70 WebSphere Application Server V8.5 Concepts, Planning, and Design Guide
3.1 IBM Tivoli Access Manager for e-business
IBM Tivoli Access Manager for e-business provides a holistic security solution at the
enterprise level. This section provides information about the integration of Tivoli Access
Manager for e-business with WebSphere Application Server.
3.1.1 Features of Tivoli Access Manager for e-business
Tivoli Access Manager provides the following features:
Defines and manages centralized authentication, access, and audit policies for a broad
range of business initiatives.
Establishes a new audit and reporting service that collects audit data from multiple
enforcement points, and from other platforms and security applications.
Enables flexible single sign-on (SSO) to web-based applications that span multiple sites or
domains with a range of SSO options. These options can eliminate help-desk calls and
other security problems associated with multiple passwords.
Uses a common security policy model with the Tivoli Access Manager family of products
to extend support to other resources.
Manages and secures business environments from existing hardware (mainframe, PCs,
servers) and operating system platforms, including Windows, Linux, AIX, Solaris, and
HP-UX.
Provides a modular authorization architecture that separates security code from
application code.
Automatically authenticates Microsoft Windows users with their Windows credentials in
WebSphere if they are connected to a Microsoft Active Directory.
Allows integration with Tivoli Identity Manager, which supports administering large
numbers of user accounts in enterprise environments.
In summary, Tivoli Access Manager provides centralized authentication and authorization
services to different products. Applications delegate authentication and authorization
decisions to Tivoli Access Manager.
For more information about Tivoli Access Manager for e-business, see:
http://www.ibm.com/software/tivoli/products/access-mgr-e-bus/
3.1.2 Integration with WebSphere Application Server
WebSphere Application Server provides its own security infrastructure. This infrastructure
consists of mechanisms that are specific to WebSphere Application Server, many of which are
based on open security standards. This security technology is widely proven, and the
software can integrate with other enterprise technologies. For more information about
WebSphere Application Server’s security infrastructure, see Chapter 15, “Security” on
page 469.
The WebSphere Application Server security infrastructure is adequate for many situations
and circumstances. However, integrating WebSphere Application Server with Tivoli Access
Manager allows for end-to-end integration of application security for the entire enterprise.
Chapter 3. Integration with other products 71
Using this approach at the enterprise level provides the following advantages:
Reduced risk through a consistent services-based security architecture
Lower administration costs through centralized administration and fewer security
subsystems
Reduced application development costs because developers do not have to develop
customized security subsystems
Built-in, centralized, and configured handling of business concerns, such as privacy
requirements
WebSEAL
The WebSEAL server is a resource manager in the Tivoli Access Manager architecture that
you can use to manage and protect web content resources. WebSEAL works as a reverse
HTTP/HTTPS proxy server in front of the web servers or application servers. It connects to
the policy server for the access control list (ACL) as shown in Figure 3-1. Because it handles
the HTTP/HTTPS protocol, WebSEAL is independent of the web server or application server
implementation. With this feature, you can authenticate and authorize clients in a distributed,
multivendor integrated environment.
Figure 3-1 WebSEAL as a proxy in WebSphere integration
Repositories
In addition to WebSphere Application Server security, Tivoli Access Manager requires a user
repository. It supports different repositories, such as IBM Tivoli Directory Server and Microsoft
Active Directory. You can configure Tivoli Access Manager to use the same user repository as
WebSphere Application Server, so that you can share user identities with both Tivoli Access
Manager and WebSphere Application Server.
Tivoli Access Manager policy server
The Tivoli Access Manager policy server maintains the master authorization policy database.
This database contains the security policy information for all resources and the credentials
information of all participants in the secure domain, both users and servers. The authorization
database is replicated across all local authorization servers.
Tivoli Access Manager for WebSphere component
The Tivoli Access Manager server is bundled with WebSphere Application Server Network
Deployment.
[Figure 3-1 diagram, recovered labels only. Components: Client, WebSEAL, Authorization Service, Authorization policy, Protected Resources, all within or at the edge of the Secure Domain. Numbered flow: 1. Request; 2. Request for authorization (authAPI); 3. Authorization check; 4. Authorization decision (authAPI); 5. Authorized operation; 6. Response.]
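The six-step flow of Figure 3-1, modelled as an added example that is not IBM code: a toy WebSEAL-style reverse proxy identifies the caller against a constructed user repository, asks an authorization service holding a replicated copy of a constructed policy database for a decision, and only then invokes the protected resource. All resource paths, users, and groups are constructed; the real WebSEAL authAPI, repository and policy formats are not reproduced.

```python
"""Toy model of the Figure 3-1 request flow (added example; constructed, not IBM code)."""

# Constructed user repository: user -> group memberships. Stands in for the
# shared repository (for example Tivoli Directory Server) the text describes.
USER_REPOSITORY = {"alice": {"tellers"}, "bob": {"tellers", "managers"}}

# Constructed authorization policy: protected object -> {group: allowed HTTP methods}.
# Stands in for the policy server's master authorization database.
POLICY_DB = {
    "/banking/accounts": {"tellers": {"GET"}, "managers": {"GET", "POST"}},
    "/banking/admin": {"managers": {"GET", "POST"}},
}


class AuthorizationService:
    """Local authorization server holding a replica of the policy database."""
    def __init__(self, policy_db):
        self.policy = dict(policy_db)  # replicated copy, as in the text

    def decide(self, groups, resource, operation):
        """Steps 3-4: check the ACL for the caller's groups and return a decision."""
        acl = self.policy.get(resource)
        if acl is None:
            return False  # object not in the policy database: deny by default
        return any(operation in acl.get(group, set()) for group in groups)


class WebSEAL:
    """Reverse proxy: identifies the client, asks for authorization, then forwards."""
    def __init__(self, authz, backend):
        self.authz, self.backend = authz, backend

    def handle(self, user, operation, path):
        """Step 1: request arrives. Returns (status, body), the step 6 response."""
        groups = USER_REPOSITORY.get(user)  # credential validation is assumed done
        if groups is None:
            return 401, "authentication failed"
        # Step 2: request for authorization via the authAPI.
        if not self.authz.decide(groups, path, operation):
            return 403, "denied by authorization policy"
        # Step 5: authorized operation against the protected resource.
        return 200, self.backend(user, operation, path)


def protected_resource(user, operation, path):
    """Constructed back-end application server; never reached without a permit."""
    return f"{operation} {path} for {user}"


PROXY = WebSEAL(AuthorizationService(POLICY_DB), protected_resource)
```

Because the proxy handles plain HTTP requests and denies anything the policy does not name, the back end never sees a request that was not first authenticated and authorized, which is the vendor-independence the WebSEAL paragraph describes.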