Tivoli Access Manager
IBM Tivoli Access Manager for e-business (Access Manager) is a policy-based access control solution that allows an enterprise to control access to enterprise applications without multiple and possibly conflicting security policies. Rather than application-specific security, a common and consistent security policy is implemented using common security services and infrastructure.
Network identity is controlled by identifying a user once via authentication and passing that identity together with credentials through to the other components of the infrastructure.
The externalized security provided by Access Manager includes strategies to include legacy applications in Single Sign-On solutions through integration with pre-existing user registries and authorization databases.
Access Manager Secure Domain
The Access Manager Secure Domain provides a secure computing environment for enforcing security policies for authentication, authorization, and access control.
IBM Tivoli Access Manager V5.1 is bundled with IBM Tivoli Directory Server V5.2 and IBM DB2 Universal Database as the user registry, but it can also use other directories such as Microsoft Active Directory or iPlanet.
The Access Manager Policy Server maintains the master authorization policy database, which contains the security policy information for all resources and the credential information for all participants within the secure domain, both users and servers. A secure domain contains physical resources requiring protection, such as programs, files and directories. A virtual representation of these resources, protected by attaching ACL and POP entries, is stored by the Policy Server.
The Policy Server replicates this database to all the local authorization servers, including WebSEAL, throughout the domain, publishing updates as required. The Policy Server also maintains location information about the other Access Manager and non-Access Manager servers operating in the secure domain. There can be only one Policy Server active within a domain.
Access Manager provides C and Java authentication and authorization APIs which can be used programmatically within other applications and clients. Calls for authorization decisions go through the Access Manager runtime service, which must be installed on every server participating in the secure domain, and are referred to an Authorization Server. Programmatic calls can be made in local or remote mode: remote calls are passed to an Authorization Server, whereas an application using the local-mode API communicates with the Access Manager security server directly and no separate Authorization Server is required.
Authorization servers are the decision-making servers that determine a client's ability to access a protected resource based on the security policy. Each server has a local replica of the policy database. There must be at least one Authorization Server within a Secure Domain.
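The policy flow these paragraphs describe, as an added Python model written for this page (not IBM's code or API): ACL and POP entries attached to paths in the Policy Server's protected object space, a full replica published to an Authorization Server, and decisions taken only against that local replica, so a change that has not yet been published is not visible to the decision. The object paths, users, permission letters, audit levels and the parent-to-child inheritance rule are assumptions.

```python
import copy

class PolicyServer:  # holds the master authorization policy database
    def __init__(self):
        self.acls = {}       # acl name -> {user: set of permission letters}
        self.pops = {}       # pop name -> {"audit": level}
        self.attached = {}   # protected object path -> {"acl": name, "pop": name}
        self.replicas = []   # authorization servers fed by this policy server
    def acl_create(self, name): self.acls[name] = {}
    def acl_set_user(self, name, user, perms): self.acls[name][user] = set(perms)
    def acl_attach(self, path, name): self.attached.setdefault(path, {})["acl"] = name
    def pop_create(self, name, audit): self.pops[name] = {"audit": audit}
    def pop_attach(self, path, name): self.attached.setdefault(path, {})["pop"] = name
    def publish(self):  # replicate a full copy of the database to every authorization server
        for server in self.replicas:
            server.db = copy.deepcopy((self.acls, self.pops, self.attached))

class AuthorizationServer:  # decides against its local replica only
    def __init__(self, policy_server):
        self.db = ({}, {}, {})          # empty until the policy server publishes
        policy_server.replicas.append(self)
    def _nearest(self, path, kind):
        # Walk up the object space: a node with no entry of its own inherits the
        # nearest ancestor's (assumed inheritance rule; the page does not state it).
        parts = path.rstrip("/").split("/")
        while parts:
            entry = self.db[2].get("/".join(parts) or "/", {}).get(kind)
            if entry: return entry
            parts.pop()
    def authorize(self, user, path, perm):
        acl = self._nearest(path, "acl")
        if acl is None:
            return False                # no ACL reaches this object: deny by default
        return perm in self.db[0][acl].get(user, set())
    def audit_level(self, path):
        pop = self._nearest(path, "pop")
        return self.db[1][pop]["audit"] if pop else "none"

def demo():  # constructed scenario: ACL at /WebSEAL/app, POP at /WebSEAL/app/secret
    ps = PolicyServer()
    az = AuthorizationServer(ps)
    ps.acl_create("app-acl"); ps.acl_set_user("app-acl", "alice", "rx")
    ps.acl_attach("/WebSEAL/app", "app-acl")
    ps.pop_create("audit-pop", "permit,deny"); ps.pop_attach("/WebSEAL/app/secret", "audit-pop")
    before = az.authorize("alice", "/WebSEAL/app/secret/report", "r")   # False: not yet published
    ps.publish()
    after = az.authorize("alice", "/WebSEAL/app/secret/report", "r")    # True: inherited ACL
    return before, after, az.authorize("bob", "/WebSEAL/app", "r"), az.audit_level("/WebSEAL/app/secret/report")
```

The `before`/`after` pair is the operational point: a decision taken by an Authorization Server reflects only the replica it holds, so a policy change is not enforced anywhere until the Policy Server has published it.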
Web Portal Manager, a WebSphere-hosted application, is provided to enter and modify the contents of the policy store and the user registry. There is also a command line utility, pdadmin, which extends the available commands to include the creation and registration of authentication blades such as WebSEAL, which will be described a little later.
Access Manager can be configured to integrate with many of the WebSphere branded products and ships with explicit plug-ins for the following products:
WebSphere Application Server
WebSphere Edge Server
Web Server Plug-in supporting IBM HTTP Server (IHS)
For details of the supported operating systems for every component, consult the Tivoli Information Center.
The table below shows the components that were installed for the sample configurations in the book. The components were installed on a mixture of AIX, Linux and Windows servers.
Server | Required Components
Tivoli Directory Server V5.2 | Directory Server; Directory Client; DB2 Universal Database Edition; Global Security Toolkit
Tivoli Access Manager Policy Server V5.1 | Access Manager Runtime; Access Manager Policy Server; Global Security Toolkit; Tivoli Directory Client
Tivoli Access Manager Authorization Server V5.1 | Access Manager Authorization Server; Access Manager Runtime; Global Security Toolkit; Tivoli Directory Client
Tivoli Access Manager Web Portal Manager V5.1 | Web Portal Manager (WebSphere enterprise application); WebSphere Application Server; Global Security Toolkit; Directory Client; Access Manager Runtime
Tivoli Access Manager WebSEAL Server V5.1 | Access Manager WebSEAL Server; Access Manager Runtime; Global Security Toolkit; Tivoli Directory Client