The Tivoli® Access Manager plug-in for Web servers can be used as a security gateway for your protected WebSphere® Application Server resources.
About this task
With such an arrangement, the plug-in authorizes all user requests before passing the credentials of the authorized user to WebSphere Application Server in the form of an iv-creds header. Trust between the plug-in and WebSphere Application Server is established through the use of basic authentication headers containing the single sign-on (SSO) user password.
Procedure
- In the configuration of the Tivoli Access Manager plug-in for Web servers, IV headers are configured for post-authorization processing, and basic authentication is configured both as the authentication mechanism and for post-authorization processing, as shown in the example below.
- After a request is authorized, the basic authentication header is removed from the request (strip-hdr=always) and a new one is added (add-hdr=supply).
- Included in this new header is the password that is set when the SSO user is created in "Creating a trusted user account in Tivoli Access Manager".
- Specify this password in the supply-password parameter and it is passed in the newly created header. This basic authentication header enables trust between WebSphere Application Server and the plug-in.
- An iv-creds header is also added (generate=iv-creds), which contains the credential information of the user passed on to WebSphere Application Server. Session cookies are used to maintain session state.
Example
[common-modules]
authentication = BA
session = session-cookie
post-authzn = BA
post-authzn = iv-headers
[iv-headers]
accept = all
generate = iv-creds
[BA]
strip-hdr = always
add-hdr = supply
supply-password = sso_user_password
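
The following check is an added example, not part of the product or its documentation: it parses a plug-in configuration in the stanza format shown above (including the repeated post-authzn key) and reports every setting that departs from the arrangement this page describes. The function names and the WEAK sample are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed input: the page's example with the [BA] stanza weakened for the demo.
WEAK = """\
[common-modules]
authentication = BA
session = session-cookie
post-authzn = BA
post-authzn = iv-headers
[iv-headers]
accept = all
generate = iv-creds
[BA]
add-hdr = supply
supply-password =
"""

def parse(text):
    """Return {stanza: {key: [values]}}; a key such as post-authzn may repeat."""
    conf = defaultdict(lambda: defaultdict(list))
    stanza = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1].strip()
        elif "=" in line and stanza is not None:
            key, _, value = line.partition("=")
            conf[stanza][key.strip()].append(value.strip())
    return conf

def check_trust_config(text):
    """List every way the config departs from the arrangement on this page."""
    conf = parse(text)
    get = lambda stanza, key: conf.get(stanza, {}).get(key, [])
    findings = []
    if "BA" not in get("common-modules", "authentication"):
        findings.append("authentication is not BA")
    for module in ("BA", "iv-headers"):
        if module not in get("common-modules", "post-authzn"):
            findings.append(f"post-authzn is missing {module}")
    if get("BA", "strip-hdr") != ["always"]:
        findings.append("strip-hdr is not always: the incoming BA header is not removed")
    if get("BA", "add-hdr") != ["supply"]:
        findings.append("add-hdr is not supply: no trust header is added")
    if not any(get("BA", "supply-password")):
        findings.append("supply-password is empty or missing")
    if "iv-creds" not in get("iv-headers", "generate"):
        findings.append("iv-creds header is not generated")
    return findings

if __name__ == "__main__":
    for finding in check_trust_config(WEAK):
        print("FINDING:", finding)
```

Run against the example configuration on this page, check_trust_config returns an empty list.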