WebSEAL Administration Guide

and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright International Business Machines Corporation 2002, 2008. All rights reserved.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM
server task throttle . . . 986
server task virtualhost delete . . . 998
server task virtualhost list
Appendix D. Support information . . . 1013
Searching knowledge bases . . . 1013
Searching information centers . . . 1013
Determining the business impact . . . 1015
Describing problems and gathering information . . . 1016
Submitting problems . . . 1016
Glossary . . . 1023
Index . . . 1033
About this publication

Welcome to the IBM® Tivoli® Access Manager for e-business WebSEAL Administration Guide.

IBM Tivoli Access Manager WebSEAL is the resource manager for Web-based resources in a Tivoli Access Manager secure domain. WebSEAL is a high performance, multi-threaded Web server that applies fine-grained security policy to the protected Web object space. WebSEAL can provide single signon solutions and incorporate back-end Web application server resources into its security policy.

This administration guide provides a comprehensive set of procedures and reference information for managing the resources of your secure Web domain. This guide also provides you with valuable background and concept information for the wide range of WebSEAL functionality.

IBM® Tivoli® Access Manager is the base software that is required to run applications in the Tivoli Access Manager product suite. This base software enables the integration of Tivoli Access Manager applications to provide a wide range of authorization and management solutions. Sold as integrated products, these applications can provide an access control management solution to centralize network and application security policy for e-business applications.
Intended audience

This guide is for system administrators responsible for configuring and maintaining a Tivoli Access Manager WebSEAL environment.

Readers should be familiar with the following:
- PC and UNIX® or Linux® operating systems
- Database architecture and concepts
- Security management
- Internet protocols, including HTTP, TCP/IP, File Transfer Protocol (FTP), and Telnet
- A supported user registry
- Authentication and authorization

If you are enabling Secure Sockets Layer (SSL) communication, you also should be familiar with the SSL protocol, key exchange (public and private), digital signatures, cryptographic algorithms, and certificate authorities.
What this publication contains

Part 1: Administration
- Chapter 1, “IBM Tivoli Access Manager WebSEAL overview,” on page 3
- Chapter 2, “Server administration,” on page 21

Part 2: Configuration
- Chapter 4, “Web server response configuration,” on page 79
- Chapter 5, “Web server security configuration,” on page 111

Part 3: Authentication
- Chapter 8, “Advanced authentication methods,” on page 179
- Chapter 9, “Post-authentication processing,” on page 215
- Chapter 10, “Password processing,” on page 223
- Chapter 11, “Credential processing,” on page 235
- Chapter 12, “External authentication interface,” on page 249

Part 4: Session State
- Chapter 15, “Failover solutions,” on page 285
- Chapter 16, “Session state in non-clustered environments,” on page 311

Part 5: Session Management Server
- Chapter 17, “Session management server (SMS) overview,” on page 327
- Chapter 18, “Quickstart guide for WebSEAL using SMS,” on page 333
- Chapter 19, “Configuration for WebSEAL using SMS,” on page 339

Part 6: Authorization
- Chapter 21, “Key management,” on page 375

Part 7: Standard WebSEAL Junctions
- Chapter 22, “Standard WebSEAL junctions,” on page 389
- Chapter 23, “Advanced junction configuration,” on page 411
- Chapter 24, “Modifying URLs to junctioned resources,” on page 441
- Chapter 25, “Command option summary: Standard junctions,” on page 467

Part 8: Virtual Hosting
- Chapter 26, “Virtual host junctions,” on page 481
- Chapter 27, “Command option summary: Virtual host junctions,” on page 507

Part 9: Single Signon Solutions
- Chapter 28, “Single signon solutions across junctions,” on page 519
- Chapter 29, “Windows desktop single signon,” on page 547
- Chapter 30, “Cross-domain single signon,” on page 565
- Chapter 31, “E-community single signon,” on page 581

Part 10: Deployment
- Chapter 33, “Application integration,” on page 623
- Chapter 34, “Dynamic URLs,” on page 641
- Chapter 35, “Attribute retrieval service reference,” on page 655
- Chapter 36, “Authorization decision information retrieval,” on page 665

Appendix
- Appendix A, “Guidelines for changing configuring files,” on page 675
- Appendix B, “Stanza reference,” on page 679
- Appendix C, “Command reference,” on page 943
Publications

This section lists publications in the IBM Tivoli Access Manager for e-business library and related documents. The section also describes how to access Tivoli publications online and how to order Tivoli publications.

IBM Tivoli Access Manager for e-business library

Review the descriptions of the Tivoli Access Manager library, the prerequisite publications, and the related publications to determine which publications you might find helpful. After you determine the publications you need, refer to the instructions for accessing publications online.

Additional information about the Tivoli Access Manager for e-business product itself can be found at the following Web address:
http://www.ibm.com/software/tivoli/products/access-mgr-e-bus

The Tivoli Access Manager library is organized into the following categories:
- “Release information”
- “Administration documentation”
- “Problem determination documentation” on page xxxiii
- “Performance tuning documentation” on page xxxiii

Release information
- IBM Tivoli Access Manager for e-business: Release Notes, GC23-6501-00
  Provides information about installing and getting started, system requirements, known installation and configuration problems, and problem workarounds.

Installation and upgrade documentation
- IBM Tivoli Access Manager for e-business: Installation Guide, GC23-6502-00
  Explains how to install and configure Tivoli Access Manager for e-business.
- IBM Tivoli Access Manager for e-business: Upgrade Guide, SC23-6503-00
  Explains how to upgrade to Tivoli Access Manager for e-business version 6.1.
- IBM Tivoli Access Manager for e-business: Quick Start Guide, GI11-8174-00
  Provides a high-level overview of a Tivoli Access Manager for e-business version 6.1 installation.

  Describes the concepts and procedures for using Tivoli Access Manager. Provides instructions for performing tasks from the Web Portal Manager interface and by using the pdadmin utility.
- IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide, SC23-6505-00
  Provides background material, administrative procedures, and technical reference information for using WebSEAL to manage the resources of your secure Web domain.
- IBM Tivoli Access Manager for e-business: Plug-in for Edge Server Administration Guide, SC23-6506-00
  the IBM WebSphere® Edge Server application.
- IBM Tivoli Access Manager for e-business: Plug-in for Web Servers Administration Guide, SC23-6507-00
  securing your Web domain using a Web server plug-in.
- IBM Tivoli Access Manager for e-business: Shared Session Management Administration Guide, SC23-6509-00
  management server.
- IBM Global Security Kit: Secure Sockets Layer Introduction and iKeyman User’s Guide, SC23-6510-00
  Provides information for network or system security administrators who plan to enable SSL communication in their Tivoli Access Manager environment.
- IBM Tivoli Access Manager for e-business: Auditing Guide, SC23-6511-00
  Provides information about configuring and managing audit events using the native Tivoli Access Manager approach and the Common Auditing and Reporting Service. Information about installing and configuring the Common Auditing and Reporting Service that can be used for generating and viewing operational reports is also provided.

Reference documentation
- IBM Tivoli Access Manager for e-business: Command Reference, SC23-6512-00
  Provides reference information about the commands, utilities, and scripts that are provided with Tivoli Access Manager.
- IBM Tivoli Access Manager for e-business: Administration C API Developer Reference, SC23-6513-00
  Provides reference information about using the C language implementation of the administration API to enable an application to perform Tivoli Access Manager administration tasks.
- IBM Tivoli Access Manager for e-business: Administration Java Classes Developer Reference, SC23-6514-00
  Provides reference information about using the Java™ language implementation of the administration API to enable an application to perform Tivoli Access Manager administration tasks.
- IBM Tivoli Access Manager for e-business: Authorization C API Developer Reference, SC23-6515-00
  Provides reference information about using the C language implementation of the authorization API to enable an application to use Tivoli Access Manager security.
- IBM Tivoli Access Manager for e-business: Authorization Java Classes Developer Reference, SC23-6516-00
  Provides reference information about using the Java language implementation of the authorization API to enable an application to use Tivoli Access Manager security.
- IBM Tivoli Access Manager for e-business: Web Security Developer Reference, SC23-6517-00
  Provides programming and reference information for developing authentication modules.

  Provides problem determination information for Tivoli Access Manager.
- IBM Tivoli Access Manager for e-business: Error Message Reference, GI11-8157-00
  Provides explanations and recommended actions for the messages and return codes that are generated by Tivoli Access Manager.

Performance tuning documentation
- IBM Tivoli Access Manager for e-business: Performance Tuning Guide, SC23-6518-00
  Provides performance tuning information for an environment consisting of Tivoli Access Manager with the IBM Tivoli Directory Server as the user registry.
Related products and publications

This section lists the IBM products that are related to and included with a Tivoli Access Manager solution.

IBM Global Security Kit

Tivoli Access Manager provides data encryption through the use of the Global Security Kit (GSKit) version 7.0. GSKit is included on the IBM Tivoli Access Manager Base CD for your particular platform, as well as on the IBM Tivoli Access Manager Web Security CDs, the IBM Tivoli Access Manager Shared Session Management CDs, and the IBM Tivoli Access Manager Directory Server CDs.

The GSKit package provides the iKeyman key management utility, gsk7ikm, which is used to create key databases, public-private key pairs, and certificate requests.

The IBM Global Security Kit: Secure Sockets Layer Introduction and iKeyman User’s Guide is available on the Tivoli Information Center Web site in the same section as the Tivoli Access Manager product documentation.

IBM Tivoli Directory Server

IBM Tivoli Directory Server version 6.1 is included on the IBM Tivoli Access Manager Directory Server set of CDs for the desired operating system.

Additional information about Tivoli Directory Server can be found at the following Web address:
http://www.ibm.com/software/tivoli/products/directory-server/

IBM Tivoli Directory Integrator

IBM Tivoli Directory Integrator version 6.1.1 is included on the IBM Tivoli Directory Integrator CD for the desired operating system.

Additional information about IBM Tivoli Directory Integrator can be found at the following Web address:
http://www-306.ibm.com/software/tivoli/products/directory-integrator/

IBM DB2 Universal Database

IBM DB2 Universal Database™ Enterprise Server Edition version 9.1 is provided on the IBM Tivoli Access Manager Directory Server set of CDs and is installed with the Tivoli Directory Server software. DB2® is required when using Tivoli Directory Server or z/OS® LDAP servers as the user registry for Tivoli Access Manager. For z/OS LDAP servers, you must separately purchase DB2.

Additional information about DB2 can be found at the following Web address:
http://www.ibm.com/software/data/db2

IBM WebSphere Application Server

WebSphere Application Server version 6.1 is included on the IBM Tivoli Access Manager WebSphere Application Server set of CDs for the desired operating system.

WebSphere Application Server enables the support of the Web Portal Manager interface, which is used to administer Tivoli Access Manager; the Web Administration Tool, which is used to administer Tivoli Directory Server; the Common Auditing and Reporting Service, which is used to process and report on audit events; the session management server, which is used to manage shared sessions in a Web security server environment; and the Attribute Retrieval Service.

Additional information about WebSphere Application Server can be found at the following Web address:
Accessing terminology online

The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available at the following Tivoli software library Web site:
http://publib.boulder.ibm.com/tividd/glossary/tivoliglossarymst.htm

The IBM Terminology Web site consolidates the terminology from IBM product libraries in one convenient location. You can access the Terminology Web site at the following Web address:
Accessing publications online

The Tivoli Software Library provides a variety of Tivoli publications such as white papers, data sheets, demonstrations, Redbooks™, and announcement letters. The publications for this product and many other Tivoli products are available online in Portable Document Format (PDF) or Hypertext Markup Language (HTML) format, or both, in the Tivoli software library at the following Web address:
http://publib.boulder.ibm.com/tividd/td/tdprodlist.html

To locate product publications in the library, click the first letter of the product name or scroll until you find the product name. Then click the name of the

Note: To ensure proper printing of PDF publications, select the Fit to page check box in the Adobe Acrobat Print window (which is available when you click File → Print).
Ordering publications

You can order many Tivoli publications online at http://www.elink.ibmlink.ibm.com/publications/servlet/pbi.wss.

You can also order by telephone by calling one of these numbers:
- In the United States: 800-879-2755
- In Canada: 800-426-4968

In other countries, contact your software account representative to order Tivoli publications. To locate the telephone number of your local representative, perform the following steps:
Go.
3. Click About this site in the main panel to see an information page that includes the telephone number of your local representative.
Accessibility

Accessibility features help users with a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You can also use the keyboard instead of the mouse to operate all features of the graphical user interface.

Tivoli technical training

For Tivoli technical training information, refer to the following IBM Tivoli Education Web site at http://www.ibm.com/software/tivoli/education.
Support information

If you have a problem with your IBM software, you want to resolve it quickly. IBM provides the following ways for you to obtain the support you need:

Online
  Go to the IBM Software Support site at http://www.ibm.com/software/support and follow the instructions.

IBM Support Assistant
  The IBM Support Assistant (ISA) is a free local software serviceability workbench that helps you resolve questions and problems with IBM software products. The ISA provides quick access to support-related information and serviceability tools for problem determination. To install the ISA software, go to http://www.ibm.com/software/support/isa.

Problem Determination Guide
  For more information about resolving problems, see the IBM Tivoli Access Manager for e-business: Problem Determination Guide.
This publication uses several conventions for special terms and actions, operating system-dependent commands and paths, and margin graphics.

Typeface conventions

Bold
- Lowercase commands and mixed case commands that are otherwise difficult to distinguish from surrounding text
- Interface controls (check boxes, push buttons, radio buttons, spin buttons, fields, folders, icons, list boxes, items inside list boxes, multicolumn lists, containers, menu choices, menu names, tabs, property sheets), labels (such as

Italic
- Citations (examples: titles of publications, diskettes, and CDs)
- Words defined in text (example: a nonswitched line is called a point-to-point line)
- Emphasis of words and letters (words as words example: "Use the word that to introduce a restrictive clause."; letters as letters example: "The LUN address must start with the letter L.")
- New terms in text (except in a definition list): a view is a frame in a workspace that contains data.
- Variables and values you must provide: ... where myname represents....

Monospace
- Examples and code examples
- File names, programming keywords, and other elements that are difficult to distinguish from surrounding text
- Message text and prompts addressed to the user
- Text that the user must type
- Values for arguments or command options

Operating system-dependent variables and paths

This publication uses the UNIX convention for specifying environment variables and for directory notation.

When using the Windows command line, replace $variable with %variable% for environment variables and replace each forward slash (/) with a backslash (\) in directory paths. The names of environment variables are not always the same in the Windows and UNIX environments. For example, %TEMP% in Windows environments is equivalent to $TMPDIR in UNIX environments.

Note: If you are using the bash shell on a Windows system, you can use the UNIX conventions.
Chapter 1. IBM Tivoli Access Manager WebSEAL overview . . . 3
Tivoli Access Manager security model . . . 6
Security model concepts
Access control lists (ACLs) and protected object policies (POPs) . . . 7
Access control list (ACL) policies . . . 8
Protected object policies (POPs) . . . 8
Explicit and inherited policy . . . 9
Policy administration: The Web Portal Manager . . . 9
Web space protection
Replicated front-end WebSEAL servers . . . 17
Junctioned back-end servers . . . 17
Replicated back-end servers . . . 18
Chapter 2. Server administration . . . 21
Server operation . . . 22
Restarting the WebSEAL server . . . 23
Displaying WebSEAL server status . . . 23
Backup and restore . . . 24
The pdbackup utility . . . 24
Backing up WebSEAL data . . . 24
Restoring WebSEAL data . . . 25
Extracting archived
Common Auditing and Reporting Services (CARS) . . . 28
Problem determination
Notes on configuration data log file growth . . . 29
Configuration data log file format . . . 30
Messages relating to the configuration data log file . . . 31
Chapter 1. IBM Tivoli Access Manager WebSEAL overview

IBM® Tivoli® Access Manager for e-business (Tivoli Access Manager) is a robust and secure centralized policy management solution for e-business and distributed applications.

IBM Tivoli Access Manager WebSEAL is a high performance, multi-threaded Web server that applies fine-grained security policy to the Tivoli Access Manager protected Web object space. WebSEAL can provide single signon solutions and incorporate back-end Web application server resources into its security policy.

This overview chapter introduces you to the main capabilities of the WebSEAL server.
- “WebSEAL introduction” on page 5
- “Tivoli Access Manager security model” on page 6
- “Web space protection” on page 10
- “Security policy planning and implementation” on page 12
- “WebSEAL authentication” on page 14
- “Standard WebSEAL junctions” on page 15
- “Web space scalability” on page 17
Tivoli Access Manager introduction

IBM Tivoli Access Manager is a complete authorization and network security policy management solution that provides end-to-end protection of resources over geographically dispersed intranets and extranets.

In addition to its state-of-the-art security policy management feature, Tivoli Access Manager provides authentication, authorization, data security, and centralized resource management capabilities. You use Tivoli Access Manager in conjunction with standard Internet-based applications to build highly secure and well-managed intranets.

- Authentication framework
  Tivoli Access Manager provides a wide range of built-in authenticators and supports external authenticators.
- Authorization framework
  The Tivoli Access Manager authorization service, accessed through the Tivoli Access Manager authorization API, provides permit and deny decisions on requests for protected resources located in the secure domain.

With Tivoli Access Manager, businesses can securely manage access to private internal network-based resources while leveraging the public Internet’s broad connectivity and ease of use. Tivoli Access Manager, in combination with a corporate firewall system, can fully protect the Enterprise intranet from unauthorized access and intrusion.
WebSEAL introduction

IBM Tivoli Access Manager WebSEAL is the resource manager responsible for managing and protecting Web-based information and resources.

WebSEAL is a high performance, multi-threaded Web server that applies fine-grained security policy to resources in the Tivoli Access Manager protected Web object space. WebSEAL can provide single signon solutions and incorporate back-end Web application server resources into its security policy.

WebSEAL normally acts as a reverse Web proxy by receiving HTTP/HTTPS requests from a Web browser and delivering content from its own Web server or from junctioned back-end Web application servers. Requests passing through WebSEAL are evaluated by the Tivoli Access Manager authorization service to determine whether the user is authorized to access the requested resource.

WebSEAL provides the following features:
- Supports multiple authentication methods.
  Both built-in and plug-in architectures allow flexibility in supporting a variety of authentication mechanisms.
- Integrates Tivoli Access Manager authorization service.
- Accepts HTTP and HTTPS requests.
- Integrates and protects back-end server resources through WebSEAL junction technology.
  Provides unified view of combined protected object space.
- Manages fine-grained access control for the local and back-end server resources.
  Supported resources include URLs, URL-based regular expressions, CGI programs, HTML files, Java servlets, and Java class files.
- Performs as a reverse Web proxy.
  WebSEAL appears as a Web server to clients and appears as a Web browser to the junctioned back-end servers it is protecting.
- Provides single signon capabilities.
Tivoli Access Manager security model

This section contains the following topics:
- “Security model concepts” on page 6
- “The protected object space” on page 6
- “Access control lists (ACLs) and protected object policies (POPs)” on page 7
- “Access control list (ACL) policies” on page 8
- “Protected object policies (POPs)” on page 8
- “Explicit and inherited policy” on page 9
- “Policy administration: The Web Portal Manager” on page 9
Security model concepts

The security policy for a Tivoli Access Manager secure domain is governed and maintained by two key security structures:
- User registry
  The user registry (such as IBM Tivoli Directory Server, Lotus Domino, or Microsoft Active Directory) contains all users and groups who are allowed to participate in the Tivoli Access Manager environment (known as the secure domain).
- Master authorization (policy) database
  The authorization database contains a representation of all resources in the domain (the protected object space). The security administrator can dictate any level of security by applying rules, known as access control list (ACL) policies and protected object policies (POPs), to those resources requiring protection.

The process of authentication proves the identity of a user to WebSEAL. A user can participate in the secure domain as authenticated or unauthenticated. Only users with an account in the user registry can become authenticated users. Using ACLs and POPs, the security administrator can make certain resources publicly available to unauthenticated users. Other resources can be made available only to certain authenticated users.

When a user successfully authenticates to WebSEAL, a set of identification information—known as a credential—is created for that user. The credential contains the user identity, any group memberships, and any special (″extended″) security attributes.

A credential is required for the user to fully participate in the secure domain. The Tivoli Access Manager authorization service enforces security policies by comparing a user’s authentication credentials with the policy permissions assigned to the requested resource. The resulting recommendation is passed to the resource manager (for example, WebSEAL), which completes the response to the original request.
The protected object space

The protected object space is a hierarchical representation of resources belonging to a Tivoli Access Manager secure domain. The virtual objects that appear in the object space represent the actual physical network resources, as specified below:
- System resource – the actual physical file or application.
- Protected object – the logical representation of an actual system resource used by the authorization service, the Web Portal Manager, and other Tivoli Access Manager management utilities.

Policies can be attached to objects in the object space to provide protection of the resource. The authorization service makes authorization decisions based on these policies.

The combined installation of Tivoli Access Manager base and Tivoli Access Manager WebSEAL provides the following object space categories:
- Web objects
  Web objects represent any resource that can be addressed by an HTTP URL. This includes static Web pages and dynamic URLs that are converted to database queries or some other type of application. The WebSEAL server is responsible for protecting Web objects.
- Management objects
  Management objects represent the management activities that can be performed through the Web Portal Manager. The objects represent the tasks necessary to define users and set security policy. Tivoli Access Manager supports delegation of management activities and can restrict an administrator’s ability to set security policy to a subset of the object space.
- User-defined objects
  protected by applications that access the authorization service through the Tivoli Access Manager authorization API.
Access control lists (ACLs) and protected object policies (POPs)

Security administrators protect Tivoli Access Manager system resources by defining rules, known as ACL and POP policies, and applying these policies to the object representations of those resources in the protected object space.

The Tivoli Access Manager authorization service performs authorization decisions based on the policies applied to these objects. When a requested operation on a protected object is permitted, the application responsible for the resource implements this operation.

One policy can dictate the protection parameters of many objects. Any change to the rule affects all objects to which the ACL or POP is attached.

[Figure: the protected object space, with Management Objects, Web Objects, and User-Defined Objects as its top-level categories]
Access control list (ACL) policies

An access control list policy, or ACL policy, is the set of rules (permissions) that specifies the conditions necessary to perform certain operations on that resource.

ACL policy definitions are important components of the security policy established for the secure domain. ACL policies, like all policies, are used to stamp an organization’s security requirements onto the resources represented in the protected object space.

1. What operations can be performed on the resource
2. Who can perform these operations

An ACL policy is made up of one or more entries that include user and group designations and their specific permissions or rights. An ACL can also contain rules that apply to unauthenticated users.
Protected object policies (POPs)

ACL policies provide the authorization service with information to make a ″yes″ or ″no″ answer on a request to access a protected object and perform some operation on that object.

Protected object policies (POPs) contain additional conditions on the request that are passed back to Tivoli Access Manager and the resource manager (such as WebSEAL) along with the ″yes″ ACL policy decision from the authorization service. It is the responsibility of Tivoli Access Manager and the resource manager to enforce the POP conditions.

The following tables list the available attributes for a POP:

Enforced by Tivoli Access Manager

POP Attribute          Description
                       argument in the pdadmin pop commands.
Description            Descriptive
                       the pop show command.
Warning Mode           Provides administrators a means to test ACL and POP policies.
                       denied access, errors.
Time-of-Day Access     Day and time restrictions for successful access to the protected object.

POP Attribute          Description
Quality of Protection  Specifies the degree of data protection: none, integrity, privacy.
                       members of
Explicit and inherited policy

Policy can be explicitly applied or inherited. The Tivoli Access Manager protected object space supports inheritance of ACL and POP attributes. Inheritance is an important management feature for the security administrator. The administrator needs to apply explicit policies only at points in the hierarchy where the rules must change.

Policy administration: The Web Portal Manager

The Web Portal Manager is a Web-based graphical application used to manage security policy in a Tivoli Access Manager secure domain. The pdadmin command line utility provides the same administration capabilities as the Web Portal Manager, plus some commands not supported by the Web Portal Manager.

From the Web Portal Manager (or pdadmin), you can manage the user registry, the master authorization policy database, and the Tivoli Access Manager servers. You can also add and delete users and groups and apply ACLs and POPs to network objects.
Web space protection

When WebSEAL enforces security in a secure domain, each user must provide proof of identity. In turn, Tivoli Access Manager security policy determines whether that user is permitted to perform an operation on a requested resource. Because access to every Web resource in a secure domain is controlled by WebSEAL, WebSEAL’s requirements for authentication and authorization can provide comprehensive network security.

In security systems, authorization is distinct from authentication. Authorization determines whether an authenticated user has the right to perform an operation on a specific resource in a secure domain. Authentication can validate the identity of a user, but says nothing about the user’s right to perform operations on a protected resource.

In the Tivoli Access Manager authorization model, authorization policy is implemented independently of the mechanism used for user authentication. Users can authenticate their identity using public and private key, secret key, or customer-defined mechanisms.

Part of the authentication process involves the creation of a credential that describes the identity of the user. Authorization decisions made by an authorization service are based on user credentials.

The resources in a secure domain receive a level of protection as dictated by the security policy for the domain. The security policy defines the legitimate participants of the secure domain and the degree of protection surrounding each resource that is being protected.

The authorization process consists of the following basic components:
- A resource manager is responsible for implementing the requested operation when authorization is granted. WebSEAL is a resource manager.
  A component of the resource manager is a policy enforcer that directs the request to the authorization service for processing.
  Note: Traditional applications bundle the policy enforcer and resource manager into one process. Examples of this structure include WebSEAL and third-party applications.
- An authorization service performs the decision-making action on the request.

The following diagram illustrates the complete authorization process:
10 WebSEAL Administration
1. A request for a resource from an authenticated user is directed to the resource manager and intercepted by the policy enforcer process. The resource manager can be WebSEAL (for HTTP, HTTPS access) or a third-party application.
2. The policy enforcer process uses the Tivoli Access Manager authorization API to call the authorization service for an authorization decision.
3. The authorization service performs an authorization check on the resource, represented as an object in the protected object space.
   a. Tivoli Access Manager POPs are checked first.
   b. Next the ACL policy attached to the object is checked against the client’s credentials.
   c. Finally, POPs enforced by the resource manager are checked.
4. The decision to accept or deny the request is returned as a recommendation to the resource manager (through the policy enforcer).
5. If the request is finally approved, the resource manager passes the request on to the application responsible for the resource.
A corporate security policy for Web resources identifies:

• The Web resources requiring protection.
• The level of protection.

Tivoli Access Manager uses a virtual representation of these Web resources, called the protected object space. The protected object space contains objects that represent actual physical resources in your network.

You implement security policy by applying the appropriate security mechanisms to the objects requiring protection.

• Access control list (ACL) policies

  ACL policies identify user types that can be considered for access and specify the operations permitted on the object.

• Protected object policies (POPs)

  A POP specifies additional conditions governing the access to the protected object, such as privacy, integrity, auditing, and time-of-day access.

• Extended attributes

  Extended attributes are additional values placed on an object, ACL, or POP that can be read and interpreted by third-party applications (such as an external authorization service).

The core component of Tivoli Access Manager is the Tivoli Access Manager authorization service, which permits or denies access to protected objects (resources) based on the user’s credentials and the access controls placed on the objects.

To successfully implement the security policy, you must logically organize the different content types (as described in “Content types and levels of protection” on page 12) and apply the appropriate ACL and POP policies. Access control management can be very complex and is made much easier by careful categorization of the content types.
Content types and levels of protection

As the security administrator of your Web space, you must correctly identify the types of content available to a variety of user types. Some content must be highly protected and available only to specific users; other content is for general public view. Each security scenario demands different protection requirements and an associated WebSEAL configuration.

It is your responsibility to:

• Know your Web content
• Identify the types of users requiring access to this content
• Understand the strengths and weaknesses of the available WebSEAL configuration options for securing this content

Protection of Web content falls into three broad categories:

1. Public content – access requires no protection
   • Unauthenticated users can access resources using HTTP.
   • An unauthenticated credential is used for access control to resources.
   • Basic WebSEAL configuration requirements provide protection.
2. Public content – access requires privacy (encryption)
   • Unauthenticated users can access resources using HTTPS.
   • Encryption, required by the application server, is used to protect sensitive data (such as credit card numbers and user account information).
   • An unauthenticated credential is used for access control to resources.
   • WebSEAL configuration needs to stipulate privacy.
3. Private content – access requires authentication
   • Authenticated clients can access resources using HTTP or HTTPS.
   • The administrator determines the need for encryption.
   • An authenticated credential is used for access control to resources; each user must have an account defined in the Tivoli Access Manager user registry.
   • WebSEAL configuration is complex and all options must be considered carefully to determine the impact of the security policy.
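The evaluation order of steps 3a to 3c, the inheritance rule from "Explicit and inherited policy", and the three content categories just listed, modelled as a small runnable Python example. This is an added illustration and not IBM code or the product's API: the class and function names (Credential, ACL, POP, ProtectedObject, effective, authorize), the permission letters and the sample object space are constructed for the example, and which POP attribute is checked by the authorization service versus the resource manager is the example's assumption.

```python
"""Toy model of the authorization process described above: a protected
object space whose objects inherit ACLs and POPs from their nearest
ancestor, evaluated in the order of steps 3a-3c for a request that carries
a credential.  Added illustration, not IBM code; every name here is an
assumption of the example, and the permission letters are simplified."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

UNAUTHENTICATED = "unauthenticated"
QOP_RANK = {"none": 0, "integrity": 1, "privacy": 2}


@dataclass
class Credential:
    user: str
    groups: Set[str] = field(default_factory=set)

    @property
    def authenticated(self) -> bool:
        return self.user != UNAUTHENTICATED


@dataclass
class ACL:
    """Permitted operations per principal (simplified): 'user:<name>',
    'group:<name>', 'any-other' (authenticated users not listed explicitly)
    and 'unauthenticated' (the credential built for anonymous requests)."""
    entries: Dict[str, str]

    def permits(self, cred: Credential, op: str) -> bool:
        if not cred.authenticated:
            return op in self.entries.get(UNAUTHENTICATED, "")
        explicit = [f"user:{cred.user}"] + [f"group:{g}" for g in sorted(cred.groups)]
        matched = [self.entries[p] for p in explicit if p in self.entries]
        if matched:
            return any(op in perms for perms in matched)
        return op in self.entries.get("any-other", "")


@dataclass
class POP:
    qop: str = "none"                        # quality of protection attribute
    hours: Optional[Tuple[int, int]] = None  # time-of-day window [start, end)


@dataclass
class ProtectedObject:
    acl: Optional[ACL] = None
    pop: Optional[POP] = None


def effective(space: Dict[str, ProtectedObject], path: str, attr: str):
    """Inheritance: the policy in force is the one attached to the object
    itself or to the nearest ancestor that carries one, so explicit policy
    is needed only where the rules change.  The root '/' must carry both."""
    while True:
        node = space.get(path)
        if node is not None and getattr(node, attr) is not None:
            return getattr(node, attr)
        if path == "/":
            raise LookupError(f"no {attr} reachable from the root")
        path = path.rsplit("/", 1)[0] or "/"


def authorize(space, path, op, cred, scheme="http", hour=12):
    """Returns (decision, reason).  Time-of-day is treated as a POP condition
    checked by the authorization service (step 3a) and quality of protection
    as one enforced by the resource manager (step 3c); that split is an
    assumption of this example."""
    pop = effective(space, path, "pop")
    if pop.hours and not (pop.hours[0] <= hour < pop.hours[1]):
        return False, "pop: outside permitted hours"
    if not effective(space, path, "acl").permits(cred, op):          # step 3b
        return False, "acl: operation not permitted for this credential"
    offered = "privacy" if scheme == "https" else "none"
    if QOP_RANK[offered] < QOP_RANK[pop.qop]:
        return False, f"pop: requires qop {pop.qop}, connection offers {offered}"
    return True, "authorized"


# Constructed object space covering the three content categories above.
SPACE = {
    "/": ProtectedObject(acl=ACL({UNAUTHENTICATED: "r", "any-other": "r"}),
                         pop=POP()),
    "/public": ProtectedObject(),                           # 1: inherits all
    "/checkout": ProtectedObject(pop=POP(qop="privacy")),   # 2: only POP changes
    "/private": ProtectedObject(                            # 3: authenticated only
        acl=ACL({"group:staff": "rw", "any-other": "r"}),
        pop=POP(qop="privacy", hours=(8, 18))),
}

if __name__ == "__main__":
    anon, alice = Credential(UNAUTHENTICATED), Credential("alice", {"staff"})
    print(authorize(SPACE, "/public/index.html", "r", anon))
    print(authorize(SPACE, "/checkout/form", "r", anon))                 # denied: needs https
    print(authorize(SPACE, "/private/report", "w", alice, "https", 20))  # denied: hours
```

Only the root carries a full policy: "/public" carries none and inherits both attributes, "/checkout" overrides just the POP to demand privacy, and "/private" replaces both. In a real deployment these attachments are made with pdadmin or the Web Portal Manager, not in code; the point of the model is to see where a request is refused and by which of the three checks.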
WebSEAL authentication

Authentication is the method of identifying an individual process or entity that is attempting to log in to a secure domain. WebSEAL can enforce a high degree of security in a secure domain by requiring each user to provide proof of its identity.

The following conditions apply to the WebSEAL authentication process:

• WebSEAL supports several authentication methods by default and can be customized to use other methods.
• When both server and client require authentication, the exchange is known as mutual authentication.
• The WebSEAL server process is independent of the authentication method.
• The result of successful authentication to WebSEAL is a Tivoli Access Manager user identity.
• WebSEAL uses this identity to build a credential for that user.
• The authorization service uses this credential to permit or deny access to protected objects after evaluating the ACL permissions and POP conditions governing the policy for each requested resource.

This flexible approach to authentication allows security policy to be based on business requirements and not physical network topology.

For a complete overview of WebSEAL authentication concepts, see Chapter 6, “Authentication overview,” on page 135.
Tivoli Access Manager provides authentication, authorization, and management services for a network. In a Web-based network, these services are best provided by one or more front-end WebSEAL servers that integrate and protect Web resources and applications located on back-end Web servers.

The connection between a WebSEAL server and a back-end Web application server is known as a standard WebSEAL junction. A WebSEAL junction is a TCP/IP connection between a front-end WebSEAL server and a back-end server.

Note: WebSEAL also supports virtual hosting through another form of junctions called virtual host junctions.

The back-end server can be another WebSEAL server or, more commonly, a third-party Web application server. The back-end server Web space is “connected” to the WebSEAL server at a specially designated junction (mount) point in the WebSEAL Web space.

A junction allows WebSEAL to provide protective services on behalf of the back-end server. WebSEAL can perform authentication and authorization checks on all requests before passing those requests on to the back-end server. If the back-end server requires fine-grained access control on its objects, you must perform additional configuration steps (using the query_contents CGI program) to describe the third-party Web space to the Tivoli Access Manager security service.

Junctions provide a scalable, secure environment that allows load balancing, high availability, and state management capabilities, all performed transparently to clients. As an administrator, you can benefit from this centralized management of the Web space.

WebSEAL junctions provide the added value of logically combining the Web space of a back-end server with the Web space of the WebSEAL server. Junctions between cooperating servers result in a single, unified, distributed Web space that is seamless and transparent to users.

The client never needs to know the physical location of a Web resource. WebSEAL translates logical URL addresses into the physical addresses that a back-end server expects. Web objects can be moved from server to server without affecting the way the client accesses those objects.
A unified Web space simplifies the management of all resources for the system administrator. Additional administrative benefits include scalability, load balancing, and high availability.

Most commercial Web servers do not have the ability to define a logical Web object space. Instead, their access control is connected to the physical file and directory structure. WebSEAL junctions can transparently define an object space that reflects organizational structure rather than the physical machine and directory structure commonly encountered on standard Web servers.

WebSEAL junctions also allow you to create single signon solutions. A single signon configuration allows a user to access a resource, regardless of the resource’s location, using only one initial login. Any further login requirements from back-end servers are handled transparently to the user.

WebSEAL junctions are an important tool for making your Web site scalable. Junctions allow you to respond to increasing demands on a Web site by attaching additional servers.
Web space scalability

WebSEAL junctions are used to create a scalable Web space. As the demands on the Web space grow, more servers can easily be added to expand the capabilities of the site.

Additional servers can be added for the following reasons:

• To extend the Web space with additional content.
• To duplicate existing content for load balancing, failover capability, and high availability.

Replicated front-end WebSEAL servers

Junction support for back-end servers starts with at least one front-end WebSEAL server. Replicated front-end WebSEAL servers provide the site with load balancing during periods of heavy demand. The load balancing process is handled by a third-party device such as IBM Network Dispatcher or Cisco Local Director.

Front-end replication also provides the site with fail-over capability: if a server fails for some reason, the remaining replica servers will continue to provide access to the site. Successful load balancing and failover capability results in high availability for users of the site.

When you replicate front-end WebSEAL servers, each server must contain an exact copy of the Web space and the junction database.

Account information for authentication is located in a user registry that is independent of the front-end servers.

Junctioned back-end servers

Web site content can be served by the WebSEAL server itself, back-end servers, or a combination of both. WebSEAL junction support for back-end servers allows you to scale the Web site through additional content and resources.

Each unique back-end server must be junctioned to a separate junction (mount) point. As the demand for additional content grows, more servers can be added through junctions. This scenario provides a solution for networks that have a large existing investment in third-party Web servers.
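The logical-to-physical URL translation that junctions perform, the rule that each back-end server is attached at its own junction (mount) point, and the requirement that replicated front-end WebSEAL servers carry an identical junction database, as an added Python example. It is not IBM code and does not reproduce WebSEAL's junction implementation; Junction, JunctionDatabase, physical_url, same_junction_database and the example.com hosts are constructed for this illustration.

```python
"""Toy model of WebSEAL junctions: a junction database maps junction (mount)
points in the WebSEAL Web space to back-end servers, a request is matched to
the junction that owns its path, and the logical URL the client used is
translated into the physical URL the back-end expects.  Added illustration,
not IBM code; the class and function names are the example's assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class Junction:
    host: str
    port: int
    tls: bool = False   # whether the WebSEAL-to-back-end connection is encrypted


@dataclass
class JunctionDatabase:
    junctions: Dict[str, Junction] = field(default_factory=dict)

    def create(self, point: str, junction: Junction) -> None:
        """Each back-end server is attached at its own junction point.  A point
        must be an absolute sub-path of the root (WebSEAL's own Web space stays
        at '/' in this model) and cannot already be in use."""
        if len(point) < 2 or not point.startswith("/") or point.endswith("/"):
            raise ValueError(f"invalid junction point: {point!r}")
        if point in self.junctions:
            raise ValueError(f"junction point already in use: {point}")
        self.junctions[point] = junction

    def resolve(self, logical_path: str) -> Optional[Tuple[str, Junction, str]]:
        """Longest-prefix match on whole path segments, so '/app' owns
        '/app/x' but not '/application'.  Returns (point, junction, path
        relative to the point), or None for WebSEAL's local Web space."""
        best = None
        for point in self.junctions:
            if logical_path == point or logical_path.startswith(point + "/"):
                if best is None or len(point) > len(best):
                    best = point
        if best is None:
            return None
        return best, self.junctions[best], logical_path[len(best):] or "/"


def physical_url(db: JunctionDatabase, logical_url: str) -> Optional[str]:
    """From the URL the client used (WebSEAL host plus junction point) to the
    URL the back-end server receives.  Moving content between back-ends
    changes only the junction database, never the URLs clients hold."""
    parts = urlsplit(logical_url)
    hit = db.resolve(parts.path)
    if hit is None:
        return None
    _, junction, remainder = hit
    scheme = "https" if junction.tls else "http"
    query = f"?{parts.query}" if parts.query else ""
    return f"{scheme}://{junction.host}:{junction.port}{remainder}{query}"


def same_junction_database(*replicas: JunctionDatabase) -> bool:
    """Replicated front-end WebSEAL servers must hold identical junction
    databases; otherwise the same logical URL resolves differently depending
    on which replica the load balancer selected."""
    return all(r.junctions == replicas[0].junctions for r in replicas[1:])


def sample_database() -> JunctionDatabase:
    """Constructed sample: three back-ends behind one WebSEAL host."""
    db = JunctionDatabase()
    db.create("/app", Junction("app.example.com", 8080))
    db.create("/app/reports", Junction("reports.example.com", 8443, tls=True))
    db.create("/hr", Junction("hr.example.com", 80))
    return db


if __name__ == "__main__":
    db = sample_database()
    for url in ("https://webseal.example.com/app/orders/42?view=full",
                "https://webseal.example.com/app/reports/q1",
                "https://webseal.example.com/application",
                "https://webseal.example.com/index.html"):
        print(url, "->", physical_url(db, url))
```

The segment-boundary check in resolve is the detail worth noticing: a junction at /app must not capture a request for /application, or the wrong back-end (and the wrong access policy) would serve it. The same_junction_database check is the programmatic form of the replication rule above, where a replica missing one junction would answer the same logical URL from its own Web space instead.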