IBM Support

IZ17083: WEBSEAL STEP-UP TO BASIC GIVES ERROR

 

APAR status

  • Closed as documentation error.

Error description

  • environment
    
    TAM WebSeal 5.1 on Windows, reproduced at FP 27.
    
    
    Problem:
    
    Forcing WebSEAL to require BOTH client certificate AND
    username/password.
    
    
    1) First, you must set up client certificate authentication to be
    "required", per the administration guide:
    http://publib.boulder.ibm.com/tividd/td/ITAME/SC32-1359-00/en_US/HTML/am51_webseal_guide58.htm#authn-client-side-cert
    
    2) The next step is to configure step-up authentication per the admin
    guide:
    http://publib.boulder.ibm.com/tividd/td/ITAME/SC32-1359-00/en_US/HTML/am51_webseal_guide49.htm#auth-strength
    
    The key thing to watch out for when configuring step-up is the
    authentication levels. Since the user was already forced to provide a
    client certificate to set up the SSL connection, you want them to step up
    to a password login next.
    
    [authentication-levels]
    level = unauthenticated
    level = ssl
    level = password
    
    Finally, to finish the step-up configuration, you should also create the
    POP per the instructions for authentication level 2, and attach it to
    the desired object where you want this step-up to take place.
    
    
    When form is used:
    
    form-auth=both
    and
    ba-auth=none
    
    it works well.
    
    When BA is used:
    
    form-auth=none
    and
    ba-auth=both
    
    I have this error (typical when you try to access a resource with a bad
    protocol):
    
    ---------------------------------------------------------
    Forbidden
    The resource you have requested is secured by Access Manager WebSEAL.
    Explanation
    There are two possible reasons why this message appeared:
    
    You are not logged in to this secure domain.
    You are logged in to this secure domain, but do not have the correct
    permissions to access the resource.
    
    Solutions
    You have an account for this secure domain but need to log in: You must
    first access this resource via HTTPS (SSL) and login to the secure
    domain. Re-access the page using HTTPS.
    
    You do not have an account with this secure domain: Please contact your
    Account Administrator to obtain login and password information.
    
    You are logged in but still denied access to the page: If you continue
    to get this message, you probably do not have the correct permissions to
    access the resource. Please contact your Security Administrator for
    assistance.
    
    
    
    
    
    While the TAM 6.0 WebSeal admin guide says that step-up to basic
    authentication is not supported, the ITAM 5.1 WebSeal admin guide says
    that both (form and basic) are supported.
    

Local fix

Problem summary

  • Step-up to basic auth does not work.
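
A lint for the configuration in the error description, added here as an example (not IBM's code): it reads the repeated `level` keys, whose order gives the POP authentication level, and flags a password level that can only be reached through basic auth. The `[ba]` and `[forms]` stanza names, the alternate `forms-auth` spelling and the sample file are assumptions.

```python
import re

# Constructed sample; the [ba] and [forms] stanza names are assumptions.
SAMPLE_CONF = """\
[ba]
ba-auth = both
[forms]
form-auth = none
[authentication-levels]
level = unauthenticated
level = ssl
level = password
"""

def parse_stanzas(text):
    """Return {stanza: [(key, value), ...]}, keeping repeated keys in file order."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1).strip(), [])
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current.append((key, value.lower()))
    return stanzas

def setting(stanzas, *names):
    """Last value set for any of the key names, in any stanza; default 'none'."""
    found = [v for entries in stanzas.values() for k, v in entries if k in names]
    return found[-1] if found else "none"

def check_stepup(text):
    stanzas = parse_stanzas(text)
    # Repeated 'level' keys: position in the list is the POP authentication level.
    levels = [v for k, v in stanzas.get("authentication-levels", []) if k == "level"]
    findings = []
    if "password" in levels:
        n = levels.index("password")
        forms = setting(stanzas, "form-auth", "forms-auth")
        ba = setting(stanzas, "ba-auth")
        if forms == "none" and ba != "none":
            findings.append(f"level {n} (password) is reachable only through basic "
                            "auth; step-up to basic auth fails, enable forms login")
        elif forms == "none":
            findings.append(f"level {n} (password) has no login method enabled")
    return levels, findings
```

On the sample, `check_stepup(SAMPLE_CONF)` reports one finding for level 2, the level the POP in the report is set to.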
    

Problem conclusion

  • The fix for this APAR is expected to be contained in the following
    maintenance delivery vehicles:
    | interim fix | 5.1.0-TIV-AWS-LA0037
    | fix pack | 5.1.0-TIV-AWS-FP0038
    

Temporary fix

Comments

APAR Information

  • APAR number

    IZ17083

  • Reported component name

    ACCESS MGR E-BU

  • Reported component ID

    5724C0800

  • Reported release

    510

  • Status

    CLOSED DOC

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2008-03-06

  • Closed date

    2008-05-29

  • Last modified date

    2008-05-29

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

Applicable component levels


Document Information

Modified date:
29 December 2021