Tivoli SecureWay Policy Director WebSEAL Administration Guide
Version 3.8
Tivoli SecureWay Policy Director WebSEAL \m8O
f(yw
© Copyright IBM Corporation 2001. All rights reserved. vI@U Tivoli Systems m~mI$-i
(;V IBM m~mI$-i)9C,r_w* IBM M'-irmI$-iPX Tivoli z7D=<9C#4- IBM +>BHifmI,{9TNNN=rNNVN(gSD"z5D"E'D"
b'D"/'D"K$DHH)T>iDNN?VxP4F"+%"*<"f"Zlw53Pr-kINNFczoT#IBM +>ZhzFwv)zT:9CD2=4rNNICFcz&mDD5DP^mI,0aG?vbyD4F7y&XP IBM +>Df(yw#4- IBM +>BHifmI,;Zhf(PDd|({#>D5;G*zz<8D,"RGT0vK4,1Dy!a)D,;PNNN=D#$#XKywb}PX>D5DyP#$,|(JzTMJCZ3X(C>D#$#
U.S. Government Users Restricted Rights—Use, duplication or disclosure restricted by GSA ADPSchedule Contract with IBM Corporation.
Lj
IBM" IBM Uj"Tivol i"Tivol i Uj"AIX"Cross -S i te"NetView"OS/2"Plane tTivoli"RS/6000"Tivoli Certified"Tivoli Enterprise"Tivoli Enterprise Console"Tivoli Ready M TMEGzJL5zw+>r Tivoli Systems Inc. Z@zM/rd|zRrXxDLjr"aLj#
Microsoft"Windows"Windows NT M Windows UjG Microsoft Corporation Z@zM/rd|
zRrXxDLj#
UNIX G The Open Group Z@zMd|zRrXxD"aLj#
Java MyPyZ Java DLjG Sun Microsystems, Inc. Z@zM/rd|zRrX
xDLj#
yw
>vfoPya=D Tivoli Systems r IBM Dz7"Lrr~q";5>b)z7"Lrr~q+ZyPP Tivoli Systems r IBM 5qDzRrXxPa)#NNTb)z7"Lrr~qD}
C"GbZ5>v\9C Tivoli Systems r IBM Dz7"Lrr~q#;*;V8 Tivoli Systemsr IBM DP'*6z(rd|\(I#$D({,NN,H&\Dz7"Lrr~q,<ITC
4zfya=Dz7"Lrr~q#Zkd|z7aO9C1,}KG)I Tivoli Systems r IBMw78(Dz7.b,d@@Mi$yIC'TP:p#Tivoli Systems r IBM +>I\Q5Pr}Zjkk>D5Z]PXDwn({#a)>D5"4ZhC'9Cb)({DNNmI$#
PXmI$i/DBK,C'ITk IBM Director of Licensing, IBM Corporation, North Castle Drive,Armonk, New York 10504-1785, USA if*5#
?<
0T . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
>8ODA_ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
>8ODZ] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv
Ve<( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv
`XD Policy Director D5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi
CJZ_D5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi
):D5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xviii
a)XZz7D5D4! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xviii
*5M''V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xviii
Z1B WebSEAL Ev . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
9C WebSEAL #$ Web Ud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
j6#$DZ]`MM6p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
f.M5V2+T_T . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Kb WebSEAL O$ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
O$?D . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Kb>$q! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
)9X(tT$i(EPAC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Kb WebSEAL *a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
WebSEAL *aM Web >cIluT . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Z2B WebSEAL ~qwdC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
;c~qwE" . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
webseald.conf dCD~ri. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
WebSEAL 20Dy?< . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
WebSEAL ~qwy?< . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
t/M#9 WebSEAL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
dC(EN} . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
* HTTP ksdC WebSEAL. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
* HTTPS ksdC WebSEAL. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
^F4TX( SSL f>D,S . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
dC HTTP M HTTPS $wLr_L . . . . . . . . . . . . . . . . . . . . . . . . . . 22
HTTP/HTTPS (ED,1N} . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
=S WebSEAL ~qw,1N} . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
\m Web Ud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Web D5wDy?< . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
dC?<w} . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Windows:CGI LrDD~|{<( . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
dC Web D5_Y:f . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
dC HTTP ms{" . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
j'V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
\m(FD HTML 3f . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
(F3fN}M5. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
(F HTML 3fhv. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
\mM'zKM~qwKD$i. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Kb GSKit \?}]bD~`M . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
dC WebSEAL D\?}]bN} . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
9C iKeyman $i\m5CLr . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
dC CRL li . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
dC1!#$6p. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
*%@wzMxgdC QOP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
dCZ(}]b|BMV/ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
dC|B(*l}. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
dCZ(}]bV/ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
4F0K WebSEAL ~qw . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
dCj< HTTP G< . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
tCM{C HTTP G<U> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
8(1dAGD`M . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
8(U>D~*fP5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
8("BU>D~:exD5J. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
dC request.log PG<DZ]$H . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
HTTP +2U>q=(CZ request.log) . . . . . . . . . . . . . . . . . . . . . . . . 48
T> request.log D~ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
T> agent.log D~ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
T> referer.log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Z3B WebSEAL 2+T_T . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
X(Z WebSEAL D ACL _T . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
/WebSEAL/<host> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
/WebSEAL/<host>/<file>. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
WebSEAL ACL mI(. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
1! /WebSEAL ACL _T . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
}N%wG<_T. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
|no( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
\k?H_T . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
I pdadmin 5CLrhCD\k?H_T . . . . . . . . . . . . . . . . . . . . . . . 55
|no( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
P'M^'D\k>} . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
X(C'M+VhC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
O$?H POP _T(]}). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
dC]}O$D6p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
tC]}O$ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
]}G<m% . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
]}O$c( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
]}O$"bBnM^F. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
yZxgDO$ POP _T . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
dCO$6p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
8( IP X7M6' . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
y] IP X7{C]}O$ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
yZxgDO$c( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
yZxgO$"bBnM^F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
#$6p POP _T . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
&m4O$DC'(HTTP/HTTPS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
&m4Td{M'zDks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
?FC'G< . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
4O$ HTTPS D&C . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
9C ACL/POP _TXF4O$C' . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Z4B WebSEAL O$ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
KbO$}L . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
\'VDa0}]`M . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
\'VDO$=(. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
j8dCE"N<. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
\ma04, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
GSKit M WebSEAL a0_Y:f . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
dC WebSEAL >$_Y:f. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
dC GSKit SSL a0j6_Y:f. . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Ca0 cookie ,$4, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
7(P'Da0j6}]`M . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
dCJO*F cookie. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
O$dCEv . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
>XO$N} . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
b?(F CDAS O$N} . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
WebSEAL O$D1!dC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
dC`vO$=(. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
a>G< . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
"zM|D\k|n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
dCy>O$ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
tCM{Cy>O$ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
hCr{F. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
dCy>O$zF. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
dCu~ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
dCm%O$ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
tCM{Cm%O$ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
dCm%O$zF. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
dCu~ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
(F HTML l&m%. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
dCM'zK$iO$ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
s(:(}$i`%O$. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
WebSEAL bT$i . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
tCM{C$iO$ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
dC$iO$zF. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
dCu~ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
dC HTTP 7O$ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
tCM{C HTTP 7O$ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
8(7`M. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
dC HTTP 7O$zF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
dCu~ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
dC IP X7O$ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
tCM{C IP X7O$ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
dC IP X7O$zF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
dCjGO$ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
tCM{CjGO$ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
dCjGO$zF. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
'V`74C/Pzm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
P'Da0}]`MMO$=(. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
MPA M`vM'zDO$xLw . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
tCM{C MPA O$ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
4( MPA DC'J' . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
+ MPA J'mS= webseal-mpa-servers i . . . . . . . . . . . . . . . . . . . . 102
MPA O$^F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Z5B gr"abv=8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
dC CDSSO O$ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
/I(F CDMF 2mb . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
9C CDMF D CDSSO O$xLw . . . . . . . . . . . . . . . . . . . . . . . . . . 104
tCM{C CDSSO O$ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
dC CDSSO O$zF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
S\O$jG}] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
dCjG1dAG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
mo CDSSO HTML 4S . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
#$O$jG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
dCgSgx%;"a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
gSgxXwM*s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
gSgxxLw . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
mbgSgx Cookie . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
mb0$51ksM&p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
mb0$51jG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
S\0$51jG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
dCgSgx . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Z6B WebSEAL *a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
WebSEAL *aEv . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
*a}]b;CMq= . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
&CV#HCJXF:** . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
&C8#HCJXF:** . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
4( WebSEAL *aD8< . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
WebSEAL ;'V HTTP 1.0 ;f*a. . . . . . . . . . . . . . . . . . . . . . . . . 127
WebSEAL *aD=SN< . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
9C0pdadmin server task14(*a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
dCy> WebSEAL *a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
TCP `M*a. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
SSL `M*a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
`%O$D SSL *a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
WebSEAL i$sK~qw$i . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
(P{F(DN)%d . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
9CM'z$iD WebSEAL O$ . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
9C BA 7D WebSEAL O$ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
&m(}*aDM'zm]E" . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
4( TCP M SSL zm*a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
(} SSL D WebSEAL A WebSEAL *a. . . . . . . . . . . . . . . . . . . . . . . . . 136
=S*a!n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
?FB*a(–f) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Z HTTP 7Pa)M'zm](–c) . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Z HTTP 7Pa)M'z IP X7(–r) . . . . . . . . . . . . . . . . . . . . . . . 140
+a0 Cookie "M=*aDE'x>~qw(–k) . . . . . . . . . . . . . . . 141
'V;xVs!4D URL(–i) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
&m4TE>MM'zK&CLrD URL(–j). . . . . . . . . . . . . . . . . . 142
9C*a3d&m`TZ~qwD URL . . . . . . . . . . . . . . . . . . . . . . . . 146
4,#fac'V(–s"–u). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
*4,#fac8(sK~qw UUID(–u) . . . . . . . . . . . . . . . . . . . . 148
*a= Windows D~53(–w) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
9C WebSEAL *aD<u"M: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Z,;*aO20`v~qw . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
}K4T*a~qwD2, HTML URL . . . . . . . . . . . . . . . . . . . . . . . 153
g}*a4PmI(Dl# . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
g}*aD$iO$ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
ZZ}=~qwO9C query_contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
20 query_contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
ZZ}= UNIX ~qwO20 query_contents. . . . . . . . . . . . . . . . . . . . 156
ZZ}= Win32 ~qwO20 query_contents . . . . . . . . . . . . . . . . . . . 157
(F query_contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
#$ query_contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Z7B Web %;"abv=8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
dC%;"abv=8D BA 7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
%;"a(SSO)En . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Z BA 7Pa)M'zm] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
a)M'zm]M;c\k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
*"-<M'z BA 7E" . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
}%M'z BA 7E" . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
S GSO a)C'{M\k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
9C+V"a(GSO) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
3dO$E" . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
dCtC GSO D WebSEAL *a . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
dC GSO _Y:f . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
%;"aA IBM WebSphere(LTPA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
dC LTPA *a. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
dC LTPA _Y:f . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
LTPA %;"aD<u"M: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Z8B &CLr/I . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
'V CGI `L . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Windows:'V WIN32 73d? . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
'VsK~qwK&CLr . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
tC/,LqJq . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
S LDAP }]4(LqJq . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
9((FvT/~q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
*vT/~qdC WebSEAL. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
vT/~q>} . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
a)T/, URL DCJXF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
/, URL i~ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
+ ACL Ts3dA/, URL. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
*/, URL |B WebSEAL. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
bvTsUdPD/, URL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
T POST ksdC^F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
\aM<u"M . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
/, URL >}:Travel Kingdom . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
&CLr . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
SZ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
2+T_T . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
2+M'z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
CJXF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
a[ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
=<A. webseald.conf N< . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
=<B. WebSEAL *aN< . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
9C0pdadmin server task14(*a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
*a|n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
*u<~qw4(B*a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
+=S~qwmS=VPD*a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
=<C. 9C iKeyman \m$i . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
t/ iKeyman 5CLr . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
r*1! WebSEAL \?}]b . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
4(B\?}]b . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
4(BT)}V$i . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
mSBy CA $i . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
>}y CA $i . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Z}]bd4F$i . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
+$ii!=D~;SD~mS$i . . . . . . . . . . . . . . . . . . . . . . . . . . 226
S}]b1S<k$i . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
+$i1S<v=}]b . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
ks~qw$i . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
SU}V$i . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
>}}V$i . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
8(B1!$i . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
|D}]b\k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
w} . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
0T
6-9C6Tivoli SecureWay Policy Director WebSEAL \m8O7#
Tivoli SecureWay Policy Director WebSEAL GyZ Web DJ4D Policy
Director J42+\mw#WebSEAL G_T\"`_LD Web ~qw,
T\#$D Web TsUd&C8#HD2+T_T#WebSEAL \a)
%;"abv=8,"+sK Web &CLr~qwJ4O"=d2+T
_TP#
>\m8Oa)\m2+ Web rJ4D+?}L0N<E"#>8O2
a)XZwV6'D WebSEAL &\DP[5D30MEnE"#
>8ODA_
>8ODA_|(:
¶ 2+\m1
¶ 5320M?p\m1
¶ xg53\m1
¶ IT hFK1
¶ &CLr*"_
>8ODZ]
¶ Z 1 B:WebSEAL Ev
>Bi\ WebSEAL DX*EnM&\,}g:i/M#$TsU
d"O$">$q!M WebSEAL *a#
¶ Z 2 B:WebSEAL ~qwdC
>BG WebSEAL #fdCNqD<uN<,|(:\m Web U
d",1N}"\m$i"&m4O$C'MX(Z WebSEAL D
ACL M POP _T#
¶ Z 3 B:WebSEAL 2+T_T
>Ba)Z WebSEAL O(F2+T_TDj8<u}L,|(:
ACL M POP _T"#$6p"]}O$_T"yZxgDO$_
T"}N%wG<_TM\k?H_T#
¶ Z 4 B:WebSEAL O$
>Ba)hC WebSEAL T\mwVO$=(Dj8<u}L,|
,:C'{M\k"M'K$i"SecurID jG(PzkMXb HTTP
7}]#
¶ Z 5 B:gr"abv=8
>BV[ WebSEAL zmdCb?Dgr"abv=8 — ZM'z
M WebSEAL ~qw.d#
¶ Z 6 B:WebSEAL *a
>BGhCM9C WebSEAL *aD+f<uN<#
¶ Z 7 B:Web %;"abv=8
>BV[ WebSEAL zmdCZ?D%;"abv=8 — Z
WebSEAL ~qwMsK*aD&CLr~qw.d#
¶ Z 8 B:&CLr/I
>BP?`VCZ/IZ}=&CLr&\D WebSEAL \&#
¶ =< A:webseald.conf N<
¶ =< B:WebSEAL *aN<
¶ =< C:9C iKeyman \m$i
Ve<(
>8OTXbuoMYw9CK8VVe<(#b)<(D,egB:
VeV |n{FM!n"X|VMd|Xkj+4U-D9CDE
",TVeVT>#
1eV d?"|nTd?MzXka)D5,T1eVT>#vfo
DjbMy?wDXbJrLo2T1eVT>#
HmVe zk>}"|nP"A;dv"D~M?<{,T053{"
yTHmVeT>#
`XD Policy Director D5Bm\aK;)ICD Policy Director D5,b)D5;Z Tivoli
SecureWay Policy Director 'V>cO:
Tivoli SecureWay Policy Director <uD5
208O
6Tivoli SecureWay Policy Director Base 208O7
6Tivoli SecureWay Policy Director WebSEAL 208O7
\m8O
6Tivoli SecureWay Policy Director Base \m8O7
6Tivoli SecureWay Policy Director WebSEAL \m8O7(>D5)
6Tivoli SecureWay Policy Director Edge Server e~\m8O7
6Tivoli SecureWay Policy Director Web Portal Manager \m8O7
*"_N<s+
Tivoli SecureWay Policy Director Authorization ADK Developer Reference
Tivoli SecureWay Policy Director Authorization API Java Wrappers Developer
Reference
Tivoli SecureWay Policy Director Administration API Developer Reference
6Tivoli SecureWay Policy Director WebSEAL *"_N<s+7
9dD5
6Tivoli SecureWay Policy Director "P5w7
Tivoli SecureWay Policy Director Performance Tuning Guide
Tivoli SecureWay Policy Director Capacity Planning Guide
CJZ_D5Tivoli Customer Support Web >c(http://www.tivoli.com/support/)a)
BPD5E"D4S:
¶ <uE",|("P5w"20MdC8O"\m8OM*"_N
<s+#
¶ #{Jbbp(FAQ)
¶ m~BXE"
IZ:http://www.tivoli.com/support/getting/ iR Customer Support
Handbook('V~q8O)#
IZ http://www.tivoli.com/support/documents/ CJZ_ Tivoli v
foDw}#%w Master Index IiRX(z7D'V3f#
I Z :
https://www.tivoli.com/secure/support/Prodman/html/AB.html#SecurityO(}z7f>(; Policy Director <uD5#
;)z7DD5a) PDF M HTML q=#3)z79a)-k}DD
5#
CJs?VDD5h*j6M\k#*q!Z'V Web >cO9CDj
6,k*A http://www.tivoli.com/support/getting/#
XZq! Tivoli <uD5M'VD|`E",-zL&N<
http://www.tivoli.com/support/smb/index.html#
XZq! Tivoli <uD5D|`E",L5oi&N<Zxviii3D:):
D5;#
):D5I ( } C J
http://www.tivoli.com/support/Prodman/html/pub_order.html Z_)
: Tivoli D5r&rTBg0.;I): Tivoli D5:
¶ @zM':(800) 879-2755
¶ SCsM':(800) 426-4968
a)XZz7D5D4!
RGG#Vbc}z9C Tivoli z7MD5DP\,"RG#6-za
)Dx(i#gPNNPXz7MD5Db{M(i,kTBP==.
;*5RG:
¶ "MgSJ~A [email protected]#
¶ Z http://www.tivoli.com/support/survey/ n4KM4!wim#
*5M''VTivoli Customer Support Handbook ;Z:
http://www.tivoli.com/support/handbook/
|a)XZ Tivoli M''VDw=fE",|(:
¶ "aMJq
¶ gNy]JbDOXT*5<u'V
¶ g0EkMgSJ~X7(!vZzyZDzRrXx)
¶ *5<u'V0&CQ/DE"
WebSEAL Ev
Tivoli SecureWay Policy Director WebSEAL G_T\"`_LD Web
~qw,T\#$D Web TsUd&C8#HD2+T_T#WebSEAL
\a)%;"abv=8,"+sK Web &CLr~qwJ4O"=d
2+T_TP#
>BEv+i\ WebSEAL ~qwDw*&\#
wbw}:
¶ :9C WebSEAL #$ Web Ud;
¶ Z43D:Kb WebSEAL O$;
¶ Z63D:Kb>$q!;
¶ Z83D:Kb WebSEAL *a;
9C WebSEAL #$ Web Ud
Tivoli SecureWay Policy Director WebSEAL GyZ Web DJ4D Policy
Director J42+\mw#
WebSEAL G_T\"`_LD Web ~qw,T\#$D Web TsU
d&C8#HD2+T_T#WebSEAL \a)%;"abv=8,"+
sK Web &CLr~qwJ4O"=d2+T_TP#
WebSEAL a)TB&\:
¶ 'V`VO$=(
ZC=Me~=e5a9<a)'V`VO$zFDinT#
¶ S\ HTTP M HTTPS ks
¶ (} WebSEAL *a<u/IM#$sK~qwJ4
¶ \mCZ>XMsK~qw Web UdD8#HCJXF
y'VDJ4|(:URL"yZ URL D}rmo="CGI Lr"
HTML D~"Java !~qLrM Java `D~#
¶ w*fr Web zm4P
TZM'z,WebSEAL Iw* Web ~qw,xTZ}\d#$D
*asK~qw,WebSEAL Iw* Web /@w#
¶ a)%;"a&\
< 1. 9C WebSEAL #$ Web Ud
j6#$DZ]`MM6pw* Web UdD2+\m1,zXk}7j6;,C'`MICDZ]
`M#;)Z]Xk\_H#$,;ICZX(DC';d|Z]IS
\#fD+2i4#?v2+T=8P;,D#$*sMX*D
WebSEAL dC#
zD0p*:
¶ Kb Web Z]
¶ j6*sCJCZ]DC'`M
¶ KbICZ#$KZ]D WebSEAL dC!nDEcMuc
Web Z]#$IV* 3 vs`:
1. +2Z] * CJ;h*#$
¶ (} HTTP D4O$M'zCJ
¶ TZJ4DCJXF9C4O$D>$
¶ y>D WebSEAL dC*s
2. +2Z] * CJ*s#\(S\)
¶ (} HTTPS D4O$M'zCJ
¶ #$&CLr~qw*sDtP}](}gEC(EMC'J'
E")h*S\
¶ TZJ4DCJXF9C4O$D>$
¶ WebSEAL dCh*#\
3. (CZ] * CJh*O$
¶ (} HTTP r HTTPS DQO$M'zCJ
¶ \m17(Gqh*S\
¶ TZJ4DCJXF9CQO$D>$;M'zXkZC'"a
mP(eJ'
¶ WebSEAL dC\4S,XkP8<GyP!nT7(2+T_T
D0l
f.M5V2+T_Ts5D2+T_T7(K:
1. h*#$D Web J4
2. #$6p
Policy Director 9C Web J4Dibm>,4y=D\#$TsUd#
\#$TsUd|,m>xgP5JomJ4DTs#
(}Th*#$DTs&CJ1D2+zF,IT5V2+T_T#
2+zF|(:
¶ CJXFm(ACL)_T
ACL _T7(K;O*ITxPCJDC'`M,"8(JmTCT
sxPDYw#
¶ \#$Ts_T(POP)
POP 8(=Su~T\mT\#$TsDCJ,}g#\T"j{
T"sFM?U1dDCJ#
¶ )9tT
)9tTGCZTs"ACL r POP D=S5,IIZ}=&CLr
(}gb?Z(~q)A!MbM#
Policy Director DKDi~GZ(~q * |yZC'D>$MCZTs
DCJXF,Jmr\xT\#$Ts(J4)DCJ#
*I&5V2+T_T,Xk_-i/;,DZ]`M(g:f.M5
V2+T_T;Pyv)"&CJ1D ACL M POP _T#CJXF\
mI\G#4S,+Z]`MP8V`+9CYwdC]W;)#
Kb WebSEAL O$
O$G;V7("TG<=2+rD%vxLr5eD=(#1~qw
MM'z<*sO$1,C;;}LMGy=D`%O$#
WebSEAL I*s?vM'za)m]$w,Sx5V2+rPD_H2
+T#1 WebSEAL XFT2+rP?vJ4DCJ1,WebSEAL D
O$MZ(*sIa)+fDxg2+T#
Z2+e5a9P,O$;,ZZ(#Z(7(;O$DC'GqP(
TX(J44PYw#O$7#vem]Df5T,+;TdTJ44
PYwD\&vNNPO#
TBu~&CZ WebSEAL O$:
¶ WebSEAL 'V;ij<DO$=(#
IT(F WebSEAL 'Vd|O$=(#
¶ WebSEAL }L@"ZO$=(#
¶ WebSEAL ;*sM'zm]#WebSEAL SKm]qCQO$D(r
4O$D)>$,Z(~qI9CC>$Jmr\xTJ4DC
J#
bVinDO$>6Jm2+T_TTL5hs"x;GTomxgX
Ka9*y!#
O$?Dd; WebSEAL @"ZO$}L,+|*sPO$Da{ * M'zm
]#O$}L+<BTBYw:
1. O$=(zzM'zm]
< 2. `%O$
;P1C'_PZ Policy Director C'"amP(eDJ'1,M'
zO$EaI&#qr+8(C'*4qO$#
2. WebSEAL 9Cm]*CM'zq!>$
WebSEAL +QO$DM'zm]kQ"aD Policy Director C'`
%d#;s WebSEAL q!JCZKC'D>$#bMG>$q!#
>$|(C'{MC'_PdI1JqDNNi#
g{C'd{,WebSEAL +9(4O$D>$#
b)>$ICZZ(~q,C~qJmr\xCJ WebSEAL \#$
TsUdPQksDTs#
NN*sM'zE"D Policy Director ~q<I9C>$#>$Jm
Policy Director 2+X4P`V~q,}gZ("sFM/I#
PX'VX(O$=(Dx;=E",kNDZ693D:WebSEAL O
$;#
Kb>$q!
O$}LDw*?D.;MGq!hvM'zC'D>$E"#C'>
$GNk2+rn/Dw**s.;#
Policy Director xVC'O$M>$q!#C'm]@6G#?#+>$
* (eC'NkDirG+ * 4Gd?#X(ZOBDD>$If1
d|D#}g,1C'z}1,>$Xk43BD0p6p#
O$}L+zIX(Z=(DC'm]E"#+TU$tZ Policy
Director C'"am(1!ivB* LDAP)DC'J'E"TKE"x
Pli#WebSEAL +C'{MiDE"3d*+2r6'Dm>==,
dq=*0)9X(tT$i1(EPAC)#
X(Z=(Dm]E",}g\k"jGM$i,m>C'Domm]
tT#KE"ICZ("k~qwD2+a0#
zID>$m>C'Z2+rPDX(,hvX(OBDPDC',R
vZa0P'ZZP'#
Policy Director >$|,C'm]MC'_PdI1JqDi#
)9X(tT$i(EPAC)>$INNh*XZM'zDE"D Policy Director ~q9C#
}g,Z(~q9C>$T7(GqQZ(C'T2+rPD\#$J
44PX(Yw#
EPAC |,0(;+Vj6{1(UUID),Policy Director h*|4&
mCJXFPm(ACL)#
Policy Director +>$CZd|~q,}g:
¶ sF~q
¶ WebSEAL *aPD/I\&
TB EPAC VNJCZ Policy Director:
tT hv
2+rj6 weDw2+rj6
< 3. +m]E"3d=>$
we UUID weD UUID
i UUID weytiD UUID
Kb WebSEAL *a
Policy Director a)xgDO$"Z(M\m~q#ZyZ Web Dxg
P,b)~qnCI;vr`v0K WebSEAL ~qwa),b)~q
w/IM#$;ZsK Web ~qwOD Web J4M&CLr#
WebSEAL ~qwMsK Web &CLr~qw.dD,SFw WebSEAL
*ar*a#WebSEAL *aG0K WebSEAL ~qwMsK~qw.
dD TCP/IP ,S#
sK~qwITGm;v WebSEAL ~qw,r_|#{X,GZ}=
Web &CLr~qw#sK~qw Web UdGZ WebSEAL {FUd
DXp8(D*a(20)ck WebSEAL ~qw0,S1D#
*aJm WebSEAL zmsK~qwa)#$~q#ZrsK~qw+
]ks.0,WebSEAL \T+?ks4PO$MZ(li#g{sK~
< 4. ,S WebSEAL MsK~qwD*a
qwh*TTsD8#HCJXF,Xk4P=SDdC=h,r Policy
Director 2+~qhvZ}= Web Ud(kNDZ1553D:ZZ}=~
qwO9C query_contents;)#
*aa)IluD"2+D73,C73Ia):X=b"_ICTM
4,\m\& * +?TM'z8w4P#w*\m1,zIqfZbV
{FUdD/P\m#
WebSEAL *a(}_-X+sK~qwD Web UdM WebSEAL ~
qwD Web UdiOZ;pTa)=S5#-w~qwdD*azz%
@D"3;D"V<= Web Ud,|TC'G^lM8wD#
M'S;h**@ Web J4Dom;C#WebSEAL +_- URL X7
*;IsK~qwZ{DomX7#I+ Web TsS;v~qwF/=
m;v~qw,x;a0lM'zCJb)TsD==#
3;D Web Udr/K53\m1TyPJ4D\m#d|D\mEc
|(IluT":X=bM_ICT#
s?VL5 Web ~qw;_P(e_- Web TsUdD\&#!kz
.,|GDCJXFGkomD~M?<a9,SD#WebSEAL *aI
w7(eTsUd,|43Ki/a9x;Gj< Web ~qwOv=D
omzwM?<a9#
WebSEAL *a2Jm4(%;"abv=8#%;"adCJmC'v
9C;Nu<G<CJJ4(kJ4D;C^X)#TNN4TsK~
qwDx;=G<*sD&mTC'<G8wD#
WebSEAL *aG9zD Web >cIluDX*$_#*aJmz(}
mS=SD~qw4l&T Web >cDv$D*s#
< 5. WebSEAL *azz3;D Web Ud
WebSEAL *aM Web >cIluT9C WebSEAL *aI4(IluD Web >c#fET Web >c*
sDv$,I=cXmS|`D~qw,)d>cD]?#
IZTB-r,ImS=SD~qw:
¶ C=SZ])d>c
¶ *K:X=b"JO*FM_ICT\&x4FVPZ]
Q4FD0K WebSEAL ~qw
TsK~qwD*a'VCAY;v0K WebSEAL ~qw4t/#Q
4FD0K WebSEAL ~qwZs?hsZdr>ca):X=b#:
X=bzFIg, IBM Network Dispatcher r Cisco Local Director b
yDzF4&m#
0K4F9r>ca)JO*F&\ * g{~qwIZ3v-r'\,
#`D1>~qw+Lxa)T>cDCJ#I&D:X=bMJO*
F\&*>cC'x4_ICT#
Z4F0K WebSEAL ~qw1,?v~qwXk|, Web UdM*
a}]bD+71>#
CZO$DJ'E"$tZ@"Z0K~qwDC'"amP#
'VsK~qw
Web >cZ]ITI WebSEAL ~qw>m"sK~qwr~_DiO
a)~q#WebSEAL *a'VsK~qw,Jm(}=SDZ]MJ4
lu Web >c#
?v(;DsK~qwXkk%@D*a(20)c*a#fET=S
Z]*sDvS,I(}*amS|`D~qw#K=8*ZZ}= Web
~qwOPO`VP6JDxga)Kbv=8#
< 6. Q4FD0K WebSEAL ~qw
B<5w*agNa)3;D"_-DTsUd#C Web UdTZC'
G8wD,"RJm/P\m#
< 7. *asK~qw
gB;Zyv,Q4FDsK~qwk`,D*ac*a#
4FDsK~qw
*+IluT&\)9=sK~qwdC,zIT4FsK~qw#g
,1>0K~qw,1>sK~qwXk|,%*5sD Web Ud#
WebSEAL 9C0nUP1wHc(Zw1>~qwPxP:X=b#K
c(+?vBDks(r=QP,S}nYD~qw#
1~qw1z1,WebSEAL 2+}7XxPJO*F;;)XBt/~
qw,WebSEAL 2+*<XB9CC~qw#
g{sK&CLr*s4,,$Z8v3fP,9C4,#facI7
#?va0<5XA,;vsK~qw#
< 8. 3;D Web Ud
< 9. 4FDsK~qw
WebSEAL ~qwdC
>B|,hv#f\mMdCNqDE",zIT4Pb)Nq*xg
(F WebSEAL ~qw#
wbw}:
¶ Z183D:;c~qwE";
¶ Z203D:dC(EN};
¶ Z253D:\m Web Ud;
¶ Z313D:dC HTTP ms{";
¶ Z343D:\m(FD HTML 3f;
¶ Z353D:\mM'zKM~qwKD$i;
¶ Z403D:dC1!#$6p;
¶ Z423D:dCZ(}]b|BMV/;
¶ Z433D:4F0K WebSEAL ~qw;
¶ Z453D:dCj< HTTP G<;
;c~qwE"
TBwZhvXZ WebSEAL ~qwD;cE":
¶ :webseald.conf dCD~ri;
¶ Z193D:WebSEAL 20Dy?<;
¶ Z203D:WebSEAL ~qwy?<;
¶ Z203D:t/M#9 WebSEAL;
webseald.conf dCD~ri
IT(}dC;Z webseald.conf dCD~DN}(F WebSEAL DY
w:CD~;ZTB?<:
UNIX:
/opt/pdweb/etc/
Windows:
C:\Program Files\Tivoli\PDWeb\etc\
Bm\aKw?VMwZ:
?V Z
WEBSEAL GENERAL [server]
LDAP [ldap]
SSL [ssl]
JUNCTION [junction] [filter-url] [filter-schemes]
[script-filtering] [gso-cache] [ltpa-cache]
AUTHENTICATION [ba] [forms] [token] [certificate]
[http-headers] [auth-headers] [ipaddr]
[authentication-levels] [mpa] [cdsso]
[cdsso-peers] [failover] [e-community-sso]
[inter-domain-keys]
[authentication-mechanisms] [ssl-qop]
[ssl-qop-mgmt-hosts]
[ssl-qop-mgmt-networks]
[ssl-qop-mgmt-default]
SESSION [session]
CONTENT [content] [acnt-mgt] [cgi] [cgi-types]
[cgi-environment-variable]
[content-index-icons] [icons] [content-cache]
[content-mime-types] [content-encodings]
LOGGING [logging]
AUTHORIZATION API [aznapi-configuration]
[aznapi-entitlement-services]
POLICY DIRECTOR [policy-director]
kNDZ1953D:webseald.conf N<;#
":?N|D webseald.conf D~1,<XkV$XBt/ WebSEAL,
b y M I6p B D | D # k N D Z 2 0 3 D : t / M #9
WebSEAL;#
WebSEAL 20Dy?<
WebSEAL LrD~20ZTBy?<P:
UNIX:
/opt/pdweb/
Windows:
C:\Program Files\Tivoli\PDWeb\
ITZ Policy Director Windows f20PdCC76#+;\Z Policy
Director D UNIX 20PdCC76#
>8O9C <install-path> d?zmbvy?<#
Z UNIX 20P,TB@"?<|,I)9DD~,}gsFMU>D
~:
/var/pdweb/
WebSEAL ~qwy?<
webseald.conf dCD~PD server-root N}(et/1 WebSEAL ~
qwYwD;C#
[server]
server-root = /opt/pdweb/www
webseald.conf dCD~Pm>DyP`T76{<G`TZKy?<
D#
":(#ivB,;&1|DK76{#
t/M#9 WebSEAL
ITZ UNIX O9C pdweb_start |nT0Z Windows O9C0~
qXFfe1t/M#9 WebSEAL ~qwxL#
UNIX:
pdweb_start {start|stop|restart|status}
}g,*#9 WebSEAL ~qw,;sXBt/~qw,k9C:
# pdweb_start restart
pdweb_start |n;ZTB?<P:
/opt/pdweb/bin/
Windows:
Z0~qXFfe1Pj6 WebSEAL ~qwxL"9CJ1DXF4
%#
dC(EN}
TBwZhvXZ WebSEAL ~qwD;cE":
¶ Z213D:* HTTP ksdC WebSEAL;
¶ Z213D:* HTTPS ksdC WebSEAL;
¶ Z223D:^F4TX( SSL f>D,S;
¶ Z223D:dC HTTP M HTTPS $wLr_L;
¶ Z233D:HTTP/HTTPS (ED,1N};
¶ Z243D:=S WebSEAL ~qw,1N};
* HTTP ksdC WebSEAL
WebSEAL (#&mm`4T4O$C'D HTTP ks#}g,(#J
md{C'T Web >cD+2?VOD!(D5xP;ACJ#
(} TCP &m HTTP ksDN};Z webseald.conf dCD~D
[server] ZP#
tC/{C HTTP CJ
Z WebSEAL dCZdtCr{C HTTP CJ:
http = {yes|no}
hC HTTP CJKZ5
HTTP CJD1!KZG 80:
http-port = 80
}g,*+KZ|D* 8080,khC:
http-port = 8080
* HTTPS ksdC WebSEAL
CZ&m SSL OD HTTP ks(HTTPS)DN};Z webseald.conf
dCD~D [server] ZP#
tC/{C HTTPS CJ
Z WebSEAL dCZdtCr{C HTTPS CJ:
https = {yes|no}
hC HTTPS CJKZ5
HTTPS CJD1!KZG 443:
https-port = 443
}g,*+KZ|D* 4343,khC:
https-port = 4343
^F4TX( SSL f>D,S
IT@"XtCM{C SSL f> 2"SSL f> 3 M TLS f> 1 D,
S#XFX( SSL M TLS f>,SDN};Z webseald.conf dCD
~D [ssl] ZP#1!ivB,tCyP SSL M TLS f>#
[ssl]
disable-ssl-v2 = no
disable-ssl-v3 = no
disable-tls-v1 = no
dC HTTP M HTTPS $wLr_L
QdCD$wLr_L}?8(K~qwy\~qD"PxkksD}
?#1yP$wLr_LHO&1,=oDd|,S+xk:ex,1
=PICD$wLr_L*9#
IThC* WebSEAL Dxk,S~qDIC_L}#k+DdC$w
Lr_LD}?,r*|I\0lT\#
CdCN}";?F*s,1,SDO^}?#KN}r%X8(K_
L}?,IT*1ZD;\F^D$wSPa)~q#
ky]TxgD(E?M(E`MDKb,!q$wLr_LDnQ}
?#
fE_L}?DvS,jIksD=y1d;cGuYD#;x,vS
_L}?I\0ld|rX,b)rXaT~qwT\zz:f0l#
WebSEAL ,$%@D;c$wLrPmM$wLr_LX,T&m4T
M'zD9C TCP"SSL r GSSAPI (@Dks#bVv?DzF9
WebSEAL \;Z&m`1sD:X1v{DOYD53J4#
IT(}hC webseald.conf dCD~PD [server] Z?VPD
worker-threads N}dC$wLr_LXs!#
[server]
worker-threads = 50
":?R(i;ZTT\JbxPJOoO1E|DKN}#
HTTP/HTTPS (ED,1N}
WebSEAL 9C SSL D IBM Global Security Kit(GSKit)5V#1
WebSEAL SU=4T HTTPS M'zDks1,GSKit SSL +("u
<UVEE",$a04,#
WebSEAL 'VTB HTTP M HTTPS (ED,1N}#b)N};Z
webseald.conf dCD~D [server] ZP#
¶ client-connect-timeout
;)QvVu<UVEE,rCN}+8>TZu< HTTP r
HTTPS ks,WebSEAL #V,Sr*D1d$H#1!5G 120
k#
[server]
client-connect-timeout = 120
¶ persistent-con-timeout
CN}X(Z HTTP/1.1(G HTTP/1.0),S#ZZ;N HTTP/1.1
ksM~qwl&s,CN}XF WebSEAL XU.0#V HTTP/1.1
VC,Sr*Dnsk}#1!5* 5 k#
[server]
persistent-con-timeout = 5
=S WebSEAL ~qw,1N}
TB=S,1N}IZ webseald.conf dCD~PhC:
N} hv 1!5(k)
[junction] http-timeout (} TCP *arsK~qw"
M}]MS|A!}]D,1
5#
120
[junction] https-timeout (} SSL *arsK~qw"
M}]MS|A!}]D,1
5#
120
[cgi] cgi-timeout r>X CGI xL"M}]MS
|A!}]D,15#
120
[junction] ping-time WebSEAL *?v*aD~qw
(Z4Ps( ping,T7(|G
Gq}ZKP# WebSEAL n`
? 300 k ping ;N,;a|5
1(^[h(DGN5)#
300
< 10. HTTP M HTTPS (ED,1N}
\m Web Ud
TBwZhv\m Web UdyhDNq:
¶ :Web D5wDy?<;
¶ Z263D:dC?<w};
¶ Z273D:Windows:CGI LrDD~|{<(;
¶ Z283D:dC Web D5_Y:f;
Web D5wDy?<
Web D5w;CG`TZD5DD5wy?<DxT76,WebSEAL 9
b)D5I*ICD5#C76{I webseald.conf dCD~ [content]ZPD doc-root N}m>#nuZ WebSEAL 20Zd("1!;C:
UNIX:
doc-root = /opt/pdweb/www/docs
Windows:
doc-root = C:\Program Files\Tivoli\PDWeb\www\docs
C5;9C;N * 20sZ;Nt/ WebSEAL D1r#;sC5;
f"Z*a}]bP#TsZ webseald.conf PTC5Dx;=^DT
|;P0l#
20s,Xk9C pdadmin 5CLr4|DD5y?<;C5#TB>
}(~qw{F* websealA)5wKK}L:
1. G<= pdadmin:
# pdadmin
pdadmin> login
dkC'j6:sec_master
dk\k:
pdadmin>
2. 9C server task list |nT>yP10*ac:
pdadmin> server task websealA list
/
3. 9C server task show |nT>*aDj8E":
pdadmin> server task websealA show /
*ac:/
`M:>X
*a2^F:0 * 9C+V5
*am^F:0 * 9C+V5
n/D$wLr_L:0
y?<:/opt/pdweb/www/docs
4. 4(BD>X*a4f;10*ac(h* -f !n4?F2GVP*
aDB*a):
pdadmin> server task websealA create -t local -f -d /tmp/docs /
Created junction at /
5. PvB*a:
pdadmin> server task websealA list
/
6. T>C*aDj8E":
pdadmin> server task websealA show /
*ac:/
`M:>X
*a2^F:0 * 9C+V5
*am^F:0 * 9C+V5
n/D$wLr_L:0
y?<:/tmp/docs
dC?<w}
ksD URL mo=T?<{ax1,zIT8(I WebSEAL 5XD
1!D~D{F#g{C1!D~fZ,WebSEAL r+D~5XM'
z#g{D~;fZ,r WebSEAL +/,zI?<w}"+Pm5X
M'z#
CZdC?<w}D~DN};Z webseald.conf dCD~D [content]ZP#
w}D~D1!5*:
[content]
directory-index = index.html
g{zD>c9C;,D<(,IT|DKD~{#}g:
[content]
directory-index = homepage.html
g{ksPD?<;|, directory-index N}(eDw}D~,r
WebSEAL +/,zI?<w}#zIDw}|,?<Z]Pm,xPA
?<PD?vu?D4S#v1M'zksCJTZC?<Z ACL O_
P0Pm1(l)mI(D?<1,EazIw}#
IT*zIDw}PPvD?vD~`MdCI WebSEAL 9CDX(
<N<j#webseald.conf dCD~PD [content-index-icons] Z|,
D5 MIME `MMT>DX* .gif D~DPm:
[content-index-icons]
image/* = /icons/image2.gif
video/* = /icons/movie.gif
audio/* = /icons/sound2.gif
text/html = /icons/generic.gif
text/* = /icons/text.gif
application/x-tar = /icons/tar.gif
application/* = /icons/binary.gif
ITdCKPmT*?;v MIME `M8(d|<j#2IT6L(;
<j#}g:
application/* = http://www.acme.com/icons/binary.gif
2ITdCTB=S<j5:
¶ CZm>S?<D<j:
[icons]
diricon = /icons/folder2.gif
¶ CZm>8?<D<j:
[icons]
backicon = /icons/back.gif
¶ CZm>4*D~`MD<j:
[icons]
unknownicon = /icons/unknown.gif
Windows:CGI LrDD~|{<(
|,Z webseald.conf dCD~D [cgi-types] ZPDN}Jmz8(
Windows D~)9`M,C`M+w* CGI Lr;6pM4P#
UNIX Yw53;h*D~)9{#+Xk* Windows Yw53(eD
~)9`M# [cgi-types] ZPvKyPP'D)9`M,"R(ZX*
1)+?v)9{3d=J1D CGI Lr#
[cgi-types]
<extension> = <cgi-program>
1!ivB,;+G)xPkZPyPD~)9{%dDD~w* CGI
Lr4P#g{PmP;|,3v CGI LrD)9{,+;4PCL
r#
xP .exe )9{DD~+I Windows 1!w*Lr4P,;h*3
d#
":+G,^[N1k*Z Windows O20 .exe D~CZBX,<X
kX|{C)9{r+D~20*i5D~D;?V(}g .zip)#
zXk*zmbME>D~D)9{a)J1DbMLr#b))9{
`MD>}|(:shell E>(.sh M .ksh)"Perl E>(.pl)M Tcl
E>(.tcl)D~#
TB>}5wK;vdMD [cgi-types] ZdC:
[cgi-types]
bat = cmd
cmd = cmd
pl = perl
sh = sh
tcl = tclsh76
":Z .bat M .cmd D~D9CPaf0=OXD2+TJb#kww
9Cb)D~`M#
dC Web D5_Y:f
IZ Web D5lwT\;Q,M'zI\a-#v=xgf!1dMD
~BX1d}$DJb#IZ WebSEAL ~qw}ZH}S*aDsK
~qwrYH|}D>Xf"wlwD~,rKa<BT\;Q#
Web D5_Y:f&\Jm++2CJD Web D5`Mf"Z
WebSEAL ~qwDZfP#LxksQ-_Y:fZ WebSEAL ~q
wPDD51,M'z+qClC`Dl&#
_Y:fDD5I|(2,DD>D5M<N<q#+;\_Y:f/
,zzDD5,}g}]bi/a{ #
Web D5_Y:fa)KinT,ITS WebSEAL x;Gg=*aD
sK~qwqCD5#
_Y:fGZ MIME `MDy!O4PD#* Web D5_Y:fdC
WebSEAL 1,+j6TB}vN}:
¶ D5 MIME `M
¶ f"iJ`M
¶ f"iJs!
Z webseald.conf dCD~D [content-cache] ZP(e Web D5_
Y:f#&CTBo(:
<mime-type> = <cache-type>:<cache-size>
N} hv
mime-type zm HTTP0Content-Type:1l&7P+MDNNP' MIME
`M#C5IT|,(d{(*)#*/* 5zm1!DTs_Y
:f,|+#t;{OT=dCD_Y:fDNNTs#
cache-type 8(CZ_Y:fDf"iJ`M#Policy Director D>"P
f;'V0memory1_Y:f#
cache-size 8(Zy]0n|nY9C1c(}%Ts0,x(_Y:
fs!Iv$=Dns5(T KB F)#
>}:
text/html = memory:2000
image/* = memory:5000
*/* = memory:1000
Web D5_Y:fzF[lTBb)u~:
¶ ;Z(e_Y:f1"z_Y:f#
¶ 201;(e_Y:f#
¶ g{;8(1!_Y:f,+;a_Y:fkNNT=_Y:f;
%dDD5#
¶ T;T_Y:fE"DyPks4PZ(#
"ByP_Y:f
IT9C pdadmin 5CLr4"ByPQdCD_Y:f#C5CLr
;Jm"B%v_Y:f#
ZIT9C pdadmin .0,Xkw* Policy Director \m1
sec_master G<A2+r#
*"ByP Web D5_Y:f,kdkTB|n:
UNIX:
# pdadmin server task <server-name> cache flush all
Windows:
MSDOS> pdadmin server task <server-name> cache flush all
_Y:f3FE"
IT9C pdadmin 5CLr4a)10_Y:f9CivDy>3FE
"#3FE"m>_Y:fP#tDn}?MT?nDks}?#
ZIT9C pdadmin .0,Xkw* Policy Director \m1
sec_master G<A2+r#
*qC10_Y:f9CivD3FE",kdkTB|n:
UNIX:
# pdadmin server task <server-name> cache stat
Windows:
MSDOS> pdadmin server task <server-name> cache stat
dC HTTP ms{"
P1,WebSEAL ~qwT<*ks~q4'\#Pm`I\}p'\D
-r#}g:
¶ D~;fZ
¶ mI(hC{9CJ
¶ ;}7D UNIX D~mI(r`Fiv9C CGI Lr^(4P
~qks'\"z1,~qw+r/@w5Xms{",}g,Z HTML
ms3PD0403 ;{91#P8VICDms{";?v{"<f"Z
%@D HTML D~P#
b)D~f"ZTB?<P:
UNIX: <install-path>/www/lib/errors/<locale-dir>
Windows: <install-path>\www\lib\errors/<locale-dir>
errors ?<|,m`oT73S?<,|,ms{"D~D>X/f
>#
}g,@z/"o{"D?<76*:
UNIX: <install-path>/www/lib/errors/en_US
Windows: <install-path>\www\lib\errors/en_US
C?<PD{"T HTML q=#f,rK\Z/@wP}7T>#IT
`-b) HTML 3fT(F|GDZ]#D~{FGYw'\15XD
Z?mskD.yxF5#;\|Db)D~{#
Bm|,;)|Uims{"DD~{MZ]Pm:
D~{ jb hv HTTP m
sk
132120c8.html O$'\ ^(*9CDM'$ilw>$#I
\D-r|(:
¶ C'a)K;}7D$i
¶ $iQ;7{
¶ O$}]b1YC'>$
1354a2fa.html GU?< ksDYw*sp6GU?<#bG
G(Yw#
1898d259.html ^("aC' ksDJ4*s WebSEAL ~qw"a
C'Am;v Web ~qw#;x,1
WebSEAL T<lwE"1"zJb#
1898d25a.html C';P%;"aE
"
WebSEAL ^(*ksDJ4(; GSO
C'#
1898d25b.html C';P%;"a?
j
WebSEAL ^(*ksDJ4(; GSO
C'#
1898d25c.html C'P`v"a?j *ksDJ4(eK`v GSO ?j#
bG;vmsdC#
1898d25d.html h*G< ksDJ4I*aDsK Web ~qw
#$,*s WebSEAL "aC'AC
Web ~qw#*K,C'XkHG<
= WebSEAL#
1898d25e.html ^("aC' ksDJ4*s WebSEAL ~qwCC
'"a=m;v Web ~qw#+C'
JED"aE";}7#
1898d25f.html bbDO$aJ WebSEAL S*aDsK Web ~qw
SU=bbDO$aJ#
1898d421.html Y1F/ ksDJ4Q;Y1F/#(#"z
ZvVms&mDX(rDiv#
302
1898d424.html msks WebSEAL SU=^'D HTTP ks# 400
1898d425.html h*G< ksDJ4I WebSEAL #$,*CJ
|,XkHG<#
1898d427.html ;{C C';_PCJksDJ4DmI
(#
403
1898d428.html R;= ^((;ksDJ4# 404
1898d432.html ~q;IC WebSEAL yhDCTjIksD~q
10;IC#
503
1898d437.html ~qwRp WebSEAL ~qwQ;53\m1Y1
]R#Z\m1+~qw5Xx~q
0,+;&mks#
1898d439.html *'a0E" /@w/~qwD;%Gk;Yl&
D*aDsK~qwD4,a0#
WebSEAL h*C~qwOD~qTj
Iks#
1898d442.html ~q;IC WebSEAL *sD~q;Z*aDsK
~qwO,K~qwOD SSL `%O
$'\#
1898d7aa.html CGI Lr'\ CGI Lr^(}74P#
default.html ~qwms IZbbms,WebSEAL ^(jIk
s#
500
deletesuccess.html I& M'zt/D DELETE ksI&j
I#
200
putsuccess.html I& M'zt/D PUT YwI&jI# 200
relocated.html Y1F/ ksDJ4Q;Y1F/# 302
websealerror.html 400 WebSEAL ~qw
ms
WebSEAL ~qwZ?ms# 400
j'VTBjICZ(F0ZPPvD HTML ms3f#jI/,f;J1D
ICE"#
j hv
%ERROR_CODE% mskD}5#
%ERROR_TEXT% {"`?PkmskX*DD>#
%METHOD% M'zksD HTTP =(#
%URL% M'zksD URL#
%HOSTNAME% +^(wz{#
%HTTP_BASE% ~qwDy> HTTP URL0http://<host>:<tcpport>/1#
%HTTPS_BASE% ~qwDy> HTTPS URL0https://<host>:<sslport>/1#
%REFERER% 4TksDN<E"7D5,g{;Pr*04*D1#
%BACK_URL% 4TksDN<E"7D5,g{;Pr*0/1#
%BACK_NAME% g{ZksPPN<E"7,5*0BACK1,g{;P,5*
0HOME1#
\m(FD HTML 3f
Policy Director |,y> HTML m%,I;(F*|,X(Z>cD{
"r4PX(Z>cDYw#s?Vm%JCZ(} HTTP r HTTPS D
m%"jGM BA O$#
b)m%DD~;CI webseald.conf dCD~D [acnt-mgt] ZPD
mgt-pages-root N}(e#
mgt-pages-root = lib/html/<lang-dir>
5J9CD?<yZ>X/#1!D@z"o?<*:
lib/html/C
UooT73+D~(;Z:
lib/html/JP
(F3fN}M5
TBXbD HTML 3fN}M5;Z webseald.conf dCD~D
[acnt-mgt] ZP#;)3fvIa)m]E"Dm%G<=(9C#
N} 3f C(
login = login.html m%G<
logout = logout.html m%G<
account-locked = acct_locked.html NN=(
passwd-expired = passwd_exp.html NN=(
passwd-change = passwd.html NN=(
passwd-change-success = passwd_rep.html NN=(
passwd-change-failure = passwd.html NN=(
help = help.html NN=(
token-login = tokenlogin.html jGG<
next-token = nexttoken.html jGG<
stepup-login = stepuplogin.html ]}O$
(F HTML 3fhv
m% hv
login.html C'{M\kDj<ksm%
logout.html I&"zsT>D3f#
acct_locked.html IZx(DJ'<BC'O$'\,xT>D3f#
passwd_exp.html IZ''\k<BC'O$'\,xT>D3f#
passwd.html |D\km%#g{\k|Dks'\,2aT>K3f#
passwd_rep.html g{\k|DksI&xT>D3f#
help.html |,AP'\m3fD4SD3f#
tokenlogin.html jGG<m%#
nexttoken.html B;vjGm%#
stepuplogin.html ]}O$G<m%#
P=vjICZb)3fP#I+b)jV{.ECZ#eD~P#j
+/,Xf;`&DD5#
j hv
%USERNAME% C'G<D{F#
%ERROR% S Policy Director 5XD2`kDms{"#
\mM'zKM~qwKD$i
>ZhvhC WebSEAL yhD\mMdCNq,Tc&mCZ(}
SSL O$DM'zKM~qwK}V$i#
WebSEAL h*$iCZTBiv:
¶ WebSEAL 9Cd~qwK$ir SSL M'zmwT:m]
¶ WebSEAL CM'zK$ir*aDsK~qw(*`%O$xd
C)mwT:m]
¶ WebSEAL iDdO$PD(CA)y$i}]b,Ti$9CM'z
K$ixPCJDM'z
¶ WebSEAL iDdO$PD(CA)y$i}]b,Ti$*`%O$
xdCD*aDsK~qw#
WebSEAL 9C SSL D IBM Global Security Kit(GSKit)5V4dC
M\m}V$i#GSKit a) iKeyman 5CLr4hCM\m$i\?
}]b,C}]bP|,;vr`v WebSEAL ~qw/M'z$iM
CA y$i#
WebSEAL Z201|,TBi~,Tc(}}V$i'V SSL O$:
¶ 1!\?}]b(pdsrv.kdb)
¶ 1!\?}]bf"D~(pdsrv.sth)M\k(0pdsrv1)
¶ ;)+2D CA y$i
¶ T)DbT$i,WebSEAL IC|r SSL M'zmwT:m]
FvS*{DO$PDjk#{D$i4f;CbT$i#
WebSEAL $i&mDdC|(:
¶ Z373D:dC WebSEAL D\?}]bN};
¶ Z393D:9C iKeyman $i\m5CLr;
¶ Z403D:dC CRL li;
Kb GSKit \?}]bD~`MIBM Key Management $_(iKeyman)9CBmP\aD8VD~`
M#
CMS \?}]bI;vxP .kdb )9{DD~MI\D=vr|`d
|D~9I#4(B\?}]b1,+4( .kdb D~#.kdb D~PD
\?G<ITG$irxPdS\D(C\?E"D$i#
4(B$iks1,+4( .rdb M .crl D~#Z{v CA $iks
}LP, .rdb D~<GXhD#
D~`M hv
.kdb 0\?}]b1D~#f"vK$i"vK$iksM)p_$i#
}g,1! WebSEAL \?}]bD~G pdsrv.kdb#
.sth 0f"1D~#f"\?}]b\kDS\f>#KD~Dy{Fk
X*D .kdb D~D`,#
.rdb 0ks1}]bD~#4( .kdb \?}]bD~1,+T/4(KD
~#KD~Dy{FkX*D .kdb D~D`,#KD~|,4jID
$iks,94S CA SUXCks#1$iS CA 5X1,+Z
.rdb D~PQw%dD$iks(yZ+C\?)#g{R=%d,r
SUks"RS .rdb D~>}`&D$iks#g{R;=%d,r
\xSU$iD"T#$iksP|,+2{F"i/"V@X7M
d|ks18(DE",T0kksX*D+CM(C\?#
.crl 0$i7zPm1D~#KD~(#|,QIZ;Vrm;V-rx
!{D$iPm#;x,iKeyman ;*$i7zPma)NN'V,y
TKD~GUD#
.arm T ASCII `kD~xFD~#.arm D~|,$iT base-64 `kD
ASCII m>,|,d+C\?,+;|,(C\?#-<~xF$i}
]+*;* ASCII m>#1C'SU= .arm D~q=D$i1,
iKeyman + ASCII m>bk"+~xFm>EkJ1D .kdb D~P#
,y,1C'S .kdb D~i!$i1,iKeyman a+}]S~xF*
;* ASCII "+dEk .arm D~P#.arm D~PD ASCII }]G
$iks}LZdz"MA CA DZ]#"b:(} .arm b);*D
~>mGT Base64 `kDD~,IS\9CNND~`M#
.der 0(P`kfr1D~#.der D~|,$iD~xFm>,|,d+C
\?,+;|,(C\?#k .arm D~\`F,}Km>G~xF,
x;G ASCII#
.p12 0PKCS 121D~,dP PKCS m>0+C\?\kuj<1#.p12 D
~|,$iD~xFm>,|,d+C\?M(C\?#.p12 D~2I
\|,`v$i;}g,$i")"$iD CA D$i"CA $iD
)"_,T0{D)"_HH#r* .p12 D~|,(C\?,yT|
G\\k#$D#
dC WebSEAL D\?}]bN}
WebSEAL $i\?D~:
201,WebSEAL a)1!D$i\?}]b# webseal-cert-keyfileN};Z webseald.conf dCD~D [ssl] Z,|CZj6KD~D{
FM;C:
[ssl]
webseal-cert-keyfile = /var/pdweb/www/certs/pdsrv.kdb
IT9C iKeyman 5CLr44(B\?}]b#;x,XkZ
webseal-cert-keyfile N}PdkKB\?D~D{FM;C,Tc
WebSEAL \;iRM9CC}]bP|,D$i#
$i\?D~\k:
201,WebSEAL 9a)|, pdsrv.kdb \?D~\kD1!f"D
~#webseal-cert-keyfile-stash N}a+f"D~D;C(*
WebSEAL:
webseal-cert-keyfile-stash = /var/pdweb/www/certs/pdsrv.sth
Z C f " D~PS\ D 1!\ k * 0 p d s r v 1# 2 I T Z
webseal-cert-keyfile-pwd N}P+\kmv*?D>#}g:
webseal-cert-keyfile-pwd = pdsrv
2 01, W e b S E A L 9C f " D~4 q ! \ ? D~\ k #
webseal-cert-keyfile-pwd Q"Mt#9Cf"D~,I\bZ
webseald.conf dCD~P+\kT>*D>#
":!{zk*9CDX(\kN}D"M#g{,18(K\kMf
"D~,r+9CC\k5#
WebSEAL bT$i:
201,WebSEAL +a)G2+DT)bT$i#w*~qwK$iD
bT$iJm WebSEAL T SSL M'zmwT:m]#
*|CXXFKbT$iD9C,4+$i20*1!$i#xG9C
webseal-cert-keyfile-label N}+$i8(*n/D~qwK$i,"
2GZ\?D~}]bP8(*01!51DyPd|$i#
webseal-cert-keyfile-label = WebSEAL
d;KbT$iJm WebSEAL TtC SSL D/@wkswvl&,+
;\I/@w(;|,J1Dy CA $i)i$$i#IZ?N
WebSEAL V"P<|,K1!$iD(C\?,K$i;a)f}D2
+(E#
Xk9C iKeyman 5CLr4zII;"MAO$PD(CA) D$i
ks#9C iKeyman 20"*5XD~qw$iSj)#
g{Td|=8(}g –K *a)9C;,D$i,rIT9C
iKeyman 5CLr4("20$i"*b)$iSj)#C\?D~j
);\|,Uq#
WebSEAL(1!ivBT user ivmgr KP)XkTb)\?}]bD
~_PA(r)mI(#
kND Z2173D:9C iKeyman \m$i;#
Z? Policy Director ~qw SSL (E:
webseald.conf dCD~D [ssl] Z|,Dv=SN},CZdC
WebSEAL CZkd| Policy Director ~qwxPZ? SSL (Ey9C
D\?D~#v&1(} pdconfig dCE>^Db)N}#
[ssl]
ssl-keyfile =
ssl-keyfile-pwd =
ssl-keyfile-stash =
ssl-keyfile-label =
9C iKeyman $i\m5CLr
iKeyman 5CLrG GSKit a)D$_,IC4\m WebSEAL 9C
D}V$i#+ iKeyman CZ:
¶ 4(;vr`v\?}]b
¶ |D\?}]b\k
¶ 4(B WebSEAL $i
¶ hCB1! WebSEAL $i
¶ 4(CZbTDT)$i
¶ ksMSU CA y$i
¶ r}]bmS$irS}]b>}$i
¶ +$iS;v}]b4F=m;v}]b
XZ9C iKeyman 4Pb)|nDj88>E",kNDZ2173D
:9C iKeyman \m$i;#
dC CRL li
$i7zPm(CRL)G;V@9^C$iDi$D=(# CRL |,;
O*;IED$iDj6#WebSEAL 9CD SSL D GSKit 5V'V
CRL li# GSKit Jm WebSEAL TM'zK$iM4T SSL *a
D$i4P CRL li#
WebSEAL Xk*@CPmD;C,Tc4P CRL li#LDAP ~qw
;CDN}(IZ$iO$ZdN<KN}CZ CRL li)IZ
webseald.conf dCD~D [ssl] ZPR=:
[ssl]
#ssl-ldap-server = <server-name>
#ssl-ldap-server-port = <port-id>
#ssl-ldap-user = <webseal-admin-name>
#ssl-ldap-user-password = <admin-password>
1!ivB,CRL liG{CD(N};"Mt)#*Z$iO$Zdt
C CRL li,k!{?vN}D"b"dkJ1D5#
ssl-ldap-user DU5m> SSL O$zF&w*d{C's(= LDAP
~qw#
dC1!#$6p
(}dC#$6p(QOP)ITXF(} SSL(HTTPS)CJ WebSEAL
yhD1!S\6p#I9C webseald.conf dCD~D0SSL
QUALITY OF PROTECTION MANAGEMENT1?VPDN}XF1!
#$6p\m:
¶ 9C ssl-qop-mgmt N}tCM{C QOP \m
¶ Z [ssl-qop-mgmt-default] ZP8(JmDS\6p
1. tC#$6p\m:
[ssl-qop]
ssl-qop-mgmt = yes
2. 8( HTTPS CJD1!S\6p:
[ssl-qop-mgmt-default]
# default = ALL | NONE | <cipher-level>
# ALL (enables all ciphers)
# NONE (disables all ciphers and uses an MD5 MAC check sum)
# DES-40
# DES-56
# DES-168
# RC2-40
# RC2-128
# RC4-40
# RC4-128
default = ALL
":z2IT8(!(DS\==i:
[ssl-qop-mgmt-default]
default = RC4-128
default = RC2-128
default = DES-168
*%@wzMxgdC QOPssl-qop-mgmt = yes N}2ItCvVZ [ssl-qop-mgmt-hosts] M
[ssl-qop-mgmt-networks] ZPDyPhC#b)ZJm(}X(wz
/xg/xgZk IP X7xxPD#$6p\m#
[ssl-qop-mgmt-default] ZPvKCZk [ssl-qop-mgmt-hosts] M
[ssl-qop-mgmt-networks] ZPDX7;%dDyP IP X7DS\=
=#
wzDdCo(>}:
[ssl-qop-mgmt-hosts]
# <host-ip> = ALL | NONE | <cipher-level>
# ALL (enables all ciphers)
# NONE (disables all ciphers and uses an MD5 MAC check sum)
# DES-40
# DES-56
# DES-168
# RC2-40
# RC2-128
# RC4-40
# RC4-128
xxx.xxx.xxx.xxx = ALL
yyy.yyy.yyy.yyy = RC2-128
xg/xgZkDdCo(>}:
[ssl-qop-mgmt-networks]
# <network/netmask> = ALL | NONE | <cipher-level>
# ALL (enables all ciphers)
# NONE (disables all ciphers and uses an MD5 MAC check sum)
# DES-40
# DES-56
# DES-168
# RC2-40
# RC2-128
# RC4-40
# RC4-128
xxx.xxx.xxx.xxx/255.255.255.0 = RC4-128
yyy.yyy.yyy.yyy/255.255.0.0 = DES-56
a) [ssl-qop-mgmt-hosts] M [ssl-qop-mgmt-networks] ZvCZ
rsf]T#;Fv9C|GCZ Policy Director 3.8 dC#
dCZ(}]b|BMV/
\m~qwCZ\mwZ(_T}]b,"R,$XZ2+rPd|
Policy Director ~qwD;CE"#Policy Director \m1IZNN1r
T2+rw2+T_T|D#^[N15V2+T_T|D1,\m~
qw<+TwZ(}]bwvX*Dw{#
1\m~qwTwZ(}]bw|D1,|I"vC|DD(*x2+
rP'V%@_T5)Lr(g WebSEAL)DyP1>}]b#;s_
T5)LrXkSwZ(}]bks5J}]b|B#
w*J4\mwM_T5)LrD WebSEAL _P}v!n,CZq!
XZZ(}]b|DDE":
¶ l}4T\m~qw|B(*(IdC"Z1!ivBtC)#
¶ T;(D1ddtli(V/)wZ(}]b(IdC"Z1!i
vB{C)#
¶ ,1tCl}MV/#
webseald.conf dCD~D [aznapi-configuration] Z|,CZdC|
B(*l}M}]bV/DN}#
A WebSEAL D>X1>Z(_T}]bD76I db-file N}(e:
[aznapi-configuration]
db-file = /var/pdweb/db/webseald.db
dC|B(*l}listen-flags N}CZtCM{CI WebSEAL 4PD|B(*l}#1
!ivB,+tCl}#*{Cl},kdk0disable1#
[aznapi-configuration]
listen-flags = enable
tcp-port N}CZdCl}wD TCP KZ:
[aznapi-configuration]
tcp-port = 12056
udp-port N}CZdCl}wD TCP KZ:
[aznapi-configuration]
udp-port = 0
dCZ(}]bV/ITdC W e b S E A L (ZV/wZ(}]bTq!|BE"#
cache-refresh-interval N}IThC*0default1"0disable1rTkhC
X(1ddt#0default1hCHZ 600 k#1!ivB{CV/#
[aznapi-configuration]
cache-refresh-interval = disable
4F0K WebSEAL ~qw
":TBE"If;ZT0D Policy Director Df>P9CDT0D
pdadmin server modify baseurl |n#
Z_:X73P,4F0K WebSEAL ~qwGP{D,Ia)|CD
:X=bMJO*F\F0K WebSEAL ~qw1,?v~qw
Xk|, Web Ud"*a}]bM dynurl }]bD+71>#
Policy Director DKf>'V4F0K WebSEAL ~qwDV$dC}
L#KNq;Y9C pdadmin |n#
TB>}P0WS11Gw WebSEAL ~qwDwz{#0WS21G1>
WebSEAL ~qwDwz{#
1. Z WS1 M WS2 ~qwO,120MdC WebSEAL#
2. Z WS2 O#9 WebSEAL#
3. Z WS2 O,+ webseald.conf dCD~PD server-name N}5
S0WS21|D*0WS11#
[server]
server-name = WS1
4. Z WS2 OXBt/ WebSEAL#
WS2 ~qwVZ9CTs /WebSEAL/WS1 w*Z(@@Dy!#WS2 ~
qw2IT*$tZ /WebSEAL/WS1 BDTsl& object list M object show |n#
pdadmin 5CLrTa+ /WebSEAL/WS2 Tsw*TsUdD;?VP
v#KTsVZQ^be,IT}%|:
pdadmin> object delete /WebSEAL/WS2
u~:
¶ 3;DTsUd\m:d;%;TscNa9TZ\m1GI{
D,+yP4FD WebSEAL ~qw<*\=&CZCTscNa9
D\m|nD0l"RyP~qw<\l&b)|n#
¶ 3;DZ(@@:g{+~qw WS2 dC*~qw WS1 D1>,
r~qw WS2 +9C /WebSEAL/WS1 w*Z(@@Dy!#
¶ 3;DdC:*K90K WebSEAL 4F}75Vd&\,?(~q
wOD Web Ud"*a}]bM dynurl }]bdCXkG`,D#
dCj< HTTP G<
WebSEAL ,$}v#fD HTTP U>D~,|GG<n/x;G{":
¶ request.log
¶ agent.log
¶ referer.log
1!ivB,b)U>D~,$ZTB?<B:
UNIX:/var/pdweb/www/log/
Windows: C:\Program Files\Tivoli\PDWeb\www\log\
dCj< HTTP G<U>DN};Z >webseald.conf dCD~D
[logging] ZP#
Bm5wK HTTP U>D~MdCD~N}dDX5:
U>D~ ;CN} tC/{CN}(= yesr no)
request.log requests-file requests
referer.log referers-file referers
agent.log agents-file agents
}g,request.log D~D1!;Cu?gB:
UNIX:
requests-file = /var/pdweb/www/log/request.log
Windows:
requests-file = \Program Files\Tivoli\PDWeb\www\log\request.log
tCM{C HTTP G<U>
1!ivB,tCyPD HTTP G<U>:
[logging]
requests = yes
referers = yes
agents = yes
I@"Zd|U>tCM{C?vU>#g{hCN}*0no1,r{
CCD~DG<#
8(1dAGD`MzIT!qx?vU>D~SO1dAG,1dICqV~Nj<1d
(GMT)fz>X1x4G<#1!ivB,9C>X1x:
[logging]
gmt-time = no
*9C GMT 1dAG,hCgB:
gmt-time = yes
8(U>D~*fP5
max-size N}CZ8(?v HTTP U>D~ITv$Dnss!,|_
PTB1!5(TVZF):
[logging]
max-size = 2000000
1U>D~=o8(D5 * 4y=D*fP5 * 10D~;8]=;
v,y{Fs=SP10UZM1dAGDD~P#;s+*<;vB
DU>D~#
;,DI\ max-size 5DbMgB:
¶ g{ max-size 5!Z 0(< 0),r+Z?NwCG<U>xLM
SC5}*<? 24 !1<4(BDU>D~#
¶ g{ max-size 5HZ 0(= 0),r;4P*fRU>D~^^v
$#g{U>D~Q-fZ,+=SOBD}]#
¶ g{ max-size 5sZ 0(> 0),r1U>D~o=dCDP51
+4P*f#g{t/1U>D~Q-fZ,+=SOBD}]#
8("BU>D~:exD5JU>D~G4k:e}]wD#g{G51`SU>D~,zI\k|
D~qw4PU>D~:ex"BD5J#
1!ivB,U>D~? 20 k"B;N:
[logging]
flush-time = 20
g{8(K:5,+Z?N4kG<s4P"B#
dC request.log PG<DZ]$HW e b S E A L T/SsK*aD&CLr~qw}K2, H T M L
URL#webseald.conf dCD~PD [filter-url] Z(eK WebSEAL S
sK~qwl&}KD URL tT#kNDZ1533D:}K4T*a~
qwD2, HTML URL;#
1SsK*aD~qwksDZ]|,6kD URL 1,WebSEAL +(
}Z760mS*ac4}K URL V{.#Z]5X/@w1,M'z
ITI&X9C URL#
rx5XA/@wDnU3fZ]$HaT"sZS*aD~qw5X
WebSEAL D-<Z]$H#
Policy Director WebSEAL DKf>JmzdC request.log D~(g
{QtC)G<DZ]$H#IT+ webseald.conf dCD~D
[logging] ZPD log-filtered-pages N}hC*G<cVZs!r4}
KDVZs!#
*G<4}KDVZs!,k+N}hC*0yes1(1!5):
[logging]
log-filtered-pages = yes
*G<cVZs!,k+N}hC*0no1:
[logging]
log-filtered-pages = no
HTTP +2U>q=(CZ request.log)Policy Director ~qw"MXD?vl&(I&r'\)<+9CgBD
HTTP +2U>q=G<Z request.log D~D;Pu?P:
host - authuser [date] request status bytes
dP:
host 8("vksDzwD IP X7#
authuser CVNqCQSUD HTTP ks From: 7D5#
0unauth15CZ4O$DC'#
date 8(ksDUZM1d#
request 8(4TM'zKDksDZ;P#
status 8("X="vksDzwD HTTP 4,k#
bytes 8("X="vksDzwDVZ}#K5 * 4}KD
Z]s!rcs! * 9C log-filtered-pages N}d
C#
T> request.log D~request.log G< HTTP ksDj<G<U>,}gXZksD URL D
E"MXZwvksDM'zDE"(}g IP X7)#
TB>}T>K request.log D~Dy>f>:
130.105.1.90 - - [26/Aug/2001:17:23:33 -0800] "GET /xsmith/private_html/ HTTP/1.0" 403 77
130.105.1.90 - - [26/Aug/2001:17:23:47 -0800] "GET /icons HTTP/1.0" 302 93
130.105.1.90 - - [26/Aug/2001:17:23:59 -0800] "GET /icons/ HTTP/1.0" 403 77
130.105.1.90 - - [26/Aug/2001:17:24:04 -0800] "GET /xsmith/private_html/ HTTP/1.0" 403 77
130.105.1.90 - - [26/Aug/2001:17:24:11 -0800] "GET /xsmith/ HTTP/1.0" 403 77
T> agent.log D~agent.log D~G< HTTP ksPD User_Agent: 7DZ]#CU>
T>?vksDM'/@wE",}ge5a9rf>E#
TB>}T>K agent.log D~Dy>f>:
Mozilla/4.01 [en] (WinNT; U)
Mozilla/4.01 [en] (WinNT; U)
Mozilla/4.01 [en] (WinNT; U)
Mozilla/4.01 [en] (WinNT; U)
T> referer.logreferer.log G< HTTP ksD Referer: 7#TZ?vks,U>G
<K|,yksD5D4SDD5#
U>9CTBq=:
referer -> object
CE"TZzYb?=z Web UdD5D4S\PC#U>T>,I
referer 8(D4|,=3f object D4S#CU>JmzzY''4,
"iw-Z4(kzD5D4S#
TB>}T>K referer.log D~Dy>f>:
http://manuel/maybam/index.html -> /pics/tivoli_logo.gif
http://manuel/maybam/pddl/index.html -> /pics/tivoli_logo.gif
http://manuel/maybam/ -> /pddl/index.html
http://manuel/maybam/ -> /pddl/index.html
http://manuel/maybam/pddl/index.html -> /pics/tivoli_logo.gif
http://manuel/maybam/ -> /pddl/index.html
WebSEAL 2+T_T
>B|,hvgNdCM(F WebSEAL 2+T_TDE"#
wbw}:
¶ :X(Z WebSEAL D ACL _T;
¶ Z533D:}N%wG<_T;
¶ Z543D:\k?H_T;
¶ Z583D:O$?H POP _T(]});
¶ Z633D:yZxgDO$ POP _T;
¶ Z663D:#$6p POP _T;
¶ Z673D:&m4O$DC'(HTTP/HTTPS);
X(Z WebSEAL D ACL _T
TB2+T"bBnJCZ\#$TsUdPD /WebSEAL ]w:
¶ WebSEAL TsGTsUdD WebSEAL xrP ACL LP4Dpc
¶ g{;&CNNd|T= ACL,KTs+((}LP)*{v Web
Ud(e2+T_T
¶ *CJKTs0CcTBDNNTs,Xk5PizmI(
XZ Policy Director ACL _TDj{E",kN<6Tivoli SecureWay
Policy Director Base \m8O7#
/WebSEAL/<host>KSw|,X( WebSEAL ~qwD Web Ud#TB2+T"bBn
JCZKTs:
¶ *CJKTs0CcTBDNNTs,Xk5PizmI(
¶ g{;&CNNd|T= ACL,KTs+((}LP)*CzwOD
{vTsUd(e2+T_T
/WebSEAL/<host>/<file>bG* HTTP CJliDJ4Ts#liDmI(!vZ}ZksDY
w#
WebSEAL ACL mI(BmhvKJCZTsUdP WebSEAL xrD ACL mI(:
Yw hv
r A! i4 Web Ts#
x 4P KP CGI Lr#
d >} S Web UdP}% Web Ts#
m ^D EC HTTP Ts#(Z WebSEAL TsUdPEC *
"< * HTTP Ts#)
l Pm \m~qwh*|4zI Web UdDT/?<Pm#
CmI(,1\mZ1!D “index.html” 3f;fZ1
M'zGq\i4?<Z]Pm#
g /I T WebSEAL ~qwZhEN,9C~qwd1*M'
z"+ks+]x*aD WebSEAL ~qw#
1! /WebSEAL ACL _TWebSEAL ACL default-webseal DKDu?|,:
i iv-admin Tcmdbsvarxl
i webseal-servers Tgmdbsrxl
C' sec_master Tcmdbsvarxl
Nbd| Trx
4O$ T
201,C1! ACL =SATsUdPD /WebSEAL ]wTs#
i webseal-servers |,2+rP?v WebSEAL ~qwDu?#1!
mI(Jm~qwl&/@wks#
izmI(Jmg Web Portal Manager y>DGy)9 Web Ud#P
mmI(Jm Web Portal Manager T> Web UdDZ]#
}N%wG<_T
}N%wG<_TICZyZ LDAP D Policy Director 20,9zIT
8('\G<"TDnsN}(n)MM#Tbx1d(x),}g,Z
“n” N'\DG<"Ts+KC'bx “x” k(r_{CKJE)#
}N%wG<_TCZh9Fcz\k%w#K_T4(K;vu~,
C'ZxP|`'\DG<"T0XkH};N1d#}g,_TIT
f(Z 3 N'\"Ts,h*H} 180 kDM#T1d#bVG<_T
`MITh9?kP`N"zFczfzzIDG<"T#
}N%wG<_Th*=v pdadmin policy |nhCD*O:
¶ '\G<"TDns}?
policy set max-login-failures
¶ ,}'\G<"ThCDM#
policy set disable-time-interval
M#hCIT|,J'bx1ddtr_J'Dj+{C#
}g,g{G<_ThCIZ}N'\"TsP;N8(DM#bx1
d,r1ZDN"T(}7r;}7)"zs,+vVms3f,C3
fywIZ\k_TD&C,KJ']1;IC#
1ddtCk8( * FvDn!1ddt* 60 k#
g{ disable-time-interval _T;hC*0disable1,C'+;bxZ
J'b,"RCC'D LDAP J'P'tT;hC*0q1#\m1(}
Web Portal Manager XBtCJ'#
":+ disable-time-interval hC*0disable1a<B=SD\m*z#
+J'P'E"4F= WebSEAL ~qw1,I[l=SY#bV
iv!vZ LDAP 73#|BJ'P'DYwI\a<B3)
LDAP 5VvVT\5M#IZb)-r,Fvz9C,11dd
t#
|no(TBD pdadmin |nvJZk LDAP "am;p9C#
|n hv
policy set max-login-failures {<number>|unset} [-user <username>]
policy get max-login-failures [-user <username>]
\m_T,C_TXFZ5)M#0'\G<"TDns
N}#K|n!vZ policy set disable-time-interval |
nPhCDM##
w*\m1,I+K_T&C=X(C'r_+VTX&
C=Z LDAP "amPPvDyPC'#
1!hC* 10 N"T#
policy set disable-time-interval {<number>|unset|disable} [-user <username>]
policy get disable-time-interval [-user <username>]
\mM#_T,C_TXF1o="TG<'\Dns5
1KJ'+{CD1d\Z#
w*\m1,I+KM#_T&C=X(C'r_+VT
X&C=Z LDAP "amPPvDyPC'#
1!hC* 180 k#
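Password strength policy

The password strength policy, available for LDAP-based Policy Director installations, refers to the stipulations placed on the construction of a password by password policy rules. Policy Director provides two means of controlling password strength policy:

● Five pdadmin password policy commands
● A pluggable authentication module (PAM) that allows you to customize a password policy.
  See the Tivoli SecureWay Policy Director WebSEAL Developer Reference.

Password strength policy set by the pdadmin utility

The five password strength attributes implemented through the pdadmin utility include:

● Minimum password length
● Minimum alphabetic characters
● Minimum non-alphabetic characters
● Maximum repeated characters
● Spaces allowed

These policies are enforced when you create a user with pdadmin or the Web Portal Manager, and when a password is changed with pdadmin, the Web Portal Manager, or the pkmspasswd utility.

Command syntax

The following pdadmin commands are only appropriate for use with an LDAP registry. The unset option disables the policy attribute - that is, the policy is not enforced.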
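Command:
policy set min-password-length {<number>|unset} [-user <username>]
policy get min-password-length [-user <username>]
Description:
Manages the policy controlling the minimum length of a password.
As the administrator, you can apply this policy to a specific user or apply the policy globally to all users listed in the default registry.
The default setting is 8.

Command:
policy set min-password-alphas {<number>|unset} [-user <username>]
policy get min-password-alphas [-user <username>]
Description:
Manages the policy controlling the minimum number of alphabetic characters allowed in a password.
As the administrator, you can apply this policy to a specific user or apply the policy globally to all users listed in the default registry.
The default setting is 4.

Command:
policy set min-password-non-alphas {<number>|unset} [-user <username>]
policy get min-password-non-alphas [-user <username>]
Description:
Manages the policy controlling the minimum number of non-alphabetic (numeric) characters allowed in a password.
As the administrator, you can apply this policy to a specific user or apply the policy globally to all users listed in the default registry.
The default setting is 1.

Command:
policy set max-password-repeated-chars {<number>|unset} [-user <username>]
policy get max-password-repeated-chars [-user <username>]
Description:
Manages the policy controlling the maximum number of repeated characters allowed in a password.
As the administrator, you can apply this policy to a specific user or apply the policy globally to all users listed in the default registry.
The default setting is 2.

Command:
policy set password-spaces {yes|no|unset} [-user <username>]
policy get password-spaces [-user <username>]
Description:
Manages the policy controlling whether a password can contain spaces.
As the administrator, you can apply this policy to a specific user or apply the policy globally to all users listed in the default registry.
The default setting is unset.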
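Default policy parameter values

The following table lists the policy parameters and their default values:

Parameter                      Default value
min-password-length            8
min-password-alphas            4
min-password-non-alphas        1
max-password-repeated-chars    2
password-spaces                not set

To create the password policy behavior found in earlier releases of Policy Director, apply the unset option to each of the five password parameters listed above.

Valid and invalid password examples

The following table illustrates several password examples and the policy results based on the default values of the five pdadmin parameters:

Example      Result
password     Not valid: must contain at least one non-alphabetic character.
pass         Not valid: must contain at least 8 characters.
passs1234    Not valid: contains more than two repeated characters.
12345678     Not valid: must contain at least 4 alphabetic characters.
password3    Valid.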
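Specific user and global settings

The pdadmin policy commands can be set for a specific user (with the -user option) or globally (by not using the -user option). Any user-specific setting overrides a global setting for the policy. You can also disable (unset) a policy parameter, which means the parameter contains no value. Any policy with the unset option is not checked or enforced.

For example:

pdadmin> policy set min-password-length 8
pdadmin> policy set min-password-length 4 -user matt
pdadmin> policy get min-password-length
最小密码长度:8
pdadmin> policy get min-password-length -user matt
最小密码长度:4

(User matt has a minimum password length policy of 4 characters; all other users have a minimum password length policy of 8 characters.)

pdadmin> policy set min-password-length unset -user matt

(User matt is now governed by the global minimum password length policy of 8 characters.)

pdadmin> policy set min-password-length unset

(All users, including user matt, now have no minimum password length policy.)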
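The five parameters, their defaults, and the user-versus-global rules above can be exercised together. The following checker is an added example, not Policy Director code: PolicyStore, violations and longest_run are hypothetical names, "repeated characters" is assumed to mean a run of consecutive identical characters, and any character that is not a letter is counted as non-alphabetic.

```python
from itertools import groupby

# Defaults from the parameter table on this page; None models "unset".
DEFAULTS = {
    "min-password-length": 8,
    "min-password-alphas": 4,
    "min-password-non-alphas": 1,
    "max-password-repeated-chars": 2,
    "password-spaces": None,   # "yes", "no" or None (unset)
}


class PolicyStore:
    """Global policy values plus per-user overrides (the -user option)."""

    def __init__(self):
        self.global_policy = dict(DEFAULTS)
        self.user_policy = {}

    def set(self, param, value, user=None):
        if param not in DEFAULTS:
            raise KeyError(f"unknown policy parameter: {param}")
        if user is None:
            # Global unset: the policy is no longer checked or enforced.
            self.global_policy[param] = None if value == "unset" else value
        elif value == "unset":
            # User unset: drop the override so the global value applies again.
            self.user_policy.get(user, {}).pop(param, None)
        else:
            self.user_policy.setdefault(user, {})[param] = value

    def get(self, param, user=None):
        override = self.user_policy.get(user, {})
        if param in override:
            return override[param]
        return self.global_policy[param]


def longest_run(password):
    """Length of the longest run of one repeated character (assumption)."""
    return max((len(list(run)) for _, run in groupby(password)), default=0)


def violations(store, password, user=None):
    """Return the names of the policy parameters the password violates."""
    alphas = sum(ch.isalpha() for ch in password)
    measured = {
        "min-password-length": len(password),
        "min-password-alphas": alphas,
        "min-password-non-alphas": len(password) - alphas,
    }
    failed = []
    for param, actual in measured.items():
        limit = store.get(param, user)
        if limit is not None and actual < limit:
            failed.append(param)
    limit = store.get("max-password-repeated-chars", user)
    if limit is not None and longest_run(password) > limit:
        failed.append("max-password-repeated-chars")
    if store.get("password-spaces", user) == "no" and " " in password:
        failed.append("password-spaces")
    return failed


if __name__ == "__main__":
    store = PolicyStore()
    # The five sample passwords from the table on this page.
    for sample in ("password", "pass", "passs1234", "12345678", "password3"):
        print(sample, violations(store, sample) or "valid")
```

Unlike the table, which gives one reason per password, the checker reports every violated parameter, so "pass" fails on both length and non-alphabetic count.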
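Authentication strength POP policy (step-up)

The authentication strength POP policy makes it possible to control access to objects based on the authentication method used.

You can use this functionality - known as step-up authentication - to ensure that users accessing more sensitive resources use a stronger authentication mechanism. You might want this condition because of the greater threat of improper access to certain resources.

For example, you can provide greater security to a junctioned region of the Web space by applying a step-up POP policy that requires a stronger level of authentication than the one the user used when initially entering the WebSEAL domain.

Authentication strength policy is set in the "IP Endpoint Authentication Method" attribute of a POP policy.

Configuring levels for step-up authentication

The first step in configuring authentication-specific access is to configure the supported authentication methods and determine the order in which these methods are considered stronger.

Any client accessing a WebSEAL server has an authentication level, such as "unauthenticated" or "password", which indicates the method by which the client last authenticated to WebSEAL.

In some situations it may be necessary to enforce minimum "safe" levels of authentication for access to certain Web space objects. For example, in one environment, authentication by token passcode may be considered more secure than authentication by user name and password. Other environments might have different standards.

When a client does not meet the required level of authentication, the step-up authentication mechanism gives the client a second chance to re-authenticate using the required method (level), instead of forcing the client to restart its session with WebSEAL.

Step-up authentication means that users are not immediately shown a "denied" message when they try to access a resource that requires a higher authentication level than the one they logged in with. Instead, they are presented with a new authentication prompt that requests the information needed to support the higher authentication level. If they can supply authentication at that level, their original request is permitted.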
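WebSEAL recognizes 3 authentication methods (levels) for use in the step-up authentication mechanism:

● unauthenticated
● password
● token-card

You configure authentication levels in the [authentication-levels] stanza of the webseald.conf configuration file. Initially, only two levels are configured:

[authentication-levels]
level = unauthenticated
level = password

Based on the order of the methods in the list, each method is assigned a level index, ranging from 0 to 2.

● The "unauthenticated" method must always be the first in the list and is assigned a level index of 0.
● Subsequent methods can be placed in any order.
  See "Step-up authentication notes and limitations" on page 62.
● By default, "password" appears next and is assigned a level index of 1.
● There must be at least two entries to enable step-up authentication.

Note: For detailed information about setting up the required authentication mechanisms, see "WebSEAL authentication" on page 69.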
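Enabling step-up authentication

Step-up authentication is implemented through a POP policy placed on the objects that require authentication-sensitive authorization. You use the "IP Endpoint Authentication Method" attribute of a POP policy.

The pdadmin pop modify set ipauth command specifies both the allowed networks and the required authentication level in the "IP Endpoint Authentication Method" attribute.

The configured authentication levels can be linked to IP address ranges. This method is intended to provide management flexibility. If filtering users by IP address is not important, you can set a single entry for anyothernw (any other network). This setting affects all accessing users, regardless of IP address, and requires them to authenticate at the specified level. This is the most common method of implementing step-up authentication.

Syntax:

pdadmin> pop modify <pop-name> set ipauth anyothernw <level-index>

The anyothernw entry is used as a network range that matches any network not otherwise specified in the POP. This method is used to create a default entry that can either deny all unmatched IP addresses or allow access to anyone who can meet the authentication level requirement.

By default, anyothernw appears in a POP with an authentication level index of 0. The entry appears as "Any Other Network" in the pop show command:

pdadmin> pop show test
受保护对象策略: test
描述: Test POP
警告: no
审计级别: none
保护级别: none
每日的访问时间: sun, mon, tue, wed, thu, fri, sat:anytime:local
IP 端点认证方法策略
任何其它网络 0

Example

1. Configure authentication levels in webseald.conf:

[authentication-levels]
level = unauthenticated
level = token-card

2. Configure the "IP Endpoint Authentication Method" POP attribute:

pdadmin> pop modify test set ipauth anyothernw 1
pdadmin> pop show test
受保护对象策略: test
描述: Test POP
警告: no
审计级别: none
保护级别: none
每日的访问时间: mon, wed, fri:anytime:local
IP 端点认证方法策略
任何其它网络 1

For all users who initially access as "unauthenticated" (level 0), this policy requires a step-up to the token-card authentication method (level 1). All unauthenticated users who access objects protected by this POP policy are shown a prompt asking for a user name and token passcode.

See also "Network-based authentication POP policy" on page 63.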
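Step-up login form

When the step-up POP policy on a requested resource forces the client to re-authenticate, WebSEAL presents a special form. The location of this HTML form is specified by the stepup-login parameter in the [acnt-mgt] stanza of the webseald.conf configuration file.

[acnt-mgt]
stepup-login = stepuplogin.html

You can configure this HTML form to meet your requirements, in the same way that you configure the login.html or tokenlogin.html forms.

This file contains macros, in the form of %TEXT% sequences, that are replaced with the appropriate values. This substitution takes place within WebSEAL's template file processing functions and allows the form to be used, with the correct formatting, for both the password and the token authentication methods. It also allows other information, such as error messages and the name of the (step-up) method, to be supplied to the user in the form.

Figure 11. Login form for user name and password step-up

Figure 12. Login form for SecurID token passcode step-up

Step-up authentication algorithm

WebSEAL uses the following algorithm to process the conditions in a POP:

1. Check the IP Endpoint Authentication Method policy on the POP.
2. Check ACL permissions.
3. Check the time-of-day policy on the POP.
4. Check the audit level policy on the POP.

Step-up authentication notes and limitations

1. Step-up authentication is supported over both HTTP and HTTPS.
2. You cannot step up from HTTP to HTTPS.
3. Unauthenticated must normally be the first method in the level list and cannot appear in any other position in the list.
4. A method can be specified only once in the level list.
5. Certificate authentication is not a supported method for step-up authentication.

Note: Step-up authentication actually handles client-side certificates as a special case. If a client accesses WebSEAL with a client-side certificate and WebSEAL is configured to accept certificates, the client is treated as an unauthenticated client (level index of 0).

From method:       Can step up to:
unauthenticated    password, token-card
password           token-card
token-card         password

6. Authentication levels are expressed in terms of authentication methods, which means that it is not possible to specify a precise authentication mechanism for authentication at that level.
   Authentication methods can be supported by multiple authentication mechanisms, including local authenticators and custom external authenticators.
   When multiple instances of the same authentication method type are configured, WebSEAL follows specific rules to determine which authenticator to select.
7. If there are 3 configured levels, the valid index values are 0, 1 and 2. If any other index value is configured, an error page is displayed upon any request for an object with that POP attached.
8. Incorrect configuration of step-up authentication levels in the webseald.conf configuration file results in the disabling of step-up functionality within WebSEAL. This situation can lead to unexpected authentication behavior, such as the password login page being issued for objects protected by a POP that requires the token passcode authentication method.
   After you configure step-up authentication levels, check the webseald.log file for reports of any configuration errors.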
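Network-based authentication POP policy

The network-based authentication POP policy makes it possible to control access to objects based on the IP address of the user. You can use this functionality to prevent specific IP addresses (or IP address ranges) from accessing any resources in your secure domain.

You can also apply step-up authentication configuration to this policy and require a specific authentication method for each specified IP address range.

The network-based authentication policy is set in the "IP Endpoint Authentication Method" attribute of a POP policy. You must specify two requirements in this attribute:

● Authentication levels
● Allowed networks

Configuring authentication levels

WebSEAL recognizes 3 authentication methods (levels) for use in the step-up authentication mechanism:

● unauthenticated
● password
● token-card

Based on the order of the methods in the list, each method is assigned a level index, ranging from 0 to 2.

You configure authentication levels in the [authentication-levels] stanza of the webseald.conf configuration file. Initially, only two levels are configured:

[authentication-levels]
level = unauthenticated
level = password

You can use the default settings when configuring network-based authentication. In this case, "unauthenticated" is level 0 and "password" is level 1.

See also "Configuring levels for step-up authentication" on page 58.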
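Specifying IP addresses and ranges

Now you must specify the IP addresses and IP address ranges permitted by this POP policy.

The pdadmin pop modify set ipauth add command specifies both the network (or network range) and the required authentication level in the "IP Endpoint Authentication Method" attribute.

Syntax:

pdadmin> pop modify <pop-name> set ipauth add <network> <netmask> <level-index>

The configured authentication levels can be linked to IP address ranges. This method is intended to provide flexibility. If filtering users by IP address is not important, you can set a single entry for anyothernw (any other network). This setting affects all accessing users, regardless of IP address, and requires them to authenticate at the specified level.

Syntax:

pdadmin> pop modify <pop-name> set ipauth anyothernw <level-index>

Conversely, if you want to ignore the authentication level and only allow or deny access based on IP address, you can use level 0 for the ranges you want to allow in and "forbidden" for the ranges you want to deny.

The anyothernw entry is used as a network range that matches any network not otherwise specified in the POP. This method is used to create a default entry that can either deny all unmatched IP addresses or allow access to anyone who can meet the authentication level requirement.

By default, anyothernw appears in a POP with an authentication level index of 0. The entry appears as "Any Other Network" in the pop show command:

pdadmin> pop show test
受保护对象策略: test
描述: Test POP
警告: no
审计级别: none
保护级别: none
每日的访问时间: sun, mon, tue, wed, thu, fri, sat:anytime:local
IP 端点认证方法策略
任何其它网络 0

For a detailed discussion of setting authentication levels, see "Configuring levels for step-up authentication" on page 58.

Examples

Require users from IP address range 9.0.0.0 and netmask 255.0.0.0 to use level 1 authentication ("password" by default):

pdadmin> pop modify test set ipauth add 9.0.0.0 255.0.0.0 1

Require a specific user to use level 0 authentication:

pdadmin> pop modify test set ipauth add 9.1.2.3 255.255.255.255 0

Prevent all users (other than those specified in the examples above) from accessing the object:

pdadmin> pop modify test set ipauth anyothernw forbidden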
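Disabling step-up authentication by IP address

Syntax:

pdadmin> pop modify <pop-name> set ipauth remove <network> <netmask>

For example:

pdadmin> pop modify test set ipauth remove 9.0.0.0 255.0.0.0

Network-based authentication algorithm

WebSEAL uses the following algorithm to process the conditions in a POP:

1. Check the IP Endpoint Authentication Method policy on the POP.
2. Check ACL permissions.
3. Check the time-of-day policy on the POP.
4. Check the audit level policy on the POP.

Network-based authentication notes and limitations

The IP address used by WebSEAL to enforce the network-based authentication policy must be the IP address of the originator of the TCP connection. If your network topology uses proxies, the address that appears to WebSEAL may be the IP address of the proxy server.

In this case, WebSEAL cannot definitively identify the true client IP address. When you set a network-based authentication policy, take care that the policy allows network clients to connect directly to the WebSEAL server.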
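The level-index rules from the step-up section and the ipauth entries from the examples above can be evaluated together. The following model is an added example, not WebSEAL code: Pop, parse_levels and decide are hypothetical names, the stanza text is a constructed sample, a client that is already at or above the required level is assumed to be allowed, and where a client address matches more than one entry the most specific netmask is assumed to win (the page does not state a precedence).

```python
import ipaddress

# Constructed sample of the [authentication-levels] stanza.
SAMPLE_CONF = """\
[authentication-levels]
level = unauthenticated
level = password
level = token-card
"""


def parse_levels(conf_text):
    """Return the ordered level list, enforcing the limitations listed above."""
    levels, in_stanza = [], False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_stanza = line == "[authentication-levels]"
        elif in_stanza and line.startswith("level") and "=" in line:
            levels.append(line.split("=", 1)[1].strip())
    if len(levels) < 2:
        raise ValueError("step-up authentication needs at least two levels")
    if levels[0] != "unauthenticated":
        raise ValueError("unauthenticated must be first (level index 0)")
    if len(set(levels)) != len(levels):
        raise ValueError("a method can be specified only once")
    return levels


class Pop:
    """IP Endpoint Authentication Method attribute of one POP."""

    def __init__(self, levels):
        self.levels = levels
        self.entries = []      # (network, level index or "forbidden")
        self.anyothernw = 0    # default value shown by pop show

    def _check(self, level):
        if level != "forbidden" and not 0 <= level < len(self.levels):
            raise ValueError(f"level index {level} is not configured")
        return level

    def add(self, network, netmask, level):
        net = ipaddress.ip_network(f"{network}/{netmask}")
        self.entries.append((net, self._check(level)))

    def set_anyothernw(self, level):
        self.anyothernw = self._check(level)

    def required_level(self, client_ip):
        ip = ipaddress.ip_address(client_ip)
        matches = [(net, lvl) for net, lvl in self.entries if ip in net]
        if not matches:
            return self.anyothernw
        # Assumption: the most specific matching entry wins.
        return max(matches, key=lambda m: m[0].prefixlen)[1]

    def decide(self, client_ip, current_method):
        need = self.required_level(client_ip)
        if need == "forbidden":
            return "deny"
        # Client-side certificates are treated as level 0; the label
        # "certificate" is a name chosen for this example.
        have = 0 if current_method == "certificate" else self.levels.index(current_method)
        if have >= need:
            return "allow"
        return "step-up:" + self.levels[need]


def build_sample_pop():
    """The three ipauth commands from the examples on this page."""
    pop = Pop(parse_levels(SAMPLE_CONF))
    pop.add("9.0.0.0", "255.0.0.0", 1)
    pop.add("9.1.2.3", "255.255.255.255", 0)
    pop.set_anyothernw("forbidden")
    return pop


if __name__ == "__main__":
    pop = build_sample_pop()
    for ip, method in (("9.5.5.5", "unauthenticated"), ("9.1.2.3", "unauthenticated"),
                       ("10.0.0.1", "password")):
        print(ip, method, "->", pop.decide(ip, method))
```

Because the decision uses the TCP peer address, a client behind a proxy is evaluated with the proxy's address, which is the limitation described above.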
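Quality of protection POP policy

The quality of protection POP attribute allows you to specify what level of data protection is required when performing an operation on an object. Currently, this attribute applies only to WebSEAL environments.

The quality of protection POP attribute replaces the "P" and "I" ACL permissions that, in previous versions of Policy Director, activated the privacy and integrity requirements. This previous implementation of quality of protection was inefficient and impacted system performance.

The quality of protection POP attribute permits a single transaction in which the "yes" response to the ACL decision also includes the required quality of protection level. If the resource manager (such as WebSEAL) cannot guarantee the required level of protection, the request is denied.

pdadmin> pop modify <pop-name> set qop {none|integrity|privacy}

QOP level    Description
Privacy      Data encryption is required (SSL).
Integrity    Use some mechanism to ensure that the data has not changed.

For example:

pdadmin> pop modify test set qop privacy

Handling unauthenticated users (HTTP/HTTPS)

WebSEAL accepts requests from both authenticated and unauthenticated users over HTTP and HTTPS. WebSEAL then relies on the authorization service to enforce security policy by permitting or denying access to protected resources.

The following conditions apply to unauthenticated users who access over SSL:

● The exchange of information between the unauthenticated user and WebSEAL is encrypted - just as it is with an authenticated user.
● An SSL connection between an unauthenticated user and WebSEAL requires only server-side authentication.

Processing a request from an anonymous client

1. An anonymous client makes a request to WebSEAL (through HTTP or HTTPS).
2. WebSEAL creates an unauthenticated credential for this client.
3. The request proceeds, with this credential, to the protected Web object.
4. The authorization service checks the permissions on the unauthenticated entry of the ACL for this object, and permits or denies the requested operation.
5. Successful access to this object depends on the following condition: the unauthenticated ACL entry contains at least the read (r) and traverse (T) permissions.
6. If the request fails the authorization decision, the client receives a login form (BA or forms-based).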
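Forcing user login

You can force an unauthenticated user to log in by correctly setting the appropriate permissions on the unauthenticated entry in the ACL policy that protects the requested object.

The read (r) and traverse (T) permissions allow unauthenticated access to an object.

To force an unauthenticated user to log in, remove the read (r) permission from the unauthenticated entry in the ACL policy that protects the object. The user receives a login prompt (BA or forms-based).

Applications of unauthenticated HTTPS

There are many practical business reasons for supporting unauthenticated access to WebSEAL over HTTPS:

● Some applications do not require a personal login, but require sensitive information, such as addresses and credit card numbers. Examples include online purchases of airline tickets and other merchandise.
● Some applications require that you register for an account with the business before you can proceed with further transactions. Again, sensitive information is passed over the network.

Controlling unauthenticated users with ACL/POP policies

Note: The "any-authenticated" entry type is equivalent to the "any-other" entry type.

1. To permit unauthenticated users access to public objects, protect the public content with an ACL that contains at least the read (r) and traverse (T) permissions for the unauthenticated and any-authenticated entries:

unauthenticated      Tr
any-authenticated    Tr

Note: When permissions are determined, the unauthenticated entry is a mask (a bitwise "and" operation) against the any-authenticated entry. A permission is granted to unauthenticated only if the permission also appears in the any-authenticated entry. Because unauthenticated depends on any-authenticated, it makes little sense for an ACL to contain unauthenticated without any-authenticated. If an ACL does contain unauthenticated without any-authenticated, the default response is to grant no permissions to unauthenticated.

2. To require encryption (SSL), protect the content with a protected object policy (POP) that specifies privacy as a condition.
   See "Quality of protection POP policy" on page 66.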
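WebSEAL authentication

This chapter discusses how WebSEAL maintains session state and handles the authentication process. Successful authentication results in a Policy Director identity that represents the user. WebSEAL uses this identity to acquire credentials for that user. The authorization service uses these credentials to permit or deny access to protected resources.

Topic index:

● "Understanding the process of authentication"
● "Managing session state"
● "Authentication configuration overview"
● "Configuring basic authentication"
● "Configuring forms authentication"
● "Configuring client-side certificate authentication"
● "Configuring HTTP header authentication"
● "Configuring IP address authentication"
● "Configuring token authentication"
● "Supporting Multiplexing Proxy Agents"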
4
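Understanding the process of authentication

Authentication is the method of identifying an individual process or entity that is attempting to log in to a secure domain.

● WebSEAL supports several authentication methods by default and can be customized to use other methods.
● The result of successful authentication to WebSEAL is a Policy Director user registry identity.
● WebSEAL uses this identity to acquire credentials for that user.
● The authorization service uses these credentials to permit or deny access to protected objects after evaluating the ACL permissions and POP conditions that govern the policy for each object.

Note: ACL = access control list policy; POP = protected object policy

During authentication, WebSEAL examines a client request for the following information:

● Session data
  Session data is information that identifies a specific connection between the client and the WebSEAL server. Session data is stored with the client and accompanies subsequent requests by that client. It is used to re-identify the client session to the WebSEAL server and to avoid the overhead of establishing a new session for each request.
● Authentication data
  Authentication data is information from the client that identifies the client to the WebSEAL server. Authentication data types include client-side certificates, passwords, and token codes.

When WebSEAL receives a client request, WebSEAL always looks for session data first, followed by authentication data. The initial client request never contains session data.

Supported session data types

WebSEAL supports the following session data types:

1. SSL ID (defined by the SSL protocol)
2. Server-specific session cookie
3. BA header data
4. HTTP header data
5. IP address

When WebSEAL examines a client request, it searches for session data in the order specified in this list.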
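Supported authentication methods

Although WebSEAL functions independently of the authentication process, WebSEAL uses credentials to monitor all users participating in the secure domain. To obtain the identity information necessary for acquiring credentials, WebSEAL relies on the results gained from the authentication process.

WebSEAL supports the following authentication methods for credentials acquisition:

Authentication method                               Supported connection type
1. Failover cookie                                  HTTP and HTTPS
2. CDSSO ID token                                   HTTP and HTTPS
3. Client-side certificate                          HTTPS
4. Token passcode                                   HTTP and HTTPS
5. Forms authentication (user name and password)    HTTP and HTTPS
6. Basic authentication (user name and password)    HTTP and HTTPS
7. HTTP headers                                     HTTP and HTTPS
8. IP address                                       HTTP and HTTPS

When WebSEAL examines a client request, it searches for authentication data in the order specified in this table.

Authentication methods can be independently enabled and disabled for both the HTTP and the HTTPS transports. If no authentication methods are enabled for a particular transport, the authentication process is inactive for clients using that transport.

Detailed configuration information reference

● "Managing session state"
● "Authentication configuration overview"
● "Configuring basic authentication"
● "Configuring forms authentication"
● "Configuring client-side certificate authentication"
● "Configuring HTTP header authentication"
● "Configuring IP address authentication"
● "Configuring token authentication"
● "Supporting Multiplexing Proxy Agents"
● CDAS authentication
  See the Tivoli SecureWay Policy Director WebSEAL Developer Reference.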
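Managing session state

A secure connection, or session, between a client and a server requires that the server be able to remember - over numerous requests - who it is talking to. The server must have some form of session state information that identifies the client associated with each request.

Without an established session state between client and server, the communication between the client and the server must be renegotiated for each subsequent request. Session state information improves performance by eliminating repeated closing and re-opening of client/server connections. The client can log in once and make numerous requests without performing a separate login for each request.

WebSEAL handles both HTTP and HTTPS communication. HTTP is a "stateless" protocol and does not provide any means of distinguishing one request from another. The SSL transport protocol, on the other hand, is specifically designed to provide a session ID to maintain session state information. HTTP communication can be encapsulated over SSL to become HTTPS.

However, WebSEAL must often handle HTTP communication from unauthenticated clients, and there are times when the SSL session ID is not an appropriate solution. Therefore, WebSEAL is designed to use any of the following information types to maintain session state with a client:

1. SSL ID
2. Server-specific session cookie
3. BA header data
4. HTTP header data
5. IP address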
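GSKit and WebSEAL session caches

A session cache allows a server to store the session ID information from multiple clients. Two session caches are available for HTTPS and HTTP session state information.

● WebSEAL credentials cache
  The WebSEAL credentials cache stores any type of session ID information (see the list above) plus the credential information obtained for each client.
  Credential information is cached to eliminate repetitive queries to the user registry database during authorization checks.
● GSKit SSL session ID cache
  The GSKit session cache handles HTTPS (SSL) communication when SSL session ID information is used to maintain session state.
  The GSKit cache also maintains session state information for the SSL connection between WebSEAL and the LDAP user registry.

Several configuration parameters are available for each cache that allow you to tune performance. The following figure summarizes these parameters:

Figure 13. Session cache configuration parameters

Configuring the WebSEAL credentials cache

The following configuration tasks are available for the WebSEAL session/credentials cache:

● Setting the maximum concurrent entries value
● Setting the cache entry timeout value
● Setting the cache entry inactivity timeout value

Setting the maximum concurrent entries value

The max-entries parameter, located in the [session] stanza of the webseald.conf configuration file, sets the maximum number of concurrent entries in the WebSEAL session/credentials cache.

This value corresponds to the number of concurrent login sessions. When the cache size reaches this value, entries are removed from the cache according to a least recently used algorithm to allow new incoming logins.

The default number of concurrent login sessions is 4096:

[session]
max-entries = 4096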
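Setting the cache entry timeout value

The timeout parameter, located in the [session] stanza of the webseald.conf configuration file, sets the maximum lifetime timeout for an entry in the WebSEAL session/credentials cache.

WebSEAL caches credential information in memory. The session cache timeout parameter determines the length of time that authorization credential information remains in WebSEAL memory.

This parameter is not an inactivity timeout. The value maps to a "credential lifetime" rather than a "credential timeout". Its purpose is to enhance security by forcing the user to re-authenticate when the specified timeout limit is reached.

The default login session timeout (in seconds) is 3600:

[session]
timeout = 3600

Setting the cache entry inactivity timeout value

The inactive-timeout parameter, located in the [session] stanza of the webseald.conf configuration file, sets the timeout value for login session inactivity.

The default login session inactivity timeout (in seconds) is 600:

[session]
inactive-timeout = 600

To disable this timeout feature, set the parameter value to "0".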
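Configuring the GSKit SSL session ID cache

The following configuration tasks are available for the GSKit SSL session ID cache:

● Setting the cache entry timeout value
● Setting the maximum concurrent entries value

Setting the cache entry timeout value

The parameters that set the maximum lifetime timeout for an entry in the GSKit SSL session ID cache are located in the [ssl] stanza of the webseald.conf configuration file. There are two parameters: one for SSL V2 connections (ssl-v2-timeout) and one for SSL V3 connections (ssl-v3-timeout).

The default SSL V2 session timeout (in seconds) is 100 (with a possible range of 1 to 100):

[ssl]
ssl-v2-timeout = 100

The default SSL V3 session timeout (in seconds) is 7200 (with a possible range of 1 to 86400):

[ssl]
ssl-v3-timeout = 7200

Setting the maximum concurrent entries value

The ssl-max-entries parameter, located in the [ssl] stanza of the webseald.conf configuration file, sets the maximum number of concurrent entries in the GSKit SSL session ID cache.

This value corresponds to the number of concurrent login sessions. When the cache size reaches this value, entries are removed from the cache according to a least recently used algorithm to allow new incoming logins.

The default number of concurrent login sessions is 4096:

[ssl]
ssl-max-entries = 4096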
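Maintaining state with session cookies

One method of maintaining session state between a client and a server is to use a cookie to hold the session information. The server packages the state information for a particular client in a cookie and sends it to the client's browser. For each new request, the browser re-identifies itself by sending the cookie (with the session information) back to the server.

Session cookies offer a possible solution for situations in which the client uses a browser that renegotiates its SSL session after very short periods of time. For example, some versions of the Microsoft Internet Explorer browser renegotiate SSL sessions every two or three minutes.

A session cookie re-authenticates a client only to the single, unique server to which the client previously authenticated within a short time period (about 10 minutes). The mechanism is based on a "server cookie" that cannot be passed to any machine other than the one that generated the cookie.

In addition, the session cookie contains only a random number identifier that is used to index into the server's session cache. The session cookie exposes no other information. The session cookie cannot compromise security policy.

Understanding session cookies

WebSEAL uses a secure server-specific session cookie. The following conditions apply to this cookie mechanism:

● The cookie contains session information only; it does not contain identity information
● The cookie resides only in browser memory (it is not written to the browser cookie jar on the disk)
● The cookie has a limited lifetime (configurable)
● The cookie has path and domain parameters that prohibit its use by other servers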
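Enabling and disabling session ID cookies

The ssl-id-sessions parameter, located in the [session] stanza of the webseald.conf configuration file, enables and disables session cookies. This parameter controls whether the SSL session ID is used to maintain the login session for clients accessing over HTTPS. If the parameter is set to "no", session cookies are used for most authentication methods.

[session]
ssl-id-sessions = no

A configuration setting of "no" for this parameter results in the following conditions for clients accessing over HTTPS:

1. The SSL session ID is never used as session ID data.
2. Cookies are used to maintain sessions with clients authenticating with failover cookies, CDSSO ID tokens, forms user name and password, token passcode, and client-side certificates.
3. Cookies are used for basic authentication clients only when use-same-session = yes (see the next section). Otherwise, the BA header is used for session ID data.
4. The HTTP header is used as session ID data for clients authenticating with HTTP headers
5. The IP address is used as session ID data for clients authenticating with IP addresses

When you use cookies to maintain session state, the cookie is sent to the browser only once (following a successful login). However, some browsers enforce a limit on the number of in-memory cookies that they can store concurrently. In some environments, applications can place a large number of in-memory cookies per domain on client systems. In this case, any configured WebSEAL session or failover cookie can easily be replaced by another cookie.

When you configure WebSEAL to use session cookies (and perhaps failover cookies), you can set the resend-webseal-cookies parameter, located in the [session] stanza of the webseald.conf configuration file, to have WebSEAL send the session cookie and the failover cookie to the browser with every response. This action helps to ensure that the session cookie and the failover cookie remain in browser memory.

The resend-webseal-cookies parameter has a default setting of "no":

[session]
resend-webseal-cookies = no

Change the default setting to "yes" to send WebSEAL session cookies and failover cookies with every response.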
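Enabling and disabling same sessions

You can configure WebSEAL to use the same session ID data when a client logs in over one type of transport (HTTP, for example), disconnects, and logs in again over another type of transport (HTTPS, for example).

The use-same-session parameter, located in the [session] stanza of the webseald.conf configuration file, enables and disables the recognition of the same session ID data. By default, this parameter is set to "no":

[session]
use-same-session = no

A "yes" configuration setting for this parameter results in the following conditions:

1. Session cookies are used to identify the following client types for subsequent logins over another transport:
   a. Failover cookies
   b. Client-side certificates
   c. CDSSO ID token
   d. Token passcode
   e. Forms user name and password
   f. Basic authentication
2. The HTTP header is used for clients accessing with HTTP headers.
3. The IP address is used for clients accessing with IP addresses.
4. The ssl-id-sessions configuration is ignored; the resulting behavior is the same as if ssl-id-sessions were set to "no".
   This logic is important because HTTP clients cannot use an SSL session ID as session data.
5. Because the cookies are available to both HTTP and HTTPS clients, they are not flagged as secure cookies.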
Determining valid session ID data types

The session data type for a client accessing with a particular authentication method is determined by specific combinations of the following configuration parameters:

● Enabling or disabling session cookies (ssl-id-sessions)
● Enabling or disabling the ability to use the same session data when a client switches between HTTP and HTTPS (use-same-session)

The following tables summarize the valid session ID data for every configuration combination of the ssl-id-sessions and use-same-session parameters:

HTTPS clients

Authentication     ssl-id-sessions    ssl-id-sessions = no      use-same-session = yes
method             = yes              use-same-session = no     (ssl-id-sessions ignored)
Failover cookie    SSL ID             Cookie                    Cookie
Certificate        SSL ID             Cookie                    Cookie
CDSSO              SSL ID             Cookie                    Cookie
Token              SSL ID             Cookie                    Cookie
Forms              SSL ID             Cookie                    Cookie
BA                 SSL ID             BA header                 Cookie
HTTP header        SSL ID             HTTP header               HTTP header
IP address         SSL ID             IP address                IP address

HTTP clients

Authentication     use-same-session    use-same-session
method             = no                = yes
Failover cookie    Cookie              Cookie
CDSSO              Cookie              Cookie
Token              Cookie              Cookie
Forms              Cookie              Cookie
BA                 BA header           Cookie
HTTP header        HTTP header         HTTP header
IP address         IP address          IP address
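Configuring failover cookies

The following failover cookie functionality (for HTTP and HTTPS) is appropriate for clients that connect to a cluster of replicated front-end WebSEAL servers through a load balancing mechanism. The purpose of the failover cookie is to prevent forced re-authentication when the server that holds the original session with the client suddenly becomes unavailable.

You can use a cluster of front-end WebSEAL servers to provide high availability of resources to a large number of clients. The load balancing mechanism intercepts incoming requests and distributes them across the available front-end servers. Refer to the following figure during this discussion.

The client is not aware of the replicated front-end server configuration. The load balancing mechanism is the single point of contact for the requested URL. The load balancing mechanism connects the client with an available server (WS1, for example). Session state is established with WS1, and all subsequent requests from that client are sent to WS1.

Failover cookies address the situation in which WS1 becomes unavailable for some reason (for example, a system failure or an off-line operation performed by the administrator). If WS1 becomes unavailable, the load balancing mechanism redirects the request to one of the other replica servers (WS2 or WS3). The original session-to-credential mapping is now lost. The client is new to this replacement server and would normally be forced to authenticate again.

You can configure the replicated WebSEAL servers to encrypt client credential data in a server-specific cookie. The cookie is placed on the browser when the client first connects. If the initial WebSEAL server becomes temporarily unavailable, the cookie (with the encrypted credential information) is presented to the replacement server. The replicated WebSEAL servers share a common key that decrypts the credential information. The client can now establish a new session with a replica WebSEAL server without being forced to re-authenticate.

The reference point for the cookie is the DNS of the load balancing mechanism. This single point of reference is important because the cookie is a server-specific cookie and not a domain-specific cookie. The cookie is accepted only by a server with the same DNS name as the server that created the cookie.

Figure 14. Failover cookie scenario

The client always makes requests through the load balancing mechanism. Therefore, during a failover operation, the encrypted cookie is always accepted and then passed on to the next available server.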
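Enabling failover cookies

The failover-auth parameter, located in the [failover] stanza of the webseald.conf configuration file, enables or disables server-specific failover cookies:

● To enable failover cookies, enter "http", "https", or "both".
● To disable failover cookies, enter "none" (default).

For example:

[failover]
failover-auth = https

You must set this parameter on each front-end WebSEAL server.

Encrypting and decrypting credential data

To protect the cookie data, use the cdsso_key_gen utility provided by WebSEAL. This utility generates a symmetric key that encrypts and decrypts the credential data in the cookie. When you run the utility, specify the location (absolute path name) of the key file:

UNIX: # cdsso_key_gen <pathname>
Windows: MSDOS> cdsso_key_gen <pathname>

Run the utility on one of the replica servers and manually copy the key file to each of the other replica servers. Enter the location of this key file in the [failover] stanza of the webseald.conf configuration file on each server. If you do not specify a key file, the failover cookie functionality is disabled for that server:

[failover]
failover-cookies-keyfile = <absolute-pathname>

You can give the key file any appropriate name, such as ws.key.

Configuring the cookie lifetime

The value of the cookie lifetime (in minutes) is set in the following parameter:

failover-cookie-lifetime = 60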
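Authentication configuration overview

You can enable and disable authentication for HTTP and HTTPS clients on a per-method basis.

The mechanisms for all authentication methods supported by WebSEAL are configured in the [authentication-mechanisms] stanza of the webseald.conf configuration file. Supported authentication method parameters include:

● Local (built-in) authenticators
  The parameters for local authenticators specify the appropriate built-in shared library (UNIX) or DLL (Windows) files.
● Custom external authenticators
  WebSEAL provides template server code that you can use to build and specify a custom external "Cross-Domain Authentication Service" (CDAS) server.
  An external CDAS authenticator specifies the appropriate custom shared library.

Local authentication parameters

The following parameters specify the local built-in authenticators:

Parameter       Description
Forms and basic authentication
passwd-ldap     Client access with LDAP user name and password.
Token authentication
token-cdas      Client access with LDAP user name and SecurID token passcode.
Client-side certificate authentication
cert-ssl        Client access with a client-side certificate over SSL.
HTTP header or IP address authentication
http-request    Client access via a special HTTP header or IP address.
CDSSO ID token authentication
cdsso           Cross-domain single sign-on authentication.

You use the [authentication-mechanisms] stanza to configure the authentication method and its implementation in the following format:

<authentication-method-parameter> = <shared-library>

See "Detailed configuration information reference" on page 71.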
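External custom CDAS authentication parameters

The following parameters are available to specify custom shared libraries for external CDAS servers:

Parameter      Description
passwd-cdas    Client access with user name and password for a third-party registry.
token-cdas     Client access with user name and token passcode.
cert-cdas      Client access with a client-side certificate authenticating over SSL.

For detailed information on building and configuring a custom shared library that implements a CDAS server, see the Tivoli SecureWay Policy Director WebSEAL Developer Reference.

Default configuration for WebSEAL authentication

By default, WebSEAL is set to authenticate clients over SSL using basic authentication (BA) user names and passwords (LDAP registry).

WebSEAL is normally enabled for both TCP and SSL access. Therefore, a typical configuration of the [authentication-mechanisms] stanza includes support for user name and password (LDAP registry) and support for client-side certificates authenticating over SSL.

The following example represents the typical configuration of the [authentication-mechanisms] stanza on Solaris:

[authentication-mechanisms]
passwd-ldap = libldapauthn.so
cert-ssl = libsslauthn.so

To configure other authentication methods, add the appropriate parameter with its shared library (or CDAS module). For detailed configuration information for each authentication method, see "Detailed configuration information reference" on page 71.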
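Configuring multiple authentication methods

You modify the [authentication-mechanism] stanza of the webseald.conf configuration file to specify the shared library to be used for any supported authentication method. The following conditions apply when you configure multiple authentication methods:

1. All authentication methods can function independently of each other. You can configure a shared library for each supported method.
2. When both the cert-cdas and cert-ssl methods are configured, the former overrides the latter. You must enable one of them to support client-side certificates.
3. When more than one password-type authenticator is configured, only one is actually used. WebSEAL uses the following order of priority to resolve multiple configured password authenticators:
   a. passwd-cdas
   b. passwd-ldap
4. It is possible to configure the same custom library for two different authentication methods. For example, you can write a custom shared library that processes both user name/password and HTTP header authentication. For this example, you configure both the passwd-cdas and http-request parameters with the same shared library. It is the responsibility of the developer to maintain session state and avoid conflicts between the two methods.

Prompting for login

WebSEAL prompts a client for login under the following conditions:

1. An unauthenticated client fails an authorization check
2. A forms or basic authentication client fails an authorization check

The following client types result in a "403 failure" error:

1. When the authorization check fails:
   a. Client-side certificate
   b. Failover cookie
   c. CDSSO
   d. IP address
   e. HTTP header
2. When the client authenticates with a method that is disabled by WebSEAL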
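Logout and change password commands

Policy Director provides the following commands to support clients that authenticate over HTTP or HTTPS.

pkmslogout

Clients can use the pkmslogout command to log out of the current session when they use an authentication method that does not supply authentication data with each request. For example, pkmslogout does not work for clients using basic authentication or IP address authentication. In this case, you must close the browser to log out.

The pkmslogout command is appropriate for authentication by client-side certificate, token passcode, forms authentication, and certain implementations of HTTP header authentication.

Run the command as follows:

https://www.tivoli.com/pkmslogout

The browser displays a logout form defined in the webseald.conf configuration file:

[acnt-mgt]
logout = logout.html

You can modify the logout.html file to suit your requirements.

The pkmslogout utility also supports multiple logout response pages for cases in which the network architecture requires different exit screens for users logging out of distinctly different back-end systems.

The following expression identifies a specific response file:

https://www.tivoli.com/pkmslogout?filename=<custom_logout_file>

where custom_logout_file is the file name of the logout response. This file must reside in the same lib/html/C directory that contains the default logout.html file and the other sample HTML response forms.

pkmspasswd

You can use this command to change your login password when using basic authentication (BA) or forms authentication. This command is appropriate over both HTTP and HTTPS.

For example:

https://www.tivoli.com/pkmspasswd

To assure maximum security when BA is used with WebSEAL, this command has the following behavior for a BA client:

1. The password is changed.
2. The client user is logged out of the current session.
3. When the client makes an additional request, the browser presents the client with a BA prompt.
4. The client must log in again to continue making requests.

This scenario applies only to clients using basic authentication.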
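Configuring basic authentication

Basic authentication (BA) is a standard method of providing a user name and password to the authentication mechanism. BA is defined by the HTTP protocol and can be implemented over HTTP and HTTPS.

By default, WebSEAL is configured to authenticate over HTTPS using basic authentication (BA) user names and passwords.

Enabling and disabling basic authentication

The ba-auth parameter, located in the [ba] stanza of the webseald.conf configuration file, enables and disables the basic authentication method.

● To enable the basic authentication method, enter "http", "https", or "both".
● To disable the basic authentication method, enter "none".

For example:

[ba]
ba-auth = https

Setting the realm name

The realm name is the text that is displayed in the dialog box that appears when the browser prompts the user for login data.

The configuration parameter that sets the realm name is located in the [ba] stanza of the webseald.conf configuration file.

For example:

[ba]
basic-auth-realm = Policy Director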
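Configuring the basic authentication mechanism

The passwd-ldap parameter specifies the shared library used to handle user name and password authentication.

● On UNIX, the file that provides the built-in mapping function is a shared library called libldapauthn.
● On Windows, the file that provides the built-in mapping function is a DLL called ldapauthn.

Authentication    Shared library
mechanism         Solaris            AIX               Windows          HP-UX
passwd-ldap       libldapauthn.so    libldapauthn.a    ldapauthn.dll    libldapauthn.sl

You can configure the user name and password authentication mechanism by entering the passwd-ldap parameter with the platform-specific name of the shared library file in the [authentication-mechanism] stanza of the webseald.conf configuration file. For example:

Solaris:
[authentication-mechanisms]
passwd-ldap = libldapauthn.so

Windows:
[authentication-mechanisms]
passwd-ldap = ldapauthn.dll

Figure 15. BA login prompt

Configuration conditions

If forms authentication is enabled for a specific transport, the basic authentication settings for that transport are ignored.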
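Configuring forms authentication

Policy Director provides forms authentication as an alternative to the standard basic authentication mechanism. This method produces a custom HTML login form from Policy Director instead of the standard login prompt that results from a basic authentication challenge.

When you use forms-based login, the browser does not cache the user name and password information (as it does in basic authentication).

Enabling and disabling forms authentication

The forms-auth parameter, located in the [forms] stanza of the webseald.conf configuration file, enables and disables the forms authentication method.

● To enable the forms authentication method, enter "http", "https", or "both".
● To disable the forms authentication method, enter "none".

For example:

[forms]
forms-auth = https

Configuring the forms authentication mechanism

The passwd-ldap parameter specifies the shared library used to handle user name and password authentication.

● On UNIX, the file that provides the built-in mapping function is a shared library called libldapauthn.
● On Windows, the file that provides the built-in mapping function is a DLL called ldapauthn.

Authentication    Shared library
mechanism         Solaris            AIX               Windows          HP-UX
passwd-ldap       libldapauthn.so    libldapauthn.a    ldapauthn.dll    libldapauthn.sl

You can configure the user name and password authentication mechanism by entering the passwd-ldap parameter with the platform-specific name of the shared library file in the [authentication-mechanism] stanza of the webseald.conf configuration file. For example:

Solaris:
[authentication-mechanisms]
passwd-ldap = libldapauthn.so

Windows:
[authentication-mechanisms]
passwd-ldap = ldapauthn.dll

Configuration conditions

If forms authentication is enabled for a specific transport, the basic authentication settings for that transport are ignored.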
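Customizing HTML response forms

Forms authentication requires you to use a custom login form. By default, the sample login.html form is located in the following directory:

<install-directory>/lib/html

You can customize the content and design of this form. For example:

Figure 16. Sample WebSEAL login form

For detailed information on the available HTML forms that you can customize, see "Managing custom HTML pages" on page 34.

Configuring client-side certificate authentication

WebSEAL supports secure communication with clients using client-side digital certificates over SSL. In this authentication method, certificate information (such as the "Distinguished Name" or DN) is mapped to a Policy Director identity.

Background: Mutual authentication via certificates

Authentication via digital certificates takes place in two stages:

● WebSEAL identifies itself to SSL clients with its server-side certificate
● WebSEAL uses its database of Certificate Authority (CA) root certificates to validate clients accessing with client-side certificates

1. An SSL client requests a connection with a WebSEAL server.
2. In response, WebSEAL sends its public key via a signed server-side certificate. This certificate has previously been signed by a trusted third-party certificate authority (CA).
3. The client checks whether it can trust and accept the issuer of the certificate. The client's browser usually contains a list of root certificates from trusted CAs. If the signature on WebSEAL's certificate matches one of these root certificates, the server can be trusted.
4. If there is no match for the signature, the browser informs its user that this certificate was issued by an unknown certificate authority. It is then the user's responsibility to accept or reject the certificate.
5. If the signature matches an entry in the browser's root certificate database, session keys are securely negotiated between the client and the WebSEAL server.
   The end result of this process is a secure channel over which the client can authenticate (for example, with a user name and password). After successful authentication, the client and server can continue to communicate securely over this channel.
6. Now the client sends its public key certificate to the WebSEAL server.
7. WebSEAL attempts to match the signature on the client certificate to a known CA. Like a client browser, the WebSEAL server maintains a list of root certificates from trusted CAs in its key database.
8. If there is no match for the signature, WebSEAL generates an SSL error code and sends it to the client.
9. If there is a match for the signature, the client is trusted. If the client is authenticated, a Policy Director identity is used.
10. Session keys are securely negotiated between the client and the WebSEAL server. The end result of this process is a secure and trusted communication channel between the mutually authenticated client and server.

Figure 17. Client validating the WebSEAL certificate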
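The WebSEAL test certificate

At installation, WebSEAL contains a self-signed test server certificate. Although this test certificate allows WebSEAL to respond to an SSL-enabled browser request, it cannot be verified by the browser (which does not contain an appropriate root CA certificate). Because the private key for this default certificate is contained in every WebSEAL distribution, this certificate offers no true secure communication.

To ensure secure communication over SSL, it is important to register for and obtain a unique site server certificate from a trusted Certificate Authority (CA). You can use the GSKit iKeyman utility to generate the certificate request that is sent to the CA. You can also use iKeyman to install and label the new site certificate. Use the webseal-cert-keyfile-label parameter in the [ssl] stanza of the webseald.conf configuration file to designate the certificate as the active WebSEAL server-side certificate (this setting overrides any certificate designated as "default" in the key file database).

If you require different certificates for other scenarios (such as for mutually authenticated junctions), you can use the iKeyman utility to create, install, and label these additional certificates.

See "Configuring WebSEAL key database parameters" on page 37.

See "Using iKeyman to manage certificates" on page 217.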
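Enabling and disabling certificate authentication

You can specify how WebSEAL handles client-side certificates authenticating over SSL by setting the accept-client-certs parameter (located in the [certificate] stanza of the webseald.conf configuration file).

By default, WebSEAL does not accept client-side certificates:

[certificate]
accept-client-certs = never

Additional values for this parameter include optional and required.

The following table lists and describes the allowed values of the accept-client-certs parameter:

Value       Description
never       Do not accept X.509 certificates from clients.
optional    Request an X.509 certificate from the client and, if a certificate is supplied, use certificate-based authentication.
required    Request an X.509 certificate from the client and use certificate-based authentication. If the client does not supply a certificate, do not allow the connection.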
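Configuring the certificate authentication mechanism

The cert-ssl parameter specifies the shared library used to map certificate authentication information.

● On UNIX, the file that provides the built-in mapping function is a shared library called libsslauthn.
● On Windows, the file that provides the built-in mapping function is a DLL called sslauthn.

Authentication    Shared library
mechanism         Solaris           AIX              Windows         HP-UX
cert-ssl          libsslauthn.so    libsslauthn.a    sslauthn.dll    libsslauthn.sl

You can configure the certificate authentication mechanism by entering the cert-ssl parameter with the platform-specific name of the shared library file in the [authentication-mechanism] stanza of the webseald.conf configuration file.

Solaris:
[authentication-mechanisms]
cert-ssl = libsslauthn.so

Windows:
[authentication-mechanisms]
cert-ssl = sslauthn.dll

The default mapping provided by the shared library file is a direct mapping of the certificate DN to an LDAP DN.

Configuration conditions

If client-side certificate handling is set to "required", all other authentication settings are ignored for HTTPS clients.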
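Configuring HTTP header authentication

Policy Director supports authentication via custom HTTP header information supplied by the client or a proxy agent.

This mechanism requires a mapping function (a shared library) that maps the trusted (pre-authenticated) header data to a Policy Director identity. WebSEAL can take this identity and create a credential for the user.

WebSEAL assumes that custom HTTP header data has been previously authenticated. For this reason, it is recommended that you implement this method exclusively, with no other authentication methods enabled. It is possible to impersonate custom HTTP header data.

By default, this shared library is built to map data from proxy agent headers.

Enabling and disabling HTTP header authentication

The http-headers-auth parameter, located in the [http-headers] stanza of the webseald.conf configuration file, enables and disables the HTTP header authentication method.

● To enable the HTTP header authentication method, enter "http", "https", or "both".
● To disable the HTTP header authentication method, enter "none".

For example:

[http-headers]
http-headers-auth = https

Specifying header types

You must specify all supported HTTP header types in the [auth-headers] stanza of the webseald.conf configuration file.

[auth-headers]
header = <header-type>

By default, this built-in shared library is hard-coded to support proxy agent header data.

[auth-headers]
header = entrust-client

You must customize this file to authenticate other types of special header data and to map this data to a Policy Director identity (optional). For API resources, see the Tivoli SecureWay Policy Director WebSEAL Developer Reference.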
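Configuring the HTTP header authentication mechanism

The http-request parameter specifies the shared library used to map HTTP authentication header information.

● On UNIX, the file that provides the built-in mapping function is a shared library called libhttpauthn.
● On Windows, the file that provides the built-in mapping function is a DLL called httpauthn.

Authentication    Shared library
mechanism         Solaris            AIX               Windows          HP-UX
http-request      libhttpauthn.so    libhttpauthn.a    httpauthn.dll    libhttpauthn.sl

By default, this built-in shared library is hard-coded to map proxy agent header data to a valid Policy Director identity. You must customize this file to authenticate other types of special header data and to map this data to a Policy Director identity (optional). For API resources, see the Tivoli SecureWay Policy Director WebSEAL Developer Reference.

You can configure the HTTP header authentication mechanism by entering the http-request parameter with the platform-specific name of the shared library file in the [authentication-mechanism] stanza of the webseald.conf configuration file.

For example:

Solaris:
[authentication-mechanisms]
http-request = libhttpauthn.so

Windows:
[authentication-mechanisms]
http-request = httpauthn.dll

Configuration conditions

1. If ssl-id-sessions = no, session ID cookies are not used to maintain state. Instead, the unique header value is used to maintain state.
2. If the client encounters an authorization failure, the client receives a "Forbidden" page (HTTP 403).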
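Configuring IP address authentication

Policy Director supports authentication via an IP address supplied by the client.

Enabling and disabling IP address authentication

The ipaddr-auth parameter, located in the [ipaddr] stanza of the webseald.conf configuration file, enables and disables the IP address authentication method.

● To enable the IP address authentication method, enter "http", "https", or "both".
● To disable the IP address authentication method, enter "none".

For example:

[ipaddr]
ipaddr-auth = https

Configuring the IP address authentication mechanism

Authentication via an IP address requires a custom shared library. Use the http-request parameter for this shared library.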
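Configuring token authentication

Policy Director supports authentication via a token passcode supplied by the client.

Enabling and disabling token authentication

The token-auth parameter, located in the [token] stanza of the webseald.conf configuration file, enables and disables the token authentication method.

● To enable the token authentication method, enter "http", "https", or "both".
● To disable the token authentication method, enter "none".

For example:

[token]
token-auth = https

Configuring the token authentication mechanism

The token-cdas parameter specifies the shared library used to map token passcode authentication information.

● On UNIX, the file that provides the built-in mapping function is a shared library called libtokenauthn.
● On Windows, the file that provides the built-in mapping function is a DLL called tokenauthn.

Authentication    Shared library
mechanism         Solaris             AIX                Windows           HP-UX
token-cdas        libtokenauthn.so    libtokenauthn.a    tokenauthn.dll    libtokenauthn.sl

By default, this built-in shared library is hard-coded to map SecurID token passcode data. You can customize this file to authenticate other types of special token data and, optionally, to map this data to a Policy Director identity. For API resources, see the Tivoli SecureWay Policy Director WebSEAL Developer Reference.

You can configure the token authentication mechanism by entering the token-cdas parameter with the platform-specific name of the shared library file in the [authentication-mechanism] stanza of the webseald.conf configuration file.

For example:

Solaris:
[authentication-mechanisms]
token-cdas = libtokenauthn.so

Windows:
[authentication-mechanisms]
token-cdas = tokenauthn.dll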
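Supporting Multiplexing Proxy Agents

Policy Director provides solutions for securing networks that use a Multiplexing Proxy Agent (MPA).

Standard Proxy Agents (SPA) are gateways that support per-client sessions between clients and the origin server (over SSL or HTTP). WebSEAL can apply normal SSL or HTTP authentication to these per-client sessions.

Multiplexing Proxy Agents (MPA) are gateways that accommodate access by multiple clients. These gateways are sometimes known as WAP gateways when clients access through the Wireless Access Protocol (WAP). The gateway establishes a single authenticated channel to the origin server and "tunnels" all client requests and responses through this channel.

To WebSEAL, the information across this channel initially appears as multiple requests from one client. WebSEAL must distinguish between the authentication of the MPA server and the additional authentication of each individual client.

Because WebSEAL maintains an authenticated session for the MPA, it must simultaneously maintain separate sessions for each client. Therefore, the session data and authentication method used for the MPA must be different from the session data and authentication method used by the client.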
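Figure 18. Communication through an MPA gateway

Valid session data types and authentication methods

The session data type used by the MPA to WebSEAL must be different from the session data type used by the client to WebSEAL. The following table lists the valid session types for the MPA and the client:

Valid session types
MPA-to-WebSEAL    Client-to-WebSEAL
SSL session ID
HTTP header       HTTP header
BA header         BA header
IP address
Cookie            Cookie

● The client cannot use an SSL session ID as the session data type.
● For example, if the MPA uses a BA header for the session data type, the client's choices for session data type include only HTTP header and cookie.
● If the MPA uses an HTTP header for session data, the client can use a different HTTP header type.
● The server-specific cookie contains session information only; it does not contain identity information.
● If MPA support is enabled, the function of ssl-id-sessions changes. Normally, if ssl-id-sessions=yes, only the SSL session ID is used to maintain sessions for HTTPS clients. To allow the MPA to maintain a session with an SSL session ID and have clients maintain sessions using another method, this restriction is removed. See also "Determining valid session ID data types" on page 79.

The authentication method used by the MPA to WebSEAL must be different from the authentication method used by the client to WebSEAL. The following table lists the valid authentication methods for the MPA and the client:

Valid authentication types
MPA-to-WebSEAL          Client-to-WebSEAL
Basic authentication    Basic authentication
Forms                   Forms
Token                   Token
HTTP header             HTTP header
Certificate
IP address

● For example, if the MPA uses basic authentication, the client's choices for authentication method include forms, token, and HTTP header.
● The certificate and IP address authentication methods are not valid for use by the client.
● Normally, if forms (or token) authentication is enabled for a particular transport, basic authentication is automatically disabled for that transport (see "Configuring the basic authentication mechanism" on page 88). If MPA support is enabled, this restriction is removed. This allows the MPA to log in with forms (or token) and clients to log in with basic authentication over the same transport.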
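Authentication process flow for an MPA and multiple clients

1. The WebSEAL administrator performs the following preliminary configuration:
   ● Enable support for Multiplexing Proxy Agents
   ● Create a Policy Director account for the specific MPA gateway
   ● Add this MPA account to the webseal-mpa-servers group
2. Clients connect to the MPA gateway.
3. The gateway translates the request to an HTTP request.
4. The gateway authenticates the client.
5. The gateway establishes a connection with WebSEAL using the client request.
6. The MPA authenticates to WebSEAL (using a method different from the client's), and an identity is derived for the MPA (which already has a WebSEAL account).
7. WebSEAL verifies the MPA's membership in the webseal-mpa-servers group.
8. A credential is built for the MPA and flagged as a special MPA type in the cache.
   Although this MPA credential accompanies each future client request, it is not used for authorization checks on these requests.
9. Now WebSEAL needs to further identify the owner of the request.
   The MPA is able to distinguish the multiple clients for correct routing of login prompts.
10. The client logs in and authenticates using a method that is different from the authentication type used for the MPA.
11. WebSEAL builds a credential from the client authentication data.
12. The session data type used by each client must be different from the session data type used by the MPA.
13. The authorization service permits or denies access to protected objects based on the user credential and the ACL permissions on the object.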
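Enabling and disabling MPA authentication

The mpa parameter, located in the [mpa] stanza of the webseald.conf configuration file, enables and disables MPA authentication:

● To enable the MPA authentication method, enter "yes".
● To disable the MPA authentication method, enter "no".

For example:

[mpa]
mpa = yes

Creating a user account for the MPA

For information on creating user accounts, see the Tivoli SecureWay Policy Director Base Administration Guide and the Tivoli SecureWay Policy Director Web Portal Manager Administration Guide.

Adding the MPA account to the webseal-mpa-servers group

For information on managing groups, see the Tivoli SecureWay Policy Director Base Administration Guide and the Tivoli SecureWay Policy Director Web Portal Manager Administration Guide.

MPA authentication limitations

This release of Policy Director supports only one MPA per WebSEAL server.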
gr"abv=8
1 WebSEAL w*zm~qw4PTa)T2+rD#$1,(#*s
a)%;"aAJ4Dbv=8#>BV[=Vgr%;"abv=
8#
wbw}:
¶ :dC CDSSO O$;
¶ Z1083D:dCgSgx%;"a;
dC CDSSO O$
Policy Director gr%;"a(CDSSO)a)K;VZ`v2+r.d*
FC'>$DzF#CDSSO Jm Web C'4P%;"a"Z=v@"
D2+r.d^lF/#CDSSO O$zF";@5ZwO$~qw(k
NDgSgx SSO)#
CDSSO (}Jm/I`v2+r,'VIluxge5a9D?D#}
g,ITC=vr`v(;DrhC;vsM2,b?x * ?v(;D
r<PT:DC'MTsUd#CDSSO JmC'9C%;"aZr.d
F/#
1C'ks;Zm;rPD3vJ41,CDSSO zF+QS\DC'm
]jGSZ;vr*F=Z~vr#by,Z~vrMC=KC'Dm
](QZZ;vrPO$),R;a?FC'4Pm;G<#
/I(F CDMF 2mbZm` CDSSO =8P,;,rDC'd1!D;T;3dI\;JOy
P?p*s#
gr3dr\(CDMF)GJmz9((F2mbD`LSZ,K2m
b\&m)9DC'tT"*C'm]a)3d~q#
CDMF `LSZJminX(F3dC'm]M&mC'tT#
9C CDMF D CDSSO O$xLwTBxLwhvZ<19P5w#
1. kNk`vrDNNC'XkZwrP_PP'C'J',RXk
Z?vNkD6LrP_PI3d*P'J'Dm]#
g{C';Pu<O$=|,C'J'Du<2+r(A),r;\
wC CDSSO &\#
2. C'(} Web 3fOD(F4S"vCJr B PDJ4Dks#
C4S|,;vXb CDSSO mo=:
/pkmscdsso?<destination-URL>
}g:
/pkmscdsso?https://www.domainB.com/index.html
3. b;ks+WHIr A PD WebSEAL ~qw&m#WebSEAL 9
(O$jG,|,C'D Policy Director m](rF)"10r
(0A1)"d|C'E"M1dAG#
d|C'E"G(}wC(FD CDMF 2mb
(cdmf_get_usr_attributes)q!D#Kb_Pa)C'tTD\
&,C'3d&mZdr B I9Cb)tT#
WebSEAL }v DES 9C cdsso_key_gen 5CLrzIDTF\
?S\KjG}]#K\?D~G2mD,|f"Zr A Mr B
WebSEAL ~qwOD webseald.conf dCD~D [cdsso-peers] Z
P#
C jG| , K I dCD ( e jGP ' Z D1dAG
(authtoken-lifetime)#}7dC1dAG1,IT@9X4%
w#
4. r A WebSEAL ~qw+ksMQS\DjGX(rX/@w,;s
X(r=r B WebSEAL ~qw(HTTP X(r)#
5. r B WebSEAL ~qw9C`,f>D\?D~b\"i$4TN<
rDjG#
6. VZr B WebSEAL ~qwMwC CDSSO O$zFb#K CDSSO
b@NwC(FD4P5JC'3d(cdmf_map_usr)D CDMF
b#
CDMF b+C'm]Md|C'tTE"(s__P!qT)+]X
CDSSO b#CDSSO b9CKE"49(>$#
7. r B Z(~qmIr\xT\#$TsDCJ(yZC'>$Mkk
sDTs`X*DX( ACL mI()#
tCM{C CDSSO O$
cdsso-auth N},;Z webseald.conf dCD~D [cdsso] ZP,C
ZtCM{C CDSSO O$=(#
< 19. 9C CDMF Dgr%;"a}L
¶ *tC CDSSO O$=(,kdk0http1"0https1r0both1#
¶ *{C CDSSO O$=(,kdk0none1#
}g:
[cdsso]
cdsso-auth = https
dC CDSSO O$zF
cdsso dCN}8(K3dO$E"D2`k2mb#
¶ Z UNIX O,a)ZC3d&\DD~GF* libcdssoauthn D2
mb#
¶ Z Windows O,a)ZC3d&\DD~GF* cdssoauthn D
DLL#
O$zF   2mb
       Solaris            AIX               Windows          HP-UX
cdsso  libcdssoauthn.so   libcdssoauthn.a   cdssoauthn.dll   libcdssoauthn.sl
IT(}Z webseald.conf dCD~D [authentication-mechanism]ZPx cdsso N}dkX(Z=(D2mbD~{F4dC CDSSO O
$zF#
}g:
Solaris:
[authentication-mechanisms]
cdsso = libcdssoauthn.so
Windows:
[authentication-mechanisms]
cdsso = cdssoauthn.dll
S\O$jG}]
WebSEAL Xk9C cdsso_key_gen 5CLrzID\?S\ECZ
jGPDO$}]#Xk(}kNkrD?v WebSEAL ~qw2m\
?D~0,=1K\?#wrPNkD?v WebSEAL ~qw<h*9
C`,D\?#
":4(MV"\?D~";G Policy Director CDSSO xLD;?V#
KP cdsso_key_gen 5CLr1,C5CLr*sz8(\?D~D
;C(xT76{):
UNIX: # cdsso_key_gen <absolute-pathname>
Windows: MSDOS> cdsso_key_gen <absolute-pathname>
ZwrDNk WebSEAL ~qwD webseald.conf dCD~D
[cdsso-peers] ZPdkK\?D~D;C#dq=|( WebSEAL z
w{FM\?D~;C:
[cdsso-peers]
<webseal-machine-name> = <keyfile-location>
r A dC>}:
[cdsso-peers]
www.domainB.com = <pathname>/A-B.key
r B dC>}:
[cdsso-peers]
www.domainA.com = <pathname>/A-B.key
ZTO>}P,A-B.key D~+Z;vzw(}g WebSEAL A)Oz
I,"V$("2+)D4F=m;zw(}g WebSEAL B)#
dCjG1dAGCjG|,IdCD1dAG,|(eKm]jGDP'Z#;)1d
AG=Z,rO*CjG^',";h9C#(}+1dAGhC*c
;LD5,Sx@9KjGZdP'ZZ;AC"X49C,rK1d
AGICZoz@9X4%w#
authtoken-lifetime N},;Z webseald.conf dCD~PD [cdsso]ZP,CZhCjGP'ZD5#C5Tk*%;mo#1!5* 180:
[cdsso]
authtoken-lifetime = 180
Xk<GNkn/Dr.dDNN1S+n#
mo CDSSO HTML 4S(z2+rJ4D HTML 4SXk|,XbD CDSSO mo=:
/pkmscdsso?<destination-URL>
}g:
/pkmscdsso?https://www.domainB.com/index.html
#$O$jG1O$jG;|,O$E"(}gC'{M\k)1,|5JO|,K
SUrZIEDC'm]#rK,Xk#$jGTm;;ACMX49
C#
(}9C SSL #$ WebSEAL ~qwkC'.dD(E,I@9jG;
k_AC#IThkSC'D/@wz7G<PACjG#jGOD1
dAG&c;L,9jGZdP'ZZ;I\;ACMX49C#
+`TZ1dAGxT,Q=ZDjGT;]W\=\kT%w#g{
"VKCZ+jGS\D\?rC\?\=p&,rPqbDC'I\
9({GT:DjG#
;sIT+b)jGek01 CDSSO w1#TZNk CDSSO rn/D
WebSEAL ~qw,b)jG+kf}DO$jGA^xp#rK,9X
k!D\mCZ#$jGD\?,"-#xP|D#
dCgSgx%;"a
gSgx%;"aG Policy Director 73PgrO$Dm;5V#gr
O$D?DGJmC'CJg`vrD`v~qwDJ4,x;XXB
O$#
0gSgx1GNkLqX5D;i%;`,Dr(Policy Director r
DNS)#b)NkrIdC*;vLqD;?V(IZXm-r,I\
9C;,D DNS {F),rdC*k2mX5j+;,DLq(}g,
+>\?"KY#U+>MpZ\m+>)#
Z ? v = 8P, \ P ; v r8( * 0w( h o m e ) 1 r 0 y P _
(owner)1r#ZNkLqDivB,wr5P\mgSgxDLq
-(#
Zb=V=8P,XZNkgSgxDC'DO$E"(|(O$9C
DC'{M\k)<+ZwrP,$#b;2EJm\mJbD%vN
<c,}ggSgxPyP8rwrDoz(tP#
r_,2I9C Policy Director Web Portal Manager /I\mKE",
TcNkr_P\mT:DC'D0p#
B<PYK;vy>gSgx,|_P=vNkr:r A(dA.com)M
r B(dB.com)#ZK>}P,r A zmwrryP_r#r B GN
krr06L1r#
wr05P1C' * 4,|XFC'DO$E"#;\C'ZN&ks
J4,C'\GXkZwrO$#
TwO$~qw(MAS)* ;ZwrP"dC*O$yPC'D~qw
( r 1 > ~ q w/) * z z O$# <P+ M A S m>*
mas.dA.com#MAS D0p&^F*a)O$~q#MAS ;&|,TC
'ICDJ4#
;)C'I&O$= MAS,MAS +zI0$51jG#KjG++]
XC'("ksD~qw#~qw+K0$51jGS*C'QI&O
$= MAS "\NkgSgxD$]#
gSgxrdDE"*F+ZZ1123D:gSgxxLw;;ZPj
8hv#
< 20. gSgx#M
gSgxXwM*s
¶ K#M'V(}+ URL(4SjG)8rJ4xPCJ#b;Xwk
@5Z(EdCD pkmscdsso 4SD CDSSO #MNITU(k
NDZ1033D:dC CDSSO O$;)#
¶ gSgxD5V*syPNkgSgxDrPDyP WebSEAL ~q
wDdC;B#
¶ NkgSgxDyPC'<h*ZwrPD%vwO$~qw
(MAS)OxPO$#
¶ g{C';P MAS DP'J'(}g,tZr B +;Nkr A *
r B gSgxDC'),rgSgxD5VJmZ6LrPxP0>
X1O$#
ZksG MAS rPDJ41,+*O$ MAS '\DC'a)=O
$A>X~qw("vksD~qw)D!n#
¶ MAS(T0ns6LrPd|!qD~qw)0$51C'O$D
m]#
¶ X(ZrD cookie CZj6Ia)0$51~qD~qw#bMJ
m6LrPD~qwZ>Xks0$51E"#gSgx cookie D
S\Z];|,C'm]r2+TE"#
¶ Q9C(EDjG4+]S\D0$51C'm]#0$51jG
;|,5JC'O$E"#I2mD\?(triple-DES)a)j{
T#jG|,K;v,1(P'Z)5,T^FjGP'TDVx
1d#
¶ gSgxD5VZ HTTP M HTTPS O<\'V#
¶ vpgSgxr\m|GT:DC'm]M`X*DX(#I9C
gr3d&\(CDMF)API +4T6LrDC'3d=>XrPD
P'C'#
g{gSgxr2m+VC'm],r;h*K3d&\#
¶ gSgxDdCZ?vNk WebSEAL ~qwD webseald.conf D
~PhC#
gSgxxLw
gSgxIwO$ WebSEAL ~qw(MAS)M;ZwrM6LrPD
d| WebSEAL ~qw9I#MAS Iw* WebSEAL ~qwD%v5
}r;Z:X=bw(K&:X=bwj6* MAS)sfD WebSEAL
1>/fZ#
h*dCyPNkD>XM6L WebSEAL ~qw,T9CxPu<M
'zO$Dwr MAS#bGTwrP~qwD2T*sMT6LrP~
qwDmT*s#}g,IdC6LrPD;)~qw,T&m|GT
:DO$#b)~qwM|G#$DJ4I@"ZgSgxxPYw,
49|G;ZNkgSgxrP#
gSgxD5V("Z0$5153Dy!O#(#,1C'SC'4
("P'a0D WebSEAL ~qwksJ41,WebSEAL +a>C'
O$E"#ZgSgxdCP,WebSEAL ~qwj60$51~qw"
SC'QO$Db;0$51~qwksi$#
0$51~qw_PCC'DP'>$E"#TZC'DZ;Nks,
0$51~qw\G MAS#MAS Lx#1;ZwrPDJ4D0$51
~qw#1C'Lx(}gSgxD"vJ4ks1,?v6LrPD
%@~qwI*C'9(|T:D>$(yZ4T MAS DC'm]E
"),"*rPDJ4#10$51~qwG+#
0$51~qwDi$ksI!0$51jGDq=#0$51~qw
4(jG"+|5X=ksD WebSEAL ~qw#jGPDC'm]E
"GS\D#jG|,P'Z^F#
;SU=0$51jG,ks~qwM*CC'9(>$M>Xa0#
VZC'IyZ}#D(^XF4CJksDJ4#C'SPITC=
;XXBO$DC& * bGgSgx#MD?D#
5)>Z#`?VDgSgxxLw1,kN<TB<m#xLwhv
K=vI\D FIRST CJ=8(1 M 2)#SEG=vI\D NEXT C
J=8(3 M 4),|GtSE 2 r 3#=8 5 "zZu<CJsDN
N1d#
0$51~qw
¶ MAS \GZC'Z;NCJgSgxNN?V1xPO$#
MAS ;&w*O$~qw4P,R;&GJ4a)_#MAS ;&d
C*wO$~qw4Yw,,12;\dC*CZ#$J4#K(
if0T\==f,|;G;v2+T*s#
¶ MAS \Gwr(K>}P*r A)D0$51~qw#
¶ X(ZrDgSgx cookie CZj6x(rPyPd|~qwD0$
51~qw#0$51~qwGrPS MAS ks0$51jGDZ
;v~qw#0$51~qw*rPDC'a)0$51E"#x
(6LrP0$51~qDsLksIIK~qw>X(",x;
GCJrbD MAS#ZwrP,gSgx cookie + MAS j6*
0$51~qw#
(1) FIRST gSgxCJ:WebSEAL 1(r A)
¶ C'ks\ WebSEAL 1(Z MAS D,;vrP)#$DJ4#/
@w;|,CrDgSgx cookie#WebSEAL 1 ;PC'D_Y:
fD>$#
< 21. gSgxxLw
¶ WebSEAL 1 dCtCgSgxO$,"8( MAS D;C#
WebSEAL 1 X(r/@wA MAS ODX(0$51URL#
¶ MAS SU0$51ks,"IZiRCC'D>$'\xa>C'G
<#
¶ ;)I&G<,MAS M*C'9(>$,+|f"Z_Y:fP,"
+/@wX(rX WebSEAL 1 OnuksD URL,K WebSEAL
1 _PS\D0$51jG#mb,X(Zr A DgSgx cookie
;EC=/@wO,Tj6Cr(ZKivB,* MAS)D0$51
~qw#
g{G<"T'\,r MAS 5Xm>'\4,D0$51jG#C
jGD9l9.^(kI&4,0$51jGxp#ks~qw+
'\4,DjGS*C'>XO$'\#
¶ WebSEAL 1 b\jG"*C'9(T:D>$#
":Z,;rP1,;a*sm]3d#g{*sm]3d,r
WebSEAL 1 Xk9Cgr3dr\(CDMF)#
¶ Z(~qmIr\xks#
(2) FIRST gSgxCJ:WebSEAL 3(r B)
¶ C'ks\ WebSEAL 3(6Lr B)#$DJ4#/@w;|,C
rDgSgx cookie#WebSEAL 3 ;PCC'D_Y:fD>$#
¶ WebSEAL 3 dCtCgSgxO$,"8( MAS D;C#
WebSEAL 3 X(r/@wA MAS ODX(0$51URL#
¶ MAS SU0$51ks,"IZiRCC'D>$'\xa>C'G
<#
¶ ;)I&G<,MAS M*C'9(>$,+|f"Z_Y:fP,"
+/@wX(rX WebSEAL 3 OnuksD URL,K WebSEAL
3 _PS\D0$51jG#mb,X(Zr A DgSgx cookie
;EC=/@wO,Tj6Cr(ZKivB,* MAS)D0$51
~qw#
g{G<"T'\,r MAS 5Xm>'\4,D0$51jG#C
jGD9l9.^(kI&4,0$51jGxp#ks~qw+
'\4,DjGS*C'>XO$'\#
¶ WebSEAL 3 b\jG"*C'9(T:D>$#
¶ WebSEAL 3 Z/@wO4("hCm;vgSgx cookie(Tr B
P'),j6 WebSEAL 3 *r B D0$51~qw#
¶ Z(~qmIr\xks#
(3) NEXT gSgxCJ:WebSEAL 2(r A)
¶ C'ks\ WebSEAL 2(Z MAS D,;vrP)#$DJ4#/
@ w | , j6 M A S * 0$51 ~ q w D r A g S g x
cookie#WebSEAL 2 SUK cookie#WebSEAL 2 ;PC'D_Y
:fD>$#
¶ WebSEAL 2 dCtCgSgxO$,"8( MAS D;C#r A g
Sgx cookie DfZ+2G MAS ;CD WebSEAL 2 dC#cookie
* WebSEAL 2 a)K0$51~qwm]#(g{=8 2 H"z,
r/@wO2a,$r B cookie,|;a"MAr A ~qw#)
¶ WebSEAL 2 X(r/@wA cookie Pj6Dr A0$51~qw
(ZKivB* MAS,r* WebSEAL 2 Zr A P)ODXb0$
51URL#
¶ MAS SU0$51ks,"Z_Y:fPiRCC'D>$(b"z
Z=8 1 M 2 P)#
¶ MAS +/@wX(rX WebSEAL 2 OnuksD URL,K
WebSEAL 2 _PS\D0$51jG#
¶ WebSEAL 2 b\jG"*C'9(T:D>$#
¶ Z(~qmIr\xks#
(4) NEXT gSgxCJ:WebSEAL 4(r B)
¶ C'ks\ WebSEAL 4(6Lr B)#$DJ4#g{=8 2 H
"z,r/@w|,j6 WebSEAL 3 *0$51~qwDr B g
Sgx cookie#WebSEAL 4 ;PC'D_Y:fD>$#
¶ WebSEAL 4 dCtCgSgxO$,"8( MAS D;C#r B g
Sgx cookie DfZ+2G MAS ;CD WebSEAL 4 dC#cookie
* WebSEAL 4 a)K0$51~qwm]#(g{=8 1 H"z,
r/@wOva,$r A cookie,|;a"MAr B ~qw#+C
dCD MAS ;C4fz#;s WebSEAL 4 +F*r B D0$
51~qw#)
¶ g{=8 2 H"z,r WebSEAL 4 X(r/@wA cookie Pj
6Dr A0$51~qw(ZKivB* WebSEAL 3)ODXb
0$51URL#
¶ WebSEAL 3 SU0$51ks,"Z_Y:fPiRCC'D>$
(b"zZ=8 2 P)#
¶ WebSEAL 3 +/@wX(rX WebSEAL 4 OnuksD URL,
K WebSEAL 4 _PS\D0$51jG#
¶ WebSEAL 4 b\jG"*C'9(T:D>$#
¶ Z(~qmIr\xks#
(5) ANOTHER gSgxCJ:WebSEAL 2(r A)
¶ C'(}ks,S= WebSEAL 2(r A)#g{=8 3 "z,r
WebSEAL 2 _PC'D_Y:fD>$#
¶ Z(~qmIr\xks#
SgSgx"z
¶ g{C'(}XU/@w4"z,r+e}yP SSL a0MyPg
Sgx cookie#
¶ g{C'(} /pkmslogout 3f4"z,r+e}CrD SSL a
0MgSgx cookie#
mbgSgx Cookie
¶ gSgx cookie GX(ZrD cookie,|I;v WebSEAL ~qw
hCsf"ZC'/@wZfP,"ZsLksP+M=d|
WebSEAL ~qw(Z,;rP)#
¶ X(ZrD cookie |,0$51~qwD{F"gSgxm]"0$
51~qw0&\D;C(URL),T0P'ZD5#C cookie ;
|,C'E"#
¶ gSgx cookie JmNkrPD~qwZ>Xks0$51E"#
MAS $tDrDgSgx cookie G+M;Pb4X*K#
¶ cookie _P;vP'Z(,1)5,|Z webseald.conf dCD~
PhC#KP'Z58(6L~qw\*C'a)0$51E"D
1d$H#1 cookie P'Z=Z1,C'XkX(rA MAS xP
O$#
¶ XU/@w1+SZfPe} cookie#g{C'SX(r"z,rg
Sgx cookie +2G*U#KYw+P'XS/@w}% cookie#
mb0$51ksM&pgSgx0$51Ywh*(}=v(E9lD URL qCD(C&\,
b=v URL *0$51ksM0$51&p#b) URL GZyZ
webseald.conf PDdCE"X(rgSgx0$51HTTP }LP9l
D#
0$51ks
1C'S;|,CC'D>$E"D?j~qw(*gSgxxdC
D)ksJ41,+%"0$51ks#~qw"M HTTP X(rA
0$51~qw(MAS rgSgx cookie Pj6D~qw)#
0$51ks|,TBE":
https://<vouch-for-server>/pkmsvouchfor?<ecommunity-name>&<target-URL>
SU=~qwli ecommunity-name Ti$gSgxm]#SU=~q
wZ0$51&pP9C target-URL,X(r/@wXnuDks3f#
pkmsvouchfor0$51URL GIdCD#
}g:
https://mas.dA.com/pkmsvouchfor?companyABC&https://ws5.dB.com/index.html
0$51&p
0$51&pGS0$51~qwA?j~qwDl&#
0$51&p|,TBE":
https://<target-URL>?PD-VFHOST=<vouch-for-server>&PD-VF=<encrypted-token>
PD-VFHOST N}j64P0$51YwD~qw#SU(?j)~qw
9CKE"4!qb\0$51jG(PD-VF)h*D}7\?#
PD-VF N}m>S\D0$51jG#
}g:
https://w5.dB.com/index.html?PD-VFHOST=mas.dA.com&PD-VF=3qhe9fjkp...ge56wgb
mb0$51jG*K5Vgr%;"a,XkZ~qw.d+M;)C'm]E"#C
tPE"+9CX(r==4&m,b)X(r|,w* URL D;?V
xPS\Dm]E"#KS\D}]F*0$51jG#
¶ jG|,K0$51I&r'\4,"C'm](g{I&)"4
(jGD~qwD+^({F"gSgxm]M4(1d5#
¶ P'0$51jGDVP_I9CKjGZ~qwK("a0(M
>$/),x;Xw7O$AC~qw#
¶ KjGG9C2m}X DES \?S\D,Tc\i$df5T#
¶ /@wO;f"S\DjGE"#
¶ jG;+];N#SU=~qw9CKE"ZdT:D_Y:fP
9(C'>$#~qw+b)>$CZ,;a0PCC'+4Dk
s#
¶ jG_P;vP'Z(,1)5,|Z webseald.conf dCD~Ph
C#C5ITG#L(}k),TuYX49CDgU#
S\0$51jG
WebSEAL Xk9C cdsso_key_gen 5CLrzID\?S\ECZ
jGPDO$}]#Xk(}kNkrPD?v WebSEAL ~qw2m
\?D~0,=1C\?#wrPD?vNk WebSEAL ~qw<h*
9C`,D\?#
":4(MV"\?D~";G Policy Director gSgx}LD;?V#
Xk+\?V$2+4F=NkD~qw#
KP cdsso_key_gen 5CLr1,C5CLr*sz8(\?D~D
;C(xT76{):
UNIX: # cdsso_key_gen <absolute-pathname>
Windows: MSDOS> cdsso_key_gen <absolute-pathname>
CZ#$jG(b)jGZ,;r(wrr6Lr)PD~qw.d"
M)D\?D;CGw* intra-domain-key N}D5dkD,CN};
Z webseald.conf dCD~D [e-community-sso] ZP#
[e-community-sso]
intra-domain-key = <absolute-pathname>
\?D~D;CGZ [inter-domain-keys] ZPdkD,b)\?D~C
Z#$Z MAS M6LrPD~qw.d"MDjG# MAS ,;vr
PDd|~qw;h* inter-domain-keys#MAS G(;h*k6LrP
D~qw(ED~qw#
[inter-domain-keys]
<domain-name> = <absolute-pathname>
<domain-name> = <absolute-pathname>
dCgSgx
Z + X K g S g x5V y h D y P dCN}# b ) N}; Z
webseald.conf D~P#XkP8*gSgxPD?vNk~qwdCC
D~#
e-community-sso-auth
K N}t C r { C g S g x O$# | D5| (
0http1"0https1"0both1r0none1#}g:
[e-community-sso]
e-community-sso-auth = both
50http1"0https1M0both18(gSgxNk=9CD(E`M#
50none1{C~qwDgSgx#1!hC*0none1#
master-http-port
g{ e-community-sso-auth tC HTTP gSgxO$RwO$~q
wZ}j< HTTP KZ(KZ 80).bDKZOl} HTTP ks,r
h*9C master-http-port N}j6Gj<KZ#g{K~qwGwO
$~qw,rvTCN}#1!ivB,+{CCN}#
[e-community-sso]
master-http-port = <port-number>
master-https-port
g{ e-community-sso-auth tC HTTPS gSgxO$RwO$~q
wZ}j< HTTP KZ(KZ 443).bDKZOl} HTTPS ks,
rh*9C master-http-port N}j6Gj<KZ#g{K~qwGw
O$~qw,rvTCN}#1!ivB,+{CCN}#
[e-community-sso]
master-https-port = <port-number>
e-community-name
KN}j6yPNkrPyPNk~qwDgSgx3;{F#}g:
[e-community-sso]
e-community-name = companyABC
e-community-name 5XkkNkgSgxDyPrPDyP WebSEAL
~qw<`,#
intra-domain-key
KN}j6CZS\Mb\jGD\?D~D;C,b)jGZ~qw
DrPxP;;#}g:
[e-community-sso]
intra-domain-key = /abc/xyz/key.file
XkZ;v;C&zIK\?D~,;sV$("2+X)+CD~4
F=rPyPd| WebSEAL ~qwP8(D;C#
is-master-authn-server
KN}j6C~qwGq* MAS#|D5|,0yes1r0no1#}g:
[e-community-sso]
is-master-authn-server = yes
IdC`v WebSEAL w*wO$~qwxPYw,;sECZ:X=
bws#ZK=8P,gSgxPDyPd| WebSEAL ~qw<+:
X=bw06p1* MAS#
master-authn-server
g{ is-master-authn-server N}hC*0no1,rXk!{"M"8
(KN}#KN}j6 MAS D+^(r{#}g:
[e-community-sso]
master-authn-server = mas.dA.com
vf-token-lifetime
KN}hC0$51jGDP'Z,15(Tk*%;)#+TU cookie
OAGD4(1dliC5#1!5* 180 k#Xk<GNk~qw.
dD1S+n#}g:
[e-community-sso]
vf-token-lifetime = 180
vf-url
KN}8(0$51URL#C5XkT}1\(/)*7#1!5*
/pkmsvouchfor#}g:
[e-community-sso]
vf-url = /pkmsvouchfor
2I9C)9D URL:
vf-url = /ecommA/pkmsvouchfor
ec-cookie-lifetime
KN}8(gSgxr cookie DnsP'Z(TVS*%;)#1!5*
300 VS#}g:
[e-community-sso]
ec-cookie-lifetime = 300
Z?r\?
\?D~D;CZ [inter-domain-keys] ZP8(,S\Mb\ MAS M
6LrPDNk~qw.dDjGh*b)\?D~#Xk8(~qw
D+^(r{M\?D~;CDxT76{#
TB>}* MAS(r A)a)K\?D~,CZk=v6Lr(E:
[inter-domain-keys]
dB.com = /abc/xyz/key.fileB
dC.com = /abc/xyz/key.fileC
K>}P,key.fileB j6r A Mr B .d9CD\?D~#
key.fileC j6r A Mr C .d9CD\?D~#
?v6L~qw<+h*_8 MAS 9CD`&\?D~D1>#*k
MAS(r A);;jG,rr B PDyP~qw<h*P key.fileB D
1>#
[inter-domain-keys]
dA.com = /efg/hij/key.fileB
*k MAS(r A);;jG,rr C PDyP~qw<h*P
key.fileC D1>#
[inter-domain-keys]
dA.com = /efg/hij/key.fileC
dC CDSSO O$zF
gSgxdC*sztC cdsso O$zF#1ks~qwS|,Z0$
51jGPDm]E"9(C'>$1,h*KzF#cdsso dCN}
8(K3dO$E"D2`k2mb#
¶ Z UNIX O,a)ZC3d&\DD~GF* libcdssoauthn D2
mb#
¶ Z Windows O,a)ZC3d&\DD~GF* cdssoauthn D
DLL#
O$zF   2mb
       Solaris            AIX               Windows          HP-UX
cdsso  libcdssoauthn.so   libcdssoauthn.a   cdssoauthn.dll   libcdssoauthn.sl
IT(}Z webseald.conf dCD~D [authentication-mechanism]ZPx cdsso N}dkX(Z=(D2mbD~{F4dC CDSSO O
$zF#
}g:
Solaris:
[authentication-mechanisms]
cdsso = libcdssoauthn.so
Windows:
[authentication-mechanisms]
cdsso = cdssoauthn.dll
WebSEAL *a
WebSEAL ~qwMsK~qw.dD,SFw WebSEAL *a,r*
a# WebSEAL *aG0K WebSEAL ~qwMsK&CLr~qw.
dD TCP/IP ,S#*aJm WebSEAL #$;ZsK~qwD Web J
4#
IC pdadmin |nP5CLrr Web Portal Manager 4( WebSEAL
*a#>BV[dC WebSEAL *aD\`!nDj8E"#
wbw}:
¶ Z1263D:WebSEAL *aEv;
¶ Z1283D:9C0pdadmin server task14(*a;
¶ Z1293D:dCy> WebSEAL *a;
¶ Z1323D:`%O$D SSL *a;
¶ Z1353D:4( TCP M SSL zm*a;
¶ Z1363D:(} SSL D WebSEAL A WebSEAL *a;
¶ Z1373D:=S*a!n;
¶ Z1533D:9C WebSEAL *aD<u"M:;
¶ Z1553D:ZZ}=~qwO9C query_contents;
WebSEAL *aEv
IT4(TB WebSEAL *a`M:
¶ yZ TCP ,SD WebSEAL =sK~qwD*a
¶ yZ SSL ,SD WebSEAL =sK~qwD*a
¶ (} HTTP zm~qw"yZ TCP ,SD WebSEAL =sK~q
wD*a
¶ (} HTTPS zm~qw"yZ SSL ,SD WebSEAL =sK~q
wD*a
¶ yZ SSL ,SD WebSEAL = WebSEAL D*a
Z4(NN*a1,XkB&ZTB=vX"c:
1. v(Z WebSEAL TsUdPDN&*a(20)Web &CLr~
qw#
2. !q*a`M#
*a}]b;CMq=VZ WebSEAL *aE"f"Z XML q=D}]bD~P#*a}]
b?<D;CZ webseald.conf dCD~D [junction] ZP(e#C?
<`TZ WebSEAL ~qwy([server] ZPD server-root N}):
[junction]
junction-db = jct
¶ ?v*a<ZxP .xml )9{D%@D~P(e#
¶ 9C pdadmin 5CLr4(M\m*aM!n#
¶ XML q=JmzV$4("`-"4FM8]*aD~#
&CV#HCJXF:**
1. 9C pdadmin 5CLrr Web Portal Manager 4( WebSEAL k
sK~qw.dD*a#
2. Z*acOECJ1D ACL _TTa)TsK~qwDV#HXF#
&C8#HCJXF:**
1. 9C pdadmin 5CLrr Web Portal Manager 4( WebSEAL k
sK~qw.dD*a#
WebSEAL ;\T/0i41MmbZ}=D~53#Xk9CF*
query_contents DXb&CLr(*Z}=TsUdD WebSEAL,
f_|eiZ}= Web Ud"(f WebSEAL Da9MZ]#
2. 4F query_contents Lr=Z}=~qw#
3. + ACL _T&C=3;TsUdPDJ1TsO#
4( WebSEAL *aD8<TB8<\aK*aD0fr1:
¶ IZw WebSEAL TsUdPDNNX=mS*a#
¶ IZ,;20c*a`v1>~qw#
20Z,;*acOD`v1>~qwXk*,;`M * TCP r
SSL#
¶ Z}=~qw(}*aLP ACL _T#
¶ *ac;&C%d>X WebSEAL ~qw Web UdPDNN?<#
}g,g{ WebSEAL Pq=* /path/... DJ4,;*C`,D /path
4(*ac#
¶ g{4TsK~qwD HTML 3f|,Lr(}g JavaScript r
applet),"RCLrxP=C?<Dk~qwPXD URL,r*a
c;&%dsK~qw Web UdPDNN?<#}g,g{4Ts
K~qwD3f|, URL q=* /path/... DLr,r;*4({*
/path D*ac#
WebSEAL ;'V HTTP 1.0 ;f*a
WebSEAL ;'V HTTP 1.0 ;f*a#C^Fa0lT\wZM?pZ
sK*a~qwOD&CLr*"#
,S y'VD-i RFC }
0K(M'z= WebSEAL) HTTP/1.0 M HTTP/1.1 RFC2068
sK(WebSEAL A*a~q
w)
v HTTP/1.0 RFC1945
":;P*0K,Sa) HTTP/1.00#V$n1'V#+G'V
HTTP/1.1 D HTTP VC,S#
WebSEAL *aD=SN<kNDZ83D:Kb WebSEAL *a;Tq! WebSEAL *aDEn
TEv#
XZ*a|n!nDj{E",kNDZ2093D:WebSEAL *aN
<;#
9C0pdadmin server task14(*a
Z9C pdadmin 0,zXkw* sec_master \mC'G<=2+r#
}g:
UNIX:
# pdadmin
pdadmin> login
dkC'j6:sec_master
dk\k:
pdadmin>
Windows:
MSDOS> pdadmin
pdadmin> login
dkC'j6:sec_master
dk\k:
pdadmin>
*4( WebSEAL *a,k9C pdadmin server task |n:
pdadmin> server task <server-name> <task>
server-name N}G5Jzw{MC|n9CD Policy Director i~(H
g WebSEAL)Dj{mo=#
<policy-director-component>-<machine-name>
}g,g{zw{* cruz R Policy Director i~* WebSEAL,r
server-name *:
webseald-cruz
9C server list |ni$ server-name mo=:
pdadmin> server list
webseald-cruz
dCy> WebSEAL *a
WebSEAL 'V WebSEAL MsK Web &CLr~qw.dDj<
TCP(HTTP)M2+ SSL(HTTPS)*a#
WebSEAL MsK~qw.dD*a;@5ZM'zM WebSEAL ~q
w.dD,S`M(0d2+6p)#
9C pdadmin 4(y> WebSEAL *ayhD?F|n!n|(:
¶ sK&CLr~qwDwz{(–h !n)
¶ *a`M:tcp"ssl"tcpproxy"sslproxy"local(–t !n)
¶ *ac(20c)
pdadmin> server task <server-name> create -t <type> -h <host-name> <jct-point>
}g:
pdadmin> server task webseald-cruz create -t tcp -h doc.tivoli.com /pubs
TCP `M*a
(} TCP ,SD WebSEAL *aa)K*aDy>tT,+;a)(
}*aD2+(E#
*4(2+ TCP *a"mSu<~qw,kx –t tcp !n9C create|n:
pdadmin> server task <server-name> create -t tcp -h <host-name> [-p <port>] <jct-point>
TCP *aD1!KZ5(g{;8()G 80#
SSL `M*a
SSL *a&\M TCP *a\s,=S&\GS\yP WebSEAL Ms
K~qwdD(E#
SSL *aJm2+DK=K"/@w=&CLrBq;IT9C SSL #
$SM'z= WebSEAL MS WebSEAL =sK~qwD(E#9C
SSL *a1,sK~qwXktC HTTPS#
< 22. G2+ TCP(HTTP)*a
< 23. 2+ SSL(HTTPS)*a
*4(2+ SSL *a"mSu<~qw,kx –t ssl !n9C create|n:
pdadmin> server task <server-name> create -t ssl -h <host-name> [-p <port>] <jct-point>
SSL *aD1!KZ5(g{;8()G 443#
i$sK~qw$i
1M'zkssK~qwODJ41,WebSEAL w*2+~qw,+z
mM'z4Pks#SSL -i8(KZTsK~qwavks1,~qw
Xk(}~qwK$ia)m]$w#
1 WebSEAL SsK~qwSU=K$i1,|Xk(}+$ik$i
}]bPy CA $iPmTU4i$f5T#
Policy Director 9C SSL D IBM Global Security Kit(GSKit)5V#
Xk9C GSKit iKeyman 5CLr4mS CA Dy$i,C CA )p
K WebSEAL $i\?D~(pdsvr.kdb)DsK~qw$i#
XZ\m$i\?}]bDj{E",kN<Z2173D:9C iKeyman
\m$i;#
SSL *a>}
(} SSL D,;Z*ac /sales D*awz sales.dascom.com:
pdadmin> server task <server-name> create -t ssl -h sales.tivoli.com /sales
":ZO}P,–t ssl !nf(K1!KZ 443#
(} SSL D,;Z*ac /travel KZ 4443 D*awz travel_svr:
pdadmin> server task <server-name> create -t ssl -p 4443 -h travel_svr /travel
`%O$D SSL *a
WebSEAL 'V(} SSL *aD WebSEAL ~qwMsK~qw.dD
`%O$(–t ssl r –t sslproxy)#TBEv\aK(} SSL D`%
O$'VD&\(+Z`&;CPv|n!n):
1. WebSEAL O$sK~qw(}#D SSL xL)
¶ WebSEAL i$4TsK~qwD~qw$i#kND:WebSEAL
i$sK~qw$i;#
¶ WebSEAL i$|,Z$iPD(P{F(DN)(–D)(I!,
+?RFv9CC!n)#kNDZ1333D:(P{F(DN)
%d;#
2. sK~qwO$ WebSEAL(=V=()
¶ sK~qwi$4T WebSEAL DM'z$i(–K)#kNDZ
1333D:9CM'z$iD WebSEAL O$;#
¶ sK~qwi$Zy>O$(BA)7PD WebSEAL m]E"
(–B"–U"–W)#kNDZ1343D:9C BA 7D WebSEAL
O$;#
XF(} SSL xP`%O$D|n!na)TB&\:
¶ I8(M'z$ir BA O$=(#
¶ IZ?v*ay!O&CO$=(#
Z1343D:&m(}*aDM'zm]E";PhvK+ –b !n(C
Z&m BA E")k(} SSL D`%O$`aODXb"bBn#
WebSEAL i$sK~qw$i
WebSEAL y]j< SSL -ii$sK~qw$i#sK~qw+~q
w$i"M= WebSEAL#WebSEAL TUyO$PD(CA)$iD$(
ePmi$~qw$i#
WebSEAL 9CD\?}]bXk|,O$PD(CA)D$i,b)$i
9I&CLr~qw$i(S)p CA *<"|,y$i)DIE4#
I9C iKeyman &CLr44(M\my CA $iD}]b#kND
Z2173D:9C iKeyman \m$i;#
(P{F(DN)%d
I(}(P{F(DN)%d4v?~qwKD$ii$#*tC~q
w DN %d,XkZ4(AC~qwD SSL *a18(sK~qw
DN#d; DN %dGI!DdC,+?RFvC(} SSL *aD`%
O$45VC&\#
Z~qwK$ii$Zd,|,Z$iPD DN +k*a(eD DN x
PHO#g{b=v DN ;%d,=sK~qwD,S+'\#
*tC~qw DN %d,Z9C –D “<DN>” !n4( SSL *a1,
k8(sK~qw DN#*K#VV{.PDUq,k+K DN V{.
C+}E}p4#}g:
-D "/C=US/O=Tivoli/OU=SecureWay/CN=Policy Director"
–D !n;JOk –K r –B !n;p9C#
9CM'z$iD WebSEAL O$
9C –K !nItC(}M'z$i=*aDsK~qwD WebSEAL
O$#
-K "<key-label>"
C=8Du~|(:
¶ hCsK~qwTks9CM'z$ii$ WebSEAL m]#
¶ dC WebSEAL(webseald.conf)Tc9CX(DM'z$i4O$
sK~qw(ssl-keyfile-label)#
¶ ,1?RFvdCCZ DN %dD*a(–D)#
–K 9CN}48(f"Z GSKit \?}]bPDyh$iD key-label#
9C i K e y m a n 5C L r I mSB$iA\ ?}] b #9C
webseald.conf dCD~PD ssl-keyfile-label N}IdC key-label#
Xk+ key-label N}C}E}p4#}g:
-K "cert1_Tiv"
kNDZ373D:dC WebSEAL D\?}]bN};#
9C BA 7D WebSEAL O$
9C –B –U “<username>” –W “<password>” !n4tC(}y>
O$5VD WebSEAL O$#
-B -U "<username>" -W "<password>"
C=8Du~|(:
¶ hCsK~qwTks9C BA 7i$ WebSEAL m]#
¶ ;9C –b !ndC*a#(+ZZ?,–B !n9C –b filter#)
¶ dC WebSEAL *+ BA 7P}O$Dm]E""M=sK~qw#
¶ ?RFv,1dCCZ DN %dD*a(–D)#
Xk+C'{M\kC+}E}p4#}g:
-U "WS1" -W "abCde"
&m(}*aDM'zm]E"
I+*ahC*Z BA 7P8(M'zm]E"#–b !nJm 4 vI
\DN}:filter"supply"ignore M gso#b)N}Dj8E"IZZ161
3D:dC%;"abv=8D BA 7;PiR#
–b !n+0lCZ`%O$D*ahC,Xk<G!nD}7iO#
9C –b supply
¶ (} BA 7D WebSEAL O$;JmkC!n,19C#C!n9
C BA 7TqC-<M'zC'{M0F*1\k#
¶ Jm(}M'z$iD WebSEAL O$kC!n,19C#
9C –b ignore
¶ (} BA 7D WebSEAL O$;JmkC!n,19C#C!n9
C BA 7TqC-<M'zC'{M\k#
¶ Jm(}M'z$iD WebSEAL O$kC!n,19C#
9C –b gso
¶ (} BA 7D WebSEAL O$;JmkC!n,19C#C!n9
C BA 7TqC GSO ~qwa)DC'{M\kE"#
¶ Jm(}M'z$iD WebSEAL O$kC!n,19C#
9C –b filter
¶ ZZ?,Z WebSEAL O$hC*9C BA 7E"1,+9C –bfilter !n#
WebSEAL BA 7+CZyPsLD HTTP Bq#TZsK~qw,
WebSEAL mV*yP1d<GG<D#
¶ Jm(}M'z$iD WebSEAL O$kC!n,19C#
¶ g{sK~qw*s(S/@w)qC5JDM'zm],I9C
C G I d ? H T T P _ I V _ U S E R " H T T P _ I V _ G R O U P M
HTTP_IV_CREDS#TZE>M!&CLr,k9CT&D"X(
Z Policy Director D HTTP 7:iv-user"iv-groups"iv-creds#
4( TCP M SSL zm*a
I4( WebSEAL *a,C*aJm9C HTTP r HTTPS zm~qw
izxgXKa9D WebSEAL (E#IdCC*a,Tc+ksw*
j<D TCP (Er\#$D SSL (E4&m#
create |nD type !n*sTBN}.;,Tc("(}zm~qw
D"yZ TCP r SSL D*a:
¶ -t tcpproxy
¶ -t sslproxy
create M add |nh*TB!nMN}4j6zm~qwM?j Web
~qw:
-H <host-name> zm~qwD DNS wz{r IP X7#
-P <port> zm~qwD TCP KZ#
-h <host-name> ?j Web ~qwD DNS wz{r IP X7#
-p <port> zm Web ~qwD TCP KZ#TZ TCP *a,
1!5* 80;TZ SSL *a,1!5* 443#
TCP zm*a>}(w*;Pdk):
pdadmin> server task <server-name> create -t tcpproxy -H clipper -P 8081 -h www.ibm.com -p 80 /ibm
SSL zm*a>}(w*;Pdk):
pdadmin> server task <server-name> create -t sslproxy -H clipper -P 8081 -h www.ibm.com -p 443 /ibm
(} SSL D WebSEAL A WebSEAL *a
Policy Director 'V0K WebSEAL ~qwMsK WebSEAL ~qw.
d(} SSL D*a#x –C !n9C create |nI(} SSL *a=
v WebSEAL ~qw"a)`%O$#
>}:
pdadmin> server task <server-name> create -t ssl -C -h serverA /jctA
`%O$"zZTB=V4,B:
< 24. zm*a>}
¶ SSL -iJmsK WebSEAL ~qw(}d~qw$ir0K
WebSEAL ~qwO$#
¶ –C !n9C0K WebSEAL ~qwIT+y>O$(BA)7PDm
]E""M=sK WebSEAL ~qw#
mb,–C !ntC –c !nD&\,C!nJm+X(Z Policy Director
DM'zm]Mi1JqE"ECZTsK WebSEAL ~qw*?DX
DksD HTTP 7P#7N}|( iv-user"iv-groups M iv-creds#kN
DZ1393D:Z HTTP 7Pa)M'zm](–c);#
TBu~&CZ WebSEAL A WebSEAL *a:
¶ C*a;JOZ –t ssl r –t sslproxy *a`M#
¶ WebSEAL ~qwXk2m+2 LDAP r DCE "am#|Jms
K WebSEAL ~qwO$0K WebSEAL ~qwDm]E"#
=S*a!n
I9C=S!na)TB=S WebSEAL *a&\:
¶ Z1383D:?FB*a(–f);
¶ Z1393D:Z HTTP 7Pa)M'zm](–c);
¶ Z1403D:Z HTTP 7Pa)M'z IP X7(–r);
¶ Z1413D:+a0 Cookie "M=*aDE'x>~qw(–k);
¶ Z1423D:'V;xVs!4D URL(–i);
¶ Z1423D:&m4TE>MM'zK&CLrD URL(–j);
¶ Z1463D:9C*a3d&m`TZ~qwD URL;
¶ Z1473D:4,#fac'V(–s"–u);
¶ Z1483D:*4,#fac8(sK~qw UUID(–u);
¶ Z1523D:*a= Windows D~53(–w);
?FB*a(–f)
*?FB*a2GVP*a,Xk9C –f !n#
TB>}(~qw{F* websealA)5wKK}L:
1. G<= pdadmin:
# pdadmin
pdadmin> login
dkC'j6:sec_master
dk\k:
pdadmin>
2. 9C server task list |nT>yP10*ac:
pdadmin> server task websealA list
/
3. 9C server task show |nT>*aDj8E":
pdadmin> server task websealA show /
*ac:/
`M:>X
*a2^F:0 * 9C+V5
*am^F:0 * 9C+V5
n/D$wLr_L:0
y?<:/opt/pdweb/www/docs
4. 4(BD>X*a4!z10*ac(h* -f !n4?F9CB*a
2GVP*a):
pdadmin> server task websealA create -t local -f -d /tmp/docs /
QZ / 4(*a
5. PvB*a:
pdadmin> server task websealA list
/
6. T>C*aDj8E":
pdadmin> server task websealA show /
*ac:/
`M:>X
*a2^F:0 * 9C+V5
*am^F:0 * 9C+V5
n/D$wLr_L:0
y?<:/tmp/docs
Z HTTP 7Pa)M'zm](–c)
–c !nJm+X(Z Policy Director DM'zm]Mi1JqE"ek
T*aDZ}=~qw*?DXDksD HTTP 7#Policy Director
HTTP 7E"tC*aDZ}=~qwOD&CLr,T4PyZM'z
D Policy Director m]D"X(ZC'DYw#
HTTP 7E"XkIsK~qwd;*73d?q=,TcIsK~qw
OD~q9C#7E"G(}CB._(_)!zF[E(-)"ZV{
.D*<&mS0HTTP1d;* CGI 73d?q=D# HTTP 7D5
I*B73d?D5#
X(Z PD D HTTP7VN
CGI 73d?H= hv
iv-user = HTTP_IV_USER = M'zDL{r${#g{M'z4O$
(r4*),r1!5*04O$1#
iv-groups = HTTP_IV_GROUPS = M'zytDiDPm#I:EVtD}E
}p4Du?9I#
iv-creds = HTTP_IV_CREDS = zm Policy Director >$DQ`k;8w}
]a9#r6L~qwa)>$,byPd
c&CLrMIT9CZ( API wCZ(~
q#kN< Tivoli SecureWay Policy Director
Authorization ADK Developer Reference#
X(Z Policy Director D HTTP 7u?IZ CGI LrPw*73d?
HTTP_IV_USER"HTTP_IV_GROUPS M HTTP_IV_CREDS#XZd
|&CLrr\z7,kNDz7D5,TqCS HTTP ksi!7D
8<E"#
–c o(
–c !n8(K"MD)X(Z Policy Director D HTTP 7}]AsK
&CLr~qw#
-c <header-types>
header-types Td?|(:all"iv_user"iv_user_l"iv_groups M
iv_creds#
N} hv
iv_user a)ZksD HTTP 7Pw* iv-user VNDC'{(L
q=)#
iv_user_l a)ZksD HTTP 7Pw* iv-user VNDC'j{ DN
($q=)#
iv_groups a)ZksD HTTP 7Pw* iv-groups VNDC'iP
m#
iv_creds a)ZksD HTTP 7Pw* iv-creds VNDC'>$E
"#
":9C iv-user r iv-user-l,+;*,19C|G#
–c all !n+yP}V`MDm]E"ek= HTTP 7P(ZKivB
9CL{Fq=(iv_user))#
":v9C:EVt`vN}#;*dkUq#
>}:
-c all
-c iv_creds
-c iv_user,iv_groups
-c iv_user_l,iv_groups,iv_creds
Z HTTP 7Pa)M'z IP X7(–r)
–r !nJm+M'z IP X7E"ekT*aD&CLr~qw*?D
XDksD HTTP 7#Policy Director HTTP 7E"9C*aDZ}=
~qwOD&CLrIT4PyZK IP X7E"DYw#
HTTP 7E"XkIsK~qwd;*73d?q=,TcIsK~qw
OD~q9C#7E"G(}CB._(_)!zF[E(-)"ZV{
.D*<&mS0HTTP1d;* CGI 73d?q=D# HTTP 7D5
I*B73d?D5#
":IP X7D5";\Gm>4M'zDX7#IP X75Im>zm~
qwDX7rxgX7*;Lr(NAT)#
X(Z PD D HTTP7VN
CGI 73d?H= hv
iv-remote-address HTTP_IV_REMOTE_ADDRESS
M'zD IP X7#C5Im>zm~qwD
IP X7rxgX7*;Lr(NAT)#
–r !n8("M=sK&CLr~qwDdkksD IP X7#C!n
;PNNTd?#
+a0 Cookie "M=*aDE'x>~qw(–k)
Web E'x>Ga);zc:DvT/J4M~qD~qw#–k !nJ
mz+ Policy Director a0 cookie(nuZM'zM WebSEAL .d(
"D)"M=sKE'x>~qw#?0ivB,C!nDfZG*K
1S'V WebSEAL M Plumtree Corporate Portal bv=8D/I#
1M'zSE'x>~qwksvKJ4Pm1,E'x>~qw(}
CJ;Zd|'V&CLr~qw(,1\ WebSEAL #$)DJ4,
49(KPm#a0 cookie JmE'x>~qwzmM'z^l%;"
a=b)&CLr~qw#
4( WebSEAL MsKE'x>~qw.dD*a1,k|, –k !n,
;xTd?#
E'x>~qwdCh*<GDu~:
¶ TZ(}C'{M\kDCJ,h*q=O$#k;*9Cy>O
$(BA)#
¶ X k + webseald.conf dCD~D [ s e s s i o n ] ZPD
ssl-id-sessions N}hC*0no1#TZ HTTPS (E,KhC?F
9Ca0 cookie(x;G SSL a0j6)4,$a04,#
¶ g{E'x>~qwG WebSEAL :/D0K~qw,ktCJO*
F`M cookie#JO*F cookie |,S\D>$E",CE"Jm
O$TZ&mksDNN4FD WebSEAL ~qw<*I&#
'V;xVs!4D URL(–i)
1!ivB,Policy Director Z&CCJXF1T URL xVs!4#9
C –i !nI8(Z&mT*aDsK~qwDks1,WebSEAL T
URL ;xVs!4#
1Z*aOhCC!n1,WebSEAL ZVv URL 1;xVs4M!4
V{#1!ivB,Web ~qwZ{xVs!4#
d;s?V HTTP ~qw'V+ URL (e*xVs!4D HTTP f
6,+G3) HTTP ~qwT URL ;xVs!4#
}g,Z;xVs!4D~qwO,TB=v URL:
http://server/sales/index.htm
http://server/SALES/index.HTM
I4w,;v URL#bVP*h*\m1T=v URL EC`,DCJ
XF(ACL)#
(}9C –i !n*aZ}=~qw,WebSEAL ;xV8rC~qwD
URL Ds!4#
&m4TE>MM'zK&CLrD URL(–j)
>Zhv WebSEAL gN&mIE>zzD"=sK~qwJ4DxT
r`TZ~qwD4S#
¶ :JbD30;
¶ Z1443D:C*a cookie &m`TZ~qwD URL;
¶ Z1453D:CE>}K&mxT URL;
¶ Z1463D:9C*a3d&m`TZ~qwD URL;
JbD30
M'zCJ*aD Web ~qw1,5XE"ITGr%D HTML"M'
zK&CLr(!&CLr)rE>Da{# Web E>oT|(
Javascripts"VBscripts"ASP"JSP M ActiveX#
HTML zID3f"E>r!&CLrI\|,=CsK~qwrd|X
=Dd|J4D4S(URL)# URL mo=I9CTBq=T>:
¶ xT
¶ `T
¶ `TZ~qw
;P1 URL *`TDr|,j6C*aDE"1,5X=sK~qwD
4SEaI&# WebSEAL XkliwVwyzIE"P|,D URL,
"ZJ1D1ra)*am]E"#
C`Tq=mvD URL ;h* WebSEAL DYw#IZ-< URL ;
|,C*aDE",TxTr`TZ~qwq=mvD=sK~qwD
4S;aI&#b)4S+;}7XT>*4T>X WebSEAL ~qw
ODTsDks#
`T URL mo=>}(4S;1aI&):
abc.html ../abc.html
./abc.html sales/abc.html
xT URL mo=>}(4Sh**aE"):
http://www.tivoli.com/abc.html
`TZ~qwD URL mo=>}(4Sh**aE"):
/abc.html /accounts/abc.html
WebSEAL 9CBP=(&m/,zIDxTM`TZ~qwD URL:
¶ 2, HTML 4
IZ HTML G?D>DR]WVv,WebSEAL aZJ1D1r$
HT/+}7D*aE"ECZ URL O#kNDZ1533D:}K4
T*a~qwD2, HTML URL;#
¶ E>MM'zK&CLr4
IZE>HO4S,9CZSsK~qw"M=M'zD}LP
WebSEAL ;\}KvdPDxTr`TZ~qwD URL mo=#
Xk+ WebSEAL dC*ZJ1D1ra)*aE"#
":DxyP Web E>DLr1*/,zID URL 9C`T4S(;
GxTr`TZ~qwD)#
C*a cookie &m`TZ~qwD URL
ZTB=8P,sK~qwODE>/,zI`TZ~qwD URL mo
=#Z+6k=zk"M=M'z1,WebSEAL ";Yw|#M'zO
* URL ;P}7mo,r*|;|,*aE"#
g{M'zksC4S8(DJ4,WebSEAL +;}7XYhC4S8
r>X3f#ZiRC3f'\s,|+rM'z5X0R;=1m
s#
–j !n*&m`TZ~qwD URL a)yZ cookie Dbv=8,C
URL I*a~qwOD Web E>zI"ZM'zOKP#
;co(:
pdadmin> server task <server-name> create ... -j ...
+*?vksrM'z"M*aj6{ cookie#C cookie |,TBd?
M5:
IV_JCT_<backend-server-name> = </junction-name>
< 25. E>zID;P}KD URL
1M'z9CC URL avks,WebSEAL +9C URL D-<q=x
P&m#^((;J41,WebSEAL "49C cookie a)D*aE"
XTCks#9C URL mo=PD}7*aE",II&(;J4#
B<{vK}K`TZ~qwD URL Dbv=8
WebSEAL *&m`TZ~qwD URL a)KI!qD";yZ cookie
Dbv=8#kNDZ1463D:9C*a3d&m`TZ~qwD
URL;#
CE>}K&mxT URL
WebSEAL h*=SdCT&m(}*aD"/,zIXxT URL#
webseald.conf dCD~|,tCr{CxT URL }KDN}:
[script-filtering]
script-filter = no
1!ivB+{CE>}K#*tCE>}K,khC:
script-filter = yes
":Xk9C –j !n44(=sK~qwD*a#+rM'z"M*a
j6{ cookie * d;E>}KzF";h*|#
script-filter zF#{xT URL *j<#="~qwrJ4q=:
http://server/resource
< 26. }K`TZ~qwD URL
script-filter zF9C}7D*aE"zf4SD#=M~qw?V#
/junction-name/resource
Cbv=8h*=SD&m*z,"RaTT\zz:f0l#k+
script-filter N}D9C^Zh*xT URL }K'VD*a#
B<{vKb; URL }Kbv=8:
9C*a3d&m`TZ~qwD URL
}yZ cookie Dbv=8b,Policy Director a)8C=8T}K`T
Z~qwD URL#IT4(M$n*a3dm,Cm+X(D?jJ4
3d=*a{F#
WebSEAL 9C*a3dmP|,D}]li`TZ~qwD URL PD
;CE"#g{ URL PD76E"%dmPDu?,WebSEAL +Ck
s8rkC;CX*D*a#
CmG{* jmt.conf D ASCII D>D~#webseald.conf dCD~D
[junction] ZP8(KCD~D;C:
jmt-map = lib/jmt.conf
< 27. }KxT URL
mP}]u?Dq=I*a{F"UqMJ4;C#=9I#2I9C
(d{moJ4;C#=#
Z*a3ddCD~DTB>}P,=vsK~qwZ /jctA M /jctB k
WebSEAL *a:
#jmt.conf
#<junction-name> <resource-location-pattern>
/jctA /documents/release-notes.html
/jctA /travel/index.html
/jctB /accounts/*
/jctB /images/weather/*.jpg
-< jmt.conf 3dmG;vUD~#ZrD~mS}]s,Xk9C
jmt load |n00k1}],Tc WebSEAL q*BE"#
pdadmin> server task <server-name> jmt load
QI&0k JMT m#
TBu~&CZ*a3dmbv=8:
¶ Cbv=8;h* -j !nr*a cookie
¶ h*hC3dm"I2+\m1$n
¶ Cbv=8;&mxT URL 4(D4S
¶ J4;C#=Z>X Web UdM*aD Web &CLr~qwOX
kG(;D#
¶ g{ZD~PPj+`,D#=u?,r+;0k3dm#+
WebSEAL +LxKP#
¶ g{Z0k3dm1vm,r3dm+;IC#+ WebSEAL +Lx
KP#
¶ g{3dm*UrmDu?Pms,r+;0kC3dm#+
WebSEAL +LxKP#
¶ 0k3dm1"zDNNms+<B WebSEAL ~qwU>D~
(webseald.log)PDJCTu?#
4,#fac'V(–s"–u)
s?V Web tCD&CLr*4TM'zD HTTP ksrP,$04
,1#C4,CZ,}g:
¶ (} CGI LrzID}]u?q=VNzYC'xH
¶ 4P;5P}]bi/1,,$C'OBD
¶ ZZ_:o5&CLrP,$L7Pm,C'ITTI/@M!q
L74:r
I4FKPtC Web &CLrD~qw,Tc(}:XVda_T\#
1 WebSEAL ~qwa)=b)4FDsK~qwD*a1,|Xk#
$M'za0Z|,DyPks<;*"=}7D~qw,x;Gy]
:X=bfrZQ4FDsK~qwPV<#
1!ivB,Policy Director (}ZyPICD4F~qwOV<ks4
yb~qw:X# Policy Director 9C0nUP1c(#Cc(+?v
Bks8rVP,SnYD~qw#
create |n –s j>+2G:X=bfr"4(04,#fac1#C4
,#fac7#Z{va0Zd+M'zks*"=,;~qw#Z"
zu<M'zks1,WebSEAL MZ|,8(sK~qwD UUID D
M'z53OEC;v cookie#1M'zr,;J4avx;=Dks
1,C cookie D UUID E"+7#ks\G7I=,;vsK~qw#
–s !nJCZ`vsK~qwZ,;v*ac*a=%v0K WebSEAL
~qwD4v#k"b,;)+u<*a4(*4,#f,+9C;x
–s !nD add |n,+#`D1>sK~qw*a=,;v*ac#
g{C=8|,`v*a=,;vsK~qwD0K WebSEAL ~qw,
Xk9C –u !n}78(=?v0K WebSEAL ~qwDsK~qw
UUID#kND:*4,#fac8(sK~qw UUID(–u);#
*4,#fac8(sK~qw UUID(–u)Z4(=sK Web &CLr~qwDB*a1,WebSEAL (#zI(
;+Vj6{(Unique Universal Identifier,UUID)4j6sK~qw#
C UUID ZZ?9C,2C4,$4,#fac(create –s)#
Z"zu<M'zks1,WebSEAL MZ|,8(sK~qwD UUID
DM'z53OEC;v cookie#1M'zr,;J4avx;=Dks
1,C cookie D UUID E"7#ks\G(r=,;vsK~qw#
1`v0K WebSEAL ~qw*a=`vsK~qw1,4,#fac
D&m+dC|S4S#(#,0K WebSEAL ~qwMsK~qw.
dD?v*a*sK~qwzI;v(;D UUID#bb6E;vsK~
qwZ?v0K WebSEAL ~qwOP;,D UUID#
`v0K~qwh*:X=bzFZ=v~qw.dV<:X#}g,
IT9CX(D UUID (} WebSEAL ~qw 1 4("=sK~qw
Du<04,1#
;x,g{4T,;M'zDsLksI:X=bzF7I*(}
WebSEAL ~qw 2,C04,1;YfZ,}G WebSEAL ~qw 2
9C`,D UUID 4j6,;vsK~qw#(#;aGbViv#
–u !nJmr?v0K WebSEAL ~qwa)X(sK~qwD,;v
UUID#
w*>},<GP=v4FD0K WebSEAL ~qw,|G<_P==
vsK~qwD4,#fac#Z4( WebSEAL ~qw 1 MsK~q
w 2 .dD4,#fac1,+zI(;D UUID(UUID A)4j6
sK~qw 2#+GZ4( WebSEAL ~qw 2 MsK~qw 2 .d
< 28. 9CsK~qw UUID D4,#f*a
D4,#fac1,+zI;,DB UUID(UUID B)4j6sK~q
w 2#
g{4TM'zDsLks7I(} WebSEAL ~qw 2,r(}
WebSEAL ~qw 1 ZM'zMsK~qw 2 .d("D04,1+'
\#
Z*a4(Zd,k&CTBxL48( UUID:
1. 4(S WebSEAL ~qw 1 =?vsK~qwD*a#
9C create –s M add#
2. PvZ0=h 11P*?vsK~qwzID UUID#
9C show#
3. 4(S WebSEAL ~qw 2 =?vsK~qwD*a"8(Z0=
h 21Pj6D UUID#
9C create –s –u M add –u#
B<P,WebSEAL-1 M WebSEAL-2 <+sK~qw 1 6p* UUID
1#WebSEAL-1 M WebSEAL-2 <+sK~qw 2 6p* UUID 2#
< 29. ;,D UUID
>}:
ZTB>}P,
¶ WebSEAL-1 F* WS1
¶ WebSEAL-2 F* WS2
¶ sK~qw 1 F* APP1
¶ sK~qw 2 F* APP2
pdadmin> server task webseald-WS1 create -t tcp -h APP1 -s /mnt
pdadmin> server task webseald-WS1 add -h APP2 /mnt
pdadmin> server task webseald-WS1 show /mnt
(b+T> UUID1 M UUID2)
pdadmin> server task webseald-WS2 create -t tcp -h APP1 -u <UUID1> -s /mnt
pdadmin> server task webseald-WS2 add -h APP2 -u <UUID2> /mnt
1M'zksK~qw 2 ("4,#fac1,|+SU=|, UUID
2 D cookie#TO>}7#M'z\G,S=sK~qw 2,x;\Ts
DksG(} WebSEAL-1 9G WebSEAL-2 7ID#
< 30. *4,#fac8(sK~qw UUID
*a= Windows D~53(–w)WebSEAL TM'zKks4P2+Tli,b)ksGryZ URL P
8(DD~76PD*asK~qwavD#r* Win32 D~53a)
CJ$D~{D=V;,=(,Z2+TliPI\"z#02+DP
*#
Z;V=(7Oj{DD~{(abcdefghijkl.txt)#Z~V==9C
ID 8.3 D~{q=Ta)rsf]T(abcdef˜1.txt)#
Z Windows 73P4(*a1,+CJXF^(Z;vTsm>(,;
JmF}2+zFD0sE1GG#X*D#
–w !n;Jm 8.3 D~q=#C';\(}9CLD~{q=(8.3)
\b$D~{DT= ACL#~qwTZdkDNNLq=+D~{5X
0403 {C1ms#
Windows P,xPD~{0foo.1DD~+4wkD~{0foo1DD~G
;yD# –w !n+ZrsK~qw"Mks0,}% URL PDD~
{2fDc#ACL liGyZ;P2fcDD~{#
":Win32 ;xVs!4DJb(abcde.txt = AbCdE.txt)IT9C –i!nmv#kNDZ1423D:'V;xVs!4D URL(–i);#
>}:
Z Windows NT 4.0 O,9IT9CTB76CJD~ \Program
Files\Company Inc.\Release.Notes:
1. \program files\company inc.\release.notes
2. \program files\company inc\release.notes
3. \progra~1\compan~2\releas~3.not
OfD>} 1 {vK –i !n(x;G –w)mvD0;xVs!41
D'{#
>} 2 {vK Windows NT gNvT2fD)9c#
>} 3 {vK Windows NT gN4(p{(*K DOS f]T)#Cp
{ZD~{P;|,Uq,"{O 8.3 q=#
–w !nBvK>} 2 M 3 P{vD1Z2+T)4# –w !n8>
ITvT2fc,"RZC*a~qwDks URL P;JmCJ|,(
KE(˜)DuLDD~{#
9C WebSEAL *aD<u"M:
¶ :Z,;*aO20`v~qw;
¶ :}K4T*a~qwD2, HTML URL;
¶ Z1543D:g}*a4PmI(Dl#;
¶ Z1553D:g}*aD$iO$;
Z,;*aO20`v~qwITZ,;*ac20`v1>~qw#ITZ,;cO20Nb`v
~qw#
20Z,;*acODyP~qwXk*1>(5q Web Ud),"R
Xk9C`,D-i * HTTP r HTTPS#;*Z,;*acO20;
,D~qw#
Sw Policy Director ~qw Web UdCJtZ*a~qwD3f#z
&CITCJb)3f(1;*y]mI(),"Rb)3f&CT>
;B#g{<{P3fR;=r|D,rb6E;P}74F3f#
kliCD5fZ,"R4F~qwD5wPDD5`,#
}K4T*a~qwD2, HTML URLv}KG)S*a~qwSUD MIME `MD0text/html12,D5#
WebSEAL I|D=v URL /:xTDM`TZ~qwD URL /#
¶ `TZ~qwD URL m>k*a~qwDD5y`XD URL ;
C,}g:
/dir/file.html
|Db) URL I43*a~qwD*ac,}g:
/jct/dir/file.html
¶ xT URL m>k0wz1{r IP X70xgKZ`XD URL ;
C,}g:
http://servername[:port]/file.html,rhttps://servername[:port]/file.html
Iy]TBfr/|Db) URL:
1. g{ URL G HTTP,"Rwz/KZk TCP *aD~qw%d,
r+^D URL T43*ac,}g:
/jct/...
2. g{ URL G HTTPS,"Rwz/KZk SSL *aD~qw%d,
r+^D URL T43*ac,}g:
/jct/...
3. v}KZ iv.conf D~P(eDjG/tTTD URL#
4. (#+}K META jGT"Bks,}g:
5. g{ BASE j)|, HREF tT,rKj)+Sl&FAM'z#
}K(}*a~qwD URL DN};Z webseald.conf dCD~D
[filter-url] ;ZP#
[filter-url] ;Z|,K HTML jGPm,WebSEAL ~qw+}Kr^
Db)jGIw{S*a~qwq!DxT URL#
1!ivB+dC#C HTML jG#\m1I\h*mS|, URL D
=S HTML jG#
kNDZ1423D:&m4TE>MM'zK&CLrD URL(–j);#
g}*a4PmI(Dl#P) Policy Director mI(;\g}*a4P#}g,;\9C x mI
(XF CGI E>D4P,2;\9C l mI(4P?<Pm#}g,
<META HTTP-EQUIV="Refresh" CONTENT="5;URL=http://server/url">
WebSEAL ;\<77(sK~qwOksDTsG CGI LrD~"/
,?<Pm9G#fD HTTP Ts#
g}*aCJTs,CGI LrM?<Pm;\(} r mI(xPXF#
g}*aD$iO$
201,WebSEAL G9CG1!bT$idCD#bT$i(}
webseald.conf dCD~D [ssl] ZPD webseal-cert-keyfile-label N
}8(*n/D~qwK$i#
g{*aDsK&CLr~qw*s WebSEAL 9CM'zKD$ij
6T:,rXkWH9C iKeyman 5CLr4("20MjEC$i#
;s,9C –K <key-label> !ndC*a#kNDZ1323D:`%O
$D SSL *a;
g{;P9C –K dC*a,r GSKit (}T/"M|,Z\?D~}
]bPD01!1$i,&m`%O$Dks#g{b;GyhDl
&,rXk7#\?D~}]b(pdsrv.kdb)P;PjG*01!1
(GE)D$i#
\a:
¶ 9CjE{Fj6yPh*D$i#
¶ ;*+\?D~}]bPDNN$ijG*01!1#
¶ 9C webseal-cert-keyfile-label N}XF WebSEAL ~qwKD$
il&#
¶ (} –K *a!nXF WebSEAL M'zKD$il&#
ZZ}=~qwO9C query_contentsg{#{9C Policy Director 2+~q#$Z}=&CLr Web Ud
DJ4,Xkr WebSEAL a)XZZ}= Web UdZ]DE"#
{* query_contents D CGI Lr+a)CE"# query_contents L
rQwZ}= Web UdZ]"r WebSEAL OD Web Portal Manager
a)CbfE"# WebSEAL 20LrTxCLr,+GXkV$XZ
Z}=~qwO20#!vZZ}=~qwGyZ UNIX 9G
Windows,P;,DLrD~`MIC#
?Nzm*aD\#$TsUd?VZ0TsUd1\mfeO9*
1,Web Portal Manager D0TsUd1\mw+T/KP
query_contents#H; Web Portal Manager *@XZZ}=&CLr
UdDZ],zITT>CE""TZOJDTs&C_T#e#
20 query_contents(#,20 query_contents HO]W#20|(S Policy Director ~
qw4F;vr=vD~=Z}=~qwT0`-dCD~#
TB Policy Director ?<|,KLr#e:
UNIX: <install-path>/www/lib/query_contents
Windows: <install-path>\www\lib\query_contents
?<Z]|(:
D~ hv
query_contents.exe CZ Win32 53Dw*I4PLr#&C20Z
Z}= Web ~qwD cgi-bin ?<B#
query_contents.sh CZ UNIX 53Dw*I4PLr#&C20ZZ
}= Web ~qwD cgi-bin ?<B#
query_contents.c 4zk#a)4zkG*Kzcr;zh*|D
query_contents DP*#s`}ivB,bG;
X*D#
query_contents.html HTML q=DozD~#
query_contents.cfg j> Web ~qwD5yD>}dCD~#
ZZ}= UNIX ~qwO20 query_contentsZTB?<PiR{* query_contents.sh DbGLrE>:
<install-path>/www/lib/query_contents
1. + query_contents.sh 4F=Z}= Web ~qwOpwCD
/cgi-bin ?<P#
2. }% .sh )9{#
3. * Web ~qwD\mJ'hC UNIX 4P;#
ZZ}= Win32 ~qwO20 query_contentsZTB?<P,(;{* query_contents.exe DI4PLrM{*
query_contents.cfg DdCD~:
Windows: <install-path>\www\lib\query_contents
1. k7#Z}= Web ~qw_P}7dCD CGI ?<#
2. *KbT?D,k7#Z}= Web ~qwODD5yPfZP'D
D5#
3. + query_contents.exe 4F=Z}= Web ~qwD CGI ?<P#
4. + query_contents.cfg 4F= Windows ?<#
K?<D1!5gBmy>:
Yw53 Windows ?<
Windows 95 c:\windows
Windows NT 3.5x c:\winnt35
Windows NT 4.x c:\winnt
5. `- query_contents.cfg D~T}78(Z}= Web ~qwDD
5y?<#
CD~|, Microsoft Internet Information Server M Netscape FastTrack
~qwD>}u?#ZKD~P,TVE(;)*<DPG"M,+
; query_contents LrvT#
bTdC
1. Z Win32 zwD MS-DOS a>{B,4gB==4P CGI ?<P
D query_contents Lr:
MSDOS> query_contents dirlist=/
&1vVkTBdv`FDZ]:
100
index.html
cgi-bin//
pics//
}V 100 Gm>I&D5X4,#nX*DGAY*4{}V 100 G
Z;v5("RI\G(;D;v)#
g{4{DGmsk,rCdCD~;Z}7D;Cr_;|,P
'DD5yu?#li query_contents.cfg D~DdC,"7#D
5yfZ#
2. Z/@wP,dkTB URL
http://<win32-machine-name>/cgi-bin/query_contents.exe?dirlist=/
C|n+5XkOv=h`,Da{#g{;5XCa{,r Web ~
qwD CGI dC;}7#kiD~qwDD5T|}CJb#
(F query_contentsquery_contents DNqG5X|,Z URL ksPD?<Z]#
}g,*qC~qw Web Udy?<DZ],/@w9CgB==Z
URL OKP query_contents:
http://third-party-server/cgi-bin/query_contents?dirlist=/
query_contents E>4PTBYw:
1. Aj< CGI 73d? $SERVER_SOFTWARE T7(~qw`M#
yZ Web ~qw`M,+d? $DOCROOTDIR hCIdMDD5
y;C#
2. SksD URL PA!73d? $QUERY_STRING,TqCksD
Yw"q!Ts76#
Yw5f"Zd? $OPERATION P,Ts76f"Z $OBJPATHP#ZO}P,$OPERATION * dirlist,$OBJPATH *0/1#
3. ZTs76O4P?<Pm(ls)"+a{dv=j<dv,Tc
Policy Director ~qw9C#m>S?<Du?_P=SD+1\
(//)#
dMDdvgB:
100
index.html
cgi-bin//
pics//
}V 100 Gm>I&D5X4,#
(FD5y?<
UNIX:
*dC UNIX ~qwD query_contents.sh,I\h*^DD5y?<
DhC#
g{ query_contents 5Xms4,(;,Z 100 D}),"R;PD
~Pv,kliE>"ZX*1^D $DOCROOTDIR d?,T%d~
qwdC#
g{}78(KD5y?<+E>T;'\,I\G cgi-bin ;Cf6;
}7#li $FULLOBJPATH d?"^DVdx|D5,T43}7D
cgi-bin ;C#
Windows:
*(F Windows ~qwD query_contents.exe,k^D
query_contents.cfg D~#
=S&\
query_contents Lr(query_contents.c)D4zkG9C Policy
Director V"D,|;h*Xm(#
IrCLrmS=S&\,T'V3)Z}= Web ~qwDXb&\#
b)&\|(:
1. ?<3d * +;ZD5yBDS?<3d= Web Ud#
2. ;yZD~53D Web UdDzI#
bI\Gw\}]bD Web ~qwDiv#
#$ query_contentsPolicy Director 9C query_contents CGI Lr4T> Web Portal
Manager P*aD Web ~qwTsUd##$CD~T@94Z(DC
'KPG\X*D#
XkhC2+T_T,vJm\m~qw(pdmgrd)m]_PCJ
query_contents LrD(^#TB>} ACL(query_contents_acl)zcKu~:
group ivmgrd-servers Tl
user sec_master dbxTrlcam
9C pdadmin 5CLr+K ACL =SA*a~qwOD
query_contents.sh(UNIX)r query_contents.exe(Windows)Ts#}g
(UNIX):
pdadmin> acl attach /WebSEAL/<host>/<junction-name>/query_contents.sh query_contents_acl
Web %;"abv=8
1 WebSEAL w*zm~qw5VTa)T2+rD#$1,(#*s
a)%;"aA Web J4Dbv=8#>BV[ WebSEAL zmdC
D Web UdD%;"abv=8#}g,|,XbdCD*a"+V"
aM LTPA#
wbw}:
¶ :dC%;"abv=8D BA 7;
¶ Z1673D:9C+V"a(GSO);
¶ Z1713D:%;"aA IBM WebSphere(LTPA);
dC%;"abv=8D BA 7>ZV[9C –b !n4((} WebSEAL *aD%;"adCDI\
bv=8#
¶ Z1623D:%;"a(SSO)En;
¶ Z1623D:Z BA 7Pa)M'zm];
¶ Z1633D:a)M'zm]M;c\k;
¶ Z1653D:*"-<M'z BA 7E";
¶ Z1663D:}%M'z BA 7E";
¶ Z1663D:S GSO a)C'{M\k;
7
%;"a(SSO)EnZ\#$J4;ZsK Web &CLr~qwO1,I\a*sksCJ
4DM'z4P`NG< * ;NTZ WebSEAL ~qw,;NTZs
K~qw#?vG<I\h*;,DG<m]#
I9C%;"a(SSO)zFbv\mM,$`vG<m]DJb#%
;"abv=8JmC';9Cu<G<MITCJNN;CDJ4#
TNN4TsK~qwDx;=G<*sD&mTC'<G8wD#
Z BA 7Pa)M'zm]IdC WebSEAL *a,TrsK~qwa)-<r^DsDM'zm
]E"# –b !n/JmzZ HTTP y>O$(BA)7Pa)X(M'
zm]E"#
w*\m1,zXkVvxga9M2+hs,"7(TBJbDp
8:
1. sK~qwh*O$E"p?
(WebSEAL 9C HTTP y>O$7+oO$E"#)
2. g{sK~qwh*O$E",b)E"+SDy4?
(WebSEAL +Z HTTP 7PEC24E"?)
3. WebSEAL MsK~qw.dD,Sh*G2+Dp?
(G TCP 9G SSL *a?)
< 31. `vG<
ZxPM'zM WebSEAL .dDu<O$s,WebSEAL I("BD
y>O$7#ks+ZLx(}*a=sK~qwZd9CKB7#I
9C –b !n4f(CB7a)D)X(DO$E"#
a)M'zm]M;c\k–b supply
–b supply !n8> WebSEAL a)xP2,";c(0F*1)\k
DQO$ Policy Director C'{(M'zD-<m])#C=8;9C-
<M'z\k#
;c\kE}K\k\m"'VyZ?vC'D&CLr#0F*1\
kGZ webseald.conf dCD~D basicauth-dummy-passwd N}P
hCD#
[junction]
basicauth-dummy-passwd = <password>
C=8Y(sK~qwh*4T Policy Director m]DO$#(}+M
'zC'3d=Q*D Policy Director C',WebSEAL \msK~q
wDO$"a)r%DrZ%;"abv=8#
Cbv=8PTBu~:
¶ dC WebSEAL *rsK~qwa)-<M'zksP|,DC'{
M;c(0F*1)\k#
< 32. rsK~qwa)O$E"
¶ Z webseald.conf dCD~PdC0F*1\k#
¶ sK~qw"amXk6p HTTP BA 7Pa)D Policy Director m
]#
¶ r*(}*a+]tPDO$E"(C'{M\k),yT*aD
2+\X*#?RFv9C SSL *a#
^F
,;v Policy Director0F*1\k+CZyPks;yPC'ZsK~
qw"amP_P`,D\k#9C+C0F*1\k;P*&CLr
~qwa)y!,$w9CCC'{G<DM'z_PO(T#
g{M'z\G(} WebSEAL CJsK~qw,Cbv=8+;vV
NN2+Jb#;x,SomO#$sK~qwT\bd|DI\CJ
==G\X*D#
r*bV=8;P\k6D2+T,sK~qwXk~,XEN
WebSEAL Ti$M'zDO(T#
sK~qw"am2Xk6p Policy Director m]TS\|#
< 33. BA 7|,m]M0F*1\k
*"-<M'z BA 7E"–b ignore
–b ignore !n8> WebSEAL +-<M'zy>O$(BA)7;\I
EX1S"M=sK~qw#I+ WebSEAL dC*O$C BA M'z
E"rvTM'za)D BA 7,"+7;S^DX*"=sK~qw#
":b;Gf}D%;"azF,xGTZ}=~qw(T WebSEAL 8
wD)X1SG<#
Cbv=8PTBu~:
¶ sK~qw(} BA *sM'zm]E"
sK~qw+y>O$aJ"MXM'z#M'zTC'{M\k
E"l&,b)E"I WebSEAL ;S^DX+]#
¶ sK~qw,$M'zT:a)D\k
¶ dC WebSEAL *rsK~qwa)-<M'zksP|,DC'{
M\k#
¶ r*(}*a+]tPDO$E"(C'{M\k),yT*aD
2+\X*#?RFv9C SSL *a#
< 34. WebSEAL *"-<M'zm]E"
}%M'z BA 7E"–b filter
–b filter !n8> WebSEAL Z+ks*"=sK~qw.0,}%y
P4TM'zksDy>O$7E"#Z>=8P,WebSEAL G%@D
2+T)&L#
Cbv=8PTBu~:
¶ ZM'zM WebSEAL .ddCy>O$
¶ sK~qw;h*y>O$
¶ ;\(} WebSEAL CJsK~qw
¶ WebSEAL zmsK~qw&mO$
g{zh*rsK~qwa)3)M'zE",ITiOC!nM –c !
nTc+ Policy Director M'zm]E"ek HTTP 7VN#kNDZ
1393D:Z HTTP 7Pa)M'zm](–c);#
S GSO a)C'{M\k–b gso
–b gso !n8> WebSEAL rsK~qwa)O$E"(C'{M\
k),b)E"S*&m+V"a(GSO)hCD~qwOqC#
< 35. }%M'z BA 7E"
Cbv=8PTBu~:
¶ sK~qw&CLrh*;,DC'{M\k,|G;P|,Z
WebSEAL "amP#
¶ T WebSEAL MsK~qw45,2+T\X*#
r*(}*a+]tPDO$E"(C'{M\k),yT*aD2+
\X*#?RFv9C SSL *a#
CzF+Z:9C+V"a(GSO);Pj{hv#
9C+V"a(GSO)
Policy Director 'VinD%;"abv=8,Cbv=8_PrsK
Web &CLr~qwa)8CC'{M\kD\&#
y]y9CDC'"am`M,P=V=('VM4P%;"abv=
8:
¶ xP DCE "amD2+r * 9C Tivoli Global
Sign-On(GSO)z7
¶ xP LDAP "amD2+r * LDAP ?<a)+V"a'V
+V"aZ(C'CJQZ(9CDFcJ4 * (}%;G<# GSO
G*ss5hFD,b)s5I;,V`DV<=Fc73D`v53
M&CLr9I,GSO E}KnUC'\m`vC'{M\kDh*#
/IGI4( WebSEAL MsK~qw.dD0GSO b61*a45V
D#XkWH9C Web Portal Manager 4( GSO J4M GSO J4i#
1 WebSEAL SU=T*a~qwODJ4Dks1,WebSEAL +r
GSO ~qw*s`&DO$E"# GSO ~qw|,K;v3d}]b
* TZ?vQ"aDC' * C}]b*X(J4M&CLra)8C
C'{M\k#
B<{vKgN9C GSO zFlwsK&CLrJ4DC'{M\k#
1. M'zCCJsK~qwO&CLrJ4Dksr WebSEAL O$#
qC Policy Director m]#
":%;"axL@"Zu<O$=(#
2. WebSEAL + Policy Director m]"M= GSO r LDAP ~qw#
3. ~qw5XJOZC'MyksD&CLrJ4DC'{M\k#
4. WebSEAL ZksD HTTP y>O$7PekC'{M\kE",C
ks(}*a"M=sK~qw#
3dO$E"BfD>}{vK GSO gNr WebSEAL a)O$E"#g{C'
Michael kKP travel-app &CLrJ4(kN<<36),r WebSEAL
r GSO/LDAP ~qw*s Michael DO$E"#
< 36. +V"azF
GSO/LDAP IC3dJ4AX(DO$E"Dq=,$j{DO$E"
}]b#O$E"GC'{/\kDiO,F*J4>$#;\*Q"
aDC'4(J4>$#
~qw|, Michael D}]b,|+J4 travel-app 3d*X(DJ4
>$#
Bm{vK GSO J4>$}]bDa9:
Michael Paul
J4:travel-app username=mike
password=123
J4:travel-app username=bundy
password=abc
J4:payroll-app username=powell
password=456
J4:payroll-app username=jensen
password=xyz
ZC}P,GSO r WebSEAL 5XC'{0mike1M\k01231#
WebSEAL Z9l(}*a"MAsK~qwDksDy>O$719C
CE"#
dCtC GSO D WebSEAL *aGSO 'VGZ WebSEAL MsK~qw.dD*aPdCD#
*4(tC GSO D*a,k9Cx –b gso !nD create |n#B
fD>}{vK create |nDo(:
create -t tcp -h <host-name> -b gso -T <resource> <jct-point>
BfPvhC GSO *aD!n:
!n hv
–b gso 8( GSO *(}C*aDyPksa)O$E"#
–T <resource/resource-group>
8( GSO J4r GSO J4i#J4{CwC!nD
N},Xkk GSO }]bPPvDJ4{F+7%
d#gso *aPK*s#
Z4(*a1,(}=S&C –t ssl !n,I#$(} SSL D"Z
WebSEAL/GSO bv=8P9CD*a#
FvTZ GSO \G9C SSL *a47#>$MyP}]DS\#
tC GSO D WebSEAL *aD>}
+wz:sales_svr OD&CLrJ4:travel-app *a=*ac
/sales:
create -t tcp -b gso -T travel-app -h sales_svr /sales
+wz:adm_svr OD&CLrJ4:payroll-app *a=*ac
/admin "9C SSL #$C*a:
create -t ssl -b gso -T payroll-app -h adm_svr /admin
":ZO}P,–t ssl !nf(K1!KZ 443#
dC GSO _Y:f+V"a(GSO)_Y:f&\JmzZ_:X73PDF GSO *aD
T\#1!ivB,{C GSO _Y:f#g{;P_Y:fDv?,r
TZ GSO ?jE"(GSO C'{M GSO \k)D?Nlw,<h*
wC LDAP ~qw#
dC GSO _Y:fDN};Z webseald.conf dCD~D [gso-cache]ZP#XkWHtC_Y:f##`DN}CZdC?v_Y:fu?
D_Y:fs!M,15#O$DP'ZMGn/,15IDFT\,
+avSE")6Z WebSEAL ZfPDgU#g{zDxgbv=8
P49C GSO *a,r;*tC GSO _Y:f#
N} hv
gso-cache-enabled tCM{C GSO _Y:f&\#5|(
0yes1M0no1#1!5*0no1#
gso-cache-size hC_Y:f"PmJmDnsu?}#
hCK5T9|S|"PC'a0((}
GSO *aCJ&CLr)De5}#O_D
5a9C|`Zf,+a5VOlDE"
CJ#?v_Y:fu?+{Ds< 50 V
Z#
gso-cache-entry-lifetime Nb_Y:fu?IT#tZ_Y:fP
Dn`1d(TkF),;<GGqn
/#_Y:fu?=Zs,,;C'DB
;ksh*T LDAP ~qwxPBDwC#
gso-cache-entry-idle-timeout Gn/_Y:fu?IT#tZ_Y:f
PDn`1d(TkF)#
%;"aA IBM WebSphere(LTPA)
Policy Director WebSEAL ITT IBM WebSphere 73a)O$MZ(
~qT0#$#+ WebSEAL (;* WebSphere D#$0K1,CJM
'z+fY=v1ZDG<c#rx,WebSEAL 'V(} WebSEAL *
aA;vr`v IBM WebSphere ~qwD%;"abv=8#
WebSphere a)yZ cookie Da?6Z}=O$zF(LTPA)#ITd
C WebSEAL *a'V LTPA "*M'za)%;"abv=8#
1C'ks WebSphere J41,C'XkWHO$A WebSEAL,I&
O$s,WebSEAL +zIzmC'D LTPA cookie#w* WebSphere
DO$jG~qD LTPA cookie |,m]M\kE"#KE"9C
WebSEAL M WebSphere .d2mD\\k#$D\?S\#
WebSEAL ZksD HTTP 7Pek cookie,Cks(}*a"MA
WebSphere#sK WebSphere ~qwSUks"b\ cookie "yZ
cookie Pa)Dm]E"O$C'#
*DFT\,WebSEAL ITZ_Y:fPf" LTPA cookie "IZ,
;C'a0Zd*sLks9C-_Y:fD LTPA cookie#IT*_Y
:fD cookie dCP'Z,1MUP(Gn/),15#
dC LTPA *a(} LTPA cookie %;"aA WebSphere h*TBdCn:
1. tC LTPA zF#
2. a)CZS\m]E"D\?D~D;C#
3. a)K\?D~D\k#
b}vdChsZ*a create |nD}v=S!nP8(#
¶ –A !ntC*a'V LTPA cookie#
¶ –F <“keyfile”> !nMTd?8(CZS\|,Z cookie PDm]
E"D\?D~D+76{F;C(Z WebSEAL ~qwO)#2m
\?nuZ WebSphere ~qwO4("2+X4FA WebSEAL ~
qw#XZKNqDj8E",kN<`&D WebSphere D5#
¶ –Z <“keyfile-password”> 8(r*\?D~yhD\k#
\kZ*a XML D~Pw*S\DD>vV#
4( WebSEAL MsK WebSphere ~qw.dD*a1,9Cb)!n
T0d|XhD*a!n#}g:
create ... -A -F "/abc/xyz/key.file" -Z "abcdefg" ...
dC LTPA _Y:f4("S\Mb\ LTPA cookie ax4&m*z#LTPA _Y:f&\
JmzDF_:X73B LTPA *aDT\#1!ivB,tC LTPA
_Y:f#g{;P_Y:fT53&\Dv?,r+4(BD LTPA
cookie "*?vsLC'ksS\#
dC LTPA _Y:fDN};Z webseald.conf dCD~D
[ltpa-cache] ZP#N}CZ8(_Y:fs!M_Y:fu?D,1
5#O$DP'ZMGn/,15IDFT\,+avSE")6Z
WebSEAL ZfPDgU#
N} hv
ltpa-cache-enabled tCM{C LTPA _Y:f&\#5|(
0yes1M0no1#1!5*0no1#
ltpa-cache-size hC_Y:f"PmJmDnsu?}#
hCK5T9|S|"PC'a0((}
LTPA *aCJ&CLr)De5}#O_
D5a9C|`Zf,+a5VOlDE
"CJ#?v_Y:fu?+{Ds< 50
VZ#1!5* 4096 vu?#
ltpa-cache-entry-lifetime Nb_Y:fu?IT#tZ_Y:fP
Dn`1d(TkF),;<GGqn
/#_Y:fu?=Zs,,;C'DB
;ksh*4(B LDAP cookie#1!5*
3600 k#
ltpa-cache-entry-idle-timeout Gn/_Y:fu?IT#tZ_Y:f
PDn`1d(TkF)#1!5* 600
k#
LTPA %;"aD<u"M:
¶ \?D~|,XZX( WebSphere ~qwDE"#;v LTPA *a
X(Z;v WebSphere ~qw#g{+`v~qwmS=,;v*
ac,ryPD~qw<+2m,;v\?D~#
¶ *K9%;"aI&,WebSEAL M WebSphere ~qwXkT3V=
=2m,;"amE"#
¶ WebSphere ~qw:phC LTPA M4(2m\?#WebSEAL N
kf0*aM_Y:fdC#
&CLr/I
WebSEAL (}73d?M/, URL \&'VZ}=&CLr/I#
WebSEAL )973d?M HTTP 7D6',tCZ}=&CLr"y
ZM'zm]4PYw#mb,WebSEAL ITa)T/, URL(}g
G)|,i/D>D URL)DCJXF#
wbw}:
¶ :'V CGI `L;
¶ Z1773D:'VsK~qwK&CLr;
¶ Z1783D:tC/,LqJq;
¶ Z1813D:9((FvT/~q;
¶ Z1833D:a)T/, URL DCJXF;
¶ Z1903D:/, URL >}:Travel Kingdom;
'V CGI `L*K'V CGI `L,WebSEAL Zj<D CGI d?/PmSK 3 v=
S73d?#b)73d?ITIG)Z>X WebSEAL ~qwr*a
DsK~qwOKPD CGI &CLr9C#b)d?r CGI &CLr
a)X(Z Policy Director DC'"iM>$E"#
Z>X WebSEAL ~qwO,b)73d?IT/CZ CGI Lr#
8
IZ*aDZ}=~qwOKPD CGI &CLr9CD73d?GIS
WebSEAL +]=~qwD HTTP 7E"zzD#Xk9C –c !n4
4('V HTTP ksDX(Z Policy Director 7E"D*a,b) HTTP
ks+*+M=sK~qw#
m{Z1393D:Z HTTP 7Pa)M'zm](–c);#
d|X(Z Policy Director D73d?:
CGI 73d? hv
HTTP_IV_USER ks_D Policy Director C'JE{F#
HTTP_IV_GROUPS ks_ytD Policy Director i#8(*T:EV
tDiPm * ?i<(T+}E#
HTTP_IV_CREDS `kD;8w}]a9,m> Policy Director >
$#r6L~qwa)>$,byPdc&CLr
MIT9CZ( API wCZ(~q#kN< Policy
Director ADK Developer Reference#
>X WebSEAL ~qwOD REMOTE_USER d?:
Z\ WebSEAL XFD>X~qw73P,OfyPD HTTP_IV_USERd?D5Gw*j< REMOTE_USER d?D5a)D#k"b
REMOTE_USER d?I\ZKPZ*asK~qwOD CGI &CLr
73P2fZ#+ZbVivB,d5;\ WebSEAL XF#
CGI 73d? hv
REMOTE_USER |,k HTTP_IV_USER VN`,D5#
Windows:'V WIN32 73d?>Zv&CZ>X*a#
Windows ";T/X9dyP5373d?ICZg CGI &CLr.`
DxL#dMivB,*sD5373d?GfZD#
+G,g{ CGI 73P;fZNN*sD Windows 5373d?,r
IT(} webseald.conf dCD~w7X9|GICZ CGI Lr#(k
"b0;ZPa=D Policy Director 73d?ZyP=(P<T/I
C)#
+yPh*D Windows 5373d?mS= webseald.conf dCD~
D [cgi-environment-variables] ZP#9CTBq=:
ENV = <variable-name>
}g:
[cgi-environment-variables]
#ENV = SystemDrive
ENV = SystemRoot
ENV = PATH
ENV = LANG
ENV = LC_ALL
ENV = LC_CTYPE
ENV = LC_MESSAGES
ENV = LOCPATH
ENV = NLSPATH
CGI 73+LPyP4"MP#
'VsK~qwK&CLrWebSEAL 9a)TI4PzkD'V,Czkw*sK Web ~qwD
6k=i~KP#b`~qwKI4PzkD>}|(:
¶ Java !~qLr
¶ CZ Oracle Web l}wDP
¶ ~qwKe~
9C –c !n4(AsK~qwD*a1, WebSEAL +X(Z Policy
Director DM'zm]Mi1JqE"ekTC~qw*?DXDksD
HTTP 7#
X(Z Policy Director D HTTP 7E"9C*aDZ}=~qwOD&
CLrITyZM'zD Policy Director m]4PX(ZC'DYw#
WebSEAL a)TBX(Z Policy Director D HTTP 7:
X(Z PD D
HTTP 7VN
hv
iv-user = M'zDL{r${#g{M'z4O$(r4*),
r1!5*04O$1#
iv-groups = M'zytDiDPm#T:EVtD,}E}p4D
iPm8(#
iv-creds = `kD;8w}]a9,m> Policy Director >$#r6
L~qwa)>$,byPdc&CLrMIT9CZ
( API wCZ(~q#kN< Tivoli SecureWay Policy
Director Authorization ADK Developer Reference#
b) HTTP 7Iw*73d? HTTP_IV_USER"HTTP_IV_GROUPSM HTTP_IV_CREDS CZ CGI &CLr#TZd|G CGI &CLr
r\,*q!XZS HTTP ksi!7D8>E",kND`XDz7
D5#
m{Z1393D:Z HTTP 7Pa)M'zm](–c);#
tC/,LqJqLqs50doi(#h*2m+2Jq,ngoi}](ZLR=L
RX5P)rM'}](ZLR=M'X5P)#
¶ ;cJqGhva)~qD&CLryhE"DtT#K`tTD
>}|(M'J'E"MM'J%}]#
¶ 2+TJqGa)J4ksZ(P9CD8#Hu~DtT#K`
u~D>}|(C'5qG+"CJXF<xM(e3Woi-(
D5qfr#
(}grO$~q(CDAS)D)9,Policy Director a)KinDzF,
JmzZO$1T)9DjG/5tT+JqE"|,=C'>$P#
&CLrI1S9CZ( API S>$Pi!K}]#XZ5VK CDAS
)9Dx;=E",kN<6Tivoli Policy Director WebSEAL *"_N
<s+7#
S LDAP }]4(LqJqWebSEAL a)KX(DZCJqzF,Jmz+C'(eD9d LDAP
E"w*)9tTek=C'>$P#;sb)tTIEk+(}*a
"M=sK&CLr~qwDksD HTTP 7P#
¶ 4TC' LDAP "amJ'NNVNDIC'(eD9d}]+w*
C' Policy Director >$D)9tTmS#
¶ WebSEAL ;dC*S>$Pi!K}],"+}]Ek+(}
WebSEAL *a"M=sK~qwDksD HTTP 7P#
¶ sK&CLrIS7Pi!}],x;h*(EzkrZ( API#
+9dD LDAP E"ek= HTTP 7PD WebSEAL dC|,=v=
h:
1. ZG<1,S LDAP "amlw9d}]"+C}]ek=C'>$
P#
2. yZT*ahCDX(u~,S>$Pi!`&D}],"+|e
k(}*a"MDksD HTTP 7P#
+9d LDAP }]ek=>$P
P=V=(+9d LDAP C'}]Ek>$P:
1. Z pd.conf dCD~D [ldap-ext-cred-tags] ZP4(u?,b)
u?+X( LDAP }]3d=>$PDVN#
K=(+Z>ZPhv#
2. `4(F CDAS #i,C#i+C'(eDNN}]3d=>$PD
VN#
XZ5VK CDAS )9DE",kND6Tivoli Policy Director
WebSEAL *"_N<s+7#
zIT9C pd.conf dCD~D [ldap-ext-cred-tags] Z,+4T
LDAPinetOrgPerson Ts`DX(}]3d=C'>$PC'(eDtT
VN#CZPDN}_PTBq=:
<custom-credential-field> = <inetOrgPerson-field>
Z>$TmP,pd.conf dCD~P(eD?v custom-credential-field N
}D{F<TLo0tagvalue_1*0:#b;0:@9k>$PDd|
VPE"De;#}g:
4T inetOrgPerson Ts`D LDAP C'
}]:employeeNumber:09876
(F>$VN{: ldap-employee-number
[ldap-ext-cred-tags] ZPDN}u?:
ldap-employee-number = employeeNumber
C'>$PfEDu?M5:
tagvalue_ldap-employee-number:09876
¶ C&\*sC'(} LDAP C'{M\kxPO$#XktC
passwd-ldap O$zF#`k libldapauthn(ldapauthn)2mb,
TcZ pd.conf dCD~D [ldap-ext-cred-tags] ZPi4C'(
eD9d>$E"#
¶ LDAP }]I4T inetOrgPerson Ts`PDj<r(FVN#
¶ IZ [ldap-ext-cred-tags] ZPEk`vu?#
¶ ZDu?P8(DyPtT<+ZC'G<1Ek>$#
¶ LDAP tT{F;xVs!4#
¶ >$VN{FxVs!4#
+>$}]ek= HTTP 7P
Z0;BZP4(DC'(eD>$E"IEk(}*a"M=sK~
qwDksD HTTP 7P#KWN|,=vNq:
1. dC*aJmX(D9d>$}]#(}hC WebSEAL #$DTs
UdP*aTsDJ1)9tT,IjIKNq#
2. S>$Pi!`&D9dE","+}]ekksD HTTP 7P#
I(}9C*aTsD)9tT,4XFX(*a*sD>$}]Di
!#)9tTD{F* HTTP-Tag-Value#K)9tT9CTBq=:
<custom-credential-field>=<http-header-field>
custom-credential-field N}DvVk|Z pd.conf dCD~D
[ldap-ext-cred-tags] Zj+`,#;|,0tagvalue_10:#KN}
GxVs!4D#http-header-field N}8(KCZf"}]D HTTP 7
D{F#}g:
*aTsOD HTTP-Tag-Value )9t
T:
ldap-employee-number=employee-id
C'>$PR=Du?M5:
tagvalue_ldap-employee-number:09876
HTTP 7PfEDu?M5: employee-id:09876
1 WebSEAL +C'ks+]=sK&CLr~qw1,|+iRZ*
aTsOdCDNN HTTP-Tag-Value )9tT#
I9C pdadmin object modify set attribute |nT)9tTdC*
a:
pdadmin> object modify <obj-name> set attribute <attr-name> <attr-value>
}g:
pdadmin> object modify /WebSEAL/WS1/junctionA set attribute HTTP-Tag-Value ldap-employee-number=employee-id
I(}9C`v pdadmin object modify set attribute |n8(`v
HTTP-Tag-Value )9tT(?v|n8(;vtT),+`vC'tT
}]+]=*aD~qw#
9((FvT/~qWeb E'x>rt/3fG/ID Web >c~q,|G+/,XzI
TX(C'ICD Web J4(FPm#b)J4I|,2,Z]"'V
~qM'0$_#E'x>dvm>yZXbC'CJmI(DJ4D
vT/Pm#t/3fvT>C'_P}7CJmI(DG)J4#
I9C WebSEAL dC!nMZ( API Jq~qZ Policy Director 7
3P9((FE'x>bv=8#
9((F WebSEAL E'x>~qDxLw|,TBwn:
1. 4(\#$TsUdDX(xr,T(;E'x>J4Ts/#
2. +`&DT= ACL =S=?vJ4Ts#
3. `- WebSEAL dCD~,+ URL |,=E'x>~q"|,E'
x>J4DTsUd76MC'CJb)J4yhDmI(;#
4. TZ?vTE'x> URL DC'ks,WebSEAL 9C(^Jq~
q4QwKTsUd,"zIzcCC'Z(u~DJ4Pm#
5. WebSEAL +KE"EZ+"M=sK(*aD)E'x>~qwD
PD_PORTAL HTTP 7P#
6. ;ZsK~qwOD(FE'x>~q(}g CGI r!~qLr)A
! PD_PORTAL 7Z],"(}g)3db)Z]=+Z Web 3f
O*C'T>DhvM URL 4S#KE"m>yZCJXFmI(
TC'ICJ4DvT/Pm#
*vT/~qdC WebSEAL
1. 4(=vT/~qDB WebSEAL *a#}g:
pdadmin> server task <server-name> create -t tcp -h portalhost.abc.com /portal-jct
2. `- webseald.conf dCD~,mSBD [portal-map] Z:
[portal-map]
3. CZPDu?j6E'x>~qLrD~qw`X URL M*ICD
\#$E'x>J4QwDTsUd,.szfDGCJyhDm
I(#bGEZ PD_PORTAL 7PDPm#
[portal-map]
<URL> = <object-space-region>:<permission>
":Qw}LPv!q_PT=hC ACL(|,CC'mI(D%
d)DJ4Ts#
4. mSZM`&D3du?s,XkXBt/ WebSEAL(webseald)#
vT/~q>}
¶ 4(AE'x>~qwD*a:
pdadmin> server task webseald-WS1 create -t ssl -h PORTAL1 /portal
¶ (e WebSEAL \#$TsUdDxr,KUd|,TvT/~qI
CDJ4:
pdadmin> objectspace create /Resources "Portal Object Hierarchy" 10
pdadmin> object create /Resources/Content "" 10 ispolicyattachable yes
pdadmin> object create /Resources/Support "" 10 ispolicyattachable yes
pdadmin> object create /Resources/Content/CGI "" 11 ispolicyattachable yes
pdadmin> object create /Resources/Support/Servlet "" 11 ispolicyattachable yes
":TZ?vJ4,0ispolicyattachable1Td?XkhC*
0yes1#QwzFv!q_PT=hC ACL D^(J4Ts#
¶ WebSEAL dC(webseald.conf):
[portal-map]
/portal/servlet/PortalServlet = /Resources:r
¶ C'9CDE'x> URL:
https://WS1/portal/servlet/PortalServlet
a)T/, URL DCJXF
10 Web 733hC'TlY|DE"D"4CJ(#m` Web &C
LrZl&?vC'ks1/,XzI3;J4(;w(URL)#b)
/, URL I\;fZ\L1d#!\|G_PY1T,/, URL T;
h*?#$,T@9;k*D9CMCJ#
/, URL i~3)4SD Web &CLr$_9Cj< web /@w(} Web ~qw
D CGI SZk&CLr~qw(E#
yPb)$_<9C/, URL M~XDm%*XZksDYw(xPd
N}5)M&CLr~qw.d(E#/, URL 9CXZX(Yw0d
N}5DE")dj< URL X7# URL Di/V{.?V* Web &
CLrSZa)Yw"N}M5#
+ ACL Ts3dA/, URLWebSEAL 9C\#$TsUd#MM_T#e(ACL)#$/,zID
URL,}gG)I}]bkszID URL#w*Z(xLDZ;=,?
v WebSEAL Dks<+bv*X(DTs#JCZTsD ACL f(
K3d=CTsDNN/, URL yhD#$#
r*/, URL vY1fZ,$dCDZ(_T}]bP;I\P|GD
u?#Policy Director (}a);V+m`/, URL 3d=%;2,\
#$TsDzFbvb;Jb#
STs=#=D3d#fZ?D>D~P:
/opt/PolicyDirector/www/lib/dynurl.conf
CD~D;C(`TZ~qwy?<)I webseald.conf dCD~D
[server] ZPD dynurl-map N}(e:
[server]
dynurl-map = lib/dynurl.conf
Xk4(KD~;1!ivB,CD~;fZ#CD~(xPu?)D
fZtC/, URL T\#
< 37. (} URL +}]+]= CGI xX
`-KD~I^Db)3d#D~Pu?Dq=G:
<object> <template>
Policy Director 9C UNIX bGLr#=%d(|((d{)DS/,
(e9ITsUdP;vTsDN}/#kG)N}%dDN;/,
URL <3d=CTs#
Policy Director 'VTB UNIX bGLr#=%dV{:
V{ hv
\ 41\sDV{GXbrPD;?V#}g, GFm{#2
ITwC**e{#
? %d%vV{D(d{#}g,V{.0abcde1kmo=
0ab?de1%d
* %dcvr`vV{D(d{#
[] (e;5PV{,I%d`v#}g,V{.0abcde1k
frmo=0ab[cty]de1%d#
^ 8>G{E#}g,mo= [^ab] k}0a1r0b1V{T
bDNbV{%d#
TB>}{vK4PEC=bi/D/, URL Dm%:
http://<server-name>/home-bank/owa/acct.bal?acc=<account-number>
m>K/, URL DTs+T>gB:
http://<server-name>/home-bank/owa/acct.bal?acc=*
P8liK>}PD/, URL,|T>KhvDX(JE#home-bank&J'acDTsT>,IZCu?(acc=*)Dns?V9C%dy
PV{DGE(d{, ACL mI(JCZNNJ'#
B<{vK3d=X(\#$TsDX(/, URL Dj{=8:
*/, URL |B WebSEAL9C dynurl update |nI9C dynurl.conf dCD~P("Du?
|B WebSEAL \#$TsUd#
1. 4("`-r>} dynurl.conf dCD~PD/, URL u?#
2. xP|D.s,9C dynurl update |n|B~qw:
pdadmin> server task webseald-<server-name> dynurl update
server-name Td?m> WebSEAL zwD4^(Dwz{#
bvTsUdPD/, URLbv/, URL A;vTs!vZ dynurl.conf dCD~Pu?D3r#
Z"T+/, URL 3d=Tsu?1,+S%AW(h dynurl.conf D
~PD3dPm,1=R=Z;v%d#=*9#ZR=Z;v%dD
#=s,+9C`&DTsu?xP.sDZ(li#
< 38. /, URL OZ(
g{R;=%dD#=,WebSEAL M9C URL >m,u%76D
http://<server> ?V#
k#Vkn\^FD ACL T&D3d&ZPmDOK#}g,g{z[
)%&CLrD book.sales }L+;^FZ;vi/cV?i,+z[
)%&CLrD#`?VITI+?C'CJ,r3d&4BmPT>
DNrEP:
TsUdu? URL #e
/ows/sales/bksale /ows/db-apps/owa/book.sales*
/ows/sales/general /ows/db-apps/owa/*
k"b,g{3du?&Zfr3r,/ows/db-apps/owa ?<Pf"D
+?}L<+3d* /ows/sales/general Ts#IZKmsDTsUd
bv,I\a<B2+T%f#
1+ URL }rmo=3d*TsUdu?1,URL &ICS GET =
(zzDq= * ^[}Z9C POST 9G GET =(#
Z}]+dD GET =(P,/,}](}g3vC'Zm%Pa)D}
])+=S= URL#
Z}]+dD POST =(P,ksDwePM|(K/,}]#
ACL @@
;)/, URL Qbv*TsUdu?,r+9Cj< ACL LP#M7
(Gq&&mr{9ks(IZX(;c)#
T POST ksdC^F
POST ksDZ]|,ZksweP#mb,POST ks9|,/@w(
eDZ]$H,"PvVZ5#
post-max-read
webseald.conf dCD~D [server] ZPD post-max-read N}^F
s POST ksZ WebSEAL OD0l,|G(}+*AkDVZ\?8
(*4T POST ksweDZ]4^FD#WebSEAL AkDZ]+\
=(^li,g>Z0Dyv#
1 POST ksCZ/, URL &mrq=O$1,*<G
post-max-read N}5#1!5* 4096 VZ:
[server]
post-max-read = 4096
k"bKN}";^Fns POST Z]s!(|G;\^FD)#KN}
#$ WebSEAL,9.\b&ms!;OmD POST ks#
dynurl-allow-large-posts
!\ post-max-read N}^FK WebSEAL AM&mD POST Z]?,
+G|";j+@9ks+]=&CLr~qw#ZK=8P,4i$
DZ]++]=&CLr~qw#g{&CLr~qwTm;PZ(\
&,rKivI\a<B2+TgU#
dynurl-allow-large-posts N}JmzXF WebSEAL &m POST ks
(b)ksDZ]$HsZ post-max-read 8(D$H)D=(#g{
N}5hC*0no1(1!5),r WebSEAL +j+\xZ]$Hs
Z post-max-read 8($HDNN POST ks#
[server]
dynurl-allow-large-posts = no
gNN}5hC*0yes1,r WebSEAL +S\{v POST ks,+G
vi$k post-max-read 5`HDZ]?#
[server]
dynurl-allow-large-posts = yes
>} 1:
¶ SU=s POST ks(sZ post-max-read D5)#
¶ dynurl-allow-large-posts = no
¶ QtC/, URL#
¶ a{:{9ms{"#
>} 2:
¶ SU=s POST ks(sZ post-max-read D5)#
¶ dynurl-allow-large-posts = yes
¶ QtC/, URL#
¶ a{:WebSEAL +3d post-max-read 58(Dn`Z]?=T
sUdu?,"yZCTs4P(^li##BDZ]";3d=
TsUdu?,R;4PkKTs`X*D(^li#
¶ TB#e|,K}ps POST kssCD#=%dEPD`M:
/rtpi153/webapp/examples/HitCount\?*action=reset*
\aM<u"M\a:
¶ *dC WebSEAL T2+X&m/, URL,k4(TBD~:
/opt/PolicyDirector/www/lib/dynurl.conf
¶ D~Xk|,;Pr`PTBq=DZ]:
<object> <template>
¶ g{D~;fZ,r*U,r+;tC/, URL &\#
¶ D~&ms,Ts{F+w*SJ4Z WebSEAL TsUdPvV#
¶ #eI|,j<#=%dV{DS/##e2ITG;P#=%d
V{D-V{.#
TBy> dynurl.conf D~(eK}vTs,|Gm>w* IBM
WebSphere z7D;?VD;)y> Web &CLr:
Tsu? URL #e
/app_showconfig /rtpi153/webapp/examples/ShowConfig*
/app_snoop /rtpi153/servlet/snoop
/app_snoop /rtpi025/servlet/snoop
/app_hitcount/ejb /rtpi153/webapp/examples/HitCount\?source=EJB
/app_hitcount /rtpi153/webapp/examples/HitCount*
<u"M:
¶ I+`v URL #e3d=,;Ts(}g,app_snoop 3d=v;
,~qwOD URL)#
¶ TsI6W(}g app_hitcount M app_hitcount/ejb)#
¶ xk URL ks+4US%?=W?D3r,k#exPHO#g{
R=%d,r&m#9#rK,k+^FTO?D#eEZD~%
?#
¶ *$n dynurl.conf D~PD(e,I"v dynurl update |n
(9C pdadmin server task)#
+"4"z|B;Z"B\#$TsUdS<1,Web Portal Manager
P+vVb)Ts#
¶ Ts{Pk\b9Cs4V{#v9C!4V{#
¶ k;*9C\#$TsUdPQ-fZDTs{#
¶ Z>} dynurl.conf D~PDTs.0,k}%=SACTsDNN
ACL#
/, URL >}:Travel KingdomTB>}{vKs5Z?xgN#$I0Oracle Web l}w1zID
URL#
>>}P9CD/, URL Web ~qwG0Oracle Web l}w1#K<
u,yIT&CZd| URL Web ~qw#
&CLrTravel Kingdom G;vi/,|(}rXxrM'za)CN$)~q#
b;5qrcZ Web ~qwOYw=v Oracle }]b&CLr * I
S+>@p=Z?M(}rXxxPCJ#
1. CN$)53
qZ(DKMITxP6L$),"i/{GD10$)#Travel
Kingdom $wK1IT*g0KMxP$)"&md|M4Pm`d
|Bq#IZb?KMCEC('6~q,CE"D+dXk\O
q#$#
2. \m\mw
kd|s`}+>`F,Travel Kingdom ,$D\m}]b|,=
."0;MDzE"#K}]9xP?v+>I1DU,#
SZdC0Oracle Web ~qw1a)T}]bPTBf"}LDCJ(:
/db-apps/owa/tr.browse 3hyPC'i/XZCN?DX"[qH
HD\&#
/db-apps/owa/tr.book CZxP$)(CNzmK1rqO$DK
M)#
/db-apps/owa/tr.change CZ4ir_|D10$)#
/db-apps/owa/admin.browse CZCNN$wK1i4G^FDK1E
",}g)9E,gSJ~X7MU,#
/db-apps/owa/admin.resume 3h$wK1i4r|D\m}]bP{G
T:DrzE"D\&#
/db-apps/owa/admin.update I\mK1CZ|BPX$wK1DE"#
Web Uda9
WebSEAL ~qwCZ* Travel Kingdom D3; Web Uda)2+S
Z#
¶ ("KT,1KPCN$)&CLrM\m&CLrD0Oracle Web
~qw1D*a(/ows)#
2+T_T*Kr Web J4a)J1D2+T,,1#tWZ9CD53,C5q
Q-("KTB2+T?j:
1. CNzmK1TyP$)_Pj+XF(#
2. qO$DKMIT4(M|D{GT:D$),+;\I$d|q
O$KMDCN}]#
3. \m$wK1TyP\mE"_Pj+CJ(#
4. }\m?ETbDd| Travel Kingdom $wK1<IT|D{GT
:DrzE","i4d|$wK1D?VE"#
TsUd3dD/, URL*jIOv2+T?j,h*dCS/, URL = ACL Tsu?D3
d,gBmy>#
kG!,Tb)3dxPErG5V0f2=D2+T?jDX*?
V#
TsUdu? URL #=
/ows/tr/browse /ows/db-apps/owa/tr.browse\?dest=*&date=??/??/????
/ows/tr/auth /ows/db-apps/owa/tr.book\?dest=*&depart=??/??/????&return=??/??/????
/ows/tr/auth /ows/db-apps/owa/tr.change
/ows/admin/forall /ows/db-apps/owa/admin.resume
/ows/admin/forall /ows/db-apps/owa/admin.browse\?empid=[th]???
/ows/admin/auth /ows/db-apps/owa/admin.update\?empid=????
2+M'zM'z(}2+"S\D(@T WebSEAL xPO$#
k*9C Web SZDKM9Xkr Travel Kingdom Web \m1"a,
TSUJ'#
J'Mia9
Z53O4( 4 vi:
Staff Travel Kingdom i/DI1#
TKStaff Travel Kingdom CNzmK#
AdminStaff Travel Kingdom \m?EDK1#k"b\m$wK1
2Z Staff iP#
Customer k*(}rXxxPCN$)D Travel Kingdom DK
M#
r?vC'3h2+rPD;vJ',byMII WebSEAL ~qw%
@j6#C'm]2++]=0Oracle Web ~qw1,Ta)+? Web
J4D%;"abv=8#
CJXF
BmPvK&C0fDE"szzDCJXF:
/ows/tr/browse 4O$ Tr +O$ Tr
/ows/tr/auth 4O$ - +O$ - i TKStaff Tr i
Customer PTr
/ows/admin/forall 4O$ - +O$ - i Staff Tr
/ows/admin/auth 4O$ - +O$ - i AdminStaff Tr
}KKMXkTE"S\(#\TmI()Tb,KMM TKStaff T$)
MCNF.,$Ts_P`,DX(,SxZ(};IEDrXxa;
tP}](}gEC(E")13hKMx;=D2+T#
a[Kr%>}{vK?p_PTB\&D53DEn:
¶ #$tPE"
¶ O$C'
¶ Z(CJtPE"
mb,WebSEAL ~qwM Oracle Web ~qw<*@53DqO$C'
Dm],Rb)m]ICZa)IsF"%;"abv=8#
webseald.conf N<
webseald.conf dCD~
`pMZ:
¶ WEBSEAL GENERAL
[server]
¶ LDAP
[ldap]
¶ SSL
[ssl]
¶ JUNCTION
[junction]
[filter-url]
[filter-schemes]
[script-filtering]
[gso-cache]
[ltpa-cache]
¶ AUTHENTICATION
[ba]
[forms]
[token]
[certificate]
[http-headers]
[auth-headers]
[ipaddr]
[authentication-levels]
[mpa]
[cdsso]
[cdsso-peers]
[failover]
[e-community-sso]
[inter-domain-keys]
[authentication-mechanisms]
[ssl-qop]
[ssl-qop-mgmt-hosts]
[ssl-qop-mgmt-networks]
[ssl-qop-mgmt-default]
¶ SESSION
[session]
¶ CONTENT
[content]
[acnt-mgt]
[cgi]
[cgi-types]
[cgi-environment-variables]
[content-index-icons]
[icons]
[content-cache]
[content-mime-types]
[content-encodings]
¶ LOGGING
[logging]
¶ AUTHORIZATION API
[aznapi-configuration]
[aznapi-entitlement-services]
¶ POLICY DIRECTOR
[policy-director]
[manager]
WEBSEAL GENERAL
N} hv
[server] Z
SYSTEM
unix-user WebSEAL ~qwD UNIX C'J'#
unix-group WebSEAL ~qwD UNIX iJ'#
unix-pid-file PID D~D;C#
server-root WebSEAL ~qwDy?<#
server-name WebSEAL ~qw5}{F#
THREADS AND CONNECTIONS
worker-threads WebSEAL $wLr_LD}?#
client-connect-timeout u<M'z,S,1#
persistent-con-timeout HTTP/1.1 VC,S,1#
HTTPS CLIENT
https Jm HTTPS CJ#
https-port CZ2+ HTTPS ksDKZ#
HTTP CLIENT
http JmG2+ HTTP(TCP)CJ#
http-port CZG2+ HTTP ksDKZ#
POST REQUESTS
post-max-read *S POST ksweAk(w*Z])Dns
VZ}#
DYNURL
dynurl-map URL *\#$Ts3dD~D;C#
dynurl-allow-large-posts + WebSEAL \;A!D POST ks}^F
Z post-max-read 8(D}?.Z#
URI HANDLING
utf8-url-support-enabled
LDAP
N} hv
[ldap] Z
ldap-server-config ldap.conf dCD~D;C(ZdCZdh
C)#
cache-enabled tCM{C>X LDAP _Y:f#
prefer-readwrite-server Jm!qI4D LDAP ~qw(IC1)#
auth-using-compare Jm9CHO\kYwx;G LDAP s(4
xP|lDO$li#
default-policy-override-support li1!_TrX(ZC'D_T#
user-and-group-in-same-suffix QwT\#m>ikC'GC`,D LDAP
s:(eD#
ssl-enabled * WebSEAL A LDAP (EtCM{C
SSL#
ssl-keyfile SSL \?D~D;C#
ssl-keyfile-dn SSL \?D~PD$ij)(g{P)#
ssl-keyfile-pwd SSL \?D~\k#
bind-dn WebSEAL X$LrD(P{F(ZdCZd
hC)#
bind-pwd WebSEAL X$LrD\k(ZdCZdh
C)#
enabled
host
port
SSL
N} hv
[ssl] Z
webseal-cert-keyfile 3v\?D~D;C,CD~|, WebSEAL
-L SSL a01"M=/@wD~qw$
i#
webseal-cert-keyfile-pwd WebSEAL $i(C\?\k#
webseal-cert-keyfile-stash WebSEAL (C\?\kf"D~D;C#
webseal-cert-keyfile-label *9CD WebSEAL $iG1!{F#
ssl-keyfile CZZ?(ED WebSEAL $i\?D~D;
C#
ssl-keyfile-pwd WebSEAL $i(C\?\k(CZZ?(
E)#
ssl-keyfile-stash WebSEAL (C\?\kf"D~D;C(C
ZZ?(E)#
ssl-keyfile-label *9CD$iG1!{F(CZZ?(E)#
disable-ssl-v2 !qTX{C SSL V2 'V#
disable-ssl-v3 !qTX{C SSL V3 'V#
disable-tls-v1 !qTX{C TLS V1 'V#
ssl-v2-timeout SSL V2 ,SD GSKit _Y:fa0j6,
1#
ssl-v3-timeout SSL V3 ,SD GSKit _Y:fa0j6,
1#
ssl-max-entries GSKit SSL a0j6_Y:fPDns""u
?}#
ssl-ldap-server CZ CRL liD LDAP ~qw#
ssl-ldap-server-port K LDAP ~qw*xP CRL lixl}1y
ZDKZE#
ssl-ldap-user LDAP ~qwD\mC'#
ssl-ldap-user-password LDAP ~qwD\mC'D\k#
ssl-auto-refresh
ssl-listening-port
ssl-pwd-life
ssl-authn-type
JUNCTION
N} hv
[junction] Z
junction-db *a}]bD;C#
jmt-map *a * ks3dm(JMT)D;C#
http-timeout ryZ TCP D*a"MMSC*aA!1
yCD,1#
https-timeout ryZ SSL D*a"MMSC*aA!1
yCD,1#
ping-time WebSEAL * Q*a~qw ping }LD1
ddt#
basicauth-dummy-passwd (}0-b supply1*aa)y>O$}]1
D+V\k#
worker-thread-hard-limit *X(*a&mksD$wLr_L\}
DYVH#
worker-thread-soft-limit *X(*a&mksD$wLr_L\}
DYVH#
io-buffer-size S*aA!M4k*ayCD:exs
!#
DOCUMENT FILTERING
[filter-url] Z
<tag> = <attribute> WebSEAL ZQ*a~qwDl&P}KD
URL tT#
[filter-schemes] Z
scheme = <scheme-name> WebSEAL ZQ*a~qwDl&P}KD
URL #=DPm#
[script-filtering] Z
script-filter tCM{CT*aD~qwOE>DxT
URL D}K#
GSO CACHE
[gso-cache] Z
gso-cache-enabled tCM{C GSO _Y:f#
gso-cache-size GSO _Y:fPDu?}#
gso-cache-entry-lifetime GSO _Y:fu?Dn$P'Z#
gso-cache-entry-idle-timeout Gn/ GSO _Y:fu?Dn$P'Z#
LTPA CACHE
[ltpa-cache] Z
ltpa-cache-enabled tCM{C LTPA _Y:f#
ltpa-cache-size LTPA _Y:fPDu?}#
ltpa-cache-entry-lifetime LTPA _Y:fu?Dn$P'Z#
ltpa-cache-entry-idle-timeout Gn/ LTPA _Y:fu?Dn$P'
Z#
AUTHENTICATION
N} hv
BASIC AUTHENTICATION
[ba] Z
ba-auth tCM{Cy>O$zF#
basic-auth-realm Z/@w BA G<a>{PT>Dr{F#
FORMS
[forms] Z
forms-auth tCM{C9Cm%O$#
TOKEN
[token] Z
token-auth tCM{C9CjG(PzkO$#
CERTIFICATE
[certificate] Z
accept-client-certs dC WebSEAL M'zK$i&m#
HTTP HEADERS
[http-headers] Z
http-headers-auth tCM{C9C HTTP 7O$#
[auth-headers] Z
header CZO$DX( HTTP 7#
IP ADDRESS
[ipaddr] Z
ipaddr-auth tCM{C9C IP X7E"O$#
STEP UP
[authentication-levels] Z
level = unauthenticated
level = password
]}O$dC#
MULTIPLEXING PROXY AGENTS
[mpa] Z
mpa tCM{CT(}`74C/PzmxPO
$D'V#
CDSSO
[cdsso] Z
cdsso-auth tCM{C9C CDSSO jGO$#
authtoken-lifetime CDSSO O$jGDnsP'Z5#
[cdsso-peers] Z
<machine-name> =<keyfile-location>
Nh CDSSO DTHr#
FAILOVER
[failover] Z
failover-auth tCM{CS\JO*F cookie#
failover-cookies-keyfile I cdsso_key_gen zID cookie S\\?
D;C(xT76{)#
failover-cookie-lifetime JO*F cookie Z]P'D1d^F#
enable-failover-cookie-for-domain
+JO*F cookie `MSX(Z~qwD
cookie |D*X(ZrD cookie#
e-COMMUNITY SSO
[e-community-sso] Z
e-community-sso-auth tCM{CgSgx SSO#
e-community-name vVZ0$51jGMksPDgSgx{
F#
intra-domain-key CZ#$ DNS rP WebSEAL 5}.d(E
D\?D~D;C#
is-master-authn-server +>Xzw8(*w WebSEAL O$~qw#
master-authn-server w WebSEAL O$~qw(g{;G>Xz
w)D{F#
master-http-port wO$~qwl}1yZDGj< HTTP K
Z#
master-https-port wO$~qwl}1yZDGj< HTTPS K
Z#
vf-token-lifetime 0$51jGP'Z5#
vf-url 0$51URL#
ec-cookie-lifetime gSgx cookie P'Z5#
[inter-domain-keys] Z
<domain-name> = <keyfile> NkgSgxDd|rD\?D~#
AUTHENTICATION MECHANISMS AND LIBRARIES
[authentication-mechanisms] Z
passwd-cdas passwd-ldap passwd-uraf token-cdas cert-ssl cert-cdas http-request cdsso passwd-strength cred-ext-attrs
\'VDO$zFMX*D2mbDPm#
SSL QUALITY OF PROTECTION MANAGEMENT
[ssl-qop] Z
ssl-qop-mgmt tCM{C#$6p\m#
[ssl-qop-mgmt-hosts] Z
<ip-address> %@wzD QOP S\6p#
[ssl-qop-mgmt-networks] Z
<ip-address/mask> %@xgD QOP S\6p#
[ssl-qop-mgmt-default] Z
default yPd|;%dD IP X7D1! QOP S\
6p#
SESSION
N} hv
[session] Z
max-entries WebSEAL >$/a0_Y:fPDns""
u?}#
timeout WebSEAL >$/a0_Y:fPu?Dn$
P'Z#
inactive-timeout WebSEAL >$_Y:fPGn/u?DP'
Z#
SSL CLIENT SESSIONS
ssl-id-sessions 9C SSL j6,$ HTTPS G<a0#
SHARING SESSIONS
use-same-session TZ HTTP M HTTPS .dP;DM'z9C
`,Da0j6#
SENDING SESSION COOKIES
resend-webseal-cookies Z?Nl&M'z1"MNbQdCa0M
JO*F cookie#
CONTENT
N} hv
[content] Z
LOCAL DIRECTORIES AND FILES
doc-root Web D5wDy?<#
directory-index ?<w}D~D{F#
delete-trash-dir \m1>}DD~DY1,xd?<#
LOCAL USER DIRECTORIES
user-dir ?<G|,+2 HTML D5DC'w?<
w#
ERROR PAGES
error-dir |, WebSEAL mshvD~D?<#
ACCOUNT MANAGEMENT PAGES
[acnt-mgt] Z
mgt-pages-root J'\m3fDy?<#
login j<G<m%D{F#
logout I&"zsT>D3f{F#
account-locked O$rx(DJ'x'\1T>D3fD{
F#
passwd-expired O$r''\kx'\1T>D3fD{
F#
passwd-change |DD\km%D{F#
passwd-change-success \k|DksI&1T>D3fD{F#
passwd-change-failure \k|Dks'\1T>D3fD{F#
help |,P'\m3fD4SD3fD{F#
token-login jGG<m%D{F#
next-token B;vjGm%D{F#
stepup-login ]}O$G<m%D{F#
LOCAL CGI
[cgi] Z
cgi-timeout 4kS CGI xLMSS CGI xLA!1yC
D,15#
[cgi-types] Z
bat = cmd
cmd = cmd
pl = perl
sh = sh
tcl = tclsh76
8((T Win32 ~qw)TXb CGI D~)
9{4PDLr#
[cgi-environment-variables] Z
ENV +I CGI LrLPD73d?#
ICONS
[content-index-icons] Z
image/* video/* audio/* text/html text/* application/x-tar application/*
8(?<w}I WebSEAL zI1(1;P
index.html 1"zbViv)*9CD<N<
j#
[icons] Z
diricon CZS?<D<j#
backicon CZ8?<D<j#
unknownicon CZ4*D~`MD<j#
DOCUMENT CACHING
[content-cache] Z
text/html image/* */* (e WebSEAL f"ZZfPDX(D5
MIME `MD_Y:f`MMs!#
MIME TYPES
[content-mime-types] Z
<extension> = <type> (eX(D5)9{D MIME `M#
deftype D5`M4Z3dmPPv1*9CD1!
MIME `M#
CONTENT ENCODINGS
[content-encodings] Z
gz Z +D5)9{3d*'VZ]`kD/@w
D;V`k`M#
LOGGING
N} hv
[logging] Z
server-log ~qwmsU>D~D;C#
max-size HTTP U>DU>D~*fP5#
flush-time HTTP U>D~:exD"B5J#
requests tCM{C HTTP ksU>#
requests-file HTTP ksU>D;C#
referers tCM{C HTTP N<E"U>#
referers-file HTTP N<E"U>D;C#
agents tCM{C HTTP zmU>#
agents-file HTTP zmU>D;C#
gmt-time T GMT 1dx;G>X1xG<ks#
AUTHORIZATION API
N} hv
[aznapi-configuration] Z
db-file >XM'zD_T}]b_Y:fD~D;
C#
cache-refresh-interval (e|B(V/)wZ(~qwDli1d
dt#
listen-flags tCM{CSU_T_Y:f|B(*Dj
>#
tcp-port l}wD TCP KZ#
udp-port l}wD UDP KZ#
AUTHORIZATION API LOGGING
logclientid=webseald
logsize \msFU>DU>D~*fP5#
logflush \msFU>D~:exD"B5J#
logaudit tCM{CsF#
auditlog sFU>D;C#
auditcfg = azn 6qZ(B~#
auditcfg = authn 6qO$B~#
auditcfg = wand 6q WebSEAL B~#
AZNAPI SERVICE DEFINITIONS
<service-id>
mode
azn-server-name
pd-user-name
[aznapi-entitlement-services] Z
AZN_ENT_EXT_ATTR
POLICY DIRECTOR
N} hv
[policy-director] Z
config-file pd.conf dCD~D;C#
[manager] Z
master-host
master-port
master-dn
WebSEAL *aN<
pdadmin 5CLra);%=|nPa>{,ITSCa>{4P
WebSEAL *aNq#
wbw}:
¶ :9C0pdadmin server task14(*a;
¶ Z2113D:*a|n;
¶ Z2123D:*u<~qw4(B*a;
¶ Z2143D:+=S~qwmS=VPD*a;
9C0pdadmin server task14(*a
Z9C pdadmin 0,zXkw* sec_master \mC'G<=2+r#
}g:
UNIX:
# pdadmin
pdadmin> login
Enter User ID: sec_master
Enter Password:
pdadmin>
Windows:
MSDOS> pdadmin
pdadmin> login
Enter User ID: sec_master
Enter Password:
pdadmin>
r_,9C_PTB!nD%|nPqC`,a{:
# pdadmin -a sec_master -p <password>
pdadmin>
*4( WebSEAL *a,k9C pdadmin server task |n:
pdadmin> server task <server-name> <task>
server-name Td?G5Jzw{FMC|n9CD Policy Director i~
(}g WebSEAL)Dj+mo=#
<policy-director-component>-<machine-name>
}g,g{zw{F* cruz R Policy Director i~* WebSEAL,r
server-name *:
webseald-cruz
9C server list |ni$ server-name mo=:
pdadmin> server list
webseald-cruz
4(y> WebSEAL *aDXh|n!n|(:
¶ sK&CLr~qwDwz{(–h !n)
¶ *a`M * tcp"ssl"tcpproxy"sslproxy M local(–t !n)
¶ *ac(20c)
pdadmin> server task <server-name> create –t <type> –h <host-name> <jct-point>
*a|n
TB*a|nT pdadmin server task IC:
|n hv
create *u<~qw4(B*a#
add +=S~qwmS=VPD*ac#
remove S*ac}%~qw#
o(:remove –i <server-id> <junction-point>
9C show |nI7(Xb~qwDj6#
delete }%*ac#
o(:delete <junction-point>
list PvK~qwODyP*ac#
o(:list
show T>*aDj8E"#
o(:show <junction-point>
jmt load jmt clear jmt load |n* WebSEAL a)*a3dm}]
(jmt.conf),IXF&m/,zID~qw`T
URL#
jmt clear |nrS WebSEAL }%*a3dm}]#
help Pv*a|n#
o(:help
help <command> T>XZX(*a|nDj8oz#
exit Kv pdadmin 5CLr#
o(:exit
b)|n0X*D!n+ZTBwZP[v#
*u<~qw4(B*a
Yw:4(B*ac,"*au<~qw#
o(:
create –t <type> –h <host-name> [<options>] <junction-point>
*a`M
–t <type> ** Xh **
*a`M#tcp"ssl"tcpproxy"sslproxy"local .;#
–t tcp D1!KZ* 80#–t ssl D1!KZ*
443#
wz{
–h <host-name> ** Xh **
?jsK~qwD DNS wz{r IP X7#
!n
(} SSL D`%O$
–K <key-label> WebSEAL 9CM'z$iTsK~qwxPO
$#
–B WebSEAL 9C BA 7E"TsK~qwxP
O$#*s –U"–W M –b filter !n#
–U <“username”> WebSEAL C'{#k –B ;p9CI+ BA
7E""M=sK~qw#
–W <“password”> WebSEAL \k#k –B ;p9CI+ BA 7
E""M=sK~qw#
–D <“DN”> 8( s K ~ q w$iD ( P { F
(Distinguished Name)#K5k5JD$i DN
`%d,v?KO$#
zm*a!n(h* –t tcpproxy r –t sslproxy)
–H <host-name> zm~qwD DNS wz{r IP X7#
–P <port> zm~qwD TCP KZ#
a) BA 7E"
–b <BA-value> (e WebSEAL ~qwgN+ HTTP BA O$
E"+]=sK~qw#*BP5.;:
filter(1!)"ignore"supply"gso
#C TCP M SSL *a!n
–c <id-types> + Policy Director M'zm]ek{v HTTP
7PD HTTP 7#id-types Td?I|,TB
Policy Director HTTP 7`MDNbiO:
iv-user"iv-user-l"iv-groups"iv-creds M all#
–i WebSEAL ~qw&m URL 1G;xVs!4
D#
–j a) cookie PD*aj6,&mE>zID~
qw`T URL#
–k "Ma0 cookie AsKE'x>~qw#
–p <port> sKZ}=~qwD TCP KZ#TZ TCP *
a,1!5* 80;TZ SSL *a,1!5*
443#
–q <url> query_contents E>D`T URL#Policy
Director Z /cgi_bin/ PiR query_contents#
g{K?<;,r query_contents D~QX
|{,9CK!nIr WebSEAL 8>D~D
B URL#
–r +dkD IP X7ek{v*aPD HTTP
7#
–s 8(*a&'V4,#f&CLr#1!iv
B,*a;G4,#fD#
–T <resource/resource-group>
GSO J4rJ4iD{F#T –b gso !nG
XhD,2;k -b gso !n;p9C#
–u <UUID> 8((}4,#fac(–s)k WebSEAL ,
SDsK~qwD UUID#
–v <virt-host-name> sK~qwOyzmDibwz{#K!n'
VsK~qwODibwzhC#
1sK*a~qwh*wz{D71,k9C
–v,r*b1z}Z*aC~qwD;vib
5}#/@wD1! HTTP 7ks";*@s
K~qw_P`v{FM`vib~qw#X
kdC WebSEAL ZTsK~qw(QhC*
ibwz)*?DXDksPa)nbD7E
"#
–w Win32 D~53'V#
LTPA *a
–A tCM{C LTPA *a#
–F <“keyfile”> C4S\ LTPA cookie }]D\?D~D;
C#
–Z <“keyfile-password”>
\?D~D\k
WebSEAL * WebSEAL D SSL *a
–C 0K WebSEAL ~qwksK WebSEAL ~q
w.d(} SSL `%O$#*sP –t ssl r
–t sslproxy `M#
>X*a!n(k –t local ;p9C)
–d <dir> *aD>X?<#** Xh#**
–f ?Ff;VPD*a#
*ac
WebSEAL {FUdP*4(*aD;C#
+=S~qwmS=VPD*a
Yw:+=S~qwmS=VPD*ac#
o(:
add –h <host-name> [<options>] <junction-point>
wz{
–h <host-name> ** Xh **
?jsK~qwD DNS wz{r IP X7#
!n
(} SSL D`%O$
–D <“DN”> 8(sK~qw$iD(P{F#K5k5J
D$i DN `%d,v?KO$#
zm*a!n(ZP –t tcpproxy M –t sslproxy 1GXhD)
–H <host-name> zm~qwD DNS wz{r IP X7#
–P <port> zm~qwD TCP KZ#
#C TCP M SSL *a!n
–i WebSEAL ~qw&m URL 1G;xVs!4
D#
–j a) cookie PD*aj6,&mE>zID~
qw`T URL#
–p <port> sKZ}=~qwD TCP KZ#TZ TCP *
a,1!5* 80;TZ SSL *a,1!5*
443#
–q <url> query_contents E>D`T URL#Policy
Director Z /cgi_bin/ PiR query_contents#
g{K?<;,r query_contents D~QX
|{,9CK!nIr WebSEAL 8>D~D
B URL#
–u <UUID> 8((}4,#fac(–s)k WebSEAL ,
SDsK~qwD UUID#
–v <virt-host-name> sK~qwOyzmDibwz{#K!n'
VsK~qwODibwzhC#
1sK*a~qwh*wz{D71,k9C
–v,r*b1z}Z*aC~qwD;vib
5}#/@wD1! HTTP 7ks";*@s
K~qw_P`v{FM`vib~qw#X
kdC WebSEAL ZTsK~qw(QhC*
ibwz)*?DXDksPa)nbD7E
"#
–w Win32 D~53'V#
*ac
+~qwmS=KVPD*ac#
9C iKeyman \m$i
iKeyman 5CLrG;V$_,IC4\m}V$i#9C iKeyman,
IT4(B\?}]b"BbT}V$i,+ CA root mS=}]b,
+$iS;v}]b4F=m;v}]b,r CA ksMSU}V$i,
hC1!\?M|D\k#
iKeyman 5CLrG Policy Director a)D Global Security
Kit(GSKit)m~|D?~#
wbw}:
¶ Z2183D:t/ iKeyman 5CLr;
¶ Z2193D:r*1! WebSEAL \?}]b;
¶ Z2213D:4(B\?}]b;
¶ Z2233D:4(BT)}V$i;
¶ Z2253D:mSBy CA $i;
¶ Z2253D:>}y CA $i;
¶ Z2263D:Z}]bd4F$i;
¶ Z2303D:ks~qw$i;
¶ Z2313D:SU}V$i;
¶ Z2323D:>}}V$i;
¶ Z2323D:8(B1!$i;
¶ Z2333D:|D}]b\k;
t/ iKeyman 5CLr
SYw53|nPa>{t/ iKeyman 5CLr:
Windows:
MSDOS> /Program Files/IBM/gsk4/bin/gsk4ikm.exe
UNIX:
# /usr/bin/gsk4ikm
vV0IBM \?\m10Z#
< 39. 0IBM \?\m10Z
r*1! WebSEAL \?}]b
\?}]b|,~qwMM'zK$i0 WebSEAL &myZ$iDO
$yhDy CA $i#
201,WebSEAL a)1!$i\?}]b(pdsrv.kdb)#\?D~|
,1! WebSEAL $i(\?j) = Policy Director)MI)!qD+
2y CA $i#
*r*1! WebSEAL \?}]b,kq-b)=h:
1. S0IBM \?\m10Z,Z0\?}]bD~1K%!q0r*1#
2. S0r*1/@0Z,/@TB?<:
UNIX: /opt/PolicyDirector/lib/certs
Windows: C:\Program Files\Tivoli\Policy Director\lib\certs
3. !q:
pdsrv.kdb
4. %w0r*1#
vV0\ka>1T0r#
5. dk1! WebSEAL \k:
pdsrv
6. %w07(1#
}]bE"2k\m0Z#
k"b0vK$i10ZPvV1! WebSEAL $i#$iD\?j)
G “Policy Director”#Kj)s`vVGErj>C$i*1!$i#
kNDZ2203D<40#
+$i!nB-K%S0vK$i1|D*0){_$i1#vV+2
yO$PD(CA)$iDPm#
kNDZ2203D<41#
< 40. 1! WebSEAL pdsrv.kdb \?D~:WebSEAL $i
< 41. 1! WebSEAL pdsrv.kdb \?D~:){_$i
4(B\?}]b
\?}]b|,~qwMM'zK$i0 WebSEAL &myZ$iDO
$yhDy CA $i#
201,WebSEAL a)1!$i\?}]b(pdsrv.kdb)#\?D~|
,1! WebSEAL $i(\?j) = Policy Director)MI)!qD+
2y CA $i#
ITLx9CK1!\?}]b,r_4(B}]b#g{4(B}]
b"#{ WebSEAL +C}]bw*1!}]b9C,rXk(*
WebSEAL,bI(}dC secmgrd.conf D~PD ssl-keyfile N}4
xP#kNDZ373D:dC WebSEAL D\?}]bN};#
*4(B\?}]bD~,kq-b)=h:
1. S0IBM \?\m10Z,Z0\?}]bD~1K%!q0B
(1#
vV0B(1T0r#
2. Z0\?}]b`M1VN!q0CMS \?}]bD~1#
3. dk0D~{1,}g key.kdb#
4. S\0;C1VND1!5,rdkCVNDB5,r9C0/
@14%!qB5#
< 42. 0B(1T0r
5. %w07(1#
vV0\ka>10Z#
6. Z0\k1VNdk\k,"Z07O\k1VNPYNdkC\
k#
7. (I!)!P0hC''1d14!r,"dkJ1D5#
8. (I!)!P0+\kf"=D~14!r#
f"D~|,TB)9{:.sth
Xkr WebSEAL (*bvBf"D~,bI(}dC
secmgrd.conf dCD~PD ssl-keyfile-stash N}4xP#
kNDZ373D:dC WebSEAL D\?}]bN};#
9. %w07(1#
vV07O10Z,C0Zi$zGqQ-4(B\?}]b#
10. %w07(1#
zQ-I&4(B\?}]b#XBvV0IBM \?\m10Z#
VZD0IBM \?\m10Z43KzDB\?D~{,"T>){_
$i#
TB){_}V$iGI iKeyman a)D:
¶ RSA Secure Server CA
¶ Thawte Personal Premium CA
¶ Thawte Personal Freemail CA
¶ Thawte Personal Basic CA
¶ Thawte Premium Server CA
¶ Thawte Server CA
¶ VeriSign Class 1 Public Primary CA
¶ VeriSign Class 2 Public Primary CA
¶ VeriSign Class 3 Public Primary CA
¶ VeriSign Test CA Root Certificate
b)){_}V$iGQ("DO$PD(CA)Dy$i#WebSEAL 9
Cb)y$ii$M'zK$i#
g{h*9C4ZKPmPvVD){_$i,rXkr CA ksC$
i,"+dmS=\?}]b#
kNDZ2253D:mSBy CA $i;#
":VeriSign Test CA Root Certificate GIEHOMD CA,+d|(
ZZG*KCZbT#&Z+\?}]b`Ekzz&CLr.0
}%bvy#
B}]b9h*|( CA )pD~qw$i,by WebSEAL MIT+
TmTM'zrd|~qwO$#K$iGf"Z0\m10ZD0v
K$i1?VD#
kNDZ2303D:ks~qw$i;#
kNDZ2313D:SU}V$i;#
4(BT)}V$i
*"zz&CLr1,zI\kZjIz7DbT.sYCf5D}V
$i4P$iO$#9C iKeyman,IT4(CZbTDT)}V$
i#T)}V$iGz"xT:DY1}V$i(TTm* CA)#
":;*"<xPT)}V$iDzz&CLr;;P/@wrM'z
\;6pzD~qwr2+Xk.(E#
201,WebSEAL a)F* “Policy Director” DT)$i#IT+K$
iCZbT,r_IT4(BT)$i#
*4(BDT)}V$i,kq-b)=h:
1. 9C iKeyman r* pdsrv.kdb \?D~,rr*m;v(F\?D
~#
0IBM \?\m10Zjb8T>K!(\?}]bD~D{F,"
8>CD~Qr*MMw#
2. SB-Pm!q0vK$i1#
3. %w0B(T)14%#
vV04(BDT)$i1T0r#
4. dk0\?j)1,}g “test-cert”#
5. dk0+C{F1M0i/1(=_y*Xh),"!q0zR/X
x1#TZd`VN,ITS\1!5,2ITdkr!qB5#
kND<43#
6. %w07(1#
0IBM \?\m10Z0vK$i1VNT>Kz4(DT)}V$
iD{F#
< 43. 4(BDT)$i
mSBy CA $i
WHXkrX( CA ksBy$i,;sEIT*C CA mSK$i#
?v CA <_PKNqD(;}L#XZKE",k*5`&D CA#
r CA ks"U=y$i.s,I+dmS=\?}]b#s`}}V
y$i<9Cq= *.arm(}g cert.arm)#
*+y CA $imS=}]b,kq-b)=h:
1. Z0IBM \?\m10ZP,SB-Pm!q0){_$i1#
2. %w0mS1#
vV0SD~mS CA D$i10Z#
1. S0}]`M1B-K%!q0Base64 `kD ASCII }]1#
2. dky CA $iD0$iD~{1M0;C1,r_%w0/@1!
q{FM;C#
3. %w07(1#
vV0dkj)1T0r#
4. dky CA $iD\?j),}g VeriSign Root CA Certificate,"
%w07(1#
by,0){_$i1VN|,KzUmSDy CA $iDj)#
>}y CA $i
g{;kY'VzD){_$iPmPD3v)"_,rh*>}`&
Dy CA $i#
< 44. 0mS CA D$i1T0r
":>}y CA $i.0,H4(C$iD8]1>,by,TsIT
XB4(`,D CA y$i#
*S}]b>}y CA $i,kq-b)=h:
1. Z0IBM \?\m10ZP,SB-Pm!q0){_$i1#
2. !q(;vT>)*>}Dy CA $i#
3. %w0>}1#
vV07O10Z#
4. %w0G1#
zU>}Dy CA $iDj);YZ0){_$i1VNPvV#
Z}]bd4F$i
hC(CENxgr+T)$iCZbT1,zI\"Vh*+$iS
;v}]b4FMmS=m;v}]b#Z}]b.dF/$iD=(
P 3 V:
¶ +$ii!=D~;SD~mS$i
¶ S}]b1S<k$i
¶ +$i1S<v=}]b
+$ii!=D~;SD~mS$i
*+$iS(4)\?}]bi!=D~,;s+C$imS=(?
j)\?}]b,kq-b)=h:
1. r*041\?}]b#
2. S0IBM \?\m10ZB-K%,!q*<vD$iD`M:0v
K1r0){_1#
3. !q*mS=m;}]bD$i#
4. g{!q0vK1,r%w0i!$i14%#g{!q0){
_1,r%w0i!14%#
vV0+$ii!=D~10Z#
5. S0}]`M1B-K%!q0Base64 `kD ASCII }]1#
}] ` M h * k$iD~Pf " D$iD}] ` M ` % d #
iKeyman $_'V Base64 `kD ASCII D~M~xF DER `k
D$i#
6. dk$iD~{M*f"$iD;C,r_%w0/@1!q{F
M;C#
7. %w07(1#
+$i4=8(DD~#
*+$iSD~mS=?j}]b,kq-b)=h:
1. r*?j\?}]b#
2. !q+*mSD$iD`M:0vK1r0){_1#
3. T0){_1`M$i%w0mS1#T0vK1`M$i%w0S
U1#
4. dkzi!$i19CD0$iD~{1M0;C1#2IT9C
0/@14%#
5. %w07(1#
< 45. +$ii!=D~
< 46. SD~SU$i
6. 07O10Z*s!qK$iGq+w*1!$i#%w0G1r
0q1#
by,$iMmS=?j}]b,"vVZ$iDPmP#
S}]b1S<k$i
*+$iS(4)\?}]b<k=(?j)\?}]b,kq-b)
=h:
1. r*0?j1\?}]b#
2. S0IBM \?\m10ZB-K%,!q*<vD$iD`M:0v
K1r0){_1#
3. %w0<v/<k14%#
T>0<v/<k\?10Z#
4. S0!qYw`M1!q0<k1#
5. S0\?1D~`MB-K%,!q CMS \?}]bD~#
6. dk4\?}]bD0D~{1M0;C1,C}]b|,z*<
kD$i#2IT9C0/@14%#
7. %w07(1#
T>0\ka>10Z#
8. dk\k"%w07(1#
vV0S\?j)Pm!q10Z#
9. !q*<kD$i"%w07(1#
< 47. <v/<k\?
by,C$iMvVZ?j}]bDPmP#
+$i1S<v=}]b
*+$iS(4)\?}]b<v=(?j)\?}]b,kq-b)
=h:
1. r*041\?}]b#
2. S0IBM \?\m10ZB-K%,!q*<vD$iD`M:0v
K1r0){_1#
3. !q(;vT>)*<vD$i#
4. %w0<v/<k14%#
T>0<v/<k\?10Z#
5. S0!qYw`M1!q0<v1#
6. S0\?1D~`MB-K%,!q CMS \?}]bD~#
7. dkz*"M$i1yZD?j\?}]bD0D~{1M0;
C1#2IT9C0/@14%#
":vVXZf;K}]bD~DIE{"#%w0G1#Q<v
D$i+;mS=?j}]b#;a*'NNE"#
8. %w07(1#
T>0\ka>10Z#
9. dk?j}]bD\k"%w07(1#
< 48. <v/<k\?
10. r*?j}]b1,Q<vD$i+vVZ$iDPmP#
ks~qw$i
WebSEAL *s CA )pD$i+dTmO$= SSL M'z#WebSEAL
I\*sP;,D$iI)d|DO$*s9C(}gl&9C
junctioncp –K xP*aD&CLr~qw)#
iKeyman 5CLrJmzI$iks,zIT+Cks"MA`&D
CA#
*zI$iks,kq-b)=h:
1. Z0IBM \?\m10ZP,SB-Pm!q0vK$iks1#
2. %w0B(1#
vV04(BD\?M$iks1T0r#
3. dk$iksD0\?j)1#
4. dk0+C{F1M0i/1,"!q0zR/Xx1#
< 49. 4(BD\?M$iks
TZd`VN,ITS\1!5,2ITdkr!qB5#
5. Z0ZW?,dkD~D{FM;C#2IT9C0/@14%#
6. %w07(1#
vV07O10Z,C0Zi$zGqQ-I&4(B}V$iD
ks#
7. %w07(1#
0vK$iks1VNT>Kz4(DB}V$iksD\?j
)#
8. +D~"M=`&D CA IksB}V$i,r_+CksS CA D
Web >cty=ksm%#
SU}V$i
CA rz"MB)pD}V$i.s,zh*+|mS=\?}]b(S
C}]bzIks)#
*SU}V$i,kq-b)=h:
1. Z0IBM \?\m10ZP,SB-Pm!q0vK$i1#
2. %w0SU1#
vV0SD~SU$i10Z#
3. S0}]`M1B-K%P,!q0Base64 `kD ASCII }]1#
4. dkB}V$iD0$iD~{1M0;C1#2IT9C0/@1
4%#
":g{ CA +$iw*gSJ~{"D;?V"M,rXk+$i
ty=;v@"DD~#
5. %w07(1#
6. vV0dkj)10Z#
7. dkB$iDj)"%w07(1#
by,0vK$i1VNM|,KB}V$iDj)#
>}}V$i
g{;Yh*3v}V$i,rh*+dS}]bP>}#
":>}}V$i.0,k4(8]1>,T8TsXB4(}V$i
19C#
*>}}V$i,kq-b)=h:
1. Z0IBM \?\m10ZP,SB-Pm!q0vK$i1#
2. !q(;vT>)*>}D}V$i"%w0>}1#
vV07O10Z#
3. %w0G1#
!(}V$iDj)+;YvVZ0vK$i1VNP#
8(B1!$i
iKeyman 5CLrJm8(1!}V$i,T) WebSEAL Z\?}]
b|,`v0vK$i1u?19C#(g{zZH}!( CA DY=}
V$i1*<9C&CLrPDT)}V$i(CZbT),r}]b
PI\P`v}V$i#)
U=4T CA DQ)p}V$i.s,ITCT)}V$itZ}]b
P,"*<9C CA "vD}V$i,bIT(}+d8(*1!}V
$i4xP#}V$ij)0fPGE(*)r8>Cu?*1!}V
$i#
SU=DZ;v}V$irw*T)}V$i4(DZ;v}V$i+
T/jG*1!}V$i#?NSU;vB}V$ir4(;vT)}
V$i1,MCz!q+bvB}V$iw*1!}V$i#+z2I
Tf1w7X|D1!}V$i#
*|D1!}V$i,kq-b)=h:
1. Z0IBM \?\m10ZP,SB-Pm!q0vK$i1#
}V$ij)0fPGE(*)r8>Cu?*1!}V$i#
2. !qz*hC*1!}V$iDm;}V$i"%w0i4/`
-1#2IT+wCu?#
T>$iD0\?E"10Z#
3. !P0+C$ihC*1!$i14!r"%w07(1#
by,C$iMT>*1!}V$i,dj)0fPGE(*)#
|D}]b\k
iKeyman $_Jm|D\?}]bD\k#
*|D\?}]b\k,kq-b)=h:
1. r*;v\?}]b#
2. S0\?}]bD~1B-K%P,!q0|D\k1#
vV0|D\k10Z#
3. Z0\k1VNdkB\k,"Z07O\k1VNPYNdkC
\k#
4. !P0hC''1d14!r(g{J1)#
5. !P0+\kf"=D~14!r(g{J1)#
6. %w07(1#
4,8PD{"8>ksQI&jI#
Pz!"
GB84-0408-01