Chapter 2. Planning 43
Some design considerations
Other design considerations that should be kept in mind when deploying Web Portal Manager:
- Multiple instances of WPM can be deployed for remote administrators, and so on.
- It is possible to provide access to the Web Portal Manager via a WebSEAL junction or the Access Manager Plug-in for Web servers component, and implement SSO (single sign-on) to the WPM.
2.4 Additional components
Along with core and management components, Access Manager for e-business has additional components that are not mandatory for implementation, but in many real-life implementations they carry important roles. In this section we provide a high-level description of those components.
2.4.1 Policy Proxy Server
The Policy Proxy Server enables Access Manager applications and authorization servers to connect to a Policy Proxy Server rather than to the Policy Server. Adding a separate physical machine running the Policy Proxy Server enables an architecture in which the only incoming SSL sessions to the Policy Server come from the Policy Proxy Server. This improves security because a firewall protecting the Policy Server only has to allow inbound connections from the Policy Proxy Server(s) rather than from all Tivoli Access Manager applications or authorization servers. The SSL session from Access Manager applications to the Policy Proxy Server(s) is independent of the SSL session from the Policy Proxy Server to the Policy Server.
The only exception to this rule is if you are using an application that requires use of the administration API. Because administration API applications typically perform functions requiring write access to both the policy database and the master Access Manager LDAP, these applications should be configured for direct communication with the Access Manager Policy Server.
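The two paragraphs above describe who may open a session to the Policy Server: the Policy Proxy Server(s), plus administration API applications that need direct write access. The following added example (not part of the Redbook, and not IBM code) audits a firewall allowlist against that rule. It assumes a constructed topology with hypothetical addresses and an assumed Policy Server listener port, which you should confirm against your own configuration.

```python
from ipaddress import ip_address, ip_network

# Constructed topology with hypothetical addresses (not from the original text).
TOPOLOGY = {
    "policy_server": "10.0.1.10",
    "policy_proxies": ["10.0.2.10", "10.0.2.11"],
    "admin_api_apps": ["10.0.3.5"],            # need write access, so talk to the Policy Server directly
    "other_apps": ["10.0.4.20", "10.0.4.21"],  # WebSEAL, authorization servers: reach policy via a proxy
}
# Assumed Policy Server listener port; confirm against your own server configuration.
POLICY_SERVER_PORT = 7135


def required_sources(topo):
    """Hosts that must reach the Policy Server directly: the proxies plus admin API applications."""
    return set(topo["policy_proxies"]) | set(topo["admin_api_apps"])


def audit_rules(topo, rules):
    """Audit an inbound allowlist protecting the Policy Server.

    rules is a list of (source_cidr, destination_port) tuples as a firewall would hold them.
    Returns (missing, overbroad): required hosts that no rule admits, and rules that admit
    addresses beyond the required hosts, each paired with the ordinary applications it exposes.
    """
    needed = required_sources(topo)
    covered = set()
    overbroad = []
    for cidr, port in rules:
        if port != POLICY_SERVER_PORT:
            continue  # rules for other services do not affect the Policy Server listener
        net = ip_network(cidr, strict=False)
        matched = {host for host in needed if ip_address(host) in net}
        covered |= matched
        if net.num_addresses > len(matched):
            # the rule admits more sources than the hosts that need direct access
            exposed = sorted(app for app in topo["other_apps"] if ip_address(app) in net)
            overbroad.append((cidr, exposed))
    return sorted(needed - covered), overbroad


if __name__ == "__main__":
    tight = [("10.0.2.10/32", 7135), ("10.0.2.11/32", 7135), ("10.0.3.5/32", 7135)]
    loose = [("10.0.0.0/16", 7135)]
    print(audit_rules(TOPOLOGY, tight))  # ([], [])
    print(audit_rules(TOPOLOGY, loose))  # ([], [('10.0.0.0/16', ['10.0.4.20', '10.0.4.21'])])
```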
Note: Domains referenced in this table do not correspond to Access Manager secure domains. Domains in the delegate function of Web Portal Manager are simply groups of users and functionality and have nothing to do with the separation of security policy between groups of Access Manager servers.