Post on 18-Aug-2020
IBM Tivoli Access Manager for e-business
Plug-in for Web Servers Integration Guide
Version 5.1
S152-0813-00
Note
Before using this information and the product it supports, read the information in Appendix F, "Notices," on page 193.

First Edition (November 2003)

This edition applies to IBM Tivoli Access Manager V5.1.0 (product number 5724-C08) and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright International Business Machines Corporation 2000, 2003. All rights reserved.
Contents

Figures  ix
Tables  xi
Preface  xiii
  Who should read this book  xiii
  What this book contains  xiii
  Publications  xiv
    Release information  xv
    Base information  xv
    Web security information  xv
    Developer references  xvi
    Technical supplements  xvi
  Related publications  xvii
  Accessing publications online  xix
  Accessibility  xx
  Contacting software support  xx
  Conventions used in this book  xx
    Typeface conventions  xx
    Operating system differences  xx

Chapter 1. IBM Tivoli Access Manager Plug-in for Web Servers overview  1
  Tivoli Access Manager Plug-in for Web Servers overview  1
    Basic operational components and architecture  1
    Virtual host support  2
  Protecting your Web space with Tivoli Access Manager Plug-in for Web Servers  3
    Tivoli Access Manager Plug-in for Web Servers authentication  3
    Credential acquisition  4

Chapter 2. IBM Tivoli Access Manager Plug-in for Web Servers configuration  7
  General plug-in information  7
    Tivoli Access Manager Plug-in for Web Servers installation root directory  7
    The pdwebpi.conf configuration file  8
    The pdwebpimgr.conf configuration file  9
    Starting and stopping Tivoli Access Manager Plug-in for Web Servers  9
    HTTP error messages  9
    Macro support  10
    Form-related macros  10
  Configuring the authorization server  11
    Configuring worker threads  11
    Setting the maximum session validity period for IPC requests  11
    Configuring error pages  11
  Configuring virtual host servers  12
    Web server-specific configuration  15
    Web server considerations  16
    Customizing object listings  17
    Command line arguments  17
    Output  18
  Configuring switch user (SU) for administrators  18
    Understanding the switch user process flow  19
    Enabling switch user  19
    Configuring the switch user HTML form  19
    Enabling and excluding users for switch user  20
    Configuring the switch user authentication mechanism  21
    Impact on other plug-in functions  22
  Configuring failover for LDAP servers  23
  Platform for Privacy Preferences (P3P) header support  23
    Configuring P3P headers  24
  Configuring plug-in auditing, logging, tracing, and the cache database  26
    Audit records  27
    Audit configuration  28
    Tracing plug-in operations  28
    Cache database settings  30
  Configuring authorization API services  30
  Credential refresh  30
    Configuring credential refresh  30
  Configuring the HTTP request cache  31
    Configuring server-side cache parameters  32
  Language support and character sets  32

Chapter 3. IBM Tivoli Access Manager Plug-in for Web Servers authentication and request processing  35
  Request handling process  35
  Authentication process  36
  Configuring authentication  37
    Configuring authentication for virtual hosts  38
    Configuring the order of authentication methods  39
    Configuring post-authorization processing  43
  Managing session state  44
    Configuring the plug-in session/credential cache  45
    Maintaining session state using SSL session IDs  47
    Maintaining session state using basic authentication  47
    Maintaining session state using session cookies  47
    Maintaining session state using HTTP headers  48
    Maintaining session state using IP addresses  49
    Maintaining session state using LTPA cookies  49
    Maintaining session state using iv headers  49
  Authentication configuration overview  50
    Local authentication mechanisms  50
    External custom CDAS authentication parameters  50
    Default plug-in configuration  51
    Configuring multiple authentication methods  51
    Logout, password change, and help commands  51
  Configuring basic authentication  53
    Enabling basic authentication  53
    Configuring the basic authentication mechanism  53
    Setting the realm name  53
    Handling BA headers  53
    Specifying UTF-8 encoding of BA headers  55
  Configuring forms authentication  55
    Enabling forms authentication  55
    Configuring the forms authentication mechanism  55
    Customizing HTML response forms  56
    Customizing the forms login URI  56
    Creating BA headers  56
    Specifying UTF-8 encoding of BA headers  57
  Configuring certificate authentication  57
    Using certificate mutual authentication  57
    Enabling certificate authentication  58
    Configuring the certificate authentication mechanism  58
  Configuring token authentication  58
    SecurID token authentication  58
    Enabling token authentication  60
    Configuring the token authentication mechanism  61
    Customizing token response pages  61
  Configuring SPNEGO authentication  62
    Method and user registry support  62
    Upgrading the SPNEGO configuration from V4.1 to V5.1  62
    Limitations  63
    Windows desktop single sign-on configuration  63
    Troubleshooting tips  67
  Configuring NTLM authentication (IIS platform only)  68
  Configuring Web server authentication (IIS platform only)  69
  Configuring failover authentication  70
    Failover authentication concepts  70
    Failover authentication configuration  76
  Configuring IV header authentication  83
    Enabling authentication using IV headers  84
    Configuring IV header parameters  84
    Specifying UTF-8 encoding of IV headers  85
    Configuring the IV header authentication mechanism for iv-remote-address  85
  Configuring HTTP header authentication  85
    Enabling authentication using HTTP headers  86
    Specifying header types  86
    Configuring the HTTP header authentication mechanism  86
  Configuring IP address authentication  87
    Enabling authentication using IP addresses  87
    Configuring the IP address authentication mechanism  87
  Configuring LTPA authentication  88
    Enabling LTPA authentication  88
    Setting key details  88
    Configuring LTPA post-authorization processing  88
  Configuring post-login user redirection  88
    Enabling user redirection  89
    Configuring user redirection parameters  89
  Adding extended attributes to credentials  89
    Mechanisms for adding extended attributes to credentials  89
    Authorization service configuration  90
  Adding LDAP extended attributes to HTTP headers (tag value)  92
    Enabling tag value processing  93
    Configuring tag value parameters  93
  Supporting multiplexing proxy agents (MPA)  93
    Valid session data types and authentication methods  93
    Authentication process flow for MPA and multiple clients  94
    Enabling MPA authentication  95
    Creating a user account for the MPA  96
    Adding the MPA account to the pdwebpi-mpa-servers group  96

Chapter 4. IBM Tivoli Access Manager Plug-in for Web Servers security policy  97
  Plug-in-specific access control list (ACL) policy  97
    /PDWebPI/host or virtual_host  98
    Plug-in ACL permissions  99
    Default /PDWebPI ACL policy  99
  Three-str ike login policy  100
  Password strength policy  101
    Password strength policies set with the pdadmin utility  101
    User-specific and global settings  103
  Authentication strength protected object policy (step-up)  103
    Configuring levels for step-up authentication  103
    Enabling step-up authentication  104
    Step-up authentication notes and limitations  105
  Multi-factor authentication  106
    Enabling multi-factor authentication  106
  Reauthentication protected object policy  106
    Conditions affecting POP reauthentication  107
    Creating and applying the reauthentication POP  107
  Network-based authentication protected object policy  108
    Specifying IP addresses and ranges  108
    Disabling step-up authentication by IP address  109
    Network-based authentication algorithm  109
  Quality of protection protected object policy  109
  Handling unauthenticated users (HTTP/HTTPS)  110
    Processing requests from anonymous clients  110
    Forcing user login  110
    Applying unauthenticated HTTPS  110
    Controlling unauthenticated users with ACL/POP policies  110

Chapter 5. Web single sign-on solutions  113
  Single sign-on concepts  113
  Automatic sign-on to secured applications  114
    Configuring single sign-on to secured applications using HTTP headers  114
    Single sign-on to WebSphere Application Server using LTPA cookies  115
  Single sign-on from WebSEAL or other proxies to the plug-in  116
    Enabling and disabling authentication using IV headers  117
    Configuring IV header parameters  117
  Single sign-on using failover cookies  117
    Enabling single sign-on using failover cookies  117
  Using global sign-on (GSO)  118
    Configuring global sign-on  119
  Security Provider NEGOtiation (SPNEGO) single sign-on  120
  Single sign-on using forms  120
    Forms single sign-on process flow  121
    Application support requirements  122
    Enabling forms single sign-on  122
    Configuring forms single sign-on  123
    IBM HelpNow configuration file example  125

Chapter 6. Cross-domain sign-on solutions  127
  Cross-domain single sign-on (CDSSO)  127
    CDSSO authentication process flow  127
    Enabling and disabling CDSSO authentication  129
    Encrypting authentication token data  129
    Configuring the token time stamp  130
    Including credential attributes in authentication tokens  130
    Specifying sso-create and sso-consume libraries  131
    Expressing CDSSO links  131
    Protecting authentication tokens  131
  e-community single sign-on  132
    e-community single-point authentication features and requirements  132
    e-community single sign-on process flow  133
    e-community cookies  134
    Vouch-for request and reply  134
    Vouch-for token  135
    Encrypting the vouch-for token  135
    Configuring an e-community  135
    Configuring e-community single sign-on: example  139

Chapter 7. Application integration  143
  Maintaining session state between clients and back-end applications  143
    Enabling user session ID management  143
    Inserting credential data into HTTP headers  144
    Terminating user sessions  144
  Providing access control to dynamic URLs  145
    Configuring dynamic URLs  145

Chapter 8. Authorization decision information retrieval  147
  ADI retrieval overview  147
  Retrieving ADI from the plug-in client request  148
    Example: Retrieving ADI from the request header  148
    Example: Retrieving ADI from the request query string  149
    Example: Retrieving ADI from the request POST body  149
  Retrieving ADI from the user credential  150
  Supplying a failure reason  150
  Configuring dynamic ADI retrieval  150
    Configuring the plug-in to use the AMWebARS Web service  151

Appendix A. Using pdbackup to back up plug-in data  153
  Function  153
  Backing up plug-in data  153
  Restoring plug-in data  154
  Syntax  154
  Examples  155
    UNIX example  155
    Windows example  155
  Contents of pdinfo-pdwebpi.lst  156
  Other backup data  156

Appendix B. pdwebpi.conf reference  157
  General configuration parameters  157
  Authentication configuration parameters  160
  Session configuration parameters  168
  LDAP configuration parameters  169
  Proxy configuration parameters  169
  Authorization API configuration parameters  170
  Web server-specific configuration parameters  171

Appendix C. Module quick reference  175

Appendix D. Command quick reference  181
  pdwebpi_start  182
  pdwebpi  184
  pdwpi-version  185
  pdwpicfg –action config  186
  pdwpicfg –action unconfig  188

Appendix E. Special characters allowed in regular expressions  191

Appendix F. Notices  193
  Trademarks  194

Glossary  197

Index  203
Figures

1. Interaction between the plug-in and Tivoli Access Manager components  2
2. Plug-in flow for determining the authentication module  42
3. Authentication process logic  43
4. Plug-in flow for determining the session module  45
5. Typical server architecture for failover cookies  71
6. User access to secured applications using GSO  119
7. Forms single sign-on process flow  121
8. CDSSO process flow  128
9. Logging in to an e-community  133
10. e-community single sign-on configuration example  140
11. Attribute retrieval service process flow  151

Tables

1. Tivoli Access Manager EPAC fields  5
2. pdwebpi.conf stanzas  8
3. Supported macro substitutions  10
4. [proxy] error page configuration parameters  12
5. Web server-specific configuration parameters  15
6. [p3p-header] parameters  24
7. Authentication audit record field definitions  27
8. Audit configuration parameter definitions  28
9. Languages supported by the plug-in and the supported directories  33
10. Built-in local authentication programs  50
11. External CDAS server parameters  50
12. Equivalent SPNEGO configuration in V4.1 and V5.1  62
13. Failover authentication library file names  77
14. IV header field descriptions  84
15. Valid session data types for the MPA  94
16. Valid MPA authentication types  94
17. Plug-in ACL permissions  99
18. Plug-in WebDAV permissions  99
19. pdadmin LDAP login policy commands  101
20. pdadmin LDAP password strength commands  102
21. Password examples  102
22. QOP level descriptions  109
23. IV header field descriptions  114
24. LTPA configuration parameters  116
25. IV header field descriptions  116
26. General configuration parameters  157
27. Authentication configuration parameters  160
28. Session configuration parameters  168
29. LDAP configuration parameters  169
30. Proxy configuration parameters  169
31. Authorization API configuration parameters  170
32. Web server-specific configuration parameters  171
33. Plug-in authentication method/module reference  175
34. Windows-specific authentication modules  177
35. Plug-in session module reference  177
36. Plug-in pre-authorization module reference  178
37. Plug-in post-authorization module reference  179
38. Response module reference  179
Preface

IBM® Tivoli® Access Manager Plug-in for Web Servers (referred to in this document as the plug-in) manages the security of your Web-based resources by acting as the gateway between your clients and secure Web space. The plug-in implements the security policies that protect your Web object space. The plug-in can provide single sign-on, supports Web servers running as virtual hosts, and incorporates Web application server resources into its security policy.

Note: For detailed information about the plug-in's supported platforms, disk and memory requirements, prerequisite software, and installation instructions, see the Tivoli Access Manager for e-business Web Security Installation Guide.

IBM® Tivoli® Access Manager (Tivoli Access Manager) is the base software that is required to run applications in the IBM Tivoli Access Manager product suite. It enables the integration of IBM Tivoli Access Manager applications that provide a wide range of authorization and management solutions. Sold as an integrated solution, these products provide an access control management solution that centralizes network and application security policy for e-business applications.

Note: IBM Tivoli Access Manager is the new name of the previously released software called Tivoli SecureWay® Policy Director. Also, for users familiar with the Tivoli SecureWay Policy Director software and documentation, the management server is now called the policy server.

The IBM Tivoli Access Manager for e-business Plug-in for Web Servers Integration Guide provides administrative procedures and technical reference information for using the Plug-in for Web Servers application to protect your Web domain.
Who should read this book

This guide is for system administrators responsible for the installation, deployment, and administration of Access Manager Plug-in for Web Servers.

Readers should be familiar with the following:
- PC and UNIX® operating systems
- Database architecture and concepts
- Security management
- Internet protocols, including HTTP, HTTPS, and TCP/IP
- Lightweight Directory Access Protocol (LDAP) and directory services
- A supported user registry
- Authentication and authorization

If you are enabling Secure Sockets Layer (SSL) communication, you also should be familiar with the SSL protocol, key exchange (public and private), digital signatures, cryptographic algorithms, and certificate authorities.
What this book contains

This book contains the following main sections:
- Chapter 1, "IBM Tivoli Access Manager Plug-in for Web Servers overview"
  Provides an overview of the Access Manager Plug-in for Web Servers application, including detailed information on system architecture, functionality, and operating environment.
- Chapter 2, "IBM Tivoli Access Manager Plug-in for Web Servers configuration"
  Provides information about the configuration requirements for Access Manager Plug-in for Web Servers.
- Chapter 3, "IBM Tivoli Access Manager Plug-in for Web Servers authentication and request processing"
  Describes how the plug-in maintains session state, handles the authentication process, and performs the post-authorization processing that authorized sessions require.
- Chapter 4, "IBM Tivoli Access Manager Plug-in for Web Servers security policy"
  Provides information on configuring and customizing Access Manager Plug-in for Web Servers security policy.
- Chapter 5, "Web single sign-on solutions"
  Describes single sign-on solutions for Web space protected by Access Manager Plug-in for Web Servers.
- Chapter 6, "Cross-domain sign-on solutions"
  Describes cross-domain single sign-on solutions for Access Manager Plug-in for Web Servers.
- Chapter 7, "Application integration," on page 143
  Describes application integration achieved through the plug-in's environment variables and HTTP header passing, as well as dynamic URL capabilities.
- Chapter 8, "Authorization decision information retrieval," on page 147
  Describes how the plug-in supplies or retrieves the authorization decision information (ADI) needed to evaluate authorization rules (rules used to protect resources in a Tivoli Access Manager domain).
- Appendix A, "Using pdbackup to back up plug-in data," on page 153
  Provides information about using the pdbackup utility.
- Appendix B, "pdwebpi.conf reference"
  Lists the Access Manager Plug-in for Web Servers configuration parameters with brief descriptions.
- Appendix C, "Module quick reference"
  Lists all plug-in authentication, session, and post-authorization methods with brief descriptions.
- Appendix D, "Command quick reference"
  Lists the available plug-in utilities and describes the operations they perform.
- Appendix E, "Special characters allowed in regular expressions," on page 191
  Lists the special characters allowed in the regular expressions used in the pdwebpi.conf configuration file.
Publications

Review the descriptions of the Tivoli Access Manager library, the prerequisite publications, and the related publications to determine which publications might be helpful to you. After you determine the publications you need, refer to the instructions for accessing publications online.

Additional information about the IBM Tivoli Access Manager for e-business product suite can be found at the following address:
http://www.ibm.com/software/tivoli/products/access-mgr-e-bus/

The Tivoli Access Manager library can be divided into the following categories:
- "Release information" on page xv
- "Base information"
- "Web security information"
- "Developer references" on page xvi
- "Technical supplements" on page xvi
Release information
- IBM Tivoli Access Manager for e-business Read Me First (G152-0804-00)
  Provides information for installing and getting started using Tivoli Access Manager.
- IBM Tivoli Access Manager for e-business Release Notes (G152-0805-00)
  Provides late-breaking information, such as software limitations, workarounds, and documentation updates.
Base information
- IBM Tivoli Access Manager Base Installation Guide (S152-0806-00)
  Explains how to install and configure the Tivoli Access Manager Base software, including the Web Portal Manager interface. This book is a subset of the IBM Tivoli Access Manager for e-business Web Security Installation Guide and is intended for use with other Tivoli Access Manager products, such as IBM Tivoli Access Manager for Business Integration and IBM Tivoli Access Manager for Operating Systems.
- IBM Tivoli Access Manager Base Administration Guide (S152-0807-00)
  Describes the concepts and procedures for using Tivoli Access Manager services. Provides instructions for performing tasks from the Web Portal Manager interface and by using the pdadmin command.
Web security information
- IBM Tivoli Access Manager for e-business Web Security Installation Guide (S152-0808-00)
  Provides installation, configuration, and removal instructions for the Tivoli Access Manager Base software as well as the Web Security components. This book is a superset of the IBM Tivoli Access Manager Base Installation Guide.
- IBM Tivoli Access Manager Upgrade Guide (SC32-1369-00)
  Explains how to upgrade from Tivoli SecureWay Policy Director V3.8 or previous versions of Tivoli Access Manager to Tivoli Access Manager V5.1.
- IBM Tivoli Access Manager for e-business WebSEAL Administration Guide (S152-0809-00)
  Provides background material, administrative procedures, and technical reference information for using WebSEAL to manage the resources of your secure Web domain.
- IBM Tivoli Access Manager for e-business IBM WebSphere Application Server Integration Guide (S152-0810-00)
  Provides installation, removal, and administration instructions for integrating Tivoli Access Manager with IBM WebSphere® Application Server.
- IBM Tivoli Access Manager for e-business IBM WebSphere Edge Server Integration Guide (SC32-1367-00)
  Provides installation, removal, and administration instructions for integrating Tivoli Access Manager with the IBM WebSphere Edge Server application.
- IBM Tivoli Access Manager for e-business Plug-in for Web Servers Integration Guide (S152-0813-00)
  Provides installation instructions, administration procedures, and technical reference information for securing your Web domain using the Plug-in for Web Servers.
- IBM Tivoli Access Manager for e-business BEA WebLogic Server Integration Guide (S152-0811-00)
  Provides installation, removal, and administration instructions for integrating Tivoli Access Manager with BEA WebLogic Server.
- IBM Tivoli Access Manager for e-business IBM Tivoli Identity Manager Provisioning Fast Start Guide (SC32-1364-00)
  Provides an overview of the tasks related to integrating Tivoli Access Manager with Tivoli Identity Manager and explains how to use and install the Provisioning Fast Start collection.
Developer references
- IBM Tivoli Access Manager for e-business Authorization C API Developer Reference (SC32-1355-00)
  Provides reference material that describes how to use the Tivoli Access Manager authorization C API and the Tivoli Access Manager service plug-in interface to add Tivoli Access Manager security to applications.
- IBM Tivoli Access Manager for e-business Authorization Java Classes Developer Reference (SC32-1350-00)
  Provides reference information for using the Java™ language implementation of the authorization API to enable an application to use Tivoli Access Manager security.
- IBM Tivoli Access Manager for e-business Administration C API Developer Reference (SC32-1357-00)
  Provides reference information about using the administration API to enable an application to perform Tivoli Access Manager administration tasks. This document describes the C implementation of the administration API.
- IBM Tivoli Access Manager for e-business Administration Java Classes Developer Reference (SC32-1356-00)
  Provides reference information for using the Java language implementation of the administration API to enable an application to perform Tivoli Access Manager administration tasks.
- IBM Tivoli Access Manager for e-business Web Security Developer Reference (SC32-1358-00)
  Provides administration and programming information for the cross-domain authentication service (CDAS), the cross-domain mapping framework (CDMF), and the password strength module.
Technical supplements
- IBM Tivoli Access Manager for e-business Command Reference (SC32-1354-00)
  Provides information about the command line utilities and scripts provided with Tivoli Access Manager.
- IBM Tivoli Access Manager Error Message Reference (SC32-1353-00)
  Provides explanations and recommended actions for the messages produced by Tivoli Access Manager.
- IBM Tivoli Access Manager for e-business Problem Determination Guide (SC32-1352-00)
  Provides problem determination information for Tivoli Access Manager.
- IBM Tivoli Access Manager for e-business Performance Tuning Guide (S152-0812-00)
  Provides performance tuning information for an environment that consists of Tivoli Access Manager with IBM Tivoli Directory Server as the user registry.
Related publications

This section lists publications related to the Tivoli Access Manager library.

The Tivoli Software Library provides a variety of Tivoli publications such as white papers, datasheets, demonstrations, redbooks, and announcement letters. The Tivoli Software Library is available on the Web at:
http://www.ibm.com/software/tivoli/library/

The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available, in English only, from the Glossary link on the left side of the Tivoli Software Library Web page: http://www.ibm.com/software/tivoli/library/
IBM Global Security KitTivoli Access Manager (}9C IBM Global Security Kit(GSKit)V7.0 a)}]S
\#GSKit |,ZT&ZzX(=(D IBM Tivoli Access Manager Base CD"IBM Tivoli
Access Manager Web Security CD"IBM Tivoli Access Manager Web Administration
Interfaces CD M IBM Tivoli Access Manager Directory Server CD O#
GSKit m~|a) iKeyman \?\m5CLr gsk7ikm,|CZ4(\?}]b"+
C-(C\?TT0$iks#TBD5IS Tivoli Information Center Web >cOk
IBM Tivoli Access Manager z7D5`,D?VPR=:
v IBM Global Security Kit Secure Sockets Layer and iKeyman User’s
Guide(SC32-1363-00)
*F.Zd Tivoli Access Manager 73PtC SSL (EDxgr532+T\m
1a)KE"#
IBM Tivoli Directory Server
IBM Tivoli Directory Server V5.2 |,ZT&ZZ{DYw53D IBM Tivoli Access
Manager Directory Server CD O#
":IBM Tivoli Directory Server GH0"PD{FgBDm~DB{F:
v IBM Directory Server(V4.1 M V5.1)
v IBM SecureWay Directory Server(V3.2.2)
IBM Directory Server V4.1"IBM Directory Server V5.1 M IBM Tivoli Directory Server
V5.2 <\ IBM Tivoli Access Manager V5.1 D'V#
XZ IBM Tivoli Directory Server Dd|E"IZTBX7R=:
http://www.ibm.com/software/network/directory/library/
IBM DB2 (C}]b
IBM DB2® Universal Database™((C}]b)s5~qwf V8.1 Z IBM Tivoli Access
Manager Directory Server CD Oa),"k IBM Tivoli Directory Server m~;p2
0#Z+ IBM Tivoli Directory Server"z/OS™ r OS/390® LDAP ~qwCw Tivoli
Access Manager DC'"am1,DB2 GXhD#
XZ DB2 Dd|E"IZTBX7R=:
http://www.ibm.com/software/data/db2/
IBM WebSphere Application Server
IBM WebSphere Application Server, Advanced Single Server Edition 5.0 |,ZT&Z
Z{DYw53D IBM Tivoli Access Manager Web Administration Interfaces CD O#
WebSphere Application Server tCT Web Portal Manager gf(CZ\m Tivoli Access
Manager)M Web \m$_(CZ\m IBM Tivoli Directory Server)b=_D'V#
IBM WebSphere Application Server Fix Pack 2 2G Tivoli Access Manager yXhD,
"Z IBM Tivoli Access Manager WebSphere Fix Pack CD Oa)#
XZ IBM WebSphere Application Server Dd|E"IZTBX7R=:
http://www.ibm.com/software/webservers/appserv/infocenter.html
IBM Tivoli Access Manager for Business Integration
IBM Tivoli Access Manager for Business Integration w*I%@):Dz7a),* IBM
MQSeries® V5.2 M IBM WebSphere® MQ V5.3 D{"a)K2+Tbv=8#IBM
Tivoli Access Manager for Business Integration Jm WebSphere MQSeries &CLr(
}9Ck"MMSU&CLrX*D\?X\X"Rj{X"M}]#s WebSEAL M
IBM Tivoli Access Manager for Operating Systems ;y,IBM Tivoli Access Manager
for Business Integration G9C IBM Tivoli Access Manager ~qDJ4\mw.;#
XZ IBM Tivoli Access Manager for Business Integration Dd|E"IZTBX7R
=:
http://www.ibm.com/software/tivoli/products/access-mgr-bus-integration/
TBk IBM Tivoli Access Manager for Business Integration V5.1 `XDD5IZ Tivoli
Information Center Web >cOR=:
v 6IBM Tivoli Access Manager for Business Integration \m8O7(S152-0085-01)
v 6IBM Tivoli Access Manager for Business Integration Jb7(8O7(G152-0676-00)
v 6IBM Tivoli Access Manager for Business Integration "P5w7(G152-0518-01)
v 6IBM Tivoli Access Manager for Business Integration kHDA7(G152-0675-00)
IBM Tivoli Access Manager for WebSphere Business Integration Brokers
IBM Tivoli Access Manager for WebSphere Business Integration Brokers w* IBM Tivoli
Access Manager for Business Integration D;?Va),* WebSphere Business Integration
Message Broker V5.0 M WebSphere Business Integration Event Broker V5.0 a)2+
Tbv=8#IBM Tivoli Access Manager for WebSphere Business Integration Brokers
(}a)yZ\kM>$DO$"/P(eDZ(MsF~q4k Tivoli Access Manager
-,YwT#$ JMS "</$)&CLr#
XZ IBM Tivoli Access Manager for WebSphere Integration Brokers Dd|E"IZ
TBX7R=:
http://www.ibm.com/software/tivoli/products/access-mgr-bus-integration/
TBk IBM Tivoli Access Manager for WebSphere Integration Brokers V5.1 `XDD
5IZ Tivoli Information Center Web >cOR=:
v 6IBM Tivoli Access Manager for WebSphere Business Integration Brokers \m8O7
(S152-0793-00)
v 6IBM Tivoli Access Manager for WebSphere Business Integration Brokers "P5w7
(G152-0794-00)
v 6IBM Tivoli Access Manager for Business Integration kHDA7(G152-0675-00)
IBM Tivoli Access Manager for Operating Systems
IBM Tivoli Access Manager for Operating Systems w*I%@):Dz7qC,a)
}K>zYw53ya)DZ]TbZ UNIX 53ODZ(_T5)c#IBM Tivoli
Access Manager for Operating Systems s WebSEAL M IBM Tivoli Access Manager
for Business Integration ;y,G9C IBM Tivoli Access Manager ~qDJ4\mw
.;#
XZ IBM Tivoli Access Manager for Operating Systems Dd|E"IZTBX7R=:
http://www.ibm.com/software/tivoli/products/access-mgr-operating-sys/
TBk IBM Tivoli Access Manager for Operating Systems V5.1 `XDD5IZ Tivoli
Information Center Web >cOR=:
v 6IBM Tivoli Access Manager for Operating Systems 208O7(S152-0190-00)
v 6IBM Tivoli Access Manager for Operating Systems \m8O7(S152-0571-00)
v 6IBM Tivoli Access Manager for Operating Systems Jb7(8O7(S152-0179-00)
v 6IBM Tivoli Access Manager for Operating Systems "P5w7(G152-0185-00)
v 6IBM Tivoli Access Manager for Operating Systems kHDA7(G152-0186-00)
IBM Tivoli Identity Manager
IBM Tivoli Identity Manager V4.5 w*I%@):Dz7a),|9zIT/P\mC
'(gC'j6M\k)M)&(a)r7zT&CLr"J4rYw53DCJ)#
Tivoli Identity Manager IT(}9C Tivoli Access Manager zmLrxk Tivoli Access
Manager /IZ;p#k*5zD IBM M'zmTq!XZ:rCzmLrD|`E
"#
XZ IBM Tivoli Identity Manager Dd|E"IZTBX7R=:
http://www.ibm.com/software/tivoli/products/identity-mgr/
Z_CJvfo
TB Tivoli software library PZ_a)>z7DIF2D5q=(PDF)M/r,D>
jGoT(HTML)q=Dvfo:http://www.ibm.com/software/tivoli/library
*ZbPR=z7vfo,k%wb3fs`D Product manuals 4S#;sZ Tivoli
Software Information Center 3fOR="%wz7{F#
z7vfo|("P5w"208O"C'8O"\m18OT0*"_N<s+#
":*7#\}7r! PDF vfo,kZ Adobe Acrobat0r!10Z(I(}%w
D~ → r!4T>C0Z)P!qJO3f4!r#
(z!n
(z!n&\oz_PmePO(gP/;crS&O-)DC'I&9CwVm~
z7#TZ>z7,I9C(z<u}!M/@gf#2I9C|L4fzsj4P
<NC'gfDyP&\#
*5m~'V
ZM3;Jb*5 IBM Tivoli m~'V.0,k%w;ZTB Web >cD Tivoli support 4STCJ IBM Tivoli m~'V>c: http://www.ibm.com/software/support/
g{h*d|oz,rk(}9CTB Web >cD IBM Software Support Guide Py
hvD=(4*5m~'V: http://techsupport.services.ibm.com/guides/handbook.html
C8Oa)KTBE":
v *C='VyhD"aMJq*s
v g0Ek(y]zyZDzRrXx)
v *5M''V.0&U/D;5PE"
>i9CD<(
>N<JOTXbuoMYwT0@5ZYw53D|nM769CKtI<(#
VM<(
>N<JOP9CKTBVM<(:
VeV QTk\'D>"X|V"N}"!n"Java `{T0TsxVD!4|nr
s!4lO|nyTVeVT>#
1eV d?"vfojbM&C?wDXb%JrLoyT1eVT>#
HmVM
QTk\'D>"53{""C'XkdkDD>T0N}r|n!nD5x
VDzk>}"|nP"A;dvT0D~{M?<{yTHmVMT>#
Yw53xp
>i9C UNIX <(8(73d?M?<{E#9C Windows |nP1,TZ73d
?kC %variable% f; $variable,"C41\(\)f;?<76PD?v}1\(/)#
g{Z Windows 53O9C bash shell,rIT9C UNIX <(#
Z 1 B IBM Tivoli Access Manager Plug-in for Web Servers ri
IBM Tivoli Access Manager(Tivoli Access Manager)Plug-in for Web Servers G;V
/Ibv=8,cZC'*\#$ Web Ud5VM\m2+_T#Ce~w*kzD
Web ~qw`,DxLD;?V20,d1EzDM'zM\#$ Web UdD2+T
xX#
>i\TBZa)K Tivoli Access Manager Plug-in for Web Servers <uDEv,5
wKz7D<u*s,"a)KT9Ce~7# Web Ud2+D}LDi\#
":PXKe~D'V=("ELMZfhs"X8m~T0208>E"Dj8E
",kN<6Tivoli Access Manager for e-business Web Security 208O7#P
X+ Tivoli Access Manager Plug-in for Web Servers }6= V5.1 Dj8E",
kN< IBM Tivoli Access Manager Upgrade Guide#
>i\TBZ|,TBwb:
v :Tivoli Access Manager Plug-in for Web Servers <u;
v Z 3 3D:9C Tivoli Access Manager Plug-in for Web Servers #$zD Web U
d;
v Z 3 3D:Tivoli Access Manager Plug-in for Web Servers O$;
v Z 4 3D:>$q!;
Tivoli Access Manager Plug-in for Web Servers <u
Tivoli Access Manager Plug-in for Web Servers Ik Tivoli Access Manager &CLr
/IZ;p*zD Web J4a)j{D2+Tbv=8#e~w* Web ~qw,;
xLD;?VKP,|9X=oD?vks,7(Gqh*Z(v_"a)C'O$
DVN(g{h*)#e~Ia)%;"abv=8"+ Web &CLrJ4"k|D2
+_T#
y>Ywi~Me5a9
=vy>9~iIK Tivoli Access Manager Plug-in for Web Servers - e~i~MZ
(~qw#e~i~k Web ~qw_L;pYw,(}xLd(E(IPC)SZ+?v
ksDj8E""M= Authorization Server#Z(~qw4PxkDksDO$MZ(#
Z(~qwG>X==D AZNAPI &CLr,|S\"&m4Te~Dks"xPl
&,f_e~gN&m?vks#
© Copyright IBM Corp. 2000, 2003 1
Z(~qw7(ks*07=DvibwzO(g{ Web ~qwOfZibwz)"
7(ksGqh*Z(#;h*Z(Dks1S+]x Web ~qwxP&m#h*Z
(DksIZ(~qwTBP==&m:
1. a0MO$E"SH0QO$DksPi!#
2. h*D0,t/kC'DO$;%wC#
3. 4( Tivoli Access Manager >$#
4. j6C'ITCJDJ4,;s+b)J43d=`&D Tivoli Access Manager \
#$Ts{F#;v\#$DTs{Fzm;vgS5e,}g Web >cD2+?
Vr;Jm3)C'CJD&CLr#
5. 7(Gqh*^Dksrl&#
6. (}rksrl&PmS cookie r7,r_zIl&(}g,QO$Dl&r4Z
(Dl&)4zIe~rwz Web ~qwyhDl&#
'Vibwz
Web ~qwDibwz&\9d\;ZrXxOw*`vwzvV#Tivoli Access
Manager Plug-in for Web Servers y'VD Web ~qw<a)ibw\&\#
Tivoli Access Manager Plug-in for Web Servers a)yZ?vibwz5V2+_TD
&\#5VK&\yhD&CLrhCZ>D5Dsf?VxPV[#
< 1. e~M Tivoli Access Manager i~D;%wC#
9C Tivoli Access Manager Plug-in for Web Servers #$zD Web Ud
Tivoli Access Manager Plug-in for Web Servers a)TB&\:
v 'V`vO$=(,|(:y>O$"IP X7"nF"$iMm%HH#
v S\ HTTP M HTTPS ks#
v (}T@5Zi/_TDC'ksxPO$MZ(4#$ Web ~qwJ4#
v 'Vibwz73PDksO$MZ(#
v \mT Web ~qwUdDCJXF#\'VDJ4|( URL"yZ URL D}rm
o="CGI Lr"HTML D~"Java !~qLrM Java `D~#
v _Y:fa0M>$E",T\bZ(liZdTC'"am}]bDX4i/#
v a)%;"a&\
+>2+T_Tj6h*#$D Web J4M?v Web J4yhD#$6p#Tivoli
Access Manager 9Cb) Web J4Dibm>,F.*\#$TsUd#\#$Ts
Ud|,zmxgPD5JomJ4DTs#(}+J1D2+zF&C=h*#$
DTs5V2+T_T#
2+zF|(:
v CJXFm(ACL)_T
ACL _Tj6C'`M,b)C'ITCJM8(?vC'`MDTsOJmDY
w#
v \#$Ts_T(POP)
POP 8('dT\#$TsDCJD=Su~,}g#\T"j{T"sFMCJD
?U1d#
v Z(fr
Z(frG|,ZZ(_TPDu~,IC|G4yZtT(}gC'"&CLr
M73OBD)wvCJv_#
v )9tT
)9tTGCZIT0lZ(v_DTs"ACL r POP D=S5#
Tivoli Access Manager Plug-in for Web Servers DZ(~qwi~yZC'>$MkT
TsDCJXF4Jmr\xCJ\#$DJ4#*I&5V2+T_T,XkZ>
Xi/;,DZ]`M"&CJ1D ACL M POP _T#CJ\mI\GO4SD,
+IT(}TZ]`MP8V`x9ddC]W#XZ Tivoli Access Manager D+f
E"(|,hC_TDj8E")IZ6IBM Tivoli Access Manager Base \m18O7
PR=#
Tivoli Access Manager Plug-in for Web Servers O$
O$Gj6"TG<=2+rD%@xLr5eD=(#Z(G7(qO$DC'G
qP(^TX(J44PYwD=(#O$7#vKm]Df5T,+;TdTJ4
4PYwD\&vNNPO#
Tivoli Access Manager Plug-in for Web Servers *s?vM'za)m]$w45)2
+rPD_62+T#(}9 Tivoli Access Manager Plug-in for Web Servers a)M
'zDO$MZ(,Ia)+fDxg2+T#
TBu~JCZ Tivoli Access Manager Plug-in for Web Servers O$:
v e~'VO$=(Dj</O#IT(Fe~T'Vd|O$=(#
v e~xL@"ZO$=(#
v e~vh*M'zm]#(}Cm],e~q!QO$(r4O$)D>$,Z(
~qwI9CC>$Jmr\xTJ4DCJ#
b;inDO$=(Jm2+T_TyZ5qhs,x;GomxgXKa9#
Tivoli Access Manager Plug-in for Web Servers O$}LzzTBYw:
1. M'zO$zzM'zm]#
;PC'_P Tivoli Access Manager C'"amP(eDJ'1,M'zO$Ea
I&#qr+CC'8(*4O$#
2. Tivoli Access Manager Plug-in for Web Servers 9CM'zm]4qCCM'zD
>$#
e~9O$DM'zm]k"aD Tivoli Access Manager C'%d#;se~q!
J1DC'>$#bF*>$q!#
>$|(C'{0C'_PI1JqDyPi#e~I9Cb)>$4Jmr\x
T Tivoli Access Manager \#$TsUdPyksTsDCJ#
>$ICZNN Tivoli Access Manager ~q,b)~qh*XZM'zDE"#>
$9 Tivoli Access Manager \;2+4Ps?~q,}gZ("sFM/I#
XZ'VX(O$=(Dx;=E",kNDZ 35 3DZ 3 B, :IBM Tivoli Access
Manager Plug-in for Web Servers O$Mks&m;#
>$q!
O$}LDw*?DGq!hvM'zC'D>$E"#C'>$GNk2+rDX
|*s#
Tivoli Access Manager xpT}C'O$M>$q!#C'Dm]<UG;dD#;x,
>$((eC'NkDirG+)GIdD#X(ZOBDD>$ITfE1dDw
Ex|D#}g,z}3K1,>$Xk5XBD0p6p#
O$}L+zzX(Z=(DC'm]E"#+CE"k$tZ Tivoli Access Manager
C'"am(1!ivB* LDAP)PDC'J'E"xPKT#Tivoli Access Manager
Plug-in for Web Servers +C'{MiE"3dI+2r6'ZDm>Mq=,F*)
9X(tT$i(EPAC)#
X(Z=(Dm]E"(}g\k"jGM$i)zmC'Domm]tT#KE"
IC4k~qw("2+a0#
nUC=D>$(zm2+rPDC'X()hvX(OBDPDC'"RvZCa
0DP'ZZP'#
Tivoli Access Manager >$|,C'm]MKC'_PI1JqDi#
>$ICZNN Tivoli Access Manager ~q,b)~qh*XZM'zDE"#}g,
Tivoli Access ManagerZ(~qw9C>$47(GqZ(C'T2+rPD\#$J
44PX(Yw#>$9CZd|Nq,}gG<U>MsF#
EPAC |,(;(Cj6(UUID),Tivoli Access Manager h*Cj64&mCJX
Fm(ACL)#
TB EPAC VNJCZ Tivoli Access Manager:
m 1. Tivoli Access Manager EPAC VN
tT hv
Secure Domain ID weDw2+rj6
Principal UUID weD UUID
Group UUIDs weytDiD UUID
I+ Tivoli Access Manager Plug-in for Web Servers dC*Z#VC'Da0G10
D,1"BC'D>$E"#1C'h*T3)2+&CLrxPnbDCJrz#
{^F3C'DCJ(x;h*9CC'S{GD10a0P"z,K&\G\PC
D#PXdCe~xP>$"BD|`E",kNDZ 30 3D:>$"B;#
Z 2 B IBM Tivoli Access Manager Plug-in for Web Servers dC
>Bhv#f\mMdCNq,IT4Pb)NqCZ(F IBM Tivoli Access
Manager(Tivoli Access Manager)Plug-in for Web Servers#
>BP|(Dwb:
v :#fe~E";
v Z 11 3D:dCZ(~qw;
v Z 12 3D:dCibwz~qw;
v Z 15 3D:Web ~qwX(DdC;
v Z 17 3D:(FTsPm;
v Z 18 3D:*\m1dCP;C'(SU);
v Z 23 3D:T LDAP ~qwdCJO*F;
v Z 23 3D:'V~=W!n=((P3P)7;
v Z 26 3D:dCe~sF"U>G<"zYM_Y:f}]b;
v Z 30 3D:dCZ( API ~q;
v Z 30 3D:>$"B;
v Z 31 3D:dC HTTP ks_Y:f;
v Z 32 3D:oT'VkV{/;
#fe~E"
TBwZhvKXZ Tivoli Access Manager Plug-in for Web Servers dCD#fE":
v :Tivoli Access Manager Plug-in for Web Servers 20Dy?<;
v Z 8 3D:pdwebpi.conf dCD~;
v Z 9 3D:pdwebpimgr.conf dCD~;
v Z 9 3D:t/M#9 Tivoli Access Manager Plug-in for Web Servers;
v Z 9 3D:HTTP ms{";
v Z 10 3D:j'V;
v Z 10 3D:km%`XDj;
Tivoli Access Manager Plug-in for Web Servers 20Dy?<
Tivoli Access Manager Plug-in for Web Servers DLrD~20ZTBy?<P:
UNIX:
/opt/pdwebpi/
Windows:
C:\Program Files\Tivoli\PDWebPI\
ITZCe~D Windows 20ZddCK76#;\Z UNIX 20OdCK76#>
8O9C install_path d?zmKy?<#
Z UNIX 20P,TB%@?<|,I)9DD~,}gsFMU>D~:
/var/pdwebpi/
g{ZdC Tivoli Access Manager KP1Zd!qK+2 Tivoli ?<,r+U>D~
4kK?<#
pdwebpi.conf dCD~
IT(}dC;Z pdwebpi.conf dCD~DN}(Fe~DYw#CD~;ZTB?
<:
UNIX:
install_path/etc/
Windows:
install_path\etc\
BmTdCD~DZxPKV`#
m 2. pdwebpi.conf Z**
n Z
GENERAL [module-mgr] [modules] [wpiconfig] [pdweb-plugins]
[performance]
AUTHENTICATION [common-modules] [authentication-levels]
[authentication-mechanisms] [user-agent] [acctmgmt] [BA]
[failover] [failover-add-attributes] [failover-restore-attributes]
[forms] [login-form-1] [ltpa] [tag-value] [token-card] [http-hdr]
[iv-headers] [login-redirect] [ntlm] [spnego] [boolean-rules]
[switch-user] [dynurl] [cred-refresh] [ext-auth-int] [auth-data]
[http-method-perms] [web-server-authn]
SINGLE SIGNON [fsso] [ecsso] [ecsso-domain-keys] [ecsso-token-attributes]
[ecsso-incoming-attributes] [cdsso] [cdsso-domain-keys]
[cdsso-token-attributes] [cdsso-incoming-attributes]
VIRTUAL HOSTS [virtual-host-name]
SESSIONS [sessions] [session-cookie]
LDAP [ldap]
LOGGING [web-log]
AUTHORIZATION SERVER [proxy-if] [proxy]
P3P [p3p-header]
AUTHORIZATION API [aznapi-entitlement-services] [aznapi-configuration]
WEB SERVER [ihs] [iis] [iplanet] [apache]
XZ pdwebpi.conf dCD~PDIdCN}Dhv,kNDZ 157 3D=< B,
:pdwebpi.conf N<;#
":^[N1T pdwebpi.conf D~xP|D,<XkV$XBt/ Tivoli Access
Manager Plug-in for Web Servers Tc6pBD|D#XZt/M#9&CLrD
E",kND:t/M#9 Tivoli Access Manager Plug-in for Web Servers;#
pdwebpimgr.conf dCD~
e~D UNIX 20|,dCD~ pdwebpimgr.conf#KdCD~|,C4ZZ(X$L
r'\1T/XBt/|DN}#
CD~;ZTB?<:
install_path/etc/
NNivB<;&|DKD~PDN}#
t/M#9 Tivoli Access Manager Plug-in for Web Servers
*t/M#9e~xL,Z UNIX O9C pdwebpi_start |n,Z Windows O9C
0~qXFfe1#
UNIX:
pdwebpi_start {start|stop|restart|status}
}g,*#9e~;sXBt/|,9C:
# pdwebpi_start restart
pdwebpi_start |n;ZTB?<:
install_path/sbin/
Windows:
j60~qXFfe1PDe~xL"9CJ1DXF4%#
":pdwebpi GZ(~qwxL#Z UNIX 20P,xL pdwebpimgrd T/XB
t/Z(~qw(g{|'\)#Z Windows O,Z(~qwI Windows ~qT
/XBt/#
HTTP ms{"
Tivoli Access Manager Plug-in for Web Servers P1a"TT3vksa)~q"'\
K#C'\I\P\`-r#=Vn#{D'\-rG:
v D~;fZ
v mI(hC{9CJ
1"zTksa)~qD'\1,e~5Xmszkx Web ~qw,C Web ~qw
bMKmszk"T>`&Dms3f#
(F IIS ms{"DT>
IIS a)(FrM'zT>Dms3fDq=MZ]D\&#bTrM'zT>|`j8
DmsE"\PC#e~IT{C IIS PDb;ms(F$_#
9C pdwebpi.conf dCD~D [iis] ZPD use-error-pages N},zIT!qG+
IIS dCDms3f9G+j<mszk3f5XxM'z/@w#g{hC* yes,r
use-error-pages N}9Ce~{CNN(FD IIS ms3f#g{hC* no,rT
Authorization Server v=DmsT>j<ms3f#use-error-pages N}Z1!iv
BhC* no#
":g{+ use-error-pages hC* yes,SxJmT Authorization server DmsT
>(FD IIS ms3f,a<Be~T\DTx5M#
j'V
TBjICZ(F HTML ms3f#j+/,Xf;ICDJ1E"#
m 3. 'VDjf;
j hv
%USERNAME% QG<C'D{F
%ERROR_CODE% kmsX*Dmszk}V
%ERROR_TEXT% kmsX*DmsD>
%URL% M'zksD URL
%HOSTNAME% +^(wz{
%HTTP_BASE% ~qwDy> HTTP URL:
http://host:tcpport/
%HTTPS_BASE% ~qwDy> HTTPS URL:
https://host:sslport/
%HTTP_BODY% ksDwe(g{fZ)#
%REFERER% 4TksDN<_7D5,r.4*/(g{^)
%BACK_URL% 4TksDN<_7D5,r.//(g{^)
%BACK_NAME% g{ksPfZN<_7,r5*.BACK/,g{^,r
*.HOME/#
%POST_URL% NN Tivoli Access Manager a)Dm%DQdC POST
URL#
%COOKIES% ZksPR=DNN cookie#
km%`XDj
Tivoli Access Manager Plug-in for Web Servers a)TBm%,|G;Z
/opt/pdwebpi/nls/html/lang/charset ?<P:
v P;C',
v nF,
v m%G<,
v |D\k#
QC %POST_URL% jdCb)m%#%POST_URL% jJme~XB"MNbI\
Q|,Z-<ksPD POST }]#g{;P %HTTP_BODY% j,;)e~axm
%&m,f-<ksa)DyP POST }]<+*'#
9+1!m%dC*_Y:fm%TmZDyPh*Da0}]#Ka0}]|(-
<ksD URL"-<ksD URL DN<_T0-<ksDwe#
dCZ(~qw
Z(~qw&mZ(MO$Ds?V&m#Z(~qwa)$wLr_LX,CXC
Z:
v Se~S\ks,
v +?vksDa{"MXe~#
e~(}9C2mZf5VD IPC zFkZ(~qw(E#pdwebpi.conf dCD~D
[proxy-if] Z8(JOZe~MZ(~qw.d(EDdCN}#
dC$wLr_L
dCD~D [proxy-if] ZPD number-of-workers M worker-size N}8(ITd
xPw{Ta)nEDe~Z(~qwT\D5#1hCb)51,k<GxgOE
"wD}?M`M#
[proxy-if]
number-of-workers = 10
worker-size = 10000
cleanup-interval = 300
number-of-workers N}8(IIe~~qD""xkDks}#1yP$wLr_L
&1=oDks+EZ:exP,1=$wLr_LIC#KN}r%X8(ICZ
~q1Z4^($wSPD_L}#&Cy]zZ{ Web ~qw,1S\Dnsks
}4vSKN}#Z UNIX =(O,Yw53I\TC5)S^F#
(#vS_L}+auYjIksy(QD=y1d#;x,vS_L}a0l+T
~qwT\zz;{0lDd|rX#
worker-size N}(e*?v$wLr_L$VdDZf?(TVZ*%;)#
cleanup-interval GZ(~qw2mZf=N,xe}.dDVS}#
":vv|D cleanup-interval M worker-size N}4TT\JbxPJOoO#
hC IPC ksDnsa0P'Z
pdwebpi.conf dCD~D [proxy-if] ZPD max-session-lifetime N}hCe~Z
,1.0+H}4TZ(~qwDl&D1d(k)#KN}vkZe~kZ(~qw
.d("D&mksDLZ0a01PX#g{"zbyD,1,rrM'z"M;
vms3f#+Ya"zK`,1#
[proxy-if]
max-session-lifetime = 300
":max-session-lifetime N};XFQO$a0DP'Z#QO$a0DP'ZI
[sessions] ZPD timeout N}XF#
dCms3f
;Z pdwebpi.conf dCD~D [proxy] ZPDN}CZzmvm18(*T>D
HTML 3f#[proxy] ZPhCDN}P:error-page"acct-locked-page"
retry-limit-reached-page M login-success#fZb)N}D1!D~#IT`-b
)D~r8(BD~4J&zDi/Dh*#Bm\aKb)N}#
m 4. [proxy] ms3fdCN}#
N} hv
error-page vVbb~qwms1,=C3fD76T>ZC'D
/@wO#
acct-locked-page C'"TCJx(DJ'1,T>=C3fD76#
retry-limit-reached-page o=JmDns'\G<"T}1,T>=C3fD7
6#nsJmG<'\}Z LDAP PhC - PXhC
C5Dj8E",kN<Z 100 3D:}N%wG<_
T;#
login-success ZI&Dm%rnFG<s,g{e~;P*+C'X
(rXD3f,r8(*T>D3f#I\Z9(+G
< POST }]1S"MXe~DG<m%1"zbVi
v#
1!ivB,y> HTML 3f;ZTB?<: install_path/nls/html/lang/charset#
dP:
v lang 4T NLS dC#Z@z"o20P#lang +hC* C#
v charset GCdT3fxP`kDV{/#1!5* utf-8#
XZe~oT'VDj8E",kN<Z 32 3D:oT'VkV{/;#
dCibwz~qw
C pdwebpi.conf dCD~D [pdweb-plugins] ZPhCDNb{F+ibwzj6
x Tivoli Access Manager Plug-in for Web Servers#
e~ITy]ksD=vXw4&C@XD2+T_T:
v ksTd07DibwzDj6,
v ks(}d=oD-i(http r https)#
ibwzj6Iwz Web ~qwDdCE"Izx4"RG Web ~qwX(D#|
4TBu~7(:
IHS M Apache C49libwzj6DdCc(gB:
1. g{ ServerName 18nfZZ <VirtualHost {hosta}:{port}
{hostb}:{port}...> iZ?,rC{FC4TibwzPmPD?vwz9l
TsUd#;xPNN"TT+a)D servername bvI+^(
hostname#
2. g{ VirtualHost iDZ?;fZ ServerName 18n,"RPmPD
wz{F;G}V IP X7,rxP"TTT?v{FxP+^(,;s
T?v;,Dwz{4(TsUd#
3. g{ VirtualHost iDZ?;fZ ServerName 18n,"RPmPD
wz{FG}V IP X7,rxP"TT+?v IP X7bvI+^(w
z{#
4. g{TI;fZwz{FxZ+V ServerName 18nP8(K;v{
F,r9CC{F(;xPbv)#
5. g{;fZ+V ServerName 18n,r9C53wz{D+^(N=#
IIS 5.0 M 6.0 Cj6k Internet Information Services \me~PT>D Web >c{Fj+
{O#}g,dC IIS 1y4(D1! Web >c{*0Default Web Site1,
bGI Tivoli Access Manager Plug-in for Web Servers 9CDj6#
Sun ONE Web Server(-{* iPlanet)
Cj6kZ Sun ONE Web Server dC GUI P4(ibwz18(Dib
wz{j+{O#C{Ff"Z server.xml D~D <VS id= > *XP#
Tivoli Access Manager Plug-in for Web Servers y]ibwz(e2+_T#Tivoli Access Manager Plug-in for Web Servers ibwz(}Ov=(M|&C#$D-i
/(http"https r both)y(eDibwzj646p#ibwz(eO$#=/M
EH3r"a0j6#=MZ(s&m,C&m&1&CZ(}%dD-i"M=
Web ~qwibwzDks#ibwz9(e URI = Tivoli Access Manager \#
$TsUd{FD3d#
Tivoli Access Manager Plug-in for Web Servers ibwzZdCD~D [pdweb-plugins] ZP(e#IT+|G(e*\#$r;\#$#;\#$DibwzO;aP&C
=dOD Tivoli Access Manager 2+_T#g{S\=kNNQ(eD\#$r;\
#$Dibwz<;%dDks,rZ Authorization Server DU>D~PzI;u8
vibwzj6MksD-iD/f{","+CJ(Zhks#by+c{TdC
JbDoO#
\#$ibwzI [pdweb-plugins] ZD virtual-host N}(e#;\#$Dibw
zI [pdweb-plugins] ZD unprotected-virtual-host N}(e#9CDibwz{
F(#kCibwz%dDibwzj6`{,+;;(\GbViv#C4(ei
bwzX(D2+_TD}GZ [pdweb-plugins] ZP(eDibwz{F#
X(ibwzD2+_TI_Pibwz{FDZP8(DdCN}4(e#Zib
wzZPI\(eDyPN}<PJ1D1!5,rK;XC?vibwz<P;v
Z#;PZibwzD2+_T;,Z1!51EXkPbyDZ#
ibwzP=vN}C4+xkDksk(e&C&C=ksOD2+_TDibw
z%d#b=vN}G id M protocols#
id N}(e*Cibwz+*%dDibwzj6#id N}D1!5Gibwz{F
>m#
protocols N}(eibwz+*%dD-i/#d5I\G http"https r both#
1!5* both#
ibwzDd`N}(e&C&C=ksODkCibwz%dD2+_T#
ibwzk\#$TsUdDXbSV'X*"ksD URI TCSV'*0:,T9
l\#$TsUd{F#K\#$TsUd{FCZwvZ(v_#branch dCN}
(eK\#$TsUdD{F#
[virtual_host_name]
branch = virtual_host_id
g{ibwzj65;P0<41\(/),rCu?D0:G /PDWebPI/#
branch N}1!*<B1!Ts{F0:* /PDWebPI/virtual-host-id D id N}D5#
bMDibwzV'
Ze~dCZd,4(;vF* /PDWebPI DTsUd#ZCTsUdP,*e~y#
$D?vibwz<4(u?#;vibwzTsBDTsUdIZibwzTsU
dP4PJ4DZ(v_De~Z(~qw5P#1!ivB,CZibwzDTs
UdDV'Sibwzj6qCd{F#g{*9C /PDWebPI TsUdD;,V',
r9C branch )94TdxP8(#V'ITZibwz.d2m#bVivZib
wz%*p{1I\"z#
":|DV'1,h*4(_PB{FDTs#IV'B,SDyP ACL #V,S=
VZQ;fZDTsO#
TB>}5wK Web ~qwyh*DdCN},K~qwPDvibwz:
v ibm.com,
v lotus.com-HTTP,
v lotus.com-HTTPS,
v domino.com#
ibwz lotus.com-HTTP M lotus.com-HTTPS IZ2m,;V',rK|G5JOG
`,Dibwz;+G(}CJ`M(HTTP r HTTPS)4xV|G#ZbVivB,
O$`MI\y]CJ`MD;,xhCC;,#domino.com ;\e~#$,x
ibm.com G,;v~qwOm;vibwz#
[pdweb-plugins]
virtual-host = ibm.com
virtual-host = lotus.com-HTTPS
virtual-host = lotus.com-HTTP
unprotected-virtual-host = domino.com
web-server = iplanet

[lotus.com-HTTPS]
id = lotus.com
protocols = https
protocols = http
branch = lotus.com

[lotus.com-HTTP]
id = lotus.com
protocols = http
branch = lotus.com

[ibm.com]
id = ibm.com
protocols = http, https
branch = ibm.com
?NZ pdwebpi.conf dCD~PTibwzDdCxPK|Ds,k7#XBt/
Web ~qw#
**?v%@ibwzhCO$N},h*Z?vibwzDy!OxPx;=Dd
C#XZ*ibwzdCO$=(Dj8E",kN<Z 38 3D:dCibwzDO
$;#
Web ~qwX(DdC
e~D3)YwGX(Z Web ~qwD,rKh*y]e~KPD Web ~qw`M
xPXbdC#9C pdwebpi.conf dCD~PD [pdweb-plugins] ZPD web-server N}(e Web ~qw`M#P'5* ihs"iplanet"iis r apache#}g:
[pdweb-plugins]
web-server = ihs
Web-server-specific dCn;Z pdwebpi.conf dCD~PD [iis]"[ihs]"[apache] M
[iplanet] ZP#
(}rZP7Sj+DibwzV',IyZ?vV'hC;) Web ~qwdCN}#
}g,[iplanet:/PDWebPI/lotus.com]#k/@ Web Ud`XDN}IT(}K==
4dC#
Bm5wKX( Web ~qw`MDIdCN}#
m 5. Web ~qwX(DdCN}
N} hv
[ihs]
query-contents 8(CZ(}0pdadmin> object list1|n/@ IBM
HTTP Server Web UdDi/Z]Lr#(}Z{*
[ihs:branch] DZ(}g [ihs:/PDWebPI/lotus.com])P
8(;vN}5ITyZ?vV'4XhKN}#
query-log-file G<i/Z]Lrv=DmsDU>D~D;C#
doc-root 8(D5y,CD5ya)4P0pdadmin> object
list1|nyhD Web Ud/@\&#KN}IdC5
CLrZhCibwz1hC - |Z [ihs:branch] Z
PyZ?v_TV'xP8(,}g
[ihs:/PDWebPI/lotus.com]
[apache]
query-contents 8(CZ(}0pdadmin> object list1|n/@ Apache
Web UdDi/Z]Lr#(}Z{*
[apache:branch] DZP8(;v5(}g
[apache:/PDWebPI/lotus.com])ITyZ?vV'X
hKN}#
query-log-file G<i/Z]Lrv=DmsDU>D~D;C#
doc-root 8(D5y,CD5ya)4P0pdadmin> object
list1|nyhD Web Ud/@\&#KN}ZhCi
bwz1IdC5CLrhC - Z [apache:branch] ZPyZ?v_TV'8(KN},}g
[apache:/PDWebPI/lotus.com]
[iis]
query-contents 8(CZ pdadmin /@ IIS Web UdDi/Z]L
r#(}Z{* [iis:branch] DZP8(;vN}5,
}g [iis:/PDWebPI/lotus.com],ITyZ?vV'Xh
KN}
query-log-file G<i/Z]Lrv=DmsDU>D~D;C#
m 5. Web ~qwX(DdCN} (x)
N} hv
log-file (e4T IIS e~DmsMzY{"DU>D~,C
D~#VkZ(~qwDU>D~;,Tc7#D~
D;BT#g{8(*`T76,r;Ck20?<
DU>S?<`X#g{8(*xT76,r9Cx
T76#
[iplanet]
query-contents 8(CZ pdadmin /@ Sun ONE(iPlanet)Web U
dDi/Z]Lr#(}Z{* [iplanet:branch] DZ
P8(;vN}5,}g
[iplanet:/PDWebPI/lotus.com],ITyZ?vV'Xh
KN}
query-log-file G<i/Z]Lrv=DmsDU>D~D;C#
doc-root 8(D5y,CD5ya)4P0pdadmin> object
list1|nyhD Web Ud/@\&#KN}IdCL
rZhCibwz1hC - |Z [iplanet:branch] Z
PyZ?v_TV'xP8(,}g
[iplanet:/PDWebPI/lotus.com]
ZTB>}P,ibwz ibm.com M lotus.com ZdCD~P<P`&DZ:
[iplanet:/PDWebPI/ibm.com] M [iplanet:/PDWebPI/lotus.com],dP(eX(Dd
CN}#
[pdweb-plugins]
virtual-host = ibm.com
virtual-host = lotus.com
web-server = iplanet

[iplanet]
query-contents = /opt/pdweb/bin/wpi_iplanet_ls

[iplanet:/PDWebPI/ibm.com]
doc-root = /usr/local/ibm.com/doc/root

[iplanet:/PDWebPI/lotus.com]
doc-root = /usr/local/lotus.com/doc/root
Web ~qw"bBn
IIS9C Web ~qwtTT0rPD?<2+T!n(dC IIS 2+ThC1,G!;)
IdCD2+ThCI(} Web UdcNa9LPG\X*D#
e~/,4(0ib1Web UdTs4&mwV&\#PXb)TsD2+ThC(#
\X*#Xkv=;|Db)TsD2+TtT#
ZtTT0rD?<2+T!n(P^D IIS 2+ThCs,T>LP2GT0r#L
P2GT0rPvK2GzUUhCD5DSZc#zP(!qD)Zc&C9CB
5#;\ZKT0rP!q PDWebPI Zc#
Apache M IHS
{C Multiviews: 9C Apache r IHS Web ~qw1,&{Cy?<BD
MultiViews 18n#tC MultiViews 18n+F} Tivoli Access Manager Plug-in for
Web Servers DO$li,bya#0 Web ~qwD2+T#
1!ivB,Z Apache PDD5y?<BtC Multiviews 18n#
dC PHP E>: Tivoli Access Manager Plug-in for Web Servers v1 PHP E>Z
Web ~qwZ?&m1}7$w,|9CdC*#i5VD PHP 'V#
(FTsPm
Tivoli Access Manager Plug-in for Web Servers T?v\'VD Web ~qwa);v
~xFD~,C~xFD~C47( pdadmin \mTsPmrTsT>|nDdv#
Bm8vj<~xF{FM|GD;C:
v iPlanet — install_path/bin/wpi_apache_ls
v IHS — install_path/bin/wpi_ihs_ls
v IIS — install_path/bin/wpi_iis_ls
g{zh*;Gj<&\D;?VDTs/@\&,rh**"zT:D(F~xF
D~Tf;e~a)D~xFD~#
1*";v(FD~xFD~1,k&CTB<r:
|nPN}
iPlanet"IHS"Apache
directory virtual_host log_file [-d]
dP:
directory *PvrT>D?<rD~DxT76#
virtual_host C?<rD~Dibwz#
log_file =|,yPIYwzIDmsE"DD~DxT76#
-d 8( -d !n1,4PTsT>x;GTsPm#
IIS
[-log log_file] -path directory -vhost virtual_host [-d]
dP:
log_file =|,yPIYwzIDmsE"DD~DxT76#
directory *PvrT>D?<rD~DxT76#
virtual_host C?<rD~Dibwz#
-d 8( -d !n1,4PTsT>x;GTsPm#
dv
TZ?vPvDu?,dvq=*:
<Object Type=[type] Description=[description] Attachable=[yes/no]> [name] </Object>
dP:
type 8vTs`MD}V#105|(:
v 0 4*
v 1 r
v 2 D~
v 3 Lr
v 4 ?<
v 5 ac
v 9 HTTP Server
v 10 ;fZDTs
v 11 ]w
v 12 6
v 14 &CLr]w
v 15 &CLr6
description TsDD>hv#
attachable _TGqI,S=Ts#
name TsDTs{#KTs{0f;&|,NN?<{F#
}g:
<Object Type=2 Description="File" Attachable="yes"> apache.gif </Object>
*\m1dCP;C'(SU)
Plug-in for Web Servers P;C'&\JmX(\m1IC Tivoli Access Manager 2
+rDI1DC'j6#P;C'5V`FZ UNIX 73PD su |n#Ze~73
P,\m1q!C'Df5>$"Tkf5C'j+`,D\&kJ4MsK&CL
r;%#
TZiRJOMJboO,P;C'G\PCD Help Desk $_#P;C'2ICZb
TC'TJ4DCJ(,"I4P&CLr/IbT#
TBwn;v5wKP;C'DX*Xw:
v P;C';h*C'\k#
v \m19C>$4m>f5C'#
v P;C'^ZXb\m1iI1#\m1;IP;C'=KiDNNd|I1#
v (}hCE}iPDI1Jq,IE} Tivoli Access Manager xL"sec_master M
d|!(C'DP;C'&\#
v 9C;vXbD HTML m%a)P;C'E""$nXbDO$zF,CzF5X
8(C'D>$x;h*\k#
v \m19C pkmslogout 5CLr4axP;C'a0#
KbP;C'D&mwL
TBrPhvKP;C'D&mwL:
1. CwLSw* su-admins iDI1DQO$\m1*<#
2. \m1,S=$dCDP;C' HTML m%#Km%vII su-admins iDI1
CJ#g{C';G su-admins iDI1,+5X;v0R;=13f#
3. jIP;C'm%"xPBPE"5X:C'{(\m1Q0P;=1KC')"
?j URL MO$=(#KYw<B;v POST ks"M= /pkmssu.form#
4. ZZ(P;.0*xP=Nli#
a. e~li0P;=1C'GqG su-admins iDI1#;vC';\0I*1
G su-admins iDI1Dm;vC'#
b. e~li0P;=1C'GqG su-excluded iDI1#;JmNNC'0I
*1 su-excluded iDI1#g{b=vliPDN;v'\,r5X;vm
s#+xPyPsxks,g,GI0P;=1C'"vD#
5. \m1#V*0P;=1C',1=Z0P;=1C'"z"R\m15X={G
D-<a01wCKj< Tivoli Access Manager /pkmslogout 5CLr#
tCP;C'
pdwebpi.conf dCD~PD [common-modules] Z(eKyPO$=(D9C#*
tCP;C'&\,h*+ switch-user #ihC*$Z(#i#bJmP;C'&\
Z4PZ(.0CJC'#
[common-modules]
...
pre-authzn = switch-user
...
":g{ acctmgmt #iM switch-user #i<QhC*$Z(#i,rZPmP
switch-user #iXkT>Z acctmgmt #i.0#
7#Z pdwebpi.conf dCD~PD [modules] ZPfZP;C'u?#}g:
[modules]
...
switch-user = pdwpi-su-module
...
dCP;C' HTML m%
P;C'm%(eZ pdwebpi.conf dCD~D [switch-user] ZP#
v switch-user-form N}8(D~D{F#1!ivB,D~{* switchuser.html,
;Z?< install_path/nls/html/lang/charset P#Z@z"o53P,lang ?<
F* C,x charset * utf-8#
[switch-user]
switch-user-form = switchuser.html
v switch-user-uri N}|,C4wCP;C'&\D URI#k"b,j<Z(_T;
JCZK URI#xPyZiDZ(li,x;G ACL li#
[switch-user]
switch-user-uri = /switchuser.html
v switch-user-post-uri N}8(P;C'm%a;=D URI:
[switch-user]
switch-user-post-uri = /pkmssu.form
I+P;C'm%`-*(FDb[M&\#m%|,TBwnDks:
v C'{(\m10P;=1KC')
KC';\G su-excluded"securitygroup r su-admins DI1#
v ?j URL
ZP;C'YwI&.sT>K3f#zI+KdC*|,J1Dw3rP;C'
I&7O3fD~Xdk#
v O$=(
O$=(7(C49(C'>$DE"`M#zI+KVNdC*~Xdk#XZ
P'O$=(N}DPm,kN<TB"M#
v j %CUSTOM% |,Z1!m%P,"IC4+yPQdCDP;C'O$zFT
/|,ZCm%P#
P;C'm%"M:
v Km%vT su-admins iDI1IC#ZKD~P;h* ACL#e~4PZ?2`
kDiI1Jqli#iI1Jqli'\1,e~5X;v 4040R;=1ms#
v C'{"?j URL MO$=(<GXhD}]#
v I+XhD}]w*~XVN9(=m%P#
v e~i$yPXhD}]<fZZQa;Dm%P#g{1Y}],m%+9Ch
vT{"5Xx\m1#
v O$=(DP'5|(:
su-password
su-token-card
su-certificate
su-http-request
su-cdsso
b)O$=(N}8(e~+9CD;VO$zF#
v +P;C'm%}]a;= /pkmssu.form Yw URL#
TP;C'tCME}C'
vw* su-admins iI1D\m1I9CP;C'&\MSUP;C' HTML m%#
ITG su-admins iI1DNbC'tCP;C'&\#
\m1IP;C'=}tZ3)iDC'bDNb Tivoli Access Manager J'#I(
}hC su-excluded iPDI1JqE}d| Tivoli Access Manager C'I*P;
C'#Kb,E} Tivoli Access Manager securitygroup iDI1DP;C'&\#
(#,sec_master M Tivoli Access Manager xLG securitygroup DI1#
ZP;C'Zd,e~ZyP}viO4Pli#z;\0P;=1w* su-admins"
su-excluded r securitygroup iDI1D3K#
dCP;C'O$zF
P;C'O$zF(;vZCD2mb)Dw*0pGyZya)DC'{MO$=
(x;h*4dkD\k44(zm0P;=1C'D>$#(F CDAS O$zFXk
{O,yD*s#
Z pdwebpi.conf dCD~D
[authentication-mechanisms] ZP8(P;C'O$zF#'VTBO$zF:
[authentication-mechanisms]
#su-password = su-password-library
#su-token-card = su-token-card-library
#su-certificate = su-certificate-library
#su-http-request = su-http-request-library
#su-cdsso = su-cdsso-library
Tivoli Access Manager a);v%;DP;C'b,CbICZZ1!DG(FD73
PtCNbOvO$zF#P;C'b;,Zj<O$b#Cb8(9CC'j6
(ZP;C'm%Pa))DO$zF,"rCC'5XP'D>$x;h*dkC
'\k#
Tivoli Access Manager a)DZCDP;C'2mbF*:
UNIX libsuauthn
Windows suauthn
P;C'&\2'V(F CDAS O$zF#C'VG#X*,r*(F CDAS -#a
TC'>$a)=SE"#
'V;h*dkC'\kx5X>$Dhs1,z*:p`4#bVP CDAS P*D(
FP;C' CDAS#
49Z1!b(libsuauthn)CZ`vO$=(1,?vQdCDP;C'O$b2
Xk(;|{#
>}:
ZTB>}(CZ Solaris =()P,VP73QtC}vO$=(:
1. 9CZC libldapauthn bDm%O$
2. 9CZC libsslauthn bD$iO$
3. 9C(F CDAS zFDnFO$
VZC73Q)9*T}VO$=(PDNb;V<'VP;C'&\#XkZ
pdwebpi.conf dCD~PtCCZP;C'D}v=SO$N}#Kb,Xk`4BD
(F CDAS bT#bVPDnF CDAS "'VP;C'O$Dhs:
[authentication-mechanisms]
passwd-ldap = /opt/PolicyDirector/lib/libldapauthn.so
cert-ssl = /opt/PolicyDirector/lib/libsslauthn.so
token-cdas = /opt/PolicyDirector/lib/libcustom.so
su-password = /opt/PolicyDirector/lib/libsuformauthn.so
su-certificate = /opt/PolicyDirector/lib/libsucert.so
su-token-card = /opt/PolicyDirector/lib/libsucustom.so
0ld|e~&\
Ta0_Y:f,1dCD0l
QdCDe~a0_Y:f;n/&\MzfZ,15;\P;C'YwD0l#;
n/4,MzfZ(1wk\m1a0_Y:fu?x;GZP;C'YwZd|D
Da0}]X*#
1\m1w*0P;=1C'4Pks1,a0;n/(1wLx4;#\m1ax
P;C'a01,;n/4,TX(D\m1a0T;P'#
P;C'Yw;a)9a0zfZ5#ZP;C'YwZd,\m1a0zfZ,1
I\a=Z#g{"z,1,r>}a0,"z\m1M0P;=1C'#\m1X
kXBO$"YN*<P;C'Yw#
O"]}=O$6p
2mbf6Zm%PIxP=SDN}:
library&arg1 arg2 ... argx
IZ6p}V0f9C -l !n8(]}=O$6p#}g:
su-password = /opt/PolicyDirector/lib/libsuformauthn.so&-l 1
su-certificate = /opt/PolicyDirector/lib/libsucert.so&-l 0
su-token-card = /opt/PolicyDirector/lib/libsucustom.so&-l 2
":TZ Tivoli Access Manager DKf>,\m1Xk*@C'\kE\I&4P]
}=O$#
'VXBO$
e~XBO$&\IP;C'Yw6p#g{ZP;C'YwZdh*XBO$,\
m1XkO$*0P;=1C'#
":TZ Tivoli Access Manager DKf>,\m1Xk*@0P;=1C'D\kE
\I&XBO$#
'VC'a0\m
P;C'Yw'VC'a0\m#\m1P(;D0C'a0j61#Kb,ZP;C
'YwZd,T0P;=1C'fZ;v(;D0C'a0j61#terminate single user
session NqM terminate all user sessions NqYwgB:
v 8(0P;=1a0j6rC'a0j61,0P;=1C'a0U9#
v 8(\m1a0j6rC'a0j61,\m1a0M0P;=1C'a0<U
9#
'V tag-value(#I CDAS 9CD tag-value &\IP;C'&\6pM'V#
ZP;C'ZdsF\m1
ZP;C'ZdITsF\m1#P;C'&\+)9tTmS=j6\m1D0P
;=1C'>$#f"Z>$PD)9tTF* tag_value_prefix_su-admin:
tag_value_prefix_su-admin = su-admin-name
dP tag_value_prefix_ zme~dCD~D [pdwebpi-plugins] ZPdCD
tag_value_prefix N}#K)9tTTyPsFzF<IC#
T LDAP ~qwdCJO*F
!vZEH6,1 Tivoli Access Manager Plug-in for Web Servers t/1,|kNN
ICD LDAP ~qw(wr1>),S#g{ LDAP w~qwrNN-r1z,re
~Xk\kICD LDAP 1>~qw,STxPNNAYw#bGj< Tivoli Access
Manager LDAP 1>dC#PX|`j8E",kN<6IBM Tivoli Access Manager Base
\m18O7#
IBM Directory(LDAP)'VfZ;vr`v;A1> LDAP ~qw#Sun ONE(-{
* iPlanet)Directory Server(LDAP)'VfZ;vr`vF*0{Q_1D;A1>
LDAP ~qw#zXkr pdwebpi.conf dCD~D [ldap] ZPmSP4j6yPI
CZe~D1>~qw#T?v1>9CBPo(:
replica = ldap_server,port,type,preference
dP:
ldap_server LDAP 1>~qwDxg{F#
port C~qwl}DKZ#(#,Tb\D(E9C 389,T SSL OD(E9C
636#
type 1>~qwD&\ - 0;A1r0A41#(#9C0;A1#0A41`M
+zmw~qw#
preference 1 – 10 .dD}V#!q_Pn_EH(5D~qwxP LDAP ,S#kN
D6IBM Tivoli Access Manager Base \m18O7PD:hC1> LDAP ~
qwDW!n5;#
>}:
replica =replica1.ldap.tivoli.com,389,readonly,5
replica =replica2.ldap.tivoli.com,389,readonly,5
'V~=W!n=((P3P)7
~=W!n=((P3P)n?GC;V3;D==a)hvC'~=W!nM Web ~q
w~=_TE"D==Dr,x*Kj<#C'I9C P3P dC7(T Web ~qw+
*DE"MgN9Cb)E"D~=W!n#Web ~qwI9C P3P 8(|U/NV
C'~=_TE"M|+gN9Cb)E"#M'zITzwIAq=q! Web ~q
wD~=_T,b)M'zODtCK P3P D/@wIAC~=_T"+dkC'T:
D~=W!nxPHO#Web ~qwD~=_TMC'D~=dC;%d1,+TC'
"v/f#
P3P D(#C>G9/@w\;wvXZGqS\S Web ~qwSU=D cookie D
G\v_#Z Internet Explorer 6.0 P1!tCTK&\D'V#g{ Internet Explorer
6.0 SU=4T4"M P3P _Tr"MD_TkC'~=W!n;%dD>cD
cookie,r/@wITv(T/h{C cookie#
e~@5Z cookies 4,$a0E",T0}g#tJO*FE".`DE"#Internet
Explorer 9Cd1!hCh{ cookie,rK+;f"e~ cookie,byMP'X^FK
e~D&\#hCe~ cookie 1,e~a)8(k3f;p"MD9u P3P _Tod
D P3P dC!n#e~ P3P dC!nJmz4(kzDi/D~=_T%dD9u
P3P _T#;sIM'zv(GqJmhC Tivoli Access Manager cookie#
":;&+ P3P _TdC*kzDi/~=_T;%dTvJm Internet Explorer S
\ cookie#ZTe~ cookie tC P3P _T.0,k7#zl$ P3P f6"}7
mbgNywzDi/D~=_T#
dC P3P 7
e~a)dCN},b)N}k W3C P3P (iD9u_To(D(e%d#&+b)
N}dC*TZ,$zDi/D~=_TDj{TD,1Jme~ cookie#
dC P3P 7DZ;=GhC pdwebpi.conf dCD~PD [pdweb-plugins] PD
send-p3p-header N}#I(}ZC'(eD [virtual_host_name] ZP(eKu?4
yZ?vibwzhC|#+ send-p3p-header N}hC* true 48(e~Gq+
|,9u_TodD P3P 7mS=hCK cookie DyP HTTP l!ivB,
{C P3P _TD"M#
g{zQtCK P3P 7D"M,r&hC [p3p-header] r [p3p-header:virtual_host]ZPDN}#b)N}(e&CZyP HTTP cookie /D9u_T#
KZPD1!hCJm+a0 cookie f"= Internet Explorer 6 /@wP - 49|
GT>*Z}= cookies#
m 6. [p3p-header] N}
N} 9C
p3p-element }9CKZPd|N}dCD9u_Tb,9I9CKN}48(T
j+ XML _TD}C#
TP p3p-element = policyref="/w3c/p3p.xml"
!{"M,8>/@w"MTj+ XML _TD8(}C#
":h*T /w3c ?<hCJm!{O$CJD ACL TJmCJC
_T#IZ Internet Explorer ;fks"MJmi4_TDO$E
",yTbGXhD#
access 8(C'_PDT|,Z cookie P"(} cookie 4SDE"DCJ
(#I\D5P:
none
all
nonident
contact-and-other
ident-contact
other-ident
disputes 8(j+ P3P _TGq|,;)E",b)E"XZT cookie P|,
DE"Dyi#P'5* true r false#KN}Z1!ivBhC*
false#
m 6. [p3p-header] N} (x)
N} 9C
remedies 8(yiDI\^4#I\D5|(:
correct
money
law
g{48(,r_TP;|(NN^4E"#
non-identifiable hC* true 1,KN}8(;TNN==C cookie PDE"r(}
cookie 4SDE"vT/Xj6C'#P'5G true r false#KN}
Z1!ivBhC* false#
purpose 8(Z cookie PM(} cookie 4SDE"DC>#I\D5|(:
current
admin
develop
tailoring
pseudo-analysis
pseudo-decision
individual-analysis
individual-decision
contact
historical
telemarketing
M other-purpose#
TyP} current TbD5,ITdC=S5w{#I\D5|(:
always
opt-in
opt-out#
T48(DC>,1!5* always#C5Z purpose s8(,C0EV
*,}g:
purpose = contact:opt-in
recipient 8(Z cookie PM(} cookie 4SDE"DU~K#I\D5|(:
ours
delivery
same
unrelated
public
other-recipient#
retention 8(Z cookie Pr(} cookie 4SDE"D#t1d#
I\D5|(:
no-retention
stated-purpose
legal-requirement
business-practices
indefinitely#
m 6. [p3p-header] N} (x)
N} 9C
categories 8(f"Z cookie Pr(} cookie 4SDE"D`M#
g{hC non-identifiable N}* true,r;h*dCNN`p#I\D
5|(:
physical
online
uniqueid
purchase
financial
computer
navigation
interactive
demographic
content
state
political
health
preference
location
government
other-category
P3P dCD>}:
[pdweb-plugins] r [virtual_host_name]
send-p3p-header = true
...
[p3p-header] r [p3p-header:virtual_host_name]
# p3p-element = policyref="/w3c/p3p.xml"
access = none
disputes = false
non-identifiable = false
purpose = current
purpose = other-purpose:opt-in
recipient = ours
retention = no-retention
categories = uniqueid
dCe~sF"U>G<"zYM_Y:f}]b
U>G<MsFITrza)PzZ7(zI\v=DXZe~DyPJbDE"#
g{"VPJb"h*ms{"D51S<,rZ0(9C -foreground !nt/e
~:
pdwebpi -foreground
":TZ IIS OD20,ZT0(==t/e~.0XBt/ IIS 4MEyPVPD2
mZf#
4,Mms{"G<Z pdwebpi.conf dCD~D[pdweb-plugins] ZPD log-file"
logs M log-entries N}PdCDD~P#
e~sFMy>_Y:f}]bdC9C pdwebpi.conf dCD~PD
[aznapi-configuration] ZPDN}4P#
sFG<
Z( API Dy>~qJm6qO$(authn)MZ((azn)sFB~#
;xj<0authn1sFB~;b0XZO$"TDc;E",e~}Z#$`vwz
1,b0b)E"CZJm+b)B~kX(ibwz`X#*K,e~4P|T:
DsFB~`pT6qibwzX(DO$E"#
j<0azn1sFB~y]9C /PDWebPI/virtual_host_name 0:9lD\#$Ts{F
6qke~`XDibwzE"#
e~X(DO$sFB~G<ZibwzX(DsFB~XP,9lgB:
wpi.virtual_host_name.authn.authentication_module_name
e~X(DO$sFB~{O6IBM Tivoli Access Manager Base \m18O7Phv
D DTD (e#
XML y=.wpi/sFG<D*XZBmPxPKhv#
m 7. O$sFG<VN(e#
XML jG hv
<event> sFG<Db0jG#C*X|,hvG<D doc `M(e^
)DtT#
<date> B~"zDUZM1dDG<#
<outcome> KjG*X|,j6 Tivoli Access Manager re~mszkD
status N}#C*XhvB~DwVa{#I\D5|(:
v 0 = I&
v 1 = '\
v 2 = ]R
v 3 = 4*
<originator> sFG<DzI_ZD7jG#KjG*X|,j6TB~:
pD Tivoli Access Manager blade D blade N}#
<component> CjGj66qsFG<Di~#Ci~TBPq=G<:
wpi. virtual_host_name.type_of_event.module_name
<action> j6"TDO$=(#Ywzk0d`&DO$zF|(:
16961 - BA
17236 - M'zK$i
17731 - Ecsso
17999 - JO*F cookie
17997 - m%
18504 - HTTP 7
18768 - IP X7
4806211 - IV 7:PAC >$
4806229 - IV 7:C'{
4806220 - IV 7:(P{F
300609 - IV 7:IP X7
21579 - nF
<location> (et/B~D~qw{F#
m 7. O$sFG<VN(e# (x)
XML jG hv
<accessor> sFG<DCJ_ZD7jG#jG*XIT|,CJ_D{
F#
<principal> principal jG|,j6}ZO$D?<~qDN} auth#Cj
G(eQi$DC'{#
<target> target jG|,ITGBP5.;DN} resource:
v 0 = Z(
v 1 = xL
v 2 = TCB
v 3 = >$
v 4 = #f
O$sFG<<UQbv5hC* 3 - >$#
<object> #tTZO$}L;_PbeDsF}]#
<data> =SO$JOE"#}g,9C HTTP 7E"DO$"TZdD
JO+ZKVNPzzsFU>G<,G<'\D HTTP 7#
sFdC
BmT>KsFdCN}"5wd&\#
m 8. sFdCN}(e
N} hv
logsize U>D~}I*BD~Ds!(TVZ*%;)#g{hC*
0,r;}IU>D~#g{C5*:},r;\ds!x?l
}IU>#
logflush "BU>D1ddt(k)#n`* 6 !1,1!5* 20 k#
logaudit tCr{CsF#
auditlog 8(sFD~D{F#
auditcfg tCr{CZ(M/rO$sF#
}g:
[aznapi-configuration]
logsize = 2000000
logflush = 20
logaudit = no
auditlog = audit.log
auditcfg = azn
#auditcfg = authn
auditcfg = wpi
zYe~Yw
Tivoli Access Manager Plug-in for Web Servers a)zYYwM+a{f"ZD~PT
CZwTD\&#zYw*GI&CLr'V9CDVvMJboO$_,CZq!
<BJbDYwDj{S<#w*C',zI\"V,}GzZoO4SJb,3)
e~zY$_GPCD,!\s`}$_C&;s#
Ze~&zY HTTP {"GI\D#ba\PC,r*|7PXT>SC'U=DT0
5XxC'D{" - 49(EG(} HTTPS D#9Cj< pdadmin zY|n4r
*MXUzY#
IzYZ(v_DdkMa{Tc{Z(_TdCJbDoO#KzYT>C'>$
E",|({F"UUID"a0j6MtT#KzY9T>C4wvv_D Tivoli Access
Manager \#$TsD{FMh*DmI(#9aT>v_Da{T05XDNbv_
tT#
pdadmin zY|n
PvzYi~: list |nzzITzYDyPe~YwDPm#
o(:
pdadmin> server task PDWebPI-server-name trace list [component]
PvDs`}zYNqGX(Z Tivoli Access Manager D#e~X(DzYnT
pdwebpi *0:#
hCzYi~: zI\"V}vw*DzYnTwT\PC:
v pdwebpi.request
v pdwebpi.plugin
v pdwebpi.azn
pdwebpi.request hC* 2 1,T?v(}e~+]DksxPzY#
pdwebpi.request hC* nine 1,ks7|,ZzYP#pdwebpi.plugin Ze~~
qwP$nzY#yP{"<"M= Web ~qwDU>D~P,rZ IIS DivB"
M=;,Z)Z(~qw9CDU>P#+ pdwebpi.azn hC*XZ?vZ(v_D
zYr*E",|(\#$Ts{F"mI(V{."C'{"a0j6"HTTP =("
HTTP URI Mv_a{#pdwebpi.azn hC* two 1,T=SD>$tTE"T0d
kdvv_tTxPzY#pdwebpi.azn hC* five 1,|(XZ]}=XBO$&
mD=SE"#
zY set |n_PBPo(:
pdadmin> server task PDWebPI-server-name trace set component level [file path=file|other-log-agent-config]
dP component GI list |nT>DzYi~D{F#zYkTKi~xhC#level G
*zYU/Dj8E"?#6'G 1 = 9,1 m>n;j8,9 m>nj8#I!D
file path N}8(zYdvD;C#1!ivB,+zYdv"M=j<dCDe~U
>D~(}9Ci~ pdwebpi.plugin Tb)#TZ IIS 20,<U9CdCD~PD
[iis] ZPD log-file N}4dC+e~i~zY"M=DD~D{F#
I9C -foreground !n+dv"M=A;#4:
pdwebpi -foreground
T>zYi~: *T>zYi~,TBPq=9C show |n:
pdadmin> server task PDWebPI-server-name trace show [component]
_Y:f}]bhC
ITdCe~(ZV/wZ(}]bT|BE"#cache-refresh-interval N}ITh
C*0default1"0disable1rTk*%;DX(1ddt#0default1hCG{C#
[aznapi-configuration]
cache-refresh-interval = 60
db-file N}(e= ACL _Y:f}]bD+76#1!ivB;hCKN}#
[aznapi-configuration]
db-file = /var/pdwebpi/db/pdwebpi.db
listen-flags N}tCr{C_T_Y:f|B(*DSU#0disable15{C(*l}
w#KN}I svrsslcfg 5CLrhC#
[aznapi-configuration]
listen-flags = disable
dCZ( API ~q
pdwebpi.conf dCD~D [aznapi-entitlement-services] ZT~q8(~qj6#?
vZu?(e;,`MD aznAPI ~q#XZ|`E",kN< IBM Tivoli Access
Manager Administration C API Developer’s Reference#
?vu?ICBPq=:
service_id = path_to_dll [ & params ... ]
~qj6I aznAPI M'zC4j6wV~q#1~qI aznAPI u</1,IT8(
+]=~qDN}#Zu?P,N}Z0&1{Es#
>$"B
Za0Zd,C'O$1U/DE"+_Y:f=>$P,XZe~C'>$D|`
j8E",kNDZ 4 3D:>$q!;#
}GdC>$"B,qrTC'O$E"D4wvD|D(gSiPmSr}%C
');a43ZC'a0P,1=4(BDC'a0#
>$"B\PCD;)-r|(:
v zIT"BC'D>$x^h*s{G"z"XBG<=&CLr#by\9C'
|=cX9C&CLr#
v |*\m1a)Z10a0ZdTC'a)T2+ Web TsDnbCJ(D\&#
v g{\m1PmI`EC';PJ1XYw,|(}Jm\m1^FCC'Z10
a0ZdDCJmI(a_K2+T#
dC>$"B
pdwebpi.conf dCD~PD [common-modules] Z(eKyPO$=(D9C#*
tCO$"B&\,h*+ cred-refresh #idC*$O$#i#
[common-modules]
...
pre-authzn = cred-refresh
...
7#Z pdwebpi.conf dCD~PD [modules] ZPfZ>$"Bu?;4:
[modules]
...
cred-refresh = pdwpi-cred-refresh-module
...
"B>$1,zI\"VS-<>$#t;)XZC'DE"\PX*#}g,;v
(FtTI\G<KC'DG<1d,Z"B>$1#VC1d;dG\X*D#e
~JmzZ4P"P1dC*#tDtT#b)dCyZtT{F#
[cred-refresh] r [cred-refresh:virtual-host] Z8(*S-<>$#tDtTMZ"z
>$"BYw1*"B=B>$PDtT#Cq= preserve = attribute_pattern 8(5
CZ*S-<>$#tDtT#Cq= refresh = attribute_pattern 8(*"BD5#
j<e~#=%dfrJCZtT#=,+V{HOGxVs!4D#XZJmD%
dfrD|`E",kN<Z 191 3D=< E, :}rmo=PJmDXbV{;#
TBfrJCZtTPm:
v ZZPvVCOgDfrEHZvVOmDfr#
v 1!ivB,"B;kNNtT%dDfr#
v ^[ [cred-refresh] ZgNdC,3)tT<U#t#b)tT*:
– AZN_CRED_AUTHNMECH_INFO,
– AZN_CRED_BROWSER_INFO,
– AZN_CRED_IP_ADDRESS,
– AZN_CRED_PRINCIPAL_NAME,
– AZN_CRED_QOP_INFO
v ^[ [cred-refresh] ZDZ]G24,<U#tI aznAPI jG*;ADtT#
v g{;vtTZ-<>$P;fZ,r^[KZgNdC,<;#tCtT#
":v13>$Z>$_Y:fP;fZ1,ES"am"BC>$#
;)dCK>$"B&\,zMIT9C pdadmin |nP5CLr4"BX(C'D
>$#TB>}T>+C'mS=Bi"ZC'T;&ZG<4,1"Bd>$D|
n,byMP'XZhKC'TCBiDCJmI(#
pdadmin> group modify group_name add user_name
pdadmin> server task server_name refresh all_sessions user_name
":Z UNIX =(O,Zw{>$"BdCs^hXBt/e~#Z Windows O,g
,T pdwebpi.conf yvDyP|D,*9>$"BdC|Dz',h*XBt/
e~#
dC HTTP ks_Y:f
g{XBO$*sPOKks&mDjI,Z HTTP X(rZd,e~_Y:fks}
]"9CK_Y:fD}]X(ks#K&\PfZ POST M PUT ks,r*b)k
s`MI|(;,DE"VN#
1O$*sPOK;vks1,e~+_Y:fyPX*DE",TZXBO$sD
HTTP X(rZdX(Cks#_Y:fDksE"|( URL"METHOD"{"we"
i/V{.T0yP HTTP 7(|( cookie)#K}]]1f"Ze~>$/a0_Y
:fP#
I&O$(rXBO$)s,e~+ HTTP X(r"M=/@w#/@wq-A|,Z
X(rPD-< URL DX(r#e~9XX(r"9C_Y:fD}]X(ks#+
X(ks+]= URL ?j#
dC~qwKD_Y:fN}
Ze~dCD~PD [pdweb-plugins] ZPD max-cached-http-body N}8(K*
Nbx(Dks_Y:fD HTTP we}]Dns}?#1we}]D}?,vdCD
ns51,+OzyPwe}?#
[proxy-if] ZPD worker-size N}XFTNbx(ksVdDZf?#
max-cached-http-body Ds!AY&C{OTBc(:
max-cached-http-body * 4/3 * 2 + 3000 <= worker-size # #
Kc(Y( 3000 VZDZfcTfEksu%Nb POST }]M5XDm%u%_Y
:fD POST }]#g{ksDs!SO5Xm%Ds!I\,v 3000 VZ,r&C
vs worker-size u?ru! max-cached-http-body 5#
oT'VkV{/
Tivoli Access Manager Plug-in for Web Servers ITC'W!DoTT> Tivoli Access
Manager zID HTML 3f#HTML 3fPCZT>DoTS HTTP ksPR=D
j< Accept-Language 7qC#oT5C=vV{4m>#;CX(D5C=?VDq
=m>,8>oTMCoTf>y9CDzRrXx#>}|(:
v es(w`@o)
v de(Bo)
v en("o)
v it(bs{o)
v en-US("o/@z)
v en-GR("o/"z)
v es-ES(w`@o/w`@)
v es-MX(w`@o/+wg)
v pt-BR(OQ@o/Mw)
g{e~Z HTTP ksPR=;OJDoTzk,Z;fZ_PJqD=TDivB,
|XToTPm(}g es-MX XT* es)#g{T;R;=OJDoT,~qw+9C
"o#
;P|,Z install_path/nls/html/lang/charsetPD Tivoli Access Manager zI3
fET`VoTa)#b)3fD>}|(yP Tivoli Access Manager O$m%M
Tivoli Access Manager J'\m3f#
HTTP 7P Accept Language VN8(DoT1S3d=Z install_path/nls/html ?
<PR=D?<#IT(}4FoT?<4^D~qwTJ&oT5w{Dd/#*
^D~qw,&C4FD5JoT?<*:
am base install directory/nls/msg/lang
am webpi install directory/nls/html/lang/charset
am webpi install directory/nls/msg/lang/charset
BmPvKe~'VDoT0X*DS?<{F:
m 9. e~'VDoTT0'VD?<#
oT 53?<
"o(1!5) C
]Ko cs
Bo de
w`@o es
(o fr
Y@{o hu
bs{o it
Uo ja
+zo ko
(<o pl
MwOQ@o pt_BR
mo ru
PD(Pz) zh_CN
PD((e) zh_TW
HTTP 7PD Accept Language VNA`\6p.VoTf6#
x(oTD;,DV{/;ZoT'VBD?<P#yZSM'zSU=D
accept-charset 7D5!q9CDV{/?<#g{R;=%d(rg{4hC7),
r9C utf-8 ?<#
IyZ accept-language M accept-charset 7tCM{CT;,oTMV{/D'
V#Z [pdweb-plugins] ZPdCb)N}D1!hC,+I(}9Cibwzj6
D{FZ3ZP(e|G4T?vibwzXhb)N}#
[pdweb-plugins] r [virtual-host]
...
use-accept-language-header = true
...
use-accept-charset-header = false
Z1!ivB,{C accept-charset 7#
"T(;zID HTML l&DoT1,use-accept-language-header N}tCr{
C accept-language HTTP 7#
" T ( ; + H T T P k s D * X b k T 0 z I H T M L l & D V { / 1 ,
use-accept-charset-header N}tCr{C accept-charset HTTP 7#1!5(g{
ZKdCD~PR;=D0)* false#
I+ user-agent 7Cw!qoTMV{/D accept-language M accept-charset 7D8
!n#user-agent 7|,ZQ*h8Dhs1IC4a)oTMV{E"DX(Zh8
DE"#v1R;= accept-language M/r accept-charset 71,rG)7;{C1,
E9C user-agent 7#
S user-agent =oTMV{/D1!3dZ [user-agent] ZPdC"IT?;vib
wzXh#CZ|(48(3rk user-agent 7Z]%dD#=Pm#PXICD(d
{DPm,kN<Z 191 3D=< E, :}rmo=PJmDXbV{;#g{R=%
d,r9C`&DoTMV{/D?<#}Tx(D user-agent #=8(oTMV{/
b,9I\8(;v?<#ZbVivB,"M Tivoli Access Manager 3f19C8
(D?<{x;GV{/D?<{#K?<Xk;Z8(DoT?<B#
Z 3 B IBM Tivoli Access Manager Plug-in for WebServers O$Mks&m
>BV[ IBM Tivoli Access Manager(Tivoli Access Manager) Plug-in for Web Servers
gN,Va04,"&mO$xLT0TZ(Da04PNNXhDsO$&m#
>B|(TBwb:
v :ks&m}L;
v Z 37 3D:dCO$;
v Z 44 3D:\ma04,;
v Z 50 3D:O$dCEv;
v Z 53 3D:dCy>O$;
v Z 55 3D:dCm%O$;
v Z 57 3D:dC$iO$;
v Z 58 3D:dCnFO$;
v Z 62 3D:dC SPNEGO O$;
v Z 68 3D:dC NTLM O$(vkT IIS =();
v Z 69 3D:dC Web ~qwO$(vkT IIS =();
v Z 70 3D:dCJO*FO$;
v Z 83 3D:dC IV 7O$;
v Z 85 3D:dC HTTP 7O$;
v Z 87 3D:dC IP X7O$;
v Z 88 3D:dC LTPA O$;
v Z 88 3D:dCG<sDC'X(r;
v Z 89 3D:*>$mS)9tT;
v Z 92 3D:r HTTP 7mS LDAP )9DtT(jG5);
v Z 93 3D:'V`74CzmLr(MPA);
ks&m}L
Tivoli Access Manager Plug-in for Web Servers Z?v Web ks=o Web ~qw1
TdxP&m#ks&m}L2PKv=h:
1. ibwzj6
ks&mDZ;=GTksykTDibwzxPj6#ZZ 12 3D:dCib
wz~qw;PV[KibwzDj6#
2. a0j6
;)7(Kibwz,MTksxPliTq!VPDQO$a0E"#KE"I
\Ga0 cookie,2I\G SSL a0j6#CZj6a0DE"IQdCDa0#
i7(#Z 44 3D:\ma04,;V[K?vICDa0#i#
3. O$
© Copyright IBM Corp. 2000, 2003 35
g{4j6NNVPa0,rliksTq!O$E"#KE"I\Gngy>O
$C'{M\k"G<m%a;rM'z$i.`DE"#CZO$M'zDE"
IQdCDO$#i7(#:O$}L;V[K?vICDO$#i#
g{ZksPfZP'O$E",r4(BDQO$C'a0#g{;fZO$E
",r+ksw*4O$Dks#g{ksPfZDG^'DO$E"RO$=(
'VO$E"DXBdk(}g,y>O$),ra*sC'YNa){GDO
$#g{O$=(;'VXBdk(}g,M'z$i),rTM'z5X;vm
s#
4. Z(0
Z3)ivB,ZZ(TksDJ4DCJ0,I\h*u<ks&m#NNQd
CDZ(0#iyI4PK&m#Z(0#ia);h*Z(D&\,r|G'V
h*ZZ(v_0CJksD\&#
5. Z(
ZZ(}LP,(}9Cka0`X*D>$E"4I/ Tivoli Access Manager _
TT7(Gq&Z(CJyksDJ4T0ZNVu~BxPZ(#b)(eC4
XFTJ4DCJD_TZZ 97 3DZ 4 B, :IBM Tivoli Access Manager Plug-in
for Web Servers 2+T_T;P(e#
6. O$}6
1C'DO$6p;JOCJyksDJ4rksG4O$D1r,YNliKk
sTq!ITy*sDO$6pO$C'DO$E"#g{;fZbyDE",R
dCKO$#i(C#i'Vby;V&\,C&\*sC'a)y*sDO$6
pDE"),r*sC'a)byDE"#g{^(+QO$DC'a0}6=c
;D6p4CJJ4,r\xCJ#
7. Z(s
ZxPZ(v_s,P12ah*xP3)&m:
v Z Web ~qw&m Web ks0,^D Web ks,}g,ek;v7
(header),
v ^D Web ~qwzID Web l&,}g,hC cookie,
v zIj{Dl&x;h* Web ~qw&mCks,}g,I&G<s+C'X(
r=X(3f#
IZZ(v_I\a0l&mksD==,rK+Z*@Z(}LDa{s4Pb
)Yw#b)&\IZ(s#ia)#
8. l&&m
ngm%%;"a(FSSO)Mb?O$SZ(EAI)&m.`D&\h*Ie~&
m Web ~qwzIDl&x;G+d"MAM'z#(#,9Cl&&m,e~I
Z+fzl&+]xC'0&m4T Web ~qwDl&#h*K&\D#iF*l
&#i#
O$}L
O$Gj6"TG<=2+rD%@xLr5eD=(#I&DO$azzzmC'
D Tivoli Access Manager m]#e~9CKm]q!CC'D>$#>$I
Authorization Server 9C,TcZT ACL mI("POP u~MZ(fr(|GXF?
vJ4D_T)xP@@sJmr\xCJ\#$DJ4#
":ACL = CJXFm_T
POP = \#$Ts_T
1!ivB,Tivoli Access Manager Plug-in for Web Servers 'V8VO$=(,"I
xP(FT9Cd|=(#
dCO$
yPICDO$=(0dX*D2mb{F<(eZ pdwebpi.conf dCD~D
[modules] ZP#[modules] Z9PvKCZa0j6MZ(s&mD#i#b)#i
Zsfhv#2mbXkfZZ pdwebpi/lib ?<P#8(2mb{1;xPNNYw
53X(D0:(g lib)MNNYw53X(Ds:(g dll)#}g:
BA = pdwpi-ba-module
Z0v>}P,BA #ib8(* pdwpi-ba-module#Z Windows O,e~a0R{
* pdwpi-ba-module.dll DD~,Z Solaris O,|+0R{* libpdwpi-ba-module.so
DD~,xZ AIX O,|+0R{* libpdwpi-ba-module.a DD~#
":bD~D8C1!Qw76IT(eZ [module-mgr] ZP#
[modules] ZP(eD?vj)<PdTm`&DZ,}g [BA]"[cert] M [token]#Zb)ZP8(?vO$=(DX(dCE","&CZCO$=(,K=(@"Z
wCdDibwz#g{h*Z?vibwzDy!OxPXbdC,rIT9C{
Cibwzj)^(#ij)DZ2G1!dC#}g:
[BA]
basic-auth-realm = "Access Manager"
[BA:ibm.com]
basic-auth-realm = "ibm.com"
ZOv>}P,9Cy>O$CJibwz ibm.com DC'+~S [BA:ibm.com] Z
P8(DdCN}#
#iDj<dC;Jm*x(DO$=(8(;v#ib5},}g:
[modules]
BA = pdwpi-ba-module
;)20I\h*8(`vO$b5}#1T;,O$6ph*;,D#iP*1I
\4Pb;Yw#TB>}T>Km%O$#iD=v5}DdC#
[modules]
BA = pdwpi-ba-module
forms-authn-level1 = pdwpi-forms-module
forms-authn-level2 = pdwpi-forms-module

[common-modules]
authentication = forms-authn-level1
authentication = forms-authn-level2
authentication = BA

[forms-authn-level1]
login-form = level1-form

[forms-authn-level2]
login-form = level2-form

[BA]
...
dCO$=(Dns=hG8(O$=(#b)=(4U|GDEH3rZdCD~
D [common-modules] ZPhC#}g:
[common-modules]
session = ssl-id
session = BA
session = session-cookie
authentication = cert
authentication = BA
post-authzn = ltpa
ZOv>}P,dChC7#:
v W! SSL a0j6CZ,$a0E"#
v SSL a0j6;IC1,BA 7(g{IC)CZ,$a0E"#
v SSL a0j6r BA 7<;IC1,ns9Ca0 cookie ,$a0E"#
v W!$iCwO$=(#
v $i;IC1,9C BA O$#
v LTPA cookies w*Z(s&mD;?VmS=ks#
dCibwzDO$
(}Z?vibwzZP1S8(=(ITyZ?vibwz5VO$=(DdC#
}g:
[pdweb-plugins]
virtual-host = ibm.com

[ibm.com]
....
session = ssl-id
session = BA
session = session-cookie
authentication = cert
authentication = BA
post-authzn = ltpa
8(ibwzDO$=(D8C==G*O$=(dC(e;Z#by+Jm`vi
bwz2m;v#idC##idCZIibwzZPD modules N}8(#}g:
[pdweb-plugins]
virtual-host = ibm.com
virtual-host = lotus.com

[ibm.com]
modules = ibm-lotus-module-stanza

[lotus.com]
modules = ibm-lotus-module-stanza

[ibm-lotus-module-stanza]
authentication = BA
session = BA
post-authzn = ltpa
g{4ZdCD~P(eyZ?vibwzDO$=(dCD%@Z,ryPibw
z9C [common-modules] ZPdCDN};4,modules N}D1!5G common
modules#
TB>}hC;vF* ibm.com Dibwz,+KwzdC*ZIT9C SSL a0j
6DX=9C SSL a0j6,Z;IT9C SSL j6+_P BA 7DX=9C BA
7,"R9Ca0 cookie w*,$a0E"DnsVN#|'VZy>O$.0xP$
iO$,"R;)O$I&c+ LTPA cookie mS=+I Web ~qw&mDksP#
>}vT>K&(eDN}#
[pdweb-plugins]
virtual-host = ibm.com

[modules]
ssl-id = pdwpi-ssl-id
session-cookie = pdwpi-session-cookie
BA = pdwpi-ba
cert = pdwpi-cert
ltpa = pdwpi-ltpa

[ibm.com]
session = ssl-id
session = BA
session = session-cookie
authentication = cert
post-authzn = ltpa
(}4(ibwzX(DO$dCZ,ITyZ?vibwz5VO$N}Dx;=
dC#TB>}T>K=vibwz(ibm.com M lotus.com)DdC#?vibwz<
P#iX(DO$dC#
[pdweb-plugins]
virtual-host = ibm.com
virtual-host = lotus.com

[modules]
...

[ibm.com]
session = BA
session = session-cookie
authentication = BA
authentication = forms

[lotus.com]
session = session-cookie
authentication = BA
authentication = cert

[BA:ibm.com]
basic-auth-realm = "Access Manager - ibm.com"

[BA:lotus.com]
basic-auth-realm = "Access Manager - lotus.com"
dCO$=(D3r
QdCDO$=(T>ZdCD~PD3rTZe~m~D}7YwG\X*D#h
*P8<G!qDO$=(,"RT_PJO#$D==xP5)"5V2+?j#
Tivoli Access Manager Plug-in for Web Servers Z3VLHO'VwVO$=(,b)
=(ITkT;,DC'hsxP(FTzc;,D2+*s#
g>D5D0vwZPy{,pdwebpi.conf dCD~D [common-modules] Z8(
#{9CDO$=(#dCD~D [authentication-levels] Z(e]}=O$6p(k
N<Z 103 3D:O$?H\#$Ts_T(]});)T0 [common-modules] Z
PdCDO$=(DEr#
g{4Z [authentication-levels] ZP(eu?,rO$=(D1!5*6p 1#;s
+ [authentication-levels] ZP(eDO$=(DO$3r7(*Sn_O$6p=n
MO$6p#g{3vO$6pI`v#i2m,r4U#iZ [common-modules]ZPvVD3r47(S3r#
*Kbe~O$,<<e~aT|&mD?vks/J=vJbaPzZzDmb:
1. RIT9CQdCDO$=(O$Kksp?
g{KJbDXpGq,re~+/JB;vJb#
2. RIT9CQdCDO$=(zIO$ksp?
<GTBdC#
[common-modules]
authentication = BA
TZ;vxkDks,g{ ACL ;Jm4-O$DC',rXkTC'xPO$#e
~+ BA 4wvPDQdCO$=(,+/J:0RIT9Cy>O$O$Kks
p?1g{ksGBDrXpq - e~;*@PbvC'#;se~+/J:0RI
T9Cy>O$zIO$ksp?1g{Q}7dCy>O$,rXp*G#e~+
a>C'dkj6M\k#
bG9Cy>O$Dr%O$>}#y]zDTsUdD2+T*s,zI\kdC
`vO$=(#
BfGb;_-Dm;vj8>},e~9CK_-TX(DO$=(8(EH6#
TBNdPV[DO$_-Y(;Jm4-O$DC'CJJ4,"Y(QT
pdwebpi.conf dCD~xPTBPdC#
[common-modules]
authentication = BA
authentication = failover
authentication = forms
post-authzn = failover

[authentication-levels]
1 = BA
2 = failover
OvdC8(K}VO$=(:BA"JO*F cookie Mm%,JO*F cookie C4
xPZ(s&m#[authentication-levels] ZPhCD6pv(TO$kswCO$=
(D3r#g{4Z [authentication-levels] ZP(e6p,rm%O$D1!5*6
p 1#
9COvdC,e~ZSUks1iRks7PDJO*F cookie#e~Z BA }].
0iRJO*F cookie GIZ [authentication-levels] ZP8(DJO*F6p*
2#[authentication-levels] ZEHZ [common-modules] ZPO$#i(eD3r#
e~+/J:0RIT9CJO*F cookie O$Kksp?1g{H04O$ks,r
Xpq,r*e~H0;P*ks9lJO*F cookie#;se~+/JZ~vJb:
0RIT9CJO*F cookie zIO$ksp?1Xpq,r*JO*F cookie #i
^(*O$zIks#
e~+F/= [authentication-levels] ZPDB;vQdCO$=(,ZC>}P*
BA#e~+/J:0RIT9C BA 7O$Kksp?1g{H04O$ks,rX
pq#;se~+/J:0RIT9C BA zIO$ksp?1Xp\I\*G,ra
>C'dkC'j6M\k#I&DO$+zzZ(Da0,RJO*F cookie +ek
ks7"Cw,;a0ZdDsLksDZ;vO$=(#
r; BA #i;\zIO$C'D=(,re~a1!*dCD~D
[common-modules] ZPPvD=(Er#ZOvdC>}P,e~+8(O$=(
DEH6,rx:
level 1 = BA, forms
level 2 = failover cookie
g{JO*F cookie M BA 4\a)C'O$D=(,re~+9Cm%O$#
BfDwL<T>CZ!qO$#iDe~_-#
e~4UydCD3rwC?vO$#i,1=#i.;5X;vC'>$#g{d
CDO$#iP;P;v\zI>$,rrC'"MO$aJ,a>{Ga)O$E
"#
g{O$aJGXhD,rwCQdCPmPDZ;vOJDO$#i4zIh*z
zaJD|n#;GyPDO$#i<ITzIaJ#}g,TZks HTTP 7;Pa
J - b)7fZr;fZZksP#Kb,O$#iI\;IC,r*|QC4j6
re~*"ksDzmLr#IT*C'zIaJDn#CO$zFGy>O$(BA a
J+"M=C')MyZm%DO$(G<m%+"M=C')#g{^O$=(I
C,r^(O$C',Re~5X{9CJ3f#
< 2 PDwL<T>K!qO$=(TrC'"MaJD}L#
+4UdC3rli?vQdCDO$=(,1=R=zcyhDO$6pD;v=
(#g{R=zcO$u~D#i,rwC|49("MxC'DaJ#g{QdC
DO$=(P;P;vOJ,rI\;xPO$#e~rC'5X0{9CJ13
f,r*C';_PCJyksJ4h*DmI(,Sx;I\r{G"MaJTc
4yhD6pxPO$#
< 2. 7(O$#iDe~wL#
dCZ(s&m
Z(kss,+wCQdCDZ(s#i#Z(s#i7(Z+ks+]Xe~Tc
Web ~qw&m0Gqh*4PNNd|Yw#+wCyPQdCDZ(s#iT7(
Gqh*Tks4PYw#
Z(s#iITi*TBNb;`:
v ^D SSO Dks - b)Z(s#i+mS Web &CLrCZj6C'DE"
(cookie r7),x;h*Z~NO$#
v ^Dl& - (#,b)Z(s#i(#rl&mS7r cookie 4^Dl&#}g,
JO*F#i+JO*F cookie mS=l&#
v Xb/} - b)Z(s#i+yksD URI 6p*3;Xb&\D%"w#Xb
&\8>e~&mCks#}g,eCSSO $5ks#
Z(s#i4|GZdCD~PvVD3rwC#ZPmP8(0?s1DZ(s#
iP\&7zr2GI0fDZ(s#iyxPD|D#
}g;TBdC+<B;,De~P*,!vZZ [common-modules] ZP8(D BA
M forms D3r#
< 3. O$aJ}L_-
[common-modules]
...
post-authzn = BA
post-authzn = forms

[BA]
...
strip-hdr = always

[forms]
...
create-ba-hdr = yes
OvdCG(}Z(s#iM#idCDErI\5V`sinTD;vr%>}#
\ma04,
e~9Ca04,E"j6xkksD4#1M'z4P;va0PDs?ks1,
e~9Cks4Dm],$M'zM~qw.dDa04,#g{M'zM~qw.
d;fZQ("a04,,rXk*?vsLksXB-LM'zM~qw.dD(
E#(}{}X4O$Dh*,a04,E"IDFT\#M'zITZ;NG<
s,"vs?ks,x;X*?vks4P%@DG<#
Tivoli Access Manager Plug-in for Web Servers &m HTTP M HTTPS D(E#e~
hFCZ9CTBNNE"`M4,$kM'zDa0D4,#
1. SSL a0j6
2. y>O$
3. X(Z~qwDa0 cookie
4. HTTP 7}]
5. IP X7
6. LTPA cookie
7. IV 7
e~@NwC?vQdCDa0#i#e~LxQwQdCDa0#i`M,1=P
;V`M5X>$#;se~+7(&CLrGq*N<`74CzmLr#g{|
G;vzmLr,rm;va0Xk*5JDnUC'xfZ#*iRCm;a0,
e~LxwC`BDQdCa0#i#"VQ-"zDC'O$DVPa01,+5
XC'>$#K>$CZZ(ks#g{QdCDa0#iP;P;v5XC'>
$,ra0*4GBa0,*4GP4(">$Da0#
dCe~a0/>$_Y:f
e~a0_Y:fJm~qwf"4T`vM'zDa0j6E"#a0_Y:f\
#f HTTPS M HTTP a04,E"#
e~_Y:ff"a0j6E"M*?vM'zq!D>$E"#_Y:f>$E"
IT{}Z(liZdTC'"am}]bDX4i/#e~_Y:f9,$e~M
LDAP C'"am.dD SSL ,SDa04,E"#
P8vdCN}ICZe~_Y:f,b)N}Jmzw{_Y:fDT\#
":pdwebpi.conf dCD~D [sessions] ZPdCD5I\Z [module_name] ZP
;2G,3)59I\Z [ module_name:virtual_host_name] ZP;x;=2G(Z
?vibwzDy!O)#
hCns""u?5
max-entries N};Z pdwebpi.conf dCD~D [sessions] ZP,|hC?va0
#iDa0/>$_Y:fP""u?Dns}?#
C5kX(a0#iD""G<a0}`T&#_Y:fs!o=K51,+y]n
|nY9CDc(S_Y:f}%u?TJmBxkDG<#
1!""G<a0}G 4096:
[sessions]
max-entries = 4096
< 4. 7(a0#iDe~wL#
hC_Y:fu?,15
timeout N};Z pdwebpi.conf dCD~D [sessions] ZP,|Te~a0/>$
_Y:fPDu?hCnsP'Z,1#
e~ZZ?_Y:f>$E"#a0_Y:f,1N}8>Z(>$E"#tZZf
PD1d$H#
CN};G;n/,1#C53d=0>$P'Z1,x;G0>$,11#d?DG
Zo=8(,1^F1(}?FC'XBO$4v?2+T#
1!G<a0,1(k)* 3600:
[sessions]
timeout = 3600
IT+a0_Y:fP'ZdC*^[N1"zXBO$1<xP4;#?N"zX
BO$1,a0_Y:f timeout 5+4;#*dCa0_Y:fP'Z4;,k9C
pdwebpi.conf dCD~D [sessions] ZPD reauth-lifetime-reset N}:
[sessions]
reauth-lifetime-reset = yes
1!5G no#
C'}Z4PXBO$1,a0_Y:fP'Z5I\a=Z#ZXBO$G<m%
"M=C'.s,RZ5XjIDG<m%0,a0_Y:fP'Za=Z#a0_
Y:fP'Z5=Z1,+>}a0_Y:fu?#G<m%5X=e~s,;YP
CZCC'Da0#mb,yPQ_Y:fDC'ks}]+*'#g{XBO$Z
da0_Y:fP'Z}Z,zITTa0_Y:fP'ZdCS1rm^Z#
pdwebpi.conf dCD~D [sessions] ZPD reauth-grace-period N}a)K1d
)9,Tk*%;#}g:
[reauthentication]
reauth-grace-period = 20
1!5 0 ;Ta0_Y:f,15a)S1#reauth-grace-period N}&CZ9CV
Pa0_Y:fu?DC'T0h*XBO$DC'#}g:
v IZ POP 2+_Tx4PXBO$DC',
v IZa0_Y:f;n/x4PXBO$DC',
v 4P]}=O$DC'#
reauth-grace-period !nC4M reauth-lifetime-reset = yes !naO9C#
hC_Y:fu?;n/,15
inactive-timeout N}(;Z pdwebpi.conf dCD~D [sessions] ZP)hCG<
a0;n/D,15#
1!G<a0Gn/,1(k)* 600:
[sessions]
inactive-timeout = 600
*{CK,1&\,+N}5hC* 0#
9C SSL a0j6,$a04,
Tivoli Access Manager Plug-in for Web Servers IT9Cxk HTTPS ksD SSL a
0j6zYa0#K$_;ICZ IIS,r* IIS 9 SSL a0j6;ICZe~#
":SSL a0j6;CZO$ks#
pdwebpi.conf dCD~PD [common-modules] Z(eyPa0"O$MZ(s=
(DC>,9CDq=* module_type = module-name#*9C SSL a0j6,Va0
4,,+%J ssl-id 8(x session N},gBy>:
[common-modules]
session = ssl-id
7#QZ pdwebpi.conf dCD~D [modules] ZP* ssl-id dCK2mb#4:
[modules]
ssl-id = pdwpi-sslsessid-module
9Cy>O$,Va04,
y>O$(BA)G;V(}dkC'{M\kO$C'M,Va04,D=(#BA I
HTTP -i(e,RIT(} HTTP M HTTPS 5V#
y>O$(}+y>O$7DZ]G<xP_Y:f4,Va04,#
*9Cy>O$dCe~T,Va04,,9C pdwebpi.conf dCD~PD
[common-modules] Z#dkN} session,d5* BA,gBy>:
[common-modules]
session = BA
g{ BA CZ,Va04,,r9h*+dCZC'O$#dCD~D [common-modules] Z2&1*O$hC BA#
[common-modules]
session = BA
authentication = BA
2+/f:
9Cy>O$Z(7j6a0a9 Web ~qwDC')6Z^^FD\kBb%w#
bGZZ(7P|,C'\kD HTTP y>O$#=DV^T#
1!ivB,;tC Tivoli Access Manager Plug-in for Web Servers#y>O$a0j
6&\G*G)*@ky>O$`X*DyP2+TgU(|(K2+TgUZZ)
D\m1a)D#
1e~#$D Web ~qwZ`74CzmLrs(}gZ WebSEAL acs)KP
1,(}9Cy>O$+TmO$=e~,I2+X9Cy>O$a0j6#ZbV
ivB`74CzmLr;a+y>O$Z(7SC'*"=e~,byM;I\\
=%w#
9Ca0 Cookies ,$a04,
9Ca0 cookie #fa0E"G,Ve~a04,D;V=(#~qw+XbM'zD
4,E"r|= cookie P"+d"M=M'zD/@w#TZ?vBDks,/@w(
}+ cookie(_Pa0j6)"MX~qwTXBj6|>m#
ZM'z9C/@wZ\LD1dsXB-Ld SSL a0DivB,a0 cookie a)
I\Dbv=8#}g,3)f>D Microsoft Internet Explorer /@w?t=r}VS
MXB-L SSL a0#
a0 cookie vZL1d(s<.VS)ZTO$M'zD~qwa)M'zDXBO
$#KzFGyZ0~qw cookie1D,C cookie ;\+]=kzIK cookie Dzw
;,DNNzw#
mb,a0 cookie |,;vC4Z~qwa0_Y:fPw}|Dfz}j6{ - ^
d|E"T>Za0 cookie P#a0 cookie ;a962+T_T#
Tivoli Access Manager Plug-in for Web Servers 9C2+D~qwX(Da0 cookie#
TBu~JCZK cookie zF:
v Cookie v|,a0E";|;|,m]E"#
v Cookie v;Z/@wZfP(|;a4=ELOD/@w cookie ]wP)#
v Cookie _PP^DP'Z(IdC)#
v Cookie _P76Mh9d|~qw9CC cookie DrN}#
*dCe~9Ca0 cookie ,Va04,,9C pdwebpi.conf dCD~PD
[common-modules] Z#dkN} session,d5* session-cookie,gBy>:
[common-modules]
session = session-cookie
resend-pdwebpi-cookies N}(;Z pdwebpi.conf dCD~D [sessions] ZP)
tCr{CZ?Nl&1+a0 cookie "M=/@w#KYwoz7#a0 cookie #
tZ/@wZfP#resend-pdwebpi-cookies N}_P no D1!h5:
[sessions]
resend-pdwebpi-cookies = no
+1!hC|D* yes TZ?Nl&1"Me~a0 cookie#
9C HTTP 7,Va04,
IT+ Tivoli Access Manager Plug-in for Web Servers dCI9C HTTP 7E"4
j6a0M,Va04,#
e~IT9C HTTP 7CZzYa0T0O$C'#g{+e~dC*9C HTTP 7
zYa0,r9Xk+ddC*9C HTTP 7O$C'#;x,+e~dC*9C
HTTP 7O$xkDks;h*+e~dC*zYa0#XZdCe~9C HTTP 7C
ZM'zO$Dj8E",kN<Z 85 3D:dC HTTP 7O$;#
19C HTTP 7,Va04,1,pdwebpi.conf dCD~D [common-modules] Z
XkdCPTB5:
[common-modules]
authentication = http-hdr
session = http-hdr
HTTP 7Dj<dC;Jm8(;v7,}g:
[modules]
http-hdr = pdwpi-httphdr-module
*8(`v HTTP 7,XkdC HTTP 7#iD`v5}#
}g:
[modules]
entrust-client-header = pdwpi-httphdr-module
some-other-header = pdwpi-httphdr-module

[entrust-client-header]
header = entrust-client

[some-other-header]
header = some-other
9C IP X7,Va04,
Tivoli Access Manager Plug-in for Web Servers IT9C IP X74j6MzYa0#
*dCe~9C IP X7zYa0,9C pdwebpi.conf PD [common-modules] Z#
dkN} session,d5* ip-addr#4:
[common-modules]
session = ip-addr
7#QZ pdwebpi.conf dCD~D [modules] ZP* IP X7O$dCK2mb#
4:
[modules]
ip-addr = pdwpi-ipaddr-module
g{9C IP X74,Va04,,|G9XkC4O$xkks#PXdC Tivoli
Access Manager Plug-in for Web Servers T+ IP X7CwM'zO$=(Dj8E",
kNDZ 87 3D:dC IP X7O$;#;x9C IP X7CZO$M'z;h*+b
)X7Cwj6a0D=(#
9C LTPA cookie ,Va04,
ITyZ3v LTPA cookie 9C LTPA O$4S\"xPO$#LTPA O$IT9C
Z?v HTTP ksPR=D LTPA cookie 4,Va04,#
*9C LTPA O$dCe~T,Va04,,k9C pdwebpi.conf dCD~PD
[common-modules] Z#dkN} session,d5* ltpa,gBy>:
[common-modules]
session = ltpa
g{9C LTPA ,Va04,,|9h*kTC'O$xPdC#dCD~PD
[common-modules] Z2&C*O$hC LTPA#
[common-modules]
authentication = ltpa
session = ltpa
9C iv 7,Va04,
Tivoli Access Manager Plug-in for Web Servers IT_Y:f iv 7E"4DF53T
\#
pdwebpi.conf dCD~PD [common-modules] Z(eyPa0"O$MZ(s=
(DC>,9CDq=* module_type = module-name#*_Y5f iv 7E",k+5
iv-headers 8(x session N},gBy>:
[common-modules]
session = iv-headers
7# iv 7D2mbdCZ pdwebpi.conf dCD~D [modules] ZP#4:
[modules]
iv-headers = pdwpi-iv-headers-module
O$dCEv
}gZ 37 3D:dCO$;;ZP4=DGy,O$#i4PSksPi!O$E"
D}L#ksD5JO$Ii$O$E"DO$zF4P#O$#iMO$zF.d
DG+VkJm* WebSEAL `4D(F CDAS bke~;p9C#
Tivoli Access Manager Plug-in for Web Servers 'VDCZyPO$=(DzFZ
pdwebpi.conf dCD~D [authentication-mechanisms] ZPxPdC#\'VDO
$=(N}|(:
v >X(ZC)O$Lr
>XO$LrDN}8(J1DZC2mb(UNIX)r DLL(Windows)D~#
v (Fb?O$Lr
e~a)#e~qwzk,zIT9CCzk9(M8((Fb?;frO$~q
(CDAS)~qw#
b? CDAS O$Lr8(J1D(F2mb#
":M [modules] ZDdC;,DG,Z [authentication-mechanisms] ZPdC
zFD,1mS+D~{#4,|(D~0:MYw53X(D)9{#
>XO$zF
BPO$zFN}8(>XZCDO$Lr:
m 10. >XZCO$Lr.
N} hv
m%My>O$
passwd-ldap 9C LDAP C'{M\kxPM'zCJ#
M'zK$iO$
cert-ssl 9CM'zK$i(} SSL xPM'zCJ#
$nK iv-remote-address D HTTP 7"IP X7O$M IV 7#
http-request -I$nK iv-remote-address DXb HTTP 7"IP X7r IV 7D
M'zCJ#
9C [authentication-mechanisms] ZdCO$=("TBPq=5V:
authentication_method_parameter = shared_library
b?(F CDAS O$N}
TBN}ICZ8(b? CDAS ~qwD(F2mb:
m 11. b? CDAS ~qwN}.
N} hv
passwd-cdas 9CZ}="amDC'{M\kxPM'zCJ#
m 11. b? CDAS ~qwN} (x).
N} hv
token-cdas 9C LDAP C'{MnF(PzkxPM'zCJ#
cert-cdas 9CM'zK$i(} SSL xPM'zCJ#
}O$b.b9P=VICZe~Dd|j< Tivoli Access Manager b:
v passwd-strength
Kbli\k|Dm%PdkDB\k#
v cred-ext-attrs
KbJm+(FtT({F/5T)8(*|,Z>$P#
PX9(MdC5V CDAS ~qwD(F2mbDj8E",kN< IBM Tivoli Access
Manager for e-business Web Security Developer Reference#
e~D1!dC
1!ivB,e~hC*9Cy>O$(BA)C'{M\k(LDAP "am)O$M'
z#
e~(#,1* TCP M SSL CJtC#rx,[authentication-mechanisms] ZD
dMdC|('VC'{M\k(LDAP "am)M'V(} SSL DM'zK$i#
TB>}zm Solaris OD [authentication-mechanisms] ZDdMdC:
[authentication-mechanisms]
passwd-ldap = libldapauthn.so
cert-ssl = pdwpi-sslauthn.so
*dCd|O$=(,mSJ1DN}0d2mb(r CDAS #i)#
dC`vO$=(
^D pdwebpi.conf dCD~D [authentication-mechanisms] Z,8(CZNN\
'VO$=(D2mb#dC`vO$=(1,&CTBu~:
1. yPO$=(<IT`%@"XP9&\#I\*?v\'VD=(dC2mb#
2. 1,1dC cert-cdas =(M cert-ssl =(1,0_+2Gs_#XktCb=v
=(.;4'VM'zK$i#
3. dC`vO$Lr1,5Jv9C;v\k`MO$Lr#e~9CTBEH63
r4bv`vQdCD\kO$Lr:
a. passwd-cdas
b. passwd-ldap
4. I\*=v;,DO$=(dC`,D(Fb#}g,IT`4;v(F2mb&
mC'{/\kM HTTP 7O$#TZK>},z+9C`,D2mbdC
passwd-cdas M http-request N}#*"_PpN,$a04,,"\b=V=
(.dDe;#
"z"|D\kMoz|n
Tivoli Access Manager a)TB|n4'V(} HTTP r HTTPS O$DM'z#
pkmslogout
1M'z9CDO$=(;f?vksa)O$}]1,M'zIT9C pkmslogout |nS10a0"z#19CDO$=(f?vksa)O$}]1,!\>$E"
TI|,Zks7P,pkmslogout |n<ae}a0_Y:f#ZbVivB,C'
XkXU/@wTj+Sa0"z#
pkmslogout |nJCZ9CnF(Pzk"m%O$M HTTP 7O$D3)5VD
O$#
4TB=(KP|n:
https://www.tivoli.com/pkmslogout
/@wT>(eZ pdwebpi.conf dCD~PD"zm%:
[acctmgmt]
logout-success = logout_success.html
"zI&u?IT8(;v$(eD HTML D~(|,Zy>
install_path/nls/html/C ?<P)r;v URI#8(D URI I\G`T URI,r_
I\GxT URI#
1xga9h*`vKvA;CZC'Sj+;,Dibwz"z1,pkmslogout 5
CLr9'V`v"zl&3f#
pkmspasswd
9Cy>O$(BA)rm%O$1,IT9CK|n|DG<\k#K|nJOZ
HTTP r HTTPS O9C#
}g:
https://www.tivoli.com/pkmspasswd
C/@w+T>(eZ pdwebpi.conf dCD~PD\km%D|D:
[acctmgmt]
password-change-form-uri = /pkmspasswd.form
password-change-uri = /pkmspasswd
password-change-success = password_change_success.html
password-change-failure = password_change_failure.html
IT^D password_change_success.html M password_change_failure.html D~T
J&zD*s#
pkmshelp
IT9CK|nCJoz3f#K|nJOZ HTTP r HTTPS O9C#
oz3fD{FM;C(eZ pdwebpi.conf dCD~P:
[acctmgmt]
help-uri = /pkmshelp
help-page = help.html
IT^D help.html D~TJ&zD*s#
dCy>O$
y>O$(BA)G+C'{M\ka)xO$zFDj<=(#BA I HTTP -i(
e,R(} HTTP M HTTPS 5V#
tCy>O$
1!ivB,*e~dC BA C'{M\k#pdwebpi.conf dCD~PD
[common-modules] Z(eK9C BA CZO$ks#4:
[common-modules]
authentication = BA
pdwebpi.conf dCD~PD [modules] Z(eyPICDO$zF0dX*D2mb
{F#7#y>O$Du?fZ;4:
[modules]
BA = pdwpi-ba-module
1!ivB,ZdCD~D [authentication levels] ZP8( BA O$zFD6p*
1#KhCkxkksDO$zFDEH6`X#
dCy>O$zF
passwd-ldap N}8(CZ&mC'{M\kO$D2mb#
v Z UNIX O,a)ZC3d&\DD~G;v2mb,F* libldapauthn#
v Z Windows O,a)ZC3d&\DD~G;v DLL,F* ldapauthn#
IT(}Z pdwebpi.conf dCD~PD [authentication-mechanisms] ZPdk
passwd-ldap N}T02mbD~DX(=({F4dCC'{M\kO$zF,gB
y>:
Solaris:
[authentication-mechanisms]
passwd-ldap = libldapauthn.so
Windows:
[authentication-mechanisms]
passwd-ldap = ldapauthn.dll
hCr{F
rT>ZI/@wJVxC'DT0rP,C4ksC'{M\k#r{8(x
pdwebpi.conf dCD~D [BA] ZPD basic-auth-realm N}#
[BA]
basic-auth-realm = realm_name
&m BA 7
(}XF"Mx Web ~qwD BA 7DZ],zITdCe~4r\#$D&CLr
a)-<r^D}DM'zm]E"#SM'z"MDVP7IT:
v %}yPks"
v %}4-O$Dks"
v TyPks#V;dX+]#
TZ;a) BA 7DM'zr+]x Web ~qwDVPM'z7E"45,7E"I
T:
v hCIL(DC'{M\k"
v "ML(D\k(C'{w*QO$C'D{F+])"
v 9C4T Tivoli Access Manager GSO x(dPDE"xPhC#
*&mxkksD BA 7,e~XkdCIJm9Cy>O$xPZ(s&m#*4P
CYw,mSN} post-authzn "Z pdwebpi.conf dCD~D [common-modules]ZP+dhCI5 BA#4:
[common-modules]
post-authzn = BA
strip-hdr |n8>e~4PTBN;Yw:
5 a{
ignore C7#t>4DyS#e~Q-<DM'z BA 7;-IfX+]xJ
4#by>O9ITJ4D1SG<,byTe~45G8wD(}g
1z#{F}e~O$1)#
":
1. K!n1ZXJm4-O$DC'r Web ~qw"M BA 7#;P
Zz7(h*K!n"mb2+TD,eDivBE&C9C|#
2. 1Ze~dCK BA O$R\#$J4"T9CT:D BA aJO$
M'z1,\#$J4+;S\C'D>$#Ze~dCDd|O$
zF(}gm%)+Q-<M'z BA 7;-IfX+]xJ4#
always Zr Web ~qw*"ks.0,<USyPM'zksP}%y>O$
7E"#ZbVivB,e~dI%;D2+Ta)Lr#g{zh*
a) Web ~qw;)M'zE",ITaOK!nk IV 7O$T+
Tivoli Access Manager M'zm]E"Ek HTTP 7VNP#
":g{\#$D~qwZtCK!nDivB"M BA aJ,rM'z
+4=;vO$/v0Z+G^(G<,r*|GDl&\G;}%#
unauth SM'zU=D BA 7+SyPksP}%,}KG)4TC'DQ-9
Cy>O$Ie~O$}Dks.b#bJmQO$DC'r Web ~q
w"MQO$DBA 7,+h94O$DC'byv#
dCD~D [BA] ZPD add-hdr N}JmzZ HTTP y>O$(BA)7Pa)M
'zm]E"#9C add-hdr N}Z HTTP BA 7Pa)M'zm]E""zZI
strip-hdr N}D&\5VDNN&m.s#add-hdr IThC*:none"gso r
supply#
v g{hC* none,BA 7;amS=ksP#
v g{hC* gso,GSO BA 7mS=ksP - kN<Z 118 3D:9C+V%;"
a(GSO);qCPXdCe~ GSO &\Dj8E"#
v g{hC* supply,2,\kMC'{mS= BA 7P#b)2,\kMC'{(e
ZdCD~D [BA] ZPD supply-password M supply-username N}P#
supply-username N}IThCIL(DC'{5#g{;hC supply-username N},BA 7PDC'{9C Tivoli Access Manager O$DC'{44(#ZbV
ivB,e~#$DJ4h*S Tivoli Access Manager m]xPO$#
1 add-hdr N}hCI supply "hCK supply-password M supply-username N}1,8(DC'{M\kCZyPks#+2C'{M\kD9C;T&CL
r~qwa)NN@]4$59CCC'{G<DM'zDO(T#g{M'z<
U(}e~4CJJ4,Kbv=8;fZNN2+TJb#+G,SomO#$
J49d;aPd|I\DCJ==x4D#UG\X*D#IZbViv^\k
6pD2+T,e~#$DJ4XkxTENe~Ti$M'zDO(T#C'"
am9Xk6p Tivoli Access Manager Dm]TcS\|#
g{4hC supply-username R4O$C',r;aP BA 7mS=ksP#
8(T BA 7xP UTF-8 `k
`-e~dCD~#8(e~Gq&T BA 7xP UTF-8 `k#
[BA]
use-utf8 = true
1!5* true#
PXe~T UTF-8 `kD'VD|`E",kNDZ 32 3D:oT'VkV{/;#
dCm%O$
Tivoli Access Manager a)m%O$w*j<y>O$zFD8C=(#C=(S Tivoli
Access Manager zz(FD HTML G<m%,x;GIy>O$aJzzDj<G<
a>#
9CyZm%DG<1,/@w;s9Cy>O$1Gy+C'{M\kE"xP_
Y:f#
tCm%O$
pdwebpi.conf dCD~PD [common-modules] Z(eKyPO$=(D9C#*
tC9Cm%DO$,+%J forms 8(xO$N};4:
[common-modules]
authentication = forms
9Cm%CZO$1,9Xk+e~dC*9Cm%CZZ(s&m#9Cm%Jm
e~+QO$DC'X(rX-<Dks URL#Z pdwebpi.conf dCD~D
[common-modules] ZP,mSN} pre-authzn,gBy>:
[common-modules]
authentication = forms
pre-authzn = forms
pdwebpi.conf dCD~PD [modules] Z(eyPICDO$zF0dX*D2mb
{F#7#m%O$Du?fZ;4:
[modules]
forms = pdwpi-forms-module
dCm%O$zF
passwd-ldap N}8(CZ&mC'{M\kO$D2mb#
v Z UNIX O,a)ZC3d&\DD~G;v2mb,F* libldapauthn#
v Z Windows O,a)ZC3d&\DD~G;v DLL,F* ldapauthn#
IT(}Z pdwebpi.conf dCD~PD [authentication-mechanisms] ZPdk
passwd-ldap N}T02mbD~DX(=({F4dCC'{M\kO$zF,gB
y>:
Solaris:
[authentication-mechanisms]
passwd-ldap = libldapauthn.so
Windows:
[authentication-mechanisms]
passwd-ldap = ldapauthn.dll
(F HTML l&m%
m%O$h*z9C(FG<m%#1!ivB,y> login.html m%;ZTB?<:
install_path/nls/html/lang/charset#
dP lang S NLS dCPq!#Z@z"o53P,lang ?<F* C,charset *
utf-8#
dCD~D [forms] ZD login-form N}(eG<Zda)xC'Dm%DD~{#
D~76&Ck*;D pdwebpi HTML ?<(}g pdwebpi/nls/html/lang/charset)
`X#
[forms]
login-form = login.html
":S login.html m%}% wpi_url VNa9fG<m%a;D POST }]w*
POST }]d?Z HTTP ksPIC#b|(KCZG<= Tivoli Access Manager
DC'{M\k#Kb,Sm%}% wpi_url VNa{CyPD POST }]_Y
:f&\Mj,}g %POST_URL% +;Y\'V#
(Fm%G< URII\_PZ%vibwzP9Cm%G<#iD`v5}#ZK`ivB,XkZT
m%G<#iD?v%@5}a;G<m%1|D0+<1=dOD URI#[forms] Z
PD login-uri N}XFEK URI#g{QS1!5xPK|D,rXk|BI
login-form N}(ND:(F HTML l&m%;)8(Dm%T43v|D#
4( BA 7
m%O$a)yZG<m%Pa)DC'{M\k44( BA 7D\D4(a)
aI%;D"azF,CzFITZsK&CLrh*y>O$,T0C'{M\k
k Tivoli Access Manager y9CDC'{M\k%d19C#
BA 7D4(Im%Z(s#i&m#+m%Z(s&mu?mS=e~dCD~D
[common-modules] Z:
[common-modules]
post-authzn = forms
dCD~D [forms] ZPD create-ba-hdr N}tCr{C BA 7D4(,}g:
[forms]
create-ba-hdr = yes
1!ivB,m%O$;4( BA 7 - create-ba-hdr hC* no#14I&O$C
'1;4( BA 7,"RC'\k}Z12;4( BA 7,kuyhCN}^X#
":g{ post-authzn PmPm%#i.sDm;v#i2GK BA 7(r}%K
|),rK&\;pwC#wGDv(G+m%#i8(* post-authzn PmPD
ns;v#i#
8(T BA 7xP UTF-8 `k
`-e~dCD~#8(e~Gq&T BA 7xP UTF-8 `k#
[forms]
use-utf8 = true
1!5* true#
PXe~T UTF-8 `kD'VD|`E",kNDZ 32 3D:oT'VkV{/;#
dC$iO$
Tivoli Access Manager Plug-in for Web Servers 'V(} SSL k9CM'zK}V$
iDM'zxP2+(E#ICb;O$=(,$iE"(g(P{Fr DN)3dI
Tivoli Access Manager m]#
9C$i%`O$
9C}V$iDO$"zZ=vWN:
v e~yZD Web ~qw(}|D~qwK$ir SSL M'zj6|>m#
v Web ~qw9C|DO$PD(CA)y$i}]b4i$(}M'zK$iCJ~
qwDM'z#"zTB}L:
1. SSL M'z(}e~ksk Web ~qwD,S#
2. Web ~qwDl&G9CQ)pD~qwK$i"Md+C\?#K$iH0QI
IEDZ}=O$PD(CA))p#
3. M'z+li$iD)p_GqGIERIS\D#M'zD/@w(#|,4
TIE CA Dy$iPm#g{ Web ~qwD$iOD){kb)y$i.;%
d,rITENC~qw#
4. g{;P){kd%d,r/@w(*dC',K$iI4*O$PD)p#;
s,C'PpNS\r\x$i#
5. g{C){k/@wDy$i}]bPDu?%d,r2+XZM'zM Web ~
qw.d-La0\?#
K}LDnUa{GM'zIT(};v2+(@xPO$(}g,9CC'{
M\k)#I&O$s,M'zM~qwITLx2+X(}K(@(E#
6. VZM'z(}e~+d+C\?$i"M= Web ~qw#
7. Web ~qw"T9C Web ~qwD$if"+M'z$iOD){kQ* CA %
d#
8. g{;P){kd%d,rzI SSL mszk""MxM'z#
9. g{P){kd%d,rITENCM'z#"zM'zDO$,Sxzz;v
Tivoli Access Manager m]#
10. +ZM'zM Web ~qw.d2+X-La0\?#K}LDnUa{GZ`%
O$DM'zM~qw.dzz2+MIED(EE@#
tC$iO$
pdwebpi.conf dCD~PD [common-modules] Z(eKyPO$=(D9C#*
tC9C$iDO$,T authentication N}8(J0cert1:
[common-modules]
authentication = cert
pdwebpi.conf dCD~PD [modules] Z(eyPICDO$zF0X*D2mb{
F#7#$iO$u?fZ:
[modules]
cert = pdwpi-certificate-module
":TZZ IHS OD20,zXkdC Web ~qwTSM'zks$i#
dC$iO$zF
cert-ssl N}8(CZ3d$iO$E"D2mb#
Z UNIX O,a)ZC3d&\DD~G;v2mb,F* libpdwpi-sslauthn#Z
Windows O,a)ZC3d&\DD~G;v DLL,F* sslauthn#
IT(}Z pdwebpi.conf dCD~PD [authentication-mechanisms] ZPdk
cert-ssl N}T02mbD~DX(=({F4dC$iO$zF#
Solaris:
[authentication-mechanisms]
cert-ssl = libpdwpi-sslauthn.so
Windows:
[authentication-mechanisms]
cert-ssl = pdwpi-sslauthn.dll
":pdwpi-sslauthn CDAS h*C'$iPDwb DN 4j+%dC'D LDAP DN#
g{zh*9C|4SD3d,rh**"(FD CDAS#PX9( CDAS #i
D8>E",kN< IBM Tivoli Access Manager for e-business Web Security
Developer Reference,b)8>E"9JCZ Plug-in for Web Servers#
dCnFO$
Tivoli Access Manager Plug-in for Web Servers 'V(}M'za)DnF(PzkD
O$#
SecurID nFO$
e~nFO$}Lh*Z20e~D~qwO20MdC RSA SecurID M'z,Tk
6L RSA ~qwxP(E#\'VD SecurID M'zf>* 5.1#
RSA D ACE/Server O$8v;,DnF,|(m~nFMVV"&mwXFDh8#
SecurID m~nFGKPZ$w>OD~xFLr,|20ZG\(O,rw* Web /
@wDe~KP# SecurID m~nFIw*&CLrKP#C&CLrT>;v0Z,
C'IZK0ZPdkvK6pEk(PIN),;sm~nF+Fcv(Pzk#;s
C'I(}+(PzkdkG<m%4O$=e~#
SecurID nFndMDN=*VVh8#Kh8(#G?W4=D(key fob)rG\(
=D(slim card)#KnFIP;v PIN !|L,C'IZdPdk PIN,TzI(P
zk#g{nF;P PIN |L,(}+C'D PIN MnFzk,SZ;p4zI(P
zk#nFzkGT>Z?W4OD;O|DD}V#nFzkG SecurID nF4;V
SD1ddtzID}V#;sC'dk PIN MnFzk4O$= ACE/Server#
e~'V_=V RSA nF==:
v B;vnFzk==
1C'dkD PIN }7+nFzkms1,9CK==#(#,XkZ;PP}Nd
kmsDnFzkEa9nF(xkB;vnFzk==#1C'dk}7D(P
zk1,nFzkT/|D#C'H}BDnFzk,;sYNdk(Pzk#
v B PIN ==
1T8(ID PIN 1,nFI&ZB PIN ==#1\m1#{5)ns\kY|_
T1,nF+&ZK==#1 PIN ;e}rP48(1,nF2I&ZB PIN ==
P#B8(DnFI\9;P PIN#1C'|G PIN r3I|Q96,r\m1I
e}|#
SecurID PIN IT;,D==4(:
v C'(e
v 53zI
v C'!q
y]4(=(M8(\k4(Mh8`MN}Dfr(e PIN ==#
e~'VTB`MDC'(eD PIN:
v 4 - 8 vV8}VV{,G PINPAD nF
v 4 - 8 vV8}VV{,\k
v 5 - 7 v}VV{,G PINPAD nF
v 5 - 7 v}VV{,PINPAD nF
v 5 - 7 v}VV{,;IC 4 ;}VD PIN
v 5 - 7 v}VV{,;ICV8}V
e~;'VTB`MDB PIN:
v 53zID,G PINPAD nF
v 53zID,PINPAD nF
v C'!qD,G PINPAD nF
v C'!qD,PINPAD nF
Z ACE \m1;PHe}nFrP4+dCZB PIN ==1,nFC';\+{G
D PIN 4;#bb6E^(+_PP' PIN DC'+<x pkmspassword.form#"T
CJKm%a5X;vms{"#
B PIN ==BDnFO$$ww
TZB PIN ==BnFDO$,a"zTB}L:
1. M'z(/@w)ks;vh*nFO$D\#$ Web Ts#
2. e~5XO$3f,ksC'{M(Pzk#
3. C'nk{GDC'{MnFzk,"+m%a;=e~DO$b#1C';P PIN
1(I\Gr*nF(GBD,r\m1T PIN xPK4;),nFzkM(Pz
kG`,D#1C'_P PIN +nF(&ZB PIN ==1,C'dk PIN SO
nFzk#
4. e~DnFO$b+O$ks"MA ACE/Server#
5. ACE/Server 4gB==&mks:
a. g{O$;I&,r+a{5X=e~nFO$b,Cb+ms3fT>=M
'z(5XA=h 2)#
b. g{nF4&ZB PIN ==,rO$C'#e~nFO$b+I&{"5X=
e~,byM<mKksD\#$ Web Ts#(O$$wwax)#
c. g{nF&ZB PIN ==,r ACE/Server + NEW_PIN mszk5XAe~
nFO$b#
6. e~rC'a)\k=Zm%#
7. C'dknFzkr(PzkT0B PIN,"+B PIN +<xe~#
8. e~liGqQ?p\k?H~qw#
a. g{\k?H~qwP4?p,re~Lx4P=h 9#
b. g{Q?p\k?H~qw,re~liB PIN#g{ PIN P',re~Lx
4P=h 9#g{ PIN ^',re~5XA=h 6#
9. e~O$b+nFzkMB PIN "MA ACE/Server#
10. ACE/Server 5Xl&zk#
11. g{T ACE/Server D PIN set wCI&,re~+nuksD\#$ Web Ts
5XxM'z#g{ PIN set wC'\,rO$$ww5X=h 6#
T\k?H~qw9CnFO$
e~2'VX(ZO$zFD\k?H~qw#K'V9C2+ThF$L&IT;
9Ce~O$zF*;,DO$=(*";,D\k?H_T#}g,D;}D}V
PIN I\{O ACE/Server D*s,+G4;{O|OqD\k?H~qwD*s#
tCnFO$
pdwebpi.conf dCD~PD [common-modules] Z(eKyPO$=(D9C#*
tC9CnFDO$,+%J0token18(x authentication N};4:
tC9CnFDO$1,2Xk*Z(s&mdCnF#ZdCD~D
[common-modules] ZP,9lK post-authzn N}"*d8(5
0token1#[common-modules] Z&1|,TB=vu?:
[common-modules]
authentication = token
post-authzn = token
pdwebpi.conf dCD~PD [modules] Z(eyPICDO$zF0X*D2mb{
F#7#nFO$u?fZ:
[modules]
token = pdwpi-token-module
dCnFO$zF
token-cdas N}8(CZ3dnF(PzkO$E"D2mb#
v Z UNIX O,a)ZC3d&\DD~G;v2mb,F* libxtokenauthn#
v Z Windows O,a)ZC3d&\DD~G;v DLL,F* xtokenauthn#
nF2mbGw* Tivoli Access Manager Web Security Runtime(PDWebRTE)m~
|D;?V20D#K2mb;Z:
UNIX      /opt/pdwebrte/lib
Windows   c:\Program Files\Tivoli\PDWebRTE\bin
1!ivB,KZC2mbG2`kD,CZ3d SecureID nF(Pzk}]#zI
T(FKD~4O$d|`MDXbnF}],"IT!q+K}]3dI Tivoli
Access Manager m]#XZ API J4DE",kN< IBM Tivoli Access Manager for
e-business Web Security Developer Reference#
IT(}Z pdwebpi.conf dCD~PD [authentication-mechanisms] ZPdk
token-cdas N}T02mbD~DX(=({F4dCnFO$zF#
}g:
Solaris:
[authentication-mechanisms]
token-cdas = libxtokenauthn.so
Windows:
[authentication-mechanisms]
token-cdas = xtokenauthn.dll
(FnFl&3f
dCD~D [token-card] ZD token-login-form N}(enFG<Zda)xC'
M'zDm%DD~{#D~76&Ck*;De~ HTML ?<`X(}g
pdwebpi/nls/html/lang/charset)#dP lang S NLS dCPq!#Z@z"o53
P,lang ?<F* C,x charset * utf-8#
[token-card] ZPD next-token-form N}(eT>=C'M'zDm%TksZ~
vnF#1~qwpu;\I&O$C'1,cksM'zdkm;vnF#;P\
&O$C'I\GIm`-rlID#+G,vmDn#{-rGr*M'zk~q
w1S;,=}pD#1O$9CZ;vnF^(Lx1,rT> next-token-form N
}P8(D3fTa>dkB;vnF#
token-card ZDq=gB:
[token-card]
token-login-form = tokenlogin.html
next-token-form = nexttoken.html
dC SPNEGO O$
19C Internet Explorer CJ\#$Ts1,SPNEGO O$* Windows C'J'a)
%;"a(SSO)&\#Z SPNEGO O$P,e~4P-LD~qwK,Internet
Explorer r4PM'zK#
1C'ksCJ2+ Web ~qw1,Internet Explorer 9CC'D Windows G<>$
Nkk Web ~qwD-LT$5C'Df5T#;)~qw7OKC'Dm],rZ
zcTBu~DivBZh{GCJ(:
v C'*rDI1,
v QZ Authorization Server PtC SPNEGO,
v Authorization Server JmCJ#
CJIe~ SPNEGO O$#$DJ4,R;GrDI1r_}Z9CG Internet
Explorer D/@wDC'Xk9Cm;V=(xPO$,}gy>O$rm%#
":SPNEGO O$#i&\vZ+ Web ~qwdC*Jmd{CJ1EI}#KP#
Z9C IIS 1,Xk;!P/IG<,+*!Pd{CJ#Z9Cd| Web ~q
w1,&9Cj<dC#
=(MC'"am'V
SPNEGO O$zFZyP\'VD Web ~qw/=(/C'"amiOOyIC#
1 Active Directory ;G Tivoli Access Manager C'"am1,rXkZ Active
Directory "amM Access Manager C'"am.d4FC'#
+ SPNEGO dCS V4.1 }6= V5.1
Tivoli Access Manager Plug-in for Web Servers V4.1 a)K spnego #i#Z V5.1
De~P,K#iD&\;"k}v@"D#i:spnego"ntlm M
web-server-authn#^(T/+ 4.1 SPNEGO dCF= 5.1 - z+h*V$xPX
BdC#BmT>K`TZ V4.1 dChCD,H V5.1 dChC#
P=Viv:
v V4.1 dCD~D [spnego] ZP web-server-does-authn N}hC* true#
v V4.1 dCD~D [spnego] ZP web-server-does-authn N}hC* false#
m 12. V4.1 M V5.1 D,H SPNEGO dC#
V4.1 De~ V5.1 De~
[common-modules]
authentication = spnego
authentication = BA
session = spnego
session = session-cookie
[spnego]
web-server-does-authn = true
[common-modules]
authentication = web-server-authn
session = session-cookie
PX|`dC!n,kN<Z 69 3D:dC
Web ~qwO$(vkT IIS =();#
m 12. V4.1 M V5.1 D,H SPNEGO dC# (x)
V4.1 De~ V5.1 De~
[common-modules]
authentication = spnego
authentication = BA
session = spnego
session = session-cookie
[spnego]
web-server-does-authn = false
[common-modules]
authentication = spnego
authentication = ntlm
authentication = BA
session = session-cookie
PXx;=DdC!n,kN<Z 68 3D
:dC NTLM O$(vkT IIS =();#
V^T
Z SPNEGO O$P;'VTBe~&\:
v yZ POP ra0(1wD SPNEGO QO$M'zDXBO$#
v T} Active Directory .bDC'"am9C pkmpasswd 4xP\k|D#
v (} CDAS xPDC'{3d#
v SPNEGO M'z^(Se~"z#M'zXkS$w>"z#CJe~ pkms |n3
fDM'z(}P;C'.b)SU= PKMS oz3f#
v TZ SPNEGO M'z,1Gn/a0(1w=Z1xPXBO$#>}C'_Y:
fu?,+#ta0j6#S SPNEGO M'zSUD7PDE"CZXBO$#M
'z;h*YNG<,+M'z+SUBDa0_Y:fu?#
v 1C'CJ;v=PXBO$_TDTs1xPXBO$#ZbVivB\xC
J,RC'U=;v5wh*XBO$D{"#
Windows @f%;"adC
>Z|,(}Te~9C SPNEGO O$45V Windows @f%;"ayXkjID
dC=h#";GT?v=(<h*yPD=h#*dC SPNEGO O$,jITB?
v=h:
=h 1:+e~~qwdC= Active Directory r
*Nk Kerberos M Internet Explorer .dD;;,e~~qwXkZ Active Directory
Kerberos rP_P;vm]#bh*r Active Directory rXFw"ae~#;s
Explorer browser /@wI{CC'D Windows G<>$4CJe~v?~qw#
PXgN+e~~qwwzDm]mS= Active Directory rD8>E",kND
Microsoft D5#
":
1. Z Windows P,1!e~~qw(Z;v~qw5})Zk Active Directory rX
Fw*519C>X~qJ'm]#
2. Z UNIX P,7#C'{ke~~qwwzDwz{`%d#k;*9C+r{#
}g,TZ53 diamond.subnet2.ibm.com,4(C' diamond#;h*C'ZB;
NG<1|D\k#k;*+\khC*=Z#
=h 2:+ Kerberos we3d= Active Directory C'
T Active Directory rXFwD Internet Explorer M'zksksCJ{FD kerberos
we:
HTTP/DNS_name_of_plug-in_server@Active_Directory_domain_name
Xk+C{F3d=zme~v?~qw5}D Active Directory C',gOf=h 1
P4(DC'Gy#
K3dh* ktpass 5CLr#1!ivB,Z Windows 53OI\40k ktpass 5CLr#IS Windows CD D Windows 'V$_m~|Pq!K5CLr#
Windows: "ae~~qwD~qwe{F#Z Active Directory rXFwO,KP
ktpass |n#}g,1e~wz* diamond.subnet2.ibm.com R Active Directory r
* IBM.COM 1,|n*:
ktpass -princ HTTP/diamond.subnet2.ibm.com@IBM.COM -mapuser diamond
UNIX: kjITB=h:
1. Z UNIX 53P,}3dC'b,9Xk4( keytab D~TcZ"a= Kerberos
rP19CCD~#o(*(w*;Pdk):
ktpass -princ HTTP/DNS_name_of_WebPI_server@Active_Directory_domain_name -pass your_password -mapuser WebPI_server_instance -out full_path_to_keytab_file -mapOp set
ZOfD|nP,-mapuser !n8(DC'm]* Active Directory C'#K&8
(D\kXhK Active Director C'D\k#nC!q2+LHO_D\k,}g
fzzID\k# keytab D~I;ZNb;C##tK\k,TcZsfD=hP
CZbTzD Kerberos dC(1bTS UNIX zw= Active Directory \?V"
PDDO$1)#
2. + keytab D~+M= UNIX 53#7#9CDG2++M=(#(iD;C*:
/opt/pdwebpi/etc/key_tab_filename
3. *K5VnQD2+T,kS Windows 53>} keytab D~#
4. Z UNIX 53P,+CD~DyP(8(x pdwebpi,"^F keytab D~DmI
(,9C;PyP_EICJ|#}g:
# chown pdwebpi keytab_file
# chgrp pdwebpi keytab_file
# chmod 600 keytab_file
5. TZ UNIX ~qw,T?ve~5}X4TO=h#
=h 3:20 Kerberos KP1M'z(vkT UNIX)
20Ke~D~qwXk20 Kerberos KP1#Z Windows 53P,Kerberos KP
1M'zGYw53D;?V#;h*d|m~|#
Z UNIX 53O,20J1Dm~|:
v AIX
IBM Network Authentication Service M'z#
KM'zIZ AIX Expansion Pack PR=#
v Solaris
– IBM Network Authentication Service M'z#
KM'z|,Z Tivoli Access Manager Web Security CD P#9C pkgadd x
P20#
– SUN Kerberos Client SUNWkr5cl#
IBM Network Authentication Service M'zh*Cm~|#
Km~|G SEAM m~|D;?V,IS Sun Web >cOBX#
v Linux
MIT Kerberos V1.2.5
=h 4:dC Kerberos M'z(vkT UNIX)
XkdCO;=P20D Kerberos M'z#bh*4(r^D Kerberos dCD~#Z
Solaris M AIX P,CD~* /etc/krb5/krb5.conf,Z Linux P,CD~*
/etc/krb5.conf#jIJCZzDYw53D8>E":
AIX
9C mkkrb5clnt 5CLr#K5CLr4("jI /etc/krb5/krb5.conf#
1. KP mkkrb5clnt#o(*:
mkkrb5clnt -r Active_Directory_domain -c Active_Directory_controller_DNS -s Active_Directory_controller_DNS -d local_DNS_domain
}g:
mkkrb5clnt -r IBM.COM -c dc1.ibm.com -s dc1.ibm.com -d dns.com
2. V$`- krb5.conf T}%NN;\ Active Directory 'VD\khC#
[libdefaults]
default_tkt_enctypes = des-cbc-md5 des-cbc-crc
default_tgs_enctypes = des-cbc-md5 des-cbc-crc
K=h}% des3-cbc-sha1#
Solaris M Linux
V$`- krb5.conf#*zDr(domain)(FTBE":
v r(realm)#}g:IBM.COM
v Active Directory XFw~qw{#}g,dc1#
v r(domain){#}g,ibm.com#
v DNS {#}g,ibm.com#9CTO>}5,Kerberos dCD~DZ]+|,TBu
?:
Pv krb5.conf PD?Vn:
[libdefaults]
default_realm = IBM.COM
default_tkt_enctypes = des-cbc-md5 des-cbc-crc
default_tgs_enctypes = des-cbc-md5 des-cbc-crc
[realms]
IBM.COM = {
    kdc = dc1.ibm.com:88
    admin_server = dc1.ibm.com:749
    default_domain = ibm.com
}
[domain_realm]
dc1.ibm.com = IBM.COM
.ibm.com = IBM.COM
TO>}D~PDns;P(.ibm.com = IBM.COM)m>e~v?~qwZdPKPT
0C',S=D DNS r#k"bns;PPZ IBM r.0Ddc(.)#|w*
ibm.com rPyPSrMwzD(d{#
":Z9CKF* Heimdal D Kerberos f>D United Linux P,*cZbT,I\
h*+TBPmS= [libdefaults] ZP#
[libdefaults]
default_etypes = des-cbc-md5 des-cbc-crc
default_etypes_des = des-cbc-md5 des-cbc-crc
=h 5:i$ Web ~qwweDO$(vkT UNIX)
9C kinit Lr4i$e~v?~qwD Kerberos weGqIO$#9CZ=h 2 P
KP ktpass 18(D\k:
# /usr/krb5/bin/kinit diamond@IBM.COM
Password for diamond@IBM.COM: server_password
# klist
z&14= klist D3vdvT>K diamond@IBM.COM D>$
":kinit 5CLrD;CI\ay]Yw53=(xPy;,#
=h 6:9C keytab D~i$e~O$(vkT UNIX)
9C=h 2 P4(D keytab D~i$e~GqIO$#T;,xPdkTB kinit |
n:
# kinit -k -t /var/pdweb/keytab-diamond/diamond_HTTP.keytab HTTP/diamond.subnet2.ibm.com@IBM.COM
# klist
z&4= klist D3vdvT>K HTTP/diamond.subnet2.ibm.com@IBM.COM D>$
=h 7:Ze~ZtC SPENGO O$
*Ze~ZtC SPNEGO O$:
1. +5 spnego 8(xe~dCD~ pdwebpi.conf D [common-modules] ZPD
authentication N}#
[common-modules]
authentication = spnego
2. Z [authentication-mechanisms] ZZ,+ kerberosv5 N}hC*2+T*;
cSZ(stli)2mbDxT76#}g:
AIX: kerberosv5 = /opt/PolicyDirector/lib/libstliauthn.a
d| UNIX:
kerberosv5 = /opt/PolicyDirector/lib/libstliauthn.so
Windows:
kerberosv5 = C:\PROGRA~1\Tivoli\POLICY~1\bin\stliauthn.dll
3. Z [spnego] ZZ,hC:
v spnego-krb-service-name * HTTP r
HTTP@fully_qualified_host_domain_name#
v spnego-krb5-keytab-file *e~9CD keytab D~D+76{#vZ UNIX =
(OEh*K5#Z Windows =(O,vTK!n#
=h 8:Z Web ~qwZtC SPENGO O$
** IIS tC SPNEGO,k7# Web ~qwDCJ_T(Z?<2+T!n(Ph
C)hC*d{#TZd| Web ~qw,IS\1!dC#
*Z Internet Explorer M'zZtC SPNEGO:
1. g{e~20Z UNIX O,r+>XZ?xxrdC*|, UNIX ~qwD{F:
a. !q$_ → rXx!n#
b. S2+T!n(!q>XZ?x → >c → _6rIE>c → >c#
c. dk}ZKPe~D UNIX ~qw#
2. dC/IG<P*:
a. !q$_ → rXx!n#
b. S2+T!n(%w(F6p#
c. rBv/=2+ThCT0rPDG<?V,;sy]zh*D&\!qT/...
ra>...#
":g{ZOfD=h 1 P!qKIE>c!n,+@;a>C'dkC'{M
\kE"#
3. g{M'z* Internet Explorer V6,rh*dC/I Windows G<#*jIKY
w:
a. !q$_ → rXx!n#
b. S_6!n(P,!PtC/I Windows G<#
c. XBt//@wT9|Dz'#
JOoO<IKerberos dC
v Jb:19C kinit bT* UNIX ~qw4(D keytab 1,vVms0q!u<>
$1,1S+n}`#1
bv=8:19C Kerberos 1,Xk#V1S,=#*@CbvKJb,IZzw
O?p3V1d,=~q#*Y1bvKJb,Iw{zwOD1S,9|G.d
Dsn;,};VS#
v Jb:19C kinit bT* UNIX ~qw4(D keytab 1,vVms0q!u<>
$1$O$'\1r0q!u<>$1\kms1#
bv=8:keytab D~PD\?;}7#7#}7zI keytab D~,"Rwe{F"
Active Directory C'{M76}7#
v Jb:1KP kinit -k -t 1 kinit @#
bv=8:1Z keytab D~P;PR=3;u?1,3)f>D kinit ;\}7&m
Jb#P8li keytab D~PGqPkz}Z+]x kinit Du?j+`,Du?#
Tivoli Access Manager Plug-in for Web Servers dC
v vVJb1,<GtCT SPNEGO DzY#+;vu?mS=7ID~#C7ID
~;Z20?<BD etc/routing P#u?>}:
bst:*.9:TEXTFILE:install_path/log/spnegotrace.log
Z UNIX O,e~1!20?<* /opt/pdwebpi#CC76f;zD20?<##
9"XBt/e~#ZzYD~PiRms{"#
v J b : e ~ ~ q w ; t / # U > D ~ | , m s { " 0 4 d C O $ = (
(kerberosv5)#1
bv=8:Ze~dCD~D [authentication-mechanisms] ZPtC kerberosv5
O$=(#
v Jb:e~;t/#ms{"*02+~q&\ gss_import_name 5Xw*msk
131072 MN*msk -1765328168#1
bv=8:ZdCD~P8(Dwe{F^'#|Dq=&*
0HTTP@host_name1,dP host_name GdC= kerberos r(realm)DFczD
+^( DNS {#
v Jb:e~~qw;t/#ms{"*:02+~q&\ gss_acquire_cred 5Xw*
msk 851968 MN*msk 397560331#
bv=8:dCD~PDwe{Fk8(D keytab D~PDNN\?y;%d#
keytab D~PD\?{F`FZ HTTP/host_name@REALM#we{FDq=&*
HTTP@host_name
v Jb:1C'"TCJe~1SU=ms0HPDIA0100E v=Z?ms#1e~zY
U>D~|,{"02+~q&\ gss_accept_sec_context 5Xw*msk 851968 M
N*msk5Xw*msk 851968 MN*msk -1765328347#1
bv=8:M'zOD531Ske~~qwOD531S;,=#19C Kerberos
1,Xk#V1S,=#*@CbvKJb,IZzwO?p1d,=~q#*Y
1bvKJb,Iw{zwOD1S,9|G.dDsn;,};VS#
vVJb1*liDd|dCn
v li keytab D~DD~mI(MyP(GqJme~ authorization server TdxP
CJ(gZ 64 3D:=h 2:+ Kerberos we3d= Active Directory C';Py
v)#
v (}9C ktutil 5CLrT>|,Z keytab D~PDE"4li keytab D~Gq
|,}7we{FDP'}]M\?#
v li{vr(rXFwMM'z)D DNS dCGq}7,R{FGq}7bv"k
;,;C(keytab D~"e~dCD~H)P~qwe{FdCnPD5%d# .
v liZrPDyP53O531SGq,=RV<=1d~qGq#V1S,=#
v lixgdCGq}7,R;Png5{"7Ims"{Fe;.`DJb#7#
H}1dZI]LD6'Z#7#@p="NAT T0d|xg2+~q;aIErD
Kw#
dC NTLM O$(vkT IIS =()
If>D Windows =(a)F* NT Lan Manager(NTLM)O$Dy>%;"a
(SSO)zF#KO$=(yZ"Pc(,Cc(a)ky>O$`FD2+T6p
MYw#e~'V NTLM O$,TcZHxD Windows =((XP"2000)kng
Windows NT HOg53.dDrsf]#e~vZ Windows IIS =(O'V NTLM,
x;'V UNIX =(#
*tC NTLM O$,+5 ntlm 8(xe~dCD~ pdwebpi.conf D
[common-modules] ZPD authentication N}#
[common-modules]
authentication = ntlm
*tC NTLM O$,7# IIS Web ~qwDCJ_ThC*d{#
*dC Internet Explorer TNk NTLM(M SPNEGO);;:
1. dC/IG<P*:
a. !q$_ → rXx!n#
b. S2+T!n(%w(F6p#
c. rBv/=2+ThCT0rPDG<?V,;sy]zh*D&\!qT/...
ra>...#
":g{ZOfD=h 1 P!qKIE>c!n,+@;a>C'dkC'{M
\kE"#
2. g{M'z* Internet Explorer V6,rh*dC/I Windows G<#*jIKY
w:
a. !q$_ → rXx!n
b. S_6!n(P,!PtC/I Windows G<#
c. XBt//@wT9|Dz'#
e~dCD~D [ntlm] ZPD use-pre-windows-2000-logon-name N}ICZdC
Windows 2000 r Windows 2000 T0f>DC'{q=#1!ivB,Z Tivoli Access
Manager P ntlm #i9C Windows 2000 G<{m>QO$C'#|G
username@domain.com G<{D username ?V#Z Tivoli Access Manager P
use-pre-windows-2000-logon-name N}JmC Windows 2000 T0f>DG<{m
>QO$C'#|G DOMAIN\USERNAME G<{D username ?V#g{ Tivoli
Access Manager 9C Active Directory w*|DC'"am,rvTKN}#TZ Active
Directory,C'D Tivoli Access Manager C'{<UG username@domain.com G<{
D username ?V#
dC Web ~qwO$(vkT IIS =()
;) Web ~qwa)>z4PO$D\&#K\&D>}.;G IIS 4P/I
Windows G<(SPNEGO"NTLM r BA)D\&#e~IdC*9CK>z Web ~
qwO$,CO$`E Web ~qwQdV4P2+O$li#e~D Web ~qwO
$10vZ IIS O\'V#
*Ze~PtC Web ~qwO$,+5 web_svr_authn 8(xe~dCD~
pdwebpi.conf D [common-modules] ZPD authentication N}#
[common-modules]
authentication = web_svr_authn
*dC Internet Explorer TNk NTLM(M SPNEGO);;:
1. dC/IG<P*:
a. !q$_ → rXx!n#
b. S2+T!n(%w(F6p#
c. rBv/=2+ThCT0rPDG<?V,;sy]zh*D&\!qT/...
ra>...#
":g{ZOfD=h 1 P!qKIE>c!n,+@;a>C'dkC'{M
\kE"#
2. g{M'z* Internet Explorer V6,rh*dC/I Windows G<#*jIKY
w:
a. !q$_ → rXx!n#
b. S_6!n(P,!PtC/I Windows G<#
c. XBt/FczT9|Dz'#
I(}hCe~dCD~D [web-server-authn] ZPD
use-pre-windows-2000-logon-name N}+ web-server-authn O$#idC*9C
Windows 2000 r Windows 2000 T0f>DC'{q=#
1!ivB,Z Tivoli Access Manager P web-server-authn #i9C Windows 2000
G<{m>QO$C'#|G username@domain.com G<{D username ?V#Z Tivoli
Access Manager P use-pre-windows-2000-logon-name N}JmC Windows 2000
T0f>DG<{m>QO$C'#|G DOMAIN\USERNAME G<{D username ?
V#g{ Tivoli Access Manager 9C Active Directory w*|DC'"am,rvT
KN}#TZ Active Directory,C'D Tivoli Access Manager C'{<UG
username@domain.com G<{D username ?V#
dCJO*FO$
>Z|,TBwb:
v :JO*FO$En;
v Z 76 3D:JO*FO$dC;
JO*FO$En
e~a);VO$=(,1e~v?~qw;IC1,CO$=(ZM'zM*#t
De~v? Web ~qw.dtCQO$a0#K=(F*JO*FO$#JO*FO
$9M'z,S=m;ve~v? Web ~qw,"4(|,`,C'a0}]MC'
>$DO$a0#
JO*F cookie &\(#)M'C4(}:XybzF,S=4FD0K Web ~q
w#1~qwMM'z.dD-<a0d*;IC1,JO*F cookie I@9?FDX
BO$#
9C*Z(s&mdCDJO*F cookie,e~S\~qwX(Drr6'D cookie P
D>$}]#1M'zZ;N,S1,cookie GEZ/@wOD#g{u< Web ~q
wa0*',r9 cookie T>xM'z*X(rDB;v~qw#cookie CZT/D
XBO$,byM'zM;CV/4PXBO$DNqK#4FD~qwODe~2
m;v+2\?,|b\ cookie Py,D>$E""("BDa0#
O<T>KdMDe5a9,Ca9+SJO*F cookie D9Cqf#,; Web ~q
wD}v`,5};Z:X=b~qws,C~qwy]:XMICT+ks(r=
}v~qw.;#}g,Y(+ www.ibm.com D?v5}dCI9CJO*F cookie
O$M'zCJ,9+ddCI9CJO*F cookie xPZ(s&m#M'zCJ
www.ibm.com "(r=~qwD5} 1 4xPI&O$#+S\M'zD>$"+d
f"Zr6'D cookie P,C cookie f"ZM'z/@wP#g{Za0Zd,M'
zh*CJ www.ibm.com D5} 2 r5} 3(}g,g{5} 1 "zJOrhsd
C+s),r9Cf"ZM'z/@wPDJO*F cookie xPT/XBO$,x^h
C'I$#-<a0t/1df cookie #t,byZ"z=JO*F~qwDT/X(
r1a0zfZDj{T#VP'#
JO*FO$&C!O
w*JO*F&\D;?V,e~9CJO*F cookie 'VC'O$#JO*F cookie
GX(Z~qwD cookie rr cookie#JO*F cookie |,X(ZM'zD}],}
gC'{"cookie 4(1dAG"-<O$=(MtTPm#1!ivB,CtTPm
|,C'DO$6p#e~IdC*+X()9tTmS=tTPm#
e~TKX(ZM'zD}]xPS\#4FDe~v? Web ~qw2m;v+2\
?,C\?T cookie E"xPb\#14FDe~~qwU=K cookie 1,|T
cookie xPb\,"9CC'{MO$=(4XBzIM'zD>$#Ke~2IdC
*+Nb)9tTS cookie 4F=C'>$#VZM'zI("k1>e~v?~qw
.dDBa0,x;a;a>G<#
":JO*F cookie ICZ HTTP r HTTPS#
JO*FO$B~DB~3r*:
1. M'z(/@w)"TCJ\#$J4#M'zks=o:Xybw,C:Xyb
wXFT4FD~qwDCJ#
< 5. JO*F cookie DdM~qwe5a9#
2. :Xybw!q?j~qw"*"C'ks#
3. e~9C\'VDO$=(.;9M'zI&O$=~qw#
4. e~4(|,M'zO$E"DJO*FO$ cookie,;s+K cookie "MxM'
z#
5. M'z(}:Xybw+ cookie ,,?vsxDks"M=e~#e~&m?vk
s#
6. g{:Xybw"Ve~v?~qw;ICJ,r+M'zks(r=m;v4F
De~v?~qw#
7. +4FD~qwODe~dC*Z?N"TO$C'1liJO*FO$ cookie G
qfZ#
8. e~9C cookie PDE"4("kM'z.dDa0,x;h*M'zYNV$G
<#9(M'zDa0}]MC'>$,"&mT\#$J4Dks#
9. S;ve~v?~qw=m;ve~v?~qwDa0|DTZM'z45G8w
D#IZe~v?~qw|,j+`,DJ4,rKM'za0LxxPR;a\
=IE#
JO*FO$b
e~*?v\'VDO$=(a)ZCJO*FO$2mb#?vJO*F2mb*
`&DO$=(#b2mb,Kb,|9V4nu;ZC'>$PDNb)9tT#
1"zJO*FO$B~1,e~wCkC'Z-<~qw'\0ns;N9CDO
$=(`%dDJO*FO$b#
e~*TBO$=(a)JO*FO$&\:
v y>rm%O$(2F*\kO$)#
v nF(O$,
v $iO$,
v HTTP ksO$,
v gr%;"a(CDSSO),
v Kerberos O$(SPNEGO)#
e~a);vj<JO*F2mb,CZTOyPO$=(#Z UNIX 53O,KbF
* libfailoverauthn,Z Windows O,KbF* failoverauthn#
":r_,z2Ia);v(F CDAS b,Cba)zD73yh*DX(O$&\#
}g,I+e~dC*'Vm%O$MJO*FO$#1e~t/1,m%O$2m
bM0JO*F - m%1O$b<a;0k#C'9Cm%O$xPO$#e~~q
w+JO*FO$ cookie "Mx?vM'z(/@w)# cookie }]8( cookie Zm
%O$73P4(#
1e~v?~qw;IC1,+JO*F cookie "MxZ~ve~v?~qw#Z~v
~qw((#G4FD~qw)2aZe~P0km%O$2mbM0m% - JO*
F1b#ZZ~v~qwODe~5}SUJO*F cookie,"T|xPliT7(C
'DH0O$=(#ZZ~v~qwODe~wC0JO*F - m%1O$2mb4
S cookie Pi!XhD}],;s9CC}]O$C'"q!C'>$#
}g,1Z4FDe~73PtCKm%O$MJO*FO$1,XkZe~dCD
~PdC=v%@Db#;vb8(m%O$=(b#m;vb8(JO*FO$=
(b#dCD~u?>}*:
[authentication-mechanisms]
passwd-ldap = /opt/pdweb/lib/libldapauthn.so
failover-password = /opt/pdweb/lib/libfailoverauthn.so
ZK}P,passwd-ldap Zu?8(e~DZCm%O$b#failover-password Zu
?8(e~DZCJO*FO$b#
rJO*F cookie PmS}]
e~T/+X(}]SC'a0mS=?vJO*FO$ cookie#e~IdC*S>$
_Y:fP#tDM'z}]mS=SE"#Kb,e~9IdC*mSX(Z?p
DC'(eD}]#}g,(FgrO$~qq!DC'tTImS= cookie P#
1!ivB,e~+TB}]mS=?v cookie:
v C'{
K{FkC4j6C'"amPC'D{F`{#
":1QO$C'9CKe~DP;C'&\4q!m;vC'DP'm]1,G
vC'Dm];amS= cookie P#;P-<DQO$C'm]EamS=
cookie P#
v O$=(
KO$=(CZ+C'O$=e~#
v Cookie 4(1d
1 cookie 4(1D531d#
e~94(|,=S}]DtTPm#1!ivB,tTPm|,;v5:
v O$6p
ke~DO$?H6p(2*{}5)`{D{}5,Z>Xe~v?~qwO+
C6p8(xO$=(#O$?H(2F*]}=O$)9C'IT;,DO$=
(O$x;h*"z#
e~(eKImS= cookie tTPmD=SC'}]:
v a0zfZ1dAG
1C'O$1,e~zYa0_Y:fPC'u?D9CZ^rzfZ#a0zf
Z1dAGI101dT0;Z|0fD"dCCZC'a0}]I#tZa0_
Y:fPDn$1dDk}iI#10531d,}1dAG51,e~9a0_
Y:fPDC'u?^'(|(C'>$)#
I+e~dC*+a0zfZ1dAGmS= cookie#1C1dAGmS= cookie
1,IgJO*FB~#ta0zfZ(1w#rK,1Z4FD~qwO("M
'za01,e~\m1I!qGq4;M'zDa0(1w#
k"b\qI&9CK&\!vZ4FDe~v?~qw.dD1S,=#g{1
SEE+n}`,a0+Z;#{D1d=Z#
v a0;n/1dAG
e~9zYe~a0_Y:fPC'u?&Z;n/4,D1d?#1C'a0&
Z;n/4,D1d$H,}K*a0;n/hCD5,re~9C'a0^'#
a0;n/1dAG2ImS=JO*FO$ cookie P#K1dAGke~a0_
Y:f#fDa0;n/1dAGTP;,#_Y:f#fD53;n/,1I(
}+=v5`aOFc:
– 10531d
– C'a0I#V;n/4,Dnsk}#
1+K5mS=JO*FO$ cookie 1,|k;v=S5`aO:
– JO*FO$ cookie D|B.dDnsk}(1ddt)
TJO*F cookie D|B.dD1ddtDhCa0lT\#\m1XkZnQT
\M cookie P;n/(1wDxT<7T.d!q;v=bc#*9;n/(1w
#VnQ<7T,&ZC'?N"vks1MT|xP|B#+G,cookie Z]D5
1|Ba<B*z}s,Sx9T\B5#
?v\m1Xk!qnJOe~?pD1ddt#Z3)ivB,?1C'"vk
s1MTJO*F cookie xP|BGOJD#Zm;)ivB,\m1I\!q@
;|BJO*F cookie PD;n/(1w#
v =S)9tT
\m1I+e~dC*+;i(FDtTekJO*F cookie#I%@8(tT,2
I4i8(tT#*8(;itT,ZdCD~u?P9C(d{#=%d#K&
\Z,y9C(FO$b(}ggrO$~qw)+X(tTekC'>$D?p
PGG#PCD#(}Ze~dCD~P8(b)tT,\m1I7#ZJO*F
O$}LPtTICZmS=XB4(DC'>$P#
":JO*FO$ cookie Dnss!* 4 'VZ(4096 VZ)#
SJO*F cookie Pi!}]
1"zJO*FO$B~1,e~SUJO*FO$ cookie "Z1!ivBS?v
cookie i!TB}]:
v C'{,
v O$=(,
v Cookie 4(1d#
e~WH(}S531du% cookie 4(1d"+K5kJO*F cookie zfZDe
~dCD~u?`HO47( cookie GqP'#
g{,}K cookie zfZ,r cookie ^',R;a"TxPJO*FO$#g{;P
,} cookie zfZ,re~9CC'{MO$=(4O$C'"9(C'>$#
;se~lidChCT7(Gq&i!"@@=S cookie }]#k"b1!ivBe
~;aSJO*FO$ cookie Pi!d|NNtT#XkZe~dCD~P8(?v*
i!D=StT#(d{#=%dICZq!tTi#
e~IdC*i!TB(eDtT:
v O$6p
1i!K51,e~9C|47#C'G(}#V8(O$6pyhDO$=(4
O$D#
k"be~IS8v;,DX=q!O$6p:
– JO*F cookie
– JO*FO$b
– grO$~q
– Z(~q
SJO*F cookie i!DO$6pEHZSd|X=q!DO$6p#
v a0zfZ1dAG
e~I9CK1dAG47(-<~qwa0_Y:fPDC'u?Gq=Z#g
{=Z,re~+OzK cookie 0dyPD1Z>$tT#;#ta0zfZ,R
a>C'G<#
v a0;n/1dAG
e~I9CK1dAG47(-<~qwa0_Y:fPDC'u?GqQ&Z;
n/4,P\$;N1dK#g{Gby,re~+OzK cookie 0dyPD1Z
>$tT#;#ta0zfZ,Ra>C'G<#
":I&9Cb)1dAGh*4FDe~~qw.dD1S,=#g{1SEE
+n}`,a0+Z;#{D1d=Zrd*;n/#
v =S)9tT
b)tT|(C'(eD(FtT,}ggrO$~qzIDtT#e~+b)t
TmS=C'>$P#
4Ze~dCD~P8(DtT+;vT,R;a;i!#Kb,\m1I8(ZJ
O*F cookie i!}LPXkvT3)tT#!\vT*1!P*,+K8(GPC
D,}g,I7#C'tTGSC'"amx;GSJO*F cookie q!D#
r6'ZDJO*FO$
e~'V;vI!dC,CdC9CJO*FO$ cookie ;jG*ZJO*FO$}L
PICZ Tivoli Access Manager rPNbT0d|yPe~v?~qw#KdC!n
9CJO*FO$ cookie ICZ;h*P:XybwM4FDe~v?~qwD?p#
1M'za0(}JO*FO$B~=o4FDe~v?~qw1,M'zLxCJ
,;i\#$J4#1M'za0(}JO*FO$B~=o"G4FDe~v?~
qw1,M'zI\aCJ;i;,DJ4#ZsM?pP,Tivoli Access Manager r
ZDJ4VxG\#{D#IvZT\M\m=fD?DxPVx#
1M'zDks9C|%ks^((}>X~qwCJDJ41,r6'ZDJO*
FO$ICZ+M'zX(r=m;v~qw#ZbVivB,+M'z(/@w)
X(r=m;ve~v?~qw#SUe~IdC*iRJO*FO$ cookie#e~"
TO$M'z,"6pJO*FO$ cookie#(}9C cookie,e~;h*a>M'z
a)G<E",+IT("kM'zDa0,"9l;iP'DC'>$#
rsf]T
V5.1 .0f>De~Imb"A!({D)V5.1 De~zIDJO*F cookie#,y,
V5.1 De~Imb"A!({D)Ogf>(V5.1 .0f>)De~zIDJO*F
cookie#4kOgf>(V5.1 .0f>)e~D(FJO*F cookie D CDAS #i+
k V5.1 De~;p$w#
*7#j+Drsf]T,a)TB&\:
v e~IdC*Z;fZa0zfZ1dAG1yZJO*F cookie Z]O$C'#
Z V5.1 .0DJO*FO$ cookie P;fZa0zfZ1dAG#
v e~IdC*Z;fZa0;n/1dAG1yZJO*F cookie Z]O$C'#
Z V5.1 .0f>DJO*FO$ cookie P;fZa0;n/1dAG#
v Q* V4.1 De~|BKCZS\JO*FO$ cookie PM'z}]Dc(#19
C V4.1 .0f>De~1,dCD~hCIhC*tCTOg`MD cookie DC
J#
v e~IdC*TJO*F cookie PDV{.;9C UTF-8 `k#(}T V5.1 De
~O4(D cookie ;9C UTF-8 `k,Ogf>(V5.1 .0f>)De~Imb
"A!({D)b) cookie#
}6JO*FO$
Ze~dCD~P,[failover-add-attributes] M [failover-restore-attributes]
Zf;K V5.1 .0f>D [failover-attributes] Z#
ZS Tivoli Access Manager V4.1 }6=10 Tivoli Access Manager f>D}LP,
[failover-attributes] Z0dZ];(F= [failover-add-attributes] ZP#
C}6}LGT/D,Z20e~1xP}6#;h*Tb)u?xPV$}6#
JO*FO$dC
>ZhvgNdCJO*FO$#
g{z;l$JO*FO$DEn,kXKZ 70 3D:JO*FO$En;#
*dCJO*FO$,jITBNq:
1. #9e~~qw#
2. *tCJO*FO$,kjITB?vNq:
a. Z 77 3D:tC9CJO*F cookie DO$;
b. Z 77 3D:8(JO*FO$b;
c. Z 78 3D:* cookie }]4(S\\?;
d. Z 78 3D:8( cookie zfZ;
e. Z 57 3D:8(T BA 7xP UTF-8 `k;
3. I!q+e~dC*gJO*FO$a0#Va04,#g{KdCJCZzD?
p,kjITB8>:
a. Z 80 3D:mSa0zfZ1dAG;
b. Z 80 3D:mSa0n/1dAG;
c. Z 80 3D:mS|Bn/1dAGD1ddt;
4. I!q+e~dC*+)9tTmS=JO*F cookie:
v Z 81 3D:mS)9tT;
5. 1+e~dC*+tTmS=JO*F cookie s,Xk+e~dC*ZA! cookie
1i!tT:
v Z 81 3D:8(i!DtT;
6. I!qtCJO*FO$ cookie CZrZDNbe~v?~qw#g{KdCJC
ZzD?p,kND
v Z 82 3D:tCr6'ZDJO*F cookie;
7. g{h*#Vrsf] V5.1 .0f>De~v?~qwzIDJO*FO$
cookie,kjITB8>:
a. Z 57 3D:8(T BA 7xP UTF-8 `k;
b. Z 82 3D:*si$zfZ1dAG;
c. Z 83 3D:*si$n/1dAG;
d. Z 83 3D:*S\tCrsf]T;
8. ZjIyPJCZzD?pD8>s,XBt/~qw#
tC9CJO*F cookie DO$
pdwebpi.conf dCD~PD [common-modules] Z(eKyPO$=(D9C#I
T+JO*F cookie dC*4PO$MZ(sNq#
dC*9CJO*F cookie xPZ(s&mDe~T>$xPS\,"+dw*JO*
F cookie f"ZBql&P#
dC*9CJO*F cookie 4PO$De~,9CSBqksPR=DJO*F cookie
PDS\>$XBO$M'z#
*tC9CJO*F cookie DO$MZ(s&m,k+}C0failover18(x
authentication M post-authzn N}:
[common-modules]
authentication = failover
post-authzn = failover
pdwebpi.conf dCD~PD [modules] Z(eyPICDO$zF0dX*D2mb
{F#7#JO*FO$u?fZ:
[modules]
failover = pdwpi-failovercookie-module
8(JO*FO$b`-e~dCD~#Z [authentication-mechanisms] ZP,TXk'VJO*F
cookie DO$`Mu?!{"M#mSJCZYw53`MDe~JO*F cookie b
D{F#
1!dCD~u?*:
[authentication-mechanisms]
#failover-password = failover_password_library_filename
#failover-token-card = failover_token_card_filename
#failover-certificate = failover_certificate_filename
#failover-http-request = failover_http_request_filename
#failover-cdsso = failover_cdsso_filename
#failover-kerberosv5 = failover_kerberos_library
e~a);vj<JO*F2mb,CZTOyPO$=(#XZb{,kN<B
m:
m 13. JO*FO$bD~{
Solaris libfailoverauthn.so
Linux libfailoverauthn.so
AIX libfailoverauthn.a
Windows failoverauthn.dll
}g,**nuZ Solaris O(}m%O$xPO$DM'ztCJO*FO$,T
failover-password u?!{"M"mSb{:
[authentication-mechanisms]
failover-password = libfailoverauthn.so
r_,1*;vr`vO$=(*"K5VJO*FO$D(Ff>D CDAS b1,+
(F CDAS D{Fw*dCD~X|V5ek#}g,g{*m%O$*"K(F
CDAS,rdkxT76{:
[authentication-mechanisms]
failover-password = /dir_name/custom_cdas_failover_library.so
* cookie }]4(S\\?
9C cdsso_key_gen 5CLr4#$ cookie }]#K5CLrzIT cookie PD
}]xPS\Mb\DTF\?#
/f: g{4+e~dC*TJO*FO$ cookie xPS\+QtCKJO*FO
$,re~+zIms"\xt/#XkTJO*FO$ cookie xPS\#
1. ZdP;v4FD~qwOKPC5CLr#S|nP8(k*4(D\?D~D
;C#Xk8(xT76{#
}g:
UNIX:
# /opt/pdwebrte/bin/cdsso_key_gen absolute_pathname_for_keyfile
Windows:
MSDOS> C:\Program Files\Tivoli\PDWebrte\bin\cdsso_key_gen absolute_pathname_for_keyfile
zI*\?D~8(NbOJD{F,}g /opt/pdwebrte/lib/wpi.key#
2. `-e~dCD~#Z [failover] ZP8(\?D~D;C#
[failover]
failover-cookies-keyfile = absolute_pathname_for_keyfile
3. +\?D~V$4F=?v#`D4FD~qwP#
4. Z?v4FD~qwO,`-e~dCD~,T* [failover] ZPD
failover-cookies-keyfile a)}7D76{#
8( cookie zfZ
`-e~dCD~#*JO*F cookie 8(P'zfZ#
[failover]
failover-cookie-lifetime = 30
1!zfZ* 30 VS#
8(T cookie V{.xP UTF-8 `k
`-e~dCD~#8(e~Gq&TJO*F cookie ZDV{.9C UTF-8 `k#
[failover]
use-utf8 = true
1!5* true#
1Ze~v?~qw}Z9CD,;zk3P4+ cookie PDC'{r>$tTxP`
k1,&9C UTF-8#1!ivB,e~'V UTF-8 `k#1e~?pPDyP~q
wy9C UTF-8 `k1,+K5#t*1!hC true#
rsf]T
V5.1 .0f>De~20;9C UTF-8 `k#rK,b)~qw4(D cookie ;T
dV{.9C UTF-8 `k#1e~5}k V5.1 .0f>De~;pKP1,e~;
&9C UTF-8 `k#
*5Vrsf]T,+ use-utf8 hC* false#
[failover]
use-utf8 = false
PXe~T UTF-8 `kD'VD|`E",kNDZ 32 3D:oT'VkV{/;#
8(O$6p
e~a)m`;,D=(48(O$6p#TZJO*F cookie,P=V=(I)9
C#;V=(GZJO*F cookie PhCO$6p#m;V=(GZwCJO*FO$
b1hC6p#
1=V=(<9C1,JO*F cookie PDO$6pEHZwCb1hCD6p#
g{=V=(<4dC,r(} [authentication-levels] Z+O$6phC*kJO*
F=(`X*DO$6p#
b=V=(*:
v ZJO*FO$ cookie P8(O$6p#
+O$6pmS=e~dCD~#Xk9CZu?X|V AUTHENTICATON_LEVEL:
[failover-add-attributes] r [failover-add-attributes:virtual-host]
AUTHENTICATION_LEVEL = add
AUTHENTICATION_LEVEL D5J5*e~Z?zYD{}#;h*ZKZP8(C{
}#
*#VO$6pI"p=I!X0k cookie,Xk9CTBu?+C5dC*ZSU
K#t:
[failover-restore-attributes] r [failover-restore-attributes:virtual-host]
AUTHENTICATION_LEVEL = preserve
v ZwCJO*FO$b18(O$6p#
1dCZCe~JO*FO$br CDAS b1,I!q8(O$6p,T+d8(
xQO$C'#O$6pG3d*X(O$=(D{},|Ge~O$?H&\D
;?V#
+|nPN}mS=J1DJO*FO$bDdCD~u?P#o(*:
[authentication-mechanisms]
failover_authentication_method = failover_authentication_library& -l level_number
level_number XkkZe~dCD~D [authentication-levels] ZP8(DP'{
}`{#
}g,*Z Solaris 53O*m%O$$nJO*FO$"+O$6p0318(xC
',k4(TBdCD~u?:
[authentication-mechanisms]
failover-password = libfailoverauthn.so& -l 3
mSa0zfZ1dAG
e~(}+TB5`aO4Fca0zfZ1dAG:
v 10531d#
v Jmu?fZZe~>$_Y:fPDn$zfZ(Tk*%;)#
Ze~dCD~D [session] ZP8(Kn$zfZ(Tk*%;):
[sessions]
timeout = 3600
*+K5mS=JO*FO$ cookie,k+TBu?mS=e~dCD~:
[failover-add-attributes]
session-lifetime-timestamp = add
k " b K t T ; I ( } ( d { % d 4 h C # X k d k 7 P D u ?
session-lifetime-timestamp#
mSa0n/1dAG
e~(}+b)5S=;p4Fca0n/1dAG:
v 531d#
v >$_Y:fP;n/u?Dn$zfZ#
ZdCD~D [sessions] ZPhC;n/u?Dn$zfZ:
[session]
inactive-timeout = 600
1!5* 600 k#
v |BJO*FO$ cookie D1ddt#
Ze~dCD~D [failover] ZPhCC5:
[failover]
failover-update-cookie = -1
1!5G -1 k#:{}m>vZxPO$r"B>$1E|BJO*F cookie#X
Z|`E",kND:mS|Bn/1dAGD1ddt;#
*+K5mS=JO*FO$ cookie,k+TBu?mS=e~dCD~:
[failover-add-attributes]
session-activity-timestamp = add
k " b K t T ; I ( } ( d { % d 4 h C # X k d k 7 P D u ?
session-activity-timestamp#
mS|Bn/1dAGD1ddt
I!qZC'a0}LPI|BJO*F cookie PDa0n/1dAG#
Ku?|,JO*F cookie Dn/1dAG|B.dD1ddtD{}5(Tk*%
;)#
1!u?*:
[failover]
failover-update-cookie = -1
failover-update-cookie hC* 0 1,MZ?Nks1|Bn|;NDn/1dAG#
1 failover-update-cookie hC*!Z 0 D{}(Nb:})1,@;|Bn|;N
Dn/1dAG#
1 failover-update-cookie hC*sZ 0 D{}1,cookie PDa0n/1dAG
4Ck}D1ddtxP|B#
*>ZDu?!qD5a0l=T\#kNDZ 73 3D:rJO*F cookie PmS}
];#
mS)9tT
I!q+e~dC*+4TC'>$D8()9tTD1>EkJO*FO$ cookie#
1!ivB,;dC)9tT#
*mS)9tT,k+b)u?mS=e~dCD~D [failover-add-attributes] Z
P#o(*:
[failover-add-attributes]
attribute_pattern = add
attribute_pattern I*X(tT{F,2I*k`vtT{F`%dD;xVs!4D(
d{mo=#}g,*8(yPx0: tagvalue_ DtT,rmSTBu?:
[failover-add-attributes]
tagvalue_* = add
Zu?D3r\X*#Z [failover-add-attributes] POgvVDfrEHZOmC
ZKZPDfr#
;rJO*F cookie mSkNN(d{#=y;%dr4w78(DtT#
8(i!DtT
I!q+e~dC*SJO*FO$ cookie i!tT;s+|GEkC'>$#1!i
vB,;+tTdC*i!#
*i!DtTZe~dCD~D [failover-restore-attributes] ZPyw#o(*:
[failover-restore-attributes]
attribute_pattern = {preserve|refresh}
5 preserve f_e~i!tT"+dmS=>$P#(}K=(hCD5XFZO$
CDAS 4(B>$1hCD,{tT#
5 refresh f_e~Pu~Xi!tT"+dmS=>$P(;P1O$ CDAS 4(
B>$14mS,{tT1)#
attribute_pattern I*X(tT{F,2I*k`vtT{F`%dD;xVs!4D(
d{mo=#}g,*i!yPx0: tagvalue_ DtT,rmSTBu?:
[failover-restore-attributes]
tagvalue_* = preserve
;SJO*FO$ cookie i!k(} preserve 58(DNN#=y;%dDtT#
Zu?D3r\X*#Z [failover-restore-attributes] POgvVDfrEHZO
mCZKZPDfr#
TBtT;I(}(d{#=%d,+Xkw7(e*i!:
v O$6p
[failover-restore-attributes]
AUTHENTICATION_LEVEL = preserve
v a0zfZ1dAG
[failover-restore-attributes]
session-lifetime-timestamp = preserve
v a0;n/1dAG
[failover-restore-attributes]
session-inactivity-timestamp = preserve
tCr6'ZDJO*F cookieIJmk4( cookie De~Z,;r(domain)PDNNe~9CJO*FO$
cookie#K&\(} [failover] ZPDZu?4XF#
1!ivB,r6'ZDJO*F cookie &\G{CD:
[failover]
enable-failover-cookie-for-domain = false
*tCK&\,+ enable-failover-cookie-for-domain hC* true:
[failover]
enable-failover-cookie-for-domain = true
PXtCKZu?D0lDE",kNDZ 75 3D:r6'ZDJO*FO$;#
*si$zfZ1dAG
I!q+e~dC**s?vJO*FO$ cookie |,a0zfZ1dAG#1!iv
B,;h*a0zfZ1dAG#1!dCD~u?*:
[failover]
failover-require-lifetime-timestamp-validation = false
KZu?w*CZrsf]T#
/f: *5Vrsf] V5.1 .0f>De~4(DJO*F cookie,+Ku?hC
* false#V5.1 .0f>De~4(DJO*FO$ cookie ;|,C1dAG#
v 1K5* false,RJO*F cookie P1Ya0zfZ1dAG1,SU~qw+
C cookie SwP'#
v 1K5* true,RJO*F cookie P1Ya0zfZ1dAG1,SU~qw+C
cookie Sw^'#
v 1K5* false r true,RJO*F cookie PfZa0zfZ1dAG1,SU
~qw+@@C1dAG#g{K1dAG^',rO$'\#g{K1dAGP
',rxPO$}L#
":I@"Za0n/1dAGdCa0zfZ1dAG#
*si$n/1dAG
I!q+e~dC**s?vJO*FO$ cookie |,a0n/1dAG#1!iv
B,;h*a0n/1dAG#1!dCD~u?*:
[failover]
failover-require-activity-timestamp-validation = false
KZu?w*CZrsf]T#
/f: *5Vrsf] V5.1 .0f>De~4(DJO*F cookie,+Ku?hC
* false#V5.1 .0f>De~4(DJO*FO$ cookie ;|,C1dAG#
v 1K5* false,RJO*F cookie P1Ya0n/1dAG1,SU~qw+C
cookie SwP'#
v 1K5* true,RJO*F cookie P1Ya0n/1dAG1,SU~qw+C
cookie Sw^'#
v 1K5* false r true,RJO*F cookie PfZa0n/1dAG1,SU~
qw+@@C1dAG#g{K1dAG^',rO$'\#g{K1dAGP
',rxPO$}L#
":I@"Za0zfZ1dAGdCa0n/1dAG#
*S\tCrsf]T
TZ Tivoli Access Manager V4.1,JO*FO$ cookie DS\2+6pQvS#KS
\c(;Grsf]D#g{z+JO*FO$ cookie k9C V4.1 .0f>D Tivoli
Access Manager De~v?~qw/I,zXkZe~dCD~P8(dCD~hC4
tCrsf]T#
1!ivB,;tCTOgDS\c(Drsf]:
[pdweb-plugins]
pre-410-compatible-tokens = false
*tCrsf]T,+ pre-410-compatible-tokens hC* true:
[pdweb-plugins]
pre-410-compatible-tokens = true
dC IV 7O$
Tivoli Access Manager 'V9CIf]M'zrzmLra)DZ?zID7E"xP
O$#IZz7-r,b);F* IV(IntraVerse)7#1e~v? Web ~qwSI
ED&CLr(}g WebSEAL r`74CzmLr)SUks1,IV 7I\aek
*Sxe~zm~qwDksP#
IV 7|,j6p<M'zDE",x;G*S~qwDE"#7PDE"CZ9lp<
M'zD>$,TCZZ(#,y,g{e~v? Web ~qw+ks*Sxm;v6
p IV 7D Tivoli Access Manager ~qw,re~zmITek IV 74j6p<D
M'z#
ITdCe~9C IV 7CZZ(s&mrO$ks#g{dCCZZ(s&m,re
~ZI&O$.s,(}ekM'zDf5m]w* IV 7^DBq#;sb)7II
p<D Web ~qw*"xm;v~qw#
g{dCe~9C IV 74PM'zO$,re~9CSBqksPR=D IV 7Pi
!Dm]4(M'z>$#IZM'z1l IV 7\]W,rKv1ksG(}IED
`74CzmLr(MPA)SUD1rE4(>$#kNDZ 93 3D:'V`74C
zmLr(MPA);#
*xPO$,I+ IV 7dCIZ(}zmSU1S\ksPD;v";)r+?
iv-user"iv-user-l"iv-creds r iv-remote-address 7,w*O$D$w#iv-remote-address
7CZG<C'Df56LX7#
g{dCCZZ(s&m,r IV 7f;v";)ryP
iv-user"iv-user-l"iv-creds"iv-groups M/r iv-remote-address"HTTP 7;pekks#
m 14. IV 7VNhv
IV 7VN hv
iv-user Access Manager C'DrL{F#g{M'z4O$(4*),
r1!*4O$#
iv-user-l C'Dj{r{($Mq=)#}g,LDAP (P{F#
iv-groups C'ytiPm#
iv-creds `kD;8w}]a9,zmC'D Tivoli Access Manager >$#
iv-remote-address M'zD IP X7#K5ITzmzm~qwrxgX7*;Lr
(NAT)D IP X7#
":Access Manager vENSIE0KSUD7#g{0K;6p*`74CzmLr
(MPA),rO*|GIED#XZdCe~T'V MPA Dj8E",kN<Z
93 3D:'V`74CzmLr(MPA);#
tC9C IV 7DO$
pdwebpi.conf dCD~PD [common-modules] Z(eKyPO$=(D9C#*
tC9C IV 7DO$,k+}C iv-headers 8(x authentication N}:
[common-modules]
authentication = iv-headers
*TZ(s&mtC IV 7,+5 iv-headers 8(x pdwebpi.conf dCD~D
[common-modules] ZPD post-authzn N}:
[common-modules]
post-authzn = iv-headers
pdwebpi.conf dCD~PD [modules] Z(eyPICDO$zF0dX*D2mb
{F#7# IV 7O$u?fZ:
[modules]
iv-headers = pdwpi-iv-headers-module
dC IV 7N}
IV 7O$N}Z pdwebpi.conf dCD~D [iv-headers] ZPdC#
accept N}8(*4P IV 7O$xS\D IV 7`M#1!ivB,e~S\yP
D IV 7`M#P'!nG all"iv-creds"iv-user"iv-user-l M iv-remote-address#*d
k`v7`M,k9C:EVt5#
}g:
[iv-headers]
accept = iv-creds,iv-user
generate N}8(*"zmks1+zID IV 7`M#1!ivB,*"zmks
1e~zIyP`MD IV 7#P'!n*:
all"iv-creds"iv-user"iv-user-l"iv-remote-address#*dk`v7`M,k9C:EV
t5#
8(T IV 7xP UTF-8 `k
`-e~dCD~#8(e~Gq&T IV 79C UTF-8 `k#
[iv-headers]
use-utf8 = true
1!5* true#
PXe~T UTF-8 `kD'VD|`E",kNDZ 32 3D:oT'VkV{/;#
dC iv-remote-address D IV 7O$zF
Z IV 7P9C iv-remote-address 1,zh*8(CZ3d HTTP O$7E"D2
mb#http-request O$zF8(2mb43d HTTP O$7E"#
v Z UNIX O,a)ZC3d&\DD~G;v2mb,F* libhttpauth#
v Z Windows O,a)ZC3d&\DD~G;v DLL,F* httpauthn.dll#
ITdC HTTP 7O$zF,=(GZ pdwebpi.conf dCD~D
[authentication-mechanisms] ZPdk http-request N}T0X(Z=(D2mbD
~{,4:
Solaris:
[authentication-mechanisms]
http-request = libhttpauth.so
Windows:
[authentication-mechanisms]
http-request = httpauthn.dll
dC HTTP 7O$
Tivoli Access Manager 'V(}IM'zrzmLra)D(F HTTP 7E"xPO
$#
CzFh*;V+IE($O$D)7}]3d* Tivoli Access Manager m]D3d
/}(2mb)#e~ITS\Kj6"*C'4(>$#
e~Y((F HTTP 7}]H0QIzmLrxPO$#rK,vZe~;ZQO$D
Web zmLr.s,"R [pdweb-plugins] ZPD mpa-enabled N}hC* true
1,#iEapwC#
1!ivB,9(K2mb3d4T0/Pzm17D}]#
tC9C HTTP 7DO$
pdwebpi.conf dCD~PD [common-modules] Z(eKyPO$=(D9C#*
tC9C HTTP 7DO$,k+}C http-hdr 8(x authentication N};4:
[common-modules]
authentication = http-hdr
pdwebpi.conf dCD~PD [modules] Z(eyPICDO$zF0dX*D2mb
{F#7# HTTP 7O$u?fZ:
[modules]
http-hdr = pdwpi-httphdr-module
8(7`M
XkZ pdwebpi.conf dCD~D [http-hdr] ZP8(yP'VD HTTP 7`M#
[http-hdr]
header = header_type
HTTP 7Dj<dC;Jm8(;v7,}g:
[modules]
http-hdr = pdwpi-httphdr-module
*8(`v HTTP 7,XkdC HTTP 7#iD`v5}#
}g:
[modules]
entrust-client-header = pdwpi-httphdr-module
some-other-header = pdwpi-httphdr-module
[entrust-client-header]
header = entrust-client
[some-other-header]
header = some-other
dC HTTP 7O$zF
http-request N}8(CZ3d HTTP O$7E"D2mb#
v Z UNIX O,a)ZC3d&\DD~G{* libpdwpi-http-cdas D2mb#
v Z Windows O,a)ZC3d&\DD~G{* pdwpi-http-cdas D DLL#
1!ivB,KZC2mbG2`kD,CZ+0/Pzm17}]3dIP'D Tivoli
Access Manager m]#zXk(FKD~4O$d|`MDXb7}],"RIT!q
+C}]3dI Tivoli Access Manager m]#XZ API J4DE",kN< IBM Tivoli
Access Manager for e-business Web Security Developer Reference#
ITdC HTTP 7O$zF,=(GZ pdwebpi.conf dCD~D
[authentication-mechanisms] ZPdk http-request N}T0X(Z=(D2mbD
~{#
}g:
Solaris:
[authentication-mechanisms]
http-request = libpdwpi-http-cdas.so
Windows:
[authentication-mechanisms]
http-request = pdwpi-http-cdas.dll
dC IP X7O$
xkksD IP X7ITCZ9CM'zX77PD5,Va04,MO$M'zks#
Z9;PdCe~49C IP X7O$M'zksDivB,dCCe~49C IP X
7,Va04,G^'D#+G,g{e~;9C IP X7zYC'a0,r9C IP X
7O$C'GP'D#
tC9C IP X7DO$
pdwebpi.conf dCD~PD [common-modules] Z(eKyPO$=(D9C#*
9Ckst/LrD IP X7tCO$,k+}C ip-addr 8(x authentication N
},gBy>:
[common-modules]
authentication = ip-addr
*tC IP X7zYC'a0,k+}C ip-addr 8(x session N},gBy>:
[common-modules]
session = ip-addr
pdwebpi.conf dCD~PD [modules] Z(eyPICDO$zF0dX*D2mb
{F#7# IP X7O$u?fZ,gBy>:
[modules]
ip-addr = pdwpi-ipaddr-module
dC IP X7O$zF
IP X7O$zFM HTTP 7D`,# http-request N}8( IP X7O$zFD2
mb#
v Z UNIX O,a)ZC3d&\DD~G{* libpdwpi-http-cdas D2mb#
v Z Windows O,a)ZC3d&\DD~G{* pdwpi-http-cdas D DLL#
ITdC IP X7O$zF,=(GZ pdwebpi.conf dCD~D
[authentication-mechanisms] ZPdk http-request N}T0X(Z=(D2mbD
~{#
}g:
Solaris:
[authentication-mechanisms]
http-request = libpdwpi-http-cdas.so
Windows:
[authentication-mechanisms]
http-request = pdwpi-http-cdas.dll
dC LTPA O$
e~IT9C LTPA cookie O$C'#LTPA cookie II Tivoli Access Manager
WebSEAL rI IBM WebSphere ~qwa)#
tC LTPA O$
pdwebpi.conf dCD~PD [common-modules] Z(e9C LTPA 4O$ks#
[common-modules]
authentication = ltpa
pdwebpi.conf dCD~PD [modules] Z(eyPICDO$zF0dX*D2mb
{#7#fZCZ LTPA O$Du?;4:
[modules]
ltpa = pdwpi-ltpa-module
hC\?j8E"
U=D5J LTPA cookie I"M=S\#K cookie XkZIT"zO$.0b\#
pdwebpi.conf dCD~PD [ltpa] Z|,b\}Lh*D\?j8E":
[ltpa]
ltpa-keyfile = \?D~D+76
ltpa-stash-file = \kf"D~D;C
ltpa-password = f"D~!yZD\k
dP:
v ltpa-keyfile u?8(Sp<zwa)D\?D~D{F#\?D~u?GXhD#
v ltpa-stash-file u?8(|,\?D~D\kDD~{F#Ku?GI!D,!\|
; f Z , + l t p a - p a s s w o r d u ? X k f Z # K u ? E H Z N N 8 ( D
ltpa-password#
v ltpa-password u?vZ ltpa-stash-file u?;fZ1GXhD#|&C|,8(
D\?D~DwD\k#
dC LTPA Z(s&m
*Z(s&mdC LTPA #iw* WebSphere Application Server D%;"abv=8
D;?V#kN<Z 115 3D:9C LTPA cookie %;"a= WebSphere Application
Server;q!dCDj8E"#
dCG<sDC'X(r
9C login-redirect #i,zITdCe~,TcZI&O$C'.s9C'X(r=
X(D URL#bI\Zz#{yPC'(r=3vE'x;G{GksD Web 3fD
ivB,r_rC'JV*z&CLrD6-3fr*<3fDivB\PC#
e~G<X(r&\@"ZC4O$C'D=(xpwC#T]}=O$rXBO$
;a"zX(r#
tCC'X(r
pdwebpi.conf dCD~PD [common-modules] Z(eKyPO$=(D9C#*
9C'Zu<G<MO$sX(r=X(D URI,k+N< login-redirect 8(x
pre-authzn N};gBy>:
[common-modules]
pre-authzn = login-redirect
":9C login-redirect N}1,(i+|ECZZ(0#iPmPDZ;v;C;q
rm;vO$#iX(rI\a@H#
pdwebpi.conf dCD~PD [modules] Z(eyPICDO$zF0dX*D2mb
{F#7#fZ login-redirect u?,gBy>:
[modules]
login-redirect = pdwpi-loginredirect-module
dCC'X(rN}
C'X(rN}Z pdwebpi.conf dCD~D [login-redirect] ZPdC#
[login-redirect]
redirect-uri = redirect uri
ZI&G<.s,9C redirect-uri N}48(z#{C'8rD URI#8(D URI
ITG`T URI,r_GxT URI#
*>$mS)9tT
>Z|,TBwb:
v :+)9tTmS=>$DzF;
v Z 90 3D:Z(~qdC;
+)9tTmS=>$DzF
Tivoli Access Manager Plug-in for Web Servers O$}LCJ Tivoli Access Manager
C'"am"9(C'>$#K>$|,wvCJv_yhDC'E"#C'E"|
(ngC'{T0C'ytiDPm.`DE"#
e~'VJm\m1M&CLr*"_)9O$}LD8V;,DzF(~q)#1e
~4PO$}L1,|liGqQ5V"dCKNNb?~q#1Q5V"dCKb
)~qs,e~+T|GxPwC#b)~qI4P|GT:D&m49(PXC'
m]D)9tTPm#b))9tT+mS=C'>$#
'VTB`MD~q:
v >$tTZ(~q
1!ivB,TZ Tivoli Access Manager,KZ(~qGZCD#K~qSC'"a
m(}g LDAP C'"am)q!8(DC'E""+b)}]ekC'>$DtT
Pm#KZC>$tTZ(~q*;cZ(~q,IIm`J4\mw9C#K~
qzfKT0D=((C=(h*\m1+0tag/value1u?mS= pdwebpi.conf d
CD~D [ldap-ext-creds-tag] ZP)#Z V5.1 P,&9CZCZ(~qq! LDAP
C'"am}]#PXdCE",kND:Z(~qdC;
v (FD>$tTZ(~q
1ZC>$tTZ(~q^(a)zD?pyh*DyPE"1,I`4zT:D
>$tTZ(~q#Tivoli Access Manager 'VK&\w*Z( API D;?V#X
Z|`E",kND IBM Tivoli Access Manager for e-business Authorization C API
Developer Reference#
v >$)9tTb?O$~q(CDAS)
e~a)IC4*"b?O$~qDb?O$ API SZ#b)~q(#F* CDAS
(grO$~q)#
I9Ce~Db?O$ API 4*"zT:Db?O$~q#1h*q!,vZ(E"
6'DC'O$E"1,I9CK&\#1&CLrh*CJvZO$1E\q!
DE",r&CLrh*+O$19CDC'j63d* Tivoli Access Manager C
'j61,Fv9C>$)9tT CDAS#XZ|`E",kND IBM Tivoli Access
Manager for e-business Web Security Developer Reference#
Z(~qdC
*dCZ(~q,kjITBwZPD8>:
v :=h 1 - 7(*mS=>$DtT;
v :=h 2 - (eZ(~qD9C;
v :=h 3 - 8(*mS=>$DtT;
=h 1 - 7(*mS=>$DtT
XkZ Tivoli Access Manager dCD~P(ek*mS=C'>$D?vC'tT#
(#,Ze~dCD~PjIKYw#
*A Tivoli Access Manager C'"am(}g LDAP C'"am)#zI#{>$t
TZ(~qS"ami!"+dEkC'>$D?vC'"amu?{FDPm#z
9h*C' DN Mi DN#
=h 2 - (eZ(~qD9C
1. i$GqQdC>$tTZ(~q#e~dCD~P&fZTB1!u?:
[aznapi-entitlement-services]
AZN_ENT_EXT_ATTR = azn_ent_ext_attr
k"b,e~T/q!5 azn_ent_ext_attr "iR`&D2mb#}g,Z Solaris O
G libazn_ent_ext_attr.so
2. mSZ( API ~q(eu?48(TZ(~qD9C#Z [aznapi-configuration]ZPmSu?#
Cu?Xk9CN} cred-attributes-entitlement-services#zI!q;v5,}
g TAM_CRED_ATTRS_SVC#}g:
[aznapi-configuration]
cred-attributes-entitlement-services = TAM_CRED_ATTRS_SVC
=h 3 - 8(*mS=>$DtT
*mS=>$DtTdCZtIZP#+KE"mS=e~dCD~#
":r_,IZ@"DD~P(etT,TcZ(~qTdxPwC#XZ|`E
",kND IBM Tivoli Access Manager for e-business Authorization C API Developer
Reference#
4iTBu?>}#
[TAM_CRED_ATTRS_SVC]
eperson = azn_cred_registry_id
group = cn=enterprise, o=tivoli
[TAM_CRED_ATTRS_SVC:eperson]
tagvalue_credattrs_lastname = sn
tagvalue_credattrs_employeetype = employeetype
tagvalue_credattrs_address = homepostaladdress
tagvalue_credattrs_email = email
[TAM_CRED_ATTRS_SVC:group]
tagvalue_credattrs_businesscategory = businesscategory
Z{F [TAM_CRED_ATTRS_SVC] G~qj6#KZPG*lwDtTD4#4{
F(}gC'Mi)C4j6"amPD4;C#h*T|GxP(e#b)4D5
GfZZ"amPD"amj6#b)5ITGVPD>$tT{F#g{Gby,
r~qT/iR"9CwTD5#
Z%@ZP*~qZBD?v4dC"amtT#%@ZDo(G~qj6b{sz
0E(:),;sG4{F#IZZ,;vD~PIdC`v~q,rKh*K,S#
dCD~u?|,C'"amtT=C'(eD>$tTD3d#
}g,Z LDAP C'"amP,C'D DN ITG cn=joeuser, o=tivoli
TZCC',LDAP C'"amu?ITG:
sn=Smith
employeetype=bankteller
homepostaladdress="3004 Mission St Santa Cruz CA 95060"
email=joeuser@bigco.com
businesscategory=finance
9COfT>DdCu?>},5XDtTPm&*TBu?:
tT{F tT5
credattrs_lastname Smith
credattrs_employeetype bankteller
credattrs_address 3004 Mission St Santa Cruz CA 95060
credattrs_email joeuser@bigco.com
credattrs_businesscategory finance
k"b~q"4MtTI*`5#g{8(DtT{FkZu?X|V`,,rlw
DtT+w*`5tTmS(49b)tT4T;,D4)#
}g,I+`vZ(~q4SZ;p#byM\S;v~qlwb)5#TCwm;
v~qDdk5#,y,ISC'"amPD`v DN lwtT#rK,g{z#{C
=C'iDyP businesscategory u?DPm,(}9COfD>},I+4T`vC
'(DN)D5mS=;v credattrs_businesscategory tTP#
}g,g{k*9(F* myemployeeinfo DtTT+dmS=>$P,"#{KtT
|,O$D?vKDUMM1`M,zIT(eTBu?:
[myID]source = azn_cred_authzn_id
[myID:source]
myemployeeinfo = lastname
myemployeeinfo = employeetype
r HTTP 7mS LDAP )9DtT(jG5)
(#,+4T LDAP DC'X(DE"(}g,g0EkMgSJ~X7)=S=
HTTP O$DksD7PG\PCD#b9`v&CLrITCJ=SDE"x^k-
#i/ LDAP ~qw#KE"DXwG|G`T2,D,@6;a;NN9C|D&C
Lr|B#K}]w* ivauthn O$xLD;?VEkC'>$P#KE"2IT(}
C'5VD CDAS O$#i=S=C'>$P#
TBwLhvKB~D3r:
v 4TC'D LDAP "amJ'PNNVNDC'(eD9d}]w*)9tT}]m
SZC'D Tivoli Access Manager >$P#
v 1*jG5Z(s&mxPdC1,e~i! LDAP )9tT}]"+dEZksD
HTTP 7P#
v sK&CLrITS7Pi!}],x^hXbzkrZ( API#
dCe~T+ LDAP )9DtTE"ek HTTP 7f0TB=h:
1. Z Web e~PdCjG5Z(s#PXgN4Pb;YwDj8E",kN<Z 93
3D:tCjG5&m;#
2. r Access Manager PD /PDWebPI/host TsmS)9tT#}g(dkI;P):
pdadmin> object modify /PDWebPI/host set attribute HTTP-Tag-Value ldap-home-phone=homePhone
z9IT4(BD Tivoli Access Manager )9D>$ CDAS "+d8(*e~PD;
VO$zF#}g:
1. + [authentication-mechanisms] ZPD cred-ext-attrs N}hC*BD CDAS#
}g(dkI;P):
[authentication-mechanisms]
cred-ext-attrs = /opt/PolicyDirector/lib/libextcredtags.so& /opt/pdwebpi/etc/pdwebpi.conf
(1!dCD~G pd.conf)
2. `- pdwebpi.conf,mSBDZ: [ldap-ext-attr-cdas-tags] MyhD LDAP )
9tT#}g:
[ldap-ext-attr-cdas-tags]
ldap-home-phone = homePhone
3. XBt/e~
4. +)9tTmSA Tivoli Access Manager D /PDWebPI/host TsP#}g(dk
I;P):
pdadmin> object modify /PDWebPI/host set attribute HTTP-Tag-Value ldap-home-phone=homePhone
tCjG5&m
pdwebpi.conf dCD~PD [common-modules] Z(eKyPO$=(D9C#*
tC9CjG5D&m,k+}C tag-value 8(x post-authzn N}:
[common-modules]
post-authzn = tag-value
pdwebpi.conf dCD~PD [modules] Z(eyPICDO$zF0dX*D2mb
{F#7#jG5u?fZ,gBy>:
[modules]
tag-value = pdwpi-tag-value-module
dCjG5N}
jG5N}Z pdwebpi.conf dCD~D [tag-value] ZPdC#
[tag-value]
cache-definitions = yes
cache-refresh-interval = 60
cache-definitions N}tCr_{CT=S=TsUdODj)5(eD_Y:f#
cache-refresh-interval (e_Y:f(eD"B1ddt(k)#
g{h*,IdC;v0:,C0:+mS=CZ tag-value HTTP 7D>$tT{F
P#K0::
v ZQw>$tT1; tag-value #iw*QwV{.9C#
v ;mS=a0j6>$tTP#
v ;P;C'#imS=|C4f"\m1C'{D>$tTP#
9Ce~dCD~D [pdweb-plugins] ZPD tag-value-prefix N}8(C0:#
I(}kT3X(ibwz9C [virtual_host] Z4*CibwzXhKN}#1!P*
G^0:#
'V`74CzmLr(MPA)
Tivoli Access Manager a)wVbv=84#$9C`74CzmLr(MPA)Dx
g#`74CzmLr(MPA)Ga)`M'zCJDxX#xX("=2+D Web ~
qwD%;QO$(@,"(}C(@0+]1(tunnel)yPM'zksMl&#T
Ze~,(}K(@DE"numV*4T;vM'zD`vks#e~XkxV MPA
~qwDO$M?v%@M'zD=SO$#b`xXD;v#{>}G^_CJ-
i(WAP)xX#1 Tivoli Access Manager WebSEAL (};vacdCIwz Web
~qwTJmZ WebSEAL Me~.dxP%;"a1,|9d1;v MPA#*dC
by;vbv=8,IT9C iv-header O$#i#PXdC SSO D|`j8E",
kNDZ 113 3DZ 5 B, :Web %;"abv=8;#
P'a0}]`MMO$=(
IZ Tivoli Access Manager Plug-in for Web Servers * MPA ,$QO$Da0,|
Xk,1*?vM'z,$%@Da0#rK,CZ MPA Da0}]MO$=(Xk
;,ZM'zy9CDa0}]MO$=(#BmPvCZ MPA MM'zDP'a0
`M:
m 15. MPA DP'a0}]`M
P'a0`M
MPA =e~ M'z=e~
SSL a0j6
HTTP 7 HTTP 7
BA 7 BA 7
IP X7
Cookie Cookie
v M'z;\9C SSL a0j6w*a0}]`M#
v }g,g{ MPA 9C BA 7w*a0}]`M,rM'zDa0}]`M!nv
|( HTTP 7M cookie#
v g{ MPA 9C HTTP 7w*a0}],rM'zIT9C;,D HTTP 7`M#
v X(Z~qwD cookie v|,a0E";;|,j6E"#
v g{tC MPA 'V,r9C SSL a0j6,$a04,a|D#(#,r*Qd
C SSL a0j6,$a04,,yTv SSL a0j6CZ,$ HTTP M'zDa
0#*Jm MPA ,$_P SSL a0j6Da0"9M'z9Cm;V=(,$a
0,r}%K^F#
I0MPA =e~19CDO$=(Xkk0M'z=e~19CDO$=(;,#Bm
Pv MPA MM'zDP'O$=(:
m 16. P'D MPA O$`M
P'O$`M
MPA =e~ M'z=e~
y>O$ y>O$
m% m%
nF nF
HTTP 7 HTTP 7
$i
IP X7
v w*>},g{ MPA 9Cy>O$,rM'zDO$=(!n|(m%"nFM
HTTP 7#
v $iM IP X7O$=(TM'z9C^'#
v (#,g{TX(+MtCm%(rnF)O$,rTK+MT/{Cy>O$#
g{tC MPA 'V,r}%K^F#}g,bJmZ,;v+MO MPA 9Cm%
(rnF)G<,RM'z9Cy>O$G<#
MPA M`vM'zDO$xLw
TZ MPA M`vM'zO$,+4PTB&mwL#
1. kxPTBdC|D:
v ZdCD~PtCT`74CzmLrD'V#
v TX(D MPA xX4( Tivoli Access Manager J'#
v +KJ'Dzm([PDWebPI]p)CJ(ZhibwzD MPA #$Ts,zmk
s+8rKibwz#Z1!dCP,9C'I* pdwebpi-mpa-servers iD
I1I5VKYw#
2. M'z,S MPA xX#
3. xX+ks*;I HTTP ks#
4. xXO$M'z#
5. xX9CM'zkske~(",S#
6. MPA O$e~(9C;,ZM'zD=()"T MPA(Q5Pe~J')Izv
;vm]#
7. e~i$ MPA Z pdwebpi-mpa-servers iPDI1Jq#
8. * MPA 9(>$"Z_Y:fP+dj>*XbD MPA `M#
!\K MPA >$ifTsD?vM'zks,+d";CZTb)ksDZ(l
i#
9. VZe~h*x;=j6ksDyP_#
MPA ITxV`vM'z,xPG<a>D}77I#
10. M'zG<"9C;,Z MPA yCO$`MD=(xPO$#
11. e~SM'zO$}]9(>$#
12. ?vM'z9CDa0}]`MXk;,Z MPA 9CDa0}]`M#
13. Z(~qwy]C'>$MTsD ACL mI(Jmr_\xT\#$TsDCJ#
tC MPA O$
pdwebpi.conf dCD~D [pdweb-plugins] ZPD mpa-enabled N}tCr{C
MPA O$#P'hC* true M false,VpCZtCM{C MPA O$#1!ivB,
MPA O$G{CD#I(}ZdCD~D [virtual_host] ZP8( mpa-enabled N}
4*%@DibwzhC MPA O$#
*+Ba0j6* MPA ("Dwa0,CwvZ(v_,bT MPA #$DTsOD
zmLr([PDWebPI]p)mI(#1!ivB,MPA #$DTs(e* /PDWebPI#
*2GK1!hC(}g(e;,Dwe/zm?vibwzD MPA),IT*
mpa-protected-object dCN}8(;v5#ITT?vibwzXhKN},=(G
ZdCD~D [virtual_host] ZP*d8(;v5#}g,*T ibm.com ibwzxG
lotus.com ibwztC MPA CJ,kZ pdwebpi.conf dCD~P9CTBhC:
[pdweb-plugins]
virtual-host = ibm.com
virtual-host = lotus.com
[ibm.com]
mpa-enabled = yes
*+ ibm-mpa-servers iDI1(e*T ibm.com ibwzksD MPA "+
lotus-mpa-servers iDI1(e*T lotus.com ibwzksD MPA,k9CTBdC:
[pdweb-plugins]
virtual-host = ibm.com
virtual-host = lotus.com
[ibm.com]
mpa-enabled = yes
mpa-protected-object = /PDWebPI/ibm.com
[lotus.com]
mpa-enabled = yes
mpa-protected-object = /PDWebPI/lotus.com
"(eTB Tivoli Access Manager _T:
pdadmin> acl create ibm-mpa
pdadmin> acl modify ibm-mpa set group ibm-mpa-servers T[PDWebPI]p
pdadmin> acl create lotus-mpa
pdadmin> acl modify lotus-mpa set group lotus-mpa-servers T[PDWebPI]p
pdadmin> acl attach /PDWebPI/ibm.com ibm-mpa
pdadmin> acl attach /PDWebPI/lotus.com lotus-mpa
mpa-protected-object dCN}8(xPZ(v_yTUDTs#
* MPA 4(C'J'
PX4(C'J'DE",kN< IBM Tivoli Access Manager Base Administration Guide
M IBM Tivoli Access Manager Web Portal Manager Administration Guide#
r pdwebpi-mpa-servers imS MPA J'
Tivoli Access Manager Plug-in for Web Servers *cZ\mD MPA ~qw4(K;
vi#bviF* pdwebpi-mpa-servers#=SZ /PDWebPI OD default-pdwebpi ACL
+zm([PDWebPI]p)mI(Zh pdwebpi-mpa-servers iDI1#120ZAYd
CK;v WebSEAL D Tivoli Access Manager 2+rP1,h*dC default-pdwebpi
ACL Tc|I+zmmI(Z(x webseal-servers M webseal-mpa-servers iP
DI1#zIT!qT:DiM ACL,CZXFw*`74CzmLrDweDj6#
PX\miDE",kN<6IBM Tivoli Access Manager Base \m8O7M IBM Tivoli
Access Manager Web Portal Manager Administration Guide#
Z 4 B IBM Tivoli Access Manager Plug-in for Web Servers 2+T_T
>B|,DE"hvKgNITdC"(F IBM Tivoli Access Manager(Tivoli Access
Manager)Plug-in for Web Servers 2+T_TD=(#
>B|(TBwb:
v :e~X(DCJXFm(ACL)_T;
v Z 100 3D:}N%wG<_T;
v Z 101 3D:\k?H_T;
v Z 103 3D:O$?H\#$Ts_T(]});
v Z 106 3D:`rSO$;
v Z 106 3D:XBO$\#$Ts_T;
v Z 108 3D:yZxgDO$\#$Ts_T;
v Z 109 3D:#$6p\#$Ts_T;
v Z 110 3D:&m4O$C'(HTTP/HTTPS);
e~X(DCJXFm(ACL)_T
TB2+T"bBnJCZ\#$TsUdPD /PDWebPI ]w:
v Access Manager Plug-in for Web Servers TsGTsUdPe~xrD ACL LP
4Dpc#
v g{;&Cd|NNT= ACL,rKTs((}LP)(e{v Web UdD2+T
_T#
v *CJKTs0K;CBDNNTs,h*izmI(#
XZ Tivoli Access Manager ACL _TDj{E",kN<6IBM Tivoli Access Manager
Base \m18O7#
":1C'ksP,Pv|(yT>?<D?<76D URL 1,Microsoft IIS Web ~
qwa)ZC?<P8(1! Web 3fD\&#
I Plug-in for Web Servers 4PD ACL livJCZZks URL P8(D?
<,x;JCZI IIS ~qwa)~qTl&CksD1! Web 3f#
1Z IIS =(O5V2+T_T1,z&CaO<GK ACL li^F#
`FD,IZ Web ~qwe~e5a9D>J,|;ah9z20ke~a)D
2+Te;Dd|#i#7#;aZ Web ~qwO20ke~e;D#iG Web
~qw\m1D0p#
}g,Apache M IHS Web ~qwPD0MultiViews1&\"T/,7(ksD
URL D)9{#}g,g{T www.tivoli.com/index xPKks,r Web ~qw
+d/,3d* www.tivoli.com/index.html(g{byDD~fZ)#
© Copyright IBM Corp. 2000, 2003 97
;RDG,K3dGZxPZ(.s"zD,bb6E+T index 4P(^lix
GT index.html#
ZbyDivB,(i{C0MultiViews1!n#rhC_T46qK3d#}
g,ACL I,S= /PDWebPI/www.tivoli.com,r_g{h*x;=D8V,r
ACL I,1,S= /PDWebPI/www.tivoli.com/index M
/PDWebPI/www.tivoli.com/index.html#
/PDWebPI/host r virtual_host
/PDWebPI/host r virtual_host Sw|,X(e~5}DTsUd#TB2+T"bBn
JCZKTs:
v *CJK;CBDNNTs,h*izmI(#
v g{;&Cd|NNT= ACL,rKTs((}LP)(eKzwO{vTsUdD
2+T_T#
e~ ACL mI(
BmhvJCZTsUdD Tivoli Access Manager Plug-in for Web Servers xrD ACL
mI(:
m 17. e~ ACL mI(
mI( Yw hv
[PDWebPI]r A! i4}?<bDNb*X#Nb HTTP GET r POST
ks<h*KmI(#;PX(D0Pm1mI(C
Zks?<Pm(T / axD URL D GET)#
[PDWebPI]d >} S Web UdP}% Web Ts#HTTP DELETE |
nh*KmI(#
[PDWebPI]m ^D Ze~TsUdPEC/"< HTTP Ts#HTTP
PUT ksh*KmI(#
[PDWebPI]p zm 7(C'GqITd1`74Czm#XZ|`j8
E",kNDZ 96 3D:r pdwebpi-mpa-servers i
mS MPA J';#
T iz CJK;CBDNNTs1h*KmI(#
e~9'V WebDAV Yw,gBy>#
m 18. e~ WebDAV mI(
Nq yhmI(
PROPFIND [PDWebPI]R
PROPPATCH [PDWebPI]M
MKCOL [PDWebPI]N
yZks URI(x;GyZ/OD%vI1)Z( WebDAV Yw#mb9?V'V;
)d|D WebDAV Yw:
v COPY - U/1h* [PDWebPI]R,TcITA!.4F;C/#;li?DXD
mI(#
v MOVE - bITO*GHxP4F,;sxP>}#T}ZxPF/D/Oh*
[PDWebPI]Rd#;li?DXDmI(#
1! /PDWebPI ACL _T
Tivoli Access Manager Plug-in for Web Servers ACL DKDu? default-pdwebpi |
(:
Group iv-admin TcmdbsvaBR[PDWebPI]rR
User sec_master cmdbsvaBR[PDWebPI]rR
Any-other T[PDWebPI]rR
Unauthenticated T
Group pdwebpi-mpa-servers TBR[PDWebPI]p
Group webseal-servers TBR[PDWebPI]p
Group webseal-mpa-servers TBR[PDWebPI]p
201,K1! ACL a=S=TsUdPD /PDWebPI ]wTs#
izmI(Jmg Web Portal Manager Py>)9 Web Ud#PmmI(Jm Web
Portal Manager T> Web UdDZ]#
}N%wG<_T
}N%wG<_TICZyZ LDAP D Tivoli Access Manager 20,(}8('\G
<"TDnsN}M&#x(1d,9zIT@9Fcz\k%w#K_T4(;V
u~,dPC'XkZxP|`D'\G<"T0H};N1d#}g,_TITf
( 3 N'\"T,sz 180 kDd#bVG<_T`MIT@9?k`NvV
DFczfzzIDG<"T#
}N%wG<_Th*=v pdadmin _T|nhCD2,wC:
v '\G<"TDnsN}
policy set max-login-failures
v ,}'\G<"ThCD&#
policy set disable-time-interval&#hCIT|,J'x(1ddtrTJ'j+{C#
g{G<_ThC(w*>})*}N'\"TszEX(x(1d&#,rZDN
"T(^[}7kq)+<Bms3f,5wJ'r\k_TD-r]1;IC#
1ddtTk*%;8( - n!(i1ddt* 60 k#
g{ disable-time-interval _ThC* disable,rC';x(ZJ'.b,RKC
'D LDAP account valid tThC* no#\m1(} Web Portal Manager XBt
CJ'#
":+ disable-time-interval hC* disable <BnbD\m*z#+ accountvalidE"4F=e~1IT[l=SY#bViv!vZ LDAP 73#mb,IZ
account valid |BYw,3) LDAP 5VI\-zT\B5#IZb)-r,
(i9C,11ddt#
TB pdadmin |nvJOCZ LDAP "am#
m 19. pdadmin LDAP G<_T|n
|n hv
policy set max-login-failures {number|unset} [-user username]
policy get max-login-failures [-user username]
TXF)S�yJmDns'\G<"TN}D_
TxP\m#K|n!vZ policy set disable-time-interval
|nPhCD&##
w*\m1,ITTX(C'&CK_T,rT LDAP
"amPPvDyPC'+V&CK_T#
1!hC* 10 N"T#
policy set disable-time-interval {number|unset|disable} [-user username]
policy get disable-time-interval [-user username]
\m&#_T,C_TXFg{=o'\G<"Tns
N}sJ'&{CD1d\Z#
w*\m1,ITTX(C'&CK&#_T,rT
LDAP "amPPvDyPC'+V&CK_T#
1!hC* 180 k#
\k?H_T
Tivoli Access Manager yZ LDAP D20a)=VXF\k9lD==:
v ev pdadmin \k_T|n
v Jm(F\k_TDIekO$#i(PAM)
kN< Tivoli Access Manager Authorization C API Developer’s Reference
pdadmin 5CLrhCD\k?H_T
(} pdadmin 5CLr5VDev\k?HtT|(:
v n!\k$H
v n!V8V{}
v n!GV8V{}
v nsX4V{}
v JmUq
9C pdadmin r Web Portal Manager 4(C'T09C pdadmin"Web Portal
Manager r pkmspasswd 5CLr|D\k15)b)_T#
TB pdadmin |nvJCZ LDAP "am#unset hC!n{CK_TtT - 4;
5)K_T#
m 20. pdadmin LDAP \k?H|n
|n hv
policy set min-password-length {number|unset} [-user username]
policy get min-password-length [-user username]
\mXFn!\k$HD_T#
w*\m1,ITTX(C'&CK_T,rT1!"
amPPvDyPC'+V&CK_T#
1!hC* 8#
policy set min-password-alphas {number|unset} [-user username]
policy get min-password-alphas [-user username]
\mXF\kPJmDn!V8V{}D_T#
w*\m1,ITTX(C'&CK&#_T,rT1
!"amPPvDyPC'+V&CK_T#
1!hC* 4#
policy set min-password-non-alphas {number|unset} [-user username]
policy get min-password-non-alphas [-user username]
\mXF\kPJmDn!GV8(}V)V{}D_
T#
w*\m1,ITTX(C'&CK_T,rT1!"
amPPvDyPC'+V&CK_T#
1!hC* 1#
policy set max-password-repeated-chars {number|unset} [-user username]
policy get max-password-repeated-chars [-user username]
\mXF\kPJmDnsX4V{}D_T#
w*\m1,ITTX(C'&CK_T,rT1!"
amPPvDyPC'+V&CK_T#
1!hC* 2#
policy set password-spaces {yes|no|unset} [-user username]
policy get password-spaces [-user username]
\mXF\kPGqIT|,UqD_T#
w*\m1,ITTX(C'&CK_T,rT1!"
amPPvDyPC'+V&CK_T#
1!hC* unset#
Bm5wyZev pdadmin N}D1!5D;)\k>}M_Ta{:
m 21. \k>}
>} a{
password ^':XkAY|,;vGV8V{#
pass ^':XkAY|, 8 vV{#
passs1234 ^':|,=vTODX4V{#
12345678 ^':XkAY|,DvV8V{#
password3 P'#
X(C'M+VhC
ITTX(C'(9C - user !n)r+V(;9C - user !n)hC pdadmin _
T|n#NNX(ZC'DhC<2G_TD+VhC#2IT{C(unset)_TN
},bb6EKN};|,NN5#;lir5)NN_P unset !nD_T#
}g:
pdadmin> policy set min-password-length 8
pdadmin> policy set min-password-length 4 -user matt
pdadmin> policy get min-password-length
Minimum password length: 8
pdadmin> policy get min-password-length -user matt
Minimum password length: 4
C' matt Dn!\k$H_T* 4 vV{;d|yPC'Dn!\k$H_T* 8#
pdadmin> policy set min-password-length unset -user matt
VZC' matt I 8 vV{D+Vn!\k$H_TXF#
pdadmin> policy set min-password-length unset
yPC'(|(C' matt)VZ^n!\k$H_T#
O$?H\#$Ts_T(]})
O$?H\#$Ts_T(POP)9yZTs9CDO$=(XFTTsDCJI*
I\#
IT9CK&\(P1F*]}=O$)7#CJ|*tPJ4DC'9C|?DO
$zF#IZ;1CJDOs~2,zI\#{9CKu~#
}g,IT(}&C]} POP _T(Zu<xke~r1h*HM'zy9CDO$
|_6pDO$)T Web UdDxra)|_D2+T#
2IT* Web ~qwOD?vX(ibwzhC]}=O$,Jm%vibwz9C
dT:D]}=O$6p,x;X~S~qw6'D_T5V#
O$?H_TGZ POP _TD0IP KcO$=(1tTPhCD#
dC]}=O$6p
dCX(ZO$DCJDZ;=GdC'VDO$=("7(3r,b)O$=(&
4K3rS*|?s#XZdCO$zFDj8E",kN<Z 35 3DZ 3 B, :IBM
Tivoli Access Manager Plug-in for Web Servers O$Mks&m;#
(}e~CJ Web ~qwDNNM'z<_PO$6p,}g04O$1r0\k1,
8>M'zns;N(}e~O$y9CD=(#
Z3)ivB,I\PX*5)CJX( Web UdTsyhDnM02+16pO$#
}g,Z373P,(}nF(PzkxPDO$ITS*H(}C'{M\kxP
DO$|2+#m;v73IT_P;,Dj<#
k?FM'zZ4zcXhDO$6p1XBt/da0;,,]}O$zFa)M
'zm;Nza9Cyh=((6p)xPXBO$#
]}=O$b6EC'"TCJh*HdG<1_PDO$6p0|_1DO$6p
DJ41,;a"4rdT>0\x1{"#xrdT>BDO$a>,ks'V|
_O$6pDE"#g{{GITa)KO$6p,rJmdu<ks#
Z pdwebpi.conf dCD~D [authentication-levels] r
[authentication-levels:virtual_host_label] ZPdCO$6p#}g:
[authentication-levels]
1 = BA
2 = iv-headers
3 = cert
y]PmP=(D3r,T?V=(8(6pw}#
v Y(4O$D6p* 0#
v sL=(ITNb3rEC#kNDZ 105 3D:]}=O$"bBnM^F;
v *tC]}=O$,XkAYP=vu?#
v (}9CTBq=DZI*X(ibwzhCO$zFD6p:
[authentication-levels:virtual_host_name]#
":XZhCyhO$zFDj8E",kNDZ 35 3DZ 3 B, :IBM Tivoli Access
Manager Plug-in for Web Servers O$Mks&m;#
tC]}=O$
]}O$G(}Z*sO$tPZ(DTsOyECD POP _Tx5VD#z+9C
POP _TD0IP KcO$=(1tT#
pdadmin pop modify set ipauth |n8( IP KcO$=(tTPJmDxgMy
hDO$6p#
QdCDO$6pI4S= IP X76'#K=(D?DGa)\minT#g{4 IP
X7}KC'";X*,rIT anyothernw(Nbd|xg)hC%;u?#KhC
+0lyPCJC'(;\ IP X7),"*s{G48(6pxPO$#bG5V]
}=O$Dn#C=(#
o(:
pdadmin> pop modify pop_name set ipauth anyothernw level_index
anyothernw u?Cwxg6',K6'+k4Z POP PmP8(DyPxg%d#
K=(CZ4(1!u?,Ku?I\xyP;%dD IP X7,rJmITzcO$
6p*sDNNKxPCJ#
1!ivB,anyothernw TO$6pw} 0 vVZ POP P#Z pop show |nP
Ku?T>*0Nbd|xg1:
pdadmin> pop show test
\#$Ts_T:test
hv: Test POP
/f: no
sF6p: none
#$6p: none
?UDCJ1d:sun, mon, tue, wed, thu, fri, sat:anytime:local
IP KcO$=(_T
Nbd|xg 0
Z]}=O$Zd,I(}+ [module-mgr] ZPD verify-step-up-user N}hC*
true 4tCTa)DC'j6Di$#
[module-mgr]
verify-step-up-user = true
tC verify-step-up-user N}7#Za>9C|_6pzFDXBO$1dkDj6
knudkDj6%d#g{j6;%d,+5X;v0403 {913f#
]}=O$>}
1. Z pdwebpi.conf PdCO$6p:
[authentication-levels] r [authentication-levels:virtual_host_label]
1 = BA
2 = token
2. dC0IP KcO$=(1POP tT:
pdadmin> pop modify test set ipauth anyothernw 2
pdadmin> pop show test
\#$Ts_T:test
hv: Test POP
/f: no
sF6p: none
#$6p: none
?UDCJ1d:mon, wed, fri:anytime:local
IP KcO$=(_T
Nbd|xg 2
by,C'CJIbT POP #$DTsh*6p 2 O$,r_+?F9CnF=
(xPO$#
m{Z 108 3D:yZxgDO$\#$Ts_T;#
]}=O$"bBnM^F
v HTTP M HTTPS O<'V]}O$#
v ;\S HTTP -i]}= HTTPS#
v [authentication-levels] ZP48(DO$=(1!*6p 1#
v O$=(;\Z6pPmP8(;N#
v SPNEGO ;a]}=9C POST m%DNNO$=(#9C SPNEGO O$#id
C]}P*a<BrM'z5X;vms3f#
v T]}=O$6pDmsdC<B{Ce~PD]}&\#bVivI\}pbb
DO$P*,}gT POP #$DTs"v\kG<3f,K POP h*nF(Pz
kO$=(#
dC]}=O$zFs,kli pdwebpi.log D~,Tq!XZNNdCmsD(
f#
`rSO$
`rSO$&\G]}=O$&\D)9,|Jmz8(;v\#$Ts_T
(POP),C_T?FC'9CHQdCD POP O$6pMDyPO$zF4O$#4
*sC'ZZhCJ(.0DXh6pT0MZC6pDyP6pOxPO$#`r
SO$2IkXBO$aO9CT?F`rSXBO$#
yZj<O$6pDO$Jm_Tk;vTsX*,CTshCKZZhCJ(.0
Xko=DnMXhO$6p#ZdCPa)K\'VO$zFDEr,CEr8(
KwzFdD?uX5#C'WN*CJ;vTsxPO$1,T{Ga)yP{O
CTsXh6pDO$=(D!q#IC'v({G+9CD;V=(#
*5V`rSO$,h*4Z 103 3D:O$?H\#$Ts_T(]});PD[
vdC]}=O$#;)dCK]}=O$,Mh*+)9tT MULTI-FACTOR-AUTH
mS= Tivoli Access Manager Plug-in for Web Servers TsD\#$Ts_T(POP)
P#
hC MULTI-FACTOR-AUTH tTs,ZZ(CJJ40*s4P8(D POP O$6
pTB(|(C6p)DyPO$6p#
}g,Y(ZdCD~PhCKTBdC:
[authentication-levels]1 = cert2 = forms
TZTOhC,POP ,S=*sO$6p 2 DJ4"RBD MULTI-FACTOR-AUTH
tThC* true 1,ZxPyZm%DG<0C'XkWHa);vP'DM'z$
i#g{,S=J4D POP 4tC MULTI-FACTOR-AUTH tT,rv9CyZm%
DO$#
tC`rSO$
`rSO$G(}9CT*s`rSO$DTshCD POP _T5VD#
o(:
pdadmin> pop modify pop_name set attribute MULT-FACTOR_AUTH true
XBO$\#$Ts_T
Tivoli Access Manager Plug-in for Web Servers IT?FC'4P=SG<(XBO
$),T7#CJ\#$J4DC'MnuZa0*<WNO$DG,;vK#\#
$TsOD\#$Ts_T(POP)ra0_Y:fGn/,15=Z<IT$nX
BO$#>ZV[ POP )9tT8(DyZ2+T_TDXBO$#XZdCa0/
>$_Y:fDj8E",kNDZ 45 3D:dCe~a0/>$_Y:f;#
0l POP XBO$Du~
?FDXBO$T2+rPDtPJ4a)=S#$#yZ2+T_TDXBO$I
POP PDX()9tT$n,K POP #$yksDJ4Ts#POP IT1S=S=T
sO,r_TsITS8TsLP POP u~#TBe~O$=('VXBO$:
v m%(C'{M\k)O$
v nFO$
mb,IT`4(FDC'{/\k CDAS T'VXBO$#
XBO$Y(C'-HQ-G<=2+r,"RfZKC'DP'>$#ZXBO$
xLP,C'Xk9CMzIVP>$`,Dm]xPG<#XBO$Zd,Tivoli
Access Manager #tC'-HDa0E",|(>$#XBO$Zd;f;>$#
ZXBO$}LP,e~9_Y:fa>XBO$Dks#XBO$I&1,_Y:
f}]CZXB9(ks#
g{XBO$'\,re~YN5XG<a>#g{XBO$I&,+ ACL liTK
J4'\,r5X 4030{9CJ1{""R\xC'TyksJ4DCJ#ZN;i
vB,C'S;"z#9CT;P'D>$,C'ITU9XBO$xL((}ks
m;v URL)"(}CJd|;h*XBO$DJ4@INk2+r#
4(M&CXBO$ POP
yZ2+T_TD?FXBO$(}4(_P{*0reauth1DXb)9tTD\#$
Ts_T(POP)dC#IT+K POP =S=NNh*?FXBO$a)Dnb#$D
TsO#
kG!_P POP DTsDyPS2LP POP u~#?vksDSTsh*%@DX
BO$#
9C pdadmin pop create"pdadmin pop modify M pdadmin pop attach |n#
TB>}{vC reauth )9tT4({*0secure1D POP "+d=S=TsO:
pdadmin> pop create secure
pdadmin> pop modify secure set attribute REAUTH true
pdadmin> pop attach /PDWebPI/hostA/budget.html secure
NN"TCJ budget.html DK<;?H9CMzIVP>$`,Dm]MO$=(x
PXBO$#
g{ksJ4DC'4O$,r POP ?FC'xPO$#?NTXBO$_Ty#$
TsDCJ<h*XBO$#
Z?<PDs`}(+"G+?)Ts<*sXBO$DivB,nCG+ POP =S
={v?<P,|(0reauth1)9tT#TZG);h*XBO$DTs,*d=S
k?<`,D POP,+;|,0reauth1)9tT#
XZ pdadmin |nP5CLrDj8E"ITZ6IBM Tivoli Access Manager Base
\m18O7PR=#
yZxgDO$\#$Ts_T
yZxgDO$\#$Ts_T(POP)_T9CyZC'D IP X7XFTTsDC
JI*I\#IT9CK&\h9X( IP X7(r IP X76')CJ2+rPDN
NJ4#
2ITK_T&C]}O$dC,"T?v8(D IP X76'*sX(O$=(#
yZxgDO$_TGZ POP _TD0IP KcO$=(1tTPhCD#XkZKt
TP8(=v*s:
v O$6p
v JmDxg
XZ8(dC6pDj8E",kNDZ 103 3D:dC]}=O$6p;
8( IP X7M6'
dCO$6p.s,Xk8(K POP _TyJmD IP X7M IP X76'#
pdadmin pop modify set ipauth add |nZ0IP KcO$=(1tTP,18(
Kxg(rxg6')MyhO$6p#
o(:
pdadmin> pop modify pop_name set ipauth add network netmask level_index
QdCDO$6p4S= IP X76'#K=(D?DGa)inT#g{4 IP X7
}KC'";X*,rIT anyothernw(Nbd|xg)hC%;u?#KhC+0
lyPCJC'(;\ IP X7),"*s{G48(6pxPO$#
o(:
pdadmin> pop modify pop_name set ipauth anyothernw level_index
`4,g{#{vTO$6p"Rv#{yZ IP X7Jmr\xCJ,rIT*Jm
D6'9C6p 0,T*\xD6'9C0forbidden1#
anyothernw u?Cwxg6',K6'k4Z POP PmP8(DyPxg%d#K
=(ICZ4(1!u?,Ku?I\xyP;%dD IP X7,rJmzcO$6p
*sDNNKxPCJ#
1!ivB,anyothernw TO$6pw} 0 vVZ POP P#Z pop show |nP
Ku?T>*0Nbd|xg1:
pdadmin> pop show test
\#$Ts_T:test
hv: Test POP
/f: no
sF6p: none
#$6p: none
?UDCJ1d:sun, mon, tue, wed, thu, fri, sat:anytime:local
IP KcO$=(_T
Nbd|xg 0
XZhCO$6pD|j8V[,kN<Z 103 3D:dC]}=O$6p;#
>}
*s IP X76'* 9.0.0.0 RxgZk* 255.0.0.0 DC'9C6p 1 O$(1!i
vBG0password1):
pdadmin> pop modify test set ipauth add 9.0.0.0 255.0.0.0 1
*sX(C'9C6p 0 O$:
pdadmin> pop modify test set ipauth add 9.1.2.3 255.255.255.255 0
h9yPC'(}KgOv>}P8(DG))CJTs:
pdadmin> pop modify test set ipauth anyothernw forbidden
{C4 IP X7D]}O$
*(} IP X7{C]}=O$,kdkTB|n:
pdadmin> pop modify pop_name set ipauth remove network netmask
}g:
pdadmin> pop modify test set ipauth remove 9.0.0.0 255.0.0.0
yZxgDO$c(
Tivoli Access Manager Plug-in for Web Servers 9CTBc(&m POP PDu~:
1. li POP PD IP KcO$=(_T#
2. li ACL mI(#
3. li POP PD?U1d_T#
4. li POP PDsF6p_T#
#$6p\#$Ts_T
#$6p\#$Ts_T(POP)tTJmz8(ZTsO4PYw1yhD}]#
$6p#
pdadmin> pop modify pop_name set qop {none|integrity|privacy}
m 22. QOP 6phv
QOP 6p hv
privacy *s}]S\(SSL)#
integrity 9C3)zF7#}]P4|D#
none 49CNN}]#$=(#
}g:
pdadmin> pop modify test set qop privacy
1 ACL v_D0G1l&2|,yhD#$6p1,#$6p POP tTJm5V%
vBq#g{e~^(#$yhD#$6p,r\xks#
&m4O$C'(HTTP/HTTPS)
Tivoli Access Manager Plug-in for Web Servers S\4T HTTP M HTTPS OQO$
M4O$C'Dks#;se~@5Z(~qw5)2+T_T,=(GJmr_\
xT\#$J4DCJ#
TBu~JCZT SSL _PCJ(D4O$C':
v 4O$C'Me~.dDE";;GS\D - g,kQO$C'D;;#
v 4O$C'Me~.dD SSL ,Svh*~qwKO$#
&m4Td{M'zDks
1. d{M'z(}e~r Web ~qwavks(9C HTTP r HTTPS)#
2. e~*KM'z4(4O$D>$#
3. ks9CK>$Lx0x=\#$D Web Ts#
4. Z(~qwliKTs ACL 4O$u?DmI(,Jmr\xyksDYw#
5. TKTsDI&CJ!vZAY|,A(r)mI(D4O$ ACL u?#
6. g{ks<BZ(v_'\,rM'zSU=G<m%(yZ BA rm%)#
?FC'G<
(}Z#$yksTsD ACL _TPD4O$u?O}7hCJ1mI(,IT?F
4O$C'G<#
A! [PDWebPI]r mI(JmTTsD4O$CJ#
*?F4O$C'G<,kS#$TsD ACL _TPD4O$u?P}%A!
[PDWebPI]r mI(#
&C4O$ HTTPS'V(} HTTPS Te~v? Web ~qwxP4O$DCJGr*m`5JDL5-
r#b)-r|(:
v ;)&CLr;h*vKG<,4h*tPDE",}gX7MEC(E#>}|
(Z_:rIz1Md|L7#
v ;)&CLrh*ZITLxx;=;W.0H"aK5qDJ'#,y,Xk(
}xg+]tPE"#
C ACL/POP _TXF4O$C'
*C ACL/POP _TXF4O$C':
":0any-other1u?`M2F*0any-authenticated1u?`M#
1. *Jm4O$C'CJ+2Ts,k9CAY|,4O$M+O$u?DA!
[PDWebPI]r mI(D ACL 4#$+2Z]#
unauthenticated [PDWebPI]rany-other [PDWebPI]r
":7(mI(1,unauthenticated u?GT any-other u?DZk(p;0k1
Yw)#v1 unauthenticated DmI(Z any-other u?P2vV1EZh
KmI(#IZ unauthenticated !vZ any-other,yT ACL |,
unauthenticated x;|, any-other Dbe;s#g{ ACL 75|,
unauthenticated x;|, any-other,r1!l&G;r unauthenticatedZhNNmI(#
2. **sS\(SSL),k9C8( privacy w*u~D\#$Ts_T(POP)#$
Z]#
kNDZ 109 3D:#$6p\#$Ts_T;#
Z 5 B Web %;"abv=8
+ Tivoli Access Manager Plug-in for Web Servers w*Z(~q5VTT2+ra)
#$1,(#h*TCrPDJ4a)%;"abv=8#>BV[CZ Tivoli Access
Manager Plug-in for Web Servers #$D Web UdD%;"abv=8#
>B|(TBwb:
v :%;"aEn;
v Z 114 3D:T/"a=\#$D&CLr;
v Z 116 3D:S WebSEAL rd|zm%;"a=e~;
v Z 117 3D:9CJO*F cookie xP%;"a;
v Z 118 3D:9C+V%;"a(GSO);
v Z 120 3D:2+Ta)Lr NEGOtiation(SPNEGO)%;"a;
v Z 120 3D:9Cm%D%;"a;
%;"aEn
\#$J4;Ze~v? Web &CLr~qwO1,IT*sksKJ4DM'zZ
CJ;,2+&CLr14P`NG<#?NG<\I\h*;,DG<j6#
\mM,$`vG<j6DJb(#I(}%;"a(SSO)zFbv#SSO JmC'
v9C;v-<G<CJJ4#Web ~qwOJ4DNNx;=G<ksD&mTC'
<G8wD#
Tivoli Access Manager Plug-in for Web Servers 'Vs?;,D%;"ae5a9#b
)e5a9*:
1. ;ve~5}a)T~qwOD`v2+&CLrD%;"a#
2. S WebSEAL rd|zmLr(g WAP xX)%;"a=e~#
3. 9CJO*F cookie a);,Dr.dD%;"a#
4. 9C+V%;"a(GSO)x(d#ia)T9Cf"DC'>$E"D&CLr
DCJ(#
5. 9C2+Ta)Lr NEGOtiation(SPNEGO)4JmTyZ IIS D Web ~qwO
DJ4xPCJ#
6. +yZm%DO$w* SSO DzF#
7. a)g`v2+r+MC'>$DzFDgr%;"a#
8. gSgx%;"a,9CCzFC';hO$;N"aTC')"nF,KnFJ
mC'CJribgxPDd|rx;h*XBO$#
>BV[0 6 v SSO &C!O#Z_MZKv&C!OGB;BDwb#
© Copyright IBM Corp. 2000, 2003 113
T/"a=\#$D&CLr
IT9C HTTP 7M LTPA cookie(&CLr* WebSphere Application Server 1)
q!T~qwO\e~5}#$D&CLrD SSO#
M'zDu<O$.s,e~IT9( HTTP 7,dP|,M'zm]E",ICZT
/O$T#$~qwOKPD&CLr#(}`F==,LTPA cookie ICZq!T
Web &CLr~qw(g WebSphere)D SSO#
9C HTTP 7dCT2+&CLrD%;"a
CZ"a=&CLrD HTTP 7I iv-header Z(s#izI#IzID7/O\F*
IV 7#
I&Z(C'kss,e~IT+(eM'zj6D IV 7ekksP,)&CLr&
m#ksI\#$ Web ~qww\D&CLr&m1,K7E"ICwC'j6D$
w#?NCJBD2+&CLr1,C'MITb%G<DX*#
g{dCCZZ(s&m,r IV 7f;v";)ryP iv-user"iv-user-l"iv-creds"
iv-groups"iv-remote-address"HTTP 7`M;pek#BmPhvKb)7`M#
m 23. IV 7VNhv
IV 7VN hv
iv-user Tivoli Access Manager C'DrL{F#g{M'z4O$(4
*),r1!*4O$#
iv-user-l C'Dj{r{($Mq=),}g LDAP (P{F#
iv-groups C'ytiPm#
iv-creds `kD;8w}]a9,zmC'D Tivoli Access Manager >$#
iv-remote-address M'zD IP X7#K5ITzmzm~qwrxgX7*;Lr
(NAT)D IP X7#
tCM{CzI IV 7
*9e~IT+ IV 7ekQZ(Dks,h*dCe~9C IV 7xPZ(s&m#
pdwebpi.conf dCD~PD [common-modules] Z(eKyPO$=(D9C#*
tC IV 7CZZ(s&m,kZ pdwebpi.conf dCD~D [common-modules] Z
P+X|V5 iv-headers 8(x post-authzn N}#4:
[common-modules]
post-authzn = iv-headers
dC IV 7N}
IV 7O$N}Z pdwebpi.conf dCD~D [iv-headers] ZPdC#
generate N}8(*"zmks1+zID IV 7`M#1!ivB,*"zmks
1e~zIyP`MD IV 7#P'!n*:all"iv-creds"iv-user"iv-user-l M
iv-remote-address#*dk`v7`M,k9C:EVt5#
}g:
[iv-headers]
generate = iv-creds,iv-user,iv-user-l
9C LTPA cookie %;"a= WebSphere Application Server
20e~w* WebSphere Application Server D#$c1,CJDM'zfT=v1Z
DG<c - WebSphere ~qDe~M2+&CLr#*ZKivB*a)%;"a,
ITdCe~zIyZ cookie Da?6Z}=O$(LTPA)zF,"Qd+]='V
LTPA cookie D Web &CLr~qw#
C'"vT~qwOJ4Dks1,XkWHTe~O$C'#O$I&s,e~z
IzmC'D LTPA cookie#w* Web &CLr~qwDO$nFD LTPA cookie |
,C'j6M\kE"#KE"C;Ve~M&CLr~qw.d2mD\\k#$
D\?xPS\#
e~+ cookie ek=ksD HTTP 7P,Kks"M= Web &CLr~qw#&C
Lr~qwSUks,T cookie xPb\,"y] cookie Pa)Dj6E"O$C
'#
*a_T\,e~+ LTPA cookie f"Za0_Y:fP,"T,;C'a0ZdD
sxks9C_Y:fD LTPA cookie#XZhCa0_Y:fDN}Dj8E",k
N<Z 45 3D:dCe~a0/>$_Y:f;#
T9C LTPA cookie %;"a= WebSphere xPdC
9C LTPA cookie 5V%;"a='V LTPA cookie D&CLr~qwGe~DZ(
s&mD;?V#*tCK&\,kT pdwebpi.conf dCD~PD
[common-modules] ZPDN} post-authzn dk|5 ltpa:
[common-modules]
post-authzn = ltpa
LTPA cookie dCGZ pdwebpi.conf dCD~D [ltpa] ZP4PD#TBN}h*
dC#
m 24. LTPA dCN}
N} hv
ltpa-keyfile CZS\ cookie Py|,j6E"D\?D~D+76
{#
ltpa-stash-file \kf"D~D;C#g{^\kf"D~fZ,r&!{
"MKu?#
ltpa-password \kf"D~;fZ1*9CD\k#
ltpa-lifetime LTPA cookie DP'Z(k)#
LTPA %;"aD<u5w
v \?D~|,XZX( Web &CLr~qwDE"#g{r,;e~mS`v&C
Lr~qw,ryP~qw+2m`,D\?D~#
v *9%;"aI&,e~M&CLr~qwXkT3V==2m`,D"amE
"#
v &CLr~qw:phC LTPA M4(2mD\?#
S WebSEAL rd|zm%;"a=e~
1e~v? Web ~qwSU=4TIE&CLr(g WebSEAL r`74CzmL
r)Dks1,IV 7I\aek*S=e~DksP#IV 7|,j6p<M'zDE
",x;G*S~qwDE"#7PDE"CZ9lp<M'zD>$,TCZZ
(#
g{dCe~9C IV 74PM'zO$,re~9CSBqksPR=D IV 7Pi
!Dm]4(M'z>$#IZM'z1l IV 7\]W,yTvZO$ksPhC09
C~6O$Lr1j>1E4(byD>$#
TZO$,ITdC IV 7Z(}zmSU1S\ksPD;v";)ryP
iv-user"iv-user-l"iv-creds r iv-remote-address 7,w*O$D$]#iv-remote-address
7CZG<C'Df}6LX7#b) IV 7`MI Tivoli Access Manager M
WebSEAL 6p#
m 25. IV 7VNhv
IV 7VN hv
iv-user M'zDrL{F#g{M'z4O$(4*),r1!*4O
$#
iv-user-l C'Dj{r{($Mq=)#
iv-groups M'zytiPm#
iv-creds `kD;8w}]a9,zm Tivoli Access Manager >$#
iv-remote-address M'zD IP X7#K5ITzmzm~qwrxgX7*;Lr
(NAT)D IP X7#
":Access Manager vENSIE0KSUD7#g{0K;6p*`74CzmLr
(MPA),rO*|GIED#XZdCe~T'V MPA Dj8E",kN<Z
93 3D:'V`74CzmLr(MPA);#
*Kw*M'zj6D$wS\,WebSEAL rd|zm>mXkQre~O$#b(
#G(}zmMe~#$D Web ~qw.d`%O$D SSL ,S5VD#
tCM{C9C IV 7DO$
pdwebpi.conf dCD~PD [common-modules] Z(eKyPO$=(D9C#*
tC9C IV 7DO$,k+}C0iv-header18(x authentication N}:
[common-modules]
authentication = iv-header
dC IV 7N}
IV 7O$N}Z pdwebpi.conf dCD~D [iv-headers] ZPdC#
accept N}8(S\CZ IV 7O$D IV 7`M#1!ivB,e~S\yP`M
D IV 7#P'!n*:all"iv-creds"iv-user"iv-user-l M iv-remote-address#*dk
`v7`M,k9C:EVt5#
}g:
[iv-headers]
accept = iv-creds,iv-user
9CJO*F cookie xP%;"a
*Z(s&mdCJO*F cookie s,e~ZX(Z~qwrGr6'D cookie PT
M'zD>$}]xPS\#1M'zZ;N,S1,cookie GEZ/@wOD#M'
z"TCJrPDm;v2+~qw1,cookie a)xM'zX(r=DB;v~q
w#cookie CZT/DXBO$,byM'zM;CV/4PXBO$DNqK#4F
D~qwODe~2m;+2\?,K\?b\ cookie Py,D>$E",("Ba
0#
":kTJO*F cookie DzI,Ze~ 4.1 "PfPTnF2+TxPKDx#b
)Dx;\M Tivoli Access Manager 3.9 nF`k#=2,9C#*K\;Lx
k 3.9 Tivoli Access Manager Web 2+Tz72,9C,k+ [pdweb-plugins] ZPDdCN} pre-410-compatible-tokens hC* true#KN}GxL6D,
;\yZ?vibwz8(#
tC9CJO*F cookie D%;"a
IT+JO*F cookie dC*4PO$MZ(sNq#
dC*9CJO*F cookie xPZ(s&mDe~T>$xPS\,"+dw*JO*
F cookie f"ZBql&P#
dC*9CJO*F cookie 4PO$De~CBqksPR=DJO*F cookie PD
S\>$XBO$M'z#
*tC9CJO*F cookie D SSO,k+}C0failover18(xdCD~D
[common-modules] ZPD authentication M post-authzn N}:
[common-modules]
authentication = failover
post-authzn = failover
PXdCJO*F cookie O$Dx;=j8E",kN<Z 70 3D:dCJO*FO
$;#
9C+V%;"a(GSO)
ITdC Tivoli Access Manager Plug-in for Web Servers 4Z(C'CJFcJ4,
b)J4G(}%;G<Z(C'9CD#GSO kTI;,V`DV<=Fc73PD
`v53M&CLriIDsMs5xhF,|9nUC';Yh*\m`vC'{
M\k#
":iPlanet Web ~qw9Ck Tivoli Access Manager `,D LDAP 5}1,TZ
iPlanet Web ~qw,GSO ;GOJD%;"abv=8#
*4( GSO bv=8,XkWH9C Web E'\mwr pdadmin 5CLr44(
Tivoli Access Manager GSO J4M GSO J4i#PX4( GSO J4M GSO J4
iDj8E",kN<6IBM Tivoli Access Manager Base \m18O7#
ZQZ(3vks47(J4>$GqICZyksDJ4sawCy>O$(BA)
Z(s#i#J4>$G3d=?vJ4Mf"ZC'"amPDC'{/\kDi
O#BA Z(s#ilwJOZC'MyksD&CLrJ4DJ4>$,"9Clw
DJ4>$4( HTTP y>O$7,;s+C BA 7mS= HTTP ksP#vTZ;
vksSC'"amPlwJ4>$,TZyPsxks,J4>$lw*a0E
"#
B<5wKgN9C GSO zF4lwsK&CLrJ4DC'{M\k#
1. C' Michael ksCJ\#$DsK Web ~qw&CLr travel-app#Tivoli Access
Manager O$KM'SxqC Tivoli Access Manager m]#g{ksDJ4G;\
#$D,r+ks*"x Web ~qwxP&m#
":%;"a}L@"Zu<O$=(#
2. e~+ Tivoli Access Manager m]+]xC'"am~qw(LDAP r URAF)#
C'"am~qwT+J43dIX(O$E"DN=,${vO$E"D}]
b#O$E"GC'{/\kiO,F*J4>$#;\*Q"aC'4(J4>
$#
Bm5wK GSO J4>$}]bDa9:
Michael                          Jane
resource: travel-app             resource: travel-app
username=mike                    username=Jane
password=123                     password=abc
resource: payroll-app            resource: payroll-app
username=smith                   username=Jones
password=456                     password=xyz
3. "am+C'{0mike1M\k012315Xxe~#
4. e~+ Michael DC'{M\kE"ek"MX Web ~qwDksD HTTP y>
O$(BA)7P#
5. Web ~qwyZS 9 B 4 UekksPD BA 7P Michael D>$4O$ Michael
(TZ{QksDJ4),Mq|G4TM'z;y#
dC+V%;"a
*tC+V%;"a&\,h*dC pdwebpi.conf#Z [common-modules] ZPT
post-authzn N}8(5 BA,gB:
[common-modules]
authentication = ...
session = ...
post-authzn = BA
7#Z modules ZPAY+ BA N}8(*1!#i,4:
[modules]
BA = pdwpi-ba-module
Z pdwebpi.conf dCD~D [BA] ZP,Pm`N}ICZdC BA Z(s#i#b
)e5a9*:
v basic-auth-realm
v strip-hdr
v add-hdr
v gso-resource-name
v supply-password
v supply-username
< 6. 9C GSO T2+&CLrDC'CJ#
*5V=sK&CLrD GSO,h*dC add-hdr M gso-resource-name N}#d
| BA N}ZZ 53 3D:dCy>O$;PxPK|j8DV[#
;)ksQC=O$,add-hdr N}XFBD BA 7DmS#*5V GSO,k+CN
}hC*5 gso:
[BA:virtual_host1]
...
add-hdr = gso
+ add-hdr N}hC* gso 5b6EyZf"ZC'"amPDJ4E"+BD BA
7mS= HTTP ksP#dCD~D [BA] ZPD gso-resource-name N}8(*
tC GSO D Web ~qwJ4D{F#bITyZ?vibwzxP8(#f"ZC
'"amPDJ4>$3d=f"ZKC'"amPD?vJ4#
+ gso-resource-name N}hCI*tC GSO D Tivoli Access Manager J4D{
F#}g:
[BA:virtual_host1]
...
gso-resource-name = payroll-app
?vibwz;\8(;v GSO J4{F#g{4T gso-resource-name 8(5,
r9Cibwz{Fw* GSO J4{F#
":g{zZ Sun ONE(-{* iPlanet)M Tivoli Access Manager .d2m LDAP
"am,r^(9CkG)Z{O$x Sun ONE Web Server DC'{`,D?
jC'{TZ Tivoli Access Manager Z4( GSO J4>$#bGr*1O$C
';Qw}7D LDAP Ts`DTs1,Sun ONE Web Server ;\^( LDAP
Qwu~#
2+Ta)Lr NEGOtiation(SPNEGO)%;"a
Ze~Z+ SPNEGO CwO$zFIa)%;"a&\,byJmC';*u<G=
=rx;h*d|O$M\S Windows M'zCJ2+ IIS Web ~qwODJ4#
SPNEGO %;"aDYwMdCDj8E"|,ZZ 62 3D:dC SPNEGO O$;
P#
9Cm%D%;"a
%;"am%O$Jm Tivoli Access Manager Plug-in for Web Servers 9-O$D Tivoli
Access Manager C'8wXG<=*s9C HTML m%O$De~#$D Web ~q
w#
%;"am%O$'V9C HTML m%O$DVP&CLr,"R;\^D*1SE
NIe~4PDO$#yZe~m%D%;"aa)lYD/I=8,1*"v;v
|IE|_'DO$=(1,&+K=8Sw}Ibv=8#
tC%;"am%O$zzTBa{:
v e~POIsK&CLrt/DO$}L#
v e~a)G<m%yhD}]"zmC'a;G<m%#
v C';*@}Z"zZ~NG<#
v sK&CLr;*@G<m%"G1S4TC'#
e~XkdC*:
v 6pM9XG<m%
v nkJ1DO$}]
\m1(}dCgN6p"jIM&mG<m%4tCm%%;"a#
m%%;"a&mwL
TB&C!OY(e~QO$C'#
1. C'ks\#$ibwzODJ4#
2. e~+ks+]xsK&CLr#
3. r*sK&CLr*sC'O$,A&CLrG<3fDX(r"Xe~#
4. e~+X(r+]x/@w#
5. /@wq-CX(r"ksG<3f#
":=K1*9ZxLwP4PDyPYw<Gj<e~&\#
6. Q*e~dCm%%;"a#e~ FSSO #iyZ|,Ze~dCD~PDE"+
Cks6p*TG<3fDks#+ks"M=&CLr#
7. &CLr5XG<3f,I\95XX(Z&CLrD cookie#
< 7. m%%;"a&mwL#. m%%;"a&mwL#
8. e~9Xl&"bv5XD HTML T6pG<m%#1e~ZD5PR= HTML
m%1,|+m%PDYw URI ke~dCD~PD login-form-action N}5
wHO#g{fZ%d,re~9CR=Dm%,qre~LxQwd|m%#
g{ZC3fP;Pm%k4TdCD~DYw URI #=%d,re~l#U9
m%%;"a&m"+4^DDl&+X/@w#
g{R=G<m%,e~bvD5PDCm% HTML T6pks=("Yw URI
Mm%PDyPd|dkVN,#f|GT)=h 10 9C#;s,|r/@w"
MAG<m%DYw URI DX(r,C URI xP7S*i/D(;ksj6#y
PX(Z&CLrD cookie 2|,ZX(rP#
9. /@wq-CX(r"ksCYw URI#
10. e~(}d(;Di/V{.6pk>ks,"9C4TN}ZM=h 8 P#fD
}]zIO$ks#;s,jIDG<m%(O$ks)+"M=sK&CL
r#
11. &CLr9Ce~Zm%Pa)DO$}]xPO$#&CLr+X(r5X=
u<ksDJ4#
12. e~+X(r5X=/@w#
":bMjIKX(Zm% SSO D&\#
13. /@wq-X(r"ksJ4#
14. e~+ks+]=2+J4#
ZK}LP,/@wTe~"vDvks#SC'DGH44,v"vK;vTJ4
Dks#d|ks(} HTTP X(rT/"z#
&CLr'VD*sm%%;"aO$Z{OTB*sD&CLrO\'V:
1. XkIT9C;vr`v}rmo=j6G<3fr&CLrD3f#
2. G<3fI|,`v HTML m%#+G,G<m%Xk(}+;v}rmo=&C
Z?vG<3fDYw URI 4j6,r_G<m%GG<3fDZ;vm%#k"
b,19C0action1tT4j6G<3f1,0action1tT;a(}e~D HTML
}K#Z}K.0,}rmo=&kYw URI %d#
3. M'zKE>IC4i$dk}],+|;\^Ddk}]#bE}KT9C
Javascript 4/,zIG<m%rZC'D/@wPhC cookie D Web >cD'
V#
4. ZO$}LPG<}]va;;N#
5. ZO;ZD=h 8 P9XDG< URI Xkw*Wc Web ~qwD%;ksxP
&m#}g,Z Apache P,w*b?|nD PHP E>\zK`vSks"^(;
9X#
tCm%%;"a
FSSO #i&mm%%;"a}L#ZZ(ks.s,Web ~qwl&ks.0,h*
wCC#i#rKh*+ FSSO #idC* post-authzn #iM response #i#b
)<Z pdwebpi.conf dCD~PD [common-modules] ZP8(#4:
[common-modules]
...
response = fsso
response #iC46qI Web ~qwT>DG<m%,TcTdxP&m#
pdwebpi.conf dCD~PD [modules] Z(eyPICDO$zF0dX*D2mb
{F#7# fsso u?fZ:
[modules]
fsso = pdwpi-fsso-module
IZe~Dw*G+G#$ Web J4;\4-Z(DCJ,yT49TJ4DyPk
sGyZm%D%;"a}LD;?V,2XkIe~T|GZ(#ZJmCJsK
&CLrG<3f.0,e~*li ACL }]b,ZJmCJm%Yw(ZdP"M
QjIDm%)P8(D URI 02*xPli#g{2+T_T4Zh10C'Tb
)3fDCJ(,ryZm%D%;"a+'\#
dCm%%;"a
m%%;"adCE";Z pdwebpi.conf dCD~PD [fsso] r [fsso:virtual-host]ZP#CZ|,;vr`v8rd|(F|{DZD login-page-stanza u?,b)(
F|{DZ|,ZsK&CLrOR=DG<3fDdCE"#
'V`vG<3fD\&G\X*D,r*~qwI\GtI&CLrDwz,x?
v&CLr9C;,DO$=(#
}g:
[fsso]
login-page-stanza = login-form-1
login-page-stanza = login-form-2
(FG<3fZ
?v(FG<3fZCZ9XXbD URL #=#CZI|,TBN}:
N} hv
login-page KN}9C;v}rmo=8((;j6&CLrG<3fD
ksD#=#+QdCD#=kks URI `HO#
login-form-action KN}9C;v}rmo=8(;v#=,C#=j6D;v
|,Z9XD3fPDm%G&CLrDG<m%#g{P`
vm%%dC#=,r9CZ;vm%#
argument-stanza KN}8rm;vPvjIG<m%yhDVNM}]D(F
Z#
gso-resource KN}a)Z0k arguments-stanza P(eD GSO 4}]1*
9CD Tivoli Access Manager J4D{F#T?v(FG<3
fZvI8(;v GSO J4{F#g{4T gso-resource 8
(5,r9Cibwz{w* GSO J4{F#
}g:
[login-form-1]
login-page = /cgi-bin/getloginpage*
login-form-action = *
argument-stanza = form1-data
gso-resource = payroll-app
XZ login-page N}: login-page N}D5G;v}rmo=,e~C|47(
xkDks5JOGqGTG<3fDks#g{GbViv,e~9XKks"*
<m%%;"a&m#
Z?v(FDG<3fZPvJm;v login-page N}#T?v=SD login-page N
},Xk4(;v=SD(FG<3fZ#
+ login-page }rmo=kks URI `HO#ZTB>}P,TF* myserver1 D
\#$ibwzDksD URI I\T>gB:
https://myserver1.mycompany.com/auth/login.html
K URL Pk login-page }rmo=HOD?V*:
/auth/login.html
XZ login-form-action N}: login-form-action N}CZj6IsK~qwq-
k login-page N}%dDks5XD3fODG<m%#Z?vZPvJm;v
login-form-action N}#
login-form-action N}D5G;v*k HTML form jGD action= tTDZ]HO
D}rmo=#C action tTGT`T76"~qw`T76rxT76m>D URI#
4TsK~qwD login-form-action N}XkkK76%d - 49Z|;*"xM
'z.0(#a;e~^D#
g{3fOD`v action tTkC}rmo=%d,rv+Z;v%dw*G<m%S
\#
g{ login-form-action }rmo=k3fODyPm%<;%d,r+;vms5X
/@w,(fR;=m%#
13f;|,;vG<m%1,IT+ login-form-action = * hC*;VkG<m%
%dDr%=(#
9C}rmo=: ZZ 191 3D=< E, :}rmo=PJmDXbV{;P(eK
m%%;"adCP9CD}rmo=PJmDXbV{#
s`}ivB;h*XbV{,r*G<3fksG%;Ij6D URI#Z3)iv
B,IZmo=Da29C0*1,by URI a2&DNNi/}]<;ah9G<3
f%d#
N}Z: (FN}ZCTBq=|,;vr`vu?:
name = method:value
name
+ name N}D5hC*HZ HTML input jGP name tTD5#}g:
<input name=uid type=text>Username</input>
KN}2I9C HTML select r textarea jGD nametTD5#
method:value
KN}iOlwm%yhDO$}]#O$}]I|,:
v DV.}]
string:text
9CDdkGD>V{.#
v GSO C'{M\k
gso:username
gso:password
dkG10C'D GSO C'{M\k(4T(FG<3fZP8(D?j
gso-resource)#
v C'>$P;vtTD5
cred:cred-ext-attr-name
1!ivB,C>$|,ngC'D Tivoli Access Manager C'{M DN .`DE
"#*+C'D Tivoli Access Manager C'{Cwdk5,kgB8(C5:
cred:azn_cred_principal_name
ITgBCJC'D DN:
cred:azn_cred_authzn_id
2I9C(F>$tT(9Cj)/5zFmS)#
ZKZP;X8(~XdkVN#T/S HTML m%lwb)VN"+|GMO$k
s;pa;#
}g:
[form1-data]
uid = string:brian
":
1. g{G<}Lh*zk,rZa;I\<BJbDm%.0,e~;4PE>zk
(Javascript"AxcitveX H)#g{KzkZa;.0;lidk,r;a"zJb,
+g{zk^DKC'dk,rI\"zJb#
2. d;yZm%D SSO I{C GSO }]bDE",+|;0lI BA #ia)D
GSO &\#
g{h*,I\P;v GSO ?jC4n4"M=sK~qwDy>O$7,9IZ
yZm%D SSO dCP8(m;v GSO ?j)n4G<m%19C#
IBM HelpNow dCD~>}
IBM HelpNow >cwCdT:DyZm%DG<,rKbGm%%;"abv=8g
NTdQGGDC'a)T>cD^lCJD>}#
>Z|,:
v m%?V,`FZI HelpNow &CLr5XD HTML G<3fO"MDm%
v C4&mKm%D(Fm%%;"adCD~
Z9XD HTML 3fPR=Dm%:
<form name="confirm" method="post" action="../files/wcls_hnb_welcomePage2.cgi"><p>Employee Serial Number:&nbp;<input name="data" size="10" maxlength="6"><p>Country Name:<select name="Cntselect" size="1"><OPTION value="notselected" selected>Select Country</OPTION><OPTION value=675>United Arab Emirates - IBM</OPTION>
Z 5 B Web %;"abv=8 125
<OPTION value=866>United Kingdom</OPTION><OPTION value=897>United States</OPTION><OPTION value=869>Uruguay</OPTION><OPTION value=871>Venezuela</OPTION><OPTION value=852>Vietnam</OPTION><OPTION value=707>Yugoslavia</OPTION><OPTION value=825>Zimbabwe</OPTION></select></p><input type=submit value=Submit></form>
C4&mKm%D(FdCD~:
helpnow FSSO configuration:
[forms-sso-login-pages]
login-page-stanza = helpnow

[helpnow]
# The HelpNow site redirects you to this page
# you are required to log in.
login-page = /bluebase/bin/files/wcls_hnb_welcomePage1.cgi
# The login form is the first in the page, so we can just call it
# '*'.
login-form-action = *
# The GSO resource, helpnow, contains the employee serial number.
gso-resource = helpnow
# Authentication arguments follow.
argument-stanza = auth-data

[auth-data]
# The 'data' field contains the employee serial number.
data = gso:username
# The Cntselect field contains a number corresponding to the employee's
# country of origin. The string "897" corresponds to the USA.
Cntselect = string:897
Z 6 B grG<bv=8
5V Tivoli Access Manager Plug-in for Web Servers Ta)T2+rD#$1,(#
h*a)TJ4xP%;"aDbv=8#>BV[g;,e~#$Dr5V%;"
aD=V=(;gSgx%;"aMgrD%;"a(CDSSO)#=Vbv=8<9C
IEDnFZ;,Dr.d+]C'O$E"#
!qD;Vbv=8!vZh*`sDinT#gSgx%;"a9CZ;,r.d
-w%;"a}LDPk~qw#9C CDSSO,r;PPkO$~qw,2;Pa)|
`inTDT/X(r#
|(TBwb:
v :gr%;"a(CDSSO);
v Z 132 3D:gSgx%;"a;
gr%;"a(CDSSO)
Tivoli Access Manager gr%;"a(CDSSO)a)K;VzF4g`v2+r+MC
'>$#CDSSO (}Jm/I`v2+r4'VIluDxge5a9#}g,;vs
MDs5b?xIC=vr|`@XDrhC(?vrPdT:DC'MTsUd)#
CDSSO JmC'9C%;"aZrdF/#CDSSO O$zF;sZ 132 3D:gSg
x%;"a;Gy@5wO$~qw#
9C CDSSO,1C'T;Zm;vrDJ4"vks1,CDSSO zF+;vS\DC
'j6nFSZ;vr+M=Z~vr#VZZ~vrM_PKCC'Dj6(gZ
Z;vrPO$D;y),"RC';X4Pm;NG<#
CDSSO ryZ DNS r#Z,;v DNS rPDyP~qw2m,;vTF\?#*
KTm;v DNS r(I\Z,2I\;Z;,D Tivoli Access Manager rP)PD
~qw4P CDSSO,h*;v;,D\?#
CDSSO DO$&mwL
ZBfD<MD>PhvK CDSSO &mwL#NN#{Nk`vrDC'XkZwr
(ZK}P*r A)P_PP'DC'J'M;vI;3d*?vNkD6LrPP'
J'Dj6#4u<O$=|,CC'J'Du<2+r(A)DC';IwC CDSSO
&\#
1. C'9CZr A PD Web 3fOD(F4S"vCJr B PDJ4Dks#
2. C4S|,;vI pdwpi.conf dCD~PD [cdsso] ZPD uri N}8(DXb
CDSSO mo=#1!5* pkmscdsso:
/pkmscdsso?destination-URL
}g:
/pkmscdsso?https://www.domainB.com/index.html
WHIr A PDe~~qw&mCks#e~9(;v|,C'D Tivoli Access
Manager j6(L{F)"10r(0A1)"=SDC'E"M1dAGDO$n
F#
(}wC(FD CDMF 2mb(cdmf_get_usr_attributes)qC=SC'E"()
9tT)#Kb_PZC'3d}LZda)IIr B 9CDC'tTD\&#
e~}X DES 9CI cdsso_key_gen 5CLrzIDTF\?S\KnF}]#
2mK\?D~"+|f"Zr A Mr B De~v? Web ~qwOD
pdwebpi.conf dCD~PD [cdsso-domain-keys] ZP#
CnF|,;v(enFzfZDIdC1dAG(authtoken-lifetime)#}7d
CC1dAGI@9XE%w#
3. r A De~~qw+CksMS\DnFX(rX/@w,;sX(r=r B D
e~~qw(HTTP X(r)#
4. r B De~~qw9CdT:f>D,;\?D~4b\Mi$4TN<rDn
F#
VZr B De~~qwwC CDSSO O$zFb#SB4,K CDSSO bwC4
P5JC'3d(cdmf_map_usr)D(F CDMF b#
CDMF b+C'j6MyP)9tTE"+]X CDSSO b#CDSSO b9CKE
"9(>$#
5. r B DZ(~qyZC'>$MkksDTsX*DX( ACL mI(Jmr\x
T\#$TsDCJ#
< 8. CDSSO &mwL#
tCM{C CDSSO O$
pdwebpi.conf dCD~PD [common-modules] Z(eKyPO$=(D9C#*
tC CDSSO O$,k+u? cdsso 8(xO$N}:
[common-modules]
authentication = cdsso
9C CDSSO O$1,9XkdCe~CZ CDSSO Z(s&m#Z pdwebpi.conf d
CD~D [common-modules] ZPmSN} post-authzn,gBy>:
[common-modules]
authentication = cdsso
post-authzn = cdsso
pdwebpi.conf dCD~PD [modules] Z(eyPICDO$zF0dX*D2mb
{F#7#m%O$Du?fZ:
[modules]
cdsso = pdwpi-cdsso-module
S\O$nF}]
e~Xk9CI cdsso_key_gen 5CLrzID\?TnFPDO$}]xPS\#
Xk(}Z?vNkrPD?ve~v? Web ~qw.d2m\?D~40,=1K
\?#?vrPD?vNkDe~~qwh*9C,;\?#
":4(MV"\?D~;G Tivoli Access Manager CDSSO }LD;?V#
KP cdsso_key_gen 5CLr1,CLr*s8(\?D~D;C(xT76{):
UNIX:
# cdsso_key_gen absolute-pathname
Windows:
MSDOS> cdsso_key_gen absolute-pathname
Z?vrPDNke~~qwD pdwebpi.conf dCD~PD [cdsso-domain-keys] Z
PdkK\?D~D;C#[cdsso-domain-keys] ZSZ [modules] ZP(eD
pdwpi-cdsso-module {FIzd{F#|Dq=* [cdsso-module-name-domain-keys]#I(}4( [cdsso-module-name-domain-keys:virtual-host-name] ZT?vibwz8(
Cr\?#Ku?Dq=|(r{M\?D~;C:
[cdsso-domain-keys]
domain-name = keyfile-location
r A dC>}:
[cdsso-domain-keys]
www.domainB.com = pathname/A-B.key
r B dC>}:
[cdsso-domain-keys]
www.domainA.com = pathname/A-B.key
ZTO>}P,IZ;(zw(}ge~ A)OzI A-B.key D~"V/("2+X)
+|4F=m;(zw(}ge~ B)#
dCnF1dAG
nF|,;vIdCD1dAG,C1dAG(eO$nFDzfZ#;)1dAG
Q}Z,MO*CnF^'"R;I9C#C1dAG(}hC;vc;LD5T@
9nF;T"ZdzfZZ;XE,4oz@9XE%w#
;Z pdwebpi.conf dCD~D [cdsso] ZPD authtoken-lifetime N}hCnFD
zfZ5#C5Tkm>#1!5* 180:
[cdsso]
authtoken-lifetime = 180
IT?vibwzXhK5#Xk<GNkDr.dD1S+n#
ZO$nFP|,>$tT
I(}Ze~dCD~D [cdsso-token-attributes] ZP8(>$tT4+|G|,Z
CDSSO nFP#*|,DtTIyZTHrr?vr8(#v1}Z9C1! SSO n
F4(M{Db1KZPPvD>$tTEG`XD#g{Z CDSSO $5nFP;h
*>$tT,rI+KZtU#
KZD1!{FSZ [modules] ZP(eD pdwpi-cdsso-module D#i{FIzx4#
|Dq=* [cdsso_module_name-token-attributes]#
1!ivB,[cdsso-token-attributes] ZPD5gyPibwz9C,"I(}4(
[cdsso_module_name -token-attributes:virtual_host] ZT?vibwzXhC5#
Cu?Dq=*:domain_name = pattern1, pattern2, ... pattern n#
k?jwzrrD8(#=%dD>$tT|,Z*C?jwzrr9lD CDSSO $
5nFP#T?vtTv9C;v5,"R;'VV{.5#+vTd|`MD>$
tT5#ICkZ 191 3D=< E, :}rmo=PJmDXbV{;P5wDV{.
%dD#=48(#=#
}g:
[cdsso-token-attributes]
ibm.com = attrprefix_*, *name*
tivoli.com = *_attrsuffix, some_exact_attribute
I9C>ZPD <default> u?4dC1!tT/#1;Pd|u?kX(D?jwz
%d1,r9CK1!tT/#g{ <default> u?;fZ,1!ivB;|,NNt
T#
S\M\x4T CDSSO O$nFD>$tT
I(}Z [cdsso-incoming-attributes] ZP8(5,8(*SxkD CDSSO O$n
FS\M\xD>$tT#k+vDtTdC;,,^(yZTHrr?vrdCx
ktT#vIdC;vtT#=/,"R^[4gN,b)#=<+&CZxkDn
F(x;\b)nF4TN=)#v1}Z9C1! SSO nF4(M{DbxPK&
m#KZD1!{FS [modules] ZP(eD pdwpi-cdsso-module D#i{FIzx
4#|Dq=* [cdsso_module_name-incoming-attributes]#1!ivB,KZPD5
gyPibwz#+G,I(}dC
[cdsso_module_name-incoming-attributes:virtual_host]ZT?vibwzXh|G#
KZPu?Dq=*:
attribute_pattern = preserve|refresh
ZwC CDMF bT+6LC'3d=>XrP0,S CDSSO nFP}%k refresh u
?%dDtT##tk preserve u?%dDtTrkNNu?<;%dDtT#g{4
dCNNu?,r#tyPtT#
8( sso-create M sso-consume b
*8( sso-create M sso-consume b,k`-e~dCD~#Z
[authentication-mechanisms] ZP,!{ sso-create M sso-consume u?D"M"m
SJOZYw53`MDe~JO*F cookie bD{F#
1!dCD~u?*:
[authentication-mechanisms]
sso-create = /opt/pdwebrte/lib/libssocreate.so
sso-consume = /opt/pdwebrte/lib/libssoconsume.so
r_,QzI;v5V sso-create M sso-consume &\D(Ff>D CDAS b1,+
(F CDAS D{Fw*dCD~X|V5ek#}g,g{T sso-create zIK;v
(FD CDAS,kdkxT76{:
[authentication-mechanisms]
sso-create = /dir_name/custom_cdas_sso-create.so
m> CDSSO 4S
=Z~v2+rODJ4D4SXk|,;vXbD CDSSO mo=,Cmo=9Cd
CD~D [cdsso] ZPD uri N}dC#1!5* /pkmscdsso:
/pkmscdsso?destinationURL
1dC*Z(s#i1,T /pkmscdsso?remote-uri Dks+QM'zX(r=
remote-uri?PD-REFERER=this-host&argument=authentication-token
9C pdwebpi.conf dCD~PD [cdsso] ZPD cdsso-argument N}dC8(O
$nFDi/V{.N}D{F#1!5* PD-ID#IT?vibwzXhK5#
;&Z9C(F SSO 4(/{Db1|D cdsso-argument N}D1!5 PD-ID#
9Ca)D SSO 4(/{Db1,Xk9C1!5 PD-ID#
#$O$nF
1O$nF;|,O$E"(gC'{M\k)1,|;|,ZSUrPIEDC'
j6#rKXk#$nFTm;;T!MXE#
(}9C SSL 4#$e~v? Web ~qwMC'.dD(E,I#$nF;;S_
7PT!#nFI\;SC'D/@wz7G<P;[-TXT!#nFOD1dA
G&c;LT9CZnFDzfZZ;I\T!MXEnF#
+G,d1dAGQ=ZDnFT;W\\k%w#g{C4S\nFD\?;"V
r9\,rqbC'I9(dT:DnF#
;sI+b)nFek=0pseudo-CDSSO w1P#^(+|GM CDSSO rPNkD
e~~qwDf5O$nFxPxV#rK,2Xkww\mC4#$nFD\?,
"(ZxP|D#
gSgx%;"a
Tivoli Access Manager Plug-in for Web Servers gSgx%;"a&\JmC'g`v
rPD`v~qwCJJ4x^hXBO$#
0gSgx1G;iNkL5X5D;,Dr(Tivoli Access Manager r DNS)#b)
NkDrITdC*;nL5D;?V("RIZXm-rI\9C;,D DNS {
F),rdC*5P2mX5D;,5q(}g+>\?"KY#U+>MFq\m
+>)#
ZN;=8P,\P;vr8(*0w1r0yP_1r#ZNk5qDivB,w
r5P\mgSgxDL5-i#
Z=V=8P,XZNkgSgxDC'DO$E"(|(CZO$DC'{M\
k)GZwrP,$D#bV2EJmT\mJbD%c}C,}ggSgxPDo
z@fwC,|G<8rwr#
w*!q,ITC Tivoli Access Manager Web Portal Manager /ITKE"D\m,
byNkr:p\mdT:DC'#
wr05P1C' - 4XFC'DO$E"#^[C'ZN&ksJ4,wr<UG
C'XkxPO$DX=#
TwO$~qw(MAS)xPO$ - ;ZwrP"RdC*O$yPC'D~qw
(r1>~qw/O)#MAS D0p&^F*a)O$~q#MAS ;C|,TC'I
CDJ4#
C'r MAS I&O$.s,MAS zI$5nF#KnF+XC'"vksD~qw#
~qw+K$5nFS*$w,$5C'QI&r MAS O$"ITNkgSgx#
gSgxr.dDE"*FZZ 133 3D:gSgx%;"a&mwL;;ZPj8
hv#
gSgx%cO$&\M*sgSgx%;"aPgB&\M*s:
v gSgx&\'V9CJ4D1S URL(i))xPCJ#
v 5VgSgx*sTNkgSgxDyPrPDyPe~xP;BDdC#
v NkgSgxDyPC'T;ZwrPD%vwO$~qw(MAS)xPO$#
v g{C';P MAS DP'J',rgSgx5VJmZ6LrPxP0>X1O
$#
ksG MAS(+Nk)rPDJ41,r MAS O$'\DC'IT!qr"vk
sD>X~qwO$#
v MAS(nsG6LrPd|y!~qw)$5C'DQO$j6#
v rX(D cookie CZj6ITa)$5~qD~qw#bJm6LrPD~qwZ
>Xks$5E"#gSgx cookie DS\Z];|,C'j6r2+TE"#
v XbnFCZ+]S\D0$51C'j6#$5nF;|,5JDC'O$E"#
j{TI2m\?a)(}X DES)#nF|,^FnFP'TVx1dD,1(P
'Z)5#
v HTTP M HTTPS O<'VgSgx5V#
v gSgxDdCZ?vNke~D pdwebpi.conf D~PhC#
gSgx%;"a&mwL
gSgxIe~v?wO$~qw(MAS)Mw*gSgxD=Se~v?~qwi
I#gSgx%;"abv=89Ik WebSEAL #$DJ4;%Yw#
gSgxD5VyZ$553#(#,14O$C'(}e~ksJ41,aa>{
Ga)O$E"#ZgSgxdCP,e~~qwj6$5~qw"SK$5~qw
ksC'QO$Di$#$5~qwf"C'DP'>$E"#
TZC'DZ;Nks,$5~qw<UG MAS#MAS Lxd1;ZwrPDJ4D
$5~qw#fEC'LxZgSgxZksJ4,?v6LrPD%v~qw<I
T*C'9(dT:D>$(y]4T MAS DC'j6E"),"#NdrPJ4D
$5~qwG+#
TO>}T>fZZgSgxPD=vr,IBM rM Lotus r#TBxLZC'Z;
NG<=gSgxPD2+ Web >c1"z:
1. C'ksT Web ~qw ww1.ibm.com ODJ4xPCJ#e~9Xks"7O
ww1.moo.com QdCI Tivoli-IBM-Lotus gSgxD;?V#S ww1.ibm.com d
CPj6gSgxPD MAS ~qw#
2. ks+]= MAS - www.tivoli.com#MAS zm ww1.ibm.com O$ks,")"$
5nF,KnFI*C'DgSgxj6#nFPDC'j6E"GS\D#
< 9. G<=gSgx#
3. MAS +$5nF"M= ww1.ibm.com#ww1.ibm.com +K$5nFS*$w,$5
C'QI&r MAS O$,VZITyZ#fZ(XFCJyksDJ4#
gSgx cookie
v gSgx cookie GIe~hCDX(ZrD cookie /O,f"ZC'/@wDZf
P,"ZsxksP+M=d|e~5}(,;rP)#
v X(ZrD cookie |,$5~qwD{F"gSgxj6"$5~qwD;C
(URL)M&\T0P'Z5#cookie ;|,C'E"#
v gSgx cookie JmNkrPD~qwZ>Xks$5E"#MAS y(;DrDg
Sgx cookie DwC;Pb4X*#
v cookie _PZ pdwebpi.conf dCD~PhCDP'Z(,1)5#KP'Z58(
6L~qwIT*C'a)$5E"D1d$H#cookie P'Z=Z1,C'XkX
(r MAS TxPO$#
v XU/@w1,cookie SZfe}#g{C'SX(rP"z,rgSgx cookie 2
G*U#KYwP'X+dS/@wP}%#
$5ksM&p
gSgx$5Ywh*(CD&\,K&\(}=vXb9lD URL CJ:$5ks
M$5&p#b) URL GZgSgx$5 HTTP X(rZdy] pdwebpi.conf PD
dCE"9lD#
$5ksC'S;|,dNN>$E"D?j~qw(*gSgxdC)ksJ41,%"$
5ks#~qwr$5~qw(MAS rgSgx cookie P8(D~qw)"M HTTP
X(r#
$5ks|,TBE":
https://vouch_for_server/pkmsvouchfor?ecommunity_name&target_url
SU=~qwli ecommunity_name Ti$gSgxj6#SU=~qw9C$5&p
PD target_url +/@wX(r=-HksD3f#
pkmsvouchfor $5 URL GIdCD#
}g:
https://www.tivoli.com/pkmsvouchfor?companyABC&https://ww2.lotus.com/index.html
$5&p
$5&pG$5~qwT?j~qwDl&#
$5&p|,TBE":
https://target_url?PD-VFHOST=vouch_for_server&PD-VF=encrypted_token
PD-VFHOST N}8(4P$5YwD~qw#SU=(?j)~qw9CKE"!q
b\$5nF(PD-VF)yhD}7\?#PD-VF N}zmS\D$5nF#
}g:
https://ww2.lotus.com/index.html?PD-VFHOST=www.tivoli.com&PD-VF=3qhe9fjkp...ge56wgb
$5nF
*5Vgr%c"a,XkZ~qw.d+d;)C'j6E"#KtPE"IX(
r&m,X(r|,S\w* URL ;?VDj6E"#KS\}]F*$5nF#
v nF|,$5I&r'\4,"C'Dm](g{I&)"4(nFD~qwD+
^({F,gSgxj6T04(1d5#
v P'$5nFDVP_IT9CKnFZ~qwO(";va0(T0>$/
O),x;XT=rK~qwO$#
v nF9C2mD}X DES \?S\,rKITi$df5T#
v S\DnFE";f"Z/@wO#
v nF;+];N#SU=~qw9CKE"ZdT:D_Y:fP9(C'>$#
~qw+b)>$CZ,;a0PKC'TsavDks#
v nF_PZ pdwebpi.conf dCD~PhCDP'Z(,1)5#K5I\\L(8
k)TuYXE%wD#U#
":nF2+TQZe~ 4.1 "PfPxPKDx#b)Dx;\M Tivoli Access
Manager 3.9 nF`k#=2,9C#*K\;Lxk 3.9 Tivoli Access Manager
Web 2+Tz72,9C,k+ [pdweb-plugins] ZPDdCN}
pre-410-compatible-tokens hC* true#KN}GxL6D,;\yZ?vib
wz8(#
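The vouch-for exchange and the token lifetime rule described above, as an added example that is not IBM's code and not part of this manual. It builds and parses the vouch-for request and vouch-for response URLs in the formats shown, selects the key by the domain of PD-VFHOST in the same way the [ecsso-domain-keys] stanza is keyed, and applies the vf-token-lifetime check. The token layout is a stand-in: identity, e-community name and creation time protected with HMAC-SHA256 under the shared domain key, used here in place of the product's triple-DES encrypted token, whose byte layout the page does not give. MAX_SKEW, the '&' join when target_url already carries a query string, and the dict-based key table are assumptions of the example.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode, urlsplit

# Values taken from the [ecsso] defaults documented on this page.
VF_URL = "/pkmsvouchfor"        # vf-url
VF_ARGUMENT = "PD-VF"           # vf-argument
VF_TOKEN_LIFETIME = 180         # vf-token-lifetime, seconds
MAX_SKEW = 30                   # assumed tolerated clock skew between servers (not from the page)
MAC_LEN = hashlib.sha256().digest_size


def build_vouch_for_request(vouch_for_server, ecommunity_name, target_url):
    """Receiving server -> vouch-for server (the MAS, or the server named in the
    e-community cookie): https://vouch_for_server/pkmsvouchfor?ecommunity_name&target_url"""
    return f"https://{vouch_for_server}{VF_URL}?{ecommunity_name}&{target_url}"


def parse_vouch_for_request(url, expected_community):
    """Vouch-for server side: refuse requests for another e-community and return
    the target_url the browser has to be redirected back to."""
    parts = urlsplit(url)
    if parts.path != VF_URL:
        raise ValueError("not a vouch-for request")
    name, sep, target = parts.query.partition("&")   # target_url may itself contain '&'
    if not sep or name != expected_community:
        raise ValueError("e-community name mismatch")
    return target


def make_token(key, user, community, now=None):
    """Stand-in for the product's encrypted vouch-for token: user, community and
    creation time, integrity-protected with HMAC-SHA256 under the shared domain key."""
    created = int(time.time() if now is None else now)
    body = f"{user}|{community}|{created}".encode()
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + mac).decode().rstrip("=")


def verify_token(key, token, community, now=None, lifetime=VF_TOKEN_LIFETIME):
    """Return the vouched-for user, or None if the token is forged, for another
    community, or older than vf-token-lifetime (plus the tolerated skew)."""
    raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    body, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    if not hmac.compare_digest(mac, hmac.new(key, body, hashlib.sha256).digest()):
        return None                         # wrong domain key or tampered token
    user, tok_community, created = body.decode().split("|")
    now = int(time.time() if now is None else now)
    age = now - int(created)
    if tok_community != community or age < -MAX_SKEW or age > lifetime + MAX_SKEW:
        return None                         # stale: the user must authenticate at the MAS again
    return user


def build_vouch_for_response(target_url, vouch_for_server, token):
    """Vouch-for server -> target server redirect:
    https://target_url?PD-VFHOST=vouch_for_server&PD-VF=encrypted_token
    (joined with '&' if target_url already has a query string: an assumption)."""
    sep = "&" if "?" in target_url else "?"
    return target_url + sep + urlencode({"PD-VFHOST": vouch_for_server, VF_ARGUMENT: token})


def parse_vouch_for_response(url, domain_keys, community, now=None):
    """Target server side: pick the key by the domain of PD-VFHOST, exactly as
    [ecsso-domain-keys] is keyed, then verify the token. domain_keys maps a
    domain name to key bytes."""
    params = dict(parse_qsl(urlsplit(url).query))
    host, token = params.get("PD-VFHOST"), params.get(VF_ARGUMENT)
    if not host or not token:
        return None
    key = next((k for d, k in domain_keys.items() if host == d or host.endswith("." + d)), None)
    if key is None:
        return None                         # no key configured for the vouching server's domain
    return verify_token(key, token, community, now)
```

The lifetime is the only freshness control in this stand-in, as it is in the token the page describes (status, user, issuing server, e-community, creation time): nothing binds a token to a single use, so a token captured and replayed at the same target inside vf-token-lifetime would be accepted. That is the reason to keep the lifetime short and to treat the per-domain key file as a secret shared by exactly the two domains it names.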
S\$5DnF
Tivoli Access Manager Plug-in for Web Servers Xk9CI;Z pdwebrte/bin ?<D
cdsso_key_gen 5CLrzID\?S\nFPDO$}]#Xk(}M?vNkr
PD?ve~~qw2m\?D~0,=1\??#?vrPD?vNkDe~~q
wh*9C,;\?#
":4(MV"\?D~;G Tivoli Access Manager gSgxxLD;?V#XkV
/+\?2+4F=?vNkD~qw#
KP cdsso_key_gen 5CLr1,CLr*sz8(K5CLrD+76M\?D~
D;C(xT76{):
UNIX:
# /opt/pdwebrte/bin/cdsso_key_gen absolute_pathname
Windows:
MSDOS> install_path/pdwebrte/bin/cdsso_key_gen absolute_pathname
S\\?Z pdwebpi.conf dCD~D [ecsso-domain-keys] ZPdC#KdCDj
8E"|,ZB;ZP,:dCgSgx;#
dCgSgx>Z4igSgx5Vh*DyPdCN}#b)N};Z pdwebpi.conf D~P#X
k*gSgxPD?ve~P8dCKD~#
tCM{CgSgxI1
pdwebpi.conf dCD~PD [common-modules] Z(eKyPO$=(D9C#*
9e~~qwIZgSgxZxPYw,k+u? ecsso 8(x authentication M
pre-authzn N},gBy>:
[common-modules]
authentication = ecsso
pre-authzn = ecsso
*G MAS gSgxI1xPdC1,ecsso O$XkEHZd|O$zF;4,Xk
ZO$#iPmPDd|O$#=.08( ecsso#xR,g{ ecsso #iEHZCH
1!5 1 |_DO$6p8(DO$#i,r ecsso #i>mXkAYdC*,;O
$6p#
pdwebpi.conf dCD~PD [modules] Z(eyPICDO$zF0dX*D2mb
{F#7#gSgx SSO Du?fZ:
[modules]
ecsso = pdwpi-ecsso-module
e-community-name
e-community-name N}j6~qwytDgSgxD{F#}g:
[ecsso]
e-community-name = companyABC
gSgxyPI1D e-community-name 5Xk`,#
is-master-authn-server
KN}j6C~qwGqG MAS#I\D5* yes r no#TZgSgx MAS,N}
hCgB:
[ecsso]
is-master-authn-server = yes
`ve~ITdC*wO$~qw,;sEZ:X=bw.s#ZK=8P,gSg
xPDd|yPe~~qw<+:X=bw6p* MAS#
g{ is-master-authn-server hCI yes,rK~qw+S\4Td|e~5}D$5
k s , b ) e ~ 5 } D e - c o m m u n i t y - n a m e ` , , " R d r \ ? P Z
[ecsso-domain-keys] ZP#
master-authn-server
g{ is-master-authn-server N}hC* no,rXk!{"M"8(
master-authn-server N}#KN}j6gSgx MAS D+^(r{#}g:
[ecsso]
master-authn-server = www.tivoli.com
master-http-port
VdwO$~qwCZSU HTTP ksDKZE#g{KZE;Gj<KZ 80,rX
kZK8(Gj<KZE#
[ecsso]
master-http-port = port_number
master-https-port
VdwO$~qwCZSU HTTPS ksDKZE#g{KZE;Gj<KZ 443,r
XkZK8(Gj<KZE#
[ecsso]
master-https-port = port_number
vf-token-lifetime
KN}hC$5nFDP'Z,15(k)#y] cookie OD4(1dAGliK5#
1!5* 180 k#Xk<GNk~qw.dD1S+n#1!ivB,N}hCgB:
[ecsso]
vf-token-lifetime = 180
vf-url
KN}8($5 URL#K5XkT}1\(/)*<#1!hC5*:
[ecsso]
vf-url = /pkmsvouchfor
2ITm>)9 URL:
vf-url = /ecommA/pkmsvouchfor
vf-argument
vf-argument N}D5GvVZ$5&pPD$5nFDN}{#;P}Z9C(F4
(M{D#i"R9C;,DN}{4m>$5nF1,E&|D PD-VF D1!5#
MAS 9CC549($5&p,"INkD ECSSO ~qwC4+xkDksxp*
xP$5E"Dks#
[ecsso]
vf-argument = PD-VF
allow-login-retry
1C'4PK;I&DG<1,9CyZC'{/\kDO$#=D MAS _P=v!
n:|I\a>C'YNdkd>$,r_|I\9C'"4X(rX{Gnu"T
CJD~qw,x;$5KC'#Zs;VivB,?FC'1SrSt~qwO
$#allow-login-retry N}Z MAS &XFCP*#CN}vJCZ ecsso gxP MAS
DdC#
":C'IT"TXBhC=ZD\k#
Z MAS &"zDd|G<JO(}gJ'x()<B"4X(rXSt~qw,k
allow-login-retry N}D5^X#1!ivB,N}hCgB:
[ecsso]
allow-login-retry = true
use-utf8
KN}XF ECSSO $5nFMgSgx cookie ZDV{.`k#KN}D5;0l
I1! SSO 4(M{Db4(M{DD$5nF#
[ecsso]
use-utf8 = true
ecsso r\?
dCD~D [ecsso-domain-keys] ZP(eDG\?D~D;C,T MAS M6Lr
PNkD~qw.dDnFxPS\Mb\1h*b)\?D~#dC MAS |(*?
vdGwDr(e\?#dC MAS TbDgSgxI1|(*rM MAS (e\?#
Xk*~qw8(+^(r{,"*\?D~;C8(xT76{#
TB MAS dC>}T;Z tivoli.com rZD MAS a)\?D~,CZk=v6Lr
(E:
[ecsso-domain-keys]
ibm.com = /abc/xyz/ibm-tivoli.key
lotus.com = /abc/xyz/lotus-tivoli.key
tivoli = /abc/xyz/tivoli.key
":ZOv>}P,_PCZZ tivoli rPD~qw.d;;}]D tivoli.key G\X
|D#
dCrPD~qw|(8( MAS rMCZk MAS ;;E"D`&\?#rP~qw
. d D } ] ; ; 2 h * \ ? # } g : N k g S g x D r P D ~ q w D
[ecsso-domain-keys] ZI\gB:
[ecsso-domain-keys]
# the key for data exchange between the MAS (tivoli.com)
# and the ibm.com domain servers
tivoli.com = /abc/xyz/ibm-tivoli.key
# the key for data exchange between servers in the ibm.com domain
ibm.com = /abc/xyz/ibm.key
Z$5nFP|,>$tT
I(}Ze~dCD~D [ecsso-token-attributes] ZP8(>$tT+|G|,Z
eCSSO $5nFP#*|,DtTIyZTHrr?vr8(#v1}Z9C1! SSO
nF4(M{Db1KZPPvD>$tTEG`XD#g{Z eCSSO $5nFP;
h*>$tT,rI+KZ#t*U#
KZD1!{FSZ [modules] ZP(eD pdwpi-ecsso-module D#i{FIzx4#
|Dq=* [ecsso_module_name-token-attributes]#
1!ivB [ecsso-token-attributes] ZPD5gyPibwz,"I(}4(
[ecsso_module_name-token-attributes:virtual_host] ZT?vibwzXh#
Cu?Dq=*:domain_name = pattern1, pattern2, ... pattern n#
k?jwzrrD8(#=%dD>$tT|,Z*C?jwzrr9lD eCSSO $
5nFP#T?vtTv9C;v5,"R;'VV{.5#+vTd|`MD>$
tT5#ICkZ 191 3D=< E, :}rmo=PJmDXbV{;P5wDV{.
%dD#=48(#=#
}g:
[ecsso-token-attributes]
ibm.com = attrprefix_*, *name*
tivoli.com = *_attrsuffix, some_exact_attribute
I9C>ZPD <default> u?4dC1!tT/#1;Pd|u?kX(D?jwz
%d1,r9CK1!tT/#g{ <default> u?;fZ,1!ivB;|,NNt
T#
S\M\x4T$5nFD>$tT
I(}Z [ecsso-incoming-attributes] ZP8(5,8(*SxkD$5nFS\M
\xD>$tT#k+vDtTdC;,,^(yZTHrr?vrdCxktT#
vIdC;vtT#=/,"R^[4gN,b)#=<+&CZxkDnF(x;
\b)nF4TN=)#v1}Z9C1! SSO nF4(M{DbxPK&m#KZD
1!{FSZ [modules] ZP(eD pdwpi-ecsso-module D#i{FIzx4#|Dq
=* [ecsso_module_name-incoming-attributes]#1!ivB,KZPD5gyPib
wz#+G,I(}dC [ecsso_module_name-incoming-attributes:virtual_host] ZT?v
ibwzXhb)5#
KZPu?Dq=*:
attribute_pattern = preserve|refresh
ZwC CDMF bT+6LC'3d=>Xr0,S eCSSO $5nFP}%k refresh
u?%dDtT##tk preserve u?%dDtTrkNNu?<;%dDtT#g{
4dCNNu?,r#tyPtT#
8( sso-create M sso-consume b
*8( sso-create M sso-consume b,k`-e~dCD~#Z
[authentication-mechanisms] ZP,!{ sso-create M sso-consume u?D"M"m
SJOZYw53`MDe~JO*F cookie bD{F#
1!dCD~u?*:
[authentication-mechanisms]
sso-create = /opt/pdwebrte/lib/ibssocreate.so
sso-consume = /opt/pdwebrte/lib/libssoconsume.so
r_,QzI;v5V sso-create M sso-consume &\D(Ff>D CDAS b1,+
(F CDAS D{Fw*dCD~X|V5ek#}g,g{T sso-create zIK;v
(FD CDAS,kdkxT76{:
[authentication-mechanisms]
sso-create = /dir_name/custom_cdas_sso-create.so
t4\}7dC ecsso \?,re~U>D~PazI/f#
dCgSgx%;"a - >}
TB>}P,P=vQdCDgSgx(lotus-domino M ibm-db2)T0O$b=vg
xDksD%v MAS#
TBu~JCZK>}:
v www.tivoli.com G=vgSgxD MAS#
v lotus-domino gSgxPfZ=v;,Dr(rcp{?vrPP;v~qw)-
domino.com M lotus.com#CJb)rdP.;DC'IT;hXBO$MCJd|
r,r*yPDCJ<G(} MAS Z(D#
v ibm-db2 gSgx|,=v;,Dr - ibm.com M db2.com#CJb)rdP.;
DC'IT;hXBO$MCJd|r#
v CJ ibm.com ~qw.;DC'IT9C$5nFCJm;v~qw#ZKivB,
;h* MAS ZhCJ(MIT5V%;"a#
ZTO>}P,TBdC!nJC:
dC MAS - www.tivoli.comr* MAS G`vgSgxDXFPD,yTh*dC ecsso #iD=v;,
5}"(e MAS X~h*DgSgx{F#MAS h*Q8(dXFDyPg
xPDwrDyP\?#gBy>hCdC:
[modules]
ecsso1 = pdwpi-ecsso-module
ecsso2 = pdwpi-ecsso-module
[common-modules]
authentication = ecsso1
authentication = ecsso2
pre-authzn = ecsso1
pre-authzn = ecsso2
[ecsso1]
e-community-name = lotus-domino
is-master-authn-server = yes
.....etc
< 10. gSgx%;"adC>}
[ecsso2]
e-community-name = ibm-db2
is-master-authn-server = yes
.....etc
[ecsso1-domain-keys]
# one key for each domain the MAS controls
domino.com = /abc/tivolikeys/tivoli-domino.key
lotus.com = /abc/tivolikeys/tivoli-lotus.key
db2.com = /abc/tivolikeys/tivoli-db2.key
ibm.com = /abc/tivolikeys/tivoli-ibm.key
dC www.domino.com
[modules]
ecsso = pdwpi-ecsso-module
[common-modules]
authentication = ecsso
pre-authzn = ecsso
[ecsso]
e-community-name = lotus-domino
is-master-authn-server = no
master-authn-server = www.tivoli.com
.....etc
[ecsso-domain-keys]
# key for encrypting/decrypting data
# between servers in the domino.com domain
domino.com = /abc/domino-keys/domino.key
# key for encrypting/decrypting data between
# servers in the domino.com domain and the MAS
tivoli.com = /abc/domino-keys/tivoli-domino.key
dC www.lotus.com
}Kr\?;,b,5VT www.lotus.com xP%;"aDdCN}M*
www.domino.com dCDN}`,#www.lotus.com Dr\?dCgB:
[ecsso-domain-keys]
# key for encrypting/decrypting data
# between servers in the lotus.com domain
lotus.com = /abc/lotus-keys/lotus.key
# key for encrypting/decrypting data
# between servers in the lotus.com domain and the MAS
tivoli.com = /abc/lotus-keys/tivoli-lotus.key
dC www.db2.com
[modules]
ecsso = pdwpi-ecsso-module
[common-modules]
authentication = ecsso
pre-authzn = ecsso
[ecsso]
e-community-name = ibm-db2
is-master-authn-server = no
master-authn-server = www.tivoli.com
.....etc
[ecsso-domain-keys]
# key for encrypting/decrypting data
# between servers in the db2.com domain
db2.com = /abc/db2-keys/db2.key
# key for encrypting/decrypting data between
# servers in the db2.com domain and the MAS
tivoli.com = /abc/db2-keys/tivoli-db2.key
dC ww1.ibm.com
T ww1.ibm.com DgSgx%;"adCMT www.db2.com D`,#h*=
v\?,;vCZ MAS M ibm.com r.d}]DS\/b\,m;v\?C
Z ibm.com rZ?~qw.d}]DS\/b\(4K>}PD ww1.ibm.com
M ww2.ibm.com)#
[ecsso-domain-keys]
ibm.com = /abc/ibm-keys/ibm.key
tivoli.com = /abc/ibm-keys/tivoli-ibm.key
dC ww2.ibm.com
ww2.ibm.com D\?(eM ww1.ibm.com D`,#
[ecsso-domain-keys]
ibm.com = /abc/ibm-keys/ibm.key
tivoli.com = /abc/ibm-keys/tivoli-ibm.key
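A consistency check over the e-community configuration, covering both the [ecsso] parameter descriptions and the multi-domain example that ends here. This is an added example, not IBM's code and not part of the manual. The server stanzas are constructed from the page's own example (one MAS, www.tivoli.com, serving the lotus-domino and ibm-db2 communities). It checks what the page states in prose: every community has exactly one MAS, every member names that MAS in master-authn-server, each member holds a key for its own domain and for the MAS domain, and the MAS holds a key for every member domain. Two assumptions are the example's own: keys on a server are pooled across all of its *-domain-keys stanzas (the page's MAS example lists all four under [ecsso1-domain-keys]), and the two ends of a domain pair, as well as servers within one domain, are expected to reference the same key file name, since the page says the same key file must be copied to each server.

```python
import os
from collections import defaultdict

# Constructed from the page's worked example. www.tivoli.com is the MAS of two
# e-communities (lotus-domino and ibm-db2); every other server is a member.
MAS_CONF = """
[modules]
ecsso1 = pdwpi-ecsso-module
ecsso2 = pdwpi-ecsso-module
[ecsso1]
e-community-name = lotus-domino
is-master-authn-server = yes
[ecsso2]
e-community-name = ibm-db2
is-master-authn-server = yes
[ecsso1-domain-keys]
# one key for each domain the MAS controls
domino.com = /abc/tivolikeys/tivoli-domino.key
lotus.com = /abc/tivolikeys/tivoli-lotus.key
db2.com = /abc/tivolikeys/tivoli-db2.key
ibm.com = /abc/tivolikeys/tivoli-ibm.key
"""


def member_conf(community, own_domain, own_key, mas_key):
    """Member-server stanzas as shown on the page (master-authn-server = www.tivoli.com)."""
    return f"""
[modules]
ecsso = pdwpi-ecsso-module
[ecsso]
e-community-name = {community}
is-master-authn-server = no
master-authn-server = www.tivoli.com
[ecsso-domain-keys]
{own_domain} = {own_key}
tivoli.com = {mas_key}
"""


SERVERS = {
    "www.tivoli.com": MAS_CONF,
    "www.domino.com": member_conf("lotus-domino", "domino.com", "/abc/domino-keys/domino.key", "/abc/domino-keys/tivoli-domino.key"),
    "www.lotus.com": member_conf("lotus-domino", "lotus.com", "/abc/lotus-keys/lotus.key", "/abc/lotus-keys/tivoli-lotus.key"),
    "www.db2.com": member_conf("ibm-db2", "db2.com", "/abc/db2-keys/db2.key", "/abc/db2-keys/tivoli-db2.key"),
    "ww1.ibm.com": member_conf("ibm-db2", "ibm.com", "/abc/ibm-keys/ibm.key", "/abc/ibm-keys/tivoli-ibm.key"),
    "ww2.ibm.com": member_conf("ibm-db2", "ibm.com", "/abc/ibm-keys/ibm.key", "/abc/ibm-keys/tivoli-ibm.key"),
}


def parse_conf(text):
    """Minimal pdwebpi.conf reader: [stanza] then key = value, '#' comments; repeated
    keys are kept in order (e.g. two 'authentication = ...' lines)."""
    conf, stanza = defaultdict(lambda: defaultdict(list)), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
        elif stanza and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            conf[stanza][key].append(value)
    return conf


def domain_of(host):
    return host.split(".", 1)[1]


def key_files(conf):
    """domain -> key file, pooled over every *-domain-keys stanza of one server (assumption)."""
    return {dom: vals[-1] for st, ent in list(conf.items()) if st.endswith("-domain-keys")
            for dom, vals in ent.items()}


def check_ecommunity(servers):
    """Return a list of configuration problems; an empty list means the set is consistent."""
    confs = {h: parse_conf(t) for h, t in servers.items()}
    problems, communities = [], defaultdict(lambda: {"mas": [], "members": []})
    for host, conf in confs.items():
        for inst, libs in list(conf["modules"].items()):
            if "pdwpi-ecsso-module" not in libs:
                continue
            st = conf[inst]
            name = st["e-community-name"][-1] if st["e-community-name"] else None
            if not name:
                problems.append(f"{host}: [{inst}] has no e-community-name")
                continue
            if st["is-master-authn-server"][-1:] == ["yes"]:
                communities[name]["mas"].append(host)
                continue
            mas = st["master-authn-server"][-1] if st["master-authn-server"] else None
            if not mas:
                problems.append(f"{host}: [{inst}] is not the MAS but names no master-authn-server")
            communities[name]["members"].append((host, mas))
    for name, c in communities.items():
        if len(c["mas"]) != 1:
            problems.append(f"{name}: expected exactly one MAS, found {c['mas']}")
            continue
        mas, by_domain = c["mas"][0], defaultdict(set)
        mas_keys = key_files(confs[mas])
        for host, claimed in c["members"]:
            keys, d, md = key_files(confs[host]), domain_of(host), domain_of(mas)
            if claimed != mas:
                problems.append(f"{host}: master-authn-server is {claimed}, but the MAS of {name} is {mas}")
            for need in (d, md):
                if need not in keys:
                    problems.append(f"{host}: no key for domain {need}")
            if d not in mas_keys:
                problems.append(f"{mas}: no key for member domain {d}")
            elif md in keys and os.path.basename(keys[md]) != os.path.basename(mas_keys[d]):
                problems.append(f"{host}/{mas}: different key files for {d}<->{md}: {keys[md]} vs {mas_keys[d]}")
            if d in keys:
                by_domain[d].add(os.path.basename(keys[d]))
        for d, names in by_domain.items():   # servers in one domain must share one key file
            if len(names) > 1:
                problems.append(f"{d}: servers use different intra-domain key files {sorted(names)}")
    return problems
```

Run it against the real pdwebpi.conf of every server before rolling out a new key from cdsso_key_gen: the failure mode the page warns about, a key file that was regenerated on one side and not copied to the other, shows up here as a name mismatch rather than as vouch-for tokens that silently fail to decrypt on the target.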
Z 7 B &CLr/I
Tivoli Plug-in for Web Servers (}73d?M/, URL \&'VZ}=&CLr/
I#e~)973d?M HTTP 7D6'T9Z}=&CLrITyZM'zj64P
Yw#Kb,e~Ia)T/, URL(gG)|,i/D>D URL)DCJXF#
>B|(TBwb:
v :,$M'zMsK&CLr.dDa04,;
v Z 145 3D:a)T/, URL DCJXF;
,$M'zMsK&CLr.dDa04,
gZZ 44 3D:\ma04,;Py>,Tivoli Access Manager for Web Servers I9
CwV;,DE"(} HTTP M HTTPS ,$kM'z.dDa0D4,#e~2IT
sK&CLra)C'a0E"TcsK&CLrI,$kM'z.dDa0D4
,#TbV==a)C'a0E",a)K;Vj6C'a0MZe~#$D&CL
rDksB>}C'a0D\&D=(#
g{M'zM~qw.d;fZQ("a04,,rXk*?vsLksXB-LM
'zM~qw.dD(E#(}{}TM'z/~qw,SDX4XUMX4r*,
a04,E"IDFT\#M'zI;NG<""vs?ks,x^h*?vks4
P%@DG<#
tCC'a0j6\m
e~dCD~D [performance] ZPD add-session-id-to-cred N}JmzZ"vk
sD?vM'z>$PtCM{C(;C'a0j6D4(#1!5* true(tC):
[performance]
add-session-id-to-cred = true
*{C(;C'a0j6D4(,k+ add-session-id-to-cred hC* false#
(;C'a0j6w*xP;v{FM5D)9tTf"ZC'>$P:
tagvalue_user_session_id = user-session-id
Z>$TmP,>$)9tT{(user_session_id)xP0tag value10:T>,C0:
I9CdCD~D [pdweb-plugins] ZPD tag-value-prefix N}dC#8(0:I
@9k>$PDd|VPE""zNNe;#
C'a0j6D5G(;j6QO$C'DX(a0DV{.#CC'a0j6G;
v|(e~5}{(T'V`ve~>})MCC'Dj<e~a0j6D MIME-64 `
kV{.#
`NG<D%vC'(}g,S;,zwOG<)P`ve~a0j6#r*C'a
0j6yZe~a0j6,yTZ|G.dfZ;T;D3d#+(;DC'a0j
6f"*C'>$DtT#bJm+C5w* HTTP 7(9CjG - 5&\)gac
+],"9.TsK&CLrIC#
© Copyright IBM Corp. 2000, 2003 143
+>$}]ek= HTTP 7P
C'a0\mD?jGT&CLr~qwa)(;DC'a0j6#K?j(}dC
TsD HTTP-Tag-Value )9tT4jI#
9C pdadmin object modify set attribute |nZe~#$DTsUdPhCTsD)9
tT#
pdadmin> object modify object_name set attribute attr_name attr_value
tT(0attr-name1)9e~\;4PX(`MD&\#HTTP-Tag-Value tT9e~
\;S>$)9tTPi!5"Z HTTP 7P+C5"M=~qw#
HTTP-Tag-Value )9tTD59CTBq=:
credential_extended_attribute_name=http_header_name
TZC'a0j6}],credential_extended_attribute_name u?kZdCD~P8(D
user_session_id )9tT{F`,,+;PQdCD0:#Cu?;xVs!4#K)
9tTD5|,(;DC'a0j6#
http_header_name u?8(C4+]}]D HTTP 7D{F#ZK>}P,9CF*
PD-USER-SESSION-ID D7:
pdadmin> object modify /PDWebPI/host set attribute \
HTTP-Tag-Value user_session_id=PD-USER-SESSION-ID
1 e ~ & m = s K & C L r ~ q w D C ' k s 1 , | i R T T s d C D N N
HTTP-Tag-Value )9tT#
Z K > } P , e ~ Z " v k s D C ' D > $ P i R " S C > $ P D
tagvalue_user_session_id )9tTi!C'a0j65,"+C5E= HTTP 7P,
gBy>:
PD-USER-SESSION-ID:user_session_id_number
\a:
Te~TshCD HTTP-Tag-ValuetTD5:
user_session_id=PD-USER-SESSION-ID
vVZC'>$PDtT{FM5: tagvalue_user_session_id:user_session_id_number
HTTP 7{FM5: PD-USER-SESSION-ID:user_session_id_number
g{sK&CLrG CGI &CLr,rC CGI f6TBPq=8v CGI LrI+
HTTP 7w*73d?q!:
HTTP_HTTP_header_name
}g:
HTTP_PD-USER-SESSION-ID=user_session_id
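The HTTP-Tag-Value flow above, as an added example that is not IBM's code and not part of the manual: it parses the credential_extended_attribute_name=http_header_name attribute, reads the tagvalue_-prefixed attribute from the credential, and emits the header for the back end. It also does what the remove-headers parameter in Appendix B is for: any copy of the mapped header that arrived from the client is dropped first, so a browser cannot supply its own PD-USER-SESSION-ID. The dict shapes for headers and credential, the comma separator for several pairs, and the RFC 3875 form of the CGI variable name (the page writes it as HTTP_PD-USER-SESSION-ID; CGI servers uppercase it and turn '-' into '_') are assumptions of the example.

```python
# Assumed shapes (not from the page): request headers and the credential are plain dicts;
# the credential holds extended attributes under their tag-value-prefix name.
TAG_VALUE_PREFIX = "tagvalue_"      # [pdweb-plugins] tag-value-prefix, as this page uses it


def parse_http_tag_value(attr_value):
    """HTTP-Tag-Value attribute format: credential_extended_attribute_name=http_header_name.
    Several pairs separated by commas is an assumption made for this example."""
    mapping = {}
    for pair in attr_value.split(","):
        cred, sep, header = pair.partition("=")
        if sep:
            mapping[cred.strip()] = header.strip()
    return mapping


def apply_tag_value(request_headers, credential, tag_value_attr, remove_headers=True):
    """Build the header set forwarded to the back-end application:
    1. drop any client-supplied header carrying a tag-value name (the remove-headers
       setting), so a browser cannot inject its own PD-USER-SESSION-ID;
    2. add each mapped header from the credential attribute tagvalue_<name>."""
    mapping = parse_http_tag_value(tag_value_attr)
    out = dict(request_headers)
    for cred_name, header in mapping.items():
        if remove_headers:
            for k in [k for k in out if k.lower() == header.lower()]:
                del out[k]
        value = credential.get(TAG_VALUE_PREFIX + cred_name)
        if value is not None:
            out[header] = value
    return out


def cgi_env_name(header_name):
    """Name under which a CGI program sees the header. The page writes it as
    HTTP_PD-USER-SESSION-ID; CGI (RFC 3875) uppercases it and turns '-' into '_'."""
    return "HTTP_" + header_name.upper().replace("-", "_")
```

Keep remove_headers on: the back-end application identifies the session by this header alone, so a client-controlled value would let one user act under another user's session identifier (the session identifier is not a secret the back end can verify).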
U9C'a0
C'a0j6\m&\IC4U9C'a0,Yha)K(;DC'a0j6r Tivoli
Access Manager C'{#IS PDADMIN |nP(9C~qwNq)KPb)|n,
+b)|nGhFCZ(} PDAdmin API IsK&CLr9CD#9CC'a0j6
U9a0+9e~!{CC'a0j6yj6D%va0#,;C'Dd|a0IL
x#
9C Tivoli Access Manager C'{U9a0+9e~!{x(C'{5PDyPa0#
g{CC'QS;,D;Cr;,D/@w`NG<,K|nI\axm`a0#
C'I(} pkmslogout |nU910a0#Kb,C'a0j6PDE"Jm\m1
MsK&CLrzYM\mC'#TBhvGZ\m6pU9C'a0D=V=(:
\m1I9C pdadmin 5CLrU99CCC'j6D%vC'a0#
pdadmin> server task pdwebpi-plugin-instance-name terminate all_sessions user-id
gOy>9C all-sessions |n,ZCzwODyPibwzOU98(C'D?v
a0#
I9C -vhost N}E/K|n,TZX(ibwzOU9X(C'DC'a0,gBy
>(kw*;Pdk):
pdadmin> server task pdwebpi-plugin-instance-name terminate all_sessions user-id -vhost "virtual-host-name"
a)T/, URL DCJXF
Tivoli Access Manager Plug-in for Web Servers IyZ{vksV{.x;;GTsD
URL D#=%d+(^&CZ Web Ts#TZ/,zI URL Tl&?vT;h*P
&D#$T@9;Z{D9CrCJDC'ks,bG\PCD#bZ+;,DmI
(8(x;,DE>=(12\PC#
}g,i/V{. GET /cgi-bin/servercontrol?action=showstatus T GET/cgi-bin/servercontrol?action=shutdown I\P;,D2+T*s#I\h*ZTs
UdP(;Xm>b)ksPD?vks,TcI+;,D_T&C=?vks#
dynurl #iJm(e;v#=/,TkTxkDksxP%d##=k{vksV{.
%d,rKI\ki/V{.PDE"%d#T?v DynURL #=,(e;v Tivoli
Access Manager Ts#KTsvVZTsUdP,Tc_TIk|X*#ZKP1P,
9Ck dynurl #=X*DTsx;GzmC URL DTsTkC#=%dDNbks
xPZ(#(}(e@"%d;,i/V{.D;,#=,I9C;,D Tivoli Access
Manager Ts"&C;,D_T#
dC/, URLpdwebpi.conf dCD~PD [common-modules] Z(eKyPO$=(D9C#*
TxkDkstC/, URL D#=%d,h*+ dynurl #idC*$Z(#i#b
Jm dynurl #iZ=oZ(}f0|DksDTs#
[common-modules]
...
pre-authzn = dynurl
...
7#Z pdwebpi.conf dCD~D [modules] ZPfZ/, URL Du?:
[modules]
...
dynurl = pdwpi-dynurl-module
...
[dynurl] Z(1!ivB,r_kQdCD#i{F%dDZ{)|,/, URL $Z
(#iD(e#IT?vibwzXhKZ,4 [dynurl:virtual-host]#Z [dynurl] Z
PDu?q=* object = pattern,?vu?Z%@DPP#PmD3r7(&mfrD
3r#ZCZPOgvVDu?EHZOmvVDu?#}g:
[dynurl]
/servershutdown = /servercontrol.asp\?*action=shutdown*
/serverreset = /servercontrol.asp\?*action=reset*
/helppages = *help.html
k"b,Ts<T41\(0/1)*7#OvdCPDns;vu?T>K dynurl #
iDZ~N9C#ZK}P,#=k URL /(yPT help.html axD URL)%d#
ZK}P,DynURL }Z4PS URL = Tivoli Access Manager TsD`T;3d#
kT,;v Tivoli Access Manager TsTF* help.html(^[|GD76gN)D
3fDyPksZ(#Z_P`F{FDD~(I4#=4xPVi),R<P`,
D2+T*sDivB,bI\\PC#+G,k"b,?vQ(eD#=k?vk
s%d,yTu:K?vZ(#
9k"b,9C#= *help.html I\#f=E>D2+T,r*ks
/servercontrol.asp?action=some_other_action&pointless_variable_used_to_evade_acl_attached_to_server_control.asp=help.html
+k *help.html /, URL `%d#rK,+yZ /helppages Tsx;G
/servercontrol.asp Ts@@CJ#`FX,ks
/someotherscript?action=someaction&other_var=help.html
+yZ /helppages Tsx;G /someotherscript TsxP@@#
XZm%%;"adCD~P9CD}rmo=PJmDXbV{DPm,kN<Z
191 3D=< E, :}rmo=PJmDXbV{;#
s`}ivB;h*XbV{,r*G<3fksG%;Ij6D URI#Z3)iv
B,IZmo=Da29C0*1,by URI a2&DNNi/}]<;ah9G<3
f%d#
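The dynamic URL mapping and the evasion the section warns about, as an added example that is not IBM's code and not part of the manual. It reads a [dynurl] stanza in the object = pattern form, maps a request (path plus query string) to the first matching object, and reproduces the page's case: a request to /servercontrol.asp whose query string happens to end in help.html is authorized against /helppages, not /servercontrol.asp. The correction shown uses only what the page states (earlier entries win): an explicit entry for /servercontrol.asp\?* placed before the catch-all. The pattern rules assumed here ('*' any run of characters, '?' one character, '\' escaping the next character) are the example's reading of Appendix E, which is not on this page.

```python
import re


def dynurl_regex(pattern):
    """Translate a [dynurl] pattern into an anchored regex. Assumed rules (Appendix E is
    not on this page): '*' = any run of characters, '?' = one character, '\\' escapes the
    next character, so '\\?' is a literal question mark separating path and query."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        out.append(".*" if c == "*" else "." if c == "?" else re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def parse_dynurl(text):
    """[dynurl] stanza: one 'object = pattern' per line, in file order; first match wins."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("["):
            continue
        obj, pat = (s.strip() for s in line.split("=", 1))
        rules.append((obj, dynurl_regex(pat)))
    return rules


def map_request(rules, request_uri):
    """Return the Tivoli Access Manager object the request is authorized against:
    the first matching [dynurl] object, else the object named by the path alone."""
    for obj, rx in rules:
        if rx.match(request_uri):
            return obj
    return request_uri.split("?", 1)[0]


# The page's own stanza (the backslash before '?' is one character in the file).
LOOSE = """[dynurl]
/servershutdown = /servercontrol.asp\\?*action=shutdown*
/serverreset = /servercontrol.asp\\?*action=reset*
/helppages = *help.html
"""

# Corrected ordering: every other /servercontrol.asp request is pinned to its own
# object before the catch-all help pattern can see it.
STRICT = LOOSE.replace(
    "/helppages = *help.html",
    "/servercontrol.asp = /servercontrol.asp\\?*\n/helppages = *help.html",
)

EVASION = "/servercontrol.asp?action=some_other_action&pointless_variable_used_to_evade_acl_attached_to_server_control.asp=help.html"
```

The general lesson is that a pattern with a leading '*' is matched against the whole request string including the query, so anything the client can append to a URL is in scope; put specific, path-anchored entries first and keep the catch-alls last, then test each entry with a request that has a query string as well as one without.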
Z 8 B Z(v_E"lw
>B|,hv Tivoli Access Manager Plug-in for Web Servers IgNa)rq!Z(
v_E"(ADI)DE",b)Z(v_E"G@@#$ Tivoli Access Manager rP
DJ4DZ(fryXhD#
>B|(TBwb:
1. :ADI lwEv;
2. Z 148 3D:Se~M'zkslw ADI;
3. Z 150 3D:SC'>$lw ADI;
4. Z 150 3D:a)JO-r;
5. Z 150 3D:dC/, ADI lw;
ADI lwEv
Tivoli Access Manager Z(fr@@LryZ&CZX(CJv_E"(ADI)D<{
_-4PZ(v_#IZ6IBM Tivoli Access Manager Base \m8O7PR=XZZ
(fr(9C<{_-)D9lMZ(v_E"(ADI)Dj8E"#
ISTB4Plwfr@@yhD ADI:
v IZ(~qw* ADI a)xZ(frDZ(v_N}#
b)N}|(?jJ4(\#$Ts)MTJ44PDksDYw#XZKwbD
x;=E",kN<6IBM Tivoli Access Manager Base \m8O7#
v C'>$
C'>$<UfTZ(fr@@LrD/}wC|,,rK|"4IC#
v J4\mw73(&CLrOBD)
IdCJ4\mw(ge~)TSdTmD73a) ADI#}g,e~P\&a)|
,ZM'zksD3)?VPD ADI#ZZ(frP9CXbD0:T0%"1bV
`MD ADI 4#
v (}/, ADI lw~qDb?4#
I(} AMWebARS Web ~qSb?q! ADI#(}J4\mwDZ(~qwC
AMWebARS Web ~q#4Tb?4D ADI T XML q=5X=Z(fr@@L
r#
Zfr@@Zd,I(}wCQdCCZ/,lw ADI DX(Z(~q/,q!
ADI#wC?v/, ADI lw~q"+ ADI 55X=Z(fr@@Lr#Tivoli
Access Manager a)D/, ADI lw~qD>}G0"amtTZ(~q1(SC
'"amlw ADI 5)M AMWebARS Z(~q(9C AMWebARS web ~ql
w ADI 5)#b=v>}Z Tivoli Access Manager Authorization C Developer’s
Reference PP|j8DV[#
Se~M'zkslw ADII+Z(v_E"(ADI)|,Zks7"ksi/V{.Mks POST weP#I4
(}CKZ(v_E"(ADI)DZ(fr#9C}C*q!D ADI DX(Ze~D
XML ]w45VKYw#
pdwebpi.conf dCD~D [aznapi-configuration] ZPD
resource-manager-provided-adi N}(TZ(fr@@}L)8(ICZZ(fr8
(D]w{FPD0:#*8(`v0:,k9C resource-manager-provided-adi N
}D`vu?:
TB]w{F|,JCZCe~D0::
v AMWS_hd_name
ks7]w{F#+ HTTP ksD HTTP 7PD name D5w* ADI 5X=Z(
fr@@Lr#
v AMWS_qs_name
ksi/V{.]w{F#+ksi/V{.P name D5w* ADI 5X=Z(f
r@@Lr#
v AMWS_pb_name
ks POST we]w{F#+ks POST weP name D5w* ADI 5X=Z(
fr@@Lr#
0:ITX(ZNbJ4\mw#`&X,XkhFJ4\mwTJ1l&T ADI D
ks#
`48(M'zksyhD ADI DZ(fr#}g,g{h*+|,Z HTTP 7PD
wz{w* ADI,r+ AMWS_hd_ 0:CZfrP8(D XML ]w{F#KX(Ze
~D0:aQZ(@@}L:IZM'zksPq!yhD ADI,"Re~*@gNi
R"i!M5XK ADI#+ AMWS_hd_host ]w{F"M=e~#e~(}ZM'zk
sPiR0host17"i!kC7`X*D54l& AMWS_hd_host ]w{F#e~+
0host175(w* XML ]w)5X=Z(fr@@}L#Z(fr@@}LZdf
r@@P+C5w* ADI 9C#
>}:Sks7lw ADITBZ(fr>}h*M'zDwz{#hCM'zksTZksD0host17P|,
wz{5#ZfrP9C AMWS_hd_ 0:TaQZ(@@}L:IZM'zksPq!
yhD ADI,"Re~*@gNiR"i!M5XK ADI#
<xsl:if test='AMWS_hd_host = "machineA"'>!TRUE!</xsl:if>
Q+e~hF**@gNSksPi! ADI E":
[aznapi-configuration]
resource-manager-provided-adi = AMWS_hd_
e~*@IZks7{F host PR=KE"#e~i!|,Z0host17PD5"+|
5X=Z(@@}L#
g{ZksD0host17Pa)D5*0machineA1,r+Z(fr>}@@*f#
T`FD==,@@Z(fryhDE"I4TZks POST werksDi/V{
.#
>}:Sksi/V{.lw ADITBZ(fr>}h*(} GET ksDi/V{.+](*l&m%a;)DM'z
9uzkD{F#M'zkshC*Zksi/V{.D0zip1VNP|,9uzk
5#
https://www.service.com/location?zip=99999
ZfrP9C AMWS_qs_ 0:TaQZ(@@}L:IZM'zksPq!yhD
ADI,"Re~*@gNiR"i!M5XK ADI#
<xsl:if test='AMWS_qs_zip = "99999"'>!TRUE!</xsl:if>
Q+e~hF**@gNSksPi! ADI E":
[aznapi-configuration]
resource-manager-provided-adi = AMWS_qs_
e~*@IZVN{0zip1BDksi/V{.PR=KE"#e~i!|,Z
0zip1VNPD5"+|5XxZ(@@}L#
g{ZksDi/V{.0zip1VNPa)D5*099991,r+Z(fr>}@@
*f#
T`FD==,@@Z(fryhDE"I4TZks POST werks7#
>}:Sks POST welw ADITBZ(fr>}h*(} POST ksDwe+](*l&m%a;)D Web :o5
DM'z\:r?D{F#hCM'zksTZks POST wePD0purchase-total1
VNP|,\:r5#
ZfrP9C AMWS_pb_ 0:TaQZ(@@}L:IZM'zksPq!yhD
ADI,"Re~*@gNiR"i!M5XK ADI#
<xsl:if test='AMWS_pb_purchase-total < "1000.00"'>!TRUE!</xsl:if>
Q+e~hF**@gNSksPi! ADI E":
[aznapi-configuration]
resource-manager-provided-adi = AMWS_pb_
e~*@IZVN{0purchase-total1BDks POST wePR=KE"#e~i!|
,Z0purchase-total1VNPD5"+|5X=Z(@@}L#
g{ZksD POST we0purchase-total1VNPa)D5!Z01000.001,r+Z(
fr>}@@*f#
T`FD==,@@Z(fryhDE"I4TZks7rksDi/V{.#
Z 8 B Z(v_E"lw 149
SC'>$lw ADII`4Z(fr9C ADI w*>$D;?Vu<a)xZ(fr@@Lr#TZ(~
qDu<wC(azn_decision_access_allowed_ext())5JO|,KC'D>$E"#Z
(fr@@Lr<UiRK>$E"Tq!&mfryhDyP ADI#Z(frI9C
4T>$PDNbVND5,|(ZO$ZdmS=>$D)9tT#
ZZ 89 3D:*>$mS)9tT;P5wKZC'>$P4()9tTD<u#
a)JO-r
Z(frJmzhCXbD"(#G4SDC4XFCJ\#$J4D\&Du~#
+G,'\DZ(v_Dj<a{G#9TXFJ4D~q&CLrDksDxP,
"TM'zT>0{91{"#g{*`4Z(frT|,JO-r,"R(} Tivoli
Access Manager Z(fr@@Lr+Z(fr@@*0Y1,re~SZ(~qSUf
rDJO-rMj<0{91{"#(#vTJO-r"5)0{91v_#
I!q+e~dC*\xKj<l&"Jm\xDksLxKPsK~q&CLr#
CksxPZZ(frPa)DJO-r#;ssK~q&CLrPzakTCiv
LxdTmDl	C pdwebpi.conf D~PD [boolean-rules] ZPD
pass-on-rule-failure-reason N}8(KI!DdC#
(#+Z(frk~q&CLraO9C,C~q&CLrImb"&mK|4SD
CJXF6p#Z3)ivB,~q&CLrh*SU; Tivoli Access Manager Z(
~q\xDks#4kbyD&CLrTKbJO-rE",xRCLrIT9C Tivoli
Access Manager Z(fr'\Dksa)dTmDl&#
}g,:o5&CLrD)%&mi~IIZ(frXF,g{\:r[q,}C'
DEC^n,rCZ(fr\x)%Yw#:o5&CLrKb{vksMJO-r
G\X*D#VZ:o5&CLrIT:&mBq"a);vC'QCDl&,g(
iC'!{?V)%#+#tx;GPOkC'D;%#
k<UwX9CK!n#9C~q&CLrD\&,-wZ(frPDJO-rD9
CTbM"l&KE"G\X*D#z;#{bbXvV;Viv,ZCivBTI
^(}7l& AM_AZN_FAILURE 7D&CLryXFDJ4DCJxPZ(#
dC/, ADI lw
I4kh*3)Z(v_E"(ADI)Dfr,b)E"^(Z Tivoli Access Manager
Z(~qICJDNNE"PR=#Zb)ivB,PX*Sb?4lw ADI#Klw
II/, ADI Z(lw~q514P#10f WebSEAL tTlw~qa)D
AMWebARS Web ~qMG;VZ(lw~q#
tTlw~q(ARS)Ze~DZ(~qbMZ(v_E"Db?a)Lr.da)
(EMq=*;~q#B<5wK AMWEBARS Web ~qD&mwL:
&mwL:
1. M'z"vTIZ(fr#$DJ4Dks#
2. Z(fr@@Lr(Z(~qD;?V)7(h*X(Z(v_E"(ADI)Tj
IfrD@@#;\SC'>$"Z(~qre~q!ksD ADI#
3. (}Z(~qb+ ADI lwNq"M= AMWebARS Web ~q#K~q+T ADI
Dksq=/* SOAP ks#+ SOAP ks(} HTTP "M= AMWebARS Web
~qD Web ~qhvoT(WSDL)gf#
4. AMWebARS Web ~q+J1Xq=/Cks,TCZ+a) ADI Db?E*V
v~q#
5. b?E*Vv~q5XOJD ADI#
6. Zm;v SOAP ]wPq=/ ADI "+|5X=e~DZ(~q#VZZ(fr
@@LrQ_PyhDE",I@@fr"wvS\r\x-<M'zksDv
_#
XZ?ptTlw~qDE",kN<6Tivoli Access Manager WebSEAL \m18
O7#
dCe~T9C AMWebARS Web ~q
4PTBNqTdCe~9C AMWebARS Web ~q:
1. Z pdwebpi.conf dCD~P,8(Zfr@@Zdlb=D1YD ADI 1yi/
D/, ADI Z(lw~qDj6{F(ID)#ZKivB,8( AMWebARS Web
~q:
[aznapi-configuration]
dynamic-adi-entitlements-services = AMWebARS
2. Z pdwebpi.conf dCD~P,+QdCD/, ADI Z(lw~qj6CwN}T
8(q=/v> ADI ksMbM+kl&DJ1DZCb:}g:
< 11. tTlw~q&mwL#.
Z 8 B Z(v_E"lw 151
[aznapi-entitlement-services]
dynADI = azn_ent_amwebars
3. Z pdwebpi.conf dCD~P,8(=;Z WebSphere 73PD dynADI Web ~
qD URL(kw*;Pdk):
[amwebars]
service-url = http://websphere_hostname:websphere_port/dynadi/dynadi/ServiceToIServicePortAdapter
4. XBt/e~#
=< A. 9C pdbackup 8]e~}]
pdbackup 5CLr9zIT8]MV4 Tivoli Access Manager }]#pdbackup 5
CLr+8(h*8]DD~M?<D8]PmD~w*N}9C#?vw*D Tivoli
Access Manager i~(}g Base"WebSEAL Me~)<P|T:DPmD~#
pdinfo-pdwebpi.lst D~8( pdbackup 5CLr8]De~D~M?<#
>=<hvgN9C pdbackup 5CLr8]MV4e~}]#pdbackup 5CLr
Dj{N<;Z IBM Tivoli Access Manager Command Reference P#
&\
8]e~}]
pdbackup 5CLr8]|,Ze~8]PmD~ pdinfo-pdwebpi.lst PDD~M?
<DPm#
UNIX:
1!ivB,pdinfo-pdwebpi.lst ;Z /opt/pdwebpi/etc/ P#
1!ivB,zzD8]i5w*%v .tar D~f"Z /var/PolicyDirector/pdbackup
P#
9C8]PmD~{SOUZM1dAG49l1! .tar D~{:
list-file-name_ddmmmyyyy.hh_mm.tar
}g:
pdinfo-pdwebpi.lst_30jul2003.10_39.tar
r_,zIT8(:
v .tar D~D(FD~{(9C -file !n)
K(FD~{;|,UZM1dAG#
v .tar D~D(F?<;C(9C -path !n)
.tar D~DZ]b9u=TB?<:
opt/ var/ tmp/
Windows:
1!ivB,pdinfo-pdwebpi.lst D~;Z
C:\Program Files\Tivoli\PDWebpi\etc\
1!ivB,zzD8]i5w*?<wf"Z
C:\Program Files\Tivoli\PDWebpi\pdbackup\ ?<P#
1! .dar ?<{I8]PmD~{SOUZM1dAG49l:
list-file-name_ddmmmyyyy.hh_mm.dar
}g:
pdinfo-pdwebpi.lst_30jul2003.10_39.dar
.dar D~DZ]b9u=S?<MD~P:
%C%Registry
%C% ?<|,j{D8]w#K?<D{FIe~D~M?<yZD}/wDL{8(
7(#"amD~f""am|(.reg )9{)#
r_,zIT8(:
v .dar ?<i5D(FD~{(9C -file !n)
K(FD~{;|,UZM1dAG#
v .dar ?<i5D(F?<;C(9C -path !n)
V4e~}]
UNIX:
+i5D~M?<S .tar D~V4= /opt/pdwebpi ?<#
Windows:
+i5D~V4=dnuD20?<;C#
o(
PX pdbackup 5CLrDj{N<IZ IBM Tivoli Access Manager Command
Reference PR=#
pdbackup -a backup -l backup-list-pathname \
[-path custom-pathname] [-file archive-pathname] [-usage] [-?]
pdbackup -a restore -file archive-pathname \
[-path custom-pathname] [-usage] [-?]
!n hv
-a [backup|restore|extract] 8(8]"V4ri!Yw#
-l backup-list-pathname 8(=8]PmD~(pdinfo-pdwebpi.lst)D+^
(76#
-path custom-pathname CZ8],8((Fi5?<;C#
-file archive-pathname CZ8],8(i5D~D(F{F#
CZV4,8(=*V4Di5D~D+^(7
6#
I9C|n!n{FDrLm>,+u4Xkw7#}g,Idk a m> action#+
G,b)!nDN}5;\u4#
>}
UNIX >}
1. TB>}9C1!54Pj<8]:
pdbackup -a backup -l /opt/pdwebpi/etc/pdinfo-pdwebpi.lst
bazz{* pdinfo-pdwebpi.lst_date.time.tar DD~,CD~f"Z
/var/PolicyDirector/pdbackup ?<P#
2. TB>}4P8],"+1!i5D~f"Z /var/backup ?<P:
pdbackup -a backup -l /opt/pdwebpi/etc/pdinfo-pdwebpi.lst -path /var/backup
bazz{* pdinfo-pdwebpi.lst_date.time.tar DD~,CD~;Z
/var/backup ?<P#
3. TB>}4P8],"4({* amwebarchive.tar Di5D~:
pdbackup -a backup -l /opt/pdwebpi/etc/pdinfo-pdwebpi.lst -file amwebarchive
1!i5)9{(.tar)7S=(F amwebarchive D~{s#KD~f"Z1!
/var/PolicyDirector/pdbackup ?<P#
4. TB>}S1!?<;CV4Ki5D~:
pdbackup -a restore -file pdinfo-pdwebpi.lst_29Aug2003.07_24.tar
5. TB>}S /var/pdback ?<V4i5D~:
pdbackup -a restore -file /var/pdback/pdinfo-pdwebpi.lst_29Aug2003.07_25.tar
Windows >}
1. TB>}9C1!54Pj<8]:
pdbackup -a backup -l install_path\etc\pdinfo-pdwebpi.lst
bazz{* pdinfo-pdwebpi.lst_date.time.dar DD~,CD~;Ze~D
install_path\pdbackup ?<P#
2. TB>}9C1!i5D~{4P8],"+KD~f"Z C:\pdback ?<P:
pdbackup -a backup -l install_path\etc\pdinfo-pdwebpi.lst -path c:\pdback
3. TB>}4P8],"4({* pdarchive.dar DD~:
pdbackup -a backup -l install_path\etc\pdinfo-pdwebpi.lst -file pdarchive
1!i5)9{(.dar)CZ(F pdarchive D~{#KD~f"Z1!
install_path\pdbackup ?<P#
4. TB>}4P= F: }/wOD \pdback ?<D8]:
pdbackup -a backup -l pdinfo-pdwebpi.lst -path f:\pdback
5. TB>}S1!?<(T>Z=POD;v?<)V4i5D~:
pdbackup -a restore -file install_path\pdbackup\pdinfo-pdwebpi.lst_29Jun2003.07_24.dar
6. TB>}S H:\pdbackup ?<V4D~:
pdbackup -a restore -file h:\pdbackup\pdinfo-pdwebpi.lst_29Jun2003.07_25.dar
pdinfo-pdwebpi.lst DZ]
[UNIX FILES]
# fully qualified file names.
/opt/pdwebpi/etc
/var/pdwebpi/audit
/var/pdwebpi/db
/var/pdwebpi/keytab
/var/pdwebpi/log
[UNIX CONF FILES]
# configuration files that specify a file to include
# file:stanza:option
/opt/pdwebpi/etc/pdwebpi.conf:uraf-ad:ad-server-config
/opt/pdwebpi/etc/pdwebpi.conf:uraf-domino:domino-server-config
/opt/pdwebpi/etc/pdwebpi.conf:ldap:ldap-server-config
/opt/pdwebpi/etc/pdwebpi.conf:ldap:ssl-keyfile
/opt/pdwebpi/etc/pdwebpi.conf:ldap:ssl-keyfile-stash
/opt/pdwebpi/etc/pdwebpi.conf:failover:failover-cookies-keyfile
/opt/pdwebpi/etc/pdwebpi.conf:ltpa:ltpa-keyfile
/opt/pdwebpi/etc/pdwebpi.conf:ltpa:ltpa-stash-file
/opt/pdwebpi/etc/pdwebpi.conf:iis:query-log-file
/opt/pdwebpi/etc/pdwebpi.conf:iis:log-file
/opt/pdwebpi/etc/pdwebpi.conf:iplanet:query-log-file
[WINDOWS FILES]
BASEDIR=SOFTWARE\Tivoli\Access Manager Plug-in for Web Servers:Path
<BASEDIR>etc
<BASEDIR>log
<BASEDIR>audit
<BASEDIR>db
<BASEDIR>keytab
[WINDOWS CONF FILES]
# configuration files that specify a file to include
# file:stanza:option
<BASEDIR>etc/pdwebpi.conf:uraf-ad:ad-server-config
<BASEDIR>etc/pdwebpi.conf:uraf-domino:domino-server-config
<BASEDIR>etc/pdwebpi.conf:ldap:ldap-server-config
<BASEDIR>etc/pdwebpi.conf:ldap:ssl-keyfile
<BASEDIR>etc/pdwebpi.conf:ldap:ssl-keyfile-stash
<BASEDIR>etc/pdwebpi.conf:failover:failover-cookies-keyfile
<BASEDIR>etc/pdwebpi.conf:ltpa:ltpa-keyfile
<BASEDIR>etc/pdwebpi.conf:ltpa:ltpa-stash-file
<BASEDIR>etc/pdwebpi.conf:iis:query-log-file
<BASEDIR>etc/pdwebpi.conf:iis:log-file
<BASEDIR>etc/pdwebpi.conf:iplanet:query-log-file
[WINDOWS REGISTRY]
# specify keys to backup
SOFTWARE\Tivoli
d|8]}]
TBwZMN}4Z pdinfo-pdwebpi.lst D~PPv,rx;aT/8]#g{h*
8]K}],rXk`- pdinfo-pdwebpi.lst "mSKE"#kq-Z
pdinfo-pdwebpi.lst D~*7hvDq=#
[cdsso-domain-keys]
<domain name> = <key file>
[ecsso-domain-keys]
<domain name> = <key file>
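A helper for the gap the note above describes, as an added example that is not IBM's code and not part of the manual: the SSO key files referenced from [cdsso-domain-keys], [ecsso-domain-keys] and per-instance [<instance>-domain-keys] stanzas are not in the default pdinfo-pdwebpi.lst, so it generates the file:stanza:option entries for them and appends them to the [UNIX CONF FILES] section, skipping entries already present. That pdbackup resolves such an entry to the option's value is the same rule the shipped list relies on for ltpa-keyfile and the other entries shown; that it works with a domain name as the option name is an assumption to verify on a test restore. The sample configuration and list text are constructed.

```python
# Path used in the page's own [UNIX CONF FILES] entries.
CONF_PATH = "/opt/pdwebpi/etc/pdwebpi.conf"


def key_file_entries(conf_path, conf_text):
    """Generate 'file:stanza:option' entries for every key file referenced from a
    [cdsso-domain-keys], [ecsso-domain-keys] or [<instance>-domain-keys] stanza."""
    entries, stanza = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            continue
        if stanza and stanza.endswith("-domain-keys") and "=" in line:
            entries.append(f"{conf_path}:{stanza}:{line.split('=', 1)[0].strip()}")
    return entries


def merged_list(list_text, new_entries, section="[UNIX CONF FILES]"):
    """Return pdinfo-pdwebpi.lst text with new_entries appended at the end of `section`,
    creating the section if it is absent and skipping entries already present."""
    lines = list_text.splitlines()
    present = {l.strip() for l in lines}
    if section not in lines:
        lines.append(section)
    end = lines.index(section) + 1
    while end < len(lines) and not lines[end].startswith("["):
        end += 1
    additions = [e for e in new_entries if e not in present]
    return "\n".join(lines[:end] + additions + lines[end:]) + "\n"


# Constructed sample configuration: an e-community member plus a cross-domain SSO key.
SAMPLE_CONF = """
[ecsso]
e-community-name = companyABC
[ecsso-domain-keys]
ibm.com = /abc/xyz/ibm-tivoli.key
tivoli.com = /abc/xyz/tivoli.key
[cdsso-domain-keys]
lotus.com = /abc/xyz/lotus.key
"""

# Constructed excerpt of the shipped list, cut down to three sections.
SAMPLE_LIST = """[UNIX FILES]
/opt/pdwebpi/etc
[UNIX CONF FILES]
/opt/pdwebpi/etc/pdwebpi.conf:ltpa:ltpa-keyfile
[WINDOWS FILES]
BASEDIR=SOFTWARE\\Tivoli\\Access Manager Plug-in for Web Servers:Path
"""
```

Whatever list pdbackup is given, the archive then contains every SSO key in clear form alongside the LDAP and LTPA key material, so the .tar or .dar output needs the same handling as the key files themselves: restrict who can read it and store it off the web server.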
=< B. pdwebpi.conf N<
Tivoli Access Manager Plug-in for Web Servers 9C;Z pdwebpi.conf dCD~PD
N}xPdC#CD~;ZTB?<:
UNIX:
install_path/etc/
Windows:
install_path\etc\
TBwZa)T pdwebpi.conf dCD~P?vIdCN}Dhv#y]N}D9C+
|GVi*TBwm:
v #f,
v O$,
v a0,
v LDAP,
v zm,
v Z( API,
v X(Z Web ~qw#
#fdCN}
m 26. #fdCN}
#f
N} hv
[pdweb-plugins]
(e Tivoli Access Manager Plug-in for Web Servers +#$DibwzMd|+Vr1!dC
N}#
virtual-host j6|,XZX(ibwzDdCE"DStZ#
web-server j6y9CD Web ~qwD`M#IS\D5P:
v iis 8 Microsoft Internet Information Services
v ihs 8 IBM HTTP Server
v iplanet 8 Sun ONE(-{* iPlanet)Web Server
v apache 8 Apache
KN}Z20ZdT/hC#
windows-file-system 8>Z(~qw&I!$@k)\bk URI(zm
Windows D~53J4)`XD2+TJb#
g{hC* true,r{9T_P`F Windows 2000 L7
6{D76*XD URI xPNNCJ#XpGT ~}Va
xD76*X+;\x#Z Windows 53O,KN}1!
ivBhC* true#Z UNIX 53O,|hC* false#
ITyZ?vibwzXhKN},=(GZJ1D
[virtual_host] ZP8(KN}#
case-sensitive f_Z(~qwgN&m URI Ds!4#
g{hC* false,URI Z9l`&D Tivoli Access
Manager Ts{F1*;*!4,Z(v_}GTUKTs
{FwvD#
Z UNIX 53O,KN}hC* true#Z Windows 53
O,|hC* false#
windows-file-system N}hC* true R case-sensitive4(e1,1!ivB+ URI *;*!4#
k"b,Ts{FD /PDWebPI/branch ?V;axP*
;#
ITyZ?vibwzXhKN},=(GZJ1D
[virtual_host] ZP8(KN}#
log-file j6dP6qyPZ(~qwNqDU>D~DD~{M
76#Iw*xTr`T76{8(#
logs 8(ZXB9CZ;vU>D~.0*4(DU>D~
}#
log-entries 8(Zv/=BU>D~.0*4kDU>u?}#
mpa-enabled `74CzmLr(MPA)Ga)`M'zCJDxX#
("k4~qwD%;QO$(@,"(}K(@"My
PM'zksMl&(E#
g{hC* true,rtC MPA \&#
g{hC* false,r{C MPA \&# ITyZ?vib
wzXhKN},=(GZ [virtual_host] ZP(eKN
}#
mpa-protected-object (exPZ(v_y@]D MPA Ts#
ITyZ?vibwzXhKN},=(GZ [virtual_host]ZP(eKN}#
user Z UNIX 53O,KN}|,\mwMzmxL+*Td
KPDC'{F#
group Z UNIX 53O,KN}|,\mwMzmxL+*Td
KPDi{#
pre-410-compatible-tokens Z Tivoli Access Manager V4.1 M Tivoli Access Manager
3.9 PDnFv?&\.dtCr{Cf]T#g{hC*
true,rgSgx%;"aMJO*F cookie zIDnF
2+T+k Tivoli Access Manager 3.9 nF`k#=2,
wC#KN}GxL6D,;\yZ?vibwz8(#
use-accept-language-header 1"T(;zID HTML l&DoT1,tCr{C
accept-language HTTP 7#
use-accept-charset-header 1"T(;+ HTTP ksD*XxPbkrzI HTML
l&DV{/1,tCr{C accept-charset HTTP 7#
max-cached-http-body 8(TZNbx(ks+*_Y:fD HTTP we}]D
ns}]?#g{we}]?,}KdCDns5,+O
zyPwe}]#
send-p3p-header XF Tivoli Access Manager Plug-in for Web Servers Gq
+|,9u_TodD P3P 7mS=ZdPhCK cookie
DNN HTTP l&P#
tag-value-prefix 8(mS=CZ tag-value HTTP 7D>$tT{FDI!
0:#
use-uri-encoded-session-id XFGq&T terminate session \mNqP8(Da0j
6xP URI `k#
remove-headers 8(Z tag-value &m0Gq&Sks}% tag-value #i
I\hCDNN7#}%b)7I7#qbDC'zmL
r^(ekdP(g{ek,ra[->$PIzvD
5)#
/f!
{C}%7D\&I\axzD Web >cx42+T~
<#XkXB5V@5Z TAG-VALUE 7(TAG-VALUE
&m04Sks}% TAG-VALUE 7)D&CLrT\b
TAG-VALUE HTTP 7;qbC'zmLr[-DI\
T#
[module-mgr]
|,PXzm#i\mwDj8E"#
path |,#i2mbD~D76#Jm`v76u?,r*e
~+QwyPu?#
verify-step-up-user g{4P]}=Yw,7(BC'j6GqXkkNN$
HfZDC'j6%d#
[wpiconfig]
|,dCLr*-z!{dCxhCDE"#
server-type ZdC1hC,T-z!{dC#
install-dir ZdC1hC,T-z!{dC#
vhosts ZdC1hC,T-z!{dC#
[user-agent]
4(C'zmLr(I user-agent HTTP 7(e)MX(oT73.dD3d#q=*:
user-agent-pattern = locale string
O$dCN}
m 27. O$dCN}
O$
N} hv
[modules]
ywICDO$=(M`X*Db#q=*:
module_name = shared_library_name
acctmgmt J'\m
BA y>O$
cert $i
failover JO*F
forms m%
fsso m%%;"a
ip-addr IP X7
iv-headers IV 7
session-cookie a0 cookie
ssl-id SSL j6
tag-value jG5
http-hdr HTTP 7
token nF
ltpa LTPA cookie
ecsso gSgx%;"a
cdsso gr%;"a
login-redirect G<X(r
ntlm NTLM
spnego 2+Ta)Lr-L
web-log Web U>
boolean rules <{fr
switch-user P;C'
dynurl /, URL
cred-refresh >$"B
ext-auth-int b?O$SZ
[common-modules]
|, [common] #idC#CZDiIq=gB: module-type = module-name#'V#i|(:
Authentication 8(CZC'O$D=(#
Session 8(CZ,Va04,D=(#
Pre-authzn 8(CZC'Z(0yhDNN&mD=(#
Post-authzn 8(CZZ(s&mD=(#
Response 8(CZNNT4T Web ~qwDl&D&mD=(#
[authentication-levels]
[authentication-levels] Z(e]}=O$6pT0Z [modules] ZP(eDO$=(DEr#
q=*:
level = module_name
g{4Td(eNNu?,rO$=(1!*6p 1#O$3r7(*Q(eO$=(Dn_O
$6p5AnMO$6p#g{O$6pItIO$=(2m,rS3r4U#iZ [modules]ZPvVD3r7(#
[authentication-mechanisms]
passwd-cdas
passwd-ldap
passwd-uraf
token-cdas
cert-ssl
cert-cdas
http-request
sso-create
sso-consume
passwd-strength
cred-ext-attrs
kerberosv5
ext-auth-interface
failover-password
cdsso
su-password
su-token-card
su-certificate
su-http-request
su-cdsso
y'VD=SO$zFMek Tivoli Access Manager O$
S53DX*2mbDPm#
[sessions]
ywyPa0#i+CD1!5#
max-entries (eIf"Za0#iD%v5}PDnsa0}#
timeout (ea0DnszfZ(Tk*%;)#
inactive-timeout (ea0Z,10yhDUP1d$H(Tk*%;)#
resend-pdwebpi-cookies (e Web e~ cookie Gq&f?vks"M#
reauth-lifetime-reset g{* yes,rZXBO$I&14;>$zfZ(1w#
reauth-grace-period 8(M'zDm^Z(Tk*%;),ZKZdII&4
PXBO$,g{;\O$r>$Q=Z#
[performance]
|,wVPzZ"w53T\DdC!n#
enable-pop XFGq5) POP#
add-session-id-to-cred XFGq+a0j6mS=a0>$#
[user-agent]
CZ4(C'zmLr(I user-agent HTTP 7(e)MX(oT73.dD3d#kqUTB
q=:user-agent-pattern = locale-string#
[BA]
basic-auth-realm ywr{,K{F+vVZy>O$G<1TC'T>D
T0rO#|Xk(Z+}EP#
strip-hdr XFSksP}% BA 7#P'!nP:
v ignore - ;T BA 74PNNYw#
v always - SksP}% BA 7#
v unauth - g{ BA 74-O$,rSksP}%|#
add-hdr XF+BD BA 7mS=ksP#Ku?DP'!nP:
v none - ;+B BA 7mS=ks(1!5)#
v gso - rksmS GSO BA 7#
v supply - Z BA 7Pa)2,\kM/rC'{
gso-resource-name |,C44( GSO BA 7D GSO J4D{F#1
add-hdr hC* gso 18(3v5GI!D#1 add-hdrhC* gso R4hC gso-resource-name 1,9C&m
ksDibwzD{F#
supply-password g{ add-hdr hC* supply,r5GXhD#hCs,K
N}8(ZQ4(D BA 7P9CD2,\k#
supply-username |,ZQ4(D BA 7P9CD2,C'{#1 add-hdrN}hC* supply 1,KN}DhCGI!D#1hCK
supply N}RP4hC supply-username(4,|#V
"M4,)1,QO$C'D{FZ4(D BA 7P9
C#
[failover]
|,yPPXJO*F cookie O$MZ(s#iDj8dCE"#
failover-cookies-keyfile yw\?D~D76,K\?D~+CZS\Mb\JO
*F cookie PD>$}]#
failover-cookies-lifetime JO*F cookie DP'Z(VS)#
enable-failover-cookie-for-domain
Z{vr6'ZtC/{CJO*F cookie#
failover-update-cookie (eJO*F cookie n/1dAGD|B5J#g{hC
* 0,rJO*F cookie +Z?Nks1|B#g{hC
*}{},rJO*F cookie +ZC1dN(Tk*%
;)}s|B#g{hC*:{},rJO*F cookie ;
ZxPO$r"B>$1|B#
failover-require-lifetime-timestamp-validation
b)u?7(1dAGi$TZJO*FO$I&GqG
XhD#hC*:
true: 1dAGGXhD#g{1dAG1Yr^',
rJO*FO$+'\#
false: 1dAG;GXhD,+Gg{|fZR^',
rJO*FO$+'\#g{ Web e~h*S\
AMWebPI r AMWebSEAL DOgf>zIDJ
O*F cookie,rTZb=n,<h*9CK!
n#
failover-require-activity-timestamp-validation
use-utf8 (e9CNVV{/4TJO*F cookie xP`k#
[failover-add-attributes] |,+D)tTS-<>$mS=JO*F cookie Dd
C#
[failover-restore-attributes] |,C'9CJO*F cookie xPO$1+D)tTSJ
O*F cookie lw=>$DdC#
[ltpa]
|,yZ LTPA cookie DZ(s#iDyPj8E"#K#ihFCZJmT WebSphere ~q
wxP%;"a#
ltpa-keyfile LTPA \?D~D+76{#
ltpa-stash-file \kf"D~D;C
ltpa-password Zf"D~!yP9CD\k#
ltpa-lifetime LTPA cookie DP'Z(k)#
[forms]
|,yZm%DG<#iDyPj8E"#
login-form G<m%DD~{#
login-uri G<m%*rda;G<j8E"D URI#Xk9C POST
}]tT username P8(DC'{M POST }]tT
password P8(DC'\k+G<j8E"a;=K
URI#
create-ba-hdr 8>Z BA 7PGq&+xvDC'{M\ka)x?j
&CLrD<{5#
use-utf8 8>Gq&9C UTF-8 r>Xzk/T BA 7(g{Q
4()xP`k#1!5* true#
[fsso]
Pvm%%;"a#i9XDG<m%#
login-page-stanza G<;vr`vZD{F,|GZ|,*9XD?vG<
m%Dj8E"#
[login-form-1]
G<m%(};v 2 WND#=%d}L4j6# FSSO 9Xk login-page }rmo=%dD
yP3f#(}+ HTML m%*XDYwtTk login-form-action }rmo=`%d4(;b
)3fPDG<m%#
login-page KdCu?;Z login-page-stanza N}8(DZP#|
9C;v}rmo=8(#=,Z9Ce~Dm%%;"
a&\1,C#=(;j6&CLrG<3fks#+Q
dCD#=kks URI `HO#
login-form-action KN};Z login-page-stanza N}8(DZP#|9C
;v}rmo=8(#=,Z9Ce~Dm%%;"a&
\1,C#=j6|,Z9X3fPDDvm%*&CL
rDG<m%#g{P`vm%%dC#=,r9CZ;
v#
argument-stanza KN};Z login-page-stanza N}8(DZP#|8r
PvjIG<m%yhDVNM}]Dm;v(FZ#
[auth-data]
|,;vr`vm%u?:name = method:value#KN};Z argument-stanza N}8(DZ
P#
name kG<m%Pdk*XD name tT`%d#
method * cred"gso r string#
value |,y]=(59XDV{.#
[web-log]
|,PX#i(C#i8(+|,Z Web ~qwCJU>D~PDE")DyPj8E",9
|,PX SunONE"IHS M Apache Web ~qwT0 REMOTE_USER CGI d?DyPj8E
"#
format-string CZ9l Web U>C'{,2CZ SunONE"IHS M
Apache Web ~qwT0 REMOTE_USER CGI d?Dq
=V{.#
unauth-user-string CZm> Web ~qwCJU>D~P4O$D Acess
Manager C'(%u)DV{.#
unauth-server-user-string CZm> Web ~qwCJU>D~P4O$D Web ~q
wC'(%u)DV{.#
auth-type CZ*G)Jm8(O$`MD Web ~qw8(O$`M
Dq=V{.#JmCYwD(; Web ~qw* iPlanet#
[tag-value]
cache-definitions 8>GqT,S=TsUdDjG5(exP_Y:fD
<{5#g{Q_Y:f,rh*XBt/zmTqCT
jG/5(eDyP|D#
cache-refresh-interval T(exP_Y:fD"B1ddt(k)#
use-utf8 (e9CNVV{/4T tag-value }]xP`k#g{K
5hC* false,+9C>Xzk3T tag-value xP`k#
1!5* true#
use-uri-encoding (eGq4PT tag-value }]D URI `k#
[token-card]
nF(G<3f#
token-login-form nFG<3fDD~{#
next-token-form (erC'M'zT>DCZksB;vnFDm%#1
~qw^(SZ;vnFI&O$C'1,+ksM'z
dkm;vnF#
[http-hdr]
|, HTTP 7O$Ma0#iDyPj8E"#
header +]=grO$~q(CDAS)CZO$D7{F#
[iv-headers]
|, IV 7O$MZ(s#iDyPj8E"#
accept w*4TzmDO$$wS\D7Pm#P'!nP:
v all - S\yP7`M#
v iv-creds - C'>$E"#
v iv-user - LC'{#
v iv-user-l - $C'{#
v iv-groups
v iv-remote-address - M'zD IP X7#
v server-name
generate *"4TzmDks1*zID7Pm#P'!nP:
v all - zIyP7`M#
v iv-creds - C'>$E"#
v iv-user - LC'{#
v iv-user-l - $C'{#
v iv-remote-address - M'zD IP X7#
use-utf8 (eGq&9C UTF-8 r>Xzk/T iv 7xP`k#
g{ Web e~h*S\ AMWebPI r AMWebSEAL D
Ogf>zID iv 7,rh*+K5hC* false#
server-name-header 1 server-name fZZ*zID5DPmP19CD7D{
F#1!5* iv-server-name#
[acctmgmt]
|,J'\m1Z(s#iD}]#K#i:p\mJ'Yw,}g|DC'\kM"z#
password-change-form C'ks|D\k1T>Dm%#
password-change-form-uri C'ks|D\k1CJD URI#
password-change-uri \k|DsD URI ?DX#
password-change-success C'I&jI\k|D1T>D3f#
password-change-failure C'4\I&G<1T>D3f#
logout-uri C'"zsD URI ?DX#
help-uri oz3fD;C#
help-page C'ksoz1T>Doz3fDD~{#
logout-success C'I&"z1T>D URI rD~#
[ecsso]
gSgx%;"a#CZD{FXkk [modules] ZP(eD pdwpi-ecsso-module #i{F`
%d#*}7&mXZgSgx%;"aD"z URI(1!ivB* /pkmslogout), XkZd
C acct-mgmt Z(0#i.0dC ecsso Z(0#i#
e-community-name $5nFMksPvVDgSgx{F#
is-master-authn-server 8(~qwGw~qw9G;ZgSgxP#g{hC*
yes,rK~qwS\4Td|e~5}D$5ks,b
)e~5}Dr\?PZ [ecsso-domain-keys] ZP#
master-authn-server gSgxPw~qwD{F#g{ is-master-authn-server h
C* no,rKN}GXhD#
master-http-port Zl} HTTP ksDwO$~qwO8(KZ(}Kj<
KZ 80 Tb)#g{~qwGwO$~qw,rvTKN
}#
master-https-port Zl} HTTPS ksDwO$~qwO8(KZ(}Kj<
KZ 443 Tb)#g{~qwGwO$~qw,rvTKN
}#
vf-token-lifetime $5nFP'Z(k)#
vf-url $5 URL#
allow-login-retry 14-O$DC'X(r=w~qw1tCr{CC'G
<XTTxPO$#g{hC* true,rw~qwJmC'
Zu<'\"T.sXBdkdC'{/\k#g{hC
* false,r+C'X(rXS~qwx;$5KC'#
vf-argument 1$5nFvVZ$5&pP1,$5nFDN}{#
use-utf8 Z ECSSO $5nFMgSgx cookie ZtCr{C utf8
V{.`k#
[ecsso-token-attributes] r [ecsso_module_name-token-attributes:virtual_host]
domain_name = pattern1, pattern2, ... pattern n
8(+|,Z eCSSO $5nFPD>$tT#
[ecsso-incoming-attributes] or [ecsso_module_name-incoming-attributes]
attribute_pattern = preserve|refresh 8(*SxkD$5nFS\M\xD>$tT#
[ecsso-domain-keys]
(ek4TgSgxP8(rDNk_xP(E1y9CD\?#
CZD{FS [modules] ZP(eD pdwpi-ecsso-module D#i{FIzx4#|Dq=
* [ecsso-module-name-domain-keys]# q=*:domain-name = key-file
[cdsso]
uri 8> CDSSO X(rM%;"aDX( uri#
cdsso-argument 8(O$nFDi/V{.N}D{F#ZX(r uri P9
C|#
authtoken-lifetime O$nFDzfZ(Tk*%;)#
use-utf8 XF CDSSO nFZDV{.`k#K!n;0lI1!
SSO 4(M{Db4(M{DD CDSSO nF#1!iv
BC UTF-8 TnFxP`k#
[cdsso-token-attributes]
(e+*|,Z CDSSO O$nFPDtT/(yZ?vTHh8r?vr8()#v1}Z9
C1! SSO nF4(M{DbxPK&m#b)u?Dq=*:domain-name = pattern-1,pattern-2, ... pattern-n
[cdsso-incoming-attributes]
(e*SxkD CDSSO O$nFS\M\xDtT/#KZPDu?q=*:attributepattern=preserve | refresh
[cdsso-domain-keys]
(ek4TgSgxP8(rDNk_xP(E1y9CD\?#q=*:domain-name = key-file
CZD{FS [modules] ZP(eD pdwpi-ecsso-module D#i{FIzx4#|Dq=
* [ecsso-module-name-domain-keys]#
[login-redirect]
|,G<X(rZ(s#iDyPj8E"#*9K#i}7$w,XkZdCJ'\mZ(
0#i.0dC|#
redirect-uri C'ZI&O$s+X(r=dOD URI#
[spnego]
spnego-krb-service-name Z spnego Z(#iu</}LP+~q{Ff"=
AMWebPI ~qwO$D;C#
spnego-krb-keytab-file Kerberos dCD~D76{#
[ntlm]
use-pre-windows-2000-logon-name
Z Tivoli Access Manager PJmC Windows 2000 T0
f>DG<{m>QO$C'#|G
DOMAIN\USERNAME G<{D username ?V#
[web-server-authn]
use-pre-windows-2000-logon-name
Z Tivoli Access Manager PJmC Windows 2000 T0
f>DG<{m>QO$C'#|G
DOMAIN\USERNAME G<{D username ?V#
[boolean-rules]
|D<{Z(fr0lCJv_a{D==#
pass-on-rule-failure-reason hC*1!5 false r;fZ,g{<{Z(fr5X
!FALSE!,r\xCks#hC* true,+G,g{Z(f
r5X !FALSE! RxPk_T}]bPfrTs`X*D
'\-rV{.,rJmCJ,"+'\-rV{.ek
AM_AZN_FAILURE 7PD HTTP ks#
[http-method-perms]
(e9CX( HTTP =(4PksyhDmI(#
<default> (eZCZP;Pw78(DNN=(yhDmI(#
<default> u?Tm;P1!5,RZCZPXkw*GU
V{.8(Ku?#
[ext-auth-int]
JmyZsK&CLra)DE"4(>$#
auth-url 1rdCD2+_Tx%"O$B~1+C'X(r=D
URL#
trigger-url CZm>l&&C4zI>$D URL#
redirect-url-hdr-name
pac-hdr-name
pac-svc-id-hdr-name
user-id-hdr-name
user-auth-level-hdr-name
user-qop-hdr-name
user-ext-attr-list-hdr-name
b)u?|,ZzI>$19CDl&7D{F#
[switch-user]
switch-user-form 8(T0su1xPks15X=M'zD HTML D~D{
F#KD~&;Z?<
/opt/pdwebpi/nls/html/lang/charset P#
switch-user-uri 8(CZwCP;C'&\D URI D{F#
switch-user-post-uri 8(0su1m%a;=D URI#
[dynurl]
8(/, URL Z(0#iD(e#q=*:
object = pattern
a0dCN}
m 28. a0dCN}
a0
N} hv
[sessions]
max-entries f"Za0#iD%v5}PDnsa0}#?vi
bwzD?va0#iDnsa0}#
timeout a0DnsP'Z(k)#
inactive-timeout a0Z,10h*DUP1d$H(k)#
resend-pdwebpi-cookies tCr_{Cf?vks;p"M Web e~ cookie#
reauth-lifetime-reset XFa0P'Z(1w#g{hC* yes,ra0P'
Z(1w(4,Z timeout N}PhCD5)ZI&D
XBO$s4;#g{hC* no,rI&XBO$s
;4P4;#
reauth-grace-period +M'z5PD1d?(k)hC*m^Z,ZKZ
dg{>$rd|-r=Z,M'zMaI&4PX
BO$#
[session-cookie]
use-same-session 8( HTTP M HTTPS -iGq&C9C,;a0#
[cred-refresh]
|,>$"BYw"z1+S-<>$#tT0"B=B>$DtTDdCE"#
preserve (e+S-<C'>$0#t1DtT#
refresh (e+ZB>$P"BDtT#
LDAP dCN}
m 29. LDAP dCN}
LDAP
N} hv
[ldap]
bind-pwd Web e~X$LrD\k(ZdC1hC)#
ssl-enabled 8>GqtC SSL#
ssl-keyfile 8> SSL \?D~D76/D~{#
ssl-keyfile-dn 8> SSL \?D~PD$ij)(g{PD0)#
ssl-keyfile-pwd 8> SSL \?D~\k#
cache-enabled tCM{C>X LDAP _Y:f#
ldap-server-config ldap.conf D~D;C#
auth-using-compare 8>Gq(}9C LDAP s(rHO\k44PO
$#
prefer-readwrite-server 8>Gq!qI4D LDAP ~qw(1~qwIC
1)#
bind-dn 8>X$xLD(P{F#
default-policy-override-support Xk* yes r no#* yes 1,;liC'_T,;l
i1!_T(#f3) LDAP Qw)#
user-and-group-in-same-suffix 8>GqCkC'`,D LDAP s:(ei#
zmdCN}
m 30. zmdCN}
zm
N} hv
[proxy-if]
id 8(zmgfDj6r2mZfD~{#Kj6Xk
ke~9CDj6%d#
number-of-workers &me~ksD$wLr_L}#
worker-size T?v&me~ksD$wLr_L$VdDZf}
?#
cleanup-interval ?NZfem.dD1d(k)#
max-session-lifetime Z,10,e~H}4TZ(~qwDl&Dk}#
[proxy]
error-page vVbb~qwms1,ZC'/@wOT>D3f
D76#
acct-locked-page C'"TCJx(DJ'1,T>=C3fD76#
retry-limit-reached-page o=JmDns'\G<"T}1,T>=C3fD
76#Z LDAP P9C policy |nhCnsJmG
<'\}#
login-success ZI&Dm%rnFG<s,g{e~;P*+C'
X(rXD3f,r8(*T>D3f#I\Z9(
+G< POST }]1S"MXe~DG<m%1"zb
Viv#
Z( API dCN}
m 31. Z( API dCN}
Z( API
N} hv
[aznapi-configuration]
sFMU>G<N}0dC#
logsize U>s!(VZ),,vKs!r4(BU>D~#
g{hC* 0,r;4(BU>D~#
g{hC*:},r?l4(;vBU>D~,x;
\s!#
logflush "BU>D1ddt(k)#
ns5G 21600(6 !1)#
logaudit tCr{CsFG<U>#
auditlog sFD~D{F#
auditcfg tCr{Ci~X(DsFG<#P'5*:
authn - 6qO$B~#
azn - 6qZ(B~#
db-file ACL }]b_Y:fD~D;C#
cache-refresh-interval liTwZ(~qwD|B.dD1ddt(k)#
listen-flags tCr{CS\_T_Y:f|B(*Dj>#
policy-cache-size Zf_T_Y:fDnss!#C5XFI_Y:f
`YE"#+Cs!8(*u?D}?#
resource-manager-provided-adi 8(S HTTP kslwDZ(v_E"D0:(e#
;&|DkKN}`XD5#
input-adi-xml-prolog +mS= XML D5%?DrT,C XML D5G9
C@@<{Z(fryhDCJv_E"(ADI)4
(D#
xsl-stylesheet-prolog +mS= XSL y=m%?DrT,C XSL y=mG
9C(e<{Z(frD XSL D>4(D#
dynamic-adi-entitlement-services KN}8(QdCDZ(~qj6(ZZ(fr@@
}LPg{lbv1Y ADI,rfr}fTb)Z(~
qj6xPi/)DPm#K&PvDZ(~qXk
q- Authorization Programmer’s Guide PEvD/,
ADI lw~qDdkMdvf6#1Zfr@@}LP
"V1Y ADI 1,43ri/QdCPmPD?v~
q#b)u?XkG8(}9CZ(~qdCZru
</tTPD~qu?0kDVPZ(~q#
cred-attribute-entitlement-services Z>$4(}LP*U/+*ekK>$DtTxw
CDQdCZ(~qj6DPm#
[aznapi-entitlement-services]
Z( API ~q(e#
service_id ?vZu?(e;,`MD aznAPI ~q#XZ|`E
",kN< IBM Tivoli Access Manager Authorization
C API Developer’s Reference#
AZN_ENT_EXT_ATTR bG;v;&|DD536N}#KN}JmZTs
UdO9C)9tT#
X(Z Web ~qwDdCN}
m 32. X(Z Web ~qwDdCN}
X(Z Web ~qw
N} hv
[p3p-header]
8(JCZyP HTTP cookie /D P3P 9u_T#
p3p-element ZKZP,}9Cd|N}dCD9u_Tb,9I
CKN}48(Tj+ XML _TD}C#
TP p3p-element = policyref="/w3c/p3p.xml" !{
"M,+e~(r=j+ XML _T#
access 8(C'_PDT|,Z cookie P"(} cookie 4
SDE"DCJ(#I\D5P:
none
all
nonident
contact-and-other
ident-contact
other-ident
disputes 8(j+ P3P _TGq|,;)E",b)E"XZ
T cookie P|,DE"Dyi#P'5* true r
false#1!ivB,KN}G{CD#
remedies 8(yiDI\^4#I\D5|(:
correct
money
law
g{48(,r_TP;|(NN^4E"#
non-identifiable hC* true 1,KN}8(;TNN==C cookie
PDE"r(} cookie 4SDE"vT/Xj6C
'#P'5G true r false#1!ivB,KN}G{
CD#
purpose 8(Z cookie PM(} cookie 4SDE"DC>#
I\D5|(:
current
admin
develop
tailoring
pseudo-analysis
pseudo-decision
individual-analysis
individual-decision
contact
historical
telemarketing
M other-purpose#
TyP} current TbD5,ITdC=S5w{#I
\D5|(:
always
opt-in
opt-out#
T48(DC>,1!5* always#C5Z purpose
s8(,C0EV*,}g:
purpose = contact:opt-in
recipient 8(Z cookie PM(} cookie 4SDE"DU~
K#I\D5|(:
ours
delivery
same
unrelated
public
other-recipient#
retention 8(Z cookie Pr(} cookie 4SDE"D#t1
d#
I\D5|(:
no-retention
stated-purpose
legal-requirement
business-practices
indefinitely#
categories 8(f"Z cookie Pr(} cookie 4SDE"D`
M#
g{hC non-identifiable N}* true,r;h*dC
NN`p#I\D5|(:
physical
online
uniqueid
purchase
financial
computer
navigation
interactive
demographic
content
state
political
health
preference
location
government
other-category
[ihs]
query-contents 8(CZ(}0pdadmin> object list1|n/@ IBM
HTTP Server Web UdDi/Z]Lr#(}Z{*
[ihs:branch] DZ(}g [ihs:/PDWebPI/foo.bar.com])
P8(;vN}5,ITyZ?vV'XhKN}
query-log-file G<i/Z]Lrv=DmsDU>D~D;C#
doc-root 8(D5y,CD5ya)4P0pdadmin> object
list1|nyhD Web Ud/@\&#KN}ZhCi
bwz1IdC5CLrhC - Z [ihs:branch] Z
(}g [ihs:/PDWebPI/foo.bar.com])PyZ?v_TV
'8(KN}
[apache]
query-contents 8(CZ(}0pdadmin> object list1|n/@ Apache
Web UdDi/Z]Lr#(}Z{*
[apache:branch] DZP8(;v5(}g
[apache:/PDWebPI/lotus.com])ITyZ?vV'X
hKN}#
query-log-file G<i/Z]Lrv=DmsDU>D~D;C#
doc-root 8(D5y,CD5ya)4P0pdadmin> object
list1|nyhD Web Ud/@\&#KN}ZhCi
bwz1IdC5CLrhC - Z [apache:branch] ZPyZ?v_TV'8(KN},}g
[apache:/PDWebPI/lotus.com]
[iis]
query-contents 8(CZ pdadmin /@ IIS Web UdDi/Z]L
r#(}Z{* [iis:branch] DZ(}g
[iis:/PDWebPI/foo.bar.com])P8(;vN}5,I
TyZ?vV'XhKN}
query-log-file G<i/Z]Lrv=DmsDU>D~D;C#
log-file *4T IIS e~DmsMzY{"(eU>D~#*
K7#D~D;BT,+b){"kZ(~qwDU
>D~V*#f#g{8(*`T76,rC;C`
TZ20?<D log S?<#g{8(*xT76,
r9CxT76#
use-error-pages XFG+mszkD IIS QdC3f"MXM'z,
9G+;)r%9lD3f"MXM'z#
[iplanet]
X(Z Tivoli Access Manager iPlanet Web Server Plug-in DdCN}#
query-contents 8(CZ pdadmin /@ Sun ONE Web UdDi/
Z]Lr#(}Z{* [iplanet:branch] DZ(}g
[iplanet:/PDWebPI/foo.bar.com])P8(;vN}5,
ITyZ?vV'XhKN}
query-log-file G<i/Z]Lrv=DmsDU>D~D;C#
doc-root 8(a)4P.pdadmin> object list/|nyhD Web
Ud/@&\DD5y#KN}ZhCibwz1I
dC5CLrhC - Z [iplanet:branch] Z(}g
[iplanet:/PDWebPI/foo.bar.com])PyZ?v_TV'
8(KN}
=< C. #ilYN<
O$Gj6"TG<=2+rD%@xLr5eD=(#verxLC4CJe~#
$DrDO$=(ITIC`VN=.;#IBM Tivoli Access Manager Plug-in for Web
Servers 'Vm`O$=(#BPwmPPvKb)O$=(0J1Dhv#
m 33. e~O$=(/#iN<
O$=(/#i hv
BA
pdwpi-ba-module
y>O$O$#i#
2ITdC*a0MZ(s#i#
m%
pdwpi-forms-module
HTML m%O$#i#
9C(}m%a;DC'{M\kxPO$#
9C1,K#iXk,1dC*Z(s#i#
ip-addr
pdwpi-ipaddr-module
M'z IP X7O$#i#
a)vyZM'z IP X7DO$#C'Xka) http k
sO$zF,T+ IP X7E"3d= Tivoli Access
Manager we#
2ITdC*a0#i#
http-hdr
pdwpi-httphdr-module
HTTP 7O$#i#
a)vyZksP8(D HTTP 7D5DO$#C'Xk
a) http ksO$zF,T+7E"3d= Tivoli Access
Manager we#
2ITdC*a0#i#
nF
pdwpi-token-module
nFO$#i#
Tivoli Access Manager Plug-in for Web Servers 'V(}
M'za)DnF(PzkDO$#KO$9CyZ RSA
SecureID fobs D+rSG<#
9C1,Xk,1dC*Z(s#i#
cert
pdwpi-certificate-module
M'z$iO$#i#
M'z$iDwb DN I cert-ssl O$zF3d= Tivoli
Access Manager we{F#cert-ssl O$zF*sM'z$
iDwb DN 1S3d=C'"amP Tivoli Access
Manager C'D DN#
K#ivTT(} SSL a04=oDksDO$,rKI
T*&m HTTP M HTTPS ksDZ(Dibwz2+X
dCK#i#
© Copyright IBM Corp. 2000, 2003 175
JO*F
pdwpi-failovercookie-module
JO*F cookie O$#i#
K#iS\JO*F cookie TO$C'#
9C1,K#iXk,1dC*Z(s#i#
iv 7
pdwpi-iv-headers-module
IV 7O$#i#
a)yZksPD iv-user" iv-user- l" iv-creds r
iv-remote-address HTTP 7D5DO$#1C'Qr0Kz
m~qwO$1,bTZ9C%;"aT"a= Access
Manager Plug-in for Web Servers G`1PCD#
*qCEN,ksXk(}0Kzm~qw(}g
WebSEAL ac)DQO$a0=o#zmXkO$*_P
T}ZCJDibwz\#$TsUdV'Dzm
([PDWebPI]p)mI(DC'#
TZ9C iv-remote-address 7DO$,C'Xka) http
ksO$zF,T+ IP X7E"3d= Tivoli Access
Manager we#
K#i2ITdC*Z(s#iMa0#i#
ecsso
pdwpi-ecsso-module
gSgx%;"aO$#i#
K#iXkdC*}wO$~qwTbNkgSgxDi
bwzDO$#i#
9C1,K#iXk,1dC*Z(0#i#
unauth
pdwpi-unauth-module
4O$C'O$#i#
ZKPvK#iGvZj{T<G#K#i<U~=dC
*EH6nMDO$#i,"CZ*4O$C'zI>
$#
ltpa
pdwpi-ltpa-module
LTPA O$#i
yZ LTPA cookie S\MO$C'#LTPA cookie II
WebSEAL r WebSphere ~qwa)#
spnego
pdwpi-spnego-module
SPNEGO O$#i
9C Windows LAN rPDj< SPNEGO O$-i4q
CZ IIS Oe~D%;"abv=8D5V#
cdsso
pdwpi-cdsso-module
CDSSO O$#i
Jm;,Dr.dDgr%;"a#
ext-auth-int
pdwpi-ext-auth-int-module
b?O$SZ#i#
JmyZsK&CLra)DE"4(>$#
m 34. X(Z Windows DO$#i
#i hv
ntlm
pdwpi-ntlm-module
NTLM O$#i#
NTLM GX(Z Windows DO$#i,Z Tivoli
Access Manager PC#i9C Windows 2000 G<{m
>QO$C'#
web-server-authn
pdwpi-websvrauth-module
Web ~qwO$#i#
Web ~qwO$#iGCZ Windows =(DO$#i#
Z Tivoli Access Manager PC#i9C Windows 2000 G
<{m>QO$C'#
m 35. e~a0#iN<
#i hv
BA
pdwpi-ba-module
y>O$a0#i#
9C0y>O$Z(17D5w*a0\?#
9C1,Xk,1dC*O$#i#
2ITdC*Z(s#i#
ip-addr
pdwpi-ipaddr-module
IP X7a0#i#
9CQO$DM'z IP X7w*a0\?#
9C1,Xk,1dC*O$#i#
http-hdr
pdwpi-httphdr-module
HTTP 7a0#i#
9CQO$D HTTP 7w*a0\?#
9C1,Xk,1dC*O$#i#
session-cookie
pdwpi-sesscookie-module
a0 cookie a0#i#
K#izI"S\ cookie,T)j6a019C#(#vC
wMEH6Da0j6zF#
ssl-id
pdwpi-sslsessid-module
SSL a0j6a0#i#
9C0SSL a0j61w*a0\?#k"b,!\ Tivoli
Access Manager Plug-in for Web Servers D Windows V
"Pa)K#i,+ Microsoft Internet Information Services
Web Server ";re~a)0SSL a0j61E",r
K,0SSL a0j61;\Cw IIS Da0\?#
iv-headers
pdwpi-iv-headers-module
IV 7a0#i
9C IV 7,Va04,#
ltpa
pdwpi-ltpa-module
LTPA a0#i#
9C LTPA cookie ,Va04,#
m 36. e~Z(0#iN<
#i hv
boolean-rules
pdwpi-boolean-rules-module
<{frZ(0#i#
switch-user
pdwpi-switch-user-module
P;C'Z(0#i#
dynurl
pdwpi-dynurl-module
/, URL Z(0#i#
acctmgt
pdwpi-acct-mgmt-module
J'\mZ(0#i#
K#ia)"z(/pkmslogout)"|D\k
(/pkmspasswd)Moz(/pkmshelp)&\#
cred-refresh
pdwpi-cred-refresh-module
>$"BZ(0#i#
forms
pdwpi-forms-module
m%Z(0#i#
token
pdwpi-token-module
nFZ(0#i#
Tivoli Access Manager Plug-in for Web Servers 'V(}M
'za)DnF(PzkDO$#KO$9CyZ RSA
SecureID fobs D+rSG<#
9C1,nF#iXk,1dC*O$#i#
ext-auth-int
pdwpi-ext-auth-int-module
b?O$SZZ(0#i#
login-redirect
pdwpi-loginredirect-module
G<X(rZ(0#i#
19Ce~'VDNb;V=(4PG<1,;)O$I
&C'cX(r=QdCD3f#
ecsso
pdwpi-ecsso-module
gSgx%;"aZ(0#i#
yPNkgSgxDibwz<Xk+ ecsso #idC*Z
(s#i#
K#iXk,1dC*}wO$~qwTbyPNk_D
O$#i#
m 37. e~Z(s#iN<
#i hv
forms
pdwpi-forms-module
HTML m%Z(s#i#
K#i&myZ0HTML m%1DG<ZdDm%}]a
;#
9C1,Xk,1dC*O$#i#
K#i9ISa;DC'{M\k4hC BA 7#
BA
pdwpi-ba-module
y>O$Z(s#i#
^DI Web ~qw4=D BA 7r(}S GSO x(d}
]4(D BA 7#
failover
pdwpi-failovercookie-module
JO*F cookie Z(s#i#
K#i*M'zzIJO*F cookie#
9C1,JO*F cookie #iXk,1dC*O$#i#
iv-headers
pdwpi-iv-headers-module
IV 7Z(s#i#
K#iZJm Web ~qw&mks0,+C'j6E"w
* IV 7ekksP#bTZr Web ~qww\D&CL
ra)%;"a`1PC#ITmSD7P
iv-user"iv-user-l"iv-groups"iv-creds M iv-remote-address#
K#i2ITdC*O$#iMa0#i#
tag-value
pdwpi-tag-value-module
0jG/51Z(s#i#
K#iZJm Web ~qw&mks0,+4TC'>$D
=S)9tTw* HTTP 7ekksP#b))9tT(#
MC'"amPDC'tT`T&#
ltpa
pdwpi-ltpa-module
LTPA cookie Z(s#i#
K#iZJm Web ~qw&mks0,+ WebSphere
Application Server(WAS)a?6Z}=O$
(LTPA)cookie ekksP#ba)KT Web ~qww
\D WAS D%;"a#
cdsso
pdwpi-cdsso-module
CDSSO Z(s#i#
boolean-rules
pdwpi-boolean-rules-module
<{frZ(s#i#
fsso
pdwpi-fsso-module
m%%;"a#i#
web-log
pdwpi-web-log-module
Web U>Z(s#i#
m 38. l&#iN<
#i hv
fsso
pdwpi-fsso-module
m%%;"al&#i#
ext-auth-int
pdwpi-ext-auth-int-module
b?O$SZl&#i#
=< D. |nlYN<
pdwebpi_start
t/"XBt/M#9 UNIX 20OD Tivoli Access Manager Plug-in for Web Servers
xL#k"b,t/r#9 Tivoli Access Manager Base z71,Plug-in for Web Servers
T/t/M#9#"R,T>yP Web ~qwD4,#
":g{h*,I9C pdwebpi_start |n@"Z Tivoli Access Manager Base z7
XF Plug-in for Web Servers#
o(
pdwebpi_start start
pdwebpi_start stop
pdwebpi_start restart
pdwebpi_start status
N}
pdwebpi_start {start|stop|restart|status} dP:
start t/ UNIX 20OD Plug-in for Web Servers xL#
stop #9 UNIX 20OD Plug-in for Web Servers xL
restart #9;sXBt/ UNIX 20OD Plug-in for Web Servers xL
status a) UNIX 20OD Plug-in for Web Servers 4,E"#
"M
*t/M#9e~D Windows 20,kZ0~q1XFfePR= Plug-in for Web
Servers xL"9CJ1DXF4%#
ICT
K|n;ZTB1!20?<:
v UNIX 53:
/opt/pdwebpi/sbin/
v Z Windows 53O:
C:\Program Files\Tivoli\pdwebpi\sbin\
1!qKG1!?<D20?<1,K5CLr;Z20?<BD sbin ?<P(}g,
install_dir\sbin\)#
5Xk
a5XTBKv4,k:
0 |nI&jI#
1 "zKms#
pdwebpi
a) Tivoli Access Manager Plug-in for Web Servers f>E"#97(G+ Plug-in for
Web Servers w*X$xLKP9GZ0(KP#
o(
pdwebpi [–foreground] [–version]
N}
–foreground Z0(KP Plug-in for Web Servers ~xFD~x;Gw*X$xLKP#
–version T Plug-in for Web Servers 20a)f>E"#
ICT
K|n;ZTB1!20?<:
v UNIX 53:
/opt/pdwebpi/bin/
v Z Windows 53O:
C:\Program Files\Tivoli\pdwebpi\bin\
1!qKG1!?<D20?<1,K5CLr;Z20?<BD bin ?<P(}g,
install_dir\bin\)#
5Xk
a5XTBKv4,k:
0 |nI&jI#
1 |n'\#
|n'\1,a)mshvM.yxFq=Dms4,k(}g,0x14c012f2)#
kN< IBM Tivoli Access Manager Error Message Reference#KN<s+4.x
Fr.yxFzka)K Tivoli Access Manager ms{"DPm#
pdwpi-version
Pv Tivoli Access Manager Plug-in for Web Servers 20Df>Mf(E"#
o(
pdwpi-version [–h] [–V] [–l | binary [binary ... ]]
N}
–h T>ozrC({"#
–l 8(PvyP~xFD~Df>(x;;Gm~|f>)D$Pm#
–V T> pdwpi-version ~xFD~Df>E"#
binary [binary] T>8(~xFD~Df>E",rg{;P8(~xFD~,rT>yPD~D
f>E"#
ICT
K|n;ZTB1!20?<:
v UNIX 53:
/opt/pdwebpi/bin/
v Z Windows 53O:
C:\Program Files\Tivoli\pdwebpi\bin\
1!qKG1!?<D20?<1,K5CLr;Z20?<BD bin ?<P(}g,
install_dir\bin\)#
5Xk
a5XTBKv4,k:
0 |nI&jI#
1 "zKms#
pdwpicfg –action config
dC Tivoli Access Manager Plug-in for Web Servers#
o(
pdwpicfg –action config –admin_id admin_id –admin_pwd admin_pwd –auth_port authorization_port_number –web_server {iis|iplanet|ihs|apache} –iis_filter {yes|no} –web_directory server_install_directory –vhosts virtual_host_id –ssl_enable {yes|no} –keyfile keyfile –key_pwd key_password –key_label key_label –ssl_port ssl_port_number
pdwpicfg –action config –interactive {yes|no}
pdwpicfg –action config –rspfile response_file
pdwpicfg –operations
pdwpicfg –help [options]
pdwpicfg –usage
pdwpicfg –?
N}
–admin_id admin_id
8(\mC'j6((#G sec_master)#
–admin_pwd admin_pwd
8(\mC' admin_id D\k#
–auth_port authorization_port_number
8( authorization server DKZE#1!KZE5* 7237#
–help [options] Pv!n{FMrLhv#g{8(K;vr`v!n,|Pv?v!nM;vr
Lhv#
–interactive {yes|no} g{G yes,rT|ntC;%==;qrT|n{C;%==#1!5* yes#
–iis_filter {yes|no} g{G yes,rtC Internet Information Server(IIS)}K;qr,{C IIS }K#
–keyfile keyfile
8( LDAP SSL \?D~#;P1!5#4T;%==KPC|nRQZ Plug-in
for Web Servers M LDAP .dtC SSL 1,k8(K!n#
–key_label key_label
8( LDAP SSL \?j)#;P1!5#4T;%==KPC|nRQZ Plug-in
for Web Servers M LDAP .dtC SSL 1,k8(K!n#
–key_pwd key_password
8( LDAP SSL \?D~\k#
–operations ;vS;vX;xhvPv?v!n{F#
–rspfile response_file
a) Plug-in for Web Servers l&D~D+^(76MD~{TZ2,20Zd9
C#l&D~ICZdCr!{dC#^1!l&D~{#l&D~|,ZM
option=value TZu?#*9Cl&D~,kND6IBM Tivoli Access Manager for
e-business Web Security 208O7PD}L#
–ssl_enable {yes|no} g{G yes,rtC9C LDAP D SSL (E;qr,{C9C LDAP D SSL (
E#1!5* yes#
–ssl_port ssl_port_number
8( LDAP SSL KZ#1!KZE5* 636#
–usage T>K|nD9Co(#9aT>;v>}#
–vhosts virtual_host_id
8(*#$Dibwz#C5Dq=&CGC:EVtD;5Pibwzj6#Z
ibwzj6.d;&PUq#
–web_directory server_install_directory
8( Web ~qw20?<#
–web_server {iis|iplanet|ihs|apache} 8(20 Plug-in for Web Servers D Web ~qw`M#!n*:T Internet
Information Server 9C iis"T Sun ONE Server 9C iplanet "T IBM HTTP
Server 9C ihs rT Apache Server 9C apache#K!n1!*QdC Web ~
qwD`MM;C#
–? T>K|nD9Co(#9aT>;v>}#
ICT
K|n;ZTB1!20?<:
v UNIX 53:
/opt/pdwebpi/bin/
v Z Windows 53O:
C:\Program Files\Tivoli\pdwebpi\bin\
1!qKG1!?<D20?<1,K5CLr;Z20?<BD bin ?<P(}g,
install_dir\bin\)#
5Xk
a5XTBKv4,k:
0 |nI&jI#
1 |n'\#
|n'\1,a)mshvM.yxFq=Dms4,k(}g,0x14c012f2)#
kN< IBM Tivoli Access Manager Error Message Reference#KN<s+4.x
Fr.yxFzka)K Tivoli Access Manager ms{"DPm#
pdwpicfg –action unconfig
!{ Tivoli Access Manager Plug-in for Web Servers DdC#
o(
pdwpicfg –action unconfig –admin_id admin_id –admin_pwd admin_pwd –force {yes|no} –remove {none|acls|objspace|all} –vhosts virtual_host_id
pdwpicfg –action unconfig –interactive {yes|no}
pdwpicfg –action unconfig –rspfile response_file
pdwpicfg –operations
pdwpicfg –help [options]
pdwpicfg –usage
pdwpicfg –?
N}
–admin_id admin_id
8(\mC'j6((#G sec_master)#
–admin_pwd admin_pwd
8(\mC' admin_id D\k#
–force {yes|no} 49^(,S policy server,2?F!{dCxLTLx#1!5G no#
–help [options] Pv!n{FMrLhv#g{8(K;vr`v!n,|Pv?v!nM;vr
Lhv#
–interactive {yes|no} g{G yes,rT|ntC;%==;qrT|n{C;%==#1!5* yes#
–operations ;vS;vX;xhvPv?v!n{F#
–remove {none|acls|objspace|all} 8(Gqw*!{dCxLD;?V}%TsUdM/r ACL#1!5* none#
–rspfile response_file
a) Plug-in for Web Servers l&D~D+^(76MD~{TZ2,20Zd9
C#l&D~ICZdCr!{dC#^1!l&D~{#l&D~|,ZM
option=value TZu?#*9Cl&D~,kND6IBM Tivoli Access Manager for
e-business Web Security 208O7PD}L#
–usage T>K|nD9Co(#9aT>;v>}#
–vhosts virtual_host_id
8(*!{dCDibwzDj6#C5Dq=ITG:EVtD;5Pibwz
j6#Zibwzj6.d;&PUq#
–? T>K|nD9Co(#9aT>;v>}#
ICT
K|n;ZTB1!20?<:
v UNIX 53:
/opt/pdwebpi/bin/
v Z Windows 53O:
C:\Program Files\Tivoli\pdwebpi\bin\
1!qKG1!?<D20?<1,K5CLr;Z20?<BD bin ?<P(}g,
install_dir\bin\)#
5Xk
a5XTBKv4,k:
0 |nI&jI#
1 |n'\#
|n'\1,a)mshvM.yxFq=Dms4,k(}g,0x14c012f2)#
kN< IBM Tivoli Access Manager Error Message Reference#KN<s+4.x
Fr.yxFzka)K Tivoli Access Manager ms{"DPm#
=< E. }rmo=PJmDXbV{
BmPvK pdwebpi.conf dCD~P9CD}rmo=JmDXbV{#
* k 0 vr`vV{%d
? kNb;vV{%d
\ *eV{(}g,¿ k ? %d)
[acd] kV{ a"c r d %d(xVs!4)
[^acd] k} a"c r d .bDNNV{%d(xVs!4)
[a-z] k a = z .dDNNV{%d(!4V8)
[^0-9] k;Z 0 M 9 .dDNNV{%d(G}V)
[a-zA-Z] k a = z(!4)r A = Z(s4).dDNNV{%d
=< F. yw
>E"G*Z@za)Dz7M~q`4D#IBM I\Zd{zRrXx;a)>D5
PV[Dz7"~qr&\XT#PXz10yZxrDz7M~qDE",krz
1XD IBM zmI/#NNT IBM z7"Lrr~qD}C"GbZw>r5>;
\9C IBM Dz7"Lrr~q#;*;V8 IBM D*6z(,NN,H&\Dz
7"Lrr~q,<ITzf IBM z7"Lrr~q#+G,@@Mi$NNG IBM
z7"Lrr~q,rIC'TP:p#
IBM +>I\Q5Pr}Zjkk>D5Z]PXDwn({#a)>D5"4ZhC
'9Cb)({DNNmI#zITCif==+mIi/Dy:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.
PX+VZ(DBCS)E"DmIi/,kkzyZzRrXxD IBM *6z(?E*
5,rCif==+i/Dy:
IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan
>un;JC"zrNNbyDunk1X(I;;BDzRrXx:International
Business Machines Corporation04V41a)>vfo,;=PNNV`D(^[Gw
>D9G5,D)#$,|(+;^Z5,DPXGV("JzMJCZ3VX(C
>D#$#3)zRrXxZ3);WP;Jmb}w>r5,D#$#rK>un
I\;JCZz#
>E"PI\|,<u=f;;<7DX=r!"ms#K&DE"+(Z|D;b
)|D+`k>vfoDBf>P#IBM ITf1T>vfoPhvDz7M/rLr
xPDxM/r|D,x;mP(*#
>E"PTG IBM Web >cDNN}C<;G*K=cp{Ea)D,;TNN==
d1TG) Web >cD#$#G) Web >cPDJO;G IBM z7JOD;?V,
9CG) Web >cx4DgU+IzTPP##
IBM IT4|O*J1DNN==9CrV"zya)DNNE"x^kTzP#NN
pN#
>LrD;mI=g{*KbPXLrDE"To=gB?D:(i)JmZ@"4(
DLrMd{Lr(|(>Lr).dxPE";;,T0(ii)JmTQ-;;DE
"xP`%9C,kkBPX7*5:
IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758
U.S.A.
;*qXJ1Du~Mun,|(3)iNBD;(}?D6Q,<IqCb=fD
E"#
>JOPhvDmILr0dyPICDmIJOyI IBM @] IBM M'-i"IBM
zJm~mI-irNN,H-iPDuna)#
K&|,DNNT\}]<GZ\X73PbCD#rK,Zd{Yw73PqCD
}]I\aPwTD;,#P)b?I\GZ*"6D53OxPD,rK;#$k
;cIC53OxPDb?a{`,#Kb,P)b?G(}Fcx@FD,5Ja
{I\aPnl#>D5DC'&1i$dX(73DJC}]#
f0G IBM z7DE"ISb)z7D)&L"dvf5wrd{I+*qCDJO
Pq!#IBM ;PTb)z7xPbT,2^(7OdT\D+7T"f]TrNNd
{XZG IBM z7Dyw#PXG IBM z7T\DJb&1rb)z7D)&La
v#
yPXZ IBM 44=rrbrDyw<If1|DrUX,x;mP(*,|Gvv
m>K?jMb8xQ#
>JOvCZF.#ZhvDz7vV.0,K&DE"I\|D#
>JO|,U#5qKwP9CD}]M(mD>}#*K!I\j{X{v|G,
>}P|,KvK"+>"7FMz7D{F#yPb){Fy5i9,gP5JD
s5{FMX7kKW,,?tIO#
g{zZi4>JODm=4,<,MJ+<}I\^(T>#
Lj
BPuoG International Business Machines Corporation +>Z@zM/rd{zRr
XxDLjr"aLj:
AIX
DB2
IBM
IBM(Uj)
OS/390
SecureWay
Tivoli
Tivoli(Uj)
Universal Database
WebSphere
z/OS
zSeries
Microsoft M Windows G Microsoft Corporation Z@zM/rd{zRrXxDLj#
UNIX G The Open Group Z@zMd{zRrXxD"aLj#
d{+>"z7M~q{FI\Gd{+>DLjr~qjG#
Jcm
2A3
2+\m(security management): ;V\m<x,+
3i/D\&/PZXFTCi/DI&\X|D&CL
rM}]yxPDCJ#
2+WSVc(secure sockets layer,SSL): a)(
E#\TD;V2+T-i#SSL 9M'z/~qw&C
Lr\;T3VhFC4@9T}"\DM1l{"D=
=xP(E#SSL GI Netscape Communications Corp. M
RSA Data Security, Inc *"D#
2B3
s((bind): 9j6kLrPDm;vTs`X;}
g,9j6k3v5"X7rm;vj6`X,r_9N
=N}k5JN}`X*#
#$6p(quality of protection): }]2+TD6
p,IO$"j{TM#\Tu~DiO7(#
2C3
Yw(action): ;VCJXFm(ACL)mI(tT#
m{CJXFm(access control list)#
_T(policy): &CZ\\J4D;ifr#
,D>+d-i(hypertext transfer protocol,HTTP): rXx-i/PCZ+d"T>,D
>D5D-i#
2D3
%;"a(single signon,SSO): C'G<;NM\
CJ`v&CLr"x^hVpG<=?v&CLrD\
&#m{+V"a(global signon)#
]}=O$(step-up authentication): ;V\#$T
s_T(POP),|@5Z$HdCDO$6pcNa
9,"y]J4OhCD_T5)X(6pDO$#]}
=O$ POP ;?FC'9C`vO$6pxPO$SxC
JNNx(J4,+*sC'AY9Ck#$CJ4D_
Ty*sD,HO$6pxPO$#
`74CzmLr(multiplexing proxy agent,MPA):
a)`vM'zCJD;VxX#1`vM'z9C WAP
CJ32+r1,b)xXP1;F*^_CJ-i
(Wireless Access Protocol,WAP)xX#xX("(r4
~qwD%vO$(@,"(}K(@dMyPM'zk
sMl&#
`rSO$(multi-factor authentication): ?FC'
9C=vr`vO$6pxPO$D;V\#$Ts_T
(POP)#}g,T3\#$J4DCJXFIT*sC
',19CC'{/\kMC'{/nF(PzkxPO
$#m{\#$Ts_T(protected object policy)#
2F3
CJXFm(access control list,ACL): ZFcz2
+TPk3vTs`X*D;vPm,|8vG)\;C
JCTsDyPweT0|GDCJ(#}g,CJXF
mGk3vD~X*DPm,CPmj6ITCJKD~
DC'"j6G)C'TKD~DCJ(#
CJXF(access control): ZFcz2+TP,7#
Fcz53DJ4;\IZ(C'TZ(==CJD}
L#
CJmI((access permission): JCZ{vTsD
CJX(#
~q(service): I~qwy4PDYw#~qITGT
*"Mrf"D}]xPDr%ks(}gTD~~q
w"HTTP ~qw"gSJ~~qwM8k~qwDk
s),2ITG|*4SDYw,}gr!~qwrxL
~qwDYw#
1>~qw(replica): |,m;v~qw;vr`v?
<D1>D~qw#1>~qw8]w~qw,Tcv?
T\ruLl&1d,"7#}]j{T#
2G3
+2xXSZ(common gateway interface,CGI): (
eX(E>DrXxj<,b)E>(} HTTP ksS
Web ~qwr&CLr+ME",4.`;# CGI E>G
;vCng PERL .`DE>`FoT`4D CGI Lr#
+C\?(public key): Fcz2+TPyPK<IC
D;V\?#k(C\?(private key)`T#
\m~q(administration service): ;VZ( API K
P1e~,IC4T Tivoli Access Manager J4\mw&
CLr4P\mks#\m~q+l& pdadmin |n"v
D6Lks,T4PngZ\#$TswPPvX(Zc
BDTs.`DNq#M'IT9CZ( ADK *"b)~
q#
\mr(management domain): ;v1!r,dP
Tivoli Access Manager ?F4PO$"Z(MCJXFD
2+_T#Cr4(ZdC policy server 1#m{r
(domain)#
fr(rule): ;ur`u_-od,b)od9B~~
qw\;6pB~.dDX5(B~`X),T0`&X
4PT/l&#
2H3
s:(suffix): j6>X#fD?<cNa9P%cu?
D;V(P{F#IZa?6?<CJ-i(LDAP)P
y9CD`T|{#=,Ks:JCZC?<cNa9P
D?vd|u?#;v?<~qwIT_P`vs:,?
;vs:<j6>X#fD?<cNa9#
2J3
y>O$(basic authentication): ;VO$=(,Z
ZhC'T32+Z_J4DCJ(.0*sC'dkP
'DC'{M\k#
yZxgDO$(network-based authentication): y
]C'DxJ-i(IP)X7XFTTsDCJD;V\
#$Ts_T(POP)#m{\#$Ts_T(protected
object policy)#
S\(encryption): ZFcz2+TP+}]*;*;
V^(bADN=D}L,9CK=(+^(q!-<}
]r_vI9Cb\}Lq!-<}]#
G+$n(role activation): TG+&CCJmI(D
}L#
G+8((role assignment): *C'8(G+D}L,
Sx9CC'_PTCG+y(eTsD`&DCJmI
(#
xLd(E(interprocess communication,IPC): (1)
Lrd%`(E",=dn/yhzDxL#Ej"EE
MZ?{"SPGxLd(ED#{=(# (2) ;VYw5
3zF,|CxL\;Z,;FczZr(}xgZ`%
.dxP(E#
2,20(silent installation): ;rXF("M{",
xGZU>D~Pf"{"MmsD;V20#Kb,2
,20IT9Cl&D~w*}]dk#m{l&D~
(response file)#
2K3
IluT(scalability): xg53T;Ov$DCJJ
4DC'}wvl&D\&#
IEy(trusted root): 2+WSVc(SSL)PO$P
D(CA)D+C\?T0X*D(P{F#
grO$~q(cross domain authentication service,CDAS): a)2mbzFD;V WebSEAL ~
q,9z\;+1!D WebSEAL O$zFf;*r
WebSEAL 5X Tivoli Access Manager m]D(FxL#
m{ WebSEAL#
gr3dr\(cross domain mapping framework,CDMF): ;V`LSZ,9*"_Z9C
WebSEAL gSgx SSO &\1\;TC'm]D3dT
0C'tTD&mxP(F#
2L3
,S(connection): (1) Z}](EP,("Z&\%
*.dCZ+ME"D;VX*# (2) Z TCP/IP P,Z
=v-i&CLr.da)I?}]w+]~qD;V7
6#ZrXxP,,SS;v53OD TCP &CLrSl
=m;v53OD TCP &CLr# (3) Z53(EP,I
TZ=v53.dr53kh8.d+]}]D;V_
7#
*a(junction): 0K WebSEAL ~qwMsK Web
&CLr~qw.dD;V HTTP r HTTPS ,S#
WebSEAL 9C*a4zmsK~qwa)#$TD~q#
nF(token): (1) VrxPD;V(^{E,|S;v
}]>,x+]=m;v>,T8>C>]1XF+di
J#?v}]><Pzaq!"9CnFTXFiJ#n
FGm>}+MmI(D;uX({"r;#=# (2) Vr
x(LAN)PX+diJS;vh8+]=m;vh8D
;rP#1nFs7S}]1,nFMI*!#
7ID~(routing file): |,XF{"dCD|nD;
V ASCII D~#
V/(polling): ;vxL,(}KxL(Z/J}]
b,T7(Gqh*+M}]#
2M3
E'x>(portal): ;V/ID Web >c,|y]X(
C'DCJmI(,/,zIICZCX(C'D Web J
4(}g4S"Z]r~q)D(FPm#
\k(cipher): ;VS\}],Z9C\?+d*;*
wk}](b\).0;IA#
\?T(key pair): Fcz2+TPD+C\?M(C
\?#1\?TCZS\1,"M=+9C+C\?TE
"xPS\,xSU=+9C(C\?TCE"xPb
\#1\?TCZ){1,){=+9C(C\?TE"
D3Vm>xPS\,xSU=+9C+C\?TCE"
DKVm>xPb\,Sxi$){#
\?7(key ring): Fcz2+TPD;VD~,|,
+C\?"(C\?"IEyM$i#
\?}]bD~(key database file): kND\?7
(key ring)#
\?D~(key file): kND\?7(key ring)#
\?(key): Fcz2+TPD;V{ErP,CZT}
]xPS\rb\D\kc(#kND(C\?(private
key)M+C\?(public key)#
#=(schema): T}](eoTm>D;iod,b)
odj{Xhv}]bDa9#ZX5}]bP,#=(
eKm"?vmPDVNMVNkm.dDX5#
?<#=(directory schema): ITZ?<PvVDP
'DtT`MMTs`#b)tT`MMTs`(eC?
<DtT5Do("XkfZDtTT0I\fZDt
T#
2P3
dC(configuration): (1) E"&m53Dm2~Di
/k%,==# (2) iI53"S53rxgDzw"h8
MLr#
>$^)~q(credentials modification service): ;
VIC4^D Tivoli Access Manager >$DZ( API K
P1e~#IM'Zb?*"D>$^)~qv^ZS>
$tTPm4PmSr}%Yw,"Rv^ZG)O*I
^DDtT#
>$(credential): ZO$}LPqCDj8E",hv
C'"NNiX*T0d|k2+T`XDm]tT#>
$ITCZ4Ps?~q,}gZ("sFM/I#
2Q3
(F(migration): 203LrDBf>rB"PfSx
f;OgDf>r"Pf#
a?6Z}=O$(lightweight third party authentication,LTPA): ;VO$r\,JmZrXx
rPD;i Web ~qwZxP%;"a#
a?6?<CJ-i(lightweight directory access protocol,LDAP): {OTBu~D*E-i:(a)9
C TCP/IP a)T'V X.500 #MD?<DCJ,R(b)
;}"T|*4SD X.500 ?<CJ-iDJ4*s#9
C LDAP D&CLr(F*tC?<D&CLr)IT+
?<w*+2}]f"9C,2IT+dCZlwXZv
Kr~qDE",}ggSJ~X7"+C\?rX(Z
~qDdCN}#LDAP nuGZ RFC 1777 P8(D#
LDAP V3 GZ RFC 2251 P8(D,R IETF 9ZLx
*"=SDj<&\#3) IETF (eD LDAP j<#=
ITZ RFC 2256 PR=#
+V"a(global signon,GSO): ;VinD%;"
abv=8,9C'\rsK Web &CLr~qwa)8
CC'{M\k#+V"a+Z(C'(}%;G<CJ
QZ(d9CDFcJ4# GSO G*3)sMs5hF
D,b)s5I&Zl9DV<=Fc73D`v53M
&CLr9I,GSO 9C';X\m`vC'{M\k#
m{%;"a(single signon)#
2R3
O$PD(certificate authority,CA): )"$iDi
/#O$PDT$iyP_m]T0Z(CyP_9CD
~qxPO$")"B$i"x)VP$i,T07zt
Z;YZ(dLx9C$iDC'D$i#
O$(authentication): (1) ZFcz2+TP,TC'
m]rC'CJTsDJqDi$# (2) ZFcz2+T
P,i${"GqP4|Drp5# (3) ZFcz2+T
P,CZi$E"53r\#$J4DC'D}L#m{
`rSO$(multi-factor authentication)"yZxgDO$
(network-based authentication)M]}=O$(step-up
authentication)#
]wTs(container object): +TsUdi/*;,
D&\xrDa9/8(#
2S3
X$Lr(daemon): ;v^KU\KPDLr,CZ
4P,xDr\ZTD"536'ZDNq,gxgX
F#P)X$Lr\T/%"4PdNq;xP)r\Z
TKw#
\#$Ts_T(protected object policy,POP): ;
V2+_T,+=Su~?SZ ACL _TJmDYw,T
CJ\#$DTs#J4\mw:p?F4P POP u~#
m{CJXFm(access control list,ACL) "\#$Ts
(protected object)M\#$TsUd(protected object
space)#
\#$TsUd(protected object space): 5J53
J4DibTsm>,|CZ&C ACL M POP T0Z(
C'CJ#m{\#$Ts(protected object)M\#$T
s_T(protected object policy)#
\#$Ts(protected object): 5J53J4D_-
m>,|CZ&C ACL M POP T0Z(C'CJ#m{
\#$Ts_T(protected object policy)M\#$TsU
d(protected object space)#
Z(~qe~(authorization service plug-in): ;v
I/,0kDb(DLL r2mb),ITI Tivoli Access
Manager Z( API KP1M'zZu</WN0k,T4
PZZ( API P)9~qSZDYw#10ICD~qS
Z|(\m"b?Z(">$^D"Z(M PAC YwS
Z#M'IT9CZ( ADK *"b)~q#
Z(~q(entitlement service): ;VICZSwer
u~/Db?45XZ(DZ( API KP1e~#Z((
#GX(Z&CLrD}],|+IJ4\mw&CLr
T3VN=9C,rmSAweD>$P,TcZZ(x
LPx;=9C#M'IT9CZ( ADK(Authorization
ADK)*"b)~q#
Z(fr(authorization rule): kNDfr(rule)#
Z((authorization): (1) ZFcz2+TP,ZhC
'k3Fcz53(Er9C3Fcz53D(^# (2) Z
hC'T3vTs"J4r&\Dj+r^FCJ(D}
L#
Z((entitlement): |,_e/D2+_TE"D}]
a9#Z(|,9CX(&CLrImbD==xPq=
/D_T}]M\&#
tTPm(attribute list): |,CZxPZ(v_D)
9E"D4SPm#tTPmGI;i name = value Ti
ID#
}V){(digital signature): ZgSLqP7S=3
}]%*rG3}]%*-}\k*;xID;V}],
9C}]%*DSU=\;i$C%*D4Mj{T"6
pI\vVD1l}]#
2T3
X(tT$i~q(privilege attribute certificate service): +$(q=D PAC *;* Tivoli Access
Manager >$(4.`;)D;VZ( API KP1M'z
e~#b)~q2ITCZ*+d=2+rDd|I1x
T Tivoli Access Manager >$xPb0r}]`k#M'
IT9CZ( ADK(Authorization ADK)*"b)~q#
m{X(tT$i(privilege attribute certificate)#
X(tT$i(privilege attribute certificate): |,
weDO$"Z(tTMwe\&D}VD5#
3;J4j6(uniform resource identifier,URI): C
ZZrXxOj6Z]DV{.,|(J4{F(?<{
MD~{)"J4;C(?<{MD~{yZDFcz)
T0gNCJJ4(-i,}g HTTP)# URI D>}G
3;J4(;w,r URL#
3;J4(;w(uniform resource locator,URL):
m>FczOrxg(}grXx)PE"J4DV{r
P#KV{rP|,:(a)CZCJCE"J4D-i
Dr4{F,T0(b)C-iCZ(;KE"J4DE
"#}g,ZrXxOBDP,TBb)GCZCJwV
E " J 4 D 3 ) - i D r 4 { F :
http"ftp"gopher"telnet M news;xTBbvrG IBM w
3D URL:http://www.ibm.com#
2W3
b?Z(~q(external authorization service): ;V
Z( API KP1e~,IC49X(Z&CLrr73D
Z(v_I* Tivoli Access Manager Z(v_4D;?
V#M'IT9CZ( ADK *"b)~q#
xJ-i(Internet Protocol,IP): rXx-i/PD
;V^,S-i,(}xgr%,xg7I}],"d1
O_-ickomxg.dD=i#
D~+d-i(file transfer protocol,FTP): ZrX
x-i/P,9C+dXF-i(TCP)M Telnet ~qZ
zwrwz.d+dz?}]D~D;V&CLrc-
i#
2X3
l&D~(response file): |,TLryaJbD;i
$(eXpDD~,9CKD~M^h?NdkG)5P
.;#
ibw\(virtual hosting): Web ~qwD;V\&,
9d\;TrXxmV*`vwz#
mI((permission): CJ\#$Ts(}gD~r?
<)D\&#TsmI(D}?M,eGICJXFm
(ACL)(eD#m{CJXFm(access control
list,ACL)#
2Y3
5qZ((business entitlement): C'>$D9dt
T,CtThvICZTJ4DZ(ksD+8u~#
rXx-i/(Internet suite of protocols): *Zr
XxO9Cx*"D;i-i,(}rXx$LNqi/
(Internet Engineering Task Force,IETF)Tj<]8
(RFC)D=="<#
C ' " a m ( u s e r r e g i s t r y ) : k N D " a m
(registry)#
C'(user): 9CId|Tsya)~qDNNvK"
i/"xL"h8"Lr"-ir53#
r{(domain name): rXx-i/Pwz53D{
F#r{I;PT(gV{VtDS{iI#}g,g{
wz53D+^(r{(FQDN)G
as400.rchland.vnet.ibm.com,rTB?v{F<Gr{:
as400.rchland.vnet.ibm.com"vnet.ibm.com"ibm.com#
r(domain): (1) 2m+2~qR(#p+2C>wC
DC'"53MJ4D_-Vi# (2) FczxgD;?
V,ZdP}]&mJ4S\+2XF#m{r{
(domain name)#
*}](metadata): hvyf"}]DXwD}]#
KP1(run time): 4PFczLrD1dN#KP1
73G;V4P73#
2Z3
$i(certificate): Fcz2+TPD;V}VD5,|
++C\?s(=$iyP_m],Sx9$iyP_\
;;O$#$iGIO$PD)"D#
wz(host): ,S=3vxg(}grXxr SNA x
g)"a)=CxgDCJcDFcz#Kb,wzIT
y]73a)TxgD/PXF#wzITGM'z"~
qwr,1w*M'zM~qw#
"am(registry): |,C'"53Mm~DCJ0dC
E"D}]f"#
(C\?(private key): Fcz2+TPvyP_*~
D;V\?#k+C\?(public key)`T#
(P{F(distinguished name,DN): (;j6?<
Pu?D{F#(P{FItT:5TiI,ddC:EV
t#
J4Ts(resource object): 5JxgJ4(}g~
q"D~MLr)Dm>#
T"a(self-registration): G;V}L,ZdPC'I
Tdk*sD}]"I* Tivoli Access Manager D"aC
',x^h\m1DNk#
A
ACL: kNDCJXFm(access control list,ACL)#
B
BA: kNDy>O$(basic authentication)#
blade: a)X(Z&CLrD~qMi~D;Vi~#
C
CA: kNDO$PD(certificate authority)#
CDAS: kNDgrO$~q(Cross Domain
Authentication Service)#
CDMF: kNDgr3dr\(Cross Domain Mapping
Framework)#
CGI: kND+2xXSZ(common gateway interface)#
cookie: ~qwf"ZM'zORZfsDa0}LPC
JDE"#cookie 9~qw\;G!XZM'zDX(E
"#
D
DN: kND(P{F(distinguished name)#
E
EAS: kNDb?Z(~q(External Authorization
Service)#
G
GSO: kND+V"a(global signon)#
H
HTTP: kND,D>+d-i(Hypertext Transfer
Protocol)#
I
IP: kNDxJ-i(Internet Protocol)#
IPC: kNDxLd(E(Interprocess Communication)#
L
LDAP: kNDa?6?<CJ-i(Lightweight Directory
Access Protocol)#
LTPA: kNDa?6Z}=O$(lightweight third party
authentication)#
M
management server: QOz#kND policy server#
P
PAC: kNDX(tT$i(privilege attribute
certificate)#
policy server: ,$XZ2+rPd|~qwD;CE"
D Tivoli Access Manager ~qw#
POP: kND\#$Ts_T(protected object policy)#
R
RSA S\(RSA encryption): CZS\MO$D+C
\?S\53#K53GI Ron Rivest"Adi Shamir M
Leonard Adleman Z 1977 j"wD#K53D2+T!v
Z+=vsJ}DK}Vb*rSDQH#
S
SSL: kND2+WSVc(Secure Sockets Layer)#
SSO: kND%;"a(Single Signon)#
U
URI: kND3;J4j6(uniform resource identifier)#
URL: kND3;J4(;w(uniform resource
locator)#
W
Web Portal Manager(WPM): ;VyZ Web D<N
&CLr,CZZ2+rP\m Tivoli Access Manager
Base M WebSEAL 2+T_T#pdadmin |nPgfD
fzgf,K GUI 'V6L\m1CJ,"9\m1\;
4(/IDC'r,"8(/I\m1xb)r#
WebSEAL: ;V Tivoli Access Manager blade Lr#
WebSEAL G;V_T\"`_LD Web ~qw,|+2
+T_T&C=\#$TsUd#WebSEAL \;a)%;
"abv=8,"+sK Web &CLr~qwJ4iO=
2+T_TP#
WPM: kND Web Portal Manager#
w}
[A]
2+T_T 3
20?< 7
[B]
#$6p POP _T 109
8] 153
>XO$N} 50
jG5 89, 92
m%
%;"a 120
m%O$ 55
[C]
_T
#$6p POP 109
XBO$ 106
4(M&C 107
u~ 107
G< 100
]} 103
yZxgDO$ POP 108
XF4O$C' 110
\k 101
O$?H POP 103
C'M+V 103
ACL 97, 99
IP X7 108
e~
2+T_T 3
20?< 7
&\ 3
j'V 10
dC 11
t/M#9 9
ks&m 35
O$ 3
HTTP ms{" 9
e~xLw 1
,1
_Y:fGn/ 46
XBO$ 106
4( BA 7 56
ms{" 9
ms3f
dC 11
ms,* IIS (F 9
[D]%;"a
m% 120
=zm 116
gSgx 132
En 113
gr 127
9CJO*F cookie 117
9C HTTP 7 114
9C LTPA cookie 115
9C SPNEGO 62
GSO 118
SPNEGO 120
WebSEAL 116
Windows 63
G<
?F 110
G<_T 100
G<sX(r 88
]} 103
tC 104
^F 105
I IP X7{C 109
gSgx%;"a
Ev 132
&\M*s 132
S\$5DnF 135
xLw 133
dC 135
dC>} 139
>} 139
cookie 134
/, ADI lw 150
/, URL
CJXF 145
TsPm 17
`74CzmLr 93
`rSO$ 106
`oT'V 32
[G]
Ev
ks&m}L 35
_Y:f
}]bhC 30
_Y:fGn/,1 46
_Y:f}]b 26
y?< 7
zY 28
zY (x)
pdadmin |n 29
&\ 3
$wLr_L,dC 11
JO-r
a) 150
JOoO
Kerberos 67
SPNEGO 67
JO*FO$ 70
b 72
dC 76
}6 76
rsf]T 75
r6' 75
JO*F cookie 70, 73, 74
%;"a 117
S\/b\ cookie }] 78
dC cookie zfZ 78
tCr6'ZD cookie 82
[H]
j'V 10
sK&CLr
,$a04, 143
a0j6 35
a0,1 46
a0XBO$4; 46
a0_Y:f 45
a04,
\m 44
9Ca0 cookie 47
9Cy>O$ 47
9C HTTP 7 48
9C IP X7 49
9C iv 7 49
9C SSL a0j6 47
,$ 143
a0 cookie 47
[J]
y>O$ 47, 53
yZxgDO$ POP _T 108
G< 26
Z,dCD~ 157
bMDibwzV' 14
[K]
gr
%;"a 127
)9X(tT$i(EPAC) 4
[L]
nF 58
nFO$ 58
nFl&3f 61
[M]
\k_T 101
|n 181
|D\k 51
"z 51
help 51
#i 37
lYN< 175
[N]
d{M'z&m 110
[P]
dC
N}
#f 157
zm 169
a0 168
O$ 160
Z( API 170
X(Z Web ~qw 171
LDAP 169
e~ 8
ms3f 11
G<X(r 88
gSgx%;"a 135
TZ Web ~qw 15
~qwX( 15
_Y:f 30
_Y:f}]b 26
a0Da0 cookie 47
a0D HTTP 7 48
a0D iv 7 49
a0D SSL a0j6 47
a0/>$_Y:f 45
Z 157
nFl&3f 61
>$"B 30
P;C' 19
1!5 51
O$ 37
=( 39
O$Dy>O$ 53
O$=( 51
O$Ev 50
O$ibwz 38
dC (x)
U> 26
sF 28
sFU> 26
Z(~qw 11
Z(s 43
ibwz 12
CZa0Dy>O$ 47
CZO$Dm% 55
CZO$DJO*F cookie 70
CZO$DnF 58
CZO$D HTTP 7 85
CZO$D IP X7 87
CZO$D IV 7 83
CZZ(sDjG5 89, 92
$iO$ 57
API ~q 30
HTTP ks_Y:f 31
IP X7 49
Kerberos 65
LDAP DJO*F 23
LTPA cookie CZO$ 88
NTLM O$ 68
P3P 24
pdwebpimgr.conf 9
pdwebpi.conf 8
SPNEGO CZO$ 62
Web ~qwO$ 69
>$
q! 4
>$"B 30
[Q]
t/e~ 9
P;C'
xLw 19
dC 18
tC 19
0l 22
ks&m}L
Ev 35
+V%;"a - GSO 118
[R]
O$ 35
m% 55
N} 160
]} 103
`rS 106
=( 39
lYN< 175
3r 39
Ev 3
O$ (x)
yZxgD POP _T 108
?D 4
dCEv 37, 50
9CJO*F cookie 70
9Cy>O$ 53
9CnF 58
9C$i 57
9C HTTP 7 85
9C IP X7 87
9C IV 7 83
9C LTPA cookie 88
9C SPNEGO 62
ibwzDdC 38
NTLM 68
Web ~qw 69
O$=( 51
O$zF 50
m% 55
y>O$ 53
nF 61
P;C' 20
9C IP X7 87
9C IV 7 85
$i 58
HTTP 7 86
O$xL 36
O$#i
lYN< 175
O$?H POP
IP X7 103
O$}6}L 36
O$aJ
xLw 43
[S]
sF 26
sFG< 27
5CLr
pdwebpi 184
pdwebpi_start 182
pdwpicfg -action config 186
pdwpicfg -action unconfig 188
pdwpi-version 185
Z(~qw
dC 11
Z(}L 36
Z(s
G<X(r 88
9CjG5 89, 92
Z(s&m 36, 43
Z(v_E"
Ev 147
lw 148
dClw 150
Z(0&m 36
[T]
XbV{ 191
e5a9 1
#9e~ 9
7
P3P 23
7`M
8( 86
[W]
4O$D HTTPS 110
4O$C' 110
C_TXF 110
[X]
`Xvfo xvii
l&&m 36
ibwz
dC 12
O$dC 38
'V 2
mI(
ACL 99
WebDAV 99
[Y]
~==(7 23
&C4O$ HTTPS 110
oT
'V 32
r{F,hC 53
[Z]
}rmo= 191
$5
nF 135
nFS\ 135
ksM&p 134
$i 57
U9C'a0 144
i~ 1
A
accept N} 84
acct-locked-page N} 11
ACL _T 97
ACL _T (x)
1!5 99
ACL mI( 99
add-hdr 54
ADI 147
allow-login-retry 137
AMWebARS
dC 151
Apache
"bBn 16
API ~q 30
audit configuration 28
auditcfg N} 28
auditlog N} 28
authentication-levels stanza 39
B
BA 7
&m 53
UTF-8 `k 57
branch N} 13
C
cache-definitions 93
cache-refresh-interval 93
cache-refresh-interval N} 30
CDAS O$N} 50
CDSSO 127
tC 129
cdsso >$tT 130
cdsso_key_gen 78
cert-cdas N} 50
cert-ssl N} 50
cleanup-interval N} 11
common-modules Z 37
create-ba-hdr 56
cred-ext-attrs 92
Ddb-file N} 30
doc-root 15
dynurl 145
E
ecsso >$tT 138
ecsso r\? 137
enable-failover-cookie-for-domain 82
EPAC 4
error-page N} 11
e-community-name 135
F
failover-cdsso 77
failover-certificate 77
failover-cookies-keyfile 78
failover-cookie-lifetime 78
failover-http-request 77
failover-password 77
failover-token-card 77
G
generate N} 84
GSO 118
H
HTML l&m% 56
HTTP ms{" 9
HTTP ks_Y:f 31
HTTP 7 48
%;"a 114
O$ 85
http-request N} 50
I
id N} 11, 13
IHS
"bBn 16
ihs
X(dC 15
IIS
"bBn 16
iis
X(dC 15
IIS ms
(F 9
IP X7 49, 87
IP X7M6' 108
iplanet NDSun ONE 15
is-master-authn-server 135
IV 7 114
O$ 83
UTF-8 `k 85
iv 7 49
iv-creds 84
iv-groups 84
iv-remote-address 84
iv-user 84
iv-user-l 84
K
Kerberos 64
L
LDAP
)9tT 89, 92
dCJO*F 23
LDAP DJO*F 23
LDAP,dCN} 169
ldap-ext-cred-tags stanza 92
libfailoverauthn 2mb 77
listen-flags N} 30
logaudit N} 28
logflush N} 28
login-form 56
login-redirect 88
login-success N} 11
login-uri 56
logsize N} 28
log-file 15
LTPA
Z(s&m 88
LTPA cookie 88, 115
ltpa-keyfile 88
ltpa-password 88
ltpa-stash-file 88
M
master-authn-server 136
master-https-port 137
master-http-port 136
max-entries N} 45
max-session-lifetime 11
max-session-lifetime N} 11
modules Z 37
modules dC 37
MPA 93
N
NTLM O$ 68
number-of-workers N} 11
P
P3P 23
dC 24
passwd-cdas N} 50
passwd-ldap N} 50
pdbackup 153
pdwebpi 184
pdwebpimgr.conf 9
pdwebpi.conf 8
pdwebpi_start 182
pdweb-plugin Z 12
pdweb-plugins Z 15
pdwpicfg -action config 186
pdwpicfg -action unconfig 188
pdwpi-version 185
pkmshelp 52
pkmslogout 52
pkmspasswd 52
POP _T
#$6p 109
XBO$ 106
yZxgDO$ 108
O$?H - ]} 103
c( 109
protocols N} 13
proxy-if Z 11
Q
query-contents 15
query-log-file 15
R
reauth-grace-period 46
reauth-lifetime-reset 46
retry-limit-reached-page N} 11
S
sessions Z 45
SPNEGO 62, 120
%;"a 62
tC 66
SSL a0j6 47
strip-hdr 54
Sun ONE
X(dC 15
supply-password 54
supply-username 54
T
timeout N} 11
token-cdas N} 50
U
unprotected-virtual-host N} 12
use-utf8 137
V
vf-argument 137
vf-token-lifetime 137
vf-url 137
virtual-host N} 12
W
Web ~qwO$ 69
WebDAV mI( 99
WebSEAL
%;"a= 116
worker-size N} 11