116 Certification Study Guide: IBM Tivoli Access Manager for e-business 6.0
with the user name and password included in the BA header of the HTTP
request. WebSEAL extracts this information from the header and uses it to verify
the user’s identity. In this case, a specific library shipped with Access Manager
implements a built-in authentication service and performs a check against the
Access Manager user registry. If successful, a credential is created and cached.
After a user has authenticated with an ID and password through the browser, the
browser caches this information in memory and sends it with each subsequent
request to the same server. Even if a session log-out parameter is configured,
which is possible for HTTPS sessions, the browser automatically logs the user on
to WebSEAL again with each new request it sends. The only way to clear this
cache (and log the current user out) is to close all browser windows.
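The BA exchange just described, as an added example in Go that is not code from this Redbook or from Access Manager: a handler that extracts the ID and password from the Authorization: Basic header and checks them against a constructed stand-in registry, plus a small browser model that caches the header after the first challenge and replays it with every later request. The registry contents, the realm string and the request paths are assumptions made for the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed stand-in for the Access Manager user registry (user -> SHA-256 of password);
// a real registry is LDAP-backed. The map only lets the example run offline.
var registry = map[string][32]byte{"alice": sha256.Sum256([]byte("correct horse"))}

// verifyUser is the registry check the built-in authentication service performs.
func verifyUser(user, password string) bool {
	want, ok := registry[user]
	got := sha256.Sum256([]byte(password))
	return ok && subtle.ConstantTimeCompare(want[:], got[:]) == 1
}

// basicAuthHandler plays WebSEAL's part: extract the ID and password from the BA header,
// check them against the registry, and re-issue the challenge on failure.
func basicAuthHandler(w http.ResponseWriter, r *http.Request) {
	user, pass, ok := r.BasicAuth() // decodes "Authorization: Basic base64(user:password)"
	if !ok || !verifyUser(user, pass) {
		w.Header().Set("WWW-Authenticate", `Basic realm="WebSEAL"`)
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	fmt.Fprintf(w, "hello %s", user)
}

// baBrowser models the browser behaviour the text describes: after the user answers the
// first challenge, the ID and password stay in memory and go out with every later request.
type baBrowser struct {
	user, pass string
	cached     bool
}

func (b *baBrowser) get(path string) int {
	req := httptest.NewRequest("GET", path, nil)
	if b.cached {
		req.SetBasicAuth(b.user, b.pass)
	}
	rec := httptest.NewRecorder()
	basicAuthHandler(rec, req)
	if rec.Code == http.StatusUnauthorized && !b.cached { // challenge: the user types credentials once
		b.cached = true
		return b.get(path)
	}
	return rec.Code
}

// baSession returns the status codes of three page requests from one browser. Once the
// header is cached there is no server-side session to end: every request re-authenticates
// from the replayed header, and only closing the browser clears the cached ID and password.
func baSession(user, pass string) []int {
	b := &baBrowser{user: user, pass: pass}
	return []int{b.get("/"), b.get("/app"), b.get("/after-supposed-logout")}
}

func main() {
	fmt.Println(baSession("alice", "correct horse")) // [200 200 200]
	fmt.Println(baSession("alice", "wrong"))         // [401 401 401]
}
```

With the right password all three requests succeed although the server keeps no state between them; with a wrong password each request is refused and challenged again, which is the behaviour a user sees as a repeated prompt.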
4.3.2 Forms-based login with user ID and password
The alternative to using basic authentication is to use forms-based login. Rather
than send a basic authentication challenge in response to a client request,
WebSEAL responds with a sign-in form in HTML format. The client browser
displays this and the user fills in a user ID and password. When the user clicks
the send or logon button, the form is returned to WebSEAL using an HTTP POST
request. WebSEAL extracts the information and uses it to verify the user’s
identity through the Access Manager authentication service, where it performs a
check against the Access Manager user registry.
Since the user ID and password information is not cached on the browser, it
becomes possible to perform a programmatic logout for the user. On a client
request, WebSEAL presents a customized logout form to a user. After the user
confirms the logout, the session is considered closed and the credential is
deleted from the WebSEAL cache.
Another benefit of using the forms-based login process is that you can enforce a
time-based logout for authenticated sessions. The time values can be
customized in the WebSEAL configuration files.
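The forms-based login, programmatic logout and time-based logout described above, as an added Go example that is not part of this Redbook and not Access Manager's code. The /login and /logout paths, the SESSION cookie, the form field names, the registry contents and the 10-minute TTL are assumptions for the example; WebSEAL's own login and logout URIs, cookie and configuration values differ. The clock is injected so the TTL expiry can be shown without waiting.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)

// Constructed registry stand-in (user -> SHA-256 of password); a real one is LDAP-backed.
var registry = map[string][32]byte{"alice": sha256.Sum256([]byte("correct horse"))}

func verifyUser(user, password string) bool {
	want, ok := registry[user]
	got := sha256.Sum256([]byte(password))
	return ok && subtle.ConstantTimeCompare(want[:], got[:]) == 1
}

type cred struct{ user string; expires time.Time }

// Stand-in for the WebSEAL credential cache (session ID -> credential) with an injectable
// clock so the time-based logout can be shown without waiting; no locking (demo only).
var (
	sessions   = map[string]cred{}
	sessionTTL = 10 * time.Minute
	now        = time.Now
)

func newSession(user string) string {
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		panic(err)
	}
	sid := hex.EncodeToString(id)
	sessions[sid] = cred{user, now().Add(sessionTTL)}
	return sid
}

// formsMux is the forms-based flow; /login, /logout, the cookie and the field names are
// hypothetical stand-ins, not WebSEAL's own. A GET on /login would serve the HTML sign-in form.
func formsMux() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/login", func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost || !verifyUser(r.FormValue("username"), r.FormValue("password")) {
			http.Error(w, "login failed", http.StatusUnauthorized)
			return
		}
		http.SetCookie(w, &http.Cookie{Name: "SESSION", Value: newSession(r.FormValue("username")), Path: "/", HttpOnly: true, Secure: true})
	})
	mux.HandleFunc("/logout", func(w http.ResponseWriter, r *http.Request) {
		if c, err := r.Cookie("SESSION"); err == nil {
			delete(sessions, c.Value) // programmatic logout: the credential leaves the cache
		}
	})
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		if c, err := r.Cookie("SESSION"); err == nil {
			if cr, ok := sessions[c.Value]; ok && now().Before(cr.expires) {
				fmt.Fprintf(w, "hello %s", cr.user)
				return
			}
			delete(sessions, c.Value) // unknown or past its TTL: time-based logout
		}
		http.Redirect(w, r, "/login", http.StatusFound)
	})
	return mux
}

// call drives the handler in-process and returns the status plus any cookie it set.
func call(h http.Handler, method, path, body string, cookie *http.Cookie) (int, *http.Cookie) {
	req := httptest.NewRequest(method, path, strings.NewReader(body))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if cookie != nil {
		req.AddCookie(cookie)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	if cs := rec.Result().Cookies(); len(cs) > 0 {
		return rec.Code, cs[0]
	}
	return rec.Code, nil
}

// formsFlow returns the status codes for: login, the protected page, the same page after
// /logout, and a fresh session's page once the clock has passed the TTL.
func formsFlow(user, pass string) []int {
	clock := time.Unix(0, 0) // constructed fixed clock
	now = func() time.Time { return clock }
	h := formsMux()
	form := url.Values{"username": {user}, "password": {pass}}.Encode()
	loginCode, sess := call(h, "POST", "/login", form, nil)
	page, _ := call(h, "GET", "/", "", sess)
	call(h, "GET", "/logout", "", sess)
	afterLogout, _ := call(h, "GET", "/", "", sess)
	_, sess2 := call(h, "POST", "/login", form, nil)
	clock = clock.Add(sessionTTL + time.Second)
	afterTimeout, _ := call(h, "GET", "/", "", sess2)
	return []int{loginCode, page, afterLogout, afterTimeout}
}
```

formsFlow("alice", "correct horse") returns [200 200 302 302]: the login succeeds, the cached credential serves the page, the page is refused after the logout request deleted the credential, and a fresh session is refused once the clock passes the TTL. A wrong password gives [401 302 302 302]. The contrast with basic authentication is that both logouts act on server-side state that WebSEAL controls, so nothing has to be cleared from the browser.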
4.3.3 Authentication with X.509 client certificates
In response to a certificate request from WebSEAL, as part of the SSL Version 3
tunnel negotiation, the browser prompts the user to select a certificate from the
local certificate store or smartcard. The user is asked for a password to access
the private key. When the user has selected a certificate, it is passed to
WebSEAL, which uses the certificate authentication library to check the
signature of the client certificate. It also checks the validity period to ensure that
the certificate has not expired. Assuming that the certificate is valid, the identity
in the certificate is mapped (one-to-one) to an Access Manager identity. After the
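The certificate checks this section describes (signature chain back to a trusted CA, validity period, then a one-to-one mapping of the certificate identity to an Access Manager identity), as an added Go example that is not from this Redbook or from the Access Manager certificate authentication library. The CA and client certificates are generated in memory and labelled constructed; the CN-to-user table, the serial numbers, the CA names and the validity windows are assumptions for the example, and WebSEAL's own mapping configuration is not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed one-to-one map from certificate subject CN to an Access Manager user;
// WebSEAL's real mapping is configured separately. This table only lets the example run.
var certIdentityMap = map[string]string{"alice": "alice"}

// authenticateCert does what the text describes: check the validity period, check the
// signature chain against the trusted CA, then map the certificate identity to a user.
func authenticateCert(cert *x509.Certificate, roots *x509.CertPool, at time.Time) (string, error) {
	if at.Before(cert.NotBefore) || at.After(cert.NotAfter) {
		return "", fmt.Errorf("certificate for %q is outside its validity period", cert.Subject.CommonName)
	}
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil { // signature chain, CA constraints, key usage
		return "", fmt.Errorf("signature check failed: %w", err)
	}
	user, ok := certIdentityMap[cert.Subject.CommonName]
	if !ok {
		return "", fmt.Errorf("no Access Manager identity mapped for %q", cert.Subject.String())
	}
	return user, nil
}

// issue builds a constructed certificate for cn (in memory, offline). With parent == nil
// it is a self-signed CA; otherwise a client certificate signed by parent's key.
func issue(serial int64, cn string, notBefore, notAfter time.Time, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		tmpl.ExtKeyUsage = nil
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// scenario builds the constructed PKI and runs one case; it returns the mapped user or the rejection.
func scenario(name string) (string, error) {
	now := time.Now()
	trustedCA, trustedKey := issue(1, "Constructed Trusted CA", now.Add(-time.Hour), now.Add(24*time.Hour), nil, nil)
	strangerCA, strangerKey := issue(2, "Constructed Untrusted CA", now.Add(-time.Hour), now.Add(24*time.Hour), nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA) // only this CA is trusted; the stranger CA is not in the pool
	ca, key, cn, notBefore, notAfter := trustedCA, trustedKey, "alice", now.Add(-time.Hour), now.Add(time.Hour)
	switch name {
	case "valid":
	case "expired":
		notBefore, notAfter = now.Add(-2*time.Hour), now.Add(-time.Hour)
	case "untrusted-issuer":
		ca, key = strangerCA, strangerKey
	case "unmapped":
		cn = "mallory"
	default:
		return "", fmt.Errorf("unknown scenario %q", name)
	}
	cert, _ := issue(100, cn, notBefore, notAfter, ca, key)
	return authenticateCert(cert, roots, now)
}

func main() {
	for _, s := range []string{"valid", "expired", "untrusted-issuer", "unmapped"} {
		user, err := scenario(s)
		fmt.Printf("%-17s user=%q err=%v\n", s, user, err)
	}
}
```

Only the "valid" case yields a user; an expired certificate, one signed by a CA that is not in the trust store, and a valid certificate whose subject has no mapped identity are each rejected before any credential would be built. The explicit validity-period test comes first because it gives a clearer reason than the generic chain-verification error, although the chain verification would also catch it.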