Introduction
IBM® Tivoli® Access Manager for e-business, Version 3.9 (previously known as Tivoli Policy Director) is a security management application that provides centralized authentication, authorization, and single sign-on for enterprise applications. Version 3.9 adds new features that give WebSphere-managed applications robust security when it is used with WebSphere® Application Server 4.0.2 or later. This article discusses the important security features that IBM Tivoli Access Manager brings to WebSphere Application Server: first the features that were already available in the previous one or two versions, and then Access Manager's new J2EE role-based authorization for WebSphere Application Server. We also discuss some of the technologies that help Access Manager and WebSphere Application Server work together.
Why use IBM Tivoli Access Manager with WebSphere Application Server?
WebSphere Application Server has its own security, but there are reasons to implement security externally and let Access Manager manage security for WebSphere Application Server and the applications it runs. Access Manager lets you manage the security of both WebSphere Application Server applications and non-WebSphere applications in one place, which makes a complete single sign-on solution for the whole enterprise possible.
Access Manager also protects resources that are reached by something other than HTTP or RMI/IIOP: Access Manager for Business Integration protects access to WebSphere MQ queues, and Access Manager for Operating Systems protects access to operating systems. This lets WebSphere Application Server take part in a broad single sign-on architecture; if WebSphere Application Server managed its own security, it could not participate in such a broad single sign-on architecture.
Externalizing security also lets legacy applications be brought into single sign-on, so that old applications join the same overall security architecture. Beyond WebSphere Application Server's own security, Access Manager provides unified, flexible security management on a high-performance, scalable architecture that not only extends to rule-based decisions but also integrates with existing user registries and authorization databases.
What security features does Access Manager bring to WebSphere?
Access Manager integrates with many applications, application servers, and portals, and it also provides C and JavaTM authorization APIs that can be used to secure custom applications. Among the WebSphere brand products, in addition to WebSphere Application Server, Access Manager integrates with the following:
WebSphere Edge Server
WebSphere Everyplace Access
WebSphere MQ and MQI
WebSphere Portal Server
Here we discuss only WebSphere Application Server. The important security features that Access Manager provides for WebSphere Application Server are:
WebSEAL, which provides user authentication for single sign-on
Lightweight Third-Party Authentication (LTPA) support
A shared user registry
Java security classes for programmatic security in applications running in WebSphere Application Server
A Java-based management application for Access Manager
Forms-based single sign-on
A J2EE authorization module that plugs into the built-in security of WebSphere Application Server
This article describes these security features one by one. Some are covered in more depth than others, but the main focus is the J2EE authorization that Access Manager provides for WebSphere Application Server.
What is WebSEAL?
WebSEAL is the Web reverse proxy security server (RPSS) component of Access Manager. Figure 1 shows where an RPSS sits in a Web architecture.
Figure 1. Location of the Web reverse proxy security server in the Web architecture
A reverse proxy server is a Web server that listens on the HTTP port (usually port 80) for requests for particular URIs and prevents direct access to those URIs. It needs only a small hole in the internal firewall (on the right side of the diagram) because it passes nothing but HTTP and HTTPS. The reverse proxy forwards requests to the Web servers behind it. It keeps track of its own IP address and rewrites the target address of each request to the real target before sending it on. An RPSS can authenticate and authorize the request before forwarding it.
In this architecture WebSEAL sits in the DMZ between the external and internal firewalls and receives the requests destined for the Web server or the WebSphere application server. There are four security options for how WebSEAL, the Web server, and the application server divide the work:
1. WebSEAL is responsible for user authentication and passes the mapped credentials to WebSphere. WebSphere performs authorization against its own user registry.
2. As in the first option, except that WebSEAL and WebSphere share a user registry.
3. WebSEAL also performs authorization; to find out which files it must protect, it runs a CGI program (query_contents) that lists the directory contents.
4. WebSEAL handles authentication, and applications running in WebSphere Application Server use the Access Manager Java PDPermission or Access Manager JAAS classes to manage their own authorization. These APIs delegate the authorization decision to Access Manager.
Later in this article we discuss a fifth option.
The second case is a very common implementation: WebSEAL performs authentication, and WebSphere handles its own authorization needs. A shared user registry removes duplicated data. See the Shared user registry section for details.
You may wonder how WebSEAL is connected to WebSphere. WebSEAL is configured to talk to the Web server or application server behind it through a "smart junction": the junction is the leading part of the request URL that tells WebSEAL to forward the rest of the URL path to a particular back-end Web server or application server. Smart junctions let multiple servers (WebSEAL or third-party) be combined into one unified Web space. They:
Extend Access Manager security to third-party Web servers
Let WebSEAL provide authentication and authorization checks and enforcement
Allow Web clusters to grow, with load balancing and fault tolerance
Junction both HTTP and HTTPS
Provide TCP and SSL connections to the back-end servers
A smart junction can be configured to let WebSEAL modify the header contents and the basic authentication (BA) credentials that the request carries to the next Web server. That is, WebSEAL determines how the user identity and password are forwarded.
Table 1 shows the four basic authentication configuration options available when creating a junction.
Table 1. WebSEAL junction options for the BA header
-b ignore    Forwards the user's own user ID and password to the back-end Web server unchanged.
-b gso       Looks up the user ID and password pair that this user needs for the specific target in the GSO (global sign-on) database and forwards them to the target Web server.
-b filter    Strips the user's BA header. The user's name is passed in a separate iv-user header, and WebSEAL's own user ID and password (its junction identity) are placed in the Basic-Auth header.
-b supply    Places the user's name in the Basic-Auth header so that the back end can identify the user, but with a dummy password in place of the real one.
Figure 2. Junction configured with WebSEAL
In this figure, if WebSEAL receives a request for http://yourserver:80/supplytowas/abc/somepage.html, it forwards /abc/somepage.html to WebSphere with the same HTTP method (GET, PUT, and so on). Because the -b supply option is used here, the request sent to the Web server or WebSphere Application Server carries a new iv-user header containing the user's ID.
In Figure 2, WebSphere Application Server delegates user authentication to WebSEAL, so it must be able to determine that a request came from WebSEAL in order to avoid authenticating the user a second time. This delegation requires a trust relationship, or trust association, between WebSphere Application Server and WebSEAL. Note the "interceptor" at the top of WebSphere in the figure. This is a Web trust association interceptor (TAI), a class that WebSphere Application Server loads to establish trust in WebSEAL: WebSphere Application Server trusts that WebSEAL has already authenticated the user. The TAI recognizes the iv-user header that WebSEAL adds to the request, which contains the user's original user ID. When WebSphere Application Server asks it to, the interceptor can also use the value of iv-user and other request headers to confirm that the request really came from WebSEAL and to supply the user's identity.
A TAI has only the three methods shown below.
public boolean isTargetInterceptor(HttpServletRequest req)
        throws WebTrustAssociationException;
public void validateEstablishedTrust(HttpServletRequest req)
        throws WebTrustAssociationFailedException;
public String getAuthenticatedUsername(HttpServletRequest req)
        throws WebTrustAssociationUserException;
isTargetInterceptor() determines whether the request was issued by WebSEAL. Because more than one proxy server may be forwarding requests, this method makes sure that the correct interceptor handles each one. validateEstablishedTrust() is called to authenticate WebSEAL (or another proxy server). By the time getAuthenticatedUsername() is called, it is known that the request really came from WebSEAL and that WebSEAL has authenticated the user.
In this case WebSphere Application Server still applies its own authorization policy to the request. See the WebSphere Application Server InfoCenter for details on configuring the trust association between WebSphere Application Server and WebSEAL.
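As an added stand-alone illustration (not code from this article and not IBM's own interceptor), the following class shows the checks that stand behind the three TAI methods, written against a plain map of request headers so that it runs outside a servlet container. It assumes a "-b supply -c all" junction like the one in Figure 2: trust is established by verifying that the Basic-Auth header carries the dummy password configured in webseald.conf, so that a client that reaches the application server directly cannot simply forge an iv-user header. The secret "passw0rd", the user gianluca, the group "master" and the header values are constructed test data.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import java.util.TreeMap;

/**
 * Added example: the checks behind a WebSEAL trust association interceptor,
 * written against a header map so it runs without WebSphere. Not IBM's
 * interceptor; the header names (iv-user, iv-groups) are the ones WebSEAL sends.
 */
public class WebSealTrustCheck {

    /** Password WebSEAL puts in the Basic-Auth header on this junction
     *  (the dummy password from webseald.conf for a "-b supply" junction). Assumed value. */
    private final String sharedSecret;

    /** Basic-Auth user expected on a "-b filter" junction that carries WebSEAL's own
     *  identity, or null for "-b supply", where the BA user is the end user. */
    private final String junctionUser;

    public WebSealTrustCheck(String sharedSecret, String junctionUser) {
        this.sharedSecret = sharedSecret;
        this.junctionUser = junctionUser;
    }

    /** isTargetInterceptor(): a request carrying an iv-user header is WebSEAL's business. */
    public boolean isTargetInterceptor(Map<String, String> headers) {
        return headers.containsKey("iv-user");
    }

    /** validateEstablishedTrust(): the Basic-Auth header must carry the secret shared
     *  with WebSEAL; otherwise anyone who can reach the application server port
     *  directly could forge iv-user and become any user. */
    public boolean validateEstablishedTrust(Map<String, String> headers) {
        String auth = headers.get("Authorization");
        if (auth == null || !auth.regionMatches(true, 0, "Basic ", 0, 6)) {
            return false;
        }
        String decoded;
        try {
            byte[] raw = Base64.getDecoder().decode(auth.substring(6).trim());
            decoded = new String(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException badBase64) {
            return false;
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) {
            return false;
        }
        String baUser = decoded.substring(0, colon);
        String baPassword = decoded.substring(colon + 1);
        // on a -b supply junction the BA user must be the same user WebSEAL names in iv-user
        String expectedUser = (junctionUser != null) ? junctionUser : headers.get("iv-user");
        return expectedUser != null
                && constantTimeEquals(baUser, expectedUser)
                && constantTimeEquals(baPassword, sharedSecret);
    }

    /** getAuthenticatedUsername(): only meaningful once trust has been validated. */
    public String getAuthenticatedUsername(Map<String, String> headers) {
        if (!validateEstablishedTrust(headers)) {
            throw new SecurityException("request did not come from WebSEAL");
        }
        return headers.get("iv-user");
    }

    /** Compare without leaking the position of the first mismatch through timing. */
    private static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }

    /** HTTP header names are case-insensitive, so keep them in a case-insensitive map. */
    private static Map<String, String> headers(String... nameValuePairs) {
        Map<String, String> h = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        for (int i = 0; i < nameValuePairs.length; i += 2) {
            h.put(nameValuePairs[i], nameValuePairs[i + 1]);
        }
        return h;
    }

    public static void main(String[] args) {
        String basic = Base64.getEncoder().encodeToString(
                "gianluca:passw0rd".getBytes(StandardCharsets.UTF_8));
        // constructed headers, as a "-b supply -c all" junction would send them
        Map<String, String> fromWebseal = headers(
                "Authorization", "Basic " + basic,
                "iv-user", "gianluca",
                "iv-groups", "\"master\"");
        // constructed headers from a client that bypassed WebSEAL and forged iv-user
        Map<String, String> forged = headers("iv-user", "sec_master");

        WebSealTrustCheck tai = new WebSealTrustCheck("passw0rd", null);
        System.out.println("target interceptor: " + tai.isTargetInterceptor(fromWebseal));
        System.out.println("trust established: " + tai.validateEstablishedTrust(fromWebseal));
        System.out.println("authenticated user: " + tai.getAuthenticatedUsername(fromWebseal));
        System.out.println("forged request trusted: " + tai.validateEstablishedTrust(forged));
    }
}
```

The check is only as strong as the hop between WebSEAL and the application server: the dummy password travels in clear text on a TCP junction, so either use an SSL junction or make sure that the application server port (9080 in Figure 3) is reachable from WebSEAL alone. Otherwise an attacker who can capture or replay that header can present any iv-user value.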
Figure 3 shows an example of creating a smart junction.
Figure 3. Creating a WebSEAL junction
At the bottom of Figure 9 below, supplytowas also appears in the Access Manager protected object space. The -c all parameter specifies that WebSEAL should add all the user-related headers. The junction type is TCP rather than SSL, the target host is Miller-T21, the port is 9080, and the junction is named /supplytowas.
With WebSphere Application Server relying on WebSEAL for authentication, the complete flow is shown in Figure 4.
Figure 4. Security flow
WebSEAL receives the request first, challenges and authenticates the user, and places the credentials in the request headers in the format configured on the junction. The request passes through the Web server to WebSphere Application Server, which is then responsible for authorizing the requester's access to servlets and EJBs.
Figure 5 shows what the request headers look like when WebSEAL is junctioned to WebSphere Application Server with the -b supply option.
Figure 5. Request headers with -b supply
When the user gianluca accesses the HeaderDumperServlet on host Oleg1, the Basic-Auth header carries "gianluca" as the user ID, but gianluca's real password has been removed and replaced with the dummy password ("pqssw0rd" here) stored in the webseald.conf file. webseald.conf is the WebSEAL configuration file and must reside in a protected directory. Because the junction was created with the -c all option, WebSEAL has added the iv-user, iv-groups, and iv-creds headers. iv-user contains the user ID that is handed to WebSphere Application Server when it asks for the authenticated user; gianluca is a member of the master group, which iv-groups identifies.
Access Manager 3.9 also provides an alternative to WebSEAL for customers who already have Web servers in the DMZ: Web server plug-ins, which provide many of the same functions as WebSEAL. The currently supported Web servers are IIS 5.0, iPlanet 6.0 on Solaris 7, and IBM HTTP Server 1.3.19 on AIX® 5L. More are coming.
LTPA support in Access Manager
Lightweight Third-Party Authentication (LTPA) is a token-based technology in which a token represents the user's credentials. The name "third party" suggests that trust rests on a third-party LTPA server that authenticates the user and creates the token, but trust actually rests on a key shared between the two servers.
In an environment without WebSEAL, the token is created by WebSphere Application Server and stored in a cookie that is sent back to the browser with the HTTP response. When the user makes a later request, the token is extracted from the cookie and used to authenticate the user. In this way the user enters a user ID and password only once; after that, the LTPA token identifies them. The user also does not need to re-authenticate when accessing Lotus Domino resources.
This method has two shortcomings:
Only WebSphere Application Server and Domino support LTPA; LTPA has not been widely adopted by the industry. Kerberos is a more common third-party authentication mechanism.
The user's credentials (in the form of the token) travel all the way back to the browser and are then sent back to the server with every request. This exposes them to attack, especially when SSL is not used between the browser and the Web server.
Figure 6 shows how WebSEAL addresses the second shortcoming.
Figure 6. LTPA with WebSEAL
Suppose WebSEAL and WebSphere's Web server have pre-configured trust, which may use an X.509 certificate on each side to establish an SSL session:
1. The user requests a protected resource. WebSEAL challenges the user, who authenticates with a user ID and password, or possibly with a certificate.
2. WebSEAL authenticates the user against the information in the LDAP registry.
3. WebSEAL issues an LTPA token, caches it, and sends it with the request to the Web server, which passes it on to WebSphere Application Server.
4. WebSphere Application Server accepts the token and allows the requester to access the requested resource. WebSEAL maintains state by mapping the SSL session identifier and the other cookies on the request to the LTPA token, and sends the token to WebSphere Application Server on every request.
When WebSEAL is used the token is never sent to the browser, which removes a small but real security weakness. When establishing trust between WebSEAL and WebSphere Application Server, the trust association interceptor mechanism is preferable to LTPA, both because only WebSphere Application Server and Domino currently support LTPA and because a TAI is faster: the token does not have to be encrypted and decrypted on every request.
Shared user registry
WebSphere can share the same user registry with another application, usually by changing the schema used by one of them. When WebSphere and Domino share a user registry, both join the same single sign-on security architecture. WebSphere can also share a user registry with Access Manager: for example, WebSEAL provides authentication while WebSphere Application Server authorizes the requester's access to resources. WebSphere has built-in support for several user registries, which appear in a combo box. (SecureWay stands for IBM Directory Server; the name "SecureWay" is no longer used.) Access Manager 3.9 now supports a set of user registries that can be shared with WebSphere. Specifically, Access Manager 3.9 adds support for the following products:
Lotus Domino Server 5.0.4
Microsoft® Active Directory on Windows 2000 Advanced Server
In addition to these there are IBM Directory Server 3.2.2 (LDAP) and iPlanet Directory Server 5.0.
Figure 7. Shared user registry
There are two ways to share an LDAP user registry between WebSphere Application Server and Access Manager:
Access Manager can import the default schema of WebSphere Application Server.
You can change the settings in WebSphere Application Server to use the default schema of Access Manager.
Because the simplest path is to install Access Manager's LDAP and then configure WebSphere Application Server to use the same registry as Access Manager, the second choice is the easiest.
To do this, you must change some of the settings that WebSphere Application Server uses to access the LDAP directory. Figure 8 shows the LDAP Advanced Properties dialog. To reach it from the Authentication page of the WebSphere Application Server Security Center, first select LTPA and LDAP to enable the LDAP Settings section of the dialog, and then click Advanced under LDAP Settings.
Figure 8. WebSphere Application Server Security Center LDAP Advanced Properties dialog
Two fields must be changed from the default LDAP (SecureWay) settings:
Group Filter: change
(&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))
to
(&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=accessGroup)))
Group Member ID Map: change
groupOfNames:member;groupOfUniqueNames:uniqueMember
to
groupOfNames:member;groupOfUniqueNames:uniqueMember;accessGroup:member
In short, append the strings shown in Figure 8 to the default values. This lets WebSphere Application Server share the registry using the default Access Manager LDAP schema, in which Access Manager groups use the accessGroup object class. Once these settings are modified, the drop-down combo box changes from SecureWay to Custom.
Java security classes for programmatic security
aznAPI is an authorization API for C/C++ based on an Open Group standard; we do not discuss it here. In addition to pure Java replacement classes for aznAPI, Access Manager provides a JAAS-based LoginModule (com.tivoli.mts.PDLoginModule) and a permission class (com.tivoli.mts.PDPermission).
The PDLoginModule class authenticates with Access Manager. An application can use PDLoginModule to authenticate an Access Manager user, which creates a corresponding PDPrincipal object and a PDCredential object containing the user's credentials. The PDPrincipal class implements the java.security.Principal interface.
You use PDPermission to have Access Manager make the authorization decision. PDPermission locates the current Subject, extracts its authentication information, and contacts Access Manager to determine whether the Subject may access the resource in the specified way (read, write, invoke, and so on). PDPermission reaches the Access Manager authorization server over SSL; a future version of Access Manager will provide local access. Servlets, EJBs, or utility code can use these classes according to the JAAS standard, but non-JAAS applications can use them too.
The PDPermission API is quite simple. The constructor takes as parameters a target resource name in the Access Manager object space and an Access Manager access method or set of actions. The Java 2 security manager then checks the permission; if the Subject is not allowed to access the requested target resource, it throws an AccessControlException. Listing 1 is a very simple example.
Listing 1. Using the PDPermission class
// the user wants read ("r") access to some resource in the Access Manager object space
java.security.Permission whatTheyWant =
    new com.tivoli.mts.PDPermission("/Some/Resource", "r");
try
{
    // the Java 2 access check asks Access Manager whether the current Subject holds this permission
    java.security.AccessController.checkPermission(whatTheyWant);
    // they are allowed ...
}
catch (java.security.AccessControlException ace)
{
    // they are not allowed
}
Web-based management of Access Manager
Web Portal Manager (WPM) is a J2EE Web application that runs on WebSphere and is the administrative application for Access Manager 3.9. At least in the first release of Access Manager 3.9, WPM is delivered for WebSphere Advanced Edition Single Server (AEs), and its installation script expects that edition of WebSphere Application Server to be present. But you may want to install it into WebSphere Application Server Advanced Edition (AE), especially if you manage Access Manager from another production system.
To install WPM into WebSphere Application Server AE with the normal automated, AEs-oriented installation, you can substitute your own BAT files for the ones the default installation uses to stop the server, perform the installation, and restart the server. The three BAT files you need to create are:
StopServer.bat: provided by you only to stop WebSphere Application Server AEs.
SeAppInstall.bat: provided to install the application into WebSphere Application Server AEs. Our SeAppInstall.bat instead uses XMLConfig and amwpm.xml to install pdwpm.ear into WebSphere Application Server AE; see Listing 2 below.
StartServer.bat: provided to start WebSphere Application Server AEs.
Two other files are used. amwpm.xml contains the configuration information for the Web Portal Manager application, which XMLConfig uses to install it. pdwpm.ear is the WPM application itself. Both files should reside in the %WAS_HOME%\installableApps directory.
Place the three BAT files in the %WAS_HOME%\bin directory. StopServer.bat and StartServer.bat are empty, zero-length files. SeAppInstall.bat is shown in Listing 2.
Listing 2. Replacement SeAppInstall.bat for WPM
@echo off
rem echo "Installing AM Web Portal Manager into WebSphere"
rem capture the local host name, which is also the WebSphere admin node name
@hostname > samples.tmp
@for /f "tokens=1" %%h in (samples.tmp) do set HOSTNAME=%%h
@del samples.tmp > NUL
call "%WAS_HOME%\bin\setupCmdLine.bat"
echo "Installing pdwpm.ear enterprise application"
rem import amwpm.xml, substituting the install root and node name used inside it
call "%WAS_HOME%\bin\XMLConfig.bat" ^
    -import "%WAS_HOME%\installableApps\amwpm.xml" ^
    -adminNodeName %HOSTNAME% ^
    -substitute "was.install.root=%WAS_HOME%;server_root=%WAS_HOME%;com.ibm.ejs.sm.adminserver.primaryNode=%HOSTNAME%"
rem echo "regenerate the plugin-cfg.xml file"
call "%WAS_HOME%\bin\GenPluginCfg.bat" -adminNodeName %HOSTNAME%
rem echo ""
echo "AM Web Portal Manager installation complete"
For simplicity, the application is installed into the Default Server. amwpm.xml is shown in Listing 3.
Listing 3. XMLConfig script that installs pdwpm.ear into WebSphere AE
<?xml version="1.0"?>
<!DOCTYPE websphere-sa-config SYSTEM "file:///$server_root$$dsep$bin$dsep$xmlconfig.dtd">
<!-- element values that are not legible in this copy of the listing are shown as ... -->
<websphere-sa-config>
  <enterprise-application action="create" name="...">
    <ear-file-name>$was.install.root$$dsep$installableApps$dsep$pdwpm.ear</ear-file-name>
    <enterprise-app-install-info>
      <node-name>$com.ibm.ejs.sm.adminserver.primaryNode$</node-name>
      <ear-install-directory>$was.install.root$$dsep$installedApps$dsep$PD_WEB_PORTAL_MANAGER.ear</ear-install-directory>
    </enterprise-app-install-info>
    <application-binding>
      <!-- ... -->
    </application-binding>
    <!-- one binding per Web module (pdadmin, delegate, register), each to the Default Server -->
    <module-install-info>
      <web-module-binding>
        <web-module>...</web-module>
        <application-server-full-name>/NodeHome:$com.ibm.ejs.sm.adminserver.primaryNode$/EJBServerHome:Default Server/</application-server-full-name>
      </web-module-binding>
    </module-install-info>
    <module-install-info>
      <web-module-binding>
        <web-module>...</web-module>
        <application-server-full-name>/NodeHome:$com.ibm.ejs.sm.adminserver.primaryNode$/EJBServerHome:Default Server/</application-server-full-name>
      </web-module-binding>
    </module-install-info>
    <module-install-info>
      <web-module-binding>
        <web-module>...</web-module>
        <application-server-full-name>/NodeHome:$com.ibm.ejs.sm.adminserver.primaryNode$/EJBServerHome:Default Server/</application-server-full-name>
      </web-module-binding>
    </module-install-info>
  </enterprise-application>
</websphere-sa-config>
With these files you can install Web Portal Manager into WebSphere AE.
Three Web modules make up Web Portal Manager: pdadmin, delegate, and register. pdadmin is the main administration application; delegate and register are used for delegated user management and self-registration.
Figure 9. Web Portal Manager pdadmin application
Forms-based single sign-on
Everyone agrees that single sign-on is a good thing: users are spared the irritation of logging in again to every application they visit during the day. The best thing about WebSEAL is that it lets users authenticate with any number of mechanisms, even ones the back end does not support. However, the WebSEAL -b single sign-on options discussed above are all for basic authentication: they pass the user's credentials in the BA and other headers of the HTTP request. What happens when an application that should join the single sign-on environment uses a forms-based login? It seems the user would have to log in manually. Not so: Access Manager 3.9 provides a forms-based single sign-on (FSSO) feature that lets WebSEAL automatically log an already-authenticated Access Manager user in to a back-end application that requests a login through an HTML form. When FSSO is enabled:
WebSEAL intercepts the authentication process initiated by the back-end application.
WebSEAL supplies the data needed to fill in the login form and submits the form on the user's behalf.
WebSEAL saves and restores all cookies and headers.
The user is unaware that a login took place.
The back-end application is unaware that the login form did not come directly from the user.
The user never sees the back-end application's login form and does not have to authenticate to the back-end application a second time merely because that application uses forms-based rather than basic authentication.
FSSO has three parts. First, WebSEAL must be able to detect that the application is sending a login form to the user. Although WebSEAL could parse every page the application sends to the user looking for a login form, that would be expensive. It is easier to watch for the user requesting the login page (for example, login.html), whether directly or indirectly (through a redirect). Second, having identified the login page and the form on it, WebSEAL must fill in the form and submit it together with any hidden fields, cookies, and request headers, exactly as the user's own browser would. Finally, after the login, WebSEAL must return the back-end application's response to the user as if the user had performed the login.
FSSO is set up with a configuration file that describes how WebSEAL should recognize and process the login page and login form. A junction must therefore be created for the target server on which the login page and the form action URI are reachable; the junction is created with the -S option naming the configuration file. The configuration file format is as follows.
Listing 3. Template for the FSSO configuration file
[forms-sso-login-pages]
login-page-stanza = <login-page-stanza-name>
#login-page-stanza = <another-login-page-stanza-name>
#login-page-stanza = <another-login-page-stanza-name>

[<login-page-stanza-name>]
login-page =
login-form-action =
gso-resource =
argument-stanza = <argument-stanza-name>

[<argument-stanza-name>]
The file always begins with [forms-sso-login-pages]. You can identify several login pages in the same file, each with its own login-page-stanza entry, so that a single server can serve the login pages of several applications that each need different authentication data. The login-page value is a regular expression matching the URI the user requests for the login page; it is relative to the junction and does not include the junction name. login-form-action is a regular expression matching the login form's action URI; WebSEAL uses it to identify the form on the login page. If the page contains only one form, set this value to *.
If you are not using GSO to store the user name and password, gso-resource can be left blank; otherwise it names a GSO resource in the GSO database. argument-stanza names a stanza that contains the list of custom arguments submitted with the authentication request.
In the custom argument stanza, each entry's name is the value of the name attribute of the corresponding HTML INPUT tag. The value is one of:
gso:username - the current user's GSO user name
gso:password - the current user's GSO password
cred:<attribute-name> - the named attribute from the user's Access Manager credential
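A filled-in configuration for the template above, as an added example rather than a file from the article: it handles a back-end application whose login page is /login.html (relative to the junction) with a single form, and takes the back-end user name and password from GSO. The stanza names backend-login and backend-login-args, the GSO resource name backend-app, and the INPUT names userid and passwd are assumptions chosen for the example.

```ini
[forms-sso-login-pages]
login-page-stanza = backend-login

[backend-login]
# regular expression matching the user's request for the login page, without the junction name
login-page = /login.html
# the page has only one form, so any action URI matches
login-form-action = *
# GSO resource holding this user's back-end user name and password (assumed name)
gso-resource = backend-app
argument-stanza = backend-login-args

[backend-login-args]
# left side = value of the "name" attribute of the HTML INPUT tag (assumed names)
userid = gso:username
passwd = gso:password
```

Because WebSEAL submits the form itself, the user's real back-end password never reaches the browser; it lives only in GSO and on the WebSEAL-to-back-end hop, which should be an SSL junction for the same reason as with the -b options.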
Listing 4. Example HTML login page for FSSO