[Version 5.0.1 and later] Configuring WebSEAL or custom trust association interceptors

Why and when to perform this task

These steps are required to use either the WebSEAL trust association interceptor or your own trust association interceptor with a reverse proxy security server.

Steps for this task

  1. Access the administrative console by typing http://localhost:9090/admin in a Web browser.
  2. Click Security > Authentication mechanisms > LTPA in the left navigation panel.
  3. Click Trust Association under Additional Properties.
  4. Select the Trust Association Enabled option.
  5. Click Interceptors under Additional Properties.
    The default value appears.
  6. [5.0 only][Version 5.0.1][Version 5.0.2] Click com.ibm.ws.security.web.WebSealTrustAssociationInterceptor if you are using the WebSEAL interceptor. This interceptor is the default value. To use a different interceptor, complete the following steps:
    1. Click New.
    2. Type the name of the interceptor into the Interceptor Classname field.
    3. Click OK.
    4. Click the name of the new interceptor.
  7. Click OK.
  8. Click Custom Properties under Additional Properties.
  9. Click New to enter the property name and value pairs.
    The name and value pairs for the WebSEAL interceptor follow. For a new interceptor, enter the name and value pairs that correspond to your interceptor.
    com.ibm.websphere.security.webseal.mutualSSL
    Use this property to configure the trust association interceptor so that trust with the reverse proxy is already validated using a mutually-authenticated Secure Sockets Layer (SSL) connection. If the value of the mutual SSL property is true, then authentication is not performed for the single signon (SSO) user.

    Note: When you set this property to true, the login ID and header password combination is not verified. It is recommended that you use some form of transport level filtering so that the connections to WebSphere Application Server are Secure Sockets Layer (SSL) connections originating from WebSEAL only.

    Default: False
    Range: True or false
    com.ibm.websphere.security.webseal.loginId
    Use this property to configure the trust association interceptor with the user name of the WebSEAL trusted user. This user is the single signon (SSO) user that is authenticated using the password in the basic authentication header that WebSEAL inserts in the request. The format of the user name is the short name representation. This property is mandatory; if the property is not set in WebSphere Application Server, the trust association interceptor initialization fails.
    Data type: String
    com.ibm.websphere.security.webseal.id
    Use this property to configure the trust association interceptor to ensure that the specified headers exist in the request. If not all of the configured headers exist in the request, then trust cannot be established. This property is mandatory and there is no default value. If this property is not set, the trust association initialization fails.
    Data type: Comma separated list of strings
    com.ibm.websphere.security.webseal.hostnames

    Use this property to list any hosts that are trusted. WebSphere Application Server depends upon the values of the com.ibm.websphere.security.webseal.viaDepth and com.ibm.websphere.security.webseal.ignoreProxy properties to determine whether to trust requests that arrive from hosts listed in this property. If a host is not listed in this property, then WebSphere Application Server might not trust requests arriving from that host. The host names are case-sensitive. The VIA request header also includes the proxy host names (if any), unless the com.ibm.websphere.security.webseal.ignoreProxy property is set to true.

    Data type: Comma separated list of strings
    com.ibm.websphere.security.webseal.ports

    Use this property to list the port numbers of any hosts that are trusted. WebSphere Application Server depends upon the values of the com.ibm.websphere.security.webseal.viaDepth and com.ibm.websphere.security.webseal.ignoreProxy properties to determine whether to trust requests that arrive from ports listed in this property. If a port is not listed in this property, then WebSphere Application Server might not trust any requests arriving from that port. The VIA request header also includes the proxy ports (if any), unless the com.ibm.websphere.security.webseal.ignoreProxy property is set to true.

    Data type: Comma separated list of integers
    com.ibm.websphere.security.webseal.viaDepth

    Use this property to configure the trust association interceptor to check only a specified number of source hosts in the VIA header to ensure that those hosts are trusted sources. By default, every host in the VIA header is checked for trust, and if any of the hosts is not trusted, then trust is not established. If not all of the hosts in the VIA header are required to be trusted, then you can set the com.ibm.websphere.security.webseal.viaDepth property to indicate the number of hosts that are required to be trusted.

    For example:
    Via: HTTP/1.1 webseal1:7002, 1.1 webseal2:7001

    If the com.ibm.websphere.security.webseal.viaDepth property is not set, is set to 2, or is set to 0, and a request with the above VIA header is received, then both webseal1:7002 and webseal2:7001 need to be trusted.

    • com.ibm.websphere.security.webseal.hostnames = webseal1,webseal2
    • com.ibm.websphere.security.webseal.ports = 7002,7001

    If the via depth property is set to 1 and the above request is received, then only the last host in the VIA header needs to be trusted.

    • com.ibm.websphere.security.webseal.hostnames = webseal2
    • com.ibm.websphere.security.webseal.ports = 7001

    If the via depth property is set to 0, then all of the hosts in the VIA header are checked for trust.

    If the via depth property is set to a negative value and the check VIA header property is set to true, then the trust association interceptor initialization fails.

    Default: 1
    com.ibm.websphere.security.webseal.ignoreProxy

    Use this property to configure the trust association interceptor so that any hosts in the VIA header that are proxies do not need to be trusted hosts. This property works by checking the comments field of the hosts entry in the VIA header to see if that host is a proxy. This process is not a fail-safe method because not all of the proxies insert comments in the VIA header to indicate that they are proxies.

    If this optional property is set to true or yes, the interceptor ignores the proxy host names and ports in the VIA header. By default, this property is set to false.
    Default: False
    Data type: String
    Range: True, false, yes, no
  10. Click OK.
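The following script is an added example, not IBM's interceptor code, that models how the custom properties above combine into a single trust decision for one request: the mandatory id headers must be present, the last viaDepth hops of the VIA header must be trusted hosts on trusted ports (with proxy hops skipped when ignoreProxy is set), and the WebSEAL trusted user's basic authentication header must match loginId unless mutualSSL is true. Property names are used with the com.ibm.websphere.security.webseal. prefix dropped; the rule that a hop is a proxy when its VIA comment mentions "proxy", the verify_password callback standing in for the user registry, and the sample configuration and request are all assumptions constructed for this example.

```python
import base64
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


@dataclass
class ViaHop:
    host: str
    port: Optional[int]
    comment: str

    @property
    def is_proxy(self) -> bool:
        # Assumption: a hop marks itself as a proxy by mentioning "proxy" in its
        # VIA comment. As the page warns, not every proxy does this.
        return "proxy" in self.comment.lower()


def parse_via(header: str) -> List[ViaHop]:
    """Split 'Via: 1.1 host:port (comment), ...' into hops, oldest first."""
    hops: List[ViaHop] = []
    for entry in header.split(","):  # comments containing commas are not handled
        entry = entry.strip()
        if not entry:
            continue
        comment = ""
        if "(" in entry and entry.endswith(")"):
            start = entry.index("(")
            comment, entry = entry[start + 1:-1], entry[:start].strip()
        parts = entry.split()  # [protocol/]version received-by
        if len(parts) != 2:
            raise ValueError(f"malformed Via entry: {entry!r}")
        host, _, port = parts[1].partition(":")
        hops.append(ViaHop(host, int(port) if port else None, comment))
    return hops


def hops_to_check(hops: List[ViaHop], via_depth: Optional[int],
                  ignore_proxy: bool) -> List[ViaHop]:
    """Apply the viaDepth and ignoreProxy rules the page describes."""
    if via_depth is not None and via_depth < 0:
        raise ValueError("negative viaDepth: interceptor initialization fails")
    if ignore_proxy:
        hops = [h for h in hops if not h.is_proxy]
    if not via_depth:          # unset or 0: every hop must be trusted
        return hops
    return hops[-via_depth:]   # only the last N hops, nearest to WebSphere


def via_trusted(header: str, trusted_hosts: Set[str], trusted_ports: Set[int],
                via_depth: Optional[int] = None, ignore_proxy: bool = False) -> bool:
    """True when every hop that must be checked is a trusted host on a trusted port.
    Host names are case-sensitive; hostnames and ports are independent lists."""
    for hop in hops_to_check(parse_via(header), via_depth, ignore_proxy):
        if hop.host not in trusted_hosts or hop.port not in trusted_ports:
            return False
    return True


def basic_auth(user: str, password: str) -> str:
    """Build the basic authentication header WebSEAL inserts for its trusted user."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def establish_trust(props: Dict[str, str], headers: Dict[str, str],
                    verify_password: Callable[[str, str], bool]) -> bool:
    """Decide whether one request from the reverse proxy is trusted.
    verify_password stands in for the WebSphere user-registry check (assumption)."""
    for mandatory in ("loginId", "id"):
        if not props.get(mandatory):
            raise ValueError(f"{mandatory} is mandatory: initialization fails")
    h = {k.lower(): v for k, v in headers.items()}
    # id: every configured header must be present, otherwise no trust.
    if any(n.strip().lower() not in h for n in props["id"].split(",")):
        return False
    depth = int(props["viaDepth"]) if props.get("viaDepth") else None
    ignore = props.get("ignoreProxy", "false").lower() in ("true", "yes")
    hosts = {x.strip() for x in props.get("hostnames", "").split(",") if x.strip()}
    ports = {int(x) for x in props.get("ports", "").split(",") if x.strip()}
    if not via_trusted(h.get("via", ""), hosts, ports, depth, ignore):
        return False
    if props.get("mutualSSL", "false").lower() == "true":
        return True  # mutual SSL already authenticated the proxy; no password check
    auth = h.get("authorization", "")
    if not auth.startswith("Basic "):
        return False
    user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
    return user == props["loginId"] and verify_password(user, password)


# Constructed sample configuration and request; not taken from any deployment.
SAMPLE_PROPS = {"loginId": "webseal_sso", "id": "iv-user,iv-creds,via",
                "hostnames": "webseal1,webseal2", "ports": "7002,7001",
                "viaDepth": "1", "ignoreProxy": "false", "mutualSSL": "false"}
SAMPLE_REQUEST = {"Via": "HTTP/1.1 webseal1:7002, 1.1 webseal2:7001",
                  "Authorization": basic_auth("webseal_sso", "s3cret"),
                  "iv-user": "alice", "iv-creds": "<constructed-credential-blob>"}


def sample_registry(user: str, password: str) -> bool:
    """Stand-in for the user-registry lookup of the WebSEAL trusted user."""
    return (user, password) == ("webseal_sso", "s3cret")


if __name__ == "__main__":
    print("trusted:", establish_trust(SAMPLE_PROPS, SAMPLE_REQUEST, sample_registry))
```

Listing "via" in the id property is what makes a request without a VIA header fail, because an empty header leaves nothing for the host and port check to reject; with mutualSSL set to true the basic authentication header is never examined, which is why the page pairs that setting with transport-level filtering to WebSEAL only.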

Results

Trust association is enabled.

Example

  1. The browser makes a request for a secured WebSphere resource.
  2. The WebSEAL server sends back a challenge, either an HTTP basic authentication or a form-based challenge.
  3. A user name and password are supplied.
  4. The WebSEAL product authenticates the user to Lightweight Directory Access Protocol (LDAP).
  5. The modified request is forwarded by the WebSEAL product to the WebSphere Application Server.
  6. The plug-in TAI establishes trust between WebSphere Application Server and the WebSEAL server by using the negotiateAndValidateEstablishedTrust method.
  7. The plug-in extracts the end-user credentials from the iv-creds header field and passes the credentials to WebSphere Application Server for authorization.

What to do next

  1. If you are enabling security, make sure that you complete the remaining steps for enabling security.
  2. Save, stop and restart all of the product servers (deployment managers, nodes and Application Servers) for the changes to take effect.

Related concepts
Web component security
Trust Associations
Related tasks
Configuring global security
Related reference
Trust association settings
Trust association interceptor collection



Searchable topic ID:   tsectrust
Last updated: Jun 21, 2007 9:56:50 PM CDT    WebSphere Application Server for z/OS, Version 5.0.2
http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.websphere.zseries.doc/info/zseries/ae/tsec_trust.html