Chapter 4. Configuration and customization 117
Access Manager identity is passed back to WebSEAL, WebSEAL pulls the user
information from the Access Manager user registry and builds the credential.
If you configure Access Manager to use X.509 client certificates for
authentication, but the user does not have a certificate available, WebSEAL can
fall back to basic authentication, if required.
4.3.4 Failover authentication
WebSEAL provides an authentication method that preserves an authenticated
session between a client and WebSEAL when the WebSEAL server becomes
unavailable in a replicated server (fault-tolerant) environment. The method is
called failover authentication.
The purpose of failover authentication is to prevent a forced login when the
WebSEAL server that has established the original session with the client
suddenly becomes unavailable. Failover authentication enables the client to
connect to another WebSEAL server, and creates an authentication session
containing the same user session data and user credentials. This is supported
through a failover cookie.
Failover cookie
The failover cookie is a mechanism for transparently re-authenticating the user,
and is not actually a mechanism for maintaining sessions. Failover cookies
contain encrypted user authentication data that a WebSEAL server can use to
validate a user’s identity. The cdsso_key_gen utility is used to generate a key
pair that can secure the cookie data.
A failover cookie maintains the following information:
- User credential information
- Session inactivity timeout value
- Session lifetime timeout value
All other session state data, however, is not captured or maintained by failover
cookies. Failover cookie configuration requires the distribution of a shared secret
key to all of the WebSEAL servers in the cluster.
Failover cookies pose a greater security risk than normal session cookies. If an
attacker hijacks a session cookie, the session cookie is only valid until the
WebSEAL server deletes the associated session. Failover cookies are valid until
the lifetime or inactivity timeout in the failover cookie is reached. Failover cookies
do allow the enforcement of session lifetime timeouts, inactivity timeouts, and
pkmslogout. Failover cookies can also provide single sign-on across multiple
WebSEAL clusters in the same DNS domain.
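The validity argument above, as an added model that is not WebSEAL code and does not reproduce its cookie format: a cookie carrying the credential and both timeouts, checked by any replica that holds the shared key, beside an opaque session cookie that dies when the server deletes the session. The model authenticates the cookie with an HMAC under a constructed key rather than encrypting it, which is enough to show the validity window the text describes.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; in the model every replica in the cluster holds the same key.
SHARED_KEY = b"constructed-demo-key-not-a-real-secret"


def mint_failover_cookie(user, now, inactivity_timeout, lifetime_timeout, key=SHARED_KEY):
    """Model of a failover cookie: credential data plus both timeouts, bound to the shared key."""
    payload = {"user": user, "issued": now, "last_active": now,
               "inactivity_timeout": inactivity_timeout, "lifetime_timeout": lifetime_timeout}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def validate_failover_cookie(cookie, now, key=SHARED_KEY):
    """A replica rebuilds the session from the cookie alone; no server-side session lookup."""
    body, _, tag = cookie.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # tampered, or minted under a different key
    p = json.loads(base64.urlsafe_b64decode(body))
    if now - p["issued"] > p["lifetime_timeout"]:
        return None  # session lifetime timeout reached
    if now - p["last_active"] > p["inactivity_timeout"]:
        return None  # inactivity timeout reached
    return p["user"]


def compare_after_session_delete(now=1_000_000):
    """The window the text warns about: once the original server drops the session, the
    ordinary session cookie is dead, but the failover cookie validates until its timeouts."""
    sessions = {}  # ordinary session store: opaque id -> user
    sid = hashlib.sha256(b"constructed-session-id").hexdigest()[:16]
    sessions[sid] = "alice"
    fo = mint_failover_cookie("alice", now, inactivity_timeout=600, lifetime_timeout=3600)
    del sessions[sid]  # server-side session removed (e.g. pkmslogout or cleanup)
    return {
        "session_cookie_after_delete": sessions.get(sid),                          # None
        "failover_cookie_after_delete": validate_failover_cookie(fo, now + 300),   # "alice"
        "failover_cookie_after_inactivity": validate_failover_cookie(fo, now + 601),  # None
        "failover_cookie_other_key": validate_failover_cookie(fo, now + 300, key=b"other"),  # None
    }
```

The last entry shows why the shared key must reach every replica: a server without it rejects every failover cookie, which is the fail-closed behaviour you want if the key is rotated.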
