Chapter 4. Configuration and customization 161
The -b supply option instructs WebSEAL to supply the authenticated Tivoli
Access Manager user name (the client's original identity) together with a static,
generic ("dummy") password. The original client password is not used in this
scenario. The dummy password is specified in the [junction] stanza under
basicauth-dummy-passwd; by default it is set to dummy.
In this solution the same Tivoli Access Manager dummy password is used for all
requests, which means that all users have the same password in the back-end
server registry.
The use of the common dummy password offers no basis for the application
server to prove the legitimacy of the client logging in with that user name. If
clients always go through WebSEAL to access the back-end server, this solution
does not present any security problems. However, it is important to physically
secure the back-end server from other possible means of access.
Because sensitive authentication information (user name and password) is
passed across the junction, the security of the junction is important. Therefore,
an SSL junction is appropriate.
Supplying user names and passwords from GSO
This mechanism requires the -b gso junction option and is described in 4.9.1,
"Tivoli Global Sign-On (GSO) lockbox" on page 155.
The following conditions exist for this solution:
• The back-end server applications require different user names and
passwords that are not contained in the WebSEAL registry.
• Security is important for both WebSEAL and the back-end server.
4.9.4 Supplying identity information in HTTP headers
WebSEAL can be configured to provide information to a junctioned application
about user ID, groups, and resources the user has access to. That is
accomplished by supplying the values of defined HTTP variables:
iv-user      The user ID
iv-user-l    The client's LDAP distinguished name (DN)
iv-groups    The groups the user belongs to
iv-creds     The user's credentials in base64-encoded Privilege Attribute
             Certificate (PAC) format
162 Certification Study Guide: IBM Tivoli Access Manager for e-business 6.0
To send those variables in HTTP headers, the junction must be created with the
-c option, followed by one or more of these arguments:
• iv_user
• iv_user_l
• iv_groups
• iv_creds
To pass all HTTP variables except iv_user_l, use the all argument. For example:
-c all
You cannot use the all argument when you need to send both the iv_user and
iv_user_l headers. To pass all four header types across the junction, you must
specify all four header options individually:
-c iv_user,iv_user_l,iv_groups,iv_creds
The variables supplied in the HTTP stream map easily to the CGI environment
variables that a Web application can interpret. To support CGI programming,
each header name is transformed into CGI environment variable format by
replacing all dashes (-) with underscores (_) and prefixing the result with
"HTTP_". The Tivoli Access Manager-specific HTTP header entries are therefore
available to CGI programs as the following environment variables:
• HTTP_IV_USER
• HTTP_IV_USER_L
• HTTP_IV_GROUPS
• HTTP_IV_CREDS
Supplying client IP addresses in HTTP headers (-r)
The -r junction option inserts the client's IP address into the HTTP headers of
requests destined for junctioned application servers, so that applications on
junctioned third-party servers can act on that address. The option takes no
arguments; depending on the IP protocol version (4 or 6) of the client
connection, one of the following headers is set:
1. iv-remote-address, with the CGI equivalent HTTP_IV_REMOTE_ADDRESS
2. iv-remote-address-ipv6, with the CGI equivalent HTTP_IV_REMOTE_ADDRESS_IPV6
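As an added example (not from the study guide or from the product), a CGI-style back-end handler in Python that applies the header-to-environment-variable rule above and reads the iv-* identity headers and the -r address header, honoring them only when the request arrived from a trusted junction source, since the text notes these values give the back-end no proof of identity if it can be reached by any other path. The trusted source addresses, the sample environment and the quoted comma-separated iv-groups format are assumptions.

```python
import ipaddress
from typing import Optional

# Addresses that terminate the WebSEAL junction on this back-end. Constructed
# placeholders: a real deployment lists the WebSEAL hosts actually in front of it.
TRUSTED_JUNCTION_SOURCES = {"192.0.2.10", "2001:db8::10"}


def header_to_cgi_name(header: str) -> str:
    """CGI rule from the text: dashes become underscores, then prefix HTTP_."""
    return "HTTP_" + header.upper().replace("-", "_")


def parse_iv_groups(value: str) -> list:
    """Split an iv-groups value into group names. The comma-separated,
    double-quoted form is an assumption, not taken from the page."""
    return [g.strip().strip('"') for g in value.split(",") if g.strip()]


def identity_from_environ(environ: dict, peer_addr: str) -> Optional[dict]:
    """Build the caller's identity from WebSEAL-supplied CGI variables.

    Returns None unless the request came from a trusted junction source: a
    back-end reachable by any other path would otherwise accept whatever
    iv-* headers a client chose to send as proof of identity."""
    if peer_addr not in TRUSTED_JUNCTION_SOURCES:
        return None
    user = environ.get(header_to_cgi_name("iv-user"))
    if not user:
        return None
    # -r sets exactly one of the two remote-address headers, by IP version.
    remote = environ.get(header_to_cgi_name("iv-remote-address")) or \
        environ.get(header_to_cgi_name("iv-remote-address-ipv6"))
    try:
        client_ip = str(ipaddress.ip_address(remote)) if remote else None
    except ValueError:  # malformed address value: do not pass it downstream
        client_ip = None
    return {
        "user": user,
        "dn": environ.get(header_to_cgi_name("iv-user-l")),
        "groups": parse_iv_groups(environ.get(header_to_cgi_name("iv-groups"), "")),
        "client_ip": client_ip,
    }


# Constructed sample environment, as a CGI program behind a "-c all -r"
# junction would see it (all does not include iv_user_l, so no HTTP_IV_USER_L).
SAMPLE_ENVIRON = {
    "HTTP_IV_USER": "jdoe",
    "HTTP_IV_GROUPS": '"finance","webseal-users"',
    "HTTP_IV_REMOTE_ADDRESS": "198.51.100.7",
}
```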
Supplying the server name in a junction header
A header containing the URI-encoded authorization API administration server
name is passed to all junction servers. When no header name is specified, the
header is not sent to the junction.