IBM Security Verify

  • 1.  Webseal to Webseal junction without shared registry

    Posted Mon August 08, 2022 04:16 AM
    Hi everybody,

    Does anyone have any advice or an idea about what would be the easiest and best approach to build a W2W junction between 2 independent webseals without having a shared registry?
    In the official docs it is stated as a mandatory requirement, however I am interested to explore whether there are any easy workarounds worth exploring and implementing.

    Thank you in advance for your feedback.

    Best,
    Dean





    ------------------------------
    Dean Ivosevic
    ------------------------------


  • 2.  RE: Webseal to Webseal junction without shared registry

    Posted Mon August 08, 2022 04:19 PM

    Dean,
    WebSEAL will use the iv-creds header (which is a streamed version of the user credential) to pass the user identity from the front-end WebSEAL to the back-end WebSEAL.  So, the back-end WebSEAL must be able to consume the supplied iv-creds, hence the requirement for a shared registry.
    Having said this, in recent times WebSEAL has introduced the concept of external users (allowing an EAI to authenticate a user which does not exist in the ISVA user registry).  So, if the user credential was established as an external user I don't believe that the registries would need to be shared.
    I hope that this helps.
    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor



  • 3.  RE: Webseal to Webseal junction without shared registry

    Posted Tue August 09, 2022 04:30 AM
    Hi Scott,

    thanks for your reply.

    We indeed use external users on Webseal 1 and thus don't rely on the registry for that.
    However, my concern was more related to the BA header supplied by W1 to W2, for which I suspect the shared registry is needed.
    It seems the BA header contains the default Webseal user and password contained in the LDAP, and W2 will not know about them unless it is shared.
    Maybe there is a way to specify the BA data manually, or to extract the data which W1 will use.
    I am not familiar with how that would be done, or whether there is anything else that could be done to get around that.

    Thanks!
    Dean


    ------------------------------
    Dean Ivosevic
    ------------------------------



  • 4.  RE: Webseal to Webseal junction without shared registry

    Posted Tue August 09, 2022 04:18 PM

    Dean,
    The front-end WebSEAL will pass the username/password of the WebSEAL server itself in the BA header.  So, providing the back-end WebSEAL can authenticate this BA header the flow should work.  The credential information which is used by the front-end WebSEAL server is located in the WebSEAL configuration file within the pd-user-name and pd-user-pwd configuration entries within the '[aznapi-configuration]' stanza.  I suspect however that this configuration is filtered by the LMI and so you might need to get creative in how you obtain the credential information (e.g. enable pdweb.snoop tracing to determine the BA header which is being sent).
    I hope that this helps.
    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor
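To make the mechanism in the reply above concrete, here is an added example (not code from the thread, from IBM, or from WebSEAL itself) that models the junction handshake: it reads pd-user-name and pd-user-pwd from an [aznapi-configuration] stanza, builds the RFC 7617 Basic Authorization header the front-end WebSEAL would send, pulls that header back out of a captured request the way you would from a pdweb.snoop dump, and then lets two simulated back-end registries decide whether to accept it. The stanza text, the user name and password, the captured request (including the placeholder iv-creds line, whose real format is not modelled), and the dict-based registries are all constructed for illustration; a real pd-user-pwd is stored obfuscated and is filtered by the LMI, as the post says.

```python
import base64
import binascii
import configparser
import hmac

# Constructed configuration fragment in WebSEAL's stanza style. This is not a
# real server's file: the password value is illustrative, and on a real
# appliance pd-user-pwd is obfuscated and hidden by the LMI.
FRONTEND_CONF = """
[aznapi-configuration]
pd-user-name = webseald/w1
pd-user-pwd = frontend-secret-1
"""

# Constructed registries: the users each back-end WebSEAL is able to look up.
# A shared registry knows the front-end's server identity; a separate one
# only knows its own.
SHARED_REGISTRY = {"webseald/w1": "frontend-secret-1",
                   "webseald/w2": "backend-secret-2"}
SEPARATE_REGISTRY = {"webseald/w2": "backend-secret-2"}


def read_pd_credentials(conf_text):
    """Return (pd-user-name, pd-user-pwd) from the [aznapi-configuration] stanza."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    stanza = cp["aznapi-configuration"]
    return stanza["pd-user-name"], stanza["pd-user-pwd"]


def build_ba_header(user, pwd):
    """RFC 7617 Basic credentials: 'Basic ' + base64(user ':' password)."""
    if ":" in user:
        raise ValueError("a Basic user-id must not contain ':'")
    token = base64.b64encode(f"{user}:{pwd}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_ba_header(value):
    """Decode an Authorization header value; return (user, pwd) or None.

    Non-Basic schemes, invalid base64 and a payload without ':' all yield None
    rather than raising, so a back-end can treat them as a failed login."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, pwd = raw.partition(":")
    if not sep:
        return None
    return user, pwd


def extract_authorization(raw_request):
    """Pull the Authorization header out of a captured request.

    The capture is assumed to be the raw header block; the exact layout of a
    pdweb.snoop dump is not modelled here."""
    for line in raw_request.splitlines():
        name, _, val = line.partition(":")
        if name.strip().lower() == "authorization":
            return val.strip()
    return None


def backend_accepts(header_value, registry):
    """Simulate the back-end WebSEAL authenticating the junction's BA header
    against its own registry: unknown user or wrong password -> rejected."""
    parsed = parse_ba_header(header_value or "")
    if parsed is None:
        return False
    user, pwd = parsed
    expected = registry.get(user)
    if expected is None:
        return False
    # Constant-time comparison so the check does not leak password prefixes.
    return hmac.compare_digest(expected.encode("utf-8"), pwd.encode("utf-8"))


def junction_outcomes():
    """Run the flow for both registries and report accept/reject per case."""
    user, pwd = read_pd_credentials(FRONTEND_CONF)
    header = build_ba_header(user, pwd)
    # Constructed capture of what the front-end sends over the junction.
    captured = (
        "GET /w2junction/index.html HTTP/1.1\r\n"
        "Host: w2.example.internal\r\n"
        f"Authorization: {header}\r\n"
        "iv-creds: <opaque credential blob; format not modelled here>\r\n"
        "\r\n"
    )
    ba = extract_authorization(captured)
    return {
        "shared_registry": backend_accepts(ba, SHARED_REGISTRY),
        "separate_registry": backend_accepts(ba, SEPARATE_REGISTRY),
    }


if __name__ == "__main__":
    for case, ok in junction_outcomes().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

Running it shows the shared registry accepting the junction and the separate registry rejecting it, which is the gap a "get creative" workaround has to close: whatever identity W1 sends in the BA header, W2 must be able to resolve that user and verify its password in a registry it can reach.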