© Copyright IBM Corp. 2002 xiii
Figures
1-1  Relationship between the protected object space, ACLs, and POPs  9
1-2  Access Manager delegation model example  11
1-3  Web Portal Manager architecture  13
1-4  WebSEAL architecture  20
1-5  Plug-In for Edge Server architecture  21
1-6  Access Manager Web server plug-in architecture  24
1-7  Access Manager for Business Integration architecture  26
1-8  WebSEAL EAS architecture  30
1-9  CDAS architecture  31
2-1  A typical basic Internet Web architecture  34
2-2  Typical advanced Web application architecture  35
2-3  Access control subsystem  38
2-4  WebSEAL interaction with other Access Manager components  42
2-5  Direct serving of Web content from WebSEAL  43
2-6  Basic WebSEAL proxy functionality  44
2-7  Network zones  47
2-8  Policy Server placement guidelines  48
2-9  User registry placement guidelines  49
2-10  Restricting network access to user registry  50
2-11  Separating user registry read and write functions  51
2-12  Web Portal Manager placement guidelines  52
2-13  Restricting HTTP/HTTPS network traffic paths  53
2-14  WebSEAL placement guidelines  55
2-15  Web server placement guidelines  56
2-16  Limiting network access to Web servers  57
2-17  An example Access Manager WebSEAL architecture  58
2-18  An example physical component layout  60
3-1  Stocks-4u.com data network  68
3-2  Current Stocks-4u.com architecture  72
3-3  Initial WebSEAL architecture  73
3-4  WebSEAL security architecture with internal WebSEAL  74
3-5  Detailed WebSEAL security architecture with internal WebSEAL  76
3-6  WebSEAL physical architecture  78
4-1  Initial Web architecture  82
4-2  Server replication to increase availability  84
4-3  WebSEAL availability overview  85
4-4  WebSEAL availability configuration  86
4-5  Authorization Server scenario for Stocks-4U.com  89