I've been having this problem ever since placing TIM behind WebSEAL. When changes occur to accounts of TIM users, they will receive emails informing them of the changes and such. The problem is that the graphics in the emails are broken because TIM is protected behind WebSEAL. I'm trying to figure out how to handled this and so far I have found nothing on the IBM web site to give me a clue for this specifically.
One option I guess is to change the email template so that these graphics are not part of the template. Maybe moving the graphics somewhere where anonymous users can access will help. Still some of these we may want to be functional like the Logon button for TIM. Maybe we will change the standard Tivoli banner to a company banner, etc.... So far I haven't spent much time researching this option, but I imagine there is a place where we can customize this email template.
Another option I did spend some time on was Dynamic URL's. Chapter 34 of the WebSEAL Admin Guide goes into detail about how to control access to dynamic content using the dynurl.conf file. Supposedly I should be able to add entries for the location of the ITIM graphics and then after restarting WebSEAL, these .gif files should show up in the TAM Object Space. Then I can add ACLs to just the graphics allowing anonymous users to see them which would theoretically allow them to be visible in the ITIM emails. The Dynamic URL chapter does not mention how to handle static files like these .gifs especially when they are part of an application like TIM. In other words they are buried in a .ear file on the TIM server so I'm not sure if this is even on the right track to fix this problem.