Chapter 4. Configuration and customization 129
You can create WebSEAL junctions with the pdadmin command-line utility or
with the Web Portal Manager. To create WebSEAL junctions, use the pdadmin
server task create command:
pdadmin> server task instance_name-webseald-host_name create options
You must address the following two concerns when creating any junction:
򐂰 Decide where to junction (mount) the Web application server in the WebSEAL
object space.
򐂰 Choose the type of junction.
You can create the following Standard WebSEAL junction types:
򐂰 WebSEAL to back-end server over TCP connection
򐂰 WebSEAL to back-end server over SSL connection
򐂰 WebSEAL to back-end server over TCP connection using HTTP proxy server
򐂰 WebSEAL to back-end server over SSL connection using HTTPS proxy
򐂰 WebSEAL to WebSEAL over SSL connection
WebSEAL junction information is stored in XML-formatted database files. The
location of the junction database directory is defined in the [junction] stanza of
the WebSEAL configuration file.
The directory is relative to the WebSEAL server root (server-root stanza entry in
the [server] stanza):
junction-db = jct
Each junction is defined in a separate file with an .xml extension. The XML format
allows you to manually create, edit, duplicate, and back up junction files, but the
best approach is to manage junctions with WPM or the pdadmin tool.
4.5.1 WebSEAL object space and authorization configuration
Every installation and initial configuration of WebSEAL creates a new object
container in the Policy Server object space. /WebSEAL/host-instance_name
represents the beginning of the Web space for a particular WebSEAL instance.
Along with the object space, default ACLs are created. The ACLs are attached to
the /WebSEAL container and named default-webseal. Default ACL entries for
this ACL are:
Group iv-admin Tcmdbsvarxl
Group webseal-servers Tgmdbsrxl
User sec_master Tcmdbsvarxl
130 Certification Study Guide: IBM Tivoli Access Manager for e-business 6.0
Any-other Trx
Unauthenticated T
The group webseal-servers contains an entry for each WebSEAL server in the
secure domain. The default permissions allow the servers to respond to browser
The creation of a junction causes the creation of a new junction object in the
Access Manager object space under the /WebSEAL/host-instance_name
branch. The name of the object is the same as the junction point name specified
in the junction creation command.
After creating a new junction it is always recommended to place an ACL on the
junction object that provides coarse-grained control over the back-end resources.
That ACL provides a general overall (coarse-grained) set of permissions for
every individual resource accessed through the junction.
After that you can provide additional fine-grained protection to the resources
accessed through the junction by explicitly placing ACLs on individual resource
objects or groups of objects. WebSEAL cannot automatically
see and understand
a back-end file system. The object space that WebSEAL protects needs to be
either manually defined, or the
query_contents program should be used.
WebSEAL ACL permissions
Table 4-5 describes the ACL permissions applicable for the WebSEAL region of
the object space.
Table 4-5 WebSEAL ACL permissions
Operation Description
r read View the Web object.
x execute Run the CGI program.
d delete Remove the Web object from the Web space.
m modify PUT an HTTP object. (Place - publish - an HTTP object in the WebSEAL
object space.)
l list Required by policy server to generate an automated directory listing of the
Web space. This permission also governs whether a client can see the
directory contents listing when the default .index.html. page is not present.
g delegation Assigns trust to a WebSEAL server to act on behalf of a client and pass
requests to a junctioned WebSEAL server.

Get Certification Study Guide: IBM Tivoli Access Manager for e-business 6.0 now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.