Write external authentication interface servers on Tivoli Access Manager for e-business

Allow WebSEAL to outsource authentication decisions to a separate module


IBM expert Ori Pomerantz has been securing computer networks (and showing others how to do it too) since 1995. Pomerantz joined IBM in 2003 and since then, he has written classes on several IBM security products, including IBM Security zSecure™. He is also a co-author of the IBM Press publication Mainframe Basics for Security Professionals: Getting Started with RACF, 2007. In this whitepaper, "IBM Tivoli Access Manager for e-business 6.1: Writing External Authentication Interface Servers," Pomerantz helps you learn how to use external authentication interfaces with WebSEAL to extend WebSEAL's/Tivoli® Access Manager for e-business's capabilities for e-business authentication.

See Download for the full white paper. The following sections outline what you will learn in the full paper.

What is an external authentication interface?

An external authentication interface is a mechanism to outsource the responsibility for authentication from WebSEAL to a third-party product. The process works like this:

  1. The user attempts to connect to the EAI server, which may be on a separate computer from WebSEAL.
  2. WebSEAL allows unauthenticated access to the EAI server. This is necessary because the user is not authenticated at this point.
  3. The user and the EAI server communicate, which can be as long and as involved as necessary.
  4. The user, based on an HTML page from the EAI server, retrieves a trigger URL, a URL that is configured in WebSEAL as one that might contain the EAI output.
  5. The EAI server sends back a reply that has an HTTP header that contains the user identity and possibly additional information.
  6. WebSEAL creates the credential for the user.
  7. WebSEAL lets the user access a back-end server.

By using an EAI, Tivoli Access Manager for e-business can handle more exotic authentication mechanisms. It also adds an additional layer of authentication that Tivoli Access Manager for e-business can use.

The steps you'll learn

Pomerantz covers the following instructions in this paper:

  • How to configure WebSEAL to access an EAI. This includes adding an authentication mechanisms library, setting usage and header-include triggers, and adding (and controlling) a junction that lets users access the EAI.
  • How to write a simple EAI server, how to debug it, and how to integrate it with WebSEAL. This includes using and testing it and how to enable automatic redirection.
  • How to enable the EAI server to negotiate authentication with users using scripting.
  • How to write EAI servers in PHP.
  • How EAI can send extended attributes to WebSEAL to add to the stored credentials.

Pomerantz also explains step-up authentication, the ability to monitor actions at specific authentication levels. WebSEAL allows for web resources to require different authentication levels, which is useful if a particular application is very sensitive and requires two-factor authentication. An EAI server can report the level at which it authenticated a user. Pomerantz explains how to configure WebSEAL and resources to enable this extra layer of authentication.

Downloadable resources

Related topics


Sign in or register to add and subscribe to comments.

ArticleTitle=Write external authentication interface servers on Tivoli Access Manager for e-business