Hot Topics - Messmer The Brain House
[Figure 1 diagram labels: Tivoli Identity Manager, IVS, DB2, MQ, RACF user registry, WebSphere Application Server (AMWAS) on z/OS, WebSphere Application Server (AMWAS)]
to configure two “junctions”—one for each of the application servers to be contacted by the reverse proxy on behalf of the connecting user. When you configure these junctions, specify:
• Tivoli Access Manager credentials (ivcred) to be passed to the downstream application
• The URL of the two applications
• Any other configuration settings.

In addition to handling user authentication, the reverse proxy servers handle two other important functions:
• Session management: The user’s authenticated state is maintained at the reverse proxy server, allowing the user to move from application to application without re-authenticating.
• Authorization: Tivoli Access Manager access control settings can be employed to serve as one layer of access control checking at the URL level to protect applications that are accessible by certain users.
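A toy model of the reverse-proxy behaviour just described, added here as an example (it is not IBM's code or the newsletter's): the user authenticates once, the session state lives at the proxy, each URL is checked against an access control list, and the request is then forwarded over the matching junction with a credential header. The cookie name, the iv-cred header format, host names, ACL and session data are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed ACL: URL prefix -> groups allowed to reach it (URL-level access check).
ACL = {"/payroll": {"hr"}, "/orders": {"sales", "hr"}}
# Constructed junctions: URL prefix -> downstream WebSphere server (Figure 1 has one per app).
JUNCTIONS = {"/payroll": "was-zos.example.com:9080", "/orders": "was-aix.example.com:9080"}
# Constructed session store: the authenticated state is kept at the proxy, not in the apps.
SESSIONS = {"sess-alice": ("alice", {"hr"}), "sess-bob": ("bob", {"sales"})}

@dataclass
class Request:
    path: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)

def proxy(req: Request):
    """Return (status, backend, headers_forwarded) for one inbound request."""
    session = SESSIONS.get(req.cookies.get("session_id"))   # constructed cookie name
    if session is None:
        return 401, None, {}          # not authenticated: the proxy would start a login
    user, groups = session
    prefix = next((p for p in JUNCTIONS if req.path.startswith(p)), None)
    if prefix is None:
        return 404, None, {}          # no junction matches this URL
    if not groups & ACL[prefix]:
        return 403, None, {}          # URL-level authorization denied at the proxy
    # Strip any client-supplied identity headers first, so the downstream application
    # only ever sees the credential the proxy derived from its own session state.
    fwd = {k: v for k, v in req.headers.items() if not k.lower().startswith("iv-")}
    fwd["iv-cred"] = f"{user};{','.join(sorted(groups))}"   # simplified, constructed format
    return 200, JUNCTIONS[prefix], fwd

if __name__ == "__main__":
    for r in (Request("/payroll/run", {"session_id": "sess-alice"}),
              Request("/payroll/run", {"session_id": "sess-bob"}),
              Request("/orders/list", {"session_id": "sess-alice"}, {"IV-CRED": "spoofed"}),
              Request("/orders/list")):
        print(r.path, proxy(r))
```

The header-stripping step is the part worth verifying in a real deployment: the downstream applications can trust the credential header only if the proxy is the sole path to them and it overwrites whatever the client sent.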
[Figure 1 diagram labels: TAM reverse proxy, Tivoli Access Manager user administration, AIX, Application access]

Figure 1 - The Computing Environment using Tivoli Access Manager, Tivoli Identity Manager, WebSphere Application Server, and RACF.
Easing the burden with Tivoli Identity Manager

The use of Tivoli Access Manager for multiple applications simplifies their use while adding layers of protection in front of these applications. However, there remains the issue of managing corresponding user information across two separate user/group registries (RACF and an LDAP-accessible directory). To ease the administrative burden, you can use Tivoli Identity Manager, configured with two “services.”

A Tivoli Identity Manager deployment requires a DB2 database, an LDAP directory, and a WebSphere Application Server deployment in order to run the Tivoli Identity Manager application. When these are installed and configured, you can configure Tivoli Identity Manager with a service definition that communicates with RACF on z/OS and a service definition that communicates with the LDAP-accessible directory server. These two services, one using Tivoli Identity Manager’s RACF agent and one using Tivoli Identity Manager’s Tivoli Access Manager agent, allow Tivoli Identity Manager to maintain a correspondence between user definitions in the two separate registries. By setting up a policy in Tivoli Identity Manager that creates users in both registries when you add them to the environment, and that places these users into pre-defined groups based on their job responsibilities, you can manage the two user registries in concert through a single set of processing that maintains a detailed log of operations.

To cover end-user password change and reset, users can use the Tivoli Identity Manager browser-based user interface to request password changes and resets. Tivoli Identity Manager supports a wide variety of password policy checks and can be configured with multiple challenge-response questions that must be answered before a password reset is performed.
Putting it all together

As Figure 1 shows, this environment provides ease of use for both end users and administrators, while providing additional layers of access control checking and a more feature-rich set of processing for password change and reset. Furthermore, because Tivoli Access Manager can be configured for a wide variety of single- and multi-factor authentication mechanisms, access to the applications can be set up such that the right people can access the right applications from the right locations. Indeed, the whole of this deployment is greater than the sum of its individual parts, simplifying usage and administration while increasing the set of security controls available for use.
February 2006 z/OS HOT TOPICS Newsletter, Issue 14