Thursday, 25 October 2012

Automating WebSEAL junction management


By Siva R Praturi

Tivoli Access Manager for e-Business is a Web single sign-on and access management solution. Tivoli Access Manager WebSEAL is the resource manager responsible for protecting Web-based resources. The most common deployment model uses WebSEAL to protect Web applications. WebSEAL junctions are WebSEAL’s link to the back-end resources in the environment. This connection is how WebSEAL knows where the applications are in the environment. Attributes of a junction include the Web server location (hostname, port and protocol) along with a number of other options that control how the Web server is accessed and how its content is processed by WebSEAL.

Content on the Web servers is then accessed via the WebSEAL server hostname, and with an additional path prefix. For example, a WebSEAL junction pointing to a WebSphere Application Server might have been created with the junction name of "/was". A user would then access "http[s]://<webseal-server>/was/" to access the root of the WebSphere Application Server content, rather than "http[s]://<was-server>/".

Management of WebSEAL junctions is performed using the standard IBM Tivoli Access Manager for e-Business administration interfaces, namely:
  • Web Portal Manager: a browser-based application
  • pdadmin: a command line program 
Creating a single junction is a simple task, but factors such as WebSEAL clusters, configuration migration and disaster recovery complicate the larger management picture in a real IBM Tivoli Access Manager for e-Business environment. It is therefore worth considering the following in any Tivoli Access Manager solution:

  • Manage junction definitions across a range of environments, for example, development, system test, and production.
  • Provide a mechanism to simplify the administration of WebSEAL junction definitions.
In my view, automating WebSEAL junction management using pdadmin server task commands with Windows batch or shell scripting is a good option to consider in any type of deployment. This approach has the following advantages:
  • A supported method for junction management is used.
  • Changes are immediate and do not require that the WebSEAL server be restarted.
  • Familiar commands are easy for experienced IBM Tivoli Access Manager for e-Business administrators to read.
  • Configuration errors are detected when the commands are processed.
I am sure all of you agree that it is not a difficult task to automate WebSEAL junction management using scripting support when we know the related pdadmin server task command and its options. Below are some rules of thumb which you can follow to make deployments across environments easier.

  1. Define a properties file for every WebSEAL junction with all required values (e.g. userid, password, WebSEAL instance name, host, port etc.).
  2. Create a deploy-junctions script which reads the properties file and invokes the webseal-junction-create script.
  3. Create a destroy-junctions script which reads the properties file and invokes the webseal-junction-delete script.
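
The three steps above as one shell script, added here as an example and not taken from the original post. The property key names, the `DRY_RUN` switch and the combined `deploy`/`destroy` entry point are assumptions; the script also refuses properties files that are group- or world-readable (they hold the admin password) and rejects values containing characters that could alter the pdadmin command.

```sh
#!/bin/sh
# Added example, not from the original post. Assumed keys in each file:
# admin_id admin_password webseal_server junction_point junction_type backend_host backend_port

# Read one key from a key=value properties file (tolerates CRLF line ends).
prop() { sed -n "s/^$2=//p" "$1" | tr -d '\r' | head -n 1; }

# True only for a non-empty value made of characters safe to hand to pdadmin.
safe() { case "$1" in ''|*[!A-Za-z0-9._/-]*) return 1 ;; esac; }

# Print the pdadmin "server task" command for one junction.
# $1 = create|delete   $2 = properties file
junction_cmd() {
    server=$(prop "$2" webseal_server); jct=$(prop "$2" junction_point)
    safe "$server" || { echo "$2: bad webseal_server" >&2; return 1; }
    case "$jct" in /*) safe "$jct" ;; *) false ;; esac ||
        { echo "$2: bad junction_point" >&2; return 1; }
    case "$1" in
    create)
        type=$(prop "$2" junction_type); host=$(prop "$2" backend_host)
        port=$(prop "$2" backend_port)
        safe "$type" && safe "$host" && safe "$port" ||
            { echo "$2: missing or unsafe backend value" >&2; return 1; }
        echo "server task $server create -t $type -h $host -p $port $jct" ;;
    delete) echo "server task $server delete $jct" ;;
    *) echo "action must be create or delete" >&2; return 1 ;;
    esac
}

# Apply create|delete to every *.properties file in directory $2.
# DRY_RUN=1 prints the commands instead of calling pdadmin.
run_junctions() {
    for f in "$2"/*.properties; do
        # The file holds the admin password: refuse group/world-readable files.
        [ -z "$(find "$f" -prune \( -perm -040 -o -perm -004 \))" ] ||
            { echo "$f: must not be group/world readable" >&2; return 1; }
        cmd=$(junction_cmd "$1" "$f") || return 1
        if [ -n "${DRY_RUN:-}" ]; then echo "$cmd"; continue; fi
        # $cmd is split into words on purpose; safe() has rejected whitespace.
        pdadmin -a "$(prop "$f" admin_id)" -p "$(prop "$f" admin_password)" $cmd || return 1
    done
}

# Entry point: "deploy <dir>" creates the junctions, "destroy <dir>" deletes them.
case "${1:-}" in
deploy)  run_junctions create "${2:?properties directory}" ;;
destroy) run_junctions delete "${2:?properties directory}" ;;
esac
```

Because `pdadmin -p` puts the password on the command line, it is visible in the local process list while the command runs, so run the script from an administration host with restricted logins.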
You can also think of automating ‘Objectspaces’, ‘ACLs’ etc. along similar lines after creating junctions. I have done this exercise and it saves an ample amount of time during deployment.
