338 Enterprise Business Portals with IBM Tivoli Access Manager
The items addressed here are:
- DMZ re-engineering (do we need to re-model network zones and firewall machines?)
- System isolation (DMZ) and direct access to servers (is there any change necessary to support access to the environment?)
- Administrative networks (is there any change necessary to the management network?)
- VPN access (are there any changes necessary for external users coming through VPN channels?)
Production
This affects the machines, software, operating system, and personnel that maintain the environment. The items covered here include:
- Any new hardware for the Access Manager environment (physical requirements)
- Technical support access (is there any technical support restriction?)
- Production support access (can production support still operate the running systems? Is there any new component to be monitored on a regular basis?)
15.5.2 Implementation considerations
For our first project, external Web resource protection, we outline the major components and changes required to the running system. Figure 15-2 on page 339 shows the new Access Manager components required in our environment. The external WebSEAL server is the only entry point for external users. The Access Manager Policy Server is the main component for security policy administration; the Authorization Server is installed on the same machine. Although you can optionally install the Access Manager WPM features to manage most of the Access Manager resources through a graphical user interface running on one of the Web application servers, in our scenario we use the command line interface pdadmin to execute all the maintenance procedures described in the next sections. The following bullets summarize the major changes in the environment:
- There are no significant architectural changes for the application in this phase. Since security is implemented as an add-on, modifying application behavior involves little complexity. On the other hand, the overall system architecture now relies on a security reference monitor as part of its standard core features, and that monitor requires some degree of installation, customization, and maintenance.