

Develop and Deploy a
Secure Portal Solution
Using WebSphere Portal V5 and Tivoli Access Manager V5.1


Solution architecture and technologies
for a secure portal

Deploy a secure portal runtime
environment

Develop and deploy
secure portal application




John Ganci
Hinrich Boog
Melanie Fletcher
Brett Gordon
Ashwin Manekar
Normunds Saumanis
Kai Schwidder
Jonas Tingeborn



ibm.com/redbooks
International Technical Support Organization

Develop and Deploy a Secure Portal Solution Using WebSphere Portal V5 and Tivoli Access Manager V5.1

August 2004

SG24-6325-00
Note: Before using this information and the product it supports, read the information in
 “Notices” on page xiii.




First Edition (August 2004)

This edition applies to IBM WebSphere Portal Extend for Multiplatforms V5.0.2.1 and IBM Tivoli
Access Manager for e-business V5.1.0.2 on the Microsoft Windows platform.

© Copyright International Business Machines Corporation 2004. All rights reserved.
Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP
Schedule Contract with IBM Corp.
Contents

Notices
Trademarks

Preface
The team that wrote this redbook
Become a published author
Comments welcome

Part 1. Introduction to secure portal solutions

Chapter 1. Introduction
1.1 Secure portal solution overview
   1.1.1 Key concepts of a secure portal solution
   1.1.2 Secure portal solution high level architecture
1.2 Solution software
   1.2.1 Runtime environment solution software
   1.2.2 Development environment solution software
1.3 Target audience of redbook
   1.3.1 Roles and skills
   1.3.2 Matching redbook topics to roles and skills

Chapter 2. Security fundamentals
2.1 Security domain and risk management
   2.1.1 Source of vulnerability and intruder reconnaissance
   2.1.2 Physical security
   2.1.3 Logical security
   2.1.4 Security policy
   2.1.5 Security risk management
2.2 Method for Architecting Secure Solutions (MASS)
2.3 Security fundamentals
   2.3.1 Public Key Infrastructure (PKI)
   2.3.2 WebSphere Portal security model
   2.3.3 Tivoli Access Manager security model
   2.3.4 Authentication
   2.3.5 Authorization
   2.3.6 WebSphere Portal Credential Vault
   2.3.7 Tivoli Access Manager Global Sign-on (GSO)

Chapter 3. Architecture and topology selection
3.1 Topology definition and operational model
   3.1.1 Operational model overview
   3.1.2 Topology zones
   3.1.3 Conceptual model
   3.1.4 Specified model
   3.1.5 Security interaction patterns
3.2 Runtime environment topology selection
   3.2.1 Entry runtime topology
   3.2.2 Enterprise runtime topology
   3.2.3 Extended enterprise runtime topology
3.3 Development environment topology selection
   3.3.1 Conceptual model
   3.3.2 Specified model
   3.3.3 All-in-one approach
   3.3.4 Develop and deploy without debug
   3.3.5 Develop, deploy, and remote debugging
   3.3.6 Develop using a shared security infrastructure

Chapter 4. Design and integration guidelines
4.1 Security and design guidelines
   4.1.1 Design principles
   4.1.2 WebSphere Portal vs Tivoli Access Manager authorization
   4.1.3 Single sign-on guidelines
   4.1.4 Identity management
   4.1.5 Adding an external Web server for WebSphere Portal
4.2 Product-specific integration guidelines
   4.2.1 WebSEAL junctions
   4.2.2 Junction considerations for use with TAI
   4.2.3 Handling of back-end application cookies
   4.2.4 Junction Mapping Table (JMT)
   4.2.5 WebSEAL URL-based access control
   4.2.6 Access control of WebSphere Portal resources
   4.2.7 Access control of resources within portlet applications
   4.2.8 WebSEAL and WebSphere Portal session considerations
4.3 Sequence diagrams for common access patterns
   4.3.1 UCT1: Access unprotected portal page
   4.3.2 UCT2: Access protected portal page, provide valid credentials
   4.3.3 UCT3: Access protected portal page with existing valid session
   4.3.4 UCT4: Access protected portal page with invalid credentials
   4.3.5 UCT5: WebSEAL session times out before portal session
   4.3.6 UCT6: Portal session times out before WebSEAL session
   4.3.7 UCT7: Both WebSEAL and WebSphere Portal sessions time out
   4.3.8 UCT8: WebSphere Portal logout after WebSEAL session timeout
4.4 Component connections

Part 2. ITSO working example secure portal solution

Chapter 5. Requirements and solution design
5.1 Business scenario
   5.1.1 Initial context
   5.1.2 Business challenges
5.2 Business requirements
   5.2.1 Functional requirements
   5.2.2 Non-functional requirements
5.3 Use case model
   5.3.1 Use case overview
   5.3.2 Front-end use cases
   5.3.3 Administrative use cases
5.4 Architecture
   5.4.1 Architecture overview
   5.4.2 Architecture decisions
   5.4.3 Selected runtime environment
   5.4.4 Selected development environment

Chapter 6. Install the runtime environment
6.1 Planning
   6.1.1 Hardware and software prerequisites
   6.1.2 Hardware used within the ITSO runtime environment
   6.1.3 Software used within the ITSO runtime environment
   6.1.4 Software installation paths and variables
   6.1.5 Using VMWare and Ghost
6.2 Implement the Policy Server node
   6.2.1 Windows 2000 Server installation
   6.2.2 DB2 Universal Database installation
   6.2.3 IBM GSKit upgrade installation
   6.2.4 Java Runtime Environment (JRE) V1.3.1 installation
   6.2.5 Tivoli Directory Server installation
   6.2.6 Tivoli Directory Server configuration
   6.2.7 Tivoli Web Administration Tool installation
   6.2.8 Configure Directory Server for Tivoli Access Manager
   6.2.9 Tivoli Access Manager installation
   6.2.10 Tivoli Access Manager configuration
   6.2.11 Tivoli Access Manager Web Portal Manager installation
   6.2.12 Tivoli Access Manager V5.1 Base Fixpack 2 installation
6.3 Implement the Reverse Proxy node
   6.3.1 Windows 2000 Server installation
   6.3.2 Install GSKit
   6.3.3 Install Java Runtime Environment (JRE)
   6.3.4 Install Tivoli Directory Client
   6.3.5 Tivoli Access Manager - WebSEAL installation
   6.3.6 Tivoli Access Manager - WebSEAL configuration
   6.3.7 Tivoli Access Manager V5.1 Base Fixpack 2 installation
   6.3.8 Tivoli Access Manager V5.1 WebSEAL Fixpack 2 installation
6.4 Implement the Portal Server node
   6.4.1 Windows 2000 Server installation
   6.4.2 WebSphere Portal Server V5.0 installation
   6.4.3 WebSphere Application Server Enterprise V5 Fixpack 2 (V5.0.2) installation
   6.4.4 WebSphere Application Server V5.0.2 Fixes installation
   6.4.5 WebSphere Portal V5 Fixpack 2 (V5.0.2) installation
   6.4.6 WebSphere Application Server Enterprise V5.0.2 Cumulative Fix (V5.0.2.3) installation
   6.4.7 WebSphere Portal V5.0.2 Cumulative Fix 1 (V5.0.2.1) installation
   6.4.8 Java Runtime Environment (JRE) V1.3.1 installation
   6.4.9 Tivoli Access Manager Java Runtime Environment installation
   6.4.10 DB2 Universal Database installation

Chapter 7. Configure the runtime environment
7.1 Configure WebSphere Portal for DB2
7.2 Configure WebSphere Portal for IBM HTTP Server
7.3 Configure WebSphere Portal for LDAP
   7.3.1 Create a suffix
   7.3.2 Create LDIF file containing users and groups
   7.3.3 Import the LDIF file (wp-itso.ldif) to create users and groups
   7.3.4 Enable LDAP security for WebSphere Portal
   7.3.5 Verify the LDAP configuration
7.4 Enable mutual SSL between WebSEAL and WebSphere Portal
   7.4.1 IBM HTTP Server SSL configuration
   7.4.2 Configure WebSphere Portal for SSL
   7.4.3 Export IBM HTTP Server CA certificate
   7.4.4 Import IBM HTTP Server certificate into WebSEAL keystore
   7.4.5 Export WebSEAL certificate
   7.4.6 Import WebSEAL certificate into IBM HTTP Server keystore
   7.4.7 Enable mutual SSL for IBM HTTP Server
7.5 Configure portal authentication with TAM using TAI
   7.5.1 Apply Tivoli Access Manager ACLs to new LDAP suffixes
   7.5.2 Define additional MIME types for WebSphere Application Server
   7.5.3 Create a WebSEAL junction
   7.5.4 Enable forms authentication on WebSEAL
   7.5.5 Configure WebSEAL to modify URLs to back-end systems
   7.5.6 Configure additional WebSEAL parameters
   7.5.7 Import WebSphere Portal users and groups into TAM
   7.5.8 Define access controls for WebSphere Portal URIs
   7.5.9 Configure the junction mapping table
   7.5.10 Configure SSO for WebSEAL and WebSphere via TAI
   7.5.11 Configure Portal login/logout for use with WebSEAL
7.6 Configure Portal for authorization with TAM
   7.6.1 Configure the SSL between WebSphere and TAM
   7.6.2 Implement JAAS authentication
   7.6.3 Modify WebSphere Portal configuration files
   7.6.4 Verify entries in TAM for Portal external authorization
   7.6.5 Example for externalizing a resource
7.7 Integrate the Credential Vault
   7.7.1 Credential Vault overview
   7.7.2 Configure the Credential Vault for Tivoli Access Manager
   7.7.3 Verify the Credential Vault
7.8 Additional configuration
   7.8.1 Configure WebSEAL and WebSphere Portal session timeouts
   7.8.2 Configure WebSEAL to handle favicon.ico

Chapter 8. Implement the development environment
8.1 Planning
   8.1.1 Architecture overview
   8.1.2 Hardware used within the ITSO development environment
   8.1.3 Software used within the ITSO development environment
   8.1.4 VMWare
8.2 Implement the Repository node (optional)
8.3 Implement the Policy Server node
8.4 Implement the Reverse Proxy node (optional)
8.5 Implement the Development node
   8.5.1 Windows 2000 installation
   8.5.2 WebSphere Studio Application Developer V5.1.1 installation
   8.5.3 WebSphere Studio Application Developer V5.1.1 Interim Fix 002 installation
   8.5.4 WebSphere Studio Application Developer - WebSphere Test Environment fixpack installation
   8.5.5 WebSphere Portal Toolkit and test environment installation
   8.5.6 Verify the Portal Toolkit and Test Environment installation
   8.5.7 Java Runtime Environment (JRE) V1.3.1 installation
   8.5.8 Tivoli Access Manager Java Runtime Environment installation
   8.5.9 Configure the SSL between the WTE and TAM
   8.5.10 Verify the TAM configuration within WebSphere Studio
   8.5.11 CVS client configuration for WebSphere Studio
8.6 Configure WebSphere Portal for LDAP
   8.6.1 Create a suffix
   8.6.2 Import the LDIF file (wp-itso.ldif) to create users and groups
   8.6.3 Enable LDAP security for WebSphere Portal
   8.6.4 Stop/start servers in WebSphere Test Environment
   8.6.5 Verify the LDAP configuration
   8.6.6 Disable LDAP security in WebSphere Portal
8.7 Additional configuration (optional)

Chapter 9. Develop the secure portal application
9.1 Architecture and design of the ITSO example
   9.1.1 Architecture
   9.1.2 Deployment units
   9.1.3 Method level security
9.2 Prepare the workbench for the ITSO Bank example
   9.2.1 ITSO Bank sample code download and unpack
   9.2.2 Import the sample project into the workbench
   9.2.3 Team development
   9.2.4 Prepare the database
   9.2.5 Prepare the back-end EJB server
   9.2.6 Prepare the front-end portal server
   9.2.7 Run the ITSO Bank application in the test environment
9.3 Using the Tivoli Access Manager APIs
   9.3.1 The portlet application without Tivoli Access Manager
   9.3.2 The portlet application using Tivoli Access Manager
9.4 Using the WebSphere Portal Credential Vault

Chapter 10. Deploy the secure portal application
10.1 ITSO Bank application overview
10.2 Deploy the ITSO Bank back-end application
   10.2.1 Create an application server
   10.2.2 ITSO Bank sample code download and unpack
   10.2.3 Create the ITSO Bank application database
   10.2.4 Add ITSOid attribute to the LDAP schema
   10.2.5 Create the groups and users for the ITSO Bank application
   10.2.6 Create the ITSOBankDataSource data source
   10.2.7 Deploy the back-end application EAR
10.3 Deploy the ITSO Bank portal application
   10.3.1 ITSO Bank sample code download and unpack
   10.3.2 Modify properties files and repackage WAR
   10.3.3 Modify the wmmLDAPServerAttributes.xml file
   10.3.4 Install portlets
   10.3.5 Create portal pages
   10.3.6 Add portlets to pages
   10.3.7 Modify resource permissions
   10.3.8 Verify ITSO Bank application
   10.3.9 Externalize the ITSO Bank resources

Chapter 11. Security hardening
11.1 Configure CSIv2 SSL settings
   11.1.1 Create SSL keys for CSIv2
   11.1.2 Configure the SSL repertoire for CSIv2
11.2 Enable SSL for LDAP
   11.2.1 Enable LDAP server for SSL connections
   11.2.2 Enable SSL for Tivoli Access Manager LDAP connections
   11.2.3 Enable SSL for WebSEAL LDAP connections
   11.2.4 Enable SSL for WebSphere LDAP connection
   11.2.5 Enable SSL for WebSphere Portal LDAP connections
   11.2.6 Enable SSL for Web Admin Tool LDAP connection
   11.2.7 Configure Tivoli Directory Server client utilities for SSL
   11.2.8 Disable non-SSL access to Tivoli Directory Server
11.3 Replace the default SSL certificates for the SOAP connector
   11.3.1 Configure SSL certificate and repertoire for SOAP connector
   11.3.2 Configure WebSphere administration utilities
   11.3.3 Configure WebSphere Portal SOAP connection credentials
11.4 Additional security hardening guidelines
   11.4.1 Secure a WebSphere Network Deployment environment
   11.4.2 Disable the IBM HTTP Server Administration service
   11.4.3 Disable the IBM HTTP Server on the Policy Server node

Chapter 12. Manage a secure portal solution
12.1 Tivoli administration tools and common tasks
   12.1.1 Tivoli Directory Server processes
   12.1.2 Tivoli Directory Server - Configuration Tool (ldapxcfg)
   12.1.3 Tivoli Directory Server - Web Administration Tool
   12.1.4 Tivoli Directory Server - Command line utilities
   12.1.5 Tivoli Access Manager - Servers
   12.1.6 Tivoli Access Manager - pdadmin
   12.1.7 Tivoli Access Manager - Web Portal Manager
   12.1.8 User management
   12.1.9 Customize the WebSEAL HTML pages
   12.1.10 Externalized role management
   12.1.11 Favicon configuration
12.2 WebSphere administration tools and common tasks
   12.2.1 WebSphere Application Server - Administrative console
   12.2.2 WebSphere Application Server - Scripting program
                                                                                         Contents        ix
12.2.3 WebSphere Application Server - Command-line tools . . . . . . . . . 533
                         12.2.4 WebSphere Portal - Web administration . . . . . . . . . . . . . . . . . . . . 535
                         12.2.5 WebSphere Portal - XMLAccess. . . . . . . . . . . . . . . . . . . . . . . . . . 544
                         12.2.6 Externalize virtual resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547
                      12.3 Start and stop servers for ITSO example nodes . . . . . . . . . . . . . . . . . . 548
                      12.4 Back up and restore of key configuration files and databases . . . . . . . 549
                         12.4.1 Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549
                         12.4.2 Restore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 553
                      12.5 Verifying the ITSO Bank application and runtime . . . . . . . . . . . . . . . . . 557
                         12.5.1 Banking application login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 557
                         12.5.2 Add user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 559
                         12.5.3 Modify user information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 563
                         12.5.4 View account balance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 566
                         12.5.5 Transfer funds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567

Part 3. Appendixes

Appendix A. Troubleshooting a secure portal solution
Common issues encountered in a secure portal
   Common problems and solutions
   Secure portal tips
Runtime log files for server components
   Logs - WebSphere Application Server
   Logs - WebSphere Portal
   Logs - Tivoli Access Manager
Gathering runtime tracing for security issues
   Tracing authentication issues
   Tracing authorization issues
   Tracing Credential Vault issues
Problems fixed in the portal for external access control
   WebSphere Portal V5 Fixpack 2 (V5.0.2)
   WebSphere Portal V5.0.2 Cumulative Fix 1 (V5.0.2.1)
   Individual fixes for WebSphere Portal V5.0.2.1

Appendix B. Configure single sign-on using LTPA
Prerequisite steps
LTPA configuration
   Apply Tivoli Access Manager ACLs to new LDAP suffix
   Define additional MIME types for WebSphere Application Server
   Export LTPA encryption keys from the WebSphere Application Server
   Create a WebSEAL junction
   Enable forms authentication on WebSEAL
   Configure WebSEAL to modify URLs to back-end systems
   Configure additional WebSEAL parameters
   Import WebSphere Portal users and groups into TAM
   Define access controls for WebSphere Portal URIs
   Configure the junction mapping table
   Configure Portal login/logout for WebSEAL

Appendix C. CVS configuration
CVS overview
CVSNT Server implementation
   CVS Server installation
   CVS Server repository configuration
   Create CVS users
CVS Client configuration for WebSphere Studio Application Developer
   Set CVS DTD file extension to ASCII
   Label decorations for CVS
   Setting up the repository location

Appendix D. Automate deployment tasks
Overview
Terminology
Tooling
Deployment walkthrough
   Solution structuring
   Preparation
   Populating the solution
Concepts and background discussion
   Component types
   ITSO WebSphere Portal development starter kit
   wpdsk-util command reference

Appendix E. Node descriptions for architecture models
Conceptual model node description for the runtime environment
Specified model node description for the runtime environment
Conceptual model node descriptions for development
Specified model node description for development and test environment

Appendix F. Additional material
Locating the Web material
Using the Web material
   System requirements for downloading the Web material
   How to use the Web material
Description of sample code

Related publications
IBM Redbooks
Other publications
Online resources
How to get IBM Redbooks
Help from IBM

Index




Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult
your local IBM representative for information on the products and services currently available in your area.
Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product, program, or service that
does not infringe any IBM intellectual property right may be used instead. However, it is the user's
responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document.
The furnishing of this document does not give you any license to these patents. You can send license
inquiries, in writing, to:
IBM Director of Licensing, IBM Corporation, North Castle Drive Armonk, NY 10504-1785 U.S.A.

The following paragraph does not apply to the United Kingdom or any other country where such provisions
are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES
THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT,
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer
of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made
to the information herein; these changes will be incorporated in new editions of the publication. IBM may
make improvements and/or changes in the product(s) and/or the program(s) described in this publication at
any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any
manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the
materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without
incurring any obligation to you.

Information concerning non-IBM products was obtained from the suppliers of those products, their published
announcements or other publicly available sources. IBM has not tested those products and cannot confirm
the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on
the capabilities of non-IBM products should be addressed to the suppliers of those products.

This information contains examples of data and reports used in daily business operations. To illustrate them
as completely as possible, the examples include the names of individuals, companies, brands, and products.
All of these names are fictitious and any similarity to the names and addresses used by an actual business
enterprise is entirely coincidental.

COPYRIGHT LICENSE:
This information contains sample application programs in source language, which illustrates programming
techniques on various operating platforms. You may copy, modify, and distribute these sample programs in
any form without payment to IBM, for the purposes of developing, using, marketing or distributing application
programs conforming to the application programming interface for the operating platform for which the
sample programs are written. These examples have not been thoroughly tested under all conditions. IBM,
therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy,
modify, and distribute these sample programs in any form without payment to IBM for the purposes of
developing, using, marketing, or distributing application programs conforming to IBM's application
programming interfaces.



Trademarks
The following terms are trademarks of the International Business Machines Corporation in the United States,
other countries, or both:

  AIX®                                  HACMP™                               Redbooks™
  Balance®                              IBM®                                 Redbooks (logo)™
  ClearCase®                            ibm.com®                             Sametime®
  Cloudscape™                           Lotus Notes®                         Tivoli®
  developerWorks®                       Lotus®                               WebSphere®
  Domino®                               NetView®                             xSeries®
  DB2 Universal Database™               Notes®
  DB2®                                  Rational®

The following terms are trademarks of other companies:

Intel, Intel Inside (logos), MMX, and Pentium are trademarks of Intel Corporation in the United States, other
countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the
United States, other countries, or both.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun
Microsystems, Inc. in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Other company, product, and service names may be trademarks or service marks of others.




Preface

                 Portals provide a personalized single point of access to applications, content,
                 and processes through a Web interface. Secure portal solutions are needed to
                 address the common security challenges, such as authentication, authorization
                 and single sign-on.

                 This IBM Redbook and sample code will provide IT architects, developers, IT
                 specialists, and administrators with the critical knowledge to design, develop,
                 deploy and manage a secure portal solution using IBM® Tivoli Access Manager
                 V5.1.0.2 and IBM WebSphere® Portal V5.0.2.1.

                 Part 1, “Introduction to secure portal solutions” on page 1, introduces key
                 concepts and provides an in-depth look at the secure portal solution architecture,
                 topology selection, design and integration guidelines.

                 Part 2, “ITSO working example secure portal solution” on page 141, describes
                 how to implement an end-to-end secure portal solution. This part includes a
                 business scenario, requirements, design, implementation of the runtime and
                 development environments, application development and deployment, and
                 administration of the secure portal solution.



The team that wrote this redbook
                 This redbook was produced by a team of specialists from around the world
                 working at the International Technical Support Organization, Raleigh Center.




Figure 1 The IBM Redbook team (left to right, 1st row: John Ganci, Normunds Saumanis; 2nd row: Brett
         Gordon, Jonas Tingeborn, Melanie Fletcher, Hinrich Boog, Ashwin Manekar, Kai Schwidder)

                 John Ganci is a Senior Software Engineer, WebSphere Specialist at the IBM
                 ITSO, Raleigh Center. He writes extensively and teaches classes on WebSphere
                 and related topics. John has 14 years of experience in product and application
                 design, development, system testing, and consulting. His areas of expertise
                 include e-commerce, WebSphere Application Server, portals, pervasive
                 computing, Linux and Java™ programming.

                 Hinrich Boog is an IT Specialist in the IBM e-business Innovation Center
                 Hamburg, Germany. He has several years of experience in application
                 development and IT consulting for e-business solutions. He holds a degree in
                 Computer Science (major) and Russian language (minor) from Freie Universität
                 Berlin, Germany. His areas of expertise include J2EE applications, enterprise
                 portals and Web content management. He is a Sun Certified Web Component
                 Developer.



Melanie Fletcher is a Software Engineer in the Gold Coast IBM Tivoli® lab,
Australia. She has extensive experience with the Tivoli Access Manager security
products ranging from functional verification testing to consulting. She holds a
degree in Business and a Masters of Information Technology from the
Queensland University of Technology, Australia. Her areas of expertise include
security solutions using Tivoli Access Manager and Tivoli Identity Manager.

Brett Gordon is a Software Engineer in the IBM Software Group, USA. He has
over five years of experience in technical support for IBM Lotus® Software. He
holds a degree in international economics from the University of Texas at Austin,
and he is currently pursuing a Masters degree in Computer Networking from
North Carolina State University in Raleigh. His areas of expertise include
integration, security, and administration of WebSphere Portal and Lotus
Domino®. He is an IBM Certified System Administrator for WebSphere Portal
V5.

Ashwin Manekar is a Software Engineer in IBM Software Group Solution Test,
USA. He has eight years of experience in application development and IT
Consulting for e-business solutions. He holds a Masters degree in Computer
Science from the University of North Carolina at Charlotte, USA. His areas of
expertise include developing J2EE enterprise applications, portlet development,
Click-To-Action technology, and Web applications. He has published several
papers in the area of WebSphere Portal environment setup and portlet
development on the IBM developerWorks® technical forum.

Normunds Saumanis is an IT Architect in IBM Global Services, Latvia. He has
over 10 years of experience in systems support, systems integration, application
development and IT consulting. He holds a degree in Computer Science from
Michigan State University, USA. His areas of expertise include AIX/UNIX®
systems support, IT infrastructure design and operations, systems integration,
Java, pervasive and Web applications, and IBM WebSphere.

Kai Schwidder is an IT Architect in the IBM Software Group, Switzerland. He
has 14 years of experience in the fields of consulting, application development,
and systems integration for e-business and e-commerce solutions. He holds a
degree in Computer Science from the Technical University in Berlin, Germany.
His areas of expertise include systems integration, application architecture and
development, business to technology consulting, technical team leadership,
WebSphere Portal, Tivoli Access Manager, WebSphere Commerce, and
WebSphere MQ.

Jonas Tingeborn is an IT Specialist in IBM Global Services, Sweden. He has
worked at IBM for six years, the last four of which were spent on various e-business
engagements for different customers. His focus areas and previous project roles
include application development, e-business consulting, and configuration
management with WebSphere Portal, J2EE and Linux.


Thanks to the following people for their contributions to this project:

                  Tinny Ng, IBM Canada
                  Michele Galic, IBM USA
                  Allison Halliday, IBM Sweden
                  Andrew Hatzikyriacos, South Africa
                  Maria Munaro, IBM Venezuela
                  Sailaja Parepalli, Miraclesoftware Systems Inc., USA
                  David Yang, IBM USA
                  Gianluca Gargaro, IBM Italy
                  Steven Tuttle, IBM ITSO Raleigh Center, USA
                  William Tworek, IBM ITSO Cambridge Center, USA
                  Axel Buecker, IBM ITSO Austin Center, USA
                  Ray Neucom, IBM USA
                  Paul Kelsey, IBM USA
                  Masanobu Ida, IBM Japan
                  Stefan Schmitt, IBM Germany
                  Daniel Kipfer, IBM Switzerland
                  Julie Czubik, ITSO Poughkeepsie Center, USA



Become a published author
                  Join us for a two- to six-week residency program! Help write an IBM Redbook
                  dealing with specific products or solutions, while getting hands-on experience
                  with leading-edge technologies. You'll team with IBM technical professionals,
                  Business Partners and/or customers.

                  Your efforts will help increase product acceptance and customer satisfaction. As
                  a bonus, you'll develop a network of contacts in IBM development labs, and
                  increase your productivity and marketability.

                  Find out more about the residency program, browse the residency index, and
                  apply online at:
                         ibm.com/redbooks/residencies.html



Comments welcome
                  Your comments are important to us!




We want our Redbooks™ to be as helpful as possible. Send us your comments
about this or other Redbooks in one of the following ways:
   Use the online Contact us review redbook form found at:
      ibm.com/redbooks
   Send your comments in an Internet note to:
      redbook@us.ibm.com
   Mail your comments to:
      IBM Corporation, International Technical Support Organization
      Dept. HZ8 Building 662
      P.O. Box 12195
      Research Triangle Park, NC 27709-2195




Part 1. Introduction to secure portal solutions

Chapter 1. Introduction
                 Nearly every e-business needs a secure infrastructure for hosting Web-based
                 applications such as a secure portal. There are several common challenges that
                 businesses face when implementing secure portal solutions. First, the site needs
                 to provide a means of determining who is accessing the site (authentication).
                 Second, the site needs the capability to permit or deny access to resources
                 based on the policies and users/groups who access the resources
                 (authorization). Third, users desire to only log on once for access to applications
                 to which they have been granted access (single sign-on).

                 In some cases, businesses have tried to pioneer these solutions on their own.
                 This can be a very costly and risky approach to Web-based security. As the
                 complexity of Web sites increases to meet e-business needs, there is a growing
                 expectation for IT shops to deploy solutions in a very timely fashion. To solve
                 these infrastructure and security needs, many companies look to leverage
                 middleware software technologies that provide an integrated solution for
                 authentication, authorization and single sign-on. When companies invest in
                 secure portal solutions from IBM using Tivoli Access Manager and WebSphere
                 Portal, they get a proven production-ready secure portal solution that can
                 dramatically accelerate their time to market.

                 The focus of this chapter is to introduce the key concepts of a secure portal
                 solution, outline the solution software, and define the target audience of the
                 publication.




1.1 Secure portal solution overview
                 This section includes an overview of the key concepts and solution architecture
                 of a secure portal solution.


1.1.1 Key concepts of a secure portal solution
                 This section includes a brief description of the key concepts of a secure portal
                 solution when using IBM WebSphere Portal and Tivoli Access Manager.

                 Authentication
                 Authentication is a process where the client identity is validated. The client can
                 be an end user, a machine or an application. Authentication uses the identity of
                 the user, authenticated or unauthenticated, to acquire the credentials of the user
                 with the objective of determining if the user has the proper permissions for the
                 requested resource.

                 Authorization
                 The authorization process provides the capability to permit or deny access to
                 resources based on the policies and users that access the resources. If the
                 resource is protected, the user will first be authenticated to determine their
                 identity, and then the privileges defined for the desired resource will be checked.

                 Shared LDAP user registry
                 The user registry is stored under a root LDAP suffix (for example,
                 dc=itso,dc=ibm,dc=com) in the LDAP repository. In a secure portal solution,
                 Tivoli Access Manager, WebSphere Portal and WebSphere Application Server
                 reference the same user registry, since they are configured to connect to and
                 use the same Tivoli Directory Server LDAP repository.

                 Single sign-on
                 Single sign-on provides users with the ability to log on once (authenticate) and
                 then access the resources or applications within the enterprise for which the
                 user has been granted permissions.

                 Credential Vault
                 WebSphere Portal includes the Credential Service and Credential Vault features
                 to allow portlet applications to pass user credentials to a back-end application.
                 The Credential Vault is a portal service that helps portlets and portal users
                 manage multiple identities. When using Tivoli Access Manager with WebSphere
                 Portal to create a secure portal solution, the credential storage for the Credential
                 Vault can be moved to the Tivoli Access Manager Global Sign-on (GSO)
                 lockbox.


1.1.2 Secure portal solution high level architecture
                     There are many possible runtime topologies that can be implemented for a
                     secure portal solution, depending on the security, performance, scalability and
                     integration needs of the business. Figure 1-1 depicts the high level secure portal
                     solution architecture. The figure includes the fictitious ITSO Bank secure portal
                     application. The solution architecture can be applied to many types of
                     applications.


[Figure: labels recoverable from the diagram. Outside Zone: Web browser client (request/response), Public Key Infrastructure, Domain Name Server, Internet. Demilitarized Zone, between the protocol firewall and the domain firewall: reverse proxy (TAM WebSEAL). Production Zone: Portal Server (ITSO Bank portlets, WebSphere Portal, WMM); Backend Server (ITSO Bank EJBs, WebSphere Application Server, ITSO Bank); Policy Server (TAM Policy Server, TAM Authorization Server); Directory Server (Tivoli Directory Server, LDAP user registry).]




Figure 1-1 Secure portal solution high level architecture

                     The following example illustrates how a customer using a Web browser would
                     interact with the ITSO Bank secure portal solution to access a protected resource
                     such as a customer account balance. We will first log on to the ITSO Bank site to
                     outline the process of authentication, and then highlight the process of
                     authorization to the secure portal page.
                     1. Authenticate the customer.
                         a. The customer enters a URL in the Web browser to access a resource that
                            is protected by the WebSEAL.



                     b. The WebSEAL determines that the user has attempted to access a
                        protected resource and will prompt the user with a logon page.
                     c. The user enters her username and password in the logon form and then
                        submits them to the WebSEAL.
                     d. The WebSEAL then interacts with the Tivoli Access Manager Policy
                        Server and Tivoli Directory Server to validate the identity of the user in the
                        Tivoli Access Manager user registry.
                     e. The WebSEAL uses the validated identity to obtain a credential for that
                        user.
                 2. Authorize access to the secure resource.
                     In this example, the customer would like to view her account balance.
                     a. The WebSEAL interacts with the Tivoli Access Manager authorization
                        services with the user credentials to permit or deny access to protected
                        objects (for example, bank account balance) after evaluating the access
                        control list (ACL) permissions and protected object policy (POP).
                     b. WebSEAL forwards the request to WebSphere Portal.
                     c. The account balance portlet interacts with the back-end EJBs to retrieve
                        the customer account balance.
                     d. The WebSEAL sends the response to the Web browser client to display
                        the contents of the portal page.
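
The two phases above, authentication and then authorization against ACL and POP policy, can be followed in a small model. This is an added example, not code from the redbook and not the Tivoli Access Manager API: the registry contents, paths, the "r" permission letter, the inheritance and precedence rules, and the time-of-day POP are all constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass


def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user registry, standing in for the LDAP user registry (step 1d).
REGISTRY = {
    "carol": {"salt": b"constructed-salt-1", "groups": frozenset({"customers"}),
              "hash": _kdf("carol-demo-pw", b"constructed-salt-1")},
    "dave": {"salt": b"constructed-salt-2", "groups": frozenset({"tellers"}),
             "hash": _kdf("dave-demo-pw", b"constructed-salt-2")},
}

# Constructed protected object space. A policy attached to a path applies to
# everything below it until a nearer attachment overrides it (model assumption).
ACLS = {
    "/": {"unauthenticated": "r", "any-other": "r"},
    "/portal/accounts": {"group": {"customers": "r"}},
    "/portal/accounts/admin": {"user": {"dave": "r"}},
}
POPS = {"/portal/accounts": {"hours": range(6, 22)}}  # access allowed 06:00-21:59


@dataclass(frozen=True)
class Credential:
    user: str
    groups: frozenset


def authenticate(user: str, password: str):
    """Steps 1c-1e: validate the identity, then build a credential from it."""
    entry = REGISTRY.get(user)
    # Derive a hash even for unknown users so timing does not reveal valid names.
    candidate = _kdf(password, entry["salt"] if entry else b"no-such-user")
    if entry and hmac.compare_digest(candidate, entry["hash"]):
        return Credential(user, entry["groups"])
    return None


def nearest(table: dict, path: str):
    """Return the policy attached at path or at its closest ancestor."""
    while True:
        if path in table:
            return table[path]
        if path == "/":
            return None
        path = path.rsplit("/", 1)[0] or "/"


def permissions(acl: dict, cred) -> str:
    """Most specific matching entry wins: user, then groups, then any-other."""
    if cred is None:
        return acl.get("unauthenticated", "")
    if cred.user in acl.get("user", {}):
        return acl["user"][cred.user]
    granted = [p for g, p in acl.get("group", {}).items() if g in cred.groups]
    if granted:
        return "".join(sorted(set("".join(granted))))
    return acl.get("any-other", "")


def authorize(cred, path: str, perm: str, hour: int):
    """Step 2a: evaluate ACL permissions first, then the POP conditions."""
    acl = nearest(ACLS, path)
    if acl is None or perm not in permissions(acl, cred):
        return False, "acl"
    pop = nearest(POPS, path)
    if pop is not None and hour not in pop["hours"]:
        return False, "pop"
    return True, "ok"


def handle_request(path: str, cred, hour: int) -> str:
    """What the proxy does with one GET: forward, ask for logon, or deny."""
    allowed, reason = authorize(cred, path, "r", hour)
    if allowed:
        return "FORWARD"          # step 2b: pass the request to the portal
    if cred is None and reason == "acl":
        return "LOGIN"            # step 1b: protected resource, no credential yet
    return "DENY:" + reason
```

Note that an authenticated user can still be refused: the ACL decides who may reach an object, while the POP adds conditions (here, time of day) that apply to everyone the ACL lets through.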



1.2 Solution software
                 This section highlights the software we used in the ITSO working example
                 secure portal solution for both the runtime and development environments.


1.2.1 Runtime environment solution software
                 The majority of the runtime environment software used in the ITSO secure portal
                 solution is included in IBM WebSphere Portal Extend for Multiplatforms V5.0.2
                 and IBM Tivoli Access Manager for e-business V5.1. In addition, we used the
                 most current fixpack levels of software for these software suites, in some cases
                 to fix known problems and in others to fully validate the functionality when
                 integrated. We chose to use the Microsoft® Windows® 2000 Server with Service
                 Pack 4 as the operating system platform.

                 As described in Chapter 3, “Architecture and topology selection” on page 51,
                 there are many possible configurations for a secure portal depending on your
                 security, scalability and performance needs. In 3.2, “Runtime environment
                 topology selection” on page 69, we define three topologies (entry, enterprise,


                 extended enterprise). In addition, we provide guidance on selecting the
                 appropriate runtime topology, as well as define by node the software products
                 and levels.

                 Table 1-1 lists the software products and levels included with IBM Tivoli Access
                 Manager for e-business V5.1, as well as the fixpack levels we used to implement
                 the secure portal runtime environment for the ITSO working example.

Table 1-1 Software included with Tivoli Access Manager V5.1 and fixpack levels used by the ITSO
 Tivoli Access Manager bundled software          Tivoli Access Manager      ITSO example
 product name                                    bundled software           fixpack version
                                                 version

 IBM DB2® UDB, Enterprise Server Edition         8.1                        8.1.4.428
                                                                            Note: 8.1 + Fixpack 4a

 IBM GSKit                                       7.0.1.9                    7.0.1.16

 IBM Java Runtime Environment (JRE)              1.3.1                      1.3.1

 IBM WebSphere Application Server                5.0.2                      5.0.2
 Note: Used to host Web administration tools.

 IBM Tivoli Directory Server                     5.2                        5.2
 * Directory Server
 * Directory Client SDK
 * Web Administration Tool

 IBM Tivoli Access Manager for e-business        5.1                        5.1.0.2
 * Access Manager Runtime                                                   Note: 5.1 + TAM Base
 * Access Manager Java Runtime Environment                                  Fixpack 2 + WebSEAL
 (PDJRTE)                                                                   Fixpack 2
 * Access Manager Policy Server
 * Access Manager Authorization Server
 * Access Manager Web Portal Manager
 * Access Manager Web Security Environment
 * Access Manager WebSEAL

                 Table 1-2 lists the software products and levels included with IBM WebSphere
                 Portal Extend for Multiplatforms V5.0.2, as well as the fixpack levels we used to
                 implement the secure portal runtime environment for the ITSO working example.




Table 1-2 Software included with WebSphere Portal V5.0.2 Extend and fixpack levels used by the ITSO
    WebSphere Portal Extend bundled software           WebSphere Portal              ITSO example
    product name                                       bundled software              fixpack version
                                                       version

    IBM DB2 UDB, Enterprise Server Edition             8.1.1                         8.1.4.428
                                                                                     Note: 8.1 + Fixpack 4a

    IBM WebSphere Application Server Enterprise
    * WebSphere Application Server (Base)              5.0.2                         5.0.2.3
                                                       Note: 5.0 + Fixpack 2 +       Note: 5.0 + Fixpack 2 +
                                                       Fixes                         Cumulative Base Fix 3 +
                                                                                     Fixes

    * Programming Module Enhancement (PME)             5.0.2                         5.0.2.2
                                                       Note: 5.0 + Fixpack 2         Note: 5.0 + Fixpack 2 +
                                                                                     Cumulative PME Fix 2

    IBM Tivoli Directory Server                        5.1                           5.2
    * Directory Server
    * Directory Client SDK
    * Web Administration Tool

    IBM WebSphere Portal Extend for                    5.0.2                         5.0.2.1
    Multiplatforms                                     Note: 5.0 + Fixpack 2 +       Note: 5.0 + Fixpack 2 +
    * WebSphere Portal                                 Fixes                         Cumulative Fix 1 + Fixes
    * WebSphere Portal Content Publisher


                      Note: Although we used IBM WebSphere Portal Extend for Multiplatforms
                      V5.0.2, the solution should also work with WebSphere Portal Enable.


1.2.2 Development environment solution software
                    Like the runtime environment, there are several possible configurations for
                    implementing a secure portal development environment. The development
                    environment topologies, software products, and levels are described in detail in
                    3.3, “Development environment topology selection” on page 81.

                    The software we used was included with IBM WebSphere Portal Extend for
                    Multiplatforms V5.0.2, IBM Tivoli Access Manager for e-business V5.1, and
                    fixpack downloads. In addition, we used IBM WebSphere Studio Application
                    Developer V5.1 in place of the WebSphere Portal supplied IBM WebSphere
                    Studio Site Developer V5.1, in large part because the ITSO Bank sample secure
                    portal application includes both front-end portlets and back-end EJBs, which
                    require the Application Developer Edition. We used both Microsoft Windows
                    2000 Professional and Server Editions, plus Service Pack 4 as the operating
                    system platform for the ITSO development environment.


For simplicity, we provide the software levels used for the ITSO-defined
all-in-one approach development environment. The all-in-one approach includes
one physical machine, and potentially two VMware virtual machines to host the
unit testing nodes. For example, the ITSO all-in-one development environment
includes the following “nodes” on one physical system:
   Development node - All application development-related software is installed
   on the physical system. For details on the software components and levels
   used refer to Table 1-3 on page 9.
   Policy Server node - This VMware virtual machine is used to host the Tivoli
   Directory Server, Tivoli Access Manager Policy Server, and Authorization
   Server for unit testing. The software levels used for this node are the same as
   the Tivoli components listed in Table 1-1 on page 7.
   Reverse Proxy node - This VMware virtual machine is optionally used to host
   the WebSEAL for unique testing scenarios needed in the development
   environment. The software levels used for this node are the same as the
   Tivoli components listed in Table 1-1 on page 7.

 Note: Detailed procedures for implementing the ITSO all-in-one secure portal
 development environment can be found in Chapter 8, “Implement the
 development environment” on page 361.

Table 1-3 Development node
 Software                                   Version

 Microsoft Windows 2000                     2000 + Service Pack 4

 IBM WebSphere Studio Application           5.1.1
 Developer

 IBM WebSphere Test Environment             5.0.2.3
 included with WebSphere Studio             Note: Fixpack 2 + Cumulative Fix 3 +
 Application Developer                      Fixes

 IBM WebSphere Portal Toolkit and Test      5.0.2.1
 Environment

 IBM Java Runtime Environment (JRE)         1.3.1

 IBM Tivoli Access Manager for e-business   5.1.0.2
 * Access Manager Java Runtime              Note: 5.1 + Base Fixpack 2
 Environment (PDJRTE)




                  Note: In the development environment, we chose to use the Cloudscape™
                  included with WebSphere Studio Application Developer to host the ITSO Bank
                  database. In the runtime environment we used DB2 UDB.



1.3 Target audience of redbook
                 This redbook includes architecture, design, development, integration,
                 deployment and administration topics. The target audience for this redbook can
                 be best matched by role to the topic of interest within the publication.

                 The secure portal solution found in this redbook is largely targeted at enterprise
                 customers. Tivoli Access Manager provides the secure portal solution with proven
                 authentication, authorization, and single sign-on solutions. SMB customers that
                 do not have the security and back-end integration requirements of an enterprise
                 business may opt for a secure portal solution without the use of Tivoli Access
                 Manager.


1.3.1 Roles and skills
                 This section includes a brief description of the roles needed for a team to execute
                 a secure portal project during the development life-cycle, with the objective of
                 mapping the redbook topics to roles and skills.

                 IT architect
                 The IT architect looks after the overall project technical architecture/design,
                 quality assurance of the solution, knowledge transfer to the customer, and mentoring
                 of the project technical team members. The architect should have WebSphere
                 Portal and Tivoli Access Manager architecture and design skills.

                 Security architect
                 The role of a security architect is to eliminate or greatly reduce the possibility of
                 an intruder attack. When developing a strategy for providing a secure portal
                 solution it is critical that the security architect understand the areas of risk and
                 ensure that the solution architecture addresses the known risk categories.

                 IT specialist
                 The role of IT specialist represents a wide range of technical specialists,
                 including systems administrator, database administrator, pre-sales support,
                 technical support, and tester.




                  Portal developer
                  The portal developer is responsible for developing the portlets for the secure
                  portal solution. In small projects, a developer may perform several roles,
                  including J2EE application developer, portal developer, and Web designer.

                  J2EE developer
                  The J2EE developer is responsible for developing such application code as EJBs
                  and servlets for back-end applications.

                  Project manager
                  The project manager is responsible for managing and leading the project team
                  along all phases of the project and also acts as a contact point to interact with the
                  customer. The project manager should have an understanding of WebSphere
                  Portal and Tivoli Access Manager, and concepts of a secure portal solution.

                  Security administrator
                  The security administrator is responsible for implementing the access control list
                  (ACL) policies and protected object policies (POP) for protected resources.

                  Portal administrator
                  The portal administrator role is responsible for deploying portlets and managing
                  the portal server, including security-related tasks and troubleshooting.


1.3.2 Matching redbook topics to roles and skills
                  Table 1-4 provides a summary of the redbook topics by part and
                  chapter/appendix for the defined roles and skills.

Table 1-4 Matching redbook topics to roles and skills
     Chapter/appendix                                          Primary                    Secondary

 Part 1, “Introduction to secure portal solutions” on page 1

     Chapter 1, “Introduction” on page 3                       All user roles

     Chapter 2, “Security fundamentals” on page 13             All user roles

     Chapter 3, “Architecture and topology selection” on       IT architect               All user roles
     page 51                                                   Security architect

     Chapter 4, “Design and integration guidelines” on         IT architect               All user roles
     page 93                                                   Security architect

 Part 2, “ITSO working example secure portal solution” on page 141





     Chapter 5, “Requirements and solution design” on       IT architect              All user roles
     page 143                                               Security architect
                                                            Project manager

     Chapter 6, “Install the runtime environment” on        IT specialist             IT architect
     page 175

     Chapter 7, “Configure the runtime environment” on      IT specialist             IT architect
     page 259                                               Security administrator    Security architect
                                                            Portal administrator

     Chapter 8, “Implement the development                  Portal developer          IT architect
     environment” on page 361                               J2EE developer            IT specialist

     Chapter 9, “Develop the secure portal application”     Portal developer          IT architect
     on page 395                                            J2EE developer

     Chapter 10, “Deploy the secure portal application”     IT specialist             Portal developer
     on page 433                                            Portal administrator      J2EE developer
                                                            Security administrator    IT architect

     Chapter 11, “Security hardening” on page 471           IT specialist             IT architect
                                                            Security administrator    Security architect

     Chapter 12, “Manage a secure portal solution” on       Portal administrator      IT specialist
     page 503                                               Security administrator    IT architect

 Part 3, “Appendixes” on page 571

     Appendix A, “Troubleshooting a secure portal           IT specialist             Portal developer
     solution” on page 573                                  Portal administrator      J2EE developer
                                                            Security administrator    IT architect

     Appendix B, “Configure single sign-on using LTPA”      IT specialist             IT architect
     on page 597                                            Security administrator    Security architect

     Appendix C, “CVS configuration” on page 603            Portal developer          IT architect
                                                            J2EE developer            IT specialist

     Appendix D, “Automate deployment tasks” on             IT specialist             Portal developer
     page 613                                               Portal administrator      J2EE developer
                                                            Security administrator    IT architect

     Appendix E, “Node descriptions for architecture        IT architect              All user roles
     models” on page 645                                    Security architect

     Appendix F, “Additional material” on page 683          IT specialist             IT architect
     Note: Sample configuration files and ITSO Bank         Portal developer
     sample secure portal application                       J2EE developer






    Chapter 2.   Security fundamentals
                 This chapter introduces categories of security in the security domain, with the
                 objective of communicating the scope of the topics addressed in this redbook.
                 Once the security topics are defined, a risk analysis can be performed. Security
                 risks can be greatly reduced by adopting a defined and proven security
                 methodology such as the IBM Method for Architecting Secure Solutions (MASS).
                 Lastly, this chapter includes a detailed description of how authentication,
                 authorization, and single sign-on work when using Tivoli Access Manager and
                 WebSphere Portal.

                 This chapter is organized into the following sections:
                     Security domain and risk management
                     Method for Architecting Secure Solutions (MASS)
                     Security fundamentals




2.1 Security domain and risk management
                  Security is a vast topic. When developing a strategy for providing a secure
                  environment for your company’s Web site and applications, it is critical to
                  understand the areas of security risk as well as how to reduce security risk.

                   Attention: The security focus in this redbook for the secure portal solution is
                   as follows (see Figure 2-1):
                       Applications
                       Middleware and application software

                   Both WebSphere Portal and Tivoli Access Manager include infrastructure
                   components and APIs to help implement authentication, single sign-on, and
                   authorization for the above-mentioned security categories. The remaining
                   security categories displayed in Figure 2-1 need to be addressed using other
                   tools and processes.




                   [Figure 2-1 shows the security domain as three layers, with the label
                   "Vulnerability and Intruder Reconnaissance" beside them:
                       Security Policy: Security Policies and Procedure; Security Management
                       and Audit; Risk Analysis
                       Logical Security: Applications; Middleware and Application Software;
                       Operating System; Network Software and Communications
                       Physical Security: Systems Hardware; Physical Network; Building and
                       Access to Systems]


Figure 2-1 Elements of the security domain



           As you can see from Figure 2-1, many of these topics are common to all Web
           applications. This section introduces the concepts of each security category and
           provides reference information for further reading.

            Tip: We recommend that you refer to the following reference information to
            further understand the general security issues common to Web environments:
               System Administration, Networking and Security Institute (SANS):
               http://www.sans.org/
               The Center for Internet Security (CIS):
               http://www.cisecurity.org/
               Enterprise Security Architecture Using IBM Tivoli Security Solutions,
               SG24-6014
               IBM WebSphere V5.0 Security, WebSphere Handbook Series, SG24-6573
               Hacking Exposed: Network Security Secrets & Solutions, Third Edition,
               Stuart McClure et al.


2.1.1 Source of vulnerability and intruder reconnaissance
           The most common source of security problems is employees making mistakes.
           The actual threat from hackers and viruses is much smaller than most people
           would anticipate. Having policies and procedures in place helps you address
           your risks. However, they will not directly cover the human factor errors.
           Managing and auditing your security enables you to perform checks and
           discover some errors and correct them. However, if discovered, they may have
           already been the cause of a security breach.

           Intruder reconnaissance
           It is important that the security architect, IT architect, network administrator,
           security administrator, and IT specialist understand that intruders are
           opportunistic. Before your site is hacked, the intruder will often investigate your
           organization. The intruder will look for known vulnerabilities in the network,
           operating system, middleware software, and application architecture.

           After the reconnaissance phase, the hacker will begin to systematically launch
           an attack to gain access to your company’s systems and information. It is up to
           you to understand the common vulnerabilities that intruders use and take
           corrective action to deny the attack. The network administrator can use these
           same techniques to discover what information may be gathered by an intruder.




                 The reconnaissance information from your organization is gathered by using
                 systematic techniques such as the following:
                     Footprinting
                     Footprinting provides the intruder with the information about your systems
                     connected to the Internet gathered by probing the resources without actually
                     touching them. When the network administrator performs the footprinting
                     activity, they are looking to discover what knowledge the intruder could
                     obtain.
                     Some common examples of footprinting include Domain Name System
                     queries, searches, and traceroutes. This is all done with the objective of
                     building a detailed footprint of your network to be used for an attack.
                     Scanning
                     Once he has gained knowledge of the organization from footprinting, the
                     intruder uses this information for the next technique, called scanning.
                     Scanning is the process of interrogating your network systems for available
                     ports; resources such as shares, accounts, operating system types and
                     versions; and other opportunistic avenues to take advantage of your systems.
                     Some common examples of scanning include port scanning, ICMP scanning,
                     ping sweeps, and operating system detection. These techniques, alongside
                     many tools available to facilitate scanning, can provide an intruder a mapping
                     of your network by IP, and ports and services ready for attack. Properly
                     implementing firewalls can go a long way towards the prevention of scanning.
                     Enumeration
                     Enumeration is the process of directly interrogating a system to extract
                     account names or services from the system to launch a more refined attack.
                     What distinguishes this type of intrusion is its aggressive and active
                     nature on your system. This type of activity can often be logged, which is
                     an important element of security.
                     Common examples of enumeration targets are Windows network resources
                     and shares, Windows/UNIX/Linux users and groups, an SNMP daemon or
                     service running without being tightly secured, and applications available
                     to exploit.
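
Because scanning activity leaves traces in firewall logs, a defender can flag it from those logs. The following is an added example, not from the redbook: the log format, the addresses (documentation ranges), and the thresholds are constructed assumptions. It flags a source that probes many ports on one host, or pings many hosts, within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format: <ISO time> <action> <proto> <src> -> <dst>[:<port>]
LINE = re.compile(r"(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP|ICMP) "
                  r"(?P<src>\S+) -> (?P<dst>[^:\s]+)(?::(?P<port>\d+))?$")

# Constructed sample: one fast port scan, one ping sweep, one normal client,
# one slow scan spread over twenty minutes, and one malformed line.
SAMPLE_LOG = """
2004-08-01T10:00:01 DENY TCP 203.0.113.7 -> 192.0.2.10:21
2004-08-01T10:00:02 DENY TCP 203.0.113.7 -> 192.0.2.10:22
2004-08-01T10:00:03 DENY TCP 203.0.113.7 -> 192.0.2.10:23
2004-08-01T10:00:04 DENY TCP 203.0.113.7 -> 192.0.2.10:25
2004-08-01T10:00:05 ALLOW TCP 203.0.113.7 -> 192.0.2.10:80
2004-08-01T10:00:06 ALLOW TCP 203.0.113.7 -> 192.0.2.10:443
2004-08-01T10:01:00 ALLOW ICMP 198.51.100.9 -> 192.0.2.1
2004-08-01T10:01:01 ALLOW ICMP 198.51.100.9 -> 192.0.2.2
2004-08-01T10:01:02 ALLOW ICMP 198.51.100.9 -> 192.0.2.3
2004-08-01T10:01:03 ALLOW ICMP 198.51.100.9 -> 192.0.2.4
2004-08-01T10:02:00 ALLOW TCP 192.0.2.50 -> 192.0.2.10:443
2004-08-01T10:02:10 ALLOW TCP 192.0.2.50 -> 192.0.2.10:443
2004-08-01T10:02:20 ALLOW TCP 192.0.2.50 -> 192.0.2.10:443
2004-08-01T11:00:00 DENY TCP 198.51.100.77 -> 192.0.2.10:21
2004-08-01T11:05:00 DENY TCP 198.51.100.77 -> 192.0.2.10:22
2004-08-01T11:10:00 DENY TCP 198.51.100.77 -> 192.0.2.10:23
2004-08-01T11:15:00 DENY TCP 198.51.100.77 -> 192.0.2.10:25
2004-08-01T11:20:00 DENY TCP 198.51.100.77 -> 192.0.2.10:80
this line is malformed and must be skipped
"""


def parse(lines):
    """Turn log lines into (time, proto, src, dst, port) tuples sorted by time."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines instead of failing the run
        port = int(m["port"]) if m["port"] else None
        events.append((datetime.fromisoformat(m["ts"]), m["proto"],
                       m["src"], m["dst"], port))
    return sorted(events, key=lambda e: e[0])


def detect(events, window_s=60, port_threshold=5, host_threshold=4):
    """Return {source: {"port-scan", "ping-sweep"}} for sources over threshold."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[2]].append(ev)
    findings = defaultdict(set)
    for src, evs in by_src.items():
        for i, first in enumerate(evs):
            ports = defaultdict(set)  # dst -> distinct ports probed in this window
            pinged = set()            # distinct hosts sent ICMP in this window
            for ts, proto, _, dst, port in evs[i:]:
                if (ts - first[0]).total_seconds() > window_s:
                    break
                if proto == "ICMP":
                    pinged.add(dst)
                else:
                    ports[dst].add(port)
            if any(len(p) >= port_threshold for p in ports.values()):
                findings[src].add("port-scan")
            if len(pinged) >= host_threshold:
                findings[src].add("ping-sweep")
    return dict(findings)


if __name__ == "__main__":
    print(detect(parse(SAMPLE_LOG.splitlines())))
```

The slow source in the sample stays under a 60-second window and is only caught when the window is widened, which is why window length has to be tuned against the log volume you can afford to keep.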

                 Where to find more information
                 We recommend the following sources for more detailed information on intruder
                 reconnaissance, how to take corrective action, and tools available:
                     A good source for understanding how to identify vulnerability is the article
                     "Vulnerability Identification and Remediation Through Best Security
                     Practices", by BJ Bellemay Jr, SANS Institute Reading Room, December 7,
                     2001 found at:
                     http://rr.sans.org/practice/identification.php



                     The book Hacking Exposed: Network Security Secrets & Solutions, Fourth
                     Edition, by Stuart McClure et al., provides a good explanation of the process
                     and strategies used by intruders, as well as methods of denying the attack.


2.1.2 Physical security
           Physical security does not often get very much attention, but it is an important
           element of a security strategy. Physical security risks are those risks where there
           is a real physical impact on your hardware and software. These risks are very
           severe because most of them result in a total loss of hardware and data. If your
           customer data is gone as a result of a fire or a stolen system, it does not matter
           to your business how this happened. The fact is that it can be extremely
           damaging to your business.

           Physical security means protection against physical actions. It involves every
           physical element around:
              The system or machine(s) where the application is running
              The room where the machines are operating, as well as access to the room
              The building where the machines are installed
              The site where the company is located

           The listed elements have to be secured against intrusion and damage, be it
           intentional or not.

           Physical security also includes the protection of the physical communication
           network:
              Ground lines
              Wireless connection
              Routers and switches
              Hardware firewalls

           The communication network has to be protected against eavesdropping and
           damage to the connection (cutting the line).

           The subject of physical security goes much further than the objective of this book
           allows. This short section is only intended as a reminder of the concept of
           physical security.


2.1.3 Logical security
           Logical security is related to particular IT solutions such as network, operating
           systems, middleware and application software, and custom-built applications.




Applications
                 The application architecture can provide intruders an opportunistic entry point. In
                 a secure portal application, there are many areas of application-level security
                 that need to be examined, including the infrastructure-provided security, as well
                 as the infrastructure application level APIs.

                 It is important that the security architect and portal developer understand the
                 security infrastructure capabilities provided by the middleware and application
                 software for such topics as authentication, authorization and single sign-on.

                 The middleware and application software also include security-related APIs that
                 can be further leveraged to secure the application and provide added
                 functionality.

                 Tivoli Access Manager Authorization API
                 The Tivoli Access Manager Java runtime component includes the Java language
                 version of a subset of the Tivoli Access Manager authorization API. The
                 authorization API consists of a set of classes and methods that provide Java
                 applications with the ability to interact with Tivoli Access Manager to make
                 authentication and authorization decisions.

                  Note: For more information on the Tivoli Access Manager authorization APIs,
                  refer to the following:
                      Section 9.3, “Using the Tivoli Access Manager APIs” on page 421,
                      includes an example of using the Tivoli Access Manager authorization
                      APIs for the ITSO Bank sample secure portal application.
                      Authorization Java Classes Developer Reference, IBM Tivoli Access
                      Manager V5.1, SC32-1350, product guide.
                      Enterprise Security Architecture Using IBM Tivoli Security Solutions,
                      SG24-6014.

                 WebSphere security
                 The IBM WebSphere Application Server V5 is a J2EE V1.3 compliant Java
                 application server, and it implements the required security services as they are
                 specified. IBM WebSphere Application Server security sits on top of the
                 operating system security and the security features provided by other
                 components, including the Java language, as shown in Figure 2-2.




Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325
Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325

Tivoli data warehouse version 1.3 planning and implementation sg246343Banking at Ho Chi Minh city
 
Tivoli data warehouse 1.2 and business objects redp9116
Tivoli data warehouse 1.2 and business objects redp9116Tivoli data warehouse 1.2 and business objects redp9116
Tivoli data warehouse 1.2 and business objects redp9116Banking at Ho Chi Minh city
 
Tape automation with ibm e server xseries servers redp0415
Tape automation with ibm e server xseries servers redp0415Tape automation with ibm e server xseries servers redp0415
Tape automation with ibm e server xseries servers redp0415Banking at Ho Chi Minh city
 
Tivoli storage productivity center v4.2 release guide sg247894
Tivoli storage productivity center v4.2 release guide sg247894Tivoli storage productivity center v4.2 release guide sg247894
Tivoli storage productivity center v4.2 release guide sg247894Banking at Ho Chi Minh city
 
Synchronizing data with ibm tivoli directory integrator 6.1 redp4317
Synchronizing data with ibm tivoli directory integrator 6.1 redp4317Synchronizing data with ibm tivoli directory integrator 6.1 redp4317
Synchronizing data with ibm tivoli directory integrator 6.1 redp4317Banking at Ho Chi Minh city
 
Storage migration and consolidation with ibm total storage products redp3888
Storage migration and consolidation with ibm total storage products redp3888Storage migration and consolidation with ibm total storage products redp3888
Storage migration and consolidation with ibm total storage products redp3888Banking at Ho Chi Minh city
 

More from Banking at Ho Chi Minh city (20)

Postgresql v15.1
Postgresql v15.1Postgresql v15.1
Postgresql v15.1
 
Postgresql v14.6 Document Guide
Postgresql v14.6 Document GuidePostgresql v14.6 Document Guide
Postgresql v14.6 Document Guide
 
IBM MobileFirst Platform v7.0 Pot Intro v0.1
IBM MobileFirst Platform v7.0 Pot Intro v0.1IBM MobileFirst Platform v7.0 Pot Intro v0.1
IBM MobileFirst Platform v7.0 Pot Intro v0.1
 
IBM MobileFirst Platform v7 Tech Overview
IBM MobileFirst Platform v7 Tech OverviewIBM MobileFirst Platform v7 Tech Overview
IBM MobileFirst Platform v7 Tech Overview
 
IBM MobileFirst Foundation Version Flyer v1.0
IBM MobileFirst Foundation Version Flyer v1.0IBM MobileFirst Foundation Version Flyer v1.0
IBM MobileFirst Foundation Version Flyer v1.0
 
IBM MobileFirst Platform v7.0 POT Offers Lab v1.0
IBM MobileFirst Platform v7.0 POT Offers Lab v1.0IBM MobileFirst Platform v7.0 POT Offers Lab v1.0
IBM MobileFirst Platform v7.0 POT Offers Lab v1.0
 
IBM MobileFirst Platform v7.0 pot intro v0.1
IBM MobileFirst Platform v7.0 pot intro v0.1IBM MobileFirst Platform v7.0 pot intro v0.1
IBM MobileFirst Platform v7.0 pot intro v0.1
 
IBM MobileFirst Platform v7.0 POT App Mgmt Lab v1.1
IBM MobileFirst Platform  v7.0 POT App Mgmt Lab v1.1IBM MobileFirst Platform  v7.0 POT App Mgmt Lab v1.1
IBM MobileFirst Platform v7.0 POT App Mgmt Lab v1.1
 
IBM MobileFirst Platform v7.0 POT Analytics v1.1
IBM MobileFirst Platform v7.0 POT Analytics v1.1IBM MobileFirst Platform v7.0 POT Analytics v1.1
IBM MobileFirst Platform v7.0 POT Analytics v1.1
 
IBM MobileFirst Platform Pot Sentiment Analysis v3
IBM MobileFirst Platform Pot Sentiment Analysis v3IBM MobileFirst Platform Pot Sentiment Analysis v3
IBM MobileFirst Platform Pot Sentiment Analysis v3
 
IBM MobileFirst Platform 7.0 POT InApp Feedback V0.1
IBM MobileFirst Platform 7.0 POT InApp Feedback V0.1IBM MobileFirst Platform 7.0 POT InApp Feedback V0.1
IBM MobileFirst Platform 7.0 POT InApp Feedback V0.1
 
Tme 10 cookbook for aix systems management and networking sg244867
Tme 10 cookbook for aix systems management and networking sg244867Tme 10 cookbook for aix systems management and networking sg244867
Tme 10 cookbook for aix systems management and networking sg244867
 
Tivoli firewall magic redp0227
Tivoli firewall magic redp0227Tivoli firewall magic redp0227
Tivoli firewall magic redp0227
 
Tivoli data warehouse version 1.3 planning and implementation sg246343
Tivoli data warehouse version 1.3 planning and implementation sg246343Tivoli data warehouse version 1.3 planning and implementation sg246343
Tivoli data warehouse version 1.3 planning and implementation sg246343
 
Tivoli data warehouse 1.2 and business objects redp9116
Tivoli data warehouse 1.2 and business objects redp9116Tivoli data warehouse 1.2 and business objects redp9116
Tivoli data warehouse 1.2 and business objects redp9116
 
Tec implementation examples sg245216
Tec implementation examples sg245216Tec implementation examples sg245216
Tec implementation examples sg245216
 
Tape automation with ibm e server xseries servers redp0415
Tape automation with ibm e server xseries servers redp0415Tape automation with ibm e server xseries servers redp0415
Tape automation with ibm e server xseries servers redp0415
 
Tivoli storage productivity center v4.2 release guide sg247894
Tivoli storage productivity center v4.2 release guide sg247894Tivoli storage productivity center v4.2 release guide sg247894
Tivoli storage productivity center v4.2 release guide sg247894
 
Synchronizing data with ibm tivoli directory integrator 6.1 redp4317
Synchronizing data with ibm tivoli directory integrator 6.1 redp4317Synchronizing data with ibm tivoli directory integrator 6.1 redp4317
Synchronizing data with ibm tivoli directory integrator 6.1 redp4317
 
Storage migration and consolidation with ibm total storage products redp3888
Storage migration and consolidation with ibm total storage products redp3888Storage migration and consolidation with ibm total storage products redp3888
Storage migration and consolidation with ibm total storage products redp3888
 

Recently uploaded

Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 

Recently uploaded (20)

Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 

Develop and deploy a secure portal solution using web sphere portal v5 and tivoli access manager v5.1 sg246325

  • 5. Contents
    Notices . . . xiii
    Trademarks . . . xiv
    Preface . . . xv
    The team that wrote this redbook . . . xv
    Become a published author . . . xviii
    Comments welcome . . . xviii
    Part 1. Introduction to secure portal solutions . . . 1
    Chapter 1. Introduction . . . 3
    1.1 Secure portal solution overview . . . 4
    1.1.1 Key concepts of a secure portal solution . . . 4
    1.1.2 Secure portal solution high level architecture . . . 5
    1.2 Solution software . . . 6
    1.2.1 Runtime environment solution software . . . 6
    1.2.2 Development environment solution software . . . 8
    1.3 Target audience of redbook . . . 10
    1.3.1 Roles and skills . . . 10
    1.3.2 Matching redbook topics to roles and skills . . . 11
    Chapter 2. Security fundamentals . . . 13
    2.1 Security domain and risk management . . . 14
    2.1.1 Source of vulnerability and intruder reconnaissance . . . 15
    2.1.2 Physical security . . . 17
    2.1.3 Logical security . . . 17
    2.1.4 Security policy . . . 23
    2.1.5 Security risk management . . . 23
    2.2 Method for Architecting Secure Solutions (MASS) . . . 25
    2.3 Security fundamentals . . . 26
    2.3.1 Public Key Infrastructure (PKI) . . . 27
    2.3.2 WebSphere Portal security model . . . 31
    2.3.3 Tivoli Access Manager security model . . . 35
    2.3.4 Authentication . . . 38
    2.3.5 Authorization . . . 41
    2.3.6 WebSphere Portal Credential Vault . . . 44
    2.3.7 Tivoli Access Manager Global Sign-on (GSO) . . . 46
    Chapter 3. Architecture and topology selection . . . 51
  • 6. Contents (continued)
    3.1 Topology definition and operational model . . . 52
    3.1.1 Operational model overview . . . 52
    3.1.2 Topology zones . . . 53
    3.1.3 Conceptual model . . . 58
    3.1.4 Specified model . . . 62
    3.1.5 Security interaction patterns . . . 65
    3.2 Runtime environment topology selection . . . 69
    3.2.1 Entry runtime topology . . . 70
    3.2.2 Enterprise runtime topology . . . 73
    3.2.3 Extended enterprise runtime topology . . . 79
    3.3 Development environment topology selection . . . 81
    3.3.1 Conceptual model . . . 83
    3.3.2 Specified model . . . 84
    3.3.3 All-in-one approach . . . 85
    3.3.4 Develop and deploy without debug . . . 87
    3.3.5 Develop, deploy, and remote debugging . . . 88
    3.3.6 Develop using a shared security infrastructure . . . 90
    Chapter 4. Design and integration guidelines . . . 93
    4.1 Security and design guidelines . . . 94
    4.1.1 Design principles . . . 94
    4.1.2 WebSphere Portal vs Tivoli Access Manager authorization . . . 95
    4.1.3 Single sign-on guidelines . . . 96
    4.1.4 Identity management . . . 105
    4.1.5 Adding an external Web server for WebSphere Portal . . . 107
    4.2 Product-specific integration guidelines . . . 107
    4.2.1 WebSEAL junctions . . . 108
    4.2.2 Junction considerations for use with TAI . . . 109
    4.2.3 Handling of back-end application cookies . . . 110
    4.2.4 Junction Mapping Table (JMT) . . . 112
    4.2.5 WebSEAL URL-based access control . . . 112
    4.2.6 Access control of WebSphere Portal resources . . . 113
    4.2.7 Access control of resources within portlet applications . . . 113
    4.2.8 WebSEAL and WebSphere Portal session considerations . . . 114
    4.3 Sequence diagrams for common access patterns . . . 115
    4.3.1 UCT1: Access unprotected portal page . . . 116
    4.3.2 UCT2: Access protected portal page, provide valid credentials . . . 117
    4.3.3 UCT3: Access protected portal page with existing valid session . . . 119
    4.3.4 UCT4: Access protected portal page with invalid credentials . . . 120
    4.3.5 UCT5: WebSEAL session times out before portal session . . . 121
    4.3.6 UCT6: Portal session times out before WebSEAL session . . . 124
    4.3.7 UCT7: Both WebSEAL and WebSphere Portal sessions time out . . . 127
    4.3.8 UCT8: WebSphere Portal logout after WebSEAL session timeout . . . 131
  • 7. Contents (continued)
    4.4 Component connections . . . 133
    Part 2. ITSO working example secure portal solution . . . 141
    Chapter 5. Requirements and solution design . . . 143
    5.1 Business scenario . . . 144
    5.1.1 Initial context . . . 144
    5.1.2 Business challenges . . . 145
    5.2 Business requirements . . . 146
    5.2.1 Functional requirements . . . 146
    5.2.2 Non-functional requirements . . . 147
    5.3 Use case model . . . 155
    5.3.1 Use case overview . . . 155
    5.3.2 Front-end use cases . . . 158
    5.3.3 Administrative use cases . . . 163
    5.4 Architecture . . . 166
    5.4.1 Architecture overview . . . 167
    5.4.2 Architecture decisions . . . 169
    5.4.3 Selected runtime environment . . . 174
    5.4.4 Selected development environment . . . 174
    Chapter 6. Install the runtime environment . . . 175
    6.1 Planning . . . 176
    6.1.1 Hardware and software prerequisites . . . 177
    6.1.2 Hardware used within the ITSO runtime environment . . . 178
    6.1.3 Software used within the ITSO runtime environment . . . 178
    6.1.4 Software installation paths and variables . . . 181
    6.1.5 Using VMWare and Ghost . . . 182
    6.2 Implement the Policy Server node . . . 182
    6.2.1 Windows 2000 Server installation . . . 183
    6.2.2 DB2 Universal Database installation . . . 184
    6.2.3 IBM GSKit upgrade installation . . . 188
    6.2.4 Java Runtime Environment (JRE) V1.3.1 installation . . . 192
    6.2.5 Tivoli Directory Server installation . . . 193
    6.2.6 Tivoli Directory Server configuration . . . 195
    6.2.7 Tivoli Web Administration Tool installation . . . 196
    6.2.8 Configure Directory Server for Tivoli Access Manager . . . 206
    6.2.9 Tivoli Access Manager installation . . . 207
    6.2.10 Tivoli Access Manager configuration . . . 208
    6.2.11 Tivoli Access Manager Web Portal Manager installation . . . 213
    6.2.12 Tivoli Access Manager V5.1 Base Fixpack 2 installation . . . 216
    6.3 Implement the Reverse Proxy node . . . 218
    6.3.1 Windows 2000 Server installation . . . 219
    6.3.2 Install GSKit . . . 219
  • 8. Contents (continued)
    6.3.3 Install Java Runtime Environment (JRE) . . . 219
    6.3.4 Install Tivoli Directory Client . . . 219
    6.3.5 Tivoli Access Manager - WebSEAL installation . . . 220
    6.3.6 Tivoli Access Manager - WebSEAL configuration . . . 222
    6.3.7 Tivoli Access Manager V5.1 Base Fixpack 2 installation . . . 225
    6.3.8 Tivoli Access Manager V5.1 WebSEAL Fixpack 2 installation . . . 226
    6.4 Implement the Portal Server node . . . 227
    6.4.1 Windows 2000 Server installation . . . 228
    6.4.2 WebSphere Portal Server V5.0 installation . . . 228
    6.4.3 WebSphere Application Server Enterprise V5 Fixpack 2 (V5.0.2) installation . . . 234
    6.4.4 WebSphere Application Server V5.0.2 Fixes installation . . . 237
    6.4.5 WebSphere Portal V5 Fixpack 2 (V5.0.2) installation . . . 240
    6.4.6 WebSphere Application Server Enterprise V5.0.2 Cumulative Fix (V5.0.2.3) installation . . . 243
    6.4.7 WebSphere Portal V5.0.2 Cumulative Fix 1 (V5.0.2.1) installation . . . 251
    6.4.8 Java Runtime Environment (JRE) V1.3.1 installation . . . 254
    6.4.9 Tivoli Access Manager Java Runtime Environment installation . . . 255
    6.4.10 DB2 Universal Database installation . . . 257
    Chapter 7. Configure the runtime environment . . . 259
    7.1 Configure WebSphere Portal for DB2 . . . 261
    7.2 Configure WebSphere Portal for IBM HTTP Server . . . 264
    7.3 Configure WebSphere Portal for LDAP . . . 266
    7.3.1 Create a suffix . . . 266
    7.3.2 Create LDIF file containing users and groups . . . 267
    7.3.3 Import the LDIF file (wp-itso.ldif) to create users and groups . . . 268
    7.3.4 Enable LDAP security for WebSphere Portal . . . 269
    7.3.5 Verify the LDAP configuration . . . 276
    7.4 Enable mutual SSL between WebSEAL and WebSphere Portal . . . 276
    7.4.1 IBM HTTP Server SSL configuration . . . 277
    7.4.2 Configure WebSphere Portal for SSL . . . 281
    7.4.3 Export IBM HTTP Server CA certificate . . . 283
    7.4.4 Import IBM HTTP Server certificate into WebSEAL keystore . . . 284
    7.4.5 Export WebSEAL certificate . . . 286
    7.4.6 Import WebSEAL certificate into IBM HTTP Server keystore . . . 287
    7.4.7 Enable mutual SSL for IBM HTTP Server . . . 288
    7.5 Configure portal authentication with TAM using TAI . . . 289
    7.5.1 Apply Tivoli Access Manager ACLs to new LDAP suffixes . . . 290
    7.5.2 Define additional MIME types for WebSphere Application Server . . . 296
    7.5.3 Create a WebSEAL junction . . . 297
    7.5.4 Enable forms authentication on WebSEAL . . . 300
    7.5.5 Configure WebSEAL to modify URLs to back-end systems . . . 301
  • 9. 7.5.6 Configure additional WebSEAL parameters
7.5.7 Import WebSphere Portal users and groups into TAM
7.5.8 Define access controls for WebSphere Portal URIs
7.5.9 Configure the junction mapping table
7.5.10 Configure SSO for WebSEAL and WebSphere via TAI
7.5.11 Configure Portal login/logout for use with WebSEAL
7.6 Configure Portal for authorization with TAM
7.6.1 Configure the SSL between WebSphere and TAM
7.6.2 Implement JAAS authentication
7.6.3 Modify WebSphere Portal configuration files
7.6.4 Verify entries in TAM for Portal external authorization
7.6.5 Example for externalizing a resource
7.7 Integrate the Credential Vault
7.7.1 Credential Vault overview
7.7.2 Configure the Credential Vault for Tivoli Access Manager
7.7.3 Verify the Credential Vault
7.8 Additional configuration
7.8.1 Configure WebSEAL and WebSphere Portal session timeouts
7.8.2 Configure WebSEAL to handle favicon.ico

Chapter 8. Implement the development environment
8.1 Planning
8.1.1 Architecture overview
8.1.2 Hardware used within the ITSO development environment
8.1.3 Software used within the ITSO development environment
8.1.4 VMWare
8.2 Implement the Repository node (optional)
8.3 Implement the Policy Server node
8.4 Implement the Reverse Proxy node (optional)
8.5 Implement the Development node
8.5.1 Windows 2000 installation
8.5.2 WebSphere Studio Application Developer V5.1.1 installation
8.5.3 WebSphere Studio Application Developer V5.1.1 Interim Fix 002 installation
8.5.4 WebSphere Studio Application Developer - WebSphere Test Environment fixpack installation
8.5.5 WebSphere Portal Toolkit and test environment installation
8.5.6 Verify the Portal Toolkit and Test Environment installation
8.5.7 Java Runtime Environment (JRE) V1.3.1 installation
8.5.8 Tivoli Access Manager Java Runtime Environment installation
8.5.9 Configure the SSL between the WTE and TAM
8.5.10 Verify the TAM configuration within WebSphere Studio
8.5.11 CVS client configuration for WebSphere Studio
  • 10. 8.6 Configure WebSphere Portal for LDAP
8.6.1 Create a suffix
8.6.2 Import the LDIF file (wp-itso.ldif) to create users and groups
8.6.3 Enable LDAP security for WebSphere Portal
8.6.4 Stop/start servers in WebSphere Test Environment
8.6.5 Verify the LDAP configuration
8.6.6 Disable LDAP security in WebSphere Portal
8.7 Additional configuration (optional)

Chapter 9. Develop the secure portal application
9.1 Architecture and design of the ITSO example
9.1.1 Architecture
9.1.2 Deployment units
9.1.3 Method level security
9.2 Prepare the workbench for the ITSO Bank example
9.2.1 ITSO Bank sample code download and unpack
9.2.2 Import the sample project into the workbench
9.2.3 Team development
9.2.4 Prepare the database
9.2.5 Prepare the back-end EJB server
9.2.6 Prepare the front-end portal server
9.2.7 Run the ITSO Bank application in the test environment
9.3 Using the Tivoli Access Manager APIs
9.3.1 The portlet application without Tivoli Access Manager
9.3.2 The portlet application using Tivoli Access Manager
9.4 Using the WebSphere Portal Credential Vault

Chapter 10. Deploy the secure portal application
10.1 ITSO Bank application overview
10.2 Deploy the ITSO Bank back-end application
10.2.1 Create an application server
10.2.2 ITSO Bank sample code download and unpack
10.2.3 Create the ITSO Bank application database
10.2.4 Add ITSOid attribute to the LDAP schema
10.2.5 Create the groups and users for the ITSO Bank application
10.2.6 Create the ITSOBankDataSource data source
10.2.7 Deploy the back-end application EAR
10.3 Deploy the ITSO Bank portal application
10.3.1 ITSO Bank sample code download and unpack
10.3.2 Modify properties files and repackage WAR
10.3.3 Modify the wmmLDAPServerAttributes.xml file
10.3.4 Install portlets
10.3.5 Create portal pages
  • 11. 10.3.6 Add portlets to pages
10.3.7 Modify resource permissions
10.3.8 Verify ITSO Bank application
10.3.9 Externalize the ITSO Bank resources

Chapter 11. Security hardening
11.1 Configure CSIv2 SSL settings
11.1.1 Create SSL keys for CSIv2
11.1.2 Configure the SSL repertoire for CSIv2
11.2 Enable SSL for LDAP
11.2.1 Enable LDAP server for SSL connections
11.2.2 Enable SSL for Tivoli Access Manager LDAP connections
11.2.3 Enable SSL for WebSEAL LDAP connections
11.2.4 Enable SSL for WebSphere LDAP connection
11.2.5 Enable SSL for WebSphere Portal LDAP connections
11.2.6 Enable SSL for Web Admin Tool LDAP connection
11.2.7 Configure Tivoli Directory Server client utilities for SSL
11.2.8 Disable non-SSL access to Tivoli Directory Server
11.3 Replace the default SSL certificates for the SOAP connector
11.3.1 Configure SSL certificate and repertoire for SOAP connector
11.3.2 Configure WebSphere administration utilities
11.3.3 Configure WebSphere Portal SOAP connection credentials
11.4 Additional security hardening guidelines
11.4.1 Secure a WebSphere Network Deployment environment
11.4.2 Disable the IBM HTTP Server Administration service
11.4.3 Disable the IBM HTTP Server on the Policy Server node

Chapter 12. Manage a secure portal solution
12.1 Tivoli administration tools and common tasks
12.1.1 Tivoli Directory Server processes
12.1.2 Tivoli Directory Server - Configuration Tool (ldapxcfg)
12.1.3 Tivoli Directory Server - Web Administration Tool
12.1.4 Tivoli Directory Server - Command line utilities
12.1.5 Tivoli Access Manager - Servers
12.1.6 Tivoli Access Manager - pdadmin
12.1.7 Tivoli Access Manager - Web Portal Manager
12.1.8 User management
12.1.9 Customize the WebSEAL HTML pages
12.1.10 Externalized role management
12.1.11 Favicon configuration
12.2 WebSphere administration tools and common tasks
12.2.1 WebSphere Application Server - Administrative console
12.2.2 WebSphere Application Server - Scripting program
  • 12. 12.2.3 WebSphere Application Server - Command-line tools
12.2.4 WebSphere Portal - Web administration
12.2.5 WebSphere Portal - XMLAccess
12.2.6 Externalize virtual resources
12.3 Start and stop servers for ITSO example nodes
12.4 Back up and restore of key configuration files and databases
12.4.1 Backup
12.4.2 Restore
12.5 Verifying the ITSO Bank application and runtime
12.5.1 Banking application login
12.5.2 Add user
12.5.3 Modify user information
12.5.4 View account balance
12.5.5 Transfer funds

Part 3. Appendixes

Appendix A. Troubleshooting a secure portal solution
Common issues encountered in a secure portal
Common problems and solutions
Secure portal tips
Runtime log files for server components
Logs - WebSphere Application Server
Logs - WebSphere Portal
Logs - Tivoli Access Manager
Gathering runtime tracing for security issues
Tracing authentication issues
Tracing authorization issues
Tracing Credential Vault issues
Problems fixed in the portal for external access control
WebSphere Portal V5 Fixpack 2 (V5.0.2)
WebSphere Portal V5.0.2 Cumulative Fix 1 (V5.0.2.1)
Individual fixes for WebSphere Portal V5.0.2.1

Appendix B. Configure single sign-on using LTPA
Prerequisite steps
LTPA configuration
Apply Tivoli Access Manager ACLs to new LDAP suffix
Define additional MIME types for WebSphere Application Server
Export LTPA encryption keys from the WebSphere Application Server
Create a WebSEAL junction
Enable forms authentication on WebSEAL
Configure WebSEAL to modify URLs to back-end systems
Configure additional WebSEAL parameters
  • 13. Import WebSphere Portal users and groups into TAM
Define access controls for WebSphere Portal URIs
Configure the junction mapping table
Configure Portal login/logout for WebSEAL

Appendix C. CVS configuration
CVS overview
CVSNT Server implementation
CVS Server installation
CVS Server repository configuration
Create CVS users
CVS Client configuration for WebSphere Studio Application Developer
Set CVS DTD file extension to ASCII
Label decorations for CVS
Setting up the repository location

Appendix D. Automate deployment tasks
Overview
Terminology
Tooling
Deployment walkthrough
Solution structuring
Preparation
Populating the solution
Concepts and background discussion
Component types
ITSO WebSphere Portal development starter kit
wpdsk-util command reference

Appendix E. Node descriptions for architecture models
Conceptual model node description for the runtime environment
Specified model node description for the runtime environment
Conceptual model node descriptions for development
Specified model node description for development and test environment

Appendix F. Additional material
Locating the Web material
Using the Web material
System requirements for downloading the Web material
How to use the Web material
Description of sample code

Related publications
IBM Redbooks
  • 14. Other publications
Online resources
How to get IBM Redbooks
Help from IBM

Index
  • 15. Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing, IBM Corporation, North Castle Drive Armonk, NY 10504-1785 U.S.A.

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE: This information contains sample application programs in source language, which illustrates programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.
  • 16. Trademarks

The following terms are trademarks of the International Business Machines Corporation in the United States, other countries, or both:

AIX®, Balance®, ClearCase®, Cloudscape™, developerWorks®, Domino®, DB2 Universal Database™, DB2®, HACMP™, IBM®, ibm.com®, Lotus Notes®, Lotus®, NetView®, Notes®, Rational®, Redbooks™, Redbooks (logo)™, Sametime®, Tivoli®, WebSphere®, xSeries®

The following terms are trademarks of other companies:

Intel, Intel Inside (logos), MMX, and Pentium are trademarks of Intel Corporation in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Other company, product, and service names may be trademarks or service marks of others.
  • 17. Preface

Portals provide a personalized single point of access to applications, content, and processes through a Web interface. Secure portal solutions are needed to address the common security challenges, such as authentication, authorization and single sign-on.

This IBM Redbook and sample code will provide IT architects, developers, IT specialists, and administrators with the critical knowledge to design, develop, deploy and manage a secure portal solution using IBM® Tivoli Access Manager V5.1.0.2 and IBM WebSphere® Portal V5.0.2.1.

Part 1, “Introduction to secure portal solutions” on page 1, introduces key concepts and provides an in-depth look at the secure portal solution architecture, topology selection, design and integration guidelines.

Part 2, “ITSO working example secure portal solution” on page 141, describes how to implement an end-to-end secure portal solution. This part includes a business scenario, requirements, design, implementation of the runtime and development environments, application development and deployment, and administration of the secure portal solution.

The team that wrote this redbook

This redbook was produced by a team of specialists from around the world working at the International Technical Support Organization, Raleigh Center.
  • 18. Figure 1 The IBM Redbook team (left to right, 1st row: John Ganci, Normunds Saumanis; 2nd row: Brett Gordon, Jonas Tingeborn, Melanie Fletcher, Hinrich Boog, Ashwin Manekar, Kai Schwidder)

John Ganci is a Senior Software Engineer, WebSphere Specialist at the IBM ITSO, Raleigh Center. He writes extensively and teaches classes on WebSphere and related topics. John has 14 years of experience in product and application design, development, system testing, and consulting. His areas of expertise include e-commerce, WebSphere Application Server, portals, pervasive computing, Linux and Java™ programming.

Hinrich Boog is an IT Specialist in the IBM e-business Innovation Center Hamburg, Germany. He has several years of experience in application development and IT consulting for e-business solutions. He holds a degree in Computer Science (major) and Russian language (minor) from Freie Universität Berlin, Germany. His areas of expertise include J2EE applications, enterprise portals and Web content management. He is a Sun Certified Web Component Developer.
  • 19. Melanie Fletcher is a Software Engineer in the Gold Coast IBM Tivoli® lab, Australia. She has extensive experience with the Tivoli Access Manager security products ranging from functional verification testing to consulting. She holds a degree in Business and a Masters of Information Technology from the Queensland University of Technology, Australia. Her areas of expertise include security solutions using Tivoli Access Manager and Tivoli Identity Manager.

Brett Gordon is a Software Engineer in the IBM Software Group, USA. He has over five years of experience in technical support for IBM Lotus® Software. He holds a degree in international economics from the University of Texas at Austin, and he is currently pursuing a Masters degree in Computer Networking from North Carolina State University in Raleigh. His areas of expertise include integration, security, and administration of WebSphere Portal and Lotus Domino®. He is an IBM Certified System Administrator for WebSphere Portal V5.

Ashwin Manekar is a Software Engineer in IBM Software Group Solution Test, USA. He has eight years of experience in application development and IT Consulting for e-business solutions. He holds a Masters degree in Computer Science from the University of North Carolina at Charlotte, USA. His areas of expertise include developing J2EE enterprise applications, portlet development, Click-To-Action technology, and Web applications. He has published several papers in the area of WebSphere Portal environment setup and portlet development on the IBM developerWorks® technical forum.

Normunds Saumanis is an IT Architect in IBM Global Services, Latvia. He has over 10 years experience in systems support, systems integration, application development and IT consulting. He holds a degree in Computer Science from Michigan State University, USA. His areas of expertise include AIX/UNIX® systems support, IT infrastructure design and operations, systems integration, Java, pervasive and Web applications, and IBM WebSphere.

Kai Schwidder is an IT Architect in the IBM Software Group, Switzerland. He has 14 years of experience in the fields of consulting, application development, and systems integration for e-business and e-commerce solutions. He holds a degree in Computer Science from the Technical University in Berlin, Germany. His areas of expertise include systems integration, application architecture and development, business to technology consulting, technical team leadership, WebSphere Portal, Tivoli Access Manager, WebSphere Commerce, and WebSphere MQ.

Jonas Tingeborn is an IT Specialist in IBM Global Services, Sweden. He has worked at IBM for six years, of which the last four were spent at various e-business engagements for different customers. His focus areas and previous project roles include application development, e-business consulting, and configuration management with WebSphere Portal, J2EE and Linux.
  • 20. Thanks to the following people for their contributions to this project:
- Tinny Ng, IBM Canada
- Michele Galic, IBM USA
- Allison Halliday, IBM Sweden
- Andrew Hatzikyriacos, South Africa
- Maria Munaro, IBM Venezuela
- Sailaja Parepalli, Miraclesoftware Systems Inc., USA
- David Yang, IBM USA
- Gianluca Gargaro, IBM Italy
- Steven Tuttle, IBM ITSO Raleigh Center, USA
- William Tworek, IBM ITSO Cambridge Center, USA
- Axel Buecker, IBM ITSO Austin Center, USA
- Ray Neucom, IBM USA
- Paul Kelsey, IBM USA
- Masanobu Ida, IBM Japan
- Stefan Schmitt, IBM Germany
- Daniel Kipfer, IBM Switzerland
- Julie Czubik, ITSO Poughkeepsie Center, USA

Become a published author

Join us for a two- to six-week residency program! Help write an IBM Redbook dealing with specific products or solutions, while getting hands-on experience with leading-edge technologies. You'll team with IBM technical professionals, Business Partners and/or customers. Your efforts will help increase product acceptance and customer satisfaction. As a bonus, you'll develop a network of contacts in IBM development labs, and increase your productivity and marketability. Find out more about the residency program, browse the residency index, and apply online at: ibm.com/redbooks/residencies.html

Comments welcome

Your comments are important to us!
  • 21. We want our Redbooks™ to be as helpful as possible. Send us your comments about this or other Redbooks in one of the following ways:
- Use the online Contact us review redbook form found at: ibm.com/redbooks
- Send your comments in an Internet note to: redbook@us.ibm.com
- Mail your comments to: IBM Corporation, International Technical Support Organization, Dept. HZ8 Building 662, P.O. Box 12195, Research Triangle Park, NC 27709-2195
  • 23. Part 1. Introduction to secure portal solutions
  • 25. Chapter 1. Introduction

Nearly every e-business needs a secure infrastructure for hosting Web-based applications such as a secure portal. There are several common challenges that businesses face when implementing secure portal solutions. First, the site needs to provide a means of determining who is accessing the site (authentication). Second, the site needs the capability to permit or deny access to resources based on the policies and users/groups who access the resources (authorization). Third, users want to log on only once to reach the applications to which they have been granted access (single sign-on).

In some cases, businesses have tried to pioneer these solutions on their own. This can be a very costly and risky approach to Web-based security. As the complexity of Web sites increases to meet e-business needs, there is a growing expectation for IT shops to deploy solutions in a very timely fashion. To solve these infrastructure and security needs, many companies look to leverage middleware software technologies that provide an integrated solution for authentication, authorization and single sign-on.

When companies invest in secure portal solutions from IBM using Tivoli Access Manager and WebSphere Portal, they get a proven production-ready secure portal solution that can dramatically accelerate their time to market.

The focus of this chapter is to introduce the key concepts of a secure portal solution, outline the solution software, and define the target audience of the publication.
  • 26. 1.1 Secure portal solution overview

This section includes an overview of the key concepts and solution architecture of a secure portal solution.

1.1.1 Key concepts of a secure portal solution

This section includes a brief description of the key concepts of a secure portal solution when using IBM WebSphere Portal and Tivoli Access Manager.

Authentication
Authentication is a process where the client identity is validated. The client can be an end user, a machine or an application. Authentication uses the identity of the user, authenticated or unauthenticated, to acquire the credentials of the user with the objective of determining if the user has the proper permissions for the requested resource.

Authorization
The authorization process provides the capability to permit or deny access to resources based on the policies and users that access the resources. If the resource is protected, the user will first be authenticated to determine their identity, and then the privileges defined for the desired resource will be checked.

Shared LDAP user registry
The user registry is stored under a root LDAP suffix (for example, dc=itso,dc=ibm,dc=com) in the LDAP repository. In a secure portal solution, Tivoli Access Manager, WebSphere Portal and WebSphere Application Server reference the same user registry, since they are configured to connect to and use the same Tivoli Directory Server LDAP repository.

Single sign-on
Single sign-on provides users with the ability to log on once (authenticate) and then access the resources or applications within the enterprise for which the user has been granted permissions.

Credential Vault
WebSphere Portal includes the Credential Service and Credential Vault features to allow portlet applications to pass user credentials to a back-end application. The Credential Vault is a portal service that helps portlets and portal users manage multiple identities.
When using Tivoli Access Manager with WebSphere Portal to create a secure portal solution, the credential storage for the Credential Vault can be moved to the Tivoli Access Manager Global Sign-on (GSO) lockbox.

  • 27. 1.1.2 Secure portal solution high level architecture

There are many possible runtime topologies that can be implemented for a secure portal solution, depending on the security, performance, scalability and integration needs of the business. Figure 1-1 depicts the high level secure portal solution architecture. The figure includes the fictitious ITSO Bank secure portal application. The solution architecture can be applied to many types of applications.

[Figure 1-1 Secure portal solution high level architecture. Zones: Outside Zone, Demilitarized Zone, Production Zone. Labeled components: browser client, Internet, protocol firewall, reverse proxy (TAM WebSEAL), domain firewall, Portal Server (WebSphere Portal, WMM, ITSO Bank portlets), Backend Server (WebSphere Application Server, ITSO Bank EJBs), TAM Policy Server, TAM Authorization Server, Directory Server (Tivoli Directory Server, LDAP user registry), Domain Name Server, Public Key Infrastructure.]

The following example illustrates how a customer using a Web browser would interact with the ITSO Bank secure portal solution to access a protected resource such as a customer account balance. We will first log on to the ITSO Bank site to outline the process of authentication, and then highlight the process of authorization to the secure portal page.

1. Authenticate the customer.
   a. The customer enters a URL in the Web browser to access a resource that is protected by the WebSEAL.
  • 28.
   b. The WebSEAL determines that the user has attempted to access a protected resource and will prompt the user with a logon page.
   c. The user enters her username and password in the logon form and then submits them to the WebSEAL.
   d. The WebSEAL then interacts with the Tivoli Access Manager Policy Server and Tivoli Directory Server to validate the identity of the user in the Tivoli Access Manager user registry.
   e. The WebSEAL uses the validated identity to obtain a credential for that user.
2. Authorize access to the secure resource. In this example, the customer would like to view her account balance.
   a. The WebSEAL interacts with the Tivoli Access Manager authorization services with the user credentials to permit or deny access to protected objects (for example, bank account balance) after evaluating the access control list (ACL) permissions and protected object policy (POP).
   b. WebSEAL forwards the request to WebSphere Portal.
   c. The account balance portlet interacts with the back-end EJBs to retrieve the customer account balance.
   d. The WebSEAL sends the response to the Web browser client to display the contents of the portal page.

1.2 Solution software

This section highlights the software we used in the ITSO working example secure portal solution for both the runtime and development environments.

1.2.1 Runtime environment solution software

The majority of the runtime environment software used in the ITSO secure portal solution is included in IBM WebSphere Portal Extend for Multiplatforms V5.0.2 and IBM Tivoli Access Manager for e-business V5.1. In addition, we used the most current fixpack levels of software for these software suites, in some cases to fix known problems and in others to fully validate the functionality when integrated. We chose to use the Microsoft® Windows® 2000 Server with Service Pack 4 as the operating system platform.
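The logon and authorization sequence in steps 1 and 2 of section 1.1.2 can be modelled in a few lines, which makes the order of the decisions easier to follow. This is an added example, not code from the redbook or from Tivoli Access Manager: the users, object paths, permission letter, `allowed_hours` attribute and evaluation order are constructed simplifications.

```python
import hashlib
import hmac
from dataclasses import dataclass


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed user registry, standing in for the shared LDAP user registry.
REGISTRY = {
    "alice": {"salt": b"s1", "hash": _pw_hash("correct horse", b"s1"),
              "groups": {"customers"}},
    "bob": {"salt": b"s2", "hash": _pw_hash("tellers-only", b"s2"),
            "groups": {"tellers"}},
}

# Constructed protected object space. A policy attached to a node is
# inherited by every object below it until a closer policy overrides it.
ACLS = {
    "/": {"any-other": "", "unauthenticated": ""},
    "/public": {"any-other": "r", "unauthenticated": "r"},
    "/portal": {"group": {"customers": "r", "tellers": "r"}, "any-other": ""},
    "/portal/accounts/balance": {"group": {"customers": "r"}, "any-other": ""},
}
# Hypothetical POP: account pages are reachable only between 06:00 and 21:59.
POPS = {"/portal/accounts": {"allowed_hours": range(6, 22)}}


@dataclass(frozen=True)
class Credential:
    user: str
    groups: frozenset


def nearest_policy(table, path):
    """Return the policy attached to path or to its closest ancestor."""
    node = path.rstrip("/") or "/"
    while True:
        if node in table:
            return table[node]
        if node == "/":
            return None
        node = node.rsplit("/", 1)[0] or "/"


def authenticate(user, password):
    """Steps 1c-1e: validate the identity, then build a credential."""
    entry = REGISTRY.get(user)
    if entry is None:
        _pw_hash(password, b"--")  # do comparable work for unknown users
        return None
    if not hmac.compare_digest(entry["hash"], _pw_hash(password, entry["salt"])):
        return None
    return Credential(user, frozenset(entry["groups"]))


def permitted(cred, path, perm):
    """ACL part of step 2a: user entry, else group entries, else any-other."""
    acl = nearest_policy(ACLS, path) or {}
    if cred is None:
        # Unauthenticated callers get only what both entries grant.
        perms = set(acl.get("unauthenticated", "")) & set(acl.get("any-other", ""))
    elif cred.user in acl.get("user", {}):
        perms = set(acl["user"][cred.user])
    else:
        matched = [p for g, p in acl.get("group", {}).items() if g in cred.groups]
        perms = set("".join(matched)) if matched else set(acl.get("any-other", ""))
    return perm in perms


def handle_request(path, cred=None, hour=12):
    """Return the reverse proxy's decision for one read request."""
    if permitted(None, path, "r"):
        return "FORWARD"          # unprotected resource, no logon needed
    if cred is None:
        return "LOGIN_REQUIRED"   # step 1b: prompt with the logon page
    if not permitted(cred, path, "r"):
        return "DENY:acl"         # authenticated, but the ACL grants no read
    pop = nearest_policy(POPS, path)
    if pop and hour not in pop["allowed_hours"]:
        return "DENY:pop"         # ACL allows it, the POP condition does not
    return "FORWARD"              # step 2b: pass the request to the portal


if __name__ == "__main__":
    alice = authenticate("alice", "correct horse")
    for target, who, hour in [("/portal/accounts/balance", None, 10),
                              ("/portal/accounts/balance", alice, 10),
                              ("/portal/accounts/balance", alice, 23)]:
        print(target, who.user if who else "-", hour, handle_request(target, who, hour))
```

The model shows why authentication alone is not enough: a valid credential can still be refused by the inherited ACL or by the policy attached higher up the object space.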
As described in Chapter 3, “Architecture and topology selection” on page 51, there are many possible configurations for a secure portal depending on your security, scalability and performance needs. In 3.2, “Runtime environment topology selection” on page 69, we define three topologies (entry, enterprise, extended enterprise).

  • 29. In addition, we provide guidance on selecting the appropriate runtime topology, as well as define by node the software products and levels.

Table 1-1 lists the software products and levels included with IBM Tivoli Access Manager for e-business V5.1, as well as the fixpack levels we used to implement the secure portal runtime environment for the ITSO working example.

Table 1-1 Software included with Tivoli Access Manager V5.1 and fixpack levels used by the ITSO
Tivoli Access Manager bundled software product name | Tivoli Access Manager bundled software version | ITSO example fixpack version
IBM DB2® UDB, Enterprise Server Edition | 8.1 | 8.1.4.428 (Note: 8.1 + Fixpack 4a)
IBM GSKit | 7.0.1.9 | 7.0.1.16
IBM Java Runtime Environment (JRE) | 1.3.1 | 1.3.1
IBM WebSphere Application Server (Note: Used to host Web administration tools.) | 5.0.2 | 5.0.2
IBM Tivoli Directory Server: * Directory Server * Directory Client SDK * Web Administration Tool | 5.2 | 5.2
IBM Tivoli Access Manager for e-business: * Access Manager Runtime * Access Manager Java Runtime Environment (PDJRTE) * Access Manager Policy Server * Access Manager Authorization Server * Access Manager Web Portal Manager * Access Manager Web Security Environment * Access Manager WebSEAL | 5.1 | 5.1.0.2 (Note: 5.1 + TAM Base Fixpack 2 + WebSEAL Fixpack 2)

Table 1-2 lists the software products and levels included with IBM WebSphere Portal Extend for Multiplatforms V5.0.2, as well as the fixpack levels we used to implement the secure portal runtime environment for the ITSO working example.
  • 30. Table 1-2 Software included with WebSphere Portal V5.0.2 Extend and fixpack levels used by the ITSO
WebSphere Portal Extend bundled software product name | WebSphere Portal bundled software version | ITSO example fixpack version
IBM DB2 UDB, Enterprise Server Edition | 8.1.1 | 8.1.4.428 (Note: 8.1 + Fixpack 4a)
IBM WebSphere Application Server Enterprise: * WebSphere Application Server (Base) | 5.0.2 (Note: 5.0 + Fixpack 2 + Fixes) | 5.0.2.3 (Note: 5.0 + Fixpack 2 + Cumulative Base Fix 3 + Fixes)
IBM WebSphere Application Server Enterprise: * Programming Module Enhancement (PME) | 5.0.2 (Note: 5.0 + Fixpack 2) | 5.0.2.2 (Note: 5.0 + Fixpack 2 + Cumulative PME Fix 2)
IBM Tivoli Directory Server: * Directory Server * Directory Client SDK * Web Administration Tool | 5.1 | 5.2
IBM WebSphere Portal Extend for Multiplatforms: * WebSphere Portal * WebSphere Portal Content Publisher | 5.0.2 (Note: 5.0 + Fixpack 2 + Fixes) | 5.0.2.1 (Note: 5.0 + Fixpack 2 + Cumulative Fix 1 + Fixes)

Note: Although we used IBM WebSphere Portal Extend for Multiplatforms V5.0.2, the solution should also work with WebSphere Portal Enable.

1.2.2 Development environment solution software

Like the runtime environment, there are several possible configurations for implementing a secure portal development environment. The development environment topologies, software products, and levels are described in detail in 3.3, “Development environment topology selection” on page 81.

The software we used was included with IBM WebSphere Portal Extend for Multiplatforms V5.0.2, IBM Tivoli Access Manager for e-business V5.1, and fixpack downloads. In addition, we used IBM WebSphere Studio Application Developer V5.1 in place of the WebSphere Portal supplied IBM WebSphere Studio Site Developer V5.1, in large part because the ITSO Bank sample secure portal application includes both front-end portlets and back-end EJBs, which require the Application Developer Edition.
We used both Microsoft Windows 2000 Professional and Server Editions, plus Service Pack 4 as the operating system platform for the ITSO development environment.
  • 31. For simplicity, we provide the software levels used for the ITSO-defined all-in-one approach development environment. The all-in-one approach includes one physical machine, and potentially two VMWare virtual machines to host the unit testing nodes. For example, the ITSO all-in-one development environment includes the following “nodes” on one physical system:
- Development node - All application development-related software is installed on the physical system. For details on the software components and levels used refer to Table 1-3 on page 9.
- Policy Server node - This VMWare virtual machine is used to host the Tivoli Directory Server, Tivoli Access Manager Policy Server, and Authorization Server for unit testing. The software levels used for this node are the same as the Tivoli components listed in Table 1-1 on page 7.
- Reverse Proxy node - This VMWare virtual machine is optionally used to host the WebSEAL for unique testing scenarios needed in the development environment. The software levels used for this node are the same as the Tivoli components listed in Table 1-1 on page 7.

Note: Detailed procedures for implementing the ITSO all-in-one secure portal development environment can be found in Chapter 8, “Implement the development environment” on page 361.

Table 1-3 Development node
Software | Version
Microsoft Windows 2000 | 2000 + Service Pack 4
IBM WebSphere Studio Application Developer | 5.1.1
IBM WebSphere Test Environment included with WebSphere Studio Application Developer | 5.0.2.3 (Note: Fixpack 2 + Cumulative Fix 3 + Fixes)
IBM WebSphere Portal Toolkit and Test Environment | 5.0.2.1
IBM Java Runtime Environment (JRE) | 1.3.1
IBM Tivoli Access Manager for e-business: * Access Manager Java Runtime Environment (PDJRTE) | 5.1.0.2 (Note: 5.1 + Base Fixpack 2)
  • 32. Note: In the development environment, we chose to use the Cloudscape™ included with WebSphere Studio Application Developer to host the ITSO Bank database. In the runtime environment we used DB2 UDB.

1.3 Target audience of redbook

This redbook includes architecture, design, development, integration, deployment and administration topics. The target audience for this redbook can be best matched by role to the topic of interest within the publication.

The secure portal solution found in this redbook is largely targeted at enterprise customers. Tivoli Access Manager provides the secure portal solution with proven authentication, authorization, and single sign-on solutions. SMB customers that do not have the security and back-end integration requirements of an enterprise business may opt for a secure portal solution without the use of Tivoli Access Manager.

1.3.1 Roles and skills

This section includes a brief description of the roles needed for a team to execute a secure portal project during the development life-cycle, with the objective of mapping the redbook topics to roles and skills.

IT architect
The IT architect looks after the overall project technical architecture/design, quality assurance of the solution, knowledge transfer to customer, and mentoring to the project technical team members. The architect should have WebSphere Portal and Tivoli Access Manager architecture and design skills.

Security architect
The role of a security architect is to eliminate or greatly reduce the possibility of an intruder attack. When developing a strategy for providing a secure portal solution it is critical that the security architect understand the areas of risk and ensure that the solution architecture addresses the known risk categories.

IT specialist
The role of IT specialist represents a wide range of technical specialists, including systems administrator, database administrator, pre-sales support, technical support, and tester.
  • 33. Portal developer
The portal developer is responsible for developing the portlets for the secure portal solution. In small projects, a developer may perform several roles, including J2EE application developer, portal developer, and Web designer.

J2EE developer
The J2EE developer is responsible for developing such application code as EJBs and servlets for back-end applications.

Project manager
The project manager is responsible for managing and leading the project team along all phases of the project and also acts as a contact point to interact with the customer. The project manager should have an understanding of WebSphere Portal and Tivoli Access Manager, and concepts of a secure portal solution.

Security administrator
The security administrator is responsible for implementing the access control list (ACL) policies and protected object policies (POP) for protected resources.

Portal administrator
The portal administrator role is responsible for deploying portlets and managing the portal server, including security-related tasks and troubleshooting.

1.3.2 Matching redbook topics to roles and skills

Table 1-4 provides a summary of the redbook topics by part and chapter/appendix for the defined roles and skills.

Table 1-4 Matching redbook topics to roles and skills
Chapter/appendix | Primary | Secondary
Part 1, “Introduction to secure portal solutions” on page 1
Chapter 1, “Introduction” on page 3 | All user roles |
Chapter 2, “Security fundamentals” on page 13 | All user roles |
Chapter 3, “Architecture and topology selection” on page 51 | IT architect, Security architect | All user roles
Chapter 4, “Design and integration guidelines” on page 93 | IT architect, Security architect | All user roles
Part 2, “ITSO working example secure portal solution” on page 141
  • 34. Chapter/appendix | Primary | Secondary
Chapter 5, “Requirements and solution design” on page 143 | IT architect, Security architect, Project manager | All user roles
Chapter 6, “Install the runtime environment” on page 175 | IT specialist | IT architect
Chapter 7, “Configure the runtime environment” on page 259 | IT specialist, Security administrator, Portal administrator | IT architect, Security architect
Chapter 8, “Implement the development environment” on page 361 | Portal developer, J2EE developer | IT architect, IT specialist
Chapter 9, “Develop the secure portal application” on page 395 | Portal developer, J2EE developer | IT architect
Chapter 10, “Deploy the secure portal application” on page 433 | IT specialist, Portal administrator, Security administrator | Portal developer, J2EE developer, IT architect
Chapter 11, “Security hardening” on page 471 | IT specialist, Security administrator | IT architect, Security architect
Chapter 12, “Manage a secure portal solution” on page 503 | Portal administrator, Security administrator | IT specialist, IT architect
Part 3, “Appendixes” on page 571
Appendix A, “Troubleshooting a secure portal solution” on page 573 | IT specialist, Portal administrator, Security administrator | Portal developer, J2EE developer, IT architect
Appendix B, “Configure single sign-on using LTPA” on page 597 | IT specialist, Security administrator | IT architect, Security architect
Appendix C, “CVS configuration” on page 603 | Portal developer, J2EE developer | IT architect, IT specialist
Appendix D, “Automate deployment tasks” on page 613 | IT specialist, Portal administrator, Security administrator | Portal developer, J2EE developer, IT architect
Appendix E, “Node descriptions for architecture models” on page 645 | IT architect, Security architect | All user roles
Appendix F, “Additional material” on page 683 (Note: Sample configuration files and ITSO Bank sample secure portal application) | IT specialist, Portal developer, J2EE developer | IT architect
  • 35. Chapter 2. Security fundamentals

This chapter introduces categories of security in the security domain, with the objective of communicating the scope of the topics addressed in this redbook. Once the security topics are defined a risk analysis can be performed. Security risks can be greatly reduced by adopting a defined and proven security methodology such as the IBM Method for Architecting Secure Solutions (MASS). Lastly, this chapter includes a detailed description of how authentication, authorization, and single sign-on work when using Tivoli Access Manager and WebSphere Portal.

This chapter is organized into the following sections:
- Security domain and risk management
- Method for Architecting Secure Solutions (MASS)
- Security fundamentals
  • 36. 2.1 Security domain and risk management

Security is a very vast topic. When developing a strategy for providing a secure environment for your company’s Web site and applications, it is critical to understand the areas of security risk as well as how to reduce security risk.

Attention: The security focus in this redbook for the secure portal solution is as follows (see Figure 2-1):
- Applications
- Middleware and application software

Both WebSphere Portal and Tivoli Access Manager include infrastructure components and APIs to help implement authentication, single sign-on, and authorization for the above-mentioned security categories. The remaining security categories displayed in Figure 2-1 need to be addressed using other tools and processes.

[Figure 2-1 Elements of the security domain. Labels in the figure: Security Policy (Security Policies and Procedure, Security Management and Audit, Risk Analysis); Logical Security (Applications, Vulnerability and Intruder Reconnaissance, Middleware and Application Software, Operating System, Network Software and Communications); Physical Security (Systems Hardware, Physical Network, Building and Access to Systems).]
  • 37. As you can see from Figure 2-1, many of these topics are common to all Web applications. This section introduces the concepts of each security category and provides reference information for further reading.

Tip: We recommend that you refer to the following reference information to further understand the general security issues common to Web environments:
- System Administration, Networking and Security Institute (SANS): http://www.sans.org/
- The Center for Internet Security (CIS): http://www.cisecurity.org/
- Enterprise Security Architecture Using IBM Tivoli Security Solutions, SG24-6014
- IBM WebSphere V5.0 Security, WebSphere Handbook Series, SG24-6573
- Hacking Exposed: Network Security Secrets & Solutions, Third Edition, Stuart McClure et al.

2.1.1 Source of vulnerability and intruder reconnaissance

The most common source of security problems is employees making mistakes. The actual threat from hackers and viruses is much smaller than most people would anticipate. Having policies and procedures in place helps you address your risks. However, they will not directly cover the human factor errors. Managing and auditing your security enables you to perform checks and discover some errors and correct them. However, if discovered, they may have already been the cause of a security breach.

Intruder reconnaissance
It is important that the security architect, IT architect, network administrator, security administrator, and IT specialist understand that intruders are opportunistic. Before your site is hacked, the intruder will often investigate your organization. The intruder will look for known vulnerabilities in the network, operating system, middleware software, and application architecture. After the reconnaissance phase, the hacker will begin to systematically launch an attack to gain access to your company’s systems and information. It is up to you to understand the common vulnerabilities that intruders use and take corrective action to deny the attack.
The network administrator can use these same techniques to discover what information may be gathered by an intruder.
  • 38. The reconnaissance information from your organization is gathered by using systematic techniques such as the following:

Footprinting
Footprinting provides the intruder with the information about your systems connected to the Internet gathered by probing the resources without actually touching them. When the network administrator performs the footprinting activity, they are looking to discover what knowledge the intruder could obtain. Some common examples of footprinting include Domain Name System queries, searches, and traceroutes. This is all done with the objective of building a detailed footprint of your network to be used for an attack.

Scanning
Once he has gained knowledge of the organization from footprinting, the intruder uses this information for the next technique, called scanning. Scanning is the process of interrogating your network systems for available ports; resources such as shares, accounts, operating system types and versions; and other opportunistic avenues to take advantage of your systems. Some common examples of scanning include port scanning, ICMP scanning, ping sweeps, and operating system detection. These techniques, alongside many tools available to facilitate scanning, can provide an intruder a mapping of your network by IP, and ports and services ready for attack. Properly implementing firewalls can go a long way towards the prevention of scanning.

Enumeration
Enumeration is the process of directly interrogating a system to extract account names or services from the system to launch a more refined attack. The key distinction of this type of intrusion is its aggressive and active nature on your system. This type of activity can often be logged, which is an important element of security. Common examples of enumeration are Windows network resources and shares, Windows/UNIX/Linux users and groups, SNMP daemon or service running without being tightly secured, and applications available to exploit.
Where to find more information
We recommend the following sources for more detailed information on intruder reconnaissance, how to take corrective action, and tools available:
- A good source for understanding how to identify vulnerability is the article "Vulnerability Identification and Remediation Through Best Security Practices", by BJ Bellemay Jr, SANS Institute Reading Room, December 7, 2001 found at: http://rr.sans.org/practice/identification.php
  • 39.
- The book Hacking Exposed: Network Security Secrets & Solutions, Fourth Edition, by Stuart McClure et al, provides a good explanation of the process and strategies used by intruders, as well as methods of denying the attack.

2.1.2 Physical security

Physical security does not often get very much attention, but it is an important element of a security strategy. Physical security risks are those risks where there is a real physical impact on your hardware and software. These risks are very severe because most of them result in a total loss of hardware and data. If your customer data is gone as a result of a fire or a stolen system, it does not matter to your business how this happened. The fact is that it can be extremely damaging to your business.

Physical security means protection against physical actions. It involves every physical element around:
- The system or machine(s) where the application is running
- The room where the machines are operating, as well as access to the room
- The building where the machines are installed
- The site where the company is located

The listed elements have to be secured against intrusion and damage, be it intentional or not. Physical security also includes the protection of the physical communication network:
- Ground lines
- Wireless connection
- Routers and switches
- Hardware firewalls

The communication network has to be protected against eavesdropping and damage to the connection (cutting the line). The subject of physical security goes much further than the objective of this book allows. This short section is only intended as a reminder of the concept of physical security.

2.1.3 Logical security

Logical security is related to particular IT solutions such as network, operating systems, middleware and application software, and custom-built applications.
  • 40. Applications
The application architecture can provide intruders an opportunistic entry point. In a secure portal application, there are many areas of application-level security that need to be examined, including the infrastructure-provided security, as well as the infrastructure application level APIs.

It is important that the security architect and portal developer understand the security infrastructure capabilities provided by the middleware and application software for such topics as authentication, authorization and single sign-on. The middleware and application software also include security-related APIs that can be further leveraged to secure the application and provide added functionality.

Tivoli Access Manager Authorization API
The Tivoli Access Manager Java runtime component includes the Java language version of a subset of the Tivoli Access Manager authorization API. The authorization API consists of a set of classes and methods that provide Java applications with the ability to interact with Tivoli Access Manager to make authentication and authorization decisions.

Note: For more information on the Tivoli Access Manager authorization APIs, refer to the following:
- Section 9.3, “Using the Tivoli Access Manager APIs” on page 421, includes an example of using the Tivoli Access Manager authorization APIs for the ITSO Bank sample secure portal application.
- Authorization Java Classes Developer Reference, IBM Tivoli Access Manager V5.1, SC32-1350, product guide.
- Enterprise Security Architecture Using IBM Tivoli Security Solutions, SG24-6014.

WebSphere security
The IBM WebSphere Application Server V5 is a J2EE V1.3 compliant Java application server, and it implements the required security services as they are specified. IBM WebSphere Application Server security sits on top of the operating system security and the security features provided by other components, including the Java language, as shown in Figure 2-2.