Ta March Overview

archoverview.ppt Page 1 of 8

© 2007 IBM Corporation

Updated September 5, 2007

IBM Tivoli Training: IBM Tivoli Access Manager for e-business 6.0

Tivoli Access Manager architecture overview

IBM Tivoli Training for IBM Tivoli Access Manager for e-business 6.0. This is the architecture overview.

Page 2: Ta March Overview

Architecture overview © 2007 IBM Corporation

IBM Software Group | Tivoli software

Objectives

Upon completion of this module, you should be able to:

• Describe the Tivoli Access Manager for e-business architecture.

This brief overview covers the basic architecture required for authentication and authorization. Upon completion of this module, you will be able to describe the Tivoli Access Manager for e-business architecture.

Page 3: Ta March Overview

Tivoli Access Manager components

• Tivoli Access Manager runtime

• Tivoli Access Manager Java runtime

• Tivoli Access Manager Web Portal Manager (WPM)

• Tivoli Access Manager WebSEAL server

• Tivoli Access Manager policy server

Although many components make up Tivoli Access Manager for e-business, here are the five you need to get started using simple single sign-on:

The runtime contains the administration libraries. The runtime requires GSKit and the LDAP client. Once you have installed the runtime, you can manage your Tivoli Access Manager environment from any machine where the runtime is installed.

The Java runtime is optional; it is required if you intend to use the Web Portal Manager, which is the graphical user interface for TAM administration. The Web Portal Manager has the advantage of being browser-based: you can access it from any machine with only a Web browser. You will need the WebSphere Application Server to deploy the WPM.

The next component is the WebSEAL server, which is IBM Tivoli Access Manager's secure policy management solution. WebSEAL is a reverse proxy server that sits in the DMZ between the client and the resource being requested. The WebSEAL server brokers the exchange of information between the client and the back-end resource.

The Tivoli Access Manager policy server stores your organization's security policy. The security policies are stored in the master authorization database. WebSEAL keeps a local copy of this database.

Page 4: Ta March Overview

Tivoli Access Manager prerequisites

• IBM Global Security Kit (GSKit)

• IBM Tivoli Directory Server (ITDS)

• ITDS Web administration tool (WAT)

• *IBM Tivoli Server Web administration tool (WAT)

• *IBM WebSphere Application Server

Here are the prerequisites for IBM Tivoli Access Manager. IBM Global Security Kit (GSKit) provides Secure Sockets Layer (SSL) data encryption between IBM Tivoli Access Manager systems and supported directories. IBM Tivoli Directory Server is the supported directory server that ships with the product. The Web Administration Tool is the graphical user interface that comes with the Tivoli Directory Server. WebSphere also comes with Tivoli Access Manager. WebSphere is required for WAT and WPM.

Page 5: Ta March Overview

Architecture

1. The user makes a request for a Tivoli Access Manager protected resource. The policy enforcer (in this case WebSEAL) intercepts that request and collects the appropriate information from the user to verify his or her identity.

2. Once the user ID and password are verified against the user registry, a second call is made to the user registry to create the user credential.

3. Once the user credential is created, it is returned to the policy enforcer for authorization.

4. Authorization is performed using the authorization database replica that resides on the policy enforcer.

Here is the basic architecture for Tivoli Access Manager. It includes the components we just mentioned: the policy enforcer (also called the resource manager or WebSEAL), the policy server, the authorization database, the user registry, the protected resource, and the replica authorization database.
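
The four steps above, modeled as an added example (not IBM code and not a Tivoli Access Manager API). It also shows what step 4 implies: the decision reflects the enforcer's replica, so a change made only on the master is not enforced until the replica is refreshed. Assumptions: all class and function names, the sample user and resource, a credential made of user plus groups, denial of resources with no entry, and the refresh() mechanism, which the page does not describe.

```python
# Added illustration of the four-step flow; a toy model, not IBM code or a TAM API.
import hashlib, hmac, os

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class UserRegistry:
    """Stands in for the user registry (constructed sample user)."""
    def __init__(self):
        salt = os.urandom(16)
        self._users = {"alice": (salt, _kdf("s3cret", salt), frozenset({"staff"}))}
    def verify(self, user, password):        # first call: check user ID and password
        rec = self._users.get(user)
        return rec is not None and hmac.compare_digest(rec[1], _kdf(password, rec[0]))
    def build_credential(self, user):        # second call: create the credential
        # Assumption: the credential is modeled as the user plus group memberships.
        return {"user": user, "groups": self._users[user][2]}

class PolicyServer:
    """Holds the master authorization database: resource -> permitted groups."""
    def __init__(self):
        self.master = {"/payroll": {"staff"}}

class PolicyEnforcer:
    """Plays the WebSEAL role: intercepts requests, decides from its local replica."""
    def __init__(self, registry, policy_server):
        self.registry, self.policy_server = registry, policy_server
        self.refresh()
    def refresh(self):                       # hypothetical: update path is not on the page
        self.replica = {r: set(g) for r, g in self.policy_server.master.items()}
    def handle(self, user, password, resource):
        if not self.registry.verify(user, password):          # steps 1-2
            return "denied: authentication failed"
        cred = self.registry.build_credential(user)           # steps 2-3
        permitted = self.replica.get(resource, set())         # step 4: replica only
        # Modeling choice: a resource with no entry in the replica is denied.
        return "permitted" if cred["groups"] & permitted else "denied: not authorized"

def demo():
    server = PolicyServer()
    enforcer = PolicyEnforcer(UserRegistry(), server)
    results = [enforcer.handle("alice", "wrong", "/payroll"),
               enforcer.handle("alice", "s3cret", "/payroll")]
    server.master["/payroll"] = {"hr"}       # policy change on the master only
    results.append(enforcer.handle("alice", "s3cret", "/payroll"))  # stale replica
    enforcer.refresh()
    results.append(enforcer.handle("alice", "s3cret", "/payroll"))
    return results
```
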

Page 6: Ta March Overview

Training roadmap

• For IBM Tivoli Access Manager for e-business 6.0:

http://www.ibm.com/software/tivoli/education/edu_prd.html

Training roadmaps are available for all IBM Tivoli courses.

Page 7: Ta March Overview

Summary

Key words to remember:

• User registry

• Authorization database (master and replica)

• Policy enforcer (also called resource manager)

Some of the key words to remember are: the user registry, which authenticates or verifies the user's identity; the authorization database, which authorizes or gives permission to the user to access the requested resource; and the policy enforcer (or WebSEAL), which decides whether the user has been appropriately authenticated (at the user registry) and authorized by the database.

Page 8: Ta March Overview

Copyright and trademark information

© Copyright IBM Corporation 2000 - 2007. All rights reserved.

U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

IBM web site pages may contain other proprietary notices and copyright information which should be observed.

IBM trademarks

http://www.ibm.com/legal/copytrade.shtml#ibm

Fair use guidelines for use and reference of IBM trademarks

http://www.ibm.com/legal/copytrade.shtml#fairuse

General rules for proper reference to IBM product names

http://www.ibm.com/legal/copytrade.shtml#general

Special attributions

http://www.ibm.com/legal/copytrade.shtml#section-special