IBM Security Access Manager TIM Integration How To
How to do web SSO into ITIM and WPM (pdadmin)
Enrole: First configure WebSEAL for forms-based authentication (not basic auth) on both HTTP and HTTPS.
Edit F:\Tivoli\PDWeb\etc\webseald-default.conf and set, in the [ba] and [forms] stanzas:
[ba]
ba-auth = none
[forms]
forms-auth = both
Then restart the WebSEAL service.
In pdadmin (or Web Portal Manager) create the itim.manager user (it could be created through TIM, but that is more hassle):
user id: itim manager
common name: itim.manager
surname: ITIMManager
password: the real ITIM Manager password
dn: cn=itim.manager,c=us
Check "no password policy", then click Create. The TAM user id must match the ITIM login id exactly (for the administrator account that is "itim manager", with the space), because ITIM looks up the value WebSEAL sends in iv-user.
- create the junctions:
- identity headers: check iv-user (short user name) and iv-creds (the full credential)
- make the junction transparent
- header encoding: utf8_bin (not URL-encoded)
- check the "case insensitive" and "Windows file system" boxes
- do this for both /enrole and /pdadmin (/enrole only needs iv-user; /pdadmin needs iv-creds as well)
- add any additional backend servers (such as pitim and sitim) as needed
- on ITIM, in D:\Program Files\IBM\itim\data\ui.properties set
enrole.ui.ssoEnabled=true
There is no need to restart enrole.
TAMWPM integration: edit the WPM properties file under
X:\Program Files\IBM\WebSphere\AppServer\profiles\default\installedApps\IAM-appNode01Cell\TAMWPM.ear\classes\
and set
authMethod=SSO
- Restart the TAMWPM web application through the WebSphere admin console, http://server:9060/admin
- Try accessing it through WebSEAL: http://tamserver/pdadmin
- modify the logout and timeout pages for ITIM, in ui.properties:
enrole.ui.logoffURL=websealLogout.jsp
enrole.ui.timeoutURL=websealLogout.jsp
websealLogout.jsp is a custom page (not shipped with ITIM). Logging out of ITIM alone leaves the WebSEAL session alive, so that page should send the browser on to WebSEAL's /pkmslogout.
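A consolidated pdadmin script for the user and junction steps above, as an added example (not from the original page, not IBM's code). It emits the pdadmin commands whose flags correspond to the checkboxes listed, and only runs them when RUN is set. Assumed (not on the page): the WebSEAL instance name default-webseald-tamserver, ITIM hosts itimhost and pitim on port 9080, TCP junctions; the flags -c, -x, -i, -w, -e, -no-password-policy and account-valid are pdadmin's own. pdadmin creates accounts as invalid by default, hence the account-valid line.

```shell
#!/bin/sh
# Added example: build (and optionally run) the pdadmin script for the ITIM/WPM
# web SSO setup. Names below are assumptions, not values from the page.
WEBSEAL=${WEBSEAL:-default-webseald-tamserver}   # "server task" target (assumed instance name)
ITIM_HOSTS=${ITIM_HOSTS:-"itimhost pitim"}       # first = junction target, rest = added servers
ITIM_PORT=${ITIM_PORT:-9080}                     # assumed ITIM/WPM HTTP port

# One "server task ... create" line: -x transparent, -i case insensitive,
# -w Windows file system, -e utf8_bin header encoding, -c identity headers.
junction_create() {
  jp=$1; headers=$2; host=$3
  echo "server task $WEBSEAL create -t tcp -h $host -p $ITIM_PORT -c $headers -x -i -w -e utf8_bin $jp"
}

# "server task ... add" lines for the remaining backend servers of a junction.
junction_add_servers() {
  jp=$1; shift
  for h in "$@"; do
    echo "server task $WEBSEAL add -h $h -p $ITIM_PORT $jp"
  done
}

# Whole pdadmin script on stdout; $1 is the ITIM Manager password.
build_sso_script() {
  pw=$1
  set -- $ITIM_HOSTS
  first=$1; shift
  # user create [-no-password-policy] user_name dn cn sn password
  echo "user create -no-password-policy \"itim manager\" \"cn=itim.manager,c=us\" itim.manager ITIMManager \"$pw\""
  # pdadmin-created accounts are invalid until this is set
  echo "user modify \"itim manager\" account-valid yes"
  # /enrole only needs iv-user; /pdadmin (WPM with authMethod=SSO) needs iv-creds too
  junction_create /enrole iv-user "$first"
  junction_add_servers /enrole "$@"
  junction_create /pdadmin iv-user,iv-creds "$first"
  junction_add_servers /pdadmin "$@"
}

# Only touch the live system when explicitly asked; pdadmin prompts for the
# sec_master password when -p is not given.
if [ -n "$RUN" ]; then
  build_sso_script "$ITIM_PW" > sso_setup.pd
  pdadmin -a sec_master sso_setup.pd
fi
```

Run it with `ITIM_PW=... RUN=1 sh sso_setup.sh` on a host that has pdadmin; without RUN it only produces the script text, which can be reviewed before being fed to pdadmin.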
How to allow TIM images to show up from the TIM administrative e-mail via TAM SSO
In order to allow TIM images to come through TAM in an e-mail do the following:
- Login as sec_master
- Create a new ACL :
acl create UnAuth_ACL
- Modify the newly created UnAuth_ACL so that it has these entries:
Group iv-admin TcmdbsvaBRrxl
Group webseal-servers Tgmdbsrxl
User sec_master TcmdbsvaBRrxl
Any-other Trx
Unauthenticated Trx
NOTE: This ACL is a copy of the default-webseal ACL with the read (r) and execute (x) bits added to the Unauthenticated entry. Attach it only to the image directories below; attaching it any higher (for example at /enrole) would expose every ITIM page to unauthenticated users. Attach the new ACL to the following objects:
pdadmin> acl attach /WebSEAL/<server-name>/enrole/images UnAuth_ACL
pdadmin> acl attach /WebSEAL/<server-name>/enrole/en/images UnAuth_ACL
WebSEAL creates protected-object entries dynamically as requests arrive, so the ACL can be attached to objects that are not yet visible in the object space (create them with object create first if the attach is refused).
How to expose ITIM challenge response through WebSEAL
The security of the solution rests on TAM allowing unauthenticated access only to the challenge/response and password-change pages and to the images and JavaScript libraries they need.
Everything beyond the challenge/response page is further protected by TIM itself: unless the user answers the challenges correctly, no access is given to the password change or to any other TIM function. The user still has to enter the TAM password to reach anything else that requires an authenticated session. The JavaScript files exposed to unauthenticated users are static libraries that run in the browser, not on the server, so opening them reveals nothing beyond the script source.
- Create an ACL for unauthenticated users (ACL-read-unauth) with these entries (the dashes are the Web Portal Manager's placeholders for unset bits; pdadmin takes just the letters):
User sec_master Tc-mdbsvaB-R--l---
Group iv-admin Tc-mdbsvaB-Rrxl---
Any-other T-------------rx-----
Unauthenticated T-------------rx-----
- On a WebSEAL host run the following script (pdadmin prompts for the sec_master password):
pdadmin -a sec_master openup_itim.pd
Contents of openup_itim.pd:
object create /WebSEAL/ProdCluster/enrole/question Desc 8
object create /WebSEAL/ProdCluster/enrole/login_scripts.js Desc 8
object create /WebSEAL/ProdCluster/enrole/en/images Desc 8
object create /WebSEAL/ProdCluster/enrole/change_password Desc 8
object create /WebSEAL/ProdCluster/enrole/images Desc 8
object create /WebSEAL/ProdCluster/enrole/script_library.js Desc 8
object create /WebSEAL/ProdCluster/enrole/help.js Desc 8
object create /WebSEAL/ProdCluster/enrole/image_cache.js Desc 8
object create /WebSEAL/ProdCluster/enrole/adhoc.js Desc 8
acl attach /WebSEAL/ProdCluster/enrole/question ACL-read-unauth
acl attach /WebSEAL/ProdCluster/enrole/login_scripts.js ACL-read-unauth
acl attach /WebSEAL/ProdCluster/enrole/en/images ACL-read-unauth
acl attach /WebSEAL/ProdCluster/enrole/change_password ACL-read-unauth
acl attach /WebSEAL/ProdCluster/enrole/images ACL-read-unauth
acl attach /WebSEAL/ProdCluster/enrole/script_library.js ACL-read-unauth
acl attach /WebSEAL/ProdCluster/enrole/help.js ACL-read-unauth
acl attach /WebSEAL/ProdCluster/enrole/image_cache.js ACL-read-unauth
acl attach /WebSEAL/ProdCluster/enrole/adhoc.js ACL-read-unauth
- Replace the login.html page on all WebSEALs with a login page containing a link to /enrole/question.
- Check from a browser with no WebSEAL session: /enrole/question and its scripts and images must load, while /enrole itself (or any other ITIM page) must still return the WebSEAL login form.
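The ACL and attachment steps of this section and of the "TIM images" section above are the same procedure with a longer object list, so here is one added example (not from the original page, not IBM's code) that builds openup_itim.pd for any WebSEAL server name and then checks the result. It uses the permission entries of the UnAuth_ACL section (default-webseal plus rx for Unauthenticated), the object description and type as written on the page, and assumes that pdadmin reads commands from stdin and that "acl find" prints one attached object per line; the server name ProdCluster is just the page's value.

```shell
#!/bin/sh
# Added example: generate the unauthenticated-read ACL and object/attach
# commands for the ITIM challenge/response pages, then verify with "acl find"
# that the ACL is attached nowhere else. Assumptions are marked.
ACL=${ACL:-ACL-read-unauth}

# Paths under /enrole that must be reachable without a TAM session.
# Everything else under /enrole keeps the inherited default-webseal ACL.
UNAUTH_PATHS="question change_password images en/images login_scripts.js script_library.js help.js image_cache.js adhoc.js"

# ACL entries: copy of default-webseal with r and x added for Unauthenticated.
acl_define() {
  cat <<EOF
acl create $ACL
acl modify $ACL set group iv-admin TcmdbsvaBRrxl
acl modify $ACL set group webseal-servers Tgmdbsrxl
acl modify $ACL set user sec_master TcmdbsvaBRrxl
acl modify $ACL set any-other Trx
acl modify $ACL set unauthenticated Trx
EOF
}

# object create + acl attach for each path on the named WebSEAL server
# ("Desc 8" copied from the page's script).
openup_script() {
  server=$1
  for p in $UNAUTH_PATHS; do
    echo "object create /WebSEAL/$server/enrole/$p Desc 8"
  done
  for p in $UNAUTH_PATHS; do
    echo "acl attach /WebSEAL/$server/enrole/$p $ACL"
  done
}

# Read the attachment points of $ACL on stdin (one object per line, assumed
# "acl find" format) and report any that are not in the allow-list.
# Returns 1 if something unexpected is found: an attachment at
# /WebSEAL/<server>/enrole or higher would open all of ITIM to anonymous users.
check_attachments() {
  server=$1; bad=0
  while read -r obj; do
    [ -z "$obj" ] && continue
    ok=0
    for p in $UNAUTH_PATHS; do
      [ "$obj" = "/WebSEAL/$server/enrole/$p" ] && ok=1
    done
    if [ $ok -eq 0 ]; then
      echo "UNEXPECTED: $ACL attached at $obj"
      bad=1
    fi
  done
  return $bad
}

# Live run only when asked: sh openup.sh ProdCluster with RUN=1 and SEC_MASTER_PW set.
if [ -n "$RUN" ]; then
  { acl_define; openup_script "$1"; } > openup_itim.pd
  pdadmin -a sec_master openup_itim.pd
  echo "acl find $ACL" | pdadmin -a sec_master -p "$SEC_MASTER_PW" \
    | sed -n 's#^ *\(/WebSEAL/.*\)#\1#p' | check_attachments "$1"
fi
```

The check is worth repeating after every ACL change on the box: the whole scheme depends on the unauthenticated ACL sitting on exactly these nine objects and nothing above them.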
@HowTo @TAM