IBM Tivoli Federated Identity Manager, Version 6.2.2

Configuring a WebSEAL point of contact server for the OAuth federation

If you use WebSEAL as the point of contact server for your OAuth federation, you must configure it with the configuration utility tool (tfimcfg.jar). Until this is done, the federation endpoints are not reachable through WebSEAL.

Before you begin

The information in this section applies to Tivoli® Federated Identity Manager package users. It also applies to organizations that already have Tivoli Access Manager for e-business in their computing environment.

Before starting this procedure:

About this task

The Federation wizard provides a button that you can use to obtain the configuration utility tool. The procedure includes information on how to obtain and run the utility. The utility configures the federation endpoints on the WebSEAL server, creates a WebSEAL junction to the Tivoli Federated Identity Manager runtime, attaches the appropriate ACLs to the endpoints, and enables the authentication methods the federation needs.

The steps are applicable for OAuth 1.0 and 2.0 federations.

To configure WebSEAL as the point of contact server, complete the steps in this procedure:

Procedure

  1. After creating the federation, click Load configuration changes to Tivoli Federated Identity Manager runtime to reload your changes.
  2. Click Done to return to the Federations panel.
  3. Click Download Tivoli Access Manager Configuration Tool.
  4. Save the configuration tool to the file system on the computer that hosts the WebSEAL server.
  5. Run the configuration tool from a command line. The syntax is:
    java -jar /download_dir/tfimcfg.jar -action tamconfig -cfgfile webseald-instance_name.conf
    Notes:
    • If Federal Information Processing Standards (FIPS) mode is enabled, you must specify the secure socket connection factory with the -sslfactory option. For example:
      java -jar /download_dir/tfimcfg.jar -action tamconfig -cfgfile webseald-instance_name.conf -sslfactory TLS
    • For OAuth 1.0 federations: If an OAuth client sends the OAuth protocol parameters in the HTTP Authorization header, the OAuth server must receive that header. Use the -b ignore option on the junction between WebSEAL and Tivoli Federated Identity Manager to pass the client's HTTP Authorization header through to the backend server. Without it, the default junction behaviour (-b filter) removes the Authorization header before the request reaches the backend, so the OAuth parameters never arrive. This option is not required on the junction if the OAuth client uses either the query string or the POST body to carry the parameters.
    • For OAuth 2.0 federations: If an OAuth client accesses a Policy Enforcement Point that expects an HTTP Authorization header (for example a bearer token), the Policy Enforcement Point must receive that header. Use the -b ignore option on the junction between WebSEAL and the Policy Enforcement Point to pass the HTTP Authorization header through to the backend server. This option is only necessary when the Policy Enforcement Point that reads the OAuth Authorization header is on a server behind WebSEAL. It is not necessary when using the WebSEAL EAS enforcement point for OAuth 2.0, because the EAS runs in WebSEAL itself rather than on a junctioned server.
    • Apply -b ignore only to the junction that needs it. With this option WebSEAL forwards whatever Authorization header the client sent, so the backend behind that junction must validate the credential itself.

Example

For example, when you have placed the tfimcfg.jar file in /tmp, and the WebSEAL instance name is default, the command is:

java -jar /tmp/tfimcfg.jar -action tamconfig -cfgfile webseald-default.conf

Give the full path to the WebSEAL configuration file if you do not run the tool from the directory that contains it.
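The following script is an added example and is not part of the IBM documentation or of the tfimcfg tool. It wraps the procedure above: it checks that the -cfgfile argument really names a WebSEAL instance configuration file, assembles the tfimcfg command (adding -sslfactory TLS for FIPS mode), and assembles the pdadmin junction command with -b ignore for the case where an OAuth 2.0 Policy Enforcement Point behind WebSEAL reads the Authorization header. The jar path, configuration file path, host names, port and junction point /oauth are assumptions for illustration; the pdadmin server name format instance-webseald-host is the standard WebSEAL naming convention but must match your installation.

```shell
#!/bin/sh
# Added example, not IBM's code. Builds and optionally runs the commands
# from the WebSEAL point of contact procedure. Nothing is executed unless
# TFIM_RUN=1 is set; by default the commands are only printed.

# Assemble the tfimcfg command line. Passing "fips" as the third argument
# adds the TLS socket factory that the Notes require when FIPS is enabled.
build_tfimcfg_cmd() {
    jar="$1"; cfgfile="$2"; mode="${3:-}"
    cmd="java -jar $jar -action tamconfig -cfgfile $cfgfile"
    if [ "$mode" = "fips" ]; then
        cmd="$cmd -sslfactory TLS"
    fi
    printf '%s' "$cmd"
}

# -cfgfile must point at a WebSEAL instance configuration file named
# webseald-<instance>.conf. Returns 0 only when the name matches and the
# file is readable, so a typo such as webseald-default is caught early.
check_webseal_conf() {
    f="$1"
    case "$(basename "$f")" in
        webseald-*.conf) [ -r "$f" ] ;;
        *) return 1 ;;
    esac
}

# Assemble the pdadmin junction command for a Policy Enforcement Point that
# sits behind WebSEAL and reads the OAuth Authorization header. -b ignore
# passes the client's header through; the default (-b filter) strips it.
# Server name format <instance>-webseald-<host> and the -t ssl transport
# are assumptions; adjust for your installation.
build_junction_cmd() {
    instance="$1"; host="$2"; backend="$3"; port="$4"; jct="$5"
    printf 'server task %s-webseald-%s create -t ssl -h %s -p %s -b ignore %s' \
        "$instance" "$host" "$backend" "$port" "$jct"
}

main() {
    jar="${1:-/tmp/tfimcfg.jar}"                              # assumed path
    cfg="${2:-/opt/pdweb/etc/webseald-default.conf}"          # assumed path
    mode="${3:-}"                                             # "" or "fips"

    if ! check_webseal_conf "$cfg"; then
        printf 'warning: %s is not a readable webseald-<instance>.conf file\n' "$cfg" >&2
    fi

    tfim_cmd="$(build_tfimcfg_cmd "$jar" "$cfg" "$mode")"
    jct_cmd="$(build_junction_cmd default ws.example.com pep.example.com 9443 /oauth)"

    printf 'tfimcfg: %s\n' "$tfim_cmd"
    printf 'pdadmin: %s\n' "$jct_cmd"

    # Execute only on explicit request; the pdadmin step is left to the
    # operator because it needs an authenticated pdadmin session.
    if [ "${TFIM_RUN:-0}" = "1" ] && check_webseal_conf "$cfg"; then
        eval "$tfim_cmd"
    fi
    return 0
}

main "$@"
```

Run it as `sh tfim_poc.sh /tmp/tfimcfg.jar /opt/pdweb/etc/webseald-default.conf fips` to see the commands, and with `TFIM_RUN=1` to execute the tfimcfg step. The printed pdadmin line is meant to be pasted into a pdadmin session (pdadmin -a sec_master) only when a junctioned Policy Enforcement Point needs the Authorization header; for the WebSEAL EAS enforcement point it is not needed.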

For more information, see tfimcfg reference.



Feedback