Configuring trust association among WebSphere Application Server and WebSeal Versions 3.6, 3.7 and 3.8: WebSphere Application Server

5.6.2: Configuring trust association among WebSphere Application Server and WebSeal Versions 3.6, 3.7 and 3.8

This article covers the following topics:

Common files among WebSeal Versions 3.6, 3.7 and 3.8
Configuring WebSeal Version 3.7 and 3.8 to talk to WebSphere Application Server
Verifying the back-end server certificate
Mutually authenticated junctions in WebSeal Versions 3.7 and 3.8

Common files among WebSeal Versions 3.6, 3.7 and 3.8

The files trustedservers.properties and webseal.properties are common among WebSeal Versions 3.6, 3.7 and 3.8.

trustedservers.properties:

#Use this property to enable or disable trust association
com.ibm.websphere.security.trustassociation.enabled=true

#Use this property to specify the types of reverse proxy 
#servers that will be loaded at run time
com.ibm.websphere.security.trustassociation.types=webseal

#For each type of reverse proxy servers specified in 
#com.ibm.websphere.security.trustassociation.types,
#specify the class file that implements the associated
#interceptor for it.
Com.ibm.websphere.security.trustassociation.webseal.interceptor
  =com.ibm.ws.security.web.WebSealTrustAssociationInterceptor

#Optionally specify a properties file for any of the 
#reverse proxy servers type specified above. The properties 
#file must end with .properties, for example, webseal.properties. 
#However, do not include this extension as shown below. 
#Moreover, you can only do this if the interceptor class 
#extends WebSphereBaseTrustAssociationInterceptor and both 
#init() and cleanup() methods are implemented. The init() 
#method should read and parse the contents of the file. 
Com.ibm.websphere.security.trustassociation.webseal.config=webseal

webseal.properties:

#Uncomment and use this property to specify the header 
#name(s) you expect to exist in the HTTP Request
com.ibm.websphere.security.webseal.id=iv-creds

#Uncomment and use this property to specify where to put the WebSeal server(s).
#com.ibm.websphere.security.webseal.hostnames=workstation.box.ibm.com, workstation

#Uncomment and use this property to specify the port(s) from which the 
#WebSeal server(s) receive user requests
#com.ibm.websphere.security.webseal.ports=445

#Comment out this property when using WebSeal 3.6. For 
#WebSeal 3.7 and 3.8 uncomment and use this property to specify the 
#ID that the WebSeal server must use to validate trust with 
#the interceptor. 
#com.ibm.websphere.security.webseal.loginId=websealId

#This property is supported only for WebSeal 3.7 and 3.8. 
#Uncomment and set this property to true when mutualSSL is set 
#up between WebSeal and the Web server which in turn talks to 
#WebSphere. Always set it to false for WebSeal 3.6.
com.ibm.websphere.security.webseal.mutualSSL=false
#com.ibm.websphere.security.webseal.mutualSSL=true

When changing settings in the files, consider the following:

WebSeal Versions 3.6, 3.7 and 3.8 use the same implementation class for the interceptor. You must specify the implementation class only once.
The following REQUIRED property-value pair specifies a configuration file for the WebSeal interceptor:
```
com.ibm.websphere.security.trustassociation.webseal.config=webseal
```
Each property-value pair must appear on a single line in the file. Pairs appearing on more than one line (as in the samples above) have been broken for readability.

Configuring WebSeal Versions 3.7 and 3.8 to talk to WebSphere Application Server

Assuming Policy Director is installed and running, create a junction to talk between WebSeal and the back-end Web application server. WebSeal supports both standard TCP (HTTP) and secure SSL (HTTPS) junctions between WebSeal and back-end servers. The junction between WebSeal and a back-end server is independent of the type of connection (and its level of security) between the client and the WebSeal server.

Log in to your domain as an administrative user. You can use dce_login in a UNIX or Windows environment. You can use netseat_login in a Windows environment. WebSeal 3.8 is NOT USING DCE. Use the pdadmin tool in Policy Director 3.8 to log in. Also, use the pdadmin tool to create a junction between WebSeal 3.8 and the Web server. Refer to the WebSeal 3.8 documentation for the exact syntax.
Start the junctioncp utility with the -e option and specify the WebSeal server (host name) for which you will be performing junction tasks. The junctioncp command prompt appears. For example:
UNIX:
# junctioncp -e WebSeal_host_name
junctioncp>
Windows:
MSDOS> junctioncp -e WebSeal_host_name
junctioncp>

The mandatory command options required to create a basic WebSeal junction using junctioncp include:

-h host_name: Host name of the back-end server
-t type: Junction type, such as SSL
mount_point: Junction mount point

For example:

junctioncp> create -t type -h host_name mount_point

SSL junctions

SSL junctions function exactly like TCP junctions, with the added value that all communication between WebSeal and the back-end server is encrypted. SSL junctions allow secure end-to-end browser to application transactions. You can use SSL to secure communications from the client to WebSeal and from WebSeal to the back-end server. The back-end server must be HTTPS-enabled when you use an SSL junction.

The default port value for an SSL junction is 443.

Verifying the back-end server certificate

When a client makes a request for a resource on the back-end server, WebSeal, in its role as a security server, performs the request on behalf of the client. The SSL protocol specifies that when a request is made to the back-end server, that server must provide proof of its identity using a server-side certificate.

When WebSeal receives this certificate from the back-end server, it must verify its authenticity by matching the certificate against a list of root CA certificates stored in its certificate database.

Policy Director uses the IBM Global Security Kit (GSKit) implementation of SSL. You must use the GSKit iKeyman utility to add the root certificate of the CA who signed the back-end server certificate to the WebSeal certificate keyfile (pdsvr.kdb).

For information on managing the certificate key database, refer to "Appendix D: "Managing Certificates with iKeyman" of the WebSeal Administrative Guide for Policy Director 3.7.

Mutually authenticated junctions in WebSeal Versions 3.7 and 3.8

WebSeal supports mutual authentication between a WebSeal server and a back-end server over an SSL junction (-t ssl). While using mutual authentication, the WebSeal Interceptor in WAS will trust the underlying certificates and will not do further checking. The following outline summarizes the supported functionality for mutual authentication over SSL.

Specifying client-side certificate handling

To access a resource through WebSeal from your browser, you need to use SSL. Note that the previous steps for configuring SSL apply to the junction connecting WebSeal to your HTTP Server where WebSeal is the client. This time, you need to set up SSL between your browser and WebSeal where WebSeal plays the SSL server.

You specify how WebSeal will handle authentication using client-side certificates over SSL by setting the verify-clients parameter located in the [wand] stanza of the iv.conf configuration file. Note that, by default, WebSeal does not accept client-side certificates (verify-clients = never).

The values allowed for the verify-clients parameter are as follows:

never: Do not accept X.509 certificates from clients. Force clients to access using user name and password.
optional: Ask clients for an X.509 certificate and use certificate-based authentication, if certificate is supplied. If the client does not present a certificate, force the clients to use basic authentication.
required: Ask clients for an X.509 certificate and use certificate-based authentication. If the client does not present a certificate, do not allow a connection.

Supplying the client identity and password in the iv.conf file

The junctioncp -b supply option instructs WebSeal to supply the authenticated Policy Director user name (client's original identity) with a static password. If the back-end server requires authentication from a Policy Director identity, replace the word dummy in the basic_auth_passwd parameter of the iv.conf file with the password for the login ID specified in the webseal.properties file:

[wand] basic_auth_passwd=password

Copying the CA certificate of your HTTP Server to the Policy Director's CA certificate storage

SSL is involved in the junction where WebSeal plays the client role. Therefore, you must copy the certificate of the HTTP Server's issuing CA into WebSeal's cert directory. The mode should be set to Server Authentication only, which means that WebSeal will never ask for a certificate from the browser client. This is the default setting so you likely do not have to change the settings. However, if you are having problems, inspect the iv.conf file and make sure that the property verify-clients is not set to optional or required. Also, if WebSeal and the HTTP Server are in the same host and both are configured for SSL, ensure that they are not listening to the same SSL port (443).

Sample configuration for WebSphere Application Server 4.0.x and Policy Director 3.7 using the Basic Authentication mechanism

Suppose WebSphere Application Server Version 4.0.x is installed on host secfvt1.austin.ibm.com with global security enabled. Further, the challenge type used is Basic Authentication while the authentication mechanism is LTPA using a SecureWay LDAP server running on host secnt7.austin.ibm.com. Finally, suppose Policy Director Version 3.7 and WebSeal Version 3.7 are installed on secnt7.austin.ibm.com.

As WebSeal is using the same LDAP server as WebSphere Application Server, a junction named /ta4secfvt1 is created using the following commands:

C:\>dce_login cell_admin password
C:\>junctioncp -e secnt7 Attempting to bind to server at /.:/subsys/intraverse/secmgr/server/secnt7

junctioncp> create -c -t ssl -b supply -h secfvt1.austin.ibm.com /ta4secfvt1

Created junction at /ta4secfvt1

Note: Ensure that the CA root certificate which signed the junctioned server certificate is installed in the WebSeal certificate key database (default key database is pdsrv.kdb).

junctioncp> show /ta4secfvt1
    Junction point: /ta4secfvt1
    Type: SSL
    Basic authentication mode: supply
    Authentication HTTP header: insert - iv_user iv_user_l iv_groups iv_creds
    Stateful junction: no
    Scripting support: no
    Delegation support: no
    Mutually authenticated: no
    Server 1:
 ID: de6b062c-9ca1-11d5-a112-0040aa49239d
Server State: running
Hostname: secfvt1.austin.ibm.com
Port: 443
Virtual hostname: secfvt1.austin.ibm.com:443
Server DN:
Query_contents URL: /cgi-bin/query_contents
Query-contents: unknown
Case insensitive URLs: no
Allow Windows-style URLs: yes
junctioncp> quit

C:\>pdadmin
pdadmin> login -a sec_master -p pdapassword
pdadmin> user list * 10
test1
da1
sec_master
ivmgrd/master
ivacld/secnt7
secmgr/secnt7
pdadmin> user show da1
Login ID: da1
LDAP DN: cn=da1,o=ibm,c=us
LDAP CN: da1
LDAP SN: da1_sname
Description:
Is SecUser: yes
Is GSO user: yes
Account valid: yes
Password valid: yes
Authorization mechanism: Default:LDAP
pdadmin> user show sec_master
Login ID: sec_master
LDAP DN: cn=SecurityMaster,secAuthority=Default
LDAP CN: SecurityMaster
LDAP SN: SecurityMaster
Description: DO NOT MODIFY: Master Security User for Policy Director
Is SecUser: yes
Is GSO user: yes
Account valid: yes
Password valid: yes
Authorization mechanism: Default:LDAP
pdadmin> user create testuser "cn=testuser,o=ibm,c=us" "cn=testuser" testuser testuser1234
pdadmin> user show testuser
Login ID: testuser
LDAP DN: cn=testuser,o=ibm,c=us
LDAP CN: cn=testuser
LDAP SN: testuser
Description:
Is SecUser: yes
Is GSO user: no
Account valid: no
Password valid: yes
Authorization mechanism: Default:LDAP
pdadmin> user modify testuser account-valid yes
pdadmin> user show testuser
Login ID: testuser
LDAP DN: cn=testuser,o=ibm,c=us
LDAP CN: cn=testuser
LDAP SN: testuser
Description:
Is SecUser: yes
Is GSO user: no
Account valid: yes
Password valid: yes
Authorization mechanism: Default:LDAP

WebSeal is listening on port 443 for SSL requests with server authentication only. Therefore, use https://secnt7.austin.ibm.com to talk to Policy Director. Log in with a user ID and password of, for example, testuser and testuser1234. After WebSeal authorizes this user, enter the junction name; the address will look like: https://secnt7/ta4secfvt1. Now, the set-up is talking to the back-end Web server (IBM HTTP Server in this case) using the junction. From IBM HTTP Server, you can access the WebSphere resources. You can access SampleApp's simple.jsp resource. (The URL looks like https://secnt7/ta4secfvt1/webapp/examples/simple.jsp.)

To enable SSL in the Web server, add the following lines:

LoadModule ibm_ssl_module modules/IBMModuleSSL128.dll

Listen 443
<VirtualHost secfvt1.austin.ibm.com:443>
ServerName secfvt1.austin.ibm.com
DocumentRoot d:\HTTP\htdocs
SSLEnable
SSLCipherSpec 21
SSLCipherSpec 27
SSLCipherSpec 23
SSLCipherSpec 26
SSLCipherSpec 22
SSLCipherSpec 24
SSLCipherSpec 3A
SSLCipherSpec 35
SSLCipherSpec 34
SSLCipherSpec 39
SSLCipherSpec 33
SSLCipherSpec 36
SSLCipherSpec 32
SSLCipherSpec 31
SSLCipherSpec 30
#SSLClientAuth required
</VirtualHost>
SSLDisable
Keyfile d:\HTTP\ssl\IHS\serverkey.kdb
SSLV2Timeout 100
SSLV3Timeout 1000