1.3 Tivoli Access Manager for e-business

1.3 Tivoli Access Manager for e-business

Tivoli Access Manager for e-business is security software that provides policy-based access control services for applications, particularly for those on the Web. It is a centrally managed, robust solution for enforcing and administering security policies for e-business applications.

Tivoli Access Manager for e-business is one of three Tivoli Access Manager products:

• Tivoli Access Manager for e-business - provides end-to-end security for e-business, including Web Single Sign-On, distributed Web-based administration, and policy-based security

• Tivoli Access Manager for Business Integration - provides access control end-to-end, application level data protection, and centralized security policy management for the IBM WebSphere MQ environment

• Tivoli Access Manager for Operating Systems - protects individual application and operating system resources by addressing system vulnerabilities surrounding UNIX/Linux super user or root accounts

Together, they are actually a part of a larger framework, the IBM Tivoli integrated identity management solution. Key areas of this identity management solution include:

• Identity Lifecycle Management - user self-care, enrollment and provisioning

• Identity Control - access and privacy control, Single Sign-On and auditing

• Identity Federation - sharing user authentication and attribute information between trusted Web services applications

• Identity Foundation - directory, directory integration and workflow

Figure 1-3: Identity management blueprint

Tivoli Access Manager for e-business focuses on issues of identity control: authentication, authorization, auditing, and Single Sign-On (SSO).

Tivoli Access Manager for e-business is not included in WebSphere Portal V5.0. However, Tivoli Access Manager for e-business does integrate with WebSphere Portal and WebSphere Application Server. It also supports many other enterprise applications including products from SAP, PeopleSoft, and Siebel.

Tivoli Access Manager for e-business consists of a set of servers and runtime libraries which together provide a security framework. The computing environment in which Tivoli Access Manager for e-business enforces your security policies is called the secure domain.

Figure 1-4: Example of systems in a secure domain for Tivoli Access Manager for e-business

Some of the important components of Tivoli Access Manager for e-business are:

• User registry - a supported Lightweight Directory Access Protocol (LDAP) server that contains the database of users and groups. Tivoli Access Manager for e-business stores information primarily under the suffix secAuthority=Default.

• Policy server - maintains the master authorization database for the secure domain. This server is key to the processing of access control, authentication and authorization requests.

• Access Manager runtime and Access Manager Java runtime environments - runtime libraries and supporting files which applications can use to access Tivoli Access Manager for e-business services. You must install the Access Manager runtime or the Access Manager Java runtime environment on every system in your secure domain.

• WebSEAL - a high performance, multi-threaded Web server proxy.

• Authorization server (optional) - offloads access control and authorization decisions from the policy server.

• Web Portal Manager (optional) - a Web-based graphical user interface (GUI) used for administration of Tivoli Access Manager for e-business. This component is not to be confused with the WebSphere Portal product.

1.3.1 IBM Directory Server

IBM Directory Server is IBM's implementation of an LDAP server. It can serve as a registry of user data across an e-business infrastructure. It is one of the components in the area of identity foundation in the IBM Tivoli integrated identity management solution.