WebSphere Application Server - Express, Version 6.0.x     Operating Systems: AIX, HP-UX, Linux, Solaris, Windows

Configuring single signon using trust association interceptor ++

Before you begin

The following steps are required when setting up security for the first time. Ensure that LTPA is the active authentication mechanism:
  1. From the WebSphere Application Server console, click Security > Global Security.
  2. Ensure that the Active Authentication Mechanism field is set to Lightweight Third Party Authentication (LTPA). Save your changes.

Why and when to perform this task

This task is performed to enable single signon using trust association interceptor ++. The steps involve setting up trust association and creating the interceptor properties.

Steps for this task

  1. From the WebSphere Application Server administrative console, click Security > Global security.
  2. Under Authentication, click Authentication mechanisms > LTPA.
  3. Under Additional properties, click Trust association.
  4. Click Enable Trust Association.
  5. Click Interceptors.
  6. Click com.ibm.ws.security.web.TAMTrustAssociationInterceptorPlus to use the WebSEAL interceptor. This interceptor is the default.
  7. Click Custom Properties.
  8. Click New to enter the property name and value pairs. Verify that the following parameters are set:
    Table 1.

    Option: com.ibm.websphere.security.webseal.checkViaHeader
    Description: You can configure the TAI so that the via header is ignored when validating trust for a request. Set this property to false if none of the hosts in the via header need to be trusted. When it is set to false you do not need to set the trusted host names and host ports properties. The only mandatory property to check when checkViaHeader is false is com.ibm.websphere.security.webseal.loginId.

    The default value of the checkViaHeader property is false. When using Tivoli Access Manager plug-in for Web servers, set this property to false.

    Note: The via header is a standard HTTP header that records the names of the servers the request has passed through.

    Option: com.ibm.websphere.security.webseal.loginId
    Description: The WebSEAL trusted user, as created in Creating a trusted user account in Tivoli Access Manager. The user name is given in its short-name form. This property is mandatory. If it is not set in WebSphere Application Server, the TAI initialization fails.

    Option: com.ibm.websphere.security.webseal.id
    Description: A comma-separated list of headers that must exist in the request. If any of the configured headers is missing from the request, trust cannot be established. The default value for the id property is iv-creds. Any other values set in WebSphere Application Server are added to the list along with iv-creds, separated by commas.

    Option: com.ibm.websphere.security.webseal.hostnames
    Description: Do not set this property if using Tivoli Access Manager plug-in for Web servers. The property specifies the host names (case sensitive) that are trusted and expected in the request header. Requests arriving from unlisted hosts might not be trusted. If the checkViaHeader property is not set or is set to false, the trusted host names property has no influence. If the checkViaHeader property is set to true and the trusted host names property is not set, the TAI initialization fails.

    Option: com.ibm.websphere.security.webseal.ports
    Description: Do not set this property if using Tivoli Access Manager plug-in for Web servers. This property is a comma-separated list of trusted host ports. Requests that arrive from unlisted ports might not be trusted. If the checkViaHeader property is not set or is set to false, this property has no influence. If the checkViaHeader property is set to true and the trusted host ports property is not set in WebSphere Application Server, the TAI initialization fails.

    Option: com.ibm.websphere.security.webseal.viaDepth
    Description: A positive integer that specifies the number of source hosts in the via header to check for trust. By default, every host in the via header is checked, and if any host is not trusted, trust cannot be established. The viaDepth property is used when only some of the hosts in the via header have to be trusted. The setting indicates the number of hosts, counted from the end of the via header, that are required to be trusted.

    As an example, consider the following header:

    Via: HTTP/1.1 webseal1:7002, 1.1 webseal2:7001

    If the viaDepth property is not set, is set to 2, or is set to 0, and a request with the previous via header is received, then both webseal1:7002 and webseal2:7001 need to be trusted. The following configuration applies:

    com.ibm.websphere.security.webseal.hostnames = webseal1,webseal2
    com.ibm.websphere.security.webseal.ports = 7002,7001

    If the viaDepth property is set to 1, and the previous request is received, then only the last host in the via header needs to be trusted. The following configuration applies:

    com.ibm.websphere.security.webseal.hostnames = webseal2
    com.ibm.websphere.security.webseal.ports = 7001

    The viaDepth property is set to 0 by default, which means all of the hosts in the via header are checked for trust.

    Option: com.ibm.websphere.security.webseal.ssoPwdExpiry
    Description: After trust is established for a request, the single signon user password is cached, eliminating the need for the TAI to reauthenticate the single signon user with Tivoli Access Manager for every request. You can modify the cache timeout period by setting the ssoPwdExpiry property to the required time in seconds. If the ssoPwdExpiry property is set to 0, the cached password never expires. The default value for the ssoPwdExpiry property is 600.

    Option: com.ibm.websphere.security.webseal.ignoreProxy
    Description: This property can be used to tell the TAI to ignore proxies as trusted hosts. If set to true, the comments field of each host entry in the via header is checked to determine whether the host is a proxy. Remember that not all proxies insert comments in the via header indicating that they are proxies. The default value of the ignoreProxy property is false. If the checkViaHeader property is set to false, the ignoreProxy property has no influence in establishing trust.

    Option: com.ibm.websphere.security.webseal.configURL
    Description: Before the TAI can establish trust for a request, SvrSslCfg must have been run for the WebSphere Java Virtual Machine, resulting in the creation of a properties file. If this properties file is not at the default URL file://java.home/PdPerm.properties, the correct URL of the properties file must be set in the configURL property. If this property is not set, and the SvrSslCfg-generated properties file is not in the default location, the TAI initialization fails. The default value for the configURL property is file://${WAS_INSTALL_ROOT}/java/jre/PdPerm.properties.
  9. Click OK.
  10. Save the configuration and log out.
  11. Restart WebSphere Application Server.
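The trust rules in Table 1 (the mandatory loginId, the iv-creds and other id headers, checkViaHeader, hostnames, ports, viaDepth and ignoreProxy) are easy to misconfigure, so it helps to see them as executable logic. The following Python is an added model written for this page; it is not IBM's TAMTrustAssociationInterceptorPlus code. The property names in the comments come from the table. The Via hop parser, the rule that a parenthesised comment containing "proxy" marks a proxy hop, the decision to skip such hops when ignoreProxy is true, and all Python names are assumptions made for the illustration.

```python
"""Model of the TAI++ trust rules from Table 1 (illustration, not IBM's code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class TaiConfig:
    """Subset of the interceptor custom properties listed in Table 1."""
    login_id: Optional[str] = None       # ...webseal.loginId (mandatory)
    check_via_header: bool = False       # ...webseal.checkViaHeader
    hostnames: frozenset = frozenset()   # ...webseal.hostnames (case sensitive)
    ports: frozenset = frozenset()       # ...webseal.ports
    via_depth: int = 0                   # ...webseal.viaDepth, 0 = check every hop
    ignore_proxy: bool = False           # ...webseal.ignoreProxy
    id_headers: tuple = ()               # ...webseal.id, added to iv-creds


@dataclass
class ViaHop:
    host: str
    port: Optional[str]
    comment: Optional[str]


# One hop of a Via header: [protocol/]version received-by[:port] [(comment)]
_HOP = (r"(?:(?P<proto>[A-Za-z]+)/)?(?P<version>[\d.]+)\s+"
        r"(?P<host>[^\s:,()]+)(?::(?P<port>\d+))?(?:\s*\((?P<comment>[^)]*)\))?")


def validate(cfg: TaiConfig) -> None:
    """Raise ValueError in the cases where Table 1 says TAI initialization fails."""
    if not cfg.login_id:
        raise ValueError("webseal.loginId is mandatory")
    if cfg.check_via_header and not cfg.hostnames:
        raise ValueError("checkViaHeader=true but webseal.hostnames is not set")
    if cfg.check_via_header and not cfg.ports:
        raise ValueError("checkViaHeader=true but webseal.ports is not set")
    if cfg.via_depth < 0:
        raise ValueError("webseal.viaDepth must be 0 or a positive integer")


def parse_via(value: str) -> List[ViaHop]:
    """Split a Via header into hops, in the order the header lists them."""
    hops = []
    # Split on commas that are not inside a parenthesised comment.
    for raw in re.split(r",(?![^(]*\))", value):
        if not raw.strip():
            continue
        m = re.fullmatch(r"\s*" + _HOP + r"\s*", raw)
        if m is None:
            raise ValueError(f"malformed Via hop: {raw.strip()!r}")
        hops.append(ViaHop(m["host"], m["port"], m["comment"]))
    return hops


def via_trusted(cfg: TaiConfig, via_value: Optional[str]) -> bool:
    """Apply checkViaHeader, viaDepth, ignoreProxy, hostnames and ports."""
    if not cfg.check_via_header:
        return True                      # via hosts are not consulted at all
    hops = parse_via(via_value or "")
    if not hops:
        return False
    # viaDepth=N means only the last N hops must be trusted; 0 means all of them.
    to_check = hops if cfg.via_depth == 0 else hops[-cfg.via_depth:]
    for hop in to_check:
        # Assumption: a comment containing "proxy" marks the hop as a proxy and
        # ignoreProxy=true means it is skipped rather than matched against the list.
        if cfg.ignore_proxy and hop.comment and "proxy" in hop.comment.lower():
            continue
        if hop.host not in cfg.hostnames or hop.port not in cfg.ports:
            return False                 # hostnames are matched case-sensitively
    return True


def id_headers_present(cfg: TaiConfig, headers: Dict[str, str]) -> bool:
    """iv-creds plus every header named in webseal.id must be in the request."""
    required = ("iv-creds",) + tuple(cfg.id_headers)
    present = {name.lower() for name in headers}
    return all(h.lower() in present for h in required)


def trust_established(cfg: TaiConfig, headers: Dict[str, str]) -> bool:
    """Combined decision: required headers present and via hosts trusted."""
    via = next((v for k, v in headers.items() if k.lower() == "via"), None)
    return id_headers_present(cfg, headers) and via_trusted(cfg, via)


if __name__ == "__main__":
    cfg = TaiConfig(login_id="webseal_user", check_via_header=True,
                    hostnames=frozenset({"webseal1", "webseal2"}),
                    ports=frozenset({"7002", "7001"}))
    validate(cfg)
    # Constructed request headers, reusing the Via value quoted in Table 1.
    request = {"iv-creds": "<constructed credential blob>",
               "Via": "HTTP/1.1 webseal1:7002, 1.1 webseal2:7001"}
    print("trust established:", trust_established(cfg, request))
```

The viaDepth=1 case from the table (hostnames = webseal2, ports = 7001) passes the same header because only the last hop is examined, while the same single-host list with viaDepth=0 fails on webseal1:7002. A proxy hop such as `1.1 gw:8080 (corp proxy)` is only tolerated when ignoreProxy is true; with the default false it must appear in hostnames and ports like any other hop.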



Related concepts
Single signon using WebSEAL or the Tivoli Access Manager plug-in for Web servers
Trust associations

Related tasks
Configuring trust association interceptors

Related reference
Trust association interceptor support for Subject creation


Last updated: Jun 8, 2005 12:45:23 PM EDT
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=/com.ibm.websphere.express.doc/info/exp/ae/tsec_ssowsstep4TAIplusplus.html

© Copyright IBM Corporation 2004, 2005. All Rights Reserved.