Establishing a secured session based on a proxy security server
To execute the client application in a secured session based on a proxy security server infrastructure, you must complete the following steps:
Configuring the application
Configuring the security server
Executing the application
After Completing This Task: The supported security server to manage the session is Tivoli Access Manager WebSEAL, but other standard security servers that use a basic authentication mechanism based on cookies should also work. If you are using a different security server, you need to adjust the procedures accordingly.
Configuring the application
To execute the client application in a secure session based on a proxy security server infrastructure, set the serverName setting in the client configuration in the client dsesrvce.xml file.
The following example shows how to implement Tivoli Access Manager WebSEAL as the security server infrastructure:
<CSClient id="realCSClient"
  serverName="http://<WebSEAL_Host_Name>:<port>/junction"
  ...
</CSClient>
Replace <WebSEAL_Host_Name> and <port> with the name or IP address of the WebSEAL server and the port on which the server is listening. You must always provide a port number.
Configuring the security server
You may need to configure the security server to function with the toolkit server. In the case of WebSEAL, set the following parameters in the webseald.conf configuration file:
use-same-session = yes
ba-auth = both or ba-auth = http
When creating the Junction, set the following parameters:
Junction type: tcp
Junction name: <context root for the web application>
Setting the context root for the application in the Junction name parameter is only required when WebSphere Application Server is managing the client session (the cookies parameter is set to true). Setting it to the context root prevents path problems. Otherwise, if the toolkit is managing the session internally, you can set the Junction name parameter to any value.
Executing the application in the secured session
The way you execute the application depends on what type of Java-based client the application is using. The client can either run as a Java application or within a Web browser.
Using a Java application client
To execute an application that uses a Java application for its client, you need to set up the application to avoid HTTP 401 security errors. To do this:
1 Have the application provide the user ID and password for the proxy security infrastructure.
You can do this in the following ways:
Specify the ID and password in the client dsesrvce.xml file:
<CSClient id="realCSClient"
serverCredentials="userId:password"
...
</CSClient>
Specify the ID and password in the code:
((CSClientService)CSClient.getCSClient("realCSClient")).setServerCredentials("userId:password");
This information enables the proxy security infrastructure to generate the security cookie that identifies the user. The CSClient service performs the base64 encoding internally.
2 Establish the session as usual but expect an HTTP error code 401 security error.
try {
    if (!createNewSession) {
        ((CSClientService) CSClient.getCSClient("realCSClient")).establishSession(false);
    } else {
        ((CSClientService) CSClient.getCSClient("realCSClient")).establishSession();
    }
} catch (DSECSException exc) {
    String httpError = exc.getHttpErrorCode();
    // Constant-first comparison avoids a NullPointerException when no HTTP code is set.
    if ("401".equals(httpError)) {
        // Security challenge: supply the credentials, then retry.
        // Do it here or in the dse.ini client configuration file.
        ((CSClientService) CSClient.getCSClient("realCSClient")).setServerCredentials("userID:password");
        if (!createNewSession) {
            ((CSClientService) CSClient.getCSClient("realCSClient")).establishSession(false);
        } else {
            ((CSClientService) CSClient.getCSClient("realCSClient")).establishSession();
        }
    }
}
If the user ID or password is not valid, or the user did not provide them, the security proxy sends an HTTP 401 security error. The application should catch the exception again and set the right user and password values using the setServerCredentials() method as shown in step 1. The application should then try to re-establish the session. A possible implementation is to loop the reconnections a number of times before aborting.
3 Reset the data provided in step 1 to prevent the user ID and password from appearing in the request headers of all the client requests:
((CSClientService)CSClient.getCSClient("realCSClient")).setServerCredentials(null);
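Steps 2 and 3 combined into a bounded retry loop, as an added example that is not part of the original page or the toolkit. SecuredSessionHelper, MAX_ATTEMPTS and credentialPrompt are hypothetical names; the code assumes Java 8 or later and that establishSession throws only DSECSException, as the catch block in step 2 suggests.

```java
import java.util.function.Supplier;
// CSClient, CSClientService and DSECSException are the toolkit classes used on
// this page; their imports are omitted because the page does not give the packages.

public final class SecuredSessionHelper {          // hypothetical helper class
    private static final int MAX_ATTEMPTS = 3;     // assumed retry budget

    /**
     * Establishes the session, answering HTTP 401 challenges until the session
     * is created or MAX_ATTEMPTS connection attempts have failed.
     * credentialPrompt (hypothetical) returns "userId:password", or null if
     * the user cancels.
     */
    public static void establishWithRetry(boolean createNewSession,
                                          Supplier<String> credentialPrompt)
            throws DSECSException {
        CSClientService client =
                (CSClientService) CSClient.getCSClient("realCSClient");
        try {
            for (int attempt = 1; ; attempt++) {
                try {
                    if (!createNewSession) {
                        client.establishSession(false);
                    } else {
                        client.establishSession();
                    }
                    return;                         // session established
                } catch (DSECSException exc) {
                    // Only a 401 is a credential problem; rethrow anything else,
                    // and stop once the retry budget is spent.
                    if (!"401".equals(exc.getHttpErrorCode())
                            || attempt >= MAX_ATTEMPTS) {
                        throw exc;
                    }
                    String credentials = credentialPrompt.get();
                    if (credentials == null) {
                        throw exc;                  // user cancelled the prompt
                    }
                    client.setServerCredentials(credentials);
                }
            }
        } finally {
            // Step 3: runs on success and on failure, so the user ID and
            // password are not attached to later request headers.
            client.setServerCredentials(null);
        }
    }
}
```

Prompting through a callback instead of reading serverCredentials from dsesrvce.xml keeps the password out of the configuration file.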
Using a Java client within a browser
To execute an application that uses a Java client within a Web browser, the application may need to provide the client with a security cookie before it can establish the session. This occurs when the browser performs the authentication due to a security challenge that occurs before the client application takes control. In this case, the application needs to obtain one or more cookies from the proxy security infrastructure and then provide the CSClient service with the cookie.
To provide the CSClient with a single cookie, use code like the following example:
((CSClientService)CSClient.getCSClient("realCSClient"))
    .addCSConnectionCookies(clientCookieStr);
To provide the CSClient with more than one cookie in a Vector of Strings, use code like the following example:
((CSClientService)CSClient.getCSClient("realCSClient"))
    .addCSConnectionCookies(clientCookiesVector);
The format of the Strings is cookieName="cookieValue".
As the client later resends the cookies, you only need to do this step once prior to establishing the session.