160 Certification Study Guide: IBM Tivoli Access Manager for e-business 6.0
Passing an unchanged basic authentication header
WebSEAL can be configured to pass the received basic authentication data
unchanged to the junctioned application. If Access Manager and the application
share the same LDAP registry, Access Manager authenticates a user against the
same LDAP attributes as an application performing a regular LDAP bind (that is,
using a main user ID and password). In this case, there is no need to maintain
the GSO attributes of a user, and the main password may be encrypted.
However, basic authentication is then the only authentication method WebSEAL
can use, because WebSEAL must receive the BA header values from the client in
order to pass them through.
The -b ignore option instructs WebSEAL to pass the original client basic
authentication (BA) header straight to the back-end server without interference.
Because sensitive authentication information (user name and password) is
passed across the junction, the security of the junction is important. An SSL
junction is most appropriate.
Junction without BA authentication information
This may be useful if WebSEAL does all of the authentication and authorization
and there is no need to forward any information to the back-end servers.
This scenario seems applicable either for servers without any reliable security
functions or where there is no need for extra back-end authentication and
authorization (for example, providing only static Web pages). Nevertheless, this
approach requires full trust toward WebSEAL, and the back-end servers should
be configured to accept only incoming requests from WebSEAL.
The junction needs to be configured with the -b filter option to remove all basic
authentication header information from any client requests before forwarding the
requests to the back-end server. In this scenario, WebSEAL becomes the single
security provider.
If the back-end server needs to have some client information, this option can be
combined with the -c option to insert Tivoli Access Manager client identity
information into HTTP header fields. This option is described in 4.9.4, "Supplying
identity information in HTTP headers" on page 161.
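The following Python model, added here as an illustration and not taken from the study guide or from WebSEAL itself, shows what the back-end server receives under the -b ignore and -b filter junction modes described above, with -c iv-user header insertion modelled for the filter case. The request headers, user name and password are constructed sample values; only the iv-user identity header is modelled.

```python
import base64
from typing import Dict, List, Optional, Tuple

# Constructed sample: the request WebSEAL received from the browser after
# basic-auth login (user name and password are made up for this example).
CLIENT_REQUEST = {
    "Host": "www.example.com",
    "Authorization": "Basic " + base64.b64encode(b"alice:s3cret").decode(),
}

def parse_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from a Basic Authorization header, else None."""
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        user, _, pwd = base64.b64decode(header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user, pwd

def junction_forward(request: Dict[str, str], b_mode: str,
                     c_headers: Tuple[str, ...] = ()) -> Dict[str, str]:
    """Compute the headers WebSEAL forwards across the junction.

    b_mode mirrors -b: 'ignore' passes the client BA header through
    unchanged, 'filter' strips it. c_headers mirrors -c: identity header
    fields WebSEAL inserts (this model only supports iv-user).
    """
    creds = parse_basic(request.get("Authorization"))
    if creds is None:
        raise PermissionError("WebSEAL could not authenticate the client")
    # Start from a copy without the client's Authorization header.
    outbound = {k: v for k, v in request.items() if k.lower() != "authorization"}
    if b_mode == "ignore":
        outbound["Authorization"] = request["Authorization"]  # password crosses
    elif b_mode != "filter":
        raise ValueError(f"mode not modelled in this example: {b_mode}")
    if "iv-user" in c_headers:
        outbound["iv-user"] = creds[0]  # identity only, no password
    return outbound

def junction_findings(b_mode: str, junction_type: str) -> List[str]:
    """Review findings for a junction definition (-b mode and -t type)."""
    findings = []
    if b_mode == "ignore" and junction_type != "ssl":
        findings.append("client password crosses a non-SSL junction; use -t ssl")
    if b_mode == "filter":
        findings.append("back end must accept requests only from WebSEAL")
    return findings
```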
Providing client identity with a generic password
This scenario assumes that the back-end server requires authentication from a
Tivoli Access Manager identity. By mapping a client user to a known Tivoli
Access Manager user, WebSEAL manages authentication for the back-end
server and provides a simple domain-wide single sign-on solution.