Client identity information across junctions

A junction can be set up to specify client identity information in BA headers. You must know the available options so that you can use the correct combination of options.

The –b option allows four possible arguments: filter, supply, ignore, global signon.

The –b option has an impact on the junction settings for mutual authentication and you must consider the correct combination of options.

-b supply

• WebSEAL authentication with a BA header is not allowed with this option. This option uses the BA header for the original client user name and a dummy password.
• WebSEAL authentication with a client certificate is allowed with this option.

-b ignore

• WebSEAL authentication with a BA header is not allowed with this option. This option uses the BA header for the original client user name and password.
• WebSEAL authentication with a client certificate is allowed with this option.

-b gso

• WebSEAL authentication with a BA header is not allowed with this option. This option uses the BA header for user name and password information that is supplied by the GSO server.
• WebSEAL authentication with a client certificate is allowed with this option.

-b filter

• Internally, the –b filter option is used when WebSEAL authentication is set to use BA header information.

  The WebSEAL BA header is used for all subsequent HTTP transactions. To the back-end server, WebSEAL appears logged on always.

• WebSEAL authentication with a client certificate is allowed with this option.
• If the back-end server requires actual client identity (from the browser), the CGI variables HTTP_IV_USER, HTTP_IV_GROUP, and HTTP_IV_CREDS can be used. For scripts and servlets, use the corresponding Security Access Manager HTTP headers: iv-user, iv-groups, iv-creds.