Overview
The components to install and configure in this scenario are WebSphere Application Server, IBM HTTP Server, DB2, Tivoli Directory Server and IBM Tivoli Access Manager WebSEAL. Every machine runs Windows Server 2008 R2, and the WebSphere side is a clustered (Network Deployment) topology.
The environment included the following components:
•IBM WebSphere Application Server Network Deployment 8.0.0.0
•IBM DB2 Enterprise Server Edition Version 9.7 Fix Pack 1
•IBM HTTP Server V8.0
•IBM Tivoli Access Manager 6.1.1
•IBM Tivoli Directory Server 6.3
Infrastructure Diagram
Specification
The following table lists the specification for the computers used in the infrastructure.
| Machine | OS | Software | Specs |
| --- | --- | --- | --- |
| DB2 | Windows 2008 R2 Enterprise Server | IBM DB2 Enterprise Server Edition Version 9.7 Fix Pack 1 | Intel Xeon E5430 quad-core, 2 processors, 2.7 GHz, 64-bit CPU and kernel, 10 GB memory |
| IBM WebSphere Deployment Manager and IBM HTTP Server | Windows 2008 R2 Enterprise Server | IBM WebSphere Application Server Network Deployment 8.0.0.0, IBM HTTP Server 8.0 | Same as above |
| IBM WebSphere Application node 1 | Windows 2008 R2 Enterprise Server | IBM WebSphere Application Server Network Deployment 8.0.0.0 | Same as above |
| IBM WebSphere Application node 2 | Windows 2008 R2 Enterprise Server | IBM WebSphere Application Server Network Deployment 8.0.0.0 | Same as above |
| LDAP | Windows 2008 R2 Enterprise Server | IBM Tivoli Directory Server 6.3 | Same as above |
| TAM | Windows 2008 R2 Enterprise Server | IBM Tivoli Access Manager 6.1.1 | Same as above |
In this document the TAM server is configured against a Forms Experience Builder (FEB) cluster. For how to set up the FEB cluster, see Configuring IBM Forms Experience Builder 8.0 Cluster Environment (Reference 1).
Configuring the FEB Server with TAM
1. Prerequisites: before configuring TAM, make sure the following components are installed and configured.
1.1. Install Tivoli Access Manager WebSEAL. For steps, see the IBM Tivoli Access Manager for e-business Installation Guide (Reference 3).
1.2. Install the Policy Server and integrate WebSEAL with it. For steps, see Setting up a policy server in the Tivoli Access Manager Information Center (Reference 2).
2. To support SSO with the Lightweight Third-Party Authentication (LTPA) key, Tivoli Access Manager and WebSphere Application Server must share the same key and password. To export the LTPA key from WebSphere Application Server, complete the following steps:
2.1. Log in to the WebSphere Application Server Integrated Solutions Console as an administrator, expand Security and click Global security. In the Authentication mechanisms and expiration area, click LTPA.
2.2. In the Cross-cell single sign-on section, provide values for the following fields:
Password: enter a strong password and confirm it. You need this password again when you create the junctions in Step 5.
Fully qualified key file name: specify a valid path and file name for the exported key file, for example C:\WAS8_ltpa.key
2.3. Click Export keys.
The exported file holds the key that WebSphere uses to validate LTPA tokens; anyone who obtains the file together with its password can mint tokens that WebSphere accepts, so restrict read access to it on both servers and remove any copies left in shared or temporary locations.
Note: If you modify your federated repository properties, such as the realm name of the federated repository, re-export the LTPA key and copy it to the Tivoli Access Manager server, to the same location that you used when creating the Tivoli Access Manager junctions. See Step 5 for details.
3. Use available authentication data when an unprotected URI is accessed: on the Global security page, expand Web and SIP security and click General settings. Select Authenticate only when the URI is protected and, under it, Use available authentication data when an unprotected URI is accessed, if it is not already selected. Click Apply and then OK.
With this setting WebSphere Application Server still authenticates a request that carries a valid LTPA token even when the target URI is not itself secured, so FEB sees the WebSEAL-authenticated user on the open and anonymous paths as well.
4. Import the IBM HTTP Server certificate (or the CA certificate that issued it) into the WebSEAL key database, so that the SSL junction created in Step 5 can validate the back-end server certificate instead of failing with a certificate error. See the Tivoli Access Manager Information Center (Reference 2) for details.
5. Use the exported LTPA key to configure the transparent path junctions in Tivoli Access Manager. To do so, complete the following steps:
5.1. Copy the LTPA key file that you exported in Step 2 to the Tivoli Access Manager server, for example to C:\WAS8_ltpa.key. Keep the file readable only by the account the WebSEAL service runs under.
5.2. Open the pdadmin command line utility, which is installed as part of the Tivoli Access Manager runtime package, and log in as an administrative user such as sec_master.
5.3. Configure one transparent path junction for each context root of Forms. Enter the following command once for each junction:
Note: Do not include the carriage returns in the command. They are added for display purposes.
pdadmin> server task <WebSEAL-instance-name> create -t ssl -h <backend-server-name> -p <backend-server-port> -i -b ignore -A -2 -F <ltpa-token> -Z <ltpa-password> -j -J trailer -k -x <transparent-path-jct>
where:
•<WebSEAL-instance-name> is the name of the WebSEAL server, with the syntax <WebSEAL_instance>-webseald-<tam_server>, where <WebSEAL_instance> is the instance name of the WebSEAL server set up to manage FEB, such as default, and <tam_server> is the host name of the Tivoli Access Manager server. For example: default-webseald-server.name.example.com
•<backend-server-name> is the host name of the FEB server for which Tivoli Access Manager manages authentication, that is, the IBM HTTP Server configured for FEB.
•<backend-server-port> is the port on which that back-end server listens.
•<ltpa-token> is the full path (including file name) of the key file that you exported from WebSphere Application Server. For example: C:\WAS8_ltpa.key
•<ltpa-password> is the password that you defined in Step 2 to encrypt the key file.
•<transparent-path-jct> is the transparent path junction for the application. The value must match the URL pattern (the context root), and a junction must be created once for each URL pattern.
The remaining options: -i makes WebSEAL treat URLs on the junction as case insensitive; -b ignore tells WebSEAL not to supply a basic-authentication header of its own, leaving the client's header, if any, for WebSphere to handle on the bypass paths (the user identity travels in the LTPA cookie instead); -A enables LTPA for the junction; -j with -J trailer appends the junction-cookie script to the end of returned pages; -k forwards the WebSEAL session cookie to the back end.
For example:
pdadmin> server task default-webseald-server.name.example.com create -t ssl -h backend.server.name.example.com -p 443 -i -b ignore -A -2 -F C:\WAS8_ltpa.key -Z <password> -j -J trailer -k -x /forms
Repeat the command with -x /forms-basic. To check the result, pdadmin> server task default-webseald-server.name.example.com list prints the junction points the instance knows about.
Note:
•You can use -t tcp -p 80 to create a non-SSL junction, but the LTPA cookie and user data then travel in clear text between WebSEAL and IBM HTTP Server. This is not recommended.
•The -2 parameter is needed only if you are using LTPA version 2. WebSphere Application Server supports both LTPA version 1 and LTPA version 2.
•If an invalid certificate error occurs, import the <backend-server-name> certificate into the WebSEAL certificate store (Step 4) before you create the junctions.
For more information about using the pdadmin command line utility, see Using pdadmin to create junctions in the Tivoli Access Manager Information Center (Reference 4).
6. Create a default IBM Forms access control list (ACL) that overrides the default WebSEAL ACL by running the following commands:
pdadmin> acl create <forms-default-acl>
pdadmin> acl modify <forms-default-acl> set user sec_master TcmdbsvaBRlrx
pdadmin> acl modify <forms-default-acl> set any-other Tmdrx
pdadmin> acl modify <forms-default-acl> set unauthenticated T
where <forms-default-acl> is the name of the access control list, for example forms-acl-default.
The unauthenticated entry grants only T (traverse), so an anonymous request for a resource under this ACL is answered with a login challenge rather than passed to FEB. The any-other entry grants every authenticated user Tmdrx (traverse, modify, delete, read, execute), and sec_master keeps the full permission set.
7. Attach the default ACL to the resources that are protected by forms authentication, that is, to the application root URLs:
pdadmin> acl attach /WebSEAL/<tam_server>-<WebSEAL_instance>/<app_root> <forms-default-acl>
where:
•<tam_server> is the host name of the Tivoli Access Manager server, for example tam.example.com
•<WebSEAL_instance> is the name of the WebSEAL instance that is configured to manage FEB, for example default
•<app_root> is the root path of an IBM Forms application; run the command once for each of forms and forms-basic
•<forms-default-acl> is the ACL that you defined in Step 6, for example forms-acl-default
For example:
pdadmin> acl attach /WebSEAL/tam.example.com-default/forms forms-acl-default
pdadmin> acl attach /WebSEAL/tam.example.com-default/forms-basic forms-acl-default
8. Define the unprotected (bypass) access control list. Unprotected resources, and resources that require basic authentication, are attached to it in Step 9 so that Tivoli Access Manager passes HTTP requests for them through to WebSphere Application Server, which performs any authentication itself.
To define the unprotected access control list, enter the following commands:
pdadmin> acl create <forms-bypass-acl>
pdadmin> acl modify <forms-bypass-acl> set user sec_master TcmdbsvaBRlrx
pdadmin> acl modify <forms-bypass-acl> set any-other Tmdrx
pdadmin> acl modify <forms-bypass-acl> set unauthenticated Tmdrx
where <forms-bypass-acl> is the name of the unprotected access control list, for example forms-acl-bypass.
Note that any-other is set to Tmdrx as well: Tivoli Access Manager evaluates the unauthenticated entry as a mask (bitwise AND) against the any-other entry, so a permission missing from any-other is never granted to unauthenticated users. Attach this ACL only to the paths listed in Step 9; it grants anonymous clients modify and delete on everything beneath the attachment point, and FEB alone must then control what those paths allow.
9. Attach the bypass ACL to resources that do not require authentication. Run the following command once for each object path:
pdadmin> acl attach /WebSEAL/<tam_server>-<WebSEAL_instance>/<object-path> <forms-bypass-acl>
where:
•<tam_server> is the host name of the Tivoli Access Manager server.
•<WebSEAL_instance> is the instance name of the WebSEAL server that is configured to manage FEB, for example default
•<object-path> is the path of the resource below the junction, one of:
/forms/anon
/forms/open
/forms-basic/anon
/forms-basic/open
•<forms-bypass-acl> is the access control list that you defined in Step 8, for example forms-acl-bypass
For example:
pdadmin> acl attach /WebSEAL/tam.example.com-default/forms/anon forms-acl-bypass
10. Make the following changes to the WebSEAL configuration file webseald-<server-name>.conf, where <server-name> is the WebSEAL instance name you created during TAM installation. The default name is default, giving webseald-default.conf. If you installed WebSEAL in its default directory and created the instance with the default name, the file is:
C:\Program Files\Tivoli\PDWeb\etc\webseald-default.conf
10.1. In the [server] stanza, enable both challenge types on the auth-challenge-type key:
auth-challenge-type = ba, forms
10.2. Add the following junction-specific stanzas after the auth-challenge-type line, so that the forms-basic context root is challenged with HTTP basic authentication and the forms context root with the login form:
[server:/forms-basic]
auth-challenge-type = ba
[server:/forms]
auth-challenge-type = forms
Set the following line in the [ba] stanza:
ba-auth = both
Set the following line in the [forms] stanza:
forms-auth = both
The value both accepts credentials over HTTP and HTTPS; if WebSEAL serves FEB only over HTTPS, https is the tighter value for both keys.
10.3. Configure content filtering by adding the following lines to the webseald-<server-name>.conf file, so that WebSEAL's URL filtering and rewriting also apply to the XML, Atom and JSON responses that FEB returns:
[filter-content-types]
type = text/xml
type = application/atom+xml
type = application/atom+json
[script-filtering]
script-filter = yes
rewrite-absolute-with-absolute = yes
10.4. Configure Tivoli Access Manager as the reverse proxy for IBM Forms. Add the following line to the [server] stanza:
web-host-name = <fully-qualified-host-name>
Add the following line to the [session] stanza:
use-same-session = yes
Restart the WebSEAL instance from services.msc for the changes to take effect.
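The ACLs of Steps 6 to 9 and the challenge-type stanzas of Step 10 together decide, for every request, whether WebSEAL passes it to FEB, asks the user to log in (and how), or refuses it. The following script is an added example, not IBM code: it parses the pdadmin ACL commands and the webseald.conf fragment from this page (embedded below with the example names tam.example.com and instance default, and with the forms-basic attachments the text calls for) and reproduces that decision. The WebSEAL rules it models are assumptions to verify against your release's administration guide: GET/HEAD need r, POST needs x, PUT needs m, DELETE needs d; the ACL in force is the one attached to the object or its nearest ancestor, with T required on every attached ancestor; a user entry beats any-other, and the unauthenticated entry is masked by any-other; an unauthenticated request that lacks permission receives the challenge type of the junction's [server:/jct] stanza, falling back to [server].

```python
"""Model of the WebSEAL authorization decision set up in Steps 6 to 10.

Added example, not IBM code. The rule set it implements (method-to-permission
mapping, nearest-attached-ACL inheritance with T on ancestors, unauthenticated
masked by any-other, per-junction challenge type) is assumed; check it against
the WebSEAL administration guide for your release.
"""

# pdadmin commands from Steps 6 to 9 with the page's example names filled in.
PDADMIN_SCRIPT = """
acl create forms-acl-default
acl modify forms-acl-default set user sec_master TcmdbsvaBRlrx
acl modify forms-acl-default set any-other Tmdrx
acl modify forms-acl-default set unauthenticated T
acl create forms-acl-bypass
acl modify forms-acl-bypass set user sec_master TcmdbsvaBRlrx
acl modify forms-acl-bypass set any-other Tmdrx
acl modify forms-acl-bypass set unauthenticated Tmdrx
acl attach /WebSEAL/tam.example.com-default/forms forms-acl-default
acl attach /WebSEAL/tam.example.com-default/forms-basic forms-acl-default
acl attach /WebSEAL/tam.example.com-default/forms/anon forms-acl-bypass
acl attach /WebSEAL/tam.example.com-default/forms/open forms-acl-bypass
acl attach /WebSEAL/tam.example.com-default/forms-basic/anon forms-acl-bypass
acl attach /WebSEAL/tam.example.com-default/forms-basic/open forms-acl-bypass
"""

# The webseald-default.conf lines from Steps 10.1, 10.2 and 10.4.
WEBSEALD_CONF = """
[server]
auth-challenge-type = ba, forms
web-host-name = tamserver.example.com
[server:/forms-basic]
auth-challenge-type = ba
[server:/forms]
auth-challenge-type = forms
"""

ROOT = "/WebSEAL/tam.example.com-default"          # object-space root of the instance
METHOD_PERM = {"GET": "r", "HEAD": "r", "POST": "x", "PUT": "m", "DELETE": "d"}


def parse_pdadmin(script):
    """Return {acl name: {entry: set(perms)}} and {object path: acl dict}."""
    acls, attached = {}, {}
    for line in script.strip().splitlines():
        w = line.split()
        if w[:2] == ["acl", "create"]:
            acls[w[2]] = {}
        elif w[:2] == ["acl", "modify"] and w[3] == "set":
            # "set user NAME PERMS" / "set group NAME PERMS" / "set any-other PERMS"
            if w[4] in ("user", "group"):
                acls[w[2]][w[4] + ":" + w[5]] = set(w[6])
            else:
                acls[w[2]][w[4]] = set(w[5])
        elif w[:2] == ["acl", "attach"]:
            attached[w[2]] = acls[w[3]]
    return acls, attached


def parse_conf(text):
    """Minimal webseald.conf reader; keys may repeat, so each value is a list."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            current = stanzas.setdefault(line[1:-1], {})
        elif line and not line.startswith("#"):
            key, _, value = line.partition("=")
            current.setdefault(key.strip(), []).append(value.strip())
    return stanzas


def entry_perms(acl, principal):
    """Permissions an ACL grants; principal is a user name or 'unauthenticated'."""
    if principal == "unauthenticated":   # unauthenticated is a mask against any-other
        return acl.get("unauthenticated", set()) & acl.get("any-other", set())
    return acl.get("user:" + principal, acl.get("any-other", set()))


def effective_perms(attached, obj, principal):
    """Permissions on obj, or None when an attached ancestor denies traversal."""
    segments = obj[len(ROOT):].strip("/").split("/")
    nearest = None
    for i in range(1, len(segments) + 1):
        path = ROOT + "/" + "/".join(segments[:i])
        acl = attached.get(path)
        if acl is None:
            continue
        if path != obj and "T" not in entry_perms(acl, principal):
            return None
        nearest = acl                     # closest attached ACL wins
    return entry_perms(nearest, principal) if nearest else set()


def challenge_type(stanzas, uri):
    """auth-challenge-type of the junction serving uri: longest [server:/jct] match."""
    match = [n for n in stanzas if n.startswith("server:/")
             and (uri == n[7:] or uri.startswith(n[7:] + "/"))]
    stanza = stanzas[max(match, key=len)] if match else stanzas["server"]
    return stanza["auth-challenge-type"][-1]


def decide(uri, method, principal="unauthenticated"):
    """'pass-through', 'challenge:<type>' or 'forbidden' for one request."""
    _, attached = parse_pdadmin(PDADMIN_SCRIPT)
    perms = effective_perms(attached, ROOT + uri, principal)
    if perms is not None and METHOD_PERM[method] in perms:
        return "pass-through"
    if principal == "unauthenticated":
        return "challenge:" + challenge_type(parse_conf(WEBSEALD_CONF), uri)
    return "forbidden"


if __name__ == "__main__":
    for uri, method, who in [("/forms", "GET", "unauthenticated"),
                             ("/forms-basic", "GET", "unauthenticated"),
                             ("/forms/anon/run", "GET", "unauthenticated"),
                             ("/forms/open", "DELETE", "unauthenticated"),
                             ("/forms/secure/app", "POST", "alice")]:
        print(f"{who:15} {method:6} {uri:18} -> {decide(uri, method, who)}")
```

Running it shows the intended split: an anonymous GET of /forms is met with the login form and of /forms-basic with a basic-authentication challenge, while anything under /forms/anon or /forms/open goes straight to FEB. The DELETE case is worth noticing: because the bypass ACL grants Tmdrx to unauthenticated users, WebSEAL does not stop anonymous modify or delete requests on the bypass paths, which is why the ACL must be attached only where FEB genuinely expects anonymous access.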
11. Import users from LDAP. Tivoli Access Manager users are created from existing LDAP entries; for example, with pdadmin:
pdadmin> user import User1 "cn=User1,cn=users,dc=yourcompany,dc=com"
pdadmin> user modify User1 account-valid yes
The second command enables the account; an imported user whose account is not valid cannot log in through WebSEAL.
12. Configure the Logout link in Builder_Config.properties. Add the following line so that clicking Logout in FEB also ends the WebSEAL session. Without it only the FEB session on WebSphere is invalidated, and the still-valid WebSEAL session would sign the user straight back in on the next request:
ibm.nitro.LogoutServlet.postLogoutRedirectURL=https://<Webseal_server_host>/pkmslogout
Here <Webseal_server_host> is the host name of your WebSEAL server, for example:
https://tamserver.example.com/pkmslogout
13. To verify that TAM is configured correctly, open https://<tam_server_host>/<junction> in a browser, where <tam_server_host> is the host name of your WebSEAL server and <junction> is the junction you created in Step 5. For example:
https://tamserver.example.com/forms
•The TAM (WebSEAL) login page should be displayed. (Screenshot not reproduced here.)
•After you enter a user name and password on that page, the FEB page opens without asking for credentials again, which shows that the LTPA single sign-on between WebSEAL and WebSphere works. (Screenshot not reproduced here.)
•As a further check, https://tamserver.example.com/forms/anon should open without any login challenge, and https://tamserver.example.com/forms-basic should prompt with the browser's basic-authentication dialog rather than the login form.
Reference
1. Configuring IBM Forms Experience Builder 8.0 Cluster Environment: http://www-10.lotus.com/ldd/lfwiki.nsf/dx/Configuring_IBM_Forms_Experience_Builder_8.0_Cluster_Environment
2. IBM Tivoli Access Manager for e-business Version 6.1.1 Information Center: http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=%2Fcom.ibm.itame.doc%2Fwelcome.htm
3. IBM Tivoli Access Manager for e-business Installation Guide: http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=%2Fcom.ibm.itame.doc%2Fam611_install.htm
4. WebSEAL junctions: http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=%2Fcom.ibm.itame2.doc_5.1%2Fam51_webseal_guide83.htm