Tech Tip – How to protect web app using ISAM Web Reverse Proxy


The IBM Security Access Manager appliance Web Reverse Proxy functionality is based on the technology included with the IBM Security Access Manager WebSEAL product.

In this guide, we will walk through the configuration needed to protect a backend web resource using WebSEAL’s Web Reverse Proxy functionality.


  • ISAM 9.0.5 (on docker container)
  • For this demo, our backend web app is:


Log in to the LMI and click Secure Web (WebSEAL) Settings –> Manage –> Reverse Proxy


Click on the default instance (assuming this is already created) and click on Manage –> Junction Management


Click New –> Standard Junction and define the junction as follows:

  • Junction Point Name : /community
  • Select “Create Transparent Path Junction” check box.
  • Select Junction Type = SSL


Click the Server tab, define the backend web server as below, and click Save.


At this point, you will probably get an error indicating that WebSEAL is not able to connect to the specified backend server. This is expected: we have not yet imported the junctioned server's certificate and Root CA certs into the WebSEAL cert database, so it is unable to establish a trusted connection with the backend.


Now, let’s go ahead and import the server and CA certs for our backend.

Click Manage –> SSL Certificates


Click the certificate database “pdsrv” and click Manage –> “Edit SSL Certificate Database”


Next, click Manage –> Load to load the certificate for our backend web server.


Provide the details of the backend web server and click Load.


You will now see a successful SSL certificate loading confirmation message.

Please ensure that you have the Root CA cert for the backend web server. To identify whether the imported cert is a Root CA cert, compare its Issuer and Subject. If they match, it is a Root CA cert; otherwise it is not.
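One way to run the Issuer/Subject comparison described above from a workstation with the openssl command line, and to confirm that the root you plan to import really validates the server certificate. This is an added example, not part of the original tip; the certificates, file names and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: throwaway, constructed certificates; not the real backend chain.

# Build a constructed chain (root CA + server cert) in directory $1.
make_demo_chain() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Demo Root CA" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=backend.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/leaf.csr" \
    -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -out "$d/leaf.pem" 2>/dev/null
}

# Print one name field ($1 = subject or issuer) of PEM certificate $2.
cert_name() {
  openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed "s/^$1= *//"
}

# Succeeds only when Subject and Issuer are both readable and identical.
is_root_ca() {
  s=$(cert_name subject "$1")
  [ -n "$s" ] && [ "$s" = "$(cert_name issuer "$1")" ]
}

# Succeeds when root CA $1 validates server certificate $2.
chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
make_demo_chain "$demo_dir"
for f in root.pem leaf.pem; do
  if is_root_ca "$demo_dir/$f"; then kind="Root CA"; else kind="not a Root CA"; fi
  echo "$f: subject=$(cert_name subject "$demo_dir/$f")" \
       "issuer=$(cert_name issuer "$demo_dir/$f") -> $kind"
done
chains_to "$demo_dir/root.pem" "$demo_dir/leaf.pem" && echo "root.pem validates leaf.pem"
```

A matching Issuer and Subject only shows the certificate is self-issued, so the `chains_to` check is what ties the root you import to the certificate the backend actually presents.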


In the above screenshot, the server certificate used by our backend is signed by the Root CA DST ROOT CA X3. If the Root CA is a public CA, you can usually download its cert from the internet. For example, the cert for DST Root CA X3 could be downloaded from here:


Now, let’s import the Root CA cert by clicking Manage –> Import


Now, let’s create some users. Click Secure Web (WebSEAL) Settings –> Manage –> Policy Administrator


Click User –> Create User and create the following two users:

  • user1 (authorized to access)
  • user2 (not authorized to access)


Now click ACL –> Create ACL and create an ACL to allow user1 access to our web resource.



Click on the newly created ACL and click Create ACL Entry for user1, allowing the following permissions: Traverse, View, Read & Execute



Now, let’s attach this ACL to our object space.

Click Policy Administration –> Object Space –> Browse Object Space and select the path (junction) that we created earlier. If the newly created junction is not displayed, click Refresh.


Next, attach the ACL created earlier and click Apply.

That’s it: all our changes are complete. We are now ready to deploy the changes and publish our configuration.

Click on the Home tab and click the notification.


Click Deploy to deploy the pending changes.


Click Container Management –> Publish Configuration.


Now, restart the WebSEAL docker container for it to pick up the new configuration.


Access the Reverse Proxy URL with our backend server URI appended: https://localhost:12443/community/ca-security/ca-single-sign-on/content.

Log in with user1 (authorized):



Log in with user2 (not authorized):


