Tivoli Access Manager for e-Business Main Features
IBM Tivoli Access Manager (TAM) for e-business is an end-to-end security solution for e-business, focused on providing robust, policy-based security to a corporate web environment. Essential elements of IBM Tivoli Access Manager for e-Business include: authentication, control of access privileges, auditing, single sign-on, high availability, architecture flexibility, and logging.
Policy-based Access Control
TAM for e-Business enables you to define a comprehensive policy and administer security based on that policy, giving your employees, partners, suppliers, and customers specific access based on each user's responsibilities. You can group users and assign permissions to groups, simplifying administration of access control across multiple applications and resources. There is support for dynamic rules, dynamic business entitlements, and authorization decisions based on external data for applications that require it.
Flexible Authentication Framework
TAM for e-Business provides a set of default authentication mechanisms, in the form of built-in shared libraries, including LDAP-based userID and password, client-side certificate, RSA SecurID tokens, SPNEGO protocol (Kerberos authentication), IP address, and mobile and wireless identities. For special custom authentication requirements, TAM for e-Business supports a C-based (C API) custom authentication module that allows you to extend authentication beyond those mechanisms already supported. Similar to this capability, there is also an authentication option through the external authentication interface (EAI).
The external authentication interface allows third-party systems to send an authenticated identity over HTTP to Tivoli Access Manager's WebSEAL (or the plug-ins). When using the external authentication interface, a remote service (application) handles the authentication process for WebSEAL and the plug-ins. The design, methodology, and code of the custom authentication application are entirely the responsibility of the application developer.
The external authentication interface can:
- Provide a more convenient and flexible authentication capability for many environments
- Be used with applications written in any language, including Java
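The exchange described above, simulated end to end as an added example (not product code): the remote service performs the authentication and hands the identity back in HTTP response headers, and the proxy side builds its credential only from the response to its configured trigger URL, never from identity headers the browser itself sent. The trigger URL, header names, user store and credential layout are all constructed for this illustration.

```python
"""Simulated external authentication interface (EAI) exchange. The remote
application authenticates the user and returns the identity in HTTP response
headers; the proxy accepts that identity only from the EAI response to the
trigger URL. Names and formats here are constructed, not the product's own."""
import hmac

TRIGGER_URL = "/eai/login"          # assumed EAI trigger location
ID_HEADER = "x-eai-user-id"         # hypothetical identity header name
LEVEL_HEADER = "x-eai-auth-level"   # hypothetical authentication-strength header
USERS = {"alice": "correct horse"}  # constructed user store for the demo


def eai_service(request):
    """Remote application: performs the actual authentication step and
    reports the result to the proxy through response headers."""
    user = request["form"].get("username", "")
    pw = request["form"].get("password", "")
    if user in USERS and hmac.compare_digest(USERS[user].encode(), pw.encode()):
        return {"status": 200, "headers": {ID_HEADER: user, LEVEL_HEADER: "1"}}
    return {"status": 401, "headers": {}}


def proxy_handle(request):
    """Proxy side: forward the trigger URL to the EAI application and build
    the session credential from the EAI response alone. Returns the credential
    dict on success, None when no identity was established."""
    if request["path"] != TRIGGER_URL:
        return None
    # Drop any identity headers supplied by the client before forwarding, so
    # only the EAI application can assert who the user is.
    clean = {k: v for k, v in request["headers"].items()
             if not k.lower().startswith("x-eai-")}
    response = eai_service({**request, "headers": clean})
    if response["status"] != 200 or ID_HEADER not in response["headers"]:
        return None
    return {"user": response["headers"][ID_HEADER],
            "auth_level": int(response["headers"].get(LEVEL_HEADER, "1"))}
```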
TAM for e-Business features other authentication capabilities, such as re-authentication and authentication strength policy (also called step-up authentication), which requires a user to re-authenticate with a stronger mechanism when moving from an application at a lower security level to one at a higher level.
Externalized Authorization
TAM for e-business provides centralized authorization and policy management to manage access control to applications from one unified interface. This includes tight integration within a J2EE environment in which TAM supports the OpenGroup aznAPI as well as the Java Authentication and Authorization Service (JAAS) at an API level.
For J2EE container-level security, TAM supports the WebSphere authorization table interface. When WebSphere and other security provider interfaces (such as BEA WebLogic) converge on the Java Authorization Contract for Containers (JACC), TAM will also support this service provider interface. Implementing TAM enables organizations to enforce their security policy consistently across WebSphere and other web-based applications by providing a central interface for security management.
Flexible Authorization Criteria
TAM for e-Business allows users to access only information for which they are authorized. Web Portal Manager (the administrative graphical user interface) presents a logical Web space for associating access control information with resources.
TAM for e-Business maintains authorization policy in a central repository for administration purposes and provides replication of the policy out to local enforcement points. The solution allows you to define access control policies using three separate dimensions of authorization criteria.
- The first involves traditional static Access Control Lists that describe the principals (users and groups) allowed to access a resource and which permissions each of these principals possesses.
- The second dimension extends these capabilities to include parameters for time-of-day restrictions, requestor IP address/netmask filtering, and quality-of-protection requirements that allow you to mandate SSL sessions to access specific resources. This second dimension also enables policy-based auditing for your resources that overrides the global audit settings.
- The third and final dimension for access control authorization involves a dynamic rules engine that allows you to attach an XML-style assertion to your resources that will be evaluated at the time access is requested.
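To make the three dimensions concrete, the following added example (not TAM code) layers a static ACL, protected-object conditions for time of day, requester IP/netmask and required SSL, and a dynamic rule evaluated per request against the caller's credential attributes. The data layout, the field names and the XML rule syntax are constructed for this illustration and are not the product's policy format.

```python
"""Layering the three authorization dimensions: static ACL, per-resource
conditions (time of day, IP/netmask, require-SSL) and a dynamic rule checked
at request time. Constructed example; names and rule syntax are made up."""
import ipaddress
import xml.etree.ElementTree as ET

# Dimension 1: static ACL, permissions per principal for one resource.
ACL = {"user:alice": "rx", "group:clerks": "r"}

# Dimension 2: per-resource conditions (hypothetical field names).
POP = {
    "hours": (8, 18),                                   # allowed hours, 24h
    "networks": [ipaddress.ip_network("10.1.0.0/16")],  # IP/netmask filter
    "require_ssl": True,                                # quality of protection
}

# Dimension 3: a constructed XML-style assertion evaluated per request.
RULE = '<rule><attr name="department" equals="finance"/></rule>'

def acl_allows(cred, perm):
    principals = ["user:" + cred["user"]] + ["group:" + g for g in cred["groups"]]
    return any(perm in ACL.get(p, "") for p in principals)

def pop_allows(req):
    start, end = POP["hours"]
    in_hours = start <= req["hour"] < end
    in_net = any(ipaddress.ip_address(req["ip"]) in n for n in POP["networks"])
    qop_ok = req["ssl"] or not POP["require_ssl"]
    return in_hours and in_net and qop_ok

def rule_allows(cred):
    root = ET.fromstring(RULE)
    return all(cred["attrs"].get(a.get("name")) == a.get("equals")
               for a in root.iter("attr"))

def authorize(cred, req, perm="r"):
    """All three dimensions must grant; on denial, name the failing one
    so the decision can be written to the audit trail."""
    checks = (("acl", acl_allows(cred, perm)),
              ("pop", pop_allows(req)),
              ("rule", rule_allows(cred)))
    for name, ok in checks:
        if not ok:
            return (False, name)
    return (True, None)

ALICE = {"user": "alice", "groups": ["clerks"], "attrs": {"department": "finance"}}
BOB = {"user": "bob", "groups": ["clerks"], "attrs": {"department": "sales"}}
REQ = {"hour": 9, "ip": "10.1.4.7", "ssl": True}
```

`authorize(ALICE, REQ, "x")` grants, while `authorize(BOB, REQ, "r")` passes the ACL and the conditions but is denied by the rule, which is the kind of attribute-driven decision a static ACL alone cannot express.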
TAM for e-Business also allows for finer-grained authorization controls by providing identity-specific information to the backend secured applications. It enables target applications to perform user-specific actions based on the user’s TAM for e-Business credentials.
Single Sign-On
TAM for e-Business provides single sign-on to the corporate web space. The TAM for e-Business solution allows you to enable a flexible single sign-on (SSO) to Web-based applications that can span multiple sites or domains with a range of SSO options. This can help reduce help desk calls and other security issues associated with multiple passwords.
With TAM for e-business in place, users only need to log in once. Their credentials are built and passed on to the backend application while remaining transparent to the user. Users can then access all Web-based resources and Web applications for which they are authorized within the Tivoli Access Manager secure domain.
TAM for e-Business also offers “Windows Desktop Single Sign-On.” This allows a user who is logged onto the Windows network to access any TAM for e-Business protected applications without having to re-authenticate. TAM for e-Business uses SPNEGO protocol and Kerberos authentication for the Windows Desktop SSO implementation.
Web-based Administration
With a Web-based tool called Web Portal Manager, administrators can manage users, groups, permissions, and policies. Web Portal Manager extends beyond delegated user management to deliver delegated security administration. The SSL-enabled management application program interfaces (APIs) used by Web Portal Manager are available if you need to integrate or build your own customer-care management applications. These include full support for Java, C, and C++.
Web Portal Manager enables administration over a broad range of target resources, including:
- Resources protected by a scalable proxy (the Tivoli Access Manager WebSEAL component)
- Resources protected by Tivoli Access Manager Web Server Plug-ins and J2EE resources
- .Net resources
- Custom applications that have been factored into the secure environment
All these resources are represented in a single protected object space that a single administrator or a coordinated team of delegated administrators can manage.
Delegated Administration
Multiple levels of delegated administration are possible with great flexibility in capabilities assigned to lower-level administrators. This allows banks or insurance companies, for example, to delegate certain administration responsibilities to their branch office personnel as desired.
Scalability and High Availability
TAM for e-Business addresses the requirements for reliability and scalability through replication of its individual components. Authentication and authorization are performed on the perimeter by the security proxy servers (WebSEALs) before any access to protected resources is ever permitted. Each WebSEAL proxy server component maintains a local cache of your authorization policy for high performance, removing the need to have the Master Policy server up and running. User authentication is always performed remotely against your LDAP user registry.
TAM for e-Business performs intelligent load balancing over replicated servers and can scale your server deployment through adding new WebSEAL replicas into the environment to increase authorization throughput as well as overall availability. Additional scalability can be achieved by having multiple WebSEAL server replicas located behind a network load balancing appliance to share the traffic load.
At the data level, the included IBM Tivoli Directory Server supports replication and clustering, further enhancing the scalability and availability of the TAM for e-Business solution.
Logging and Auditing
The ability to log and audit all access attempts is essential to securing the corporate intranet. Monitoring access attempts by all users allows administrators to detect security risks. TAM for e-Business centrally logs all access attempts using a standardized format. Audit logs contain data about system activities that affect the secure operation of the TAM for e-Business authorization process.
The data consists of audit records of authentication and authorization events that can include:
- Successful and unsuccessful access to resources
- Password changes
- Administrative or management events
TAM for e-Business can produce audit records for any defined policy (password variables, account lockout, inappropriate access, and so on). Whenever a policy is violated (such as exceeding the maximum login failures threshold), an audit record is generated. Each process is configured to specify exactly which audit events are to be captured.
These parameters include settings for:
- Authentication and authorization events
- Management commands
- HTTP request handling
- Defining the location and name of each process audit log file
Audit log files are monitored for such occurrences as growth beyond threshold settings, rollover to a new file, and so on. Support for standard HTTP logging enables you to see which IP addresses are submitting which types of requests. TAM for e-Business writes audit records in an XML-like format that enables easy parsing for extracting required information.
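As an added illustration of the kind of processing the "XML-like format" above makes easy, the following example (not product code) parses a constructed set of audit records, summarises authentication and authorization outcomes per user, and flags accounts whose failed logins reach a login-failure threshold. The record schema, the sample events and the threshold value are all constructed for this example and are not TAM's actual audit format.

```python
"""Parse constructed XML-style audit records and report per-user outcomes,
flagging accounts whose failed logins reach the lockout threshold.
Added example; the schema and sample data are made up, not TAM's own."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample records in the spirit of the audit format described above.
SAMPLE_LOG = """<audit>
  <event type="authn" user="alice" outcome="success" ip="10.1.4.7" t="09:00:01"/>
  <event type="authz" user="alice" outcome="success" resource="/payroll" t="09:00:03"/>
  <event type="authn" user="bob" outcome="failure" ip="203.0.113.9" t="09:01:10"/>
  <event type="authn" user="bob" outcome="failure" ip="203.0.113.9" t="09:01:14"/>
  <event type="authn" user="bob" outcome="failure" ip="203.0.113.9" t="09:01:19"/>
  <event type="authz" user="carol" outcome="failure" resource="/admin" t="09:02:00"/>
</audit>"""

MAX_LOGIN_FAILURES = 3   # assumed policy threshold for this example

def parse_events(xml_text):
    """Return one dict per <event> element, keyed by its attributes."""
    root = ET.fromstring(xml_text)
    return [dict(e.attrib) for e in root.iter("event")]

def summarize(events):
    """Count outcomes per (user, event type, outcome) and collect the
    resources each user was denied, for the access-history style reports."""
    counts = defaultdict(int)
    denied = defaultdict(list)
    for e in events:
        counts[(e["user"], e["type"], e["outcome"])] += 1
        if e["type"] == "authz" and e["outcome"] == "failure":
            denied[e["user"]].append(e["resource"])
    return counts, denied

def lockout_candidates(events, threshold=MAX_LOGIN_FAILURES):
    """Users whose failed authentications reached the threshold, mapped to
    the source addresses the failures came from."""
    failures = defaultdict(set)
    for e in events:
        if e["type"] == "authn" and e["outcome"] == "failure":
            failures[e["user"]].add(e["ip"])
    counts, _ = summarize(events)
    return {u: sorted(ips) for u, ips in failures.items()
            if counts[(u, "authn", "failure")] >= threshold}

if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print(lockout_candidates(events))   # {'bob': ['203.0.113.9']}
```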
Furthermore, TAM for e-Business includes a component known as the Common Auditing and Reporting Service, which provides a common way for applications to centralize audit and compliance data.
For Tivoli Access Manager, it includes out-of-the-box reporting that can be expanded to cover multiple audit sources. Some of these reports include:
- Audit, authentication, and authorization event histories
- Event details
- Password change activity
- Resource access
- Server availability reports
Advantages with IBM Tivoli Access Manager for e-Business
TAM for e-Business has many advantages. It:
- Delivers unified authentication and authorization for online business initiatives
- Offers flexible authentication mechanisms that you can extend through C-based APIs or using an external authentication interface that allows you to offload the authentication process to an external service
- Supports web single sign-on that encompasses Web applications, Microsoft®, BEA, and many other portal and application environments
- Offers design flexibility through:
  - Highly scalable proxy architecture and/or easy-to-install Web server plug-ins
  - Rule- and role-based access control
  - Support for leading user registries and platforms
  - Advanced APIs that you can use to further customize security
- Achieves rapid and scalable deployment of Web applications with support for open industry standards and products, including:
  - Java 2 Enterprise Edition (J2EE)
  - Lightweight Directory Access Protocol (LDAP)
  - SSL
  - X.509 v3 client certificates
  - Metadirectory implementations using IBM Tivoli Directory Integrator
- Provides improved support for mainframe applications with new support for Java 2 and Java Authentication and Authorization Service (JAAS) APIs on z/OS and WebSphere on z/OS (allowing container-level security for z/OS servlets)
- Helps lower application development, deployment, and management costs by delivering unified identity and security management
- Includes policy migration (export/import) features that help simplify deployments and migration steps (from testing to production environments)
- Helps quickly understand risks and address compliance challenges by including the Common Auditing and Reporting Service module
- Provides the base for cross-site, inter-company authentication when used with Tivoli Federated Identity Manager, which supports the SAML, Liberty Alliance, and Web Services Federation (WS-Federation) industry protocols
