The major components of the IBM Tivoli Access Manager (TAM) for e-Business architecture include the following:

• User Registry. Master LDAP server maintaining user data, plus LDAP replica servers
• Policy Server. Master database of all protected resources and access policy
• WebSEAL. Reverse proxy web server that performs authentication and authorizations; typically used for DMZ external access to backend content servers
• Plug-in for Web Servers. Plug-in that secures web servers; typically used for internal access

IBM Tivoli Access Manager for e-Business Architecture

The architecture of TAM for e-Business is designed on open standards, integrated technology, and components to leverage existing environments and be extremely flexible and distributed. TAM for e-Business includes a security proxy component called WebSEAL.

WebSEAL manages access to your Web servers regardless of platforms. WebSEAL manages the Web space centrally, linking all Web servers into one logical Web space. One of the main reasons for a focus on the WebSEAL, proxy-based approach is it can be used to enforce “defense in depth” protection. “Defense in depth” involves layering access enforcement points and separating an untrusted requester's network from a secure network with some sort of buffer network (often referred to as a demilitarized zone or DMZ).

TAM for e-Business also offers Plug-in for Web Servers, which largely cover WebSEAL functionality, but are implemented as a Web server security plug-in rather than a security proxy. The Plug-in for Web Servers component enables easy integration for securing Web servers. This approach, which does not require placing a proxy in the DMZ, instead places a piece of code on each web server to be secured. This allows for easy deployment of TAM for e-Business in those environments where existing architectures do not easily allow for the installation of a reverse proxy for business or technical reasons.

TAM for e-Business architectural options, WebSEAL proxy server, and Plug-in for WebServers will provide a typical user flow as follows:

1. User attempts to access a web based resource/application via browser and a URL.
2. User is prompted for authentication by either WebSEAL or the Plug-in.
3. Authentication is provided by any mechanism, including LDAP-based, SecurID, X.509 certificates, and custom (C API, external authentication interface).
4. Authorization is checked locally as the policy information is cached in memory at WebSEAL and the Plug-in, thus, providing superior performance and scalability.
5. If authentication and authorization are successful, a TAM for e-Business credential is created and provided for SSO and session management.

IBM Tivoli Access Manager for e-Business Platform Support

Various components of IBM Tivoli Access Manager (TAM) for e-Business support the following platforms:

• IBM AIX
• Sun Solaris
• Microsoft Windows 2003 Server (Standard Edition and Enterprise Edition)
• Hewlett-Packard HP-UX
• SuSE Linux Enterprise Server (x86, AMD64/EM64T, iSeries, pSeries, S/390, and zSeries)
• Red Hat Enterprise Linux (x86, AMD64/EM64T, iSeries, pSeries, S/390, and zSeries)
• United Linux (x86, iSeries, pSeries, S/390, and zSeries)
  The TAM for e-Business Plug-in for Web Servers component supports:
• Microsoft IIS
• Sun Java System Web Server
• IBM HTTP Server
• IBM WebSphere Edge Server
• Apache Web Server

The TAM for e-Business supports the following as user registry:

• IBM Tivoli Directory Server
• IBM z/OS LDAP Server
• IBM Lotus Domino Sever
• Microsoft Active Directory
• Sun Java System Directory Server
• Novell e-Directory

TAM for e-Business product documentation (also available online) can be reviewed for detailed information on supported platforms.