Configure digest authentication and TAI for Tivoli Directory Server

You can configure digest authentication and Trust Association Interceptor (TAI) for IBM Tivoli Directory Server. To configure digest authentication and TAI on WebSphere Application Server, you will need to:

• Install Tivoli Directory Server version 5.2

• Set up and activate Lightweight Third Party Authentication. For more information, see the Lightweight Third Party Authentication section.

• You also may want to refer to the section Configuring a custom trust association interceptor for more TAI information.

Overview

Procedure

1. To set up digest authentication, verify that Lightweight Third Party Authentication (LTPA) is configured for use on your server by selecting Security > Secure administration, applications, and infrastructure > Authentication mechanisms. In the Configuration tab on the Authentication mechanisms and expiration page you should see the Password field already filled in.

2. In the administrative console, click Security > Secure administration, applications, and infrastructure .

   1. Under Authentication, expand Web security and click on Trust association.

   2. On the Configuration tab, under General properties, make sure the Enable trust association box is checked. Then click Apply.

3. On the Interceptors page of the administration console look for com.ibm.ws.sip.security.digest.DigestTAI in the Interceptor class name list:

   1. If this class name in not present, click New to open the Configuration tab and enter com.ibm.ws.sip.security.digest.DigestTAI in the Interceptor class name field and click Apply. Then proceed to the following steps.

   2. If this interceptor class is present, you may proceed to set up a realm in digest authentication. To do this, click com.ibm.ws.sip.security.digest.DigestTAI > Custom Properties:

   3. Click OK.

4. Navigate through Security > Secure administration, applications, and infrastructure > Authentication mechanisms and expirationto the Configuration tab.

   1. In the Key generation section, click Generate Keys. (No import or export of the key is necessary.)

   2. Under the Cross-cell single sign-on section fill in the Password fields.

   3. Fill in the Internal server ID field.

   4. Click OK.

5. Click to Security > Secure administration, applications, and infrastructure.

   1. If the box Use Java 2 security to restrict application access to local resources is checked, click to deselect it.

   2. In the User account repository section of the page, select your LDAP registry from the Available realm definitions drop-down box.

   3. Click Set as current and then clickApply.

6. Save all changes.

7. Restart the server.

8. Be sure you see the following message appear in the SystemOut.log after the server has restarted:

   SECJ0121I: Trust Association Init class com.ibm.ws.sip.security.digest.DigestTAI loaded successfully

   If this message does not appear in the log, digest authentication has not been activated.