
IBM Tivoli Access Manager for e-business

Plug-in for Web Servers Integration Guide

Version 5.1

SC32-1365-00


Note: Before using this information and the product it supports, read the information in Appendix F, "Notices," on page 215.

First Edition (November 2003)

This edition applies to version 5, release 1, modification 0 of IBM Tivoli Access Manager (product number 5724-C08) and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright International Business Machines Corporation 2000, 2003. All rights reserved. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Figures  ix

Tables  xi

Preface  xiii
    Who should read this book  xiii
    What this book contains  xiii
    Publications  xiv
        Release information  xv
        Base information  xv
        Web security information  xv
        Developer references  xvi
        Technical supplements  xvi
        Related publications  xvii
        Accessing publications online  xx
    Accessibility  xx
    Contacting software support  xx
    Conventions used in this book  xx
        Typeface conventions  xx
        Operating system differences  xxi

Chapter 1. Introducing IBM Tivoli Access Manager Plug-in for Web Servers  1
    Tivoli Access Manager Plug-in for Web Servers technology  1
        Basic operational components and architecture  1
        Support for virtual hosts  2
    Protecting your Web space with Tivoli Access Manager Plug-in for Web Servers  3
    Tivoli Access Manager Plug-in for Web Servers authentication  4
        Credential acquisition  5

Chapter 2. IBM Tivoli Access Manager Plug-in for Web Servers configuration  7
    General plug-in information  7
        Root directory of the Tivoli Access Manager Plug-in for Web Servers installation  7
        The pdwebpimgr.conf configuration file  8
        The pdwebpi.conf configuration file  9
    Starting and stopping Tivoli Access Manager Plug-in for Web Servers  9
    HTTP error messages  9
        Macro support  10
        Forms related macros  10
    Configuring the Authorization Server  11
    Configuring Worker Threads  11
    Setting the Maximum Session Lifetime for IPC requests  12
    Configuring error pages  12
    Configuring for virtual host servers  13
        Web-server-specific configuration  15
        Web server considerations  17
    Customizing object listings  18
        Command Line Arguments  18
        Output  19
    Configuring switch user (SU) for administrators  19
        Understanding the switch user process flow  20
        Enabling switch user  20
        Enabling and excluding users from switch user  21
        Configuring the switch user HTML form  22
        Configuring the switch user authentication mechanism  22
        Impacting other plug-in functionality  23
    Configuring fail-over for LDAP servers  24
    Supporting Platform for Privacy Preferences (P3P) headers  25
        Configuring P3P headers  26
    Configuring plug-in auditing, logging, tracing, and the cache database  28
        Audit records  29
        Auditing configuration  30
        Tracing Plug-in actions  31
        Cache database settings  32
    Configuring the authorization API service  33
    Credential refresh  33
        Configuring credential refresh  33
    Configuring HTTP request caching  34
        Configuring server-side caching parameters  35
    Language support and character sets  35

Chapter 3. IBM Tivoli Access Manager Plug-in for Web Servers authentication and request processing  39
    The request handling process  39
    The authentication process  41
    Configuring authentication  41
        Configuring authentication for virtual hosts  42
        Configuring the order of authentication methods  44
    Managing session state  48
        Configuring post-authorization processing  49
        Configuring the plug-in session/credentials cache  50
        Maintaining session state with the SSL session ID