IBM Tivoli Access Manager for e-business
Plug-in for Web Servers Integration Guide
Version 5.1
SC32-1365-00

Note
Before using this information and the product it supports, read the information in Appendix F, Notices, on page 215.

First Edition (November 2003)
This edition applies to version 5, release 1, modification 0 of IBM Tivoli Access Manager (product number 5724-C08) and to all subsequent releases and modifications until otherwise indicated in new editions.

Copyright International Business Machines Corporation 2000, 2003. All rights reserved.
US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Figures
Tables
Preface
  Who should read this book
  What this book contains
  Publications
  Release information
  Base information
  Web security information
  Developer references
  Technical supplements
  Related publications
  Accessing publications online
  Accessibility
  Contacting software support
  Conventions used in this book
  Typeface conventions
  Operating system differences
Chapter 1. Introducing IBM Tivoli Access Manager Plug-in for Web Servers
  Tivoli Access Manager Plug-in for Web Servers technology
  Basic operational components and architecture
  Support for virtual hosts
  Protecting your Web space with Tivoli Access Manager Plug-in for Web Servers
  Tivoli Access Manager Plug-in for Web Servers authentication
  Credential acquisition
Chapter 2. IBM Tivoli Access Manager Plug-in for Web Servers configuration
  General plug-in information
  Root directory of the Tivoli Access Manager Plug-in for Web Servers installation
  The pdwebpi.conf configuration file
  The pdwebpimgr.conf configuration file
  Starting and stopping Tivoli Access Manager Plug-in for Web Servers
  HTTP error messages
  Macro support
  Forms related macros
  Configuring the Authorization Server
  Configuring Worker Threads
  Setting the Maximum Session Lifetime for IPC requests
  Configuring error pages
  Configuring for virtual host servers
  Web-server-specific configuration
  Web server considerations
  Customizing object listings
  Command Line Arguments
  Output
  Configuring switch user (SU) for administrators
  Understanding the switch user process flow
  Enabling switch user
  Configuring the switch user HTML form
  Enabling and excluding users from switch user
  Configuring the switch user authentication mechanism
  Impacting other plug-in functionality
  Configuring fail-over for LDAP servers
  Supporting Platform for Privacy Preferences (P3P) headers
  Configuring P3P headers
  Configuring plug-in auditing, logging, tracing, and the cache database
  Audit records
  Auditing configuration
  Tracing Plug-in actions
  Cache database settings
  Configuring the authorization API service
  Credential refresh
  Configuring credential refresh
  Configuring HTTP request caching
  Configuring server-side caching parameters
  Language support and character sets
Chapter 3. IBM Tivoli Access Manager Plug-in for Web Servers authentication and request processing
  The request handling process
  The authentication process
  Configuring authentication
  Configuring authentication for virtual hosts
  Configuring the order of authentication methods
  Configuring post-authorization processing
  Managing session state
  Configuring the plug-in session/credentials cache
  Maintaining session state with the SSL session ID
  Maintaining session state using Basic Authentication
  Maintaining session state with Session Cookies
  Maintaining session state using HTTP headers
  Maintaining session state using IP addresses
  Maintaining session state using LTPA cookies
  Maintaining session state using iv-headers
  Authentication configuration overview
  Local authentication mechanisms
  External custom CDAS authentication parameters
  Default configuration for plug-ins
  Configuring multiple authentication methods
  Logout, change of password and help commands
  Configuring Basic Authentication
  Enabling Basic Authentication
  Configuring the Basic Authentication mechanism
  Setting the realm name
  Manipulating BA headers
  Specify UTF-8 encoding of BA headers
  Configuring forms authentication
  Enabling forms authentication
  Configuring the forms authentication mechanism
  Customizing HTML response forms
  Customizing the forms login URI
  Creating a BA Header
  Specify UTF-8 encoding on BA headers
  Configuring certificate authentication
  Mutual authentication using certificates
  Enabling certificate authentication
  Configuring the certificate authentication mechanism
  Configuring token authentication
  SecurID Token authentication
  Enabling token authentication
  Configuring the token authentication mechanism
  Customizing token response pages
  Configuring SPNEGO authentication
  Platform and user registry support
  Upgrading SPNEGO configuration from version 4.1 to 5.1
  Limitations
  Windows desktop single signon configuration
  Troubleshooting tips
  Configuring NTLM authentication (IIS platforms only)
  Configuring Web server authentication (IIS platforms only)
  Configuring Failover authentication
  Failover authentication concepts
  Failover authentication configuration
  Configuring IV header authentication
  Enabling authentication using IV headers
  Configuring IV header parameters
  Specify UTF-8 encoding of IV headers
  Configuring the IV header authentication mechanism for iv-remote-address
  Configuring HTTP header authentication
  Enabling authentication using HTTP headers
  Specifying header types
  Configuring the HTTP header authentication mechanism
  Configuring IP address authentication
  Enabling authentication using the IP address
  Configuring the IP address authentication mechanism
  Configuring LTPA Authentication
  Enabling LTPA Authentication
  Setting the Key Details
  Configuring LTPA post-authorization processing
  Configuring the redirection of users after logon
  Enabling user redirection
  Configuring user redirection parameters
  Adding extended attributes for credentials
  Mechanisms for adding extended attributes to a credential
  Entitlement service configuration
  Adding LDAP extended attributes to the HTTP header (tag value)
  Enabling tag value processing
  Configuring tag value parameters
  Supporting Multiplexing Proxy Agents (MPA)
  Valid session data types and authentication methods
  Authentication process flow for MPA and multiple clients
  Enabling MPA authentication
  Create a user account for the MPA
  Add the MPA account to the pdwebpi-mpa-servers group
Chapter 4. IBM Tivoli Access Manager Plug-in for Web Servers security policy
  Plug-in-specific Access Control List (ACL) policies
  /PDWebPI/host or virtual_host
  Plug-in ACL permissions
  Default /PDWebPI ACL policy
  Three strikes logon policy
  Password strength policy
  Password strength policy set by the pdadmin utility
  Specific user and global settings
  Authentication-strength Protected Object Policy (Step-up)
  Configuring levels for step-up authentication
  Enabling step-up authentication
  Step-up authentication notes and limitations
  Multi-factor authentication
  Enabling multi-factor authentication
  Reauthentication Protected Object Policy
  Conditions affecting POP reauthentication
  Creating and applying the reauthentication POP
  Network-based authentication Protected Object Policy
  Specifying IP addresses and ranges
  Disabling step-up authentication by IP address
  Network-based authentication algorithm
  Quality-of-protection Protected Object Policy
  Handling unauthenticated users (HTTP/HTTPS)
  Processing a request from an anonymous client
  Forcing user log on
  Applying unauthenticated HTTPS
  Controlling unauthenticated users with ACL/POP policies
Chapter 5. Web single sign-on solutions
  Single sign-on concepts
  Automatically signing-on to a secured application
  Configuring single sign-on to secure applications using HTTP headers
  Single sign-on to WebSphere application server using LTPA cookies
  Single sign-on to the plug-in from WebSEAL or other proxy
  Enabling and disabling authentication using IV headers
  Configuring IV header parameters
  Using the Failover cookie for single sign-on
  Enabling single sign-on using Failover cookies
  Using Global single sign-on (GSO)
  Configuring Global single sign-on
  Security Provider NEGOtiation (SPNEGO) single sign-on
  Single sign-on using forms
  Forms single sign-on process flow
  Requirements for application support
  Enabling forms single sign-on
  Configuring forms single sign-on
  Example configuration file for IBM HelpNow
Chapter 6. Cross-domain sign-on solutions
  Cross domain single sign-on (CDSSO)
  Authentication process flow for CDSSO
  Enabling and disabling CDSSO authentication
  Encrypting the authentication token data
  Configuring the token time stamp
  Including credential attributes in the authentication tokens
  Specify the sso-create and sso-consume libraries
  Expressing CDSSO links
  Protecting the authentication token
  e-Community single sign-on
  e-Community single sign-on features and requirements
  e-Community single sign-on process flow
  The e-community cookie
  The vouch-for request and reply
  The vouch-for token
  Encrypting the vouch-for token
  Configuring an e-community
  Configuring e-community single sign-on - an example
Chapter 7. Application integration
  Maintaining session state between the client and back-end applications
  Enabling user session ID management
  Inserting credential data into the HTTP header
  Terminating user sessions
  Providing access control to dynamic URLs
  Configuring dynamic URLs
Chapter 8. Authorization decision information retrieval
  Overview of ADI retrieval
  Retrieving ADI from the plug-in client request
  Example: Retrieving ADI from the request header
  Example: Retrieving ADI from the request query string
  Example: Retrieving ADI from the request POST body
  Retrieving ADI from the user credential
  Supplying a failure reason
  Configuring dynamic ADI retrieval
  Configuring the plug-in to use the AMWebARS Web service
Appendix A. Using pdbackup to backup plug-in data
  Functionality
  Backing up plug-in data
  Restoring plug-in data
  Syntax
  Examples
  UNIX examples
  Windows examples
  Contents of pdinfo-pdwebpi.lst
  Additional backup data
Appendix B. pdwebpi.conf reference
  General configuration parameters
  Authentication configuration parameters
  Sessions configuration parameters
  LDAP configuration parameters
  Proxy configuration parameters
  Authorization API configuration parameters
  Web server specific configuration parameters
Appendix C. Module quick reference
Appendix D. Command quick reference
  pdwebpi_start
  pdwebpi
  pdwpi-version
  pdwpicfg action config
  pdwpicfg action unconfig
Appendix E. Special characters allowed in regular expressions
Appendix F. Notices
  Trademarks
Glossary
Index

Figures

1. Plug-in and Tivoli Access Manager component interaction
2. Plug-in process flow for determining authentication module
3. Authentication challenge process logic
4. Plug-in process flow for determining session module
5. Typical server architecture for failover cookies
6. User access to secure applications using GSO
7. Forms single sign-on process flow
8. CDSSO process flow
9. Logging into an e-community
10. e-Community single sign-on configuration example
11. Attribute retrieval service process flow

Tables

1. Tivoli Access Manager EPAC fields
2. pdwebpi.conf section summary
3. Supported Macro Substitutions
4. [proxy] error page configuration parameters
5. Web-server-specific configuration parameters
6. [p3p-header] parameters
7. Authentication audit record field definitions
8. Auditing configuration parameter definitions
9. Plug-in supported languages with supported directory
10. Local Built-in Authenticators
11. External CDAS Server Parameters
12. Equivalent SPNEGO configuration between version 4.1 and 5.1
13. Failover authentication library file names
14. IV header field descriptions
15. Valid session data types for MPA
16. Valid MPA authentication types
17. Plug-in ACL permissions
18. Plug-in WebDAV permissions
19. pdadmin LDAP logon policy commands
20. pdadmin LDAP password strength commands
21. Password examples
22. QOP level descriptions
23. IV header field descriptions
24. LTPA configuration parameters
25. IV header field descriptions
26. General configuration parameters
27. Authentication configuration parameters
28. Sessions configuration parameters
29. LDAP configuration parameters
30. Proxy configuration parameters
31. Authorization API configuration parameters
32. Web server specific configuration parameters
33. Plug-in authentication method/module reference
34. Windows-specific authentication modules
35. Plug-in session module reference
36. Plug-in pre-authorization module reference
37. Plug-in post-authorization module reference
38. Response module reference

Preface

IBM Tivoli Access Manager Plug-in for Web Servers manages the security of your Web-based resources by acting as the gateway between your clients and secure Web space. The plug-in implements the security policies that protect your Web object space. The plug-in can provide single sign-on, support Web servers running as virtual hosts, and incorporate Web application server resources into its security policy.

Note: For details on supported platforms, disk and memory requirements, software prerequisites and installation instructions for the plug-in, refer to the Tivoli Access Manager for e-business Web Security Installation Guide.

IBM Tivoli Access Manager (Tivoli Access Manager) is the base software that is required to run applications in the IBM Tivoli Access Manager product suite. It enables the integration of IBM Tivoli Access Manager applications that provide a wide range of authorization and management solutions. Sold as an integrated solution, these products provide an access control management solution that centralizes network and application security policy for e-business applications.

Note: IBM Tivoli Access Manager is the new name of the previously released software entitled Tivoli SecureWay Policy Director.
Also