Tivoli SecureWay Policy Director WebSEAL Administration Guide, Version 3.8

publib.boulder.ibm.com/tividd/td/SW_30/GC32-0684-01/zh_CN/PDF/ws-admguide.pdf

Copyright Notice

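© Copyright IBM Corporation 2001. All rights reserved. May only be used pursuant to a Tivoli Systems Software License Agreement, an IBM Software License Agreement, or Addendum for Tivoli Products to IBM Customer or License Agreement. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any computer language, in any form or by any means, electronic, mechanical, magnetic, optical, chemical, manual, or otherwise, without prior written permission of IBM Corporation. IBM Corporation grants you limited permission to make hardcopy or other reproductions of any machine-readable documentation for your own use, provided that each such reproduction shall carry the IBM Corporation copyright notice. No other rights under copyright are granted without prior written permission of IBM Corporation. The document is not intended for production and is furnished "as is" without warranty of any kind. All warranties on this document are hereby disclaimed, including the warranties of merchantability and fitness for a particular purpose.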

U.S. Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corporation.

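Trademarks

IBM, the IBM logo, Tivoli, the Tivoli logo, AIX, Cross-Site, NetView, OS/2, Planet Tivoli, RS/6000, Tivoli Certified, Tivoli Enterprise, Tivoli Enterprise Console, Tivoli Ready, and TME are trademarks or registered trademarks of International Business Machines Corporation or Tivoli Systems Inc. in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.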

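Notices

References in this publication to Tivoli Systems or IBM products, programs, or services do not imply that they will be available in all countries in which Tivoli Systems or IBM operates. Any reference to these products, programs, or services is not intended to imply that only Tivoli Systems or IBM products, programs, or services can be used. Subject to valid intellectual property or other legally protectable rights of Tivoli Systems or IBM, any functionally equivalent product, program, or service can be used instead of the referenced product, program, or service. The evaluation and verification of operation in conjunction with other products, except those expressly designated by Tivoli Systems or IBM, are the responsibility of the user. Tivoli Systems or IBM may have patents or pending patent applications covering subject matter in this document. The furnishing of this document does not give you any license to these patents.

You can send license inquiries, in writing, to the IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, New York 10504-1785, USA.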

Contents

Preface

Who Should Read This Guide

What This Guide Contains

Typeface Conventions

Related Policy Director Documents

Accessing Online Documentation

Ordering Documentation

Providing Feedback about Product Documentation

Contacting Customer Support

Chapter 1. WebSEAL Overview

Protecting Your Web Space with WebSEAL

Identifying Content Types and Levels of Protection

Planning and Implementing the Security Policy

Understanding WebSEAL Authentication

The Goals of Authentication

Understanding Credentials Acquisition

Extended Privilege Attribute Certificate (EPAC)

Understanding WebSEAL Junctions

WebSEAL Junctions and Web Site Scalability

Chapter 2. WebSEAL Server Configuration

General Server Information

Introduction to the webseald.conf Configuration File

Root Directory of the WebSEAL Installation

WebSEAL Server Root Directory

Starting and Stopping WebSEAL

Configuring Communication Parameters

Configuring WebSEAL for HTTP Requests

Configuring WebSEAL for HTTPS Requests

Restricting Connections from Specific SSL Versions

Configuring HTTP and HTTPS Worker Threads

Timeout Parameters for HTTP/HTTPS Communication

Additional WebSEAL Server Timeout Parameters

Managing the Web Space

Root Directory of the Web Document Tree

Configuring Directory Indexing

Windows: File Naming Conventions for CGI Programs

Configuring Web Document Caching

Configuring HTTP Error Messages

Macro Support

Managing Custom HTML Pages

Custom Page Parameters and Values

Custom HTML Page Descriptions

Managing Client-side and Server-side Certificates

Understanding GSKit Key Database File Types

Configuring WebSEAL Key Database Parameters

Using the iKeyman Certificate Management Utility

Configuring CRL Checking

Configuring the Default Protection Level

Configuring QOP for Individual Hosts and Networks

Configuring Authorization Database Updates and Polling

Configuring Update Notification Listening

Configuring Authorization Database Polling

Replicating Front-end WebSEAL Servers

Configuring Standard HTTP Logging

Enabling and Disabling HTTP Logging

Specifying the Timestamp Type

Specifying Log File Rollover Thresholds

Specifying the Frequency for Flushing Log File Buffers

dC request.log PG<DZ]$H

HTTP Common Log Format (for request.log)

Displaying the request.log File

Displaying the agent.log File

Displaying referer.log

Chapter 3. WebSEAL Security Policy

WebSEAL-specific ACL Policies

/WebSEAL/<host>

/WebSEAL/<host>/<file>

WebSEAL ACL Permissions

Default /WebSEAL ACL Policy

Three Strikes Login Policy

Command Syntax

Password Strength Policy

Password Strength Policies Set by the pdadmin Utility

Command Syntax

Examples of Valid and Invalid Passwords

User-specific and Global Settings

Authentication Strength POP Policy (Step-up)

Configuring Step-up Authentication Levels

Enabling Step-up Authentication

Step-up Login Form

Step-up Authentication Algorithm

Step-up Authentication Notes and Limitations

Network-based Authentication POP Policy

Configuring Authentication Levels

Specifying IP Addresses and Ranges

Disabling Step-up Authentication by IP Address

Network-based Authentication Algorithm

Network-based Authentication Notes and Limitations

Protection Level POP Policy

Handling Unauthenticated Users (HTTP/HTTPS)

Processing a Request from an Anonymous Client

Forcing User Login

Applications of Unauthenticated HTTPS

Controlling Unauthenticated Users with ACL/POP Policies

Chapter 4. WebSEAL Authentication

Understanding the Authentication Process

Supported Session Data Types

Supported Authentication Methods

j8dCE"N<

Managing Session State

GSKit and WebSEAL Session Caches

Configuring the WebSEAL Credentials Cache

Configuring the GSKit SSL Session ID Cache

Maintaining State with Session Cookies

Determining Valid Session ID Data Types

Configuring Failover Cookies

Authentication Configuration Overview

Local Authentication Parameters

External Custom CDAS Authentication Parameters

Default Configuration for WebSEAL Authentication

Configuring Multiple Authentication Methods

Prompting for Login

Logout and Change Password Commands

Configuring Basic Authentication

Enabling and Disabling Basic Authentication

Setting the Realm Name

Configuring the Basic Authentication Mechanism

Configuration Conditions

Configuring Forms Authentication

Enabling and Disabling Forms Authentication

Configuring the Forms Authentication Mechanism

Configuration Conditions

Customizing HTML Response Forms

Configuring Client-side Certificate Authentication

Background: Mutual Authentication via Certificates

The WebSEAL Test Certificate

Enabling and Disabling Certificate Authentication

Configuring the Certificate Authentication Mechanism

Configuration Conditions

Configuring HTTP Header Authentication

Enabling and Disabling HTTP Header Authentication

Specifying Header Types

Configuring the HTTP Header Authentication Mechanism

Configuration Conditions

Configuring IP Address Authentication

Enabling and Disabling IP Address Authentication

Configuring the IP Address Authentication Mechanism

Configuring Token Authentication

Enabling and Disabling Token Authentication

Configuring the Token Authentication Mechanism

Supporting Multiplexing Proxy Agents

Valid Session Data Types and Authentication Methods

Authentication Process Flow for MPA and Multiple Clients

Enabling and Disabling MPA Authentication

Creating a User Account for the MPA

Adding the MPA Account to the webseal-mpa-servers Group

MPA Authentication Limitations

Chapter 5. Cross-domain Sign-on Solutions

Configuring CDSSO Authentication

Integrating a Custom CDMF Shared Library

CDSSO Authentication Process Flow with CDMF

Enabling and Disabling CDSSO Authentication

Configuring the CDSSO Authentication Mechanism

Encrypting the Authentication Token Data

Configuring the Token Timestamp

Expressing CDSSO HTML Links

Protecting the Authentication Token

Configuring e-Community Single Sign-on

e-Community Features and Requirements

e-Community Process Flow

Understanding the e-Community Cookie

Understanding the "Vouch For" Request and Reply

Understanding the "Vouch For" Token

Encrypting the "Vouch For" Token

Configuring an e-Community

Chapter 6. WebSEAL Junctions

WebSEAL Junctions Overview

Junction Database Location and Format

Applying Coarse-grained Access Control: Summary

Applying Fine-grained Access Control: Summary

Guidelines for Creating WebSEAL Junctions

WebSEAL ;'V HTTP 1.0 ;f*a

Additional References for WebSEAL Junctions

Using pdadmin server task to Create Junctions

Configuring a Basic WebSEAL Junction

TCP Type Junctions

SSL Type Junctions

Mutually Authenticated SSL Junctions

WebSEAL Validates the Back-end Server Certificate

Distinguished Name (DN) Matching

WebSEAL Authentication with a Client Certificate

WebSEAL Authentication with a BA Header

Handling Client Identity Information Across Junctions

Creating TCP and SSL Proxy Junctions

WebSEAL-to-WebSEAL Junctions over SSL

Additional Junction Options

Forcing a New Junction (–f)

Supplying Client Identity in HTTP Headers (–c)

Supplying Client IP Addresses in HTTP Headers (–r)

Passing Session Cookies to Junctioned Portal Servers (–k)

Supporting Case-insensitive URLs (–i)

Handling URLs from Scripts and Client-side Applications (–j)

Using Junction Mapping to Handle Server-relative URLs

Stateful Junction Support (–s, –u)

Specifying Back-end Server UUIDs for Stateful Junctions (–u)

Junctioning to Windows File Systems (–w)

Technical Notes for Using WebSEAL Junctions

Mounting Multiple Servers at the Same Junction

Filtering Static HTML URLs from Junctioned Servers

Exceptions to Enforcing Permissions Across Junctions

Certificate Authentication Across Junctions

Using query_contents with Third-party Servers

Installing query_contents

Installing query_contents on Third-party UNIX Servers

Installing query_contents on Third-party Win32 Servers

Customizing query_contents

Securing query_contents

Chapter 7. Web Single Sign-on Solutions

Configuring BA Headers for Single Sign-on Solutions

Single Sign-on (SSO) Concepts

Supplying Client Identity in BA Headers

Supplying Client Identity and Generic Password

Forwarding Original Client BA Header Information

Removing Client BA Header Information

Supplying User Names and Passwords from GSO

Using Global Sign-on (GSO)

Mapping Authentication Information

Configuring a GSO-enabled WebSEAL Junction

Configuring the GSO Cache

Single Sign-on to IBM WebSphere (LTPA)

Configuring an LTPA Junction

Configuring the LTPA Cache

Technical Notes for LTPA Single Sign-on

Chapter 8. Application Integration

Supporting CGI Programming

Windows: Supporting WIN32 Environment Variables

Supporting Back-end Server-side Applications

Enabling Dynamic Business Entitlements

Creating Business Entitlements from LDAP Data

Building a Custom Personalization Service

Configuring WebSEAL for a Personalization Service

Personalization Service Example

Providing Access Control to Dynamic URLs

Dynamic URL Components

Mapping ACL Objects to Dynamic URLs

Updating WebSEAL for Dynamic URLs

Resolving Dynamic URLs in the Object Space

Configuring Limitations on POST Requests

Summary and Technical Notes

Dynamic URL Example: The Travel Kingdom

The Application

The Interface

The Security Policy

Secure Clients

Access Control

Conclusion

Appendix A. webseald.conf Reference

Appendix B. WebSEAL Junction Reference

Using pdadmin server task to Create Junctions

Junction Commands

Creating a New Junction for an Initial Server

Adding an Additional Server to an Existing Junction

Appendix C. Managing Certificates with iKeyman

Starting the iKeyman Utility

Opening the Default WebSEAL Key Database

Creating a New Key Database

Creating a New Self-signed Digital Certificate

Adding a New CA Root Certificate

Deleting a CA Root Certificate

Copying Certificates Between Databases

Extracting Certificates to a File; Adding Certificates from a File

Importing Certificates Directly from a Database

Exporting Certificates Directly to a Database

Requesting a Server Certificate

Receiving a Digital Certificate

Deleting a Digital Certificate

Specifying a New Default Certificate

Changing the Database Password

Index

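Preface

Welcome to the Tivoli SecureWay Policy Director WebSEAL Administration Guide.

Tivoli SecureWay Policy Director WebSEAL is the Policy Director resource security manager for Web-based resources. WebSEAL is a high-performance, multi-threaded Web server that applies fine-grained security policy to the protected Web object space. WebSEAL can provide single sign-on solutions and incorporate back-end Web application server resources into its security policy.

This administration guide provides comprehensive procedures and reference information for managing the resources of a secure Web domain. This guide also provides valuable background and concept information for the wide range of WebSEAL functionality.

Who Should Read This Guide

The audience for this guide includes:

• Security administrators

• System installation and deployment administrators

• Network system administrators

• IT architects

• Application developers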

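What This Guide Contains

• Chapter 1: WebSEAL Overview

This chapter introduces important WebSEAL concepts and functionality, such as: organizing and protecting the object space, authentication, credentials acquisition, and WebSEAL junctions.

• Chapter 2: WebSEAL Server Configuration

This chapter is a technical reference for general WebSEAL configuration tasks, including: managing the Web space, timeout parameters, managing certificates, handling unauthenticated users, and WebSEAL-specific ACL and POP policies.

• Chapter 3: WebSEAL Security Policy

This chapter provides detailed technical procedures for customizing security policy on WebSEAL, including: ACL and POP policies, protection levels, step-up authentication policy, network-based authentication policy, three strikes login policy, and password strength policy.

• Chapter 4: WebSEAL Authentication

This chapter provides detailed technical procedures for setting up WebSEAL to manage a variety of authentication methods, including: user name and password, client-side certificates, SecurID token passcode, and special HTTP header data.

• Chapter 5: Cross-domain Sign-on Solutions

This chapter discusses cross-domain sign-on solutions for the external side of a WebSEAL proxy configuration, between the client and the WebSEAL server.

• Chapter 6: WebSEAL Junctions

This chapter is a complete technical reference for setting up and using WebSEAL junctions.

• Chapter 7: Web Single Sign-on Solutions

This chapter discusses single sign-on solutions for the internal side of a WebSEAL proxy configuration, between the WebSEAL server and the back-end junctioned application server.

• Chapter 8: Application Integration

This chapter explores a variety of WebSEAL capabilities for integrating third-party application functionality.

• Appendix A: webseald.conf Reference

• Appendix B: WebSEAL Junction Reference

• Appendix C: Managing Certificates with iKeyman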

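Typeface Conventions

This guide uses several typeface conventions for special terms and actions. These conventions have the following meaning:

Bold: Command names and options, keywords, and other information that you must use exactly as shown appear in bold.

Italics: Variables, command arguments, and values that you must provide appear in italics. Titles of publications and special words or phrases that are emphasized also appear in italics.

Monospace: Code examples, command lines, screen output, file and directory names, and system messages appear in monospace font.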

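Related Policy Director Documents

The following table summarizes some of the available Policy Director documents, which are located on the Tivoli SecureWay Policy Director support site:

Tivoli SecureWay Policy Director Technical Documents

Installation Guides

• Tivoli SecureWay Policy Director Base Installation Guide

• Tivoli SecureWay Policy Director WebSEAL Installation Guide

Administration Guides

• Tivoli SecureWay Policy Director Base Administration Guide

• Tivoli SecureWay Policy Director WebSEAL Administration Guide (this document)

• Tivoli SecureWay Policy Director Plug-in for Edge Server Administration Guide

• Tivoli SecureWay Policy Director Web Portal Manager Administration Guide

Developer References

• Tivoli SecureWay Policy Director Authorization ADK Developer Reference

• Tivoli SecureWay Policy Director Authorization API Java Wrappers Developer Reference

• Tivoli SecureWay Policy Director Administration API Developer Reference

• Tivoli SecureWay Policy Director WebSEAL Developer Reference

Supplemental Documents

• Tivoli SecureWay Policy Director Release Notes

• Tivoli SecureWay Policy Director Performance Tuning Guide

• Tivoli SecureWay Policy Director Capacity Planning Guide

Accessing Online Documentation

The Tivoli Customer Support Web site (http://www.tivoli.com/support/) offers links to the following documentation information:

• Technical information, including release notes, installation and configuration guides, administration guides, and developer references.

• Frequently Asked Questions (FAQs)

• Software download information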


IZ:http://www.tivoli.com/support/getting/ iR Customer Support

Handbook('V~q8O)#

IZ http://www.tivoli.com/support/documents/ CJZ_ Tivoli v

foDw}#%w Master Index IiRX(z7D'V3f#

I Z :

https://www.tivoli.com/secure/support/Prodman/html/AB.html#SecurityO(}z7f>(; Policy Director <uD5#

;)z7DD5a) PDF M HTML q=#3)z79a)-k}DD

5#

CJs?VDD5h*j6M\k#*q!Z'V Web >cO9CDj

6,k*A http://www.tivoli.com/support/getting/#

XZq! Tivoli <uD5M'VD|`E",-zL&N<

http://www.tivoli.com/support/smb/index.html#

XZq! Tivoli <uD5D|`E",L5oi&N<Zxviii3D:):

D5;#


):D5I ( } C J

http://www.tivoli.com/support/Prodman/html/pub_order.html Z_)

: Tivoli D5r&rTBg0.;I): Tivoli D5:

¶ @zM':(800) 879-2755

¶ SCsM':(800) 426-4968

a)XZz7D5D4!

RGG#Vbc}z9C Tivoli z7MD5DP\,"RG#6-za

)Dx(i#gPNNPXz7MD5Db{M(i,kTBP==.

;*5RG:

¶ "MgSJ~A [email protected]#

¶ Z http://www.tivoli.com/support/survey/ n4KM4!wim#

*5M''VTivoli Customer Support Handbook ;Z:

http://www.tivoli.com/support/handbook/

|a)XZ Tivoli M''VDw=fE",|(:

¶ "aMJq

¶ gNy]JbDOXT*5<u'V

¶ g0EkMgSJ~X7(!vZzyZDzRrXx)

¶ *5<u'V0&CQ/DE"


WebSEAL Ev

Tivoli SecureWay Policy Director WebSEAL G_T\"`_LD Web

~qw,T\#$D Web TsUd&C8#HD2+T_T#WebSEAL

\a)%;"abv=8,"+sK Web &CLr~qwJ4O"=d

2+T_TP#

>BEv+i\ WebSEAL ~qwDw*&\#

wbw}:

¶ :9C WebSEAL #$ Web Ud;

¶ Z43D:Kb WebSEAL O$;

¶ Z63D:Kb>$q!;

¶ Z83D:Kb WebSEAL *a;

9C WebSEAL #$ Web Ud

Tivoli SecureWay Policy Director WebSEAL GyZ Web DJ4D Policy

Director J42+\mw#

WebSEAL G_T\"`_LD Web ~qw,T\#$D Web TsU

d&C8#HD2+T_T#WebSEAL \a)%;"abv=8,"+

sK Web &CLr~qwJ4O"=d2+T_TP#

WebSEAL a)TB&\:

¶ 'V`VO$=(

1


ZC=Me~=e5a9<a)'V`VO$zFDinT#

¶ S\ HTTP M HTTPS ks

¶ (} WebSEAL *a<u/IM#$sK~qwJ4

¶ \mCZ>XMsK~qw Web UdD8#HCJXF

y'VDJ4|(:URL"yZ URL D}rmo="CGI Lr"

HTML D~"Java !~qLrM Java `D~#

¶ w*fr Web zm4P

TZM'z,WebSEAL Iw* Web ~qw,xTZ}\d#$D

*asK~qw,WebSEAL Iw* Web /@w#

¶ a)%;"a&\

< 1. 9C WebSEAL #$ Web Ud


j6#$DZ]`MM6pw* Web UdD2+\m1,zXk}7j6;,C'`MICDZ]

`M#;)Z]Xk\_H#$,;ICZX(DC';d|Z]IS

\#fD+2i4#?v2+T=8P;,D#$*sMX*D

WebSEAL dC#

zD0p*:

¶ Kb Web Z]

¶ j6*sCJCZ]DC'`M

¶ KbICZ#$KZ]D WebSEAL dC!nDEcMuc

Web Z]#$IV* 3 vs`:

1. +2Z] * CJ;h*#$

¶ (} HTTP D4O$M'zCJ

¶ TZJ4DCJXF9C4O$D>$

¶ y>D WebSEAL dC*s

2. +2Z] * CJ*s#\(S\)

¶ (} HTTPS D4O$M'zCJ

¶ #$&CLr~qw*sDtP}](}gEC(EMC'J'

E")h*S\

¶ TZJ4DCJXF9C4O$D>$

¶ WebSEAL dCh*#\

3. (CZ] * CJh*O$

¶ (} HTTP r HTTPS DQO$M'zCJ

¶ \m17(Gqh*S\

¶ TZJ4DCJXF9CQO$D>$;M'zXkZC'"a

mP(eJ'

¶ WebSEAL dC\4S,XkP8<GyP!nT7(2+T_T

D0l


f.M5V2+T_Ts5D2+T_T7(K:

1. h*#$D Web J4

2. #$6p

Policy Director 9C Web J4Dibm>,4y=D\#$TsUd#

\#$TsUd|,m>xgP5JomJ4DTs#

(}Th*#$DTs&CJ1D2+zF,IT5V2+T_T#

2+zF|(:

¶ CJXFm(ACL)_T

ACL _T7(K;O*ITxPCJDC'`M,"8(JmTCT

sxPDYw#

¶ \#$Ts_T(POP)

POP 8(=Su~T\mT\#$TsDCJ,}g#\T"j{

T"sFM?U1dDCJ#

¶ )9tT

)9tTGCZTs"ACL r POP D=S5,IIZ}=&CLr

(}gb?Z(~q)A!MbM#

Policy Director DKDi~GZ(~q * |yZC'D>$MCZTs

DCJXF,Jmr\xT\#$Ts(J4)DCJ#

*I&5V2+T_T,Xk_-i/;,DZ]`M(g:f.M5

V2+T_T;Pyv)"&CJ1D ACL M POP _T#CJXF\

mI\G#4S,+Z]`MP8V`+9CYwdC]W;)#

Kb WebSEAL O$

O$G;V7("TG<=2+rD%vxLr5eD=(#1~qw

MM'z<*sO$1,C;;}LMGy=D`%O$#


WebSEAL I*s?vM'za)m]$w,Sx5V2+rPD_H2

+T#1 WebSEAL XFT2+rP?vJ4DCJ1,WebSEAL D

O$MZ(*sIa)+fDxg2+T#

Z2+e5a9P,O$;,ZZ(#Z(7(;O$DC'GqP(

TX(J44PYw#O$7#vem]Df5T,+;TdTJ44

PYwD\&vNNPO#

TBu~&CZ WebSEAL O$:

¶ WebSEAL 'V;ij<DO$=(#

IT(F WebSEAL 'Vd|O$=(#

¶ WebSEAL }L@"ZO$=(#

¶ WebSEAL ;*sM'zm]#WebSEAL SKm]qCQO$D(r

4O$D)>$,Z(~qI9CC>$Jmr\xTJ4DC

J#

bVinDO$>6Jm2+T_TTL5hs"x;GTomxgX

Ka9*y!#

O$?Dd; WebSEAL @"ZO$}L,+|*sPO$Da{ * M'zm

]#O$}L+<BTBYw:

1. O$=(zzM'zm]

< 2. `%O$


;P1C'_PZ Policy Director C'"amP(eDJ'1,M'

zO$EaI&#qr+8(C'*4qO$#

2. WebSEAL 9Cm]*CM'zq!>$

WebSEAL +QO$DM'zm]kQ"aD Policy Director C'`

%d#;s WebSEAL q!JCZKC'D>$#bMG>$q!#

>$|(C'{MC'_PdI1JqDNNi#

g{C'd{,WebSEAL +9(4O$D>$#

b)>$ICZZ(~q,C~qJmr\xCJ WebSEAL \#$

TsUdPQksDTs#

NN*sM'zE"D Policy Director ~q<I9C>$#>$Jm

Policy Director 2+X4P`V~q,}gZ("sFM/I#

PX'VX(O$=(Dx;=E",kNDZ693D:WebSEAL O

$;#

Kb>$q!

O$}LDw*?D.;MGq!hvM'zC'D>$E"#C'>

$GNk2+rn/Dw**s.;#

Policy Director xVC'O$M>$q!#C'm]@6G#?#+>$

* (eC'NkDirG+ * 4Gd?#X(ZOBDD>$If1

d|D#}g,1C'z}1,>$Xk43BD0p6p#

O$}L+zIX(Z=(DC'm]E"#+TU$tZ Policy

Director C'"am(1!ivB* LDAP)DC'J'E"TKE"x

Pli#WebSEAL +C'{MiDE"3d*+2r6'Dm>==,

dq=*0)9X(tT$i1(EPAC)#


X(Z=(Dm]E",}g\k"jGM$i,m>C'Domm]

tT#KE"ICZ("k~qwD2+a0#

zID>$m>C'Z2+rPDX(,hvX(OBDPDC',R

vZa0P'ZZP'#

Policy Director >$|,C'm]MC'_PdI1JqDi#

)9X(tT$i(EPAC)>$INNh*XZM'zDE"D Policy Director ~q9C#

}g,Z(~q9C>$T7(GqQZ(C'T2+rPD\#$J

44PX(Yw#

EPAC |,0(;+Vj6{1(UUID),Policy Director h*|4&

mCJXFPm(ACL)#

Policy Director +>$CZd|~q,}g:

¶ sF~q

¶ WebSEAL *aPD/I\&

TB EPAC VNJCZ Policy Director:

tT hv

2+rj6 weDw2+rj6

< 3. +m]E"3d=>$


we UUID weD UUID

i UUID weytiD UUID

Kb WebSEAL *a

Policy Director a)xgDO$"Z(M\m~q#ZyZ Web Dxg

P,b)~qnCI;vr`v0K WebSEAL ~qwa),b)~q

w/IM#$;ZsK Web ~qwOD Web J4M&CLr#

WebSEAL ~qwMsK Web &CLr~qw.dD,SFw WebSEAL

*ar*a#WebSEAL *aG0K WebSEAL ~qwMsK~qw.

dD TCP/IP ,S#

sK~qwITGm;v WebSEAL ~qw,r_|#{X,GZ}=

Web &CLr~qw#sK~qw Web UdGZ WebSEAL {FUd

DXp8(D*a(20)ck WebSEAL ~qw0,S1D#

*aJm WebSEAL zmsK~qwa)#$~q#ZrsK~qw+

]ks.0,WebSEAL \T+?ks4PO$MZ(li#g{sK~

< 4. ,S WebSEAL MsK~qwD*a


qwh*TTsD8#HCJXF,Xk4P=SDdC=h,r Policy

Director 2+~qhvZ}= Web Ud(kNDZ1553D:ZZ}=~

qwO9C query_contents;)#

*aa)IluD"2+D73,C73Ia):X=b"_ICTM

4,\m\& * +?TM'z8w4P#w*\m1,zIqfZbV

{FUdD/P\m#

WebSEAL *a(}_-X+sK~qwD Web UdM WebSEAL ~

qwD Web UdiOZ;pTa)=S5#-w~qwdD*azz%

@D"3;D"V<= Web Ud,|TC'G^lM8wD#

M'S;h**@ Web J4Dom;C#WebSEAL +_- URL X7

*;IsK~qwZ{DomX7#I+ Web TsS;v~qwF/=

m;v~qw,x;a0lM'zCJb)TsD==#

3;D Web Udr/K53\m1TyPJ4D\m#d|D\mEc

|(IluT":X=bM_ICT#


s?VL5 Web ~qw;_P(e_- Web TsUdD\&#!kz

.,|GDCJXFGkomD~M?<a9,SD#WebSEAL *aI

w7(eTsUd,|43Ki/a9x;Gj< Web ~qwOv=D

omzwM?<a9#

WebSEAL *a2Jm4(%;"abv=8#%;"adCJmC'v

9C;Nu<G<CJJ4(kJ4D;C^X)#TNN4TsK~

qwDx;=G<*sD&mTC'<G8wD#

WebSEAL *aG9zD Web >cIluDX*$_#*aJmz(}

mS=SD~qw4l&T Web >cDv$D*s#

< 5. WebSEAL *azz3;D Web Ud


WebSEAL *aM Web >cIluT9C WebSEAL *aI4(IluD Web >c#fET Web >c*

sDv$,I=cXmS|`D~qw,)d>cD]?#

IZTB-r,ImS=SD~qw:

¶ C=SZ])d>c

¶ *K:X=b"JO*FM_ICT\&x4FVPZ]

Q4FD0K WebSEAL ~qw

TsK~qwD*a'VCAY;v0K WebSEAL ~qw4t/#Q

4FD0K WebSEAL ~qwZs?hsZdr>ca):X=b#:

X=bzFIg, IBM Network Dispatcher r Cisco Local Director b

yDzF4&m#

0K4F9r>ca)JO*F&\ * g{~qwIZ3v-r'\,

#`D1>~qw+Lxa)T>cDCJ#I&D:X=bMJO*

F\&*>cC'x4_ICT#


Z4F0K WebSEAL ~qw1,?v~qwXk|, Web UdM*

a}]bD+71>#

CZO$DJ'E"$tZ@"Z0K~qwDC'"amP#

'VsK~qw

Web >cZ]ITI WebSEAL ~qw>m"sK~qwr~_DiO

a)~q#WebSEAL *a'VsK~qw,Jm(}=SDZ]MJ4

lu Web >c#

?v(;DsK~qwXkk%@D*a(20)c*a#fET=S

Z]*sDvS,I(}*amS|`D~qw#K=8*ZZ}= Web

~qwOPO`VP6JDxga)Kbv=8#

< 6. Q4FD0K WebSEAL ~qw


B<5w*agNa)3;D"_-DTsUd#C Web UdTZC'

G8wD,"RJm/P\m#

< 7. *asK~qw


gB;Zyv,Q4FDsK~qwk`,D*ac*a#

4FDsK~qw

*+IluT&\)9=sK~qwdC,zIT4FsK~qw#g

,1>0K~qw,1>sK~qwXk|,%*5sD Web Ud#

WebSEAL 9C0nUP1wHc(Zw1>~qwPxP:X=b#K

c(+?vBDks(r=QP,S}nYD~qw#

1~qw1z1,WebSEAL 2+}7XxPJO*F;;)XBt/~

qw,WebSEAL 2+*<XB9CC~qw#

g{sK&CLr*s4,,$Z8v3fP,9C4,#facI7

#?va0<5XA,;vsK~qw#

< 8. 3;D Web Ud


< 9. 4FDsK~qw


WebSEAL ~qwdC

>B|,hv#f\mMdCNqDE",zIT4Pb)Nq*xg

(F WebSEAL ~qw#

wbw}:

¶ Z183D:;c~qwE";

¶ Z203D:dC(EN};

¶ Z253D:\m Web Ud;

¶ Z313D:dC HTTP ms{";

¶ Z343D:\m(FD HTML 3f;

¶ Z353D:\mM'zKM~qwKD$i;

¶ Z403D:dC1!#$6p;

¶ Z423D:dCZ(}]b|BMV/;

¶ Z433D:4F0K WebSEAL ~qw;

¶ Z453D:dCj< HTTP G<;

2


;c~qwE"

TBwZhvXZ WebSEAL ~qwD;cE":

¶ :webseald.conf dCD~ri;

¶ Z193D:WebSEAL 20Dy?<;

¶ Z203D:WebSEAL ~qwy?<;

¶ Z203D:t/M#9 WebSEAL;

webseald.conf dCD~ri

IT(}dC;Z webseald.conf dCD~DN}(F WebSEAL DY

w:CD~;ZTB?<:

UNIX:

/opt/pdweb/etc/

Windows:

C:\Program Files\Tivoli\PDWeb\etc\

Bm\aKw?VMwZ:

?V Z

WEBSEAL GENERAL [server]

LDAP [ldap]

SSL [ssl]

JUNCTION [junction] [filter-url] [filter-schemes]

[script-filtering] [gso-cache] [ltpa-cache]

AUTHENTICATION [ba] [forms] [token] [certificate]

[http-headers] [auth-headers] [ipaddr]

[authentication-levels] [mpa] [cdsso]

[cdsso-peers] [failover] [e-community-sso]

[inter-domain-keys]

[authentication-mechanisms] [ssl-qop]

[ssl-qop-mgmt-hosts]

[ssl-qop-mgmt-networks]

[ssl-qop-mgmt-default]

SESSION [session]


CONTENT [content] [acnt-mgt] [cgi] [cgi-types]

[cgi-environment-variable]

[content-index-icons] [icons] [content-cache]

[content-mime-types] [content-encodings]

LOGGING [logging]

AUTHORIZATION API [aznapi-configuration]

[aznapi-entitlement-services]

POLICY DIRECTOR [policy-director]

kNDZ1953D:webseald.conf N<;#

":?N|D webseald.conf D~1,<XkV$XBt/ WebSEAL,

byMI6pBD|D#kNDZ203D:t/M#9

WebSEAL;#

WebSEAL 20Dy?<

WebSEAL LrD~20ZTBy?<P:

UNIX:

/opt/pdweb/

Windows:

C:\Program Files\Tivoli\PDWeb\

ITZ Policy Director Windows f20PdCC76#+;\Z Policy

Director D UNIX 20PdCC76#

>8O9C <install-path> d?zmbvy?<#

Z UNIX 20P,TB@"?<|,I)9DD~,}gsFMU>D

~:

/var/pdweb/


WebSEAL ~qwy?<

webseald.conf dCD~PD server-root N}(et/1 WebSEAL ~

qwYwD;C#

[server]
server-root = /opt/pdweb/www

webseald.conf dCD~Pm>DyP`T76{<G`TZKy?<

D#

":(#ivB,;&1|DK76{#

t/M#9 WebSEAL

ITZ UNIX O9C pdweb_start |nT0Z Windows O9C0~

qXFfe1t/M#9 WebSEAL ~qwxL#

UNIX:

pdweb_start {start|stop|restart|status}

}g,*#9 WebSEAL ~qw,;sXBt/~qw,k9C:

# pdweb_start restart

pdweb_start |n;ZTB?<P:

/opt/pdweb/bin/

Windows:

Z0~qXFfe1Pj6 WebSEAL ~qwxL"9CJ1DXF4

%#

dC(EN}

TBwZhvXZ WebSEAL ~qwD;cE":

¶ Z213D:* HTTP ksdC WebSEAL;

¶ Z213D:* HTTPS ksdC WebSEAL;

¶ Z223D:^F4TX( SSL f>D,S;


¶ Z223D:dC HTTP M HTTPS $wLr_L;

¶ Z233D:HTTP/HTTPS (ED,1N};

¶ Z243D:=S WebSEAL ~qw,1N};

* HTTP ksdC WebSEAL

WebSEAL (#&mm`4T4O$C'D HTTP ks#}g,(#J

md{C'T Web >cD+2?VOD!(D5xP;ACJ#

(} TCP &m HTTP ksDN};Z webseald.conf dCD~D

[server] ZP#

tC/{C HTTP CJ

Z WebSEAL dCZdtCr{C HTTP CJ:

http = {yes|no}

hC HTTP CJKZ5

HTTP CJD1!KZG 80:

http-port = 80

}g,*+KZ|D* 8080,khC:

http-port = 8080

* HTTPS ksdC WebSEAL

CZ&m SSL OD HTTP ks(HTTPS)DN};Z webseald.conf

dCD~D [server] ZP#

tC/{C HTTPS CJ

Z WebSEAL dCZdtCr{C HTTPS CJ:

https = {yes|no}

hC HTTPS CJKZ5

HTTPS CJD1!KZG 443:

https-port = 443

}g,*+KZ|D* 4343,khC:

https-port = 4343


^F4TX( SSL f>D,S

IT@"XtCM{C SSL f> 2"SSL f> 3 M TLS f> 1 D,

S#XFX( SSL M TLS f>,SDN};Z webseald.conf dCD

~D [ssl] ZP#1!ivB,tCyP SSL M TLS f>#

[ssl]
disable-ssl-v2 = no
disable-ssl-v3 = no
disable-tls-v1 = no

dC HTTP M HTTPS $wLr_L

QdCD$wLr_L}?8(K~qwy\~qD"PxkksD}

?#1yP$wLr_LHO&1,=oDd|,S+xk:ex,1

=PICD$wLr_L*9#

IThC* WebSEAL Dxk,S~qDIC_L}#k+DdC$w

Lr_LD}?,r*|I\0lT\#

CdCN}";?F*s,1,SDO^}?#KN}r%X8(K_

L}?,IT*1ZD;\F^D$wSPa)~q#

ky]TxgD(E?M(E`MDKb,!q$wLr_LDnQ}

?#

fE_L}?DvS,jIksD=y1d;cGuYD#;x,vS

_L}?I\0ld|rX,b)rXaT~qwT\zz:f0l#

WebSEAL ,$%@D;c$wLrPmM$wLr_LX,T&m4T

M'zD9C TCP"SSL r GSSAPI (@Dks#bVv?DzF9

WebSEAL \;Z&m`1sD:X1v{DOYD53J4#

IT(}hC webseald.conf dCD~PD [server] Z?VPD

worker-threads N}dC$wLr_LXs!#

[server]
worker-threads = 50

":?R(i;ZTT\JbxPJOoO1E|DKN}#


HTTP/HTTPS (ED,1N}

WebSEAL 9C SSL D IBM Global Security Kit(GSKit)5V#1

WebSEAL SU=4T HTTPS M'zDks1,GSKit SSL +("u

<UVEE",$a04,#

WebSEAL 'VTB HTTP M HTTPS (ED,1N}#b)N};Z

webseald.conf dCD~D [server] ZP#

¶ client-connect-timeout

;)QvVu<UVEE,rCN}+8>TZu< HTTP r

HTTPS ks,WebSEAL #V,Sr*D1d$H#1!5G 120

k#

[server]
client-connect-timeout = 120

¶ persistent-con-timeout

CN}X(Z HTTP/1.1(G HTTP/1.0),S#ZZ;N HTTP/1.1

ksM~qwl&s,CN}XF WebSEAL XU.0#V HTTP/1.1

VC,Sr*Dnsk}#1!5* 5 k#

[server]
persistent-con-timeout = 5


=S WebSEAL ~qw,1N}

TB=S,1N}IZ webseald.conf dCD~PhC:

N} hv 1!5(k)

[junction] http-timeout (} TCP *arsK~qw"

M}]MS|A!}]D,1

5#

120

[junction] https-timeout (} SSL *arsK~qw"

M}]MS|A!}]D,1

5#

120

[cgi] cgi-timeout r>X CGI xL"M}]MS

|A!}]D,15#

120

[junction] ping-time WebSEAL *?v*aD~qw

(Z4Ps( ping,T7(|G

Gq}ZKP# WebSEAL n`

? 300 k ping ;N,;a|5

1(^[h(DGN5)#

300

< 10. HTTP M HTTPS (ED,1N}


\m Web Ud

TBwZhv\m Web UdyhDNq:

¶ :Web D5wDy?<;

¶ Z263D:dC?<w};

¶ Z273D:Windows:CGI LrDD~|{<(;

¶ Z283D:dC Web D5_Y:f;

Web D5wDy?<

Web D5w;CG`TZD5DD5wy?<DxT76,WebSEAL 9

b)D5I*ICD5#C76{I webseald.conf dCD~ [content]ZPD doc-root N}m>#nuZ WebSEAL 20Zd("1!;C:

UNIX:

doc-root = /opt/pdweb/www/docs

Windows:

doc-root = C:\Program Files\Tivoli\PDWeb\www\docs

C5;9C;N * 20sZ;Nt/ WebSEAL D1r#;sC5;

f"Z*a}]bP#TsZ webseald.conf PTC5Dx;=^DT

|;P0l#

20s,Xk9C pdadmin 5CLr4|DD5y?<;C5#TB>

}(~qw{F* websealA)5wKK}L:

1. G<= pdadmin:

# pdadmin
pdadmin> login
dkC'j6:sec_master
dk\k:
pdadmin>

2. 9C server task list |nT>yP10*ac:

pdadmin> server task websealA list
/

3. 9C server task show |nT>*aDj8E":


pdadmin> server task websealA show /
*ac:/
`M:>X
*a2^F:0 * 9C+V5
*am^F:0 * 9C+V5
n/D$wLr_L:0
y?<:/opt/pdweb/www/docs

4. 4(BD>X*a4f;10*ac(h* -f !n4?F2GVP*

aDB*a):

pdadmin> server task websealA create -t local -f -d /tmp/docs /
Created junction at /

5. PvB*a:

pdadmin> server task websealA list
/

6. T>C*aDj8E":

pdadmin> server task websealA show /
*ac:/
`M:>X
*a2^F:0 * 9C+V5
*am^F:0 * 9C+V5
n/D$wLr_L:0
y?<:/tmp/docs

dC?<w}

ksD URL mo=T?<{ax1,zIT8(I WebSEAL 5XD

1!D~D{F#g{C1!D~fZ,WebSEAL r+D~5XM'

z#g{D~;fZ,r WebSEAL +/,zI?<w}"+Pm5X

M'z#

CZdC?<w}D~DN};Z webseald.conf dCD~D [content]ZP#

w}D~D1!5*:

[content]
directory-index = index.html

g{zD>c9C;,D<(,IT|DKD~{#}g:

[content]
directory-index = homepage.html


g{ksPD?<;|, directory-index N}(eDw}D~,r

WebSEAL +/,zI?<w}#zIDw}|,?<Z]Pm,xPA

?<PD?vu?D4S#v1M'zksCJTZC?<Z ACL O_

P0Pm1(l)mI(D?<1,EazIw}#

IT*zIDw}PPvD?vD~`MdCI WebSEAL 9CDX(

<N<j#webseald.conf dCD~PD [content-index-icons] Z|,

D5 MIME `MMT>DX* .gif D~DPm:

[content-index-icons]
image/* = /icons/image2.gif
video/* = /icons/movie.gif
audio/* = /icons/sound2.gif
text/html = /icons/generic.gif
text/* = /icons/text.gif
application/x-tar = /icons/tar.gif
application/* = /icons/binary.gif

ITdCKPmT*?;v MIME `M8(d|<j#2IT6L(;

<j#}g:

application/* = http://www.acme.com/icons/binary.gif

2ITdCTB=S<j5:

¶ CZm>S?<D<j:

[icons]
diricon = /icons/folder2.gif

¶ CZm>8?<D<j:

[icons]
backicon = /icons/back.gif

¶ CZm>4*D~`MD<j:

[icons]
unknownicon = /icons/unknown.gif

Windows:CGI LrDD~|{<(

|,Z webseald.conf dCD~D [cgi-types] ZPDN}Jmz8(

Windows D~)9`M,C`M+w* CGI Lr;6pM4P#


UNIX Yw53;h*D~)9{#+Xk* Windows Yw53(eD

~)9`M# [cgi-types] ZPvKyPP'D)9`M,"R(ZX*

1)+?v)9{3d=J1D CGI Lr#

[cgi-types]
<extension> = <cgi-program>

1!ivB,;+G)xPkZPyPD~)9{%dDD~w* CGI

Lr4P#g{PmP;|,3v CGI LrD)9{,+;4PCL

r#

xP .exe )9{DD~+I Windows 1!w*Lr4P,;h*3

d#

":+G,^[N1k*Z Windows O20 .exe D~CZBX,<X

kX|{C)9{r+D~20*i5D~D;?V(}g .zip)#

zXk*zmbME>D~D)9{a)J1DbMLr#b))9{

`MD>}|(:shell E>(.sh M .ksh)"Perl E>(.pl)M Tcl

E>(.tcl)D~#

TB>}5wK;vdMD [cgi-types] ZdC:

[cgi-types]
bat = cmd
cmd = cmd
pl = perl
sh = sh
tcl = tclsh76

":Z .bat M .cmd D~D9CPaf0=OXD2+TJb#kww

9Cb)D~`M#

dC Web D5_Y:f

IZ Web D5lwT\;Q,M'zI\a-#v=xgf!1dMD

~BX1d}$DJb#IZ WebSEAL ~qw}ZH}S*aDsK

~qwrYH|}D>Xf"wlwD~,rKa<BT\;Q#

Web D5_Y:f&\Jm++2CJD Web D5`Mf"Z

WebSEAL ~qwDZfP#LxksQ-_Y:fZ WebSEAL ~q

wPDD51,M'z+qClC`Dl&#


_Y:fDD5I|(2,DD>D5M<N<q#+;\_Y:f/

,zzDD5,}g}]bi/a{ #

Web D5_Y:fa)KinT,ITS WebSEAL x;Gg=*aD

sK~qwqCD5#

_Y:fGZ MIME `MDy!O4PD#* Web D5_Y:fdC

WebSEAL 1,+j6TB}vN}:

¶ D5 MIME `M

¶ f"iJ`M

¶ f"iJs!

Z webseald.conf dCD~D [content-cache] ZP(e Web D5_

Y:f#&CTBo(:

<mime-type> = <cache-type>:<cache-size>

N} hv

mime-type zm HTTP0Content-Type:1l&7P+MDNNP' MIME

`M#C5IT|,(d{(*)#*/* 5zm1!DTs_Y

:f,|+#t;{OT=dCD_Y:fDNNTs#

cache-type 8(CZ_Y:fDf"iJ`M#Policy Director D>"P

f;'V0memory1_Y:f#

cache-size 8(Zy]0n|nY9C1c(}%Ts0,x(_Y:

fs!Iv$=Dns5(T KB F)#

>}:

text/html = memory:2000
image/* = memory:5000
*/* = memory:1000

Web D5_Y:fzF[lTBb)u~:

¶ ;Z(e_Y:f1"z_Y:f#

¶ 201;(e_Y:f#


¶ g{;8(1!_Y:f,+;a_Y:fkNNT=_Y:f;

%dDD5#

¶ T;T_Y:fE"DyPks4PZ(#

"ByP_Y:f

IT9C pdadmin 5CLr4"ByPQdCD_Y:f#C5CLr

;Jm"B%v_Y:f#

ZIT9C pdadmin .0,Xkw* Policy Director \m1

sec_master G<A2+r#

*"ByP Web D5_Y:f,kdkTB|n:

UNIX:

# pdadmin server task <server-name> cache flush all

Windows:

MSDOS> pdadmin server task <server-name> cache flush all

_Y:f3FE"

IT9C pdadmin 5CLr4a)10_Y:f9CivDy>3FE

"#3FE"m>_Y:fP#tDn}?MT?nDks}?#

ZIT9C pdadmin .0,Xkw* Policy Director \m1

sec_master G<A2+r#

*qC10_Y:f9CivD3FE",kdkTB|n:

UNIX:

# pdadmin server task <server-name> cache stat

Windows:

MSDOS> pdadmin server task <server-name> cache stat


dC HTTP ms{"

P1,WebSEAL ~qwT<*ks~q4'\#Pm`I\}p'\D

-r#}g:

¶ D~;fZ

¶ mI(hC{9CJ

¶ ;}7D UNIX D~mI(r`Fiv9C CGI Lr^(4P

~qks'\"z1,~qw+r/@w5Xms{",}g,Z HTML

ms3PD0403 ;{91#P8VICDms{";?v{"<f"Z

%@D HTML D~P#

b)D~f"ZTB?<P:

UNIX: <install-path>/www/lib/errors/<locale-dir>

Windows: <install-path>\www\lib\errors/<locale-dir>

errors ?<|,m`oT73S?<,|,ms{"D~D>X/f

>#

}g,@z/"o{"D?<76*:

UNIX: <install-path>/www/lib/errors/en_US

Windows: <install-path>\www\lib\errors/en_US

C?<PD{"T HTML q=#f,rK\Z/@wP}7T>#IT

`-b) HTML 3fT(F|GDZ]#D~{FGYw'\15XD

Z?mskD.yxF5#;\|Db)D~{#

Bm|,;)|Uims{"DD~{MZ]Pm:


D~{ jb hv HTTP m

sk

132120c8.html O$'\ ^(*9CDM'$ilw>$#I

\D-r|(:

¶ C'a)K;}7D$i

¶ $iQ;7{

¶ O$}]b1YC'>$

1354a2fa.html GU?< ksDYw*sp6GU?<#bG

G(Yw#

1898d259.html ^("aC' ksDJ4*s WebSEAL ~qw"a

C'Am;v Web ~qw#;x,1

WebSEAL T<lwE"1"zJb#

1898d25a.html C';P%;"aE

"

WebSEAL ^(*ksDJ4(; GSO

C'#

1898d25b.html C';P%;"a?

j

WebSEAL ^(*ksDJ4(; GSO

C'#

1898d25c.html C'P`v"a?j *ksDJ4(eK`v GSO ?j#

bG;vmsdC#

1898d25d.html h*G< ksDJ4I*aDsK Web ~qw

#$,*s WebSEAL "aC'AC

Web ~qw#*K,C'XkHG<

= WebSEAL#

1898d25e.html ^("aC' ksDJ4*s WebSEAL ~qwCC

'"a=m;v Web ~qw#+C'

JED"aE";}7#

1898d25f.html bbDO$aJ WebSEAL S*aDsK Web ~qw

SU=bbDO$aJ#

1898d421.html Y1F/ ksDJ4Q;Y1F/#(#"z

ZvVms&mDX(rDiv#

302

1898d424.html msks WebSEAL SU=^'D HTTP ks# 400

1898d425.html h*G< ksDJ4I WebSEAL #$,*CJ

|,XkHG<#

1898d427.html ;{C C';_PCJksDJ4DmI

(#

403

1898d428.html R;= ^((;ksDJ4# 404


1898d432.html ~q;IC WebSEAL yhDCTjIksD~q

10;IC#

503

1898d437.html ~qwRp WebSEAL ~qwQ;53\m1Y1

]R#Z\m1+~qw5Xx~q

0,+;&mks#

1898d439.html *'a0E" /@w/~qwD;%Gk;Yl&

D*aDsK~qwD4,a0#

WebSEAL h*C~qwOD~qTj

Iks#

1898d442.html ~q;IC WebSEAL *sD~q;Z*aDsK

~qwO,K~qwOD SSL `%O

$'\#

1898d7aa.html CGI Lr'\ CGI Lr^(}74P#

default.html ~qwms IZbbms,WebSEAL ^(jIk

s#

500

deletesuccess.html I& M'zt/D DELETE ksI&j

I#

200

putsuccess.html I& M'zt/D PUT YwI&jI# 200

relocated.html Y1F/ ksDJ4Q;Y1F/# 302

websealerror.html 400 WebSEAL ~qw

ms

WebSEAL ~qwZ?ms# 400

j'VTBjICZ(F0ZPPvD HTML ms3f#jI/,f;J1D

ICE"#

j hv

%ERROR_CODE% mskD}5#

%ERROR_TEXT% {"`?PkmskX*DD>#

%METHOD% M'zksD HTTP =(#

%URL% M'zksD URL#

%HOSTNAME% +^(wz{#

%HTTP_BASE% ~qwDy> HTTP URL0http://<host>:<tcpport>/1#

%HTTPS_BASE% ~qwDy> HTTPS URL0https://<host>:<sslport>/1#


%REFERER% 4TksDN<E"7D5,g{;Pr*04*D1#

%BACK_URL% 4TksDN<E"7D5,g{;Pr*0/1#

%BACK_NAME% g{ZksPPN<E"7,5*0BACK1,g{;P,5*

0HOME1#

\m(FD HTML 3f

Policy Director |,y> HTML m%,I;(F*|,X(Z>cD{

"r4PX(Z>cDYw#s?Vm%JCZ(} HTTP r HTTPS D

m%"jGM BA O$#

b)m%DD~;CI webseald.conf dCD~D [acnt-mgt] ZPD

mgt-pages-root N}(e#

mgt-pages-root = lib/html/<lang-dir>

5J9CD?<yZ>X/#1!D@z"o?<*:

lib/html/C

UooT73+D~(;Z:

lib/html/JP

(F3fN}M5

TBXbD HTML 3fN}M5;Z webseald.conf dCD~D

[acnt-mgt] ZP#;)3fvIa)m]E"Dm%G<=(9C#

N} 3f C(

login = login.html m%G<

logout = logout.html m%G<

account-locked = acct_locked.html NN=(

passwd-expired = passwd_exp.html NN=(

passwd-change = passwd.html NN=(

passwd-change-success = passwd_rep.html NN=(

passwd-change-failure = passwd.html NN=(

help = help.html NN=(

token-login = tokenlogin.html jGG<


next-token = nexttoken.html jGG<

stepup-login = stepuplogin.html ]}O$

(F HTML 3fhv

m% hv

login.html C'{M\kDj<ksm%

logout.html I&"zsT>D3f#

acct_locked.html IZx(DJ'<BC'O$'\,xT>D3f#

passwd_exp.html IZ''\k<BC'O$'\,xT>D3f#

passwd.html |D\km%#g{\k|Dks'\,2aT>K3f#

passwd_rep.html g{\k|DksI&xT>D3f#

help.html |,AP'\m3fD4SD3f#

tokenlogin.html jGG<m%#

nexttoken.html B;vjGm%#

stepuplogin.html ]}O$G<m%#

P=vjICZb)3fP#I+b)jV{.ECZ#eD~P#j

+/,Xf;`&DD5#

j hv

%USERNAME% C'G<D{F#

%ERROR% S Policy Director 5XD2`kDms{"#

\mM'zKM~qwKD$i

>ZhvhC WebSEAL yhD\mMdCNq,Tc&mCZ(}

SSL O$DM'zKM~qwK}V$i#

WebSEAL h*$iCZTBiv:

¶ WebSEAL 9Cd~qwK$ir SSL M'zmwT:m]

¶ WebSEAL CM'zK$ir*aDsK~qw(*`%O$xd

C)mwT:m]


¶ WebSEAL iDdO$PD(CA)y$i}]b,Ti$9CM'z

K$ixPCJDM'z

¶ WebSEAL iDdO$PD(CA)y$i}]b,Ti$*`%O$

xdCD*aDsK~qw#

WebSEAL 9C SSL D IBM Global Security Kit(GSKit)5V4dC

M\m}V$i#GSKit a) iKeyman 5CLr4hCM\m$i\?

}]b,C}]bP|,;vr`v WebSEAL ~qw/M'z$iM

CA y$i#

WebSEAL Z201|,TBi~,Tc(}}V$i'V SSL O$:

¶ 1!\?}]b(pdsrv.kdb)

¶ 1!\?}]bf"D~(pdsrv.sth)M\k(0pdsrv1)

¶ ;)+2D CA y$i

¶ T)DbT$i,WebSEAL IC|r SSL M'zmwT:m]

FvS*{DO$PDjk#{D$i4f;CbT$i#

WebSEAL $i&mDdC|(:

¶ Z373D:dC WebSEAL D\?}]bN};

¶ Z393D:9C iKeyman $i\m5CLr;

¶ Z403D:dC CRL li;

Kb GSKit \?}]bD~`MIBM Key Management $_(iKeyman)9CBmP\aD8VD~`

M#

CMS \?}]bI;vxP .kdb )9{DD~MI\D=vr|`d

|D~9I#4(B\?}]b1,+4( .kdb D~#.kdb D~PD

\?G<ITG$irxPdS\D(C\?E"D$i#

4(B$iks1,+4( .rdb M .crl D~#Z{v CA $iks

}LP, .rdb D~<GXhD#


D~`M hv

.kdb 0\?}]b1D~#f"vK$i"vK$iksM)p_$i#

}g,1! WebSEAL \?}]bD~G pdsrv.kdb#

.sth 0f"1D~#f"\?}]b\kDS\f>#KD~Dy{Fk

X*D .kdb D~D`,#

.rdb 0ks1}]bD~#4( .kdb \?}]bD~1,+T/4(KD

~#KD~Dy{FkX*D .kdb D~D`,#KD~|,4jID

$iks,94S CA SUXCks#1$iS CA 5X1,+Z

.rdb D~PQw%dD$iks(yZ+C\?)#g{R=%d,r

SUks"RS .rdb D~>}`&D$iks#g{R;=%d,r

\xSU$iD"T#$iksP|,+2{F"i/"V@X7M

d|ks18(DE",T0kksX*D+CM(C\?#

.crl 0$i7zPm1D~#KD~(#|,QIZ;Vrm;V-rx

!{D$iPm#;x,iKeyman ;*$i7zPma)NN'V,y

TKD~GUD#

.arm T ASCII `kD~xFD~#.arm D~|,$iT base-64 `kD

ASCII m>,|,d+C\?,+;|,(C\?#-<~xF$i}

]+*;* ASCII m>#1C'SU= .arm D~q=D$i1,

iKeyman + ASCII m>bk"+~xFm>EkJ1D .kdb D~P#

,y,1C'S .kdb D~i!$i1,iKeyman a+}]S~xF*

;* ASCII "+dEk .arm D~P#.arm D~PD ASCII }]G

$iks}LZdz"MA CA DZ]#"b:(} .arm b);*D

~>mGT Base64 `kDD~,IS\9CNND~`M#

.der 0(P`kfr1D~#.der D~|,$iD~xFm>,|,d+C

\?,+;|,(C\?#k .arm D~\`F,}Km>G~xF,

x;G ASCII#

.p12 0PKCS 121D~,dP PKCS m>0+C\?\kuj<1#.p12 D

~|,$iD~xFm>,|,d+C\?M(C\?#.p12 D~2I

\|,`v$i;}g,$i")"$iD CA D$i"CA $iD

)"_,T0{D)"_HH#r* .p12 D~|,(C\?,yT|

G\\k#$D#

dC WebSEAL D\?}]bN}

WebSEAL $i\?D~:


201,WebSEAL a)1!D$i\?}]b# webseal-cert-keyfile N};Z webseald.conf dCD~D [ssl] Z,|CZj6KD~D{

FM;C:

[ssl]
webseal-cert-keyfile = /var/pdweb/www/certs/pdsrv.kdb

IT9C iKeyman 5CLr44(B\?}]b#;x,XkZ

webseal-cert-keyfile N}PdkKB\?D~D{FM;C,Tc

WebSEAL \;iRM9CC}]bP|,D$i#

$i\?D~\k:

201,WebSEAL 9a)|, pdsrv.kdb \?D~\kD1!f"D

~#webseal-cert-keyfile-stash N}a+f"D~D;C(*

WebSEAL:

webseal-cert-keyfile-stash = /var/pdweb/www/certs/pdsrv.sth

ZCf"D~PS\D1!\k*0pdsrv1#2ITZ

webseal-cert-keyfile-pwd N}P+\kmv*?D>#}g:

webseal-cert-keyfile-pwd = pdsrv

201,WebSEAL 9Cf"D~4q!\?D~\k#

webseal-cert-keyfile-pwd Q"Mt#9Cf"D~,I\bZ

webseald.conf dCD~P+\kT>*D>#

":!{zk*9CDX(\kN}D"M#g{,18(K\kMf

"D~,r+9CC\k5#

WebSEAL bT$i:

201,WebSEAL +a)G2+DT)bT$i#w*~qwK$iD

bT$iJm WebSEAL T SSL M'zmwT:m]#

*|CXXFKbT$iD9C,4+$i20*1!$i#xG9C

webseal-cert-keyfile-label N}+$i8(*n/D~qwK$i,"

2GZ\?D~}]bP8(*01!51DyPd|$i#

webseal-cert-keyfile-label = WebSEAL


d;KbT$iJm WebSEAL TtC SSL D/@wkswvl&,+

;\I/@w(;|,J1Dy CA $i)i$$i#IZ?N

WebSEAL V"P<|,K1!$iD(C\?,K$i;a)f}D2

+(E#

Xk9C iKeyman 5CLr4zII;"MAO$PD(CA) D$i

ks#9C iKeyman 20"*5XD~qw$iSj)#

g{Td|=8(}g –K *a)9C;,D$i,rIT9C

iKeyman 5CLr4("20$i"*b)$iSj)#C\?D~j

);\|,Uq#

WebSEAL(1!ivBT user ivmgr KP)XkTb)\?}]bD

~_PA(r)mI(#

kND Z2173D:9C iKeyman \m$i;#

Z? Policy Director ~qw SSL (E:

webseald.conf dCD~D [ssl] Z|,Dv=SN},CZdC

WebSEAL CZkd| Policy Director ~qwxPZ? SSL (Ey9C

D\?D~#v&1(} pdconfig dCE>^Db)N}#

[ssl]
ssl-keyfile =
ssl-keyfile-pwd =
ssl-keyfile-stash =
ssl-keyfile-label =

9C iKeyman $i\m5CLriKeyman 5CLrG GSKit a)D$_,IC4\m WebSEAL 9C

D}V$i#+ iKeyman CZ:

¶ 4(;vr`v\?}]b

¶ |D\?}]b\k

¶ 4(B WebSEAL $i

¶ hCB1! WebSEAL $i

¶ 4(CZbTDT)$i


¶ ksMSU CA y$i

¶ r}]bmS$irS}]b>}$i

¶ +$iS;v}]b4F=m;v}]b

XZ9C iKeyman 4Pb)|nDj88>E",kNDZ2173D

:9C iKeyman \m$i;#

dC CRL li$i7zPm(CRL)G;V@9^C$iDi$D=(# CRL |,;

O*;IED$iDj6#WebSEAL 9CD SSL D GSKit 5V'V

CRL li# GSKit Jm WebSEAL TM'zK$iM4T SSL *a

D$i4P CRL li#

WebSEAL Xk*@CPmD;C,Tc4P CRL li#LDAP ~qw

;CDN}(IZ$iO$ZdN<KN}CZ CRL li)IZ

webseald.conf dCD~D [ssl] ZPR=:

[ssl]
#ssl-ldap-server = <server-name>
#ssl-ldap-server-port = <port-id>
#ssl-ldap-user = <webseal-admin-name>
#ssl-ldap-user-password = <admin-password>

1!ivB,CRL liG{CD(N};"Mt)#*Z$iO$Zdt

C CRL li,k!{?vN}D"b"dkJ1D5#

ssl-ldap-user DU5m> SSL O$zF&w*d{C's(= LDAP

~qw#

dC1!#$6p

(}dC#$6p(QOP)ITXF(} SSL(HTTPS)CJ WebSEAL

yhD1!S\6p#I9C webseald.conf dCD~D0SSL

QUALITY OF PROTECTION MANAGEMENT1?VPDN}XF1!

#$6p\m:

¶ 9C ssl-qop-mgmt N}tCM{C QOP \m

¶ Z [ssl-qop-mgmt-default] ZP8(JmDS\6p


1. tC#$6p\m:

[ssl-qop]
ssl-qop-mgmt = yes

2. 8( HTTPS CJD1!S\6p:

[ssl-qop-mgmt-default]
# default = ALL | NONE | <cipher-level>
# ALL (enables all ciphers)
# NONE (disables all ciphers and uses an MD5 MAC check sum)
# DES-40
# DES-56
# DES-168
# RC2-40
# RC2-128
# RC4-40
# RC4-128
default = ALL

":z2IT8(!(DS\==i:

[ssl-qop-mgmt-default]
default = RC4-128
default = RC2-128
default = DES-168

*%@wzMxgdC QOPssl-qop-mgmt = yes N}2ItCvVZ [ssl-qop-mgmt-hosts] M

[ssl-qop-mgmt-networks] ZPDyPhC#b)ZJm(}X(wz

/xg/xgZk IP X7xxPD#$6p\m#

[ssl-qop-mgmt-default] ZPvKCZk [ssl-qop-mgmt-hosts] M

[ssl-qop-mgmt-networks] ZPDX7;%dDyP IP X7DS\=

=#

wzDdCo(>}:

[ssl-qop-mgmt-hosts]
# <host-ip> = ALL | NONE | <cipher-level>
# ALL (enables all ciphers)
# NONE (disables all ciphers and uses an MD5 MAC check sum)
# DES-40
# DES-56
# DES-168
# RC2-40
# RC2-128


# RC4-40
# RC4-128
xxx.xxx.xxx.xxx = ALL
yyy.yyy.yyy.yyy = RC2-128

xg/xgZkDdCo(>}:

[ssl-qop-mgmt-networks]
# <network/netmask> = ALL | NONE | <cipher-level>
# ALL (enables all ciphers)
# NONE (disables all ciphers and uses an MD5 MAC check sum)
# DES-40
# DES-56
# DES-168
# RC2-40
# RC2-128
# RC4-40
# RC4-128
xxx.xxx.xxx.xxx/255.255.255.0 = RC4-128
yyy.yyy.yyy.yyy/255.255.0.0 = DES-56

a) [ssl-qop-mgmt-hosts] M [ssl-qop-mgmt-networks] ZvCZ

rsf]T#;Fv9C|GCZ Policy Director 3.8 dC#

dCZ(}]b|BMV/\m~qwCZ\mwZ(_T}]b,"R,$XZ2+rPd|

Policy Director ~qwD;CE"#Policy Director \m1IZNN1r

T2+rw2+T_T|D#^[N15V2+T_T|D1,\m~

qw<+TwZ(}]bwvX*Dw{#

1\m~qwTwZ(}]bw|D1,|I"vC|DD(*x2+

rP'V%@_T5)Lr(g WebSEAL)DyP1>}]b#;s_

T5)LrXkSwZ(}]bks5J}]b|B#

w*J4\mwM_T5)LrD WebSEAL _P}v!n,CZq!

XZZ(}]b|DDE":

¶ l}4T\m~qw|B(*(IdC"Z1!ivBtC)#

¶ T;(D1ddtli(V/)wZ(}]b(IdC"Z1!i

vB{C)#

¶ ,1tCl}MV/#


webseald.conf dCD~D [aznapi-configuration] Z|,CZdC|

B(*l}M}]bV/DN}#

A WebSEAL D>X1>Z(_T}]bD76I db-file N}(e:

[aznapi-configuration]
db-file = /var/pdweb/db/webseald.db

dC|B(*l}listen-flags N}CZtCM{CI WebSEAL 4PD|B(*l}#1

!ivB,+tCl}#*{Cl},kdk0disable1#

[aznapi-configuration]
listen-flags = enable

tcp-port N}CZdCl}wD TCP KZ:

[aznapi-configuration]
tcp-port = 12056

udp-port N}CZdCl}wD TCP KZ:

[aznapi-configuration]
udp-port = 0

dCZ(}]bV/ITdC WebSEAL (ZV/wZ(}]bTq!|BE"#

cache-refresh-interval N}IThC*0default1"0disable1rTkhC

X(1ddt#0default1hCHZ 600 k#1!ivB{CV/#

[aznapi-configuration]
cache-refresh-interval = disable

4F0K WebSEAL ~qw

":TBE"If;ZT0D Policy Director Df>P9CDT0D

pdadmin server modify baseurl |n#

Z_:X73P,4F0K WebSEAL ~qwGP{D,Ia)|CD

:X=bMJO*F\&#4F0K WebSEAL ~qw1,?v~qw

Xk|, Web Ud"*a}]bM dynurl }]bD+71>#


Policy Director DKf>'V4F0K WebSEAL ~qwDV$dC}

L#KNq;Y9C pdadmin |n#

TB>}P0WS11Gw WebSEAL ~qwDwz{#0WS21G1>

WebSEAL ~qwDwz{#

1. Z WS1 M WS2 ~qwO,120MdC WebSEAL#

2. Z WS2 O#9 WebSEAL#

3. Z WS2 O,+ webseald.conf dCD~PD server-name N}5

S0WS21|D*0WS11#

[server]
server-name = WS1

4. Z WS2 OXBt/ WebSEAL#

WS2 ~qwVZ9CTs /WebSEAL/WS1 w*Z(@@Dy!#WS2 ~

qw2IT*$tZ /WebSEAL/WS1 BDTsl& object list M objectshow |n#

pdadmin 5CLrTa+ /WebSEAL/WS2 Tsw*TsUdD;?VP

v#KTsVZQ^be,IT}%|:

pdadmin> object delete /WebSEAL/WS2

u~:

¶ 3;DTsUd\m:d;%;TscNa9TZ\m1GI{

D,+yP4FD WebSEAL ~qw<*\=&CZCTscNa9

D\m|nD0l"RyP~qw<\l&b)|n#

¶ 3;DZ(@@:g{+~qw WS2 dC*~qw WS1 D1>,

r~qw WS2 +9C /WebSEAL/WS1 w*Z(@@Dy!#

¶ 3;DdC:*K90K WebSEAL 4F}75Vd&\,?(~q

wOD Web Ud"*a}]bM dynurl }]bdCXkG`,D#


dCj< HTTP G<

WebSEAL ,$}v#fD HTTP U>D~,|GG<n/x;G{":

¶ request.log

¶ agent.log

¶ referer.log

1!ivB,b)U>D~,$ZTB?<B:

UNIX:/var/pdweb/www/log/

Windows: C:\Program Files\Tivoli\PDWeb\www\log\

dCj< HTTP G<U>DN};Z >webseald.conf dCD~D

[logging] ZP#

Bm5wK HTTP U>D~MdCD~N}dDX5:

Log file       Location parameter   Enable/disable parameter (= yes or no)
request.log    requests-file        requests
referer.log    referers-file        referers
agent.log      agents-file          agents

}g,request.log D~D1!;Cu?gB:

UNIX:

requests-file = /var/pdweb/www/log/request.log

Windows:

requests-file = \Program Files\Tivoli\PDWeb\www\log\request.log

tCM{C HTTP G<U>

1!ivB,tCyPD HTTP G<U>:


[logging]
requests = yes
referers = yes
agents = yes

I@"Zd|U>tCM{C?vU>#g{hCN}*0no1,r{

CCD~DG<#

8(1dAGD`MzIT!qx?vU>D~SO1dAG,1dICqV~Nj<1d

(GMT)fz>X1x4G<#1!ivB,9C>X1x:

[logging]
gmt-time = no

*9C GMT 1dAG,hCgB:

gmt-time = yes

8(U>D~*fP5

max-size N}CZ8(?v HTTP U>D~ITv$Dnss!,|_

PTB1!5(TVZF):

[logging]
max-size = 2000000

1U>D~=o8(D5 * 4y=D*fP5 * 10D~;8]=;

v,y{Fs=SP10UZM1dAGDD~P#;s+*<;vB

DU>D~#

;,DI\ max-size 5DbMgB:

¶ g{ max-size 5!Z 0(< 0),r+Z?NwCG<U>xLM

SC5}*<? 24 !1<4(BDU>D~#

¶ g{ max-size 5HZ 0(= 0),r;4P*fRU>D~^^v

$#g{U>D~Q-fZ,+=SOBD}]#

¶ g{ max-size 5sZ 0(> 0),r1U>D~o=dCDP51

+4P*f#g{t/1U>D~Q-fZ,+=SOBD}]#


8("BU>D~:exD5JU>D~G4k:e}]wD#g{G51`SU>D~,zI\k|

D~qw4PU>D~:ex"BD5J#

1!ivB,U>D~? 20 k"B;N:

[logging]
flush-time = 20

g{8(K:5,+Z?N4kG<s4P"B#

dC request.log PG<DZ]$HW e b S E A L T/SsK*aD&CLr~qw}K2, H T M L

URL#webseald.conf dCD~PD [filter-url] Z(eK WebSEAL S

sK~qwl&}KD URL tT#kNDZ1533D:}K4T*a~

qwD2, HTML URL;#

1SsK*aD~qwksDZ]|,6kD URL 1,WebSEAL +(

}Z760mS*ac4}K URL V{.#Z]5X/@w1,M'z

ITI&X9C URL#

rx5XA/@wDnU3fZ]$HaT"sZS*aD~qw5X

WebSEAL D-<Z]$H#

Policy Director WebSEAL DKf>JmzdC request.log D~(g

{QtC)G<DZ]$H#IT+ webseald.conf dCD~D

[logging] ZPD log-filtered-pages N}hC*G<cVZs!r4}

KDVZs!#

*G<4}KDVZs!,k+N}hC*0yes1(1!5):

[logging]
log-filtered-pages = yes

*G<cVZs!,k+N}hC*0no1:

[logging]
log-filtered-pages = no


HTTP +2U>q=(CZ request.log)Policy Director ~qw"MXD?vl&(I&r'\)<+9CgBD

HTTP +2U>q=G<Z request.log D~D;Pu?P:

host - authuser [date] request status bytes

dP:

host 8("vksDzwD IP X7#

authuser CVNqCQSUD HTTP ks From: 7D5#

0unauth15CZ4O$DC'#

date 8(ksDUZM1d#

request 8(4TM'zKDksDZ;P#

status 8("X="vksDzwD HTTP 4,k#

bytes 8("X="vksDzwDVZ}#K5 * 4}KD

Z]s!rcs! * 9C log-filtered-pages N}d

C#

T> request.log D~request.log G< HTTP ksDj<G<U>,}gXZksD URL D

E"MXZwvksDM'zDE"(}g IP X7)#

TB>}T>K request.log D~Dy>f>:

130.105.1.90 - - [26/Aug/2001:17:23:33 -0800] "GET /xsmith/private_html/ HTTP/1.0" 403 77
130.105.1.90 - - [26/Aug/2001:17:23:47 -0800] "GET /icons HTTP/1.0" 302 93
130.105.1.90 - - [26/Aug/2001:17:23:59 -0800] "GET /icons/ HTTP/1.0" 403 77
130.105.1.90 - - [26/Aug/2001:17:24:04 -0800] "GET /xsmith/private_html/ HTTP/1.0" 403 77
130.105.1.90 - - [26/Aug/2001:17:24:11 -0800] "GET /xsmith/ HTTP/1.0" 403 77

T> agent.log D~agent.log D~G< HTTP ksPD User_Agent: 7DZ]#CU>

T>?vksDM'/@wE",}ge5a9rf>E#


TB>}T>K agent.log D~Dy>f>:

Mozilla/4.01 [en] (WinNT; U)
Mozilla/4.01 [en] (WinNT; U)
Mozilla/4.01 [en] (WinNT; U)
Mozilla/4.01 [en] (WinNT; U)

T> referer.logreferer.log G< HTTP ksD Referer: 7#TZ?vks,U>G

<K|,yksD5D4SDD5#

U>9CTBq=:

referer -> object

CE"TZzYb?=z Web UdD5D4S\PC#U>T>,I

referer 8(D4|,=3f object D4S#CU>JmzzY''4,

"iw-Z4(kzD5D4S#

TB>}T>K referer.log D~Dy>f>:

http://manuel/maybam/index.html -> /pics/tivoli_logo.gif
http://manuel/maybam/pddl/index.html -> /pics/tivoli_logo.gif
http://manuel/maybam/ -> /pddl/index.html
http://manuel/maybam/ -> /pddl/index.html
http://manuel/maybam/pddl/index.html -> /pics/tivoli_logo.gif
http://manuel/maybam/ -> /pddl/index.html


WebSEAL 2+T_T

>B|,hvgNdCM(F WebSEAL 2+T_TDE"#

wbw}:

¶ :X(Z WebSEAL D ACL _T;

¶ Z533D:}N%wG<_T;

¶ Z543D:\k?H_T;

¶ Z583D:O$?H POP _T(]});

¶ Z633D:yZxgDO$ POP _T;

¶ Z663D:#$6p POP _T;

¶ Z673D:&m4O$DC'(HTTP/HTTPS);

X(Z WebSEAL D ACL _T

TB2+T"bBnJCZ\#$TsUdPD /WebSEAL ]w:

¶ WebSEAL TsGTsUdD WebSEAL xrP ACL LP4Dpc

¶ g{;&CNNd|T= ACL,KTs+((}LP)*{v Web

Ud(e2+T_T

¶ *CJKTs0CcTBDNNTs,Xk5PizmI(

XZ Policy Director ACL _TDj{E",kN<6Tivoli SecureWay

Policy Director Base \m8O7#

3


/WebSEAL/<host>KSw|,X( WebSEAL ~qwD Web Ud#TB2+T"bBn

JCZKTs:

¶ *CJKTs0CcTBDNNTs,Xk5PizmI(

¶ g{;&CNNd|T= ACL,KTs+((}LP)*CzwOD

{vTsUd(e2+T_T

/WebSEAL/<host>/<file>bG* HTTP CJliDJ4Ts#liDmI(!vZ}ZksDY

w#

WebSEAL ACL mI(BmhvKJCZTsUdP WebSEAL xrD ACL mI(:

Yw hv

r A! i4 Web Ts#

x 4P KP CGI Lr#

d >} S Web UdP}% Web Ts#

m ^D EC HTTP Ts#(Z WebSEAL TsUdPEC *

"< * HTTP Ts#)

l Pm \m~qwh*|4zI Web UdDT/?<Pm#

CmI(,1\mZ1!D “index.html” 3f;fZ1

M'zGq\i4?<Z]Pm#

g /I T WebSEAL ~qwZhEN,9C~qwd1*M'

z"+ks+]x*aD WebSEAL ~qw#

1! /WebSEAL ACL _TWebSEAL ACL default-webseal DKDu?|,:

Group iv-admin          Tcmdbsvarxl
Group webseal-servers   Tgmdbsrxl
User sec_master         Tcmdbsvarxl
Any-other               Trx
Unauthenticated         T

201,C1! ACL =SATsUdPD /WebSEAL ]wTs#


i webseal-servers |,2+rP?v WebSEAL ~qwDu?#1!

mI(Jm~qwl&/@wks#

izmI(Jmg Web Portal Manager y>DGy)9 Web Ud#P

mmI(Jm Web Portal Manager T> Web UdDZ]#

}N%wG<_T

}N%wG<_TICZyZ LDAP D Policy Director 20,9zIT

8('\G<"TDnsN}(n)MM#Tbx1d(x),}g,Z

“n” N'\DG<"Ts+KC'bx “x” k(r_{CKJE)#

}N%wG<_TCZh9Fcz\k%w#K_T4(K;vu~,

C'ZxP|`'\DG<"T0XkH};N1d#}g,_TIT

f(Z 3 N'\"Ts,h*H} 180 kDM#T1d#bVG<_T

`MITh9?kP`N"zFczfzzIDG<"T#

}N%wG<_Th*=v pdadmin policy |nhCD*O:

¶ '\G<"TDns}?

policy set max-login-failures

¶ ,}'\G<"ThCDM#

policy set disable-time-interval

M#hCIT|,J'bx1ddtr_J'Dj+{C#

}g,g{G<_ThCIZ}N'\"TsP;N8(DM#bx1

d,r1ZDN"T(}7r;}7)"zs,+vVms3f,C3

fywIZ\k_TD&C,KJ']1;IC#

1ddtCk8( * FvDn!1ddt* 60 k#

g{ disable-time-interval _T;hC*0disable1,C'+;bxZ

J'b,"RCC'D LDAP J'P'tT;hC*0q1#\m1(}

Web Portal Manager XBtCJ'#

":+ disable-time-interval hC*0disable1a<B=SD\m*z#

+J'P'E"4F= WebSEAL ~qw1,I[l=SY#bV


iv!vZ LDAP 73#|BJ'P'DYwI\a<B3)

LDAP 5VvVT\5M#IZb)-r,Fvz9C,11dd

t#

|no(TBD pdadmin |nvJZk LDAP "am;p9C#

|n hv

policy set max-login-failures {<number>|unset} [-user <username>]

policy get max-login-failures [-user <username>]

\m_T,C_TXFZ5)M#0'\G<"TDns

N}#K|n!vZ policy set disable-time-interval |

nPhCDM##

w*\m1,I+K_T&C=X(C'r_+VTX&

C=Z LDAP "amPPvDyPC'#

1!hC* 10 N"T#

policy set disable-time-interval {<number>|unset|disable} [-user <username>]

policy get disable-time-interval [-user <username>]

\mM#_T,C_TXF1o="TG<'\Dns5

1KJ'+{CD1d\Z#

w*\m1,I+KM#_T&C=X(C'r_+VT

X&C=Z LDAP "amPPvDyPC'#

1!hC* 180 k#

\k?H_T

\k?H_TICZyZ LDAP D Policy Director 20,G8I\k_

TfrSx\ka9D<(# Policy Director a)=VXF\k?H_

TD=(:

¶ ev pdadmin \k_T|n

¶ Jm(F\k_TDIekO$#i(PAM)#


kN<6Tivoli SecureWay Policy Director WebSEAL *"_N<s

+7#

I pdadmin 5CLrhCD\k?H_T(} pdadmin 5CLr5VDev\k?HtT|,:

¶ n!\k$H

¶ n!V8V{}

¶ n!GV8V{}

¶ nsX4V{}

¶ GqJmUq

9C pdadmin r Web Portal Manager 4(C',T09C pdadmin"

Web Portal Manager r pkmspasswd 5CLr|D\k1,+?F&

Cb)_T#

|no(TBD pdadmin |nvJZk LDAP "am;p9C#unset !n{

CK_TtT * 4;?F&C_T#

|n hv

policy set min-password-length {<number>|unset} [-user <username>]

policy get min-password-length [-user <username>]

\mXF\kn!$HD_T#

w*\m1,I+K_T&C=8(C',r_+VTX

&C=1!"amPPvDyPC'#

1!hC* 8#

policy set min-password-alphas {<number>|unset} [-user <username>]

policy get min-password-alphas [-user <username>]

\mXF\kPJmDV8V{n!}?D_T#

w*\m1,I+K_T&C=8(C',r_+VTX

&C=1!"amPPvDyPC'#

1!hC* 4#


|n hv

policy set min-password-non-alphas {<number>|unset} [-user <username>]

policy get min-password-non-alphas [-user <username>]

\mXF\kPJmDGV8(}V)V{n!}?D_

T#

w*\m1,I+K_T&C=8(C',r_+VTX

&C=1!"amPPvDyPC'#

1!hC* 1#

policy set max-password-repeated-chars {<number>|unset} [-user <username>]

policy get max-password-repeated-chars [-user <username>]

\mXF\kPJmDX4V{}ns5D_T#

w*\m1,I+K_T&C=8(C',r_+VTX

&C=1!"amPPvDyPC'#

1!hC* 2#

policy set password-spaces {yes|no|unset} [-user <username>]

policy get password-spaces [-user <username>]

\mXF\kGqI|,UqD_T#

w*\m1,I+K_T&C=8(C',r_+VTX

&C=1!"amPPvDyPC'#

1!hC* unset#

1!_TN}5

BmPvK_TN}0d1!5:

Parameter                      Default value
min-password-length            8
min-password-alphas            4
min-password-non-alphas        1
max-password-repeated-chars    2
password-spaces                not set


*4(Z Policy Director H0"PfPD\k_TYw,k+ unset !

n&CZOfPvDev\kPD?;v#

P'M^'D\k>}Bm5w;)\k>}M9Cbev pdadmin N}D1!5C=D_T

a{:

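Example      Result
password     Not valid: must contain at least one non-alphabetic character.
pass         Not valid: must contain at least 8 characters.
passs1234    Not valid: contains more than two repeated characters.
12345678     Not valid: must contain at least 4 alphabetic characters.
password3    Valid.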

X(C'M+VhC

(9C - user !n)I*X(C'hC pdadmin policy |n,(;

9C - user !n)I+VXhC pdadmin policy |n#NNX(Z

C'DhC<+2G_TD+VhC#2I{C(unset)3v_TN

},bb6ECN};|,NN5#;li";?F&CNNxP unset!nD_T#

}g:

pdadmin> policy set min-password-length 8

pdadmin> policy set min-password-length 4 -user matt

pdadmin> policy get min-password-length

n!\k$H:8

pdadmin> policy get min-password-length -user matt

n!\k$H:4

(C' matt _P 4 V{Dn!\k$H_T;yPd|C'_P 8 V

{Dn!\k$H_T#)

pdadmin> policy set min-password-length unset -user matt

(C' matt \^Z 8 V{D+Vn!\k$H_T#)


pdadmin> policy set min-password-length unset

(yPC',|(C' matt,VZ;Pn!\k$H_T#)

O$?H POP _T(]})

O$?H POP _T9yZd9CDO$=(TTsxPXFCJI*I

\#

IT9Cbn&\ * P1F*]}O$ * 47#CJ|tPJ4DC

'9C|?DO$zF#IZ|sDG(CJ~2,zI\h*bnu

~#

}g,I(}&C]} POP _T4r Web UdD*axra)|sD

2+T,C_T*sHC'nuxk WebSEAL r19CDO$P|?

6pDO$#

O$?H_TZ POP _TD0IP KcO$=(1tTPhC#

dC]}O$D6pdCX(ZO$DCJDZ;=GdCy'VDO$=("7(b)=

(D?HNr#

CJ WebSEAL ~qwDNNM'z<PO$6p,}g04O$1r

0\k1#b)6pm>M'zO;Nr WebSEAL O$yCD=(#

3)ivB,PX*TCJ3) Web UdTsyhDO$?F9CnM

02+16p#}g,Z3v73B,IjG(Pzk4PDO$;O

*HIC'{M\k4PDO$|2+#d|73I\P;,Dj<#

1M'z;zcO$yhD6p1,]}O$zFxhM'zZ~Nz

a9Cyh=((6p)XBO$,x;G?FM'zXBt/k

WebSEAL Da0#

]}O$b6E1C'"TCJ*sHG<6p0|_1O$6pDJ

41,;a"LT>0\x1{"#`4X,+T>BDO$a>,*

s'V|_O$6pDE"#g{\;a)C6pDO$,-4Dks

+;Jm#


Z]}O$zFP,WebSEAL 6p9CD 3 VO$=((6p):

¶ 4O$

¶ \k

¶ jG(

Z webseald.conf dCD~D [authentication-levels] ZPdCO$6

p#nu;dC=v6p:

[authentication-levels]
level = unauthenticated
level = password

yZPmPD=(3r,*?V=(8(;v6pw},6'S 0 = 2#

¶ 04O$1=(Xk<UGPmPDZ;v,rK;Vd6pw}

0#

¶ sL=(I4NN3rEC#

kNDZ623D:]}O$"bBnM^F;#

¶ 1!ivB,0\k1GB;v6p * ;Vd6pw} 1#

¶ XkAYP=vu?4tC]}O$#

":XZhCyhO$zFDj8E",kNDZ693D:WebSEAL O

$;#

tC]}O$

]}O$(}SZTsOD POP _T45V,b)Ts*sTO$tP

DZ(#IT9C POP _TD0IP KcO$=(1tT#

pdadmin pop modify set ipauth |nZ0IP KcO$=(1tTP

8(JmDxgMXhDO$6p#

ydCDO$6pIk IP X76'`4S#C=(bZa)\min

T#g{C IP X7}KC'";X*,IT* anyothernw(NNd|

xg)hC%vu?#ChC+0lyPCJDC'(;\ IP X7*

N),"*s|GZ8(D6pO$#bG5V]}O$DnUi=

(#


o(:

pdadmin> pop modify <pop-name> set ipauth anyothernw <level-index>

anyothernw u?;Cwxg6',|%dZ POP P;P8(DyPx

g#C=(;C44(1!u?,|IT\xyP;%dD IP X7rJ

mzcO$6p*sDyPKCJ#

1!ivB,anyothernw TO$6pw} 0 T>Z POP P#Cu?

Z pop show |nPT>*0NNd|xg1:

pdadmin> pop show test
\#$Ts_T: test
hv: Test POP
/f: no
sF6p: none
#$6p: none
?UDCJ1d:sun, mon, tue, wed, thu, fri, sat:anytime:local
IP KcO$=(_T
NNd|xg 0

>}

1. Z webseald.conf PdCO$6p:

[authentication-levels]
level = unauthenticated
level = token-card

2. dC0IP KcO$=(1POP tT:

pdadmin> pop modify test set ipauth anyothernw 1

pdadmin> pop show test
\#$Ts_T: test
hv: Test POP
/f: no
sF6p: none
#$6p: none
?UDCJ1d:mon, wed, fri:anytime:local
IP KcO$=(_T
NNd|xg 1

TZu<T04O$1(6p 0)CJDyPC',C_T*s]}

=jG(O$=((6p 1)#+TyPCJ POP _T#$TsD4

O$C'T>a>,*sdkC'{MjG(Pzk#


m{Z633D:yZxgDO$ POP _T;#

]}G<m%yksJ4D]} POP _T?FM'zXBO$1,WebSEAL +T>

Xbm%#C HTML m%D;CI webseald.conf dCD~ [acnt-mgt]ZPD stepup-login N}48(#

[acnt-mgt]
stepup-login = stepuplogin.html

zITdCC HTML m%4zczD*s,d==kdC login.html r

tokenlogin.html m%D==`,#

CD~|,q=* %TEXT% rPDj,|G+;J1D5!z#Kfz

Z WebSEAL D#eD~&m/}Z?xP,"JmCm%CZq=}

7D\kMjGO$=(#JmZm%P*C'a)d|E",}gm

s{"M=({F(+]})#

< 11. C'{M\k]}DG<m%


]}O$c(WebSEAL 9CTBc(&m POP PDu~:

1. li POP OD IP KcO$=(_T#

2. li ACL mI(#

3. li POP OD?U1d_T#

4. li POP ODsF6p_T#

]}O$"bBnM^F

1. ]}O$Z HTTP M HTTPS O<\'V#

2. ;\S HTTP -i]}= HTTPS#

3. 4O$(#XkG6pPmPDZ;v=(,;\vVZPmDd

|X=#

4. =(;\Z6pPmP8(;N#

5. $iO$;G]}O$D'V=(#

< 12. SecurID jG(Pzk]}DG<m%


":]}O$5JO+M'zK$iw*;VXbiv&m#g{

M'z9CM'zKD$iCJ WebSEAL,R WebSEAL dC

*S\$i,rM'zw*4O$DM'zT}(6pw}*

0)#

S=(: I]}A:

4O$ \kjG(

\k jG(

jG( \k

6. O$6pIO$=(m>,bb6E;I\*C6pDO$8(+

7DO$zF#

O$=(ITI`VO$zF'V,|(>XO$LrM(FDb

?O$Lr#

dCK,;O$=(`MD`v5}1,WebSEAL q-X(Dfr

T7(!qDvO$Lr#

7. g{P 3 vQdCD6p,P'w}5*:0"1"2#g{dCKd

|w}5,Zks=SKC POP DTs1+T>vm3f#

8. webseald.conf dCD~P]}O$6pDmsdC+<B WebSEAL

P{C]}&\#KivI\<BbbDO$P*,}g*\ POP #

$DTszI\kG<3f,x POP *sjG(PzkO$=(#

dC]}O$6ps,kZ webseald.log D~PliNNdCms

(f#

yZxgDO$ POP _T

yZxgDO$ POP _T9yZC' IP X7TTsDXFCJI*I

\#IT9CC&\4@98(D IP X7(r IP X76')CJ2+

rPDNNJ4#

2ITTK_T&CO$dC,"*s?v8(D IP X76'DXbO

$=(#

yZxgDO$_TZ POP _TD0IP KcO$=(1tTPhC#X

kZCtTP8(=vX*u~:


¶ O$6p

¶ JmDxg

dCO$6pZ]}O$zFP,WebSEAL 6p9CD 3 VO$=(:

¶ 4O$

¶ \k

¶ jG(

yZPmPD=(3r,*?V=(8(;v6pw},6'S 0 = 2#

Z webseald.conf dCD~D [authentication-levels] ZPdCO$6

p#nu;dC=v6p:

[authentication-levels]
level = unauthenticated
level = password

ZdCyZxgDO$1IT9C1!hC#ZbVivB,04O

$1*6p 0,0\k1*6p 1#

m{Z583D:dC]}O$D6p;#

8( IP X7M6'VZXk8(C POP _TJmD IP X7M IP X76'#

pdadmin pop modify set ipauth add |nZ0IP KcO$=(1t

TP8(xg(rxg6')MXhDO$6p#

o(:

pdadmin> pop modify <pop-name> set ipauth add <network> <netmask> <level-index>

ydCDO$6pIk IP X76'`4S#C=(bZa)inT#g

{C IP X7}KC'";X*,IT* anyothernw(NNd|xg)

hC%vu?#ChC+0lyPCJDC'(;\ IP X7*N),"

*s|GZ8(D6pO$#


o(:

pdadmin> pop modify <pop-name> set ipauth anyothernw <level-index>

`4X,g{#{vTO$6p,;kyZ IP X7Jmr\xCJ,I

TTJmxkD6'9C6p 0 xT\xD6'9C0forbidden1#

anyothernw u?Cwk4Z POP P8(DyPxg%dDxg6'#

C=(;C44(1!u?,|IT\xyP;%dD IP X7rJmz

cO$6p*sDyPKCJ#

1!ivB,anyothernw TO$6pw} 0 T>Z POP P#Cu?

Z pop show |nPT>*0NNd|xg1:

pdadmin> pop show test
\#$Ts_T: test
hv: Test POP
/f: no
sF6p: none
#$6p: none
?UDCJ1d:sun, mon, tue, wed, thu, fri, sat:anytime:local
IP KcO$=(_T
NNd|xg 0

*qCPXhCO$6pDj8V[,kN<Z583D:dC]}O$

D6p;#

>}

*s IP X76'* 9.0.0.0 MxZk* 255.0.0.0 DC'9C6p 1 O

$(1!ivB*0\k1):

pdadmin> pop modify test set ipauth add 9.0.0.0 255.0.0.0 1

*sX(C'9C6p 0 O$:

pdadmin> pop modify test set ipauth add 9.1.2.3 255.255.255.255 0

@9yPC'(}KZO}P8(DG)C')CJTs:

pdadmin> pop modify test set ipauth anyothernw forbidden


y] IP X7{C]}O$

o(:

pdadmin> pop modify <pop-name> set ipauth remove <network> <netmask>

}g:

pdadmin> pop modify test set ipauth remove 9.0.0.0 255.0.0.0

yZxgDO$c(WebSEAL 9CTBc(&m POP PDu~:

1. li POP OD IP KcO$=(_T#

2. li ACL mI(#

3. li POP OD?U1d_T#

4. li POP ODsF6p_T#

yZxgO$"bBnM^F

WebSEAL CZ4PyZxgDO$_Ty9CD IP X7&C* TCP ,

S"E=D IP X7#g{xgXKa99C HTTP zm,r WebSEAL

T>DX7I\*zm~qwD IP X7#

ZbVivB,WebSEAL ^(w7j6f}DM'z IP X7#ZhC

yZxgDO$_T1Xk!D,C_TJmxgM'z1Sk

WebSEAL ~qw,S#

#$6p POP _T

#$6p POP tTJm8(TTs4PYw1yhD}]#$6p#

10,CtT;JCZ WebSEAL 73#

#$6p POP tTzfK0P1M0I1ACL mI(;,b=vmI(;

Z Policy Director T0Df>P$n#\TMj{T*s#CID#$

6p5V=(;\a)dV#$,"a0l53T\#


#$6p POP tTJm%vBq,dPT ACL P(D0G1l&2|

,XhD#$6p#g{J4\mw(}g WebSEAL);\#$XhD

#$6p,+\xCks#

pdadmin> pop modify <pop-name> set qop {none|integrity|privacy}

QOP 6p hv

#\T *s}]S\(SSL)#

j{T 9C3vzFT7#}];P;|D#

}g:

pdadmin> pop modify test set qop privacy

&m4O$DC'(HTTP/HTTPS)

WebSEAL S\QO$M4O$DC'(} HTTP M HTTPS avDk

s#;s WebSEAL @?Z(~q,(}Jmr\xT\#$J4DC

J4?F&C2+T_T#

TBu~&CZ(} SSL CJD4O$C':

¶ 4O$C'M WebSEAL .dDE";;GS\D * g,kQO$

C';;E"#

¶ 4O$C'M WebSEAL .dD SSL ,S;*s~qwKO$#

&m4Td{M'zDks

1. d{M'z((} HTTP r HTTP)avksA WebSEAL#

2. WebSEAL *KM'z4(4O$D>$#

3. xPC>$DksLx"M=\#$D Web Ts#

4. Z(~qliKTsZ4O$D ACL u?ODmI(,"Jmr\

xksDYw#

5. TKTsDI&CJ!vTBu~:4O$D ACL u?AY|,A

!(r)Miz(T)mI(#

6. g{ks4(}Z(P(,C'+SU=;EG<m%(BA ryZ

m%)#


?FC'G<(}T#$ksTsD ACL _TPD4O$u?}7hCJ1DmI

(,I?F4O$C'G<#

A!(r)Miz(T)mI(JmTTsxP4O$DCJ#

*?F4O$C'DG<,kS#$TsD ACL _TPD4O$u?O

}%A!(r)mI(#C'+SU=G<a>(BA ryZm%)#

4O$ HTTPS D&CPm`5JDLq-r,h*'V(} HTTPS T WebSEAL D4O$

CJ:

¶ P)&C;h*vKG<,+h*3)tPE",gX7MEC(

E#d>}|(Z_:rIz1Md|L7#

¶ P)&C*szZxPx;=;W.0*C5q"aJ'#YN,

tPE"(}xgxP+]#

9C ACL/POP _TXF4O$C'

":0+O$1u?`Mk0Nbd|1u?`MH[#

1. *Jm4O$C'CJ+2Ts,kCAY|,4O$DM+O$

u?DA!(r)Miz(T)mI(D ACL 4#$+CZ]:

4O$ Tr+O$ Tr

":17(mI(1,4O$u?G;vTU+O$u?DZk

(p;0k1Yw)#;P14O$mI(,1vVZ+O$u

?P1,EITZ(4O$DmI(#IZ4O$!vZ+O

$,|,4O$x;P+O$M;PbeK#g{ ACL 75|

,4O$x;P+O$,1!l&G;r4O$ZhmI(#

2. *qCS\(SSL),k9C\#$Ts_T(Protected Object

Policy,POP)#$Z],C_T+#\T8(*;vu~#

kNDZ663D:#$6p POP _T;#


WebSEAL O$

>BV[K WebSEAL gN,$a04,T0&mO$}L#O$I&

s+zI;vzmC'D Policy Director m]#WebSEAL 9CKm]

*CC'q!>$#Z(~q9Cb)>$Jmr\xCJ\#$J

4#

wbw}:

¶ Z703D:KbO$}L;

¶ Z733D:\ma04,;

¶ Z833D:O$dCEv;

¶ Z873D:dCy>O$;

¶ Z893D:dCm%O$;

¶ Z913D:dCM'zK$iO$;

¶ Z953D:dC HTTP 7O$;

¶ Z973D:dC IP X7O$;

¶ Z973D:dCjGO$;

¶ Z983D:'V`74C/Pzm;

4


KbO$}LO$GT}Z"TG<=2+rD%vxLr5exPj6D=(#

¶ Z1!ivB WebSEAL 'V`VO$=(,IT(F WebSEAL 9

Cd|=(#

¶ T WebSEAL O$I&Da{MGzI Policy Director C'"am

m]#

¶ WebSEAL 9CKm]q!CC'D>$#

¶ Z(~qZTXF?vTsD_TD ACL mI(M POP u~xP

@@s,9CK>$Jmr\xCJ\#$Ts#

":ACL = CJXFPm_T POP = \#$Ts_T

O$Zd,WebSEAL +liTZTBE"DM'zks:

¶ a0}]

a0}]Gj6M'zM WebSEAL ~qw.dDX(,SDE"#

a0}]f"ZM'zORifCM'zDsLks#|CZXB

j6A WebSEAL ~qwDM'za0,\bK*?vks("Ba

0yCD*z#

¶ O$}]

O$}]G4TM'zDE",Ir WebSEAL ~qwj6CM'

z#O$}]`M|,M'zK$i"\kMjGzk#

Z WebSEAL SU=M'zkss,WebSEAL \GWHiRa0}],

;siRO$}]#u<M'zksv;a|,a0}]#

\'VDa0}]`MWebSEAL 'VTBa0}]`M:

1. SSL ID (defined by the SSL protocol)

2. Server-specific session cookie

3. BA header data

4. HTTP header data


5. IP address

1 WebSEAL liM'zks1,|+TKPmP8(D3rQwa0

}]#

\'VDO$=(d; WebSEAL @"ZO$}LKw,+ WebSEAL 9C>$`S2+

rPNkDyPC'#*q!>$q!yhDm]E",WebSEAL @5

ZSO$}LqCDa{#

WebSEAL 'VTBO$=(CZ>$q!:

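Authentication method                                Supported connection types
1. Failover cookie                                   HTTP and HTTPS
2. CDSSO ID token                                    HTTP and HTTPS
3. Client-side certificate                           HTTPS
4. Token passcode                                    HTTP and HTTPS
5. Forms authentication (user name and password)     HTTP and HTTPS
6. Basic authentication (user name and password)     HTTP and HTTPS
7. HTTP header                                       HTTP and HTTPS
8. IP address                                        HTTP and HTTPS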

1 WebSEAL liM'zks1,|+TKmP8(D3rQwO$}

]#

TZ HTTP M HTTPS +M<IT%@tCM{CO$=(#g{;P

*Xb+MtCO$=(,rTZ9CC+MDM'z,O$}LGG

n/D#

j8dCE"N<

¶ Z733D:\ma04,;

¶ Z833D:O$dCEv;

¶ Z873D:dCy>O$;

¶ Z893D:dCm%O$;

¶ Z913D:dCM'zK$iO$;


¶ Z953D:dC HTTP 7O$;

¶ Z973D:dC IP X7O$;

¶ Z973D:dCjGO$;

¶ Z983D:'V`74C/Pzm;

¶ CDAS O$

kN<6Tivoli SecureWay Policy Director WebSEAL *"_N<s+7


\ma04,

ZM'zk~qw.dxP2+,Sra0*s~qw\;Gd * (}

s?ks * a0DTs#~qwXk_P3VN=Da04,E",C

E"j6Kk?vksX*DM'z#

g{M'zM~qw.d^Q("Da04,,rM'zM~qw.d

D(EXkT?NsLksxPXB-L#{Ca04,E"I(}{

}X4XUMXBr*M'z/~qw,S4DFT\#M'zIT;

NTG<"xPs?ks,x^hT?vksVp4PG<#

WebSEAL I&m HTTP M HTTPS (E#HTTP G0^4,1-i,

|";a)NNxpksD==#m;=f,SSL +M-iGXphF

D,|a)a0j6T,$a04,E"#IT(} SSL b0 HTTP (

E,9.I* HTTPS#

;x,WebSEAL Xk-#&m4T4O$M'zD HTTP (E#P1

9avV SSL a0j6;GJ1Dbv=8Div#rx,+

WebSEAL hF*9CNbTBE"`MT,$kM'zDa04,:

1. SSL ID

2. Server-specific session cookie

3. BA header data

4. HTTP header data

5. IP address

GSKit M WebSEAL a0_Y:fa0_Y:fJm~qwf"4T`vM'zDa0j6E"#P=v

a0_Y:fI) HTTPS M HTTP a04,E"9C#

¶ WebSEAL >$_Y:f

WebSEAL >$_Y:fIf"yP`MDa0j6E"(kNDO

vPm)M*?vM'zq!D>$E"#

+>$E"xP_Y:fI{}Z(liZdTC'"am}]b

DX4i/#

¶ GSKit SSL a0j6_Y:f


SSL a0j6E"CZ,$a04,1,GSKit a0_Y:f&m

HTTPS(SSL)(E#

GSKit _Y:f9I,$ WebSEAL M LDAP C'"am.dD

SSL ,SDa04,E"#

TZ?vJmzw{dT\D_Y:f,<P8vdCN}IC#B<

P\aKb)N}:

dC WebSEAL >$_Y:f

TZ WebSEAL a0/>$_Y:f,TBdCNqIC:

¶ hCns"Pu?5

¶ hC_Y:fu?,15

¶ hC_Y:fu?Gn/,15

hCns"Pu?5

max-entries N};Z webseald.conf dCD~D [session] ZP,KN

}CZhC WebSEAL a0/>$_Y:fPDns"Pu?}#

< 13. a0_Y:fdCN}


K5k"PG<a0}`X#1_Y:fs!o=K51,r+y]|

ZnY9Cc(S_Y:f}%u?TJmBxkDG<#

1!D"PG<a0}G 4096:

[session]
max-entries = 4096

hC_Y:fu?,15

timeout N};Z webseald.conf dCD~D [session] ZP,KN}

CZhC WebSEAL a0/>$_Y:fPDnsP'Z,1#

WebSEAL ZZ?T>$E"xP_Y:f#a0_Y:f,1N}f(

K WebSEAL ODZfI#tZ(>$E"D1d$H#

CN}";GGn/,1#C53d*0>$P'Z1x;G3d*

0>$,11#|D?DGZo=8(D,1^F1,(}?FC'x

PXBO$4a_2+T#

1!G<a0,1(Tk*%;)* 3600:

[session]
timeout = 3600

hC_Y:fu?Gn/,15

inactive-timeout N};Z webseald.conf dCD~D [session] ZP,

KN}CZhCG<a0Gn/D,15#

1!G<a0Gn/,15(Tk*%;)* 600:

[session]
inactive-timeout = 600

*{CK,1&\,k+N}5hC*001#

dC GSKit SSL a0j6_Y:f

TZ GSKit SSL a0j6_Y:f,TBdCNqIC:

¶ hC_Y:fu?,15

¶ hCns"Pu?5


hC_Y:fu?,15

CZhC GSKit SSL a0j6_Y:fPu?DnsP'Z,1DN}

;Z webseald.conf dCD~PD [ssl] ZP#P=vN}:;vCZ

SSL V2 ,S(ssl-v2-timeout),m;vCZ SSL V3 ,S

(ssl-v3-timeout)#

1! SSL V2 a0,1(Tk*%;)G 100(I\D6'G 1 =

100):

[ssl]
ssl-v2-timeout = 100

1! SSL V3 a0,1(Tk*%;)G 7200(I\D6'G 1 =

86400):

[ssl]
ssl-v3-timeout = 7200

hCns"Pu?5

ssl-max-entries N};Z webseald.conf dCD~D [ssl] ZP,K

N}CZhC GSKit SSL a0j6_Y:fPDns"Pu?}#

K5k"PG<a0}`X#1_Y:fs!o=K51,r+y]|

ZnY9Cc(S_Y:f}%u?TJmBxkDG<#

1!D"PG<a0}G 4096:

[ssl]
ssl-max-entries = 4096

Ca0 cookie ,$4,,$M'zk~qw.da04,D;V=(G9C cookie #tKa0

E"#~qw+XbM'zD4,E"r|Z cookie P,"+d"M=

M'zD/@w#TZ?vBks,/@w<(}+ cookie(xPa0E

")"X=~qw4XBj6|T:#

a0 cookie *M'z9CZ+L1dsXB-Ld SSL a0D/@w

iv,a)KI\bv=8#}g,3)f>D Microsoft Internet

Explorer /@w?=VSr}VSXB-L SSL a0#


a0 cookie ;+M'zXBO$ACM'zH0QZ+L1dZ(s<

10 VS)O$AD%v"(;D~qw#CzFT0~qw cookie1*

y!,}zIC cookie Dzwb,;\+|+]=NNd|zw#

mb,a0 cookie ;|,fz5j6,Cj6CZw}=~qwDa0

_Y:fP#a0 cookie ;a)6d|E"#a0 cookie ;a#02

+T_T#

Kba0 Cookies

WebSEAL 9CX(Z~qwD2+a0 cookie#TBu~JCZb;

cookie zF:

¶ Cookie ;|,a0E";|;|,m]E"

¶ Cookie ;$tZ/@wZfP(";+|4=ELOD/@w cookie

jar P)

¶ Cookie _PP^DP'Z(IdC)

¶ Cookie _P76MrN},b)N}{9d|~qw9C

tCM{Ca0j6 cookie

ssl-id-sessions N};Z webseald.conf dCD~D [session] ZP,

KN}CZtCM{Ca0 cookie#KN}IXF SSL a0j6GqC

Z*M'z(} HTTPS CJ,$G<a0#g{N}hC*0no1,r

a0 cookie ICZs?VO$=(#

[session]
ssl-id-sessions = no

KN}D0no1 dChCa9(} HTTPS DM'zCJvVTBiv:

1. SSL a0j6@6;Cwa0j6}]#

2. Cookies +CZ,$kM'zO$Da0,CO$9CJO*F

cookie"CDSSO ID jG"m%C'{M\k"jG(PzkMM'

zK$i#

3. v1 use-same-session = yes(kNDBZ)1,cookie ECZy>

O$M'z#qr BA 7+CZa0j6}]#

4. HTTP 7Cw9C HTTP 7xPM'zO$Da0j6}]


5. IP X7Cw9C IP X7xPM'zO$Da0j6}]

9C cookie ,$a04,1,cookie v"MA/@w;N(zfZI&

G<s)#;x,;)/@wa?F^FIT""f"DZfPD cookie

}#Z;)73P,&CLrI+?vrDs?ZfPD cookie EC=

M'z53O#ZKivB,NbQdCD WebSEAL a0rJO*F

cookie ITr%XIm;v cookie f;#

dC WebSEAL 9Ca0 cookie(I\GJO*F cookie)1,ITZ

webseald.conf dCD~PD [session] ZPhC

resend-webseal-cookies N},TcZZ?Nl&19 WebSEAL +

a0 cookie MJO*F cookie "MA/@w#KYwPzZ7#a0

cookie MJO*F cookie #tZ/@wZfP#

resend-webseal-cookies N}D1!hC*0no1:

[session]
resend-webseal-cookies = no

+1!hC|D*0yes1IZ?Nl&1"M WebSEAL a0 cookie M

JO*F cookie#

tCM{C`,Da0

1M'z(};V+M`M(}g HTTP)G<"O*,S"(}m;V

+M`M(}g HTTPS)XBG<1,ITdC WebSEAL 9C`,D

a0j6}]#

use-same-session N};Z webseald.conf dCD~D [session] Z

P,KN}CZtCM{CT`,a0j6}]D6p#1!ivB,

KN}hC*0no1:

[session]
use-same-session = no

9CKN}D0yes1 dChCavVTBiv:

1. a0 cookie CZj6TBM'z`M,CZ(}m;V+M==xP

sLG<:

a. JO*F cookies


b. M'zK$i

c. CDSSO j6jG

d. jG(Pzk

e. m%C'{M\k

f. y>O$

2. TZ9C HTTP 7DM'zCJ9C HTTP 7#

3. TZ9C IP X7DM'zCJ,9C IP X7#

4. +vT ssl-id-sessions dC;|<BDP*k+ ssl-id-sessions hC*0no1x<BDP*`,#

r* HTTP M'z;I+ SSL a0j6Cwa0}],yTK_-

G\X*D#

5. r*T HTTP M HTTPS M'z,cookie <IC,yT;+b)

cookie j>*2+ cookie#

7(P'Da0j6}]`MCZ9CXbO$=(DM'zCJDa0}]`MITBdCN}D

X(iO7(:

¶ tCr{Ca0 cookie(ssl-id-sessions)

¶ 1M'zZ HTTP M HTTPS .dP;1,tCr{C9C`,a

0}]D\&(use-same-session)

Bm\aKiO ssl-id-sessions M use-same-session N}DyPx

(dCDP'a0j6}]:

HTTPS M'z

O$=(          ssl-id-sessions = yes   ssl-id-sessions = no    use-same-session = yes
                                      use-same-session = no   ssl-id-sessions vT
JO*F cookie   SSL j6                  Cookie                  Cookie
$i            SSL j6                  Cookie                  Cookie
CDSSO         SSL j6                  Cookie                  Cookie
jG            SSL j6                  Cookie                  Cookie
m%            SSL j6                  Cookie                  Cookie
BA            SSL j6                  BA 7                    Cookie
HTTP 7        SSL j6                  HTTP 7                  HTTP 7
IP X7         SSL j6                  IP X7                   IP X7

HTTP M'z

O$=(          use-same-session = no   use-same-session = yes
JO*F cookie   Cookie                  Cookie
CDSSO         Cookie                  Cookie
jG            Cookie                  Cookie
m%            Cookie                  Cookie
BA            BA 7                    Cookie
HTTP 7        HTTP 7                  HTTP 7
IP X7         IP X7                   IP X7

dCJO*F cookieTBJO*F cookie &\(CZ HTTP M HTTPS)JCZ(}:X=

bzF,SA4FD0K WebSEAL ~qw:/DM'z#JO*F

cookie D?DG1kM'z.d_P-<a0D~qw;;d*;IC

1,I@9?FXBO$#

I{C0K WebSEAL :/*s?M'za)J4D_ICT#:X=

bzFI9XxkDks"(}ICD0K~qwV"ks#

KV[ZdIN<B<#


M'z;*@4FD0K~qwdC#:X=bzFGksD URL D%

c*5#:X=bzFI+M'zkICD~qw(}g WS1),S#

a04,G9C WS1 ("D,"Ra+4TCM'zDyPsLks"

MA WS1#

JO*F cookie IbvDJbf0IZ;)-r(}g,53JOrI

\m14PDt_Yw)9 WS1 d*;IC1Div#g{ WS1 d*

;IC,r:X=bzFa+ksX(rAd|1>~qw(WS2 r

WS3).;#VZQ*'-<Da0A>$D3d#TZKfzD~q

wCM'zGBD,xR(#+YN?FO$CM'z#

ITdC4FD WebSEAL ~qwTZX(Z~qwD cookie PS\M

'z>$}]#1M'zWN,S1,cookie +ECZ/@wO#g{u

< WebSEAL ~qwd*Y1;IC,r cookie(MS\D>$E")

+a)xfz~qw#4FD WebSEAL ~qw2mIb\>$E"D

+2\?#VZM'zIT("k1> WebSEAL ~qwDBa0,x

;C?FXBO$#

cookie DN<cG:X=bzFD DNS#r* cookie GX(Z~qw

D cookie "R;GX(ZrD cookie,yTK%;N<c\X*#;P

k4( cookie D~qw_P`, DNS {FD~qwE\S\ cookie#

< 14. JO*F Cookie i05w


M'z;1(}:X=bzFwvks#rx,ZJO*FYwZd,

+;1S\ cookie,;s+d+]=B;vICD~qw#

tCJO*F cookie

failover-auth N};Z webseald.conf dCD~D [failover] ZP,

KN}CZtCr{CX(Z~qwDJO*F cookie:

¶ *tCJO*F cookies,kdk0http1"0https1r0both1#

¶ *{CJO*F cookie,kdk0none1(1!5)#

}g:

[failover]
failover-auth = https

XkZ?v0K WebSEAL ~qwOhCKN}#

S\Mb\>$}]

*#$ cookie }],k9C WebSEAL a)D cdsso_key_gen 5C

Lr#K5CLrzI;vTF\?,C\?T cookie PD>$}]x

PS\Mb\#KP5CLr1,k8(\?D~D;C(xT76

{):

UNIX: # cdsso_key_gen <pathname>

Windows: MSDOS> cdsso_key_gen <pathname>

ZdP;v1>~qwOKP5CLr"+\?D~V$4F=?v#

`D1>~qwO#Z?v~qwD webseald.conf dCD~D

[failover] ZPdkK\?D~D;C#g{;8(\?D~,r{CC

~qwDJO*F cookie &\:

[failover]
failover-cookies-keyfile = <absolute-pathname>

IT*\?D~a)NNJ1D{F,}g ws.key#

dC cookie P'Z


cookie P'Z(TVS*%;)D5ZTBN}PhC:

failover-cookie-lifetime = 60

O$dCEv

ITZ?V=(Dy!OtCM{C HTTP M HTTPS M'zDO$#

WebSEAL 'VDyPO$=(DzF<GZ webseald.conf dCD~

D [authentication-mechanisms] ZPdCD#\'VDO$=(N}

|(:

¶ >X(ZC)O$Lr

> X O$L r D N}8( KJ1 D ZC2 m b ( U N I X ) r

DLL(Windows)D~#

¶ (FDb?O$Lr

WebSEAL a)#e~qwzk,ICZ9(M8((FDb?0g

rO$~q1(CDAS)~qw#

b? CDAS O$Lr+8(J1D(F2mb#

>XO$N}TBN}8(K>XZCO$Lr:

N} hv

m%My>O$

passwd-ldap M'z9C LDAP C'{M\kxPCJ#

jGO$

token-cdas M'z9C LDAP C'{M SecurID jG(Pzkx

PCJ#

M'zKD$iO$

cert-ssl M'z9CM'zK$i(} SSL xPCJ#

HTTP 7M/r IP X7O$

http-request M'z(}X( HTTP 7M/r IP X7xPCJ#

CDSSO j6jGO$

cdsso gr%;"aO$#


9C [authentication-mechanisms] ZdCO$=("TBPq=5

V:

<authentication-method-parameter> = <shared-library>

kNDZ713D:j8dCE"N<;#

b?(F CDAS O$N}TBN}ICZ8(b? CDAS ~qwD(F2mb:

N} hv

passwd-cdas M'z9CZ}="amDC'{M\kxPCJ#

token-cdas M'z9CC'{MjG(PzkxPCJ#

cert-cdas M'z9C(} SSL O$DM'zK$ixPCJ#

XZ9(MdC5V CDAS ~qwD(F2mbDj8E",kN<

6Tivoli SecureWay Policy Director WebSEAL *"_N<s+7#

WebSEAL O$D1!dC

1!ivB,+ WebSEAL hC*9Cy>O$(BA)C'{M\k

(LDAP "am)(} SSL O$M'z#

(#,T TCP M SSL CJ<tC WebSEAL#rx,

[authentication-mechanisms] ZDdMdC|,'VC'{M\k

(LDAP "am)"'V(} SSL O$DM'zK$i#

TB>}zm [authentication-mechanisms] Z Solaris fDdMdC:

[authentication-mechanisms]
passwd-ldap = libldapauthn.so
cert-ssl = libsslauthn.so

*dCd|O$=(,k9Cd2mb(r CDAS #i)mS`&DN

}#XZ?VO$=(Dj8dCE",kNDZ713D:j8dCE

"N<;#


dC`vO$=(^D webseald.conf dCD~D [authentication-mechanism] ZT8

(CZyP\'VO$=(D2mb#dC`vO$=(1,I&CT

Bu~:

1. yPO$=(<IT`%@"XKP#IT*?v\'V=(dC

2mb#

2. ,1dC cert-cdas M cert-ssl =(DivB,0_+2Gs_#

XktCdP;V=('VM'zK$i#

3. 1dC`V\k`MO$Lr1,5J;9C;V#WebSEAL 9C

TBEH6Nrbv`vQdCD\kO$Lr:

a. passwd-cdas

b. passwd-ldap

4. I\*=V;,DO$=(dC,;v(Fb#}g,IT4(F

2mbT&mC'{/\kM HTTP 7O$#TZK>},IT9C

,;v2mbdC passwd-cdas M http-request N}#*"_D

0pG,$a04,"\b=V=(.dDe;#

a>G<ZTBu~B,WebSEAL a>M'zG<:

1. 4O$DM'zZ(li'\

2. m%ry>O$M'zZ(li'\

TBM'z`MavV0403 JO1ms:

1. 1Z(li'\1:

a. M'zK$i

b. JO*F cookie

c. CDSSO

d. IP X7

e. HTTP 7

2. 1M'zO$9CK WebSEAL {CD=(


"zM|D\k|nPolicy Director a)TB|nCZ'V(} HTTP r HTTPS O$DM

'z#

pkmslogout

1M'z9C;T?vksa)O$}]DO$=(1,|GIT9C

pkmslogout |nS10a0"z#}g,pkmslogout ;ICZ9C

y>O$r IP X7O$DM'z#ZKivB,XkXU/@wT"

z#

pkmslogout |nJCZ(}M'zK$i"jG(Pzk"m%O$M

HTTP 7O$D3)5VDO$#

4TB=(KP|n:

https://www.tivoli.com/pkmslogout

/@waT> webseald.conf dCD~P(eD"zq=:

[acnt-mgt]
logout = logout.html

IT4h*^D logout.html D~#

1xge5a9*sTS+;;,DsK53"zDC'9C;,Dv

ZA;1,pkmslogout 5CLr9'V`v"zl&3f#

TBmo=j6KX(l&D~:

https://www.tivoli.com/pkmslogout?filename=<custom_logout_file>

dP custom_logout_file G"zl&DD~{#KD~Xk$tZ|,

1! logout.html D~Md|y> HTML l&m%D`, lib/html/C

?<P#

pkmspasswd

9Cy>O$(BA)rm%O$1IT9CK|n|DG<\k#K|

nTZ HTTP r HTTPS <GJCD#

}g:


https://www.tivoli.com/pkmspasswd

1 BA k WebSEAL ;p9C1,*7#ns2+T,TZ BA M'

zK|n+4PTBP*:

1. |D\k#

2. M'zC'S10a0"z#

3. M'zxP=Sks1,/@w+ZM'zOT> BA a>{#

4. M'zXkXBG<TLx"vks#

Ki05wvJCZ9Cy>O$DM'z#

dCy>O$

y>O$(BA)G+C'{M\ka)xO$zFDj<=(#BA I

HTTP -i(e,"I(} HTTP M HTTPS 5V#

1!ivB,WebSEAL dC*9Cy>O$(BA)C'{M\k(}

HTTPS xPO$#

tCM{Cy>O$

ba-auth N},;Z webseald.conf dCD~PD [ba] ZP,CZt

CM{Cy>O$=(#

¶ *tCy>O$=(,kdk0http1"0https1r0both1#

¶ *{Cy>O$=(,kdk0none1#

}g:

[ba]
ba-auth = https

hCr{Fr{FG1/@wa>C'dkG<}]1T>ZT0rPDD>#

hCr{FDdCN};Z webseald.conf dCD~PD [ba] ZP#

}g:


[ba]
basic-auth-realm = Policy Director

dCy>O$zF

passwd-ldap N}8(CZ&mC'{M\kO$D2mb#

¶ Z UNIX O,a)ZC3d&\DD~GF* libldapauthn D2m

b#

¶ Z Windows O,a)ZC3d&\DD~GF* ldapauthn D

DLL#

O$zF          2mb
              Solaris           AIX              Windows         HP-UX
passwd-ldap   libldapauthn.so   libldapauthn.a   ldapauthn.dll   libldapauthn.sl

IT(}Z webseald.conf dCD~D [authentication-mechanism] ZPx passwd-ldap N}dkX(Z=(D2mbD~{F4dCC'

{M\kO$zF#}g:

< 15. BA G<a>


Solaris:

[authentication-mechanisms]
passwd-ldap = libldapauthn.so

Windows:

[authentication-mechanisms]
passwd-ldap = ldapauthn.dll

dCu~g{Q*X(+MtCKm%O$,r+vTC+MDy>O$hC#

dCm%O$

Policy Director a)m%O$)j<y>O$zF8C#bV=(IS

Policy Director zz(F HTML G<m%,x;GSy>O$aJzz

j<G<a>#

9CyZm%G<1,/@w";TC'{M\kE"xP_Y:f

(g|Zy>O$PyvDGy)#

tCM{Cm%O$

forms-auth N},;Z webseald.conf dCD~PD [forms] ZP,

CZtCM{Cm%O$=(#

¶ *tCm%O$=(,kdk0http1"0https1r0both1#

¶ *{Cm%O$=(,kdk0none1#

}g:

[forms]
forms-auth = https

dCm%O$zF

passwd-ldap N}8(CZ&mC'{M\kO$D2mb#

¶ Z UNIX O,a)ZC3d&\DD~GF* libldapauthn D2m

b#

¶ Z Windows O,a)ZC3d&\DD~GF* ldapauthn D

DLL#


O$zF          2mb
              Solaris           AIX              Windows         HP-UX
passwd-ldap   libldapauthn.so   libldapauthn.a   ldapauthn.dll   libldapauthn.sl

IT(}Z webseald.conf dCD~D [authentication-mechanism] ZPx passwd-ldap N}dkX(Z=(D2mbD~{F4dCC'

{M\kO$zF#}g:

Solaris:

[authentication-mechanisms]
passwd-ldap = libldapauthn.so

Windows:

[authentication-mechanisms]
passwd-ldap = ldapauthn.dll

dCu~g{Q*X(+MtCKm%O$,r+vTC+MDy>O$hC#

(F HTML l&m%m%O$*sz9C(FG<m%#1!ivB,y> login.html m%

;ZTB?<P:

<install-directory>/lib/html

IT(FKm%DZ]MhF#}g:


XZzIT(FDIC HTML m%Dj8E",kNDZ343D:\m

(FD HTML 3f;#

dCM'zK$iO$

WebSEAL 'V9CM'zK}V$i(} SSL kM'zxP2+(

E#ZbVO$=(P,$iE"(}g0(P{F1r DN);3d*

Policy Director m]#

s(:(}$i`%O$

(}}V$ixPO$V*=vWN:

¶ WebSEAL 9Cd~qwK$ir SSL M'zmwT:m]

¶ WebSEAL 9CdO$PD(CA)y$iD}]bi$9CM'zK

$ixPCJDM'z

1. SSL M'zksk WebSEAL ~qw,S#

2. Zl&P,WebSEAL (}Q)pD~qwK$i"Md+2\?#

K$iH0QIIEDZ}=O$PD(CA))p#

3. M'zli|GqITENMS\C$iD"PL#M'zD/@

w(#|,4TIE CA Dy$iPm#g{ WebSEAL D$iO

D){kb)y$iPD3;v`%d,r~qwGIED#

< 16. y> WebSEAL G<m%


4. g{;P%dD){,/@w+(*dC',K$iGI;v4*

DO$PD)"D#;sS\r\xC$i+GC'D0p#

5. g{){k/@wDy$i}]bPD3vu?%d,M'zk

WebSEAL ~qw.d+Ta0\?xP2+-L#

K}LDnUa{Gzz2+(@,M'zITZC(@OxPO

$(}g(}C'{M\k)#O$I&.s,M'zM~qwI

TLx(}K(@xP2+(E#

6. VZM'zr+d+2\?$i"M= WebSEAL ~qw#

7. WebSEAL "T+M'z$iOD){kQ*D CA xP%d#k

M'z/@w`F,WebSEAL ~qw,$d\?}]bPIE CA

Dy$iPm#

8. g{;P%dD){,WebSEAL +zI SSL msk"+d"M=

M'z#

9. g{P%dD){,rM'zIE#g{xPM'zO$,r+C

= Policy Director m]#

10. a0\?GZM'zk WebSEAL ~qw.dS\2+-LD#K

}LDnUa{GZ`%O$DM'zk~qw.dzz2+xI

ED(E(@#

< 17. M'zi$ WebSEAL $i


WebSEAL bT$i201,WebSEAL M|,KT)bT~qw$i#d;KbT$iJm

WebSEAL TtC SSL D/@wkswvl&,+;\I/@w(;|

,J1Dy CA $i)i$$i#IZ?N WebSEAL V"P<|,K

1!$iD(C\?,yTK$i;a)f}D2+(E#

*7#(} SSL D2+(E,SIEDO$PD(CA)"a0q!(;

D>c~qw$iG\X*D#IT9C GSKit iKeyman 5CLrzI

+"M= CA D$iks#2IT9C iKeyman 20B>c$i"*

dSj)#9C webseald.conf dCD~D [ssl] ZPD

webseal-cert-keyfile-label N}8(C$iw*n/D WebSEAL ~q

wK$i(KhC+2G\?D~}]bP8(*01!51DyP$

i)#

g{h*d|ivBD;,$i(}gCZ%O$*a),rIT9C

iKeyman 5CLr4("20b)=S$i"*dSj)#

kNDZ373D:dC WebSEAL D\?}]bN};#

kNDZ2173D:9C iKeyman \m$i;#

tCM{C$iO$

(}hC accept-client-certs N}(;Z webseald.conf dCD~D

[certificate] ZP),IT8( WebSEAL gN&m9C(} SSL O$

DM'zK$iDO$#

1!ivB,WebSEAL ;S\M'zK$i:

[certificate]
accept-client-certs = never

KN}D=S5|, optional M required#

BmPv"hvK accept-client-certs N}DJm5:

5 hv

never ;*S\M'zD X.509 $i#


optional rM'z*s X.509 $i,g{a)K$i,r9CyZ

$iDO$#

required rM'z*s X.509 $i,"9CyZ$iDO$#g{

M'z;a)$i,r;Jm,S#

dC$iO$zF

cert-ssl N}8(CZ3d$iO$E"D2mb#

¶ Z UNIX O,a)ZC3d&\DD~GF* libsslauthn D2m

b#

¶ Z Windows O,a)ZC3d&\DD~GF* sslauthn D

DLL#

O$zF       2mb
           Solaris          AIX             Windows        HP-UX
cert-ssl   libsslauthn.so   libsslauthn.a   sslauthn.dll   libsslauthn.sl

IT(}Z webseald.conf dCD~D [authentication-mechanism] ZPx cert-ssl N}dkX(Z=(D2mbD~{F4dC$iO$

zF#

Solaris:

[authentication-mechanisms]
cert-ssl = libsslauthn.so

Windows:

[authentication-mechanisms]
cert-ssl = sslauthn.dll

2mbD~a)D1!3d1S+$i DN 3d* LDAP DN#

dCu~g{M'zK$i&mhC*0required1,rTZ HTTPS M'z+v

TyPd|O$hC#


dC HTTP 7O$

Policy Director 'V(}IM'zr/Pzma)D(F HTTP 7E"

xPO$#

CzFh*P3d&\(2mb),C3d&\+IED($O$D)

7}]3d* Policy Director m]#WebSEAL ITICKm]"*C

'4(>$#

WebSEAL YhH0QO$K(F HTTP 7}]#rK,(i(PX5

Vb;=( * ;tCd|O$=(##B(F HTTP 7}]GI\D#

1!ivB,9(K2mbG*KS/Pzm73d}]#

tCM{C HTTP 7O$

http-headers-auth N},;Z webseald.conf dCD~D

[http-headers] ZP,CZtCM{C HTTP 7O$=(#

¶ *tC HTTP 7O$=(,kdk0http1"0https1r0both1#

¶ *{C HTTP 7O$=(,kdk0none1#

}g:

[http-headers]
http-headers-auth = https

8(7`MXkZ webseald.conf dCD~D [auth-headers] ZP8(yP\'

VD HTTP 7`M#

[auth-headers]
header = <header-type>

1!ivB,+TKZC2mbxP2`kT'V/Pzm7}]#

[auth-headers]
header = entrust-client

Xk(FKD~,9dO$d|`MDXb7}]M+K}]3d*

Policy Director m](I!)#XZ API J4,kN<6Tivoli SecureWay

Policy Director WebSEAL *"_N<s+7#


dC HTTP 7O$zF

http-request N}8(CZ3d HTTP O$7E"D2mb#

¶ Z UNIX O,a)ZC3d&\DD~GF* libhttpauthn D2m

b#

¶ Z Windows O,a)ZC3d&\DD~GF* httpauthn D

DLL#

O$zF           2mb
               Solaris           AIX              Windows         HP-UX
http-request   libhttpauthn.so   libhttpauthn.a   httpauthn.dll   libhttpauthn.sl

1!ivB,+TKZC2mbxP2`kT3d/Pzm7}]*P

'D Policy Director m]#Xk(FKD~,9dO$d|`MDXb

7}]M+K}]3d* Policy Director m](I!)#XZ API J4,

kN<6Tivoli SecureWay Policy Director WebSEAL *"_N<s+7#

IT(}Z webseald.conf dCD~D [authentication-mechanism] ZPx http-request N}dkX(Z=(D2mbD~{F4dC

HTTP 7O$zF#

}g:

Solaris:

[authentication-mechanisms]
http-request = libhttpauthn.so

Windows:

[authentication-mechanisms]
http-request = httpauthn.dll

dCu~

1. g{ ssl-id-sessions = no,r+;9Ca0j6 cookie ,$4,#

x9C(;D75,$4,#

2. g{M'zv=KZ(JO,rM'z+SU=0{913f

(HTTP 403)#


dC IP X7O$

Policy Director 'V(}M'za)D IP X7DO$#

tCM{C IP X7O$

ipaddr-auth N},;Z webseald.conf dCD~D [ipaddr] ZP,

CZtCM{C IP X7O$=(#

¶ *tC IP X7O$=(,kdk0http1"0https1r0both1#

¶ *{C IP X7O$=(,kdk0none1#

}g:

[ipaddr]
ipaddr-auth = https

dC IP X7O$zF

(} IP X7O$h*(F2mb#kTK2mb9C http-request N

}#

dCjGO$

Policy Director 'V(}M'za)DjG(PzkDO$#

tCM{CjGO$

token-auth N},;Z webseald.conf dCD~D [token] ZP,C

ZtCM{CjGO$=(#

¶ *tCjGO$=(,kdk0http1"0https1r0both1#

¶ *{CjGO$=(,kdk0none1#

}g:

[token]
token-auth = https

dCjGO$zF

token-cdas N}8(CZ3djG(PzkO$E"D2mb#

¶ Z UNIX O,a)ZC3d&\DD~GF* libtokenauthn D2

mb#


¶ Z Windows O,a)ZC3d&\DD~GF* tokenauthn D

DLL#

O$zF         2mb
             Solaris            AIX               Windows          HP-UX
token-cdas   libtokenauthn.so   libtokenauthn.a   tokenauthn.dll   libtokenauthn.sl

1!ivB,+TKZC2mbxP2`kT3d SecurID jG(Pz

k}]#IT(FKD~O$d|`MDXbjG}],I!D,I+

K}]3d* Policy Director m]#XZ API J4,kN<6Tivoli

SecureWay Policy Director WebSEAL *"_N<s+7#

IT(}Z webseald.conf dCD~D [authentication-mechanism] ZPx token-cdas N}dkX(Z=(D2mbD~{F4dCjGO

$zF#

}g:

Solaris:

[authentication-mechanisms]
token-cdas = libtokenauthn.so

Windows:

[authentication-mechanisms]
token-cdas = tokenauthn.dll

'V`74C/Pzm

Policy Director *#$9C`74C/Pzm(MPA)Dxga)bv=

8#

j</Pzm(SPA)G'VM'zk-<~qwd?vM'za0

((} SSL r HTTP)DxX#WebSEAL ITTb)?vM'zDa

0&C}#D SSL r HTTP O$#


`74C/Pzm(MPA)GwZ`vM'zCJDxX#1M'z(

}^_CJ-i(WAP)xPCJ1,P1b)xX;F* WAP xX#

xX("A-<~qwD%;O$(@,"(}K(@0+d1yPM

'zksMl&#

TZ WebSEAL,K(@ZD+?E"u<<T>*4T;vM'zD`

vks#WebSEAL Xk+ MPA ~qwO$k?v%@M'zD=SO

$xp*#

IZ WebSEAL * MPA ,$QO$Da0,rKXk,1*?vM'

zVp,$a0#rx,CZ MPA Da0}]MO$=(XkkM'z

9CDa0}]MO$=(X;;,#

P'Da0}]`MMO$=(

MPA A WebSEAL 9CDa0}]`MXkkM'zA WebSEAL 9

CDa0}]`MX;;,#BmPvK MPA MM'zDP'a0`

M:

P'a0`M

MPA A WebSEAL M'zA WebSEAL

SSL a0j6

HTTP 7 HTTP 7

< 18. (} MPA xX(E


BA 7 BA 7

IP X7

Cookie Cookie

¶ M'z;\9C SSL a0j6w*a0}]`M#

¶ }g,g{TZa0}]`M MPA 9C BA 7,rM'zTa0

}]`MD!q;|, HTTP 7M cookie#

¶ g{TZa0}] MPA 9C HTTP 7,rM'zIT9C;,D

HTTP 7`M#

¶ X(Z~qwD cookie ;|,a0E";|;|,m]E"#

¶ g{tC MPA 'V,r+a|D ssl-id-sessions D&\#(#,

g{ ssl-id-sessions=yes,rv9C SSL a0j6,$ HTTPS M

'zDa0#*Jm MPA 9C SSL a0j6,$a0"9M'z

9Cm;V=(,$a0,k}%K^F#m{Z793D:7(P

'Da0j6}]`M;#

MPA A WebSEAL 9CDO$=(XkkM'zA WebSEAL 9CD

O$=(X;;,#BmPvK MPA MM'zDP'O$=(M:

P'O$`M

MPA A WebSEAL M'zA WebSEAL

y>O$ y>O$

m% m%

jG jG

HTTP 7 HTTP 7

$i

IP X7

¶ }g,g{ MPA 9Cy>O$,rM'zO$=(D!n|,m

%"jGM HTTP 7#

¶ TZM'zD9C,$iM IP X7O$=(G^'D#


¶ (#,g{TX(+MtCm%(rjG)O$,r+T/TC+

M{Cy>O$(kNDZ883D:dCy>O$zF;)#g{t

CK MPA 'V,r+}%K^F#by+Jm MPA 9Cm%(r

jG)G<,"JmM'z9Cy>O$(}`,D+MG<#

MPA M`vM'zDO$xLw

1. WebSEAL \m14PTBu=dC:

¶ tCT`74C/PzmD'V

¶ *X( MPA xX4( Policy Director J'

¶ +K MPA J'mS= webseal-mpa-servers i

2. ,SA MPA xXDM'z#

3. xX+ks*;* HTTP ks#

4. xXO$M'z#

5. xX9CM'zks("k WebSEAL D,S#

6. A WebSEAL D MPA O$(9CkM'zX;;,D=(),*

MPA(Q-_P WebSEAL J')Izm]#

7. WebSEAL +i$ MPA Z webseal-mpa-servers iPDa1J

q#

8. * MPA 9(;v>$,"+dj>*_Y:fPDXb MPA `

M#

!\+4D?vM'zks<xPK MPA >$,+C>$";CZ

Tb)ksxPDZ(li#

9. by,WebSEAL h*x;=j6ksDyP_#

MPA \;xp`vM'zT}77IG<a>#

10. M'zG<MO$9CD=(kCZ MPA DO$`MX;;,#

11. WebSEAL SM'zO$}]9(>$#

12. ?vM'z9CDa0}]`MXkk MPA 9CDa0}]`MX

;;,#


13. Z(~qyZC'>$MTsD ACL mI(mIr\xCJ\#$

Ts#

tCM{C MPA O$

;Z webseald.conf dCD~D [mpa] ZPD mpa N}CZtCM

{C MPA O$:

¶ *tC MPA O$=(,kdk0yes1#

¶ *{C MPA O$=(,kdk0no1#

}g:

[mpa]
mpa = yes

4( MPA DC'J'XZ4(C'J'DE",kN<6Tivoli SecureWay Policy Director Base

\m8O7M Tivoli SecureWay Policy Director Web Portal Manager

Administration Guide#

+ MPA J'mS= webseal-mpa-servers iXZ\miDE",kN<6Tivoli SecureWay Policy Director Base \

m8O7M Tivoli SecureWay Policy Director Web Portal Manager

Administration Guide#

MPA O$^F

Policy Director Db;"Pf;T?v WebSEAL ~qw'V;v

MPA#


gr"abv=8

1 WebSEAL w*zm~qw4PTa)T2+rD#$1,(#*s

a)%;"aAJ4Dbv=8#>BV[=Vgr%;"abv=

8#

wbw}:

¶ :dC CDSSO O$;

¶ Z1083D:dCgSgx%;"a;

dC CDSSO O$

Policy Director gr%;"a(CDSSO)a)K;VZ`v2+r.d*

FC'>$DzF#CDSSO Jm Web C'4P%;"a"Z=v@"

D2+r.d^lF/#CDSSO O$zF";@5ZwO$~qw(k

NDgSgx SSO)#

CDSSO (}Jm/I`v2+r,'VIluxge5a9D?D#}

g,ITC=vr`v(;DrhC;vsM2,b?x * ?v(;D

r<PT:DC'MTsUd#CDSSO JmC'9C%;"aZr.d

F/#

1C'ks;Zm;rPD3vJ41,CDSSO zF+QS\DC'm

]jGSZ;vr*F=Z~vr#by,Z~vrMC=KC'Dm

](QZZ;vrPO$),R;a?FC'4Pm;G<#

5


/I(F CDMF 2mbZm` CDSSO =8P,;,rDC'd1!D;T;3dI\;JOy

P?p*s#

gr3dr\(CDMF)GJmz9((F2mbD`LSZ,K2m

b\&m)9DC'tT"*C'm]a)3d~q#

CDMF `LSZJminX(F3dC'm]M&mC'tT#

9C CDMF D CDSSO O$xLwTBxLwhvZ<19P5w#

1. kNk`vrDNNC'XkZwrP_PP'C'J',RXk

Z?vNkD6LrP_PI3d*P'J'Dm]#

g{C';Pu<O$=|,C'J'Du<2+r(A),r;\

wC CDSSO &\#

2. C'(} Web 3fOD(F4S"vCJr B PDJ4Dks#

C4S|,;vXb CDSSO mo=:

/pkmscdsso?<destination-URL>

}g:

/pkmscdsso?https://www.domainB.com/index.html

3. b;ks+WHIr A PD WebSEAL ~qw&m#WebSEAL 9

(O$jG,|,C'D Policy Director m](rF)"10r

(0A1)"d|C'E"M1dAG#

d|C'E"G(}wC(FD CDMF 2mb

(cdmf_get_usr_attributes)q!D#Kb_Pa)C'tTD\

&,C'3d&mZdr B I9Cb)tT#

WebSEAL }v DES 9C cdsso_key_gen 5CLrzIDTF\

?S\KjG}]#K\?D~G2mD,|f"Zr A Mr B

WebSEAL ~qwOD webseald.conf dCD~D [cdsso-peers] Z

P#

CjG|,KIdCD(ejGP'ZD1dAG

(authtoken-lifetime)#}7dC1dAG1,IT@9X4%

w#


4. r A WebSEAL ~qw+ksMQS\DjGX(rX/@w,;s

X(r=r B WebSEAL ~qw(HTTP X(r)#

5. r B WebSEAL ~qw9C`,f>D\?D~b\"i$4TN<

rDjG#

6. VZr B WebSEAL ~qwMwC CDSSO O$zFb#K CDSSO

b@NwC(FD4P5JC'3d(cdmf_map_usr)D CDMF

b#

CDMF b+C'm]Md|C'tTE"(s__P!qT)+]X

CDSSO b#CDSSO b9CKE"49(>$#

7. r B Z(~qmIr\xT\#$TsDCJ(yZC'>$Mkk

sDTs`X*DX( ACL mI()#

tCM{C CDSSO O$

cdsso-auth N},;Z webseald.conf dCD~D [cdsso] ZP,C

ZtCM{C CDSSO O$=(#

< 19. 9C CDMF Dgr%;"a}L


¶ *tC CDSSO O$=(,kdk0http1"0https1r0both1#

¶ *{C CDSSO O$=(,kdk0none1#

}g:

[cdsso]
cdsso-auth = https

dC CDSSO O$zF

cdsso dCN}8(K3dO$E"D2`k2mb#

¶ Z UNIX O,a)ZC3d&\DD~GF* libcdssoauthn D2

mb#

¶ Z Windows O,a)ZC3d&\DD~GF* cdssoauthn D

DLL#

O$zF    2mb
        Solaris            AIX               Windows          HP-UX
cdsso   libcdssoauthn.so   libcdssoauthn.a   cdssoauthn.dll   libcdssoauthn.sl

IT(}Z webseald.conf dCD~D [authentication-mechanism] ZPx cdsso N}dkX(Z=(D2mbD~{F4dC CDSSO O

$zF#

}g:

Solaris:

[authentication-mechanisms]
cdsso = libcdssoauthn.so

Windows:

[authentication-mechanisms]
cdsso = cdssoauthn.dll


S\O$jG}]

WebSEAL Xk9C cdsso_key_gen 5CLrzID\?S\ECZ

jGPDO$}]#Xk(}kNkrD?v WebSEAL ~qw2m\

?D~0,=1K\?#wrPNkD?v WebSEAL ~qw<h*9

C`,D\?#

":4(MV"\?D~";G Policy Director CDSSO xLD;?V#

KP cdsso_key_gen 5CLr1,C5CLr*sz8(\?D~D

;C(xT76{):

UNIX: # cdsso_key_gen <absolute-pathname>

Windows: MSDOS> cdsso_key_gen <absolute-pathname>

ZwrDNk WebSEAL ~qwD webseald.conf dCD~D

[cdsso-peers] ZPdkK\?D~D;C#dq=|( WebSEAL z

w{FM\?D~;C:

[cdsso-peers]
<webseal-machine-name> = <keyfile-location>

r A dC>}:

[cdsso-peers]
www.domainB.com = <pathname>/A-B.key

r B dC>}:

[cdsso-peers]
www.domainA.com = <pathname>/A-B.key

ZTO>}P,A-B.key D~+Z;vzw(}g WebSEAL A)Oz

I,"V$("2+)D4F=m;zw(}g WebSEAL B)#

dCjG1dAGCjG|,IdCD1dAG,|(eKm]jGDP'Z#;)1d

AG=Z,rO*CjG^',";h9C#(}+1dAGhC*c

;LD5,Sx@9KjGZdP'ZZ;AC"X49C,rK1d

AGICZoz@9X4%w#


authtoken-lifetime N},;Z webseald.conf dCD~PD [cdsso] ZP,CZhCjGP'ZD5#C5Tk*%;mo#1!5* 180:

[cdsso]
authtoken-lifetime = 180

Xk<GNkn/Dr.dDNN1S+n#

mo CDSSO HTML 4S(z2+rJ4D HTML 4SXk|,XbD CDSSO mo=:

/pkmscdsso?<destination-URL>

}g:

/pkmscdsso?https://www.domainB.com/index.html

#$O$jG1O$jG;|,O$E"(}gC'{M\k)1,|5JO|,K

SUrZIEDC'm]#rK,Xk#$jGTm;;ACMX49

C#

(}9C SSL #$ WebSEAL ~qwkC'.dD(E,I@9jG;

k_AC#IThkSC'D/@wz7G<PACjG#jGOD1

dAG&c;L,9jGZdP'ZZ;I\;ACMX49C#

+`TZ1dAGxT,Q=ZDjGT;]W\=\kT%w#g{

"VKCZ+jGS\D\?rC\?\=p&,rPqbDC'I\

9({GT:DjG#

;sIT+b)jGek01 CDSSO w1#TZNk CDSSO rn/D

WebSEAL ~qw,b)jG+kf}DO$jGA^xp#rK,9X

k!D\mCZ#$jGD\?,"-#xP|D#

dCgSgx%;"a

gSgx%;"aG Policy Director 73PgrO$Dm;5V#gr

O$D?DGJmC'CJg`vrD`v~qwDJ4,x;XXB

O$#


0gSgx1GNkLqX5D;i%;`,Dr(Policy Director r

DNS)#b)NkrIdC*;vLqD;?V(IZXm-r,I\

9C;,D DNS {F),rdC*k2mX5j+;,DLq(}g,

+>\?"KY#U+>MpZ\m+>)#

Z?v=8P,\P;vr8(*0w(home)1r0yP_

(owner)1r#ZNkLqDivB,wr5P\mgSgxDLq

-(#

Zb=V=8P,XZNkgSgxDC'DO$E"(|(O$9C

DC'{M\k)<+ZwrP,$#b;2EJm\mJbD%vN

<c,}ggSgxPyP8rwrDoz(tP#

r_,2I9C Policy Director Web Portal Manager /I\mKE",

TcNkr_P\mT:DC'D0p#

B<PYK;vy>gSgx,|_P=vNkr:r A(dA.com)M

r B(dB.com)#ZK>}P,r A zmwrryP_r#r B GN

krr06L1r#


wr05P1C' * 4,|XFC'DO$E"#;\C'ZN&ks

J4,C'\GXkZwrO$#

TwO$~qw(MAS)* ;ZwrP"dC*O$yPC'D~qw

( r 1 > ~ q w/) * z z O$# <P+ M A S m>*

mas.dA.com#MAS D0p&^F*a)O$~q#MAS ;&|,TC

'ICDJ4#

;)C'I&O$= MAS,MAS +zI0$51jG#KjG++]

XC'("ksD~qw#~qw+K0$51jGS*C'QI&O

$= MAS "\NkgSgxD$]#

gSgxrdDE"*F+ZZ1123D:gSgxxLw;;ZPj

8hv#

< 20. gSgx#M


gSgxXwM*s

¶ K#M'V(}+ URL(4SjG)8rJ4xPCJ#b;Xwk

@5Z(EdCD pkmscdsso 4SD CDSSO #MNITU(k

NDZ1033D:dC CDSSO O$;)#

¶ gSgxD5V*syPNkgSgxDrPDyP WebSEAL ~q

wDdC;B#

¶ NkgSgxDyPC'<h*ZwrPD%vwO$~qw

(MAS)OxPO$#

¶ g{C';P MAS DP'J'(}g,tZr B +;Nkr A *

r B gSgxDC'),rgSgxD5VJmZ6LrPxP0>

X1O$#

ZksG MAS rPDJ41,+*O$ MAS '\DC'a)=O

$A>X~qw("vksD~qw)D!n#

¶ MAS(T0ns6LrPd|!qD~qw)0$51C'O$D

m]#

¶ X(ZrD cookie CZj6Ia)0$51~qD~qw#bMJ

m6LrPD~qwZ>Xks0$51E"#gSgx cookie D

S\Z];|,C'm]r2+TE"#

¶ Q9C(EDjG4+]S\D0$51C'm]#0$51jG

;|,5JC'O$E"#I2mD\?(triple-DES)a)j{

T#jG|,K;v,1(P'Z)5,T^FjGP'TDVx

1d#

¶ gSgxD5VZ HTTP M HTTPS O<\'V#

¶ vpgSgxr\m|GT:DC'm]M`X*DX(#I9C

gr3d&\(CDMF)API +4T6LrDC'3d=>XrPD

P'C'#

g{gSgxr2m+VC'm],r;h*K3d&\#

¶ gSgxDdCZ?vNk WebSEAL ~qwD webseald.conf D

~PhC#


gSgxxLwgSgxIwO$ WebSEAL ~qw(MAS)M;ZwrM6LrPD

d| WebSEAL ~qw9I#MAS Iw* WebSEAL ~qwD%v5

}r;Z:X=bw(K&:X=bwj6* MAS)sfD WebSEAL

1>/fZ#

h*dCyPNkD>XM6L WebSEAL ~qw,T9CxPu<M

'zO$Dwr MAS#bGTwrP~qwD2T*sMT6LrP~

qwDmT*s#}g,IdC6LrPD;)~qw,T&m|GT

:DO$#b)~qwM|G#$DJ4I@"ZgSgxxPYw,

49|G;ZNkgSgxrP#

gSgxD5V("Z0$5153Dy!O#(#,1C'SC'4

("P'a0D WebSEAL ~qwksJ41,WebSEAL +a>C'

O$E"#ZgSgxdCP,WebSEAL ~qwj60$51~qw"

SC'QO$Db;0$51~qwksi$#

0$51~qw_PCC'DP'>$E"#TZC'DZ;Nks,

0$51~qw\G MAS#MAS Lx#1;ZwrPDJ4D0$51

~qw#1C'Lx(}gSgxD"vJ4ks1,?v6LrPD

%@~qwI*C'9(|T:D>$(yZ4T MAS DC'm]E

"),"*rPDJ4#10$51~qwG+#

0$51~qwDi$ksI!0$51jGDq=#0$51~qw

4(jG"+|5X=ksD WebSEAL ~qw#jGPDC'm]E

"GS\D#jG|,P'Z^F#

;SU=0$51jG,ks~qwM*CC'9(>$M>Xa0#

VZC'IyZ}#D(^XF4CJksDJ4#C'SPITC=

;XXBO$DC& * bGgSgx#MD?D#

5)>Z#`?VDgSgxxLw1,kN<TB<m#xLwhv

K=vI\D FIRST CJ=8(1 M 2)#SEG=vI\D NEXT C

J=8(3 M 4),|GtSE 2 r 3#=8 5 "zZu<CJsDN

N1d#


0$51~qw

¶ MAS \GZC'Z;NCJgSgxNN?V1xPO$#

MAS ;&w*O$~qw4P,R;&GJ4a)_#MAS ;&d

C*wO$~qw4Yw,,12;\dC*CZ#$J4#K(

if0T\==f,|;G;v2+T*s#

¶ MAS \Gwr(K>}P*r A)D0$51~qw#

¶ X(ZrDgSgx cookie CZj6x(rPyPd|~qwD0$

51~qw#0$51~qwGrPS MAS ks0$51jGDZ

;v~qw#0$51~qw*rPDC'a)0$51E"#x

(6LrP0$51~qDsLksIIK~qw>X(",x;

GCJrbD MAS#ZwrP,gSgx cookie + MAS j6*

0$51~qw#

(1) FIRST gSgxCJ:WebSEAL 1(r A)

¶ C'ks\ WebSEAL 1(Z MAS D,;vrP)#$DJ4#/

@w;|,CrDgSgx cookie#WebSEAL 1 ;PC'D_Y:

fD>$#

< 21. gSgxxLw


¶ WebSEAL 1 dCtCgSgxO$,"8( MAS D;C#

WebSEAL 1 X(r/@wA MAS ODX(0$51URL#

¶ MAS SU0$51ks,"IZiRCC'D>$'\xa>C'G

<#

¶ ;)I&G<,MAS M*C'9(>$,+|f"Z_Y:fP,"

+/@wX(rX WebSEAL 1 OnuksD URL,K WebSEAL

1 _PS\D0$51jG#mb,X(Zr A DgSgx cookie

;EC=/@wO,Tj6Cr(ZKivB,* MAS)D0$51

~qw#

g{G<"T'\,r MAS 5Xm>'\4,D0$51jG#C

jGD9l9.^(kI&4,0$51jGxp#ks~qw+

'\4,DjGS*C'>XO$'\#

¶ WebSEAL 1 b\jG"*C'9(T:D>$#

":Z,;rP1,;a*sm]3d#g{*sm]3d,r

WebSEAL 1 Xk9Cgr3dr\(CDMF)#

¶ Z(~qmIr\xks#

(2) FIRST gSgxCJ:WebSEAL 3(r B)

¶ C'ks\ WebSEAL 3(6Lr B)#$DJ4#/@w;|,C

rDgSgx cookie#WebSEAL 3 ;PCC'D_Y:fD>$#

¶ WebSEAL 3 dCtCgSgxO$,"8( MAS D;C#

WebSEAL 3 X(r/@wA MAS ODX(0$51URL#

¶ MAS SU0$51ks,"IZiRCC'D>$'\xa>C'G

<#

¶ ;)I&G<,MAS M*C'9(>$,+|f"Z_Y:fP,"

+/@wX(rX WebSEAL 3 OnuksD URL,K WebSEAL

3 _PS\D0$51jG#mb,X(Zr A DgSgx cookie

;EC=/@wO,Tj6Cr(ZKivB,* MAS)D0$51

~qw#


g{G<"T'\,r MAS 5Xm>'\4,D0$51jG#C

jGD9l9.^(kI&4,0$51jGxp#ks~qw+

'\4,DjGS*C'>XO$'\#

¶ WebSEAL 3 b\jG"*C'9(T:D>$#

¶ WebSEAL 3 Z/@wO4("hCm;vgSgx cookie(Tr B

P'),j6 WebSEAL 3 *r B D0$51~qw#

¶ Z(~qmIr\xks#

(3) NEXT gSgxCJ:WebSEAL 2(r A)

¶ C'ks\ WebSEAL 2(Z MAS D,;vrP)#$DJ4#/

@ w | , j6 M A S * 0$51 ~ q w D r A g S g x

cookie#WebSEAL 2 SUK cookie#WebSEAL 2 ;PC'D_Y

:fD>$#

¶ WebSEAL 2 dCtCgSgxO$,"8( MAS D;C#r A g

Sgx cookie DfZ+2G MAS ;CD WebSEAL 2 dC#cookie

* WebSEAL 2 a)K0$51~qwm]#(g{=8 2 H"z,

r/@wO2a,$r B cookie,|;a"MAr A ~qw#)

¶ WebSEAL 2 X(r/@wA cookie Pj6Dr A0$51~qw

(ZKivB* MAS,r* WebSEAL 2 Zr A P)ODXb0$

51URL#

¶ MAS SU0$51ks,"Z_Y:fPiRCC'D>$(b"z

Z=8 1 M 2 P)#

¶ MAS +/@wX(rX WebSEAL 2 OnuksD URL,K

WebSEAL 2 _PS\D0$51jG#

¶ WebSEAL 2 b\jG"*C'9(T:D>$#

¶ Z(~qmIr\xks#

(4) NEXT gSgxCJ:WebSEAL 4(r B)

¶ C'ks\ WebSEAL 4(6Lr B)#$DJ4#g{=8 2 H

"z,r/@w|,j6 WebSEAL 3 *0$51~qwDr B g

Sgx cookie#WebSEAL 4 ;PC'D_Y:fD>$#


¶ WebSEAL 4 dCtCgSgxO$,"8( MAS D;C#r B g

Sgx cookie DfZ+2G MAS ;CD WebSEAL 4 dC#cookie

* WebSEAL 4 a)K0$51~qwm]#(g{=8 1 H"z,

r/@wOva,$r A cookie,|;a"MAr B ~qw#+C

dCD MAS ;C4fz#;s WebSEAL 4 +F*r B D0$

51~qw#)

¶ g{=8 2 H"z,r WebSEAL 4 X(r/@wA cookie Pj

6Dr A0$51~qw(ZKivB* WebSEAL 3)ODXb

0$51URL#

¶ WebSEAL 3 SU0$51ks,"Z_Y:fPiRCC'D>$

(b"zZ=8 2 P)#

¶ WebSEAL 3 +/@wX(rX WebSEAL 4 OnuksD URL,

K WebSEAL 4 _PS\D0$51jG#

¶ WebSEAL 4 b\jG"*C'9(T:D>$#

¶ Z(~qmIr\xks#

(5) ANOTHER gSgxCJ:WebSEAL 2(r A)

¶ C'(}ks,S= WebSEAL 2(r A)#g{=8 3 "z,r

WebSEAL 2 _PC'D_Y:fD>$#

¶ Z(~qmIr\xks#

SgSgx"z

¶ g{C'(}XU/@w4"z,r+e}yP SSL a0MyPg

Sgx cookie#

¶ g{C'(} /pkmslogout 3f4"z,r+e}CrD SSL a

0MgSgx cookie#

mbgSgx Cookie

¶ gSgx cookie GX(ZrD cookie,|I;v WebSEAL ~qw

hCsf"ZC'/@wZfP,"ZsLksP+M=d|

WebSEAL ~qw(Z,;rP)#


¶ X(ZrD cookie |,0$51~qwD{F"gSgxm]"0$

51~qw0&\D;C(URL),T0P'ZD5#C cookie ;

|,C'E"#

¶ gSgx cookie JmNkrPD~qwZ>Xks0$51E"#

MAS $tDrDgSgx cookie G+M;Pb4X*K#

¶ cookie _P;vP'Z(,1)5,|Z webseald.conf dCD~

PhC#KP'Z58(6L~qw\*C'a)0$51E"D

1d$H#1 cookie P'Z=Z1,C'XkX(rA MAS xP

O$#

¶ XU/@w1+SZfPe} cookie#g{C'SX(r"z,rg

Sgx cookie +2G*U#KYw+P'XS/@w}% cookie#

mb0$51ksM&pgSgx0$51Ywh*(}=v(E9lD URL qCD(C&\,

b=v URL *0$51ksM0$51&p#b) URL GZyZ

webseald.conf PDdCE"X(rgSgx0$51HTTP }LP9l

D#

0$51ks

1C'S;|,CC'D>$E"D?j~qw(*gSgxxdC

D)ksJ41,+%"0$51ks#~qw"M HTTP X(rA

0$51~qw(MAS rgSgx cookie Pj6D~qw)#

0$51ks|,TBE":

https://<vouch-for-server>/pkmsvouchfor?<ecommunity-name>&<target-URL>

SU=~qwli ecommunity-name Ti$gSgxm]#SU=~q

wZ0$51&pP9C target-URL,X(r/@wXnuDks3f#

pkmsvouchfor0$51URL GIdCD#

}g:

https://mas.dA.com/pkmsvouchfor?companyABC&https://ws5.dB.com/index.html

0$51&p


0$51&pGS0$51~qwA?j~qwDl&#

0$51&p|,TBE":

https://<target-URL>?PD-VFHOST=<vouch-for-server>&PD-VF=<encrypted-token>

PD-VFHOST N}j64P0$51YwD~qw#SU(?j)~qw

9CKE"4!qb\0$51jG(PD-VF)h*D}7\?#

PD-VF N}m>S\D0$51jG#

}g:

https://w5.dB.com/index.html?PD-VFHOST=mas.dA.com&PD-VF=3qhe9fjkp...ge56wgb

mb0$51jG*K5Vgr%;"a,XkZ~qw.d+M;)C'm]E"#C

tPE"+9CX(r==4&m,b)X(r|,w* URL D;?V

xPS\Dm]E"#KS\D}]F*0$51jG#

¶ jG|,K0$51I&r'\4,"C'm](g{I&)"4

(jGD~qwD+^({F"gSgxm]M4(1d5#

¶ P'0$51jGDVP_I9CKjGZ~qwK("a0(M

>$/),x;Xw7O$AC~qw#

¶ KjGG9C2m}X DES \?S\D,Tc\i$df5T#

¶ /@wO;f"S\DjGE"#

¶ jG;+];N#SU=~qw9CKE"ZdT:D_Y:fP

9(C'>$#~qw+b)>$CZ,;a0PCC'+4Dk

s#

¶ jG_P;vP'Z(,1)5,|Z webseald.conf dCD~Ph

C#C5ITG#L(}k),TuYX49CDgU#

S\0$51jGWebSEAL Xk9C cdsso_key_gen 5CLrzID\?S\ECZ

jGPDO$}]#Xk(}kNkrPD?v WebSEAL ~qw2m

\?D~0,=1C\?#wrPD?vNk WebSEAL ~qw<h*

9C`,D\?#


":4(MV"\?D~";G Policy Director gSgx}LD;?V#

Xk+\?V$2+4F=NkD~qw#

KP cdsso_key_gen 5CLr1,C5CLr*sz8(\?D~D

;C(xT76{):

UNIX: # cdsso_key_gen <absolute-pathname>

Windows: MSDOS> cdsso_key_gen <absolute-pathname>

CZ#$jG(b)jGZ,;r(wrr6Lr)PD~qw.d"

M)D\?D;CGw* intra-domain-key N}D5dkD,CN};

Z webseald.conf dCD~D [e-community-sso] ZP#

[e-community-sso]
intra-domain-key = <absolute-pathname>

\?D~D;CGZ [inter-domain-keys] ZPdkD,b)\?D~C

Z#$Z MAS M6LrPD~qw.d"MDjG# MAS ,;vr

PDd|~qw;h* inter-domain-keys#MAS G(;h*k6LrP

D~qw(ED~qw#

[inter-domain-keys]
<domain-name> = <absolute-pathname>
<domain-name> = <absolute-pathname>

dCgSgx

Z + X K g S g x5V y h D y P dCN}# b ) N}; Z

webseald.conf D~P#XkP8*gSgxPD?vNk~qwdCC

D~#

e-community-sso-auth

K N}t C r { C g S g x O$# | D5| (

0http1"0https1"0both1r0none1#}g:

[e-community-sso]
e-community-sso-auth = both

50http1"0https1M0both18(gSgxNk=9CD(E`M#

50none1{C~qwDgSgx#1!hC*0none1#


master-http-port

g{ e-community-sso-auth tC HTTP gSgxO$RwO$~q

wZ}j< HTTP KZ(KZ 80).bDKZOl} HTTP ks,r

h*9C master-http-port N}j6Gj<KZ#g{K~qwGwO

$~qw,rvTCN}#1!ivB,+{CCN}#

[e-community-sso]
master-http-port = <port-number>

master-https-port

g{ e-community-sso-auth tC HTTPS gSgxO$RwO$~q

wZ}j< HTTP KZ(KZ 443).bDKZOl} HTTPS ks,

rh*9C master-http-port N}j6Gj<KZ#g{K~qwGw

O$~qw,rvTCN}#1!ivB,+{CCN}#

[e-community-sso]
master-https-port = <port-number>

e-community-name

KN}j6yPNkrPyPNk~qwDgSgx3;{F#}g:

[e-community-sso]
e-community-name = companyABC

e-community-name 5XkkNkgSgxDyPrPDyP WebSEAL

~qw<`,#

intra-domain-key

KN}j6CZS\Mb\jGD\?D~D;C,b)jGZ~qw

DrPxP;;#}g:

[e-community-sso]
intra-domain-key = /abc/xyz/key.file

XkZ;v;C&zIK\?D~,;sV$("2+X)+CD~4

F=rPyPd| WebSEAL ~qwP8(D;C#

is-master-authn-server


KN}j6C~qwGq* MAS#|D5|,0yes1r0no1#}g:

[e-community-sso]
is-master-authn-server = yes

IdC`v WebSEAL w*wO$~qwxPYw,;sECZ:X=

bws#ZK=8P,gSgxPDyPd| WebSEAL ~qw<+:

X=bw06p1* MAS#

master-authn-server

g{ is-master-authn-server N}hC*0no1,rXk!{"M"8

(KN}#KN}j6 MAS D+^(r{#}g:

[e-community-sso]
master-authn-server = mas.dA.com

vf-token-lifetime

KN}hC0$51jGDP'Z,15(Tk*%;)#+TU cookie

OAGD4(1dliC5#1!5* 180 k#Xk<GNk~qw.

dD1S+n#}g:

[e-community-sso]
vf-token-lifetime = 180

vf-url

KN}8(0$51URL#C5XkT}1\(/)*7#1!5*

/pkmsvouchfor#}g:

[e-community-sso]
vf-url = /pkmsvouchfor

2I9C)9D URL:

vf-url = /ecommA/pkmsvouchfor

ec-cookie-lifetime

KN}8(gSgxr cookie DnsP'Z(TVS*%;)#1!5*

300 VS#}g:


[e-community-sso]
ec-cookie-lifetime = 300

Z?r\?

\?D~D;CZ [inter-domain-keys] ZP8(,S\Mb\ MAS M

6LrPDNk~qw.dDjGh*b)\?D~#Xk8(~qw

D+^(r{M\?D~;CDxT76{#

TB>}* MAS(r A)a)K\?D~,CZk=v6Lr(E:

[inter-domain-keys]
dB.com = /abc/xyz/key.fileB
dC.com = /abc/xyz/key.fileC

K>}P,key.fileB j6r A Mr B .d9CD\?D~#

key.fileC j6r A Mr C .d9CD\?D~#

?v6L~qw<+h*_8 MAS 9CD`&\?D~D1>#*k

MAS(r A);;jG,rr B PDyP~qw<h*P key.fileB D

1>#

[inter-domain-keys]
dA.com = /efg/hij/key.fileB

*k MAS(r A);;jG,rr C PDyP~qw<h*P

key.fileC D1>#

[inter-domain-keys]
dA.com = /efg/hij/key.fileC

dC CDSSO O$zF

gSgxdC*sztC cdsso O$zF#1ks~qwS|,Z0$

51jGPDm]E"9(C'>$1,h*KzF#cdsso dCN}

8(K3dO$E"D2`k2mb#

¶ Z UNIX O,a)ZC3d&\DD~GF* libcdssoauthn D2

mb#

¶ Z Windows O,a)ZC3d&\DD~GF* cdssoauthn D

DLL#


O$zF     2mb
         Solaris            AIX               Windows          HP-UX
cdsso    libcdssoauthn.so   libcdssoauthn.a   cdssoauthn.dll   libcdssoauthn.sl

IT(}Z webseald.conf dCD~D [authentication-mechanism]ZPx cdsso N}dkX(Z=(D2mbD~{F4dC CDSSO O

$zF#

}g:

Solaris:

[authentication-mechanisms]
cdsso = libcdssoauthn.so

Windows:

[authentication-mechanisms]
cdsso = cdssoauthn.dll


WebSEAL *a

WebSEAL ~qwMsK~qw.dD,SFw WebSEAL *a,r*

a# WebSEAL *aG0K WebSEAL ~qwMsK&CLr~qw.

dD TCP/IP ,S#*aJm WebSEAL #$;ZsK~qwD Web J

4#

IC pdadmin |nP5CLrr Web Portal Manager 4( WebSEAL

*a#>BV[dC WebSEAL *aD\`!nDj8E"#

wbw}:

¶ Z1263D:WebSEAL *aEv;

¶ Z1283D:9C0pdadmin server task14(*a;

¶ Z1293D:dCy> WebSEAL *a;

¶ Z1323D:`%O$D SSL *a;

¶ Z1353D:4( TCP M SSL zm*a;

¶ Z1363D:(} SSL D WebSEAL A WebSEAL *a;

¶ Z1373D:=S*a!n;

¶ Z1533D:9C WebSEAL *aD<u"M:;

¶ Z1553D:ZZ}=~qwO9C query_contents;

6


WebSEAL *aEv

IT4(TB WebSEAL *a`M:

¶ yZ TCP ,SD WebSEAL =sK~qwD*a

¶ yZ SSL ,SD WebSEAL =sK~qwD*a

¶ (} HTTP zm~qw"yZ TCP ,SD WebSEAL =sK~q

wD*a

¶ (} HTTPS zm~qw"yZ SSL ,SD WebSEAL =sK~q

wD*a

¶ yZ SSL ,SD WebSEAL = WebSEAL D*a

Z4(NN*a1,XkB&ZTB=vX"c:

1. v(Z WebSEAL TsUdPDN&*a(20)Web &CLr~

qw#

2. !q*a`M#

*a}]b;CMq=VZ WebSEAL *aE"f"Z XML q=D}]bD~P#*a}]

b?<D;CZ webseald.conf dCD~D [junction] ZP(e#C?

<`TZ WebSEAL ~qwy([server] ZPD server-root N}):

[junction]
junction-db = jct

¶ ?v*a<ZxP .xml )9{D%@D~P(e#

¶ 9C pdadmin 5CLr4(M\m*aM!n#

¶ XML q=JmzV$4("`-"4FM8]*aD~#

&CV#HCJXF:**

1. 9C pdadmin 5CLrr Web Portal Manager 4( WebSEAL k

sK~qw.dD*a#

2. Z*acOECJ1D ACL _TTa)TsK~qwDV#HXF#


&C8#HCJXF:**

1. 9C pdadmin 5CLrr Web Portal Manager 4( WebSEAL k

sK~qw.dD*a#

WebSEAL ;\T/0i41MmbZ}=D~53#Xk9CF*

query_contents DXb&CLr(*Z}=TsUdD WebSEAL,

f_|eiZ}= Web Ud"(f WebSEAL Da9MZ]#

2. 4F query_contents Lr=Z}=~qw#

3. + ACL _T&C=3;TsUdPDJ1TsO#

4( WebSEAL *aD8<TB8<\aK*aD0fr1:

¶ IZw WebSEAL TsUdPDNNX=mS*a#

¶ IZ,;20c*a`v1>~qw#

20Z,;*acOD`v1>~qwXk*,;`M * TCP r

SSL#

¶ Z}=~qw(}*aLP ACL _T#

¶ *ac;&C%d>X WebSEAL ~qw Web UdPDNN?<#

}g,g{ WebSEAL Pq=* /path/... DJ4,;*C`,D /path

4(*ac#

¶ g{4TsK~qwD HTML 3f|,Lr(}g JavaScript r

applet),"RCLrxP=C?<Dk~qwPXD URL,r*a

c;&%dsK~qw Web UdPDNN?<#}g,g{4Ts

K~qwD3f|, URL q=* /path/... DLr,r;*4({*

/path D*ac#

WebSEAL ;'V HTTP 1.0 ;f*aWebSEAL ;'V HTTP 1.0 ;f*a#C^Fa0lT\wZM?pZ

sK*a~qwOD&CLr*"#

,S y'VD-i RFC }

0K(M'z= WebSEAL) HTTP/1.0 M HTTP/1.1 RFC2068

sK(WebSEAL A*a~q

w)

v HTTP/1.0 RFC1945


":;P*0K,Sa) HTTP/1.00#V$n1'V#+G'V

HTTP/1.1 D HTTP VC,S#

WebSEAL *aD=SN<kNDZ83D:Kb WebSEAL *a;Tq! WebSEAL *aDEn

TEv#

XZ*a|n!nDj{E",kNDZ2093D:WebSEAL *aN

<;#

9C0pdadmin server task14(*aZ9C pdadmin 0,zXkw* sec_master \mC'G<=2+r#

}g:

UNIX:

# pdadmin
pdadmin> login
dkC'j6:sec_master
dk\k:
pdadmin>

Windows:

MSDOS> pdadmin
pdadmin> login
dkC'j6:sec_master
dk\k:
pdadmin>

*4( WebSEAL *a,k9C pdadmin server task |n:

pdadmin> server task <server-name> <task>

server-name N}G5Jzw{MC|n9CD Policy Director i~(H

g WebSEAL)Dj{mo=#

<policy-director-component>-<machine-name>


}g,g{zw{* cruz R Policy Director i~* WebSEAL,r

server-name *:

webseald-cruz

9C server list |ni$ server-name mo=:

pdadmin> server list
webseald-cruz

dCy> WebSEAL *aWebSEAL 'V WebSEAL MsK Web &CLr~qw.dDj<

TCP(HTTP)M2+ SSL(HTTPS)*a#

WebSEAL MsK~qw.dD*a;@5ZM'zM WebSEAL ~q

w.dD,S`M(0d2+6p)#

9C pdadmin 4(y> WebSEAL *ayhD?F|n!n|(:

¶ sK&CLr~qwDwz{(–h !n)

¶ *a`M:tcp"ssl"tcpproxy"sslproxy"local(–t !n)

¶ *ac(20c)

pdadmin> server task <server-name> create -t <type> -h <host-name> <jct-point>

}g:

pdadmin> server task webseald-cruz create -t tcp -h doc.tivoli.com /pubs

TCP `M*a(} TCP ,SD WebSEAL *aa)K*aDy>tT,+;a)(

}*aD2+(E#


*4(2+ TCP *a"mSu<~qw,kx –t tcp !n9C create|n:

pdadmin> server task <server-name> create -t tcp -h <host-name> [-p <port>] <jct-point>

TCP *aD1!KZ5(g{;8()G 80#

SSL `M*aSSL *a&\M TCP *a\s,=S&\GS\yP WebSEAL Ms

K~qwdD(E#

SSL *aJm2+DK=K"/@w=&CLrBq;IT9C SSL #

$SM'z= WebSEAL MS WebSEAL =sK~qwD(E#9C

SSL *a1,sK~qwXktC HTTPS#

< 22. G2+ TCP(HTTP)*a

< 23. 2+ SSL(HTTPS)*a


*4(2+ SSL *a"mSu<~qw,kx –t ssl !n9C create|n:

pdadmin> server task <server-name> create -t ssl -h <host-name> [-p <port>] <jct-point>

SSL *aD1!KZ5(g{;8()G 443#

i$sK~qw$i

1M'zkssK~qwODJ41,WebSEAL w*2+~qw,+z

mM'z4Pks#SSL -i8(KZTsK~qwavks1,~qw

Xk(}~qwK$ia)m]$w#

1 WebSEAL SsK~qwSU=K$i1,|Xk(}+$ik$i

}]bPy CA $iPmTU4i$f5T#

Policy Director 9C SSL D IBM Global Security Kit(GSKit)5V#

Xk9C GSKit iKeyman 5CLr4mS CA Dy$i,C CA )p

K WebSEAL $i\?D~(pdsvr.kdb)DsK~qw$i#

XZ\m$i\?}]bDj{E",kN<Z2173D:9C iKeyman

\m$i;#

SSL *a>}

(} SSL D,;Z*ac /sales D*awz sales.dascom.com:

pdadmin> server task <server-name> create -t ssl -h sales.tivoli.com /sales

":ZO}P,–t ssl !nf(K1!KZ 443#

(} SSL D,;Z*ac /travel KZ 4443 D*awz travel_svr:

pdadmin> server task <server-name> create -t ssl -p 4443 -h travel_svr /travel


`%O$D SSL *aWebSEAL 'V(} SSL *aD WebSEAL ~qwMsK~qw.dD

`%O$(–t ssl r –t sslproxy)#TBEv\aK(} SSL D`%

O$'VD&\(+Z`&;CPv|n!n):

1. WebSEAL O$sK~qw(}#D SSL xL)

¶ WebSEAL i$4TsK~qwD~qw$i#kND:WebSEAL

i$sK~qw$i;#

¶ WebSEAL i$|,Z$iPD(P{F(DN)(–D)(I!,

+?RFv9CC!n)#kNDZ1333D:(P{F(DN)

%d;#

2. sK~qwO$ WebSEAL(=V=()

¶ sK~qwi$4T WebSEAL DM'z$i(–K)#kNDZ

1333D:9CM'z$iD WebSEAL O$;#

¶ sK~qwi$Zy>O$(BA)7PD WebSEAL m]E"

(–B"–U"–W)#kNDZ1343D:9C BA 7D WebSEAL

O$;#

XF(} SSL xP`%O$D|n!na)TB&\:

¶ I8(M'z$ir BA O$=(#

¶ IZ?v*ay!O&CO$=(#

Z1343D:&m(}*aDM'zm]E";PhvK+ –b !n(C

Z&m BA E")k(} SSL D`%O$`aODXb"bBn#

WebSEAL i$sK~qw$iWebSEAL y]j< SSL -ii$sK~qw$i#sK~qw+~q

w$i"M= WebSEAL#WebSEAL TUyO$PD(CA)$iD$(

ePmi$~qw$i#

WebSEAL 9CD\?}]bXk|,O$PD(CA)D$i,b)$i

9I&CLr~qw$i(S)p CA *<"|,y$i)DIE4#


I9C iKeyman &CLr44(M\my CA $iD}]b#kND

Z2173D:9C iKeyman \m$i;#

(P{F(DN)%dI(}(P{F(DN)%d4v?~qwKD$ii$#*tC~q

w DN %d,XkZ4(AC~qwD SSL *a18(sK~qw

DN#d; DN %dGI!DdC,+?RFvC(} SSL *aD`%

O$45VC&\#

Z~qwK$ii$Zd,|,Z$iPD DN +k*a(eD DN x

PHO#g{b=v DN ;%d,=sK~qwD,S+'\#

*tC~qw DN %d,Z9C –D “<DN>” !n4( SSL *a1,

k8(sK~qw DN#*K#VV{.PDUq,k+K DN V{.

C+}E}p4#}g:

-D "/C=US/O=Tivoli/OU=SecureWay/CN=Policy Director"

–D !n;JOk –K r –B !n;p9C#

9CM'z$iD WebSEAL O$

9C –K !nItC(}M'z$i=*aDsK~qwD WebSEAL

O$#

-K "<key-label>"

C=8Du~|(:

¶ hCsK~qwTks9CM'z$ii$ WebSEAL m]#

¶ dC WebSEAL(webseald.conf)Tc9CX(DM'z$i4O$

sK~qw(ssl-keyfile-label)#

¶ ,1?RFvdCCZ DN %dD*a(–D)#

–K 9CN}48(f"Z GSKit \?}]bPDyh$iD key-label#

9C i K e y m a n 5C L r I mSB$iA\ ?}] b #9C

webseald.conf dCD~PD ssl-keyfile-label N}IdC key-label#

Xk+ key-label N}C}E}p4#}g:

-K "cert1_Tiv"


kNDZ373D:dC WebSEAL D\?}]bN};#

9C BA 7D WebSEAL O$

9C –B –U “<username>” –W “<password>” !n4tC(}y>

O$5VD WebSEAL O$#

-B -U "<username>" -W "<password>"

C=8Du~|(:

¶ hCsK~qwTks9C BA 7i$ WebSEAL m]#

¶ ;9C –b !ndC*a#(+ZZ?,–B !n9C –b filter#)

¶ dC WebSEAL *+ BA 7P}O$Dm]E""M=sK~qw#

¶ ?RFv,1dCCZ DN %dD*a(–D)#

Xk+C'{M\kC+}E}p4#}g:

-U "WS1" -W "abCde"

&m(}*aDM'zm]E"I+*ahC*Z BA 7P8(M'zm]E"#–b !nJm 4 vI

\DN}:filter"supply"ignore M gso#b)N}Dj8E"IZZ161

3D:dC%;"abv=8D BA 7;PiR#

–b !n+0lCZ`%O$D*ahC,Xk<G!nD}7iO#

9C –b supply

¶ (} BA 7D WebSEAL O$;JmkC!n,19C#C!n9

C BA 7TqC-<M'zC'{M0F*1\k#

¶ Jm(}M'z$iD WebSEAL O$kC!n,19C#

9C –b ignore

¶ (} BA 7D WebSEAL O$;JmkC!n,19C#C!n9

C BA 7TqC-<M'zC'{M\k#

¶ Jm(}M'z$iD WebSEAL O$kC!n,19C#


9C –b gso

¶ (} BA 7D WebSEAL O$;JmkC!n,19C#C!n9

C BA 7TqC GSO ~qwa)DC'{M\kE"#

¶ Jm(}M'z$iD WebSEAL O$kC!n,19C#

9C –b filter

¶ ZZ?,Z WebSEAL O$hC*9C BA 7E"1,+9C –bfilter !n#

WebSEAL BA 7+CZyPsLD HTTP Bq#TZsK~qw,

WebSEAL mV*yP1d<GG<D#

¶ Jm(}M'z$iD WebSEAL O$kC!n,19C#

¶ g{sK~qw*s(S/@w)qC5JDM'zm],I9C

C G I d ? H T T P _ I V _ U S E R " H T T P _ I V _ G R O U P M

HTTP_IV_CREDS#TZE>M!&CLr,k9CT&D"X(

Z Policy Director D HTTP 7:iv-user"iv-groups"iv-creds#

4( TCP M SSL zm*aI4( WebSEAL *a,C*aJm9C HTTP r HTTPS zm~qw

izxgXKa9D WebSEAL (E#IdCC*a,Tc+ksw*

j<D TCP (Er\#$D SSL (E4&m#

create |nD type !n*sTBN}.;,Tc("(}zm~qw

D"yZ TCP r SSL D*a:

¶ -t tcpproxy

¶ -t sslproxy

create M add |nh*TB!nMN}4j6zm~qwM?j Web

~qw:

–H <host-name> zm~qwD DNS wz{r IP X7#

–P <port> zm~qwD TCP KZ#

–h <host-name> ?j Web ~qwD DNS wz{r IP X7#


–p <port> zm Web ~qwD TCP KZ#TZ TCP *a,

1!5* 80;TZ SSL *a,1!5* 443#

TCP zm*a>}(w*;Pdk):

pdadmin> server task <server-name> create -t tcpproxy -H clipper -P 8081 -h www.ibm.com -p 80 /ibm

SSL zm*a>}(w*;Pdk):

pdadmin> server task <server-name> create -t sslproxy -H clipper -P 8081 -h www.ibm.com -p 443 /ibm

(} SSL D WebSEAL A WebSEAL *aPolicy Director 'V0K WebSEAL ~qwMsK WebSEAL ~qw.

d(} SSL D*a#x –C !n9C create |nI(} SSL *a=

v WebSEAL ~qw"a)`%O$#

>}:

pdadmin> server task <server-name> create -t ssl -C -h serverA /jctA

`%O$"zZTB=V4,B:

< 24. zm*a>}


¶ SSL -iJmsK WebSEAL ~qw(}d~qw$ir0K

WebSEAL ~qwO$#

¶ –C !n9C0K WebSEAL ~qwIT+y>O$(BA)7PDm

]E""M=sK WebSEAL ~qw#

mb,–C !ntC –c !nD&\,C!nJm+X(Z Policy Director

DM'zm]Mi1JqE"ECZTsK WebSEAL ~qw*?DX

DksD HTTP 7P#7N}|( iv-user"iv-groups M iv-creds#kN

DZ1393D:Z HTTP 7Pa)M'zm](–c);#

TBu~&CZ WebSEAL A WebSEAL *a:

¶ C*a;JOZ –t ssl r –t sslproxy *a`M#

¶ WebSEAL ~qwXk2m+2 LDAP r DCE "am#|Jms

K WebSEAL ~qwO$0K WebSEAL ~qwDm]E"#

=S*a!nI9C=S!na)TB=S WebSEAL *a&\:

¶ Z1383D:?FB*a(–f);

¶ Z1393D:Z HTTP 7Pa)M'zm](–c);

¶ Z1403D:Z HTTP 7Pa)M'z IP X7(–r);

¶ Z1413D:+a0 Cookie "M=*aDE'x>~qw(–k);

¶ Z1423D:'V;xVs!4D URL(–i);

¶ Z1423D:&m4TE>MM'zK&CLrD URL(–j);

¶ Z1463D:9C*a3d&m`TZ~qwD URL;

¶ Z1473D:4,#fac'V(–s"–u);

¶ Z1483D:*4,#fac8(sK~qw UUID(–u);

¶ Z1523D:*a= Windows D~53(–w);


?FB*a(–f)*?FB*a2GVP*a,Xk9C –f !n#

TB>}(~qw{F* websealA)5wKK}L:

1. G<= pdadmin:

# pdadmin
pdadmin> login
dkC'j6:sec_master
dk\k:
pdadmin>

2. 9C server task list |nT>yP10*ac:

pdadmin> server task websealA list
/

3. 9C server task show |nT>*aDj8E":

pdadmin> server task websealA show /
*ac:/
`M:>X
*a2^F:0 * 9C+V5
*am^F:0 * 9C+V5
n/D$wLr_L:0
y?<:/opt/pdweb/www/docs

4. 4(BD>X*a4!z10*ac(h* -f !n4?F9CB*a

2GVP*a):

pdadmin> server task websealA create -t local -f -d /tmp/docs /
QZ / 4(*a

5. PvB*a:

pdadmin> server task websealA list
/

6. T>C*aDj8E":

pdadmin> server task websealA show /
*ac:/
`M:>X
*a2^F:0 * 9C+V5
*am^F:0 * 9C+V5
n/D$wLr_L:0
y?<:/tmp/docs


Z HTTP 7Pa)M'zm](–c)–c !nJm+X(Z Policy Director DM'zm]Mi1JqE"ek

T*aDZ}=~qw*?DXDksD HTTP 7#Policy Director

HTTP 7E"tC*aDZ}=~qwOD&CLr,T4PyZM'z

D Policy Director m]D"X(ZC'DYw#

HTTP 7E"XkIsK~qwd;*73d?q=,TcIsK~qw

OD~q9C#7E"G(}CB._(_)!zF[E(-)"ZV{

.D*<&mS0HTTP1d;* CGI 73d?q=D# HTTP 7D5

I*B73d?D5#

X(Z PD D HTTP7VN

CGI 73d?H= hv

iv-user = HTTP_IV_USER = M'zDL{r${#g{M'z4O$

(r4*),r1!5*04O$1#

iv-groups = HTTP_IV_GROUPS = M'zytDiDPm#I:EVtD}E

}p4Du?9I#

iv-creds = HTTP_IV_CREDS = zm Policy Director >$DQ`k;8w}

]a9#r6L~qwa)>$,byPd

c&CLrMIT9CZ( API wCZ(~

q#kN< Tivoli SecureWay Policy Director

Authorization ADK Developer Reference#

X(Z Policy Director D HTTP 7u?IZ CGI LrPw*73d?

HTTP_IV_USER"HTTP_IV_GROUPS M HTTP_IV_CREDS#XZd

|&CLrr\z7,kNDz7D5,TqCS HTTP ksi!7D

8<E"#

–c o(

–c !n8(K"MD)X(Z Policy Director D HTTP 7}]AsK

&CLr~qw#

-c <header-types>

header-types Td?|(:all"iv_user"iv_user_l"iv_groups M

iv_creds#


N} hv

iv_user a)ZksD HTTP 7Pw* iv-user VNDC'{(L

q=)#

iv_user_l a)ZksD HTTP 7Pw* iv-user VNDC'j{ DN

($q=)#

iv_groups a)ZksD HTTP 7Pw* iv-groups VNDC'iP

m#

iv_creds a)ZksD HTTP 7Pw* iv-creds VNDC'>$E

"#

":9C iv-user r iv-user-l,+;*,19C|G#

–c all !n+yP}V`MDm]E"ek= HTTP 7P(ZKivB

9CL{Fq=(iv_user))#

":v9C:EVt`vN}#;*dkUq#

>}:

-c all

-c iv_creds

-c iv_user,iv_groups

-c iv_user_l,iv_groups,iv_creds

Z HTTP 7Pa)M'z IP X7(–r)–r !nJm+M'z IP X7E"ekT*aD&CLr~qw*?D

XDksD HTTP 7#Policy Director HTTP 7E"9C*aDZ}=

~qwOD&CLrIT4PyZK IP X7E"DYw#

HTTP 7E"XkIsK~qwd;*73d?q=,TcIsK~qw

OD~q9C#7E"G(}CB._(_)!zF[E(-)"ZV{

.D*<&mS0HTTP1d;* CGI 73d?q=D# HTTP 7D5

I*B73d?D5#

":IP X7D5";\Gm>4M'zDX7#IP X75Im>zm~

qwDX7rxgX7*;Lr(NAT)#


X(Z PD D HTTP7VN

CGI 73d?H= hv

iv-remote-address HTTP_IV_REMOTE_ADDRESS

M'zD IP X7#C5Im>zm~qwD

IP X7rxgX7*;Lr(NAT)#

–r !n8("M=sK&CLr~qwDdkksD IP X7#C!n

;PNNTd?#

+a0 Cookie "M=*aDE'x>~qw(–k)Web E'x>Ga);zc:DvT/J4M~qD~qw#–k !nJ

mz+ Policy Director a0 cookie(nuZM'zM WebSEAL .d(

"D)"M=sKE'x>~qw#?0ivB,C!nDfZG*K

1S'V WebSEAL M Plumtree Corporate Portal bv=8D/I#

1M'zSE'x>~qwksvKJ4Pm1,E'x>~qw(}

CJ;Zd|'V&CLr~qw(,1\ WebSEAL #$)DJ4,

49(KPm#a0 cookie JmE'x>~qwzmM'z^l%;"

a=b)&CLr~qw#

4( WebSEAL MsKE'x>~qw.dD*a1,k|, –k !n,

;xTd?#

E'x>~qwdCh*<GDu~:

¶ TZ(}C'{M\kDCJ,h*q=O$#k;*9Cy>O

$(BA)#

¶ X k + webseald.conf dCD~D [ s e s s i o n ] ZPD

ssl-id-sessions N}hC*0no1#TZ HTTPS (E,KhC?F

9Ca0 cookie(x;G SSL a0j6)4,$a04,#

¶ g{E'x>~qwG WebSEAL :/D0K~qw,ktCJO*

F`M cookie#JO*F cookie |,S\D>$E",CE"Jm

O$TZ&mksDNN4FD WebSEAL ~qw<*I&#


'V;xVs!4D URL(–i)1!ivB,Policy Director Z&CCJXF1T URL xVs!4#9

C –i !nI8(Z&mT*aDsK~qwDks1,WebSEAL T

URL ;xVs!4#

1Z*aOhCC!n1,WebSEAL ZVv URL 1;xVs4M!4

V{#1!ivB,Web ~qwZ{xVs!4#

d;s?V HTTP ~qw'V+ URL (e*xVs!4D HTTP f

6,+G3) HTTP ~qwT URL ;xVs!4#

}g,Z;xVs!4D~qwO,TB=v URL:

http://server/sales/index.htm

http://server/SALES/index.HTM

I4w,;v URL#bVP*h*\m1T=v URL EC`,DCJ

XF(ACL)#

(}9C –i !n*aZ}=~qw,WebSEAL ;xV8rC~qwD

URL Ds!4#

&m4TE>MM'zK&CLrD URL(–j)>Zhv WebSEAL gN&mIE>zzD"=sK~qwJ4DxT

r`TZ~qwD4S#

¶ :JbD30;

¶ Z1443D:C*a cookie &m`TZ~qwD URL;

¶ Z1453D:CE>}K&mxT URL;

¶ Z1463D:9C*a3d&m`TZ~qwD URL;

JbD30

M'zCJ*aD Web ~qw1,5XE"ITGr%D HTML"M'

zK&CLr(!&CLr)rE>Da{# Web E>oT|(

Javascripts"VBscripts"ASP"JSP M ActiveX#


HTML zID3f"E>r!&CLrI\|,=CsK~qwrd|X

=Dd|J4D4S(URL)# URL mo=I9CTBq=T>:

¶ xT

¶ `T

¶ `TZ~qw

;P1 URL *`TDr|,j6C*aDE"1,5X=sK~qwD

4SEaI&# WebSEAL XkliwVwyzIE"P|,D URL,

"ZJ1D1ra)*am]E"#

C`Tq=mvD URL ;h* WebSEAL DYw#IZ-< URL ;

|,C*aDE",TxTr`TZ~qwq=mvD=sK~qwD

4S;aI&#b)4S+;}7XT>*4T>X WebSEAL ~qw

ODTsDks#

`T URL mo=>}(4S;1aI&):

abc.html ../abc.html

./abc.html sales/abc.html

xT URL mo=>}(4Sh**aE"):

http://www.tivoli.com/abc.html

`TZ~qwD URL mo=>}(4Sh**aE"):

/abc.html /accounts/abc.html

WebSEAL 9CBP=(&m/,zIDxTM`TZ~qwD URL:

¶ 2, HTML 4

IZ HTML G?D>DR]WVv,WebSEAL aZJ1D1r$

HT/+}7D*aE"ECZ URL O#kNDZ1533D:}K4

T*a~qwD2, HTML URL;#

¶ E>MM'zK&CLr4


IZE>HO4S,9CZSsK~qw"M=M'zD}LP

WebSEAL ;\}KvdPDxTr`TZ~qwD URL mo=#

Xk+ WebSEAL dC*ZJ1D1ra)*aE"#

":DxyP Web E>DLr1*/,zID URL 9C`T4S(;

GxTr`TZ~qwD)#

C*a cookie &m`TZ~qwD URLZTB=8P,sK~qwODE>/,zI`TZ~qwD URL mo

=#Z+6k=zk"M=M'z1,WebSEAL ";Yw|#M'zO

* URL ;P}7mo,r*|;|,*aE"#

g{M'zksC4S8(DJ4,WebSEAL +;}7XYhC4S8

r>X3f#ZiRC3f'\s,|+rM'z5X0R;=1m

s#

–j !n*&m`TZ~qwD URL a)yZ cookie Dbv=8,C

URL I*a~qwOD Web E>zI"ZM'zOKP#

;co(:

pdadmin> server task <server-name> create ... -j ...

+*?vksrM'z"M*aj6{ cookie#C cookie |,TBd?

M5:

IV_JCT_<backend-server-name> = </junction-name>

< 25. E>zID;P}KD URL


1M'z9CC URL avks,WebSEAL +9C URL D-<q=x

P&m#^((;J41,WebSEAL "49C cookie a)D*aE"

XTCks#9C URL mo=PD}7*aE",II&(;J4#

B<{vK}K`TZ~qwD URL Dbv=8

WebSEAL *&m`TZ~qwD URL a)KI!qD";yZ cookie

Dbv=8#kNDZ1463D:9C*a3d&m`TZ~qwD

URL;#

CE>}K&mxT URLWebSEAL h*=SdCT&m(}*aD"/,zIXxT URL#

webseald.conf dCD~|,tCr{CxT URL }KDN}:

[script-filtering]
script-filter = no

1!ivB+{CE>}K#*tCE>}K,khC:

script-filter = yes

":Xk9C –j !n44(=sK~qwD*a#+rM'z"M*a

j6{ cookie * d;E>}KzF";h*|#

script-filter zF#{xT URL *j<#="~qwrJ4q=:

http://server/resource

< 26. }K`TZ~qwD URL


script-filter zF9C}7D*aE"zf4SD#=M~qw?V#

/junction-name/resource

Cbv=8h*=SD&m*z,"RaTT\zz:f0l#k+

script-filter N}D9C^Zh*xT URL }K'VD*a#

B<{vKb; URL }Kbv=8:

9C*a3d&m`TZ~qwD URL}yZ cookie Dbv=8b,Policy Director a)8C=8T}K`T

Z~qwD URL#IT4(M$n*a3dm,Cm+X(D?jJ4

3d=*a{F#

WebSEAL 9C*a3dmP|,D}]li`TZ~qwD URL PD

;CE"#g{ URL PD76E"%dmPDu?,WebSEAL +Ck

s8rkC;CX*D*a#

CmG{* jmt.conf D ASCII D>D~#webseald.conf dCD~D

[junction] ZP8(KCD~D;C:

jmt-map = lib/jmt.conf

< 27. }KxT URL


mP}]u?Dq=I*a{F"UqMJ4;C#=9I#2I9C

(d{moJ4;C#=#

Z*a3ddCD~DTB>}P,=vsK~qwZ /jctA M /jctB k

WebSEAL *a:

#jmt.conf
#<junction-name> <resource-location-pattern>
/jctA /documents/release-notes.html
/jctA /travel/index.html
/jctB /accounts/*
/jctB /images/weather/*.jpg

-< jmt.conf 3dmG;vUD~#ZrD~mS}]s,Xk9C

jmt load |n00k1}],Tc WebSEAL q*BE"#

pdadmin> server task <server-name> jmt load
QI&0k JMT m#

TBu~&CZ*a3dmbv=8:

¶ Cbv=8;h* -j !nr*a cookie

¶ h*hC3dm"I2+\m1$n

¶ Cbv=8;&mxT URL 4(D4S

¶ J4;C#=Z>X Web UdM*aD Web &CLr~qwOX

kG(;D#

¶ g{ZD~PPj+`,D#=u?,r+;0k3dm#+

WebSEAL +LxKP#

¶ g{Z0k3dm1vm,r3dm+;IC#+ WebSEAL +Lx

KP#

¶ g{3dm*UrmDu?Pms,r+;0kC3dm#+

WebSEAL +LxKP#

¶ 0k3dm1"zDNNms+<B WebSEAL ~qwU>D~

(webseald.log)PDJCTu?#

4,#fac'V(–s"–u)s?V Web tCD&CLr*4TM'zD HTTP ksrP,$04

,1#C4,CZ,}g:


¶ (} CGI LrzID}]u?q=VNzYC'xH

¶ 4P;5P}]bi/1,,$C'OBD

¶ ZZ_:o5&CLrP,$L7Pm,C'ITTI/@M!q

L74:r

I4FKPtC Web &CLrD~qw,Tc(}:XVda_T\#

1 WebSEAL ~qwa)=b)4FDsK~qwD*a1,|Xk#

$M'za0Z|,DyPks<;*"=}7D~qw,x;Gy]

:X=bfrZQ4FDsK~qwPV<#

1!ivB,Policy Director (}ZyPICD4F~qwOV<ks4

yb~qw:X# Policy Director 9C0nUP1c(#Cc(+?v

Bks8rVP,SnYD~qw#

create |n –s j>+2G:X=bfr"4(04,#fac1#C4

,#fac7#Z{va0Zd+M'zks*"=,;~qw#Z"

zu<M'zks1,WebSEAL MZ|,8(sK~qwD UUID D

M'z53OEC;v cookie#1M'zr,;J4avx;=Dks

1,C cookie D UUID E"+7#ks\G7I=,;vsK~qw#

–s !nJCZ`vsK~qwZ,;v*ac*a=%v0K WebSEAL

~qwD4v#k"b,;)+u<*a4(*4,#f,+9C;x

–s !nD add |n,+#`D1>sK~qw*a=,;v*ac#

g{C=8|,`v*a=,;vsK~qwD0K WebSEAL ~qw,

Xk9C –u !n}78(=?v0K WebSEAL ~qwDsK~qw

UUID#kND:*4,#fac8(sK~qw UUID(–u);#

*4,#fac8(sK~qw UUID(–u)Z4(=sK Web &CLr~qwDB*a1,WebSEAL (#zI(

;+Vj6{(Unique Universal Identifier,UUID)4j6sK~qw#

C UUID ZZ?9C,2C4,$4,#fac(create –s)#


Z"zu<M'zks1,WebSEAL MZ|,8(sK~qwD UUID

DM'z53OEC;v cookie#1M'zr,;J4avx;=Dks

1,C cookie D UUID E"7#ks\G(r=,;vsK~qw#

1`v0K WebSEAL ~qw*a=`vsK~qw1,4,#fac

D&m+dC|S4S#(#,0K WebSEAL ~qwMsK~qw.

dD?v*a*sK~qwzI;v(;D UUID#bb6E;vsK~

qwZ?v0K WebSEAL ~qwOP;,D UUID#

`v0K~qwh*:X=bzFZ=v~qw.dV<:X#}g,

IT9CX(D UUID (} WebSEAL ~qw 1 4("=sK~qw

Du<04,1#

;x,g{4T,;M'zDsLksI:X=bzF7I*(}

WebSEAL ~qw 2,C04,1;YfZ,}G WebSEAL ~qw 2

9C`,D UUID 4j6,;vsK~qw#(#;aGbViv#

–u !nJmr?v0K WebSEAL ~qwa)X(sK~qwD,;v

UUID#

w*>},<GP=v4FD0K WebSEAL ~qw,|G<_P==

vsK~qwD4,#fac#Z4( WebSEAL ~qw 1 MsK~q

w 2 .dD4,#fac1,+zI(;D UUID(UUID A)4j6

sK~qw 2#+GZ4( WebSEAL ~qw 2 MsK~qw 2 .d

< 28. 9CsK~qw UUID D4,#f*a


D4,#fac1,+zI;,DB UUID(UUID B)4j6sK~q

w 2#

g{4TM'zDsLks7I(} WebSEAL ~qw 2,r(}

WebSEAL ~qw 1 ZM'zMsK~qw 2 .d("D04,1+'

\#

Z*a4(Zd,k&CTBxL48( UUID:

1. 4(S WebSEAL ~qw 1 =?vsK~qwD*a#

9C create –s M add#

2. PvZ0=h 11P*?vsK~qwzID UUID#

9C show#

3. 4(S WebSEAL ~qw 2 =?vsK~qwD*a"8(Z0=

h 21Pj6D UUID#

9C create –s –u M add –u#

B<P,WebSEAL-1 M WebSEAL-2 <+sK~qw 1 6p* UUID

1#WebSEAL-1 M WebSEAL-2 <+sK~qw 2 6p* UUID 2#

< 29. ;,D UUID


>}:

ZTB>}P,

¶ WebSEAL-1 F* WS1

¶ WebSEAL-2 F* WS2

¶ sK~qw 1 F* APP1

¶ sK~qw 2 F* APP2

pdadmin> server task webseald-WS1 create -t tcp -h APP1 -s /mnt
pdadmin> server task webseald-WS1 add -h APP2 /mnt
pdadmin> server task webseald-WS1 show /mnt

(b+T> UUID1 M UUID2)

pdadmin> server task webseald-WS2 create -t tcp -h APP1 -u <UUID1> -s /mnt
pdadmin> server task webseald-WS2 add -h APP2 -u <UUID2> /mnt

1M'zksK~qw 2 ("4,#fac1,|+SU=|, UUID

2 D cookie#TO>}7#M'z\G,S=sK~qw 2,x;\Ts

DksG(} WebSEAL-1 9G WebSEAL-2 7ID#

< 30. *4,#fac8(sK~qw UUID


*a= Windows D~53(–w)WebSEAL TM'zKks4P2+Tli,b)ksGryZ URL P

8(DD~76PD*asK~qwavD#r* Win32 D~53a)

CJ$D~{D=V;,=(,Z2+TliPI\"z#02+DP

*#

Z;V=(7Oj{DD~{(abcdefghijkl.txt)#Z~V==9C

ID 8.3 D~{q=Ta)rsf]T(abcdef˜1.txt)#

Z Windows 73P4(*a1,+CJXF^(Z;vTsm>(,;

JmF}2+zFD0sE1GG#X*D#

–w !n;Jm 8.3 D~q=#C';\(}9CLD~{q=(8.3)

\b$D~{DT= ACL#~qwTZdkDNNLq=+D~{5X

0403 {C1ms#

Windows P,xPD~{0foo.1DD~+4wkD~{0foo1DD~G

;yD# –w !n+ZrsK~qw"Mks0,}% URL PDD~

{2fDc#ACL liGyZ;P2fcDD~{#

":Win32 ;xVs!4DJb(abcde.txt = AbCdE.txt)IT9C –i!nmv#kNDZ1423D:'V;xVs!4D URL(–i);#

>}:

Z Windows NT 4.0 O,9IT9CTB76CJD~ \Program

Files\Company Inc.\Release.Notes:

1. \program files\company inc.\release.notes

2. \program files\company inc\release.notes

3. \prograx1\companx2\releasx3.not

OfD>} 1 {vK –i !n(x;G –w)mvD0;xVs!41

D'{#

>} 2 {vK Windows NT gNvT2fD)9c#


>} 3 {vK Windows NT gN4(p{(*K DOS f]T)#Cp

{ZD~{P;|,Uq,"{O 8.3 q=#

–w !nBvK>} 2 M 3 P{vD1Z2+T)4# –w !n8>

ITvT2fc,"RZC*a~qwDks URL P;JmCJ|,(

KE(˜)DuLDD~{#

9C WebSEAL *aD<u"M:

¶ :Z,;*aO20`v~qw;

¶ :}K4T*a~qwD2, HTML URL;

¶ Z1543D:g}*a4PmI(Dl#;

¶ Z1553D:g}*aD$iO$;

Z,;*aO20`v~qwITZ,;*ac20`v1>~qw#ITZ,;cO20Nb`v

~qw#

20Z,;*acODyP~qwXk*1>(5q Web Ud),"R

Xk9C`,D-i * HTTP r HTTPS#;*Z,;*acO20;

,D~qw#

Sw Policy Director ~qw Web UdCJtZ*a~qwD3f#z

&CITCJb)3f(1;*y]mI(),"Rb)3f&CT>

;B#g{<{P3fR;=r|D,rb6E;P}74F3f#

kliCD5fZ,"R4F~qwD5wPDD5`,#

}K4T*a~qwD2, HTML URLv}KG)S*a~qwSUD MIME `MD0text/html12,D5#

WebSEAL I|D=v URL /:xTDM`TZ~qwD URL /#

¶ `TZ~qwD URL m>k*a~qwDD5y`XD URL ;

C,}g:

/dir/file.html


|Db) URL I43*a~qwD*ac,}g:

/jct/dir/file.html

¶ xT URL m>k0wz1{r IP X70xgKZ`XD URL ;

C,}g:

http://servername[:port]/file.html,rhttps://servername[:port]/file.html

Iy]TBfr/|Db) URL:

1. g{ URL G HTTP,"Rwz/KZk TCP *aD~qw%d,

r+^D URL T43*ac,}g:

/jct/...

2. g{ URL G HTTPS,"Rwz/KZk SSL *aD~qw%d,

r+^D URL T43*ac,}g:

/jct/...

3. v}KZ iv.conf D~P(eDjG/tTTD URL#

4. (#+}K META jGT"Bks,}g:

5. g{ BASE j)|, HREF tT,rKj)+Sl&FAM'z#

}K(}*a~qwD URL DN};Z webseald.conf dCD~D

[filter-url] ;ZP#

[filter-url] ;Z|,K HTML jGPm,WebSEAL ~qw+}Kr^

Db)jGIw{S*a~qwq!DxT URL#

1!ivB+dC#C HTML jG#\m1I\h*mS|, URL D

=S HTML jG#

kNDZ1423D:&m4TE>MM'zK&CLrD URL(–j);#

g}*a4PmI(Dl#P) Policy Director mI(;\g}*a4P#}g,;\9C x mI

(XF CGI E>D4P,2;\9C l mI(4P?<Pm#}g,

<META HTTP-EQUIV="Refresh" CONTENT="5;URL=http://server/url">


WebSEAL ;\<77(sK~qwOksDTsG CGI LrD~"/

,?<Pm9G#fD HTTP Ts#

g}*aCJTs,CGI LrM?<Pm;\(} r mI(xPXF#

g}*aD$iO$

201,WebSEAL G9CG1!bT$idCD#bT$i(}

webseald.conf dCD~D [ssl] ZPD webseal-cert-keyfile-label N

}8(*n/D~qwK$i#

g{*aDsK&CLr~qw*s WebSEAL 9CM'zKD$ij

6T:,rXkWH9C iKeyman 5CLr4("20MjEC$i#

;s,9C –K <key-label> !ndC*a#kNDZ1323D:`%O

$D SSL *a;

g{;P9C –K dC*a,r GSKit (}T/"M|,Z\?D~}

]bPD01!1$i,&m`%O$Dks#g{b;GyhDl

&,rXk7#\?D~}]b(pdsrv.kdb)P;PjG*01!1

(GE)D$i#

\a:

¶ 9CjE{Fj6yPh*D$i#

¶ ;*+\?D~}]bPDNN$ijG*01!1#

¶ 9C webseal-cert-keyfile-label N}XF WebSEAL ~qwKD$

il&#

¶ (} –K *a!nXF WebSEAL M'zKD$il&#

ZZ}=~qwO9C query_contentsg{#{9C Policy Director 2+~q#$Z}=&CLr Web Ud

DJ4,Xkr WebSEAL a)XZZ}= Web UdZ]DE"#

{* query_contents D CGI Lr+a)CE"# query_contents L

rQwZ}= Web UdZ]"r WebSEAL OD Web Portal Manager

a)CbfE"# WebSEAL 20LrTxCLr,+GXkV$XZ


Z}=~qwO20#!vZZ}=~qwGyZ UNIX 9G

Windows,P;,DLrD~`MIC#

?Nzm*aD\#$TsUd?VZ0TsUd1\mfeO9*

1,Web Portal Manager D0TsUd1\mw+T/KP

query_contents#H; Web Portal Manager *@XZZ}=&CLr

UdDZ],zITT>CE""TZOJDTs&C_T#e#

20 query_contents(#,20 query_contents HO]W#20|(S Policy Director ~

qw4F;vr=vD~=Z}=~qwT0`-dCD~#

TB Policy Director ?<|,KLr#e:

UNIX: <install-path>/www/lib/query_contents

Windows: <install-path>\www\lib\query_contents

?<Z]|(:

D~ hv

query_contents.exe CZ Win32 53Dw*I4PLr#&C20Z

Z}= Web ~qwD cgi-bin ?<B#

query_contents.sh CZ UNIX 53Dw*I4PLr#&C20ZZ

}= Web ~qwD cgi-bin ?<B#

query_contents.c 4zk#a)4zkG*Kzcr;zh*|D

query_contents DP*#s`}ivB,bG;

X*D#

query_contents.html HTML q=DozD~#

query_contents.cfg j> Web ~qwD5yD>}dCD~#

ZZ}= UNIX ~qwO20 query_contentsZTB?<PiR{* query_contents.sh DbGLrE>:

<install-path>/www/lib/query_contents

1. + query_contents.sh 4F=Z}= Web ~qwOpwCD

/cgi-bin ?<P#


2. }% .sh )9{#

3. * Web ~qwD\mJ'hC UNIX 4P;#

ZZ}= Win32 ~qwO20 query_contentsZTB?<P,(;{* query_contents.exe DI4PLrM{*

query_contents.cfg DdCD~:

Windows: <install-path>\www\lib\query_contents

1. k7#Z}= Web ~qw_P}7dCD CGI ?<#

2. *KbT?D,k7#Z}= Web ~qwODD5yPfZP'D

D5#

3. + query_contents.exe 4F=Z}= Web ~qwD CGI ?<P#

4. + query_contents.cfg 4F= Windows ?<#

K?<D1!5gBmy>:

Yw53 Windows ?<

Windows 95 c:\windows

Windows NT 3.5x c:\winnt35

Windows NT 4.x c:\winnt

5. `- query_contents.cfg D~T}78(Z}= Web ~qwDD

5y?<#

CD~|, Microsoft Internet Information Server M Netscape FastTrack

~qwD>}u?#ZKD~P,TVE(;)*<DPG"M,+

; query_contents LrvT#

bTdC

1. Z Win32 zwD MS-DOS a>{B,4gB==4P CGI ?<P

D query_contents Lr:

MSDOS> query_contents dirlist=/

&1vVkTBdv`FDZ]:


100
index.html
cgi-bin//
pics//

}V 100 Gm>I&D5X4,#nX*DGAY*4{}V 100 G

Z;v5("RI\G(;D;v)#

g{4{DGmsk,rCdCD~;Z}7D;Cr_;|,P

'DD5yu?#li query_contents.cfg D~DdC,"7#D

5yfZ#

2. Z/@wP,dkTB URL

http://<win32-machine-name>/cgi-bin/query_contents.exe?dirlist=/

C|n+5XkOv=h`,Da{#g{;5XCa{,r Web ~

qwD CGI dC;}7#kiD~qwDD5T|}CJb#

(F query_contentsquery_contents DNqG5X|,Z URL ksPD?<Z]#

}g,*qC~qw Web Udy?<DZ],/@w9CgB==Z

URL OKP query_contents:

http://third-party-server/cgi-bin/query_contents?dirlist=/

query_contents E>4PTBYw:

1. Aj< CGI 73d? $SERVER_SOFTWARE T7(~qw`M#

yZ Web ~qw`M,+d? $DOCROOTDIR hCIdMDD5

y;C#

2. SksD URL PA!73d? $QUERY_STRING,TqCksD

Yw"q!Ts76#

Yw5f"Zd? $OPERATION P,Ts76f"Z $OBJPATHP#ZO}P,$OPERATION * dirlist,$OBJPATH *0/1#

3. ZTs76O4P?<Pm(ls)"+a{dv=j<dv,Tc

Policy Director ~qw9C#m>S?<Du?_P=SD+1\

(//)#


dMDdvgB:

100
index.html
cgi-bin//
pics//

}V 100 Gm>I&D5X4,#

(FD5y?<

UNIX:

*dC UNIX ~qwD query_contents.sh,I\h*^DD5y?<

DhC#

g{ query_contents 5Xms4,(;,Z 100 D}),"R;PD

~Pv,kliE>"ZX*1^D $DOCROOTDIR d?,T%d~

qwdC#

g{}78(KD5y?<+E>T;'\,I\G cgi-bin ;Cf6;

}7#li $FULLOBJPATH d?"^DVdx|D5,T43}7D

cgi-bin ;C#

Windows:

*(F Windows ~qwD query_contents.exe,k^D

query_contents.cfg D~#

=S&\

query_contents Lr(query_contents.c)D4zkG9C Policy

Director V"D,|;h*Xm(#

IrCLrmS=S&\,T'V3)Z}= Web ~qwDXb&\#

b)&\|(:

1. ?<3d * +;ZD5yBDS?<3d= Web Ud#

2. ;yZD~53D Web UdDzI#

bI\Gw\}]bD Web ~qwDiv#


#$ query_contentsPolicy Director 9C query_contents CGI Lr4T> Web Portal

Manager P*aD Web ~qwTsUd##$CD~T@94Z(DC

'KPG\X*D#

XkhC2+T_T,vJm\m~qw(pdmgrd)m]_PCJ

query_contents LrD(^#TB>} ACL(query_contents_acl)zcKu~:

group ivmgrd-servers Tl

user sec_master dbxTrlcam

9C pdadmin 5CLr+K ACL =SA*a~qwOD

query_contents.sh(UNIX)r query_contents.exe(Windows)Ts#}g

(UNIX):

pdadmin> acl attach /WebSEAL/<host>/<junction-name>/query_contents.sh query_contents_acl


Web %;"abv=8

1 WebSEAL w*zm~qw5VTa)T2+rD#$1,(#*s

a)%;"aA Web J4Dbv=8#>BV[ WebSEAL zmdC

D Web UdD%;"abv=8#}g,|,XbdCD*a"+V"

aM LTPA#

wbw}:

¶ :dC%;"abv=8D BA 7;

¶ Z1673D:9C+V"a(GSO);

¶ Z1713D:%;"aA IBM WebSphere(LTPA);

dC%;"abv=8D BA 7>ZV[9C –b !n4((} WebSEAL *aD%;"adCDI\

bv=8#

¶ Z1623D:%;"a(SSO)En;

¶ Z1623D:Z BA 7Pa)M'zm];

¶ Z1633D:a)M'zm]M;c\k;

¶ Z1653D:*"-<M'z BA 7E";

¶ Z1663D:}%M'z BA 7E";

¶ Z1663D:S GSO a)C'{M\k;

7


%;"a(SSO)EnZ\#$J4;ZsK Web &CLr~qwO1,I\a*sksCJ

4DM'z4P`NG< * ;NTZ WebSEAL ~qw,;NTZs

K~qw#?vG<I\h*;,DG<m]#

I9C%;"a(SSO)zFbv\mM,$`vG<m]DJb#%

;"abv=8JmC';9Cu<G<MITCJNN;CDJ4#

TNN4TsK~qwDx;=G<*sD&mTC'<G8wD#

Z BA 7Pa)M'zm]IdC WebSEAL *a,TrsK~qwa)-<r^DsDM'zm

]E"# –b !n/JmzZ HTTP y>O$(BA)7Pa)X(M'

zm]E"#

w*\m1,zXkVvxga9M2+hs,"7(TBJbDp

8:

1. sK~qwh*O$E"p?

(WebSEAL 9C HTTP y>O$7+oO$E"#)

2. g{sK~qwh*O$E",b)E"+SDy4?

(WebSEAL +Z HTTP 7PEC24E"?)

3. WebSEAL MsK~qw.dD,Sh*G2+Dp?

(G TCP 9G SSL *a?)

< 31. `vG<


ZxPM'zM WebSEAL .dDu<O$s,WebSEAL I("BD

y>O$7#ks+ZLx(}*a=sK~qwZd9CKB7#I

9C –b !n4f(CB7a)D)X(DO$E"#

a)M'zm]M;c\k–b supply

–b supply !n8> WebSEAL a)xP2,";c(0F*1)\k

DQO$ Policy Director C'{(M'zD-<m])#C=8;9C-

<M'z\k#

;c\kE}K\k\m"'VyZ?vC'D&CLr#0F*1\

kGZ webseald.conf dCD~D basicauth-dummy-passwd N}P

hCD#

[junction]
basicauth-dummy-passwd = <password>

C=8Y(sK~qwh*4T Policy Director m]DO$#(}+M

'zC'3d=Q*D Policy Director C',WebSEAL \msK~q

wDO$"a)r%DrZ%;"abv=8#

Cbv=8PTBu~:

¶ dC WebSEAL *rsK~qwa)-<M'zksP|,DC'{

M;c(0F*1)\k#

< 32. rsK~qwa)O$E"


¶ Z webseald.conf dCD~PdC0F*1\k#

¶ sK~qw"amXk6p HTTP BA 7Pa)D Policy Director m

]#

¶ r*(}*a+]tPDO$E"(C'{M\k),yT*aD

2+\X*#?RFv9C SSL *a#

^F

,;v Policy Director0F*1\k+CZyPks;yPC'ZsK~

qw"amP_P`,D\k#9C+C0F*1\k;P*&CLr

~qwa)y!,$w9CCC'{G<DM'z_PO(T#

g{M'z\G(} WebSEAL CJsK~qw,Cbv=8+;vV

NN2+Jb#;x,SomO#$sK~qwT\bd|DI\CJ

==G\X*D#

r*bV=8;P\k6D2+T,sK~qwXk~,XEN

WebSEAL Ti$M'zDO(T#

sK~qw"am2Xk6p Policy Director m]TS\|#

< 33. BA 7|,m]M0F*1\k


*"-<M'z BA 7E"–b ignore

–b ignore !n8> WebSEAL +-<M'zy>O$(BA)7;\I

EX1S"M=sK~qw#I+ WebSEAL dC*O$C BA M'z

E"rvTM'za)D BA 7,"+7;S^DX*"=sK~qw#

":b;Gf}D%;"azF,xGTZ}=~qw(T WebSEAL 8

wD)X1SG<#

Cbv=8PTBu~:

¶ sK~qw(} BA *sM'zm]E"

sK~qw+y>O$aJ"MXM'z#M'zTC'{M\k

E"l&,b)E"I WebSEAL ;S^DX+]#

¶ sK~qw,$M'zT:a)D\k

¶ dC WebSEAL *rsK~qwa)-<M'zksP|,DC'{

M\k#

¶ r*(}*a+]tPDO$E"(C'{M\k),yT*aD

2+\X*#?RFv9C SSL *a#

< 34. WebSEAL *"-<M'zm]E"


}%M'z BA 7E"–b filter

–b filter !n8> WebSEAL Z+ks*"=sK~qw.0,}%y

P4TM'zksDy>O$7E"#Z>=8P,WebSEAL G%@D

2+T)&L#

Cbv=8PTBu~:

¶ ZM'zM WebSEAL .ddCy>O$

¶ sK~qw;h*y>O$

¶ ;\(} WebSEAL CJsK~qw

¶ WebSEAL zmsK~qw&mO$

g{zh*rsK~qwa)3)M'zE",ITiOC!nM –c !

nTc+ Policy Director M'zm]E"ek HTTP 7VN#kNDZ

1393D:Z HTTP 7Pa)M'zm](–c);#

S GSO a)C'{M\k–b gso

–b gso !n8> WebSEAL rsK~qwa)O$E"(C'{M\

k),b)E"S*&m+V"a(GSO)hCD~qwOqC#

< 35. }%M'z BA 7E"


Cbv=8PTBu~:

¶ sK~qw&CLrh*;,DC'{M\k,|G;P|,Z

WebSEAL "amP#

¶ T WebSEAL MsK~qw45,2+T\X*#

r*(}*a+]tPDO$E"(C'{M\k),yT*aD2+

\X*#?RFv9C SSL *a#

CzF+Z:9C+V"a(GSO);Pj{hv#

9C+V"a(GSO)

Policy Director 'VinD%;"abv=8,Cbv=8_PrsK

Web &CLr~qwa)8CC'{M\kD\&#

y]y9CDC'"am`M,P=V=('VM4P%;"abv=

8:

¶ xP DCE "amD2+r * 9C Tivoli Global Global

Sign-On(GSO)z7

¶ xP LDAP "amD2+r * LDAP ?<a)+V"a'V

+V"aZ(C'CJQZ(9CDFcJ4 * (}%;G<# GSO

G*ss5hFD,b)s5I;,V`DV<=Fc73D`v53

M&CLr9I,GSO E}KnUC'\m`vC'{M\kDh*#

/IGI4( WebSEAL MsK~qw.dD0GSO b61*a45V

D#XkWH9C Web Portal Manager 4( GSO J4M GSO J4i#

1 WebSEAL SU=T*a~qwODJ4Dks1,WebSEAL +r

GSO ~qw*s`&DO$E"# GSO ~qw|,K;v3d}]b

* TZ?vQ"aDC' * C}]b*X(J4M&CLra)8C

C'{M\k#

B<{vKgN9C GSO zFlwsK&CLrJ4DC'{M\k#


1. M'zCCJsK~qwO&CLrJ4Dksr WebSEAL O$#

qC Policy Director m]#

":%;"axL@"Zu<O$=(#

2. WebSEAL + Policy Director m]"M= GSO r LDAP ~qw#

3. ~qw5XJOZC'MyksD&CLrJ4DC'{M\k#

4. WebSEAL ZksD HTTP y>O$7PekC'{M\kE",C

ks(}*a"M=sK~qw#

3dO$E"BfD>}{vK GSO gNr WebSEAL a)O$E"#g{C'

Michael kKP travel-app &CLrJ4(kN<<36),r WebSEAL

r GSO/LDAP ~qw*s Michael DO$E"#

< 36. +V"azF


GSO/LDAP IC3dJ4AX(DO$E"Dq=,$j{DO$E"

}]b#O$E"GC'{/\kDiO,F*J4>$#;\*Q"

aDC'4(J4>$#

~qw|, Michael D}]b,|+J4 travel-app 3d*X(DJ4

>$#

Bm{vK GSO J4>$}]bDa9:

Michael Paul

J4:travel-app username=mike

password=123

J4:travel-app username=bundy

password=abc

J4:payroll-app username=powell

password=456

J4:payroll-app username=jensen

password=xyz

ZC}P,GSO r WebSEAL 5XC'{0mike1M\k01231#

WebSEAL Z9l(}*a"MAsK~qwDksDy>O$719C

CE"#

dCtC GSO D WebSEAL *aGSO 'VGZ WebSEAL MsK~qw.dD*aPdCD#

*4(tC GSO D*a,k9Cx –b gso !nD create |n#B

fD>}{vK create |nDo(:

create -t tcp -h <host-name> -b gso -T <resource> <jct-point>

BfPvhC GSO *aD!n:

!n hv

–b gso 8( GSO *(}C*aDyPksa)O$E"#

-T <resource/resource-group>

8( GSO J4r GSO J4i#J4{CwC!nD

N},Xkk GSO }]bPPvDJ4{F+7%

d#gso *aPK*s#

Z4(*a1,(}=S&C –t ssl !n,I#$(} SSL D"Z

WebSEAL/GSO bv=8P9CD*a#


FvTZ GSO \G9C SSL *a47#>$MyP}]DS\#

tC GSO D WebSEAL *aD>}

+wz:sales_svr OD&CLrJ4:travel-app *a=*ac

/sales:

create -t tcp -b gso -T travel-app -h sales_svr /sales

+wz:adm_svr OD&CLrJ4:payroll-app *a=*ac

/admin "9C SSL #$C*a:

create -t ssl -b gso -T payroll-app -h adm_svr /admin

":ZO}P,–t ssl !nf(K1!KZ 443#

dC GSO _Y:f+V"a(GSO)_Y:f&\JmzZ_:X73PDF GSO *aD

T\#1!ivB,{C GSO _Y:f#g{;P_Y:fDv?,r

TZ GSO ?jE"(GSO C'{M GSO \k)D?Nlw,<h*

wC LDAP ~qw#

dC GSO _Y:fDN};Z webseald.conf dCD~D [gso-cache]ZP#XkWHtC_Y:f##`DN}CZdC?v_Y:fu?

D_Y:fs!M,15#O$DP'ZMGn/,15IDFT\,

+avSE")6Z WebSEAL ZfPDgU#g{zDxgbv=8

P49C GSO *a,r;*tC GSO _Y:f#

N} hv

gso-cache-enabled tCM{C GSO _Y:f&\#5|(

0yes1M0no1#1!5*0no1#

gso-cache-size hC_Y:f"PmJmDnsu?}#

hCK5T9|S|"PC'a0((}

GSO *aCJ&CLr)De5}#O_D

5a9C|`Zf,+a5VOlDE"

CJ#?v_Y:fu?+{Ds< 50 V

Z#


N} hv

gso-cache-entry-lifetime Nb_Y:fu?IT#tZ_Y:fP

Dn`1d(TkF),;<GGqn

/#_Y:fu?=Zs,,;C'DB

;ksh*T LDAP ~qwxPBDwC#

gso-cache-entry-idle-timeout Gn/_Y:fu?IT#tZ_Y:f

PDn`1d(TkF)#

%;"aA IBM WebSphere(LTPA)

Policy Director WebSEAL ITT IBM WebSphere 73a)O$MZ(

~qT0#$#+ WebSEAL (;* WebSphere D#$0K1,CJM

'z+fY=v1ZDG<c#rx,WebSEAL 'V(} WebSEAL *

aA;vr`v IBM WebSphere ~qwD%;"abv=8#

WebSphere a)yZ cookie Da?6Z}=O$zF(LTPA)#ITd

C WebSEAL *a'V LTPA "*M'za)%;"abv=8#

1C'ks WebSphere J41,C'XkWHO$A WebSEAL,I&

O$s,WebSEAL +zIzmC'D LTPA cookie#w* WebSphere

DO$jG~qD LTPA cookie |,m]M\kE"#KE"9C

WebSEAL M WebSphere .d2mD\\k#$D\?S\#

WebSEAL ZksD HTTP 7Pek cookie,Cks(}*a"MA

WebSphere#sK WebSphere ~qwSUks"b\ cookie "yZ

cookie Pa)Dm]E"O$C'#

*DFT\,WebSEAL ITZ_Y:fPf" LTPA cookie "IZ,

;C'a0Zd*sLks9C-_Y:fD LTPA cookie#IT*_Y

:fD cookie dCP'Z,1MUP(Gn/),15#

dC LTPA *a(} LTPA cookie %;"aA WebSphere h*TBdCn:

1. tC LTPA zF#

2. a)CZS\m]E"D\?D~D;C#


3. a)K\?D~D\k#

b}vdChsZ*a create |nD}v=S!nP8(#

¶ –A !ntC*a'V LPTA cookie#

¶ –F <“keyfile”> !nMTd?8(CZS\|,Z cookie PDm]

E"D\?D~D+76{F;C(Z WebSEAL ~qwO)#2m

\?nuZ WebSphere ~qwO4("2+X4FA WebSEAL ~

qw#XZKNqDj8E",kN<`&D WebSphere D5#

¶ –Z <“keyfile-password”> 8(r*\?D~yhD\k#

\kZ*a XML D~Pw*S\DD>vV#

4( WebSEAL MsK WebSphere ~qw.dD*a1,9Cb)!n

T0d|XhD*a!n#}g:

create ... -A -F "/abc/xyz/key.file" -Z "abcdefg" ...

dC LTPA _Y:f4("S\Mb\ LTPA cookie ax4&m*z#LTPA _Y:f&\

JmzDF_:X73B LTPA *aDT\#1!ivB,tC LTPA

_Y:f#g{;P_Y:fT53&\Dv?,r+4(BD LTPA

cookie "*?vsLC'ksS\#

dC LTPA _Y:fDN};Z webseald.conf dCD~D

[ltpa-cache] ZP#N}CZ8(_Y:fs!M_Y:fu?D,1

5#O$DP'ZMGn/,15IDFT\,+avSE")6Z

WebSEAL ZfPDgU#

N} hv

ltpa-cache-enabled tCM{C LTPA _Y:f&\#5|(

0yes1M0no1#1!5*0no1#

ltpa-cache-size hC_Y:f"PmJmDnsu?}#

hCK5T9|S|"PC'a0((}

LTPA *aCJ&CLr)De5}#O_

D5a9C|`Zf,+a5VOlDE

"CJ#?v_Y:fu?+{Ds< 50

VZ#1!5* 4096 vu?#


N} hv

ltpa-cache-entry-lifetime Nb_Y:fu?IT#tZ_Y:fP

Dn`1d(TkF),;<GGqn

/#_Y:fu?=Zs,,;C'DB

;ksh*4(B LDAP cookie#1!5*

3600 k#

ltpa-cache-entry-idle-timeout Gn/_Y:fu?IT#tZ_Y:f

PDn`1d(TkF)#1!5* 600

k#

LTPA %;"aD<u"M:

¶ \?D~|,XZX( WebSphere ~qwDE"#;v LTPA *a

X(Z;v WebSphere ~qw#g{+`v~qwmS=,;v*

ac,ryPD~qw<+2m,;v\?D~#

¶ *K9%;"aI&,WebSEAL M WebSphere ~qwXkT3V=

=2m,;"amE"#

¶ WebSphere ~qw:phC LTPA M4(2m\?#WebSEAL N

kf0*aM_Y:fdC#


&CLr/I

WebSEAL (}73d?M/, URL \&'VZ}=&CLr/I#

WebSEAL )973d?M HTTP 7D6',tCZ}=&CLr"y

ZM'zm]4PYw#mb,WebSEAL ITa)T/, URL(}g

G)|,i/D>D URL)DCJXF#

wbw}:

¶ :'V CGI `L;

¶ Z1773D:'VsK~qwK&CLr;

¶ Z1783D:tC/,LqJq;

¶ Z1813D:9((FvT/~q;

¶ Z1833D:a)T/, URL DCJXF;

¶ Z1903D:/, URL >}:Travel Kingdom;

'V CGI `L*K'V CGI `L,WebSEAL Zj<D CGI d?/PmSK 3 v=

S73d?#b)73d?ITIG)Z>X WebSEAL ~qwr*a

DsK~qwOKPD CGI &CLr9C#b)d?r CGI &CLr

a)X(Z Policy Director DC'"iM>$E"#

Z>X WebSEAL ~qwO,b)73d?IT/CZ CGI Lr#

8


IZ*aDZ}=~qwOKPD CGI &CLr9CD73d?GIS

WebSEAL +]=~qwD HTTP 7E"zzD#Xk9C –c !n4

4('V HTTP ksDX(Z Policy Director 7E"D*a,b) HTTP

ks+*+M=sK~qw#

m{Z1393D:Z HTTP 7Pa)M'zm](–c);#

d|X(Z Policy Director D73d?:

CGI 73d? hv

HTTP_IV_USER ks_D Policy Director C'JE{F#

HTTP_IV_GROUPS ks_ytD Policy Director i#8(*T:EV

tDiPm * ?i<(T+}E#

HTTP_IV_CREDS `kD;8w}]a9,m> Policy Director >

$#r6L~qwa)>$,byPdc&CLr

MIT9CZ( API wCZ(~q#kN< Policy

Director ADK Developer Reference#

>X WebSEAL ~qwOD REMOTE_USER d?:

Z\ WebSEAL XFD>X~qw73P,OfyPD HTTP_IV_USERd?D5Gw*j< REMOTE_USER d?D5a)D#k"b

REMOTE_USER d?I\ZKPZ*asK~qwOD CGI &CLr

73P2fZ#+ZbVivB,d5;\ WebSEAL XF#

CGI 73d? hv

REMOTE_USER |,k HTTP_IV_USER VN`,D5#

Windows:'V WIN32 73d?>Zv&CZ>X*a#

Windows ";T/X9dyP5373d?ICZg CGI &CLr.`

DxL#dMivB,*sD5373d?GfZD#


+G,g{ CGI 73P;fZNN*sD Windows 5373d?,r

IT(} webseald.conf dCD~w7X9|GICZ CGI Lr#(k

"b0;ZPa=D Policy Director 73d?ZyP=(P<T/I

C)#

+yPh*D Windows 5373d?mS= webseald.conf dCD~

D [cgi-environment-variables] ZP#9CTBq=:

ENV = <variable-name>

}g:

[cgi-environment-variables]
#ENV = SystemDrive
ENV = SystemRoot
ENV = PATH
ENV = LANG
ENV = LC_ALL
ENV = LC_CTYPE
ENV = LC_MESSAGES
ENV = LOCPATH
ENV = NLSPATH

CGI 73+LPyP4"MP#

'VsK~qwK&CLrWebSEAL 9a)TI4PzkD'V,Czkw*sK Web ~qwD

6k=i~KP#b`~qwKI4PzkD>}|(:

¶ Java !~qLr

¶ CZ Oracle Web l}wDP

¶ ~qwKe~

9C –c !n4(AsK~qwD*a1, WebSEAL +X(Z Policy

Director DM'zm]Mi1JqE"ekTC~qw*?DXDksD

HTTP 7#

X(Z Policy Director D HTTP 7E"9C*aDZ}=~qwOD&

CLrITyZM'zD Policy Director m]4PX(ZC'DYw#


WebSEAL a)TBX(Z Policy Director D HTTP 7:

X(Z PD D

HTTP 7VN

hv

iv-user = M'zDL{r${#g{M'z4O$(r4*),

r1!5*04O$1#

iv-groups = M'zytDiDPm#T:EVtD,}E}p4D

iPm8(#

iv-creds = `kD;8w}]a9,m> Policy Director >$#r6

L~qwa)>$,byPdc&CLrMIT9CZ

( API wCZ(~q#kN< Tivoli SecureWay Policy

Director Authorization ADK Developer Reference#

b) HTTP 7Iw*73d? HTTP_IV_USER"HTTP_IV_GROUPSM HTTP_IV_CREDS CZ CGI &CLr#TZd|G CGI &CLr

r\,*q!XZS HTTP ksi!7D8>E",kND`XDz7

D5#

m{Z1393D:Z HTTP 7Pa)M'zm](–c);#

tC/,LqJqLqs50doi(#h*2m+2Jq,ngoi}](ZLR=L

RX5P)rM'}](ZLR=M'X5P)#

¶ ;cJqGhva)~qD&CLryhE"DtT#K`tTD

>}|(M'J'E"MM'J%}]#

¶ 2+TJqGa)J4ksZ(P9CD8#Hu~DtT#K`

u~D>}|(C'5qG+"CJXF<xM(e3Woi-(

D5qfr#

(}grO$~q(CDAS)D)9,Policy Director a)KinDzF,

JmzZO$1T)9DjG/5tT+JqE"|,=C'>$P#

&CLrI1S9CZ( API S>$Pi!K}]#XZ5VK CDAS

)9Dx;=E",kN<6Tivoli Policy Director WebSEAL *"_N

<s+7#


S LDAP }]4(LqJqWebSEAL a)KX(DZCJqzF,Jmz+C'(eD9d LDAP

E"w*)9tTek=C'>$P#;sb)tTIEk+(}*a

"M=sK&CLr~qwDksD HTTP 7P#

¶ 4TC' LDAP "amJ'NNVNDIC'(eD9d}]+w*

C' Policy Director >$D)9tTmS#

¶ WebSEAL ;dC*S>$Pi!K}],"+}]Ek+(}

WebSEAL *a"M=sK~qwDksD HTTP 7P#

¶ sK&CLrIS7Pi!}],x;h*(EzkrZ( API#

+9dD LDAP E"ek= HTTP 7PD WebSEAL dC|,=v=

h:

1. ZG<1,S LDAP "amlw9d}]"+C}]ek=C'>$

P#

2. yZT*ahCDX(u~,S>$Pi!`&D}],"+|e

k(}*a"MDksD HTTP 7P#

+9d LDAP }]ek=>$P

P=V=(+9d LDAP C'}]Ek>$P:

1. Z pd.conf dCD~D [ldap-ext-cred-tags] ZP4(u?,b)

u?+X( LDAP }]3d=>$PDVN#

K=(+Z>ZPhv#

2. `4(F CDAS #i,C#i+C'(eDNN}]3d=>$PD

VN#

XZ5VK CDAS )9DE",kND6Tivoli Policy Director

WebSEAL *"_N<s+7#

zIT9C pd.conf dCD~D [ldap-ext-cred-tags] Z,+4T

LDAPinetOrgPerson Ts`DX(}]3d=C'>$PC'(eDtT

VN#CZPDN}_PTBq=:

<custom-credential-field> = <inetOrgPerson-field>


Z>$TmP,pd.conf dCD~P(eD?v custom-credential-field N

}D{F<TLo0tagvalue_1*0:#b;0:@9k>$PDd|

VPE"De;#}g:

4T inetOrgPerson Ts`D LDAP C'

}]:employeeNumber:09876

(F>$VN{: ldap-employee-number

[ldap-ext-cred-tags] ZPDN}u?:

ldap-employee-number = employeeNumber

C'>$PfEDu?M5:

tagvalue_ldap-employee-number:09876

¶ C&\*sC'(} LDAP C'{M\kxPO$#XktC

passwd-ldap O$zF#`k libldapauthn(ldapauthn)2mb,

TcZ pd.conf dCD~D [ldap-ext-cred-tags] ZPi4C'(

eD9d>$E"#

¶ LDAP }]I4T inetOrgPerson Ts`PDj<r(FVN#

¶ IZ [ldap-ext-cred-tags] ZPEk`vu?#

¶ ZDu?P8(DyPtT<+ZC'G<1Ek>$#

¶ LDAP tT{F;xVs!4#

¶ >$VN{FxVs!4#

+>$}]ek= HTTP 7P

Z0;BZP4(DC'(eD>$E"IEk(}*a"M=sK~

qwDksD HTTP 7P#KWN|,=vNq:

1. dC*aJmX(D9d>$}]#(}hC WebSEAL #$DTs

UdP*aTsDJ1)9tT,IjIKNq#

2. S>$Pi!`&D9dE","+}]ekksD HTTP 7P#

I(}9C*aTsD)9tT,4XFX(*a*sD>$}]Di

!#)9tTD{F* HTTP-Tag-Value#K)9tT9CTBq=:

<custom-credential-field>=<http-header-field>


custom-credential-field N}DvVk|Z pd.conf dCD~D

[ldap-ext-cred-tags] Zj+`,#;|,0tagvalue_10:#KN}

GxVs!4D#http-header-field N}8(KCZf"}]D HTTP 7

D{F#}g:

*aTsOD HTTP-Tag-Value )9t

T:

ldap-employee-number=employee-id

C'>$PR=Du?M5:

tagvalue_ldap-employee-number:09876

HTTP 7PfEDu?M5: employee-id:09876

1 WebSEAL +C'ks+]=sK&CLr~qw1,|+iRZ*

aTsOdCDNN HTTP-Tag-Value )9tT#

I9C pdadmin object modify set attribute |nT)9tTdC*

a:

pdadmin> object modify <obj-name> set attribute <attr-name> <attr-value>

}g:

pdadmin> object modify /WebSEAL/WS1/junctionA set attribute HTTP-Tag-Value ldap-employee-number=employee-id

I(}9C`v pdadmin object modify set attribute |n8(`v

HTTP-Tag-Value )9tT(?v|n8(;vtT),+`vC'tT

}]+]=*aD~qw#

9((FvT/~qWeb E'x>rt/3fG/ID Web >c~q,|G+/,XzI

TX(C'ICD Web J4(FPm#b)J4I|,2,Z]"'V

~qM'0$_#E'x>dvm>yZXbC'CJmI(DJ4D

vT/Pm#t/3fvT>C'_P}7CJmI(DG)J4#

I9C WebSEAL dC!nMZ( API Jq~qZ Policy Director 7

3P9((FE'x>bv=8#


9((F WebSEAL E'x>~qDxLw|,TBwn:

1. 4(\#$TsUdDX(xr,T(;E'x>J4Ts/#

2. +`&DT= ACL =S=?vJ4Ts#

3. `- WebSEAL dCD~,+ URL |,=E'x>~q"|,E'

x>J4DTsUd76MC'CJb)J4yhDmI(;#

4. TZ?vTE'x> URL DC'ks,WebSEAL 9C(^Jq~

q4QwKTsUd,"zIzcCC'Z(u~DJ4Pm#

5. WebSEAL +KE"EZ+"M=sK(*aD)E'x>~qwD

PD_PORTAL HTTP 7P#

6. ;ZsK~qwOD(FE'x>~q(}g CGI r!~qLr)A

! PD_PORTAL 7Z],"(}g)3db)Z]=+Z Web 3f

O*C'T>DhvM URL 4S#KE"m>yZCJXFmI(

TC'ICJ4DvT/Pm#

*vT/~qdC WebSEAL

1. 4(=vT/~qDB WebSEAL *a#}g:

pdadmin> server task <server-name> create -t tcp -h portalhost.abc.com /portal-jct

2. `- webseald.conf dCD~,mSBD [portal-map] Z:

[portal-map]

3. CZPDu?j6E'x>~qLrD~qw`X URL M*ICD

\#$E'x>J4QwDTsUd,.szfDGCJyhDm

I(#bGEZ PD_PORTAL 7PDPm#

[portal-map]
<URL> = <object-space-region>:<permission>

":Qw}LPv!q_PT=hC ACL(|,CC'mI(D%

d)DJ4Ts#

4. mSZM`&D3du?s,XkXBt/ WebSEAL(webseald)#


vT/~q>}

¶ 4(AE'x>~qwD*a:

pdadmin> server task webseald-WS1 create -t ssl -h PORTAL1 /portal

¶ (e WebSEAL \#$TsUdDxr,KUd|,TvT/~qI

CDJ4:

pdadmin> objectspace create /Resources "Portal Object Hierarchy" 10
pdadmin> object create /Resources/Content "" 10 ispolicyattachable yes
pdadmin> object create /Resources/Support "" 10 ispolicyattachable yes
pdadmin> object create /Resources/Content/CGI "" 11 ispolicyattachable yes
pdadmin> object create /Resources/Support/Servlet "" 11 ispolicyattachable yes

":TZ?vJ4,0 ispol icyat tachable1Td?XkhC*

0yes1#QwzFv!q_PT=hC ACL D^(J4Ts#

¶ WebSEAL dC(webseald.conf):

[portal-map]
/portal/servlet/PortalServlet = /Resources:r

¶ C'9CDE'x> URL:

https://WS1/portal/servlet/PortalServlet

a)T/, URL DCJXF

10 Web 733hC'TlY|DE"D"4CJ(#m` Web &C

LrZl&?vC'ks1/,XzI3;J4(;w(URL)#b)

/, URL I\;fZ\L1d#!\|G_PY1T,/, URL T;

h*?#$,T@9;k*D9CMCJ#

/, URL i~3)4SD Web &CLr$_9Cj< web /@w(} Web ~qw

D CGI SZk&CLr~qw(E#

yPb)$_<9C/, URL M~XDm%*XZksDYw(xPd

N}5)M&CLr~qw.d(E#/, URL 9CXZX(Yw0d


N}5DE")dj< URL X7# URL Di/V{.?V* Web &

CLrSZa)Yw"N}M5#

+ ACL Ts3dA/, URL

WebSEAL 9C\#$TsUd#MM_T#e(ACL)#$/,zID

URL,}gG)I}]bkszID URL#w*Z(xLDZ;=,?

v WebSEAL Dks<+bv*X(DTs#JCZTsD ACL f(

K3d=CTsDNN/, URL yhD#$#

r*/, URL vY1fZ,$dCDZ(_T}]bP;I\P|GD

u?#Policy Director (}a);V+m`/, URL 3d=%;2,\

#$TsDzFbvb;Jb#

STs=#=D3d#fZ?D>D~P:

/opt/PolicyDirector/www/lib/dynurl.conf

CD~D;C(`TZ~qwy?<)I webseald.conf dCD~D

[server] ZPD dynurl-map N}(e:

[server]
dynurl-map = lib/dynurl.conf

Xk4(KD~;1!ivB,CD~;fZ#CD~(xPu?)D

fZtC/, URL T\#

< 37. (} URL +}]+]= CGI xX


`-KD~I^Db)3d#D~Pu?Dq=G:

<object> <template>

Policy Director 9C UNIX bGLr#=%d(|((d{)DS/,

(e9ITsUdP;vTsDN}/#kG)N}%dDN;/,

URL <3d=CTs#

Policy Director 'VTB UNIX bGLr#=%dV{:

V{ hv

\ 41\sDV{GXbrPD;?V#}g, GFm{#2

ITwC**e{#

? %d%vV{D(d{#}g,V{.0abcde1kmo=

0ab?de1%d

* %dcvr`vV{D(d{#

[] (e;5PV{,I%d`v#}g,V{.0abcde1k

frmo=0ab[cty]de1%d#

^ 8>G{E#}g,mo= [^ab] k}0a1r0b1V{T

bDNbV{%d#

TB>}{vK4PEC=bi/D/, URL Dm%:

http://<server-name>/home-bank/owa/acct.bal?acc=<account-number>

m>K/, URL DTs+T>gB:

http://<server-name>/home-bank/owa/acct.bal?acc=*

P8liK>}PD/, URL,|T>KhvDX(JE#home-bank&J'acDTsT>,IZCu?(acc=*)Dns?V9C%dy

PV{DGE(d{, ACL mI(JCZNNJ'#

B<{vK3d=X(\#$TsDX(/, URL Dj{=8:


*/, URL |B WebSEAL

9C dynurl update |nI9C dynurl.conf dCD~P("Du?

|B WebSEAL \#$TsUd#

1. 4("`-r>} dynurl.conf dCD~PD/, URL u?#

2. xP|D.s,9C dynurl update |n|B~qw:

pdadmin> server task webseald-<server-name> dynurl update

server-name Td?m> WebSEAL zwD4^(Dwz{#

bvTsUdPD/, URL

bv/, URL A;vTs!vZ dynurl.conf dCD~Pu?D3r#

Z"T+/, URL 3d=Tsu?1,+S%AW(h dynurl.conf D

~PD3dPm,1=R=Z;v%d#=*9#ZR=Z;v%dD

#=s,+9C`&DTsu?xP.sDZ(li#

< 38. /, URL OZ(


g{R;=%dD#=,WebSEAL M9C URL >m,u%76D

http://<server> ?V#

k#Vkn\^FD ACL T&D3d&ZPmDOK#}g,g{z[

)%&CLrD book.sales }L+;^FZ;vi/cV?i,+z[

)%&CLrD#`?VITI+?C'CJ,r3d&4BmPT>

DNrEP:

TsUdu? URL #e

/ows/sales/bksale /ows/db-apps/owa/book.sales*

/ows/sales/general /ows/db-apps/owa/*

k"b,g{3du?&Zfr3r,/ows/db-apps/owa ?<Pf"D

+?}L<+3d* /ows/sales/general Ts#IZKmsDTsUd

bv,I\a<B2+T%f#

1+ URL }rmo=3d*TsUdu?1,URL &ICS GET =

(zzDq= * ^[}Z9C POST 9G GET =(#

Z}]+dD GET =(P,/,}](}g3vC'Zm%Pa)D}

])+=S= URL#

Z}]+dD POST =(P,ksDwePM|(K/,}]#

ACL @@

;)/, URL Qbv*TsUdu?,r+9Cj< ACL LP#M7

(Gq&&mr{9ks(IZX(;c)#

T POST ksdC^F

POST ksDZ]|,ZksweP#mb,POST ks9|,/@w(

eDZ]$H,"PvVZ5#

post-max-read


webseald.conf dCD~D [server] ZPD post-max-read N}^F

s POST ksZ WebSEAL OD0l,|G(}+*AkDVZ\?8

(*4T POST ksweDZ]4^FD#WebSEAL AkDZ]+\

=(^li,g>Z0Dyv#

1 P O S T k s C Z / , U R L & m r q=O$1, * < G

post-max-read N}5#1!5* 4096 VZ:

[server]
post-max-read = 4096

k"bKN}";^Fns POST Z]s!(|G;\^FD)#KN}

#$ WebSEAL,9.\b&ms!;OmD POST ks#

dynurl-allow-large-posts

!\ post-max-read N}^FK WebSEAL AM&mD POST Z]?,

+G|";j+@9ks+]=&CLr~qw#ZK=8P,4i$

DZ]++]=&CLr~qw#g{&CLr~qwTm;PZ(\

&,rKivI\a<B2+TgU#

dynurl-allow-large-posts N}JmzXF WebSEAL &m POST ks

(b)ksDZ]$HsZ post-max-read 8(D$H)D=(#g{

N}5hC*0no1(1!5),r WebSEAL +j+\xZ]$Hs

Z post-max-read 8($HDNN POST ks#

[server]
dynurl-allow-large-posts = no

gNN}5hC*0yes1,r WebSEAL +S\{v POST ks,+G

vi$k post-max-read 5`HDZ]?#

[server]
dynurl-allow-large-posts = yes

>} 1:

¶ SU=s POST ks(sZ post-max-read D5)#

¶ dynurl-allow-large-posts = no

¶ QtC/, URL#


¶ a{:{9ms{"#

>} 2:

¶ SU=s POST ks(sZ post-max-read D5)#

¶ dynurl-allow-large-posts = yes

¶ QtC/, URL#

¶ a{:WebSEAL +3d post-max-read 58(Dn`Z]?=T

sUdu?,"yZCTs4P(^li##BDZ]";3d=

TsUdu?,R;4PkKTs`X*D(^li#

¶ TB#e|,K}ps POST kssCD#=%dEPD`M:

/rtpi153/webapp/examples/HitCount\?*action=reset*

\aM<u"M\a:

¶ *dC WebSEAL T2+X&m/, URL,k4(TBD~:

/opt/PolicyDirector/www/lib/dynurl.conf

¶ D~Xk|,;Pr`PTBq=DZ]:

<object> <template>

¶ g{D~;fZ,r*U,r+;tC/, URL &\#

¶ D~&ms,Ts{F+w*SJ4Z WebSEAL TsUdPvV#

¶ #eI|,j<#=%dV{DS/##e2ITG;P#=%d

V{D-V{.#

TBy> dynurl.conf D~(eK}vTs,|Gm>w* IBM

WebSphere z7D;?VD;)y> Web &CLr:

Tsu? URL #e

/app_showconfig /rtpi153/webapp/examples/ShowConfig*

/app_snoop /rtpi153/servlet/snoop

/app_snoop /rtpi025/servlet/snoop

/app_hitcount/ejb /rtpi153/webapp/examples/HitCount\?source=EJB

/app_hitcount /rtpi153/webapp/examples/HitCount*


<u"M:

¶ I+`v URL #e3d=,;Ts(}g,app_snoop 3d=v;

,~qwOD URL)#

¶ TsI6W(}g app_hitcount M app_hitcount/ejb)#

¶ xk URL ks+4US%?=W?D3r,k#exPHO#g{

R=%d,r&m#9#rK,k+^FTO?D#eEZD~%

?#

¶ *$n dynurl.conf D~PD(e,I"v dynurl update |n

(9C pdadmin server task)#

+"4"z|B;Z"B\#$TsUdS<1,Web Portal Manager

P+vVb)Ts#

¶ Ts{Pk\b9Cs4V{#v9C!4V{#

¶ k;*9C\#$TsUdPQ-fZDTs{#

¶ Z>} dynurl.conf D~PDTs.0,k}%=SACTsDNN

ACL#

/, URL >}:Travel Kingdom

TB>}{vKs5Z?xgN#$I0Oracle Web l}w1zID

URL#

>>}P9CD/, URL Web ~qwG0Oracle Web l}w1#K<

u,yIT&CZd| URL Web ~qw#

&CLrTravel Kingdom G;vi/,|(}rXxrM'za)CN$)~q#

b;5qrcZ Web ~qwOYw=v Oracle }]b&CLr * I

S+>@p=Z?M(}rXxxPCJ#

1. CN$)53


qZ(DKMITxP6L$),"i/{GD10$)#Travel

Kingdom $wK1IT*g0KMxP$)"&md|M4Pm`d

|Bq#IZb?KMCEC('6~q,CE"D+dXk\O

q#$#

2. \m\mw

kd|s`}+>`F,Travel Kingdom ,$D\m}]b|,=

."0;MDzE"#K}]9xP?v+>I1DU,#

SZdC0Oracle Web ~qw1a)T}]bPTBf"}LDCJ(:

/db-apps/owa/tr.browse 3hyPC'i/XZCN?DX"[qH

HD\&#

/db-apps/owa/tr.book CZxP$)(CNzmK1rqO$DK

M)#

/db-apps/owa/tr.change CZ4ir_|D10$)#

/db-apps/owa/admin.browse CZCNN$wK1i4G^FDK1E

",}g)9E,gSJ~X7MU,#

/db-apps/owa/admin.resume 3h$wK1i4r|D\m}]bP{G

T:DrzE"D\&#

/db-apps/owa/admin.update I\mK1CZ|BPX$wK1DE"#

Web Uda9

WebSEAL ~qwCZ* Travel Kingdom D3; Web Uda)2+S

Z#

¶ ("KT,1KPCN$)&CLrM\m&CLrD0Oracle Web

~qw1D*a(/ows)#

2+T_T*Kr Web J4a)J1D2+T,,1#tWZ9CD53,C5q

Q-("KTB2+T?j:

1. CNzmK1TyP$)_Pj+XF(#

2. qO$DKMIT4(M|D{GT:D$),+;\I$d|q

O$KMDCN}]#


3. \m$wK1TyP\mE"_Pj+CJ(#

4. }\m?ETbDd| Travel Kingdom $wK1<IT|D{GT

:DrzE","i4d|$wK1D?VE"#

TsUd3dD/, URL*jIOv2+T?j,h*dCS/, URL = ACL Tsu?D3

d,gBmy>#

kG!,Tb)3dxPErG5V0f2=D2+T?jDX*?

V#

TsUdu? URL #=

/ows/tr/browse /ows/db-apps/owa/tr.browse\?dest=*&date=??/??/????

/ows/tr/auth /ows/db-apps/owa/tr.book\?dest=*&depart=??/??/????&return=??/??/????

/ows/tr/auth /ows/db-apps/owa/tr.change

/ows/admin/forall /ows/db-apps/owa/admin.resume

/ows/admin/forall /ows/db-apps/owa/admin.browse\?empid=[th]???

/ows/admin/auth /ows/db-apps/owa/admin.update\?empid=????

2+M'zM'z(}2+"S\D(@T WebSEAL xPO$#

k*9C Web SZDKM9Xkr Travel Kingdom Web \m1"a,

TSUJ'#

J'Mia9

Z53O4( 4 vi:

Staff Travel Kingdom i/DI1#

TKStaff Travel Kingdom CNzmK#

AdminStaff Travel Kingdom \m?EDK1#k"b\m$wK1

2Z Staff iP#

Customer k*(}rXxxPCN$)D Travel Kingdom DK

M#


r?vC'3h2+rPD;vJ',byMII WebSEAL ~qw%

@j6#C'm]2++]=0Oracle Web ~qw1,Ta)+? Web

J4D%;"abv=8#

CJXF

BmPvK&C0fDE"szzDCJXF:

/ows/tr/browse 4O$ Tr +O$ Tr

/ows/tr/auth 4O$ - +O$ - i TKStaff Tr i

Customer PTr

/ows/admin/forall 4O$ - +O$ - i Staff Tr

/ows/admin/auth 4O$ - +O$ - i AdminStaff Tr

}KKMXkTE"S\(#\TmI()Tb,KMM TKStaff T$)

MCNF.,$Ts_P`,DX(,SxZ(};IEDrXxa;

tP}](}gEC(E")13hKMx;=D2+T#

a[Kr%>}{vK?p_PTB\&D53DEn:

¶ #$tPE"

¶ O$C'

¶ Z(CJtPE"

mb,WebSEAL ~qwM Oracle Web ~qw<*@53DqO$C'

Dm],Rb)m]ICZa)IsF"%;"abv=8#


webseald.conf N<

webseald.conf dCD~

`pMZ:

¶ WEBSEAL GENERAL

[server]

¶ LDAP

[ldap]

¶ SSL

[ssl]

¶ JUNCTION

[junction]

[filter-url]

[filter-schemes]

[script-filtering]

[gso-cache]

[ltpa-cache]

¶ AUTHENTICATION

[ba]

[forms]

[token]


[certificate]

[http-headers]

[auth-headers]

[ipaddr]

[authentication-levels]

[mpa]

[cdsso]

[cdsso-peers]

[failover]

[e-community-sso]

[inter-domain-keys]

[authentication-mechanisms]

[ssl-qop]

[ssl-qop-mgmt-hosts]

[ssl-qop-mgmt-networks]

[ssl-qop-mgmt-default]

¶ SESSION

[session]

¶ CONTENT

[content]

[acnt-mgt]

[cgi]

[cgi-types]

[cgi-environment-variables]

[content-index-icons]

[icons]

[content-cache]

[content-mime-types]

[content-encodings]


¶ LOGGING

[logging]

¶ AUTHORIZATION API

[aznapi-configuration]

[aznapi-entitlement-services]

¶ POLICY DIRECTOR

[policy-director]

[manager]

WEBSEAL GENERAL

N} hv

[server] Z

SYSTEM

unix-user WebSEAL ~qwD UNIX C'J'#

unix-group WebSEAL ~qwD UNIX iJ'#

unix-pid-file PID D~D;C#

server-root WebSEAL ~qwDy?<#

server-name WebSEAL ~qw5}{F#

THREADS AND CONNECTIONS

worker-threads WebSEAL $wLr_LD}?#

client-connect-timeout u<M'z,S,1#

persistent-con-timeout HTTP/1.1 VC,S,1#

HTTPS CLIENT

https Jm HTTPS CJ#

https-port CZ2+ HTTPS ksDKZ#

HTTP CLIENT

http JmG2+ HTTP(TCP)CJ#

http-port CZG2+ HTTP ksDKZ#

POST REQUESTS

post-max-read *S POST ksweAk(w*Z])Dns

VZ}#

DYNURL

dynurl-map URL *\#$Ts3dD~D;C#


dynurl-allow-large-posts + WebSEAL \;A!D POST ks}^F

Z post-max-read 8(D}?.Z#

URI HANDLING

utf8-url-support-enabled

LDAP

N} hv

[ldap] Z

ldap-server-config ldap.conf dCD~D;C(ZdCZdh

C)#

cache-enabled tCM{C>X LDAP _Y:f#

prefer-readwrite-server Jm!qI4D LDAP ~qw(IC1)#

auth-using-compare Jm9CHO\kYwx;G LDAP s(4

xP|lDO$li#

default-policy-override-support li1!_TrX(ZC'D_T#

user-and-group-in-same-suffix QwT\#m>ikC'GC`,D LDAP

s:(eD#

ssl-enabled * WebSEAL A LDAP (EtCM{C

SSL#

ssl-keyfile SSL \?D~D;C#

ssl-keyfile-dn SSL \?D~PD$ij)(g{P)#

ssl-keyfile-pwd SSL \?D~\k#

bind-dn WebSEAL X$LrD(P{F(ZdCZd

hC)#

bind-pwd WebSEAL X$LrD\k(ZdCZdh

C)#

enabled

host

port

SSL

N} hv

[ssl] Z


webseal-cert-keyfile 3v\?D~D;C,CD~|, WebSEAL

-L SSL a01"M=/@wD~qw$

i#

webseal-cert-keyfile-pwd WebSEAL $i(C\?\k#

webseal-cert-keyfile-stash WebSEAL (C\?\kf"D~D;C#

webseal-cert-keyfile-label *9CD WebSEAL $iG1!{F#

ssl-keyfile CZZ?(ED WebSEAL $i\?D~D;

C#

ssl-keyfile-pwd WebSEAL $i(C\?\k(CZZ?(

E)#

ssl-keyfile-stash WebSEAL (C\?\kf"D~D;C(C

ZZ?(E)#

ssl-keyfile-label *9CD$iG1!{F(CZZ?(E)#

disable-ssl-v2 !qTX{C SSL V2 'V#

disable-ssl-v3 !qTX{C SSL V3 'V#

disable-tls-v1 !qTX{C TLS V1 'V#

ssl-v2-timeout SSL V2 ,SD GSKit _Y:fa0j6,

1#

ssl-v3-timeout SSL V3 ,SD GSKit _Y:fa0j6,

1#

ssl-max-entries GSKit SSL a0j6_Y:fPDns""u

?}#

ssl-ldap-server CZ CRL liD LDAP ~qw#

ssl-ldap-server-port K LDAP ~qw*xP CRL lixl}1y

ZDKZE#

ssl-ldap-user LDAP ~qwD\mC'#

ssl-ldap-user-password LDAP ~qwD\mC'D\k#

ssl-auto-refresh

ssl-listening-port

ssl-pwd-life

ssl-authn-type


JUNCTION

N} hv

[junction] Z

junction-db *a}]bD;C#

jmt-map *a * ks3dm(JMT)D;C#

http-timeout ryZ TCP D*a"MMSC*aA!1

yCD,1#

https-timeout ryZ SSL D*a"MMSC*aA!1

yCD,1#

ping-time WebSEAL * Q*a~qw ping }LD1

ddt#

basicauth-dummy-passwd (}0-b supply1*aa)y>O$}]1

D+V\k#

worker-thread-hard-limit *X(*a&mksD$wLr_L\}

DYVH#

worker-thread-soft-limit *X(*a&mksD$wLr_L\}

DYVH#

io-buffer-size S*aA!M4k*ayCD:exs

!#

DOCUMENT FILTERING

[filter-url] Z

<tag> = <attribute> WebSEAL ZQ*a~qwDl&P}KD

URL tT#

[filter-schemes] Z

scheme = <scheme-name> WebSEAL ZQ*a~qwDl&P}KD

URL #=DPm#

[script-filtering] Z

script-filter tCM{CT*aD~qwOE>DxT

URL D}K#

GSO CACHE

[gso-cache] Z

gso-cache-enabled tCM{C GSO _Y:f#

gso-cache-size GSO _Y:fPDu?}#

gso-cache-entry-lifetime GSO _Y:fu?Dn$P'Z#

gso-cache-entry-idle-timeout Gn/ GSO _Y:fu?Dn$P'Z#

LTPA CACHE


[ltpa-cache] Z

ltpa-cache-enabled tCM{C LTPA _Y:f#

ltpa-cache-size LTPA _Y:fPDu?}#

ltpa-cache-entry-lifetime LTPA _Y:fu?Dn$P'Z#

ltpa-cache-entry-idle-timeout Gn/ LTPA _Y:fu?Dn$P'

Z#

AUTHENTICATION

N} hv

BASIC AUTHENTICATION

[ba] Z

ba-auth tCM{Cy>O$zF#

basic-auth-realm Z/@w BA G<a>{PT>Dr{F#

FORMS

[forms] Z

forms-auth tCM{C9Cm%O$#

TOKEN

[token] Z

token-auth tCM{C9CjG(PzkO$#

CERTIFICATE

[certificate] Z

accept-client-certs dC WebSEAL M'zK$i&m#

HTTP HEADERS

[http-headers] Z

http-headers-auth tCM{C9C HTTP 7O$#

[auth-headers] Z

header CZO$DX( HTTP 7#

IP ADDRESS

[ipaddr] Z

ipaddr-auth tCM{C9C IP X7E"O$#

STEP UP

[authentication-levels] Z


level = unauthenticated level = password

]}O$dC#

MULTIPLEXING PROXY AGENTS

[mpa] Z

mpa tCM{CT(}`74C/PzmxPO

$D'V#

CDSSO

[cdsso] Z

cdsso-auth tCM{C9C CDSSO jGO$#

authtoken-lifetime CDSSO O$jGDnsP'Z5#

[cdsso-peers] Z

<machine-name> = <keyfile-location>

Nh CDSSO DTHr#

FAILOVER

[failover] Z

failover-auth tCM{CS\JO*F cookie#

failover-cookies-keyfile I cdsso_key_gen zID cookie S\\?

D;C(xT76{)#

failover-cookie-lifetime JO*F cookie Z]P'D1d^F#

enable-failover-cookie-for-domain

+JO*F cookie `MSX(Z~qwD

cookie |D*X(ZrD cookie#

e-COMMUNITY SSO

[e-community-sso] Z

e-community-sso-auth tCM{CgSgx SSO#

e-community-name vVZ0$51jGMksPDgSgx{

F#

intra-domain-key CZ#$ DNS rP WebSEAL 5}.d(E

D\?D~D;C#

is-master-authn-server +>Xzw8(*w WebSEAL O$~qw#

master-authn-server w WebSEAL O$~qw(g{;G>Xz

w)D{F#

master-http-port wO$~qwl}1yZDGj< HTTP K

Z#


master-https-port wO$~qwl}1yZDGj< HTTPS K

Z#

vf-token-lifetime 0$51jGP'Z5#

vf-url 0$51URL#

ec-cookie-lifetime gSgx cookie P'Z5#

[inter-domain-keys] Z

<domain-name> = <keyfile> NkgSgxDd|rD\?D~#

AUTHENTICATION MECHANISMS AND LIBRARIES

[authentication-mechanisms] Z

passwd-cdas passwd-ldap passwd-uraf token-cdas cert-ssl cert-cdas http-request cdsso passwd-strength cred-ext-attrs

\'VDO$zFMX*D2mbDPm#

SSL QUALITY OF PROTECTION MANAGEMENT

[ssl-qop] Z

ssl-qop-mgmt tCM{C#$6p\m#

[ssl-qop-mgmt-hosts] Z

<ip-address> %@wzD QOP S\6p#

[ssl-qop-mgmt-networks] Z

<ip-address/mask> %@xgD QOP S\6p#

[ssl-qop-mgmt-default] Z

default yPd|;%dD IP X7D1! QOP S\

6p#

SESSION

N} hv

[session] Z

max-entries WebSEAL >$/a0_Y:fPDns""

u?}#

timeout WebSEAL >$/a0_Y:fPu?Dn$

P'Z#


inactive-timeout WebSEAL >$_Y:fPGn/u?DP'

Z#

SSL CLIENT SESSIONS

ssl-id-sessions 9C SSL j6,$ HTTPS G<a0#

SHARING SESSIONS

use-same-session TZ HTTP M HTTPS .dP;DM'z9C

`,Da0j6#

SENDING SESSION COOKIES

resend-webseal-cookies Z?Nl&M'z1"MNbQdCa0M

JO*F cookie#

CONTENT

N} hv

[content] Z

LOCAL DIRECTORIES AND FILES

doc-root Web D5wDy?<#

directory-index ?<w}D~D{F#

delete-trash-dir \m1>}DD~DY1,xd?<#

LOCAL USER DIRECTORIES

user-dir ?<G|,+2 HTML D5DC'w?<

w#

ERROR PAGES

error-dir |, WebSEAL mshvD~D?<#

ACCOUNT MANAGEMENT PAGES

[acnt-mgt] Z

mgt-pages-root J'\m3fDy?<#

login j<G<m%D{F#

logout I&"zsT>D3f{F#

account-locked O$rx(DJ'x'\1T>D3fD{

F#

passwd-expired O$r''\kx'\1T>D3fD{

F#

passwd-change |DD\km%D{F#


passwd-change-success \k|DksI&1T>D3fD{F#

passwd-change-failure \k|Dks'\1T>D3fD{F#

help |,P'\m3fD4SD3fD{F#

token-login jGG<m%D{F#

next-token B;vjGm%D{F#

stepup-login ]}O$G<m%D{F#

LOCAL CGI

[cgi] Z

cgi-timeout 4kS CGI xLMSS CGI xLA!1yC

D,15#

[cgi-types] Z

bat = cmd cmd = cmd pl = perl sh = sh tcl = tclsh76

8((T Win32 ~qw)TXb CGI D~)

9{4PDLr#

[cgi-environment-variables] Z

ENV +I CGI LrLPD73d?#

ICONS

[content-index-icons] Z

image/* video/* audio/* text/html

text/* application/x-tar

application/*

8(?<w}I WebSEAL zI1(1;P

index.html 1"zbViv)*9CD<N<

j#

[icons] Z

diricon CZS?<D<j#

backicon CZ8?<D<j#

unknownicon CZ4*D~`MD<j#

DOCUMENT CACHING

[content-cache] Z

text/html image/* */* (e WebSEAL f"ZZfPDX(D5

MIME `MD_Y:f`MMs!#

MIME TYPES

[content-mime-types] Z

<extension> = <type> (eX(D5)9{D MIME `M#

deftype D5`M4Z3dmPPv1*9CD1!

MIME `M#

CONTENT ENCODINGS


[content-encodings] Z

gz Z +D5)9{3d*'VZ]`kD/@w

D;V`k`M#

LOGGING

N} hv

[logging] Z

server-log ~qwmsU>D~D;C#

max-size HTTP U>DU>D~*fP5#

flush-time HTTP U>D~:exD"B5J#

requests tCM{C HTTP ksU>#

requests-file HTTP ksU>D;C#

referers tCM{C HTTP N<E"U>#

referers-file HTTP N<E"U>D;C#

agents tCM{C HTTP zmU>#

agents-file HTTP zmU>D;C#

gmt-time T GMT 1dx;G>X1xG<ks#

AUTHORIZATION API

N} hv

[aznapi-configuration] Z

db-file >XM'zD_T}]b_Y:fD~D;

C#

cache-refresh-interval (e|B(V/)wZ(~qwDli1d

dt#

listen-flags tCM{CSU_T_Y:f|B(*Dj

>#

tcp-port l}wD TCP KZ#

udp-port l}wD UDP KZ#

AUTHORIZATION API LOGGING

logclientid=webseald

logsize \msFU>DU>D~*fP5#

logflush \msFU>D~:exD"B5J#


logaudit tCM{CsF#

auditlog sFU>D;C#

auditcfg = azn 6qZ(B~#

auditcfg = authn 6qO$B~#

auditcfg = wand 6q WebSEAL B~#

AZNAPI SERVICE DEFINITIONS

<service-id>

mode

azn-server-name

pd-user-name

[aznapi-entitlement-services] Z

AZN_ENT_EXT_ATTR

POLICY DIRECTOR

N} hv

[policy-director] Z

config-file pd.conf dCD~D;C#

[manager] Z

master-host

master-port

master-dn


WebSEAL *aN<

pdadmin 5CLra);%=|nPa>{,ITSCa>{4P

WebSEAL *aNq#

wbw}:

¶ :9C0pdadmin server task14(*a;

¶ Z2113D:*a|n;

¶ Z2123D:*u<~qw4(B*a;

¶ Z2143D:+=S~qwmS=VPD*a;

9C0pdadmin server task14(*a

Z9C pdadmin 0,zXkw* sec_master \mC'G<=2+r#

}g:

UNIX:

# pdadmin
pdadmin> login
Enter User ID: sec_master
Enter Password:
pdadmin>

Windows:


MSDOS> pdadmin
pdadmin> login
Enter User ID: sec_master
Enter Password:
pdadmin>

r_,9C_PTB!nD%|nPqC`,a{:

# pdadmin -a sec_master -p <password>
pdadmin>

*4( WebSEAL *a,k9C pdadmin server task |n:

pdadmin> server task <server-name> <task>

server-name Td?G5Jzw{FMC|n9CD Policy Director i~

(}g WebSEAL)Dj+mo=#

<policy-director-component>-<machine-name>

}g,g{zw{F* cruz R Policy Director i~* WebSEAL,r

server-name *:

webseald-cruz

9C server list |ni$ server-name mo=:

pdadmin> server list
webseald-cruz

4(y> WebSEAL *aDXh|n!n|(:

¶ sK&CLr~qwDwz{(–h !n)

¶ *a`M * tcp"ssl"tcpproxy"sslproxy M local(–t !n)

¶ *ac(20c)

pdadmin> server task <server-name> create –t <type> –h <host-name> <jct-point>


*a|n

TB*a|nT pdadmin server task IC:

|n hv

create *u<~qw4(B*a#

add +=S~qwmS=VPD*ac#

remove S*ac}%~qw#

o(:remove –i <server-id> <junction-point>

9C show |nI7(Xb~qwDj6#

delete }%*ac#

o(:delete <junction-point>

list PvK~qwODyP*ac#

o(:list

show T>*aDj8E"#

o(:show <junction-point>

jmt load jmt clear jmt load |n* WebSEAL a)*a3dm}]

(jmt.conf),IXF&m/,zID~qw`T

URL#

jmt clear |nrS WebSEAL }%*a3dm}]#

help Pv*a|n#

o(:help

help <command> T>XZX(*a|nDj8oz#

exit Kv pdadmin 5CLr#

o(:exit

b)|n0X*D!n+ZTBwZP[v#


*u<~qw4(B*a

Yw:4(B*ac,"*au<~qw#

o(:

create –t <type> –h <host-name> [<options>] <junction-point>

*a`M

–t <type> ** Xh **

* a ` M # t c p " s s l "

tcpproxy"sslproxy"local .;#

–t tcp D1!KZ* 80#–t ssl D1!KZ*

443#

wz{

–h <host-name> ** Xh **

?jsK~qwD DNS wz{r IP X7#

!n

(} SSL D`%O$

–K <key-label> WebSEAL 9CM'z$iTsK~qwxPO

$#

–B WebSEAL 9C BA 7E"TsK~qwxP

O$#*s –U"–W M –b filter !n#

–U <“username”> WebSEAL C'{#k –B ;p9CI+ BA

7E""M=sK~qw#

–W <“password”> WebSEAL \k#k –B ;p9CI+ BA 7

E""M=sK~qw#

–D <“DN”> 8( s K ~ q w$iD ( P { F

(Distinguished Name)#K5k5JD$i DN

`%d,v?KO$#

zm*a!n(h* –t tcpproxy r –t sslproxy)

–H <host-name> zm~qwD DNS wz{r IP X7#

–P <port> zm~qwD TCP KZ#

a) BA 7E"


–b <BA-value> (e WebSEAL ~qwgN+ HTTP BA O$

E"+]=sK~qw#*BP5.;:

filter(1!)"ignore"supply"gso

#C TCP M SSL *a!n

–c <id-types> + Policy Director M'zm]ek{v HTTP

7PD HTTP 7#id-types Td?I|,TB

Policy Director HTTP 7`MDNbiO:

iv-user"iv-user-l"iv-groups"iv-creds M all#

–i WebSEAL ~qw&m URL 1G;xVs!4

D#

–j a) cookie PD*aj6,&mE>zID~

qw`T URL#

–k "Ma0 cookie AsKE'x>~qw#

–p <port> sKZ}=~qwD TCP KZ#TZ TCP *

a,1!5* 80;TZ SSL *a,1!5*

443#

–q <url> query_contents E>D`T URL#Policy

Director Z /cgi_bin/ PiR query_contents#

g{K?<;,r query_contents D~QX

|{,9CK!nIr WebSEAL 8>D~D

B URL#

–r +dkD IP X7ek{v*aPD HTTP

7#

–s 8(*a&'V4,#f&CLr#1!iv

B,*a;G4,#fD#

–T <resource/resource-group>

GSO J4rJ4iD{F#T –b gso !nG

XhD,2;k -b gso !n;p9C#

–u <UUID> 8((}4,#fac(–s)k WebSEAL ,

SDsK~qwD UUID#


–v <virt-host-name> sK~qwOyzmDibwz{#K!n'

VsK~qwODibwzhC#

1sK*a~qwh*wz{D71,k9C

–v,r*b1z}Z*aC~qwD;vib

5}#/@wD1! HTTP 7ks";*@s

K~qw_P`v{FM`vib~qw#X

kdC WebSEAL ZTsK~qw(QhC*

ibwz)*?DXDksPa)nbD7E

"#

–w Win32 D~53'V#

LTPA *a

–A tCM{C LTPA *a#

–F <“keyfile”> C4S\ LTPA cookie }]D\?D~D;

C#

–Z <“keyfile-password”>

\?D~D\k

WebSEAL * WebSEAL D SSL *a

–C 0K WebSEAL ~qwksK WebSEAL ~q

w.d(} SSL `%O$#*sP –t ssl r

–t sslproxy `M#

>X*a!n(k –t local ;p9C)

–d <dir> *aD>X?<#** Xh#**

–f ?Ff;VPD*a#

*ac

WebSEAL {FUdP*4(*aD;C#

+=S~qwmS=VPD*a

Yw:+=S~qwmS=VPD*ac#

o(:

add –h <host-name> [<options>] <junction-point>

wz{


–h <host-name> ** Xh **

?jsK~qwD DNS wz{r IP X7#

!n

(} SSL D`%O$

–D <“DN”> 8(sK~qw$iD(P{F#K5k5J

D$i DN `%d,v?KO$#

zm*a!n(ZP –t tcpproxy M –t sslproxy 1GXhD)

–H <host-name> zm~qwD DNS wz{r IP X7#

–P <port> zm~qwD TCP KZ#

#C TCP M SSL *a!n

–i WebSEAL ~qw&m URL 1G;xVs!4

D#

–j a) cookie PD*aj6,&mE>zID~

qw`T URL#

–p <port> sKZ}=~qwD TCP KZ#TZ TCP *

a,1!5* 80;TZ SSL *a,1!5*

443#

–q <url> query_contents E>D`T URL#Policy

Director Z /cgi_bin/ PiR query_contents#

g{K?<;,r query_contents D~QX

|{,9CK!nIr WebSEAL 8>D~D

B URL#

–u <UUID> 8((}4,#fac(–s)k WebSEAL ,

SDsK~qwD UUID#

–v <virt-host-name> sK~qwOyzmDibwz{#K!n'

VsK~qwODibwzhC#

1sK*a~qwh*wz{D71,k9C

–v,r*b1z}Z*aC~qwD;vib

5}#/@wD1! HTTP 7ks";*@s

K~qw_P`v{FM`vib~qw#X

kdC WebSEAL ZTsK~qw(QhC*

ibwz)*?DXDksPa)nbD7E

"#

–w Win32 D~53'V#

*ac

+~qwmS=KVPD*ac#


9C iKeyman \m$i

iKeyman 5CLrG;V$_,IC4\m}V$i#9C iKeyman,

IT4(B\?}]b"BbT}V$i,+ CA root mS=}]b,

+$iS;v}]b4F=m;v}]b,r CA ksMSU}V$i,

hC1!\?M|D\k#

iKeyman 5CLrG Policy Director a)D Global Security

Kit(GSKit)m~|D?~#

wbw}:

¶ Z2183D:t/ iKeyman 5CLr;

¶ Z2193D:r*1! WebSEAL \?}]b;

¶ Z2213D:4(B\?}]b;

¶ Z2233D:4(BT)}V$i;

¶ Z2253D:mSBy CA $i;

¶ Z2253D:>}y CA $i;

¶ Z2263D:Z}]bd4F$i;

¶ Z2303D:ks~qw$i;

¶ Z2313D:SU}V$i;

¶ Z2323D:>}}V$i;

¶ Z2323D:8(B1!$i;


¶ Z2333D:|D}]b\k;

t/ iKeyman 5CLrSYw53|nPa>{t/ iKeyman 5CLr:

Windows:

MSDOS> /Program Files/IBM/gsk4/bin/gsk4ikm.exe

UNIX:

# /usr/bin/gsk4ikm

vV0IBM \?\m10Z#

< 39. 0IBM \?\m10Z


r*1! WebSEAL \?}]b\?}]b|,~qwMM'zK$i0 WebSEAL &myZ$iDO

$yhDy CA $i#

201,WebSEAL a)1!$i\?}]b(pdsrv.kdb)#\?D~|

,1! WebSEAL $i(\?j) = Policy Director)MI)!qD+

2y CA $i#

*r*1! WebSEAL \?}]b,kq-b)=h:

1. S0IBM \?\m10Z,Z0\?}]bD~1K%!q0r*1#

2. S0r*1/@0Z,/@TB?<:

UNIX: /opt/PolicyDirector/lib/certs

Windows: C:\Program Files\Tivoli\Policy Director\lib\certs

3. !q:

pdsrv.kdb

4. %w0r*1#

vV0\ka>1T0r#

5. dk1! WebSEAL \k:

pdsrv

6. %w07(1#

}]bE"2k\m0Z#

k"b0vK$i10ZPvV1! WebSEAL $i#$iD\?j)

G “Policy Director”#Kj)s`vVGErj>C$i*1!$i#

kNDZ2203D<40#

+$i!nB-K%S0vK$i1|D*0){_$i1#vV+2

yO$PD(CA)$iDPm#

kNDZ2203D<41#


< 40. 1! WebSEAL pdsrv.kdb \?D~:WebSEAL $i

< 41. 1! WebSEAL pdsrv.kdb \?D~:){_$i


4(B\?}]b\?}]b|,~qwMM'zK$i0 WebSEAL &myZ$iDO

$yhDy CA $i#

201,WebSEAL a)1!$i\?}]b(pdsrv.kdb)#\?D~|

,1! WebSEAL $i(\?j) = Policy Director)MI)!qD+

2y CA $i#

ITLx9CK1!\?}]b,r_4(B}]b#g{4(B}]

b"#{ WebSEAL +C}]bw*1!}]b9C,rXk(*

WebSEAL,bI(}dC secmgrd.conf D~PD ssl-keyfile N}4

xP#kNDZ373D:dC WebSEAL D\?}]bN};#

*4(B\?}]bD~,kq-b)=h:

1. S0IBM \?\m10Z,Z0\?}]bD~1K%!q0B

(1#

vV0B(1T0r#

2. Z0\?}]b`M1VN!q0CMS \?}]bD~1#

3. dk0D~{1,}g key.kdb#

4. S\0;C1VND1!5,rdkCVNDB5,r9C0/

@14%!qB5#

< 42. 0B(1T0r


5. %w07(1#

vV0\ka>10Z#

6. Z0\k1VNdk\k,"Z07O\k1VNPYNdkC\

k#

7. (I!)!P0hC''1d14!r,"dkJ1D5#

8. (I!)!P0+\kf"=D~14!r#

f"D~|,TB)9{:.sth

Xkr WebSEAL (*bvBf"D~,bI(}dC

secmgrd.conf dCD~PD ssl-keyfile-stash N}4xP#

kNDZ373D:dC WebSEAL D\?}]bN};#

9. %w07(1#

vV07O10Z,C0Zi$zGqQ-4(B\?}]b#

10. %w07(1#

zQ-I&4(B\?}]b#XBvV0IBM \?\m10Z#

VZD0IBM \?\m10Z43KzDB\?D~{,"T>){_

$i#

TB){_}V$iGI iKeyman a)D:

¶ RSA Secure Server CA

¶ Thawte Personal Premium CA

¶ Thawte Personal Freemail CA

¶ Thawte Personal Basic CA

¶ Thawte Premium Server CA

¶ Thawte Server CA

¶ VeriSign Class 1 Public Primary CA

¶ VeriSign Class 2 Public Primary CA

¶ VeriSign Class 3 Public Primary CA

¶ VeriSign Test CA Root Certificate


b)){_}V$iGQ("DO$PD(CA)Dy$i#WebSEAL 9

Cb)y$ii$M'zK$i#

g{h*9C4ZKPmPvVD){_$i,rXkr CA ksC$

i,"+dmS=\?}]b#

kNDZ2253D:mSBy CA $i;#

":VeriSign Test CA Root Certificate GIEHOMD CA,+d|(

ZZG*KCZbT#&Z+\?}]b`Ekzz&CLr.0

}%bvy#

B}]b9h*|( CA )pD~qw$i,by WebSEAL MIT+

TmTM'zrd|~qwO$#K$iGf"Z0\m10ZD0v

K$i1?VD#

kNDZ2303D:ks~qw$i;#

kNDZ2313D:SU}V$i;#

4(BT)}V$i

*"zz&CLr1,zI\kZjIz7DbT.sYCf5D}V

$i4P$iO$#9C iKeyman,IT4(CZbTDT)}V$

i#T)}V$iGz"xT:DY1}V$i(TTm* CA)#

":;*"<xPT)}V$iDzz&CLr;;P/@wrM'z

\;6pzD~qwr2+Xk.(E#

201,WebSEAL a)F* “Policy Director” DT)$i#IT+K$

iCZbT,r_IT4(BT)$i#

*4(BDT)}V$i,kq-b)=h:

1. 9C iKeyman r* pdsrv.kdb \?D~,rr*m;v(F\?D

~#

0IBM \?\m10Zjb8T>K!(\?}]bD~D{F,"

8>CD~Qr*MMw#


2. SB-Pm!q0vK$i1#

3. %w0B(T)14%#

vV04(BDT)$i1T0r#

4. dk0\?j)1,}g “test-cert”#

5. dk0+C{F1M0i/1(=_y*Xh),"!q0zR/X

x1#TZd`VN,ITS\1!5,2ITdkr!qB5#

kND<43#

6. %w07(1#

0IBM \?\m10Z0vK$i1VNT>Kz4(DT)}V$

iD{F#

< 43. 4(BDT)$i


mSBy CA $i

WHXkrX( CA ksBy$i,;sEIT*C CA mSK$i#

?v CA <_PKNqD(;}L#XZKE",k*5`&D CA#

r CA ks"U=y$i.s,I+dmS=\?}]b#s`}}V

y$i<9Cq= *.arm(}g cert.arm)#

*+y CA $imS=}]b,kq-b)=h:

1. Z0IBM \?\m10ZP,SB-Pm!q0){_$i1#

2. %w0mS1#

vV0SD~mS CA D$i10Z#

1. S0}]`M1B-K%!q0Base64 `kD ASCII }]1#

2. dky CA $iD0$iD~{1M0;C1,r_%w0/@1!

q{FM;C#

3. %w07(1#

vV0dkj)1T0r#

4. dky CA $iD\?j),}g VeriSign Root CA Certificate,"

%w07(1#

by,0){_$i1VN|,KzUmSDy CA $iDj)#

>}y CA $i

g{;kY'VzD){_$iPmPD3v)"_,rh*>}`&

Dy CA $i#

< 44. 0mS CA D$i1T0r


":>}y CA $i.0,H4(C$iD8]1>,by,TsIT

XB4(`,D CA y$i#

*S}]b>}y CA $i,kq-b)=h:

1. Z0IBM \?\m10ZP,SB-Pm!q0){_$i1#

2. !q(;vT>)*>}Dy CA $i#

3. %w0>}1#

vV07O10Z#

4. %w0G1#

zU>}Dy CA $iDj);YZ0){_$i1VNPvV#

Z}]bd4F$i

hC(CENxgr+T)$iCZbT1,zI\"Vh*+$iS

;v}]b4FMmS=m;v}]b#Z}]b.dF/$iD=(

P 3 V:

¶ +$ii!=D~;SD~mS$i

¶ S}]b1S<k$i

¶ +$i1S<v=}]b

+$ii!=D~;SD~mS$i*+$iS(4)\?}]bi!=D~,;s+C$imS=(?

j)\?}]b,kq-b)=h:

1. r*041\?}]b#

2. S0IBM \?\m10ZB-K%,!q*<vD$iD`M:0v

K1r0){_1#

3. !q*mS=m;}]bD$i#

4. g{!q0vK1,r%w0i!$i14%#g{!q0){

_1,r%w0i!14%#

vV0+$ii!=D~10Z#

5. S0}]`M1B-K%!q0Base64 `kD ASCII }]1#


}] ` M h * k$iD~Pf " D$iD}] ` M ` % d #

iKeyman $_'V Base64 `kD ASCII D~M~xF DER `k

D$i#

6. dk$iD~{M*f"$iD;C,r_%w0/@1!q{F

M;C#

7. %w07(1#

+$i4=8(DD~#

*+$iSD~mS=?j}]b,kq-b)=h:

1. r*?j\?}]b#

2. !q+*mSD$iD`M:0vK1r0){_1#

3. T0){_1`M$i%w0mS1#T0vK1`M$i%w0S

U1#

4. dkzi!$i19CD0$iD~{1M0;C1#2IT9C

0/@14%#

5. %w07(1#

< 45. +$ii!=D~

< 46. SD~SU$i


6. 07O10Z*s!qK$iGq+w*1!$i#%w0G1r

0q1#

by,$iMmS=?j}]b,"vVZ$iDPmP#

S}]b1S<k$i*+$iS(4)\?}]b<k=(?j)\?}]b,kq-b)

=h:

1. r*0?j1\?}]b#

2. S0IBM \?\m10ZB-K%,!q*<vD$iD`M:0v

K1r0){_1#

3. %w0<v/<k14%#

T>0<v/<k\?10Z#

4. S0!qYw`M1!q0<k1#

5. S0\?1D~`MB-K%,!q CMS \?}]bD~#

6. dk4\?}]bD0D~{1M0;C1,C}]b|,z*<

kD$i#2IT9C0/@14%#

7. %w07(1#

T>0\ka>10Z#

8. dk\k"%w07(1#

vV0S\?j)Pm!q10Z#

9. !q*<kD$i"%w07(1#

< 47. <v/<k\?


by,C$iMvVZ?j}]bDPmP#

+$i1S<v=}]b*+$iS(4)\?}]b<v=(?j)\?}]b,kq-b)

=h:

1. r*041\?}]b#

2. S0IBM \?\m10ZB-K%,!q*<vD$iD`M:0v

K1r0){_1#

3. !q(;vT>)*<vD$i#

4. %w0<v/<k14%#

T>0<v/<k\?10Z#

5. S0!qYw`M1!q0<v1#

6. S0\?1D~`MB-K%,!q CMS \?}]bD~#

7. dkz*"M$i1yZD?j\?}]bD0D~{1M0;

C1#2IT9C0/@14%#

":vVXZf;K}]bD~DIE{"#%w0G1#Q<v

D$i+;mS=?j}]b#;a*'NNE"#

8. %w07(1#

T>0\ka>10Z#

9. dk?j}]bD\k"%w07(1#

< 48. <v/<k\?


10. r*?j}]b1,Q<vD$i+vVZ$iDPmP#

ks~qw$i

WebSEAL *s CA )pD$i+dTmO$= SSL M'z#WebSEAL

I\*sP;,D$iI)d|DO$*s9C(}gl&9C

junctioncp –K xP*aD&CLr~qw)#

iKeyman 5CLrJmzI$iks,zIT+Cks"MA`&D

CA#

*zI$iks,kq-b)=h:

1. Z0IBM \?\m10ZP,SB-Pm!q0vK$iks1#

2. %w0B(1#

vV04(BD\?M$iks1T0r#

3. dk$iksD0\?j)1#

4. dk0+C{F1M0i/1,"!q0zR/Xx1#

< 49. 4(BD\?M$iks


TZd`VN,ITS\1!5,2ITdkr!qB5#

5. Z0ZW?,dkD~D{FM;C#2IT9C0/@14%#

6. %w07(1#

vV07O10Z,C0Zi$zGqQ-I&4(B}V$iD

ks#

7. %w07(1#

0vK$iks1VNT>Kz4(DB}V$iksD\?j

)#

8. +D~"M=`&D CA IksB}V$i,r_+CksS CA D

Web >cty=ksm%#

SU}V$i

CA rz"MB)pD}V$i.s,zh*+|mS=\?}]b(S

C}]bzIks)#

*SU}V$i,kq-b)=h:

1. Z0IBM \?\m10ZP,SB-Pm!q0vK$i1#

2. %w0SU1#

vV0SD~SU$i10Z#

3. S0}]`M1B-K%P,!q0Base64 `kD ASCII }]1#

4. dkB}V$iD0$iD~{1M0;C1#2IT9C0/@1

4%#

":g{ CA +$iw*gSJ~{"D;?V"M,rXk+$i

ty=;v@"DD~#

5. %w07(1#

6. vV0dkj)10Z#

7. dkB$iDj)"%w07(1#

by,0vK$i1VNM|,KB}V$iDj)#


>}}V$i

g{;Yh*3v}V$i,rh*+dS}]bP>}#

":>}}V$i.0,k4(8]1>,T8TsXB4(}V$i

19C#

*>}}V$i,kq-b)=h:

1. Z0IBM \?\m10ZP,SB-Pm!q0vK$i1#

2. !q(;vT>)*>}D}V$i"%w0>}1#

vV07O10Z#

3. %w0G1#

!(}V$iDj)+;YvVZ0vK$i1VNP#

8(B1!$i

iKeyman 5CLrJm8(1!}V$i,T) WebSEAL Z\?}]

b|,`v0vK$i1u?19C#(g{zZH}!( CA DY=}

V$i1*<9C&CLrPDT)}V$i(CZbT),r}]b

PI\P`v}V$i#)

U=4T CA DQ)p}V$i.s,ITCT)}V$itZ}]b

P,"*<9C CA "vD}V$i,bIT(}+d8(*1!}V

$i4xP#}V$ij)0fPGE(*)r8>Cu?*1!}V

$i#

SU=DZ;v}V$irw*T)}V$i4(DZ;v}V$i+

T/jG*1!}V$i#?NSU;vB}V$ir4(;vT)}

V$i1,MCz!q+bvB}V$iw*1!}V$i#+z2I

Tf1w7X|D1!}V$i#

*|D1!}V$i,kq-b)=h:

1. Z0IBM \?\m10ZP,SB-Pm!q0vK$i1#

}V$ij)0fPGE(*)r8>Cu?*1!}V$i#


2. !qz*hC*1!}V$iDm;}V$i"%w0i4/`

-1#2IT+wCu?#

T>$iD0\?E"10Z#

3. !P0+C$ihC*1!$i14!r"%w07(1#

by,C$iMT>*1!}V$i,dj)0fPGE(*)#

|D}]b\k

iKeyman $_Jm|D\?}]bD\k#

*|D\?}]b\k,kq-b)=h:

1. r*;v\?}]b#

2. S0\?}]bD~1B-K%P,!q0|D\k1#

vV0|D\k10Z#

3. Z0\k1VNdkB\k,"Z07O\k1VNPYNdkC

\k#

4. !P0hC''1d14!r(g{J1)#

5. !P0+\kf"=D~14!r(g{J1)#

6. %w07(1#

4,8PD{"8>ksQI&jI#


w}

[A]2+T_T

f. 4

)9tT 4

\#$Ts_T 4

ACL _T 4

[B]#$6p 3

1!6p 40

xg 41

wz 41

#$6p POP _T 66

#$J4 3

jGO$ 97

j)5 178

m%O$ 89

[C]N<E" 45

,1 75

,1N}

HTTP M HTTPS 23

[D]zmLr 45

%;"a

gSgx 108

En 162

dC GSO _Y:f 170

+V"a(GSO) 167

Z BA 7Pa)M'zm] 162

CDSSO 103

LTPA(WebSphere) 171

-b filter 166

-b gso 166

-b ignore 165

-b supply 163

G<

a>u~ 85

G<a>

u~ 85

]}G< 61

]}O$ 58

gSgxO$ 108

gSgx cookie 116

S\0$51jG 118

xLw 112

dC 119

Xw 111

0$51jG 118

0$51ksM&p 117

gSgx cookie 116

/,LqJq 178

/, URL

T POST kshC^F 187

Ev 183

|B,dynurl update 186

bv 186


/, URL (x)

>} 190

a)CJXF 183

3d ACL Ts 184

\aM<u"M 189

dynurl-allow-large-posts 188

dynurl-map 184

GET M POST =( 187

post-max-read 187

[F]1>Z(}]b;C 43

4F0K WebSEAL ~qw 43

[G]_Y:f3FE" 30

vT/~q

Ev 181

dC WebSEAL 182

>} 183

y?<,WebSEAL 20 19

|B(*l} 42, 43

JO*F cookie,dC 80

}K2, HTML URL

xT URL 153

server-relative-URL 153

[H]sK&CLr'V 177

a0j6}]`M 79

a0_Y:f

GSKit 73

a0_Y:f (x)

WebSEAL 73

a0}]`M 70

a04,

\m 73

a0 cookie 76

tCa0 cookie 77

P'Da0j6}]`M 79

a0 cookie 76

tC 77

[J]y>O$

dC 87

yZxgDO$ POP _T 63

G<U>,HTTP 45

[K]IluT 11

4FDsK~qw 14

Q4FD0K~qw 11

[L]*a

20`v~qw 153

&m4TE>D URL(-j) 142

4(-r 127

zm*a(-H"-P) 135

Ev 8, 126

}K2, HTML URL 153

+a0 cookie "M=E'x>~qw

(-k) 141


*a (x)

`M!n(-t) 129

*a3dm 146

|nN< 209

?FB*a(-f) 138

?FmI( 154

+V"a(GSO) 167

9C*a3d&m`TZ~qwD

URL 146

9C BA 7DO$(-B"-U"-W) 134

yh!n 129

`%O$(-D"-K"-B"-U"-W) 132

CE>}K&mxT URL 145

C cookie &m`TZ~qwD URL 144

Z HTTP 7Pa)M'zm](-c) 139

Z HTTP 7Pa)M'z IP X7

(-r) 140

$iO$ 155

'V;xVs!4D URL(-i) 142

8(sK UUID(-u) 148

wz!n(-h) 129

4,#fac'V(-s"-u) 147

DN %d(-D) 133

gso !n(-b gso,-T) 169

LTPA(-A,-F,-Z) 171

pdadmin server task 128

WebSEAL M'z$i(-K) 133

WebSEAL A WebSEAL(-C) 136

Windows D~53(-w) 152

-b !nTZ`%O$*aD0l 134

-b filter 166

-b gso 166

-b ignore 165

-b supply 163

V/ 42

V/Z(}]b 43

[M]\k?H_T 54

\?}]bD~`M 36

?<w}<j 27

[N]Z]$H,request.log 47

[P]>$

ek LDAP }] 179

)9tT 178

Z HTTP 7Pek}] 179

>$q!

Ev 6

EPAC 7

[Q]0K WebSEAL ~qw

4F 43

ks 45

+V"a(GSO) 167

[R]O$

jG 97

m% 89

G<a> 85

gSgx 108


O$ (x)

Ev 4

y>O$ 87

Kb}L 70

?D 5

dC`v=( 85

dCEv 83

\'VD=( 71

\'VDa0}]`M 70

$i 91

CDSSO 103

HTTP 7 95

IP X7 97

MPA 98

O$=(,\a 71

O$?H POP _T 58

[S]}N%wG<_T 53

Z(}]b1>;C 43

"B_Y:f 30

[T]7 95

[W]4O$DC',XF 67

D5_Y:f 28

_Y:f3FE" 30

"B_Y:f 30

D5y?<

|D;C 25

[X]`%O$D*a 132

[Y]&CLr'V,sK 177

[Z]$5ksM&p 117

$i

\m 35

\?}]bD~`M 36

GSKit 36

iKeyman 36

$iO$ 91

"z 86

Jq,/,Lq 178

A

accept-client-certs 93

account-locked 34

acct_locked.html 35

ACL _T,X(Z WebSEAL 51

acnt-mgt Z 34

agents-file 45

agent.log 45

>} 48

authentication-levels Z 58, 64

authtoken-lifetime 107

aznapi-configuration Z 43


B

backicon 27

basicauth-dummy-passwd 163

basic-auth-realm 87

ba-auth 87

C

cache-refresh-interval 43

CDMF 2mb 104

cdsso 106

CDSSO O$ 103

cdssoauthn 106

cdsso-auth 105

cdsso-peers Z 107

cdsso_key_gen 82, 107, 118

cert-ssl 94

CGI `L

'V 175

'V WIN32 73d? 176

cgi-environment-variables Z 176

cgi-timeout 24

cgi-types Z 27

client-connect-timeout 23

content-caches Z 28

CRL li 40

D

db-file 43

default-webseal ACL _T 52

directory-index 26

diricon 27

disable-ssl-v2 22

disable-ssl-v3 22

disable-tls-v1 22

doc-root 25

dynurl update 186

dynurl-allow-large-posts 188

dynurl-map 184

dynurl.conf 184

E

ec-cookie-lifetime 121

entrust-client 95

e-community-name 120

e-community-sso-auth 119

F

failover-auth 82

failover-cookies-keyfile 82

failover-cookie-lifetime 83

filter-url Z 47, 154

flush-time 47

forms-auth 89

G

GET =( 187

gmt-time 46

GSKit 36

D~`M 36

GSKit a0_Y:f 73

dC 75

GSO 167

dC GSO _Y:f 170

GSO _Y:f,dC 170

gso-cache-enabled 170

gso-cache-entry-idle-timeout 170


gso-cache-lifetime 170

gso-cache-size 170

H

help 34

help.html 35

HTML (F3f 34

j'V 35

http 21

HTTP ms{" 31

j'V 33

HTTP +2U>q= 48

HTTP G< 45

HTTP 7O$ 95

HTTP 7PD LDAP }] 178

httpauthn 96

https 21

https-port 21

https-timeout(*a) 24

http-headers-auth 95

http-port 21

http-request 96

HTTP-Tag-Value 180

http-timeout(*a) 24

HTTP_IV_CREDS 139, 176, 178

HTTP_IV_GROUPS 139, 176, 178

HTTP_IV_REMOTE_ADDRESS 140

HTTP_IV_USER 139, 176, 178

I

iKeyman 38

4(BD\?}]b 221

4(BDT)$i 223

r*1!\?}]b 219

iKeyman (x)

Ev 39

|D}]b\k 233

SU$i 231

t/ 218

ks~qw$i 230

>}y CA $i 225

>}$i 232

mSBy CA $i 225

`%O$ SSL *a 132

Z}]bd4F$i 226

8(B1!$i 232

SSL `M*a 131

WebSEAL bT$i 93

inactive-timeout 75

inter-domain-keys Z 118, 122

intra-domain-key 118, 120

IP X7O$ 97

ipaddr-auth 97

is-master-authn-server 120

iv-creds 139, 178

iv-groups 139, 178

iv-remote-address 140

iv-user 139, 178

J

jmt load 146

jmt-map 146

jmt.conf 146

junction-db 126


L

ldapauthn 88, 89

ldap-ext-cred-tags Z 179, 180

libcdssoauthn 106

libhttpauthn 96

libldapauthn 88, 89

libsslauthn 94

libtokenauthn 97

listen-flags 43

logging Z 47

login 34

login.html 35, 90

logout 34

logout.html 35

log-filtered-pages 47

LTPA _Y:f,dC 172

LTPA(WebSphere) 171

dC*a 171

dC LTPA _Y:f 172

ltpa-cache Z 172

ltpa-cache-enabled 172

ltpa-cache-entry-idle-timeout 172

ltpa-cache-entry-lifetime 172

ltpa-cache-size 172

M

master-authn-server 121

master-https-port 120

master-http-port 120

max-entries 74

max-size 46

mgt-pages-root 34

mpa 102

MPA O$ 98

N

nexttoken.html 35

next-token 34

P

passwd-change 34

passwd-change-failure 34

passwd-change-success 34

passwd-expired 34

passwd-ldap 88, 89

passwd.html 35

passwd_exp.html 35

passwd_rep.html 35

pdadmin _T

disable-time-interval 53

max-login-failures 53

max-password-repeated-chars 54

min-password-alphas 54

min-password-length 54

min-password-non-alphas 54

password-spaces 54

pdadmin server task(*a) 128

pd.conf 179

PD_PORTAL header 182

pd_start |n 20

persistent-con-timeout 23

ping-time(*a) 24

pkmscdsso 108

pkmslogout 86

pkmspasswd 86

pkmsvouchfor 117, 121

POP _T

#$6p 66

yZxgDO$ 63

O$?H(]}) 58

portal-map Z 182


POST =( 187

dC^F 187

post-max-read 187

Q

query_contents 155

20 156

#$ 160

(F 158

query_contents.c 156

query_contents.cfg 156

query_contents.exe 156

query_contents.html 156

query_contents.sh 156

R

referers-file 45

referer.log 45

>} 49

REMOTE_USER 176

requests-file 45

request.log 45

dCG<Z]$H 47

>} 48

resend-webseal-cookies 77

S

script-filter 145

script-filtering Z 145

server-name 43

server-root 20

SSL a0j6 77

sslauthn 94

ssl-id-sessions 77

ssl-keyfile 39

ssl-keyfile-label 39

ssl-keyfile-pwd 39

ssl-keyfile-stash 39

ssl-ldap-server 40

ssl-ldap-server-port 40

ssl-ldap-user 40

ssl-ldap-user-password 40

ssl-max-entries 76

ssl-qop-mgmt 40

ssl-qop-mgmt-default Z 40

ssl-qop-mgmt-hosts Z 41

ssl-qop-mgmt-networks Z 41

ssl-v2-timeout 76

ssl-v3-timeout 76

stepuplogin.html 35, 61

stepup-login 34

T

tcp-port 43

tokenauthn 97

tokenlogin.html 35

token-auth 97

token-cdas 97

token-login 34

U

udp-port 43

unknownicon 27

use-same-session 77, 78


V

vf-token-lifetime 121

vf-url 121

W

WebSEAL

Ev 1

t/M#9~qw 20

WebSEAL a0_Y:f 73

dC 74

WebSEAL *a,kND*a 125

webseald.conf

N< 195

Ev 18

;C 18

webseal-cert-keyfile 37

webseal-cert-keyfile-label 37, 93, 155

webseal-cert-keyfile-pwd 37

webseal-cert-keyfile-stash 37

webseal-mpa-servers i 101, 102

WebSphere LTPA 171

WIN32 73d?,'V 176

worker-threads 22


Pz!"

GB84-0408-01