Chapter 4. Configuration and customization 161
The -b supply option instructs WebSEAL to supply the authenticated Tivoli
Access Manager user name (client’s original identity) with a static, generic
(“dummy”) password. The original client password is not used in this scenario.
The dummy password is specified in the [junction] stanza under
basicauth-dummy-passwd and by default it is set to dummy.
In this solution the same Tivoli Access Manager dummy password is used for all
requests, which means that all users have the same password in the back-end
The use of the common dummy password offers no basis for the application
server to prove the legitimacy of the client logging in with that user name. If
clients always go through WebSEAL to access the back-end server, this solution
does not present any security problems. However, it is important to physically
secure the back-end server from other possible means of access.
Because sensitive authentication information (user name and password) is
passed across the junction, the security of the junction is important. Therefore,
an SSL junction is appropriate.
Supplying user names and passwords from GSO
This mechanism requires the -b gso junction option; it is described in 4.9.1,
“Tivoli Global Sign-On (GSO) lockbox” on page 155.
The following conditions exist for this solution:
The back-end server applications require different user names and
passwords that are not contained in the WebSEAL registry.
Security is important for both WebSEAL and the back-end server.
4.9.4 Supplying identity information in HTTP headers
WebSEAL can be configured to provide information to a junctioned application
about user ID, groups, and resources the user has access to. That is
accomplished by supplying the values of defined HTTP variables:
iv-user      The user ID
iv-user-l    The user’s LDAP distinguished name (DN)
iv-groups    The groups the user belongs to
iv-creds     The user’s credentials in base64-encoded Privilege Attribute Certificate (PAC) format
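These headers are only as trustworthy as the path they arrive on: as noted above for the dummy password, the back-end must not be reachable except through WebSEAL, because anyone who can send a request directly to it could set iv-user themselves. The following added example (not from the Redbook and not IBM code) shows a back-end consuming the iv-* headers only from a configured junction peer; the peer address, the quoting of iv-groups values and the "Unauthenticated" marker are assumptions, and the sample request is constructed.

```python
import base64
from dataclasses import dataclass, field

# Constructed value: the address WebSEAL uses on this junction. The back-end
# must take it from its own configuration, never from the request itself.
TRUSTED_JUNCTION_PEERS = {"10.0.0.5"}


@dataclass
class Identity:
    user: str
    dn: str = ""
    groups: list = field(default_factory=list)
    pac: bytes = b""


def parse_groups(value):
    """iv-groups is comma separated; each name may be double-quoted
    (assumed format). Returns a clean list of group names."""
    names = (g.strip().strip('"') for g in value.split(","))
    return [g for g in names if g]


def identity_from_request(headers, peer_addr):
    """Build an Identity from WebSEAL's iv-* headers.

    Returns None for an unauthenticated user and raises PermissionError when
    the request did not arrive over the junction, since a client that reaches
    the back-end directly could forge iv-user and iv-groups."""
    if peer_addr not in TRUSTED_JUNCTION_PEERS:
        raise PermissionError("iv-* headers are trusted only from the WebSEAL junction")
    h = {k.lower(): v for k, v in headers.items()}
    user = h.get("iv-user", "").strip()
    # Assumption: WebSEAL sends "Unauthenticated" in iv-user for anonymous users.
    if not user or user == "Unauthenticated":
        return None
    pac = b""
    if h.get("iv-creds"):
        # The PAC is opaque to this application; only the base64 transport
        # encoding is removed here.
        pac = base64.b64decode(h["iv-creds"], validate=True)
    return Identity(user=user, dn=h.get("iv-user-l", ""),
                    groups=parse_groups(h.get("iv-groups", "")), pac=pac)


# Constructed sample of the headers WebSEAL would forward over the junction.
SAMPLE_HEADERS = {
    "iv-user": "jsmith",
    "iv-user-l": "cn=jsmith,o=example,c=us",
    "iv-groups": '"engineering","oncall"',
    "iv-creds": base64.b64encode(b"PAC-bytes").decode(),
}
```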