
Lab Exercises
Configuring External Authentication
Interface (EAI)
Course code LIL0310X

IBM Training
December 2017 edition
NOTICES
This information was developed for products and services offered in the USA.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM
representative for information on the products and services currently available in your area. Any reference to an IBM product, program,
or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent
product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's
responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this
document does not grant you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive, MD-NC119
Armonk, NY 10504-1785
United States of America
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local
law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF
ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of
express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein;
these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s)
and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM websites are provided for convenience only and do not in any manner serve as an
endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those
websites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other
publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other
claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those
products.
This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible,
the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to
the names and addresses used by an actual business enterprise is entirely coincidental.

TRADEMARKS
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many
jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM
trademarks is available on the web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml.
Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems
Incorporated in the United States, and/or other countries.
Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used
under license therefrom.
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and
Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
IT Infrastructure Library is a Registered Trade Mark of AXELOS Limited.
ITIL is a Registered Trade Mark of AXELOS Limited.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo are trademarks of HP, IBM Corp. and Quantum in the U.S. and
other countries.
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries,
or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.

© Copyright International Business Machines Corporation 2017.


This document may not be reproduced in whole or in part without the prior written permission of IBM.
US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents
Lab environment
    Lab startup

Exercises
    Exercise 1 Configuring a standard junction
    Exercise 2 Setting up the EAI application
    Exercise 3 Creating an unauthenticated junction for EAI application
    Exercise 4 Updating the reverse proxy configuration
    Exercise 5 Verifying EAI authentication to a protected resource
    Exercise 6 Authenticating using external users

© Copyright IBM Corp. 2017 iii


Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
Lab environment
The following two virtual machines are used to perform the exercises in this lab:
1. Access Manager Appliance VM
This primary VM hosts the IBM Access Manager (IAM) V9.0.3 appliance.

2. Windows VM
This Windows 2008 server VM hosts the resources required to demonstrate various Access
Manager scenarios. The users log on to this system to perform the lab exercises.

The major deployment components of the lab are summarized in the following diagram.

Use the information in the following tables to log on to the lab systems.

System details                        IP Address       Host name
Appliance VM (Management interface)   192.168.42.191   iam.ibmemm.edu
Windows VM                            192.168.42.192   winagent.ibmemm.edu
Appliance VM (Application interface)  192.168.42.193   www.ibmemm.edu

Application/Server                              User                   Password
IAM Appliance login                             admin                  P@ssw0rd
Windows VM login                                IBMEMM\Administrator   P@ssw0rd
Appliance dashboard (https://iam.ibmemm.edu)    admin                  P@ssw0rd

Lab startup
If the systems are not already powered on and available, complete these steps to start the systems:
1. Power on the iam and winagent VMs using the Play button as shown below.

Note: The startup order is not important.

2. Log in to the winagent VM as IBMEMM\Administrator and password P@ssw0rd.

3. Optionally, log in to the iam VM as admin and password P@ssw0rd.

Note: You do not need to log in to the iam VM as you are performing all exercises using the
winagent VM.

Time synchronization steps

Important: You must follow these steps when your VMs are suspended due to inactivity. The VM
timestamps become out of synchronization when they get suspended.

1. Restore the suspended iam and winagent VMs using the Play button as shown below.

2. Log in to the winagent VM as IBMEMM\Administrator and password P@ssw0rd.

3. Open the command prompt and run the w32tm /resync command as shown in the following
figure.

Note: The iam VM does not need time synchronization steps.


Exercises
The external authentication interface (EAI) extends the reverse proxy so that a remote application
or service can authenticate Access Manager users. This technique adds authentication methods
beyond those built into Access Manager. The EAI application can be written in any language,
including Java. The external authentication interface returns the user identity information in
HTTP response headers, and the reverse proxy uses these headers to build the user credential.

This lab demonstrates the steps to configure the Access Manager reverse proxy to redirect the
authentication process to the EAI application. The EAI used in this lab is a simple Perl program,
test_sso.pl, which performs a form-based login using a user name and password. test_sso.pl then
posts the login to the check_user.pl program, which is configured as a trigger URL and returns the
user identity in HTTP headers. The reverse proxy reads the HTTP headers in the response from the
trigger URL, builds the user credential internally, and grants access to the protected resource.

The following diagram illustrates a typical EAI flow.

Important: To save time, the Access Manager appliance is already populated with users that are
used in the lab. The reverse proxy instance rp1 is also configured.

Exercise 1 Configuring a standard junction
In this exercise, you create a standard Reverse Proxy junction for the AMAuth-demo application
running on the IBM Liberty server. Later in this lab, you demonstrate the external authentication
interface (EAI) by accessing this junction.

Note: Verify that the iam and winagent systems are started before running the lab exercises.

Task 1 Starting the Liberty server


Because the back-end application AMAuth-demo is running on Liberty, you first start the Liberty
server.
1. Log on to the winagent system as IBMEMM\Administrator using password P@ssw0rd.

2. Double-click startliberty.bat on the Windows desktop to start the Liberty server.

The following message appears in the window opened by the batch script indicating success.

Task 2 Creating a junction


Next, you create a junction for the AMAuth-demo application running on Liberty.

The instructions are given as pdadmin commands run through the appliance REST API. Alternatively,
you can create the junction using the Access Manager appliance LMI at https://iam.ibmemm.edu.

3. Double-click the Cygwin terminal icon on the Windows task-bar.


The Cygwin terminal window opens.

4. Run the following command:


pdadmin-lmi /studentfiles/config/create-amauth-demo-jct.pdadmin

You receive the following output after a successful run:

Task 3 Testing the /AMAuth-demo junction


5. Open a Firefox browser and select the Reverse Proxy > AMAuth-demo App bookmark.
This bookmark opens the https://www.ibmemm.edu/AMAuth-demo URL.

6. Log in using chuck and P@ssw0rd.


The home page of the AMAuth-demo application opens.

7. Select the Reverse Proxy > Log Out bookmark to log out of the reverse proxy.

Exercise 2 Setting up the EAI application


In this exercise, you configure the EAI application to run on the IBM HTTP Server installed on the
Windows system. The EAI used in this lab consists of two Perl scripts: test_sso.pl and
check_user.pl. The test_sso.pl script performs a form-based login using a user name and password.
Then, it posts the user identity information in HTTP headers to the check_user.pl script, which is
configured as a trigger URL in the reverse proxy.
1. Open Windows File Explorer and go to the location C:\studentfiles\eai.

2. Copy files test_sso.pl and check_user.pl. Then, paste the files to location
C:\IBMHTTPServer\cgi-bin.

To verify that the EAI application is now running:

3. Open Firefox and go to http://localhost/cgi-bin/test_sso.pl. Confirm that an application
login page comes up.

4. Close the Firefox browser.

Exercise 3 Creating an unauthenticated junction for EAI application
In this exercise, because the EAI application is hosted on the IBM HTTP Server (IHS), you define a
Reverse Proxy junction for IHS. Then, permit unauthenticated access to the junction using an
existing ACL named unauth. The unauth ACL is already created in this lab.

The instructions are given as pdadmin commands. You can choose to create the junction and apply
an ACL using the Access Manager appliance LMI.
1. In the Cygwin terminal, run the following command:
pdadmin-lmi /studentfiles/config/create-eai-allow-unauth.pdadmin

You receive the following output after a successful run:

2. Close the Cygwin terminal.

To verify that you can access the EAI junction without an authentication challenge from the
Reverse Proxy:

3. In Firefox, select the Reverse Proxy > EAI junction bookmark to open
https://www.ibmemm.edu/eai/cgi-bin/test_sso.pl.

4. Confirm that the EAI login page comes up instead of the Reverse Proxy login page.

5. Close Firefox.

Exercise 4 Updating the reverse proxy configuration
This exercise details steps to update the reverse proxy configuration for EAI.
1. Start Internet Explorer (IE) and select the AM LMI bookmark. This bookmark opens the
Access Manager appliance web interface at https://iam.ibmemm.edu.
The appliance web console is also called the Local Management Interface (LMI).

2. Log in as user admin with password P@ssw0rd.


The Appliance Dashboard is displayed.

3. Select Secure Web Settings from the top menu bar and navigate to Manage > Reverse
Proxy.

4. Select the rp1 instance.

The reverse proxy instance rp1 is already created in this lab.

5. Then, go to Manage > Configuration > Edit Configuration File.


The configuration file opens in the Advanced Configuration File Editor window.

6. Use CTRL+F in the File Editor window to search for the [authentication-levels] stanza.
Update it to add the ext-auth-interface level.
[authentication-levels]
level = unauthenticated
level = password
level = ext-auth-interface

7. Next, search for the [eai] stanza. Update the eai-auth property to support the https protocol.
eai-auth = https

8. Review the eai headers present in the [eai] stanza but do not change the headers.

9. Search for the [eai-trigger-urls] stanza. Add a new trigger to this stanza using the following line.
trigger = /eai/cgi-bin/check_user.pl

10. Search for the property enable-local-response-redirect and enable it by setting its value to yes.
enable-local-response-redirect = yes

11. Search for the [local-response-redirect] stanza. Add a new property
local-response-redirect-uri using the following value.
local-response-redirect-uri = /eai/cgi-bin/test_sso.pl

12. Search for the [local-response-macros] stanza. Enable the following macros as they are
being used by the EAI application in this lab.
macro = TAM_OP
macro = USERNAME
macro = METHOD
macro = AUTHNLEVEL
macro = ERROR_CODE
macro = ERROR_TEXT

13. Search for the [enable-redirects] stanza. Enable the following redirect modes.
redirect = forms-auth
redirect = ext-auth-interface

14. To save the configuration file, click Save.


The appliance console now shows the yellow banner with the link Click here to review the
changes or apply them to the system.

15. To deploy the changes, select the link in the yellow banner as shown in the following figure.

16. Click Deploy to confirm the changes.

17. Notice the warning prompting you to restart the reverse proxy. Close the warning by clicking X
in the right corner.

18. To restart the reverse proxy, select the rp1 instance and click Restart.

The Changes are Active column for the rp1 instance changes from False to True after restart.
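The following script is an added example, not part of the IBM lab materials or product: it reads a reverse proxy configuration file and reports which of the settings from steps 6 to 13 are missing, which is the check to run when the EAI login page does not appear. Its stanza parser is written here, and placing enable-local-response-redirect in [acnt-mgt] in the sample is an assumption, since the lab does not name that stanza.

```python
"""Checker for the Exercise 4 EAI settings in a WebSEAL reverse proxy
configuration file. Added example, not IBM lab or product code."""

# Constructed sample: the rp1 configuration after the Exercise 4 edits. The lab
# does not name the stanza that holds enable-local-response-redirect, so the
# checker accepts it in any stanza; [acnt-mgt] below is an assumption.
SAMPLE_CONF = """\
[authentication-levels]
level = unauthenticated
level = password
level = ext-auth-interface
[eai]
eai-auth = https
[eai-trigger-urls]
trigger = /eai/cgi-bin/check_user.pl
[acnt-mgt]
enable-local-response-redirect = yes
[local-response-redirect]
local-response-redirect-uri = /eai/cgi-bin/test_sso.pl
[local-response-macros]
macro = TAM_OP
macro = USERNAME
macro = METHOD
macro = AUTHNLEVEL
macro = ERROR_CODE
macro = ERROR_TEXT
[enable-redirects]
redirect = forms-auth
redirect = ext-auth-interface
"""

# (stanza or None for any stanza, key, value) entries required by steps 6 to 13.
REQUIRED = [
    ("authentication-levels", "level", "ext-auth-interface"),
    ("eai", "eai-auth", "https"),
    ("eai-trigger-urls", "trigger", "/eai/cgi-bin/check_user.pl"),
    (None, "enable-local-response-redirect", "yes"),
    ("local-response-redirect", "local-response-redirect-uri", "/eai/cgi-bin/test_sso.pl"),
    ("enable-redirects", "redirect", "forms-auth"),
    ("enable-redirects", "redirect", "ext-auth-interface"),
] + [("local-response-macros", "macro", m) for m in
     ("TAM_OP", "USERNAME", "METHOD", "AUTHNLEVEL", "ERROR_CODE", "ERROR_TEXT")]

def parse_stanzas(text):
    """Return {stanza: [(key, value), ...]}, keeping repeated keys in order,
    which the standard ini readers would collapse into one."""
    stanzas, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
        elif current is not None and "=" in line and line[0] not in "#;":
            key, value = (part.strip() for part in line.split("=", 1))
            stanzas.setdefault(current, []).append((key, value))
    return stanzas

def values(stanzas, key, stanza=None):
    """All values of key in one stanza, or in every stanza when stanza is None."""
    scope = stanzas.items() if stanza is None else [(stanza, stanzas.get(stanza, []))]
    return [v for _, entries in scope for k, v in entries if k == key]

def check_eai_config(text):
    """Return the REQUIRED entries missing from text; an empty list means OK."""
    stanzas = parse_stanzas(text)
    return [(st, k, v) for st, k, v in REQUIRED if v not in values(stanzas, k, st)]
```

Run check_eai_config on the exported rp1 configuration text; anything it returns is a setting the Exercise 5 note says to go back and verify.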

Exercise 5 Verifying EAI authentication to a
protected resource
Now, you verify EAI configuration by logging on to the protected Liberty application junction
/AMAuth-demo.
1. Ensure that the Liberty server is running. If not, double-click startliberty.bat on Windows
desktop to start it.

2. In Firefox, select the Reverse Proxy > AMAuth-demo bookmark. This bookmark opens
the https://www.ibmemm.edu/AMAuth-demo URL.

3. Confirm that the EAI login page comes up as shown in the following figure.

Note: If the login redirect mechanism is not configured properly, the reverse proxy login page is
displayed instead. Verify that the reverse proxy configuration file parameters are set as stated in
Exercise 4, Updating the reverse proxy configuration.

4. Type a random username and password and select Login.

5. Confirm that you receive an error as shown in the following figure.

This error comes up because the user is not present in the Access Manager LDAP registry.

6. Now, log on using an existing Access Manager user chuck and password P@ssw0rd.

7. Confirm that you are logged on to the AMAuth-demo application successfully.

8. Close Firefox.

Note: The EAI application is configured to pass the user name in the standard HTTP header
am-eai-user-id.

When WebSEAL receives the user identity in the am-eai-user-id header, it verifies that the user is
present in the Access Manager registry and builds the user credential. It then logs you on to the
back-end application that you originally requested, in this case the AMAuth-demo application.

Exercise 6 Authenticating using external users
In this exercise, you configure the EAI application to authenticate using users that are not present
in the local Access Manager registry.

Note: Access Manager allows authentication using external users if the user name is supplied in
the HTTP header am-eai-ext-user-id. You can also supply a user's group membership using the
am-eai-ext-user-groups header.

This is useful when users are stored in a different kind of registry, for example, a database, or
supplied via a different mechanism such as web services.

1. Open Windows File Explorer and go to the location C:\IBMHTTPServer\cgi-bin.

2. Open the file check_user.pl using Notepad.


a. Search for the text generate Login header.

b. Comment out the line that prints am-eai-user-id by adding # in front of the line.

c. Uncomment the line that prints am-eai-ext-user-id by removing the # from the front of the
line.

d. Save and close the file.

3. Close and reopen Firefox if it was already open.

4. Select the Reverse Proxy > AMAuth-demo bookmark again.


The EAI login page appears.

5. Type a random username and password and select Login.

6. Notice that login to the AMAuth-demo application is successful this time despite the user not
being present in the Access Manager registry.

Note: The sample EAI application used in this lab is a crude program that does not perform an
authentication check for external users. However, you can write custom logic that validates
external users against corporate databases and registries as the business requires.
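A small Python model of the two identity paths from Exercises 5 and 6, added here and not part of the lab or IBM's code: it simulates check_user.pl asserting am-eai-user-id or am-eai-ext-user-id and the reverse proxy consuming the trigger-URL response, with a validate switch that reproduces the missing check described in the note above. The user tables, the registry lookup, and the quoted, comma-separated format of the groups header are assumptions made for this example.

```python
"""Model of the EAI identity paths from Exercises 5 and 6, including the
credential check that the lab's sample check_user.pl omits for external users.
Added example, not IBM code: header names are the lab's; the user stores and
the reverse proxy behaviour are simplified constructions."""

# Constructed data: the Access Manager registry knows chuck; the external store
# (a database, in the lab's wording) knows a user the registry does not.
AM_REGISTRY = {"chuck": "P@ssw0rd"}
EXTERNAL_USERS = {"dana": ("ExtP@ss1", ["finance", "auditors"])}


def eai_response(username, password, external=False, validate=True):
    """Headers check_user.pl would return to the trigger URL after the form login;
    {} means no identity is asserted. validate=False reproduces the lab's crude
    sample, which asserts whatever name was typed."""
    if external:
        record = EXTERNAL_USERS.get(username)
        if validate and (record is None or record[0] != password):
            return {}
        groups = record[1] if record else []
        # Assumed wire format for the groups header: comma-separated, double-quoted.
        return {"am-eai-ext-user-id": username,
                "am-eai-ext-user-groups": ",".join(f'"{g}"' for g in groups)}
    # The reverse proxy only checks that am-eai-user-id exists in the registry; it
    # never sees the password, so the EAI must verify it (assumed local table here).
    if validate and AM_REGISTRY.get(username) != password:
        return {}
    return {"am-eai-user-id": username}


def reverse_proxy_trigger(headers):
    """Simplified view of what the reverse proxy does with the trigger response."""
    if "am-eai-user-id" in headers:
        user = headers["am-eai-user-id"]
        if user not in AM_REGISTRY:  # Exercise 5, step 5: the error page
            return {"error": "user not found in the Access Manager registry"}
        return {"user": user, "groups": [], "source": "registry"}
    if "am-eai-ext-user-id" in headers:  # Exercise 6: no registry lookup
        raw = headers.get("am-eai-ext-user-groups", "")
        groups = [g.strip().strip('"') for g in raw.split(",") if g.strip()]
        return {"user": headers["am-eai-ext-user-id"], "groups": groups, "source": "external"}
    return {"error": "no identity header; login page shown again"}


def login(username, password, external=False, validate=True):
    """Run one form login through the EAI and then the reverse proxy trigger."""
    return reverse_proxy_trigger(eai_response(username, password, external, validate))
```

With validate=False and external=True, any typed name logs in, which is the Exercise 6 result; with validate=True only a user the external store can verify is asserted.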
