WebSphere Application Server Network Deployment, Version 6.0.x   Operating Systems: AIX, HP-UX, Linux, Solaris, Windows

Configuring Tivoli Access Manager plug-in for Web servers for use with WebSphere Application Server

Tivoli Access Manager plug-in for Web servers can be used as a security gateway for your protected WebSphere Application Server resources.

About this task

With such an arrangement, the plug-in authorizes all user requests before passing the credentials of the authorized user to WebSphere Application Server in the form of an iv-creds header. Trust between the plug-in and WebSphere Application Server is established through basic authentication headers that contain the single sign-on (SSO) user password.

Procedure

  1. The Tivoli Access Manager plug-in for Web servers configuration in the example below shows IV headers configured for post-authorization processing, and basic authentication configured both as the authentication mechanism and for post-authorization processing.
  2. After a request is authorized, the basic authentication header is removed from the request (strip-hdr=always) and a new one is added (add-hdr=supply).
  3. This new header includes the password that is set when the SSO user is created in Creating a trusted user account in Tivoli Access Manager.
  4. Specify this password in the supply-password parameter and it is passed in the newly created header. This basic authentication header enables trust between WebSphere Application Server and the plug-in.
  5. An iv-creds header is also added (generate=iv-creds), which contains the credential information of the user and is passed on to WebSphere Application Server. Session cookies are used to maintain session state.

Example

[common-modules]
authentication = BA
session = session-cookie
post-authzn = BA
post-authzn = iv-headers

[iv-headers]
accept = all
generate = iv-creds

[BA]
strip-hdr = always
add-hdr = supply
supply-password = sso_user_password

What to do next

Configuring single sign-on using the trust association interceptor or Configuring single sign-on using trust association interceptor ++




Related tasks
Creating a trusted user account in Tivoli Access Manager
Configuring single sign-on capability with Tivoli Access Manager or WebSEAL


Last updated: Mar 8, 2007 8:14:28 PM CST
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/tsec_sso_ws_step3_plugin_config.html

© Copyright IBM Corporation 2004, 2006. All Rights Reserved.