Chapter 4. Configuration and customization 149
argument that specifies the key-label of the required certificate as stored
in the WebSEAL key database.
b. Back-end server validates WebSEAL identity information in a Basic
Authentication (BA) header (–B, –U, –W).
Use the –B –U username –W password option to enable WebSEAL
authentication using basic authentication. In this type of configuration the
–b option does not work, because the –B option internally uses –b filter.
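The back-end side of the –B –U –W configuration, as an added example that is not code from this book or from Tivoli Access Manager: a hypothetical back-end application parses the BA header on a junctioned request and accepts it only if it carries the WebSEAL account. The account name and password are constructed values standing in for whatever was passed to –U and –W.

```python
import base64
import hmac

# Assumption: the username/password given to -U and -W when the junction
# was created. Both values are constructed for this example.
WEBSEAL_USER = "webseal-fe"
WEBSEAL_PASSWORD = "constructed-example-secret"

def make_header(user, password):
    """Build a BA header value (used only to construct the samples below)."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def parse_basic(header):
    """Return (username, password) from an Authorization value, or None if malformed."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64, bad padding and bad UTF-8
        return None
    user, sep, password = decoded.partition(":")  # password may itself contain ':'
    return (user, password) if sep else None

def is_webseal(header):
    """True only if the BA header carries the WebSEAL junction credentials."""
    creds = parse_basic(header)
    if creds is None:
        return False
    # Constant-time comparison of both fields, without short-circuiting.
    user_ok = hmac.compare_digest(creds[0].encode(), WEBSEAL_USER.encode())
    pass_ok = hmac.compare_digest(creds[1].encode(), WEBSEAL_PASSWORD.encode())
    return user_ok & pass_ok

if __name__ == "__main__":
    samples = {  # constructed Authorization header values
        "webseal": make_header(WEBSEAL_USER, WEBSEAL_PASSWORD),
        "wrong password": make_header(WEBSEAL_USER, "guess"),
        "other account": make_header("alice", "alice-pw"),
        "not base64": "Basic !!!",
        "missing header": None,
    }
    for name, value in samples.items():
        print(f"{name:15} -> {'accept' if is_webseal(value) else 'reject'}")
```

A request that reaches the back-end server without this header, or with any other account in it, did not come through the junction as configured and should be rejected.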
4.8.2 WebSEAL-to-WebSEAL junctions over SSL
Tivoli Access Manager supports SSL junctions between a front-end WebSEAL
server and a back-end WebSEAL server. Use the –C option with the create
command to junction the two WebSEAL servers over SSL and provide mutual
authentication. Additionally, the –C option enables single sign-on functionality
provided by the –c option.
The –c option allows you to place Tivoli Access Manager-specific client identity
and group membership information into the HTTP header of the request destined
for the back-end WebSEAL server.
Both WebSEAL servers must share a common user registry. This configuration
allows the back-end WebSEAL server to authenticate the front-end WebSEAL
server identity information.
If the WebSEAL-to-WebSEAL junction and the back-end application server
junction both use the –j junction option (for junction cookies), a naming conflict
can occur between the two junction cookies created by each of the two
WebSEAL servers. In this case, set the following parameter to yes in the
WebSEAL configuration file of the intermediary WebSEAL server:
hostname-junction-cookie = yes
4.8.3 Stateful junction
Back-end servers that run Web-enabled applications can be replicated in order
to improve performance through load sharing. By default, Tivoli Access Manager
balances back-end server load by distributing requests across all available
replicated servers. Tivoli Access Manager uses a least-busy algorithm. This
algorithm directs each new request to the server with the fewest connections
already in progress.
However, when WebSEAL processes a request over a stateful junction,
WebSEAL must ensure that all subsequent requests from that client during that