24 IBM WebSphere Application Server V8 Concepts, Planning, and Design Guide
2.1 IBM Tivoli Access Manager for e-business
IBM Tivoli Access Manager provides a more holistic security solution at the enterprise level
than the standard security mechanisms that are found in WebSphere Application Server.
Tivoli Access Manager provides the following features:
- Defines and manages centralized authentication, access, and audit policy for a broad range of business initiatives
- Establishes a new audit and reporting service that collects audit data from multiple enforcement points and from other platforms and security applications
- Enables flexible single sign-on (SSO) to web-based applications that span multiple sites or domains with a range of SSO options, to eliminate help-desk calls and other security problems associated with multiple passwords
- Uses a common security policy model with the Tivoli Access Manager family of products to extend support to other resources
- Manages and secures business environments from existing hardware (mainframe, PCs, servers) and operating system platforms, including Windows, Linux, AIX, Solaris, and HP-UX
- Provides a modular authorization architecture that separates security code from application code
- Automatically authenticates Windows users with their Windows credentials in WebSphere, if they are connected to a Microsoft Active Directory
- Can be integrated with Tivoli Identity Manager, which supports administering large numbers of user accounts in enterprise environments
In summary, Tivoli Access Manager provides centralized authentication and authorization
services to different products. Applications delegate authentication and authorization
decisions to Tivoli Access Manager.
For more information about Tivoli Access Manager for e-business, see the product page at:
http://www.ibm.com/software/tivoli/products/access-mgr-e-bus/
2.1.1 Integration with WebSphere Application Server
WebSphere Application Server provides its own security infrastructure. This infrastructure
consists of some mechanisms that are specific to WebSphere Application Server and many
that use open security technology standards. This security technology is widely proven, and
the software can integrate with other enterprise technologies.
For more information about WebSphere Application Server’s security infrastructure, see
Chapter 12, “Security” on page 349.
The WebSphere Application Server security infrastructure is adequate for many situations
and circumstances. However, integrating WebSphere Application Server with Tivoli Access
Manager allows for end-to-end integration of application security across the entire enterprise.
Using this approach at the enterprise level provides the following advantages:
- Reduced risk through a consistent services-based security architecture
- Lower administration costs through centralized administration and fewer security subsystems
Chapter 2. Integration with other products 25
- Faster development and deployment
- Reduced application development costs because developers do not have to develop bespoke security subsystems
- Built-in, centralized, and configurable handling of legislative business concerns such as privacy requirements
WebSEAL
The WebSEAL server is the resource manager in the Tivoli Access Manager architecture for
managing and protecting web content resources. WebSEAL works as a reverse
HTTP/HTTPS proxy server in front of the web servers or application servers and connects to
the policy server for the access control lists (ACLs), as shown in Figure 2-1. Because it
handles the HTTP/HTTPS protocol itself, it is independent of the web server or application
server implementation. With this feature, customers can authenticate and authorize clients in
a distributed, multivendor integrated environment.
Figure 2-1 WebSEAL as a proxy in WebSphere integration
Repositories
Like WebSphere Application Server security, Tivoli Access Manager requires a user
repository. It supports many different repositories, such as IBM Tivoli Directory Server
and Microsoft Active Directory. Tivoli Access Manager can be configured to use the same
user repository as WebSphere Application Server, so that the same user identities are shared
by both Tivoli Access Manager and WebSphere Application Server.
Tivoli Access Manager policy server
The Tivoli Access Manager policy server maintains the master authorization policy database.
This database contains the security policy information for all resources and the credentials
information of all participants in the secure domain, both users and servers. The authorization
database is then replicated across all local authorization servers.
Tivoli Access Manager for WebSphere component
The Tivoli Access Manager client is embedded in WebSphere Application Server and can be
configured by using the scripting and GUI management facilities of WebSphere Application
Server. To configure the embedded Tivoli Access Manager client, go to the WebSphere
Application Server Version 8.0 Information Center, and search for enabling embedded Tivoli
Access Manager:
http://publib.boulder.ibm.com/infocenter/wasinfo/v8r0/index.jsp
Figure 2-1 components: Client, WebSEAL, Authorization Service with Authorization policy (inside the Secure Domain), and Protected Resources. Numbered flow in the figure: 1. Request; 2. Request for authorization (authAPI); 3. Authorization check; 4. Authorization decision (authAPI); 5. Authorized operation; 6. Response.
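The following added example (not from the Redbook or from IBM) models the Figure 2-1 flow in plain Python: a WebSEAL-style reverse proxy that authenticates a client against a shared user repository, asks a local authorization service (working from a replica of the policy server's ACL database) for a decision, and forwards only authorized requests to the protected backend. The class names, ACL layout, and sample users are constructed for illustration and are not the product's authAPI.

```python
# Added example (not from the Redbook or IBM): a minimal model of the Figure 2-1 flow.
# WebSEAL, policy server, authorization service and authAPI are the Tivoli Access
# Manager components the page names; classes, ACL layout and users are constructed.
import hmac

class PolicyServer:
    """Master authorization policy database: resource -> {group: permissions}."""
    def __init__(self, acls):
        self.acls = acls
    def replicate(self):
        # Local authorization servers work from a replica of the master database.
        return {res: dict(entry) for res, entry in self.acls.items()}

class AuthorizationService:
    """Local authorization server answering authAPI-style calls from its ACL replica."""
    def __init__(self, policy_server):
        self.acl_replica = policy_server.replicate()
    def authorize(self, groups, resource, permission):
        # Steps 3 and 4: check the ACL and return the decision (deny by default).
        entry = self.acl_replica.get(resource, {})
        return any(permission in entry.get(group, "") for group in groups)

class WebSEAL:
    """Reverse proxy in front of the application server: authenticates the client,
    asks the authorization service, and forwards only authorized requests."""
    def __init__(self, user_repository, authz, backend):
        self.users, self.authz, self.backend = user_repository, authz, backend
    def handle(self, request):
        user = self.users.get(request.get("user"))  # step 1: request arrives
        if user is None or not hmac.compare_digest(
                user["password"], request.get("password", "")):
            return 401, "authentication failed"
        permission = "r" if request["method"] == "GET" else "w"
        # Step 2: request for authorization over the (modelled) authAPI.
        if not self.authz.authorize(user["groups"], request["path"], permission):
            return 403, "forbidden"  # decision: deny, backend never contacted
        return 200, self.backend(request["path"])  # steps 5 and 6

def build_demo():
    """Wire a constructed user repository (shared with WebSphere), ACLs and backend."""
    users = {"alice": {"password": "pw-a", "groups": ["staff"]},
             "bob": {"password": "pw-b", "groups": ["staff", "admins"]}}
    policy = PolicyServer({"/app/orders": {"staff": "r", "admins": "rw"}})
    return WebSEAL(users, AuthorizationService(policy), lambda path: f"content of {path}")
```

The point to notice is that an unauthenticated or unauthorized request is answered by the proxy and never reaches the application server, which is what lets WebSEAL protect backends it knows nothing about.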