Webseal windows

If you want to use desktop SSO and use a fallback to forms-based authentication when that fails, you need to make sure you have a few settings right, assuming you have all the desktop SSO configured properly.

Under the [server] stanza, set the order of the authentication mechanisms. Read this link for configuration steps.

A session cookie provides re-authentication of a client only to the single, unique server that the client had previously authenticated to, within a short time period (around ten minutes).

The mechanism is based on a "server cookie" that cannot be passed to any machine other than the one that generated the cookie. In addition, the session cookie contains only a random number identifier that is used to index the server's session cache. There is no other information exposed in the session cookie.

The session cookie cannot compromise security policy. WebSEAL uses a secure server-specific session cookie.

The following conditions apply to this cookie mechanism: The ssl-id-sessions parameter, located in the [session] stanza of the webseald. If the parameter is set to "no", session cookies are used for most authentication methods. A configuration setting of "no" for this parameter results in the following conditions for clients accessing over HTTPS:

When ssl-id-sessions is set to "yes", several different values determine the timeout for the session. The session cache entry lifetime timeout is set by the timeout entry in the [session] stanza, and the session inactivity timeout is set by inactive-timeout in the same stanza.

SSL timeouts are set in the [ssl] stanza, where both ssl-v2-timeout and ssl-v3-timeout are declared. When you use cookies to maintain session state, the cookie is sent to the browser only once, following a successful login. However, some browsers enforce a limit on the number of in-memory cookies they can store concurrently. In some environments, applications can place a large number of in-memory cookies per domain on client systems. In this case, any configured WebSEAL session cookie or failover cookie can be easily replaced by another cookie.

When you configure WebSEAL to use session cookies (and perhaps failover cookies), you can set the resend-webseal-cookies parameter, located in the [session] stanza of the webseald. This action helps to ensure that the session cookie and the failover cookie remain in the browser memory.

Change the default setting to "yes" to send WebSEAL session cookies and failover cookies with every response. The use-same-session parameter, located in the [session] stanza of the webseald. By default, this parameter is set to "no":

The session data type for a client accessing with a particular authentication method is determined by specific combinations of the following configuration parameters: The following table summarizes the valid session ID data for any given configuration that combines the ssl-id-sessions and use-same-session parameters:

The purpose of a failover cookie is to prevent forced re-authentication when the server that has the original session with the client suddenly becomes unavailable. A front-end WebSEAL cluster can be implemented to provide high availability of resources for large numbers of clients. The load-balancing mechanism intercepts the incoming requests and distributes the requests across the available front-end servers.

The client is not aware of the replicated front-end server configuration. The load-balancing mechanism is the single point of contact for the requested URL. The load-balancing mechanism connects a client with an available server such as WS1. A session state is established with WS1 and all subsequent requests from that client are sent to WS1.

The problem that failover cookies solve arises when WS1 becomes unavailable for some reason (for example, a system failure, or being taken off line by an administrator). If WS1 becomes unavailable, the load-balancing mechanism redirects the request to one of the other replicated servers (WS2 or WS3). The original session-to-credential mapping is now lost. The client is new to this substitute server and is normally forced to authenticate again.

You can configure the replicated WebSEAL servers to encrypt client identification data in a server-specific cookie. The cookie is placed on the browser when the client first connects. If the initial WebSEAL server becomes temporarily unavailable, the cookie with the encrypted identity information is presented to the substitute server. The failover cookie contains the user name, time stamp, and original authentication method.

When the substitute WebSEAL server receives this cookie, it can use the user name and authentication method to re-generate the client's credential, including any extended attributes. The client can now establish a new session with a replica WebSEAL server without being forced to re-authenticate. The reference point for the cookie is the DNS name of the load-balancing mechanism. This single point of reference is important because the cookie is a server-specific cookie, not a domain-specific cookie.

The cookie is accepted only by a server with the same DNS name as the server that created the cookie. The client always makes requests through the load-balancing mechanism. Therefore, the cookie is always accepted and then passed to the next available server during a failover operation.

The failover-auth parameter, located in the [failover] stanza of the webseald. For each supported authentication method in the WebSEAL cluster environment, you must also enable an equivalent failover method parameter in the [authentication-mechanisms] stanza of the webseald.

Each failover authentication method parameter points to a special authentication shared library that mimics the original authentication shared library and, additionally, recovers any extended attributes that were originally placed in the user's credential. The following failover authentication method parameters are available: WebSEAL supplies one standard failover shared library that functions for all the above authentication methods.

This library is called: You can, alternatively, supply a custom CDAS library that provides specific authentication capabilities required by your environment. Additionally, a chained CDAS module adds other extended attributes to the user's credential via its cred-ext-attrs library.

Then the user identity is passed to the custom cred-ext-attrs library that supplies its additional extended attributes. If the environment for this example also includes support for certificate authentication, the [authentication-mechanisms] stanza would appear as follows:

This utility generates a symmetric key that encrypts and decrypts the data in the cookie. Specify the location (absolute pathname) of the key file when you run the utility. You must also use a full path name to run this utility: Run the utility on one of the replicated servers and manually copy the key file to each of the remaining replicated servers.

Enter this key file location in the [failover] stanza of the webseald. If you do not specify a key file, the failover cookie functionality is disabled for that server: The value for the failover cookie lifetime, in minutes, is set with the failover-cookie-lifetime parameter: You can allow failover cookies to be sent to any server within the same domain as the WebSEAL server by setting the enable-failover-cookie-for-domain parameter equal to "yes".

By default, domain-wide failover cookie functionality is disabled: In this release of Tivoli Access Manager, the level of security has been increased for the encryption of the cookie data. The new encryption algorithm is not backward compatible. If you are integrating failover cookies with servers using previous versions of Tivoli Access Manager, you must enable the precompatible-tokens parameter in the [server] stanza of the webseald.

For example: The mechanisms for all authentication methods supported by WebSEAL are configured in the [authentication-mechanisms] stanza of the webseald. Supported authentication method parameters include: You use the [authentication-mechanisms] stanza to configure the authentication method and the implementation in the following format:

The following additional parameters, together with the parameters listed in the section above, are available to specify custom shared libraries for external CDAS servers: Therefore, a typical configuration of the [authentication-mechanisms] stanza includes support for username and password (LDAP registry) and support for client-side certificates over SSL. The following example represents the typical configuration of the [authentication-mechanisms] stanza for Solaris:
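A constructed webseald.conf fragment, added here and not IBM's shipped configuration, that brings together the [session], [failover], [server] and [authentication-mechanisms] settings described above. The parameter names are the ones the text discusses; the values, the key-file path, the key-generation command and the library paths are assumptions for illustration.

```ini
# Constructed example fragment of webseald.conf (not IBM's shipped file).
# Parameter names follow the text above; values and paths are assumptions.

[session]
# "no": a server-specific session cookie is used for most authentication
# methods. "yes": HTTPS clients are tracked by SSL session ID instead, and
# the [ssl] timeouts below then also bound the session.
ssl-id-sessions = no
# Session-cache entry lifetime and inactivity timeout, in seconds.
timeout = 3600
inactive-timeout = 600
# Default is "no": the session cookie is sent once, after login, and can be
# evicted by browsers that cap in-memory cookies per domain. "yes" resends
# the session and failover cookies with every response.
resend-webseal-cookies = yes
use-same-session = no

[ssl]
# SSL session ID timeouts (seconds); relevant only when ssl-id-sessions = yes.
ssl-v2-timeout = 100
ssl-v3-timeout = 7200

[failover]
# Accept failover cookies on https connections only ("none" disables them).
failover-auth = https
# Symmetric key shared by every replica: generated once with the key utility
# (assumed: cdsso_key_gen /opt/pdweb/etc/failover.key, run by full path) and
# copied to each replica. Omitting it disables failover cookies on this server.
failover-cookies-keyfile = /opt/pdweb/etc/failover.key
# Cookie validity in minutes.
failover-cookie-lifetime = 60
# Keep "no" so the cookie is scoped to the load balancer's DNS name rather
# than being accepted by any host in the domain.
enable-failover-cookie-for-domain = no

[server]
# Set "yes" only while older Tivoli Access Manager replicas must read the
# cookie: it selects the older, non-compatible-upgraded token encryption.
precompatible-tokens = no

[authentication-mechanisms]
# Primary mechanisms (Solaris-style library paths, assumed).
passwd-ldap = /opt/pdwebrte/lib/libldapauth.so
cert-ssl = /opt/pdwebrte/lib/libsslauthn.so
# Failover variants: the one standard failover library serves every method.
failover-password = /opt/pdwebrte/lib/libfailoverauth.so
failover-certificate = /opt/pdwebrte/lib/libfailoverauth.so
# Optional chained CDAS that adds extended attributes (hypothetical library).
cred-ext-attrs = /opt/pdwebrte/lib/libcustomattrs.so
```

Review the two settings that widen trust, enable-failover-cookie-for-domain and precompatible-tokens, before changing them from the defaults shown, since each one makes the failover cookie acceptable to more hosts or under weaker encryption.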
