Distributed security and high availability with Tivoli Access Manager and WebSphere Application Server for z/OS / Saida Davies ... [et al.].

Format:

Book

Author/Creator:

Davies, Saida.

Contributor:

International Business Machines Corporation. International Technical Support Organization.

Series:

IBM redbooks.

Redbooks

Language:

English

Subjects (All):

Computer networks--Security measures.

Computer networks.

WebSphere.

Physical Description:

1 online resource (550 p.)

Edition:

1st ed.

Place of Publication:

Research Triangle Park, N.C. : IBM Corporation, International Technical Support Organization, c2005.

Language Note:

English

Contents:

Front cover

Contents

Figures

Tables

Notices

Trademarks

Preface

The team that wrote this redbook

Become a published author

Comments welcome

Chapter 1. Concepts and architecture

1.1 Security

1.1.1 Physical security

1.1.2 Logical security

1.2 Availability

1.2.1 Business impact of unplanned outages

1.2.2 A business need to extend service hours

1.2.3 Service level agreement

1.3 Scalability

Chapter 2. Tivoli Access Manager and WebSphere Application Server for z/OS integration

2.1 Tivoli Access Manager

2.1.1 Tivoli Access Manager features

2.1.2 Tivoli Access Manager base components

2.1.3 Tivoli Access Manager blades

2.2 WebSphere Edge Components

2.2.1 WebSphere Edge Components Load Balancer

2.2.2 Load Balancer components

2.3 WebSphere Application Server for z/OS

2.3.1 WebSphere Application Server for z/OS differences with WebSphere Application Server distributed

2.3.2 WebSphere Application Server for z/OS terminology

2.4 Tivoli Access Manager and WebSphere Application Server for z/OS integration

Chapter 3. Designing the TAM, WAS for z/OS integration architecture

3.1 Tivoli Access Manager and WebSphere Application Server integration capabilities

3.1.1 Shared user registry

3.1.2 Web SSO

3.1.3 Web SSO with Trust Association Interceptor

3.1.4 Web SSO with LTPA

3.1.5 Web SSO with GSO

3.1.6 Application integration with aznAPI

3.1.7 Application integration with PDPermission and JAAS

3.1.8 Application integration, J2EE security, and AMWAS

3.1.9 Integration scenario 1: Tivoli Access Manager authentication and LocalOS authorization for WebSphere Application Server

3.1.10 Integration scenario 2: Tivoli Access Manager authentication and authorization for WebSphere Application Server.

3.1.11 Integration scenario 3: Tivoli Access Manager authentication, authorization and native authentication for WebSphere Application Server

3.2 Things to consider

3.2.1 Security

3.2.2 Availability

3.2.3 Scalability

3.3 Generic architecture

3.3.1 Generic logical architecture: Functional

3.3.2 Generic logical architecture: Technical

3.3.3 Generic physical architecture

3.4 Security

3.4.1 Typical requirements

3.4.2 Web security principles

3.4.3 Network zones and component placement

3.4.4 SSL

3.5 Availability

3.5.1 Components of WebSphere Edge Server Load Balancer availability

3.5.2 WebSEAL availability

3.5.3 Tivoli Access Manager Policy Server availability

3.5.4 LDAP availability

3.5.5 zSeries and z/OS availability

3.5.6 HTTP Server for z/OS availability

3.5.7 WebSphere Application Server for z/OS availability

3.6 Scalability

3.6.1 WebSphere Edge components Load Balancer scalability

3.6.2 Tivoli Access Manager scalability

3.6.3 LDAP scalability

3.6.4 zSeries and z/OS scalability

3.6.5 HTTP Server for z/OS scalability

3.6.6 WebSphere Application Server for z/OS scalability

3.7 Solution affinity, sessions, and failover

3.7.1 WebSphere Edge Server Load Balancer affinity

3.7.2 WebSEAL affinity and sessions

3.7.3 HTTP Server for z/OS, WebSphere Application Server plug-in affinity

3.7.4 WebSphere Application Server for z/OS sessions

Chapter 4. Project test environment

4.1 Project test environment: Functional view

4.1.1 Logical architecture: Functional view

4.1.2 Logical architecture: LDAP connections

4.2 Project test environment: Technical view

4.2.1 Logical architecture: Technical view with LDAP on AIX

4.2.2 Logical architecture: Technical view with LDAP on z/OS

4.2.3 Physical architecture: LDAP on AIX.

4.2.4 Physical architecture: LDAP on z/OS

Chapter 5. Implementing the user repository: LDAP on AIX and LDAP on z/OS

5.1 LDAP on AIX

5.2 Prerequisites and dependencies

5.3 Installation

5.4 Configuration

5.4.1 Configuring the Tivoli Directory Server administrator

5.4.2 Configuring the database

5.4.3 Configuring the suffix

5.4.4 First initialization of Tivoli Directory Server

5.4.5 Configuring security for Tivoli Directory Server

5.4.6 Installing the fix pack on Tivoli Directory Server

5.4.7 Installing the Tivoli Directory Server Web Administration Tool

5.4.8 Installing the fix pack on the Web Administration Tool

5.4.9 Configuring Tivoli Directory Server for the SecTest application

5.4.10 Configuring replication in Tivoli Directory Server

5.4.11 Configuring the master server

5.4.12 Synchronizing the data between servers

5.4.13 Configuring the replica server

5.4.14 Checklist for the Tivoli Directory Server parameters

5.5 LDAP on z/OS

5.6 Prerequisites and dependencies

5.7 Installation

5.7.1 Finishing the installation of LDAP on z/OS

5.8 Configuration

5.8.1 Configuring LDAP on z/OS for the SecTest application

5.8.2 Configuring LDAP on z/OS for Tivoli Access Manager

5.8.3 Configuring LDAP on z/OS replication

5.8.4 Configuring Sysplex Distributor for WebSphere Application Server and LDAP on z/OS

5.8.5 Checklist for the LDAP on z/OS parameters

Chapter 6. Implementing the security manager: Tivoli Access Manager

6.1 Tivoli Access Manager

6.2 Prerequisites and dependencies

6.3 Installation

6.4 Configuration

6.4.1 Configuring Tivoli Access Manager Runtime

6.4.2 Tivoli Access Manager failover capability for LDAP servers

6.4.3 Configuring the Policy Server

6.4.4 Configuring the Authorization Server

6.4.5 Configuring the Java Runtime Environment.

6.4.6 Configuring Web Portal Manager

6.4.7 Checklist for Tivoli Access Manager parameters

Chapter 7. Implementing the security proxy: WebSEAL

7.1 WebSEAL

7.2 Prerequisites and dependencies

7.3 Installation

7.4 Configuration

7.4.1 Configuring Access Manager Runtime

7.4.2 Configuring WebSEAL

7.4.3 Editing the WebSEAL configuration file

7.4.4 Configuring failover authentication

7.4.5 Checklist for WebSEAL parameters

Chapter 8. Implementing WebSphere Edge Components Load Balancer

8.1 Load Balancer

8.2 Prerequisites and dependencies

8.3 Installation

8.4 Configuration

8.4.1 LDAP Load Balancer configuration file

8.4.2 WebSEAL Load Balancer configuration file

8.4.3 Checklist for WebSphere Edge Components parameters

Chapter 9. Implementing the application server: HTTP Server for z/OS and WAS for z/OS

9.1 HTTP Server for z/OS

9.2 Prerequisites and dependencies

9.3 Installation

9.3.1 Configuring HTTP Server for z/OS for high availability

9.3.2 Installing the WebSphere Application Server plug-in

9.3.3 Configuring the WebSphere Application Server plug-in

9.3.4 Configuring WebSphere Application Server plug-in affinity

9.4 WebSphere Application Server for z/OS

9.4.1 Configuring high availability in WebSphere Application Server for z/OS

9.4.2 Configuring WebSphere Application Server for z/OS HTTP Sessions replication

9.4.3 Checklist for HTTP Server for z/OS and WebSphere Application Server for z/OS

Chapter 10. Implementing the TAM and WAS for z/OS integration

10.1 Installation

10.2 Prerequisites and dependencies

10.3 Tivoli Access Manager for WebSphere Application Server for z/OS integration

10.4 Configuration

10.4.1 Creating the Tivoli Access Manager administrative user for WebSphere Application Server.

10.4.2 Configuring Tivoli Access Manager Java Runtime Environment

10.4.3 Configuring Tivoli Access Manager for WebSphere Application Server for z/OS

10.4.4 Enabling WebSphere Application Server for z/OS security to use Tivoli Access Manager

10.5 Tivoli Access Manager and WebSphere Application Server for z/OS single signon

10.5.1 Adding certificates to WebSEAL

10.5.2 Registry attribute entitlement service

10.5.3 Creating an LTPA non-SSL junction

10.5.4 Creating an LTPA SSL junction

10.5.5 Creating a stateful LTPA SSL junction

10.5.6 Replicated front-end WebSEAL

10.5.7 Creating a stateful LTPA SSL junction with WebSEAL affinity

10.5.8 Creating TAI SSL junctions

10.5.9 Checklist for Tivoli Access Manager and z/WAS integration

Chapter 11. Using and validating the TAM and WAS for z/OS integration solution

11.1 Application used in this redbook

11.1.1 SecTest

11.1.2 Swipe

11.2 Creating users and groups with Tivoli Access Manager

11.2.1 Creating a user

11.2.2 Creating a group

11.3 User access to J2EE roles with Tivoli Access Manager

11.3.1 Creating users and groups in such a configuration

11.3.2 Creating and securing roles J2EE roles

11.3.3 Granting users or groups access to J2EE roles

11.3.4 Deploying an application

11.4 Scenario to validate security

11.4.1 Step 1

11.4.2 Step 2

11.4.3 Step 3

11.4.4 Step 4

11.4.5 Step 5

11.4.6 Step 6

11.5 Validating security

11.5.1 Validating LTPA SSO

11.5.2 Validating Trust Association Interceptor SSO

11.6 Validating high availability, failover, and recovery

11.6.1 Validating WebSEAL

11.6.2 Validating LDAP

11.6.3 Validating HTTP Server for z/OS

11.6.4 Validating WebSphere Application Server for z/OS

11.6.5 Validating high availability for WebSphere Application Server for z/OS.

11.6.6 Validating the Policy Server.

Notes:

"September 2005."

Includes bibliographical references and index.

OCLC:

63685250