Why do it?
The Tivoli Access Manager for e-business WebSEAL component is an HTTP reverse proxy that receives an HTTP connection from a browser. If an action is authorized, WebSEAL opens a separate HTTP connection to the back-end server. This principle is depicted in Figure 1.
Figure 1 HTTP flow between browser, Web SEAL and back-end server
ibm.com/redbooks
WebSEAL does not just transfer the information from one connection to the other. It also modifies the URL to interpret junctions. It adds information to the HTTP header for the back-end connection and cookies for the front-end connection. Those changes might cause problems. The easiest way to trace them is to look at the HTTP connections. To find out more about WebSEAL junctions and links refer to the IBM Redpaper publication IBM Tivoli Access Manager for e-business: Junctions and Links, REDP-4621.
The request line asks the server to GET the file /junc/index.html using version 1.1 of the HTTP protocol.

The request is followed by the HTTP header fields. Some of these fields are optional, and they can appear in any order. The following line is the host part of the URL (and the port number, if specified):

host: tam

The host name is useful in the case of virtual host junctions, where this field determines the junction and the back-end server. The following line is the identity of the browser that sent the request:

user-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071015 SUSE/2.0.0.10-0.11 Firefox/2.0.0.10

The following line marks the end of the entry, in this case the request from the browser.

---------------------------------------------------
This code is all on one line and sets a cookie called PD-S-SESSION-ID that stores the session ID. To modify the cookie name, change the ssl-session-cookie-name (or, for HTTP, tcp-session-cookie-name) in the [session] section of the instance configuration file. The information after the semicolon (;) is the cookie attributes. The Path attribute specifies that this cookie should be sent back with any request that starts with a slash (/), which means any request. The Secure attribute specifies that the cookie must only be returned over a secure (encrypted) connection, never in clear text. For more information about cookies, see the draft specifications that are available at the following URL: http://web.archive.org/web/20060424004149/wp.netscape.com/newsref/std/cookie_spec.html

This is one of a number of HTTP header fields that WebSEAL can insert when communicating with the back end. Its name is specified in the server_name property of the [header-names] stanza of the instance configuration file.

iv_server_name: default-webseald-tam.ibm.com

If the junction had been created with the -c parameter, you would see the user identification fields: iv-user, iv-user-l, iv-groups, and iv-creds.
Back-end response
The back-end server responds to the request. The following text, all on one line, shows that the response goes from the back-end server to PD (WebSEAL).

2009-04-28-19:48:46.102-05:00I----- thread(4) trace.pdweb.debug:2 /project/amweb610/build/amweb610/src/pdweb/webseald/ras/trace/debug_log.cpp:178: ----------------- PD <=== BackEnd ----------------

The following field identifies the server, which can be useful in verifying that junctions direct to the correct back-end server.

server: IBM_HTTP_Server

user-agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.19; X11) KHTML/3.5.5 (like Gecko) (Debian package 4:3.5.5a.dfsg.1-5)
accept-charset: iso-8859-1, utf-8;q=0.5, *;q=0.5
cache-control: no-cache
pragma: no-cache

The browser posts to /pkmslogin.form, presumably the logon information. However, it does not return the cookie. The problem might be that cookies are turned off in the browser. Forms authentication cannot work without cookies.
0x0000  4854 5450 2f31 2e31 2034 3034 204e 6f74  HTTP/1.1.404.Not
0x0010  2046 6f75 6e64 0d0a 4461 7465 3a20 5765  .Found..Date:.We
0x0020  642c 2032 3920 4170 7220 3230 3039 2031  d,.29.Apr.2009.1
0x0030  393a 3238 3a30 3020 474d 540d 0a53 6572  9:28:00.GMT..Ser
0x0040  7665 723a 2049 424d 5f48 5454 505f 5365  ver:.IBM_HTTP_Se
0x0050  7276 6572 0d0a 436f 6e74 656e 742d 4c65  rver..Content-Le
0x0060  6e67 7468 3a20 3238 310d 0a43 6f6e 6e65  ngth:.281..Conne
0x0070  6374 696f 6e3a 2063 6c6f 7365 0d0a 436f  ction:.close..Co
0x0080  6e74 656e 742d 5479 7065 3a20 7465 7874  ntent-Type:.text
0x0090  2f68 746d 6c3b 2063 6861 7273 6574 3d69  /html;.charset=i
0x00a0  736f 2d38 3835 392d 310d 0a0d 0a3c 2144  so-8859-1....<!D

The lines show an HTTP header (the status is 404, which means that a file requested from the server was not found). To preserve the column format, non-printable characters, such as new line, are printed as dots. You can identify them by looking at the bytes in hexadecimal: the byte pair 0d0a sits in the position corresponding to each new line. Notice the two consecutive new lines, 0d0a 0d0a, in the row at offset 0x00a0. They mark the end of the header and the beginning of the message body.

0x00b0  4f43 5459 5045 2048 544d 4c20 5055 424c  OCTYPE.HTML.PUBL
0x00c0  4943 2022 2d2f 2f49 4554 462f 2f44 5444  IC."-//IETF//DTD
0x00d0  2048 544d 4c20 322e 302f 2f45 4e22 3e0a  .HTML.2.0//EN">.
0x00e0  3c68 746d 6c3e 3c68 6561 643e 0a3c 7469  <html><head>.<ti
0x00f0  746c 653e 3430 3420 4e6f 7420 466f 756e  tle>404.Not.Foun
0x0100  643c 2f74 6974 6c65 3e0a 3c2f 6865 6164  d</title>.</head
0x0110  3e3c 626f 6479 3e0a 3c68 313e 4e6f 7420  ><body>.<h1>Not.
0x0120  466f 756e 643c 2f68 313e 0a3c 703e 5468  Found</h1>.<p>Th
0x0130  6520 7265 7175 6573 7465 6420 5552 4c20  e.requested.URL.
0x0140  2f69 6d61 6765 732f 6f64 6f74 2e6a 7067  /images/odot.jpg
0x0150  2077 6173 206e 6f74 2066 6f75 6e64 206f  .was.not.found.o
0x0160  6e20 7468 6973 2073 6572 7665 722e 3c2f  n.this.server.</
0x0170  703e 0a3c 6872 202f 3e0a 3c61 6464 7265  p>.<hr./>.<addre
0x0180  7373 3e49 424d 5f48 5454 505f 5365 7276  ss>IBM_HTTP_Serv
0x0190  6572 2053 6572 7665 7220 6174 2062 6163  er.Server.at.bac
0x01a0  6b65 6e64 2050 6f72 7420 3831 3c2f 6164  kend.Port.81</ad
0x01b0  6472 6573 733e 0a3c 2f62 6f64 793e 3c2f  dress>.</body></
0x01c0  6874 6d6c 3e0a                           html>.
These lines show the HTML, which is the HTTP message body. To make the HTML easier to read, put the lines together and translate the control characters, as listed in Table 1.
Table 1 Control characters

Hexadecimal byte   Character
09                 Tab
0a                 New line
0d                 Ignore
20                 Space

By translating 0a to a new line and 20 to a space, you can make the HTML easier to read.

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /images/odot.jpg was not found on this server.</p>
<hr />
<address>IBM_HTTP_Server Server at backend Port 81</address>
</body></html>
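The hand translation above can be automated. The following script is an added example and is not part of the Redpaper: it turns the hex words of a pdweb.debug dump back into bytes, splits the message at the 0d0a 0d0a marker, and reports how much of the declared Content-Length the trace actually captured (here only the header rows are fed in, so the body is reported as incomplete). The row layout it parses, and the function names, are assumptions.

```python
# Added example, not from the Redpaper: decode a pdweb.debug hex dump (offset,
# up to eight 16-bit hex words) back into bytes, split the HTTP message at the
# first CR LF CR LF, and compare the body seen so far with Content-Length.
import re

# Constructed from the 404 response dump above; the ASCII column is omitted.
DUMP = """\
0x0000 4854 5450 2f31 2e31 2034 3034 204e 6f74
0x0010 2046 6f75 6e64 0d0a 4461 7465 3a20 5765
0x0020 642c 2032 3920 4170 7220 3230 3039 2031
0x0030 393a 3238 3a30 3020 474d 540d 0a53 6572
0x0040 7665 723a 2049 424d 5f48 5454 505f 5365
0x0050 7276 6572 0d0a 436f 6e74 656e 742d 4c65
0x0060 6e67 7468 3a20 3238 310d 0a43 6f6e 6e65
0x0070 6374 696f 6e3a 2063 6c6f 7365 0d0a 436f
0x0080 6e74 656e 742d 5479 7065 3a20 7465 7874
0x0090 2f68 746d 6c3b 2063 6861 7273 6574 3d69
0x00a0 736f 2d38 3835 392d 310d 0a0d 0a3c 2144
"""

# Assumed row layout: "0x<offset>" followed by one to eight 4-digit hex words.
ROW = re.compile(r"^0x([0-9a-f]{4})((?: [0-9a-f]{4}){1,8})", re.I)

def dump_to_bytes(dump):
    """Join the hex words of each row; reject rows whose offset skips bytes."""
    out = bytearray()
    for line in dump.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # column headings or trace prose between rows
        if int(m.group(1), 16) != len(out):
            raise ValueError("gap in dump at offset " + m.group(1))
        out += bytes.fromhex(m.group(2).replace(" ", ""))
    return bytes(out)

def split_http_message(raw):
    """Split at the two consecutive new lines (0d0a 0d0a) that end the header."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no 0d0a 0d0a end-of-header marker in dump")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    declared = int(headers.get("content-length", "-1"))
    return {"status_line": lines[0], "headers": headers,
            "header_bytes": len(head) + len(sep), "body_bytes": len(body),
            "content_length": declared, "complete": declared == len(body)}
```

A "complete" value of False with a short body_bytes count means the trace was cut off, not that the back end sent too little; feed in the remaining rows (0x00b0 onwards) to see the counts agree.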
Summary
You should now be able to view the information passing through WebSEAL and use it to troubleshoot HTTP-related problems.
Resources
For more information, consult the following resources.

More information about the IBM Tivoli Access Manager for e-business architecture and components can be found in the IBM Redbooks publication Enterprise Security Architecture Using IBM Tivoli Security Solutions, SG24-6014: http://www.redbooks.ibm.com/abstracts/sg246014.html?Open

The HTTP protocol is defined in RFC 2616, available at the following URL: http://tools.ietf.org/html/rfc2616

Cookies are explained in the draft specifications, available at the following URL: http://web.archive.org/web/20060424004149/wp.netscape.com/newsref/std/cookie_spec.html

An explanation of P3P is available at the following URL: http://www.w3.org/P3P
Notices
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service. IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, NY 10504-1785 U.S.A. The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you. This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice. 
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk. IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you. Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental. COPYRIGHT LICENSE: This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs.
Copyright International Business Machines Corporation 2009. All rights reserved. Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
This document REDP-4622-00 was created or updated on December 3, 2009.

Send us your comments in one of the following ways:

Use the online Contact us review Redbooks form found at: ibm.com/redbooks

Send your comments in an email to: redbooks@us.ibm.com

Mail your comments to: IBM Corporation, International Technical Support Organization, Dept. HYTD Mail Station P099, 2455 South Road, Poughkeepsie, NY 12601-5400 U.S.A.
Redpaper
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. These and other IBM trademarked terms are marked on their first occurrence in this information with the appropriate symbol (® or ™), indicating US registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at http://www.ibm.com/legal/copytrade.shtml The following terms are trademarks of the International Business Machines Corporation in the United States, other countries, or both:
IBM RACF Redbooks Redpaper Redbooks (logo) Tivoli
Other company, product, or service names may be trademarks or service marks of others.