Chapter 4. Configuration and customization 147
or removed from the path portion of URLs, as it is in junctions created without the
transparent path option.
WebSEAL must be configured with one transparent path junction for each unique
path that is held on each back-end server. This may mean that there are multiple
transparent path junctions to the same back-end server. When configuring
traditional junctions it is not recommended to have multiple junctions to the same
back-end server, but this restriction is lifted for transparent path junctions. The
restriction can be lifted because in the case of transparent path junctions, the
junction name is tightly linked to the resource path, so any absolute URL being
filtered can be matched uniquely to a transparent path junction.
In a case that we have two applications in the back-end server that do share a
common path we have two configuration options for the transparent path
1. Extend the transparent path junction name so it can be unique. A transparent
path junction name can contain more than one directory.
This technique is not going to work if you need to protect two instances of the
same application that are used for two different purposes. They will have the
exact same URLs in all cases, so there is no uniqueness in the paths at all to
distinguish them.
2. Use separate WebSEAL instances if you want to use transparent path
junctions for two applications that have the same URL paths.
In this case you are back to the issue of single sign-on, so perhaps virtual
host junctions would be more suitable for this application.
It is possible to use virtual host junctions, transparent path junctions, and
traditional path junctions all within the same WebSEAL instance.
1. WebSEAL will first check the Host header of requests to pick up the virtual
host junctions.
2. If the request doesn’t match a virtual host junction, it will then perform path
matching to discover if this is a transparent path or a traditional junction.
3. If none of the paths match any configured junctions, WebSEAL will assume
this is a traditional junction and will start looking for JMT matches or junction
cookies to identify the correct back-end server.
4.8 Advanced junction configuration
In this section we discuss some advanced junction configuration tasks, including:
򐂰 Mutually authenticated SSL junctions
򐂰 WebSEAL-to-WebSEAL junctions over SSL

Get Certification Study Guide: IBM Tivoli Access Manager for e-business 6.0 now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.