WebSphere® Application Server provides embedded IBM® Tivoli® Access Manager client technology to secure your WebSphere Application Server-managed resources. The benefits of using Tivoli Access Manager that are described here apply only when the Tivoli Access Manager client code is used with the Tivoli Access Manager server:
- Robust container-based authorization
- Centralized policy management
- Management of common identities, user profiles, and authorization mechanisms
- Single-point security management for Java Platform, Enterprise Edition (Java EE) compliant and non-compliant Java EE resources using the administrative console for Tivoli Access Manager Web Portal Manager
- No requirements for coding or deployment changes to applications
- Easy management of users, groups, and roles using the WebSphere Application Server administrative console
WebSphere Application Server supports the Java Authorization Contract for Containers (JACC) specification. JACC details the contract requirements for Java EE containers and authorization providers. With this contract, authorization providers can perform the access decisions for resources in Java EE application servers such as WebSphere Application Server. The Tivoli Access Manager security utility that is embedded within WebSphere Application Server is JACC-compliant and is used to:
- Add security policy information when applications are deployed
- Authorize access to WebSphere Application Server-secured resources

When applications are deployed, the embedded Tivoli Access Manager client takes any policy, user, and role information that is stored within the application deployment descriptor or declared using annotations and stores it within the Tivoli Access Manager Policy Server. The Tivoli Access Manager JACC provider is also called when a user requests access to a resource that is managed by WebSphere Application Server.
Figure 1. Embedded Tivoli Access Manager client architecture

The previous figure illustrates the following sequence of events:
- Users that access protected resources are authenticated using the Tivoli Access Manager login module that is configured for use when the embedded Tivoli Access Manager client is enabled.
- The WebSphere Application Server container uses information from the Java EE application deployment descriptor and annotations to determine the required role membership.
- WebSphere Application Server uses the embedded Tivoli Access Manager client to request an authorization decision from the Tivoli Access Manager authorization server. Additional context information, when present, is also passed to the authorization server. This context information consists of the cell name, Java EE application name, and Java EE module name. If the Tivoli Access Manager policy database has policies that are specified for any of the context information, the authorization server uses this information to make the authorization decision.
- The authorization server consults the permissions that are defined for the specified user within the Tivoli Access Manager-protected object space. The protected object space is part of the policy database.
- The Tivoli Access Manager authorization server returns the access decision to the embedded Tivoli Access Manager client.
- WebSphere Application Server either grants or denies access to the protected method or resource, based on the decision that is returned from the Tivoli Access Manager authorization server.
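The deployment-time step (role and constraint information collected from the deployment descriptor or annotations) and the second step of the sequence above (the container determining required role membership) both start from what the application declares. The following Servlet 3.0 servlet is an added example, not code from the WebSphere Application Server or Tivoli Access Manager documentation; the role names `accountViewer` and `accountAdmin`, the servlet name and the `/accounts` URL pattern are assumed. The annotations are the standard `javax.servlet.annotation` and `javax.annotation.security` types.

```java
// Added example (not from the WebSphere or Tivoli Access Manager documentation):
// a Servlet 3.0 servlet whose security constraints are declared with annotations.
// Role names, servlet name and URL pattern are assumed for illustration.
import java.io.IOException;
import java.io.PrintWriter;
import javax.annotation.security.DeclareRoles;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Roles referenced by this module. At deployment the container collects these
// together with the constraints below; with the embedded client enabled, that
// policy information is what gets stored in the Tivoli Access Manager policy server.
@DeclareRoles({"accountViewer", "accountAdmin"})
@WebServlet(name = "AccountServlet", urlPatterns = {"/accounts"})
@ServletSecurity(
    // Default for every HTTP method not listed in httpMethodConstraints:
    // the caller must be in accountViewer and must use a confidential transport.
    value = @HttpConstraint(rolesAllowed = {"accountViewer"},
                            transportGuarantee = TransportGuarantee.CONFIDENTIAL),
    httpMethodConstraints = {
        // POST is restricted further: only accountAdmin may change data.
        @HttpMethodConstraint(value = "POST",
                              rolesAllowed = {"accountAdmin"},
                              transportGuarantee = TransportGuarantee.CONFIDENTIAL)
    })
public class AccountServlet extends HttpServlet {

    // By the time doGet runs, the container has already authenticated the
    // caller and obtained a "grant" decision for GET /accounts from the
    // authorization provider; a request that was denied never reaches this method.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("Authenticated as: " + req.getUserPrincipal().getName());
        // Programmatic check inside the method. Under JACC the container answers
        // isUserInRole by asking the provider (a WebRoleRefPermission check), so
        // this decision comes from the same policy data as the URL constraint above.
        if (req.isUserInRole("accountAdmin")) {
            out.println("Administrative view enabled.");
        }
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Only reachable when the provider granted accountAdmin access to POST.
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

The same constraints could be written in `web.xml` as a `security-constraint` with an `auth-constraint` naming the roles; the container treats both forms identically, which is why the page says no coding or deployment changes are needed to use Tivoli Access Manager. Which users and groups are placed in `accountViewer` and `accountAdmin` is not part of the code: that mapping is made through the administrative console at deployment, as described above.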
At its core, Tivoli Access Manager provides an authentication and authorization framework. You can learn more about Tivoli Access Manager, including the information that is necessary to make deployment decisions, by reviewing the product documentation. The following guides are available in the IBM Tivoli Access Manager for e-business Information Center:
- IBM Tivoli Access Manager for e-business Installation Guide. This guide describes how to plan, install, and configure a Tivoli Access Manager secure domain. Using a series of easy installation scripts, you can quickly deploy a fully functional secure domain. These scripts are very useful when prototyping the deployment of a secure domain. To access this guide in the IBM Tivoli Access Manager for e-business information center, click Access Manager for e-business > Installation and upgrade information > Installation Guide.
- IBM Tivoli Access Manager for e-business Administration Guide. This document presents an overview of the Tivoli Access Manager security model for managing protected resources. This guide describes how to configure the Tivoli Access Manager servers that make access control decisions. In addition, detailed instructions describe how to perform important tasks, such as declaring security policies, defining protected object spaces, and administering user and group profiles. To access this guide in the IBM Tivoli Access Manager for e-business information center, click Access Manager for e-business > Administration Information > Administration Guide.
Figure 2. Tivoli Access Manager provides centralized administration of multiple servers

The previous figure is an example architecture showing WebSphere Application Servers secured by Tivoli Access Manager. The participating WebSphere Application Servers use a local replica of the Tivoli Access Manager policy database to make authorization decisions for incoming requests. The local policy databases are replicas of the master policy database. The master policy database is installed as part of the Tivoli Access Manager installation. Having policy database replicas on each participating WebSphere Application Server node optimizes performance when making authorization decisions and provides failover capability.

Although the authorization server can also be installed on the same system as WebSphere Application Server, this configuration is not illustrated in the diagram.

All instances of Tivoli Access Manager and WebSphere Application Server in the example architecture share the Lightweight Directory Access Protocol (LDAP) user registry on Machine E. The LDAP registries that are supported by WebSphere Application Server are also supported by Tivoli Access Manager.
It is possible to have separate WebSphere Application Server profiles on the same host that are configured for different Tivoli Access Manager servers. Such an architecture requires that the profiles are configured for separate Java SE Runtime Environments (JRE 6), and therefore you need multiple JREs installed on the same host.

Note: Even though all WebSphere Application Server profiles on the same host share a single JRE 6, you can configure separate WebSphere Application Server profiles on the same host for different Tivoli Access Manager servers.