![Close [x]](http://dw1.s81c.com/i/c.gif){kind=small}
© Copyright International Business Machines Corporation 2003. All rights reserved.
This month we ask Raymond Neucom to answer your questions about integrating IBM ® of Tivoli® Access Manager with WebSphere® Portal and other IBM products. Tivoli Access Manager for e-Business provides security middleware for the rapid development of secure e-business solutions. Raymond Neucom is in the Advanced Technical Support team, specializing in the integration of Tivoli security products with other IBM and non-IBM products. For more information, see Tivoli Developer Domain.
Question: Can I use WPS 4.2.x with TAM 3.9 and with IBM Directory Server 4.1? Can I use TAM 3.9 with IBM Directory Server 4.1? (submitted by Asim Saddal, IBM)
Answer: WebSphere Portal Server 4.2 does not support TAM 3.9. TAM 3.9 will work and is supported with IBM Directory Server 4.1. However, the LDAP 4.1 server will have to be on a different machine than the TAM 3.9 component. You will need to use the LDAP 3.2.2 client on any system running a TAM 3.9 component.
Question: What versions of WebSphere Portal Server support what versions of TAM?
Answer: WebSphere Portal Server 4.1.x supports TAM 3.9. WebSphere Portal Server 4.2 supports TAM 4.1 (also requires WebSphere Portal Server e-fix PQ70837). WebSphere 4.2.1 supports TAM 4.1.
Question: Where can I find out details on how to integrate WPS and TAM?
Answer: Contact your local Tivoli Security Sales Engineer or Salesperson. They can provide a detailed integration cookbook for either WebSphere Portal Server 4.1.x and TAM 3.9, or WebSphere Portal Server 4.2.x and TAM 4.1.
Question: How do I handle WPS session timeout in an integrated WPS-TAM deployment?
Answer: In an integrated WebSphere Portal Server-Tivoli Access Manager system,
WebSEAL should really be controlling session expiry and reauthentication. To achieve this, I recommend
replacing the contents of the WebSphere Portal Server file,
C:\WebSphere\PortalServer\app\wps.ear\wps.war\screens\html\ErrorNotLoggedOut.jsp,
with the following:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<script language="Javascript">
<:!--
setTimeout("history.go(-1)", 2000)
//-->
</script>
<BR><BR>
Refreshing WebSphere Portal Server user credentials following inactivity timeout... select
<a href="javascript:history.go(-1)" target="_self">here</a> if your browser does not automatically
redirect after 2 seconds.
</body>
</html>
|
Except for the line beginning with "Refreshing", lines not beginning with "<" are continuations of the preceding line and should be entered as such. The above JSP displays a brief message and performs a "BACK" command that will display the previously displayed page. In displaying this page, the Trust Association Interceptor (TAI) automatically relogins the user and refreshes the user's WebSphere Portal Server credentials with minimal disruption.
Question: The WPS-TAM integration cookbooks use a TAI-based connection ("junction") from WebSEAL to the WebSphere Application Server. Is an LTPA junction a viable alternative and what are the relative strengths/weaknesses?
Answer: Both TAI and LTPA junctions will work between WebSEAL and the WebSphere Application Server server hosting WebSphere Portal Server. The choice taken in the WPS-TAM integration to use a Trust Association Interceptor (TAI) is somewhat arbitrary. With a TAI, WebSEAL adds the userid of the current user to the HTTP header sent to the WebSphere Application Server (through the IBM HTTP Server), where the TAI is then invoked. The TAI performs several checks to see if the request did indeed come from the WebSEAL server, and then creates a login context for the userid extracted from the HTTP header. With a TAI, an LTPA cookie is sent back to the browser with the response. WebSEAL (under its default configuration) converts this LTPA domain cookie to a host cookie as the response passes back to the browser. This removes any security exposures associated with domain cookies. With an LTPA junction, WebSEAL generates an LTPA cookie and sends it with the request to the WebSphere Application Server (through the IBM HTTP Server). WebSEAL caches the LTPA cookie for the user to avoid the overhead of recreating it on subsequent requests from the same user. The Application Server does not send the LTPA cookie back with the response because it assumes the caller still has it in its cookie jar. The LTPA cookie does not make it back to the browser.
Question: How does including WebSEAL into a solution change the network architecture?
Answer: WebSEAL has been designed to run in a DMZ as a "bastion host". In general, this allows the "junctioned" Web servers to be moved inside the primary firewall. As the WPS-TAM integration requires both a HTTP junction and a HTTPS junction, those organizations mandating that no unencrypted or unauthenticated HTTP is to pass through their primary firewall should leave the IBM HTTP server in the DMZ (still behind WebSEAL) and configure a HTTPS connection from the IBM HTTP Server to the WebSphere Application Server through the primary firewall.
Meet the Experts is a monthly feature on WSDD. We give you access to the best minds in IBM WebSphere, product experts and executives who are waiting to answer your questions. You submit the questions, and we post the answers to the most popular questions.
Table of contents
Next steps from IBM
Tags
Use the slider bar to see more or fewer tags.
For articles in technology zones (such as Java technology, Linux, Open source, XML), Popular tags shows the top tags for all technology zones. For articles in product zones (such as Info Mgmt, Rational, WebSphere), Popular tags shows the top tags for just that product zone.
For articles in technology zones (such as Java technology, Linux, Open source, XML), My tags shows your tags for all technology zones. For articles in product zones (such as Info Mgmt, Rational, WebSphere), My tags shows your tags for just that product zone.
Popular article tags |
My article tagsSkip to tags list
Popular article tags |
My article tags
