WebSphere® Application Server provides embedded IBM® Tivoli® Access Manager client technology to secure your WebSphere Application Server-managed resources.
WebSphere Application Server supports the Java Authorization Contract for Containers (JACC) specification. JACC details the contract requirements for Java EE containers and authorization providers. With this contract, authorization providers can perform the access decisions for resources in Java EE application servers such as WebSphere Application Server. The Tivoli Access Manager security utility that is embedded within WebSphere Application Server is JACC-compliant and is used to:
At deployment time, the embedded Tivoli Access Manager client takes the security policy, user, and role information that is declared in the application deployment descriptor or through annotations and stores it in the Tivoli Access Manager Policy Server.
At request time, the Tivoli Access Manager JACC provider is called to make the access decision whenever a user requests a resource that WebSphere Application Server manages.
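The two duties above (translating deployment-descriptor constraints into stored policy, then answering access decisions against that policy) can be modelled in a few dozen lines. The following Python is an added illustration, not code from WebSphere Application Server, the embedded Tivoli Access Manager client, or IBM documentation: the names PolicyEntry, deploy_policy, is_authorized and SAMPLE_WEB_XML are assumptions, the in-memory list returned by deploy_policy stands in for the Policy Server and its local replicas, and the sample web.xml is constructed for the example. The url-pattern precedence (exact, then longest path prefix, then extension, then the default pattern) follows the Servlet and JACC rules; the sample also exercises two edge cases a practitioner should know, an empty auth-constraint (deny everyone) and an HTTP method left uncovered by a constraint (unprotected).

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple

# Constructed sample deployment descriptor (no XML namespace, to keep the
# parsing short).  The last constraint has an empty <auth-constraint/>,
# which the Servlet specification defines as "deny to everyone".
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/reports/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>auditor</role-name><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>*.jsp</url-pattern></web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/internal/locked</url-pattern></web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""


@dataclass(frozen=True)
class PolicyEntry:
    """One stored constraint (assumed shape; stands in for a Policy Server record)."""
    url_pattern: str
    methods: Optional[FrozenSet[str]]   # None: constraint covers every HTTP method
    roles: Optional[FrozenSet[str]]     # None: no <auth-constraint>, unrestricted


def deploy_policy(web_xml: str) -> List[PolicyEntry]:
    """Deploy-time duty: translate security constraints into policy entries,
    the step at which an embedded client would write them to the policy store."""
    entries: List[PolicyEntry] = []
    for sc in ET.fromstring(web_xml).findall("security-constraint"):
        auth = sc.find("auth-constraint")     # compare with 'is None': an Element
        roles = None if auth is None else frozenset(   # with no children is falsy
            r.text.strip() for r in auth.findall("role-name"))
        for wrc in sc.findall("web-resource-collection"):
            methods = frozenset(m.text.strip() for m in wrc.findall("http-method")) or None
            for up in wrc.findall("url-pattern"):
                entries.append(PolicyEntry(up.text.strip(), methods, roles))
    return entries


def _match_rank(pattern: str, path: str) -> Optional[Tuple[int, int]]:
    """Return a sortable rank if pattern matches path, else None.  Lower ranks win:
    exact match, then longest path prefix, then extension, then the default '/'."""
    if pattern == path:
        return (0, 0)
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (1, -len(prefix))
        return None
    if pattern.startswith("*."):
        return (2, 0) if path.endswith(pattern[1:]) else None
    return (3, 0) if pattern == "/" else None


def is_authorized(policy: List[PolicyEntry], user_roles: Set[str],
                  path: str, method: str) -> bool:
    """Request-time duty: the access decision a JACC provider answers."""
    ranked = [(r, e) for e in policy
              if (r := _match_rank(e.url_pattern, path)) is not None]
    if not ranked:
        return True                          # nothing constrains this resource
    best = min(r for r, _ in ranked)         # only the best-matching pattern applies
    applicable = [e for r, e in ranked
                  if r == best and (e.methods is None or method in e.methods)]
    if not applicable:
        # The best pattern exists, but none of its constraints list this HTTP
        # method: under the Servlet model the method is uncovered, i.e. open.
        return True
    if any(e.roles is None for e in applicable):
        return True                          # a constraint with no <auth-constraint>
    required = frozenset().union(*(e.roles for e in applicable))
    return bool(required & user_roles)       # empty required set denies everyone


if __name__ == "__main__":
    pol = deploy_policy(SAMPLE_WEB_XML)
    print(is_authorized(pol, {"user"}, "/admin/page.jsp", "GET"))   # prefix beats extension
    print(is_authorized(pol, set(), "/reports/q1", "POST"))        # uncovered method
```

Note the POST to /reports/q1: the descriptor only covers GET, so the model, like the Servlet container, lets an unauthenticated POST through. Constraints that list http-method elements should be paired with a deny-all constraint for the remaining methods, or the roles stored in the Policy Server will never be consulted for them.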
Embedded Tivoli Access Manager client architecture
The Installation Guide describes how to plan, install, and configure a Tivoli Access Manager secure domain. Using a series of installation scripts, you can quickly deploy a fully functional secure domain; these scripts are useful when prototyping the deployment of a secure domain.
To access this guide in the IBM Tivoli Access Manager for e-business information center, click Access Manager for e-business > Installation and upgrade information > Installation Guide.
The Administration Guide presents an overview of the Tivoli Access Manager security model for managing protected resources and describes how to configure the Tivoli Access Manager servers that make access control decisions. It also gives detailed instructions for important tasks, such as declaring security policies, defining protected object spaces, and administering user and group profiles.
To access this guide in the IBM Tivoli Access Manager for e-business information center, click Access Manager for e-business > Administration Information > Administration Guide.
Tivoli Access Manager provides centralized administration of multiple servers.
The previous figure is an example architecture showing WebSphere Application Servers secured by Tivoli Access Manager.
The participating WebSphere Application Servers use a local replica of the Tivoli Access Manager policy database to make authorization decisions for incoming requests. Each local policy database is a replica of the master policy database, which is installed as part of the Tivoli Access Manager installation. Keeping a policy database replica on each participating WebSphere Application Server node optimizes performance when making authorization decisions and provides failover capability.
Although the authorization server can also be installed on the same system as WebSphere Application Server, this configuration is not illustrated in the diagram.
All instances of Tivoli Access Manager and WebSphere Application Server in the example architecture share the Lightweight Directory Access Protocol (LDAP) user registry on Machine E.
The LDAP registries that are supported by WebSphere Application Server are also supported by Tivoli Access Manager.