Chapter 2. Planning 43
Some design considerations
Other design considerations that should be kept in mind when deploying Web
Portal Manager:
- Multiple instances of WPM can be deployed for remote administrators, and so
- It is possible to provide access to the Web Portal Manager via a WebSEAL
junction or the Access Manager Plug-in for Web servers component, and
implement SSO (single sign-on) to the WPM.
2.4 Additional components
Along with the core and management components, Access Manager for e-business
has additional components that are not mandatory for an implementation, but in
many real-life deployments they play important roles. In this section we
provide a high-level description of those components.
2.4.1 Policy Proxy Server
The Policy Proxy Server enables Access Manager applications and authorization
servers to connect to it rather than directly to the Policy Server. Running the
Policy Proxy Server on a separate physical machine allows an architecture in
which the only incoming SSL sessions to the Policy Server come from the Policy
Proxy Server. This increases security because a firewall protecting the Policy
Server only has to allow inbound connections from the Policy Proxy Server(s)
rather than from every Tivoli Access Manager application and authorization
server. The SSL session from Access Manager applications to the Policy Proxy
Server(s) is independent of the SSL session from the Policy Proxy Server to the
Policy Server: the proxy terminates the first and originates the second, so it
handles the requests in the clear and must be hardened like any other trusted
component.
The only exception to this rule is if you are using an application that requires use
of the administration API. Because administration API applications typically
perform functions requiring write access to both the policy database and the
master Access Manager LDAP, these applications should be configured for direct
communication with the Access Manager Policy Server.
Note: Domains referenced in this table do not correspond to Access Manager
secure domains. Domains in the delegate function of Web Portal Manager are
simply groups of users and functionality and have nothing to do with the
separation of security policy between groups of Access Manager servers.
44 Certification Study Guide: IBM Tivoli Access Manager for e-business 6.0
Figure 2-7 Communication flows using the Policy Proxy Server
Figure 2-7 shows the connections (and the direction of flow) between the Policy
Server, a Policy Proxy Server and an Access Manager application or
authorization server.
All inbound requests destined for the Policy Server go via the Policy Proxy
Server, except those from applications using the administration API. All requests
outbound from the real Policy Server go directly to the Access Manager
Policy Server database caching
In addition to providing a simple proxy service, the Tivoli Access Manager Policy
Proxy Server can also offload database replication tasks from the Policy Server
by caching the Policy Server databases that it serves to Access Manager
applications. If several Access Manager applications request the same
database, that database is transferred from the Policy Server to the Policy
Proxy Server only once.
The ACL database is cached in memory for security: no authorization database
is stored on the disk of the Policy Proxy Server that could be read (or
modified) if the Policy Proxy Server were compromised. (The cache still lives in
the process memory of a running proxy, so an attacker with host access is not
harmless; the point is that there is no persistent copy to carry off or tamper
with.)
The currency of the ACL database in the Policy Proxy Server cache is checked
every time a replication request is made so that there is no chance of an Access
Manager application receiving an out-of-date cached version of the Policy Server
Note: The Policy Proxy Server does not perform any Policy Server functions; it
simply forwards requests to the Policy Server. This means that the Policy
Server is still the authoritative source for Policy Server database and user
repository updates.
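The following Python model is added here as an illustration; it is not IBM's code and not part of this guide. It puts the two points above together: Access Manager applications and authorization servers replicate through a proxy that keeps the ACL database only in memory and re-checks its currency against the Policy Server on every replication request, while an administration API application writes directly to the Policy Server. The class names, host names (proxy-1, webseal-1, webseal-2, pdacld-1, admin-app), version counter and database contents are all constructed for the example; the real daemons' wire protocol is not modelled.

```python
# Added illustrative model (not IBM's code): a Policy Proxy Server that caches
# the ACL database in memory, checks currency against the Policy Server on every
# replication request, and an admin API application that connects directly.
from __future__ import annotations

import hashlib


class PolicyServer:
    """Authoritative policy store. Records which peers connected to it so the
    example can show what the firewall in front of it must admit."""

    def __init__(self, acl_db: bytes) -> None:
        self._acl_db = acl_db
        self.version = 1            # bumped on every write
        self.full_transfers = 0     # complete database pulls served
        self.inbound_peers: set[str] = set()

    def current_version(self, peer: str) -> int:
        """Cheap currency check: returns the version, not the database."""
        self.inbound_peers.add(peer)
        return self.version

    def pull_database(self, peer: str) -> bytes:
        """Full replication: the expensive operation the proxy should do once
        per version, however many applications ask for the database."""
        self.inbound_peers.add(peer)
        self.full_transfers += 1
        return self._acl_db

    def admin_update(self, peer: str, new_db: bytes) -> None:
        """Write path used by administration API applications (direct)."""
        self.inbound_peers.add(peer)
        self._acl_db = new_db
        self.version += 1

    def digest(self) -> str:
        return hashlib.sha256(self._acl_db).hexdigest()


class PolicyProxyServer:
    """Caches the database in memory only; nothing is written to disk."""

    def __init__(self, upstream: PolicyServer, name: str) -> None:
        self.upstream = upstream
        self.name = name
        self._cached_db: bytes | None = None
        self._cached_version: int | None = None
        self.cache_hits = 0

    def pull_database(self) -> bytes:
        # Currency is checked on EVERY request, never assumed; only a version
        # mismatch triggers a full transfer from the Policy Server.
        version = self.upstream.current_version(self.name)
        if self._cached_db is None or self._cached_version != version:
            self._cached_db = self.upstream.pull_database(self.name)
            self._cached_version = version
        else:
            self.cache_hits += 1
        return self._cached_db


def simulate() -> dict:
    """Three applications pull through one proxy, an admin API application then
    writes directly to the Policy Server, and the applications pull again."""
    server = PolicyServer(b"acl-db-v1: /WebSEAL/* allow group webusers")  # constructed
    proxy = PolicyProxyServer(server, name="proxy-1")
    apps = ["webseal-1", "webseal-2", "pdacld-1"]  # constructed client names

    stale_served = 0
    for _ in apps:
        db = proxy.pull_database()
        if hashlib.sha256(db).hexdigest() != server.digest():
            stale_served += 1
    transfers_before = server.full_transfers
    hits_before = proxy.cache_hits

    # Admin API application: needs write access, so it bypasses the proxy.
    server.admin_update("admin-app", b"acl-db-v2: /WebSEAL/* allow group webusers,ops")

    for _ in apps:
        db = proxy.pull_database()
        if hashlib.sha256(db).hexdigest() != server.digest():
            stale_served += 1

    return {
        "transfers_before_update": transfers_before,
        "cache_hits_before_update": hits_before,
        "transfers_after_update": server.full_transfers,
        "stale_served": stale_served,
        "policy_server_peers": server.inbound_peers,
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Running it shows one full transfer for three clients, a second transfer only after the administrative write bumped the version, no stale database ever served, and a Policy Server peer set of {proxy-1, admin-app}, which is exactly the inbound allow-list the firewall protecting the Policy Server needs.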
[Figure 2-7 labels: Access Manager Policy Server; Policy Proxy Server; Access
Manager application or authorization server; Admin API application. Flows: ACL
database update notification; DB pull, DB pull; task commands (includes
objectspace query).]