plug-in for web servers c 8o
"b
Z9C>JO0d'VDz7.0,kDAZ 103 3D=< D, :yw;PDE"#
Z;f(2002 j 4 B)
>f>JCZ IBM Tivoli Access Manager: Plug-in for Web Servers Df> 3.9(z7E 5724–C08)0yPsL"Pf,
1=ZBf>PmPyw*9#
© Copyright International Business Machines Corporation 2002. All rights reserved.
0T
IBM® Tivoli® Access Manager Plug-in for Web Servers w*M'zM2+ Web Ud
.dDxX\mzyZ Web DJ4D2+T#e~5V#$z Web TsUdD2+
T_T#Ke~Ia)%;"abv=8,'Vw*ibwzKPD Web ~qw"+
Web &CLr~qwJ4O"=d2+T_TP#
6IBM Tivoli Access Manager Plug-in for Web Servers C'8O7a)208>E""
\m}LM9C Plug-in for Web Servers &CLr#$ Web rD<uN<E"#
>ifrDA_
>8O):p20"?pM\m Access Manager Plug-in for Web Servers D53\m
19C#
A_&1l$TBZ]:
v PC M UNIX® Yw53#
v }]be5a9MEn
v 2+\m
v rXx-i,|( HTTP"HTTPS M TCP/IP
v a?6?<CJ-i(LDAP)M?<~q
v 'VDC'"am
v O$MZ(
g{*tC2+WSVc(SSL)(E,r9&l$ SSL -i"\?;;(+CM(
C)"}V){"\kc(MO$PD#
>i|,DZ]
>i|,TBw?V:
v Z 1 B, :Access Manager Plug-in for Web Servers ri;
a) Access Manager Plug-in for Web Servers &CLrDri,xv53e5a9"
&\MYw73Dj8E"#
v Z 2 B, :20 IBM Tivoli Access Manager Plug-in for Web Servers;
Access Manager Plug-in for Web Servers D208>E",|(53*sE"M}%
}L#
v Z 3 B, :IBM Tivoli Access Manager Plug-in for Web Servers dC;
a)XZ Access Manager Plug-in for Web Servers DdC*sDE"#
v Z 4 B, :IBM Tivoli Access Manager Plug-in for Web Servers O$;
,$a04,"O$ksM'VsZ(&mDE"MdC8>E"#
v Z 5 B, :IBM Tivoli Access Manager Plug-in for Web Servers 2+T_T;
XZdCM(F Access Manager Plug-in for Web Servers 2+T_TDE"#
v Z 6 B, :Web %;"abv=8;
V[CZ Access Manager Plug-in for Web Servers #$D Web UdD%;"ab
v=8#
v Z 7 B, :gSgx%;"a;
V[ Access Manager Plug-in for Web Servers DgSgx%;"abv=8#
v =< A, :pdwebpi.conf N<;
Pv Access Manager Plug-in for Web Servers dCN}0X*Dhv#
v =< B, :O$=(lYN<;
PvyPe~O$"a0MsZ(=(0X*Dhv#
v =< C, :|nlYN<;
PvICe~5CLr0dy4PYwDhv#
vfo
>ZPvK IBM Tivoli Access Manager bPDvfoT0d|yP`XD5#,19
hvgNZ_CJ Tivoli vfo,gN): Tivoli vfo,T0gNT Tivoli vfo
xP@[#
IBM Tivoli Access Manager
Access Manager b4TB`pi/:
v "PE"
v y>E"
v WebSEAL E"
v Web 2+TE"
v *"_N<E"
v 9d<uE"
z7bPDvfoTIF2D5q=(PDF)|,Zz7 CD O#*9C Web /@w
CJb)vfo,kr* infocenter.html D~,KD~;Zz7 CD OD /doc ?<P#
XZ Access Manager M`XwbD=SE"4,kNDTB Web >c:
http://www.ibm.com/redbooks
https://www.tivoli.com/secure/support/documents/fieldguides
"PE"
v 6IBM Tivoli Access Manager for e-business kHDA7
G152-0306(am39_readme.pdf)
a)20"*<9C Access Manager DE"#
v 6IBM Tivoli Access Manager for e-business "P5w7
G152-0313(am39_relnotes.pdf)
a)nBE",}gm~^F"X\k)MD5|B#
y>E"
v 6IBM Tivoli Access Manager Base 208O7
G152-0303(am39_install.pdf)
5wgN20"dCM}6 Access Manager m~,|( Web Portal Manager gf#
v 6IBM Tivoli Access Manager Base \m18O7
G152-0304(am39_admin.pdf)
hv9C Access Manager ~qDEnM=h#a)S Web Portal Manager gfM
9C pdadmin |n4PNqD8>E"#
v IBM Tivoli Access Manager Base for Linux on zSeries™ Installation Guide
GC23-4796(am39_zinstall.pdf)
bMgNZ zSeries =(O20MdC Access Manager Base for Linux#
WebSEAL E"
v 6IBM Tivoli Access Manager WebSEAL 208O7
G152-0302(amweb39_install.pdf)
a) WebSEAL ~qwM WebSEAL &CLr*"$_dD20"dCM}%8>
E"#
v 6IBM Tivoli Access Manager WebSEAL \m18O7
G152-0305(amweb39_admin.pdf)
a)9C WebSEAL \m2+ Web rJ4D30JO"\m}LM<uN<E"#
v IBM Tivoli Access Manager WebSEAL Developer’s Reference
GC23-4683(amweb39_devref.pdf)
a)grO$~q(CDAS)"gr3dr\(CDMF)M\k?H#iD\mM`
LE"#
v IBM Tivoli Access Manager WebSEAL for Linux on zSeries Installation Guide
GC23-4796(amweb39_zinstall.pdf)
a)Z zSeries =(OCZ Linux D WebSEAL ~qwM WebSEAL &CLr*"
$_dD20"dCM}%8>E"#
Web 2+TE"
v 6IBM Tivoli Access Manager for WebSphere Application Server C'8O7
G152-0316(amwas39_user.pdf)
a) Access Manager for IBM WebSphere® Application Server D20"}%M\m
D8>E"#
v 6IBM Tivoli Access Manager for WebLogic Server C'8O7
G152-0317(amwls39_user.pdf)
a) Access Manager for BEA WebLogic Server D20"}%M\mD8>E"#
v 6IBM Tivoli Access Manager Plug-in for Edge Server C'8O7
G152-0307(amedge39_user.pdf)
hvgN20"dCM\m Plug-in for IBM WebSphere Edge Server &CLr#
v 6IBM Tivoli Access Manager Plug-in for Web Servers C'8O7
G152-0315(amws39_user.pdf)
a)208>E""\m}LM9C Plug-in for Web Servers #$zD Web rD
<uN<E"#
*"_N<s+
v IBM Tivoli Access Manager Authorization C API Developer’s Reference
GC32-0849(am39_authC_devref.pdf)
a)N<JO,CJOhvgN9C Access Manager Z( C API M Access Manager
~qe~SZr&CLrmS Access Manager 2+T#
v IBM Tivoli Access Manager Authorization Java Classes Developer’s Reference
GC23-4688 (am39_authJ_devref.pdf)
a)9CZ( API D Java™ oT5V49&CLr\;9C Access Manager 2+
TDN<E"#
v IBM Tivoli Access Manager Administration C API Developer’s Reference
GC32-0843(am39_adminC_devref.pdf)
a)9C\m API 9&CLr\;4P Access Manager \mNqDPXN<E"#
KD5hv\m API D C 5V#
v IBM Tivoli Access Manager Administration Java Classes Developer’s Reference
SC32-0842 (am39_adminJ_devref.pdf)
a)9C\m API D Java oT5V49&CLr\;4P Access Manager \mN
qDN<E"#
v IBM Tivoli Access Manager WebSEAL Developer’s Reference
GC23-4683(amweb39_devref.pdf)
a)grO$~q(CDAS)"gr3dr\(CDMF)M\k?H#iD\mM`
LE"#
<u9d
v 6IBM Tivoli Access Manager T\w38O7
G152-0309 (am39_perftune.pdf)
a)I+ IBM SecureWay Directory (e*C'"amD Access Manager y9I7
3DT\w{E"#
v 6IBM Tivoli Access Manager ]?f.8O7
G152-0308(am39_capplan.pdf)
ozf._7(*o=XhD$w:XyhD WebSEAL"LDAP MsK Web ~q
wD}?#
v 6IBM Tivoli Access Manager ms{"N<s+7
S152-0312(am39_error_ref.pdf)
a)T Access Manager yzI{"DbMM(iYw#
Tivoli Glossary |,k Tivoli m~`XDm`<uuoD(e#ZTB Web >cvT
"oa)K Tivoli Glossary:
http://www.tivoli.com/support/documents/glossary/termsm03.htm
`Xvfo
>ZPvKk IBM Tivoli Access Manager b`XDvfo#
IBM DB2® (C}]b20 IBM SecureWay® Directory"z/OS® M OS/390® LDAP ~qw1,IBM DB2 G
XhD#ZTB Web >ca)K DB2 E":
http://www-4.ibm.com/software/data/db2/
IBM Global Security Toolkit
Access Manager (}9C IBM Global Security Toolkit(GSKit)a)}]S\#GSKit
fCZzX(=(D IBM Tivoli Access Manager Base CD =x#
GSKit m~|20 iKeyman \?\m5CLr(gsk5ikm),Jmz4(\?}]b"
+C-(C\?TM$iks#Z /doc/GSKit ?<Pa)KTBD5:
v Secure Sockets Layer Introduction and iKeyman User’s Guide(gskikm5c.pdf)
*xgr532+\m1a)E",b)\m1f.Zd Access Manager 2+rP
tC SSL (E#
IBM SecureWay Directory
IBM SecureWay Directory f> 3.2.2 GfCZzX(=(D IBM Tivoli Access Manager
Base CD =xD#g{F.20 IBM SecureWay Directory ~qww*zDC'"a
m,rISCZzDXb=(D IBM Tivoli Access Manager Base CD OD /doc/Directory
76Pq!TBD5#
v IBM SecureWay Directory Installation and Configuration Guide
(aparent.pdf"lparent.pdf"sparent.pdf"wparent.pdf)
a) AIX®"Linux"Solaris Operating Environment M Microsoft® Windows® Yw5
3OD IBM SecureWay Directory i~D20"dCM(FE"#
v IBM SecureWay Directory Release Notes
(relnote.pdf)
9d IBM SecureWay Directory f> 3.2.2 z7D5,"hvZK"PfPa)DX
TM&\#
v IBM SecureWay Directory Readme Addendum
(addendum322.pdf)
a)Z IBM SecureWay Directory D5Q-k.s"zD|DM^}PXE"#vT
"oa)KD~#
v IBM SecureWay Directory Server Readme
(server.pdf)
a)T IBM SecureWay Directory Server f> 3.2.2 Dhv#
v IBM SecureWay Directory Client Readme
(client.pdf)
a)T IBM SecureWay Directory Client f> 3.2.2 Dhv#Km~*"|(SDK)
a) LDAP &CLr*"'V#
v SSL Introduction and iKeyman User’s Guide
(gskikm5c.pdf)
*xgr532+\m1a)E",b)\m1f.Zd Access Manager 2+rP
tC SSL (E#
v IBM SecureWay Directory Configuration Schema
(scparent.pdf)
hv?<E"w(DIT)MCZdC slapd32.conf D~DtT#Zf> 3.2 P,9C
LDAP Directory Interchange Format(LDIF)q=+?<hCf"Z slapd32.conf D
~P#
v IBM SecureWay Directory Tuning Guide
(tuning.pdf)
a) IBM SecureWay Directory DT\w{E"#ZJC.&xvK?<s!Dw{
"bBn,b)?<s!D6'S8'vu?=8Yrvu?#
XZ IBM SecureWay Directory D|`E",kNDTB Web >c:
http://www.software.ibm.com/network/directory/library/
IBM WebSphere Application Server
IBM WebSphere Application Server _6%~qwf 4.0.2 Gf Web portal manager g
f20D#XZ IBM WebSphere Application Server DPXE",kNDTB Web >
c:
http://www-4.ibm.com/software/webservers/appserv/infocenter.html
Z_CJvfo
z7bPDvfoTIF2D5q=(PDF)|,Zz7 CD O#*9C Web /@w
CJb)vfo,r* infocenter.html D~,CD~;Zz7 CD OD /doc ?<
P#
1 IBM "<;vr`vZ_r2=4vfoD|Bf>1,a+b)vfo"M=
Tivoli Information Center#Tivoli Information Center T PDF M/r HTML q=|,
z7bPvfoDnBf>#3)z79a)-k}DD5#
ITSTB Tivoli Customer Support Web >cPD Tivoli Information Center CJ|
BDvfo: http://www.tivoli.com/support/documents/
E"4z7i/,|,"P5w"208O"C'8O"\m18OM*"_N<s
+#
":g{ZGE=s!D=EOr! PDF D5,!qZ Adobe Acrobat Print T0r
(%w File → Print 1IC)PD Fit to page 4!r47#Zz9CD=EO
r!E=s!3fDj{_g#
):vfo
IZTB Web >cZ_):m` Tivoli vfo:
http://www.elink.ibmlink.ibm.com/public/applications/publications/cgibin/pbi.cgi
2I&rTBb)Ek.;xP)::
v @z:800-879-2755
v SCs:800-426-4968
v Zd|zRrXx,XZg0EkDPm,kNDTB Web >c:
http://www.tivoli.com/inside/store/lit_order.html
a)XZvfoD4!
RGG#Vbc}z9C Tivoli z7MD5DP\,"RG#6-za)Dx(i#g
PNNPXz7MD5Db{M(i,kTBP==.;*5RG:
v r [email protected] "MgSJ~#
v ZTB Web >cn4KM4!ivwi:
http://www.tivoli.com/support/survey/
(z!n
(z!n&\ozPmeP2(}gP/;crS&O-)DC'I&9Cm~z
7#TZKz7,I9C(z<u}!M/@gf#2I9C|L4fzsj4P<
NC'gfDyP&\#
*5M''V
g{TZ Tivoli z7fZJb,I*5 Tivoli M''V#kNDBP Web >cD
Tivoli Customer Support Handbook:
http://www.tivoli.com/support/handbook/
CVaa)XZgNy]JbDOXT*5 Tivoli M''VDE"MBPE":
v "aMJq
v g0EkMgSJ~X7(!vZzyZDzRrXx)
v *5<u'V0&CU/DE"
>i9CD<(
>8OTXbuoMYw"Yw53`X|nM76T0T"<N9C8V<(#
Ve<(
>iP9CTBVe<(:
Ve |n{FM!n"X|VMd|Xkj+4U-D9CDE",TV
eVT>#
1e d?"|n!nMXka)D5T1eT>#vfojbT0?wD
XbJrLo2T1eT>#
HmVe zk>}"|nP"A;dv"D~M?<{FT053{"THm
VeT>#
Z 1 B Access Manager Plug-in for Web Servers ri
IBM Tivoli Access Manager(Access Manager)Plug-in for Web Servers G/Ibv=
8,|\c{CZzD\#$ Web UdD2+T_TD5VM\m#Ce~Gw*z
D Web ~qwD,;xLD;?V20D,`1ZM'zM\#$ Web Ud.dD
2+TxX#
>riBa)K Access Manager Plug-in for Web Servers <uDEv,xvK>z7
D<u*s"a)K9CCe~7# Web Ud2+TD}LDi\#
wbw}:
v :Kb Access Manager Plug-in for Web Servers <u;
v Z 3 3D:9C Access Manager Plug-in for Web Servers #$zD Web Ud;
v Z 3 3D:Kb Access Manager Plug-in for Web Servers O$;
v Z 5 3D:Kb>$q!;
Kb Access Manager Plug-in for Web Servers <u
Access Manager Plug-in for Web Servers w*zD Web ~qwD,;xLD;?VY
w,|9X=oD?vks"7(Gqh*Z(v_,"a)C'O$D=((g{
h*)#
Access Manager Plug-in for Web Servers /IK IBM Tivoli Access Manager &CL
rTa)CZ Web J4Dj{2+Tbv=8#Ce~Ia)%;"abv=8,"
+ Web &CLrJ4OI=d2+T_TP#
y>Ywi~Ma9
I=vy>a9i~9I Access Manager Plug-in for Web Servers * e~i~M
Authorization Server#e~i~&m Web ~qw_L,(}xLd(E(IPC)SZ+
?vksDj8E""M= Authorization Server#Authorization Server 4PxkDks
DO$MZ(#Authorization Server G>X==D AZNAPI &CLr,|S\"&m
4Te~Dks"xPl&,f_e~gN&m?vks#
Authorization Server 7(ksZDvibwzO07(g{ Web ~qwOfZibw
z)"7(ksGqh*Z(#TZ;h*Z(Dks,|Jm Web ~qw&mks#
Authorization Server *h*Z(Dks4PTBYw:
1. g{H0QO$ks,ri!O$ra0E"#
2. g{h*,t/kC';%wCDO$#
3. 9l Access Manager >$#
4. j6C'+CJDJ4,"+b)J43d=`&D Access Manager \#$Ts{
F#\#$Ts{FzmgS5e,}g Web >cD2+?Vr;Jm3)C'C
JD&CLr#
5. 7(Gqksrl&h*^D
6. (}+ cookie r7?VmS=ks/l&rzIl&(}gQO$Dl&r4Z(
Dl&)zIe~rwz Web ~qwyhDl&#
'Vibwz
ibwzG Web ~qwD&\,JmdTrXxT>*`vwz#Access Manager
Plug-in for Web Servers 'VD Web ~qw<'Vibwz&\#
Access Manager Plug-in for Web Servers a)Z?vibwzDy!O5V2+T_T
D&\#5VK&\yhD&CLr20Z>D5Dsf?VPDwbPV[#
< 1. e~M Access Manager i~;%wC#
9C Access Manager Plug-in for Web Servers #$zD Web Ud
Access Manager Plug-in for Web Servers a)TB&\:
v 'V`vO$=(,|(:y>O$"IP X7"nF"$iMm%O$HH#
v S\ HTTP M HTTPS ks
v (}yZi/_TO$MZ(C'ks4#$ Web ~qwJ4#
v 'Vibwz73PDksO$MZ(#
v \mT Web ~qwUdDCJXF#
\'VDJ4|( URL"yZ URL D}rmo="CGI Lr"HTML D~"Java
!~qLrM Java `D~#
v _Y:fa0M>$E",T\bZ(liZdTC'"am}]bDX4i/#
v a)%;"a&\
f.M5V2+T_T
+>2+T_Tj6h*#$D Web J4M?v Web J4yhD#$6p#Access
Manager 9Cb) Web J4Dibm>,F*\#$TsUd#\#$TsUd|,
zmxgPD5JomJ4DTs#(}+J1D2+zF&C=h*#$DTs5
V2+T_T#
2+zF|(:
v CJXFm(ACL)_T
ACL _Tj6C'`M,b)C'ITCJM8(?vC'`MDTsOJmDY
w#
v \#$Ts_T(POP)
POP 8('dT\#$TsDCJD=Su~,}g#\T"j{T"sFMCJD
?U1d#
v )9tT
)9tTGCZIT0lZ(v_DTs"ACL r POP D=S5#
Authorization Server Plug-in for Web Servers D Authorization Server i~CZyZC
'D>$MTZTsDCJXFJmr\xT\#$J4DCJ#*I&5V2+T
_T,XkZ>Xi/;,DZ]`M"&CJ1D ACL M POP _T#CJ\mI
\GO4SD,+2IT(}TZ]`MP8V`x9ddC]W#XZ Access
Manager D+fE"(|(hC_TDj8E")ITZ6IBM Tivoli Access Manager
Base \m18O7PR=#
Kb Access Manager Plug-in for Web Servers O$
O$Gj6"TG<=2+rD%@xLr5eD=(#Z(G7(qO$DC'G
qP(^TX(J44PYwD=(#O$7#vKm]Df5T,+;TdTJ4
4PYwD\&vNNPO#
Access Manager Plug-in for Web Servers *s?vM'za)m]$w45)2+rP
D_62+T#(}9 Access Manager Plug-in for Web Servers XFM'zDO$M
Z(,ITa)+fDxg2+T#
TBu~JCZ Access Manager Plug-in for Web Servers O$:
v e~'VO$=(Dj</O#IT(Fe~T'Vd|O$=(#
v e~xL@"ZO$=(#
v e~vh*M'zm]#SCm],e~q!QO$(r4O$)D>$,
Authorization Server I9CC>$Jmr\xTJ4DCJ#
KinDO$=(Jm2+T_TyZ5q*s,x;GomxgXKa9#
O$?D
Access Manager Plug-in for Web Servers O$}L}pTBYw:
1. M'zO$zzM'zm]#
;PC'_P Access Manager C'"amP(eDJ'1,M'zO$EaI&#
qr+O*CC'4O$#
2. Access Manager Plug-in for Web Servers 9CM'zm]q!CM'zD>$#
e~+O$DM'zm]k"aD Access Manager C'%d#;se~+q!J1
DC'>$#bF*>$q!#
>$#$C'{0C'_PI1JqDNNi#e~I9Cb)>$4Jmr\x
T Access Manager \#$TsUdPDQksTsDCJ#
>$ICZNN Access Manager ~q,b)~qh*XZM'zDE"#>$9
Access Manager \;2+X4PwV~q,}gZ("sFM/I#
XZ'VX(O$=(Dx;=E",kNDZ 27 3DZ 4 B, :IBM Tivoli Access
Manager Plug-in for Web Servers O$;#
Kb>$q!
O$}LDw*?DGq!hvM'zC'D>$E"#C'>$GNk2+rDX
|*s#
Access Manager xpT}C'O$M>$q!#C'Dm]<UG;dD#;x,>$
((eC'NkDirG+)Gd?#X(ZOBDD>$ITfE1dDwEx|
D#}g,a}3K1,>$Xk5XBD0p6p#
O$}L+zzX(Z=(DC'm]E"#+kTZ$tZ Access Manager C'"
am(1!ivB* LDAP)DPDC'J'E"liKE"#Access Manager Plug-in
for Web Servers +C'{MiE"3d=F*)9X(tT$i(EPAC)D+2r6
'ZDm>Mq=#
X(Z=(Dm]E"(}g\k"jGM$i)zmC'Domm]tT#KE"
ICZ9C~qw("2+a0#
zzD>$(zm2+rPDC'X()hvX(OBDPDC',xRvZCa0
DP'ZZP'#
Access Manager >$|,C'm]MKC'_PI1JqDi#
)9X(tT$i(EPAC)
>$ICZNN Access Manager ~q,b)~qh*XZM'zDE"#}g,Access
Manager Authorization Server 9C>$47(GqZ(C'T2+rPD\#$J44
PX(Yw#>$9CZd|Nq,}gG<U>MsF#
EPAC |,(;(Cj6(UUID),Access Manager h*Cj64&mCJXFm
(ACL)#
TB EPAC VNJCZ Access Manager:
m 1. Access Manager EPAC VN
tT hv
2+rj6 weDw2+rj6
we UUID weD UUID
i UUID wetZDiD UUID
Z 2 B 20 IBM Tivoli Access Manager Plug-in for Web Servers
>Ba) IBM Tivoli Access Manager (Access Manager)Plug-in for Web Servers 2
0Dj8E"#|,2~Mm~*sE"T0j8D205w#
wbw}:
v :'VD=(;
v :ELMZf*s;
v :X8m~;
v Z 8 3D:20 Access Manager Plug-in for Web Servers;
v Z 12 3D:}% Access Manager Plug-in for Web Servers;
'VD=(
Access Manager Plug-in for Web Servers ZTB=(OkTB Web ~qw/I:
v Windows 2000 Server/Advanced Server * xP Internet Information Server(IIS)
f> 5.0 D Service pack 2
v xP iPlanet 6.0 D Solaris Operating Environment 7(sparc)
v xP IBM HTTP Server(IHS)1.3.19 D AIX 5L
":Tivoli Fv&C4T Web ~qw)&LDyP2+T^)#
ELMZf*s
Access Manager Plug-in for Web Servers PTB2~*s:
v kX8 Access Manager KP173aO9C1,nYh* 23MB ELUd
v Zf:nYh* 64 MB#Fv9C 256 MB#
k"bnY 64 MB G}X8 Access Manager KP173yhDnY 64 MB Zf
TbD#256 MB r|sD\Zf}+5VnEDT\a{#
X8m~
Access Manager Plug-in for Web Servers Gk Web ~qwm~/ID&CLr,|K
PZ Access Manager 2+rP#20Ce~0,XkhC Web ~qw"4( Access
Manager 2+r#
1z20 Access Manager m~1,+(" Access Manager 2+r#Km~f IBM
Tivoli Access Manager for e-business Base CD V"#
Z20 Access Manager Plug-in for Web Servers m~0,XkZ?j Web ~qwO
20TBm~:
v Web ~qwm~#*TBm~.;:
– CZ Windows 2000 Server/Advanced Server 73D IIS 5.0
– iPlanet 6.0 for Solaris Operating Environment 7(sparc)
– CZ AIX 5L 73D IHS 1.3.19#
v IBM Tivoli Access Manager KP173 v3.9
TB&CLr;h*20Z Web ~qwO * |Gw*(" Access Manager 2+r
D;?V20#|GXkfZZIIe~CJDxgPD3&#
v IBM Tivoli Access Manager Policy Server v3.9
v IBM Global Security Toolkit(GSKit)5.0.4.65
v g{9C LDAP,h*\'VD LDAP ~qw,}g IBM Secure Way Directory 3.2.2
20 Access Manager Plug-in for Web Servers
>Za)Z}v\'V=(O20 Access Manager Plug-in for Web Servers D8>E
"#
Z AIX-IHS O20e~
*Z AIX O20MdC Access Manager Plug-in for Web Servers:
1. Z AIX 5L Web ~qwO,7#IZzD73P9CTBm~:
v IBM Tivoli Access Manager for e-business Policy Server v3.9#kN<6IBM Tivoli
Access Manager Base 208O7#
":Access Manager Policy Server ;h*$tZk Access Manager KP17
3`,DzwO#
2. 7#Q20TBm~:
v IHS Web ~qwm~#
v IBM Tivoli Access Manager for e-business KP173 v3.9#kN<6IBM Tivoli
Access Manager Base 208O7#
v IBM Global Security Toolkit(GSKit)5.0.4.65
v g{}Z9C LDAP C'"am,r20 IBM SecureWay Directory Client 3.2.2
3. Access Manager Plug-in for Web Servers 20+i!km~|dCV*#9C SMITZ AIX O20m~|#;s9Ce~dC5CLr pdwpicfg 4dC20#
w* root C'G<#
4. + IBM Tivoli Access Manager Web Security,f> 3.9 AIX f CD ek CD }
/w#
5. ZbGLra>BdkTB|n:
# smit
SMIT 5CLrt/#
6. !qm~20M,$#!q20M|Bm~#!qSnBICDm~20M|B
m~#
7. a>dkh81,dk20 CD D;C#
8. %wPm4%,T>*20Dm~#
`!Pm0ZT> IBM Tivoli Access Manager m~|#
9. !q Access Manager Plug-in for Web Servers m~|#%w7(#
10. T>SnBICDm~20M|Bm~T0r#
11. i$1!5GGqvVZj)*T/20X8m~VNP#
12. +d|VNhC*kzD20`&D5#Zs?VivB,zITS\1!5#
%w7(#
13. T>{"r/JzGq7(*20Km~|#%w7(#
20m~|D~#+T>;)4,{"#nsD4,{"8>I&jID~i
!#
14. TZ Access Manager Plug-in for IBM HTTP Server m~|,X4=h 8 =
=h 12#
15. %wjI#%w!{Kv SMIT#
16. g{94dC Access Manager KP173,rXkZKWNdC#XZdC Access
Manager KP173Dj8E",kN<6IBM Tivoli Access Manager Base 20
8O7#
17. *dCe~,F/= /opt/pdwebpi/bin "KP:
# ./pdwpicfg
dkV8 c#
18. T> Web ~qwQ*DyPibwzPm#zP}v!n:
v g{;k*Ce~#$;vibwz,rZT>DPmPdkkibwz`X
DEk#
v *#$`vibwz,dkkT>DPmPDibwz;C`XD5#CUq
t*dkDEk#
v dk all 9Ce~#$~qwODyPQ*ibwz#
19. dk Access Manager \m1j6M\k#
20. AZN |BGZ&CLrYwZd+_TE"v?|SZ(_T~qw*F#dkl
} AZN |BDKZE,r4 Return |,S\1!5#
21. dk Y/N tC/{Ck LDAP ~qwD SSL (E#Z Web ~qwM LDAP ~
qw$tZ`,2+xgPD73P,tC SSL I\;h*#g{IT7( Web
~qwM LDAP .d"MD}]Dj{T,r!q;9C SSL I(}}%2+T
*zxDFxgxm#
22. g{tCCe~M LDAP ~qw.dD SSL (E,ra>zdk LDAP SSL M
'z\?D~#
23. Access Manager Plug-in for Web Servers dC&1QI&jI#
Z Solaris Operating Environment-iPlanet O20e~
*Z Solaris Operating Environment O20MdC Access Manager Plug-in for Web
Servers:
1. Z Solaris Operating Environment Web ~qwO,7#IZzD73P9CTBm
~:
v IBM Tivoli Access Manager for e-business Policy Server v3.9#kN<6IBM Tivoli
Access Manager Base 208O7#
":Access Manager Policy Server ;h*$tZk Access Manager KP17
3`,DzwO#
2. 7#Q20TBm~:
v iPlanet Web ~qwm~#
v IBM Tivoli Access Manager for e-business KP173 v3.9#kN<6IBM Tivoli
Access Manager Base 208O7#
v IBM Global Security Toolkit(GSKit)5.0.4.65
v g{}Z9C LDAP C'"am,r20 IBM SecureWay Directory Client 3.2.2
3. e~20+D~i!Sm~|dCVk#9C pkgadd Z Solaris Operating
Environment O20m~|#;s9Ce~dC5CLr pdwpicfg 4dCe~#
w* root C'G<#
4. + IBM Tivoli Access Manager Web Security,f> 3.9 Solaris f CD 20=
/cdrom/cdrom0 O#
5. +?<|D= /cdrom/cdrom0/solaris
6. e~20h*mS=vm~|#4PTB|nT20e~:
# pkgadd -d . PDWPI PDWPIipl
a>1dk y "4 Return |#+S CD i!D~"+d20Z2LO#
7. *dCe~,F/= /opt/pdwebpi/bin "KP:
# ./pdwpicfg
8. dkV8 c dC&CLr#
9. dk iPlanet ~qwDy?<#
10. T> Web ~qwQ*DyPibwzPm#zP}v!n:
v g{;k*Ce~#$;vibwz,rZT>DPmPdkkibwz`X
DEk#
v *#$`vibwz,dkkT>DPmPDibwz;C`XD5,CUq
t*dkDEk#
v dk all 9Ce~#$~qwODyPQ*ibwz#
11. dk Access Manager \m1j6M\k#
12. AZN |BGZ&CLrYwZd+_TE"v?|SZ(_T~qw*F#dkl
} AZN |BDKZE,r4 Return |,S\1!5#
13. dk Y/N tC/{Ck LDAP ~qwD SSL (E#Z Web ~qwM LDAP ~
qw$tZ`,2+xgPD73P,tC SSL I\;h*#g{IT7( Web
~qwM LDAP .d"MD}]Dj{T,r!q;9C SSL I(}}%2+T
*zxDFxgxm#
14. g{tCCe~M LDAP ~qw.dD SSL (E,ra>zdk LDAP SSL M
'z\?D~#
15. Access Manager Plug-in for Web Servers dC&1QI&jI#
Z Windows-IIS O20e~
*Z Windows 2000 Server/Advanced Server Web ~qwO20 Access Manager Plug-in
for Web Servers:
1. Z Windows 2000 Web ~qwO,7#IZzD73P9CTBm~:
v IBM Tivoli Access Manager for e-business Policy Server v3.9#kN<6IBM Tivoli
Access Manager Base 208O7#
":Access Manager Policy Server ;h*$tZk Access Manager KP17
3`,DzwO#
2. 7#Q20TBm~:
v IIS Web ~qwm~#
v IBM Tivoli Access Manager for e-business KP173 v3.9#kN<6IBM Tivoli
Access Manager Base 208O7#
v IBM Global Security Toolkit(GSKit)5.0.4.65
v g{}Z9C LDAP C'"am,r20 IBM SecureWay Directory Client 3.2.2
3. w*_P Windows \m1X(DC'G<= Windows r#
4. + IBM Tivoli Access Manager Web Security,f> 3.9 Windows f CD ek CD
}/w#
5. +wTBD~(dPV8 E: G CD }/w)KP Access Manager Plug-in for Web
Servers InstallShield 20Lr#
E:\Windows\PolicyDirector\Disk Images\Disk1\setup.exe
6. S!qm~|0Z,!q Plug-in for Web Servers m~|"%w7(#
7. T>!qhCoTT0r#!qJ1DoT"%w7(#
8. InstallShield Lrt/"T>6-T0r#%wB;=#
9. T>mI$-iT0r#%wG,S\mI$-iDu~#
10. T>!qm~|T0r#9=v!n Access Manager Plug-in for Web ServersM Access Manager Plug-in for Microsoft Internet Information Services <
!P#%wB;=#
11. T>!q?DX;CT0r#S\1!20;Cr8(d|;C#%wB;=#
LrD~+i!=EL#+T>;u{",8>Q20m~#
12. %wjIKv20Lr#
13. S*<K%!q:Lr > Access Manager Plug-in for Web Servers > dC
T> Access Manager Plug-in for Web Servers dC!qT0r#
14. T> Web ~qwQ*DyPibwzPm#!q*#$Dibwz#%wB;=#
15. dk Access Manager \m1C'j6M\k#%wB;=#
16. AZN |BGZ&CLrYwZd+_TE"v?|SZ(_T~qw*F#dkl
} AZN |BDKZE,rS\1!5#%wB;=#
17. !qGrq,tC/{Ck LDAP ~qwD SSL (E#Z Web ~qwM LDAP
~qw$tZ`,2+xgPD73P,tC SSL I\;h*#g{IT7(
Web ~qwM LDAP .d"MD}]Dj{T,r!q;9C SSL I(}}%
2+T*zxDFxgxm#
g{!q9CCe~M LDAP ~qw.dD SSL (E:
a. dkCZS\ SSL D\?D~D76MD~{#
b. g{h*,dk$ij)#
c. dk\?D~\k#
!qB;=#
18. Access Manager Plug-in for Web Servers dC&1QI&jI#
19. XBt/ IIS#
}% Access Manager Plug-in for Web Servers
>Zhv}% Access Manager Plug-in for Web Servers D}L#>Z;hv}% Access
Manager KP1r Access Manager Policy Server D}L#XZ}%KP1M Policy
Server Dj8E",kN<6IBM Tivoli Access Manager Base 208O7#
S Windows-IIS }%e~
}%Ce~0,Xk!{ddC#
*Z Windows O!{Ce~DdC:
1. w*_P\mX(D Windows C'G<#
2. S*<K%%w:Lr > Access Manager Plug-in for Web Servers > !{d
C
":g{S|na>KP,IT9C -f !nZ^(,S Management Server 15)
!{dC#
3. T>Ce~#$DyPibwzPm#!q*!{dCDibwz#%wB;=#
4. dk Access Manager C'j6M\k#!qB;=#
;)I&!{Ce~DdC,rT>4,{"#
*S Windows }%Ce~:
1. S Windows0XFfe1,%wmS/>}Lr#
T>mS/>}LrT0r,PvyPQ20Dm~#
2. !q Access Manager Plug-in for Microsoft Internet Information ServicesDu?#%w|D/>}4%#
3. InstallShield Lrt/,"}%Ce~#
4. %wjI#
S AIX-IHS }%e~
Z}%Ce~0,h*!{ddC#*Z AIX =(O!{Ce~DdC:
1. w* root C'G<#
2. KPTB|nS bin ?<t/e~dC5CLr:
# pdwpicfg
":Z^(,S Management Server 1,IT9C -f !n5)!{dC#
3. dk u T!{dC#
4. T>\#$ibwzDPm#!q*!{dCDibwz#
5. dk Access Manager \m1j6M\k#
6. !{dCjI1,T>{"#
*}%Ce~:
1. w* root C',t/ SMIT
2. !q(E&CLrM~q#
3. T>(E&CLrM~qK%#!q Access Manager#
4. S Access Manager K%!q Access Manager !{dC#T>QdCD IBM
Tivoli Access Manager m~|Pm#
5. !q Access Manager Plug-in for Web Servers#
a>1dk Access Manager \k#
6. TNNa>4 Enter |#
7. TZ Access Manager Plug-in for Web Servers IHS m~|,X4=h 3 =
7#
S Solaris Operating Environment-iPlanet }%e~
ZIT}%Ce~0,Xk!{ddC#*Z Solaris Operating Environment O!{C
e~DdC:
1. w* root C'G<#
2. KPTB|nS bin ?<t/e~dC5CLr:
# pdwpicfg
":Z^(,S Management Server 1,IT9C -f !n5)!{dC#
3. dk u T!{dC#
4. T>\#$ibwzDPm#!q*!{dCDibwz#
5. dk Access Manager \m1j6M\k#
6. !{dCjI1,T>{"#
*S Solaris Operating Environment O}%Ce~:
1. dk|n:
# pkgrm PDWPI PDWPIipl
aa>z7OzDv(#Za>Bdk y#
T>{"8>I&}%#
Z 3 B IBM Tivoli Access Manager Plug-in for WebServers dC
>Bhv#f\mMdCNq,IT4Pb)NqCZ(F IBM Tivoli Access
Manager(Access Manager)Plug-in for Web Servers#
wbw}:
v :#fe~E";
v Z 17 3D:dC Authorization Server;
v Z 19 3D:dCibwz~qw;
v Z 21 3D:X(Z Web ~qwDdC;
v Z 22 3D:dCe~sF"G<U>"zYM_Y:f}]b;
v Z 26 3D:dCZ( API ~q;
#fe~E"
TBwZhvKXZ Access Manager Plug-in for Web Servers D#fE":
v :pdwebpi.conf dCD~ri;
v Z 16 3D:pdwebpimgr.conf dCD~;
v Z 16 3D:Access Manager Plug-in for Web Servers 20Dy?<;
v Z 16 3D:t/M#9 Access Manager Plug-in for Web Servers;
v Z 17 3D:HTTP ms{";
pdwebpi.conf dCD~ri
IT(}dC;Z pdwebpi.conf dCD~DN}(Fe~DYw#CD~;ZTB?
<:
UNIX:
/opt/pdwebpi/etc/
Windows:
C:\Program Files\Tivoli\PDWebPI\etc\
Bm+dCD~DZV`#
m 2. pdwebpi.conf Z**
n Z
GENERAL [module-mgr] [modules] [wpiconfig] [pdweb-plugins]
AUTHENTICATION [common-modules] [authentication-levels] [authentication-mechanisms] [BA] [failover] [forms] [ltpa] [tag-value] [token-card] [http-hdr] [iv-headers] [acctmgmt] [ecsso] [ecsso-domain-keys]
VIRTUAL HOSTS [virtual-host-name]
SESSIONS [sessions] [session-cookie]
LDAP [ldap]
PROXY [ipc] [proxy]
AUTHORIZATION API [aznapi-entitlement-services] [aznapi-admin-services] [aznapi-configuration]
WEB SERVER [ihs] [iis] [iis:minimum-post-data] [iplanet]
XZ pdwebpi.conf dCD~PDIdCN}Dhv,kNDZ 89 3D=< A,
:pdwebpi.conf N<;#
":NN1LT pdwebpi.conf D~xP|D1,<XkV$XBt/ Access Manager
Plug-in for Web Servers,Tc6pBD|D#XZt/M#9&CLrDE",k
ND:t/M#9 Access Manager Plug-in for Web Servers;#
pdwebpimgr.conf dCD~
e~D UNIX 20|,dCD~ pdwebpimgr.conf#KdCD~|,CZZZ(X$L
r@#1T/XBt/|DN}#
CD~;ZTB?<:
/opt/pdwebpi/etc/
;h*|DKD~PDN}#
Access Manager Plug-in for Web Servers 20Dy?<
Access Manager Plug-in for Web Server DLrD~20ZTBy?<P:
UNIX:
/opt/pdwebpi/
Windows:
C:\Program Files\Tivoli\PDWebPI\
ITZCe~D Windows 20ZddCK76#;\Z UNIX 20PdCK76#>
8O9C install_path d?zmKy?<#
Z UNIX 20P,TB%@?<|,I)9DD~,}gsFMU>D~:
/var/pdwebpi/
t/M#9 Access Manager Plug-in for Web Servers
*t/M#9e~xL,Z UNIX O9C pdwebpi_start |n,Z Windows O9C
0~qXFfe1#
UNIX:
pdwebpi_start {start|stop|restart|status}
}g,*#9e~,;sXBt/|,9C:
# pdwebpi_start restart
pdwebpi_start |n;ZTB?<P:
/opt/pdwebpi/sbin/
Windows:
j60~qXFfe1PDe~xL"9CJ1DXF4%#
HTTP ms{"
P1 Access Manager Plug-in for Web Servers "T*ks~q,"'\K#C'\I
\P\`-r#=Vn#{D'\-rG:
v D~;fZ
v mI(hC{9CJ
*ks~q'\1,e~+mszk5X= Web ~qw,C~qw9Xmszk"T
>`&Dms3f#
j'V
TBjICZ(F HTML ms3f#j+/,Xf;ICDJ1E"#
m 3. 'VDjf;
j hv
%USERNAME% G<C'D{F
%ERROR_CODE% kmsX*Dmszk}V
%ERROR_TEXT% kmsX*DmsD>
%URL% M'zksD URL
%HOSTNAME% +^(wz{
%HTTP_BASE% ~qwDy> HTTP URL:
http://host:tcpport/
%HTTPS_BASE% ~qwDy> HTTPS URL:
https://host:sslport/
%REFERER% 4TksDN<_7D5,r04*1(g{^)
%BACK_URL% 4TksDN<_7D5,r0/1(g{^)
%BACK_NAME% g{ksPfZN<_7,r5*0BACK1,g{^,r
*0HOME1#
dC Authorization Server
Authorization Server &mZ(MO$Ds?V&m#Authorization Server a)$wLr
_LX,CXCZ:
v S\4Te~Dks
v +?vksDa{"MXe~
e~(}9C2mZf5VD IPC zFk Authorization Server (E#pdwebpi.conf d
CD~PD [ipc] Z8(XZe~M Authorization Server .d(EDdCN}#
dC$wLr_L
dCD~D [ipc] ZPD number-of-workers M worker-size N}8(ITw{C
Za)e~ Authorization Server DnQT\D5#hCb)5D=(+!vZzDx
gODw?D}?M`M#
[ipc]
number-of-workers = 10
worker-size = 10000
cleanup-interval = 300
number-of-workers N}8(IIe~~qD"PxkDks}#1yP$wLr_L
&1=oDks+EZ:exP,1=$wLr_LIC#KN}r%X8(ICZ
~q1Z4^($wSPD_L}#CN}&1y]z$F Web ~qw,1S\Dn
sks}xvS#Z UNIX =(OvSC5I\h*;(D^F#
(#vS_L}+auYjIksy(QD=y1d#;x,vS_L}a0l+T
~qwT\zz;{0lDd|rX#
worker-size N}(e*?v$wLr_L$VdDZf?(TVZ*%;)#
cleanup-interval G Authorization Server 2mZf=N,xe}.dDVS}#
":FvvZTT\JbxPJOoO1E|D cleanup-interval M worker-size N
}#
hCnsa0P'Z
pdwebpi.conf dCD~D [ipc] ZD max-session-lifetime N}hCe~H}4T
Authorization Server Dl&(Z,10)DVS}#g{"zK`,1,rms3f+
"M=M'z#+Ya"zK`,1#
[ipc]
max-session-lifetime = 300
dCms3f
;Z pdwebpi.conf dCD~D [proxy] ZPDN}CZzmvm18(*T>D
HTML 3f#[proxy] ZPDN}hCG:error-page"acct-locked-page M
retry-limit-reached-page#fZb)N}D1!D~,ITT|GxP`-,r8(
BD~TJ&zDi/D*s#Bm\aKb)N}#
m 4. [proxy] ms3fdCN}#
N} hv
error-page vVbb~qwms1,ZC'/@wOT>D3fD
76#
acct-locked-page C'"TCJx(DJ'1,yT>3fD76#
retry-limit-reached-page o=JmDns'\G<"T}1,yT>3fD7
6#Z LDAP PhCKJmDnsG<'\N} * X
ZhCK5Dj8E",kN<Z 61 3D:}N%w
G<_T;#
1!ivB,y> HTML 3f;ZTB?< install_directory/nls/html/lang#
dP lang S NLS dCPq!#Z US "o20P,KN}hC* C#
dCibwz~qw
I pdwebpi.conf dCD~PD [pdweb-plugins] ZPhCDNb{F4T Access
Manager Plug-in for Web Servers j6ibwz#
e~ITy]ksD=vXw4&C@XD2+T_T:
v ksTd07DibwzDj6
v ks(}d=oD-i(http r https)
ibwzj6Swz Web ~qwDdCE"Iz,"RX(Z Web ~qw#|4T
Bu~7(:
IHS ibwzj64TBEH3rIz:
1. SZ6Z <VirtualHost....> iPD~qw{Fq!|;2MG <VirtualHost servername:port>
2. g{~qw{F4gOfZ,rS <VirtualHost....> iPD ServerName 1
8nq!ibwzj6;2MG Servername servername
3. g{~qw{FT;fZ,rS <VirtualHost....> ibD+V ServerName 1
8nq!ibwzj6;2MG ServerName servername
4. g{T;;P~qw{FfZ,rS fully_qualified_domain_name(gethostname())
q!ibwzj6
g{ibwzl}DKZ((#Z6Z <VirtualHost servername:port> P);G 80
r 443,rCKZE+=S=ibwzj6P(4,g{KZ* 8080,ribwz
j6+* servername:8080)
IIS Cj6k Internet Information Services \me~PT>D Web >c{Fj+{O#
}g,dC IIS 14(D1! Web >c|{*0Default Web Site1,rbMG
Access Manager Plug-in for Web Servers 9CDj6#
iPlanet Cj6kZ iPlanet dC GUI P4(ibwz18(Dibwz{Fj+{O#K
{C{Ff"Z server.xml D~D <VS id= > *XP#
Access Manager Plug-in for Web Servers TibwzDN=(e2+T_T#AccessManager Plug-in for Web Servers ibwzIOv(eDibwzj6M|&1#$
D-i/(http M/r https)4j6#ibwz(eO$#=/MEH3r"a0j
6#=MsZ(&m,C&m&1&CZ(}%dD-i"M= Web ~qwibw
zDks#ibwz9(e= Access Manager \#$TsUd{FD URI 3d#
Access Manager Plug-in for Web Servers ibwz(eZdCD~D [pdweb-plugins]ZP#IT+|G(e*\#$r;\#$#+;PNN2+T_TIT&CZ;\
#$Dibwz#g{SU=DkskNNQ(eD\#$r;\#$ibwz<;
%d,rZ Authorization Server DU>D~PzI;u/f{",8vibwzj6
MksD-i#by+c{TdCJbDoO#
\#$ibwzI [pdweb-plugins] ZD virtual-host N}(e#;\#$Dibw
zI [pdweb-plugins] ZD unprotected-virtual-host N}(e#9CDibwz{
F(#kKibwz%dDibwzj6`T&,+";;(<UGbViv#(e
Z [pdweb-plugins] ZPDibwz{FCZ(eX(ZibwzD2+T_T#
XbibwzD2+T_TIxPCibwz{FDZP8(DdCtT(e#IT
(eZibwzZPDyPtT<_PJ1D1!5,yT;X*?vibwzhC
;Z#g{ibwzD2+T_Tk1!5;,,rvh**CibwzhC;Z#
ibwzD=VtTCZkxk=ibwzDks%d,Cibwz(eJCZks
D2+T_T#b)tTGj6M-i#
j6tT(eCibwz+%dDibwzj6#j6tTD1!5Gibwz{F
>m#
-itT(eibwz+%dD-i/#K5I\* http"https r both#1!5G
both#
ibwzDd`tT(eJCZkCibwz%dDksD2+T_T#
ibwzk\#$TsUdDXbSV'X*"ksD URI TCSV'*0:,T9
l\#$TsUd{F#K\#$TsUd{FCZwvZ(v_#branch dCN}
(eK\#$TsUdD{F#
[virtual_host_name]
branch = /PDWebPI/virtual_host_id
branch N}D1!5* id N}D5#
TB>}T>K_PDvibwzD Web ~qwyhDdCN},bDvibwz|
(:foo.com"bar.com-HTTP"bar.com-HTTPS M moo.com#ibwz bar.com-HTTP M
bar.com-HTTPS Z2m,;V'15JG`,Dibwz;;x4UCJ`M(HTTP r
HTTPS)|GVG;,D#ZKivB,ITy]CJ`M;,XhCO$dC#e
~;#$ moo.com,R foo.com G,;~qwODm;vibwz#
[pdweb-plugins]
virtual-host = foo.com
virtual-host = bar.com-HTTPS
virtual-host = bar.com-HTTP
unprotected-virtual-host = moo.com
web-server = iplanet
[bar.com-HTTPS]
id = bar.com
protocols = https
branch = /PDWebPI/bar.com
[bar.com-HTTP]
id = bar.com
protocols = http
branch = /PDWebPI/bar.com
[foo.com]
id = foo.com
protocols = http, https
branch = /PDWebPI/foo.com
**?v%@ibwzhCO$N},h*Z?vibwzDy!OxPx;=Dd
C#XZ*ibwzdCO$=(Dj8E",kN<Z 53 3D:hCibwzDO
$N};#
X(Z Web ~qwDdC
e~D3)YwGX(Z Web ~qwD,Ry]e~}ZYwD Web ~qw`M+
h*XbDdC#9C pdwebpi.conf dCD~ [pdweb-plugins] ;ZPD web-serverN}(e Web ~qw`M#P'5G ihs"iplanet r iis#}g:
[pdweb-plugins]
web-server = ihs
X(Z Web ~qwDdCnfZZ pdwebpi.conf dCD~D [iis]"
[iis:minimum-post-data]"[ihs] M [iplanet] ZP#
Bm5wKX( Web ~qw`MDIdCN}#
m 5. X(Z Web ~qwDdCN}
X(Z Web ~qw
N} hv
[ihs]
query-contents 8(CZ9C0pdadmin> object list1|n/@
IBM HTTP Server Web UdDi/Z]Lr#
(}Z{* [ihs:branch],2MG
[ihs:/PDWebPI/foo.bar.com] ZP*d8(5,I
TZ?vV'Dy!O2GKN}#
doc-root 8(a)4P0pdadmin> object list1|nyh
D Web Ud/@&\DD5y?<#KN}Z
hCibwz1IdC5CLrhC ** Z
[ihs:branch] Z,2MG
[ihs:/PDWebPI/foo.bar.com] PZ?v_TV'D
y!O8(CN}
[iis]
query contents 8(CZ pdadmin /@ IIS Web UdDi/Z
]Lr#(}Z{* [iis:branch],2MG
[iis:/PDWebPI/foo.com] ZP*d8(5,ITZ
?vV'Dy!O2GKN}#
post-data-required (e Authorization Server &myhDQa;
POST }]Dm%Pm#}gG<m%#;ak
T?vibwz2Gb)N}#
log-file *4T IIS e~DmsMzY{"(eU>D
~,*K7#D~D;BT,b)U>D~k
Authorization Server DU>D~%@#\#g{
8(*`T76,rK;C`TZ20?<D
log S?<#g{8(*xT76,r9CxT
76#
[iis:minimum-post-data]
form_uri =minimum_bytes_of_post_data_required
(eZh*s? POST }]DivB,X(m
%D POST }]?#}g:
/token.form = 20000
8>&m /token.form Da;1,Authorization
Server AYh* 20000 VZ DPOST }]#;
\kT?vibwz8(b)5#
[iplanet]
query contents 8(CZ pdadmin /@ iPlanet Web UdDi
/Z]Lr#(}Z{* [iplanet:branch],2M
G [iplanet:/PDWebPI/foo.com] ZP*d8(
5,ITZ?vV'Dy!O2GKN}#
doc-root 8(a)4P0pdadmin> object list1|nyh
D Web Ud/@&\DD5y?<#KN}Z
hCibwz1IdC5CLrhC * Z
[iplanet:branch] Z,2MG
[iplanet:/PDWebPI/foo.bar.com]
PZ?v_TV'Dy!O8(CN}
ZBfD>}P,ibwz foo.com M bar.com <ZdCD~P_P`&DZ *
[iplanet:/PDWebPI/foo.com]
M
[iplanet:/PDWebPI/bar.com]
dP(eKX(dCN}#
[pdweb-plugins]
virtual-host = foo.com
virtual-host = bar.com
web-server = iplanet
[iplanet]
query-contents = /opt/pdweb/bin/wpi_iplanet_ls
[iplanet:/PDWebPI/foo.com]
doc-root = /usr/local/foo.com/doc/root
[iplanet:/PDWebPI/bar.com]
doc-root = /usr/local/bar.com/doc/root
dCe~sF"G<U>"zYM_Y:f}]b
G<U>MsF&\IT*za);)E",b)E"PzZzZv=PXe~DJ
b16pG)Jb#g{v='Q"h*ms{"D51S<,rZ0(9C
-foreground !nt/e~;4,
pdwebpi -foreground
4,Mms{"G<Z pdwebpi.conf dCD~D[pdweb-plugins] ZPD log-file"
logs M log-entries N}PdCDD~P#
e~sFMy>_Y:f}]bdC9C pdwebpi.conf dCD~PD
[aznapi-configuration] ZPDN}4P#
KbsFG<
Z( API Dy>~qJm6qO$(authn)MZ((azn)sFB~#
;xj<0authn1sFB~;b0XZO$"TDc;E",e~}Z#$`vwz
1,b0b)E"CZJm+b)B~kX(ibwz`X#IZK-r,e~5V
|T:DsFB~`pT6qX(ZibwzDO$E"#
j<0azn1sFB~y]9C /PDWebPI/virtual_host_name 0:9lD\#$Ts{F
6qke~`XDibwzE"#
e~X(O$sFB~G<ZgB9lDibwzX(sFB~XP:
wpi.virtual_host_name.authn.authentication_module_name
e~X(O$sFB~q-6IBM Tivoli Access Manager Base \m18O7PhvD
DTD (e#
ZBmPhvK XML y=D0wpi1sFG<D*X:
m 6. O$sFG<VN(e#
XML jG hv
<event> sFG<Db0jG#C*X|,hvG<D doc `M(e^
)DtT#
<date> B~"zDUZM1dDG<#
<outcome> |, status N}DjG*X,CN}j6 Access Manager r
e~Dmszk#C*XhvB~DwVa{#I\D5|
(:
v 0 = I&
v 1 = '\
v 2 = ]R
v 3 = 4*
<originator> sFG<DzI_ZD7jG#jG*X|, blade N},C
N}j6:pCB~D Access Manager 6,#
<component> CjGj66qsFG<Di~#Ci~TBPq=G<:
wpi. virtual_host_name.type_of_event.module_name
<action> j6"TDO$=(#Ywzk0d`&DO$zF|(:
16961 * BA
17236 * M'zK$i
17731 * Ecsso
17999 * JO*F cookie
17997 * m%
18504 * HTTP 7
18768 * IP X7
4806211 * IV 7:PAC >$
4806229 * IV 7:C'{
4806220 * IV 7:(P{F
300609 * IV 7:IP X7
21579 * nF
<location> (eYwB~D~qw{F#
<accessor> sFG<DCJ_ZD7jG#jG*XIT|,CJ_D{
F#
<principal> |,N} auth wejG,CN}j6O$?<~q#CjG(
eQi$DC'{#
<target> ?jjG|,N} resource,CN}ITGTB5.;:
v 0 = Z(
v 1 = xL
v 2 = TCB
v 3 = >$
v 4 = #f
<object> #tTZO$}L;_PbeDsF}]#
<data> =SO$JOE"#}g,9C HTTP 7E"DO$"TZdD
JO+ZKVNPzzsFU>G<,G<'\D HTTP 7#
sFdC
BmT>KsFdCN}"5wd&\#
m 7. sFdCN}(e
N} hv
logsize U>D~}I*BD~Ds!(TVZ*%;)#g{hC*
0,r;}IU>D~#g{C5*:},r;\ds!x?l
}IU>#
logflush "BU>D1ddt(k)#n`* 6 !1,1!5* 20 k#
logaudit tCr{CsF#
auditlog 8(sFD~D{F#
auditcfg tCr{CZ(M/rO$sF#
}g:
[aznapi-configuration]
logsize = 2000000
logflush = 20
logaudit = no
auditlog = audit.log
auditcfg = azn
#auditcfg = authn
auditcfg = wpi
zYe~Yw
Access Manager Plug-in for Web Servers a)zYYwT0+a{f"ZD~PTcC
ZwTD\&#zYw*GI&CLr'V9CDVvMJboO$_,CZq!<
BJbDYwDj{S<#w*C',zI\"V3)e~zY$_\PC,d;d
PDs?V;aP24wC,}Gz*oO4SDJb#
pdadmin zY|n
PvzYi~
list |nzzITzYDyPe~YwDPm#
o(:
pdadmin> server task PDWebPI-server-name trace list [component]
PvDs?VzYNqGX(Z Access Manager D#e~X(zYnT
pdwebpi *0:#
hCzYi~
za"VP=vw*DzYnICZwT:
v pdwebpi.request
v pdwebpi.plugin
pdwebpi.request hC* 1,rzY(}e~D?vks#pdwebpi.plugin $ne~~qwPDzY#yP{"<"M= Web ~qwDU>D~rZ9C
IIS DivB,"M=;,Z Authorization Server 9CDU>#
zY set |nDo(gB:
pdadmin> server task PDWebPI-server-name trace set component level [file path=file|other-log-agent-config]
dP component G list |nPvDzYi~D{F#*Ci~{FhCzY#
level G*zYU/Dj8E"?#6'G 1 = 9#1 8(nj8Ddv,x9
8(nrTDdv#I!D file path N}8(zYdvD;C#1!ivB,
+zYdv"M=j<dCDe~U>D~(}9Ci~ pdwebpi.plugin T
b)#IT9C -foreground !n+dv"M=A;#4*:
pdwebpi -foreground
T>zYi~
*T>zYi~,TBPq=9C show |n:
pdadmin> server task PDWebPI-server-name trace show [component]
_Y:f}]bhC
ITdCe~(ZV/wZ(}]bT|BE"#cache-refresh-interval N}ITh
C*0default1"0disable1rTk*%;DX(1ddt#0default1hCG{C#
[aznapi-configuration]
cache-refresh-interval = 60
db-file N}(e= ACL _Y:f}]bD+76#1!ivB#t*;hC#
[aznapi-configuration]
db-file = /var/pdwebpi/db/pdwebpi.db
listen-flags N}tCr{C_T_Y:f|B(*DSU#0disable15{C(*l}
w#KN}I svrsslcfg 5CLrhC#
[aznapi-configuration]
listen-flags = disable
dCZ( API ~q
pdwebpi.conf dCD~D [aznapi-entitlement-services] Z+~qj68(x~q#
?vZu?(e;,`MD aznAPI ~q#XZ|`E",kN< IBM Tivoli Access
Manager Administration C API Developer’s Reference#
?vu?Dq=*
service_id = path_to_dll [ & params ... ]
aznAPI M'z9C~qj64j6~q#1~qI aznAPI u</1,IT8(+]=
~qDN}#Zu?P,N}Z0&1{Es#
pdwebpi.conf dCD~D [aznapi-admin-services] Z+~qj68(x\m~q#X
Z|`E",kN< IBM Tivoli Access Manager Administration C API Developer’s
Reference#
Z 4 B IBM Tivoli Access Manager Plug-in for WebServers O$
>BV[ IBM Tivoli Access Manager(Access Manager)Plug-in for Web Servers g
N,$a04,"&mO$}LT04PZ(Da0yhDNNsZ(&m#
wbw}:
v :KbO$}L;
v Z 34 3D:\ma04,;
v Z 39 3D:\mO$N};
v Z 53 3D:hCibwzDO$N};
v Z 54 3D:'V`74C/PzmLr(MPA);
KbO$}L
O$Gj6"TG<=2+rD%@xLr5eD=(#I&O$+zzzmC'D
Access Manager m]#e~9CKm]q!CC'D>$#Authorization Server 9C>
$Jmr\xT\#$J4DCJ#
v 1!ivB Access Manager Plug-in for Web Servers 'V8VO$=(,"IT(
F*9Cd|=(#
v Te~DI&O$+zz Access Manager C'"amm]#
v e~9CKm]q!CC'D>$#
v Z@@'d?vTsD_TD ACL mI(M POP u~s,Authorization Server 9
CK>$Jmr\xT\#$TsDCJ#
":ACL = CJXFm_T
POP = \#$Ts_T
O$Zd,e~+liM'zksq!TBE":
v ibwzE"
ibwzE"|,ZxkksD7P#e~9CKE"j607Dibwz"+k
sk Access Manager _TE"%d#
v a0}]
a0}]Gj6M'zMe~.dDX(,SDE"#SksDtT7(a0}
]#C}]CZXBj6=e~DM'za0,"\b*?vks("Ba0D*
z#
v O$}]
O$}]G4TM'zDE",|CZre~j6M'z#O$}]`M|,M'
zK$i"\kMnFzk#
v sZ(}]
3)xkksI\CZ URL,b) URI h*;,Z}#ivD&m#sZ(&mC
Z&mh*XbO$=(Dks#byM##h*X(rAXbxL,CxLhF
CZO$K`ks#
BfDwL<T>*&mkswvDv_#
TZ?v=o Web ~qwDks,e~7(ksTZDibwzT0Gq+Cibw
zdC*#$#
=4dC*#$DibwzDks;Jm-},x;h*x;=D&m#TZ=dC
*#$DibwzDks,e~7(xPksDC'Dm]#g{I\,9CksP
D}]4PTC'Dj6,CksI\GQ-*d8(>$DVPa0D;?V#Z
KivB,IT9CVP>$4PZ(#g{;fZ>$,r9C4O$D>$Z(
ks#
g{ksQ;Z(,rzm7(Gqh*Tksrl&xP^D#K&mIsZ(#
i4P,C#iIT4PmS7r cookie =ks,rX(rC'=J1D3fHNq#
g{49C10>$Z(ks,rzm"T9CksPDO$E"(}g BA 7)9(
B>$#g{I&,rKO$E"ICZXB"TZ(#g{^O$E",rzm"
T*e~9(O$DaJl&#g{;I\rC'"MO$aJ,r5X{9CJ3
f#
dCO$
xPdX*2mb{FDyPICO$=(<(eZ pdwebpi.conf dCD~D
[modules] ZP#[modules] Z9PvKCZa0j6MsZ(&mD#i#b)#i
Zsfhv#2mbXkfZZ pdwebpi/lib ?<P#8(2mb{F1;xPNNX
(ZYw53D0:(}g lib)MNNX(ZYw53Ds:(}g dll)#}g:
BA = pdwpi-ba-module
ZOv>}P,BA #ibxv* pdwpi-ba-module#Z Windows O,e~0R{*
pdwpi-ba-module.dll DD~,Z Solaris Operating Environment O,|+0R{*
libpdwpi-ba-module.so DD~,Z AIX O,|0R{* libpdwpi-ba-module.a D
D~#
":bD~D8C1!Qw76IT(eZ [module-mgr] ZP#
[modules] ZP(eD?vj)_P|T:D`&Z,}g:[BA],[cert] M [token]#Zb)ZP8(?vO$=(DX(dCE","&CZCO$=(,K=(@"Z
wCdDibwz#g{h*Z?vibwzDy!OxPXbdC,rIT9C{
Cibwzj)^(#ij)DZ2G1!dC#}g:
[BA]
basic-auth-realm = "Access Manager"
[BA:foo.com]
basic-auth-realm = "foo.com"
ZOv>}P,9Cy>O$CJibwz foo.com DC'+~SZ [BA:foo.com] P
8(DdCN}#
dCO$=(Dns=hG8(O$=(#b)=(4U|GDEH3rZdCD~
D [common-modules] ZPhC#}g:
[common-modules]
session = ssl-id
session = BA
session = session-cookie
authentication = cert
authentication = BA
post-authzn = ltpa
ZOv>}P,dChC7#:
v W! SSL a0j6CZ,$a0E"#
v SSL a0j6;IC1,BA 7(g{IC)CZ,$a0E"#
v SSL a0j6r BA 7<;IC1,ns9Ca0 cookie ,$a0E"#
v W!$iCwO$=(#
v $i;IC1,9C BA O$#
v LTPA cookies w*sZ(&mD;?VmS=ks#
dCO$=(D3r
QdCDO$=(T>ZdCD~PD3rTZe~m~D}7YwG\X*D#h
*P8<G"T_PJO#$NR\5V2+T?jD==5Vz!qDO$=(`
M#
Access Manager Plug-in for Web Servers 'V`VO$=(,"IT^Db)=(TJ
&;,2+Th*D;,M'*s#
g>D5D0;Zy>,zITZ pdwebpi.conf dCD~D [modules] ZP8(*
9CDO$=(#dCD~D [authentication-levels] Z(e=xO$6p(kN<Z
64 3D:O$?H\#$Ts_T(]});),Z [modules] ZPdCO$=(D
3r#
g{4Z [authentication-levels] ZP(eu?,rO$=(D1!5*6p 1#;s
+ [authentication-levels] ZP(eDO$=(DO$3r7(*Sn_O$6p=n
MO$6p#g{O$6pI8v#i2m,r4U [modules] ZPT>D#i3r
7(S3r#
*Kbe~O$,kse~aT|&mD?vks/J=vJbaPzZzDmb:
1. RIT9CQdCDO$=(O$Kksp?
g{KJbDXpGq,re~+/JB;vJb#
2. RIT9CQdCDO$=(zIO$ksp?
}g,g{ BA GvPDQdCO$=(#4*:
[modules]
authentication = BA
TZxkDks,g{ ACL ;Jm4Z(C',rC'O$GXhD#e~+ BA 4
wvPDQdCO$=(,+/J:0RIT9Cy>O$O$Kksp?1g{k
sGBD,rXpGq * e~;*@KC'#;se~+/J:0RIT9Cy>O
$zIO$ksp?1g{Q}7dCy>O$,rXp*G#e~+a>C'dk
j6M\k#
bG9Cy>O$Dr%O$>}#y]zDTsUdD2+T*s,zI\kdC
`vO$=(#
TBG_-D|j8>},Access Manager Plug-in for Web Servers 9C|xvXbO
$=(DEH6#
TBNdPV[DO$_-Yh4O$C';JmCJJ4,"RQ-Z pdwebpi.conf
dCD~PxPTBdC#
[modules]
authentication = BA
authentication = failover
authentication = forms
post-authzn = failover
[authentication-levels]
1 = BA
2 = failover
OvdC8(}VO$=(:BA"JO*F cookie Mm%,JO*F cookie CZs
Z(&m#Z [authentication-levels] ZPhCD6p7(TZO$kswCO$=(
D3r#g{4Z [authentication-levels] ZP(e6p,rm%O$D1!5*6p
1#
9COvdC,e~ZSUks1iRks7PDJO*F cookie#e~+/J:0R
IT9CJO*F cookie O$Kksp?1g{H04O$ks,rXpGq,r*e
~H0;P*ks9lJO*F cookie#;se~+/JZ~vJb:0RIT9CJ
O*F cookie zIO$ksp?1Xpq,r*JO*F cookie #i^(*O$zI
ks#
e~+F/= [authentication-levels] ZPDB;vQdCO$=(,ZC>}P*
BA#e~+/J:0RIT9C BA 7O$Kksp?1g{H04O$ks,rX
pq#;se~+/J:0RIT9C BA zIO$ksp?1Xp\I\*G,ra
>C'dk|GDC'j6M\k#I&DO$+zzZ(Da0,RJO*F cookie
+ekks7"Cw,;a0ZdDsLksDZ;vO$=(#
g{ BA #i^(zIO$C'D=(,re~Z1!ivB+dCD~D [modules]ZPPvD=(Er#ZOvdC>}P,e~+8(O$=(DEH6,rx:
level 1 = BA, forms
level 2 = failover cookie
g{JO*F cookie M BA 4\a)C'O$D=(,re~+9Cm%O$#
BfDwL<T>CZ!qO$#iDe~_-#
e~TdC3rwC?vO$#i,1=#i.;5X Access Manager C'j6#;
sIT9CC'j64(C'D>$#g{;PNNQdCO$#i\;a)-i$
D Access Manager C'j6,rO$aJ+"M=C'Ta>{Ga)O$E"#
g{h*O$aJ,rwC4TQdCPmDZ;vJODO$#iTzIzzaJ
yhD|n("M=e~)#;GyPDO$#i<ITzIaJ#}g,TZks
HTTP 7,^aJ * b)7fZr;fZZksP#mb,O$#iI\;IC,r
< 3. 7(O$#iDe~wL#
*|Q-CZj6+ks*"=e~D/PzmLr#IT*C'zIaJDn#C
O$zFGy>O$(BA aJ+"M=C')MyZm%DO$(G<m%+"M=
C')#g{^O$=(IC,r^(O$C',Re~5X{9CJ3f#
BfDwL<T>!qO$=(T+aJ"MxC'D}L#
+4UdC3rli?vQdCDO$=(,1=R=zcyhDO$6pD;v=
(#g{R=zcO$u~D#i,rwC|T9("M=C'DaJ#g{;P;
vQdCO$=(JO,r;I\xPO$#e~+5X0{9CJ13fAC',
r*{G;_PCJksDJ4DmI(,R;I\r{G"MaJTc4yhD6
pxPO$#
dCsZ(&m
Z(kss,+wCQdCDsZ(#i#sZ(#i7(Z+ks+]Xe~Tc
Web ~qw&m0Gqh*4PNNd|Yw#+wCyPQdCDsZ(#iT7(
Gqh*Tks4PYw#
sZ(#iw*P}V`M:
v ^D SSO Dks * b)sZ(#i+mS Web &CLrCZj6C'DE"
(cookie r7),x;h*Z~NO$#
< 4. O$aJ}L_-
v ^Dl& * b)sZ(#i;^Dks,+8(*^DDl& * (#(}rdm
S7r cookie#}g,JO*F#i+JO*F cookie mS=l&#
v Xb&\ * b)sZ(#i+ksD URI 6p*3;Xb&\D%"w#b(#
b6ECksIe~&m#}g,eCSSO0$51ks#
dCibwzDO$
IT(}1SZ?vibwzZP8(=(,Z?vibwzDy!O5VO$=(
DdC#}g:
[pdweb-plugins]
virtual-host = foo.com
[foo.com]
....
session = ssl-id
session = BA
session = session-cookie
authentication = cert
authentication = BA
post-authzn = ltpa
8(ibwzDO$=(D8C==G*O$=(dC(e;Z#by+Jm`vi
bwz2m;v#idC##idCZIibwzZPD modules N}8(#}g:
[pdweb-plugins]
virtual-host = foo.com
virtual-host = bar.com
[foo.com]
modules = foo-bar-module-stanza
[bar.com]
modules = foo-bar-module-stanza
[foo-bar-module-stanza]
authentication = ba
session = ba
post-authzn = ltpa
4ZdCD~P(e?vibwzy!ODO$=(dCD%@Z1,yPibwz
+9C [common-modules] ZPdCDN}#
\ma04,
e~9Ca04,E"j6xkksD4#1M'z4P;va0PDs?ks1,
e~9Cks4Dm],$M'zM~qw.dDa04,#g{M'zM~qw.
d;fZQ("a04,,rXk*?vsLksXB-LM'zM~qw.dD(
E#(}{}X4O$Dh*,a04,E"IDFT\#M'zITZ;NG<
s,"vs?ks,x;X*?vks4P%@DG<#
Access Manager Plug-in for Web Servers I&m HTTP M HTTPS (E#e~hFC
Z9CTBNNE"`M4,$kM'zDa0D4,#
1. SSL a0j6
2. y>O$
3. X(Z~qwDa0 cookie
4. HTTP 7}]
5. IP X7
e~@NwC?vQdCDa0#i#e~LxQwQdCDa0#i`M,1=P
;V`M5X>$#;se~+7(&CLrGq*N<`74C/PzmLr#g
{G%vD/PzmLr,r5JnUC'XkfZm;va0#*R=m;va
0,e~LxwCd`DQdCa0#i#"VQ-"zDC'O$DVPa01,
+5XC'>$#K>$CZZ(ks#g{^QdCa0#i5XC'>$,rC
a0GBD,r_G4(">$Da0#
dCe~a0/>$_Y:f
e~a0_Y:fJm~qwf"4T`vM'zDa0j6E"#a0_Y:f\
#f HTTPS M HTTP a04,E"#
e~_Y:ff"a0j6E"M*?vM'zq!D>$E"#_Y:f>$E"
IT{}Z(liZdTC'"am}]bDX4i/#e~_Y:f9,$e~M
LDAP C'"am.dD SSL ,SDa04,E"#
P8vdCN}ICZe~_Y:f,b)N}Jmzw{_Y:fDT\#
":pdwebpi.conf dCD~D [sessions] ZPdCD5I\Z [module_name] ZP
;2G,3)59I\Z [ module_name:virtual_host_name] ZP;x;=2G(Z
?vibwzDy!O)#
hCns"Pu?5
max-entries N}(;Z pdwebpi.conf dCD~D [sessions] ZP)hCe~Da
0/>$_Y:fPDns"Pu?}#
< 5. 7(a0#iDe~wL#
K5k"PG<a0}`T&#_Y:fs!o=K51,+y]n|9CDc(S
_Y:f}%u?TJmBxkDG<#
1!"PG<a0}G 4096:
[sessions]
max-entries = 4096
hC_Y:fu?,15
timeout N}(;Z pdwebpi.conf dCD~D [sessions] ZP)hCe~Da0/
>$_Y:fPu?DnsP'Z,1#
e~ZZ?_Y:f>$E",a0_Y:f,1N}8>Z(>$E"#tZZf
PD1d$H#
CN};G;n/,1#C53d=0>$P'Z1,x;G0>$,11#d?DG
Zo=8(,1^F1(}?FC'XBO$4v?2+T#
1!G<a0,1(Tk*%;)G 7200:
[sessions]
timeout = 7200
IT+a0_Y:fP'ZdC*^[N1"zXBO$1<xP4;#?N"zX
BO$1,a0_Y:f timeout 5+4;#*dCa0_Y:fP'Z4;,9C
pdwebpi.conf dCD~D [sessions] ZPD reauth-lifetime-reset N}:
[sessions]
reauth-lifetime-reset = yes
1!5G0no1#
C'}Z4PXBO$1,a0_Y:fP'Z5I\a=Z#ZXBO$G<m%
"M=C'.s,RZ5XjIDG<m%0,a0_Y:fP'Za=Z#a0_
Y:fP'Z5=Z1,+>}a0_Y:fu?#G<m%5X=e~s,;YP
CZCC'Da0#mb,yPQ_Y:fDC'ks}]+*'#g{XBO$Z
da0_Y:fP'Z=Z,IT*a0_Y:fP'ZdC1d)9,r0mS1
d1#
pdwebpi.conf dCD~D [sessions] ZPD reauth-grace-period N}a)K1d
)9,Tk*%;#}g:
[reauthentication]
reauth-grace-period = 20
1!5001;*a0_Y:f,15a))9#reauth-grace-period N}JCZ_P
VPa0_Y:fu?Rh*XBO$DC'#}g:
v IZ POP 2+T_Tx4PXBO$DC'
v IZa0_Y:f;n/x4PXBO$DC'
v 4P=xO$DC'
reauth-grace-period !nCZk reauth-lifetime-reset = yes !naO9C#
hC_Y:fu?;n/,15
inactive-timeout N}(;Z pdwebpi.conf dCD~D [sessions] ZP)hCG<
a0;n/D,15#
1!G<a0;n/,1(Tk*%;)G 3600:
[sessions]
inactive-timeout = 3600
*{CK,1&\,+N}5hC*001#
9C SSL a0j6,$a04,
Access Manager Plug-in for Web Servers IT9CxkD HTTPS ksD SSL a0j
6zYa0#K$_;ICZ IIS,r* IIS 9 SSL a0j6;ICZe~#
":SSL a0j6;CZO$ks#
pdwebpi.conf dCD~PD [common-modules] Z9C module_type = module-name
q=(eKTyPa0"O$MsZ(=(D9C#*9C SSL a0j6,$a04
,,+%J ssl-id 8(x session N},gBy>:
[common-modules]
session = ssl-id
7#QZ pdwebpi.conf dCD~D [modules] ZP* ssl-id dCK2mb#4*:
[modules]
ssl-id = pdwpi-sslsessid-module
9Cy>O$,$a04,
y>O$(BA)G(}C'{M\kDdkO$C'M,$a04,D=(#BA I
HTTP -i(e,RIT(} HTTP M HTTPS 5V#
y>O$(}+y>O$7DZ]G<xP_Y:f4,$a04,#
*9Cy>O$dCe~T,$a04,,9C pdwebpi.conf dCD~PD
[common-modules] Z#dkX|V session T05 BA,gBy>:
[common-modules]
session = BA
g{ BA CZ,$a04,,r9h*+dCZC'O$#dCD~D [common-modules] Z2&1*O$hC BA#
[common-modules]
session = BA
authentication = BA
pdwebpi.conf D~PD [BA] Z(ey>O$r#CrGT>Z/@wa>C'dkG
<}]1T>DT0rPDD>#
[BA]
basic-auth-realm = realm_name
9Ca0 Cookies ,$a04,
9Ca0 cookie #ta0E"G,$a04,;V=(,d;vZ;Pd|zFIC1
E9CC=(#~qw+XbM'zD4,E"r|= cookie P"+d"M=M'zD
/@w#TZ?vBDks,/@w(}+ cookie(xPa0E")"MX~qwXB
j6d>m#
ZM'z9C/@wZ\LD1dsXB-Ld SSL a0DivB,a0 cookie a)
I\Dbv=8#}g,3)f>D Microsoft Internet Explorer /@w?t=r}VS
MXB-L SSL a0#
a0 cookie vT%v"(;D~qwa)M'zDXBO$,M'zH0QZL1dZ
(s< 10 VS)rC~qwxPO$#CzFyZ0~qw cookie1,C cookie }
I+]=zI cookie Dzw^(+]=NNzw#
mb,a0 cookie v#$;vfz}j6,Cj6CZw}~qwa0_Y:fPD
cookie#;Pd|E")6Za0 cookie P#a0 cookie ;a962+T_T#
Access Manager Plug-in for Web Servers 9C2+DX(Z~qwDa0 cookie#T
Bu~JCZK cookie zF:
v Cookie v|,a0E";|;|,m]E"#
v Cookie v$t=/@wZfP(|;4kELOD/@w cookie jar)#
v Cookie _PP^DP'Z(IdC)#
v Cookie _P76Mh9d|~qw9CC cookie DrN}#
*dCe~9Ca0 cookie ,$a04,,9C pdwebpi.conf dCD~PD
[common-modules] Z#dkX|V session T05 session-cookie,gBy>:
[common-modules]
session = session-cookie
resend-pdwebpi-cookies N}(;Z pdwebpi.conf dCD~D [sessions] ZP)
tCr{CZ?Nl&1+a0 cookie "M=/@w#KYwoz7#a0 cookie #
tZ/@wZfP#resend-pdwebpi-cookies N}D1!hC*0no1#
[sessions]
resend-pdwebpi-cookies = no
+1!hC|D*0yes1,Z?Nl&1"Me~a0 cookie#
9C HTTP 7,$a04,
Access Manager Plug-in for Web Servers ITdC*9C HTTP 7E"j6a0M,
$a04,#
*8(`v HTTP 7,XkdC HTTP 7#iD`v5}#}g:
[modules]
entrust-client-header = pdwpi-httphdr-module
some-other-header = pdwpi-httphdr-module
[entrust-client-header]
header = entrust-client
[some-other-header]
header = some-other
e~IT9C HTTP 7CZzYa0T0O$C'#g{+e~dC*9C HTTP 7
zYa0,r9Xk+ddC*9C HTTP 7O$C'#;x,+e~dC*9C
HTTP 7O$xkDks;h*+e~dC*zYa0#XZdCe~9C HTTP 7C
ZM'zO$Dj8E",kN<Z 50 3D:dC HTTP 7O$;#
9C HTTP 7,$a04,1,pdwebpi.conf dCD~D [common-modules] Z+
xPTBu?:
[common-modules]
authentication = http-hdr
session = http-hdr
9C IP X7,$a04,
Access Manager Plug-in for Web Servers IT9C IP X7j6MzYa0#
*dCe~9C IP X7zYa0,9C pdwebpi.conf PD [common-modules] Z#
dkX|V session T05 ip-addr#4:
[common-modules]
session = ip-addr
7#QZ pdwebpi.conf dCD~D [modules] ZP* IP X7O$dCK2mb#
4*:
[modules]
ip-addr = pdwpi-ipaddr-module
g{ IP X7CZ,$a04,,r9Xk+dCZO$xkDks#XZdC Access
Manager Plug-in for Web Servers 9C IP X7w*M'zO$=(Dj8E",kN
DZ 52 3D:dC IP X7O$;#;x9C IP X7CZO$M'z;h*+b)X
7Cwj6a0D=(#
\mO$N}
O$dCEv
Access Manager Plug-in for Web Servers 'VDyPO$=(DzFZ pdwebpi.conf
dCD~D [authentication-mechanisms] ZPdC#\'VDO$=(N}|(:
v >X(ZC)O$Lr
>XO$LrDN}8(J1DZC2mb(UNIX)r DLL(Windows)D~#
v (Fb?O$Lr
e~a)#e~qwzk,zIT9CCzk9(M8((Fb?;frO$~q
(CDAS)~qw#
b? CDAS O$Lr8(J1D(F2mb#
>XO$N}
TBN}8(>XZCO$Lr:
m 8. >XZCO$Lr.
N} hv
m%My>O$
passwd-ldap 9C LDAP C'{M\kxPM'zCJ#
M'zK$iO$
cert-ssl 9CM'zK$i(} SSL xPM'zCJ#
iv-remote-address Q$nD HTTP 7M/r IP X7O$M/r IV 7#
http-request (}Xb HTTP 7M/r IP X7M/r IV 7DM'zCJ,
iv-remote-address Q$n#
9C [authentication-mechanisms] ZdCO$=("TBPq=5V:
authentication_method_parameter = shared_library
b?(F CDAS O$N}
TBN}ICZ8(b? CDAS ~qwD(F2mb:
m 9. b? CDAS ~qwN}.
N} hv
passwd-cdas 9CZ}="amDC'{M\kxPM'zCJ#
token-cdas 9C LDAP C'{MnF(PzkxPM'zCJ#
cert-cdas 9CM'zK$i(} SSL xPM'zCJ#
}KO$b,9P=Vd|ICZe~Dj< Access Manager b:
v passwd-strength
Kbli\k|Dm%PdkDB\k#
v cred-ext-attrs
KbJm+(FtT({F/5T)8(*|,Z>$P#
XZ9(MdC5V CDAS ~qwD(F2mbDj8E",kN< IBM Tivoli Access
Manager WebSEAL Developer’s Reference#
e~D1!dC
1!ivB,e~hC*9Cy>O$(BA)C'{M\k(LDAP "am)O$M'
z#
e~(#,1* TCP M SSL CJtC#rx,[authentication-mechanisms] ZD
dMdC|('VC'{M\k(LDAP "am)M'V(} SSL DM'zK$i#
TB>}zm Solaris Operating Environment DdM [authentication-mechanisms] Z
dC:
[authentication-mechanisms]
passwd-ldap = libldapauthn.so
cert-ssl = pdwpi-sslauthn.so
*dCd|O$=(,mSJ1DN}0d2mb(r CDAS #i)#
dC`vO$=(
^D pdwebpi.conf dCD~D [authentication-mechanisms] Z,8(CZNN\
'VO$=(D2mb#dC`vO$=(1,&CTBu~:
1. yPO$=(<IT`%@"XP9&\#I\*?v\'VD=(dC2mb#
2. 1,1dC cert-cdas =(M cert-ssl =(1,0_+2Gs_#XktCb=v
=(.;4'VM'zK$i#
3. dC`vO$Lr1,5Jv9C;v\k`MO$Lr#e~9CTBEH63
r4bv`vQdCD\kO$Lr:
a. passwd-cdas
b. passwd-ldap
4. I\*=v;,DO$=(dC`,D(Fb#}g,IT`4;v(F2mb&
mC'{/\kM HTTP 7O$#TZK>},z+9C`,D2mbdC
passwd-cdas M http-request N}#*"_PpN,$a04,,"\b=V=
(.dDe;#
a>G<
ZBPu~B,e~a>M'zG<:
1. 4O$DM'zxPZ(li'\
2. m%ry>O$M'zxPZ(li'\
TBM'z`M+vV0403 JO1ms:
1. 1Z(li'\1:
a. M'zK$i
b. JO*F cookie
c. CDSSO
d. IP X7
e. HTTP 7
2. 1M'z9Ce~{CD=(O$1
"z"|D\kMoz|n
Access Manager a)TB|n4'V(} HTTP r HTTPS O$DM'z#
pkmslogout: 1M'z9CDO$=(;f?vksa)O$}]1,M'zIT9
C pkmslogout |nS10a0"z#}g pkmslogout ;ICZ9Cy>O$r IP
X7O$DM'z#ZKivB,XkXU/@wT"z#
pkmslogout |nJCZ(}M'zK$i"nF(Pzk"m%O$M HTTP 7O
$D3)5VDO$#
4TB=(KP|n:
https://www.tivoli.com/pkmslogout
/@wT>(eZ pdwebpi.conf dCD~PD"zm%:
[acctmgmt]
logout-uri = /pkmslogout
logout-success = logout_success.html
IT^D logout_success.html D~TJ&zD*s#
1xga9h*`vKvA;CZC'Sj+;,Dibwz"z1,pkmslogout 5CLr9'V`v"zl&3f#
pkmspasswd: 9Cy>O$(BA)rm%O$1,IT9CK|n|DG<\k#
K|nJOZ HTTP r HTTPS O9C#
}g:
https://www.tivoli.com/pkmspasswd
C/@w+T>(eZ pdwebpi.conf dCD~PD\km%D|D:
[acctmgmt]
password-change-form-uri = /pkmspasswd.form
password-change-uri = /pkmspasswd
password-change-success = password_change_success.html
password-change-failure = password_change_failure.html
IT^D password_change_success.html M password_change_failure.html D~T
J&zD*s#
pkmshelp: IT9CK|nCJoz3f#K|nJOZ HTTP r HTTPS O9C#
oz3fD{FM;C(eZ pdwebpi.conf dCD~P:
[acctmgmt]
help-uri = /pkmshelp
help-page = help.html
IT^D help.html D~TJ&zD*s#
dCy>O$
y>O$(BA)G+C'{M\ka)xO$zFDj<=(#BA I HTTP -i(
e,R(} HTTP M HTTPS 5V#
tCy>O$
1!ivB,*e~dC BA C'{M\k#pdwebpi.conf dCD~PD
[common-modules] Z(eK9C BA CZO$ks#4:
[common-modules]
authentication = BA
pdwebpi.conf dCD~PD [modules] Z(eyPICDO$zF0dX*D2mb
{F#7#y>O$Du?fZ;4:
[modules]
BA = pdwpi-ba-module
1!ivB,BA O$zF*dCD~D [authentication levels] ZPD;v6p#
KhCkxkksDO$zFDEH6`X#
hCr{F
rC'aJC'{M\k1,CrT>Z/@wrC'a)DT0rP#r{F8(
x pdwebpi.conf dCD~D [BA] ZPD basic-auth-realm N}#
[BA]
basic-auth-realm = realm_name
dCy>O$zF
passwd-ldap N}8(CZ&mC'{M\kO$D2mb#
v Z UNIX O,a)ZC3d&\DD~G;v2mb,F* libldapauthn#
v Z Windows O,a)ZC3d&\DD~G;v DLL,F* ldapauthn#
m 10. BA 2mbO$zF
O$zF | 2mb: Solaris Operating Environment | 2mb: AIX | 2mb: Windows
passwd-ldap | libldapauthn.so | libldapauthn.a | ldapauthn.dll
IT(}Z pdwebpi.conf dCD~PD [authentication-mechanisms] ZPdk
passwd-ldap N}T02mbD~DX(=({F4dCC'{M\kO$zF,gB
y>:
Solaris Operating Environment:
[authentication-mechanisms]
passwd-ldap = libldapauthn.so
Windows:
[authentication-mechanisms]
passwd-ldap = ldapauthn.dll
dCm%O$
Access Manager a)m%O$w*j<y>O$zFD8C=(#K=(S Access
Manager zz(F HTML G<m%,x;GSy>O$aJzzj<G<a>#
9CyZm%DG<1,/@w;s9Cy>O$1Gy+C'{M\kE"xP_
Y:f#
tCm%O$
pdwebpi.conf dCD~PD [common-modules] Z(eyPO$=(DC(#*t
C(}m%DO$,+%J0forms18(x authentication N};4:
[common-modules]
authentication = forms
9Cm%CZO$1,9Xk+e~dC*9Cm%CZsZ(&m#by+Jme
~+QO$DC'X(rX-<Dks URL#Z pdwebpi.conf dCD~D
[common-modules] ZP,mSN} post-authzn,gBy>:
[common-modules]
authentication = forms
post-authzn = forms
pdwebpi.conf dCD~PD [modules] Z(eyPICDO$zF0dX*D2mb
{F#7#m%O$Du?fZ;4:
[modules]
forms = pdwpi-forms-module
dCm%O$zF
passwd-ldap N}8(CZ&mC'{M\kO$D2mb#
v Z UNIX O,a)ZC3d&\DD~G;v2mb,F* libldapauthn#
v Z Windows O,a)ZC3d&\DD~G;v DLL,F* ldapauthn#
m 11. m%2mbO$zF
O$zF | 2mb: Solaris Operating Environment | 2mb: AIX | 2mb: Windows
passwd-ldap | libldapauthn.so | libldapauthn.a | ldapauthn.dll
IT(}Z pdwebpi.conf dCD~PD [authentication-mechanisms] ZPdk
passwd-ldap N}T02mbD~DX(=({F4dCC'{M\kO$zF,gB
y>:
Solaris Operating Environment:
[authentication-mechanisms]
passwd-ldap = libldapauthn.so
Windows:
[authentication-mechanisms]
passwd-ldap = ldapauthn.dll
(F HTML l&m%
m%O$h*z9C(FG<m%#1!ivB,y> login.html m%;ZTB?<:
install_directory/nls/html/lang #
dP lang S NLS dCPq!#Z US "o20P,KN}hC* C#
dCD~D [forms] ZD login-form N}(eG<Zda)xC'Dm%DD~{#
CD~D76&1`TZQ-kD pdwebpi HTML ?<;}g
pdwebpi/nls/html/lang#
[forms]
login-form = login.html
dC$iO$
Access Manager Plug-in for Web Servers 'V9CM'zK}V$i(} SSL kM'
zxPD2+(E#ZKO$=(P,$iE"(}g(P{Fr DN)+3d*
Access Manager m]#
(}$i`%O$
Z=vWN"z(}}V$iDO$:
v e~$tD Web ~qw9Cd~qwK$ir SSL M'zj6dTm#
v Web ~qw9CdO$PD(CA)y$iD}]bi$9CM'zK$iCJDM
'z#
1. SSL M'zks(}e~k Web ~qwD,S#
2. w*l&,Web ~qw(})pD~qwK$i"Md+C\?#K$iH0QI
IEDZ}=O$PD(CA))p#
3. M'z+li$iD)p_GqGIERIS\D#M'zD/@w(#|,4
TIE CA Dy$iPm#g{ Web ~qwD$iOD){kb)y$i.;%
d,rITENC~qw#
4. g{;P){kd%d,r/@w(*dC',K$iI4*O$PD)p#;
s,C'PpNS\r\x$i#
5. g{C){k/@wDy$i}]bPDu?%d,r2+XZM'zM Web ~
qw.d-La0\?#
K}LDnUa{Gzz2+(@,9M'zIT(}dO$(}g,(}C'
{M\k)#I&O$s,M'zM~qwITLx2+X(}K(@(E#
6. VZM'z(}e~+d+C\?$i"M= Web ~qw#
7. Web ~qw"T9C Web ~qwD$if"+M'z$iOD){kQ* CA %
d#
8. g{;P){kd%d,rzI SSL mszk"+d"M=M'z#
9. g{P){kd%d,rITENCM'z#4PM'zO$s+zz Access
Manager m]#
10. +ZM'zM Web ~qw.d2+X-La0\?#K}LDnUa{GZ`%
O$DM'zM~qw.dzz2+MIED(EE@#
tC$iO$
pdwebpi.conf dCD~PD [common-modules] Z(eyPO$=(DC(#*t
C(}$iDO$,+%J0cert18(x authentication N};4:
[common-modules]
authentication = cert
pdwebpi.conf dCD~PD [modules] Z(eyPICDO$zF0X*D2mb{
F#7#$iO$Du?fZ;4:
[modules]
cert = pdwpi-certificate-module
dC$iO$zF
cert-ssl N}8(CZ3d$iO$E"D2mb#
Z UNIX O,a)ZC3d&\DD~G;v2mb,F* libpdwpi-sslauthn#Z
Windows O,a)ZC3d&\DD~G;v DLL,F* sslauthn#
m 12. $i2mbO$zF
O$zF | 2mb: Solaris Operating Environment | 2mb: AIX | 2mb: Windows
cert-ssl | libpdwpi-sslauthn.so | libpdwpi-sslauthn.a | pdwpi-sslauthn.dll
IT(}Z pdwebpi.conf dCD~PD [authentication-mechanisms] ZPdk
cert-ssl N}T02mbD~DX(=({F4dC$iO$zF#
Solaris Operating Environment:
[authentication-mechanisms]
cert-ssl = libpdwpi-sslauthn.so
Windows:
[authentication-mechanisms]
cert-ssl = pdwpi-sslauthn.dll
2mbD~a)D1!3d1S+$i DN 3d= LDAP DN#
dCnFO$
Access Manager Plug-in for Web Servers 'V(}M'za)DnF(PzkDO$#
KO$9CyZ RSA SecureID® fobs D+rSU>#
tCnFO$
pdwebpi.conf dCD~PD [common-modules] Z(eyPO$=(DC(#*t
C(}nFDO$,+%J0token18(x authentication N};4:
tC9CnFDO$1,2Xk*sZ(&mdCnF#ZdCD~D [modules] Z
P,9( post-authzn N}"*d8(50token1#[common-modules] Z&1|,
TB=vu?:
[common-modules]
authentication = token
post-authzn = token
pdwebpi.conf dCD~PD [modules] Z(eyPICDO$zF0X*D2mb{
F#7#nFO$Du?fZ;4:
[modules]
token = pdwpi-token-module
dCnFO$zF
token-cdas N}8(CZ3dnF(PzkO$E"D2mb#
v Z UNIX O,a)ZC3d&\DD~G;v2mb,F* libtokenauthn#
v Z Windows O,a)ZC3d&\DD~G;v DLL,F* tokenauthn#
m 13. nF2mbO$zF
O$zF | 2mb: Solaris Operating Environment | 2mb: AIX | 2mb: Windows
token-cdas | libtokenauthn.so | libtokenauthn.a | tokenauthn.dll
Z1!ivB,KZC2mbG2`kD,CZ3d SecurID nF(Pzk}]#IT
(FKD~TO$d|`MDXbnF}],"I!q+K}]3d* Access Manager
m]#XZ API J4,kN< IBM Tivoli Access Manager WebSEAL Developer
Reference#
IT(}Z pdwebpi.conf dCD~PD [authentication-mechanisms] ZPdk
token-cdas N}T02mbD~DX(=({F4dCnFO$zF#
}g:
Solaris Operating Environment:
[authentication-mechanisms]
token-cdas = libtokenauthn.so
Windows:
[authentication-mechanisms]
token-cdas = tokenauthn.dll
(FnFl&3f
dCD~D [token-card] ZD token-login-form N}(enFG<Zda)xC'
M'zDm%DD~{#CD~D76&1`TZQ-kD pdwebpi HTML ?<;}
g pdwebpi/nls/html/lang#dP lang S NLS dCPq!#Z US "o20P,K
N}hC* C#
[token-card] ZPD next-token-form N}(eT>=C'M'zDm%TksZ~
vnF#1~qw^(SZ;vnFI&O$C'1,+*sM'zdkm;vn
F#^(O$C'I\I\`-r<B,n#{D-rGIZM'zM~qw1S;
,=#^(I&9CZ;vnFO$1,+T> next-token-form N}P8(D3f,
Ta>B;vnF#
token-card ZDq=gB:
[token-card]
token-login-form = tokenlogin.html
next-token-form = nexttoken.html
dCJO*F cookie O$
JO*F cookie &\(#CZM'z(}:X=bzF,S=4FD0K Web ~q
w#1~qwMM'z.dD-<a0d*;IC1,JO*F cookie I@9?FDX
BO$#
Z*sZ(&mdCKJO*F cookie s,e~Z~qwX(DrGr6'D cookie
PS\>$}]#M'zZ;N,S1,cookie EZ/@wO#1u< Web ~qwa
0*'1,cookie +;xM'zXB(rDB;v~qw#cookie CZT/XBO$,
byM'z;X4PV/XBO$DNq#4FD~qwODe~2m;v+2\
?,|b\ cookie Py,D>$E""("BDa0#
O<T>KdMDe5a9,Ca9+SJO*F cookie D9Cqf#,; Web ~q
wD}v`,5};Z:X=b~qws,C~qwy]:XMICT+ks(r=
}v~qw.;#}g,Yh+ www.foo.com D?v5}dC*9CJO*F cookie
O$M'zCJ,9+ddC*9CJO*F cookie CZsZ(&m#M'z+CJ
www.foo.com,";8r~qwD5} 1,RI&O$#+S\M'zD>$"+df"
Zr6'D cookie P,C cookie f"ZM'z/@wP#g{Za0Zd,M'zh
< 6. JO*F cookie DdM~qwe5a9#
*CJ www.foo.com D5} 2r5} 3(}g,g{5} 1 '\r*sdC+s),
rf"ZM'z/@wPDJO*F cookie +CZT/XBO$,x;h*C'xPI
f#
tC9CJO*F cookie DO$
pdwebpi.conf dCD~PD [common-modules] Z(eyPO$=(DC(#IT
dCJO*F cookie 4PO$MsZ(Nq#
dC*9CJO*F cookie xPsZ(&mDe~T>$xPS\,"+dw*JO*
F cookie f"ZBql&P#
dC*9CJO*F cookie 4PO$De~,9CSBqksPR=DJO*F cookie
PDS\>$XBO$M'z#
*tC9CJO*F cookie DO$MsZ(,+u?0failover18(x authenticationM post-authzn N};4:
[common-modules]
authentication = failover
post-authzn = failover
":dCd|O$zFT0JO*F cookie 1,Xk+JO*F cookie O$dC*u
<O$=(#
pdwebpi.conf dCD~PD [modules] Z(eyPICDO$zF0dX*D2mb
{F#7#JO*F cookie O$Du?fZ;4:
[modules]
failover = pdwpi-failovercookie-module
dCJO*F cookie N}
JO*F cookie O$N}Z pdwebpi.conf dCD~D [failover] ZPdC#
failover-cookies-keyfile N}8(CZTJO*F cookie PD>$}]xPS\Mb
\DD~#}g:
[failover]
failover-cookies-keyfile = failover.key
\?D~Xk9C;Z install_path/bin ?<PDLr pdwpi-cdsso-key-gen 4(#
C(:
./pdwpi-cdsso-key-gen key_file_name_to_create
failover-cookies-lifetime N}(eP'D failover-cookie P'Z(V)#bG8 cookie
4(M cookie {C.dD1d#1!5* 30 VS#
[failover]
failover-cookies-lifetime = 30
enable-failover-cookie-for-domain N}tCr_{C cookie Z{vrPDP'T#
}g:
[failover]
enable-failover-cookie-for-domain = false
dC IV 7O$
Access Manager (}f]M'zr/PzmLra)DZ?zID7E"'VO$#I
Zz7-r,b);F* IV(IntraVerse)7#1e~v?M Web ~qwSU=4T
IE&CLr(g WebSEAL r`74C/PzmLr)Dks1,IV 7I\aek
*S=e~zm~qwDksP#IV 7|,j6p<M'zDE",x;G*S~qw
DE"#7PDE"CZ9lp<M'zD>$,TCZZ(#,y,g{e~v?
M Web ~qw+ks*S=m;v6p IV 7D Access Manager ~qw,re~z
mITek IV 7Tj6p<M'z#
ITdCe~9C IV 7CZsZ(&mrO$ks#g{dCCZsZ(&m,re
~ZI&O$.s,(}ekM'zDf5m]w* IV 7^DBq#;sb)7I\
Ip< Web ~qw*"=m;v~qw#
g{dCe~9C IV 74PM'zO$,re~9CSBqksPR=D IV 7Pi
!Dm]4(M'z>$#IZM'z1l IV 7\]W,yTvZzm~qw(}Z
O$ksPhC09C~6O$Lr1j>8(T7DEN1E4(byD>$#
TZO$,ITdC IV 7Z(}zmSU1S\ksPD;v";)ryP
iv-user"iv-user-l"iv-creds r iv-remote-address 7,w*O$D$]#iv-remote-address
7CZG<C'Df56LX7#
g{dCCZsZ(&m,r IV 7f;v";)ryP iv-user"iv-user-l"
iv-creds"iv-groups M/r iv-remote-address"HTTP 7;pekks#
m 14. IV 7VNhv
IV 7VN hv
iv-user Access Manger C'DrL{F#g{M'z4O$(4*),
r1!*4O$#
iv-user-l C'Dj{r{($Mq=)#}g LDAP (P{F#
iv-groups C'ytiPm#
iv-creds `kD;8w}]a9,zmC'D Access Manager >$#
iv-remote-address M'zD IP X7#K5ITzmzm~qwrxgX7*;Lr
(NAT)D IP X7#
tC9C IV 7DO$
pdwebpi.conf dCD~PD [common-modules] Z(eyPO$=(DC(#*t
C9C IV 7DO$,k+}C iv-headers Vdx authentication N};4:
[common-modules]
authentication = iv-headers
*tC IV 7CZsZ(&m,k+ post-authzn N}8(* pdwebpi.conf dCD
~P [common-modules] ZPDX|V5 iv-headers#4:
[common-modules]
post-authzn = iv-headers
pdwebpi.conf dCD~PD [modules] Z(eyPICDO$zF0dX*D2mb
{F#7# IV 7O$u?fZ;4:
[modules]
iv-headers = pdwpi-iv-headers-module
dC IV 7N}
IV 7O$N}Z pdwebpi.conf dCD~D [iv-headers] ZPdC#
accept N}8(S\CZ4P IV 7O$D IV 7`M#1!ivB,e~S\yP
`MD IV 7#P'!n*:all"iv-creds"iv-user"iv-user-l"iv-remote-address#*dk
`v7`M,k9C:EVt5#
}g:
[iv-headers]
accept = iv-creds,iv-user
generate N}8(*"zmks1+zID IV 7`M#1!ivB,*"zmks
1e~zIyP`MD IV 7#P'!n*:all"iv-creds"iv-user"
iv-user-l"iv-remote-address#*dk`v7`M,k9C:EVt5#
dC iv-remote-address D IV 7O$zF
Z IV 7P9C iv-remote-address 1,zh*8(CZ3d HTTP O$7E"D2
mb#http-request N}8(CZ3d HTTP O$7E"D2mb#
v Z UNIX O,a)ZC3d&\DD~G{* libpdwpi-http-cdas D2mb#
v Z Windows O,a)ZC3d&\DD~G{* pdwpi-http-cdas D DLL#
m 15. IV 72mbO$zF
O$zF | 2mb: Solaris Operating Environment | 2mb: AIX | 2mb: Windows
http-request | libpdwpi-http-cdas.so | libpdwpi-http-cdas.a | pdwpi-http-cdas.dll
ITdC HTTP 7O$zF,=(GZ pdwebpi.conf dCD~D
[authentication-mechanisms] ZPdk http-request N}T0X(Z=(D2mbD
~{,4:
Solaris Operating Environment:
[authentication-mechanisms]
http-request = libpdwpi-http-cdas.so
Windows:
[authentication-mechanisms]
http-request = pdwpi-http-cdas.dll
dC HTTP 7O$
Access Manager (}M'zr/PzmLra)D(F HTTP 7E"'VO$#
KzFh*;v3d/}(2mb),+IE($O$)7}]3dA Access Manager
j6#e~ITS\Kj6"*C'4(>$#
e~Y(H0QO$(FD HTTP 7}]#IZK-r,(i%@5VK=(,x;t
Cd|NNO$=(#Y0(F HTTP 7}]GI\D#
1!ivB,9(K2mb3d4T0/Pzm17D}]#
tC9C HTTP 7DO$
pdwebpi.conf dCD~PD [common-modules] Z(eyPO$=(DC(#*t
C9C HTTP 7DO$,k+}C0http-hdr1Vdx authentication N};4:
[common-modules]
authentication = http-hdr
pdwebpi.conf dCD~PD [modules] Z(eyPICDO$zF0dX*D2mb
{F#7# HTTP 7O$u?fZ;4:
[modules]
http-hdr = pdwpi-httphdr-module
8(7`M
XkZ pdwebpi.conf dCD~D [http-hdr] ZP8(yP'VD HTTP 7`M#
[http-hdr]
header = header_type
HTTP 7Dj<dCvJm8(;v7#*8(`v HTTP 7,XkdC HTTP 7#
iD`v5}#
}g:
[modules]
entrust-client-header = libpdwpi-http-header.so
some-other-header = libpdwpi-http-header.so
[entrust-client-header]
header = entrust-client
[some-other-header]
header = some-other
dC HTTP 7O$zF
http-request N}8(CZ3d HTTP O$7E"D2mb#
v Z UNIX O,a)ZC3d&\DD~G{* libpdwpi-http-cdas D2mb#
v Z Windows O,a)ZC3d&\DD~G{* pdwpi-http-cdas D DLL#
m 16. HTTP 72mbO$zF
O$zF | 2mb: Solaris Operating Environment | 2mb: AIX | 2mb: Windows
http-request | libpdwpi-http-cdas.so | libpdwpi-http-cdas.a | pdwpi-http-cdas.dll
1!ivB,KZC2mbG2`kD,CZ+0/Pzm17}]3d=P'D
Access Manager j6#Xk(FKD~,TO$d|`MDXb7}]"0+K}]3
d= Access Manager j6(I!)#XZ API J4,kN< IBM Tivoli Access Manager
WebSEAL Developer Reference#
ITdC HTTP 7O$zF,=(GZ pdwebpi.conf dCD~D
[authentication-mechanisms] ZPdk http-request N}T0X(Z=(D2mbD
~{#
}g:
Solaris Operating Environment:
[authentication-mechanisms]
http-request = libpdwpi-http-cdas.so
Windows:
[authentication-mechanisms]
http-request = pdwpi-http-cdas.dll
dC IP X7O$
xkksD IP X7ITCZ9CM'zX77PD5,Va04,MO$M'zks#
g{;dCe~9C IP X7O$M'zks,rdCd9C IP X7,Va04,^
'#+G,g{e~;9C IP X7zYC'a0,r9C IP X7O$C'P'#
tC9C IP X7DO$
pdwebpi.conf dCD~PD [common-modules] Z(eyPO$=(DC(#*t
C9Cksp<_D IP X7DO$,k+}C0ip-addr1Vdx authentication N
},gBy>:
[common-modules]
authentication = ip-addr
*tC9C IP X7zYC'a0,k+}C0ip-addr1Vdx session N},gBy
>:
[common-modules]
session = ip-addr
pdwebpi.conf dCD~PD [modules] Z(eyPICDO$zF0dX*D2mb
{F#7# IP X7O$u?fZ,gBy>:
[modules]
ip-addr = pdwpi-ipaddr-module
dC IP X7O$zF
IP X7O$zFM HTTP 7D`,#http-request N}8( IP X7O$zFD2m
b#
v Z UNIX O,a)ZC3d&\DD~G{* libpdwpi-http-cdas D2mb#
v Z Windows O,a)ZC3d&\DD~G{* pdwpi-http-cdas D DLL#
m 17. IP X72mbO$zF
O$zF | 2mb: Solaris Operating Environment | 2mb: AIX | 2mb: Windows
http-request | libpdwpi-http-cdas.so | libpdwpi-http-cdas.a | pdwpi-http-cdas.dll
ITdC IP X7O$zF,=(GZ pdwebpi.conf dCD~D
[authentication-mechanisms] ZPdk http-request N}T0X(Z=(D2mbD
~{#
}g:
Solaris Operating Environment:
[authentication-mechanisms]
http-request = libpdwpi-http-cdas.so
Windows:
[authentication-mechanisms]
http-request = pdwpi-http-cdas.dll
dCjG5sZ(&m
(#C'I\#{Z HTTP QO$ksD7P=S4T LDAP DC'X(E"(}g
g0Ek"gSJ~X7)#b9`v&CLrITCJ=SDE"x^k-#i/
LDAP ~qw#KE"DXwG|G`T2,D,@6;a;NN9C|D&CLr|
B#K}]w* ivauthn O$xLD;?VEkC'>$P#KE"2IT(}C'5
VD CDAS O$#i=S=C'>$P#
tCjG5&m
pdwebpi.conf dCD~PD [common-modules] Z(eyPO$=(DC(#*t
C9CjG5&m,k+}C0tag-value1Vdx post-authzn N};gBy>:
[common-modules]
post-authzn = tag-value
pdwebpi.conf dCD~PD [modules] Z(eyPICDO$zF0dX*D2mb
{F#7#jG5u?fZ,gBy>:
[modules]
tag-value = pdwpi-tag-value-module
dCjG5N}
jG5N}Z pdwebpi.conf dCD~D [tag-value] ZPdC#
[tag-value]
cache-definitions = yes
cache-refresh-interval = 60
cache-definitions N}tCr_{CT=S=TsUdODj)5(eD_Y:f#
cache-refresh-interval (e_Y:f(eD"B1ddt(k)#
hCibwzDO$N}
TB>}hC;vF* foo.com Dibwz,KwzZITDX=9C SSL a0j6,
Z;IT9C SSL j6+_P BA 7DX=9C BA 7,"R9Ca0 cookie w*
,$a0E"DnsVN#|Z'Vy>O$0'V$iO$,"RZO$I&1,
r+I Web ~qw&mDksmS;v LTPA cookie#>}vT>K&(eDN}#
[pdweb-plugins]
virtual-host = foo.com
[modules]
ssl-id = libpdwpi-ssl-id.so
session-cookie = libpdwpi-session-cookie.so
ba = libpdwpi-ba.so
cert = libpdwpi-cert.so
ltpa = libpdwpi-ltpa.so
[foo.com]
session = ssl-id
session = ba
session = session-cookie
authentication = cert
authentication = ba
post-authzn = ltpa
ITpv#iXdCO$=(,Tc;,D#iITZibwz.d2m;gBy
>:
[virtual_host_stanza]
# Optional modules stanza name to allow sharing of module
# configurations between virtual hosts
modules = new-modules-stanza
[new-modules-stanza]
# Order sensitive session module list
# first one has highest priority
session = session_module
session = session_module
...
# Order sensitive authentication module list
# first one has highest priority
authentication = authentication_module
authentication = authentication_module
...
# Order sensitive post-authorization module list
# first one has highest priority
post-authzn = post_authorization_module
post-authzn = post_authorization_module
...
'V`74C/PzmLr(MPA)
Access Manager a)#$9C`74C/PzmLr(MPA)DxgDbv=8#`7
4C/PzmLr(MPA)Ga)`vM'zCJDxX#xX("=4~qwD%
;QO$(@,"(}K(@+MyPM'zksMl&#TZe~,(}K(@D
E"numV*4T;vM'zD`vks#e~XkxV MPA ~qwDO$M?v
%@M'zD=SO$#b`xXD;v#{>}G^_CJ-i(WAP)xX#9
Ckwz Web ~qwD*adCTJm WebSEAL Me~.dD%;"a1,Access
Manager WebSEAL 9w* MPA#*dCby;vbv=8,IT9C iv-header O$
#i#XZdC SSO D|`j8E",kNDZ 73 3DZ 6 B, :Web %;"ab
v=8;#
P'a0}]`MMO$=(
IZ Access Manager Plug-in for Web Server ,$ MPA DQO$a0,dXk,1
,$?vM'zD%@a0#rK,CZ MPA Da0}]MO$=(Xk;,ZM'
zy9CDa0}]MO$=(#BmPvCZ MPA MM'zDP'a0`M:
m 18. MPA DP'a0}]`M
P'a0`M
MPA =e~ M'z=e~
SSL a0j6
HTTP 7 HTTP 7
BA 7 BA 7
IP X7
Cookie Cookie
v M'z;\9C SSL a0j6w*a0}]`M#
v }g,g{ MPA 9C BA 7w*a0}]`M,rM'zDa0}]`M!nv
|( HTTP 7M cookie#
v g{ MPA 9C HTTP 7w*a0}],rM'zIT9C;,D HTTP 7`M#
v X(Z~qwD cookie v|,a0E";;|,j6E"#
v g{tC MPA 'V,r9C SSL a0j6,$a04,a|D#(#,r*Qd
C SSL a0j6,$a04,,yTv SSL a0j6CZ,$ HTTP M'zDa
0#*Jm MPA ,$_P SSL a0j6Da0"9M'z9Cm;V=(,$a
0,r}%K^F#
MPA =e~y9CDO$=(Xk;,ZM'z=e~y9CDO$=(#BmPv
MPA MM'zDP'O$=(:
m 19. P'D MPA O$`M
P'O$`M
MPA =e~ M'z=e~
y>O$ y>O$
m% m%
nF nF
HTTP 7 HTTP 7
$i
IP X7
v w*>},g{ MPA 9Cy>O$,rM'zDO$=(!n|(m%"nFM
HTTP 7#
v $iM IP X7O$=(TM'z9C^'#
v (#,g{TX(+MtCm%(rnF)O$,rTK+MT/{Cy>O$#
g{tC MPA 'V,r}%K^F#}g,bJmZ,;v+MO MPA 9Cm%
(rnF)G<,RM'z9Cy>O$G<#
MPA M`vM'zDO$xLw
1. kxPTBdC|D:
v ZdCD~PtCT`74C/PzmLrD'V#
v *X(D MPA xX4( Access Manager J'#
v +KJ'Dzm([PDWebPI]p)CJ(ZhibwzD MPA #$Ts,zmk
s+8rKibwz#Z1!dCP,9C'I* pdwebpi-mpa-servers iD
I1I5VKYw#
2. M'z,S MPA xX#
3. xX+ks*;* HTTP ks#
4. xXO$M'z#
5. xX9CM'zkske~(",S#
6. MPA O$e~(9CkM'z;,D=()"Iz MPA(Q_Pe~J')Dm
]#
7. e~i$ MPA Z pdwebpi-mpa-servers iPDI1Jq#
8. * MPA 9(>$"Z_Y:fP+dj>*XbD MPA `M#
!\K MPA >$ifTsD?vM'zks,+d";CZTb)ksDZ(l
i#
9. VZe~h*x;=j6ksDyP_#
MPA ITxV`vM'z,xPG<a>D}77I#
10. M'zG<"9C;,Z MPA yCO$`MD=(xPO$#
11. e~SM'zO$}]9(>$#
12. ?vM'z9CDa0}]`MXk;,Z MPA 9CDa0}]`M#
13. Authorization Server y]C'>$MTsD ACL mI(Jmr_\xT\#$T
sDCJ#
tC MPA O$
pdwebpi.conf dCD~D [pdweb-plugins] ZPD mpa-enabled N}tCr{C
MPA O$#P'hC* true M false,VpCZtCM{C MPA O$#1!iv
B,MPA O$G{CD#IT(}8(dCD~D [virtual_host] ZPD mpa-enabledN}*%vibwzhC MPA O$#
*+Ba0j6* MPA ("Dy>a0,wvZ(v(,bT MPA #$DTsDz
m([PDWebPI]p)mI(#1!ivB,MPA #$DTs(e* /PDWebPI#*2G
K 1!h C ( } g ( e ; , D w e/z m ? v i b w z D M P A ) , I T *
mpa-protected-object dCN}8(;v5#ITT?vibwz2GKN},=(G
ZdCD~D [virtual_host] ZP*d8(;v5#}g,*T foo.com ibwz(x
"G bar.com ibwz)tC MPA CJ,kZ pdwebpi.conf dCD~P9CTBh
C:
[pdweb-plugins]
virtual-host = foo.com
virtual-host = bar.com
[foo.com]
mpa-enabled = yes
*+ foo-mpa-servers iDI1(e*T foo.com ibwzksD MPA "+
bar-mpa-servers iDI1(e*T bar.com ibwzksD MPA,k9CTBdC:
[pdweb-plugins]
virtual-host = foo.com
virtual-host = bar.com
[foo.com]
mpa-enabled = yes
mpa-protected-object = /PDWebPI/foo.com
[bar.com]
mpa-enabled = yes
mpa-protected-object = /PDWebPI/bar.com
"(eTB Access Manager _T:
pdadmin> acl create foo-mpa
pdadmin> acl modify foo-mpa set group foo-mpa-servers T[PDWebPI]p
pdadmin> acl create bar-mpa
pdadmin> acl modify bar-mpa set group bar-mpa-servers T[PDWebPI]p
pdadmin> acl attach /PDWebPI/foo.com foo-mpa
pdadmin> acl attach /PDWebPI/bar.com bar-mpa
mpa-protected-object dCN}8(xPZ(v(yTUDTs#
* MPA 4(C'J'
XZ4(C'J'DE",kN< IBM Tivoli SecureWay Access Manager Base
Administration Guide M IBM Tivoli SecureWay Access Manager Web Portal Manager
Administration Guide#
r pdwebpi-mpa-servers imS MPA J'
Access Manager Plug-in for Web Servers 4(;vi,CZ=c\m MPA ~qw#
KiF* pdwebpi-mpa-servers#=SZ /PDWebPI OD default-pdwebpi ACL +
zm([PDWebPI]p)mI(Zh pdwebpi-mpa-servers iDI1#120ZAYdC
K;v WebSEAL D Access Manager 2+rP1,dC default-pdwebpi ACL 9d2
+zmmI(Zh webseal-servers M webseal-mpa-servers iDI1#zIT!
qT:DiM ACL,CZXFw*`74C/PzmLrDweDj6#
XZ\miDE",kN< IBM Tivoli SecureWay Access Manager Base Administration
Guide M IBM Tivoli SecureWay Access Manager Web Portal Manager Administration
Guide#
Z 5 B IBM Tivoli Access Manager Plug-in for WebServers 2+T_T
>B|,DE"hvgNITdC"(F IBM Tivoli Access Manager(Access
Manager)Plug-in for Web Servers 2+T_T#
wbw}:
v :X(Ze~DCJXFm(ACL)_T;
v Z 61 3D:}N%wG<_T;
v Z 62 3D:\k?H_T;
v Z 64 3D:O$?H\#$Ts_T(]});
v Z 67 3D:XBO$\#$Ts_T;
v Z 68 3D:yZxgDO$\#$Ts_T;
v Z 69 3D:#$6p\#$Ts_T;
v Z 70 3D:&m4O$C'(HTTP/HTTPS);
X(Ze~DCJXFm(ACL)_T
TB2+T"bBnJCZ\#$TsUdPD /PDWebPI ]w:
v Access Manager Plug-in for Web Servers TsGTsUdPe~xrD ACL LP
4Dpc#
v g{;&Cd|NNT= ACL,rKTs((}LP)(e{v Web UdD2+T
_T#
v *CJKTs0KcBDNNTs,h*izmI(#
XZ Access Manager ACL _TDj{E",kN<6IBM Tivoli Access Manager Base
\m18O7#
/PDWebPI/host r virtual_hostKSw|,X(e~5}DTsUd#TB2+T"bBnJCZKTs:
v *CJKcBDNNTs,h*izmI(#
v g{;&Cd|NNT= ACL,rKTs((}LP)(eKzwO{vTsUdD
2+T_T#
e~ ACL mI(
BmhvJCZTsUdD Access Manager Plug-in for Web Servers xrD ACL m
I(:
© Copyright IBM Corp. 2002 59
m 20. e~ ACL mI(
mI( Yw hv
[PDWebPI]r A! i4}?<bDNb*X#Nb HTTP GET r POST
ks<h*KmI(#TZks?<Pm(T / ax
D URL D GET),;PX(D0Pm1mI( *
b2C [PDWebPI]r mI(li#
[PDWebPI]d >} S Web UdP}% Web Ts#HTTP DELETE |
nh*KmI(#
[PDWebPI]m ^D Ze~TsUdPEC/"< HTTP Ts#HTTP
PUT ksh*KmI(#
T iz *CJKcBDNNTs,h*KmI(
e~2'V WebDAV Yw,gBy>#
m 21. e~ WebDAV mI(
Nq yhmI(
PROPFIND [PDWebPI]R
PROPPATCH [PDWebPI]M
MKCOL [PDWebPI]N
yZks URI(x;GyZ/OD%vI1)Z( WebDAV Yw#mb,?V'V;
)d|D WebDAV Yw:
v COPY * U/1h* [PDWebPI]R,TcITA!0A!T1#;li?DXDmI
(#
v MOVE * bITO*GHxP4F,;sxP>}#T}ZxPF/D/Oh*
[PDWebPI]Rd#;li?DXDmI(#
1! /PDWebPI ACL _T
Access Manager Plug-in for Web Servers ACL DKDu? default-pdwebpi |(:
Group iv-admin Tcmdbva[PDWebPI]rmdNRM
User sec_master Tcmdbva[PDWebPI]rmdNRM
Any-other T[PDWebPI]rmdNRM
Unauthenticated T[PDWebPI]rmdNRM
201,K1! ACL a=S=TsUdPD /PDWebPI ]wTs#
izmI(Jmg Web Portal Manager Py>)9 Web Ud#PmmI(Jm Web
Portal Manager T> Web UdDZ]#
}N%wG<_T
TyZ LDAP D Access Manager 20ICD}N%wG<_T,(}8('\G<"
TDnsN}MM#Tbx1d,9zIT@9Fcz\k%w#K_T4(;Vu
~,dPC'XkZxP|`D'\G<"T0H};N1d#}g,_TITf( 3
N'\"T,sz 180 kD&##bVG<_T`MIT@9?k`NvVDfzFc
zzIDG<"T#
}N%wG<_Th*=v pdadmin _T|nhCD2,wC:
v '\G<"TDnsN}
policy set max-login-failures
v ,}'\G<"ThCD&#
policy set disable-time-interval
&#hCIT|,J'x(1ddtrTj+{CJ'#
g{G<_ThC(w*>})*}N'\"TszEX(x(1d&#,rZDN
"T(^[}7kq)+<Bms3f,5wJ'r\k_T]1;IC#
1ddtTk*%;8( * n!(i1ddt* 60 k#
g{ disable-time-interval _ThC*0disable1,rC';xZJ'.b,RKC'
D LDAP account valid tThC*0no1#\m1(} Web Portal Manager XBt
CJ'#
":+ disable-time-interval hC*0disable1<BnbD\m*z#+ account validE"4F=e~1IT[l=SY#bViv!vZ LDAP 73#mb,IZ
account valid |BYw,X(D LDAP 5VI\-zT\B5#IZb)-r,
(i9C,11ddt#
|no(
TB pdadmin |nvJOCZ LDAP "am#
m 22. pdadmin LDAP G<_T|n
|n hv
policy set max-login-failures {number|unset} [-user username]
policy get max-login-failures [-user username]
\mXF)S�yJmDns'\G<"TN}D
_T#K|n!vZ policy set disable-time-interval |
nPhCD&##
w*\m1,ITTX(C'&CK_T,rT LDAP
"amPPvDyPC'+V&CK_T#
1!hC* 10 N"T#
policy set disable-time-interval {number|unset|disable} [-user username]
policy get disable-time-interval [-user username]
Z 5 B IBM Tivoli Access Manager Plug-in for Web Servers 2+T_T 61
m 22. pdadmin LDAP G<_T|n (x)
|n hv
\m&#_T,XFg{=o'\G<"TnsN}s
J'&{CD1d\Z#
w*\m1,ITTX(C'&CK&#_T,rT
LDAP "amPPvDyPC'+V&CK_T#
1!hC* 180 k#
\k?H_T
Access Manager yZ LDAP D20a)=VXF\k9lD==:
v ev pdadmin \k_T|n
v Jm(F\k_TDIekO$#i(PAM)
kN< Access Manager Authorization C API Developer’s Reference
pdadmin 5CLrhCD\k?H_T
(} pdadmin 5CLr5VDev\k?HtT|(:
v n!\k$H
v n!V8V{}
v n!GV8V{}
v nsX4V{}
v JmUq
9C pdadmin r Web Portal Manager 4(C',9C pdadmin"Web Portal Manager
r pkmspasswd 5CLr|D\k1,5)b)_T#
|no(
TB pdadmin |nvJOCZ LDAP "am#unset hC!n{CK_TtT * 4
;5)K_T#
m 23. pdadmin LDAP \k?H|n
|n hv
policy set min-password-length {number|unset} [-user username]
policy get min-password-length [-user username]
\mXFn!\k$HD_T#
w*\m1,ITTX(C'&CK_T,rT1!"
amPPvDyPC'+V&CK_T#
1!hC* 8#
policy set min-password-alphas {number|unset} [-user username]
policy get min-password-alphas [-user username]
\mXF\kPJmDn!V8V{}D_T#
w*\m1,ITTX(C'&CK&#_T,rT1
!"amPPvDyPC'+V&CK_T#
1!hC* 4#
policy set min-password-non-alphas {number|unset} [-user username]
policy get min-password-non-alphas [-user username]
\mXF\kPJmDn!GV8(}V)V{}D_
T#
w*\m1,ITTX(C'&CK_T,rT1!"
amPPvDyPC'+V&CK_T#
1!hC* 1#
policy set max-password-repeated-chars {number|unset} [-user username]
policy get max-password-repeated-chars [-user username]
\mXF\kPJmDnsX4V{}D_T#
w*\m1,ITTX(C'&CK_T,rT1!"
amPPvDyPC'+V&CK_T#
1!hC* 2#
policy set password-spaces {yes|no|unset} [-user username]
policy get password-spaces [-user username]
\mXF\kPGqIT|,UqD_T#
w*\m1,ITTX(C'&CK_T,rT1!"
amPPvDyPC'+V&CK_T#
1!hC* unset#
P'M^'D\k>}: Bm{vyZev pdadmin N}1!5DtI\k>}M_
Ta{:
m 24. \k>}
>} a{
password ^':XkAY|,;vGV8V{#
pass ^':XkAY|, 8 vV{#
passs1234 ^':|,=vTODX4V{#
12345678 ^':XkAY|,DvV8V{#
password3 P'#
X(C'M+VhC
ITTX(C'(9C - user !n)r+V((};C - user !n)hC pdadmin_T|n#NNX(ZC'DhC<2G_TD+VhC#2IT{C(unset)_T
N},bb6EKN};|,NN5#;lir5)NN_P unset !nD_T#
}g:
pdadmin> policy set min-password-length 8
pdadmin> policy set min-password-length 4 -user matt
pdadmin> policy get min-password-length
Minimum password length: 8
pdadmin> policy get min-password-length -user matt
Minimum password length: 4
(C' matt Dn!\k$H_T* 4 vV{;d|yPC'Dn!\k$H_TG 8
vV{#)
pdadmin> policy set min-password-length unset -user matt
(VZC' matt \= 8 vV{D+Vn!\k$H_TD\m#)
pdadmin> policy set min-password-length unset
(yPC',|(C' matt VZ^n!\k$H_T#)
O$?H\#$Ts_T(]})
O$?H\#$Ts_T(POP)9yZTs9CDO$=(XFTTsDCJI*
I\#
IT9CK&\(P1F*]}O$)7#CJ|*tPJ4DC'9C|?DO$
zF#IZ;1CJDOs~2,zI\#{9CKu~#
}g,IT(}&C]} POP _T(Zu<xke~r1h*HM'zy9CDO$
|_6pDO$)T Web UdDxra)|_D2+T#
2IT* Web ~qwOD?vX(ibwzhC]}O$,Jm%vibwz9Cd
T:D]}O$6p,x;X~S~qw6'D_T5V#
O$?H_TGZ POP _TD0IP KcO$=(1tTPhCD#
dC]}O$6p
dCX(ZO$DCJDZ;=GdC'VDO$=("7(3r,b)O$=(&
4K3rS*|?s#XZdCO$zFDj8E",kNDZ 27 3DZ 4 B, :IBM
Tivoli Access Manager Plug-in for Web Servers O$;#
(}e~CJ Web ~qwDNNM'z<_PO$6p,}g04O$1r0\k1,
8>M'zns;N(}e~O$19CD=(#
Z3)ivB,I\PX*5)CJX( Web UdTsyhDnM02+16pO$#
}g,Z373P,(}nF(PzkxPDO$ITS*H(}C'{M\kxP
DO$|2+#m;v73IT_P;,Dj<#
k?FM'zZ4zcXhDO$6p1XBt/da0;,,]}O$zFa)M
'zm;Nza9Cyh=((6p)xPXBO$#
]}O$b6EC'"TCJh*HdG<1_PDO$6p0|_1DO$6p
1,;a"4rdT>0\x1{"#xrdT>BDO$a>,ks'V|_O$
6pDE"#g{{GITa)KO$6p,rJmdu<ks#
Access Manager Plug-in for Web Servers 6p`VO$=((6p),CZ]}O$z
F:
v 4O$
v m%
v IP X7
v HTTP 7
v nF
v $i
v IV 7
v JO*F cookie
Z pdwebpi.conf dCD~D [authentication-levels] r
[authentication-levels:virtual_host_label] ZPdCO$6p#}g:
[authentication-levels]
1 = BA
2 = iv-headers
3 = cert
y]PmP=(D3r,T?V=(Vd6pw}#
v 4O$Y(6p* 0#
v sL=(ITNb3rEC#kNDZ 66 3D:]}O$"bBnM^F;
v 1!ivB,y>O$dC*6p 1#
v *tC]}O$,XkAYP=vu?#
v (}9Cq=* [authentication-levels:virtual_host_name] DZ8(6p,IT*X
(ibwzhCO$zF6p#
":XZhCyhO$zFDj8E",kNDZ 27 3DZ 4 B, :IBM Tivoli Access
Manager Plug-in for Web Servers O$;#
tC]}O$
]}O$G(}Z*sO$tPZ(DTsOyECD POP _Tx5VD#9C POP
_TD0IP KcO$=(1tT#
pdadmin pop modify set ipauth |n8( IP KcO$=(tTPJmDxgMy
hDO$6p#
QdCDO$6pI4S= IP X76'#K=(D?DGa)\minT#g{4 IP
X7}KC'";X*,rIT anyothernw(Nbd|xg)hC%;u?#KhC
+0lyPCJC'(;\ IP X7),"*s{G48(6pxPO$#bG5V]
}O$Dn#C=(#
o(:
pdadmin> pop modify pop_name set ipauth anyothernw level_index
anyothernw u?Cwxg6',K6'+k4Z POP PmP8(DyPxg%d#
K=(CZ4(1!u?,Ku?I\xyP;%dD IP X7,rJmzcO$6p
*sDNNKxPCJ#
1!ivB,anyothernw TO$6pw} 0 vVZ POP P#Z pop show |nP
Ku?T>*0Nbd|xg1:
pdadmin> pop show test
\#$Ts_T:test
hv:Test POP
/f:no
sF6p:none
#$6p:none
?UDCJ1d:sun, mon, tue, wed, thu, fri, sat:anytime:local
IP KcO$=(_T
Nbd|xg 0
>}
1. Z pdwebpi.conf PdCO$6p:
[authentication-levels] r [authentication-levels:virtual_host_label]
1 = BA
2 = token
2. dC0IP KcO$=(1POP tT:
pdadmin> pop modify test set ipauth anyothernw 2
pdadmin> pop show test
\#$Ts_T:test
hv:Test POP
/f:no
sF6p:none
#$6p:none
?UDCJ1d:mon, wed, fri:anytime:local
IP KcO$=(_T
Nbd|xg 2
by,C'CJIbT POP #$DTsh*6p 2 O$,r_+?F9CnF=
(xPO$#
m{Z 68 3D:yZxgDO$\#$Ts_T;#
]}O$"bBnM^F
1. HTTP M HTTPS O<'V]}O$#
2. ;\S HTTP -i]}= HTTPS#
3. [authentication-levels] ZP48(DO$=(1!*6p 1#
4. O$=(;\Z6pPmP8(;N#
5. T]}O$6pDmsdC<B{Ce~PD]}&\#bVivI\}pbbD
O$P*,}gT POP #$DTs"v\kG<3f,K POP h*nF(Pzk
O$=(#
dC]}O$zFs,kli pdwebpi.log D~,Tq!XZNNdCmsD(f#
XBO$\#$Ts_T
Access Manager Plug-in for Web Servers IT?FC'4P=SG<(XBO$),T
7#CJ\#$J4DC'MnuZa0*<WNO$DG,;vK#\#$TsO
D\#$Ts_T(POP)ra0_Y:fGn/,15=Z<IT$nXBO$#
>ZV[ POP )9tT8(DyZ2+T_TDXBO$#XZdCa0/>$_Y
:fDj8E",kNDZ 35 3D:dCe~a0/>$_Y:f;#
0l POP XBO$Du~
?FDXBO$T2+rPDtPJ4a)=S#$#yZ2+T_TDXBO$I
POP PDX()9tT$n,K POP #$yksDJ4Ts#POP IT1S=S=T
sO,r_TsITS8TsLP POP u~#TBe~O$=('VXBO$:
v m%(C'{M\k)O$
v nFO$
mb,IT`4(FDC'{/\k CDAS T'VXBO$#
XBO$Y(C'-HQ-G<=2+r,"RfZKC'DP'>$#ZXBO$
xLP,C'Xk9CMzIVP>$`,Dm]xPG<#XBO$Zd,Access
Manager #tC'-HDa0E",|(>$#XBO$xLP;f;>$#
ZXBO$}LP,e~9_Y:fa>XBO$Dks#XBO$I&1,_Y:
f}]CZXB9(ks#
g{XBO$'\,re~YN5XG<a>#g{XBO$I&,+ ACL liTK
J4'\,r5X 4030{9CJ1"R\xC'TyksJ4DCJ#ZN;ivB,
C'S;"z#9CT;P'D>$,C'ITl#U9XBO$xL((}ksm
;v URL)"(}CJd|;h*XBO$DJ4@INk2+r#
IT9CdC4;e~a0_Y:fP'ZF1w#mb,9ITdCm^Z,Jm
XBO$xLPc;1dZa0_Y:fP'Z,1=Z.0jI#XZj8E",
kNDZ 35 3D:dCe~a0/>$_Y:f;#
4(M&CXBO$ POPyZ2+T_TD?FXBO$(}4(_P{*0reauth1DXb)9tTD\#$
Ts_T(POP)dC#IT+K POP =S=NNh*?FXBO$a)Dnb#$D
TsO#
kG!_P POP DTsDyPS2LP POP u~#?vksDSTsh*%@DX
BO$#
9C pdadmin pop create"pdadmin pop modify M pdadmin pop attach |n#
TB>}{vC reauth )9tT4({*0secure1D POP "+d=S=TsO:
pdadmin> pop create secure
pdadmin> pop modify secure set attribute reauth true
pdadmin> pop attach /PDWebPI/hostA/budget.html secure
NN"TCJ budget.html DK<;?H9CMzIVP>$`,Dm]MO$=(x
PXBO$#
g{ksJ4DC'4O$,r POP ?FC'xPO$#?NTXBO$_Ty#$
TsDCJ<h*XBO$#
g{?<PDs`}Ts<h*XBO$(!\P;);h*),nC+ POP =S=
{v?<,|(0reauth1)9tT#TZG);h*XBO$DTs,*d=Sk?
<`,D POP,+;|,0reauth1)9tT#
XZ pdadmin |nP5CLrDj8E"ITZ6IBM Tivoli Access Manager Base
\m18O7PR=#
yZxgDO$\#$Ts_T
yZxgDO$\#$Ts_T(POP)_T9CyZC'D IP X7XFTTsDC
JI*I\#IT9CK&\h9X( IP X7(r IP X76')CJ2+rPDN
NJ4#
2ITK_T&C]}O$dC,"T?v8(D IP X76'*sX(O$=(#
yZxgDO$_TGZ POP _TD0IP KcO$=(1tTPhCD#XkZKt
TP8(=v*s:
v O$6p
v JmDxg
XZ8(dC6pDj8E",kNDZ 64 3D:dC]}O$6p;
8( IP X7M6'
dCO$6p.s,Xk8(K POP _TyJmD IP X7M IP X76'#
pdadmin pop modify set ipauth add |nZ0IP KcO$=(1tTP,18(
Kxg(rxg6')MyhO$6p#
o(:
pdadmin> pop modify pop_name set ipauth add network netmask level_index
QdCDO$6p4S= IP X76'#K=(D?DGa)inT#g{4 IP X7
}KC'";X*,rIT anyothernw(Nbd|xg)hC%;u?#KhC+0
lyPCJC'(;\ IP X7),"*s{G48(6pxPO$#
o(:
pdadmin> pop modify pop_name set ipauth anyothernw level_index
`4,g{#{vTO$6p"Rv#{yZ IP X7Jmr\xCJ,rIT*Jm
D6'9C6p 0,T*\xD6'9C0forbidden1#
anyothernw u?Cwxg6',K6'k4Z POP PmP8(DyPxg%d#K
=(CZ4(1!u?,Ku?I\xyP;%dD IP X7,rJmzcO$6p*
sDNNKxPCJ#
1!ivB,anyothernw TO$6pw} 0 vVZ POP P#Z pop show |nP
Ku?T>*0Nbd|xg1:
pdadmin> pop show test
\#$Ts_T:test
hv:Test POP
/f:no
sF6p:none
#$6p:none
?UDCJ1d:sun, mon, tue, wed, thu, fri, sat:anytime:local
IP KcO$=(_T
Nbd|xg 0
XZhCO$6pD|j8V[,kNDZ 64 3D:dC]}O$6p;#
>}
*s IP X76'* 9.0.0.0 RxgZk* 255.0.0.0 DC'9C6p 1 O$(1!i
vBG0password1):
pdadmin> pop modify test set ipauth add 9.0.0.0 255.0.0.0 1
*sX(C'9C6p 0 O$:
pdadmin> pop modify test set ipauth add 9.1.2.3 255.255.255.255 0
h9yPC'(}KgOv>}P8(DG))CJTs:
pdadmin> pop modify test set ipauth anyothernw forbidden
{C4 IP X7D]}O$
o(:
pdadmin> pop modify pop_name set ipauth remove network netmask
}g:
pdadmin> pop modify test set ipauth remove 9.0.0.0 255.0.0.0
yZxgDO$c(
Access Manager Plug-in for Web Servers 9CTBc(&m POP PDu~:
1. li POP PD IP KcO$=(_T#
2. li ACL mI(#
3. li POP PD?U1d_T#
4. li POP PDsF6p_T#
#$6p\#$Ts_T
#$6p\#$Ts_T(POP)tTJmz8(ZTsO4PYw1yhD}]#
$6p#
pdadmin> pop modify pop_name set qop {none|integrity|privacy}
m 25. QOP 6phv
QOP 6p hv
privacy *s}]S\(SSL)#
integrity 9C3)zF7#}]P4|D#
none 49CNN}]#$=(#
}g:
pdadmin> pop modify test set qop privacy
T ACL v_D0G1l&2|,yhD#$6p1,#$6p POP tTJm5V%
vBq#g{e~^(#$yhD#$6p,r\xks#
&m4O$C'(HTTP/HTTPS)
Access Manager Plug-in for Web Servers S\4T HTTP M HTTPS OO$M4O$
C'Dks#;se~@5 Authorization Server 5)2+T_T,=(GJmr_\
xT\#$J4DCJ#
TBu~JCZT SSL _PCJ(D4O$C':
v 4O$C'Me~.dDE";;GS\D * g,kQO$C'D;;#
v 4O$C'Me~.dD SSL ,Svh*~qwKO$#
&m4Td{M'zDks
1. d{M'z(}e~r Web ~qwavks(9C HTTP r HTTPS)#
2. e~*KM'z4(4O$D>$#
3. ksT0K>$Lx=\#$D Web Ts#
4. Authorization Server liKTs ACL 4O$u?DmI(,Jmr\xyksD
Yw#
5. TKTsDI&CJ!vZAY|,A!(r)Miz(T)mI(D4O$ ACL u
?#
6. g{ks<BZ(v_'\,rM'zSU=G<m%(yZ BA rm%)#
?FC'G<
(}Z#$yksTsD ACL _TPD4O$u?O}7hCJ1mI(,IT?F
4O$C'G<#
A! [PDWebPI]r Miz(T)mI(JmTTsD4O$CJ#
*?F4O$C'G<,kS#$TsD ACL _TPD4O$u?P}%A!
[PDWebPI]r mI(#C'SU=G<a>(yZ BA rm%)#
&C4O$ HTTPS'VT HTTPS Oe~v?M Web ~qwD4O$CJPm`5JDL5mI:
v ;)&CLr;h*vKG<,4h*tPDE",}gX7MEC(E#>}|
(Z_:rIz1Md|L7#
v ;)&CLrh*ZITLxx;=;W.0H"aK5qDJ'#,y,Xk(
}xg+]tPE"#
C ACL/POP _TXF4O$C'
":0any-authenticated1u?`MH,Z0any-other1u?`M#
1. *Jm4O$C'CJ+2Ts,k9CAY|,4O$M+O$u?DA!
[PDWebPI]r Miz(T)mI(D ACL #$+2Z]#
unauthenticated T[PDWebPI]rany-authenticated T[PDWebPI]r
":7(mI(1,unauthenticated u?GT any-authenticated u?DZk(p
;0k1Yw)#v1 unauthenticated DmI(Z any-authenticated u?
P2vV1EZhKmI(#IZ unauthenticated !vZ
any-authenticated,yT ACL |, unauthenticated x;|,
any-authenticated Dbe;s#g{ ACL 75|, unauthenticated x;
|, any-authenticated,r1!l&G;r unauthenticated ZhNNmI
(#
2. **sS\(SSL),k9C8( privacy w*u~D\#$Ts_T(POP)#$
Z]#
kNDZ 69 3D:#$6p\#$Ts_T;#
Z 6 B Web %;"abv=8
+ Access Manager Plug-in for Web Servers w*Z(~q5VTT2+ra)#$1,
(#h*a)%;"a=KrPJ4Dbv=8#>BV[CZ Access Manager Plug-in
for Web Servers #$D Web UdD%;"abv=8#
wbw}:
v :%;"aEn;
v :T/"a=\#$D&CLr;
v Z 75 3D:S WebSEAL rd|zm%;"a=e~;
v Z 76 3D:9CJO*F cookie xP%;"a;
%;"aEn
\#$J4;Ze~v?M Web &CLr~qwO1,IT*sksKJ4DM'z
ZCJ;,2+&CLr14P`NG<#?NG<\I\h*;,DG<j6#
\mM,$`vG<j6DJb(#ITC%;"a(SSO)zFbv#SSO JmC'
v9C;v-<G<CJJ4#Web ~qwOJ4DNNx;=G<ksD&mTC'
<G8wD#
10,Access Manager Plug-in for Web Servers 'VDVw*D%;"ae5a9#b
)e5a9*:
1. ;vT~qwOD`v2+&CLra)%;"aDe~5}#
2. S WebSEAL rd|/PzmLr(g WAP xX)%;"a=e~#
3. 9CJO*F cookie Z;,r.da)%;"a#
4. gSgx%;"a,dPC'O$;N""xnF,KnFJmdCJribgx
PDd|rx;h*XBO$#
>BPV[0}v SSO =8#ZDv=8GB;BDwb#
T/"a=\#$D&CLr
IT9C HTTP 7M LTPA cookie(&CLr* WebSphere Application Server 1)
q!T~qwO\e~5}#$D&CLrD SSO#
M'zDu<O$.s,e~IT9( HTTP 7,dP|,M'zm]E",ICZT
/O$T#$~qwOKPD&CLr#(}`F==,LTPA cookie ICZq!T
Web &CLr~qw(g WebSphere)D SSO#
dC%;"a9C HTTP 7#$&CLr
CZ"a=&CLrD HTTP 7I iv-headers sZ(#izI#IzID7/O\F
* IV 7#
I&Z(C'kss,e~IT+(eM'zj6D IV 7ekksP,)&CLr&
m#ksI\#$ Web ~qww\D&CLr&m1,K7E"ICwC'j6D$
w#?NCJBD2+&CLr1,C'MITb%G<DX*#
g{dCCZsZ(&m,r IV 7f;v";)ryP iv-user"iv-user-l"
iv-creds"iv-groups"iv-remote-address"HTTP 7`M;pek#BmPhvKb)7`
M#
m 26. IV 7VNhv
IV 7VN hv
iv-user Access Manager C'DrL{F#g{M'z4O$(4*),
r1!*4O$#
iv-user-l C'Dj{r{($Mq=)#}g LDAP (P{F#
iv-groups C'ytiPm#
iv-creds `kD;8w}]a9,zmC'D Access Manager >$#
iv-remote-address M'zD IP X7#K5ITzmzm~qwrxgX7*;Lr
(NAT)D IP X7#
tCM{CzI IV 7
*9e~IT+ IV 7ekQZ(Dks,h*dCe~9C IV 7xPsZ(&m#
pdwebpi.conf dCD~PD [common-modules] Z(eyPO$=(DC(#*t
C IV 7CZsZ(&m,k+ pdwebpi.conf dCD~P [common-modules] ZP
DX|V5 iv-headers VdxN} post-authzn#4:
[common-modules]
post-authzn = iv-headers
dC IV 7N}
IV 7O$N}Z pdwebpi.conf dCD~D [iv-headers] ZPdC#
generate N}8(*"zmks1+zID IV 7`M#1!ivB,*"zmks
1e~zIyP`MD IV 7#P'!n*:all"iv-creds"iv-user"
iv-user-l"iv-remote-address#*dk`v7`M,k9C:EVt5#
}g:
[iv-headers]
generate = iv-creds,iv-user,iv-user-l
9C LTPA cookie %;"a= WebSphere Application Server
20e~w* WebSphere Application Server D#$c1,CJDM'zfT=v1Z
DG<c * WebSphere ~qDe~M2+&CLr#*ZKivB*a)%cG<,
ITdCe~zIyZ cookie Da?6Z}=O$(LTPA)zF,"Qd+]='V
LTPA cookie D Web &CLr~qw#
C'"vT~qwOJ4Dks1,C'XkWHTe~xPO$#O$I&1,e
~zmC'zI LTPA cookie#w* Web &CLr~qwDO$nFD LTPA cookie
|,C'j6M\kE"#KE"C;Ve~M&CLr~qw.d2mD\\k#
$D\?xPS\#
e~+ cookie ek=ksD HTTP 7P,Kks"M= Web &CLr~qw#&C
Lr~qwSUks,T cookie xPb\,"y] cookie Pa)Dj6E"O$C
'#
*a_T\,e~+ LTPA cookie f"Za0_Y:fP,"T,;C'a0ZdD
sxks9C_Y:fD LTPA cookie#XZhCa0_Y:fDN}Dj8E",k
NDZ 35 3D:dCe~a0/>$_Y:f;
dC9C LTPA cookie %;"a= WebSphere
9C LTPA cookie 5V%;"a='V LTPA cookie D&CLr~qwGe~sZ(
&mD;?V#*tCK&\,kT pdwebpi.conf dCD~D [common-modules]ZPDN} post-authzn Pdk|5 ltpa;4:
[common-modules]
post-authzn = ltpa
LTPA cookie dCGZ pdwebpi.conf dCD~D [ltpa] ZP4PD#TBN}h*
dC#
m 27. LTPA dCN}.
N} hv
ltpa-keyfile CZS\ cookie Py|,j6E"D\?D~D+76
{#
ltpa-stash-file \kf"D~D;C#g{^\kf"D~fZ,r&!{
"MKu?#
ltpa-password \kf"D~;fZ1*9CD\k#
ltpa-lifetime LTPA cookie DP'Z(k)#
LTPA %;"aD<u"bBn
v \?D~|,XZX( Web &CLr~qwDE"#g{r,;e~mS`v&C
Lr~qw,ryP~qw+2m`,D\?D~#
v *9%;"aI&,e~M&CLr~qwXkT3V==2m`,D"amE
"#
v &CLr~qw:phC LTPA M4(2mD\?#
S WebSEAL rd|zm%;"a=e~
1e~v?M Web ~qwSU=4TIE&CLr(g WebSEAL r`74C/Pz
mLr)Dks1,IV 7I\aek*S=e~DksP#IV 7|,j6p<M'z
DE",x;G*S~qwDE"#7PDE"CZ9lp<M'zD>$,TCZ
Z(#
g{dCe~9C IV 74PM'zO$,re~9CSBqksPR=D IV 7Pi
!Dm]4(M'z>$#IZM'z1l IV 7\]W,yTvZO$ksPhC09
C~6O$Lr1j>1E4(byD>$#
TZO$,ITdC IV 7Z(}zmSU1S\ksPD;v";)ryP
iv-user"iv-user-l"iv-creds r iv-remote-address 7,w*O$D$]#iv-remote-address
7CZG<C'Df}6LX7#b) IV 7`MI Access Manager M WebSEAL 6
p#
m 28. IV 7VNhv
IV 7VN hv
iv-user M'zDrL{F#g{M'z4O$(4*),r1!*4O
$#
iv-user-l C'Dj{r{($Mq=)#
iv-groups M'zytiPm#
iv-creds `kD;8w}]a9,zm Access Manager >$#
iv-remote-address M'zD IP X7#K5ITzmzm~qwrxgX7*;Lr
(NAT)D IP X7#
*Kw*M'zj6D$wS\,WebSEAL rd|zm>mXkQre~O$#b(
#G(}zmMe~#$D Web ~qw.d`%O$D SSL ,S5VD#
dC IV 7%;"a= Access Manager Plug-in for WebServers
tCM{C9C IV 7DO$
pdwebpi.conf dCD~PD [common-modules] Z(eyPO$=(DC(#*t
C9C IV 7DO$,k+}C0iv-header1Vdx authentication N};4:
[common-modules]
authentication = iv-header
dC IV 7N}
IV 7O$N}Z pdwebpi.conf dCD~D [iv-headers] ZPdC#
accept N}8(S\CZ4P IV 7O$D IV 7`M#1!ivB,e~S\yP
`MD IV 7#P'!n*:all"iv-creds"iv-user"iv-user-l"iv-remote-address#*dk
`v7`M,k9C:EVt5#
}g:
[iv-headers]
accept = iv-creds,iv-user
9CJO*F cookie xP%;"a
*sZ(&mdCJO*F cookie s,e~ZX(Z~qwrGr6'D cookie PT
M'zD>$}]xPS\#M'zZ;N,S1,cookie EZ/@wO#M'z"T
CJrPDm;v2+~qw1,cookie a)xM'zX(r=DB;v~qw#cookie
CZT/XBO$,byM'z;X4PV/XBO$DNq#Q4F~qwODe
~2m;+2\?,K\?b\ cookie Py,D>$E",("Ba0#
tC9CJO*F cookie D%;"a
ITdCJO*F cookie 4PO$MsZ(Nq#
dC*9CJO*F cookie xPsZ(&mDe~T>$xPS\,"+dw*JO*
F cookie f"ZBql&P#
dC*9CJO*F cookie 4PO$De~CBqksPR=DJO*F cookie PD
S\>$XBO$M'z#
*9CJO*F cookie tC SSO,XkdCJO*F#ixPO$MsZ(#+}C
0failover1VdxdCD~ [common-modules] ZPD authentication M
post-authzn N};4:
[common-modules]
authentication = failover
post-authzn = failover
":dCd|O$zFT0JO*F cookie 1,Xk+JO*F cookie O$dC*u
<O$=(#
dCJO*F cookie N}
JO*F cookie O$N}Z pdwebpi.conf dCD~D [failover] ZPdC#
failover-cookies-keyfile N}8(CZTJO*F cookie PD>$}]xPS\Mb
\DD~#}g:
[failover]
failover-cookies-keyfile = failover.key
\?D~Xk9C;Z install_path/bin ?<PDLr pdwpi-cdsso-key-gen 4(#
C(:
./pdwpi-cdsso-key-gen key_file_name_to_create
failover-cookies-lifetime N}(eP'D failover-cookie P'Z(V)#bG8 cookie
4(M cookie {C.dD1d#1!5* 30 VS#
[failover]
failover-cookies-lifetime = 30
enable-failover-cookie-for-domain N}tCr_{C cookie Z{vrPDP'T#
*q!TrPyP~qwD SSO,k+KN}hCI true#
}g:
[failover]
enable-failover-cookie-for-domain = true
Z 7 B gSgx%;"a
5V Access Manager Plug-in for Web Servers Ta)T2+rD#$1,(#h*a
)TJ4%;"aDbv=8#>BV[e~gSgx%;"abv=8#
wbw}:
v :i\gSgx%;"a;
v Z 80 3D:gSgx%;"a&\M*s;
v Z 80 3D:gSgx%;"axLw;
v Z 81 3D:mbgSgx cookie;
v Z 82 3D:mb0$51ksM&p;
v Z 82 3D:mb0$51nF;
v Z 83 3D:S\0$51nF;
v Z 83 3D:dCgSgx;
v Z 85 3D:dCgSgx%;"a * >};
i\gSgx%;"a
Access Manager Plug-in for Web Servers gSgx%;"a&\JmC'CJ`vrP
`v~qwODJ4,x;h*XBO$#
0gSgx1G;iNkL5X5D;,Dr(Access Manager r DNS)#b)NkD
rITdC*;nL5D;?V("RIZXm-rI\9C;,D DNS {F),r
dC*5P2mX5D;,5q(}g+>\?"KY#U+>MFq\m+>)#
ZN;=8P,\P;vr8(*0w1r0yP_1r#ZNk5qDivB,w
r5P\mgSgxDL5-i#
Z=V=8P,XZNkgSgxDC'DO$E"(|(CZO$DC'{M\
k)GZwrP,$D#bV2EJmT\mJbD%c}C,}ggSgxPDo
z@fwC,|G<8rwr#
w*!q,ITC Access Manager Web Portal Manager /ITKE"D\m,byN
kr:p\mdT:DC'#
wr05P1C' * 4XFC'DO$E"#^[C'ZN&ksJ4,wr<UG
C'XkxPO$DX=#
TwO$~qw(MAS)xPO$ * ;ZwrP"RdC*O$yPC'D~qw
(r4F~qw/O)#MAS D0p&^F*a)O$~q#MAS ;C|,TC'I
CDJ4#
;)C'r MAS I&O$,MAS MzI0$51nF#KnF+XC'"vksD
~qw#~qw+K0$51nFS*$w,$5C'QI&r MAS O$"ITNk
gSgx#
gSgxr.dDE"*FZ:gSgx%;"axLw;;ZPj8hv
gSgx%;"a&\M*s
v gSgx&\'V(}1SJ4 URL(i))xPCJ#
v 5VgSgxh*TNkgSgxDyPrPDyPe~xP;BDdC#
v NkgSgxDyPC'T;ZwrPD%vwO$~qw(MAS)xPO$#
v g{C';P MAS DP'J',rgSgx5VJmZ6LrPxP0>X1O
$#
ksG MAS(+Nk)rPDJ41,r MAS O$'\DC'IT!qr"vk
sD>X~qwO$#
v MAS(nsG6LrPd|y!~qw)0$51C'DQO$j6#
v X(ZrD cookie CZj6ITa)0$51~qD~qw#bJm6LrPD~
qwZ>Xks0$51E"#gSgx cookie DS\Z];|,C'j6r2+
TE"#
v XbnFCZ+]S\D0$51C'j6#0$51nF;|,5JDC'O$E
"#j{TI2m\?a)(}6 DES)#nF|,^FnFP'TVx1dD,1
(P'Z)5#
v HTTP M HTTPS O<'VgSgx5V#
v %vgSgxr\mdT:C'Dj6MX*X(#IT9Cgr3d&\
(CDMF)API +6LrPDC'3d=>XrPDP'C'#
g{gSgxr2m+VC'j6,r;h*K3d&\#
v gSgxDdCZ?vNke~D pdwebpi.conf D~PhC#
gSgx%;"axLw
gSgxIe~v?MwO$~qw(MAS)Mw*gSgxD=Se~v?M~q
wiI#gSgxD5VyZ0$5153#(#,14O$C'(}e~ksJ4
1,aa>{Ga)O$E"#ZgSgxdCP,e~~qwj60$51~qw
"SK0$51~qwksC'QO$Di$#0$51~qwf"C'DP'>$
E"#
TZC'DZ;Nks,0$51~qw<UG MAS#MAS Lxw*;ZwrPDJ
4D0$51~qw#fEC'LxZgSgxZksJ4,?v6LrPD%v~
qw<IT*C'9(dT:D>$(y]4T MAS DC'j6E"),"#Ndr
PJ4D0$51~qwG+#
TO>}T>fZZgSgxPD=vr,MOO rM FOO r#TBxLZC'Z;
NG<=gSgxPD2+ Web >c1"z:
1. C'ksT Web ~qw ww1.moo.com ODJ4xPCJ#e~9Xks"7O
ww1.moo.com QdCI boo-foo-moo gSgxD;?V#S ww1.moo.com dCP
j6gSgxPD MAS ~qw#
2. ks+]= MAS * www.boo.com#MAS zm ww1.moo.com O$ks,""v
0$51nF,KnFI*C'DgSgxj6#nFPDC'j6E"GS\
D#
3. MAS +0$51nF"M= ww1.moo.com#ww1.moo.com +K0$51nFS*
$w,$5C'QI&r MAS O$,VZITyZ#fZ(XFCJyksDJ
4#
mbgSgx cookie
v gSgx cookie GIe~hCDX(ZrD cookie /O,f"ZC'/@wDZf
P,"ZsxksP+M=d|e~5}(,;rP)#
v X(ZrD cookie |,0$51~qwD{F"gSgxj6"0$51~qwD
;C(URL)M&\T0P'Z5#cookie ;|,C'E"#
< 7. G<=gSgx#
v gSgx cookie JmNkrPD~qwZ>Xks0$51E"#MAS y$tDr
DgSgx cookie DwC;Pb4X*#
v cookie _PZ pdwebpi.conf dCD~PhCDP'Z(,1)5#KP'Z58(
6L~qwIT*C'a)0$51E"D1d$H#cookie P'Z=Z1,C'X
kX(r MAS TxPO$#
v XU/@w1,cookie SZfe}#g{C'SX(rP"z,rgSgx cookie 2
G*U#KYwP'X+dS/@wP}%#
mb0$51ksM&p
gSgx0$51Ywh*(CD&\,K&\(}=vXb9lD URL CJ:0$
51ksM0$51&p#b) URL GZgSgx0$51HTTP X(rZdy]
pdwebpi.conf PDdCE"9lD#
0$51ksC'S;|,dNN>$E"D?j~qw(*gSgxdC)ksJ41,%"
0$51ks#~qwr0$51~qw(MAS rgSgx cookie P8(D~qw)
"M HTTP X(r#
0$51ks|,TBE":
https://vouch_for_server/pkmsvouchfor?ecommunity_name&target_url
SU=~qwli ecommunity_name Ti$gSgxj6#SU=~qw9C0$51
&pPD target_url +/@wX(r=-HksD3f#
pkmsvouchfor0$51URL GIdCD#
}g:
https://www.boo.com/pkmsvouchfor?companyABC&https://ww2.foo.com/index.html
0$51&p
0$51&pG0$51~qwT?j~qwDl&#
0$51&p|,TBE":
https://target_url?PD-VFHOST=vouch_for_server&PD-VF=encrypted_token
PD-VFHOST N}8(4P0$51YwD~qw#SU=(?j)~qw9CKE"
!qb\0$51nF(PD-VF)yhD}7\?#PD-VF N}zmS\D0$51n
F#
}g:
https://ww2.foo.com/index.html?PD-VFHOST=www.boo.com&PD-VF=3qhe9fjkp...ge56wgb
mb0$51nF
*5Vgr%;"a,XkZ~qw.d+];)C'j6E"#KtPE"IX(
r&m,X(r|,S\w* URL ;?VDj6E"#KS\}]F*0$51nF#
v nF|,0$51I&r'\4,"C'Dm](g{I&)"4(nFD~qw
D+^({F,gSgxj6T04(1d5#
v P'0$51nFDVP_IT9CKnFZ~qwO(";va0(T0>$/
O),x;XT=rK~qwO$#
v nF9C2mD}6 DES \?S\,rKITi$df5T#
v S\DnFE";f"Z/@wO#
v nF;+];N#SU=~qw9CKE"ZdT:D_Y:fP9(C'>$#
~qw+b)>$CZ,;a0PKC'TsavDks#
v nF_PZ pdwebpi.conf dCD~PhCDP'Z(,1)5#K5I\\L(8
k)TuYX4%wD#U#
S\0$51nF
Access Manager Plug-in for Web Servers XkTnFPECDO$}]xPS\,9C
D\?I;Z /bin ?<PD pdwpi-cdsso-key-gen 5CLrzI#Xk(}M?v
NkrPD?ve~~qw2m\?D~0,=1\??#?vrPD?vNkDe
~~qwh*9C,;\?#
":4(MV"\?D~;G Access Manager gSgxxLD;?V#XkV/+\
?2+4F=?vNkD~qw#
KP pdwpi-cdsso-key-gen 5CLr1,5CLrh*z8(\?D~D;C(xT
76{):
UNIX:
# pdwpi-cdsso-key-gen absolute_pathname
Windows:
MSDOS> pdwpi-cdsso-key-gen absolute_pathname
S\\?Z pdwebpi.conf dCD~D [ecsso-domain-keys] ZPdC#j8E"Z
B;Z:dCgSgx;PV[
dCgSgx
>Z4igSgx5Vh*DyPdCN}#b)N};Z pdwebpi.conf D~P#X
k*gSgxPD?ve~P8dCKD~#
tCM{CgSgxI1
pdwebpi.conf dCD~PD [common-modules] Z(eyPO$=(DC(#*9
e~~qwITZgSgxZxPYw,k+uo0ecsso1Vdx authentication M
post-authzn N},gBy>:
[common-modules]
authentication = ecsso
post-authzn = ecsso
pdwebpi.conf dCD~PD [modules] Z(eyPICDO$zF0dX*D2mb
{F#7#gSgx SSO u?fZ;4:
[modules]
ecsso = pdwpi-ecsso
e-community-name
e-community-name N}j6~qwytDgSgxD{F#}g:
[ecsso]
e-community-name = companyABC
gSgxyPI1D e-community-name 5Xk`,#
is-master-authn-server
KN}j6C~qwGqG MAS#5|( yes r no#TZgSgx MAS,N}h
CgB:
[ecsso]
is-master-authn-server = yes
`ve~ITdC*wO$~qw,;sEZ:X=bw.s#ZK=8P,gSg
xPDd|yPe~~qw<+:X=bw6p* MAS#
g{ is-master-authn-server hCI0yes1,rK~qw+S\4Td|e~5}D
$5ks,b)e~5}D e-community-name `,,"Rdr\?PZ
[ecsso-domain-keys] ZP#
master-authn-server
g{ is-master-authn-server N}hC*0no1,rXk!{"M"8(
master-authn-server N}#KN}j6gSgx MAS D+^(r{#}g:
[ecsso]
master-authn-server = www.boo.com
master-http-port
VdwO$~qwCZSU HTTP ksDKZE#g{KZE;Gj<KZ 80,rX
kZK8(Gj<KZE#
[ecsso]
master-http-port = port_number
master-https-port
VdwO$~qwCZSU HTTPS ksDKZE#g{KZE;Gj<KZ 443,r
XkZK8(Gj<KZE#
[ecsso]
master-https-port = port_number
vf-token-lifetime
KN}hC0$51nFDP'Z,15(k)#y] cookie OD4(1dAGliK
5#1!5* 180 k#Xk<GNk~qw.dD1S+n#1!ivB,N}hCg
B:
[ecsso]
vf-token-lifetime = 180
vf-url
KN}8(0$51URL#K5XkT}1\(/)*<#1!hC5*:
[ecsso]
vf-url = /pkmsvouchfor
2ITm>)9 URL:
vf-url = /ecommA/pkmsvouchfor
ecsso Domain Keys
dCD~D [ecsso-domain-keys] ZP(eDG\?D~D;C,T MAS M6Lr
PNkD~qw.dDnFxPS\Mb\1h*b)\?D~#dC MAS |(*?
vdGwDr(e\?#dC MAS TbDgSgxI1|(*rM MAS (e\?#
Xk*~qw8(+^(r{,*\?D~;C8(xT76{#
TB MAS dC>}T MAS a)\?D~,CZM=v6Lr(E:
[ecsso-domain-keys]
moo.com = /abc/xyz/moo-boo.key
bar.com = /abc/xyz/foo-boo.key
dCrPD~qw|(8( MAS rMCZk MAS ;;E"D`&\?#rP~qw
.dD}];;2h*\?#}g:NkgSgxDrPD~qwD
[ecsso-domain-keys] ZI\gB:
[ecsso-domain-keys]
#the key for data exchange between the MAS (boo.com) and the moo.com domain servers
boo.com = /abc/xyz/moo-boo.key
#the key for data exchange between servers in the moo.com domain
moo.com = /abc/xyz/moo.key
dCgSgx%;"a * >}
TB>}P,P=vQdCDgSgx(foo-moo M bar-tar)T0O$b=vgxDk
sD%v MAS#
TBu~JCZK>}:
v www.boss.com G=vgSgxD MAS#
v foo-moo gSgxPfZ=v;,Dr(rcp{?vrPP;v~qw)* moo.com
M foo.com#CJb)rdP.;DC'IT;hXBO$MCJd|r,r*yP
DCJ<G(} MAS Z(D#
< 8. gSgx%;"adC>}
v bar-tar gSgx|,=v;,Dr * bar.com M tar.com#CJb)rdP.;DC
'IT;hXBO$MCJd|r#
v CJ bar.com ~qw.;DC'IT9C0$51nFCJm;v~qw#ZKiv
B,%;"a;h MAS Z(CJMIT5V#
ZOv>}P,TBdCu~JC:
dC MAS * www.boss.com
r* MAS G`vgSgxDXFPD,yTh*dC ecsso #iD=v;,
5}"(e MAS X~h*DgSgx{F#MAS h*Q8(dXFDyPg
xPDwrDyP\?#TBdCu~JC:
[modules]
ecsso1 = pdwpi-ecsso-module
ecsso2 = pdwpi-ecsso-module
[common-modules]
authentication = ecsso1
authentication = ecsso2
post-authzn = ecsso1
post-authzn = ecsso2
[ecsso1]
e-community-name = foo-moo
is-master-authn-server = yes
.....etc
[ecsso2]
e-community-name = bar-tar
is-master-authn-server = yes
.....etc
[ecsso1-domain-keys]
# one key for each domain the MAS controls
moo.com = /abc/bosskeys/boss-moo.key
foo.com = /abc/bosskeys/boss-foo.key
tar.com = /abc/bosskeys/boss-tar.key
bar.com = /abc/bosskeys/boss-bar.key
dC www.moo.com
[modules]
ecsso = pdwpi-ecsso-module
[common-modules]
authentication = ecsso
post-authzn = ecsso
[ecsso]
e-community-name = foo-moo
is-master-authn-server = no
master-authn-server = www.boss.com
.....etc
[ecsso-domain-keys]
#key for encrypting/decrypting data
#between servers in the moo.com domain
moo.com = /abc/moo-keys/moo.key
#key for encrypting/decrypting data between
#servers in the moo.com domain and the MAS
boss.com = /abc/moo-keys/boss-moo.key
dC www.foo.com
}Kr\?+;,b,5VT www.foo.com xP%;"aDdCN}M*
www.moo.com dCDN}`,#www.foo.com Dr\?dCgB:
[ecsso-domain-keys]
#key for encrypting/decrypting data
#between servers in the foo.com domain
foo.com = /abc/foo-keys/foo.key
#key for encrypting/decrypting data
#between servers in the foo.com domain and the MAS
boss.com = /abc/foo-keys/boss-foo.key
dC www.tar.com
[modules]
ecsso = pdwpi-ecsso-module
[common-modules]
authentication = ecsso
post-authzn = ecsso
[ecsso]
e-community-name = bar-tar
is-master-authn-server = no
master-authn-server = www.boss.com
.....etc
[ecsso-domain-keys]
#key for encrypting/decrypting data
#between servers in the tar.com domain
tar.com = /abc/tar-keys/tar.key
#key for encrypting/decrypting data between
#servers in the tar.com domain and the MAS
boss.com = /abc/tar-keys/boss-tar.key
dC ww1.bar.com
T ww1.bar.com DgSgx%;"adCM www.tar.com D`,#h*=v\
?,;vCZ MAS M bar.com r.d}]DS\/b\,m;v\?CZ
bar.com rZ?~qw.d}]DS\/b\(4K>}PD ww1.bar.com M
ww2.bar.com)#
[ecsso-domain-keys]
bar.com = /abc/bar-keys/bar.key
boss.com = /abc/bar-keys/boss-bar.key
dC ww2.bar.com
ww2.bar.com D\?(eM ww1.bar.com D`,#
[ecsso-domain-keys]
bar.com = /abc/bar-keys/bar.key
boss.com = /abc/bar-keys/boss-bar.key
=< A. pdwebpi.conf N<
m 29. #fdCN}
#f
N} hv
[pdweb-plugins]
virtual-host j6|,XZX(ibwzDdCE"DStZ#
unprotected-virtual-host j6e~;*da)2+TDibwz#e~JmTb)
ibwzxPCJx;Tks4PO$MZ(#
CJ4#$Dibwz1,ZU>D~P4(;vu?#
web-server j6}Z9CD Web ~qwD`M#IS\D5P:
v iis(Microsoft Internet Information Services)
v ihs(IBM HTTP Server)
v iplanet(iPlanet Web Server)
KN}Z20ZdT/hC#
windows-file-system r Authorization Server 8v&I!@6k)\bk URI
(zm Windows D~53J4)`XD2+TJb#
g{hC* true,r{9T|,`F Windows 2000 rL
76{D76*XD URI yxPDyPCJ#XpGT ~
}VaxD76*X+;\x#Z Windows 53O,KN
}1!ivBhC* true#Z UNIX 53O,dhC*
false#
IT4?vibwz2GKN},=(GZ`&D
[virtual_host] ZP8(KN}#
case-sensative f* Authorization Server gN&m URI Ds!4#
g{hC* false,URI Z9l`&D Access Manager T
s{F1*;*!4,Z(v_}GTUKTs{Fwv
D#
Z UNIX 53O,KN}hC* true#Z Windows 53
O,dhC* false#
windows-file-system N}hC* true R case-sensitive4(e1,1!ivB+ URI *;*!4#
k"b,Ts{FD /PDWebPI/branch ?V"GgK*;
D#
IT4?vibwz2GKN},=(GZ`&D
[virtual_host] ZP8(KN}#
utf8-url-support-enabled XFzk3,9(`&D Access Manager \#$Ts{F
19CKzk3bM URL#
g{hC* true,rY(T Authorization Server a)D
URI C UTF8 `k,"RZCZ9l Access Manager \
#$Ts{.0*;* Authorization Server KP1y9C
Dzk3#
g{hC* false,rY(T Authorization Server a)D
URI GC Authorization Server KP1y9CDzk3`k
D#
g{hC* auto,rli?v URI PD`VZ UTF8 r
P#g{R=,rY( URI C UTF8 `k#g{lb=
^' UTF8 V{rP,rY( URI 9C Authorization
Server KP1y9CDzk3#
IT4?vibwz2GKN},=(GZ`&D
[virtual_host] ZP8(KN}#
log-file j6dP6qyP Authorization Server NqDU>D~D
D~{M76#
logs 8(ZXB9CZ;vU>D~.0*4(DU>D~
}#
log-entries 8(Zv/=BU>D~.0*4kDU>u?}#
mpa-enabled `74C/PzmLr(MPA)Ga)`vM'zCJD
xX#("kp<~qwD%;QO$(@,"(}K(
@"MyPM'zksMl&(E#
g{hC* true,rtC MPA \&#
g{hC* false,r{C MPA \&# IT4?vib
wz2GKN},=(GZ [virtual_host] ZP(eKN
}#
mpa-protected-object (exPZ(v_y@]D MPA Ts#
IT4?vibwz2GKN},=(GZ [virtual_host]ZP(eKN}#
user Z UNIX 53O,KN}(e Policy Manager M
Authorization Server xLDC'{#
group Z UNIX 53O,KN}(e Policy Manager M
Authorization Server xLDi{#
[module-mgr]
path |,#i2mbD~D76#Jm`v76u?,r*e
~+QwyPu?#
[wpiconfig]
server-type ZdC1hC,T(z!{dC#
install-dir ZdC1hC,T(z!{dC#
vhosts ZdC1hC,T(z!{dC#
m 30. O$dCN}
O$
N} hv
[modules]
module_name =shared_library_name
ywICO$=(M`X*Db#
acctmgmt J'\m
BA y>O$
cert $i
failover JO*F
forms m%
ip-addr IP X7
iv-headers IV 7
session-cookie a0 cookie
ssl-id SSL j6
tag-value jG5
http-hdr HTTP 7
token nF
[common-modules]
authentication 8(CZC'O$D=(#
session 8(CZ,Va04,D=(#
post-authzn 8(CZsZ(&mD=(#
[authentication-levels]
level = module_name [authentication-levels] Z(e]}O$6pM [modules]ZP(eDO$=(D3r#
g{4Td(eNNu?,rO$=(1!*6p 1#O$
3r7(*Q(eO$=(Dn_O$6p=nMO$6
p#g{O$6pItIO$#i2m,rS3r4U#
iZ [modules] ZPvVD3r7(#
[authentication-mechanisms]
passwd-cdas
passwd-ldap
passwd-uraf
token-cdas
cert-ssl
cert-cdas
http-request
cdsso
passwd-strength
cred-ext-attrs
y'VD=SO$zFMek Access Manager O$S53
DX*2mbPm#
[BA]
basic-auth-realm ywr{,K{F+vVZy>O$G<1TC'a)D
T0rO#
[failover]
failover-cookies-keyfile yw\?D~76,K\?D~+CZJO*F cookie P
D>$}]xPS\Mb\#
failover-cookies-lifetime JO*F cookie DP'Z(V)#
enable-failover-cookie-for-domain Z{vr6'ZtC/{CJO*F cookie#
[ltpa]
ltpa-keyfile LTPA \?D~D+76{#
ltpa-stash-file \kf"D~D;C
ltpa-password Zf"D~!yP9CD\k#
ltpa-lifetime LTPA cookie DP'Z(k)#
[forms]
login-form G<m%DD~{#
[tag-value]
cache-definitions tCr{CT=S=TsUdDjG5(eD_Y:f#
tC_Y:f1,?NTjG/5(exP|De~<h
*XBt/#
cache-refresh-interval T(exP_Y:fD"B1ddt(k)#
[token-card]
token-login-form nFG<3fDD~{#
next-token-form (erC'M'zT>DCZksB;vnFDm%#~
qw^(SZ;vnFI&O$C'1,ksM'zdk
m;vnF#
[http-hdr]
header +]=grO$~q(CDAS)CZO$D7{F#
[iv-headers]
accept w*4TzmDO$$wS\D7Pm#P'!nP:
v all * S\yP7`M#
v iv-creds * C'>$E"#
v iv-user * rLC'{#
v iv-user-l * $C'{#
v iv-remote-address * M'zD IP X7#
generate *"4TzmDks1*zID7Pm#P'!nP:
v all * zIyP7`M#
v iv-creds * C'>$E"#
v iv-user * rLC'{#
v iv-user-l * $C'{#
v iv-remote-address * M'zD IP X7#
[acctmgmt]
password-change-form C'ks|D\k1T>Dm%#
password-change-form-uri C'ks|D\k1CJD URI#
password-change-uri \k|DsD URI ?DX#
password-change-success C'I&jI\k|D1T>D3f#
password-change-failure C'^(I&G<1T>D3f#
logout-uri C'"zsD URI ?DX#
logout-success C'I&"z1T>D3f#
help-uri oz3fD;C#
help-page C'ksoz1T>Doz3fDD~{#
[ecsso]
e-community-name 0$51nFMksPvVDgSgx{F#
is-master-authn-server 8(~qwGw9G;ZgSgxP#g{hC* yes,
rK~qwS\4Td|e~5}D$5ks,b)e~
5}Dr\?PZ [ecsso-domain-keys] ZP#
master-authn-server gSgxPw~qwD{F#g{ is-master-authn-serverhC* no,rKN}GXhD#
master-http-port l}4Tw~qwD HTTP ksDKZE#
master-https-port l}4Tw~qwD HTTPS ksDKZE#
vf-token-lifetime $5nFP'Z(k)#
vf-url $5 URL#
[inter-domain-keys]
domain_name = key_file NkgSgxDd|rD\?D~;C#
m 31. a0dCN}
a0
N} hv
[sessions]
max-entries f"Za0#iD%v5}PDnsa0}#?vi
bwzD?va0#iDnsa0}#
timeout a0DnsP'Z(k)#
inactive-timeout a0Z,10h*DUP1d$H(k)#
resend-pdwebpi-cookies tCr_{CM?vks;p"M Web e~ cookie#
reauth-lifetime-reset XFa0P'ZF1w#g{hC*0yes1,ra0
P'ZF1w(4,1N}PhCD5)ZI&XB
O$14;#g{hC*0no1,rI&XBO$1
;4P4;#
reauth-grace-period hCM'z5PDm^\Z1d?(k),ZKZd
M'zCTI&4PXBO$,qr>$=Z#
m 32. LDAP dCN}
LDAP
N} hv
[ldap]
bind-pwd Web e~X$LrD\k(ZdC1hC)#
enabled tCr{C LDAP (E(ZdC1hC)#
host LDAP ~qwD{F(ZdC1hC)#
port LDAP DKZE(ZdC1hC)#
m 33. zmdCN}
zm
N} hv
[ipc]
number-of-workers &me~ksD$wLr_L}#
worker-size T?v&me~ksD$wLr_L$VdDZf}
?#
cleanup-interval ?NZfe}.dD1d(k)#
max-session-lifetime (ea0DnsP'Z#
[proxy]
error-page vVbb~qwms1,ZC'/@wOT>D3f
D76#
acct-locked-page C'"TCJx(DJ'1,yT>3fD76#
retry-limit-reached-page o=JmDns'\G<"T}1,yT>3fD7
6#Z LDAP P9C policy |nhCDnsJmG
<'\}#
m 34. Z( API dCN}
Z( API
N} hv
[aznapi-configuration]
sFMG<U>N}0dC
logsize U>s!(VZ),,vKs!r4(BU>D~#
g{hC* 0,r;4(BU>D~#
g{hC*:},r?l4(;vBU>D~,x;
\s!#
logflush "BU>D1ddt(k)#
ns5G 21600(6 !1)#
logaudit tC/{CsFG<U>#
auditlog sFD~D{F#
auditcfg tC/{Ci~X(DsFG<#4;
auditcfg = authn * 6qO$B~#
auditcfg = azn * 6qZ(B~#
db-file ACL }]b_Y:fD~D;C#
cache-refresh-interval liTw Authorization Server D|B.dD1ddt
(k)#
listen-flags tC/{CS\_T_Y:f|B(*Dj>#
Z( API ~q(e
[aznapi-entitlement-services]
service_id ?vZu?(e;,`MD aznAPI ~q#XZ|`E
",kN< Authorization API Programmers Guide#
AZN_ENT_EXT_ATTR bG;v;&|DD536pN}#KN}Jm9C
TsUdOD)9tT#
[aznapi-admin-services]
name = shared_library_name -pobjobject_space & args
dC\m~q#'VDN}P:
-r \#$D objectspace y
-d Web ~qwDD5y?<
-q CZ query_contents DLr
-v ibwzj6(KN}GI!D)
m 35. X(Z Web ~qwDdCN}
X(Z Web ~qw
N} hv
[ihs]
query-contents 8(CZ9C0pdadmin> object list1|n/@ IBM
HTTP Server Web UdDi/Z]Lr#(}Z{*
[ihs:branch] DZ(}g [ihs:/PDWebPI/foo.bar.com])
P*d8(5,IT4?vV'2GKN}
doc-root 8(a)4P0pdadmin> object list1|nyhD Web
Ud/@&\DD5y?<#KN}ZhCibwz
1IdC5CLrhC * Z [ihs:branch] Z(}g
[ihs:/PDWebPI/foo.bar.com])P4?v_TV'8(
KN}
[iis]
query-contents 8(CZ pdadmin /@ IIS Web UdDi/Z]L
r#(}Z{* [iis:branch] DZ(}g
[iis:/PDWebPI/foo.bar.com])P*d8(5,IT4
?vV'2GKN}
post-data-required (e Authorization Server &myhDQa; POST }
]Dm%Pm#}gG<m%#;akT?vibw
z2Gb)N}#
log-file *4T IIS e~DmsMzY{"(eU>D~,*
K7#D~D;BT,b)U>D~k Authorization
Server DU>D~%@#\#g{8(*`T76,
rK;C`TZ20?<D log S?<#g{8(*
xT76,r9CxT76#
[iis:minimum-post-data]
form_uri =minimum_bytes_of_post_data_required
(eZh*s? POST }]DivB,X(m%D
POST }]?#}g:
/token.form = 20000
8>&m /token.form Da;1,Authorization Server
AYh* 20000 VZD POST }]#;\kT?vi
bwz8(b)5#
[iplanet]
query-contents 8(CZ pdadmin /@ iPlanet Web UdDi/Z]
Lr#(}Z{* [iplanet:branch] DZ(}g
[iplanet:/PDWebPI/foo.bar.com])P*d8(5,IT
4?vV'2GKN}#
doc-root 8(a)4P0pdadmin> object list1|nyhD Web
Ud/@&\DD5y?<#KN}ZhCibwz
1IdC5CLrhC ** Z [iplanet:branch] Z
(}g [iplanet:/PDWebPI/foo.bar.com])P4?v_T
V'8(KN}
=< B. O$=(lYN<
m 36. e~O$=(/#iN<
O$=(/#i hv
BA
pdwpi-ba-module
0y>O$1O$#i#
2ITdC*a0MsZ(#i#
m%
pdwpi-forms-module
0HTML m%1O$#i#
9C(}m%a;DC'{M\kxPO$#
9C1,K#iXk,1dC*sZ(#i#
ip-addr
pdwpi-ipaddr-module
0M'z IP X71O$#i#
a)vyZM'z IP X7DO$#M'Xka) http k
sO$zF,T+ IP X7E"3d= Access Manager w
e#
2ITdC*a0#i#
http-hdr
pdwpi-httphdr-module
0HTTP 71O$#i#
a)vyZksP8(D HTTP 7D5DO$#M'Xk
a) http ksO$zF,T+7E"3d= Access
Manager we#
2ITdC*a0#i#
nF
pdwpi-token-module
0nF1O$#i#
Access Manager Plug-in for Web Servers 'V(}M'z
a)DnF(PzkDO$#KO$9CyZ RSA
SecureID fobs D+rSG<#
9C1,Xk,1dC*sZ(#i#
cert
pdwpi-certificate-module
0M'z$i1O$#i#
M'z$iDwb DN 3dI cert-ssl O$zF= Access
Manager we{F#cert-ssl O$zF*sM'z$iDw
b DN 1S3d=C'"amP Access Manager C'D
DN#
K#ivTT;G(} SSL a0=oDO$*sDks,
rKIT*&m HTTP M HTTPS ksDO$Dibwz
2+XdCK#i#
failover
pdwpi-failover-cookie-module
0JO*F cookie1O$#i#
K#iS\JO*F cookie TO$C'#
9C1,K#iXk,1dC*sZ(#i#
iv-headers
pdwpi-iv-headers-module
0IV 71O$#i#
a)yZksPD iv-user"iv-user-l"iv-creds r
iv-remote-address HTTP 7D5DO$#C'Qr0Kzm
~qwO$1,bTZ%;"a= Access Manager Plug-in
for Web Servers G`1PCD#
*I*IE,ksXk(}0Kzm~qw(}g
WebSEAL *a)DQO$a0=o#zmXkO$*_P
T}ZCJDibwz\#$TsUdV'Dzm
([PDWebPI]p)(^DC'#
TZ9C iv-remote-address 7DO$,M'Xka) http
ksO$zF,T+ IP X7E"3d= Access Manager
we#
K#i2ITdC*sZ(#i#
ecsso
pdwpi-ecsso-module
0gSgx%;"a1O$#i#
K#iXkdC*}wO$~qwTbNkgSgxDi
bwzDO$#i#
9C1,K#iXk,1dC*sZ(#i#
unauth
pdpwi-unauth-module
04O$C'1O$#i#
ZKPvK#iGvZj{T<G#K#i<U~=dC
*EH6nMDO$#i,"CZ*4O$C'zI>
$#
m 37. e~a0#iN<
#i hv
BA
pdwpi-ba-module
0y>O$1a0#i#
9C0y>O$Z(17D5w*a0\?#
9C1,Xk,1dC*O$#i#
2ITdC*sZ(#i#
ip-addr
pdwpi-ipaddr-module
0IP X71a0#i#
9CQO$DM'z IP X7w*a0\?#
9C1,Xk,1dC*O$#i#
http-hdr
pdwpi-httphdr-module
0HTTP 71a0#i#
9CQO$D HTTP 7w*a0\?#
9C1,Xk,1dC*O$#i#
session-cookie
pdwpi-sesscookie-module
0a0 cookie1a0#i#
K#izI"S\ cookie,T)j6a019C#(#vC
wMEH6Da0j6zF#
ssl-id
pdwpi-sslsessid-module
0SSL a0j61a0#i#
9C0SSL a0j61w*a0\?#k"b,!\
Access Manager Plug-in for Web Servers D Windows V
<Pa)K#i,+ Microsoft Internet Information Services
Web Server ";re~a)0SSL a0j61E",r
K,0SSL a0j61;\Cw IIS Da0\?#
m 38. e~sZ(#iN<
#i hv
m%
pdwpi-forms-module
0HTML m%1sZ(#i#
K#i&myZ0HTML m%1DG<ZdDm%}]a
;#
9C1,Xk,1dC*O$#i#
BA
pdwpi-ba-module
0y>O$1sZ(#i#
dC*sZ(#i1,BA #iSksP}%yP4O$D
0y>O$Z(17#0y>O$1#i2ITdCIO
$Ma0#i#
nF
pdwpi-token-module
0nF1sZ(#i#
Access Manager Plug-in for Web Servers 'V(}M'z
a)DnF(PzkDO$#KO$9CyZ RSA
SecureID fobs D+rSG<#
9C1,nF#iXk,1dC*O$#i#
failover
pdwpi-failovercookie-module
0JO*F cookie1sZ(#i#
K#i*M'zzIJO*F cookie#
9C1,JO*F cookie #iXk,1dC*O$#i#
iv-headers
pdwpi-iv-headers-module
0IV 71 sZ(#i#
K#iZJm Web ~qw&mks0,+C'j6E"w
* IV 7ekksP#bTZT Web ~qww\D&CL
ra)%;"a`1PC#ITmSD7P
iv-user"iv-user-l"iv-groups"iv-creds"iv-remote-address#
K#i2ITdC*O$#i#
tag-value
pdwpi-tag-value-module
0jG/51sZ(#i#
K#iZJm Web ~qw&mks0,+4TC'>$D
=S)9tTw* HTTP 7ekksP#b))9tT(#
MC'"amPDC'tT`T&#
acctmgmt
pdwpi-acct-mgmt-module
0J'\m1sZ(#i#
K#ia)"z(/pkmslogout)"|D\k
(/pkmspasswd)"oz(/pkmshelp)&\#
ltpa
pdwpi-ltpa-module
0LTPA Cookie1sZ(#i#
K#iZJm Web ~qw&mks0,+ WebSphere
Application Server(WAS)a?6Z}=O$
(LTPA)cookie ekksP#ba)KT Web ~qww
\D WAS D%;"a#
ecsso
pdpwi-ecsso-module
0gSgx%;"a1sZ(#i#
yPNkgSgxDibwz<Xk+ ecsso #idC*s
Z(#i#
K#iXk,1dC*wO$~qwTbyPNk_DO
$#i#
=< C. |nlYN<
m 39. e~|nN<
|n hv
pdwebpi_start t/M#9 UNIX 20ODe~xL#
P'!nP:
pdwebpi_start {start|stop|restart|status}
*#9e~;sYXBt/,k9C:
# pdwebpi_start restart
pdwebpi_start |n;ZTB?<P:
/opt/pdwebpi/sbin/
*t/M#9e~ Windows 20,kZ0~q1XFfePj
6e~xL"9CJ1DXF4%#
pdwpi-cdsso-key-gen 4(\?D~,CZTe~}](}gJO*F cookie E"M
0$51nF)xPS\0b\#
C(:
./pdwpi-cdsso-key-gen key_file_name_to_create
pdwpi-cdsso-key-gen |n;Z /bin ?<P#
pdwpi-version Pv20Df>Mf(E"#
pdwpi-version |n;Z /bin ?<P#
pdwpicfg t/5CLr,CZdCM!{dCe~#
pdwpicfg |n;Z /bin ?<P#
=< D. yw
>E"G*Z@za)Dz7M~q`4D# IBM I\Zd|zRrXx;a)>D
5PV[Dz7"~qr&\XT#PXz10yZxrDz7M~qDE",kr
z1XD IBM zmI/#NNT IBM z7"Lrr~qD}C"GbZw>r5>
;\9C IBM Dz7"Lrr~q#;*;V8 IBM D*6z(,NN,H&\D
z7"Lrr~q,<ITzf IBM z7"Lrr~q#+G,@@Mi$NNG
IBM z7"Lrr~q,rIC'TP:p#
IBM +>I\Q5Pr}Zjkk>D5Z]PXDwn({#a)>D5"4ZhC
'9Cb)({DNNmI$#zITCif==+mI$i/Dy:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.
PX+VZ(DBCS)E"DmI$i/,kkzyZzRrXxD IBM *6z(?E
*5,rCif==+i/Dy:
IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan
>un;JC*OuzrNNbyDunk1X(I;;BDzRrXx:zJL5
zw+>T04V41Dy!a)>vfo,;=PNNN=D(^[Gw>D,9
G,>D)#$,|((+;^Z)TGV(T"JzTMJCZ3X(C>D,>
#$#3)zRrXxZ3);WP;Jmb}w>r,>D#$#rK>unI\
;JCZz#
>E"PI\|,<u=f;;<7DX=r!"ms#K&DE"+(Z|D;b
)|D+`k>vfoDBf>P#IBM ITf1T>vfoPhvDz7M/rLr
xPDxM/r|D,x;mP(*#
>E"PTG IBM Web >cDNN}C<;G*K=cp{Ea)D,;TNN==
d1TG) Web >cD#$#C Web >cPDJO;G IBM z7JOD;?V,
9CG) Web >cx4DgU+IzTPP##
IBM IT4|O*J1DNN==9CrV"zya)DNNE"x^kTzP#NN
pN#
>LrD;mI=g{*KbPXLrDE"To=gB?D:(i)JmZ@"4(
DLrMd|Lr(|(>Lr).dxPE";;,T0(ii)JmTQ-;;DE
"xP`%9C,kkBPX7*5:
IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758
U.S.A.
;*qXJ1Du~Mun,|(3)iNBD;(}?D6Q,<IqCb=fD
E"#
>JOPhvDmILr0dyPICDmIJOyI IBM @] IBM M'-i"IBM
zJLrmI$-irNN,H-iPDuna)#
K&|,DNNT\}]<GZ\X73PbCD#rK,Zd|Yw73PqCD
}]I\aPwTD;,#P)b?I\GZ*"6D53OxPD,rK;#$k
;cIC53OxPDb?a{`,#Kb,P)b?G(}Fcx@FD,5Ja
{I\aPnl#>D5DC'&1i$dX(73DJC}]#
f0G IBM z7DE"ISb)z7D)&L"dvf5wrd|I+*qCDJO
Pq!#IBM ;PTb)z7xPbT,2^(7OdT\D+7T"f]TrNNd
|XZG IBM z7Dyw#PXG IBM z7T\DJb&1rb)z7D)&La
v#
yPXZ IBM 44=rrbrDyw<If1|DrUX,x;mP(*,|Gvv
m>K?jMb8xQ#
>JOvCZF.#ZhvDz7vV.0,K&DE"I\|D#
>JO|,U#5qKwP9CD}]M(mD>}#*K!I\j{X{v|G,
>}P|,KvK"+>"7FMz7D{F#yPb){Fy5i9,gP5JD
s5{FMX7kKW,,?tIO#
g{}Zi4KE"Dm=4,rU,MJ+<}I\;aTV#
Lj
AIX
DB2
IBM
IBM(Uj)
Java
OS/390
SecureWay
Tivoli
Tivoli(Uj)
(C}]b
WebSphere
z/OS
zSeries
Microsoft"Windows G Microsoft Corporation Z@zM/rd|zRrXxDLj#
UNIX G The Open Group Z@zMd|zRrXxD"aLj#
d|+>"z7M~q{FI\Gd|+>DLjr~qjG#
O$N} 53
O$dC 34
'V 2
mI(,ACL 59
mI(,WebDAV 60
[Y]&C4O$ HTTPS 70
r{F,hC 42
[Z]Z_vfo xvi
$5nF 83
$5ksM&p 82
$i 44
'VD=( 7
i~ 1
AACL _T 59
ACL _T,1!5 60
AIX
20Z 8
}% 12
API ~q 26
Authorization Server
dC 17
CCDAS O$N} 40
cleanup-interval N} 18
EEPAC 5
HHTML l&m% 44
HTTP ms{" 17
HTTP 7 38, 50
Iid N} 17
IHS
20Z 8
Xhf> 7
}% 12
IIS
20Z 10
Xhf> 7
}% 12
IP X7 39, 52
ipc Z 17
w} 107
iPLanet
}% 13
iPlanet
20Z 9
Xhf> 7
IV 7 49
LLDAP,dCN} 94
Mmax-entries N} 35
max-session-lifetime 18
MPA 54
Nnumber-of-workers N} 17
Ppdwebpimgr.conf 16
pdwebpi.conf 15
pdweb-plugin Z 19
pkmshelp 42
pkmslogout 41
pkmspasswd 42
POP _T
#$6p 69
XBO$ 67
yZxgDO$ 68
O$?H * ]} 64
Rreauth-grace-period 36
reauth-lifetime-reset 36
SSolaris Operating Environment
20Z 9
}% 13
SSL a0j6 37
TTivoli M''V xvii
Uunprotected-virtual-host N} 19
Vvirtual-host N} 19
WWeb ~qwf>,Xh 7
WebDAV mI( 60
WebSEAL 75
Windows
20Z 10
}% 12
worker-size N} 17
108 IBM Tivoli Access Manager: Plug-in for Web Servers C'8O