
IBM Tivoli Access Manager for e-business

Plug-in for Web Servers/I8O

f> 5.1

S152-0813-00

"b

Z9C>JO0d'VDz7.0,kDAZ 193 3D=< F, :yw;PDE"#

Z;f(2003 j 11 B)

>f>JCZ IBM Tivoli Access Manager V5.1.0(z7E 5724-C08)T0yPsx"PfM^)f,1=ZBf>P

mPyw*9#

© Copyright International Business Machines Corporation 2000, 2003. All rights reserved.

?<

< . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix

m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi

0T . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii>iDA_ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii>iDZ] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiiivfo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv

"PE" . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvBase E" . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvWeb 2+TE" . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv*"_N<JO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi<u9d . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi`Xvfo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xviiZ_CJvfo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix

(z!n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xx*5m~'V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xx>i9CD<( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xx

VM<( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxYw53xp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xx

Z 1 B IBM Tivoli Access Manager Plug-in for Web Servers ri . . . . . . . . . 1Tivoli Access Manager Plug-in for Web Servers <u . . . . . . . . . . . . . . . . . . . . . . 1

y>Ywi~Me5a9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1'Vibwz . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

9C Tivoli Access Manager Plug-in for Web Servers #$zD Web Ud . . . . . . . . . . . . . . . 3Tivoli Access Manager Plug-in for Web Servers O$ . . . . . . . . . . . . . . . . . . . . . . 3>$q! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Z 2 B IBM Tivoli Access Manager Plug-in for Web Servers dC . . . . . . . . . 7#fe~E" . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Tivoli Access Manager Plug-in for Web Servers 20Dy?< . . . . . . . . . . . . . . . . . . 7pdwebpi.conf dCD~ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8pdwebpimgr.conf dCD~ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9t/M#9 Tivoli Access Manager Plug-in for Web Servers . . . . . . . . . . . . . . . . . . . 9HTTP ms{" . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9j'V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10km%`XDj . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

dCZ(~qw . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11dC$wLr_L . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11hC IPC ksDnsa0P'Z . . . . . . . . . . . . . . . . . . . . . . . . . . . 11dCms3f . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

dCibwz~qw . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12Web ~qwX(DdC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Web ~qw"bBn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16(FTsPm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

|nPN} . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17dv . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

*\m1dCP;C'(SU) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18KbP;C'D&mwL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

© Copyright IBM Corp. 2000, 2003 iii

tCP;C' . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19dCP;C' HTML m% . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19TP;C'tCME}C' . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20dCP;C'O$zF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210ld|e~&\ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

T LDAP ~qwdCJO*F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23'V~=W!n=((P3P)7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

dC P3P 7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24dCe~sF"U>G<"zYM_Y:f}]b . . . . . . . . . . . . . . . . . . . . . . . 26

sFG< . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27sFdC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28zYe~Yw . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28_Y:f}]bhC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

dCZ( API ~q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30>$"B . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

dC>$"B . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30dC HTTP ks_Y:f . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

dC~qwKD_Y:fN} . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32oT'VkV{/ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Z 3 B IBM Tivoli Access Manager Plug-in for Web Servers O$Mks&m . . . . 35ks&m}L . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35O$}L . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36dCO$ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

dCibwzDO$ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38dCO$=(D3r . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39dCZ(s&m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

\ma04, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44dCe~a0/>$_Y:f . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459C SSL a0j6,$a04, . . . . . . . . . . . . . . . . . . . . . . . . . . . 479Cy>O$,Va04, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479Ca0 Cookies ,$a04, . . . . . . . . . . . . . . . . . . . . . . . . . . . 479C HTTP 7,Va04, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489C IP X7,Va04, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499C LTPA cookie ,Va04, . . . . . . . . . . . . . . . . . . . . . . . . . . . 499C iv 7,Va04, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

O$dCEv . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50>XO$zF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50b?(F CDAS O$N} . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50e~D1!dC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51dC`vO$=( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51"z"|D\kMoz|n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

dCy>O$ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53tCy>O$ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53dCy>O$zF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53hCr{F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53&m BA 7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538(T BA 7xP UTF-8 `k . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

dCm%O$ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55tCm%O$ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55dCm%O$zF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55(F HTML l&m% . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56(Fm%G< URI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564( BA 7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 568(T BA 7xP UTF-8 `k . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

dC$iO$ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

iv IBM Tivoli Access Manager for e-business: Plug-in for Web Servers /I8O

9C$i%`O$ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57tC$iO$ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58dC$iO$zF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

dCnFO$ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58SecurID nFO$ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58tCnFO$ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60dCnFO$zF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61(FnFl&3f . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

dC SPNEGO O$. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62=(MC'"am'V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62+ SPNEGO dCS V4.1 }6= V5.1 . . . . . . . . . . . . . . . . . . . . . . . . . 62V^T . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63Windows @f%;"adC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63JOoO<I . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

dC NTLM O$(vkT IIS =() . . . . . . . . . . . . . . . . . . . . . . . . . . 68dC Web ~qwO$(vkT IIS =() . . . . . . . . . . . . . . . . . . . . . . . . . 69dCJO*FO$ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

JO*FO$En . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70JO*FO$dC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

dC IV 7O$ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83tC9C IV 7DO$ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84dC IV 7N} . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 848(T IV 7xP UTF-8 `k . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85dC iv-remote-address D IV 7O$zF . . . . . . . . . . . . . . . . . . . . . . . . 85

dC HTTP 7O$ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85tC9C HTTP 7DO$ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 868(7`M . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86dC HTTP 7O$zF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

dC IP X7O$ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87tC9C IP X7DO$ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87dC IP X7O$zF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

dC LTPA O$ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88tC LTPA O$ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88hC\?j8E" . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88dC LTPA Z(s&m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

dCG<sDC'X(r . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88tCC'X(r . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89dCC'X(rN} . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

*>$mS)9tT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89+)9tTmS=>$DzF . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89Z(~qdC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90

r HTTP 7mS LDAP )9DtT(jG5) . . . . . . . . . . . . . . . . . . . . . . . 92tCjG5&m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93dCjG5N} . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

'V`74CzmLr(MPA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93P'a0}]`MMO$=( . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93MPA M`vM'zDO$xLw . . . . . . . . . . . . . . . . . . . . . . . . . . . 94tC MPA O$ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95* MPA 4(C'J' . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96r pdwebpi-mpa-servers imS MPA J' . . . . . . . . . . . . . . . . . . . . . . . . 96

Z 4 B IBM Tivoli Access Manager Plug-in for Web Servers 2+T_T . . . . . . 97e~X(DCJXFm(ACL)_T . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

/PDWebPI/host r virtual_host . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98e~ ACL mI( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 991! /PDWebPI ACL _T . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

?< v

}N%wG<_T . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100\k?H_T . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

pdadmin 5CLrhCD\k?H_T . . . . . . . . . . . . . . . . . . . . . . . . . 101X(C'M+VhC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

O$?H\#$Ts_T(]}) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103dC]}=O$6p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103tC]}=O$ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104]}=O$"bBnM^F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

`rSO$ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106tC`rSO$ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

XBO$\#$Ts_T . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1060l POP XBO$Du~ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1074(M&CXBO$ POP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

yZxgDO$\#$Ts_T . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1088( IP X7M6' . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108{C4 IP X7D]}O$ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109yZxgDO$c( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

#$6p\#$Ts_T . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109&m4O$C'(HTTP/HTTPS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110

&m4Td{M'zDks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110?FC'G< . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110&C4O$ HTTPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110C ACL/POP _TXF4O$C' . . . . . . . . . . . . . . . . . . . . . . . . . . 110

Z 5 B Web %;"abv=8 . . . . . . . . . . . . . . . . . . . . . . . . . 113%;"aEn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113T/"a=\#$D&CLr . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

9C HTTP 7dCT2+&CLrD%;"a . . . . . . . . . . . . . . . . . . . . . . 1149C LTPA cookie %;"a= WebSphere Application Server . . . . . . . . . . . . . . . . . 115

S WebSEAL rd|zm%;"a=e~ . . . . . . . . . . . . . . . . . . . . . . . . . 116tCM{C9C IV 7DO$ . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117dC IV 7N}. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

9CJO*F cookie xP%;"a . . . . . . . . . . . . . . . . . . . . . . . . . . . 117tC9CJO*F cookie D%;"a . . . . . . . . . . . . . . . . . . . . . . . . . 117

9C+V%;"a(GSO) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118dC+V%;"a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

2+Ta)Lr NEGOtiation(SPNEGO)%;"a . . . . . . . . . . . . . . . . . . . . . . 1209Cm%D%;"a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120

m%%;"a&mwL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121&CLr'VD*s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122tCm%%;"a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122dCm%%;"a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123IBM HelpNow dCD~>} . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125

Z 6 B grG<bv=8 . . . . . . . . . . . . . . . . . . . . . . . . . . . 127gr%;"a(CDSSO) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

CDSSO DO$&mwL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127tCM{C CDSSO O$ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129S\O$nF}] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129dCnF1dAG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130ZO$nFP|,>$tT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1308( sso-create M sso-consume b . . . . . . . . . . . . . . . . . . . . . . . . . . 131m> CDSSO 4S . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131#$O$nF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131

gSgx%;"a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132gSgx%cO$&\M*s . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132

gSgx%;"a&mwL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133gSgx cookie . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134$5ksM&p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134$5nF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135S\$5DnF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135dCgSgx . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135dCgSgx%;"a - >} . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

Z 7 B &CLr/I . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143,$M'zMsK&CLr.dDa04, . . . . . . . . . . . . . . . . . . . . . . . . . 143

tCC'a0j6\m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143+>$}]ek= HTTP 7P . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144U9C'a0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144

a)T/, URL DCJXF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145dC/, URL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145

Z 8 B Z(v_E"lw . . . . . . . . . . . . . . . . . . . . . . . . . . . 147ADI lwEv . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147Se~M'zkslw ADI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

>}:Sks7lw ADI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148>}:Sksi/V{.lw ADI . . . . . . . . . . . . . . . . . . . . . . . . . . 149>}:Sks POST welw ADI . . . . . . . . . . . . . . . . . . . . . . . . . . 149

SC'>$lw ADI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150a)JO-r . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150dC/, ADI lw . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150

dCe~T9C AMWebARS Web ~q . . . . . . . . . . . . . . . . . . . . . . . . 151

=< A. 9C pdbackup 8]e~}] . . . . . . . . . . . . . . . . . . . . . . 153&\ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153

8]e~}] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153V4e~}] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154

o( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154>} . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155

UNIX >} . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155Windows >} . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155pdinfo-pdwebpi.lst DZ]. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156d|8]}] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156

=< B. pdwebpi.conf N< . . . . . . . . . . . . . . . . . . . . . . . . . . 157#fdCN} . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157O$dCN} . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160a0dCN} . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168LDAP dCN} . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169zmdCN} . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169Z( API dCN} . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170X(Z Web ~qwDdCN} . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171

=< C. #ilYN< . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175

=< D. |nlYN< . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181pdwebpi_start. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182pdwebpi . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184pdwpi-version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185pdwpicfg –action config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186pdwpicfg –action unconfig . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188

=< E. }rmo=PJmDXbV{ . . . . . . . . . . . . . . . . . . . . . . . 191

=< F. yw . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193Lj . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194

Jcm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197

w} . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203

<

1. e~M Tivoli Access Manager i~D;%wC# . . . . . . . . . . . . . . . . . . . . . 22. 7(O$#iDe~wL# . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423. O$aJ}L_- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434. 7(a0#iDe~wL# . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455. JO*F cookie DdM~qwe5a9# . . . . . . . . . . . . . . . . . . . . . . . 716. 9C GSO T2+&CLrDC'CJ# . . . . . . . . . . . . . . . . . . . . . . . 1197. m%%;"a&mwL# . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1218. CDSSO &mwL# . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1289. G<=gSgx# . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133

10. gSgx%;"adC>} . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14011. tTlw~q&mwL# . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151

m

1. Tivoli Access Manager EPAC VN . . . . . . . . . . . . . . . . . . . . . . . . . . 52. pdwebpi.conf Z** . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83. 'VDjf; . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104. [proxy] ms3fdCN}# . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125. Web ~qwX(DdCN} . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156. [p3p-header] N} . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247. O$sFG<VN(e# . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278. sFdCN}(e . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289. e~'VDoTT0'VD?<# . . . . . . . . . . . . . . . . . . . . . . . . . . 33

10. >XZCO$Lr . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5011. b? CDAS ~qwN} . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5012. V4.1 M V5.1 D,H SPNEGO dC# . . . . . . . . . . . . . . . . . . . . . . . . 6213. JO*FO$bD~{ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7714. IV 7VNhv . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8415. MPA DP'a0}]`M . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9416. P'D MPA O$`M . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9417. e~ ACL mI( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9918. e~ WebDAV mI( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9919. pdadmin LDAP G<_T|n . . . . . . . . . . . . . . . . . . . . . . . . . . . 10120. pdadmin LDAP \k?H|n . . . . . . . . . . . . . . . . . . . . . . . . . . . 10221. \k>} . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10222. QOP 6phv . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10923. IV 7VNhv . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11424. LTPA dCN} . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11625. IV 7VNhv . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11626. #fdCN} . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15727. O$dCN} . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16028. a0dCN} . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16829. LDAP dCN} . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16930. zmdCN} . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16931. Z( API dCN}. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17032. X(Z Web ~qwDdCN} . . . . . . . . . . . . . . . . . . . . . . . . . . . 17133. e~O$=(/#iN< . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17534. X(Z Windows DO$#i . . . . . . . . . . . . . . . . . . . . . . . . . . . 17735. e~a0#iN< . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17736. e~Z(0#iN< . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17837. e~Z(s#iN< . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17938. l&#iN< . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179

0T

IBM® Tivoli® Access Manager Plug-in for Web Servers(>DPF*e~)w*M'z

M2+ Web Ud.dDxX4\mzDyZ Web DJ4D2+T#e~5V#$z

Web TsUdD2+T_T#e~Ia)%;"a,'V Web ~qww*ibwzK

P,"+ Web &CLr~qwJ4"k|D2+_T#

":PXe~D'V=("ELMZfhs"X8m~T0208>E"Dj8E

",kN<6Tivoli Access Manager for e-business Web Security 208O7#

IBM® Tivoli® Access Manager(Tivoli Access Manager)GKP IBM Tivoli Access

Manager z75PPD&CLryhDy!m~#|'V IBM Tivoli Access Manager

&CLrD/I,bya)Ks6'DZ(M\mbv=8#b)z7w*/Ibv

=8v[,|Ga)K;VCJXF\mbv=8,bV=8*gSLq&C/P\

mxgM&CLr2+T_T#

":IBM Tivoli Access Manager GH0"PDF* Tivoli SecureWay® Policy Director

m~DB{F#,y,TZl$ Tivoli SecureWay Policy Director m~MD5DC

'45,management server VZF* policy server#

6IBM Tivoli Access Manager for e-business Plug-in for Web Servers /I8O7a)

PX9C Plug-in for Web Servers &CLr4#$zD Web rD\m}LM<uN<

E"#

>iDA_

>8Ofr:p20"?pM\m Access Manager Plug-in for Web Servers D53\

m1#

A_&1l$TBZ]:

v PC M UNIX® Yw53#

v }]be5a9MEn#

v 2+\m#

v rXx-i,|( HTTP"HTTPS M TCP/IP#

v a?6?<CJ-i(LDAP)M?<~q#

v \'VDC'"am#

v O$MZ(#

g{*tC2+WSVc(SSL)(E,r9&l$ SSL -i"\?;;(+CM(

C)"}V){"\kc(MO$PD#

>iDZ]

>i|,TBw?V:

v Z 1 B, :IBM Tivoli Access Manager Plug-in for Web Servers ri;

a) Access Manager Plug-in for Web Servers &CLrDri,xv53e5a9"

&\MYw73Dj8E"#

v Z 2 B, :IBM Tivoli Access Manager Plug-in for Web Servers dC;

a)XZ Access Manager Plug-in for Web Servers DdChsDE"#

v Z 3 B, :IBM Tivoli Access Manager Plug-in for Web Servers O$Mks&m;

V[e~gN,Va04,"&mO$}LT0TZ(Da04PyPXhDZ(

s&m#

v Z 4 B, :IBM Tivoli Access Manager Plug-in for Web Servers 2+T_T;

XZdCM(F Access Manager Plug-in for Web Servers 2+T_TDE"#

v Z 5 B, :Web %;"abv=8;

V[CZ Access Manager Plug-in for Web Servers #$D Web UdD%;"ab

v=8#

v Z 6 B, :grG<bv=8;

V[ Access Manager Plug-in for Web Servers Dgr%;"abv=8#

v Z 143 3DZ 7 B, :&CLr/I;

V[(}e~D73d?M HTTP 7D)95VDZ}=&CLr/IT0/, URL

\&#

v Z 147 3DZ 8 B, :Z(v_E"lw;

V[e~gNa)rq!@@Z(fr(CfrC4#$ Tivoli Access Manager r

PDJ4)yXhDZ(v_E"(ADI)#

v Z 153 3D=< A, :9C pdbackup 8]e~}];

PX9C pdbackup 5CLrDE"#

v =< B, :pdwebpi.conf N<;

Pv Access Manager Plug-in for Web Servers dCN}0X*Dhv#

v =< C, :#ilYN<;

PvyPe~O$"a0MZ(s=(0X*Dhv#

v =< D, :|nlYN<;

PvICe~5CLr0dy4PYwDhv#

v Z 191 3D=< E, :}rmo=PJmDXbV{;

Pv pdwebpi.conf dCD~P9CD}rmo=JmDXbV{#

vfo

4iT Tivoli Access Manager b"X8vfoT0`XvfoDhvT7(D)vf

oI\TzPoz#Z7(zh*Dvfo.s,kN<Z_CJvfoD8>E

"#

XZ IBM Tivoli Access Manager for e-business z7>mD=SE"IZTBX7R

=:

http://www.ibm.com/software/tivoli/products/access-mgr-e-bus/

Tivoli Access Manager bITV*TBV`:

v Z xv 3D:"PE";

v :Base E";

v :Web 2+TE";

v Z xvi 3D:*"_N<JO;

v Z xvi 3D:<u9d;

"PE"

v 6IBM Tivoli Access Manager for e-business kHDA7(G152-0804-00)

a)20M*<9C Tivoli Access Manager DE"#

v 6IBM Tivoli Access Manager for e-business "P5w7(G152-0805-00)

a)nBE",}gm~V^"d(=(T0D5|B#

Base E"

v 6IBM Tivoli Access Manager Base 208O7(S152-0806-00)

5wgN20MdC Tivoli Access Manager Base m~,|( Web Portal Manager

gf#CiG6IBM Tivoli Access Manager for e-business Web Security 208O7

DS/,|CZd| Tivoli Access Manager z7(g IBM Tivoli Access Manager

for Business Integration M IBM Tivoli Access Manager for Operating Systems)#

v 6IBM Tivoli Access Manager Base \m8O7(S152-0807-00)

hv9C Tivoli Access Manager ~qDEnM}L#a)S Web Portal Manager g

fM(}9C pdadmin |n4PNqD8>E"#

Web 2+TE"

v 6IBM Tivoli Access Manager for e-business Web Security 208O7(S152-0808-00)

a)PX Tivoli Access Manager Base m~T0 Web Security i~D20"dCM

}%8>E"#CiG6IBM Tivoli Access Manager Base 208O7D)9/

(superset)#

v IBM Tivoli Access Manager Upgrade Guide(SC32-1369-00)

5wgNS Tivoli SecureWay Policy Director V3.8 r Tivoli Access Manager DH

0f>}6= Tivoli Access Manager V5.1#

v 6IBM Tivoli Access Manager for e-business WebSEAL \m8O7(S152-0809-00)

a)9C WebSEAL \m2+ Web rDJ4D30JO"\m}LT0<uN<E

"#

v 6IBM Tivoli Access Manager for e-business IBM WebSphere Application Server /

I8O7(S152-0810-00)

a)CZ+ Tivoli Access Manager k IBM WebSphere® Application Server /ID

20"}%M\m8>E"#

v IBM Tivoli Access Manager for e-business IBM WebSphere Edge Server Integration

Guide(SC32-1367-00)

a)CZ+ Tivoli Access Manager k IBM WebSphere Edge Server &CLr/I

D20"}%M\m8>E"#

v 6IBM Tivoli Access Manager for e-business Plug-in for Web Servers /I8O7

(S152-0813-00)

0T xv

a)9C Plug-in for Web Servers #$ Web r2+D208>E""\m}LT

0<uN<E"#

v 6IBM Tivoli Access Manager for e-business BEA WebLogic Server /I8O7

(S152-0811-00)

a)CZ+ Tivoli Access Manager k BEA WebLogic Server /ID20"}%M

\m8>E"#

v IBM Tivoli Access Manager for e-business IBM Tivoli Identity Manager Provisioning

Fast Start Guide(SC32-1364-00)

a)k+ Tivoli Access Manager k Tivoli Identity Manager /I`XDNqDEv,

"5wgN9CM20 Provisioning Fast Start /O#

*"_N<JO

v IBM Tivoli Access Manager for e-business Authorization C API Developer

Reference(SC32-1355-00)

a)hvgN9C Tivoli Access Manager Z( C API M Tivoli Access Manager ~

qe~SZ+ Tivoli Access Manager 2+TmS=&CLrPDN<JO#

v IBM Tivoli Access Manager for e-business Authorization Java Classes Developer

Reference(SC32-1350-00)

a)9CZ( API D Java™ oT5V9&CLr\;9C Tivoli Access Manager

2+TDN<E"#

v IBM Tivoli Access Manager for e-business Administration C API Developer

Reference(SC32-1357-00)

a)XZ9C\m API 9&CLr\;4P Tivoli Access Manager \mNqDN

<E"#>D5hv\m API D C 5V#

v IBM Tivoli Access Manager for e-business Administration Java Classes Developer

Reference(SC32-1356-00)

a)9C\m API D Java oT5V9&CLr\;4P Tivoli Access Manager \

mNqDN<E"#

v IBM Tivoli Access Manager for e-business Web Security Developer

Reference(SC32-1358-00)

a)PXgrO$~q(CDAS)"gr3dr\(CDMF)T0\k?H#iD\

mM`LE"#

<u9d

v IBM Tivoli Access Manager for e-business Command Reference(SC32-1354-00)

a)XZf Tivoli Access Manager a)D|nP5CLrME>DE"#

v IBM Tivoli Access Manager Error Message Reference(SC32-1353-00)

a) Tivoli Access Manager yzz{"D5wMFvDYw#

v IBM Tivoli Access Manager for e-business Problem Determination

Guide(SC32-1352-00)

a) Tivoli Access Manager D7(JbDE"#

v 6IBM Tivoli Access Manager for e-business T\w{8O7(S152-0812-00)

a)IT IBM Tivoli Directory Server w*C'"amD Tivoli Access Manager y

9ID73DT\w{E"#

`Xvfo

b;?VPvKk Tivoli Access Manager b`XDvfo#

Tivoli Software Library a)K`V Tivoli vfo,}gW$i"}]m"]>"l$

iMyw/# Tivoli Software Library ITSTB Web >cq!:

http://www.ibm.com/software/tivoli/library/#

Tivoli Software Glossary |,m`k Tivoli m~`XD<uuoD(e#Tivoli Software

Glossary(v"of)ISTB Tivoli Software Library Web 3fOs_D Glossary4Sq!:http://www.ibm.com/software/tivoli/library/#

IBM Global Security KitTivoli Access Manager (}9C IBM Global Security Kit(GSKit)V7.0 a)}]S

\#GSKit |,ZT&ZzX(=(D IBM Tivoli Access Manager Base CD"IBM Tivoli

Access Manager Web Security CD"IBM Tivoli Access Manager Web Administration

Interfaces CD M IBM Tivoli Access Manager Directory Server CD O#

GSKit m~|a) iKeyman \?\m5CLr gsk7ikm,|CZ4(\?}]b"+

C-(C\?TT0$iks#TBD5IS Tivoli Information Center Web >cOk

IBM Tivoli Access Manager z7D5`,D?VPR=:

v IBM Global Security Kit Secure Sockets Layer and iKeyman User’s

Guide(SC32-1363-00)

*F.Zd Tivoli Access Manager 73PtC SSL (EDxgr532+T\m

1a)KE"#

IBM Tivoli Directory ServerIBM Tivoli Directory Server V5.2 |,ZT&ZZ{DYw53D IBM Tivoli Access

Manager Directory Server CD O#

":IBM Tivoli Directory Server GH0"PD{FgBDm~DB{F:

v IBM Directory Server(V4.1 M V5.1)

v IBM SecureWay Directory Server(V3.2.2)

IBM Directory Server V4.1"IBM Directory Server V5.1 M IBM Tivoli Directory Server

V5.2 <\ IBM Tivoli Access Manager V5.1 D'V#

XZ IBM Tivoli Directory Server Dd|E"IZTBX7R=:

http://www.ibm.com/software/network/directory/library/

IBM DB2 (C}]bIBM DB2® Universal Database™((C}]b)s5~qwf V8.1 Z IBM Tivoli Access

Manager Directory Server CD Oa),"k IBM Tivoli Directory Server m~;p2

0#Z+ IBM Tivoli Directory Server"z/OS™ r OS/390® LDAP ~qwCw Tivoli

Access Manager DC'"am1,DB2 GXhD#

XZ DB2 Dd|E"IZTBX7R=:


http://www.ibm.com/software/data/db2/

IBM WebSphere Application ServerIBM WebSphere Application Server, Advanced Single Server Edition 5.0 |,ZT&Z

Z{DYw53D IBM Tivoli Access Manager Web Administration Interfaces CD O#

WebSphere Application Server tCT Web Portal Manager gf(CZ\m Tivoli Access

Manager)M Web \m$_(CZ\m IBM Tivoli Directory Server)b=_D'V#

IBM WebSphere Application Server Fix Pack 2 2G Tivoli Access Manager yXhD,

"Z IBM Tivoli Access Manager WebSphere Fix Pack CD Oa)#

XZ IBM WebSphere Application Server Dd|E"IZTBX7R=:

http://www.ibm.com/software/webservers/appserv/infocenter.html

IBM Tivoli Access Manager for Business IntegrationIBM Tivoli Access Manager for Business Integration w*I%@):Dz7a),* IBM

MQSeries® V5.2 M IBM WebSphere® MQ V5.3 D{"a)K2+Tbv=8#IBM

Tivoli Access Manager for Business Integration Jm WebSphere MQSeries &CLr(

}9Ck"MMSU&CLrX*D\?X\X"Rj{X"M}]#s WebSEAL M

IBM Tivoli Access Manager for Operating Systems ;y,IBM Tivoli Access Manager

for Business Integration G9C IBM Tivoli Access Manager ~qDJ4\mw.;#

XZ IBM Tivoli Access Manager for Business Integration Dd|E"IZTBX7R

=:

http://www.ibm.com/software/tivoli/products/access-mgr-bus-integration/

TBk IBM Tivoli Access Manager for Business Integration V5.1 `XDD5IZ Tivoli

Information Center Web >cOR=:

v 6IBM Tivoli Access Manager for Business Integration \m8O7(S152-0085-01)

v 6IBM Tivoli Access Manager for Business Integration Jb7(8O7(G152-0676-00)

v 6IBM Tivoli Access Manager for Business Integration "P5w7(G152-0518-01)

v 6IBM Tivoli Access Manager for Business Integration kHDA7(G152-0675-00)

IBM Tivoli Access Manager for WebSphere BusinessIntegration BrokersIBM Tivoli Access Manager for WebSphere Business Integration Brokers w* IBM Tivoli

Access Manager for Business Integration D;?Va),* WebSphere Business Integration

Message Broker V5.0 M WebSphere Business Integration Event Broker V5.0 a)2+

Tbv=8#IBM Tivoli Access Manager for WebSphere Business Integration Brokers

(}a)yZ\kM>$DO$"/P(eDZ(MsF~q4k Tivoli Access Manager

-,YwT#$ JMS "</$)&CLr#

XZ IBM Tivoli Access Manager for WebSphere Integration Brokers Dd|E"IZ

TBX7R=:

http://www.ibm.com/software/tivoli/products/access-mgr-bus-integration/

TBk IBM Tivoli Access Manager for WebSphere Integration Brokers V5.1 `XDD

5IZ Tivoli Information Center Web >cOR=:


v 6IBM Tivoli Access Manager for WebSphere Business Integration Brokers \m8O7

(S152-0793-00)

v 6IBM Tivoli Access Manager for WebSphere Business Integration Brokers "P5w7

(G152-0794-00)

v 6IBM Tivoli Access Manager for Business Integration kHDA7(G152-0675-00)

IBM Tivoli Access Manager for Operating SystemsIBM Tivoli Access Manager for Operating Systems w*I%@):Dz7qC,a)

}K>zYw53ya)DZ]TbZ UNIX 53ODZ(_T5)c#IBM Tivoli

Access Manager for Operating Systems s WebSEAL M IBM Tivoli Access Manager

for Business Integration ;y,G9C IBM Tivoli Access Manager ~qDJ4\mw

.;#

XZ IBM Tivoli Access Manager for Operating Systems Dd|E"IZTBX7R=:

http://www.ibm.com/software/tivoli/products/access-mgr-operating-sys/

TBk IBM Tivoli Access Manager for Operating Systems V5.1 `XDD5IZ Tivoli

Information Center Web >cOR=:

v 6IBM Tivoli Access Manager for Operating Systems 208O7(S152-0190-00)

v 6IBM Tivoli Access Manager for Operating Systems \m8O7(S152-0571-00)

v 6IBM Tivoli Access Manager for Operating Systems Jb7(8O7(S152-0179-00)

v 6IBM Tivoli Access Manager for Operating Systems "P5w7(G152-0185-00)

v 6IBM Tivoli Access Manager for Operating Systems kHDA7(G152-0186-00)

IBM Tivoli Identity ManagerIBM Tivoli Identity Manager V4.5 w*I%@):Dz7a),|9zIT/P\mC

'(gC'j6M\k)M)&(a)r7zT&CLr"J4rYw53DCJ)#

Tivoli Identity Manager IT(}9C Tivoli Access Manager zmLrxk Tivoli Access

Manager /IZ;p#k*5zD IBM M'zmTq!XZ:rCzmLrD|`E

"#

XZ IBM Tivoli Identity Manager Dd|E"IZTBX7R=:

http://www.ibm.com/software/tivoli/products/identity-mgr/

Z_CJvfo

TB Tivoli software library PZ_a)>z7DIF2D5q=(PDF)M/r,D>

jGoT(HTML)q=Dvfo:http://www.ibm.com/software/tivoli/library

*ZbPR=z7vfo,k%wb3fs`D Product manuals 4S#;sZ Tivoli

Software Information Center 3fOR="%wz7{F#

z7vfo|("P5w"208O"C'8O"\m18OT0*"_N<s+#

":*7#\}7r! PDF vfo,kZ Adobe Acrobat0r!10Z(I(}%w

D~ → r!4T>C0Z)P!qJO3f4!r#


(z!n

(z!n&\oz_PmePO(gP/;crS&O-)DC'I&9CwVm~

z7#TZ>z7,I9C(z<u}!M/@gf#2I9C|L4fzsj4P

<NC'gfDyP&\#

*5m~'V

ZM3;Jb*5 IBM Tivoli m~'V.0,k%w;ZTB Web >cD Tivolisupport 4STCJ IBM Tivoli m~'V>c: http://www.ibm.com/software/support/

g{h*d|oz,rk(}9CTB Web >cD IBM Software Support Guide Py

hvD=(4*5m~'V: http://techsupport.services.ibm.com/guides/handbook.html

C8Oa)KTBE":

v *C='VyhD"aMJq*s

v g0Ek(y]zyZDzRrXx)

v *5M''V.0&U/D;5PE"

>i9CD<(

>N<JOTXbuoMYwT0@5ZYw53D|nM769CKtI<(#

VM<(

>N<JOP9CKTBVM<(:

VeV QTk\'D>"X|V"N}"!n"Java `{T0TsxVD!4|nr

s!4lO|nyTVeVT>#

1eV d?"vfojbM&C?wDXb%JrLoyT1eVT>#

HmVM

QTk\'D>"53{""C'XkdkDD>T0N}r|n!nD5x

VDzk>}"|nP"A;dvT0D~{M?<{yTHmVMT>#

Yw53xp

>i9C UNIX <(8(73d?M?<{E#9C Windows |nP1,TZ73d

?kC %variable% f; $variable,"C41\(\)f;?<76PD?v}1\(/)#

g{Z Windows 53O9C bash shell,rIT9C UNIX <(#


Chapter 1. Introduction to IBM Tivoli Access Manager Plug-in for Web Servers

IBM Tivoli Access Manager(Tivoli Access Manager)Plug-in for Web Servers G;V

/Ibv=8,cZC'*\#$ Web Ud5VM\m2+_T#Ce~w*kzD

Web ~qw`,DxLD;?V20,d1EzDM'zM\#$ Web UdD2+T

xX#

>i\TBZa)K Tivoli Access Manager Plug-in for Web Servers <uDEv,5

wKz7D<u*s,"a)KT9Ce~7# Web Ud2+D}LDi\#

":PXKe~D'V=("ELMZfhs"X8m~T0208>E"Dj8E

",kN<6Tivoli Access Manager for e-business Web Security 208O7#P

X+ Tivoli Access Manager Plug-in for Web Servers }6= V5.1 Dj8E",

kN< IBM Tivoli Access Manager Upgrade Guide#

>i\TBZ|,TBwb:

v :Tivoli Access Manager Plug-in for Web Servers <u;

v Z 3 3D:9C Tivoli Access Manager Plug-in for Web Servers #$zD Web U

d;

v Z 3 3D:Tivoli Access Manager Plug-in for Web Servers O$;

v Z 4 3D:>$q!;

Tivoli Access Manager Plug-in for Web Servers <u

Tivoli Access Manager Plug-in for Web Servers Ik Tivoli Access Manager &CLr

/IZ;p*zD Web J4a)j{D2+Tbv=8#e~w* Web ~qw,;

xLD;?VKP,|9X=oD?vks,7(Gqh*Z(v_"a)C'O$

DVN(g{h*)#e~Ia)%;"abv=8"+ Web &CLrJ4"k|D2

+_T#

y>Ywi~Me5a9

=vy>9~iIK Tivoli Access Manager Plug-in for Web Servers - e~i~MZ

(~qw#e~i~k Web ~qw_L;pYw,(}xLd(E(IPC)SZ+?v

ksDj8E""M= Authorization Server#Z(~qw4PxkDksDO$MZ(#

Z(~qwG>X==D AZNAPI &CLr,|S\"&m4Te~Dks"xPl

&,f_e~gN&m?vks#

© Copyright IBM Corp. 2000, 2003 1

Z(~qw7(ks*07=DvibwzO(g{ Web ~qwOfZibwz)"

7(ksGqh*Z(#;h*Z(Dks1S+]x Web ~qwxP&m#h*Z

(DksIZ(~qwTBP==&m:

1. a0MO$E"SH0QO$DksPi!#

2. h*D0,t/kC'DO$;%wC#

3. 4( Tivoli Access Manager >$#

4. j6C'ITCJDJ4,;s+b)J43d=`&D Tivoli Access Manager \

#$Ts{F#;v\#$DTs{Fzm;vgS5e,}g Web >cD2+?

Vr;Jm3)C'CJD&CLr#

5. 7(Gqh*^Dksrl&#

6. (}rksrl&PmS cookie r7,r_zIl&(}g,QO$Dl&r4Z

(Dl&)4zIe~rwz Web ~qwyhDl&#

'Vibwz

Web ~qwDibwz&\9d\;ZrXxOw*`vwzvV#Tivoli Access

Manager Plug-in for Web Servers y'VD Web ~qw<a)ibw\&\#

Tivoli Access Manager Plug-in for Web Servers a)yZ?vibwz5V2+_TD

&\#5VK&\yhD&CLrhCZ>D5Dsf?VxPV[#

< 1. e~M Tivoli Access Manager i~D;%wC#


9C Tivoli Access Manager Plug-in for Web Servers #$zD WebUd

Tivoli Access Manager Plug-in for Web Servers a)TB&\:

v 'V`vO$=(,|(:y>O$"IP X7"nF"$iMm%HH#

v S\ HTTP M HTTPS ks#

v (}T@5Zi/_TDC'ksxPO$MZ(4#$ Web ~qwJ4#

v 'Vibwz73PDksO$MZ(#

v \mT Web ~qwUdDCJXF#\'VDJ4|( URL"yZ URL D}rm

o="CGI Lr"HTML D~"Java !~qLrM Java `D~#

v _Y:fa0M>$E",T\bZ(liZdTC'"am}]bDX4i/#

v a)%;"a&\

+>2+T_Tj6h*#$D Web J4M?v Web J4yhD#$6p#Tivoli

Access Manager 9Cb) Web J4Dibm>,F.*\#$TsUd#\#$Ts

Ud|,zmxgPD5JomJ4DTs#(}+J1D2+zF&C=h*#$

DTs5V2+T_T#

2+zF|(:

v CJXFm(ACL)_T

ACL _Tj6C'`M,b)C'ITCJM8(?vC'`MDTsOJmDY

w#

v \#$Ts_T(POP)

POP 8('dT\#$TsDCJD=Su~,}g#\T"j{T"sFMCJD

?U1d#

v Z(fr

Z(frG|,ZZ(_TPDu~,IC|G4yZtT(}gC'"&CLr

M73OBD)wvCJv_#

v )9tT

)9tTGCZIT0lZ(v_DTs"ACL r POP D=S5#

Tivoli Access Manager Plug-in for Web Servers DZ(~qwi~yZC'>$MkT

TsDCJXF4Jmr\xCJ\#$DJ4#*I&5V2+T_T,XkZ>

Xi/;,DZ]`M"&CJ1D ACL M POP _T#CJ\mI\GO4SD,

+IT(}TZ]`MP8V`x9ddC]W#XZ Tivoli Access Manager D+f

E"(|,hC_TDj8E")IZ6IBM Tivoli Access Manager Base \m18O7

PR=#

Tivoli Access Manager Plug-in for Web Servers O$

O$Gj6"TG<=2+rD%@xLr5eD=(#Z(G7(qO$DC'G

qP(^TX(J44PYwD=(#O$7#vKm]Df5T,+;TdTJ4

4PYwD\&vNNPO#


Tivoli Access Manager Plug-in for Web Servers *s?vM'za)m]$w45)2

+rPD_62+T#(}9 Tivoli Access Manager Plug-in for Web Servers a)M

'zDO$MZ(,Ia)+fDxg2+T#

TBu~JCZ Tivoli Access Manager Plug-in for Web Servers O$:

v e~'VO$=(Dj</O#IT(Fe~T'Vd|O$=(#

v e~xL@"ZO$=(#

v e~vh*M'zm]#(}Cm],e~q!QO$(r4O$)D>$,Z(

~qwI9CC>$Jmr\xTJ4DCJ#

b;inDO$=(Jm2+T_TyZ5qhs,x;GomxgXKa9#

Tivoli Access Manager Plug-in for Web Servers O$}LzzTBYw:

1. M'zO$zzM'zm]#

;PC'_P Tivoli Access Manager C'"amP(eDJ'1,M'zO$Ea

I&#qr+CC'8(*4O$#

2. Tivoli Access Manager Plug-in for Web Servers 9CM'zm]4qCCM'zD

>$#

e~9O$DM'zm]k"aD Tivoli Access Manager C'%d#;se~q!

J1DC'>$#bF*>$q!#

>$|(C'{0C'_PI1JqDyPi#e~I9Cb)>$4Jmr\x

T Tivoli Access Manager \#$TsUdPyksTsDCJ#

>$ICZNN Tivoli Access Manager ~q,b)~qh*XZM'zDE"#>

$9 Tivoli Access Manager \;2+4Ps?~q,}gZ("sFM/I#

XZ'VX(O$=(Dx;=E",kNDZ 35 3DZ 3 B, :IBM Tivoli Access

Manager Plug-in for Web Servers O$Mks&m;#

>$q!

O$}LDw*?DGq!hvM'zC'D>$E"#C'>$GNk2+rDX

|*s#

Tivoli Access Manager xpT}C'O$M>$q!#C'Dm]<UG;dD#;x,

>$((eC'NkDirG+)GIdD#X(ZOBDD>$ITfE1dDw

Ex|D#}g,z}3K1,>$Xk5XBD0p6p#

O$}L+zzX(Z=(DC'm]E"#+CE"k$tZ Tivoli Access Manager

C'"am(1!ivB* LDAP)PDC'J'E"xPKT#Tivoli Access Manager

Plug-in for Web Servers +C'{MiE"3dI+2r6'ZDm>Mq=,F*)

9X(tT$i(EPAC)#

X(Z=(Dm]E"(}g\k"jGM$i)zmC'Domm]tT#KE"

IC4k~qw("2+a0#

nUC=D>$(zm2+rPDC'X()hvX(OBDPDC'"RvZCa

0DP'ZZP'#

Tivoli Access Manager >$|,C'm]MKC'_PI1JqDi#


>$ICZNN Tivoli Access Manager ~q,b)~qh*XZM'zDE"#}g,

Tivoli Access ManagerZ(~qw9C>$47(GqZ(C'T2+rPD\#$J

44PX(Yw#>$9CZd|Nq,}gG<U>MsF#

The EPAC contains a universal unique identifier (UUID) that Tivoli Access Manager needs in order to process access control lists (ACLs).

The following EPAC fields apply to Tivoli Access Manager:

Table 1. Tivoli Access Manager EPAC fields

Attribute   Description

Secure Domain ID   Identity of the principal's primary secure domain

Principal UUID   UUID of the principal

Group UUIDs   UUIDs of the groups the principal belongs to

I+ Tivoli Access Manager Plug-in for Web Servers dC*Z#VC'Da0G10

D,1"BC'D>$E"#1C'h*T3)2+&CLrxPnbDCJrz#

{^F3C'DCJ(x;h*9CC'S{GD10a0P"z,K&\G\PC

D#PXdCe~xP>$"BD|`E",kNDZ 30 3D:>$"B;#


Chapter 2. Configuring IBM Tivoli Access Manager Plug-in for Web Servers

This chapter describes the general administration and configuration tasks you can perform to customize IBM Tivoli Access Manager (Tivoli Access Manager) Plug-in for Web Servers.

Topics in this chapter include:

v "General plug-in information"

v "Configuring the authorization server" on page 11

v "Configuring virtual host servers" on page 12

v "Web-server-specific configuration" on page 15

v "Customizing the object list" on page 17

v "Configuring switch user (SU) for administrators" on page 18

v "Configuring failover for LDAP servers" on page 23

v "Supporting the Platform for Privacy Preferences (P3P)" on page 23

v "Configuring plug-in auditing, logging, tracing and the cache database" on page 26

v "Configuring authorization API services" on page 30

v "Credential refresh" on page 30

v "Configuring the HTTP request cache" on page 31

v "Language support and character sets" on page 32

General plug-in information

The following topics describe general information about configuring Tivoli Access Manager Plug-in for Web Servers:

v "Root directory of the Tivoli Access Manager Plug-in for Web Servers installation"

v "pdwebpi.conf configuration file" on page 8

v "pdwebpimgr.conf configuration file" on page 9

v "Starting and stopping Tivoli Access Manager Plug-in for Web Servers" on page 9

v "HTTP error messages" on page 9

v "Macro support" on page 10

v "Form-related macros" on page 10

Root directory of the Tivoli Access Manager Plug-in for Web Servers installation

The program files of Tivoli Access Manager Plug-in for Web Servers are installed in the following root directory:

UNIX:

/opt/pdwebpi/

Windows:

C:\Program Files\Tivoli\PDWebPI\


This path can be chosen during the Windows installation of the plug-in; it cannot be changed on a UNIX installation. This guide uses the install_path variable to stand for this root directory.

On a UNIX installation, the following separate directory holds the files that grow over time, such as audit and log files:

/var/pdwebpi/

If a common Tivoli directory was selected while configuring the Tivoli Access Manager runtime, the log files are written to that directory instead.

pdwebpi.conf configuration file

You customize the behaviour of the plug-in by setting parameters in the pdwebpi.conf configuration file. The file is located in:

UNIX:

install_path/etc/

Windows:

install_path\etc\

The following table groups the stanzas of the configuration file by category.

Table 2. pdwebpi.conf stanza summary

Category              Stanzas

GENERAL               [module-mgr] [modules] [wpiconfig] [pdweb-plugins] [performance]

AUTHENTICATION        [common-modules] [authentication-levels] [authentication-mechanisms] [user-agent] [acctmgmt] [BA] [failover] [failover-add-attributes] [failover-restore-attributes] [forms] [login-form-1] [ltpa] [tag-value] [token-card] [http-hdr] [iv-headers] [login-redirect] [ntlm] [spnego] [boolean-rules] [switch-user] [dynurl] [cred-refresh] [ext-auth-int] [auth-data] [http-method-perms] [web-server-authn]

SINGLE SIGNON         [fsso] [ecsso] [ecsso-domain-keys] [ecsso-token-attributes] [ecsso-incoming-attributes] [cdsso] [cdsso-domain-keys] [cdsso-token-attributes] [cdsso-incoming-attributes]

VIRTUAL HOSTS         [virtual-host-name]

SESSIONS              [sessions] [session-cookie]

LDAP                  [ldap]

LOGGING               [web-log]

AUTHORIZATION SERVER  [proxy-if] [proxy]

P3P                   [p3p-header]

AUTHORIZATION API     [aznapi-entitlement-services] [aznapi-configuration]

WEB SERVER            [ihs] [iis] [iplanet] [apache]

For a description of the configurable parameters in the pdwebpi.conf configuration file, see Appendix B, "pdwebpi.conf reference", on page 157.

Note: Whenever you change the pdwebpi.conf file you must restart Tivoli Access Manager Plug-in for Web Servers manually for the change to take effect. For information on starting and stopping the application, see "Starting and stopping Tivoli Access Manager Plug-in for Web Servers".

pdwebpimgr.conf configuration file

The UNIX installation of the plug-in includes the configuration file pdwebpimgr.conf. It holds the parameters used to restart the authorization daemon automatically when it fails.

The file is located in:

install_path/etc/

Do not change the parameters in this file under any circumstances.

Starting and stopping Tivoli Access Manager Plug-in for Web Servers

To start and stop the plug-in processes, use the pdwebpi_start command on UNIX and the Services control panel on Windows.

UNIX:

pdwebpi_start {start|stop|restart|status}

For example, to stop the plug-in and start it again, use:

# pdwebpi_start restart

The pdwebpi_start command is located in:

install_path/sbin/

Windows:

Locate the plug-in process in the Services control panel and use the appropriate control.

Note: pdwebpi is the authorization server process. On a UNIX installation the pdwebpimgrd process restarts the authorization server automatically if it fails. On Windows the authorization server is restarted automatically by the Windows service.

HTTP error messages

Tivoli Access Manager Plug-in for Web Servers sometimes fails in its attempt to serve a request. This can have several causes; the two most common are:

v the file does not exist

v the permission settings forbid access

When a request cannot be served, the plug-in returns an error code to the Web server, which interprets the code and displays the corresponding error page.

Customizing the display of IIS error messages

IIS can customize the format and content of the error pages shown to clients, which is useful for giving clients more detailed error information. The plug-in can disable this IIS error customization facility.

The use-error-pages parameter in the [iis] stanza of the pdwebpi.conf configuration file selects whether the IIS-configured error pages or the standard error-code pages are returned to the client browser. When it is set to yes, the customized IIS error pages are used. When it is set to no, the standard error pages are shown for errors encountered by the Authorization Server. The default setting of use-error-pages is no.

Note: Setting use-error-pages to yes, so that customized IIS error pages are shown for Authorization Server errors, causes a slight degradation of plug-in performance.

Macro support

The following macros can be used in customized HTML error pages. Each macro is replaced dynamically with the appropriate information when it is available.

Table 3. Supported macro substitutions

Macro   Description

%USERNAME%   Name of the logged-in user.

%ERROR_CODE%   Numeric error code associated with the error.

%ERROR_TEXT%   Error text associated with the error.

%URL%   URL requested by the client.

%HOSTNAME%   Fully qualified host name.

%HTTP_BASE%   Base HTTP URL of the server: http://host:tcpport/

%HTTPS_BASE%   Base HTTPS URL of the server: https://host:sslport/

%HTTP_BODY%   Body of the request, if present.

%REFERER%   Value of the Referer header of the request, or "Unknown" if there is none.

%BACK_URL%   Value of the Referer header of the request, or "/" if there is none.

%BACK_NAME%   "BACK" if the request carries a Referer header, otherwise "HOME".

%POST_URL%   The configured POST URL of any Tivoli Access Manager-supplied form.

%COOKIES%   Any cookies found in the request.
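The following Python is an added example, not code from the guide or from the plug-in. It renders an error-page template that uses the macros above, HTML-escaping every value before it is reflected back, because %URL%, %HTTP_BODY%, %REFERER% and %COOKIES% are taken from the client's own request, and it only lets an http or https referer reach %BACK_URL%, which ends up inside a link. The request dictionary, the function names and the port defaults are assumptions of the example.

```python
import html
import re
from urllib.parse import urlsplit

# Macro names from the table above.  The request dict, helper names and
# default ports below are assumptions of this example, not plug-in API.
MACRO_RE = re.compile(
    r"%(USERNAME|ERROR_CODE|ERROR_TEXT|URL|HOSTNAME|HTTP_BASE|HTTPS_BASE|"
    r"HTTP_BODY|REFERER|BACK_URL|BACK_NAME|POST_URL|COOKIES)%"
)


def safe_back_url(referer):
    """%BACK_URL% lands in an href, so only accept http(s) referers.

    A referer such as javascript:... would otherwise become a clickable
    script link on the error page.  Falls back to "/" as the table says.
    """
    if not referer:
        return "/"
    scheme = urlsplit(referer).scheme.lower()
    return referer if scheme in ("http", "https") else "/"


def macro_values(request, username, error_code, error_text, hostname,
                 tcpport=80, sslport=443, post_url=""):
    """Build the macro table for one request (request is a constructed dict)."""
    referer = request.get("referer", "")
    cookies = request.get("cookies", {})
    return {
        "USERNAME": username,
        "ERROR_CODE": str(error_code),
        "ERROR_TEXT": error_text,
        "URL": request.get("url", ""),
        "HOSTNAME": hostname,
        "HTTP_BASE": f"http://{hostname}:{tcpport}/",
        "HTTPS_BASE": f"https://{hostname}:{sslport}/",
        "HTTP_BODY": request.get("body", ""),
        "REFERER": referer or "Unknown",
        "BACK_URL": safe_back_url(referer),
        "BACK_NAME": "BACK" if referer else "HOME",
        "POST_URL": post_url,
        "COOKIES": "; ".join(f"{k}={v}" for k, v in cookies.items()),
    }


def render(template, values):
    """Substitute %MACRO% tokens, HTML-escaping each value (attribute-safe).

    Unknown %...% tokens are left alone so a typo in a template is visible
    rather than silently blanked.
    """
    return MACRO_RE.sub(lambda m: html.escape(values[m.group(1)], quote=True), template)


if __name__ == "__main__":
    # Constructed request carrying a script injection in the URL and a
    # javascript: referer; neither survives into the rendered page.
    req = {"url": "/app?q=<script>alert(1)</script>", "body": "",
           "referer": "javascript:alert(1)", "cookies": {"PD-ID": "abc"}}
    page = '<p>%USERNAME%: %ERROR_TEXT% (%ERROR_CODE%)</p><a href="%BACK_URL%">%BACK_NAME%</a><pre>%URL%</pre>'
    print(render(page, macro_values(req, "alice", 403, "Forbidden", "www.example.com")))
```

Escaping with quote=True keeps the values safe in both text and attribute positions, which matters for %POST_URL% and %HTTP_BODY% since the supplied forms place them inside form attributes and hidden inputs.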

Form-related macros

Tivoli Access Manager Plug-in for Web Servers supplies the following forms, located in the /opt/pdwebpi/nls/html/lang/charset directory:

v switch user,

v token,

v forms login,

v change password.

These forms are configured with the %POST_URL% macro. The %POST_URL% macro lets the plug-in resend any POST data that was contained in the original request. Without the %HTTP_BODY% macro, some plug-in form processing ends with all of the POST data supplied by the original request being lost.

The default forms are also configured as caching forms that preserve all of the required session data: the URL of the original request, the Referer of the original request and the body of the original request.


Configuring the authorization server

The authorization server does most of the authorization and authentication processing. It provides a pool of worker threads that:

v accept requests from the plug-in,

v return the result of each request to the plug-in.

The plug-in communicates with the authorization server through an IPC mechanism implemented with shared memory. The [proxy-if] stanza of the pdwebpi.conf configuration file holds the configuration parameters that govern communication between the plug-in and the authorization server.

Configuring worker threads

The number-of-workers and worker-size parameters in the [proxy-if] stanza of the configuration file can be tuned for the best plug-in authorization server performance. When setting them, consider the number and kind of requesters on the network.

[proxy-if]
number-of-workers = 10
worker-size = 10000
cleanup-interval = 300

The number-of-workers parameter sets the number of concurrent incoming requests the plug-in can serve. When every worker thread is busy, arriving requests are queued until a worker thread becomes free. The parameter simply sets the number of threads in the pool available to serve requests; set it according to the maximum number of requests you expect the Web server to receive at once. On UNIX platforms the operating system may impose a limit on this value.

Increasing the thread count generally reduces the time a request waits to be completed. It also affects other factors, however, that can degrade server performance.

The worker-size parameter defines the amount of memory, in bytes, pre-allocated to each worker thread.

cleanup-interval is the number of seconds between two "tidy-ups" of the authorization server's shared memory.

Note: Change the cleanup-interval and worker-size parameters only when troubleshooting a performance problem.

Setting the maximum session lifetime for IPC requests

The max-session-lifetime parameter in the [proxy-if] stanza of the pdwebpi.conf configuration file sets how long, in seconds, the plug-in waits for a response from the authorization server before timing out. It concerns only the "in-flight" sessions used to pass a request between the plug-in and the authorization server. If such a timeout occurs, an error page is sent to the client. These timeouts are rare.

[proxy-if]
max-session-lifetime = 300

Note: max-session-lifetime does not control the lifetime of authenticated sessions. That is controlled by the timeout parameter in the [sessions] stanza.

Configuring error pages

The parameters in the [proxy] stanza of the pdwebpi.conf configuration file name the HTML pages to display when an error occurs. The parameters set in the [proxy] stanza are error-page, acct-locked-page, retry-limit-reached-page and login-success. Default files exist for each of them; you can edit those files or specify new ones to suit your organization's needs. The following table explains the parameters.

Table 4. [proxy] error page configuration parameters

Parameter   Description

error-page   Path to the page shown in the user's browser when an unexpected server error occurs.

acct-locked-page   Path to the page shown when a user attempts to access a locked account.

retry-limit-reached-page   Path to the page shown when the maximum allowed number of failed login attempts is reached. The maximum number of allowed login failures is set in LDAP; see "Three strikes login policy" on page 100 for details on setting the value.

login-success   The page to display after a successful forms or token login when the plug-in has no page to redirect the user to. This can happen when a login form is used that POSTs the login data straight back to the plug-in.

By default the base HTML pages are located in install_path/nls/html/lang/charset, where:

v lang comes from the NLS configuration. On a U.S. English installation lang is set to C.

v charset is the character set in which the pages are encoded. The default is utf-8.

For details of the plug-in's language support, see "Language support and character sets" on page 32.

Configuring virtual host servers

Virtual hosts are identified to Tivoli Access Manager Plug-in for Web Servers by arbitrary names set in the [pdweb-plugins] stanza of the pdwebpi.conf configuration file.

The plug-in can apply independent security policy according to two characteristics of a request:

v the identity of the virtual host the request is addressed to,

v the protocol (http or https) over which the request arrived.

The virtual host identity is derived from the configuration of the hosting Web server and is therefore Web-server specific. It is determined as follows.

IHS and Apache. The rules used to derive the virtual host identity are:

1. If a ServerName directive exists inside a <VirtualHost {hosta}:{port} {hostb}:{port}...> group, that name is used as the object space shared by every host in the virtual host list. No attempt is made to resolve the supplied ServerName to a fully qualified host name.

2. If there is no ServerName directive inside the VirtualHost group and the host names in the list are not numeric IP addresses, an attempt is made to fully qualify each name, and an object space is created for each distinct host name.

3. If there is no ServerName directive inside the VirtualHost group and the host names in the list are numeric IP addresses, an attempt is made to resolve each IP address to a fully qualified host name.

4. If none of the above yields a host name but a name is given in a global ServerName directive, that name is used (without resolution).

5. If there is no global ServerName directive, the fully qualified form of the system host name is used.

IIS 5.0 and 6.0. The identity matches exactly the Web site name shown in the Internet Information Services administration snap-in. For example, the default Web site created when IIS is configured is named "Default Web Site", and that is the identity used by Tivoli Access Manager Plug-in for Web Servers.

Sun ONE Web Server (formerly iPlanet). The identity matches exactly the virtual host name given when the virtual host was created in the Sun ONE Web Server configuration GUI. The name is stored in the <VS id= > element of the server.xml file.

Tivoli Access Manager Plug-in for Web Servers defines security policy per virtual host. A plug-in virtual host is distinguished by its virtual host identity, which is made up of an ID and the set of protocols (http, https or both) to which its protection applies. The virtual host defines the authentication modules and their order of preference, the session identification modules and the post-authorization processing that apply to requests sent to the Web server virtual host over the matching protocols. The virtual host also defines the mapping from URIs to Tivoli Access Manager protected object space names.

Tivoli Access Manager Plug-in for Web Servers virtual hosts are defined in the [pdweb-plugins] stanza of the configuration file. They can be defined as protected or unprotected. No Tivoli Access Manager security policy is applied to an unprotected virtual host. If a request arrives that matches none of the defined protected or unprotected virtual hosts, a warning containing the virtual host identity and the protocol of the request is written to the Authorization Server log file and the request is rejected. This simplifies the diagnosis of configuration problems.

Protected virtual hosts are defined by the virtual-host parameter of the [pdweb-plugins] stanza; unprotected virtual hosts by its unprotected-virtual-host parameter. The virtual host name used is usually the same as the virtual host identity it matches, but it need not be. The stanza that defines the security policy specific to a virtual host is named after the virtual host name given in the [pdweb-plugins] stanza.

The security policy for a particular virtual host is defined by the configuration parameters in the stanza carrying that virtual host name. Every parameter that can be defined in a virtual host stanza has a sensible default, so not every virtual host needs a stanza; one is required only when the virtual host's security policy differs from the defaults.

A virtual host has two parameters for matching incoming requests to the virtual host whose security policy should apply: id and protocols. The id parameter defines the virtual host identity this virtual host matches; it defaults to the virtual host name itself. The protocols parameter defines the set of protocols the virtual host matches; its value can be http, https or both, and defaults to both.

The remaining virtual host parameters define the security policy applied to requests matching that virtual host. A virtual host is associated with a particular branch of the protected object space: the URI of the request is appended to the branch to produce the protected object space name on which the authorization decision is made. The branch configuration parameter defines that branch:

[virtual_host_name]
branch = virtual_host_id

If the value has no leading slash (/), the entry is prefixed with /PDWebPI/. branch defaults to the value of the id parameter with the default object name prefix, that is /PDWebPI/virtual-host-id.


Virtual host branches

During plug-in configuration an object space called /PDWebPI is created, and within it an entry for every virtual host the plug-in protects. The object space beneath a virtual host object is used by the plug-in authorization server to make authorization decisions for resources in that virtual host's object space. By default, the branch of the object space used for a virtual host takes its name from the virtual host identity. To use a different branch of the /PDWebPI object space, specify it with the branch parameter. A branch can be shared between virtual hosts, which is appropriate when the virtual hosts are aliases of each other.

Note: When you change a branch, objects with the new name have to be created. Any ACLs that were attached previously stay attached to the existing objects.

The following example shows the configuration parameters required for a Web server with four virtual hosts:

v ibm.com,

v lotus.com-HTTP,

v lotus.com-HTTPS,

v domino.com.

The virtual hosts lotus.com-HTTP and lotus.com-HTTPS share the same branch, so in practice they are the same virtual host distinguished by the type of access (HTTP or HTTPS). With this arrangement the authentication type can be set differently depending on the access type. domino.com is not protected by the plug-in, and ibm.com is another virtual host on the same server.

[pdweb-plugins]
virtual-host = ibm.com
virtual-host = lotus.com-HTTPS
virtual-host = lotus.com-HTTP
unprotected-virtual-host = domino.com
web-server = iplanet

[lotus.com-HTTPS]
id = lotus.com
protocols = https
branch = lotus.com

[lotus.com-HTTP]
id = lotus.com
protocols = http
branch = lotus.com

[ibm.com]
id = ibm.com
protocols = http, https
branch = ibm.com

Whenever you change the virtual host configuration in the pdwebpi.conf configuration file, make sure you restart the Web server.

Setting authentication parameters for an individual virtual host requires further configuration per virtual host. For details on configuring authentication methods for a virtual host, see "Configuring authentication for virtual hosts" on page 38.
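As an added example (not the plug-in's own code), the following Python parses a [pdweb-plugins] fragment like the one above and checks the points the text relies on: every protected virtual host has a stanza, protocols only contains http, https or both, web-server is a supported type, and no two stanzas claim the same (id, protocol) pair, which would otherwise leave it ambiguous which policy applies to a request. The branch defaulting to /PDWebPI/<id> follows the text; the parser, the check functions and the overlap rule are assumptions of the example.

```python
from collections import defaultdict

# Constructed pdwebpi.conf fragment: the four-virtual-host example from
# the text above.  The parser and checks below are an added example and
# make assumptions about what a reviewer wants, not plug-in behaviour.
SAMPLE_CONF = """\
[pdweb-plugins]
virtual-host = ibm.com
virtual-host = lotus.com-HTTPS
virtual-host = lotus.com-HTTP
unprotected-virtual-host = domino.com
web-server = iplanet

[lotus.com-HTTPS]
id = lotus.com
protocols = https
branch = lotus.com

[lotus.com-HTTP]
id = lotus.com
protocols = http
branch = lotus.com

[ibm.com]
id = ibm.com
protocols = http, https
branch = ibm.com
"""

WEB_SERVERS = {"ihs", "iis", "iplanet", "apache"}   # valid web-server values


def parse_conf(text):
    """Parse stanza/key=value text into {stanza: {key: [values]}}.

    Keys may repeat inside a stanza (virtual-host = ... several times), so
    every key maps to a list kept in configuration-file order.
    """
    conf = defaultdict(lambda: defaultdict(list))
    stanza = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1].strip()
            conf[stanza]          # register the stanza even if it stays empty
        elif "=" in line and stanza is not None:
            key, _, value = line.partition("=")
            conf[stanza][key.strip()].append(value.strip())
    return conf


def protocol_set(stanza):
    """Expand 'protocols' (http, https, both; comma lists allowed) to a set."""
    tokens = []
    for value in stanza.get("protocols", ["both"]):
        tokens += [t.strip().lower() for t in value.split(",") if t.strip()]
    return {"http", "https"} if "both" in tokens else set(tokens)


def check_virtual_hosts(conf):
    """Return (problems, routes); routes maps (id, protocol) -> {stanza, branch}."""
    problems, routes = [], {}
    plugins = conf.get("pdweb-plugins", {})
    web_server = plugins.get("web-server", [None])[-1]
    if web_server not in WEB_SERVERS:
        problems.append(f"web-server must be one of {sorted(WEB_SERVERS)}, got {web_server!r}")
    for name in plugins.get("virtual-host", []):
        if name not in conf:
            problems.append(f"protected virtual host {name!r} has no [{name}] stanza")
            continue
        st = conf[name]
        vh_id = st.get("id", [name])[-1]            # id defaults to the stanza name
        protos = protocol_set(st)
        bad = protos - {"http", "https"}
        if bad:
            problems.append(f"[{name}] protocols has invalid value(s) {sorted(bad)}")
        branch = st.get("branch", [vh_id])[-1]       # branch defaults to the id
        if not branch.startswith("/"):
            branch = "/PDWebPI/" + branch            # default object-name prefix
        for proto in sorted(protos - bad):
            if (vh_id, proto) in routes:             # ambiguous policy (added check)
                other = routes[(vh_id, proto)]["stanza"]
                problems.append(f"[{name}] and [{other}] both claim id={vh_id} protocol={proto}")
            else:
                routes[(vh_id, proto)] = {"stanza": name, "branch": branch}
    return problems, routes


if __name__ == "__main__":
    found, table = check_virtual_hosts(parse_conf(SAMPLE_CONF))
    print("problems:", found)
    for key, val in sorted(table.items()):
        print(f"{key[0]:>10} {key[1]:<5} -> [{val['stanza']}] branch {val['branch']}")
```

Run it against a copy of the live file before restarting the Web server; a stanza that claims both protocols for an id another stanza already covers is exactly the kind of edit that silently changes which authentication policy a client meets.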


Web-server-specific configuration

Some operations of the plug-in are specific to the Web server and need particular configuration depending on the type of Web server the plug-in runs in. The Web server type is defined by the web-server parameter in the [pdweb-plugins] stanza of the pdwebpi.conf configuration file. Valid values are ihs, iplanet, iis and apache. For example:

[pdweb-plugins]
web-server = ihs

Web-server-specific configuration items are kept in the [iis], [ihs], [apache] and [iplanet] stanzas of the pdwebpi.conf configuration file.

Some Web server configuration parameters can be set per branch by appending the full virtual host branch to the stanza name, for example [iplanet:/PDWebPI/lotus.com]. The parameters related to browsing the Web space can be configured this way.

The following table explains the configurable parameters for each Web server type.

Table 5. Web-server-specific configuration parameters

Parameter   Description

[ihs]

query-contents   Specifies the query-contents program used to browse the IBM HTTP Server Web space for the "pdadmin> object list" command. The value can be overridden per branch by setting the parameter in a stanza named [ihs:branch], for example [ihs:/PDWebPI/lotus.com].

query-log-file   Location of the log file that records errors encountered by the query-contents program.

doc-root   Specifies the document root that gives the Web-space browsing capability needed to run the "pdadmin> object list" command. The configuration utility sets this parameter when it configures a virtual host; it is specified per policy branch in an [ihs:branch] stanza, for example [ihs:/PDWebPI/lotus.com].

[apache]

query-contents   Specifies the query-contents program used to browse the Apache Web space for the "pdadmin> object list" command. The value can be overridden per branch by setting it in a stanza named [apache:branch], for example [apache:/PDWebPI/lotus.com].

query-log-file   Location of the log file that records errors encountered by the query-contents program.

doc-root   Specifies the document root that gives the Web-space browsing capability needed to run the "pdadmin> object list" command. The configuration utility sets this parameter when it configures a virtual host; it is specified per policy branch in an [apache:branch] stanza, for example [apache:/PDWebPI/lotus.com].

[iis]

query-contents   Specifies the query-contents program used by pdadmin to browse the IIS Web space. The value can be overridden per branch by setting it in a stanza named [iis:branch], for example [iis:/PDWebPI/lotus.com].

query-log-file   Location of the log file that records errors encountered by the query-contents program.

log-file   Defines the log file for error and trace messages from the IIS plug-in. It is kept separate from the authorization server's log file to preserve the consistency of that file. A relative path is taken relative to the log subdirectory of the installation directory; an absolute path is used as given.

[iplanet]

query-contents   Specifies the query-contents program used by pdadmin to browse the Sun ONE (iPlanet) Web space. The value can be overridden per branch by setting it in a stanza named [iplanet:branch], for example [iplanet:/PDWebPI/lotus.com].

query-log-file   Location of the log file that records errors encountered by the query-contents program.

doc-root   Specifies the document root that gives the Web-space browsing capability needed to run the "pdadmin> object list" command. The configuration utility sets this parameter when it configures a virtual host; it is specified per policy branch in an [iplanet:branch] stanza, for example [iplanet:/PDWebPI/lotus.com].

In the following example, the virtual hosts ibm.com and lotus.com each have a corresponding stanza in the configuration file, [iplanet:/PDWebPI/ibm.com] and [iplanet:/PDWebPI/lotus.com], in which their specific configuration parameters are defined.

[pdweb-plugins]
virtual-host = ibm.com
virtual-host = lotus.com
web-server = iplanet

[iplanet]
query-contents = /opt/pdweb/bin/wpi_iplanet_ls

[iplanet:/PDWebPI/ibm.com]
doc-root = /usr/local/ibm.com/doc/root

[iplanet:/PDWebPI/lotus.com]
doc-root = /usr/local/lotus.com/doc/root

Web server notes

IIS. The security settings configured through the Directory Security options of the Web server properties dialog (as when configuring IIS security settings) are inheritable through the Web space inheritance structure. The plug-in automatically creates "virtual" Web space objects to handle certain functions, and the security settings of those objects are normally not inherited. Avoid leaving the security attributes of those objects mismatched. After IIS security settings are modified through the Directory Security options of the properties dialog, the Inheritance Overrides dialog is displayed. It lists the child nodes that inherited the value of the changed setting; the nodes you select there receive the new value. Do not select the PDWebPI node in this dialog.

Apache and IHS.

Disable MultiViews: when using the Apache or IHS Web server, the MultiViews directive must be disabled under the root directory. Enabling the MultiViews directive bypasses the authentication checks of Tivoli Access Manager Plug-in for Web Servers and so compromises the security of the Web server. By default, Apache enables the MultiViews directive under the document root directory.

Configure PHP scripts: Tivoli Access Manager Plug-in for Web Servers works correctly only when PHP scripts are processed inside the Web server, that is with PHP support configured as a module.

Customizing the object list

Tivoli Access Manager Plug-in for Web Servers supplies a listing program for each supported Web server; it determines the output of the pdadmin object list and object show administration commands. The standard listing programs and their locations are:

v iPlanet — install_path/bin/wpi_iplanet_ls

v Apache — install_path/bin/wpi_apache_ls

v IHS — install_path/bin/wpi_ihs_ls

v IIS — install_path/bin/wpi_iis_ls

If you need object browsing capability that is not part of the standard function, you have to develop your own listing program to replace the one supplied with the plug-in. When writing a customized listing program, apply the following guidelines.

Command-line parameters

iPlanet, IHS, Apache:

directory virtual_host log_file [-d]

where:

directory   Absolute path of the directory or file to list or show.

virtual_host   The virtual host to which the directory or file belongs.

log_file   Absolute path of the file that collects the error information produced by every operation.

-d   When -d is given, an object show is performed instead of an object list.

IIS:

[-log log_file] -path directory -vhost virtual_host [-d]

where:

log_file   Absolute path of the file that collects the error information produced by every operation.

directory   Absolute path of the directory or file to list or show.

virtual_host   The virtual host to which the directory or file belongs.

-d   When -d is given, an object show is performed instead of an object list.

Output

For each entry listed, the output format is:

<Object Type=[type] Description=[description] Attachable=[yes/no]> [name] </Object>

where:

type   Number indicating the object type. Valid values include:

v 0 unknown

v 1 domain

v 2 file

v 3 program

v 4 directory

v 5 junction

v 9 HTTP server

v 10 non-existent object

v 11 container

v 12 leaf

v 14 application container

v 15 application leaf

description   Text description of the object.

attachable   Whether policy can be attached to the object.

name   The object name of the object. It must not be preceded by any directory name.

For example:

<Object Type=2 Description="File" Attachable="yes"> apache.gif </Object>
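An added example (not code from the guide) of consuming that output in Python: it parses each <Object> record, maps the numeric type to its name, enforces the rule that the name carries no directory component, and builds the protected-object-space names under a virtual host branch for the entries to which policy can be attached. The sample output lines and the helper names are constructed for the example.

```python
import re

# Object type codes from the list above.
OBJECT_TYPES = {
    0: "unknown", 1: "domain", 2: "file", 3: "program", 4: "directory",
    5: "junction", 9: "HTTP server", 10: "non-existent object",
    11: "container", 12: "leaf", 14: "application container",
    15: "application leaf",
}

# Constructed sample of listing-program output (not captured from a server).
# The third line shows the unquoted Attachable=yes form of the template.
SAMPLE_OUTPUT = """\
<Object Type=2 Description="File" Attachable="yes"> apache.gif </Object>
<Object Type=4 Description="Directory" Attachable="yes"> cgi-bin </Object>
<Object Type=3 Description="Program" Attachable=yes> printenv.pl </Object>
<Object Type=10 Description="Non-existent object" Attachable="no"> missing.html </Object>
"""

OBJECT_RE = re.compile(
    r'<Object\s+Type=(?P<type>\d+)\s+Description="?(?P<desc>[^">]*)"?\s+'
    r'Attachable="?(?P<attach>yes|no)"?\s*>\s*(?P<name>.*?)\s*</Object>'
)


def parse_object_list(text):
    """Parse listing-program output into dicts.

    A line that is not a well-formed <Object> record, or whose name
    contains a directory separator, raises ValueError rather than being
    dropped silently, so a broken custom program is noticed.
    """
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = OBJECT_RE.fullmatch(line.strip())
        if not m:
            raise ValueError(f"line {lineno}: not an <Object> record: {line!r}")
        code = int(m["type"])
        name = m["name"]
        if "/" in name or "\\" in name:
            raise ValueError(f"line {lineno}: object name {name!r} must not contain a directory")
        entries.append({
            "type": code,
            "type_name": OBJECT_TYPES.get(code, f"unknown({code})"),
            "description": m["desc"],
            "attachable": m["attach"] == "yes",
            "name": name,
        })
    return entries


def object_space_names(entries, branch):
    """Protected-object-space names under a virtual host branch for attachable entries.

    The branch/name join is an illustration of how the URI is appended to the
    branch; it is an assumption of this example.
    """
    return [f"{branch}/{e['name']}" for e in entries if e["attachable"]]


if __name__ == "__main__":
    parsed = parse_object_list(SAMPLE_OUTPUT)
    for e in parsed:
        print(f"{e['type']:>2} {e['type_name']:<20} attachable={e['attachable']!s:<5} {e['name']}")
    print(object_space_names(parsed, "/PDWebPI/lotus.com"))
```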

Configuring switch user (SU) for administrators

The switch user function of the Plug-in for Web Servers allows designated administrators to assume the identity of any user who is a member of the Tivoli Access Manager secure domain. Switch user resembles the su command of UNIX environments. In the plug-in environment the administrator obtains the user's real credential and interacts with resources and back-end applications with exactly the same capabilities as the real user.

Switch user is a useful Help Desk tool for troubleshooting access and diagnosing problems. It can also be used to test a user's access to resources and to perform application integration tests.

The main characteristics of switch user are:

v Switch user does not require the user's password.

v The administrator uses the credential to impersonate the real user.

v Switch user is restricted to members of a special administrator group. An administrator cannot switch to any other member of that group.

v Switch user can be disabled for the Tivoli Access Manager processes, sec_master and other selected users by making them members of an exclusion group.

v A special HTML form supplies the switch user information and invokes a special authentication mechanism that returns the credential of the named user without requiring a password.

v The administrator ends the switch user session with the pkmslogout utility.


Understanding the switch user process

The following sequence describes the switch user process:

1. The process begins with an authenticated administrator who is a member of the su-admins group.

2. The administrator connects to the pre-configured switch user HTML form. The form is accessible only to members of su-admins; a user who is not a member receives a "not found" page.

3. The administrator completes the form and submits the following information: the user name (the user the administrator switches to), the destination URL and the authentication method. This results in a POST request to /pkmssu.form.

4. Two checks are made before the switch is authorized:

a. The plug-in checks whether the switched-to user is a member of su-admins. A user cannot switch to another member of su-admins.

b. The plug-in checks whether the switched-to user is a member of su-excluded. No user may switch to a member of su-excluded.

If either check fails, an error is returned. Otherwise all subsequent requests are made as though they came from the switched-to user.

5. The administrator remains the switched-to user until the standard Tivoli Access Manager /pkmslogout utility is invoked, which ends the switched-to user's session and returns the administrator to the original session.

Enabling switch user

The [common-modules] stanza of the pdwebpi.conf configuration file defines how every authentication method is used. To enable switch user, the switch-user module has to be configured as a pre-authorization module; this lets the switch user function act on the user before authorization is performed.

[common-modules]
...
pre-authzn = switch-user
...

Note: If both the acctmgmt and switch-user modules are configured as pre-authorization modules, switch-user must appear before acctmgmt in the list.

Make sure the switch user entry is present in the [modules] stanza of the pdwebpi.conf configuration file. For example:

[modules]
...
switch-user = pdwpi-su-module
...

Configuring the switch user HTML form

The switch user form is defined in the [switch-user] stanza of the pdwebpi.conf configuration file.

v The switch-user-form parameter names the file. By default the file is switchuser.html in the install_path/nls/html/lang/charset directory. On a U.S. English system the lang directory is C and charset is utf-8.

[switch-user]
switch-user-form = switchuser.html

v The switch-user-uri parameter holds the URI used to invoke the switch user function. Note that standard authorization policy does not apply to this URI: a group-based authorization check is made instead of an ACL check.

[switch-user]
switch-user-uri = /switchuser.html

v The switch-user-post-uri parameter gives the URI the switch user form is submitted to:

[switch-user]
switch-user-post-uri = /pkmssu.form

The switch user form can be edited for a customized appearance and function. The form requests the following items:

v User name (the user the administrator switches to). This user must not be a member of su-excluded, securitygroup or su-admins.

v Destination URL. This page is displayed after a successful switch user operation. You can configure it as a hidden input holding a suitable home page or a switch-user-success confirmation page.

v Authentication method. The authentication method determines the type of information used to build the user's credential. You can configure this field as a hidden input. The valid authentication method parameters are listed under "Submission" below.

v The %CUSTOM% macro is included in the default form and can be used to include automatically every configured switch user authentication mechanism in the form.

Submission of the switch user form:

v The form is available only to members of the su-admins group. No ACL is needed on the file: the plug-in performs an internal, hard-coded group membership check and returns a 404 "not found" error when that check fails.

v The user name, destination URL and authentication method are all required data.

v The required data can be embedded in the form as hidden fields.

v The plug-in checks that all of the required data is present in the submitted form. If data is missing, the form is returned to the administrator with an error message.

v The valid authentication method values are:

su-password
su-token-card
su-certificate
su-http-request
su-cdsso

Each of these selects one of the switch user authentication mechanisms the plug-in uses.

v The switch user form data is submitted to the /pkmssu.form action URL.
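The following Python is an added example, not the plug-in's implementation, of the membership rules from the process above combined with the required-field and authentication-method checks on the submitted form. The group names, the method values and /pkmssu.form come from the text; the user registry, the field names and the extra check that the destination is a local path (so a crafted form cannot redirect the administrator off-site after the switch) are assumptions of the example.

```python
# Group names and method values from the text; field names are assumed.
SU_ADMINS, SU_EXCLUDED, SECURITY_GROUP = "su-admins", "su-excluded", "securitygroup"
TARGET_BLOCKLIST = {SU_ADMINS, SU_EXCLUDED, SECURITY_GROUP}
SU_METHODS = {"su-password", "su-token-card", "su-certificate", "su-http-request", "su-cdsso"}
REQUIRED_FIELDS = ("username", "destination", "authmethod")

# Constructed user registry (user -> groups).  Not real data.
REGISTRY = {
    "alice": {"su-admins", "staff"},
    "bob": {"staff"},
    "carol": {"staff"},
    "dave": {"su-excluded", "staff"},
    "sec_master": {"securitygroup"},
    "erin": {"su-admins"},
}


def validate_su_form(form):
    """Return the problems with a /pkmssu.form submission; [] means acceptable."""
    problems = [f"missing required field {f!r}"
                for f in REQUIRED_FIELDS if not form.get(f, "").strip()]
    method = form.get("authmethod", "")
    if method and method not in SU_METHODS:
        problems.append(f"unknown switch-user authentication method {method!r}")
    dest = form.get("destination", "")
    # Added check (assumption): keep the post-switch redirect on this site.
    if dest and (not dest.startswith("/") or dest.startswith("//")):
        problems.append(f"destination {dest!r} must be a local absolute path")
    return problems


def authorize_switch(admin, target, registry):
    """Apply the membership rules of the procedure: returns (allowed, reason)."""
    if SU_ADMINS not in registry.get(admin, set()):
        return False, "requester is not a member of su-admins"
    if target not in registry:
        return False, f"no such user {target!r}"
    blocked = TARGET_BLOCKLIST & registry[target]
    if blocked:
        return False, f"cannot switch to a member of {', '.join(sorted(blocked))}"
    return True, f"{admin} now acts as {target} until /pkmslogout"


def switch_user(admin, form, registry=REGISTRY):
    """Serve the form only to su-admins, validate it, then apply the group checks."""
    if SU_ADMINS not in registry.get(admin, set()):
        return False, "not found"            # the form itself is hidden from non-members
    problems = validate_su_form(form)
    if problems:
        return False, "; ".join(problems)
    return authorize_switch(admin, form["username"], registry)


if __name__ == "__main__":
    for who, target in [("alice", "bob"), ("alice", "erin"), ("alice", "dave"),
                        ("alice", "sec_master"), ("carol", "bob")]:
        print(who, "->", target, switch_user(who, {"username": target, "destination": "/",
                                                   "authmethod": "su-password"}))
```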

Enabling and disabling users for switch user

Only administrators who are members of the su-admins group can use the switch user function and receive the switch user HTML form. Any user can be enabled for switch user by making them a member of su-admins.

An administrator can switch to any Tivoli Access Manager account except those belonging to certain groups. Other Tivoli Access Manager users are prevented from being switched to by making them members of the su-excluded group. In addition, members of the Tivoli Access Manager securitygroup group cannot be switched to; sec_master and the Tivoli Access Manager processes are normally members of securitygroup.

During switch user the plug-in checks all of these groups. You cannot switch to anyone who is a member of su-admins, su-excluded or securitygroup.


Configuring switch user authentication mechanisms

The job of a switch user authentication mechanism (a built-in shared library) is to create the credential representing the switched-to user from the supplied user name and authentication method, without requiring a password. A customized CDAS authentication mechanism must meet the same requirement.

The switch user authentication mechanisms are specified in the [authentication-mechanisms] stanza of the pdwebpi.conf configuration file. The following are supported:

[authentication-mechanisms]
#su-password = su-password-library
#su-token-card = su-token-card-library
#su-certificate = su-certificate-library
#su-http-request = su-http-request-library
#su-cdsso = su-cdsso-library

Tivoli Access Manager supplies a single switch user library that can be used to enable any of these authentication mechanisms in a default, non-customized environment. The switch user library differs from the standard authentication libraries: it takes the authentication mechanism and the user identity supplied in the switch user form and returns a valid credential for that user without requiring the user's password.

The built-in switch user shared library supplied with Tivoli Access Manager is called:

UNIX   libsuauthn

Windows   suauthn

The switch user function also supports customized CDAS authentication mechanisms. If a customized CDAS was written to add information to user credentials, a variant of that CDAS that returns a credential without requiring the user's password has to be written to support switch user. Such a CDAS is called a customized switch user CDAS.

When the default library (libsuauthn) is used for more than one authentication method, each configured switch user authentication library must still be given a unique name.

Example:

In the following example (for the Solaris platform), the existing environment has three authentication methods enabled:

1. Forms authentication using the built-in libldapauthn library

2. Certificate authentication using the built-in libsslauthn library

3. Token authentication using a customized CDAS mechanism

The environment is now extended so that switch user is supported for any of the three authentication methods. Three additional authentication parameters for switch user must be enabled in the pdwebpi.conf configuration file. In addition, a new customized CDAS library must be written: this token CDAS supports the switch user authentication requirement:

[authentication-mechanisms]
passwd-ldap = /opt/PolicyDirector/lib/libldapauthn.so
cert-ssl = /opt/PolicyDirector/lib/libsslauthn.so
token-cdas = /opt/PolicyDirector/lib/libcustom.so
su-password = /opt/PolicyDirector/lib/libsuformauthn.so
su-certificate = /opt/PolicyDirector/lib/libsucert.so
su-token-card = /opt/PolicyDirector/lib/libsucustom.so


0ld|e~&\

Ta0_Y:f,1dCD0l

QdCDe~a0_Y:f;n/&\MzfZ,15;\P;C'YwD0l#;

n/4,MzfZ(1wk\m1a0_Y:fu?x;GZP;C'YwZd|D

Da0}]X*#

1\m1w*0P;=1C'4Pks1,a0;n/(1wLx4;#\m1ax

P;C'a01,;n/4,TX(D\m1a0T;P'#

P;C'Yw;a)9a0zfZ5#ZP;C'YwZd,\m1a0zfZ,1

I\a=Z#g{"z,1,r>}a0,"z\m1M0P;=1C'#\m1X

kXBO$"YN*<P;C'Yw#

O"]}=O$6p

2mbf6Zm%PIxP=SDN}:

library&arg1 arg2 ... argx

IZ6p}V0f9C –l !n8(]}=O$6p#}g:

su-password =/opt/PolicyDirector/lib/libsuformauthn.so&-l 1su-certificate =/opt/PolicyDirector/lib/libsucert.so&-l 0su-token-card =/opt/PolicyDirector/lib/libsucustom.so&-l 2

":TZ Tivoli Access Manager DKf>,\m1Xk*@C'\kE\I&4P]

}=O$#

'VXBO$

e~XBO$&\IP;C'Yw6p#g{ZP;C'YwZdh*XBO$,\

m1XkO$*0P;=1C'#

":TZ Tivoli Access Manager DKf>,\m1Xk*@0P;=1C'D\kE

\I&XBO$#

'VC'a0\m

P;C'Yw'VC'a0\m#\m1P(;D0C'a0j61#Kb,ZP;C

'YwZd,T0P;=1C'fZ;v(;D0C'a0j61#terminate single user

session NqM terminate all user sessions NqYwgB:

v 8(0P;=1a0j6rC'a0j61,0P;=1C'a0U9#

v 8(\m1a0j6rC'a0j61,\m1a0M0P;=1C'a0<U

9#

'V tag-value(#I CDAS 9CD tag-value &\IP;C'&\6pM'V#

ZP;C'ZdsF\m1

ZP;C'ZdITsF\m1#P;C'&\+)9tTmS=j6\m1D0P

;=1C'>$#f"Z>$PD)9tTF* tag_value_prefix_su-admin:

tag_value_prefix_su-admin = su-admin-name


dP tag_value_prefix_ zme~dCD~D [pdwebpi-plugins] ZPdCD

tag_value_prefix N}#K)9tTTyPsFzF<IC#

T LDAP ~qwdCJO*F

!vZEH6,1 Tivoli Access Manager plug-in for Web servers t/1,|kNN

ICD LDAP ~qw(wr1>),S#g{ LDAP w~qwrNN-r1z,re

~Xk\kICD LDAP 1>~qw,STxPNNAYw#bGj< Tivoli Access

Manager LDAP 1>dC#PX|`j8E",kN<6IBM Tivoli Access Manager Base

\m18O7#

IBM Directory(LDAP)'VfZ;vr`v;A1> LDAP ~qw#Sun ONE(-{

* iPlanet)Directory Server(LDAP)'VfZ;vr`vF*0{Q_1D;A1>

LDAP ~qw#zXkr pdwebpi.conf dCD~D [ldap] ZPmSP4j6yPI

CZe~D1>~qw#T?v1>9CBPo(:

replica =ldap_server,port,type,preference

dP:

ldap-server LDAP 1>~qwDxg{F#

port C~qwl}DKZ#(#,Tb\D(E9C 389,T SSL OD(E9C

636#

type 1>~qwD&\ - 0;A1r0A41#(#9C0;A1#0A41`M

+zmw~qw#

preference 1 – 10 .dD}V#!q_Pn_EH(5D~qwxP LDAP ,S#kN

D6IBM Tivoli Access Manager Base \m18O7PD:hC1> LDAP ~

qwDW!n5;#

>}:

replica = replica1.ldap.tivoli.com,389,readonly,5
replica = replica2.ldap.tivoli.com,389,readonly,5

'V~=W!n=((P3P)7

~=W!n=((P3P)n?GC;V3;D==a)hvC'~=W!nM Web ~q

w~=_TE"D==Dr,x*Kj<#C'I9C P3P dC7(T Web ~qw+

*DE"MgN9Cb)E"D~=W!n#Web ~qwI9C P3P 8(|U/NV

C'~=_TE"M|+gN9Cb)E"#M'zITzwIAq=q! Web ~q

wD~=_T,b)M'zODtCK P3P D/@wIAC~=_T"+dkC'T:

D~=W!nxPHO#Web ~qwD~=_TMC'D~=dC;%d1,+TC'

"v/f#

P3P D(#C>G9/@w\;wvXZGqS\S Web ~qwSU=D cookie D

G\v_#Z Internet Explorer 6.0 P1!tCTK&\D'V#g{ Internet Explorer

6.0 SU=4T4"M P3P _Tr"MD_TkC'~=W!n;%dD>cD

cookie,r/@wITv(T/h{C cookie#

e~@5Z cookies 4,$a0E",T0}g#tJO*FE".`DE"#Internet

Explorer 9Cd1!hCh{ cookie,rK+;f"e~ cookie,byMP'X^FK


e~D&\#hCe~ cookie 1,e~a)8(k3f;p"MD9u P3P _Tod

D P3P dC!n#e~ P3P dC!nJmz4(kzDi/D~=_T%dD9u

P3P _T#;sIM'zv(GqJmhC Tivoli Access Manager cookie#

":;&+ P3P _TdC*kzDi/~=_T;%dTvJm Internet Explorer S

\ cookie#ZTe~ cookie tC P3P _T.0,k7#zl$ P3P f6"}7

mbgNywzDi/D~=_T#

dC P3P 7

e~a)dCN},b)N}k W3C P3P (iD9u_To(D(e%d#&+b)

N}dC*TZ,$zDi/D~=_TDj{TD,1Jme~ cookie#

dC P3P 7DZ;=GhC pdwebpi.conf dCD~PD [pdweb-plugins] PD

send-p3p-header N}#I(}ZC'(eD [virtual_host_name] ZP(eKu?4

yZ?vibwzhC|#+ send-p3p-header N}hC* true 48(e~Gq+

|,9u_TodD P3P 7mS=hCK cookie DyP HTTP l&#1!ivB,

{C P3P _TD"M#

g{zQtCK P3P 7D"M,r&hC [p3p-header] r [p3p-header:virtual_host]ZPDN}#b)N}(e&CZyP HTTP cookie /D9u_T#

KZPD1!hCJm+a0 cookie f"= Internet Explorer 6 /@wP - 49|

GT>*Z}= cookies#

m 6. [p3p-header] N}

N} 9C

p3p-element }9CKZPd|N}dCD9u_Tb,9I9CKN}48(T

j+ XML _TD}C#

TP p3p-element = policyref="/w3c/p3p.xml"

!{"M,8>/@w"MTj+ XML _TD8(}C#

":h*T /w3c ?<hCJm!{O$CJD ACL TJmCJC

_T#IZ Internet Explorer ;fks"MJmi4_TDO$E

",yTbGXhD#

access 8(C'_PDT|,Z cookie P"(} cookie 4SDE"DCJ

(#I\D5P:

none

all

nonident

contact-and-other

ident-contact

other-ident

disputes 8(j+ P3P _TGq|,;)E",b)E"XZT cookie P|,

DE"Dyi#P'5* true r false#KN}Z1!ivBhC*

false#



remedies 8(yiDI\^4#I\D5|(:

correct

money

law

g{48(,r_TP;|(NN^4E"#

non-identifiable hC* true 1,KN}8(;TNN==C cookie PDE"r(}

cookie 4SDE"vT/Xj6C'#P'5G true r false#KN}

Z1!ivBhC* false#

purpose 8(Z cookie PM(} cookie 4SDE"DC>#I\D5|(:

current

admin

develop

tailoring

pseudo-analysis

pseudo-decision

individual-analysis

individual-decision

contact

historical

telemarketing

M other-purpose#

TyP} current TbD5,ITdC=S5w{#I\D5|(:

always

opt-in

opt-out#

T48(DC>,1!5* always#C5Z purpose s8(,C0EV

*,}g:

purpose = contact:opt-in

recipient 8(Z cookie PM(} cookie 4SDE"DU~K#I\D5|(:

ours

delivery

same

unrelated

public

other-recipient#

retention 8(Z cookie Pr(} cookie 4SDE"D#t1d#

I\D5|(:

no-retention

stated-purpose

legal-requirement

business-practices

indefinitely#



categories 8(f"Z cookie Pr(} cookie 4SDE"D`M#

g{hC non-identifiable N}* true,r;h*dCNN`p#I\D

5|(:

physical

online

uniqueid

purchase

financial

computer

navigation

interactive

demographic

content

state

political

health

preference

location

government

other-category

P3P dCD>}:

[pdweb-plugins] or [virtual_host_name]
send-p3p-header = true
...
[p3p-header] or [p3p-header:virtual_host_name]
# p3p-element = policyref="/w3c/p3p.xml"
access = none
disputes = false
non-identifiable = false
purpose = current
purpose = other-purpose:opt-in
recipient = ours
retention = no-retention
categories = uniqueid

dCe~sF"U>G<"zYM_Y:f}]b

U>G<MsFITrza)PzZ7(zI\v=DXZe~DyPJbDE"#

g{"VPJb"h*ms{"D51S<,rZ0(9C -foreground !nt/e

~:

pdwebpi -foreground

":TZ IIS OD20,ZT0(==t/e~.0XBt/ IIS 4MEyPVPD2

mZf#

4,Mms{"G<Z pdwebpi.conf dCD~D[pdweb-plugins] ZPD log-file"

logs M log-entries N}PdCDD~P#

e~sFMy>_Y:f}]bdC9C pdwebpi.conf dCD~PD

[aznapi-configuration] ZPDN}4P#

sFG<

Z( API Dy>~qJm6qO$(authn)MZ((azn)sFB~#

;xj<0authn1sFB~;b0XZO$"TDc;E",e~}Z#$`vwz

1,b0b)E"CZJm+b)B~kX(ibwz`X#*K,e~4P|T:

DsFB~`pT6qibwzX(DO$E"#

j<0azn1sFB~y]9C /PDWebPI/virtual_host_name 0:9lD\#$Ts{F

6qke~`XDibwzE"#

e~X(DO$sFB~G<ZibwzX(DsFB~XP,9lgB:

wpi.virtual_host_name.authn.authentication_module_name

e~X(DO$sFB~{O6IBM Tivoli Access Manager Base \m18O7Phv

D DTD (e#

XML y=.wpi/sFG<D*XZBmPxPKhv#

m 7. O$sFG<VN(e#

XML jG hv

<event> sFG<Db0jG#C*X|,hvG<D doc `M(e^

)DtT#

<date> B~"zDUZM1dDG<#

<outcome> KjG*X|,j6 Tivoli Access Manager re~mszkD

status N}#C*XhvB~DwVa{#I\D5|(:

v 0 = I&

v 1 = '\

v 2 = ]R

v 3 = 4*

<originator> sFG<DzI_ZD7jG#KjG*X|,j6TB~:

pD Tivoli Access Manager blade D blade N}#

<component> CjGj66qsFG<Di~#Ci~TBPq=G<:

wpi. virtual_host_name.type_of_event.module_name

<action> j6"TDO$=(#Ywzk0d`&DO$zF|(:

16961 - BA
17236 - M'zK$i
17731 - Ecsso
17999 - JO*F cookie
17997 - m%
18504 - HTTP 7
18768 - IP X7
4806211 - IV 7:PAC >$
4806229 - IV 7:C'{
4806220 - IV 7:(P{F
300609 - IV 7:IP X7
21579 - nF

<location> (et/B~D~qw{F#


<accessor> sFG<DCJ_ZD7jG#jG*XIT|,CJ_D{

F#

<principal> principal jG|,j6}ZO$D?<~qDN} auth#Cj

G(eQi$DC'{#

<target> target jG|,ITGBP5.;DN} resource:

v 0 = Z(

v 1 = xL

v 2 = TCB

v 3 = >$

v 4 = #f

O$sFG<<UQbv5hC* 3 - >$#

<object> #tTZO$}L;_PbeDsF}]#

<data> =SO$JOE"#}g,9C HTTP 7E"DO$"TZdD

JO+ZKVNPzzsFU>G<,G<'\D HTTP 7#

sFdC

BmT>KsFdCN}"5wd&\#

m 8. sFdCN}(e

N} hv

logsize U>D~}I*BD~Ds!(TVZ*%;)#g{hC*

0,r;}IU>D~#g{C5*:},r;\ds!x?l

}IU>#

logflush "BU>D1ddt(k)#n`* 6 !1,1!5* 20 k#

logaudit tCr{CsF#

auditlog 8(sFD~D{F#

auditcfg tCr{CZ(M/rO$sF#

}g:

[aznapi-configuration]
logsize = 2000000
logflush = 20
logaudit = no
auditlog = audit.log
auditcfg = azn
#auditcfg = authn
auditcfg = wpi

zYe~Yw

Tivoli Access Manager Plug-in for Web Servers a)zYYwM+a{f"ZD~PT

CZwTD\&#zYw*GI&CLr'V9CDVvMJboO$_,CZq!

<BJbDYwDj{S<#w*C',zI\"V,}GzZoO4SJb,3)

e~zY$_GPCD,!\s`}$_C&;s#


Ze~&zY HTTP {"GI\D#ba\PC,r*|7PXT>SC'U=DT0

5XxC'D{" - 49(EG(} HTTPS D#9Cj< pdadmin zY|n4r

*MXUzY#

IzYZ(v_DdkMa{Tc{Z(_TdCJbDoO#KzYT>C'>$

E",|({F"UUID"a0j6MtT#KzY9T>C4wvv_D Tivoli Access

Manager \#$TsD{FMh*DmI(#9aT>v_Da{T05XDNbv_

tT#

pdadmin zY|n

PvzYi~: list |nzzITzYDyPe~YwDPm#

o(:

pdadmin> server task PDWebPI-server-name trace list [component]

PvDs`}zYNqGX(Z Tivoli Access Manager D#e~X(DzYnT

pdwebpi *0:#

hCzYi~: zI\"V}vw*DzYnTwT\PC:

v pdwebpi.request

v pdwebpi.plugin

v pdwebpi.azn

pdwebpi.request hC* 2 1,T?v(}e~+]DksxPzY#

pdwebpi.request hC* nine 1,ks7|,ZzYP#pdwebpi.plugin Ze~~

qwP$nzY#yP{"<"M= Web ~qwDU>D~P,rZ IIS DivB"

M=;,Z)Z(~qw9CDU>P#+ pdwebpi.azn hC*XZ?vZ(v_D

zYr*E",|(\#$Ts{F"mI(V{."C'{"a0j6"HTTP =("

HTTP URI Mv_a{#pdwebpi.azn hC* two 1,T=SD>$tTE"T0d

kdvv_tTxPzY#pdwebpi.azn hC* five 1,|(XZ]}=XBO$&

mD=SE"#

zY set |n_PBPo(:

pdadmin> server task PDWebPI-server-name trace set component level [file path=file|other-log-agent-config]

dP component GI list |nT>DzYi~D{F#zYkTKi~xhC#level G

*zYU/Dj8E"?#6'G 1 = 9,1 m>n;j8,9 m>nj8#I!D

file path N}8(zYdvD;C#1!ivB,+zYdv"M=j<dCDe~U

>D~(}9Ci~ pdwebpi.plugin Tb)#TZ IIS 20,<U9CdCD~PD

[iis] ZPD log-file N}4dC+e~i~zY"M=DD~D{F#

I9C -foreground !n+dv"M=A;#4:

pdwebpi -foreground

T>zYi~: *T>zYi~,TBPq=9C show |n:

pdadmin> server task PDWebPI-server-name trace show [component]


_Y:f}]bhC

ITdCe~(ZV/wZ(}]bT|BE"#cache-refresh-interval N}ITh

C*0default1"0disable1rTk*%;DX(1ddt#0default1hCG{C#

[aznapi-configuration]
cache-refresh-interval = 60

db-file N}(e= ACL _Y:f}]bD+76#1!ivB;hCKN}#

[aznapi-configuration]
db-file = /var/pdwebpi/db/pdwebpi.db

listen-flags N}tCr{C_T_Y:f|B(*DSU#0disable15{C(*l}

w#KN}I svrsslcfg 5CLrhC#

[aznapi-configuration]
listen-flags = disable

dCZ( API ~q

pdwebpi.conf dCD~D [aznapi-entitlement-services] ZT~q8(~qj6#?

vZu?(e;,`MD aznAPI ~q#XZ|`E",kN< IBM Tivoli Access

Manager Administration C API Developer’s Reference#

?vu?ICBPq=:

service_id = path_to_dll [ & params ... ]

~qj6I aznAPI M'zC4j6wV~q#1~qI aznAPI u</1,IT8(

+]=~qDN}#Zu?P,N}Z0&1{Es#

>$"B

Za0Zd,C'O$1U/DE"+_Y:f=>$P,XZe~C'>$D|`

j8E",kNDZ 4 3D:>$q!;#

}GdC>$"B,qrTC'O$E"D4wvD|D(gSiPmSr}%C

');a43ZC'a0P,1=4(BDC'a0#

>$"B\PCD;)-r|(:

v zIT"BC'D>$x^h*s{G"z"XBG<=&CLr#by\9C'

|=cX9C&CLr#

v |*\m1a)Z10a0ZdTC'a)T2+ Web TsDnbCJ(D\&#

v g{\m1PmI`EC';PJ1XYw,|(}Jm\m1^FCC'Z10

a0ZdDCJmI(a_K2+T#

dC>$"B

pdwebpi.conf dCD~PD [common-modules] Z(eKyPO$=(D9C#*

tCO$"B&\,h*+ cred-refresh #idC*$O$#i#

[common-modules]
...
pre-authzn = cred-refresh
...

7#Z pdwebpi.conf dCD~PD [modules] ZPfZ>$"Bu?;4:

[modules]
...
cred-refresh = pdwpi-cred-refresh-module
...

"B>$1,zI\"VS-<>$#t;)XZC'DE"\PX*#}g,;v

(FtTI\G<KC'DG<1d,Z"B>$1#VC1d;dG\X*D#e

~JmzZ4P"P1dC*#tDtT#b)dCyZtT{F#

[cred-refresh] r [cred-refresh:virtual-host] Z8(*S-<>$#tDtTMZ"z

>$"BYw1*"B=B>$PDtT#Cq= preserve = attribute_pattern 8(5

CZ*S-<>$#tDtT#Cq= refresh = attribute_pattern 8(*"BD5#

j<e~#=%dfrJCZtT#=,+V{HOGxVs!4D#XZJmD%

dfrD|`E",kN<Z 191 3D=< E, :}rmo=PJmDXbV{;#

TBfrJCZtTPm:

v ZZPvVCOgDfrEHZvVOmDfr#

v 1!ivB,"B;kNNtT%dDfr#

v ^[ [cred-refresh] ZgNdC,3)tT<U#t#b)tT*:

– AZN_CRED_AUTHNMECH_INFO,

– AZN_CRED_BROWSER_INFO,

– AZN_CRED_IP_ADDRESS,

– AZN_CRED_PRINCIPAL_NAME,

– AZN_CRED_QOP_INFO

v ^[ [cred-refresh] ZDZ]G24,<U#tI aznAPI jG*;ADtT#

v g{;vtTZ-<>$P;fZ,r^[KZgNdC,<;#tCtT#

":v13>$Z>$_Y:fP;fZ1,ES"am"BC>$#

;)dCK>$"B&\,zMIT9C pdadmin |nP5CLr4"BX(C'D

>$#TB>}T>+C'mS=Bi"ZC'T;&ZG<4,1"Bd>$D|

n,byMP'XZhKC'TCBiDCJmI(#

pdadmin> group modify group_name add user_name
pdadmin> server task server_name refresh all_sessions user_name

":Z UNIX =(O,Zw{>$"BdCs^hXBt/e~#Z Windows O,g

,T pdwebpi.conf yvDyP|D,*9>$"BdC|Dz',h*XBt/

e~#

dC HTTP ks_Y:f

g{XBO$*sPOKks&mDjI,Z HTTP X(rZd,e~_Y:fks}

]"9CK_Y:fD}]X(ks#K&\PfZ POST M PUT ks,r*b)k

s`MI|(;,DE"VN#


1O$*sPOK;vks1,e~+_Y:fyPX*DE",TZXBO$sD

HTTP X(rZdX(Cks#_Y:fDksE"|( URL"METHOD"{"we"

i/V{.T0yP HTTP 7(|( cookie)#K}]]1f"Ze~>$/a0_Y

:fP#

I&O$(rXBO$)s,e~+ HTTP X(r"M=/@w#/@wq-A|,Z

X(rPD-< URL DX(r#e~9XX(r"9C_Y:fD}]X(ks#+

X(ks+]= URL ?j#

dC~qwKD_Y:fN}

Ze~dCD~PD [pdweb-plugins] ZPD max-cached-http-body N}8(K*

Nbx(Dks_Y:fD HTTP we}]Dns}?#1we}]D}?,vdCD

ns51,+OzyPwe}?#

[proxy-if] ZPD worker-size N}XFTNbx(ksVdDZf?#

max-cached-http-body Ds!AY&C{OTBc(:

max-cached-http-body * 4/3 * 2 + 3000 <= worker-size # #

Kc(Y( 3000 VZDZfcTfEksu%Nb POST }]M5XDm%u%_Y

:fD POST }]#g{ksDs!SO5Xm%Ds!I\,v 3000 VZ,r&C

vs worker-size u?ru! max-cached-http-body 5#

oT'VkV{/

Tivoli Access Manager Plug-in for Web Servers ITC'W!DoTT> Tivoli Access

Manager zID HTML 3f#HTML 3fPCZT>DoTS HTTP ksPR=D

j< Accept-Language 7qC#oT5C=vV{4m>#;CX(D5C=?VDq

=m>,8>oTMCoTf>y9CDzRrXx#>}|(:

v es(w`@o)

v de(Bo)

v en("o)

v it(bs{o)

v en-US("o/@z)

v en-GR("o/"z)

v es-ES(w`@o/w`@)

v es-MX(w`@o/+wg)

v pt-BR(OQ@o/Mw)

g{e~Z HTTP ksPR=;OJDoTzk,Z;fZ_PJqD=TDivB,

|XToTPm(}g es-MX XT* es)#g{T;R;=OJDoT,~qw+9C

"o#

;P|,Z install_path/nls/html/lang/charsetPD Tivoli Access Manager zI3

fET`VoTa)#b)3fD>}|(yP Tivoli Access Manager O$m%M

Tivoli Access Manager J'\m3f#


HTTP 7P Accept Language VN8(DoT1S3d=Z install_path/nls/html ?

<PR=D?<#IT(}4FoT?<4^D~qwTJ&oT5w{Dd/#*

^D~qw,&C4FD5JoT?<*:

am base install directory/nls/msg/lang
am webpi install directory/nls/html/lang/charset
am webpi install directory/nls/msg/lang/charset

BmPvKe~'VDoT0X*DS?<{F:

m 9. e~'VDoTT0'VD?<#

oT 53?<

"o(1!5) C

]Ko cs

Bo de

w`@o es

(o fr

Y@{o hu

bs{o it

Uo ja

+zo ko

(<o pl

MwOQ@o pt_BR

mo ru

PD(Pz) zh_CN

PD((e) zh_TW

HTTP 7PD Accept Language VNA`\6p.VoTf6#

x(oTD;,DV{/;ZoT'VBD?<P#yZSM'zSU=D

accept-charset 7D5!q9CDV{/?<#g{R;=%d(rg{4hC7),

r9C utf-8 ?<#

IyZ accept-language M accept-charset 7tCM{CT;,oTMV{/D'

V#Z [pdweb-plugins] ZPdCb)N}D1!hC,+I(}9Cibwzj6

D{FZ3ZP(e|G4T?vibwzXhb)N}#

[pdweb-plugins] or [virtual-host]
...
use-accept-language-header = true
...
use-accept-charset-header = false

Z1!ivB,{C accept-charset 7#

"T(;zID HTML l&DoT1,use-accept-language-header N}tCr{

C accept-language HTTP 7#

"T(;+ HTTP ksD*XbkT0zI HTML l&DV{/1,

use-accept-charset-header N}tCr{C accept-charset HTTP 7#1!5(g{

ZKdCD~PR;=D0)* false#


I+ user-agent 7Cw!qoTMV{/D accept-language M accept-charset 7D8

!n#user-agent 7|,ZQ*h8Dhs1IC4a)oTMV{E"DX(Zh8

DE"#v1R;= accept-language M/r accept-charset 71,rG)7;{C1,

E9C user-agent 7#

S user-agent =oTMV{/D1!3dZ [user-agent] ZPdC"IT?;vib

wzXh#CZ|(48(3rk user-agent 7Z]%dD#=Pm#PXICD(d

{DPm,kN<Z 191 3D=< E, :}rmo=PJmDXbV{;#g{R=%

d,r9C`&DoTMV{/D?<#}Tx(D user-agent #=8(oTMV{/

b,9I\8(;v?<#ZbVivB,"M Tivoli Access Manager 3f19C8

(D?<{x;GV{/D?<{#K?<Xk;Z8(DoT?<B#

Z 3 B IBM Tivoli Access Manager Plug-in for Web Servers O$Mks&m

>BV[ IBM Tivoli Access Manager(Tivoli Access Manager) Plug-in for Web Servers

gN,Va04,"&mO$xLT0TZ(Da04PNNXhDsO$&m#

>B|(TBwb:

v :ks&m}L;

v Z 37 3D:dCO$;

v Z 44 3D:\ma04,;

v Z 50 3D:O$dCEv;

v Z 53 3D:dCy>O$;

v Z 55 3D:dCm%O$;

v Z 57 3D:dC$iO$;

v Z 58 3D:dCnFO$;

v Z 62 3D:dC SPNEGO O$;

v Z 68 3D:dC NTLM O$(vkT IIS =();

v Z 69 3D:dC Web ~qwO$(vkT IIS =();

v Z 70 3D:dCJO*FO$;

v Z 83 3D:dC IV 7O$;

v Z 85 3D:dC HTTP 7O$;

v Z 87 3D:dC IP X7O$;

v Z 88 3D:dC LTPA O$;

v Z 88 3D:dCG<sDC'X(r;

v Z 89 3D:*>$mS)9tT;

v Z 92 3D:r HTTP 7mS LDAP )9DtT(jG5);

v Z 93 3D:'V`74CzmLr(MPA);

ks&m}L

Tivoli Access Manager Plug-in for Web Servers Z?v Web ks=o Web ~qw1

TdxP&m#ks&m}L2PKv=h:

1. ibwzj6

ks&mDZ;=GTksykTDibwzxPj6#ZZ 12 3D:dCib

wz~qw;PV[KibwzDj6#

2. a0j6

;)7(Kibwz,MTksxPliTq!VPDQO$a0E"#KE"I

\Ga0 cookie,2I\G SSL a0j6#CZj6a0DE"IQdCDa0#

i7(#Z 44 3D:\ma04,;V[K?vICDa0#i#

3. O$

© Copyright IBM Corp. 2000, 2003 35

g{4j6NNVPa0,rliksTq!O$E"#KE"I\Gngy>O

$C'{M\k"G<m%a;rM'z$i.`DE"#CZO$M'zDE"

IQdCDO$#i7(#:O$}L;V[K?vICDO$#i#

g{ZksPfZP'O$E",r4(BDQO$C'a0#g{;fZO$E

",r+ksw*4O$Dks#g{ksPfZDG^'DO$E"RO$=(

'VO$E"DXBdk(}g,y>O$),ra*sC'YNa){GDO

$#g{O$=(;'VXBdk(}g,M'z$i),rTM'z5X;vm

s#

4. Z(0

Z3)ivB,ZZ(TksDJ4DCJ0,I\h*u<ks&m#NNQd

CDZ(0#iyI4PK&m#Z(0#ia);h*Z(D&\,r|G'V

h*ZZ(v_0CJksD\&#

5. Z(

ZZ(}LP,(}9Cka0`X*D>$E"4I/ Tivoli Access Manager _

TT7(Gq&Z(CJyksDJ4T0ZNVu~BxPZ(#b)(eC4

XFTJ4DCJD_TZZ 97 3DZ 4 B, :IBM Tivoli Access Manager Plug-in

for Web Servers 2+T_T;P(e#

6. O$}6

1C'DO$6p;JOCJyksDJ4rksG4O$D1r,YNliKk

sTq!ITy*sDO$6pO$C'DO$E"#g{;fZbyDE",R

dCKO$#i(C#i'Vby;V&\,C&\*sC'a)y*sDO$6

pDE"),r*sC'a)byDE"#g{^(+QO$DC'a0}6=c

;D6p4CJJ4,r\xCJ#

7. Z(s

ZxPZ(v_s,P12ah*xP3)&m:

v Z Web ~qw&m Web ks0,^D Web ks,}g,ek;v7

(header),

v ^D Web ~qwzID Web l&,}g,hC cookie,

v zIj{Dl&x;h* Web ~qw&mCks,}g,I&G<s+C'X(

r=X(3f#

IZZ(v_I\a0l&mksD==,rK+Z*@Z(}LDa{s4Pb

)Yw#b)&\IZ(s#ia)#

8. l&&m

ngm%%;"a(FSSO)Mb?O$SZ(EAI)&m.`D&\h*Ie~&

m Web ~qwzIDl&x;G+d"MAM'z#(#,9Cl&&m,e~I

Z+fzl&+]xC'0&m4T Web ~qwDl&#h*K&\D#iF*l

&#i#

O$}L

O$Gj6"TG<=2+rD%@xLr5eD=(#I&DO$azzzmC'

D Tivoli Access Manager m]#e~9CKm]q!CC'D>$#>$I

Authorization Server 9C,TcZT ACL mI("POP u~MZ(fr(|GXF?

vJ4D_T)xP@@sJmr\xCJ\#$DJ4#


":ACL = CJXFm_T

POP = \#$Ts_T

1!ivB,Tivoli Access Manager Plug-in for Web Servers 'V8VO$=(,"I

xP(FT9Cd|=(#

dCO$

yPICDO$=(0dX*D2mb{F<(eZ pdwebpi.conf dCD~D

[modules] ZP#[modules] Z9PvKCZa0j6MZ(s&mD#i#b)#i

Zsfhv#2mbXkfZZ pdwebpi/lib ?<P#8(2mb{1;xPNNYw

53X(D0:(g lib)MNNYw53X(Ds:(g dll)#}g:

BA = pdwpi-ba-module

Z0v>}P,BA #ib8(* pdwpi-ba-module#Z Windows O,e~a0R{

* pdwpi-ba-module.dll DD~,Z Solaris O,|+0R{* libpdwpi-ba-module.so

DD~,xZ AIX O,|+0R{* libpdwpi-ba-module.a DD~#

":bD~D8C1!Qw76IT(eZ [module-mgr] ZP#

[modules] ZP(eD?vj)<PdTm`&DZ,}g [BA]"[cert] M [token]#Zb)ZP8(?vO$=(DX(dCE","&CZCO$=(,K=(@"Z

wCdDibwz#g{h*Z?vibwzDy!OxPXbdC,rIT9C{

Cibwzj)^(#ij)DZ2G1!dC#}g:

[BA]
basic-auth-realm = "Access Manager"

[BA:ibm.com]
basic-auth-realm = "ibm.com"

ZOv>}P,9Cy>O$CJibwz ibm.com DC'+~S [BA:ibm.com] Z

P8(DdCN}#

#iDj<dC;Jm*x(DO$=(8(;v#ib5},}g:

[modules]
BA = pdwpi-ba-module

;)20I\h*8(`vO$b5}#1T;,O$6ph*;,D#iP*1I

\4Pb;Yw#TB>}T>Km%O$#iD=v5}DdC#

[modules]
BA = pdwpi-ba-module
forms-authn-level1 = pdwpi-forms-module
forms-authn-level2 = pdwpi-forms-module

[common-modules]
authentication = forms-authn-level1
authentication = forms-authn-level2
authentication = BA

[forms-authn-level1]
login-form = level1-form

[forms-authn-level2]
login-form = level2-form

[BA]
...


dCO$=(Dns=hG8(O$=(#b)=(4U|GDEH3rZdCD~

D [common-modules] ZPhC#}g:

[common-modules]
session = ssl-id
session = BA
session = session-cookie

authentication = cert
authentication = BA

post-authzn = ltpa

ZOv>}P,dChC7#:

v W! SSL a0j6CZ,$a0E"#

v SSL a0j6;IC1,BA 7(g{IC)CZ,$a0E"#

v SSL a0j6r BA 7<;IC1,ns9Ca0 cookie ,$a0E"#

v W!$iCwO$=(#

v $i;IC1,9C BA O$#

v LTPA cookies w*Z(s&mD;?VmS=ks#

dCibwzDO$

(}Z?vibwzZP1S8(=(ITyZ?vibwz5VO$=(DdC#

}g:

[pdweb-plugins]
virtual-host = ibm.com

[ibm.com]
...
session = ssl-id
session = BA
session = session-cookie

authentication = cert
authentication = BA

post-authzn = ltpa

8(ibwzDO$=(D8C==G*O$=(dC(e;Z#by+Jm`vi

bwz2m;v#idC##idCZIibwzZPD modules N}8(#}g:

[pdweb-plugins]
virtual-host = ibm.com
virtual-host = lotus.com

[ibm.com]
modules = ibm-lotus-module-stanza

[lotus.com]
modules = ibm-lotus-module-stanza

[ibm-lotus-module-stanza]
authentication = BA
session = BA
post-authzn = ltpa

g{4ZdCD~P(eyZ?vibwzDO$=(dCD%@Z,ryPibw

z9C [common-modules] ZPdCDN};4,modules N}D1!5G common

modules#

TB>}hC;vF* ibm.com Dibwz,+KwzdC*ZIT9C SSL a0j

6DX=9C SSL a0j6,Z;IT9C SSL j6+_P BA 7DX=9C BA

7,"R9Ca0 cookie w*,$a0E"DnsVN#|'VZy>O$.0xP$

iO$,"R;)O$I&c+ LTPA cookie mS=+I Web ~qw&mDksP#

>}vT>K&(eDN}#

[pdweb-plugins]
virtual-host = ibm.com

[modules]
ssl-id = pdwpi-ssl-id
session-cookie = pdwpi-session-cookie
BA = pdwpi-ba
cert = pdwpi-cert
ltpa = pdwpi-ltpa

[ibm.com]
session = ssl-id
session = BA
session = session-cookie

authentication = cert

post-authzn = ltpa

(}4(ibwzX(DO$dCZ,ITyZ?vibwz5VO$N}Dx;=

dC#TB>}T>K=vibwz(ibm.com M lotus.com)DdC#?vibwz<

P#iX(DO$dC#

[pdweb-plugins]
virtual-host = ibm.com
virtual-host = lotus.com

[modules]
...

[ibm.com]
session = BA
session = session-cookie

authentication = BA
authentication = forms

[lotus.com]
session = session-cookie

authentication = BA
authentication = cert

[BA:ibm.com]
basic-auth-realm = "Access Manager - ibm.com"

[BA:lotus.com]
basic-auth-realm = "Access Manager - lotus.com"

dCO$=(D3r

QdCDO$=(T>ZdCD~PD3rTZe~m~D}7YwG\X*D#h

*P8<G!qDO$=(,"RT_PJO#$D==xP5)"5V2+?j#


Tivoli Access Manager Plug-in for Web Servers Z3VLHO'VwVO$=(,b)

=(ITkT;,DC'hsxP(FTzc;,D2+*s#

g>D5D0vwZPy{,pdwebpi.conf dCD~D [common-modules] Z8(

#{9CDO$=(#dCD~D [authentication-levels] Z(e]}=O$6p(k

N<Z 103 3D:O$?H\#$Ts_T(]});)T0 [common-modules] Z

PdCDO$=(DEr#

g{4Z [authentication-levels] ZP(eu?,rO$=(D1!5*6p 1#;s

+ [authentication-levels] ZP(eDO$=(DO$3r7(*Sn_O$6p=n

MO$6p#g{3vO$6pI`v#i2m,r4U#iZ [common-modules]ZPvVD3r47(S3r#

*Kbe~O$,<<e~aT|&mD?vks/J=vJbaPzZzDmb:

1. RIT9CQdCDO$=(O$Kksp?

g{KJbDXpGq,re~+/JB;vJb#

2. RIT9CQdCDO$=(zIO$ksp?

<GTBdC#

[common-modules]
authentication = BA

TZ;vxkDks,g{ ACL ;Jm4-O$DC',rXkTC'xPO$#e

~+ BA 4wvPDQdCO$=(,+/J:0RIT9Cy>O$O$Kks

p?1g{ksGBDrXpq - e~;*@PbvC'#;se~+/J:0RI

T9Cy>O$zIO$ksp?1g{Q}7dCy>O$,rXp*G#e~+

a>C'dkj6M\k#

bG9Cy>O$Dr%O$>}#y]zDTsUdD2+T*s,zI\kdC

`vO$=(#

BfGb;_-Dm;vj8>},e~9CK_-TX(DO$=(8(EH6#

TBNdPV[DO$_-Y(;Jm4-O$DC'CJJ4,"Y(QT

pdwebpi.conf dCD~xPTBPdC#

[common-modules]
authentication = BA
authentication = failover
authentication = forms

post-authzn = failover

[authentication-levels]
1 = BA
2 = failover

OvdC8(K}VO$=(:BA"JO*F cookie Mm%,JO*F cookie C4

xPZ(s&m#[authentication-levels] ZPhCD6pv(TO$kswCO$=

(D3r#g{4Z [authentication-levels] ZP(e6p,rm%O$D1!5*6

p 1#


9COvdC,e~ZSUks1iRks7PDJO*F cookie#e~Z BA }].

0iRJO*F cookie GIZ [authentication-levels] ZP8(DJO*F6p*

2#[authentication-levels] ZEHZ [common-modules] ZPO$#i(eD3r#

e~+/J:0RIT9CJO*F cookie O$Kksp?1g{H04O$ks,r

Xpq,r*e~H0;P*ks9lJO*F cookie#;se~+/JZ~vJb:

0RIT9CJO*F cookie zIO$ksp?1Xpq,r*JO*F cookie #i

^(*O$zIks#

e~+F/= [authentication-levels] ZPDB;vQdCO$=(,ZC>}P*

BA#e~+/J:0RIT9C BA 7O$Kksp?1g{H04O$ks,rX

pq#;se~+/J:0RIT9C BA zIO$ksp?1Xp\I\*G,ra

>C'dkC'j6M\k#I&DO$+zzZ(Da0,RJO*F cookie +ek

ks7"Cw,;a0ZdDsLksDZ;vO$=(#

r; BA #i;\zIO$C'D=(,re~a1!*dCD~D

[common-modules] ZPPvD=(Er#ZOvdC>}P,e~+8(O$=(

DEH6,rx:

level 1 = BA, forms

level 2 = failover cookie

g{JO*F cookie M BA 4\a)C'O$D=(,re~+9Cm%O$#


BfDwL<T>CZ!qO$#iDe~_-#

e~4UydCD3rwC?vO$#i,1=#i.;5X;vC'>$#g{d

CDO$#iP;P;v\zI>$,rrC'"MO$aJ,a>{Ga)O$E

"#

g{O$aJGXhD,rwCQdCPmPDZ;vOJDO$#i4zIh*z

zaJD|n#;GyPDO$#i<ITzIaJ#}g,TZks HTTP 7;Pa

J - b)7fZr;fZZksP#Kb,O$#iI\;IC,r*|QC4j6

re~*"ksDzmLr#IT*C'zIaJDn#CO$zFGy>O$(BA a

J+"M=C')MyZm%DO$(G<m%+"M=C')#g{^O$=(I

C,r^(O$C',Re~5X{9CJ3f#

< 2 PDwL<T>K!qO$=(TrC'"MaJD}L#

+4UdC3rli?vQdCDO$=(,1=R=zcyhDO$6pD;v=

(#g{R=zcO$u~D#i,rwC|49("MxC'DaJ#g{QdC

DO$=(P;P;vOJ,rI\;xPO$#e~rC'5X0{9CJ13

f,r*C';_PCJyksJ4h*DmI(,Sx;I\r{G"MaJTc

4yhD6pxPO$#

< 2. 7(O$#iDe~wL#


dCZ(s&m

Z(kss,+wCQdCDZ(s#i#Z(s#i7(Z+ks+]Xe~Tc

Web ~qw&m0Gqh*4PNNd|Yw#+wCyPQdCDZ(s#iT7(

Gqh*Tks4PYw#

Z(s#iITi*TBNb;`:

v ^D SSO Dks - b)Z(s#i+mS Web &CLrCZj6C'DE"

(cookie r7),x;h*Z~NO$#

v ^Dl& - (#,b)Z(s#i(#rl&mS7r cookie 4^Dl&#}g,

JO*F#i+JO*F cookie mS=l&#

v Xb/} - b)Z(s#i+yksD URI 6p*3;Xb&\D%"w#Xb

&\8>e~&mCks#}g,eCSSO $5ks#

Z(s#i4|GZdCD~PvVD3rwC#ZPmP8(0?s1DZ(s#

iP\&7zr2GI0fDZ(s#iyxPD|D#

}g;TBdC+<B;,De~P*,!vZZ [common-modules] ZP8(D BA

M forms D3r#

< 3. O$aJ}L_-

[common-modules]
...
post-authzn = BA
post-authzn = forms

[BA]
...
strip-hdr = always

[forms]
...
create-ba-hdr = yes

OvdCG(}Z(s#iM#idCDErI\5V`sinTD;vr%>}#

\ma04,

e~9Ca04,E"j6xkksD4#1M'z4P;va0PDs?ks1,

e~9Cks4Dm],$M'zM~qw.dDa04,#g{M'zM~qw.

d;fZQ("a04,,rXk*?vsLksXB-LM'zM~qw.dD(

E#(}{}X4O$Dh*,a04,E"IDFT\#M'zITZ;NG<

s,"vs?ks,x;X*?vks4P%@DG<#

Tivoli Access Manager Plug-in for Web Servers &m HTTP M HTTPS D(E#e~

hFCZ9CTBNNE"`M4,$kM'zDa0D4,#

1. SSL a0j6

2. y>O$

3. X(Z~qwDa0 cookie

4. HTTP 7}]

5. IP X7

6. LTPA cookie

7. IV 7

e~@NwC?vQdCDa0#i#e~LxQwQdCDa0#i`M,1=P

;V`M5X>$#;se~+7(&CLrGq*N<`74CzmLr#g{|

G;vzmLr,rm;va0Xk*5JDnUC'xfZ#*iRCm;a0,

e~LxwC`BDQdCa0#i#"VQ-"zDC'O$DVPa01,+5

XC'>$#K>$CZZ(ks#g{QdCDa0#iP;P;v5XC'>


$,ra0*4GBa0,*4GP4(">$Da0#

dCe~a0/>$_Y:f

e~a0_Y:fJm~qwf"4T`vM'zDa0j6E"#a0_Y:f\

#f HTTPS M HTTP a04,E"#

e~_Y:ff"a0j6E"M*?vM'zq!D>$E"#_Y:f>$E"

IT{}Z(liZdTC'"am}]bDX4i/#e~_Y:f9,$e~M

LDAP C'"am.dD SSL ,SDa04,E"#

P8vdCN}ICZe~_Y:f,b)N}Jmzw{_Y:fDT\#

":pdwebpi.conf dCD~D [sessions] ZPdCD5I\Z [module_name] ZP

;2G,3)59I\Z [ module_name:virtual_host_name] ZP;x;=2G(Z

?vibwzDy!O)#

hCns""u?5

max-entries N};Z pdwebpi.conf dCD~D [sessions] ZP,|hC?va0

#iDa0/>$_Y:fP""u?Dns}?#

C5kX(a0#iD""G<a0}`T&#_Y:fs!o=K51,+y]n

|nY9CDc(S_Y:f}%u?TJmBxkDG<#

1!""G<a0}G 4096:

[sessions]
max-entries = 4096

< 4. 7(a0#iDe~wL#


hC_Y:fu?,15

timeout N};Z pdwebpi.conf dCD~D [sessions] ZP,|Te~a0/>$

_Y:fPDu?hCnsP'Z,1#

e~ZZ?_Y:f>$E"#a0_Y:f,1N}8>Z(>$E"#tZZf

PD1d$H#

CN};G;n/,1#C53d=0>$P'Z1,x;G0>$,11#d?DG

Zo=8(,1^F1(}?FC'XBO$4v?2+T#

1!G<a0,1(k)* 3600:

[sessions]
timeout = 3600

IT+a0_Y:fP'ZdC*^[N1"zXBO$1<xP4;#?N"zX

BO$1,a0_Y:f timeout 5+4;#*dCa0_Y:fP'Z4;,k9C

pdwebpi.conf dCD~D [sessions] ZPD reauth-lifetime-reset N}:

[sessions]
reauth-lifetime-reset = yes

1!5G no#

C'}Z4PXBO$1,a0_Y:fP'Z5I\a=Z#ZXBO$G<m%

"M=C'.s,RZ5XjIDG<m%0,a0_Y:fP'Za=Z#a0_

Y:fP'Z5=Z1,+>}a0_Y:fu?#G<m%5X=e~s,;YP

CZCC'Da0#mb,yPQ_Y:fDC'ks}]+*'#g{XBO$Z

da0_Y:fP'Z}Z,zITTa0_Y:fP'ZdCS1rm^Z#

pdwebpi.conf dCD~D [sessions] ZPD reauth-grace-period N}a)K1d

)9,Tk*%;#}g:

[reauthentication]
reauth-grace-period = 20

1!5 0 ;Ta0_Y:f,15a)S1#reauth-grace-period N}&CZ9CV

Pa0_Y:fu?DC'T0h*XBO$DC'#}g:

v IZ POP 2+_Tx4PXBO$DC',

v IZa0_Y:f;n/x4PXBO$DC',

v 4P]}=O$DC'#

reauth-grace-period !nC4M reauth-lifetime-reset = yes !naO9C#

hC_Y:fu?;n/,15

inactive-timeout N}(;Z pdwebpi.conf dCD~D [sessions] ZP)hCG<

a0;n/D,15#

1!G<a0Gn/,1(k)* 600:

[sessions]
inactive-timeout = 600

*{CK,1&\,+N}5hC* 0#


9C SSL a0j6,$a04,

Tivoli Access Manager Plug-in for Web Servers IT9Cxk HTTPS ksD SSL a

0j6zYa0#K$_;ICZ IIS,r* IIS 9 SSL a0j6;ICZe~#

":SSL a0j6;CZO$ks#

pdwebpi.conf dCD~PD [common-modules] Z(eyPa0"O$MZ(s=

(DC>,9CDq=* module_type = module-name#*9C SSL a0j6,Va0

4,,+%J ssl-id 8(x session N},gBy>:

[common-modules]
session = ssl-id

7#QZ pdwebpi.conf dCD~D [modules] ZP* ssl-id dCK2mb#4:

[modules]
ssl-id = pdwpi-sslsessid-module

9Cy>O$,Va04,

y>O$(BA)G;V(}dkC'{M\kO$C'M,Va04,D=(#BA I

HTTP -i(e,RIT(} HTTP M HTTPS 5V#

y>O$(}+y>O$7DZ]G<xP_Y:f4,Va04,#

*9Cy>O$dCe~T,Va04,,9C pdwebpi.conf dCD~PD

[common-modules] Z#dkN} session,d5* BA,gBy>:

[common-modules]
session = BA

g{ BA CZ,Va04,,r9h*+dCZC'O$#dCD~D [common-modules] Z2&1*O$hC BA#

[common-modules]
session = BA
authentication = BA

2+/f:

9Cy>O$Z(7j6a0a9 Web ~qwDC')6Z^^FD\kBb%w#

bGZZ(7P|,C'\kD HTTP y>O$#=DV^T#

1!ivB,;tC Tivoli Access Manager Plug-in for Web Servers#y>O$a0j

6&\G*G)*@ky>O$`X*DyP2+TgU(|(K2+TgUZZ)

D\m1a)D#

1e~#$D Web ~qwZ`74CzmLrs(}gZ WebSEAL acs)KP

1,(}9Cy>O$+TmO$=e~,I2+X9Cy>O$a0j6#ZbV

ivB`74CzmLr;a+y>O$Z(7SC'*"=e~,byM;I\\

=%w#

9Ca0 Cookies ,$a04,

9Ca0 cookie #fa0E"G,Ve~a04,D;V=(#~qw+XbM'zD

4,E"r|= cookie P"+d"M=M'zD/@w#TZ?vBDks,/@w(

}+ cookie(_Pa0j6)"MX~qwTXBj6|>m#


ZM'z9C/@wZ\LD1dsXB-Ld SSL a0DivB,a0 cookie a)

I\Dbv=8#}g,3)f>D Microsoft Internet Explorer /@w?t=r}VS

MXB-L SSL a0#

a0 cookie vZL1d(s<.VS)ZTO$M'zD~qwa)M'zDXBO

$#KzFGyZ0~qw cookie1D,C cookie ;\+]=kzIK cookie Dzw

;,DNNzw#

mb,a0 cookie |,;vC4Z~qwa0_Y:fPw}|Dfz}j6{ - ^

d|E"T>Za0 cookie P#a0 cookie ;a962+T_T#

Tivoli Access Manager Plug-in for Web Servers 9C2+D~qwX(Da0 cookie#

TBu~JCZK cookie zF:

v Cookie v|,a0E";|;|,m]E"#

v Cookie v;Z/@wZfP(|;a4=ELOD/@w cookie ]wP)#

v Cookie _PP^DP'Z(IdC)#

v Cookie _P76Mh9d|~qw9CC cookie DrN}#

*dCe~9Ca0 cookie ,Va04,,9C pdwebpi.conf dCD~PD

[common-modules] Z#dkN} session,d5* session-cookie,gBy>:

[common-modules]
session = session-cookie

resend-pdwebpi-cookies N}(;Z pdwebpi.conf dCD~D [sessions] ZP)

tCr{CZ?Nl&1+a0 cookie "M=/@w#KYwoz7#a0 cookie #

tZ/@wZfP#resend-pdwebpi-cookies N}_P no D1!h5:

[sessions]
resend-pdwebpi-cookies = no

+1!hC|D* yes TZ?Nl&1"Me~a0 cookie#

9C HTTP 7,Va04,

IT+ Tivoli Access Manager Plug-in for Web Servers dCI9C HTTP 7E"4

j6a0M,Va04,#

e~IT9C HTTP 7CZzYa0T0O$C'#g{+e~dC*9C HTTP 7

zYa0,r9Xk+ddC*9C HTTP 7O$C'#;x,+e~dC*9C

HTTP 7O$xkDks;h*+e~dC*zYa0#XZdCe~9C HTTP 7C

ZM'zO$Dj8E",kN<Z 85 3D:dC HTTP 7O$;#

19C HTTP 7,Va04,1,pdwebpi.conf dCD~D [common-modules] Z

XkdCPTB5:

[common-modules]
authentication = http-hdr
session = http-hdr

HTTP 7Dj<dC;Jm8(;v7,}g:

[modules]
http-hdr = pdwpi-httphdr-module

*8(`v HTTP 7,XkdC HTTP 7#iD`v5}#


}g:

[modules]
entrust-client-header = pdwpi-httphdr-module
some-other-header = pdwpi-httphdr-module

[entrust-client-header]
header = entrust-client

[some-other-header]
header = some-other

9C IP X7,Va04,

Tivoli Access Manager Plug-in for Web Servers IT9C IP X74j6MzYa0#

*dCe~9C IP X7zYa0,9C pdwebpi.conf PD [common-modules] Z#

dkN} session,d5* ip-addr#4:

[common-modules]
session = ip-addr

7#QZ pdwebpi.conf dCD~D [modules] ZP* IP X7O$dCK2mb#

4:

[modules]
ip-addr = pdwpi-ipaddr-module

g{9C IP X74,Va04,,|G9XkC4O$xkks#PXdC Tivoli

Access Manager Plug-in for Web Servers T+ IP X7CwM'zO$=(Dj8E",

kNDZ 87 3D:dC IP X7O$;#;x9C IP X7CZO$M'z;h*+b

)X7Cwj6a0D=(#

9C LTPA cookie ,Va04,

ITyZ3v LTPA cookie 9C LTPA O$4S\"xPO$#LTPA O$IT9C

Z?v HTTP ksPR=D LTPA cookie 4,Va04,#

*9C LTPA O$dCe~T,Va04,,k9C pdwebpi.conf dCD~PD

[common-modules] Z#dkN} session,d5* ltpa,gBy>:

[common-modules]
session = ltpa

g{9C LTPA ,Va04,,|9h*kTC'O$xPdC#dCD~PD

[common-modules] Z2&C*O$hC LTPA#

[common-modules]
authentication = ltpa
session = ltpa

9C iv 7,Va04,

Tivoli Access Manager Plug-in for Web Servers IT_Y:f iv 7E"4DF53T

\#

pdwebpi.conf dCD~PD [common-modules] Z(eyPa0"O$MZ(s=

(DC>,9CDq=* module_type = module-name#*_Y5f iv 7E",k+5

iv-headers 8(x session N},gBy>:

[common-modules]
session = iv-headers


7# iv 7D2mbdCZ pdwebpi.conf dCD~D [modules] ZP#4:

[modules]
iv-headers = pdwpi-iv-headers-module

O$dCEv

}gZ 37 3D:dCO$;;ZP4=DGy,O$#i4PSksPi!O$E"

D}L#ksD5JO$Ii$O$E"DO$zF4P#O$#iMO$zF.d

DG+VkJm* WebSEAL `4D(F CDAS bke~;p9C#

Tivoli Access Manager Plug-in for Web Servers 'VDCZyPO$=(DzFZ

pdwebpi.conf dCD~D [authentication-mechanisms] ZPxPdC#\'VDO

$=(N}|(:

v >X(ZC)O$Lr

>XO$LrDN}8(J1DZC2mb(UNIX)r DLL(Windows)D~#

v (Fb?O$Lr

e~a)#e~qwzk,zIT9CCzk9(M8((Fb?;frO$~q

(CDAS)~qw#

b? CDAS O$Lr8(J1D(F2mb#

":M [modules] ZDdC;,DG,Z [authentication-mechanisms] ZPdC

zFD,1mS+D~{#4,|(D~0:MYw53X(D)9{#

>XO$zF

BPO$zFN}8(>XZCDO$Lr:

m 10. >XZCO$Lr.

N} hv

m%My>O$

passwd-ldap 9C LDAP C'{M\kxPM'zCJ#

M'zK$iO$

cert-ssl 9CM'zK$i(} SSL xPM'zCJ#

$nK iv-remote-address D HTTP 7"IP X7O$M IV 7#

http-request -I$nK iv-remote-address DXb HTTP 7"IP X7r IV 7D

M'zCJ#

9C [authentication-mechanisms] ZdCO$=("TBPq=5V:

authentication_method_parameter = shared_library

b?(F CDAS O$N}

TBN}ICZ8(b? CDAS ~qwD(F2mb:

m 11. b? CDAS ~qwN}.

N} hv

passwd-cdas 9CZ}="amDC'{M\kxPM'zCJ#


token-cdas 9C LDAP C'{MnF(PzkxPM'zCJ#

cert-cdas 9CM'zK$i(} SSL xPM'zCJ#

}O$b.b9P=VICZe~Dd|j< Tivoli Access Manager b:

v passwd-strength

Kbli\k|Dm%PdkDB\k#

v cred-ext-attrs

KbJm+(FtT({F/5T)8(*|,Z>$P#

PX9(MdC5V CDAS ~qwD(F2mbDj8E",kN< IBM Tivoli Access

Manager for e-business Web Security Developer Reference#

e~D1!dC

1!ivB,e~hC*9Cy>O$(BA)C'{M\k(LDAP "am)O$M'

z#

e~(#,1* TCP M SSL CJtC#rx,[authentication-mechanisms] ZD

dMdC|('VC'{M\k(LDAP "am)M'V(} SSL DM'zK$i#

TB>}zm Solaris OD [authentication-mechanisms] ZDdMdC:

[authentication-mechanisms]passwd-ldap = libldapauthn.so cert-ssl = pdwpi-sslauthn.so

*dCd|O$=(,mSJ1DN}0d2mb(r CDAS #i)#

Configuring multiple authentication methods

Edit the [authentication-mechanisms] stanza of the pdwebpi.conf configuration file to specify the shared library for any supported authentication method. When configuring multiple authentication methods, note the following conditions:

1. All authentication methods can work independently of each other. A shared library can be configured for each supported method.
2. When both the cert-cdas and the cert-ssl method are configured, the former overrides the latter. One of these two methods must be enabled to support client certificates.
3. When multiple authenticators are configured, only one password-type authenticator is used at a time. The plug-in resolves multiple configured password authenticators in the following order of priority:
   a. passwd-cdas
   b. passwd-ldap
4. The same custom library can be configured for two different authentication methods. For example, a single custom shared library can be written to handle both username/password and HTTP header authentication. In that case you configure the passwd-cdas and http-request parameters with the same shared library. For such a library to maintain session state, it must be able to tell the two methods apart.

Logout, change password and help commands

Tivoli Access Manager provides the following commands to support clients that authenticate over HTTP or HTTPS.

pkmslogout
When the client uses an authentication method that does not supply authentication data with every request, the client can use the pkmslogout command to log out of the current session. When the authentication method does supply authentication data with every request (credential information can be included in the request header), the pkmslogout command only clears the session cache; in that case the user must close the browser to log out of the session completely.

The pkmslogout command is appropriate for authentication that uses token passcodes, forms authentication and certain implementations of HTTP header authentication.

Run the command as follows:

https://www.tivoli.com/pkmslogout

The browser displays the logout form defined in the pdwebpi.conf configuration file:

[acctmgmt]
logout-success = logout_success.html

The logout-success entry can specify a custom HTML file (contained in the base install_path/nls/html/C directory) or a URI. The URI can be relative or absolute.

When the deployment needs several logout pages so that users can log out from entirely different virtual hosts, the pkmslogout utility also supports multiple logout response pages.

pkmspasswd
When basic authentication (BA) or forms authentication is used, this command changes the login password. It is suitable for use over HTTP or HTTPS. For example:

https://www.tivoli.com/pkmspasswd

The browser displays the change password form defined in the pdwebpi.conf configuration file:

[acctmgmt]
password-change-form-uri = /pkmspasswd.form
password-change-uri = /pkmspasswd
password-change-success = password_change_success.html
password-change-failure = password_change_failure.html

You can modify the password_change_success.html and password_change_failure.html files to suit your requirements.

pkmshelp
This command displays the help page. It is suitable for use over HTTP or HTTPS. The name and location of the help page are defined in the pdwebpi.conf configuration file:

[acctmgmt]
help-uri = /pkmshelp
help-page = help.html

You can modify the help.html file to suit your requirements.

52 IBM Tivoli Access Manager for e-business: Plug-in for Web Servers /I8O

Configuring basic authentication

Basic authentication (BA) is a standard method of providing a username and password to the authentication mechanism. BA is defined by the HTTP protocol and is implemented over both HTTP and HTTPS.

Enabling basic authentication

By default, the plug-in is configured for BA usernames and passwords. The [common-modules] stanza of the pdwebpi.conf configuration file defines that BA is used to authenticate requests:

[common-modules]
authentication = BA

The [modules] stanza of the pdwebpi.conf configuration file defines all available authentication mechanisms and the names of their shared libraries. Make sure the basic authentication entry exists:

[modules]
BA = pdwpi-ba-module

By default, the [authentication levels] stanza of the configuration file assigns the BA authentication mechanism level 1. This setting is related to the priority of the authentication mechanisms for incoming requests.

Configuring the basic authentication mechanism

The passwd-ldap parameter specifies the shared library that handles username and password authentication.

• On UNIX, the file that provides the built-in mapping function is a shared library called libldapauthn.
• On Windows, the file that provides the built-in mapping function is a DLL called ldapauthn.

Configure the username and password authentication mechanism by entering the passwd-ldap parameter with the platform-specific name of the shared library file in the [authentication-mechanisms] stanza of the pdwebpi.conf configuration file, as shown below:

Solaris:

[authentication-mechanisms]
passwd-ldap = libldapauthn.so

Windows:

[authentication-mechanisms]
passwd-ldap = ldapauthn.dll

Setting the realm name

The realm name is displayed in the dialog box with which the browser prompts the user for a username and password. It is assigned to the basic-auth-realm parameter in the [BA] stanza of the pdwebpi.conf configuration file:

[BA]
basic-auth-realm = realm_name

Processing BA headers

By controlling the content of the BA header sent to the Web server, you can configure the plug-in to supply protected applications with original or modified client identity information. The existing header sent by the client can be:

• removed from all requests;
• removed from unauthenticated requests;
• passed unchanged for all requests.

For clients that do not supply a BA header, or in place of the existing client header information passed to the Web server, the header information can be:

• set to a predefined username and password;
• sent with a predefined password (the username passed is the name of the authenticated user);
• set from information in the Tivoli Access Manager GSO lockbox.

To process the BA headers of incoming requests, the plug-in must be configured to allow post-authorization processing with basic authentication. To do so, add the post-authzn parameter to the [common-modules] stanza of the pdwebpi.conf configuration file and set it to the value BA:

[common-modules]
post-authzn = BA

The strip-hdr parameter instructs the plug-in to perform one of the following actions:

Value: result

ignore
The header is left as it is. Any client BA header received by the plug-in is passed unchanged to the resource. This permits direct login to the resource in a way that is transparent to the plug-in.
Notes:
1. This option allows unauthenticated users to send BA headers to the Web server. Use it only when you are sure you need it and have considered the security implications.
2. When the plug-in is configured for BA authentication and the protected resource tries to authenticate the client with its own BA challenge, the protected resource will not accept the user's credentials. Other authentication mechanisms configured in the plug-in (for example forms) pass any received client BA header unchanged to the resource.

always
The basic authentication header information is removed from all client requests before the request is sent to the Web server. In this case the plug-in acts as the sole security provider. If you need to give the Web server some client information, this option can be combined with IV header authentication to place the Tivoli Access Manager client identity information in HTTP header fields.
Note: If the protected server sends a BA challenge while this option is enabled, the client is caught in an authentication loop and can never log in, because its response is always removed.

unauth
The BA header received from the client is removed from all requests except those from users the plug-in has already authenticated with basic authentication. This allows authenticated users, but not unauthenticated users, to send an authenticated BA header to the Web server.

The add-hdr parameter in the [BA] stanza of the configuration file allows you to supply client identity information in the HTTP basic authentication (BA) header. Supplying client identity information with add-hdr happens after any processing performed through the strip-hdr parameter. add-hdr can be set to none, gso or supply.

• If set to none, no BA header is added to the request.
• If set to gso, a GSO BA header is added to the request. See "Using global sign-on (GSO)" on page 118 for details on configuring the GSO function of the plug-in.
• If set to supply, a dummy password and username are added to the BA header. They are defined by the supply-password and supply-username parameters in the [BA] stanza of the configuration file.

The supply-username parameter can be set to a predefined username value. If supply-username is not set, the username in the BA header is created from the username authenticated by Tivoli Access Manager. In that case the resource protected by the plug-in must authenticate the Tivoli Access Manager identity itself.

When add-hdr is set to supply and both supply-password and supply-username are set, the specified username and password are used for all requests. Their use gives the application or server no guarantee of the authenticity of the client that logged in under that username. If clients can reach the resource only through the plug-in, this causes no security problem, but it is then essential to protect the resource so that no other access route exists. Because this configuration provides no password-level security, the resource protected by the plug-in must trust the plug-in completely to verify the authenticity of the client.

If supply-username is not set and the user is not authenticated, no BA header is added to the request.

Specifying UTF-8 encoding of BA headers

Edit the plug-in configuration file to specify whether the plug-in should UTF-8 encode BA headers:

[BA]
use-utf8 = true

The default value is true.

For more information on the plug-in's support for UTF-8 encoding, see "Language support and character sets" on page 32.

Configuring forms authentication

Tivoli Access Manager provides forms authentication as an alternative to the standard basic authentication mechanism. With this method, Tivoli Access Manager generates a custom HTML login form instead of the standard login prompt produced by a basic authentication challenge.

With form-based login the browser does not cache the username and password information as it does with basic authentication.

Enabling forms authentication

The [common-modules] stanza of the pdwebpi.conf configuration file defines the use of all authentication methods. To enable forms authentication, assign the value forms to the authentication parameter:

[common-modules]
authentication = forms

When forms are used for authentication, the plug-in must also run the forms module in its pre-authzn list. This allows the plug-in to redirect the authenticated user back to the originally requested URL. In the [common-modules] stanza of the pdwebpi.conf configuration file, add the pre-authzn parameter as shown below:

[common-modules]
authentication = forms
pre-authzn = forms

The [modules] stanza of the pdwebpi.conf configuration file defines all available authentication mechanisms and the names of their shared libraries. Make sure the forms authentication entry exists:

[modules]
forms = pdwpi-forms-module

Configuring the forms authentication mechanism

The passwd-ldap parameter specifies the shared library that handles username and password authentication.

• On UNIX, the file that provides the built-in mapping function is a shared library called libldapauthn.
• On Windows, the file that provides the built-in mapping function is a DLL called ldapauthn.

Configure the username and password authentication mechanism by entering the passwd-ldap parameter with the platform-specific name of the shared library file in the [authentication-mechanisms] stanza of the pdwebpi.conf configuration file, as shown below:

Solaris:

[authentication-mechanisms]
passwd-ldap = libldapauthn.so

Windows:

[authentication-mechanisms]
passwd-ldap = ldapauthn.dll

Custom HTML response forms

Forms authentication requires you to use a custom login form. By default the basic login.html form is located in the directory install_path/nls/html/lang/charset, where lang is taken from the NLS configuration. On an English system the lang directory is called C and charset is utf-8.

The login-form parameter in the [forms] stanza of the configuration file defines the file name of the form presented to the user during login. The file path is relative to the standard pdwebpi HTML directory (for example pdwebpi/nls/html/lang/charset):

[forms]
login-form = login.html

Note: Removing the wpi_url field from the login.html form makes the POST data submitted by the login form available as POST data in the HTTP request. This includes the username and password used to log in to Tivoli Access Manager. Removing the wpi_url field from the form also disables all POST data caching, so that, for example, %POST_URL% is no longer supported.

Custom form login URI

A single virtual host may use several instances of the forms login module. In that case the URI to which the login form is submitted must be changed for each separate instance of the forms login module. The login-uri parameter in the [forms] stanza controls this URI. If it is changed from the default, the form specified by the login-form parameter (see "Custom HTML response forms") must be updated to reflect the change.

Creating BA headers

Forms authentication can create a BA header from the username and password supplied in the login form. This provides a single sign-on mechanism that can be used when a back-end application requires basic authentication and the username and password match those used by Tivoli Access Manager.

The BA header is created by the forms post-authorization module. Add the forms post-authorization entry to the [common-modules] stanza of the plug-in configuration file:

[common-modules]
post-authzn = forms

The create-ba-hdr parameter in the [forms] stanza of the configuration file enables or disables creation of the BA header, for example:

[forms]
create-ba-hdr = yes

By default forms authentication does not create a BA header: create-ba-hdr is set to no. No BA header is created when the user is not successfully authenticated, regardless of this setting.

Note: If another module after the forms module in the post-authzn list also sets or removes the BA header, this function has no effect. The only remedy is to make the forms module the last module in the post-authzn list.

Specifying UTF-8 encoding of BA headers

Edit the plug-in configuration file to specify whether the plug-in should UTF-8 encode BA headers:

[forms]
use-utf8 = true

The default value is true.

For more information on the plug-in's support for UTF-8 encoding, see "Language support and character sets" on page 32.

Configuring certificate authentication

Tivoli Access Manager Plug-in for Web Servers supports secure communication over SSL with clients that use client-side digital certificates. With this authentication method, certificate information (such as the common name or DN) is mapped to a Tivoli Access Manager identity.

Mutual authentication with certificates

Authentication with digital certificates takes place in two phases:

• The Web server on which the plug-in is installed identifies itself to the SSL client with its server-side certificate.
• The Web server uses its database of certificate authority (CA) root certificates to verify clients that access the server with client-side certificates.

The following process occurs:

1. The SSL client requests, through the plug-in, a connection to the Web server.
2. The Web server responds by sending its public key in a signed server-side certificate. This certificate was previously signed by a trusted third-party certificate authority (CA).
3. The client checks whether the signer of the certificate is trusted and acceptable. The client browser normally contains a list of root certificates from trusted CAs. If the signature on the Web server's certificate matches one of these root certificates, the server can be trusted.
4. If no signature matches, the browser informs the user that the certificate was signed by an unknown certificate authority. The user then has the opportunity to accept or reject the certificate.
5. If the signature matches an entry in the browser's root certificate database, a session key is securely negotiated between the client and the Web server.

The end result of this process is that the client can authenticate over a secure channel (for example with a username and password). After successful authentication, the client and the server can continue to communicate securely over that channel.

6. The client now sends its public key certificate to the Web server through the plug-in.
7. The Web server tries to match the signature on the client certificate to a CA by using the Web server's certificate store.
8. If no signature matches, an SSL error code is generated and sent to the client.
9. If a signature matches, the client can be trusted. The client is authenticated and a Tivoli Access Manager identity is generated.
10. A session key is securely negotiated between the client and the Web server. The end result of this process is a secure and trusted communication channel between the mutually authenticated client and server.

Enabling certificate authentication

The [common-modules] stanza of the pdwebpi.conf configuration file defines the use of all authentication methods. To enable certificate authentication, assign the value cert to the authentication parameter:

[common-modules]
authentication = cert

The [modules] stanza of the pdwebpi.conf configuration file defines all available authentication mechanisms and the names of their shared libraries. Make sure the certificate authentication entry exists:

[modules]
cert = pdwpi-certificate-module

Note: For installations on IHS, you must configure the Web server to request certificates from clients.

Configuring the certificate authentication mechanism

The cert-ssl parameter specifies the shared library that maps certificate authentication information.

On UNIX, the file that provides the built-in mapping function is a shared library called libpdwpi-sslauthn. On Windows it is a DLL called sslauthn.

Configure the certificate authentication mechanism by entering the cert-ssl parameter with the platform-specific name of the shared library file in the [authentication-mechanisms] stanza of the pdwebpi.conf configuration file.

Solaris:

[authentication-mechanisms]
cert-ssl = libpdwpi-sslauthn.so

Windows:

[authentication-mechanisms]
cert-ssl = pdwpi-sslauthn.dll

Note: The pdwpi-sslauthn CDAS requires the subject DN in the user's certificate to match the user's LDAP DN exactly. If you need a more complex mapping, you must develop a custom CDAS. For instructions on writing CDAS modules, see the IBM Tivoli Access Manager for e-business Web Security Developer Reference; those instructions also apply to Plug-in for Web Servers.

Configuring token authentication

Tivoli Access Manager Plug-in for Web Servers supports authentication with a token passcode supplied by the client.

SecurID token authentication

The plug-in token authentication process requires an RSA SecurID client to be installed and configured on the server where the plug-in is installed, so that it can communicate with the remote RSA server. The supported SecurID client version is 5.1.

RSA's ACE/Server authenticates several different kinds of token, including software tokens and microprocessor-controlled devices.

A SecurID software token is a software program that runs on a workstation, is installed on a smart card, or runs as a plug-in to a Web browser. When run as an application, it displays a dialog box in which the user enters a personal identification number (PIN); the software token then computes the passcode. The user authenticates to the plug-in by entering the passcode in the login form.

The second form of SecurID token is a physical device, typically a key fob or a smart card (slim card). The token may have a PIN keypad on which the user enters the PIN to generate the passcode. If the token has no PIN pad, the passcode is formed by joining the user's PIN to the token code. The token code is the changing set of digits displayed on the key fob, generated by the SecurID token at a fixed interval. The user enters the PIN and token code to authenticate to the ACE/Server.

The plug-in supports two RSA token modes:

• Next token code mode
This mode is used when the user enters a correct PIN but a wrong token code. Normally the wrong token code must be entered three times in a row before the token enters next token code mode. When the user enters a correct passcode, the token code changes automatically; the user waits for the new token code and enters the passcode again.
• New PIN mode
A token can be in new PIN mode when no PIN has been assigned to it. The token enters this mode when the administrator clears a PIN that is lost or suspected of being compromised, and also when the PIN has been cleared or never assigned. A newly assigned token may have no PIN. If the user forgets the PIN or suspects it has been compromised, the administrator can clear it.

A SecurID PIN can be created in different modes:
• user-defined
• system-generated
• user-selected

The PIN mode is defined by the creation method and by the range of the assigned password length and device type parameters.

The plug-in supports the following types of user-defined PIN:
• 4 - 8 alphanumeric characters, non-PINPAD token
• 4 - 8 alphanumeric characters, password
• 5 - 7 numeric characters, non-PINPAD token
• 5 - 7 numeric characters, PINPAD token
• 5 - 7 numeric characters, 4-digit PIN not allowed
• 5 - 7 numeric characters, alphanumeric characters not allowed

The plug-in does not support the following types of new PIN:
• system-generated, non-PINPAD token
• system-generated, PINPAD token
• user-selected, non-PINPAD token
• user-selected, PINPAD token

A token user cannot reset the PIN unless the ACE administrator has first cleared the token or put it into new PIN mode. This means that a user with a valid PIN cannot be redirected to pkmspassword.form; trying to access that form returns an error message.

Token authentication workflow in new PIN mode

Authentication of a token in new PIN mode follows this process:

1. The client (browser) requests a protected Web object that requires token authentication.
2. The plug-in returns the authentication page, requesting a username and passcode.
3. The user enters the username and token code and submits the form to the plug-in's authentication library. When the user has no PIN (because the token is new, or the administrator has reset the PIN), the token code and the passcode are identical. When the user has a PIN but the token is in new PIN mode, the user enters the PIN plus the token code.
4. The plug-in's token authentication library sends the authentication request to the ACE/Server.
5. The ACE/Server handles the request as follows:
   a. If authentication fails, the result is returned to the plug-in token authentication library, which displays an error page to the client (return to step 2).
   b. If the token is not in new PIN mode, the user is authenticated. The library returns a success message to the plug-in, which can then display the requested protected Web object (end of the authentication workflow).
   c. If the token is in new PIN mode, the ACE/Server returns the NEW_PIN error code to the plug-in token authentication library.
6. The plug-in presents the password change form to the user.
7. The user enters the token code or passcode together with the new PIN and submits the new PIN to the plug-in.
8. The plug-in checks whether a password strength server has been deployed.
   a. If no password strength server is deployed, the plug-in continues with step 9.
   b. If a password strength server is deployed, the plug-in checks the new PIN. If the PIN is valid, the plug-in continues with step 9. If the PIN is invalid, the plug-in returns to step 6.
9. The plug-in authentication library sends the token code and the new PIN to the ACE/Server.
10. The ACE/Server returns a response code.
11. If the PIN set call to the ACE/Server succeeded, the plug-in returns the originally requested protected Web object to the client. If the PIN set call failed, the authentication workflow returns to step 6.

Using token authentication with a password strength server

The plug-in also supports password strength servers that are specific to an authentication mechanism. This lets security planners assign different password strength policies to the different authentication methods that use the plug-in's authentication mechanisms. For example, a seven-digit numeric PIN may meet the requirements of the ACE/Server but not those of a stricter password strength server.

Enabling token authentication

The [common-modules] stanza of the pdwebpi.conf configuration file defines the use of all authentication methods. To enable token authentication, assign the value token to the authentication parameter.

When token authentication is enabled, tokens must also be configured for post-authorization processing. In the [common-modules] stanza of the configuration file, use the post-authzn parameter and assign it the value token. The [common-modules] stanza should contain these two entries:

[common-modules]
authentication = token
post-authzn = token

The [modules] stanza of the pdwebpi.conf configuration file defines all available authentication mechanisms and the names of their shared libraries. Make sure the token authentication entry exists:

[modules]
token = pdwpi-token-module

Configuring the token authentication mechanism

The token-cdas parameter specifies the shared library that maps token passcode authentication information.

• On UNIX, the file that provides the built-in mapping function is a shared library called libxtokenauthn.
• On Windows, the file that provides the built-in mapping function is a DLL called xtokenauthn.

The token shared library is installed as part of the Tivoli Access Manager Web Security Runtime (PDWebRTE) package. It is located in:

UNIX: /opt/pdwebrte/lib
Windows: c:\Program Files\Tivoli\PDWebRTE\bin

By default this built-in shared library is coded to map SecurID token passcode data. You can customize the file to authenticate other kinds of special token data and, optionally, map that data to a Tivoli Access Manager identity. For information on the API, see the IBM Tivoli Access Manager for e-business Web Security Developer Reference.

Configure the token authentication mechanism by entering the token-cdas parameter with the platform-specific name of the shared library file in the [authentication-mechanisms] stanza of the pdwebpi.conf configuration file. For example:

Solaris:

[authentication-mechanisms]
token-cdas = libxtokenauthn.so

Windows:

[authentication-mechanisms]
token-cdas = xtokenauthn.dll

Custom token response pages

The token-login-form parameter in the [token-card] stanza of the configuration file defines the file name of the form presented to the user's client during token login. The file path is relative to the standard plug-in HTML directory (for example pdwebpi/nls/html/lang/charset), where lang is taken from the NLS configuration. On an English system the lang directory is called C and charset is utf-8.

The next-token-form parameter in the [token-card] stanza defines the form shown to the user's client to request another token. The client is asked for another token when the server cannot authenticate the user successfully the first time. This can have many causes, the most common being that the client and server clocks are out of step. When authentication cannot proceed with the first token, the page specified by next-token-form is displayed to prompt for the next token.

The format of the token-card stanza is:

[token-card]
token-login-form = tokenlogin.html
next-token-form = nexttoken.html

Z 3 B IBM Tivoli Access Manager Plug-in for Web Servers O$Mks&m 61

Configuring SPNEGO authentication

SPNEGO authentication provides single sign-on (SSO) for Windows users who access protected objects with Internet Explorer. In SPNEGO authentication the plug-in performs the server side of the negotiation and Internet Explorer performs the client side.

When a user requests access to a secure Web server, Internet Explorer uses the user's Windows logon credentials to take part in the negotiation with the Web server and prove the user's legitimacy. Once the server has confirmed the user's identity, access is granted if:

• the user is a member of the domain,
• SPNEGO is enabled on the Authorization Server, and
• the Authorization Server permits the access.

Users who access resources protected by plug-in SPNEGO authentication but are not domain members, or who use a browser other than Internet Explorer, must authenticate with another method, such as basic authentication or forms.

Note: The SPNEGO authentication module works only when the Web server is configured to allow anonymous access. With IIS, integrated logon must be unchecked and anonymous access checked. With other Web servers, use the standard configuration.

Platform and user registry support

The SPNEGO authentication mechanism is available on all supported Web server/platform/user registry combinations. When Active Directory is not the Tivoli Access Manager user registry, users must be replicated between the Active Directory registry and the Access Manager user registry.

Upgrading the SPNEGO configuration from V4.1 to V5.1

Tivoli Access Manager Plug-in for Web Servers V4.1 provided the spnego module. In the V5.1 plug-in its function is split across three separate modules: spnego, ntlm and web-server-authn. A 4.1 SPNEGO configuration cannot be migrated to 5.1 automatically; you must reconfigure it manually. The table below shows the V5.1 configuration equivalent to each V4.1 configuration. There are two cases:

• web-server-does-authn in the [spnego] stanza of the V4.1 configuration file is set to true.
• web-server-does-authn in the [spnego] stanza of the V4.1 configuration file is set to false.

Table 12. Equivalent SPNEGO configuration in V4.1 and V5.1.

V4.1 plug-in:

[common-modules]
authentication = spnego
authentication = BA
session = spnego
session = session-cookie

[spnego]
web-server-does-authn = true

V5.1 plug-in:

[common-modules]
authentication = web-server-authn
session = session-cookie

For further configuration options, see "Configuring Web server authentication (IIS platform only)" on page 69.

V4.1 plug-in:

[common-modules]
authentication = spnego
authentication = BA
session = spnego
session = session-cookie

[spnego]
web-server-does-authn = false

V5.1 plug-in:

[common-modules]
authentication = spnego
authentication = ntlm
authentication = BA
session = session-cookie

For further configuration options, see "Configuring NTLM authentication (IIS platform only)" on page 68.

Limitations

The following plug-in functions are not supported with SPNEGO authentication:

• Re-authentication of SPNEGO-authenticated clients based on a POP or a session timer.
• Password change with pkmspasswd for user registries other than Active Directory.
• Username mapping through a CDAS.
• SPNEGO clients cannot log out from the plug-in; they must log out from the workstation. Clients that access the plug-in pkms command pages (other than switch user) receive the PKMS help page.
• For SPNEGO clients, re-authentication when the inactivity session timer expires. The user's cache entry is deleted but the session identifier is kept; the information in the header received from the SPNEGO client is used to re-authenticate. The client does not log in again but receives a new session cache entry.
• Re-authentication when the user accesses an object with a re-authentication attribute. In this case access is denied and the user receives a message stating that re-authentication is required.

Windows desktop single sign-on configuration

This section covers the configuration steps needed to implement Windows desktop single sign-on using SPNEGO authentication with the plug-in. Not every step is needed on every platform. To configure SPNEGO authentication, complete the following steps.

Step 1: Configure the plug-in server into the Active Directory domain

To take part in the Kerberos exchange with Internet Explorer, the plug-in server must have an identity in the Active Directory Kerberos realm. This requires registering the plug-in with the Active Directory domain controller. The Explorer browser can then use the user's Windows logon credentials to access servers protected by the plug-in.

For instructions on adding the identity of the plug-in server host to the Active Directory domain, see the Microsoft documentation.

Notes:
1. On Windows, the default plug-in server (the first server instance) uses the local service account identity when interacting with the Active Directory domain controller.
2. On UNIX, make sure the username matches the host name of the plug-in server host. Do not use the fully qualified name. For example, for the system diamond.subnet2.ibm.com, create the user diamond. Do not require the user to change the password at next logon, and do not set the password to expire.

Step 2: Map the Kerberos principal to an Active Directory user

An Internet Explorer client asks the Active Directory domain controller for the Kerberos principal named:

HTTP/DNS_name_of_plug-in_server@Active_Directory_domain_name

This name must be mapped to the Active Directory user that represents the plug-in protected server instance, such as the user created in step 1 above.

The mapping requires the ktpass utility. By default, ktpass may not be installed on Windows systems; it is available in the Windows Support Tools package on the Windows CD.

Windows: Register the service principal name of the plug-in server. On the Active Directory domain controller, run the ktpass command. For example, when the plug-in host is diamond.subnet2.ibm.com and the Active Directory domain is IBM.COM, the command is:

ktpass -princ HTTP/diamond.subnet2.ibm.com@IBM.COM -mapuser diamond

UNIX: Complete the following steps:

1. On UNIX systems, in addition to mapping the user you must create a keytab file for use when registering with the Kerberos realm. The syntax is (enter as one line):

ktpass -princ HTTP/DNS_name_of_WebPI_server@Active_Directory_domain_name -pass your_password -mapuser WebPI_server_instance -out full_path_to_keytab_file -mapOp set

In this command the -mapuser option names the Active Directory user identity. The password given here replaces the Active Directory user's password; choose a strong password, such as a randomly generated one. The keytab file can be placed anywhere. Keep this password for testing your Kerberos configuration in the later steps (when testing authentication from the UNIX machine to the Active Directory key distribution center).

2. Transfer the keytab file to the UNIX system. Make sure a secure transfer method is used. The recommended location is:

/opt/pdwebpi/etc/key_tab_filename

3. For the best security, delete the keytab file from the Windows system.

4. On the UNIX system, assign ownership of the file to pdwebpi and restrict the permissions of the keytab file so that only the owner can access it. For example:

# chown pdwebpi keytab_file
# chgrp pdwebpi keytab_file
# chmod 600 keytab_file

5. For UNIX servers, repeat the above steps for each plug-in instance.

Step 3: Install the Kerberos runtime client (UNIX only)

The server on which the plug-in is installed must have the Kerberos runtime installed. On Windows the Kerberos runtime client is part of the operating system; no additional package is needed.

On UNIX systems, install the appropriate package:

• AIX
IBM Network Authentication Service client. The client is found in the AIX Expansion Pack.
• Solaris
– IBM Network Authentication Service client. This client is included on the Tivoli Access Manager Web Security CD. Install it with pkgadd.
– SUN Kerberos Client SUNWkr5cl. The IBM Network Authentication Service client requires this package. It is part of the SEAM package and can be downloaded from the Sun Web site.
• Linux
MIT Kerberos V1.2.5

Step 4: Configure the Kerberos client (UNIX only)

The Kerberos client installed in the previous step must be configured, which requires creating or editing the Kerberos configuration file. On Solaris and AIX this file is /etc/krb5/krb5.conf; on Linux it is /etc/krb5.conf. Follow the instructions for your operating system.

AIX

Use the mkkrb5clnt utility, which creates and populates /etc/krb5/krb5.conf.

1. Run mkkrb5clnt. The syntax is:

mkkrb5clnt -r Active_Directory_domain -c Active_Directory_controller_DNS -s Active_Directory_controller_DNS -d local_DNS_domain

For example:

mkkrb5clnt -r IBM.COM -c dc1.ibm.com -s dc1.ibm.com -d dns.com

2. Manually edit krb5.conf to remove any encryption settings that Active Directory does not support:

[libdefaults]
default_tkt_enctypes = des-cbc-md5 des-cbc-crc
default_tgs_enctypes = des-cbc-md5 des-cbc-crc

This step removes des3-cbc-sha1.

Solaris and Linux

Manually edit krb5.conf. Customize the following information for your domain:

• The realm. For example: IBM.COM
• The Active Directory controller server name. For example: dc1.
• The domain name. For example: ibm.com.
• The DNS name. For example: ibm.com.

With the example values above, the Kerberos configuration file contains the following entries (only part of krb5.conf is shown):

[libdefaults]
default_realm = IBM.COM
default_tkt_enctypes = des-cbc-md5 des-cbc-crc
default_tgs_enctypes = des-cbc-md5 des-cbc-crc

[realms]
IBM.COM = {
kdc = dc1.ibm.com:88
admin_server = dc1.ibm.com:749
default_domain = ibm.com
}

[domain_realm]
dc1.ibm.com = IBM.COM
.ibm.com = IBM.COM

The last line of the example file (.ibm.com = IBM.COM) denotes the DNS domain in which the plug-in protected server runs and to which users connect. Note the dot (.) before the IBM domain in the last line: it acts as a wildcard for all subdomains and hosts in the ibm.com domain.

Note: On United Linux, which uses the Kerberos version called Heimdal, the following lines may need to be added to the [libdefaults] stanza for testing:

[libdefaults]
default_etypes = des-cbc-md5 des-cbc-crc
default_etypes_des = des-cbc-md5 des-cbc-crc

Step 5: Verify authentication of the Web server principal (UNIX only)

Use the kinit program to verify that the Kerberos principal of the plug-in protected server can authenticate. Use the password specified when ktpass was run in step 2:

# /usr/krb5/bin/kinit diamond@IBM.COM
Password for diamond@IBM.COM: server_password
# klist

You should see output from klist showing credentials for diamond@IBM.COM.

Note: The location of the kinit utility may vary by operating system platform.

Step 6: Verify plug-in authentication with the keytab file (UNIX only)

Verify that the plug-in can authenticate with the keytab file created in step 2. Enter the following kinit command on one line:

# kinit -k -t /var/pdweb/keytab-diamond/diamond_HTTP.keytab HTTP/diamond.subnet2.ibm.com@IBM.COM
# klist

You should see output from klist showing credentials for HTTP/diamond.subnet2.ibm.com@IBM.COM.

Step 7: Enable SPNEGO authentication in the plug-in

To enable SPNEGO authentication in the plug-in:

1. Assign the value spnego to the authentication parameter in the [common-modules] stanza of the plug-in configuration file pdwebpi.conf:

[common-modules]
authentication = spnego

2. In the [authentication-mechanisms] stanza, set the kerberosv5 parameter to the absolute path of the security token interface (stli) shared library. For example:

AIX:
kerberosv5 = /opt/PolicyDirector/lib/libstliauthn.a

Other UNIX:
kerberosv5 = /opt/PolicyDirector/lib/libstliauthn.so

Windows:
kerberosv5 = C:\PROGRA~1\Tivoli\POLICY~1\bin\stliauthn.dll

3. In the [spnego] stanza, set:
• spnego-krb-service-name to HTTP or HTTP@fully_qualified_host_domain_name.
• spnego-krb5-keytab-file to the full path name of the keytab file used by the plug-in. This value is required only on UNIX platforms; on Windows the option is ignored.

Step 8: Enable SPNEGO authentication in the Web server

To enable SPNEGO for IIS, make sure the Web server's access control (set on the Directory Security tab) is set to anonymous. For other Web servers the default configuration is acceptable.

To enable SPNEGO in the Internet Explorer client:

1. If the plug-in is installed on UNIX, configure the Local intranet zone to include the name of the UNIX server:
   a. Select Tools → Internet Options.
   b. On the Security tab select Local intranet → Sites → Advanced, or Trusted sites → Sites.
   c. Enter the UNIX server on which the plug-in is running.
2. Configure the automatic logon behaviour:
   a. Select Tools → Internet Options.
   b. On the Security tab click Custom Level.
   c. Scroll down to the Logon section under User Authentication in the security settings, then select Automatic... or Prompt... according to the behaviour you need.
   Note: If the Trusted sites option was chosen in step 1 above, the user is always prompted for username and password.
3. If the client is Internet Explorer V6, Integrated Windows logon must be configured. To do so:
   a. Select Tools → Internet Options.
   b. On the Advanced tab, check Enable Integrated Windows logon.
   c. Restart the browser for the change to take effect.

Troubleshooting

Kerberos configuration

• Problem: When testing the keytab created for the UNIX server with kinit, the error "Clock skew too great while getting initial credentials" appears.
Solution: Kerberos requires the clocks to be kept in step. To fix this permanently, deploy a time synchronization service on the machines. As a temporary fix, adjust the machine clocks so that they differ by less than five minutes.

• Problem: When testing the keytab created for the UNIX server with kinit, the error "Authentication failed while getting initial credentials" or "Password incorrect while getting initial credentials" appears.
Solution: The key in the keytab file is incorrect. Make sure the keytab file was generated correctly and that the principal name, Active Directory username and path are correct.

• Problem: kinit hangs when running kinit -k -t.
Solution: Some versions of kinit do not handle a missing entry in the keytab file correctly. Check carefully that the keytab file contains an entry that matches exactly the entry being passed to kinit.

Tivoli Access Manager Plug-in for Web Servers configuration

• Whenever a problem occurs, enable tracing for SPNEGO. Add an entry to the routing file, which is located under the installation directory in etc/routing. Example entry:

bst:*.9:TEXTFILE:install_path/log/spnegotrace.log

On UNIX the default plug-in installation directory is /opt/pdwebpi; substitute your installation directory in the path. Then restart the plug-in and look for error messages in the trace file.

• Problem: The plug-in server does not start. The log file contains the error message "No authentication method configured (kerberosv5)".
Solution: Enable the kerberosv5 authentication method in the [authentication-mechanisms] stanza of the plug-in configuration file.

• Problem: The plug-in does not start. The error message is "The security service function gss_import_name returned major error code 131072 and minor error code -1765328168".
Solution: The principal name specified in the configuration file is invalid. Its format should be "HTTP@host_name", where host_name is the fully qualified DNS name of the machine configured into the Kerberos realm.

• Problem: The plug-in server does not start. The error message is "The security service function gss_acquire_cred returned major error code 851968 and minor error code 397560331".
Solution: The principal name in the configuration file does not match any key in the specified keytab file. Key names in the keytab file look like HTTP/host_name@REALM; the principal name should have the format HTTP@host_name.

• Problem: Users trying to access the plug-in receive the error "HPDIA0100E An internal error has occurred." The plug-in trace log contains the message "The security service function gss_accept_sec_context returned major error code 851968 and minor error code -1765328347."
Solution: The system clock on the client is out of step with the system clock on the plug-in server. Kerberos requires the clocks to be kept in step. To fix this permanently, deploy a time synchronization service on the machines. As a temporary fix, adjust the machine clocks so that they differ by less than five minutes.

Other configuration items to check when problems occur

• Check that the file permissions and ownership of the keytab file allow the plug-in authorization server to access it (see "Step 2: Map the Kerberos principal to an Active Directory user" on page 64).
• Check that the keytab file contains valid data and keys for the correct principal name by displaying its contents with the ktutil utility.
• Check that the DNS configuration of the domain involved (domain controller and clients) is correct, and that names resolve correctly and match the values in the service principal name configuration items in their various locations (keytab file, plug-in configuration file and so on).
• Check that the system clocks of all systems in the domain are in step and that the distributed time service is keeping them in step.
• Check that the network configuration is correct and does not cause lost messages, errors or name resolution problems. Make sure latency is within acceptable limits and that firewalls, NAT and other network security services do not cause erroneous interference.

Configuring NTLM authentication (IIS platform only)

Older Windows platforms provide a basic single sign-on (SSO) mechanism called NT Lan Manager (NTLM) authentication. This authentication method is based on a challenge protocol that offers a level of security and operation similar to basic authentication. The plug-in supports NTLM authentication for backward compatibility between newer Windows platforms (XP, 2000) and legacy Windows NT systems. The plug-in supports NTLM only on the Windows IIS platform, not on UNIX platforms.

To enable NTLM authentication, assign the value ntlm to the authentication parameter in the [common-modules] stanza of the plug-in configuration file pdwebpi.conf:

[common-modules]
authentication = ntlm

To enable NTLM authentication, make sure the access control of the IIS Web server is set to anonymous.

To configure Internet Explorer to negotiate NTLM (and SPNEGO):

1. Configure the automatic logon behaviour:
   a. Select Tools → Internet Options.
   b. On the Security tab click Custom Level.
   c. Scroll down to the Logon section under User Authentication in the security settings, then select Automatic... or Prompt... according to the behaviour you need.
   Note: If the Trusted sites option was chosen in step 1 above, the user is always prompted for username and password.
2. If the client is Internet Explorer V6, Integrated Windows logon must be configured. To do so:
   a. Select Tools → Internet Options.
   b. On the Advanced tab, check Enable Integrated Windows logon.
   c. Restart the browser for the change to take effect.

The use-pre-windows-2000-logon-name parameter in the [ntlm] stanza of the plug-in configuration file selects the Windows 2000 or pre-Windows 2000 username format. By default the ntlm module in Tivoli Access Manager represents the authenticated user by the Windows 2000 logon name, that is, the username part of the username@domain logon name. The use-pre-windows-2000-logon-name parameter lets Tivoli Access Manager represent the authenticated user by the pre-Windows 2000 logon name, that is, the username part of the DOMAIN\USERNAME logon name. If Tivoli Access Manager uses Active Directory as its user registry, this parameter is ignored: with Active Directory the user's Tivoli Access Manager username is always the username part of the username@domain logon name.

Configuring Web server authentication (IIS platform only)

Some Web servers can perform authentication themselves. One example is the ability of IIS to perform integrated Windows logon (SPNEGO, NTLM or BA). The plug-in can be configured to use this native Web server authentication, relying on the Web server having already performed the security checks itself. Web server authentication in the plug-in is currently supported only on IIS.

To enable Web server authentication in the plug-in, assign the value web_svr_authn to the authentication parameter in the [common-modules] stanza of the plug-in configuration file pdwebpi.conf:

[common-modules]
authentication = web_svr_authn

To configure Internet Explorer to negotiate NTLM (and SPNEGO):

1. Configure the automatic logon behaviour:
   a. Select Tools → Internet Options.
   b. On the Security tab click Custom Level.
   c. Scroll down to the Logon section under User Authentication in the security settings, then select Automatic... or Prompt... according to the behaviour you need.
   Note: If the Trusted sites option was chosen in step 1 above, the user is always prompted for username and password.
2. If the client is Internet Explorer V6, Integrated Windows logon must be configured. To do so:
   a. Select Tools → Internet Options.
   b. On the Advanced tab, check Enable Integrated Windows logon.
   c. Restart the computer for the change to take effect.

The web-server-authn authentication module can be configured to use the Windows 2000 or pre-Windows 2000 username format through the use-pre-windows-2000-logon-name parameter in the [web-server-authn] stanza of the plug-in configuration file.

By default the web-server-authn module in Tivoli Access Manager represents the authenticated user by the Windows 2000 logon name, that is, the username part of the username@domain logon name. The use-pre-windows-2000-logon-name parameter lets Tivoli Access Manager represent the authenticated user by the pre-Windows 2000 logon name, that is, the username part of the DOMAIN\USERNAME logon name. If Tivoli Access Manager uses Active Directory as its user registry, this parameter is ignored: with Active Directory the user's Tivoli Access Manager username is always the username part of the username@domain logon name.

Configuring failover authentication

This section covers the following topics:
• "Failover authentication concepts"
• "Failover authentication configuration" on page 76

Failover authentication concepts

The plug-in provides an authentication method that, when a plug-in protected server becomes unavailable, enables an authenticated session between the client and a backup plug-in protected Web server. This method is called failover authentication. It lets the client connect to another plug-in protected Web server and creates an authenticated session containing the same user session data and user credentials.

The failover cookie function is normally used with replicated front-end Web servers that clients reach through a load-balancing mechanism. When the original session between server and client becomes unavailable, the failover cookie avoids a forced re-authentication.

With failover cookies configured for post-authorization processing, the plug-in encrypts credential data in a server-specific or domain-wide cookie. The cookie is placed on the browser when the client first connects. If the initial Web server session is lost, the cookie is presented to the next server to which the client is redirected and is used to re-authenticate automatically, so the client does not have to re-authenticate manually. The plug-ins on the replicated servers share a common key that decrypts the credential information in the cookie and establishes the new session.

Figure 5 shows a typical architecture that benefits from failover cookies. Several identical instances of the same Web server sit behind a load-balancing server that directs requests to one of them according to load and availability. Suppose each instance of www.ibm.com is configured to authenticate client access with failover cookies and to use failover cookies for post-authorization processing. A client accesses www.ibm.com, is directed to instance 1 of the server, and authenticates successfully. The client's credentials are encrypted and stored in a domain-wide cookie held in the client browser. If during the session the client needs to access instance 2 or 3 of www.ibm.com (for example because instance 1 fails or is taken down for maintenance), the failover cookie held in the client browser is used to re-authenticate automatically, without user intervention. The cookie from the start of the original session is retained, so the integrity of the session lifetime is not lost when the automatic redirection to the failover server occurs.

Figure 5. Typical server architecture for failover cookies.

Where failover authentication applies

As part of the failover function, the plug-in uses a failover cookie to support user authentication. The failover cookie is a server-specific cookie or a domain cookie. It contains client-specific data such as the username, the cookie creation timestamp, the original authentication method and an attribute list. By default the attribute list contains the user's authentication level; the plug-in can be configured to add specific extended attributes to the list.

The plug-in encrypts this client-specific data. The replicated plug-in protected Web servers share a common key that decrypts the cookie information. When a replicated plug-in server receives the cookie, it decrypts it and uses the username and authentication method to regenerate the client's credential. The plug-in can also be configured to copy any of the extended attributes from the cookie into the user credential. The client can then establish a new session with the plug-in protected server without being prompted to log in.

Note: Failover cookies can be used over HTTP or HTTPS.

The sequence of events in a failover authentication event is:

1. The client (browser) tries to access a protected resource. The request reaches the load balancer, which controls access to the replicated servers.
2. The load balancer selects a target server and forwards the user's request.
3. The plug-in authenticates the client to the server with one of the supported authentication methods.
4. The plug-in creates a failover authentication cookie containing the client's authentication information and sends it to the client.
5. The client sends the cookie with each subsequent request through the load balancer to the plug-in, which processes each request.
6. If the load balancer finds that the plug-in protected server is unreachable, it directs the client's request to another replicated plug-in protected server.
7. The plug-in on the replicated server is configured to check for the failover authentication cookie each time it tries to authenticate a user.
8. The plug-in uses the information in the cookie to create a session with the client without requiring the client to log in again manually. It maintains the client's session data and user credential and processes the requests for protected resources.
9. The change of session from one plug-in protected server to another is transparent to the client. Because the plug-in protected servers contain identical resources, the client session continues unaffected.

Failover authentication libraries

The plug-in provides a built-in failover authentication shared library for each supported authentication method. Each failover shared library corresponds to an authentication method and is also aware of any extended attributes stored in the user credential.

When a failover authentication event occurs, the plug-in calls the failover authentication library that matches the authentication method the user last used before the original server failed.

The plug-in provides failover authentication for the following authentication methods:
• basic or forms authentication (also called password authentication),
• token authentication,
• certificate authentication,
• HTTP request authentication,
• cross-domain single sign-on (CDSSO),
• Kerberos authentication (SPNEGO).

The plug-in supplies one standard failover shared library that covers all of the above authentication methods. On UNIX systems it is called libfailoverauthn; on Windows it is called failoverauthn.

Note: Alternatively, you can supply a custom CDAS library that provides the specific authentication function your environment requires.

For example, the plug-in can be configured to support forms authentication and failover authentication. When the plug-in starts, both the forms authentication shared library and the "failover - forms" authentication library are loaded. Users authenticate with forms authentication, and the plug-in server sends a failover authentication cookie to each client (browser). The cookie data records that the cookie was created in a forms authentication environment.

When the plug-in protected server becomes unavailable, the failover cookie is sent to a second plug-in protected server. The second server (normally a replicated server) also loads the forms authentication shared library and the "forms - failover" library in its plug-in. The plug-in instance on the second server receives the failover cookie and examines it to determine the user's previous authentication method. It then calls the "failover - forms" authentication shared library to extract the required data from the cookie and uses that data to authenticate the user and obtain the user credential.

When forms authentication and failover authentication are enabled in a replicated plug-in environment, two separate libraries must therefore be configured in the plug-in configuration file: one for the forms authentication method and one for the failover authentication method. Example configuration file entries:

[authentication-mechanisms]
passwd-ldap = /opt/pdweb/lib/libldapauthn.so
failover-password = /opt/pdweb/lib/libfailoverauthn.so

In this example the passwd-ldap entry specifies the plug-in's built-in forms authentication library, and the failover-password entry specifies the plug-in's built-in failover authentication library.

Adding data to the failover cookie

The plug-in automatically adds specific data from the user session to every failover authentication cookie. It can be configured to add further information from the client data held in the credential cache, and also deployment-specific, user-defined data; for example, user attributes obtained by a custom cross-domain authentication service can be added to the cookie.

By default the plug-in adds the following data to each cookie:

• Username
The same name that identifies the user in the user registry.
Note: When an authenticated user uses the plug-in's switch user function to obtain the effective identity of another user, only the identity of the original user is added to the cookie. Only the originally authenticated user identity ever goes into the cookie.
• Authentication method
The method used to authenticate the user to the plug-in.
• Cookie creation time
The system time when the cookie was created.

The plug-in also creates an attribute list containing additional data. By default the attribute list contains one value:

• Authentication level
An integer equal to the plug-in's authentication strength level, which is assigned to the authentication method on the local plug-in protected server. Authentication strength (also called step-up authentication) lets a user authenticate with a different authentication method without logging out.

The plug-in defines additional user data that can be added to the cookie attribute list:

• Session lifetime timestamp
When a user authenticates, the plug-in tracks the age, or lifetime, of the user's entry in the session cache. The session lifetime timestamp is the current time plus an integer configured in the plug-in configuration file: the maximum time that user session data may stay in the session cache. When the current system time exceeds the timestamp, the plug-in invalidates the user's session cache entry (including the user credential).

The plug-in can be configured to add the session lifetime timestamp to the cookie. When it is present, the session lifetime timer can be preserved across a failover event, so when the client session is established on the replicated server the plug-in administrator can choose whether to reset the client's session timer.

Note that successful use of this function depends on clock synchronization between the replicated plug-in protected servers. If the clock skew becomes too large, sessions expire at the wrong time.

• Session inactivity timestamp
The plug-in also tracks how long the user's entry in the session cache has been inactive. When the user session has been inactive for longer than the configured session inactivity value, the plug-in invalidates the user session.

The session inactivity timestamp can also be added to the failover authentication cookie. It differs slightly from the inactivity timestamp kept in the plug-in session cache, which is the sum of two values:
– the current system time
– the maximum time a user session may remain inactive.

When the value is added to the failover authentication cookie, a third value is added:
– the maximum interval between updates of the failover authentication cookie.

The interval between updates of the failover cookie affects performance. The administrator must choose a compromise between best performance and absolute accuracy of the inactivity timer in the cookie. For the timer to be perfectly accurate, the cookie would have to be updated on every user request, but every update of the cookie content incurs encryption overhead and therefore costs performance.

Each administrator must choose the interval that best suits the plug-in deployment. In some cases updating the failover cookie on every request is appropriate; in others the administrator may choose never to update the inactivity timer in the failover cookie.

• Additional extended attributes
The administrator can configure the plug-in to place a set of custom attributes in the failover cookie. Attributes can be specified individually or as a group; a group is specified with wildcard matching in the configuration file entry. This is useful, for example, in deployments where a custom authentication library (such as a cross-domain authentication server) places specific attributes in the user credential. By naming those attributes in the plug-in configuration file, the administrator ensures that they are available to be added to the recreated user credential during failover authentication.

Note: The maximum size of a failover authentication cookie is 4 kilobytes (4096 bytes).

Extracting data from the failover cookie

When a failover authentication event occurs, the plug-in receives the failover authentication cookie and by default extracts the following data from it:
• username,
• authentication method,
• cookie creation time.

The plug-in first determines whether the cookie is valid by subtracting the cookie creation time from the system time and comparing the result with the failover cookie lifetime entry in the plug-in configuration file.

If the cookie lifetime has been exceeded, the cookie is invalid and no failover authentication is attempted. If not, the plug-in uses the username and authentication method to authenticate the user and build the user credential.

The plug-in then checks its configuration to determine whether additional cookie data should be extracted or ignored. Note that by default the plug-in extracts no other attributes from the failover authentication cookie; every additional attribute to be extracted must be specified in the plug-in configuration file. Wildcard matching can be used to select groups of attributes.

The plug-in can be configured to extract the following defined attributes:

• Authentication level
When this value is extracted, the plug-in uses it to ensure that the user authenticated with a method that satisfies the specified authentication level. Note that the plug-in can obtain the authentication level from several places:
– the failover cookie
– the failover authentication library
– the cross-domain authentication service
– the authorization service
An authentication level extracted from the failover cookie takes precedence over one obtained elsewhere.

• Session lifetime timestamp
The plug-in can use this timestamp to determine whether the user's entry in the original server's session cache has expired. If so, the plug-in discards the cookie and all the credential attributes it carries. The session lifetime is not preserved and the user is prompted to log in.

• Session inactivity timestamp
The plug-in can use this timestamp to determine whether the user's entry in the original server's session cache has been inactive for too long. If so, the plug-in discards the cookie and all the credential attributes it carries. The session lifetime is not preserved and the user is prompted to log in.

Note: Successful use of these timestamps requires clock synchronization between the replicated plug-in servers. If the clock skew becomes too large, sessions expire or become inactive at the wrong time.

• Additional extended attributes
These include user-defined custom attributes, such as those generated by a cross-domain authentication service. The plug-in adds them to the user credential.

Attributes not specified in the plug-in configuration file are ignored and not extracted. In addition, the administrator can specify that certain attributes must be ignored during extraction from the failover cookie. Although ignoring is the default behaviour, this specification is useful, for example, to ensure that a user attribute comes from the user registry rather than from the failover cookie.

r6'ZDJO*FO$

e~'V;vI!dC,CdC9CJO*FO$ cookie ;jG*ZJO*FO$}L

PICZ Tivoli Access Manager rPNbT0d|yPe~v?~qw#KdC!n

9CJO*FO$ cookie ICZ;h*P:XybwM4FDe~v?~qwD?p#

1M'za0(}JO*FO$B~=o4FDe~v?~qw1,M'zLxCJ

,;i\#$J4#1M'za0(}JO*FO$B~=o"G4FDe~v?~

qw1,M'zI\aCJ;i;,DJ4#ZsM?pP,Tivoli Access Manager r

ZDJ4VxG\#{D#IvZT\M\m=fD?DxPVx#

1M'zDks9C|%ks^((}>X~qwCJDJ41,r6'ZDJO*

FO$ICZ+M'zX(r=m;v~qw#ZbVivB,+M'z(/@w)

X(r=m;ve~v?~qw#SUe~IdC*iRJO*FO$ cookie#e~"

TO$M'z,"6pJO*FO$ cookie#(}9C cookie,e~;h*a>M'z

a)G<E",+IT("kM'zDa0,"9l;iP'DC'>$#

rsf]T

V5.1 .0f>De~Imb"A!({D)V5.1 De~zIDJO*F cookie#,y,

V5.1 De~Imb"A!({D)Ogf>(V5.1 .0f>)De~zIDJO*F

cookie#4kOgf>(V5.1 .0f>)e~D(FJO*F cookie D CDAS #i+

k V5.1 De~;p$w#

*7#j+Drsf]T,a)TB&\:

• The plug-in can be configured to authenticate a user on the basis of the failover cookie contents even when the cookie contains no session lifetime timestamp. Failover authentication cookies created by pre-V5.1 plug-ins do not contain a session lifetime timestamp.

• The plug-in can be configured to authenticate a user on the basis of the failover cookie contents even when the cookie contains no session inactivity timestamp. Failover authentication cookies created by pre-V5.1 plug-ins do not contain a session inactivity timestamp.

• The V4.1 plug-in changed the encryption scheme used to protect client data in failover authentication cookies. When plug-ins of versions earlier than V4.1 are still in use, a configuration file setting enables the older cookie encryption for compatibility.

• The plug-in can be configured not to UTF-8 encode the strings in the failover cookie. Cookies created on a V5.1 plug-in server without UTF-8 encoding can be accepted (read) by plug-in servers of earlier versions.

Upgrading failover authentication

In the plug-in configuration file, the [failover-add-attributes] and [failover-restore-attributes] stanzas replace the [failover-attributes] stanza of pre-V5.1 versions.

When Tivoli Access Manager V4.1 is upgraded to the current version, the entries of the [failover-attributes] stanza are migrated to the [failover-add-attributes] stanza.

The upgrade is automatic and takes place when the plug-in is installed. No manual upgrade of these entries is necessary.

Failover authentication configuration

This section describes how to configure failover authentication.

If you are not familiar with the concepts of failover authentication, see "Failover authentication concepts" on page 70.

To configure failover authentication, complete the following tasks:

1. Stop the plug-in server.

2. To enable failover authentication, complete each of the following tasks:

a. "Enabling authentication using failover cookies" on page 77

b. "Specifying the failover authentication library" on page 77

c. "Creating an encryption key for cookie data" on page 78

d. "Specifying the cookie lifetime" on page 78

e. "Specifying UTF-8 encoding on BA headers" on page 57

3. Optionally, configure the plug-in to add session timestamps to the failover authentication cookie. If this configuration applies to your deployment, complete the following instructions:

a. "Adding the session lifetime timestamp" on page 80

b. "Adding the session activity timestamp" on page 80

c. "Adding the interval for updating the activity timestamp" on page 80

4. Optionally, configure the plug-in to add extended attributes to the failover cookie:

• "Adding extended attributes" on page 81

5. When the plug-in is configured to add attributes to the failover cookie, it must also be configured to read the attributes when it receives the cookie:

• "Specifying attributes to read" on page 81

6. Optionally, enable failover authentication cookies for use by other plug-in servers in the domain. If this configuration applies to your deployment, see

• "Enabling domain-wide failover cookies" on page 82

7. If you need to support, for backward compatibility, failover authentication cookies generated by pre-V5.1 plug-in servers, complete the following instructions:

a. "Specifying UTF-8 encoding on BA headers" on page 57

b. "Requiring the lifetime timestamp validation" on page 82

c. "Requiring the activity timestamp validation" on page 83

d. "Enabling backward compatibility for encryption" on page 83

8. After completing all the instructions that apply to your deployment, restart the server.

Enabling authentication using failover cookies

The [common-modules] stanza of the pdwebpi.conf configuration file defines the use of all authentication methods. Failover cookies can be configured for both authentication and post-authorization tasks.

A plug-in configured to use failover cookies for post-authorization processing encrypts the credential and stores it as a failover cookie in the response.

A plug-in configured to use failover cookies for authentication re-authenticates the client from the encrypted credential contained in the failover cookie found in the request.

To enable both authentication and post-authorization processing using failover cookies, specify the value failover for the authentication and post-authzn parameters:

[common-modules]
authentication = failover
post-authzn = failover

The [modules] stanza of the pdwebpi.conf configuration file defines all the available authentication modules and the names of the shared libraries they require. Make sure the failover authentication entry is present:

[modules]
failover = pdwpi-failovercookie-module

Specifying the failover authentication library

Edit the plug-in configuration file. In the [authentication-mechanisms] stanza, remove the comment character from the entry for each authentication type for which failover cookies must be supported. Add the file name of the plug-in failover cookie library that applies to your operating system.

The default configuration file entries are:

[authentication-mechanisms]
#failover-password = failover_password_library_filename
#failover-token-card = failover_token_card_filename
#failover-certificate = failover_certificate_filename
#failover-http-request = failover_http_request_filename
#failover-cdsso = failover_cdsso_filename
#failover-kerberosv5 = failover_kerberos_library

The plug-in provides a single failover shared library that is used for all authentication methods. For its file name, see the following table:

Table 13. Failover authentication library file names

Solaris    libfailoverauthn.so
Linux      libfailoverauthn.so
AIX        libfailoverauthn.a
Windows    failoverauthn.dll

For example, to enable failover authentication on Solaris for clients that authenticate through forms, remove the comment character from the failover-password entry and add the library name:

[authentication-mechanisms]
failover-password = libfailoverauthn.so

Alternatively, when you have developed a custom CDAS library for failover authentication with one or more authentication methods, enter the name of the custom CDAS as the value of the configuration file keyword. For example, if a custom CDAS has been developed for forms authentication, enter its absolute path name:

[authentication-mechanisms]
failover-password = /dir_name/custom_cdas_failover_library.so
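The three stanzas above must agree before failover authentication works, and the [failover] entries described in the following sections add further conditions (an absolute key file path, a positive cookie lifetime, and an update interval whose value 0 means a cookie rewrite on every request). The following checker is an added example and not part of the product or of this manual: it parses pdwebpi.conf-style stanzas and reports those mismatches. The sample configuration embedded in it is constructed for the example; the stanza and keyword names are the ones documented here.

```python
"""Consistency check of the failover-cookie stanzas in a pdwebpi.conf file.

Added example, not IBM code: it parses the INI-style stanzas this chapter
shows and reports the mistakes the text warns about (module enabled in
[common-modules] but absent from [modules], no failover library in
[authentication-mechanisms], missing or relative key file, and the
per-request cookie rewrite that failover-update-cookie = 0 implies).
SAMPLE_CONF is constructed for the example.
"""
import re
from collections import defaultdict

SAMPLE_CONF = """\
[common-modules]
authentication = failover
post-authzn = failover

[modules]
failover = pdwpi-failovercookie-module

[authentication-mechanisms]
failover-password = libfailoverauthn.so

[failover]
failover-cookies-keyfile = /opt/pdwebrte/lib/wpi.key
failover-cookie-lifetime = 30
failover-update-cookie = 0
"""

def parse_conf(text):
    """Return {stanza: {key: [values]}}. Keys may repeat inside a stanza
    (for example several virtual-host lines), so values are kept as lists
    in file order; '#' and ';' start comments."""
    conf = defaultdict(lambda: defaultdict(list))
    stanza = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"\[([^\]]+)\]", line)
        if m:
            stanza = m.group(1).strip()
            continue
        if stanza is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[stanza][key.strip()].append(value.strip())
    return conf

def _is_absolute(path):
    # UNIX absolute path or Windows drive path, as cdsso_key_gen requires
    return path.startswith("/") or re.match(r"^[A-Za-z]:[\\/]", path) is not None

def check_failover(conf):
    """Return the list of findings; an empty list means the stanzas agree."""
    findings = []
    common = conf.get("common-modules", {})
    enabled = ("failover" in common.get("authentication", [])
               or "failover" in common.get("post-authzn", []))
    if not enabled:
        return findings  # failover is not in use; nothing to verify
    if "failover" not in conf.get("modules", {}):
        findings.append("[modules] lacks 'failover = pdwpi-failovercookie-module'")
    mechanisms = conf.get("authentication-mechanisms", {})
    if not any(k.startswith("failover-") for k in mechanisms):
        findings.append("[authentication-mechanisms] names no failover-* library")
    fo = conf.get("failover", {})
    keyfile = fo.get("failover-cookies-keyfile", [""])[-1]
    if not keyfile:
        findings.append("failover-cookies-keyfile missing: the plug-in refuses to start")
    elif not _is_absolute(keyfile):
        findings.append("failover-cookies-keyfile must be an absolute path: " + keyfile)
    lifetime = fo.get("failover-cookie-lifetime", ["30"])[-1]
    if not lifetime.isdigit() or int(lifetime) <= 0:
        findings.append("failover-cookie-lifetime must be a positive number of minutes")
    update = fo.get("failover-update-cookie", ["-1"])[-1]
    if update == "0":
        findings.append("failover-update-cookie = 0 re-encrypts the cookie on every request")
    return findings
```

Run `check_failover(parse_conf(open("/opt/pdwebpi/etc/pdwebpi.conf").read()))` before restarting the server; the last value of a repeated key wins, which mirrors how a duplicated entry lower in a stanza overrides an earlier one in hand-edited files.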

Creating an encryption key for cookie data

Use the cdsso_key_gen utility to protect cookie data. This utility generates a symmetric key that is used to encrypt and decrypt the data in the cookie.

Attention: If failover authentication is enabled but the plug-in has not been configured to encrypt failover authentication cookies, the plug-in reports an error and does not start. Failover authentication cookies must be encrypted.

1. Run the utility on one of the replicated servers. Specify on the command line the location of the key file to be created. An absolute path name is required.

For example:

UNIX:

# /opt/pdwebrte/bin/cdsso_key_gen absolute_pathname_for_keyfile

Windows:

MSDOS> C:\Program Files\Tivoli\PDWebrte\bin\cdsso_key_gen absolute_pathname_for_keyfile

Give the generated key file a meaningful name, for example /opt/pdwebrte/lib/wpi.key.

2. Edit the plug-in configuration file. In the [failover] stanza, specify the location of the key file:

[failover]
failover-cookies-keyfile = absolute_pathname_for_keyfile

3. Manually copy the key file to every replicated plug-in server.

4. On each replicated plug-in server, edit the plug-in configuration file so that the failover-cookies-keyfile entry in the [failover] stanza gives the correct path name.

Specifying the cookie lifetime

Edit the plug-in configuration file. Specify the lifetime of valid failover cookies:

[failover]
failover-cookie-lifetime = 30

The default lifetime is 30 minutes.

Specifying UTF-8 encoding on cookie strings

Edit the plug-in configuration file. Specify whether the plug-in should use UTF-8 encoding for the strings in the failover cookie.

[failover]
use-utf8 = true

The default value is true.

UTF-8 encoding should be used when the user name or credential attributes in the cookie cannot be encoded in the local code page that the plug-in server uses. By default the plug-in supports UTF-8 encoding. When all the servers in the plug-in deployment use UTF-8 encoding, leave this value at its default setting of true.

Backward compatibility

Plug-in servers of versions earlier than V5.1 do not use UTF-8 encoding. Cookies created by those servers therefore do not UTF-8 encode their strings. When a plug-in instance runs together with pre-V5.1 plug-in servers, it should not use UTF-8 encoding.

To obtain backward compatibility, set use-utf8 to false:

[failover]
use-utf8 = false

For more information about the plug-in's UTF-8 support, see "Language support and character sets" on page 32.

Specifying the authentication level

The plug-in provides two different ways to specify the authentication level. For failover cookies, either way can be used. The first is to set the authentication level in the failover cookie. The second is to set the level when the failover authentication library is invoked.

When both ways are used, the authentication level in the failover cookie takes precedence over the level set at library invocation.

When neither way is configured, the authentication level is set through the [authentication-levels] stanza to the level associated with the failover authentication method.

The two ways are:

• Specify the authentication level in the failover authentication cookie.

Add the authentication level to the plug-in configuration file. The configuration file keyword AUTHENTICATION_LEVEL must be used:

[failover-add-attributes] or [failover-add-attributes:virtual-host]
AUTHENTICATION_LEVEL = add

The value of AUTHENTICATION_LEVEL is an integer generated internally by the plug-in. Do not specify the integer in this stanza.

For the authentication level to be retained so that it can be read back from the cookie, the plug-in must also be configured to accept the attribute with the following entry:

[failover-restore-attributes] or [failover-restore-attributes:virtual-host]
AUTHENTICATION_LEVEL = preserve

• Specify the authentication level when the failover authentication library is invoked.

When configuring the plug-in failover authentication library, or a CDAS library, you can optionally specify an authentication level that is assigned to the authenticated user. The authentication level is an integer assigned to a specific authentication method and is part of the plug-in authentication strength functionality.

Add the command-line parameter to the configuration file entry of the appropriate failover authentication library. The syntax is:

[authentication-mechanisms]
failover_authentication_method = failover_authentication_library& -l level_number

level_number must match a valid integer specified in the [authentication-levels] stanza of the plug-in configuration file.

For example, to enable failover authentication for forms authentication on a Solaris system and assign authentication level 3 to the users, create the following configuration file entry:

[authentication-mechanisms]
failover-password = libfailoverauthn.so& -l 3

Adding the session lifetime timestamp

The plug-in computes the session lifetime timestamp by adding the following two values:

• The current system time.

• The maximum lifetime (in seconds) allowed for a credential entry in the plug-in session cache.

The maximum lifetime is specified in seconds in the session stanza of the plug-in configuration file:

[sessions]
timeout = 3600

To add the session lifetime timestamp to the failover authentication cookie, add the following entry to the plug-in configuration file:

[failover-add-attributes]
session-lifetime-timestamp = add

Note that this attribute cannot be set by a wildcard pattern. The entry session-lifetime-timestamp must be entered exactly.

Adding the session activity timestamp

The plug-in computes the session activity timestamp by adding the following values:

• The system time.

• The maximum time a credential entry in the session cache may remain inactive.

Set the maximum inactive time in the session stanza of the configuration file:

[session]
inactive-timeout = 600

The default value is 600 seconds.

• The interval for updating the failover authentication cookie.

Set this value in the [failover] stanza of the plug-in configuration file:

[failover]
failover-update-cookie = -1

The default value is -1 seconds. A negative integer means that the failover cookie is updated only when authentication takes place or a new credential is built. For more information, see "Adding the interval for updating the activity timestamp".

To add the session activity timestamp to the failover authentication cookie, add the following entry to the plug-in configuration file:

[failover-add-attributes]
session-activity-timestamp = add

Note that this attribute cannot be set by a wildcard pattern. The entry session-activity-timestamp must be entered exactly.

Adding the interval for updating the activity timestamp

Optionally, the plug-in can update the session activity timestamp in the failover cookie during the user's session.

This entry holds the integer number of seconds (the time interval) between updates of the activity timestamp in the failover cookie.

The default entry is:

[failover]
failover-update-cookie = -1

When failover-update-cookie is set to 0, the last activity timestamp is updated on every request.

When failover-update-cookie is set to an integer less than 0 (for example, -1), the last activity timestamp is never updated.

When failover-update-cookie is set to an integer greater than 0, the session activity timestamp in the cookie is updated at the specified interval.

The value chosen for this entry affects session behavior and performance. See "Adding data to a failover cookie" on page 73.

Adding extended attributes

Optionally, the plug-in can be configured to copy specified extended attributes of the user credential into the failover authentication cookie. By default, no extended attributes are configured.

To add extended attributes, add entries to the [failover-add-attributes] stanza of the plug-in configuration file. The syntax is:

[failover-add-attributes]
attribute_pattern = add

attribute_pattern can be a specific attribute name, or a wildcard pattern that matches several attribute names. For example, to specify all attributes whose names begin with tagvalue_, add the following entry:

[failover-add-attributes]
tagvalue_* = add

The order of the entries is important. Earlier entries in [failover-add-attributes] take precedence over later entries in the same stanza.

Attributes that are not specified by a wildcard pattern or by name are not added to the failover cookie.

Specifying attributes to read

Optionally, the plug-in can be configured to read attributes from the failover authentication cookie and add them to the user credential. By default, no attributes are configured to be read.

Attributes to be read are listed in the [failover-restore-attributes] stanza of the plug-in configuration file. The syntax is:

[failover-restore-attributes]
attribute_pattern = {preserve|refresh}

The value preserve causes the plug-in to read the attribute and add it to the credential. A value set this way overrides an attribute of the same name that the authentication CDAS set when it created the new credential.

The value refresh causes the plug-in to read the attribute and add it to the credential only when the authentication CDAS did not add an attribute of the same name when it created the new credential.

attribute_pattern can be a specific attribute name, or a wildcard pattern that matches several attribute names. For example, to read all attributes whose names begin with tagvalue_, add the following entry:

[failover-restore-attributes]
tagvalue_* = preserve

Attributes that are not specified, by pattern or by name, with the value preserve are not read from the failover authentication cookie.

The order of the entries is important. Earlier entries in [failover-restore-attributes] take precedence over later entries in the same stanza.

The following attributes cannot be specified by a wildcard pattern and must be listed explicitly in order to be read:

• Authentication level

[failover-restore-attributes]
AUTHENTICATION_LEVEL = preserve

• Session lifetime timestamp

[failover-restore-attributes]
session-lifetime-timestamp = preserve

• Session inactivity timestamp

[failover-restore-attributes]
session-inactivity-timestamp = preserve

Enabling domain-wide failover cookies

Failover authentication cookies can be made usable by any plug-in server in the same domain as the plug-in that created the cookie. This feature is controlled by an entry in the [failover] stanza.

By default, domain-wide failover cookies are disabled:

[failover]
enable-failover-cookie-for-domain = false

To enable the feature, set enable-failover-cookie-for-domain to true:

[failover]
enable-failover-cookie-for-domain = true

For the implications of enabling this entry, see "Domain-wide failover authentication" on page 75.

Requiring the lifetime timestamp validation

Optionally, the plug-in can be configured to require every failover authentication cookie to contain a session lifetime timestamp. By default, the session lifetime timestamp is not required. The default configuration file entry is:

[failover]
failover-require-lifetime-timestamp-validation = false

This entry exists for backward compatibility.

Attention: To support failover cookies created by pre-V5.1 plug-ins, leave this entry set to false. Failover authentication cookies created by pre-V5.1 plug-ins do not contain the timestamp.

• When the value is false and the failover cookie contains no session lifetime timestamp, the receiving server accepts the cookie as valid.

• When the value is true and the failover cookie contains no session lifetime timestamp, the receiving server rejects the cookie as invalid.

• When the value is either false or true and the failover cookie contains a session lifetime timestamp, the receiving server validates the timestamp. If the timestamp is invalid, authentication fails. If it is valid, the authentication process continues.

Note: The session lifetime timestamp can be configured independently of the session activity timestamp.

Requiring the activity timestamp validation

Optionally, the plug-in can be configured to require every failover authentication cookie to contain a session activity timestamp. By default, the session activity timestamp is not required. The default configuration file entry is:

[failover]
failover-require-activity-timestamp-validation = false

This entry exists for backward compatibility.

Attention: To support failover cookies created by pre-V5.1 plug-ins, leave this entry set to false. Failover authentication cookies created by pre-V5.1 plug-ins do not contain the timestamp.

• When the value is false and the failover cookie contains no session activity timestamp, the receiving server accepts the cookie as valid.

• When the value is true and the failover cookie contains no session activity timestamp, the receiving server rejects the cookie as invalid.

• When the value is either false or true and the failover cookie contains a session activity timestamp, the receiving server validates the timestamp. If the timestamp is invalid, authentication fails. If it is valid, the authentication process continues.

Note: The session activity timestamp can be configured independently of the session lifetime timestamp.

Enabling backward compatibility for encryption

In Tivoli Access Manager V4.1, the strength of the encryption applied to failover authentication cookies was increased. The new encryption scheme is not backward compatible. If you must use failover authentication cookies together with plug-in servers of Tivoli Access Manager versions earlier than V4.1, you must set the configuration file entry that enables backward compatibility.

By default, backward compatibility with the earlier encryption scheme is disabled:

[pdweb-plugins]
pre-410-compatible-tokens = false

To enable backward compatibility, set pre-410-compatible-tokens to true:

[pdweb-plugins]
pre-410-compatible-tokens = true
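The decisions described in the preceding sections (cookie lifetime, the two timestamp validation switches, the update interval and the preserve/refresh rules) can be put together in one place. The following model is an added example, not code from IBM or from the Plug-in for Web Servers: it re-implements those decisions in plain Python so that the effect of each setting can be checked on a constructed cookie. Option names are the manual's; the cookie structure, the clock values and the sample attributes are constructed for the example.

```python
"""Model of the checks a plug-in server applies to a received failover cookie.

Added example, not code from IBM or the Plug-in for Web Servers. It
re-implements in plain Python the decisions described in this section:
the failover-cookie-lifetime check, the two
failover-require-*-timestamp-validation switches, the failover-update-cookie
interval, and the preserve/refresh rules of [failover-restore-attributes].
Option names are the manual's; the cookie structure, the clock values and
the sample attributes are constructed for the example.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional

@dataclass
class FailoverCookie:
    user: str
    method: str                        # authentication method, e.g. "password"
    created: int                       # cookie creation time, epoch seconds
    lifetime_ts: Optional[int] = None  # session-lifetime-timestamp, if added
    activity_ts: Optional[int] = None  # session-activity-timestamp, if added
    attrs: dict = field(default_factory=dict)  # extended attributes

@dataclass
class FailoverConfig:
    cookie_lifetime_min: int = 30       # failover-cookie-lifetime (minutes)
    require_lifetime_ts: bool = False   # failover-require-lifetime-timestamp-validation
    require_activity_ts: bool = False   # failover-require-activity-timestamp-validation
    update_cookie: int = -1             # failover-update-cookie (-1, 0 or seconds)
    restore_rules: list = field(default_factory=list)  # [(pattern, "preserve"|"refresh")]

def issue_timestamps(now, session_timeout=3600, inactive_timeout=600):
    """Timestamps the issuing server adds: now plus the session timeout and
    now plus the inactive-timeout (defaults as shown in this section)."""
    return now + session_timeout, now + inactive_timeout

def validate(cookie, cfg, now):
    """Return (accepted, reason) for a cookie presented at time `now`."""
    if now - cookie.created > cfg.cookie_lifetime_min * 60:
        return False, "cookie older than failover-cookie-lifetime"
    if cookie.lifetime_ts is None:
        if cfg.require_lifetime_ts:
            return False, "lifetime timestamp required but absent"
    elif now > cookie.lifetime_ts:
        return False, "session lifetime timestamp expired"
    if cookie.activity_ts is None:
        if cfg.require_activity_ts:
            return False, "activity timestamp required but absent"
    elif now > cookie.activity_ts:
        return False, "session inactivity timestamp expired"
    return True, "ok"

def should_rewrite_cookie(cfg, last_update, now):
    """failover-update-cookie: negative never, 0 on every request,
    N > 0 once at least N seconds have passed since the last rewrite."""
    if cfg.update_cookie < 0:
        return False
    if cfg.update_cookie == 0:
        return True
    return now - last_update >= cfg.update_cookie

def rebuild_credential(cookie, cfg, cdas_attrs):
    """Merge cookie attributes into the attributes the authentication CDAS
    set on the new credential. The first matching [failover-restore-attributes]
    rule wins: 'preserve' takes the cookie value even over a CDAS value,
    'refresh' takes the cookie value only when the CDAS set none, and
    unlisted names are never read from the cookie."""
    cred = dict(cdas_attrs)
    for name, value in cookie.attrs.items():
        for pattern, action in cfg.restore_rules:
            if fnmatchcase(name, pattern):
                if action == "preserve" or name not in cred:
                    cred[name] = value
                break
    return cred
```

The lifetime check comes first because it is the only one that does not depend on optional data: a cookie that passes it but carries no timestamps is accepted or rejected purely by the two require-* switches, which is the backward-compatibility trade-off the text describes.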

Configuring IV header authentication

Tivoli Access Manager supports authentication using header information supplied by trusted clients or proxy agents. For historical reasons these headers are called IV (IntraVerse) headers. When the Web server that the plug-in protects accepts requests from trusted applications (such as WebSEAL or a multiplexing proxy agent), IV headers may be inserted into the requests that reach the plug-in server.

IV headers carry information that identifies the client, not information about the server. The header information is used to rebuild the client's credential for authorization. Likewise, when the plug-in protected Web server forwards requests to another Tivoli Access Manager server that accepts IV headers, the plug-in proxy can insert IV headers that identify the client.

The plug-in can be configured to use IV headers for post-authorization processing or for authenticating requests. When configured for post-authorization processing, the plug-in, after successful authentication, inserts the client's encoded credential into the transaction as IV headers. The trusted Web server can then forward these headers to another server.

When configured to use IV headers for authenticating clients, the plug-in builds the client credential from the data it reads from the IV headers found in the request. Because clients can easily forge IV headers, the credential is built only when the request is received through a trusted multiplexing proxy agent (MPA). See "Supporting multiplexing proxy agents (MPA)" on page 93.

For authentication, the IV header module can be configured to use one, several or all of the iv-user, iv-user-l, iv-creds and iv-remote-address headers contained in requests received through the proxy as the basis for authentication. The iv-remote-address header records the user's real remote address.

When configured for post-authorization processing, the IV header module inserts one, several or all of the iv-user, iv-user-l, iv-creds, iv-groups and iv-remote-address HTTP headers into the request.

Table 14. IV header fields

IV header field      Description

iv-user              The short name of the Access Manager user. If the client is unauthenticated (anonymous), the value defaults to unauthenticated.

iv-user-l            The full (long form) name of the user; for example, the LDAP distinguished name.

iv-groups            The list of groups to which the user belongs.

iv-creds             An encoded opaque data structure that represents the user's Tivoli Access Manager credential.

iv-remote-address    The IP address of the client. This value may be the IP address of a proxy server or of a network address translation (NAT) device.

Note: Access Manager honors only headers received from trusted hosts. A host is considered trusted when it has been identified as a multiplexing proxy agent (MPA). For details about configuring the plug-in to support MPAs, see "Supporting multiplexing proxy agents (MPA)" on page 93.

Enabling authentication using IV headers

The [common-modules] stanza of the pdwebpi.conf configuration file defines the use of all authentication methods. To enable authentication using IV headers, specify the value iv-headers for the authentication parameter:

[common-modules]
authentication = iv-headers

To enable IV headers for post-authorization processing, specify the value iv-headers for the post-authzn parameter in the [common-modules] stanza of pdwebpi.conf:

[common-modules]
post-authzn = iv-headers

The [modules] stanza of pdwebpi.conf defines all the available authentication modules and the names of the shared libraries they require. Make sure the IV header authentication entry is present:

[modules]
iv-headers = pdwpi-iv-headers-module

Configuring IV header parameters

IV header authentication parameters are configured in the [iv-headers] stanza of the pdwebpi.conf configuration file.

The accept parameter specifies which IV header types are accepted for IV header authentication. By default, the plug-in accepts all IV header types. The valid options are all, iv-creds, iv-user, iv-user-l and iv-remote-address. To enter several header types, separate them with commas.

For example:

[iv-headers]
accept = iv-creds,iv-user

The generate parameter specifies which IV header types are generated when a request is proxied. By default, the plug-in generates all IV header types when proxying a request. The valid options are all, iv-creds, iv-user, iv-user-l and iv-remote-address. To enter several header types, separate them with commas.

Specifying UTF-8 encoding on IV headers

Edit the plug-in configuration file. Specify whether the plug-in should use UTF-8 encoding for IV headers:

[iv-headers]
use-utf8 = true

The default value is true.

For more information about the plug-in's UTF-8 support, see "Language support and character sets" on page 32.

Configuring the iv-remote-address IV header authentication mechanism

When iv-remote-address is used in IV headers, you must specify the shared library that maps the HTTP authentication header information. The http-request authentication mechanism specifies the shared library that performs this mapping.

• On UNIX, the file that provides the mapping function is a shared library called libhttpauth.

• On Windows, the file that provides the mapping function is a DLL called httpauthn.dll.

Configure the HTTP header authentication mechanism by entering the http-request parameter and the platform-specific library file name in the [authentication-mechanisms] stanza of the pdwebpi.conf configuration file, for example:

Solaris:

[authentication-mechanisms]
http-request = libhttpauth.so

Windows:

[authentication-mechanisms]
http-request = httpauthn.dll

Configuring HTTP header authentication

Tivoli Access Manager supports authentication using custom HTTP header information supplied by a client or a proxy agent.

This mechanism requires a mapping function (a shared library) that maps trusted (pre-authenticated) header data to a Tivoli Access Manager identity. The plug-in accepts this identity and builds a credential for the user.

The plug-in assumes that the custom HTTP header data has already been authenticated by the proxy agent. For that reason, the mechanism is invoked only when the plug-in is placed behind an authenticating Web proxy and the mpa-enabled parameter in the [pdweb-plugins] stanza is set to true.

By default, the shared library is hard-coded to map data from Entrust proxy headers.

Enabling authentication using HTTP headers

The [common-modules] stanza of the pdwebpi.conf configuration file defines the use of all authentication methods. To enable authentication using HTTP headers, specify the value http-hdr for the authentication parameter, as follows:

[common-modules]
authentication = http-hdr

The [modules] stanza of pdwebpi.conf defines all the available authentication modules and the names of the shared libraries they require. Make sure the HTTP header authentication entry is present:

[modules]
http-hdr = pdwpi-httphdr-module

Specifying header types

All supported HTTP header types must be specified in the [http-hdr] stanza of the pdwebpi.conf configuration file:

[http-hdr]
header = header_type

The standard HTTP header configuration allows a single header to be specified, for example:

[modules]
http-hdr = pdwpi-httphdr-module

To specify several HTTP headers, configure several instances of the HTTP header module.

For example:

[modules]
entrust-client-header = pdwpi-httphdr-module
some-other-header = pdwpi-httphdr-module

[entrust-client-header]
header = entrust-client

[some-other-header]
header = some-other

Configuring the HTTP header authentication mechanism

The http-request parameter specifies the shared library that maps HTTP header information.

• On UNIX, the file that provides the mapping function is a shared library called libpdwpi-http-cdas.

• On Windows, the file that provides the mapping function is a DLL called pdwpi-http-cdas.

By default, this shared library is hard-coded to map Entrust proxy header data to a valid Tivoli Access Manager identity. You must customize this file to authenticate other types of special header data and, optionally, to map that data to a Tivoli Access Manager identity. For information about the API, see the IBM Tivoli Access Manager for e-business Web Security Developer Reference.

Configure the HTTP header authentication mechanism by entering the http-request parameter and the platform-specific library file name in the [authentication-mechanisms] stanza of the pdwebpi.conf configuration file.

For example:

Solaris:

[authentication-mechanisms]
http-request = libpdwpi-http-cdas.so

Windows:

[authentication-mechanisms]
http-request = pdwpi-http-cdas.dll

Configuring IP address authentication

The IP address of an incoming request can be used to maintain session state and to authenticate client requests, using the value in the client address header. Where the plug-in is not configured to authenticate client requests by IP address, configuring it to maintain session state by IP address is invalid. Conversely, when the plug-in does not use the IP address to maintain user sessions, authenticating users by IP address is valid.

Enabling authentication using IP addresses

The [common-modules] stanza of the pdwebpi.conf configuration file defines the use of all authentication methods. To enable authentication using the IP address of the request originator, specify the value ip-addr for the authentication parameter, as follows:

[common-modules]
authentication = ip-addr

To enable the IP address to maintain user sessions, specify the value ip-addr for the session parameter, as follows:

[common-modules]
session = ip-addr

The [modules] stanza of pdwebpi.conf defines all the available authentication modules and the names of the shared libraries they require. Make sure the IP address authentication entry is present, as follows:

[modules]
ip-addr = pdwpi-ipaddr-module

Configuring the IP address authentication mechanism

The IP address authentication mechanism is the same as the HTTP header mechanism. The http-request parameter specifies the shared library for the IP address authentication mechanism.

• On UNIX, the file that provides the mapping function is a shared library called libpdwpi-http-cdas.

• On Windows, the file that provides the mapping function is a DLL called pdwpi-http-cdas.

Configure the IP address authentication mechanism by entering the http-request parameter and the platform-specific library file name in the [authentication-mechanisms] stanza of the pdwebpi.conf configuration file.

For example:

Solaris:

[authentication-mechanisms]
http-request = libpdwpi-http-cdas.so

Windows:

[authentication-mechanisms]
http-request = pdwpi-http-cdas.dll

Configuring LTPA authentication

The plug-in can authenticate users with LTPA cookies. LTPA cookies can be supplied by Tivoli Access Manager WebSEAL or by IBM WebSphere servers.

Enabling LTPA authentication

The [common-modules] stanza of the pdwebpi.conf configuration file defines the use of LTPA to authenticate requests:

[common-modules]
authentication = ltpa

The [modules] stanza of pdwebpi.conf defines all the available authentication modules and the names of the shared libraries they require. Make sure the entry for LTPA authentication is present, as follows:

[modules]
ltpa = pdwpi-ltpa-module

Setting the key details

A received LTPA cookie is signed and encrypted. The cookie must be decrypted before authentication can take place.

The [ltpa] stanza of the pdwebpi.conf configuration file holds the key details needed for decryption:

[ltpa]
ltpa-keyfile = full path of the key file
ltpa-stash-file = location of the password stash file
ltpa-password = password that protects the key file

Where:

• The ltpa-keyfile entry specifies the name of the key file supplied by the cookie issuer. The key file entry is required.

• The ltpa-stash-file entry specifies the file that holds the password of the key file. This entry is optional; if it is absent, the ltpa-password entry must be present. This entry takes precedence over any ltpa-password entry.

• The ltpa-password entry is required only when the ltpa-stash-file entry is absent. It must contain the password of the specified key file.

Configuring LTPA post-authorization processing

LTPA post-authorization processing is configured as part of the single sign-on solution for WebSphere Application Server. See "Using LTPA cookies for single sign-on to WebSphere Application Server" on page 115 for configuration details.

Configuring user redirection after login

With the login-redirect module, the plug-in can be configured to redirect users to a specified URL after successful authentication. This may be useful when you want to send all users to a landing page rather than to the page they requested, or when users find the default or start page of your application confusing.

Login redirection is independent of the method used to authenticate the user. Step-up authentication and re-authentication do not cause a redirection.

Enabling user redirection

The [common-modules] stanza of the pdwebpi.conf configuration file defines the use of all authentication methods. To redirect users to a specified URI after they first log in and authenticate, specify login-redirect for the pre-authzn parameter, as follows:

[common-modules]
pre-authzn = login-redirect

Note: When the login-redirect parameter is used, it is advisable to place it first in the list of pre-authorization modules, otherwise other authentication modules may prevent the redirection.

The [modules] stanza of pdwebpi.conf defines all the available authentication modules and the names of the shared libraries they require. Make sure the login-redirect entry is present, as follows:

[modules]
login-redirect = pdwpi-loginredirect-module

Configuring user redirection parameters

User redirection parameters are configured in the [login-redirect] stanza of the pdwebpi.conf configuration file:

[login-redirect]
redirect-uri = redirect uri

The redirect-uri parameter specifies the URI to which users are sent after a successful login. The URI can be relative or absolute.

Adding extended attributes to credentials

This section covers the following topics:

• "Mechanisms for adding extended attributes to credentials"

• "Entitlement service configuration" on page 90

Mechanisms for adding extended attributes to credentials

The Tivoli Access Manager Plug-in for Web Servers authentication process accesses the Tivoli Access Manager user registry and builds a credential for the user. The credential holds the user information needed to make access control decisions, such as the user name and the list of groups to which the user belongs.

The plug-in lets administrators and applications develop several different mechanisms (services) that extend the authentication process. When the plug-in performs authentication, it checks whether any of these external services have been implemented and configured. When such services are configured, the plug-in calls them. The services can perform their own processing and build a list of extended attributes about the user credential. These extended attributes are added to the user credential.

The following kinds of service are supported:

• Credential attribute entitlement service

By default, Tivoli Access Manager has this entitlement service built in. The service obtains specified user information from a user registry (such as an LDAP user registry) and inserts the data into the attribute list of the user credential. It is a general-purpose entitlement service that can be used by many resource managers. It replaces the earlier method (which required the administrator to add "tag/value" entries to the [ldap-ext-creds-tag] stanza of the pdwebpi.conf

configuration file). In V5.1, use the built-in entitlement service to obtain LDAP user registry data. For configuration information, see "Entitlement service configuration".

• Custom credential attribute entitlement service

When the built-in credential attribute entitlement service cannot supply all the information your deployment needs, you can write your own credential attribute entitlement service. Tivoli Access Manager supports this as part of the authorization API. For more information, see the IBM Tivoli Access Manager for e-business Authorization C API Developer Reference.

• Credential extended attribute external authentication service (CDAS)

The plug-in provides an external authentication API interface for developing external authentication services. These services are often called CDAS (cross-domain authentication services).

You can use the plug-in external authentication API to develop your own external authentication service. Use it when you need information that can only be obtained during authentication, outside the scope of the authorization process. When an application needs access to information that is available only at authentication time, or needs to map the user identity used for authentication to a Tivoli Access Manager identity, consider using a credential extended attribute CDAS. For more information, see the IBM Tivoli Access Manager for e-business Web Security Developer Reference.

Entitlement service configuration

To configure the entitlement service, complete the instructions in the following sections:

• "Step 1 - Determine the attributes to add to the credential"

• "Step 2 - Define the use of the entitlement service"

• "Step 3 - Specify the attributes to add to the credential"

Step 1 - Determine the attributes to add to the credential

Each user attribute to be added to the user credential must be entered in a Tivoli Access Manager configuration file. Usually this is done in the plug-in configuration file.

Consult the Tivoli Access Manager user registry (for example, the LDAP user registry). Compile a list of the names of the user registry entries that the credential attribute entitlement service should read from the registry and insert into user credentials. You also need the user DN and the group DN.

Step 2 - Define the use of the entitlement service

1. Verify that the credential attribute entitlement service is configured. The plug-in configuration file should contain the following default entry:

[aznapi-entitlement-services]
AZN_ENT_EXT_ATTR = azn_ent_ext_attr

Note that the plug-in automatically takes the value azn_ent_ext_attr and looks up the corresponding shared library; on Solaris, for example, libazn_ent_ext_attr.so.

2. Add an authorization API service definition entry that specifies the use of the entitlement service. Add the entry to the [aznapi-configuration] stanza. The entry must use the parameter cred-attributes-entitlement-services. You can choose a value, for example TAM_CRED_ATTRS_SVC. For example:

[aznapi-configuration]
cred-attributes-entitlement-services = TAM_CRED_ATTRS_SVC

Step 3 - Specify the attributes to add to the credential

The attributes to be added to the credential are configured in their own stanzas. Add this information to the plug-in configuration file.

Note: Alternatively, the attributes can be defined in a separate file so that the entitlement service can be called for them. For more information, see the IBM Tivoli Access Manager for e-business Authorization C API Developer Reference.

Consider the following example entries:

[TAM_CRED_ATTRS_SVC]
eperson = azn_cred_registry_id
group = cn=enterprise, o=tivoli

[TAM_CRED_ATTRS_SVC:eperson]
tagvalue_credattrs_lastname = sn
tagvalue_credattrs_employeetype = employeetype
tagvalue_credattrs_address = homepostaladdress
tagvalue_credattrs_email = email

[TAM_CRED_ATTRS_SVC:group]
tagvalue_credattrs_businesscategory = businesscategory

The stanza name [TAM_CRED_ATTRS_SVC] is the service identifier. The stanza lists the sources of the attributes to be looked up. The source names (such as the user and the group) identify the location of the source in the registry and must be defined. The value of each source is its registry identifier in the user registry. These values can be the names of existing credential attributes; if they are, the service automatically looks up and uses the value of that attribute.

In separate stanzas, configure the registry attributes for each source defined in the service stanza. The naming syntax of these stanzas is the service identifier, followed by a colon (:), followed by the source name. This naming is needed because several services can be configured in the same file.

The configuration file entries map a user registry attribute to a user-defined credential attribute.

For example, in an LDAP user registry the DN of a user could be cn=joeuser, o=tivoli.

For that user, the LDAP registry entry could contain:

sn=Smith
employeetype=bankteller
homepostaladdress="3004 Mission St Santa Cruz CA 95060"
[email protected]
businesscategory=finance

Using the example configuration entries shown above, the returned attribute list would contain the following entries:

Attribute name                  Attribute value

credattrs_lastname              Smith
credattrs_employeetype          bankteller
credattrs_address               3004 Mission St Santa Cruz CA 95060
credattrs_email                 [email protected]
credattrs_businesscategory      finance

Note that the service, the sources and the attributes can all be multi-valued. When the specified attribute name is the same as a configuration file keyword, the looked-up attribute is added as a multi-valued attribute (even if the attributes come from different sources).

For example, several entitlement services can be chained together so that the output of one service is the input of another. Likewise, attributes can be looked up from several DNs in the user registry. So, if you want a list of all the businesscategory entries of the users in a group, the example above lets you add the values looked up for several users (DNs) to a single credattrs_businesscategory attribute.

For example, to create a custom attribute called myemployeeinfo and add it to the credential, where the attribute is to contain the last name and employee type of each authenticated person, define the following entries:

[myID]
source = azn_cred_authzn_id

[myID:source]
myemployeeinfo = lastname
myemployeeinfo = employeetype

Adding LDAP extended attributes to HTTP headers (tag value)

It is often useful to attach information specific to the LDAP user (for example, a telephone number or an e-mail address) to the headers of an authenticated HTTP request. This lets several applications access the additional information without having to query the LDAP server. The strength of this information is that it is relatively static and is unlikely to be updated by any of the applications that use it. The data is inserted into the user credential as part of the ivauthn authentication process. The information can also be added to the user credential by a user-implemented CDAS authentication module.

The sequence of events is as follows:

• Custom data from any field of the user's LDAP registry entry is added to the user's Tivoli Access Manager credential as extended attribute data.

• When configured for tag value post-authorization processing, the plug-in reads the LDAP extended attribute data and inserts it into the HTTP headers of the request.

• Subsequent applications can read the data from the headers without extra code or use of the authorization API.

Configuring the plug-in to insert LDAP extended attribute information into HTTP headers involves the following steps:

1. Configure tag value post-authorization processing in the Web plug-in. For information about performing this step, see "Enabling tag value processing" on page 93.

2. Add the extended attribute to the /PDWebPI/host object in Access Manager. For example (enter on one line):

pdadmin> object modify /PDWebPI/host set attribute HTTP-Tag-Value ldap-home-phone=homePhone

You can also create a new Tivoli Access Manager extended credential CDAS and specify it as one of the authentication mechanisms in the plug-in. For example:

1. Set the cred-ext-attrs parameter in the [authentication-mechanisms] stanza to the new CDAS. For example (enter on one line):

[authentication-mechanisms]
cred-ext-attrs = /opt/PolicyDirector/lib/libextcredtags.so& /opt/pdwebpi/etc/pdwebpi.conf

(The default configuration file is pd.conf.)

2. Edit pdwebpi.conf and add the new stanza [ldap-ext-attr-cdas-tags] with the required LDAP extended attributes. For example:

[ldap-ext-attr-cdas-tags]
ldap-home-phone = homePhone

3. Restart the plug-in.

4. Add the extended attribute to the /PDWebPI/host object in Tivoli Access Manager. For example (enter on one line):

pdadmin> object modify /PDWebPI/host set attribute HTTP-Tag-Value ldap-home-phone=homePhone

Enabling tag value processing

The [common-modules] stanza of the pdwebpi.conf configuration file defines the use of all authentication methods. To enable tag value processing, specify the value tag-value for the post-authzn parameter:

[common-modules]
post-authzn = tag-value

The [modules] stanza of pdwebpi.conf defines all the available authentication modules and the names of the shared libraries they require. Make sure the tag value entry is present, as follows:

[modules]
tag-value = pdwpi-tag-value-module

Configuring tag value parameters

Tag value parameters are configured in the [tag-value] stanza of the pdwebpi.conf configuration file:

[tag-value]
cache-definitions = yes
cache-refresh-interval = 60

The cache-definitions parameter enables or disables the cache of tag value definitions attached to objects in the object space.

The cache-refresh-interval parameter defines the refresh interval (in seconds) of the cached definitions.

If required, a prefix can be configured that is prepended to the names of the credential attributes used for tag value HTTP headers. This prefix:

• is used by the tag-value module as the search string when it looks up credential attributes;

• is not added to the session identifier credential attributes;

• is not added to the credential attribute the module uses to store the administrator user name.

Specify the prefix with the tag-value-prefix parameter in the [pdweb-plugins] stanza of the plug-in configuration file. The parameter can be overridden for a particular virtual host by specifying it in the [virtual_host] stanza for that virtual host. The default is no prefix.

Supporting multiplexing proxy agents (MPA)

Tivoli Access Manager provides solutions for securing networks that use a multiplexing proxy agent (MPA). A multiplexing proxy agent (MPA) is a gateway that accommodates access by multiple clients. The gateway establishes a single authenticated channel to the secure Web server and "tunnels" all client requests and responses through that channel. To the plug-in, the information that arrives through the channel looks like multiple requests from a single client. The plug-in must distinguish the authentication of the MPA server from the additional authentication of each individual client. A typical example of such a gateway is a Wireless Access Protocol (WAP) gateway. When Tivoli Access Manager WebSEAL is configured, through a junction to the hosting Web server, to allow single sign-on between WebSEAL and the plug-in, WebSEAL is also an MPA. To configure such a solution, the iv-header authentication module can be used. For more details about configuring SSO, see Chapter 5, "Web single sign-on solutions" on page 113.

Valid session data types and authentication methods

Because the Tivoli Access Manager Plug-in for Web Servers maintains an authenticated session for the MPA, it must at the same time maintain separate sessions for each client. Consequently, the session data and authentication method used for the MPA must differ from the session data and authentication method used by the clients. The following table lists the valid session types for MPAs and clients:

Table 15. Valid session data types for MPAs

Valid session type    MPA to plug-in    Client to plug-in

SSL session ID        yes               no
HTTP header           yes               yes
BA header             yes               yes
IP address            yes               no
Cookie                yes               yes

• Clients cannot use the SSL session ID as their session data type.

• For example, if the MPA uses a BA header as its session data type, the client's options for session data type are limited to an HTTP header or a cookie.

• If the MPA uses an HTTP header as its session data, the client can use a different HTTP header type.

• Server-specific cookies contain session information only; they contain no identity information.

• When MPA support is enabled, the use of the SSL session ID to maintain session state is restricted. Normally, because the SSL session ID is configured to maintain session state, only the SSL session ID is used to maintain the sessions of HTTPS clients. To let the MPA maintain its session with the SSL session ID while clients maintain their sessions by another method, this restriction is removed.

The authentication method used for MPA-to-plug-in authentication must differ from the method used for client-to-plug-in authentication. The following table lists the valid authentication methods for MPAs and clients:

Table 16. Valid authentication types for MPAs

Valid authentication type    MPA to plug-in    Client to plug-in

Basic authentication         yes               yes
Forms                        yes               yes
Token                        yes               yes
HTTP header                  yes               yes
Certificate                  yes               no
IP address                   yes               no

• For example, if the MPA uses basic authentication, the client's options for authentication method are limited to forms, token and HTTP header.

• The certificate and IP address authentication methods are invalid for clients.

• Normally, when forms (or token) authentication is enabled for a particular transport, basic authentication is automatically disabled for that transport. When MPA support is enabled, this restriction is removed. For example, it allows the MPA to log in with forms (or token) authentication and a client to log in with basic authentication over the same transport.

Authentication process flow for an MPA and multiple clients

For an MPA and multiple clients, authentication proceeds as follows.

1. The following configuration changes are made:

• Support for multiplexing proxy agents is enabled in the configuration file.

• A Tivoli Access Manager account is created for the specific MPA gateway.

• The account is given the proxy ([PDWebPI]p) permission on the MPA protected object of the virtual host to which the proxy forwards requests. In the default configuration, this is done by making the account a member of the pdwebpi-mpa-servers group.

2. Clients connect to the MPA gateway.

3. The gateway translates each request into an HTTP request.

4. The gateway authenticates the client.

5. The gateway establishes a connection with the plug-in using the client's request.

6. The MPA authenticates to the plug-in (using a method different from the one used by the client) and an identity is derived for the MPA (which has a plug-in account).

7. The plug-in verifies that the MPA is a member of the pdwebpi-mpa-servers group.

8. A credential is built for the MPA and flagged in the session cache as a special MPA type.

Although this MPA credential accompanies every subsequent client request, it is not used for the authorization checks on those requests.

9. The plug-in now needs further identification from the owner of the request.

The MPA can distinguish between multiple clients, so the login prompt reaches the right client.

10. The client logs in and authenticates with a method different from the one the MPA used.

11. The plug-in builds a credential from the client's authentication data.

12. The session data type used by each client must differ from the session data type used by the MPA.

13. The authorization service permits or denies access to protected objects on the basis of the user credential and the ACL permissions on the object.

Enabling MPA authentication

The mpa-enabled parameter in the [pdweb-plugins] stanza of the pdwebpi.conf configuration file enables or disables MPA authentication. The valid settings are true and false, which enable and disable MPA authentication respectively. By default, MPA authentication is disabled. MPA authentication can be set for a single virtual host by specifying the mpa-enabled parameter in the [virtual_host] stanza of the configuration file.

Before a new session identifier is accepted as the MPA's session, the authorization service checks that the proxy ([PDWebPI]p) permission has been granted on the object that the MPA protects. By default, the MPA protected object is /PDWebPI.

To override this default (for example, to define a different MPA for each virtual host), a value can be given for the mpa-protected-object configuration parameter. The parameter can be set for each virtual host by entering it in the [virtual_host] stanza of the configuration file. For example, to enable MPA access for the virtual host ibm.com but not for the virtual host lotus.com, use the following settings in pdwebpi.conf:

[pdweb-plugins]
virtual-host = ibm.com
virtual-host = lotus.com

[ibm.com]
mpa-enabled = yes

To define the members of the ibm-mpa-servers group as the MPAs for requests to the ibm.com virtual host, and the members of the lotus-mpa-servers group as the MPAs for requests to the lotus.com virtual host, use the following configuration:

[pdweb-plugins]
virtual-host = ibm.com
virtual-host = lotus.com

[ibm.com]
mpa-enabled = yes
mpa-protected-object = /PDWebPI/ibm.com

[lotus.com]
mpa-enabled = yes
mpa-protected-object = /PDWebPI/lotus.com

and define the following Tivoli Access Manager policy:

pdadmin> acl create ibm-mpa
pdadmin> acl modify ibm-mpa set group ibm-mpa-servers T[PDWebPI]p
pdadmin> acl create lotus-mpa
pdadmin> acl modify lotus-mpa set group lotus-mpa-servers T[PDWebPI]p
pdadmin> acl attach /PDWebPI/ibm.com ibm-mpa
pdadmin> acl attach /PDWebPI/lotus.com lotus-mpa

The mpa-protected-object configuration parameter specifies the object on which the authorization check is performed.

Creating a user account for the MPA

For information about creating user accounts, see the IBM Tivoli Access Manager Base Administration Guide and the IBM Tivoli Access Manager Web Portal Manager Administration Guide.

Adding the MPA account to the pdwebpi-mpa-servers group

Tivoli Access Manager Plug-in for Web Servers creates a group for convenient management of MPA servers. This group is called pdwebpi-mpa-servers. The default-pdwebpi ACL attached to /PDWebPI grants the proxy ([PDWebPI]p) permission to members of the pdwebpi-mpa-servers group. When the plug-in is installed into a Tivoli Access Manager secure domain in which a WebSEAL was previously configured, the default-pdwebpi ACL must be configured so that it also grants the proxy permission to members of the webseal-servers and webseal-mpa-servers groups. You can choose your own groups and ACLs to control which servers are identified as multiplexing proxy agents. For information about managing groups, see the IBM Tivoli Access Manager Base Administration Guide and the IBM Tivoli Access Manager Web Portal Manager Administration Guide.

Chapter 4. IBM Tivoli Access Manager Plug-in for Web Servers security policy

This chapter describes how the security policy of IBM Tivoli Access Manager (Tivoli Access Manager) Plug-in for Web Servers can be configured and customized.

The chapter covers the following topics:

• "Plug-in-specific access control list (ACL) policy"

• "Three strikes login policy" on page 100

• "Password strength policy" on page 101

• "Authentication strength protected object policy (step-up)" on page 103

• "Reauthentication" on page 106

• "Reauthentication protected object policy" on page 106

• "Network-based authentication protected object policy" on page 108

• "Quality of protection protected object policy" on page 109

• "Handling unauthenticated users (HTTP/HTTPS)" on page 110

Plug-in-specific access control list (ACL) policy

The following security considerations apply to the /PDWebPI container in the protected object space:

• The Access Manager Plug-in for Web Servers object is the root of the plug-in region of the object space, from which ACLs are inherited.

• If no other explicit ACL is applied, this object (through inheritance) defines the security policy for the entire Web space.

• The traverse permission is required to access this object and any object below it.

For complete information about Tivoli Access Manager ACL policy, see the IBM Tivoli Access Manager Base Administration Guide.

Note: When a user requests a URL that contains only a directory path and no document, Microsoft IIS Web servers provide the capability of specifying a default Web page for that directory.

The ACL check performed by the Plug-in for Web Servers applies only to the directory specified in the request URL, not to the default Web page that the IIS server serves in response to the request.

Take this limitation of the ACL check into account when implementing security policy on an IIS platform.

Similarly, because of the architecture of Web server plug-ins, other modules installed on the Web server may override the security provided by the plug-in. Making sure that no modules that override the plug-in's security are installed on the Web server is the responsibility of the Web server administrator.

For example, the "MultiViews" feature of the Apache and IHS Web servers attempts to determine the extension of a requested URL automatically. For instance, when a request is made for www.tivoli.com/index, the Web server transparently maps it to www.tivoli.com/index.html (if such a file exists).

© Copyright IBM Corp. 2000, 2003 97

Unfortunately, this mapping takes place after authorization, which means that the plug-in performs the authorization check on index and not on index.html.

In such cases it is advisable to disable the "MultiViews" option, or to set the security policy so that it accounts for the mapping. For example, the ACL can be attached to /PDWebPI/www.tivoli.com, or, if finer granularity is needed, the same ACL can be attached to both /PDWebPI/www.tivoli.com/index and /PDWebPI/www.tivoli.com/index.html.

/PDWebPI/host or virtual_host

The /PDWebPI/host or virtual_host object contains the object space of a particular plug-in instance. The following security considerations apply to this object:

• The traverse permission is required to access any object below this object.

• If no other explicit ACL is applied, this object (through inheritance) defines the security policy for the entire object space of that host.

Plug-in ACL permissions

The following table describes the Tivoli Access Manager Plug-in for Web Servers ACL permissions that apply to the plug-in region of the object space:

Table 17. Plug-in ACL permissions

Permission    Operation    Description

[PDWebPI]r    read         View the Web object in the directory. Any HTTP GET or POST request requires this permission. No specific "list" permission is used when a directory listing is requested (a GET for a URL that ends in /).

[PDWebPI]d    delete       Remove a Web object from the Web space. The HTTP DELETE command requires this permission.

[PDWebPI]m    modify       Create or publish an HTTP object in the plug-in object space. An HTTP PUT request requires this permission.

[PDWebPI]p    proxy        Determines whether a user can act as a multiplexing proxy agent. For details, see "Adding the MPA account to the pdwebpi-mpa-servers group" on page 96.

T             traverse     Required to access any object below this object.

The plug-in also supports WebDAV operations, as shown below.

Table 18. Plug-in WebDAV permissions

Task          Required permission

PROPFIND      [PDWebPI]R
PROPPATCH     [PDWebPI]M
MKCOL         [PDWebPI]N

WebDAV operations are authorized on the basis of the request URI (not on each individual member of a collection). The following WebDAV operations are also partly supported:

• COPY - The source must have [PDWebPI]R so that it can be read and copied elsewhere. The permissions of the destination are not checked.

• MOVE - This can be regarded as a copy followed by a delete. The collection being moved requires [PDWebPI]Rd. The permissions of the destination are not checked.

Default /PDWebPI ACL policy

The core entries of the Tivoli Access Manager Plug-in for Web Servers ACL, default-pdwebpi, are:

Group iv-admin                   TcmdbsvaBR[PDWebPI]rR
User sec_master                  cmdbsvaBR[PDWebPI]rR
Any-other                        T[PDWebPI]rR
Unauthenticated                  T
Group pdwebpi-mpa-servers        TBR[PDWebPI]p
Group webseal-servers            TBR[PDWebPI]p
Group webseal-mpa-servers        TBR[PDWebPI]p
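The following is an added example, not IBM code, of how the permission strings above are evaluated against HTTP and WebDAV methods. It applies the method-to-permission mapping of Table 17 and Table 18 (including the source-only checks for COPY and MOVE) and the traverse requirement, and lists which methods a given entry allows. The parser of the permission string format is the example's own; the entries it is tested against are those of the default-pdwebpi ACL listed above.

```python
"""Evaluate Plug-in for Web Servers ACL permission strings against methods.

Added example, not IBM code. It encodes the mapping of Table 17 and
Table 18 ([PDWebPI]r for GET/POST, d for DELETE, m for PUT, R/M/N for
PROPFIND/PROPPATCH/MKCOL, R for the COPY source and Rd for the MOVE
source), requires T (traverse) in the primary group, and checks strings in
the form used by the default-pdwebpi ACL, e.g. "TBR[PDWebPI]p".
The string parser is the example's own; the ACL entries below are copied
from the default ACL listed above.
"""
import re

# method -> (action group, letters required in that group)
REQUIRED = {
    "GET": ("PDWebPI", "r"), "POST": ("PDWebPI", "r"),
    "PUT": ("PDWebPI", "m"), "DELETE": ("PDWebPI", "d"),
    "PROPFIND": ("PDWebPI", "R"), "PROPPATCH": ("PDWebPI", "M"),
    "MKCOL": ("PDWebPI", "N"),
    "COPY": ("PDWebPI", "R"),   # checked on the source only
    "MOVE": ("PDWebPI", "Rd"),  # copy then delete, source only
}

def parse_permissions(perm):
    """'TcmdbsvaBR[PDWebPI]rR' -> {'': 'TcmdbsvaBR', 'PDWebPI': 'rR'};
    the key '' holds the primary action group."""
    groups = {}
    primary, *rest = re.split(r"(?=\[)", perm)
    groups[""] = primary
    for chunk in rest:
        m = re.fullmatch(r"\[([^\]]+)\](.*)", chunk)
        if not m:
            raise ValueError("bad permission string: " + perm)
        groups[m.group(1)] = groups.get(m.group(1), "") + m.group(2)
    return groups

def is_allowed(perm, method):
    """True if the entry grants `method` on an object in the plug-in
    region: T (traverse) in the primary group plus the letters of
    REQUIRED in the [PDWebPI] group."""
    groups = parse_permissions(perm)
    if "T" not in groups[""]:
        return False
    group, letters = REQUIRED[method.upper()]
    have = groups.get(group, "")
    return all(ch in have for ch in letters)

def allowed_methods(perm):
    """Sorted list of the methods in REQUIRED that `perm` allows."""
    return sorted(m for m in REQUIRED if is_allowed(perm, m))

DEFAULT_PDWEBPI_ACL = {
    "group:iv-admin": "TcmdbsvaBR[PDWebPI]rR",
    "user:sec_master": "cmdbsvaBR[PDWebPI]rR",
    "any-other": "T[PDWebPI]rR",
    "unauthenticated": "T",
    "group:pdwebpi-mpa-servers": "TBR[PDWebPI]p",
    "group:webseal-servers": "TBR[PDWebPI]p",
    "group:webseal-mpa-servers": "TBR[PDWebPI]p",
}

def acl_report(acl=DEFAULT_PDWEBPI_ACL):
    """{entry: [allowed methods]} for a whole ACL, useful when reviewing
    what Any-other and Unauthenticated really get on /PDWebPI."""
    return {entry: allowed_methods(perm) for entry, perm in acl.items()}
```

Running acl_report() on the default ACL makes the review point visible: Any-other can GET, POST, PROPFIND and COPY anything under /PDWebPI unless a more specific ACL is attached, while the MPA groups hold only the proxy permission and no read.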

At installation, this default ACL is attached to the /PDWebPI container object of the object space.

The traverse permission allows applications such as Web Portal Manager to expand the Web space. The list permission allows Web Portal Manager to display the contents of the Web space.

Three strikes login policy

The three strikes login policy is available for Tivoli Access Manager installations that use an LDAP registry. By specifying a maximum number of failed login attempts and a penalty lockout time, you can prevent computer password attacks. The policy creates a condition in which a user must wait for a period of time before making further login attempts that fail. For example, the policy could dictate three failed attempts followed by a penalty of 180 seconds. This kind of login policy can prevent the login attempts that are generated randomly by a computer many times each second.

The three strikes login policy requires the joint contribution of two pdadmin policy command settings:

• The maximum number of failed login attempts

policy set max-login-failures

• The penalty for exceeding the maximum number of failed login attempts

policy set disable-time-interval

The penalty setting can be an account lockout time interval or a complete disabling of the account.

When the login policy is set (for example) to three strikes followed by a lockout time penalty, the fourth attempt (whether or not the password is correct) results in an error page, because at that point the reason (an account or password policy) is not available.

The time interval is specified in seconds; the recommended minimum interval is 60 seconds.

If the disable-time-interval policy is set to disable, the user is locked out of the account and the user's LDAP account valid attribute is set to no. The administrator must re-enable the account through Web Portal Manager.

Note: Setting disable-time-interval to disable leads to additional administrative overhead. Copying the account valid information to the plug-in can be subject to delay; this situation occurs only in LDAP environments. In addition, some LDAP implementations may suffer degraded performance as a result of the account valid update operation. For these reasons, using a time interval is recommended.


The following pdadmin commands apply only to LDAP registries.

Table 19. pdadmin LDAP login policy commands

Command                                                              Description

policy set max-login-failures {number|unset} [-user username]
policy get max-login-failures [-user username]
    Manages the policy that controls the maximum number of failed login attempts allowed before a penalty is imposed. This command depends on the penalty set with the policy set disable-time-interval command. As an administrator, you can apply this policy to a specific user or globally to all users listed in the LDAP registry. The default setting is 10 attempts.

policy set disable-time-interval {number|unset|disable} [-user username]
policy get disable-time-interval [-user username]
    Manages the penalty policy that controls how long an account is disabled once the maximum number of failed login attempts is reached. As an administrator, you can apply this penalty policy to a specific user or globally to all users listed in the LDAP registry. The default setting is 180 seconds.
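The interaction of the two settings above (per-user override, time interval versus permanent disable, administrator re-enable) is easy to get wrong, so the following is an added worked example written for this page; it is not Tivoli Access Manager code. It models a login handler that enforces max-login-failures and disable-time-interval with the documented defaults, honours a per-user setting over the global one, and treats "disable" as an LDAP account valid = no lockout that only an administrator clears. The registry and user names are constructed sample data.

```python
"""Three-strikes login policy evaluator (illustrative example, not product code)."""
import time

# Constructed sample registry: user -> password (plaintext only for brevity).
REGISTRY = {"matt": "s3cret!", "jane": "abc12345"}


class LoginPolicy:
    def __init__(self, max_login_failures=10, disable_time_interval=180):
        # Global policy values; the defaults match the pdadmin defaults.
        self.global_policy = {
            "max-login-failures": max_login_failures,
            "disable-time-interval": disable_time_interval,
        }
        self.user_policy = {}    # user -> {setting: value}; "unset" removes it
        self.failures = {}       # user -> consecutive failure count
        self.locked_until = {}   # user -> epoch seconds when the penalty ends
        self.account_valid = {u: True for u in REGISTRY}  # LDAP 'account valid'

    def policy_set(self, setting, value, user=None):
        """Mirror 'policy set <setting> <value> [-user username]'."""
        if user is None:
            self.global_policy[setting] = value
        elif value == "unset":
            self.user_policy.get(user, {}).pop(setting, None)
        else:
            self.user_policy.setdefault(user, {})[setting] = value

    def effective(self, setting, user):
        """A user-specific value overrides the global one."""
        return self.user_policy.get(user, {}).get(setting, self.global_policy[setting])

    def login(self, user, password, now=None):
        now = time.time() if now is None else now
        if user not in REGISTRY:
            return "denied"
        if not self.account_valid[user]:
            return "account disabled"        # needs administrator action
        until = self.locked_until.get(user)
        if until is not None and now < until:
            return "locked"                  # penalty interval still running
        if password == REGISTRY[user]:
            self.failures[user] = 0
            self.locked_until.pop(user, None)
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        max_fail = self.effective("max-login-failures", user)
        if max_fail != "unset" and self.failures[user] >= max_fail:
            self.failures[user] = 0
            interval = self.effective("disable-time-interval", user)
            if interval == "disable":
                self.account_valid[user] = False   # LDAP account valid = no
                return "account disabled"
            if interval != "unset":
                self.locked_until[user] = now + int(interval)
                return "locked"
        return "denied"

    def admin_enable(self, user):
        """Administrator re-enables the account (Web Portal Manager)."""
        self.account_valid[user] = True
        self.failures[user] = 0
        self.locked_until.pop(user, None)
```

A correct password presented during the lockout interval is still refused, which is the behaviour the text describes: the nth failure triggers the penalty regardless of what follows until the interval elapses.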

Password strength policy

Tivoli Access Manager installations based on LDAP provide two ways to control password strength:

• five pdadmin password policy commands

• a pluggable authentication module (PAM) that allows a customized password policy

See the Tivoli Access Manager Authorization C API Developer's Reference.

Password strength policy set by the pdadmin utility

The five password strength attributes implemented through the pdadmin utility are:

• minimum password length

• minimum number of alphabetic characters

• minimum number of non-alphabetic characters

• maximum number of repeated characters

• whether spaces are allowed

These policies are enforced when users are created with pdadmin or Web Portal Manager, and when passwords are changed with pdadmin, Web Portal Manager or the pkmspasswd utility.

The following pdadmin commands apply only to LDAP registries. The unset option disables the policy attribute: that policy is not enforced.

Table 20. pdadmin LDAP password strength commands

Command                                                                   Description

policy set min-password-length {number|unset} [-user username]
policy get min-password-length [-user username]
    Manages the policy that controls the minimum password length. As an administrator, you can apply this policy to a specific user or globally to all users listed in the default registry. The default setting is 8.

policy set min-password-alphas {number|unset} [-user username]
policy get min-password-alphas [-user username]
    Manages the policy that controls the minimum number of alphabetic characters a password must contain. As an administrator, you can apply this policy to a specific user or globally to all users listed in the default registry. The default setting is 4.

policy set min-password-non-alphas {number|unset} [-user username]
policy get min-password-non-alphas [-user username]
    Manages the policy that controls the minimum number of non-alphabetic (numeric or special) characters a password must contain. As an administrator, you can apply this policy to a specific user or globally to all users listed in the default registry. The default setting is 1.

policy set max-password-repeated-chars {number|unset} [-user username]
policy get max-password-repeated-chars [-user username]
    Manages the policy that controls the maximum number of repeated characters allowed in a password. As an administrator, you can apply this policy to a specific user or globally to all users listed in the default registry. The default setting is 2.

policy set password-spaces {yes|no|unset} [-user username]
policy get password-spaces [-user username]
    Manages the policy that controls whether a password may contain spaces. As an administrator, you can apply this policy to a specific user or globally to all users listed in the default registry. The default setting is unset.

The following table shows some password examples and the result of applying the default values of the five pdadmin parameters:

Table 21. Password examples

Example       Result

password      Not valid: must contain at least one non-alphabetic character.

pass          Not valid: must contain at least 8 characters.

passs1234     Not valid: contains more than two repeated characters.

12345678      Not valid: must contain at least four alphabetic characters.

password3     Valid.
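To make the five rules concrete, here is an added worked example written for this page (not Tivoli Access Manager code) that evaluates a candidate password against the pdadmin attributes with their documented defaults and reproduces the verdicts in Table 21. It assumes, as this example's own reading, that max-password-repeated-chars limits consecutive repeats of one character and that a value of "unset" switches a rule off.

```python
"""Password strength checker modelled on the pdadmin policy attributes (illustrative)."""
import itertools

# Defaults as documented in Table 20.
DEFAULT_POLICY = {
    "min-password-length": 8,
    "min-password-alphas": 4,
    "min-password-non-alphas": 1,
    "max-password-repeated-chars": 2,   # assumed: longest run of one character
    "password-spaces": "unset",
}


def check_password(password, policy=None):
    """Return the list of violated rules; an empty list means the password is valid."""
    p = dict(DEFAULT_POLICY, **(policy or {}))
    failures = []

    n = p["min-password-length"]
    if n != "unset" and len(password) < n:
        failures.append(f"must contain at least {n} characters")

    n = p["min-password-alphas"]
    if n != "unset" and sum(c.isalpha() for c in password) < n:
        failures.append(f"must contain at least {n} alphabetic character(s)")

    n = p["min-password-non-alphas"]
    if n != "unset" and sum(not c.isalpha() for c in password) < n:
        failures.append(f"must contain at least {n} non-alphabetic character(s)")

    n = p["max-password-repeated-chars"]
    if n != "unset":
        # Longest run of the same character, e.g. 'passs1234' -> 3 ('sss').
        longest_run = max((len(list(g)) for _, g in itertools.groupby(password)), default=0)
        if longest_run > n:
            failures.append(f"contains more than {n} repeated characters")

    if p["password-spaces"] == "no" and " " in password:
        failures.append("must not contain spaces")

    return failures


def is_valid(password, policy=None):
    return not check_password(password, policy)
```

Passing a policy dictionary with a per-user override (for example min-password-length 4 for one user, as in the pdadmin example below) shows how a relaxed setting for one account changes the verdict while the global defaults still apply to everyone else.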

Specific user and global settings

The pdadmin policy commands can be set for a specific user (with the -user option) or globally (without the -user option). Any user-specific setting overrides the global setting for that policy. A policy parameter can also be disabled (unset), which means it holds no value; a policy with the unset option is neither checked nor enforced.

For example:

pdadmin> policy set min-password-length 8
pdadmin> policy set min-password-length 4 -user matt
pdadmin> policy get min-password-length
Minimum password length: 8
pdadmin> policy get min-password-length -user matt
Minimum password length: 4

The minimum password length policy for user matt is 4 characters; for all other users it is 8 characters.

pdadmin> policy set min-password-length unset -user matt

User matt is now governed by the global minimum password length policy of 8 characters.

pdadmin> policy set min-password-length unset

All users (including user matt) now have no minimum password length policy.

Authentication strength protected object policy (step-up)

The authentication strength protected object policy (POP) makes it possible to control access to an object based on the authentication method used to reach it.

You can use this functionality (sometimes known as step-up authentication) to ensure that users who access more sensitive resources use a stronger authentication mechanism. You may want this condition because of the risk that weaker access poses.

For example, you can provide greater security for a region of the web space by applying a step-up POP policy that requires a higher level of authentication than the client used when it first entered the plug-in.

Step-up authentication can also be set for each virtual host on the web server, so that an individual virtual host uses its own step-up authentication levels independently of the server-wide policy.

Authentication strength policy is set in the "IP Endpoint Authentication Method" attribute of a POP policy.

Configuring step-up authentication levels

The first step in configuring authentication-specific access is to configure the supported authentication methods and determine their order; the methods should be ordered from weakest to strongest. For details on configuring authentication mechanisms, see Chapter 3, "IBM Tivoli Access Manager Plug-in for Web Servers authentication and request handling", on page 35.

Any client that accesses the web server through the plug-in has an authentication level, such as "unauthenticated" or "password", that indicates the method by which the client last authenticated to the plug-in.

In some situations it may be necessary to enforce a minimum level of authentication for a particular web space object.

For example, in one environment authentication by token (one-time password) could be considered more secure than authentication by user name and password. Another environment may rank the methods differently.

Rather than forcing a client to restart its session when it has not reached the required authentication level, the step-up mechanism prompts the client to re-authenticate with the required method (level).

Step-up authentication means that a user who tries to access a resource requiring a higher authentication level than the one they logged in with is not refused and shown a "forbidden" message. Instead, the user is presented with a new authentication prompt requesting information that supports the higher level. If they can provide that level of authentication, their original request is allowed.

Authentication levels are configured in the [authentication-levels] or [authentication-levels:virtual_host_label] stanza of the pdwebpi.conf configuration file. For example:

[authentication-levels]
1 = BA
2 = iv-headers
3 = cert

Each method is assigned a level index according to its position in the list.

• The unauthenticated level is 0.

• Subsequent methods can be configured in any order. See "Step-up authentication notes and limitations" on page 105.

• At least two entries are required to enable step-up authentication.

• Authentication mechanism levels can be set for a specific virtual host by using a stanza of the form [authentication-levels:virtual_host_name].

Note: For details on setting up the required authentication mechanisms, see Chapter 3, "IBM Tivoli Access Manager Plug-in for Web Servers authentication and request handling", on page 35.

Enabling step-up authentication

Step-up authentication is implemented through a POP policy placed on objects that require authentication strength. It uses the "IP Endpoint Authentication Method" attribute of the POP.

The pdadmin pop modify set ipauth command specifies both the allowed networks and the required authentication level in the IP Endpoint Authentication Method attribute.

The configured authentication levels can be linked to IP address ranges. This is intended to provide flexibility. If filtering users by IP address is not important, you can set a single entry for anyothernw (any other network). This setting affects all accessing users, regardless of IP address, and requires them to authenticate at the specified level. This is the most common way of implementing step-up authentication.

Syntax:

pdadmin> pop modify pop_name set ipauth anyothernw level_index

The anyothernw entry is a network range that matches every network not explicitly listed in the POP. It is used to create a default entry that either rejects all non-matching IP addresses or lets anyone who meets the authentication level requirement gain access.

By default, anyothernw appears in a POP with an authentication level index of 0. In the output of the pop show command this entry is displayed as "Any Other Network":

pdadmin> pop show test
Protected object policy: test
    Description: Test POP
    Warning: no
    Audit level: none
    Quality of protection: none
    Time of day access: sun, mon, tue, wed, thu, fri, sat:
        anytime:local
    IP Endpoint Authentication Method Policy
        Any Other Network    0

During step-up authentication, verification of the user identity supplied can be enabled by setting the verify-step-up-user parameter in the [module-mgr] stanza to true:

[module-mgr]
verify-step-up-user = true

Enabling verify-step-up-user ensures that the identity entered when the user is prompted to re-authenticate with a higher-level mechanism matches the identity entered previously. If the identities do not match, a "403 Forbidden" message is returned.

Step-up authentication example

1. Configure the authentication levels in pdwebpi.conf:

[authentication-levels] or [authentication-levels:virtual_host_label]
1 = BA
2 = token

2. Configure the "IP Endpoint Authentication Method" POP attribute:

pdadmin> pop modify test set ipauth anyothernw 2
pdadmin> pop show test
Protected object policy: test
    Description: Test POP
    Warning: no
    Audit level: none
    Quality of protection: none
    Time of day access: mon, wed, fri:
        anytime:local
    IP Endpoint Authentication Method Policy
        Any Other Network    2

With this configuration, a user who accesses an object protected by the POP must already be authenticated at level 2, or is forced to authenticate with the token method.

See also "Network-based authentication protected object policy" on page 108.

Step-up authentication notes and limitations

• Step-up authentication is supported on both HTTP and HTTPS.

• It is not possible to step up from HTTP to HTTPS.

• An authentication method that is not listed in the [authentication-levels] stanza defaults to level 1.

• An authentication method cannot appear more than once in the level list.

• SPNEGO does not step up to any authentication method that uses a POST form. Stepping up a session that was authenticated with SPNEGO returns an error message to the client.

• Misconfiguring the step-up authentication levels disables the step-up function in the plug-in. This can cause unexpected authentication behaviour, for example a password login page being issued for an object protected by a POP that requires the token (one-time password) authentication method.

After configuring the step-up authentication mechanism, check the pdwebpi.log file for notification of any configuration errors.

Multi-factor authentication

Multi-factor authentication is an extension of step-up authentication. It lets you specify a protected object policy (POP) that forces users to authenticate with all of the authentication mechanisms in the previously configured POP authentication levels: the user must authenticate at the level required before access to the object is granted and at every level below it. Multi-factor authentication can also be combined with re-authentication to force multi-factor re-authentication.

Level-based authentication associates a policy with an object that sets the minimum authentication level that must be met before access to the object is granted. The configuration provides a hierarchy of supported authentication mechanisms that specifies their relative strength. When a user first authenticates to access an object, they are offered every authentication method that meets the level the object requires; it is up to the user which one they use.

To implement multi-factor authentication, first configure step-up authentication as described in "Authentication strength protected object policy (step-up)" on page 103. Once step-up authentication is configured, add the extended attribute MULTI-FACTOR-AUTH to the protected object policy (POP) of the Tivoli Access Manager Plug-in for Web Servers object.

With the MULTI-FACTOR-AUTH attribute set, all authentication levels up to and including the level specified in the POP must be satisfied before access is granted.

For example, assume the configuration file contains:

[authentication-levels]
1 = cert
2 = forms

With this setting, when a POP that requires authentication level 2 and has MULTI-FACTOR-AUTH set to true is attached to a resource, the user must first present a valid client certificate before the forms-based login takes place. If the POP attached to the resource does not have MULTI-FACTOR-AUTH enabled, only forms-based authentication is used.

Enabling multi-factor authentication

Multi-factor authentication is implemented through the POP policy set on the objects that require it.

Syntax:

pdadmin> pop modify pop_name set attribute MULTI-FACTOR-AUTH true

Re-authentication protected object policy

Tivoli Access Manager Plug-in for Web Servers can force a user to perform an additional login (re-authentication) to ensure that the user accessing a protected resource is the same person who authenticated at the start of the session. Re-authentication can be triggered either by a protected object policy (POP) on the protected object or by expiry of the session cache entry. This section describes security policy based re-authentication, which is specified by a POP extended attribute. For details on configuring the session/credential cache, see "Configuring the plug-in session/credential cache" on page 45.

Conditions that trigger POP re-authentication

Forced re-authentication gives sensitive resources in the secure domain additional protection. Security policy based re-authentication is activated by a specific extended attribute in the POP that protects the requested resource object. The POP can be attached directly to the object, or the object can inherit the POP conditions from a parent object. The following plug-in authentication methods support re-authentication:

• forms (user name and password) authentication

• token authentication

In addition, a custom user name/password CDAS can be written to support re-authentication.

Re-authentication assumes that the user is already logged in to the secure domain and has a valid credential. During re-authentication the user must log in with the same identity that was used to create the original credential. Tivoli Access Manager preserves the user's original session information, including the credential; the credential is not replaced during re-authentication.

During re-authentication the plug-in also caches the request that triggered it. When re-authentication succeeds, the cached data is used to rebuild the request.

If re-authentication fails, the plug-in returns the login prompt again. If re-authentication succeeds but the ACL check for the resource fails, a 403 "Forbidden" message is returned and the user is denied access to the requested resource. In neither case is the user logged out. Using the still-valid session, the user can abandon the re-authentication process (by requesting another URL) and remain in the secure domain by accessing other resources that do not require re-authentication.

Creating and applying the re-authentication POP

Security policy based forced re-authentication is configured by creating a protected object policy (POP) with a special extended attribute named "reauth". The POP can be attached to any object that needs the additional protection that forced re-authentication provides.

Remember that all children of an object with a POP inherit the POP conditions. Each requested child object requires a separate re-authentication.

Use the pdadmin pop create, pdadmin pop modify and pdadmin pop attach commands.

The following example creates a POP named "secure" with the reauth extended attribute and attaches it to an object:

pdadmin> pop create secure
pdadmin> pop modify secure set attribute REAUTH true
pdadmin> pop attach /PDWebPI/hostA/budget.html secure

Any client that attempts to access budget.html must re-authenticate with the same identity and authentication method that created its original credential.

If the user requesting the resource is unauthenticated, the POP forces the user to authenticate. Every access to an object protected by a re-authentication policy requires re-authentication.

Where most, but not all, of the objects in a directory require re-authentication, the best approach is to attach a POP that includes the "reauth" extended attribute to the whole directory. For the objects that do not require re-authentication, attach a POP identical to the directory's but without the "reauth" extended attribute.

Details of the pdadmin command line utility can be found in the IBM Tivoli Access Manager Base Administrator's Guide.

Network-based authentication protected object policy

The network-based authentication protected object policy (POP) makes it possible to control access to an object based on the IP address of the user. You can use this functionality to prevent specific IP addresses (or IP address ranges) from accessing any resource in the secure domain.

You can also apply the step-up authentication configuration to this policy and require a specific authentication method for each specified IP address range.

Network-based authentication policy is set in the "IP Endpoint Authentication Method" attribute of a POP policy. Two requirements must be specified in this attribute:

• the authentication level

• the allowed networks

For details on specifying the levels, see "Configuring step-up authentication levels" on page 103.

Specifying IP addresses and ranges

After configuring the authentication levels, you must specify the IP addresses and IP address ranges that this POP policy permits. The pdadmin pop modify set ipauth add command specifies both the network (or network range) and the required authentication level in the "IP Endpoint Authentication Method" attribute.

Syntax:

pdadmin> pop modify pop_name set ipauth add network netmask level_index

The configured authentication levels are linked to IP address ranges in order to provide flexibility. If filtering users by IP address is not important, you can set a single entry for anyothernw (any other network). This setting affects all accessing users, regardless of IP address, and requires them to authenticate at the specified level.

Syntax:

pdadmin> pop modify pop_name set ipauth anyothernw level_index

Conversely, if you want to ignore authentication levels and only allow or deny access based on IP address, use level 0 for permitted ranges and "forbidden" for denied ranges.

The anyothernw entry is a network range that matches every network not explicitly listed in the POP. It can be used to create a default entry that either rejects all non-matching IP addresses or lets anyone who meets the authentication level requirement gain access.

By default, anyothernw appears in a POP with an authentication level index of 0. In the output of the pop show command this entry is displayed as "Any Other Network":

pdadmin> pop show test
Protected object policy: test
    Description: Test POP
    Warning: no
    Audit level: none
    Quality of protection: none
    Time of day access: sun, mon, tue, wed, thu, fri, sat:
        anytime:local
    IP Endpoint Authentication Method Policy
        Any Other Network    0

For a more detailed analysis of setting authentication levels, see "Configuring step-up authentication levels" on page 103.

Examples

Require users from the network 9.0.0.0 with netmask 255.0.0.0 to authenticate at level 1 (by default, "password"):

pdadmin> pop modify test set ipauth add 9.0.0.0 255.0.0.0 1

Require only level 0 (no step-up) from one specific host, that is, a single IP address:

pdadmin> pop modify test set ipauth add 9.1.2.3 255.255.255.255 0

Prevent all users, except those covered by the entries above, from accessing the object:

pdadmin> pop modify test set ipauth anyothernw forbidden

Disabling step-up authentication by IP address

To remove the step-up authentication entry for an IP address or range, enter the following command:

pdadmin> pop modify pop_name set ipauth remove network netmask

For example:

pdadmin> pop modify test set ipauth remove 9.0.0.0 255.0.0.0

Network-based authentication algorithm

Tivoli Access Manager Plug-in for Web Servers uses the following algorithm to process the conditions in a POP:

1. Check the IP Endpoint Authentication Method policy in the POP.

2. Check the ACL permissions.

3. Check the time-of-day policy in the POP.

4. Check the audit level policy in the POP.
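The three POP features described above (step-up levels, the IP Endpoint Authentication Method entries with anyothernw and forbidden, and the MULTI-FACTOR-AUTH attribute) combine into one access decision. The following added worked example, written for this page and not taken from the product, models that decision for a request: it keeps an in-memory POP, applies the ipauth entries to the client address, and returns whether the request is allowed, which methods the client must still step up through, or whether the address is forbidden. The authentication level table, the Pop class and its method names are this example's own; matching the most specific network entry first is also an assumption of the example, not documented behaviour.

```python
"""IP Endpoint Authentication Method / step-up evaluator (illustrative, not product code)."""
import ipaddress

# Mirrors an [authentication-levels] stanza: index -> method. Level 0 is unauthenticated.
AUTH_LEVELS = {0: "unauthenticated", 1: "BA", 2: "token", 3: "cert"}


class Pop:
    def __init__(self, name):
        self.name = name
        self.ipauth = []        # list of (ip_network, level_index or "forbidden")
        self.anyothernw = 0     # default "Any Other Network" entry, level 0
        self.attributes = {}    # extended attributes, e.g. MULTI-FACTOR-AUTH

    def ipauth_add(self, network, netmask, level):
        """pop modify <name> set ipauth add <network> <netmask> <level>"""
        net = ipaddress.ip_network(f"{network}/{netmask}", strict=False)
        self.ipauth = [(n, l) for n, l in self.ipauth if n != net] + [(net, level)]

    def ipauth_remove(self, network, netmask):
        """pop modify <name> set ipauth remove <network> <netmask>"""
        net = ipaddress.ip_network(f"{network}/{netmask}", strict=False)
        self.ipauth = [(n, l) for n, l in self.ipauth if n != net]

    def set_anyothernw(self, level):
        """pop modify <name> set ipauth anyothernw <level>|forbidden"""
        self.anyothernw = level

    def required_level(self, client_ip):
        ip = ipaddress.ip_address(client_ip)
        matches = [(n, l) for n, l in self.ipauth if ip in n]
        if not matches:
            return self.anyothernw
        # Assumption of this example: the most specific (longest prefix) entry wins.
        return max(matches, key=lambda m: m[0].prefixlen)[1]


def evaluate(pop, client_ip, methods_used):
    """Decide a request. methods_used is the set of methods the session has
    already authenticated with. Returns ("allow", None), ("step-up", [methods])
    or ("forbidden", None)."""
    required = pop.required_level(client_ip)
    if required == "forbidden":
        return ("forbidden", None)
    if required == 0:
        return ("allow", None)
    if pop.attributes.get("MULTI-FACTOR-AUTH") == "true":
        # Every level from 1 up to and including the required one must be met.
        needed = [AUTH_LEVELS[i] for i in range(1, required + 1)
                  if AUTH_LEVELS[i] not in methods_used]
    else:
        # Any method at or above the required level satisfies the POP.
        have = max((i for i, m in AUTH_LEVELS.items() if m in methods_used), default=0)
        needed = [] if have >= required else [AUTH_LEVELS[required]]
    return ("allow", None) if not needed else ("step-up", needed)
```

Note the order in the algorithm above: the ipauth decision is made before the ACL is consulted, so a "forbidden" network never reaches the permission check, and a step-up prompt is issued even to a user who would ultimately be denied by the ACL.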

Quality of protection protected object policy

The quality of protection protected object policy (POP) attribute lets you specify the level of data protection required when an operation is performed on an object.

pdadmin> pop modify pop_name set qop {none|integrity|privacy}

Table 22. QOP level descriptions

QOP level    Description

privacy      Data encryption (SSL) is required.

integrity    Some mechanism must ensure that the data has not been changed.

none         No data protection method is used.

For example:

pdadmin> pop modify test set qop privacy

The quality of protection POP attribute lets a "yes" decision from the ACL check be qualified further by whether the required level of protection is in place. If the plug-in cannot guarantee the required level of protection, the request is denied.

Handling unauthenticated users (HTTP/HTTPS)

Tivoli Access Manager Plug-in for Web Servers accepts requests from both authenticated and unauthenticated users over HTTP and HTTPS. The plug-in then relies on the authorization service to enforce security policy by permitting or denying access to protected resources.

The following conditions apply to unauthenticated users who access over SSL:

• The exchange of information between the unauthenticated user and the plug-in is encrypted, just as it is for an authenticated user.

• The SSL connection between the unauthenticated user and the plug-in requires only server-side authentication.

Processing a request from an anonymous client

1. An anonymous client makes a request to the web server through the plug-in (over HTTP or HTTPS).

2. The plug-in creates an unauthenticated session for this client.

3. The request proceeds, with this session, to the protected web object.

4. The authorization service checks the permissions on the unauthenticated entry of the ACL for this object and permits or denies the requested operation.

5. Successful access to this object depends on an unauthenticated ACL entry that contains at least the read (r) permission.

6. If the request fails the authorization check, the client receives a login form (either BA or forms-based).

Forcing user login

You can force an unauthenticated user to log in by setting the access permissions correctly on the unauthenticated entry in the ACL policy that protects the requested object.

The read [PDWebPI]r permission allows unauthenticated access to the object.

To force an unauthenticated user to log in, remove the read [PDWebPI]r permission from the unauthenticated entry of the ACL policy that protects the object.

Applying unauthenticated HTTPS

There are many practical business reasons to support unauthenticated access over HTTPS to a web server protected by the plug-in. These reasons include:

• Some applications do not require a personal login, but do require confidential information such as addresses and credit card numbers. Examples include online purchasing and product catalogues.

• Some applications require the user to register and create an account before proceeding, so confidential information must be sent over the network.

Controlling unauthenticated users with ACL/POP policy

To control unauthenticated users with ACL/POP policy:

Note: The "any-other" entry type is also known as the "any-authenticated" entry type.

1. To allow unauthenticated users to access public objects, protect the public content with an ACL that contains at least the read [PDWebPI]r permission on both the unauthenticated and any-other entries:

unauthenticated [PDWebPI]r
any-other [PDWebPI]r

Note: When permissions are determined, the unauthenticated entry is a mask (a bitwise "and" operation) against the any-other entry. A permission for unauthenticated is granted only if the same permission also appears in the any-other entry. Because unauthenticated depends on any-other, an ACL that contains unauthenticated without any-other has little meaning. If an ACL does contain unauthenticated but not any-other, the default response is to grant no permissions to unauthenticated.

2. To require encryption (SSL), protect the content with a protected object policy (POP) that specifies privacy as a condition.

See "Quality of protection protected object policy" on page 109.
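The masking rule in the note above is the part of unauthenticated access that is most often misconfigured, so here is an added worked example written for this page (not Tivoli Access Manager code). It parses ACL entries in the notation the page uses, such as "TcmdbsvaBR[PDWebPI]rR", where actions inside [PDWebPI] belong to the plug-in action group and the others to the primary group, and computes the permissions an anonymous client actually receives by AND-ing the unauthenticated entry with any-other. The parsing of the action-group notation is this example's own reading of it; the sample ACLs are the default ACL shown earlier and a constructed public-content ACL.

```python
"""Effective permissions for unauthenticated requests (illustrative, not product code)."""
import re


def parse_permissions(perm_string):
    """Turn 'TcB[PDWebPI]rR' into a set of (action_group, action) pairs."""
    perms = set()
    group = "primary"
    for token in re.findall(r"\[[^\]]+\]|[A-Za-z]", perm_string):
        if token.startswith("["):
            group = token[1:-1]            # actions that follow belong to this group
        else:
            perms.add((group, token))
    return perms


def effective_permissions(acl, entry):
    """Permissions granted to 'entry' by an ACL given as {entry: perm_string}.
    Entries are 'unauthenticated', 'any-other', 'user:<name>' or 'group:<name>'."""
    if entry == "unauthenticated":
        # Documented rule: unauthenticated is a bitwise AND mask against any-other,
        # and an ACL lacking any-other grants unauthenticated nothing.
        if "any-other" not in acl or "unauthenticated" not in acl:
            return set()
        return parse_permissions(acl["unauthenticated"]) & parse_permissions(acl["any-other"])
    return parse_permissions(acl.get(entry, ""))


def unauthenticated_can_read(acl):
    """True when an anonymous client may GET/POST the object ([PDWebPI]r needed)."""
    return ("PDWebPI", "r") in effective_permissions(acl, "unauthenticated")


# The default ACL from this chapter: anonymous clients may traverse but not read.
DEFAULT_PDWEBPI = {
    "group:iv-admin": "TcmdbsvaBR[PDWebPI]rR",
    "user:sec_master": "cmdbsvaBR[PDWebPI]rR",
    "any-other": "T[PDWebPI]rR",
    "unauthenticated": "T",
}

# Constructed public-content ACL, as recommended in step 1 above.
PUBLIC = {"any-other": "T[PDWebPI]r", "unauthenticated": "T[PDWebPI]r"}
```

Running unauthenticated_can_read against an ACL before attaching it is a cheap way to confirm that "removing r from unauthenticated" (or forgetting to grant it on any-other) has the effect you intend.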


Chapter 5. Web single sign-on solutions

When Tivoli Access Manager Plug-in for Web Servers is used as an authorization service to protect a secure domain, it is often necessary to provide single sign-on solutions for the resources in that domain. This chapter describes single sign-on solutions for web spaces protected by Tivoli Access Manager Plug-in for Web Servers.

This chapter covers the following topics:

• "Single sign-on concepts"

• "Automatic sign-on to protected applications" on page 114

• "Single sign-on from WebSEAL or other proxies to the plug-in" on page 116

• "Single sign-on using failover cookies" on page 117

• "Using global sign-on (GSO)" on page 118

• "Secure Protocol NEGOtiation (SPNEGO) single sign-on" on page 120

• "Single sign-on using forms" on page 120

Single sign-on concepts

When protected resources are located on web application servers behind the plug-in, the clients requesting those resources can be required to log in several times as they access different secure applications. Each login may require a different login identity. The problem of administering and maintaining multiple login identities can often be solved with a single sign-on (SSO) mechanism. SSO lets a user access a resource with only one initial login. Any further login requests for resources on the web server are handled transparently to the user.

Tivoli Access Manager Plug-in for Web Servers supports many different single sign-on structures. These structures are:

1. A single plug-in instance providing single sign-on to multiple secure applications on a server.

2. Single sign-on to the plug-in from WebSEAL or another proxy agent, such as a WAP gateway.

3. Failover cookies that provide single sign-on between different domains.

4. Global sign-on (GSO), whose module provides access to applications by using stored user credential information.

5. Secure Protocol NEGOtiation (SPNEGO), which allows access to resources on IIS-based web servers.

6. Forms-based authentication used as an SSO mechanism.

7. Cross-domain single sign-on, which provides a mechanism to transfer user credentials across multiple secure domains.

8. e-community single sign-on, where the user authenticates once and signs on to a "home" domain that issues a token; the token lets the user access other domains in the e-community without re-authenticating.

This chapter describes the first six SSO scenarios. The last two are the subject of the next chapter.

© Copyright IBM Corp. 2000, 2003 113

Automatic sign-on to protected applications

HTTP headers and LTPA cookies (when the application is WebSphere Application Server) can be used to obtain SSO to applications on the server that are protected by the plug-in instance.

After a client's initial authentication, the plug-in can construct HTTP headers that contain the client's identity information and can be used to authenticate automatically to applications running on the protected server. In a similar way, LTPA cookies can be used to obtain SSO to a web application server such as WebSphere.

Configuring single sign-on to secure applications using HTTP headers

The HTTP headers used to sign on to applications are constructed by the iv-header post-authorization module. The constructed headers are commonly called IV headers.

After a user request has been successfully authorized, the plug-in can insert IV headers that define the client's identity into the request for the application to process. When the request is handled by an application hosted on the protected web server, this header information can serve as proof of the user's identity, so the user does not need to log in each time a new secure application is accessed.

The application must trust these headers only because the plug-in inserted them: a client can itself send a header named iv-user, so the application must not be reachable by any path that bypasses the plug-in.

When configured for post-authorization processing, the IV header module inserts one or more of the iv-user, iv-user-l, iv-creds, iv-groups and iv-remote-address HTTP header types. These header types are described in the table below.

Table 23. IV header field descriptions

IV header field     Description

iv-user             The short name of the Tivoli Access Manager user. Defaults to "unauthenticated" if the client is unauthenticated (unknown).

iv-user-l           The full (long) name of the user, for example the LDAP distinguished name.

iv-groups           A list of the groups the user belongs to.

iv-creds            An encoded opaque data structure representing the user's Tivoli Access Manager credential.

iv-remote-address   The IP address of the client. This value could represent the IP address of a proxy server or a network address translator (NAT).

Enabling and disabling IV header generation

For the plug-in to insert IV headers into authorized requests, it must be configured to use IV headers for post-authorization processing. The [common-modules] stanza of the pdwebpi.conf configuration file defines the use of all authentication methods. To enable IV headers for post-authorization processing, assign the keyword value iv-headers to the post-authzn parameter in the [common-modules] stanza of pdwebpi.conf, that is:

[common-modules]
post-authzn = iv-headers

Configuring the IV header parameters

The IV header authentication parameters are configured in the [iv-headers] stanza of the pdwebpi.conf configuration file.

The generate parameter specifies the IV header types to be generated when a request is proxied. By default, the plug-in generates all IV header types. Valid options are: all, iv-creds, iv-user, iv-user-l and iv-remote-address. To enter multiple header types, separate the values with commas.

For example:

[iv-headers]
generate = iv-creds,iv-user,iv-user-l

Single sign-on to WebSphere Application Server using LTPA cookies

When the plug-in is installed as the protection point for a WebSphere Application Server, an accessing client faces two potential login points: the plug-in in front of the WebSphere service, and the secure application itself. To provide single sign-on in this situation, the plug-in can be configured to generate a cookie-based lightweight third-party authentication (LTPA) token and pass it to a web application server that supports LTPA cookies.

When a user requests a resource on the server, the user must first authenticate to the plug-in. After successful authentication the plug-in generates an LTPA cookie on behalf of the user. The LTPA cookie, which serves as the authentication token for the web application server, contains the user identity and password information. This information is encrypted with a password-protected key that is shared between the plug-in and the application server.

The plug-in inserts the cookie into the HTTP header of the request that is sent to the web application server. The application server receives the request, decrypts the cookie and authenticates the user from the identity information supplied in the cookie.

For better performance, the plug-in stores the LTPA cookie in the session cache and uses the cached LTPA cookie for subsequent requests during the same user session. For details on setting the session cache parameters, see "Configuring the plug-in session/credential cache" on page 45.

Configuring single sign-on to WebSphere using LTPA cookies

Single sign-on to an application server that supports LTPA cookies is part of the plug-in's post-authorization processing. To enable it, enter the value ltpa for the post-authzn parameter in the [common-modules] stanza of the pdwebpi.conf configuration file:

[common-modules]
post-authzn = ltpa

LTPA cookie configuration is performed in the [ltpa] stanza of the pdwebpi.conf configuration file. The following parameters must be configured.

Table 24. LTPA configuration parameters

Parameter          Description

ltpa-keyfile       The full path name of the key file used to encrypt the identity information contained in the cookie.

ltpa-stash-file    The location of the password stash file. Comment this entry out if no password stash file exists.

ltpa-password      The password to use when no password stash file exists.

ltpa-lifetime      The validity period of the LTPA cookie, in seconds.

The key file, and the stash file or ltpa-password value that unlocks it, are secrets equivalent to the LTPA key itself: anyone who reads them can mint cookies the application server accepts. Restrict their file permissions to the account the plug-in runs as.

Additional notes on LTPA single sign-on

• The key file contains information about a specific web application server. If several application servers are added to the same plug-in, all of them must share the same key file.

• For single sign-on to succeed, the plug-in and the application server must share the same registry information in some way.

• The application server is responsible for setting up LTPA and creating the shared key.

Single sign-on from WebSEAL or other proxies to the plug-in

When the plug-in's front-end web server receives a request from a trusted application such as WebSEAL or a multiplexing proxy agent, IV headers may be inserted into the request sent to the plug-in. The IV headers contain information that identifies the original client, not the sending server. The information in the headers is used to construct a credential for the original client, which is then used for authorization.

When the plug-in is configured to use IV headers to perform client authentication, it creates the client credential from the identity found in the IV headers of the incoming request. Because IV headers are easy for a client to forge, such a credential is created only when the request is marked as having been sent by a trusted authentication agent.

For authentication, the plug-in can be configured to accept one or more of the iv-user, iv-user-l, iv-creds or iv-remote-address headers in requests received through a proxy as proof of authentication. The iv-remote-address header records the user's real remote address. These IV header types are supplied by Tivoli Access Manager and WebSEAL.

Table 25. IV header field descriptions

IV header field     Description

iv-user             The short name of the client. Defaults to "unauthenticated" if the client is unauthenticated (unknown).

iv-user-l           The full (long) name of the user.

iv-groups           A list of the groups the client belongs to.

iv-creds            An encoded opaque data structure representing the Tivoli Access Manager credential.

iv-remote-address   The IP address of the client. This value could represent the IP address of a proxy server or a network address translator (NAT).

Note: Access Manager accepts these headers only from trusted hosts. If the sending host is a multiplexing proxy agent (MPA), it is considered trusted. For details on configuring the plug-in to support MPAs, see "Supporting multiplexing proxy agents (MPA)" on page 93.

To be accepted as proof of the client's identity, the WebSEAL server or other proxy must itself first authenticate to the plug-in. This is normally done with a mutually authenticated SSL connection between the proxy and the web server protected by the plug-in.

Enabling and disabling authentication using IV headers

The [common-modules] stanza of the pdwebpi.conf configuration file defines the use of all authentication methods. To enable authentication using IV headers, assign the keyword "iv-header" to the authentication parameter:

[common-modules]
authentication = iv-header

Configuring the IV header parameters

The IV header authentication parameters are configured in the [iv-headers] stanza of the pdwebpi.conf configuration file.

The accept parameter specifies the IV header types that are accepted for IV header authentication. By default, the plug-in accepts all IV header types. Valid options are: all, iv-creds, iv-user, iv-user-l and iv-remote-address. To enter multiple header types, separate the values with commas.

For example:

[iv-headers]
accept = iv-creds,iv-user

Single sign-on using failover cookies

When failover cookies are configured for post-authorization processing, the plug-in encrypts the client's credential data in a server-specific or domain-wide cookie. When the client first connects, the cookie is placed in the browser. When the client tries to access another secure server in the domain, the cookie is presented to the new server the client is directed to. The cookie is used for automatic re-authentication, so the client does not have to re-authenticate manually. The plug-ins on the replicated servers share a common key, which decrypts the credential information contained in the cookie and re-establishes the session.

Note: The cryptographic protection of generated failover cookies was improved in plug-in release 4.1. These improvements are not compatible with Tivoli Access Manager 3.9 encryption. To remain compatible with 3.9 Tivoli Access Manager Web security products, set the configuration parameter pre-410-compatible-tokens in the [pdweb-plugins] stanza to true. This parameter is global and cannot be set per virtual host. Because it reverts to the weaker 3.9 format, leave it at its default once no 3.9 servers remain in the domain.

Enabling single sign-on using failover cookies

Failover cookies can be configured to perform both the authentication and the post-authorization task.

A plug-in configured to use failover cookies for post-authorization processing encrypts the credential and stores it as a failover cookie in the downstream response.

A plug-in configured to use failover cookies for authentication re-authenticates the client from the encrypted credential found in the failover cookie of the incoming request.

To enable SSO using failover cookies, assign the keyword "failover" to both the authentication and post-authzn parameters in the [common-modules] stanza of the configuration file:

[common-modules]
authentication = failover
post-authzn = failover

For further details on configuring failover cookie authentication, see "Configuring failover authentication" on page 70.

Using global sign-on (GSO)

Tivoli Access Manager Plug-in for Web Servers can be configured to grant users access to the computing resources they are authorized to use through a single login. GSO integrates with the large enterprise networks made up of many systems and applications in heterogeneous distributed computing environments, so that users no longer have to manage multiple user names and passwords.

Note: When an iPlanet web server uses the same LDAP instance as Tivoli Access Manager, GSO is not an appropriate single sign-on solution for that iPlanet web server.

To create a GSO solution, you must first use Web Portal Manager or the pdadmin utility to create the Tivoli Access Manager GSO resources and GSO resource groups. For details on creating GSO resources and resource groups, see the IBM Tivoli Access Manager Base Administrator's Guide.

The basic authentication (BA) post-authorization module is invoked after a request has been authorized, to determine whether a resource credential is available for the requested resource. A resource credential is a user name/password combination that is mapped to a resource and stored in the user registry. The BA post-authorization module looks up the resource credential that applies to the user and the requested application resource, builds an HTTP basic authentication header from it, and adds that BA header to the HTTP request. The resource credential is looked up in the user registry only for the first request; for all subsequent requests it is retrieved from the session information.

The following figure and steps show how the GSO mechanism retrieves the user name and password for a back-end application resource.

1. The user Michael requests access to the protected back-end web server application travel-app. Tivoli Access Manager authenticates the client and obtains Tivoli Access Manager credentials. If the requested resource is not protected, the request is forwarded to the web server for processing.

Note: The single sign-on process is independent of the initial authentication method.

2. The plug-in passes the Tivoli Access Manager credentials to the user registry server (LDAP or URAF). The user registry server uses its mapping of resources to authentication information to determine what to return. The authentication information is a user name/password combination called a resource credential. Resource credentials can be created only for registered users.

The following table shows the structure of the GSO resource credential database:

Michael                    Jane

resource: travel-app       resource: travel-app
username=mike              username=Jane
password=123               password=abc

resource: payroll-app      resource: payroll-app
username=smith             username=Jones
password=456               password=xyz

3. The registry returns the user name "mike" and the password "123" to the plug-in.

4. The plug-in inserts Michael's user name and password into the HTTP basic authentication (BA) header of the request sent to the web server.

5. The web server authenticates Michael (for the resource he requested) from Michael's credential in the BA header inserted into the request in step 4. This is transparent to the client.

Configuring global sign-on

To enable the global sign-on function, configure pdwebpi.conf. In the [common-modules] stanza, specify the value BA for the post-authzn parameter, as follows:

[common-modules]
authentication = ...
session = ...
post-authzn = BA

Make sure that the BA parameter is specified as a default module in at least the modules stanza, that is:

[modules]
BA = pdwpi-ba-module

In the [BA] stanza of the pdwebpi.conf configuration file, several parameters are available to configure the BA post-authorization module. These are:

• basic-auth-realm

• strip-hdr

• add-hdr

• gso-resource-name

• supply-password

• supply-username

Figure 6. Using GSO for user access to secure applications.

To implement GSO to a back-end application, the add-hdr and gso-resource-name parameters must be configured. The other BA parameters are analysed in more detail in "Configuring basic authentication" on page 53.

Once a request has been authenticated, the add-hdr parameter controls the addition of a new BA header. To implement GSO, set this parameter to the value gso:

[BA:virtual_host1]
...
add-hdr = gso

Setting the add-hdr parameter to gso means that a new BA header, based on the resource information stored in the user registry, is added to the HTTP request. The gso-resource-name parameter in the [BA] stanza of the configuration file specifies the name of the web server resource for which GSO is enabled. It can be specified per virtual host. The resource credentials stored in the user registry are mapped to each resource stored in that registry.

Set the gso-resource-name parameter to the name of the Tivoli Access Manager resource for which GSO is enabled. For example:

[BA:virtual_host1]
...
gso-resource-name = payroll-app

Only one GSO resource name can be specified per virtual host. If no value is specified for gso-resource-name, the virtual host name is used as the GSO resource name.

Note: If you share an LDAP registry between Sun ONE (formerly iPlanet) and Tivoli Access Manager, you cannot create GSO resource credentials in Tivoli Access Manager whose target user name is identical to the user name of a user who already authenticates to Sun ONE Web Server. This is because Sun ONE Web Server cannot restrict the LDAP search criteria when it authenticates a user and looks up an object of the correct LDAP object class.

Secure Protocol NEGOtiation (SPNEGO) single sign-on

Using SPNEGO as the authentication mechanism in the plug-in provides single sign-on: users can access resources on a secure IIS web server from a Windows client without an initial login or any further authentication. Details of the operation and configuration of SPNEGO single sign-on are given in "Configuring SPNEGO authentication" on page 62.

Single sign-on using forms

Single sign-on forms authentication allows Tivoli Access Manager Plug-in for Web Servers to transparently log an authenticated Tivoli Access Manager user in to a plug-in protected web server that requires HTML forms authentication.

Single sign-on forms authentication supports existing applications that use HTML forms authentication and cannot be modified to accept the authentication performed by the plug-in directly. Plug-in forms-based single sign-on offers a rapid migration path and should be regarded as the preferred solution when a more trusted or stronger authentication method is being rolled out.

Enabling single sign-on forms authentication has the following results:

• The plug-in intercepts the authentication process started by the back-end application.

• The plug-in supplies the data required by the login form and submits the login form on the user's behalf.

• The user is not aware that any login is taking place.

• The back-end application is not aware that the login form did not come directly from the user.

The plug-in must be configured to:

• recognize and intercept the login form

• fill in the appropriate authentication data

The administrator enables forms single sign-on by configuring how the login form is recognized, completed and processed.

Forms single sign-on process flow

The following scenario assumes that the plug-in has already authenticated the user.

1. The user requests a resource on a protected virtual host.

2. The plug-in passes the request to the back-end application.

3. Because the back-end application requires the user to authenticate, it returns a redirect to its login page to the plug-in.

4. The plug-in passes the redirect to the browser.

5. The browser follows the redirect and requests the login page.

Note: Everything up to this point in the flow is standard plug-in behaviour.

6. The plug-in has been configured for forms single sign-on. Based on the information in the plug-in configuration file, the FSSO module recognizes the request as a request for the login page. The request is sent to the application.

7. The application returns the login page, possibly together with application-specific cookies.

Figure 7. Forms single sign-on process flow.

8. The plug-in intercepts the response and parses the returned HTML to identify the login form. When the plug-in finds an HTML form in the response, it compares the action URI of the form with the value of the login-form-action parameter in the plug-in configuration file. If they match, the plug-in uses the form it found; otherwise it keeps looking for other forms. If the page contains no form whose action URI matches the pattern in the configuration file, the plug-in abandons forms single sign-on processing and returns the unmodified response to the browser.

If a login form is found, the plug-in parses the form HTML in the response to identify the request method, the action URI and all the other input fields in the form, and saves them for use in step 10. It then sends the browser a redirect to the action URI of the login form, with a unique request identifier appended to the URI as query data. Any application-specific cookies are also included in the redirect.

9. The browser follows the redirect and requests the action URI.

10. The plug-in recognizes the request by its unique query string and, using the data saved in step 8 together with the configured parameters, builds the authentication request. The completed login form (the authentication request) is then sent to the back-end application.

11. The application authenticates with the authentication data the plug-in supplied in the form, and returns a redirect to the originally requested resource.

12. The plug-in returns the redirect to the browser.

Note: This completes the forms SSO function.

13. The browser follows the redirect and requests the resource.

14. The plug-in forwards the request to the secure resource.

During this process the browser makes four requests to the plug-in. From the user's point of view, only one request, for the resource, was made. The other requests happen automatically through HTTP redirects.

Application requirements

Forms single sign-on authentication is supported for applications that meet the following requirements:

1. The login page, or the application's pages, must be identifiable with one or more regular expressions.

2. The login page may contain several HTML forms. However, the login form must be identifiable either by applying a regular expression to the action URI of each form on the login page, or by being the first form on the page. Note that when the "action" attribute is used to identify the login form, the "action" attribute is not passed through the plug-in's HTML filtering: the regular expression must match the action URI as it is before filtering.

3. Client-side scripting may be used to validate the input data, but it must not modify the input data. This rules out support for web sites that use JavaScript to generate the login form dynamically or to set cookies in the user's browser.

4. The login data is submitted only once during the authentication process.

5. The login URI used in step 8 of the flow must be processable as a single request to the web server. For example, in Apache, a PHP script run as an external command causes several requests and cannot be intercepted.

Enabling forms single sign-on

The FSSO module handles the forms single sign-on process. It must be invoked after the request has been authorized and before the web server responds to the request. The FSSO module therefore needs to be configured as both a post-authzn module and a response module. Both are specified in the [common-modules] stanza of the pdwebpi.conf configuration file, that is:

[common-modules]
...
post-authzn = fsso
response = fsso

The response module intercepts the login form displayed by the web server so that it can be processed.

The [modules] stanza of the pdwebpi.conf configuration file defines all the available authentication mechanisms and the names of their associated shared libraries. Make sure the fsso entry exists:

[modules]
fsso = pdwpi-fsso-module

Because the plug-in's role is to protect web resources from unauthorized access, every request for a resource must be authorized by the plug-in even when it is part of the forms-based single sign-on process. Before allowing access to the back-end application's login page, the plug-in checks the ACL database, and it checks again before allowing access to the URI specified in the form action (to which the completed form is sent). If security policy does not grant the current user access to these pages, forms-based single sign-on fails.

Configuring forms single sign-on

Forms single sign-on configuration information is located in the [fsso] or [fsso:virtual-host] stanza of the pdwebpi.conf configuration file. The stanza contains one or more login-page-stanza entries, each pointing to a custom-named stanza that holds the configuration for a login page found on the back-end application.

The ability to support several login pages is necessary because the server may host several applications, each using a different authentication method.

For example:

[fsso]
login-page-stanza = login-form-1
login-page-stanza = login-form-2

Custom login page stanza

Each custom login page stanza intercepts a particular URL pattern. The stanza can contain the following parameters:

Parameter           Description

login-page          A regular expression that uniquely identifies requests for the application's login page. The configured pattern is compared with the request URI.

login-form-action   A regular expression that identifies which form in the intercepted page is the application's login form. If several forms match the pattern, the first one is used.

argument-stanza     Points to another stanza that lists the fields and data required to complete the login form.

gso-resource        The name of the Tivoli Access Manager resource to use when GSO data (gso:) is specified in the argument stanza. Only one GSO resource name can be specified per custom login page stanza. If no value is specified for gso-resource, the virtual host name is used as the GSO resource name.

For example:

[login-form-1]
login-page = /cgi-bin/getloginpage*
login-form-action = *
argument-stanza = form1-data
gso-resource = payroll-app

About the login-page parameter: The value of the login-page parameter is a regular expression that the plug-in uses to determine whether an incoming request is actually a request for the login page. When it is, the plug-in intercepts the request and begins forms single sign-on processing.

Only one login-page parameter is allowed in each custom login page stanza. For each additional login-page pattern, an additional custom login page stanza must be created.

The login-page regular expression is compared with the request URI. In the following example, the URI of a request to a protected virtual host called myserver1 might look like this:

https://myserver1.mycompany.com/auth/login.html

The part of this URL that is compared with the login-page regular expression is:

/auth/login.html

About the login-form-action parameter: The login-form-action parameter identifies the login form on the page that the back-end server returns in response to a request matching the login-page parameter. Only one login-form-action parameter is allowed in each stanza.

The value of the login-form-action parameter is a regular expression that is compared with the contents of the action= attribute of the HTML form tag. The action attribute is a URI expressed as a relative, server-relative or absolute path. The login-form-action pattern must match this path as it comes from the back-end server, even though the plug-in may modify the path before it is sent to the client.

If several action attributes on the page match the regular expression, only the first match is accepted as the login form.

If the login-form-action regular expression matches none of the forms on the page, an error is returned to the browser reporting that the form could not be found.

When a page contains only one login form, login-form-action = * can be set as a simple way of matching the login form. Prefer the most specific pattern the page allows: the plug-in submits the configured credentials to whichever form matches first, so a pattern of * on a page that can echo attacker-supplied content would let an injected form receive them.

Using regular expressions: The special characters allowed in the regular expressions used in the forms single sign-on configuration are defined in Appendix E, "Special characters allowed in regular expressions", on page 191.

In most cases special characters are not needed, because the login page request is a single identifiable URI. In some cases a "*" at the end of the expression is used so that any query data at the end of the URI does not prevent the login page from matching.

Argument stanza: The custom argument stanza contains one or more entries in the following format:

name = method:value

name

Set the value of the name parameter equal to the value of the name attribute of the HTML input tag. For example:

<input name=uid type=text>Username</input>

This parameter can also take the value of the name attribute of an HTML select or textarea tag.

method:value

This combination retrieves the authentication data required by the form. The authentication data can be:

• literal data

string:text

The input is the text string.

• the GSO user name and password

gso:username
gso:password

The input is the current user's GSO user name and password for the target gso-resource specified in the custom login page stanza.

• the value of an attribute in the user's credential

cred:cred-ext-attr-name

By default, the credential contains information such as the user's Tivoli Access Manager user name and DN. To use the user's Tivoli Access Manager user name as the input value, specify:

cred:azn_cred_principal_name

The user's DN can be accessed as:

cred:azn_cred_authzn_id

Custom credential attributes (added using the tag/value mechanism) can also be used.

Hidden input fields do not need to be specified in this stanza. They are retrieved automatically from the HTML form and submitted with the authentication request.

For example:

[form1-data]
uid = string:brian

Notes:

1. If the login process requires code to run before the form is submitted, forms single sign-on may not work: the plug-in does not execute script code (JavaScript, ActiveX and so on) before submitting the form. If the code only checks the input, there is no problem; if the code modifies the user input, a problem may occur.

2. Although forms-based SSO can use information from the GSO database, it does not affect the GSO function provided by the BA module. If needed, one GSO target can be used to populate the basic authentication header sent to the back-end server, while another GSO target specified in the forms-based SSO configuration is used to fill in the login form.

IBM HelpNow configuration file example

The IBM HelpNow site uses its own forms-based login, so it serves as an example of how a forms single sign-on solution can give registered users seamless access to a site.

This section contains:

• the form part, similar to the form sent in the HTML login page returned by the HelpNow application

• the custom forms single sign-on configuration file used to process the form

The form found in the returned HTML page:

<form name="confirm" method="post" action="../files/wcls_hnb_welcomePage2.cgi">
<p>Employee Serial Number:&nbsp;<input name="data" size="10" maxlength="6">
<p>Country Name:<select name="Cntselect" size="1">
<OPTION value="notselected" selected>Select Country</OPTION>
<OPTION value=675>United Arab Emirates - IBM</OPTION>
<OPTION value=866>United Kingdom</OPTION>
<OPTION value=897>United States</OPTION>
<OPTION value=869>Uruguay</OPTION>
<OPTION value=871>Venezuela</OPTION>
<OPTION value=852>Vietnam</OPTION>
<OPTION value=707>Yugoslavia</OPTION>
<OPTION value=825>Zimbabwe</OPTION>
</select></p>
<input type=submit value=Submit>
</form>

The custom configuration file used to process this form:

helpnow FSSO configuration:
[forms-sso-login-pages]
login-page-stanza = helpnow

[helpnow]
# The HelpNow site redirects you to this page when
# you are required to log in.
login-page = /bluebase/bin/files/wcls_hnb_welcomePage1.cgi

# The login form is the first in the page, so we can just call it
# '*'.
login-form-action = *

# The GSO resource, helpnow, contains the employee serial number.
gso-resource = helpnow

# Authentication arguments follow.
argument-stanza = auth-data

[auth-data]
# The 'data' field contains the employee serial number.
data = gso:username

# The Cntselect field contains a number corresponding to the employee's
# country of origin. The string "897" corresponds to the USA.
Cntselect = string:897
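Steps 8 and 10 of the process flow (pick the form whose action matches login-form-action, collect its fields including hidden ones, fill the argument-stanza fields from string:, gso: and cred: sources, and build the submission) are what the HelpNow configuration above drives. The following added worked example, written for this page and not the plug-in's own FSSO module, performs those steps over a constructed page modelled on the HelpNow form. The GSO store, the credential attribute dictionary, the function names and the sample page are this example's own; the pattern syntax of Appendix E is approximated with shell-style wildcards.

```python
"""Forms single sign-on: locate the login form and build the submission (illustrative)."""
import fnmatch
from html.parser import HTMLParser
from urllib.parse import urlencode, urljoin


class FormCollector(HTMLParser):
    """Collect every form on a page with its action, method and named fields."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self.current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.current = {"action": a.get("action", ""),
                            "method": a.get("method", "get").upper(), "fields": {}}
            self.forms.append(self.current)
        elif self.current is not None and tag in ("input", "select", "textarea"):
            name = a.get("name")
            if name:
                # Keep hidden/prefilled values so they are resubmitted unchanged.
                self.current["fields"][name] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "form":
            self.current = None


def select_login_form(html, login_form_action):
    """Step 8: the first form whose action matches the login-form-action pattern."""
    parser = FormCollector()
    parser.feed(html)
    for form in parser.forms:
        if fnmatch.fnmatchcase(form["action"], login_form_action):
            return form
    return None    # no match: the response is passed through unmodified


def resolve(method_value, gso_store, gso_resource, credential):
    """Translate an argument-stanza 'method:value' into the value to submit."""
    method, _, value = method_value.partition(":")
    if method == "string":
        return value
    if method == "gso":
        return gso_store[gso_resource][value]     # 'username' or 'password'
    if method == "cred":
        return credential[value]                  # e.g. azn_cred_principal_name
    raise ValueError(f"unknown method {method!r}")


def build_login_request(page_url, html, stanza, argument_stanza, gso_store, credential):
    """Step 10: (method, absolute action URL, urlencoded body), or None if no form."""
    form = select_login_form(html, stanza["login-form-action"])
    if form is None:
        return None
    fields = dict(form["fields"])                 # hidden fields come for free
    for name, method_value in argument_stanza.items():
        fields[name] = resolve(method_value, gso_store, stanza.get("gso-resource"), credential)
    return form["method"], urljoin(page_url, form["action"]), urlencode(fields)


# Constructed sample page: a search form precedes the login form, to show why
# a specific login-form-action pattern matters.
HELPNOW_HTML = """<html><body>
<form name="search" method="get" action="/bluebase/bin/search.cgi">
<input name="q" type="text"></form>
<form name="confirm" method="post" action="../files/wcls_hnb_welcomePage2.cgi">
<input type="hidden" name="session" value="abc123">
<input name="data" size="10" maxlength="6">
<select name="Cntselect" size="1"><option value="notselected" selected>Select</option></select>
<input type=submit value=Submit></form></body></html>"""

HELPNOW_STANZA = {"login-page": "/bluebase/bin/files/wcls_hnb_welcomePage1.cgi",
                  "login-form-action": "*welcomePage2.cgi",
                  "gso-resource": "helpnow"}
AUTH_DATA = {"data": "gso:username", "Cntselect": "string:897"}
GSO_STORE = {"helpnow": {"username": "123456", "password": "unused"}}   # constructed
CREDENTIAL = {"azn_cred_principal_name": "michael"}                     # constructed
```

With login-form-action set to * the search form would be selected first and the employee serial number posted to search.cgi, which is the failure mode the note on specific patterns warns about.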

Chapter 6. Cross-domain sign-on solutions

When Tivoli Access Manager Plug-in for Web Servers is implemented to protect a secure domain, it is often necessary to provide single sign-on solutions for resources. This chapter describes the two methods of implementing single sign-on across different plug-in protected domains: e-community single sign-on and cross-domain single sign-on (CDSSO). Both solutions use encrypted tokens to pass user authentication information between domains.

Which solution to choose depends on how much flexibility is needed. e-community single sign-on uses a master server that coordinates the single sign-on process between the domains. CDSSO has neither a master authentication server nor the automatic redirection that gives e-community single sign-on its greater flexibility.

This chapter covers the following topics:

• "Cross-domain single sign-on (CDSSO)"

• "e-community single sign-on" on page 132

Cross-domain single sign-on (CDSSO)

Tivoli Access Manager cross-domain single sign-on (CDSSO) provides a mechanism for transferring user credentials across multiple secure domains. CDSSO supports scalable network architectures by allowing a deployment to extend over several secure domains. For example, a large corporate division can consist of two or more independent domain setups, each with its own users and object space. CDSSO lets users move between the domains with a single sign-on. Unlike e-community single sign-on (page 132), the CDSSO authentication mechanism does not depend on a master authentication server.

With CDSSO, when a user requests a resource located in another domain, the CDSSO mechanism transfers an encrypted user identity token from the first domain to the second domain. The second domain then has the user's identity (as authenticated in the first domain), and the user does not have to perform another login.

CDSSO domains are based on DNS domain names; all servers in one DNS domain share one symmetric key. To perform CDSSO with servers in another DNS domain (which may or may not be in a different Tivoli Access Manager domain), a different key is needed.

CDSSO authentication process flow

The CDSSO process flow is described in the following figure and text. Any user who wants to participate in multiple domains must have a valid user account in the initial domain (domain A in this example) and an identity that can be mapped to a valid account in each of the participating remote domains. Only a user from the initial secure domain (A), which holds the account used for the user's initial authentication, can invoke the CDSSO function.

1. The user requests a resource in domain B through a link on a web page in domain A.

2. The link contains a special CDSSO expression specified by the uri parameter in the [cdsso] stanza of the pdwebpi.conf configuration file. The default value is pkmscdsso:

/pkmscdsso?destination-URL

For example:

/pkmscdsso?https://www.domainB.com/index.html

The request is first processed by the plug-in server in domain A. The plug-in builds an authentication token that contains the user's Tivoli Access Manager identity (short name), the current domain ("A"), additional user information and a timestamp.

The additional user information (extended attributes) is obtained by calling the custom CDMF shared library (cdmf_get_usr_attributes). This library can supply user attributes that domain B can use during the user mapping process.

The plug-in triple-DES encrypts this token data with the symmetric key generated by the cdsso_key_gen utility. This key file is shared and its location is stored in the [cdsso-domain-keys] stanza of the pdwebpi.conf configuration file on the plug-in front-end web servers in both domain A and domain B.

The token contains a configurable timestamp (authtoken-lifetime) that defines how long the token is valid. Setting this timestamp correctly helps prevent replay attacks.

3. The plug-in server in domain A redirects the request, with the encrypted token, back to the browser and then on to the plug-in server in domain B (HTTP redirect).

4. The plug-in server in domain B uses its own copy of the same key file to decrypt and validate the token from the referring domain.

The domain B plug-in server now calls the CDSSO authentication mechanism library. Internally, this CDSSO library calls the custom CDMF library, which performs the actual user mapping (cdmf_map_usr).

The CDMF library passes the user identity and any extended attribute information back to the CDSSO library. The CDSSO library uses this information to build a credential.

5. The authorization service in domain B permits or denies access to the protected object based on the user's credential and the ACL permissions associated with the requested object.

Figure 8. CDSSO process flow.

Enabling and disabling CDSSO authentication

The [common-modules] stanza of the pdwebpi.conf configuration file defines the use of all authentication methods. To enable CDSSO authentication, assign the entry cdsso to the authentication parameter:

[common-modules]
authentication = cdsso

When CDSSO authentication is used, the plug-in must also be configured for CDSSO post-authorization processing. Add the post-authzn parameter to the [common-modules] stanza of pdwebpi.conf as shown:

[common-modules]
authentication = cdsso
post-authzn = cdsso

The [modules] stanza of the pdwebpi.conf configuration file defines all the available authentication mechanisms and the names of their associated shared libraries. Make sure the cdsso entry exists:

[modules]
cdsso = pdwpi-cdsso-module

Encrypting the authentication token data

The plug-in must encrypt the authentication data in the token with a key generated by the cdsso_key_gen utility. This key is installed by sharing the key file between the plug-in front-end web servers in each participating domain. Every participating plug-in server in each domain must use the same key.

Note: Creating and distributing the key file is not part of the Tivoli Access Manager CDSSO process.

When you run the cdsso_key_gen utility, it requires the location of the key file as an absolute path name:

UNIX:
# cdsso_key_gen absolute-pathname

Windows:
MSDOS> cdsso_key_gen absolute-pathname

Enter the location of this key file in the [cdsso-domain-keys] stanza of the pdwebpi.conf configuration file on each participating plug-in server in each domain. The [cdsso-domain-keys] stanza takes its name from the pdwpi-cdsso-module name defined in the [modules] stanza; its format is [cdsso-module-name-domain-keys]. The domain key can be specified per virtual host by creating a [cdsso-module-name-domain-keys:virtual-host-name] stanza. Each entry consists of the domain name and the key file location:

[cdsso-domain-keys]
domain-name = keyfile-location

Domain A configuration example:

[cdsso-domain-keys]
www.domainB.com = pathname/A-B.key

Domain B configuration example:

[cdsso-domain-keys]
www.domainA.com = pathname/A-B.key

In the example above, the A-B.key file is generated on one machine (for example plug-in A) and copied manually, and securely, to the other machine (for example plug-in B). Anyone who holds this key can forge a token for any user in either domain, so protect the file with the same care as a server private key.

dCnF1dAG

nF|,;vIdCD1dAG,C1dAG(eO$nFDzfZ#;)1dAG

Q}Z,MO*CnF^'"R;I9C#C1dAG(}hC;vc;LD5T@

9nF;T"ZdzfZZ;XE,4oz@9XE%w#

;Z pdwebpi.conf dCD~D [cdsso] ZPD authtoken-lifetime N}hCnFD

zfZ5#C5Tkm>#1!5* 180:

[cdsso]
authtoken-lifetime = 180

IT?vibwzXhK5#Xk<GNkDr.dD1S+n#

ZO$nFP|,>$tT

I(}Ze~dCD~D [cdsso-token-attributes] ZP8(>$tT4+|G|,Z

CDSSO nFP#*|,DtTIyZTHrr?vr8(#v1}Z9C1! SSO n

F4(M{Db1KZPPvD>$tTEG`XD#g{Z CDSSO $5nFP;h

*>$tT,rI+KZtU#

KZD1!{FSZ [modules] ZP(eD pdwpi-cdsso-module D#i{FIzx4#

|Dq=* [cdsso_module_name-token-attributes]#

1!ivB,[cdsso-token-attributes] ZPD5gyPibwz9C,"I(}4(

[cdsso_module_name -token-attributes:virtual_host] ZT?vibwzXhC5#

Cu?Dq=*:domain_name = pattern1, pattern2, ... pattern n#

k?jwzrrD8(#=%dD>$tT|,Z*C?jwzrr9lD CDSSO $

5nFP#T?vtTv9C;v5,"R;'VV{.5#+vTd|`MD>$

tT5#ICkZ 191 3D=< E, :}rmo=PJmDXbV{;P5wDV{.

%dD#=48(#=#

}g:

[cdsso-token-attributes]
ibm.com = attrprefix_*, *name*
tivoli.com = *_attrsuffix, some_exact_attribute

I9C>ZPD <default> u?4dC1!tT/#1;Pd|u?kX(D?jwz

%d1,r9CK1!tT/#g{ <default> u?;fZ,1!ivB;|,NNt

T#

S\M\x4T CDSSO O$nFD>$tT

I(}Z [cdsso-incoming-attributes] ZP8(5,8(*SxkD CDSSO O$n

FS\M\xD>$tT#k+vDtTdC;,,^(yZTHrr?vrdCx

ktT#vIdC;vtT#=/,"R^[4gN,b)#=<+&CZxkDn

F(x;\b)nF4TN=)#v1}Z9C1! SSO nF4(M{DbxPK&

m#KZD1!{FS [modules] ZP(eD pdwpi-cdsso-module D#i{FIzx

4#|Dq=* [cdsso_module_name-incoming-attributes]#1!ivB,KZPD5

gyPibwz#+G,I(}dC

[cdsso_module_name-incoming-attributes:virtual_host]ZT?vibwzXh|G#

KZPu?Dq=*:


attribute_pattern = preserve|refresh

ZwC CDMF bT+6LC'3d=>XrP0,S CDSSO nFP}%k refresh u

?%dDtT##tk preserve u?%dDtTrkNNu?<;%dDtT#g{4

dCNNu?,r#tyPtT#

8( sso-create M sso-consume b

*8( sso-create M sso-consume b,k`-e~dCD~#Z

[authentication-mechanisms] ZP,!{ sso-create M sso-consume u?D"M"m

SJOZYw53`MDe~JO*F cookie bD{F#

1!dCD~u?*:

[authentication-mechanisms]
sso-create = /opt/pdwebrte/lib/ibssocreate.so
sso-consume = /opt/pdwebrte/lib/libssoconsume.so

r_,QzI;v5V sso-create M sso-consume &\D(Ff>D CDAS b1,+

(F CDAS D{Fw*dCD~X|V5ek#}g,g{T sso-create zIK;v

(FD CDAS,kdkxT76{:

[authentication-mechanisms]
sso-create = /dir_name/custom_cdas_sso-create.so

m> CDSSO 4S

=Z~v2+rODJ4D4SXk|,;vXbD CDSSO mo=,Cmo=9Cd

CD~D [cdsso] ZPD uri N}dC#1!5* /pkmscdsso:

/pkmscdsso?destinationURL

1dC*Z(s#i1,T /pkmscdsso?remote-uri Dks+QM'zX(r=

remote-uri?PD-REFERER=this-host&argument=authentication-token

9C pdwebpi.conf dCD~PD [cdsso] ZPD cdsso-argument N}dC8(O

$nFDi/V{.N}D{F#1!5* PD-ID#IT?vibwzXhK5#

;&Z9C(F SSO 4(/{Db1|D cdsso-argument N}D1!5 PD-ID#

9Ca)D SSO 4(/{Db1,Xk9C1!5 PD-ID#

#$O$nF

1O$nF;|,O$E"(gC'{M\k)1,|;|,ZSUrPIEDC'

j6#rKXk#$nFTm;;T!MXE#

(}9C SSL 4#$e~v? Web ~qwMC'.dD(E,I#$nF;;S_

7PT!#nFI\;SC'D/@wz7G<P;[-TXT!#nFOD1dA

G&c;LT9CZnFDzfZZ;I\T!MXEnF#

+G,d1dAGQ=ZDnFT;W\\k%w#g{C4S\nFD\?;"V

r9\,rqbC'I9(dT:DnF#

;sI+b)nFek=0pseudo-CDSSO w1P#^(+|GM CDSSO rPNkD

e~~qwDf5O$nFxPxV#rK,2Xkww\mC4#$nFD\?,

"(ZxP|D#


gSgx%;"a

Tivoli Access Manager Plug-in for Web Servers gSgx%;"a&\JmC'g`v

rPD`v~qwCJJ4x^hXBO$#

0gSgx1G;iNkL5X5D;,Dr(Tivoli Access Manager r DNS)#b)

NkDrITdC*;nL5D;?V("RIZXm-rI\9C;,D DNS {

F),rdC*5P2mX5D;,5q(}g+>\?"KY#U+>MFq\m

+>)#

ZN;=8P,\P;vr8(*0w1r0yP_1r#ZNk5qDivB,w

r5P\mgSgxDL5-i#

Z=V=8P,XZNkgSgxDC'DO$E"(|(CZO$DC'{M\

k)GZwrP,$D#bV2EJmT\mJbD%c}C,}ggSgxPDo

z@fwC,|G<8rwr#

w*!q,ITC Tivoli Access Manager Web Portal Manager /ITKE"D\m,

byNkr:p\mdT:DC'#

wr05P1C' - 4XFC'DO$E"#^[C'ZN&ksJ4,wr<UG

C'XkxPO$DX=#

TwO$~qw(MAS)xPO$ - ;ZwrP"RdC*O$yPC'D~qw

(r1>~qw/O)#MAS D0p&^F*a)O$~q#MAS ;C|,TC'I

CDJ4#

C'r MAS I&O$.s,MAS zI$5nF#KnF+XC'"vksD~qw#

~qw+K$5nFS*$w,$5C'QI&r MAS O$"ITNkgSgx#

gSgxr.dDE"*FZZ 133 3D:gSgx%;"a&mwL;;ZPj8

hv#

gSgx%cO$&\M*sgSgx%;"aPgB&\M*s:

v gSgx&\'V9CJ4D1S URL(i))xPCJ#

v 5VgSgx*sTNkgSgxDyPrPDyPe~xP;BDdC#

v NkgSgxDyPC'T;ZwrPD%vwO$~qw(MAS)xPO$#

v g{C';P MAS DP'J',rgSgx5VJmZ6LrPxP0>X1O

$#

ksG MAS(+Nk)rPDJ41,r MAS O$'\DC'IT!qr"vk

sD>X~qwO$#

v MAS(nsG6LrPd|y!~qw)$5C'DQO$j6#

v rX(D cookie CZj6ITa)$5~qD~qw#bJm6LrPD~qwZ

>Xks$5E"#gSgx cookie DS\Z];|,C'j6r2+TE"#

v XbnFCZ+]S\D0$51C'j6#$5nF;|,5JDC'O$E"#

j{TI2m\?a)(}X DES)#nF|,^FnFP'TVx1dD,1(P

'Z)5#


v HTTP M HTTPS O<'VgSgx5V#

v gSgxDdCZ?vNke~D pdwebpi.conf D~PhC#

gSgx%;"a&mwL

gSgxIe~v?wO$~qw(MAS)Mw*gSgxD=Se~v?~qwi

I#gSgx%;"abv=89Ik WebSEAL #$DJ4;%Yw#

gSgxD5VyZ$553#(#,14O$C'(}e~ksJ41,aa>{

Ga)O$E"#ZgSgxdCP,e~~qwj6$5~qw"SK$5~qw

ksC'QO$Di$#$5~qwf"C'DP'>$E"#

TZC'DZ;Nks,$5~qw<UG MAS#MAS Lxd1;ZwrPDJ4D

$5~qw#fEC'LxZgSgxZksJ4,?v6LrPD%v~qw<I

T*C'9(dT:D>$(y]4T MAS DC'j6E"),"#NdrPJ4D

$5~qwG+#

TO>}T>fZZgSgxPD=vr,IBM rM Lotus r#TBxLZC'Z;

NG<=gSgxPD2+ Web >c1"z:

1. C'ksT Web ~qw ww1.ibm.com ODJ4xPCJ#e~9Xks"7O

ww1.moo.com QdCI Tivoli-IBM-Lotus gSgxD;?V#S ww1.ibm.com d

CPj6gSgxPD MAS ~qw#

2. ks+]= MAS - www.tivoli.com#MAS zm ww1.ibm.com O$ks,")"$

5nF,KnFI*C'DgSgxj6#nFPDC'j6E"GS\D#

< 9. G<=gSgx#


3. MAS +$5nF"M= ww1.ibm.com#ww1.ibm.com +K$5nFS*$w,$5

C'QI&r MAS O$,VZITyZ#fZ(XFCJyksDJ4#

gSgx cookie

v gSgx cookie GIe~hCDX(ZrD cookie /O,f"ZC'/@wDZf

P,"ZsxksP+M=d|e~5}(,;rP)#

v X(ZrD cookie |,$5~qwD{F"gSgxj6"$5~qwD;C

(URL)M&\T0P'Z5#cookie ;|,C'E"#

v gSgx cookie JmNkrPD~qwZ>Xks$5E"#MAS y(;DrDg

Sgx cookie DwC;Pb4X*#

v cookie _PZ pdwebpi.conf dCD~PhCDP'Z(,1)5#KP'Z58(

6L~qwIT*C'a)$5E"D1d$H#cookie P'Z=Z1,C'XkX

(r MAS TxPO$#

v XU/@w1,cookie SZfe}#g{C'SX(rP"z,rgSgx cookie 2

G*U#KYwP'X+dS/@wP}%#

$5ksM&p

gSgx$5Ywh*(CD&\,K&\(}=vXb9lD URL CJ:$5ks

M$5&p#b) URL GZgSgx$5 HTTP X(rZdy] pdwebpi.conf PD

dCE"9lD#

$5ksC'S;|,dNN>$E"D?j~qw(*gSgxdC)ksJ41,%"$

5ks#~qwr$5~qw(MAS rgSgx cookie P8(D~qw)"M HTTP

X(r#

$5ks|,TBE":

https://vouch_for_server/pkmsvouchfor?ecommunity_name&target_url

SU=~qwli ecommunity_name Ti$gSgxj6#SU=~qw9C$5&p

PD target_url +/@wX(r=-HksD3f#

pkmsvouchfor $5 URL GIdCD#

}g:

https://www.tivoli.com/pkmsvouchfor?companyABC&https://ww2.lotus.com/index.html

$5&p

$5&pG$5~qwT?j~qwDl&#

$5&p|,TBE":

https://target_url?PD-VFHOST=vouch_for_server&PD-VF=encrypted_token

PD-VFHOST N}8(4P$5YwD~qw#SU=(?j)~qw9CKE"!q

b\$5nF(PD-VF)yhD}7\?#PD-VF N}zmS\D$5nF#

}g:

https://ww2.lotus.com/index.html?PD-VFHOST=www.tivoli.com&PD-VF=3qhe9fjkp...ge56wgb


$5nF

*5Vgr%c"a,XkZ~qw.d+d;)C'j6E"#KtPE"IX(

r&m,X(r|,S\w* URL ;?VDj6E"#KS\}]F*$5nF#

v nF|,$5I&r'\4,"C'Dm](g{I&)"4(nFD~qwD+

^({F,gSgxj6T04(1d5#

v P'$5nFDVP_IT9CKnFZ~qwO(";va0(T0>$/

O),x;XT=rK~qwO$#

v nF9C2mD}X DES \?S\,rKITi$df5T#

v S\DnFE";f"Z/@wO#

v nF;+];N#SU=~qw9CKE"ZdT:D_Y:fP9(C'>$#

~qw+b)>$CZ,;a0PKC'TsavDks#

v nF_PZ pdwebpi.conf dCD~PhCDP'Z(,1)5#K5I\\L(8

k)TuYXE%wD#U#

":nF2+TQZe~ 4.1 "PfPxPKDx#b)Dx;\M Tivoli Access

Manager 3.9 nF`k#=2,9C#*K\;Lxk 3.9 Tivoli Access Manager

Web 2+Tz72,9C,k+ [pdweb-plugins] ZPDdCN}

pre-410-compatible-tokens hC* true#KN}GxL6D,;\yZ?vib

wz8(#

S\$5DnF

Tivoli Access Manager Plug-in for Web Servers Xk9CI;Z pdwebrte/bin ?<D

cdsso_key_gen 5CLrzID\?S\nFPDO$}]#Xk(}M?vNkr

PD?ve~~qw2m\?D~0,=1\??#?vrPD?vNkDe~~q

wh*9C,;\?#

":4(MV"\?D~;G Tivoli Access Manager gSgxxLD;?V#XkV

/+\?2+4F=?vNkD~qw#

KP cdsso_key_gen 5CLr1,CLr*sz8(K5CLrD+76M\?D~

D;C(xT76{):

UNIX:

# /opt/pdwebrte/bin/cdsso_key_gen absolute_pathname

Windows:

MSDOS> install_path/pdwebrte/bin/cdsso_key_gen absolute_pathname

S\\?Z pdwebpi.conf dCD~D [ecsso-domain-keys] ZPdC#KdCDj

8E"|,ZB;ZP,:dCgSgx;#

dCgSgx>Z4igSgx5Vh*DyPdCN}#b)N};Z pdwebpi.conf D~P#X

k*gSgxPD?ve~P8dCKD~#


tCM{CgSgxI1

pdwebpi.conf dCD~PD [common-modules] Z(eKyPO$=(D9C#*

9e~~qwIZgSgxZxPYw,k+u? ecsso 8(x authentication M

pre-authzn N},gBy>:

[common-modules]
authentication = ecsso
pre-authzn = ecsso

*G MAS gSgxI1xPdC1,ecsso O$XkEHZd|O$zF;4,Xk

ZO$#iPmPDd|O$#=.08( ecsso#xR,g{ ecsso #iEHZCH

1!5 1 |_DO$6p8(DO$#i,r ecsso #i>mXkAYdC*,;O

$6p#

pdwebpi.conf dCD~PD [modules] Z(eyPICDO$zF0dX*D2mb

{F#7#gSgx SSO Du?fZ:

[modules]
ecsso = pdwpi-ecsso-module

e-community-name

e-community-name N}j6~qwytDgSgxD{F#}g:

[ecsso]
e-community-name = companyABC

gSgxyPI1D e-community-name 5Xk`,#

is-master-authn-server

KN}j6C~qwGqG MAS#I\D5* yes r no#TZgSgx MAS,N}

hCgB:

[ecsso]
is-master-authn-server = yes

`ve~ITdC*wO$~qw,;sEZ:X=bw.s#ZK=8P,gSg

xPDd|yPe~~qw<+:X=bw6p* MAS#

g{ is-master-authn-server hCI yes,rK~qw+S\4Td|e~5}D$5

k s , b ) e ~ 5 } D e - c o m m u n i t y - n a m e ` , , " R d r \ ? P Z

[ecsso-domain-keys] ZP#

master-authn-server

g{ is-master-authn-server N}hC* no,rXk!{"M"8(

master-authn-server N}#KN}j6gSgx MAS D+^(r{#}g:

[ecsso]
master-authn-server = www.tivoli.com

master-http-port

VdwO$~qwCZSU HTTP ksDKZE#g{KZE;Gj<KZ 80,rX

kZK8(Gj<KZE#

[ecsso]
master-http-port = port_number


master-https-port

VdwO$~qwCZSU HTTPS ksDKZE#g{KZE;Gj<KZ 443,r

XkZK8(Gj<KZE#

[ecsso]
master-https-port = port_number

vf-token-lifetime

KN}hC$5nFDP'Z,15(k)#y] cookie OD4(1dAGliK5#

1!5* 180 k#Xk<GNk~qw.dD1S+n#1!ivB,N}hCgB:

[ecsso]
vf-token-lifetime = 180

vf-url

KN}8($5 URL#K5XkT}1\(/)*<#1!hC5*:

[ecsso]
vf-url = /pkmsvouchfor

2ITm>)9 URL:

vf-url = /ecommA/pkmsvouchfor

vf-argument

vf-argument N}D5GvVZ$5&pPD$5nFDN}{#;P}Z9C(F4

(M{D#i"R9C;,DN}{4m>$5nF1,E&|D PD-VF D1!5#

MAS 9CC549($5&p,"INkD ECSSO ~qwC4+xkDksxp*

xP$5E"Dks#

[ecsso]
vf-argument = PD-VF

allow-login-retry

1C'4PK;I&DG<1,9CyZC'{/\kDO$#=D MAS _P=v!

n:|I\a>C'YNdkd>$,r_|I\9C'"4X(rX{Gnu"T

CJD~qw,x;$5KC'#Zs;VivB,?FC'1SrSt~qwO

$#allow-login-retry N}Z MAS &XFCP*#CN}vJCZ ecsso gxP MAS

DdC#

":C'IT"TXBhC=ZD\k#

Z MAS &"zDd|G<JO(}gJ'x()<B"4X(rXSt~qw,k

allow-login-retry N}D5^X#1!ivB,N}hCgB:

[ecsso]
allow-login-retry = true

use-utf8

KN}XF ECSSO $5nFMgSgx cookie ZDV{.`k#KN}D5;0l

I1! SSO 4(M{Db4(M{DD$5nF#

[ecsso]
use-utf8 = true

ecsso r\?

dCD~D [ecsso-domain-keys] ZP(eDG\?D~D;C,T MAS M6Lr

PNkD~qw.dDnFxPS\Mb\1h*b)\?D~#dC MAS |(*?


vdGwDr(e\?#dC MAS TbDgSgxI1|(*rM MAS (e\?#

Xk*~qw8(+^(r{,"*\?D~;C8(xT76{#

TB MAS dC>}T;Z tivoli.com rZD MAS a)\?D~,CZk=v6Lr

(E:

[ecsso-domain-keys]
ibm.com = /abc/xyz/ibm-tivoli.key
lotus.com = /abc/xyz/lotus-tivoli.key
tivoli = /abc/xyz/tivoli.key

":ZOv>}P,_PCZZ tivoli rPD~qw.d;;}]D tivoli.key G\X

|D#

dCrPD~qw|(8( MAS rMCZk MAS ;;E"D`&\?#rP~qw

.dD}];;2h*\?#}g:NkgSgxDrPD~qwD

[ecsso-domain-keys] ZI\gB:

[ecsso-domain-keys]
#the key for data exchange between the MAS (tivoli.com)
#and the ibm.com domain servers
tivoli.com = /abc/xyz/ibm-tivoli.key
#the key for data exchange between servers in the ibm.com domain
ibm.com = /abc/xyz/ibm.key

Z$5nFP|,>$tT

I(}Ze~dCD~D [ecsso-token-attributes] ZP8(>$tT+|G|,Z

eCSSO $5nFP#*|,DtTIyZTHrr?vr8(#v1}Z9C1! SSO

nF4(M{Db1KZPPvD>$tTEG`XD#g{Z eCSSO $5nFP;

h*>$tT,rI+KZ#t*U#

KZD1!{FSZ [modules] ZP(eD pdwpi-ecsso-module D#i{FIzx4#

|Dq=* [ecsso_module_name-token-attributes]#

1!ivB [ecsso-token-attributes] ZPD5gyPibwz,"I(}4(

[ecsso_module_name-token-attributes:virtual_host] ZT?vibwzXh#

Cu?Dq=*:domain_name = pattern1, pattern2, ... pattern n#

k?jwzrrD8(#=%dD>$tT|,Z*C?jwzrr9lD eCSSO $

5nFP#T?vtTv9C;v5,"R;'VV{.5#+vTd|`MD>$

tT5#ICkZ 191 3D=< E, :}rmo=PJmDXbV{;P5wDV{.

%dD#=48(#=#

}g:

[ecsso-token-attributes]
ibm.com = attrprefix_*, *name*
tivoli.com = *_attrsuffix, some_exact_attribute

I9C>ZPD <default> u?4dC1!tT/#1;Pd|u?kX(D?jwz

%d1,r9CK1!tT/#g{ <default> u?;fZ,1!ivB;|,NNt

T#

S\M\x4T$5nFD>$tT

I(}Z [ecsso-incoming-attributes] ZP8(5,8(*SxkD$5nFS\M

\xD>$tT#k+vDtTdC;,,^(yZTHrr?vrdCxktT#


vIdC;vtT#=/,"R^[4gN,b)#=<+&CZxkDnF(x;

\b)nF4TN=)#v1}Z9C1! SSO nF4(M{DbxPK&m#KZD

1!{FSZ [modules] ZP(eD pdwpi-ecsso-module D#i{FIzx4#|Dq

=* [ecsso_module_name-incoming-attributes]#1!ivB,KZPD5gyPib

wz#+G,I(}dC [ecsso_module_name-incoming-attributes:virtual_host] ZT?v

ibwzXhb)5#

KZPu?Dq=*:

attribute_pattern = preserve|refresh

ZwC CDMF bT+6LC'3d=>Xr0,S eCSSO $5nFP}%k refresh

u?%dDtT##tk preserve u?%dDtTrkNNu?<;%dDtT#g{

4dCNNu?,r#tyPtT#

8( sso-create M sso-consume b

*8( sso-create M sso-consume b,k`-e~dCD~#Z

[authentication-mechanisms] ZP,!{ sso-create M sso-consume u?D"M"m

SJOZYw53`MDe~JO*F cookie bD{F#

1!dCD~u?*:

[authentication-mechanisms]
sso-create = /opt/pdwebrte/lib/ibssocreate.so
sso-consume = /opt/pdwebrte/lib/libssoconsume.so

r_,QzI;v5V sso-create M sso-consume &\D(Ff>D CDAS b1,+

(F CDAS D{Fw*dCD~X|V5ek#}g,g{T sso-create zIK;v

(FD CDAS,kdkxT76{:

[authentication-mechanisms]
sso-create = /dir_name/custom_cdas_sso-create.so

t4\}7dC ecsso \?,re~U>D~PazI/f#

dCgSgx%;"a - >}

TB>}P,P=vQdCDgSgx(lotus-domino M ibm-db2)T0O$b=vg

xDksD%v MAS#


TBu~JCZK>}:

v www.tivoli.com G=vgSgxD MAS#

v lotus-domino gSgxPfZ=v;,Dr(rcp{?vrPP;v~qw)-

domino.com M lotus.com#CJb)rdP.;DC'IT;hXBO$MCJd|

r,r*yPDCJ<G(} MAS Z(D#

v ibm-db2 gSgx|,=v;,Dr - ibm.com M db2.com#CJb)rdP.;

DC'IT;hXBO$MCJd|r#

v CJ ibm.com ~qw.;DC'IT9C$5nFCJm;v~qw#ZKivB,

;h* MAS ZhCJ(MIT5V%;"a#

ZTO>}P,TBdC!nJC:

dC MAS - www.tivoli.com

r* MAS G`vgSgxDXFPD,yTh*dC ecsso #iD=v;,

5}"(e MAS X~h*DgSgx{F#MAS h*Q8(dXFDyPg

xPDwrDyP\?#gBy>hCdC:

[modules]
ecsso1 = pdwpi-ecsso-module
ecsso2 = pdwpi-ecsso-module

[common-modules]
authentication = ecsso1
authentication = ecsso2

pre-authzn = ecsso1
pre-authzn = ecsso2

[ecsso1]
e-community-name = lotus-domino
is-master-authn-server = yes
--HH

< 10. gSgx%;"adC>}


[ecsso2]
e-community-name = ibm-db2
is-master-authn-server = yes
--HH

[ecsso1-domain-keys]
# one key for each domain the MAS controls
domino.com = /abc/tivolikeys/tivoli-domino.key
lotus.com = /abc/tivolikeys/tivoli-lotus.key
db2.com = /abc/tivolikeys/tivoli-db2.key
ibm.com = /abc/tivolikeys/tivoli-ibm.key

dC www.domino.com

[modules]
ecsso = pdwpi-ecsso-module

[common-modules]
authentication = ecsso
pre-authzn = ecsso

[ecsso]
e-community-name = lotus-domino
is-master-authn-server = no
master-authn-server = www.tivoli.com
.....etc

[ecsso-domain-keys]
#key for encrypting/decrypting data
#between servers in the domino.com domain
domino.com = /abc/domino-keys/domino.key
#key for encrypting/decrypting data between
#servers in the domino.com domain and the MAS
tivoli.com = /abc/domino-keys/tivoli-domino.key

dC www.lotus.com

}Kr\?;,b,5VT www.lotus.com xP%;"aDdCN}M*

www.domino.com dCDN}`,#www.lotus.com Dr\?dCgB:

[ecsso-domain-keys]
#key for encrypting/decrypting data
#between servers in the lotus.com domain
lotus.com = /abc/lotus-keys/lotus.key
#key for encrypting/decrypting data
#between servers in the lotus.com domain and the MAS
tivoli.com = /abc/lotus-keys/tivoli-lotus.key

dC www.db2.com

[modules]
ecsso = pdwpi-ecsso-module

[common-modules]
authentication = ecsso
pre-authzn = ecsso

[ecsso]
e-community-name = ibm-db2
is-master-authn-server = no
master-authn-server = www.tivoli.com
.....etc

[ecsso-domain-keys]
#key for encrypting/decrypting data
#between servers in the db2.com domain
db2.com = /abc/db2-keys/db2.key
#key for encrypting/decrypting data between
#servers in the db2.com domain and the MAS
tivoli.com = /abc/db2-keys/tivoli-db2.key

dC ww1.ibm.com

T ww1.ibm.com DgSgx%;"adCMT www.db2.com D`,#h*=

v\?,;vCZ MAS M ibm.com r.d}]DS\/b\,m;v\?C

Z ibm.com rZ?~qw.d}]DS\/b\(4K>}PD ww1.ibm.com

M ww2.ibm.com)#

[ecsso-domain-keys]
ibm.com = /abc/ibm-keys/ibm.key
tivoli.com = /abc/ibm-keys/tivoli-ibm.key

dC ww2.ibm.com

ww2.ibm.com D\?(eM ww1.ibm.com D`,#

[ecsso-domain-keys]
ibm.com = /abc/ibm-keys/ibm.key
tivoli.com = /abc/ibm-keys/tivoli-ibm.key


Z 7 B &CLr/I

Tivoli Plug-in for Web Servers (}73d?M/, URL \&'VZ}=&CLr/

I#e~)973d?M HTTP 7D6'T9Z}=&CLrITyZM'zj64P

Yw#Kb,e~Ia)T/, URL(gG)|,i/D>D URL)DCJXF#

>B|(TBwb:

v :,$M'zMsK&CLr.dDa04,;

v Z 145 3D:a)T/, URL DCJXF;

,$M'zMsK&CLr.dDa04,

gZZ 44 3D:\ma04,;Py>,Tivoli Access Manager for Web Servers I9

CwV;,DE"(} HTTP M HTTPS ,$kM'z.dDa0D4,#e~2IT

sK&CLra)C'a0E"TcsK&CLrI,$kM'z.dDa0D4

,#TbV==a)C'a0E",a)K;Vj6C'a0MZe~#$D&CL

rDksB>}C'a0D\&D=(#

g{M'zM~qw.d;fZQ("a04,,rXk*?vsLksXB-LM

'zM~qw.dD(E#(}{}TM'z/~qw,SDX4XUMX4r*,

a04,E"IDFT\#M'zI;NG<""vs?ks,x^h*?vks4

P%@DG<#

tCC'a0j6\m

e~dCD~D [performance] ZPD add-session-id-to-cred N}JmzZ"vk

sD?vM'z>$PtCM{C(;C'a0j6D4(#1!5* true(tC):

[performance]
add-session-id-to-cred = true

*{C(;C'a0j6D4(,k+ add-session-id-to-cred hC* false#

(;C'a0j6w*xP;v{FM5D)9tTf"ZC'>$P:

tagvalue_user_session_id = user-session-id

Z>$TmP,>$)9tT{(user_session_id)xP0tag value10:T>,C0:

I9CdCD~D [pdweb-plugins] ZPD tag-value-prefix N}dC#8(0:I

@9k>$PDd|VPE""zNNe;#

C'a0j6D5G(;j6QO$C'DX(a0DV{.#CC'a0j6G;

v|(e~5}{(T'V`ve~>})MCC'Dj<e~a0j6D MIME-64 `

kV{.#

`NG<D%vC'(}g,S;,zwOG<)P`ve~a0j6#r*C'a

0j6yZe~a0j6,yTZ|G.dfZ;T;D3d#+(;DC'a0j

6f"*C'>$DtT#bJm+C5w* HTTP 7(9CjG - 5&\)gac

+],"9.TsK&CLrIC#

© Copyright IBM Corp. 2000, 2003 143

+>$}]ek= HTTP 7P

C'a0\mD?jGT&CLr~qwa)(;DC'a0j6#K?j(}dC

TsD HTTP-Tag-Value )9tT4jI#

9C pdadmin object modify set attribute |nZe~#$DTsUdPhCTsD)9

tT#

pdadmin> object modify object_name set attribute attr_name attr_value

tT(0attr-name1)9e~\;4PX(`MD&\#HTTP-Tag-Value tT9e~

\;S>$)9tTPi!5"Z HTTP 7P+C5"M=~qw#

HTTP-Tag-Value )9tTD59CTBq=:

credential_extended_attribute_name=http_header_name

TZC'a0j6}],credential_extended_attribute_name u?kZdCD~P8(D

user_session_id )9tT{F`,,+;PQdCD0:#Cu?;xVs!4#K)

9tTD5|,(;DC'a0j6#

http_header_name u?8(C4+]}]D HTTP 7D{F#ZK>}P,9CF*

PD-USER-SESSION-ID D7:

pdadmin> object modify /PDWebPI/host set attribute \
    HTTP-Tag-Value user_session_id=PD-USER-SESSION-ID

1e~&m=sK&CLr~qwDC'ks1,|iRTTsdCDNN

HTTP-Tag-Value )9tT#

ZK>}P,e~Z"vksDC'D>$PiR"SC>$PD

tagvalue_user_session_id )9tTi!C'a0j65,"+C5E= HTTP 7P,

gBy>:

PD-USER-SESSION-ID:user_session_id_number

\a:

Te~TshCD HTTP-Tag-Value tTD5:

user_session_id=PD-USER-SESSION-ID

vVZC'>$PDtT{FM5: tagvalue_user_session_id:user_session_id_number

HTTP 7{FM5: PD-USER-SESSION-ID:user_session_id_number

g{sK&CLrG CGI &CLr,rC CGI f6TBPq=8v CGI LrI+

HTTP 7w*73d?q!:

HTTP_HTTP_header_name

}g:

HTTP_PD-USER-SESSION-ID=user_session_id

U9C'a0

C'a0j6\m&\IC4U9C'a0,Yha)K(;DC'a0j6r Tivoli

Access Manager C'{#IS PDADMIN |nP(9C~qwNq)KPb)|n,


+b)|nGhFCZ(} PDAdmin API IsK&CLr9CD#9CC'a0j6

U9a0+9e~!{CC'a0j6yj6D%va0#,;C'Dd|a0IL

x#

9C Tivoli Access Manager C'{U9a0+9e~!{x(C'{5PDyPa0#

g{CC'QS;,D;Cr;,D/@w`NG<,K|nI\axm`a0#

C'I(} pkmslogout |nU910a0#Kb,C'a0j6PDE"Jm\m1

MsK&CLrzYM\mC'#TBhvGZ\m6pU9C'a0D=V=(:

\m1I9C pdadmin 5CLrU99CCC'j6D%vC'a0#

pdadmin> server task pdwebpi-plugin-instance-name terminate all_sessions user-id

gOy>9C all-sessions |n,ZCzwODyPibwzOU98(C'D?v

a0#

I9C -vhost N}E/K|n,TZX(ibwzOU9X(C'DC'a0,gBy

>(kw*;Pdk):

pdadmin> server task pdwebpi-plugin-instance-name terminate all_sessions user-id -vhost "virtual-host-name"

a)T/, URL DCJXF

Tivoli Access Manager Plug-in for Web Servers IyZ{vksV{.x;;GTsD

URL D#=%d+(^&CZ Web Ts#TZ/,zI URL Tl&?vT;h*P

&D#$T@9;Z{D9CrCJDC'ks,bG\PCD#bZ+;,DmI

(8(x;,DE>=(12\PC#

}g,i/V{. GET /cgi-bin/servercontrol?action=showstatus T GET /cgi-bin/servercontrol?action=shutdown I\P;,D2+T*s#I\h*ZTs

UdP(;Xm>b)ksPD?vks,TcI+;,D_T&C=?vks#

dynurl #iJm(e;v#=/,TkTxkDksxP%d##=k{vksV{.

%d,rKI\ki/V{.PDE"%d#T?v DynURL #=,(e;v Tivoli

Access Manager Ts#KTsvVZTsUdP,Tc_TIk|X*#ZKP1P,

9Ck dynurl #=X*DTsx;GzmC URL DTsTkC#=%dDNbks

xPZ(#(}(e@"%d;,i/V{.D;,#=,I9C;,D Tivoli Access

Manager Ts"&C;,D_T#

dC/, URL

pdwebpi.conf dCD~PD [common-modules] Z(eKyPO$=(D9C#*

TxkDkstC/, URL D#=%d,h*+ dynurl #idC*$Z(#i#b

Jm dynurl #iZ=oZ(}f0|DksDTs#

[common-modules]
...
pre-authzn = dynurl
...

7#Z pdwebpi.conf dCD~D [modules] ZPfZ/, URL Du?:


[modules]
...
dynurl = pdwpi-dynurl-module
...

[dynurl] Z(1!ivB,r_kQdCD#i{F%dDZ{)|,/, URL $Z

(#iD(e#IT?vibwzXhKZ,4 [dynurl:virtual-host]#Z [dynurl] Z

PDu?q=* object = pattern,?vu?Z%@DPP#PmD3r7(&mfrD

3r#ZCZPOgvVDu?EHZOmvVDu?#}g:

[dynurl]
/servershutdown = /servercontrol.asp\?*action=shutdown*
/serverreset = /servercontrol.asp\?*action=reset*
/helppages = *help.html

k"b,Ts<T41\(0/1)*7#OvdCPDns;vu?T>K dynurl #

iDZ~N9C#ZK}P,#=k URL /(yPT help.html axD URL)%d#

ZK}P,DynURL }Z4PS URL = Tivoli Access Manager TsD`T;3d#

kT,;v Tivoli Access Manager TsTF* help.html(^[|GD76gN)D

3fDyPksZ(#Z_P`F{FDD~(I4#=4xPVi),R<P`,

D2+T*sDivB,bI\\PC#+G,k"b,?vQ(eD#=k?vk

s%d,yTu:K?vZ(#

9k"b,9C#= *help.html I\#f=E>D2+T,r*ks

/servercontrol.asp?action=some_other_action&pointless_variable_used_to_evade_acl_attached_to_server_control.asp=help.html

+k *help.html /, URL `%d#rK,+yZ /helppages Tsx;G

/servercontrol.asp Ts@@CJ#`FX,ks

/someotherscript?action=someaction&other_var=help.html

+yZ /helppages Tsx;G /someotherscript TsxP@@#

XZm%%;"adCD~P9CD}rmo=PJmDXbV{DPm,kN<Z

191 3D=< E, :}rmo=PJmDXbV{;#

s`}ivB;h*XbV{,r*G<3fksG%;Ij6D URI#Z3)iv

B,IZmo=Da29C0*1,by URI a2&DNNi/}]<;ah9G<3

f%d#


Z 8 B Z(v_E"lw

>B|,hv Tivoli Access Manager Plug-in for Web Servers IgNa)rq!Z(

v_E"(ADI)DE",b)Z(v_E"G@@#$ Tivoli Access Manager rP

DJ4DZ(fryXhD#

>B|(TBwb:

1. :ADI lwEv;

2. Z 148 3D:Se~M'zkslw ADI;

3. Z 150 3D:SC'>$lw ADI;

4. Z 150 3D:a)JO-r;

5. Z 150 3D:dC/, ADI lw;

ADI lwEv

Tivoli Access Manager Z(fr@@LryZ&CZX(CJv_E"(ADI)D<{

_-4PZ(v_#IZ6IBM Tivoli Access Manager Base \m8O7PR=XZZ

(fr(9C<{_-)D9lMZ(v_E"(ADI)Dj8E"#

ISTB4Plwfr@@yhD ADI:

v IZ(~qw* ADI a)xZ(frDZ(v_N}#

b)N}|(?jJ4(\#$Ts)MTJ44PDksDYw#XZKwbD

x;=E",kN<6IBM Tivoli Access Manager Base \m8O7#

v C'>$

C'>$<UfTZ(fr@@LrD/}wC|,,rK|"4IC#

v J4\mw73(&CLrOBD)

IdCJ4\mw(ge~)TSdTmD73a) ADI#}g,e~P\&a)|

,ZM'zksD3)?VPD ADI#ZZ(frP9CXbD0:T0%"1bV

`MD ADI 4#

v (}/, ADI lw~qDb?4#

I(} AMWebARS Web ~qSb?q! ADI#(}J4\mwDZ(~qwC

AMWebARS Web ~q#4Tb?4D ADI T XML q=5X=Z(fr@@L

r#

Zfr@@Zd,I(}wCQdCCZ/,lw ADI DX(Z(~q/,q!

ADI#wC?v/, ADI lw~q"+ ADI 55X=Z(fr@@Lr#Tivoli

Access Manager a)D/, ADI lw~qD>}G0"amtTZ(~q1(SC

'"amlw ADI 5)M AMWebARS Z(~q(9C AMWebARS web ~ql

w ADI 5)#b=v>}Z Tivoli Access Manager Authorization C Developer’s

Reference PP|j8DV[#


Se~M'zkslw ADI

I+Z(v_E"(ADI)|,Zks7"ksi/V{.Mks POST weP#I4

(}CKZ(v_E"(ADI)DZ(fr#9C}C*q!D ADI DX(Ze~D

XML ]w45VKYw#

pdwebpi.conf dCD~D [aznapi-configuration] ZPD

resource-manager-provided-adi N}(TZ(fr@@}L)8(ICZZ(fr8

(D]w{FPD0:#*8(`v0:,k9C resource-manager-provided-adi N

}D`vu?:

TB]w{F|,JCZCe~D0::

v AMWS_hd_name

ks7]w{F#+ HTTP ksD HTTP 7PD name D5w* ADI 5X=Z(

fr@@Lr#

v AMWS_qs_name

ksi/V{.]w{F#+ksi/V{.P name D5w* ADI 5X=Z(f

r@@Lr#

v AMWS_pb_name

ks POST we]w{F#+ks POST weP name D5w* ADI 5X=Z(

fr@@Lr#

0:ITX(ZNbJ4\mw#`&X,XkhFJ4\mwTJ1l&T ADI D

ks#

`48(M'zksyhD ADI DZ(fr#}g,g{h*+|,Z HTTP 7PD

wz{w* ADI,r+ AMWS_hd_ 0:CZfrP8(D XML ]w{F#KX(Ze

~D0:aQZ(@@}L:IZM'zksPq!yhD ADI,"Re~*@gNi

R"i!M5XK ADI#+ AMWS_hd_host ]w{F"M=e~#e~(}ZM'zk

sPiR0host17"i!kC7`X*D54l& AMWS_hd_host ]w{F#e~+

0host175(w* XML ]w)5X=Z(fr@@}L#Z(fr@@}LZdf

r@@P+C5w* ADI 9C#

>}:Sks7lw ADI

TBZ(fr>}h*M'zDwz{#hCM'zksTZksD0host17P|,

wz{5#ZfrP9C AMWS_hd_ 0:TaQZ(@@}L:IZM'zksPq!

yhD ADI,"Re~*@gNiR"i!M5XK ADI#

<xsl:if test='AMWS_hd_host = "machineA"'>!TRUE!</xsl:if>

Q+e~hF**@gNSksPi! ADI E":

[aznapi-configuration]
resource-manager-provided-adi = AMWS_hd_

e~*@IZks7{F host PR=KE"#e~i!|,Z0host17PD5"+|

5X=Z(@@}L#

g{ZksD0host17Pa)D5*0machineA1,r+Z(fr>}@@*f#


T`FD==,@@Z(fryhDE"I4TZks POST werksDi/V{

.#

>}:Sksi/V{.lw ADI

TBZ(fr>}h*(} GET ksDi/V{.+](*l&m%a;)DM'z

9uzkD{F#M'zkshC*Zksi/V{.D0zip1VNP|,9uzk

5#

https://www.service.com/location?zip=99999

ZfrP9C AMWS_qs_ 0:TaQZ(@@}L:IZM'zksPq!yhD

ADI,"Re~*@gNiR"i!M5XK ADI#

<xsl:if test='AMWS_qs_zip = "99999"'>!TRUE!</xsl:if>

Q+e~hF**@gNSksPi! ADI E":

[aznapi-configuration]
resource-manager-provided-adi = AMWS_qs_

e~*@IZVN{0zip1BDksi/V{.PR=KE"#e~i!|,Z

0zip1VNPD5"+|5XxZ(@@}L#

g{ZksDi/V{.0zip1VNPa)D5*099991,r+Z(fr>}@@

*f#

T`FD==,@@Z(fryhDE"I4TZks POST werks7#

>}:Sks POST welw ADI

TBZ(fr>}h*(} POST ksDwe+](*l&m%a;)D Web :o5

DM'z\:r?D{F#hCM'zksTZks POST wePD0purchase-total1

VNP|,\:r5#

ZfrP9C AMWS_pb_ 0:TaQZ(@@}L:IZM'zksPq!yhD

ADI,"Re~*@gNiR"i!M5XK ADI#

<xsl:if test='AMWS_pb_purchase-total < "1000.00"'>!TRUE!</xsl:if>

Q+e~hF**@gNSksPi! ADI E":

[aznapi-configuration]
resource-manager-provided-adi = AMWS_pb_

e~*@IZVN{0purchase-total1BDks POST wePR=KE"#e~i!|

,Z0purchase-total1VNPD5"+|5X=Z(@@}L#

g{ZksD POST we0purchase-total1VNPa)D5!Z01000.001,r+Z(

fr>}@@*f#

T`FD==,@@Z(fryhDE"I4TZks7rksDi/V{.#


SC'>$lw ADI

I`4Z(fr9C ADI w*>$D;?Vu<a)xZ(fr@@Lr#TZ(~

qDu<wC(azn_decision_access_allowed_ext())5JO|,KC'D>$E"#Z

(fr@@Lr<UiRK>$E"Tq!&mfryhDyP ADI#Z(frI9C

4T>$PDNbVND5,|(ZO$ZdmS=>$D)9tT#

ZZ 89 3D:*>$mS)9tT;P5wKZC'>$P4()9tTD<u#

a)JO-r

Z(frJmzhCXbD"(#G4SDC4XFCJ\#$J4D\&Du~#

+G,'\DZ(v_Dj<a{G#9TXFJ4D~q&CLrDksDxP,

"TM'zT>0{91{"#g{*`4Z(frT|,JO-r,"R(} Tivoli

Access Manager Z(fr@@Lr+Z(fr@@*0Y1,re~SZ(~qSUf

rDJO-rMj<0{91{"#(#vTJO-r"5)0{91v_#

I!q+e~dC*\xKj<l&"Jm\xDksLxKPsK~q&CLr#

CksxPZZ(frPa)DJO-r#;ssK~q&CLrPzakTCiv

LxdTmDl&#9C pdwebpi.conf D~PD [boolean-rules] ZPD

pass-on-rule-failure-reason N}8(KI!DdC#

(#+Z(frk~q&CLraO9C,C~q&CLrImb"&mK|4SD

CJXF6p#Z3)ivB,~q&CLrh*SU; Tivoli Access Manager Z(

~q\xDks#4kbyD&CLrTKbJO-rE",xRCLrIT9C Tivoli

Access Manager Z(fr'\Dksa)dTmDl&#

}g,:o5&CLrD)%&mi~IIZ(frXF,g{\:r[q,}C'

DEC^n,rCZ(fr\x)%Yw#:o5&CLrKb{vksMJO-r

G\X*D#VZ:o5&CLrIT:&mBq"a);vC'QCDl&,g(

iC'!{?V)%#+#tx;GPOkC'D;%#

k<UwX9CK!n#9C~q&CLrD\&,-wZ(frPDJO-rD9

CTbM"l&KE"G\X*D#z;#{bbXvV;Viv,ZCivBTI

^(}7l& AM_AZN_FAILURE 7D&CLryXFDJ4DCJxPZ(#

dC/, ADI lw

I4kh*3)Z(v_E"(ADI)Dfr,b)E"^(Z Tivoli Access Manager

Z(~qICJDNNE"PR=#Zb)ivB,PX*Sb?4lw ADI#Klw

II/, ADI Z(lw~q514P#10f WebSEAL tTlw~qa)D

AMWebARS Web ~qMG;VZ(lw~q#

tTlw~q(ARS)Ze~DZ(~qbMZ(v_E"Db?a)Lr.da)

(EMq=*;~q#B<5wK AMWEBARS Web ~qD&mwL:


&mwL:

1. M'z"vTIZ(fr#$DJ4Dks#

2. Z(fr@@Lr(Z(~qD;?V)7(h*X(Z(v_E"(ADI)Tj

IfrD@@#;\SC'>$"Z(~qre~q!ksD ADI#

3. (}Z(~qb+ ADI lwNq"M= AMWebARS Web ~q#K~q+T ADI

Dksq=/* SOAP ks#+ SOAP ks(} HTTP "M= AMWebARS Web

~qD Web ~qhvoT(WSDL)gf#

4. AMWebARS Web ~q+J1Xq=/Cks,TCZ+a) ADI Db?E*V

v~q#

5. b?E*Vv~q5XOJD ADI#

6. Zm;v SOAP ]wPq=/ ADI "+|5X=e~DZ(~q#VZZ(fr

@@LrQ_PyhDE",I@@fr"wvS\r\x-<M'zksDv

_#

XZ?ptTlw~qDE",kN<6Tivoli Access Manager WebSEAL \m18

O7#

dCe~T9C AMWebARS Web ~q

4PTBNqTdCe~9C AMWebARS Web ~q:

1. Z pdwebpi.conf dCD~P,8(Zfr@@Zdlb=D1YD ADI 1yi/

D/, ADI Z(lw~qDj6{F(ID)#ZKivB,8( AMWebARS Web

~q:

[aznapi-configuration]
dynamic-adi-entitlements-services = AMWebARS

2. Z pdwebpi.conf dCD~P,+QdCD/, ADI Z(lw~qj6CwN}T

8(q=/v> ADI ksMbM+kl&DJ1DZCb:}g:

< 11. tTlw~q&mwL#.


[aznapi-entitlement-services]
dynADI = azn_ent_amwebars

3. Z pdwebpi.conf dCD~P,8(=;Z WebSphere 73PD dynADI Web ~

qD URL(kw*;Pdk):

[amwebars]
service-url = http://websphere_hostname:websphere_port \
    /dynadi/dynadi/ServiceToIServicePortAdapter

4. XBt/e~#


=< A. 9C pdbackup 8]e~}]

pdbackup 5CLr9zIT8]MV4 Tivoli Access Manager }]#pdbackup 5

CLr+8(h*8]DD~M?<D8]PmD~w*N}9C#?vw*D Tivoli

Access Manager i~(}g Base"WebSEAL Me~)<P|T:DPmD~#

pdinfo-pdwebpi.lst D~8( pdbackup 5CLr8]De~D~M?<#

>=<hvgN9C pdbackup 5CLr8]MV4e~}]#pdbackup 5CLr

Dj{N<;Z IBM Tivoli Access Manager Command Reference P#

&\

8]e~}]

pdbackup 5CLr8]|,Ze~8]PmD~ pdinfo-pdwebpi.lst PDD~M?

<DPm#

UNIX:

1!ivB,pdinfo-pdwebpi.lst ;Z /opt/pdwebpi/etc/ P#

1!ivB,zzD8]i5w*%v .tar D~f"Z /var/PolicyDirector/pdbackup

P#

9C8]PmD~{SOUZM1dAG49l1! .tar D~{:

list-file-name_ddmmmyyyy.hh_mm.tar

}g:

pdinfo-pdwebpi.lst_30jul2003.10_39.tar

r_,zIT8(:

v .tar D~D(FD~{(9C -file !n)

K(FD~{;|,UZM1dAG#

v .tar D~D(F?<;C(9C -path !n)

.tar D~DZ]b9u=TB?<:

opt/ var/ tmp/

Windows:

1!ivB,pdinfo-pdwebpi.lst D~;Z

C:\Program Files\Tivoli\PDWebpi\etc\

1!ivB,zzD8]i5w*?<wf"Z

C:\Program Files\Tivoli\PDWebpi\pdbackup\ ?<P#

1! .dar ?<{I8]PmD~{SOUZM1dAG49l:

list-file-name_ddmmmyyyy.hh_mm.dar


}g:

pdinfo-pdwebpi.lst_30jul2003.10_39.dar

.dar D~DZ]b9u=S?<MD~P:

%C%Registry

%C% ?<|,j{D8]w#K?<D{FIe~D~M?<yZD}/wDL{8(

7(#"amD~f""am|(.reg )9{)#

r_,zIT8(:

v .dar ?<i5D(FD~{(9C -file !n)

K(FD~{;|,UZM1dAG#

v .dar ?<i5D(F?<;C(9C -path !n)

V4e~}]

UNIX:

+i5D~M?<S .tar D~V4= /opt/pdwebpi ?<#

Windows:

+i5D~V4=dnuD20?<;C#

o(

PX pdbackup 5CLrDj{N<IZ IBM Tivoli Access Manager Command

Reference PR=#

pdbackup -a backup -l backup-list-pathname \
    [-path custom-pathname] [-file archive-pathname] [-usage] [-?]

pdbackup -a restore -file archive-pathname \
    [-path custom-pathname] [-usage] [-?]

!n hv

-a [backup|restore|extract]    8(8]"V4ri!Yw#

-l backup-list-pathname    8(=8]PmD~(pdinfo-pdwebpi.lst)D+^(76#

-path custom-pathname    CZ8],8((Fi5?<;C#

-file archive-pathname    CZ8],8(i5D~D(F{F# CZV4,8(=*V4Di5D~D+^(76#

I9C|n!n{FDrLm>,+u4Xkw7#}g,Idk a m> action#+

G,b)!nDN}5;\u4#


>}

UNIX >}

1. TB>}9C1!54Pj<8]:

pdbackup -a backup -l /opt/pdwebpi/etc/pdinfo-pdwebpi.lst

bazz{* pdinfo-pdwebpi.lst_date.time.tar DD~,CD~f"Z

/var/PolicyDirector/pdbackup ?<P#

2. TB>}4P8],"+1!i5D~f"Z /var/backup ?<P:

pdbackup -a backup -l /opt/pdwebpi/etc/pdinfo-pdwebpi.lst -path /var/backup

bazz{* pdinfo-pdwebpi.lst_date.time.tar DD~,CD~;Z

/var/pdbackup ?<P#

3. TB>}4P8],"4({* amwebarchive.tar Di5D~:

pdbackup -a backup -l /opt/pdwebpi/etc/pdinfo-pdwebpi.lst -file amwebarchive

1!i5)9{(.tar)7S=(F amwebarchive D~{s#KD~f"Z1!

/var/PolicyDirector/pdbackup ?<P#

4. TB>}S1!?<;CV4Ki5D~:

pdbackup -a restore -file pdinfo-pdwebpi.lst_29Aug2003.07_24.tar

5. TB>}S /var/pdback ?<V4i5D~:

pdbackup -a restore -file /var/pdback/pdinfo-pdwebpi.lst_29Aug2003.07_25.tar

Windows >}

1. TB>}9C1!54Pj<8]:

pdbackup -a backup -l install_path\etc\pdinfo-pdwebpi.lst

bazz{* pdinfo-pdwebpi.lst_date.time.dar DD~,CD~;Ze~D

install_path\pdbackup ?<P#

2. TB>}9C1!i5D~{4P8],"+KD~f"Z C:\pdback ?<P:

pdbackup -a backup -l install_path\etc\pdinfo-pdwebpi.lst -path c:\pdback

3. TB>}4P8],"4({* pdarchive.dar DD~:

pdbackup -a backup -l install_path\etc\pdinfo-pdwebpi.lst -file pdarchive

1!i5)9{(.dar)CZ(F pdarchive D~{#KD~f"Z1!

install_path\pdbackup ?<P#

4. TB>}4P= F: }/wOD \pdback ?<D8]:

pdbackup -a backup -l pdinfo-pdwebpi.lst -path f:\pdback

5. TB>}S1!?<(T>Z=POD;v?<)V4i5D~:

pdbackup -a restore -file install_path\pdbackup\pdinfo-pdwebpi.lst_29Jun2003.07_24.dar

6. TB>}S H:\pdbackup ?<V4D~:

pdbackup -a restore -file h:\pdbackup\pdinfo-pdwebpi.lst_29Jun2003.07_25.dar


pdinfo-pdwebpi.lst DZ]

[UNIX FILES]
# fully qualified file names.
/opt/pdwebpi/etc.
/var/pdwebpi/audit.
/var/pdwebpi/db.
/var/pdwebpi/keytab.
/var/pdwebpi/log

[UNIX CONF FILES]
# configuration files that specify a file to include
# file:stanza:option
/opt/pdwebpi/etc/pdwebpi.conf:uraf-ad:ad-server-config
/opt/pdwebpi/etc/pdwebpi.conf:uraf-domino:domino-server-config
/opt/pdwebpi/etc/pdwebpi.conf:ldap:ldap-server-config
/opt/pdwebpi/etc/pdwebpi.conf:ldap:ssl-keyfile
/opt/pdwebpi/etc/pdwebpi.conf:ldap:ssl-keyfile-stash
/opt/pdwebpi/etc/pdwebpi.conf:failover:failover-cookies-keyfile
/opt/pdwebpi/etc/pdwebpi.conf:ltpa:ltpa-keyfile
/opt/pdwebpi/etc/pdwebpi.conf:ltpa:ltpa-stash-file
/opt/pdwebpi/etc/pdwebpi.conf:iis:query-log-file
/opt/pdwebpi/etc/pdwebpi.conf:iis:log-file
/opt/pdwebpi/etc/pdwebpi.conf:iplanet:query-log-file

[WINDOWS FILES]
BASEDIR=SOFTWARE\Tivoli\Access Manager Plug-in for Web Servers:Path
<BASEDIR>etc
<BASEDIR>log
<BASEDIR>audit
<BASEDIR>db
<BASEDIR>keytab

[WINDOWS CONF FILES]
# configuration files that specify a file to include
# file:stanza:option
<BASEDIR>etc/pdwebpi.conf:uraf-ad:ad-server-config
<BASEDIR>etc/pdwebpi.conf:uraf-domino:domino-server-config
<BASEDIR>etc/pdwebpi.conf:ldap:ldap-server-config
<BASEDIR>etc/pdwebpi.conf:ldap:ssl-keyfile
<BASEDIR>etc/pdwebpi.conf:ldap:ssl-keyfile-stash
<BASEDIR>etc/pdwebpi.conf:failover:failover-cookies-keyfile
<BASEDIR>etc/pdwebpi.conf:ltpa:ltpa-keyfile
<BASEDIR>etc/pdwebpi.conf:ltpa:ltpa-stash-file
<BASEDIR>etc/pdwebpi.conf:iis:query-log-file
<BASEDIR>etc/pdwebpi.conf:iis:log-file
<BASEDIR>etc/pdwebpi.conf:iplanet:query-log-file

[WINDOWS REGISTRY]
# specify keys to backup
SOFTWARE\Tivoli

d|8]}]

TBwZMN}4Z pdinfo-pdwebpi.lst D~PPv,rx;aT/8]#g{h*

8 ] K } ] , r X k ` - p d i n f o - p d w e b p i . l s t " m S K E " # k q - Z

pdinfo-pdwebpi.lst D~*7hvDq=#

[cdsso-domain-keys]<domain name> = <key file>

[ecsso-domain-keys]<domain name> = <key file>

156 IBM Tivoli Access Manager for e-business: Plug-in for Web Servers /I8O
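The following Python example is added here as an illustration and is not part of the IBM documentation or the pdbackup tool. It parses a list in the pdinfo-pdwebpi.lst format shown above and resolves the file:stanza:option entries against the configuration file they name, so an administrator can see which key files the archive will actually contain and which options are unset (nothing is archived for those). The sample list, the pdwebpi.conf fragment and the registry value are constructed for the example; it assumes that a BASEDIR=key:value line names a registry value and that <BASEDIR> is replaced textually by that value, which therefore must end in a path separator.

```python
"""Resolve a pdinfo-pdwebpi.lst backup list against the files it references."""

# Constructed sample list in the pdinfo-pdwebpi.lst format shown above.
SAMPLE_LST = r"""
[UNIX FILES]
# fully qualified file names
/opt/pdwebpi/etc
/var/pdwebpi/keytab

[UNIX CONF FILES]
# configuration files that specify a file to include
# file:stanza:option
/opt/pdwebpi/etc/pdwebpi.conf:ldap:ssl-keyfile
/opt/pdwebpi/etc/pdwebpi.conf:failover:failover-cookies-keyfile
/opt/pdwebpi/etc/pdwebpi.conf:ltpa:ltpa-keyfile

[WINDOWS FILES]
BASEDIR=SOFTWARE\Tivoli\Access Manager Plug-in for Web Servers:Path
<BASEDIR>etc
<BASEDIR>keytab
"""

# Constructed pdwebpi.conf fragment, keyed by path (a real run would read the files).
SAMPLE_CONF = {
    "/opt/pdwebpi/etc/pdwebpi.conf": """
[ldap]
ssl-enabled = yes
ssl-keyfile = /var/pdwebpi/keytab/ldap.kdb

[failover]
failover-cookies-keyfile = /var/pdwebpi/keytab/failover.key

[ltpa]
ltpa-keyfile =
""",
}

# Constructed registry content: (key, value name) -> data. Assumed to end in a
# separator, because the list concatenates <BASEDIR> and the relative name directly.
SAMPLE_REGISTRY = {
    ("SOFTWARE\\Tivoli\\Access Manager Plug-in for Web Servers", "Path"):
        "C:\\Program Files\\Tivoli\\pdwebpi\\",
}


def parse_sections(text):
    """Split [SECTION] blocks into lists of non-comment lines (.lst and .conf alike)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def conf_option(conf_text, stanza, option):
    """Return the value of option in stanza of a pdwebpi.conf-style file, or ''."""
    for line in parse_sections(conf_text).get(stanza, []):
        key, _, value = line.partition("=")
        if key.strip() == option:
            return value.strip()
    return ""


def resolve_conf_entries(entries, conf_files):
    """Map file:stanza:option entries to the file names the options point at."""
    resolved, missing = [], []
    for entry in entries:
        path, stanza, option = entry.rsplit(":", 2)  # rsplit keeps drive letters intact
        value = conf_option(conf_files.get(path, ""), stanza, option)
        if value:
            resolved.append((entry, value))
        else:
            missing.append(entry)  # option unset: nothing will be archived for it
    return resolved, missing


def expand_windows_entries(entries, registry):
    """Replace <BASEDIR> with the registry value named on the BASEDIR= line."""
    base, expanded = None, []
    for entry in entries:
        if entry.startswith("BASEDIR="):
            key, _, value_name = entry[len("BASEDIR="):].rpartition(":")
            base = registry[(key, value_name)]
        elif "<BASEDIR>" in entry:
            if base is None:
                raise ValueError("<BASEDIR> used before BASEDIR= was defined")
            expanded.append(entry.replace("<BASEDIR>", base))
        else:
            expanded.append(entry)
    return expanded


def backup_manifest(lst_text, conf_files, registry):
    """Everything the list would archive, plus entries whose referenced file is unset."""
    sections = parse_sections(lst_text)
    resolved, missing = resolve_conf_entries(sections.get("UNIX CONF FILES", []), conf_files)
    return {
        "unix_files": sections.get("UNIX FILES", []),
        "windows_files": expand_windows_entries(sections.get("WINDOWS FILES", []), registry),
        "resolved": resolved,
        "missing": missing,
    }


if __name__ == "__main__":
    manifest = backup_manifest(SAMPLE_LST, SAMPLE_CONF, SAMPLE_REGISTRY)
    for entry, target in manifest["resolved"]:
        print(f"{entry} -> {target}")
    for entry in manifest["missing"]:
        print(f"WARNING: {entry} is not set; no file will be archived for it")
```

Because the resolved entries are key files (LDAP key database, failover cookie key, LTPA key), the resulting .dar archive holds secret material and should be protected like the key files themselves.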

Appendix B. pdwebpi.conf reference

Tivoli Access Manager Plug-in for Web Servers is configured with the parameters in the pdwebpi.conf configuration file. The file is located in the following directory:

UNIX:

   install_path/etc/

Windows:

   install_path\etc\

The following sections describe each configurable parameter in the pdwebpi.conf configuration file. The parameters are grouped by use into the following tables:

v General

v Authentication

v Session

v LDAP

v Proxy

v Authorization API

v Web-server-specific

General configuration parameters

Table 26. General configuration parameters

Parameter            Description

[pdweb-plugins]
   Defines the virtual hosts that Tivoli Access Manager Plug-in for Web Servers protects, together with the global default configuration parameters.

   virtual-host
      Identifies the stanzas that contain the configuration specific to each virtual host.

   web-server
      Identifies the type of web server in use. Possible values are:
      v iis      Microsoft Internet Information Services
      v ihs      IBM HTTP Server
      v iplanet  Sun ONE (formerly iPlanet) Web Server
      v apache   Apache
      This parameter is set automatically during installation.

   windows-file-system
      Indicates whether the authorization server should intercept URIs that raise security concerns related to the Windows file system. If set to true, any access to a URI whose path contains a Windows 2000 short (8.3) file name is refused; in particular, path components ending in a tilde followed by digits are not permitted. On Windows systems this parameter defaults to true; on UNIX systems it defaults to false. It can be set for each virtual host by specifying it in the appropriate [virtual_host] stanza.

   case-sensitive
      Determines how the authorization server treats the case of the URI. If set to false, the URI is converted to lowercase before it is matched against the Tivoli Access Manager object name, because authorization decisions are made on the object name. On UNIX systems this parameter defaults to true; on Windows systems it defaults to false. When windows-file-system is set to true and case-sensitive is not defined, the URI is converted to lowercase by default. Note that the /PDWebPI/branch part of the object name is never converted. It can be set for each virtual host in the appropriate [virtual_host] stanza.

   log-file
      Identifies the file name and path of the log file that records messages from all authorization server tasks. The path can be absolute or relative.

   logs
      Specifies the number of log files to create before the first log file is reused.

   log-entries
      Specifies the number of log entries to write before switching to the next log file.

   mpa-enabled
      Enables a Multiplexing Proxy Agent (MPA), which provides multiplexed client access to the plug-in. The proxy agent authenticates to the web server once and then forwards client requests and responses over that single authenticated connection. If set to true, MPA support is enabled; if set to false, it is disabled. It can be set for each virtual host by defining it in the [virtual_host] stanza.

   mpa-protected-object
      Defines the MPA object on which authorization decisions for the proxy agent are based. It can be set for each virtual host by defining it in the [virtual_host] stanza.

   user
      On UNIX systems, the user name under which the manager and proxy processes run.

   group
      On UNIX systems, the group name under which the manager and proxy processes run.

   pre-410-compatible-tokens
      Enables or disables compatibility with the token encryption used by Tivoli Access Manager 4.1 and Tivoli Access Manager 3.9. If set to true, the tokens generated for e-community single sign-on and failover cookies have the same security as Tivoli Access Manager 3.9 tokens; otherwise the current token format is used. This parameter is process-wide and cannot be set for each virtual host.

   use-accept-language-header
      Enables or disables use of the accept-language HTTP header when determining the language of a generated HTML response.

   use-accept-charset-header
      Enables or disables use of the accept-charset HTTP header when determining the character set used to decode the content of an HTTP request and to generate an HTML response.

   max-cached-http-body
      Specifies the maximum amount of HTTP body data that is cached for a request that is redirected. If the body exceeds the configured maximum, all of the body data is discarded.

   send-p3p-header
      Controls whether Tivoli Access Manager Plug-in for Web Servers adds a P3P header carrying the compact privacy policy to any HTTP response in which it sets a cookie.

   tag-value-prefix
      Specifies an optional prefix added to the credential attribute names that are used as tag-value HTTP header names.

   use-uri-encoded-session-id
      Controls whether the session identifier given in the "terminate session" administration task is URI-encoded.

   remove-headers
      Specifies whether, before tag-value processing, any header that tag-value processing could set is removed from the request. Removing these headers prevents a rogue client from injecting them (if injected, they would be treated as data derived from the user's credential).

      Warning!

      Disabling header removal can expose your web site to serious security problems. Re-examine the applications that rely on TAG-VALUE headers (TAG-VALUE processing removes the TAG-VALUE headers from the request before it runs) to rule out the possibility of TAG-VALUE HTTP headers being injected by a malicious client.

[module-mgr]
   Contains the detailed configuration for the proxy module manager.

   path
      Contains the path to the module shared libraries. Multiple path entries are allowed; the module manager searches all of them.

   verify-step-up-user
      When a step-up operation is performed, determines whether the new user identity must match the identity of the user already authenticated for the session.

[wpiconfig]
   Contains information set by the configuration program for use when the plug-in is unconfigured.

   server-type
      Set at configuration time for use at unconfiguration.

   install-dir
      Set at configuration time for use at unconfiguration.

   vhosts
      Set at configuration time for use at unconfiguration.

[user-agent]
   Creates mappings between user agents (identified by the user-agent HTTP header) and specific locale environments. The format is:

      user-agent-pattern = locale string

© Copyright IBM Corp. 2000, 2003 157

Authentication configuration parameters

Table 27. Authentication configuration parameters

Parameter            Description

[modules]
   Lists the available authentication methods and their associated shared libraries. The format is:

      module_name = shared_library_name

   The module names are:
      acctmgmt         account management
      BA               basic authentication
      cert             certificate
      failover         failover
      forms            forms
      fsso             forms single sign-on
      ip-addr          IP address
      iv-headers       IV headers
      session-cookie   session cookie
      ssl-id           SSL ID
      tag-value        tag value
      http-hdr         HTTP header
      token            token
      ltpa             LTPA cookie
      ecsso            e-community single sign-on
      cdsso            cross-domain single sign-on
      login-redirect   login redirect
      ntlm             NTLM
      spnego           SPNEGO (security provider negotiation)
      web-log          web log
      boolean-rules    boolean rules
      switch-user      switch user
      dynurl           dynamic URL
      cred-refresh     credential refresh
      ext-auth-int     external authentication interface

[common-modules]
   Contains the module configuration common to all virtual hosts. Entries have the form module-type = module-name. The supported module types are:

   Authentication
      Specifies the method used to authenticate users.
   Session
      Specifies the method used to maintain session state.
   Pre-authzn
      Specifies any processing required before a user is authorized.
   Post-authzn
      Specifies any processing performed after authorization.
   Response
      Specifies any processing applied to a response from the web server.

[authentication-levels]
   Defines the step-up authentication levels, and their order, for the authentication methods defined in the [modules] stanza. The format is:

      level = module_name

   If no entries are defined, all authentication methods default to level 1. The authentication order runs from the highest level defined for an authentication method down to the lowest. If several authentication methods share one level, their order follows the order in which they appear in the [modules] stanza.

[authentication-mechanisms]
   Lists the supported additional authentication mechanisms and the shared libraries that plug them into the Tivoli Access Manager authentication subsystem:

      passwd-cdas
      passwd-ldap
      passwd-uraf
      token-cdas
      cert-ssl
      cert-cdas
      http-request
      sso-create
      sso-consume
      passwd-strength
      cred-ext-attrs
      kerberosv5
      ext-auth-interface
      failover-password
      cdsso
      su-password
      su-token-card
      su-certificate
      su-http-request
      su-cdsso

[sessions]
   Declares the default values used by all session modules.

   max-entries
      Defines the maximum number of sessions that can be stored in a single instance of a session module.

   timeout
      Defines the maximum lifetime of a session, in seconds.

   inactive-timeout
      Defines how long a session may remain inactive before it expires, in seconds.

   resend-pdwebpi-cookies
      Defines whether the plug-in cookie is resent with every request.

   reauth-lifetime-reset
      If yes, the credential lifetime is reset when reauthentication succeeds.

   reauth-grace-period
      Specifies a grace period for the client, in seconds, during which reauthentication can still succeed after the session has timed out or the credential has expired.

[performance]
   Contains configuration options that affect the performance of the whole system.

   enable-pop
      Controls whether protected object policies (POPs) are enforced.

   add-session-id-to-cred
      Controls whether the session identifier is added to the session credential.

[user-agent]
   Creates mappings between user agents (identified by the user-agent HTTP header) and specific locale environments. Use the format: user-agent-pattern = locale-string.

[BA]

   basic-auth-realm
      Declares the realm name that is shown to the user in the basic authentication login dialog. The value must be enclosed in double quotation marks.

   strip-hdr
      Controls removal of the BA header from the request. Valid options are:
      v ignore - take no action on the BA header.
      v always - always remove the BA header from the request.
      v unauth - remove the BA header from the request if it was not used to authenticate.

   add-hdr
      Controls the addition of a new BA header to the request. Valid options for this entry are:
      v none - do not add a new BA header to the request (default).
      v gso - add a GSO BA header to the request.
      v supply - supply a configured password, and optionally a user name, in the BA header.

   gso-resource-name
      Contains the name of the GSO resource used to create the GSO BA header. This value is optional when add-hdr is set to gso; when add-hdr is set to gso and gso-resource-name is not set, the name of the virtual host handling the request is used.

   supply-password
      Required if add-hdr is set to supply. When set, this parameter specifies the password placed in the created BA header.

   supply-username
      Contains the user name placed in the created BA header. This parameter is optional when add-hdr is set to supply: if supply-password is set but supply-username is not set (or is set to an empty string), the name of the authenticated user is placed in the created BA header.
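The following Python example is added as an illustration of the strip-hdr and add-hdr rules in the [BA] stanza above; it is not code from the plug-in. It models the BA header as the request's Authorization header with the Basic scheme, and the GSO lockbox as a constructed dictionary keyed by (Tivoli Access Manager user, GSO resource); the header names, the lockbox and the sample credentials are assumptions made for the example. The security point it makes concrete is that strip-hdr = always combined with add-hdr = gso or supply means the client's own Basic credentials never reach the back-end application.

```python
"""Model of the [BA] strip-hdr / add-hdr handling described above."""
import base64

# Constructed GSO lockbox: (Tivoli Access Manager user, GSO resource) -> (backend user, password).
GSO_LOCKBOX = {
    ("alice", "www.example.com"): ("alice_legacy", "backend-secret"),
}


def basic_header(user, password):
    """Build the value of an HTTP Basic Authorization header."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def apply_ba_policy(headers, ba_stanza, tam_user, vhost, authenticated_by_ba):
    """Return the request headers after applying strip-hdr and then add-hdr.

    headers:             dict of request headers (the BA header is 'Authorization').
    ba_stanza:           dict holding the [BA] stanza options.
    tam_user:            name of the authenticated Tivoli Access Manager user.
    vhost:               name of the virtual host handling the request.
    authenticated_by_ba: True if the BA header in the request was used to authenticate.
    """
    out = dict(headers)  # never mutate the caller's request
    has_ba = out.get("Authorization", "").startswith("Basic ")

    strip = ba_stanza.get("strip-hdr", "ignore")
    if strip not in ("ignore", "always", "unauth"):
        raise ValueError(f"invalid strip-hdr value: {strip}")
    if has_ba and (strip == "always" or (strip == "unauth" and not authenticated_by_ba)):
        del out["Authorization"]

    add = ba_stanza.get("add-hdr", "none")
    if add == "none":
        return out
    if add == "gso":
        # gso-resource-name is optional; the virtual host name is the documented fallback.
        resource = ba_stanza.get("gso-resource-name") or vhost
        creds = GSO_LOCKBOX.get((tam_user, resource))
        if creds is not None:
            out["Authorization"] = basic_header(*creds)
        return out
    if add == "supply":
        password = ba_stanza.get("supply-password")
        if not password:
            raise ValueError("supply-password is required when add-hdr = supply")
        user = ba_stanza.get("supply-username") or tam_user  # empty -> authenticated user
        out["Authorization"] = basic_header(user, password)
        return out
    raise ValueError(f"invalid add-hdr value: {add}")
```

With strip-hdr = unauth, a request whose Basic credentials were not the ones used to authenticate the session loses its Authorization header before anything is added, which is the case that matters when a client tries to smuggle credentials past a session that was established by another method.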

[failover]
   Contains the detailed configuration for the failover cookie authentication and post-authorization modules.

   failover-cookies-keyfile
      Declares the path of the key file used to encrypt and decrypt the credential data carried in the failover cookie.

   failover-cookies-lifetime
      The lifetime of the failover cookie, in minutes.

   enable-failover-cookie-for-domain
      Enables or disables the failover cookie for the named domain.

   failover-update-cookie
      Defines how often the activity timestamp in the failover cookie is updated. If set to 0, the cookie is updated on every request. If set to a positive number, the cookie is updated once that number of seconds has elapsed. If set to a negative number, the cookie is updated only when the user authenticates or the credential is refreshed.

   failover-require-lifetime-timestamp-validation
   failover-require-activity-timestamp-validation
      These entries determine whether timestamp validation is required for failover authentication to succeed. Set to:

      true: the timestamp is required. If the timestamp is missing or invalid, failover authentication fails.

      false: the timestamp is not required, but if it is present and invalid, failover authentication fails. Use this setting if the plug-in must accept failover cookies generated by earlier versions of AMWebPI or AMWebSEAL, which do not carry these timestamps.

   use-utf8
      Defines the character set used to encode the failover cookie.

[failover-add-attributes]
   Contains the configuration for the attributes that are added from the original credential to the failover cookie.

[failover-restore-attributes]
   Contains the configuration for the attributes that are restored from the failover cookie to the credential when a user authenticates with a failover cookie.
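The following Python example is added to make the timestamp rules in the [failover] stanza above concrete; it is not the plug-in's own code. It models a decrypted failover cookie as a dictionary with optional lifetime and activity timestamps (epoch seconds), validates them under the true/false rules from the table, and applies the failover-update-cookie schedule. The comparison of the activity timestamp against the [sessions] inactive-timeout value, and the treatment of a future-dated timestamp as invalid, are assumptions made for the example; the configuration values are constructed.

```python
"""Model of failover cookie timestamp validation and activity-timestamp refresh."""

# Constructed [failover] and [sessions] values; an installation reads these from pdwebpi.conf.
SAMPLE_CONFIG = {
    "failover-cookies-lifetime": 60,        # minutes
    "failover-require-lifetime-timestamp-validation": True,
    "failover-require-activity-timestamp-validation": True,
    "failover-update-cookie": 300,          # seconds; 0 = every request, <0 = authn/refresh only
    "inactive-timeout": 600,                # seconds, from [sessions]; assumed comparison basis
}


def _check_timestamp(name, value, now, max_age, required):
    """Apply the true/false rule from the table to one timestamp field."""
    if value is None:
        if required:
            return False, f"{name} timestamp missing"
        return True, f"{name} timestamp absent and not required"
    if value > now:
        return False, f"{name} timestamp invalid (in the future)"
    if now - value > max_age:
        return False, f"{name} timestamp expired"
    return True, f"{name} timestamp valid"


def validate_failover_cookie(cookie, config, now):
    """Decide whether a decrypted failover cookie may authenticate the user.

    cookie: dict with 'user' and optional 'lifetime_ts' / 'activity_ts' (epoch seconds).
    Returns (accepted, reason); the reason is what an audit record should carry.
    """
    ok, reason = _check_timestamp(
        "lifetime", cookie.get("lifetime_ts"), now,
        config["failover-cookies-lifetime"] * 60,
        config["failover-require-lifetime-timestamp-validation"])
    if not ok:
        return False, reason
    ok, reason = _check_timestamp(
        "activity", cookie.get("activity_ts"), now,
        config["inactive-timeout"],
        config["failover-require-activity-timestamp-validation"])
    if not ok:
        return False, reason
    return True, f"failover authentication accepted for {cookie['user']}"


def should_update_activity(cookie, config, now, event):
    """Apply failover-update-cookie; event is 'request', 'authn' or 'refresh'."""
    interval = config["failover-update-cookie"]
    if event in ("authn", "refresh"):
        return True                      # the cookie is (re)issued here in every mode
    if interval < 0:
        return False                     # negative: never on an ordinary request
    last = cookie.get("activity_ts")
    return interval == 0 or last is None or now - last >= interval
```

Setting either require-...-validation entry to false is a compatibility concession: a cookie with no timestamp at all is then accepted for as long as its encryption key stays valid, so leave both at true unless older AMWebPI or AMWebSEAL instances really do issue cookies to the same domain.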

[ltpa]
   Contains the detailed configuration for the LTPA cookie post-authorization module. This module is designed to allow single sign-on to WebSphere servers.

   ltpa-keyfile
      Full path name of the LTPA key file.

   ltpa-stash-file
      Location of the password stash file.

   ltpa-password
      Password used when no stash file is available.

   ltpa-lifetime
      Lifetime of the LTPA cookie, in seconds.

[forms]
   Contains the detailed configuration for the forms-based login module.

   login-form
      File name of the login form.

   login-uri
      The URI to which the login form submits the login details. The user name, in the POST attribute username, and the password, in the POST attribute password, must be submitted to this URI in a POST request.

   create-ba-hdr
      Indicates whether the submitted user name and password should be supplied to the back-end application as the value of a BA header.

   use-utf8
      Indicates whether the BA header, if created, is encoded in UTF-8 or in the local code page. The default is true.

[fsso]
   Lists the login forms handled by the forms single sign-on module.

   login-page-stanza
      The names of one or more stanzas, each containing the details of one login form to be handled.

[login-form-1]
   Login forms are identified by a two-stage matching process. FSSO first matches all pages against the login-page regular expression. The login form on a matching page is then identified by matching the action attribute of the HTML form against the login-form-action regular expression.

   login-page
      This entry is located in the stanza named by the login-page-stanza parameter. It gives a regular expression which identifies the request for the application login page when the forms single sign-on function of the plug-in is used. The configured pattern is matched against the request URI.

   login-form-action
      This entry is located in the stanza named by the login-page-stanza parameter. It gives a regular expression which identifies, among the forms on the matching page, the one that is the application login form. If more than one form matches the pattern, the first is used.

   argument-stanza
      This entry is located in the stanza named by the login-page-stanza parameter. It names another stanza that lists the fields and data required to complete the login form.

[auth-data]
   Contains one or more form entries of the form name = method:value. This stanza is the one named by the argument-stanza parameter.

   name
      Must match the name attribute of the input field in the login form.

   method
      One of cred, gso or string.

   value
      Contains the string from which the field value is obtained according to the method.

[web-log]
   Contains the details for the module that controls the information written to the web server access log file, including the REMOTE_USER CGI variable for Sun ONE, IHS and Apache web servers.

   format-string
      Format string used to build the web log user name and, for Sun ONE, IHS and Apache web servers, the REMOTE_USER CGI variable.

   unauth-user-string
      String that represents an unauthenticated Access Manager user in the web server access log file.

   unauth-server-user-string
      String that represents an unauthenticated web server user in the web server access log file.

   auth-type
      Format string giving the authentication type, for web servers that allow it to be specified. The only web server that allows this is iPlanet.

[tag-value]

   cache-definitions
      Indicates whether the tag-value definitions attached to the object space are cached. If they are cached, the proxy must be restarted before changes to the tag-value definitions take effect.

   cache-refresh-interval
      Refresh interval for the cached definitions, in seconds.

   use-utf8
      Defines the character set used to encode tag-value data. If set to false, the local code page is used. The default is true.

   use-uri-encoding
      Defines whether the tag-value data is URI-encoded.

[token-card]
   Token login page.

   token-login-form
      File name of the token login page.

   next-token-form
      Defines the form shown to the client to request the next token. When the server cannot authenticate the user from one token, the client is asked to enter the next token.

[http-hdr]
   Contains the details of the HTTP header authentication and session modules.

   header
      The name of the header passed to the external authentication service (CDAS) for authentication.

[iv-headers]
   Contains the details of the IV header authentication and post-authorization modules.

   accept
      The list of headers accepted as authentication credentials from a front-end proxy. Valid options are:
      v all - accept all header types.
      v iv-creds - user credential.
      v iv-user - short user name.
      v iv-user-l - long user name.
      v iv-groups
      v iv-remote-address - client IP address.
      v server-name

   generate
      The list of headers generated for requests forwarded to the web server. Valid options are:
      v all - generate all header types.
      v iv-creds - user credential.
      v iv-user - short user name.
      v iv-user-l - long user name.
      v iv-remote-address - client IP address.

   use-utf8
      Indicates whether iv headers are encoded in UTF-8 or in the local code page. Set this to false if the plug-in must accept iv headers generated by earlier versions of AMWebPI or AMWebSEAL.

   server-name-header
      Name of the header used when server-name is in the list of generated values. The default is iv-server-name.

[acctmgmt]
   Contains the data for the account management post-authorization module. This module handles account operations such as changing the user's password and logging out.

   password-change-form
      Form shown when the user requests a password change.

   password-change-form-uri
      URI the user accesses to request a password change.

   password-change-uri
      URI destination after a password change.

   password-change-success
      Page shown when the user changes the password successfully.

   password-change-failure
      Page shown when the password change does not succeed.

   logout-uri
      URI destination after the user logs out.

   help-uri
      Location of the help page.

   help-page
      File name of the help page shown when the user requests help.

   logout-success
      URI or file shown when the user logs out successfully.

[ecsso]
   e-community single sign-on. The name used here must match the pdwpi-ecsso-module module name defined in the [modules] stanza. To handle the e-community single sign-on logout URI (/pkmslogout by default) correctly, the ecsso pre-authorization module must be configured before the acct-mgmt pre-authorization module.

   e-community-name
      The name of the e-community that appears in vouch-for tokens and requests.

   is-master-authn-server
      Specifies whether this server is the master server of the e-community. If set to yes, the server accepts vouch-for requests from the other plug-in instances, whose domain keys are listed in the [ecsso-domain-keys] stanza.

   master-authn-server
      The name of the master server in the e-community. This parameter is required if is-master-authn-server is set to no.

   master-http-port
      The port on which the master authentication server receives HTTP requests, if it is not the standard port 80. Ignored if this server is the master authentication server.

   master-https-port
      The port on which the master authentication server receives HTTPS requests, if it is not the standard port 443. Ignored if this server is the master authentication server.

   vf-token-lifetime
      Lifetime of the vouch-for token, in seconds.

   vf-url
      The vouch-for URL.

   allow-login-retry
      Enables or disables a login retry when an unauthenticated user is redirected to the master server. If set to true, the master server allows the user to re-enter the user name and password after an initial failure. If set to false, the user is redirected back to the originating server without being vouched for.

   vf-argument
      The parameter name that carries the vouch-for token when it appears in a vouch-for response.

   use-utf8
      Enables or disables UTF-8 string encoding in ECSSO vouch-for tokens and e-community cookies.

[ecsso-token-attributes] or [ecsso_module_name-token-attributes:virtual_host]
      domain_name = pattern1, pattern2, ... pattern n
   Specifies the credential attributes included in the eCSSO vouch-for token.

[ecsso-incoming-attributes] or [ecsso_module_name-incoming-attributes]
      attribute_pattern = preserve|refresh
   Specifies which credential attributes are accepted or rejected from an incoming vouch-for token.

[ecsso-domain-keys]
   Defines the keys used to communicate with the named domains in the e-community. The stanza name is derived from the pdwpi-ecsso-module module name defined in the [modules] stanza; its form is [ecsso-module-name-domain-keys]. The format is: domain-name = key-file

[cdsso]

   uri
      Indicates the URI dedicated to CDSSO redirection and single sign-on.

   cdsso-argument
      Specifies the name of the query-string parameter that carries the authentication token. It is used in the redirection URI.

   authtoken-lifetime
      Lifetime of the authentication token, in seconds.

   use-utf8
      Controls the string encoding inside CDSSO tokens. This option affects only tokens created and consumed by the default SSO create and consume modules. By default, tokens are UTF-8 encoded.

[cdsso-token-attributes]
   Defines the attribute patterns to include in the CDSSO authentication token, either for each target domain or for every domain. This is honoured only when the default SSO token creation module handles token creation. The entries have the form: domain-name = pattern-1,pattern-2, ... pattern-n

[cdsso-incoming-attributes]
   Defines the attribute patterns accepted or rejected from incoming CDSSO authentication tokens. Entries in this stanza have the form: attributepattern=preserve | refresh

[cdsso-domain-keys]
   Defines the keys used to communicate with the named domains. The format is: domain-name = key-file

   The stanza name is derived from the pdwpi-cdsso-module module name defined in the [modules] stanza; its form is [cdsso-module-name-domain-keys].

[login-redirect]
   Contains the detailed configuration for the login redirect module. For this module to work correctly, it must be configured before the account management pre-authorization module.

   redirect-uri
      The URI to which the user is redirected after successful authentication.

[spnego]

   spnego-krb-service-name
      The Kerberos service name under which the AMWebPI server authenticates; it is read when the spnego pre-authorization module initializes.

   spnego-krb-keytab-file
      Path of the Kerberos keytab file.

[ntlm]

   use-pre-windows-2000-logon-name
      Allows the pre-Windows 2000 logon name, that is the username part of DOMAIN\USERNAME, to represent the authenticated user in Tivoli Access Manager.

[web-server-authn]

   use-pre-windows-2000-logon-name
      Allows the pre-Windows 2000 logon name, that is the username part of DOMAIN\USERNAME, to represent the authenticated user in Tivoli Access Manager.

[boolean-rules]
   Changes the way a boolean authorization rule affects the outcome of an access decision.

   pass-on-rule-failure-reason
      Set to the default, false, or absent: if the boolean authorization rule returns !FALSE!, the request is rejected. Set to true: if the rule returns !FALSE! and there is a failure-reason string associated with the rule object in the policy database, access is allowed and the failure-reason string is inserted into the HTTP request in the AM_AZN_FAILURE header.

[http-method-perms]
   Defines the permissions required to perform requests that use specific HTTP methods.

   <default>
      Defines the permissions required for any method not explicitly listed in this stanza. The <default> entry has no default value and must be specified in this stanza as a non-empty string.

[ext-auth-int]
   Allows credentials to be created from information supplied by a back-end application.

   auth-url
      The URL to which users are redirected when the configured security policy triggers an authentication event.

   trigger-url
      The URL that indicates that the response should be used to generate a credential.

   redirect-url-hdr-name
   pac-hdr-name
   pac-svc-id-hdr-name
   user-id-hdr-name
   user-auth-level-hdr-name
   user-qop-hdr-name
   user-ext-attr-list-hdr-name
      These entries contain the names of the response headers used when the credential is generated.

[switch-user]

   switch-user-form
      Specifies the name of the HTML file returned to the client when an "su" request is made. This file should be located in the /opt/pdwebpi/nls/html/lang/charset directory.

   switch-user-uri
      Specifies the name of the URI used to invoke the switch user function.

   switch-user-post-uri
      Specifies the URI to which the "su" form is submitted.

[dynurl]
   Specifies the definitions for the dynamic URL pre-authorization module. The format is:

      object = pattern

Session configuration parameters

Table 28. Session configuration parameters

Parameter            Description

[sessions]

   max-entries
      The maximum number of sessions stored in a single instance of the session module, that is, the maximum number of sessions for each session module of each virtual host.

   timeout
      The maximum lifetime of a session, in seconds.

   inactive-timeout
      The time a session may remain inactive before it expires, in seconds.

   resend-pdwebpi-cookies
      Enables or disables resending the plug-in cookie on every request.

   reauth-lifetime-reset
      Controls resetting of the session lifetime. If set to yes, the session lifetime (that is, the value configured in the timeout parameter) is reset after a successful reauthentication. If set to no, it is not reset.

   reauth-grace-period
      Sets a grace period, in seconds, for the client. If the credential expires during this period, or the session ends for another reason, the client can still reauthenticate successfully.

[session-cookie]

   use-same-session
      Specifies whether the HTTP and HTTPS protocols share the same session.

[cred-refresh]
   Contains the configuration that determines which attributes are preserved from the original credential, and which are refreshed into the new credential, when a credential refresh operation runs.

   preserve
      Defines the attributes preserved from the original user credential.

   refresh
      Defines the attributes refreshed in the new credential.

LDAP configuration parameters

Table 29. LDAP configuration parameters

Parameter            Description

[ldap]

   bind-pwd
      Password of the plug-in daemon (set at configuration time).

   ssl-enabled
      Indicates whether SSL is enabled.

   ssl-keyfile
      Path and file name of the SSL key file.

   ssl-keyfile-dn
      Label of the certificate in the SSL key file, if any.

   ssl-keyfile-pwd
      Password of the SSL key file.

   cache-enabled
      Enables or disables the local LDAP cache.

   ldap-server-config
      Location of the ldap.conf file.

   auth-using-compare
      Indicates whether authentication is performed by comparing the password with an LDAP compare operation instead of by binding.

   prefer-readwrite-server
      Indicates whether a writable LDAP server is preferred when one is available.

   bind-dn
      Distinguished name used by the daemon to bind.

   default-policy-override-support
      Must be yes or no. When set to yes, only the user's policy is checked and the default policy is not (saving an LDAP search).

   user-and-group-in-same-suffix
      Indicates whether groups are defined in the same LDAP suffix as users.

Proxy configuration parameters

Table 30. Proxy configuration parameters

Parameter            Description

[proxy-if]

   id
      Specifies the identifier of the proxy interface, or the name of the shared memory file. This identifier must match the one used by the plug-in.

   number-of-workers
      The number of worker threads that process plug-in requests.

   worker-size
      The amount of memory allocated to each worker thread that processes plug-in requests.

   cleanup-interval
      The time between memory clean-ups, in seconds.

   max-session-lifetime
      The maximum number of seconds the plug-in waits for a response from the authorization server.

[proxy]

   error-page
      Path of the page shown in the user's browser when an unexpected server error occurs.

   acct-locked-page
      Path of the page shown when a user attempts to access a locked account.

   retry-limit-reached-page
      Path of the page shown when the maximum permitted number of failed login attempts is reached. Use the policy command in pdadmin to set the maximum number of failed logins in LDAP.

   login-success
      The page shown after a successful forms or token login when the plug-in has no page to redirect the user to. This can happen when the login form is sent back to the plug-in without the login POST data.

Authorization API configuration parameters

Table 31. Authorization API configuration parameters

Parameter            Description

[aznapi-configuration]
   Audit and logging parameters and configuration.

   logsize
      Log size in bytes; when it is exceeded, a new log file is created. If set to 0, no new log file is created. If set to a negative number, a new log file is created every day regardless of size.

   logflush
      Interval, in seconds, at which the log is flushed. The maximum value is 21600 (6 hours).

   logaudit
      Enables or disables audit logging.

   auditlog
      Name of the audit file.

   auditcfg
      Enables or disables component-specific audit logging. Valid values are:
      authn - capture authentication events.
      azn - capture authorization events.

   db-file
      Location of the ACL database cache file.

   cache-refresh-interval
      Interval, in seconds, between checks for updates from the master authorization server.

   listen-flags
      Enables or disables the flag for accepting policy cache update notifications.

   policy-cache-size
      Maximum size of the in-memory policy cache. The value controls how much information can be cached and is expressed as a number of entries.

   resource-manager-provided-adi
      Specifies the prefix definitions of the authorization decision information retrieved from the HTTP request. Do not change the value of this parameter.

   input-adi-xml-prolog
      The prolog added to the top of the XML document that is built from the access decision information (ADI) needed to evaluate boolean authorization rules.

   xsl-stylesheet-prolog
      The prolog added to the top of the XSL stylesheet that is built from the XSL text defining a boolean authorization rule.

   dynamic-adi-entitlement-services
      Lists the identifiers of the configured authorization services that are queried, in order, when ADI is found to be missing during rule evaluation. Each service in the list must conform to the dynamic ADI retrieval service input and output specification described in the Authorization Programmer's Guide. When missing ADI is detected during rule evaluation, every service in the configured list is queried in turn. These entries must be existing authorization services, either specified with the authorization service configuration stanza or loaded from the service entries in the initialization attributes.

   cred-attribute-entitlement-services
      Lists the identifiers of the configured authorization services used to add attributes to the credential while the credential is being built.

[aznapi-entitlement-services]
   Authorization API service definitions.

   service_id
      Each entry defines a different type of aznAPI service. For more information, see the IBM Tivoli Access Manager Authorization C API Developer's Reference.

   AZN_ENT_EXT_ATTR
      This is a system parameter that must not be changed. It allows extended attributes to be used on the object space.

Web-server-specific configuration parameters

Table 32. Web-server-specific configuration parameters

Parameter            Description

[p3p-header]
   Specifies the P3P compact policy applied to all HTTP cookies that are sent.

   p3p-element
      In this stanza, instead of building the compact policy from the other parameters, this parameter can be used to give a reference to a full XML policy. With p3p-element = policyref="/w3c/p3p.xml", the plug-in directs the client to the full XML policy.

   access
      Specifies the access the user has to the information held in, or linked from, the cookie. Possible values are:
      none
      all
      nonident
      contact-and-other
      ident-contact
      other-ident

   disputes
      Specifies whether the full P3P policy contains information about disputes concerning the information held in the cookie. Valid values are true and false. By default this parameter is disabled.

   remedies
      Specifies the possible remedies for a dispute. Possible values are:
      correct
      money
      law
      If not specified, the policy contains no remedy information.

   non-identifiable
      When set to true, specifies that no information held in, or linked from, the cookie identifies the user in any way. Valid values are true and false. By default this parameter is disabled.

   purpose
      Specifies the purposes for which the information held in, or linked from, the cookie is used. Possible values are:
      current
      admin
      develop
      tailoring
      pseudo-analysis
      pseudo-decision
      individual-analysis
      individual-decision
      contact
      historical
      telemarketing
      and other-purpose.

      For every value except current, an opt-in or opt-out modifier can be configured. Possible values are:
      always
      opt-in
      opt-out.

      For an unspecified purpose, the default is always. The modifier follows the purpose, separated by a colon, for example:

      purpose = contact:opt-in

   recipient
      Specifies the recipients of the information held in, or linked from, the cookie. Possible values are:
      ours
      delivery
      same
      unrelated
      public
      other-recipient.

   retention
      Specifies the retention period of the information held in, or linked from, the cookie. Possible values are:
      no-retention
      stated-purpose
      legal-requirement
      business-practices
      indefinitely.

   categories
      Specifies the categories of information stored in, or linked from, the cookie. If the non-identifiable parameter is set to true, no categories need to be configured. Possible values are:
      physical
      online
      uniqueid
      purchase
      financial
      computer
      navigation
      interactive
      demographic
      content
      state
      political
      health
      preference
      location
      government
      other-category

[ihs]

   query-contents
      Specifies the query contents program used by the "pdadmin> object list" command to browse the IBM HTTP Server web space. The parameter can be set for each branch by specifying it in a stanza named [ihs:branch] (for example [ihs:/PDWebPI/foo.bar.com]).

   query-log-file
      Location of the log file in which errors from the query contents program are recorded.

   doc-root
      Specifies the document root that provides the web space browsing needed by the "pdadmin> object list" command. This parameter is set by the configuration utility when virtual hosts are configured. It can be set for each policy branch in a stanza named [ihs:branch] (for example [ihs:/PDWebPI/foo.bar.com]).

[apache]

   query-contents
      Specifies the query contents program used by the "pdadmin> object list" command to browse the Apache web space. The parameter can be set for each branch by specifying it in a stanza named [apache:branch] (for example [apache:/PDWebPI/lotus.com]).

   query-log-file
      Location of the log file in which errors from the query contents program are recorded.

   doc-root
      Specifies the document root that provides the web space browsing needed by the "pdadmin> object list" command. This parameter is set by the configuration utility when virtual hosts are configured. It can be set for each policy branch in a stanza named [apache:branch], for example [apache:/PDWebPI/lotus.com].

[iis]

   query-contents
      Specifies the query contents program used by pdadmin to browse the IIS web space. The parameter can be set for each branch by specifying it in a stanza named [iis:branch] (for example [iis:/PDWebPI/foo.bar.com]).

   query-log-file
      Location of the log file in which errors from the query contents program are recorded.

   log-file
      Defines the log file for error and diagnostic messages from the IIS plug-in. To keep the files consistent, these messages are stored separately from the authorization server log file. If a relative path is given, the location is relative to the log subdirectory of the installation directory. If an absolute path is given, the absolute path is used.

   use-error-pages
      Controls whether the IIS configured error pages for error codes are sent to the client, or a short page that states the error is sent instead.

[iplanet]
   Configuration parameters specific to the Tivoli Access Manager iPlanet Web Server Plug-in.

   query-contents
      Specifies the query contents program used by pdadmin to browse the Sun ONE web space. The parameter can be set for each branch by specifying it in a stanza named [iplanet:branch] (for example [iplanet:/PDWebPI/foo.bar.com]).

   query-log-file
      Location of the log file in which errors from the query contents program are recorded.

   doc-root
      Specifies the document root that provides the web space browsing needed by the "pdadmin> object list" command. This parameter is set by the configuration utility when virtual hosts are configured. It can be set for each policy branch in a stanza named [iplanet:branch] (for example [iplanet:/PDWebPI/foo.bar.com]).

Appendix C. Module quick reference

Authentication is the process of identifying an individual process or entity that attempts to log in to the secure domain and then access the plug-in. Authentication in a secure domain can be performed in many different ways. IBM Tivoli Access Manager Plug-in for Web Servers supports several authentication methods. The tables below list these methods with their modules and a short description of each.

Table 33. Plug-in authentication method/module reference

Authentication method/module    Description

BA
pdwpi-ba-module
   Basic authentication authentication module.
   Can also be configured as a session and post-authorization module.

forms
pdwpi-forms-module
   HTML forms authentication module.
   Authenticates with a user name and password submitted through a form.
   When used, this module must also be configured as a post-authorization module.

ip-addr
pdwpi-ipaddr-module
   Client IP address authentication module.
   Provides authentication based on the client IP address. The user must supply an http-request authentication mechanism that maps the IP address information to a Tivoli Access Manager identity.
   Can also be configured as a session module.

http-hdr
pdwpi-httphdr-module
   HTTP header authentication module.
   Provides authentication based on the value of a specified HTTP header in the request. The user must supply an http-request authentication mechanism that maps the header information to a Tivoli Access Manager identity.
   Can also be configured as a session module.

token
pdwpi-token-module
   Token authentication module.
   Tivoli Access Manager Plug-in for Web Servers supports authentication by a token passcode supplied by the client. This authentication uses the two-factor login based on RSA SecurID fobs.
   When used, this module must also be configured as a post-authorization module.

cert
pdwpi-certificate-module
   Client certificate authentication module.
   The subject DN of the client certificate is mapped to a Tivoli Access Manager identity by the cert-ssl authentication mechanism. The cert-ssl mechanism requires the subject DN of the client certificate to map directly to the DN of a Tivoli Access Manager user in the user registry.
   This module can only authenticate requests that arrive over an SSL session, so configure it with care on virtual hosts that handle both HTTP and HTTPS requests.

© Copyright IBM Corp. 2000, 2003 175

failover
pdwpi-failovercookie-module
   Failover cookie authentication module.
   This module accepts failover cookies to authenticate users.
   When used, this module must also be configured as a post-authorization module.

iv headers
pdwpi-iv-headers-module
   IV header authentication module.
   Provides authentication based on the value of the iv-user, iv-user-l, iv-creds or iv-remote-address HTTP header in the request. This is useful when the user has already authenticated to a front-end proxy server and single sign-on to Access Manager Plug-in for Web Servers is required.
   To be trusted, the request must arrive over an authenticated session established by the front-end proxy server (for example WebSEAL). The proxy must authenticate as a user that has the proxy permission ([PDWebPI]p) on the protected object space branch of the virtual host being accessed.
   For authentication with the iv-remote-address header, the user must supply an http-request authentication mechanism that maps the IP address information to a Tivoli Access Manager identity.
   This module can also be configured as a post-authorization and session module.

ecsso
pdwpi-ecsso-module
   e-community single sign-on authentication module.
   This module must be configured as the authentication module for all virtual hosts that participate in the e-community other than the master authentication server.
   When used, this module must also be configured as a pre-authorization module.

unauth
pdwpi-unauth-module
   Unauthenticated user authentication module.
   This module is listed here only for completeness. It is always configured as the lowest-priority authentication module and is used to create credentials for unauthenticated users.

ltpa
pdwpi-ltpa-module
   LTPA authentication module.
   Accepts and authenticates users based on LTPA cookies. The LTPA cookies can be supplied by WebSEAL or WebSphere servers.

spnego
pdwpi-spnego-module
   SPNEGO authentication module.
   Uses the standard SPNEGO authentication protocol of a Windows LAN domain to provide a single sign-on solution for the plug-in on IIS.

cdsso
pdwpi-cdsso-module
   CDSSO authentication module.
   Allows single sign-on between different domains.

ext-auth-int
pdwpi-ext-auth-int-module
   External authentication interface module.
   Allows credentials to be created from information supplied by a back-end application.

Table 34. Windows-specific authentication modules

Module               Description

ntlm
pdwpi-ntlm-module
   NTLM authentication module.
   NTLM is a Windows-specific authentication module. In Tivoli Access Manager this module represents the authenticated user by the Windows 2000 logon name.

web-server-authn
pdwpi-websvrauth-module
   Web server authentication module.
   The web server authentication module is a Windows-only authentication module. In Tivoli Access Manager this module represents the authenticated user by the Windows 2000 logon name.

Table 35. Plug-in session module reference

Module               Description

BA
pdwpi-ba-module
   Basic authentication session module.
   Uses the value of the basic authentication Authorization header as the session key.
   When used, it must also be configured as an authentication module.
   Can also be configured as a post-authorization module.

ip-addr
pdwpi-ipaddr-module
   IP address session module.
   Uses the authenticated client IP address as the session key.
   When used, it must also be configured as an authentication module.

http-hdr
pdwpi-httphdr-module
   HTTP header session module.
   Uses the authenticated HTTP header as the session key.
   When used, it must also be configured as an authentication module.

session-cookie
pdwpi-sesscookie-module
   Session cookie session module.
   This module generates and accepts cookies that identify the session. It is recommended as the baseline session identification mechanism.

ssl-id
pdwpi-sslsessid-module
   SSL session ID session module.
   Uses the SSL session ID as the session key. Note that although the Windows distribution of Tivoli Access Manager Plug-in for Web Servers provides this module, Microsoft Internet Information Services Web Server does not make the SSL session ID available to the plug-in, so the SSL session ID cannot be used as the session key with IIS.

iv-headers
pdwpi-iv-headers-module
   IV header session module.
   Maintains session state with IV headers.

ltpa
pdwpi-ltpa-module
   LTPA session module.
   Maintains session state with the LTPA cookie.

Table 36. Plug-in pre-authorization module reference

Module               Description

boolean-rules
pdwpi-boolean-rules-module
   Boolean rules pre-authorization module.

switch-user
pdwpi-switch-user-module
   Switch user pre-authorization module.

dynurl
pdwpi-dynurl-module
   Dynamic URL pre-authorization module.

acctmgt
pdwpi-acct-mgmt-module
   Account management pre-authorization module.
   This module provides the logout (/pkmslogout), change password (/pkmspasswd) and help (/pkmshelp) functions.

cred-refresh
pdwpi-cred-refresh-module
   Credential refresh pre-authorization module.

forms
pdwpi-forms-module
   Forms pre-authorization module.

token
pdwpi-token-module
   Token pre-authorization module.
   Tivoli Access Manager Plug-in for Web Servers supports authentication by a token passcode supplied by the client. This authentication uses the two-factor login based on RSA SecurID fobs.
   When used, the token module must also be configured as an authentication module.

ext-auth-int
pdwpi-ext-auth-int-module
   External authentication interface pre-authorization module.

login-redirect
pdwpi-loginredirect-module
   Login redirect pre-authorization module.
   When a login is performed with any method the plug-in supports, redirects the user to a configured page after successful authentication.

ecsso
pdwpi-ecsso-module
   e-community single sign-on pre-authorization module.
   All virtual hosts that participate in the e-community must configure the ecsso module as a pre-authorization module.
   This module must also be configured as the authentication module for all participants other than the master authentication server.

Table 37. Plug-in post-authorization module reference

Module               Description

forms
pdwpi-forms-module
   HTML forms post-authorization module.
   This module handles the form data submitted during an HTML forms login.
   When used, it must also be configured as an authentication module.
   This module can also set a BA header from the submitted user name and password.

BA
pdwpi-ba-module
   Basic authentication post-authorization module.
   Modifies the BA header sent to the web server, or creates a BA header from GSO lockbox data.

failover
pdwpi-failovercookie-module
   Failover cookie post-authorization module.
   This module generates the failover cookie for the client.
   When used, the failover cookie module must also be configured as an authentication module.

iv-headers
pdwpi-iv-headers-module
   IV header post-authorization module.
   Before the web server is allowed to process the request, this module inserts the user identity information into the request as IV headers. This is useful for single sign-on to applications hosted by the web server. The headers that can be added are iv-user, iv-user-l, iv-groups, iv-creds and iv-remote-address.
   This module can also be configured as an authentication and session module.

tag-value
pdwpi-tag-value-module
   Tag value post-authorization module.
   Before the web server is allowed to process the request, this module inserts the extended attributes of the user's credential into the request as HTTP headers. These extended attributes usually correspond to user attributes in the user registry.

ltpa
pdwpi-ltpa-module
   LTPA cookie post-authorization module.
   Before the web server is allowed to process the request, this module inserts a WebSphere Application Server (WAS) lightweight third-party authentication (LTPA) cookie into the request. This provides single sign-on to WAS hosted by the web server.

cdsso
pdwpi-cdsso-module
   CDSSO post-authorization module.

boolean-rules
pdwpi-boolean-rules-module
   Boolean rules post-authorization module.

fsso
pdwpi-fsso-module
   Forms single sign-on module.

web-log
pdwpi-web-log-module
   Web log post-authorization module.

Table 38. Response module reference

Module               Description

fsso
pdwpi-fsso-module
   Forms single sign-on response module.

ext-auth-int
pdwpi-ext-auth-int-module
   External authentication interface response module.

=< D. |nlYN<

© Copyright IBM Corp. 2000, 2003 181

pdwebpi_startt/"XBt/M#9 UNIX 20OD Tivoli Access Manager Plug-in for Web Servers

xL#k"b,t/r#9 Tivoli Access Manager Base z71,Plug-in for Web Servers

T/t/M#9#"R,T>yP Web ~qwD4,#

":g{h*,I9C pdwebpi_start |n@"Z Tivoli Access Manager Base z7

XF Plug-in for Web Servers#

o(

pdwebpi_start start

pdwebpi_start stop

pdwebpi_start restart

pdwebpi_start status

N}

pdwebpi_start {start|stop|restart|status} dP:

startt/ UNIX 20OD Plug-in for Web Servers xL#

stop#9 UNIX 20OD Plug-in for Web Servers xL

restart#9;sXBt/ UNIX 20OD Plug-in for Web Servers xL

statusa) UNIX 20OD Plug-in for Web Servers 4,E"#

"M

*t/M#9e~D Windows 20,kZ0~q1XFfePR= Plug-in for Web

Servers xL"9CJ1DXF4%#

ICT

K|n;ZTB1!20?<:

v UNIX 53:

/opt/pdwebpi/sbin/

v Z Windows 53O:

C:\Program Files\Tivoli\pdwebpi\sbin\

1!qKG1!?<D20?<1,K5CLr;Z20?<BD sbin ?<P(}g,

install_dir\sbin\)#

5Xk

a5XTBKv4,k:

182 IBM Tivoli Access Manager for e-business: Plug-in for Web Servers /I8O

0 |nI&jI#

1 "zKms#

=< D. |nlYN< 183

pdwebpia) Tivoli Access Manager Plug-in for Web Servers f>E"#97(G+ Plug-in for

Web Servers w*X$xLKP9GZ0(KP#

o(

pdwebpi [–foreground] [–version]

N}

–foregroundZ0(KP Plug-in for Web Servers ~xFD~x;Gw*X$xLKP#

–versionT Plug-in for Web Servers 20a)f>E"#

ICT

K|n;ZTB1!20?<:

v UNIX 53:

/opt/pdwebpi/bin/

v Z Windows 53O:

C:\Program Files\Tivoli\pdwebpi\bin\

1!qKG1!?<D20?<1,K5CLr;Z20?<BD bin ?<P(}g,

install_dir\bin\)#

5Xk

a5XTBKv4,k:

0 |nI&jI#

1 |n'\#

|n'\1,a)mshvM.yxFq=Dms4,k(}g,0x14c012f2)#

kN< IBM Tivoli Access Manager Error Message Reference#KN<s+4.x

Fr.yxFzka)K Tivoli Access Manager ms{"DPm#

184 IBM Tivoli Access Manager for e-business: Plug-in for Web Servers /I8O

pdwpi-versionPv Tivoli Access Manager Plug-in for Web Servers 20Df>Mf(E"#

o(

pdwpi-version [–h] [–V] [–l | binary [binary ... ]]

N}

–h T>ozrC({"#

–l 8(PvyP~xFD~Df>(x;;Gm~|f>)D$Pm#

–VT> pdwpi-version ~xFD~Df>E"#

binary [binary]T>8(~xFD~Df>E",rg{;P8(~xFD~,rT>yPD~D

f>E"#

ICT

K|n;ZTB1!20?<:

v UNIX 53:

/opt/pdwebpi/bin/

v Z Windows 53O:

C:\Program Files\Tivoli\pdwebpi\bin\

1!qKG1!?<D20?<1,K5CLr;Z20?<BD bin ?<P(}g,

install_dir\bin\)#

5Xk

a5XTBKv4,k:

0 |nI&jI#

1 "zKms#

=< D. |nlYN< 185

pdwpicfg –action config

dC Tivoli Access Manager Plug-in for Web Servers#

o(

pdwpicfg –action config –admin_id admin_id –admin_pwd admin_pwd –auth_portauthorization_port_number –web_server {iis|iplanet|ihs|apache} –iis_filter {yes|no}–web_directory server_install_directory –vhosts virtual_host_id –ssl_enable {yes|no}–keyfile keyfile –key_pwd key_password –key_label key_label –ssl_port ssl_port_number

pdwpicfg –action config –interactive {yes|no}

pdwpicfg –action config –rspfile response_file

pdwpicfg –operations

pdwpicfg –help [ options]

pdwpicfg –usage

pdwpicfg –?

N}

–admin_id admin_id

8(\mC'j6((#G sec_master)#

–admin_pwd admin_pwd

8(\mC' admin_id D\k#

–auth_port authorization_port_number

8( authorization server DKZE#1!KZE5* 7237#

–help [options]Pv!n{FMrLhv#g{8(K;vr`v!n,|Pv?v!nM;vr

Lhv#

–interactive {yes|no}g{G yes,rT|ntC;%==;qrT|n{C;%==#1!5* yes#

–iis_filter {yes|no}g{G yes,rtC Internet Information Server(IIS)}K;qr,{C IIS }K#

–keyfile keyfile

8( LDAP SSL \?D~#;P1!5#4T;%==KPC|nRQZ Plug-in

for Web Servers M LDAP .dtC SSL 1,k8(K!n#

–key_label key_label

8( LDAP SSL \?j)#;P1!5#4T;%==KPC|nRQZ Plug-in

for Web Servers M LDAP .dtC SSL 1,k8(K!n#

–key_pwd key_password

8( LDAP SSL \?D~\k#

186 IBM Tivoli Access Manager for e-business: Plug-in for Web Servers /I8O

–operations;vS;vX;xhvPv?v!n{F#

–rspfile response_file

a) Plug-in for Web Servers l&D~D+^(76MD~{TZ2,20Zd9

C#l&D~ICZdCr!{dC#^1!l&D~{#l&D~|,ZM

option=value TZu?#*9Cl&D~,kND6IBM Tivoli Access Manager for

e-business Web Security 208O7PD}L#

–ssl_enable {yes|no}g{G yes,rtC9C LDAP D SSL (E;qr,{C9C LDAP D SSL (

E#1!5* yes#

–ssl_port ssl_port_number

8( LDAP SSL KZ#1!KZE5* 636#

–usageT>K|nD9Co(#9aT>;v>}#

–vhosts virtual_host_id

8(*#$Dibwz#C5Dq=&CGC:EVtD;5Pibwzj6#Z

ibwzj6.d;&PUq#

–web_directory server_install_directory

8( Web ~qw20?<#

–web_server {iis|iplanet|ihs|apache}8(20 Plug-in for Web Servers D Web ~qw`M#!n*:T Internet

Information Server 9C iis"T Sun ONE Server 9C iplanet "T IBM HTTP

Server 9C ihs rT Apache Server 9C apache#K!n1!*QdC Web ~

qwD`MM;C#

–? T>K|nD9Co(#9aT>;v>}#

ICT

K|n;ZTB1!20?<:

v UNIX 53:

/opt/pdwebpi/bin/

v Z Windows 53O:

C:\Program Files\Tivoli\pdwebpi\bin\

1!qKG1!?<D20?<1,K5CLr;Z20?<BD bin ?<P(}g,

install_dir\bin\)#

5Xk

a5XTBKv4,k:

0 |nI&jI#

1 |n'\#

|n'\1,a)mshvM.yxFq=Dms4,k(}g,0x14c012f2)#

kN< IBM Tivoli Access Manager Error Message Reference#KN<s+4.x

Fr.yxFzka)K Tivoli Access Manager ms{"DPm#

=< D. |nlYN< 187

pdwpicfg –action unconfig

!{ Tivoli Access Manager Plug-in for Web Servers DdC#

o(

pdwpicfg –action unconfig –admin_id admin_id –admin_pwd admin_pwd –force{yes|no} –remove {none|acls|objspace|all} –vhosts virtual_host_id

pdwpicfg –action unconfig –interactive {yes|no}

pdwpicfg –action unconfig –rspfile response_file

pdwpicfg –operations

pdwpicfg –help [ options]

pdwpicfg –usage

pdwpicfg –?

N}

–admin_id admin_id

8(\mC'j6((#G sec_master)#

–admin_pwd admin_pwd

8(\mC' admin_id D\k#

–force {yes|no}49^(,S policy server,2?F!{dCxLTLx#1!5G no#

–help [options]Pv!n{FMrLhv#g{8(K;vr`v!n,|Pv?v!nM;vr

Lhv#

–interactive {yes|no}g{G yes,rT|ntC;%==;qrT|n{C;%==#1!5* yes#

–operations;vS;vX;xhvPv?v!n{F#

–remove {none|acls|objspace|all}8(Gqw*!{dCxLD;?V}%TsUdM/r ACL#1!5* none#

–rspfile response_file

a) Plug-in for Web Servers l&D~D+^(76MD~{TZ2,20Zd9

C#l&D~ICZdCr!{dC#^1!l&D~{#l&D~|,ZM

option=value TZu?#*9Cl&D~,kND6IBM Tivoli Access Manager for

e-business Web Security 208O7PD}L#

–usageT>K|nD9Co(#9aT>;v>}#

188 IBM Tivoli Access Manager for e-business: Plug-in for Web Servers /I8O

-vhosts virtual_host_id

Specifies the identifiers of the virtual hosts to unconfigure. The value can be a comma-separated list of virtual host identifiers, with no spaces between the identifiers.

-?

Displays the usage syntax for this command and also shows an example.

Availability

This command is located in the following default installation directories:

• On UNIX systems:

/opt/pdwebpi/bin/

• On Windows systems:

C:\Program Files\Tivoli\pdwebpi\bin\

When a non-default installation directory was chosen at installation time, the utility is located in the bin directory under that installation directory (for example, install_dir\bin\).

Return codes

The following exit status codes are returned:

0 The command completed successfully.

1 The command failed.

When the command fails, an error description and an error status code in hexadecimal format (for example, 0x14c012f2) are provided. See the IBM Tivoli Access Manager Error Message Reference, which lists Tivoli Access Manager error messages by decimal or hexadecimal code.

Appendix E. Special characters permitted in regular expressions

The following table lists the special characters permitted in the regular expressions used in the pdwebpi.conf configuration file.

*  Matches 0 or more characters

?  Matches any single character

\  Escape character (for example, \? matches ?)

[acd]  Matches the character a, c, or d (case-sensitive)

[^acd]  Matches any character other than a, c, or d (case-sensitive)

[a-z]  Matches any character between a and z (lowercase letters)

[^0-9]  Matches any character not between 0 and 9 (non-digit)

[a-zA-Z]  Matches any character between a and z (lowercase) or A and Z (uppercase)
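The rules in the table above, as an added example that is not code from the IBM manual: a small case-sensitive matcher in Python that implements exactly these pattern elements. The sample patterns and paths in the main block are constructed for illustration and are not taken from any real pdwebpi.conf.

```python
# Added example (not part of the IBM manual): a case-sensitive matcher for the
# pattern syntax in the table above. Sample patterns below are constructed.

def _class_match(spec: str, ch: str) -> bool:
    """Return True if ch is accepted by a bracket class body such as
    'acd', '^acd', 'a-z', '^0-9' or 'a-zA-Z' (the text between [ and ])."""
    negate = spec.startswith('^')
    if negate:
        spec = spec[1:]
    hit = False
    i = 0
    while i < len(spec):
        if i + 2 < len(spec) and spec[i + 1] == '-':   # range lo-hi
            if spec[i] <= ch <= spec[i + 2]:
                hit = True
            i += 3
        else:                                           # single character
            if spec[i] == ch:
                hit = True
            i += 1
    return hit != negate


def _step(pattern: str, p: int, ch: str) -> int:
    """Try to consume one text character ch with the pattern element at
    pattern[p]. Return the index just past that element, or -1 on mismatch."""
    c = pattern[p]
    if c == '?':                                        # any single character
        return p + 1
    if c == '\\' and p + 1 < len(pattern):              # escaped literal
        return p + 2 if pattern[p + 1] == ch else -1
    if c == '[':
        end = pattern.find(']', p + 1)
        if end > p + 1:                                 # non-empty class
            return end + 1 if _class_match(pattern[p + 1:end], ch) else -1
    return p + 1 if c == ch else -1                     # ordinary literal


def matches(pattern: str, text: str) -> bool:
    """Case-sensitive match of the whole text against the pattern.
    '*' is handled by backtracking to the most recent star on mismatch."""
    p = t = 0
    star_p = star_t = -1
    while t < len(text):
        if p < len(pattern) and pattern[p] == '*':
            star_p, star_t = p, t                       # remember the star position
            p += 1
            continue
        if p < len(pattern):
            np_ = _step(pattern, p, text[t])
            if np_ >= 0:
                p, t = np_, t + 1
                continue
        if star_p < 0:                                  # no star to retry from
            return False
        star_t += 1                                     # star absorbs one more char
        t, p = star_t, star_p + 1
    while p < len(pattern) and pattern[p] == '*':       # trailing stars match empty
        p += 1
    return p == len(pattern)


if __name__ == '__main__':
    # Constructed sample patterns and URL paths, for illustration only.
    checks = [('/docs/*.html', '/docs/index.html'), ('/img/?.gif', '/img/ab.gif'),
              ('/cgi-bin/\\*', '/cgi-bin/*'), ('/user/[a-z][a-z0-9]*', '/user/Admin')]
    for pat, path in checks:
        print(f'{pat!r:28} {path!r:22} -> {matches(pat, path)}')
```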

© Copyright IBM Corp. 2000, 2003 191

Appendix F. Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, NY 10504-1785, U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation, Licensing, 2-31 Roppongi 3-chome, Minato-ku, Tokyo 106-0032, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions; therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product, and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation, 2Z4A/101, 11400 Burnet Road, Austin, TX 78758, U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems, and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements, or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility, or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

This information is for planning purposes only. The information herein is subject to change before the products described become available.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious, and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

If you are viewing this information in softcopy, the photographs and color illustrations may not appear.

Trademarks

The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both:

AIX

DB2

IBM

IBM (logo)

OS/390

SecureWay

Tivoli

Tivoli (logo)

Universal Database

WebSphere

z/OS

zSeries

Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Other company, product, and service names may be trademarks or service marks of others.

Glossary

2A3

2+\m(security management): ;V\m<x,+

3i/D\&/PZXFTCi/DI&\X|D&CL

rM}]yxPDCJ#

2+WSVc(secure sockets layer,SSL): a)(

E#\TD;V2+T-i#SSL 9M'z/~qw&C

Lr\;T3VhFC4@9T}"\DM1l{"D=

=xP(E#SSL GI Netscape Communications Corp. M

RSA Data Security, Inc *"D#

2B3

s((bind): 9j6kLrPDm;vTs`X;}

g,9j6k3v5"X7rm;vj6`X,r_9N

=N}k5JN}`X*#

#$6p(quality of protection): }]2+TD6

p,IO$"j{TM#\Tu~DiO7(#

2C3

Yw(action): ;VCJXFm(ACL)mI(tT#

m{CJXFm(access control list)#

_T(policy): &CZ\\J4D;ifr#

,D>+d-i(hypertext transfer protocol, HTTP): rXx-i/PCZ+d"T>,D

>D5D-i#

2D3

%;"a(single signon,SSO): C'G<;NM\

CJ`v&CLr"x^hVpG<=?v&CLrD\

&#m{+V"a(global signon)#

]}=O$(step-up authentication): ;V\#$T

s_T(POP),|@5Z$HdCDO$6pcNa

9,"y]J4OhCD_T5)X(6pDO$#]}

=O$ POP ;?FC'9C`vO$6pxPO$SxC

JNNx(J4,+*sC'AY9Ck#$CJ4D_

Ty*sD,HO$6pxPO$#

`74CzmLr(multiplexing proxy agent,MPA):

a)`vM'zCJD;VxX#1`vM'z9C WAP

CJ32+r1,b)xXP1;F*^_CJ-i

(Wireless Access Protocol,WAP)xX#xX("(r4

~qwD%vO$(@,"(}K(@dMyPM'zk

sMl&#

`rSO$(multi-factor authentication): ?FC'

9C=vr`vO$6pxPO$D;V\#$Ts_T

(POP)#}g,T3\#$J4DCJXFIT*sC

',19CC'{/\kMC'{/nF(PzkxPO

$#m{\#$Ts_T(protected object policy)#

2F3

CJXFm(access control list,ACL): ZFcz2

+TPk3vTs`X*D;vPm,|8vG)\;C

JCTsDyPweT0|GDCJ(#}g,CJXF

mGk3vD~X*DPm,CPmj6ITCJKD~

DC'"j6G)C'TKD~DCJ(#

CJXF(access control): ZFcz2+TP,7#

Fcz53DJ4;\IZ(C'TZ(==CJD}

L#

CJmI((access permission): JCZ{vTsD

CJX(#

~q(service): I~qwy4PDYw#~qITGT

*"Mrf"D}]xPDr%ks(}gTD~~q

w"HTTP ~qw"gSJ~~qwM8k~qwDk

s),2ITG|*4SDYw,}gr!~qwrxL

~qwDYw#

1>~qw(replica): |,m;v~qw;vr`v?

<D1>D~qw#1>~qw8]w~qw,Tcv?

T\ruLl&1d,"7#}]j{T#

2G3

+2xXSZ(common gateway interface,CGI): (

eX(E>DrXxj<,b)E>(} HTTP ksS

Web ~qwr&CLr+ME",4.`;# CGI E>G

;vCng PERL .`DE>`FoT`4D CGI Lr#

+C\?(public key): Fcz2+TPyPK<IC

D;V\?#k(C\?(private key)`T#

\m~q(administration service): ;VZ( API K

P1e~,IC4T Tivoli Access Manager J4\mw&

CLr4P\mks#\m~q+l& pdadmin |n"v

D6Lks,T4PngZ\#$TswPPvX(Zc

BDTs.`DNq#M'IT9CZ( ADK *"b)~

q#

\mr(management domain): ;v1!r,dP

Tivoli Access Manager ?F4PO$"Z(MCJXFD

2+_T#Cr4(ZdC policy server 1#m{r

(domain)#

fr(rule): ;ur`u_-od,b)od9B~~

qw\;6pB~.dDX5(B~`X),T0`&X

4PT/l&#

2H3

s:(suffix): j6>X#fD?<cNa9P%cu?

D;V(P{F#IZa?6?<CJ-i(LDAP)P

y9CD`T|{#=,Ks:JCZC?<cNa9P

D?vd|u?#;v?<~qwIT_P`vs:,?

;vs:<j6>X#fD?<cNa9#

2J3

y>O$(basic authentication): ;VO$=(,Z

ZhC'T32+Z_J4DCJ(.0*sC'dkP

'DC'{M\k#

yZxgDO$(network-based authentication): y

]C'DxJ-i(IP)X7XFTTsDCJD;V\

#$Ts_T(POP)#m{\#$Ts_T(protected

object policy)#

S\(encryption): ZFcz2+TP+}]*;*;

V^(bADN=D}L,9CK=(+^(q!-<}

]r_vI9Cb\}Lq!-<}]#

G+$n(role activation): TG+&CCJmI(D

}L#

G+8((role assignment): *C'8(G+D}L,

Sx9CC'_PTCG+y(eTsD`&DCJmI

(#

xLd(E(interprocess communication,IPC): (1)

Lrd%`(E",=dn/yhzDxL#Ej"EE

MZ?{"SPGxLd(ED#{=(# (2) ;VYw5

3zF,|CxL\;Z,;FczZr(}xgZ`%

.dxP(E#

2,20(silent installation): ;rXF("M{",

xGZU>D~Pf"{"MmsD;V20#Kb,2

,20IT9Cl&D~w*}]dk#m{l&D~

(response file)#

2K3

IluT(scalability): xg53T;Ov$DCJJ

4DC'}wvl&D\&#

IEy(trusted root): 2+WSVc(SSL)PO$P

D(CA)D+C\?T0X*D(P{F#

grO$~q(cross domain authentication service, CDAS): a)2mbzFD;V WebSEAL ~

q,9z\;+1!D WebSEAL O$zFf;*r

WebSEAL 5X Tivoli Access Manager m]D(FxL#

m{ WebSEAL#

gr3dr\(cross domain mapping framework, CDMF): ;V`LSZ,9*"_Z9C

WebSEAL gSgx SSO &\1\;TC'm]D3dT

0C'tTD&mxP(F#

2L3

,S(connection): (1) Z}](EP,("Z&\%

*.dCZ+ME"D;VX*# (2) Z TCP/IP P,Z

=v-i&CLr.da)I?}]w+]~qD;V7

6#ZrXxP,,SS;v53OD TCP &CLrSl

=m;v53OD TCP &CLr# (3) Z53(EP,I

TZ=v53.dr53kh8.d+]}]D;V_

7#

*a(junction): 0K WebSEAL ~qwMsK Web

&CLr~qw.dD;V HTTP r HTTPS ,S#

WebSEAL 9C*a4zmsK~qwa)#$TD~q#

nF(token): (1) VrxPD;V(^{E,|S;v

}]>,x+]=m;v>,T8>C>]1XF+di

J#?v}]><Pzaq!"9CnFTXFiJ#n

FGm>}+MmI(D;uX({"r;#=# (2) Vr

x(LAN)PX+diJS;vh8+]=m;vh8D

;rP#1nFs7S}]1,nFMI*!#

7ID~(routing file): |,XF{"dCD|nD;

V ASCII D~#

V/(polling): ;vxL,(}KxL(Z/J}]

b,T7(Gqh*+M}]#

2M3

E'x>(portal): ;V/ID Web >c,|y]X(

C'DCJmI(,/,zIICZCX(C'D Web J

4(}g4S"Z]r~q)D(FPm#

\k(cipher): ;VS\}],Z9C\?+d*;*

wk}](b\).0;IA#

\?T(key pair): Fcz2+TPD+C\?M(C

\?#1\?TCZS\1,"M=+9C+C\?TE

"xPS\,xSU=+9C(C\?TCE"xPb

\#1\?TCZ){1,){=+9C(C\?TE"

D3Vm>xPS\,xSU=+9C+C\?TCE"

DKVm>xPb\,Sxi$){#

\?7(key ring): Fcz2+TPD;VD~,|,

+C\?"(C\?"IEyM$i#

key database file: See key ring.

key file: See key ring.

\?(key): Fcz2+TPD;V{ErP,CZT}

]xPS\rb\D\kc(#kND(C\?(private

key)M+C\?(public key)#

#=(schema): T}](eoTm>D;iod,b)

odj{Xhv}]bDa9#ZX5}]bP,#=(

eKm"?vmPDVNMVNkm.dDX5#

?<#=(directory schema): ITZ?<PvVDP

'DtT`MMTs`#b)tT`MMTs`(eC?

<DtT5Do("XkfZDtTT0I\fZDt

T#

2P3

dC(configuration): (1) E"&m53Dm2~Di

/k%,==# (2) iI53"S53rxgDzw"h8

MLr#

>$^)~q(credentials modification service): ;

VIC4^D Tivoli Access Manager >$DZ( API K

P1e~#IM'Zb?*"D>$^)~qv^ZS>

$tTPm4PmSr}%Yw,"Rv^ZG)O*I

^DDtT#

>$(credential): ZO$}LPqCDj8E",hv

C'"NNiX*T0d|k2+T`XDm]tT#>

$ITCZ4Ps?~q,}gZ("sFM/I#

2Q3

(F(migration): 203LrDBf>rB"PfSx

f;OgDf>r"Pf#

a?6Z}=O$(lightweight third party authentication, LTPA): ;VO$r\,JmZrXx

rPD;i Web ~qwZxP%;"a#

a?6?<CJ-i(lightweight directory access protocol, LDAP): {OTBu~D*E-i:(a)9

C TCP/IP a)T'V X.500 #MD?<DCJ,R(b)

;}"T|*4SD X.500 ?<CJ-iDJ4*s#9

C LDAP D&CLr(F*tC?<D&CLr)IT+

?<w*+2}]f"9C,2IT+dCZlwXZv

Kr~qDE",}ggSJ~X7"+C\?rX(Z

~qDdCN}#LDAP nuGZ RFC 1777 P8(D#

LDAP V3 GZ RFC 2251 P8(D,R IETF 9ZLx

*"=SDj<&\#3) IETF (eD LDAP j<#=

ITZ RFC 2256 PR=#

+V"a(global signon,GSO): ;VinD%;"

abv=8,9C'\rsK Web &CLr~qwa)8

CC'{M\k#+V"a+Z(C'(}%;G<CJ

QZ(d9CDFcJ4# GSO G*3)sMs5hF

D,b)s5I&Zl9DV<=Fc73D`v53M

&CLr9I,GSO 9C';X\m`vC'{M\k#

m{%;"a(single signon)#

2R3

O$PD(certificate authority,CA): )"$iDi

/#O$PDT$iyP_m]T0Z(CyP_9CD

~qxPO$")"B$i"x)VP$i,T07zt

Z;YZ(dLx9C$iDC'D$i#

O$(authentication): (1) ZFcz2+TP,TC'

m]rC'CJTsDJqDi$# (2) ZFcz2+T

P,i${"GqP4|Drp5# (3) ZFcz2+T

P,CZi$E"53r\#$J4DC'D}L#m{

`rSO$(multi-factor authentication)"yZxgDO$

(network-based authentication)M]}=O$(step-up

authentication)#

]wTs(container object): +TsUdi/*;,

D&\xrDa9/8(#

2S3

X$Lr(daemon): ;v^KU\KPDLr,CZ

4P,xDr\ZTD"536'ZDNq,gxgX

F#P)X$Lr\T/%"4PdNq;xP)r\Z

TKw#

\#$Ts_T(protected object policy,POP): ;

V2+_T,+=Su~?SZ ACL _TJmDYw,T

CJ\#$DTs#J4\mw:p?F4P POP u~#

m{CJXFm(access control list,ACL) "\#$Ts

(protected object)M\#$TsUd(protected object

space)#

\#$TsUd(protected object space): 5J53

J4DibTsm>,|CZ&C ACL M POP T0Z(

C'CJ#m{\#$Ts(protected object)M\#$T

s_T(protected object policy)#

\#$Ts(protected object): 5J53J4D_-

m>,|CZ&C ACL M POP T0Z(C'CJ#m{

\#$Ts_T(protected object policy)M\#$TsU

d(protected object space)#

Z(~qe~(authorization service plug-in): ;v

I/,0kDb(DLL r2mb),ITI Tivoli Access

Manager Z( API KP1M'zZu</WN0k,T4

PZZ( API P)9~qSZDYw#10ICD~qS

Z|(\m"b?Z(">$^D"Z(M PAC YwS

Z#M'IT9CZ( ADK *"b)~q#

Z(~q(entitlement service): ;VICZSwer

u~/Db?45XZ(DZ( API KP1e~#Z((

#GX(Z&CLrD}],|+IJ4\mw&CLr

T3VN=9C,rmSAweD>$P,TcZZ(x

LPx;=9C#M'IT9CZ( ADK(Authorization

ADK)*"b)~q#

authorization rule: See rule.

Z((authorization): (1) ZFcz2+TP,ZhC

'k3Fcz53(Er9C3Fcz53D(^# (2) Z

hC'T3vTs"J4r&\Dj+r^FCJ(D}

L#

Z((entitlement): |,_e/D2+_TE"D}]

a9#Z(|,9CX(&CLrImbD==xPq=

/D_T}]M\&#

tTPm(attribute list): |,CZxPZ(v_D)

9E"D4SPm#tTPmGI;i name = value Ti

ID#

}V){(digital signature): ZgSLqP7S=3

}]%*rG3}]%*-}\k*;xID;V}],

9C}]%*DSU=\;i$C%*D4Mj{T"6

pI\vVD1l}]#

2T3

X(tT$i~q(privilege attribute certificate service): +$(q=D PAC *;* Tivoli Access

Manager >$(4.`;)D;VZ( API KP1M'z

e~#b)~q2ITCZ*+d=2+rDd|I1x

T Tivoli Access Manager >$xPb0r}]`k#M'

IT9CZ( ADK(Authorization ADK)*"b)~q#

m{X(tT$i(privilege attribute certificate)#

X(tT$i(privilege attribute certificate): |,

weDO$"Z(tTMwe\&D}VD5#

3;J4j6(uniform resource identifier,URI): C

ZZrXxOj6Z]DV{.,|(J4{F(?<{

MD~{)"J4;C(?<{MD~{yZDFcz)

T0gNCJJ4(-i,}g HTTP)# URI D>}G

3;J4(;w,r URL#

3;J4(;w(uniform resource locator,URL):

m>FczOrxg(}grXx)PE"J4DV{r

P#KV{rP|,:(a)CZCJCE"J4D-i

Dr4{F,T0(b)C-iCZ(;KE"J4DE

"#}g,ZrXxOBDP,TBb)GCZCJwV

E"J4D3)-iDr4{F:

http"ftp"gopher"telnet M news;xTBbvrG IBM w

3D URL:http://www.ibm.com#

2W3

b?Z(~q(external authorization service): ;V

Z( API KP1e~,IC49X(Z&CLrr73D

Z(v_I* Tivoli Access Manager Z(v_4D;?

V#M'IT9CZ( ADK *"b)~q#

xJ-i(Internet Protocol,IP): rXx-i/PD

;V^,S-i,(}xgr%,xg7I}],"d1

O_-ickomxg.dD=i#

D~+d-i(file transfer protocol,FTP): ZrX

x-i/P,9C+dXF-i(TCP)M Telnet ~qZ

zwrwz.d+dz?}]D~D;V&CLrc-

i#

2X3

l&D~(response file): |,TLryaJbD;i

$(eXpDD~,9CKD~M^h?NdkG)5P

.;#

ibw\(virtual hosting): Web ~qwD;V\&,

9d\;TrXxmV*`vwz#

mI((permission): CJ\#$Ts(}gD~r?

<)D\&#TsmI(D}?M,eGICJXFm

(ACL)(eD#m{CJXFm(access control list, ACL)#

2Y3

5qZ((business entitlement): C'>$D9dt

T,CtThvICZTJ4DZ(ksD+8u~#

rXx-i/(Internet suite of protocols): *Zr

XxO9Cx*"D;i-i,(}rXx$LNqi/

(Internet Engineering Task Force,IETF)Tj<]8

(RFC)D=="<#

user registry: See registry.

C'(user): 9CId|Tsya)~qDNNvK"

i/"xL"h8"Lr"-ir53#

r{(domain name): rXx-i/Pwz53D{

F#r{I;PT(gV{VtDS{iI#}g,g{

wz53D+^(r{(FQDN)G

as400.rchland.vnet.ibm.com,rTB?v{F<Gr{:

as400.rchland.vnet.ibm.com"vnet.ibm.com"ibm.com#

r(domain): (1) 2m+2~qR(#p+2C>wC

DC'"53MJ4D_-Vi# (2) FczxgD;?

V,ZdP}]&mJ4S\+2XF#m{r{

(domain name)#

*}](metadata): hvyf"}]DXwD}]#

KP1(run time): 4PFczLrD1dN#KP1

73G;V4P73#

2Z3

$i(certificate): Fcz2+TPD;V}VD5,|

++C\?s(=$iyP_m],Sx9$iyP_\

;;O$#$iGIO$PD)"D#

wz(host): ,S=3vxg(}grXxr SNA x

g)"a)=CxgDCJcDFcz#Kb,wzIT

y]73a)TxgD/PXF#wzITGM'z"~

qwr,1w*M'zM~qw#

"am(registry): |,C'"53Mm~DCJ0dC

E"D}]f"#

(C\?(private key): Fcz2+TPvyP_*~

D;V\?#k+C\?(public key)`T#

(P{F(distinguished name,DN): (;j6?<

Pu?D{F#(P{FItT:5TiI,ddC:EV

t#

J4Ts(resource object): 5JxgJ4(}g~

q"D~MLr)Dm>#

T"a(self-registration): G;V}L,ZdPC'I

Tdk*sD}]"I* Tivoli Access Manager D"aC

',x^h\m1DNk#

A

ACL: See access control list (ACL).

B

BA: See basic authentication.

blade: A component that provides application-specific services and components.

C

CA: See certificate authority.

CDAS: See Cross Domain Authentication Service.

CDMF: See Cross Domain Mapping Framework.

CGI: See common gateway interface.

cookie: Information that a server stores on a client and accesses during subsequent sessions. Cookies allow a server to remember specific information about a client.

D

DN: See distinguished name.

E

EAS: See External Authorization Service.

G

GSO: See global signon.

H

HTTP: See Hypertext Transfer Protocol.

I

IP: See Internet Protocol.

IPC: See Interprocess Communication.

L

LDAP: See Lightweight Directory Access Protocol.

LTPA: See lightweight third party authentication.

M

management server: Deprecated. See policy server.

P

PAC: See privilege attribute certificate.

policy server: The Tivoli Access Manager server that maintains location information about the other servers in the secure domain.

POP: See protected object policy.

R

RSA encryption: A public-key encryption system used for encryption and authentication. The system was invented in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman. Its security depends on the difficulty of factoring the product of two large prime numbers.

S

SSL: See Secure Sockets Layer.

SSO: See Single Signon.

U

URI: See uniform resource identifier.

URL: See uniform resource locator.

W

Web Portal Manager (WPM): A Web-based graphical application used to manage Tivoli Access Manager Base and WebSEAL security policy in a secure domain. An alternative to the pdadmin command-line interface, this GUI supports remote administrator access and enables administrators to create delegated user domains and assign delegated administrators to those domains.

WebSEAL: A Tivoli Access Manager blade program. WebSEAL is a high-performance, multithreaded Web server that applies security policy to the protected object space. WebSEAL can provide single signon solutions and integrate back-end Web application server resources into its security policy.

WPM: See Web Portal Manager.

Index

[A]2+T_T 3

20?< 7

[B]#$6p POP _T 109

8] 153

>XO$N} 50

jG5 89, 92

m%

%;"a 120

m%O$ 55

[C]_T

#$6p POP 109

XBO$ 106

4(M&C 107

u~ 107

G< 100

]} 103

yZxgDO$ POP 108

XF4O$C' 110

\k 101

O$?H POP 103

C'M+V 103

ACL 97, 99

IP X7 108

e~

2+T_T 3

20?< 7

&\ 3

j'V 10

dC 11

t/M#9 9

ks&m 35

O$ 3

HTTP ms{" 9

e~xLw 1

,1

_Y:fGn/ 46

XBO$ 106

4( BA 7 56

ms{" 9

ms3f

dC 11

ms,* IIS (F 9

[D]%;"a

m% 120

=zm 116

gSgx 132

En 113

gr 127

9CJO*F cookie 117

9C HTTP 7 114

9C LTPA cookie 115

9C SPNEGO 62

GSO 118

SPNEGO 120

WebSEAL 116

Windows 63

G<

?F 110

G<_T 100

G<sX(r 88

]} 103

tC 104

^F 105

I IP X7{C 109

gSgx%;"a

Ev 132

&\M*s 132

S\$5DnF 135

xLw 133

dC 135

dC>} 139

>} 139

cookie 134

/, ADI lw 150

/, URL

CJXF 145

TsPm 17

`74CzmLr 93

`rSO$ 106

`oT'V 32

[G]Ev

ks&m}L 35

_Y:f

}]bhC 30

_Y:fGn/,1 46

_Y:f}]b 26

y?< 7

zY 28

zY (x)

pdadmin |n 29

&\ 3

$wLr_L,dC 11

JO-r

a) 150

JOoO

Kerberos 67

SPNEGO 67

JO*FO$ 70

b 72

dC 76

}6 76

rsf]T 75

r6' 75

JO*F cookie 70, 73, 74

%;"a 117

S\/b\ cookie }] 78

dC cookie zfZ 78

tCr6'ZD cookie 82

[H]j'V 10

sK&CLr

,$a04, 143

a0j6 35

a0,1 46

a0XBO$4; 46

a0_Y:f 45

a04,

\m 44

9Ca0 cookie 47

9Cy>O$ 47

9C HTTP 7 48

9C IP X7 49

9C iv 7 49

9C SSL a0j6 47

,$ 143

a0 cookie 47

[J]y>O$ 47, 53

yZxgDO$ POP _T 108

G< 26

Z,dCD~ 157

bMDibwzV' 14

[K]gr

%;"a 127

)9X(tT$i(EPAC) 4

[L]nF 58

nFO$ 58

nFl&3f 61

[M]\k_T 101

|n 181

|D\k 51

"z 51

help 51

#i 37

lYN< 175

[N]d{M'z&m 110

[P]dC

N}

#f 157

zm 169

a0 168

O$ 160

Z( API 170

X(Z Web ~qw 171

LDAP 169

e~ 8

ms3f 11

G<X(r 88

gSgx%;"a 135

TZ Web ~qw 15

~qwX( 15

_Y:f 30

_Y:f}]b 26

a0Da0 cookie 47

a0D HTTP 7 48

a0D iv 7 49

a0D SSL a0j6 47

a0/>$_Y:f 45

Z 157

nFl&3f 61

>$"B 30

P;C' 19

1!5 51

O$ 37

=( 39

O$Dy>O$ 53

O$=( 51

O$Ev 50

O$ibwz 38

dC (x)

U> 26

sF 28

sFU> 26

Z(~qw 11

Z(s 43

ibwz 12

CZa0Dy>O$ 47

CZO$Dm% 55

CZO$DJO*F cookie 70

CZO$DnF 58

CZO$D HTTP 7 85

CZO$D IP X7 87

CZO$D IV 7 83

CZZ(sDjG5 89, 92

$iO$ 57

API ~q 30

HTTP ks_Y:f 31

IP X7 49

Kerberos 65

LDAP DJO*F 23

LTPA cookie CZO$ 88

NTLM O$ 68

P3P 24

pdwebpimgr.conf 9

pdwebpi.conf 8

SPNEGO CZO$ 62

Web ~qwO$ 69

>$

q! 4

>$"B 30

[Q]t/e~ 9

P;C'

xLw 19

dC 18

tC 19

0l 22

ks&m}L

Ev 35

+V%;"a - GSO 118

[R]O$ 35

m% 55

N} 160

]} 103

`rS 106

=( 39

lYN< 175

3r 39

Ev 3

O$ (x)

yZxgD POP _T 108

?D 4

dCEv 37, 50

9CJO*F cookie 70

9Cy>O$ 53

9CnF 58

9C$i 57

9C HTTP 7 85

9C IP X7 87

9C IV 7 83

9C LTPA cookie 88

9C SPNEGO 62

ibwzDdC 38

NTLM 68

Web ~qw 69

O$=( 51

O$zF 50

m% 55

y>O$ 53

nF 61

P;C' 20

9C IP X7 87

9C IV 7 85

$i 58

HTTP 7 86

O$xL 36

O$#i

lYN< 175

O$?H POP

IP X7 103

O$}6}L 36

O$aJ

xLw 43

[S]sF 26

sFG< 27

5CLr

pdwebpi 184

pdwebpi_start 182

pdwpicfg -action config 186

pdwpicfg -action unconfig 188

pdwpi-version 185

Z(~qw

dC 11

Z(}L 36

Z(s

G<X(r 88

9CjG5 89, 92

Z(s&m 36, 43

Z(v_E"

Ev 147

lw 148

dClw 150

Z(0&m 36

[T]XbV{ 191

e5a9 1

#9e~ 9

7

P3P 23

7`M

8( 86

[W]4O$D HTTPS 110

4O$C' 110

C_TXF 110

[X]`Xvfo xvii

l&&m 36

ibwz

dC 12

O$dC 38

'V 2

mI(

ACL 99

WebDAV 99

[Y]~==(7 23

&C4O$ HTTPS 110

oT

'V 32

r{F,hC 53

[Z]}rmo= 191

$5

nF 135

nFS\ 135

ksM&p 134

$i 57

U9C'a0 144

i~ 1

Aaccept N} 84

acct-locked-page N} 11

ACL _T 97

ACL _T (x)

1!5 99

ACL mI( 99

add-hdr 54

ADI 147

allow-login-retry 137

AMWebARS

dC 151

Apache

"bBn 16

API ~q 30

audit configuration 28

auditcfg N} 28

auditlog N} 28

authentication-levels stanza 39

BBA 7

&m 53

UTF-8 `k 57

branch N} 13

Ccache-definitions 93

cache-refresh-interval 93

cache-refresh-interval N} 30

CDAS O$N} 50

CDSSO 127

tC 129

cdsso >$tT 130

cdsso_key_gen 78

cert-cdas N} 50

cert-ssl N} 50

cleanup-interval N} 11

common-modules Z 37

create-ba-hdr 56

cred-ext-attrs 92

Ddb-file N} 30

doc-root 15

dynurl 145

Eecsso >$tT 138

ecsso r\? 137

enable-failover-cookie-for-domain 82

EPAC 4

error-page N} 11

e-community-name 135

Ffailover-cdsso 77

failover-certificate 77

failover-cookies-keyfile 78

failover-cookie-lifetime 78

failover-http-request 77

failover-password 77

failover-token-card 77

Ggenerate N} 84

GSO 118

HHTML l&m% 56

HTTP ms{" 9

HTTP ks_Y:f 31

HTTP 7 48

%;"a 114

O$ 85

http-request N} 50

Iid N} 11, 13

IHS

"bBn 16

ihs

X(dC 15

IIS

"bBn 16

iis

X(dC 15

IIS ms

(F 9

IP X7 49, 87

IP X7M6' 108

iplanet NDSun ONE 15

is-master-authn-server 135

IV 7 114

O$ 83

UTF-8 `k 85

iv 7 49

iv-creds 84

iv-groups 84

iv-remote-address 84

iv-user 84

iv-user-l 84

KKerberos 64

LLDAP

)9tT 89, 92

dCJO*F 23

LDAP DJO*F 23

LDAP,dCN} 169

ldap-ext-cred-tags stanza 92

libfailoverauthn 2mb 77

listen-flags N} 30

logaudit N} 28

logflush N} 28

login-form 56

login-redirect 88

login-success N} 11

login-uri 56

logsize N} 28

log-file 15

LTPA

Z(s&m 88

LTPA cookie 88, 115

ltpa-keyfile 88

ltpa-password 88

ltpa-stash-file 88

Mmaster-authn-server 136

master-https-port 137

master-http-port 136

max-entries N} 45

max-session-lifetime 11

max-session-lifetime N} 11

modules Z 37

modules dC 37

MPA 93

NNTLM O$ 68

number-of-workers N} 11

PP3P 23

dC 24

passwd-cdas N} 50

passwd-ldap N} 50

pdbackup 153

pdwebpi 184

pdwebpimgr.conf 9

pdwebpi.conf 8

pdwebpi_start 182

pdweb-plugin Z 12

pdweb-plugins Z 15

pdwpicfg -action config 186

pdwpicfg -action unconfig 188

pdwpi-version 185

pkmshelp 52

pkmslogout 52

pkmspasswd 52

POP _T

#$6p 109

XBO$ 106

yZxgDO$ 108

O$?H - ]} 103

c( 109

protocols N} 13

proxy-if Z 11

Qquery-contents 15

query-log-file 15

Rreauth-grace-period 46

reauth-lifetime-reset 46

retry-limit-reached-page N} 11

Ssessions Z 45

SPNEGO 62, 120

%;"a 62

tC 66

SSL a0j6 47

strip-hdr 54

Sun ONE

X(dC 15

supply-password 54

supply-username 54

Ttimeout N} 11

token-cdas N} 50

Uunprotected-virtual-host N} 12

use-utf8 137

Vvf-argument 137

vf-token-lifetime 137

vf-url 137

virtual-host N} 12

WWeb ~qwO$ 69

WebDAV mI( 99

WebSEAL

%;"a= 116

worker-size N} 11

Printed in China

S152-0813-00