WebSphere Application Server - Express, Version 6.0.x     Operating Systems: AIX, HP-UX, Linux, Solaris, Windows

Configuring WebSEAL for use with WebSphere Application Server

Why and when to perform this task

A junction must be created between WebSEAL and WebSphere Application Server. This junction carries the iv-credentials (for TAI++) or iv-user (for TAI) and the HTTP basic authentication headers with the request. Although you can configure WebSEAL to pass the end user identity in other ways, the iv-credentials header is the only one supported by TAI++ and the iv-user header is the only one supported by TAI.

We recommend that communications over the junction use SSL for increased security. Setting up SSL across this junction requires that you configure the HTTP Server used by WebSphere Application Server, and WebSphere Application Server itself, to accept inbound SSL traffic and route it correctly to WebSphere Application Server. This activity requires importing the necessary signing certificates into the WebSEAL certificate keystore, and possibly also the HTTP Server certificate keystore.

Create the junction between WebSEAL and WebSphere Application Server using the -c iv_creds option for TAI++ and -c iv_user for TAI. Enter either of the following commands as one line using the variables that are appropriate for your environment:

TAI++
server task webseald-server create -t ssl -b supply -c iv_creds -h host_name -p websphere_app_port_number junction_name

TAI
server task webseald-server create -t ssl -b supply -c iv_user -h host_name -p websphere_app_port_number junction_name

Notes:
  1. If warning messages are displayed about the incorrect setup of certificates and key databases, delete the junction, correct problems with the key databases, and re-create the junction.
  2. The junction can be created as -t tcp or -t ssl, depending on your requirements.

For single signon to WebSphere Application Server, the SSO password must be set in WebSEAL. To set the password, complete the following steps:

Steps for this task

  1. Edit the WebSEAL configuration file, webseal_install_directory/etc/webseald-default.conf, and set the following parameter: basicauth-dummy-passwd=webseal_userid_passwd, where webseal_userid_passwd is the SSO password for the trusted user account set in Creating a trusted user account in Tivoli Access Manager.
  2. Restart WebSEAL.
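
The checks below are an added example, not IBM's code: a POSIX shell sketch that verifies a junction command matches the TAI or TAI++ form shown above and that basicauth-dummy-passwd has been set in the configuration file. The function names, the constructed sample file, the handling of duplicate keys and the file-permission check are assumptions made here.

```shell
#!/bin/sh
# Added example: offline checks for the junction command and SSO password
# setting described above. It only inspects text and a local file.

# check_junction_cmd MODE "COMMAND"   (MODE is tai or tai++)
check_junction_cmd() {
    mode=$1; cmd=" $2 "; rc=0
    case $mode in
        tai++) want=iv_creds ;;
        tai)   want=iv_user ;;
        *)     echo "unknown mode: $mode"; return 2 ;;
    esac
    case $cmd in *" -c $want "*) ;; *) echo "missing -c $want for $mode"; rc=1 ;; esac
    case $cmd in *" -b supply "*) ;; *) echo "missing -b supply"; rc=1 ;; esac
    case $cmd in
        *" -t ssl "*) ;;
        *" -t tcp "*) echo "junction uses -t tcp, SSL is recommended"; rc=1 ;;
        *)            echo "missing -t ssl"; rc=1 ;;
    esac
    return $rc
}

# check_dummy_passwd CONF_FILE
check_dummy_passwd() {
    conf=$1; rc=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 2; }
    # Take the last uncommented assignment (assumption about duplicates); trim whitespace.
    val=$(sed -n 's/^[[:space:]]*basicauth-dummy-passwd[[:space:]]*=[[:space:]]*//p' "$conf" |
          sed 's/[[:space:]]*$//' | tail -n 1)
    case $val in
        "") echo "basicauth-dummy-passwd is not set"; rc=1 ;;
        webseal_userid_passwd) echo "placeholder value left in place"; rc=1 ;;
    esac
    # Assumption: the file holds the SSO password, so group/other read is flagged.
    perms=$(ls -ld "$conf" | cut -c1-10)
    case $perms in
        ????r*|???????r*) echo "$conf readable by group or others ($perms)"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample input, not taken from a real system.
sample=$(mktemp); chmod 600 "$sample"
printf '# comment\nbasicauth-dummy-passwd = webseal_userid_passwd\n' > "$sample"
check_junction_cmd tai++ "server task webseald-server create -t ssl -b supply -c iv_creds -h host_name -p websphere_app_port_number junction_name"
check_dummy_passwd "$sample" || echo "fix the findings above, then restart WebSEAL"
rm -f "$sample"
```

The junction check only recognizes the exact option forms shown on this page; it reports -t tcp as a finding because the page recommends SSL over the junction.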

What to do next

For more details and options about how to configure junctions between WebSEAL and WebSphere Application Server, including other options for specifying the WebSEAL server identity, refer to the Tivoli Access Manager WebSEAL Administration Guide as well as to the documentation for the HTTP Server you are using with your WebSphere Application Server. Tivoli Access Manager documentation is available at http://publib.boulder.ibm.com/tividd/td/tdprodlist.html.



Related concepts
Single signon using WebSEAL or the Tivoli Access Manager plug-in for Web servers

Related tasks
Creating a trusted user account in Tivoli Access Manager


Last updated: Jun 8, 2005 12:45:23 PM EDT
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=/com.ibm.websphere.express.doc/info/exp/ae/tsec_sso_ws_step3_sso_create_junct.html

© Copyright IBM Corporation 2004, 2005. All Rights Reserved.