176 Certification Study Guide: IBM Tivoli Access Manager for e-business 6.0
4.11.1 WebSEAL Session Management Server configuration
After the installation and initial configuration (using smscfg -action config), you
need to configure WebSEAL servers to work with the Session Management
Server.
The WebSEAL configuration steps are as follows:
1. Enabling and disabling the Session Management Server for WebSEAL
Use the dsess-enabled stanza entry in the [session] stanza of the WebSEAL
configuration file to enable and disable use of the Session Management
Server. To enable WebSEAL to use the Session Management Server to
maintain user sessions, enter a value of yes. For example:
[session]
dsess-enabled = yes
2. Specifying the Session Management Server location
Use the dsess-url stanza entry in the [dsess] stanza of the WebSEAL
configuration file to provide WebSEAL with the location (URL) of the session
management server. For example:
[dsess]
dsess-url = http://abc.example.com/DSess/services/DSess
If the dsess-url stanza entry specifies the HTTPS protocol in the URL, you
must configure WebSEAL for SSL communication with the Session
Management Server.
3. Retrieving the maximum concurrent sessions policy value
You can use the maximum concurrent sessions policy to control the
number of sessions each user can have at one time within a distributed
session environment managed by the Session Management Server. By
default, this policy is enabled:
[session]
enforce-max-sessions-policy = yes
Setting the max-concurrent-web-sessions user attribute does not, by
itself, trigger policy enforcement.
When this policy is enabled, you must use WPM or the pdadmin command to
set an appropriate maximum value at the global or user level. For
example, to allow every user to establish only one session with WebSEAL,
use the following command:
pdadmin> policy set max-concurrent-web-sessions 1
The policy is stored in the Tivoli Access Manager user registry. To be
enforced by the authentication process in a Session Management Server
environment, the policy must be retrieved from the registry and stored as
an extended attribute in each user's credential. To store a policy value as
an extended attribute in a user credential, you must enable the built-in
credential policy entitlements service for Tivoli Access Manager using
cred-attribute-entitlement-services. The name of the credential policy
attribute is tagvalue_max_concurrent_web_sessions.
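The three WebSEAL entries above are only meaningful in combination: dsess-enabled = yes needs a dsess-url, an HTTPS dsess-url needs SSL to the Session Management Server, and enforce-max-sessions-policy = yes has no effect unless the credential policy entitlements service places tagvalue_max_concurrent_web_sessions into the credential. The following Python script is an added example, not code from this Redbook or from IBM, that reads a webseald.conf-style file and reports those inconsistencies. The two sample configurations inside it are constructed; the stanza name [aznapi-configuration] and the service name TAM_CRED_ATTRS_SVC in the corrected sample are the product defaults as I recall them and should be treated as assumptions, because the page only names the cred-attribute-entitlement-services entry itself.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample: SMS and the max-sessions policy are switched on, but the
# credential policy entitlements service is not enabled, so the policy value
# never reaches the user's credential and is never enforced.
WEAK_CONF = """\
[session]
dsess-enabled = yes
enforce-max-sessions-policy = yes

[dsess]
dsess-url = http://abc.example.com/DSess/services/DSess
"""

# Constructed sample with the missing piece added. [aznapi-configuration] and
# TAM_CRED_ATTRS_SVC are assumed product defaults, not values from the page.
FIXED_CONF = """\
[session]
dsess-enabled = yes
enforce-max-sessions-policy = yes

[dsess]
dsess-url = https://sms.example.com/DSess/services/DSess

[aznapi-configuration]
cred-attribute-entitlement-services = TAM_CRED_ATTRS_SVC
"""


def load_webseal_conf(text):
    """Parse the [stanza] / 'entry = value' layout of a WebSEAL configuration file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def find_entry(cp, entry):
    """Return the value of `entry` from whichever stanza holds it, or None."""
    for stanza in cp.sections():
        if cp.has_option(stanza, entry):
            return cp.get(stanza, entry).strip()
    return None


def is_yes(value):
    return (value or "").strip().lower() == "yes"


def check_sms_config(text):
    """Return a list of (level, message) findings for the SMS-related entries."""
    cp = load_webseal_conf(text)
    findings = []

    if not is_yes(cp.get("session", "dsess-enabled", fallback="no")):
        return findings  # SMS not in use; the remaining checks do not apply

    url = cp.get("dsess", "dsess-url", fallback="").strip()
    if not url:
        findings.append(("error", "dsess-enabled = yes but [dsess] dsess-url is not set"))
    else:
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https") or not parsed.netloc:
            findings.append(("error", f"dsess-url is not an http(s) URL: {url}"))
        elif parsed.scheme == "https":
            findings.append(("info", "dsess-url uses HTTPS: WebSEAL must be configured "
                                     "for SSL communication with the SMS"))
        else:
            findings.append(("info", "dsess-url uses plain HTTP: session data sent to "
                                     "the SMS is not encrypted"))

    if is_yes(cp.get("session", "enforce-max-sessions-policy", fallback="no")):
        if not find_entry(cp, "cred-attribute-entitlement-services"):
            findings.append(("error", "enforce-max-sessions-policy = yes but "
                                      "cred-attribute-entitlement-services is not set; "
                                      "tagvalue_max_concurrent_web_sessions will not be "
                                      "placed in user credentials"))
    return findings


def errors(text):
    """Only the blocking findings, for a quick pass/fail decision."""
    return [msg for level, msg in check_sms_config(text) if level == "error"]


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name)
        for level, msg in check_sms_config(conf):
            print(f"  [{level}] {msg}")
```

Run against a real webseald.conf by reading the file into a string and passing it to check_sms_config; the "info" findings are reminders rather than defects, while an "error" means one of the steps above is incomplete.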
Managing session realms and replica sets
An authorized user can use WPM or the pdadmin CLI to display session realms,
list the participating replica sets, list current sessions, and search for specific
sessions.
After the initial configuration, you can add session realms and add replica sets to
a specific session realm. The following UNIX command is the minimal
requirement for this type of session management server configuration:
/opt/pdsms/bin/smscfg.sh -action config -was_host host_name -was_port port \
    -session_realm_add realm=set_name[,...][;realm=set_name[,...]]...
Do not combine the -session_realm_add configuration parameter with any of
the following parameters:
• -session_realm_remove
• -replica_sets_add
• -replica_sets_remove
After the initial configuration, you can add replica sets that are not assigned to a
specific session realm. The following UNIX command is the minimal requirement
for this type of session management server configuration:
/opt/pdsms/bin/smscfg.sh -action config -was_host host_name -was_port port \
    -replica_sets_add set_name[,...]
Do not combine the -replica_sets_add configuration parameter with any of the
following parameters:
• -session_realm_add
• -session_realm_remove
• -replica_sets_remove
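The two smscfg.sh forms above share a value grammar (realm=set_name[,...] entries separated by semicolons, set names separated by commas) and a set of parameter combinations that must not appear in one run. The following Python script is an added example, not part of the Redbook or of the smscfg tool, that parses a proposed command line, splits the realm specification into realms and their replica sets, and rejects the forbidden combinations before anything is run against the Session Management Server. The command lines in it are constructed; note that the realm specification is quoted because the semicolon is a command separator to the shell.

```python
import shlex

REALM_ADD, REALM_REMOVE = "-session_realm_add", "-session_realm_remove"
SETS_ADD, SETS_REMOVE = "-replica_sets_add", "-replica_sets_remove"

# From the text: each "add" parameter excludes the other three.
EXCLUSIVE = {
    REALM_ADD: {REALM_REMOVE, SETS_ADD, SETS_REMOVE},
    SETS_ADD: {REALM_ADD, REALM_REMOVE, SETS_REMOVE},
}

# Constructed command lines. Host, port, realm and set names are made up.
SAMPLE_OK = ("/opt/pdsms/bin/smscfg.sh -action config -was_host sms1.example.com -was_port 9080 \\\n"
             "    -session_realm_add 'realmA=set1,set2;realmB=set3'")
SAMPLE_BAD = ("/opt/pdsms/bin/smscfg.sh -action config -was_host sms1.example.com -was_port 9080 "
              "-replica_sets_add set4 -session_realm_remove realmA")


def parse_realm_spec(spec):
    """'r1=a,b;r2=c' -> {'r1': ['a', 'b'], 'r2': ['c']}; ValueError on malformed input."""
    realms = {}
    for chunk in spec.split(";"):
        realm, sep, sets = chunk.partition("=")
        realm = realm.strip()
        names = [s.strip() for s in sets.split(",")]
        if not sep or not realm or not all(names):
            raise ValueError(f"malformed realm entry: {chunk!r}")
        if realm in realms:
            raise ValueError(f"realm {realm!r} listed twice")
        realms[realm] = names
    return realms


def check_smscfg(cmdline):
    """Parse an smscfg.sh command line into {'errors', 'realms', 'replica_sets'}."""
    # Join shell line continuations before tokenising; shlex does not do this itself.
    argv = shlex.split(cmdline.replace("\\\n", " "))
    result = {"errors": [], "realms": {}, "replica_sets": []}

    def value_of(flag):
        i = argv.index(flag)
        if i + 1 >= len(argv) or argv[i + 1].startswith("-"):
            raise ValueError(f"{flag} requires a value")
        return argv[i + 1]

    present = {a for a in argv if a in (REALM_ADD, REALM_REMOVE, SETS_ADD, SETS_REMOVE)}
    for param, forbidden in EXCLUSIVE.items():
        clash = present & forbidden
        if param in present and clash:
            result["errors"].append(f"{param} must not be combined with {', '.join(sorted(clash))}")

    # The page lists these as the minimal requirement for either configuration.
    for required in ("-action", "-was_host", "-was_port"):
        if required not in argv:
            result["errors"].append(f"{required} is required for this configuration")

    try:
        if REALM_ADD in present:
            result["realms"] = parse_realm_spec(value_of(REALM_ADD))
        if SETS_ADD in present:
            names = [s.strip() for s in value_of(SETS_ADD).split(",")]
            if not all(names):
                raise ValueError("empty replica set name in -replica_sets_add")
            result["replica_sets"] = names
    except ValueError as exc:
        result["errors"].append(str(exc))
    return result


if __name__ == "__main__":
    for label, line in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, check_smscfg(line))
```

A non-empty "errors" list means the command line would either be rejected by the tool or, worse, silently do something other than intended; "realms" and "replica_sets" show how the tool will read the specification, which is useful for reviewing a change before it is applied.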
Replica set configuration
A replica set consists of servers with identical configurations and protected Web
spaces. A client session created by one member of a replica set can be used
unmodified by another.