Establishing trust association with a reverse proxy server: WebSphere Application Server

5.6: Establishing trust association with a reverse proxy server

WebSphere Application Server can authenticate incoming user requests, but in some scenarios like Web-based applications it is often desirable to delegate this work to another process, typically a reverse proxy server. This delegation requires a trust relationship, or trust association, between WebSphere Application Server and the proxy server. In this case, the proxy server authenticates the clients for WebSphere Application Server, which accepts the authentication because it trusts the proxy. WebSphere Application Server applies its authorization policies to the requests.

To delegate authentication work to a third-party server, two things must be done:

You must have an interceptor, that is, a Java class used by WebSphere Application Server to receive requests from the proxy server.
You must establish trust between the proxy server and WebSphere Application Server. This typically requires the proxy to authenticate to WebSphere Application Server.

WebSphere Application Server provides a ready-to-use interceptor for Tivoli WebSeal Versions 3.6, 3.7 and 3.8, but you can also write your own; see "5.6.3: Writing a custom interceptor" for more information. The other related information discusses the configuration of WebSphere Application Server and WebSeal.

When the interceptor is in place and a trust relationship is established, WebSphere Application Server is able to accept and process HTTP requests that come through the proxy server rather than directly from the HTTP client. The proxy server authenticates the HTTP clients and passes authenticated requests to WebSphere Application Server. WebSphere Application Server authorizes access to the requested resources based on the application's authorization policies.

Before the authorization of clients can be delegated to a proxy server, the following WebSphere prerequisites must be met:

Security must be enabled in WebSphere Application Server. If security is disabled, incoming requests cannot be selectively authorized and refused.
The authentication mechanism used by WebSphere Application Server must be Lightweight Third-Party Authentication (LTPA). You cannot delegate authentication to a proxy if you are using the local operating system as your authentication mechanism.
If you are using WebSeal Version 3.6 as your reverse proxy server, certificates are not supported as a challenge mechanism. Only basic authentication--that is, a user ID and password combination--is supported. If you are using WebSeal Version 3.7 or 3.8 as your reverse proxy server, you can use basic authentication or certificates as your challenge mechanism.
Trust Association must be enabled in the Authentication tab of the Security Center in the administrative console.