WebSEAL External Authentication Interface

External Authentication Interface (EAI)

By Siva R Praturi

External authentication interface extends the functionality of WebSEAL authentication process. It allows third-party systems to supply an authenticated identity to WebSEAL. This technique enables additional functionality beyond what WebSEAL is designed to do.  EAI can be used with applications written in any language including Java.

EAI process flow

EAI is a mechanism to outsource the responsibility for authentication from WebSEAL to a third party product / application. The way it works is shown in the following diagram.

The diagram describes the following process flow: 

1.       The user attempts to connect to protected application on back-end server. Webseal redirects the request to EAI server, which may be on a separate computer from WebSEAL.

2.       WebSEAL allows unauthenticated access to the EAI server. This is necessary, because the user is not authenticated at this point.

3.       The user and the EAI server communicate. This communication can be as long and as involved as necessary.

4.       The user, based on an HTML page from the EAI server, retrieves a trigger URL, which is a URL that is configured in WebSEAL as one that might contain the EAI output.

5.       The EAI server sends back a reply, which has an HTTP header that contains the user identity and possibly additional information.

6.       WebSEAL creates the credential for the user.

7.       WebSEAL allows the user to access a back-end server.

  

Configuring WebSEAL for EAI

Add the authentication mechanism library

The list of libraries used for authentication is in the [authentication-mechanisms] stanza of the WebSEAL configuration file. To enable EAI, add the following line (all on one line):

• ext-auth-interface = /opt/pdwebrte/lib/libeaiauthn.so

The [eai] stanza

The eai-auth stanza entry in the [eai] stanza of the WebSEAL configuration file enables or disables external authentication interface. To use EAI for HTTP(S) connections, use this line to set the eai-auth value:

• eai-auth = http/https/both

You also must specify the name of the HTTP Headers to match those from your application

• eai-pac-header = am-eai-pac

• eai-pac-svc-header = am-eai-pac-svc

The [eai-trigger-urls] stanza

This stanza specifies the trigger URLs. A trigger URL is a URL whose response can include the EAI server’s reply in HTTP headers. Trigger URLs can also be specified using a wildcard pattern.

• trigger = /eailogin/cgi-bin/eai*.pl 

Server junction and access control list

WebSEAL sees the EAI server as another HTTP server. To allow users to access this HTTP server, WebSEAL requires a junction. Use the following pdadmin command to create the junction. Note that the command is all one line.

s t <instance>-webseald-<webseal computer> create -t tcp-h <eai computer> /eailogin

Users are unauthenticated while they are communicating with the EAI server. To allow unauthenticated access, run the following pdadmin commands. Ignore error message HPDAC0757E about ACL permissions when you get it.

acl create eaiacl

acl modify eaiacl set any-other Trx

acl modify eaiacl set unauthenticated Trx

acl attach /WebSEAL/<webseal computer>-<instance>/eailogin eaiacl

Automating WebSEAL junction management

Automating WebSEAL junction management

By Siva R Praturi

Tivoli Access Manager for e-Business is a Web single sign-on and access management solution. Tivoli Access Manager WebSEAL is the resource manager responsible for protecting Web-based resources. The most common deployment model uses WebSEAL to protect Web applications. WebSEAL junctions are WebSEAL’s link to the back-end resources in the environment. This connection is how WebSEAL knows where the applications are in the environment. Attributes of a junction include the Web server location (hostname, port and protocol) along with a number of other options that control how the Web server is accessed and how its content is processed by WebSEAL.

Content on the Web servers is then accessed via the WebSEAL server hostname, and with an additional path prefix. For example, a WebSEAL junction pointing to a WebSphere Application Server might have been created with the junction name of "/was". A user would then access "http[s]://<webseal-server>/was/" to access the root of the WebSphere Application Server content, rather than "http[s]://<was-server>/".

Management of WebSEAL junctions is performed using the standard IBM Tivoli Access Manager for e-Business administration interfaces, namely:

• Web Portal Manager: a browser-based application
• pdadmin: a command line program 

Creating a single junction is a simple task, but WebSEAL clusters, Configuration migration, Disaster recovery etc factors in a real IBM Tivoli Access Manager for e-Business environment complicate the larger management picture. So it is worth considering the following in any Tivoli Access Manager solution.

• Manage junction definitions across a range of environments, for example, development, system test, and production.
• Provide a mechanism to simplify the administration of WebSEAL junction definitions.

In my view, Automating WebSEAL junction management using pdadmin server task commands with windows batch / shell scripting is a good option to consider in any type of deployments. This approach has below advantages. 

• A supported method for junction management is used.
• Changes are immediate and do not require that the WebSEAL server be restarted.
• Familiar commands are easy for experienced IBM Tivoli Access Manager for e-Business administrators to read.
• Configuration errors are detected when the commands are processed.

I am sure all of you agree that, it is not a difficult task to automate webseal junction management using scripting support when we know related pdadmin server task command and its options. Below are some thumb rules which you can follow to make deployments across environments easier.

1. Define a properties file for every webseal junction with all required values (e.g. userid, password, webseal instance name, host, port etc)
2. Create deploy-junctions script which reads properties file and invokes webseal-junction-create script.
3. Create destroy-junctions script which reads properties file and invokes webseal-junction-delete script. 

You can also think of automating ‘Objectspaces’, ‘ACLs’  etc on similar lines after creating junctions. I have done this exercise and it saves ample amount of time during deployment.