Plug-in for Web Servers C 8O

IBM Tivoli Access Manager Plug-in for Web Servers C'8O f> 3.9 G152-0315-00


IBM Tivoli Access Manager

Plug-in for Web Servers C'8Of> 3.9

G152-0315-00


"b

Z9C>JO0d'VDz7.0,kDAZ 103 3D=< D, :yw;PDE"#

Z;f(2002 j 4 B)

>f>JCZ IBM Tivoli Access Manager: Plug-in for Web Servers Df> 3.9(z7E 5724–C08)0yPsL"Pf,

1=ZBf>PmPyw*9#

© Copyright International Business Machines Corporation 2002. All rights reserved.

?<

<

m

0T
>ifrDA_
>i|,DZ]
vfo
IBM Tivoli Access Manager
`Xvfo
Z_CJvfo
):vfo
a)XZvfoD4!
(z!n
*5M''V
>i9CD<(
Ve<(

Z 1 B Access Manager Plug-in for Web Servers ri
Kb Access Manager Plug-in for Web Servers <u
y>Ywi~Ma9
'Vibwz
9C Access Manager Plug-in for Web Servers #$zD Web Ud
f.M5V2+T_T
Kb Access Manager Plug-in for Web Servers O$
O$?D
Kb>$q!
)9X(tT$i(EPAC)

Z 2 B 20 IBM Tivoli Access Manager Plug-in for Web Servers
'VD=(
ELMZf*s
X8m~
20 Access Manager Plug-in for Web Servers
Z AIX-IHS O20e~
Z Solaris Operating Environment-iPlanet O20e~
Z Windows-IIS O20e~
}% Access Manager Plug-in for Web Servers
S Windows-IIS }%e~
S AIX-IHS }%e~
S Solaris Operating Environment-iPlanet }%e~

Z 3 B IBM Tivoli Access Manager Plug-in for Web Servers dC
#fe~E"
pdwebpi.conf dCD~ri
pdwebpimgr.conf dCD~
Access Manager Plug-in for Web Servers 20Dy?<
t/M#9 Access Manager Plug-in for Web Servers
HTTP ms{"
dC Authorization Server
dC$wLr_L
hCnsa0P'Z
dCms3f
dCibwz~qw
X(Z Web ~qwDdC
dCe~sF"G<U>"zYM_Y:f}]b
KbsFG<
sFdC
zYe~Yw
_Y:f}]bhC
dCZ( API ~q

Z 4 B IBM Tivoli Access Manager Plug-in for Web Servers O$
KbO$}L
dCO$
\ma04,
dCe~a0/>$_Y:f
9C SSL a0j6,$a04,
9Cy>O$,$a04,
9Ca0 Cookies ,$a04,
9C HTTP 7,$a04,
9C IP X7,$a04,
\mO$N}
O$dCEv
dCy>O$
dCm%O$
dC$iO$
dCnFO$
dCJO*F cookie O$
dC IV 7O$
dC HTTP 7O$
dC IP X7O$
dCjG5sZ(&m
hCibwzDO$N}
'V`74C/PzmLr(MPA)
P'a0}]`MMO$=(
MPA M`vM'zDO$xLw
tC MPA O$
* MPA 4(C'J'
r pdwebpi-mpa-servers imS MPA J'

Z 5 B IBM Tivoli Access Manager Plug-in for Web Servers 2+T_T
X(Ze~DCJXFm(ACL)_T
/PDWebPI/host r virtual_host
e~ ACL mI(
1! /PDWebPI ACL _T
}N%wG<_T
|no(
\k?H_T
pdadmin 5CLrhCD\k?H_T
X(C'M+VhC
O$?H\#$Ts_T(]})
dC]}O$6p
tC]}O$
]}O$"bBnM^F
XBO$\#$Ts_T
0l POP XBO$Du~
4(M&CXBO$ POP
yZxgDO$\#$Ts_T
8( IP X7M6'
{C4 IP X7D]}O$
yZxgDO$c(
#$6p\#$Ts_T
&m4O$C'(HTTP/HTTPS)
&m4Td{M'zDks
?FC'G<
&C4O$ HTTPS
C ACL/POP _TXF4O$C'

Z 6 B Web %;"abv=8
%;"aEn
T/"a=\#$D&CLr
dC%;"a9C HTTP 7#$&CLr
9C LTPA cookie %;"a= WebSphere Application Server
S WebSEAL rd|zm%;"a=e~
dC IV 7%;"a= Access Manager Plug-in for Web Servers
9CJO*F cookie xP%;"a
tC9CJO*F cookie D%;"a
dCJO*F cookie N}

Z 7 B gSgx%;"a
i\gSgx%;"a
gSgx%;"a&\M*s
gSgx%;"axLw
mbgSgx cookie
mb0$51ksM&p
0$51ks
0$51&p
mb0$51nF
S\0$51nF
dCgSgx
dCgSgx%;"a * >}

=< A. pdwebpi.conf N<
=< B. O$=(lYN<
=< C. |nlYN<
=< D. yw
Lj
w}

<

1. e~M Access Manager i~;%wC#
2. Web ~qwCJv_#
3. 7(O$#iDe~wL#
4. O$aJ}L_-
5. 7(a0#iDe~wL#
6. JO*F cookie DdM~qwe5a9#
7. G<=gSgx#
8. gSgx%;"adC>}

m

1. Access Manager EPAC VN
2. pdwebpi.conf Z**
3. 'VDjf;
4. [proxy] ms3fdCN}#
5. X(Z Web ~qwDdCN}
6. O$sFG<VN(e#
7. sFdCN}(e
8. >XZCO$Lr
9. b? CDAS ~qwN}
10. BA 2mbO$zF
11. m%2mbO$zF
12. $i2mbO$zF
13. nF2mbO$zF
14. IV 7VNhv
15. IV 72mbO$zF
16. HTTP 72mbO$zF
17. IP X72mbO$zF
18. MPA DP'a0}]`M
19. P'D MPA O$`M
20. e~ ACL mI(
21. e~ WebDAV mI(
22. pdadmin LDAP G<_T|n
23. pdadmin LDAP \k?H|n
24. \k>}
25. QOP 6phv
26. IV 7VNhv
27. LTPA dCN}
28. IV 7VNhv
29. #fdCN}
30. O$dCN}
31. a0dCN}
32. LDAP dCN}
33. zmdCN}
34. Z( API dCN}
35. X(Z Web ~qwDdCN}
36. e~O$=(/#iN<
37. e~a0#iN<
38. e~sZ(#iN<
39. e~|nN<

0T

IBM® Tivoli® Access Manager Plug-in for Web Servers w*M'zM2+ Web Ud

.dDxX\mzyZ Web DJ4D2+T#e~5V#$z Web TsUdD2+

T_T#Ke~Ia)%;"abv=8,'Vw*ibwzKPD Web ~qw"+

Web &CLr~qwJ4O"=d2+T_TP#

6IBM Tivoli Access Manager Plug-in for Web Servers C'8O7a)208>E""

\m}LM9C Plug-in for Web Servers &CLr#$ Web rD<uN<E"#

>ifrDA_

>8O):p20"?pM\m Access Manager Plug-in for Web Servers D53\m

19C#

A_&1l$TBZ]:

v PC M UNIX® Yw53#

v }]be5a9MEn

v 2+\m

v rXx-i,|( HTTP"HTTPS M TCP/IP

v a?6?<CJ-i(LDAP)M?<~q

v 'VDC'"am

v O$MZ(

g{*tC2+WSVc(SSL)(E,r9&l$ SSL -i"\?;;(+CM(

C)"}V){"\kc(MO$PD#

>i|,DZ]

>i|,TBw?V:

v Z 1 B, :Access Manager Plug-in for Web Servers ri;

a) Access Manager Plug-in for Web Servers &CLrDri,xv53e5a9"

&\MYw73Dj8E"#

v Z 2 B, :20 IBM Tivoli Access Manager Plug-in for Web Servers;

Access Manager Plug-in for Web Servers D208>E",|(53*sE"M}%

}L#

v Z 3 B, :IBM Tivoli Access Manager Plug-in for Web Servers dC;

a)XZ Access Manager Plug-in for Web Servers DdC*sDE"#

v Z 4 B, :IBM Tivoli Access Manager Plug-in for Web Servers O$;

,$a04,"O$ksM'VsZ(&mDE"MdC8>E"#

v Z 5 B, :IBM Tivoli Access Manager Plug-in for Web Servers 2+T_T;

XZdCM(F Access Manager Plug-in for Web Servers 2+T_TDE"#

v Z 6 B, :Web %;"abv=8;

V[CZ Access Manager Plug-in for Web Servers #$D Web UdD%;"ab

v=8#

v Z 7 B, :gSgx%;"a;

V[ Access Manager Plug-in for Web Servers DgSgx%;"abv=8#

v =< A, :pdwebpi.conf N<;

Pv Access Manager Plug-in for Web Servers dCN}0X*Dhv#

v =< B, :O$=(lYN<;

PvyPe~O$"a0MsZ(=(0X*Dhv#

v =< C, :|nlYN<;

PvICe~5CLr0dy4PYwDhv#

vfo

>ZPvK IBM Tivoli Access Manager bPDvfoT0d|yP`XD5#,19

hvgNZ_CJ Tivoli vfo,gN): Tivoli vfo,T0gNT Tivoli vfo

xP@[#

IBM Tivoli Access Manager

Access Manager b4TB`pi/:

v "PE"

v y>E"

v WebSEAL E"

v Web 2+TE"

v *"_N<E"

v 9d<uE"

z7bPDvfoTIF2D5q=(PDF)|,Zz7 CD O#*9C Web /@w

CJb)vfo,kr* infocenter.html D~,KD~;Zz7 CD OD /doc ?<P#

XZ Access Manager M`XwbD=SE"4,kNDTB Web >c:

http://www.ibm.com/redbooks

https://www.tivoli.com/secure/support/documents/fieldguides

"PE"

v 6IBM Tivoli Access Manager for e-business kHDA7

G152-0306(am39_readme.pdf)

a)20"*<9C Access Manager DE"#

v 6IBM Tivoli Access Manager for e-business "P5w7

G152-0313(am39_relnotes.pdf)

a)nBE",}gm~^F"X\k)MD5|B#

y>E"

v 6IBM Tivoli Access Manager Base 208O7

G152-0303(am39_install.pdf)

5wgN20"dCM}6 Access Manager m~,|( Web Portal Manager gf#

v 6IBM Tivoli Access Manager Base \m18O7

G152-0304(am39_admin.pdf)

hv9C Access Manager ~qDEnM=h#a)S Web Portal Manager gfM

9C pdadmin |n4PNqD8>E"#

v IBM Tivoli Access Manager Base for Linux on zSeries™ Installation Guide

GC23-4796(am39_zinstall.pdf)

bMgNZ zSeries =(O20MdC Access Manager Base for Linux#

WebSEAL E"

v 6IBM Tivoli Access Manager WebSEAL 208O7

G152-0302(amweb39_install.pdf)

a) WebSEAL ~qwM WebSEAL &CLr*"$_dD20"dCM}%8>

E"#

v 6IBM Tivoli Access Manager WebSEAL \m18O7

G152-0305(amweb39_admin.pdf)

a)9C WebSEAL \m2+ Web rJ4D30JO"\m}LM<uN<E"#

v IBM Tivoli Access Manager WebSEAL Developer’s Reference

GC23-4683(amweb39_devref.pdf)

a)grO$~q(CDAS)"gr3dr\(CDMF)M\k?H#iD\mM`

LE"#

v IBM Tivoli Access Manager WebSEAL for Linux on zSeries Installation Guide

GC23-4796(amweb39_zinstall.pdf)

a)Z zSeries =(OCZ Linux D WebSEAL ~qwM WebSEAL &CLr*"

$_dD20"dCM}%8>E"#

Web 2+TE"

v 6IBM Tivoli Access Manager for WebSphere Application Server C'8O7

G152-0316(amwas39_user.pdf)

a) Access Manager for IBM WebSphere® Application Server D20"}%M\m

D8>E"#

v 6IBM Tivoli Access Manager for WebLogic Server C'8O7

G152-0317(amwls39_user.pdf)

a) Access Manager for BEA WebLogic Server D20"}%M\mD8>E"#

v 6IBM Tivoli Access Manager Plug-in for Edge Server C'8O7

G152-0307(amedge39_user.pdf)

hvgN20"dCM\m Plug-in for IBM WebSphere Edge Server &CLr#

v 6IBM Tivoli Access Manager Plug-in for Web Servers C'8O7

G152-0315(amws39_user.pdf)

a)208>E""\m}LM9C Plug-in for Web Servers #$zD Web rD

<uN<E"#

*"_N<s+

v IBM Tivoli Access Manager Authorization C API Developer’s Reference

GC32-0849(am39_authC_devref.pdf)

a)N<JO,CJOhvgN9C Access Manager Z( C API M Access Manager

~qe~SZr&CLrmS Access Manager 2+T#

v IBM Tivoli Access Manager Authorization Java Classes Developer’s Reference

GC23-4688 (am39_authJ_devref.pdf)

a)9CZ( API D Java™ oT5V49&CLr\;9C Access Manager 2+

TDN<E"#

v IBM Tivoli Access Manager Administration C API Developer’s Reference

GC32-0843(am39_adminC_devref.pdf)

a)9C\m API 9&CLr\;4P Access Manager \mNqDPXN<E"#

KD5hv\m API D C 5V#

v IBM Tivoli Access Manager Administration Java Classes Developer’s Reference

SC32-0842 (am39_adminJ_devref.pdf)

a)9C\m API D Java oT5V49&CLr\;4P Access Manager \mN

qDN<E"#

v IBM Tivoli Access Manager WebSEAL Developer’s Reference

GC23-4683(amweb39_devref.pdf)

a)grO$~q(CDAS)"gr3dr\(CDMF)M\k?H#iD\mM`

LE"#

<u9d

v 6IBM Tivoli Access Manager T\w38O7

G152-0309 (am39_perftune.pdf)

a)I+ IBM SecureWay Directory (e*C'"amD Access Manager y9I7

3DT\w{E"#

v 6IBM Tivoli Access Manager ]?f.8O7

G152-0308(am39_capplan.pdf)

ozf._7(*o=XhD$w:XyhD WebSEAL"LDAP MsK Web ~q

wD}?#

v 6IBM Tivoli Access Manager ms{"N<s+7

S152-0312(am39_error_ref.pdf)

a)T Access Manager yzI{"DbMM(iYw#

Tivoli Glossary |,k Tivoli m~`XDm`<uuoD(e#ZTB Web >cvT

"oa)K Tivoli Glossary:

http://www.tivoli.com/support/documents/glossary/termsm03.htm

`Xvfo

>ZPvKk IBM Tivoli Access Manager b`XDvfo#

IBM DB2® (C}]b

20 IBM SecureWay® Directory"z/OS® M OS/390® LDAP ~qw1,IBM DB2 G

XhD#ZTB Web >ca)K DB2 E":

http://www-4.ibm.com/software/data/db2/

IBM Global Security Toolkit

Access Manager (}9C IBM Global Security Toolkit(GSKit)a)}]S\#GSKit

fCZzX(=(D IBM Tivoli Access Manager Base CD =x#

GSKit m~|20 iKeyman \?\m5CLr(gsk5ikm),Jmz4(\?}]b"

+C-(C\?TM$iks#Z /doc/GSKit ?<Pa)KTBD5:

v Secure Sockets Layer Introduction and iKeyman User’s Guide(gskikm5c.pdf)

*xgr532+\m1a)E",b)\m1f.Zd Access Manager 2+rP

tC SSL (E#

IBM SecureWay Directory

IBM SecureWay Directory f> 3.2.2 GfCZzX(=(D IBM Tivoli Access Manager

Base CD =xD#g{F.20 IBM SecureWay Directory ~qww*zDC'"a

m,rISCZzDXb=(D IBM Tivoli Access Manager Base CD OD /doc/Directory

76Pq!TBD5#

v IBM SecureWay Directory Installation and Configuration Guide

(aparent.pdf"lparent.pdf"sparent.pdf"wparent.pdf)

a) AIX®"Linux"Solaris Operating Environment M Microsoft® Windows® Yw5

3OD IBM SecureWay Directory i~D20"dCM(FE"#

v IBM SecureWay Directory Release Notes

(relnote.pdf)

9d IBM SecureWay Directory f> 3.2.2 z7D5,"hvZK"PfPa)DX

TM&\#

v IBM SecureWay Directory Readme Addendum

(addendum322.pdf)

a)Z IBM SecureWay Directory D5Q-k.s"zD|DM^}PXE"#vT

"oa)KD~#

v IBM SecureWay Directory Server Readme

(server.pdf)

a)T IBM SecureWay Directory Server f> 3.2.2 Dhv#

v IBM SecureWay Directory Client Readme

(client.pdf)

a)T IBM SecureWay Directory Client f> 3.2.2 Dhv#Km~*"|(SDK)

a) LDAP &CLr*"'V#

v SSL Introduction and iKeyman User’s Guide

(gskikm5c.pdf)

*xgr532+\m1a)E",b)\m1f.Zd Access Manager 2+rP

tC SSL (E#

v IBM SecureWay Directory Configuration Schema

(scparent.pdf)

hv?<E"w(DIT)MCZdC slapd32.conf D~DtT#Zf> 3.2 P,9C

LDAP Directory Interchange Format(LDIF)q=+?<hCf"Z slapd32.conf D

~P#

v IBM SecureWay Directory Tuning Guide

(tuning.pdf)

a) IBM SecureWay Directory DT\w{E"#ZJC.&xvK?<s!Dw{

"bBn,b)?<s!D6'S8'vu?=8Yrvu?#

XZ IBM SecureWay Directory D|`E",kNDTB Web >c:

http://www.software.ibm.com/network/directory/library/

IBM WebSphere Application Server

IBM WebSphere Application Server _6%~qwf 4.0.2 Gf Web portal manager g

f20D#XZ IBM WebSphere Application Server DPXE",kNDTB Web >

c:

http://www-4.ibm.com/software/webservers/appserv/infocenter.html

Z_CJvfo

z7bPDvfoTIF2D5q=(PDF)|,Zz7 CD O#*9C Web /@w

CJb)vfo,r* infocenter.html D~,CD~;Zz7 CD OD /doc ?<

P#

1 IBM "<;vr`vZ_r2=4vfoD|Bf>1,a+b)vfo"M=

Tivoli Information Center#Tivoli Information Center T PDF M/r HTML q=|,

z7bPvfoDnBf>#3)z79a)-k}DD5#

ITSTB Tivoli Customer Support Web >cPD Tivoli Information Center CJ|

BDvfo: http://www.tivoli.com/support/documents/

E"4z7i/,|,"P5w"208O"C'8O"\m18OM*"_N<s

+#

":g{ZGE=s!D=EOr! PDF D5,!qZ Adobe Acrobat Print T0r

(%w File → Print 1IC)PD Fit to page 4!r47#Zz9CD=EO

r!E=s!3fDj{_g#

):vfo

IZTB Web >cZ_):m` Tivoli vfo:

http://www.elink.ibmlink.ibm.com/public/applications/

publications/cgibin/pbi.cgi

2I&rTBb)Ek.;xP)::

v @z:800-879-2755

v SCs:800-426-4968

v Zd|zRrXx,XZg0EkDPm,kNDTB Web >c:

http://www.tivoli.com/inside/store/lit_order.html

a)XZvfoD4!

RGG#Vbc}z9C Tivoli z7MD5DP\,"RG#6-za)Dx(i#g

PNNPXz7MD5Db{M(i,kTBP==.;*5RG:

v r [email protected] "MgSJ~#

v ZTB Web >cn4KM4!ivwi:

http://www.tivoli.com/support/survey/

(z!n

(z!n&\ozPmeP2(}gP/;crS&O-)DC'I&9Cm~z

7#TZKz7,I9C(z<u}!M/@gf#2I9C|L4fzsj4P<

NC'gfDyP&\#

*5M''V

g{TZ Tivoli z7fZJb,I*5 Tivoli M''V#kNDBP Web >cD

Tivoli Customer Support Handbook:

http://www.tivoli.com/support/handbook/

CVaa)XZgNy]JbDOXT*5 Tivoli M''VDE"MBPE":

v "aMJq

v g0EkMgSJ~X7(!vZzyZDzRrXx)

v *5<u'V0&CU/DE"

>i9CD<(

>8OTXbuoMYw"Yw53`X|nM76T0T"<N9C8V<(#

Ve<(

>iP9CTBVe<(:

Ve |n{FM!n"X|VMd|Xkj+4U-D9CDE",TV

eVT>#

1e d?"|n!nMXka)D5T1eT>#vfojbT0?wD

XbJrLo2T1eT>#

HmVe zk>}"|nP"A;dv"D~M?<{FT053{"THm

VeT>#

Z 1 B Access Manager Plug-in for Web Servers ri

IBM Tivoli Access Manager(Access Manager)Plug-in for Web Servers G/Ibv=

8,|\c{CZzD\#$ Web UdD2+T_TD5VM\m#Ce~Gw*z

D Web ~qwD,;xLD;?V20D,`1ZM'zM\#$ Web Ud.dD

2+TxX#

>riBa)K Access Manager Plug-in for Web Servers <uDEv,xvK>z7

D<u*s"a)K9CCe~7# Web Ud2+TD}LDi\#

wbw}:

v :Kb Access Manager Plug-in for Web Servers <u;

v Z 3 3D:9C Access Manager Plug-in for Web Servers #$zD Web Ud;

v Z 3 3D:Kb Access Manager Plug-in for Web Servers O$;

v Z 5 3D:Kb>$q!;

Kb Access Manager Plug-in for Web Servers <u

Access Manager Plug-in for Web Servers w*zD Web ~qwD,;xLD;?VY

w,|9X=oD?vks"7(Gqh*Z(v_,"a)C'O$D=((g{

h*)#

Access Manager Plug-in for Web Servers /IK IBM Tivoli Access Manager &CL

rTa)CZ Web J4Dj{2+Tbv=8#Ce~Ia)%;"abv=8,"

+ Web &CLrJ4OI=d2+T_TP#

y>Ywi~Ma9

I=vy>a9i~9I Access Manager Plug-in for Web Servers * e~i~M

Authorization Server#e~i~&m Web ~qw_L,(}xLd(E(IPC)SZ+

?vksDj8E""M= Authorization Server#Authorization Server 4PxkDks

DO$MZ(#Authorization Server G>X==D AZNAPI &CLr,|S\"&m

4Te~Dks"xPl&,f_e~gN&m?vks#

Authorization Server 7(ksZDvibwzO07(g{ Web ~qwOfZibw

z)"7(ksGqh*Z(#TZ;h*Z(Dks,|Jm Web ~qw&mks#

Authorization Server *h*Z(Dks4PTBYw:

1. g{H0QO$ks,ri!O$ra0E"#

2. g{h*,t/kC';%wCDO$#

3. 9l Access Manager >$#

4. j6C'+CJDJ4,"+b)J43d=`&D Access Manager \#$Ts{

F#\#$Ts{FzmgS5e,}g Web >cD2+?Vr;Jm3)C'C

JD&CLr#

5. 7(Gqksrl&h*^D

6. (}+ cookie r7?VmS=ks/l&rzIl&(}gQO$Dl&r4Z(

Dl&)zIe~rwz Web ~qwyhDl&#

'Vibwz

ibwzG Web ~qwD&\,JmdTrXxT>*`vwz#Access Manager

Plug-in for Web Servers 'VD Web ~qw<'Vibwz&\#

Access Manager Plug-in for Web Servers a)Z?vibwzDy!O5V2+T_T

D&\#5VK&\yhD&CLr20Z>D5Dsf?VPDwbPV[#

< 1. e~M Access Manager i~;%wC#

9C Access Manager Plug-in for Web Servers #$zD Web Ud

Access Manager Plug-in for Web Servers a)TB&\:

v 'V`vO$=(,|(:y>O$"IP X7"nF"$iMm%O$HH#

v S\ HTTP M HTTPS ks

v (}yZi/_TO$MZ(C'ks4#$ Web ~qwJ4#

v 'Vibwz73PDksO$MZ(#

v \mT Web ~qwUdDCJXF#

\'VDJ4|( URL"yZ URL D}rmo="CGI Lr"HTML D~"Java

!~qLrM Java `D~#

v _Y:fa0M>$E",T\bZ(liZdTC'"am}]bDX4i/#

v a)%;"a&\

f.M5V2+T_T

+>2+T_Tj6h*#$D Web J4M?v Web J4yhD#$6p#Access

Manager 9Cb) Web J4Dibm>,F*\#$TsUd#\#$TsUd|,

zmxgPD5JomJ4DTs#(}+J1D2+zF&C=h*#$DTs5

V2+T_T#

2+zF|(:

v CJXFm(ACL)_T

ACL _Tj6C'`M,b)C'ITCJM8(?vC'`MDTsOJmDY

w#

v \#$Ts_T(POP)

POP 8('dT\#$TsDCJD=Su~,}g#\T"j{T"sFMCJD

?U1d#

v )9tT

)9tTGCZIT0lZ(v_DTs"ACL r POP D=S5#

Authorization Server Plug-in for Web Servers D Authorization Server i~CZyZC

'D>$MTZTsDCJXFJmr\xT\#$J4DCJ#*I&5V2+T

_T,XkZ>Xi/;,DZ]`M"&CJ1D ACL M POP _T#CJ\mI

\GO4SD,+2IT(}TZ]`MP8V`x9ddC]W#XZ Access

Manager D+fE"(|(hC_TDj8E")ITZ6IBM Tivoli Access Manager

Base \m18O7PR=#

Kb Access Manager Plug-in for Web Servers O$

O$Gj6"TG<=2+rD%@xLr5eD=(#Z(G7(qO$DC'G

qP(^TX(J44PYwD=(#O$7#vKm]Df5T,+;TdTJ4

4PYwD\&vNNPO#

Access Manager Plug-in for Web Servers *s?vM'za)m]$w45)2+rP

D_62+T#(}9 Access Manager Plug-in for Web Servers XFM'zDO$M

Z(,ITa)+fDxg2+T#

TBu~JCZ Access Manager Plug-in for Web Servers O$:

v e~'VO$=(Dj</O#IT(Fe~T'Vd|O$=(#

v e~xL@"ZO$=(#

v e~vh*M'zm]#SCm],e~q!QO$(r4O$)D>$,

Authorization Server I9CC>$Jmr\xTJ4DCJ#

KinDO$=(Jm2+T_TyZ5q*s,x;GomxgXKa9#

O$?D

Access Manager Plug-in for Web Servers O$}L}pTBYw:

1. M'zO$zzM'zm]#

;PC'_P Access Manager C'"amP(eDJ'1,M'zO$EaI&#

qr+O*CC'4O$#

2. Access Manager Plug-in for Web Servers 9CM'zm]q!CM'zD>$#

e~+O$DM'zm]k"aD Access Manager C'%d#;se~+q!J1

DC'>$#bF*>$q!#

>$#$C'{0C'_PI1JqDNNi#e~I9Cb)>$4Jmr\x

T Access Manager \#$TsUdPDQksTsDCJ#

>$ICZNN Access Manager ~q,b)~qh*XZM'zDE"#>$9

Access Manager \;2+X4PwV~q,}gZ("sFM/I#

XZ'VX(O$=(Dx;=E",kNDZ 27 3DZ 4 B, :IBM Tivoli Access

Manager Plug-in for Web Servers O$;#

Kb>$q!

O$}LDw*?DGq!hvM'zC'D>$E"#C'>$GNk2+rDX

|*s#

Access Manager xpT}C'O$M>$q!#C'Dm]<UG;dD#;x,>$

((eC'NkDirG+)Gd?#X(ZOBDD>$ITfE1dDwEx|

D#}g,a}3K1,>$Xk5XBD0p6p#

O$}L+zzX(Z=(DC'm]E"#+kTZ$tZ Access Manager C'"

am(1!ivB* LDAP)DPDC'J'E"liKE"#Access Manager Plug-in

for Web Servers +C'{MiE"3d=F*)9X(tT$i(EPAC)D+2r6

'ZDm>Mq=#

X(Z=(Dm]E"(}g\k"jGM$i)zmC'Domm]tT#KE"

ICZ9C~qw("2+a0#

zzD>$(zm2+rPDC'X()hvX(OBDPDC',xRvZCa0

DP'ZZP'#

Access Manager >$|,C'm]MKC'_PI1JqDi#

)9X(tT$i(EPAC)

>$ICZNN Access Manager ~q,b)~qh*XZM'zDE"#}g,Access

Manager Authorization Server 9C>$47(GqZ(C'T2+rPD\#$J44

PX(Yw#>$9CZd|Nq,}gG<U>MsF#

EPAC |,(;(Cj6(UUID),Access Manager h*Cj64&mCJXFm

(ACL)#

TB EPAC VNJCZ Access Manager:

m 1. Access Manager EPAC VN

tT hv

2+rj6 weDw2+rj6

we UUID weD UUID

i UUID wetZDiD UUID

Z 2 B 20 IBM Tivoli Access Manager Plug-in for Web Servers

>Ba) IBM Tivoli Access Manager (Access Manager)Plug-in for Web Servers 2

0Dj8E"#|,2~Mm~*sE"T0j8D205w#

wbw}:

v :'VD=(;

v :ELMZf*s;

v :X8m~;

v Z 8 3D:20 Access Manager Plug-in for Web Servers;

v Z 12 3D:}% Access Manager Plug-in for Web Servers;

'VD=(

Access Manager Plug-in for Web Servers ZTB=(OkTB Web ~qw/I:

v Windows 2000 Server/Advanced Server * xP Internet Information Server(IIS)

f> 5.0 D Service pack 2

v xP iPlanet 6.0 D Solaris Operating Environment 7(sparc)

v xP IBM HTTP Server(IHS)1.3.19 D AIX 5L

":Tivoli Fv&C4T Web ~qw)&LDyP2+T^)#

ELMZf*s

Access Manager Plug-in for Web Servers PTB2~*s:

v kX8 Access Manager KP173aO9C1,nYh* 23MB ELUd

v Zf:nYh* 64 MB#Fv9C 256 MB#

k"bnY 64 MB G}X8 Access Manager KP173yhDnY 64 MB Zf

TbD#256 MB r|sD\Zf}+5VnEDT\a{#

X8m~

Access Manager Plug-in for Web Servers Gk Web ~qwm~/ID&CLr,|K

PZ Access Manager 2+rP#20Ce~0,XkhC Web ~qw"4( Access

Manager 2+r#

1z20 Access Manager m~1,+(" Access Manager 2+r#Km~f IBM

Tivoli Access Manager for e-business Base CD V"#

Z20 Access Manager Plug-in for Web Servers m~0,XkZ?j Web ~qwO

20TBm~:

v Web ~qwm~#*TBm~.;:

– CZ Windows 2000 Server/Advanced Server 73D IIS 5.0

– iPlanet 6.0 for Solaris Operating Environment 7(sparc)

– CZ AIX 5L 73D IHS 1.3.19#

v IBM Tivoli Access Manager KP173 v3.9

TB&CLr;h*20Z Web ~qwO * |Gw*(" Access Manager 2+r

D;?V20#|GXkfZZIIe~CJDxgPD3&#

v IBM Tivoli Access Manager Policy Server v3.9

v IBM Global Security Toolkit(GSKit)5.0.4.65

v g{9C LDAP,h*\'VD LDAP ~qw,}g IBM Secure Way Directory 3.2.2

20 Access Manager Plug-in for Web Servers

>Za)Z}v\'V=(O20 Access Manager Plug-in for Web Servers D8>E

"#

Z AIX-IHS O20e~

*Z AIX O20MdC Access Manager Plug-in for Web Servers:

1. Z AIX 5L Web ~qwO,7#IZzD73P9CTBm~:

v IBM Tivoli Access Manager for e-business Policy Server v3.9#kN<6IBM Tivoli

Access Manager Base 208O7#

":Access Manager Policy Server ;h*$tZk Access Manager KP17

3`,DzwO#

2. 7#Q20TBm~:

v IHS Web ~qwm~#

v IBM Tivoli Access Manager for e-business KP173 v3.9#kN<6IBM Tivoli

Access Manager Base 208O7#

v IBM Global Security Toolkit(GSKit)5.0.4.65

v g{}Z9C LDAP C'"am,r20 IBM SecureWay Directory Client 3.2.2

3. Access Manager Plug-in for Web Servers 20+i!km~|dCV*#9C SMITZ AIX O20m~|#;s9Ce~dC5CLr pdwpicfg 4dC20#

w* root C'G<#

4. + IBM Tivoli Access Manager Web Security,f> 3.9 AIX f CD ek CD }

/w#

5. ZbGLra>BdkTB|n:

# smit

SMIT 5CLrt/#

6. !qm~20M,$#!q20M|Bm~#!qSnBICDm~20M|B

m~#

7. a>dkh81,dk20 CD D;C#

8. %wPm4%,T>*20Dm~#

`!Pm0ZT> IBM Tivoli Access Manager m~|#

9. !q Access Manager Plug-in for Web Servers m~|#%w7(#

10. T>SnBICDm~20M|Bm~T0r#

11. i$1!5GGqvVZj)*T/20X8m~VNP#

12. +d|VNhC*kzD20`&D5#Zs?VivB,zITS\1!5#

%w7(#

13. T>{"r/JzGq7(*20Km~|#%w7(#

20m~|D~#+T>;)4,{"#nsD4,{"8>I&jID~i

!#

14. TZ Access Manager Plug-in for IBM HTTP Server m~|,X4=h 8 =

=h 12#

15. %wjI#%w!{Kv SMIT#

16. g{94dC Access Manager KP173,rXkZKWNdC#XZdC Access

Manager KP173Dj8E",kN<6IBM Tivoli Access Manager Base 20

8O7#

17. *dCe~,F/= /opt/pdwebpi/bin "KP:

# ./pdwpicfg

dkV8 c#

18. T> Web ~qwQ*DyPibwzPm#zP}v!n:

v g{;k*Ce~#$;vibwz,rZT>DPmPdkkibwz`X

DEk#

v *#$`vibwz,dkkT>DPmPDibwz;C`XD5#CUq

t*dkDEk#

v dk all 9Ce~#$~qwODyPQ*ibwz#

19. dk Access Manager \m1j6M\k#

20. AZN |BGZ&CLrYwZd+_TE"v?|SZ(_T~qw*F#dkl

} AZN |BDKZE,r4 Return |,S\1!5#

21. dk Y/N tC/{Ck LDAP ~qwD SSL (E#Z Web ~qwM LDAP ~

qw$tZ`,2+xgPD73P,tC SSL I\;h*#g{IT7( Web

~qwM LDAP .d"MD}]Dj{T,r!q;9C SSL I(}}%2+T

*zxDFxgxm#

22. g{tCCe~M LDAP ~qw.dD SSL (E,ra>zdk LDAP SSL M

'z\?D~#

23. Access Manager Plug-in for Web Servers dC&1QI&jI#

Z Solaris Operating Environment-iPlanet O20e~

*Z Solaris Operating Environment O20MdC Access Manager Plug-in for Web

Servers:

1. Z Solaris Operating Environment Web ~qwO,7#IZzD73P9CTBm

~:

v IBM Tivoli Access Manager for e-business Policy Server v3.9#kN<6IBM Tivoli

Access Manager Base 208O7#

":Access Manager Policy Server ;h*$tZk Access Manager KP17

3`,DzwO#

2. 7#Q20TBm~:

v iPlanet Web ~qwm~#

v IBM Tivoli Access Manager for e-business KP173 v3.9#kN<6IBM Tivoli

Access Manager Base 208O7#

v IBM Global Security Toolkit(GSKit)5.0.4.65

v g{}Z9C LDAP C'"am,r20 IBM SecureWay Directory Client 3.2.2

3. e~20+D~i!Sm~|dCVk#9C pkgadd Z Solaris Operating

Environment O20m~|#;s9Ce~dC5CLr pdwpicfg 4dCe~#

w* root C'G<#

4. + IBM Tivoli Access Manager Web Security,f> 3.9 Solaris f CD 20=

/cdrom/cdrom0 O#

5. +?<|D= /cdrom/cdrom0/solaris

6. e~20h*mS=vm~|#4PTB|nT20e~:

# pkgadd -d . PDWPI PDWPIipl

a>1dk y "4 Return |#+S CD i!D~"+d20Z2LO#

7. *dCe~,F/= /opt/pdwebpi/bin "KP:

# ./pdwpicfg

8. dkV8 c dC&CLr#

9. dk iPlanet ~qwDy?<#

10. T> Web ~qwQ*DyPibwzPm#zP}v!n:

v g{;k*Ce~#$;vibwz,rZT>DPmPdkkibwz`X

DEk#

v *#$`vibwz,dkkT>DPmPDibwz;C`XD5,CUq

t*dkDEk#

v dk all 9Ce~#$~qwODyPQ*ibwz#

11. dk Access Manager \m1j6M\k#

12. AZN |BGZ&CLrYwZd+_TE"v?|SZ(_T~qw*F#dkl

} AZN |BDKZE,r4 Return |,S\1!5#

13. dk Y/N tC/{Ck LDAP ~qwD SSL (E#Z Web ~qwM LDAP ~

qw$tZ`,2+xgPD73P,tC SSL I\;h*#g{IT7( Web

~qwM LDAP .d"MD}]Dj{T,r!q;9C SSL I(}}%2+T

*zxDFxgxm#

14. g{tCCe~M LDAP ~qw.dD SSL (E,ra>zdk LDAP SSL M

'z\?D~#

15. Access Manager Plug-in for Web Servers dC&1QI&jI#

Z Windows-IIS O20e~

*Z Windows 2000 Server/Advanced Server Web ~qwO20 Access Manager Plug-in

for Web Servers:

1. Z Windows 2000 Web ~qwO,7#IZzD73P9CTBm~:

v IBM Tivoli Access Manager for e-business Policy Server v3.9#kN<6IBM Tivoli

Access Manager Base 208O7#

":Access Manager Policy Server ;h*$tZk Access Manager KP17

3`,DzwO#

2. 7#Q20TBm~:

v IIS Web ~qwm~#

v IBM Tivoli Access Manager for e-business KP173 v3.9#kN<6IBM Tivoli

Access Manager Base 208O7#

v IBM Global Security Toolkit(GSKit)5.0.4.65

v g{}Z9C LDAP C'"am,r20 IBM SecureWay Directory Client 3.2.2

3. w*_P Windows \m1X(DC'G<= Windows r#

4. + IBM Tivoli Access Manager Web Security,f> 3.9 Windows f CD ek CD

}/w#

5. +wTBD~(dPV8 E: G CD }/w)KP Access Manager Plug-in for Web

Servers InstallShield 20Lr#

E:\Windows\PolicyDirector\Disk Images\Disk1\setup.exe

6. S!qm~|0Z,!q Plug-in for Web Servers m~|"%w7(#

7. T>!qhCoTT0r#!qJ1DoT"%w7(#

8. InstallShield Lrt/"T>6-T0r#%wB;=#

9. T>mI$-iT0r#%wG,S\mI$-iDu~#

10. T>!qm~|T0r#9=v!n Access Manager Plug-in for Web Servers M Access Manager Plug-in for Microsoft Internet Information Services <

!P#%wB;=#

11. T>!q?DX;CT0r#S\1!20;Cr8(d|;C#%wB;=#

LrD~+i!=EL#+T>;u{",8>Q20m~#

12. %wjIKv20Lr#

13. S*<K%!q:Lr > Access Manager Plug-in for Web Servers > dC

T> Access Manager Plug-in for Web Servers dC!qT0r#

14. T> Web ~qwQ*DyPibwzPm#!q*#$Dibwz#%wB;=#

15. dk Access Manager \m1C'j6M\k#%wB;=#

16. AZN |BGZ&CLrYwZd+_TE"v?|SZ(_T~qw*F#dkl

} AZN |BDKZE,rS\1!5#%wB;=#

17. !qGrq,tC/{Ck LDAP ~qwD SSL (E#Z Web ~qwM LDAP

~qw$tZ`,2+xgPD73P,tC SSL I\;h*#g{IT7(

Web ~qwM LDAP .d"MD}]Dj{T,r!q;9C SSL I(}}%

2+T*zxDFxgxm#

g{!q9CCe~M LDAP ~qw.dD SSL (E:

a. dkCZS\ SSL D\?D~D76MD~{#

b. g{h*,dk$ij)#

c. dk\?D~\k#

!qB;=#

18. Access Manager Plug-in for Web Servers dC&1QI&jI#

19. XBt/ IIS#

}% Access Manager Plug-in for Web Servers

>Zhv}% Access Manager Plug-in for Web Servers D}L#>Z;hv}% Access

Manager KP1r Access Manager Policy Server D}L#XZ}%KP1M Policy

Server Dj8E",kN<6IBM Tivoli Access Manager Base 208O7#

S Windows-IIS }%e~

}%Ce~0,Xk!{ddC#

*Z Windows O!{Ce~DdC:

1. w*_P\mX(D Windows C'G<#

2. S*<K%%w:Lr > Access Manager Plug-in for Web Servers > !{d

C

":g{S|na>KP,IT9C -f !nZ^(,S Management Server 15)

!{dC#

3. T>Ce~#$DyPibwzPm#!q*!{dCDibwz#%wB;=#

4. dk Access Manager C'j6M\k#!qB;=#

;)I&!{Ce~DdC,rT>4,{"#

*S Windows }%Ce~:

1. S Windows0XFfe1,%wmS/>}Lr#

T>mS/>}LrT0r,PvyPQ20Dm~#

2. !q Access Manager Plug-in for Microsoft Internet Information ServicesDu?#%w|D/>}4%#

3. InstallShield Lrt/,"}%Ce~#

4. %wjI#

S AIX-IHS }%e~

Z}%Ce~0,h*!{ddC#*Z AIX =(O!{Ce~DdC:

1. w* root C'G<#

2. KPTB|nS bin ?<t/e~dC5CLr:

# pdwpicfg

":Z^(,S Management Server 1,IT9C -f !n5)!{dC#

3. dk u T!{dC#

4. T>\#$ibwzDPm#!q*!{dCDibwz#

5. dk Access Manager \m1j6M\k#

6. !{dCjI1,T>{"#

*}%Ce~:

1. w* root C',t/ SMIT

2. !q(E&CLrM~q#

3. T>(E&CLrM~qK%#!q Access Manager#

4. S Access Manager K%!q Access Manager !{dC#T>QdCD IBM

Tivoli Access Manager m~|Pm#

5. !q Access Manager Plug-in for Web Servers#

a>1dk Access Manager \k#

6. TNNa>4 Enter |#

7. TZ Access Manager Plug-in for Web Servers IHS m~|,X4=h 3 =

7#

S Solaris Operating Environment-iPlanet }%e~

ZIT}%Ce~0,Xk!{ddC#*Z Solaris Operating Environment O!{C

e~DdC:

1. w* root C'G<#

2. KPTB|nS bin ?<t/e~dC5CLr:

# pdwpicfg

":Z^(,S Management Server 1,IT9C -f !n5)!{dC#

3. dk u T!{dC#

4. T>\#$ibwzDPm#!q*!{dCDibwz#

5. dk Access Manager \m1j6M\k#

6. !{dCjI1,T>{"#

*S Solaris Operating Environment O}%Ce~:

1. dk|n:

# pkgrm PDWPI PDWPIipl

aa>z7OzDv(#Za>Bdk y#

T>{"8>I&}%#

Z 3 B IBM Tivoli Access Manager Plug-in for Web Servers dC

>Bhv#f\mMdCNq,IT4Pb)NqCZ(F IBM Tivoli Access

Manager(Access Manager)Plug-in for Web Servers#

wbw}:

v :#fe~E";

v Z 17 3D:dC Authorization Server;

v Z 19 3D:dCibwz~qw;

v Z 21 3D:X(Z Web ~qwDdC;

v Z 22 3D:dCe~sF"G<U>"zYM_Y:f}]b;

v Z 26 3D:dCZ( API ~q;

#fe~E"

TBwZhvKXZ Access Manager Plug-in for Web Servers D#fE":

v :pdwebpi.conf dCD~ri;

v Z 16 3D:pdwebpimgr.conf dCD~;

v Z 16 3D:Access Manager Plug-in for Web Servers 20Dy?<;

v Z 16 3D:t/M#9 Access Manager Plug-in for Web Servers;

v Z 17 3D:HTTP ms{";

pdwebpi.conf dCD~ri

IT(}dC;Z pdwebpi.conf dCD~DN}(Fe~DYw#CD~;ZTB?

<:

UNIX:

/opt/pdwebpi/etc/

Windows:

C:\Program Files\Tivoli\PDWebPI\etc\

Bm+dCD~DZV`#

m 2. pdwebpi.conf Z**

n Z

GENERAL [module-mgr] [modules] [wpiconfig] [pdweb-plugins]

AUTHENTICATION [common-modules] [authentication-levels] [authentication-mechanisms] [BA] [failover] [forms] [ltpa] [tag-value] [token-card] [http-hdr] [iv-headers] [acctmgmt] [ecsso] [ecsso-domain-keys]

VIRTUAL HOSTS [virtual-host-name]

SESSIONS [sessions] [session-cookie]

LDAP [ldap]

PROXY [ipc] [proxy]

AUTHORIZATION API [aznapi-entitlement-services] [aznapi-admin-services] [aznapi-configuration]

WEB SERVER [ihs] [iis] [iis:minimum-post-data] [iplanet]

XZ pdwebpi.conf dCD~PDIdCN}Dhv,kNDZ 89 3D=< A,

:pdwebpi.conf N<;#

":NN1LT pdwebpi.conf D~xP|D1,<XkV$XBt/ Access Manager

Plug-in for Web Servers,Tc6pBD|D#XZt/M#9&CLrDE",k

ND:t/M#9 Access Manager Plug-in for Web Servers;#

pdwebpimgr.conf dCD~

e~D UNIX 20|,dCD~ pdwebpimgr.conf#KdCD~|,CZZZ(X$L

r@#1T/XBt/|DN}#

CD~;ZTB?<:

/opt/pdwebpi/etc/

;h*|DKD~PDN}#

Access Manager Plug-in for Web Servers 20Dy?<

Access Manager Plug-in for Web Server DLrD~20ZTBy?<P:

UNIX:

/opt/pdwebpi/

Windows:

C:\Program Files\Tivoli\PDWebPI\

ITZCe~D Windows 20ZddCK76#;\Z UNIX 20PdCK76#>

8O9C install_path d?zmKy?<#

Z UNIX 20P,TB%@?<|,I)9DD~,}gsFMU>D~:

/var/pdwebpi/

t/M#9 Access Manager Plug-in for Web Servers

*t/M#9e~xL,Z UNIX O9C pdwebpi_start |n,Z Windows O9C

0~qXFfe1#

UNIX:

pdwebpi_start {start|stop|restart|status}

}g,*#9e~,;sXBt/|,9C:

# pdwebpi_start restart

pdwebpi_start |n;ZTB?<P:

/opt/pdwebpi/sbin/

Windows:

j60~qXFfe1PDe~xL"9CJ1DXF4%#

HTTP ms{"

P1 Access Manager Plug-in for Web Servers "T*ks~q,"'\K#C'\I

\P\`-r#=Vn#{D'\-rG:

v D~;fZ

v mI(hC{9CJ

*ks~q'\1,e~+mszk5X= Web ~qw,C~qw9Xmszk"T

>`&Dms3f#

j'V

TBjICZ(F HTML ms3f#j+/,Xf;ICDJ1E"#

m 3. 'VDjf;

j hv

%USERNAME% G<C'D{F

%ERROR_CODE% kmsX*Dmszk}V

%ERROR_TEXT% kmsX*DmsD>

%URL% M'zksD URL

%HOSTNAME% +^(wz{

%HTTP_BASE% ~qwDy> HTTP URL:

http://host:tcpport/

%HTTPS_BASE% ~qwDy> HTTPS URL:

https://host:sslport/

%REFERER% 4TksDN<_7D5,r04*1(g{^)

%BACK_URL% 4TksDN<_7D5,r0/1(g{^)

%BACK_NAME% g{ksPfZN<_7,r5*0BACK1,g{^,r

*0HOME1#

dC Authorization Server

Authorization Server &mZ(MO$Ds?V&m#Authorization Server a)$wLr

_LX,CXCZ:

v S\4Te~Dks

v +?vksDa{"MXe~

e~(}9C2mZf5VD IPC zFk Authorization Server (E#pdwebpi.conf d

CD~PD [ipc] Z8(XZe~M Authorization Server .d(EDdCN}#

dC$wLr_L

dCD~D [ipc] ZPD number-of-workers M worker-size N}8(ITw{C

Za)e~ Authorization Server DnQT\D5#hCb)5D=(+!vZzDx

gODw?D}?M`M#

[ipc]
number-of-workers = 10
worker-size = 10000
cleanup-interval = 300

number-of-workers N}8(IIe~~qD"PxkDks}#1yP$wLr_L

&1=oDks+EZ:exP,1=$wLr_LIC#KN}r%X8(ICZ

~q1Z4^($wSPD_L}#CN}&1y]z$F Web ~qw,1S\Dn

sks}xvS#Z UNIX =(OvSC5I\h*;(D^F#

(#vS_L}+auYjIksy(QD=y1d#;x,vS_L}a0l+T

~qwT\zz;{0lDd|rX#

worker-size N}(e*?v$wLr_L$VdDZf?(TVZ*%;)#

cleanup-interval G Authorization Server 2mZf=N,xe}.dDVS}#

":FvvZTT\JbxPJOoO1E|D cleanup-interval M worker-size N

}#

hCnsa0P'Z

pdwebpi.conf dCD~D [ipc] ZD max-session-lifetime N}hCe~H}4T

Authorization Server Dl&(Z,10)DVS}#g{"zK`,1,rms3f+

"M=M'z#+Ya"zK`,1#

[ipc]
max-session-lifetime = 300

dCms3f

;Z pdwebpi.conf dCD~D [proxy] ZPDN}CZzmvm18(*T>D

HTML 3f#[proxy] ZPDN}hCG:error-page"acct-locked-page M

retry-limit-reached-page#fZb)N}D1!D~,ITT|GxP`-,r8(

BD~TJ&zDi/D*s#Bm\aKb)N}#

m 4. [proxy] ms3fdCN}#

N} hv

error-page vVbb~qwms1,ZC'/@wOT>D3fD

76#

acct-locked-page C'"TCJx(DJ'1,yT>3fD76#

retry-limit-reached-page o=JmDns'\G<"T}1,yT>3fD7

6#Z LDAP PhCKJmDnsG<'\N} * X

ZhCK5Dj8E",kN<Z 61 3D:}N%w

G<_T;#

1!ivB,y> HTML 3f;ZTB?< install_directory/nls/html/lang#

dP lang S NLS dCPq!#Z US "o20P,KN}hC* C#

dCibwz~qw

I pdwebpi.conf dCD~PD [pdweb-plugins] ZPhCDNb{F4T Access

Manager Plug-in for Web Servers j6ibwz#

e~ITy]ksD=vXw4&C@XD2+T_T:

v ksTd07DibwzDj6

v ks(}d=oD-i(http r https)

ibwzj6Swz Web ~qwDdCE"Iz,"RX(Z Web ~qw#|4T

Bu~7(:

IHS ibwzj64TBEH3rIz:

1. SZ6Z <VirtualHost....> iPD~qw{Fq!|;2MG <VirtualHost servername:port>

2. g{~qw{F4gOfZ,rS <VirtualHost....> iPD ServerName 1

8nq!ibwzj6;2MG Servername servername

3. g{~qw{FT;fZ,rS <VirtualHost....> ibD+V ServerName 1

8nq!ibwzj6;2MG ServerName servername

4. g{T;;P~qw{FfZ,rS fully_qualified_domain_name(gethostname())

q!ibwzj6

g{ibwzl}DKZ((#Z6Z <VirtualHost servername:port> P);G 80

r 443,rCKZE+=S=ibwzj6P(4,g{KZ* 8080,ribwz

j6+* servername:8080)

IIS Cj6k Internet Information Services \me~PT>D Web >c{Fj+{O#

}g,dC IIS 14(D1! Web >c|{*0Default Web Site1,rbMG

Access Manager Plug-in for Web Servers 9CDj6#

iPlanet Cj6kZ iPlanet dC GUI P4(ibwz18(Dibwz{Fj+{O#K

{C{Ff"Z server.xml D~D <VS id= > *XP#

Access Manager Plug-in for Web Servers TibwzDN=(e2+T_T#Access Manager Plug-in for Web Servers ibwzIOv(eDibwzj6M|&1#$

D-i/(http M/r https)4j6#ibwz(eO$#=/MEH3r"a0j

6#=MsZ(&m,C&m&1&CZ(}%dD-i"M= Web ~qwibw

zDks#ibwz9(e= Access Manager \#$TsUd{FD URI 3d#

Access Manager Plug-in for Web Servers ibwz(eZdCD~D [pdweb-plugins]ZP#IT+|G(e*\#$r;\#$#+;PNN2+T_TIT&CZ;\

#$Dibwz#g{SU=DkskNNQ(eD\#$r;\#$ibwz<;

%d,rZ Authorization Server DU>D~PzI;u/f{",8vibwzj6

MksD-i#by+c{TdCJbDoO#

\#$ibwzI [pdweb-plugins] ZD virtual-host N}(e#;\#$Dibw

zI [pdweb-plugins] ZD unprotected-virtual-host N}(e#9CDibwz{

F(#kKibwz%dDibwzj6`T&,+";;(<UGbViv#(e

Z [pdweb-plugins] ZPDibwz{FCZ(eX(ZibwzD2+T_T#

XbibwzD2+T_TIxPCibwz{FDZP8(DdCtT(e#IT

(eZibwzZPDyPtT<_PJ1D1!5,yT;X*?vibwzhC

;Z#g{ibwzD2+T_Tk1!5;,,rvh**CibwzhC;Z#

ibwzD=VtTCZkxk=ibwzDks%d,Cibwz(eJCZks

D2+T_T#b)tTGj6M-i#

j6tT(eCibwz+%dDibwzj6#j6tTD1!5Gibwz{F

>m#

-itT(eibwz+%dD-i/#K5I\* http"https r both#1!5G

both#

ibwzDd`tT(eJCZkCibwz%dDksD2+T_T#

ibwzk\#$TsUdDXbSV'X*"ksD URI TCSV'*0:,T9

l\#$TsUd{F#K\#$TsUd{FCZwvZ(v_#branch dCN}

(eK\#$TsUdD{F#

[virtual_host_name]
branch = /PDWebPI/virtual_host_id

branch N}D1!5* id N}D5#

TB>}T>K_PDvibwzD Web ~qwyhDdCN},bDvibwz|

(:foo.com"bar.com-HTTP"bar.com-HTTPS M moo.com#ibwz bar.com-HTTP M

bar.com-HTTPS Z2m,;V'15JG`,Dibwz;;x4UCJ`M(HTTP r

HTTPS)|GVG;,D#ZKivB,ITy]CJ`M;,XhCO$dC#e

~;#$ moo.com,R foo.com G,;~qwODm;vibwz#

[pdweb-plugins]
virtual-host = foo.com
virtual-host = bar.com-HTTPS
virtual-host = bar.com-HTTP
unprotected-virtual-host = moo.com
web-server = iplanet

[bar.com-HTTPS]
id = bar.com
protocols = https
branch = /PDWebPI/bar.com

[bar.com-HTTP]
id = bar.com
protocols = http
branch = /PDWebPI/bar.com

[foo.com]
id = foo.com
protocols = http, https
branch = /PDWebPI/foo.com

**?v%@ibwzhCO$N},h*Z?vibwzDy!OxPx;=Dd

C#XZ*ibwzdCO$=(Dj8E",kN<Z 53 3D:hCibwzDO

$N};#

X(Z Web ~qwDdC

e~D3)YwGX(Z Web ~qwD,Ry]e~}ZYwD Web ~qw`M+

h*XbDdC#9C pdwebpi.conf dCD~ [pdweb-plugins] ;ZPD web-server N}(e Web ~qw`M#P'5G ihs"iplanet r iis#}g:

[pdweb-plugins]
web-server = ihs

X(Z Web ~qwDdCnfZZ pdwebpi.conf dCD~D [iis]"

[iis:minimum-post-data]"[ihs] M [iplanet] ZP#

Bm5wKX( Web ~qw`MDIdCN}#

m 5. X(Z Web ~qwDdCN}

X(Z Web ~qw

N} hv

[ihs]

query-contents 8(CZ9C0pdadmin> object list1|n/@

IBM HTTP Server Web UdDi/Z]Lr#

(}Z{* [ihs:branch],2MG

[ihs:/PDWebPI/foo.bar.com] ZP*d8(5,I

TZ?vV'Dy!O2GKN}#

doc-root 8(a)4P0pdadmin> object list1|nyh

D Web Ud/@&\DD5y?<#KN}Z

hCibwz1IdC5CLrhC ** Z

[ihs:branch] Z,2MG

[ihs:/PDWebPI/foo.bar.com] PZ?v_TV'D

y!O8(CN}

[iis]

query contents 8(CZ pdadmin /@ IIS Web UdDi/Z

]Lr#(}Z{* [iis:branch],2MG

[iis:/PDWebPI/foo.com] ZP*d8(5,ITZ

?vV'Dy!O2GKN}#

post-data-required (e Authorization Server &myhDQa;

POST }]Dm%Pm#}gG<m%#;ak

T?vibwz2Gb)N}#

log-file *4T IIS e~DmsMzY{"(eU>D

~,*K7#D~D;BT,b)U>D~k

Authorization Server DU>D~%@#\#g{

8(*`T76,rK;C`TZ20?<D

log S?<#g{8(*xT76,r9CxT

76#

[iis:minimum-post-data]

form_uri = minimum_bytes_of_post_data_required

(eZh*s? POST }]DivB,X(m

%D POST }]?#}g:

/token.form = 20000

8>&m /token.form Da;1,Authorization

Server AYh* 20000 VZ DPOST }]#;

\kT?vibwz8(b)5#

[iplanet]

query-contents 8(CZ pdadmin /@ iPlanet Web UdDi

/Z]Lr#(}Z{* [iplanet:branch],2M

G [iplanet:/PDWebPI/foo.com] ZP*d8(

5,ITZ?vV'Dy!O2GKN}#

doc-root 8(a)4P0pdadmin> object list1|nyh

D Web Ud/@&\DD5y?<#KN}Z

hCibwz1IdC5CLrhC * Z

[iplanet:branch] Z,2MG

[iplanet:/PDWebPI/foo.bar.com]

PZ?v_TV'Dy!O8(CN}

ZBfD>}P,ibwz foo.com M bar.com <ZdCD~P_P`&DZ *

[iplanet:/PDWebPI/foo.com]

M

[iplanet:/PDWebPI/bar.com]

dP(eKX(dCN}#

[pdweb-plugins]
virtual-host = foo.com
virtual-host = bar.com
web-server = iplanet

[iplanet]
query-contents = /opt/pdweb/bin/wpi_iplanet_ls

[iplanet:/PDWebPI/foo.com]
doc-root = /usr/local/foo.com/doc/root

[iplanet:/PDWebPI/bar.com]
doc-root = /usr/local/bar.com/doc/root

dCe~sF"G<U>"zYM_Y:f}]b

G<U>MsF&\IT*za);)E",b)E"PzZzZv=PXe~DJ

b16pG)Jb#g{v='Q"h*ms{"D51S<,rZ0(9C

-foreground !nt/e~;4,

pdwebpi -foreground

4,Mms{"G<Z pdwebpi.conf dCD~D[pdweb-plugins] ZPD log-file"

logs M log-entries N}PdCDD~P#

e~sFMy>_Y:f}]bdC9C pdwebpi.conf dCD~PD

[aznapi-configuration] ZPDN}4P#

KbsFG<

Z( API Dy>~qJm6qO$(authn)MZ((azn)sFB~#

;xj<0authn1sFB~;b0XZO$"TDc;E",e~}Z#$`vwz

1,b0b)E"CZJm+b)B~kX(ibwz`X#IZK-r,e~5V

|T:DsFB~`pT6qX(ZibwzDO$E"#

j<0azn1sFB~y]9C /PDWebPI/virtual_host_name 0:9lD\#$Ts{F

6qke~`XDibwzE"#

e~X(O$sFB~G<ZgB9lDibwzX(sFB~XP:

wpi.virtual_host_name.authn.authentication_module_name

e~X(O$sFB~q-6IBM Tivoli Access Manager Base \m18O7PhvD

DTD (e#

ZBmPhvK XML y=D0wpi1sFG<D*X:

m 6. O$sFG<VN(e#

XML jG hv

<event> sFG<Db0jG#C*X|,hvG<D doc `M(e^

)DtT#

<date> B~"zDUZM1dDG<#

<outcome> |, status N}DjG*X,CN}j6 Access Manager r

e~Dmszk#C*XhvB~DwVa{#I\D5|

(:

v 0 = I&

v 1 = '\

v 2 = ]R

v 3 = 4*

<originator> sFG<DzI_ZD7jG#jG*X|, blade N},C

N}j6:pCB~D Access Manager 6,#

<component> CjGj66qsFG<Di~#Ci~TBPq=G<:

wpi.virtual_host_name.type_of_event.module_name

<action> j6"TDO$=(#Ywzk0d`&DO$zF|(:

16961 * BA
17236 * M'zK$i
17731 * Ecsso
17999 * JO*F cookie
17997 * m%
18504 * HTTP 7
18768 * IP X7
4806211 * IV 7:PAC >$
4806229 * IV 7:C'{
4806220 * IV 7:(P{F
300609 * IV 7:IP X7
21579 * nF

<location> (eYwB~D~qw{F#

<accessor> sFG<DCJ_ZD7jG#jG*XIT|,CJ_D{

F#

<principal> |,N} auth wejG,CN}j6O$?<~q#CjG(

eQi$DC'{#

<target> ?jjG|,N} resource,CN}ITGTB5.;:

v 0 = Z(

v 1 = xL

v 2 = TCB

v 3 = >$

v 4 = #f

<object> #tTZO$}L;_PbeDsF}]#

<data> =SO$JOE"#}g,9C HTTP 7E"DO$"TZdD

JO+ZKVNPzzsFU>G<,G<'\D HTTP 7#

sFdC

BmT>KsFdCN}"5wd&\#

m 7. sFdCN}(e

N} hv

logsize U>D~}I*BD~Ds!(TVZ*%;)#g{hC*

0,r;}IU>D~#g{C5*:},r;\ds!x?l

}IU>#

logflush "BU>D1ddt(k)#n`* 6 !1,1!5* 20 k#

logaudit tCr{CsF#

auditlog 8(sFD~D{F#

auditcfg tCr{CZ(M/rO$sF#

}g:

[aznapi-configuration]
logsize = 2000000
logflush = 20
logaudit = no
auditlog = audit.log
auditcfg = azn
#auditcfg = authn
auditcfg = wpi

zYe~Yw

Access Manager Plug-in for Web Servers a)zYYwT0+a{f"ZD~PTcC

ZwTD\&#zYw*GI&CLr'V9CDVvMJboO$_,CZq!<

BJbDYwDj{S<#w*C',zI\"V3)e~zY$_\PC,d;d

PDs?V;aP24wC,}Gz*oO4SDJb#

pdadmin zY|n

PvzYi~

list |nzzITzYDyPe~YwDPm#

o(:

pdadmin> server task PDWebPI-server-name trace list [component]

PvDs?VzYNqGX(Z Access Manager D#e~X(zYnT

pdwebpi *0:#

hCzYi~

za"VP=vw*DzYnICZwT:

v pdwebpi.request

v pdwebpi.plugin

pdwebpi.request hC* 1,rzY(}e~D?vks#pdwebpi.plugin $ne~~qwPDzY#yP{"<"M= Web ~qwDU>D~rZ9C

IIS DivB,"M=;,Z Authorization Server 9CDU>#

zY set |nDo(gB:

pdadmin> server task PDWebPI-server-name trace set component level [file path=file|other-log-agent-config]

dP component G list |nPvDzYi~D{F#*Ci~{FhCzY#

level G*zYU/Dj8E"?#6'G 1 = 9#1 8(nj8Ddv,x9

8(nrTDdv#I!D file path N}8(zYdvD;C#1!ivB,

+zYdv"M=j<dCDe~U>D~(}9Ci~ pdwebpi.plugin T

b)#IT9C -foreground !n+dv"M=A;#4*:

pdwebpi -foreground

T>zYi~

*T>zYi~,TBPq=9C show |n:

pdadmin> server task PDWebPI-server-name trace show [component]

_Y:f}]bhC

ITdCe~(ZV/wZ(}]bT|BE"#cache-refresh-interval N}ITh

C*0default1"0disable1rTk*%;DX(1ddt#0default1hCG{C#

[aznapi-configuration]
cache-refresh-interval = 60

db-file N}(e= ACL _Y:f}]bD+76#1!ivB#t*;hC#

[aznapi-configuration]
db-file = /var/pdwebpi/db/pdwebpi.db

listen-flags N}tCr{C_T_Y:f|B(*DSU#0disable15{C(*l}

w#KN}I svrsslcfg 5CLrhC#

[aznapi-configuration]
listen-flags = disable

dCZ( API ~q

pdwebpi.conf dCD~D [aznapi-entitlement-services] Z+~qj68(x~q#

?vZu?(e;,`MD aznAPI ~q#XZ|`E",kN< IBM Tivoli Access

Manager Administration C API Developer’s Reference#

?vu?Dq=*

service_id = path_to_dll [ & params ... ]

aznAPI M'z9C~qj64j6~q#1~qI aznAPI u</1,IT8(+]=

~qDN}#Zu?P,N}Z0&1{Es#

pdwebpi.conf dCD~D [aznapi-admin-services] Z+~qj68(x\m~q#X

Z|`E",kN< IBM Tivoli Access Manager Administration C API Developer’s

Reference#

Z 4 B IBM Tivoli Access Manager Plug-in for Web Servers O$

>BV[ IBM Tivoli Access Manager(Access Manager)Plug-in for Web Servers g

N,$a04,"&mO$}LT04PZ(Da0yhDNNsZ(&m#

wbw}:

v :KbO$}L;

v Z 34 3D:\ma04,;

v Z 39 3D:\mO$N};

v Z 53 3D:hCibwzDO$N};

v Z 54 3D:'V`74C/PzmLr(MPA);

KbO$}L

O$Gj6"TG<=2+rD%@xLr5eD=(#I&O$+zzzmC'D

Access Manager m]#e~9CKm]q!CC'D>$#Authorization Server 9C>

$Jmr\xT\#$J4DCJ#

v 1!ivB Access Manager Plug-in for Web Servers 'V8VO$=(,"IT(

F*9Cd|=(#

v Te~DI&O$+zz Access Manager C'"amm]#

v e~9CKm]q!CC'D>$#

v Z@@'d?vTsD_TD ACL mI(M POP u~s,Authorization Server 9

CK>$Jmr\xT\#$TsDCJ#

":ACL = CJXFm_T

POP = \#$Ts_T

O$Zd,e~+liM'zksq!TBE":

v ibwzE"

ibwzE"|,ZxkksD7P#e~9CKE"j607Dibwz"+k

sk Access Manager _TE"%d#

v a0}]

a0}]Gj6M'zMe~.dDX(,SDE"#SksDtT7(a0}

]#C}]CZXBj6=e~DM'za0,"\b*?vks("Ba0D*

z#

v O$}]

O$}]G4TM'zDE",|CZre~j6M'z#O$}]`M|,M'

zK$i"\kMnFzk#

v sZ(}]

3)xkksI\CZ URL,b) URI h*;,Z}#ivD&m#sZ(&mC

Z&mh*XbO$=(Dks#byM##h*X(rAXbxL,CxLhF

CZO$K`ks#

BfDwL<T>*&mkswvDv_#

TZ?v=o Web ~qwDks,e~7(ksTZDibwzT0Gq+Cibw

zdC*#$#

=4dC*#$DibwzDks;Jm-},x;h*x;=D&m#TZ=dC

*#$DibwzDks,e~7(xPksDC'Dm]#g{I\,9CksP

D}]4PTC'Dj6,CksI\GQ-*d8(>$DVPa0D;?V#Z

KivB,IT9CVP>$4PZ(#g{;fZ>$,r9C4O$D>$Z(

ks#

g{ksQ;Z(,rzm7(Gqh*Tksrl&xP^D#K&mIsZ(#

i4P,C#iIT4PmS7r cookie =ks,rX(rC'=J1D3fHNq#

g{49C10>$Z(ks,rzm"T9CksPDO$E"(}g BA 7)9(

B>$#g{I&,rKO$E"ICZXB"TZ(#g{^O$E",rzm"

T*e~9(O$DaJl&#g{;I\rC'"MO$aJ,r5X{9CJ3

f#

< 2. Web ~qwCJv_#

dCO$

xPdX*2mb{FDyPICO$=(<(eZ pdwebpi.conf dCD~D

[modules] ZP#[modules] Z9PvKCZa0j6MsZ(&mD#i#b)#i

Zsfhv#2mbXkfZZ pdwebpi/lib ?<P#8(2mb{F1;xPNNX

(ZYw53D0:(}g lib)MNNX(ZYw53Ds:(}g dll)#}g:

BA = pdwpi-ba-module

ZOv>}P,BA #ibxv* pdwpi-ba-module#Z Windows O,e~0R{*

pdwpi-ba-module.dll DD~,Z Solaris Operating Environment O,|+0R{*

libpdwpi-ba-module.so DD~,Z AIX O,|0R{* libpdwpi-ba-module.a D

D~#

":bD~D8C1!Qw76IT(eZ [module-mgr] ZP#

[modules] ZP(eD?vj)_P|T:D`&Z,}g:[BA],[cert] M [token]#Zb)ZP8(?vO$=(DX(dCE","&CZCO$=(,K=(@"Z

wCdDibwz#g{h*Z?vibwzDy!OxPXbdC,rIT9C{

Cibwzj)^(#ij)DZ2G1!dC#}g:

[BA]
basic-auth-realm = "Access Manager"

[BA:foo.com]
basic-auth-realm = "foo.com"

ZOv>}P,9Cy>O$CJibwz foo.com DC'+~SZ [BA:foo.com] P

8(DdCN}#

dCO$=(Dns=hG8(O$=(#b)=(4U|GDEH3rZdCD~

D [common-modules] ZPhC#}g:

[common-modules]
session = ssl-id
session = BA
session = session-cookie
authentication = cert
authentication = BA
post-authzn = ltpa

ZOv>}P,dChC7#:

v W! SSL a0j6CZ,$a0E"#

v SSL a0j6;IC1,BA 7(g{IC)CZ,$a0E"#

v SSL a0j6r BA 7<;IC1,ns9Ca0 cookie ,$a0E"#

v W!$iCwO$=(#

v $i;IC1,9C BA O$#

v LTPA cookies w*sZ(&mD;?VmS=ks#

dCO$=(D3r

QdCDO$=(T>ZdCD~PD3rTZe~m~D}7YwG\X*D#h

*P8<G"T_PJO#$NR\5V2+T?jD==5Vz!qDO$=(`

M#

Access Manager Plug-in for Web Servers 'V`VO$=(,"IT^Db)=(TJ

&;,2+Th*D;,M'*s#

g>D5D0;Zy>,zITZ pdwebpi.conf dCD~D [modules] ZP8(*

9CDO$=(#dCD~D [authentication-levels] Z(e=xO$6p(kN<Z

64 3D:O$?H\#$Ts_T(]});),Z [modules] ZPdCO$=(D

3r#

g{4Z [authentication-levels] ZP(eu?,rO$=(D1!5*6p 1#;s

+ [authentication-levels] ZP(eDO$=(DO$3r7(*Sn_O$6p=n

MO$6p#g{O$6pI8v#i2m,r4U [modules] ZPT>D#i3r

7(S3r#

*Kbe~O$,kse~aT|&mD?vks/J=vJbaPzZzDmb:

1. RIT9CQdCDO$=(O$Kksp?

g{KJbDXpGq,re~+/JB;vJb#

2. RIT9CQdCDO$=(zIO$ksp?

}g,g{ BA GvPDQdCO$=(#4*:

[modules]
authentication = BA

TZxkDks,g{ ACL ;Jm4Z(C',rC'O$GXhD#e~+ BA 4

wvPDQdCO$=(,+/J:0RIT9Cy>O$O$Kksp?1g{k

sGBD,rXpGq * e~;*@KC'#;se~+/J:0RIT9Cy>O

$zIO$ksp?1g{Q}7dCy>O$,rXp*G#e~+a>C'dk

j6M\k#

bG9Cy>O$Dr%O$>}#y]zDTsUdD2+T*s,zI\kdC

`vO$=(#

TBG_-D|j8>},Access Manager Plug-in for Web Servers 9C|xvXbO

$=(DEH6#

TBNdPV[DO$_-Yh4O$C';JmCJJ4,"RQ-Z pdwebpi.conf

dCD~PxPTBdC#

[modules]
authentication = BA
authentication = failover
authentication = forms
post-authzn = failover

[authentication-levels]
1 = BA
2 = failover

OvdC8(}VO$=(:BA"JO*F cookie Mm%,JO*F cookie CZs

Z(&m#Z [authentication-levels] ZPhCD6p7(TZO$kswCO$=(

D3r#g{4Z [authentication-levels] ZP(e6p,rm%O$D1!5*6p

1#

9COvdC,e~ZSUks1iRks7PDJO*F cookie#e~+/J:0R

IT9CJO*F cookie O$Kksp?1g{H04O$ks,rXpGq,r*e

~H0;P*ks9lJO*F cookie#;se~+/JZ~vJb:0RIT9CJ

O*F cookie zIO$ksp?1Xpq,r*JO*F cookie #i^(*O$zI

ks#

e~+F/= [authentication-levels] ZPDB;vQdCO$=(,ZC>}P*

BA#e~+/J:0RIT9C BA 7O$Kksp?1g{H04O$ks,rX

pq#;se~+/J:0RIT9C BA zIO$ksp?1Xp\I\*G,ra

>C'dk|GDC'j6M\k#I&DO$+zzZ(Da0,RJO*F cookie

+ekks7"Cw,;a0ZdDsLksDZ;vO$=(#

g{ BA #i^(zIO$C'D=(,re~Z1!ivB+dCD~D [modules]ZPPvD=(Er#ZOvdC>}P,e~+8(O$=(DEH6,rx:

level 1 = BA, forms

level 2 = failover cookie

g{JO*F cookie M BA 4\a)C'O$D=(,re~+9Cm%O$#

BfDwL<T>CZ!qO$#iDe~_-#

e~TdC3rwC?vO$#i,1=#i.;5X Access Manager C'j6#;

sIT9CC'j64(C'D>$#g{;PNNQdCO$#i\;a)-i$

D Access Manager C'j6,rO$aJ+"M=C'Ta>{Ga)O$E"#

g{h*O$aJ,rwC4TQdCPmDZ;vJODO$#iTzIzzaJ

yhD|n("M=e~)#;GyPDO$#i<ITzIaJ#}g,TZks

HTTP 7,^aJ * b)7fZr;fZZksP#mb,O$#iI\;IC,r

< 3. 7(O$#iDe~wL#

*|Q-CZj6+ks*"=e~D/PzmLr#IT*C'zIaJDn#C

O$zFGy>O$(BA aJ+"M=C')MyZm%DO$(G<m%+"M=

C')#g{^O$=(IC,r^(O$C',Re~5X{9CJ3f#

BfDwL<T>!qO$=(T+aJ"MxC'D}L#

+4UdC3rli?vQdCDO$=(,1=R=zcyhDO$6pD;v=

(#g{R=zcO$u~D#i,rwC|T9("M=C'DaJ#g{;P;

vQdCO$=(JO,r;I\xPO$#e~+5X0{9CJ13fAC',

r*{G;_PCJksDJ4DmI(,R;I\r{G"MaJTc4yhD6

pxPO$#

dCsZ(&m

Z(kss,+wCQdCDsZ(#i#sZ(#i7(Z+ks+]Xe~Tc

Web ~qw&m0Gqh*4PNNd|Yw#+wCyPQdCDsZ(#iT7(

Gqh*Tks4PYw#

sZ(#iw*P}V`M:

v ^D SSO Dks * b)sZ(#i+mS Web &CLrCZj6C'DE"

(cookie r7),x;h*Z~NO$#

< 4. O$aJ}L_-

v ^Dl& * b)sZ(#i;^Dks,+8(*^DDl& * (#(}rdm

S7r cookie#}g,JO*F#i+JO*F cookie mS=l&#

v Xb&\ * b)sZ(#i+ksD URI 6p*3;Xb&\D%"w#b(#

b6ECksIe~&m#}g,eCSSO0$51ks#

dCibwzDO$

IT(}1SZ?vibwzZP8(=(,Z?vibwzDy!O5VO$=(

DdC#}g:

[pdweb-plugins]
virtual-host = foo.com

[foo.com]
....
session = ssl-id
session = BA
session = session-cookie
authentication = cert
authentication = BA
post-authzn = ltpa

8(ibwzDO$=(D8C==G*O$=(dC(e;Z#by+Jm`vi

bwz2m;v#idC##idCZIibwzZPD modules N}8(#}g:

[pdweb-plugins]
virtual-host = foo.com
virtual-host = bar.com

[foo.com]
modules = foo-bar-module-stanza

[bar.com]
modules = foo-bar-module-stanza

[foo-bar-module-stanza]
authentication = ba
session = ba
post-authzn = ltpa

4ZdCD~P(e?vibwzy!ODO$=(dCD%@Z1,yPibwz

+9C [common-modules] ZPdCDN}#

\ma04,

e~9Ca04,E"j6xkksD4#1M'z4P;va0PDs?ks1,

e~9Cks4Dm],$M'zM~qw.dDa04,#g{M'zM~qw.

d;fZQ("a04,,rXk*?vsLksXB-LM'zM~qw.dD(

E#(}{}X4O$Dh*,a04,E"IDFT\#M'zITZ;NG<

s,"vs?ks,x;X*?vks4P%@DG<#

Access Manager Plug-in for Web Servers I&m HTTP M HTTPS (E#e~hFC

Z9CTBNNE"`M4,$kM'zDa0D4,#

1. SSL a0j6

2. y>O$

3. X(Z~qwDa0 cookie

4. HTTP 7}]

5. IP X7

e~@NwC?vQdCDa0#i#e~LxQwQdCDa0#i`M,1=P

;V`M5X>$#;se~+7(&CLrGq*N<`74C/PzmLr#g

{G%vD/PzmLr,r5JnUC'XkfZm;va0#*R=m;va

0,e~LxwCd`DQdCa0#i#"VQ-"zDC'O$DVPa01,

+5XC'>$#K>$CZZ(ks#g{^QdCa0#i5XC'>$,rC

a0GBD,r_G4(">$Da0#

dCe~a0/>$_Y:f

e~a0_Y:fJm~qwf"4T`vM'zDa0j6E"#a0_Y:f\

#f HTTPS M HTTP a04,E"#

e~_Y:ff"a0j6E"M*?vM'zq!D>$E"#_Y:f>$E"

IT{}Z(liZdTC'"am}]bDX4i/#e~_Y:f9,$e~M

LDAP C'"am.dD SSL ,SDa04,E"#

P8vdCN}ICZe~_Y:f,b)N}Jmzw{_Y:fDT\#

":pdwebpi.conf dCD~D [sessions] ZPdCD5I\Z [module_name] ZP

;2G,3)59I\Z [ module_name:virtual_host_name] ZP;x;=2G(Z

?vibwzDy!O)#

hCns"Pu?5

max-entries N}(;Z pdwebpi.conf dCD~D [sessions] ZP)hCe~Da

0/>$_Y:fPDns"Pu?}#

< 5. 7(a0#iDe~wL#

K5k"PG<a0}`T&#_Y:fs!o=K51,+y]n|9CDc(S

_Y:f}%u?TJmBxkDG<#

1!"PG<a0}G 4096:

[sessions]
max-entries = 4096

hC_Y:fu?,15

timeout N}(;Z pdwebpi.conf dCD~D [sessions] ZP)hCe~Da0/

>$_Y:fPu?DnsP'Z,1#

e~ZZ?_Y:f>$E",a0_Y:f,1N}8>Z(>$E"#tZZf

PD1d$H#

CN};G;n/,1#C53d=0>$P'Z1,x;G0>$,11#d?DG

Zo=8(,1^F1(}?FC'XBO$4v?2+T#

1!G<a0,1(Tk*%;)G 7200:

[sessions]
timeout = 7200

IT+a0_Y:fP'ZdC*^[N1"zXBO$1<xP4;#?N"zX

BO$1,a0_Y:f timeout 5+4;#*dCa0_Y:fP'Z4;,9C

pdwebpi.conf dCD~D [sessions] ZPD reauth-lifetime-reset N}:

[sessions]
reauth-lifetime-reset = yes

1!5G0no1#

C'}Z4PXBO$1,a0_Y:fP'Z5I\a=Z#ZXBO$G<m%

"M=C'.s,RZ5XjIDG<m%0,a0_Y:fP'Za=Z#a0_

Y:fP'Z5=Z1,+>}a0_Y:fu?#G<m%5X=e~s,;YP

CZCC'Da0#mb,yPQ_Y:fDC'ks}]+*'#g{XBO$Z

da0_Y:fP'Z=Z,IT*a0_Y:fP'ZdC1d)9,r0mS1

d1#

pdwebpi.conf dCD~D [sessions] ZPD reauth-grace-period N}a)K1d

)9,Tk*%;#}g:

[reauthentication]
reauth-grace-period = 20

1!5001;*a0_Y:f,15a))9#reauth-grace-period N}JCZ_P

VPa0_Y:fu?Rh*XBO$DC'#}g:

v IZ POP 2+T_Tx4PXBO$DC'

v IZa0_Y:f;n/x4PXBO$DC'

v 4P=xO$DC'

reauth-grace-period !nCZk reauth-lifetime-reset = yes !naO9C#

hC_Y:fu?;n/,15

inactive-timeout N}(;Z pdwebpi.conf dCD~D [sessions] ZP)hCG<

a0;n/D,15#

1!G<a0;n/,1(Tk*%;)G 3600:

[sessions]
inactive-timeout = 3600

*{CK,1&\,+N}5hC*001#

9C SSL a0j6,$a04,

Access Manager Plug-in for Web Servers IT9CxkD HTTPS ksD SSL a0j

6zYa0#K$_;ICZ IIS,r* IIS 9 SSL a0j6;ICZe~#

":SSL a0j6;CZO$ks#

pdwebpi.conf dCD~PD [common-modules] Z9C module_type = module-name

q=(eKTyPa0"O$MsZ(=(D9C#*9C SSL a0j6,$a04

,,+%J ssl-id 8(x session N},gBy>:

[common-modules]
session = ssl-id

7#QZ pdwebpi.conf dCD~D [modules] ZP* ssl-id dCK2mb#4*:

[modules]
ssl-id = pdwpi-sslsessid-module

9Cy>O$,$a04,

y>O$(BA)G(}C'{M\kDdkO$C'M,$a04,D=(#BA I

HTTP -i(e,RIT(} HTTP M HTTPS 5V#

y>O$(}+y>O$7DZ]G<xP_Y:f4,$a04,#

*9Cy>O$dCe~T,$a04,,9C pdwebpi.conf dCD~PD

[common-modules] Z#dkX|V session T05 BA,gBy>:

[common-modules]
session = BA

g{ BA CZ,$a04,,r9h*+dCZC'O$#dCD~D [common-modules] Z2&1*O$hC BA#

[common-modules]
session = BA
authentication = BA

pdwebpi.conf D~PD [BA] Z(ey>O$r#CrGT>Z/@wa>C'dkG

<}]1T>DT0rPDD>#

[BA]
basic-auth-realm = realm_name

9Ca0 Cookies ,$a04,

9Ca0 cookie #ta0E"G,$a04,;V=(,d;vZ;Pd|zFIC1

E9CC=(#~qw+XbM'zD4,E"r|= cookie P"+d"M=M'zD

/@w#TZ?vBDks,/@w(}+ cookie(xPa0E")"MX~qwXB

j6d>m#

ZM'z9C/@wZ\LD1dsXB-Ld SSL a0DivB,a0 cookie a)

I\Dbv=8#}g,3)f>D Microsoft Internet Explorer /@w?t=r}VS

MXB-L SSL a0#

a0 cookie vT%v"(;D~qwa)M'zDXBO$,M'zH0QZL1dZ

(s< 10 VS)rC~qwxPO$#CzFyZ0~qw cookie1,C cookie }

I+]=zI cookie Dzw^(+]=NNzw#

mb,a0 cookie v#$;vfz}j6,Cj6CZw}~qwa0_Y:fPD

cookie#;Pd|E")6Za0 cookie P#a0 cookie ;a962+T_T#

Access Manager Plug-in for Web Servers 9C2+DX(Z~qwDa0 cookie#T

Bu~JCZK cookie zF:

v Cookie v|,a0E";|;|,m]E"#

v Cookie v$t=/@wZfP(|;4kELOD/@w cookie jar)#

v Cookie _PP^DP'Z(IdC)#

v Cookie _P76Mh9d|~qw9CC cookie DrN}#

*dCe~9Ca0 cookie ,$a04,,9C pdwebpi.conf dCD~PD

[common-modules] Z#dkX|V session T05 session-cookie,gBy>:

[common-modules]
session = session-cookie

resend-pdwebpi-cookies N}(;Z pdwebpi.conf dCD~D [sessions] ZP)

tCr{CZ?Nl&1+a0 cookie "M=/@w#KYwoz7#a0 cookie #

tZ/@wZfP#resend-pdwebpi-cookies N}D1!hC*0no1#

[sessions]
resend-pdwebpi-cookies = no

+1!hC|D*0yes1,Z?Nl&1"Me~a0 cookie#

9C HTTP 7,$a04,

Access Manager Plug-in for Web Servers ITdC*9C HTTP 7E"j6a0M,

$a04,#

*8(`v HTTP 7,XkdC HTTP 7#iD`v5}#}g:

[modules]
entrust-client-header = pdwpi-httphdr-module
some-other-header = pdwpi-httphdr-module

[entrust-client-header]
header = entrust-client

[some-other-header]
header = some-other

38 IBM Tivoli Access Manager: Plug-in for Web Servers C'8O

e~IT9C HTTP 7CZzYa0T0O$C'#g{+e~dC*9C HTTP 7

zYa0,r9Xk+ddC*9C HTTP 7O$C'#;x,+e~dC*9C

HTTP 7O$xkDks;h*+e~dC*zYa0#XZdCe~9C HTTP 7C

ZM'zO$Dj8E",kN<Z 50 3D:dC HTTP 7O$;#

9C HTTP 7,$a04,1,pdwebpi.conf dCD~D [common-modules] Z+

xPTBu?:

[common-modules]
authentication = http-hdr
session = http-hdr

Using IP addresses to maintain session state

Access Manager Plug-in for Web Servers IT9C IP X7j6MzYa0#

*dCe~9C IP X7zYa0,9C pdwebpi.conf PD [common-modules] Z#

dkX|V session T05 ip-addr#4:

[common-modules]
session = ip-addr

7#QZ pdwebpi.conf dCD~D [modules] ZP* IP X7O$dCK2mb#

4*:

[modules]
ip-addr = pdwpi-ipaddr-module

g{ IP X7CZ,$a04,,r9Xk+dCZO$xkDks#XZdC Access

Manager Plug-in for Web Servers 9C IP X7w*M'zO$=(Dj8E",kN

DZ 52 3D:dC IP X7O$;#;x9C IP X7CZO$M'z;h*+b)X

7Cwj6a0D=(#

Managing authentication parameters

Authentication configuration overview

Access Manager Plug-in for Web Servers 'VDyPO$=(DzFZ pdwebpi.conf

dCD~D [authentication-mechanisms] ZPdC#\'VDO$=(N}|(:

v >X(ZC)O$Lr

>XO$LrDN}8(J1DZC2mb(UNIX)r DLL(Windows)D~#

v (Fb?O$Lr

e~a)#e~qwzk,zIT9CCzk9(M8((Fb?;frO$~q

(CDAS)~qw#

b? CDAS O$Lr8(J1D(F2mb#

Local authentication parameters

TBN}8(>XZCO$Lr:

Table 8. Local built-in authenticators

Parameter | Description

Forms and Basic authentication

passwd-ldap 9C LDAP C'{M\kxPM'zCJ#

M'zK$iO$

cert-ssl 9CM'zK$i(} SSL xPM'zCJ#

iv-remote-address Q$nD HTTP 7M/r IP X7O$M/r IV 7#

http-request (}Xb HTTP 7M/r IP X7M/r IV 7DM'zCJ,

iv-remote-address Q$n#

9C [authentication-mechanisms] ZdCO$=("TBPq=5V:

authentication_method_parameter = shared_library

External custom CDAS authentication parameters

TBN}ICZ8(b? CDAS ~qwD(F2mb:

Table 9. External CDAS server parameters

Parameter | Description

passwd-cdas 9CZ}="amDC'{M\kxPM'zCJ#

token-cdas 9C LDAP C'{MnF(PzkxPM'zCJ#

cert-cdas 9CM'zK$i(} SSL xPM'zCJ#

}KO$b,9P=Vd|ICZe~Dj< Access Manager b:

v passwd-strength

Kbli\k|Dm%PdkDB\k#

v cred-ext-attrs

KbJm+(FtT({F/5T)8(*|,Z>$P#

XZ9(MdC5V CDAS ~qwD(F2mbDj8E",kN< IBM Tivoli Access

Manager WebSEAL Developer’s Reference#

Default configuration of the plug-in

1!ivB,e~hC*9Cy>O$(BA)C'{M\k(LDAP "am)O$M'

z#

e~(#,1* TCP M SSL CJtC#rx,[authentication-mechanisms] ZD

dMdC|('VC'{M\k(LDAP "am)M'V(} SSL DM'zK$i#

TB>}zm Solaris Operating Environment DdM [authentication-mechanisms] Z

dC:

[authentication-mechanisms]
passwd-ldap = libldapauthn.so
cert-ssl = pdwpi-sslauthn.so

*dCd|O$=(,mSJ1DN}0d2mb(r CDAS #i)#

Configuring multiple authentication methods

^D pdwebpi.conf dCD~D [authentication-mechanisms] Z,8(CZNN\

'VO$=(D2mb#dC`vO$=(1,&CTBu~:

1. yPO$=(<IT`%@"XP9&\#I\*?v\'VD=(dC2mb#

2. 1,1dC cert-cdas =(M cert-ssl =(1,0_+2Gs_#XktCb=v

=(.;4'VM'zK$i#

3. dC`vO$Lr1,5Jv9C;v\k`MO$Lr#e~9CTBEH63

r4bv`vQdCD\kO$Lr:

a. passwd-cdas

b. passwd-ldap

4. I\*=v;,DO$=(dC`,D(Fb#}g,IT`4;v(F2mb&

mC'{/\kM HTTP 7O$#TZK>},z+9C`,D2mbdC

passwd-cdas M http-request N}#*"_PpN,$a04,,"\b=V=

(.dDe;#

Prompting for login

ZBPu~B,e~a>M'zG<:

1. 4O$DM'zxPZ(li'\

2. m%ry>O$M'zxPZ(li'\

TBM'z`M+vV0403 JO1ms:

1. 1Z(li'\1:

a. M'zK$i

b. JO*F cookie

c. CDSSO

d. IP X7

e. HTTP 7

2. 1M'z9Ce~{CD=(O$1

Logout, change password, and help commands

Access Manager a)TB|n4'V(} HTTP r HTTPS O$DM'z#

pkmslogout: 1M'z9CDO$=(;f?vksa)O$}]1,M'zIT9

C pkmslogout |nS10a0"z#}g pkmslogout ;ICZ9Cy>O$r IP

X7O$DM'z#ZKivB,XkXU/@wT"z#

pkmslogout |nJCZ(}M'zK$i"nF(Pzk"m%O$M HTTP 7O

$D3)5VDO$#

4TB=(KP|n:

https://www.tivoli.com/pkmslogout

/@wT>(eZ pdwebpi.conf dCD~PD"zm%:

[acctmgmt]
logout-uri = /pkmslogout
logout-success = logout_success.html

IT^D logout_success.html D~TJ&zD*s#

1xga9h*`vKvA;CZC'Sj+;,Dibwz"z1,pkmslogout 5CLr9'V`v"zl&3f#

pkmspasswd: 9Cy>O$(BA)rm%O$1,IT9CK|n|DG<\k#

K|nJOZ HTTP r HTTPS O9C#

}g:

https://www.tivoli.com/pkmspasswd

C/@w+T>(eZ pdwebpi.conf dCD~PD\km%D|D:

[acctmgmt]
password-change-form-uri = /pkmspasswd.form
password-change-uri = /pkmspasswd
password-change-success = password_change_success.html
password-change-failure = password_change_failure.html

IT^D password_change_success.html M password_change_failure.html D~T

J&zD*s#

pkmshelp: IT9CK|nCJoz3f#K|nJOZ HTTP r HTTPS O9C#

oz3fD{FM;C(eZ pdwebpi.conf dCD~P:

[acctmgmt]
help-uri = /pkmshelp
help-page = help.html

IT^D help.html D~TJ&zD*s#

Configuring Basic authentication

y>O$(BA)G+C'{M\ka)xO$zFDj<=(#BA I HTTP -i(

e,R(} HTTP M HTTPS 5V#

Enabling Basic authentication

1!ivB,*e~dC BA C'{M\k#pdwebpi.conf dCD~PD

[common-modules] Z(eK9C BA CZO$ks#4:

[common-modules]
authentication = BA

pdwebpi.conf dCD~PD [modules] Z(eyPICDO$zF0dX*D2mb

{F#7#y>O$Du?fZ;4:

[modules]
BA = pdwpi-ba-module

1!ivB,BA O$zF*dCD~D [authentication levels] ZPD;v6p#

KhCkxkksDO$zFDEH6`X#

Setting the realm name

rC'aJC'{M\k1,CrT>Z/@wrC'a)DT0rP#r{F8(

x pdwebpi.conf dCD~D [BA] ZPD basic-auth-realm N}#

[BA]
basic-auth-realm = realm_name

Configuring the Basic authentication mechanism

passwd-ldap N}8(CZ&mC'{M\kO$D2mb#

v Z UNIX O,a)ZC3d&\DD~G;v2mb,F* libldapauthn#

v Z Windows O,a)ZC3d&\DD~G;v DLL,F* ldapauthn#

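Table 10. BA shared library authentication mechanism

| Authentication mechanism | Shared library (Solaris Operating Environment) | Shared library (AIX) | Shared library (Windows) |
|---|---|---|---|
| passwd-ldap | libldapauthn.so | libldapauthn.a | ldapauthn.dll |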

IT(}Z pdwebpi.conf dCD~PD [authentication-mechanisms] ZPdk

passwd-ldap N}T02mbD~DX(=({F4dCC'{M\kO$zF,gB

y>:

Solaris Operating Environment:

[authentication-mechanisms]
passwd-ldap = libldapauthn.so

Windows:

[authentication-mechanisms]
passwd-ldap = ldapauthn.dll

Configuring forms authentication

Access Manager a)m%O$w*j<y>O$zFD8C=(#K=(S Access

Manager zz(F HTML G<m%,x;GSy>O$aJzzj<G<a>#

9CyZm%DG<1,/@w;s9Cy>O$1Gy+C'{M\kE"xP_

Y:f#

Enabling forms authentication

pdwebpi.conf dCD~PD [common-modules] Z(eyPO$=(DC(#*t

C(}m%DO$,+%J0forms18(x authentication N};4:

[common-modules]
authentication = forms

9Cm%CZO$1,9Xk+e~dC*9Cm%CZsZ(&m#by+Jme

~+QO$DC'X(rX-<Dks URL#Z pdwebpi.conf dCD~D

[common-modules] ZP,mSN} post-authzn,gBy>:

[common-modules]
authentication = forms
post-authzn = forms

pdwebpi.conf dCD~PD [modules] Z(eyPICDO$zF0dX*D2mb

{F#7#m%O$Du?fZ;4:

[modules]
forms = pdwpi-forms-module

Configuring the forms authentication mechanism

passwd-ldap N}8(CZ&mC'{M\kO$D2mb#

v Z UNIX O,a)ZC3d&\DD~G;v2mb,F* libldapauthn#

v Z Windows O,a)ZC3d&\DD~G;v DLL,F* ldapauthn#

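Table 11. Forms shared library authentication mechanism

| Authentication mechanism | Shared library (Solaris Operating Environment) | Shared library (AIX) | Shared library (Windows) |
|---|---|---|---|
| passwd-ldap | libldapauthn.so | libldapauthn.a | ldapauthn.dll |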

IT(}Z pdwebpi.conf dCD~PD [authentication-mechanisms] ZPdk

passwd-ldap N}T02mbD~DX(=({F4dCC'{M\kO$zF,gB

y>:

Solaris Operating Environment:

[authentication-mechanisms]
passwd-ldap = libldapauthn.so

Windows:

[authentication-mechanisms]
passwd-ldap = ldapauthn.dll

Customizing HTML response forms

m%O$h*z9C(FG<m%#1!ivB,y> login.html m%;ZTB?<:

install_directory/nls/html/lang #

dP lang S NLS dCPq!#Z US "o20P,KN}hC* C#

dCD~D [forms] ZD login-form N}(eG<Zda)xC'Dm%DD~{#

CD~D76&1`TZQ-kD pdwebpi HTML ?<;}g

pdwebpi/nls/html/lang#

[forms]
login-form = login.html

Configuring certificate authentication

Access Manager Plug-in for Web Servers 'V9CM'zK}V$i(} SSL kM'

zxPD2+(E#ZKO$=(P,$iE"(}g(P{Fr DN)+3d*

Access Manager m]#

Mutual authentication via certificates

Z=vWN"z(}}V$iDO$:

v e~$tD Web ~qw9Cd~qwK$ir SSL M'zj6dTm#

v Web ~qw9CdO$PD(CA)y$iD}]bi$9CM'zK$iCJDM

'z#

1. SSL M'zks(}e~k Web ~qwD,S#

2. w*l&,Web ~qw(})pD~qwK$i"Md+C\?#K$iH0QI

IEDZ}=O$PD(CA))p#

3. M'z+li$iD)p_GqGIERIS\D#M'zD/@w(#|,4

TIE CA Dy$iPm#g{ Web ~qwD$iOD){kb)y$i.;%

d,rITENC~qw#

4. g{;P){kd%d,r/@w(*dC',K$iI4*O$PD)p#;

s,C'PpNS\r\x$i#

5. g{C){k/@wDy$i}]bPDu?%d,r2+XZM'zM Web ~

qw.d-La0\?#

K}LDnUa{Gzz2+(@,9M'zIT(}dO$(}g,(}C'

{M\k)#I&O$s,M'zM~qwITLx2+X(}K(@(E#

6. VZM'z(}e~+d+C\?$i"M= Web ~qw#

7. Web ~qw"T9C Web ~qwD$if"+M'z$iOD){kQ* CA %

d#

8. g{;P){kd%d,rzI SSL mszk"+d"M=M'z#

9. g{P){kd%d,rITENCM'z#4PM'zO$s+zz Access

Manager m]#

10. +ZM'zM Web ~qw.d2+X-La0\?#K}LDnUa{GZ`%

O$DM'zM~qw.dzz2+MIED(EE@#

Enabling certificate authentication

pdwebpi.conf dCD~PD [common-modules] Z(eyPO$=(DC(#*t

C(}$iDO$,+%J0cert18(x authentication N};4:

[common-modules]
authentication = cert

pdwebpi.conf dCD~PD [modules] Z(eyPICDO$zF0X*D2mb{

F#7#$iO$Du?fZ;4:

[modules]
cert = pdwpi-certificate-module

Configuring the certificate authentication mechanism

cert-ssl N}8(CZ3d$iO$E"D2mb#

Z UNIX O,a)ZC3d&\DD~G;v2mb,F* libpdwpi-sslauthn#Z

Windows O,a)ZC3d&\DD~G;v DLL,F* sslauthn#

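Table 12. Certificate shared library authentication mechanism

| Authentication mechanism | Shared library (Solaris Operating Environment) | Shared library (AIX) | Shared library (Windows) |
|---|---|---|---|
| cert-ssl | libpdwpi-sslauthn.so | libpdwpi-sslauthn.a | pdwpi-sslauthn.dll |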

IT(}Z pdwebpi.conf dCD~PD [authentication-mechanisms] ZPdk

cert-ssl N}T02mbD~DX(=({F4dC$iO$zF#

Solaris Operating Environment:

[authentication-mechanisms]
cert-ssl = libpdwpi-sslauthn.so

Windows:

[authentication-mechanisms]
cert-ssl = pdwpi-sslauthn.dll

2mbD~a)D1!3d1S+$i DN 3d= LDAP DN#

Configuring token authentication

Access Manager Plug-in for Web Servers 'V(}M'za)DnF(PzkDO$#

KO$9CyZ RSA SecureID® fobs D+rSU>#

Enabling token authentication

pdwebpi.conf dCD~PD [common-modules] Z(eyPO$=(DC(#*t

C(}nFDO$,+%J0token18(x authentication N};4:

tC9CnFDO$1,2Xk*sZ(&mdCnF#ZdCD~D [modules] Z

P,9( post-authzn N}"*d8(50token1#[common-modules] Z&1|,

TB=vu?:

[common-modules]
authentication = token
post-authzn = token

pdwebpi.conf dCD~PD [modules] Z(eyPICDO$zF0X*D2mb{

F#7#nFO$Du?fZ;4:

[modules]
token = pdwpi-token-module

Configuring the token authentication mechanism

token-cdas N}8(CZ3dnF(PzkO$E"D2mb#

v Z UNIX O,a)ZC3d&\DD~G;v2mb,F* libtokenauthn#

v Z Windows O,a)ZC3d&\DD~G;v DLL,F* tokenauthn#

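Table 13. Token shared library authentication mechanism

| Authentication mechanism | Shared library (Solaris Operating Environment) | Shared library (AIX) | Shared library (Windows) |
|---|---|---|---|
| token-cdas | libtokenauthn.so | libtokenauthn.a | tokenauthn.dll |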

Z1!ivB,KZC2mbG2`kD,CZ3d SecurID nF(Pzk}]#IT

(FKD~TO$d|`MDXbnF}],"I!q+K}]3d* Access Manager

m]#XZ API J4,kN< IBM Tivoli Access Manager WebSEAL Developer

Reference#

IT(}Z pdwebpi.conf dCD~PD [authentication-mechanisms] ZPdk

token-cdas N}T02mbD~DX(=({F4dCnFO$zF#

}g:

Solaris Operating Environment:

[authentication-mechanisms]
token-cdas = libtokenauthn.so

Windows:

[authentication-mechanisms]
token-cdas = tokenauthn.dll

Customizing token response pages

dCD~D [token-card] ZD token-login-form N}(enFG<Zda)xC'

M'zDm%DD~{#CD~D76&1`TZQ-kD pdwebpi HTML ?<;}

g pdwebpi/nls/html/lang#dP lang S NLS dCPq!#Z US "o20P,K

N}hC* C#

[token-card] ZPD next-token-form N}(eT>=C'M'zDm%TksZ~

vnF#1~qw^(SZ;vnFI&O$C'1,+*sM'zdkm;vn

F#^(O$C'I\I\`-r<B,n#{D-rGIZM'zM~qw1S;

,=#^(I&9CZ;vnFO$1,+T> next-token-form N}P8(D3f,

Ta>B;vnF#

token-card ZDq=gB:

[token-card]
token-login-form = tokenlogin.html
next-token-form = nexttoken.html

Configuring failover cookie authentication

JO*F cookie &\(#CZM'z(}:X=bzF,S=4FD0K Web ~q

w#1~qwMM'z.dD-<a0d*;IC1,JO*F cookie I@9?FDX

BO$#

Z*sZ(&mdCKJO*F cookie s,e~Z~qwX(DrGr6'D cookie

PS\>$}]#M'zZ;N,S1,cookie EZ/@wO#1u< Web ~qwa

0*'1,cookie +;xM'zXB(rDB;v~qw#cookie CZT/XBO$,

byM'z;X4PV/XBO$DNq#4FD~qwODe~2m;v+2\

?,|b\ cookie Py,D>$E""("BDa0#

O<T>KdMDe5a9,Ca9+SJO*F cookie D9Cqf#,; Web ~q

wD}v`,5};Z:X=b~qws,C~qwy]:XMICT+ks(r=

}v~qw.;#}g,Yh+ www.foo.com D?v5}dC*9CJO*F cookie

O$M'zCJ,9+ddC*9CJO*F cookie CZsZ(&m#M'z+CJ

www.foo.com,";8r~qwD5} 1,RI&O$#+S\M'zD>$"+df"

Zr6'D cookie P,C cookie f"ZM'z/@wP#g{Za0Zd,M'zh

< 6. JO*F cookie DdM~qwe5a9#

*CJ www.foo.com D5} 2r5} 3(}g,g{5} 1 '\r*sdC+s),

rf"ZM'z/@wPDJO*F cookie +CZT/XBO$,x;h*C'xPI

f#

Enabling authentication using failover cookies

pdwebpi.conf dCD~PD [common-modules] Z(eyPO$=(DC(#IT

dCJO*F cookie 4PO$MsZ(Nq#

dC*9CJO*F cookie xPsZ(&mDe~T>$xPS\,"+dw*JO*

F cookie f"ZBql&P#

dC*9CJO*F cookie 4PO$De~,9CSBqksPR=DJO*F cookie

PDS\>$XBO$M'z#

*tC9CJO*F cookie DO$MsZ(,+u?0failover18(x authenticationM post-authzn N};4:

[common-modules]
authentication = failover
post-authzn = failover

":dCd|O$zFT0JO*F cookie 1,Xk+JO*F cookie O$dC*u

<O$=(#

pdwebpi.conf dCD~PD [modules] Z(eyPICDO$zF0dX*D2mb

{F#7#JO*F cookie O$Du?fZ;4:

[modules]
failover = pdwpi-failovercookie-module

Configuring failover cookie parameters

JO*F cookie O$N}Z pdwebpi.conf dCD~D [failover] ZPdC#

failover-cookies-keyfile N}8(CZTJO*F cookie PD>$}]xPS\Mb

\DD~#}g:

[failover]
failover-cookies-keyfile = failover.key

\?D~Xk9C;Z install_path/bin ?<PDLr pdwpi-cdsso-key-gen 4(#

C(:

./pdwpi-cdsso-key-gen key_file_name_to_create

failover-cookies-lifetime N}(eP'D failover-cookie P'Z(V)#bG8 cookie

4(M cookie {C.dD1d#1!5* 30 VS#

[failover]
failover-cookies-lifetime = 30

enable-failover-cookie-for-domain N}tCr_{C cookie Z{vrPDP'T#

}g:

[failover]
enable-failover-cookie-for-domain = false

Configuring IV header authentication

Access Manager (}f]M'zr/PzmLra)DZ?zID7E"'VO$#I

Zz7-r,b);F* IV(IntraVerse)7#1e~v?M Web ~qwSU=4T

IE&CLr(g WebSEAL r`74C/PzmLr)Dks1,IV 7I\aek

*S=e~zm~qwDksP#IV 7|,j6p<M'zDE",x;G*S~qw

DE"#7PDE"CZ9lp<M'zD>$,TCZZ(#,y,g{e~v?

M Web ~qw+ks*S=m;v6p IV 7D Access Manager ~qw,re~z

mITek IV 7Tj6p<M'z#

ITdCe~9C IV 7CZsZ(&mrO$ks#g{dCCZsZ(&m,re

~ZI&O$.s,(}ekM'zDf5m]w* IV 7^DBq#;sb)7I\

Ip< Web ~qw*"=m;v~qw#

g{dCe~9C IV 74PM'zO$,re~9CSBqksPR=D IV 7Pi

!Dm]4(M'z>$#IZM'z1l IV 7\]W,yTvZzm~qw(}Z

O$ksPhC09C~6O$Lr1j>8(T7DEN1E4(byD>$#

TZO$,ITdC IV 7Z(}zmSU1S\ksPD;v";)ryP

iv-user"iv-user-l"iv-creds r iv-remote-address 7,w*O$D$]#iv-remote-address

7CZG<C'Df56LX7#

g{dCCZsZ(&m,r IV 7f;v";)ryP iv-user"iv-user-l"

iv-creds"iv-groups M/r iv-remote-address"HTTP 7;pekks#

Table 14. IV header field descriptions

IV header field | Description

iv-user Access Manger C'DrL{F#g{M'z4O$(4*),

r1!*4O$#

iv-user-l C'Dj{r{($Mq=)#}g LDAP (P{F#

iv-groups C'ytiPm#

iv-creds `kD;8w}]a9,zmC'D Access Manager >$#

iv-remote-address M'zD IP X7#K5ITzmzm~qwrxgX7*;Lr

(NAT)D IP X7#

Enabling authentication using IV headers

pdwebpi.conf dCD~PD [common-modules] Z(eyPO$=(DC(#*t

C9C IV 7DO$,k+}C iv-headers Vdx authentication N};4:

[common-modules]
authentication = iv-headers

*tC IV 7CZsZ(&m,k+ post-authzn N}8(* pdwebpi.conf dCD

~P [common-modules] ZPDX|V5 iv-headers#4:

[common-modules]
post-authzn = iv-headers

pdwebpi.conf dCD~PD [modules] Z(eyPICDO$zF0dX*D2mb

{F#7# IV 7O$u?fZ;4:

[modules]
iv-headers = pdwpi-iv-headers-module

Configuring IV header parameters

IV 7O$N}Z pdwebpi.conf dCD~D [iv-headers] ZPdC#

accept N}8(S\CZ4P IV 7O$D IV 7`M#1!ivB,e~S\yP

`MD IV 7#P'!n*:all"iv-creds"iv-user"iv-user-l"iv-remote-address#*dk

`v7`M,k9C:EVt5#

}g:

[iv-headers]
accept = iv-creds,iv-user

generate N}8(*"zmks1+zID IV 7`M#1!ivB,*"zmks

1e~zIyP`MD IV 7#P'!n*:all"iv-creds"iv-user"

iv-user-l"iv-remote-address#*dk`v7`M,k9C:EVt5#

Configuring the IV header authentication mechanism for iv-remote-address

Z IV 7P9C iv-remote-address 1,zh*8(CZ3d HTTP O$7E"D2

mb#http-request N}8(CZ3d HTTP O$7E"D2mb#

v Z UNIX O,a)ZC3d&\DD~G{* libpdwpi-http-cdas D2mb#

v Z Windows O,a)ZC3d&\DD~G{* pdwpi-http-cdas D DLL#

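Table 15. IV header shared library authentication mechanism

| Authentication mechanism | Shared library (Solaris Operating Environment) | Shared library (AIX) | Shared library (Windows) |
|---|---|---|---|
| http-request | libpdwpi-http-cdas.so | libpdwpi-http-cdas.a | pdwpi-http-cdas.dll |

ITdC HTTP 7O$zF,=(GZ pdwebpi.conf dCD~D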

[authentication-mechanisms] ZPdk http-request N}T0X(Z=(D2mbD

~{,4:

Solaris Operating Environment:

[authentication-mechanisms]
http-request = libpdwpi-http-cdas.so

Windows:

[authentication-mechanisms]
http-request = pdwpi-http-cdas.dll

Configuring HTTP header authentication

Access Manager (}M'zr/PzmLra)D(F HTTP 7E"'VO$#

KzFh*;v3d/}(2mb),+IE($O$)7}]3dA Access Manager

j6#e~ITS\Kj6"*C'4(>$#

e~Y(H0QO$(FD HTTP 7}]#IZK-r,(i%@5VK=(,x;t

Cd|NNO$=(#Y0(F HTTP 7}]GI\D#

1!ivB,9(K2mb3d4T0/Pzm17D}]#

Enabling authentication using HTTP headers

pdwebpi.conf dCD~PD [common-modules] Z(eyPO$=(DC(#*t

C9C HTTP 7DO$,k+}C0http-hdr1Vdx authentication N};4:

[common-modules]
authentication = http-hdr

pdwebpi.conf dCD~PD [modules] Z(eyPICDO$zF0dX*D2mb

{F#7# HTTP 7O$u?fZ;4:

[modules]
http-hdr = pdwpi-httphdr-module

Specifying header types

XkZ pdwebpi.conf dCD~D [http-hdr] ZP8(yP'VD HTTP 7`M#

[http-hdr]
header = header_type

HTTP 7Dj<dCvJm8(;v7#*8(`v HTTP 7,XkdC HTTP 7#

iD`v5}#

}g:

[modules]
entrust-client-header = libpdwpi-http-header.so
some-other-header = libpdwpi-http-header.so

[entrust-client-header]
header = entrust-client

[some-other-header]
header = some-other

Configuring the HTTP header authentication mechanism

http-request N}8(CZ3d HTTP O$7E"D2mb#

v Z UNIX O,a)ZC3d&\DD~G{* libpdwpi-http-cdas D2mb#

v Z Windows O,a)ZC3d&\DD~G{* pdwpi-http-cdas D DLL#

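Table 16. HTTP header shared library authentication mechanism

| Authentication mechanism | Shared library (Solaris Operating Environment) | Shared library (AIX) | Shared library (Windows) |
|---|---|---|---|
| http-request | libpdwpi-http-cdas.so | libpdwpi-http-cdas.a | pdwpi-http-cdas.dll |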

1!ivB,KZC2mbG2`kD,CZ+0/Pzm17}]3d=P'D

Access Manager j6#Xk(FKD~,TO$d|`MDXb7}]"0+K}]3

d= Access Manager j6(I!)#XZ API J4,kN< IBM Tivoli Access Manager

WebSEAL Developer Reference#

ITdC HTTP 7O$zF,=(GZ pdwebpi.conf dCD~D

[authentication-mechanisms] ZPdk http-request N}T0X(Z=(D2mbD

~{#

}g:

Solaris Operating Environment:

[authentication-mechanisms]
http-request = libpdwpi-http-cdas.so

Windows:

[authentication-mechanisms]
http-request = pdwpi-http-cdas.dll

Configuring IP address authentication

xkksD IP X7ITCZ9CM'zX77PD5,Va04,MO$M'zks#

g{;dCe~9C IP X7O$M'zks,rdCd9C IP X7,Va04,^

'#+G,g{e~;9C IP X7zYC'a0,r9C IP X7O$C'P'#

Enabling authentication using IP addresses

pdwebpi.conf dCD~PD [common-modules] Z(eyPO$=(DC(#*t

C9Cksp<_D IP X7DO$,k+}C0ip-addr1Vdx authentication N

},gBy>:

[common-modules]
authentication = ip-addr

*tC9C IP X7zYC'a0,k+}C0ip-addr1Vdx session N},gBy

>:

[common-modules]
session = ip-addr

pdwebpi.conf dCD~PD [modules] Z(eyPICDO$zF0dX*D2mb

{F#7# IP X7O$u?fZ,gBy>:

[modules]
ip-addr = pdwpi-ipaddr-module

Configuring the IP address authentication mechanism

IP X7O$zFM HTTP 7D`,#http-request N}8( IP X7O$zFD2m

b#

v Z UNIX O,a)ZC3d&\DD~G{* libpdwpi-http-cdas D2mb#

v Z Windows O,a)ZC3d&\DD~G{* pdwpi-http-cdas D DLL#

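Table 17. IP address shared library authentication mechanism

| Authentication mechanism | Shared library (Solaris Operating Environment) | Shared library (AIX) | Shared library (Windows) |
|---|---|---|---|
| http-request | libpdwpi-http-cdas.so | libpdwpi-http-cdas.a | pdwpi-http-cdas.dll |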

ITdC IP X7O$zF,=(GZ pdwebpi.conf dCD~D

[authentication-mechanisms] ZPdk http-request N}T0X(Z=(D2mbD

~{#

}g:

Solaris Operating Environment:

[authentication-mechanisms]
http-request = libpdwpi-http-cdas.so

Windows:

[authentication-mechanisms]
http-request = pdwpi-http-cdas.dll

Configuring tag value post-authorization processing

(#C'I\#{Z HTTP QO$ksD7P=S4T LDAP DC'X(E"(}g

g0Ek"gSJ~X7)#b9`v&CLrITCJ=SDE"x^k-#i/

LDAP ~qw#KE"DXwG|G`T2,D,@6;a;NN9C|D&CLr|

B#K}]w* ivauthn O$xLD;?VEkC'>$P#KE"2IT(}C'5

VD CDAS O$#i=S=C'>$P#

Enabling tag value processing

pdwebpi.conf dCD~PD [common-modules] Z(eyPO$=(DC(#*t

C9CjG5&m,k+}C0tag-value1Vdx post-authzn N};gBy>:

[common-modules]
post-authzn = tag-value

pdwebpi.conf dCD~PD [modules] Z(eyPICDO$zF0dX*D2mb

{F#7#jG5u?fZ,gBy>:

[modules]
tag-value = pdwpi-tag-value-module

Configuring tag value parameters

jG5N}Z pdwebpi.conf dCD~D [tag-value] ZPdC#

[tag-value]
cache-definitions = yes
cache-refresh-interval = 60

cache-definitions N}tCr_{CT=S=TsUdODj)5(eD_Y:f#

cache-refresh-interval (e_Y:f(eD"B1ddt(k)#

Setting authentication parameters for virtual hosts

TB>}hC;vF* foo.com Dibwz,KwzZITDX=9C SSL a0j6,

Z;IT9C SSL j6+_P BA 7DX=9C BA 7,"R9Ca0 cookie w*

,$a0E"DnsVN#|Z'Vy>O$0'V$iO$,"RZO$I&1,

r+I Web ~qw&mDksmS;v LTPA cookie#>}vT>K&(eDN}#

[pdweb-plugins]
virtual-host = foo.com

[modules]
ssl-id = libpdwpi-ssl-id.so
session-cookie = libpdwpi-session-cookie.so
ba = libpdwpi-ba.so
cert = libpdwpi-cert.so
ltpa = libpdwpi-ltpa.so

[foo.com]
session = ssl-id
session = ba
session = session-cookie
authentication = cert
authentication = ba
post-authzn = ltpa

ITpv#iXdCO$=(,Tc;,D#iITZibwz.d2m;gBy

>:

[virtual_host_stanza]
# Optional modules stanza name to allow sharing of module
# configurations between virtual hosts
modules = new-modules-stanza

[new-modules-stanza]
# Order sensitive session module list
# first one has highest priority
session = session_module
session = session_module
...
# Order sensitive authentication module list
# first one has highest priority
authentication = authentication_module
authentication = authentication_module
...

# Order sensitive post-authorization module list
# first one has highest priority
post-authzn = post_authorization_module
post-authzn = post_authorization_module
...

Supporting Multiplexing Proxy Agents (MPA)

Access Manager a)#$9C`74C/PzmLr(MPA)DxgDbv=8#`7

4C/PzmLr(MPA)Ga)`vM'zCJDxX#xX("=4~qwD%

;QO$(@,"(}K(@+MyPM'zksMl&#TZe~,(}K(@D

E"numV*4T;vM'zD`vks#e~XkxV MPA ~qwDO$M?v

%@M'zD=SO$#b`xXD;v#{>}G^_CJ-i(WAP)xX#9

Ckwz Web ~qwD*adCTJm WebSEAL Me~.dD%;"a1,Access

Manager WebSEAL 9w* MPA#*dCby;vbv=8,IT9C iv-header O$

#i#XZdC SSO D|`j8E",kNDZ 73 3DZ 6 B, :Web %;"ab

v=8;#

Valid session data types and authentication methods

IZ Access Manager Plug-in for Web Server ,$ MPA DQO$a0,dXk,1

,$?vM'zD%@a0#rK,CZ MPA Da0}]MO$=(Xk;,ZM'

zy9CDa0}]MO$=(#BmPvCZ MPA MM'zDP'a0`M:

Table 18. Valid session data types for the MPA

Valid session types

| MPA to plug-in | Client to plug-in |
|---|---|
| SSL session ID | |
| HTTP header | HTTP header |
| BA header | BA header |
| IP address | |
| Cookie | Cookie |

v M'z;\9C SSL a0j6w*a0}]`M#

v }g,g{ MPA 9C BA 7w*a0}]`M,rM'zDa0}]`M!nv

|( HTTP 7M cookie#

v g{ MPA 9C HTTP 7w*a0}],rM'zIT9C;,D HTTP 7`M#

v X(Z~qwD cookie v|,a0E";;|,j6E"#

v g{tC MPA 'V,r9C SSL a0j6,$a04,a|D#(#,r*Qd

C SSL a0j6,$a04,,yTv SSL a0j6CZ,$ HTTP M'zDa

0#*Jm MPA ,$_P SSL a0j6Da0"9M'z9Cm;V=(,$a

0,r}%K^F#

MPA =e~y9CDO$=(Xk;,ZM'z=e~y9CDO$=(#BmPv

MPA MM'zDP'O$=(:

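Table 19. Valid MPA authentication types

Valid authentication types

| MPA to plug-in | Client to plug-in |
|---|---|
| Basic authentication | Basic authentication |
| Forms | Forms |
| Token | Token |
| HTTP header | HTTP header |
| Certificate | |
| IP address | |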

v w*>},g{ MPA 9Cy>O$,rM'zDO$=(!n|(m%"nFM

HTTP 7#

v $iM IP X7O$=(TM'z9C^'#

v (#,g{TX(+MtCm%(rnF)O$,rTK+MT/{Cy>O$#

g{tC MPA 'V,r}%K^F#}g,bJmZ,;v+MO MPA 9Cm%

(rnF)G<,RM'z9Cy>O$G<#

Authentication process flow for MPA and multiple clients

1. kxPTBdC|D:

v ZdCD~PtCT`74C/PzmLrD'V#

v *X(D MPA xX4( Access Manager J'#

v +KJ'Dzm([PDWebPI]p)CJ(ZhibwzD MPA #$Ts,zmk

s+8rKibwz#Z1!dCP,9C'I* pdwebpi-mpa-servers iD

I1I5VKYw#

2. M'z,S MPA xX#

3. xX+ks*;* HTTP ks#

4. xXO$M'z#

5. xX9CM'zkske~(",S#

6. MPA O$e~(9CkM'z;,D=()"Iz MPA(Q_Pe~J')Dm

]#

7. e~i$ MPA Z pdwebpi-mpa-servers iPDI1Jq#

8. * MPA 9(>$"Z_Y:fP+dj>*XbD MPA `M#

!\K MPA >$ifTsD?vM'zks,+d";CZTb)ksDZ(l

i#

9. VZe~h*x;=j6ksDyP_#

MPA ITxV`vM'z,xPG<a>D}77I#

10. M'zG<"9C;,Z MPA yCO$`MD=(xPO$#

11. e~SM'zO$}]9(>$#

12. ?vM'z9CDa0}]`MXk;,Z MPA 9CDa0}]`M#

13. Authorization Server y]C'>$MTsD ACL mI(Jmr_\xT\#$T

sDCJ#

Enabling MPA authentication

pdwebpi.conf dCD~D [pdweb-plugins] ZPD mpa-enabled N}tCr{C

MPA O$#P'hC* true M false,VpCZtCM{C MPA O$#1!iv

B,MPA O$G{CD#IT(}8(dCD~D [virtual_host] ZPD mpa-enabledN}*%vibwzhC MPA O$#

*+Ba0j6* MPA ("Dy>a0,wvZ(v(,bT MPA #$DTsDz

m([PDWebPI]p)mI(#1!ivB,MPA #$DTs(e* /PDWebPI#*2G

K1!hC(}g(e;,Dwe/zm?vibwzD MPA),IT*

mpa-protected-object dCN}8(;v5#ITT?vibwz2GKN},=(G

ZdCD~D [virtual_host] ZP*d8(;v5#}g,*T foo.com ibwz(x

"G bar.com ibwz)tC MPA CJ,kZ pdwebpi.conf dCD~P9CTBh

C:

[pdweb-plugins]
virtual-host = foo.com
virtual-host = bar.com

[foo.com]
mpa-enabled = yes

*+ foo-mpa-servers iDI1(e*T foo.com ibwzksD MPA "+

bar-mpa-servers iDI1(e*T bar.com ibwzksD MPA,k9CTBdC:

[pdweb-plugins]
virtual-host = foo.com
virtual-host = bar.com

[foo.com]
mpa-enabled = yes
mpa-protected-object = /PDWebPI/foo.com

[bar.com]
mpa-enabled = yes
mpa-protected-object = /PDWebPI/bar.com

"(eTB Access Manager _T:

pdadmin> acl create foo-mpa
pdadmin> acl modify foo-mpa set group foo-mpa-servers T[PDWebPI]p
pdadmin> acl create bar-mpa
pdadmin> acl modify bar-mpa set group bar-mpa-servers T[PDWebPI]p
pdadmin> acl attach /PDWebPI/foo.com foo-mpa
pdadmin> acl attach /PDWebPI/bar.com bar-mpa

mpa-protected-object dCN}8(xPZ(v(yTUDTs#

Creating a user account for the MPA

XZ4(C'J'DE",kN< IBM Tivoli SecureWay Access Manager Base

Administration Guide M IBM Tivoli SecureWay Access Manager Web Portal Manager

Administration Guide#

Adding the MPA account to the pdwebpi-mpa-servers group

Access Manager Plug-in for Web Servers 4(;vi,CZ=c\m MPA ~qw#

KiF* pdwebpi-mpa-servers#=SZ /PDWebPI OD default-pdwebpi ACL +

zm([PDWebPI]p)mI(Zh pdwebpi-mpa-servers iDI1#120ZAYdC

K;v WebSEAL D Access Manager 2+rP1,dC default-pdwebpi ACL 9d2

+zmmI(Zh webseal-servers M webseal-mpa-servers iDI1#zIT!

qT:DiM ACL,CZXFw*`74C/PzmLrDweDj6#

XZ\miDE",kN< IBM Tivoli SecureWay Access Manager Base Administration

Guide M IBM Tivoli SecureWay Access Manager Web Portal Manager Administration

Guide#

Chapter 5. IBM Tivoli Access Manager Plug-in for Web Servers security policy

This chapter describes how to configure and customize IBM Tivoli Access Manager (Access Manager) Plug-in for Web Servers security policy.

Topic index:

- Plug-in-specific access control list (ACL) policies
- Three strikes login policy
- Password strength policy
- Authentication strength protected object policy (step-up)
- Reauthentication protected object policy
- Network-based authentication protected object policy
- Quality of protection protected object policy
- Handling unauthenticated users (HTTP/HTTPS)

Plug-in-specific access control list (ACL) policies

TB2+T"bBnJCZ\#$TsUdPD /PDWebPI ]w:

v Access Manager Plug-in for Web Servers TsGTsUdPe~xrD ACL LP

4Dpc#

v g{;&Cd|NNT= ACL,rKTs((}LP)(e{v Web UdD2+T

_T#

v *CJKTs0KcBDNNTs,h*izmI(#

XZ Access Manager ACL _TDj{E",kN<6IBM Tivoli Access Manager Base

\m18O7#

/PDWebPI/host r virtual_hostKSw|,X(e~5}DTsUd#TB2+T"bBnJCZKTs:

v *CJKcBDNNTs,h*izmI(#

v g{;&Cd|NNT= ACL,rKTs((}LP)(eKzwO{vTsUdD

2+T_T#

Plug-in ACL permissions

BmhvJCZTsUdD Access Manager Plug-in for Web Servers xrD ACL m

I(:

Table 20. Plug-in ACL permissions

Permission | Operation | Description

[PDWebPI]r A! i4}?<bDNb*X#Nb HTTP GET r POST

ks<h*KmI(#TZks?<Pm(T / ax

D URL D GET),;PX(D0Pm1mI( *

b2C [PDWebPI]r mI(li#

[PDWebPI]d >} S Web UdP}% Web Ts#HTTP DELETE |

nh*KmI(#

[PDWebPI]m ^D Ze~TsUdPEC/"< HTTP Ts#HTTP

PUT ksh*KmI(#

T iz *CJKcBDNNTs,h*KmI(

e~2'V WebDAV Yw,gBy>#

Table 21. Plug-in WebDAV permissions

| Task | Required permission |
|---|---|
| PROPFIND | [PDWebPI]R |
| PROPPATCH | [PDWebPI]M |
| MKCOL | [PDWebPI]N |

yZks URI(x;GyZ/OD%vI1)Z( WebDAV Yw#mb,?V'V;

)d|D WebDAV Yw:

v COPY * U/1h* [PDWebPI]R,TcITA!0A!T1#;li?DXDmI

(#

v MOVE * bITO*GHxP4F,;sxP>}#T}ZxPF/D/Oh*

[PDWebPI]Rd#;li?DXDmI(#

Default /PDWebPI ACL policy

Access Manager Plug-in for Web Servers ACL DKDu? default-pdwebpi |(:

Group iv-admin Tcmdbva[PDWebPI]rmdNRM

User sec_master Tcmdbva[PDWebPI]rmdNRM

Any-other T[PDWebPI]rmdNRM

Unauthenticated T[PDWebPI]rmdNRM

201,K1! ACL a=S=TsUdPD /PDWebPI ]wTs#

izmI(Jmg Web Portal Manager Py>)9 Web Ud#PmmI(Jm Web

Portal Manager T> Web UdDZ]#

Three strikes login policy

TyZ LDAP D Access Manager 20ICD}N%wG<_T,(}8('\G<"

TDnsN}MM#Tbx1d,9zIT@9Fcz\k%w#K_T4(;Vu

~,dPC'XkZxP|`D'\G<"T0H};N1d#}g,_TITf( 3

N'\"T,sz 180 kD&##bVG<_T`MIT@9?k`NvVDfzFc

zzIDG<"T#

}N%wG<_Th*=v pdadmin _T|nhCD2,wC:

v '\G<"TDnsN}

policy set max-login-failures

v ,}'\G<"ThCD&#

policy set disable-time-interval

&#hCIT|,J'x(1ddtrTj+{CJ'#

g{G<_ThC(w*>})*}N'\"TszEX(x(1d&#,rZDN

"T(^[}7kq)+<Bms3f,5wJ'r\k_T]1;IC#

1ddtTk*%;8( * n!(i1ddt* 60 k#

g{ disable-time-interval _ThC*0disable1,rC';xZJ'.b,RKC'

D LDAP account valid tThC*0no1#\m1(} Web Portal Manager XBt

CJ'#

":+ disable-time-interval hC*0disable1<BnbD\m*z#+ account validE"4F=e~1IT[l=SY#bViv!vZ LDAP 73#mb,IZ

account valid |BYw,X(D LDAP 5VI\-zT\B5#IZb)-r,

(i9C,11ddt#

Command syntax

TB pdadmin |nvJOCZ LDAP "am#

Table 22. pdadmin LDAP login policy commands

Command | Description

policy set max-login-failures {number|unset} [-user username]

policy get max-login-failures [-user username]

\mXF)S&#0yJmDns'\G<"TN}D

_T#K|n!vZ policy set disable-time-interval |

nPhCD&##

w*\m1,ITTX(C'&CK_T,rT LDAP

"amPPvDyPC'+V&CK_T#

1!hC* 10 N"T#

policy set disable-time-interval {number|unset|disable} [-user username]

policy get disable-time-interval [-user username]

\m&#_T,XFg{=o'\G<"TnsN}s

J'&{CD1d\Z#

w*\m1,ITTX(C'&CK&#_T,rT

LDAP "amPPvDyPC'+V&CK_T#

1!hC* 180 k#

Password strength policy

Access Manager yZ LDAP D20a)=VXF\k9lD==:

v ev pdadmin \k_T|n

v Jm(F\k_TDIekO$#i(PAM)

kN< Access Manager Authorization C API Developer’s Reference

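Password strength policy set by the pdadmin utility

(} pdadmin 5CLr5VDev\k?HtT|(:

- Minimum password length
- Minimum alphabetic characters
- Minimum non-alphabetic characters
- Maximum repeated characters
- Spaces allowed

9C pdadmin r Web Portal Manager 4(C',9C pdadmin"Web Portal Manager

r pkmspasswd 5CLr|D\k1,5)b)_T#

Command syntax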

TB pdadmin |nvJOCZ LDAP "am#unset hC!n{CK_TtT * 4

;5)K_T#

Table 23. pdadmin LDAP password strength commands

Command | Description

policy set min-password-length {number|unset} [-user username]

policy get min-password-length [-user username]

\mXFn!\k$HD_T#

w*\m1,ITTX(C'&CK_T,rT1!"

amPPvDyPC'+V&CK_T#

1!hC* 8#

policy set min-password-alphas {number|unset} [-user username]

policy get min-password-alphas [-user username]

\mXF\kPJmDn!V8V{}D_T#

w*\m1,ITTX(C'&CK&#_T,rT1

!"amPPvDyPC'+V&CK_T#

1!hC* 4#

policy set min-password-non-alphas {number|unset} [-user username]

policy get min-password-non-alphas [-user username]

\mXF\kPJmDn!GV8(}V)V{}D_

T#

w*\m1,ITTX(C'&CK_T,rT1!"

amPPvDyPC'+V&CK_T#

1!hC* 1#

policy set max-password-repeated-chars {number|unset} [-user username]

policy get max-password-repeated-chars [-user username]

\mXF\kPJmDnsX4V{}D_T#

w*\m1,ITTX(C'&CK_T,rT1!"

amPPvDyPC'+V&CK_T#

1!hC* 2#

policy set password-spaces {yes|no|unset} [-user username]

policy get password-spaces [-user username]

\mXF\kPGqIT|,UqD_T#

w*\m1,ITTX(C'&CK_T,rT1!"

amPPvDyPC'+V&CK_T#

1!hC* unset#

P'M^'D\k>}: Bm{vyZev pdadmin N}1!5DtI\k>}M_

Ta{:

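Table 24. Password examples

| Example | Result |
|---|---|
| password | Invalid: must contain at least one non-alphabetic character. |
| pass | Invalid: must contain at least 8 characters. |
| passs1234 | Invalid: contains more than two repeated characters. |
| 12345678 | Invalid: must contain at least four alphabetic characters. |
| password3 | Valid. |

User-specific and global settings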

ITTX(C'(9C - user !n)r+V((};C - user !n)hC pdadmin_T|n#NNX(ZC'DhC<2G_TD+VhC#2IT{C(unset)_T

N},bb6EKN};|,NN5#;lir5)NN_P unset !nD_T#

}g:

pdadmin> policy set min-password-length 8

pdadmin> policy set min-password-length 4 -user matt

pdadmin> policy get min-password-length

Minimum password length: 8

pdadmin> policy get min-password-length -user matt

Minimum password length: 4

(C' matt Dn!\k$H_T* 4 vV{;d|yPC'Dn!\k$H_TG 8

vV{#)

pdadmin> policy set min-password-length unset -user matt

(VZC' matt \= 8 vV{D+Vn!\k$H_TD\m#)

pdadmin> policy set min-password-length unset

(yPC',|(C' matt VZ^n!\k$H_T#)

Authentication strength protected object policy (step-up)

O$?H\#$Ts_T(POP)9yZTs9CDO$=(XFTTsDCJI*

I\#

IT9CK&\(P1F*]}O$)7#CJ|*tPJ4DC'9C|?DO$

zF#IZ;1CJDOs~2,zI\#{9CKu~#

}g,IT(}&C]} POP _T(Zu<xke~r1h*HM'zy9CDO$

|_6pDO$)T Web UdDxra)|_D2+T#

2IT* Web ~qwOD?vX(ibwzhC]}O$,Jm%vibwz9Cd

T:D]}O$6p,x;X~S~qw6'D_T5V#

O$?H_TGZ POP _TD0IP KcO$=(1tTPhCD#

Configuring step-up authentication levels

dCX(ZO$DCJDZ;=GdC'VDO$=("7(3r,b)O$=(&

4K3rS*|?s#XZdCO$zFDj8E",kNDZ 27 3DZ 4 B, :IBM

Tivoli Access Manager Plug-in for Web Servers O$;#

(}e~CJ Web ~qwDNNM'z<_PO$6p,}g04O$1r0\k1,

8>M'zns;N(}e~O$19CD=(#

Z3)ivB,I\PX*5)CJX( Web UdTsyhDnM02+16pO$#

}g,Z373P,(}nF(PzkxPDO$ITS*H(}C'{M\kxP

DO$|2+#m;v73IT_P;,Dj<#

k?FM'zZ4zcXhDO$6p1XBt/da0;,,]}O$zFa)M

'zm;Nza9Cyh=((6p)xPXBO$#

]}O$b6EC'"TCJh*HdG<1_PDO$6p0|_1DO$6p

1,;a"4rdT>0\x1{"#xrdT>BDO$a>,ks'V|_O$

6pDE"#g{{GITa)KO$6p,rJmdu<ks#

Access Manager Plug-in for Web Servers 6p`VO$=((6p),CZ]}O$z

F:

- Unauthenticated
- Forms
- IP address
- HTTP header
- Token
- Certificate
- IV header
- Failover cookie

Z pdwebpi.conf dCD~D [authentication-levels] r

[authentication-levels:virtual_host_label] ZPdCO$6p#}g:

[authentication-levels]
1 = BA
2 = iv-headers
3 = cert

y]PmP=(D3r,T?V=(Vd6pw}#

v 4O$Y(6p* 0#

v sL=(ITNb3rEC#kNDZ 66 3D:]}O$"bBnM^F;

v 1!ivB,y>O$dC*6p 1#

v *tC]}O$,XkAYP=vu?#

v (}9Cq=* [authentication-levels:virtual_host_name] DZ8(6p,IT*X

(ibwzhCO$zF6p#

":XZhCyhO$zFDj8E",kNDZ 27 3DZ 4 B, :IBM Tivoli Access

Manager Plug-in for Web Servers O$;#

Enabling step-up authentication

]}O$G(}Z*sO$tPZ(DTsOyECD POP _Tx5VD#9C POP

_TD0IP KcO$=(1tT#

pdadmin pop modify set ipauth |n8( IP KcO$=(tTPJmDxgMy

hDO$6p#

QdCDO$6pI4S= IP X76'#K=(D?DGa)\minT#g{4 IP

X7}KC'";X*,rIT anyothernw(Nbd|xg)hC%;u?#KhC

+0lyPCJC'(;\ IP X7),"*s{G48(6pxPO$#bG5V]

}O$Dn#C=(#

Syntax:

pdadmin> pop modify pop_name set ipauth anyothernw level_index

anyothernw u?Cwxg6',K6'+k4Z POP PmP8(DyPxg%d#

K=(CZ4(1!u?,Ku?I\xyP;%dD IP X7,rJmzcO$6p

*sDNNKxPCJ#

1!ivB,anyothernw TO$6pw} 0 vVZ POP P#Z pop show |nP

Ku?T>*0Nbd|xg1:

pdadmin> pop show test
\#$Ts_T:test
hv:Test POP
/f:no
sF6p:none
#$6p:none
?UDCJ1d:sun, mon, tue, wed, thu, fri, sat:anytime:local
IP KcO$=(_T
Nbd|xg 0

Example

1. Z pdwebpi.conf PdCO$6p:

[authentication-levels] or [authentication-levels:virtual_host_label]
1 = BA
2 = token

2. dC0IP KcO$=(1POP tT:

pdadmin> pop modify test set ipauth anyothernw 2

pdadmin> pop show test
\#$Ts_T:test
hv:Test POP
/f:no
sF6p:none
#$6p:none
?UDCJ1d:mon, wed, fri:anytime:local
IP KcO$=(_T
Nbd|xg 2

by,C'CJIbT POP #$DTsh*6p 2 O$,r_+?F9CnF=

(xPO$#

m{Z 68 3D:yZxgDO$\#$Ts_T;#

]}O$"bBnM^F

1. HTTP M HTTPS O<'V]}O$#

2. ;\S HTTP -i]}= HTTPS#

3. [authentication-levels] ZP48(DO$=(1!*6p 1#

4. O$=(;\Z6pPmP8(;N#

5. T]}O$6pDmsdC<B{Ce~PD]}&\#bVivI\}pbbD

O$P*,}gT POP #$DTs"v\kG<3f,K POP h*nF(Pzk

O$=(#

dC]}O$zFs,kli pdwebpi.log D~,Tq!XZNNdCmsD(f#


XBO$\#$Ts_T

Access Manager Plug-in for Web Servers IT?FC'4P=SG<(XBO$),T

7#CJ\#$J4DC'MnuZa0*<WNO$DG,;vK#\#$TsO

D\#$Ts_T(POP)ra0_Y:fGn/,15=Z<IT$nXBO$#

>ZV[ POP )9tT8(DyZ2+T_TDXBO$#XZdCa0/>$_Y

:fDj8E",kNDZ 35 3D:dCe~a0/>$_Y:f;#

0l POP XBO$Du~

?FDXBO$T2+rPDtPJ4a)=S#$#yZ2+T_TDXBO$I

POP PDX()9tT$n,K POP #$yksDJ4Ts#POP IT1S=S=T

sO,r_TsITS8TsLP POP u~#TBe~O$=('VXBO$:

v m%(C'{M\k)O$

v nFO$

mb,IT`4(FDC'{/\k CDAS T'VXBO$#

XBO$Y(C'-HQ-G<=2+r,"RfZKC'DP'>$#ZXBO$

xLP,C'Xk9CMzIVP>$`,Dm]xPG<#XBO$Zd,Access

Manager #tC'-HDa0E",|(>$#XBO$xLP;f;>$#

ZXBO$}LP,e~9_Y:fa>XBO$Dks#XBO$I&1,_Y:

f}]CZXB9(ks#

g{XBO$'\,re~YN5XG<a>#g{XBO$I&,+ ACL liTK

J4'\,r5X 4030{9CJ1"R\xC'TyksJ4DCJ#ZN;ivB,

C'S;"z#9CT;P'D>$,C'ITl#U9XBO$xL((}ksm

;v URL)"(}CJd|;h*XBO$DJ4@INk2+r#

IT9CdC4;e~a0_Y:fP'ZF1w#mb,9ITdCm^Z,Jm

XBO$xLPc;1dZa0_Y:fP'Z,1=Z.0jI#XZj8E",

kNDZ 35 3D:dCe~a0/>$_Y:f;#

4(M&CXBO$ POP

yZ2+T_TD?FXBO$(}4(_P{*0reauth1DXb)9tTD\#$

Ts_T(POP)dC#IT+K POP =S=NNh*?FXBO$a)Dnb#$D

TsO#

kG!_P POP DTsDyPS2LP POP u~#?vksDSTsh*%@DX

BO$#

9C pdadmin pop create"pdadmin pop modify M pdadmin pop attach |n#

TB>}{vC reauth )9tT4({*0secure1D POP "+d=S=TsO:

pdadmin> pop create secure
pdadmin> pop modify secure set attribute reauth true
pdadmin> pop attach /PDWebPI/hostA/budget.html secure

NN"TCJ budget.html DK<;?H9CMzIVP>$`,Dm]MO$=(x

PXBO$#


g{ksJ4DC'4O$,r POP ?FC'xPO$#?NTXBO$_Ty#$

TsDCJ<h*XBO$#

g{?<PDs`}Ts<h*XBO$(!\P;);h*),nC+ POP =S=

{v?<,|(0reauth1)9tT#TZG);h*XBO$DTs,*d=Sk?

<`,D POP,+;|,0reauth1)9tT#

XZ pdadmin |nP5CLrDj8E"ITZ6IBM Tivoli Access Manager Base

\m18O7PR=#

yZxgDO$\#$Ts_T

yZxgDO$\#$Ts_T(POP)_T9CyZC'D IP X7XFTTsDC

JI*I\#IT9CK&\h9X( IP X7(r IP X76')CJ2+rPDN

NJ4#

2ITK_T&C]}O$dC,"T?v8(D IP X76'*sX(O$=(#

yZxgDO$_TGZ POP _TD0IP KcO$=(1tTPhCD#XkZKt

TP8(=v*s:

v O$6p

v JmDxg

XZ8(dC6pDj8E",kNDZ 64 3D:dC]}O$6p;

8( IP X7M6'

dCO$6p.s,Xk8(K POP _TyJmD IP X7M IP X76'#

pdadmin pop modify set ipauth add |nZ0IP KcO$=(1tTP,18(

Kxg(rxg6')MyhO$6p#

o(:

pdadmin> pop modify pop_name set ipauth add network netmask level_index

QdCDO$6p4S= IP X76'#K=(D?DGa)inT#g{4 IP X7

}KC'";X*,rIT anyothernw(Nbd|xg)hC%;u?#KhC+0

lyPCJC'(;\ IP X7),"*s{G48(6pxPO$#

o(:

pdadmin> pop modify pop_name set ipauth anyothernw level_index

`4,g{#{vTO$6p"Rv#{yZ IP X7Jmr\xCJ,rIT*Jm

D6'9C6p 0,T*\xD6'9C0forbidden1#

anyothernw u?Cwxg6',K6'k4Z POP PmP8(DyPxg%d#K

=(CZ4(1!u?,Ku?I\xyP;%dD IP X7,rJmzcO$6p*

sDNNKxPCJ#

1!ivB,anyothernw TO$6pw} 0 vVZ POP P#Z pop show |nP

Ku?T>*0Nbd|xg1:


pdadmin> pop show test
\#$Ts_T:test
hv:Test POP
/f:no
sF6p:none
#$6p:none
?UDCJ1d:sun, mon, tue, wed, thu, fri, sat:anytime:local
IP KcO$=(_T
Nbd|xg 0

XZhCO$6pD|j8V[,kNDZ 64 3D:dC]}O$6p;#

>}

*s IP X76'* 9.0.0.0 RxgZk* 255.0.0.0 DC'9C6p 1 O$(1!i

vBG0password1):

pdadmin> pop modify test set ipauth add 9.0.0.0 255.0.0.0 1

*sX(C'9C6p 0 O$:

pdadmin> pop modify test set ipauth add 9.1.2.3 255.255.255.255 0

h9yPC'(}KgOv>}P8(DG))CJTs:

pdadmin> pop modify test set ipauth anyothernw forbidden

{C4 IP X7D]}O$

o(:

pdadmin> pop modify pop_name set ipauth remove network netmask

}g:

pdadmin> pop modify test set ipauth remove 9.0.0.0 255.0.0.0

yZxgDO$c(

Access Manager Plug-in for Web Servers 9CTBc(&m POP PDu~:

1. li POP PD IP KcO$=(_T#

2. li ACL mI(#

3. li POP PD?U1d_T#

4. li POP PDsF6p_T#

#$6p\#$Ts_T

#$6p\#$Ts_T(POP)tTJmz8(ZTsO4PYw1yhD}]#

$6p#

pdadmin> pop modify pop_name set qop {none|integrity|privacy}

m 25. QOP 6phv

QOP 6p hv

privacy *s}]S\(SSL)#

integrity 9C3)zF7#}]P4|D#

none 49CNN}]#$=(#


}g:

pdadmin> pop modify test set qop privacy

T ACL v_D0G1l&2|,yhD#$6p1,#$6p POP tTJm5V%

vBq#g{e~^(#$yhD#$6p,r\xks#

&m4O$C'(HTTP/HTTPS)

Access Manager Plug-in for Web Servers S\4T HTTP M HTTPS OO$M4O$

C'Dks#;se~@5 Authorization Server 5)2+T_T,=(GJmr_\

xT\#$J4DCJ#

TBu~JCZT SSL _PCJ(D4O$C':

v 4O$C'Me~.dDE";;GS\D * g,kQO$C'D;;#

v 4O$C'Me~.dD SSL ,Svh*~qwKO$#

&m4Td{M'zDks

1. d{M'z(}e~r Web ~qwavks(9C HTTP r HTTPS)#

2. e~*KM'z4(4O$D>$#

3. ksT0K>$Lx=\#$D Web Ts#

4. Authorization Server liKTs ACL 4O$u?DmI(,Jmr\xyksD

Yw#

5. TKTsDI&CJ!vZAY|,A!(r)Miz(T)mI(D4O$ ACL u

?#

6. g{ks<BZ(v_'\,rM'zSU=G<m%(yZ BA rm%)#

?FC'G<

(}Z#$yksTsD ACL _TPD4O$u?O}7hCJ1mI(,IT?F

4O$C'G<#

A! [PDWebPI]r Miz(T)mI(JmTTsD4O$CJ#

*?F4O$C'G<,kS#$TsD ACL _TPD4O$u?P}%A!

[PDWebPI]r mI(#C'SU=G<a>(yZ BA rm%)#

&C4O$ HTTPS'VT HTTPS Oe~v?M Web ~qwD4O$CJPm`5JDL5mI:

v ;)&CLr;h*vKG<,4h*tPDE",}gX7MEC(E#>}|

(Z_:rIz1Md|L7#

v ;)&CLrh*ZITLxx;=;W.0H"aK5qDJ'#,y,Xk(

}xg+]tPE"#

C ACL/POP _TXF4O$C'

":0any-authenticated1u?`MH,Z0any-other1u?`M#


1. *Jm4O$C'CJ+2Ts,k9CAY|,4O$M+O$u?DA!

[PDWebPI]r Miz(T)mI(D ACL #$+2Z]#

unauthenticated T[PDWebPI]r
any-authenticated T[PDWebPI]r

":7(mI(1,unauthenticated u?GT any-authenticated u?DZk(p

;0k1Yw)#v1 unauthenticated DmI(Z any-authenticated u?

P2vV1EZhKmI(#IZ unauthenticated !vZ

any-authenticated,yT ACL |, unauthenticated x;|,

any-authenticated Dbe;s#g{ ACL 75|, unauthenticated x;

|, any-authenticated,r1!l&G;r unauthenticated ZhNNmI

(#

2. **sS\(SSL),k9C8( privacy w*u~D\#$Ts_T(POP)#$

Z]#

kNDZ 69 3D:#$6p\#$Ts_T;#


Z 6 B Web %;"abv=8

+ Access Manager Plug-in for Web Servers w*Z(~q5VTT2+ra)#$1,

(#h*a)%;"a=KrPJ4Dbv=8#>BV[CZ Access Manager Plug-in

for Web Servers #$D Web UdD%;"abv=8#

wbw}:

v :%;"aEn;

v :T/"a=\#$D&CLr;

v Z 75 3D:S WebSEAL rd|zm%;"a=e~;

v Z 76 3D:9CJO*F cookie xP%;"a;

%;"aEn

\#$J4;Ze~v?M Web &CLr~qwO1,IT*sksKJ4DM'z

ZCJ;,2+&CLr14P`NG<#?NG<\I\h*;,DG<j6#

\mM,$`vG<j6DJb(#ITC%;"a(SSO)zFbv#SSO JmC'

v9C;v-<G<CJJ4#Web ~qwOJ4DNNx;=G<ksD&mTC'

<G8wD#

10,Access Manager Plug-in for Web Servers 'VDVw*D%;"ae5a9#b

)e5a9*:

1. ;vT~qwOD`v2+&CLra)%;"aDe~5}#

2. S WebSEAL rd|/PzmLr(g WAP xX)%;"a=e~#

3. 9CJO*F cookie Z;,r.da)%;"a#

4. gSgx%;"a,dPC'O$;N""xnF,KnFJmdCJribgx

PDd|rx;h*XBO$#

>BPV[0}v SSO =8#ZDv=8GB;BDwb#

T/"a=\#$D&CLr

IT9C HTTP 7M LTPA cookie(&CLr* WebSphere Application Server 1)

q!T~qwO\e~5}#$D&CLrD SSO#

M'zDu<O$.s,e~IT9( HTTP 7,dP|,M'zm]E",ICZT

/O$T#$~qwOKPD&CLr#(}`F==,LTPA cookie ICZq!T

Web &CLr~qw(g WebSphere)D SSO#

dC%;"a9C HTTP 7#$&CLr

CZ"a=&CLrD HTTP 7I iv-headers sZ(#izI#IzID7/O\F

* IV 7#


I&Z(C'kss,e~IT+(eM'zj6D IV 7ekksP,)&CLr&

m#ksI\#$ Web ~qww\D&CLr&m1,K7E"ICwC'j6D$

w#?NCJBD2+&CLr1,C'MITb%G<DX*#

g{dCCZsZ(&m,r IV 7f;v";)ryP iv-user"iv-user-l"

iv-creds"iv-groups"iv-remote-address"HTTP 7`M;pek#BmPhvKb)7`

M#

m 26. IV 7VNhv

IV 7VN hv

iv-user Access Manager C'DrL{F#g{M'z4O$(4*),

r1!*4O$#

iv-user-l C'Dj{r{($Mq=)#}g LDAP (P{F#

iv-groups C'ytiPm#

iv-creds `kD;8w}]a9,zmC'D Access Manager >$#

iv-remote-address M'zD IP X7#K5ITzmzm~qwrxgX7*;Lr

(NAT)D IP X7#

tCM{CzI IV 7

*9e~IT+ IV 7ekQZ(Dks,h*dCe~9C IV 7xPsZ(&m#

pdwebpi.conf dCD~PD [common-modules] Z(eyPO$=(DC(#*t

C IV 7CZsZ(&m,k+ pdwebpi.conf dCD~P [common-modules] ZP

DX|V5 iv-headers VdxN} post-authzn#4:

[common-modules]
post-authzn = iv-headers

dC IV 7N}

IV 7O$N}Z pdwebpi.conf dCD~D [iv-headers] ZPdC#

generate N}8(*"zmks1+zID IV 7`M#1!ivB,*"zmks

1e~zIyP`MD IV 7#P'!n*:all"iv-creds"iv-user"

iv-user-l"iv-remote-address#*dk`v7`M,k9C:EVt5#

}g:

[iv-headers]
generate = iv-creds,iv-user,iv-user-l

9C LTPA cookie %;"a= WebSphere Application Server

20e~w* WebSphere Application Server D#$c1,CJDM'zfT=v1Z

DG<c * WebSphere ~qDe~M2+&CLr#*ZKivB*a)%cG<,

ITdCe~zIyZ cookie Da?6Z}=O$(LTPA)zF,"Qd+]='V

LTPA cookie D Web &CLr~qw#

C'"vT~qwOJ4Dks1,C'XkWHTe~xPO$#O$I&1,e

~zmC'zI LTPA cookie#w* Web &CLr~qwDO$nFD LTPA cookie

|,C'j6M\kE"#KE"C;Ve~M&CLr~qw.d2mD\\k#

$D\?xPS\#


e~+ cookie ek=ksD HTTP 7P,Kks"M= Web &CLr~qw#&C

Lr~qwSUks,T cookie xPb\,"y] cookie Pa)Dj6E"O$C

'#

*a_T\,e~+ LTPA cookie f"Za0_Y:fP,"T,;C'a0ZdD

sxks9C_Y:fD LTPA cookie#XZhCa0_Y:fDN}Dj8E",k

NDZ 35 3D:dCe~a0/>$_Y:f;

dC9C LTPA cookie %;"a= WebSphere

9C LTPA cookie 5V%;"a='V LTPA cookie D&CLr~qwGe~sZ(

&mD;?V#*tCK&\,kT pdwebpi.conf dCD~D [common-modules]ZPDN} post-authzn Pdk|5 ltpa;4:

[common-modules]
post-authzn = ltpa

LTPA cookie dCGZ pdwebpi.conf dCD~D [ltpa] ZP4PD#TBN}h*

dC#

m 27. LTPA dCN}.

N} hv

ltpa-keyfile CZS\ cookie Py|,j6E"D\?D~D+76

{#

ltpa-stash-file \kf"D~D;C#g{^\kf"D~fZ,r&!{

"MKu?#

ltpa-password \kf"D~;fZ1*9CD\k#

ltpa-lifetime LTPA cookie DP'Z(k)#

LTPA %;"aD<u"bBn

v \?D~|,XZX( Web &CLr~qwDE"#g{r,;e~mS`v&C

Lr~qw,ryP~qw+2m`,D\?D~#

v *9%;"aI&,e~M&CLr~qwXkT3V==2m`,D"amE

"#

v &CLr~qw:phC LTPA M4(2mD\?#

S WebSEAL rd|zm%;"a=e~

1e~v?M Web ~qwSU=4TIE&CLr(g WebSEAL r`74C/Pz

mLr)Dks1,IV 7I\aek*S=e~DksP#IV 7|,j6p<M'z

DE",x;G*S~qwDE"#7PDE"CZ9lp<M'zD>$,TCZ

Z(#

g{dCe~9C IV 74PM'zO$,re~9CSBqksPR=D IV 7Pi

!Dm]4(M'z>$#IZM'z1l IV 7\]W,yTvZO$ksPhC09

C~6O$Lr1j>1E4(byD>$#

TZO$,ITdC IV 7Z(}zmSU1S\ksPD;v";)ryP

iv-user"iv-user-l"iv-creds r iv-remote-address 7,w*O$D$]#iv-remote-address

7CZG<C'Df}6LX7#b) IV 7`MI Access Manager M WebSEAL 6


p#

m 28. IV 7VNhv

IV 7VN hv

iv-user M'zDrL{F#g{M'z4O$(4*),r1!*4O

$#

iv-user-l C'Dj{r{($Mq=)#

iv-groups M'zytiPm#

iv-creds `kD;8w}]a9,zm Access Manager >$#

iv-remote-address M'zD IP X7#K5ITzmzm~qwrxgX7*;Lr

(NAT)D IP X7#

*Kw*M'zj6D$wS\,WebSEAL rd|zm>mXkQre~O$#b(

#G(}zmMe~#$D Web ~qw.d`%O$D SSL ,S5VD#

dC IV 7%;"a= Access Manager Plug-in for Web Servers

tCM{C9C IV 7DO$

pdwebpi.conf dCD~PD [common-modules] Z(eyPO$=(DC(#*t

C9C IV 7DO$,k+}C0iv-header1Vdx authentication N};4:

[common-modules]
authentication = iv-header

dC IV 7N}

IV 7O$N}Z pdwebpi.conf dCD~D [iv-headers] ZPdC#

accept N}8(S\CZ4P IV 7O$D IV 7`M#1!ivB,e~S\yP

`MD IV 7#P'!n*:all"iv-creds"iv-user"iv-user-l"iv-remote-address#*dk

`v7`M,k9C:EVt5#

}g:

[iv-headers]
accept = iv-creds,iv-user

9CJO*F cookie xP%;"a

*sZ(&mdCJO*F cookie s,e~ZX(Z~qwrGr6'D cookie PT

M'zD>$}]xPS\#M'zZ;N,S1,cookie EZ/@wO#M'z"T

CJrPDm;v2+~qw1,cookie a)xM'zX(r=DB;v~qw#cookie

CZT/XBO$,byM'z;X4PV/XBO$DNq#Q4F~qwODe

~2m;+2\?,K\?b\ cookie Py,D>$E",("Ba0#

tC9CJO*F cookie D%;"a

ITdCJO*F cookie 4PO$MsZ(Nq#

dC*9CJO*F cookie xPsZ(&mDe~T>$xPS\,"+dw*JO*

F cookie f"ZBql&P#


dC*9CJO*F cookie 4PO$De~CBqksPR=DJO*F cookie PD

S\>$XBO$M'z#

*9CJO*F cookie tC SSO,XkdCJO*F#ixPO$MsZ(#+}C

0failover1VdxdCD~ [common-modules] ZPD authentication M

post-authzn N};4:

[common-modules]
authentication = failover
post-authzn = failover

":dCd|O$zFT0JO*F cookie 1,Xk+JO*F cookie O$dC*u

<O$=(#

dCJO*F cookie N}

JO*F cookie O$N}Z pdwebpi.conf dCD~D [failover] ZPdC#

failover-cookies-keyfile N}8(CZTJO*F cookie PD>$}]xPS\Mb

\DD~#}g:

[failover]
failover-cookies-keyfile = failover.key

\?D~Xk9C;Z install_path/bin ?<PDLr pdwpi-cdsso-key-gen 4(#

C(:

./pdwpi-cdsso-key-gen key_file_name_to_create

failover-cookies-lifetime N}(eP'D failover-cookie P'Z(V)#bG8 cookie

4(M cookie {C.dD1d#1!5* 30 VS#

[failover]
failover-cookies-lifetime = 30

enable-failover-cookie-for-domain N}tCr_{C cookie Z{vrPDP'T#

*q!TrPyP~qwD SSO,k+KN}hCI true#

}g:

[failover]
enable-failover-cookie-for-domain = true


Z 7 B gSgx%;"a

5V Access Manager Plug-in for Web Servers Ta)T2+rD#$1,(#h*a

)TJ4%;"aDbv=8#>BV[e~gSgx%;"abv=8#

wbw}:

v :i\gSgx%;"a;

v Z 80 3D:gSgx%;"a&\M*s;

v Z 80 3D:gSgx%;"axLw;

v Z 81 3D:mbgSgx cookie;

v Z 82 3D:mb0$51ksM&p;

v Z 82 3D:mb0$51nF;

v Z 83 3D:S\0$51nF;

v Z 83 3D:dCgSgx;

v Z 85 3D:dCgSgx%;"a * >};

i\gSgx%;"a

Access Manager Plug-in for Web Servers gSgx%;"a&\JmC'CJ`vrP

`v~qwODJ4,x;h*XBO$#

0gSgx1G;iNkL5X5D;,Dr(Access Manager r DNS)#b)NkD

rITdC*;nL5D;?V("RIZXm-rI\9C;,D DNS {F),r

dC*5P2mX5D;,5q(}g+>\?"KY#U+>MFq\m+>)#

ZN;=8P,\P;vr8(*0w1r0yP_1r#ZNk5qDivB,w

r5P\mgSgxDL5-i#

Z=V=8P,XZNkgSgxDC'DO$E"(|(CZO$DC'{M\

k)GZwrP,$D#bV2EJmT\mJbD%c}C,}ggSgxPDo

z@fwC,|G<8rwr#

w*!q,ITC Access Manager Web Portal Manager /ITKE"D\m,byN

kr:p\mdT:DC'#

wr05P1C' * 4XFC'DO$E"#^[C'ZN&ksJ4,wr<UG

C'XkxPO$DX=#

TwO$~qw(MAS)xPO$ * ;ZwrP"RdC*O$yPC'D~qw

(r4F~qw/O)#MAS D0p&^F*a)O$~q#MAS ;C|,TC'I

CDJ4#

;)C'r MAS I&O$,MAS MzI0$51nF#KnF+XC'"vksD

~qw#~qw+K0$51nFS*$w,$5C'QI&r MAS O$"ITNk

gSgx#


gSgxr.dDE"*FZ:gSgx%;"axLw;;ZPj8hv

gSgx%;"a&\M*s

v gSgx&\'V(}1SJ4 URL(i))xPCJ#

v 5VgSgxh*TNkgSgxDyPrPDyPe~xP;BDdC#

v NkgSgxDyPC'T;ZwrPD%vwO$~qw(MAS)xPO$#

v g{C';P MAS DP'J',rgSgx5VJmZ6LrPxP0>X1O

$#

ksG MAS(+Nk)rPDJ41,r MAS O$'\DC'IT!qr"vk

sD>X~qwO$#

v MAS(nsG6LrPd|y!~qw)0$51C'DQO$j6#

v X(ZrD cookie CZj6ITa)0$51~qD~qw#bJm6LrPD~

qwZ>Xks0$51E"#gSgx cookie DS\Z];|,C'j6r2+

TE"#

v XbnFCZ+]S\D0$51C'j6#0$51nF;|,5JDC'O$E

"#j{TI2m\?a)(}6 DES)#nF|,^FnFP'TVx1dD,1

(P'Z)5#

v HTTP M HTTPS O<'VgSgx5V#

v %vgSgxr\mdT:C'Dj6MX*X(#IT9Cgr3d&\

(CDMF)API +6LrPDC'3d=>XrPDP'C'#

g{gSgxr2m+VC'j6,r;h*K3d&\#

v gSgxDdCZ?vNke~D pdwebpi.conf D~PhC#

gSgx%;"axLw

gSgxIe~v?MwO$~qw(MAS)Mw*gSgxD=Se~v?M~q

wiI#gSgxD5VyZ0$5153#(#,14O$C'(}e~ksJ4

1,aa>{Ga)O$E"#ZgSgxdCP,e~~qwj60$51~qw

"SK0$51~qwksC'QO$Di$#0$51~qwf"C'DP'>$

E"#

TZC'DZ;Nks,0$51~qw<UG MAS#MAS Lxw*;ZwrPDJ

4D0$51~qw#fEC'LxZgSgxZksJ4,?v6LrPD%v~

qw<IT*C'9(dT:D>$(y]4T MAS DC'j6E"),"#Ndr


PJ4D0$51~qwG+#

TO>}T>fZZgSgxPD=vr,MOO rM FOO r#TBxLZC'Z;

NG<=gSgxPD2+ Web >c1"z:

1. C'ksT Web ~qw ww1.moo.com ODJ4xPCJ#e~9Xks"7O

ww1.moo.com QdCI boo-foo-moo gSgxD;?V#S ww1.moo.com dCP

j6gSgxPD MAS ~qw#

2. ks+]= MAS * www.boo.com#MAS zm ww1.moo.com O$ks,""v

0$51nF,KnFI*C'DgSgxj6#nFPDC'j6E"GS\

D#

3. MAS +0$51nF"M= ww1.moo.com#ww1.moo.com +K0$51nFS*

$w,$5C'QI&r MAS O$,VZITyZ#fZ(XFCJyksDJ

4#

mbgSgx cookie

v gSgx cookie GIe~hCDX(ZrD cookie /O,f"ZC'/@wDZf

P,"ZsxksP+M=d|e~5}(,;rP)#

v X(ZrD cookie |,0$51~qwD{F"gSgxj6"0$51~qwD

;C(URL)M&\T0P'Z5#cookie ;|,C'E"#

< 7. G<=gSgx#


v gSgx cookie JmNkrPD~qwZ>Xks0$51E"#MAS y$tDr

DgSgx cookie DwC;Pb4X*#

v cookie _PZ pdwebpi.conf dCD~PhCDP'Z(,1)5#KP'Z58(

6L~qwIT*C'a)0$51E"D1d$H#cookie P'Z=Z1,C'X

kX(r MAS TxPO$#

v XU/@w1,cookie SZfe}#g{C'SX(rP"z,rgSgx cookie 2

G*U#KYwP'X+dS/@wP}%#

mb0$51ksM&p

gSgx0$51Ywh*(CD&\,K&\(}=vXb9lD URL CJ:0$

51ksM0$51&p#b) URL GZgSgx0$51HTTP X(rZdy]

pdwebpi.conf PDdCE"9lD#

0$51ksC'S;|,dNN>$E"D?j~qw(*gSgxdC)ksJ41,%"

0$51ks#~qwr0$51~qw(MAS rgSgx cookie P8(D~qw)

"M HTTP X(r#

0$51ks|,TBE":

https://vouch_for_server/pkmsvouchfor?ecommunity_name&target_url

SU=~qwli ecommunity_name Ti$gSgxj6#SU=~qw9C0$51

&pPD target_url +/@wX(r=-HksD3f#

pkmsvouchfor0$51URL GIdCD#

}g:

https://www.boo.com/pkmsvouchfor?companyABC&https://ww2.foo.com/index.html

0$51&p

0$51&pG0$51~qwT?j~qwDl&#

0$51&p|,TBE":

https://target_url?PD-VFHOST=vouch_for_server&PD-VF=encrypted_token

PD-VFHOST N}8(4P0$51YwD~qw#SU=(?j)~qw9CKE"

!qb\0$51nF(PD-VF)yhD}7\?#PD-VF N}zmS\D0$51n

F#

}g:

https://ww2.foo.com/index.html?PD-VFHOST=www.boo.com&PD-VF=3qhe9fjkp...ge56wgb

mb0$51nF

*5Vgr%;"a,XkZ~qw.d+];)C'j6E"#KtPE"IX(

r&m,X(r|,S\w* URL ;?VDj6E"#KS\}]F*0$51nF#


v nF|,0$51I&r'\4,"C'Dm](g{I&)"4(nFD~qw

D+^({F,gSgxj6T04(1d5#

v P'0$51nFDVP_IT9CKnFZ~qwO(";va0(T0>$/

O),x;XT=rK~qwO$#

v nF9C2mD}6 DES \?S\,rKITi$df5T#

v S\DnFE";f"Z/@wO#

v nF;+];N#SU=~qw9CKE"ZdT:D_Y:fP9(C'>$#

~qw+b)>$CZ,;a0PKC'TsavDks#

v nF_PZ pdwebpi.conf dCD~PhCDP'Z(,1)5#K5I\\L(8

k)TuYX4%wD#U#

S\0$51nF

Access Manager Plug-in for Web Servers XkTnFPECDO$}]xPS\,9C

D\?I;Z /bin ?<PD pdwpi-cdsso-key-gen 5CLrzI#Xk(}M?v

NkrPD?ve~~qw2m\?D~0,=1\??#?vrPD?vNkDe

~~qwh*9C,;\?#

":4(MV"\?D~;G Access Manager gSgxxLD;?V#XkV/+\

?2+4F=?vNkD~qw#

KP pdwpi-cdsso-key-gen 5CLr1,5CLrh*z8(\?D~D;C(xT

76{):

UNIX:

# pdwpi-cdsso-key-gen absolute_pathname

Windows:

MSDOS> pdwpi-cdsso-key-gen absolute_pathname

S\\?Z pdwebpi.conf dCD~D [ecsso-domain-keys] ZPdC#j8E"Z

B;Z:dCgSgx;PV[

dCgSgx

>Z4igSgx5Vh*DyPdCN}#b)N};Z pdwebpi.conf D~P#X

k*gSgxPD?ve~P8dCKD~#

tCM{CgSgxI1

pdwebpi.conf dCD~PD [common-modules] Z(eyPO$=(DC(#*9

e~~qwITZgSgxZxPYw,k+uo0ecsso1Vdx authentication M

post-authzn N},gBy>:

[common-modules]
authentication = ecsso
post-authzn = ecsso

pdwebpi.conf dCD~PD [modules] Z(eyPICDO$zF0dX*D2mb

{F#7#gSgx SSO u?fZ;4:

[modules]
ecsso = pdwpi-ecsso


e-community-name

e-community-name N}j6~qwytDgSgxD{F#}g:

[ecsso]
e-community-name = companyABC

gSgxyPI1D e-community-name 5Xk`,#

is-master-authn-server

KN}j6C~qwGqG MAS#5|( yes r no#TZgSgx MAS,N}h

CgB:

[ecsso]
is-master-authn-server = yes

`ve~ITdC*wO$~qw,;sEZ:X=bw.s#ZK=8P,gSg

xPDd|yPe~~qw<+:X=bw6p* MAS#

g{ is-master-authn-server hCI0yes1,rK~qw+S\4Td|e~5}D

$5ks,b)e~5}D e-community-name `,,"Rdr\?PZ

[ecsso-domain-keys] ZP#

master-authn-server

g{ is-master-authn-server N}hC*0no1,rXk!{"M"8(

master-authn-server N}#KN}j6gSgx MAS D+^(r{#}g:

[ecsso]
master-authn-server = www.boss.com

master-http-port

VdwO$~qwCZSU HTTP ksDKZE#g{KZE;Gj<KZ 80,rX

kZK8(Gj<KZE#

[ecsso]
master-http-port = port_number

master-https-port

VdwO$~qwCZSU HTTPS ksDKZE#g{KZE;Gj<KZ 443,r

XkZK8(Gj<KZE#

[ecsso]
master-https-port = port_number

vf-token-lifetime

KN}hC0$51nFDP'Z,15(k)#y] cookie OD4(1dAGliK

5#1!5* 180 k#Xk<GNk~qw.dD1S+n#1!ivB,N}hCg

B:

[ecsso]
vf-token-lifetime = 180

vf-url

KN}8(0$51URL#K5XkT}1\(/)*<#1!hC5*:

[ecsso]
vf-url = /pkmsvouchfor

2ITm>)9 URL:

vf-url = /ecommA/pkmsvouchfor


ecsso Domain Keys

dCD~D [ecsso-domain-keys] ZP(eDG\?D~D;C,T MAS M6Lr

PNkD~qw.dDnFxPS\Mb\1h*b)\?D~#dC MAS |(*?

vdGwDr(e\?#dC MAS TbDgSgxI1|(*rM MAS (e\?#

Xk*~qw8(+^(r{,*\?D~;C8(xT76{#

TB MAS dC>}T MAS a)\?D~,CZM=v6Lr(E:

[ecsso-domain-keys]
moo.com = /abc/xyz/moo-boo.key
bar.com = /abc/xyz/foo-boo.key

dCrPD~qw|(8( MAS rMCZk MAS ;;E"D`&\?#rP~qw

.dD}] ; ; 2 h * \ ? # } g : N k g S g x D r P D ~ q w D

[ecsso-domain-keys] ZI\gB:

[ecsso-domain-keys]
#the key for data exchange between the MAS (boo.com) and the moo.com domain servers
boo.com = /abc/xyz/moo-boo.key
#the key for data exchange between servers in the moo.com domain
moo.com = /abc/xyz/moo.key

dCgSgx%;"a * >}

TB>}P,P=vQdCDgSgx(foo-moo M bar-tar)T0O$b=vgxDk

sD%v MAS#

TBu~JCZK>}:

v www.boss.com G=vgSgxD MAS#

v foo-moo gSgxPfZ=v;,Dr(rcp{?vrPP;v~qw)* moo.com

M foo.com#CJb)rdP.;DC'IT;hXBO$MCJd|r,r*yP

DCJ<G(} MAS Z(D#

< 8. gSgx%;"adC>}


v bar-tar gSgx|,=v;,Dr * bar.com M tar.com#CJb)rdP.;DC

'IT;hXBO$MCJd|r#

v CJ bar.com ~qw.;DC'IT9C0$51nFCJm;v~qw#ZKiv

B,%;"a;h MAS Z(CJMIT5V#

ZOv>}P,TBdCu~JC:

dC MAS * www.boss.com

r* MAS G`vgSgxDXFPD,yTh*dC ecsso #iD=v;,

5}"(e MAS X~h*DgSgx{F#MAS h*Q8(dXFDyPg

xPDwrDyP\?#TBdCu~JC:

[modules]
ecsso1 = pdwpi-ecsso-module
ecsso2 = pdwpi-ecsso-module

[common-modules]
authentication = ecsso1
authentication = ecsso2
post-authzn = ecsso1
post-authzn = ecsso2

[ecsso1]
e-community-name = foo-moo
is-master-authn-server = yes
.....etc

[ecsso2]
e-community-name = bar-tar
is-master-authn-server = yes
.....etc

[ecsso1-domain-keys]
# one key for each domain the MAS controls
moo.com = /abc/bosskeys/boss-moo.key
foo.com = /abc/bosskeys/boss-foo.key
tar.com = /abc/bosskeys/boss-tar.key
bar.com = /abc/bosskeys/boss-bar.key

dC www.moo.com

[modules]
ecsso = pdwpi-ecsso-module

[common-modules]
authentication = ecsso
post-authzn = ecsso

[ecsso]
e-community-name = foo-moo
is-master-authn-server = no
master-authn-server = www.boss.com
.....etc

[ecsso-domain-keys]
#key for encrypting/decrypting data
#between servers in the moo.com domain
moo.com = /abc/moo-keys/moo.key
#key for encrypting/decrypting data between
#servers in the moo.com domain and the MAS
boss.com = /abc/moo-keys/boss-moo.key


dC www.foo.com

}Kr\?+;,b,5VT www.foo.com xP%;"aDdCN}M*

www.moo.com dCDN}`,#www.foo.com Dr\?dCgB:

[ecsso-domain-keys]
#key for encrypting/decrypting data
#between servers in the foo.com domain
foo.com = /abc/foo-keys/foo.key
#key for encrypting/decrypting data
#between servers in the foo.com domain and the MAS
boss.com = /abc/foo-keys/boss-foo.key

dC www.tar.com

[modules]
ecsso = pdwpi-ecsso-module

[common-modules]
authentication = ecsso
post-authzn = ecsso

[ecsso]
e-community-name = bar-tar
is-master-authn-server = no
master-authn-server = www.boss.com
.....etc

[ecsso-domain-keys]
#key for encrypting/decrypting data
#between servers in the tar.com domain
tar.com = /abc/tar-keys/tar.key
#key for encrypting/decrypting data between
#servers in the tar.com domain and the MAS
boss.com = /abc/tar-keys/boss-tar.key

dC ww1.bar.com

T ww1.bar.com DgSgx%;"adCM www.tar.com D`,#h*=v\

?,;vCZ MAS M bar.com r.d}]DS\/b\,m;v\?CZ

bar.com rZ?~qw.d}]DS\/b\(4K>}PD ww1.bar.com M

ww2.bar.com)#

[ecsso-domain-keys]
bar.com = /abc/bar-keys/bar.key
boss.com = /abc/bar-keys/boss-bar.key

dC ww2.bar.com

ww2.bar.com D\?(eM ww1.bar.com D`,#

[ecsso-domain-keys]
bar.com = /abc/bar-keys/bar.key
boss.com = /abc/bar-keys/boss-bar.key


=< A. pdwebpi.conf N<

m 29. #fdCN}

#f

N} hv

[pdweb-plugins]

virtual-host j6|,XZX(ibwzDdCE"DStZ#

unprotected-virtual-host j6e~;*da)2+TDibwz#e~JmTb)

ibwzxPCJx;Tks4PO$MZ(#

CJ4#$Dibwz1,ZU>D~P4(;vu?#

web-server j6}Z9CD Web ~qwD`M#IS\D5P:

v iis(Microsoft Internet Information Services)

v ihs(IBM HTTP Server)

v iplanet(iPlanet Web Server)

KN}Z20ZdT/hC#

windows-file-system r Authorization Server 8v&I!@6k)\bk URI

(zm Windows D~53J4)`XD2+TJb#

g{hC* true,r{9T|,`F Windows 2000 rL

76{D76*XD URI yxPDyPCJ#XpGT ~

}VaxD76*X+;\x#Z Windows 53O,KN

}1!ivBhC* true#Z UNIX 53O,dhC*

false#

I T 4 ? v i b w z 2 G K N}, = (GZ ` & D

[virtual_host] ZP8(KN}#

case-sensitive f* Authorization Server gN&m URI Ds!4#

g{hC* false,URI Z9l`&D Access Manager T

s{F1*;*!4,Z(v_}GTUKTs{Fwv

D#

Z UNIX 53O,KN}hC* true#Z Windows 53

O,dhC* false#

windows-file-system N}hC* true R case-sensitive 4(e1,1!ivB+ URI *;*!4#

k"b,Ts{FD /PDWebPI/branch ?V"GgK*;

D#

I T 4 ? v i b w z 2 G K N}, = (GZ ` & D

[virtual_host] ZP8(KN}#


utf8-url-support-enabled XFzk3,9(`&D Access Manager \#$Ts{F

19CKzk3bM URL#

g{hC* true,rY(T Authorization Server a)D

URI C UTF8 `k,"RZCZ9l Access Manager \

#$Ts{.0*;* Authorization Server KP1y9C

Dzk3#

g{hC* false,rY(T Authorization Server a)D

URI GC Authorization Server KP1y9CDzk3`k

D#

g{hC* auto,rli?v URI PD`VZ UTF8 r

P#g{R=,rY( URI C UTF8 `k#g{lb=

^' UTF8 V{rP,rY( URI 9C Authorization

Server KP1y9CDzk3#

I T 4 ? v i b w z 2 G K N}, = (GZ ` & D

[virtual_host] ZP8(KN}#

log-file j6dP6qyP Authorization Server NqDU>D~D

D~{M76#

logs 8(ZXB9CZ;vU>D~.0*4(DU>D~

}#

log-entries 8(Zv/=BU>D~.0*4kDU>u?}#

mpa-enabled `74C/PzmLr(MPA)Ga)`vM'zCJD

xX#("kp<~qwD%;QO$(@,"(}K(

@"MyPM'zksMl&(E#

g{hC* true,rtC MPA \&#

g{hC* false,r{C MPA \&# IT4?vib

wz2GKN},=(GZ [virtual_host] ZP(eKN

}#

mpa-protected-object (exPZ(v_y@]D MPA Ts#

IT4?vibwz2GKN},=(GZ [virtual_host]ZP(eKN}#

user Z UNIX 53O,KN}(e Policy Manager M

Authorization Server xLDC'{#

group Z UNIX 53O,KN}(e Policy Manager M

Authorization Server xLDi{#

[module-mgr]

path |,#i2mbD~D76#Jm`v76u?,r*e

~+QwyPu?#

[wpiconfig]

server-type ZdC1hC,T(z!{dC#

install-dir ZdC1hC,T(z!{dC#


vhosts ZdC1hC,T(z!{dC#

m 30. O$dCN}

O$

N} hv

[modules]

module_name =shared_library_name

ywICO$=(M`X*Db#

acctmgmt J'\m

BA y>O$

cert $i

failover JO*F

forms m%

ip-addr IP X7

iv-headers IV 7

session-cookie a0 cookie

ssl-id SSL j6

tag-value jG5

http-hdr HTTP 7

token nF

[common-modules]

authentication 8(CZC'O$D=(#

session 8(CZ,Va04,D=(#

post-authzn 8(CZsZ(&mD=(#

[authentication-levels]

level = module_name [authentication-levels] Z(e]}O$6pM [modules]ZP(eDO$=(D3r#

g{4Td(eNNu?,rO$=(1!*6p 1#O$

3r7(*Q(eO$=(Dn_O$6p=nMO$6

p#g{O$6pItIO$#i2m,rS3r4U#

iZ [modules] ZPvVD3r7(#

[authentication-mechanisms]


passwd-cdas
passwd-ldap
passwd-uraf
token-cdas
cert-ssl
cert-cdas
http-request
cdsso
passwd-strength
cred-ext-attrs

y'VD=SO$zFMek Access Manager O$S53

DX*2mbPm#

[BA]

basic-auth-realm ywr{,K{F+vVZy>O$G<1TC'a)D

T0rO#

[failover]

failover-cookies-keyfile yw\?D~76,K\?D~+CZJO*F cookie P

D>$}]xPS\Mb\#

failover-cookies-lifetime JO*F cookie DP'Z(V)#

enable-failover-cookie-for-domain Z{vr6'ZtC/{CJO*F cookie#

[ltpa]

ltpa-keyfile LTPA \?D~D+76{#

ltpa-stash-file \kf"D~D;C

ltpa-password Zf"D~!yP9CD\k#

ltpa-lifetime LTPA cookie DP'Z(k)#

[forms]

login-form G<m%DD~{#

[tag-value]

cache-definitions tCr{CT=S=TsUdDjG5(eD_Y:f#

tC_Y:f1,?NTjG/5(exP|De~<h

*XBt/#

cache-refresh-interval T(exP_Y:fD"B1ddt(k)#

[token-card]

token-login-form nFG<3fDD~{#

next-token-form (erC'M'zT>DCZksB;vnFDm%#~

qw^(SZ;vnFI&O$C'1,ksM'zdk

m;vnF#

[http-hdr]

header +]=grO$~q(CDAS)CZO$D7{F#

[iv-headers]


accept w*4TzmDO$$wS\D7Pm#P'!nP:

v all * S\yP7`M#

v iv-creds * C'>$E"#

v iv-user * rLC'{#

v iv-user-l * $C'{#

v iv-remote-address * M'zD IP X7#

generate *"4TzmDks1*zID7Pm#P'!nP:

v all * zIyP7`M#

v iv-creds * C'>$E"#

v iv-user * rLC'{#

v iv-user-l * $C'{#

v iv-remote-address * M'zD IP X7#

[acctmgmt]

password-change-form C'ks|D\k1T>Dm%#

password-change-form-uri C'ks|D\k1CJD URI#

password-change-uri \k|DsD URI ?DX#

password-change-success C'I&jI\k|D1T>D3f#

password-change-failure C'^(I&G<1T>D3f#

logout-uri C'"zsD URI ?DX#

logout-success C'I&"z1T>D3f#

help-uri oz3fD;C#

help-page C'ksoz1T>Doz3fDD~{#

[ecsso]

e-community-name 0$51nFMksPvVDgSgx{F#

is-master-authn-server 8(~qwGw9G;ZgSgxP#g{hC* yes,

rK~qwS\4Td|e~5}D$5ks,b)e~

5}Dr\?PZ [ecsso-domain-keys] ZP#

master-authn-server gSgxPw~qwD{F#g{ is-master-authn-server hC* no,rKN}GXhD#

master-http-port l}4Tw~qwD HTTP ksDKZE#

master-https-port l}4Tw~qwD HTTPS ksDKZE#

vf-token-lifetime $5nFP'Z(k)#

vf-url $5 URL#

[inter-domain-keys]

domain_name = key_file NkgSgxDd|rD\?D~;C#


m 31. a0dCN}

a0

N} hv

[sessions]

max-entries f"Za0#iD%v5}PDnsa0}#?vi

bwzD?va0#iDnsa0}#

timeout a0DnsP'Z(k)#

inactive-timeout a0Z,10h*DUP1d$H(k)#

resend-pdwebpi-cookies tCr_{CM?vks;p"M Web e~ cookie#

reauth-lifetime-reset XFa0P'ZF1w#g{hC*0yes1,ra0

P'ZF1w(4,1N}PhCD5)ZI&XB

O$14;#g{hC*0no1,rI&XBO$1

;4P4;#

reauth-grace-period hCM'z5PDm^\Z1d?(k),ZKZd

M'zCTI&4PXBO$,qr>$=Z#

m 32. LDAP dCN}

LDAP

N} hv

[ldap]

bind-pwd Web e~X$LrD\k(ZdC1hC)#

enabled tCr{C LDAP (E(ZdC1hC)#

host LDAP ~qwD{F(ZdC1hC)#

port LDAP DKZE(ZdC1hC)#

m 33. zmdCN}

zm

N} hv

[ipc]

number-of-workers &me~ksD$wLr_L}#

worker-size T?v&me~ksD$wLr_L$VdDZf}

?#

cleanup-interval ?NZfe}.dD1d(k)#

max-session-lifetime (ea0DnsP'Z#

[proxy]

error-page vVbb~qwms1,ZC'/@wOT>D3f

D76#

acct-locked-page C'"TCJx(DJ'1,yT>3fD76#

retry-limit-reached-page o=JmDns'\G<"T}1,yT>3fD7

6#Z LDAP P9C policy |nhCDnsJmG

<'\}#


m 34. Z( API dCN}

Z( API

N} hv

[aznapi-configuration]

sFMG<U>N}0dC

logsize U>s!(VZ),,vKs!r4(BU>D~#

g{hC* 0,r;4(BU>D~#

g{hC*:},r?l4(;vBU>D~,x;

\s!#

logflush "BU>D1ddt(k)#

ns5G 21600(6 !1)#

logaudit tC/{CsFG<U>#

auditlog sFD~D{F#

auditcfg tC/{Ci~X(DsFG<#4;

auditcfg = authn * 6qO$B~#

auditcfg = azn * 6qZ(B~#

db-file ACL }]b_Y:fD~D;C#

cache-refresh-interval liTw Authorization Server D|B.dD1ddt

(k)#

listen-flags tC/{CS\_T_Y:f|B(*Dj>#

Z( API ~q(e

[aznapi-entitlement-services]

service_id ?vZu?(e;,`MD aznAPI ~q#XZ|`E

",kN< Authorization API Programmers Guide#

AZN_ENT_EXT_ATTR bG;v;&|DD536pN}#KN}Jm9C

TsUdOD)9tT#

[aznapi-admin-services]

name = shared_library_name -pobjobject_space & args

dC\m~q#'VDN}P:

-r \#$D objectspace y

-d Web ~qwDD5y?<

-q CZ query_contents DLr

-v ibwzj6(KN}GI!D)

m 35. X(Z Web ~qwDdCN}

X(Z Web ~qw

N} hv

[ihs]

query-contents 8(CZ9C0pdadmin> object list1|n/@ IBM

HTTP Server Web UdDi/Z]Lr#(}Z{*

[ihs:branch] DZ(}g [ihs:/PDWebPI/foo.bar.com])

P*d8(5,IT4?vV'2GKN}


doc-root 8(a)4P0pdadmin> object list1|nyhD Web

Ud/@&\DD5y?<#KN}ZhCibwz

1IdC5CLrhC * Z [ihs:branch] Z(}g

[ihs:/PDWebPI/foo.bar.com])P4?v_TV'8(

KN}

[iis]

query-contents 8(CZ pdadmin /@ IIS Web UdDi/Z]L

r#(}Z{* [iis:branch] DZ(}g

[iis:/PDWebPI/foo.bar.com])P*d8(5,IT4

?vV'2GKN}

post-data-required (e Authorization Server &myhDQa; POST }

]Dm%Pm#}gG<m%#;akT?vibw

z2Gb)N}#

log-file *4T IIS e~DmsMzY{"(eU>D~,*

K7#D~D;BT,b)U>D~k Authorization

Server DU>D~%@#\#g{8(*`T76,

rK;C`TZ20?<D log S?<#g{8(*

xT76,r9CxT76#

[iis:minimum-post-data]

form_uri =minimum_bytes_of_post_data_required

(eZh*s? POST }]DivB,X(m%D

POST }]?#}g:

/token.form = 20000

8>&m /token.form Da;1,Authorization Server

AYh* 20000 VZD POST }]#;\kT?vi

bwz8(b)5#

[iplanet]

query-contents 8(CZ pdadmin /@ iPlanet Web UdDi/Z]

Lr#(}Z{* [iplanet:branch] DZ(}g

[iplanet:/PDWebPI/foo.bar.com])P*d8(5,IT

4?vV'2GKN}#

doc-root 8(a)4P0pdadmin> object list1|nyhD Web

Ud/@&\DD5y?<#KN}ZhCibwz

1IdC5CLrhC ** Z [iplanet:branch] Z

(}g [iplanet:/PDWebPI/foo.bar.com])P4?v_T

V'8(KN}


=< B. O$=(lYN<

m 36. e~O$=(/#iN<

O$=(/#i hv

BA

pdwpi-ba-module

0y>O$1O$#i#

2ITdC*a0MsZ(#i#

m%

pdwpi-forms-module

0HTML m%1O$#i#

9C(}m%a;DC'{M\kxPO$#

9C1,K#iXk,1dC*sZ(#i#

ip-addr

pdwpi-ipaddr-module

0M'z IP X71O$#i#

a)vyZM'z IP X7DO$#M'Xka) http k

sO$zF,T+ IP X7E"3d= Access Manager w

e#

2ITdC*a0#i#

http-hdr

pdwpi-httphdr-module

0HTTP 71O$#i#

a)vyZksP8(D HTTP 7D5DO$#M'Xk

a) http ksO$zF,T+7E"3d= Access

Manager we#

2ITdC*a0#i#

nF

pdwpi-token-module

0nF1O$#i#

Access Manager Plug-in for Web Servers 'V(}M'z

a)DnF(PzkDO$#KO$9CyZ RSA

SecureID fobs D+rSG<#

9C1,Xk,1dC*sZ(#i#

cert

pdwpi-certificate-module

0M'z$i1O$#i#

M'z$iDwb DN 3dI cert-ssl O$zF= Access

Manager we{F#cert-ssl O$zF*sM'z$iDw

b DN 1S3d=C'"amP Access Manager C'D

DN#

K#ivTT;G(} SSL a0=oDO$*sDks,

rKIT*&m HTTP M HTTPS ksDO$Dibwz

2+XdCK#i#

failover

pdwpi-failover-cookie-module

0JO*F cookie1O$#i#

K#iS\JO*F cookie TO$C'#

9C1,K#iXk,1dC*sZ(#i#


iv-headers

pdwpi-iv-headers-module

0IV 71O$#i#

a)yZksPD iv-user" iv-user- l" iv-creds r

iv-remote-address HTTP 7D5DO$#C'Qr0Kzm

~qwO$1,bTZ%;"a= Access Manager Plug-in

for Web Servers G`1PCD#

* I * I E , k s X k ( } 0 K z m ~ q w ( } g

WebSEAL *a)DQO$a0=o#zmXkO$*_P

T } Z C J D i b w z\# $ T s UdV ' D z m

([PDWebPI]p)(^DC'#

TZ9C iv-remote-address 7DO$,M'Xka) http

ksO$zF,T+ IP X7E"3d= Access Manager

we#

K#i2ITdC*sZ(#i#

ecsso

pdwpi-ecsso-module

0gSgx%;"a1O$#i#

K#iXkdC*}wO$~qwTbNkgSgxDi

bwzDO$#i#

9C1,K#iXk,1dC*sZ(#i#

unauth

pdpwi-unauth-module

04O$C'1O$#i#

ZKPvK#iGvZj{T<G#K#i<U~=dC

*EH6nMDO$#i,"CZ*4O$C'zI>

$#

m 37. e~a0#iN<

#i hv

BA

pdwpi-ba-module

0y>O$1a0#i#

9C0y>O$Z(17D5w*a0\?#

9C1,Xk,1dC*O$#i#

2ITdC*sZ(#i#

ip-addr

pdwpi-ipaddr-module

0IP X71a0#i#

9CQO$DM'z IP X7w*a0\?#

9C1,Xk,1dC*O$#i#

http-hdr

pdwpi-httphdr-module

0HTTP 71a0#i#

9CQO$D HTTP 7w*a0\?#

9C1,Xk,1dC*O$#i#


session-cookie

pdwpi-sesscookie-module

0a0 cookie1a0#i#

K#izI"S\ cookie,T)j6a019C#(#vC

wMEH6Da0j6zF#

ssl-id

pdwpi-sslsessid-module

0SSL a0j61a0#i#

9C0SSL a0j61w*a0\?#k"b,!\

Access Manager Plug-in for Web Servers D Windows V

<Pa)K#i,+ Microsoft Internet Information Services

Web Server ";re~a)0SSL a0j61E",r

K,0SSL a0j61;\Cw IIS Da0\?#

m 38. e~sZ(#iN<

#i hv

m%

pdwpi-forms-module

0HTML m%1sZ(#i#

K#i&myZ0HTML m%1DG<ZdDm%}]a

;#

9C1,Xk,1dC*O$#i#

BA

pdwpi-ba-module

0y>O$1sZ(#i#

dC*sZ(#i1,BA #iSksP}%yP4O$D

0y>O$Z(17#0y>O$1#i2ITdCIO

$Ma0#i#

nF

pdwpi-token-module

0nF1sZ(#i#

Access Manager Plug-in for Web Servers 'V(}M'z

a)DnF(PzkDO$#KO$9CyZ RSA

SecurID fobs D+rSG<#

9C1,nF#iXk,1dC*O$#i#

failover

pdwpi-failovercookie-module

0JO*F cookie1sZ(#i#

K#i*M'zzIJO*F cookie#

9C1,JO*F cookie #iXk,1dC*O$#i#

iv-headers

pdwpi-iv-headers-module

0IV 71 sZ(#i#

K#iZJm Web ~qw&mks0,+C'j6E"w

* IV 7ekksP#bTZT Web ~qww\D&CL

r a ) % ; " a ` 1 P C # I T mSD 7 P

iv-user"iv-user-l"iv-groups"iv-creds"iv-remote-address#

K#i2ITdC*O$#i#

tag-value

pdwpi-tag-value-module

0jG/51sZ(#i#

K#iZJm Web ~qw&mks0,+4TC'>$D

=S)9tTw* HTTP 7ekksP#b))9tT(#

MC'"amPDC'tT`T&#

acctmgmt

pdwpi-acct-mgmt-module

0J'\m1sZ(#i#

K#ia)"z(/pkmslogout)"|D\k

(/pkmspasswd)"oz(/pkmshelp)&\#

ltpa

pdwpi-ltpa-module

0LTPA Cookie1sZ(#i#

K#iZJm Web ~qw&mks0,+ WebSphere

Application Server (WAS)a?6Z}=O$

(LTPA)cookie ekksP#ba)KT Web ~qww

\D WAS D%;"a#

ecsso

pdwpi-ecsso-module

0gSgx%;"a1sZ(#i#

yPNkgSgxDibwz<Xk+ ecsso #idC*s

Z(#i#

K#iXk,1dC*wO$~qwTbyPNk_DO

$#i#

=< C. |nlYN<

m 39. e~|nN<

|n hv

pdwebpi_start t/M#9 UNIX 20ODe~xL#

P'!nP:

pdwebpi_start {start|stop|restart|status}

*#9e~;sYXBt/,k9C:

# pdwebpi_start restart

pdwebpi_start |n;ZTB?<P:

/opt/pdwebpi/sbin/

*t/M#9e~ Windows 20,kZ0~q1XFfePj

6e~xL"9CJ1DXF4%#

pdwpi-cdsso-key-gen 4(\?D~,CZTe~}](}gJO*F cookie E"M

0$51nF)xPS\0b\#

C(:

./pdwpi-cdsso-key-gen key_file_name_to_create

pdwpi-cdsso-key-gen |n;Z /bin ?<P#

pdwpi-version Pv20Df>Mf(E"#

pdwpi-version |n;Z /bin ?<P#

pdwpicfg t/5CLr,CZdCM!{dCe~#

pdwpicfg |n;Z /bin ?<P#

=< D. yw

>E"G*Z@za)Dz7M~q`4D# IBM I\Zd|zRrXx;a)>D

5PV[Dz7"~qr&\XT#PXz10yZxrDz7M~qDE",kr

z1XD IBM zmI/#NNT IBM z7"Lrr~qD}C"GbZw>r5>

;\9C IBM Dz7"Lrr~q#;*;V8 IBM D*6z(,NN,H&\D

z7"Lrr~q,<ITzf IBM z7"Lrr~q#+G,@@Mi$NNG

IBM z7"Lrr~q,rIC'TP:p#

IBM +>I\Q5Pr}Zjkk>D5Z]PXDwn({#a)>D5"4ZhC

'9Cb)({DNNmI$#zITCif==+mI$i/Dy:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

PX+VZ(DBCS)E"DmI$i/,kkzyZzRrXxD IBM *6z(?E

*5,rCif==+i/Dy:

IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan

>un;JC*OuzrNNbyDunk1X(I;;BDzRrXx:zJL5

zw+>T04V41Dy!a)>vfo,;=PNNN=D(^[Gw>D,9

G,>D)#$,|((+;^Z)TGV(T"JzTMJCZ3X(C>D,>

#$#3)zRrXxZ3);WP;Jmb}w>r,>D#$#rK>unI\

;JCZz#

>E"PI\|,<u=f;;<7DX=r!"ms#K&DE"+(Z|D;b

)|D+`k>vfoDBf>P#IBM ITf1T>vfoPhvDz7M/rLr

xPDxM/r|D,x;mP(*#

>E"PTG IBM Web >cDNN}C<;G*K=cp{Ea)D,;TNN==

d1TG) Web >cD#$#C Web >cPDJO;G IBM z7JOD;?V,

9CG) Web >cx4DgU+IzTPP##

IBM IT4|O*J1DNN==9CrV"zya)DNNE"x^kTzP#NN

pN#

>LrD;mI=g{*KbPXLrDE"To=gB?D:(i)JmZ@"4(

DLrMd|Lr(|(>Lr).dxPE";;,T0(ii)JmTQ-;;DE

"xP`%9C,kkBPX7*5:

IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758
U.S.A.

;*qXJ1Du~Mun,|(3)iNBD;(}?D6Q,<IqCb=fD

E"#

>JOPhvDmILr0dyPICDmIJOyI IBM @] IBM M'-i"IBM

zJLrmI$-irNN,H-iPDuna)#

K&|,DNNT\}]<GZ\X73PbCD#rK,Zd|Yw73PqCD

}]I\aPwTD;,#P)b?I\GZ*"6D53OxPD,rK;#$k

;cIC53OxPDb?a{`,#Kb,P)b?G(}Fcx@FD,5Ja

{I\aPnl#>D5DC'&1i$dX(73DJC}]#

f0G IBM z7DE"ISb)z7D)&L"dvf5wrd|I+*qCDJO

Pq!#IBM ;PTb)z7xPbT,2^(7OdT\D+7T"f]TrNNd

|XZG IBM z7Dyw#PXG IBM z7T\DJb&1rb)z7D)&La

v#

yPXZ IBM 44=rrbrDyw<If1|DrUX,x;mP(*,|Gvv

m>K?jMb8xQ#

>JOvCZF.#ZhvDz7vV.0,K&DE"I\|D#

>JO|,U#5qKwP9CD}]M(mD>}#*K!I\j{X{v|G,

>}P|,KvK"+>"7FMz7D{F#yPb){Fy5i9,gP5JD

s5{FMX7kKW,,?tIO#

g{}Zi4KE"Dm=4,rU,MJ+<}I\;aTV#

Lj

AIX

DB2

IBM

IBM(Uj)

Java

OS/390

SecureWay

Tivoli

Tivoli(Uj)

(C}]b

WebSphere

z/OS

zSeries

Microsoft"Windows G Microsoft Corporation Z@zM/rd|zRrXxDLj#

UNIX G The Open Group Z@zMd|zRrXxD"aLj#

d|+>"z7M~q{FI\Gd|+>DLjr~qjG#
