IBM WebSphere Application Server and WebSEAL integration

Integration options

There are several options for setting up Single Sign-On between WebSphere Application Server and Access Manager's WebSEAL.

 

Using Trust Association Interceptor (TAI)

We can set up the TAI in two ways:

  • With a trusted user
  • With a trusted connection

 

Trusted user

With this configuration, the TAI identifies the WebSEAL server using the Basic Authentication header. A trusted user is created in LDAP and the TAI is configured with that userID. Only the password (not the userID) is placed on the Basic Authentication header by WebSEAL. This represents a "shared secret" which only the TAI and the WebSEAL server know.

During runtime, the TAI examines the password and validates with the user registry that the password belongs to the trusted user. Because only WebSEAL knows this shared secret, the TAI can trust that it really is the WebSEAL server asserting the end user's identity. To set up the WebSEAL junction to use the Basic Authentication header to identify the WebSEAL server, use the -b supply option with the junction creation command. WebSEAL builds the Basic Authentication header using the password specified in the webseald.conf file (basicauth-dummy-passwd).

 

Trusted connection using mutual SSL

With this configuration, the WebSEAL server identifies and authenticates itself to the Web server using its own client-side certificate. In this case, the TAI does no further validation of the WebSEAL server hosts. This configuration is set in the TAI using the setting...

com.ibm.websphere.security.WebSEAL.mutualSSL=true

For the new TAI interface, also set the property...

com.ibm.websphere.security.webseal.checkViaHeader=false

With these settings the TAI validates the WebSEAL host using the hostname property and does no further validation. It assumes that the connection from WebSEAL to the application server is completely trusted.

Note: This setup requires an SSL junction. You set up an encrypted junction using SSL with client certificates.
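The following is an added model of the two trust decisions described above (trusted user and trusted connection); it is illustrative code written for this page, not IBM's TAI implementation. The trusted user id, hostname, registry contents and the iv-user header carrying the asserted end user are assumptions for the example.

```python
import base64
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed stand-in for the LDAP user registry: userid -> password.
REGISTRY = {"webseal_trusted": "s3cret-dummy-passwd", "alice": "alice-pw"}


@dataclass
class TaiConfig:
    trusted_user: str = "webseal_trusted"      # hypothetical trusted user created in LDAP
    mutual_ssl: bool = False                   # ...WebSEAL.mutualSSL
    check_via_header: bool = True              # ...webseal.checkViaHeader
    hostnames: Tuple[str, ...] = ("webseal.example.internal",)  # hypothetical hostname property


def registry_check(userid: str, password: str) -> bool:
    """Constant-time check of a password against the constructed registry."""
    expected = REGISTRY.get(userid)
    return expected is not None and hmac.compare_digest(expected, password)


def authenticate_webseal(headers: Dict[str, str], cfg: TaiConfig,
                         peer_host: str, client_cert_ok: bool) -> Optional[str]:
    """Return the end-user id asserted by WebSEAL if the request is trusted, else None."""
    if cfg.mutual_ssl:
        # Trusted connection: TLS already authenticated WebSEAL with its client
        # certificate; the TAI only checks the configured hostname.
        if not client_cert_ok or peer_host not in cfg.hostnames:
            return None
    else:
        auth = headers.get("authorization", "")
        if not auth.lower().startswith("basic "):
            return None
        try:
            decoded = base64.b64decode(auth[6:], validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            return None
        # Only the shared-secret password identifies WebSEAL. The password is
        # checked for the *configured* trusted user, never for whatever user
        # name arrived in the header, so a user's own password cannot be used
        # to impersonate WebSEAL.
        _, _, password = decoded.partition(":")
        if not registry_check(cfg.trusted_user, password):
            return None
    # Assumed header in which WebSEAL asserts the end user's identity.
    return headers.get("iv-user") or None
```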

 

Using Lightweight Third Party Authentication (LTPA)

With LTPA, you do not have to configure a TAI for the application server. Instead, you configure an LTPA junction.