In WebSEAL, we will need to create two junctions: one connecting to the backend web application that will be protected with two-factor authentication using DualShield, and the other connecting to your DualShield SSO server. As an example in this document, the backend web application to be protected is www.thesafebank.com and the junction we will create for the application is called “/thesafebank”. The DualShield SSO server used in the example is dualshield.deepnetsecurity.com and the junction we will create for it is called “/dualshield”.

Create Junctions

First, create a junction, “/thesafebank”, from the WebSEAL server to the protected backend web application as shown in Listing 1.

Listing 1. Create a junction for the backend web application

# pdadmin -a sec_master -p password
pdadmin sec_master> server task default-webseald-Win2003-32-177 create -t tcp -h www.thesafebank.com -p 80 -f /thesafebank

Note that default-webseald-Win2003-32-177 is the server name of the WebSEAL instance.

Second, create a junction, “/dualshield”, from the WebSEAL server to the DualShield SSO server as shown in Listing 2.

Listing 2. Create an EAI junction for the DualShield SSO

# pdadmin -a sec_master -p password
pdadmin sec_master> server task default-webseald-Win2003-32-177 create -t tcp -h dualshield.deepnetsecurity.com -p 8074 -c iv_user -f /dualshield

Note the -c iv_user junction option: it makes WebSEAL pass the authenticated user name to the junctioned DualShield server in the iv-user HTTP header.

Last, the junction for the DualShield SSO server should not be in the protected domain, because unauthenticated users need to access its URLs. Listing 3 shows how to create the ACL that allows unauthenticated access to the junction.

Listing 3. Create the ACL for unauthenticated users

pdadmin sec_master> acl create unauth
pdadmin sec_master> acl modify unauth set group iv-admin TcmdbsvaBRrxl
pdadmin sec_master> acl modify unauth set group webseal-servers Tgmdbsrxl
pdadmin sec_master> acl modify unauth set user sec_master TcmdbsvaBRrxl
pdadmin sec_master> acl modify unauth set any-other Trx
pdadmin sec_master> acl modify unauth set unauthenticated Trxc

Then, attach the above ACL to the DualShield junction as shown in Listing 4.

Listing 4. Attach the ACL to the junction for the DualShield SSO server

pdadmin sec_master> acl attach /WebSEAL/Win2003-32-177-default/dualshield unauth

Note that /WebSEAL/Win2003-32-177-default is the object name of the WebSEAL server in the protected object space.

Modify Configuration File

Now we are ready for the last part: configuring WebSEAL to use the DualShield SSO server as its external authentication interface (EAI). This is done through the WebSEAL configuration file, webseald-default.conf. On Windows platforms, this file is located at

C:\Program Files\Tivoli\PDWeb\etc\webseald-default.conf

First, enable the EAI authentication for HTTP and HTTPS sessions as shown in Listing 5.

Listing 5. Enable the EAI authentication

[eai]
eai-auth=both

Next, configure the authentication levels for step-up authentication. All levels of authentication will map to the EAI application:

Listing 6. Configure the authentication levels

[authentication-levels]
level = unauthenticated
#level = password
level=ext-auth-interface

The next step is to specify the EAI authentication interface library in the WebSEAL configuration file. Table 1 shows the EAI authentication module for each operating system.

Table 1. EAI authentication module

Operating System    Module
Solaris™            libeaiauthn.so
AIX®                libeaiauthn.a
HPUX                libeaiauthn.sl
Linux               libeaiauthn.so
Windows®            eaiauthn.dll

As shown in Listing 7, this document uses eaiauthn.dll as the authentication module because WebSEAL runs on the Windows platform in this example.

Listing 7. Configure the EAI authentication module

[authentication-mechanisms]
# EXTERNAL AUTHENTICATION INTERFACE
ext-auth-interface = C:\Program Files\Tivoli\PDWebRTE\bin\eaiauthn.dll

The next step is to configure the trigger URL so that WebSEAL can recognise which requests from the browser are EAI authentication responses. Set the trigger URL as shown in Listing 8.

Listing 8. Configure the trigger URL

[eai-trigger-urls]
trigger = /dualshield/appsso/defaultauthnresponsepage*

Here /dualshield is the name of the junction for the DualShield SSO server.
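As an added consistency check (example code written for this page, not part of the WebSEAL or DualShield products), the following Python parses the webseald.conf stanzas from Listings 5 to 8 and verifies that they are present and agree with the EAI junction name. The configuration text is a constructed inline sample, and the rule that every trigger URL must sit under the EAI junction is this check's own assumption.

```python
import re

# Constructed sample mirroring Listings 5-8 of this page (not the real file).
SAMPLE_CONF = """\
[eai]
eai-auth=both
[authentication-levels]
level = unauthenticated
#level = password
level=ext-auth-interface
[authentication-mechanisms]
ext-auth-interface = C:\\Program Files\\Tivoli\\PDWebRTE\\bin\\eaiauthn.dll
[eai-trigger-urls]
trigger = /dualshield/appsso/defaultauthnresponsepage*
"""

def parse_conf(text):
    """Parse webseald.conf text into {stanza: {key: [values]}}; keys may repeat."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # skip blanks and comments
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:                                   # new stanza
            current = stanzas.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            current.setdefault(key, []).append(value)
    return stanzas

def check_eai_config(text, junction="/dualshield"):
    """Return a list of problems; empty when the EAI setup is consistent."""
    conf = parse_conf(text)
    get = lambda stanza, key: conf.get(stanza, {}).get(key, [])
    problems = []
    if get("eai", "eai-auth")[-1:] not in (["http"], ["https"], ["both"]):
        problems.append("[eai] eai-auth must be http, https or both")
    levels = get("authentication-levels", "level")
    if levels[:1] != ["unauthenticated"]:
        problems.append("[authentication-levels] first level must be unauthenticated")
    if "ext-auth-interface" not in levels:
        problems.append("[authentication-levels] ext-auth-interface level missing")
    if not get("authentication-mechanisms", "ext-auth-interface"):
        problems.append("[authentication-mechanisms] ext-auth-interface library not set")
    for t in get("eai-trigger-urls", "trigger"):
        if not t.startswith(junction + "/"):   # trigger must sit under the EAI junction
            problems.append(f"trigger {t} is not under junction {junction}")
    return problems
```

Run it against a copy of your own webseald-default.conf before restarting WebSEAL; an empty list means the four stanzas match what this page describes.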

Edit Login File

The next step is to edit WebSEAL’s default login file, login.html. Table 2 shows the location of login.html on each operating system.

Table 2. Location of login.html

Operating System    Location
AIX®                /opt/PDWeb/www-default/lib/html/C/
Linux               /opt/PDWeb/www-default/lib/html/C/
Windows®            \Program Files\Tivoli\PDWeb\www-default\lib\html\C\

Open the login.html file in a text editor. Look for the </BODY> tag near the end of the file, and add the following lines before it:

Listing 9. login.html

%EAIAUTHN%
<script type="text/javascript" language="javascript">
  if (('%AUTHNLEVEL%' == '1') || ('%AUTHNLEVEL%' == '')) {
    window.location.href = '/dualshield/appsso/login?authLevel=%AUTHNLEVEL%&pctx=/dualshield&dasapplicationname=webseal&entityID=WEBSEAL';
  }
</script>

Note that /dualshield is the name of the EAI junction that you created for the DualShield SSO server in Listing 2, webseal is the name of the application that you created in your DualShield server in the section [Create Application], and WEBSEAL is the EntityID of the Service Provider that you created in the section [Service Provider].

Finally, restart the WebSEAL server in order to make the changes effective.
