Certification Study Guide: IBM Tivoli Access Manager for e-business 6.0

Chapter 4. Configuration and customization 127

Additional entries can be placed in any order.

For example, to enable authentication strength levels for certificate authentication

at the highest level, the completed stanza entry would be:

[authentication-levels]

level = unauthenticated

level = password

level = ssl

In this example, SSL authentication needs to be configured in

delayed certificate

authentication mode

since the user is not required to authenticate with a

certificate at session start-up. The user can later initiate certificate authentication.

Delayed certificate authentication mode is enabled in WebSEAL by configuring

the following stanza:

[certificate]

accept-client-certs = prompt_as_needed

4.4.5 External authentication interface (EAI)

Tivoli Access Manager provides an external authentication interface that enables

you to extend the functionality of the WebSEAL authentication process. The

external authentication interface allows third-party systems to supply an

authenticated identity to WebSEAL and Web-server Plug-ins. The identity

information is then used to generate a credential. This extended authentication

functionality is similar to the existing custom authentication module capability

provided by the Web security external authentication C API (formerly known as

CDAS). However, the external authentication interface allows the user identity to

be supplied in HTTP response headers rather than through the authentication

module API interface.

EAI is described in more detail in Chapter 5, “Programming” on page 181.

4.4.6 No authentication

Any user who can reach WebSEAL belongs to the group of unauthenticated

users. This group can also get certain permissions.

Important: To successfully perform step-up authentication you need to

disable the use of SSL session IDs to track session state. Verify the default

value for the ssl-id-sessions for the [sessions] stanza entry in the

WebSEAL configuration file. In this case, SSL IDs cannot be used to maintain

user sessions because when the user is prompted for a certificate, the user’s

SSL ID will change.

Get Certification Study Guide: IBM Tivoli Access Manager for e-business 6.0 now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Certification Study Guide: IBM Tivoli Access Manager for e-business 6.0 by Axel Buecker, Vladimir Jeremic