Tivoli SecureWay Policy Director Base Administration Guide Version 3.7


Tivoli SecureWay Policy Director Base Administration Guide
Version 3.7
January 2001

Tivoli SecureWay Policy Director Base Administration Guide

Copyright Notice

Copyright IBM Corporation 2001. All rights reserved. May only be used pursuant to a Tivoli Systems Software License Agreement, an IBM Software License Agreement, or Addendum for Tivoli Products to IBM Customer or License Agreement. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any computer language, in any form or by any means, electronic, mechanical, magnetic, optical, chemical, manual, or otherwise, without prior written permission of IBM Corporation. IBM Corporation grants you limited permission to make hardcopy or other reproductions of any machine-readable documentation for your own use, provided that each such reproduction shall carry the IBM Corporation copyright notice. No other rights under copyright are granted without prior written permission of IBM Corporation. The document is not intended for production and is furnished as is without warranty of any kind. All warranties on this document are hereby disclaimed, including the warranties of merchantability and fitness for a particular purpose.

U.S. Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corporation.

Trademarks

IBM, the IBM logo, Tivoli, the Tivoli logo, AIX, Policy Director, and SecureWay are trademarks or registered trademarks of International Business Machines Corporation or Tivoli Systems Inc. in the United States, other countries, or both. Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. UNIX is a registered trademark of The Open Group in the United States and other countries. Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. Other company, product, and service names may be trademarks or service marks of others.

Notices

References in this publication to Tivoli Systems or IBM products, programs, or services do not imply that they will be available in all countries in which Tivoli Systems or IBM operates. Any reference to these products, programs, or services is not intended to imply that only Tivoli Systems or IBM products, programs, or services can be used. Subject to valid intellectual property or other legally protectable right of Tivoli Systems or IBM, any functionally equivalent product, program, or service can be used instead of the referenced product, program, or service. The evaluation and verification of operation in conjunction with other products, except those expressly designated by Tivoli Systems or IBM, are the responsibility of the user. Tivoli Systems or IBM may have patents or pending patent applications covering subject matter in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to the IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, New York , U.S.A.

Contents

Preface
  Who Should Read This Guide
  What This Guide Contains
  Typeface Conventions
  Related Policy Director Documents
  Accessing Online Documentation
  Ordering Documentation
  Providing Feedback about Product Documentation
  Contacting Customer Support

Chapter 1 Policy Director Overview
  1.1 Securing the Enterprise Network
  Network Security Technologies and Definitions
  Network Security Common Concerns
  Introducing Policy Director
  Policy Director Core Technologies
  Authentication
  Authorization
  Quality of (Data) Protection
  Scalability
  Accountability
  Centralized Management
  Policy Director Components
  Policy Director Management Console
  pdadmin Command Line Utility
  Security Server
  Management Server
  WebSEAL
  NetSEAT Client
  Authorization API
  Policy Director Authorization Server
  Global Services Kit (GSKit)
  Understanding Authorization: Conceptual Model
  The Benefits of a Standard Authorization Service
  1.4.2 Introducing the Policy Director Authorization Service
  The Policy Director Authorization Service
  Components
  Authorization Service Interfaces
  Replication for Scalability and Performance
  Implementing a Network Security Policy
  Defining the Network Security Policy
  The Protected Object Space
  Defining and Applying ACL and POP Policies
  Policy Administration: The Management Console
  The Authorization Process: Step-by-Step
  The Policy Director Authorization API
  Using the Authorization API: Two Examples
  Authorization API: Remote Cache Mode
  Authorization API: Local Cache Mode
  External Authorization Capability
  Extending the Authorization Service
  Imposing Conditions on Resource Requests
  The Authorization Evaluation Process
  Implementation Strategies
  Extensibility and Flexibility

Chapter 2 Managing the Protected Object Space
  2.1 Understanding the Protected Object Space
  Elements of the Protected Object Space
  Protected Object Space Hierarchy
  User-defined Object Space for Third-Party Applications
  Defining a Database Object Space
  Creating a New User-defined Container Object
  Creating and Deleting Objects
  Defining a Flat File Object Space
  Flat File Object Space Limitations
  Root Container Object Name and Map File Location
  Mapping File Format

Chapter 3 Using Access Control Policies
  3.1 Introducing the ACL Policy
  ACL Policy Entries
  Creating and Naming ACL Policies
  ACL Entry Syntax
  Type Attribute
  ID Attribute
  Permissions (Actions) Attribute
  Default Policy Director Permissions (Actions)
  How the Authorization Service Uses ACL Policies
  Performing Operations on an Object
  Requirements for Custom Permissions
  Custom Action Example
  Custom Action Example
  Evaluating an ACL
  Evaluating Authenticated Requests
  Evaluating Unauthenticated Requests
  Example ACL Entries
  Sparse ACL Model: ACL Inheritance
  Understanding the Sparse ACL Model
  The Default Root ACL Policy
  Traverse Permission
  Resolving an Access Request
  Applying ACL Policies to Different Object Types
  ACL Policy Inheritance Example
  Guidelines for a Secure Object Space
  Creating Extended ACL Actions and Action Groups
  Creating a New Action Group
  Creating New Actions in an Action Group
  Entering Custom Actions into ACL Entries
  ACL Policies and the Protected Object Space
  Root ( / ) Container Object
  The Traverse Permission
  3.8 WebSEAL Permissions
  /WebSEAL/<host>
  /WebSEAL/<host>/<file>
  WebSEAL Permissions
  NetSEAL Permissions
  /NetSEAL/<host>
  /NetSEAL/<host>/<service>
  NetSEAL Permissions
  Management Permissions
  /Management/ACL Permissions
  The Control Permission (c)
  /Management/Action Permissions
  /Management/POP Permissions
  /Management/Server Permissions
  /Management/Replica Permissions
  /Management/Users Permissions
  /Management/Groups Permissions
  Object and Object Space Permissions
  Default Administration ACL Policies
  Default Root ACL Policy
  Default /WebSEAL ACL Policy
  Default /NetSEAL ACL Policy
  Default /Management ACL Policy
  Default /Replica ACL Policy

Chapter 4 Using Protected Object Policies
  4.1 Introducing Protected Object Policies (POP)
  Creating and Deleting Protected Object Policies
  Applying POP Attributes to Protected Objects
  Configuring the POP Attributes
  Warning Mode Attribute
  Audit Level Attribute
  Time-of-Day Attribute
  Quality of Protection Attribute
  4.2.5 IP Endpoint Authentication Method Attribute

Chapter 5 Delegating Administration Tasks
  5.1 Delegating Object Space Management
  Structuring the Object Space for Management Delegation
  Default Administration Users and Groups
  Creating Administration Users
  Example Administration ACL Templates
  Example: Management Delegation
  Delegating Group Management
  Creating Group Container Objects
  Creating Groups
  ACL Policies Affecting Group Management
  ACL Policies Affecting User Management

Chapter 6 Managing the Policy Director Servers
  6.1 Introducing the Policy Director Servers
  Server Dependencies
  Introducing Server Administration Tools
  Server Configuration Files
  UNIX: Stopping / Starting Policy Director Servers
  Stop the Policy Director Servers Using the iv Script
  Start the Policy Director Servers Using the iv Script
  Start the Policy Director Servers Manually
  Displaying Server Status
  Windows: Stopping / Starting Policy Director Servers
  Using the Services Control Panel to Stop / Start Servers
  Automating Server Startup at Boot Time
  Management Server
  Authorization Server
  Configuring RPC Worker Threads
  Worker Threads Overview
  Setting the RPC Worker Threads Pool
  Configuring Servers for Incoming RPC Requests
  6.6 Management Server (ivmgrd) Administration
  Setting the Number of Update Notifier Threads
  Setting the Notification Delay Time

Chapter 7 Using the LDAP Registry
  7.1 LDAP Overview
  LDAP: A Protocol for Directory Services
  LDAP Directories
  The LDAP Information Model
  LDAP Features
  LDAP Fail-over Configuration
  The Master-Slave Replication Model
  Policy Director Fail-over Capability for LDAP Servers
  Master Server Configuration
  Replica Server Configuration
  Setting Preference Values for Replica LDAP Servers
  Server Polling

Chapter 8 Logging and Auditing Server Activity
  8.1 Introduction to Logging and Auditing
  Log Files
  Audit Trail Files
  Documentation Convention: <install-path>
  Policy Director Server Log Files
  Enabling and Disabling Policy Director Server Log Files
  Example: secmgrd.log
  Directing Messages to Standard Output
  Debug Mode
  DCE Serviceability Messages
  Policy Director Audit Trail Files
  Enabling and Disabling Auditing
  Specifying the Log File Location
  Specifying Audit File Rollover Thresholds
  Specifying the Frequency for Flushing Audit File Buffers
  Specifying Audit Events
  Audit Trail File Format
  8.6 Audit Trail File Contents
  Authorization Audit Records
  Authentication Audit Records
  WebSEAL Audit Records
  Management Audit Records

Appendix A pdadmin Command Reference
  A.1 Introducing the pdadmin Utility
  A.1.1 Starting the pdadmin Utility (login command)
  A.1.2 Help Information
  A.1.3 Exiting the pdadmin Utility
  A.1.4 Using pdadmin in an LDAP Environment
  A.1.5 Special Characters Disallowed for GSO Commands
  A.1.6 Limitations When Naming GSO Resources
  A.2 ACL Commands
  A.2.1 Managing ACL Policy
  A.2.2 Managing Extended Attributes for ACLs
  A.3 Action Commands
  A.3.1 Creating Custom ACL Actions
  A.3.2 Creating Extended ACL Actions and Action Groups
  A.4 NetSEAL Commands
  A.4.1 Managing Protected Networks
  A.4.2 Managing NetSEAL Junctions
  A.4.3 Managing Protected Ports
  A.4.4 Managing Protected Port Aliases
  A.5 Object Commands
  A.5.1 Managing a Custom Objectspace
  A.5.2 Managing Protected Objects
  A.5.3 Managing Extended Attributes for Protected Objects
  A.6 Protected Object Policy (POP) Commands
  A.6.1 Managing Protected Object Policies
  A.6.2 Managing Extended Attributes for Protected Object Policies
  A.7 Server Commands
  A.8 Administration Information Command
  A.9 User Management Commands (LDAP)
  A.10 Group Management Commands (LDAP)
  A.11 Resource Management Commands (LDAP)
  A.11.1 Managing Resources
  A.11.2 Managing Resource Groups
  A.11.3 Managing Resource Credentials
  A.12 Policy Management Commands (WebSEAL LDAP)
  A.12.1 Managing Login Policies
  A.12.2 Managing Password Policies

Appendix B ivmgrd.conf Configuration File Reference
Appendix C ivacld.conf Configuration File Reference
Appendix D ldap.conf Configuration File Reference
Index

Preface

Welcome to the Tivoli SecureWay Policy Director Base Administration Guide.

Policy Director is a complete authorization solution for corporate Web, client/server, CORBA, MQ, and legacy applications. Policy Director authorization allows an organization to securely control user access to protected information and resources. You use Policy Director in conjunction with standard Internet-based applications to build highly secure and well-managed network-based applications.

This administration guide provides a comprehensive set of procedures and reference information for managing Policy Director servers and resources. This guide also provides you with valuable background and concept information for the wide range of Policy Director functionality.

Who Should Read This Guide

The target audience for this guide includes:
- Security administrators
- System installation and deployment administrators
- Network system administrators
- IT architects
- Application developers

What This Guide Contains

Chapter 1: Policy Director Overview
This chapter introduces you to important Policy Director concepts and functionality such as: Policy Director core technologies and components, the authorization service model, and implementing a security policy.

Chapter 2: Managing the Protected Object Space
This chapter discusses how Policy Director uses a virtual representation of resources in a protected object space. Two types of object spaces are supported: flat file and database.

Chapter 3: Using Access Control Policies
This chapter is a complete reference to access control list (ACL) policies.

Chapter 4: Using Protected Object Policies
This chapter is a complete reference to protected object policies (POP).

Chapter 5: Delegating Administration Tasks
This chapter explains how Policy Director supports delegated management of the object space and group management.

Chapter 6: Managing the Policy Director Servers
This chapter is a technical reference to managing and customizing the operation of the Policy Director servers.

Chapter 7: Using the LDAP Registry
This chapter introduces the LDAP protocol / directory and provides detailed information on LDAP fail-over configuration.

Chapter 8: Logging and Auditing Server Activity
This chapter provides a complete reference to the Policy Director logging and auditing capabilities.

Appendix A: pdadmin Command Reference
Appendix B: ivmgrd.conf Configuration File Reference
Appendix C: ivacld.conf Configuration File Reference
Appendix D: ldap.conf Configuration File Reference

Typeface Conventions

This guide uses several typeface conventions for special terms and actions. These conventions have the following meaning:

Bold: Command names and options, keywords, and other information that you must use literally appear in bold.
Italics: Variables, command arguments, and values you must provide appear in italics. Titles of publications and special words or phrases that are emphasized also appear in italics.
Monospace: Code examples, command lines, screen output, and system messages appear in monospace font.

Related Policy Director Documents

The following table summarizes the available Policy Director documentation:

Tivoli SecureWay Policy Director Technical Documents

Installation Guides
- Tivoli SecureWay Policy Director Base for AIX Installation Guide
- Tivoli SecureWay Policy Director Base for HP-UX Installation Guide
- Tivoli SecureWay Policy Director Base for Solaris Installation Guide
- Tivoli SecureWay Policy Director Base for Windows Installation Guide
- Tivoli SecureWay Policy Director WebSEAL Installation Guide
- Tivoli SecureWay Policy Director NetSEAL Installation Guide
- Tivoli SecureWay Policy Director Management Console for Windows Installation Guide

Administration Guides
- Tivoli SecureWay Policy Director Base Administration Guide (this document)
- Tivoli SecureWay Policy Director WebSEAL Administration Guide
- Tivoli SecureWay Policy Director NetSEAL Administration Guide
- Tivoli SecureWay Policy Director Management Console for Windows Administration Guide

Developer References
- Tivoli SecureWay Policy Director Authorization ADK Developer Reference
- Tivoli SecureWay Policy Director WebSEAL Developer Reference

Supplemental Documentation (updated regularly on the Tivoli support site)
- Tivoli SecureWay Policy Director Release Notes
- Tivoli SecureWay Policy Director Lotus Domino Registry Supplement
- Tivoli SecureWay Policy Director Performance Tuning Guide

Accessing Online Documentation

The Tivoli Customer Support Web site provides links to the following documentation information:
- Technical information, including release notes, installation and configuration guides, administration guides, and developer references.
- Frequently Asked Questions (FAQs)
- Software download information

You can find the Customer Support Handbook (a guide to support services) at:

You can access the index of online Tivoli publications at

Click on Master Index to find product-specific support pages.

You can locate Policy Director technical documentation, by product version, at:

The documentation for some products is available in PDF and HTML formats. Translated documents are also available for some products.

To access most of the documentation, you need an ID and a password. To obtain an ID for use on the support Web site, go to

Resellers should refer to for more information about obtaining Tivoli technical documentation and support.

Business Partners should refer to the Preface section entitled Ordering Documentation for more information about obtaining Tivoli technical documentation.

Ordering Documentation

Order Tivoli documentation online at or by calling one of the following telephone numbers:
- U.S. customers: (800)
- Canadian customers: (800)

Providing Feedback about Product Documentation

We are very interested in hearing about your experience with Tivoli products and documentation, and we welcome your suggestions for improvements. If you have comments or suggestions about our products and documentation, contact us in one of the following ways:
- Send to
- Fill out our customer feedback survey at

Contacting Customer Support

The Tivoli Customer Support Handbook at: provides information about all aspects of Tivoli Customer Support, including the following:
- Registration and eligibility
- How to contact support, depending on the severity of your problem
- Telephone numbers and addresses, depending on the country you are in
- What information you should gather before contacting support


Chapter 1 Policy Director Overview

Policy Director is a complete authorization solution for corporate Web, client/server, CORBA, MQ, and legacy applications. Policy Director authorization allows an organization to securely control user access to protected information and resources. You use Policy Director in conjunction with standard Internet-based applications to build highly secure and well-managed network-based applications.

Topic Index:
- 1.1 Securing the Enterprise Network
- 1.2 Policy Director Core Technologies
- 1.3 Policy Director Components
- 1.4 Understanding Authorization: Conceptual Model
- 1.5 The Policy Director Authorization Service
- 1.6 Implementing a Network Security Policy
- 1.7 The Policy Director Authorization API
- 1.8 External Authorization Capability

1.1 Securing the Enterprise Network

Many organizations now value the public Internet and private intranets as effective and vital mediums for global communication. Electronic commerce has rapidly become an essential component of many business marketing strategies. Educational institutions rely on the Internet for long-distance learning. On-line services allow individuals to send electronic mail and to tap the Web's vast encyclopedia of resources. Traditional applications, such as TELNET and POP3, still prevail as important network services.

Businesses are realizing that they can use Internet technologies to enhance supply chain relationships, facilitate collaboration with business partners, and provide increased customer connectivity, provided they can expose corporate resources with a high degree of security. Businesses want to use the Internet as a global commercial and distribution vehicle, but have been hindered by the lack of proven security policy mechanisms and management systems.

Policy Director is an information policy management solution that provides organizations with centralized network security services where you can consistently implement and maintain corporate security policy.

Policy Director provides the three primary requirements for a balanced security solution:
- Provides a variety of solutions for creating a highly secure network environment
- Provides convenient and intuitive management tools for secure centralized administration
- Provides security mechanisms that do not hinder permitted client activity on the network

Network Security Technologies and Definitions

The following network security services and concepts are important to the discussion of Policy Director throughout this document:

- Secure Domain: the group of users, systems, and resources that share common services and usually function with a common purpose
- Access Control List (ACL) policies: the Policy Director security mechanism that provides users and groups the permissions to perform specific operations, or actions, on protected resources
- Authentication: the process of identifying any individual attempting to log in to a secure domain

- Authorization: the process (performed by the Authorization Service) of determining whether an individual has the right to perform an operation on a protected resource
- Credentials: detailed information, acquired during authentication, describing the user, group associations (if any), and other security-related identity attributes
- Encryption: the translation of electronic data into secret code that protects the data from being examined by unauthorized parties. Encryption facilitates the security condition known as privacy.
- Integrity: the condition that electronic data is unmodified between the time it was sent and the time it was received
- Protected Object Policy (POP): the Policy Director security mechanism that dictates special conditions for accessing a protected resource after a successful ACL policy check
- Protected Object Space: the virtual object representation of actual system resources that is used for applying ACL and POP policies and used by the Authorization Service
- Registry: the datastore (LDAP, DCE, or Domino) that maintains the account information for users and groups that are allowed to participate in the secure domain
- Scalability: the ability of a network system to respond to increasing numbers of users who access resources
- Quality of Protection: the level of data security, determined by a combination of authentication, integrity, and privacy conditions

Network Security Common Concerns

Both the world-wide public Internet and company-private intranets connect to heterogeneous computer systems, applications, and networks. This mixture of dissimilar hardware and software usually impacts a network in the following ways:
- No centralized control of security for applications
- No unified resource location naming convention
- No common support for high availability of applications
- No common support for scalable growth

New business models require organizations to expose their information resources to a previously unthought of degree. These businesses need to know that they can securely control access to those resources.

Managing policy and users across distributed networks has proven difficult for Information Technology (IT) managers, especially since individual application and system vendors implement authorization in their own proprietary fashion.

Companies realize that developing new authorization services for each enterprise application is an expensive process that leads to a difficult-to-manage infrastructure. A centralized authorization service that is accessed by developers via a standardized API could greatly speed time to market and reduce total-cost-of-ownership.

A centralized network security management system needs to fulfill requirements that include:
- Co-exist with and/or leverage existing firewall and authenticator architectures
- Integrate or co-exist with network and application management frameworks
- Be application-independent

Introducing Policy Director

Policy Director is a complete authorization and network security policy management solution that provides unsurpassed end-to-end protection of resources over geographically dispersed intranets and extranets.

In addition to its state-of-the-art security policy management feature, Policy Director supports authentication, authorization, data security, and resource management capabilities. You use Policy Director in conjunction with standard Internet-based applications to build highly secure and well-managed intranets.

At its core, Policy Director provides:
- Authentication framework: Policy Director provides a wide range of built-in authenticators and supports external authenticators.
- Authorization framework: The Policy Authorization Service, accessed via a standard Authorization API, provides permit and deny decisions on access requests for native Policy Director servers (WebSEAL, NetSEAL) and third-party applications.

With Policy Director, businesses can now securely manage access to private internal network-based resources and leverage the public Internet's broad connectivity and ease of use. Policy Director, in combination with a corporate firewall system, can fully protect the Enterprise intranet from unauthorized access and intrusion.

The Authorization Service API Standard

Authorization services are a critical part of an application's security architecture. After a user passes the authentication process, authorization services proceed to enforce the business policy by determining what services and information the user can access.

For example, a user accessing a Web-based retirement fund would be able to view personal account information after an authorization server verifies the identity, credentials, and privilege attributes of that user.

The standards-based Authorization API allows applications to make calls to the centralized Authorization Service, thus eliminating the necessity for developers to write authorization code for each new application.

The Authorization API allows businesses to standardize all applications on a trusted authorization framework. With the Authorization API, businesses can provide more control over access to resources on their networks.

1.2 Policy Director Core Technologies

The Policy Director network security management solution provides and supports the following core technologies:
- Authentication (Section 1.2.1)
- Authorization (Section 1.2.2)
- Quality of (Data) Protection (Section 1.2.3)
- Scalability (Section 1.2.4)
- Accountability (Section 1.2.5)
- Centralized Management (Section 1.2.6)

Authentication

Built-in (local) Authenticators
- Username and password (LDAP, DCE, Domino registries supported)
- Client-side certificate
- Custom HTTP header
- Cross domain single sign-on (CDSSO)

External Authentication Support
- Username SecurID token passcode
- Client-side certificate
- Username and password

Authorization

- Authorization Service
- ACL and POP policies for fine-grained access control
- Standards-based Authorization API
- External authorization service capability

Quality of (Data) Protection

Quality of Protection is the degree to which Policy Director protects any information transmitted between client and server. Quality of Protection is determined by the combined effect of tunnel mechanisms, encryption standards, and modification-detection algorithms.

Quality of Protection levels, in order of increasing security, are:
- Standard TCP communication (no authentication)
- Authentication only: verifies the user's identity
- Authentication plus data integrity: protects messages (data stream) from being modified during network communication
- Authentication plus data integrity plus data privacy: protects messages from being modified or inspected during network communication

You use POP policies to specify the required levels of protection to be used on specific hosts and networks.

Supported Encryption Standards

Policy Director supports the following encryption ciphers over SSL:
- 40-bit RC2
- 128-bit RC2
- 40-bit RC4
- 128-bit RC4
- 40-bit DES
- 56-bit DES
- 168-bit triple DES

Policy Director NetSEAL and Policy Director WebSEAL support 56-bit DES encryption over GSSAPI and DCE-RPC.

Tunnel Mechanisms

Policy Director supports the following protocols for transmitting encrypted data:
- Secure Socket Layer (SSL)
- Generic Security Services Application Program Interface (GSSAPI)

WebSEAL supports the data integrity and data privacy provided by the SSL encrypted tunnel. WebSEAL and NetSEAL support both RPCs and the GSSAPI.

The GSSAPI tunnel enables independent control over the level of protection on traffic traveling in each direction. Use of integrity and timestamps with RPC and GSSAPI provides protection against playback attacks.

GSSAPI

The Generic Security Services Application Program Interface (GSSAPI) was proposed by the Common Authentication Technology (CAT) working group within the Internet Engineering Task Force (IETF) as a standard way to allow applications to access security services.

The GSSAPI definition provides security services to callers in a generic fashion. It is supportable with a range of underlying mechanisms and technologies and hence allows source-level portability of applications to different environments.

The GSSAPI tunnel enables control over the level of protection on traffic travelling in both directions independently of each other. For example, data travelling from the client to the server may be fully protected with bulk data encryption while data travelling from the server to the client may be unprotected.

SSL

The Secure Socket Layer (SSL) handshake protocol was developed by Netscape Communications Corporation to provide security and privacy over the Internet. SSL works by using a public key for authentication and a secret key to encrypt data that is transferred over the SSL connection.

Policy Director WebSEAL supports SSL versions 2 and
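The playback protection mentioned under Tunnel Mechanisms (integrity plus timestamps) can be shown with a generic receiver-side check. This is an added example, not code from Policy Director, GSSAPI or DCE RPC; the message layout, HMAC-SHA256, the 300-second window and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

MAX_SKEW = 300   # seconds a timestamp may differ from "now" (assumed value)
HEADER_LEN = 16  # 8-byte timestamp + 8-byte sequence number
TAG_LEN = 32     # HMAC-SHA256 output size


def protect(key: bytes, seq: int, timestamp: int, payload: bytes) -> bytes:
    """Sender side: header (timestamp, seq) + payload + integrity tag."""
    header = struct.pack(">QQ", timestamp, seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Accepts each protected message at most once inside the time window."""

    def __init__(self, key: bytes, max_skew: int = MAX_SKEW):
        self.key = key
        self.max_skew = max_skew
        self.seen = {}  # tag -> timestamp of messages still inside the window

    def accept(self, message: bytes, now: int):
        """Return (payload, "ok") or (None, reason)."""
        if len(message) < HEADER_LEN + TAG_LEN:
            return None, "malformed"
        header = message[:HEADER_LEN]
        payload = message[HEADER_LEN:-TAG_LEN]
        tag = message[-TAG_LEN:]

        # 1. Integrity: the tag covers the timestamp, so a captured message
        #    cannot be re-stamped without knowing the key.
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None, "integrity"

        # 2. Freshness: anything outside the window is rejected outright.
        timestamp, _seq = struct.unpack(">QQ", header)
        if abs(now - timestamp) > self.max_skew:
            return None, "stale"

        # 3. Replay inside the window: remember tags until they expire.
        #    Expired entries can be dropped because step 2 already rejects
        #    any message carrying such an old timestamp.
        self.seen = {t: ts for t, ts in self.seen.items()
                     if abs(now - ts) <= self.max_skew}
        if tag in self.seen:
            return None, "replay"
        self.seen[tag] = timestamp
        return payload, "ok"


def demo():
    """Run constructed sample traffic through the receiver."""
    key = b"constructed-demo-key-0123456789ab"  # constructed sample key
    rx = Receiver(key)
    msg = protect(key, seq=1, timestamp=1000, payload=b"transfer 10 units")

    results = [rx.accept(msg, now=1010)[1]]      # first delivery
    results.append(rx.accept(msg, now=1020)[1])  # same bytes replayed at once
    results.append(rx.accept(msg, now=1400)[1])  # replayed after the window
    # Captured message re-stamped with a fresh time but the old tag:
    forged = struct.pack(">QQ", 1400, 1) + msg[HEADER_LEN:]
    results.append(rx.accept(forged, now=1400)[1])
    return results


if __name__ == "__main__":
    print(demo())
```

Neither mechanism is sufficient alone: without the integrity tag the timestamp can be rewritten, and without the timestamp the replay cache would have to grow without bound.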

Scalability

Scalability is the ability to respond to increasing numbers of users who access resources in the secure domain. Policy Director uses the following techniques to provide scalability:
- Replication of services
  - Authentication services
  - Authorization services
  - Security policies
  - Data encryption services
  - Auditing services
- Front-end replicated WebSEAL servers
  - Mirrored resources for high availability
  - Load balancing client requests
- Back-end replicated servers
  - Back-end servers can be WebSEAL or third-party Web servers
  - Mirrored resources (unified object space) for high availability
  - Additional content and resources
  - Load balancing of incoming requests through smart junctions
- Optimized performance by allowing the off-loading of authentication and authorization services to separate servers
- Scaled deployment of services without increasing management overhead

[Figure 1-1: Scalable Policy Director Architecture. Diagram labels: SSL Client, Internet, Load-Balancing mechanism, WebSEAL Server Primary, WebSEAL Server Replica, Replicated Front-End Servers, Replicated Engineering Servers, Replicated Sales Servers]

Accountability

Policy Director provides a number of logging and auditing capabilities. There are log files that capture any error and warning messages generated by Policy Director servers. There are also audit trail files that monitor Policy Director server activity.

Log files:

- Policy Director server log files
- DCE serviceability messages
- Standard HTTP log files

Audit trail files:

- Policy Director server audit trail files

Centralized Management

- Management Console
- pdadmin command line utility

1.3 Policy Director Components

Policy Director includes software for both client and server systems. Policy Director is supported on UNIX (including Solaris, AIX, and HP-UX) and Windows NT/2000 operating system platforms.

[Figure 1-2: Policy Director Components. Diagram labels: Management Console and pdadmin command line utility; client systems (SSL-enabled browser; client browser with NetSEAT); Policy Director server system (Security Server (authentication), User Registry (LDAP, DCE, Domino), Authorization Service (authorization), Management Server, WebSEAL, NetSEAL, Authorization Server (third-party app support), Authorization API, GSKit (IBM SSL implementation)); operating system under each system.]

Policy Director Management Console

The Management Console is a graphical application (Java) used to manage security policy for the Policy Director secure domain. From the Console, you can perform administrative tasks on the account registry and the master authorization policy database. Typical Console tasks include adding and deleting user and group accounts, and applying ACL and POP policies to objects.

Management responsibilities can be delegated to the local level. For example, a specific security administrator can be assigned (and limited) to managing security policy for only those resources located in a designated portion of the protected object space.

pdadmin Command Line Utility

The pdadmin command line utility provides a means for performing all Policy Director tasks. The Management Console only provides a limited range of tasks.

Security Server

The Security Server is the LDAP or DCE server that provides authentication services and maintains a centralized registry database which contains account entries for all valid users who participate in the secure domain.

The Security Server performs two important roles:

- Defines the groups and organizations to which the user belongs and the roles the user can assume. This information is stored in a centralized registry database. The Authorization Service considers this information when making authorization decisions.
- Provides authentication services for all login attempts.

The Security Server can replicate the registry database throughout the secure domain to prevent a single point of failure. The Security Server is responsible for updating all replica databases whenever a change to the master registry occurs.

Management Server

The Management Server (ivmgrd) maintains the master authorization policy database for the secure domain. It is also responsible for updating all authorization database replicas throughout the secure domain. The Management Server also maintains location information about the other Policy Director servers in the secure domain.

WebSEAL

WebSEAL is a resource security manager that provides fine-grained HTTP and HTTPS access control. WebSEAL is a high performance, multi-threaded Web server that accepts HTTP and HTTPS requests. WebSEAL manages access control for such resources as: URLs, URL-based regular expressions, CGI programs, HTML files, Java servlets, and Java class files.

WebSEAL, as a junction server, secures and manages third-party Web servers through WebSEAL junction technology. WebSEAL junctions allow you to attach additional server file systems to the Web space and view the resources as a single, unified object space.

WebSEAL can be used to provide single sign-on capabilities for Web-based resources. The user can authenticate to WebSEAL via standard SSL. WebSEAL then impersonates the user using HTTP basic and digest authentication. WebSEAL can also pass the user's identity as a CGI variable.

NetSEAL

NetSEAL is a resource security manager that provides coarse-grained TCP/IP access control. NetSEAL is a Virtual Private Network (VPN) solution for securing all incoming TCP/IP communication. NetSEAL performs access control based on the destination port and identity of the client.

NetSEAL is the security solution for authorizing and securing traditional Internet services, such as TELNET and POP3, as well as various application packages, including database systems and network management tools.

NetSEAL is a resource manager that controls a user's ability to connect to a particular port on the server (for example: port 23, TELNET). The NetSEAL component also accepts and authorizes TCP/IP traffic tunneled from the NetSEAT client.

The NetSEAL server allows any network application server to be integrated with the Policy Director security services. The NetSEAL server provides a secure tunnel endpoint for all network communications. The user's authenticated identity, along with the original protocol request, is passed over this GSSAPI or SSL tunnel.

NetSEAT Client

NetSEAT is a small, light-weight network support module that works seamlessly as a secure proxy for client applications, allowing end-to-end encryption over a GSSAPI tunnel of all client/server traffic.

As a DLL implementation of a security client, NetSEAT allows users to take full advantage of Policy Director's features for securing data communications and providing high availability architecture.

NetSEAT ensures full integration with the Policy Director security mechanism and provides resource management for the client.

NetSEAT provides protection to TCP/IP applications by transparently encrypting the application data into VPN tunnels (such as GSSAPI), which can be transported over unsecure links, such as the Internet. It can be configured to intercept all outgoing HTTP requests and forward those requests to the destination WebSEAL server. It transparently maps logical URLs to physical WebSEAL servers, allowing Web resources to be relocated or replicated without affecting the end-user.

Note: NetSEAT is not required to interact with Policy Director. For example, client users can use SSL-enabled browsers to communicate directly with WebSEAL.

Authorization API

The Policy Director Application Development Kit (ADK) includes an Authorization API that lets developers build Policy Director security and authorization directly into corporate applications. The Authorization API provides direct access to the Authorization Service, which means developers no longer need to write authorization code for each application.

The Authorization API reduces application development time and cost. Because all network security is centrally managed by Policy Director, the total cost of ownership and likelihood of security breaches are both significantly reduced.

The technology underlying the Authorization API has been accepted for fast-track standardization by unanimous vote of the Security Working Group of the Open Group.

Policy Director Authorization Server

In remote cache authorization mode, applications use the function calls provided by the Authorization API to communicate to the Authorization Server (ivacld). The Authorization Server maintains a replica of the authorization policy database and functions as the authorization decision-making evaluator.

The API forwards an authorization decision request to the Authorization Server. The Authorization Server returns a recommendation based on security policy. The server can also write an audit record containing the details of the authorization request.

Global Services Kit (GSKit)

Policy Director uses the GSKit implementation of the SSL protocol. Administrators manage X.509 certificates using the GSKit ikeyman utility.

1.4 Understanding Authorization: Conceptual Model

When servers enforce security in a secure domain, each client must provide proof of its identity. In turn, security policy determines whether that client is permitted to perform an operation on a requested resource. Because access to every resource in a secure domain is controlled by a server, the server's demands for authentication and authorization can provide comprehensive network security.

In security systems, authorization is distinct from authentication. Authorization determines whether an authenticated client has the right to perform an operation on a specific resource in a secure domain. Authentication ensures that the individual is who he or she claims to be, but says nothing about the rights to perform operations on a protected resource.

In the Policy Director authorization model, authorization policy is implemented independently of the mechanism used for user authentication. Users can authenticate their identity using either public/private key, secret key, or customer-defined mechanisms.

Part of the authentication process involves the acquisition of a credential that describes the identity of the client. Authorization decisions made by an authorization service are based on user credentials.

The resources in a secure domain receive a level of protection as dictated by the security policy for the domain. The security policy defines the legitimate participants of the secure domain and the degree of protection surrounding each resource requiring protection.

The basic components of the authorization process include:

- A resource manager responsible for implementing the requested operation when authorization is granted. A component of the resource manager is a policy enforcer that directs the request to the authorization service for processing.
- An authorization service that performs the decision-making action on the request

[Figure 1-3: General Authorization Model. Diagram labels: authenticated client, request for resource, application server containing the policy enforcer and the resource manager, resources, authorization check to the authorization service, yes/no reply.]

Traditional applications bundle the policy enforcer and resource manager into one process. Examples of this structure include Policy Director WebSEAL and third-party applications.

The independent functionality of these authorization components allows much flexibility in the design of the security enforcement strategy. For example, such independence allows the security administrator to control:

- Where the processes are located
- Who writes the code for the processes
- How the processes perform their tasks
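Added example (not Policy Director code and not its Authorization API): a model of the general authorization model of Figure 1-3, in which the policy enforcer inside a resource manager passes each request to a separate authorization service that decides from the credential and writes an audit record. The object names, operation names, ACL layout, the rule that the nearest ACL up the object space governs, and the sample policy are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Credential:
    """Product of authentication: who the client is, nothing about its rights."""
    user: str
    groups: frozenset = frozenset()


@dataclass
class AuthorizationService:
    # policy maps an object in the protected object space to its ACL:
    # {"user:<name>" or "group:<name>": set of permitted operations}
    policy: dict
    audit_trail: list = field(default_factory=list)

    def _governing_acl(self, obj):
        """Walk up from obj to the nearest object carrying an ACL (assumed rule)."""
        if not obj.startswith("/"):
            return None, {}
        path = obj
        while True:
            if path in self.policy:
                return path, self.policy[path]
            if path == "/":
                return None, {}          # no ACL anywhere above: deny by default
            path = path.rsplit("/", 1)[0] or "/"

    def decide(self, cred, operation, obj):
        """Yes/no decision based only on the credential and the policy."""
        attached_at, acl = self._governing_acl(obj)
        granted = set(acl.get("user:" + cred.user, ()))
        for group in cred.groups:
            granted |= set(acl.get("group:" + group, ()))
        permitted = operation in granted
        self.audit_trail.append({"user": cred.user, "operation": operation,
                                 "object": obj, "acl": attached_at,
                                 "permitted": permitted})
        return permitted


class ResourceManager:
    """Holds the resources; its policy enforcer never decides on its own."""

    def __init__(self, authz, resources):
        self.authz = authz
        self.resources = resources

    def handle(self, cred, operation, obj):
        if cred is None:
            # Authentication is a separate step; without a credential there
            # is nothing to base an authorization decision on.
            return "authentication-required", None
        if not self.authz.decide(cred, operation, obj):
            return "denied", None
        # The existence check comes after the decision, so a denied client
        # learns nothing about which objects exist.
        if obj not in self.resources:
            return "not-found", None
        return "ok", self.resources[obj]


def build_demo():
    """Constructed sample policy and resources."""
    authz = AuthorizationService(policy={
        "/": {"group:staff": {"view"}},
        "/sales": {"group:sales": {"view", "modify"},
                   "user:auditor1": {"view"}},
    })
    manager = ResourceManager(authz, {
        "/index.html": "welcome page",
        "/sales/forecast.xls": "forecast figures",
    })
    return authz, manager


if __name__ == "__main__":
    authz, manager = build_demo()
    alice = Credential("alice", frozenset({"sales"}))
    bob = Credential("bob", frozenset({"staff"}))
    print(manager.handle(alice, "modify", "/sales/forecast.xls"))
    print(manager.handle(bob, "view", "/sales/forecast.xls"))
    print(authz.audit_trail[-1])
```

Because the decision lives in one service, changing the ACL at `/sales` changes the outcome for every resource manager that consults it, and each decision leaves an audit record whether it was granted or refused.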

The Benefits of a Standard Authorization Service

Authorization in most systems, both legacy and new, is tightly coupled to individual applications. Companies typically build applications over time to serve their business needs. Many of these applications require some specific form of authorization.

The result is often a wide variety of applications with differing authorization implementations. These proprietary authorization implementations require separate administration, are difficult to integrate, and result in higher costs of ownership.

A distributed authorization service can provide these independent applications with a standard authorization decision-making mechanism. Benefits of such a standard authorization service would include:

- Reduced cost of developing and managing access to applications
- Reduced total cost of ownership and management of separate authorization systems
- Leverage of existing security infrastructure
- Allow new businesses to open more securely
- Enable newer and different kinds of applications
- Allow shorter development cycles
- Share information securely

Introducing the Policy Director Authorization Service

Policy Director integrates into existing legacy and emerging infrastructures and provides secure, centralized policy management capability. The Policy Director Authorization Service together with WebSEAL and NetSEAL resource managers provides a standard authorization mechanism for business network systems.

Existing applications can take advantage of the Authorization Service without modification of the application itself. Authorization policy is based on user or group roles and can be applied to network servers, individual transactions or database requests, specific Web-based information, management activities, and user-defined objects.

The Authorization API (see Section 1.7: The Policy Director Authorization API) allows existing applications to make calls to the Authorization Service, which in turn makes decisions based on the corporate security policy.

The Authorization Service is also extensible and can be configured to call on other authorization services for additional processing using the IDL interface of the External Authorization Service.

Policy Director Authorization Service Benefits

The Authorization Service provides the following benefits:

- The service is application independent
- The service uses a standard authorization coding style that is language independent (the Authorization API)
- The service is centrally managed and therefore easy to administer: the addition of a new employee, for example, requires modifying the privilege database in one central location, rather than across multiple systems
- The service addresses the application of security services in a heterogeneous cross-platform environment
- The service integrates existing non-Policy Director authorization systems through an external authorization service capability
- The service has a scalable and flexible architecture that can be easily integrated with existing infrastructure
- The service enables multi-tiered authorization: a credentials packet can be passed through the multiple layers of an application process or transaction
- The service uses a common and effective auditing model
- The service is independent of any authentication mechanism

1.5 The Policy Director Authorization Service

The Policy Director Authorization Service is responsible for the authorization decision-making process that helps to enforce a network security policy. Authorization decisions made by the Authorization Service result in the approval or denial of client requests to perform operations on protected resources in the secure domain.

Components

The Authorization Service is made up of three basic components:

- Master authorization policy database
- Management Server
- The authorization decision-making evaluator

Master Authorization Policy Database

The master authorization policy database contains the security policy information for all resources in the secure domain. The database also contains all necessary credential information associated with the participants of the secure domain. You use the Management Console to enter and modify the contents of this database.

Management Server (ivmgrd)

The Management Server maintains the master authorization policy database, replicates this policy information throughout the secure domain, and updates the database replicas whenever a change is made to the master. The Management Server also maintains location information about the other Policy Director and non-Policy Director servers operating in the secure domain.

Note: There must be only one instance of the Management Server in any secure domain.


Oracle Payment Interface Token Proxy Service Security Guide Release 6.1 E November 2017 Oracle Payment Interface Token Proxy Service Security Guide Release 6.1 E87635-01 November 2017 Copyright 2017, Oracle and/or its affiliates. All rights reserved. This software and related documentation

More information

Extending the Domino System. Powered by Notes. The First Groupware and Server for the Net R E L E A S E

Extending the Domino System. Powered by Notes. The First Groupware and  Server for the Net R E L E A S E Extending the Domino System Powered by Notes The First Groupware and E-mail Server for the Net R E L E A S E COPYRIGHT Under the copyright laws, neither the documentation nor the software may be copied,

More information

TMON for DB2 Release Notes Version 1.5

TMON for DB2 Release Notes Version 1.5 TMON for DB2 Release Notes Version 1.5 TMON for DB2 Release Notes Version 1.5 Copyright Notice Copyright IBM Corporation 2001 All rights reserved. May only be used pursuant to a Tivoli Systems Software

More information

Subscriber Traffic Redirection

Subscriber Traffic Redirection Subscriber Traffic Redirection Published: 2014-06-06 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net All rights reserved. Juniper Networks,

More information

Nimsoft Service Desk. Single Sign-On Configuration Guide. [assign the version number for your book]

Nimsoft Service Desk. Single Sign-On Configuration Guide. [assign the version number for your book] Nimsoft Service Desk Single Sign-On Configuration Guide [assign the version number for your book] Legal Notices Copyright 2012, CA. All rights reserved. Warranty The material contained in this document

More information

IBM Tivoli Directory Server

IBM Tivoli Directory Server Build a powerful, security-rich data foundation for enterprise identity management IBM Tivoli Directory Server Highlights Support hundreds of millions of entries by leveraging advanced reliability and

More information

Tivoli Access Manager for Enterprise Single Sign-On

Tivoli Access Manager for Enterprise Single Sign-On Tivoli Access Manager for Enterprise Single Sign-On Version 6.0 Installation and Setup Guide GC23-6349-03 Tivoli Access Manager for Enterprise Single Sign-On Version 6.0 Installation and Setup Guide GC23-6349-03

More information

Oracle Communications WebRTC Session Controller

Oracle Communications WebRTC Session Controller Oracle Communications WebRTC Session Controller Security Guide Release 7.0 E40975-01 November 2013 Oracle Communications WebRTC Session Controller Security Guide, Release 7.0 E40975-01 Copyright 2013,

More information

Version Monitoring Agent User s Guide SC

Version Monitoring Agent User s Guide SC Tivoli IBM Tivoli Advanced Catalog Management for z/os Version 02.01.00 Monitoring Agent User s Guide SC23-7974-00 Tivoli IBM Tivoli Advanced Catalog Management for z/os Version 02.01.00 Monitoring Agent

More information

Release Notes. IBM Tivoli Identity Manager Rational ClearQuest Adapter for TDI 7.0. Version First Edition (January 15, 2011)

Release Notes. IBM Tivoli Identity Manager Rational ClearQuest Adapter for TDI 7.0. Version First Edition (January 15, 2011) IBM Tivoli Identity Manager for TDI 7.0 Version 5.1.1 First Edition (January 15, 2011) This edition applies to version 5.1 of Tivoli Identity Manager and to all subsequent releases and modifications until

More information

Tivoli Access Manager for Enterprise Single Sign-On

Tivoli Access Manager for Enterprise Single Sign-On Tivoli Access Manager for Enterprise Single Sign-On Version 5.0 Kiosk Adapter Release Notes Tivoli Access Manager for Enterprise Single Sign-On Version 5.0 Kiosk Adapter Release Notes Note: Before using

More information

Technical Overview of DirectAccess in Windows 7 and Windows Server 2008 R2. Microsoft Windows Family of Operating Systems

Technical Overview of DirectAccess in Windows 7 and Windows Server 2008 R2. Microsoft Windows Family of Operating Systems Technical Overview of in Windows 7 and Windows Server 2008 R2 Microsoft Windows Family of Operating Systems Published: January 2009 This document supports a preliminary release of a software product that

More information

IBM Tivoli Access Manager for e-business V6.1.1 Implementation

IBM Tivoli Access Manager for e-business V6.1.1 Implementation 000-039 IBM Tivoli Access Manager for e-business V6.1.1 Implementation Version 14.23 Topic 1, Volume A QUESTION NO: 1 What is included in the high level configuration document when WebSEAL clustering must

More information

Version 9 Release 0. IBM i2 Analyst's Notebook Configuration IBM

Version 9 Release 0. IBM i2 Analyst's Notebook Configuration IBM Version 9 Release 0 IBM i2 Analyst's Notebook Configuration IBM Note Before using this information and the product it supports, read the information in Notices on page 11. This edition applies to version

More information

Security Guide Release 4.0

Security Guide Release 4.0 [1]Oracle Communications Session Monitor Security Guide Release 4.0 E89197-01 November 2017 Oracle Communications Session Monitor Security Guide, Release 4.0 E89197-01 Copyright 2017, Oracle and/or its

More information

IBM WebSphere Application Server V3.5, Advanced Edition Expands Platform Support and Leverages the Performance of the Java 2 Software Development Kit

IBM WebSphere Application Server V3.5, Advanced Edition Expands Platform Support and Leverages the Performance of the Java 2 Software Development Kit Software Announcement July 25, 2000 IBM V3.5, Expands Platform Support and Leverages the Performance of the Java 2 Software Development Kit Overview WebSphere Application Server V3.5, manages and integrates

More information

Dell One Identity Cloud Access Manager 8.0. Overview

Dell One Identity Cloud Access Manager 8.0. Overview Dell One Identity Cloud Access Manager 8.0 2015 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under

More information

TME 10 Software Distribution User s Guide. Version 3.6

TME 10 Software Distribution User s Guide. Version 3.6 TME 10 Software Distribution User s Guide Version 3.6 September 1998 TME 10 Software Distribution User s Guide (September 1998) Copyright Notice Copyright 1998 by Tivoli Systems, an IBM Company, including

More information

Tivoli SecureWay Security Manager

Tivoli SecureWay Security Manager Tivoli SecureWay Security Manager Programmer s Guide for TACF Version 3.7 Tivoli SecureWay Security Manager Programmer s Guide for TACF Version 3.7 Tivoli SecureWay Security Management Programmer s Guide

More information

Integration Guide. SafeNet Authentication Manager. SAM using RADIUS Protocol with SonicWALL E-Class Secure Remote Access

Integration Guide. SafeNet Authentication Manager. SAM using RADIUS Protocol with SonicWALL E-Class Secure Remote Access SafeNet Authentication Manager Integration Guide SAM using RADIUS Protocol with SonicWALL E-Class Secure Remote Access Technical Manual Template Release 1.0, PN: 000-000000-000, Rev. A, March 2013, Copyright

More information

TMON for CICS/ESA Release Notes Version 1.5

TMON for CICS/ESA Release Notes Version 1.5 TMON for CICS/ESA Release Notes Version 1.5 TMON for CICS Release Notes Version 1.5 Copyright Notice Copyright IBM Corporation 2001 All rights reserved. May only be used pursuant to a Tivoli Systems Software

More information

Version 9 Release 0. IBM i2 Analyst's Notebook Premium Configuration IBM

Version 9 Release 0. IBM i2 Analyst's Notebook Premium Configuration IBM Version 9 Release 0 IBM i2 Analyst's Notebook Premium Configuration IBM Note Before using this information and the product it supports, read the information in Notices on page 11. This edition applies

More information

Distributed Computing Environment (DCE)

Distributed Computing Environment (DCE) Distributed Computing Environment (DCE) Distributed Computing means computing that involves the cooperation of two or more machines communicating over a network as depicted in Fig-1. The machines participating

More information

Access Manager for e-business Version Administration Guide SC

Access Manager for e-business Version Administration Guide SC Tivoli Access Manager for e-business Version 6.1.1 Administration Guide SC23-6504-01 Tivoli Access Manager for e-business Version 6.1.1 Administration Guide SC23-6504-01 Note Before using this information

More information

Tivoli Management Solution for Microsoft SQL. Release Notes. Version 1.1

Tivoli Management Solution for Microsoft SQL. Release Notes. Version 1.1 Tivoli Management Solution for Microsoft SQL Release Notes Version 1.1 Tivoli Management Solution for Microsoft SQL Release Notes Version 1.1 Tivoli Management Solution for Microsoft SQL Copyright Notice

More information

DISCLAIMER COPYRIGHT List of Trademarks

DISCLAIMER COPYRIGHT List of Trademarks DISCLAIMER This documentation is provided for reference purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this documentation, this documentation

More information

Centrify Infrastructure Services

Centrify Infrastructure Services Centrify Infrastructure Services Administrator s Guide for Windows November 2017 (release 2017.2) Centrify Corporation Legal notice This document and the software described in this document are furnished

More information

RSA Authentication Manager 7.1 Migration Guide

RSA Authentication Manager 7.1 Migration Guide RSA Authentication Manager 7.1 Migration Guide Contact Information See the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com Trademarks RSA and the RSA logo are

More information

Network Integration Guide Planning

Network Integration Guide Planning Title page Nortel Application Gateway 2000 Nortel Application Gateway Release 6.3 Network Integration Guide Planning Document Number: NN42360-200 Document Release: Standard 04.01 Date: October 2008 Year

More information

RSA Authentication Manager 7.1 Administrator s Guide

RSA Authentication Manager 7.1 Administrator s Guide RSA Authentication Manager 7.1 Administrator s Guide Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com Trademarks RSA and the RSA

More information

Tivoli Access Manager for e-business

Tivoli Access Manager for e-business Tivoli Access Manager for e-business Version 6.1 Problem Determination Guide GI11-8156-00 Tivoli Access Manager for e-business Version 6.1 Problem Determination Guide GI11-8156-00 Note Before using this

More information

One Identity Defender 5.9. Product Overview

One Identity Defender 5.9. Product Overview One Identity 5.9 Product Overview Copyright 2017 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished

More information

SafeNet Authentication Service

SafeNet Authentication Service SafeNet Authentication Service Push OTP Integration Guide All information herein is either public information or is the property of and owned solely by Gemalto NV. and/or its subsidiaries who shall have

More information

Configuring Content Authentication and Authorization on Standalone Content Engines

Configuring Content Authentication and Authorization on Standalone Content Engines CHAPTER 10 Configuring Content Authentication and Authorization on Standalone Content Engines This chapter describes how to configure content authentication and authorization on standalone Content Engines

More information

SafeNet Authentication Service

SafeNet Authentication Service SafeNet Authentication Service Integration Guide Using SafeNet Authentication Service as an Identity Provider for SonicWALL Secure Remote Access All information herein is either public information or is

More information

RSA Authentication Manager 7.1 Help Desk Administrator s Guide

RSA Authentication Manager 7.1 Help Desk Administrator s Guide RSA Authentication Manager 7.1 Help Desk Administrator s Guide Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com Trademarks RSA,

More information

Installing and Administering a Satellite Environment

Installing and Administering a Satellite Environment IBM DB2 Universal Database Installing and Administering a Satellite Environment Version 8 GC09-4823-00 IBM DB2 Universal Database Installing and Administering a Satellite Environment Version 8 GC09-4823-00

More information

Release Notes. IBM Security Identity Manager GroupWise Adapter. Version First Edition (September 13, 2013)

Release Notes. IBM Security Identity Manager GroupWise Adapter. Version First Edition (September 13, 2013) Release Notes IBM Security Identity Manager GroupWise Adapter Version 6.0.2 First Edition (September 13, 2013) This edition applies to version 6.0 of IBM Security Identity Manager and to all subsequent

More information

Nimsoft Monitor Server

Nimsoft Monitor Server Nimsoft Monitor Server Configuration Guide v6.00 Document Revision History Version Date Changes 1.0 10/20/2011 Initial version of Nimsoft Server Configuration Guide, containing configuration and usage

More information

Oracle Hospitality RES 3700 Security Guide Release 5.5 E May 2016

Oracle Hospitality RES 3700 Security Guide Release 5.5 E May 2016 Oracle Hospitality RES 3700 Security Guide Release 5.5 E76231-01 May 2016 Copyright 1998, 2016, Oracle and/or its affiliates. All rights reserved. This software and related documentation are provided under

More information

IBM Tivoli Monitoring for Web Infrastructure: WebSphere Application Server. User s Guide. Version SC

IBM Tivoli Monitoring for Web Infrastructure: WebSphere Application Server. User s Guide. Version SC IBM Tivoli Monitoring for Web Infrastructure: WebSphere Application Server User s Guide Version 5.1.1 SC23-4705-01 IBM Tivoli Monitoring for Web Infrastructure: WebSphere Application Server User s Guide

More information

TME 10 Software Distribution AutoPack User s Guide. Version 3.6

TME 10 Software Distribution AutoPack User s Guide. Version 3.6 TME 10 Software Distribution AutoPack User s Guide Version 3.6 September 1998 TME 10 Software Distribution AutoPack User s Guide (September 1998) Copyright Notice Copyright 1998 by Tivoli Systems, an

More information

HPE Security Fortify WebInspect Enterprise Software Version: Windows operating systems. Installation and Implementation Guide

HPE Security Fortify WebInspect Enterprise Software Version: Windows operating systems. Installation and Implementation Guide HPE Security Fortify WebInspect Enterprise Software Version: 17.10 Windows operating systems Installation and Implementation Guide Document Release Date: May 2017 Software Release Date: April 2017 Legal

More information

Security Digital Certificate Manager

Security Digital Certificate Manager System i Security Digital Certificate Manager Version 6 Release 1 System i Security Digital Certificate Manager Version 6 Release 1 Note Before using this information and the product it supports, be sure

More information

National Language Support for Windows NT and AIX Now Available with IBM WebSphere Application Server V3.0.1, Standard Edition

National Language Support for Windows NT and AIX Now Available with IBM WebSphere Application Server V3.0.1, Standard Edition Software Announcement November 16, 1999 National Language Support for Windows NT and AIX Now Available with IBM WebSphere Application Server V3.0.1, Standard Edition Overview WebSphere Application Server

More information

CA SiteMinder Web Access Manager. Configuring SiteMinder Single Sign On for Microsoft SharePoint 2007 Using Forms-based Authentication

CA SiteMinder Web Access Manager. Configuring SiteMinder Single Sign On for Microsoft SharePoint 2007 Using Forms-based Authentication CA SiteMinder Web Access Manager Configuring SiteMinder Single Sign On for Microsoft SharePoint 2007 Using Forms-based Authentication This documentation and any related computer software help programs

More information

CA IdentityMinder. Glossary

CA IdentityMinder. Glossary CA IdentityMinder Glossary 12.6.3 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation ) is for your informational

More information

Policy Manager for IBM WebSphere DataPower 7.2: Configuration Guide

Policy Manager for IBM WebSphere DataPower 7.2: Configuration Guide Policy Manager for IBM WebSphere DataPower 7.2: Configuration Guide Policy Manager for IBM WebSphere DataPower Configuration Guide SOAPMDP_Config_7.2.0 Copyright Copyright 2015 SOA Software, Inc. All rights

More information

Interoperability Solutions Guide for Oracle Web Services Manager 12c (12.2.1)

Interoperability Solutions Guide for Oracle Web Services Manager 12c (12.2.1) [1]Oracle Fusion Middleware Interoperability Solutions Guide for Oracle Web Services Manager 12c (12.2.1) E57783-01 October 2015 Documentation for software developers that describes how to implement the

More information