IBM Security Access Manager for Web Version 7.0. Administration Guide SC


Note: Before using this information and the product it supports, read the information in Notices.

Edition notice

Note: This edition applies to version 7, release 0, modification 0 of IBM Security Access Manager (product number 5724-C87) and to all subsequent releases and modifications until otherwise indicated in new editions.

Copyright IBM Corporation 1999, 2012. US Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Figures

Tables

About this publication: Intended audience; Access to publications and terminology; Related publications; Accessibility; Technical training; Support information

Chapter 1. Security Access Manager overview: Core technologies; Authentication; Authorization; Quality of Protection; Security standards configurations (compliance types); Scalability; Accountability; Centralized management; Security policy overview; Authorization API standard; Authorization: conceptual model; Benefits of a standard authorization service; Security Access Manager authorization service overview; Security Access Manager authorization service; Components; Authorization service interfaces; Replication for scalability and performance; Implementation of a network security policy; Definition and application of security policy; The authorization process: step-by-step; Security Access Manager authorization API; Authorization API examples; Authorization API: remote cache mode; Authorization API: local cache mode; External authorization capability; External authorization service; Application of specific conditions on resource requests; The process of implementing an external authorization service; Deployment strategies

Chapter 2. Web Portal Manager: Types of administration; Delegation of administration tasks; Self-care; Self-registration; Web Portal Manager common tasks; URL for the Web Portal Manager; Mitigating cross-site request forgery attacks; Logging on and signing off; Accessing online help; Customizing the Web Portal Manager interface; Self-registration tasks; Self-registration scenario; Java Server Pages for self-registration

Chapter 3. Security Access Manager administration: Domains; Protected object space; Users and groups; Security policy; ACL policies; Use of ACL policies with the authorization service; Evaluation of ACL policies; Protected object policies; Authorization rules; How authorization rules differ; When to use authorization rules; Guidelines for a secure object space

Chapter 4. Default security policy: Default administration users and groups; iv-admin group; sec_master user; ivmgrd-servers group; Administration users; Definition and application of security policy; ACL policies; Protected object policies; Authorization rules; Sparse security policy model; Security policy inheritance; default-root ACL policy; Control permission; Traverse permission; Resolution of an access request; Application of ACL policies to different object types; ACL policy inheritance example; Default ACL policies; default-root ACL policy; default-management ACL policy; default-replica ACL policy; default-config ACL policy; default-gso ACL policy; default-policy ACL policy; default-domain ACL policy; default-proxy ACL policy; /Management permissions; /Management/ACL permissions; /Management/Action permissions; /Management/POP permissions; /Management/Server permissions; /Management/Config permissions; /Management/Policy permissions; /Management/Replica permissions; /Management/Users permissions; /Management/Groups permissions; /Management/GSO permissions; /Management/Rule permissions; /Management/Domain permissions; /Management/Proxy permissions

Chapter 5. Manage domains: Log on to domains; Create a domain; Modify the description for a domain; List domains; Delete a domain

Chapter 6. Manage object spaces: Create an object space; List object spaces; Copying an object space with Web Portal Manager; Importing object spaces with Web Portal Manager; Exporting object spaces with Web Portal Manager; Delete an object space

Chapter 7. Manage protected objects: Create an object; List objects; Importing objects with Web Portal Manager; Exporting objects with Web Portal Manager; Delete an object

Chapter 8. Manage access control: ACL policies; ACL entries; Type attribute; ID attribute; Permissions attribute; Action groups and actions; Default permissions in the primary action group; Custom permissions in custom action groups; Manage ACL policies; Create an ACL policy; Modify the description of an ACL policy; List ACL policies; View an ACL policy; Cloning an ACL policy; Importing ACL policies; Exporting all ACL policies; Exporting a single ACL policy; Exporting multiple ACL policies; Attach an ACL policy to an object; Detach an ACL policy from an object; Locate where an ACL policy is attached; Delete an ACL policy; Manage ACL entries in ACL policies; Create an ACL entry; Modify permissions for an ACL entry; Remove ACL entries from an ACL policy; Manage extended attributes in ACL policies; Create extended attributes for an ACL policy; Modifying extended attributes from an ACL policy with pdadmin; List extended attributes of an ACL policy; View extended attributes of an ACL policy; Delete extended attributes from an ACL policy; Manage action groups; Create action groups; List action groups; Delete an action group; Manage actions; Create actions in an action group; List actions in an action group; Delete actions from an action group

Chapter 9. Protected object policy management: Manage protected object policies; Create a POP; Modify a POP; List POPs; View a POP; Cloning a POP; Importing POPs; Exporting all POPs; Exporting a single POP; Exporting multiple POPs; Attach a POP to an object; Detach a POP from an object; Locate where a POP is attached; Delete a POP; Network-based authorization algorithm; Network-based authorization policy; Configure POP attributes; Set a warning mode; Set an audit level; Set a time-of-day restriction; Specify IP addresses and ranges; Set a Quality of Protection level; Step-up authentication; Configure levels for step-up authentication; Apply step-up authentication policy; Distinguish step-up from multi-factor authentication

Chapter 10. Authorization rules management: Authorization rules overview; Access decision information; Sources for retrieving ADI; Volatile versus nonvolatile data; Authorization rule language; ADI XML document model; XML access decision information; XML namespace definitions; Authorization rules evaluator; Format and constraints of rules; Examples of authorization rules; Methods of providing ADI to the rules evaluator; Reason codes for rule failures; Configuration file and initialization attributes; resource-manager-provided-adi; dynamic-adi-entitlement-services; input-adi-xml-prolog and xsl-stylesheet-prolog; [xmladi-attribute-definitions]; Manage authorization rules; Create an authorization rule; Modify an authorization rule; List authorization rules; Attach an authorization rule to a protected object; Detach an authorization rule; Locate where an authorization rule is attached; Delete an authorization rule

Chapter 11. Manage users and groups: Manage users; Create a user; List users; Change a password; Setting user policy; Setting global user policy; Import users; Delete a user; Manage groups; Create a group; List groups; Import groups; Delete a group; Enabling dynamic group support; LDAP registry; Active Directory

Chapter 12. Certificate and password management: Initial configuration; Key file and stash file renewal information; Regenerating certificates; Reconfiguring the PDCA on the policy server; Reconfiguring the certifications of Security Access Manager Java applications; Reconfiguring the PDCA on the runtime systems; Transferring the PDCA certificate to other systems; Server certificate revocation; Additional key file and stash file considerations

Chapter 13. Server management: Security Access Manager servers; Proxy server; Server dependencies; Security Access Manager utilities; Security Access Manager servers tasks; Starting and stopping servers on AIX, Linux, and Solaris operating systems; Starting and stopping servers on Windows operating systems; Server configuration file tasks; Changing configuration settings; Automatic server startup at boot time; Policy server administration tasks; Replicate the authorization database; Use the server replicate command; Set the number of update-notifier threads; Set the notification delay time

Chapter 14. High availability of the policy server: Data integrity; Primary and replica LDAP servers; Active and passive policy servers

Chapter 15. Multiple-tenancy policy server

Chapter 16. Delegated administration: Overview of delegated administration; Delegated role administration; Administrative tasks for roles; Delegated object space management; Structure the object space for management delegation; Default administration users and groups; Example of management delegation; Delegated user and group management; Create group container objects; Create groups; ACL policies that affect group management; ACL policies that affect user management; Security policy for delegated administration

Chapter 17. Diagnostics and auditing: Diagnostic events; Auditing events

Appendix A. Guidelines for changing configuration files: General guidelines; Default values; Strings; Defined strings; File names; Integers; Boolean values

Appendix B. Configuration file reference: Location of configuration files; IBM Security Access Manager runtime configuration file; Authorization server configuration file; Policy server configuration file; Policy proxy server configuration file; LDAP server configuration file; LDAP client with Active Directory server configuration file; Active Directory server configuration file; Web Portal Manager configuration file; Common Auditing Service configuration files; Resource manager configuration files

Appendix C. Configuration file stanza reference
  [authentication-mechanisms] stanza: cert-ldap, cert-uraf, passwd-ldap, passwd-uraf
  [aznapi-admin-services] stanza: service-id
  [aznapi-configuration] stanza: audit-attribute, azn-app-host, azn-server-name, cache-refresh-interval, cred-attributes-entitlement-services, db-file, dynamic-adi-entitlement-services, input-adi-xml-prolog, listen-flags, logcfg, mode, pd-user-name, pd-user-pwd, permission-info-returned, policy-cache-size, resource-manager-provided-adi, xsl-stylesheet-prolog
  [aznapi-cred-modification-services] stanza: service-id
  [aznapi-entitlement-services] stanza: service-id
  [aznapi-external-authzn-services] stanza: policy-trigger
  [aznapi-pac-services] stanza: service-id
  [cars-client] stanza: compress, diskcachepath, doaudit, clientpassword, clientusername, errorfilepath, flushinterval, keyfilepath, lowwater, hiwater, maxcachefiles, maxcachefilesize, maxerrorfiles, maxerrorfilesize, maxtracefiles, maxtracefilesize, numbercmthreads, numbereqthreads, numberretries, queuesize, rebindinterval, retryinterval, serverurl, stashfilepath, tracelevel, tracefilepath, transfersize, usediskcache
  [cars-filter] stanza: auditevent
  [configuration-database] stanza: file
  [delegated-admin] stanza: authorize-group-list
  [domains] and [domain=domain_name] stanzas: allowed-registry-substrings, database-path, domain
  [ivacld] stanza: log-file, logcfg, permit-unauth-remote-caller, pid-file, tcp-req-port, unix-user, unix-group
  [ivmgrd] stanza: provide-last-login, provide-last-pwd-change, auto-database-update-notify, ca-cert-download-enabled, database-path, log-file, logcfg, max-notifier-threads, notifier-wait-time, pid-file, standby, tcp-req-port, unix-user, unix-group, am610compat
  [ldap] stanza: enhanced-pwd-policy, max-auth-connections, enable-last-login, auth-using-compare, authn-timeout, bind-dn, cache-enabled, cache-group-expire-time, cache-group-membership, cache-group-size, cache-policy-expire-time, cache-policy-size, cache-return-registry-id, cache-use-user-cache, cache-user-expire-time, cache-user-size, default-policy-override-support, ldap-server-config, login-failures-persistent, max-search-size, port, prefer-readwrite-server, search-timeout, ssl-enabled, ssl-keyfile, ssl-keyfile-dn, ssl-keyfile-pwd, user-and-group-in-same-suffix
  [ldap] stanza for ldap.conf: cache-enabled, cache-account-policy, connection-inactivity, dynamic-groups-enabled, enabled, host, ignore-suffix, max-search-size, max-server-connections, novell-suffix-search-enabled, port, replica, secauthority-suffix, ssl-port, cache-account-policy, user-search-filter
  [manager] stanza: management-domain, master-host, master-port
  [meta-info] stanza: version
  [pdconfig] stanza: LdapSSL, LdapSSLKeyFile, LdapSSLKeyFileDn, LdapSSLKeyFilePwd
  [pdaudit-filter] stanza: logcfg
  [pdmgrproxyd] stanza: cache-database, log-file, pid-file, tcp-req-port, unix-group, unix-user
  [pdrte] stanza: boot-start-[instance-]ivacld, boot-start-ivmgrd, boot-start-pdproxyd, configured, ivacld-instances, tivoli_common_dir, user-reg-host, user-reg-hostport, user-reg-server, user-reg-type
  [pdwpm] stanza: aclmembership, authmethod, bannerfile, changepassword, debug, infobargif, jrtehost, jrteprops, logingif, splashgif, wasembedded
  [ssl] stanza: ssl-authn-type, ssl-auto-refresh, ssl-cert-life, disallow-trailing-spaced-usernames, ssl-compliance, ssl-enable-fips (deprecated), ssl-enhanced-security, ssl-io-inactivity-timeout, ssl-keyfile, ssl-keyfile-label, ssl-keyfile-stash, ssl-listening-port, ssl-local-domain, ssl-maximum-worker-threads, ssl-pwd-life, ssl-v3-timeout, ssl-v2-enabled, ssl-session-cache-size, ssl-v3-cipher-specs, tls-v10-cipher-specs, tls-v11-cipher-specs, tls-v12-cipher-specs
  [uraf-registry] stanza: bind-id, cache-mode, cache-lifetime, cache-size, uraf-registry-config, uraf-return-registry-id
  [uraf-registry] stanza for activedir.conf: dnforpd, domain, dynamic-groups-enabled, enabled, hostname, multi-domain, uraf-return-registry-id, use- -as-user-id, useencryption
  [uraf-registry] stanza for activedir_ldap.conf: change-pwd-using-ldap-api, dnforpd, domain, dynamic-groups-enabled, enabled, ldap-client-timeout, max-connections-per-ad-domain, multi-domain, primary-domain, ssl-keyfile, ssl-keyfile-label, ssl-keyfile-pwd, uraf-return-registry-id, use- -as-user-id, ad-gc-server, ad-gc-port, UseSSL
  [xmladi-attribute-definitions] stanza: AttributeName

Appendix D. User registry differences: General concerns; LDAP concerns; Modifying Sun Java System Directory Server look-through limit; Microsoft Active Directory Lightweight Directory Service (AD LDS) concerns; URAF concerns; Microsoft Active Directory Server concerns; Length of names

Appendix E. pdadmin to Web Portal Manager equivalents

Appendix F. Managing user registries: LDAP-specific tasks; LDAP failover configuration; Valid characters for LDAP user and group names; Applying Security Access Manager ACLs to new LDAP suffixes; Setting the password history policy; Active Directory-specific tasks; Setting up Microsoft Windows 2008 Domain Name System for Active Directory; Adding a domain name to a DNS; Updating the Security Access Manager schema; Adding a Security Access Manager user to the Active Directory system group; Using valid characters for Active Directory user, group, and distinguished names; Importing dynamic groups to Security Access Manager; Enabling change user password requests to be done with LDAP APIs; Enabling support for the use of address or other alternate format as user identity; Novell-specific tasks; Updating the eDirectory schema with ConsoleOne; Updating the eDirectory schema with Novell iManager; Novell eDirectory maintenance activities that can damage schema modifications applied by Security Access Manager

Notices

Index

Figures

General authorization model; Security Access Manager server components; Authorization service components; Replicated authorization service components; Explicit and inherited policies; The Security Access Manager authorization process; Example use of the authorization API; Authorization API: remote cache mode; Authorization API: local cache mode; External authorization service with an application server; Security Access Manager protected object space; Regions of the Security Access Manager protected object space; ACL policy; Traverse permission; ACL inheritance example; ACL entry attributes; Permissions for a custom print spooler; Security Access Manager server components; Proxy server; Delegate administrators; Structuring the object space for management delegation; Management Delegation Example; Group container object


Tables

JVM system properties enabled by Security Access Manager; POP attributes that are enforced by Security Access Manager; /Management/ACL permissions; /Management/Action permissions; /Management/POP permissions; /Management/Server permissions; /Management/Config permissions; /Management/Policy permissions; /Management/Replica permissions; /Management/Users permissions; /Management/Groups permissions; /Management/GSO permissions; /Management/Rule permissions; /Management/Domain permissions; /Management/Proxy permissions; Action bits, permissions, and Web Portal Manager category of the default primary action group; POP attributes that Security Access Manager provides; Audit levels; Quality of Protection levels; String identifiers returned by rules evaluation; Server key and stash files; pdadmin group create command syntax; ACL permissions for group management; ACL permissions for user management; database-path default value by platform; log-file default value by platform; pid-file default value by platform; [ivmgrd] stanza log-file default value by platform; [ivmgrd] stanza pid-file default value by platform; [ldap] stanza ssl-keyfile default value by platform; [pdconfig] stanza LdapSSLKeyFile default value by platform; [pdmgrproxyd] stanza log-file default value by platform; [pdmgrproxyd] stanza pid-file default value by platform; [uraf-registry] stanza for activedir_ldap.conf key-file default value by platform; Maximum lengths for names by user registry and the optimum length across user registries; Mapping between the pdadmin utility and Web Portal Manager; Master server configuration entities and values; Replica server configuration entities and values; Potential preference scenarios


About this publication

IBM Security Access Manager for Web, formerly called IBM Tivoli Access Manager for e-business, is a user authentication, authorization, and web single sign-on solution for enforcing security policies over a wide range of web and application resources.

The IBM Security Access Manager for Web: Administration Guide provides a comprehensive set of procedures for managing Security Access Manager servers and resources. This guide also provides you with valuable background and conceptual information about the wide range of Security Access Manager functionality.

Intended audience

This guide is for system administrators responsible for the deployment and administration of base Security Access Manager software.

Readers should be familiar with the following:
- Microsoft Windows and UNIX operating systems
- Database architecture and concepts
- Security management
- Internet protocols, including HTTP and TCP/IP
- Lightweight Directory Access Protocol (LDAP) and directory services
- Authentication and authorization
- Security Access Manager security model and its capabilities

You should also be familiar with SSL protocol, key exchange (public and private), digital signatures, cryptographic algorithms, and certificate authorities.

Access to publications and terminology

This section provides:
- A list of publications in the IBM Security Access Manager for Web library.
- Links to Online publications.
- A link to the IBM Terminology website.

IBM Security Access Manager for Web library

The following documents are in the IBM Security Access Manager for Web library:
- IBM Security Access Manager for Web Quick Start Guide, GI
  Provides steps that summarize major installation and configuration tasks.
- IBM Security Web Gateway Appliance Quick Start Guide Hardware Offering, SC
  Guides users through the process of connecting and completing the initial configuration of the WebSEAL Hardware Appliance.
- IBM Security Web Gateway Appliance Quick Start Guide Virtual Offering
  Guides users through the process of connecting and completing the initial configuration of the WebSEAL Virtual Appliance.
- IBM Security Access Manager for Web Installation Guide, GC
  Explains how to install and configure Security Access Manager.
- IBM Security Access Manager for Web Upgrade Guide, SC
  Provides information for users to upgrade from version 6.0, or 6.1.x to version 7.0.
- IBM Security Access Manager for Web Administration Guide, SC
  Describes the concepts and procedures for using Security Access Manager. Provides instructions for performing tasks from the Web Portal Manager interface and by using the pdadmin utility.
- IBM Security Access Manager for Web WebSEAL Administration Guide, SC
  Provides background material, administrative procedures, and reference information for using WebSEAL to manage the resources of your secure Web domain.
- IBM Security Access Manager for Web Plug-in for Web Servers Administration Guide, SC
  Provides procedures and reference information for securing your Web domain by using a Web server plug-in.
- IBM Security Access Manager for Web Shared Session Management Administration Guide, SC
  Provides administrative considerations and operational instructions for the session management server.
- IBM Security Access Manager for Web Shared Session Management Deployment Guide, SC
  Provides deployment considerations for the session management server.
- IBM Security Web Gateway Appliance Administration Guide, SC
  Provides administrative procedures and technical reference information for the WebSEAL Appliance.
- IBM Security Web Gateway Appliance Configuration Guide for Web Reverse Proxy, SC
  Provides configuration procedures and technical reference information for the WebSEAL Appliance.
- IBM Security Web Gateway Appliance Web Reverse Proxy Stanza Reference, SC
  Provides a complete stanza reference for the IBM Security Web Gateway Appliance Web Reverse Proxy.
- IBM Security Access Manager for Web WebSEAL Configuration Stanza Reference, SC
  Provides a complete stanza reference for WebSEAL.
- IBM Global Security Kit: CapiCmd Users Guide, SC
  Provides instructions on creating key databases, public-private key pairs, and certificate requests.
- IBM Security Access Manager for Web Auditing Guide, SC
  Provides information about configuring and managing audit events by using the native Security Access Manager approach and the Common Auditing and Reporting Service. You can also find information about installing and configuring the Common Auditing and Reporting Service. Use this service for generating and viewing operational reports.
- IBM Security Access Manager for Web Command Reference, SC
  Provides reference information about the commands, utilities, and scripts that are provided with Security Access Manager.
- IBM Security Access Manager for Web Administration C API Developer Reference, SC
  Provides reference information about using the C language implementation of the administration API to enable an application to perform Security Access Manager administration tasks.
- IBM Security Access Manager for Web Administration Java Classes Developer Reference, SC
  Provides reference information about using the Java language implementation of the administration API to enable an application to perform Security Access Manager administration tasks.
- IBM Security Access Manager for Web Authorization C API Developer Reference, SC
  Provides reference information about using the C language implementation of the authorization API to enable an application to use Security Access Manager security.
- IBM Security Access Manager for Web Authorization Java Classes Developer Reference, SC
  Provides reference information about using the Java language implementation of the authorization API to enable an application to use Security Access Manager security.
- IBM Security Access Manager for Web Web Security Developer Reference, SC
  Provides programming and reference information for developing authentication modules.
- IBM Security Access Manager for Web Error Message Reference, GI
  Provides explanations and corrective actions for the messages and return code.
- IBM Security Access Manager for Web Troubleshooting Guide, GC
  Provides problem determination information.
- IBM Security Access Manager for Web Performance Tuning Guide, SC
  Provides performance tuning information for an environment that consists of Security Access Manager with the IBM Tivoli Directory Server as the user registry.

Online publications

IBM posts product publications when the product is released and when the publications are updated at the following locations:

IBM Security Access Manager for Web Information Center
  The com.ibm.isam.doc_70/welcome.html site displays the information center welcome page for this product.

IBM Publications Center
  The pbi.wss site offers customized search functions to help you find all the IBM publications that you need.

IBM Terminology website

The IBM Terminology website consolidates terminology for product libraries in one location. You can access the Terminology website at software/globalization/terminology.

Related publications

This section lists the IBM products that are related to and included with the Security Access Manager solution.

Note: The following middleware products are not packaged with IBM Security Web Gateway Appliance.

IBM Global Security Kit

Security Access Manager provides data encryption by using Global Security Kit (GSKit) version 8.0.x. GSKit is included on the IBM Security Access Manager for Web Version 7.0 product image or DVD for your particular platform.

GSKit version 8 includes the command-line tool for key management, GSKCapiCmd (gsk8capicmd_64).

GSKit version 8 no longer includes the key management utility, ikeyman (gskikm.jar). ikeyman is packaged with IBM Java version 6 or later and is now a pure Java application with no dependency on the native GSKit runtime. Do not move or remove the bundled java/jre/lib/gskikm.jar library.

The IBM Developer Kit and Runtime Environment, Java Technology Edition, Version 6 and 7, ikeyman User's Guide for version 8.0 is available on the Security Access Manager Information Center. You can also find this document directly at: 60/iKeyman.8.User.Guide.pdf

Note: GSKit version 8 includes important changes made to the implementation of Transport Layer Security required to remediate security issues. The GSKit version 8 changes comply with the Internet Engineering Task Force (IETF) Request for Comments (RFC) requirements. However, it is not compatible with earlier versions of GSKit. Any component that communicates with Security Access Manager that uses GSKit must be upgraded to use GSKit version , or or later. Otherwise, communication problems might occur.

IBM Tivoli Directory Server

IBM Tivoli Directory Server version 6.3 FP17 ( ISS-ITDS-FP0017) is included on the IBM Security Access Manager for Web Version 7.0 product image or DVD for your particular platform. You can find more information about Tivoli Directory Server at:

IBM Tivoli Directory Integrator

IBM Tivoli Directory Integrator version is included on the IBM Tivoli Directory Integrator Identity Edition V for Multiplatform product image or DVD for your particular platform. You can find more information about IBM Tivoli Directory Integrator at:

IBM DB2 Universal Database

IBM DB2 Universal Database Enterprise Server Edition, version 9.7 FP4 is provided on the IBM Security Access Manager for Web Version 7.0 product image or DVD for your particular platform. You can install DB2 with the Tivoli Directory Server software, or as a stand-alone product. DB2 is required when you use Tivoli Directory Server or z/OS LDAP servers as the user registry for Security Access Manager. For z/OS LDAP servers, you must separately purchase DB2. You can find more information about DB2 at:

IBM WebSphere products

The installation packages for WebSphere Application Server Network Deployment, version 8.0, and WebSphere eXtreme Scale, version , are included with Security Access Manager version 7.0. WebSphere eXtreme Scale is required only when you use the Session Management Server (SMS) component.

WebSphere Application Server enables the support of the following applications:
- Web Portal Manager interface, which administers Security Access Manager.
- Web Administration Tool, which administers Tivoli Directory Server.
- Common Auditing and Reporting Service, which processes and reports on audit events.
- Session Management Server, which manages shared session in a Web security server environment.
- Attribute Retrieval Service.

You can find more information about WebSphere Application Server at:

Accessibility

Accessibility features help users with a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You can also use the keyboard instead of the mouse to operate all features of the graphical user interface.

Visit the IBM Accessibility Center for more information about IBM's commitment to accessibility.

Technical training

For technical training information, see the following IBM Education website at

Support information

IBM Support provides assistance with code-related problems and routine, short duration installation or usage questions. You can directly access the IBM Software Support site at

The IBM Security Access Manager for Web Troubleshooting Guide provides details about:
- What information to collect before you contact IBM Support.
- The various methods for contacting IBM Support.
- How to use IBM Support Assistant.
- Instructions and problem-determination resources to isolate and fix the problem yourself.

Note: The Community and Support tab on the product information center can provide more support resources.

Chapter 1. Security Access Manager overview

Core technologies

Security Access Manager is an authentication and authorization solution for corporate web, client/server, and existing applications. Use Security Access Manager to control user access to protected information and resources. By providing a centralized, flexible, and scalable access control solution, Security Access Manager builds secure and easy-to-manage network-based applications and infrastructure.

Security Access Manager supports authentication, authorization, data security, and resource management capabilities. You use Security Access Manager in conjunction with standard Internet-based applications to build highly secure and well-managed intranets.

Security Access Manager provides the following frameworks:
- Authentication framework: The Security Access Manager authentication service uses a wide range of built-in authenticators and supports external authenticators.
- Authorization framework: The authorization service, accessed through a standard authorization application programming interface (API), provides permit and deny decisions on access requests for native Security Access Manager servers and other applications.

The authorization service, together with resource managers, provides a standard authorization mechanism for business network systems. Security Access Manager can be integrated into existing and emerging infrastructures to provide secure, centralized policy management capability.

The following resource managers are some of the existing resource managers:
- IBM Security Access Manager for Web WebSEAL: Manages and protects web-based information and resources. WebSEAL is included with Security Access Manager.
- IBM Security Access Manager for Web for Operating Systems: Provides a layer of authorization policy enforcement on Linux and UNIX operating systems in addition to that provided by the native operating system.

Existing applications can take advantage of the Security Access Manager authorization service and provide a common security policy for the entire enterprise.

The Security Access Manager network security management solution provides and supports several core technologies and features.
- Authentication
- Authorization
- Quality of Protection
- Security standards configurations (compliance types)
- Scalability
- Accountability
- Centralized management

Copyright IBM Corp. 1999,

Authentication

Authentication is the first step a user must take when making a request for a resource that is protected by Security Access Manager. During authentication, a user identity is validated. The authentication process depends on the specific requirements of the service-providing application. Security Access Manager allows a highly flexible approach to authentication through the use of the authorization API.

Security Access Manager provides built-in support of user name and password authentication through the authorization API. Applications can build any custom authentication mechanism that uses the authorization API.

Authorization

Authorization enforces the security policy.
- The authorization process determines which objects a user can access and which actions a user can take on those objects.
- The authorization process grants appropriate access to the user.

Security Access Manager handles authorization by using the following methods:
- Security Access Manager authorization service.
- Access control lists (ACLs), protected object policies (POPs), and authorization rules for fine-grained access control.
- Standards-based authorization API, which uses the aznapi for C language applications, and the Java Authentication and Authorization Service (JAAS) for Java language applications.
- External authorization service capability.

Quality of Protection

Quality of Protection (QoP) is the degree to which Security Access Manager protects any information that is transmitted between a client and a server. The quality of data protection is determined by the combined effect of encryption standards and modification-detection algorithms. The resource manager is responsible for ensuring that the quality of data protection is enforced.

Security Access Manager supports the following levels of Quality of Protection:
- Standard Transmission Control Protocol (TCP) communication (no protection)
- Data integrity: protects messages (data stream) from being modified during network communication
- Data privacy: protects messages from being modified or inspected during network communication

Supported encryption ciphers

Security Access Manager uses encryption ciphers from GSKit and Java Secure Socket Extension (JSSE). To learn about these encryption ciphers, see the GSKit and JSSE documentation.

Secure communication

Security Access Manager supports the data integrity and data privacy provided by the Secure Socket Layer (SSL) communication protocol and the Transport Layer Security (TLS) communication protocol.

The SSL handshake protocol provides security and privacy over the Internet. SSL works with public key for authentication and secret key to encrypt data that is transferred over the SSL connection.

The TLS protocol meets the Federal Information Processing Standards (FIPS) standard. The FIPS standard describes the requirements of the United States federal government for handling sensitive, but unclassified, use of information technology products.

When FIPS mode is enabled in Security Access Manager, TLS version 1 (TLSv1) is used instead of SSL version 3 (SSLv3). Security Access Manager generates keys and certificates with FIPS-approved operations. The client- and server-side keys and certificates are always FIPS approved.

To switch from SSL to TLS, you must change all server and remote run time configurations. In Security Access Manager, the protocol configuration specifies the FIPS mode. When FIPS mode is enabled, it uses the TLS protocol. When FIPS mode is disabled, it uses the SSL protocol.

Note: SSL and TLS protocols cannot be mixed in a Security Access Manager environment. Previous releases of IBM Security Access Manager runtime that did not support TLS cannot communicate with a server that is enabled for FIPS.

Security standards configurations (compliance types)

You can configure Security Access Manager Base components to work with various security standards, including FIPS 140-2, SP 800-131a, and Suite B. These security standards meet information security requirements that are required by the government.

These security standards secure communications between the Security Access Manager Base components, LDAP servers, and syslog daemons. The policy server generates certificates that are appropriate for the specific security standard. The certificates are used during the communications between Security Access Manager Base components. To use certificates to communicate securely with other systems, such as with LDAP servers, provide the appropriate certificate for the configured compliance standard.

The Security Access Manager Base components integrate cryptographic modules, which include IBM Global Security Kit (GSKit) 8, Java Secure Socket Extension (JSSE), and Java Cryptography Extension (JCE). Most of the requirements in the standards are handled in GSKit, JSSE, and JCE, which must undergo the certification process to meet government standards. Security Access Manager Base components must be configured to run with GSKit, JSSE, and JCE that are enabled for a particular standard.

FIPS 140-2

The Federal Information Processing Standards (FIPS) specify federal government requirements for cryptographic modules. FIPS 140-2 is a National Institute of Standards and Technology standard.

The Security Access Manager Base components use certificates generated by the policy server to communicate securely in accordance with FIPS 140-2. The key strength and algorithms that generate FIPS 140-2 certificates are also used when Security Access Manager is not configured for a particular security mode. You can convert between these two modes without completely regenerating all the Security Access Manager certificates.

The FIPS 140-2 certificates are compatible with previous releases of Security Access Manager. Previous releases of Security Access Manager can communicate with Security Access Manager 7.0 policy servers.

For more information about FIPS 140-2, see fips140-2/fips1402.pdf.

SP 800-131a

Special Publication 800-131a (SP 800-131a) is an information security standard of the National Institute of Standards and Technology (NIST). SP 800-131a requires longer key lengths and stronger cryptography than other standards.

You can run SP 800-131a in two modes: transition and strict. Use the transition mode to move gradually towards a strict enforcement of SP 800-131a. The transition mode allows the use of weaker keys and algorithms than strict enforcement allows. The transition mode also allows the use of Transport Layer Security (TLS) v1.0 and v1.1.

A strict enforcement of SP 800-131a of the Security Access Manager Base components requires the following configuration:
- TLS v1.2 protocol for the Secure Sockets Layer (SSL) context
- Certificates must have a minimum length of 2048
- Elliptical Curve (EC) certificates must have a minimum size of 244-bit curves
- Certificates must be signed with a signature algorithm of SHA256, SHA384, or SHA512. Valid signature algorithms include:
  - SHA256withRSA
  - SHA384withRSA
  - SHA512withRSA
  - SHA256withECDSA
  - SHA384withECDSA
  - SHA512withECDSA
- SP 800-131a approved cipher suites

The Security Access Manager Base component communication uses certificates generated by the policy server. The policy server uses the same key strength and algorithms to create certificates for both the transition and strict versions of the SP 800-131a security mode. As a result, you can convert between the transition and strict modes without completely regenerating all Security Access Manager certificates.

The SP 800-131a certificates are not compatible with previous releases of Security Access Manager. Previous release Security Access Manager clients cannot communicate with the Security Access Manager 7.0 policy server in SP 800-131a mode.
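The following added example (not part of the IBM guide or of the product) shows one way to check an inventory of endpoints and certificates against the strict SP 800-131a requirements listed above, and to see what still has to change before moving from transition to strict mode. The inventory format, the labels, and the function names are assumptions made for this example. The guide does not state the key and algorithm limits of transition mode, so in that mode certificate findings are reported only as items to fix before strict enforcement.

```python
import csv
import io

# Requirements for strict enforcement, taken from the list in the guide.
STRICT_PROTOCOLS = {"TLSv1.2"}
# Transition mode also allows TLS v1.0 and v1.1; only the protocols the
# guide names are accepted here (assumption of this example).
TRANSITION_PROTOCOLS = {"TLSv1.0", "TLSv1.1", "TLSv1.2"}
MIN_KEY_BITS = 2048       # "minimum length of 2048", read here as key size in bits
MIN_EC_CURVE_BITS = 244   # curve size as printed in the guide
APPROVED_SIGNATURES = {
    "SHA256withRSA", "SHA384withRSA", "SHA512withRSA",
    "SHA256withECDSA", "SHA384withECDSA", "SHA512withECDSA",
}

# Constructed sample inventory (hypothetical labels and values).
SAMPLE_INVENTORY = """\
label,protocol,key_type,key_bits,signature
policy-server,TLSv1.2,RSA,2048,SHA256withRSA
ldap-primary,TLSv1.2,RSA,1024,SHA1withRSA
webseal-01,TLSv1.0,RSA,2048,SHA256withRSA
authz-ec,TLSv1.2,EC,256,SHA384withECDSA
legacy-ec,TLSv1.1,EC,192,SHA256withECDSA
old-runtime,SSLv3,RSA,2048,SHA512withRSA
"""


def certificate_findings(key_type, key_bits, signature):
    """Return the strict-mode certificate requirements this certificate misses."""
    findings = []
    if key_type.upper() == "EC":
        if key_bits < MIN_EC_CURVE_BITS:
            findings.append(f"EC curve of {key_bits} bits is below {MIN_EC_CURVE_BITS}")
    elif key_bits < MIN_KEY_BITS:
        findings.append(f"{key_type} key of {key_bits} bits is below {MIN_KEY_BITS}")
    if signature not in APPROVED_SIGNATURES:
        findings.append(f"signature algorithm {signature} is not in the approved list")
    return findings


def audit(inventory_csv, mode="strict"):
    """Audit each inventory row for the given mode.

    Returns {label: {"blocking": [...], "strict_only": [...]}} where
    "blocking" fails the selected mode and "strict_only" passes the
    selected mode but must be fixed before strict enforcement.
    """
    if mode not in ("strict", "transition"):
        raise ValueError("mode must be 'strict' or 'transition'")
    report = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        blocking, strict_only = [], []
        protocol = row["protocol"].strip()
        cert = certificate_findings(
            row["key_type"].strip(), int(row["key_bits"]), row["signature"].strip()
        )
        if mode == "strict":
            if protocol not in STRICT_PROTOCOLS:
                blocking.append(f"protocol {protocol} is not TLSv1.2")
            blocking.extend(cert)
        else:
            if protocol not in TRANSITION_PROTOCOLS:
                blocking.append(f"protocol {protocol} is not allowed in transition mode")
            elif protocol not in STRICT_PROTOCOLS:
                strict_only.append(f"protocol {protocol} is allowed only in transition mode")
            # Transition limits for keys and algorithms are not given in the
            # guide, so these are listed as work remaining, not as failures.
            strict_only.extend(cert)
        report[row["label"].strip()] = {"blocking": blocking, "strict_only": strict_only}
    return report


def ready_for_strict(report):
    """Labels with nothing left to fix before strict enforcement."""
    return sorted(
        label for label, found in report.items()
        if not found["blocking"] and not found["strict_only"]
    )


if __name__ == "__main__":
    for mode in ("transition", "strict"):
        print(f"== {mode} ==")
        for label, found in audit(SAMPLE_INVENTORY, mode).items():
            for kind in ("blocking", "strict_only"):
                for message in found[kind]:
                    print(f"{label}: [{kind}] {message}")
```
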


Central Administration Console Installation and User's Guide IBM Tivoli Storage Manager FastBack for Workstations Version 7.1.1 Central Administration Console Installation and User's Guide SC27-2808-04 IBM Tivoli Storage Manager FastBack for Workstations Version

More information

Entrust Connector (econnector) Venafi Trust Protection Platform

Entrust Connector (econnector) Venafi Trust Protection Platform Entrust Connector (econnector) For Venafi Trust Protection Platform Installation and Configuration Guide Version 1.0.5 DATE: 17 November 2017 VERSION: 1.0.5 Copyright 2017. All rights reserved Table of

More information

Configuring SSL. SSL Overview CHAPTER

Configuring SSL. SSL Overview CHAPTER CHAPTER 8 Date: 4/23/09 This topic describes the steps required to configure your ACE (both the ACE module and the ACE appliance) as a virtual Secure Sockets Layer (SSL) server for SSL initiation or termination.

More information

Tivoli SecureWay Policy Director Authorization ADK Developer Reference Version 3.7

Tivoli SecureWay Policy Director Authorization ADK Developer Reference Version 3.7 Tivoli SecureWay Policy Director Authorization ADK Developer Reference Version 3.7 January 2001 Tivoli SecureWay Policy Director Authorization ADK Developer Reference Copyright Notice Copyright IBM Corporation

More information

IBM Tivoli Storage Manager Version Introduction to Data Protection Solutions IBM

IBM Tivoli Storage Manager Version Introduction to Data Protection Solutions IBM IBM Tivoli Storage Manager Version 7.1.6 Introduction to Data Protection Solutions IBM IBM Tivoli Storage Manager Version 7.1.6 Introduction to Data Protection Solutions IBM Note: Before you use this

More information

IBM i Version 7.2. Security Digital Certificate Manager IBM

IBM i Version 7.2. Security Digital Certificate Manager IBM IBM i Version 7.2 Security Digital Certificate Manager IBM IBM i Version 7.2 Security Digital Certificate Manager IBM Note Before using this information and the product it supports, read the information

More information

Troubleshooting Guide

Troubleshooting Guide IBM Security Access Manager for Mobile Version 8 Release 0 Troubleshooting Guide GC27-6209-00 IBM Security Access Manager for Mobile Version 8 Release 0 Troubleshooting Guide GC27-6209-00 Note Before

More information

OpenIAM Identity and Access Manager Technical Architecture Overview

OpenIAM Identity and Access Manager Technical Architecture Overview OpenIAM Identity and Access Manager Technical Architecture Overview Overview... 3 Architecture... 3 Common Use Case Description... 3 Identity and Access Middleware... 5 Enterprise Service Bus (ESB)...

More information

Configuring Security Features on an External AAA Server

Configuring Security Features on an External AAA Server CHAPTER 3 Configuring Security Features on an External AAA Server The authentication, authorization, and accounting (AAA) feature verifies the identity of, grants access to, and tracks the actions of users

More information

Security Guide Release 4.0

Security Guide Release 4.0 [1]Oracle Communications Session Monitor Security Guide Release 4.0 E89197-01 November 2017 Oracle Communications Session Monitor Security Guide, Release 4.0 E89197-01 Copyright 2017, Oracle and/or its

More information

Error Message Reference

Error Message Reference IBM Security Identity Manager Version 6.0 Error Message Reference GC14-7393-01 IBM Security Identity Manager Version 6.0 Error Message Reference GC14-7393-01 Note Before using this information and the

More information

Tivoli SecureWay Policy Director Authorization API Java Wrappers Developer Reference Version 3.7

Tivoli SecureWay Policy Director Authorization API Java Wrappers Developer Reference Version 3.7 Tivoli SecureWay Policy Director Authorization API Java Wrappers Developer Reference Version 3.7 January 2001 Tivoli SecureWay Policy Director Authorization API Java Wrappers Developer Reference Copyright

More information

ITexamGuide. High-quality IT Cert Exam study guide

ITexamGuide.   High-quality IT Cert Exam study guide ITexamGuide http://www.itexamguide.com High-quality IT Cert Exam study guide Exam : C2150-609 Title : IBM Security Access Manager V9.0 Deployment Vendor : IBM Version : DEMO Get Latest & Valid C2150-609

More information

VII. Corente Services SSL Client

VII. Corente Services SSL Client VII. Corente Services SSL Client Corente Release 9.1 Manual 9.1.1 Copyright 2014, Oracle and/or its affiliates. All rights reserved. Table of Contents Preface... 5 I. Introduction... 6 Chapter 1. Requirements...

More information

IBM Atlas Policy Distribution Administrators Guide: IER Connector. for IBM Atlas Suite v6

IBM Atlas Policy Distribution Administrators Guide: IER Connector. for IBM Atlas Suite v6 IBM Atlas Policy Distribution Administrators Guide: IER Connector for IBM Atlas Suite v6 IBM Atlas Policy Distribution: IER Connector This edition applies to version 6.0 of IBM Atlas Suite (product numbers

More information

ForeScout Open Integration Module: Data Exchange Plugin

ForeScout Open Integration Module: Data Exchange Plugin ForeScout Open Integration Module: Data Exchange Plugin Version 3.2.0 Table of Contents About the Data Exchange Plugin... 4 Requirements... 4 CounterACT Software Requirements... 4 Connectivity Requirements...

More information

IBM Security Access Manager for Web Version June Troubleshooting Topics

IBM Security Access Manager for Web Version June Troubleshooting Topics IBM Security Access Manager for Web Version 8.0.1.3 25 June 2015 Troubleshooting Topics IBM Security Access Manager for Web Version 8.0.1.3 25 June 2015 Troubleshooting Topics ii IBM Security Access Manager

More information

Deployment Scenario: WebSphere Portal Mashup integration and page builder

Deployment Scenario: WebSphere Portal Mashup integration and page builder Deployment Scenario: WebSphere Portal 6.1.5 Mashup integration and page builder Deployment Scenario: WebSphere Portal 6.1.5 Mashup integration and page builder...1 Abstract...2 Portal Mashup integration

More information

Connecting to System i System i Access for Web

Connecting to System i System i Access for Web System i Connecting to System i System i Access for Web Version 6 Release 1 System i Connecting to System i System i Access for Web Version 6 Release 1 Note Before using this information and the product

More information

Web Enablement Kit Implementation Guide

Web Enablement Kit Implementation Guide Content Manager OnDemand for Multiplatforms Version 8 Release 5 Web Enablement Kit Implementation Guide SC19-2941-00 Content Manager OnDemand for Multiplatforms Version 8 Release 5 Web Enablement Kit

More information

IBM Tivoli Storage FlashCopy Manager Version 4.1. Installation and User's Guide for UNIX and Linux

IBM Tivoli Storage FlashCopy Manager Version 4.1. Installation and User's Guide for UNIX and Linux IBM Tivoli Storage FlashCopy Manager Version 4.1 Installation and User's Guide for UNIX and Linux IBM Tivoli Storage FlashCopy Manager Version 4.1 Installation and User's Guide for UNIX and Linux Note:

More information

Driver for edirectory Implementation Guide

Driver for edirectory Implementation Guide www.novell.com/documentation Driver for edirectory Implementation Guide Identity Manager 4.0.2 June 2012 Legal Notices Novell, Inc. makes no representations or warranties with respect to the contents or

More information

Novell Access Manager

Novell Access Manager Setup Guide AUTHORIZED DOCUMENTATION Novell Access Manager 3.0 SP4 IR2 January 30, 2009 www.novell.com Novell Access Manager 3.0 SP4 Setup Guide Legal Notices Novell, Inc., makes no representations or

More information

IBM. Planning and Installation. IBM Workload Scheduler. Version 9 Release 4

IBM. Planning and Installation. IBM Workload Scheduler. Version 9 Release 4 IBM Workload Scheduler IBM Planning and Installation Version 9 Release 4 IBM Workload Scheduler IBM Planning and Installation Version 9 Release 4 Note Before using this information and the product it

More information

Managing Certificates

Managing Certificates CHAPTER 12 The Cisco Identity Services Engine (Cisco ISE) relies on public key infrastructure (PKI) to provide secure communication for the following: Client and server authentication for Transport Layer

More information

Contents at a Glance. vii

Contents at a Glance. vii Contents at a Glance 1 Installing WebLogic Server and Using the Management Tools... 1 2 Administering WebLogic Server Instances... 47 3 Creating and Configuring WebLogic Server Domains... 101 4 Configuring

More information

IBM Spectrum Protect Version Introduction to Data Protection Solutions IBM

IBM Spectrum Protect Version Introduction to Data Protection Solutions IBM IBM Spectrum Protect Version 8.1.2 Introduction to Data Protection Solutions IBM IBM Spectrum Protect Version 8.1.2 Introduction to Data Protection Solutions IBM Note: Before you use this information

More information