Simple junctions


pdadmin is a command line utility for administration. The Tivoli Access Manager Web Portal Manager provides a graphical alternative. Before creating junctions, log in to the secure domain as the sec_master user ID as shown:

pdadmin -a sec_master
password: Enter your password for sec_master
pdadmin sec_master>

We can get a list of the configured WebSEAL servers by using the server list command:

pdadmin sec_master> server list
default-webseald-m23vnx61
 default-webseald-m10d9ffd
 ivacld-m23vnx61

From this server list output, choose the server on which the junction is to be created, for example default-webseald-m23vnx61. Three options are required to create a basic WebSEAL junction:

  • -h: host name of the junctioned backend server
  • -t: junction transport type; the options are tcp, ssl, tcpproxy, sslproxy and local
  • junction point name (for example /test)

The syntax for creating a basic junction is

server task webseal-instance_name create -t transport_type -h host_name jct_point_name

For example:

server task default-webseald-m23vnx61 create -t tcp -h bc2srv2.itso.ral.ibm.com /test

A junction can be configured to insert Tivoli Access Manager client identity and group information into HTTP headers by using the -c option. The backend server can then read this information from the HTTP headers. There are four values that can be used with -c (the names below are the values passed to -c, as in the examples that follow):

  • iv_user: passes the user's short name or long name; defaults to unauthenticated if the client is unauthenticated.
  • iv_user_l: passes the full Distinguished Name of the user.
  • iv_groups: passes a comma-separated list of the groups to which the client belongs.
  • iv_creds: passes an encoded opaque data structure representing an Access Manager credential. It is used by the new TAI to create a PDPrincipal object and insert that object into the Subject.

Note: -c all adds all of the four options mentioned above.

Several of these values can be given to -c in one list, separated by commas.

A junction can also be configured to supply the client identity in the Basic Authentication (BA) header by using the -b option when creating the junction. This is distinct from the -c option discussed above.

To configure a junction for use with the Trust Association Interceptor (TAI) of WebSphere Application Server, create the junction with the -b supply option, which inserts the dummy password configured in webseald.conf into the BA header. The WebSEAL TAI uses this dummy password to establish trust between the participating WebSEAL servers and WebSphere Application Servers.

The -f option forces a new junction to overwrite an existing junction mount point. Here is an example that uses the options described above:

server task default-webseald-m23vnx61 create -t ssl -h bc2srv2.itso.ral.ibm.com -f -c iv_user,iv_creds /test

This creates a new junction /test, overwriting the existing one. To view the details of a junction, use the server task <webseal server> show <junction-name> command:

pdadmin sec_master> server task default-webseald-m23vnx61 show /test
    Junction point: /test
    Type: TCP
    Junction hard limit: 0 - using global value
    Junction soft limit: 0 - using global value
    Active worker threads: 0
    Basic authentication mode: supply
    Forms based SSO: disabled
    Authentication HTTP header: insert - iv_user iv_creds
    Remote Address HTTP header: do not insert
    Stateful junction: no
    Boolean Rule Header: no
    Scripting support: yes
    Preserve cookie names: no
    Delegation support: no
    Mutually authenticated: no
    Insert WebSphere LTPA cookies: no
    Insert WebSEAL session cookies: no
    Request Encoding: UTF-8, URI Encoded
    Server 1:
        ID: f33eb906-28f1-11d9-9d0e-0002557c751d
        Server State: running
        Hostname: bc2srv2.itso.ral.ibm.com
        Port: 80
        Virtual hostname: bc2srv2.itso.ral.ibm.com
        Server DN:
        Query_contents URL: /cgi-bin/query_contents
        Query-contents: unknown
        Case insensitive URLs: no
        Allow Windows-style URLs: yes
        Total requests : 2437

If the network path between WebSEAL and the junctioned backend server is not otherwise protected, use an SSL junction (-t ssl) so that the traffic, including the inserted identity headers and the BA header, is protected in transit.
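As an added example (not code from the original page or from the Tivoli product), the following Python script parses a `server task ... show` listing like the one above and flags junction settings a security reviewer would question: a non-SSL transport, the TAI dummy password supplied over a non-SSL junction, and identity headers inserted with nothing that lets the backend confirm they came from WebSEAL. The sample listing is constructed, abbreviated from the output shown above.

```python
import re

# Constructed sample, abbreviated from the 'show /test' listing above (not a live capture).
SAMPLE_SHOW_OUTPUT = """\
    Junction point: /test
    Type: TCP
    Basic authentication mode: supply
    Authentication HTTP header: insert - iv_user iv_creds
    Mutually authenticated: no
    Server 1:
        ID: f33eb906-28f1-11d9-9d0e-0002557c751d
        Hostname: bc2srv2.itso.ral.ibm.com
        Port: 80
"""

def parse_junction_show(text):
    """Turn the 'Key: value' lines of a junction show listing into a dict.
    Lines indented under a 'Server N:' heading go into junction['servers']."""
    junction, servers, current, server_indent = {}, [], None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = (part.strip() for part in line.partition(":"))
        if re.fullmatch(r"Server \d+", key):
            current, server_indent = {}, indent
            servers.append(current)
        elif current is not None and indent > server_indent:
            current[key] = value
        else:
            current, junction[key] = None, value
    junction["servers"] = servers
    return junction

def audit_junction(junction):
    """Flag settings that weaken the trust a backend can place in WebSEAL's headers."""
    findings = []
    ssl = junction.get("Type", "").upper() == "SSL"
    inserts_identity = junction.get("Authentication HTTP header", "").startswith("insert")
    supplies_ba = junction.get("Basic authentication mode") == "supply"
    mutual = junction.get("Mutually authenticated") == "yes"
    if not ssl:
        findings.append("junction type is not SSL: traffic to the backend is unprotected in transit")
        if supplies_ba:
            findings.append("BA mode 'supply' over a non-SSL junction sends the TAI dummy password in clear")
    if inserts_identity and not (mutual or supplies_ba):
        findings.append("iv-* headers inserted with neither mutual authentication nor a supplied BA "
                        "password: the backend cannot tell these headers came from WebSEAL")
    return findings
```

Run `audit_junction(parse_junction_show(output))` over the output of each junction's show command to review all junctions of a WebSEAL instance in one pass.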