WebSealandCLM < Deployment

r6 - 2015-07-20 - 10:52:55 - Main.sbeardYou are here: TWiki >

Deployment Web > DeploymentInstallingUpgradingAndMigrating > WebSealandCLM

<div id="header-title" style="padding: 10px 15px; border-width:1px; border-style:solid; border-color:#FFD28C; background-image: url(<nop>https://jazz.net/wiki/pub/Deployment/WebPreferences/TLASE.jpg); background-size: cover; font-size:120%">
---+!! Using !WebSEAL in a CLM environment 
%DKGRAY% Authors: Main.SimonWashbrook<br>
Build basis: CLM 5.0.2
%ENDCOLOR%</div></sticky>

<!-- Page contents top of page on right hand side in box -->
<sticky><div style="float:right; border-width:1px; border-style:solid; border-color:#DFDFDF; background-color:#F6F6F6; margin:0 0 15px 15px; padding: 0 15px 0 15px;">
%TOC{title="Page contents"}%
</div></sticky>

<sticky><div style="margin:15px;"></sticky>

WebSEAL is a high performance, multi-threaded reverse proxy that is a component of IBM Tivoli Access Manager for e-business. It applies fine-grained security policy to the Tivoli Access Manager protected Web object space and can provide single sign-on to back-end web servers. It can be used to provide an extra layer of security in front of a CLM application.

The product documentation on IBM Tivoli Access Manager for e-business Version 6.1.1 can be found [[http://www-01.ibm.com/support/knowledgecenter/SSPREK_6.1.1/KC_ditamaps/welcome.html][here]].

The product documentation on the successor product, IBM Security Access Manager for Web, can be found [[http://www-01.ibm.com/support/knowledgecenter/SSPREK/welcome][here]].
---++ Setting up !WebSEAL in a CLM environment

Refer to the formal IBM Tivoli Access Manager for e-business/IBM Security Access Manager for Web documentation for how to configure !WebSEAL as the reverse proxy in front of CLM.

---++ Known issues when using !WebSEAL in a CLM environment

---+++ Managing RTC cookies in !WebSEAL

A ‘Junction’ is the definition of a connection between !WebSEAL and a back-end web server. 

By default, !WebSEAL modifies the name of cookies returned in responses from back-end applications across certain junctions - thus it creates unique cookie names in order to prevent possible naming conflicts with cookies returned across other junctions. It prepends the name attribute of a Set-Cookie header with a special string: the string contains the identifier AMWEBJCT, plus the name of the specific junction responsible for delivering the response (with cookie). When the cookies are sent back from the browser to the server !WebSEAL will remove the junction name and identifier so the server receives the original cookie name that it sent. 

This would not normally be a problem - however from version 5.0 onwards there is a new cookie sent from the CLM server to the web browser and there is new !JavaScript code that reads the value of this cookie. As !WebSEAL has renamed the cookie this !JavaScript raises an exception that prevents the CLM application from being displayed in the browser.

The symptoms are:

   1. The web pages shows a message "Loading..." that never finishes
   1. CLM in the web browser does not work but CLM in the Eclipse client does.

Resolution:

The following page in the !WebSEAL documentation explains how !WebSEAL renames cookies and how to prevent the renaming:

http://www-01.ibm.com/support/knowledgecenter/api/content/SSPREK_6.1.0/com.ibm.itame.doc_6.1/am61_webseal_admin591.htm#preserve-cookie-name?locale=en

The known cookies used by CLM are (they may be others):
   * x-com-ibm-team-scenario
   * !LtpaToken
   * redirectURL
   * JSESSIONID
   * JSESSIONIDjazz
   * X-com-ibm-team-foundation-auth-loop-avoidance
   * JAZZ_AUTH_TOKEN

The renaming of the ‘x-com-ibm-team-scenario’ cookie is known to cause the problem described above. Thus the =[preserve-cookie-names]= stanza of the !WebSEAL configuration file would be edited as follows:
<verbatim>
[preserve-cookie-names]
name = x-com-ibm-team-scenario
</verbatim>

If necessary, the names of other cookies can be added to the list, by adding other lines with the format =name = cookie-name=.


---+++ Managing Doors Next Generation cookies in !WebSEAL

By default !WebSEAL will add !JavaScript code to force the setting of a cookie on all HTML requests. Doors Next generation (formerly Rational Requirements Composer) requests HTML from the server via !JavaScript and parses the results. The !JavaScript added by !WebSEAL causes Doors NG to error when parsing the results.

The symptoms are:

   1. A popup window with an error "Invalid template ..." message, see below.<br />
     <img src="%ATTACHURLPATH%/cookie_renamed_by_webseal_in_doors_ng.png" alt="cookie_renamed_by_webseal_in_doors_ng.png" width="441" height="304" /><br />
     Note the name of the cookie on the line "document.cookie = " contains "IV_JCT" which is a sign that the cookie has been renamed as well.

Resolution:

You need to change the way that !WebSEAL adds !JavaScript: instead of adding at the end of the HTML code (mode trailer) you need to use mode "inhead" or "onfocus". See the following !WebSEAL help page on how to change this parameter:

http://www-01.ibm.com/support/knowledgecenter/api/content/SSPREK_6.1.0/com.ibm.itame.doc_6.1/am61_webseal_admin585.htm#junction-cookie-java-xhtml10

---++ Further Information

---+++++!! Related topics: [[DeploymentWebHome][Deployment web home]], 

---+++++!! External links:          

   * [[http://www-01.ibm.com/support/knowledgecenter/SSPREK_6.1.1/com.ibm.itame.doc_6.1.1/am611_webseal_admin20.htm%23am-intro][Tivoli Access Manager introduction]]
   * [[http://www-01.ibm.com/support/knowledgecenter/SSPREK_6.1.1/KC_ditamaps/welcome.html][Formal product documentation for IBM Tivoli Access Manager for e-business Version 6.1.1]]
   * [[http://www-01.ibm.com/support/knowledgecenter/SSPREK/welcome][The product documentation on the successor product, IBM Security Access Manager for Web]]

---+++++!! Additional contributors: Main.SimonWashbrook Main.VaughanHarper

<sticky></div></sticky>

Attachments

Topic attachments
I	Attachment	Action	Size	Date	Who	Comment
png	cookie_renamed_by_webseal_in_doors_ng.png	manage	15.1 K	2015-04-20 - 09:39	UnknownUser	Error message showing that a cookie has been renamed by WebSeal

Deployment

Community information and contribution guidelines

Status icon key:

To do
Under construction
New
Updated
Constant change
None - stable page

Smaller versions of status icons for inline text:

Copyright © by IBM and non-IBM contributing authors. All material on this collaboration platform is the property of the contributing authors.
Contributions are governed by our Terms of Use. Please read the following disclaimer.
Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.