Chapter 2. Planning 45
2.4.2 Authorization service
The foundation of Access Manager is its authorization service, which permits or
denies access to protected objects (resources) based on the user’s credentials
and the access controls placed on the objects.
The Policy Server provides an authorization service that may be leveraged by
applications and other Access Manager components that use the IBM Tivoli
Access Manager Authorization Application Programming Interface (aznAPI).
Optionally, additional Authorization Servers may be installed to offload these
authorization decisions from the Policy Server and provide for higher availability
of authorization functions. The Policy Server provides updates for authorization
database replicas maintained on each Authorization Server.
The Access Manager authorization service can also be embedded directly within
an application. In this case, the functions of an Authorization Server are
contained in the application itself.
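To make the decision just described concrete, the following Python is an added, simplified model of a credential- and ACL-based authorization service; it is not Access Manager code and not the aznAPI. The protected object space is modelled as a slash-separated tree with ACLs attached to some objects; the inheritance rule (an object without its own ACL takes the one attached to its nearest ancestor), the requirement for a traverse permission on every ancestor, the permission letters r/x/T and the sample object names and users are all assumptions of this model rather than statements from the text.

```python
"""Simplified model of a credential- and ACL-based authorization decision.

Constructed illustration: a protected object space is a slash-separated
tree; an ACL may be attached to any object, and an object without its own
ACL inherits the one attached to its nearest ancestor. Permission letters
(r = read, x = execute, T = traverse) and the traverse rule are assumptions
of this model, not taken from the text.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Credential:
    """What the authorization service knows about the caller."""
    user: str
    groups: frozenset[str] = frozenset()
    authenticated: bool = True


@dataclass
class ACL:
    """Permission strings per user and per group, plus the fallback entries
    for any other authenticated caller and for unauthenticated callers."""
    users: dict[str, str] = field(default_factory=dict)
    groups: dict[str, str] = field(default_factory=dict)
    any_other: str = ""
    unauthenticated: str = ""

    def permissions_for(self, cred: Credential) -> str:
        """A user entry wins outright; otherwise the union of matching group
        entries; otherwise the any-other or unauthenticated fallback."""
        if cred.user in self.users:
            return self.users[cred.user]
        union = {p for g, perms in self.groups.items() if g in cred.groups for p in perms}
        if union:
            return "".join(sorted(union))
        return self.any_other if cred.authenticated else self.unauthenticated


def _split(obj: str) -> list[str]:
    """'/a/b/' -> ['a', 'b']; '/' -> []."""
    return [p for p in obj.split("/") if p]


class AuthorizationService:
    """Policy decision point over a protected object space."""

    def __init__(self) -> None:
        self._acls: dict[str, ACL] = {}

    def attach(self, obj: str, acl: ACL) -> None:
        self._acls["/" + "/".join(_split(obj))] = acl

    def effective_acl(self, obj: str) -> ACL:
        """Walk from the object up to the root; return the first attached ACL."""
        parts = _split(obj)
        while True:
            path = "/" + "/".join(parts)
            if path in self._acls:
                return self._acls[path]
            if not parts:
                raise LookupError("no ACL attached at the root of the object space")
            parts.pop()

    def check(self, cred: Credential, obj: str, permission: str) -> bool:
        """Permit only if every ancestor grants traverse (T) and the object's
        effective ACL grants the requested permission. Default is deny."""
        parts = _split(obj)
        for depth in range(len(parts)):  # ancestors, root first, object excluded
            ancestor = "/" + "/".join(parts[:depth])
            if "T" not in self.effective_acl(ancestor).permissions_for(cred):
                return False
        return permission in self.effective_acl(obj).permissions_for(cred)


def build_sample_service() -> AuthorizationService:
    """Constructed sample object space: root, a public area and a sales area.
    Object names, users and groups are hypothetical."""
    svc = AuthorizationService()
    svc.attach("/", ACL(any_other="T", unauthenticated="T"))
    svc.attach("/WebSEAL/abc/public", ACL(any_other="Tr", unauthenticated="Tr"))
    svc.attach("/WebSEAL/abc/sales",
               ACL(users={"auditor": "Tr"}, groups={"sales": "Trx"}))
    return svc


if __name__ == "__main__":
    svc = build_sample_service()
    alice = Credential("alice", frozenset({"sales"}))
    anon = Credential("unauthenticated", authenticated=False)
    print(svc.check(alice, "/WebSEAL/abc/sales/orders", "r"))      # True
    print(svc.check(anon, "/WebSEAL/abc/sales/orders", "r"))       # False
    print(svc.check(anon, "/WebSEAL/abc/public/index.html", "r"))  # True
```

The point the model makes is that the decision depends on two inputs only: the caller's credential and the ACL in force on the object, which is why the same check can run inside the Policy Server, on a separate Authorization Server, or embedded in an application, as long as the object space and ACL data are replicated to wherever the decision is taken.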
2.4.3 Access Manager Session Management Server
Access Manager Session Management Server (SMS) is an optional Tivoli Access
Manager component that runs as an IBM WebSphere Application Server service.
It manages user sessions across complex clusters of Tivoli Access Manager
security servers, ensuring that session policy remains consistent across the
participating servers. Using the Session Management Server allows Access
Manager WebSEAL and Access Manager Plug-in for Web Servers to share a
unified view of all current sessions and permits an authorized user to monitor and
administer user sessions. The Session Management Server permits the sharing
of session information, makes session statistics available, and provides secure
and high-performance failover and single sign-on capabilities for clustered
environments.
The Session Management Server provides a user interface from which
authorized persons can administer and monitor user sessions. Administration of
the Session Management Server is performed using either the pdadmin
command line utility, or the Session Management Server Web-based graphical
user interface that is run from within the Web Portal Manager.
Figure 2-8 on page 46 shows how multiple security servers can achieve a single
session by using a common Session Management Server that provides a unified
backing store for session data. Each Web security server maintains a local copy
of the session data in its own session cache for performance reasons. A backup
or master copy is also maintained on the Session Management Server and this
data can be accessed by other Web security servers when necessary. The Web
security servers work with the Session Management Server to create, retrieve,
and update the shared session data. The Session Management Server provides
updates to Web servers that are participating in a given user session, alerting
them to urgent changes in the session data such as a user logging out.
Figure 2-8 Access Manager Session Management Server
Using the Session Management Server makes it possible to present a consistent
user experience across all Web security servers and to strictly enforce security
policy such as a maximum number of sessions.
Shared session management offers the following benefits. It:
• Provides a distributed session cache to manage sessions across clustered Web security servers
• Provides a central point for maintaining login history information
• Resolves session inactivity and session lifetime timeout consistency issues in a replicated Web security server environment
• Provides secure failover and single sign-on among replicated Web security servers
• Provides controls over the maximum number of allowed concurrent sessions per user
• Provides single sign-on capabilities among other Web sites in the same DNS domain
• Provides performance and high availability protection to the server environment in the event of hardware or software failure
• Allows administrators to view and modify sessions on the WebSEAL server
Figure 2-8 (diagram): a browser reaches www.abc.com through a load balancer that fronts the WebSEAL replicas replica1.abc.com, replica2.abc.com and sales.abc.com. Each replica holds its own session cache, and all three create, retrieve and update the session data held on the Session Management Server (SMS) for the participating servers replica1, replica2 and sales.
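The create/retrieve/update flow in Figure 2-8 and the benefits listed above (shared cache, login history, one timeout policy, a per-user concurrent-session limit, and logout propagated to every participant) are modelled in the following Python. It is an added illustration, not Session Management Server or WebSEAL code; the class names, the clock values, the hypothetical user "alice" and the choice to share one in-process Session object between the store and the caches (standing in for the SMS update messages) are assumptions of the example.

```python
"""Constructed model of shared session management across Web security servers.
Illustration only, not Session Management Server code: each server keeps a local
cache; the shared store (the SMS role) holds the master copy, applies one
inactivity policy, caps concurrent sessions per user, keeps login history and
tells every participant about urgent changes such as logout.
"""
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    session_id: str
    user: str
    last_active: int   # clock values are passed in explicitly, in seconds


class SharedSessionStore:
    """Master copy of all sessions plus the list of participating servers."""
    def __init__(self, max_per_user: int, inactivity_timeout: int) -> None:
        self.max_per_user = max_per_user
        self.inactivity_timeout = inactivity_timeout
        self._sessions: dict[str, Session] = {}
        self.servers: list["WebSecurityServer"] = []
        self.login_history: list[tuple[str, str, int]] = []   # (user, event, time)

    def create(self, user: str, now: int) -> Session:
        """Refuse a new session once the user's concurrent-session limit is reached."""
        self._expire(now)
        if sum(s.user == user for s in self._sessions.values()) >= self.max_per_user:
            self.login_history.append((user, "denied-max-sessions", now))
            raise PermissionError(f"{user} already has {self.max_per_user} active session(s)")
        s = Session(secrets.token_hex(16), user, now)
        self._sessions[s.session_id] = s
        self.login_history.append((user, "login", now))
        return s

    def retrieve(self, sid: str, now: int):
        self._expire(now)   # expired sessions are purged from every cache first
        return self._sessions.get(sid)

    def logout(self, sid: str, now: int) -> None:
        s = self._sessions.pop(sid, None)
        if s is not None:
            self.login_history.append((s.user, "logout", now))
            self._drop_everywhere(sid)   # urgent change pushed to every participant

    def _expire(self, now: int) -> None:
        for sid in [k for k, s in self._sessions.items() if now - s.last_active > self.inactivity_timeout]:
            del self._sessions[sid]
            self._drop_everywhere(sid)

    def _drop_everywhere(self, sid: str) -> None:
        for server in self.servers:
            server.cache.pop(sid, None)


class WebSecurityServer:
    """A WebSEAL-like replica: local cache first, shared store on a miss."""
    def __init__(self, name: str, store: SharedSessionStore) -> None:
        self.name, self.store, self.cache = name, store, {}
        store.servers.append(self)

    def login(self, user: str, now: int) -> str:
        s = self.store.create(user, now)
        self.cache[s.session_id] = s
        return s.session_id

    def lookup(self, sid: str, now: int):
        """Use the cached copy only while it is valid under the shared policy;
        otherwise fetch the master copy (the failover / single sign-on path)."""
        s = self.cache.get(sid)
        if s is None or now - s.last_active > self.store.inactivity_timeout:
            s = self.store.retrieve(sid, now)   # store expires and broadcasts as needed
            if s is not None:
                self.cache[sid] = s
        if s is not None:
            s.last_active = now   # same object as the master copy: this is the "update"
        return s


def demo() -> dict:
    """Constructed walk-through: two replicas behind one load balancer share a store."""
    store = SharedSessionStore(max_per_user=1, inactivity_timeout=600)
    replica1 = WebSecurityServer("replica1.abc.com", store)
    replica2 = WebSecurityServer("replica2.abc.com", store)
    sid = replica1.login("alice", now=0)
    sso = replica2.lookup(sid, now=10) is not None          # cache miss served from the master copy
    try:
        replica2.login("alice", now=20)
        limit_enforced = False
    except PermissionError:
        limit_enforced = True                               # second concurrent login refused
    store.logout(sid, now=30)                               # logout requested through any replica
    gone_everywhere = replica1.lookup(sid, now=31) is None  # replica1's cached copy was invalidated
    sid2 = replica1.login("alice", now=100)
    timed_out = replica2.lookup(sid2, now=701) is None      # one inactivity policy for all replicas
    return {"sso": sso, "limit_enforced": limit_enforced, "gone_everywhere": gone_everywhere,
            "timed_out": timed_out, "history": [event for _, event, _ in store.login_history]}
```

Running `demo()` shows each listed benefit in turn: a request landing on a replica that has never seen the session is served from the master copy, a second concurrent login for the same user is refused by the shared limit, a logout issued anywhere removes the session from every replica's cache, and the inactivity timeout is judged against one shared policy rather than per server.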