Toughen Web application security

Build a multiphased authentication system with WebSEAL

Christopher Hockings (hockings@au1.ibm.com), Advanced Customer Engineering Team Member, IBM
Christopher Hockings is a member of the Advanced Customer Engineering team working in the Tivoli Security Business Unit (part of the IBM Software Group). He specializes in providing architecture and integration solutions for customers using the Tivoli Access Manager product suite. This includes building specialized development modules for customers based on the Access Manager product suite. Chris was a member of the DASCOM team when it was acquired by IBM. He has attained a bachelor's degree in engineering and a bachelor's degree in information technology from Queensland University of Technology.

Summary:  Carelessly chosen passwords have made many password-protected systems vulnerable to outside attack. This tutorial shows you how you can use Tivoli Access Manager WebSEAL to build a multiphased authentication system that locks Web applications down more tightly. The tutorial includes sample C code that you can use as a basis for your own applications.

Date:  01 May 2003
Level:  Intermediate


Introduction

What is this tutorial about?

This tutorial explains how to implement multiphased authentication methods using Tivoli Access Manager (TAM) WebSEAL. It provides an overview of the support for multiphased authentication systems within TAM WebSEAL, and presents a coded example that extends those capabilities to include other multiphased authentication systems.

You'll see the implementation of a cross-domain authentication service (CDAS) within WebSEAL, and follow a practical example using the mobile phone Short Message Service (SMS). This example uses the token-cdas interface provided within WebSEAL to simulate the multiphased authentication process.


Who should take this tutorial?

Before you start this tutorial, you should be familiar with the following:

  • Tivoli Access Manager installation and configuration: You should have a solid understanding of the Tivoli Access Manager operating environment. This includes previous installation and configuration experience with the product. You should also be familiar with the CDAS interface, as this tutorial uses this interface to present an advanced authentication topic.
  • Solid C development: You should be able to read and understand C code so that you can adapt the sample code to your operating environment. This tutorial presents code that shows a real example of using the token CDAS interface.
  • General Web experience: Access to an SMS gateway is helpful. This tutorial uses a Web form to post a message to an SMS gateway.

Software requirements

To complete the examples shown in this tutorial, you will need the following installed on your system:

  • Windows development environment: Needed to compile the example CDAS code provided. You'll need to install Microsoft Visual Studio C++ 6.0 and the Microsoft WinHTTP 5.0 development package; the latter is for testing the implementation with an HTTP-enabled SMS gateway.
  • Access Manager WebADK package and its prerequisites: This includes IBM Tivoli Access Manager Base V4.1 and IBM Tivoli Access Manager Web Security ADK V4.1.
  • WebSEAL test environment: Needed to unit-test the implementation. You'll need the following components for this environment:
    • IBM Tivoli Access Manager Base V4.1: This includes a configured runtime and policy server. In this tutorial, we'll use the IBM Directory; however, any supported directory could be used in its place.
    • IBM Tivoli Access Manager WebSEAL V4.1: This includes a configured WebSEAL instance.
    There's a link from which you can download this Tivoli software in Resources. The following figure illustrates the test environment.
  • SMS gateway: This component is not mandatory. However, the tutorial code communicates with a gateway via HTTP to send the one-time password to the end user's mobile phone via SMS, so having such a gateway would be helpful.
