IBM Tivoli Access Manager Plug-in for Edge Server. User s Guide. Version 3.9 GC

Transcription

1 IBM Tioli Access Manager Plug-in for Edge Serer User s Guide Version 3.9 GC

2

3 IBM Tioli Access Manager Plug-in for Edge Serer User s Guide Version 3.9 GC

4 Note Before using this information and the product it supports, read the information in Appendix D, Notices on page 67. Second Edition (April 2002) This edition replaces GC Copyright International Business Machines Corporation 2001, All rights resered. US Goernment Users Restricted Rights Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

5 Contents Preface Who should read this book What this book contains Publications i IBM Tioli Access Manager i Related publications ix Accessing publications online x Ordering publications x Proiding feedback about publications xi Accessibility xi Contacting customer support xi Conentions used in this book xi Typeface conentions xi Chapter 1. Introducing the IBM Tioli Access Manager plug-in for Edge Serer System requirements Supported operating systems Software prerequisites Access Manager security model Plug-in for Edge Serer security enforcement Reerse proxy access control Forward proxy access control Chapter 2. Installing the plug-in for Edge Serer Installing the plug-in for Edge Serer on AIX Installing the plug-in for Edge Serer on Linux Installing the plug-in for Edge Serer on Solaris Installing the plug-in for Edge Serer on Windows Configuring the plug-in for Edge Serer Upgrading the plug-in for Edge Serer Chapter 3. Administering the plug-in for Edge Serer Managing user accounts Creating an Access Manager object space Creating an object space for the caching proxy Creating an object space for other Web serers Starting and stopping the plug-in for Edge Serer Configuration files Base configuration file (ibmwesas.conf) Object space definition configuration file (osdef.conf) User mapping configuration file (usermap.conf) Log files Chapter 4. Understanding the plug-in for Edge Serer configuration Serer configuration model Serer configuration concepts applied Object space configuration model Single signon configuration model Configuration procedure summarized Chapter 5. Deploying the plug-in for Edge Serer Designing the Web site Content distribution Single signon Copyright IBM Corp. 2001, 2002 iii

6 Configuring the Web site Chapter 6. Creating a Cross-domain Authentication Serice Authentication models Single authentication model Dispatched authentication model Building a custom shared library CDAS application deelopment kit Programming the custom shared library User authentication data Returning the client identity Compiling the custom shared library Configuring the plug-in for Edge Serer to use a custom shared library Configuring a custom shared library Custom shared library configuration scenario Configuring the demonstration library Loading the custom shared library CDAS core and utility functions CDAS API core function reference xauthn_authenticate xauthn_change_password xauthn_initialize xauthn_shutdown Chapter 7. Remoing the plug-in for Edge Serer Remoing the plug-in for Edge Serer on AIX Remoing the plug-in for Edge Serer on Linux Remoing the plug-in for Edge Serer on Solaris Remoing the plug-in for Edge Serer on Windows Appendix A. Base configuration file reference Appendix B. Object space definition configuration file reference Serer definitions Single signon definitions Appendix C. wesosm command reference Command syntax wesosm Appendix D. Notices Trademarks i IBM Tioli Access Manager Plug-in for Edge Serer: User s Guide

7 Preface Who should read this book What this book contains The IBM Tioli Access Manager (Access Manager) plug-in for IBM WebSphere Edge Serer (plug-in for Edge Serer) proides authentication and authorization security serices. Installed on the Edge Serer caching proxy, the plug-in for Edge Serer is the gateway between your clients and Web serers, implementing the security policies that protect your Web resources. The plug-in secures Web content and application serer resources at the caching proxy through irtual hosting, and proides single signon solutions for the protected Web serers. Note: IBM Tioli Access Manager is the new name of the preiously released software entitled Tioli SecureWay Policy Director. Also, for users familiar with the Tioli SecureWay Policy Director software and documentation, the term management serer is now referred to as policy serer. The IBM Tioli Access Manager Plug-in for Edge Serer User s Guide proides installation instructions, administration procedures, and technical reference information for securing your Web domain using the plug-in for Edge Serer. This guide is for system administrators responsible for the installation, deployment, and administration of the plug-in for Edge Serer. Readers should be familiar with the following: Microsoft Windows and UNIX operating systems Security management Internet protocols, including HTTP, HTTPS, and TCP/IP Lightweight Directory Access Protocol (LDAP) and directory serices Authentication and authorization Access Manager security model and its capabilities If you are enabling Secure Sockets Layer (SSL) communication, you also should be familiar with SSL protocol, key exchange (public and priate), digital signatures, cryptographic algorithms, and certificate authorities. This book contains the following sections: Chapter 1, Introducing the IBM Tioli Access Manager plug-in for Edge Serer on page 1 Describes the supported platforms, installation packages, and software prerequisites for the plug-in for Edge Serer. Also describes the Access Manager security model and the plug-in for Edge Serer security enforcement. Chapter 2, Installing the plug-in for Edge Serer on page 7 Proides installation and configuration instructions for all supported platforms. Chapter 3, Administering the plug-in for Edge Serer on page 11 Describes how to manage user accounts, create an Access Manager object space, and start and stop the plug-in. Also describes the plug-in for Edge Serer configuration and log files. Copyright IBM Corp. 2001, 2002

8 Chapter 4, Understanding the plug-in for Edge Serer configuration on page 19 Proides an oeriew of the plug-in for Edge Serer configuration. Chapter 5, Deploying the plug-in for Edge Serer on page 27 Describes an example deployment of the plug-in for Edge Serer in a Web commerce enironment. Chapter 6, Creating a Cross-domain Authentication Serice on page 31 Explains how to create a Cross-domain Authentication Serice (CDAS) shared library, which enables custom handling and processing of client authentication information. Also describes how to configure the plug-in for Edge Serer to recognize the specific type of authentication data being passed to the custom shared library. Chapter 7, Remoing the plug-in for Edge Serer on page 45 Describes how to unconfigure and remoe the plug-in for Edge Serer from each of the supported operating system platforms. Appendix A, Base configuration file reference on page 49 Appendix B, Object space definition configuration file reference on page 51 Appendix C, wesosm command reference on page 63 Publications This section lists publications in the Access Manager library and any other related documents. It also describes how to access Tioli publications online, how to order Tioli publications, and how to make comments on Tioli publications. IBM Tioli Access Manager The Access Manager library is organized into the following categories: Release information Base information WebSEAL information Web security information Deeloper reference information Supplemental technical information Publications in the product library are included in Portable Document Format (PDF) on the product CD. To access these publications using a Web browser, open the infocenter.html file, which is located in the /doc directory on the product CD. For additional sources of information about Access Manager and related topics, see the following Web sites: Release information IBM Tioli Access Manager for e-business Read Me First GI (am39_readme.pdf) Proides information for installing and getting started using Access Manager. IBM Tioli Access Manager for e-business Release Notes GI (am39_relnotes.pdf) i IBM Tioli Access Manager Plug-in for Edge Serer: User s Guide

9 Proides late-breaking information, such as software limitations, workarounds, and documentation updates. Base information IBM Tioli Access Manager Base Installation Guide GC (am39_install.pdf) Proides installation, configuration, and upgrade instructions for Access Manager base software, including the Web portal manager interface. IBM Tioli Access Manager Base Administrator s Guide GC (am39_admin.pdf) Describes the concepts and procedures for using Access Manager serices. Proides instructions for performing tasks from the Web portal manager interface and by using the pdadmin command. IBM Tioli Access Manager Base for Linux on zseries Installation Guide GC (am39_zinstall.pdf) Explains how to install and configure Access Manager Base for Linux on the zseries platform. WebSEAL information IBM Tioli Access Manager WebSEAL Installation Guide GC (amweb39_install.pdf) Proides installation, configuration, and upgrade instructions for the WebSEAL serer and the WebSEAL application deelopment kit. IBM Tioli Access Manager WebSEAL Administrator s Guide GC (amweb39_admin.pdf) Proides background material, administratie procedures, and technical reference information for using WebSEAL to manage the resources of your secure Web domain. IBM Tioli Access Manager WebSEAL Deeloper s Reference GC (amweb39_deref.pdf) Proides administration and programming information for the Cross-domain Authentication Serice (CDAS), the Cross-domain Mapping Framework (CDMF), and the Password Strength Module. IBM Tioli Access Manager WebSEAL for Linux on zseries Installation Guide GC (amweb39_zinstall.pdf) Proides installation, configuration, and remoal instructions for WebSEAL serer and the WebSEAL application deelopment kit for Linux on the zseries platform. Web security information IBM Tioli Access Manager for WebSphere Application Serer User s Guide GC (amwas39_user.pdf) Proides installation, configuration, and administration instructions for Access Manager for IBM WebSphere Application Serer. IBM Tioli Access Manager for WebLogic Serer User s Guide GC (amwls39_user.pdf) Proides installation, configuration, and administration instructions for Access Manager for BEA WebLogic Serer. IBM Tioli Access Manager Plug-in for Edge Serer User s Guide Preface ii

10 GC (amedge39_user.pdf) Proides installation, configuration, and administration instructions for the plug-in for Edge Serer application. IBM Tioli Access Manager Plug-in for Web Serers User s Guide GC (amws39_user.pdf) Proides installation, configuration, and administration instructions for securing your Web domain using the plug-in for Web serers application. Deeloper references IBM Tioli Access Manager Authorization C API Deeloper s Reference GC (am39_authc_deref.pdf) Proides reference material that describes how to use the Access Manager authorization C API and the Access Manager serice plug-in interface to add Access Manager security to applications. IBM Tioli Access Manager Authorization Jaa Classes Deeloper s Reference GC (am39_authj_deref.pdf) Proides reference information for using the Jaa language implementation of the authorization API to enable an application to use Access Manager security. IBM Tioli Access Manager Administration C API Deeloper s Reference GC (am39_adminc_deref.pdf) Proides reference information about using the administration API to enable an application to perform Access Manager administration tasks. This document describes the C implementation of the administration API. IBM Tioli Access Manager Administration Jaa Classes Deeloper s Reference SC (am39_adminj_deref.pdf) Proides reference information for using the Jaa language implementation of the administration API to enable an application to perform Access Manager administration tasks. IBM Tioli Access Manager WebSEAL Deeloper s Reference GC (amweb39_deref.pdf) Proides administration and programming information for the Cross-domain Authentication Serice (CDAS), the Cross-domain Mapping Framework (CDMF), and the Password Strength Module. Technical supplements IBM Tioli Access Manager Performance Tuning Guide GC (am39_perftune.pdf) Proides performance tuning information for an enironment consisting of Access Manager with IBM SecureWay Directory defined as the user registry. IBM Tioli Access Manager Capacity Planning Guide GC (am39_capplan.pdf) Assists planners in determining the number of WebSEAL, LDAP, and backend Web serers needed to achiee a required workload. IBM Tioli Access Manager Error Message Reference SC (am39_error_ref.pdf) Proides explanations and recommended actions for the messages produced by Access Manager. iii IBM Tioli Access Manager Plug-in for Edge Serer: User s Guide

11 The Tioli Glossary includes definitions for many of the technical terms related to Tioli software. The Tioli Glossary is aailable, in English only, at the following Web site: Related publications This section lists publications related to the Access Manager library. IBM DB2 Uniersal Database IBM DB2 Uniersal Database is required when installing IBM SecureWay Directory, z/os, and OS/390 SecureWay LDAP serers. DB2 information is aailable at the following Web site: IBM Global Security Toolkit Access Manager proides data encryption through the use of IBM Global Security Toolkit (GSKit). GSKit is shipped on the IBM Tioli Access Manager Base CD for your particular platform. The GSKit package installs the ikeyman key management utility (gsk5ikm), which enables you to create key databases, public-priate key pairs, and certificate requests. The following document is aailable in the /doc/gskit directory: SSL Introduction and ikeyman User s Guide (gskikm5c.pdf) Proides information for network or system security administrators who plan to enable SSL communication in their Access Manager secure domain. IBM SecureWay Directory IBM SecureWay Directory, Version 3.2.2, is shipped on the IBM Tioli Access Manager Base CD for your particular platform. If you plan to install the IBM SecureWay Directory serer as your user registry, the following documents are aailable in the /doc/directory path on the IBM Tioli Access Manager Base CD for your particular platform: IBM SecureWay Directory Installation and Configuration Guide (aparent.pdf, lparent.pdf, sparent.pdf, wparent.pdf) Proides installation, configuration, and migration information for IBM SecureWay Directory components on AIX, Linux, Solaris, and Microsoft Windows operating systems. IBM SecureWay Directory Release Notes (relnote.pdf) Supplements IBM SecureWay Directory, Version 3.2.2, product documentation and describes features and functions made aailable to you in this release. IBM SecureWay Directory Readme Addendum (addendum322.pdf) Proides information about changes and fixes that occurred after the IBM SecureWay Directory documentation had been translated. This file is in English only. IBM SecureWay Directory Serer Readme (serer.pdf) Proides a description of the IBM SecureWay Directory Serer, Version IBM SecureWay Directory Client Readme Preface ix

12 (client.pdf) Proides a description of the IBM SecureWay Directory Client SDK, Version This software deelopment kit (SDK) proides LDAP application deelopment support. IBM SecureWay Directory Configuration Schema (scparent.pdf) Describes the directory information tree (DIT) and the attributes that are used to configure the slapd32.conf file. In IBM SecureWay Directory Version 3.2, the directory settings are stored using the LDAP Directory Interchange Format (LDIF) in the slapd32.conf file. IBM SecureWay Directory Tuning Guide (tuning.pdf) Proides performance tuning information for IBM SecureWay Directory. Tuning considerations for directory sizes ranging from a few thousand entries to millions of entries are gien where applicable. For more information about IBM SecureWay Directory, see the following Web site: IBM WebSphere Application Serer IBM WebSphere Application Serer, Adanced Single Serer Edition 4.0.2, is installed with the Web portal manager interface. For information about IBM WebSphere Application Serer, see the following Web site: Accessing publications online Publications in the product library are included in Portable Document Format (PDF) on the product CD. To access these publications using a Web browser, open the infocenter.html file, which is located in the /doc directory on the product CD. When IBM publishes an updated ersion of one or more online or hardcopy publications, they are posted to the Tioli Information Center. The Tioli Information Center contains the most recent ersion of the publications in the product library in PDF or HTML format, or both. Translated documents are also aailable for some products. You can access the Tioli Information Center and other sources of technical information from the following Web site: Information is organized by product, including release notes, installation guides, user s guides, administrator s guides, and deeloper s references. Note: If you print PDF documents on other than letter-sized paper, select the Fit to page check box in the Adobe Acrobat Print dialog (which is aailable when you click File Print) to ensure that the full dimensions of a letter-sized page are printed on the paper that you are using. Ordering publications You can order many Tioli publications online at the following Web site: x IBM Tioli Access Manager Plug-in for Edge Serer: User s Guide

13 Accessibility cgibin/pbi.cgi You can also order by telephone by calling one of these numbers: In the United States: In Canada: In other countries, for a list of telephone numbers, see the following Web site: Proiding feedback about publications We are ery interested in hearing about your experience with Tioli products and documentation, and we welcome your suggestions for improements. If you hae comments or suggestions about our products and documentation, contact us in one of the following ways: Send an to pubs@tioli.com. Contacting customer support Complete our customer feedback surey at the following Web site: Accessibility features help a user who has a physical disability, such as restricted mobility or limited ision, to use software products successfully. With this product, you can use assistie technologies to hear and naigate the interface. You can also use the keyboard instead of the mouse to operate all features of the graphical user interface. If you hae a problem with any Tioli product, you can contact Tioli Customer Support. See the Tioli Customer Support Handbook at the following Web site: The handbook proides information about how to contact Tioli Customer Support, depending on the seerity of your problem, and the following information: Registration and eligibility Conentions used in this book Telephone numbers and addresses, depending on the country in which you are located What information you should gather before contacting support This guide uses seeral conentions for special terms and actions, operating system-dependent commands and paths, and margin graphics. Typeface conentions The following typeface conentions are used in this book: Bold Italic Command names and options, keywords, and other information that you must use literally appear in bold. Variables, command options, and alues you must proide appear Preface xi

14 Monospace in italics. Titles of publications and special words or phrases that are emphasized also appear in italics. Code examples, command lines, screen output, file and directory names, and system messages appear in monospace font. xii IBM Tioli Access Manager Plug-in for Edge Serer: User s Guide

15 Chapter 1. Introducing the IBM Tioli Access Manager plug-in for Edge Serer System requirements The plug-in for Edge Serer adds authentication and authorization functionality to the IBM WebSphere Edge Serer product. When implemented as an authorization serice in your secure domain, this plug-in can proide single signon solutions to resources within that domain. This chapter describes the supported platforms, installation packages, and software prerequisites for the plug-in for Edge Serer. This chapter also describes the IBM Tioli Access Manager security model and the plug-in for Edge Serer security enforcement. Access Manager has specific software and hardware prerequisites that must be met before it can be installed and deemed fully functional. These include operating systems, hardware platforms, and so on. The requirements listed in the following sections constitute the recommended enironment for the plug-in for Edge Serer components at the time of publication. For the most current information, see the IBM Tioli Access Manager for e-business Release Notes. Supported operating systems The plug-in for Edge Serer is supported on the following platforms: IBM AIX and 5.1 Microsoft Windows 2000 Adanced Serer Red Hat Linux 7.1 Sun Solaris 2.7 and 2.8 Software prerequisites The plug-in for Edge Serer operates in a secure domain installed with Access Manager, Version 3.9. The plug-in for Edge Serer has the following software prerequisites. You must install and configure these prerequisites on the same system as the plug-in for Edge Serer. Note that if your system already runs Access Manager, Version 3.9, then the GSKit, IBM SecureWay Directory client, and Access Manager runtime are already installed and configured. Howeer, if you plan to install the plug-in on a new system that is not currently a part of your Access Manager secure domain, follow installation instructions in the IBM Tioli Access Manager Base Installation Guide. IBM WebSphere Edge Serer, Version 2.0, with program temporary fix (PTF) 1. To download the PTF 1, see the following Web address: manager.wss?rs=0&rt=1&cat=downloadable+files&r=10&mr=200&q= Edge+Serer&path=Product+Group%3DSoftware IBM Global Security Toolkit (GSKit), Version IBM SecureWay Directory, Version 3.2.2, client Copyright IBM Corp. 2001,

16 Access Manager runtime enironment Access Manager security model The plug-in for Edge Serer adds authentication and authorization control to the Edge Serer caching proxy. To administer the plug-in for Edge Serer, you need to be familiar the Access Manager model for enforcing security policies. The Access Manager model is based on understanding the business policies that must apply to users, programs, and data in a network enironment. To establish a secure enironment, Access Manager requires an administrator to define the following entities: Objects to be secured Actions permitted on each object Users permitted to perform the actions Access Manager manages each of these entities as follows: Objects are listed and defined in a hierarchal protected object name space or object space. Standard actions, such as read and write, are defined as permissions. Administrators can also define custom application-specific actions. Users and groups are defined in an Access Manager supported user registry. Access Manager combines these concepts to form access control lists (ACLs) that consist of combinations of specific users or groups and a list of the permissions (actions). The administrator attaches these ACLs to objects in the object space. For example, an administrator can control access to the contents of a Web serer by attaching an ACL to a file at the top of a hierarchal file system on a Web serer. The administrator can also choose to apply a more restrictie ACL further down in the file hierarchy. The more restrictie ACL oerrides the ACL that is attached at the top of the hierarchy. The plug-in for Edge Serer enforces access control by checking for the read (r), modify (m), or execute (x) permission on each requested object, based on the requested action. The Access Manager security model is flexible and supports many different configurations. Before you use the plug-in for Edge Serer, you need to be familiar with Access Manager capabilities. For more information, see the IBM Tioli Access Manager Base Administrator s Guide. Plug-in for Edge Serer security enforcement The plug-in for Edge Serer works with the IBM WebSphere Edge Serer to proide access control. It sits at the edge of an enterprise network where access requests from clients outside the firewall are ealuated. Edge Serer consists of two key components: Caching proxy Network dispatcher The plug-in is inoked by the caching proxy component on eery request to determine if the user is authorized to access the requested resource. The caching proxy subsequently enforces the authorization decision returned by the plug-in. 2 IBM Tioli Access Manager Plug-in for Edge Serer: User s Guide

17 Although the network dispatcher component is not required to run the plug-in, it can be used for load balancing across replicated serers in high olume enironments. Generally, when a user issues a request from a browser to a Web site, the object represented in the URL corresponds to an object on a Web serer. The plug-in for Edge Serer proides access control by erifying that the user is authorized to perform the requested action on the Web serer object. The plug-in does this by authenticating the user against the Access Manager user registry and authorizing the user against the Access Manager object space, as illustrated in Figure 1. The plug-in returns status information to the caching proxy indicating whether the user was authorized to perform the requested action on the object. The caching proxy uses this information to either deny or allow the requested action. When the security policy permits, the Edge Serer caching proxy caches the requested object to optimize performance. Browser Edge Serer Internet Gateway Caching Proxy Web Serer Access Manager Registry Serer Access Manager Plug-in Access Manager Policy Serer Figure 1. Example of plug-in for Edge Serer security enforcement The plug-in for Edge Serer proides access control for the following Edge Serer caching proxy configurations: Reerse proxy Forward proxy These concepts are discussed in the following sections. Reerse proxy access control The Edge Serer caching proxy functions as a reerse proxy when it is located between a client browser on the Internet and Web serers that are located behind a firewall. In this role, the caching proxy intercepts user requests arriing from the Internet, forwards them to the appropriate host Web serer, caches the returned data, and deliers that data to the client user across the Internet. The plug-in for Edge Serer can be used to proide access control to these inbound client requests. This is accomplished by configuring the public domain name of the Web site on the Edge Serer caching proxy machine and specifying a route to the corresponding backend Web serer, as illustrated in Figure 2 on page 4. Chapter 1. Introducing the IBM Tioli Access Manager plug-in for Edge Serer 3

18 Browser Edge Serer newbooks.com Internet Gateway Caching Proxy Web Serer backend1.com Access Manager Plug-in Figure 2. Plug-in for Edge Serer in a reerse proxy configuration In this example, the plug-in for Edge Serer is configured to proide access control to the objects on newbooks.com. After a user is authorized, the request is routed to the corresponding backend serer either by the plug-in for Edge Serer, or by a load balancing module, such as the content-based routing module of the Edge Serer network dispatcher. The plug-in for Edge Serer performs URL mapping, similar to the function proided by the Proxy statements in the Edge Serer caching proxy configuration file. You configure the plug-in for Edge Serer access control by setting alues for parameters in the plug-in configuration file, osdef.conf. For this example Web site, you would add the following entries: [Remote: /ESproxy/reerse/newbooks.com] domains = newbooks.com login_method = forms form_login_file = form_login_errorfile = form_logout_url = /pub/logout.html route = This entry configures the plug-in for Edge Serer to perform the following actions: Authorize all requests for newbooks.com and by consulting the ACLs that are attached to objects under the entry /ESproxy/reerse/newbooks.com in the Access Manager protected object name space. Use forms-based login as the login method Map eery URL to the following Web serer: backend1.com In this example, the administrator should attach the unauthenticated ACL on the /pub directory. For more information about the use of the unauthenticated ACL, see the IBM Tioli Access Manager Base Administrator s Guide. Note also that if the user submits a URL request that matches /pub/logout.html, the user is logged out. By default, the plug-in for Edge Serer checks /ESproxy/reerse/domain_name for reerse proxy requests. You can set additional options for this serer definition. If 4 IBM Tioli Access Manager Plug-in for Edge Serer: User s Guide

19 you do not specify a setting for an option, the setting for that option is inherited from the [Global] section of the osdef.conf configuration file. The plug-in for Edge Serer supports seeral login methods. In addition to the forms-based login shown in the sample configuration, you can also configure the plug-in for Edge Serer to use: Basic authentication Client certificate authentication For information about osdef.conf file options, see Appendix B, Object space definition configuration file reference on page 51. Forward proxy access control The Edge Serer caching proxy functions as a forward proxy when it is located between a client browser (behind a firewall) and the Internet. The client browsers are configured to direct requests to the Edge Serer caching proxy. The forward caching proxy forwards a client s request to a content host located across the Internet, caches the retrieed data, and deliers the retrieed data to the client. The plug-in for Edge Serer can be used to proide access control to these outbound client requests, as illustrated in Figure 3. Edge Serer Internet Gateway Web Serer Caching Proxy Browser Access Manager Plug-in Figure 3. Plug-in for Edge Serer in a forward proxy configuration By default, the plug-in for Edge Serer checks /ESproxy/forward/domain_name for forward proxy requests. You can oerride this default setting by creating one or more serer definitions in the object space definition configuration file as shown: [Remote: /ESproxy/forward/blockedsites] domains = games.com *.games.com *.competitor.com route = /pub/browsepolicy.html In this example, all browser requests matching the domain names games.com, *.games.com, or *.competitor.com are redirected to the company s browsing policy Web page located at the following Web address: backend2.com Alternatiely, you can attach an Access Manager ACL at this location in the object space. For example, this ACL could deny all users access to any of the listed Web sites. Chapter 1. Introducing the IBM Tioli Access Manager plug-in for Edge Serer 5

20 6 IBM Tioli Access Manager Plug-in for Edge Serer: User s Guide

21 Chapter 2. Installing the plug-in for Edge Serer This chapter describes how to install and configure the plug-in for Edge Serer on AIX, Solaris, and Windows platforms. Note that if your system is currently set up with supported ersions of GSKit, IBM SecureWay Directory client, and the IBM Tioli Access Manager runtime enironment, you need to install only the plug-in package. This chapter contains the following sections: Installing the plug-in for Edge Serer on AIX on page 7 Installing the plug-in for Edge Serer on Linux on page 7 Installing the plug-in for Edge Serer on Solaris on page 8 Installing the plug-in for Edge Serer on Windows on page 8 Configuring the plug-in for Edge Serer on page 8 Installing the plug-in for Edge Serer on AIX The following steps show you how to install components necessary for the plug-in for Edge Serer. Note: Before you install the plug-in package, ensure that you install prerequisite software in System requirements on page Log in to the system as root. 2. Insert the IBM Tioli Access Manager Web Security, Version 3.9, for AIX CD. 3. To install the Plug-in for Edge Serer package in the default location, enter the following: installp -c -a -g -X -d /de/cd0 PDPlgES 4. To complete the installation of the plug-in for Edge Serer, follow the instructions in Configuring the plug-in for Edge Serer on page 8. Installing the plug-in for Edge Serer on Linux The following steps show you how to install components necessary for the plug-in for Edge Serer. Note: Before you install the plug-in package, ensure that you install prerequisite software in System requirements on page Log in to the system as root. 2. Insert the IBM Tioli Access Manager Web Security, Version 3.9, for Linux CD. 3. Change to the directory /mnt/cdrom/linux, where /mnt/cdrom is the mount point for your CD. 4. To install the plug-in for Edge Serer package in the default location, enter the following: rpm -i --nodeps PDPlgES-PD i386.rpm 5. To complete the installation of the plug-in for Edge Serer, follow the instructions in Configuring the plug-in for Edge Serer on page 8. Copyright IBM Corp. 2001,

22 Installing the plug-in for Edge Serer on Solaris The following steps show you how to install components necessary for the plug-in for Edge Serer. Note: Before you install the plug-in package, ensure that you install prerequisite software in System requirements on page Log in to the system as root. 2. Insert the IBM Tioli Access Manager Web Security, Version 3.9, for Solaris CD. 3. Change to the /cdrom/cdrom0/solaris directory. 4. To install the plug-in for Edge Serer package, enter the following: pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault PDPlgES 5. To complete the installation of the Plug-in for Edge Serer, follow the instructions in Configuring the plug-in for Edge Serer on page 8. Installing the plug-in for Edge Serer on Windows The following steps show you how to install components necessary for the plug-in for Edge Serer. Note: Before you install the plug-in package, ensure that you install prerequisite software in System requirements on page Log in to the system as a user with administrator priileges. 2. Insert the IBM Tioli Access Manager Web Security, Version 3.9, for Windows CD. 3. Run the setup.exe file in the following location: cdrom_drie\windows\policydirector\diskimages\disk1 4. From the Select Packages window, select the plug-in for Edge Serer package. 5. To complete the installation of the plug-in for Edge Serer, follow the instructions in Configuring the plug-in for Edge Serer on page 8. Configuring the plug-in for Edge Serer The plug-in for Edge Serer proides a configuration utility named wslconfig.sh (on UNIX systems) or wslconfig.exe (on Windows systems). This utility accomplishes the following tasks: Creates an Access Manager identity for the plug-in for Edge Serer. Creates an Access Manager protected object space for the plug-in for Edge Serer. On the Windows platform only, configures the Edge Serer caching proxy to automatically load the plug-in for Edge Serer at application startup. To configure the plug-in for Edge Serer, follow these steps: 1. To start the configuration utility, enter the following: On UNIX systems: wslconfig.sh On Windows systems: wslconfig.exe Note: On Windows 2000 systems only, configuration of the plug-in for an Actie Directory user registry requires an administrator password for 8 IBM Tioli Access Manager Plug-in for Edge Serer: User s Guide

23 the configuration tool to perform successfully. When configuring, use the wslconfig command with the following parameter: wslconfig -adpwd Actie_Directory_admin_password 2. When prompted, enter the following information: The port number for the Edge Serer caching proxy. The default port number is 80. The Access Manager administratie user ID and password. For example, enter sec_master and its associated password. The configuration utility completes the following tasks: Creates registry objects for the serer. Adds the serer to the security groups, iacld-serers and SecurityGroup. Creates an SSL certificate. Obtains an SSL signed certificate from the Access Manager policy serer. Configures the Edge Serer caching proxy to use the plug-in for Edge Serer by setting directies in the Edge Serer caching proxy configuration file, ibmproxy.conf. Restarts the Edge Serer caching proxy process, ibmproxy. Next, the configuration utility starts the plug-in for Edge Serer object space manager utility, by using the wesosm command. This utility updates the Access Manager object space to create a new object space container for the plug-in for Edge Serer. Configuration of the plug-in for Edge Serer is now complete. The Edge Serer caching proxy is now running with the plug-in for Edge Serer loaded. The administratie user, sec_master, can be used to access the caching proxy s home page. Upgrading the plug-in for Edge Serer The configuration tool for the earlier ersions of the plug-in automatically replaced user configuration files during the unconfiguration process, which sometimes caused the loss of user configuration information. The plug-in for Edge Serer, Version 3.9, does not replace user configuration files during the unconfiguration process. When upgrading from an existing ersion of the plug-in for Edge Serer, you need to back up all user modified configuration files, such as ibmwesas.conf, osdef.conf, ibmproxy.conf, before unconfiguring the plug-in. Chapter 2. Installing the plug-in for Edge Serer 9

24 10 IBM Tioli Access Manager Plug-in for Edge Serer: User s Guide

25 Chapter 3. Administering the plug-in for Edge Serer Managing user accounts This chapter proides the concepts, administratie procedures, and technical reference information for using the plug-in for Edge Serer to manage the resources of your secure domain. This chapter contains the following sections: Managing user accounts on page 11 Creating an Access Manager object space on page 11 Starting and stopping the plug-in for Edge Serer on page 13 Configuration files on page 13 Log files on page 16 IBM Tioli Access Manager maintains and manages user accounts through the pdadmin command line interface. Users and groups are created, deleted, and modified using this interface. The plug-in authenticates a user by erifying that the submitted user information matches a user entry in the Access Manager registry. The plug-in also erifies that the user account status is alid. All password policies for users are set through Access Manager and coneyed to the plug-in during authentication. The plug-in does not maintain any password policy information but relies on Access Manager to maintain information such as max-login-failures, account-expiry-date, and max-password-age. During authentication, the plug-in erifies that the user account is alid and ensures that the user s password has not expired. If the user account is disabled, the user fails authorization. Howeer, if the password has expired and a change password form was configured for the plug-in, then the user is presented with the form to change the expired password. Creating an Access Manager object space Access Manager uses a protected object name space to represent objects that need to hae access control policies applied. The protected object space can include resources on a Web serer. The simplest way to add Web resources to the object space is to import the Web serer file system and apply Access Manager access control lists (ACLs) as needed. The plug-in for Edge Serer proides an object space manager utility that adds resources to the Access Manager object space. The utility is inoked with the wesosm command. You can use wesosm to generate the object space for both the Edge Serer caching proxy and for Web serers that the plug-in for Edge Serer protects. Note: For more information about the wesosm command, see Appendix C, wesosm command reference on page 63. The following sections describe how to add Web resources to the protected object space: Creating an object space for the caching proxy on page 12 Creating an object space for other Web serers on page 12 Copyright IBM Corp. 2001,

26 Creating an object space for the caching proxy Although the Edge Serer caching proxy is a proxy, it can function like a Web serer when requests are made directly to the primary domain name of the Edge Serer caching proxy machine. Typically, informational and error messages are stored in the Web space of the proxy. The plug-in for Edge Serer enforces access control to the objects that are managed by the Edge Serer caching proxy. Each object that needs to be secured must be defined in the Access Manager object space. There are two methods for adding objects to the object space. You can add objects to the object space manually by using the pdadmin command. The pdadmin command contains command line options for creating new object spaces and for adding, modifying, and deleting objects. For more information, see the IBM Tioli Access Manager Base Administrator s Guide. You can also add a series of Web resources to the object space by using the query_contents utility to get an inentory of the objects in a Web hierarchy. This method is discussed in Creating an object space for other Web serers on page 12. The following example serer definition in the configuration file osdef.conf represents an Edge Serer caching proxy named bookproxy.com: [Local: /ESproxy/bookproxy.com] domains = bookproxy.com query_command = When you configure the plug-in for Edge Serer at installation time, the wslconfig utility executes the wesosm command to generate the default object space for the Edge Serer caching proxy. The default object space contains the following container objects: /ESproxy /Esproxy/proxy_host_name /ESproxy/forward /ESproxy/reerse After the objects are created, you can place ACLs at the appropriate locations in the object space for the Edge Serer caching proxy. Creating an object space for other Web serers Use the object space manager wesosm command to query a remote Web serer s file system to create corresponding entries in the Access Manager object space. The object space manager reads the osdef.conf configuration file and creates object entries for each serer definition in the file. Use the query_contents utility to import a Web serer s file system into the protected object space. Place this utility in the cgi-bin directory on the target Web serer. Also, specify the root location of the Web serer s files. For more information about the query_contents utility, see the IBM Tioli Access Manager WebSEAL Administrator s Guide. After you hae configured the query_contents utility, add an entry to the object space definition configuration file that tells the wesosm command how to query the remote Web serer s file system. For example, add the following entry in the configuration file: 12 IBM Tioli Access Manager Plug-in for Edge Serer: User s Guide

27 [Remote: /ESproxy/reerse/newbooks.com] domains = newbooks.com query_command = After the entry has been added to the configuration file, run the object space manager from the plug-in for Edge Serer machine as shown: wesosm -run -infile location_of_osdef.conf -erbose The wesosm command connects to the Web serer to query its file system. Next, it connects to the Access Manager policy serer to create entries in the object space underneath /ESproxy/reerse/newbooks.com. If a serer definition does not hae a query_contents utility associated with it, only the root branch is created. You can attach ACLs in appropriate locations after the object space has been created. You also can use the wesosm command to maintain the object space by pruning any obsolete entries that might accumulate oer time. To remoe obsolete entries from the object space, run the wesosm command with the following options: wesosm -run -infile location_of_osdef.conf -clean -erbose Starting and stopping the plug-in for Edge Serer To manually start the Edge Serer caching proxy and load the plug-in for Edge Serer, do one of the following: On UNIX systems, use the wslstartwte command. Note: You can add the wslstartwte utility to UNIX startup scripts to automatically start the Edge Serer caching proxy and the plug-in for Edge Serer wheneer a system restarts. On Windows systems, start the IBM Caching Proxy serice. Configuration files To stop the Edge Serer caching proxy UNIX systems, do one of the following: On UNIX systems, use the wslstopwte command: On Windows systems, stop the IBM Caching Proxy serice. The plug-in for Edge Serer configuration files are created and placed on the filesystem when the plug-in for Edge Serer is installed and configured. You can manually modify these files after initial configuration. The configuration files are located in one of the following directories: On UNIX systems: /opt/pdweb-lite/etc On Windows systems: install_dir\etc Configuration files are described in the following sections: Base configuration file (ibmwesas.conf) on page 14 Object space definition configuration file (osdef.conf) on page 14 User mapping configuration file (usermap.conf) on page 16 Chapter 3. Administering the plug-in for Edge Serer 13

28 Base configuration file (ibmwesas.conf) The base configuration file is named ibmwesas.conf. The wslconfig utility initializes this file when the plug-in for Edge Serer is installed and configured. This file contains entries that are used to initialize and start the plug-in for Edge Serer. Typically, you do not need to modify this file after initial configuration. The ibmwesas.conf file contains entries that specify the following alues: Access Manager Lightweight Directory Access Protocol (LDAP) configuration settings These include LDAP host and port numbers. When Access Manager communication with the LDAP serer is oer Secure Sockets Layer (SSL), the SSL configuration alues are included here. Access Manager configuration alues: Database replication mode (local or remote) Database location Audit file location Cache refresh interal Location of the SSL configuration file containing certificate information Lightweight Third Party Authentication (LTPA) cookie single signon settings WebSEAL cookie single signon settings Location of the osdef.conf object space definition file Location of the usermap.conf user mapping file For more information on the ibmwesas.conf file, see Appendix A, Base configuration file reference on page 49. Object space definition configuration file (osdef.conf) The object space definition configuration file is named osdef.conf. The osdef.conf file specifies configuration settings that the plug-in for Edge Serer uses to enforce access control for all client requests. The object space definition configuration file has its settings grouped into the following sections: [Global] Specifies settings that apply to all requests that are not explicitly oerwritten in another section ([Local] or [Remote]). [Local] Specifies settings that apply to requests for objects on the Edge Serer caching proxy. [Remote] Specifies settings that apply to requests for objects on remote Web serers. [SSO] Specifies single signon definitions and settings that the plug-in for Edge Serer can use to pass authentication information to a Web serer. The [Global] section of the osdef.conf file includes the following configuration options: Administrator name and password Enable or disable updating of the object space Object space locations for the object space root, forward proxy entries, and reerse proxy entries 14 IBM Tioli Access Manager Plug-in for Edge Serer: User s Guide