Access Manager for e-business Version Administration Guide SC

Transcription

1 Tivoli Access Manager for e-business Version Administration Guide SC

2

3 Tivoli Access Manager for e-business Version Administration Guide SC

4 Note Before using this information and the product it supports, read the information in Appendix H, Notices, on page 379. Edition notice This edition applies to version 6, release 1, modification 1 of IBM Tivoli Access Manager (product number 5724-C87) and to all subsequent releases and modifications until otherwise indicated in new editions. All rights reserved. Copyright IBM Corporation 1999, US Government Users Restricted Rights Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

5 Contents About this publication ix Intended audience ix Publications ix IBM Tivoli Access Manager for e-business library ix Related products and publications xi Accessing terminology online xii Accessing publications online xii Ordering publications xii Accessibility xiii Tivoli technical training xiii Tivoli user groups xiii Support information xiii Conventions used in this publication..... xiv Typeface conventions xiv Operating system-dependent variables and paths xiv Chapter 1. Tivoli Access Manager overview Core technologies Authentication Authorization Quality of Protection Scalability Accountability Centralized management Security policy overview Authorization API standard Authorization: conceptual model The benefits of a standard authorization service. 7 Tivoli Access Manager authorization service overview Tivoli Access Manager authorization service Components Authorization service interfaces Replication for scalability and performance Implementing a network security policy Defining and applying security policy The authorization process: step-by-step Tivoli Access Manager authorization API Using the authorization API: examples Authorization API: remote cache mode Authorization API: local cache mode External authorization capability Extending the authorization service Imposing conditions on resource requests The authorization evaluation process Implementing an external authorization service 20 Deployment strategies Chapter 2. Web Portal Manager Types of administration Delegate administration tasks Self-care Self-registration Web Portal Manager common tasks Starting Web Portal Manager Logging in and signing off Accessing online help Customizing the Web Portal Manager interface.. 28 Customizing the images Self-registration tasks Performing self-registration Changing Java Server Pages Chapter 3. Tivoli Access Manager administration Domains Protected object space Users and groups Security policy ACL policies Using ACL policies with the authorization service 38 Evaluating ACL policies Protected object policies Authorization rules How authorization rules differ When to use authorization rules Guidelines for a secure object space Chapter 4. Default security policy Default administration users and groups iv-admin group sec_master user ivmgrd-servers group Administration users Defining and applying security policy ACL policies Protected object policies Authorization rules Sparse security policy model Security policy inheritance default-root ACL policy Control permission Traverse permission Resolving an access request Applying ACL policies to different object types 50 ACL policy inheritance example Default ACL policies default-root ACL policy default-management ACL policy default-replica ACL policy default-config ACL policy default-gso ACL policy default-policy ACL policy default-domain ACL policy default-proxy ACL policy /Management permissions /Management/ACL permissions /Management/Action permissions Copyright IBM Corp. 1999, 2010 iii

6 /Management/POP permissions /Management/Server permissions /Management/Config permissions /Management/Policy permissions /Management/Replica permissions /Management/Users permissions /Management/Groups permissions /Management/GSO permissions /Management/Rule permissions /Management/Domain permissions /Management/Proxy permissions Chapter 5. Managing domains Logging in to domains Creating a domain Modifying the description for a domain Listing domains Deleting a domain Chapter 6. Managing object spaces.. 65 Creating an object space Listing object spaces Copying an object space Importing object spaces Exporting object spaces Deleting an object space Chapter 7. Managing protected objects 71 Creating an object Listing objects Importing objects Exporting objects Deleting an object Chapter 8. Managing access control.. 77 ACL policies ACL entries Type attribute ID attribute Permissions attribute Action groups and actions Default permissions in the primary action group 80 Custom permissions in custom action groups.. 81 Managing ACL policies Creating an ACL policy Modifying the description of an ACL policy.. 84 Listing ACL policies Viewing an ACL policy Cloning an ACL policy Importing ACL policies Exporting all ACL policies Exporting a single ACL policy Exporting multiple ACL policies Attaching an ACL policy to an object Detaching an ACL policy from an object Locating where an ACL policy is attached Deleting an ACL policy Managing ACL entries in ACL policies Creating an ACL entry Modifying permissions for an ACL entry Removing ACL entries from an ACL policy Managing extended attributes in ACL policies Creating extended attributes for an ACL policy 92 Modifying extended attributes from an ACL policy Listing extended attributes of an ACL policy.. 93 Viewing extended attributes of an ACL policy.. 94 Deleting extended attributes from an ACL policy 94 Deleting extended attribute values from an ACL policy Managing action groups Creating action groups Listing action groups Deleting an action group Managing actions Creating actions in an action group Listing actions in an action group Deleting actions from an action group Chapter 9. Protected object policy management Managing protected object policies Creating a POP Modifying a POP Listing POPs Viewing a POP Cloning a POP Importing POPs Exporting all POPs Export a single POP Exporting multiple POPs Attaching a POP to an object Detaching a POP from an object Locating where a POP is attached Deleting a POP Network-based authorization algorithm Network-based authorization policy Configuring POP attributes Setting a warning mode Setting an audit level Setting a time-of-day restriction Specifying IP addresses and ranges Setting a Quality of Protection level Step-up authentication Configuring levels for step-up authentication 115 Applying step-up authentication policy Distinguishing step-up from multi-factor authentication Chapter 10. Authorization rules management Authorization rules overview Access decision information Sources for retrieving ADI Volatile versus nonvolatile data Authorization rule language ADI XML document model XML access decision information Defining an XML namespace Authorization rules evaluator iv Administration Guide

7 Format and constraints of rules Examples of authorization rules Methods of providing ADI to the rules evaluator Reason codes for rule failures Configuration file and initialization attributes resource-manager-provided-adi dynamic-adi-entitlement-services input-adi-xml-prolog and xsl-stylesheet-prolog 136 [xmladi-attribute-definitions] Managing authorization rules Creating an authorization rule Modifying an authorization rule Listing authorization rules Cloning an authorization rule Importing authorization rules Exporting all authorization rules Exporting a single authorization rule Exporting multiple authorization rules Attaching an authorization rule to a protected object Detaching an authorization rule Locating where an authorization rule is attached 143 Deleting an authorization rule Chapter 11. Managing users and groups Managing users Creating a user Listing users Changing a password Setting user policy Setting global user policy Importing users Deleting a user Managing groups Creating a group Listing groups Importing groups Deleting a group Enabling dynamic group support LDAP registry Active Directory Chapter 12. Certificate and password management Initial configuration Key file and stash file renewal information Trust determination Reconfiguring the PDCA on the policy server 163 Reconfiguring the PDCA on the runtime machines Transferring the PDCA certificate to other machines Server certificate revocation Additional key and stash file considerations Chapter 13. Server management Tivoli Access Manager servers Proxy server Server dependencies Tivoli Access Manager utilities Tivoli Access Manager servers tasks Starting and stopping servers on Linux and UNIX operating systems Starting and stopping servers on Windows operating systems Server configuration file tasks Changing configuration settings Automating server startup at boot time Policy server administration tasks Replicating the authorization database Using the server replicate command Setting the number of update-notifier threads 175 Setting the notification delay time Chapter 14. High availability of the policy server Data integrity Primary and replica LDAP servers Active and passive policy servers High availability management Verify the policy server setup for high availability Review log files Chapter 15. Multiple-tenancy policy server Chapter 16. Delegated administration 183 Overview of delegated administration Delegated role administration Administrative tasks for roles Delegated object space management Structuring the object space for management delegation Default administration users and groups Example of management delegation Delegated user and group management Creating group container objects Creating groups ACL policies affecting group management ACL policies affecting user management Security policy for delegated administration Chapter 17. Diagnostics and auditing 197 Diagnostic events Auditing events Appendix A. Guidelines for changing configuring files General guidelines Default values Strings Defined strings File names Integers Boolean values Contents v

8 Appendix B. Configuration file reference Location of configuration files Tivoli Access Manager runtime configuration file 205 Authorization server configuration file Policy server configuration file Policy proxy server configuration file LDAP server configuration file LDAP client with Active Directory server configuration file Active Directory server configuration file Domino server configuration file Web Portal Manager configuration file Common audit service configuration files Resource manager configuration files Appendix C. Configuration file stanza reference [authentication-mechanisms] stanza cert-ldap cert-uraf passwd-ldap passwd-uraf [aznapi-admin-services] stanza service-id [aznapi-configuration] stanza audit-attribute azn-app-host azn-server-name cache-refresh-interval cred-attributes-entitlement-services db-file dynamic-adi-entitlement-services input-adi-xml-prolog listen-flags logcfg mode pd-user-name pd-user-pwd permission-info-returned policy-cache-size resource-manager-provided-adi xsl-stylesheet-prolog [aznapi-cred-modification-services] stanza service-id [aznapi-entitlement-services] stanza service-id [aznapi-external-authzn-services] stanza policy-trigger [aznapi-pac-services] stanza service-id [cars-client] stanza compress diskcachepath doaudit clientpassword clientusername errorfilepath flushinterval keyfilepath lowwater hiwater maxcachefiles maxcachefilesize maxerrorfiles maxerrorfilesize maxtracefiles maxtracefilesize numbercmthreads numbereqthreads numberretries queuesize rebindinterval retryinterval serverurl stashfilepath tracelevel tracefilepath transfersize usediskcache [cars-filter] stanza auditevent [configuration-database] stanza file [delegated-admin] stanza authorize-group-list [domains] and [domain=domain_name] stanzas allowed-registry-substrings database-path domain [ivacld] stanza log-file logcfg permit-unauth-remote-caller pid-file tcp-req-port unix-user unix-group [ivmgrd] stanza provide-last-login provide-last-pwd-change auto-database-update-notify ca-cert-download-enabled database-path log-file logcfg max-notifier-threads notifier-wait-time pid-file standby tcp-req-port unix-user unix-group [ldap] stanza enhanced-pwd-policy max-auth-connections enable-last-login auth-using-compare authn-timeout bind-dn cache-enabled vi Administration Guide

9 cache-group-expire-time cache-group-membership cache-group-size cache-policy-expire-time cache-policy-size cache-return-registry-id cache-use-user-cache cache-user-expire-time cache-user-size default-policy-override-support ldap-server-config login-failures-persistent max-search-size port prefer-readwrite-server search-timeout ssl-enabled ssl-keyfile ssl-keyfile-dn ssl-keyfile-pwd user-and-group-in-same-suffix [ldap] stanza for ldap.conf cache-enabled connection-inactivity dynamic-groups-enabled enabled host ignore-suffix max-search-size max-server-connections novell-suffix-search-enabled port replica secauthority-suffix ssl-port [manager] stanza management-domain master-host master-port [meta-info] stanza version [pdconfig] stanza LdapSSL LdapSSLKeyFile LdapSSLKeyFileDn LdapSSLKeyFilePwd [pdaudit-filter] stanza logcfg [pdmgrproxyd] stanza cache-database log-file pid-file tcp-req-port unix-group unix-user [pdrte] stanza boot-start-ivacld boot-start-ivmgrd boot-start-pdproxyd configured tivoli_common_dir user-reg-host user-reg-hostport user-reg-server user-reg-type [pdwpm] stanza aclmembership authmethod bannerfile changepassword debug infobargif jrtehost jrteprops logingif splashgif wasembedded [ssl] stanza ssl-authn-type ssl-auto-refresh ssl-cert-life ssl-enable-fips ssl-io-inactivity-timeout ssl-keyfile ssl-keyfile-label ssl-keyfile-stash ssl-listening-port ssl-local-domain ssl-maximum-worker-threads ssl-pwd-life ssl-v3-timeout [ssl] stanza for ldap.conf ssl-local-domain [uraf-registry] stanza bind-id cache-mode cache-lifetime cache-size uraf-registry-config [uraf-registry] stanza for domino.conf enabled NAB PDM server uraf-return-registry-id [uraf-registry] stanza for activedir.conf dnforpd domain dynamic-groups-enabled enabled hostname multi-domain uraf-return-registry-id use- -as-user-id useencryption [uraf-registry] stanza for activedir_ldap.conf change-pwd-using-ldap-api dnforpd domain dynamic-groups-enabled enabled ldap-client-timeout Contents vii

10 max-connections-per-ad-domain multi-domain primary-domain ssl-keyfile ssl-keyfile-label ssl-keyfile-pwd uraf-return-registry-id use- -as-user-id ad-gc-server ad-gc-port UseSSL [xmladi-attribute-definitions] stanza AttributeName Appendix D. User registry differences 329 General concerns LDAP concerns Sun Java System Directory Server concerns Microsoft Active Directory Application Mode (ADAM) concerns URAF concerns Lotus Domino Server concerns Microsoft Active Directory Server concerns Length of names Appendix E. pdadmin to Web Portal Manager equivalents Appendix F. Managing user registries 345 LDAP-specific tasks LDAP failover configuration Using valid characters for LDAP user and group names Applying Tivoli Access Manager ACLs to new LDAP suffixes Setting the password history policy Active Directory-specific tasks Setting up Microsoft Windows 2003 Domain Name System for Active Directory Adding a new domain name to a DNS Updating the Tivoli Access Manager schema 363 Adding a Tivoli Access Manager user to the Active Directory system group Using valid characters for Active Directory user, group, and distinguished names Importing dynamic groups to Tivoli Access Manager Enabling change user password requests to be performed using LDAP APIs Enabling support for the use of address or other alternate format as user identity Novell-specific tasks Updating the edirectory schema Novell edirectory maintenance activities that can damage schema modifications applied by Tivoli Access Manager Appendix G. Support information Searching knowledge bases Searching information centers Searching the Internet Obtaining fixes Registering with IBM Software Support Receiving weekly software updates Contacting IBM Software Support Determining the business impact Describing problems and gathering information 376 Submitting problems Appendix H. Notices Trademarks Glossary Index viii Administration Guide

11 About this publication Intended audience Publications IBM Tivoli Access Manager for e-business provides an access control management solution to centralize network and application security policy for e-business applications. The IBM Tivoli Access Manager for e-business: Administration Guide provides a comprehensive set of procedures and for managing Tivoli Access Manager servers and resources. This guide also provides you with valuable background and conceptual information about the wide range of Tivoli Access Manager functionality. This guide is for system administrators responsible for the deployment and administration of base Tivoli Access Manager software. Readers should be familiar with the following: v Microsoft Windows and UNIX operating systems v Database architecture and concepts v Security management v Internet protocols, including HTTP and TCP/IP v Lightweight Directory Access Protocol (LDAP) and directory services v Authentication and authorization v Tivoli Access Manager security model and its capabilities You should also be familiar with SSL protocol, key exchange (public and private), digital signatures, cryptographic algorithms, and certificate authorities. This section lists publications in the IBM Tivoli Access Manager for e-business library and related documents. The section also describes how to access Tivoli publications online and how to order Tivoli publications. IBM Tivoli Access Manager for e-business library The following documents are in the Tivoli Access Manager for e-business library: v IBM Tivoli Access Manager for e-business: Quick Start Guide, GI Provides steps that summarize major installation and configuration tasks. v IBM Tivoli Access Manager for e-business: Release Notes, GC Provides information about installing and getting started, system requirements, and known installation and configuration problems. v IBM Tivoli Access Manager for e-business: Installation Guide, GC Explains how to install and configure Tivoli Access Manager for e-business. v IBM Tivoli Access Manager for e-business: Upgrade Guide, SC Upgrade from version 5.0, 6.0, or 6.1 to version v IBM Tivoli Access Manager for e-business: Administration Guide, SC Copyright IBM Corp. 1999, 2010 ix

12 v v v v v v v v v v v Describes the concepts and procedures for using Tivoli Access Manager. Provides instructions for performing tasks from the Web Portal Manager interface and by using the pdadmin utility. IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide, SC Provides background material, administrative procedures, and for using WebSEAL to manage the resources of your secure Web domain. IBM Tivoli Access Manager for e-business: Plug-in for Edge Server Administration Guide, SC Provides instructions for integrating Tivoli Access Manager with the IBM WebSphere Edge Server application. IBM Tivoli Access Manager for e-business: Plug-in for Web Servers Administration Guide, SC Provides procedures and for securing your Web domain using a Web server plug-in. IBM Tivoli Access Manager for e-business: Shared Session Management Administration Guide, SC Provides deployment considerations and operational instructions for the session management server. IBM Global Security Kit: Secure Sockets Layer Introduction and ikeyman User's Guide, SC Provides information for enabling SSL communication in the Tivoli Access Manager environment. IBM Tivoli Access Manager for e-business: Auditing Guide, SC Provides information about configuring and managing audit events using the native Tivoli Access Manager approach and the Common Auditing and Reporting Service. You can also find information about installing and configuring the Common Auditing and Reporting Service. Use this service for generating and viewing operational reports. IBM Tivoli Access Manager for e-business: Command Reference, SC Provides about the commands, utilities, and scripts that are provided with Tivoli Access Manager. IBM Tivoli Access Manager for e-business: Administration C API Developer Reference, SC Provides about using the C language implementation of the administration API to enable an application to perform Tivoli Access Manager administration tasks. IBM Tivoli Access Manager for e-business: Administration Java Classes Developer Reference, SC Provides about using the Java language implementation of the administration API to enable an application to perform Tivoli Access Manager administration tasks. IBM Tivoli Access Manager for e-business: Authorization C API Developer Reference, SC Provides about using the C language implementation of the authorization API to enable an application to use Tivoli Access Manager security. IBM Tivoli Access Manager for e-business: Authorization Java Classes Developer Reference, SC Provides about using the Java language implementation of the authorization API to enable an application to use Tivoli Access Manager security. x Administration Guide

13 v IBM Tivoli Access Manager for e-business: Web Security Developer Reference, SC Provides programming and for developing authentication modules. v IBM Tivoli Access Manager for e-business: Troubleshooting Guide, GC Provides problem determination information. v IBM Tivoli Access Manager for e-business: Error Message Reference, GI Provides explanations and recommended actions for the messages and return code. v IBM Tivoli Access Manager for e-business: Performance Tuning Guide, SC Provides performance tuning information for an environment consisting of Tivoli Access Manager with the IBM Tivoli Directory Server as the user registry. Related products and publications This section lists the IBM products that are related to and included with a Tivoli Access Manager solution. IBM Global Security Kit Tivoli Access Manager provides data encryption through the use of the Global Security Kit (GSKit), version 7.0. GSKit is included on the IBM Tivoli Access Manager Base CD for your particular platform, as well as on the IBM Tivoli Access Manager Web Security CDs, the IBM Tivoli Access Manager Shared Session Management CDs, and the IBM Tivoli Access Manager Directory Server CDs. The GSKit package provides the ikeyman key management utility, gsk7ikm, which creates key databases, public-private key pairs, and certificate requests. The IBM Global Security Kit: Secure Sockets Layer Introduction and ikeyman User's Guide is available on the Tivoli Information Center Web site in the same section as the Tivoli Access Manager product documentation. IBM Tivoli Directory Server IBM Tivoli Directory Server, version 6.1, is included on the IBM Tivoli Access Manager Directory Server set of CDs for the required operating system. You can find additional information about Tivoli Directory Server at: IBM Tivoli Directory Integrator IBM Tivoli Directory Integrator, version 6.1.1, is included on the IBM Tivoli Directory Integrator CD for the required operating system. You can find additional information about IBM Tivoli Directory Integrator at: IBM DB2 Universal Database IBM DB2 Universal Database Enterprise Server Edition, version 9.1, is provided on the IBM Tivoli Access Manager Directory Server set of CDs and is installed with the Tivoli Directory Server software. DB2 is required when using Tivoli Directory Server or z/os LDAP servers as the user registry for Tivoli Access Manager. For z/os LDAP servers, you must separately purchase DB2. You can find additional information about DB2 at: About this publication xi

14 IBM WebSphere Application Server WebSphere Application Server, version 6.1, is included on the IBM Tivoli Access Manager WebSphere Application Server set of CDs for the required operating system. WebSphere Application Server enables the support of the following applications: v Web Portal Manager interface, which administers Tivoli Access Manager. v Web Administration Tool, which administers Tivoli Directory Server. v v v Common Auditing and Reporting Service, which processes and reports on audit events. Session management server, which manages shared session in a Web security server environment. Attribute Retrieval Service. You can find additional information about WebSphere Application Server at: Accessing terminology online The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available at the following Tivoli software library Web site: The IBM Terminology Web site consolidates the terminology from IBM product libraries in one convenient location. You can access the Terminology Web site at Accessing publications online The documentation CD contains the publications that are in the product library. The format of the publications is PDF, HTML, or both. Refer to the readme file on the CD for instructions on how to access the documentation. The product CD contains the publications that are in the product library. The format of the publications is PDF, HTML, or both. To access the publications using a Web browser, open the infocenter.html file. The file is in the appropriate publications directory on the product CD. IBM posts publications for this and all other Tivoli products, as they become available and whenever they are updated, to the Tivoli Documentation Central Web site at Note: If you print PDF documents on other than letter-sized paper, set the option in the File Print window that allows Adobe Reader to print letter-sized pages on your local paper. Ordering publications You can order many Tivoli publications online at You can also order by telephone by calling one of these numbers: v In the United States: xii Administration Guide

15 v In Canada: In other countries, contact your software account representative to order Tivoli publications. To locate the telephone number of your local representative, perform the following steps: 1. Go to 2. Select your country from the list and click Go. 3. Click About this site in the main panel to see an information page that includes the telephone number of your local representative. Accessibility Tivoli technical training Tivoli user groups Support information Accessibility features help users with a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You can also use the keyboard instead of the mouse to operate all features of the graphical user interface. Visit the IBM Accessibility Center at accessibility/ for more information about IBM's commitment to accessibility. For additional information, see the Accessibility Appendix in IBM Tivoli Access Manager for e-business Installation Guide. For Tivoli technical training information, refer to the following IBM Tivoli Education Web site at Tivoli user groups are independent, user-run membership organizations that provide Tivoli users with information to assist them in the implementation of Tivoli Software solutions. Through these groups, members can share information and learn from the knowledge and experience of other Tivoli users. Tivoli user groups include the following members and groups: v 23,000+ members v 144+ groups Access the link for the Tivoli Users Group at If you have a problem with your IBM software, you want to resolve it quickly. IBM provides the following ways for you to obtain the support you need: Online Access the Tivoli Software Support site at sysmgmt/products/support/index.html?ibmprd=tivman. Access the IBM Software Support site at probsub.html. IBM Support Assistant The IBM Support Assistant is a free local software serviceability workbench that helps you resolve questions and problems with IBM software About this publication xiii

16 products. The Support Assistant provides quick access to support-related information and serviceability tools for problem determination. To install the Support Assistant software, go to support/isa. Troubleshooting Guide For more information about resolving problems, see the IBM Tivoli Access Manager for e-business Installation Guide. Conventions used in this publication This publication uses several conventions for special terms and actions, operating system-dependent commands, and paths. Typeface conventions This publication uses the following typeface conventions: Bold Italic v v v v v Lowercase commands and mixed case commands that are otherwise difficult to distinguish from surrounding text Interface controls (check boxes, push buttons, radio buttons, spin buttons, fields, folders, icons, list boxes, items inside list boxes, multicolumn lists, containers, menu choices, menu names, tabs, property sheets), labels (such as Tip:, and Operating system considerations:) Keywords and parameters in text Citations (examples: titles of publications, diskettes, and CDs Words defined in text (example: a nonswitched line is called a point-to-point line) v Emphasis of words and letters (words as words example: "Use the word that to introduce a restrictive clause."; letters as letters example: "The LUN address must start with the letter L.") v New terms in text (except in a definition list): a view is a frame in a workspace that contains data. v Variables and values you must provide:... where myname represents... Monospace v Examples and code examples v File names, programming keywords, and other elements that are difficult to distinguish from surrounding text v Message text and prompts addressed to the user v Text that the user must type v Values for arguments or command options Operating system-dependent variables and paths This publication uses the UNIX convention for specifying environment variables and for directory notation. When using the Windows command line, replace $variable with % variable% for environment variables and replace each forward slash (/) with a backslash (\) in directory paths. The names of environment variables are not always the same in the Windows and UNIX environments. For example, %TEMP% in Windows environments is equivalent to $TMPDIR in UNIX environments. xiv Administration Guide

17 Note: If you are using the bash shell on a Windows system, you can use the UNIX conventions. About this publication xv

18 xvi Administration Guide

19 Chapter 1. Tivoli Access Manager overview Core technologies Tivoli Access Manager is an authentication and authorization solution for corporate Web, client/server, and existing applications. Tivoli Access Manager allows you to control user access to protected information and resources. By providing a centralized, flexible, and scalable access control solution, Tivoli Access Manager allows you to build secure and easy-to-manage network-based applications and e-business infrastructure. Tivoli Access Manager supports authentication, authorization, data security, and resource management capabilities. You use Tivoli Access Manager in conjunction with standard Internet-based applications to build highly secure and well-managed intranets. Tivoli Access Manager provides the following frameworks: Authentication framework The Tivoli Access Manager authentication service uses a wide range of built-in authenticators and supports external authenticators. Authorization framework The Tivoli Access Manager authorization service, accessed through a standard authorization application programming interface (API), provides permit and deny decisions on access requests for native Tivoli Access Manager servers and other applications. The authorization service, together with resource managers, provides a standard authorization mechanism for business network systems. Tivoli Access Manager can be integrated into existing and emerging infrastructures to provide secure, centralized policy management capability. The following resource managers are some of the existing resource managers: IBM Tivoli Access Manager WebSEAL Manages and protects Web-based information and resources. WebSEAL is included with Tivoli Access Manager for e-business. IBM Tivoli Access Manager for Operating Systems Provides a layer of authorization policy enforcement on Linux and UNIX operating systems in addition to that provided by the native operating system. Existing applications can take advantage of the Tivoli Access Manager authorization service as well as provide a common security policy for the entire enterprise. The Tivoli Access Manager network security management solution provides and supports the following core technologies: v Authentication v Authorization v Quality of Protection Copyright IBM Corp. 1999,

20 v v v Scalability Accountability Centralized management Authentication Authentication is the first step a user must take when making a request for a resource that is protected by Tivoli Access Manager. During authentication, a user identity is validated. The authentication process is usually dependent on the specific requirements of the service-providing application. Tivoli Access Manager allows a highly flexible approach to authentication through the use of the authorization API. Tivoli Access Manager provides built-in support of user name and password authentication through the authorization API. Applications can build any custom authentication mechanism that uses the authorization API. Authorization Authorization enforces the security policy by determining what objects a user can access and what actions a user can take on those objects and then granting appropriate access to the user. Tivoli Access Manager handles authorization through the use of the following: v Tivoli Access Manager authorization service v v v Access control lists (ACLs), protected object policies (POPs), and authorization rules for fine-grained access control Standards-based authorization API, using the aznapi for C language applications, and the Java Authentication and Authorization Service (JAAS) for Java language applications External authorization service capability Quality of Protection Quality of Protection (QoP) is the degree to which Tivoli Access Manager protects any information that is transmitted between a client and a server. The quality of data protection is determined by the combined effect of encryption standards and modification-detection algorithms. The resource manager is responsible for ensuring that the quality of data protection is enforced. Tivoli Access Manager supports the following levels of Quality of Protection: v Standard Transmission Control Protocol (TCP) communication (no protection) v Data integrity protects messages (data stream) from being modified during network communication v Data privacy protects messages from being modified or inspected during network communication Supported encryption ciphers Tivoli Access Manager uses encryption ciphers that are provided by GSKit and Java Secure Socket Extension (JSSE). To learn about these encryption ciphers, see the GSKit and JSSE documentation. Secure communication Tivoli Access Manager supports the data integrity and data privacy provided by the Secure Socket Layer (SSL) communication protocol and the Transport Layer Security (TLS) communication protocol. 2 Administration Guide

21 The SSL handshake protocol provides security and privacy over the Internet. SSL works by using public key for authentication and secret key to encrypt data that is transferred over the SSL connection. The TLS protocol meets the Federal Information Processing Standards (FIPS) standard that describes United States Federal government requirements for sensitive, but unclassified use of information technology products. When FIPS mode is enabled in Tivoli Access Manager, TLS version 1 (TLSv1) is used instead of SSL version 3 (SSLv3). Tivoli Access Manager generates keys and certificates using FIPS-approved operations. Therefore, the client- and server-side keys and certificates are always FIPS approved. To switch from SSL to TLS, all server and remote runtime configurations must be changed. In Tivoli Access Manager this indicates whether FIPS mode is enabled or disabled in the environment. When FIPS mode is enabled, the desired protocol is TLS. When FIPS mode is not enabled, the desired protocol is SSL. Note: SSL and TLS protocols cannot be mixed in a Tivoli Access Manager environment. If a previous release of Tivoli Access Manager runtime did not support TLS (currently communicating with SSL), these runtimes cannot communicate with a server that is enabled for FIPS (now communicating with TLS). Scalability Scalability is the ability to respond to increasing numbers of users who access resources in the domain. Tivoli Access Manager uses the following techniques to provide scalability: v Replication of services Authentication services Authorization services Security policies Data encryption services Auditing services v Front-end replicated servers Mirrored resources for high availability Load balancing client requests v Back-end replicated servers Back-end servers can be Tivoli Access Manager WebSEAL, Tivoli Access Manager for Operating Systems, Tivoli Access Manager for Business Integration, or other application servers Mirrored resources (unified object space) for high availability Additional content and resources Load balancing of incoming requests v v Optimized performance by allowing for the off-loading of authentication services and authorization services to separate servers Scaled deployment of services without increasing management overhead Chapter 1. Tivoli Access Manager overview 3

22 Accountability Tivoli Access Manager provides a number of logging and auditing capabilities. Log files capture any error and warning messages generated by Tivoli Access Manager servers. Audit trail files monitor Tivoli Access Manager server activity. Centralized management The following methods are provided for managing security policy and the Tivoli Access Manager servers: v v v pdadmin command line interface Web Portal Manager graphical user interface (GUI) Administration API You can accomplish most tasks using any of these methods. However, some tasks cannot be performed using Web Portal Manager. pdadmin command interface The pdadmin command line interface is used for Tivoli Access Manager administration. This interface provides commands for managing users, groups, roles, permissions, policies, domains, and servers, as well as for performing other tasks. This interface can be used in scripts or batch files to automate processing. This interface is installed as part of the Tivoli Access Manager runtime package. For specific task information, see the task-specific chapters in this guide. For detailed syntax information about the pdadmin command line interface, see the IBM Tivoli Access Manager for e-business: Command Reference. Web Portal Manager Web Portal Manager is an optional Web-based interface used for Tivoli Access Manager administration. Web Portal Manager allows you to perform administrative tasks, such as managing users, groups, roles, permissions, policies, domains, and servers. This optional interface must be installed separately from the Tivoli Access Manager Web Portal Manager CD for your operating system. A key advantage to using Web Portal Manager is that you can perform these tasks remotely using any supported Web browser. You do not need any special network configuration. For specific task information, refer to chapters in this guide. For more information on using Web Portal Manager, see the Web Portal Manager online help. Administration API The administration API provided by Tivoli Access Manager is a set of programming interfaces that allow you to write applications to manage users, groups, roles, permissions, policies, domains, and servers. Both C and Java language versions of these functions are available. Details on the administration API are provided in the IBM Tivoli Access Manager for e-business: Administration C API Developer Reference and the IBM Tivoli Access Manager for e-business: Administration Java Classes Developer Reference. 4 Administration Guide

23 Security policy overview Authorization API standard The goal of any security policy is to adequately protect business assets and resources with a minimal amount of administrative effort. First, you must define what resources need to be protected. These could be any type of data object, such as files, directories, network servers, messages, databases, or Web pages. Then, you must decide what users and groups of users should have access to these protected resources. You also need to decide what type of access to these resources should be permitted. Finally, you must apply the proper security policy on these resources to ensure that only the right users can access them. The enforcement of the security policy is the job of the resource manager. The resource manager calls the Tivoli Access Manager authorization service with the credentials of the user making the request, the type of access desired, and the object to be accessed. The credential provides detailed information, acquired during authentication, that describes the user, any group associations, and other security-related identity attributes. Credentials can be used to perform a multitude of services, such as authorization, auditing, and delegation. The authorization service, also known as the authorization engine, uses the security policy to determine whether the request should be allowed, denied, or conditionally allowed pending additional verification by the resource manager. The resource manager takes the recommendation of the authorization service, performs any additional verification actions, and ultimately either denies the request, or permits the request to be processed. For example, suppose that Todd wants to access a particular Web page that is located on a Web site protected by Tivoli Access Manager WebSEAL. WebSEAL is a resource manager that is responsible for managing and protecting Web-based information and resources and must decide whether or not Todd can access that page. The resource manager obtains the credentials for Todd, and then asks the authorization service whether Todd has read access to the Web page. The authorization service checks the security policy and determines that Todd should be permitted access, so it recommends to the resource manager that the request be granted. The resource manager then directs Todd's request to the appropriate back-end Web server, which provides the Web page. The security policy in Tivoli Access Manager is defined through the use of access control lists (ACLs), protected object policies (POPs), and authorization rules. Authorization services are a critical part of the security architecture of an application. After a user passes the authentication process, authorization services proceed to enforce the business policy by determining what services and information the user can access. For example, a user accessing a Web-based retirement fund could view personal account information after an authorization server verifies the identity, credentials, and privilege attributes of that user. The standards-based authorization API (aznapi) allows applications to call the centralized authorization service, thus eliminating the necessity for developers to write authorization code for each new application. Chapter 1. Tivoli Access Manager overview 5