Speaker: MARCO ZANCHI Job Title: IBM Certified Instructor & Specialist PROW SRL www.prow.it
IBM European Tivoli Technical Conference 2011
This Session
As part of the Tivoli Security portfolio, TAM E-SSO now has an important mission: solving the problem of the many passwords that users of small and large networks need to remember and manage. TAM E-SSO is a powerful yet easy-to-deploy solution that relieves system administrators of the pain of keeping their users happy and passwords compliant with new policies. Moving from a general overview to a technical introduction, we present the TAM E-SSO components, how they integrate with other solutions, and how easy it is to deploy them and put them to work.
Introduction
Session Agenda: Technical Introduction
- Product Components
- Platform Support
- Access Agent
- IMS Server deployment
- What are the Policies
- Access Admin Web Workplace
- Access Agent: Installation
- The Wallet
- Access Studio: creating profiles
Session Agenda: What else?
- Integration with LDAP servers
- High Availability
- What is next? Tivoli Education path, Test Drive the official Course
- Useful Resources
Overview
TIVOLI ACCESS MANAGER for E-BUSINESS
A flexible, scalable authentication and authorization solution that protects company Web resources.
Features:
- Provides an authentication and authorization framework
- Secures a variety of Web-based applications
- Centralizes administration of Web-based applications
- Enforces the security policy defined by your organization
- Tracks user activity with auditing and reporting
- Provides quality of protection (QoP) for Web transactions: integrity and privacy
TIVOLI ACCESS MANAGER FOR E-SSO
Automate access to corporate information, strengthen security, and enforce compliance at the endpoints.
Management of account credentials: credentials are stored in the ESSO Server (IMS) database and synchronized to the end users' Wallets on their desktops. This allows the ESSO client (AccessAgent) to log the end user in automatically to any application that is profiled in ESSO. End users do not need to know any of their IDs or passwords for the applications profiled in ESSO.
Access Agent & IMS Server
Together, AccessAgent and the IMS Server provide:
- Strong Authentication
- E-SSO and Password Management
- Session Management and Workflow Automation
- Audit and Compliance
Enterprise single sign-on with workflow automation
With TAM E-SSO, users enjoy fast access to all corporate applications (e.g. Web, desktop, TTY and legacy) and network resources using a single strong password on personal and shared workstations. This increases employee productivity, lowers IT help desk costs, and improves security: users no longer need to know or handle the individual application passwords, and the effort of managing complex password policies disappears from their side. Users can automate the entire access workflow (e.g. application login, drive mapping, application launch, single sign-on, navigation to preferred screens, multi-step logins).
User access tracking for audit & compliance reporting
Combined strong authentication capabilities and user-centric audit logs ensure secure access to confidential corporate information and accountability at all times. The logs provide the meta-information that can guide a detailed analysis for compliance. The information is collated in a central relational database, facilitating real-time monitoring and separate reporting with third-party reporting tools. The endpoint automation framework can be leveraged to audit custom access events for any application without modifying the application or relying on its native audit functionality.
The Identity and Access Management suite
Diagram: TAM E-SSO AccessAgent on Web, Desktop and Citrix or Terminal Services desktops, backed by the IMS Server, providing Strong Authentication, Enterprise Single Sign-On, Workflow Automation, Session Management, Audit and Compliance, Context Management and User Provisioning.

Strong Authentication
- Building badge integration
- Active RFID
- Fingerprint biometric
- USB smart cards
- Cell phone authentication
- One-time password (OTP)
- iTag

Workflow Automation
- Application launch, drive mapping, single sign-off
- Automate any presentation layer event
- Automate walk-away desktop security

Centralized Administration
- Web-based AccessAdmin
- Group-based and policy-driven management

Centralized Audit
- Endpoint tracking
- Centralized SQL reporting
User Provisioning: Tivoli Identity Manager
TAM E-SSO combines with user provisioning technologies such as Tivoli Identity Manager to provide end-to-end identity lifecycle management. After the users are provisioned, they can use single sign-on to access all their applications on shared and personal workstations with one password. Users are never required to register their user names and passwords individually, because their credentials are provisioned automatically.
The goal of the ITIM/ESSO integration
- End-to-end management (and automation) of both the physical accounts and the credentials for these accounts
- Keeping account IDs and passwords (stored in ESSO Wallets) in sync with the physical accounts
- The ability to bring new employees on board, automatically provision their accounts and have their account credentials stored in their ESSO Wallets
- Allowing new employees to log in to their desktop for the first time and access all their resources
Password
The password is used to secure access to a Wallet. The user specifies this password upon signing up with TAM E-SSO AccessAgent. Signing up with TAM E-SSO AccessAgent means registering the user with the IMS Server, and creating a Wallet.
Secret
The user is asked to enter a secret when signing up for a Wallet. A secret is a second password or a backup password. It is similar to the hint provided when the user forgets the password for a Web e-mail account, for example.
USB Keys
Can store: a serial number; a common symmetric key; digital certificates for each certificate-enabled application.
Second Authentication Factors: Hardware
(Pictured: pcProx Sonar)
TAM E-SSO integrates with RFIDeas pcProx and AIR ID devices to read proximity cards and contactless smart cards, providing strong user authentication and unified access to information, network and resources. TAM E-SSO also integrates with the pcProx Sonar for walk-away security. For more information visit http://rfideas.com
Technical Introduction
TAM E-SSO Product Components
WALLET
Stores the user's access credentials (including user IDs, passwords, certificates, encryption keys). Each user has a Wallet. A cached Wallet is a copy of the user's Wallet stored on the hard disk of the computer; the user can retrieve the cached Wallet during emergencies.
AccessAgent
Client software that manages users identity Enables sign-on and sign-off automation
IMS Server
Identity management system that enables centralized management of user identities, AccessProfiles, and policies
AccessAdmin
IMS Server Management console for Administrator and Helpdesk
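The Password and Secret slides above say that the Wallet is secured by the Wallet password and that the secret is a backup password; the Wallet slide adds that a cached copy lives on the endpoint's disk. The model below, an added example and not TAM E-SSO's own Wallet format or AccessAgent code, shows one sound way to build such a Wallet: the credential store is encrypted under a random Wallet key, and that key is wrapped twice, once under a key derived from the password and once under a key derived from the secret, so either factor unlocks the Wallet and a password change only re-wraps the key without touching the stored credentials. Field names, the JSON layout and the sample credentials are assumptions. The cipher is a standard-library stand-in (HMAC-SHA256 keystream with an HMAC tag, encrypt-then-MAC); a real deployment would use an AEAD such as AES-GCM from a vetted library.

```python
"""Illustrative password-plus-secret Wallet (added example, not TAM E-SSO code).
All names and the file layout are assumptions made for the example."""
import hashlib
import hmac
import json
import os
from typing import Optional

PBKDF2_ITERATIONS = 100_000


def _kdf(factor: str, salt: bytes) -> bytes:
    """Derive a 32-byte key from the password or the secret; slow on purpose."""
    return hashlib.pbkdf2_hmac("sha256", factor.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for a real AEAD cipher)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _subkeys(key: bytes):
    """Independent encryption and MAC keys derived from one master key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _seal(key: bytes, plaintext: bytes) -> dict:
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()   # encrypt-then-MAC
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def _open(key: bytes, box: dict) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = (bytes.fromhex(box[k]) for k in ("nonce", "ct", "tag"))
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):        # wrong factor or tampered data
        raise ValueError("Wallet integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def create_wallet(password: str, secret: str, credentials: dict) -> dict:
    """Sign-up: a fresh Wallet key, wrapped under both the password and the secret."""
    wallet_key = os.urandom(32)
    pw_salt, sec_salt = os.urandom(16), os.urandom(16)
    return {"pw_salt": pw_salt.hex(), "sec_salt": sec_salt.hex(),
            "key_by_password": _seal(_kdf(password, pw_salt), wallet_key),
            "key_by_secret": _seal(_kdf(secret, sec_salt), wallet_key),
            "store": _seal(wallet_key, json.dumps(credentials).encode("utf-8"))}


def open_wallet(wallet: dict, password: Optional[str] = None,
                secret: Optional[str] = None) -> dict:
    """Unlock with the Wallet password, or with the backup secret when it is forgotten."""
    if password is not None:
        key = _open(_kdf(password, bytes.fromhex(wallet["pw_salt"])), wallet["key_by_password"])
    elif secret is not None:
        key = _open(_kdf(secret, bytes.fromhex(wallet["sec_salt"])), wallet["key_by_secret"])
    else:
        raise ValueError("a password or a secret is required")
    return json.loads(_open(key, wallet["store"]).decode("utf-8"))


def can_unlock(wallet: dict, password: Optional[str] = None, secret: Optional[str] = None) -> bool:
    try:
        open_wallet(wallet, password, secret)
        return True
    except ValueError:
        return False


def change_password(wallet: dict, old_password: str, new_password: str) -> dict:
    """Re-wrap the Wallet key under the new password; the credential store is untouched."""
    key = _open(_kdf(old_password, bytes.fromhex(wallet["pw_salt"])), wallet["key_by_password"])
    new_salt = os.urandom(16)
    updated = dict(wallet)
    updated["pw_salt"] = new_salt.hex()
    updated["key_by_password"] = _seal(_kdf(new_password, new_salt), key)
    return updated


# Constructed sample credentials (not real accounts) and a Wallet built from them.
SAMPLE_CREDENTIALS = {"erp": {"user": "jdoe", "password": "Erp!2011"},
                      "portal": {"user": "jdoe@example.com", "password": "P0rtal-x"}}
SAMPLE_WALLET = create_wallet("Winter2011!", "first pet: rex", SAMPLE_CREDENTIALS)

if __name__ == "__main__":
    print(open_wallet(SAMPLE_WALLET, password="Winter2011!")["erp"]["user"])
    print(can_unlock(SAMPLE_WALLET, password="Winter2011"))
```

The same sealed dictionary can be written to disk as the cached Wallet and held by the server: a copy of the file alone yields nothing without one of the two factors, and the integrity tag makes tampering with a cached copy detectable. The weak point of this design is the secret: since it unlocks the Wallet on its own, it deserves the same strength and handling as the password, not a guessable hint.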
TAM E-SSO Product Components (continued)
AccessAssistant
Web-based password self-help
AccessStudio
User interface for creating AccessProfiles required to support sign-on and sign-off automation
Service Module
Add-on modules that extend the capabilities of IMS
IMS Bridge
IMS Service Modules that enable applications to use IMS as an authentication server
IMS Connector
IMS Service Modules that enable IMS to interface with applications
Architecture diagram: the IMS Server (Central Audit, Central Administration) provides Strong Authentication, Single Sign-on and Session Management to the AccessAgent, which is built from Automated Actions, Automation Triggers, the Observer Framework and Plug-ins, and holds the Wallet.
IMS Server: deployment and tips
Since version 8.1, TAM E-SSO runs on the WebSphere Application Server platform, a solid, mission-critical technology. The database server must be installed before the IMS Server; supported databases are DB2 9.5 or 9.7, Microsoft SQL Server, and Oracle 9i or 10g.
What are the Policies
Policies control the behaviour of the TAM E-SSO components, let the product be configured to meet specific requirements, have different visibility and scope, and are managed by different roles. Defining them is a critical step of the deployment process.
Once the IMS Server and AccessAdmin are installed, an Initial Configuration Wizard is used to configure AccessAdmin and then define the default system template: allowed authentication factors, shared workstation settings and more. Because this template governs which authentication factors the endpoints accept, review it against your own requirements rather than leaving the wizard defaults in place.
Policy types and scope
System policy: global; configured using AccessAdmin; can be modified by an administrator; can be viewed by a helpdesk user
User policy: affects only a specific user; configured using AccessAdmin; can be modified by an administrator or a helpdesk user
Machine policy: configured using AccessAdmin; can be modified by an administrator; can be viewed by a helpdesk user
CUSTOMIZATION
AccessAgent can be customized both in the configuration process and in the banner. The installation package can contain:
- SetupHlp.ini: installation options
- DeploymentScript.vbs: code to be installed and run
- Any other file to be copied to the TAM E-SSO program files folder
- Additional configuration information for optional features, such as biometric (fingerprint) support
Since DeploymentScript.vbs is executed on every endpoint during installation, treat the package as privileged code: keep it under change control and verify its integrity before distribution.
Offline operation: if the IMS Server is not reachable, policies and AccessProfiles are obtained from a local file. The AccessAgent performs periodic synchronization with the IMS Server, so the local copy is refreshed once connectivity returns.
Simple AccessProfiles generation wizard
Used to generate AccessProfiles for applications:
- 16-bit and 32-bit Windows
- Web pages
- Java applications and applets
- TTY and mainframe
- Owner-drawn
It can be used when the .exe or Web page refers to only one authentication service. The user drags a selector onto the relevant Windows or Web elements; a new application is created automatically, and the authentication service is either created automatically or an existing one is reused.
Using the profile generator
Click New > New AccessProfile (using Generator)
Select the task to automate
Specify the task you will be automating; Logon is the default.
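The generator slides describe an AccessProfile as the link between an application's logon screen (the .exe or Web page, the selected user-name and password elements) and the authentication service whose credentials the Wallet supplies. The code below is an added example modelling that trigger-and-action logic; it is not TAM E-SSO's AccessProfile format or AccessAgent code, and every profile, identifier, path and screen event in it is constructed for the example. The point it makes is that the trigger must match the executable path or the web origin of the logon screen, not only the visible title, otherwise a look-alike window or phishing page would be auto-filled with the user's credentials.

```python
"""Illustrative AccessProfile matching and logon automation (added example,
not TAM E-SSO code). All profiles, paths and control names are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AccessProfile:
    name: str
    auth_service: str      # which Wallet entry supplies the credentials
    source: str            # exact process path (Windows) or https origin (web)
    title_pattern: str     # regex applied to the window or page title
    user_field: str        # identifier of the user-name control
    password_field: str    # identifier of the password control
    submit: str = "press_enter"


@dataclass(frozen=True)
class ScreenEvent:
    """What the observer reports when a window or page appears."""
    source: str
    title: str
    elements: frozenset    # control identifiers visible on the screen


def _same_source(profile_source: str, observed: str) -> bool:
    # Web origins must match exactly (scheme, host, port); Windows paths are case-insensitive.
    if observed.startswith("http"):
        return profile_source == observed
    return profile_source.lower() == observed.lower()


def match_profile(profiles: List[AccessProfile], event: ScreenEvent) -> Optional[AccessProfile]:
    """Return the profile whose trigger fires for this screen, or None."""
    for p in profiles:
        if (_same_source(p.source, event.source)
                and re.search(p.title_pattern, event.title)
                and {p.user_field, p.password_field} <= event.elements):
            return p
    return None


def plan_logon(profiles: List[AccessProfile], wallet: dict,
               event: ScreenEvent) -> Optional[List[Tuple]]:
    """Automation steps for this screen, or None when no profile matches."""
    p = match_profile(profiles, event)
    if p is None:
        return None
    cred = wallet.get(p.auth_service)
    if cred is None:
        # First use of this application: capture what the user types into the Wallet.
        return [("capture", p.auth_service, p.user_field, p.password_field)]
    return [("fill", p.user_field, cred["user"]),
            ("fill", p.password_field, cred["password"]),
            ("submit", p.submit)]


# Constructed sample profiles, Wallet contents and observed screens (not real systems).
PROFILES = [
    AccessProfile("Corporate portal", "portal-sso", "https://portal.example.com",
                  r"Sign in", "username", "password"),
    AccessProfile("ERP client", "erp-prod", r"C:\Program Files\ERP\erpclient.exe",
                  r"^ERP Logon", "edtUser", "edtPwd", submit="click:btnLogin"),
]
WALLET = {"portal-sso": {"user": "jdoe@example.com", "password": "P0rtal-x"}}

PORTAL_LOGON = ScreenEvent("https://portal.example.com", "Portal - Sign in",
                           frozenset({"username", "password", "remember_me"}))
LOOKALIKE = ScreenEvent("https://portal.example.com.evil.test", "Portal - Sign in",
                        frozenset({"username", "password"}))
ERP_LOGON = ScreenEvent(r"c:\program files\erp\ERPCLIENT.EXE", "ERP Logon - PRD",
                        frozenset({"edtUser", "edtPwd", "btnLogin"}))
ERP_ABOUT = ScreenEvent(r"C:\Program Files\ERP\erpclient.exe", "About ERP",
                        frozenset({"btnOK"}))

if __name__ == "__main__":
    for ev in (PORTAL_LOGON, LOOKALIKE, ERP_LOGON, ERP_ABOUT):
        print(ev.title, "->", plan_logon(PROFILES, WALLET, ev))
```

Matching on the executable path is the minimum; an agent that injects passwords into other processes should ideally also check the process's code signature, because anything that can place a file at the expected path can otherwise collect the credentials. The "capture" step models the first-use case from the slides, where the user signs in once by hand and the credentials are recorded in the Wallet for later automated logons.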
What else?
Integrating with LDAP directories
- TAM E-SSO can use enterprise directories other than Active Directory
- LDAP directories are now configurable using the IMS Configuration Utility setup assistant
- The LDAP schema must contain an attribute that represents the user ID to be used for the TAM E-SSO account
- The Tivoli Directory Server credential is only used during sign-up
- TAM E-SSO user passwords are managed by the IMS Server after sign-up
- Password synchronization is not used
High Availability: WebSphere Application Server
- WebSphere Application Server Network Deployment provides high availability through its Deployment Manager (referred to here as NDM)
- Multiple WebSphere Application Server nodes can be installed with the same applications; the NDM decides which node responds to a request
- Application configuration changes (tuning and so on) are performed on the NDM and synchronized to the available nodes
- Each WebSphere Application Server node runs a node agent that communicates with the NDM
- Each WebSphere Application Server node is referred to as a cluster member
High availability example with DB2
Diagram: a primary node and a standby DB2 Server kept in step by HADR synchronization, with client reroute switching the IMS connections to the surviving server; a primary TDS and a secondary TDS (Tivoli Directory Server) for the directory.
What is next? Education Path & Course Test Drive
Tivoli software training and certification
http://www-01.ibm.com/software/tivoli/education/
IBM Tivoli Access Manager for ESSO 8.1 Deployment and Administration (classroom)
http://www-304.ibm.com/jct03001c/services/learning/ites.wss/us/en?pageType=course_description&courseCode=TW172
IBM Tivoli Access Manager for ESSO 8.1 Deployment and Administration (Instructor Led Online)
http://www-304.ibm.com/jct03001c/services/learning/ites.wss/us/en?pageType=course_description&courseCode=8W172
Information Center
http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.itamesso.doc/welcome.htm
Support Information
http://www-01.ibm.com/software/sysmgmt/products/support/IBMTivoliAccessManagerforEnterpriseSingleSignOn.html
TroubleShooting
http://www.ibm.com/developerworks/wikis/display/tivoliaccessmanagerforesso/Troubleshooting
THANK YOU!
marco.zanchi@prow.it