IBM Tivoli Access Manager for e-business: Plug-in for Web Servers Integration Guide

ident-contact other-ident other-purpose. For all values except current, an additional specifier may be configured. The possible values

retention | Specifies how long the information in the cookie or the information linked to by the cookie is to be retained. Possible values

Chapter 2. IBM Tivoli Access Manager Plug-in for Web Servers configuration

Table 6. [p3p-header] parameters (continued)

Parameter | Use
categories | Specifies the type of information stored in the cookie or linked to by the cookie. If the non-identifiable parameter is set to true, then no categories need be configured. Possible values

Example P3P configuration:

[pdweb-plugins] or [virtual_host_name]
send-p3p-header
Examine next

3. Within the [spnego] stanza, set:
   - spnego-krb-service-name to either HTTP or [email protected]_qualified_host_domain_name.
   - spnego-krb5-keytab-file to the full pathname of the keytab file that is to be used by the plug-in. This value is only required on UNIX platforms. On Windows platforms, the option is ignored.

Step 8: Enabling SPNEGO authentication within the Web server

To enable SPNEGO for IIS ensure the access policy of the Web server

absolute_pathname_for_keyfile

You can give the key file any appropriate name, such as /opt/pdwebrte/lib/wpi.key.

2. Edit the plug-in configuration file. In the [failover] stanza, specify the keyfile location.

[failover]
failover-cookies-keyfile

[Figure residue: diagram labels "redirect to login page", "application returns login form", "page.html"]

1. The user makes a request to access a resource in domain B using a custom link on a Web page in domain A.
2. The link contains a special CDSSO expression specified by the uri parameter in the [cdsso] stanza of the pdwebpi.conf configuration file. The default value is pkmscdsso:

   /pkmscdsso?destination-URL

   For example:

   /pkmscdsso?https://www.domainB.com/index.html

The request is first processed by the plug-in server in domain A. The plug-in builds an authentication token that contains the

The name of the query string argument specifying the authentication token is configured using the cdsso-argument parameter in the [cdsso] stanza of the pdwebpi.conf configuration file. The default value is PD-ID. This may be overridden on a per-virtual host basis.

The default value, PD-ID, of the cdsso-argument parameter should only be changed when a custom SSO create/consume library is in use. When using the shipped SSO create/consume libraries, the default, PD-ID, must be used.

Protecting the authentication token

While the authentication token does not contain authentication information (such as username and password), it does contain a user identity that is trusted within the receiving domain. The token itself must therefore be protected against theft and replay.

The token is protected against theft off the wire through the use of SSL to secure communications between the plug-in enhanced Web servers and the users. The token could conceivably be stolen from the
WebSphere

other-purpose. For all values except current, an additional specifier may be configured. The possible values

retention | Specifies how long the information in the cookie or the information linked to by the cookie is to be retained. Possible values

Appendix B. pdwebpi.conf reference

Table 32. Web server specific configuration parameters (continued)

Web-Server Specific Parameter | Description
categories | Specifies the type of information stored in the cookie or linked to by the cookie. If the non-identifiable parameter is set to true, then no categories need be configured. Possible values

[ihs]
query-contents | Specifies the query contents program to use for browsing the IBM HTTP Server Web space by the 'pdadmin> object list' command. This parameter can be overridden on a per branch basis by specifying a value for it in a stanza named [ihs:branch], for example [ihs:/PDWebPI/foo.bar.com]
query-log-file | Location of log file for errors encountered by the query contents program.
doc-root | Specifies the documentation root that provides the Web space browse capability needed for performing 'pdadmin> object list' commands. This parameter is set by the configuration utility when setting up virtual hosts

What this book contains
IBM Tivoli Access Manager for WebSphere Business Integration Brokers
IBM Tivoli Access Manager for Operating Systems
IBM Tivoli Identity Manager
Typeface conventions
Operating system differences
Chapter 1. Introducing IBM Tivoli Access Manager Plug-in for Web Servers
Tivoli Access Manager Plug-in for Web Servers technology
Basic operational components and architecture
Support for virtual hosts
Protecting your Web space with Tivoli Access Manager Plug-in for Web Servers
Tivoli Access Manager Plug-in for Web Servers authentication
Credential acquisition
Chapter 2. IBM Tivoli Access Manager Plug-in for Web Servers configuration
General plug-in information
Root directory of the Tivoli Access Manager Plug-in for Web Servers installation
The pdwebpi.conf configuration file
The pdwebpimgr.conf configuration file
Starting and stopping Tivoli Access Manager Plug-in for Web Servers
HTTP error messages
Macro support
Configuring error pages
Web-server-specific configuration
Enabling switch user
Enabling and excluding users from switch user
Configuring the switch user authentication mechanism
Impacting other plug-in functionality
Incorporating Step-up authentication levels
Support for tag-value
Configuring fail-over for LDAP servers
Supporting Platform for Privacy Preferences (P3P) headers
Configuring P3P headers
Audit records
Auditing configuration
Credential refresh
Language support and character sets
Chapter 3. IBM Tivoli Access Manager Plug-in for Web Servers authentication and request processing
The request handling process
Configuring the order of authentication methods
Configuring post-authorization processing
Managing session state
Setting the maximum concurrent entries value
Setting the cache entry timeout value
Setting the cache entry inactivity timeout value
Maintaining session state with the SSL session ID
Maintaining session state using Basic Authentication
Maintaining session state with Session Cookies
Maintaining session state using HTTP headers
Maintaining session state using IP addresses
Maintaining session state using LTPA cookies
Maintaining session state using iv-headers
Authentication configuration overview
Local authentication mechanisms
Default configuration for plug-ins
Configuring multiple authentication methods
pkmslogout
pkmspasswd
pkmshelp
Setting the realm name
Configuring forms authentication
Enabling forms authentication
Customizing HTML response forms
Creating a BA Header
Configuring certificate authentication
Configuring token authentication
SecurID Token authentication
Enabling token authentication
Customizing token response pages
Upgrading SPNEGO configuration from version 4.1 to 5.1
Limitations
Step 1: Configure the plug-in server into Active Directory domain
Step 2: Map Kerberos principal to Active Directory user
Step 3: Install Kerberos runtime client (UNIX only)
Step 4: Configure Kerberos client (UNIX only)
Step 5: Verify authentication of Web server principal (UNIX only)
Step 6: Verify plug-in authentication using the keytab file (UNIX only)
Step 7: Enabling SPNEGO authentication within the plug-in
Step 8: Enabling SPNEGO authentication within the Web server
Troubleshooting tips
Configuring Web server authentication (IIS platforms only)
Configuring Failover authentication
Failover authentication concepts
Failover authentication scenario
Failover authentication library
Domain-wide failover authentication
Create an encryption key for cookie data
Specify the cookie lifetime
Specify the authentication level
Add an interval for updating the activity timestamp
Add extended attributes
Enable backwards compatibility for encryption
Configuring IV header authentication
Configuring IV header parameters
Configuring the IV header authentication mechanism for iv-remote-address
Configuring HTTP header authentication
Specifying header types
Configuring IP address authentication
Configuring LTPA Authentication
Enabling LTPA Authentication
Enabling user redirection
Mechanisms for adding extended attributes to a credential
Entitlement service configuration
Step 1 — Determine the attributes to be added to the credential
Step 2 — Define your use of the entitlement service
Step 3 — Specify the attributes to be added to the credential
Adding LDAP extended attributes to the HTTP header (tag value)
Enabling tag value processing
Configuring tag value parameters
Valid session data types and authentication methods
Authentication process flow for MPA and multiple clients
Enabling MPA authentication
Add the MPA account to the pdwebpi-mpa-servers group
Chapter 4. IBM Tivoli Access Manager Plug-in for Web Servers security policy
Plug-in-specific Access Control List (ACL) policies
/PDWebPI/host or virtual_host
Plug-in ACL permissions
Specific user and global settings
Authentication-strength Protected Object Policy (Step-up)
Configuring levels for step-up authentication
Enabling step-up authentication
Step-up authentication example
Multi-factor authentication
Network-based authentication Protected Object Policy
Specifying IP addresses and ranges
Example
Network-based authentication algorithm
Forcing user log on
Single sign-on concepts
Configuring single sign-on to secure applications using HTTP headers
Enabling and disabling generation of IV headers
Configuring IV header parameters
Configuring single sign-on to WebSphere using LTPA cookies
Technical notes for LTPA single sign-on
Single sign-on to the plug-in from WebSEAL or other proxy
Enabling and disabling authentication using IV headers
Configuring IV header parameters
Enabling single sign-on using Failover cookies
Using Global single sign-on (GSO)
Configuring Global single sign-on
Single sign-on using forms
Requirements for application support
Enabling forms single sign-on
Configuring forms single sign-on
Example configuration file for IBM HelpNow
Chapter 6. Cross-domain sign-on solutions
Cross domain single sign-on (CDSSO)
Authentication process flow for CDSSO
Enabling and disabling CDSSO authentication
Encrypting the authentication token data
Configuring the token time stamp
Including credential attributes in the authentication tokens
Accepting and rejecting credential attributes from CDSSO authentication tokens
Specify the sso-create and sso-consume libraries
Expressing CDSSO links
e-Community single sign-on process flow
The e-community cookie
The vouch-for request
The vouch-for reply
The vouch-for token
Accepting and rejecting credential attributes from vouch-for tokens
Specify the sso-create and sso-consume libraries
Configuring e-community single sign-on - an example
Chapter 7. Application integration
Enabling user session ID management
Inserting credential data into the HTTP header
Terminating user sessions
Configuring dynamic URLs
Overview of ADI retrieval
Example: Retrieving ADI from the request query string
Example: Retrieving ADI from the request POST body
Retrieving ADI from the user credential
Supplying a failure reason
Configuring dynamic ADI retrieval
Appendix A. Using pdbackup to backup plug-in data
Functionality
pdwebpi_start
pdwebpi
pdwpi-version
Appendix F. Notices