Direct links to fixes
5.1.0-TIV-TAM-IF0043-WIN
5.1.0-TIV-TAM-IF0043-LIN
5.1.0-TIV-TAM-IF0043-PPC
5.1.0-TIV-TAM-IF0043-SOL
5.1.0-TIV-TAM-IF0043-S390
5.1.0-TIV-TAM-IF0043-HP
5.1.0-TIV-TAM-IF0043-AIX
Tivoli Access Manager for e-Business WebSEAL, Patch 5.1.0-TIV-AWS-FP0039
Tivoli Access Manager for e-Business WebSEAL, Patch 5.1.0.39-TIV-AWS-IF0040
Tivoli Access Manager for e-Business WebSEAL, Patch 5.1.0-TIV-AWS-FP0041
Tivoli Access Manager for e-Business WebSEAL, Patch 5.1.0-TIV-AWS-FP0042
APAR status
Closed as documentation error.
Error description
Environment: TAM WebSeal 5.1 on Windows, reproduced at FP 27.

Problem: Forcing WebSEAL to require BOTH client certificate AND username/password.

1) First, you must set up client certificate authentication to be "required", per the administration guide:
http://publib.boulder.ibm.com/tividd/td/ITAME/SC32-1359-00/en_US /HTML/am 51_webseal_guide58.htm#authn-client-side-cert

2) The next step is to configure step-up authentication per the admin guide:
http://publib.boulder.ibm.com/tividd/td/ITAME/SC32-1359-00/en_US /HTML/am 51_webseal_guide49.htm#auth-strength

The key thing to watch out for when configuring step-up is the authentication levels. Since the user was already forced to provide a client certificate to set up the SSL connection, you want them to step up to a password login next.

[authentication-levels]
level = unauthenticated
level = ssl
level = password

Finally, to finish the step-up configuration, you should also create the POP per the instructions for authentication level 2, and attach it to the desired object where you want this step-up to take place.

When form is used (form-auth=both and ba-auth=none), it works well.

When BA is used (form-auth=none and ba-auth=both), I have this error (typical when you try to access a resource with a bad protocol):

---------------------------------------------------------
Forbidden

The resource you have requested is secured by Access Manager WebSEAL.

Explanation

There are two possible reasons why this message appeared:
You are not logged in to this secure domain.
You are logged in to this secure domain, but do not have the correct permissions to access the resource.

Solutions

You have an account for this secure domain but need to log in: You must first access this resource via HTTPS (SSL) and login to the secure domain. Re-access the page using HTTPS.
You do not have an account with this secure domain: Please contact your Account Administrator to obtain login and password information.
You are logged in but still denied access to the page: If you continue to get this message, you probably do not have the correct permissions to access the resource. Please contact your Security Administrator for assistance.
---------------------------------------------------------

While the TAM 6.0 WebSeal admin guide says that step-up to basic authentication is not supported, the ITAM 5.1 WebSeal admin guide says that both (form and basic) are supported.
Local fix
Problem summary
Step-up to basic auth does not work.
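Added example, not part of the APAR and not IBM code: a Python check that reads a stanza-style configuration and flags the combination the error description reports as failing, that is, step-up to the password level with basic authentication as the only password mechanism. The [certificate], [ba] and [forms] stanza names, the forms-auth key spelling, the accept-client-certs values and the sample file are assumptions; the report shows only [authentication-levels].

```python
import re

# Constructed sample, not from a real deployment. The [certificate], [ba] and
# [forms] stanza names and the forms-auth spelling are assumptions; the report
# shows only [authentication-levels] and writes the keys as form-auth / ba-auth.
SAMPLE_CONF = """\
[certificate]
accept-client-certs = required
[ba]
ba-auth = both
[forms]
forms-auth = none
[authentication-levels]
level = unauthenticated
level = ssl
level = password
"""

def parse_stanzas(text):
    """Parse stanza-style config, keeping repeated keys such as 'level' in order."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1).strip(), [])
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current.append((key, value.lower()))
    return stanzas

def setting(stanzas, stanza, keys, default):
    """Return the last value seen for a single-valued key, or the default."""
    values = [v for k, v in stanzas.get(stanza, []) if k in keys]
    return values[-1] if values else default

def check_stepup(text):
    s = parse_stanzas(text)
    levels = [v for k, v in s.get("authentication-levels", []) if k == "level"]
    ba = setting(s, "ba", ("ba-auth",), "none")
    forms = setting(s, "forms", ("forms-auth", "form-auth"), "none")
    certs = setting(s, "certificate", ("accept-client-certs",), "never")
    findings = []
    if "ssl" in levels and certs != "required":
        findings.append("ssl level is listed but client certificates are not required")
    # Position in the list is the level number a POP refers to (password = 2 here).
    pw_level = levels.index("password") if "password" in levels else None
    if pw_level is not None and pw_level >= 2 and forms == "none" and ba != "none":
        findings.append("step-up to password would use basic auth only (ba-auth=%s, "
                        "forms disabled): the combination this report says fails" % ba)
    return {"levels": levels, "password_level": pw_level, "findings": findings}
```

For the sample, the password entry sits at position 2 in the list, matching the authentication level 2 that the report attaches to the POP.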
Problem conclusion
The fix for this APAR is expected to be contained in the following maintenance delivery vehicles:
| interim fix | 5.1.0-TIV-AWS-LA0037 |
| fix pack | 5.1.0-TIV-AWS-FP0038 |
Temporary fix
Comments
APAR Information
APAR number
IZ17083
Reported component name
ACCESS MGR E-BU
Reported component ID
5724C0800
Reported release
510
Status
CLOSED DOC
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2008-03-06
Closed date
2008-05-29
Last modified date
2008-05-29
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Applicable component levels
Document Information
Modified date:
29 December 2021