IBM Support

IBM Security Verify Access - Extended Trust Association Interceptor (ETAI)

Download


Abstract

This extension to the embedded Trust Association Interceptor component provides single sign-on to WebSphere Application Server by IBM Security Access Manager for Web.

Download Description

This adapter enables single sign-on (SSO) to WebSphere Application Server by configuring WebSphere Application Server to allow trust associations.

The traditional Trust Association Interceptor++ (TAI++) accepts an iv-creds HTTP request header from IBM Security Access Manager for Web and a trust password in a Basic Authentication header. The traditional TAI++ embedded with WebSphere authenticates the trust password and consumes the iv-creds HTTP request header to build the credential of the original user.


The Extended Trust Association Interceptor++ (ETAI) includes more capabilities:

  • Removes the need for any Security Access Manager configuration on WebSphere Application Server.
  • Maps the credential attributes of the original user to different registry formats, or adds no credentials at all.
  • Processes Tivoli Federated Identity Manager security tokens.
  • Adds a trust mechanism based on mutual authentication over SSL and validation of the incoming certificate chain.
  • Works with iv-user only, in the absence of iv-creds.
  • Propagates rich identity to JAX-WS, LTPA, and RMI/IIOP in the form of a Security Access Manager binary security token.
  • Propagates Security Access Manager security attributes to the JAAS authorization that uses a login module.
  • Consumes SAML 2.0 security tokens without requiring an iv-creds or iv-user header.
  • Validates signatures of SAML 2.0 assertions by using a local keystore and a remote Security Token Service (STS) such as Tivoli Federated Identity Manager.

Prerequisites


One of the following versions:

  • IBM Security Verify Access 10.0.0, 10.0.1, 10.0.2, 10.0.3*, and 10.0.4*
  • IBM Security Access Manager 9.0.7.2 with latest fix-pack

***NOTE*** The upgrade to ISVA 10.0.3 and later uses OpenJDK 11 instead of IBM JRE 8 for the ISVA Java Runtime.  A WebSphere environment running with IBM JRE 8 can use PD.jar from 10.0.2 to communicate with an ISVA 10.0.3 Policy Server or Authorization Server.  Contact Support if you need pdjrte-10.0.2.0.zip.


With one of the following versions:

  • IBM WebSphere Application Server 8.5.X
  • IBM WebSphere Application Server 9.X

Ensure that the underlying products such as IBM Security Verify Access and IBM WebSphere Application Server are compatible with each other when you configure the Extended Trust Association Interceptor.

***NOTE*** Updated JAR files for v2.6 are attached and must be used with Java 1.8.  There is no ETAI v2.7.  The JAR files in both the original download and the updates end with _7.0.

AMExtTAI2.6_JVM8_JAR_FILES.zip

This file does not contain the PDF documentation and contains an extra file (com.tivoli.pd.amas.etai_7.0.jar). The com.tivoli.pd.amas.etai_7.0.jar file is only needed if you were previously using it.  Obtain the PDF from the main download link.

Traditional TAI++ JAR Update

WebSphere Application Server maintenance no longer updates the traditional embedded TAI++ JAR file.
The most recent version is here:

See the PDF document in the main download package for any more prerequisites.

Installation Instructions

See the PDF document in the download package for installation instructions.

Download Package

Existing ETAI v2.5 installations do not require upgrading unless the SAML feature set is required.
 

Primary Features

| ETAI Version | ETAI | ETAI (SAML support) |
|--------------|------|---------------------|
| ETAI v2.5    | Y    | -                   |
| ETAI v2.6    | Y    | Y                   |

  • ETAI v2.5 (04 Apr 2012, English, 1600215 B, Platform Independent): https://public.dhe.ibm.com/software/tivoli_support/misc/Security/AMeB/ETAI/AMExtTAI2.5.zip
  • ETAI v2.6 (15 Sep 2014, English, 2050023 B, Platform Independent): https://public.dhe.ibm.com/software/tivoli_support/misc/Security/AMeB/ETAI/AMExtTAI2.6.zip

Technical Support

This download is offered free of charge to existing IBM Security Access Manager customers. Support for this download is available through the normal IBM Security Access Manager support channels. Open a case with IBM Security Verify Access and mention component ID TIVOIAM00.
This integration is supported on the platforms and product versions listed in this document.


Document Information

Modified date: 24 August 2022

UID: swg24016601