Tivoli SecureWay Policy Director WebSEAL Administration Guide


1 Tivoli SecureWay Policy Director WebSEAL 3.8


4 4mU! \q"*hs\q,5]<h9k=jr4hqkjk0k"xc-v`yk"kll*j \^Ke"kKX9k4U+d46[O"!N URL J*" \ IBM /TN^Ke"kO$s?<MCHP3Gb4X~$?@1^9#\7/O NV4m8KD$FWr4w/@5$# (URL O"Q9KJklg,"j^9)!6 5' GC Tivoli SecureWay Policy Director WebSEAL Administration Guide Version 3.8!/ T' \"$&S<&(`t0qR!4 v' J7gJk&is2<8&5]<H h1~ N8qGO"?.@+N W3"?.@+N W9"?.Q47C/N W3"?.Q47C/N W5"*hS?.Q47C/N W7rHQ7F$^9#3N (qn*) O"(b) \,J(qH HQ@sryk7HQ7F$kbNG9#U)sHH7F5G#=9k3HOX_5lF$^ 9# * W3 W9 W3 W5 W7 Copyright IBM Japan 2001

5 xn"=( Copyright IBM Corporation All rights reserved. 3NWm0i`O"Tivoli Systems jj NVTivoli Systems Software License AgreementW^?O IBM VTivoli =JKX9k,'WK>CFN_HQG-^9# IBM Corporation +inqlkhk v0n1u,"klgr -"\qn$+jkt,b"er*"!#*"'$*"wx*"j nh^?o=n>n$+jka0^?ojjkhcfb"#="w.">l"]8"!w79 Corporation O"*RM4+H,HQ9k\*GO<I3T<^?O!#DID=J8qN#= *rn.9k)b5l?"xrvz7^9,"=n#=*ko9yf"ibm Corporation Nxn "=(ru9kbnh7^9#xn"kpe/=n>n"xo"ibm Corporation NqLKhk v0nvzj7ku?5lk3ho"j^;s#\qo"8:*jhqru^9kbngoj /"^?"Cj*H7F=89k^^NuVGs!5l"&J-N]Z"Cj\*,g-N] b,q5l^;s#3n8qko"&j-n]z"cj\*,g-n]z*hs!'enls 4]U$r^a"$+Jk]Zb,Q5l^;s# &8 IBM"IBM m4"tivoli"tivoli m4"aix" Cross-Site"NetView"OS/2"Planet Tivoli" RS/6000"Tivoli Certified"Tivoli Enterprise" Tivoli Enterprise Console"Tivoli Ready"*hS TME O" IBM ^?O Tivoli Systems Inc. NFq*hS=N>NqK*1k&8^?OP?& 8G9# Microsoft"Windows"Windows NT"*hS Windows m4o Microsoft Corporation NFq*h S=N>NqK*1k&8G9# UNIX O"The Open Group,i$;s97F$kFq*hS=N>NqK*1kP?&8G 9# Java *hs9yfn Java X"N&8*hSm4O" Sun Microsystems, Inc. NF q*hs=n>nqk*1k&8g9# Tivoli SecureWay Policy Director WebSEAL I},$I iii

6 C-v` \qk*$f" \GO/=5lF$J$ Tivoli Systems ^?O IBM N=J"Wm0i`" Nh&J Tivoli Systems ^?O IBM N=J"Wm0i`"^?O5<S9r \G/=9k U^,"k3Hr,:7b(9bNGO"j^;s#\qG"Tivoli Systems ^?O IBM N= 0i`"^?O5<S9N_,HQD=G"k3HrU#9kbNGO"j^;s#3liN =J"Wm0i`"^?O5<S9Ke(F" Tivoli Systems ^?O IBM NN*j-"r/ 29k3HNJ$!=*K1yJ>RN=J"Wm0i`"^?O5<S9rHQ9k3H, Systems -"3liN=J"W -^9# Tivoli Systems ^?O IBM (C vpjr^`)"&8""^?oxn"rj-7f$klg,"j^9#\qns!o"*rm K3liNCv"KD$FB\"rvz9k3HrU#9kbNGO"j^;s#B\""H ) l~tah;\z 3 z\ 2-31 AP vhj IBM World Trade Asia Corporation Intellectual Property Law & Licensing iv P<8gs 3.8

7 ^(,-... xv \qnp]t... xv \qn=.... xvi qnn,'.... xvii Policy Director NX"qA... xviii *RM5]<HXNd$go;... xviii h1o WebSEAL N5b... 1 WebSEAL Khk Web 9Z<9N]n sFsD&?$W*hS]nlYkN1L... 4 ;-ejf#<&]j7<nwh*hs$swjash... 5 WebSEAL 'ZNb@... 6 'ZN4<k... 8 /jgs7cknh@nb@... 9 H%C"0-Z@q (EPAC) WebSEAL 8cs/7gsNb@ WebSEAL 8cs/7gs*hS Web 5$HNH%FW h2o WebSEAL 5<P<= <P<NlLps webseald.conf =.U!$kNRp WebSEAL,$s9H<k5lF$kk<H&G#l/Hj< WebSEAL Server Nk<H&G#l/Hj< WebSEAL N+O*hSd_ L.Qia<?<N= HTTP WaQN WebSEAL N= HTTPS WaQN WebSEAL N= CjN SSL P<8gsN\3N)B HTTP H HTTPS No<+<&9lCIN= Tivoli SecureWay Policy Director WebSEAL I},$I v

8 HTTP/HTTPS L.QN?$`"&H&Qia<?< ICN WebSEAL 5<P<&?$`"&H&Qia<?< Web 9Z<9NI} Web 8qDj<Nk<H&G#l/Hj< G#l/Hj<wzU1N= Windows: CGI Wm0i`QNU!$k?>,' Web 8q-cC7eN= HTTP (i<&ac;<8n= ^/m&5]<h ?` HTML Z<8NI} ?`&Z<8NQia<?<*hSM ?` HTML Z<8-R GSKit 43 WebSEAL QN-<&G<?Y<9&Qia<?<N= ikeyman 47 CRL!:N= ]nlykngu)khjan= D9N[9H*hSMCHo</QN QOP N= vdg<?y<9n97*hs]<js0n= LN listen N= vdg<?y<9&]<js0n= UmsH(sI WebSEAL 5<P<N#= ` HTTP m.s0n= HTTP m.s0nhqd== / HQTD=... 55?$`&9?sW&?$WNXj m0&u!$k&m<k*<p<7-$mnxj m0&u!$k&pcu!<nuic7eqynxj request.log K-?5lk3sFsDN95N= HTTP &Lm0A0 (request.log Q) request.log U!$kN=( vi P<8gs 3.8

9 agent.log U!$kN=( referer.log N=( h3o WebSEAL ;-ejf#<&]j7< WebSEAL G-N ACL ]j7< /WebSEAL/<host> /WebSEAL/<host>/<file> WebSEAL ACL vd GU)kH /WebSEAL ACL ]j7< j<&9Hi$/&m0$s&]j7< ^sI= Q9o<I&9Hls09&]j7< pdadmin f<f#jf#<khj_j5lkq9o<i&9hls0 9&]j7< ^sI= zjq9o<ih5zjq9o<inc CjNf<6<KP9k_jH0m<Pk_j 'Z9Hls09 POP ]j7< (9FCW"CW) FCW"CW'ZKP9klYkN= FCW"CW'ZNHQD== FCW"CW&m0$sq FCW"CW'Z"k4j:` FCW"CW'Z}0H)B MCHo</&Y<9N'Z POP ]j7< 'ZlYkN= IP "Il9HOONXj IP "Il9Khk9FCW"CW'ZNHQTD= MCHo</&Y<9N'Z"k4j:` MCHo</&Y<9N'ZNmU*hS)B POP ]j7<n]nnja s'zf<6<nh} (HTTP/HTTPS) Tivoli SecureWay Policy Director WebSEAL I},$I vii

10 ?>/i$"sh+inwanh} f<6<&m0$sn/) s'z HTTPS N"Wj1<7gs ACL/POP ]j7<khks'zf<6<n3shm<k h4o WebSEAL 'Z ]<H5lF$k;C7gs&G<?&?$W ]<H5lk'Z} \YJ=.psN2H ;C7gsuVNI} GSKit *hs WebSEAL ;C7gs&-cC7e WebSEAL /jgs7ck&-cc7en= GSKit SSL ;C7gs ID -cc7en= ;C7gs Cookie KhkuVN]} zj;c7gs ID G<?&?$WN=L U'$k*<P< Cookie N= 'Z=.N5W m<+k'zqia<?< t+9?` CDAS 'ZQia<?< WebSEAL 'ZNGU)kH= ?E'Z}0N= m0$snwmswh m0"&h*hsq9o<iq93^si p\'zn= p\'znhqd==*hshqtd= lk`>n_j p\'za+k:`n= =.ro q0'zn= q0'znhqd==*hshqtd= viii P<8gs 3.8

11 q0'za+k:`n= =.ro HTML ~zq0n+9?^$: XJ: 113 WebSEAL =.ro HTTP 117 HTTP HTTP 119 =.ro IP "Il9'ZN= IP "Il9'ZNHQD==*hSHQTD= IP "Il9'Za+K:`N= H</s'ZN= H</s'ZNHQD==*hSHQTD= H</s'Za+K:`N= ?E}0Wm-7<&(<8'sHN5]<H zj;c7gs&g<?&?$wh'z} MPA *hs#t/i$"shn'zwm;9&um< MPA 'ZNHQD==*hSHQTD= MPA Nf<6<&"+&sHrn.9k MPA "+&shr webseal-mpa-servers 0k<WKIC9k MPA 'ZKD$FN)Bv` h5o /m9ia$s&5$s*s&=je<7gs CDSSO 'ZN= ?` CDMF &Qi$Vij<N}g Tivoli SecureWay Policy Director WebSEAL I},$I ix

12 CDMF rhq7? CDSSO N'ZWm;9&Um< CDSSO 'ZNHQD==*hSHQTD= CDSSO 'Za+K:`N= 'ZH</s&G<?NEf= H</s&?$`&9?sWN= CDSSO HTML js/n== 'ZH</sN]n e-community 7s0k&5$s*sN= e-community N!=*hSWo e-community Wm;9&Um< e-community Cookie V]ZWH</sNEf= e-community N= h6o WebSEAL 8cs/7gs WebSEAL 8cs/7gsKD$FN5W cs/7gs&G<?Y<9NljHA g^+j"/;9&3shm<kn,q: Ws Y+$"/;9&3sHm<kN,Q: Ws WebSEAL 8cs/7gsrn.9k?aNXK WebSEAL O#tN8cs/7gsKo?k HTTP 1.0 N_r5]< H WebSEAL 8cs/7gsNICjU!ls Vpdadmin server taskwrhq7?8cs/7gsnn p\ WebSEAL 8cs/7gsN= TCP?$WN8cs/7gs SSL?$WN8cs/7gs j_'z5lk SSL 8cs/7gs WebSEAL 164 1L> (DN) NM-go; x P<8gs 3.8

13 WebSEAL 'Z BA WebSEAL 'Z cs/7gsVKo?k/i$"sH1LNh} TCP *hs SSL NWm-7<&8cs/7gsNn SSL rp7? WebSEAL +i WebSEAL XN8cs/7gs IC8cs/7gs&*W7gs ,8cs/7gsN/) (-f) HTTP (-c) HTTP IP "Il9Ns! (-r) cs/7gsh]<?k&5<P<XN;C7gs Cookie Nw. (-k) g8z.8zrhl7j$ URL N5]<H (-i) /jWH*hS/i$"sH&"Wj1<7gsN URL Nh} (-j) 178 8cs/7gs&^CTs0Khk5<P<jP URL Nh} F<HUk&8cs/7gs&5]<H (-s"-u) F<HUk&8cs/7gsN?aNPC/(sI&5<P< UUID NXj Windows U!$k&79F`XN8cs/7gs (-w) WebSEAL 192 #tn5<p<n1l8cs/7gsxn^&sh cs/7gsh5<P<+iNE* HTML URL NU#k?< #tn8cs/7gsko?cfvdrb\9klgnc h0t5<p<k*1k query_contents NHQ query_contents r$s9h<k9k h0t UNIX 5<P<XN query_contents N$s9H<k h0t Win32 5<P<XN query_contents N$s9H<k query_contents N+9?^$: query_contents N]n h7o Web 7s0k&5$s*s&=je<7gs s0k&5$s*s&=je<7gsN?aN BA 203 Tivoli SecureWay Policy Director WebSEAL I},$I xi

14 7s0k&5$s*s (SSO) N BA 204 /i$"sh1l*hsmnq9o<ins! N/i$"sH BA 208 /i$"sh BA n GSO +inf<6<>hq9o<ins! m<Pk&5$s*s (GSO) NHQ 'ZpsN^CTs GSO HQD== WebSEAL 8cs/7gsN= GSO -cc7en= IBM WebSphere (LTPA) XN7s0k&5$s*s LTPA 8cs/7gsN= LTPA -cc7en= LTPA 219 h8o "Wj1<7gsN}g CGI Wm0i_s0N5]<H Windows: WIN32 D-QtN5]<H PC/(sI&5<P<&"Wj1<7gsN5]<H *S8M9qJNHQD== LDAP G<?+iNS8M9qJNn ?`DMps_j5<S DMps_j5<S9N?aN WebSEAL N= DMps_j5<S9Nc * URL XN"/;9&3sHm<kNs! * URL 3s]<MsH ACL *V8'/HN0* URL XN^CTs * URL QN WebSEAL N *V8'/H&9Z<9K*1k0* URL Nrh POST WaN)BN= xii P<8gs 3.8

15 0* URL Nc: The Travel Kingdom RNlg "Wj1<7gs $s?<u'< ;-ejf#<&]j7< ;-e"&/i$"sh "/;9&3sHm<k U?A. webseald.conf rb U?B. WebSEAL 8cs/7gsrb Vpdadmin server taskwrhq7?8cs/7gsnn Junction 3^sI i 5<P<QN7,8cs/7gsNn {8N8cs/7gsXN7?J5<P<NIC U?C. ikeyman KhkZ@qNI} ikeyman f<f#jf#<n+o GU)kH WebSEAL -<&G<?Y<9N*<Ws ,-<&G<?Y<9Nn ,+Jp>G#8?kZ@qNn ,k<H CA Z@qNIC k<h CA Z@qNo G<?Y<9VGNZ@qN3T< U!$kXNZ@qNjP"U!$k+iNZ@qNIC G<?Y<9+iZ@qr>\$s]<H9k G<?Y<9KZ@qr>\(/9]<H9k <P<Z@qNWa G#8?kZ@qNu1hj G#8?kZ@qNo ,GU)kHZ@qNdjvF Tivoli SecureWay Policy Director WebSEAL I},$I xiii

16 G<?Y<9&Q9o<INQ wz xiv P<8gs 3.8

17 Tivoli SecureWay Policy Director WebSEAL I},$I Kh&3=# Tivoli SecureWay Policy Director WebSEAL O"Web ry<9h9k j=<9k~1? Policy Director j=<9&;-ejf#<&^m< 8c<G9#WebSEAL O"O$QU)<^s9G+D^kA9lC I=5l? Web 5<P<G"j"]n Web *V8'/H&9Z< 9KP7F-aY+$;-ejF#<&]j7<r,Q7^9# WebSEAL O"7s0k&5$s*s&=je<7gsrs!7"P C/(sI Web "Wj1<7gs&5<P<&j=<9r=N;- ejf#<&]j7<khj~`3h,g-^9# 3NI},$IO"f<6<N;-e" Web Ia$sNj=<9r I}9k?aNqg*Jl"NWm7<8c<H2Hpsrs!7^ 9#^?"}N-$ WebSEAL!=N.EJPC/0i&sIH50 psbs!7^9# \qnp]toj<nh*jg9# ;-ejf#<&"i_k9hl<?< 79F`&$s9H<k*hSGWm$asH&"I_K9Hl <?< MCHo</&79F`&"I_K9Hl<?< IT kht "Wj1<7gs+/T Tivoli SecureWay Policy Director WebSEAL I},$I xv

18 h 1 O: WebSEAL N5b 3NOGO"*V8'/H&9Z<9NT.*hS]n"'Z" /jgs7cknh@"*hs WebSEAL 8cs/7gsJIN EWJ WebSEAL 50H!=rRp7^9# h 2 O: WebSEAL 5<P<=. 3NOO"lL*J WebSEAL =.?9/NF/K+k&jU! ls9g9#3lko"web 9Z<9NI}"?$`"&H&Q ia<?<"z@qni}"s'zf<6<nh}"*hs WebSEAL G-N ACL *hs POP ]j7<,^^l^9# h 3 O: WebSEAL ;-ejf#<&]j7< 3NOGO"WebSEAL KX9k;-ejF#<&]j7<r+ 9?^$:9k?aN\YJF/K+k&Wm7<8c<KD$ Fb@7^9#3lKO"ACL *hs POP ]j7<"]nnj A"9FCW"CW'Z]j7<"MCHo</&Y<9N'Z ]j7<"9j<&9hi$/&m0$s&]j7<"*hsq 9o<I&9Hls09&]j7<,^^l^9# h 4 O: WebSEAL 'Z 3NOGO"WebSEAL r_j7ffon'z}0ri}9k? an\yjf/k+k&wm7<8c<kd$fb@7^9#3 lko"f<6<>*hsq9o<i"/i$"sh&z@q" SecurID H</s&Q93<I"*hSClJ HTTP XC@<& G<?,^^l^9# h 5 O: /m9ia$s&5$s*s&=je<7gs 3NOGO" WebSEAL Wm-7<=.N0t5$I (/i$" shh WebSEAL 5<P<V) N?aN/m9Ia$s&5$s *s&=je<7gskd$fb@7^9# h 6 O: WebSEAL 8cs/7gs 3NOO"WebSEAL 8cs/7gsr_j"HQ9k?aN0 4JF/K+k&jU!ls9G9# h 7 O: Web 7s0k&5$s*s&=je<7gs xvi P<8gs 3.8

19 3NOGO" WebSEAL Wm-7<=.Nbt5$I (WebSEAL 5<P<H8cs/7gs5l?PC/(sI&"Wj1<7g s&5<p<v) N?aN7s0k&5$s*s&=je<7g h 8 O: "Wj1<7gsN}g 3NOGO"h0T"Wj1<7gs!=r}g9k?aNFo WebSEAL!=KD$Fb@7^9# U? A: webseald.conf rb U? B: WebSEAL 8cs/7gsrb U? C: ikeyman KhkZ@qNI} \qgo"cljql*hs"/7gskp7f$/d+nqn,' $?jc/ (monospace) 3^sI>H*W7gs"-<o<I"*hS=N^^HQ 7J1lPJiJ$>NpsO"@zG=5l^9# Xj,,WJQt"3^sIz-t"*hSMO"$?jC / G=5l^9#qAN?$Hk*hS/45lkClJ Ql^?Ogb"$?jC/ G=5l^9# 3<G#s0c"3^sIT"hLPO"U!$kHG#l /Hj<>"*hS79F`&aC;<8O (monospace) U)sHG=5l^9# Tivoli SecureWay Policy Director WebSEAL I},$I xvii

20 Policy Director J<N=O"Tivoli SecureWay Policy Director 5]<H&5$HK" k~jd=j Policy Director qanwsg9# Tivoli SecureWay Policy Director N;QqA $s9h<k&,$i Tivoli SecureWay Policy Director Base $s9h<k&,$i Tivoli SecureWay Policy Director WebSEAL $s9h<k&,$i I},$I Tivoli SecureWay Policy Director Base I},$I Tivoli SecureWay Policy Director WebSEAL I},$I (\q) Tivoli SecureWay Policy Director Plug-in for Edge Server I},$I Tivoli SecureWay Policy Director Web Portal Manager I},$I GYmCQ< ju!ls9 Tivoli SecureWay Policy Director Authorization ADK GYmCQ< ju!l s9 Tivoli SecureWay Policy Director Authorization API Java Wrappers Developer Reference Tivoli SecureWay Policy Director Administration API Developer Reference Tivoli SecureWay Policy Director WebSEAL GYmCQ< ju!ls9 d-qa Tivoli SecureWay Policy Director jj<9&n<h Tivoli SecureWay Policy Director Performance Tuning Guide Tivoli SecureWay Policy Director Capacity Planning Guide xviii P<8gs 3.8

21 1 WebSEAL 1. WebSEAL Tivoli SecureWay Policy Director WebSEAL O"O$QU)<^s9 +D^kA9lCI=5l? Web 5<P<G"j"]n Web *V 8'/H&9Z<9KP7F-aY+$;-ejF#<&]j7<r,Q7^9# WebSEAL O"7s0k&5$s*s&=je<7gs rs!7"pc/(si Web "Wj1<7gs&5<P<&j=< 9r=N;-ejF#<&]j7<KH_~`3H,G-^9# 3NOGO"WebSEAL 5<P<NgJ!=rRp7^9# HTC/NwzO"J<NH*jG9# XWebSEAL Khk Web 9Z<9N]nY 6Z<8NXWebSEAL 11Z<8NXWebSEAL WebSEAL Web Tivoli SecureWay Policy Director WebSEAL O"Web ry<9h9k j=<9k~1? Policy Director j=<9&;-ejf#<&^m< 8c<G9# WebSEAL O"O$QU)<^s9+D^kA9lCI=5l? Web 5<P<G"j"]n Web *V8'/H&9Z<9KP7F-aY +$;-ejf#<&]j7<r,q7^9#webseal O"7s0 Tivoli SecureWay Policy Director WebSEAL I},$I 1

22 k&5$s*s&=je<7gsrs!7"pc/(si Web "W j1<7gs&5<p<&j=<9r=n;-ejf#<&]j7< KH_~`3H,G-^9# WebSEAL O!Nh&J!=rs!7^9# #tn'z}0r5]<h7^9# H_~_"<-F/Ac<HWi0$s&"<-F/Ac<Kh HTTP *hs HTTPS Waru1~l^9# WebSEAL 8cs/7gs&F/Nm8<rp7FPC/(s I&5<P<&j=<9r}g"]n7^9# m<+k*hspc/(si&5<p< Web 9Z<9N?aN -ay+$"/;9&3shm<kri}7^9# 5]<H5lF$kj=<9KO"URL"URL Y<9NLo0" CGI Wm0i`"HTML U!$k"Java 5<VlCH*hS Java /i9&u!$k,"j^9# jp<9 Web Wm-7<H7FBT7^9# WebSEAL O"/i$"sHKP7FO Web 5<P<H7FN rrl7"]n7f$k8cs/7gshpc/(si&5<p <KP7FO Web Vi&6<H7FNrrL7^9# 7s0k&5$s*s!=rs!7^9# 2 P<8gs 3.8

23 1. WebSEAL ^ 1. WebSEAL Khk Web 9Z<9N]n Tivoli SecureWay Policy Director WebSEAL I},$I 3

24 f<6<o"web 9Z<9N;-ejF#<&"I_K9Hl<?< H7F"IN?$WNf<6<,IN?$WN3sFsDK"/;9 G-k+H$&3Hr5NKD.7F*+J1lPJj^;s#lt N3sFsDO"7EK]n9k,W,"j"CjNf<6<N_, HQG-kh&K7J1lPJj^;s7""k3sFsDOlLK x+9k3h,g-^9#;-ejf#<&7jj*khcf"]n Wo,[Jj"=lK<CF[Jk WebSEAL =.,,WKJj^ 9# f<6<o"j<n3hrtj&u$,"j^9# f<6<,4+,n Web 3sFsDrNk# 3N3sFsDX"/;99kf<6<N?$Wr1L9k# 3N3sFsDr]n9k?aK,WJ WebSEAL =.*W7g Web 3sFsDN]nO"J<Ng-J 3 DN+F4j<K,`5 l^9# 1. x+3sfsd - "/;9KO]nr,WH7^;s# HTTP rp7?s'z/i$"sh&"/;9 j=<9xn"/;9&3shm<kkhq9ks'z/jg s7ck p\ WebSEAL =.Wo 2. x+3sfsd - "/;9KOWi$P7< (Ef=) r,wh 7^9# HTTPS rp7?s'z/i$"sh&"/;9 "Wj1<7gs&5<P<,,WH9k"!)G<?r]n 9k?aK,WJEf= (/l8ch&+<ivfdf<6 <&"+&shpsji) j=<9xn"/;9&3shm<kkhq9ks'z/jg s7ck 4 P<8gs 3.8

25 Wi$P7<r]Z9k WebSEAL =. 3. sx+3sfsd - "/;9KO'Zr,WH7^9# HTTP ^?O HTTPS rp7?s'z/i$"sh&"/;9 "I_K9Hl<?<,Ef=N,W-r=L7^9# j=<9xn"/;9&3shm<kkhq9k'z/jgs 7ck#/i$"sHOf<6<&l89Hj<KjA5l? "+&shr}cf$j1lpjj^;s# 1. WebSEAL WebSEAL =.O#(JNG"9YFN*W7gsr5EK! $7";-ejF#<&]j7<NFAr=L9k,W,"j ^9# kh;-ejf#<&]j7<o"j<r1l7^9# 1. ]nr,wh9k Web j=<9 2. ]nnlyk Policy Director O"3liN Web j=<9kp7f"]n*v8' /H&9Z<9HFPlk>[N==rHQ7^9#]n*V8'/ H&9Z<9KO"f<6<NMCHo</bNB]N*}j=<9 r=9*v8'/h,~j^9# f<6<o"]nr,wh9k*v8'/hk",zj;-ejf# <&a+k:`r,q9k3hkhcf";-ejf#<&]j7< r$swjash7^9# ;-ejf#<&a+k:`ko"j<nbn,"j^9# "/;9&3sHm<k&j9H (ACL) ]j7< ACL ]j7<o"f<6<&?$wr1l7""/;9rvd9 Y-+I&+r=G7F"=N*V8'/HKP7FvD5l? `nrxj7^9# ]n*v8'/h&]j7< (POP) Tivoli SecureWay Policy Director WebSEAL I},$I 5

26 POP O"Wi$P7<"]4-"F:*hS~o"/;9JI N"]n*V8'/HXN"/;9r)f9k"=N>Nror Xj7^9# H%0- H%0-O"h0T"Wj1<7gs (0tvD5<S9JI) K hcfi_hj^?ora,d=j*v8'/hd"acl ^?O POP ek[v5lkicnmg9# Policy Director Nf4HJk3s]<MsHOvD5<S9G9#3 N5<S9O"f<6<N/jGs7ckH*V8'/HeK_j5 l?"/;9&3shm<kkpe$f"]n*v8'/h (j=< 9) XN"/;9rvD^?Oq]7^9# ;-ejf#<&]j7<r5ok$swjash9kko"fon 3sFsD&?$Wr@}*KT.7 (5Z<8NX;-ejF#<& ]j7<nwh*hs$swjashyr2h)",zj ACL *hs POP ]j7<r,q9k,w,"j^9#"/;9&3shm<ki }OKaF#(Jlg,"j^9,"3sFsD&?$Wr5EK, `9k3HKhCF"Ok+KJ1KJj^9# WebSEAL 'ZO";-e"&Ia$sKm0$s7h&H9kDLNWm;9 ^?O(sF#F#<r1L9k}0G9#5<P<H/i$"sH N>},'Zr,WH9klg"r9Oj_'ZHFPl^9# 6 P<8gs 3.8

27 1. WebSEAL ^ 2. j_'z WebSEAL O"F/i$"sHKP7"1LNZ@rWa9k3HK hcf";-e"&ia$sbgbyn;-ejf#<rb\g-^ 9#;-e"&Ia$sbNFj=<9XN"/;9r WebSEAL, 3sHm<k9klg"'ZHvDraak WebSEAL NWaKh j"kafqg*jmcho</&;-ejf#<,b=g-^9# ;-ejf#<&"<-f/ac<go"'z (authentication) OvD (authorization) HhL5l^9#vDO"'Z5l?f<6<KCj Nj=<9r7&"x,"k+I&+=G7^9#'ZO"=NDM,+,G>hCF$k\MG"k3HrN'7^9,"j=<9K` nrbt9k"xkx7fo?b@$^;s# WebSEAL 'ZKOJ<Nro,,Q5l^9# WebSEAL O"l"N8`N'Z}0r5]<H7^9# =N>N'Z}0r5]<H9kh&K WebSEAL r+9?^$ :9k3HbG-^9# WebSEAL Wm;9O'Z}0HOLDNbNG9# WebSEAL O/i$"sH1L@1rWa7^9#3N1L+ i"webseal O"j=<9XN"/;9rvD^?Oq]9k?aK"vD5<S9,HQG-k'Z (^?Os'Z) /jgs 7ckrh@7^9# Tivoli SecureWay Policy Director WebSEAL I},$I 7

28 m8<goj/"s8m9nwakpe$?;-ejf#<&]j7 <,D=KJj^9# WebSEAL O'ZWm;9HOLDNbNG9,"WebSEAL O'Z NkL"9JoA/i$"sH1Lr,WH7^9#'ZWm;9N klo"j<n"/7gskjj^9# 1. 'Z}0NkL"/i$"sH,1L5l^9# /i$"sh'zo"f<6<, Policy Director f<6<&l8 9Hj<KjA5l?"+&sHr}CF$klgKBj".y 7^9#=&GJ$lg"f<6<Os'ZG"kH+J5l^ 9# 2. WebSEAL O1LrHQ7F=N/i$"sHN/jGs7ckr WebSEAL O"'Z/i$"sH1LHP?Q_ Policy Director f<6<rm-go;^9#!k WebSEAL O"3Nf<6<K /jgs7ckko"f<6<>h"f<6<,asp<7cw r}d$un0k<w,^^lf$^9# f<6<,?>nlg"webseal Os'Z/jGs7ckrn. 7^9# 3liN/jGs7ckO"vD5<S9KHQ9k3H,G- ^9#3N5<S9O"WebSEAL ]n*v8'/h&9z<9b NWa5l?*V8'/HXN"/;9rvD^?Oq]7^ 9# /jgs7cko"/i$"shkd$fnpsr,wh9k9yf N Policy Director 5<S9KhCFHQ5l^9#/jGs7ckr HQ9kH"Policy Director OvD"F:"*hSQ$JIN?/N 5<S9rB4KBT9k3H,G-^9# CjN'Z}0KP9k5]<HKD$FO" 87Z<8N XWebSEAL 'ZYr2H7F/@5$# 8 P<8gs 3.8

29 'ZWm;9NgWJ4<kN 1 DO"/i$"sH&f<6<r -R9k/jGs7ckpsrh@9k3HG9#f<6<&/jG s7cko";-e"&ia$sk2c9k?anewjwon 1 DG9# Policy Director O"f<6<N'ZH"/jGs7ckNh@Hrh L7^9#f<6<N ID OoKljG9#7+7"f<6<,2C 7F$k0k<W^?OrdrjA9k/jGs7ckOQ=7^ 9#8.KG-J/jGs7ckO~VNPaKDlFQ=7^9#?H(P""kM,:J9lP"/jGs7ckO77$U$lYk r?g7j1lpjj^;s# 1. WebSEAL 'ZWm;9O"}0G-Nf<6<1Lpsrb?i7^9#3N pso"policy Director f<6<&l89hj< (GU)kHGO LDAP) K"kf<6<&"+&sHpsHM-go5l^9# WebSEAL O"f<6<>H0k<Wpsr"&LIa$s4NN= -HH%C"0-Z@q (EPAC) HFPlkq0K^CW7^9# ^ 3. 1LpsN/jGs7ckXN^CTs0 Q9o<I"H</s"*hSZ@qJIN}0G-N1LpsO" f<6<n*}*1lwmqf#<r=7^9#3npso"5<p <HNB4J;C7gsrN)9k?aKHQ5l^9# Tivoli SecureWay Policy Director WebSEAL I},$I 9

30 3NkLN/jGs7ckO";-e"&Ia$sbNf<6<NC "r=7"cjn8.gf<6<r-r7^9#/jgs7cko3 N;C7gsN83 VfN_-zG9# Policy Director /jgs7ckko"f<6<1lh"3nf<6<,asp<7cwr}d0k<w,^^lf$^9# (EPAC) /jgs7cko"/i$"shkd$fnpsr,wh9k9yf N Policy Director 5<S9KhCFHQ5l^9#?H(P"vD5<S9O/jGs7ckrHQ7F"f<6<,; -e"&ia$sbn]n5l?j=<9kcjn`nrt&3h, vd5lf$k+i&+r=l7^9# EPAC KO""/;9&3sHm<k&j9H (ACL) rq$fnh r9k]k Policy Director,,WH9kG-FQ ID (UUID),~C F$^9# Policy Director O"J<Nh&J>N5<S9Kb/jGs7ckr HQ7^9# F:5<S9 WebSEAL 8cs/7gsGN"BQy!=!N EPAC U#<kI,"Policy Director GHQ5l^9# 0- b@ ;-e"&ia$s ID Wjs7QkN[<`&;-e"&Ia$s ID Wjs7Qk UUID Wjs7QkN UUID 0k<W UUID Wjs7Qk,09k0k<WN UUID (1 DJ e) 10 P<8gs 3.8

31 WebSEAL Policy Director O"MCHo</KX7F'Z5<S9"vD5<S 9"I}5<S9rs!7^9# Web Y<9NMCHo</GO" 3liN5<S9O"PC/(sI Web 5<P<eKV+l? Web j=<9h"wj1<7gsr}g"]n9k 1 DJeNUmsH (si WebSEAL 5<P<KhCFs!5lkN,G1G9# WebSEAL 5<P<HPC/(sI Web "Wj1<7gs&5<P <HN\3O"WebSEAL 8cs/7gs"^?O8cs/7gsH FPlF$^9# WebSEAL 8cs/7gsHO"UmsH(sI WebSEAL 5<P<HPC/(sI&5<P<NVN TCP/IP \3N 3HG9# 1. WebSEAL PC/(sI&5<P<O"LN WebSEAL 5<P<Gb""k$O hjll*ko"h0t Web "Wj1<7gsGb=$^;s#P C/(sI&5<P< Web 9Z<9O"WebSEAL M<`&9Z< 9bNCLKXj5l?8cs/7gs (^&sh) ]$shg" WebSEAL 5<P<KV\35lFW$^9# ^ 4. 8cs/7gsKhCF WebSEAL rpc/(si&5<p<k\39k 8cs/7gsKhj"WebSEAL,PC/(sI&5<P<Keo CF"]n5<S9rs!G-^9#WebSEAL O"9YFNWaK D$F"=NWarPC/(sI&5<P<KO90K"'Z!:H Tivoli SecureWay Policy Director WebSEAL I},$I 11

32 vd!:rbtg-^9#pc/(si&5<p<,*v8'/hk D$F-aY+$"/;9&3sHm<kr,WH9klgO"IC N=.9FCWrBT7F" Policy Director ;-e"&5<s9kp 7h0T Web 9Z<9r-R9k,W,"j^9 (196Z<8NXh 0T5<P<K*1k query_contents NHQYr2H)# N!=,"9YF/i$"sH+i)a*KBTG-^9#f<6< O""I_K9Hl<?<H7F"3NM<`&9Z<9N8fI} WebSEAL 8cs/7gsKhCF"WebSEAL 5<P<N Web 9 Z<9rPC/(sI&5<P<N Web 9Z<9K@}*Kkg9 kh$&ucam,@il^9#"h5<p<vn8cs/7gsn klh7f"1ln"}l5l?"7<`l9+d"f<6<k)a *J,6 Web 9Z<9,G-ej^9# /i$"sh, Web j=<9n*}*jljrnk,wo^c?/ "j^;s#webseal O"@} URL "Il9rPC/(sI&5 <P<, T9k*}"Il9KQ97^9#Web *V8'/HO" 5<P<VG\0G-^9,"=lKhCF/i$"sHKhk"/ ;9N}!KFA,88k3HO"j^;s# Web 9Z<9,}l5lF$k3HKhj"79F`&"I_K9H l<?<khcf"9yfnj=<9ni},1c=5l^9#i} enx@h7fo"3lkc(f"h%fw-"m<i&pis7s 0"bDQ-,"j^9# 12 P<8gs 3.8

33 1. WebSEAL ^ 5. WebSEAL 8cs/7gsNkLH7F Web 9Z<9,}l5lk [HsIN&HQ Web 5<P<KO"@} Web *V8'/H&9 Z<9rjAG-k!=O"j^;s#=NeojK"=N"/; 9&3sHm<kO*}U!$kHG#l/Hj<=$K\35lF $^9# WebSEAL 8cs/7gsGO"8`*J Web 5<P<N lg"h/"kh&j"*}^7shg#l/hj<=$r?g9k NGOJ/"H%=$r?G9k*V8'/H&9Z<9r)a*K jag-^9# ^?"WebSEAL 8cs/7gsKhlP"7s0k&5$s*s& =je<7gsnn.bg-^9#7s0k&5$s*s=.rhq 9kH"f<6<O"1 sni m0$srhq9k@1g"j=< Tivoli SecureWay Policy Director WebSEAL I},$I 13

34 9NljKX8J/"j=<9K"/;9G-^9#PC/(sI& 5<P<+iNm0$sWo,5iK"CFb"f<6<+iO)a *Kh}5l^9# WebSEAL 8cs/7gsO"Web 5$HNH%rFWK9k?aN EWJD<kG9#8cs/7gsKhCF"ICN5<P<r\3 9k3HKhj"Web 5$HeG}(31k{WK~(k3H,G- ^9# WebSEAL Web H%,FWJ Web 5$Hrn.9klgO"WebSEAL 8cs/7 gsrhq7^9# Web 5$HeN{WN}gK~8F"5<P< rj1kicg-kng"5$hn=orh%g-^9# J<r\*H7FICN5<P<rICG-^9# ICN3sFsDKhj5$HrH%9k?a {8N3sFsDr#=9k3HKhCF"m<I&Pis7s 0"U'<k*<P<"bDQ-N=OrN]9k?a WebSEAL PC/(sI&5<P<KP9k8cs/7gs&5]<HO"/J /Hb 1 fnumsh(si WebSEAL 5<P<+iO^j^9# #=UmsH(sI WebSEAL 5<P<O"5$HKP9kWa,. _g&~ Km<I&Pis7s0rs!7^9#m<I&Pis7 s0&a+k:`o"ibm Network Dispatcher ^?O Cisco Local Director JINa+K:`KhCFh}5l^9# ^?"UmsH(sI#=KhCF5$HKU'<k*<P<!=, s!5lf$k?a"?i+n}3g5<p<kc2,/3cfb" DjNlWj+&5<P<KhCFz-3-5$HXN"/;9,@ il^9#m<i&pis7s0hu'<k*<p<n!=,5ok /1P"kL*Kf<6<KHCF5$HNbDQ-,N]5l^ 9# 14 P<8gs 3.8

35 1. WebSEAL ^ 6. #=UmsH(sI WebSEAL 5<P< UmsH(sI WebSEAL 5<P<r#=9klgO"5<P<4H K"=l>l Web 9Z<9N5NJ3T<H8cs/7gs&G<?Y<9r}CF$k,W,"j^9# 'ZN?aN"+&sHpsO"UmsH(sI&5<P<HOLD Nf<6<&l89Hj<bK"j^9# Web 5$H&3sFsDO"WebSEAL 5<P<+N"PC/(s I&5<P<"^?O=N>}NH_go;Khk5<S9ru1k 3H,G-^9#PC/(sI&5<P<KX9k WebSEAL 8cs /7gs&5]<HrHQ9kH"ICN3sFsDHj=<9Kh CF Web 5$HrH%G-^9# G-NPC/(sI&5<P<O=l>l"L9N8cs/7gs& ]$sh (^&sh&]$sh) K8cs/7gs5lJ1lPJj ^;s#8cs/7gskhj"icn3sfsdkp9k{wn} gk~8f"5<p<ricg-^9#3&9lp"h0t Web 5 Tivoli SecureWay Policy Director WebSEAL I},$I 15

36 <P<KP9k{8Njq,g-$MCHo</KP9k=je<7 ^ 7. }*V8'/H&9Z<9,@ilk+,(7F"j^9#3N Web 9Z<9O"f<6<KO)a*G"j"8fI}KPhG-^9# 16 P<8gs 3.8

37 1. WebSEAL ^ 8. }l5l? Web 9Z<9 #=PC/(sI&5<P<O"!NaGb@9kh&K"188c s/7gs&]$shk8cs/7gs5l^9# H%FW-!=rPC/(sI&5<P<=.K,Q9klgO"P C/(sI&5<P<r#=G-^9##=UmsH(sI&5<P <NlgH18h&K"#=PC/(sI&5<P<KO"=l>l,j_K_i<&$a<8HJk Web 9Z<9,8_7J1lPJ j^;s# WebSEAL GO"VlV9$F$kW918e<js0&"k4j: `rhq7f"#=5<p<vnm<i&pis7s0r^j^9# 3N"k4j:`KhCF"F7,WaO"9GKJTfN\3,G b/j$5<p<kw.5l^9# WebSEAL O^?"5<P<,@&s7?lgK57/U'<k*< P<7"=N5<P<,$C?sFO07?i"FHQr+O7^ 9# PC/(sI&"Wj1<7gs,"#tNZ<8KOCFuVr] }9k3Hr,WH9klgO"9F<HUk&8cs/7gsrH Tivoli SecureWay Policy Director WebSEAL I},$I 17

38 Q7F"F;C7gs,,:18PC/(sI&5<P<Kakh& K9k3H,G-^9# ^ 9. #=PC/(sI&5<P< 18 P<8gs 3.8

39 2 WebSEAL in?9/rbt9lp"f<6<nmcho</kgo;f WebSEAL 5<P<r+9?^$:9k3H,G-^9# HTC/NwzO"J<NH*jG9# X5<P<NlLpsY 23Z<8NXL.Qia<?<N=.Y 2. WebSEAL 28Z<8NXWeb 9Z<9NI}Y 35Z<8NXHTTP (i<&ac;<8n=.y 40Z<8NX+9?` HTML Z<8NI}Y 49Z<8NX]nlYkNGU)kHJAN=.Y 51Z<8NXvDG<?Y<9N97*hS]<js0N=.Y 52Z<8NXUmsH(sI WebSEAL 5<P<N#=Y 54Z<8NX8` HTTP m.s0n=.y J<N;/7gsK"lL*J WebSEAL j^9# 20Z<8NXwebseald.conf =.U!$kNRpY Tivoli SecureWay Policy Director WebSEAL I},$I 19

40 21Z<8NXWebSEAL,$s9H<k5lF$kk<H&G# l/hj<y 22Z<8NXWebSEAL Server Nk<H&G#l/Hj<Y 22Z<8NXWebSEAL N+O*hSd_Y webseald.conf webseald.conf =.U!$kbK"kQia<?<r=.9k3HK hcf"webseal N`nr+9?^$:G-^9#3NU!$k O"!NG#l/Hj<K"j^9# UNIX: /opt/pdweb/etc/ Windows: C: Program Files Tivoli PDWeb etc J<N=O";/7gsH9?s6NWsG9# ;/7gs 9?s6 WEBSEAL GENERAL [server] LDAP [ldap] SSL [ssl] JUNCTION [junction] [filter-url] [filter-schemes] [script-filtering] [gso-cache] [ltpa-cache] AUTHENTICATION [ba] [forms] [token] [certificate] [http-headers] [auth-headers] [ipaddr] [authentication-levels] [mpa] [cdsso] [cdsso-peers] [failover] [e-community-sso] [inter-domain-keys] [authentication-mechanisms] [ssl-qop] [ssl-qop-mgmt-hosts] [ssl-qop-mgmt-networks] [ssl-qop-mgmt-default] SESSION [session] 20 P<8gs 3.8

41 ;/7gs 9?s6 CONTENT [content] [acnt-mgt] [cgi] [cgi-types] [cgi-environment-variable] [content-index-icons] [icons] [content-cache] [content-mime-types] [content-encodings] LOGGING [logging] AUTHORIZATION API [aznapi-configuration] [aznapi-entitlement-services] POLICY DIRECTOR [policy-director] 247Z<8NXwebseald.conf m: webseald.conf U!$krQ99klgO"77$Q9bF,' 15lkh&K",: WebSEAL 22Z<8NXWebSEAL N+O*hSd_Y $# WebSEAL WebSEAL Wm0i`&U!$kO"!Nk<H&G#l/Hj<K $s9h<k5l^9# 2. WebSEAL UNIX: /opt/pdweb/ Windows: C: Program Files Tivoli PDWeb 3NQ9O"Policy Director for Windows,$s9H<k5lF$k 79F`eK=.9k3H,G-^9#3NQ9O"Policy Director,$s9H<k5lF$k UNIX 79F`eK=.9k3HOG- ^;s# \qgo"<install-path> QtrHQ7F"3Nk<H&G#l/Hj <r=7^9# Tivoli SecureWay Policy Director WebSEAL I},$I 21

42 UNIX N$s9H<k&79F`GO"J<NLDNG#l/Hj< K"F:U!$kdm0&U!$kJINH%D=U!$k,"j^ 9# /var/pdweb/ WebSEAL Server webseald.conf =.U!$kbN server-root Qia<?<O"+O ~K WebSEAL 5<P<NT/ljrjA7^9# [server] server-root = /opt/pdweb/www webseald.conf =.U!$kGHQ7F$kjPQ9>O"9YF3 Nk<H&G#l/Hj<KX"U1ilF$^9# m: Lo"3NQ9>OQ97J$G/@5$# WebSEAL WebSEAL 5<P<&Wm;9O"UNIX GO pdweb_start 3^s IrHQ7" Windows GOV3sHm<k UNIX: pdweb_start {start stop restart status}?h(p"webseal 5<P<rd_7"!$G=N5<P<rFO 09klgO"J<rHQ7^9# # pdweb_start restart pdweb_start 3^sIOJ<NG#l/Hj<K"j^9# /opt/pdweb/bin/ Windows: V3sHm<k QMkWNV5<S9W@$"m0&\C/9G WebSEAL 5<P<&Wm;9r1L7",ZJ)f\?srHQ7 ^9# 22 P<8gs 3.8

43 J<N;/7gsK"lL*J WebSEAL j^9# XHTTP WaQN WebSEAL N=.Y 24Z<8NXHTTPS WaQN WebSEAL N=.Y 24Z<8NXCjN SSL P<8gsN\3N)BY 24Z<8NXHTTP H HTTPS No<+<&9lCIN=.Y 25Z<8NXHTTP/HTTPS L.QN?$`"&H&Qia<? <Y 27Z<8NXICN WebSEAL 5<P<&?$`"&H&Qia <?<Y HTTP WebSEAL WebSEAL O"Lo"'Z5lF$J$f<6<+iN?tN HTTP Warh}7^9#?H(P"f<6<Nx+ Web 5$HK"k* r5l?qakp7fo"?>f<6<+ini_hjlq"/;9 rd=k9k3h,ll*g9# 2. WebSEAL TCP rp7f HTTP Warh}9k?aNQia<?<O" webseald.conf =.U!$kN [server] 9?s6K~CF$^9# HTTP / WebSEAL =.N]"HTTP "/;9rHQD=^?OHQTDK9 kko"!nh&k7^9# http = {yes no} HTTP HTTP "/;9QNGU)kH&]<HO 80 G9# http-port = 80?H(P"]<H 8080 KQ99klgO"!Nh&K_j7^9# http-port = 8080 Tivoli SecureWay Policy Director WebSEAL I},$I 23

44 HTTPS WebSEAL SSL (HTTPS) rp7f HTTP Warh}9k?aNQia<?< O"webseald.conf =.U!$kN [server] 9?s6K~CF$^ 9# HTTPS / WebSEAL =.N]"HTTPS "/;9rHQD=^?OHQTDK 9kKO"!Nh&K7^9# https = {yes no} HTTPS HTTPS "/;9QNGU)kH&]<HO 443 G9# https-port = 443?H(P"]<H 4343 KQ99klgO"!Nh&K_j7^9# https-port = 4343 SSL SSL P<8gs 2"SSL P<8gs 3"*hS TLS P<8gs 1 N\3O"L9KHQD==*hSHQTD=G-^9#CjN SSL *hs TLS P<8gsN\3r)f9kQia<?<O" webseald.conf =.U!$kN [ssl] 9?s6K"j^9#GU)k HGO"SSL *hs TLS N9YFNP<8gs,HQD=KJCF $^9# [ssl] disable-ssl-v2 = no disable-ssl-v3 = no disable-tls-v1 = no HTTP HTTPS =.5l?o<+<&9lCINtO"5<P<,5<S9G-k1 ~e.wantrxj7^9#9yfno<+<&9lci,hqf G"klgK~e9k>N\3O"o<+<&9lCI,HQD=K Jk^GPCU!<K~lil^9# 24 P<8gs 3.8

45 WebSEAL XNe.\3KP7F5<S9rs!G-kHQD=J9 lcintrxjg-^9#o<+<&9lcintoqu)<^s 9KFA9kD=-,"k?a"=N=.OmU</T&,W,"j ^9# 3N=.Qia<?<,1~\3NtKeBr_1k3HO"j^; o<+<&9lcing,tn*ro"mcho</enhiu#c /NLH?$WKD$FNN1KpE$FT$^9# 9lCINtr}d;P"lL*KO"Wah}N0;K++k?Q H">NWxKbFA,ZS"=N?aK5<P<&QU)<^s9 K-FAr88k2l,"j^9# WebSEAL KO"1lNmNo<+<&j9H,]}5l"TCP" SSL"^?O GSSAPI HsMjs0rHQ9k/i$"sH+iNW arh}9k?an"o<+<&9lci&w<kb]}5lf$^ 9#3NH%a+K:`,"k?a"WebSEAL GO"hj7&m< I,g}K}(Fb"HQ9k79F`&j=<9O/J/FQ_^ 9# 2. WebSEAL webseald.conf =.U!$kN [server] 9?s6t,N worker-threads Qia<?<r_j9k3HKhCF"o<+<& 9lCI&W<k&5$:r=.G-^9# [server] worker-threads = 50 m: 3NQia<?<O"QU)<^s9eNdjNHiVk7e< F#s0rT&lgKN_Q99k3Hr//*+a7^9# HTTP/HTTPS WebSEAL O"SSL N IBM Global Security Kit (GSKit) $swja sf<7gsrhq7^9# WebSEAL, HTTPS /i$"sh+ Tivoli SecureWay Policy Director WebSEAL I},$I 25

46 iwaru1hkh-o" GSKit SSL,i OsI7'</rN) 7";C7gsuVr]i7^9# WebSEAL O"HTTP *hs HTTPS L.QKJ<N?$`"&H& Qia<?<r5]<H7^9#3liNQia<?<O" webseald.conf =.U!$kN [server] 9?s6K~CF$^9# client-connect-timeout i OsI7'</,TolkH"3NQia<?<O" WebSEAL,i HTTP ^?O HTTPS WaN?aK\3r+$ F*/95rX(7^9#GU)kHO 120 CG9# [server] client-connect-timeout = 120 persistent-con-timeout 3NQia<?<O"HTTP/1.1 (HTTP/1.0 GOJ$) \3KG- NbNG9#GiN HTTP/1.1 WaH5<P<~zNeG" WebSEAL,7cCH@&s5lk0K HTTP/1.1 }3\3r* <WsK7F*/GgCtr"3NQia<?<,3sHm<k 7^9# GU)kHMO 5 CG9# [server] persistent-con-timeout = 5 26 P<8gs 3.8

47 ^ 10. HTTP *hs HTTPS L.QN?$`"&H&Qia<?< WebSEAL webseald.conf =.U!$kKO"J<NICN?$`"&H&Qi a<?<,_j5lf$^9# 2. WebSEAL Qia<?< GU)kHM (C) [junction] http-timeout TCP 8cs/7gsrL7F 120 T&PC/(sI&5<P< KP9kw.HI_hjN? $`"&HM# [junction] https-timeout [cgi] cgi-timeout SSL 8cs/7gsrL7F T&PC/(sI&5<P< KP9kw.HI_hjN? $`"&HM# m<+k CGI Wm;9KP9 kw.hi_hjn?$`" &HM# Tivoli SecureWay Policy Director WebSEAL I},$I 27

48 Qia<?< GU)kHM (C) [junction] ping-time WebSEAL GO"F8cs/ 7gsh5<P<Nj *P C/0i&sI PING rbt 7F"T/7F$k+I&+ =L7^9# WebSEAL,3 lrn_kqyo"300 C (^?O"_j5lF$kM) K 1 sj<g9# 300 Web J<NaKO"Web 9Z<9NI}K,WJ?9/KD$FNb@, "j^9# XWeb 8qDj<Nk<H&G#l/Hj<Y 30Z<8NXG#l/Hj<wzU1N=.Y 31Z<8NXWindows: CGI Wm0i`QNU!$k?>,'Y 32Z<8NXWeb 8q-cC7eN=.Y Web Web 8qDj<LVO"WebSEAL KhCFHQD=K5lF$k8 qkx9k8qdj<nk<hxndpq9g9#3nq9>o" webseald.conf =.U!$kN [content] 9?s6K~CF$k doc-root Qia<?<KhCF=5l^9# GU)kHLVO" WebSEAL N$s9H<k~KGiKN)5l^9# UNIX: doc-root = /opt/pdweb/www/docs Windows: doc-root = C: Program Files Tivoli PDWeb www docs 28 P<8gs 3.8

49 3NMO"$s9H<keKiaF WebSEAL r+o9klgk"l bk]i5l^9#-h"webseald.conf bn3nmrq97fb" 4/FAO"j^;s# $s9h<ke"3nk<h&g#l/hj<lvnmrq99kk O"pdadmin f<f#jf#<rhq9k,w,"j^9#3nj gr"j<nc (5<P<>O webseala) G(7^9# 1. J<Nh&K7F pdadmin Km0$s7^9# # pdadmin pdadmin> login Enter User ID: sec_master Enter Password: pdadmin> 2. server task list 3^sIrHQ7F"=T8cs/7gs&] $shr9yf=(7^9# pdadmin> server task webseala list / 3. server task show 3^sIrHQ7F"8cs/7gsN\Y r=(7^9# pdadmin> server task webseala show / Junction point: / Type: Local Junction hard limit: 0 - using global value Junction soft limit: 0 - using global value Active worker threads: 0 Root Directory: /opt/pdweb/www/docs 2. WebSEAL 4. 7,m<+k&8cs/7gsrn.7F"=T8cs/7g s&]$shrv-9(^9 (77$8cs/7gs,{8N8c s/7gsr*<p<i$i9kh&/)9kko" -f *W7g s,,wg9)# pdadmin> server task webseala create -t local -f -d /tmp/docs / Created junction at / 5. 7,8cs/7gs&]$sHrlw=(7^9# pdadmin> server task webseala list / 6. 3N8cs/7gsN\Yr=(7^9# Tivoli SecureWay Policy Director WebSEAL I},$I 29

50 pdadmin> server task webseala show / Junction point: / Type: Local Junction hard limit: 0 - using global value Junction soft limit: 0 - using global value Active worker threads: 0 Root Directory: /tmp/docs WaN URL 0,G#l/Hj<>G*oCF$klgO"WebSEAL KhCFa5lkGU)kH&U!$kN>0rXjG-^9# 3 NGU)kH&U!$kO"8_7F$lP WebSEAL +i/i$" shka5l^9#u!$k,8_7j$lg" WebSEAL O0*K G#l/Hj<wzr8.7F=Nj9Hr/i$"sHKV7^ 9# G#l/Hj<wzU!$kr=.9k?aNQia<?<O" webseald.conf =.U!$kN [content] 9?s6KV+l^9# 3NwzU!$kNGU)kHMO!NH*jG9# [content] directory-index = index.html 5$HGHQ7F$k,',[Jklg"3NU!$k>OQ9G- ^9#?H(P"!NH*jG9# [content] directory-index = homepage.html WaNfNG#l/Hj<K"directory-index Qia<?<KhC FjA5l?wzU!$k,J$lgO" WebSEAL,0*KG#l /Hj<wzr8.7^9#n.5lkwzKO"G#l/Hj<& 3sFsDNj9HH"G#l/Hj<bNF(sHj<XNjs/,^^l^9#wzO"G#l/Hj<XN"/;9rWa9k/i $"sh,"=ng#l/hj<n ACL NVj9HW(l) vdr} CF$klgKN_n.5l^9# 8.5l?wzKj9H5lF$kFU!$k&?$W4HK" WebSEAL,CjN0iU#+k&"$3srHQ9kh&K=.9 k3h,g-^9# webseald.conf =.U!$kN 30 P<8gs 3.8

51 [content-index-icons] 9?s6KO"8q MIME?$WH"=(5 lk=lkx"7?.gif U!$kNj9H,~CF$^9# [content-index-icons] image/*= /icons/image2.gif video/* = /icons/movie.gif audio/* = /icons/sound2.gif text/html = /icons/generic.gif text/* = /icons/text.gif application/x-tar = /icons/tar.gif application/* = /icons/binary.gif f<6<o3nj9hr=.7f"f MIME?$WKP7FLN" $3srXj9k3H,G-^9#"$3sOjb<HK[V5lF $Fb=$^;s#?H(P"!NH*jG9# application/* = J<NICN"$3sMr=.9k3HbG-^9# 5VG#l/Hj<=(QKHQ5lk"$3s# [icons] diricon = /icons/folder2.gif FG#l/Hj<N=(QKHQ5lk"$3s# [icons] backicon = /icons/back.gif 2. WebSEAL T@NU!$k&?$W=(QKHQ5lk"$3s# [icons] unknownicon = /icons/unknown.gif Windows: CGI webseald.conf =.U!$kN [cgi-types] 9?s6K~CF$kQ ia<?<rhq9kh"cgi Wm0i`H7F'1"BT5lk Windows U!$kH%R?$WrXjG-^9# UNIX *Zl<F#s0&79F`KO"U!$k>H%RWoO" j^;s#?@7"windows *Zl<F#s0&79F`NlgO" H%R?$WrjA9k,W,"j^9# [cgi-types] 9?s6K O"-zJH%R?$W,9YFj9H5l"FH%Rr,ZJ CGI Wm0i`K^CW7F"j^9 (,WJH-)# Tivoli SecureWay Policy Director WebSEAL I},$I 31

52 [cgi-types] <extension> = <cgi-program> GU)kHGO"H%R,9?s6Kj9H5lF$kH%RHlW 9kU!$k@1, CGI Wm0i`H7FBT5l^9#CGI Wm 0i`NH%R,3Nj9HK^^lF$J$lg"Wm0i`OB T5l^;s# H%R.exe,U$F$kU!$kO"Windows NGU)kHGWm 0i`H7FBT5l"^CTs0N,WO"j^;s# m: 7+7"Windows eg@&sm<iqk.exe U!$kr$s9 H<k9klgO"H%Rr>0Q99k+"=NU!$kr" <+$VNlt (.zip JI) H7F$s9H<k9k,W,"j ^9# H%R,ra5l?9/jWH&U!$kr=9lgO",ZJra Wm0i`rs!9k,W,"j^9#H%R?$WNcH7FO" 7'k&9/jWH (.sh H.ksh)"Perl 9/jWH (.pl)"tcl 9/ jwh (.tcl) U!$k,"j^9#!NcKO"e=*J [cgi-types] 9?s6=.,(7F"j^9# [cgi-types] bat = cmd cmd = cmd pl = perl sh = sh tcl = tclsh76 m:.bat U!$k*hS.cmd U!$kNHQKO"EgJ;-ej F#<dj,<$^9# 3liNU!$k&?$WrHQ9k] KOmU,,WG9# Web /i$"sho"web 8q!wNQU)<^s9,c$?a"MCH o</n"/;9~vhu!$kn@&sm<i~v,9z/3hr 7P7PP37^9#QU)<^s9Nc<O"8cs/7gshP 32 P<8gs 3.8

53 C/(sI&5<P<+i8q,!w5lkNr WebSEAL 5<P<,TCF$?j""k$O"m<+k&9Hl<8Nh},Y$lg Kb/87^9# Web 8q-cC7e!=rHQ9k3HKhCF"&L*K"/;9 5lk Web 8q?$Wr WebSEAL 5<P<Nabj<K]I9k 3H,G-^9#WebSEAL 5<P<bK8qr-cC7e7F*1 P"8qKP9kWaK"Ga/~z,VCF-^9# -cc7e5l?8qko"e*f-9h8qh0iu#c/&$a <8r~lk3H,G-^9#G<?Y<9HqNkLJI"0*K 8.5l?8qO-cC7eG-^;s# Web 8qN-cC7erxQ9lP"8cs/7gsrL7F"PC /(si&5<p<+igoj/"webseal +im<+kg8qk -cc7eo"mime?$wkpe$fbt5l^9#web 8qcC7eQK WebSEAL r=.9klgo"j<n 3 DNQia<?<rN'7F/@5$# 2. WebSEAL 8q MIME?$W 9Hl<8&aG#"N?$W 9Hl<8&aG#"N5$: webseald.conf =.U!$kN [content-cache] 9?s6K Web 8 q-cc7erja7^9#,q5lk=8o"!nh*jg9# <mime-type> = <cache-type>:<cache-size> Qia<?< mime-type b@ HTTPVContent-Type:W~zXC@<KA#5l?$:l +N-zJ MIME?$Wr=7^9#3NMKO"o$ ki+<i ( * ) rh&3h,g-^9# */* H$&M O"@(*K=.5l?-cC7eKP~7J$$:l+ N*V8'/Hr]}9kGU)kH&*V8'/H&- cc7er=7^9# Tivoli SecureWay Policy Director WebSEAL I},$I 33

54 Qia<?< cache-type cache-size -cc7ekhq9k9hl<8&ag#"n?$wrx j7^9#policy Director N\jj<9,5]<H7F$ VLRUW"k4j:`K>CF*V8'/H,o 5lk 0K"?(il?-cC7e,}C7?lgNGg5$: r (K P$HG) Xj7^9# : text/html = memory:2000 image/* = memory:5000 */* = memory:1000 Web 8q-cC7e&a+K:`O"J<NrorFk7^9# -cc7e,ja5lf$klgkbj"-cc7e,tolk 3H# $s9h<k~k-cc7e,ja5lf$j$3h# GU)kH&-cC7erjA7F$J$lg"IN@(*-c C7eKblW7J$8qO"-cC7e5lJ$3H# vdo"-cc7e5l?pskp9k9yfnwakd$f" z-3-b\5lk3h# pdadmin f<f#jf#<rhq7f"9yfn=.q_-cc7 eruic7eg-^9# 3Nf<F#jF#<rHQ7Fb"D 9N-cC7erUiC7e9k3HOG-^;s# Policy Director "I_K9Hl<?< sec_master H7F;-e"& Ia$sKm0$s7J$H" pdadmin rhqg-^;s# 9YFN Web 8q-cC7erUiC7e9kKO"!N3^sI r~o7^9# UNIX: # pdadmin server task <server-name> cache flush all 34 P<8gs 3.8

55 Windows: MSDOS> pdadmin server task <server-name> cache flush all pdadmin f<f#jf#<rhq7f"-cc7en=_nhqk }WpsO"-cC7eb K]}5l?`\NtH"F`\KP7FP5l?WaNtr(7F $^9# Policy Director "I_K9Hl<?< sec_master H7F;-e"& Ia$sKm0$s7J$H" pdadmin rhqg-^;s# r~o7^9# UNIX: # pdadmin server task <server-name> cache stat Windows: MSDOS> pdadmin server task <server-name> cache stat 2. WebSEAL HTTP WaKP9k WebSEAL 5<P<N5<S9Nn_O"~K:T9k lg,"j^9#3nh&j:tko?/n6x,m(il^9#? H(P"!NH*jG9# U!$k,8_7J$# vd_j,"/;9rx8f$k# UNIX U!$kvD,mjG"k+"1oNmjKhj"CGI W m0i`rbtg-j$# 5<P<O"WaKP9kP~K:T9kH"HTML (i<&z<8 bk"(i<&ac;<8 (?H(P"V403 ForbiddenWJI) rv i&6<ka7^9#hqd=j(i<&ac;<8,$/d+"j ^9,"FaC;<8OL9N HTML U!$kK]I5lF$^ 9# Tivoli SecureWay Policy Director WebSEAL I},$I 35

56 3liNU!$kO"!NG#l/Hj<K]I5lF$^9# UNIX: <install-path>/www/lib/errors/<locale-dir> Windows: <install-path> www lib errors/<locale-dir> errors G#l/Hj<KO"?tNm1<k&5VG#l/Hj<,"j^9,"3N5VG#l/Hj<KO"FqlG(i<&aC ;<8&U!$k,~CF$^9#?H(P"FqQl / QlaC;<8NG#l/Hj<&Q9O"! NH*jG9# UNIX: <install-path>/www/lib/errors/en_us Windows: <install-path> www lib errors/en_us 3NG#l/Hj<K~CF$kaC;<8O"Vi&6<K57/ =(5lkh&"HTML A0KJCF$^9#3liN HTML Z< 8O"T87F=NbFr+9?^$:G-^9#U!$kN>0 O"`nN:T~JIKa5lkbt(i<&3<IN 16 JMG 9#3liNU!$k>O"Q9G-^;s# fs*h/=(5lkltn(i<&ac;<8nu!$k>hbf,"!n=kj9h7f"j^9# 36 P<8gs 3.8

57 U!$k>?$Hk HTTP (i<& 3<I c8.html Authentication Failed jgs7ckr!wg-^;sg7?#m(ilk}3o"j<nh* jg9# f<6<n/jgs7ck,'z G<?Y<9+ign7F$k# 1354a2fa.html Non-Empty Directory Wa7?`nKO"uGJ$G#l /Hj<N n,,wg9#3l O"mC?`nG9# 1898d259.html 1898d25a.html 1898d25b.html 1898d25c.html Could Not Sign User On User Has No Single Sign-on Information No Single Sign-on Target for User Multiple Sign-on Targets for User Wa5l?j=<9GO"WebSEAL 5<P<,f<6<rLN Web 5 <P<K5$s*s5;k3Hr, WH7F$^9#7+7"WebSEAL,psN!wrnTfK"dj,/ 87^7?# WebSEAL GO"Wa5l?j=< 9N GSO f<6<r+u1il^ ;sg7?# WebSEAL GO"Wa5l?j=< 9N GSO?<2CHr+U1il ^;sg7?# Wa5l?j=<9KX7F"#t N GSO?<2CH,jA5lF$ ^9#3lOmC?=.G9# 2. WebSEAL Tivoli SecureWay Policy Director WebSEAL I},$I 37

58 U!$k>?$Hk HTTP (i<& 3<I 1898d25d.html Login Required Wa5l?j=<9,8cs/7g shpc/(si Web 5<P<K hcf]n5lf*j" WebSEAL,f<6<r=N Web 5<P<K 5$s*s5;k,W,"j^9# =N?aKO"f<6<,^: WebSEAL Km0$s9k3H,, WG9# 1898d25e.html 1898d25f.html Could Not Sign User On Unexpected Authentication Challenge Wa5l?j=<9GO"WebSEAL,f<6<rLN Web 5<P<K 5$s*s5;k3Hr,WH7F $^9#7+7"=Nf<6<KX 9k5$s*spsKmj,"j^ 9# WebSEAL,"= 7J$'ZKh kf<6<n'r8cs/7gsh PC/(sI Web 5<P<+iu.7^7?# 1898d421.html Moved Temporarily Wa7?j=<9,l~*K\05 Hh}rmC?lgK/87^9# 1898d424.html Bad Request WebSEAL,5zN HTTP Waru.7^7?# 1898d425.html Login Required Wa5l?j=<9O WebSEAL K hcf]n5lf$kng""/; 99k?aKO"^:m0$s9k,W,"j^9# 1898d427.html Forbidden Wa5l?j=<9K"/;99k vd,f<6<k?(ilf$^; s# 1898d428.html Not Found Wa5l?j=<9,+U+j^; s# P<8gs 3.8

59 U!$k>?$Hk HTTP (i<& 3<I 1898d432.html Service Unavailable WebSEAL,WaNh}r0;9k?aK,WH9k5<S9,"=_ OHQTDG9# d437.html Server Suspended WebSEAL 5<P<,"79F`& "I_K9Hl<?<KhCFl~ *KfGuVK5lF$^9#5< P<,"I_K9Hl<?<KhC F5<S9Ka5lk^G"WaO h}5l^;s# 1898d439.html Session Information Lost Vi&6< / 5<P<PC,"~z 7J/JCF$k8cs/7gsh PC/(sI&5<P<HN9F< HUk&;C7gsG7?# WebSEAL GO"3N5<P<eK "k5<s9,"wanh}r0; 9k3Hr,WH7F$^9# 1898d442.html Service Unavailable WebSEAL,,WH9k5<S9O 8cs/7gshPC/(sI&5 <P<eK"j^9,"33GN SSL j_'zkc2,/-f$^ 9# 1898d7aa.html CGI Program Failed CGI Wm0i`,57/BT5l^ ;sg7?# default.html Server Error = 7J$(i<KhCF" WebSEAL,War0;G-^;s G7?# deletesuccess.html Success /i$"sh,+o7? DELETE Wa,5oK0;7^7?# putsuccess.html Success /i$"sh,+o7? PUT `n,5ok0;7^7?# relocated.html Temporarily Moved Wa7?j=<9,l~*K\05 l^7?# websealerror.html 400 WebSEAL Server Error WebSEAL 5<P<Nbt(i<G 9# WebSEAL Tivoli SecureWay Policy Director WebSEAL I},$I 39

60 0N;/7gsGj9H5lF$k HTML (i<&z<8n+9? ^$:KO"J<N^/m,HQG-^9#^/mO"HQD=Jp sr0*kv97^9# ^/m %ERROR_CODE% (i<&3<intm# %ERROR_TEXT% ac;<8&+?m0bn(i<&3<ikp~9kf-9h# %METHOD% /i$"shkhcfwa5lk HTTP }0# %URL% /i$"shkhcfwa5lk URL# %HOSTNAME% 04$~[9H># %HTTP_BASE% 5<P<Vhttp://<host>:<tcpport>/WNp\ HTTP URL# %HTTPS_BASE% 5<P<Vhttps://<host>:<sslport>/WNp\ HTTPS URL# %REFERER% %BACK_URL% %BACK_NAME% HTML Policy Director KO"5sWk HTML q0,"j^9#3n5sw kr+9?^$:7f"5$hc-nac;<8r~l?j"5$h C-N"/7gsrBT9k3H,G-^9#[HsINq0O" HTTP ^?O HTTPS GNq0"H</s"*hS BA 'ZK,7 F$^9# 3liNq0QNU!$kNljO" webseald.conf =.U!$k N [acnt-mgt] 9?s6bN mgt-pages-root Qia<?<KhCF ja5l^9# mgt-pages-root = lib/html/<lang-dir> HQ5lkB]NG#l/Hj<O"m<+i$:KpE$Fh^j ^9#GU)kHNFqQlG#l/Hj<O"!NH*jG9# lib/html/c \lnm1<ko"!ng#l/hj<bnu!$kk"j^9# 40 P<8gs 3.8

61 lib/html/jp J<NClJ HTML Z<8&Qia<?<HMO" webseald.conf =.U!$kN [acnt-mgt] 9?s6K~CF$^9#ltNZ<8 O"1Lpsrs!9kq0m0$s}0KhCFN_HQ5l^ 9# Qia<?< Z<8 HQ! login = login.html q0m0$s logout = logout.html q0m0$s account-locked = acct_locked.html 9YFNa=CI passwd-expired = passwd_exp.html 9YFNa=CI passwd-change = passwd.html 9YFNa=CI passwd-change-success = passwd_rep.html 9YFNa=CI passwd-change-failure = passwd.html 9YFNa=CI help = help.html 9YFNa=CI token-login = tokenlogin.html H</s&m0$s next-token = nexttoken.html H</s&m0$s stepup-login = stepuplogin.html 9FCW"CW'Z 2. WebSEAL HTML q0 login.html logout.html acct_locked.html passwd_exp.html passwd.html passwd_rep.html help.html tokenlogin.html nexttoken.html b@ f<6<>hq9o<in8`waq0# m0"&h,5oktol?ek=(5lkz<8# "+&sh,mc/5lf$??akf<6<'z,:t7? lgk=(5lkz<8# Q9o<IN-z B,ZlF$??aKf<6<'Z,:T 7?lgK=(5lkZ<8# Q9o<IQ9q0#Q9o<IQ9Wa,:T7?lgKb =(5l^9# Q9o<IQ9Wa,5oKTol?lgK=(5lkZ< 8# -zji}z<8xnjs/,^^lf$kz<8# H</s&m0$sq0#!NH</sNq0# Tivoli SecureWay Policy Director WebSEAL I},$I 41

62 q0 stepuplogin.html 9FCW"CW'Zm0$sq0# ^?"3liNZ<8GHQG-k^/m, 2 D"j^9#3li N^/m&9Hjs0O"FsWl<H&U!$kK~lk3H,G -^9#,ZJMG0*KV99k^/m# ^/m %USERNAME% %ERROR% b@ m0$s7?f<6<n>0 Policy Director +ia5l?o<i&3<g#s 0&(i<&aC;<8 3NaGO"/i$"sH&H5<P<&NG#8?kZ@qrh} 9k?aN WebSEAL N;CH"CWK,WJI}?9/H=.?9 /KD$Fb@7^9#G#8?kZ@qO"SSL rp7f'zkh Q5l^9# WebSEAL GO"J<NuVKP9kZ@qr,WH7^9# WebSEAL,5<P<&Z@qrHQ7F"SSL /i$"shk P7F=l+Hr1L9k# WebSEAL,/i$"sH&Z@qrHQ7F"8cs/7gs hpc/(si&5<p< (j_'zqk=.q_) KP7F=l +Hr1L9k# WebSEAL,=NG<?Y<9'ZI (CA) Nk<HZ@qr2 H7F"/i$"sH&Z@qrHQ7F"/;99k/i$" shnev-!:rtj&# WebSEAL,=NG<?Y<9'ZI (CA) Nk<HZ@qr2 H7F"j_'ZQK=.5l?8cs/7gshPC/(s I&5<P<NEv-!:rTJ&# WebSEAL O"SSL N IBM Global Security Kit (GSKit) $swja sf<7gsrhq7f"g#8?kz@qr=.*hsi}7^ 42 P<8gs 3.8

63 9# GSKit O"1 DJeN WebSEAL 5<P< / /i$"shz@ qh CA k<hz@q,~cf$kz@qn-<&g<?y<9r; CH"CW*hSI}9k?aN ikeyman f<f#jf#<rs! 7^9# WebSEAL KO"$s9H<k~K"G#8?kZ@qrp7F SSL 'Zr5]<H9kJ<N3s]<MsH,~j^9# GU)kHN-<&G<?Y<9 (pdsrv.kdb) GU)kHN-<&G<?Y<9 stash U!$k (pdsrv.sth) * hsq9o<i (VpdsrvW) $/D+N&L9k CA k<hz@q WebSEAL, SSL /i$"shkp7f"=l+hr1l9k? akhqg-k"+jp>f9hz@q {NN'ZI/TN"&L7F'15lkZ@qr=A7F"3 NF9HZ@qHhjX(k3Hr*+a7^9# WebSEAL Z@qrh}9k?aN=.O"J<NH*jG9# 2. WebSEAL 45Z<8NXWebSEAL QN-<&G<?Y<9&Qia<?< N=.Y 47Z<8NXiKeyman Z@qI}f<F#jF#<NHQY 48Z<8NXCRL!:N=.Y GSKit IBM 0I}D<k (ikeyman) O"J<N=KWs5lF$k$/D +NU!$k&?$WrHQ7^9# CMS -<&G<?Y<9KO"H%R.kdb,U$?U!$kH"* =i/>n#tnu!$k,^^l^9#.kdb U!$kO"77$ -<&G<?Y<9rn.9kH-Kn.5l^9#.kdb U!$k Tivoli SecureWay Policy Director WebSEAL I},$I 43

64 .rdb *hs.crl U!$kO"77$'ZWarn.9kH-Kn.5l^9#.rdb U!$kO"4 CA 'ZWaWm;9G,WH5 l^9# U!$k&?$W.kdb.sth.rdb.crl.arm WebSEAL -<&G<?Y<9&U!$kO pdsrv.kdb G9# VstashWU!$k#Ef=GN-<&G<?Y<9&Q9o<Ir ]I7^9#3NU!$kNl4>O"X"7?.kdb U!$kH 18G9# VWaWG<?Y<9&U!$k#.kdb -<&G<?Y<9&U!$krn.9kH+0*Kn.5l^9#3NU!$kNl4> O"X"7?.kdb U!$kH18G9#3NU!$kKO"$r CA CA +ia5lkh"'zwarm-go;k?ak.rdb U! $k, (x+0rpk7f)!w5l^9#lw,!p5lkh" U!$ k+io hm&h9kn_oq]5l^9#'zwako"wa~kxj5 l?&l>"h%"vo"*hs=n>npskc("3nwak X"7?x+*hSk)0,H_~^lF$^9# ikeyman ukjj^9# ASCII (s3<i&p$jj<&u!$k#.arm U!$kKO" base-64 (s3<i ASCII ASCII =-KQ95lF$^9#f<6<,.arm ikeyman, ASCII =-rg3<i7f"=n P$Jj<=-r,ZJ.kdb U!$kK~l^9#1MK"f< 6<,.kdb ikeyman,= NG<?rP$Jj<+i ASCII KQ97"=lr.arm U!$k K~l^9#.arm U!$kbN ASCII G<?O"f<6<,'Z WaWm;9fK CA Kw.9kbNG9#m: U!$k=NbN, Base64 (s3<i&u!$kg"lp"isju!$k&?$ W (.arm J0) NHQbvF5l^9# 44 P<8gs 3.8

65 U!$k&?$W.der V1L(s3<I&k<kWU!$k#.der U!$kKO"P$J ^^l^;s)#3lo"=-, ASCII GOJ/P$Jj<G"k 1P".arm U!$kHh/wF$^9#.p12 VPKCS 12WU!$k (PKCS O"VPublic-Key Cryptography Standards (x+0ef}08`)wr=7^9)#.p12 U!$kK l^9#.p12 CA"=N CA U!$ kkok)0,^^lkng"3nq9o<io]n5lf$^ 9# WebSEAL WebSEAL $s9h<k~k"webseal <9rs!7^9#webseal-cert-keyfile Qia<?<O" webseald.conf =.U!$kN [ssl] 9?s6K"j"3NU!$k N>0Hljr1L7^9# [ssl] webseal-cert-keyfile = /var/pdweb/www/certs/pdsrv.kdb 2. WebSEAL ikeyman f<f#jf#<rhq7f"7,-<&g<?y<9r n.g-^9#?@7"webseal-cert-keyfile Qia<?<K3N7,-<&U!$kN>0Hljr~O7F" WebSEAL,=NG<? Y<9bK"kZ@qr!w7"HQG-kh&K7F*+J1lP Jj^;s# Z@q-<&U!$kNQ9o<I: $s9h<k~k"webseal OGU)kH stash U!$kbs!7 ^9#3NU!$kKO"pdsrv.kdb -<&U!$kNQ9o<I, ~CF$^9# webseal-cert-keyfile-stash Qia<?<O" WebSEAL K stash U!$kNljrNi;^9# webseal-cert-keyfile-stash = /var/pdweb/www/certs/pdsrv.sth Tivoli SecureWay Policy Director WebSEAL I},$I 45

66 3N stash U!$kKEf=5lF$kGU)kH&Q9o<IO" VpdsrvWG9#Q9o<IO"webseal-cert-keyfile-pwd Qia<?<bKWl<s&F-9H (?8) G=93HbG-^9#?H( P"!NH*jG9# webseal-cert-keyfile-pwd = pdsrv $s9h<k~k"webseal O stash U!$krHQ7F-<&U!$kNQ9o<Irh@7^9#webseal-cert-keyfile-pwd O3a shu-g9# stash U!$krHQ9kH"Q9o<I, webseald.conf =.U!$kbNF-9HG=(5lJ$h&K9k 3H,G-^9# m: HQ7?$CjNQ9o<I&Qia<?<@13asHr07 F/@5$#Q9o<IH stash U!$kN>}rXj9kH" Q9o<IM,HQ5l^9# WebSEAL F9HZ@q: $s9h<k~"webseal O]n5lJ$+Jp>F9HZ@qr s!7^9#f9hz@qo5<p<&nz@qh7f/-" WebSEAL O3lKhCF+Jr SSL /i$"shkp7f@i+ K9k3H,G-^9# 3NF9HZ@qNHQ!Nhjh$)fN?a"3NZ@qOGU )khz@qh7fo$s9h<k5l^;s#=neoj" webseal-cert-keyfile-label Qia<?<,3NZ@qr"/F# V&5<P<&NZ@qH7FXj7"-<&U!$k&G<?Y< 9GVdefaultWH7FXj5lF$k>NZ@qr*<P<i$I7 ^9# webseal-cert-keyfile-label = WebSEAL 3NF9HZ@qO"WebSEAL,"SSL HQD=Vi&6<NWa K~zG-kh&K7^9,"3lr (,ZJk<H CA Z@qr^ ^J$) WebSEAL [[K^^lF$k?a"3N Z@qGO"?KB4JL.Os+7F$^;s# 46 P<8gs 3.8

67 ikeyman f<f#jf#<rhq7f"'zi (CA) Kw.G-k 9H<k7FiYkU19kKO"iKeyman rhq7^9# >N7Jj* (-K 8cs/7gsJI) 9klgO" ikeyman rn."$s9h<k"*hsiyku19k3h,g-^9#3n keyfile iykko"9z<9r~lfojj^;s# WebSEAL (GU)kHG user ivmgr H7FBT5lk) O"3li -<&G<?Y<9&U!$kKP9kI_hj (r) vdr}cf$ k,w,"j^9# 273Z<8NXiKeyman bt Policy Director 5<P< SSL L.: webseald.conf =.U!$kN [ssl] 9?s6KO" WebSEAL, >N Policy Director 5<P<HNbt SSL L.N?aKHQ9k- <&U!$kr=.9k?aKHQ5lk 4 DNICQia<?<,^^lF$^9#3liNQia<?<O"pdconfig =.9/j WHKhCFN_Q9G-^9# [ssl] ssl-keyfile = ssl-keyfile-pwd = ssl-keyfile-stash = ssl-keyfile-label = ikeyman ikeyman f<f#jf#<o"gskit Gs!5lkD<kG"j" WebSEAL,HQ9kG#8?kZ@qNI}KHQ9k3H,G- ^9#iKeyman OJ<rT&?aKHQ7^9# 1 DJeN-<&G<?Y<9rn.9k 2. WebSEAL -<&G<?Y<9NQ9o<IrQ99k 7, WebSEAL Z@qrn.9k 7,GU)kH WebSEAL Z@qr_j9k Tivoli SecureWay Policy Director WebSEAL I},$I 47

68 CA o 9k G<?Y<9+iG<?Y<9KZ@qr3T<9k ikeyman rhq7?3lin?9/nbtkx9k\yjb@kd $FO" 273Z<8NXiKeyman CRL Z@qhjC7j9H (CRL) O"T,WJZ@qNEv-!:rJ /}0G9#CRL KO".j-,J$H+J5lkZ@qN1L, ~CF$^9#WebSEAL,HQ9k SSL N GSKit $swjasf <7gsO"CRL!:r5]<H7^9#GSKit rhq9kh"/ i$"sh&z@qh SSL 8cs/7gs+iNZ@qN CRL! :r WebSEAL,BTG-kh&KJj^9# WebSEAL O"CRL!:rTJ&?aK3Nj9HNljr'17F $J1lPJj^;s#Z@qN'ZfK CRL!:N?aK2HG -k LDAP 5<P<NLVKP9kQia<?<O"webseald.conf =.U!$kN [ssl] 9?s6K~CF$^9# [ssl] #ssl-ldap-server = <server-name> #ssl-ldap-server-port = <port-id> #ssl-ldap-user = <webseal-admin-name> #ssl-ldap-user-password = <admin-password> GU)kHGO"CRL!:OHQTDKJCF$^9 (Qia<?< KO3asH,U$F$^9)#Z@qN'ZfK CRL!:rHQD =K9kKO"FQia<?<N3asHr07F",ZJMr~O 7F/@5$# ssl-ldap-user NM,LkNH-O"SSL 'Za+K:`,?>f< 6<H7F LDAP 5<P<KP$sI5lJ1lPJiJ$3Hr (7F$^9# 48 P<8gs 3.8

69 SSL (HTTPS) rp7f WebSEAL K"/;99k?aK,WJEf =NGU)kH&lYkO"]nNJA (QOP) r=.9k3hkh CF)fG-^9#GU)kHN]nNJANI}O" webseald.conf =.U!$kNVSSL QUALITY OF PROTECTION MANAGEMENTW;/7gsNQia<?<rHQ7FJ<NWNG )f7^9# ssl-qop-mgmt Qia<?<rQ$F QOP I}rHQD=*h SHQTDK9k [ssl-qop-mgmt-default] 9?s6rHQ7FvD5lkEf=l YkrXj9k 1. ]ni}rhqd=k9kko"!nh&k7^9# [ssl-qop] ssl-qop-mgmt = yes 2. HTTPS "/;9NGU)kHEf=lYkrXj9kKO"!N h&k7^9# [ssl-qop-mgmt-default] # default = ALL NONE <cipher-level> # ALL (enables all ciphers) # NONE (disables all ciphers and uses an MD5 MAC check sum) # DES-40 # DES-56 # DES-168 # RC2-40 # RC2-128 # RC4-40 # RC4-128 default = ALL 2. WebSEAL *rq_nefn0k<wrxj9k3hbg-^9# [ssl-qop-mgmt-default] default = RC4-128 default = RC2-128 default = DES-168 QOP ssl-qop-mgmt = yes Qia<?<O^?" [ssl-qop-mgmt-hosts] *hs [ssl-qop-mgmt-networks] 9?s6bK"k_jbHQD= Tivoli SecureWay Policy Director WebSEAL I},$I 49

70 K7^9#3liN9?s6rHQ9lP"CjN[9H / MCHo </ / MCH^9/ IP "Il94HK]nNJANI}rT&3H,G-^9# [ssl-qop-mgmt-default] 9?s6KO" [ssl-qop-mgmt-hosts] * hs [ssl-qop-mgmt-networks] 9?s6bKlW9kbN,J$ IP "Il99YFKHQ5lkEf,j9H5l^9# [9HQN=.=8Nc: [ssl-qop-mgmt-hosts] # <host-ip> = ALL NONE <cipher-level> # ALL (enables all ciphers) # NONE (disables all ciphers and uses an MD5 MAC check sum) # DES-40 # DES-56 # DES-168 # RC2-40 # RC2-128 # RC4-40 # RC4-128 xxx.xxx.xxx.xxx = ALL yyy.yyy.yyy.yyy = RC2-128 MCHo</ / MCH^9/QN=.=8Nc: [ssl-qop-mgmt-networks] # <network/netmask> = ALL NONE <cipher-level> # ALL (enables all ciphers) # NONE (disables all ciphers and uses an MD5 MAC check sum) # DES-40 # DES-56 # DES-168 # RC2-40 # RC2-128 # RC4-40 # RC4-128 xxx.xxx.xxx.xxx/ = RC4-128 yyy.yyy.yyy.yyy/ = DES-56 [ssl-qop-mgmt-hosts] *hs [ssl-qop-mgmt-networks] 9?s6 O"e}_9-N_N?aKw(ilF$^9# Policy Director 3.8 N=.K3lrHQ9k3HO*+a7^;s# 50 P<8gs 3.8

71 I}5<P<O"^9?<vD]j7<&G<?Y<9rI}7"; -e"&ia$sbn>n Policy Director 5<P<KX9km1<7 gspsr]i7^9# Policy Director "I_K9Hl<?<O"$ DGb;-e"&Ia$sN;-ejF#<&]j7<rQ9G-^ 9#;-ejF#<&]j7<NQ9,$sWjasH5lk?S4 HK"I}5<P<,^9?<vDG<?Y<9K,WJ40r\7 ^9# I}5<P<O"^9?<vDG<?Y<9KQ9rC(kH-K" D9N]j7<B\gN (WebSEAL JI) r5]<h9k;-e "&Ia$sbN9YFNlWj+&G<?Y<9K3NQ9NLN rw.7^9#]j7<b\gno"=ne^9?<vdg<?y< 9+iNB]NG<?Y<997rWa9k,W,"j^9# j=<9&^m<8c<*hs]j7<b\gnh7f" WebSEAL 3 DN *W7gs,"j^9# I}5<P<+iN97LNr listen 9k (=.D=G"GU) khghqd=)# 2. WebSEAL j *K^9?<vDG<?Y<9r!: (]<js0) 9k (=.D=G"GU)kHGOHQTD)# listen H]<js0N>}rHQD=K9k# webseald.conf =.U!$kN [aznapi-configuration] 9?s6K O"97LN listen HG<?Y<9&]<js0r=.9k?aNQ ia<?<,^^lf$^9# WebSEAL Nm<+k&lWj+vD]j7<&G<?Y<9Nlj O"db-file Qia<?<KhCFjA5l^9# [aznapi-configuration] db-file = /var/pdweb/db/webseald.db Tivoli SecureWay Policy Director WebSEAL I},$I 51

72 listen listen-flags Qia<?<O" WebSEAL Khk97LN listen rh QD=*hSHQTDK7^9# listen OGU)kHGHQD=KJ CF$^9# listen rhqtdk9kko"vdisablewh~o7^ 9# [aznapi-configuration] listen-flags = enable tcp-port Qia<?<O"listener QN TCP ]<Hr=.7^9# [aznapi-configuration] tcp-port = udp-port Qia<?<O"listener QN TCP ]<Hr=.7^9# [aznapi-configuration] udp-port = 0 f<6<o"webseal,^9?<vdg<?y<9n97psrj *K]<js09kh&K3lr=.G-^9# cache-refresh-interval Qia<?<KO"VdefaultW"VdisableW"^?OCjN~VVV (C1L) r_jg-^9#vdefaultw_jo" 600 CG9#]<js0OGU)kHGOHQTDG9# [aznapi-configuration] cache-refresh-interval = disable WebSEAL m: J<NpsO"J0NP<8gsN Policy Director GHQ5lF $? pdadmin server modify baseurl 3^sIKV-9okb NG9# iyng-$d-go"m<i&pis7s0*hsu'$k*<p <!=rbak?ak"umsh(si WebSEAL 5<P<r#=9 kno-wg9#umsh(si WebSEAL 5<P<r#=9klg O"F5<P<K Web 9Z<9"junction G<?Y<9"*hS dynurl G<?Y<9N5NJ3T<,~CF$J1lPJj^;s# 52 P<8gs 3.8

73 3NP<8gsN Policy Director O"UmsH(sI WebSEAL 5 <P<r#=9k?aNj0N=.jgr5]<H7F$^9#3N?9/K pdadmin 3^sIOHQ5lJ/Jj^7?#!NcK*$F"VWS1WO 1! WebSEAL 5<P<N[9H>G 9#VWS2WOlWj+ WebSEAL 5<P<N[9H>G9# 1. WS1 *hs WS2 N>}N5<P<eK WebSEAL r$s9h< k7f=.7^9# 2. WS2 N WebSEAL rd_7^9# 3. WS2 G"webseald.conf =.U!$kbN server-name Qia <?<rvws2w+ivws1wkq97^9# [server] server-name = WS1 4. WS2 N WebSEAL rfo07^9# 3lG"WS2 5<P<O*V8'/H /WebSEAL/WS1 rvd>an p\h7fhq9kh&kjj^9# WS2 5<P<O" /WebSEAL/WS1 N<K"k*V8'/HKP9k object list *hs object show 3^sIKb~zG-^9# 2. WebSEAL pdadmin f<f#jf#<o"^@ /WebSEAL/WS2 *V8'/Hr *V8'/H&9Z<9NltH7Fj9H7F$^9#3N*V8 '/HObOdU#r}?J$NG"!Nh&K7F ng-^9# pdadmin> object delete /WebSEAL/WS2 ro: *V8'/H&9Z<9I}N}g: "I_K9Hl<?<KO 1lN*V8'/H,X,=(5l^9,"=N*V8'/H, XK,Q5lkI}3^sIO"#=5l?9YFN WebSEAL 5<P<KFA7"9YFN5<P<,3liN3^sIK~z G-^9# vd>an}g: 5<P< WS2,5<P< WS1 NlWj+H 7F=.5lF$klg"5<P< WS2 O /WebSEAL/WS1 rv D>ANp\H7FHQ7^9# Tivoli SecureWay Policy Director WebSEAL I},$I 53

74 =.N}g: UmsH(sI WebSEAL #=,57/!=9kK O"F5<P<eN Web 9Z<9"junction G<?Y<9"*h S dynurl G<?Y<9N=.,1lGJ1lPJj^;s# HTTP WebSEAL KO"!Nh&J 3 DN_h? HTTP m0&u!$k, ]i5lf$f"ac;<8goj/"h0,-?5l^9# request.log agent.log referer.log GU)kHGO"3liNm0&U!$kOJ<NG#l/Hj<N bhk]i5lf$^9# UNIX: /var/pdweb/www/log/ Windows: C: Program Files Tivoli PDWeb www log 8` HTTP m.s0r=.9kqia<?<o" webseald.conf =.U!$kN [logging] 9?s6K~CF$^9#!N=KO"HTTP m0&u!$kh=.u!$k&qia<?<n VNX8,(7F"j^9# m0&u!$k ljqia<?< HQD== / HQTD =Qia<?< (= yes ^?O no) request.log requests-file requests referer.log referers-file referers agent.log agents-file agents?h(p"request.log U!$kNGU)kHljKP9k(sHj <O!Nh&KJj^9# 54 P<8gs 3.8

75 UNIX: requests-file = /var/pdweb/www/log/request.log Windows: requests-file = Program Files Tivoli PDWeb www log request.log HTTP / GU)kHGO"HTTP m.s0ohqd==5lf$^9# [logging] requests = yes referers = yes agents = yes =l>lnm0o"h+khqd==7?j"hqtd=9k3h, G-^9#$:l+NQia<?<,VnoWK_j5lF$kH"= NU!$kKX9km.s0OHQTD=5l^9#?$`&9?sW,m0r=O~VSGJ/"0jKC88`~ (GMT) G-?9kh&K9k3HbG-^9#GU)kHGO"=O ~VS,HQ5l^9# [logging] gmt-time = no 2. WebSEAL GMT?$`&9?sWrHQ9klgO"!Nh&K_j7^9# gmt-time = yes max-size Qia<?<O"=l>lN HTTP m0&u!$k,}g 7?lgNGg5$:rXj7^9#GU)kHM (P$Ht) O! NH*jG9# [logging] max-size = m0&u!$k,m<k*<p<7-$mhfplkxjnmk~# 9kH"{8NU!$k,"18>0NU!$kKPC/"CW5l ^9#3NU!$kKO"=N~@N UH?$`&9?sW,UC 5l^9#3$F7,m0&U!$k,+O5l^9# Tivoli SecureWay Policy Director WebSEAL I},$I 55

76 FoN max-size MO"J<Nh&Kra5l^9# max-size M,<mhj.5$ (< 0) lgo"m.s0&wm; 9,/05lk?SK"^?"=l+i 24 ~V4HK7,m 0&U!$k,n.5l^9# max-size M,<mKy7$ (= 0) lgo"m<k*<p<ob T5l:"m0&U!$kO5BK}g7^9#m0&U!$k,9GK8_9klgO"7,G<?,=lKIC5l^9# max-size M,<mhjg-$ (> 0) lgo"m0&u!$k, =.5l?7-$MK~#9kHm<k*<P<,BT5l^ 9# O0~Km0&U!$k,9GK8_9klgO"7,G<?,=lKIC5l^9# m0&u!$ko"pcu!<5l?g<?&9hj<`kq-~^ l^9#m0&u!$krj"k?$`gbk?<7f$klgo" 5<P<,m0&U!$k&PCU!<NUiC7er/)9kQY rq99k3hbg-^9# GU)kHGO"m0&U!$kO 20 C4HKUiC7e5l^ 9# [logging] flush-time = 20 inmrxj9kh"=l>ln-?,q-~^l?eguic7e,/)5l^9# request.log WebSEAL O"PC/&(sIN8cs/7gsh"Wj1<7g s&5<p<+ine* HTML URL r+0*ku#k?<`n7^ 9# webseald.conf =.U!$kbN [filter-url] 9?s6O" WebSEAL,U#k?<`n9k"PC/(sI&5<P<+iN~ zbn URL 0-rjA7^9# 193Z<8NX8cs/7gsh5 <P<+iNE* HTML URL NU#k?<Y r2h7f/@5 $# 56 P<8gs 3.8

77 Wa5l?"PC/(sIN8cs/7gsh5<P<+iN3sF sdk"h_~_ URL,^^lF$klg" WebSEAL OQ9N0 K8cs/7gs&]$sHrUC9k3HKhCF URL 9Hjs 0rU#k?<`n7^9#3l,Vi&6<Ka5llP"/i$ "sho5ok3n URL rhq9k3h,g-^9# 7?,CF"Vi&6<Ka5lkG**JZ<8N3sFsD9 O"8cs/7gsh5<P<+i WebSEAL Ka5lk5N3sF sdhjb$/vs9/jj^9# 3NP<8gsN Policy Director WebSEAL GO"f<6<," request.log U!$k (HQD=Jlg) K-?5lk3sFsD9 r=.9k3h,g-^9# webseald.conf =.U!$kN [logging] 9?s6bN log-filtered-pages Qia<?<r_j7 F"<m&P$H&5$:^?O$U#k?<&P$H&5$:r-?9k3H,G-^9# $U#k?<&P$H&5$:r-?9kKO"3NQia<?<K VyesW(GU)kH) r_j7^9# [logging] log-filtered-pages = yes 2. WebSEAL <m&p$h&5$:r-?9kko"3nqia<?<kvnowr _j7^9# [logging] log-filtered-pages = no HTTP (request.log ) Policy Director 5<P<+iVw5lk~z (.y^?o:t) O" =l>l!nh&j HTTP &Lm0A0rHQ9k request.log U!$kbN 1 TN(sHj<H7F-?5l^9# host - authuser [date] request status bytes 33G" host authuser Wa^7sN IP "Il9rXj7^9# 3NU#<kIO"u.5l? HTTP WaN From: Tivoli SecureWay Policy Director WebSEAL I},$I 57

78 <6<KP7FHQ5l^9# date request status WaN ~rxj7^9# WaNGiNTr"/i$"sH+iNWaI*jK Xj7^9# Wa5^7sKVw5lk HTTP u73<irxj 7^9# bytes Wa5^7sKVw5lkP$HtrXj7^9#3 NM ($U#k?<&3sFsD&5$:^?O< m&5$:n$:l+) O"log-filtered-pages Qi a<?<g=.5l^9# request.log request.log KO"Wa5l? URL KX9kpsH"WarTJC?/i$"sHKX9kps (?H(P"IP "Il9) JIN" HTTP WaN8`m.s0,-?5l^9#!NcO"request.log U!$kN5sWk&P<8gsr(7^ 9# [26/Aug/2001:17:23: ] "GET /xsmith/private_html/ HTTP/1.0" [26/Aug/2001:17:23: ] GET /icons HTTP/1.0" [26/Aug/2001:17:23: ] "GET /icons/ HTTP/1.0" [26/Aug/2001:17:24: ] "GET /xsmith/private_html/ HTTP/1.0" [26/Aug/2001:17:24: ] "GET /xsmith/ HTTP/1.0" agent.log agent.log U!$kKO" HTTP WabN User_Agent: XC@< NbF,-?5l^9# 3Nm0GO"=l>lNWa4HK"" <-F/Ac<dP<8gsVfJI"/i$"sH&Vi&6<K D$FNps,(5l^9#!NcO"agent.log U!$kN5sWk&P<8gsr(7^9# 58 P<8gs 3.8

79 Mozilla/4.01 [en] (WinNT; U) Mozilla/4.01 [en] (WinNT; U) Mozilla/4.01 [en] (WinNT; U) Mozilla/4.01 [en] (WinNT; U) referer.log referer.log KO" HTTP WaN Referer: 9# =l>lnwa4hk"wa5l?8qxnjs/,^^lf $?8q,m0K-?5l^9# 3Nm0GO"!NA0,HQ5l^9# referer -> object 3Nps,r)DNO"Web 9Z<9bN8qXN0tjs/rIW 9klgG9#3Nm0GO"referer G(5lk=<9K"Z< 8&*V8'/HXNjs/,~CF$k3H,(5l^9# 3N m0rhq9kh":zjs/riw7"8qxnjs/rn.7f $kvvtr!pg-^9#!nco"referer.log U!$kN5sWk&P<8gsr(7^ 9# -> /pics/tivoli_logo.gif ->/pics/tivoli_logo.gif -> /pddl/index.html -> /pddl/index.html ->/pics/tivoli_logo.gif -> /pddl/index.html 2. WebSEAL Tivoli SecureWay Policy Director WebSEAL I},$I 59

81 3 WebSEAL 3NOGO"WebSEAL HTC/NwzO"J<NH*jG9# XWebSEAL G-N ACL ]j7<y 64Z<8NX9j<&9Hi$/&m0$s&]j7<Y 66Z<8NXQ9o<I&9Hls09&]j7<Y 71Z<8NX'Z9Hls09 POP ]j7< (9FCW"C W)Y 78Z<8NXMCHo</&Y<9N'Z POP ]j7<y 82Z<8NXPOP ]j7<n]nnjay 83Z<8NXs'Zf<6<Nh} (HTTP/HTTPS)Y WebSEAL ACL ]n*v8'/h&9z<9bn /WebSEAL 3sFJ<KO"J< Nh&J;-ejF#<NM8v`,,Q5l^9# 3. WebSEAL WebSEAL *V8'/HO"*V8'/H&9Z<9N WebSEAL NhKP9k ACL Q5NA'<srO07^9# Tivoli SecureWay Policy Director WebSEAL I},$I 61

82 >N ACL Web 9Z<94NN;-ejF#<&]j7<rjA7^9 (Q 5KhCF)# 3N*V8'/H*hS3N]$sHN<K"kIN*V8'/ HX"/;99kKb"#G (T) vdrhq9k,w,"j^ 9# Policy Director ACL ]j7<kx9k4pskd$fo" Tivoli SecureWay Policy Director Base I},$I /WebSEAL/<host> 3N5VDj<KO"CjN WebSEAL 5<P<N Web 9Z<9, ^^lf$^9#!nh&j;-ejf#<nm8v`,3n*v8 '/HK,Q5l^9# 3N]$sHN<K"k$:lN*V8'/HX"/;99kK b"#g (T) vdrhq9k,w,"j^9# >N ACL N^7sN*V8'/H&9Z<94NN;-ejF#<&]j 7<rjA9k3HKJj^9 (Q5KhCF)# /WebSEAL/<host>/<file> 3lO"HTTP "/;9N]K!:5lkj=<9&*V8'/HG 9#!:5lkvDO"Wa5l?`nKhCF[Jj^9# WebSEAL ACL J<N=O"*V8'/H&9Z<9N WebSEAL NhK,Q5lk ACL `n r I_hj Web *V8'/Hr=(7^9# x BT CGI Wm0i`rBT7^9# d o Web 9Z<9+i Web *V8'/Hr n7^ 9# m Q9 HTTP *V8'/Hr PUT 7^9 (HTTP *V8' /Hr WebSEAL *V8'/H&9Z<9K~l" x=9k)# 62 P<8gs 3.8

83 `n l j9h I}5<P<, Web 9Z<9NG#l/Hj<N j9hr+0*kn.9k]k,wkjj^9# 3NvDO"GU)kHNVindex.htmlWZ<8,J $lgk"/i$"sh,g#l/hj<bfnj 9Hr+ilk+I&+b)f7^9# g et /i$"shneojkhvrhkh&" WebSEAL 5<P<KHi9HrdjvF"8cs /7gs5l? WebSEAL 5<P<K=NWarO 7^9# /WebSEAL ACL WebSEAL ACL N3"&(sHj< default-webseal KO"J<, ^^l^9# Group iv-admin Group webseal-servers User sec_master Any-other Unauthenticated Tcmdbsvarxl Tgmdbsrxl Tcmdbsvarxl Trx T 3NGU)kH ACL O"$s9H<k~K*V8'/H&9Z<9 bn /WebSEAL 3sFJ<&*V8'/HKUC5l^9# 0k<W webseal-servers KO";-e"&Ia$sbNF WebSEAL 5<P<KP~9k(sHj<,^^l^9#GU)kH vdo"3lin5<p<,vi&6<wak~z9k3hr'af $^9# #GvDO"Web Portal Manager bk=(5l? Web 9Z<9NH %rvd9kbng9#j9hvdo"web Portal Manager K Web 9Z<9N3sFsDr=(9k3HrvD7^9# 3. WebSEAL Tivoli SecureWay Policy Director WebSEAL I},$I 63

84 9j<&9Hi$/&m0$s&]j7<O"LDAP Y<9N Policy Director,$s9H<k5lF$k79F`GHQG-^9#3N] j7<rhq9kh"f<6<om0$sntn:t,v5lkgg st (n) H"ZJkF#<&mC/"&H~V (x) rxjg-kh& KJj^9#D^j"VnWsm0$sNnTK:T7?f<6<,"VxWCVmC/"&H5lk (9JoA"+&sH,HQTD= 5lk) h&k9k3h,g-^9# 9j<&9Hi$/&m0$s&]j7<O"3sTe<?<NQ9 o<i,6b5lknri0?akhq5l^9#3n]j7<g O":T7?m0$sNnTrFYTJ(kh&KJk?aNljN ~Vrjak3H,G-^9#?H(P"]j7<O"3 sm0$s NnTK:T7?eK" 180 CVNZJkF#<rJ93H,G- ^9#3NoNm0$s&]j7<O"3sTe<?<rHQ7Fi 1 CVK?sbnT5lkNrI03H,G- ^9# 9j<&9Hi$/&m0$s&]j7<GO"!N 2 DN pdadmin policy 3^sI_jrkg7F!=5;k,W,"j^ 9# m0$sntn:t,v5lkggst policy set max-login-failures _j5lf$km0$sntn:t,v5lkstr6(?lg NZJkF#< policy set disable-time-interval ZJkF#<N_jKO""+&sH,mC/"&H5lk~V VVNXjd"+&sHr04KHQTD=9k_j,"j^ 9# m0$s&]j7< (?H(P"nT, 3 s:t7?lgn]j7 <),_j5lf$klgo"cjnmc/"&h~vnzjkf# <,J5l"4 s\nntn]ko"=l,57$+vccf$k+ 64 P<8gs 3.8

85 KX8J/"Q9o<I&]j7<KhCF""+&sH,l~*K HQG-J/JCF$k3Hr(9(i<&Z<8,=(5l^9# ~VVVO"C1LGXj5l^9#d)5lkG.~VVVO 60 CG9# disable-time-interval ]j7<,vdisablewk_j5lf$kh"f <6<O"+&sH+imC/"&H5l"3Nf<6<N LDAP account valid 0-OVnoWK_j5l^9#"I_K9Hl<?< O"Web Portal Manager rp7f"+&shrfshqd=k7^ 9# m: disable-time-interval rvdisablewk_j9kh"=nkl"i }*<P<XCI,}(^9#account valid psr WebSEAL 5<P<K#=9k]KYl,8:k3Hb"j^9#3Nu7 O"f<6<N LDAP D-KhCF[Jj^9#5iK"lj N LDAP $swjasf<7gsrtj&h"account valid 97`nNkLH7F"QU)<^s9,c<9k3H,"j^ 9# 3&7?}3Khj"?$`"&HVVrHQ9k3Hr* +a7^9# J<N pdadmin 3^sIO"LDAP l89hj<hhbkhq9k lgkn_,7f$^9# 3^sI b@ policy set max-login-failures {<number> unset} [-user <username>] policy get max-login-failures [-user <username>] 3. WebSEAL Tivoli SecureWay Policy Director WebSEAL I},$I 65

86 3^sI 5lk+r3sHm<k9k]j7<rI}7^9#3 N3^sIO"policy set disable-time-interval 3^ sik_j5l?zjkf#<n_jkm87^9# "I_K9Hl<?<O"3N]j7<rCjNf<6 <KP7F,Q9k3Hb" LDAP l89hj<kj 9H5lF$k9YFNf<6<KP7F0m<PkK,Q9k3HbG-^9# GU)kHN_jO 10 sg9# policy set disable-time-interval {<number> unset disable} [-user <username>] policy get disable-time-interval [-user <username>] m0$sntn:tnst,ggmk#7?lgk"" +&sh,hqtdk5lk~vvvr3shm<k9 kzjkf#<&]j7<ri}7^9# "I_K9Hl<?<O"3NZJkF#<&]j7< rcjnf<6<kp7f,q9k3hb"^?o LDAP l89hj<kj9h5lf$k9yfnf<6 <KP7F0m<PkK,Q9k3HbG-^9# GU)kHN_jO 180 CG9# Q9o<I&9Hls09&]j7<O"LDAP Y<9N Policy Director,$s9H<k5lF$k79F`GHQG-^9#3N] j7<o"q9o<i&]j7<,'khkq9o<inn.k]7 F,Q5lk,jN3HG9#Policy Director K"J<Nh&J"Q 9o<I&9Hls09&]j7<rn.9k 2 DN}!rs!7 ^9# 5 DN pdadmin Q9o<I&]j7<&3^sI f<6<,q9o<i&]j7<r+9?^$:g-kh&k9 k"wi0$sp~'zb8e<k (PAM) 66 P<8gs 3.8

87 Tivoli SecureWay Policy Director WebSEAL GYmCQ< ju! ls9 pdadmin pdadmin f<f#jf#<khj$swjash5lk 5 DNQ9 o<i&9hls090-o"j<nh*jg9# G.Q9o<I9 G.Qzt G.sQzt Gg? 8zt v5lk9z<9 3liN]j7<O"pdadmin ^?O Web Portal Manager Gf< 6<rn.9klg""k$O pdadmin"web Portal Manager"^?O pkmspasswd f<f#jf#<khcfq9o<i,q95l klgkhqg-^9# J<N pdadmin 3^sIO"LDAP l89hj<hhbkhq9k lgkn_,7f$^9#unset *W7gsO"3N]j7<0-r HQTDK7^9#3N*W7gs,HQ5lkH]j7<OB\5 l^;s# 3^sI b@ policy set min-password-length {<number> unset} [-user <username>] policy get min-password-length [-user <username>] 3. WebSEAL Tivoli SecureWay Policy Director WebSEAL I},$I 67

88 3^sI Q9o<ING;N95r3sHm<k9k]j7<r I}7^9# "I_K9Hl<?<O"3N]j7<rCjNf<6 <KP7F,Q9k3Hb"GU)kH&l89Hj< Kj9H5lF$k9YFNf<6<KP7F0m<P kk,q9k3hbg-^9# GU)kHN_jO 8 G9# policy set min-password-alphas {<number> unset} [-user <username>] policy get min-password-alphas [-user <username>] Q9o<IbGHQG-kQzNG.tr3sHm<k 9k]j7<rI}7^9# "I_K9Hl<?<O"3N]j7<rCjNf<6 <KP7F,Q9k3Hb"GU)kH&l89Hj< Kj9H5lF$k9YFNf<6<KP7F0m<P kk,q9k3hbg-^9# GU)kHN_jO 4 G9# policy set min-password-non-alphas {<number> unset} [-user <username>] policy get min-password-non-alphas [-user <username>] Q9o<IbGHQG-ksQz (tz) NG.tr3 shm<k9k]j7<ri}7^9# "I_K9Hl<?<O"3N]j7<rCjNf<6 <KP7F,Q9k3Hb"GU)kH&l89Hj< Kj9H5lF$k9YFNf<6<KP7F0m<P kk,q9k3hbg-^9# GU)kHN_jO 1 G9# policy set max-password-repeated-chars {<number> unset} [-user <username>] policy get max-password-repeated-chars [-user <username>] 68 P<8gs 3.8

89 3^sI Q9o<IbGHQG-kGg? 8ztr3sHm< k9k]j7<ri}7^9# "I_K9Hl<?<O"3N]j7<rCjNf<6 <KP7F,Q9k3Hb"GU)kH&l89Hj< Kj9H5lF$k9YFNf<6<KP7F0m<P kk,q9k3hbg-^9# GU)kHN_jO 2 G9# policy set password-spaces {yes no unset} [-user <username>] policy get password-spaces [-user <username>] Q9o<IK9Z<9r~lFh$+I&+r3sHm <k9k]j7<ri}7^9# "I_K9Hl<?<O"3N]j7<rCjNf<6 <KP7F,Q9k3Hb"GU)kH&l89Hj< Kj9H5lF$k9YFNf<6<KP7F0m<P kk,q9k3hbg-^9# GU)kHN_jO unset G9#!N=KO"]j7<&Qia<?<HGU)kHM,-\5lF$ ^9# Qia<?< GU)kHM min-password-length 8 min-password-alphas 4 min-password-non-alphas 1 max-password-repeated-chars 2 password-spaces _j7j$ 3. WebSEAL Policy Director NJ0Njj<9H18h&KQ9o<I&]j7< r0n5;kko"e-j9hn 5 DNQ9o<I&Qia<?< K=l>l unset *W7gsr,Q7F/@5$# Tivoli SecureWay Policy Director WebSEAL I},$I 69

90 J<N=O"5 DN pdadmin Qia<?<KGU)kHM,_j5 lf$klgn]j7<nklr"$/d+nckhcf(7?bn G9# c password kl 5z: GcGb 1 8zJeNsQz,^^lF$J1 lpjj^;s# pass 5z: G;Gb 8 8zGJ1lPJj^;s# passs1234 5z:? 8z, 3 DJeHQ5lF$^9# z: GcGb 4 8zNQz,^^lF$J1lPJ j^;s# password3 -z# pdadmin policy 3^sIO"CjNf<6<KP7F_j9k (- user *W7gsrHQ) 3Hb"0m<PkK_j9k (- user *W7gsrHQ7J$) 3HbG-^9#f<6<G-N_jO" 9YF]j7<N0m<Pk_jr*<P<i$I7^9#]j7 <&Qia<?<O"HQTD (unset) K9k3HbG-^9#3l O"Qia<?<KM,^^lJ$3HrU#7^9#unset *W7 gso"!:b/)b5l^;s#?h(p"!nh&kjj^9# pdadmin> policy set min-password-length 8 pdadmin> policy set min-password-length 4 -user matt pdadmin> policy get min-password-length Minimum password length: 8 pdadmin> policy get min-password-length -user matt Minimum password length: 4 70 P<8gs 3.8

91 (f<6< matt KO"G;NQ9o<I9r 4 8zH9k]j7<,,Q5l">N9YFNf<6<KO"Q9o<I9r 8 8zH 9k]j7<,,Q5l^9#) pdadmin> policy set min-password-length unset -user matt (f<6< matt Kb"G;NQ9o<I9r 8 8zH9k0m<P kn]j7<,,q5lkh&kjj^9#) pdadmin> policy set min-password-length unset (f<6< matt r^`9yfnf<6<kp7f"g;nq9o<i 9rjak]j7<O,Q5lJ/Jj^9#) POP ( ) 'Z9Hls09 POP ]j7<rhq9kh"*v8'/h,hq 9k'Z}0KpE$F*V8'/HXN"/;9r3sHm<kG -kh&kjj^9# 3N!= (9FCW"CW'ZHFPlk3H,"j^9) rhq9 kh"f<6<,hj!)-nb$j=<9k"/;99k]k"h j/oj'za+k:`rhqg-kh&kjj^9#t5j"/; 9N<R,b^kfG"3NrorHQ9k3Hb"j^9#?H(P"9FCW"CW POP ]j7<o/i$"sh,gik WebSEAL Ia$sK~O7?H-HQ7?bNhj/OJlYkN 'Zr,WH7^9#3N]j7<r,Q9k3HKhCF"Web 9 Z<9N8cs/7gsNhK"hj/OJ;-ejF#<rs!G -^9# 'Z9Hls09&]j7<O"POP ]j7<n IP (si]$sh 'Z}00-bK_j5l^9# 'ZG-N"/;9N=.K*1kGiN9FCWO"5]<H5l F$k'Z}0r=.7"3liN'Z}0,hj//Jkh&Jg xrhj9k3hg9# 3. WebSEAL Tivoli SecureWay Policy Director WebSEAL I},$I 71

92 WebSEAL 5<P<K"/;99k/i$"sHO"/Gb"Vs' ZW^?OVQ9o<IWJIN'ZlYkr}CF$^9#3li O"WebSEAL,GeK/i$"sHr'Z7?H-N}0r(7F $^9# lgkhcfo""k Web 9Z<9&*V8'/HXN"/;9K,WJGcBNVB4JW'ZlYkrB\7J1lPJiJ$3H b"j^9#?h(p""kd-go"h</s&q93<ikhk 'Z,"f<6<>HQ9o<IKhk'ZhjB4G"kHM(i l^9#lnd-go"p`,[jkd=-,"j^9# 9FCW"CW'Za+K:`O"/i$"sH,,WJlYkN' Zr~?7F$J$lgK"WebSEAL rhcf/)*k;c7gs rfo05;kngoj/"/i$"shkp7f",wj}0 (l Yk) 9FCW"CW'ZO"f<6<,m0$sKHQ7?bNhjV5 ikbyjw'zlyk,,wjj=<9k"/;97h&h7?h -K"Vq]5l^7?WH$&aC;<8r90KO=(7J$3 HrU#7^9#=NeojK"f<6<KO"hjbYJ'ZlY kr5]<h9k?anpsrwa9k7,'zwmswh,p5l ^9#f<6<,3NlYkN'Zrs!G-lP"bHNWaOv D5l^9# WebSEAL O"J<Nh&J"9FCW"CW'Za+K:`GHQ 9k 3 DN'Z}0 (lyk) r'17^9# s'z Q9o<I H</s&+<I 'ZlYkO"webseald.conf =.U!$kN [authentication-levels] 9?s6bK=.7^9# GiK=.5l kno"j<n 2 DNlYk@1G9# [authentication-levels] level = unauthenticated level = password 72 P<8gs 3.8

93 j9hbn}0ngxk>cf"f}0k 0 A 2 ^GNlYkNw z,djvfil^9# Vs'ZW}0O"oKj9HNh,GJ1lPJiJ$NG" lykwz 0,djvFil^9# JeN}0O"$UNgxK9k3H,G-^9# 77Z<8NX9FCW"CW'Z}0H)BYr2H7F/@5 $# GU)kHGO"VQ9o<IW,!NlYkG"lYkwzO 1 KJCF$^9# 9FCW"CW'Z,G-kh&K9kKO"Gc 2 DN(sH j<,,wg9# m:,wj'za+k:`n_jkd$fn\yo" 87Z<8N XWebSEAL 'ZYr2H7F/@5$# 9FCW"CW'ZO"'ZKE@rV$?vD,,WJ*V8'/ HeN POP ]j7<rp7f$swjash5l^9#f<6< O"POP ]j7<n IP (si]$sh'z}00-rhq7^9# pdadmin pop modify set ipauth 3^sIO"vD5l?MCHo </H"IP (si]$sh'z}00-bn,wj'zlykn>} rxj7^9# =.5l?'ZlYkO"IP "Il9NOOKjs/G-^9#3N }0O"I}K@p-r}?;k?aNbNG9#IP "Il9Khk f<6<nu#k?<,ewgj$lgo"anyothernw (=N>N $UNMCHo</) K1lN(sHj<r_jG-^9#3N_j O"IP "Il9KX8J/""/;9rT&9YFNf<6<KFA rz\7"xjnlykg'z9k3hrf<6<kwa7^9#3 lo9fcw"cw'zr$swjash9k]ngbll*j}! G9# 3. WebSEAL =8O"!NH*jG9# pdadmin> pop modify <pop-name> set ipauth anyothernw <level-index> Tivoli SecureWay Policy Director WebSEAL I},$I 73

94 anyothernw (shj<o"pop KXj5lF$J$$:lNMC Ho</KblW9kMCHo</OOH7FHQ7^9#3N}0 rhq7fgu)kh&(shj<rn.7"lw7j$ IP "Il 9r9YFq]7?j""k$O"'ZlYkNWor~?7F$l P/Gb"/;9G-kh&K9k3H,G-^9# GU)kHGO"anyothernw O POP bg'zlykwz 0 H= (5l^9#(sHj<O"!Nh&K"pop show 3^sIN VAny Other NetworkWH7F=(5l^9# pdadmin> pop show test Protected object policy: test Description: Test POP Warning: no Audit level: none Quality of protection: none Time of day access: sun, mon, tue, wed, thu, fri, sat: anytime:local IP Endpoint Authentication Method Policy Any Other Network 0 1.!Nh&K7F"webseald.conf bk'zlykr=.7^9# [authentication-levels] level = unauthenticated level = token-card 2.!Nh&K7F"IP (si]$sh'z}0n POP 0-r=. 7^9# pdadmin> pop modify test set ipauth anyothernw 1 pdadmin> pop show test Protected object policy: test Description: Test POP Warning: no Audit level: none Quality of protection: none Time of day access: mon, wed, fri:anytime:local IP Endpoint Authentication Method Policy Any Other Network 1 3N]j7<GO"GiVs'ZW(lYk 0) H7F"/;97?9YFNf<6<KP7F"H</s&+<I'Z}0 (lyk 74 P<8gs 3.8

95 1) K9FCW"CW9k,W,"j^9#3N POP ]j7<k hcf*v8'/hk"/;97h&h9k9yfns'zf< 6<KO"f<6<>HH</s&Q93<Ir~O9kh&" WmsWH,P5l^9# 78Z<8NXMCHo</&Y<9N'Z POP ]j7<yb2h WebSEAL O"Wa5l?j=<9KX9k9FCW"CW POP ] j7<,"/i$"shk/)*kf'z5;klgk"cljq0 rs(7^9#3n HTML q0nljo" webseald.conf =.U! $kn [acnt-mgt] 9?s6bN stepup-login Qia<?<KhC FXj5l^9# [acnt-mgt] stepup-login = stepuplogin.html 3N HTML q0o"login.html q0d tokenlogin.html q0r=.9 knh18}!g"f<6<nwokg&h&k=.g-^9# 3NU!$kKO"%TEXT% 7<1s9q0N^/m,^^lF$ ^9#3N^/mO",ZJMKV-9(il^9#3NV9O" WebSEAL NFsWl<H&U!$kh}!=bGTJol^9," 3lKhCF"57/U)<^CH5l?Q9o<IHH</sN' Z}0N>}KP7F3Nq0rHQG-kh&KJj^9#^?" (i<&ac;<8*hs}0> (9FCW"CW9k) JIN=N >Npsr"f<6<QNq0Ks!9k3HbG-^9# 3. WebSEAL Tivoli SecureWay Policy Director WebSEAL I},$I 75

96 ^ 11. f<6<>*hsq9o<i&9fcw"cwqnm0$sq0 ^ 12. SecurID H</s&Q93<I&9FCW"CWQNm0$sq0 76 P<8gs 3.8

97 WebSEAL O"J<N"k4j:`rHQ7F"POP bnrorh} 7^9# 1. POP KX9k IP (si]$sh'z}0]j7<r!:9k# 2. ACL vdr!:9k# 3. POP KX9k~o]j7<r!:9k# 4. POP KX9kF:lYk&]j7<r!:9k# 1. 9FCW"CW'ZO"HTTP H HTTPS N>}G5]<H5l F$^9# 2. HTTP WmH3k+i HTTPS K9FCW"CW9k3HOG- ^;s# 3. s'zo"lyk&j9hbnokgin}0gj1lpji :"j9hbn>ningxkb~lk3hog-^;s# 4. }0O"lYk&j9HbGlY7+XjG-^;s# 5. Z@q'ZO"9FCW"CW'ZK5]<H5lka=CIG O"j^;s# m: 9FCW"CW'ZO"B]KO"/i$"sH&NZ@qr WebSEAL K"/;99klgG" WebSEAL,Z@qru1hkh&K=.5lF$kH-O"=N/i$ "sholykwz 0 r}ds'zh7fhj7ol^9# 5Na=CI: s'z Q9o<I H</s&+<I 9FCW"CWD=JlYk: Q9o<I&H</s&+<I H</s&+<I Q9o<I 3. WebSEAL 6. 'ZlYkO"'Z}0G=5l^9#3lO"=NlYkN' ZKP7F5NJ'Za+K:`rXjG-J$H$&3HrU #7^9# Tivoli SecureWay Policy Director WebSEAL I},$I 77

98 'Z}0O"m<+k&*<;sF#1<?<H+9?`0t* <;sf#1<?<r^a"#tn'za+k:`khcf5] <H5lk3H,"j^9# WebSEAL O"'Z}0N?$W,18G"k$s9?s9,#t =.5lF$kH-K"IN*<;sF#1<?<r*r9k+ rhaklgk"cjn,'k>$^9# 7. =.5lF$klYk, 3 D"klg"-zJwzMO 0"1"2 G9# =N>NwzM,=.5lF$klg"WebSEAL O"= N POP,UC5lF$k*V8'/H,Wa5lkH",:(i <&Z<8r=(7^9# 8. webseald.conf =.U!$kbN9FCW"CW'ZlYkN=.,57/J$H" WebSEAL bn9fcw"cw!=ohqg -J/Jj^9#3NlgO"H</s&Q93<I'Za=C Ir,WH9k POP KhCF]n5l?*V8'/HKP7FQ 9o<I&m0$s&Z<8,/T5lkH$C?"= 7J$ 'Z0n,/89kD=-,"j^9# 9FCW"CW'ZlYkr=.7?i" webseald.log U!$ kr!:7f=.(i<nsp,j$+4yf/@5$# POP MCHo</&Y<9N'Z POP ]j7<rhq9kh"f<6< N IP "Il9KpE$F*V8'/HXN"/;9r3sHm<k G-^9#3N!=rHQ7F"CjN IP "Il9 (^?O IP " Il9NOO),;-e"&Ia$sbNj=<9K"/;9G-J $h&k9k3h,g-^9# ^?"3N]j7<K9FCW"CW'Z=.r,Q7"Xj5l? =l>ln IP "Il9NOOKP7FCjN'Z}0,,WKJk h&k9k3hbg-^9# MCHo</&Y<9N'Z]j7<O"POP ]j7<n IP (si ]$sh'z}00-bk_j5l^9#3n0-bko"j<n 2 DNWorXj9k,W,"j^9# 'ZlYk 78 P<8gs 3.8

99 vd5lkmcho</ WebSEAL O"J<Nh&J"9FCW"CW'Za+K:`GHQ 9k 3 DN'Z}0r'17^9# s'z Q9o<I H</s&+<I j9hbn}0ngxk>cf"f}0k 0 A 2 ^GNlYkNw z,djvfil^9# 'ZlYkO"webseald.conf =.U!$kN [authentication-levels] 9?s6bK=.7^9# GiK=.5l kno"j<n 2 DNlYk@1G9# [authentication-levels] level = unauthenticated level = password MCHo</&Y<9N'Zr=.9klgO"3liNGU)kH _jrhqg-^9#3nlg"vs'zwolyk 0 G"VQ9 o<iwolyk 1 G9# 71Z<8NX9FCW"CW'ZKP9klYkN=.Yb2H7F /@5$# IP 33G"3N POP ]j7<gvd5lk IP "Il9H IP "Il 9NOOrXj9k,W,"j^9# 3. WebSEAL pdadmin pop modify set ipauth add 3^sIO"MCHo</ (^?OMCHo</NOO) H IP (si]$sh'z}00-bn,wj'zlykn>}rxj7^9# =8O"!NH*jG9# pdadmin> pop modify <pop-name> set ipauth add <network> <netmask> <level-index> Tivoli SecureWay Policy Director WebSEAL I},$I 79

100 =.5l?'ZlYkO"IP "Il9NOOKjs/5l^9#3N "Il9Kh kf<6<nu#k?<,ewgj$lgo"anyothernw (=N> N$UNMCHo</) K1lN(sHj<r_jG-^9#3N_ jo"ip "Il9KX8J/""/;99k9YFNf<6<KFA rz\9ng"f<6<oxjnlykg'z9k3h,,wkjj ^9# =8O"!NH*jG9# pdadmin> pop modify <pop-name> set ipauth anyothernw <level-index>?pk"'zlykr5k7f"ip "Il9KpE$F"/;9rv FOlYk 0 r"q]7?$ookp7fovforbiddenwrhq9k 3H,G-^9# anyothernw (shj<o"pop KXj5lF$J$$:lNMC Ho</KblW9kMCHo</OOH7FHQ7^9#3N}0 rhq7fgu)kh&(shj<rn.7"lw7j$ IP "Il 9r9YFq]7?j"'ZlYkNWor~?7F$lP/Gb" /;9G-kh&K9k3H,G-^9# GU)kHGO"anyothernw O POP bg'zlykwz 0 H= (5l^9#(sHj<O"!Nh&K"pop show 3^sIN VAny Other NetworkWH7F=(5l^9# pdadmin> pop show test Protected object policy: test Description: Test POP Warning: no Audit level: none Quality of protection: none Time of day access: sun, mon, tue, wed, thu, fri, sat: anytime:local IP Endpoint Authentication Method Policy Any Other Network 0 'ZlYkN_jKD$FN\YO"71Z<8NX9FCW"CW' ZKP9klYkN=.Yr2H7F/@5$# 80 P<8gs 3.8

101 lyk 1 N'Z (GU)kHGOVQ9o<IW) rhq9klg O"!Nh&K"f<6<N IP "Il9NOO, ig" MCH^9/, G"k,W,"j^9# pdadmin> pop modify test set ipauth add CjNf<6<O"!Nh&K"lYk 0 N'ZrHQ9k,W, "j^9# pdadmin> pop modify test set ipauth add !Nh&K"9YFNf<6< (e-ncgxj5lf$kf<6< J0),*V8'/HK"/;9G-J$h&K7^9# pdadmin> pop modify test set ipauth anyothernw forbidden IP =8O"!NH*jG9# pdadmin> pop modify <pop-name> set ipauth remove <network> <netmask>?h(p"!nh&kjj^9# pdadmin> pop modify test set ipauth remove WebSEAL O"J<N"k4j:`rHQ7F"POP bnrorh} 7^9# 1. POP KX9k IP (si]$sh'z}0]j7<r!:9k# 2. ACL vdr!:9k# 3. POP KX9k~o]j7<r!:9k# 4. POP KX9kF:lYk&]j7<r!:9k# MCHo</&Y<9N'Z]j7<rB\9k?aK WebSEAL, HQ9k IP "Il9O"TCP \3N*j8M<?<N IP "Il9 GJ1lPJj^;s#MCHo</&H]m8<, HTTP Wm- 7<rHQ7F$kH"WebSEAL K=(5lk"Il9,Wm-7 <&5<P<N IP "Il9G"k3H,"j^9# 3. WebSEAL Tivoli SecureWay Policy Director WebSEAL I},$I 81

102 3Nlg"WebSEAL O\vN/i$"sHN IP 1LG-^;s#MCHo</&/i$"sH,>\ WebSEAL 5< P<K\3G-kh&JMCHo</&Y<9N'Z]j7<r_j 9klgO"mU,,WG9# POP POP 0-N]nNJAKhCF"*V8'/HKD$FN`nrT& lgk"inlykng<?]n,,wg"k+rxj9k3h,g -^9# =_"3N0-O"WebSEAL D-KN_,7F$^9# POP 0-N]nNJAO" Policy Director NJ0NP<8gsGW i$p7<h]4-nwor"/f#v=7?vpw*hsviwacl vdschnv-9(g9#3ne$}n]nnjan$swjas F<7gsO"sz(*G79F`&QU)<^s9KFAr?(k bng7?# POP 0-N]nNJAKhCF"1lNHis6/7gs,vD5l hjkp9kvyeswn~z,",wj ]nnjanlykb^sg$klgkbil^9#j=<9&^m <8c< (WebSEAL JI),,WJ]nNlYkr]ZG-J$ H"WaOq]5l^9# pdadmin> pop modify <pop-name> set qop {none integrity privacy} QOP lyk Wi$P7< G<?Ef=,,WG9 (SSL)# ]4-?i+Na+K:`rHQ7F"G<?,Q95lF$J pdadmin> pop modify test set qop privacy 82 P<8gs 3.8

103 (HTTP/HTTPS) WebSEAL O"HTTP H HTTPS rp7f"'zf<6<hs'zf <6<N>}+iNWaru1~l^9#!$G WebSEAL O"v D5<S9rHQ7F"]nj=<9XN"/;9rvD^?Oq] 9k3HKhj";-ejF#<&]j7<rB\7^9# J<NroO"SSL rp7f"/;99ks'zf<6<k,q5l ^9# s'zf<6<h WebSEAL NVNpsNr9O"'Zf<6< NlgH4/18h&KEf=5lk# s'zf<6<h WebSEAL HN SSL \3K,WJNO"5< P<&N'Z@1G"k# 1.?>/i$"sH, (HTTP ^?O HTTPS rp7f) WebSEAL KWarP7^9# 2. WebSEAL,3N/i$"sHKP7Fs'Z/jGs7ckrn.7^9# 3. Wa,"3N/jGs7ckKhCF]n Web *V8'/HKw il^9# 4. vd5<s9,3n*v8'/hkp9k ACL Ns'Z(sH j<kd$fnvdr!:7"wa5l?`nrvd^?oq] 7^9# 5. 3N*V8'/HXN"/;9,5oKTJolk+I&+O" /J/HbI_hj (r) H#G (T) vdr^`s'z ACL (s Hj<KhCFh^j^9# 3. WebSEAL 6. Wa,vDN=LK:T9kH"/i$"sHOm0$sq0 (BA ^?Oq0Y<9) ru1hj^9# Wa5l?*V8'/Hr]n9k ACL ]j7<bns'z(sh j<kx9k,zjvdr57/_j9k3hkhcf"s'zf< 6<r/)*Km0$s5;k3H,G-^9# Tivoli SecureWay Policy Director WebSEAL I},$I 83

104 I_hj (r) *hs#g (T) vdkhcf"*v8'/hxns'z "/;9,vD5l^9# s'zf<6<r/)*km0$s5;kko"*v8'/hr]n 9k ACL ]j7<bns'z(shj<+ii_hj (r) vdr n7^9#f<6<om0$s&wmswh (BA ^?Oq0Y<9) ru1hj^9# HTTPS J<Nh&J"HTTPS rp7? WebSEAL XNs'Z"/;9r5 ]<H9k?/NB)*JS8M9eN}3,"j^9# ltn"wj1<7gso"dm*m0$sr,wh7^;s,""il9d/l8ch+<ivfjin!)psr,wh7 ^9#cKO"*si$sKhkRutJIN&JNX~,^^ lf$^9# ltn"wj1<7gsgo"f<6<,s8m9k<&"+& shxp?7f+igj$h"hzrhkjailj$h&kj CF$^9#3Nlgb"MCHo</rp7F!)psrs! 9k,W,"j^9# ACL/POP m: Vany-authenticatedW(sHj<&?$WO"Vany-otherW(sH j<&?$wh18g9# 1. s'zf<6<k&l*v8'/hxn"/;9rvd9k?a KO"ACL ACL O"J<Nh&K/J/Hbs'Z (unauthenticated) (sh j<h4'z (any-authenticated) (shj<kp9ki_hj (r) vdh#g (T) vdr}cf$j1lpjj^;s# unauthenticated Tr any-authenticated Tr m: s'z(shj<o"vdrhj9kh-n"4'z(shj <KP9k^9/ (SCHA0NVandWi;) G9# s'z KP9kvDO"vD,4'Z(sHj<NfKbPF/kH 84 P<8gs 3.8

105 G"ACL,4'ZJ7Ns'Zr}D3HO"U#r.7^ ;s#4'z,j$nk ACL Ks'Z,^^lF$klgN GU)kHN~zO"s'ZKvDrU?7J$"H$&3H KJj^9# 2. Ef= (SSL),,WJlgO"roKWi$P7<HXj9k] $# 82Z<8NXPOP ]j7<n]nnjay 3. WebSEAL Tivoli SecureWay Policy Director WebSEAL I},$I 85


107 4 WebSEAL 4. WebSEAL 3NOGO"WebSEAL,;C7gsuVr]i7F'ZWm;9r Policy Director 1L,n.5l^9# WebSEAL O"3N1LrHQ O"vD5<S9Khj"]nj=<9KP9k"/;9rvD7? j"q]7?j9k?ak"hq5l^9# HTC/NwzOJ<NH*jG9# 91Z<8NX;C7gsuVNI}Y 103Z<8NX'Z=.N5WY 109Z<8NXp\'ZN=.Y 111Z<8NXq0'ZN=.Y 117Z<8NXHTTP 120Z<8NXIP "Il9'ZN=.Y 121Z<8NXH</s'ZN=.Y 122Z<8NX?E}0Wm-7<&(<8'sHN5]<HY Tivoli SecureWay Policy Director WebSEAL I},$I 87

108 'ZO";-e"&Ia$sKm0$s7h&H9kDLNWm;9 ^?O(sF#F#<r1L9k}0G9# WebSEAL O"GU)kHGFoN'Z}0r5]<H7F* j">n}0rhq9kh&+9?^$:9k3h,g-^9# WebSEAL KP9k'Z,.y9kH"Policy Director f<6 <&l89hj<1l,n.5l^9# WebSEAL O"3N1LrHQ7F"=Nf<6<N/jGs7 vd5<s9o"*v8'/h4hn]j7<ri}9k ACL vd*hs POP ror>a7?ek"3n/jgs7ckrh Q7F"]n*V8'/HKP9k"/;9rvD7?jq]7?j7^9# m: ACL = "/;9&3sHm<k&j9H&]j7<"POP = ] n*v8'/h&]j7< 'ZN]"WebSEAL O/i$"sHWaNJ<Npsr!:7^ 9# ;C7gs&G<? ;C7gs&G<?O"/i$"sHH WebSEAL 5<P<VN CjN\3r1L9kpsG9#;C7gs&G<?O"/i$ "shh&k]i5l"=n/i$"shkhkenwakbh Q5l^9#3lO"WebSEAL 5<P<XN/i$"sH&; C7gsrF1L7F"WaN?SK77$;C7gsrN)9 kh$&jvrj/?akhq5l^9# 'ZG<? 'ZG<?O"/i$"sH+iNpsG"j"WebSEAL 5< P<KP7F=N/i$"sHr1L9kbNG9#'ZG<?&?$WKO"/i$"sH&Z@q"Q9o<I"H</ s&3<i,"j^9# 88 P<8gs 3.8

109 WebSEAL,/i$"sHWaru1hkH-"WebSEAL O$Db GiK;C7gs&G<?r57"=N!K'ZG<?r57^9# i /i$"shwak";c7gs&g<?,^^lk3ho"j ^;s# WebSEAL O"J<N;C7gs&G<?&?$Wr5]<H7F$ ^9# 4. WebSEAL 1. SSL ID (SSL WmH3kGjA5lF$k) 2. 5<P<G-N;C7gs Cookie 3. BA XC@<&G<? 4. HTTP XC@<&G<? 5. IP "Il9 WebSEAL O"/i$"sHWar!:9kH-"3Nj9HGXj 5lF$kgxG;C7gs&G<?r!w7^9# WebSEAL O'ZWm;9HOH)7F!=7^9," WebSEAL O ;-e"&ia$sk2c7f$k9yfnf<6<r"/jgs7 ckrhq7fbk?<7^9# WebSEAL O"/jGs7ckM@ N?aK,WJ1Lpsrh@9kH-"'ZWm;9+i@ilk pskjj^9# WebSEAL KhCF5]<H5lF$k/jGs7ckM@N?aN 'Z}0OJ<NH*jG9# 'Z}0 5]<H5lk \3?$W 1. U'$k*<P< cookie HTTP *hs HTTPS 2. CDSSO ID H</s HTTP *hs HTTPS 3. /i$"sh&z@q HTTPS 4. H</s&Q93<I HTTP *hs HTTPS 5. q0'z (f<6<>*hsq9o<i) HTTP *hs HTTPS 6. p\'z (f<6<>*hsq9o<i) HTTP *hs HTTPS Tivoli SecureWay Policy Director WebSEAL I},$I 89

110 'Z}0 5]<H5lk \3?$W 7. HTTP HTTP *hs HTTPS 8. IP "Il9 HTTP *hs HTTPS WebSEAL O"/i$"sHWar!:9kH-"3N=GXj5l F$kgxG'ZG<?r!w7^9# HTTP His9]<HH HTTPS His9]<HNIAiNlgG b"'z}0oh)7fhqd=*hshqtdk9k3h,g-^ 9#CjNHis9]<HKP7FHQD=K5lF$k'Z}0, 4/J$lg"=NHis9]<HrHQ7F$k/i$"sHN' ZWm;9Os"/F#VKJj^9# 91Z<8NX;C7gsuVNI}Y 103Z<8NX'Z=.N5WY 109Z<8NXp\'ZN=.Y 111Z<8NXq0'ZN=.Y 117Z<8NXHTTP 120Z<8NXIP "Il9'ZN=.Y 121Z<8NXH</s'ZN=.Y 122Z<8NX?E}0Wm-7<&(<8'sHN5]<HY CDAS Khk'Z Tivoli SecureWay Policy Director WebSEAL GYmCQ< ju! ls9 90 P<8gs 3.8

111 /i$"shh5<p<nvn;-e"\3^?o;c7gso"5 <P<KP7F"?tNWa4NNf+i"PC7F$kjjr-1 7F*/!=rWa7^9#5<P<KO"FWaKX"U1il? /i$"shr1l9k"?i+nq0khk;c7gsuvps, J1lPJj^;s# 4. WebSEAL /i$"shh5<p<nvkn)5l?;c7gsuv,j$l g"/i$"shh5<p<vnl.o"=nenwan?skf^ W5lJ1lPJj^;s#;C7gsuVps,"lP"/i$" sh/5<p<\3n/m<:hf*<ws,+jv5lk3hoj/ JkNG"QU)<^s9,~e7^9#/i$"sHO 1 Ym0 $s7?i?tnwart&3h,g-"wan?skm0$srb T9k,WO"j^;s# WebSEAL O HTTP H HTTPS N>}NL.rh}7^9# HTTP O"V9F<Hl9WWmH3kG"j""kWarLNWaHhL 9kjJOQU7F$^;s#l}"SSL His9]<H&WmH3 ko"ck;c7gs ID rs!7f;c7gsuvpsr]i9k?ak_w5lf$^9# HTTP L.O"SSL G+W;k=5lF HTTPS KJk3H,"j^9# 7+7"WebSEAL O7P7Ps'Z/i$"sH+iN HTTP L. rh}7j1lpjj^;s#^?"ssl ;C7gs ID,,ZJ= je<7gshojij$lgb"j^9#=n?a"webseal O"J<N$:l+Nps?$WrHQ7F/i$"sHN;C7g suvr]i9kh&k_w5lf$^9# 1. SSL ID 2. 5<P<G-N;C7gs Cookie 3. BA XC@<&G<? 4. HTTP XC@<&G<? 5. IP "Il9 Tivoli SecureWay Policy Director WebSEAL I},$I 91

112 GSKit WebSEAL ;C7gs&-cC7eKhj"5<P<O?tN/i$"sH+i N;C7gs ID psr]i9k3h,g-^9# HTTPS *hs HTTP N>}N;C7gsuVpsr}F9k 2 DN;C7gs& -cc7e,hqd=g9# WebSEAL /jgs7ck&-cc7e WebSEAL /jgs7ck&-cc7eko"9yfn?$wn ;C7gs ID ps (e-nj9hr2h) KC(F"F/i$" shkx7fh@5l?/jgs7ckps,]i5l^9# 'Z!:N]O"f<6<&l89Hj<&G<?Y<9KP9 khq,?ybtolj$h&k9k?ak'zps,-cc7 e5l^9# GSKit SSL ;C7gs ID -cc7e GSKit ;C7gs&-cC7eO";C7gsuVN]iK SSL ;C7gs ID ps,hq5lkh-n"https (SSL) L.rh }7^9# 5iK GSKit -cc7eo" WebSEAL H LDAP f<6<&l 89Hj<NVN SSL \3N;C7gsuVpsb]i7^9# F-cC7eKO"f<6<Khk=N-cC7eNQU)<^s9 N40rD=K9k"HQD=J$/D+N=.Qia<?<,"j ^9#3liNQia<?<O"J<N^KWs7F"j^9# 92 P<8gs 3.8

113 4. WebSEAL ^ 13. ;C7gs&-cC7e=.Qia<?< WebSEAL WebSEAL ;C7gs / /jgs7ck&-cc7eko"j<n=.?9/,hqg-^9# BT(sHj<NGgMN_j -cc7e&(shj<n?$`"&hmn_j -cc7e&(shj<s"/f#v&?$`"&hmn_j webseald.conf =.U!$kN [session] 9?s6K"k max-entires Qia<?<O" WebSEAL ;C7gs / /jgs7c k&-cc7ebnbt(shj<nggtr_j7^9# 3NMOBTm0$s&;C7gsNtKjv7^9#-cC7e& 5$:,3NMK#9kH"7,e.m0$srvD9k?aKGb E/KHQ5l?"k4j:`KP~9k-cC7e+i(sHj<, n5l^9# GU)kHNBTm0$s&;C7gstO"4096 G9# Tivoli SecureWay Policy Director WebSEAL I},$I 93

114 [session] max-entries = 4096 webseald.conf =.U!$kN [session] 9?s6K"k timeout Qia<?<O" WebSEAL ;C7gs / /jgs7ck&-cc 7ebN(sHj<NGg83~V?$`"&Hr_j7^9# WebSEAL GO"bt*K/jGs7ckpsr-cC7eK~l^ 9#;C7gs&-cC7e&?$`"&H&Qia<?<O"vD Z@qps, WebSEAL enabj<bkhi^k~vn95rx( 7^9# 3NQia<?<O"s"/F#V&?$`"&HGO"j^;s# 3NMO"V/jGs7ck&?$`"&HWGOJ/"V/jGs 7ck83~VWK^CW5l^9#3N\*O"Xj5l??$` "&HB&K#7?~@Gf<6<KF'Zr/)9k3HKhC F";-ejF#<r/=9k3HG9# GU)kHNm0$s&;C7gs&?$`"&H (Ct) O 3600 G9# [session] timeout = 3600 webseald.conf =.U!$kN [session] 9?s6K"k inactive-timeout Qia<?<O"m0$s&;C7gss"/F# VN?$`"&HMr_j7^9# GU)kHNm0$s&;C7gss"/F#V&?$`"&H (C t) O 600 G9# [session] inactive-timeout = 600 3N?$`"&H!=rHQTDK9kKO"Qia<?<Mr 0 K_j7^9# 94 P<8gs 3.8

115 GSKit SSL ID GSKit SSL ;C7gs ID -cc7eko"j<n=.?9/,hq G-^9# -cc7e&(shj<&?$`"&hmn_j BT(sHj<NGgMN_j GSKit SSL ;C7gs ID -cc7ebn(shj<ngg83~v?$`"&hr_j9k?anqia<?<o" webseald.conf =.U!$kN [ssl] 9?s6K"j^9# SSL V2 \3Q (ssl-v2-timeout) H SSL V3 \3Q (ssl-v3-timeout) N 2 DNQi a<?<,"j^9# 4. WebSEAL GU)kH SSL V2 ;C7gs&?$`"&H (Ct) O 100 G9 (-zooo 1 A 100)# [ssl] ssl-v2-timeout = 100 GU)kH SSL V3 ;C7gs&?$`"&H (Ct) O 7200 (- zooo 1 A 86400)# [ssl] ssl-v3-timeout = 7200 webseald.conf =.U!$kN [ssl] 9?s6bN ssl-max-entries Qia<?<O" GSKit SSL ;C7gs ID -cc7ebnbt( shj<nggtr_j7^9# 3NMOBTm0$s&;C7gsNtKjv7^9#-cC7e& 5$:,3NMK#9kH"7,e.m0$srvD9k?aKGb E/KHQ5l?"k4j:`KP~9k-cC7e+i(sHj<, n5l^9# GU)kHNBTm0$s&;C7gstO"4096 G9# [ssl] ssl-max-entries = 4096 Tivoli SecureWay Policy Director WebSEAL I},$I 95

116 Cookie /i$"shh5<p<nvn;c7gsuvpsr]}9kldn }0O" cookie rhq7f3n;c7gspsr]}9k3hg 9#5<P<O"CjN/i$"sHNuVpsr cookie KQC1 <87F"=lr/i$"sHNVi&6<Kw.7^9#7,Wa 4HK"Vi&6<O (;C7gspsr]-7?) cookie r5<p <KV.9k3HKhCF+JrF1L7^9# ;C7gs cookie O"/i$"sH,"KaF;~Ve"=N SSL ;C7gsKD$FF^W9kVi&6<rHQ7F$klgKM( ilk=je<7gsg9#?h(p" Microsoft Internet Explorer Vi&6<NP<8gsKhCFO"2,+i 3,4HK SSL ;C 7gsKD$FF^W7^9# ;C7gs cookie O"/i$"sH,{K'ZQ_G"k"1lN G-5<P<KP7FN_";~V (s 10,) G/i$"sHNF 'ZrT$^9#3Na+K:`O"cookie r8.7?^7sj0k OIN^7sKbO;J$V5<P< cookiewrp`k7f$^9# 5iK"3N;C7gs cookie KOpt O"5<P<N;C7gs&-cC7eKwzrnk?aKHQ5l ^9#;C7gs cookie Gx+5lkpsO">KO?b"j^; s#;c7gs cookie O";-ejF#<&]j7<rm1K5i 93HOG-^;s# Cookie WebSEAL O";-e"&5<P<CjN;C7gs cookie rhq 7^9#3N cookie a+k:`ko"j<nro,,q5l^9# Cookie ;s# Cookie O"Vi&6<&abj<KN_8_9k (G#9/eN Vi&6< cookie jar KOn.5l^;s)# Cookie KO"Bj5l?83~V,"k (=.D=)# Cookie KO">N5<P<KhkHQrX_9kQ9*hSIa $s&qia<?<,"k# 96 P<8gs 3.8

117 ID Cookie webseald.conf =.U!$kN [session] 9?s6K"k ssl-id-sessions Qia<?<O";C7gs cookie rhqd=*h SHQTDK7^9#3NQia<?<O" HTTPS rp7f"/; 99k/i$"sHNm0$s&;C7gsN]iK SSL ;C7g s ID rhq9k+i&+r3shm<k7^9#3nqia<?< KVnoW,_j5lF$klgO"[HsIN'Z}0K;C7gs cookie,hq5l^9# [session] ssl-id-sessions = no 4. WebSEAL 3NQia<?<KP9k=._j,VnoWNlg" HTTPS rp7 F"/;99k/i$"sHKX7FJ<Nro,/87^9# 1. SSL ;C7gs ID O";C7gs ID G<?H7FHQ5l^ ;s# 2. U'$k*<P< cookie"cdsso ID H</s"q0f<6<> *hsq9o<i"h</s&q93<i"*hs/i$"sh &Z@qrHQ7F'Z9k/i$"sHN;C7gsN]iK cookie,hq5l^9# 3. use-same-session = yes,_j5lf$klgk@1p\'z/ i$"shk cookie,hq5l^9 (!N;/7gsr2H)#= lj0nlgo"ba XC@<,;C7gs ID G<?H7FH Q5l^9# 4. HTTP XC@<rHQ7F'Z9k/i$"sHNlgO"HTTP XC@<,;C7gs ID G<?H7FHQ5l^9# 5. IP "Il9rHQ7F'Z9k/i$"sHNlgO"IP "Il 9,;C7gs ID G<?H7FHQ5l^9# cookie rhq7f;c7gsuvr]i9klg"cookie Om0$s,5oKTol?e 1 Y@1Vi&6<Kw.5l^9#?@7" ltnvi&6<ko"bt7f]ig-kabj<b cookie Nt K)B,"j^9#"Wj1<7gs, 1 DNIa$sKP7F? tnabj<b cookie r/i$"sh&79f`ekv/3hng Tivoli SecureWay Policy Director WebSEAL I},$I 97

118 -kd-b"j^9#3nlg"=.5lf$k WebSEAL ;C7g s cookie ^?OU'$k*<P< cookie O">N cookie GFWK V-9(k3H,G-^9# WebSEAL r=.7f;c7gs cookie (*hs*=i/u'$k* <P< cookie) rhq9klg" webseald.conf =.U!$kN [session] 9?s6K"k resend-webseal-cookies Qia<?< r_j9lp"~z4hk WebSEAL K";C7gs cookie *hs U'$k*<P< cookie rvi&6<xw.5;k3h,g-^ 9#3N"/7gsKhj";C7gs cookie *hsu'$k*< P< cookie ONBKVi&6<&abj<bKDj^9# resend-webseal-cookies Qia<?<NGU)kH_jOVnoWG 9# [session] resend-webseal-cookies = no ~z4hk WebSEAL ;C7gs cookie *hsu'$k*<p< cookie rw.9kko"gu)kh_jrvyeswkq97^9# /i$"sh, 1 DN?$WNHis9]<H (?H(P HTTP) r p7fm0$s7"zg7"ln?$wnhis9]<h (?H(P HTTPS) rp7ffm0$s9kh-k18;c7gs ID G<?r HQ9kh& WebSEAL r=.g-^9# webseald.conf =.U!$kN [session] 9?s6K"k use-same-session Qia<?<O"1l;C7gs ID G<?N' 1rHQD=*hSHQTDK7^9#GU)kHGO"3NQia <?<OVnoWK_j5l^9# [session] use-same-session = no 3NQia<?<KP9k=._j,VyesWNlg"J<Nro,/ 87^9# 1. LNHis9]<Hrp7?eNm0$sGNJ<N/i$"s H&?$WN1LKO";C7gs cookie,hq5l^9# 98 P<8gs 3.8

119 a. U'$k*<P< cookie b. c. CDSSO ID H</s d. H</s&Q93<I e. q0f<6<>*hsq9o<i f. p\'z 4. WebSEAL 2. HTTP 3. IP "Il9rHQ7F"/;99k/i$"sHKO"IP "Il 9,HQ5l^9# 4. ssl-id-sessions =.O5k5l"kLH7F0nO ssl-id-sessions KVnoW,_j5l?lgH18KJj^9# HTTP /i$"shko;c7gs&g<?h7fhqg-k SSL ;C7gs 5. cookie O HTTP H HTTPS N>}N/i$"sHKHQD=JN G"3liK;-e" cookie H7FNUi0,)Filk3HO "j^;s# ID CjN'Z}0rHQ7F"/;99k/i$"sHQN;C7g s&g<?&?$wo"j<n=.qia<?<ncjnh_go; KhCF=L5l^9# ;C7gs cookie NHQD==^?OHQTD= (ssl-id-sessions) /i$"sh, HTTP H HTTPS HNVGZjXokH-K1l N;C7gs&G<?rHQ9k!=NHQD==^?OHQT D= (use-same-session) J<N=O" ssl-id-sessions *hs use-same-session Qia<?<rkg7F$kCjN=.KP9k-z;C7gs ID NWsG 9# Tivoli SecureWay Policy Director WebSEAL I},$I 99

120 'Z}0 ssl-id-sessions = yes HTTPS /i$"sh ssl-id-sessions = no use-same-session = no use-same-session = yes ssl-id-sessions ignored U'$k*<P< SSL ID Cookie Cookie cookie Z@q SSL ID Cookie Cookie CDSSO SSL ID Cookie Cookie H</s SSL ID Cookie Cookie q0 SSL ID Cookie Cookie BA SSL ID BA XC@< Cookie HTTP XC@< SSL ID HTTP XC@< HTTP XC@< IP "Il9 SSL ID IP "Il9 IP "Il9 HTTP /i$"sh 'Z}0 use-same-session = no use-same-session = yes U'$k*<P< Cookie Cookie cookie CDSSO Cookie Cookie H</s Cookie Cookie q0 Cookie Cookie BA BA XC@< Cookie HTTP XC@< HTTP XC@< HTTP XC@< IP "Il9 IP "Il9 IP "Il9 Cookie J<NU'$k*<P< cookie!= (HTTP *hs HTTPS Q) O" m<i&pis7s0&a+k:`rl7f#=5l?umsh(s I WebSEAL 5<P<&/i9?<K\39k/i$"sHK,7F $^9#U'$k*<P< cookie N\*O"/i$"sHHN5N ;C7gsr}D5<P<,M3HQTDKJC?lgN/)F'Z rr1k3hg9# 100 P<8gs 3.8

121 ?tn/i$"shqnj=<9ndq-rbakko"umsh( si WebSEAL /i9?<r$swjash7^9#m<i&pis 7s0&a+K:`O"e.WareTu.7"=NWarHQD= JUmsH(sI&5<P<K[[7^9# 4. WebSEAL ^ 14. U'$k*<P< Cookie 7Jj* /i$"sho"#=umsh(si&5<p<n=.o'17^; s#m<i&pis7s0&a+k:`o"wa5lf$k URL X N 1 DN\@G9#m<I&Pis7s0&a+K:`O"/i$ "shrhqd=j5<p< (WS1 JI) K\37^9# WS1 HN ;C7gsuV,N)5l"3N/i$"sH+iNeNWaO9Y F WS1 Kw.5l^9# U'$k*<P< cookie KhCFrhG-kdjKO" WS1,? i+n}3ghqtdkjku7 (?H(P"79F`c2d"I_ K9Hl<?<Khks~+iNZG),"j^9# WS1,HQT DKJkH"m<I&Pis7s0&a+K:`,>N$:l+N# =5<P< (WS2 ^?O WS3) KWar>w7^9#5N;C7g Tivoli SecureWay Policy Director WebSEAL I},$I 101

122 s+i/jgs7ckxn^cts0o:ol^9#3nv95<p <KHCF/i$"sHO7,G"j"LoOb& 1 Y'Z9k3 Hr/)5l^9# f<6<o"#= WebSEAL 5<P<,5<P<G-N cookie bn /i$"shn/jgs7ck&g<?ref=9kh&=.g-^ 9# cookie O"/i$"sH,GiK\39kH-KVi&6<e KV+l^9#GiN WebSEAL 5<P<,l~*KHQG-J/J klgko"3n cookie (Ef=5l?/jGs7ckpsr^`),eX5<P<Ks!5l^9##= WebSEAL 5<P<O"/jG s7ckpsref=r 9k&L-<r&Q7^9#=lG/i$ "sho"f'zr/)5lk3hj/lwj+ WebSEAL 5<P< HN7,;C7gsrN)9k3H,G-^9# cookie N2H@O"m<I&Pis7s0&a+K:`N DNS G 9# cookie O5<P<G- cookie G"CF"Ia$sG- cookie GOJ$NG"3N1lN2H@OEWG9# cookie O"=N cookie rn.7?5<p<h18 DNS >r}d5<p<k7+u. 5l^;s#/i$"sHOoKm<I&Pis7s0&a+K:` rl7fwart$^9#7?,cf"u'$k*<p<`nn]" cookie O$Dbu.5lkHHQD=J!N5<P<KO5l^9# U'$k*<P< Cookie NHQD== webseald.conf =.U!$kN [failover] 9?s6K"k failover-auth Qia<?<O"5<P<G-NU'$k*<P< cookie rhqd=^?ohqtdk7^9# U'$k*<P< cookie rhqd=k9kko"vhttpw" VhttpsW"^?OVbothWr~O7^9# U'$k*<P< cookie rhqtdk9kko"vnonew(gu )kh) r~o7^9# c: [failover] failover-auth = https 102 P<8gs 3.8

123 3NQia<?<O"FUmsH(sI WebSEAL 5<P<4HK_ jg-^9# /jgs7ck&g<?nef=*hsef=r cookie G<?r]n9kKO"WebSEAL GQU5lF$k cdsso_key_gen f<f#jf#<rhq7^9#3nf<f#jf #<O" cookie NfN/jGs7ck&G<?rEf=9kPN- <r8.7^9#3nf<f#jf#<rbt9k]ko"j<nh &K"-<&U!$kNlj (dpq9>) rxj7^9# 4. WebSEAL UNIX: # cdsso_key_gen <pathname> Windows: MSDOS> cdsso_key_gen <pathname> $:l+n#=5<p<gf<f#jf#<rbt7"-<&u!$ krdjn=l>ln#=5<p<kj0g3t<7^9#f5<p <N webseald.conf =.U!$kN [failover] 9?s6K"3N- <&U!$kNljr~O7^9#-<&U!$krXj7J$H" =N5<P<NU'<k*<P< cookie!=ohqtdkjj^ 9# [failover] failover-cookies-keyfile = <absolute-pathname> -<&U!$kKO"ws.key JIN$UN,ZJ>0rU1k3H,G-^9# Cookie 83~VN=. cookie 83~VNM (,1L) O"J<NQia<?<G_j5l^ 9# failover-cookie-lifetime = 60 'ZO"HTTP H HTTPS NIAiN/i$"sHKP9klgG b"}0lkhqd=*hshqtdk9k3h,g-^9# Tivoli SecureWay Policy Director WebSEAL I},$I 103

124 WebSEAL,5]<H9k9YFN'Z}0Na+K:`O" webseald.conf =.U!$kN [authentication-mechanisms] 9? s6g=.5l^9#5]<h5lk'z}0qia<?<o"j< NH*jG9# m<+k (H_~_) *<;sf#1<?< m<+k&*<;sf#1<?<nqia<?<o",zjh_ ~_&Qi$Vij<&U!$k (UNIX) + DLL U!$k (Windows) rxj7^9# +9?`0t*<;sF#1<?< WebSEAL KO"FsWl<H&5<P<&3<I,QU5lF *j"=lrhq7f"+9?`0t/m9ia$s'z5<s 9 (CDAS) 5<P<r=[7FXj9k3H,G-^9# 0t CDAS *<;sf#1<?<o",zj+9?`&qi$v ij<rxj7^9# J<NQia<?<O"m<+kH_~_*<;sF#1<?<rX j7^9# Qia<?< q0*hsp\'z passwd-ldap H</s'Z token-cdas b@ LDAP f<6<>hq9o<ikhk/i$"s H&"/;9# LDAP f<6<>h SecurID H</s&Q93<I Khk/i$"sH&"/;9# /i$"sh&z@q'z cert-ssl SSL Khj/i$"sH&Z@qrHQ7?/i$ "sh&"/;9# HTTP XC@<^?O IP "Il9'Z""k$O=N>} http-request CjN HTTP XC@<^?O IP "Il9 ("k$ O=N>}) Khk/i$"sH&"/;9# CDSSO ID H</s'Z cdsso /m9ia$s&7s0k&5$s*skhk' Z# 104 P<8gs 3.8

125 [authentication-mechanisms] 9?s6rHQ7F"!Nq0G'Z }0*hS$sWjasF<7gsr=.7^9# <authentication-method-parameter> = <shared-library> 90Z<8NX\YJ=.psN2HYr2H7F/@5$# CDAS 0t CDAS 5<P<QN+9?`&Qi$Vij<NXjKHQG -kqia<?<oj<nh*jg9# 4. WebSEAL Qia<?< passwd-cdas token-cdas cert-cdas b@ h0tn?anf<6<>hq9o<ikhk/i$" sh&"/;9# f<6<>hh</s&q93<ikhk/i$"s H&"/;9# SSL Khj/i$"sH&Z@qrHQ7?/i$"s H&"/;9# CDAS 5<P<r$sWjasH9k+9?`&Qi$Vij<Nn.H=.KD$F\7/O" Tivoli SecureWay Policy Director WebSEAL GYmCQ< ju!ls9 r2h7f/@5$# WebSEAL GU)kHGO"WebSEAL O"p\'Z (BA) Nf<6<>HQ9 o<i (LDAP l89hj<) rhq7f"ssl Khj/i$"sH r'z9kh&k_j5lf$^9# WebSEAL O"Lo"TCP H SSL N>}N"/;9QKHQD== 5l^9#7?,CF"[authentication-mechanisms] 9?s6NL on=.ko" (LDAP l89hj<n) f<6<>hq9o<in 5]<H"*hS SSL rp7?/i$"sh&z@qn5]<h, ^^l^9#!nco"solaris GN [authentication-mechanisms] 9?s6Nl L*J=.r=7F$^9# Tivoli SecureWay Policy Director WebSEAL I},$I 105

126 [authentication-mechanisms] passwd-ldap = libldapauthn.so cert-ssl = libsslauthn.so =N>N'Z}0r=.9kKO"=N&Qi$Vij< (^?O CDAS b8e<k) HloK,ZJQia<?<rIC7F/@5 $#F'Z}0KX9k\7$=.psKD$FO"90Z<8NX\ YJ=.psN2HYr2H7F/@5$# 5]<H5lF$k$UN'Z}0KP7FHQ9k&Qi$Vij <rxj9kko" webseald.conf =.U!$kN [authentication-mechanism] 9?s6rQ97^9##tN'Z} 0rXj9klgO"J<Nro,,Q5l^9# 1. 'Z}0O9YF"_$KH)7F!=5;k3H,G-^9# &Qi$Vij<O"5]<H5lF$kF'Z}04HK=. 9k3H,G-^9# 2. cert-cdas H cert-ssl N>}0,=.5lF$klgO" cert-cdas }0, cert-ssl }0r*<P<i$I7^9# 3l in}0n$:l+khj"/i$"sh&z@qr5]<hg -kh&k7j1lpjj^;s# 3. #tn*<;sf#1<?<,=.5lf$klgo"1 DNQ 9o<I&?$WN*<;sF#1<?<@1,B]KHQ5l ^9# WebSEAL O"J<N%hgLrHQ7F"?E=.5l F$kQ9o<I&*<;sF#1<?<rrh7^9# a. passwd-cdas b. passwd-ldap 4. 2 DN[Jk'Z}0KP7F18+9?`&i$Vij<r=.9k3H,G-^9#?H(P"f<6<> / Q9o<IH HTTP XC@<'ZN>}rh}9k+9?`&Qi$Vij< rn.g-^9#3nlgo"passwd-cdas H http-request N >}NQia<?<r18&Qi$Vij<rQ$F=.9k3 HKJj^9#;C7gsuVN]iH 2 DN}0NVN7bN sro"+/tnu$gtcf$?@-^9# 106 P<8gs 3.8

127 WebSEAL O"J<NlgK"f<6<KP7Fm0$sr%9Wm swhrp7^9# 1. s'z/i$"sh,vd!:k:t 2. q0^?op\'z/i$"sh,vd!:k:t J<N/i$"sH&?$WK"V403 failurew(i<,=(5l^ 9# 4. WebSEAL 1. vd!:,:t9klg: a. b. U'$k*<P< cookie c. CDSSO d. IP "Il9 e. HTTP 2. /i$"sh,"webseal KhCFHQTDK5lF$k}0G 'Z9klg Policy Director KO"J<N3^sI,"j"/i$"sH,"HTTP ^?O HTTPS rp7f'zrt&3hr5]<h7f$^9# pkmslogout /i$"sho"wan?sk'zg<?rxj7j$'z}0rh Q7F$kH-K=T;C7gs+im0"&H9klgK" pkmslogout 3^sIrHQ7^9# pkmslogout O"?H(Pp \'Zd IP "Il9'ZrHQ7F$k/i$"sHKO!=7^ ;s#3nlg"m0"&h9kkovi&6<r/m<:7j1l PJj^;s# pkmslogout <I"q0'Z"*hS HTTP F<7gsrp7?'ZK,7F$^9# Tivoli SecureWay Policy Director WebSEAL I},$I 107

128 3^sIOJ<Nh&KBT7^9# Vi&6<K"webseald.conf =.U!$kGjA5lF$km0" &Hq0,=(5l^9# [acnt-mgt] logout = logout.html logout.html U!$kO"f<6<NWor~?9h&KQ9G-^ 9# pkmslogout f<f#jf#<o"f<6<,@i+k[jkpc/ (si&79f`+im0"&h9klgn?ak"mcho</n OGLN*;hLr,WH9kH-"#tm0"&H~zZ<8b5 ]<H7^9#!Nq0KhCF"CjN~zU!$kr1L7^9# 33G"custom_logout_file O"m0"&H~zNU!$k>G 9#3NU!$kO"GU)kHN logout.html U!$kH=N> N5sWk HTML ~zq0r}d"18 lib/html/c G#l/Hj <K8_7J1lPJj^;s# pkmspasswd p\'z (BA) ^?,q0'zrhq7f$klgo"m0$s&q 9o<IrQ99k?aK"3N3^sIrHQ9k3H,G-^ 9#3N3^sIO"HTTP ^?O HTTPS KO,ZG9# c: WebSEAL G BA,HQ5lk]NGgN;-ejF#<r]Z9k?a"3N3^sIO BA /i$"shkp7fj<nh&j0nr }A^9# 1. Q9o<I,Q95l^9# 108 P<8gs 3.8

129 2. /i$"sh&f<6<,=t;c7gs+im0"&h7^ 9# 3. /i$"sh,icwart&h"vi&6<o/i$"shk P7F BA WmsWHrP7^9# 4. Q37FWarT&lg"/i$"sHOFYm0$s7J1l PJj^;s# 4. WebSEAL 3N7Jj*O"p\'ZrHQ9k/i$"sHKN_,Q5l^ 9# p\'z (BA) O"'Za+K:`KP7Ff<6<>HQ9o<I rs(9klgn8`}0g9# BA O"HTTP WmH3kKhjj A5l"HTTP *hs HTTPS rp7f$swjash9k3h,g -^9# GU)kHG"WebSEAL O" HTTPS rp7?p\'z (BA) Nf <6<>HQ9o<IKhk'Z,T(kh&K=.5lF$^9# webseald.conf =.U!$kN [ba] 9?s6K"k ba-auth Qi a<?<o"p\'z}0rhqd=*hshqtdk7^9# p\'z}0rhqd=k9kko"vhttpw"vhttpsw"^?o VbothWr~O7^9# p\'z}0rhqtdk9kko"vnonewr~o7^9# c: [ba] ba-auth = https lk`>o"vi&6<,f<6<km0$s&g<?raakwm swhrp9h-k=lk@$"m0&\c/9k=(5lkf-9 HG9# Tivoli SecureWay Policy Director WebSEAL I},$I 109

130 lk`>r_j9k=.qia<?<o" webseald.conf =.U! $kn [ba] 9?s6K"j^9# c: [ba] basic-auth-realm = Policy Director ^ 15. BA m0$s&wmswh passwd-ldap Qia<?<O"f<6<>HQ9o<IKhk'Z rh}9k?akhq5lk&qi$vij<rxj7^9# UNIX GO"H_~_^CTs0!=rQU7F$kU!$k O"libldapauthn HFPlk&Qi$Vij<G9# Windows GO"H_~_^CTs0!=rQU7F$kU!$k O"ldapauthn HFPlk DLL G9# 'Za+K:` &Qi$Vij< Solaris AIX Windows HP-UX passwd-ldap libldapauthn.so libldapauthn.a ldapauthn.dll libldapauthn.sl 110 P<8gs 3.8

131 webseald.conf =.U!$kN [authentication-mechanism] 9?s 6K"WiCHU)<`CjN&Qi$Vij<&U!$k>rXj 7? passwd-ldap Qia<?<r~O7F"f<6<>HQ9o< IKhk'ZNa+K:`r=.9k3H,G-^9#c: Solaris: [authentication-mechanisms] passwd-ldap = libldapauthn.so 4. WebSEAL Windows: [authentication-mechanisms] passwd-ldap = ldapauthn.dll CjNHis9]<HKP7Fq0'Z,HQD=KJCF$kl g"=nhis9]<hkp9kp\'z_jo5k5l^9# Policy Director KO"8`p\'Za+K:`Keok}0H7F" q0'z,qu5lf$^9#3n}0go"p\'zkhkf<6 <N'NkLH7F8`m0$s&WmsWH,P5lkeojK" Policy Director +i+9?` HTML m0$sq0,8.5l^9# q0y<9&m0$srhq9kh"p\'znlgho[jj"v i&6<,f<6<>hq9o<inpsr-cc7ek~lk3h O"j^;s# webseald.conf =.U!$kN [forms] 9?s6K"k forms-auth Qia<?<O"q0'ZrHQD=*hSHQTDK7^9# q0'z}0rhqd=k9kko"vhttpw"vhttpsw"^?o VbothWr~O7^9# q0'z}0rhqtdk9kko"vnonewr~o7^9# c: Tivoli SecureWay Policy Director WebSEAL I},$I 111

132 [forms] forms-auth = https passwd-ldap Qia<?<O"f<6<>HQ9o<IKhk'Z rh}9k?akhq5lk&qi$vij<rxj7^9# UNIX GO"H_~_^CTs0!=rQU7F$kU!$k O"libldapauthn HFPlk&Qi$Vij<G9# Windows GO"H_~_^CTs0!=rQU7F$kU!$k O"ldapauthn HFPlk DLL G9# 'Za+K:` &Qi$Vij< Solaris AIX Windows HP-UX passwd-ldap libldapauthn.so libldapauthn.a ldapauthn.dll libldapauthn.sl webseald.conf =.U!$kN [authentication-mechanism] 9?s 6K"WiCHU)<`CjN&Qi$Vij<&U!$k>rXj 7? passwd-ldap Qia<?<r~O7F"f<6<>HQ9o< IKhk'ZNa+K:`r=.9k3H,G-^9#c: Solaris: [authentication-mechanisms] passwd-ldap = libldapauthn.so Windows: [authentication-mechanisms] passwd-ldap = ldapauthn.dll CjNHis9]<HKP7Fq0'Z,HQD=KJCF$kl g"=nhis9]<hkp9kp\'z_jo5k5l^9# HTML q0'zgo"+9?`&m0$sq0rhq9k,w,"j^9# 5sWkN login.html q0o"gu)khgj<ng#l/hj< K"j^9# <install-directory>/lib/html 112 P<8gs 3.8

133 3Nq0NbFH_WO"+9?^$:9k3H,G-^9#?H( P"!Nh&KJj^9# 4. WebSEAL ^ 16. 5sWk WebSEAL m0$sq0 +9?^$:G-kHQD=J HTML q0kd$f"\7/o"40 Z<8NX+9?` HTML Z<8NI}Yr2H7F/@5$# WebSEAL O"SSL rp7?/i$"sh&g#8?kz@qrhq 7F"/i$"sHHN;-e"L.r5]<H7^9#3N'Z} 0GO"Z@qps (1L>"D^j DN), Policy Director 1LK ^CW5l^9# : G#8?kZ@qKhk'ZO"!N 2 DNU'<:GBT5l^ 9# WebSEAL,5<P<&Z@qrHQ7F"SSL /i$"shk P7F=l+Hr1L9k# WebSEAL O"/i$"sH&Z@qKhCF"/;99k/i $"shnev-!:rt&?ak"'zi (CA) k<hz@q NG<?Y<9rHQ7^9# 1. SSL /i$"sho"webseal 5<P<HN\3rWa7^ 9# Tivoli SecureWay Policy Director WebSEAL I},$I 113

134 2. 3lK~z7F"WebSEAL T'ZI (CA) Np>ru1F$^9# 3. JjjG"k+I&+r!:7^9#/i$"sHNVi&6< KO"Lo"Hi9FCI CA 9# WebSEAL l+hlw7f$klgko"=n5<p<o.jg-^9# ^ 17. /i$"shkhk WebSEAL Z@qNEv-!: 4. p>,lw7j$lgko"vi&6<o"3nz@q,t@j 'ZIKhj/T5l?bNG"k3Hrf<6<KNi;^ 9#3lG"Z@qru1~lk+"q]9k+O"f<6<N U$GT&3HKJj^9# 5. 3Np>,"Vi&6<Nk<HZ@qG<?Y<9N(sHj <HlW9klg">}N;C7gs&-<KD$F"/i$" shh WebSEAL 5<P<NVGB4K^W,Tol^9# 3NWm;9,*;7?kL"(?H(P"f<6<>HQ9o< IKhj)"/i$"sH,'ZD=+DB4JAcMk,N)5 l^9#'z,.y9kh"/i$"sh*hs5<p<o"3 NAcMkrp7FB4KL.r3TG-^9# 6. 33G"/i$"sHO"=Nx+0Z@qr WebSEAL 5<P <Kw.7^9# 114 P<8gs 3.8

135 7. WebSEAL CA HM-g o;h&h7^9#/i$"sh&vi&6<h1mk" WebSEAL 5<P<b"=N-<&G<?Y<9NHi9FCI CA 8. p>,lw7j$lg"webseal O"SSL (i<&3<ir8.7f"=lr/i$"shkw.7^9# 9. p>,lw9klg"=n/i$"sho5'5l^9#/i$ "shn'z,tolkh"=nkl"policy Director 1L,n.5l^9# 4. WebSEAL 10. >}N;C7gs&-<KD$F"/i$"sHH WebSEAL 5 <P<NVGB4K^W,Tol^9#3NWm;9,*;7? kl"j_'z5l?/i$"shh5<p<nvkb4+d. jg-kl.acmk,n)5l^9# WebSEAL $s9h<k~" WebSEAL KO"+Jp>F9H&5<P<Z@q,^^lF$^9#3NF9HZ@qO"WebSEAL,"SSL HQD =Vi&6<NWaK~zG-kh&K7^9,"3lr (,ZJk <H CA Z@qr^^J$) Vi&6<G!:9k3HOG-^; s#3ngu)khz@qnk)0o""ifk WebSEAL [[K^ ^lf$k?a"3nz@qgo"?kb4jl.os+7f$^; s# SSL K*1k;-e"L.rNBK9k?aKO"Hi9FCI'Z I (CA) +ing-n5$h&5<p<z@qrp?7fh@7f* /3H,soKEWG9#GSKit ikeyman f<f#jf#<rhq 7F" CA Kw.5lk'ZWar8.9k3H,G-^9#77$ 5$HNZ@qr$s9H<k7FiYkU19klgKb" ikeyman rhq7^9#z@qr"/f#v WebSEAL 5<P<& Z@qH7FXj9k (3N_jKhj" keyfile G<?Y<9G VdefaultWH7FXj5lF$kZ@qO*<P<i$I5l^9) KO" webseald.conf =.U!$kN [ssl] 9?s6K"k webseal-cert-keyfile-label Qia<?<rHQ7^9# Tivoli SecureWay Policy Director WebSEAL I},$I 115

136 >N7Jj* (j0g'z5l?8cs/7gsji) KP7F[J ikeyman f<f#jf#<rhq7f= 45Z<8NXWebSEAL 273Z<8NXiKeyman webseald.conf =.U!$kN [certificate] 9?s6K"k accept-client-certs Qia<?<r_j9k3HKhj" WebSEAL, SSL 9# J<K(9h&K"GU)kHGO"WebSEAL [certificate] accept-client-certs = never 3NQia<?<NICMKO"optional H required,"j^9#!nf<vk&j9hgo"accept-client-certs Qia<?<GvD 5lF$kMKD$Fb@7^9# M never optional required b@ /i$"sh+i X.509 Z@qru1~l^;s# /i$"shk X.509 Z@qrWa7"Z@q,s( 5l?i"Z@qY<9N'ZrHQ7^9# /i$"shk X.509 Z@qHZ@qY<9N'ZN HQrWa7^9# /i$"sh,z@qrs(7j $lgo"\3rvd7^;s# cert-ssl Qia<?<O"Z@q'Zpsr^CW9k?aN&Qi $Vij<rXj7^9# 116 P<8gs 3.8

137 UNIX GO"H_~_^CTs0!=rw(?U!$kO" libsslauthn HFPlk&Qi$Vij<G9# Windows GO"H_~_^CTs0!=rw(?U!$kO" sslauthn HFPlk DLL G9# 'Za+K:` &Qi$Vij< Solaris AIX Windows HP-UX cert-ssl libsslauthn.so libsslauthn.a sslauthn.dll libsslauthn.sl 4. WebSEAL webseald.conf =.U!$kN [authentication-mechanism] 9?s 6K"WiCHU)<`CjN&Qi$Vij<&U!$k>rXj 7? cert-ssl Solaris: [authentication-mechanisms] cert-ssl= libsslauthn.so Windows: [authentication-mechanisms] cert-ssl = sslauthn.dll &Qi$Vij<&U!$kKw(ilF$kGU)kH&^CTs 0O"Z@q DN r LDAP DN K>\^CW7^9# /i$"sh&z@qnh}kvrequiredw,_j5lf$klg" HTTPS /i$"shkp9k>n'z_jo9yf5k5l^9# HTTP Policy Director O"+9?` HTTP XC@<psKhk'Zr5]< H7^9#3NXC@<psO/i$"sH^?OWm-7<&(< 8'sHKhjXj5l^9# 3Na+K:`GO"Hi9FCI (v0'zq_) XC@<&G<?r Policy Director 1LK^CW9k^CTs0!= (&Qi$Vi Tivoli SecureWay Policy Director WebSEAL I},$I 117

138 j<) r,wh7^9# WebSEAL 6<QN/jGs7ckrn.7^9# WebSEAL O"+9?` HTTP "k3h0sh7f$^9#3n?ak"=n>khqd=j'z} 0OS 9#+9?` HTTP G9# GU)kHGO"3N&Qi$Vij<O"Entrust Proxy ing<?r^cw9kh&kn.5l^9# HTTP webseald.conf =.U!$kN [http-headers] 9?s6K"k http-headers-auth Qia<?<O" HTTP =*hshqtdk7^9# HTTP VhttpsW"^?OVbothWr~O7^9# HTTP 7^9# c: [http-headers] http-headers-auth = https webseald.conf =.U!$kN [auth-headers] 9?s6K"5]< H5lk9YFN HTTP XC@<&?$WrXj7J1lPJj^ ;s# [auth-headers] header = <header-type> GU)kHGO"3NH_~_i$Vij<O"Entrust Proxy XC@ <&G<?r5]<H9kh&KO<I3<IG#s05lF$^ 9# [auth-headers] header = entrust-client 118 P<8gs 3.8

139 G<?r Policy Director 1LK^CW9kh&K"3NU!$kr+ 9?^$:7J1lPJj^;s# API j=<9kd$fo" Tivoli SecureWay Policy Director WebSEAL GYmCQ< ju!ls 9 r2h7f/@5$# HTTP http-request Qia<?<O" HTTP XC@<'Zpsr^CW9 k?an&qi$vij<rxj7^9# 4. WebSEAL UNIX GO"H_~_^CTs0!=rw(?U!$kO" libhttpauthn HFPlk&Qi$Vij<G9# Windows GO"H_~_^CTs0!=rw(?U!$kO" httpauthn HFPlk DLL G9# 'Za+K:` &Qi$Vij< Solaris AIX Windows HP-UX http-request libhttpauthn.so libhttpauthn.a httpauthn.dll libhttpauthn.sl GU)kHGO"3NH_~_&Qi$Vij<O"Entrust Proxy X C@<&G<?r-zJ Policy Director 1LK^CW9kh&KO< I3<G#s05lF$^9#CjNXC@<&G<?N=N>N? r'z7"*w7gsg"3ng<?r Policy Director 1LK^CW 9kh&K"3NU!$kr+9?^$:7J1lPJj^;s# API j=<9kd$fo" Tivoli SecureWay Policy Director WebSEAL GYmCQ< ju!ls9 r2h7f/@5$# webseald.conf =.U!$kN [authentication-mechanism] 9?s 6K"WiCHU)<`CjN&Qi$Vij<&U!$k>rXj 7? http-request Qia<?<r~O7F" HTTP XC@<'Za +K:`r=.9k3H,G-^9# c: Solaris: [authentication-mechanisms] http-request = libhttpauthn.so Tivoli SecureWay Policy Director WebSEAL I},$I 119

140 Windows: [authentication-mechanisms] http-request = httpauthn.dll 1. ssl-id-sessions = no Nlg"u7N]iK;C7gs ID cookie OHQ5l^;s#u7N]iKO"G-NXC@<M, HQ5l^9# 2. /i$"sho"vdk:t9kh"vforbiddenwz<8 (HTTP 403) ru1hj^9# IP Policy Director O"/i$"sHKhCFs!5lk IP "Il9r p7?'zr5]<h7f$^9# IP webseald.conf =.U!$kN [ipaddr] 9?s6K"k ipaddr-auth Qia<?<O" IP "Il9'Z}0rHQD=*h SHQTDK7^9# IP "Il9'Z}0rHQD=K9kKO"VhttpW" VhttpsW"^?OVbothWr~O7^9# IP "Il9'Z}0rHQTDK9kKO"VnoneWr~O7^ 9# c: [ipaddr] ipaddr-auth = https IP IP "Il9rp7?'ZKO"+9?`&Qi$Vij<,,WG 9#3N&Qi$Vij<KO"http-request Qia<?<rHQ7 ^9# 120 P<8gs 3.8

141 Policy Director O"/i$"sHKhCFs!5lkH</s&Q9 3<Irp7?'Zr5]<H7F$^9# webseald.conf =.U!$kN [token] 9?s6K"k token-auth Qia<?<O"H</s'Z}0rHQD=*hSHQTDK7^ 9# 4. WebSEAL H</s'Z}0rHQD=K9kKO"VhttpW"VhttpsW"^?OVbothWr~O7^9# H</s'Z}0rHQTDK9kKO"VnoneWr~O7^ 9# c: [token] token-auth = https token-cdas Qia<?<O"H</s&Q93<I'Zpsr^C W9k?aN&Qi$Vij<rXj7^9# UNIX GO"H_~_^CTs0!=rw(?U!$kO" libtokenauthn HFPlk&Qi$Vij<G9# Windows GO"H_~_^CTs0!=rw(?U!$kO" tokenauthn HFPlk DLL G9# 'Za+K:` &Qi$Vij< Solaris AIX Windows HP-UX token-cdas libtokenauthn.so libtokenauthn.a tokenauthn.dll libtokenauthn.sl GU)kHGO"3NH_~_&Qi$Vij<O"SecurID H</ s&q93<i&g<?r^cw9kh&ko<i3<ig#s05 lf$^9#cjnh</s&g<?n=n>n?r'z7"*w7 gsg"3ng<?r Policy Director 1LK^CW9kKO"3NU Tivoli SecureWay Policy Director WebSEAL I},$I 121

142 !$kr+9?^$:7^9# API j=<9kd$fo" Tivoli SecureWay Policy Director WebSEAL GYmCQ< ju!ls9 r 2H7F/@5$# webseald.conf =.U!$kN [authentication-mechanism] 9?s 6K"WiCHU)<`CjN&Qi$Vij<&U!$k>rXj 7? token-cdas Qia<?<r~O7F"H</s'Za+K:` r=.9k3h,g-^9# c: Solaris: [authentication-mechanisms] token-cdas = libtokenauthn.so Windows: [authentication-mechanisms] token-cdas = tokenauthn.dll Policy Director O"?E}0Wm-7<&(<8'sH (MPA) rh Q9kMCHo</r]n9k?aN=je<7gsrs!7^9# 8`Wm-7<&(<8'sH (SPA) O"SSL ^?O HTTP K*1 k/i$"shh*j8s&5<p<nvn/i$"shl;c7g sr5]<h9k2<h&'$g9#webseal O"3liN/i$ "shl;c7gsklon SSL ^?O HTTP 'Zr,Q9k3H,G-^9#?E}0Wm-7<&(<8'sH (MPA) O"?E/i$"sH& "/;9KP~9k2<H&'$G9#3liN2<H&'$O"H -K"/i$"sH, Wireless Access Protocol (WAP) rp7f"/ ;99k]N WAP 2<H&'$H7FbNilF$^9#2<H& '$O"*j8s&5<P<KP9k1lN'ZQ_AcMkrN) 7F"3NAcMkrLCF"9YFN/i$"sHWa*hS~z rvhsmkw7^9# 122 P<8gs 3.8

143 WebSEAL +i+kh"3nacmkroc?pso"gi"1 DN /i$"sh+in?ewanh&k'15l^9# WebSEAL O" MPA 5<P<N'ZHFDL/i$"sHNIC'ZHrhL9k,W,"j^9# 4. WebSEAL ^ 18. MPA 2<H&'$rp7?L. WebSEAL O"MPA KP9k'ZQ_;C7gsr]}7F$kN G"=lH1~KF/i$"sH4HKLDN;C7gsr]}9k,Wb"j^9#7?,CF"MPA KHQ5lk;C7gs&G<?*hS'Z}0O"/i$"sHKhCFHQ5lk;C7gs& G<?*hS'Z}0HOhL5lJ1lP ([JCF$J1lP) Jj^;s# MPA, WebSEAL KP7FHQ9k;C7gs&G<?&?$W O"/i$"sH, WebSEAL KP7FHQ9k;C7gs&G<?&?$WHOhL5lJ1lP ([JCF$J1lP) Jj^; s#j<n=ko"mpa *hs/i$"shqn-z;c7gs&?$wrj9h7f$^9# -z;c7gs&?$w MPA P WebSEAL /i$"shp WebSEAL SSL ;C7gs ID Tivoli SecureWay Policy Director WebSEAL I},$I 123

144 -z;c7gs&?$w MPA P WebSEAL /i$"shp WebSEAL HTTP XC@< HTTP XC@< BA XC@< BA XC@< IP "Il9 Cookie Cookie /i$"sho"ssl ;C7gs ID r;c7gs&g<?&? $WH7FHQ9k3HOG-^;s# ch7f"mpa,;c7gs&g<?&?$wh7f BA HTTP XC@<H 9# MPA,;C7gs&G<?H7F HTTP XC@<rHQ7F$ klgo"/i$"sholn HTTP XC@<&?$WrHQG -^9# 5<P<G- cookie KO;C7gsps@1,^^l"1Lps O^^l^;s# MPA 5]<H,HQD=JlgO"ssl-id-sessions N!=,Q 95l^9#aL"ssl-id-sessions=yes Nlg" HTTPS /i $"shkp9k;c7gsn]iko SSL ;C7gs ID N _,HQ5l^9# MPA, SSL ;C7gs ID rq$f;c 7gsr]i9k3HrvD7"/i$"sHK>N}0rHQ 7F;C7gsr]i5;klgO"3N)sOhj +l^ 9# 99Z<8NX-zJ;C7gs ID G<?&?$WN=LY b2h7f/@5$# MPA, WebSEAL KP7FHQ9k'Z}0O"/i$"sH, WebSEAL KP7FHQ9k'Z}0HOhL5lJ1lP ([JC F$J1lP) Jj^;s#J<N=KO"MPA *hs/i$"s HQN-z'Z}0rj9H7F$^9# 124 P<8gs 3.8

145 -z'z}0 MPA P WebSEAL p\'z q0 H</s HTTP XC@< Z@q IP "Il9 /i$"shp WebSEAL p\'z q0 H</s HTTP XC@< 4. WebSEAL ch7f"mpa,p\'zrhq7f$klg"/i$"sh, 'Z}0H7F*rG-kNO"q0"H</s"*hS HTTP XC@<G9# Z@q*hS IP "Il9'Z}0O"/i$"sHOHQG- ^;s# Lo"q0 (^?OH</s) 'Z,CjNHis9]<HKP7 FHQD=G"klg"p\'ZO=NHis9]<HKOHQ TDKJj^9 (110Z<8NXp\'Za+K:`N=.Yr2 H)# MPA 5]<H,HQD=JlgO"3N)BOhj +l ^9#=NlgO"MPA,?H(Pq0 (^?OH</s) rh Q7Fm0$s7"18His9]<Hrp7F/i$"sH, p\'zrhq7fm0$s9k3h,g-^9# MPA 1. WebSEAL "I_K9Hl<?<O"J<Nv0`wN=.rB T7^9#?E}0Wm-7<&(<8'sHN5]<HrHQD== 9k CjN MPA 2<H&'$KD$F Policy Director "+&s Hrn.9k 3N MPA "+&shr webseal-mpa-servers 0k<WK IC9k 2. #tn/i$"sh, MPA 2<H&'$K\35l^9# 3. 2<H&'$,War HTTP WaKQ97^9# Tivoli SecureWay Policy Director WebSEAL I},$I 125

146 4. 2<H&'$Khj/i$"sHN'ZrT$^9# 5. 2<H&'$,"/i$"sHWar}D WebSEAL HN\3r N)7^9# 6. MPA O (/i$"shho[jk}0rhq7f) WebSEAL K P7F'Z7" (9GK WebSEAL "+&shrh@7f$k) MPA N1L,4-P5l^9# 7. WebSEAL,"webseal-mpa-servers 0k<WN MPA Nas P<7CWr!:7^9# 8. MPA KD$F/jGs7ckrn.7"=lKP7F"-cC 7ebKCjN MPA?$WH7FNUi0r)F^9# 3N MPA /jgs7cko"#enf/i$"shwak<$ ^9,"3liNWaNvD!:KOHQ5l^;s# 9. 33G"WebSEAL O"WaNj-Tr5iK1L9k,W," j^9# MPA O"m0$s&WmsWHN,5Jk<F#s0rT&? an"#tn/i$"shrhl9k3h,g-^9# 10. /i$"shom0$s7"mpa KP7FHQ5lF$k'Z?$WHO[JC?}0rHQ7F'Z7^9# 11. WebSEAL O/i$"sH'ZG<?+i/jGs7ckrn. 7^9# 12. F/i$"sH,HQ9k;C7gs&G<?&?$WO" MPA,HQ9k;C7gs&G<?&?$WHO[JCF$k,W,"j^9# 13. vd5<s9o"f<6<n/jgs7ckh*v8'/hn ACL vdkpe$f"]n*v8'/hxn"/;9rvd7?j"q]7?j7^9# MPA webseald.conf =.U!$kN [mpa] 9?s6K"k mpa Qia <?<O" MPA 'ZrHQD=*hSHQTDK7^9# MPA 'Z}0rHQD=K9kKO"VyesWr~O7^9# 126 P<8gs 3.8

147 MPA 'Z}0rHQTDK9kKO"VnoWr~O7^9# c: [mpa] mpa = yes MPA f<6<&"+&shnn.kd$fo" Tivoli SecureWay Policy Director Base I},$I *hs Tivoli SecureWay Policy Director Web Portal Manager I},$I r2h7f/@5$# MPA webseal-mpa-servers 0k<WNI}KD$FO" Tivoli SecureWay Policy Director Base I},$I *hs Tivoli SecureWay Policy Director Web Portal Manager I},$I r2h7f/@5$# MPA \jj<9n Policy Director O"WebSEAL 5<P<4HK 1 DN 4. WebSEAL Tivoli SecureWay Policy Director WebSEAL I},$I 127


149 5 WebSEAL,;-e"&Ia$sr]n9kWm-7<&5<P<H 7F$sWjasH5lF$klgO"j=<9XN7s0k&5$ s*sn?an=je<7gsrw(k,w,7p7p88^9#3 NOGO"2 DN/m9Ia$s&7s0k&5$s*s&=je< HTC/NwzOJ<NH*jG9# 5. XCDSSO 'ZN=.Y CDSSO 136Z<8NXe-Community 7s0k&5$s*sN=.Y Policy Director /m9ia$s&7s0k&5$s*s (CDSSO) K O"#tN;-e"&Ia$sVGf<6<&/jGs7ckr>w 9k?aNa+K:`,"j^9# CDSSO Khj"Web f<6< O"7s0k&5$s*srBTG-k?a"2 DNDL;-e"& Ia$sVr7<`l9K\09k3H,G-^9# CDSSO 'Za +K:`O"^9?<'Z5<P< (e-community SSO r2h) KM 87^;s# CDSSO O"#tN;-e"&Ia$sr}gG-kh&K7F"9 1<iVkJMCHo</NOH$&\8rYg7^9#?H(P" 2 DJeNG-Ia$s (=l>lh+nf<6<*hs*v8'/ Tivoli SecureWay Policy Director WebSEAL I},$I 129

150 H&9Z<9r}D) Khj"gkHN(/9HiMCHr_j9k 3H,G-^9#CDSSO Khj"7s0k&5$s*sr}DIa $svgnf<6<n\0,d=kjj^9# f<6<,">nia$sk"kj=<9xnwarp9h"cdsso a+k:`o" 1 V\NIa$s+i 2 V\NIa$sK"Ef= 5l?f<6< ID H</sr>w7^9# 2 V\NIa$sO" f<6<n1l (1 V\NIa$sG'Zru1?NG) r}d3h KJj"f<6<O"5iJkm0$srBT9kh&K/)5lk 3HO"j^;s# CDMF?/N CDSSO 7Jj*GO"L9NIa$sbK$kf<6<VG NGU)kHN 1 P 1 N^CTs0O"9YFNGWm$asHW oko=0oj$+b7l^;s# /m9ia$s&^cts0&ul<`o</ (CDMF) O"H%f <6<0-rh}7Ff<6<1LN^CTs0&5<S9rs!9 k+9?`&qi$vij<rf<6<,=[9k3hrd=k9k Wm0i_s0&$s?<U'<9G9# CDMF Wm0i_s0&$s?<U'<9GO"@pKf<6<1L N^CTs0r+9?^$:7"f<6<N0-rh}9k3H,G -^9# CDMF CDSSO J<NWm;9&Um<Nb@O"^19 K^(5lF$^9# 1. #tnia$sk2c7?$f<6<o$:lb"1!ia$s bk-zjf<6<&"+&shr}a"5ikf2cjb< H&Ia$sbN-zJ"+&sHK^CW5lk1Lr}CF $J1lPJj^;s# f<6<o"f<6<n"+&shr^`gin;-e"&ia $s (A) KP7FGiK'ZrToJ1lP" CDSSO!=r/ 09k3HOG-^;s# 2. f<6<o"web Z<8eN+9?`&js/rp7FIa$s B bnj=<9k"/;99kwarn.7^9# 130 P<8gs 3.8

151 3Njs/KO"J<Nh&J"CLN CDSSO q0,~cf$ ^9# /pkmscdsso?<destination-url> c: /pkmscdsso? 3. WaOGiKIa$s A N WebSEAL 5<P<KhCFh}5 l^9# WebSEAL Of<6<N Policy Director 1L (;L >)"=TIa$s (VAW)"ICf<6<ps"*hS?$`& 9?sWr^`'ZH</srn.7^9# ICf<6<psO"+9?^$: CDMF &Qi$Vij<rF SP9 (cdmf_get_usr_attributes) 3HKhCFh@5l^9# 3Ni$Vij<KO"f<6<&^CTs0&Wm;9fKI a$s B KhCFHQ5lkf<6<0-rs!9k!=,"j ^9# WebSEAL N triple-des O"cdsso_key_gen f<f#jf#< Khj8.5lkPN-<rHCF"3NH</s&G<?rE f=7^9#3n-<&u!$ko"ia$s A HIa$s B N>}N WebSEAL 5<P<eN webseald.conf =.U!$kN [cdsso-peers] 9?s6G"&Q5lF]I5l^9# H</sKO"H</sN83~VrjA9k=.D=J?$ `&9?sW (authtoken-lifetime),~cf$^9#?$`&9?sw,57/=.5lf$kh"3lkhj"jwl$6br I03H,G-^9# Ia$s A N WebSEAL 5<P<O"WaHEf=5l?H< /srvi&6<k>w7fa7"5ikia$s B N WebSEAL 5<P<K>w7^9 (HTTP >w)# 5. Ia$s B N WebSEAL 5<P<O"3NP<8gsN18- <&U!$krHQ7F"2H7F$kIa$s+iH</s, ~e9k?sk"=nh</sref=r 7F"Ev-!:r T$^9# 6. 33G"Ia$s B WebSEAL 5<P<O"CDSSO 'Za+K :`&i$vij<rfsp7^9#!$g CDSSO i$vij Tivoli SecureWay Policy Director WebSEAL I},$I 131

152 <O"B]Nf<6<&^CTs0rBT9k+9?` CDMF i $Vij<rFSP7 (cdmf_map_usr) ^9# CDMF i$vij<of<6<n1lh"*w7gsg"icf <6<0-psr CDSSO i$vij<ko7fa7^9# CDSSO i$vij<o3npsrhq7f/jgs7ckrn. 7^9# 7. Ia$s B NvD5<S9O"f<6<N/jGs7ckH"W a5lf$k*v8'/hkx"7?cjn ACL vdkpe$ F"]n*V8'/HXN"/;9rvD7?jq]7?j7^ 9# ^ 19. CDMF rhq7?/m9ia$s&7s0k&5$s*s&wm;9 CDSSO webseald.conf =.U!$kN [cdsso] 9?s6K"k cdsso-auth Qia<?<O" CDSSO 'Z}0rHQD=*hSHQTDK7^ 9# 132 P<8gs 3.8

153 CDSSO 'Z}0rHQD=K9kKO"VhttpW"VhttpsW"^?OVbothWr~O7^9# CDSSO 'Z}0rHQTDK9kKO"VnoneWr~O7^9# c: [cdsso] cdsso-auth = https CDSSO cdsso =.Qia<?<O"'Zpsr^CW9k?aKO<I3< G#s05l?&Qi$Vij<rXj7^9# UNIX GO"H_~_^CTs0!=rQU7F$kU!$k O"libcdssoauthn HFPlk&Qi$Vij<G9# Windows GO"H_~_^CTs0!=rQU7F$kU!$k O"cdssoauthn HFPlk DLL G9# 'Za+K:` &Qi$Vij< Solaris AIX Windows HP-UX cdsso libcdssoauthn.so libcdssoauthn.a cdssoauthn.dll libcdssoauthn.sl 5. webseald.conf =.U!$kN [authentication-mechanism] 9?s 6K"WiCHU)<`CjN&Qi$Vij<&U!$k>rXj 7? cdsso Qia<?<r~O7F" CDSSO 'Za+K:`r=.9k3H,G-^9# c: Solaris: [authentication-mechanisms] cdsso = libcdssoauthn.so Windows: [authentication-mechanisms] cdsso = cdssoauthn.dll Tivoli SecureWay Policy Director WebSEAL I},$I 133

154 WebSEAL O"cdsso_key_gen f<f#jf#<g8.5l?-< rhq7f"h</sbn'zg<?ref=7j1lpjj^; s#f2cia$sbnf WebSEAL 5<P<H-<&U!$kr& Q7F"3N-<rV1 =W7J1lPJj^;s#FIa$sK 2C7F$kF WebSEAL 5<P<O"18-<rHQ9k,W," j^9# m: -<&U!$kNn.H[[O"Policy Director N CDSSO Wm ;9NfGOTol^;s# cdsso_key_gen f<f#jf#<go"3nf<f#jf#<nb T~K"-<&U!$kNlj (dpq9>) rxj9k3h,,w G9# UNIX: # cdsso_key_gen <absolute-pathname> Windows: MSDOS> cdsso_key_gen <absolute-pathname> FIa$sK2C7F$k WebSEAL 5<P<N webseald.conf =.U!$kN [cdsso-peers] 9?s6K"3N-<&U!$kNl jr~o7^9# 3Nq0KO"WebSEAL ^7s>H-<&U!$ knlj,~cf$^9# [cdsso-peers] <webseal-machine-name> = <keyfile-location> Ia$s A =.c: [cdsso-peers] = <pathname>/a-b.key Ia$s B =.c: [cdsso-peers] = <pathname>/a-b.key e-ncgo"a-b.key U!$kO 1 DN^7s (?H(P" WebSEAL A) K8.5l"jnHG (7+bB4K) >N^7s (? H(P"WebSEAL B) K3T<5lF$^9# 134 P<8gs 3.8

155 H</sKO"1LH</sN83~VrjA9k=.D=J?$ `&9?sW,~CF$^9#?$`&9?sWN-z B,Zlk H"=NH</sO5zG"kH=G5l"HQ5lJ/Jj^9# H</s,p^lF"=N83~VbKF85lk3HrI_9k? ak"?$`&9?swko"=,k;$mr_j7f"jwl$6 webseald.conf =.U!$kN [cdsso] 9?s6K"k authtoken-lifetime Qia<?<O"H</s83~VNMr_j7 ^9#MO"C1LG=5l^9#GU)kHMO 180 CG9# [cdsso] authtoken-lifetime = 180 2CIa$sVN~VN:lrM87J1lPJj^;s# CDSSO HTML 2! ;-e"&ia$senj=<9kp9k HTML js/ko" J<Nh&JCjN CDSSO q0,^^lf$j1lpjj^;s# /pkmscdsso?<destination-url> 5. c: /pkmscdsso? 'ZH</sKO"'Zps (f<6<>hq9o<iji) O~C F$^;s,"u.Ia$sbG.jG-kf<6<1LO~CF$ ^9#7?,CF"H</s+Nr"pqHjWl$+i]n9k, W,"j^9# H</sO"WebSEAL 5<P<Hf<6<NVNL.r]n9k? ako"ssl rhq9k3hkhj"s~enp0+i]n7^9# H</sO"f<6<NVi&6<zr+ip^lk3HbM(il ^9#H</s,H</sN83~VbKp^lFjWl$5lkD =-,J$h&K9k?aK"H</sN?$`&9?sWO"=, K;/7F*/,W,"j^9# Tivoli SecureWay Policy Director WebSEAL I},$I 135

156 7+7"=N?$`&9?sWKX7F-z B,Zl?H</s KHQ5l?-<,+U+C?j"!=,eail?j9kH"-U r}c?f<6<,"=nh+nh</srn.7+m^;s# 3liNH</sO"5iKV6 CDSSO Um<WK^~5lkD= -b"j^9#3linh</so"cdsso Ia$sK2C7F$ k WebSEAL 5<P<KP9k\*N'ZH</sH+,1,D-^ ;s#3n?ak"5ik"h</sr]n9k?akhq7?-< r7eki}7f"j *KQ99k,W,"j^9# e-community E-community 7s0k&5$s*sO" Policy Director D-K*1k /m9ia$s'znb& 1 DN$sWjasF<7gsG9#/ m9ia$s'zn\*o"f<6<,"#tnia$sbn#tn 5<P<K6_9kj=<9K"F'ZrTo:K"/;9G-kh &K9k3HG9# Ve-communityWO"S8M9X8K2C9k"CLJIa$s (Policy Director ^?O DNS) N0k<WG9#3liN2CIa$ so""ks8m9nlth7f (=7F*=i/O}*}3Kh j"[jk DNS rhq7f) +"&QX8r}D\A*K[JC? S8M9 (?H(P"\R"8?]1qR"*hSb;I}qRJI) H7F=.9k3H,G-^9# $:ln7jj*k*$fb",:vhomew^?ovownerwia$ sh7fxj5lk 1 DNIa$s,"j^9#S8M9K2C9 klg"[<`&ia$so e-community r)f9ks8m9@sr j-7^9# IAiN7Jj*Gb" e-community K2C9kf<6<KX9k' Zps ('ZKHQ5l?f<6<>HQ9o<Ir^`) O"[< `&Ia$sK]}5l^9#3N[VKhj"e-community bnx kw&g9/fsp7 (3liO9YF[<`&Ia$sr2H9k) JINh&J"I}djN?aN1l2H@N8_,D=KJCF$ ^9# 136 P<8gs 3.8

157 ^?"f<6<o Policy Director Web Portal Manager rhq7f3 NpsNI}rQ$9k3HKhj"2CIa$s,+HNf<6< NI}KP7FU$ri&h&K9k3HbG-^9# J<N^O"Ia$s A (da.com) HIa$s B (db.com) H$& 2 DN2CIa$sr}D5sWk e-community r(7f$^9#3n cg"ia$s A O[<`^?O*<J<&Ia$sG9#Ia$ s B O2C^?OVjb<HWIa$sG9# 5. ^ 20. e-community bgk [<`&Ia$sOf<6<rVj-W9k"D^j"f<6<N' Zpsr3sHm<k7^9#f<6<,I3Gj=<9NWarT &+KX8J/"[<`&Ia$sOoKf<6<,'ZrT&,W N"kljG9# 'ZO"^9?<'Z5<P< (MAS)([<`&Ia$sK"CF" 9YFNf<6<r'Z9kh&K=.5lF$k5<P< (^?O Tivoli SecureWay Policy Director WebSEAL I},$I 137

158 l"nlwj+&5<p<)) KP7FTol^9#3N^GO MAS, mas.da.com H7F=(5lF$^9# MAS N$3O"'Z5< MAS K"f<6<KP 7FHQD=Jj=<9,^^lF$FOJj^;s# f<6<, MAS KP7F5oK'Z5lkH"MAS OH</sH 7FV]ZWr8.7^9#3NH</sO"f<6<,WarTC F$k5<P<Ka5l^9#5<P<O3NV]ZWH</sr" f<6<, MAS KP7F5oK'Z5l"e-community e-community Ia$sVGNpsN>wKD$FO" 139Z<8N Xe-Community $^9# e-community URL (VC/^</) rp7?j=<9x N"/;9r5]<H7F$^9#3N!=O"CLK=.5l? pkmscdsso js/km89k CDSSO bgk (129Z<8N XCDSSO 'ZN=.Yr2H) HPHr.7^9# e-community $swjasf<7gsko" e-community K2C 7F$k9YFNIa$sbN9YFN WebSEAL 5<P<HN VG0g7?=.,,WG9# e-community K2C9k9YFNf<6<O"[<`&Ia$s K"k1l^9?<'Z5<P< (MAS) KP7F'Z9k,W,"j^9# e-community $swjasf<7gsgo"f<6<, MAS K -z"+&shr}?j$ (?H(P"Ia$s B K07F$k,Ia$s A NIa$s B e-community KO2C7F$J$f <6<) lgojb<h&ia$sgvm<+kw'zrt&3 H,G-^9# MAS GOJ$ (,2CO7F$k) Ia$sbNj=<9NWa N]K"MAS HN'ZK:T7?f<6<KO"WahNm<+ k&5<p<kp7f'zrt&h$&*w7gs,?(il^ 9# 138 P<8gs 3.8

159 MAS (*hsg**ko"jb<h&ia$sbn*r5l?> N5<P<) O"f<6<N'Z1LrV]ZW7^9# V]ZW5<S9rs!G-k5<P<r1L9k?aK"Ia $sg- cookie,hq5l^9#3lkhcf"jb<h&ia $sbn5<p<om<+kgv]zwpsrwag-^9#e f=5l? e-community cookie NbFK"f<6<1Ld;-e jf#<pso^^l^;s# Ef=5l?V]ZWf<6<1LrO9?aK"CLJH</ s,hq5l^9#v]zwh</sko"b]nf<6<'z pso^^l^;s#&qk)0 (triple-des) KhCF]4-, ]?l^9#h</sko"h</s,-zkjk Vr)B9 k?$`"&h (83~V) M,^^l^9# e-community $swjasf<7gso"http H HTTPS N> }G5]<H5l^9# D9N e-community Ia$sO"+JNf<6<1LHX"C" ri}7^9#jb<h&ia$snf<6<rm<+k&ia $sn-zf<6<k^cw9kko"/m9ia$s&^ct s0!= (CDMF) API rhq7^9# e-community Ia$s,0m<Pk&f<6<1Lr&Q7F$ klgo"3n^cts0!=otwg9# 5. e-community N=.O"F2C WebSEAL 5<P<N webseald.conf U!$kG_j5l^9# e-community e-community O"[<`&Ia$sHjb<H&Ia$sK"k^9?<'Z WebSEAL 5<P< (MAS) HICN WebSEAL 5<P< +i=.5l^9# MAS O"WebSEAL 5<P<N1l$s9?s 9+"m<I&Pis5<NXeK"k WebSEAL lwj+n;ch H7F8_7^9 (m<i&pis5<o MAS H7F1L5l^ 9)# m<+khjb<hn9yfn2c WebSEAL 5<P<O"i /i $"sh'zk[<`&ia$s MAS rhq9kh&k=.9k, W,"j^9#3lO"[<`&Ia$sbN5<P<KP9kO< Tivoli SecureWay Policy Director WebSEAL I},$I 139

160 IWoG"j"jb<H&Ia$sbN5<P<KP9k=UHWo G9#?H(P"jb<H&Ia$sbN5<P<N$/D+O"+ JN'Zrh}9kh&K=.9k3H,G-^9#3liN5<P <H"3li,]n9kj=<9O" e-community Ia$sbK"C?H7Fb"e-community HOH)7F`nG-^9# e-community $swjasf<7gso"v]zw79f`kpe- ^9#Lo"f<6<,-z;C7gsrN)7F$J$ WebSEAL 5<P<+iNj=<9rWa9klg" WebSEAL Of<6<KP 7F'ZpsraakWmsWHrP7^9# e-community =.G O"WebSEAL 5<P<OV]ZW5<P<r1L7"f<6<,' ZQ_G"k3Hr!Z9kh&3NV]ZW5<P<KWa7^ 9# V]ZW5<P<KO"=Nf<6<N-zJ/jGs7ckps, "j^9#f<6<nginwago"v]zw5<p<o$db MAS G9# MAS O"z-3-[<`&Ia$sbNj=<9QN V]ZW5<P<H7F!=7^9#f<6<, e-community GNj =<9War3T9klg"Fjb<H&Ia$sbND9N5<P <O"f<6<KP9k=NH+N/jGs7ckrn. (MAS + inf<6<1lpsrpk7f) 7F"=NIa$sbNj=<9 NV]ZW5<P<Nrdr4&3H,G-^9# V]ZW5<P<KWa5l?!ZO"V]ZWH</sNA0rh j^9#v]zw5<p<oh</srn.7f"wa& WebSEAL 5<P<K=lra7^9#H</sNfNf<6<1LpsO"E f=5l^9#h</sko83 VBY,^^l^9# V]ZWH</sru1hkH"Wa&5<P<O/jGs7ckH =Nf<6<KP9km<+k&;C7gsr=[7^9#3lGf <6<Op\'Z3sHm<krpKWaj=<9K"/;9G-k h&kjj^9#f'zn,woj/jj (e-community bgkn\ 8) f<6<kowhjj^9# 3/3N;/7gsN e-community Wm;9&Um<r*I_KJk ]O"J<N^r2H7F/@5$#3NWm;9&Um<GO"B TD=J 2 DNVisW"/;9&7Jj* (1 *hs 2) KD$F 140 P<8gs 3.8

161 ^?O 3 N90eKBTG-k 2 D NV!sW"/;9&7Jj* (3 *hs 4) KD$Fb@7^9# 7Jj* 5 O$DGbi "/;9NeK/87^9# 5. ^ 21. e-community Wm;9&Um< V]ZW5<P< e-community N$:l+Nt,KiaF"/;99kf<6<N 'ZKO"oK MAS,HQ5l^9# MAS O'Z5<P<H7FN_BT7F$kY-G"j"j=< 9s!TH7FBT7F$kY-GO"j^;s# MAS,"^ 9?<'Z5<P<H7FNrdr4$J,i1~Kj=<9b ]n9kh&k=.9k3ho7j$g/@5$#3n+po" QU)<^s9KX"7?vAK++okbNG"j";-ej F#<WoGO"j^;s# MAS OoK[<`&Ia$s (3NcGOIa$s A) NV] ZW5<P<G9#?(il?Ia$sbN>N9YFN5<P<QNV]ZW5< P<N1LKO"Ia$sG- e-community cookie,hq5l^ 9#V]ZW5<P<O"MAS KV]ZWH</srWa9kI Tivoli SecureWay Policy Director WebSEAL I},$I 141

162 a$sbngin5<p<g9#v]zw5<p<o"ia$s bnf<6<nv]zwpsrs!7^9#?(il?jb< H&Ia$sGN=NeNV]ZW5<S9NWaO"Ia$s N0N MAS K"/;97FGOJ/"3N5<P<+im<+ kkt&3h,g-^9#[<`&ia$sgo"e-community cookie O MAS rv]zw5<p<h7f1l7^9# (1)VisWe-Community "/;9: WebSEAL 1 (Ia$s A) f<6<o WebSEAL 1 (MAS H18Ia$sb) KhCF]n 5l?j=<9rWa7^9#Vi&6<KO"3NIa$sQ N e-community cookie O^^l^;s# WebSEAL 1 KO"3 Nf<6<KD$FN-cC7e5l?/jGs7ckO"j^ ;s# WebSEAL 1 =.GO"e-community 'Z,HQD=KJj" MAS Nlj,Xj5lF$^9# WebSEAL 1 O"Vi&6< r MAS encljv]zwurl K>w7^9# MAS OV]ZWWaru1hj"=Nf<6<QN/jGs7c kn!wk:t9kh"f<6<km0$sr%9wmswhr P7^9# m0$s,5oktolkh"mas Of<6<QN/jGs7c krn.7"3lr-cc7ek]i7f"vi&6<r"ef =5l?V]ZWH</sH&K WebSEAL 1 en5nwa URL K>w7Fa7^9#5iK"Vi&6<KO"3NIa$ s (3NcGO MAS) QNV]ZW5<P<r1L9kIa$s A G-N e-community cookie,"j^9# m0$snn_,:t9klg"mas Oc2uVr(9V]ZW H</sra7^9#3NH</sO"5ouVNV]ZWH< /shhlg-j$h&k=.5lf$^9#wa&5<p< O"c2uVKP7F"f<6<,m<+k'ZK:T7?lg H1MK?~7^9# WebSEAL 1 OH</srEf=r 7"f<6<KD$FN= NH+N/jGs7ckrn.7^9# 142 P<8gs 3.8

163 m: 18Ia$sbGN1L^CTs0O,W"j^;s#1L ^CTs0,,WJlg" WebSEAL 1 O/m9Ia$s& ^CTs0&Ul<`o</ (CDMF) rhq9k,w,"j ^9# 'Z5<S9,WarvD^?Oq]7^9# (2)VisWe-Community "/;9: WebSEAL 3 (Ia$s B) f<6<o WebSEAL 3 (jb<h&ia$s B) KhCF]n5 l?j=<9rwa7^9#vi&6<ko"3nia$sqn e-community cookie O^^l^;s# WebSEAL 3 KO"3Nf <6<KD$FN-cC7e5l?/jGs7ckO"j^; s# WebSEAL 3 =.GO"e-community 'Z,HQD=KJj" MAS Nlj,Xj5lF$^9# WebSEAL 3 O"Vi&6< r MAS encljv]zwurl K>w7^9# MAS OV]ZWWaru1hj"=Nf<6<QN/jGs7c kn!wk:t9kh"f<6<km0$sr%9wmswhr P7^9# 5. m0$s,5oktolkh" MAS Of<6<QN/jGs7 ckrn.7"3lr-cc7ek]i7f"vi&6<r"e f=5l?v]zwh</sh&k WebSEAL 3 en5nwa URL K>w7Fa7^9#5iK"Vi&6<KO"3NIa$ s (3NcGO MAS) QNV]ZW5<P<r1L9kIa$s A G-N e-community cookie,"j^9# m0$snn_,:t9klg"mas Oc2uVr(9V]ZW H</sra7^9#3NH</sO"5ouVNV]ZWH< /shhlg-j$h&k=.5lf$^9#wa&5<p< O"c2uVKP7F"f<6<,m<+k'ZK:T7?lg H1MK?~7^9# WebSEAL 3 OH</srEf=r 7"f<6<KD$FN= NH+N/jGs7ckrn.7^9# Tivoli SecureWay Policy Director WebSEAL I},$I 143

164 WebSEAL 3 OVi&6<eK 2 V\N e-community cookie (I a$s B KP7F-z) rn.7f_j7" WebSEAL 3 ri a$s B NV]ZW5<P<H7F1L7^9# 'Z5<S9,WarvD^?Oq]7^9# (3)V!sWe-Community "/;9: WebSEAL 2 (Ia$s A) f<6<o WebSEAL 2 (MAS H18Ia$sb) KhCF]n 5l?j=<9rWa7^9#Vi&6<KO" MAS rv] ZW5<P<H7F1L9kIa$s A e-community cookie,^ ^lf$^9# WebSEAL 2 O3N cookie ru1hj^9# WebSEAL 2 KO"3Nf<6<KD$FN-cC7e5l?/ jgs7cko"j^;s# WebSEAL 2 =.GO"e-community 'Z,HQD=KJj" MAS Nlj,Xj5lF$^9#Ia$s A e-community cookie N8_Khj"MAS NljKX9k WebSEAL 2 N=. O*<P<i$I5l^9# cookie O WebSEAL 2 KV]ZW 5<P<N1Lrs!7^9# (7Jj* 2,GiKTol?l g"vi&6<koia$s B cookie b]}5lf$^9," 3lOIa$s A 5<P<KOw.5l^;s#) WebSEAL 2 O"Vi&6<r"cookie NfG1L5lF$kI a$s A V]ZW5<P< (WebSEAL 2 OIa$s A NfK "kng"3nlgo MAS) encljv]zwurl K>w7 ^9# MAS OV]ZWWaru1hj"-cC7e (3lO7Jj* 1 *hs 2 G/8) Nf+i=Nf<6<QN/jGs7ckr! w7^9# MAS OVi&6<r"Ef=5l?V]ZWH</sH&K WebSEAL 2 en5nwa URL K>w7Fa7^9# WebSEAL 2 OH</srEf=r 7"f<6<KD$FN= NH+N/jGs7ckrn.7^9# 'Z5<S9,WarvD^?Oq]7^9# (4)V!sWe-Community "/;9: WebSEAL 4 (Ia$s B) 144 P<8gs 3.8

165 f<6<o WebSEAL 4 (jb<h&ia$s B) KhCF]n5 l?j=<9rwa7^9#7jj* 2,hKBT5l?lg" Vi&6<KO"WebSEAL 3 rv]zw5<p<h7f1l9 kia$s B e-community cookie,^^lf$^9# WebSEAL 4 KO"3Nf<6<KD$FN-cC7e5l?/jGs7c ko"j^;s# WebSEAL 4 =.GO"e-community 'Z,HQD=KJj" MAS Nlj,Xj5lF$^9#Ia$s B e-community cookie N8_Khj"MAS NljKX9k WebSEAL 4 N=. O*<P<i$I5l^9# cookie O WebSEAL 4 KV]ZW 5<P<N1Lrs!7^9# (7Jj* 1,hKBT5l?l g"vi&6<ko"ia$s B 5<P<KOw.5lJ$Ia $s A cookie 7+]}5lF$^;s#=.5lF$k MAS Nlj,eojKHQ5l^9#=7F"WebSEAL 4,Ia$ s B NV]ZW5<P<KJj^9#) 7Jj* 2,hKBT5l?lgO" WebSEAL 4 O"Ia$ s B cookie KhCF1L5l?Ia$s B V]ZW5<P< (3NlgO WebSEAL 3) encljv]zwurl KVi&6< r>w7^9# 5. WebSEAL 3 OV]ZWWaru1hj"-cC7e (3lO7J j* 2 G/8) Nf+i=Nf<6<QN/jGs7ckr!w 7^9# WebSEAL 3 OVi&6<r"Ef=5l?V]ZWH</sH &K WebSEAL 4 en5nwa URL K>w7Fa7^9# WebSEAL 4 OH</srEf=r 7"f<6<KD$FN= NH+N/jGs7ckrn.7^9# 'Z5<S9,WarvD^?Oq]7^9# (5)V=N>We-Community "/;9: WebSEAL 2 (Ia$s A) f<6<owarp7f WebSEAL 2 (Ia$s A) K\37^ 9#7Jj* 3,BT5l?lg"WebSEAL 2 KO"f<6< KD$FN-cC7e5l?/jGs7ck,^^lF$^9# 'Z5<S9,WarvD^?Oq]7^9# Tivoli SecureWay Policy Director WebSEAL I},$I 145

166 e-community +inm0"&h Vi&6<r/m<:9k3HKhCFm0"&H9kH"9Y FN SSL ;C7gsH9YFN e-community cookie,cn5l ^9# /pkmslogout Z<8rp7Fm0"&H9klgO"=NIa$ sqn SSL ;C7gsH e-community cookie,cn5l^9# e-community Cookie e-community cookie O"1 DN WebSEAL 5<P<KhCF_j 5l"f<6<NVi&6<Nabj<K]I5l"eNWaG (18Ia$sbN) >N WebSEAL 5<P<KAw5lkIa$ sg- cookie G9# Ia$sG- cookie KO"V]ZW5<P<N>0" e-community 1L"V]ZW5<P<Nlj (URL) H!="*h S83~VNM,^^l^9# cookie K"f<6<psO^^l ^;s# e-community cookie Khj"2CIa$sbN5<P<OV] ZWpsrm<+kKWa9k3H,G-^9# MAS NIa$ sqn e-community cookie KO"=l[IEWJrdO"j^; s# cookie KO"webseald.conf =.U!$kG_j5lF$k83 ~V (?$`"&H) M,^^lF$^9#83~VMO"jb< H&5<P<,Il/i$9/f<6<QNV]ZWpsrs! G-k+rXj7^9# cookie 83~V,~;9kH"=Nf< 6<O'ZN?aK MAS K>w5lJ1lPJj^;s# cookie O"Vi&6<,/m<:5lkHabj<+iCn5l ^9#f<6<,CjNIa$s+im0"&HH9kH" e-community cookie O*<P<i$I5lFuKJj^9#3N "/7gsKhj"3lOzL*KVi&6<+i n5l^ 9# e-communityv]zw`nko"clk=.5l? 2 DN URL (V] ZWWa*hSV]ZW~z) rl7f"/;95lklq!=,, 146 P<8gs 3.8

167 WG9#3liN URL O" webseald.conf bn=.pskpe/ e-communityv]zwhttp >wn]k=.5l^9# V]ZWWa V]ZWWaO"f<6<,"=Nf<6<N/jGs7ckpsr ^^J$ (e-community QK=.5l?)?<2CH&5<P<Kj =<9rWa9kH6/5l^9#5<P<,V]ZW5<P< (MAS ^?O e-community cookie bg1l5lf$k5<p<) K HTTP >wrw.7^9# V]ZWWaKO"J<Nps,^^l^9# u.&5<p<o"ecommunity-name r!:7f e-community 1LN Ev-!:rT$^9#u.&5<P<O"V]ZW~zbN target-url rhq7f5nwaz<8kvi&6<>w7fa7^ 9# pkmsvouchforv]zwurl O=.D=G9# 5. c: V]ZW~z V]ZW~zO"V]ZW5<P<+i?<2CH&5<P<XN~ zg9# V]ZW~zKO"J<Nps,^^l^9# PD-VFHOST Qia<?<O"V]ZW`nrBT7?5<P<r1 L7^9#u.& (?<2CH) 5<P<O"3NpsrHQ7F V]ZWH</s (PD-VF) NEf=r rt&?ak,wj57$ -<r*r7^9# PD-VF Qia<?<O"Ef=5l?V]ZW H</sr(7^9# Tivoli SecureWay Policy Director WebSEAL I},$I 147

168 c: /m9ia$s&7s0k&5$s*srt&ko"$/i+nf< 6<1Lps,5<P<VGAw5lk,W,"j^9#3N!)p so"url 7Fh}5l^9#3NEf=5l?G<?O" V]ZWH</s HFPl^9# H</sKO"V]ZWN5o^?Oc2uV"f<6<N1L (5oNlg)"H</srn.7?5<P<N04$~>" e-community 1L"*hSn.~oM,^^l^9# -zjv]zwh</snj-to"3nh</srhq9k3 <G;C7gs (*hsl"n/jgs7ck) rn)9k3h, G-^9# H</sO"=N'Z,!:G-kh&K"Triple-DES k)0r HQ7FEf=5l^9# Ef=5l?H</spsOVi&6<KO]I5l^;s# H</sO 1 s@1o5l^9#u.&5<p<o3npsrh Q7F"=NH+N-cC7ebKf<6<N/jGs7ckr n.7^9#5<p<o"18;c7gsfn-hn=nf<6 <KhkWaG3liN/jGs7ckrHQ7^9# H</sKO"webseald.conf =.U!$kG_j5lF$k8 3~V (?$`"&H) M,^^lF$^9#jWl$6bNj9 /O"3NMrsoK;/ (C1L) 9k3HGZ:G-^9# WebSEAL O"cdsso_key_gen f<f#jf#<g8.5l?-< rhq7f"h</sbn'zg<?ref=7j1lpjj^; s#f2cia$sbnf WebSEAL 5<P<H-<&U!$kr& Q7F"3N-<rV1 =W7J1lPJj^;s#FIa$sK 2C7F$kF WebSEAL 5<P<O"18-<rHQ9k,W," j^9# 148 P<8gs 3.8

169 m: -<&U!$kNn.H[[O"Policy Director N e-community Wm;9NfGOTol^;s#F2C5<P<KO"f<6<,j0GB4K-<r3T<7J1lPJj^;s# cdsso_key_gen f<f#jf#<go"3nf<f#jf#<nb T~K"-<&U!$kNlj (dpq9>) rxj9k3h,,w G9# UNIX: # cdsso_key_gen <absolute-pathname> Windows: MSDOS> cdsso_key_gen <absolute-pathname> 1lNIa$s ([<`^?Ojb<H) bn5<p<vgw.5l?h</sr]n9k?akhq5lk-<nljo" webseald.conf =.U!$kN [e-community-sso] 9?s6bN" intra-domain-key Qia<?<NMH7F~O5l^9# [e-community-sso] intra-domain-key = <absolute-pathname> MAS Hjb<H&Ia$sbN5<P<HNVGw.5l?H</ sr]n9k?akhq5lk-<&u!$knljo" [inter-domain-keys] 9?s6bK~O5l^9# MAS H18Ia $sbn>n5<p<ko"inter-domain-keys OTWG9# MAS O"jb<H&Ia$sbN5<P<HL.9k,WN"k#lN5 <P<G9# [inter-domain-keys] <domain-name> = <absolute-pathname> <domain-name> = <absolute-pathname e-community 3N;/7gsGO"e-community $swjasf<7gsk,wj 9YFN=.Qia<?<KD$FF!$7^9#3liNQia<?<O" webseald.conf U!$kbK"j^9#3NU!$kO" e-community bnf2c5<p<4hkmu</=.9k,w,"j ^9# 5. e-community-sso-auth Tivoli SecureWay Policy Director WebSEAL I},$I 149

170 3NQia<?<O"e-community 'ZrHQD=^?OHQTDK 7^9#MO"VhttpW"VhttpsW"VbothW"^?OVnoneWKJj ^9#?H(P"!NH*jG9# [e-community-sso] e-community-sso-auth = both MVhttpW"VhttpsW"*hSVbothWO" e-community 2CTKh CFHQ5lkL.N?$WrXj7^9#VnoneWO"=N5<P <N e-community rhqtdk7^9#gu)kh_jovnonewg 9# master-http-port e-community-sso-auth, HTTP e-community 'ZrHQD=K 7"^9?<'Z5<P<,8` HTTP ]<HJ0N]<H (]<H 80) G HTTP War listen 9klg" master-http-port Qia<? <O8`J0N]<Hr1L7^9#3N5<P<,^9?<'Z5 <P<Nlg"3NQia<?<O5k5l^9#GU)kHGO" 3NQia<?<OHQTDG9# [e-community-sso] master-http-port = <port-number> master-https-port e-community-sso-auth, HTTPS e-community 'ZrHQD=K 7"^9?<'Z5<P<,8` HTTP ]<H (]<H 443) J0N ]<HG HTTPS War listen 9klg" master-http-port Qia <?<O8`J0N]<Hr1L7^9#3N5<P<,^9?<' Z5<P<Nlg"3NQia<?<O5k5l^9#GU)kHG O"3NQia<?<OHQTDG9# [e-community-sso] master-https-port = <port-number> e-community-name 150 P<8gs 3.8

171 3NQia<?<O"9YFN2CIa$sbN9YFN2C5<P <KP9k e-community N}g>r1L7^9#?H(P"!NH* jg9# [e-community-sso] e-community-name = companyabc e-community-name MO" e-community K2C7F$k9YFNI a$sbn9yfn WebSEAL 5<P<KP7F18GJ1lPJj ^;s# intra-domain-key 3NQia<?<O"3N5<P<NIa$sbGr95l?H</ snef=*hsef=r KHQ5lk-<&U!$kNljr1 L7^9#?H(P"!NH*jG9# [e-community-sso] intra-domain-key = /abc/xyz/key.file f<6<o"3n-<&u!$kr 1 DNljK8.7"=NeI a$sbn>n9yfn WebSEAL 5<P<bNXj5l?ljKj 0G (B4K) 3T<7J1lPJj^;s# 5. is-master-authn-server 3NQia<?<O"3N5<P<, MAS +I&+r1L7^9# MO"VyesW+VnoWG9#?H(P"!NH*jG9# [e-community-sso] is-master-authn-server = yes #tn WebSEAL r"^9?<'z5<p<h7f//h&=.7 F"m<I&Pis5<NXeK[V9k3H,G-^9#3N7J j*go"m<i&pis5<o"e-community bn>n9yfn WebSEAL 5<P<KhCF MAS H7FV'1W5l^9# master-authn-server Tivoli SecureWay Policy Director WebSEAL I},$I 151

172 is-master-authn-server Qia<?<KVnoW,_j5lF$klg O"3NQia<?<r3asHr07FXj9k,W,"j^9# Qia<?<O MAS N04$~Ia$s&M<`r1L7^9#? H(P"!NH*jG9# [e-community-sso] master-authn-server = mas.da.com vf-token-lifetime 3NQia<?<O"V]ZWH</sN83~V?$`"&HM (C1L) r_j7^9#3nmo"cookie Nn.?$`&9?sWH M-go;F!:5l^9#GU)kHMO 180 CG9# 2C5< P<VN~VN:lrM87J1lPJj^;s#?H(P"!N H*jG9# [e-community-sso] vf-token-lifetime = 180 vf-url 3NQia<?<OV]ZWURL rxj7^9#3nmo9ic7 e (/) GO^CF$J1lPJj^;s#GU)kHMO /pkmsvouchfor G9#?H(P"!NH*jG9# [e-community-sso] vf-url = /pkmsvouchfor H% URL b==g-^9# vf-url = /ecomma/pkmsvouchfor ec-cookie-lifetime 3NQia<?<O"e-community Ia$s cookie NGg83~V (,1L) rxj7^9#gu)khmo 300,G9#?H(P"! NH*jG9# [e-community-sso] ec-cookie-lifetime = 300 btia$s&-< 152 P<8gs 3.8

173 MAS Hjb<H&Ia$sbN2C5<P<HNVGNH</sN Ef=*hSEf=r K,WJ-<&U!$kNljO" [inter-domain-keys] 9?s6GXj5l^9#5<P<N04$~ Ia$s>H"-<&U!$kNljNdPQ9>rXj9k,W, "j^9#!ncgo" MAS (Ia$s A) K"2 DNjb<H&Ia$sH L.9k?aN-<&U!$krXj7F$^9# [inter-domain-keys] db.com = /abc/xyz/key.fileb dc.com = /abc/xyz/key.filec 3NcG" key.fileb OIa$s A HIa$s B HNVGHQ5 lk-<&u!$kr1l7" key.filec OIa$s A HIa$s C HNVGHQ5lk-<&U!$kr1L7F$^9# Fjb<H&5<P<O"MAS KhCFHQ5lk,ZJ-<&U!$kN3T<r}CF$k,W,"j^9#Ia$s B bn9y FN5<P<O"MAS (Ia$s A) HH</srr99k?aK O" key.fileb N3T<r}CF$J1lPJj^;s# [inter-domain-keys] da.com = /efg/hij/key.fileb 5. Ia$s C bn9yfn5<p<o"mas (Ia$s A) HH</ srr99k?ako" key.filec N3T<r}CF$J1lPJ j^;s# [inter-domain-keys] da.com = /efg/hij/key.filec CDSSO e-community =.GO" cdsso 'Za+K:`rHQD=K9k, W,"j^9#3Na+K:`O"Wa&5<P<,V]ZWH</ sk^^lk1lps+if<6<&/jgs7ckrn.9kh- K,WKJj^9# cdsso =.Qia<?<O"'Zpsr^CW 9k?aKO<I3<G#s05l?&Qi$Vij<rXj7^ 9# Tivoli SecureWay Policy Director WebSEAL I},$I 153

174 UNIX GO"H_~_^CTs0!=rQU7F$kU!$k O"libcdssoauthn HFPlk&Qi$Vij<G9# Windows GO"H_~_^CTs0!=rQU7F$kU!$k O"cdssoauthn HFPlk DLL G9# 'Za+K:` &Qi$Vij< Solaris AIX Windows HP-UX cdsso libcdssoauthn.so libcdssoauthn.a cdssoauthn.dll libcdssoauthn.sl webseald.conf =.U!$kN [authentication-mechanism] 9?s 6K"WiCHU)<`CjN&Qi$Vij<&U!$k>rXj 7? cdsso Qia<?<r~O7F" CDSSO 'Za+K:`r=.9k3H,G-^9# c: Solaris: [authentication-mechanisms] cdsso = libcdssoauthn.so Windows: [authentication-mechanisms] cdsso = cdssoauthn.dll 154 P<8gs 3.8

175 6 WebSEAL WebSEAL 5<P<HPC/(sI Web "Wj1<7gs&5<P <HNVN\3O"WebSEAL 8cs/7gs"^?O8cs/7g shfplf$^9# WebSEAL 8cs/7gsHO"UmsH(s I WebSEAL 5<P<HPC/(sI Web "Wj1<7gs&5< P<NVN TCP/IP \3N3HG9#8cs/7gsKhj" WebSEAL O"PC/(sI&5<P<eN Web j=<9r]n9 k3h,g-^9# WebSEAL 8cs/7gsO"pdadmin 3^sITf<F#jF# <^?O Web Portal Manager rhcfn.9k3h,g-^9#3 NOGO"WebSEAL 8cs/7gsr=.9k?tN*W7gsK D$F"\7/b@7^9# HTC/NwzOJ<NH*jG9# 156Z<8NXWebSEAL 8cs/7gsKD$FN5WY 159Z<8NXVpdadmin server taskwrhq7?8cs/7gs Nn.Y 160Z<8NXp\ WebSEAL 8cs/7gsN=.Y 6. WebSEAL 163Z<8NXj_'Z5lk SSL 8cs/7gsY 169Z<8NXTCP *hs SSL NWm-7<&8cs/7gsN n.y 170Z<8NXSSL rp7? WebSEAL +i WebSEAL XN8c s/7gsy Tivoli SecureWay Policy Director WebSEAL I},$I 155

176 171Z<8NXIC8cs/7gs&*W7gsY 192Z<8NXWebSEAL 8cs/7gsrHQ9klgN;Qe 196Z<8NXh0T5<P<K*1k query_contents NHQY WebSEAL J<N WebSEAL 8cs/7gs&?$Wrn.9k3H,G-^ 9# WebSEAL +ipc/(si&5<p<xn TCP \3 WebSEAL +ipc/(si&5<p<xn SSL \3 WebSEAL +ipc/(si&5<p<xn HTTP Wm-7<& 5<P<P3N TCP \3 WebSEAL +ipc/(si&5<p<xn HTTPS Wm-7 <&5<P<P3N SSL \3 WebSEAL +i WebSEAL XN SSL \3 $:ln8cs/7gsnn.~kb"j<n 2 DNv`KD$F mu7j1lpjj^;s# 1. WebSEAL *V8'/H&9Z<9bN Web "Wj1<7gs& 5<P< (#tnlgb"k) N8cs/7gs (^&sh) Nl jrha^9# 2. 8cs/7gsN?$Wr*r7^9# WebSEAL 8cs/7gspsO=_ XML A0NG<?Y<9&U!$kK]I5lF$^9#8cs/7gs&G<?Y<9&G#l /Hj<NljO" webseald.conf =.U!$kN [junction] 9? s6bgja5l^9#g#l/hj<o WebSEAL 5<P<Nk< H ([server] 9?s6bN server-root Qia<?<) KX"U1i lf$^9# [junction] junction-db = jct 156 P<8gs 3.8

177 F8cs/7gsO".xml H%RNU$?LDNU!$kGjA 5l^9# 8cs/7gsH*W7gsrn.*hSI}9kKO" pdadmin f<f#jf#<rhq7^9# XML A0G"k?a"8cs/7gs&U!$kOj0Gn." T8"#="*hSPC/"CWG-^9# : 1. pdadmin f<f#jf#<^?o Web Portal Manager rhq7 F"WebSEAL HPC/(sI&5<P<NVN8cs/7gsr n.7^9# 2.,ZJ ACL ]j7<r8cs/7gs&]$shk[v7f" PC/(sI&5<P<Kg^+J3sHm<krB\7^9# : 1. pdadmin f<f#jf#<^?o Web Portal Manager rhq7 F"WebSEAL HPC/(sI&5<P<NVN8cs/7gsr n.7^9# WebSEAL O"h0TU!$k&79F`r+0*KV2H7 FW"}r9k3HOG-^;s# query_contents HFPlk CjN"Wj1<7gsrHQ7F"WebSEAL rh0t*v8' /H&9Z<9KLN7J1lPJj^;s#3N"Wj1<7 gso"h0t Web 9Z<9r4Y"WebSEAL KP7F=$H 3sFsDrsp9kbNG9# 2. query_contents Wm0i`rh0T5<P<K3T<7^9# 3. }g*v8'/h&9z<9n,zj*v8'/hk ACL ]j 7<r,Q7^9# WebSEAL J<NXKKO"8cs/7gsKX9kV,'WrWs7F"j^ 9# 8cs/7gsO"1! WebSEAL *V8'/H&9Z<9bN I3KGbICG-^9# 6. WebSEAL Tivoli SecureWay Policy Director WebSEAL I},$I 157

178 18^&sH&]$sHK#tNlWj+&5<P<r8cs/ 7gsG-^9# #tnlwj+&5<p<,188cs/7gs&]$shk^ &sh5lklgo"18?$w (TCP + SSL) GJ1lPJj ^;s# ACL ]j7<o"8cs/7gsrpfh0t5<p<kq55 l^9# 8cs/7gs&]$sHO"m<+k WebSEAL 5<P<N Web 9Z<9NING#l/Hj<HblW7FOJj^;s#?H(P"WebSEAL K /path/... H$&q0Nj=<9,"kl go"/path H$&>0r}D8cs/7gs&]$sHOn.7 J$G/@5$# =N5<P<+iN HTML Z<8K"=NG#l/Hj<XN 5<P<jP URL r}dwm0i` (Javascript ^?O"WlC HJI),^^lF$klgKO"8cs/7gs&]$sH O"PC/(sI&5<P<N Web 9Z<9N"ING#l/ Hj<HblW7FOJj^;s#?H(P"PC/(sI&5 <P<+iNZ<8K"/path/... H$&q0N URL r}dwm0 i`,^^lf$klgo" /path H$&>0N8cs/7g s&]$shon.7j$g/@5$# WebSEAL HTTP 1.0 WebSEAL O"#tN8cs/7gsKo?k HTTP 1.0 N_r5] <H7^9#3N)Bv`O"PC/(sI&8cs/7gs&5< P<K[V5lF$k"Wj1<7gsNQU)<^s9&Ae<K s0*hs+/kfar?(kd=-,"j^9# \3 5]<H5lk WmH3k UmsH(sI (/i$"shh WebSEAL) PC/(sI (WebSEAL H 8cs/7gs&5<P<) HTTP/1.0 *hs HTTP/1.1 HTTP/1.0 N_ RFC Vf RFC2068 RFC P<8gs 3.8

179 m: HTTP/1.0V-<W"i$VWO"UmsH(sI\3GO5]< H5lF$^;s# HTTP J3\3O"HTTP/1.1 G5]<H5 lf$^9# WebSEAL WebSEAL 8cs/7gsN50KD$FN5WO"11Z<8N XWebSEAL 8cs/7gs&3^sI&*W7gsKX9k04JpsKD$F O"263Z<8NXWebSEAL $# pdadmin server task pdadmin rhq9k0k"sec_master I}f<6<H7F;-e "&Ia$sKm0$s7J1lPJj^;s#?H(P"!NH*jG9# UNIX: # pdadmin pdadmin> login Enter User ID: sec_master Enter Password: pdadmin> Windows: MSDOS> pdadmin pdadmin> login Enter User ID: sec_master Enter Password: pdadmin> 6. WebSEAL WebSEAL 8cs/7gsrn.9kKO" pdadmin server task 3^sIrHQ7^9# pdadmin> server task <server-name> <task> Tivoli SecureWay Policy Director WebSEAL I},$I 159

180 server-name z-to"b]n^7s>h3n3^sikhcfhq 5lk Policy Director 3s]<MsH (WebSEAL JI) N040G 9# <policy-director-component>-<machine-name>?h(p"^7s>, cruz G Policy Director 3s]<MsH, WebSEAL G"klgN server-name OJ<NH*jG9# webseald-cruz server-name 0r!:9kKO"server list 3^sIrHQ7^9# pdadmin> server list webseald-cruz WebSEAL WebSEAL O"WebSEAL HPC/(sI Web "Wj1<7gs& 5<P<HNVG"8` TCP (HTTP) 8cs/7gsH;-e" SSL (HTTPS) 8cs/7gsN>}r5]<H7^9# WebSEAL HPC/(sI&5<P<NVN8cs/7gsO"/i $"shh WebSEAL 5<P<HNVN\3?$W (*hs"=n; -ejf#<&lyk) HOLDNbNG9# pdadmin rhq7f"p\ WebSEAL 8cs/7gsrn.9kN K,WJ,\3^sI&*W7gsKO"J<NbN,"j^9# PC/(sI&"Wj1<7gs&5<P<N[9H> ( -h * W7gs) 8cs/7gs&?$W: tcp"ssl"tcpproxy"sslproxy"local ( -t *W7gs) 8cs/7gs&]$sH (^&sh&]$sh) pdadmin> server task <server-name> create -t <type> -h <host-name> <jct-point>?h(p"!nh*jg9# pdadmin> server task webseald-cruz create -t tcp -h doc.tivoli.com /pubs 160 P<8gs 3.8

181 TCP TCP \3Khk WebSEAL 8cs/7gsO"8cs/7gsNp \WmQF#<OQU7F$^9,"8cs/7gs4NN;-e" \3OQU7F$^;s# ^ 22. s;-e" TCP (HTTP) 8cs/7gs ;-e" TCP 8cs/7gsrn.7"i 5<P<rIC9kl go"j<nh&k"-t tcp *W7gsrXj7? create 3^sI rhq7^9# pdadmin> server task <server-name> create -t tcp -h <host-name> [-p <port>] <jct-point> TCP 8cs/7gsNGU)kH&]<HM (]<HM,Xj5lF $J$lg) O 80 G9# SSL SSL 8cs/7gsO"TCP 8cs/7gsH^C?/1MK!= 7^9,"WebSEAL HPC/(sI&5<P<NVNL.,9YF Ef=5lkH$&UCAM,Coj^9# 6. WebSEAL Tivoli SecureWay Policy Director WebSEAL I},$I 161

182 ^ 23. ;-e" SSL (HTTPS) 8cs/7gs SSL 8cs/7gsKhj"(sID<(sI&Vi&6<H"Wj 1<7gsNB4JHis6/7gs,D=KJj^9#f<6<O SSL rhq7f"/i$"sh+i WebSEAL XNL.H" WebSEAL +ipc/(si&5<p<xnl.r]n9k3h,g -^9#SSL 8cs/7gsrHQ9klgO"PC/(sI&5< P<, HTTPS HQD=GJ1lPJj^;s# ;-e" SSL 8cs/7gsrn.7"i 5<P<rIC9kl go"j<nh&k"-t ssl *W7gsrXj7? create 3^sI rhq7^9# pdadmin> server task <server-name> create -t ssl -h <host-name> [-p <port>] <jct-point> SSL 8cs/7gsNGU)kH&]<HM (]<HM,Xj5lF $J$lg) O 443 G9# /i$"sh,"pc/(si&5<p<enj=<9kp7fwa rp9h";-ejf#<&5<p<h7f!=9k WebSEAL," /i$"shkeocf=nwarbt7^9# SSL WmH3kG O"PC/(sI&5<P<KWa,P5l?H-K"=N5<P<,"=NbNG"k3Hr"5<P<&Z@qKhjZ@7J1lP JiJ$HXj7F$^9# 162 P<8gs 3.8

183 WebSEAL CA s# Policy Director O"SSL N IBM Global Security Kit (GSKit) $sw jasf<7gsrhq7^9#gskit ikeyman f<f#jf#< rhq7f"pc/(si&5<p<z@qkp>7? CA Nk<H Z@qr WebSEAL Z@q-<&U!$k (pdsvr.kdb) KIC7J 1lPJj^;s# Z@q-<&G<?Y<9NI}KD$FN04JpsO"273Z< 8NXiKeyman KhkZ@qNI}Yr2H7F/@5$# SSL J<Nh&KXj7F"SSL WmH3krHQ9k8cs/7gs& ]$sh /sales G[9H sales.tivoli.com r8cs/7gs7^ 9# pdadmin> server task <server-name> create -t ssl -h sales.tivoli.com /sales m: e-ncgo"-t ssl *W7gsGGU)kH&]<H 443, X(5lF$^9# J<Nh&KXj7F"SSL WmH3krHQ9k8cs/7gs& ]$sh /travel G"]<H 4443 N[9H travel_svr r8cs /7gs7^9# pdadmin> server task <server-name> create -t ssl -p h travel_svr /travel SSL WebSEAL O"SSL 8cs/7gs (-t ssl ^?O -t sslproxy) K *1k WebSEAL 5<P<HPC/(sI&5<P<Nj_'Zr5 ]<H7^9#J<NW@O"SSL (,9"3^sI&*W7gs, j9h5l^9) K*1kj_'ZN?aK5]<H5lF$k!= KD$FWs7?bNG9# 6. WebSEAL Tivoli SecureWay Policy Director WebSEAL I},$I 163

184 1. WebSEAL O"PC/(sI&5<P<N'ZrT$^9 (LoN SSL Wm;9)# WebSEAL NEv-!:rT$^9#XWebSEAL KhkPC/(sI& WebSEAL (DN) r!:7^9 (-D) (*W7gsG9,"Xj7F*/3Hr//*+a7^ 9)# 165Z<8NX1L> (DN) NM-go;Yr2H7F 2. PC/(sI&5<P<O"WebSEAL N'ZrT$^9 (2D N}0,"j^9)# PC/(sI&5<P<O"WebSEAL (-K)#166Z<8NX/i$"s WebSEAL PC/(sI&5<P<O"p\'Z (BA) WebSEAL N1LpsNEv-!:rT$^9 (-B"-U" -W)#166Z<8NXBA WebSEAL 'ZYr SSL K*1kj_'Zr3sHm<k9k3^sI&*W7gsK O"J<N!=,"j^9# BA 'Z}0rXjG-^9# 8cs/7gs4HK'Z}0r,QG-^9# SSL K*$F -b *W7gs (BA psrh}9k) rj_'zhh 9# WebSEAL WebSEAL O"8` SSL WmH3kK>CF"PC/(sI&5< 164 P<8gs 3.8

185 WebSEAL Kw.7^9# WebSEAL O"k<H'ZI (CA) (p>7f $k CA ra.9k'zi (CA) O"WebSEAL,HQ9k-<&G<?Y<9KH_~^lF$J1 lpjj^;s# ikeyman f<f#jf#<rhq7f"k<h CA Y<9rn.7FI}7^9# 273Z<8NXiKeyman (DN) 1L> (DN) :r/=9k3h,g-^9#5<p< DN NM-go;rHQD ==9kKO"v:5<P<KP7F SSL 8cs/7gsrn.9 k]k"pc/(si&5<p< DN rxj7j1lpjj^; s#dn NM-go;O"*W7gsN=.G9,"SSL 8cs/7 gsrp7fj_'zhlok3n!=r$swjash7f*/3 Hr//*+a7^9# DN H" 8cs/7gsKhjjA5lF$k DN H,fS5l^9#3N 2 DN DN,lW7J$H"PC/(sI&5<P<XN\3O: T7^9# 5<P< DN NM-go;rHQD==9kKO"SSL 8cs/7 gsnn.~k" -D <DN> *W7gsrHQ7F"PC/(s I&5<P< DN rxj7^9#9hjs0bkvis/&9z< 9r~l?$lgO"DN 9Hjs0rsEzQdGO_^9#?H (P"!NH*jG9# -D /C=US/O=Tivoli/OU=SecureWay/CN=Policy Director 6. WebSEAL -D *W7gsO" -K ^?O -B *W7gsHloKHQ9klg KN_,7F$^9# Tivoli SecureWay Policy Director WebSEAL I},$I 165

186 WebSEAL -K 7gs&PC/(sI&5<P<KD$FN WebSEAL 'ZrHQD ==7^9# -K <key-label> 3N7Jj*NroO"J<NH*jG9# WebSEAL N1LN!:r,WH9kh&K;CH"CW7^ 9# WebSEAL si&5<p<n'zrt& (ssl-keyfile-label) h&k=.7^ 9 (webseald.conf)# DN NM-go;rM87?8cs/7gsr=.9k3Hb/ /*+a7^9 (-D)# -K *W7gsO"GSKit -<&G<?Y<9K]I5lF$kH* jk",\nz@qn-<&lykrxj9kz-trhq7^9# ikeyman f<f#jf#<rhq7f"-<&g<?y<9k7, Z@qrIC7^9#webseald.conf =.U!$kN ssl-keyfile-label Qia<?<rHQ7F"-<&lYkr=.7^ 9# -<&lykz-to"zqdgo^j1lpjj^;s#?h( P"!NH*jG9# -K cert1_tiv 45Z<8NXWebSEAL QN-<&G<?Y<9&Qia<?<N=.Yr2H7F/@5$# BA WebSEAL -B -U <username> -W <password> *W7gsrHQ7F" p\'zkhk WebSEAL 'ZrHQD=K7^9# -B -U <username> -W <password> 166 P<8gs 3.8

187 3N7Jj*NroO"J<NH*jG9# PC/(sI&5<P<O"BA WebSEAL N1 LN!:r,WH9kh&K;CH"CW7^9# IN -b 5$ *W7gsO -b filter rhq7 ^9)# WebSEAL O"+,N1LLNr BA (si&5<p<n'zrt&h&k=.7^9# DN NM-go;rM87?8cs/7gsb=.9k3Hr/ /*+a7^9 (-D)# f<6<>z-thq9o<iz-to"sezqdgo^j1lp Jj^;s#?H(P"!NH*jG9# -U WS1 -W abcde 8cs/7gsO"BA h&k;ch"cwg-^9#-b *W7gsKhj"D=-N"k 4 DNz-t"filter"supply"ignore"gso,HQG-kh&KJj^ 9#3liNz-tKD$F"\7/O"203Z<8NX7s0k& 5$s*s&=je<7gsN?aN BA XC@<N=.YG2HG -^9# -b *W7gsKO"j_'ZNlgN8cs/7gs_jKFAr?(kNG"57$H_go;rM87J1lPJj^;s# -b supply 3N*W7gsrHQ7? BA XC@<Khk WebSEAL 'Z OvD5lF$^;s#3N*W7gsO"5N/i$"sH& f<6<>hv@_<wq9o<ikd$f BA XC@<rHQ 7^9# 6. WebSEAL 3N*W7gsrHQ7?/i$"sHZ@qKhk WebSEAL 'ZOvD5lF$^9# Tivoli SecureWay Policy Director WebSEAL I},$I 167

188 -b ignore 3N*W7gsrHQ7? BA WebSEAL 'Z OvD5lF$^;s#3N*W7gsO"5N/i$"sH& f<6<>hq9o<ikd$f BA WebSEAL 'ZOvD5lF$^9# -b gso 3N*W7gsrHQ7? BA WebSEAL 'Z OvD5lF$^;s#3N*W7gsO"GSO 5<P<Khj Xj5l?f<6<>HQ9o<INpsKD$F BA rhq7^9# WebSEAL 'ZOvD5lF$^9# -b filter bt*ko"-b filter *W7gsO"WebSEAL 'Z, BA WebSEAL N BA XC@<O"e3N9YFN HTTP His6 /7gsGHQ5l^9#PC/(sI&5<P<+i+kH" WebSEAL Ko~m0*s7F$kh&K'15l^9# 3N*W7gsrHQ7?/i$"sHZ@qKhk WebSEAL 'ZOvD5lF$^9# PC/(sI&5<P<,"(Vi&6<+iN) B]N/i$" sh1lr,wh9klgko"cgi QtN HTTP_IV_USER" HTTP_IV_GROUP"*hS HTTP_IV_CREDS rhqg-^9#9 /jwh*hs5<vlchnlgo"p~9k Policy Director G-N HTTP XC@<"9JoA iv-user"iv-groups"iv-creds r HQ7F/@5$# 168 P<8gs 3.8

189 TCP SSL L., HTTP ^?O HTTPS Wm-7<&5<P<rHQ9kh& JMCHo</&H]m8<r#GG-k WebSEAL 8cs/7gs rn.g-^9#8` TCP L.^?O]n SSL L.H7FWar h}9kh&k8cs/7gsr=.g-^9# Wm-7<&5<P<rp7F"TCP Y<9^?O SSL Y<9N8 cs/7gsrn)9kko"create 3^sIN type *W7gs KJ<N$:l+Nz-tr,WH7^9# -t tcpproxy -t sslproxy Wm-7<&5<P<*hS?<2CH Web 5<P<r1L9kK O" create *hs add 3^sIO$:lb"J<N*W7gs* hsz-tr,wh7^9# -H <host-name> Wm-7<&5<P<N DNS [9H>^?O IP "Il9# -P <port> Wm-7<&5<P<N TCP ]<H# -h <host-name>?<2ch Web 5<P<N DNS [9H>^? O IP "Il9# -p <port>?<2ch Web 5<P<N TCP ]<H#GU )kho"tcp 8cs/7gs, 80 G"SSL 8cs/7gs, 443 G9# TCP Wm-7<&8cs/7gsNc (1 TG~O7^9) O"J< NH*jG9# pdadmin> server task <server-name> create -t tcpproxy -H clipper -P h -p 80 /ibm 6. WebSEAL SSL Wm-7<&8cs/7gsNc (1 TG~O7^9) O"J< NH*jG9# pdadmin> server task <server-name> create -t sslproxy -H clipper -P h -p 443 /ibm Tivoli SecureWay Policy Director WebSEAL I},$I 169

190 ^ 24. Wm-7<&8cs/7gsNc SSL WebSEAL WebSEAL Policy Director GO"UmsH(sI WebSEAL 5<P<HPC/( si WebSEAL 5<P<NVN SSL 8cs/7gsr5]<H7F $^9# create 3^sIN -C *W7gsrHQ7F"SSL rp7? 2 DN WebSEAL 5<P<r8cs/7gs7Fj_'Z9kh &K7F/@5$# c: pdadmin> server task <server-name> create -t ssl -C -h servera /jcta j_'zo"j<n 2 DNJ,G/87^9# SSL WmH3krQ$lP"PC/(sI WebSEAL 5<P<,"UmsH(sI WebSEAL -C *W7gsrXj9kH"UmsH(sI WebSEAL 5<P <,"=N1Lpsrp\'Z (BA) XC@<K~lF"PC/ (si WebSEAL 5<P<KO93H,G-^9# 5iK"-C *W7gsO"-c *W7gsN!=rHQD==7^ 9#3lKhCFf<6<O"Policy Director G-N/i$"sH1 170 P<8gs 3.8

191 L*hS0k<W&asP<7CWpsrPC/(sI WebSEAL 5 <P<K"F?WaN HTTP XC@<K[VG-kh&KJj^ 9#XC@<&Qia<?<KO"iv-user"iv-groups"*hS iv-creds,"j^9#173z<8nxhttp XC@<XN/i$"sH1LN s! (-c)yr2h7f/@5$# J<Nro,"WebSEAL +i WebSEAL XN8cs/7gsK,Q 5l^9# 3N8cs/7gs,,7F$kNO"-t ssl ^?O -t sslproxy 8cs/7gs&?$W@1G9# IAiN WebSEAL 5<P<b&LN LDAP ^?O DCE l8 9Hj<r&Q7J1lPJj^;s#3lKhj"PC/(s I WebSEAL 5<P<O"UmsH(sI WebSEAL 5<P< 1LpsN'ZrT&3H,G-^9# f<6<o"j<nic WebSEAL 8cs/7gs!=KIC*W7 gsrxj7f"hq9k3h,g-^9# 172Z<8NX7,8cs/7gsN/) (-f)y 173Z<8NXHTTP XC@<XN/i$"sH1LNs! (-c)y 175Z<8NXHTTP XC@<XN/i$"sH IP "Il9Ns! (-r)y 176Z<8NX8cs/7gsh]<?k&5<P<XN;C7g s Cookie Nw. (-k)y 177Z<8NXg8z.8zrhL7J$ URL N5]<H (-i)y 178Z<8NX9/jWH*hS/i$"sH&"Wj1<7gs N URL Nh} (-j)y 6. WebSEAL 183Z<8NX8cs/7gs&^CTs0Khk5<P<jP URL Nh}Y 185Z<8NX9F<HUk&8cs/7gs&5]<H (-s"-u)y Tivoli SecureWay Policy Director WebSEAL I},$I 171

192 186Z<8NX9F<HUk&8cs/7gsN?aNPC/(s I&5<P< UUID NXjY 190Z<8NXWindows U!$k&79F`XN8cs/7gs (-w)y (-f) 77$8cs/7gs,{8N8cs/7gsreq-9kh&/) 9klgO" -f *W7gsrHQ9k,W,"j^9# 3Njgr"J<Nc (5<P<>O webseala) G(7^9# 1. J<Nh&K7F pdadmin Km0$s7^9# # pdadmin pdadmin> login Enter User ID: sec_master Enter Password: pdadmin> 2. server task list 3^sIrHQ7F"=T8cs/7gs&] $shr9yf=(7^9# pdadmin> server task webseala list / 3. server task show 3^sIrHQ7F"8cs/7gsN\Y r=(7^9# pdadmin> server task webseala show / Junction point: / Type: Local Junction hard limit: 0 - using global value Junction soft limit: 0 - using global value Active worker threads: 0 Root Directory: /opt/pdweb/www/docs 4. 7,m<+k&8cs/7gsrn.7F"=T8cs/7g s&]$shrv-9(^9 (77$8cs/7gs,{8N8c s/7gsreq-9kh&/)9kko" -f *W7gs,,W G9)# pdadmin> server task webseala create -t local -f -d /tmp/docs / Created junction at / 5. 7,8cs/7gs&]$sHrlw=(7^9# 172 P<8gs 3.8

193 pdadmin> server task webseala list / 6. 3N8cs/7gsN\Yr=(7^9# pdadmin> server task webseala show / Junction point: / Type: Local Junction hard limit: 0 - using global value Junction soft limit: 0 - using global value Active worker threads: 0 Root Directory: /tmp/docs HTTP (-c) -c *W7gsrHQ9kH"Policy Director CjN/i$"sH1L psh0k<w&asp<7cwpsr"8cs/7gs5lkh0 T5<P<K"F?WaN HTTP XC@<K^~9k3H,G-^ 9# Policy Director HTTP XC@<psKhCF"8cs/7gs5 lkh0t5<p<en"wj1<7gso"/i$"shn Policy Director 1LKpE$?f<6<G-N"/7gsrBTG-^9# HTTP XC@<psO"PC/(sI&5<P<eN5<S9GHQ G-kh&"D-QtA0KQ99k,W,"j^9#@C7e (-) r9yf<~ (_) GV-9("9Hjs0Nh,K HTTP ruc 9k3HKhCF"XC@<psr CGI D-QtA0KQ97^ 9# HTTP XC@<NMO"77$D-QtNMKJj^9# PD Cj HTTP XC CGI D-QtNyA0 iv-user = HTTP_IV_USER = /i$"shn;$>0h9$>0#/i $"sh,'z5lf$j$ (T@N) l g"gu)khgo Unauthenticated G 9# iv-groups = HTTP_IV_GROUPS = /i$"sh,09k0k<wnj9h# 3s^GhZil?zQ(sHj<G=. 5l^9# 6. WebSEAL Tivoli SecureWay Policy Director WebSEAL I},$I 173

194 PD Cj HTTP XC CGI D-QtNyA0 iv-creds = HTTP_IV_CREDS = Policy Director /jgs7ckr=9"( s3<i5l?t)@g<?=$#jb< H&5<P<K/jGs7ckrs!9k NG"fXN"Wj1<7gsGO"vD API rhq7fvd5<s9rfsp;^ 9# Tivoli SecureWay Policy Director Authorization ADK GYmCQ< ju!l s9 r2h7f/@5$# Policy Director G-N HTTP XC@<&(sHj<O"D-Qt HTTP_IV_USER"HTTP_IV_GROUPS *hs HTTP_IV_CREDS H 7F"CGI Wm0i`+iHQG-^9#=N>N"Wj1<7g s&ul<`o</&wm@/hnlg"http Wa+iXC@<r 4-P9}!KD$FO":v9kWm@/HNqAr2H7F/@ 5$# -c -c *W7gsO"PC/(sI&"Wj1<7gs&5<P<Kw. 5lk Policy Director CjN HTTP XC@<&G<?rXj7^ 9# -c <header-types> header-types z-tko" all"iv_user"iv_user_l"iv_groups"*h S iv_creds,"j^9# z-t iv_user iv_user_l iv_groups iv_creds b@ WaN HTTP XC@<N iv-user U#<kIH7F" f<6<> (;$>0) rxj7^9# WaN HTTP XC@<N iv-user U#<kIH7F" f<6<n DN > (9$>0) rxj7^9# WaN HTTP XC@<N iv-groups U#<kIH7 F"0k<WNf<6<&j9HrXj7^9# WaN HTTP XC@<N iv-creds U#<kIH7F" f<6<n/jgs7ckpsrxj7^9# 174 P<8gs 3.8

195 m: iv_user ^?O iv_user_l N$:l+rHQ7">}OHQ7J$ -c all *W7gsO" 3 DN9YF?$WN1Lpsr HTTP (3NlgO;L>A0 (iv_user ),HQ5l^ 9)# m: #tnz-to"3s^@1ghzj^9#9z<9o~lj$ G/@5$# c: -c all -c iv_creds -c iv_user,iv_groups -c iv_user_l,iv_groups,iv_creds HTTP IP (-r) -r *W7gsrHQ9kH"8cs/7gsh"Wj1<7gs&5 <P<"FNWaN HTTP XC@<K/i$"sHN IP "Il9p sr^~9k3h,g-^9# Policy Director HTTP XC@<psK hcf"8cs/7gs5lkh0t5<p<en"wj1<7gs O"3N IP "Il9psrpK"/7gsrBTG-^9# HTTP XC@<psO"PC/(sI&5<P<eN5<S9GHQ G-kh&"D-QtA0KQ99k,W,"j^9#@C7e (-) r9yf<~ (_) GV-9("9Hjs0Nh,K HTTP ruc 9k3HKhCF"XC@<psr CGI D-QtA0KQ97^ 9# HTTP XC@<NMO"77$D-QtNMKJj^9# m: IP "Il9NMO"oK/./i$"sH&^7sN"Il9r =9HOBj^;s# IP "Il9MO"Wm-7<&5<P< ^?OMCHo</&"Il9Q9Wm0i` (NAT) N"Il 9r(93H,"j^9# 6. WebSEAL Tivoli SecureWay Policy Director WebSEAL I},$I 175

196 PD Cj HTTP iv-remote-address CGI D-QtNyA0 HTTP_IV_REMOTE_ ADDRESS /i$"shn IP "Il9#3NMO" Wm-7<&5<P<^?OMCHo< /&"Il9Q9Wm0i` (NAT) N IP "Il9r(93H,"j^9# -r *W7gsO"e.WaN IP "Il9,PC/(sI&"Wj1 <7gs&5<P<Kw.5lk3Hr(7^9#3N*W7gs O"z-trHo:K==5l^9# Cookie (-k) Web ]<?ko"dl_j5l?j=<9*hs5<s9r}-/s!9k5<p<g9# -k *W7gsrHQ9lP" (/i$"sh H WebSEAL HNVKGiKN)5l?) Policy Director ;C7gs cookie rpc/(si&]<?k&5<p<kw.9k3h,g-^ 9#3N*W7gsO=_" Plumtree Corporate Portal =je<7g shn WebSEAL N}gr>\5]<H9k?aK8_7F$^9# /i$"sh,]<?k&5<p<kdmqj=<9&j9hrwa 9kH"]<?k&5<P<O"WebSEAL Kb]n5lF$k5] <H7F$k>N"Wj1<7gs&5<P<K"kj=<9K"/ ;99k3HKhCF3Nj9Hrn.7^9#;C7gs cookie Khj"]<?k&5<P<O"/i$"sHKeoCF"3liN "Wj1<7gs&5<P<KP7F7<`l9J7s0k&5$s *srbt9k3h,g-^9# z-tnj$ -k *W7gsO" WebSEAL HPC/(sI&]<? k&5<p<hnvk8cs/7gsrn.9kh-kh_~_^ 9# ]<?k&5<p<=.gm89y-ro: f<6<>hq9o<ikhk"/;9ko"q0'z,,wg 9#p\'Z (BA) OHQ7J$G/@5$# 176 P<8gs 3.8

197 webseald.conf =.U!$kN [session] 9?s6K"k ssl-id-sessions Qia<?<O"VnoWK_j5lF$k,W, "j^9# HTTPS L.NlgO"3N_jKhCF";C7g su7n]ik SSL ;C7gs ID GOJ/;C7gs cookie,hq5lkh&/)5l^9# ]<?k&5<p<, WebSEAL /i9?<numsh(sig "klgo"u'$k*<p<&?$w cookie rhqd=k7f cookie KO"Warh}9k#= WebSEAL 5<P<HN'Z,5oKTolk3HrvD9kE f=5l?/jgs7ckps,^^lf$^9# URL (-i) GU)kHGO"Policy Director O""/;9&3sHm<kr,Q 9k]K"URL rg8z.8zrhl9kbnh7fh}7^9# -i *W7gsrXj9kH"8cs/7gs5lkPC/(sI&5 <P<XNWarh}9k]K"WebSEAL,"g8z.8zrhL 7J$G URL rh}9k3h,g-^9# 8cs/7gsG3N*W7gsr_j9kH"WebSEAL O"URL N=8rOrT&]K"g8zH.8zrhL7^;s#GU)kH GO"Web 5<P<,g8z.8zrhL9k3Hr[j7F$^ 9# [HsIN HTTP 5<P<GO"URL rg8z.8zrhl9kh &KjA9k HTTP EMr5]<H7F$^9,"HTTP 5<P< KhCFO"g8z.8zrhL7J$h&K URL rh}9kbn b"j^9#?h(p"g8z.8zrhl7j$5<p<ego"!n 2 DN URL O"18 URL H7F=(5l^9# 6. WebSEAL 3N6kq$Khj""I_K9Hl<?<O">}N URL K*$ F18"/;9&3sHm<k (ACL) r,q9k,w,"j^9# Tivoli SecureWay Policy Director WebSEAL I},$I 177

198 -i *W7gsrXj7F"h0T5<P<r8cs/7gs9kH" WebSEAL O"=N5<P<Kw.5lk URL r"g8z.8zr hl7j$gh}7^9# URL (-j) 3NaGO"PC/(sI&5<P<eNj=<9KP9k9/jW HG8.5l?dPjs/*hS5<P<jPjs/r WebSEAL, XdjNXJY 180Z<8NX8cs/7gs Cookie Khk5<P<jP URL Nh}Y 181Z<8NX9/jWH&U#k?<KhkdP URL Nh}Y 183Z<8NX8cs/7gs&^CTs0Khk5<P<jP URL Nh}Y /i$"sh,"8cs/7gs5l? Web 5<P<X"/;99 kh"ajpso"wl<sj HTML"/i$"sH&"Wj1<7 gs ("WlCH)"^?O9/jWHN$:l+KJkD=-,"j ^9#Web JSP"*hS ActiveX,"j^9# HTML Khj8.5lk$UNZ<8"9/jWH"^?O"WlC HO"*=i/PC/(sI&5<P<eN>Nj=<9d=N>N ljxnjs/ (URL) r}cf$^9#url ==O"J<NA0K JCF$k3H,"j^9# dp jp 5<P<jP PC/(sI&5<P<Kakjs/,.y9kNO"URL,jP ==KJCF$k+"8cs/7gsr1L9kpsr}CF$kl 178 P<8gs 3.8

199 gn_g9#webseal O"3N?tKo?k8.psK~CF$k URL r4yf",9"8cs/7gs1lpsrs!9k,w," j^9# jpa0g==5lf$k URL O"WebSEAL Khk`nr?b, WH7^;s#dP^?O5<P<jPA0G==5lkPC/(s I&5<P<KP9kjs/O"5N URL K8cs/7gsKX9 kps,^^lf$j$ng.y7^;s# 3liNjs/O"m <+k WebSEAL 5<P<eK"k*V8'/H+iNWaNh&K +(^9,=&GO"j^;s# jp URL ==Nc (js/o,:.y9kh&kjcf$^9) O"J<NH*jG9# abc.html../abc.html./abc.html sales/abc.html dp URL ==Nc (js/ko8cs/7gsps,,wg9) O J<NH*jG9# 5<P<jP URL ==Nc (js/ko8cs/7gsps,,w G9) OJ<NH*jG9# /abc.html /accounts/abc.html WebSEAL O"J<N}!G"0*K8.5lkdP URL *hs5 <P<jP URL rh}7^9# E* HTML =<9 HTML O"Wl<s&F-9HG"CF"J1K=8rO5lk?a"WebSEAL O",9"+0*K57$8cs/7gsps r URL N0KU1^9#193Z<8NX8cs/7gsh5<P <+ine* HTML URL NU#k?<Yr2H7F/@5$# 6. WebSEAL 9/jWH*hS/i$"sH&"Wj1<7gs&=<9 9/jWHO#(JNG"WebSEAL H_~_dP URL *hs 5<P<jP URL ==,PC/(sI&5<P<+i/i$" Tivoli SecureWay Policy Director WebSEAL I},$I 179

200 shko5lk]"webseal,3lin URL ru#k?<` n9kn,sz(kjj^9# WebSEAL O",9"8cs/7 gspsrs(9kh&k"=.9k,w,"j^9# m: Web 9/jWHNWm0i^<O9YF"0*K8.5lk URL KP7F"jPjs/ (dpjs/gb5<p<jpjs/ GbJ$) rhq9kh&"*+a7^9# Cookie URL!N7Jj*GO"PC/(sI&5<P<eK"k9/jWH," 5<P<jP URL ==r0*k8.7f$^9#3nh_~_3< I,/i$"sHKO5lk]"WebSEAL,=lr`n9k3HO G-^;s#/i$"sHO"8cs/7gspsr^sG$J$? ak57/==5lf$j$ URL r2h7^9# ^ 25. U#k?<`n,TolJ$9/jWH8. URL /i$"sh,"3njs/gxj5l?j=<9rwa9kh" WebSEAL O"=Njs/,m<+k&Z<8r57/Xj7F$k H"VcCF[j7^9#Z<8N!PK:T9kH"WebSEAL O"/i$"sHKVNot FoundW(i<ra7^9# -j *W7gsKO"8cs/7gs5l?5<P<eN Web 9/j WHKhCF0*K8.5l"/i$"sH&^7sGBT5lk5 <P<jP URL rh}9k?an"cookie Y<9N=je<7gs,QU5lF$^9# ll*j=8: pdadmin> server task <server-name> create... -j P<8gs 3.8

201 Wa4HK"8cs/7gs1LR cookie,"/i$"shkw. 5l^9# cookie KO"J<NQtHM,~CF$^9# IV_JCT_<backend-server-name> = </junction-name> /i$"sh,"3n URL rhq7fwarn.9kh"webseal O"=N5Nq0G URL rh}7^9# j=<9n[vk:t9 kh"webseal O"cookie Khjs!5lk8cs/7gspsr HQ7F"=NWar>AKFnT7^9#URL ==N57$8c s/7gspsrhq9kh"j=<9o5ok[v5l^9#!n^o"5<p<jp URL ru#k?<`n9k3n=je<7 gsr(7f$^9# ^ 26. 5<P<jP URL NU#k?< WebSEAL GO"5<P<jP URL rh}9k?ans cookie Y <9NeX=je<7gsrQU7F$^9#183Z<8NX8cs /7gs&^CTs0Khk5<P<jP URL Nh}Yr2H7F /@5$# 6. WebSEAL URL WebSEAL O"8cs/7gsrp7F0*K8.5lkdP URL rh}9kic=.r,wh7^9#webseald.conf =.U!$kK O"J<Nh&K"dP URL NU#k?<`nrHQD==K9k +"HQTD=K9kQia<?<,~CF$^9# Tivoli SecureWay Policy Director WebSEAL I},$I 181

[script-filtering]
script-filter = no

9/jWH&U#k?<O"GU)kHGOHQTD=5lF$^ 9#9/jWH&U#k?<rHQD=K9kKO"!Nh&K_j 7^9#

script-filter = yes

m: PC/(sI&5<P<XN8cs/7gsrn.9kKO"-j *W7gsbHQ7J1lPJj^;s# 9/jWH&U#k? <&a+k:`+iwa5lj/fb"8cs/7gs1lr cookie O"/i$"sHKw.5l^9#

script-filter a+k:`o"!nh&j"8`9-<^"5<p<" j=<9a0rxj7?dp URL r[j7f$^9#

script-filter a+k:`o"js/n9-<^*hs5<p<t,r 57$8cs/7gspsGV-9(^9#

/junction-name/resource

3N=je<7gsO"5iKh}N*<P<XCIr,WH7"Q U)<^s9KiNFAr?(kD=-,"j^9#script-filter Q ia<?<nhqo"dp URL U#k?<N5]<Hr,WH9k 8cs/7gsKP7FN_KBj7F/@5$#!N^O"3N URL U#k?<&=je<7gsr(7^9#

203 ^ 27. dp URL NU#k?< URL Policy Director KO"cookie Y<9N=je<7gsKeok}!H 7F"5<P<jP URL NU#k?<,QU5lF$^9#f<6 <OCjN?<2CH&j=<9r8cs/7gs>K^CW9k8 cs/7gs&^cts0&f<vkrn.7f""/f#v=9k 3H,G-^9# WebSEAL O"8cs/7gs&^CTs0&F<VkK~CF$k G<?r^`5<P<jP URL Nm1<7gspsr!:7^9# URL bnq9ps,f<vkbn(shj<hlw9klgko" WebSEAL O"=Nm1<7gsKX"9k8cs/7gsKWar w.7^9# 8cs/7gs&^CTs0&F<VkO"jmt.conf HFPlk ASCII F-9H&U!$kG9# webseald.conf =.U!$kN [junction] 9?s6K"3NU!$kNlj,Xj5l^9# jmt-map = lib/jmt.conf 6. WebSEAL Tivoli SecureWay Policy Director WebSEAL I},$I 183

F<VkbNG<?&(sHj<NA0O"8cs/7gs>"9Z <9"*hSj=<9&m1<7gs&Q?<s+i=.5l^9# j=<9&m1<7gs&q?<so"o$ki+<i8zrhq7 F==9k3HbG-^9# 8cs/7gs&^CTs0=.U!$kN!NcGO"2 DNPC /(si&5<p<,"/jcta H /jctb K"k WebSEAL K8cs/ 7gs5lF$^9#

#jmt.conf
#<junction-name> <resource-location-pattern>
/jcta /documents/release-notes.html
/jcta /travel/index.html
/jctb /accounts/*
/jctb /images/weather/*.jpg

5N jmt.conf ^CTs0&F<VkO"uNU!$kG9#U!$ kkg<?ric7?i"webseal K7,psNN1r}?;k? a"jmt load 3^sIrHQ7F"G<?rVm<IW7J1lP Jj^;s#

pdadmin> server task <server-name> jmt load
JMT table successfully loaded.

J<Nro,"8cs/7gs&^CTs0&F<Vk&=je<7 gsk,q5l^9# 3N=je<7gsKO"-j *W7gsb8cs/7gs cookie b,w"j^;s# ^CTs0&F<VkO";-ejF#<&"I_K9Hl<? <Khk;CH"CWH"/F#V=,,WG9# 3N=je<7gsO"dP URL Gn.5l?js/Oh}7 ^;s# j=<9&m1<7gs&q?<so"m<+k Web 9Z<9 4NKo?CFG-GJ1lPJi:"^?8cs/7gs5l? Web "Wj1<7gs&5<P<4NKo?CFbG-GJ 1lPJj^;s#

205 U!$kKE#7?Q?<s&(sHj<,"klgKO"^C OBT rq37^9# ^CTs0&F<VkNm<IG(i<,"klgKO"^CT OBTr Q37^9# ^CTs0&F<Vk,uG"k+"F<Vk&(sHj<K( OBTrQ37^9# ^CTs0&F<Vkrm<I9k]K(i<,/89kH" WebSEAL 5<P<&m0&U!$k (webseald.log) N]iFW -(shj<kjj^9# (-s -u) [HsIN Web D="Wj1<7gsGO"/i$"sHNl"N HTTP WaKX9kVuV (9F<H)Wr]}7^9#3NuVrH Q7F"?H(P"J<N3HrT$^9# CGI Wm0i`KhCF8.5lkG<?&(sHj<A0bN U#<kIKhj"f<6<NJTuVrIW9k# l"ng<?y<9hqnbt~k"f<6<n3sf-9hr ]i9k# J"*si$s&7gCTs0&+<H&"Wj1<7gsbK J\Nj9Hr]i9k# m<i[,khkqu)<^s9n~er^k?ak"web D="W j1<7gsrbt9k5<p<r#=g-^9#webseal 5<P <+i"3lin#=5l?pc/(si&5<p<k8cs/7g s,s!5lklgo"/i$"sh&;c7gsk^^l?9yf NWa,"57$5<P<K>w5l"m<I&Pis7s0,'K >CF"#=5l?PC/(sI&5<P<VGO[,5lJ$3H,]Z5lJ1lPJj^;s# 6. WebSEAL Tivoli SecureWay Policy Director WebSEAL I},$I 185

206 GU)kHGO"Policy Director O"HQD=J#=5<P<9YF Ko?CFWar[,9k3HKhCF"PC/(sI&5<P<N m<i&pis7s0rt$^9#policy Director O"VlVu$F $kw"k4j:`rhq7^9#3n"k4j:`o"{kjtf N\3t,Gb/J$5<P<KF7,Warw.7^9# create 3^sIN -s Ui0O"3Nm<I&Pis7s0,'r* <P<i$I7F"/i$"sHNWa,"1 k&8cs/7gswrn.7^9#gin/i$"shwa,/8 9kH"WebSEAL O"Xj5l?PC/(sI&5<P<N UUID r^`/i$"sh&79f`k cookie r[v7^9#/i$"s H,"18j=<9KP7F=Ne"WarT&H-O"cookie N UUID pskhj"wa,ok18pc/(si&5<p<kk<f #s05lk3h,]z5l^9# -s *W7gsO"188cs/7gs&]$sHG8cs/7gs5 lk#tnpc/(si&5<p<rw(? 1 DNUmsH(sI WebSEAL 5<P<K,7F$^9#$C?sGiN8cs/7gs,9F<HUkH7Fn.5lkH"#=5l?^^NPC/(s I&5<P<r188cs/7gs&]$sHK8cs/7gs9k?aK"-s *W7gsrXj7J$ add 3^sI,HQ5lkNG mu7f/@5$# 9YF18PC/(sI&5<P<K8cs/7gs5l?#tNU msh(si WebSEAL 5<P<,7Jj*K^^lF$klg O"-u *W7gsrHQ7F"FPC/(sI&5<P< UUID r FUmsH(sI WebSEAL 5<P<K57/Xj7J1lPJj^ ;s# X9F<HUk&8cs/7gsN?aNPC/(sI&5 <P< UUID NXjYr2H7F/@5$# UUID PC/(sI Web "Wj1<7gs&5<P<KP7F7,8cs /7gsrn.9k]"WebSEAL OLo"FQG- ID (UUID) r 186 P<8gs 3.8

207 8.7F"=NPC/(sI&5<P<r1L7^9#3N UUID ObtK"9F<HUk&8cs/7gsr]i9k?aKHQ5l ^9 (create -s)# GiN/i$"sHWa,/89kH"WebSEAL O"Xj5l?P C/(sI&5<P<N UUID r^`/i$"sh&79f`k cookie r[v7^9# /i$"sh,"18j=<9kp7f=n e"wart&h-o"cookie N UUID pskhj"wa,ok1 8PC/(sI&5<P<Kk<F#s05lk3H,]Z5l^ 9# ^ 28. 9F<HUk&8cs/7gsOPC/(sI&5<P< UUID rhq9k #tnpc/(si&5<p<k8cs/7gs5lk#tnums H(sI WebSEAL 5<P<,8_9kH-O"9F<HUk&8c s/7gsnh}o"5ik#(kjj^9# Lo"1 DNUms H(sI WebSEAL 5<P<H 1 DNPC/(sI&5<P<NV N8cs/7gs4HK"PC/(sI&5<P<OG-N UUID r8.7^9#9joa"1lnpc/(si&5<p<o"ums H(sI WebSEAL 5<P<4HK[Jk UUID r}d3hkjj ^9# 6. WebSEAL #tnumsh(si&5<p<o"2 DN5<P<VNm<Ir, [9k?aK"m<I&Pis7s0&a+K:`r,WH7^9#?H(P"CjN UUID rhq7"webseal 5<P< 1 rp7f PC/(sI&5<P<KP7F"i VuVWrN)9k3H,G -^9# Tivoli SecureWay Policy Director WebSEAL I},$I 187

208 7+7"18/i$"sH+iN#eNWa,"m<I&Pis7s 0&a+K:`Khj"WebSEAL 5<P< 2 rp7fk<f#s0 5lklg"WebSEAL 5<P< 2 G18 UUID rhq7f"18 PC/(sI&5<P<r1L7J$Bj"VuVWO8_7J/J j^9#lo"3&$&djo/-^;s# -u *W7gsrQ$lP"FUmsH(sI WebSEAL 5<P<K P7F"CjNPC/(sI&5<P<N18 UUID rxj9k3 H,G-^9# ch7f"2 DN#=UmsH(sI WebSEAL 5<P<G"=l> l 2 DNPC/(sI&5<P<K9F<HUk&8cs/7gs rw(f$kbnrm(f_f/@5$#webseal 5<P< 1 HP C/(sI&5<P< 2 NVK9F<HUk&8cs/7gsrn.9kH"G-N UUID (UUID A),8.5l"PC/(sI&5< P< 2 r1l7^9#7+7"webseal 5<P< 2 HPC/(s I&5<P< 2 NVK9F<HUk&8cs/7gs,n.5lk H"7,N[Jk UUID (UUID B),8.5l"PC/(sI&5< P< 2 r1l7^9# ^ 29. [Jk UUID 188 P<8gs 3.8

209 WebSEAL 5<P< 1 rpf"/i$"shhpc/(si&5<p < 2 NVKN)5l?VuVWO"/i$"sH+iN!NWa,"WebSEAL 5<P< 2 rp7fk<f#s05l?lgo:t7 ^9# 8cs/7gsNn.~K UUID rxj9k?a"j<nh}r, Q7F/@5$# 1. WebSEAL 5<P< 1 +ifpc/(si&5<p<xn8cs /7gsrn.7^9# create -s H add rhq7^9# 2. 9FCW 1 G"PC/(sI&5<P<4HK8.5lk UUID rj9h7^9# show rhq7^9# 3. WebSEAL 5<P< 2 +ifpc/(si&5<p<xn8cs /7gsrn.7F"9FCW 2 G1L5lk UUID rxj7 ^9# create -s -u H add -u rhq7^9#!n^go"pc/(si&5<p< 1 O"UUID 1 H7F" WebSEAL-1 H WebSEAL-2 N>}G'15lF$^9#PC/(s I&5<P< 2 O"UUID 2 H7F"WebSEAL-1 H WebSEAL-2 N>}G'15lF$^9# 6. WebSEAL ^ 30. 9F<HUk&8cs/7gsN?aNPC/(sI&5<P< UUID NXj Tivoli SecureWay Policy Director WebSEAL I},$I 189

: J<NcK*$F"
WebSEAL-1 O WS1 HFS^9
WebSEAL-2 O WS2 HFS^9
PC/(sI&5<P< 1 O APP1 HFS^9
PC/(sI&5<P< 2 O APP2 HFS^9

pdadmin> server task webseald-ws1 create -t tcp -h APP1 -s /mnt
pdadmin> server task webseald-ws1 add -h APP2 /mnt
pdadmin> server task webseald-ws1 show /mnt

(3lKhj"UUID1 H UUID2,@NKJj^9)

pdadmin> server task webseald-ws2 create -t tcp -h APP1 -u <UUID1> -s /mnt
pdadmin> server task webseald-ws2 add -h APP2 -u <UUID2> /mnt

/i$"sho"pc/(si&5<p< 2 HN9F<HUk\3 rn)9k]k"uuid2 r^` cookie ru1hj^9#e-ncg O"#eNWa, WebSEAL-1 ^?O WebSEAL-2 rp7fk<f #s05lk+i&+kx8j/"/i$"sho"ok"pc/( si&5<p< 2 K\35lk3H,]Z5l^9#

Windows (-w)

WebSEAL GO"URL KXj5lF$kU!$k&Q9KpE$F" 8cs/7gshPC/(sI&5<P<KP9k/i$"sHWa N;-ejF#<!:,BT5l^9#Win32 U!$k&79F`G O"9$U!$k>XN"/;9QK 2 o`n}0,qu5lf$ k?a"3n;-ejf#<!:,kb5lk3h,"j^9# GiN}0O"U!$k>4N (abcdefghijkl.txt) rn'7^9#2 V\N}0O"e}_9-rN]9k?aK"l 8.3 U!$k>A0 rhq7^9 (abcdefx1.txt)#

211 Windows D-G8cs/7gsrn.9kH-O"1 DN*V8'/ F#<&a+K:`rP$Q99kV"}WND=-rvD7J$h &K9k3H,EWG9# -w *W7gsGO"8.3 U!$k>A0rvD7F$^;s# f< 6<O"U!$k>G;$ (8.3) A0rHQG-^;s#9$U!$ ACL >,~O5lkH"5<P<OV403 ForbiddenW(i<ra7^9# Windows GO"U!$k>Vfoo.Wr}DU!$kO"U!$k> VfooWH18bNH7F7ol^9#-w *W7gsO"WarPC /(si&5<p<kw.9k0k"url bnu!$k>+ieq -ICHr n7^9#acl!:o"eq-ichnj$u!$k >rpk7f$^9# : m: -i *W7gsO"Win32 Gg8z.8zNhLr7J$3H (abcde.txt = AbCdE.txt) KhkdjKPh7^9# 177Z<8 NXg8z.8zrhL7J$ URL N5]<H (-i)yr2h7 F/@5$# Windows NT 4.0 GO"J<NQ9rp7FbU!$k Program Files Company Inc. Release.Notes K"/;9G-^9# 1. program files company inc. release.notes 2. program files company inc release.notes 3. prograx1 companx2 releasx3.not e-nc 1 GO"-i *W7gs (-w GJ$) KhjPh5lkVg 8z.8zrhL7J$3HWNFAr(7F$^9# c 2 KO"Windows NT,INh&K7Feq-H%RICHr5 k9k+,(5lf$^9# 6. WebSEAL Tivoli SecureWay Policy Director WebSEAL I},$I 191

212 c 3 KO"Windows NT,"U!$k>K9Z<9r^^:"8.3 A0K`r9kL> (DOS _9-) rn.9k}!,(5lf$^ 9# -w *W7gsO"c 2 Hc 3 K(5lF$kx_*;-ejF# <Ne@KPh7^9#-w *W7gsO"3N8cs/7gs5l?5<P<KP9kWaN URL K*$F"eq-ICHr5k9k 3H"*hS"F#kI8z (x) r^`;$u!$k>xn"/;9 rvd7j$3hrx(7^9# WebSEAL X#tN5<P<N1l8cs/7gsXN^&sHY 193Z<8NX8cs/7gsh5<P<+iNE* HTML URL NU#k?<Y 194Z<8NX#tN8cs/7gsKo?CFvDrB\9kl gnc0y 195Z<8NX8cs/7gsrp7?Z@q'ZY #tn#=5<p<r1l8cs/7gs&]$shk^&shg- ^9#1l]$sHK^&sHG-k5<P<NtK)BO"j^; s# 1l8cs/7gs&]$sHK^&sH5lk5<P<O9YF" lwj+ (_i<js05l? Web 9Z<9) GJ1lPJi:" 18WmH3k (HTTP + HTTPS) rhq7j1lpjj^;s#1 l8cs/7gs&]$shk[jk5<p<r^&sh9k3ho G-^;s# 1! Policy Director 5<P<N Web 9Z<9+i"8cs/7gs h5<p< (#tnlgb"k) K09kZ<8K"/;97^9# 3liNZ<8KO (vdr@f$k3h,rog) "/;9G-k 192 P<8gs 3.8

213 ,W,"j"3liNZ<8KOlS-,"kh&K+(k,W," j^9#z<8,!pg-j+c?j"q9g-j+c?j9k3h,"klgo"=nz<8,57/#=5lj+c?h$&3hru #7^9# 8q,8_7">#=5<P<N8qDj<G18G"k+!:7^ 9# HTML URL 8cs/7gsh5<P<+iu.5lk MIME?$WVtext/htmlW WebSEAL,Q9G-k URL KO"dP URL H5<P<jP URL N 2 DN;CH,"j^9# 5<P<jP URL O"8cs/7gsh5<P<N8qk<H HNX8G URL LVr(7^9#?H(P"!Nh&KJj^ 9# /dir/file.html 3liN URL rq97f"8cs/7gsh5<p<n8cs /7gs&]$sHr?G5;^9#?H(P"!Nh&KJj ^9# /jct/dir/file.html dp URL GO"HOST >+ IP "Il9HMCHo</&]< HN>}HNX8G"URL LVr(7^9#?H(P"!Nh& KJj^9# or 6. WebSEAL 3liN URL O"J<Nl"N,'K>CFQ95l^9# 1. URL, HTTP G"CF"[9H+]<H, TCP 8cs/7gs h5<p<klw9klg"url O"=N8cs/7gs&]$ shr?g9kh&kq95l^9#?h(p"!nh&kjj ^9# Tivoli SecureWay Policy Director WebSEAL I},$I 193

214 /jct/ URL, HTTPS G"CF"[9H+]<H, SSL 8cs/7g sh5<p<klw9klg"url O"=N8cs/7gs&] $shr?g9kh&kq95l^9#?h(p"!nh&kj j^9# /jct/ iv.conf U!$kbGjA5lF$k?0H0-NZ"N 1,U#k?<`n5l^9# 4. META?0O"jUlC7eWaNlg"oKU#k?<`n5 l^9#?h(p"!nh&kjj^9# <META HTTP-EQUIV= Refresh CONTENT= 5;URL= > 5. BASE?0K HREF 0-,~CF$klgO"?0O/i$"s HXN~z+i n5l^9# 8cs/7gsh5<P<rp7F URL ru#k?<`n9kqi a<?<o"webseald.conf =.U!$kN [filter-url] 9?s6K [V5l^9# [filter-url] 9?s6KO"WebSEAL 5<P<,8cs/7gsh5 <P<Khjh@5lkdP URL r409k?aku#k?<`n ^?OQ99k"HTML?0Nj9H,~CF$^9# Lo"HQ5lk HTML?0O9YF"GU)kHG=.5lF$ ^9#"I_K9Hl<?<O"URL r}dicn HTML?0rI C9k,W,"klgb"j^9# 178Z<8NX9/jWH*hS/i$"sH&"Wj1<7gsN URL Nh} (-j)yb2h7f/@5$# Policy Director vdkhcfo"8cs/7gsr[(fb\g-j $bnb"j^9#?h(p"x vdr}d CGI 9/jWH"^? O l vdr}dg#l/hj<&j9hnbto3shm<kg-^ 194 P<8gs 3.8

215 ;s# WebSEAL KO"?H(P"PC/(sI&5<P<eNWa 5l?*V8'/H,"CGI Wm0i`&U!$kJN+"0*G# l/hj<&j9hjn+"lon HTTP *V8'/HJN+r5 NK=L9kjJO"j^;s# CGI Wm0i`dG#l/Hj<&j9HJI"#tN8cs/7g sko?k*v8'/hxn"/;9o"r vdgn_3shm<k G-^9# $s9h<k~"webseal =.U!$kN [ssl] 9?s6bN webseal-cert-keyfile-label Qia<?<KhC 8cs/7gs5l?PC/(sI&"Wj1<7gs&5<P< G" K5;k,W,"klgO"^: ikeyman f<f#jf#<rhq j^;s#=neg"-k <key-label> *W7gsrHQ7F8cs /7gsr=.7^9# 163Z<8NXj_'Z5lk SSL 8cs 8cs/7gs, -K rq$f=.5lf$j$lgo" GSKit, +0*K-<&U!$k&G<?Y<9K^^lF$kVGU)k 3N~zr,WH7J$lgO"-<&U!$k&G<?Y<9 (pdsrv.kdb) KVGU)kHWH7F^</ ("9?j9/&^</) Ws: 6. F^</7J$# webseal-cert-keyfile-label Qia<?<rHQ7F WebSEAL Tivoli SecureWay Policy Director WebSEAL I},$I 195

216 -K 8cs/7gs&*W7gsrHQ7F WebSEAL /i$" query_contents Policy Director ;-ejf#<&5<s9rhq7f"h0t"wj 1<7gsN Web 9Z<9Nj=<9r]n7?$lgO"h0T Web 9Z<9NbFKD$FNpsr WebSEAL Ks(9k,W, "j^9# query_contents HFPlk CGI Wm0i`KhCF"3Nps, s!5l^9#query_contents Wm0i`GO"h0T Web 9Z <9bFr!w7"3N$sYsHj<psr WebSEAL N Web Portal Manager Ks!7^9#3NWm0i`O"WebSEAL N$s 9H<k~K<~5l^9,"h0T5<P<Kj0G$s9H<k 7J1lPJj^;s#xQG-kWm0i`&U!$k&?$W O"h0T5<P<r UNIX GHQ9k+"Windows GHQ9k+ KhCF[Jj^9# ]n*v8'/h&9z<9n8cs/7gsr=9t,,"*v8 '/H&9Z<9I}QMkeK8+5lkH-OoK" Web Portal Manager N*V8'/H&9Z<9&^M<8c<KhCF" query_contents,+0*kbt5l^9#3&7f"h0t"wj 1<7gs&9Z<9NbF, Web Portal Manager K,+C?N G"f<6<O3Npsr=(5;":v9k*V8'/HK]j7 <&FsWl<Hr,QG-^9# query_contents Lo"query_contents N$s9H<kOsoKJ1G9#$s9H <kn]k"policy Director 5<P<+ih0T5<P<K 1 D^? O 2 DNU!$kN3T<H"=.U!$kNT8rT$^9#!N Policy Director G#l/Hj<K"Wm0i`NFsWl<H, ~CF$^9# UNIX: <install-path>/www/lib/query_contents 196 P<8gs 3.8

217 Windows: <install-path> www lib query_contents G#l/Hj<NbFKO"!NbN,"j^9# U!$k -R query_contents.exe Win32 79F`QNBTD=JgWm0i`# h0t Web 5<P<N cgi-bin G#l/Hj <K$s9H<k9k,W,"j^9# query_contents.sh UNIX 79F`QNBTD=JgWm0i`# h0t Web 5<P<N cgi-bin G#l/Hj <K$s9H<k9k,W,"j^9# query_contents.c =<9&3<I#=<9,s!5lkNO" query_contents N6kq$rQ99k,W, "klgg9#[hsinlg"3lo,w" j^;s# query_contents.html HTML A0NXkW&U!$k# query_contents.cfg Web 5<P<N8qk<Hr1L9k5sWk =.U!$k# UNIX query_contents query_contents.sh H$&>0N7'k&9/jWHr"J<NG# l/hj<g+u1^9# <install-path>/www/lib/query_contents 1. h0t Web 5<P<N!= /cgi-bin G#l/Hj<K query_contents.sh r3t<7^9# 2..sh H%Rr n7^9# 3. Web 5<P<NI}"+&sHH7F UNIX BTSCHr_j7 ^9# Win32 query_contents J<NG#l/Hj<G"query_contents.exe H$&>0NBTD =Wm0i`H query_contents.cfg H$&>0N=.D=U!$k r+u1^9# 6. WebSEAL Tivoli SecureWay Policy Director WebSEAL I},$I 197

218 Windows: <install-path> www lib query_contents 1. h0t Web 5<P<K CGI G#l/Hj<,57/=.5lF $k+n'7^9# 2. F9HN?aK"h0T Web 5<P<N8qk<HK"-zJ8 q,8_7f$k+n'7^9# 3. h0t Web 5<P<N CGI G#l/Hj<K query_contents.exe r3t<7^9# 4. Windows G#l/Hj<K query_contents.cfg r3t<7^ 9#!N=K"3NG#l/Hj<NGU)kHMr(7^9# *Zl<F#s0&79F` Windows 95 Windows NT 3.5x Windows NT 4.x Windows G#l/Hj< c: windows c: winnt35 c: winnt 5. h0t Web 5<P<N8qk<H&G#l/Hj<r57/Xj 9kh&K"query_contents.cfg U!$krT87^9# U!$kKO"=_"Microsoft $s?<mchps5<p<h Netscape FastTrack 5<P<KX9k5sWk&(sHj<,~C F$^9#3NU!$kN;_3ms (;) GO^kTO3asH G"j"query_contents Wm0i`GO5k5l^9# 1. Win32 ^7seN MS-DOS WmsWHK>CF"J<Nh&K CGI G#l/Hj<+i query_contents Wm0i`rBT7^ 9# MSDOS> query_contents dirlist=/!nh&jpo,=(5lko:g9# 100 index.html cgi-bin// pics// 198 P<8gs 3.8

219 Vf 100 O"5oKBT5l?3Hr(9aju7G9#/J/ HbVf 100,Gi (G"#l) NMG"k3HrN'9kNO sokgzg9# eojk(i<&3<i,=(5l?lgo"=.u!$k,5 7$ljKJ$+"-zJ8qk<H&(sHj<,^^lF$ ^;s# query_contents.cfg U!$kN=.r!:7"8qk 2. Vi&6<+i"!N URL r~o7^9# 3lKhCF"0N9FCWH18kL,a5lJ1lPJj^ ;s#3nkl,a5lj$lgo"web 5<P<N CGI =. Kmj,"j^9#5<P<NqAr2H7F"djr{57^ 9# query_contents query_contents N8gVO"URL WaKH_~^lF$kG#l /Hj<NbFra9?aNbNG9#?H(P"5<P<N Web 9Z<9Nk<H&G#l/Hj<Nb Fr~j9klgO"Vi&6<G"!Nh&J URL N query_contents rbt7^9# query_contents 9/jWHO"!N"/7gsrBT7^9# 1. 8` CGI D-Qt"$SERVER_SOFTWARE ri_hcf"5 <P<&?$Wr=L7^9# Web 5<P<&?$WKpE$F"Qt $DOCROOTDIR rlo N8qk<HLVK_j7^9# 6. WebSEAL 2. Wa5l? URL +id-qt $QUERY_STRING ri_hc F"Wa5l?`nrh@7"*V8'/H&Q9r~j7^ 9# Tivoli SecureWay Policy Director WebSEAL I},$I 199

220 `nmo"$operation QtK]I5l"*V8'/H&Q9 O"$OBJPATH K]I5l^9#e-NcGO"$OPERATION O dirlist G" $OBJPATH OV/WG9# 3. *V8'/H&Q9KP7FG#l/Hj<&j9Hn. (ls) r BT7" Policy Director 5<P<KhkHQKw(F"kLr8 (//),UC5lF$^9# LoNPOO"J<NH*jG9# 100 index.html cgi-bin// pics// Vf 100 O"5oKBT5l?3Hr(9aju7G9# UNIX: UNIX 5<P<Kgo;F query_contents.sh r+9?^$:9k KO"8qk<H&G#l/Hj<N_jNQ9r,WH9klg, "j^9# query_contents,(i<u7 (100 J0NVf) ra7"u!$k Nj9Hrn.7J$lgO"9/jWHr4YF",WG"lP" 5<P<N=.HlW9kh&K $DOCROOTDIR QtrQ97^ 9# 8qk<H&G#l/Hj<r57/Xj7F$Fb"9/jWH, :T9klgO"cgi-bin LVNXj,T5NG"kD=-,"j^ 9#$FULLOBJPATH Qtr4YF"57$ cgi-bin LVr?G9 kh&k"qtkdjvfilf$kmrq97f/@5$# Windows: Windows 5<P<N query_contents.exe r+9?^$:9kko" query_contents.cfg U!$krQ97^9# 200 P<8gs 3.8

221 query_contents Wm0i`N=<9&3<I (query_contents.c) O"Policy Director KU07F"CvHQAJ7G[[5l^9# IC!=O"3NWm0i`KIC7F"$/D+Nh0T Web 5 <P<NCl!=r5]<H9k3H,G-^9#3liN!=K O"!Nh&JbN,"j^9# 1. G#l/Hj<&^CTs0GO"8qk<Hhj<GOJ$5 VG#l/Hj<,"Web 9Z<9K^CW5l^9# 2. U!$k&79F`&Y<9GJ$ Web 9Z<9N8.# G<?Y<9&[9H Web 5<P<NlgK:v9kD=-," j^9# query_contents query_contents CGI Wm0i`O" Policy Director,"8cs/ 7gs5lF$k Web 5<P<N*V8'/H&9Z<9r Web Portal Manager K=(9k?aKHQ7^9#vD5lF$J$f< 6<,3lrBT9kNrI0?a"3NU!$kr]n9k3HO EWG9# I}5<P< (pdmgrd) 1L@1K query_contents Wm0i`K "/;99k3HrvD9k;-ejF#<&]j7<r_j9k, W,"j^9#J<N ACL (query_contents_acl) NcO3Np` r~?7^9# group ivmgrd-servers Tl user sec_master dbxtrlcam 3N ACL r8cs/7gsh5<p<n query_contents.sh (UNIX) ^?O query_contents.exe (Windows) *V8'/HKUC9kKO" pdadmin f<f#jf#<rhq7^9#?h(p"!nh&k7 ^9 (UNIX Nlg)# pdadmin> acl attach /WebSEAL/<host>/<junction-name>/query_contents.sh query_contents_acl 6. WebSEAL Tivoli SecureWay Policy Director WebSEAL I},$I 201

222 202 P<8gs 3.8

223 7 Web 7. Web WebSEAL,;-e"&Ia$sr]n9kWm-7<&5<P<H 7F$sWjasH5lF$klgO" Web j=<9xn7s0 k&5$s*sn?an=je<7gsrw(k3h,7p7p,w KJj^9#3NOGO"WebSEAL Wm-7<=.N Web 9Z< 9#cKO"CLK=.5l?8cs/7gs"0m<Pk&5$s *s"*hs LTPA,"j^9# HTC/NwzOJ<NH*jG9# X7s0k&5$s*s&=je<7gsN?aN BA N=.Y 211Z<8NX0m<Pk&5$s*s (GSO) NHQY 216Z<8NXIBM WebSphere (LTPA) XN7s0k&5$s* sy BA 3NaGO"-b *W7gsrHQ7"WebSEAL N#tN8cs/7 gsko?cf"7s0k&5$s*s=.rn.9klgkm(i 204Z<8NX7s0k&5$s*s (SSO) N50Y Tivoli SecureWay Policy Director WebSEAL I},$I 203

224 XBA 206Z<8NX/i$"sH1L*hSmNQ9o<INs!Y 208Z<8NX5N/i$"sH BA 209Z<8NX/i$"sH BA ny 210Z<8NXGSO +inf<6<>hq9o<ins!y (SSO) ]nj=<9,"pc/(si Web "Wj1<7gs&5<P<K 8_9klgO"=Nj=<9r,WH9k/i$"sHO"#ts Nm0$srToJ1lPJiJ$3H,"j^9#9JoA WebSEAL 5<P<K 1 s*hspc/(si&5<p<k 1 sh $&qgg9#*=i/"=l>lnm0$s4hk"[jkm0$ s1l,,wg9# ^ 31. #tsnm0$s #tnm0$s1lni}h]indjo"7s0k&5$s*s (SSO) a+k:`nhqkhj"?$f$rhg-^9#7s0k& 5$s*s&=je<7gsKhCF"f<6<O"j=<9Nlj KOX8J/"1 sni m0$s@1rhq7f"j=<9k"/ ;9G-^9#PC/(sI&5<P<+iNm0$sWo,5iK "CFb"f<6<+iO)a*Kh}5l^9# BA f<6<opc/(si&5<p<kp7f5n/i$"sh1lp s^?oq9en/i$"sh1lpsrs!9kh&"webseal 204 P<8gs 3.8

225 8cs/7gsr=.9k3H,G-^9# -b *W7gsr_j9 kh"cjn/i$"sh1lpsr HTTP p\'z (BA) <K~lk3H,G-^9# f<6<o"i_k9hl<?<h7f"mcho</no*hs; -ejf#<wor,o7"j<ndjnszrhj7j1lpjj ^;s# 1. PC/(sI&5<P<O"'Zpsr,WH9k+ (WebSEAL O"HTTP A(^9)# 7. Web 2. PC/(sI&5<P<,"'Zpsr,WH9kJiP"3N psn=<9oi3+ (WebSEAL O HTTP XC@<KIsJpsr~lkN+) 3. WebSEAL HPC/(sI&5<P<NVN\3O";-e"\3 G"k,W,"k+ (TCP 8cs/7gs+ SSL 8cs/7gs+) /i$"shh WebSEAL NVNi 'Z,Tol?eK" WebSEAL O7,p\'ZXC@<rn.7^9#WaO"3N8c s/7gsrlj"pc/(si&5<p<^gt/v"3n7,x C@<rHQ7^9#f<6<O 3N7,XC@<K~lkCjN 'ZpsrX(9k?a -b *W7gsrHQ7^9# ^ 32. PC/(sI&5<P<XN'ZpsNs! Tivoli SecureWay Policy Director WebSEAL I},$I 205

226 -b supply -b supply *W7gsO"'Z5l? Policy Director f<6<> (/ i$"shn5n1l) r"e*jmn Q9o<IH loks!9kh&"webseal KX(7^9# 5N/i$"sH& Q9o<IO"3N7Jj*GOHQ7^;s# mnq9o<ikhcf"q9o<ii}n,w,j/jj""wj I,"J<Nh&K"webseald.conf =.U!$kN basicauth-dummy-passwd Qia<?<K_j5l^9# [junction] basicauth-dummy-passwd = <password> 3N7Jj*GO"PC/(sI&5<P<, Policy Director 1L+ in'zr,wh9k3hr[j7f$^9#/i$"sh&f<6 <r{nn Policy Director f<6<k^cw9k3hkhcf" WebSEAL O"PC/(sI&5<P<KX9k'ZrI}7F"J 1JIa$sN7s0k&5$s*s&=je<7gsrs(7^ 9# 3N=je<7gsKO"J<Nro,"j^9# 5N/i$"sHWaK~CF$kf<6<>KC(F"mN (V@_<W) Q9o<IrPC/(sI&5<P<Ks!9kh &K" WebSEAL r=.7^9# webseald.conf =.U!$kbKV@_<WQ9o<Ir=.7 ^9# PC/(sI&5<P<&l89Hj<O"HTTP BA XC@< bks!5lk Policy Director 1Lr'1G-J1lPJj^; s#!)'zps (f<6<>hq9o<i) O"8cs/7gsrp 7FO5lk?a"8cs/7gsN;-ejF#<OEWG 9# SSL 8cs/7gsK9k3Hr//*+a7^9# 206 P<8gs 3.8

227 7. Web ^ 33. 1LHV@_<WQ9o<I,^^lk BA XC@< Policy Director O"9YFNWaKP7F18V@_<WQ9o<I rhq7^9#9yfnf<6<opc/(si&5<p<&l89 Hj<bK18Q9o<IrbCF$^9#&LNV@_<WQ9o <IrHQ7?NGO""Wj1<7gs&5<P<,"=Nf<6 <>rhq7fm0$s9k]n/i$"shn5v-rz@9k, rkojj^;s# /i$"sh,pc/(si&5<p<k"/;99klgk",: WebSEAL rlkh&k9lp"3n=je<7gsk?i;-ej F#<eNdj,88k3HO"j^;s#?@7"M(ilk>N "/;9jJ+i"PC/(sI&5<P<r*}*K]n9k3H bewg9# 3N7Jj*GO"Q9o<I&lYkN;-ejF#<,J$? a"pc/(si&5<p<,e[*k WebSEAL r.q7f"/i $"shn5v-r!z7j1lpjj^;s# PC/(sI&5<P<&l89Hj<O"Policy Director 1Lru 1~lk?aKO"=N1Lb'19k,W,"j^9# Tivoli SecureWay Policy Director WebSEAL I},$I 207

228 BA -b ignore -b ignore *W7gsO"82ru1k3HJ/"5N/i$"sH Np\'Z (BA) & WebSEAL KX(7^9#3N BA /i$"shpsn'zrt &h&k WebSEAL r=.9k3hb"/i$"shns!9k BA K>w9kh&K WebSEAL r=.9k3hbg-^9# m: 3lO?N7s0k&5$s*s&a+K:`GOJ/"`7 m"webseal +io)a*ktolkh0t5<p<xn>\ m0$sg9# 3N=je<7gsKO"J<Nro,"j^9# PC/(sI&5<P<O"BA Khk/i$"sH1Lpsr Wa7^9# PC/(sI&5<P<O"p\'ZNAcls8r/i$"s HKVw7^9#/i$"sHO"WebSEAL 5<P<,Q9r C(J$GO9f<6<>psHQ9o<Ipsr<&~zrV 7^9# PC/(sI&5<P<O"H+N/i$"sHs!NQ9o< Ir]}7^9# 5N/i$"sHWaK~CF$kf<6<>HQ9o<IrP C/(sI&5<P<Ks!9kh&K"WebSEAL r=.7^ 9#!)'Zps (f<6<>hq9o<i) O"8cs/7gsrp 7FO5lk?a"8cs/7gsN;-ejF#<OEWG 9# SSL 8cs/7gsK9k3Hr//*+a7^9# 208 P<8gs 3.8

229 7. Web ^ 34. WebSEAL O5N/i$"sH1Lpsr>w9k BA -b filter -b filter *W7gsO"/i$"sHWarPC/(sI&5<P< K>w9k0K"/i$"sHWa+ip\'ZXC@<r9YF n9kh& WebSEAL KX(7^9#3N7Jj*GO"WebSEAL O"1l;-ejF#<&WmP$@<KJj^9# 3N=je<7gsKO"J<Nro,"j^9# /i$"shh WebSEAL NVKp\'Z,=.5lF$k# PC/(sI&5<P<O"p\'Zr,WH7J$# PC/(sI&5<P<KO"WebSEAL rp7fn_"/;9 G-k# WebSEAL,"PC/(sI&5<P<KeCF'ZrT&# Tivoli SecureWay Policy Director WebSEAL I},$I 209

230 ^ 35. /i$"sh BA n PC/(sI&5<P<KP7F?i+N/i$"sHpsrs!9 k,w,"klgo"3n*w7gsh -c *W7gsrH_go; F"Policy Director /i$"sh1lpsr HTTP kik^~9k3h,g-^9#173z<8nxhttp /i$"sh1lns! (-c)y GSO -b gso -b gso *W7gsO"'Zps (f<6<>hq9o<i) rpc/ (si&5<p<xs!9kh&k WebSEAL KX(7^9#3N' ZpsO"0m<Pk&5$s*s (GSO) rh}9kh&k;ch 3N=je<7gsKO"J<Nro,"j^9# PC/(sI&5<P<&"Wj1<7gsO"WebSEAL l8 9Hj<K~CF$J$"[Jkf<6<>HQ9o<Ir,W H7^9# WebSEAL HPC/(sI&5<P<N$:lKHCFb";- ejf#<oewg9#!)'zps (f<6<>hq9o<i) O"8cs/7gsrp7 FO5lk?a"8cs/7gsN;-ejF#<OEWG9# SSL 8cs/7gsK9k3Hr//*+a7^9# 210 P<8gs 3.8

231 3Na+K:`KD$F"\7/O"X0m<Pk&5$s*s (GSO) (GSO) Policy Director GO"PC/(sI Web "Wj1<7gs&5<P 7s0k&5$s*s&=je<7gsr5]<H7F$^9# 3N7s0k&5$s*s&=je<7gsO"HQ5lkf<6 <&l89hj<n?$wk>cf"j<n 2 LjN}!G5]< H5lF"$sWjasH5l^9# 7. Web DCE l89hj<r}d;-e"&ia$s - Tivoli 0m<P k&5$s*s (GSO) =JrHQ9k# LDAP l89hj<r}d;-e"&ia$s - LDAP G#l/ Hj<O0m<Pk&5$s*sr5]<H9k# 0m<Pk&5$s*sO"HQrvD5lF$k3sTe<F#s 0&j=<9Kf<6<, 1 snm0$sg""/;99k3hr 'D7^9#GSO O"[!o.gN,63sTe<F#s0D- G"#tN79F`*hS"Wj1<7gs+i=.5lF$kgk H~1K_W5lF*j"(sI&f<6<O#tNf<6<>HQ 9o<IrI}9k,W,J/Jj^9# 3N}gO"WebSEAL HPC/(sI Web 5<P<NVKVGSO ru17?w8cs/7gsrn.9k3hg#.5l^9#^:g ik"web Portal Manager rhq7f"gso j=<9h GSO j= <9&0k<Wrn.7J1lPJj^;s# WebSEAL,8cs/7gsh5<P<eNj=<9KP9kWar u.9kh"webseal O GSO 5<P<KP7F"=N,ZJ'Z psrwa7^9#gso 5<P<KO"P?f<6<4HK^CT s0rt&g<?y<9,~cf$^9#3lo"cjnj=<9* hs"wj1<7gskexf<6<>hq9o<irs(7^9# Tivoli SecureWay Policy Director WebSEAL I},$I 211

232 J<N^O"GSO a+k:`rhq7f"pc/(si&"wj1 <7gs&j=<9QNf<6<>HQ9o<Ir!w9k}!r( 7F$^9# 1. PC/(sI&5<P<eN"Wj1<7gs&j=<9XN" /;9WaKD$F"/i$"sHO WebSEAL KP7F'Zr T$^9# Policy Director m: 7s0k&5$s*s&Wm;9O"i 'Z}0HOLDN bng9# 2. WebSEAL, Policy Director 1Lr GSO ^?O LDAP 5<P< KO7^9# 3. 5<P<O"f<6<HWa5l?"Wj1<7gs&j=<9 K,7?"f<6<>HQ9o<Ira7^9# 4. WebSEAL,"8cs/7gsrp7FPC/(sI&5<P<K w.5lkwan HTTP Q9o<Ipsr^~7^9# ^ 36. 0m<Pk&5$s*s&a+K:` 212 P<8gs 3.8

233 !NcKO"GSO, WebSEAL K'Zpsrs!9k}!,(7F "j^9#f<6< Michael, travel-app "Wj1<7gs&j= <9 (212Z<8N^36 r2h) rbt7?$lg"webseal, GSO / LDAP 5<P<K Michael N'ZpsrWa7^9# GSO / LDAP 5<P<O"CjN'ZpsXNj=<9&^CTs0 NA0G'ZpsN04JG<?Y<9r]i7F$^9#'Zps O"f<6<>HQ9o<INH_go;G"j"j=<9&/jG s7ckhfpl^9# j=<9&/jgs7cko"p?q_f <6<KD$FN_n.G-^9# 7. Web 3N5<P<KO"j=<9 travel-app rcjnj=<9&/jg s7ckk^cw9k Michael QNG<?Y<9,~CF$^9#!N=K"GSO j=<9&/jgs7ck&g<?y<9n=$, (7F"j^9# Michael resource: travel-app username=mike password=123 resource: payroll-app username=powell password=456 Paul resource: travel-app username=bundy password=abc resource: payroll-app username=jensen password=xyz 3NcGO"GSO,"f<6<>VmikeWHQ9o<IV123Wr WebSEAL Ka7^9# WebSEAL,3NpsrHQ9kNO"8c s/7gsrp7fpc/(si&5<p<kw.5lkwabkp \'ZXC@<r=.9klgG9# GSO WebSEAL GSO KP9k5]<HO"WebSEAL HPC/(sI&5<P<NV N8cs/7gsK=.5l^9# GSO rhqd==9k8cs/7gsrn.9klgo"create 3 ^sirhq7f -b gso *W7gsrXj7^9#!NcK" create 3^sIN=8,(7F"j^9# Tivoli SecureWay Policy Director WebSEAL I},$I 213

234 create -t tcp -h <host-name> -b gso -T <resource> <jct-point> GSO 8cs/7gsr;CH"CW9k?aN*W7gsKD$ F"J<Kj9H7^9# *W7gs -b gso 3N8cs/7gsrLa9k9YFNWaKX7 F"GSO,'Zpsrs!9k,W,"k3Hr Xj7^9# -T <resource/ resource-group> GSO j=<9^?oj=<9&0k<wrxj7 ^9#3N*W7gsNz-tH7FHQ5lkj =<9>O" GSO G<?Y<9bKj9H5lF $kj=<9>k5nklw9k,w,"j^9# GSO 8cs/7gsNlgO,\G9# WebSEAL/GSO =je<7gsghq5lk8cs/7gso"8c s/7gsnn.~k -t ssl *W7gsrICG,Q7"SSL rl 7FB4rN]9k3H,G-^9# SSL 8cs/7gsO",: GSO HloKHQ7F"/jGs7c kh9yfng<?rnbkef=9k3hr*+a7^9# GSO WebSEAL J<Nh&KXj7F"[9H sales_svr N"Wj1<7gs&j =<9 travel-app r8cs/7gs&]$sh /sales K8cs/ 7gs7^9# create -t tcp -b gso -T travel-app -h sales_svr /sales J<Nh&KXj7F"[9H adm_svr N"Wj1<7gs&j= <9 payroll-app r8cs/7gs&]$sh /admin K8cs/7 gs7"ssl rhcf8cs/7gsrb4k7^9# create -t ssl -b gso -T payroll-app -h adm_svr /admin m: e-ncgo"-t ssl *W7gsGGU)kH&]<H 443, X(5lF$^9# 214 P<8gs 3.8

235 GSO 0m<Pk&5$s*s (GSO) -cc7e!=rq$lp"iyn g-jd-gn GSO 8cs/7gsNQU)<^s9r~19k3 H,G-^9# GSO -cc7eogu)khghqtdg9#-c C7eN!=/=r7J$lgO" GSO?<2CHps (GSO f< 6<>*hS GSO Q9o<I) N!wN?SK LDAP 5<P<K P9kFSP7rT&,W,"j^9# GSO -cc7er=.9kqia<?<o" webseald.conf =.U!$kN [gso-cache] 9?s6K~CF$^9#GiK-cC7e rhqd=k9k,w,"j^9#djnqia<?<o"-cc7 e&(shj<kp9k-cc7e&5$:h?$`"&hmr=. 7^9#83~V*hSs"/F#V&?$`"&HNM,g-1l PQU)<^s9O~e7^9," WebSEAL abj<xnpsn* PH$&j9/,}g7^9#MCHo</&=je<7gsK GSO 8cs/7gsrHQ7J$lgO" GSO -cc7eohq 7. Web Qia<?< gso-cache-enabled gso-cache-size GSO -cc7e!=rhqd=*hsh QTDK7^9#MO"VyesW*hS VnoWG9#GU)kHOVnoWG9# -cc7e&oc7e&f<vkk^a k3hng-k(shj<nggtr_ j7^9#3nmo" GSO 8cs/7 gsrp7f"wj1<7gsk"/; 99k1~f<6<&;C7gsN** g-$h?/nabj<,hq5l^9,"psxn"/;9o./jj^9# F-cC7e&(sHj<Os 50 P$ HrCq7^9# Tivoli SecureWay Policy Director WebSEAL I},$I 215

236 Qia<?< gso-cache-entry-lifetime gso-cache-entry-idle-timeout "/F#SF#<KO5X8K"-cC 7e&(sHj<,-cC7ebK1^ k3hng-kgg~v (C1L)#-c C7e&(sHj<N-z B,Zlk H"=N18f<6<Khk!NWaG O"LDAP 5<P<KP9k77$FS P7,,WKJj^9# s"/f#v&-cc7e&(shj<,-cc7ebk1^k3hng-kg g~v (C1L)# IBM WebSphere (LTPA) Policy Director WebSEAL O"'ZHvD5<S9"*hS IBM WebSphere D-N]nrs!7^9# WebSEAL, WebSphere KP 9k]nUmsH(sIH7F[V5lF$klg""/;99k/ i$"sho 2 DNm0$s&]$sHKPL9kD=-,"j^ 9#=N?a WebSEAL O" WebSEAL 8cs/7gsrp7? 1 DJeN IBM WebSphere 5<P<KP9k7s0k&5$s*s& =je<7gsr5]<h7f$^9# WebSphere KO"cookie Y<9N Lightweight Third Party Authentication a+k:` (LTPA),"j^9#f<6<O" WebSEAL 8cs/7gs, LTPA r5]<h7"/i$"shn? an7s0k&5$s*s&=je<7gsrs!9kh&=.9k 3H,G-^9# f<6<, WebSphere j=<9nwart&h-o"=nf<6<,^: WebSEAL KP7F'Z7"'Z,5oKTolkH" WebSEAL,f<6<N?aK LTPA cookie r8.7^9# WebSphere N'ZH</sH7F// LTPA cookie KO"f<6< 1L*hSQ9o<INps,^^l^9#3NpsO"WebSEAL H WebSphere HNVG&Q5lk"Q9o<I]n5l?k)0r HQ7FEf=5l^9# 216 P<8gs 3.8

237 WebSEAL O"8cs/7gsrp7F WebSphere Kw.5lkW an HTTP cookie r^~7^9#pc/(si WebSphere 5<P<OWaru1hj" cookie ref=r 7" cookie NfK"k1LpsKpE$Ff<6<r'Z7^9# QU)<^s9r~19k?a" WebSEAL O LTPA cookie r-c C7eK]I7F"18f<6<&;C7gsGN=NeNWaK" -cc7e5l?=n LTPA cookie rhq9k3h,g-^9#- cc7e5l? cookie N83~V?$`"&HH"$Ik (s"/ F#V)?$`"&HNMO=.D=G9# LTPA LTPA cookie rp7? WebSphere XN7s0k&5$s*sKO" J<N=.`\,,WG9# 1. LTPA a+k:`nhqd==# 7. Web 2. 1LpsNEf=KHQ5lk-<&U!$kNljNXj# 3. 3N-<&U!$kKP9kQ9o<INXj# 3li 3 DN=.WoO"8cs/7gs create 3^sIXN 3 DNIC*W7gsGXj5l^9# -A *W7gsO"LPTA cookie r5]<h9k8cs/7gsr HQD=K7^9# -F < keyfile > *W7gsHz-tO" cookie K^^lkps NEf=KHQ5lk-<&U!$kNdPQ9>Nlj (WebSEAL 5<P<e) rxj7^9#&--<o"gik WebSphere 5<P<eKn.5l"WebSEAL 5<P<eKB4 K3T<5l^9#3N?9/NCjNv`KX9k\YKD$ FO",ZJ WebSphere qar2h7f/@5$# -Z < keyfile-password > O"-<&U!$kr*<Ws9k? ak,wjq9o<irxj7^9# Q9o<IO"8cs/7gs XML U!$kbK"Ef=5l?F-9HH7F=(5l^9# Tivoli SecureWay Policy Director WebSEAL I},$I 217

238 WebSEAL HPC/(sI WebSphere 5<P<HNVK8cs/7 gsrn.9k]o"3lin*w7gsr">n,\8cs/7g ^9# create... -A -F /abc/xyz/key.file -Z abcdefg... LTPA LTPA cookie Nn."Ef="*hSEf=r O"h}*<P<X CIrz-/37^9# LTPA -cc7e!=rq$lp"iyn g-jd-gn LTPA 8cs/7gsNQU)<^s9r~19k 3H,G-^9# LTPA -cc7eogu)khghqd=g9# -cc7en!=/=r7j$lgo"enf<6<wan?sk7 7$ LTPA cookie,n.5lfef=5l^9# LTPA -cc7er=.9kqia<?<o" webseald.conf =. U!$kN [ltpa-cache] 9?s6K~CF$^9#Qia<?< O"-cC7e&(sHj<KP9k-cC7e&5$:H?$`" &HMr=.7^9#83~V*hSs"/F#V&?$`"&HN M,g-1lPQU)<^s9O~e7^9," WebSEAL abj< XNpsN*PH$&j9/,}g7^9# Qia<?< ltpa-cache-enabled ltpa-cache-size LTPA -cc7e!=rhqd=*hs HQTDK7^9#MO"VyesW*hS VnoWG9#GU)kHMOVyesWG 9# -cc7e&oc7e&f<vkk^a k3hng-k(shj<nggtr_ j7^9#3nmo" LTPA 8cs/7 gsrp7f"wj1<7gsk"/; 99k1~f<6<&;C7gsN** g-$h?/nabj<,hq5l^9,"psxn"/;9o./jj^9# F-cC7e&(sHj<Os 50 P$ HrCq7^9# GU)kHMO 4096 (shj<g9# 218 P<8gs 3.8

239 Qia<?< ltpa-cache-entry-lifetime ltpa-cache-entry-idle-timeout "/F#SF#<KO5X8K"-cC 7e&(sHj<,-cC7ebK1^ k3hng-kgg~v (C1L)#-c C7e&(sHj<N-z B,Zlk H"=N18f<6<Khk!NWaG O"77$ LDAP cookie Nn.,,W KJj^9#GU)kHMO 3600 CG 9# s"/f#v&-cc7e&(shj<,-cc7ebk1^k3hng-kg g~v (C1L)# GU)kHMO 600 CG9# 7. Web LTPA -<&U!$kKO"CjN WebSphere 5<P<KD$FNps,^^l^9# LTPA 8cs/7gsO"1 DN WebSphere 5 <P<KP7FG-G9#188cs/7gs&]$sHK#t N5<P<rIC9klg"9YFN5<P<O1lN-<&U!$kr&Q9k3HKJj^9# 7s0k&5$s*sr5oKT&KO" WebSEAL H WebSphere 5<P<,"18l89Hj<psr"kxY&Q7 J1lPJj^;s# LTPA N;CH"CWH&Qk)0Nn.O WebSphere 5<P<,4v7^9# WebSEAL NX?9kbNO"8cs/7gsH -cc7en=.g9# Tivoli SecureWay Policy Director WebSEAL I},$I 219

241 8 WebSEAL O"D-QtH0* URL!=Khkh0T"Wj1<7 gsn}gr5]<h7^9#webseal GO"D-QtH HTTP X C@<NOOrH%7F"h0T"Wj1<7gs,"/i$"sH N1LKpE$?`nrT(kh&K7^9#5iK"WebSEAL O"0* URL (?H(P"HqF-9H,~CF$kbNJI) KP 9k"/;9&3sHm<krs!G-^9# HTC/NwzO"J<NH*jG9# 8. XCGI Wm0i_s0N5]<HY 224Z<8NXPC/(sI&5<P<&"Wj1<7gsN5] <HY 225Z<8NX0*S8M9qJNHQD==Y 229Z<8NX+9?`DMps_j5<S9Y 232Z<8NX0* URL XN"/;9&3sHm<kNs!Y 241Z<8NX0* URL Nc: The Travel Kingdom RNlgY CGI CGI Wm0i_s0r5]<H9k?aK"WebSEAL GO"8`; CHN CGI QtK"77$D-Qtr 3 DIC7F$^9#3li ND-QtO"m<+k WebSEAL 5<P<H8cs/7gshPC /(si&5<p<niai+gbt5lk CGI "Wj1<7gs Tivoli SecureWay Policy Director WebSEAL I},$I 221

242 KhCFHQ5l^9#3liNQtO"Policy Director G-Nf< 6<ps"0k<Wps"/jGs7ckpsr CGI "Wj1<7 gsks!7^9# m<+k WebSEAL 5<P<eGO"3liND-Qtr+0*K CGI Wm0i`+iHQG-kh&KJj^9# 8cs/7gshh0T5<P<GT/9k CGI "Wj1<7gs,HQ9kD-QtO"WebSEAL +i5<p<ko5l? HTTP X C@<ps+i8.5l^9#f<6<O -c *W7gsrHQ7 F"Policy Director G-NXC@<psrPC/(sI&5<P<" FN HTTP WaK^~9k8cs/7gsrn.7J1lPJj^ ;s# 173Z<8NXHTTP XC@<XN/i$"sH1LNs! (-c)yb 2H7F/@5$# ICN Policy Director G-ND-Qt CGI D-Qt HTTP_IV_USER HTTP_IV_GROUPS HTTP_IV_CREDS b@ Wa&N Policy Director f<6<&"+&sh ># Wa&,09k Policy Director 0k<W#3s ^GhZil?0k<WNj9HH7FXj5l ^9#F0k<WO"sEzQdGO_^9# Policy Director /jgs7ckr=9"(s3< I5l?T)@G<?=$#jb<H&5<P< K/jGs7ckrs!9kNG"fXN"Wj 1<7gsGO"vD API rhq7fvd5< S9rFSP;^9# Policy Director ADK GY mcq< ju!ls9 r2h7f/@5$# m<+k WebSEAL 5<P<eN REMOTE_USER Qt WebSEAL N3sHm<k<K"km<+k&5<P<D-GO"e -N HTTP_IV_USER QtNM,"8` REMOTE_USER QtNM H7Fs!5l^9#J*"REMOTE_USER QtO"8cs/7g 222 P<8gs 3.8

243 shpc/(si&5<p<gbt5lk CGI "Wj1<7gsN r3shm<k9k3ho"j^;s# CGI D-Qt REMOTE_USER HTTP_IV_USER U#<kIH18M,~j^9# Windows: WIN32 3N;/7gsO"m<+k&8cs/7gsKN_,Q5l^9# Windows KhCF"9YFN79F`D-Qt," CGI "Wj1< 7gsJINWm;9G+0*KHQD=KJko1GO"j^; s#lo"f<6<,,wh9k79f`d-qto8_7^9# 7+7"f<6<,,WH9k Windows 79F`D-Qt, CGI D-K8_7J$lgO" webseald.conf =.U!$krp7F CGI Policy Director D-QtO"9YF $#) 8.,WJ Windows 79F`D-Qtr webseald.conf =.U!$kN [cgi-environment-variables] 9?s6KIC7^9#!Nq0rH Q7^9# ENV = <variable-name>?h(p"!nh*jg9# [cgi-environment-variables] #ENV = SystemDrive ENV = SystemRoot ENV = PATH ENV = LANG ENV = LC_ALL ENV = LC_CTYPE ENV = LC_MESSAGES ENV = LOCPATH ENV = NLSPATH 3asHr 7?TO"CGI D-KhCFQ55l^9# Tivoli SecureWay Policy Director WebSEAL I},$I 223

244 WebSEAL KO"PC/(sI Web 5<P<NH_~_3s]<M shh7ft/9kbtd=3<ikp9k5]<hbqu5lf$ ^9#3Nh&J5<P<&BTD=3<INcH7FO"!Nh& JbN,"j^9# Java servlet Oracle Web Listener Q+<HjC8 5<P<&Wi0$s -c *W7gsrHQ7FPC/(sI&5<P<K8cs/7gsr n.9kh"webseal,=n5<p<"fn HTTP K"Policy Director G-N/i$"sH1LpsH0k<W&asP <7CWpsr^~7^9# Policy Director G-N HTTP hh0t5<p<en"wj1<7gso"/i$"shn Policy Director 1LKpE$?f<6<G-N"/7gsrBTG-^9# WebSEAL GO"J<Nh&J Policy Director G-N HTTP <rs!7^9# PD G-N HTTP U#<kI iv-user = iv-groups = b@ /i$"shn7g<h&m<`^?oms0&m< `#/i$"sh,'z5lf$j$ (T@N) l g"gu)khgo Unauthenticated G9# /i$"sh,09k0k<wnj9h#zqdnu $?0k<Wr3s^GhZC?j9HH7FXj5 l^9# 224 P<8gs 3.8

245 PD G-N HTTP U#<kI iv-creds = b@ Policy Director /jgs7ckr=9"(s3<i5 l?t)@g<?=$#jb<h&5<p<k/jg s7ckrs!9kng"fxn"wj1<7gsg O"vD API rhq7fvd5<s9rfsp;^ 9# Tivoli SecureWay Policy Director Authorization ADK GYmCQ< ju!ls9 r2h7f/@5 $# 3liN HTTP XC@<O"D-Qt HTTP_IV_USER" HTTP_IV_GROUPS *hs HTTP_IV_CREDS H7F"CGI "Wj 1<7gs,HQG-^9#=N>Ns CGI "Wj1<7gs&U l<`o</nlgn HTTP Wa+iXC@<r4-P9}!KD $FO":v9kWm@/HNqAr2H7F/@5$# 173Z<8NXHTTP XC@<XN/i$"sH1LNs! (-c)yb 2H7F/@5$# 8. khh=nq<hj<o"7p7pq<hj<&g<? (khv (B2B) X8Nlg) d\rg<? (khp\rnx8nlg) JIN &LqJr&Q9k,W,"k3H,"j^9# llqjo"5<s9rs!9k"wj1<7gsk,wh5l kpsrb@9k0-g9#3non0-ncko"\r"+& shpsd\raag<?,"j^9# ;-ejf#<qjo"j=<9nwanvdkhq5lky+ JrorXj9k0-G9#3NoNroNcKO"f<6<& S8M9rd""/;9&3sHm<k)B"*hShzh@s rja9ks8m9,',"j^9# /m9ia$s'z5<s9 (CDAS) NH%rL7" Policy Director O"'Z~Kf<6<,qJpsrH%?0 / M0-NAGf<6 <&/jgs7ckkh_~`3hrd=k9k@pja+k:`r Tivoli SecureWay Policy Director WebSEAL I},$I 225

246 s!7f$^9#"wj1<7gsovd API rhq7f3ng<?r/jgs7ck+i>\jp9k3h,g-^9#3n CDAS H%N$sWjasHKD$F\7/O" Tivoli Policy Director WebSEAL GYmCQ< ju!ls9 LDAP WebSEAL Kw(ilF$kCLJH_~_qJa+K:`Khj" f<6<jand-*j LDAP psrh%0-h7ff<6<&/ jgs7ckk^~9k3h,g-^9#3lin0-o"8cs/ 7gsrp7FPC/(sI&"Wj1<7gs&5<P<Kw.5 lkwan HTTP f<6<jad-g<?o"f<6<n LDAP l89hj<&" +&shn$:lnu#<ki+inbngb"h%0-h7f f<6<n Policy Director /jgs7ckkic5l^9# WebSEAL O3NG<?r/jGs7ck+ijP7"=lr WebSEAL 8cs/7gsrp7FPC/(sI&5<P<KT /WaN!HTTP PG-"=lKCLJ3<IdvD API O,W"j^;s# d- LDAP psr HTTP WebSEAL =.KO"J<N 2 DN9FCW,<$^9# 1. LDAP l89hj<+id-g<?r!w7"3ng<?rm0 $s~kf<6<&/jgs7ckk^~9k# 2. 8cs/7gsKP7F]5lF$kCjNroKpE$F"/ jgs7ck+i,zjg<?rjp7"=lr8cs/7gs rp7fw.5lkwan HTTP XC@<K^~9k# LDAP d- LDAP f<6<&g<?r/jgs7ckx~lkko"j< N 2 DN}!,"j^9# 1. CjN LDAP G<?r/jGs7ckbNU#<kIK^CW9 k pd.conf =.U!$kN [ldap-ext-cred-tags] 9?s6bK( shj<rn.9k# 226 P<8gs 3.8

247 2. $UNf<6<&G<?r/jGs7ckbNU#<kIK^C W9k+9?` CDAS b8e<krn.9k# 3N CDAS H%N$sWjasHKD$FO" Tivoli Policy Director WebSEAL GYmCQ<&jU!ls9 5$# LDAP inetorgperson *V8'/H&/i9NCjNG<?rf<6 <&/jgs7ckj$nf<6<ja0-u#<kik^cw9k KO" pd.conf =.U!$kN [ldap-ext-cred-tags] 9?s6rH Q7^9#3N9?s6NQia<?<OJ<NA0rhj^9# <custom-credential-field> = <inetorgperson-field> /jgs7ck=nbnnfgo" pd.conf =.U!$kGjA5 lf$kf custom-credential-field Qia<?<O"h,K Vtagvalue_WH$&g,U1il^9#3N\,tO"/jGs7c kbn>n{8pshn%gri.^9#?h(p"!nh*jg 9# 8. inetorgperson *V8'/H/i9N! LDAP f<6<&g<?: +9?`&/jGs7ck&U#<k I>: [ldap-ext-cred-tags] 9?s6bNQi a<?<&(shj<: ldap-employee-number = employeenumber f<6<&/jgs7ckk~lil?(shj<*hsm: tagvalue_ldap-employee-number:09876 employeenumber:09876 ldap-employee-number 3N!=GO"f<6<O LDAP f<6<>hq9o<ikhc F'Z9k,W,"j^9# passwd-ldap 'Za+K:`rH QD=K9k,W,"j^9# libldapauthn (ldapauthn) &Q i$vij<o" pd.conf =.U!$kN [ldap-ext-cred-tags] 9?s6Gd-f<6<jA/jGs7ckpsr2H9kh& K3<G#s05lF$^9# Tivoli SecureWay Policy Director WebSEAL I},$I 227

248 LDAP G<?O"inetOrgPerson *V8'/H&/i9bN8`^?O+9?`&U#<kI+ihk3H,G-^9# [ldap-ext-cred-tags] 9?s6KO#tN(sHj<r~lk3 H,G-^9# 9?s6&(sHj<GXj5lF$k0-O9YF"f<6 <&m0$s~k/jgs7ckk~lil^9# LDAP 0->O"g8z.8z,hL5l^;s# /jgs7ck&u#<ki>o"g8z.8z,hl5l^ 9# HTTP 0N;/7gsGn.7?f<6<jA/jGs7ckpsO"8c s/7gsrp7fpc/(si&5<p<kw.5lkwan HTTP 2 DN?9/,<$^9# 1. CjNd-/jGs7ck&G<?rvD9k8cs/7gsr =.9k#3N?9/O" WebSEAL ]n*v8'/h&9z< 9bN8cs/7gs&*V8'/HN,ZJH%0-r_j9 k3hkhcf#.5l^9# 2. /jgs7ck+i,zjd-psrjp7"=ng<?rwa N HTTP XC@<K^~9k# CjN8cs/7gsGN,WJG<?NjPO"=N8cs/7g s&*v8'/hnh%0-rhq9k3hkhcf3shm<kg -^9#H%0-N>0O"HTTP-Tag-Value G9#3NH%0- O"J<NA0rHQ7^9# <custom-credential-field>=<http-header-field> custom-credential-field Qia<?<O" pd.conf =.U!$kN [ldap-ext-cred-tags] 9?s6K=(5lF$kH*jK=(5l^ 9# tagvalue_ \,to^ail^;s#3nqia<?<o"g 8z.8z,hL5l^9# http-header-field Qia<?<O"G<?N]IKHQ5lk HTTP XC@<N>0rXj7^9#?H( P"!NH*jG9# 228 P<8gs 3.8

249 8cs/7gs&*V8'/HbN HTTP-Tag-Value H%0-# ldap-employee-number=employee-id f<6<&/jgs7ckbk"k(s Hj<*hSM: tagvalue_ldap-employee-number:09876 HTTP *hsm: employee-id:09876 WebSEAL O"PC/(sI&"Wj1<7gs&5<P<KWar O9H-"8cs/7gs&*V8'/HKP7F=.5lF$k HTTP-Tag-Value H%0-r2H7^9# 8cs/7gsrH%0-rQ$F=.9kKO"pdadmin object modify set attribute 3^sIrHQ7^9# pdadmin> object modify <obj-name> set attribute <attr-name> <attr-value>?h(p"!nh*jg9# pdadmin> object modify /WebSEAL/WS1/junctionA set attribute HTTP-Tag-Value ldap-employee-number=employee-id 8. 8cs/7gsh5<P<K#tNf<6<0-G<?rO9KO" #tn pdadmin object modify set attribute 3^sIrHQ7F #tn HTTP-Tag-Value H%0-rXj7^9 (1 DN3^sIK P7F 1 DN0-rXj7^9)# Web ]<?k^?oisa&z<8o"cjnf<6<khqd=j Web j=<9n+9?^$:&j9hr0*k8.9k}g5l? Web 5$H&5<S9G9#j=<9KO"kH3sFsD"5]< H&5<S9"*hSX,D<k,^^l^9#]<?kPOO"C jnf<6<n"/;9vdkpe$fdmps_j5l?j=<9 Nj9Hr(7^9#isA&Z<8KO"=Nf<6<QN57$ "/;9vDr}Dj=<9@1,=(5l^9# Tivoli SecureWay Policy Director WebSEAL I},$I 229

250 Policy Director D-GN+9?`&]<?k&=je<7gsrn. 9kKO" WebSEAL =.*W7gsHvD API qj5<s9rh Q7^9# +9?` WebSEAL ]<?k&5<s9rn.9k?anwm;9& Um<KO"J<N`\,^^l^9# 1. ]n*v8'/h&9z<9ncjnnhrn.7f"]<? k&j=<9&*v8'/hn;chr[v7^9# ACL r3linfj=<9&*v8'/hkuc7 ^9# 3. WebSEAL =.U!$krT87"]<?k&5<S9XN URL"]<?k&j=<9r^`*V8'/H&9Z<9NQ 9"*hS3liNj=<9K"/;99k?aKf<6<K, WKJkvDSCHr^a^9# 4. ]<?k URL KP7Ff<6<Wa,Tolk?SK" WebSEAL OvDqJ5<S9rHQ7F3N*V8'/H&9Z <9r!w7"=Nf<6<NvDroKgC?j=<9Nj9 Hr8.7^9# 5. WebSEAL O3Npsr"PC/(sI (8cs/7gsh) ]<?k&5<p<kw.5lk PD_PORTAL HTTP ^9# 6. PC/(sI&5<P<eK"k+9?`&]<?k&5<S9 (CGI ^?O servlet JI) O" PD_PORTAL DrI_hj"?H(P"3sFsDr"Web Z<8eGf<6 URL js/k^cw7^9#3nps O""/;9&3sHm<kvDKpE$FDMps_j5l?"f<6<KP7FHQD=Jj=<9Nj9Hr=7^9# WebSEAL 1. DMps_j5<S9KP9k7,8cs/7gsrn.7^ 9#?H(P"!NH*jG9# pdadmin> server task <server-name> create -t tcp -h portalhost.abc.com /portal-jct 230 P<8gs 3.8

251 2. webseald.conf =.U!$krT87F"7, [portal-map] 9? s6ric7^9# [portal-map] 3. 3N9?s6bN(sHj<O"]<?k&5<S9&Wm0i `N5<P<jP URL H"HQD=J]n]<?k&jj<9 r57f!w5lk*v8'/h&9z<9nnh"*hs"/ ;9K,WJvDr1L7^9#3lO"PD_PORTAL K~lilkj9HG9# [portal-map] <URL> = <object-space-region>:<permission> m:!wn]o"=nf<6<k,g7?vdr^` ACL,@( *K_j5l?j=<9&*V8'/H@1,*r5l^9# 4. 9?s6*hS,ZJ(sHj<rIC7?eO"WebSEAL (webseald) rfo09k,w,"j^9# ]<?k&5<p<kp9k8cs/7gsnn.: pdadmin> server task webseald-ws1 -t ssl -h PORTAL1 /portal 8. DMps_j5<S9KHQD=Jj=<9r^` WebSEAL ] n*v8'/h&9z<9nnhnja: pdadmin> objectspace create /Resources Portal Object Hierarchy 10 pdadmin> object create /Resources/Content 10 ispolicyattachable yes pdadmin> object create /Resources/Support 10 ispolicyattachable yes pdadmin> object create /Resources/Content/CGI 11 ispolicyattachable yes pdadmin> object create /Resources/Support/Servlet 11 ispolicyattachable yes m: VispolicyattachableWz-tO"Fj=<9KP7FVyesWK _j5lk,w,"j^9#!wa+k:`o"acl,@( *K_j5l?Bjj=<9&*V8'/H@1r*r7^ 9# WebSEAL =. (webseald.conf): Tivoli SecureWay Policy Director WebSEAL I},$I 231

252 [portal-map] /portal/servlet/portalservlet = /Resources:r f<6<,hq9k]<?k URL: URL =TN Web D-GO"f<6<O^cKQ=9kpsK(~K"/ ;9G-^9#?/N Web "Wj1<7gsO"=l>lNf<6 <WaKP9k~zH7F"0*K URL r8.7^9#3nh&j 0* URL O";~V7+8_7J$lg,"j^9# 0* URL O"\A*Kl~*JbNKOc$"j^;s,">^7/J$HQ d"/;9kp7f/oj]n,,wg"k3hkqojo"j^; s# URL ltn:*j Web "Wj1<7gs&D<kGO"8` Web Vi &6<rHQ7"Web 5<P<N CGI $s?<u'<9rp7f" Wj1<7gs&5<P<HL.7^9# 3Nh&JD<kO9YF"0* URL H#7q0(lasHrHQ 7F"Wa5l?*Zl<7gsr (=NQia<?<MH&K) " Wj1<7gs&5<P<KA(^9#0* URL O"CjN*Zl <7gsH=NQia<?<MG8` URL "Il9rd-7^9# URL NHq9Hjs0t,O"Web "Wj1<7gs&$s?<U '<9K*Zl<7gs"Qia<?<*hSMrs!7^9# 232 P<8gs 3.8

253 ^ 37. URL rp7f CGI 2<H&'$KG<?rO9 ACL URL WebSEAL GO"]n*V8'/H&9Z<9&bGkH]j7<& FsWl<H (ACL) rhq7f"g<?y<9wakhj8.5l k URL JI"0*K8.5l? URL r]n7^9# WebSEAL X NFWaO"vDWm;9NGiN9FCWH7F"CjN*V8' /HKrh5l^9#*V8'/HK,Q5l? ACL O"0* URL,=N*V8'/HK^CW5lkH"=lKP9k,WJ] nrx(7^9# 8. 0* URL Ol~*K8_9k@1G"k?a"v0=.vD]j7 <&G<?Y<9&(sHj<r_1F*/3HOG-^;s# Policy Director O"?/N0* URL re*]n*v8'/hk^c W9ka+K:`rw(k3HKhCF"3Ndjrrh7F$^ 9# *V8'/H+iQ?<sXN^CTs0O"!Nh&JWl<s& F-9H&U!$kK]}5l^9# /opt/policydirector/www/lib/dynurl.conf 3NU!$k (server-root KX"U1ilF$k) NljO" webseald.conf =.U!$kN [server] 9?s6bN dynurl-map Qia<?<KhCFjA5l^9# Tivoli SecureWay Policy Director WebSEAL I},$I 233

254 [server] dynurl-map = lib/dynurl.conf J*"3NU!$kO"GU)kHGO8_7J$?a"f<6<, n.7j1lpjj^;s# ((shj<r^s@) 3NU!$k, 8_9kh&KJkH"0* URL!=,HQD=KJj^9# 3NU!$krT87F"3liN^CTs0rQ97^9#U!$ kbn(shj<na0o"!nh*jg9# <object> <template> Policy Director GO"*V8'/H&9Z<9bK 1 DN*V8'/ Hr=.9kQia<?<N;CHrjA9k?aK" UNIX 7' k&q?<s&^cas0 (o$ki+<ir^`) N5V;CHr HQ7^9#3Nh&JQia<?<KlW9k0* URL O"9Y F=N*V8'/HK^CW5l^9# Policy Director,5]<H9k UNIX 7'k&Q?<s&^CAs0 8zO"J<NH*jG9# 8z b@ _-fnek3/8zo"cl7<1s9nltg9#?h(p" t O TAB 8zG9#^?"(91<W8z H7Fb!=7^9#? 1lN8zKP~9ko$kI+<I#?H(P"9H js0 abcde KO"== ab?de GP~7^9# * <mdjen8zkp~9ko$ki+<i# [] IlGbP~G-klHN8zrjA7^9#?H( P"9Hjs0 abcde KO"5,== ab[cty]de GP ~7^9# ^ ]jr(7^9#?h(p"== [^ab] G" a ^?O b J0N9YFN8zKP~7^9#!NcKO"_}Db!wrBT9k0* URL Nq0r(7F"j ^9# P<8gs 3.8

255 3N0* URL r=9*v8'/ho"!nh&kjj^9# 3NcN0* URL rj)k!$7f_kh"cjn}bvfr-r 7F$k3H,,+j^9#home-bank N}BDbr=9*V8' /HO"ACL vd,in }BKb,Q5lk3Hr(7F$^9# IN}BDbKb,Q5lk}3O"(sHj< (acc=*) NGeNt,K"9?j9/&o$kI+<I,HQ5lF*j"3lO9YF N8zKP~9k+iG9#!N^GO"CjN]n*V8'/HK^CW5l?CjN0* URL NbGk&1<9r=N^^(7F$^9# 8. ^ 38. 0* URL KP9kvD URL WebSEAL WebSEAL ]n*v8'/h&9z<9r dynurl.conf =.U!$k bk-~5lk(shj<g979klgo" dynurl update 3^ sirhq7f/@5$# Tivoli SecureWay Policy Director WebSEAL I},$I 235

256 1. dynurl.conf =.U!$kbN0* URL (shj<rn."t 8"^?Oo 9k# 2. Q9rC(*(?i"dynurl update 3^sIrHQ7F5<P <r979k# pdadmin> server task webseald-<server-name> dynurl update server-name z-to"webseal ^7sN$~5lF$J$[9 H>r=7^9# URL *V8'/HXN0* URL NrhO"dynurl.conf =.U!$kb N(sHj<N[sKhCF[Jj^9# *V8'/H&(sHj<XN0* URL N^CWrn_kH" dynurl.conf U!$kbN^CTs0Nj9H,9-cs5l^9# U!$kN9-csO"GiNlWQ?<s,+D+k^G"e+i <^GTol^9# GiNlW,+D+kH"P~9k*V8'/ H&(sHj<rHQ7?e3NvD!:,Tol^9# lw,+u+ij$lgo" WebSEAL O"URL +N+iQ9N t,r $?bnrhq7^9# BjY,b$ ACL KP~9k^CTs0[Ij9HNeLK]}7 ^9#?H(P"umh}"Wj1<7gsN book.sales Wm7< Numh}"Wj1<7gsO9YFNf<6<KhCF"/;9D =G"kH$&lgO"^CTs0O!N=K(9gxGToJ1l PJj^;s# *V8'/H&9Z<9& (shj< /ows/sales/bksale /ows/sales/general URL FsWl<H /ows/db-apps/owa/book.sales* /ows/db-apps/owa/* ^CTs0&(sHj<,UNgxG"C?H9kH" /ows/db-apps/owa G#l/Hj<bN9YFN9H"<I&Wm7 236 P<8gs 3.8

257 <8c<," /ows/sales/general *V8'/HK^CW9k3HK Jj^9#3NlgO"3N*V8'/H&9Z<9rhNmjN? a";-ejf#<n/2r7/d=-,"j^9# URL 5,==r*V8'/H&9Z<9&(sHj<K^CW9k H"URL A0GO"POST }0+ GET }0N$:lrHQ7F$k +KX8J/"A0, GET }0KhCF8.5l?bNH[j9k O:G9# GET }0NG<?AwGO"0*G<? (A0bNf<6<s!NG <?JI), URL KUC5l^9# POST }0NG<?AwGO"0*G<?,WaN\NKH_~^l ^9# ACL 0* URL,*V8'/H&9Z<9&(sHj<Krh5l?e O"8` ACL Q5bGkrHQ7F"Warh}9k+X_9k+,hj5l^9 (C",T=,G"k?a)# POST POST WaN3sFsDOWaN\8K^^l^9#5iK"POST WaO"Vi&6<KhCFhail?3N3sFsDN95r^ _"M rp$hgj9h7^9# 8. post-max-read webseald.conf =.U!$kN [server] 9?s6bN post-max-read Qia<?<O" POST WaN\8+i3sFsD H7FI_~`P$HNGgtrXj9k3HKhCF" WebSEAL GNg,OJ POST WaNFAr)B7^9# WebSEAL KhCF I_~^lk3sFsDO"3N;/7gsG0R7?vD!:NP ]KJj^9# 0* URL h}^?oq0'zk POST Wa,HQ5lk]KO" post-max-read Qia<?<M,M85l^9#GU)kHMO 4096 P$HG9# Tivoli SecureWay Policy Director WebSEAL I},$I 237

258 [server] post-max-read = NQia<?<O"Gg POST 3sFsD&5$: (3lK)BO "j^;s) r)b9kbngoj$h$&@k4mu/@5$#3 NQia<?<O"!0J5$:N POST Warh}9k3H+i WebSEAL r]n7^9# dynurl-allow-large-posts post-max-read Qia<?<O" WebSEAL KhCFI_hilF h}5lk POST 3sFsDNLr)B7^9,"Wa,"Wj1 <7gs&5<P<KO5lk3Hr04KK`o1GO"j^; s#3n7jj*go"ev-!:5lj$3sfsdo"wj1< 7gs&5<P<KO5l^9#"Wj1<7gs&5<P<K=N H+NvD!=,J$lg"3NuVO;-ejF#<&j9/KD J,kD=-,"j^9# dynurl-allow-large-posts Qia<?<rHQ9lP"3sFsDN 95, max-post-read GXj5lF$k95hjb9$ POST Wa r WebSEAL,h}9k}!r3sHm<kG-^9#3NQia<?<MKVnoW (GU)kH),_j5lF$klg" WebSEAL O"3sFsD9, max-post-read GXj5lF$k95hjb9 $ POST WaO$:lb4NH7Fq]7^9# [server] dynurl-allow-large-posts = no Qia<?<MKVyesW,_j5lF$klg"WebSEAL O POST Wa4Nru1~l^9," max-post-read MHy7$3sFsD LN_rEv-!:7^9# [server] dynurl-allow-large-posts = yes c 1: g,oj POST Wa (post-max-read Mhjg) ru1hj^ 9# dynurl-allow-large-posts = no 238 P<8gs 3.8

259 0* URL rhqd=k7^9# kl:vforbiddenw(i<&ac;<8# c 2: g,oj POST Wa (post-max-read Mhjg) ru1hj^ 9# dynurl-allow-large-posts = yes 0* URL rhqd=k7^9# kl: WebSEAL O" post-max-read M^GN3sFsDLr* V8'/H&(sHj<K^CW7"=N*V8'/HKpE$ FvD!:rBT7^9#DjN3sFsDO"*V8'/H& 9Z<9&(sHj<K^CW5l:"3N*V8'/HKX" 7?vD!:OBT5l^;s# J<NFsWl<HO"g,OJ POST WaKhkmQrz-/ 39Q?<s&^CAs0[VN?$Wr^sG$^9# /rtpi153/webapp/examples/hitcount?*action=reset* Ws: WebSEAL,B4K0* URL rh}9kh&=.9kko"j <NU!$krn.7^9# /opt/policydirector/www/lib/dynurl.conf 8. U!$kKO"J<NA0NT, 1 DJe^^lF$k,W," j^9# <object> <template> U!$k,8_7J$lgduNlgO"0* URL OHQD= KJj^;s# U!$k,h}5lkH"*V8'/H>, WebSEAL *V8' /H&9Z<9bNRj=<9H7F=(5l^9# Tivoli SecureWay Policy Director WebSEAL I},$I 239

260 FsWl<HKO"8`Q?<s&^CAs08zN5V;CH r^ak3h,g-^9#fswl<ho"q?<s&^cas 08zr^^J$04lW9Hjs0K9k3HbG-^9# J<N5sWk dynurl.conf U!$kO" IBM WebSphere =JN ltg"k$/d+n5swk Web "Wj1<7gsr=9 3 DN *V8'/HrjA7F$^9# *V8'/H& (shj< /app_showconfig /app_snoop /app_snoop /app_hitcount/ejb /app_hitcount URL FsWl<H /rtpi153/webapp/examples/showconfig* /rtpi153/servlet/snoop /rtpi025/servlet/snoop /rtpi153/webapp/examples/hitcount?source=ejb /rtpi153/webapp/examples/hitcount* ;QeNmU@: #tn URL FsWl<Hr1lN*V8'/HK^CW9k (?H(P"app_snoop r 2 DN[Jk5<P<eN URL K^C W9kJI) 3H,G-^9# *V8'/HOM9HG-^9 (?H(P"app_hitcount *hs app_hitcount/ejb)# e. URL WaO"e+i<NgKFsWl<HHfS5l^ 9#lW,!P5lklg"h}Od_7^9#7?,CF"B jynb$fswl<hou!$knh,kv$f/@5$# dynurl.conf U!$kbNjArh0=9kKO" dynurl update 3^sIr/T7^9 (pdadmin server task rhq)# ]n*v8'/h&9z<9&se<rg7=(9kh"(~k 97,Tol" Web Portal Manager K*V8'/H,=(5l ^9# *V8'/H>KQg8zOHQ7J$G/@5$#.8zN_ rhq7f/@5$# 240 P<8gs 3.8

261 ]n*v8'/h&9z<9bk9gk8_7f$k*v8'/ dynurl.conf U!$kbN*V8'/Hro 9kH"=N*V 8'/HKUC5lF$k ACL Ohj +l^9# URL : The Travel Kingdom!NcKO"Oracle Web Listener KhCF8.5l? URL r"i& 9lPkH$sHiMCHG]nG-k+,(5lF$^9# 3NcGHQ5lF$k0* URL Web 5<P<O"Oracle Web Listener G9#3NF/Nm8<O">N0* URL Web 5<P<K b~qg-^9# Travel Kingdom O"$s?<MCHrL7F\RK9T=s5<S9 rs!9kh%g9#=3g"+rn Web 5<P<eG 2 DN Oracle G<?Y<9&"Wj1<7gsr?Q7"1 DO+RU!$ "&)<kb+i"b& 1 DO$s?<MCHrL7F"=l>l "/;9G-kh&K9k=jG9# T=s79F` vd5l?\rnlgo"jb<hg=s7"+,n=sn=7 KD$FHqG-^9#Travel Kingdom N>Hwb"ECKhk \RKP9k=srT$"Q9rh}7"=N>Kb?/NHi s6/7gsrbtg-^9#0tn\ro"5<s9kp7f /l8ch&+<ighq9k?a"=&7?psnawr7c +j]n9k,w,"j^9# 2. I}^M<8c< [HsINkH,=&G"kh&K"Travel Kingdom Gb"k?"OL"P3KX9kps,~CF$kI}G<?Y<9r] i7f$^9#3ng<?ko"f>hwnl?bu$f$^ 9# Tivoli SecureWay Policy Director WebSEAL I},$I 241

262 G<?Y<9K~CF$k!Nh&J9H"<I&Wm7<8c<X N"/;9rs!G-kh&"Oracle Web Server r=.g-^9# /db-apps/owa/tr.browse /db-apps/owa/tr.book /db-apps/owa/tr.change 9YFNf<6<,9Th"9TebJI KD$FHqG-kh&K7^9# =srt&lgkhq7^9 (9Te}H tg>hwh'z\r)# =_N=sr!$7Q99klgKHQ7 ^9# /db-apps/owa/admin.browse /db-apps/owa/admin.resume /db-apps/owa/admin.update >Hw,"b~Vf" "Il9"L?JINh&J")B,_1ilF$J$ >Hwpsr+klgKHQ7^9# >Hw,I}G<?Y<9K~CF$k+,Nzrqpsr=(5;F+?j"Q9 7?jG-kh&K7^9# I}tg>Hw,>HwKX9kpsr9 79klgKHQ7^9# Web WebSEAL 5<P<rHQ7F" Travel Kingdom N}l Web 9Z <9XN;-e"&$s?<U'<9rs!7^9# 9T=s"Wj1<7gsHI}"Wj1<7gsN>}rBT 9k Oracle Web 5<P<XN8cs/7gs (/ows),g-^ 9# H$d9$79F`r]}7J,ib"Web j=<9k,zj;-e jf#<rb\9k?ak"qroj<nh&j;-ejf#<\8 r_1^7?# 1. 9Te}Htg>HwO"9YFN=sr04K3sHm<kG -k# 242 P<8gs 3.8

263 2. 'ZQ_\RO"=NM+HN=srT&3HbQ99k3Hb G-k,"=NMJ0N'ZQ_\RN9TG<?K3D9k3 HOG-J$# 3. I}tg>HwO"I}psN9YFKP7F04J"/;9" r}d# 4. Travel Kingdom NI}tgJ0N>HwO"+,+HNzrqp srq99k3h,g-"+,j0n>hwnt,*jpsr+ k3h,g-k# URL ;-ejf#<&]j7<\8r#.9k?ako"!n=k(9h &K"0* URL +i ACL *V8'/H&(sHj<XN^CTs 0r=.9k,W,"j^9# *V8'/H& 9Z<9&(sHj< /ows/tr/browse /ows/tr/auth /ows/tr/auth /ows/admin/forall /ows/admin/forall /ows/admin/auth 3Nh&J^CTs0N[s (gxu1),";-ejf#<\8n URL Q?<s /ows/db-apps/owa/tr.browse?dest=*&date=??/??/???? /ows/db-apps/owa/tr.book?dest=*&depart=??/??/????&return=??/??/???? /ows/db-apps/owa/tr.change /ows/db-apps/owa/admin.resume /ows/db-apps/owa/admin.browse?empid=[th]??? /ows/db-apps/owa/admin.update?empid=???? 8. /i$"sho"b4jef=5l?acmkrl7f WebSEAL K 'Z5l^9# Web $s?<u'<9rhq7?$\rnlgo"5ik Travel Kingdom Web ^9?<KP?7F""+&sHru1hk,W," j^9# 79F`eKJ<N 4 DN0k<W,n.5l^9# Tivoli SecureWay Policy Director WebSEAL I},$I 243

264 Staff TKStaff AdminStaff Customer Travel Kingdom NH%K09k>Hw Travel Kingdom N9Te}9 Travel Kingdom NI}tg>Hw#J*"I}tg >HwO"Staff 0k<WKb~CF$^9# $s?<mchkhk9tn=sru>9k Travel Kingdom N\R# Ff<6<KO"WebSEAL 5<P<,D9Kf<6<r1LG-k h&k;-e"&ia$sbk=l>l"+&sh,?(il^9# f<6<n1lo Oracle Web 5<P<KO5l"Web j=<9n 9YFK7s0k&5$s*s&=je<7gs,G-kh&KJj ^9#!N=KO"0-Npsr,Q7?kLG"k"/;9&3sHm< k,j9h5lf$^9# /ows/tr/browse /ows/tr/auth /ows/admin/forall /ows/admin/auth s'z Tr any_authenticated Tr s'z - any_authenticated - group TKStaff Tr group Customer PTr s'z - any_authenticated - group Staff Tr s'z - any_authenticated - group AdminStaff Tr Customer H TKStaff O"=sH9TWhN]i*V8'/HKX7 F"18C"r}CF$^9#?@7"c0H7F"Customer Nlg O"psrEf=7 (Wi$P7<vD)"sHi9FCI&$s?< MCHrL7F!)G<? (/l8ch&+<ipsji) rs!9 k]"5ijk;-ejf#<rn]9k,w,"j^9# 3N1cJcG(7?NO"J<rT&3H,G-k79F`r8+ 9k50G9#!)psr!)]n9k# 244 P<8gs 3.8

265 f<6<r'z9k#!)psxn"/;9rvd9k# 5iK"79F`'Zf<6<N1LO"WebSEAL H Oracle Web 5<P<N>}K'15l"F:D=J"7s0k&5$s*s&= je<7gsrs!9k?akhq5l^9# 8. Tivoli SecureWay Policy Director WebSEAL I},$I 245

A webseald.conf

webseald.conf configuration file: categories and stanzas:

WEBSEAL GENERAL
  [server]
LDAP
  [ldap]
SSL
  [ssl]
JUNCTION
  [junction]
  [filter-url]
  [filter-schemes]
  [script-filtering]
  [gso-cache]
  [ltpa-cache]
AUTHENTICATION
  [ba]
  [forms]
  [token]

  [certificate]
  [http-headers]
  [auth-headers]
  [ipaddr]
  [authentication-levels]
  [mpa]
  [cdsso]
  [cdsso-peers]
  [failover]
  [e-community-sso]
  [inter-domain-keys]
  [authentication-mechanisms]
  [ssl-qop]
  [ssl-qop-mgmt-hosts]
  [ssl-qop-mgmt-networks]
  [ssl-qop-mgmt-default]
SESSION
  [session]
CONTENT
  [content]
  [acnt-mgt]
  [cgi]
  [cgi-types]
  [cgi-environment-variables]
  [content-index-icons]
  [icons]
  [content-cache]
  [content-mime-types]
  [content-encodings]

269 LOGGING [logging] AUTHORIZATION API [aznapi-configuration] [aznapi-entitlement-services] POLICY DIRECTOR [policy-director] [manager] WEBSEAL GENERAL Qia<?< [server] 9?s6 SYSTEM unix-user WebSEAL 5<P<KP9k UNIX f<6 <&"+&sh# unix-group WebSEAL 5<P<KP9k UNIX 0k< W&"+&sH# unix-pid-file PID U!$kNlj# server-root WebSEAL 5<P<KP9kk<H&G# l/hj<# server-name WebSEAL 5<P<&$s9?s9># THREADS AND CONNECTIONS worker-threads WebSEAL o<+<&9lcint# client-connect-timeout i /i$"sh\3?$`"&h# persistent-con-timeout HTTP/1.1 }3\3?$`"&H# HTTPS CLIENT https HTTPS "/;9NvD# https-port ;-e" HTTPS WaQKHQ9k]< H# HTTP CLIENT http s;-e" HTTP (TCP) "/;9NvD# http-port s;-e" HTTP WaQKHQ9k]< H# POST REQUESTS Tivoli SecureWay Policy Director WebSEAL I},$I 249 A. webseald.conf

270 Qia<?< post-max-read DYNURL dynurl-map dynurl-allow-large-posts URI HANDLING utf8-url-spport-enabled WEBSEAL GENERAL POST WaN\8H7FI_~^lkP$ HNGgt# URL H]n*V8'/HVN^CTs0& U!$kNlj# post-max-read GXj5lF$k95hj 9$ POST WarI_hk WebSEAL N! =r)b7^9# Qia<?< [ldap] 9?s6 ldap-server-config LDAP ldap.conf =.U!$kNlj (=.~K_ j5lk)# cache-enabled m<+k LDAP -cc7erhqd=*h SHQTDK7^9# prefer-readwrite-server HQD=Jlg"q-~_D= LDAP 5< P<N*rrvD7^9# auth-using-compare default-policy-overridesupport user-and-group-in-samesuffix fsq9o<i`nrhq7f"ldap P $sihjb.j'z!:,t(kh&k 7^9# GU)kH&]j7<^?Of<6<jA ]j7<r!:7^9#!wqu)<^s9#0k<w,f<6< H18 LDAP \xtgja5lf$k3h r(7^9# ssl-enabled WebSEAL P LDAP NL.QK SSL rh QD=*hSHQTDK7^9# ssl-keyfile SSL -<&U!$kNlj# ssl-keyfile-dn SSL -<&U!$kbNZ@qiYk (" lp)# ssl-keyfile-pwd SSL -<&U!$k&Q9o<I# 250 P<8gs 3.8

271 Qia<?< bind-dn bind-pwd enabled host port LDAP WebSEAL G<bsN1L> (=.~K_j 5lk)# WebSEAL G<bsNQ9o<I (=.~K _j5lk)# Qia<?< [ssl] 9?s6 webseal-cert-keyfile webseal-cert-keyfile-pwd webseal-cert-keyfile-stash webseal-cert-keyfile-label ssl-keyfile ssl-keyfile-pwd ssl-keyfile-stash ssl-keyfile-label disable-ssl-v2 disable-ssl-v3 disable-tls-v1 SSL Tivoli SecureWay Policy Director WebSEAL I},$I SSL ;C7gsN^WN]K WebSEAL K WebSEAL Z@qk)0Q9o<I# WebSEAL k)0q9o<i stash U!$ knlj# HQ9k"GU)kHJ0N WebSEAL btl.khq5lk WebSEAL Z@q- <&U!$kNlj# (btl.qn) WebSEAL Z@qk)0Q 9o<I# (btl.qn) WebSEAL k)0q9o< I stash U!$kNlj# (btl.k) HQ9k"GU)kHJ0N Z@qN>0# *r*k SSL V2 5]<HrHQTDK7 ^9# *r*k SSL V3 5]<HrHQTDK7 ^9# *r*k TLS V1 5]<HrHQTDK7 ^9# 251 A. webseald.conf

272 Qia<?< ssl-v2-timeout ssl-v3-timeout ssl-max-entries ssl-ldap-server ssl-ldap-server-port ssl-ldap-user ssl-ldap-user-password ssl-auto-refresh ssl-listening-port ssl-pwd-life ssl-authn-type SSL SSL V2 \3KP9k GSKit -cc7e& ;C7gs ID?$`"&H# SSL V3 \3KP9k GSKit -cc7e& ;C7gs ID?$`"&H# GSKit SSL ;C7gs ID -cc7ebn 1~(sHj<NGgt# CRL!:KHQ9k LDAP 5<P<# CRL!:QK3N LDAP 5<P<, listen 7F$k]<HVf# LDAP 5<P<KP9kI}f<6<# LDAP 5<P<NI}f<6<NQ9o< I# Qia<?< [junction] 9?s6 junction-db jmt-map http-timeout https-timeout ping-time basicauth-dummy-passwd JUNCTION 8cs/7gs&G<?Y<9Nlj# 8cs/7gsHWaHNVN^CTs 0&F<Vk (JMT) Nlj# TCP Y<9&8cs/7gsKP9kw.HI_hjN?$`"&H# SSL Y<9&8cs/7gsKP9kw.HI_hjN?$`"&H# WebSEAL 8cs/7gsh5<P<V ping k<askp9k$s?<pk# V-b supplyw8cs/7gsrp7fp \'ZG<?rs!9k]N0m<P k&q9o<i# 252 P<8gs 3.8

273 Qia<?< worker-thread-hard-limit worker-thread-soft-limit io-buffer-size DOCUMENT FILTERING [filter-url] 9?s6 <tag> = <attribute> [filter-schemes] 9?s6 scheme = <scheme-name> [script-filtering] 9?s6 script-filter GSO CACHE [gso-cache] 9?s6 gso-cache-enabled gso-cache-size gso-cache-entry-lifetime gso-cache-entry-idle-timeout LTPA CACHE [ltpa-cache] 9?s6 ltpa-cache-enabled JUNCTION Tivoli SecureWay Policy Director WebSEAL I},$I b@ CjN8cs/7gsKP9k"War h}9kgwo<+<&9lcinq< ;sh# CjN8cs/7gsKP9k"War h}9kgwo<+<&9lcinq< ;sh# 8cs/7gsKP7FI_hj*hS q-~_rt&?anpcu!<&5$ :# 8cs/7gsh5<P<+iN~zN fg WebSEAL,U#k?<`n9k URL 0-# 8cs/7gsh5<P<+iN~zN fg WebSEAL,U#k?<`n9k URL 9-<^Nj9H# 8cs/7gsh5<P<eN9/jW H+iNdP URL NU#k?<NHQ D=*hSHQTDK7^9# GSO -cc7erhqd=*hshqt DK7^9# GSO -cc7ebn(shj<nt# GSO -cc7e&(shj<ngg83 ~V# s"/f#v GSO -cc7e&(sh j<ngg83~v# LTPA -cc7erhqd=*hshq TDK7^9# 253 A. webseald.conf

274 Qia<?< ltpa-cache-size ltpa-cache-entry-lifetime ltpa-cache-entry-idle-timeout JUNCTION LTPA -cc7ebn(shj<nt# LTPA -cc7e&(shj<ngg8 3~V# s"/f#v LTPA -cc7e&(sh j<ngg83~v# AUTHENTICATION Qia<?< BASIC AUTHENTICATION [ba] 9?s6 ba-auth p\'za+k:`rhqd=*hshq TDK7^9# basic-auth-realm Vi&6< BA m0$s&wmswhk= (5lklk`># FORMS [forms] 9?s6 forms-auth q0rhq7?'zrhqd=*hshq TDK7^9# TOKEN [token] 9?s6 token-auth H</s&Q93<IrHQ7?'ZrH QD=*hSHQTDK7^9# CERTIFICATE [certificate] 9?s6 accept-client-certs WebSEAL =.7^9# HTTP HEADERS [http-headers] 9?s6 http-headers-auth HTTP *hshqtdk7^9# [auth-headers] 9?s6 header 'ZKHQ5lkCjN HTTP IP ADDRESS [ipaddr] 9?s6 254 P<8gs 3.8

275 Qia<?< ipaddr-auth AUTHENTICATION IP "Il9psrHQ7?'ZrHQD= *hshqtdk7^9# STEP UP [authentication-levels] 9?s6 level = unauthenticated 9FCW"CW'Z=.# level = password MULTIPLEXING PROXY AGENTS [mpa] 9?s6 mpa?e}0wm-7<&(<8'shkhk 'ZN5]<HrHQD=*hSHQTD K7^9# CDSSO [cdsso] 9?s6 cdsso-auth CDSSO H</srHQ7?'ZrHQD= *hshqtdk7^9# authtoken-lifetime CDSSO 'ZH</sNGg83~V# [cdsso-peers] 9?s6 <machine-name> = CDSSO K2C7F$kIa$s&T"# <keyfile-location> FAILOVER [failover] 9?s6 failover-auth U'$k*<P< cookie Nu.rD=*h STDK7^9# failover-cookies-keyfile cdsso_key_gen G8.5l? cookie Ef 0Nlj (dpq9>)# failover-cookie-lifetime U'$k*<P< cookie 3sFsD,-z G"k~VN~V)B# enable-failover-cookie-fordomain e-community SSO [e-community-sso] 9?s6 e-community-sso-auth Tivoli SecureWay Policy Director WebSEAL I},$I U'$k*<P< cookie?$wr"5<p <G- cookie +iia$sg- cookie K Q97^9# e-community SSO rhqd=*hshqt DK7^9# 255 A. webseald.conf

276 Qia<?< e-community-name AUTHENTICATION V]ZWH</s*hSWabK=(5l k e-community ># intra-domain-key DNS Ia$sbN WebSEAL $s9?s 9VNL.r]n9k?aKHQ5lk- <&U!$kNlj# is-master-authn-server m<+k&^7sr^9?< WebSEAL ' Z5<P<H7FXj7^9# master-authn-server ^9?< WebSEAL 'Z5<P<N>0 (m<+k&^7sgj$lg)# master-http-port ^9?<'Z5<P<, listen 9k"8` GOJ$ HTTP ]<H# master-https-port ^9?<'Z5<P<, listen 9k"8` GOJ$ HTTPS ]<H# vf-token-lifetime V]ZWH</s83~VM# vf-url V]ZWURL# ec-cookie-lifetime e-community cookie 83~VM# [inter-domain-keys] 9?s6 <domain-name> = <keyfile> e-community K2C7F$k>NIa$sQ N-<&U!$k# AUTHENTICATION MECHANISMS AND LIBRARIES [authentication-mechanisms] 9?s6 passwd-cdas passwd-ldap passwd-uraf token-cdas cert-ssl cert-cdas http-request cdsso passwd-strength cred-ext-attrs 5]<H5lk'Za+K:`HX"9k &Qi$Vij<Nj9H# SSL QUALITY OF PROTECTION MANAGEMENT [ssl-qop] 9?s6 ssl-qop-mgmt ]nnjani}rhqd=*hshqt DK7^9# [ssl-qop-mgmt-hosts] 9?s6 <ip-address> D9N[9HKP9k QOP Ef=lY k# [ssl-qop-mgmt-networks] 9?s6 256 P<8gs 3.8

277 Qia<?< <ip-address/mask> AUTHENTICATION D9NMCHo</KP9k QOP Ef= lyk# [ssl-qop-mgmt-default] 9?s6 default "s^can>n9yfn IP "Il9K P9kGU)kH QOP Ef=lYk# Qia<?< [session] 9?s6 max-entries timeout inactive-timeout SSL CLIENT SESSIONS ssl-id-sessions SHARING SESSIONS use-same-session SENDING SESSION COOKIES resend-webseal-cookies SESSION WebSEAL /jgs7ck / ;C7gs& -cc7ebn1~(shj<nggt# WebSEAL /jgs7ck / ;C7gs& -cc7ebn(shj<ngg83~ V# WebSEAL /jgs7ck&-cc7eb Ns"/F#V&(sHj<N83~V# SSL ID rhq7f HTTPS m0$s&;c 7gsr]i7^9# HTTP H HTTPS HNVGZjXok/i $"shkp7f18;c7gs ID rh Q7^9# /i$"shxn~zn?sk"=.q_ N;C7gsHU'$k*<P< cookie r w.7^9# CONTENT Qia<?< [content] 9?s6 LOCAL DIRECTORIES AND FILES Tivoli SecureWay Policy Director WebSEAL I},$I b@ 257 A. webseald.conf

278 Qia<?< doc-root directory-index delete-trash-dir LOCAL USER DIRECTORIES user-dir ERROR PAGES error-dir CONTENT Web 8qDj<Nk<H&G#l/Hj <# G#l/Hj<wzU!$kN>0# "I_K9Hl<?<KhCFo 5l? U!$kQNl~ trash G#l/Hj<# G#l/Hj<O"&L!HTML 8qr^ `f<6<n[<`&dj<g9# WebSEAL l/hj<# ACCOUNT MANAGEMENT PAGES [acnt-mgt] 9?s6 mgt-pages-root "+&shi}z<8nk<h# login 8`m0$sq0N>0# logout m0"&h,5oktol?ek=(5l kz<8n>0# account-locked "+&sh,mc/5lf$??ak'z,:t7?lgk=(5lkz<8n> 0# passwd-expired Q9o<IN-z B,ZlF$??aK f<6<'z,:t7?lgk=(5lk Z<8N>0# passwd-change Q9o<IQ9q0N>0# passwd-change-success Q9o<IQ9Wa,5oKTol?lg K=(5lkZ<8N>0# passwd-change-failure Q9o<IQ9Wa,:T7?lgK=( 5lkZ<8N>0# help -zji}z<8xnjs/,^^lf$ kz<8n>0# token-login H</s&m0$sq0N>0# next-token!nh</sq0n>0# stepup-login 9FCW"CW'Zm0$sq0N>0# LOCAL CGI 258 P<8gs 3.8

279 Qia<?< [cgi] 9?s6 cgi-timeout CONTENT R CGI Wm;9KP9kq-~_*hSI _hjn?an?$`"&hm# [cgi-types] 9?s6 bat = cmd cmd = cmd pl Win32 5<P<Nlg"CjN CGI U! = perl sh = sh tcl = $kh%gbt9kwm0i`rxj7^ tclsh76 9# [cgi-environment-variables] 9?s6 ENV CGI Wm0i`KhCFQ55lkD-Q t# ICONS [content-index-icons] 9?s6 image/* video/* audio/* text/html text/* application/x-tar application/* [icons] 9?s6 diricon backicon unknownicon DOCUMENT CACHING [content-cache] 9?s6 text/html image/* */* WebSEAL KhkG#l/Hj<wzN8.~KHQ9k0iU#C/&"$3sr Xj7^9 (index.html,j$lgk/ 8)# 5VG#l/Hj<QKHQ9k"$3 s# FG#l/Hj<QKHQ9k"$3s# T@NU!$k&?$WQKHQ9k"$ 3s# WebSEAL,abj<bK]I9kCjN 8q MIME?$WN-cC7e&?$WH 5$:rjA7^9# MIME TYPES [content-mime-types] 9?s6 <extension> = <type> CjN8qH%N MIME?$WrXj7^ 9# deftype 8q?$W,^CTs0&F<VkKj9 H5lF$J$H-KHQ9k"GU)k HN MIME?$W# Tivoli SecureWay Policy Director WebSEAL I},$I 259 A. webseald.conf

280 CONTENT Qia<?< CONENT ENCODINGS [content-encodings] 9?s6 gz Z 3sFsDN(s3<Ir5]<H9kV i&6<n(s3<i&?$wk8qh% r^cw7^9# Qia<?< [logging] 9?s6 server-log max-size flush-time requests requests-file referers referers-file agents agents-file gmt-time LOGGING b@ 5<P<&(i<&m0&U!$kNl j# HTTP m0kp9km0&u!$k&m< k*<p<7-$m# HTTP m0&u!$k&pcu!<nui C7eQY# HTTP Wam0rHQD=*hSHQTD K7^9# HTTP Wam0Nlj# HTTP 2Hm0rHQD=*hSHQTD K7^9# HTTP 2Hm0Nlj# HTTP (<8'sH&m0rHQD=*h SHQTDK7^9# HTTP (<8'sH&m0Nlj# =O~VSGOJ/ GMT (0jKC88` ~) ~V GNm0Wa# AUTHORIZATION API Qia<?< b@ [aznapi-configuration] 9?s6 db-file m<+k&/i$"shn]j7<&g<?y<9&-cc7e&u!$knlj# 260 P<8gs 3.8

281 Qia<?< cache-refresh-interval AUTHORIZATION API ^9?<'Z5<P<KP9k97 (]<j s0) N?aN!:NVVrjA7^9# listen-flags ]j7<&-cc7e97lnnu1hj KP9k"HQD==*hSHQTD=U i0# tcp-port listener Q TCP ]<H# udp-port listener Q UDP ]<H# AUTHORIZATION API LOGGING logclientid=webseald logsize I}F:m0KP9km0&U!$k&m <k*<p<7-$m# logflush I}F:m0&U!$k&PCU!<NU ic7eqy# logaudit F:rHQD=*hSHQTDK7^9# auditlog F:m0Nlj# auditcfg = azn vd$yshnhj~_# auditcfg = authn 'Z$YsHNhj~_# auditcfg = wand WebSEAL $YsHNhj~_# AZNAPI SERVICE DEFINITIONS <service-id> mode azn-server-name pd-user-name [aznapi-entitlement-services] 9?s6 AZN_ENT_EXT_ATTR POLICY DIRECTOR Qia<?< b@ [policy-director] 9?s6 config-file pd.conf =.U!$kNlj# [manager] 9?s6 master-host master-port Tivoli SecureWay Policy Director WebSEAL I},$I 261 A. webseald.conf

282 Qia<?< master-dn POLICY DIRECTOR 262 P<8gs 3.8

283 B WebSEAL pdadmin f<f#jf#<ko"pc03^sitwmswh,q U5lF*j"=3+i8cs/7gs&?9/rBTG-^9# HTC/NwzOJ<NH*jG9# XVpdadmin server taskwrhq7?8cs/7gsnn.y 265Z<8NXJunction 3^sIY 266Z<8NXi 5<P<QN7,8cs/7gsNn.Y 270Z<8NX{8N8cs/7gsXN7?J5<P<NICY pdadmin server task pdadmin rhq9k0k"sec_master I}f<6<H7F;-e "&Ia$sKm0$s7J1lPJj^;s#?H(P"!Nh&K7^9# UNIX: # pdadmin pdadmin> login Enter User ID: sec_master Enter Password: pdadmin> Windows: Tivoli SecureWay Policy Director WebSEAL I},$I 263 B. WebSEAL

284 MSDOS> pdadmin pdadmin> login Enter User ID: sec_master Enter Password: pdadmin> 3N>"J<N*W7gsrHQ9k1l3^sITrQ$Fb18 # pdadmin -a sec_master -p <password> pdadmin> WebSEAL 8cs/7gsrn.9kKO" pdadmin server task 3^sIrHQ7^9# pdadmin> server task <server-name> <task> server-name z-to"b]n^7s>h3n3^sikhcfhq 5lk Policy Director 3s]<MsH (WebSEAL JI) N040G 9# <policy-director-component>-<machine-name>?h(p"^7s>, cruz G Policy Director 3s]<MsH, WebSEAL G"klgN server-name OJ<NH*jG9# webseald-cruz server-name 0r!:9kKO"server list 3^sIrHQ7^9# pdadmin> server list webseald-cruz p\ WebSEAL 8cs/7gsrn.9kNK,WJ,\3^sI& *W7gsKO"J<NbN,"j^9# PC/(sI&"Wj1<7gs&5<P<N[9H> (-h *W 7gs) 8cs/7gs&?$W -- tcp"ssl"tcpproxy"sslproxy"local (-t *W7gs) 8cs/7gs&]$sH (^&sh&]$sh) pdadmin> server task <server-name> create -t <type> -h <host-name> <jct-point> 264 P<8gs 3.8

285 Junction pdadmin server task H&KJ<N junction 3^sI,HQG-^ 9# 3^sI create add remove i 5<P<QH7F7,8cs/7gsrn.7 ^9# {8N8cs/7gs&]$sHKICN5<P< (1 DJe) ric7^9# 8cs/7gs&]$sH+i5<P<r n7^ 9# =8: remove -i <server-id > <junction-point> delete list show jmt load jmt clear show 3^sIrHQ7F"CjN5<P<N ID r=l7^9# 8cs/7gs&]$sHr n7^9# =8: delete <junction-point > 3N5<P<eN48cs/7gs&]$sHrj 9H7^9# =8: list 8cs/7gsN\Yr=(7^9# =8: show < junction-point> jmt load 3^sIKhCF"0*K8.5l?5 <P<jP URL Nh}rT&?aN WebSEAL K 8cs/7gs&^CTs0&F<Vk&G<? (jmt.conf),s!5l^9# help help <command> jmt clear 3^sIO"WebSEAL +i8cs/7 gs&^cts0&f<vk&g<?r n7^ 9# junction 3^sIrj9H7^9# =8: help Tivoli SecureWay Policy Director WebSEAL I},$I CjN junction 3^sIKX7F\YJXkWr= (7^9# 265 B. WebSEAL

286 exit 3^sI pdadmin f<f#jf#<r*;7^9# =8: exit 3liN3^sI"*hSX"9k*W7gsKD$FO"J<Na `n: 7,8cs/7gs&]$sHrn.7"i 5<P<r8c s/7gs7^9# =8O"!NH*jG9# create -t <type> -h <host-name> [<options>] <junction-point> 8cs/7gs&?$W -t <type> **,\ ** 8cs/7gsN?$W# tcp"ssl" tcpproxy"sslproxy"local N$:l+G 9# -t tcp NGU)kH&]<HO 80 G9# -t ssl NGU)kH&]<HO 443 G9# [9H> -h <host-name> **,\ **?<2CH&PC/(sI&5<P<N DNS [9H>^?O IP "Il9# *W7gs SSL rp7?j_'z -K <key-label> WebSEAL C/(sI&5<P<KP7F'Z7^9# -B WebSEAL O BA XC@<psrHQ7P C/(sI&5<P<KP7F'Z7^9# -U"-W"*hS -b U#k?<&*W7gs,,WG9# 266 P<8gs 3.8

287 -U < username > WebSEAL f<6<># -B H&KHQ7 F"BA P<Kw.7^9# -W < password > WebSEAL Q9o<I# -B H&KHQ7 F"BA P<Kw.7^9# -D < DN > DN HN M-go;Khj"'Z,H%5l^9# Wm-7<&8cs/7gs&*W7gs (-t tcpproxy ^?O -t sslproxy,,w) -H <host-name> Wm-7<&5<P<N DNS [9H>^? O IP "Il9# -P <port> Wm-7<&5<P<N TCP ]<H# BA XC@<psNs! -b <BA-value> WebSEAL 5<P<,PC/(sI&5<P <K HTTP BA 'ZpsrO9}!rjA 7^9#!N$:l+ 1 DKJj^9# filter (default), ignore, supply, gso ll*j TCP *hs SSL 8cs/7gsN*W7gs -c <id-types> Policy Director /i$"sh1lr8cs/ 7gsrp7F HTTP XC@<K^~7^ 9# id-types z-tko"j<n Policy Director HTTP XC@<&?$WN$UNH _go;r~lk3h,g-^9#9joa iv-user"iv-user-l"iv-groups"iv-creds"all G 9# -i WebSEAL 5<P<K URL rg8z.8z rhl;:kh}5;^9# -j 9/jWH8.5<P<jP URL rh}9 k?a cookie bk8cs/7gs1lrs!7^9# -k PC/(sI&]<?k&5<P<K;C7 gs cookie rw.7^9# Tivoli SecureWay Policy Director WebSEAL I},$I 267 B. WebSEAL

288 -p <port> PC/(sIh0T5<P<N TCP ]< H#GU)kHO"TCP 8cs/7gs, 80 G"SSL 8cs/7gs, 443 G9# -q <url> query_contents 9/jWHNjP URL# Policy Director O" /cgi_bin/ bg query_contents r5w7^9#3ng#l /Hj<,[Jk+" query_contents U!$k,>0Q95lF$kH-O"3N* W7gsrHQ7F"WebSEAL KU!$k XN7, URL r(7^9# -r e. IP "Il9r8cs/7gsrp7F HTTP -s 8cs/7gs,9F<HUk&"Wj1< 7gsr5]<H9k3HrXj7^9#G U)kHGO"8cs/7gsO9F<HU kgo"j^;s# -T <resource/ resource-group> GSO j=<9^?oj=<9&0k<wn >0# -b gso *W7gsNlgK,\G" 3N*W7gsGN_HQ5l^9# -u <UUID> 9F<HUk&8cs/7gs (-s) rp7 F WebSEAL K\35l?PC/(sI& 5<P<N UUID rxj7^9# 268 P<8gs 3.8

289 -v <virt-host-name> PC/(sI&5<P<eG=5l?>[[ 9H>#3N*W7gsO"PC/(sI& 5<P<eG>[[9H&;CH"CWr5 ]<H7^9# f<6<opc/(si&8cs/7gs& 5<P<N 1 DN>[$s9?s9K8c s/7gs7f$k?a"=n5<p<,[ 9H>XC@<r= 9klgO"-v rh Q7^9# Vi&6<+iNGU)kHN HTTP XC@<WaO"PC/(sI&5< P<,#tN>0H#tN>[5<P<r} CF$k3Hr'17F$^;s#>[[9 HH7F;CH"CW5l?PC/(sI& 5<P<K8F?WabNICNXC@<p srs!9kh&k" WebSEAL r=.9 k,w,"j^9# -w Win32 U!$k&79F`&5]<H# LTPA 8cs/7gs -A LTPA 8cs/7gsrHQD=*hSHQ TDK7^9# -F < keyfile > LTPA cookie G<?NEf=KHQ5lk- <&U!$kNlj# -Z -<&U!$kNQ9o<I < keyfile-password > WebSEAL V SSL 8cs/7gs -C SSL rp7?umsh(si WebSEAL 5 <P<HPC/(sI WebSEAL 5<P< NVNj_'Z# -t ssl ^?O -t sslproxy?$w,,wg9# m<+k&8cs/7gs&*w7gs (-t local GHQ) -d <dir> 8cs/7gsXNm<+k&G#l/Hj <# **,\ ** -f {8N8cs/7gsNV-9(r/)7^ 9# 8cs/7gs&]$sH 8cs/7gsrn.9k?aN WebSEAL M<`9Z<9bNl j# Tivoli SecureWay Policy Director WebSEAL I},$I 269 B. WebSEAL

290 `n: {8N8cs/7gs&]$sHK7?J5<P<rIC7^ 9# =8O"!NH*jG9# add -h <host-name> [<options>] <junction-point> [9H> -h <host-name> **,\ **?<2CH&PC/(sI&5<P<N DNS [9H>^?O IP "Il9# *W7gs SSL rp7?j_'z -D < DN > j7^9# DN HN M-go;Khj"'Z,H%5l^9# Wm-7<&8cs/7gs&*W7gs (-t tcpproxy *hs -t sslproxy G,W) -H <host-name> Wm-7<&5<P<N DNS [9H>^? O IP "Il9# -P <port> Wm-7<&5<P<N TCP ]<H# ll*j TCP *hs SSL 8cs/7gsN*W7gs -i WebSEAL 5<P<K URL rg8z.8z rhl;:kh}5;^9# -j 9/jWH8.5<P<jP URL rh}9 k?a cookie bk8cs/7gs1lrs!7^9# -p <port> PC/(sIh0T5<P<N TCP ]< H#GU)kHO"TCP 8cs/7gs, 80 G"SSL 8cs/7gs, 443 G9# 270 P<8gs 3.8

291 -q <url> query_contents 9/jWHNjP URL# Policy Director O" /cgi_bin/ bg query_contents r5w7^9#3ng#l /Hj<,[Jk+" query_contents U!$k,>0Q95lF$kH-O"3N* W7gsrHQ7F"WebSEAL KU!$k XN7, URL r(7^9# -u <UUID> 9F<HUk&8cs/7gs (-s) rp7 F WebSEAL K\35l?PC/(sI& 5<P<N UUID rxj7^9# -v <virt-host-name> PC/(sI&5<P<eG=5l?>[[ 9H>#3N*W7gsO"PC/(sI& 5<P<eG>[[9H&;CH"CWr5 ]<H7^9# f<6<opc/(si&8cs/7gs& 5<P<N 1 DN>[$s9?s9K8c s/7gs7f$k?a"=n5<p<,[ 9H>XC@<r= 9klgO"-v rh Q7^9# Vi&6<+iNGU)kHN HTTP XC@<WaO"PC/(sI&5< P<,#tN>0H#tN>[5<P<r} CF$k3Hr'17F$^;s# >[[ 9HH7F;CH"CW5l?PC/(s I&5<P<K8F?WabNICNXC@ <psrs!9kh&k" WebSEAL r=.9k,w,"j^9# -w Win32 U!$k&79F`&5]<H# 8cs/7gs&]$sH 3N{8N8cs/7gs&]$sHK5<P<rIC7^9# Tivoli SecureWay Policy Director WebSEAL I},$I 271 B. WebSEAL


293 C ikeyman ikeyman HQG-kD<kG9# ikeyman rhq9kh"7,-<&g<? CA CA +in SQ9o<INQ9rT&3H,G-^9# ikeyman f<f#jf#<o" Policy Director Ks!5lF$k Global Security Kit (GSKit) QC1<8NltG9# HTC/NwzOJ<NH*jG9# 274Z<8NXiKeyman f<f#jf#<n+oy 275Z<8NXGU)kH WebSEAL -<&G<?Y<9N*< WsY 277Z<8NX7,-<&G<?Y<9Nn.Y 283Z<8NX7,k<H CA 284Z<8NXk<H CA Y 290Z<8NX5<P<Z@qNWaY Tivoli SecureWay Policy Director WebSEAL I},$I 273 C. ikeyman

294 Y 293Z<8NX7,GU)kHZ@qNdjvFY 294Z<8NXG<?Y<9&Q9o<INQ9Y ikeyman ikeyman f<f#jf#<o"!nh&k"*zl<f#s0&7 9F`N3^sITWmsWH+i+O7^9# Windows: MSDOS> /Program Files/IBM/gsk4/bin/gsk4ikm.exe UNIX: # /usr/bin/gsk4ikm VIBM Key Management (IBM -<I})W&#sI&,=(5l^ 9# ^ 39. IBM Key Management (IBM -<I}) &#si& 274 P<8gs 3.8

295 WebSEAL Sk<H CA $s9h<k~k"webseal <9 (pdsrv.kdb) rs!7^9#-<&u!$kko"gu)kh WebSEAL (-<&iyk = Policy Director) H*r5l?& Lk<H CA Z@q,~CF$^9# GU)kH WebSEAL -<&G<?Y<9r*<Ws9kKO"J< N9FCWK>CF/@5$# 1. VIBM Key Management (IBM -<I})W&#sI&G"VKey Database File (-<&G<?Y<9&U!$k)WaKe<+i VOpen (*<Ws)Wr*r9k# 2. VOpen browse (*<Ws&Vi&:)W&#sI&+i"!NG# l/hj<kjs2<h9k# UNIX: /opt/policydirector/lib/certs Windows: C: Program Files Tivoli Policy Director lib certs 3.!r*r9k# pdsrv.kdb 4. VOpen (*<Ws)Wr/jC/9k# VPassword Prompt (Q9o<I&WmsWH)W@$"m0&\C /9,=(5l^9# 5.!Nh&K"GU)kH WebSEAL Q9o<Ir~O9k# pdsrv 6. VOKWr/jC/9k# G<?Y<9psKhCF"I}&#sI&,hj~^l^9# Tivoli SecureWay Policy Director WebSEAL I},$I 275 C. ikeyman

296 GU)kHN WebSEAL Certificates <&iykovpolicy ^9# ^40 Certificates Certificates k<h'zi (CA) 277Z<8N^41 ^ 40. GU)kH WebSEAL pdsrv.kdb -<&U!$k: WebSEAL 276 P<8gs 3.8

297 ^ 41. GU)kH WebSEAL pdsrv.kdb -<&U!$k: Sk<H CA $s9h<k~k"webseal <9 (pdsrv.kdb) rs!7^9#-<&u!$kko"gu)kh WebSEAL (-<&iyk = Policy Director) H*r5l?& Lk<H CA Z@q,~CF$^9# 3N-<&G<?Y<9r31FHQ9k3Hb"7,G<?Y<9 rn.9k3hbg-^9#7,g<?y<9rn.7f"webseal K3lrGU)kH&G<?Y<9H7FHQ5;kKO" secmgrd.conf =.U!$kN ssl-keyfile Qia<?<r=.7F" WebSEAL KLN9k,W,"j^9# 45Z<8NXWebSEAL QN -<&G<?Y<9&Qia<?<N=.Yr2H7F/@5$# Tivoli SecureWay Policy Director WebSEAL I},$I 277 C. ikeyman

298 7,-<&G<?Y<9&U!$krn.9kKO"J<N9FCW K>$^9# 1. VIBM Key Management (IBM -<I})W&#sI&G"VKey Database File (-<&G<?Y<9&U!$k)WaKe<+i VNew (7,)Wr*r9k# VNew ^ 42. New 2. VKey database type (-<&G<?Y<9&?$W)WU#<kI G"VCMS key database file (CMS -<&G<?Y<9&U!$ k)wr*r9k# 3. VFile Name (U!$k>)WK key.kdb Nh&K~O9k# 4. VLocation (lj)wu#<kikp7fgu)khmru1~l k+"=nu#<kik7,mr~o9k+""k$ovbrowse (Vi&:)W\?srHQ7F7,Mr*r9k# 5. VOKWr/jC/9k# VPassword Prompt (Q9o<I&WmsWH)W&#sI&,= (5l^9# 6. VPassword (Q9o<I)WU#<kIKQ9o<Ir~O7"= NQ9o<IrVConfirm Password (Q9o<IN')WU#<k IKFY~O9k# 7. (*W7gsN)VSet expiration time (-z B~or_j)WA' C/&\C/9r*r7",ZJMr~O7^9# 278 P<8gs 3.8

299 8. (*W7gsN)VStash the password to a file (U!$kKQ9o <Ir stash)wa'c/&\c/9r*r9k# stash U!$kKO".sth H$&H%R,^^lF$^9# secmgrd.conf =.U!$kN ssl-keyfile-stash Qia<?<r =.7F"3N7, stash U!$kr WebSEAL KLN9k,W,"j^9# 45Z<8NXWebSEAL QN-<&G<?Y<9&Qia<?< N=.Yr2H7F/@5$# 9. VOKWr/jC/9k# N'&#sI&,=(5l"7,-<&G<?Y<9,n.5l?3H,N'5l^9# 10. VOKWr/jC/9k# 7,-<&G<?Y<9,5oKn.5l^7?#VIBM Key Management (IBM -<I})W&#sI&,F=(5l^9# VIBM Key Management (IBM -<I})W&#sI&KO"7,- <&U!$k>,?G5l"p>TZ@q,=(5l^9# ikeyman KO"J<Np>TG#8?kZ@q,s!5lF$^9# RSA Secure Server CA Thawte Personal Premium CA Thawte Personal Fre CA Thawte Personal Basic CA Thawte Premium Server CA Thawte Server CA VeriSign Class 1 Public Primary CA VeriSign Class 2 Public Primary CA VeriSign Class 3 Public Primary CA VeriSign Test CA Root Certificate Tivoli SecureWay Policy Director WebSEAL I},$I 279 C. ikeyman

300 (CA) /TN WebSEAL O" CA K=N/TrWa7"=lr+,N-<&G<?Y<9KI C7J1lPJj^;s# 283Z<8NX7,k<H CA m: VeriSign Test CA Root Certificate O"F9H\*GH_~^lk c]z CA G9#-<&G<?Y<9&/i9rB0"Wj1< 7gsK~lk0K"3Nk<Hr n7f*/,w,"j^ 9# 7,G<?Y<9KO"WebSEAL,/i$"sHd=N>N5<P <K=l+Nr'Z5;ilkh&K"CA VPersonal Certificates B0"Wj1<7gsr+/7F$klgO"=JNF9Hr0;9 b"j^9#ikeyman rhq9lp"f9hkhq9k+jp>g 6<+H, CA qg9# m: <6<N5<P<r'17J/JC?j"5<P<HL.G-J /JC?j7^9# 280 P<8gs 3.8

301 $s9h<k~k"webseal OVPolicy DirectorWH$&+Jp>Z $^9# 1. ikeyman rhq7f" pdsrv.kdb -<&U!$k"^?OLN +9?`&-<&U!$kr*<Ws9k# VIBM Key Management (IBM -<I})W&#sI&N?$H k&p<k"*r5l?-<&g<?y<9&u!$kn>0, =(5l^9#3lO"U!$k,*<Ws5l"$DGbHQ G-k3Hr(7^9# 2. Certificates 3. VNew Self-Signed (7,+Jp>)W\?sr/jC/9k# VCreate New Self-Signed Certificate 4. VKey Label (-<&iyk)wk test-cert Nh&K~O9k# 5. VCommon Name (&L>)WHVOrganization (H%)W(&K,\) r~o7"vcountry (q)wr*r9k#djnu#<kikp7 FO"GU)kHMru1~lk+"7,Mr~O^?O*r7 ^9# 282Z<8N^43 6. VOKWr/jC/9k# VIBM Key Management (IBM -<I})W&#sI&NVPersonal Certificates Tivoli SecureWay Policy Director WebSEAL I},$I 281 C. ikeyman

Figure 43. Create New Self Signed Certificate

303 CA CjN CA CA K 3NZ@qr/T9kh&Wa7J1lPJj^;s#F CA KO" 3N?9/KP9kG-NWm7<8c<,"j^9#\YKD$F O",ZJ CA K"m7F/@5$# WarTCF CA +ik<hz@qru1hc?i"=lr-<&g <?Y<9KICG-^9#[HsING#8?k&k<HZ@q O"q0 *.arm (?H(P" cert.arm) rhq7f$^9# k<h CA Z@qrG<?Y<9KIC9kKO"J<N9FCWK >$^9# 1. VIBM Key Management (IBM -<I})W&#sI&G"Wk@ &s&j9h+ivsigner Certificates (p>tz@q)wr*r9 k# 2. VAdd (IC)Wr/jC/9k# VAdd CA s Certificate from a File (U!$k+iN CA NZ@q NIC)W&#sI&,=(5l^9# ^ 44. Add CA s Certificate (CA 1. VData type (G<?&?$W)WWk@&s&aKe<+i VBase64-encoded ASCII data (Base64 (s3<i ASCII G<?)Wr*r9k# 2. k<h CA Z@qNVCertificate file name (Z@qU!$k>)W *hsvlocation (lj)wk~o9k+"vbrowse (Vi&:)W r/jc/7f>0hljr*r9k# Tivoli SecureWay Policy Director WebSEAL I},$I 283 C. ikeyman

304 3. VOKWr/jC/9k# VEnter a Label (iykn~o)w@$"m0&\c/9,=(5 l^9# 4. k<h CA Z@qN-<&iYkK VeriSign Root CA Certificate Nh&K~O7"VOKWr/jC/9k# 3lG"VSigner Certificates (p>tz@q)wu#<kik"ic 7?P+jNk<H CA Z@qNiYk,~j^9# CA p>tz@qj9hk"5]<h9k,w,j/jc?p>t,"k lgo":v9kk<h CA Z@qro 7J1lPJj^;s# m: k<h CA Z@qro 9k0K"eG=N18 CA 7F*$F/@5$# G<?Y<9+ik<H CA Z@qro 9kKO"J<N9FCW K>$^9# 1. VIBM Key Management (IBM -<I})W&#sI&G"Wk@ &s&j9h+ivsigner Certificates (p>tz@q)wr*r9 k# 2. o 7?$k<H CA Z@qr*r (/4=() 9k# 3. VDelete (o )Wr/jC/9k# VConfirm (N')W&#sI&,=(5l^9# 4. VYes (O$)Wr/jC/9k# o 7?k<H CA Z@qNiYkO"VSigner Certificates (p >TZ@q)WU#<kIK=(5lJ/Jj^9# 284 P<8gs 3.8

305 dqhi9h&mcho</r;ch"cw7?j"f9h\*g+ <7F"LNG<?Y<9KIC7J1lPJiJ$3H,"j^ 3 LjN}!,"j^9# G<?Y<9+iZ@qr>\$s]<H9k (=<9) NZ@qr (?<2CH) -<&G<?Y<9KIC9kKO"J< N9FCWK>$^9# 1. V=<9W-<&G<?Y<9r*<Ws9k# 2. VIBM Key Management (IBM s&ake<+i"(/9]<h7?$z@qn?$wr*r9 k (VPersonal (DM)W^?OVSigner (p>t)w)# 3. LNG<?Y<9KIC7?$Z@qr*r9k# 4. VPersonal (DM)Wr*r9klgO"VExtract Certificate (Z@ qnjp)w\?sr/jc/9k#vsigner (p>t)wr*r9 klgo"vextract (jp)w\?sr/jc/7^9# VExtract a Certificate to a File (Z@qNU!$kXNjP)W& #si&,=(5l^9# 5. VData type (G<?&?$W)WWk@&s&aKe<+i VBase64-encoded ASCII data (Base64 (s3<i ASCII G<?)Wr*r9k# G<?&?$WO"Z@qU!$kK]I5lF$kZ@qNG <?&?$WKlW7F$J1lPJj^;s#iKeyman D<k O" Base64 (s3<i ASCII U!$kHP$Jj< DER (s 3<IZ@qr5]<H7F$^9# Tivoli SecureWay Policy Director WebSEAL I},$I 285 C. ikeyman

306 6. (V i&:)wr/jc/7f>0hljr*r9k# ^ 45. Extract Certificate to a File (Z@qNU!$kXNjP) 7. VOKWr/jC/9k# Z@q,CjNU!$kKq-~^l^9# U!$k+i?<2CH&G<?Y<9KZ@qrIC9kKO"J <N9FCWK>$^9# 1.?<2CH&-<&G<?Y<9r*<Ws9k# 2. IC7?$Z@qN?$Wr*r9k (VPersonal (DM)W^?O VSigner (p>t)w)# 3. VSigner (p>t)wz@qnlgovadd (IC)Wr/jC/9 k#vpersonal (DM)W?$WNZ@qNlgO"VReceive (u1 hj)wr/jc/7^9# 4. Z@qrjP7?H-KHQ7?VCertificate file name (Z@qU!$k>)WHVLocation (lj)wr~o9k#vbrowse (Vi& :)W\?srHQ9k3HbG-^9# ^ 46. Receive Certificate from a File (U!$k+iNZ@qNu1hj) 5. VOKWr/jC/9k# 286 P<8gs 3.8

307 6. VConfirm (O$)W^?O VNo Nj9HK=(5l^9# (=<9) -<&G<?Y<9+i (?<2CH) -<&G<?Y<9 1. V?<2CHW-<&G<?Y<9r*<Ws9k# 2. VIBM Key Management (IBM k (VPersonal (DM)W^?OVSigner (p>t)w)# 3. VExport/Import ((/9]<H / $s]<h)w\?sr/jc/ 9k# VExport/Import Key (-<N(/9]<H / $s]<h)w&#s I&,=(5l^9# 4. VChoose Action Type ("/7gs&?$WN*r)W+iVImport ($s]<h)wr*r9k# 5. VKey file type (-<&U!$k&?$W)WWk@&s&aKe< +ivcms key database file (CMS -<&G<?Y<9&U!$ k)wr*r9k# 6. $s]<h7?$z@q,~cf$k=<9&-<&g<?y< 9NVFile name (U!$k>)WHVLocation (lj)wr~o9 k#vbrowse (Vi&:)W\?srHQ9k3HbG-^9# Tivoli SecureWay Policy Director WebSEAL I},$I 287 C. ikeyman

308 ^ 47. Export/Import Key (-<N(/9]<H / $s]<h) 7. VOKWr/jC/9k# VPassword Prompt (Q9o<I&WmsWH)W&#sI&,=( 5l^9# 8. Q9o<Ir~O7F"VOKWr/jC/9k# VSelect From Key Label List (-<&iyk&j9h+in* r)w&#si&,=(5l^9# 9. $s]<h7?$z@qr*r7f"vokwr/jc/9k# 3lG"Z@q,?<2CH&G<?Y<9Nj9HK=(5l ^9# (=<9) -<&G<?Y<9+i (?<2CH) -<&G<?Y<9 KZ@qr(/9]<H9kKO"J<N9FCWK>$^9# 1. V=<9W-<&G<?Y<9r*<Ws9k# 2. VIBM Key Management (IBM -<I})W&#sI&NWk@& s&ake<+i"(/9]<h7?$z@qn?$wr*r9 k (VPersonal (DM)W^?OVSigner (p>t)w)# 3. (/9]<H7?$Z@qr*r (/4=() 9k# 4. VExport/Import ((/9]<H / $s]<h)w\?sr/jc/ 9k# VExport/Import Key (-<N(/9]<H / $s]<h)w&#s I&,=(5l^9# 288 P<8gs 3.8

309 5. VChoose Action Type ("/7gs&?$WN*r)W+i VExport ((/9]<H)Wr*r9k# 6. VKey file type <+ivcms key database file (CMS -<&G<?Y<9&U! $k)wr*r9k# 7. name (U!$k>)WHVLocation (lj)wr~o9k#vbrowse (Vi&:)W\?srHQ9k3HbG-^9# m: SfG"3NG<?Y<9&U!$kNV-9(KX9ka C;<8,=(5l^9#VYes ^ 48. Export/Import Key (-<N(/9]<H / $s]<h) 8. VOKWr/jC/9k# VPassword Prompt (Q9o<I&WmsWH)W&#sI&,= (5l^9# 9.?<2CH&G<?Y<9KP9kQ9o<Ir~O7F" VOKWr/jC/9k# 10.?<2CH&G<?Y<9r*<Ws9kH"(/9]<H5l?Z@q,Z@qj9HK=(5l^9# Tivoli SecureWay Policy Director WebSEAL I},$I 289 C. ikeyman

310 WebSEAL O"CA SSL /i$"shk P7F'Z9k3HrWa7^9#WebSEAL O">N'ZWo (junctioncp -K G8cs/7gs5l?"Wj1<7gs&5<P <KP~9kbNJI) ikeyman f<f#jf#<rhq9kh",zj CA Kw.G-k 1. VIBM Key Management (IBM &s&j9h+ivpersonal Certificate Requests a)wr*r9k# 2. VNew (7,)Wr/jC/9k# VCreate New Key and Certificate Request ^ 49. Create New Key and Certificate Request (7,-<*hSWaNn.) 290 P<8gs 3.8


Chi tiết hơn

tài liệu hướng dẫn sử dụng dành cho người dùng cuối

tài liệu hướng dẫn sử dụng dành cho người dùng cuối CÔNG TY TNHH VIETTEL CHT TÀI LIỆU HƯỚNG DẪN SỬ DỤNG MÁY TÍNH ẢO CLOUD PC (Phiên bản 1.0) Hà nội, 2016 CLOUD PC Page 1 MỤC LỤC 1. GIỚI THIỆU ------------------------------------------------------------------------------------------

Chi tiết hơn

CÔNG TY TNHH GIẢI PHÁP TRỰC TUYẾN TOTAL 60 Đường 18, Phường Hiệp Bình Chánh, Quận Thủ Đức, TP.HCM MST:

CÔNG TY TNHH GIẢI PHÁP TRỰC TUYẾN TOTAL 60 Đường 18, Phường Hiệp Bình Chánh, Quận Thủ Đức, TP.HCM MST: CHỨC NĂNG, NGHIỆP VỤ PHẦN MỀM, HỆ THỐNG ỨNG DỤNG Giới thiệu chung HÓA ĐƠN ĐIỆN TỬ SMART E-INVOICE 1.2 Smart E-Invoice được thiết kế hoàn toàn khác với các hệ thống ứng dụng dịch vụ hóa đơn điện tử khác

Chi tiết hơn

PERATION PROCESS VMWARE VSPHERE 5.0 SYSTEM Ha Noi 1

PERATION PROCESS VMWARE VSPHERE 5.0 SYSTEM Ha Noi 1 PERATION PROCESS VMWARE VSPHERE 5.0 SYSTEM Ha Noi 1 MỤC LỤC 1. Quản lý ESX Host...3 Thêm ESX host vào Datacenter... 3 Xóa ESX Host khỏi Datacenter... 5 Disconnect/Reconnect host... 6 Maintenance ESX host...

Chi tiết hơn

Modbus RTU - Modbus TCP/IP Converter

Modbus RTU - Modbus TCP/IP Converter BỘ CHUYỂN ĐỔI MODBUS RTU - MODBUS TCP/IP 1/20/2019 Hướng dẫn sử dụng CÔNG TY CỔ PHẦN GIẢI PHÁP KỸ THUẬT ẤN TƯỢNG Địa chỉ: 60 Đường số 1 P.Tân Thành Q.Tân Phú Tp.HCM Việt Nam Phone: 028.3842.5226 (Phím

Chi tiết hơn

BƯỚC 1 CÀI LẮP SIM BƯỚC 2 APN BƯỚC 3 ĐĂNG KÝ HOÀN THÀNH Bỏ SIM vào máy di động. Cài đặt APN. Vui lòng khởi động lại thiết bị. Vui lòng mở trình duyệt

BƯỚC 1 CÀI LẮP SIM BƯỚC 2 APN BƯỚC 3 ĐĂNG KÝ HOÀN THÀNH Bỏ SIM vào máy di động. Cài đặt APN. Vui lòng khởi động lại thiết bị. Vui lòng mở trình duyệt BƯỚC CÀI LẮP SIM BƯỚC APN BƯỚC ĐĂNG KÝ HOÀN THÀNH Bỏ SIM vào máy di động. Cài đặt APN. Vui lòng khởi động lại thiết bị. Vui lòng mở trình duyệt và đăng ký thông tin cá nhân của bạn (họ tên, ngày sinh,

Chi tiết hơn

Microsoft Word - datn Tìm hiểu một số công nghệ Web và xây dựng chương trình Newsletter.doc

Microsoft Word - datn Tìm hiểu một số công nghệ Web và xây dựng chương trình Newsletter.doc TRƯỜNG KHOA.. ĐỀ TÀI: BÁO CÁO TỐT NGHIỆP Tìm hiểu một số công nghệ Web và xây dựng chương trình Newsletter A. YÊU CẦU CỦA ĐỀ TÀI: Bao gồm các phần sau: Tìm hiểu về các Web server thông dụng hiện nay: +

Chi tiết hơn

Slide 1

Slide 1 Bài 12: Các kỹ thuật tấn công và cách phòng chống 1 Các phương pháp tấn công Lợi dụng lỗi bảo mật kết hợp với các nguyên tắc khác Lỗi chưa công bố Lỗi đã công bố Mã độc: Virus, sâu, trojan, XSS, SQL injection,

Chi tiết hơn

Domain Name System - DNS Domain Name System - DNS Bởi: Phạm Nguyễn Bảo Nguyên Như chúng ta đã biết DHCP Server có tác dụng cấp phát IP cho các Client

Domain Name System - DNS Domain Name System - DNS Bởi: Phạm Nguyễn Bảo Nguyên Như chúng ta đã biết DHCP Server có tác dụng cấp phát IP cho các Client Bởi: Phạm Nguyễn Bảo Nguyên Như chúng ta đã biết DHCP Server có tác dụng cấp phát IP cho các Client vì vậy khi muốn truy cập máy nào phải nhập IP của máy đó. Nhưng với WINS thì mọi việc trở nên đơn giản

Chi tiết hơn

08-khoidong.pptx

08-khoidong.pptx Khởi động hệ thống Nội dung 1. Tổng quan quá trình khởi động 2. Quá trình tải nhân hệ điều hành 3. Quá trình khởi động dịch vụ hệ thống. Các mức thực hiện 4. Khởi tạo môi trường làm việc 1. Quá trình khởi

Chi tiết hơn

Bài 1:

Bài 1: Bài 1: LÀM QUEN THIẾT BỊ THÍ NGHIỆM 1.1 Lập dự án với S7-1200: Tạo mới dự án, mở dự án đã có. Khởi động chương trình STEP 7 Basic: Double click lên icon trên desktop hoặc vào menu start >> All Program

Chi tiết hơn

Chöông 1 (tt.)

Chöông 1 (tt.) Cấu Trúc Hệ Điều Hành Các thành phần của hệ điều hành Các dịch vụ hệ điều hành cung cấp Giao tiếp giữa quá trình và hệ điều hành Các chương trình hệ thống (system program) Cấu trúc hệ điều hành Máy ảo

Chi tiết hơn

Microsoft Word - http_header_fields.docx

Microsoft Word - http_header_fields.docx Các trường Header trong HTTP Các trường Header cung cấp thông tin được yêu cầu về yêu cầu hoặc phản hồi, hoặc về đối tượng được gửi trong phần thân thông báo. Có 4 kiểu của Header thông báo HTTP: Kiểu

Chi tiết hơn

Hướng dẫn sử dụng dịch vụ FTP

Hướng dẫn sử dụng dịch vụ FTP HƯỚNG DẪN SỬ DỤNG DỊCH VỤ FTP 1.Cài đặt FTP Client Để sử dụng dịch vụ FTP bắt buộc phải sử dụng FTP client có hỗ trợ TLS. Chúng tôi gợi ý sử dụng FileZilla FTP Client. Đây là một FTP client miễn phí và

Chi tiết hơn

HƯỚNG DẪN SỬ DỤNG HỆ THỐNG E-LEARNING Version 1.2 Công Ty TNHH Uratek Website: TP.HCM, 11/2017

HƯỚNG DẪN SỬ DỤNG HỆ THỐNG E-LEARNING Version 1.2 Công Ty TNHH Uratek   Website:   TP.HCM, 11/2017 HƯỚNG DẪN SỬ DỤNG HỆ THỐNG E-LEARNING Version 1.2 Công Ty TNHH Uratek Email: support@uratek.vn Website: www.uratek.vn TP.HCM, 11/2017 MỤC LỤC I. ĐIỀU KIỆN SỬ DỤNG HỆ THỐNG... 1 II. NGƯỜI DÙNG VÀ PHÂN QUYỀN...

Chi tiết hơn

Hik-Connect làgì? Hướng dẫn sử dụng Hik-Connect Tính năng chia sẻ (Share) Dịch vụ lắp đặt camera quan sát uy tín chất lượng, hệ thống đại

Hik-Connect làgì? Hướng dẫn sử dụng Hik-Connect Tính năng chia sẻ (Share)   Dịch vụ lắp đặt camera quan sát uy tín chất lượng, hệ thống đại Hik-Connect làgì? Hướng dẫn sử dụng Hik-Connect Tính năng chia sẻ (Share) Hik-Connect là gì? Mạng công cộng Hik-Connect HiDDNS (www.hik-online.com) Dịch vụ tên miền động được HIKVISION cung cấp cho khách

Chi tiết hơn

CÔNG TY TNHH GIẢI PHÁP CÔNG NGHỆ HDA VIỆT NAM Biệt thự BT8 Lô D8 Khu đô thị Việt Hưng, Long Biên, Hà Nội Điện thoại: (84-4) Fax: (84-4) 62928

CÔNG TY TNHH GIẢI PHÁP CÔNG NGHỆ HDA VIỆT NAM Biệt thự BT8 Lô D8 Khu đô thị Việt Hưng, Long Biên, Hà Nội Điện thoại: (84-4) Fax: (84-4) 62928 CÔNG TY TNHH GIẢI PHÁP CÔNG NGHỆ HDA VIỆT NAM Biệt thự BT8 Lô D8 Khu đô thị Việt Hưng, Long Biên, Hà Nội Điện thoại: (84-4) 62928460 Fax: (84-4) 62928460 Website: www.hdavietnam.com GIẢI PHÁP XÂY DỰNG

Chi tiết hơn

Network Security

Network Security COMP1049 - Bảo mật và An ninh Mạng Network Security C3-1 HIENLTH Computer Network Security Lương Trần Hy Hiến Chương 3: Tường lửa Presenter: Lương Trần Hy Hiến hienlth@hcmup.edu.vn COMP1049 - Bảo mật và

Chi tiết hơn

Chương trình dịch

Chương trình dịch Linux và Phần mềm Mã nguồn mở Bài 11: Cài đặt các dịch vụ cơ bản của máy chủ Internet trên linux Nhắc lại và chú ý Quá trình khởi động hệ điều hành linux Tiến trình deamon cung cấp các chức năng quan trọng

Chi tiết hơn

ĐỀ CƯƠNG MÔN HỌC NHẬP MÔN TIN HỌC

ĐỀ CƯƠNG MÔN HỌC NHẬP MÔN TIN HỌC BỘ GIÁO DỤC VÀ ĐÀO TẠO TRƯỜNG ĐẠI HỌC MỞ TP. HỒ CHÍ MINH ĐỀ CƯƠNG MÔN HỌC 1. THÔNG TIN VỀ MÔN HỌC 1.1. Tên môn học: QUẢN TRỊ HỆ CƠ SỞ DỮ LIỆU Mã MH: ITEC4402 1.2. Khoa phụ trách: Công nghệ thông tin 1.3.

Chi tiết hơn

Làm quen với chương trình Microsoft Excel Làm quen với chương trình Microsoft Excel Bởi: unknown Làm quen với chương trình Những thao tác đầu tiên với

Làm quen với chương trình Microsoft Excel Làm quen với chương trình Microsoft Excel Bởi: unknown Làm quen với chương trình Những thao tác đầu tiên với Làm quen với chương trình Microsoft Excel Bởi: unknown Làm quen với chương trình Những thao tác đầu tiên với bảng tính Sổ bảng tính và tờ bảng tính là gì? Sau khi khởi động chương trình MS Excel, ta có

Chi tiết hơn

HuongdansudungDirectAdmin-Dung cho khach hang.doc

HuongdansudungDirectAdmin-Dung cho khach hang.doc CÔNG TY CỔ PHẦN VIỄN THÔNG FPT PHÒNG HỆ THỐNG-CÔNG TY TNHH DỮ LIỆU TRỰC TUYẾN TÀI LIỆU HƯỚNG DẪN SỬ DỤNG CPANEL-DirectAdmin Hà Nội, 4/2008 MỤC LỤC I. Khởi đầu...2 II. Upload Website lên server...4 III.

Chi tiết hơn

Microsoft Word 四技二專-工程與管理類專二試題.doc

Microsoft Word 四技二專-工程與管理類專二試題.doc 1. Ô k p t ñ z ké ÇÆ hå (A) (B) ƒ (C) (D) z 2. p 6 á o n á Þ p Ø á p 65,536 á È(Cylinder) Èp 255 á (Cluster j ) m 4 K v p é ÕÎl v (Bytes) (A) 820 GB (B) 640 GB (C) 512 GB (D) 340 GB 3. p RAM(Random Access

Chi tiết hơn

Giới thiệu MSB trân trọng cảm ơn Quý Doanh nghiệp đã lựa chọn dịch vụ M-Banking của chúng tôi. Sứ mệnh đáp ứng tốt nhất các nhu cầu của Khách hàng Doa

Giới thiệu MSB trân trọng cảm ơn Quý Doanh nghiệp đã lựa chọn dịch vụ M-Banking của chúng tôi. Sứ mệnh đáp ứng tốt nhất các nhu cầu của Khách hàng Doa Giới thiệu MSB trân trọng cảm ơn Quý Doanh nghiệp đã lựa chọn dịch vụ M-Banking của chúng tôi. Sứ mệnh đáp ứng tốt nhất các nhu cầu của Khách hàng Doanh nghiệp là động lực giúp MSB ngày càng cải tiến sản

Chi tiết hơn

OpenStax-CNX module: m Giới thiệu về ngôn ngữ C và môi trường turbo C 3.0 ThS. Nguyễn Văn Linh This work is produced by OpenStax-CNX and licens

OpenStax-CNX module: m Giới thiệu về ngôn ngữ C và môi trường turbo C 3.0 ThS. Nguyễn Văn Linh This work is produced by OpenStax-CNX and licens OpenStax-CNX module: m30475 1 Giới thiệu về ngôn ngữ C và môi trường turbo C 3.0 ThS. Nguyễn Văn Linh This work is produced by OpenStax-CNX and licensed under the Creative Commons Attribution License 3.0

Chi tiết hơn

Bài 4 Tựa bài

Bài 4  Tựa bài Ba i 7 PHP nâng cao Viện CNTT & TT 1. Session Khái niệm Cách thức hoạt động Khởi động session Đăng ký session Sử dụng session Hủy biến session 2 Khái niệm Session PHP cho phép lưu trữ thông tin người dùng

Chi tiết hơn

Chương II - KIẾN TRÚC HỆ ĐIỀU HÀNH

Chương II -  KIẾN TRÚC HỆ ĐIỀU HÀNH I Mục đích HỆ THỐNG TẬP TIN Sau khi học xong chương này, người học nắm được những kiến thức sau: Hiểu các khía cạnh khác nhau của tập tin và cấu trúc thư mục Hiểu các cơ chế quản lý, kiểm soát, bảo vệ

Chi tiết hơn

Slide 1

Slide 1 Bài 7: Modem, DHCP, NAT, DNS 1 Modem 2 Modem là gì Modem: Modulator/Demodulator Thiết bị chuyển đổi tín hiệu số tương tự dùng trong truyền thông Tốc độ thường đo bằng bps (bits per second) Kết nối mạng

Chi tiết hơn

Microsoft Word - HDSD_NVR_304&3016.docx

Microsoft Word - HDSD_NVR_304&3016.docx HƯỚNG DẪN SỬ DỤNG NVR_304 & NVR_3016 R&D Vantech Page 1 MENU Chương 1: Hướng dẫn sử dụng và các chức năng cơ bản... 3 1.1 Hướng dẫn lắp đặt ổ cứng:... 3 1.2 Hướng dẫn đăng nhập vào hệ thống:... 4 1.3 Hướng

Chi tiết hơn

iCeeNee iOS User's Manual.docx

iCeeNee iOS User's Manual.docx CeeNee iceenee ios Remote HƯỚNG DẪN SỬ DỤNG Version 2.0 2013 Copyright 2013 All rights reserved CeeNee, Inc. Website: www.ceenee.com Bản quyền đã được bảo hộ. Không được sao chép, lưu trữ trong hệ thống

Chi tiết hơn

TRƯỜNG Đ CK Joel Murach lay Harris TÜ SACH BẢN QUYỄN FPT Polytechnic P H P v ä MySQL Murach's PHP and MySQL Khởi động nhanh với PHP & MySQL

TRƯỜNG Đ CK Joel Murach lay Harris TÜ SACH BẢN QUYỄN FPT Polytechnic P H P v ä MySQL Murach's PHP and MySQL Khởi động nhanh với PHP & MySQL TRƯỜNG Đ CK.0000071332 Joel Murach lay Harris TÜ SACH BẢN QUYỄN FPT Polytechnic P H P v ä MySQL Murach's PHP and MySQL Khởi động nhanh với PHP & MySQL Học cách xây dựng, kiểm thử, gỡ lãi ứng dụng PHP sử

Chi tiết hơn

Bài 4 Tựa bài

Bài 4  Tựa bài Ba i 9 PHP framework Viện CNTT & TT 1. Hệ quản trị nội dung (CMS) là gì? 2 CMS (Content Management System) là một hệ thống phần mềm cho phép người sử dụng thiết kế, quản lý và truyền tải nội dung của hệ

Chi tiết hơn

Chương trình dịch

Chương trình dịch Linux và Phần mềm Mã nguồn mở Bài 4: Người dùng, phân quyền và quản lý file trên linux Nhắc lại và chú ý Các chế độ làm việc của hệ điều hành linux Phiên làm việc (login làm việc logout) Các thông tin

Chi tiết hơn

Điện toán đám mây của Google và ứng dụng xây dựng hệ thống quản lý dịch vụ Đỗ Thị Phương Trường Đại học Quốc gia Hà Nội; Trường Đại học Công nghệ Chuy

Điện toán đám mây của Google và ứng dụng xây dựng hệ thống quản lý dịch vụ Đỗ Thị Phương Trường Đại học Quốc gia Hà Nội; Trường Đại học Công nghệ Chuy Điện toán đám mây của Google và ứng dụng xây dựng hệ thống quản lý dịch vụ Đỗ Thị Phương Trường Đại học Quốc gia Hà Nội; Trường Đại học Công nghệ Chuyên ngành: Công nghệ phần mềm; Mã số: 60 48 10 Cán bộ

Chi tiết hơn

LỖI PROXY Để tiết kiệm lượng dữ liệu tải về, kiểm soát thông tin và đảm bảo an toàn khi truy cập Internet thì một số hệ thống thiết lập thêm máy chủ p

LỖI PROXY Để tiết kiệm lượng dữ liệu tải về, kiểm soát thông tin và đảm bảo an toàn khi truy cập Internet thì một số hệ thống thiết lập thêm máy chủ p LỖI PROXY Để tiết kiệm lượng dữ liệu tải về, kiểm soát thông tin và đảm bảo an toàn khi truy cập Internet thì một số hệ thống thiết lập thêm máy chủ proxy (tại trường học, quán cà phê...). Khi đó, nếu

Chi tiết hơn

Thiết kế website động với mã nguồn Drupal 7 - Phần 1

Thiết kế website động với mã nguồn Drupal 7 - Phần 1 Drupal là một hệ thống quản trị nội dung (CMS) mã nguồn mở, miễn phí, rất mạnh mẽ và ổn định, được xây dựng cách đây hơn 10 năm. Sự ổn định và mạnh mẽ từ nhân của Drupal đã khiến cho mã nguồn này được

Chi tiết hơn

Microsoft Word - DE TAI KIEN TRUC MANG 2.doc

Microsoft Word - DE TAI  KIEN TRUC MANG 2.doc BÀI LAB REPORT KIẾN TRÚC MẠNG 2 QUÁ TRÌNH THIẾT KẾ MỘT HỆ THỐNG MẠNG CƠ BẢN (HỆ THỐNG MẠNG MỚI) I_ Khảo sát hiện trạng Khảo sát hiện trạng là 1 bước quan trọng nhất trong quá trình thiết kế 1 hệ thống

Chi tiết hơn

CÔNG TY TNHH GIẢI PHÁP CÔNG NGHỆ VIỄN NAM TÀI LIỆU HƯỚNG DẪN WEBSITE MIỄN PHÍ ( WEBMIENPHI.INFO ) Mọi chi tiết về tài liệu xin liên hệ: CÔNG TY TNHH G

CÔNG TY TNHH GIẢI PHÁP CÔNG NGHỆ VIỄN NAM TÀI LIỆU HƯỚNG DẪN WEBSITE MIỄN PHÍ ( WEBMIENPHI.INFO ) Mọi chi tiết về tài liệu xin liên hệ: CÔNG TY TNHH G CÔNG TY TNHH GIẢI PHÁP CÔNG NGHỆ VIỄN NAM TÀI LIỆU HƯỚNG DẪN WEBSITE MIỄN PHÍ ( WEBMIENPHI.INFO ) Mọi chi tiết về tài liệu xin liên hệ: CÔNG TY TNHH GIẢI PHÁP CÔNG NGHỆ VIỄN NAM 347/28 Lê Văn Thọ, P.9,

Chi tiết hơn

Microsoft Word - xu_ly_cookie_trong_servlet.docx

Microsoft Word - xu_ly_cookie_trong_servlet.docx Xử lý Cookie trong Servlet Cookie là các text file được lưu giữ trên máy tính Client và chúng được giữ cho mục đích theo dõi các thông tin đa dạng. Rõ ràng một điều là, Java Servlet hỗ trợ các HTTP cookie.

Chi tiết hơn

HƯỚNG DẪN SỬ DỤNG HỆ THỐNG E-LEARNING Version 2.9 Công Ty TNHH Uratek Website: TP.HCM, 7/2018

HƯỚNG DẪN SỬ DỤNG HỆ THỐNG E-LEARNING Version 2.9 Công Ty TNHH Uratek   Website:   TP.HCM, 7/2018 Version 2.9 Công Ty TNHH Uratek Email: support@uratek.vn Website: www.uratek.vn TP.HCM, 7/2018 Thuật Ngữ Các thuật ngữ trong bài hướng dẫn sử dụng sẽ được thay thế nhằm mục đích phù hợp với người sử dụng:

Chi tiết hơn

Microsoft Word - Huong dan cau hinh mikrotik - Viet Tuan UNIFI.vn

Microsoft Word - Huong dan cau hinh mikrotik - Viet Tuan UNIFI.vn Hướng dẫn các bước cấu hình Router Mikrotik Các bước cần làm trước khi cấu hình - Download phần mềm Winbox và Update firmware mới nhất cho router tại trang chủ của hãng http://www.mikrotik.com/download

Chi tiết hơn

Hướng dẫn sử dụng Adobe Presenter Pro 7.0

Hướng dẫn sử dụng Adobe Presenter Pro 7.0 TÀI LIỆU TẬP HUẤN (Lưu hành nội bộ) MỤC LỤC MODUL 1 : ELEARNING VÀ BÀI GIẢNG ELEARING... 3 1.1 Elearning và bài giảng elearning... 3 1.1.1 Tổng quan về elearning... 3 1.1.2 Bài giảng elearing... 3 1.2

Chi tiết hơn

TÀI LIỆU HƯỚNG DẪN CÀI ĐẶT CÁC SẢN PHẨM CỦA OFFICE 365

TÀI LIỆU HƯỚNG DẪN CÀI ĐẶT CÁC SẢN PHẨM CỦA OFFICE 365 TÀI LIỆU HƯỚNG DẪN CÀI ĐẶT CÁC SẢN PHẨM CỦA OFFICE 365 THÔNG TIN TÀI LIỆU MÔ TẢ TÀI LIỆU Customer: Trường đại học Kinh tế Quốc dân Title: TÀI LIỆU HƯỚNG DẪN SỬ DỤNG CÁC SẢN PHẨM CỦA OFFICE 365 Document

Chi tiết hơn

namaramayanam.dvi

namaramayanam.dvi ! " # $ %! & ' ( )! * $ $ + +, -. /0/01/0/02 /345/02 /0/06/07/02 8/ + + This document has been prepared by Sunder Kidambi with the blessings of 9 : ;?@AB CDD EF@?@

Chi tiết hơn

Microsoft Word - Giải pháp Kaspersky - NTS.docx

Microsoft Word - Giải pháp Kaspersky - NTS.docx Giải pháp phòng chống Virus NTSSI - 2016 THÔNG TIN KIỂM SOÁT Đơn vị chịu trách nhiệm Công ty cổ phần tích hợp hệ thống Nam Trường Sơn Địa chỉ : 20 Tăng Bạt Hổ, P.11, Q. Bình Thạnh, TP. HCM Điện thoại :

Chi tiết hơn

Microsoft Word - TN414.doc

Microsoft Word - TN414.doc BỘ GIÁO DỤC VÀ ĐÀO TẠO TRƯỜNG ĐẠI HỌC CẦN THƠ CỘNG HÒA XÃ HỘI CHỦ NGHĨA VIỆT NAM Độc lập Tự do Hạnh Phúc ĐỀ CƯƠNG CHI TIẾT HỌC PHẦN 1. Tên học phần : LẬP TRÌNH MẠNG - THƯD - Mã số học phần : TN414 - Số

Chi tiết hơn

Microsoft Word - DU THAO DIEU LE COTECCONS (DHCD 2016) - Rev

Microsoft Word - DU THAO DIEU LE COTECCONS (DHCD 2016) - Rev ĐIỀU LỆ CÔNG TY CỔ PHẦN XÂY DỰNG (COTEC) COTECCONS Ngày /04/2016 MỤC LỤC PHẦN MỞ ĐẦU... 5 I. ĐỊNH NGHĨA CÁC THUẬT NGỮ TRONG ĐIỀU LỆ... 5 II. Điều 1. Định nghĩa... 5 TÊN, HÌNH THỨC, TRỤ SỞ, CHI NHÁNH, VĂN

Chi tiết hơn

Slide 1

Slide 1 Thiết kế các mô hình và đặt tên 1 chương này tập trung vào giao thức Internet ( IP) địa chỉ và đặt tên sử dụng một mô hình cấu trúc cho lớp mạng và đặt tên. sử dụng các địa chỉ và tên là rất khó để quản

Chi tiết hơn

Stored Procedures Stored Procedures Bởi: Khoa CNTT ĐHSP KT Hưng Yên Trong những bài học trước đây khi dùng Query Analyzer chúng ta có thể đặt tên và s

Stored Procedures Stored Procedures Bởi: Khoa CNTT ĐHSP KT Hưng Yên Trong những bài học trước đây khi dùng Query Analyzer chúng ta có thể đặt tên và s Bởi: Khoa CNTT ĐHSP KT Hưng Yên Trong những bài học trước đây khi dùng Query Analyzer chúng ta có thể đặt tên và save các nhóm câu lệnh SQL vào một file dưới dạng script để có thể sử dụng trở lại sau này.

Chi tiết hơn

BÀI MỞ ĐẦU BÀI MỞ ĐẦU Bởi: Vũ Khánh Quý Bài 1: GIỚI THIỆU MÔN HỌC 1. Giới thiệu môn học Với xu thế ứng dụng hệ thống thông tin vào tất cả các hoạt độn

BÀI MỞ ĐẦU BÀI MỞ ĐẦU Bởi: Vũ Khánh Quý Bài 1: GIỚI THIỆU MÔN HỌC 1. Giới thiệu môn học Với xu thế ứng dụng hệ thống thông tin vào tất cả các hoạt độn Bởi: Vũ Khánh Quý Bài 1: GIỚI THIỆU MÔN HỌC 1. Giới thiệu môn học Với xu thế ứng dụng hệ thống thông tin vào tất cả các hoạt động sản xuất của các doanh nghiệp, vấn đề triển khai một hệ thống mạng khi

Chi tiết hơn

HỌC VIỆN KỸ THUẬT QUÂN SỰ

HỌC VIỆN KỸ THUẬT QUÂN SỰ KHOA CÔNG NGHỆ THÔNG TIN CỘNG HÒA XÃ HỘI CHỦ NGHĨA VIỆT NAM Độc lập Tự do Hạnh phúc 1. Thông tin về giáo viên ĐỀ CƢƠNG CHI TIẾT HỌC PHẦN CÔNG NGHỆ WEB WEB TECHNOLOGIES TT Họ tên giáo viên Học hàm Học vị

Chi tiết hơn