© Copyright IBM Corp. 2002 xiii
Figures
1-1  Relationship between the protected object space, ACLs, and POPs  9
1-2  Access Manager delegation model example  11
1-3  Web Portal Manager architecture  13
1-4  WebSEAL architecture  20
1-5  Plug-In for Edge Server architecture  21
1-6  Access Manager Web server plug-in architecture  24
1-7  Access Manager for Business Integration architecture  26
1-8  WebSEAL EAS architecture  30
1-9  CDAS architecture  31
2-1  A typical basic Internet Web architecture  34
2-2  Typical advanced Web application architecture  35
2-3  Access control subsystem  38
2-4  WebSEAL interaction with other Access Manager components  42
2-5  Direct serving of Web content from WebSEAL  43
2-6  Basic WebSEAL proxy functionality  44
2-7  Network zones  47
2-8  Policy Server placement guidelines  48
2-9  User registry placement guidelines  49
2-10  Restricting network access to user registry  50
2-11  Separating user registry read and write functions  51
2-12  Web Portal Manager placement guidelines  52
2-13  Restricting HTTP/HTTPS network traffic paths  53
2-14  WebSEAL placement guidelines  55
2-15  Web server placement guidelines  56
2-16  Limiting network access to Web servers  57
2-17  An example Access Manager WebSEAL architecture  58
2-18  An example physical component layout  60
3-1  Stocks-4u.com data network  68
3-2  Current Stocks-4u.com architecture  72
3-3  Initial WebSEAL architecture  73
3-4  WebSEAL security architecture with internal WebSEAL  74
3-5  Detailed WebSEAL security architecture with internal WebSEAL  76
3-6  WebSEAL physical architecture  78
4-1  Initial Web architecture  82
4-2  Server replication to increase availability  84
4-3  WebSEAL availability overview  85
4-4  WebSEAL availability configuration  86
4-5  Authorization Server scenario for Stocks-4U.com  89