This document describes how to configure the WebSEAL component of IBM Tivoli Access Manager for e-business to force users to login over the HTTPS protocol, while keeping all other application traffic over the less CPU-intensive HTTP protocol. This solution architecture is often considered for Intranet deployments of Tivoli Access Manager for e-business. It is not recommended for Internet deployments where clients are connecting over untrusted networks.
Key elements of the solution include:
- Redirecting to a known URL after WebSEAL login
- Sharing the user session across HTTP and HTTPS
- IBM Tivoli Access Manager for e-business V5.1 - Base Administration Guide
- IBM Tivoli Access Manager for e-business V5.1 - WebSEAL Administration Guide
Consider an organization that has a set of Web applications deployed in the intranet. The company requires a single sign-on solution across these applications, all of which are front-ended by a single employee portal. The intranet network is largely trusted, and so the need for data privacy for all requests is not necessary. However, authentication and password management should still occur over the HTTPS protocol so that passwords are never visibly transmitted.
The company has chosen IBM Tivoli Access Manager for e-business to meet the following security requirements:
- Application traffic is served over the HTTP protocol
- The application has some unsecured, and some secured content
- URL-level security is provided by Tivoli Access Manager
- User authentication must occur over HTTPS protocol
- Users authenticate with username and password
- After successful authentication, the user is redirected to a well-known secured URL, much like a secure portal.
About IBM Tivoli Access Manager
IBM Tivoli Access Manager is a robust and security rich policy management tool for e-business and distributed applications. It addresses the challenges of escalating costs for e-business security, growing complexity of enterprise security solutions, and the inability to implement security policies across platforms. Through its highly available centralized authorization service, IBM Tivoli Access Manager enables better management of business-critical distributed information. It provides simple, more secure access to critical information, and enhances communications with customers, business partners, and others.
IBM Tivoli Access Manager for e-business provides authentication and access control services for Web resources. The WebSEAL server, a component of IBM Tivoli Access Manager for e-business, manages access to all Web servers, regardless of their platforms. This allows an organization to centrally control their Web resources as a single, logical Web space.
IBM Tivoli Access Manager for Operating Systems provides fine-grained control of operating system resources on Linux® and UNIX® systems.
IBM Tivoli Access Manager for Business Integration provides protection for MQSeries® messages. It allows MQSeries applications to send data with confidentiality and integrity using keys associated with the sending and receiving users. The IBM Tivoli Access Manager authorization service provides access control to MQSeries-based services, restricting which users or processes can and cannot put messages on queues or get messages from queues.
IBM Tivoli Access Manager also provides application APIs to allow in-house developed applications to access IBM Tivoli Access Manager services. IBM Tivoli Access Manager supports the Java™ 2 Platform, Enterprise Edition (J2EE) standard Java Authentication and Authorization Service (JAAS) to allow native Java applications to access IBM Tivoli Access Manager for authorization decisions.
IBM Tivoli Access Manager provides a robust Web-based delegated security administration utility that allows delegate security administration to members of their online community.
Implementing the solution
The implementation of this scenario uses a new feature in Tivoli Access Manager V5.1 called login redirects. With this new function, all users are redirected to the same configured URL after successful authentication. In this example, username and password authentication using a form has been chosen.
- The description of this solution requires that a Tivoli Access Manager for e-business environment already be installed and configured. This includes at least one instance of the WebSEAL server.
- Define an ACL that requires authenticated access for the chosen secured resources. Remember that an ACL that is not attached to protected resources has no impact.
pdadmin> acl create secure-access-for-all
pdadmin> acl modify secure-access-for-all set any-other rTl
pdadmin> acl modify secure-access-for-all set unauthenticatedl
- Attach the ACL to the resources requiring authentication. The failure of an unauthenticated request when attempting to access this page will initiate the WebSEAL authentication processing. The precise objects the ACL will be attached to will depends upon the configuration of the environment, namely which host the WebSEAL server is on, and which instance is being used.
pdadmin> acl attach /WebSEAL/<webseal-host-and-instance>/portal/myportal secure-access-for-all
- Configure WebSEAL for forms-based authentication over HTTPS protocol by setting the
httpsin the [forms] stanza of the WebSEAL instance's configuration file, that is
<PDWEB>/etc/webseald-<instance>.conf. Note that this indirectly prevents login over HTTP.
- Configure WebSEAL to share the same user session across HTTP and HTTPS protocols. This change is made in the same configuration file as in the preceding step, by setting the value of the
use-same-sessionparameter of the [session] stanza to
- Configure WebSEAL to automatically redirect to the secure portal page over HTTP. This change is made in the same configuration file as in the preceding step, by setting the value of the
login-redirectparameter of the [acnt-mgt] stanza to
http://<webseal-host>:<port>/portal/myportal. Note that this resource must be accessible to all users, and so it is recommended that the secure-access-for-all ACL described in the first step of this procedure be attached to this resource.
- Configure WebSEAL to allow for automatic redirects when using the forms authentication method. This change is made in the same configuration file as in the preceding step, by setting the value of the
redirectparameter of the [enable-redirects] stanza to
- Customize the WebSEAL error page for
Forbidden(HTTP status code 403) to detect if the user has made the request over HTTP, and automatically redirect to HTTPS to login. Add the code fragment from listing 1 at the top of the file
- Restart the WebSEAL instance. On a machine with multiple instances, ensure that the correct instance is restarted.
Verifying the solution
After making the changes described in the preceding section and after accessing the WebSeal-secured URL over HTTP, verify the correct implementation of the solution as follows.
- Access the WebSEAL-secured URL over HTTP.
- WebSEAL will detect that authentication is required after consulting the access control policy, but because no authentication method is configured for use over the HTTP protocol, WebSEAL will return the error page for Forbidden (HTTP status code 403).
- The WebSEAL login form is presented, now over the HTTPS protocol.
- Assuming that the login succeeds, the user is then redirected to the portal URL over HTTP. A browser warning may be displayed to indicate to the user that they are switching back to an unencrypted transport. This warning can be suppressed in most browsers.
For intranet deployments, IBM Tivoli Access Manager for e-business is well-suited to provide an encrypted authentication exchange while allowing the majority of application traffic to use unencrypted HTTP protocol. This provides an ideal blend of performance and security for semi-trusted networks.
- Share your questions and views on this article with the author and other readers in the Tivoli Security Discussion Forum.
- To learn more about Tivoli Security, visit the developerWorks Tivoli zone. You'll find technical documentation, how-to articles, education, downloads, product information, and more.
- Get involved in the developerWorks community by participating in developerWorks blogs.