Installing Web Server and Web Services Security Service Modules
This section covers tasks that you must perform after completing the post-installation tasks for the Web Server Security Service Module. The following topics are covered in this section:
Developing a policy for a web application typically begins by determining which resources you want to protect. You then create the resources, authorization mapping policies to define access privileges and roles for each resource, and under what specific conditions. Next, you create role mapping policies that control which users and groups have membership in the defined roles, and under what conditions.
In this section, you are instructed in how to create resources and define authorization and role mapping policies for protecting a sample web server application. Later on in this section you are instructed to deploy this policy to the Web Services SSM that you will use to control access to sample web server application resources.
AquaLogic Enterprise Security provides three tools for configuring application policy: the Administration Console, the Policy Import Tool, and the Business Logic Manager (BLM). In this section you are directed to use the Administration Console to configure policy.
For more information on how to use the Administration Console to configure policy, see the Policy Managers Guide and Console Help.
For instructions on how to use the Policy Import Tool to import policy files, see the Importing Policy section in the Policy Managers Guide.
For information on the BLM, see the BLM API Javadocs.
To configure and deploy policy for the Web Server SSM, perform the following tasks:
This section describes how to use the Administration Console to create resources for the sample web server application resource.
Figure 5-1 shows the resources that you must create for the sample IIS Web Server configuration. You create the same resources for the Apache Web Server, except that you assign the NamePassword a file extension of .html, instead of .acc.
Figure 5-1 Resources Tree for the IIS Web Server
To create these resources, perform the following steps:
ssmws, select Binding from the Type drop-down list box, and click Ok. The ssmws resource appears under the Policy node.
Note: The favicon.ico file is an icon requested by the Internet Explorer and Mozilla browsers for bookmarking a URL.
This section describes how to use the Administration Console to create authorization and role mapping policies to protect the sample web server application resources. It includes authorization policies for the html files and role mapping policies to assign membership to those roles.
Table 5-1 lists and describes the authorization policies that you have to create to protect the sample web server application resources. This authorization policy allows users who are members of the Everyone role the GET access privilege to favicon.ico and the GET and POST access privileges to NamePasswordForm.acc (so users who have membership in the Everyone role can access the username/password form when authentication for a protected resource is needed). The policy also restricts access to foo.html to users in the Admin role.
To create the authorization policies listed in Table 5-1, perform the following steps.
GET privilege from the Select Privileges from Group list box and add it to the Selected Privileges box.
favicon.ico resource from the Child Resource box and add it to the Selected Resources box.
Everyone role from the Roles List box, add it to the Selected Policy Subjects box, and click Ok.
Admin role is assigned to the foo.html resource.
This section describes how to use the Administration Console to modify the role mapping policies that will be used to control access to the sample Web Server application resources.
To modify the Admin and Everyone role mapping policies, perform the following steps:
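The following is an added example, not part of the ALES documentation or product, that models the two policy layers described above: role mapping policies decide which roles a user holds, and authorization policies (Table 5-1) decide which privileges each role has on each resource under //app/policy/ssmws. Resource, privilege and role names are taken from this section (IIS variant of the file names); the user-to-role rules, the privileges granted to Admin on foo.html, and the anonymous-user handling are constructed assumptions used only to make the evaluation runnable.

```python
"""Toy model of the sample web server policy described in this section.
Added example; the evaluation logic here is NOT the ALES engine."""

# Resource tree under //app/policy/ssmws (names from the page, IIS variant).
RESOURCES = {"favicon.ico", "NamePasswordForm.acc", "foo.html"}

# Authorization policies from Table 5-1 as (role, resource, privileges).
# Assumption: the page only says foo.html is restricted to Admin, so the
# privileges granted to Admin there (GET and POST) are a constructed choice.
AUTHORIZATION_POLICIES = [
    ("Everyone", "favicon.ico", {"GET"}),
    ("Everyone", "NamePasswordForm.acc", {"GET", "POST"}),
    ("Admin", "foo.html", {"GET", "POST"}),
]

# Role mapping policies. Assumption: Everyone includes users who have not yet
# authenticated (user is None), which is what lets them reach the login form;
# Admin is granted to members of a constructed group named "admins".
ROLE_MAPPING = {
    "Everyone": lambda user, groups: True,
    "Admin": lambda user, groups: user is not None and "admins" in groups,
}


def roles_for(user, groups):
    """Apply every role mapping policy and return the set of roles held."""
    return {role for role, rule in ROLE_MAPPING.items() if rule(user, groups)}


def is_authorized(user, groups, resource, privilege):
    """Deny by default; allow only if some policy grants the privilege on the
    exact resource to a role the user holds. Unknown resources are denied."""
    if resource not in RESOURCES:
        return False
    held = roles_for(user, groups)
    return any(
        role in held and res == resource and privilege in privs
        for role, res, privs in AUTHORIZATION_POLICIES
    )


def explain(user, groups, resource, privilege):
    """Human-readable decision line, useful when reviewing a policy set."""
    verdict = "ALLOW" if is_authorized(user, groups, resource, privilege) else "DENY"
    who = user or "<anonymous>"
    return f"{verdict} {who} {privilege} {resource} roles={sorted(roles_for(user, groups))}"


if __name__ == "__main__":
    # Constructed sample requests.
    print(explain(None, set(), "NamePasswordForm.acc", "GET"))
    print(explain("bob", set(), "foo.html", "GET"))
    print(explain("alice", {"admins"}, "foo.html", "GET"))
```

The evaluator denies anything not explicitly granted, which is the behaviour you want to confirm when you later distribute the policy: an ordinary authenticated user must still be refused foo.html, while the login form and favicon remain reachable before authentication.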
For the sample web server application, the Application Deployment Parent setting on the ASI Authorization provider and the ASI Role Mapping provider must be set to //app/policy/ssmws and bound to the provider.
To configure these providers, perform the following steps:
To configure the ALES Identity Assertion and ALES Credential Mapping providers, perform the following steps:
Note: The ALES Identity Assertion provider and the ALES Credential Mapping provider work with one another so you must ensure that their configuration settings match.
Distribute the policy and security configuration to the Web Server SSM.
For information on how to distribute policy and security configuration, see the Console Help. Be sure to verify the results of your distribution.
The Web Server Environmental Binding configuration procedures vary depending on the type of web server SSM you are configuring. BEA AquaLogic Enterprise Security supports two web server SSMs that require configuration of the Web Server Environmental Binding, the Microsoft IIS Web Server SSM and the Apache Web Server SSM. For configuration instructions, see the appropriate topic below:
To configure the environmental binding for Microsoft IIS Web Server, perform the following tasks:
Note: This task assumes you have created an instance of the IIS Web Server SSM according to the instructions provided in Creating an Instance of the Web Server Security Service Module.
The IIS Web Server Binding Plug-in file is named wles_isapi.dll. This file is located in the BEA_HOME\ales21-ssm\iis-ssm\lib directory.
To configure the Microsoft IIS Web Binding plug-in, perform the following steps:
Figure 5-2 IIS Web Site Properties Dialog
wles_isapi.dll file, which is located in the BEA_HOME\ales21-ssm\iis-ssm\lib directory, and click Ok.
Figure 5-3 Authentication Methods Dialog
Read and Read/Execute permissions on the following directories:
BEA_HOME\ales21-ssm\iis-ssm\lib
BEA_HOME\ales21-ssm\iis-ssm\instance\iisssmdemo\ssl
BEA_HOME\ales21-ssm\iis-ssm\instance\iisssmdemo\config
NamePasswordForm.acc file in a virtual directory, repeat the previous step for the virtual directory as well.
Figure 5-4 IIS Web Site Home Directory Dialog
Figure 5-5 IIS Web Site Application Configuration Dialog
Figure 5-6 IIS Web Site Add/Edit Application Extension Mapping Dialog
wles_isapi.dll file to the Executable field, fill in the other fields as shown in Figure 5-6, and click Ok.
wles_isapi.dll file again and start the IIS Web Server.
Note: Be sure to start the IIS web server with IIS SSM after you have started the Web Services SSM and ARME.
Configure the NamePasswordForm.acc file for the IIS Web Server as follows:
To set up the sample web application, perform the following steps:
Note: The Web Services SSM must be started before you perform this task because the filter and extension attempt to connect to the Web Services SSM when they are loaded by the Web Server.
IIS Server/wwwroot/test directory as shown in Figure 5-7 and copy the following files to the test directory:
NamePasswordForm.acc
foo.html
atnfailure.html
atzfailure.html
Note: The NamePassword.acc file is provided in the BEA_HOME\ales21-ssm\iis-ssm\instance\<instancename>\templates directory. The foo.html, atnfailure.html and atzfailure.html files are not provided in the product installation kit. You should use your own versions of these files.
Figure 5-7 Deploying the Sample Application on the IIS Web Server
To configure the Apache Web Server, perform the following tasks:
To download and install the Apache Web Server software, perform the following steps:
where ServerRoot is the Apache installation directory.
Note: The Apache Web Server Security Service Module (SSM) requires that the above two modules be included in the Apache installation; otherwise the Secure Sockets Layer (SSL) and the Security Assertion Markup Language (SAML) server-side include (SSI) related functions will not work.
Note: You may build your own 2.0.x version of the Apache Web Server with the above mentioned modules. If the modules are built into Apache, there may be no such files.
Note: This task assumes you have created an instance of the Apache Web Server SSM according to the instructions provided in Creating an Instance of the Web Server Security Service Module.
The ALES module contains only one file. For Windows, the file name is mod_wles.dll. For Sun Solaris and Linux, the file name is mod_wles.so.
To install and configure the ALES module, perform one of the following steps:
ServerRoot/conf/httpd.conf file and add a LoadModule directive. There are several LoadModule directives in the LoadModule section of the httpd.conf file. Add the following line to the end of the LoadModule section:
LoadModule wles_module <APACHE_SSM_HOME>/lib/modules/mod_wles.so
where <APACHE_SSM_HOME> is the Apache Web Server SSM installation directory.
For example, on Windows:
LoadModule wles_module c:\bea\ales21-ssm\apache-ssm\lib\mod_wles.dll
On Solaris or Linux:
LoadModule wles_module /home/tiger/bea/ales21-ssm/apache-ssm/lib/mod_wles.so
<IfModule mod_wles.cpp>
ALESConfigDir <APACHE_SSM_HOME>/instance/<instance_name>/config
</IfModule>
where the config directory is the directory that contains the default.properties file.
Note: In the IfModule condition, be sure to specify mod_ales.cpp, not mod_ales.c.
ServerName to Apache, for example:
ServerName www.yourservername.com:8080
LD_LIBRARY_PATH="/www/apache/lib:$LD_LIBRARY_PATH:<APACHE_SSM_HOME>/lib"
Note: This step ensures that the Apache Web Server can load the dependency libraries for the mod_wles file.
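The steps above amount to four things that must all be present in httpd.conf before Apache will load the ALES module: the LoadModule wles_module directive, an IfModule block keyed on the .cpp module name that sets ALESConfigDir, a config directory that actually holds default.properties, and a ServerName. The following added example (not part of the product or its documentation) is a small pre-start check for exactly those directives; the sample httpd.conf fragments it inspects are constructed here, and the module name it expects in the IfModule condition is mod_wles.cpp, matching the block shown on this page.

```python
"""Check an httpd.conf for the ALES Apache SSM directives described above.
Added example; not an ALES tool. Only the directives named on the page are
checked, nothing about the rest of the Apache configuration."""
import os
import re
import tempfile

LOADMODULE_RE = re.compile(r"^\s*LoadModule\s+wles_module\s+(\S+)", re.M)
IFMODULE_RE = re.compile(r"<IfModule\s+(\S+)>(.*?)</IfModule>", re.S)
CONFIGDIR_RE = re.compile(r"^\s*ALESConfigDir\s+(\S+)", re.M)
SERVERNAME_RE = re.compile(r"^\s*ServerName\s+(\S+)", re.M)


def check_httpd_conf(text, path_exists=os.path.isfile):
    """Return a list of problems; an empty list means all four items are present.
    path_exists is injectable so the check can run against a config that
    refers to directories on another host."""
    problems = []

    lm = LOADMODULE_RE.search(text)
    if not lm:
        problems.append("missing 'LoadModule wles_module ...' directive")
    elif not os.path.basename(lm.group(1)).startswith("mod_wles."):
        problems.append("LoadModule wles_module does not point at a mod_wles file")

    blocks = {name: body for name, body in IFMODULE_RE.findall(text)}
    if "mod_wles.cpp" not in blocks:
        if "mod_wles.c" in blocks:
            # The common mistake the page's note warns about: .c instead of .cpp
            problems.append("IfModule condition uses mod_wles.c; it must be mod_wles.cpp")
        else:
            problems.append("missing <IfModule mod_wles.cpp> block")
    else:
        cd = CONFIGDIR_RE.search(blocks["mod_wles.cpp"])
        if not cd:
            problems.append("ALESConfigDir not set inside <IfModule mod_wles.cpp>")
        elif not path_exists(os.path.join(cd.group(1), "default.properties")):
            problems.append(f"ALESConfigDir {cd.group(1)} does not contain default.properties")

    if not SERVERNAME_RE.search(text):
        problems.append("ServerName not set")
    return problems


# Constructed sample fragments. Paths follow the examples on the page.
SAMPLE_GOOD = """\
LoadModule ssl_module modules/mod_ssl.so
LoadModule wles_module /home/tiger/bea/ales21-ssm/apache-ssm/lib/mod_wles.so

<IfModule mod_wles.cpp>
    ALESConfigDir {config_dir}
</IfModule>

ServerName www.yourservername.com:8080
"""

SAMPLE_BAD = """\
LoadModule wles_module /home/tiger/bea/ales21-ssm/apache-ssm/lib/mod_wles.so
<IfModule mod_wles.c>
    ALESConfigDir {config_dir}
</IfModule>
"""


def run_demo():
    """Build a throwaway config dir holding default.properties and check both
    samples against it. Returns (problems_in_good, problems_in_bad)."""
    with tempfile.TemporaryDirectory() as tmp:
        config_dir = os.path.join(tmp, "config")
        os.makedirs(config_dir)
        open(os.path.join(config_dir, "default.properties"), "w").close()
        good = check_httpd_conf(SAMPLE_GOOD.format(config_dir=config_dir))
        bad = check_httpd_conf(SAMPLE_BAD.format(config_dir=config_dir))
    return good, bad


if __name__ == "__main__":
    for label, problems in zip(("good", "bad"), run_demo()):
        print(label, "->", problems or "ok")
```

Run it against the real ServerRoot/conf/httpd.conf by reading the file and passing its text to check_httpd_conf before starting Apache; a non-empty list tells you which of the steps above was skipped.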
Configure the NamePasswordForm.html file for the Apache Web Server as follows:
<FORM METHOD=POST ACTION="test/NamePasswordForm.html">
To set up the sample web application, perform the following steps:
Apache Server/wwwroot/test directory as shown in Figure 5-8 and copy the following files to the test directory:
NamePasswordForm.html
foo.html
atnfailure.html
atzfailure.html
Note: The NamePassword.html file is provided in the BEA_HOME\ales21-ssm\apache-ssm\instance\<instancename>\templates directory. The foo.html, atnfailure.html and atzfailure.html files are not provided in the product installation kit. You should use your own versions of these files.
Figure 5-8 Deploying the Sample Application on the Apache Web Server
You can configure web single sign-on (SSO) for the following use cases:
With SSO configured, any user that authenticates to one Web Server SSM can access any other Web Server SSM in the cookie domain without having to re-authenticate.
With SSO configured, any user that authenticates to one Web Server SSM can access any other WebLogic Server 8.1 SSM in the cookie domain without having to re-authenticate. However, a user that authenticates to a WebLogic Server 8.1 SSM cannot access another WebLogic Server 8.1 SSM or another Web Server SSM without re-authenticating.
For configuration instructions, see the following topics:
To configure Web Server SSM to Web Server SSM to support web single sign-on, perform the following steps:
For instructions on how to perform the above steps, see the Console Help for the Administration Console.
To configure Web Server SSM to WebLogic Server 8.1 SSM to support web single sign-on, perform the following steps:
For instructions on how to perform the above steps, see the Console Help.
You have completed the configuration tasks for the Web Server Security Service Module (SSM).
Refer to the Policy Managers Guide for instructions on how to write security policy.