60 Certification Study Guide: IBM Tivoli Access Manager for e-business 6.0
• Production (restricted zone)
• Management (secured zone)
The position of Access Manager components depends on the number of zones.
Figure 2-11 summarizes the general Access Manager component type
relationships to the network zones.
Since firewalls are usually deployed between zones to filter network traffic on
different ports, a thorough understanding of the communication ports used for all
Access Manager components is essential. The default listening ports for Access
Manager components (which can be changed in real implementations) are as
follows:
• Policy Server port: 7135
• Authorization Server ports:
  - Authorization request port: 7136
  - Administration request port: 7137
• Policy Proxy Server ports:
  - Policy request port: 7138
  - Authorization request port: 7139
• WebSEAL listening port: 7234
Along with those listening ports, Access Manager also communicates over
additional ports, such as 389 for non-SSL LDAP communication and 636 for LDAP
over SSL. All ports used for HTTP and HTTPS transport should also be
specified; the defaults are 80 for non-SSL and 443 for SSL. Note that HTTP(S)
traffic is not only used between WebSEAL and the client, but also between
WebSEAL and back-end servers (through junctions), between WebSEAL and the
Session Management Server, and elsewhere.
2.6.1 IBM Global Security Kit (GSKit)
Tivoli Access Manager components communicate in a secure way over the
network. Tivoli Access Manager provides data encryption through the use of the
IBM Global Security Kit (GSKit) version 7.0.
The GSKit package also installs the iKeyman key management utility (gsk7ikm),
which enables you to create key databases, public-private key pairs, and
certificate requests. In other words, GSKit can be used to build a (somewhat
trivial) PKI infrastructure. You must install GSKit before installing most other
Tivoli Access Manager components. GSKit is a prerequisite to the Access
Manager Runtime component, which is required on all Tivoli Access Manager
systems with the exception of the Access Manager Attribute Retrieval Service,
Access Manager for WebLogic Server, Access Manager Runtime for Java, or
Access Manager Web Portal Manager.
The GSKit tool is often used to manage the certificates that secure WebSEAL's
HTTPS communication. For performance improvement, WebSEAL supports SSL
hardware acceleration. Using the functionality of GSKit 7, hardware
acceleration can minimize the CPU impact of SSL communications, improving
the overall performance of the system.
FIPS enablement
In Tivoli Access Manager 6.0, Federal Information Processing Standard 140-2
(FIPS 140-2) enablement is introduced. FIPS enablement means Tivoli Access
Manager uses only government-approved cryptography wherever cryptography
is required. Tivoli Access Manager uses cryptography in the following areas:
• Creation and replacement of internal, self-signed certificates. These
  certificates are used by Access Manager Runtime and Tivoli Access Manager
  security servers to authenticate with each other.
• Runtime and servers use a secure communication protocol to communicate
  with each other.
Federal Information Processing Standard 140-2 (FIPS 140-2) is a standard that
describes U.S. Federal Government requirements that IT products should meet
for Sensitive but Unclassified (SBU) use. The standard defines the security
requirements that must be satisfied by a cryptographic module used in a security
system protecting unclassified information within IT systems. There are four
levels of security, from Level 1 (lowest) to Level 4 (highest). These levels are
intended to cover the wide range of potential applications and environments in
which cryptographic modules can be deployed. The security requirements cover
areas related to the secure design and implementation of a cryptographic
module. These areas include basic design and documentation, module
interfaces, authorized roles and services, physical security, software security,
operating system security, key management, cryptographic algorithms,
electromagnetic interference/electromagnetic compatibility (EMI/EMC), and
self-testing. For more information on FIPS 140-2, see:
http://csrc.nist.gov/cryptval/140-2.htm
FIPS enablement for Tivoli Access Manager is only meant to satisfy the
requirement for Tivoli Access Manager's own cryptographic operations at the
application level. Tivoli Access Manager is not responsible for the FIPS
enablement of other products or prerequisite products. In FIPS mode, Transport
Layer Security version 1 (TLS v1) is used as the secure communication protocol
instead of SSL v3. To communicate with the Tivoli Access Manager Policy Server
over a secure communication protocol, TLS is therefore the required protocol.
An attempt to communicate using SSL v3 (non-FIPS mode) when the Policy Server
is configured in FIPS mode will result in a socket-closed exception.
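The two planning points above, which firewall openings a zoned deployment needs for the default ports and which SSL v3 clients a FIPS-mode Policy Server will cut off, can be worked through together in a small model. The following Python script is an added illustration for this excerpt, not IBM code. The port numbers are the page's defaults; the zone names "internet" and "dmz", the placement of each component, the client-to-server relationships (including the use of WebSEAL's 7234 listener for notifications from the Policy Server) and the deployment itself are assumptions constructed for the example.

```python
"""Derive inter-zone firewall rules and protocol checks for an Access Manager
deployment from the default ports listed in the study guide.

Added illustration, not IBM code. Port numbers are the page's defaults; the
zones "internet"/"dmz", component placement and client->server relationships
are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Iterable

# Default listening ports from the page (changeable in real deployments).
POLICY_SERVER = 7135
AUTHZ_REQUEST = 7136
AUTHZ_ADMIN = 7137
PROXY_POLICY = 7138
PROXY_AUTHZ = 7139
WEBSEAL_LISTEN = 7234
LDAP = 389       # LDAP without SSL
LDAPS = 636      # LDAP over SSL
HTTP = 80
HTTPS = 443


@dataclass(frozen=True)
class Component:
    name: str
    zone: str
    fips: bool = False  # FIPS mode speaks TLS v1 only; non-FIPS uses SSL v3


@dataclass(frozen=True)
class Flow:
    client: str
    server: str
    port: int
    purpose: str
    cleartext: bool = False  # LDAP/389 and HTTP/80 carry no encryption


def derive_rules(components: Iterable[Component], flows: Iterable[Flow]):
    """Return (rules, findings).

    rules: sorted list of (client_zone, server_zone, port); a flow needs a
    firewall rule only when client and server sit in different zones.
    findings: cleartext flows that cross a zone boundary, plus SSL v3 clients
    that a FIPS-mode (TLS v1 only) Policy Server would drop.
    """
    by_name = {c.name: c for c in components}
    rules = set()
    findings = []
    for f in flows:
        src, dst = by_name[f.client], by_name[f.server]
        if src.zone != dst.zone:
            rules.add((src.zone, dst.zone, f.port))
            if f.cleartext:
                findings.append(
                    f"cleartext {f.purpose}: {f.client} -> {f.server} "
                    f"crosses {src.zone}->{dst.zone} on tcp/{f.port}")
        # Page: an SSL v3 (non-FIPS) client talking to a FIPS-mode Policy
        # Server gets a socket-closed exception.
        if f.port == POLICY_SERVER and dst.fips and not src.fips:
            findings.append(
                f"protocol mismatch: {f.client} uses SSL v3 but {f.server} "
                f"is in FIPS mode (TLS v1 only); expect socket closed")
    return sorted(rules), findings


def example_deployment(webseal_fips: bool = False):
    """Constructed four-zone layout (an assumption, not from the page)."""
    components = [
        Component("browser", "internet"),
        Component("webseal", "dmz", fips=webseal_fips),
        Component("app-server", "production"),
        Component("ldap", "production"),
        Component("authz-server", "production", fips=True),
        Component("policy-server", "management", fips=True),
        Component("pdadmin", "management", fips=True),
    ]
    flows = [  # client -> server relationships are assumed for the example
        Flow("browser", "webseal", HTTPS, "end-user HTTPS"),
        Flow("webseal", "app-server", HTTP, "junction to back end", cleartext=True),
        Flow("webseal", "ldap", LDAP, "user registry lookup", cleartext=True),
        Flow("webseal", "policy-server", POLICY_SERVER, "policy database download"),
        Flow("policy-server", "webseal", WEBSEAL_LISTEN, "policy update notification"),
        Flow("app-server", "authz-server", AUTHZ_REQUEST, "remote authorization"),
        Flow("pdadmin", "policy-server", POLICY_SERVER, "administration"),
        Flow("policy-server", "ldap", LDAPS, "registry lookup over SSL"),
    ]
    return derive_rules(components, flows)


if __name__ == "__main__":
    rules, findings = example_deployment()
    for r in rules:
        print("allow %-10s -> %-10s tcp/%d" % r)
    for msg in findings:
        print("WARNING:", msg)
```

Running the script with the constructed layout yields six firewall rules (the same-zone flows to the Authorization Server and from pdadmin need none) and three findings: the two cleartext flows from the DMZ into production on 80 and 389, and the SSL v3 WebSEAL that the FIPS-mode Policy Server would disconnect. Switching WebSEAL to FIPS mode removes only the third finding; the cleartext warnings are resolved by moving the junction and LDAP traffic to 443 and 636.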