Client identity and generic password

As an administrator, you must know how client identity and passwords are handled so that you understand how WebSEAL manages authentication in some scenarios.

The –b supply option instructs WebSEAL to supply the authenticated Verify Identity Access user name (client's original identity) with a static, generic (dummy) password. The original client password is not used in this scenario.

A generic password eliminates password administration and supports the application on a per-user basis. The dummy password is set in the basicauth-dummy-passwd stanza entry of the WebSEAL configuration file:
[junction]
basicauth-dummy-passwd = password

This scenario assumes that the back-end server requires authentication from a Verify Identity Access identity. By mapping a client user to a known Verify Identity Access user, WebSEAL manages authentication for the back-end server and provides a simple domain-wide single signon solution.

The following conditions exist for this solution:

  • WebSEAL is configured to supply the back-end server with the user name contained in the original client request plus a generic dummy password.
  • The dummy password is configured in the WebSEAL configuration file.
  • The back-end server registry must recognize the Verify Identity Access identity that is supplied in the HTTP BA header.
  • Because sensitive authentication information (user name and password) is passed across the junction, the security of the junction is important. Therefore, an SSL junction is appropriate.
Figure 1. BA Header contains identity and dummy password

BA Header contains identity and dummy password