Tivoli Access Manager WebSEAL
- IBM Security Verify Governance. Network appliance-based integrated identity governance solution. This solution employs business-centric rules, activities, and processes. It empowers line-of-business managers, auditors, and risk managers to govern access and evaluate regulatory compliance across enterprise applications and services.
- IBM Security Verify Access V10. Previously known as IBM Security Access Manager (ISAM). Compatible with earlier versions for all single sign-on information sent over HTTP to applications behind WebSEAL junctions. Applications written for previous versions of the product can use the same information with Version 10.0.*. This compatibility applies to both custom applications and IBM applications such as the WebSphere Application Server Trust Association Interceptors.
- IBM Security Identity Manager (ISIM) has been around forever too, but it has always been a heavyweight beast of a product that requires significant investment and therefore is used by huge organisations only. I don't know how many ISIM customers there are out there, but I'm guessing it is a dwindling list given that IGI is seen as the long-term replacement.
- Configuration of ISIM for single sign-on with appserver TAI and ISAM WebSEAL
- Installing on a separate system than where the ISIM is installed
- Preparing WebSphere Application Server
- Secure communication with supported middleware
- IBM Security Identity Manager web services in a single sign-on environment
- IBM Tivoli Directory Integrator (ITDI). More a development tool than an off-the-shelf end user product. It is also bundled with products such as Tivoli Identity Manager (TIM). Generates the most interest - and by a country mile! TDI is truly wonderful, flexible and easy to get to grips with.
- OpenID Connect which uses OAuth
- Other options: Sailpoint IdentityIQ, CA, OIM, Aveksa
For reviews, see: Top User Provisioning Software
- Run WAS security configuration report
- Query webseald.conf to get info on the existing configuration for LDAP, junctions, authentication (certs, http-headers, etc.), content (redirects, mime-types, etc.), logging, and policy director.
- Copy the WebSEAL certificate file to a temporary directory:
# cp /opt/pdweb/www/certs/pdsrv.kdb /<temporary_directory>
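The following is an added example, not part of the original notes: a small POSIX shell helper that pulls individual values out of a webseald.conf-style stanza file and flags two settings worth reviewing (LDAP connections without SSL, and basic-auth allowed over plain HTTP). The configuration file it reads is constructed inline; the stanza and key names follow the usual WebSEAL layout (doc-root and the pdsrv.kdb keyfile path match the notes above), but the host name and values are placeholders, not a real deployment.

```shell
#!/bin/sh
# Added example (not from the original notes). Extract and review values from a
# webseald.conf-style file. The sample below is constructed; only the stanza/key
# names mirror WebSEAL, the host and values are placeholders.

SAMPLE_CONF="${TMPDIR:-/tmp}/webseald.conf.sample.$$"
WEAK_CONF="${TMPDIR:-/tmp}/webseald.conf.weak.$$"
trap 'rm -f "$SAMPLE_CONF" "$WEAK_CONF"' EXIT

cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample, not a real deployment
[server]
server-name = webseal-example

[ldap]
host = ldap.example.internal
port = 636
ssl-enabled = yes

[ssl]
webseal-cert-keyfile = /opt/pdweb/www/certs/pdsrv.kdb

[content]
doc-root = /opt/pdweb/www/docs

[ba]
ba-auth = https

[forms]
forms-auth = none
EOF

# A second constructed copy with a weaker setting: basic auth over both http and https.
sed 's/^ba-auth = https$/ba-auth = both/' "$SAMPLE_CONF" > "$WEAK_CONF"

# conf_get FILE STANZA KEY -> prints the value of KEY inside [STANZA] (empty if absent)
conf_get() {
    awk -v stanza="[$2]" -v key="$3" '
        /^[ \t]*#/ { next }                      # skip comment lines
        /^[ \t]*\[/ {                            # stanza header: [name]
            s = $0; gsub(/^[ \t]+|[ \t]+$/, "", s)
            in_stanza = (s == stanza); next
        }
        in_stanza && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# review_conf FILE -> prints the settings the notes say to inspect and returns 1
# if a check fails. The checks are this example's own, chosen as illustrations.
review_conf() {
    f=$1; rc=0
    echo "doc-root:      $(conf_get "$f" content doc-root)"
    echo "cert keyfile:  $(conf_get "$f" ssl webseal-cert-keyfile)"
    echo "ldap host:     $(conf_get "$f" ldap host):$(conf_get "$f" ldap port)"

    ldap_ssl=$(conf_get "$f" ldap ssl-enabled)
    [ "$ldap_ssl" = "yes" ] || { echo "WARN: [ldap] ssl-enabled='$ldap_ssl', registry binds are not TLS-protected"; rc=1; }

    ba=$(conf_get "$f" ba ba-auth)
    case "$ba" in
        https|none) echo "ba-auth:       $ba" ;;
        *) echo "WARN: [ba] ba-auth='$ba' accepts basic-auth credentials over plain HTTP"; rc=1 ;;
    esac
    return $rc
}

review_conf "$SAMPLE_CONF"
```

Run it as a script to see the report for the constructed file; point `conf_get` and `review_conf` at a copied webseald.conf to use the same helper on a real instance, and extend the checks with whatever other stanzas (junction, logging) the review covers.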
IBM Tivoli Access Manager WebSEAL is a Web server that applies fine-grained security policy to the Tivoli Access Manager protected Web object space. It provides single sign-on solutions and authentication/authorization control.
ACL policies provide the authorization service with information to make a "yes" or "no" answer on a request to access a protected object and perform some operation on that object.
Protected object policies (POP) contain additional conditions on the request that are passed back to Tivoli Access Manager Base and the resource manager (such as WebSEAL) along with the "yes" ACL policy decision from the authorization service.
Web Portal Manager graphical tool to manage security policy. The pdadmin command line utility provides the same, and more, administration capabilities.
The authentication method results in a client identity. Client authentication is successful only if the user has an account defined in the Tivoli Access Manager user registry or is processed successfully by a Cross-domain Authentication Service (CDAS).
Document root doc-root = /opt/pdweb/www/docs
Start and stop:
ACL policies: /WebSEAL/<host>/<file>
Set up certificates