
SEC-007

TAMESSO: A Cool Tool, Easy to Deploy: Why & How

Speaker: Marco Zanchi, IBM Certified Instructor & Specialist, PROW SRL (www.prow.it)

IBM European Tivoli Technical Conference 2011

This Session

As part of the Tivoli Security portfolio, TAM E-SSO now has an important mission: solving the problem of too many passwords that users of small and large networks need to remember and manage. TAM E-SSO is a powerful yet easy-to-deploy solution that relieves system administrators of the pain of keeping their users happy and their passwords compliant with new policies. Starting from a general overview and moving on to a technical introduction, we will present the TAM E-SSO components, how they integrate with other solutions, and how easy it is to deploy them and put them to work.

Introduction

Session Agenda (1/3)

Introduction
Overview
- Identity Manager, Access Manager and TAMESSO: different goals
- Strong Authentication, Single Sign-On, Session Management, Auditing
- The Identity and Access Management suite from Tivoli
- TAMESSO architecture
- User provisioning: Tivoli Identity Manager
- The goal of the ITIM/E-SSO integration
- Authentication factors
- Second authentication factors

Session Agenda (2/2)

Technical Introduction
- Product Components
- Platform Support
- Access Agent
- IMS Server deployment
- What are the Policies
- Access Admin
- Web Workplace
- Access Agent: Installation
- The Wallet
- Access Studio: creating profiles

Session Agenda (2/3)

What else?
- Integration with LDAP servers
- High Availability
- What is next? Tivoli Education path, Test Drive the official Course
- Useful Resources

Overview

TIVOLI IDENTITY MANAGER

Automates and centralizes access rights management and provisioning across multiple systems:
- Applications
- Operating systems

Server / Adapter based architecture

Features:
- Central control of privileged data
- Role-based access control (RBAC)
- Automated provisioning of access rights
- Web-based system for easy privilege changes
- User self-service and self-registration
- Integrated workflow engine to authorize users and accounts
- Report generation

TIVOLI ACCESS MANAGER for E-BUSINESS

A flexible, scalable authentication and authorization solution that protects company Web resources.

Features:
- Provides an authentication and authorization framework
- Secures a variety of Web-based applications
- Centralizes administration of Web-based applications
- Enforces the security policy defined by your organization
- Tracks user activity with auditing and reporting
- Provides quality of protection (QoP) for Web transactions: integrity and privacy

TIVOLI ACCESS MANAGER FOR E-SSO

Automates access to corporate information, strengthens security, and enforces compliance at the end-points.

Management of account credentials: credentials are stored in the ESSO Server (IMS) database and synchronized to the end users' Wallets on their desktops. This allows the ESSO client (AccessAgent) to automatically log the end user in to any application that is profiled in ESSO. End users do not need to know any of their IDs / passwords for the applications profiled in ESSO.

Access Agent & IMS Server

(Diagram of AccessAgent and IMS Server; capabilities shown: Strong Authentication; E-SSO and Password Management; Session Management and Workflow Automation; Audit and Compliance; Provisioning and Role-Based Access Control; Directory and Meta-Directory Service.)

Strong authentication

TAM E-SSO provides strong authentication for all user groups inside and outside the corporate perimeter to prevent unauthorized access to confidential corporate information and IT networks. The solution leverages multi-factor authentication devices such as:
- USB tokens
- smart card tokens
- building access badges
- proximity cards (RFID)
- mobile devices
- photo badges
- biometric readers (e.g. fingerprint)
- one-time password (OTP) tokens (RSA)

Enterprise single sign-on with workflow automation

With TAM E-SSO, users enjoy fast access to all corporate applications (e.g. Web, desktop, TTY and legacy) and network resources using a single, strong password on personal and shared workstations. This feature increases employee productivity, lowers IT Help desk costs, and improves security by eliminating per-application passwords and the effort of managing complex password policies. Users can automate the entire access workflow (e.g. application login, drive mapping, application launch, single sign-on, navigation to preferred screens, multi-step logins, etc.).

Session management capability

As organizations deploy more shared workstations and kiosks, more users roam and access information from anywhere without returning to their personal PCs. Shared and roaming scenarios pose severe security threats. TAM E-SSO increases user convenience and improves information security through session management, or fast user switching, capabilities. Users can quickly sign on to and sign off from shared workstations without going through the Windows domain login process. Fast user switching on private desktops allows users to maintain multiple unique user desktops on the same workstation, preserving each user's applications, documents, and network drive mappings.

User access tracking for audit & compliance reporting

Combined strong authentication capabilities and user-centric audit logs ensure secure access to confidential corporate information and accountability at all times. The logs provide the meta-information that can guide a detailed analysis for compliance. Information is collated in a central relational database, facilitating real-time monitoring and separate reporting with third-party reporting tools. The end-point automation framework can be leveraged to audit custom access events for any application without modifying the application or relying on its native audit functions.

The Identity and Access Management suite

TAM E-SSO AccessAgent (Web, Desktop, Citrix or Terminal Services Desktop): Strong Authentication, Enterprise Single Sign-On, Workflow Automation, Session Management, Audit and Compliance, Context Management, User Provisioning

Strong Authentication:
- Building badge integration
- Active RFID
- Fingerprint biometric
- USB smart cards
- Cell phone authentication
- One-time password (OTP)
- iTag

Enterprise Single Sign-On:
- For Windows, Citrix, Terminal Services, and thin client platforms
- For Web, desktop, mainframe, and TTY applications
- Browser-based single sign-on (SSO)
- Automatic generation of SSO AccessProfiles

Workflow Automation:
- Application launch, drive mapping, single sign-off
- Automate any presentation layer event
- Automate walk-away desktop security

TAM E-SSO IAM Platform (TAM E-SSO IMS Server): Profile Generation, Centralized Administration, Support and Self-Service, Audit Reporting, Directory, DB Mgmt, SOAP API

Support and Self-Service:
- Loss management
- User self-service

Centralized Administration:
- Web-based AccessAdmin
- Group-based and policy-driven management

Centralized Audit:
- Endpoint tracking
- Centralized SQL reporting

Tamesso Architecture

(Architecture diagram; not reproduced in the text.)

User Provisioning: Tivoli Identity Manager

TAM E-SSO combines with best-of-breed user provisioning technologies like TIVOLI IDENTITY MANAGER to provide end-to-end identity lifecycle management. After the users are provisioned, they can leverage single sign-on to access all their applications on shared and personal workstations with one password. Users are never required to register their user names and passwords individually, as their credentials are automatically provisioned.

The goal of the ITIM/ESSO integration

- End-to-end management (and automation) of both physical accounts and the credentials for these accounts
- Keeping account IDs and passwords (stored in ESSO Wallets) in sync with the physical accounts
- The ability to bring new employees on board, automatically provision their accounts and have their account credentials stored in their ESSO Wallets
- Allowing new employees to log in to their desktop for the first time and be able to access all their resources

Authentication Factors

Authentication factors come in different forms and functions. With the exception of password and fingerprint, users access systems and applications with a device that works like a key. This concept makes it easy for users to adopt the system quickly.

Password
The password is used to secure access to a Wallet. The user specifies this password upon signing up with TAM E-SSO AccessAgent. Signing up with TAM E-SSO AccessAgent means registering the user with the IMS Server and creating a Wallet.

Secret
The user is asked to enter a secret when signing up for a Wallet. A secret is a second password or a backup password. It is similar to the hint used when a user forgets the password for a Web e-mail account, for example.

Second Authentication Factors

A password can be fortified by a second authentication factor. The combination of the password and a USB Key strengthens the security of the user's computer because both authentication factors must be present to access the computer.

With TAMESSO you may use one of the following:

ActiveCode
Short-term authentication codes that are controlled by the Tamesso system.

USB Keys
Can store: a serial number; a common symmetric key; digital certificates for each certificate-enabled application.

SmartCard
RFID Card
Fingerprint Identification
Presence detectors
Sonar device & Active Proximity Badge
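As an added illustration (not part of the original slides or of the product's code), the following Python models the rule stated above: a password and a USB key holding a common symmetric key must both be present before a Wallet unlocks. The challenge-response scheme, the class names and the PBKDF2 parameters are assumptions, not TAM E-SSO's actual protocol.

```python
# Added illustration, not TAM E-SSO code: a Wallet unlock that requires BOTH a
# password and a USB key holding a common symmetric key (as listed on the slide).
# The challenge-response scheme and all names here are assumptions.
import hashlib
import hmac
import os
import secrets
from typing import Optional

PBKDF2_ROUNDS = 100_000  # assumed work factor for the password hash


class UsbKey:
    """Stand-in for a USB key: holds a serial number and a symmetric key that
    never leaves the device; the device only answers challenges."""

    def __init__(self, serial: str, symmetric_key: bytes) -> None:
        self.serial = serial
        self._key = symmetric_key

    def respond(self, challenge: bytes) -> bytes:
        # Binding the serial into the MAC ties the response to this device.
        return hmac.new(self._key, self.serial.encode() + challenge,
                        hashlib.sha256).digest()


class WalletLock:
    """Server-side enrolment record for one user's Wallet: a salted password
    hash plus the serial and the common symmetric key of the enrolled USB key."""

    def __init__(self, password: str, serial: str, shared_key: bytes) -> None:
        self.salt = os.urandom(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                           self.salt, PBKDF2_ROUNDS)
        self.serial = serial
        self._shared_key = shared_key  # the "common symmetric key"

    def _password_ok(self, password: str) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                        self.salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, self.pw_hash)

    def _key_ok(self, key: Optional[UsbKey]) -> bool:
        if key is None or key.serial != self.serial:
            return False
        challenge = secrets.token_bytes(32)  # fresh per attempt: no replay
        expected = hmac.new(self._shared_key, self.serial.encode() + challenge,
                            hashlib.sha256).digest()
        return hmac.compare_digest(key.respond(challenge), expected)

    def unlock(self, password: str, key: Optional[UsbKey]) -> bool:
        # Evaluate both factors before deciding, so the caller learns only
        # "denied" and cannot tell which factor was wrong.
        password_ok = self._password_ok(password)
        key_ok = self._key_ok(key)
        return password_ok and key_ok


def demo() -> bool:
    """Enrol one constructed user and show that each factor alone is refused."""
    shared = secrets.token_bytes(32)
    token = UsbKey("SN-0001", shared)  # constructed sample device
    lock = WalletLock("correct horse", "SN-0001", shared)
    return (lock.unlock("correct horse", token)
            and not lock.unlock("correct horse", None)
            and not lock.unlock("wrong password", token)
            and not lock.unlock("correct horse", UsbKey("SN-0001", b"\x00" * 32)))


if __name__ == "__main__":
    print("both factors required:", demo())
```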

Second Authentication Factors: Hardware

pcProx Sonar

TAM ESSO integrates with RFIDeas pcProx and AIR ID devices to read proximity cards and contactless smart cards, providing strong user authentication and unified access to information, network, and resources. TAM ESSO also integrates with the pcProx Sonar for walk-away security. For more info visit http://rfideas.com

Technical Introduction

TAM E-SSO Product Components

WALLET
Stores the user's access credentials (including user IDs, passwords, certificates, encryption keys). Each user has a Wallet. A cached Wallet is a copy of the user's Wallet stored on the hard disk of the computer. The user can retrieve the cached Wallet during emergencies.

AccessAgent
Client software that manages the user's identity and enables sign-on and sign-off automation.

IMS Server
Identity management system that enables centralized management of user identities, AccessProfiles, and policies.

AccessAdmin
IMS Server management console for Administrator and Helpdesk.

TAM E-SSO Product Components (continued)

AccessAssistant
Web-based password self-help.

AccessStudio
User interface for creating the AccessProfiles required to support sign-on and sign-off automation.

Service Module
Add-on modules that extend the capabilities of IMS.

IMS Bridge
IMS Service Modules that enable applications to use IMS as an authentication server.

IMS Connector
IMS Service Modules that enable IMS to interface with applications.

Platform Support

AccessAgent runs on the following client platforms:
- Microsoft Windows XP service packs 2 and 3 (32-bit and 64-bit) (smart cards require SP3)
- Microsoft Windows 7 (support in FixPack 1)
- Microsoft Windows Server 2003 (32-bit and 64-bit)
- Microsoft Windows Vista (32-bit and 64-bit)
- Microsoft Windows Server 2008 (32-bit and 64-bit)

TAM E-SSO also supports thin client platforms. On these platforms, the AccessAgent runs on Citrix or Terminal Services:
- Windows CE and XPE

IMS Server runs on Windows 2003 Server and later.

Access Agent

(Diagram. AccessAgent internals: Automated Actions, Automation Triggers, Observer Framework, Plug-ins, Wallet. Capabilities: Strong Authentication, Single Sign-on, Access Workflow Automation, Session Management, Audit and Tracking. Authentication factors feed the AccessAgent; the IMS Server provides Central Audit and Central Administration.)

IMS Server: deployment and tips

Since version 8.1, TAMESSO leverages the WebSphere Application Server platform, a solid and mission-critical technology. A database server must be installed beforehand:
- DB2 9.5 or 9.7
- MS SQL Server
- Oracle 9i or 10g

IMS Server deployment is a five-step process:
1. Package installation: installs WebSphere Application Server and deploys the Java Enterprise Application that is TAM ESSO
2. HTTP configuration
3. Database creation
4. IMS Server configuration: data source and enterprise directory (Active Directory or LDAP)
5. Additional IMS configuration

What are the Policies

Policies:
- Control the behavior of TAM E-SSO components
- Enable the product to be configured to meet specific requirements
- Have different visibility and scope
- Are managed by different roles
- Are a critical step of the deployment process

Once the IMS Server and AccessAdmin are installed, an Initial Configuration Wizard is used to configure AccessAdmin and then to define the default system template, with the allowed authentication factors, shared workstation settings and more.

Policy types and scope

System policy
- Global
- Configured using AccessAdmin
- Can be modified by an administrator
- Can be viewed by a helpdesk user

User policy
- Affects only a specific user
- Configured using AccessAdmin
- Can be modified by an administrator or helpdesk user

Machine policy
- Configured using AccessAdmin
- Can be modified by an administrator
- Can be viewed by a helpdesk user

Access Admin

AccessAdmin is the management console used by Administrators and Help desk officers to manage users and policies on an IMS Server. Different access rights are given to the Administrator and Help desk roles: certain configurations (for example, system policies) can only be viewed, but not modified, by Help desk. AccessAdmin has a left navigation panel for accessing various functions, such as:
- User search and administration (to modify user policies, issue authorization codes, unlock a locked Wallet, revoke a user, etc.)
- Creating and maintaining policy templates (can only be created and maintained by an Administrator, but a Help desk officer can view and apply them)
- Setting system and application policies (can only be modified by an Administrator, but a Help desk officer can view them)
- Accessing logs and status information

Access Admin

Access Admin runs on top of WebSphere Application Server and is accessed through a specific link in the IMS web interface: https://<ims_server_name>/ims

Web Workplace

A Web-based interface that gives users the ability to log on to enterprise Web applications by clicking on links, without the need to remember the passwords for individual applications. It can be integrated with an existing portal or SSL VPN.

AccessAgent Installation

INSTALLATION
AccessAgent can be installed manually or through a remote installation using a group policy.

CUSTOMIZATION
AccessAgent can be customised both in the configuration process and in the banner. The package can contain:
- SetupHlp.ini: installation options
- DeploymentScript.vbs: code to be installed and run
- Any other file to be copied to the TAM E-SSO program files folder
- Additional configuration information for optional features, such as biometric (fingerprint) support

Banner customization allows a picture to be shown for:
- TAM E-SSO GINA welcome, logon, lock, and unlock windows
- Desktop AccessAgent window

AccessAgent: a new GINA

After the AccessAgent is installed, a new TAM E-SSO GINA is inserted in front of the Windows GINA (chained, not replaced).

User sign up

- If the "Enable automatic signup" option is selected in system settings, users are automatically enrolled when they log on
- Alternatively, a Sign Up option is available on the TAM E-SSO GINA

Secrets

Set by the user during sign up by selecting questions from the pid_bind_secret_question_list policy. They should be:
- Easy to remember
- Permanent in nature
- Not easily made known to others

Used when the password is not available, such as during a password reset.

The Wallet

- Is stored on the IMS Server. However, some parts can also be stored in an authentication factor, such as a private key on a smart card
- Roams to any point of access
- Accessible with the appropriate combination of authentication factors

Wallets can be:
- In memory (does not contain certificates or OTP seed)
- Cached on hard disk or smart card (for offline access, including offline bypass and password reset)

AccessAgent creates a machine Wallet (if it does not exist) when it starts. If the IMS Server is not reachable, policies and AccessProfiles are obtained from a local file. The AccessAgent performs periodic synchronization with the IMS Server.

AccessStudio overview

AccessStudio is the wizard-based tool used by the Administrator to create and manage AccessProfiles and enable SSO, sign-off, and workflow automation. Each application is represented by an AccessProfile, which is a set of instructions that defines the workflow for that particular application. Features include:
- Support for standard and advanced modes for AccessProfiles of varying complexity
- Graphical user interface and XML editors
- Flexibility in editing AccessProfiles stored in any location
- Ability to import existing AccessProfiles from AccessAgent or IMS Server
- Advanced credential and policy management
- Automatic validation of AccessProfile data
- Ability to test and debug AccessProfiles

Simple AccessProfiles generation wizard

Used to generate AccessProfiles for applications:
- 16-bit and 32-bit Windows
- Web pages
- Java applications and applets
- TTY and mainframe
- Owner-drawn

Supports the following workflows:
- Logon (all types)
- Change password: Windows, Web, TTY, Mainframe (cursor-based)
- Logoff: Windows, Web, Mainframe (cursor-based)
- Other tasks: Windows, Web, Mainframe (cursor-based)

- Can be used when the .exe or Web page refers to only one authentication service
- The user drags a selector to the relevant Windows or Web elements
- Automatically creates a new application
- The authentication service is automatically created, or an existing one can be used

Generating an AccessProfile

Open AccessStudio by navigating to Start > All Programs > Encentuate AccessStudio > AccessStudio

Using the profile generator

Click New > New AccessProfile (using Generator)

Creating a Windows profile

Enter the application name and select Windows for the application type

Select the task to automate

Specify the task you will be automating; Logon is the default

Open the application

Open the application you are profiling

Identify the fields

Drag the crosshairs to the relevant fields

What else???

Integrating with LDAP directories

- TAM E-SSO can use enterprise directories other than Active Directory
- LDAP directories are now configurable using the IMS Configuration Utility setup assistant
- The LDAP schema must contain an attribute that represents the user ID to be used for the TAM E-SSO account
- The Tivoli Directory Server credential is only used during sign-up
- TAM E-SSO user passwords are managed by the IMS Server after sign-up
- Password synchronization is not used

Installing IMS Server with Tivoli Directory Server
- Identify a dedicated lookup user in LDAP, or add one
- Ensure inetOrgPerson objects have a unique identifier and passwords
- Use the IMS Configuration Utility's setup assistant and choose Generic LDAP as the enterprise directory type
- The initial TAM E-SSO administrator account can now be specified here

High availability

Components that require redundancy:
1. WebSphere server
2. Database server
3. Directory server

High Availability: WebSphere Server

IBM WebSphere Application Server uses Network Deployment Manager (NDM) for high availability:
- Multiple WebSphere Application Server nodes can be installed with the same applications, and NDM handles which node responds to a request
- Application configuration changes (tuning and so on) are performed on the NDM and synchronized to the available nodes
- Each WebSphere Application Server node is configured with a node agent that allows communication with NDM
- Each WebSphere Application Server node is referred to as a cluster member

High availability example with DB2

(Diagram: the IMS Server's DB2 Client connects to a Primary Node DB2 Server; HADR synchronization keeps a Failover Node DB2 Server in step, and Client Reroute redirects the IMS Server to the failover node.)

Directory server high availability

(Diagram: a Load Balancer in front of a Primary TDS and a Secondary TDS.)

What is next? Education Path & Course Test Drive

Tivoli software training and certification
http://www-01.ibm.com/software/tivoli/education/

IBM Tivoli Access Manager for ESSO 8.1 Deployment and Administration (classroom)
http://www-304.ibm.com/jct03001c/services/learning/ites.wss/us/en?pageType=course_description&courseCode=TW172

IBM Tivoli Access Manager for ESSO 8.1 Deployment and Administration (Instructor Led Online)
http://www-304.ibm.com/jct03001c/services/learning/ites.wss/us/en?pageType=course_description&courseCode=8W172

Tivoli Access Manager for Enterprise Single Sign-On Overview DEMO
https://www14.software.ibm.com/webapp/iwm/web/signup.do?source=swg-spsm-tiv-secdm&S_PKG=TAMESSO_Overview

Useful Resources

Links to Useful Resources
http://www.ibm.com/developerworks/wikis/display/tivoliaccessmanagerforesso/Related+Resources

TAM ESSO Forum
http://www.ibm.com/developerworks/forums/forum.jspa?forumID=1592

Product Page & Free Trial Download
http://www-01.ibm.com/software/tivoli/products/access-mgr-esso/
http://www.ibm.com/developerworks/downloads/tiv/accessmanager/index.html

Information Center
http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.itamesso.doc/welcome.htm

Support Information
http://www-01.ibm.com/software/sysmgmt/products/support/IBMTivoliAccessManagerforEnterpriseSingleSignOn.html

Troubleshooting
http://www.ibm.com/developerworks/wikis/display/tivoliaccessmanagerforesso/Troubleshooting

Proximity and Contactless Card Reader for TAMESSO
http://rfideas.com/Software/

THANK YOU!

marco.zanchi@prow.it
