Enabling authentication with WebSEAL

Enabling authentication with WebSEAL eliminates the need for a separate password to access IBM Verify Identity Governance.

Procedure

  1. Follow the instructions in Configuration of IBM Verify Identity Governance for single sign-on with WebSphere Trust Association Interceptor and IBM Security Verify Access WebSEAL.
    Use the following modifications for web services.
  2. Create an ACL that requires authenticated access; this ACL is attached to the WebSEAL junction in a later step.
    For example,
    pdadmin> acl create SSOAPP-ACL
  3. Grant access to the ACL.
    For example,
    pdadmin> acl modify SSOAPP-ACL set group ITIM-Group Trx
             acl modify SSOAPP-ACL set any-other T
             acl modify SSOAPP-ACL set unauthenticated T
  4. Create the junction between WebSEAL and the back-end WebSphere server.
    If you are installing the SSO application on an IBM Verify Identity Governance cluster, the LTPA token must be enabled at the WebSEAL junction. To enable the LTPA token at the junction to the SSO application, you must provide the following information.
    • The location of the key file that is used to encrypt the identity information.
    • The password to this key file.
    Web services configuration requirements are specified in three extra options to the server task create command that is used to create the junction.
    -A
    Enables the LTPA cookies.
    -F keyfile
    Specifies the full path name location on the WebSEAL server of the key file that is used to encrypt the identity information that is contained in the cookie. The shared key is originally created on the WebSphere server and copied securely to the WebSEAL server. See the appropriate WebSphere documentation for specific details about this task.
    -Z keyfile-password
    Specifies the password that is needed to open the key file. The password appears as encrypted text in the junction XML file.

    Use these options and the other junction options when you create the junction between WebSEAL and the back-end WebSphere server.

    For example,

    server task default-webseald-tam60-server create -b supply -t tcp -s -j -e utf8_uri -c iv-creds -A -F "/abc/xyz/key.file" -Z "abcdefg" -p 9080 -h ITIMServer.ondemandinc.com/isimserver

  5. Attach the ACL to the WebSEAL junction.
    For example,
    pdadmin> acl attach /WebSEAL/tam60-server-default/itimserver/itim_ws SSOAPP-ACL
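The ACL in steps 2 and 3 only enforces authentication if the unauthenticated and any-other entries carry nothing beyond traverse (T); an accidental r or x on either entry would let callers reach the junction without a WebSEAL login. The following added example (not part of the IBM documentation) parses the output shape that pdadmin's acl show prints, flags any such over-grant, and checks that a junction create command carries all three LTPA options (-A, -F, -Z) that step 4 requires on a cluster. The ACL listing is constructed sample text in that shape, not output captured from a real WebSEAL instance.

```python
import shlex

# Constructed sample, laid out the way pdadmin's "acl show" prints an ACL:
# name, description, then one entry per line. Not real WebSEAL output.
SAMPLE_ACL_SHOW = """\
    ACL Name: SSOAPP-ACL
    Description:
    Entries:
        Group ITIM-Group Trx
        Any-other T
        Unauthenticated T
"""

# The junction command from the procedure above.
JUNCTION_CMD = (
    'server task default-webseald-tam60-server create -b supply -t tcp -s -j '
    '-e utf8_uri -c iv-creds -A -F "/abc/xyz/key.file" -Z "abcdefg" '
    '-p 9080 -h ITIMServer.ondemandinc.com/isimserver'
)

# Traverse is the only permission an unauthenticated or "any-other" caller
# may hold if WebSEAL is to demand a login before forwarding to the junction.
ALLOWED_WITHOUT_LOGIN = {"T"}


def parse_acl_show(text):
    """Return (acl_name, entries). Keys are 'user:<name>', 'group:<name>',
    'any-other' or 'unauthenticated'; values are the permission strings."""
    name = None
    entries = {}
    in_entries = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("ACL Name:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("Entries:"):
            in_entries = True
        elif in_entries:
            parts = line.split()
            if len(parts) == 3 and parts[0] in ("User", "Group"):
                entries[f"{parts[0].lower()}:{parts[1]}"] = parts[2]
            elif len(parts) == 2 and parts[0] in ("Any-other", "Unauthenticated"):
                entries[parts[0].lower()] = parts[1]
    return name, entries


def acl_over_grants(entries):
    """List the entries that would let a caller bypass authentication.
    Empty list means the ACL requires a login, as the procedure intends."""
    findings = []
    for who in ("unauthenticated", "any-other"):
        extra = set(entries.get(who, "")) - ALLOWED_WITHOUT_LOGIN
        if extra:
            findings.append(f"{who} has {''.join(sorted(extra))} beyond traverse")
    return findings


def missing_ltpa_options(command):
    """Return which of -A, -F <keyfile>, -Z <password> are absent from a
    'server task ... create' command line; -F and -Z must carry a value."""
    argv = shlex.split(command)
    present = {}
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok == "-A":
            present["-A"] = True
            i += 1
        elif tok in ("-F", "-Z"):
            present[tok] = argv[i + 1] if i + 1 < len(argv) else None
            i += 2
        else:
            i += 1
    return [opt for opt in ("-A", "-F", "-Z") if not present.get(opt)]


if __name__ == "__main__":
    name, entries = parse_acl_show(SAMPLE_ACL_SHOW)
    print(name, entries)
    print("ACL over-grants:", acl_over_grants(entries) or "none")
    print("missing LTPA options:", missing_ltpa_options(JUNCTION_CMD) or "none")
```

Run it after the ACL and junction are in place, feeding it the real acl show text instead of the constructed sample; an empty over-grant list together with an empty missing-option list is the state the procedure describes.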