Front cover
Develop and Deploy a
Secure Portal Solution
Using WebSphere Portal V5 and Tivoli Access Manager V5.1
Solution architecture and technologies
for a secure portal
Deploy a secure portal runtime
environment
Develop and deploy
secure portal application
John Ganci
Hinrich Boog
Melanie Fletcher
Brett Gordon
Ashwin Manekar
Normunds Saumanis
Kai Schwidder
Jonas Tingeborn
ibm.com/redbooks
International Technical Support Organization
Develop and Deploy a Secure Portal Solution
Using WebSphere Portal V5 and Tivoli Access
Manager V5.1
August 2004
SG24-6325-00
Trademarks
The following terms are trademarks of the International Business Machines Corporation in the United States,
other countries, or both:
AIX®, Balance®, ClearCase®, Cloudscape™, developerWorks®, Domino®,
DB2 Universal Database™, DB2®, HACMP™, IBM®, ibm.com®, Lotus Notes®, Lotus®,
NetView®, Notes®, Rational®, Redbooks™, Redbooks (logo)™, Sametime®, Tivoli®,
WebSphere®, xSeries®
The following terms are trademarks of other companies:
Intel, Intel Inside (logos), MMX, and Pentium are trademarks of Intel Corporation in the United States, other
countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the
United States, other countries, or both.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun
Microsystems, Inc. in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Other company, product, and service names may be trademarks or service marks of others.
xiv Develop and Deploy a Secure Portal Solution Using WebSphere Portal V5 and Tivoli Access Manager V5.1
Figure 1 The IBM Redbook team (left to right, 1st row: John Ganci, Normunds Saumanis; 2nd row: Brett
Gordon, Jonas Tingeborn, Melanie Fletcher, Hinrich Boog, Ashwin Manekar, Kai Schwidder)
John Ganci is a Senior Software Engineer, WebSphere Specialist at the IBM
ITSO, Raleigh Center. He writes extensively and teaches classes on WebSphere
and related topics. John has 14 years of experience in product and application
design, development, system testing, and consulting. His areas of expertise
include e-commerce, WebSphere Application Server, portals, pervasive
computing, Linux and Java™ programming.
Hinrich Boog is an IT Specialist in the IBM e-business Innovation Center
Hamburg, Germany. He has several years of experience in application
development and IT consulting for e-business solutions. He holds a degree in
Computer Science (major) and Russian language (minor) from Freie Universität
Berlin, Germany. His areas of expertise include J2EE applications, enterprise
portals and Web content management. He is a Sun Certified Web Component
Developer.
Melanie Fletcher is a Software Engineer in the Gold Coast IBM Tivoli® lab,
Australia. She has extensive experience with the Tivoli Access Manager security
products ranging from functional verification testing to consulting. She holds a
degree in Business and a Masters of Information Technology from the
Queensland University of Technology, Australia. Her areas of expertise include
security solutions using Tivoli Access Manager and Tivoli Identity Manager.
Brett Gordon is a Software Engineer in the IBM Software Group, USA. He has
over five years of experience in technical support for IBM Lotus® Software. He
holds a degree in international economics from the University of Texas at Austin,
and he is currently pursuing a Masters degree in Computer Networking from
North Carolina State University in Raleigh. His areas of expertise include
integration, security, and administration of WebSphere Portal and Lotus
Domino®. He is an IBM Certified System Administrator for WebSphere Portal
V5.
Ashwin Manekar is a Software Engineer in IBM Software Group Solution Test,
USA. He has eight years of experience in application development and IT
Consulting for e-business solutions. He holds a Masters degree in Computer
Science from the University of North Carolina at Charlotte, USA. His areas of
expertise include developing J2EE enterprise applications, portlet development,
Click-To-Action technology, and Web applications. He has published several
papers in the area of WebSphere Portal environment setup and portlet
development on the IBM developerWorks® technical forum.
Normunds Saumanis is an IT Architect in IBM Global Services, Latvia. He has
over 10 years experience in systems support, systems integration, application
development and IT consulting. He holds a degree in Computer Science from
Michigan State University, USA. His areas of expertise include AIX/UNIX®
systems support, IT infrastructure design and operations, systems integration,
Java, pervasive and Web applications, and IBM WebSphere.
Kai Schwidder is an IT Architect in the IBM Software Group, Switzerland. He
has 14 years of experience in the fields of consulting, application development,
and systems integration for e-business and e-commerce solutions. He holds a
degree in Computer Science from the Technical University in Berlin, Germany.
His areas of expertise include systems integration, application architecture and
development, business to technology consulting, technical team leadership,
WebSphere Portal, Tivoli Access Manager, WebSphere Commerce, and
WebSphere MQ.
Jonas Tingeborn is an IT Specialist in IBM Global Services, Sweden. He has
worked at IBM for six years, of which the last four spent at various e-business
engagements for different customers. His focus areas and previous project roles
include application development, e-business consulting, and configuration
management with WebSphere Portal, J2EE and Linux.
Preface xvii
Thanks to the following people for their contributions to this project:
Tinny Ng, IBM Canada
Michele Galic, IBM USA
Allison Halliday, IBM Sweden
Andrew Hatzikyriacos, South Africa
Maria Munaro, IBM Venezuela
Sailaja Parepalli, Miraclesoftware Systems Inc., USA
David Yang, IBM USA
Gianluca Gargaro, IBM Italy
Steven Tuttle, IBM ITSO Raleigh Center, USA
William Tworek, IBM ITSO Cambridge Center, USA
Axel Buecker, IBM ITSO Austin Center, USA
Ray Neucom, IBM USA
Paul Kelsey, IBM USA
Masanobu Ida, IBM Japan
Stefan Schmitt, IBM Germany
Daniel Kipfer, IBM Switzerland
Julie Czubik, ITSO Poughkeepsie Center, USA
Become a published author
Join us for a two- to six-week residency program! Help write an IBM Redbook
dealing with specific products or solutions, while getting hands-on experience
with leading-edge technologies. You'll team with IBM technical professionals,
Business Partners and/or customers.
Your efforts will help increase product acceptance and customer satisfaction. As
a bonus, you'll develop a network of contacts in IBM development labs, and
increase your productivity and marketability.
Find out more about the residency program, browse the residency index, and
apply online at:
ibm.com/redbooks/residencies.html
Comments welcome
Your comments are important to us!
We want our Redbooks™ to be as helpful as possible. Send us your comments
about this or other Redbooks in one of the following ways:
Use the online Contact us review redbook form found at:
ibm.com/redbooks
Send your comments in an Internet note to:
redbook@us.ibm.com
Mail your comments to:
IBM Corporation, International Technical Support Organization
Dept. HZ8 Building 662
P.O. Box 12195
Research Triangle Park, NC 27709-2195
1.1 Secure portal solution overview
This section includes an overview of the key concepts and solution architecture
of a secure portal solution.
1.1.1 Key concepts of a secure portal solution
This section includes a brief description of the key concepts of a secure portal
solution when using IBM WebSphere Portal and Tivoli Access Manager.
Authentication
Authentication is the process of validating the identity of a client. The client can
be an end user, a machine or an application. In Tivoli Access Manager terms, the
result of authentication (an authenticated identity, or the unauthenticated identity
if the client has not logged on) is used to build the client's credential; the
credential is what the authorization step later checks against the permissions
defined for the requested resource.
Authorization
The authorization process provides the capability to permit or deny access to
resources based on the policies and users that access the resources. If the
resource is protected, the user will first be authenticated to determine their
identity, and then the privileges defined for the desired resource will be checked.
Shared LDAP user registry
The user registry is stored under a root LDAP suffix (for example,
dc=itso,dc=ibm,dc=com) in the LDAP repository. In a secure portal solution,
Tivoli Access Manager, WebSphere Portal and WebSphere Application Server
reference the same user registry, since they are configured to connect to and
use the same Tivoli Directory Server LDAP repository.
Single sign-on
Single sign-on provides users with the ability to log on (authenticate) once and
then access every resource or application within the enterprise to which the user
has been granted permissions, without being prompted to log on again.
Credential Vault
WebSphere Portal includes the Credential Service and Credential Vault features
to allow portlet applications to pass user credentials to a back-end application.
The Credential Vault is a portal service that helps portlets and portal users
manage multiple identities. When using Tivoli Access Manager with WebSphere
Portal to create a secure portal solution, the credential storage for the Credential
Vault can be moved to the Tivoli Access Manager Global Sign-on (GSO)
lockbox.
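The following portlet is an added example written for this edition; it is not code from the redbook or from the ITSO Bank sample application. It shows how a portlet written to the IBM portlet API of WebSphere Portal V5 reads a user ID and password from a Credential Vault slot and uses them to log on to a back end on the user's behalf. Assumptions: the slot ID and the back-end URL are stored in the portlet settings under the names CredentialSlotId and BackendUrl (names chosen for this example), the slot holds a UserPasswordPassive credential, and the back end accepts HTTP Basic authentication. Class and method names follow the WebSphere Portal V5 Credential Vault API; check them against the Javadoc shipped with your portal level. java.util.Base64 needs a Java 8 or later JDK.

```java
// Added example (not the redbook's code): a WebSphere Portal V5 IBM-API portlet that
// fetches a passive user/password credential from the Credential Vault and logs on to a
// back end with it. Setting names, URL handling and the Basic-auth back end are assumptions.
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import org.apache.jetspeed.portlet.PortletAdapter;
import org.apache.jetspeed.portlet.PortletConfig;
import org.apache.jetspeed.portlet.PortletException;
import org.apache.jetspeed.portlet.PortletRequest;
import org.apache.jetspeed.portlet.PortletResponse;
import org.apache.jetspeed.portlet.UnavailableException;
import org.apache.jetspeed.portlet.service.PortletServiceException;
import com.ibm.wps.portletservice.credentialvault.CredentialVaultException;
import com.ibm.wps.portletservice.credentialvault.CredentialVaultService;
import com.ibm.wps.portletservice.credentialvault.credentials.UserPasswordPassiveCredential;

public class AccountBalancePortlet extends PortletAdapter {

    private CredentialVaultService vault;

    public void init(PortletConfig config) throws UnavailableException {
        super.init(config);
        try {
            vault = (CredentialVaultService) config.getContext().getService(CredentialVaultService.class);
        } catch (PortletServiceException e) {
            throw new UnavailableException("Credential Vault service not available: " + e.getMessage());
        }
    }

    public void doView(PortletRequest request, PortletResponse response)
            throws PortletException, IOException {
        // Both values are administered per portlet instance (setting names chosen for this example)
        String slotId = request.getPortletSettings().getAttribute("CredentialSlotId");
        String backendUrl = request.getPortletSettings().getAttribute("BackendUrl");
        if (slotId == null || backendUrl == null) {
            response.getWriter().println("Portlet not configured: CredentialSlotId and BackendUrl are required.");
            return;
        }
        // Never send a vault secret over a cleartext connection
        if (!backendUrl.startsWith("https://")) {
            response.getWriter().println("Refusing to send credentials to a non-HTTPS back end.");
            return;
        }
        try {
            // A passive credential hands the portlet the stored user ID and password; the portlet
            // performs the back-end logon itself. With Tivoli Access Manager configured as the vault
            // adapter, the secret is read from the GSO lockbox rather than from the portal database.
            UserPasswordPassiveCredential cred = (UserPasswordPassiveCredential)
                vault.getCredential(slotId, "UserPasswordPassive", new HashMap(), request);
            char[] password = cred.getPassword();
            try {
                response.getWriter().println(callBackend(backendUrl, cred.getUserId(), password));
            } finally {
                Arrays.fill(password, '\0'); // keep the secret in memory no longer than needed
            }
        } catch (CredentialVaultException e) {
            // Typical cause: the user has not yet stored a secret in this slot
            response.getWriter().println("No back-end credential stored yet; set one with the Credential Vault portlet.");
        } catch (PortletServiceException e) {
            throw new PortletException("Credential Vault lookup failed: " + e.getMessage());
        }
    }

    /** Logs on to the back end with HTTP Basic authentication and returns the response body. */
    static String callBackend(String url, String userId, char[] password) throws IOException {
        // The Basic header needs a String copy of the secret; keep its scope to this method
        String token = Base64.getEncoder().encodeToString(
            (userId + ":" + new String(password)).getBytes("UTF-8"));
        HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
        conn.setRequestProperty("Authorization", "Basic " + token);
        if (conn.getResponseCode() != HttpURLConnection.HTTP_OK) {
            throw new IOException("back end returned HTTP " + conn.getResponseCode());
        }
        BufferedReader in = new BufferedReader(new InputStreamReader(conn.getInputStream(), "UTF-8"));
        StringBuilder body = new StringBuilder();
        for (String line; (line = in.readLine()) != null;) body.append(line).append('\n');
        in.close();
        return body.toString();
    }
}
```

The portlet never sees where the secret is stored: the same code works whether the vault segment is backed by the portal's default vault adapter or by the Tivoli Access Manager GSO lockbox, which is what makes moving the storage a configuration change rather than a code change.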
1.1.2 Secure portal solution high level architecture
There are many possible runtime topologies that can be implemented for a
secure portal solution, depending on the security, performance, scalability and
integration needs of the business. Figure 1-1 depicts the high-level secure portal
solution architecture. The figure includes the fictitious ITSO Bank secure portal
application, but the solution architecture can be applied to many types of
applications.
[Figure 1-1 shows the runtime divided into three zones by firewalls. Outside zone:
the Web browser client, the Internet, a Domain Name Server and a Public Key
Infrastructure. Protocol firewall. Demilitarized zone: the Reverse Proxy node
running Tivoli Access Manager (TAM) WebSEAL. Domain firewall. Production zone:
the Portal Server (WebSphere Portal on WebSphere Application Server, with
WebSphere Member Manager (WMM) and the ITSO Bank portlets), the Backend
Server (WebSphere Application Server with the ITSO Bank EJBs), the Policy
Server node (TAM Policy Server and TAM Authorization Server) and the Directory
Server node (Tivoli Directory Server holding the LDAP user registry). Requests
flow from the browser through WebSEAL to the portal and responses return by the
same path; WebSEAL consults the authorization service for each protected request.]
Figure 1-1 Secure portal solution high level architecture
The following example illustrates how a customer using a Web browser would
interact with the ITSO Bank secure portal solution to access a protected resource
such as a customer account balance. We will first log on to the ITSO Bank site to
outline the process of authentication, and then highlight the process of
authorization to the secure portal page.
1. Authenticate the customer.
a. The customer enters a URL in the Web browser to access a resource that
is protected by WebSEAL.
Chapter 1. Introduction 5
b. WebSEAL determines that the user has attempted to access a protected
resource and prompts the user with a logon page.
c. The user enters her user name and password in the logon form and
submits them to WebSEAL.
d. WebSEAL validates the user name and password against the Tivoli Access
Manager user registry held in Tivoli Directory Server.
e. WebSEAL uses the validated identity to build a credential for the user (the
identity plus its group memberships), which it holds for the rest of the
session.
2. Authorize access to the secure resource.
In this example, the customer would like to view her account balance.
a. WebSEAL presents the user's credential to the Tivoli Access Manager
authorization service, which permits or denies access to the protected
object (for example, the bank account balance page) by evaluating the
access control list (ACL) permissions and protected object policy (POP)
attached to, or inherited by, that object.
b. If access is permitted, WebSEAL forwards the request over the junction to
WebSphere Portal, which accepts the identity WebSEAL asserts (single
sign-on) instead of prompting the user again.
c. The account balance portlet calls the back-end EJBs to retrieve the
customer's account balance.
d. WebSEAL relays the portal's response to the Web browser client, which
displays the contents of the portal page.
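To make step 2a concrete, here is an added example (not code from the redbook, and not the Tivoli Access Manager aznAPI itself) that models how Tivoli Access Manager evaluates a request against its protected object space. It also shows, in comments, the pdadmin commands a security administrator would use to create the same policy. The model follows the documented rules: an explicit user entry wins, otherwise the union of matching group entries applies, otherwise the any-other entry; the unauthenticated entry is ANDed with any-other; ACLs and POPs are inherited by objects below the one they are attached to; and traverse (T) is required on every ancestor. It is a simplification: only the quality-of-protection attribute of a POP is modelled, and the object names, ACL names, users and groups are illustrative.

```java
// Added example (not the redbook's code, not the aznAPI): a model of Tivoli Access Manager
// ACL/POP evaluation over the protected object space. Names and policy are illustrative.
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;

public class TamAuthzModel {

    /** Permission strings per ACL entry, as set with pdadmin "acl modify <acl> set ...". */
    static final class Acl {
        final Map<String, String> users = new HashMap<>();
        final Map<String, String> groups = new HashMap<>();
        String anyOther = "";
        String unauthenticated = "";
    }

    /** The one POP attribute modelled here: quality of protection ("none", "integrity", "privacy"). */
    static final class Pop {
        final String qop;
        Pop(String qop) { this.qop = qop; }
    }

    /** What WebSEAL holds for a session after authentication. */
    static final class Credential {
        final String user; final Set<String> groups; final boolean authenticated;
        Credential(String user, Set<String> groups, boolean authenticated) {
            this.user = user; this.groups = groups; this.authenticated = authenticated;
        }
    }

    private final Map<String, Acl> acls = new TreeMap<>();
    private final Map<String, Pop> pops = new TreeMap<>();

    void attachAcl(String object, Acl acl) { acls.put(object, acl); }
    void attachPop(String object, Pop pop) { pops.put(object, pop); }

    static String parent(String object) {
        if (object.equals("/")) return null;
        int i = object.lastIndexOf('/');
        return i == 0 ? "/" : object.substring(0, i);
    }

    /** Nearest attached ACL walking toward the root: this is ACL inheritance. */
    Acl effectiveAcl(String object) {
        for (String o = object; o != null; o = parent(o)) if (acls.containsKey(o)) return acls.get(o);
        return null;
    }

    Pop effectivePop(String object) {
        for (String o = object; o != null; o = parent(o)) if (pops.containsKey(o)) return pops.get(o);
        return new Pop("none");
    }

    /** Permissions one ACL grants to a credential, following the entry precedence rules. */
    static String granted(Acl acl, Credential cred) {
        if (!cred.authenticated) return intersect(acl.unauthenticated, acl.anyOther);
        if (acl.users.containsKey(cred.user)) return acl.users.get(cred.user);
        StringBuilder union = new StringBuilder();
        for (String g : cred.groups) if (acl.groups.containsKey(g)) union.append(acl.groups.get(g));
        return union.length() > 0 ? union.toString() : acl.anyOther;
    }

    static String intersect(String a, String b) {
        StringBuilder out = new StringBuilder();
        for (char c : a.toCharArray()) if (b.indexOf(c) >= 0) out.append(c);
        return out.toString();
    }

    /** The decision WebSEAL needs: may cred perform action on object over this connection? */
    boolean isAuthorized(Credential cred, String object, char action, boolean overTls) {
        for (String o = parent(object); o != null; o = parent(o)) {  // traverse on every ancestor
            Acl a = effectiveAcl(o);
            if (a == null || granted(a, cred).indexOf('T') < 0) return false;
        }
        Acl a = effectiveAcl(object);                                 // the action on the object itself
        if (a == null || granted(a, cred).indexOf(action) < 0) return false;
        return !effectivePop(object).qop.equals("privacy") || overTls; // privacy QoP needs TLS
    }

    public static void main(String[] args) {
        TamAuthzModel tam = new TamAuthzModel();
        Acl root = new Acl(); root.anyOther = "T"; root.unauthenticated = "T";   // like default-root
        tam.attachAcl("/", root);
        // pdadmin: acl create bank-public; acl modify bank-public set any-other Tr;
        //          acl modify bank-public set unauthenticated Tr; acl attach /WebSEAL/portal/portal bank-public
        Acl pub = new Acl(); pub.anyOther = "Tr"; pub.unauthenticated = "Tr";
        tam.attachAcl("/WebSEAL/portal/portal", pub);
        // pdadmin: acl create bank-customers; acl modify bank-customers set group customers Tr;
        //          acl attach /WebSEAL/portal/portal/myportal/accounts bank-customers
        Acl cust = new Acl(); cust.groups.put("customers", "Tr");
        tam.attachAcl("/WebSEAL/portal/portal/myportal/accounts", cust);
        // pdadmin: pop create bank-privacy; pop modify bank-privacy set qop privacy;
        //          pop attach /WebSEAL/portal/portal/myportal/accounts bank-privacy
        tam.attachPop("/WebSEAL/portal/portal/myportal/accounts", new Pop("privacy"));

        String balance = "/WebSEAL/portal/portal/myportal/accounts/balance";
        Credential anon = new Credential("unauthenticated", Collections.<String>emptySet(), false);
        Credential alice = new Credential("alice", Collections.singleton("customers"), true);
        System.out.println("anonymous over https: " + tam.isAuthorized(anon, balance, 'r', true));
        System.out.println("alice over https:     " + tam.isAuthorized(alice, balance, 'r', true));
        System.out.println("alice over http:      " + tam.isAuthorized(alice, balance, 'r', false));
    }
}
```

Tracing the three calls by hand: the anonymous credential is stopped at the accounts node, because its inherited permissions there are the intersection of an empty unauthenticated entry and an empty any-other entry and therefore lack T; alice reaches the balance page through the customers group entry; and the same request from alice over plain HTTP is refused by the privacy POP even though the ACL permits it. The last case is the reason WebSEAL must be configured to accept only HTTPS for these pages, not just to have an ACL on them.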
1.2 Solution software
This section highlights the software we used in the ITSO working example
secure portal solution for both the runtime and development environments.
1.2.1 Runtime environment solution software
Most of the runtime environment software used in the ITSO secure portal
solution is included in IBM WebSphere Portal Extend for Multiplatforms V5.0.2
and IBM Tivoli Access Manager for e-business V5.1. In addition, we applied the
most current fixpack levels for these suites, in some cases to fix known problems
and in others to validate the functionality when integrated. We chose Microsoft®
Windows® 2000 Server with Service Pack 4 as the operating system platform.
As described in Chapter 3, “Architecture and topology selection” on page 51,
there are many possible configurations for a secure portal depending on your
security, scalability and performance needs. In 3.2, “Runtime environment
topology selection” on page 69, we define three topologies (entry, enterprise,
extended enterprise). In addition, we provide guidance on selecting the
appropriate runtime topology, as well as define by node the software products
and levels.
Table 1-1 lists the software products and levels included with IBM Tivoli Access
Manager for e-business V5.1, as well as the fixpack levels we used to implement
the secure portal runtime environment for the ITSO working example.
Table 1-1 Software included with Tivoli Access Manager V5.1 and fixpack levels used by the ITSO
(for each product: the version bundled with Tivoli Access Manager, then the fixpack version used in the ITSO example)
IBM DB2® UDB, Enterprise Server Edition: bundled 8.1; ITSO 8.1.4.428 (8.1 + Fixpack 4a)
IBM GSKit: bundled 7.0.1.9; ITSO 7.0.1.16
IBM Java Runtime Environment (JRE): bundled 1.3.1; ITSO 1.3.1
IBM WebSphere Application Server: bundled 5.0.2; ITSO 5.0.2 (used to host the Web administration tools)
IBM Tivoli Directory Server (Directory Server, Directory Client SDK, Web Administration Tool): bundled 5.2; ITSO 5.2
IBM Tivoli Access Manager for e-business (Access Manager Runtime, Access Manager Java Runtime Environment (PDJRTE), Policy Server, Authorization Server, Web Portal Manager, Web Security Environment, WebSEAL): bundled 5.1; ITSO 5.1.0.2 (5.1 + TAM Base Fixpack 2 + WebSEAL Fixpack 2)
Table 1-2 lists the software products and levels included with IBM WebSphere
Portal Extend for Multiplatforms V5.0.2, as well as the fixpack levels we used to
implement the secure portal runtime environment for the ITSO working example.
Table 1-2 Software included with WebSphere Portal V5.0.2 Extend and fixpack levels used by the ITSO
(for each product: the version bundled with WebSphere Portal Extend, then the fixpack version used in the ITSO example)
IBM DB2 UDB, Enterprise Server Edition: bundled 8.1.1; ITSO 8.1.4.428 (8.1 + Fixpack 4a)
IBM WebSphere Application Server Enterprise:
  WebSphere Application Server (Base): bundled 5.0.2 (5.0 + Fixpack 2 + Fixes); ITSO 5.0.2.3 (5.0 + Fixpack 2 + Cumulative Base Fix 3 + Fixes)
  Programming Model Extensions (PME): bundled 5.0.2 (5.0 + Fixpack 2); ITSO 5.0.2.2 (5.0 + Fixpack 2 + Cumulative PME Fix 2)
IBM Tivoli Directory Server (Directory Server, Directory Client SDK, Web Administration Tool): bundled 5.1; ITSO 5.2
IBM WebSphere Portal Extend for Multiplatforms (WebSphere Portal, WebSphere Portal Content Publisher): bundled 5.0.2 (5.0 + Fixpack 2 + Fixes); ITSO 5.0.2.1 (5.0 + Fixpack 2 + Cumulative Fix 1 + Fixes)
Note: Although we used IBM WebSphere Portal Extend for Multiplatforms
V5.0.2, the solution should also work with WebSphere Portal Enable.
1.2.2 Development environment solution software
Like the runtime environment, there are several possible configurations for
implementing a secure portal development environment. The development
environment topologies, software products, and levels are described in detail in
3.3, “Development environment topology selection” on page 81.
The software we used was included with IBM WebSphere Portal Extend for
Multiplatforms V5.0.2, IBM Tivoli Access Manager for e-business V5.1, and
fixpack downloads. In addition, we used IBM WebSphere Studio Application
Developer V5.1 in place of the WebSphere Portal supplied IBM WebSphere
Studio Site Developer V5.1, in large part because the ITSO Bank sample secure
portal application includes both front-end portlets and back-end EJBs, which
require the Application Developer Edition. We used both Microsoft Windows
2000 Professional and Server Editions, plus Service Pack 4 as the operating
system platform for the ITSO development environment.
For simplicity, we provide the software levels used for the ITSO-defined
all-in-one approach development environment. The all-in-one approach includes
one physical machine, and potentially two VMware virtual machines to host the
unit testing nodes. For example, the ITSO all-in-one development environment
includes the following “nodes” on one physical system:
Development node - All application development-related software is installed
on the physical system. For details on the software components and levels
used refer to Table 1-3 on page 9.
Policy Server node - This VMWare virtual machine is used to host the Tivoli
Directory Server, Tivoli Access Manager Policy Server, and Authorization
Server for unit testing. The software levels used for this node are the same as
the Tivoli components listed in Table 1-1 on page 7.
Reverse Proxy node - This VMWare virtual machine is optionally used to host
the WebSEAL for unique testing scenarios needed in the development
environment. The software levels used for this node are the same as the
Tivoli components listed in Table 1-1 on page 7.
Note: Detailed procedures for implementing the ITSO all-in-one secure portal
development environment can be found in Chapter 8, “Implement the
development environment” on page 361.
Table 1-3 Development node
Microsoft Windows 2000: 2000 + Service Pack 4
IBM WebSphere Studio Application Developer: 5.1.1
IBM WebSphere Test Environment included with WebSphere Studio Application Developer: 5.0.2.3 (Fixpack 2 + Cumulative Fix 3 + Fixes)
IBM WebSphere Portal Toolkit and Test Environment: 5.0.2.1
IBM Java Runtime Environment (JRE): 1.3.1
IBM Tivoli Access Manager for e-business, Access Manager Java Runtime Environment (PDJRTE): 5.1.0.2 (5.1 + Base Fixpack 2)
Note: In the development environment, we chose to use the Cloudscape™
included with WebSphere Studio Application Developer to host the ITSO Bank
database. In the runtime environment we used DB2 UDB.
1.3 Target audience of redbook
This redbook includes architecture, design, development, integration,
deployment and administration topics. The target audience for this redbook can
be best matched by role to the topic of interest within the publication.
The secure portal solution found in this redbook is largely targeted at enterprise
customers. Tivoli Access Manager gives the secure portal solution proven
authentication, authorization, and single sign-on services. SMB customers that
do not have the security and back-end integration requirements of an enterprise
business may opt for a secure portal solution without Tivoli Access Manager.
1.3.1 Roles and skills
This section includes a brief description of the roles needed for a team to execute
a secure portal project during the development life-cycle, with the objective of
mapping the redbook topics to roles and skills.
IT architect
The IT architect looks after the overall project technical architecture/design,
quality assurance of the solution, knowledge transfer to customer, and mentoring
to the project technical team members. The architect should have WebSphere
Portal and Tivoli Access Manager architecture and design skills.
Security architect
The role of a security architect is to eliminate or greatly reduce the possibility of
an intruder attack. When developing a strategy for providing a secure portal
solution it is critical that the security architect understand the areas of risk and
ensure that the solution architecture addresses the known risk categories.
IT specialist
The role of IT specialist represents a wide range of technical specialists,
including systems administrator, database administrator, pre-sales support,
technical support, and tester.
Portal developer
The portal developer is responsible for developing the portlets for the secure
portal solution. In small projects, a developer may perform several roles,
including J2EE application developer, portal developer, and Web designer.
J2EE developer
The J2EE developer is responsible for developing such application code as EJBs
and servlets for back-end applications.
Project manager
The project manager is responsible for managing and leading the project team
along all phases of the project and also acts as a contact point to interact with the
customer. The project manager should have an understanding of WebSphere
Portal and Tivoli Access Manager, and concepts of a secure portal solution.
Security administrator
The security administrator is responsible for implementing the access control list
(ACL) policies and protected object policies (POP) for protected resources.
Portal administrator
The portal administrator role is responsible for deploying portlets and managing
the portal server, including security-related tasks and troubleshooting.
1.3.2 Matching redbook topics to roles and skills
Table 1-4 provides a summary of the redbook topics by part and
chapter/appendix for the defined roles and skills.
Table 1-4 Matching redbook topics to roles and skills
(for each chapter or appendix: the primary roles, then the secondary roles)
Part 1, “Introduction to secure portal solutions” on page 1
  Chapter 1, “Introduction” on page 3
    Primary: All user roles
  Chapter 2, “Security fundamentals” on page 13
    Primary: All user roles
  Chapter 3, “Architecture and topology selection” on page 51
    Primary: IT architect, Security architect
    Secondary: All user roles
  Chapter 4, “Design and integration guidelines” on page 93
    Primary: IT architect, Security architect
    Secondary: All user roles
Part 2, “ITSO working example secure portal solution” on page 141
  Chapter 5, “Requirements and solution design” on page 143
    Primary: IT architect, Security architect, Project manager
    Secondary: All user roles
  Chapter 6, “Install the runtime environment” on page 175
    Primary: IT specialist
    Secondary: IT architect
  Chapter 7, “Configure the runtime environment” on page 259
    Primary: IT specialist, Security administrator, Portal administrator
    Secondary: IT architect, Security architect
  Chapter 8, “Implement the development environment” on page 361
    Primary: Portal developer, J2EE developer
    Secondary: IT architect, IT specialist
  Chapter 9, “Develop the secure portal application” on page 395
    Primary: Portal developer, J2EE developer
    Secondary: IT architect
  Chapter 10, “Deploy the secure portal application” on page 433
    Primary: IT specialist, Portal administrator, Security administrator
    Secondary: Portal developer, J2EE developer, IT architect
  Chapter 11, “Security hardening” on page 471
    Primary: IT specialist, Security administrator
    Secondary: IT architect, Security architect
  Chapter 12, “Manage a secure portal solution” on page 503
    Primary: Portal administrator, Security administrator
    Secondary: IT specialist, IT architect
Part 3, “Appendixes” on page 571
  Appendix A, “Troubleshooting a secure portal solution” on page 573
    Primary: IT specialist, Portal administrator, Security administrator
    Secondary: Portal developer, J2EE developer, IT architect
  Appendix B, “Configure single sign-on using LTPA” on page 597
    Primary: IT specialist, Security administrator
    Secondary: IT architect, Security architect
  Appendix C, “CVS configuration” on page 603
    Primary: Portal developer, J2EE developer
    Secondary: IT architect, IT specialist
  Appendix D, “Automate deployment tasks” on page 613
    Primary: IT specialist, Portal administrator, Security administrator
    Secondary: Portal developer, J2EE developer, IT architect
  Appendix E, “Node descriptions for architecture models” on page 645
    Primary: IT architect, Security architect
    Secondary: All user roles
  Appendix F, “Additional material” on page 683 (sample configuration files and ITSO Bank sample secure portal application)
    Primary: IT specialist
    Secondary: IT architect, Portal developer, J2EE developer
2.1 Security domain and risk management
Security is a vast topic. When developing a strategy for securing your
company’s Web site and applications, it is critical to understand the areas of
security risk as well as how to reduce them.
Attention: The security focus in this redbook for the secure portal solution is
as follows (see Figure 2-1):
Applications
Middleware and application software
Both WebSphere Portal and Tivoli Access Manager include infrastructure
components and APIs to help implement authentication, single sign-on, and
authorization for the above-mentioned security categories. The remaining
security categories displayed in Figure 2-1 need to be addressed using other
tools and processes.
[Figure 2-1 arranges the security domain in three groups:
Security Policy
  - Security policies and procedures
  - Security management and audit
  - Risk analysis
Logical Security (with vulnerability and intruder reconnaissance cutting across all four layers)
  - Applications
  - Middleware and application software
  - Operating system
  - Network software and communications
Physical Security
  - Systems hardware
  - Physical network
  - Building and access to systems]
Figure 2-1 Elements of the security domain
As you can see from Figure 2-1, many of these topics are common to all Web
applications. This section introduces the concepts of each security category and
provides reference information for further reading.
Tip: We recommend that you refer to the following reference information to
further understand the general security issues common to Web environments:
System Administration, Networking and Security Institute (SANS):
http://www.sans.org/
The Center for Internet Security (CIS):
http://www.cisecurity.org/
Enterprise Security Architecture Using IBM Tivoli Security Solutions,
SG24-6014
IBM WebSphere V5.0 Security, WebSphere Handbook Series, SG24-6573
Hacking Exposed: Network Security Secrets & Solutions, Third Edition,
Stuart McClure et al.
2.1.1 Source of vulnerability and intruder reconnaissance
The most common source of security problems is employees making mistakes;
the threat from outside hackers and viruses is smaller than most people expect.
Having policies and procedures in place helps you address your risks, but they
do not directly prevent human error. Managing and auditing your security lets
you perform checks, discover some of these errors and correct them; however,
by the time an error is discovered it may already have caused a security breach.
Intruder reconnaissance
It is important that the security architect, IT architect, network administrator,
security administrator, and IT specialist understand that intruders are
opportunistic. Before your site is hacked, the intruder will often investigate your
organization. The intruder will look for known vulnerabilities in the network,
operating system, middleware software, and application architecture.
After the reconnaissance phase, the hacker will begin to systematically launch
an attack to gain access to your company’s systems and information. It is up to
you to understand the common vulnerabilities that intruders use and take
corrective action to deny the attack. The network administrator can use these
same techniques to discover what information may be gathered by an intruder.
Chapter 2. Security fundamentals 15
The reconnaissance information from your organization is gathered by using
systematic techniques such as the following:
Footprinting
Footprinting gives the intruder information about your Internet-connected
systems, gathered from public sources and indirect probes rather than by
attacking the systems themselves. When the network administrator performs the
same footprinting activity, the goal is to discover what knowledge an intruder
could obtain.
Common examples of footprinting include Domain Name System queries,
searches, and traceroutes. This is all done with the objective of building a
detailed footprint of your network to be used in an attack.
Scanning
Once he has gained knowledge of the organization from footprinting, the
intruder uses this information for the next technique, called scanning.
Scanning is the process of interrogating your network systems for available
ports; resources such as shares, accounts, operating system types and
versions; and other opportunistic avenues to take advantage of your systems.
Some common examples of scanning include port scanning, ICMP scanning,
ping sweeps, and operating system detection. These techniques, alongside
many tools available to facilitate scanning, can provide an intruder a mapping
of your network by IP, and ports and services ready for attack. Properly
implementing firewalls can go a long way towards the prevention of scanning.
Enumeration
Enumeration is the process of directly interrogating a system to extract account
names or services from it in order to launch a more refined attack. What
distinguishes enumeration from footprinting and scanning is its aggressive,
active nature: the intruder connects to your systems and queries them. This
activity can often be logged, and reviewing those logs is an important element of
security.
Common targets of enumeration are Windows network resources and shares,
Windows/UNIX/Linux users and groups, SNMP daemons or services running
without being tightly secured, and applications that are exposed to exploitation.
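Because scanning and enumeration leave traces in firewall and server logs, the defensive counterpart of the techniques above is to look for them. The following detector is an added example written for this edition, not code from the redbook or from any IBM product. It reads constructed firewall-style log lines (the format "epoch-seconds source-ip destination-ip:port ACCEPT|DROP" is invented for the example) and reports any source that touches many distinct ports within a short time window, which is the signature of a port scan rather than of a browser session. The threshold and window are parameters chosen for the sample data.

```java
// Added example (not the redbook's code): flags likely port scanners from constructed
// firewall-style log lines. The line format, thresholds and sample addresses are assumptions.
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Comparator;
import java.util.Deque;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

public class ScanDetector {

    /** One connection attempt parsed from a log line. */
    static final class Attempt {
        final long second; final String src; final int dstPort; final String verdict;
        Attempt(long second, String src, int dstPort, String verdict) {
            this.second = second; this.src = src; this.dstPort = dstPort; this.verdict = verdict;
        }
    }

    /** Parses "<epoch-seconds> <src-ip> <dst-ip>:<dst-port> <ACCEPT|DROP>"; returns null for other lines. */
    static Attempt parse(String line) {
        String[] f = line.trim().split("\\s+");
        if (f.length != 4 || f[2].lastIndexOf(':') < 0) return null;
        try {
            int colon = f[2].lastIndexOf(':');
            return new Attempt(Long.parseLong(f[0]), f[1], Integer.parseInt(f[2].substring(colon + 1)), f[3]);
        } catch (NumberFormatException e) {
            return null;
        }
    }

    /** Sources that touch at least minPorts distinct destination ports inside any windowSeconds span. */
    static Set<String> suspectedScanners(List<String> lines, int minPorts, long windowSeconds) {
        Map<String, List<Attempt>> bySource = new HashMap<>();
        for (String line : lines) {
            Attempt a = parse(line);
            if (a != null) bySource.computeIfAbsent(a.src, k -> new ArrayList<>()).add(a);
        }
        Set<String> suspects = new TreeSet<>();
        for (Map.Entry<String, List<Attempt>> e : bySource.entrySet()) {
            List<Attempt> attempts = e.getValue();
            attempts.sort(Comparator.comparingLong(x -> x.second));
            Deque<Attempt> window = new ArrayDeque<>();          // attempts inside the current time window
            Map<Integer, Integer> portCounts = new HashMap<>();  // distinct ports in the window, with multiplicity
            for (Attempt a : attempts) {
                window.addLast(a);
                portCounts.merge(a.dstPort, 1, Integer::sum);
                while (a.second - window.peekFirst().second > windowSeconds) {   // slide the window forward
                    Attempt old = window.removeFirst();
                    if (portCounts.merge(old.dstPort, -1, Integer::sum) == 0) portCounts.remove(old.dstPort);
                }
                if (portCounts.size() >= minPorts) { suspects.add(e.getKey()); break; }
            }
        }
        return suspects;
    }

    public static void main(String[] args) {
        // Constructed sample: 203.0.113.7 sweeps eight ports in four seconds, 198.51.100.20 is a normal
        // browser session, 198.51.100.99 is busy but only ever talks to port 80.
        List<String> lines = Arrays.asList(
            "1090000000 203.0.113.7 192.0.2.10:21 DROP",
            "1090000001 203.0.113.7 192.0.2.10:22 DROP",
            "1090000001 203.0.113.7 192.0.2.10:23 DROP",
            "1090000002 203.0.113.7 192.0.2.10:80 ACCEPT",
            "1090000002 203.0.113.7 192.0.2.10:135 DROP",
            "1090000003 203.0.113.7 192.0.2.10:139 DROP",
            "1090000003 203.0.113.7 192.0.2.10:443 ACCEPT",
            "1090000004 203.0.113.7 192.0.2.10:445 DROP",
            "1090000000 198.51.100.20 192.0.2.10:443 ACCEPT",
            "1090000005 198.51.100.20 192.0.2.10:443 ACCEPT",
            "1090000030 198.51.100.20 192.0.2.10:80 ACCEPT",
            "1090000000 198.51.100.99 192.0.2.10:80 ACCEPT",
            "1090000001 198.51.100.99 192.0.2.10:80 ACCEPT",
            "1090000002 198.51.100.99 192.0.2.10:80 ACCEPT");
        System.out.println("suspected scanners: " + suspectedScanners(lines, 5, 10));
    }
}
```

Counting distinct ports rather than connection attempts is what keeps the busy single-port client out of the result; counting DROP verdicts alone would miss a scanner that happens to hit open ports. The same logic applied to WebSEAL request logs, with URL path prefixes in place of ports, picks up enumeration of protected objects behind the reverse proxy.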
Where to find more information
We recommend the following sources for more detailed information on intruder
reconnaissance, how to take corrective action, and tools available:
A good source for understanding how to identify vulnerability is the article
"Vulnerability Identification and Remediation Through Best Security
Practices", by BJ Bellemay Jr, SANS Institute Reading Room, December 7,
2001 found at:
http://rr.sans.org/practice/identification.php
The book Hacking Exposed: Network Security Secrets & Solutions, Fourth
Edition, by Stuart McClure et al, provides a good explanation of the process
and strategies used by intruders, as well as methods of denying the attack.
2.1.2 Physical security
Physical security does not often get very much attention, but it is an important
element of a security strategy. Physical security risks are those risks where there
is a real physical impact on your hardware and software. These risks are very
severe because most of them result in a total loss of hardware and data. If your
customer data is gone as a result of a fire or a stolen system, it does not matter
to your business how this happened. The fact is that it can be extremely
damaging to your business.
Physical security means protection against physical actions. It involves every
physical element around:
The system or machine(s) where the application is running
The room where the machines are operating, as well as access to the room
The building where the machines are installed
The site where the company is located
The listed elements have to be secured against intrusion and damage, be it
intentional or not.
Physical security also includes the protection of the physical communication
network:
Ground lines
Wireless connection
Routers and switches
Hardware firewalls
The communication network has to be protected against eavesdropping and
damage to the connection (cutting the line).
The subject of physical security goes much further than the objective of this book
allows. This short section is only intended as a reminder of the concept of
physical security.
2.1.3 Logical security
Logical security is related to particular IT solutions such as network, operating
systems, middleware and application software, and custom-built applications.
Applications
The application architecture can give intruders an opportunistic entry point. In
a secure portal application there are many areas of application-level security to
examine, including the security that the infrastructure provides for the
application and the application-level security APIs that the infrastructure exposes.
It is important that the security architect and portal developer understand the
security infrastructure capabilities provided by the middleware and application
software for such topics as authentication, authorization and single sign-on.
The middleware and application software also include security-related APIs that
can be further leveraged to secure the application and provide added
functionality.
Tivoli Access Manager Authorization API
The Tivoli Access Manager Java runtime component (PDJRTE) includes a Java
language version of a subset of the Tivoli Access Manager authorization API. It
consists of a set of classes and methods that let Java applications authenticate
users against Tivoli Access Manager (through JAAS) and ask its authorization
service for access decisions.
Note: For more information on the Tivoli Access Manager authorization APIs,
refer to the following:
Section 9.3, “Using the Tivoli Access Manager APIs” on page 421,
includes an example of using the Tivoli Access Manager authorization
APIs for the ITSO Bank sample secure portal application.
Authorization Java Classes Developer Reference, IBM Tivoli Access
Manager V5.1, SC32-1350, product guide.
Enterprise Security Architecture Using IBM Tivoli Security Solutions,
SG24-6014.
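As an added example for this edition (it is not the redbook's section 9.3 code), the following command-line program asks the Tivoli Access Manager authorization service whether a user may read a protected object. It assumes the PDJRTE has been configured on the machine with pdjrtecfg and the application registered with SvrSslCfg, which produces the properties file whose URL is given as the first argument. The class names are those of the Access Manager V5.1 Java authorization API in the com.tivoli.pd.jazn package (which superseded the com.tivoli.mts classes of earlier releases); verify them against the Authorization Java Classes Developer Reference cited above. The user and object names are illustrative.

```java
// Added example (not the redbook's code): an authorization query through the Tivoli Access
// Manager V5.1 Java runtime. Configuration file, user and object names are assumptions.
import java.net.URL;
import com.tivoli.pd.jazn.PDAuthorizationContext;
import com.tivoli.pd.jazn.PDPermission;
import com.tivoli.pd.jazn.PDPrincipal;
import com.tivoli.pd.jutil.PDException;

public class TamAuthzCheck {

    private final PDAuthorizationContext context;

    /** One context per application: it holds the SSL session to the authorization server. */
    public TamAuthzCheck(URL pdPermProperties) throws PDException {
        context = new PDAuthorizationContext(pdPermProperties);
    }

    /** True if user holds every action character (for example "r", or "Tr") on objectName. */
    public boolean isAuthorized(String user, String objectName, String actions) throws PDException {
        PDPrincipal principal = new PDPrincipal(user, context);   // builds the user's credential
        PDPermission permission = new PDPermission(objectName, actions);
        return principal.implies(permission);                     // the aznAPI decision
    }

    public void close() throws PDException {
        context.close();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: TamAuthzCheck <file:///path/to/PdPerm.properties> <user> <object>");
            System.exit(2);
        }
        TamAuthzCheck check = new TamAuthzCheck(new URL(args[0]));
        try {
            boolean ok = check.isAuthorized(args[1], args[2], "r");
            System.out.println(args[1] + (ok ? " may read " : " may NOT read ") + args[2]);
        } finally {
            check.close();
        }
    }
}
```

Two points matter when a portlet does this instead of a command-line tool: the user name must be the Tivoli Access Manager identity that WebSEAL asserted to the portal, not a name typed into the portlet, and the object name must be the WebSEAL-side name of the resource (under /WebSEAL/host/junction/...), not the portal URL the browser used. The decision is made by the same ACLs and POPs WebSEAL enforces at the front door, so the portlet cannot grant more than the security administrator has attached in the protected object space.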
WebSphere security
The IBM WebSphere Application Server V5 is a J2EE V1.3 compliant Java
application server, and it implements the required security services as they are
specified. IBM WebSphere Application Server security sits on top of the
operating system security and the security features provided by other
components, including the Java language, as shown in Figure 2-2.