92 Certification Study Guide: IBM Tivoli Access Manager for e-business 6.0
4.1 Basic customization tasks
After the installation and initial configuration of the Access Manager security
environment, there are numerous additional configuration and customization
tasks that need to be performed on Access Manager components. Which tasks
you need to perform depends on how you have planned and architected your
Access Manager deployment. Since the Access Manager environment may
include additional non-mandatory components, their configuration has to be
performed as well.
Two configuration tasks are related to major services that the Access Manager
system performs: authorization and authentication. Some of the basic
configuration tasks related to the authorization service are:
• Configuration of additional secure domains.
  Every new secure domain has its own policy database.
• Customization of the policy database that includes:
  – Configuration of the protected object space.
  – Definitions of security policies through use of ACLs, POPs, and
  – Assigning users and groups to ACLs, POPs, and authorization rules.
The customization of the authentication service depends on the type and number
of resource managers that are in use for the particular Access Manager secure
domain. Access Manager comes with some “out of the box” resource managers
that are introduced in Chapter 2, “Planning” on page 27. In this chapter, we
concentrate on the WebSEAL customization since this is the resource manager
offering the most customization options.
Some of the resource managers’ customization tasks (for example, creating
a WebSEAL junction) are in turn connected with the customization of the policy
database. The policy database is also where you set up global user policies such as
minimum password length, time of day access, and so on.
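The authorization-side tasks listed above, written out as a pdadmin session. This is an added example, not taken from the study guide. The domain, administrator, group, ACL and POP names, the o=example suffix, the bracketed password placeholders, the object type numbers, and the permission and time values are all constructed for illustration. Lines starting with # are annotations for the reader, not pdadmin input.

```pdadmin
# Log in to the management domain as its administrator.
login -a sec_master -p <sec_master_password> -m

# Additional secure domain; it gets its own policy database.
domain create Payroll payroll_admin <payroll_admin_password> -desc "Payroll domain"
logout

# Everything below is stored in the Payroll policy database only.
login -a payroll_admin -p <payroll_admin_password> -d Payroll

# Protected object space: a new object space and one object in it.
objectspace create /PayrollApps "Payroll applications" 14
object create /PayrollApps/reports "Payroll reports" 14 ispolicyattachable yes

# Group that the ACL will name.
group create payroll-clerks "cn=payroll-clerks,o=example" payroll-clerks

# ACL: clerks may traverse and read; all other users may only traverse.
acl create payroll-reports-acl
acl modify payroll-reports-acl set group payroll-clerks Tr
acl modify payroll-reports-acl set any-other T
acl modify payroll-reports-acl set unauthenticated T
acl attach /PayrollApps/reports payroll-reports-acl

# POP: restrict access to the object to weekday office hours.
pop create office-hours-pop
pop modify office-hours-pop set tod-access weekday:0800-1800:local
pop attach /PayrollApps/reports office-hours-pop

# Global user policies for this domain.
policy set min-password-length 10
policy set tod-access weekday:0700-1900:local
policy get min-password-length
logout
```

Because the second login is made with -d Payroll, none of these ACL, POP or policy settings affect objects or users in the management domain or in any other domain.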
4.1.1 Secure domain
A secure domain consists of all the resources that require protection along with
the associated security policy used to protect those resources. The resources
that you can protect depend on the resource managers that are installed. The
concept of more than one secure domain is shown in Figure 2-4 on page 36. Any
security policy that is implemented in a domain affects only the objects in that
domain. Users with authority to perform tasks in one domain do not necessarily
have the authority to perform those tasks in other domains. For small and
moderately sized enterprises, one domain is usually sufficient. If only one