[V5.1.1 and later] Configuring WebSEAL or custom trust association interceptors


Overview

These steps are required to use either the WebSEAL trust association interceptor or your own trust association interceptor with a reverse proxy security server.

  1. Access the administrative console by typing http://localhost:9090/admin in a Web browser.

  2. Click Security > Authentication mechanisms > LTPA in the left navigation panel.

  3. Click Trust Association under Additional Properties.

  4. Select the Trust Association Enabled option.

  5. Click Interceptors under Additional Properties. The default value appears.

  6. [V5.1] Click com.ibm.ws.security.web.WebSealTrustAssociationInterceptor if you are using the WebSEAL interceptor. This interceptor is the default value. To use a different interceptor, complete the following steps:

    1. Click New.

    2. Type the name of the interceptor into the Interceptor Classname field.

    3. Click OK.

    4. Click the name of the new interceptor.

  7. [V5.1.1 and later] Click New.

  8. [V5.1.1 and later] Type com.ibm.ws.security.web.TAMTrustAssociationInterceptorPlus into the Interceptor Classname field if you are using the new WebSEAL interceptor.

  9. Click OK.

  10. Click Custom Properties under Additional Properties.

  11. Click New to enter the property name and value pairs. The name and value pairs for the WebSEAL server follow. For a new interceptor, enter the name and value pairs that correspond to your interceptor.

    com.ibm.websphere.security.webseal.mutualSSL

    Use this property to configure the trust association interceptor so that trust with the reverse proxy is already validated using a mutually-authenticated Secure Sockets Layer (SSL) connection. If the value of the mutual SSL property is true, then authentication is not performed for the single signon (SSO) user.

    [V5.1.1 and later] Therefore, if the value of the mutual SSL property is true, then the com.ibm.websphere.security.webseal.loginId property and the Single sign-on password expiry property do not have any influence.

    Note: When you set this property to true, the login ID and header password combination is not verified. It is recommended that you use some form of transport level filtering so that the connections to WebSphere Application Server are Secure Sockets Layer (SSL) connections originating from WebSEAL only.

    Default: False
    Range: True or false

    com.ibm.websphere.security.webseal.loginId

    Use this property to configure the trust association interceptor using the user name of the WebSEAL trusted user. This user is the single signon (SSO) user that is authenticated using the password in the basic authentication header that is inserted in the request by WebSEAL. The format of the user name is the short name representation. This property is mandatory; if the property is not set in WebSphere Application Server, then the trust association interceptor initialization fails.

    Data type: String

    com.ibm.websphere.security.webseal.id

    Use this property to configure the trust association interceptor to ensure that the specified headers exist in the request. If not all of the configured headers exist in the request, then trust cannot be established. This property is mandatory and there is no default value. If this property is not set, the trust association initialization fails.

    Data type: Comma separated list of strings

    com.ibm.websphere.security.webseal.hostnames

    Use this property to list any hosts that are trusted. WebSphere Application Server depends upon the value of the com.ibm.websphere.security.webseal.viaDepth and the com.ibm.websphere.security.webseal.ignoreProxy properties to determine whether to trust requests that arrive from hosts listed in this property. If a host is not listed in this property, then WebSphere Application Server might not trust requests arriving from that host. The host names are case-sensitive. The VIA request header also includes the proxy host names (if any) unless the com.ibm.websphere.security.webseal.ignoreProxy property is set to true.

    Data type: Comma separated list of strings

    com.ibm.websphere.security.webseal.ports

    Use this property to list the port numbers of any hosts that are trusted. WebSphere Application Server depends upon the value of the com.ibm.websphere.security.webseal.viaDepth and the com.ibm.websphere.security.webseal.ignoreProxy properties to determine whether to trust requests that arrive from ports listed in this property. If a port is not listed in this property, then WebSphere Application Server might not trust any requests arriving from that port. The VIA request header also includes the proxy ports (if any) unless the com.ibm.websphere.security.webseal.ignoreProxy property is set to true.

    Data type: Comma separated list of integers

    com.ibm.websphere.security.webseal.viaDepth

    Use this property to configure the trust association interceptor to check only a specified number of source hosts in the VIA header to ensure that those hosts are trusted sources. By default, every host in the VIA header is checked for trust, and if any of the hosts are not trusted, then trust is not established. If not all of the hosts in the VIA header need to be trusted, then you can set the com.ibm.websphere.security.webseal.viaDepth property to indicate the number of hosts that are required to be trusted.

    For example:

    Via: HTTP/1.1 webseal1:7002, 1.1 webseal2:7001

    If the com.ibm.websphere.security.webseal.viaDepth property is not set, is set to 2, or is set to 0, and a request with the above VIA header is received, then both webseal1:7002 and webseal2:7001 need to be trusted.

    • com.ibm.websphere.security.webseal.hostnames = webseal1,webseal2

    • com.ibm.websphere.security.webseal.ports = 7002,7001

    If the via depth property is set to 1 and the above request is received, then only the last host in the VIA header needs to be trusted.

    • com.ibm.websphere.security.webseal.hostnames = webseal2

    • com.ibm.websphere.security.webseal.ports = 7001

    If the via depth property is set to 0, then all of the hosts in the VIA header are checked for trust.

    If the via depth property is set to a negative value and the check VIA header property is set to true, then the trust association interceptor initialization fails.

    Default: 1

    com.ibm.websphere.security.webseal.ignoreProxy

    Use this property to configure the trust association interceptor so that any hosts in the VIA header that are proxies do not need to be trusted hosts. This property works by checking the comments field of the host entry in the VIA header to see if that host is a proxy. This process is not a fail-safe method, because not all proxies insert comments in the VIA header to indicate that they are proxies.

    If this optional property is set to true or yes, it ignores the proxy host names and ports in the VIA header. By default, this property is set to false.

    Default: False
    Data type: String
    Range: True, false, yes, no
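    The interaction between the viaDepth, hostnames, ports and ignoreProxy properties is easier to see in code. The following Python model is an added example, not WebSphere or WebSEAL code: it parses a VIA header the way the property descriptions above describe and reproduces the documented outcomes for the sample header (depth 0 or 2 checks both hops, depth 1 checks only the last hop, a negative depth fails initialization). Because the text above describes the "not set" case as checking every host while the listed default is 1, the model takes an explicit depth value instead of choosing a default. How the product matches the VIA comment field to identify a proxy is not stated on the page; the model assumes a parenthesized comment containing the word "proxy", and treats a hop with no port as untrusted, both of which are assumptions made here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample VIA header, taken from the viaDepth description above.
SAMPLE_VIA = "HTTP/1.1 webseal1:7002, 1.1 webseal2:7001"

# One VIA entry: [protocol/]version received-by[:port] [(comment)]
_ENTRY = re.compile(
    r"^(?:(?P<proto>[A-Za-z]+)/)?(?P<version>[\w.]+)\s+"
    r"(?P<host>[^\s:(]+)(?::(?P<port>\d+))?"
    r"(?:\s*\((?P<comment>[^)]*)\))?$"
)


@dataclass
class ViaHop:
    host: str
    port: Optional[int]
    comment: str


def parse_list(value: str) -> List[str]:
    """Split a comma separated property value such as 'webseal1,webseal2'."""
    return [item.strip() for item in value.split(",") if item.strip()]


def parse_via(header: str) -> List[ViaHop]:
    """Parse the hops of a VIA header in order (first proxy first)."""
    hops = []
    for raw in header.split(","):
        raw = raw.strip()
        if not raw:
            continue
        match = _ENTRY.match(raw)
        if match is None:
            raise ValueError(f"unparseable VIA entry: {raw!r}")
        port = int(match.group("port")) if match.group("port") else None
        hops.append(ViaHop(match.group("host"), port, match.group("comment") or ""))
    return hops


def is_trusted(via_header: str, hostnames: List[str], ports: List[int],
               via_depth: int, ignore_proxy: bool = False) -> bool:
    """Decide whether the hops in the VIA header establish trust.

    via_depth == 0 checks every hop, via_depth > 0 checks only the last
    via_depth hops, and a negative via_depth corresponds to the failed
    interceptor initialization described on the page.
    """
    if via_depth < 0:
        raise ValueError("negative viaDepth: trust association interceptor initialization fails")
    hops = parse_via(via_header)
    if ignore_proxy:
        # Assumption: a hop whose VIA comment mentions "proxy" is a proxy and is skipped.
        hops = [hop for hop in hops if "proxy" not in hop.comment.lower()]
    to_check = hops if via_depth == 0 else hops[-via_depth:]
    for hop in to_check:
        if hop.host not in hostnames:      # host names are case-sensitive
            return False
        if hop.port is None or hop.port not in ports:  # assumption: no port means untrusted
            return False
    return True


if __name__ == "__main__":
    both = (parse_list("webseal1,webseal2"), [7002, 7001])
    last = (parse_list("webseal2"), [7001])
    print("depth 0, both listed:", is_trusted(SAMPLE_VIA, *both, via_depth=0))
    print("depth 1, last listed:", is_trusted(SAMPLE_VIA, *last, via_depth=1))
    print("depth 2, last listed:", is_trusted(SAMPLE_VIA, *last, via_depth=2))
```

    Run stand-alone, the script prints True, True and False for the three cases, matching the outcomes the viaDepth description gives for the sample header. A second header with a commented proxy hop, such as `1.1 cache1:8080 (squid proxy), 1.1 webseal2:7001`, is trusted with ignore_proxy=True and rejected with ignore_proxy=False when only webseal2:7001 is listed, which is the "not fail-safe" point above: a proxy that omits the comment is still checked against the trusted lists.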

    com.ibm.websphere.security.webseal.configURL [V5.1.1 and later]

    Use this property to configure the trust association interceptor to be able to establish trust for a request. The property requires that SvrSslCfg has run for the WebSphere Java Virtual Machine (JVM) resulting in a properties file being created. If the configuration is to occur across multiple WebSphere Application Servers in a Network Deployment environment, then the properties file generated during server SSL configuration must be in the same location on all servers. This location must be the same relative to the WebSphere Application Server install directory if the ${WAS_INSTALL_ROOT} variable is used.

    For example:

    com.ibm.websphere.security.webseal.configURL = ${WAS_INSTALL_ROOT}\java\jre\PdPerm.properties

    When you use the previous property in a Network Deployment environment, the properties file generated during server SSL configuration must be located in the java\jre location relative to the WebSphere Application Server installation directory on all servers.

    This property is mandatory and there is no default value. If this property is not set, the trust association interceptor initialization fails.

    Data type: String

    com.ibm.websphere.security.webseal.ssoPwdExpiry [V5.1.1 and later]

    Use this property so that the trust association interceptor does not need to re-authenticate the single signon user with Tivoli Access Manager for every request. After trust is established for the request, the password for the single signon user is cached for use with subsequent requests for trust validation. Therefore, you might find an increase in performance. You can modify the cache timeout period by setting the single signon password expiry property to the required time in seconds. If the password expiry property is set to 0, the cached password never expires. If the password expiry is set to a negative value, then the trust association interceptor initialization fails.

    Data type: Positive integer

  12. Click OK.


Results

Enables trust association.


Example

  1. The browser makes a request for a secured WebSphere resource.

  2. The WebSEAL server sends back a challenge, either an HTTP basic authentication or a form-based challenge.

  3. A user name and password are supplied.

  4. The WebSEAL product authenticates the user to Lightweight Directory Access Protocol (LDAP).

  5. The modified request is forwarded by the WebSEAL product to the WebSphere Application Server.

  6. The plug-in TAI establishes trust between WebSphere Application Server and the WebSEAL server by using the negotiateAndValidateEstablishedTrust method.

  7. The plug-in extracts the end-user credentials from the iv-creds header field and passes it to WebSphere Application Server for authorization.


What to do next

  1. If you are enabling security, make sure that you complete the remaining steps for enabling security.

  2. Save, stop and restart all of the product servers (deployment managers, nodes and Application Servers) for the changes to take effect.

Related concepts
Web component security
Trust Associations
Related tasks
Configuring global security
Related reference
Trust association interceptor support for Subject creation [V5.1.1 and later]
Trust association settings
Trust association interceptor collection