Cookie B[KMKúy¿BzWtⁿC LTPA\αi²zbWib¬tⁿ⌠ LTPA XαCw]ALTPA OwCYS[j\αAC@ß≥nDús LTPA cookieABiµ[KC
tm L T P A Ob webseald.conf tm[ltpa-cache] q¿ñC ΣLiⁿwjpHOC °RgMD@ñOiWiαA²O
W[ΩTQSb W e b S E A L OΘñIC
Parameter                        Description
ltpa-cache-enabled               Enables or disables the LTPA cache. Values are "yes" and "no"; the default is "yes".
ltpa-cache-size                  Maximum number of entries the cache table may hold, which sets the approximate number of concurrent user sessions across LTPA junctions. Larger values use more memory but hold more users; each entry takes about 50 bytes. Default 4096.
ltpa-cache-entry-lifetime        Maximum time, in seconds, that an entry may stay in the cache. Once it expires, the next request creates a new LTPA cookie. Default 3600 seconds.
ltpa-cache-entry-idle-timeout    Maximum time, in seconds, that an inactive entry may stay in the cache. Default 600 seconds.
LTPA µ@nJNN
¶ ≈]tFSw WebSphere °AΩTCC@WebSphere °AM LTPA XCpGzbPXI[JFhí°AA°A@P≈
C
¶ FαQiµµ@nJAWebSEAL M WebSphere °AbYW@Pn²ΩTC
¶ WebSphere °Atd]m LTPA H@K≈CWebSEAL hOtdXMtmC
8. Application Integration
WebSEAL ΣzL⌠A URL \α≤OtíπXC WebSEAL ⌠M HTTP Yd≥Ai²≤Otíq¡≈⌡µ@C AWebSEAL iú∩A URL]p]tdσr URLsεC
DDG
¶ yΣ CGI í]pz
¶ 193yΣß°Aíz
¶ 194y Dynamic Business Entitlementsz
¶ 198ymqHAz
¶ 200yVA URL úsεz
¶ 208yA URL dGTravel Kingdomz
Σ CGI í]pΣ CGI í]pAWebSEAL sWTB⌠ CGI C o⌠ú CGI b WebSEAL°AXß°AW⌡µC o∩ CGI íú Policy Director SBsMΩTC
b WebSEAL °AWAo⌠i CGI íC
CGI íbX≤Ot°AW⌡µ⌠AO$q WebSEAL °A HTTP YΩTúCz –c ∩XAHKúß°A HTTP nD Policy Director SYΩTC
t\152yb HTTP Yñúq¡≈ (–c)zC
ΣL Policy Director S ⌠G
CGI variable       Description
HTTP_IV_USER       Policy Director account name of the requesting user.
HTTP_IV_GROUPS     Policy Director groups of the requesting user, given as a comma-separated list; each group name is quoted.
HTTP_IV_CREDS      Encoded opaque data structure representing the Policy Director credential. It is not interpreted by the server, but it can be passed to Authorization API calls. See the Policy Director ADK Developer Reference.

REMOTE_USER on the WebSEAL server: in the WebSEAL local server environment, HTTP_IV_USER is also provided as REMOTE_USER. Note that REMOTE_USER may also appear in the environment of a CGI program executing on a junctioned back-end server; in that case, however, it is not set by WebSEAL.

CGI variable       Description
REMOTE_USER        Contains the same value as HTTP_IV_USER.
WindowsGΣ WIN32 ⌠uA≤XC
Windows úNΣt⌠úp CGI íBzC qúπznt⌠C
úLApG CGI ⌠ñSzn⌠≤ Windows t⌠AzizL webseald.conf tmATaΣi CGI íC ]NAe@ñú Policy Director ⌠úi¡xC
b webseald.conf [cgi-environment-variables] q¿ñA[J⌠≤n Windows t⌠CUCµíG
ENV = <variable-name>
pG
[cgi-environment-variables]
#ENV = SystemDrive
ENV = SystemRoot
ENV = PATH
ENV = LANG
ENV = LC_ALL
ENV = LC_CTYPE
ENV = LC_MESSAGES
ENV = LOCPATH
ENV = NLSPATH
CGI ⌠u⌠≤[µC
Σß°AíWebSEAL úi⌡µXΣAΣ@ß Web °AO$≤⌡µC o°Ai⌡µXd]AG
¶ Java servlet
¶ Cartridges for Oracle Web Listener
¶ °Aí
ϕz –c ∩∩ß°AXAWebSEAL bw∩°AnD HTTP YñAíJ Policy Director SqOMs¿ΩTC
Policy Director S HTTP YΩTi²X≤Ot°AWíq Policy Director ¡≈⌡µSw@C
WebSEAL úUC Policy Director S HTTP YG
Policy Director header   Description
iv-user                  Short name of the user. Defaults to "Unauthenticated" if the user is not authenticated.
iv-groups                List of the user's groups, given as a comma-separated list.
iv-creds                 Encoded opaque data structure representing the Policy Director credential. It is not interpreted by the server, but it can be passed to Authorization API calls. See Tivoli SecureWay Policy Director Authorization ADK Developer Reference.
o H T T P YpP⌠ H T T P _ I V _ U S E RBHTTP_IV_GROUPS M HTTP_IV_CREDSi CGI íCpGOΣLD CGI ttmA\Σ÷úíσ≤Ao÷q HTTP nDñYⁿC
t\152yb HTTP Yñúq¡≈ (–c)zC
Dynamic Business Entitlements°MΣ±qn@ entitlementAp±Ω]°∩°÷YßΩ]°∩ß÷YC
¶ @δ entitlementOíΩTFúAínΩTC]AßbßΩTMßb
ΩC
¶ w entitlementObvΩnDAnúwqδ°≤C °≤]Ab°ññΓBs
ε¡εBMwqµ÷∩ÑX°ñΓC
Policy Director iHzLuµ¼⌠OA (CDAS)v úu≈εAi²zH/íANvQΩT[JOIñCíiH Authorization API(phrase)AqñΩC÷≤Ω@ CDAS ΣLΩTA Tivoli Policy Director WebSEAL DeveloperReferenceC
LDAP Ω Business EntitlementsWebSEAL úS entitlement ≈εAi²zNwqR LDAP ΩTA@íJñCMßoiH±bnzLXeßí°An
D HTTP YñC
¶ LDAP n²bßñ⌠≤µwqRΩAQ@sW Policy Director C
¶ WebSEAL tmqñΩABNª±bnzL WebSEAL Xeß°AnD HTTP YñC
¶ ßíiHqYñΩAúnSOí
X Authorization API (phrase)C
WebSEAL w∩NR LDAP ΩTíJ HTTP Ytm]tFΓBJG
1. q LDAP ñRΩAMßbnJNΩíJñC
2. Xⁿw°≤Aqñ TΩABNªíJnzLXenD HTTP YñC
NR LDAP ΩíJnNR LDAP ΩmJΓΦkG
1. b pd.conf tm [ldap-ext-cred-tags] q¿ñFtmNⁿw LDAP ΩMgñµC
ñíNOoΦkC
2. gq CDAS AN⌠≤wqΩMgñµC
Tivoli Policy Director WebSEAL Developer Reference HKoΩ@ CDAS ΩTC
ziH pd.conf tmñ [ldap-ext-cred-tags] q¿ANLDAP inetOrgPerson ½≤OñⁿwΩAMgñwqµCq¿ñOHUµíG
<custom-credential-field> = <inetOrgPerson-field>
bñAC@$ pd.conf tmñ custom-credential-field wqWAúbr[W “tagvalue_” σrCriKPñΣLsΩTo≡CpG
inetOrgPerson ½≤O LDAP
ΩGemployeeNumber:09876
qµWG ldap-employee-number
[ldap-ext-cred-tags] q¿ñG
ldap-employee-number = employeeNumber
±bñMG
tagvalue_ldap-employee-number:09876
¶ \αnzL LDAP WMKX¡τC passwd-ldap O≈εC libldapauthn
(ldapauthn) @íwíd pd.conf tm[ldap-ext-cred-tags] q¿AHKoRwqΩTC
¶ LDAP ΩiH inetOrgPerson ½≤OñqµC
¶ ziHb [ldap-ext-cred-tags] q¿ñ±mhC
¶ q¿ñⁿwúbnJmJ
C
¶ LDAP WújpgC
¶ µWjpgC
NΩíJ HTTP YeqñwqΩTAiH±bnzLXe
ß°AnD HTTP YCÑq]tFΓ@G
1. tmXHKe\SwRΩCziH∩ WebSEALⁿO@½≤íñX½≤A]wAϕANi
HF¿@C
2. qñ TRΩTAMßNΩíJnDHTTP YñC
ziHX½≤AεSwXΩ
CW HTTP-Tag-ValueCOHUµíG
<custom-credential-field>=<http-header-field>
c u s t o m - c r e d e n t i a l - f i e l d M p d . c o n f tmñ
[ldap-ext-cred-tags] q¿@Cú]t “tagvalue_”rCjpgChttp-header-field OⁿwxsΩ HTTP YWCpG
X½≤ñ HTTP-Tag-Value G
ldap-employee-number=employee-id
ñMG
tagvalue_ldap-employee-number:09876
±b HTTP YñMG employee-id:09876
ϕ WebSEAL NnDeßí°AAWebSEAL ΣMX½≤ñtm⌠≤ HTTP-Tag-Value C
ziH pdadmin object modify set attribute ⁿOtmXMΣG
pdadmin> object modify <obj-name> set attribute <attr-name> <attr-value>
pG
pdadmin> object modify /WebSEAL/WS1/junctionA set attribute HTTP-Tag-Value ldap-employee-number=employee-id
ziHh pdadmin object modify set attribute ⁿOⁿwh HTTP-Tag-Value ]CⁿOiⁿw@AHKNhΩeX°AC
mqH AWeb JflOπX Web xAFªiHAaúSwi Web ΩqMµCΩ]A°eBΣAMuπCJfΘXπSwsvú
HΩMµClhuπsvi s
ΩC
ziH WebSEAL tm∩M Authorization API EntitlementsServiceAb Policy Director ⌠ñmqJfMΦC
mq WebSEAL JfAy]tFHUG
1. ⁿO@½≤íSwd≥AHKTwJfΩ½≤C
2. CΩ½≤í [F TT ACLC
3. sΦ WebSEAL tmAHK[JJfA URLB]tJfΩ½≤í⌠AMbsoΩn\
iv$C
4. ∩≤Jf URL nDAWebSEAL
Authorization Entitlement Service jM½≤íABúXv°≤ΩMµC
5. WebSEAL NΩT±bneß]XJf°Aa PD_PORTAL HTTP YñC
6. bß°AWqJfA]p CGI Servlet¬ PD_PORTAL YeABNeMg⌠WπíM URL CΩTϕFsε\ivi²oΩHMµC
w∩HAtm WebSEAL1. PHAs WebSEAL XCpG
pdadmin> server task <server-name> create -t tcp -h portalhost.abc.com /portal-jct
2. sΦ webseald.conf tmAHK[Js [portal-map] q¿G
[portal-map]
3. q¿ñiHOJfAí°A÷ URLAHs\ivw∩iⁿO@JfΩAiµjM
½≤íd≥CoO PD_PORTAL YñMµC
[portal-map]
<URL> = <object-space-region>:<permission>
: bjMñAuα∩]t\ivHT]w ACL Ω½≤C
4. bsWq¿AϕMgºßA½s WebSEAL(webseald)C
HAd
¶ PJf°AXG
pdadmin> server task webseald-WS1 create -t ssl -h PORTAL1 /portal
¶ wq]tHAiΩ WebSEAL ⁿO@½≤íd≥C
pdadmin> objectspace create /Resources "Portal Object Hierarchy" 10
pdadmin> object create /Resources/Content "" 10 ispolicyattachable yes
pdadmin> object create /Resources/Support "" 10 ispolicyattachable yes
pdadmin> object create /Resources/Content/CGI "" 11 ispolicyattachable yes
pdadmin> object create /Resources/Support/Servlet "" 11 ispolicyattachable yes
: C@Ω “ispolicyattachable” ú]w“yes”CjM≈εu∩πT ACL XµΩ½≤C
¶ WebSEAL tm (webseald.conf)G
[portal-map]/portal/servlet/PortalServlet = /Resources:r
¶ Jf URLG
https://WS1/portal/servlet/PortalServlet
Dynamic URLs

Many Web applications do not serve only static content addressed by fixed URLs. A request frequently carries a query string or form data that selects, at request time, the operation the application performs and the data it operates on. These dynamic URLs may exist only for the duration of one request, yet they still designate resources that must be protected.

A dynamic URL combines the base URL of a Web application (a CGI program or a server-side application) with parameters that are passed to it. The parameters, rather than the base URL, often determine which operation is requested, so access control must take the query portion into account.

Mapping ACL objects to dynamic URLs

WebSEAL's protected object space represents URLs as objects and attaches ACLs to them. A dynamic URL cannot be represented by a single static object, because its parameters vary from request to request. Policy Director solves this by mapping dynamic URL templates (patterns) to objects in the protected object space: a request whose URL matches a template is authorized against the ACL of the object the template maps to.

The dynamic URL mappings are kept in the file:

/opt/PolicyDirector/www/lib/dynurl.conf

Figure 37. A dynamic URL passed to a CGI application through a query string

The location of the mapping file is set by the dynurl-map parameter in the [server] stanza of webseald.conf:

[server]
dynurl-map = lib/dynurl.conf

The file does not exist by default. When it exists and contains entries, dynamic URL processing is enabled; when it does not exist, the feature is disabled.

Edit the file to define the mappings. Each line has the form:

<object> <template>

Policy Director uses a subset of UNIX shell pattern matching (including wildcards) to define the template that constitutes one object in the object space. Any URL that matches the template is mapped to that object.

The pattern characters supported by Policy Director are:

Character  Description
\          The character that follows the backslash is part of a special sequence; for example, \t is the TAB character. The backslash also escapes the other special characters so that they match literally.
?          Wildcard that matches exactly one character. For example, "abcde" is matched by "ab?de".
*          Wildcard that matches zero or more characters.
[]         Defines a set of characters, any one of which matches. For example, "abcde" is matched by "ab[cty]de".
^          Indicates negation. For example, [^ab] matches any character other than 'a' or 'b'.

The following dynamic URL, issued by a home-banking application, requests the balance of an account:

http://<server-name>/home-bank/owa/acct.bal?acc=<account-number>

The dynamic URL template representing balance queries for any account is:

http://<server-name>/home-bank/owa/acct.bal?acc=*

In this example the asterisk matches any account number. The ACL attached to the object that this template maps to therefore governs balance queries for every account.

Updating WebSEAL for dynamic URLs

Use the dynurl update command to load the mappings in dynurl.conf into WebSEAL's protected object space:

1. Add, modify or delete the dynamic URL entries in dynurl.conf.
2. Apply the changes by running:

pdadmin> server task webseald-<server-name> dynurl update

Figure 38. Authorizing dynamic URLs

server-name is the host name of the WebSEAL machine.

Resolving dynamic URLs in the object space

To resolve a request to a protected object, WebSEAL compares the URL against the templates in dynurl.conf in the order in which they appear, from top to bottom. The first template that matches is used, and the request is authorized against the object that template maps to.

If no template matches, WebSEAL uses the URL itself, minus the http://<server> portion, to locate the object.

Because the first match wins, the order of the entries determines which ACL applies. For example, if the book.sales application must be restricted to a small group while the other applications in the same directory remain generally accessible, the specific mapping must precede the general one:

Object              URL template
/ows/sales/bksale   /ows/db-apps/owa/book.sales*
/ows/sales/general  /ows/db-apps/owa/*

If the two lines were reversed, every application under /ows/db-apps/owa, including book.sales, would map to /ows/sales/general and the restrictive mapping would never be applied. Note that the objects on the left need not correspond to real resources on the junctioned server; they exist in the object space only to carry policy.

When a URL is compared against the templates, both GET and POST requests are processed.

In a GET request, the dynamic data is the query string appended to the URL.

In a POST request, the dynamic data is carried in the body of the request, not in the URL.

Once a dynamic URL has been resolved to an object, the ACL attached to that object decides whether the request is permitted, exactly as for any other protected object.

Configuring limits on POST requests

The data of a POST request is in the request body, whose length is given by the content-length header. To match a POST request against the templates, WebSEAL must read the body.

post-max-read

The post-max-read parameter in the [server] stanza of webseald.conf sets the maximum number of bytes of a POST request body that WebSEAL reads for dynamic URL processing. It bounds the memory and time a single large POST can consume in WebSEAL. WebSEAL reads the body only for the purpose of matching, before the request is forwarded.

When a POST request is processed against dynamic URL templates, at most post-max-read bytes of the body take part in the match. The default is 4096 bytes:

[server]
post-max-read = 4096

This parameter does not limit the size of a POST request itself, which remains unbounded; it protects WebSEAL from having to process unreasonably large POST bodies.
dynurl-allow-large-posts

post-max-read limits how much of a POST body WebSEAL reads and evaluates, but WebSEAL still forwards the whole request to the back-end server. If the back-end application does not impose its own size limit, data beyond post-max-read would reach it without having been evaluated against the dynamic URL policy.

dynurl-allow-large-posts controls what WebSEAL does when the body of a POST request is larger than post-max-read. With the default, "no", WebSEAL rejects any POST request whose content exceeds post-max-read:

[server]
dynurl-allow-large-posts = no

With "yes", WebSEAL accepts the POST request, but only the first post-max-read bytes of the body are used for template matching:

[server]
dynurl-allow-large-posts = yes

Example 1:

- A large POST request (larger than post-max-read) arrives.
- dynurl-allow-large-posts = no
- Dynamic URL processing is enabled.
- Result: the request is rejected.

Example 2:

- A large POST request (larger than post-max-read) arrives.
- dynurl-allow-large-posts = yes
- Dynamic URL processing is enabled.
- Result: WebSEAL reads post-max-read bytes of the body, maps that data against the templates to an object, and performs the authorization check on that object. The remaining data is not mapped and is not subject to a further check.

The following template is one that a large POST request could match:

/rtpi153/webapp/examples/HitCount\?*action=reset*

Summary and technical notes

- To enable WebSEAL to protect dynamic URLs, create the mapping file:

/opt/PolicyDirector/www/lib/dynurl.conf

- Each line of the file has the form:

<object> <template>

- If the file does not exist, the dynamic URL feature is disabled.
- After the file has been processed, the objects appear in WebSEAL's region of the protected object space.
- A template can contain the pattern characters listed above, or it can be a literal string with no wildcards at all.

The following example dynurl.conf defines objects representing the IBM WebSphere sample Web applications on two servers:

Object               URL template
/app_showconfig      /rtpi153/webapp/examples/ShowConfig*
/app_snoop           /rtpi153/servlet/snoop
/app_snoop           /rtpi025/servlet/snoop
/app_hitcount/ejb    /rtpi153/webapp/examples/HitCount\?source=EJB
/app_hitcount        /rtpi153/webapp/examples/HitCount*

Notes:

- Several URL templates can map to the same object; app_snoop maps the snoop servlet on two different servers.
- Objects can be nested, as app_hitcount and app_hitcount/ejb show.
- An incoming URL is compared against the templates in order, top to bottom, and the first match wins. Order therefore matters: the more specific HitCount\?source=EJB template must precede the general HitCount* template, or it would never be reached.
- To apply changes to dynurl.conf, issue the dynurl update command (through pdadmin server task). The update takes effect immediately, and the objects are displayed under WebSEAL's object space in the Web Portal Manager.
- Do not use uppercase characters in object names; use lowercase only.
- The object names must not already exist in the protected object space.
- Before removing an object from dynurl.conf, detach any ACL attached to it.
Dynamic URL example: Travel Kingdom

This example shows how a travel agency, Travel Kingdom, protects the dynamic URLs generated by applications running behind an Oracle Web Listener. The Web server in the example is Oracle Web Listener, but the approach applies to any server that generates dynamic URLs.

Travel Kingdom is a travel agency that lets customers browse and book trips over the Internet. Its Web server fronts two Oracle database applications: a travel booking application used by customers and an administration application used by staff.

1. Travel booking

Customers browse the available trips, book a trip (after registering and supplying payment details) and change an existing booking. The booking data and the customer's personal details are confidential.

2. Administration

Like any business, Travel Kingdom keeps administrative information in its database, including staff records and sales figures. Staff may view this information; only administrators may change it.

The Oracle Web Server is configured to present the following applications from the database:

/db-apps/owa/tr.browse     Browse trips by destination and date.
/db-apps/owa/tr.book       Book a trip (registered customers only; the request carries the dates and payment details).
/db-apps/owa/tr.change     Change an existing booking.
/db-apps/owa/admin.browse  Browse administrative information, such as staff records, by employee ID.
/db-apps/owa/admin.resume  View staff records.
/db-apps/owa/admin.update  Update administrative records in the database.

The Web server is junctioned to WebSEAL at the junction point /ows (Oracle Web Server), so all of its applications appear under /ows in the WebSEAL object space.

The security policy Travel Kingdom wants to enforce is:

1. Anyone may browse the available trips.
2. Registered customers may book trips and change their own bookings, but may not see other customers' bookings.
3. All staff may view administrative information.
4. Only Travel Kingdom administrators may update the database; other staff may only view it.

To implement this policy, the following dynamic URL templates are mapped to objects. The objects are chosen so that each ACL needed by the policy can be attached to one of them.

Object             URL template
/ows/tr/browse     /ows/db-apps/owa/tr.browse\?dest=*&date=??/??/????
/ows/tr/auth       /ows/db-apps/owa/tr.book\?dest=*&depart=??/??/????&return=??/??/????
/ows/tr/auth       /ows/db-apps/owa/tr.change
/ows/admin/forall  /ows/db-apps/owa/admin.resume
/ows/admin/forall  /ows/db-apps/owa/admin.browse\?empid=[th]???
/ows/admin/auth    /ows/db-apps/owa/admin.update\?empid=????

All users reach the applications through WebSEAL over an encrypted SSL connection, and authenticate to WebSEAL. The Travel Kingdom Webmaster creates the accounts in the Policy Director secure domain.

The following groups are defined:

Staff       All Travel Kingdom employees.
TKStaff     Travel Kingdom travel agents.
AdminStaff  Travel Kingdom administrators. Administrators are also members of Staff.
Customer    Travel Kingdom customers who book trips over the Internet.

Every user has a single account, authenticated by WebSEAL. Because WebSEAL performs the authentication and the Oracle Web Server is reached only through the junction, users have single sign-on to the Web applications.

The following ACLs are attached to the objects:

Object             ACL entries
/ows/tr/browse     unauthenticated Tr; any_authenticated Tr
/ows/tr/auth       unauthenticated -; any_authenticated -; group TKStaff Tr; group Customer PTr
/ows/admin/forall  unauthenticated -; any_authenticated -; group Staff Tr
/ows/admin/auth    unauthenticated -; any_authenticated -; group AdminStaff Tr

Customers and TKStaff both have read access to the booking applications. Customers, however, submit sensitive data (for example, credit card numbers) over the Internet when they book, so their entry additionally carries the P (privacy) permission, which requires the request to be protected by encryption.

WebSEAL thus provides, for the whole application:

- authentication of users
- privacy (encryption) of sensitive data in transit
- authorization (access control) on each dynamic URL

The Oracle Web Server does not need to authenticate users itself; WebSEAL authenticates them once, enforces the policy, and passes the request over the junction, giving users single sign-on.
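The following Python, added here as an illustration and not taken from the WebSEAL manual, models the behaviour this section describes: the shell-style templates in dynurl.conf are turned into anchored patterns, a request is matched against them in file order with the first match winning, a POST body is bounded by post-max-read and dynurl-allow-large-posts, and the resolved object is then checked against the Travel Kingdom ACL table. The dynurl.conf content and ACL table are the ones given in the text (plus the HitCount template used above for large POST requests). Two points are assumptions of this model rather than documented behaviour: a POST body is matched as if it were the query string, and the P (privacy) bit is treated as "the request must arrive over SSL", which is how the text explains the Customer entry. Real Policy Director ACL evaluation (inheritance, entry precedence) is not reproduced.

```python
# Added example (not part of the WebSEAL manual): a model of dynamic URL
# resolution, the POST-size limits, and the Travel Kingdom ACL checks.
import re

# Constructed dynurl.conf: the Travel Kingdom mappings plus the HitCount
# template the text uses for large POST requests.
DYNURL_CONF = r"""
/ows/tr/browse     /ows/db-apps/owa/tr.browse\?dest=*&date=??/??/????
/ows/tr/auth       /ows/db-apps/owa/tr.book\?dest=*&depart=??/??/????&return=??/??/????
/ows/tr/auth       /ows/db-apps/owa/tr.change
/ows/admin/forall  /ows/db-apps/owa/admin.resume
/ows/admin/forall  /ows/db-apps/owa/admin.browse\?empid=[th]???
/ows/admin/auth    /ows/db-apps/owa/admin.update\?empid=????
/app_hitcount      /rtpi153/webapp/examples/HitCount\?*action=reset*
"""


def template_to_regex(template):
    """Shell-style template -> anchored regex. \\ escapes the next character,
    ? matches one character, * zero or more, [...] a set, [^...] a negated set."""
    out, i, n = [], 0, len(template)
    while i < n:
        c = template[i]
        if c == "\\" and i + 1 < n:
            out.append(re.escape(template[i + 1]))
            i += 2
            continue
        if c == "?":
            out.append(".")
        elif c == "*":
            out.append(".*")
        elif c == "[" and template.find("]", i + 1) != -1:
            j = template.find("]", i + 1)
            body = template[i + 1:j]
            neg = body.startswith("^")
            chars = "".join(re.escape(ch) for ch in (body[1:] if neg else body))
            out.append("[" + ("^" if neg else "") + chars + "]")
            i = j
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def load_mappings(text):
    """Parse '<object> <template>' lines in file order; the first match wins."""
    mappings = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            obj, template = line.split(None, 1)
            mappings.append((obj, template_to_regex(template.strip())))
    return mappings


MAPPINGS = load_mappings(DYNURL_CONF)


def resolve(mappings, method, path, query="", body=b"",
            post_max_read=4096, allow_large_posts=False):
    """Return (object_name, reason); path has the http://<server> part stripped.

    GET: the dynamic data is the query string. POST: the dynamic data is the
    body; a body longer than post_max_read is rejected unless
    allow_large_posts, in which case only the first post_max_read bytes are
    matched (assumption: matched as if they were the query string).
    With no matching template the path itself is the object name."""
    if method == "POST":
        if len(body) > post_max_read and not allow_large_posts:
            return None, "rejected: POST body exceeds post-max-read"
        data = body[:post_max_read].decode("latin-1")
    else:
        data = query
    candidate = path + ("?" + data if data else "")
    for obj, rx in mappings:
        if rx.match(candidate):
            return obj, "matched template"
    return path, "no template matched"


# Constructed ACL table from the Travel Kingdom example (entry -> permissions).
ACLS = {
    "/ows/tr/browse":    {"unauthenticated": "Tr", "any_authenticated": "Tr"},
    "/ows/tr/auth":      {"group:TKStaff": "Tr", "group:Customer": "PTr"},
    "/ows/admin/forall": {"group:Staff": "Tr"},
    "/ows/admin/auth":   {"group:AdminStaff": "Tr"},
}


def authorized(obj, groups, over_ssl, acls=ACLS):
    """Simplified check: an entry applying to the caller grants r (read) and,
    where it carries P (privacy), the request came over SSL. groups is None
    for an unauthenticated caller; entries without r (the '-' rows) deny."""
    acl = acls.get(obj)
    if acl is None:
        return False
    entries = (["unauthenticated"] if groups is None
               else ["any_authenticated"] + ["group:" + g for g in groups])
    return any("r" in acl.get(e, "") and ("P" not in acl.get(e, "") or over_ssl)
               for e in entries)


if __name__ == "__main__":
    obj, why = resolve(MAPPINGS, "GET", "/ows/db-apps/owa/tr.book",
                       "dest=Rome&depart=01/07/2001&return=08/07/2001")
    print(obj, why, "customer over SSL:", authorized(obj, {"Customer"}, True),
          "customer over HTTP:", authorized(obj, {"Customer"}, False))
```

The ordering rule is visible in the data: a booking request resolves to /ows/tr/auth because that template precedes nothing more general, and a request for admin.browse whose empid does not start with t or h matches no template at all and falls back to the plain path, which has no policy in this model. For the large-POST case, a HitCount body of 5000 bytes is rejected with the default setting and matched on its first 4096 bytes when dynurl-allow-large-posts is yes.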
Appendix A. The webseald.conf configuration file

The WebSEAL configuration file, webseald.conf, contains the following stanzas:

WEBSEAL GENERAL
  [server]
LDAP
  [ldap]
SSL
  [ssl]
JUNCTION
  [junction]
  [filter-url]
  [filter-schemes]
  [script-filtering]
  [gso-cache]
  [ltpa-cache]
AUTHENTICATION
  [ba]
  [forms]
  [token]
  [certificate]
  [http-headers]
  [auth-headers]
  [ipaddr]
  [authentication-levels]
  [mpa]
  [cdsso]
  [cdsso-peers]
  [failover]
  [e-community-sso]
  [inter-domain-keys]
  [authentication-mechanisms]
  [ssl-qop]
  [ssl-qop-mgmt-hosts]
  [ssl-qop-mgmt-networks]
  [ssl-qop-mgmt-default]
SESSION
  [session]
CONTENT
  [content]
  [acnt-mgt]
  [cgi]
  [cgi-types]
  [cgi-environment-variables]
  [content-index-icons]
  [icons]
  [content-cache]
  [content-mime-types]
  [content-encodings]
LOGGING
  [logging]
AUTHORIZATION API
  [aznapi-configuration]
  [aznapi-entitlement-services]
POLICY DIRECTOR
  [policy-director]
  [manager]

WEBSEAL GENERAL

[server] stanza

Server identity
  unix-user                  UNIX account under which the WebSEAL server runs.
  unix-group                 UNIX group of the WebSEAL server.
  unix-pid-file              Location of the WebSEAL process ID file.
  server-root                Root directory of the WebSEAL server installation.
  server-name                Name under which the WebSEAL server is registered.

Threads and connections
  worker-threads             Number of WebSEAL worker threads.
  client-connect-timeout     Timeout for an initial client connection.
  persistent-con-timeout     Timeout for an HTTP/1.1 persistent connection.

HTTPS access
  https                      Enables or disables HTTPS access.
  https-port                 Port on which WebSEAL listens for HTTPS requests.

HTTP access
  http                       Enables or disables unencrypted HTTP (TCP) access.
  http-port                  Port on which WebSEAL listens for HTTP requests.

POST requests
  post-max-read              Maximum number of bytes of a POST request body that WebSEAL reads for dynamic URL processing.

Dynamic URLs
  dynurl-map                 Location of the dynamic URL to object mapping file.
  dynurl-allow-large-posts   Whether WebSEAL accepts POST requests whose body is larger than post-max-read.

URI handling
  utf8-url-support-enabled   Controls handling of UTF-8 encoded URLs.

LDAP

[ldap] stanza
  ldap-server-config             Location of the ldap.conf configuration file (set at configuration time).
  cache-enabled                  Enables or disables the LDAP cache.
  prefer-readwrite-server        Prefer a read/write LDAP server over read-only replicas.
  auth-using-compare             Authenticate by an LDAP compare of the password instead of an LDAP bind.
  default-policy-override-support  Whether user-specific policy settings override the default policy.
  user-and-group-in-same-suffix  Speeds up searches by assuming users and groups are defined under the same LDAP suffix.
  ssl-enabled                    Enables SSL for communication between WebSEAL and the LDAP server.
  ssl-keyfile                    Location of the SSL key file used for LDAP.
  ssl-keyfile-dn                 Label (DN) of the certificate in that key file.
  ssl-keyfile-pwd                Password of that key file.
  bind-dn                        Distinguished name with which the WebSEAL daemon binds (set at configuration time).
  bind-pwd                       Password of the bind DN (set at configuration time).
  host, port                     Host name and port of the LDAP server.

SSL

[ssl] stanza
  webseal-cert-keyfile           Key file holding the certificate that WebSEAL presents to clients during the SSL handshake.
  webseal-cert-keyfile-pwd       Password of that key file.
  webseal-cert-keyfile-stash     Stash file containing that password.
  webseal-cert-keyfile-label     Label of the certificate to present when it is not the default certificate in the key file.
  ssl-keyfile                    Key file used for WebSEAL's internal (server-to-server) SSL communication.
  ssl-keyfile-pwd                Password of that key file.
  ssl-keyfile-stash              Stash file containing that password.
  ssl-keyfile-label              Label of the certificate to use for internal communication when it is not the default.
  disable-ssl-v2                 Disables SSL version 2 for client connections.
  disable-ssl-v3                 Disables SSL version 3 for client connections.
  disable-tls-v1                 Disables TLS version 1 for client connections.
  ssl-v2-timeout                 Timeout of the GSKit SSL V2 session ID cache.
  ssl-v3-timeout                 Timeout of the GSKit SSL V3 session ID cache.
  ssl-max-entries                Maximum number of entries in the GSKit SSL session ID cache.
  ssl-ldap-server                LDAP server used for certificate revocation list (CRL) checking.
  ssl-ldap-server-port           Port of the CRL LDAP server.
  ssl-ldap-user                  User name for the CRL LDAP server.
  ssl-ldap-user-password         Password of that user.
  ssl-auto-refresh
  ssl-listening-port
  ssl-pwd-life
  ssl-authn-type

JUNCTION

[junction] stanza
  junction-db                Location of the junction database.
  jmt-map                    Location of the junction mapping table (JMT) file.
  http-timeout               Send and receive timeout for TCP junctions.
  https-timeout              Send and receive timeout for SSL junctions.
  ping-time                  Interval at which WebSEAL pings junctioned servers to check that they are up.
  basicauth-dummy-passwd     Password placed in the BA header for junctions created with -b supply.
  worker-thread-hard-limit   Hard limit on the percentage of worker threads that may serve a single junction.
  worker-thread-soft-limit   Soft limit on the percentage of worker threads serving a single junction.
  io-buffer-size             Size of the buffer used for reading from and writing to junctions.

Filtering
  [filter-url] stanza
    <tag> = <attribute>      HTML tags and attributes in which WebSEAL filters URLs returned by junctioned servers.
  [filter-schemes] stanza
    scheme = <scheme-name>   URL schemes that WebSEAL filters in responses from junctioned servers.
  [script-filtering] stanza
    script-filter            Enables or disables filtering of URLs embedded in scripts returned by junctioned servers.

GSO
  [gso-cache] stanza
    gso-cache-enabled            Enables or disables the GSO cache.
    gso-cache-size               Maximum number of entries in the GSO cache.
    gso-cache-entry-lifetime     Maximum lifetime of a GSO cache entry.
    gso-cache-entry-idle-timeout Idle timeout of a GSO cache entry.

LTPA
  [ltpa-cache] stanza
    ltpa-cache-enabled             Enables or disables the LTPA cache.
    ltpa-cache-size                Maximum number of entries in the LTPA cache.
    ltpa-cache-entry-lifetime      Maximum lifetime of an LTPA cache entry.
    ltpa-cache-entry-idle-timeout  Idle timeout of an LTPA cache entry.

AUTHENTICATION

Basic authentication
  [ba] stanza
    ba-auth                Enables the basic authentication mechanism (and on which protocols).
    basic-auth-realm       Realm name shown in the browser's basic authentication login prompt.

Forms
  [forms] stanza
    forms-auth             Enables forms-based authentication.

Token
  [token] stanza
    token-auth             Enables authentication with a token passcode.

Certificates
  [certificate] stanza
    accept-client-certs    Configures how WebSEAL handles client-side certificates.

HTTP headers
  [http-headers] stanza
    http-headers-auth      Enables authentication by HTTP header.
  [auth-headers] stanza
    header = <name>        HTTP headers accepted for authentication.

IP address
  [ipaddr] stanza
    ipaddr-auth            Enables authentication by IP address.

Authentication levels
  [authentication-levels] stanza
    level = unauthenticated
    level = password       Ordered list of authentication levels for step-up authentication.

Multiplexing proxy agents
  [mpa] stanza
    mpa                    Enables support for multiplexing proxy agents.

CDSSO
  [cdsso] stanza
    cdsso-auth             Enables cross-domain single sign-on authentication.
    authtoken-lifetime     Lifetime of a CDSSO authentication token.
  [cdsso-peers] stanza
    <machine-name> = <keyfile-location>   Key file used with each CDSSO peer.

FAILOVER
  [failover] stanza
    failover-auth                       Enables authentication with failover cookies.
    failover-cookies-keyfile            Location of the cookie encryption key created with cdsso_key_gen.
    failover-cookie-lifetime            Lifetime of the failover cookie.
    enable-failover-cookie-for-domain   Issues the failover cookie as a domain cookie instead of a server cookie.

e-COMMUNITY SSO
  [e-community-sso] stanza
    e-community-sso-auth     Enables e-community single sign-on.
    e-community-name         Name of the e-community placed in vouch-for requests.
    intra-domain-key         Key file shared by the WebSEAL servers within one DNS domain.
    is-master-authn-server   Whether this WebSEAL is the master authentication server.
    master-authn-server      Name of the master authentication server (when this server is not it).
    master-http-port         HTTP port of the master authentication server.
    master-https-port        HTTPS port of the master authentication server.
    vf-token-lifetime        Lifetime of a vouch-for token.
    vf-url                   URL of the vouch-for resource.
    ec-cookie-lifetime       Lifetime of the e-community cookie.
  [inter-domain-keys] stanza
    <domain-name> = <keyfile>   Key file shared with each other domain in the e-community.

Authentication mechanisms and libraries
  [authentication-mechanisms] stanza
    passwd-cdas, passwd-ldap, passwd-uraf, token-cdas, cert-ssl, cert-cdas, http-request, cdsso, passwd-strength, cred-ext-attrs
                             Each authentication mechanism and the shared library that implements it.

SSL quality of protection
  [ssl-qop] stanza
    ssl-qop-mgmt             Enables quality of protection management.
  [ssl-qop-mgmt-hosts] stanza
    <ip-address>             QOP encryption level for a specific host.
  [ssl-qop-mgmt-networks] stanza
    <ip-address/mask>        QOP encryption level for a network.
  [ssl-qop-mgmt-default] stanza
    default                  QOP encryption level for all other IP addresses.

SESSION

[session] stanza
  max-entries              Maximum number of entries in the WebSEAL credential/session cache.
  timeout                  Maximum lifetime of an entry in the session cache.
  inactive-timeout         Inactivity timeout of a session cache entry.
  ssl-id-sessions          Use the SSL session ID as the HTTPS session identifier.
  use-same-session         Share one session ID between HTTP and HTTPS.
  resend-webseal-cookies   Resend the session and failover cookies on every response.

CONTENT

[content] stanza
  doc-root                 Root directory of WebSEAL's own document tree.
  directory-index          File name of the directory index page.
  delete-trash-dir         Delete the trash directory and its contents on restart.
  user-dir                 Name of the subdirectory of a user's home directory that holds personal HTML documents.
  error-dir                Directory containing WebSEAL's error message pages.

Account management
  [acnt-mgt] stanza
    mgt-pages-root           Directory of the account management pages.
    login                    Login form page.
    logout                   Page displayed after logout.
    account-locked           Page displayed when an account is locked.
    passwd-expired           Page displayed when a password has expired.
    passwd-change            Password change form.
    passwd-change-success    Page displayed after a successful password change.
    passwd-change-failure    Page displayed after a failed password change.
    help                     Help page.
    token-login              Token login form.
    next-token               Next-token form.
    stepup-login             Step-up authentication login form.

CGI
  [cgi] stanza
    cgi-timeout              Timeout for reading from and writing to a CGI program.
  [cgi-types] stanza
    bat = cmd, cmd = cmd, pl = perl, sh = sh, tcl = tclsh76
                             On Win32 servers, the interpreter to run for each CGI file extension.
  [cgi-environment-variables] stanza
    ENV                      Environment variables passed to CGI programs.

Directory index icons
  [content-index-icons] stanza
    image/*, video/*, audio/*, text/html, text/*, application/x-tar, application/*
                             Icon displayed for each MIME type in directory listings that WebSEAL generates when no index.html exists.
  [icons] stanza
    diricon                  Icon for a subdirectory.
    backicon                 Icon for the parent directory.
    unknownicon              Icon for an unknown file type.

Document caching
  [content-cache] stanza
    text/html, image/*, */*  MIME types that WebSEAL caches in memory, with the cache size for each.

MIME types
  [content-mime-types] stanza
    <extension> = <type>     MIME type assigned to each file extension.
    deftype                  Default MIME type for files whose extension is not listed.

Content encodings
  [content-encodings] stanza
    gz, Z                    File extensions that denote an encoded document and the encoding to report.

LOGGING

[logging] stanza
  server-log               Location of the server log.
  max-size                 Size at which an HTTP log is rolled over.
  flush-time               Interval at which HTTP log buffers are flushed.
  requests                 Enables the HTTP request log.
  requests-file            Location of the request log.
  referers                 Enables the HTTP referer log.
  referers-file            Location of the referer log.
  agents                   Enables the HTTP user agent log.
  agents-file              Location of the user agent log.
  gmt-time                 Record request times in GMT instead of local time.

AUTHORIZATION API

[aznapi-configuration] stanza
  db-file                  Location of the local authorization policy database replica.
  cache-refresh-interval   Interval at which the replica polls the master authorization server for updates.
  listen-flags             Enables listening for policy update notifications.
  tcp-port                 TCP port for update notifications.
  udp-port                 UDP port for update notifications.

Authorization API logging
  logclientid = webseald
  logsize                  Size at which the audit log is rolled over.
  logflush                 Interval at which the audit log buffer is flushed.
  logaudit                 Enables auditing.
  auditlog                 Location of the audit log.
  auditcfg = azn           Audit authorization events.
  auditcfg = authn         Audit authentication events.
  auditcfg = wand          Audit WebSEAL events.

AZNAPI service definitions
  <service-id>
  mode
  azn-server-name
  pd-user-name

[aznapi-entitlement-services] stanza
  AZN_ENT_EXT_ATTR

POLICY DIRECTOR

[policy-director] stanza
  config-file              Location of the pd.conf configuration file.

[manager] stanza
  master-host
  master-port
  master-dn
Appendix B. WebSEAL junctions

The pdadmin utility provides a command-line interface for creating and managing WebSEAL junctions.

Topics:

- Using pdadmin server task for junctions (page 229)
- Junction commands (page 231)
- Creating a new junction (page 232)
- Adding a server to an existing junction (page 235)

Using pdadmin server task for junctions

Before using pdadmin, log in to the secure domain as the administrative user sec_master.

For example:

UNIX:

# pdadmin
pdadmin> login
Enter User ID: sec_master
Enter Password:
pdadmin>

Windows:

MSDOS> pdadmin
pdadmin> login
Enter User ID: sec_master
Enter Password:
pdadmin>

Alternatively, supply the user name and password on the command line to reach the same prompt directly:

# pdadmin -a sec_master -p <password>
pdadmin>

To manage WebSEAL junctions, use the pdadmin server task command:

pdadmin> server task <server-name> <task>

server-name identifies the Policy Director component (in this case WebSEAL) and the machine it runs on:

<policy-director-component>-<machine-name>

For example, for the WebSEAL component on a machine named cruz, server-name is:

webseald-cruz

The server list command shows the server-name values that exist:

pdadmin> server list
webseald-cruz

Creating a WebSEAL junction requires:

- the host name of the back-end server (-h option)
- the junction type: tcp, ssl, tcpproxy, sslproxy or local (-t option)
- the junction point (the mount point in the WebSEAL object space)

pdadmin> server task <server-name> create -t <type> -h <host-name> <jct-point>

Junction commands

The following junction commands are available through pdadmin server task:

Command     Description
create      Create a new junction for an initial server.
add         Add an additional server to an existing junction point.
remove      Remove a server from a junction point.
            Syntax: remove -i <server-id> <junction-point>
delete      Delete a junction point.
            Syntax: delete <junction-point>
list        List all junction points on the server.
            Syntax: list
show        Display the details of a junction point, including the ID of each junctioned server (used with remove -i).
            Syntax: show <junction-point>
jmt load    Load the junction mapping table (jmt.conf) into WebSEAL so that server-relative URLs can be processed.
jmt clear   Clear the junction mapping table data held by WebSEAL.
help        List the junction commands.
            Syntax: help
            help <command> displays the description of a specific junction command.
exit        Exit the pdadmin utility.
            Syntax: exit

The following sections describe the command options.

Creating a new junction for an initial server

Operation: creates a new junction point and junctions an initial server.

Syntax:

create -t <type> -h <host-name> [<options>] <junction-point>

Junction type

-t <type>   Required. Type of the junction point: one of tcp, ssl, tcpproxy, sslproxy, local.
            -t tcp uses port 80 by default; -t ssl uses port 443 by default.

Host name

-h <host-name>   Required. DNS host name or IP address of the back-end server.

Options

Mutual authentication over SSL

-K <key-label>      Label of the WebSEAL client certificate used to authenticate WebSEAL to the back-end server.
-B                  WebSEAL authenticates to the back-end server with a BA header containing its own user name and password. Requires -U, -W and -b filter.
-U <"username">     WebSEAL's user name. Sent in the BA header to the back-end server with -B.
-W <"password">     WebSEAL's password. Sent in the BA header to the back-end server with -B.
-D <"DN">           Distinguished name of the back-end server's certificate. When specified, the DN in the server certificate must match it, strengthening authentication of the server.

Proxy junction options (require -t tcpproxy or -t sslproxy)

-H <host-name>      DNS host name or IP address of the proxy server.
-P <port>           TCP port of the proxy server.

Supplying BA header information

-b <BA-value>       Defines how WebSEAL handles the HTTP basic authentication (BA) header when passing the request to the back-end server. One of:
                    filter (default), ignore, supply, gso

General TCP and SSL junction options

-c <id-types>       Insert Policy Director identity information into HTTP headers sent over the junction. id-types is any combination of the following, or all:
                    iv-user, iv-user-l, iv-groups, iv-creds, all
-i                  The back-end server treats URLs as case-insensitive.
-j                  Supply a junction cookie so that server-relative URLs generated by scripts are handled correctly.
-k                  Send the session cookie to the back-end portal server.
-p <port>           TCP port of the back-end server. Default 80 for TCP junctions; 443 for SSL junctions.
-q <url>            Relative URL of the query_contents script. Policy Director looks for query_contents in /cgi_bin/ by default; use this option when the script is installed elsewhere or under a different name.
-r                  Insert the client's IP address into an HTTP header sent over the junction.
-s                  Specifies that the junction is stateful. By default, junctions are not stateful.
-T <resource/resource-group>   Name of the GSO resource or resource group. Required with, and valid only for, -b gso.
-u <UUID>           UUID of a back-end server added to a stateful junction (-s).
-v <virt-host-name> Virtual host name of the back-end server. Use it when the back-end server is configured as a virtual host. By default the Host header of a request sent over a junction names the junctioned server; a server hosting several virtual hosts would then serve the wrong site. This option makes WebSEAL send the virtual host name instead, so the back-end server (which may also be configured to expect that name) responds correctly.
-w                  The back-end server uses a Win32 file system.

LTPA junctions

-A                  Enable LTPA cookies on the junction.
-F <"keyfile">      Location of the key file used to encrypt the LTPA cookie data.
-Z <"keyfile-password">   Password of that key file.

WebSEAL-to-WebSEAL SSL junctions

-C                  Mutual authentication over SSL between a front-end WebSEAL server and a back-end WebSEAL server. Requires -t ssl or -t sslproxy.

Local junction options (used with -t local)

-d <dir>            Local directory to junction. Required.
-f                  Force the creation of the junction, replacing an existing junction.

Junction point

The name of the junction point in the WebSEAL protected object space where the junction is mounted.

Adding a server to an existing junction

Operation: adds an additional back-end server to an existing junction point.

Syntax:

add -h <host-name> [<options>] <junction-point>

Host name

-h <host-name>   Required. DNS host name or IP address of the back-end server.

Options

Mutual authentication over SSL

-D <"DN">           Distinguished name of the back-end server's certificate; when specified, the DN in the server certificate must match it.

Proxy junction options (require -t tcpproxy or -t sslproxy on the junction)

-H <host-name>      DNS host name or IP address of the proxy server.
-P <port>           TCP port of the proxy server.

General TCP and SSL junction options

-i                  The back-end server treats URLs as case-insensitive.
-j                  Supply a junction cookie so that server-relative URLs generated by scripts are handled correctly.
-p <port>           TCP port of the back-end server. Default 80 for TCP junctions; 443 for SSL junctions.
-q <url>            Relative URL of the query_contents script, when it is not at the default /cgi_bin/ location or has another name.
-u <UUID>           UUID of the back-end server, for a stateful junction (-s).
-v <virt-host-name> Virtual host name of the back-end server (see the create command for details).
-w                  The back-end server uses a Win32 file system.

Junction point

The name of the existing junction point to which the server is added.
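The following Python is an added illustration, not code from the WebSEAL manual or product, of how the create options -b, -B/-U/-W, -c, -r and -v described above shape the request that reaches the back-end server. The session record and browser headers are constructed for the example; the header names are the ones the reference lists, while the exact formatting of the iv-groups value and the rule that client-supplied iv-* headers are discarded are assumptions of this model rather than statements about WebSEAL internals.

```python
# Added example (not part of the WebSEAL manual): models how junction create
# options shape the headers WebSEAL forwards to a junctioned server.
import base64


def _basic(user, password):
    """Build an HTTP Basic Authorization header value."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def outbound_headers(client_headers, session, junction):
    """Return the headers sent to the back-end server.

    client_headers: headers received from the browser.
    session: the authenticated user's identity (see SESSION below).
    junction: pdadmin create options as a dict, e.g. {"-b": "supply",
              "-c": "iv-user,iv-groups", "-r": True, "-v": "www.example.com"}.
    """
    # Drop the client's Authorization header and any client-supplied iv-*
    # headers so a browser cannot forge an identity (a property any such
    # proxy needs; modelled here, not a description of WebSEAL internals).
    out = {k: v for k, v in client_headers.items()
           if k.lower() != "authorization" and not k.lower().startswith("iv-")}

    mode = junction.get("-b", "filter")          # -b filter is the default
    if mode == "ignore" and "Authorization" in client_headers:
        out["Authorization"] = client_headers["Authorization"]  # passed through as is
    elif mode == "supply":
        # Policy Director user name with the basicauth-dummy-passwd value
        out["Authorization"] = _basic(session["user"], junction["dummy_passwd"])
    elif mode == "gso":
        user, pwd = session["gso"]               # from the GSO resource named by -T
        out["Authorization"] = _basic(user, pwd)
    # mode == "filter": the header is simply removed

    if junction.get("-B"):                       # WebSEAL authenticates itself
        if mode != "filter":                     # -B requires -U, -W and -b filter
            raise ValueError("-B requires -b filter")
        out["Authorization"] = _basic(junction["-U"], junction["-W"])

    ids = junction.get("-c", "")
    wanted = ({"iv-user", "iv-user-l", "iv-groups", "iv-creds"} if ids == "all"
              else {i.strip() for i in ids.split(",") if i.strip()})
    if "iv-user" in wanted:
        out["iv-user"] = session["user"]
    if "iv-user-l" in wanted:
        out["iv-user-l"] = session["user_dn"]    # full LDAP DN of the user
    if "iv-groups" in wanted:                    # assumed format: "g1","g2"
        out["iv-groups"] = ",".join(f'"{g}"' for g in session["groups"])
    if "iv-creds" in wanted:
        out["iv-creds"] = session["creds"]       # encoded Policy Director credential
    if junction.get("-r"):
        out["iv-remote-address"] = session["ip"]
    if junction.get("-v"):
        out["Host"] = junction["-v"]             # virtual host name of the back-end
    return out


# Constructed session for the examples.
SESSION = {
    "user": "alice", "user_dn": "cn=alice,o=example,c=us",
    "groups": ["Customer", "Staff"], "creds": "BASE64-ENCODED-CREDENTIAL",
    "ip": "192.0.2.10", "gso": ("alice-oracle", "oracle-pass"),
}

if __name__ == "__main__":
    browser = {"Authorization": "Basic Zm9vOmJhcg==", "Accept": "*/*",
               "iv-user": "spoofed"}
    hdrs = outbound_headers(browser, SESSION,
                            {"-b": "filter", "-c": "iv-user,iv-groups", "-r": True})
    for k, v in hdrs.items():
        print(f"{k}: {v}")
```

Run as a script, the example shows the default -b filter behaviour: the browser's Authorization header and its forged iv-user header are gone, and the back-end receives iv-user, iv-groups and iv-remote-address derived from WebSEAL's own session data. Switching to -b supply or -b gso replaces the Authorization header with WebSEAL-generated credentials, and -B with any mode other than filter is rejected, matching the reference's requirement.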
Appendix C. iKeyman key management

The iKeyman utility is a graphical tool for managing keys and certificates. With iKeyman you can create and open key databases, add root CA certificates, create self-signed certificates, move certificates from one database to another, request certificates from a CA and receive the signed result, set the default key, and change the key database password.

iKeyman is installed as part of the Global Security Kit (GSKit) that ships with Policy Director.

Topics:

- Starting iKeyman (page 238)
- The default WebSEAL key database (page 239)
- Creating a new key database (page 241)
- Creating a self-signed certificate (page 244)
- Adding a root CA certificate (page 246)
- Deleting a root CA certificate (page 247)
- Moving certificates between key databases (page 247)
- Requesting a server certificate (page 251)
- Receiving a certificate (page 253)
- Deleting a certificate (page 253)
- Setting a certificate as the default key (page 254)
- Changing the key database password (page 255)

Starting iKeyman

Start iKeyman from a system command prompt:

Windows:

MSDOS> /Program Files/IBM/gsk4/bin/gsk4ikm.exe

UNIX:

# /usr/bin/gsk4ikm

The IBM Key Management window opens.

Figure 39. The IBM Key Management window

The default WebSEAL key database

A key database contains the certificates WebSEAL uses to authenticate itself to clients and to other servers, together with the root CA certificates it trusts.

At installation, WebSEAL is given a default key database, pdsrv.kdb. It contains the default WebSEAL certificate (key label "Policy Director") and a set of root CA certificates.

To open the default WebSEAL key database:

1. In the IBM Key Management window, select Open from the Key Database File menu.
2. In the Open dialog, browse to the directory:

UNIX: /opt/PolicyDirector/lib/certs
Windows: C:\Program Files\Tivoli\Policy Director\lib\certs

3. Select the file:

pdsrv.kdb

4. Click Open.

The Password Prompt dialog appears.

5. Enter the default WebSEAL key database password:

pdsrv

6. Click OK.

The contents of the key database are displayed in the main window.

Note: The default password is the same for every installation and is printed in this guide. Change it (see "Changing the key database password" on page 255) before the server is exposed to untrusted networks, and re-create the stash file afterwards so WebSEAL can still open the database.

The Personal Certificates view now shows the default WebSEAL certificate, labelled "Policy Director". An asterisk marks it as the default certificate.

See Figure 40 on page 240.

Select Signer Certificates from the drop-down list to display the root certificate authority (CA) certificates in the database.

See Figure 41 on page 241.

Figure 40. The default WebSEAL key database pdsrv.kdb: the WebSEAL certificate

Creating a new key database

A key database contains the certificates WebSEAL uses to authenticate itself to clients and to other servers, together with the root CA certificates it trusts.

At installation, WebSEAL is given a default key database, pdsrv.kdb, containing the default WebSEAL certificate (key label "Policy Director") and a set of root CA certificates.

You can continue to use the default key database, or create a new one. If you create a new database and want WebSEAL to use it, point WebSEAL at the new file with the key file parameters in the WebSEAL configuration file. See "Configuring the WebSEAL key database" on page 40.

Figure 41. The default WebSEAL key database pdsrv.kdb: signer certificates

To create a new key database:

1. In the IBM Key Management window, select New from the Key Database File menu.

The New dialog appears.

2. For the key database type, select "CMS key database file".
3. Enter a file name, for example key.kdb.
4. Accept the default location, enter another location, or click Browse to select one.
5. Click OK.

The Password Prompt dialog appears.

6. Enter the password in the Password field and enter it again in the Confirm Password field.
7. Optionally, select "Set expiration time" and enter the number of days the password is valid.
8. Optionally, select "Stash the password to a file".

The stash file is given the same name as the database with the extension .sth.

WebSEAL reads the password from the stash file at startup, so if you want WebSEAL to open this database unattended, stash the password and set the corresponding stash file parameter in the WebSEAL configuration file. See "Configuring the WebSEAL key database" on page 40.

9. Click OK.

A confirmation dialog reports that the key database has been created.

Figure 42. The New dialog

10. Click OK.

The new key database is opened in the IBM Key Management window, with its name shown in the Key database information area.

A new key database contains the following signer certificates, supplied with iKeyman:

- RSA Secure Server CA
- Thawte Personal Premium CA
- Thawte Personal Freemail CA
- Thawte Personal Basic CA
- Thawte Premium Server CA
- Thawte Server CA
- VeriSign Class 1 Public Primary CA
- VeriSign Class 2 Public Primary CA
- VeriSign Class 3 Public Primary CA
- VeriSign Test CA Root Certificate

These are the root certificates of well-known certificate authorities (CAs). WebSEAL trusts certificates issued by these CAs.

If the CA you use is not in the list, request its root certificate from the CA and add it to the key database. See "Adding a root CA certificate" on page 246.

Note: The "VeriSign Test CA Root Certificate" is a test CA, included for testing only. Remove this root certificate before putting the key database into production.

A new key database contains only signer certificates. Before WebSEAL can authenticate itself to clients and to other servers with this database, you must add a personal certificate to it, either by requesting one from a CA or by creating a self-signed certificate for testing. Personal certificates are shown in the Personal Certificates view.

See "Requesting a server certificate" on page 251.

See "Receiving a certificate" on page 253.

Creating a self-signed certificate

A self-signed certificate is signed by its own key rather than by a CA. iKeyman can create one for testing. Self-signed certificates are useful while you wait for a CA to issue a certificate, and for tests in which the parties do not require a CA's vouching.

Note: A self-signed certificate provides no assurance of identity to other parties; nobody but its creator vouches for it. Use one only in test environments, never for a production server.

At installation, WebSEAL is given a "Policy Director" self-signed certificate. You can keep using it in test environments or create your own.

To create a self-signed certificate:

1. Open pdsrv.kdb or another key database in iKeyman.

The name of the open database is shown in the Key database information area of the IBM Key Management window.

2. Select Personal Certificates from the drop-down list.
3. Click the New Self-Signed button.

The Create New Self-Signed Certificate dialog appears.

4. Enter a key label, for example "test-cert".
5. Enter the Common Name and Organization, and select the Country. The remaining fields are optional; you can accept the defaults or enter values.

See Figure 43 on page 245.

6. Click OK.

The Personal Certificates view of the IBM Key Management window now shows the new self-signed certificate.

Figure 43. Creating a self-signed certificate

Adding a root CA certificate

Before you can add the root certificate of a CA, you must obtain it from the CA. Each CA has its own procedure; consult the CA for details.

Once you have received the root certificate from the CA, add it to the key database. Most root certificates arrive as *.arm files, for example cert.arm.

To add a root CA certificate to the key database:

1. In the IBM Key Management window, select Signer Certificates from the drop-down list.
2. Click Add.

The Add CA's Certificate from a File dialog appears.

3. From the Data type drop-down list, select "Base64-encoded ASCII data".
4. Enter the file name and location of the root CA certificate, or click Browse to select it.
5. Click OK.

The Enter a Label dialog appears.

6. Enter a label for the root CA certificate, for example "VeriSign Root CA", and click OK.

Figure 44. The Add CA's Certificate dialog

The Signer Certificates view now includes the root CA certificate you added.

Deleting a root CA certificate

If you no longer use a CA, or no longer want to trust one of the signer certificates, delete the root CA certificate from the key database.

Note: Before deleting a root CA certificate, extract a copy of it to a file, in case you need to trust that CA again later.

To delete a root CA certificate from the key database:

1. In the IBM Key Management window, select Signer Certificates from the drop-down list.
2. Select the root CA certificate you want to delete.
3. Click Delete.

A confirmation dialog appears.

4. Click Yes.

The Signer Certificates view no longer shows the deleted root CA certificate.

Moving certificates between key databases

After you have created a self-signed certificate or received one from a CA, you may need to move it from one key database to another. There are three ways to move a certificate between key databases:

- Extract the certificate to a file and add it to the other database.
- Import it from the other key database.
- Export it to the other key database.

Extracting a certificate to a file and adding it

To extract a certificate from one key database and add it to another:

1. Open the source key database.
2. From the drop-down list in the IBM Key Management window, select the type of certificate to extract: Personal Certificates or Signer Certificates.
3. Select the certificate to move.
4. For a personal certificate, click Extract Certificate; for a signer certificate, click Extract.

The Extract Certificate to a File dialog appears.

5. From the Data type drop-down list, select "Base64-encoded ASCII data".

The data type must match the type in which the certificate will be added. iKeyman supports Base64-encoded ASCII and binary DER.

6. Enter the file name and location for the extracted certificate, or click Browse to select them.
7. Click OK.

The certificate is written to the file.

To add the extracted certificate to the other key database:

1. Open the target key database.

Figure 45. Extracting a certificate

2. From the drop-down list, select the type of certificate to add: Personal Certificates or Signer Certificates.
3. For a personal certificate, click Receive; for a signer certificate, click Add.
4. Enter the file name and location of the extracted certificate, or click Browse to select it.
5. Click OK.
6. A confirmation dialog asks whether the certificate is to become the default key. Click Yes or No.

The certificate now appears in the list for the target key database.

Importing from another key database

To import a certificate from another key database into the open one:

1. Open the target key database.
2. From the drop-down list in the IBM Key Management window, select the type of certificate to import: Personal Certificates or Signer Certificates.
3. Click Import/Export.

The Import/Export Key dialog appears.

4. Under Choose Action Type, select Import Key.
5. From the Key file type drop-down list, select CMS key database file.

Figure 46. Receiving a certificate from a file

6. Enter the file name and location of the key database containing the certificate to import, or click Browse to select it.
7. Click OK.

The Password Prompt dialog appears.

8. Enter the password of the source key database and click OK.

The Select from Key Label List dialog appears.

9. Select the certificate to import and click OK.

The imported certificate appears in the list for the open key database.

Exporting to another key database

To export a certificate from the open key database into another one:

1. Open the source key database.
2. From the drop-down list in the IBM Key Management window, select the type of certificate to export: Personal Certificates or Signer Certificates.
3. Select the certificate to export.
4. Click Import/Export.

The Import/Export Key dialog appears.

5. Under Choose Action Type, select Export Key.

Figure 47. The Import/Export Key dialog

6. From the Key file type drop-down list, select CMS key database file.
7. Enter the file name and location of the target key database, or click Browse to select it.

Note: A warning may appear stating that the target key database already exists. Click Yes; the certificate is added to the existing database and nothing in it is lost.

8. Click OK.

The Password Prompt dialog appears.

9. Enter the password of the target key database and click OK.
10. When you open the target key database, the exported certificate appears in its list.

Requesting a server certificate

WebSEAL needs a certificate signed by a CA to authenticate itself to SSL clients. WebSEAL may also need a certificate to authenticate itself to other servers, for example when a junction is created with the -K option for mutual authentication with a back-end server.

iKeyman creates the certificate request; you then submit the request to the CA.

To create a certificate request:

Figure 48. The Import/Export Key dialog

1. In the IBM Key Management window, select Personal Certificate Requests from the drop-down list.
2. Click New.

The Create New Key and Certificate Request dialog appears.

3. Enter a key label for the request.
4. Enter the Common Name and Organization, and select the Country. The remaining fields are optional; you can accept the defaults or enter values.
5. Enter the file name and location for the request file, or click Browse to select them.
6. Click OK.

A confirmation dialog reports that the request has been created.

7. Click OK.

The Personal Certificate Requests view of the IBM Key Management window now shows the label of the new request.

Figure 49. Creating a new key and certificate request

8. Submit the request to the CA following the CA's procedure. Typically you paste the contents of the request file into the CA's request form.

Receiving a certificate

Once the CA has issued the certificate, receive it into the key database that holds the corresponding request.

To receive a certificate:

1. In the IBM Key Management window, select Personal Certificates from the drop-down list.
2. Click Receive.

The Receive Certificate from a File dialog appears.

3. From the Data type drop-down list, select "Base64-encoded ASCII data".
4. Enter the file name and location of the certificate, or click Browse to select it.

Note: If the CA sent the certificate in an e-mail message, save the certificate to a file first.

5. Click OK.
6. The Enter a Label dialog appears.
7. Enter a label for the certificate and click OK.

The Personal Certificates view now shows the received certificate.

Deleting a certificate

If you no longer use a certificate, delete it from the key database.

Note: Before deleting a certificate, extract a copy of it to a file, in case you need it again later.

To delete a certificate:

1. In the IBM Key Management window, select Personal Certificates from the drop-down list.
2. Select the certificate to delete and click Delete.

A confirmation dialog appears.

3. Click Yes.

The Personal Certificates view no longer shows the deleted certificate.

Setting a certificate as the default key

iKeyman lets you set which personal certificate is the default key, the one WebSEAL uses when more than one personal certificate is in the key database. If you started with a self-signed certificate for testing and later received a certificate from a CA, the database contains more than one personal certificate.

When the CA-signed certificate has been received, you can keep the self-signed certificate in the database and make the CA-signed certificate the default key. The default key is marked with an asterisk (*).

A received or newly created certificate does not become the default key automatically. The first personal certificate created in a new database is the default; any certificate added afterwards is not, unless you set it. You can change the default at any time.

To change the default key:

1. In the IBM Key Management window, select Personal Certificates from the drop-down list.

The default key is marked with an asterisk (*).

2. Select the certificate you want to make the default and click View/Edit (or double-click it).

The Key Information dialog appears.

3. Select the "Set the certificate as the default" check box and click OK.

The selected certificate is now marked with the asterisk (*) as the default key.

Changing the key database password

iKeyman lets you change the password of a key database.

To change the password of a key database:

1. Open the key database.
2. From the Key Database File menu, select Change Password.

The Change Password dialog appears.

3. Enter the new password in the Password field and enter it again in the Confirm Password field.
4. Optionally, select "Set expiration time".
5. Optionally, select "Stash the password to a file". If WebSEAL reads the password from a stash file, you must stash the new password, or WebSEAL will no longer be able to open the database.
6. Click OK.

A message in the status line confirms that the password has been changed.
Index

Dynamic URLs
    dynurl update 203
    dynurl-allow-large-posts 205
    dynurl-map 202
    dynurl.conf 201
    GET and POST methods 204
    mapping ACL objects to 201
    overview 201
    post-max-read 205
    POST request limits 205
    resolving in the object space 204
    summary and technical notes 206
    Travel Kingdom example 208
    updating WebSEAL (dynurl update) 203

Junctions
    authentication options (-D, -K, -B, -U, -W) 144
    BA header authentication (-B, -U, -W) 146
    case-insensitive URLs (-i) 155
    client IP address in HTTP header (-r) 154
    commands 229
    cookie handling of server-relative URLs 157
    DN matching (-D) 145
    filtering static HTML URLs 168
    forced creation (-f) 151
    forced permissions 169
    GSO (-b gso, -T) 183, 186
    host name option (-h) 141
    identity in HTTP headers (-c) 152
    junction mapping table 160
    LTPA (-A, -F, -Z) 189
    multiple back-end servers 167
    mutual authentication 169
    overview 8, 138
    pdadmin server task 140
    proxy junctions (-H, -P) 148
    required options 141
    script filtering of server-relative URLs 159
    script-generated URLs (-j) 156
    session cookie to portal server (-k) 154
    stateful junctions (-s, -u) 162
    type option (-t) 141
    UUID of back-end server (-u) 163
    WebSEAL certificate (-K) 146
    WebSEAL to WebSEAL (-C) 149
    Windows file system (-w) 166
    -b filter 182
    -b gso 183
    -b ignore 181
    -b supply 179
    -b option and mutual authentication 147

Single sign-on
    CDSSO 113
    e-community 119
    GSO 183, 187
    identity in BA header 178
    LTPA (WebSphere) 188
    overview 178
    -b filter 182
    -b gso 183
    -b ignore 181
    -b supply 179

Web portals (dynamic business entitlements)
    configuring WebSEAL 199
    example 200
    overview 198
    PD_PORTAL header 199
    portal-map stanza 199

A
    accept-client-certs 101
    account-locked 35
    acct_locked.html 36
    ACL policy, WebSEAL-specific 53
    acnt-mgt stanza 35
    agents 48
    agents-file 48
    agent.log 48
        example 52
    authentication-levels stanza 61, 67
    authtoken-lifetime 118
    aznapi-configuration stanza 45
B
    backicon 27
    basicauth-dummy-passwd 179
    basic-auth-realm 95
    ba-auth 95
C
    cache-refresh-interval 46
    CDMF library 114
    cdsso 116
    CDSSO authentication 113
    cdssoauthn 116
    cdsso-auth 116
    cdsso-peers stanza 117
    cdsso_key_gen 89, 117, 130
    cert-ssl 102
    CGI programs
        environment variables 191
        WIN32 environment variables 192
    cgi-environment-variables stanza 192
    cgi-timeout 24
    cgi-types stanza 28
    client-connect-timeout 23
    content-cache stanza 29
    CRL checking 42
D
    db-file 45
    default-webseal ACL policy 54
    directory-index 27
    diricon 27
    disable-ssl-v2 22
    disable-ssl-v3 22
    disable-tls-v1 22
    doc-root 25
    Dynamic Business Entitlement 194
    dynurl update 203
    dynurl-allow-large-posts 205
    dynurl-map 202
    dynurl.conf 201
E
    ec-cookie-lifetime 134
    entitlement, Dynamic Business 194
    entrust-client 104
    e-community cookie 128
    e-community authentication 119
        features 121
        vouch-for token encryption 130
        configuration 131
        process flow 122
        vouch-for request and reply 129
        vouch-for token 130
    e-community-name 132
    e-community-sso-auth 131
F
    failover cookie, configuring 87
    failover-auth 89
    failover-cookies-keyfile 89
    failover-cookie-lifetime 90
    filter-url stanza 50, 169
    flush-time 50
    forms-auth 97
G
    GET method 204
    gmt-time 49
    GSKit 37
        key database type 38
    GSKit session cache 79
        configuring 82
    GSO 183
        configuring 187
    GSO cache, configuring 187
    gso-cache-enabled 187
    gso-cache-entry-idle-timeout 187
    gso-cache-lifetime 187
    gso-cache-size 187
H
    help 35
    help.html 36
    HTML pages 35
        customizing 36
    http 21
    HTTP common log format 51
    HTTP logging 48
    HTTP header, LDAP attributes in 194
    HTTP header authentication 103
    HTTP error messages 31
        customizing 34
    httpauthn 104
    https 22
    https-port 22
    https-timeout (junctions) 24
    http-headers-auth 103
    http-port 21
    http-request 104
    HTTP-Tag-Value 197
    http-timeout (junctions) 24
    HTTP_IV_CREDS 152, 192, 194
    HTTP_IV_GROUPS 152, 192, 194
    HTTP_IV_REMOTE_ADDRESS 154
    HTTP_IV_USER 152, 192, 194
I
    iKeyman 40
        certificate authentication on SSL junctions 145
        moving certificates between databases 247
        deleting a root CA certificate 247
        deleting a certificate 253
        creating a self-signed certificate 244
        creating a key database 241
        setting the default key 254
        requesting a server certificate 251
        receiving a certificate 253
        starting 238
        default key database 239
        adding a root CA certificate 246
        overview 42
        changing the key database password 255
        SSL junctions 143
        WebSEAL certificate 101
    inactive-timeout 81
    inter-domain-keys stanza 130, 134
    intra-domain-key 130, 132
    IP address authentication 105
    ipaddr-auth 105
    is-master-authn-server 133
    iv-creds 152, 194
    iv-groups 152, 194
    iv-remote-address 154
    iv-user 152, 194
J
    jmt load command 160
    jmt-map 160
    jmt.conf 160
    junction-db 138
L
    ldapauthn 96, 97
    ldap-ext-cred-tags stanza 196, 197
    libcdssoauthn 116
    libhttpauthn 104
    libldapauthn 96, 97
    libsslauthn 102
    libtokenauthn 106
    listen-flags 46
    logging stanza 50
    login.html 36, 98
    logout 93
    logout.html 36
    log-filtered-pages 50
    LTPA (WebSphere) 188
        configuring 189
        junction options 189
    LTPA cache, configuring 189
    ltpa-cache stanza 189
    ltpa-cache-enabled 189
    ltpa-cache-entry-idle-timeout 189
    ltpa-cache-entry-lifetime 189
    ltpa-cache-size 189
M
    master-authn-server 133
    master-https-port 132
    master-http-port 132
    max-entries 81
    max-size 49
    mgt-pages-root 35
    mpa 111
    MPA authentication 107
N
    nexttoken.html 36
    next-token 35
P
    passwd-change 35
    passwd-change-failure 35
    passwd-change-success 35
    passwd-expired 35
    passwd-ldap 96, 97
    passwd.html 36
    passwd_exp.html 36
    passwd_rep.html 36
    pdadmin server task (junctions) 140
    pdadmin policy
        disable-time-interval 55
        max-login-failures 55
        max-password-repeated-chars 57
        min-password-alphas 57
        min-password-length 57
        min-password-non-alphas 57
        password-spaces 57
    pd.conf 196
    PD_PORTAL header 199
    pd_start command 20
    persistent-con-timeout 23
    ping-time (junctions) 24
    pkmscdsso 118
    pkmslogout 93
    pkmspasswd 94
    pkmsvouchfor 129, 133
    POP policy
        quality of protection 70
        network-based authentication 67
        step-up authentication 61
    portal-map stanza 199
    POST method 204
        configuring limits 205
    post-max-read 205
Q
    query_contents 170
        installing 171
        customizing 173
        securing 175
    query_contents.c 171
    query_contents.cfg 171
    query_contents.exe 171
    query_contents.html 171
    query_contents.sh 171
R
    referers 48
    referers-file 48
    referer.log 48
        example 52
    REMOTE_USER 192
    requests 48
    requests-file 48
    request.log 48
        configuring 50
        example 51
    resend-webseal-cookies 84
S
    script-filter 159
    script-filtering stanza 159
    server-name 46
    server-root 20
    SSL session ID 84
    sslauthn 102
    ssl-id-sessions 84
    ssl-keyfile 41
    ssl-keyfile-label 41
    ssl-keyfile-pwd 41
    ssl-keyfile-stash 41
    ssl-ldap-server 42
    ssl-ldap-server-port 42
    ssl-ldap-user 42
    ssl-ldap-user-password 42
    ssl-max-entries 82
    ssl-qop-mgmt 43
    ssl-qop-mgmt-default stanza 43
    ssl-qop-mgmt-hosts stanza 44
    ssl-qop-mgmt-networks stanza 44
    ssl-v2-timeout 82
    ssl-v3-timeout 82
    stepuplogin.html 36, 64
    stepup-login 35, 64
T
    tcp-port 46
    tokenauthn 106
    tokenlogin.html 36
    token-auth 106
    token-cdas 106
    token-login 35
U
    udp-port 46
    unknownicon 27
    use-same-session 84, 85
V
    vf-token-lifetime 133
    vf-url 133
W
    WebSEAL
        starting and stopping 20
        overview 1
    WebSEAL junctions, see Junctions 137
    WebSEAL session cache 79
        configuring 80
    webseald.conf
        location 18
        reference 213
        overview 18
    webseal-cert-keyfile 40
    webseal-cert-keyfile-label 40, 101, 169
    webseal-cert-keyfile-pwd 40
    webseal-cert-keyfile-stash 40
    webseal-mpa-servers group 110, 111
    WebSphere LTPA 188
    WIN32 environment variables, CGI 192
    worker-threads 22
Printed in Australia
GC40-0635-01