Nicholas J. Parks M.S.W.E

WebSphere PaaS and SOA Security

Security-as-a-Service from IBM Tivoli supporting a WebSphere Business Integration Environment for Application Hosting

Submitted by

Nicholas J. Parks M.S.W.E

To

Whoever will find this document useful

Training and Education Publication

This draft has been altered for mass dissemination

This is draft version 3 of 5

SOA IAM Integrated Application Security Draft Version .5 WebSphere Tivoli Training and Education

Agile Enterprise Collection 2 Foundation Infrastructure Nicholas J. Parks, M.S.W.E

Contents

Introduction
    Background
    Scope
Reference Solution
    Products in the Reference Example
        Products Explicitly Discussed in this document
        Products implied but not discussed
Tivoli/WebSphere & SOA Security
    About WebSphere PaaS
    Tivoli provided Security for Applications
    Deployment of a Composite Application
        Sample Composite Application
        Deploying and Securing
    Value Added Components
        Identity Bus
        PIV/CAC/TWIC/Other Self Service
After thoughts
    Notable Variations & Additions
        Business Process Manager
        WebSphere Enterprise Service Bus
    Hybrid: AWS, Cast Iron, Smart Cloud
Summary
Appendix
    Appendix A: Related Documents
    Appendix B: Notes on ITIM Cluster Configuration
    Appendix C: Notes on TAM/TFIM Configurations
    Appendix D: Notes on IaaS Components


Introduction

This document discusses the capabilities of an in-production environment to deliver externalized application security. It describes how IBM delivers SOA security with its WebSphere business integration and Tivoli service delivery brands.

Background

Organizations are examining their current information technology environments, which have evolved over the past decade. At the beginning of the century there were several competing technologies and methodologies for delivering information technology value to enterprise customers. Applications were delivered to enterprises in several ways, whether as upgrades to existing mainframe solutions or as new applications built for the desktop or hosted in application environments (web servers, Java application servers, Microsoft technology, etc.). This variability in application delivery resulted in several different approaches to providing security to the enterprise. As one might imagine, this created a hodge-podge of solutions that hindered business agility.

The technical solution described in this document was built in response to an untenable position regarding an organization's IT capabilities. At the beginning of this century, the IT organization assembled working solutions to handle the business needs of the organization. Unfortunately, the IT organization was not capable of updating and upgrading its operational capabilities[1] through business processes that hobbled agility. Thus, the senior leadership of the organization made the command decision to refresh the entire IT infrastructure in several phases (or segments). Before the described solution was built, there were foundational segments that will not be described in this document. These segments encompassed some of the basic IaaS components, including network flexibility, storage capabilities, and a basic computing platform based on blades. The solution described herein delivered the final foundation capabilities while delivering a common application hosting environment.

The technical solution described in this document was meant to fit within specific business needs and operational requirements, some of which are:

1. Allow for 100k simultaneously active authenticated subjects
2. Support RSA and generic smart cards via self-service, with some limitations
3. Application access from mobile devices
4. Support inbound and outbound front-channel federation, and support federation brokerage among partners
5. Support COTS and custom composite applications targeted to different platforms
6. Provide a migration destination for existing applications and support lifecycle management of said applications
7. Provide an application hosting environment, including the hosting of business and community partner applications

[1] This is the polite way the IT organization has been described.


The purpose of this document is to provide educational information to anyone in reference to IBM’s various software technology offerings. This document provides details of a system(s) in production along with information from consultations with IBM subject matter experts.

Scope

- This document describes the components of a production SOA security solution based on IBM offerings.
- This document does NOT describe the types of applications deployed to the hosting environment.
- This document will identify solution-specific design choices that may not be common.
- This document will stay consistent with the product capabilities and versions available at purchase time but may identify updated capabilities where appropriate. The reader should assume product acquisition ended in January 2011.
- This document may be used as a source for solution design material if edited and branded appropriately.
- Even though this document does NOT discuss the identity or monitoring components in detail, one should assume they are foundational to the last IaaS deliverable (the runtime security environment) required for a successful enterprise-wide PaaS solution.
- It IS assumed that the reader is familiar with the basics of identity and access management technology from at least one of the major IAM vendors in the marketplace.


Reference Solution

Figure 1: Reference Data Center

This document discusses IBM products in turn and how those products work together to deliver value to various enterprises. The above figure represents an actual production environment that heavily relies on IBM brand products. Of course, this reference example is a simplification of said deployment. Thus, this document will not focus on the networking, storage, and various forms of persistence. The example deployment is meant to illustrate how the products work together and does not show all the possible connections required for success.

Products in the Reference Example

Products Explicitly Discussed in this document

1. WebSphere Application Server 7 (WAS7)
   a. Typical Java EE application hosting environment with the minimally required Servlet container and EJB container (backed by an Object Request Broker) per the EE specification; WAS7 meets the Java EE 5 specification
   b. Also includes a portlet container and some other features that may be unique to WebSphere


   c. Basis of the WebSphere Business Integration brand[2]
2. WebSphere Portal Server 7 (WPS7)
   a. IBM-specific portal server and portal engine providing unique capabilities not found in other portal server products
   b. IBM portal engine state persistence, unique for the portal product category
   c. A proper full installation requires directory, database, service repository, and RTSS configured
3. Tivoli Access Manager WebSEAL
4. Tivoli Federated Identity Manager
5. Tivoli Security Policy Manager
   a. Including the Runtime Security Service (RTSS) deployed to WAS/WPS nodes to provide authorization granularity and fine tuning of authorizations in the view tier, leveraging XACML-based SOA security policies
6. WebSphere DataPower XI50
   a. External appliance
      i. Web service proxy
      ii. Extends the ESB (Enterprise Service Bus) beyond the datacenter to business partners in this deployment
      iii. Load balancer
      iv. Communicates with external certificate authorities to validate X.509 certificates from various smart cards
      v. Connects with the TAM authentication repository to support web-service-based logins
      vi. Deployed in this environment for boundary protection as described by provisioned security policies and roles on the access/edge
      vii. Even though the XI50 was used in this environment (and may no longer be purchasable), B2B XML services integration choices include the XG45 and XB62. The XE82 is a choice as the access/edge appliance in the illustration; it would extend the same XACML-based authorization policy controls and remove a load balancer from the infrastructure
   b. Internal appliance
      i. Functions as the ESB appliance in this environment
      ii. Provides leading messaging conversion/translation and transaction support
      iii. Uses WSRR to get service/endpoint definitions and enforcement policies from Tivoli Security Policy Manager
7. RSA SecurID appliances
   a. In this deployment the TAM/WebSEAL External Authentication Interface and the RSA SecurID appliance's SOAP interface were leveraged to deliver adaptive, risk-based authentication and to support the RSA SecurID token for browser-based login
   b. Another appliance was reserved for token issuance
   c. Although logically deployed for two separate purposes, the appliances are physically adjacent in the datacenter; both perform both functions and are redundant to each other
8. WebSphere Service Registry and Repository (WSRR)[3]
   a. As the name suggests, a registry of services deployed throughout the enterprise
   b. Supports endpoint and service versioning, providing dynamic endpoint selection at design time and runtime
   c. Integrates with the Rational brand of products for software development and delivery
   d. Provides storage for governance policies throughout the organization, including policies defined in TSPM

[2] IBM WebSphere DataPower SOA appliances have a different heritage but are shipped in a box branded "WebSphere Appliance".

Products implied but not discussed

1. Tivoli Access Manager components other than WebSEAL
2. WebSphere Mobile Portal Accelerator
   a. Deployed on some WPS7 nodes
3. Tivoli Identity Manager
4. Tivoli Directory Server
5. DB2
6. Tivoli Monitoring family of products
   a. This includes Tivoli Composite Application Manager
7. IBM/Lotus Web Content Management (WCM)
   a. Delivers enterprise content and customer engagement capabilities
   b. Integrates with WPS7

Tivoli/WebSphere & SOA Security

About WebSphere PaaS

[Figure 2: High Level View of a Typical Java EE Application Server. Components shown: JVM instance; Web container; EJB container; other platform services; optional containers]

[3] Not sure if the version deployed was WSRR or WSRR ALE.


The above figure represents the typical major components of a Java EE server. For clarification, Tomcat is NOT a Java EE application server, since it only contains the web (servlet) container. However, several Java EE application servers have embedded the open source Tomcat implementation to deliver the servlet container capability. Essentially, a Java EE application server must provide the web container, the EJB container and certain platform services. It is important to note that the EJB container is the de facto business integration environment for Java, and that this has been the EJB container's primary function since the specification's inception in the late 1990s. Commercial vendors will often bundle other containers with their offering. Additionally, some container definitions vary in how they integrate. For example, the portlet container connects with this environment in one of two ways. Some vendors choose to extend/nest the portlet container within the servlet container, which makes sense since the portlet container extends many of the servlet container's features. Other vendors provide the portlet container as a completely separate container. Luckily for the developer, the relevance of this variability has been decreasing, and one of the goals of JSR 342 is to make Java the preferred PaaS technology, including removal of vendors' idiosyncratic behaviors[4].

As a business integration platform, WebSphere supports the Platform-as-a-Service model through the creation of WAS "cells". A WAS cell is an IBM management construct for managing a collection of WAS server instances.

[4] Java EE 7 is slated to release in the summer of 2013 with a cloud-enabling focus; see http://jcp.org/en/jsr/detail?id=342


[Figure 3: Build WAS PaaS environment. Steps shown: Prepare VMs; Create Deployment Manager; Install & upgrade WAS on VM A, VM B, VM C ... VM N; Associate WAS instances with Deployment Manager; Create WAS clusters; Build/install process complete]

The above figure shows the generic process of creating WAS administrative cells. In the figure, a single deployment manager is used to manage N WAS instances on standard virtual machine images. In this production example, the OS of the virtual machines was a popular Linux distribution with some first-boot configuration intelligence, providing the capability to clone a pre-canned and pre-configured WAS node without repeating the installation step[5]. Additionally, when WAS nodes are managed by a deployment manager, the Object Request Broker (often part of the EJB container) component of each WAS instance has its resource injection search space rooted at the cell, which is an important capability. This ability to search for and leverage enterprise modules at runtime across WAS instances allows for deployment flexibility and code reuse, which is a capability any successful Java-based PaaS environment must provide.

[5] For this specific capability the Hypervisor Edition of WAS is preferred. The Hypervisor Edition delivers true private cloud PaaS capability when compared with competitors' offerings. See also IBM WebSphere Cast Iron.


Figure 4: Detail of Hosting Environment

The above figure elaborates on the application-hosting environment described in the reference illustration.

Tivoli provided Security for Applications

To deliver SOA security for the described PaaS environment, this solution relies heavily on the Tivoli brand of identity and access management solutions.

Figure 5: Single Object for Principal representation


For the application-hosting environment, it was very important that the principal which appears in the hosting environment is consistent across all access types, with the same attributes available regardless of how the user authenticated; the asserted principal must not be specific to the authentication method used. The access components carry the burden of mapping all inbound attributes to a common, defined set. In essence, applications are blind to how the user was authenticated[6]. Thus, the mapping and attribute-definition activity will consume more man-hours than standing up and getting the access system operational. Where the type of authentication is relevant to an application (for example, smart card usage implies a NIST authentication level), that information is conveyed simply as an attribute of the principal assertion. Therefore, beyond the simple RBAC this production environment supports, checking attribute content implies that ABAC is a requirement the access control system must deliver[7].
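To make the mapping burden concrete, the following added example (not the deployment's own TFIM/WebSEAL mapping rules) normalizes two inbound identities, a local login through a WebSEAL junction and a partner SAML assertion, into the one principal shape that applications see, with the authentication method and its assurance level carried as plain attributes. `iv-user` and `iv-groups` are the standard WebSEAL junction headers; the `x-authn-method` header, the method-to-level table, the cap on federated assurance and all sample values are assumptions of the example.

```python
"""Added example: normalizing two inbound identities into the one principal shape
that hosted applications see. Not the deployment's own TFIM/WebSEAL mapping rules."""
from dataclasses import dataclass

# The assurance level travels as just another attribute of the principal. Numbers
# follow NIST SP 800-63 levels; the method-to-level table is an assumption.
ASSURANCE = {"password": 1, "securid": 2, "smartcard": 3}
# Assumption: a partner-asserted hardware token is never honoured as such locally.
FEDERATED_MAX_ASSURANCE = 2

# SAML 2.0 authentication context classes a partner IdP may assert.
SAML_CONTEXT_TO_METHOD = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport": "password",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken": "securid",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI": "smartcard",
}


@dataclass(frozen=True)
class Principal:
    """The common attribute set: identical whichever login path produced it."""
    subject_id: str
    groups: frozenset
    auth_method: str
    assurance_level: int
    federated: bool


class MappingError(ValueError):
    """A mandatory attribute is absent: fail closed rather than assert a partial principal."""


def _require(value, name):
    if not value:
        raise MappingError(f"missing mandatory attribute: {name}")
    return value


def from_webseal_headers(headers):
    """Local login through a WebSEAL junction. iv-user and iv-groups are the standard
    junction identity headers; x-authn-method is a hypothetical tag/value header
    carrying the mechanism WebSEAL recorded in the credential."""
    h = {k.lower(): v for k, v in headers.items()}
    user = _require(h.get("iv-user"), "iv-user")
    # iv-groups is a comma-separated list of double-quoted group names
    groups = frozenset(g.strip().strip('"') for g in h.get("iv-groups", "").split(",") if g.strip())
    method = _require(h.get("x-authn-method"), "x-authn-method").lower()
    if method not in ASSURANCE:
        raise MappingError(f"unknown authentication method: {method}")
    return Principal(user, groups, method, ASSURANCE[method], federated=False)


def from_saml_attributes(issuer, attrs):
    """Inbound front-channel federation. attrs is the flattened assertion content
    (NameID, AuthnContextClassRef, memberOf), a constructed stand-in for what TFIM
    extracts after validating the assertion signature."""
    name_id = _require(attrs.get("NameID"), "NameID")
    method = SAML_CONTEXT_TO_METHOD.get(attrs.get("AuthnContextClassRef"), "password")
    level = ASSURANCE[method]
    if level > FEDERATED_MAX_ASSURANCE:
        # Drop the hardware-token claim: the card was never seen by this environment.
        method, level = "federated", FEDERATED_MAX_ASSURANCE
    groups = frozenset(attrs.get("memberOf", ()))
    # Qualify the subject by issuer so a partner can never assert a local identity.
    return Principal(f"{issuer}!{name_id}", groups, method, level, federated=True)


if __name__ == "__main__":
    print(from_webseal_headers({"iv-user": "jdoe", "iv-groups": '"employees","orders-users"',
                                "X-Authn-Method": "smartcard"}))
    print(from_saml_attributes("https://idp.partner.example", {
        "NameID": "alice", "memberOf": ["partner-users"],
        "AuthnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI"}))
```

Two design choices carry the security weight: a missing mandatory attribute raises instead of producing a half-populated principal, and a federated subject is qualified by its issuer and capped in assurance, which is the rule the self-service section of this document states for federated users claiming a hardware token.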

Figure 6: Coarse & Fine grained controls and application resources

The coarse-grained protection for web access is provided at the external boundary by Tivoli Access Manager WebSEAL integrated with Tivoli Federated Identity Manager. The coarse-grained protection configuration supports binary yes/no authorizations to resources inside the application network. The external DataPower is configured similarly, with a few modifications: it will not advertise services that are not available outside the enterprise, and for some of the services that are made known to external partners, some of the operations of those services are not available from the external DataPower. The external DataPower can obtain lists of services from several sources; this environment leveraged the internal DataPower's direct relationship with WSRR to manage the list for the external DataPower. Both DataPower appliances receive their policy configurations as XACML pushes from Tivoli Security Policy Manager (TSPM), which functions as the Policy Administration Point (PAP). Since the DataPower appliances contain robust policy engines, they make decisions and enforce authorizations. Thus, the DataPower appliances are both PDPs (Policy Decision Points) and PEPs (Policy Enforcement Points) for B2B integration.

The fine-grained resource protection begins where the coarse-grained protection ends. The same TSPM instance used as the PAP in the external configuration performs this role internal to the enterprise. The internal DataPower functions as both a PDP and a PEP, just like the external DataPower. The internal DataPower also delivers ESB capabilities to this environment; however, "bus" security is not in scope for this document. All applications (internal or external) access web services (SOAP/REST) through the internal DataPower appliance. This internal appliance performs both fine- and coarse-grained protection for web services. Additionally, the internal appliance performs the fine-grained resource protection for requests the external DataPower has already approved at the coarse-grained level.

Another fine-grained resource protection component is the Runtime Security Services (RTSS) bundled with TSPM. RTSS delivers externalized authorization decisions to applications (including SharePoint). RTSS provides an API and a JSP tag library that applications can use to obtain authorization decisions. Thus, RTSS is a PDP and allows applications to externalize authorization decisions. Finally, the master policy store is WSRR.

[6] An important tenet of SOA security from the application's perspective; otherwise, why would you externalize authentication and authorization?
[7] Details provided separately, since describing the Tivoli entitlement story would require its own document.
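Because the page describes each DataPower as PDP and PEP in one, fed by TSPM as the PAP, the following added example (not TSPM, DataPower or WSRR code) implements a first-applicable XACML 2.0 policy evaluator over a constructed policy for a hypothetical OrderService, and two appliance models, one fronting the external partner channel and one the internal channel, that enforce nothing until a policy has been pushed to them. The attribute identifiers (role, assurance-level, channel, action-id), the service operations and the rules themselves are assumptions; only the XACML element names, namespace and function identifiers are real.

```python
"""Added example: a first-applicable XACML 2.0 evaluator and two DataPower-like PEPs.
Not TSPM, DataPower or WSRR code; the OrderService policy below is constructed."""
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
Q = "{" + XACML_NS + "}"                      # ElementTree's namespaced-tag prefix
F_STR_EQ = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
F_INT_LE = "urn:oasis:names:tc:xacml:1.0:function:integer-less-than-or-equal"
FIRST_APPLICABLE = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"


def xmatch(cat, attr, value, fn=F_STR_EQ):
    """One <SubjectMatch>/<ActionMatch>/<EnvironmentMatch>. XACML applies
    fn(AttributeValue, designated attribute), so ('3', integer-less-than-or-equal)
    reads as 'assurance-level >= 3'."""
    return (f'<{cat}Match MatchId="{fn}"><AttributeValue>{value}</AttributeValue>'
            f'<{cat}AttributeDesignator AttributeId="{attr}"/></{cat}Match>')


# Hypothetical OrderService: status for any role on any channel; creation for employees
# on the internal channel only; cancellation additionally needs smart-card assurance.
POLICY_XML = f"""<Policy xmlns="{XACML_NS}" PolicyId="OrderService"
        RuleCombiningAlgId="{FIRST_APPLICABLE}">
  <Target/>
  <Rule RuleId="status-any-channel" Effect="Permit"><Target>
    <Subjects><Subject>{xmatch('Subject', 'role', 'employee')}</Subject>
              <Subject>{xmatch('Subject', 'role', 'partner')}</Subject></Subjects>
    <Actions><Action>{xmatch('Action', 'action-id', 'getOrderStatus')}</Action></Actions>
  </Target></Rule>
  <Rule RuleId="create-internal-only" Effect="Permit"><Target>
    <Subjects><Subject>{xmatch('Subject', 'role', 'employee')}</Subject></Subjects>
    <Actions><Action>{xmatch('Action', 'action-id', 'createOrder')}</Action></Actions>
    <Environments><Environment>{xmatch('Environment', 'channel', 'internal')}</Environment></Environments>
  </Target></Rule>
  <Rule RuleId="cancel-needs-smartcard" Effect="Permit"><Target>
    <Subjects><Subject>{xmatch('Subject', 'role', 'employee')}
              {xmatch('Subject', 'assurance-level', '3', F_INT_LE)}</Subject></Subjects>
    <Actions><Action>{xmatch('Action', 'action-id', 'cancelOrder')}</Action></Actions>
    <Environments><Environment>{xmatch('Environment', 'channel', 'internal')}</Environment></Environments>
  </Target></Rule>
</Policy>"""


def _match_holds(el, request):
    fn = el.get("MatchId")
    value = el.find(Q + "AttributeValue").text
    designator = next(c for c in el if c.tag.endswith("AttributeDesignator"))
    category = el.tag.rsplit("}", 1)[-1][:-len("Match")].lower()   # SubjectMatch -> subject
    actual = request.get(category, {}).get(designator.get("AttributeId"))
    if actual is None:                                   # absent attribute never matches
        return False
    if fn == F_STR_EQ:
        return str(actual) == value
    if fn == F_INT_LE:
        return int(value) <= int(actual)
    raise ValueError(f"unsupported MatchId {fn}")


def _target_holds(target, request):
    """Absent or empty Target matches all; each category section is a disjunction of
    alternatives and each alternative a conjunction of *Match elements."""
    if target is None:
        return True
    for section in target:
        alternatives = list(section)
        if alternatives and not any(all(_match_holds(m, request) for m in alt) for alt in alternatives):
            return False
    return True


def evaluate(policy_xml, request):
    """first-applicable: the first Rule whose Target holds decides; else NotApplicable."""
    policy = ET.fromstring(policy_xml)
    if policy.get("RuleCombiningAlgId") != FIRST_APPLICABLE:
        raise ValueError("only first-applicable is implemented in this example")
    if not _target_holds(policy.find(Q + "Target"), request):
        return "NotApplicable"
    for rule in policy.findall(Q + "Rule"):
        if _target_holds(rule.find(Q + "Target"), request):
            return rule.get("Effect")
    return "NotApplicable"


class AppliancePEP:
    """Models one DataPower: it enforces only what TSPM has pushed to it, advertises
    only services it holds a policy for, and stamps each request with its channel."""

    def __init__(self, channel):
        self.channel = channel
        self.policies = {}

    def push_policy(self, resource_id, policy_xml):        # the "XACML push" step
        self.policies[resource_id] = policy_xml

    def advertised_services(self):
        return sorted(self.policies)

    def authorize(self, subject, resource_id, action):
        policy_xml = self.policies.get(resource_id)
        if policy_xml is None:
            return "Deny"                                  # fail closed before any push
        request = {"subject": subject, "resource": {"resource-id": resource_id},
                   "action": {"action-id": action}, "environment": {"channel": self.channel}}
        return "Permit" if evaluate(policy_xml, request) == "Permit" else "Deny"
```

Two things are worth noticing. The same policy document serves both appliances; the channel attribute is supplied by the enforcing appliance rather than by the caller, which is what keeps createOrder and cancelOrder off the partner-facing path while getOrderStatus stays visible to both. And an appliance holding no policy denies everything and advertises nothing, which is the fail-closed behaviour the deployment sequence described later in this document depends on.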

Deployment of a Composite Application

This section discusses how to leverage the full capabilities of this environment by deploying a sample composite application. This application takes advantage of the modularity of the Java Enterprise platform, including the specific execution and security capabilities of this environment. The following figure provides more detail about the enterprise containers and their tiered configuration. Applications that already exist and/or were developed classically are (or are to be) deployed in the legacy group of servers. That legacy portion of the environment only supports the coarse-grained authorizations provided by WebSEAL/TFIM. Each legacy application will most likely need its own WebSEAL junction. Any web service defined in the legacy application platform will still have security controls through WSRR and TSPM.


Figure 7: Tiered Application hosting Environment

Outside of supporting legacy systems, the primary portions of the hosting environment are the view tier, the compute tier and the content repository. The view-tier nodes accept the TAM-provided principal assertion at the first level of credential delegation. The applications deployed here are simple applications with trivial compute requirements; they characteristically have higher user I/O than compute. Additionally, this is the platform where composite applications should have their portlets deployed. Simple portal applications (again, mostly view tier) are wholly deployed to the view-tier nodes. IBM Mobile Portal Accelerator is deployed on these nodes.

This hosting environment also has a dedicated compute tier to support applications that are computationally intensive and perform asynchronous actions. These server nodes can consume a credential delegated from the view tier. One can assume that the applications in question are of the analytic variety.


Sample Composite Application

[Figure 8: Sample Composite Application. Modules shown: JSR 286 portlet(s); Struts MVC; JAX-WS / JAX-RS web service; JPA; session and message-driven beans]

The figure shows that our sample application is composed of several modules[8] that work together to deliver some business value to the enterprise. As shown, this generic application has some business integration components that the hosting environment needs to support and provide the appropriate security capabilities for. The application is composed of five portions:

1. There is an independent view tier that leverages the Struts framework. It is not important that the solution uses Struts (it could have been simple JSP or JSF), rather that this composite application provides its own view tier.
2. The generic composite application also delivers some portlets that will be rendered by the portal servers.
3. This application also provides SOAP (JAX-WS) and/or REST (JAX-RS) web services.
4. There is some sort of persistence, represented through JPA. A successful Java EE PaaS environment provides generic persistence providers; the developer's application requests persistence from the environment.
5. Business logic is represented in the session beans and message-driven beans, with asynchronous (or synchronous) communication among other applications (or portions of itself) using a JMS topic/queue.

There are several ways this application can be divided up and deployed, and those various combinations will not be examined. However, let's make some assumptions about this representative composite application and how it can be deployed.

1. The Session/MDB components rely on JPA being local to the same Java EE instance.
2. The Struts component is directly dependent on the JPA and the Session/MDB components but not on the other two pieces. Thus, those portions are deployed together into any WAS cluster.

[8] There will be instances where some of the modules are leveraged from an existing application and are not part of a new deployment; this has been a Java technology capability since 2001.


3. The web services portion depends on the Session/MDB component, so wherever those portions are deployed the web services are deployed also. These services are available internally to the enterprise and externally to business partners, where not all operations are available to both internal and external parties.

4. The portlet components use the TSPM-provided tag library and indirectly reference the Session/MDB components. Essentially, the portlet components must be deployed on a portal server with the TSPM tag library (and possibly RTSS installed in local mode).

With those assumptions, one can deploy the composite application as follows.

1. Everything but the portlet component on a generic set of WAS clusters.
2. The portlet component on the primary WPS clusters, with the ORB able to locate the beans the portlets reference on other WAS instances.

The mechanics of getting to code on the servers is beyond the scope of this document. An organization interested in the details of the mechanics should consider examining how IBM’s Rational software delivery brand provides tools for this environment.

Finally, let's assume the following security requirements.

1. The web services need protecting based on how they are accessed (partner application, generic internal use, external connectivity).
2. The Struts component uses coarse-grained roles, so a simple WebSEAL junction is needed and TAI++ was determined not to be required. The Struts component is accessible internally and externally.
3. The portlets' usage of the TSPM tag library implies that fine-grained controls are required for this application. Since it will be deployed on the portal server, the basic web access control is already in place.

Deploying and Securing


Figure 9: Security Configuration Applied upon application deployment

The steps in the figure are:

1. Deploy application: The code that composes the application is deployed to the appropriate Java EE servers.
2. Add service endpoints: The web services are added to WSRR, and optionally the Struts web URL.
3. Auto discovery: TSPM and the internal DataPower automatically detect the change in WSRR.
   a. Variation: The application hosting security engineer may have created the entries already.
4. Internal XACML push: The web service endpoint is enabled at the internal DataPower once the appropriate XACML policies have been applied. The portlet component of the application becomes operational once policy configuration is received, and this portion of the view tier is enabled. Additionally, the web service is now accessible for internal consumption.
5. Auto-detect service endpoint: Once the internal DataPower has enabled and advertised the new service endpoints, the external DataPower becomes aware of the web services.
6. External XACML push: The policy configuration is applied to the external DataPower, enabling external business integration.
7. Access/edge enable: Even though the WebSEAL (not shown) junction was created for the Struts portion, it is not accessible externally until the access/edge appliance becomes aware of the URL.


The above sequence of actions has variations in sequence and automation. The application hosting security team can have much of this process automated. Conversely, many of the steps can be manual and some pre-loaded in anticipation of the new application. However, what should be evident in this example deployment sequence is how security can be applied and unapplied in relation to the type of service the deployed application provides to the enterprise and its partners. IT should be apparent that an enterprise may consider and investment in Model-Driven development capabilities (or Process-Driven)9

Value Added Components:


Identity Bus

This solution was augmented with an identity web service that provided an integrated view as part of delivering self-service portlets deployed with Portal Server. These portlets were rather simple and provided additional functional demonstrations of composite applications integrating with existing business services. However, the identity web service existed to provide value beyond these simple portlets. One can use the web service to query the various IT systems and view a complete user profile. For example, querying details on oneself may return information from the authentication store, Active Directory, a binary JPEG image from some gallery, and what PACS access an individual has. The service itself used various technologies to query the various systems and was deployed like the sample application described previously.

Like other enterprise services, this web service had appropriate XACML controls to protect it and to discriminate who accessed it and how. For example, federated users had no use for "profile updates", thus the portlet that uses this capability was not available to them. Additionally, most of the SOAP methods were not available through the external DataPower appliance.
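To make the two ideas above concrete (the internal and external XACML pushes of the deployment sequence, and the per-operation controls on the identity web service), here is an added, constructed example of a minimal XACML-style policy decision point in Python. It is not code from the document or from any IBM product: the operation names (getProfile, updateProfile, getPacsAccess), the attribute names, the two enforcement-point ids and the rules themselves are all assumptions chosen to mirror the text. The internal policy lets every authenticated subject read a profile but only locally managed accounts update one; the external policy exposes only the read-only query to federated partners, and everything else falls to a deny-by-default.

```python
# Added example (not from the document): a minimal XACML-style policy decision
# point (PDP) for the SOAP operations of an identity web service, evaluated for
# two policy enforcement points, the internal and the external DataPower.
# Operation names, attribute names, PEP ids and rules are constructed assumptions.
from dataclasses import dataclass

PERMIT, DENY = "Permit", "Deny"


@dataclass
class Rule:
    effect: str
    target: dict  # attribute name -> set of acceptable values; every entry must match


@dataclass
class Policy:
    pep: str             # the enforcement point (appliance) this policy is pushed to
    rules: list          # first-applicable combining: the first matching rule wins
    default: str = DENY  # nothing matched -> deny by default


def rule_matches(rule, request):
    """A rule applies only when every targeted attribute has an allowed value."""
    return all(request.get(name) in allowed for name, allowed in rule.target.items())


def evaluate(policy, request):
    """Return the XACML effect of one access request under one policy."""
    for rule in policy.rules:
        if rule_matches(rule, request):
            return rule.effect
    return policy.default


# Policy pushed to the internal DataPower: any authenticated subject may read a
# profile or PACS access, but only locally managed (ITIM) accounts may update one.
INTERNAL_POLICY = Policy("internal-datapower", [
    Rule(PERMIT, {"operation": {"getProfile", "getPacsAccess"},
                  "subject_type": {"local", "federated"}}),
    Rule(PERMIT, {"operation": {"updateProfile"}, "subject_type": {"local"}}),
])

# Policy pushed to the external DataPower: only the read-only profile query is
# exposed to federated partners; every other SOAP method stays internal.
EXTERNAL_POLICY = Policy("external-datapower", [
    Rule(PERMIT, {"operation": {"getProfile"}, "subject_type": {"federated"}}),
])

POLICIES = {p.pep: p for p in (INTERNAL_POLICY, EXTERNAL_POLICY)}


def decide(pep, subject_type, operation):
    """PEP-side entry point: pick the policy pushed to this appliance, then evaluate."""
    request = {"subject_type": subject_type, "operation": operation}
    return evaluate(POLICIES[pep], request)


# The portal renders a portlet only when the subject may call its backing SOAP
# operation through the internal appliance, so a federated user never sees the
# profile-update portlet.
PORTLETS = {"profile-view": "getProfile",
            "profile-update": "updateProfile",
            "pacs-access": "getPacsAccess"}


def visible_portlets(subject_type):
    return sorted(name for name, op in PORTLETS.items()
                  if decide("internal-datapower", subject_type, op) == PERMIT)


if __name__ == "__main__":
    for pep in POLICIES:
        for subj in ("local", "federated"):
            for op in ("getProfile", "updateProfile", "getPacsAccess"):
                print(f"{pep:18} {subj:9} {op:14} -> {decide(pep, subj, op)}")
    print("portlets for a federated user:", visible_portlets("federated"))
```

The point to take from the example is structural rather than syntactic: the same request reaches a different decision depending on which appliance's policy set it is evaluated against, and a method that has no permit rule at the external appliance is simply not reachable from outside, which is what "unapplying" security in the deployment sequence amounts to.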

PIV/CAC/TWIC/Other Self Service

This solution, through custom extensions of COTS products, allowed various smart cards to be used as hardware token authenticators. Since a wide selection of hardware authenticators was supported, the custom modifications enabled users to individually register their smart cards with the appropriate IAM components. There were limitations: the certificate authority must already be trusted, and the smart card must assert unique user details that could be associated with a system user. Thus, only those with locally hosted accounts managed by ITIM had this capability. Users that federated in with an attribute suggesting a hardware token (and thus an implied NIST authentication level) had this attribute removed by the access control system before being granted access to hosted resources.10
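The two controls in this passage, stripping an unverifiable assurance claim from a federated principal and gating self-service card registration on a trusted CA plus a unique identifier that maps to one local account, can be shown as a small added Python example. This is constructed illustration, not the document's or Tivoli's code: the attribute names (hardware_token, nist_assurance_level), the assertion layout, the CA name and the sample accounts are all assumptions.

```python
# Added example (not from the document): sanitising an inbound federated
# principal assertion and pre-checking smart-card self-service registration.
# Attribute names, assertion layout, CA names and sample accounts are constructed.

# Attributes a partner IdP may assert but which this IAM system only honours
# when it verified the authenticator itself (local login).
LOCALLY_VERIFIED_ONLY = {"hardware_token", "nist_assurance_level"}


def sanitize_federated_assertion(assertion):
    """Return (clean copy, list of dropped attribute names).

    For a federated principal the assurance claims this system never observed
    are removed before any hosted resource sees the assertion; a local login is
    returned unchanged because this system produced those claims itself.
    """
    attrs = dict(assertion.get("attributes", {}))
    dropped = []
    if assertion.get("source") == "federated":
        for name in sorted(LOCALLY_VERIFIED_ONLY):
            if name in attrs:
                del attrs[name]
                dropped.append(name)
    clean = dict(assertion)
    clean["attributes"] = attrs
    return clean, dropped


# Constructed: the only card-issuing CA this deployment already trusts.
TRUSTED_CARD_CAS = {"CN=Example Agency PIV CA"}


def can_register_smart_card(card_cert, local_accounts):
    """Return (ok, detail). Registration is offered only when the card's issuing
    CA is already trusted, the card asserts a unique identifier, and that
    identifier resolves to exactly one locally managed (ITIM) account."""
    if card_cert.get("issuer") not in TRUSTED_CARD_CAS:
        return False, "issuer not trusted"
    uid = card_cert.get("subject_uid")
    if not uid:
        return False, "card asserts no unique identifier"
    owners = [a for a in local_accounts if a.get("card_uid") == uid]
    if len(owners) != 1:
        return False, "identifier does not map to exactly one local account"
    return True, owners[0]["user"]


# Constructed sample data.
SAMPLE_FEDERATED = {
    "source": "federated",
    "subject": "alice@partner.example",
    "attributes": {"email": "alice@partner.example",
                   "hardware_token": "true",
                   "nist_assurance_level": "3"},
}
SAMPLE_LOCAL = {
    "source": "local",
    "subject": "bob",
    "attributes": {"hardware_token": "true", "nist_assurance_level": "3"},
}
SAMPLE_LOCAL_ACCOUNTS = [
    {"user": "bob", "card_uid": "uid-0001"},
    {"user": "carol", "card_uid": "uid-0002"},
    {"user": "dave", "card_uid": "uid-0002"},   # duplicate uid: ambiguous mapping
]

if __name__ == "__main__":
    clean, dropped = sanitize_federated_assertion(SAMPLE_FEDERATED)
    print("federated, dropped:", dropped, "kept:", clean["attributes"])
    print("local, unchanged:", sanitize_federated_assertion(SAMPLE_LOCAL)[1] == [])
    for cert in ({"issuer": "CN=Example Agency PIV CA", "subject_uid": "uid-0001"},
                 {"issuer": "CN=Example Agency PIV CA", "subject_uid": "uid-0002"},
                 {"issuer": "CN=Unknown CA", "subject_uid": "uid-0001"}):
        print(cert, "->", can_register_smart_card(cert, SAMPLE_LOCAL_ACCOUNTS))
```

Both functions return a copy or a decision rather than mutating their input, so the original assertion can still be logged as received; recording which attributes were dropped is what lets an analyst later reconcile a partner's claimed assurance level with what this environment actually honoured.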

Afterthoughts

9 See also: Model Driven Architecture or Process Driven Development.

10 A business, not technical, decision: the position taken was that this IAM system did not see the token and some other IAM system is "declaring" that it did.


Notable Variations & Additions

This SOA Security solution extended beyond the basic IAMS capabilities in certain areas. In delivering a functioning application hosting environment, only a couple of additional components would be needed to enable the process-driven enterprise. Additionally, IBM provides some options and variations in delivering value.

Business Process Manager

Among the various consulting and software offerings from IBM, there would be some sort of enterprise orchestration or related business-process-enabling product. IBM offers Business Process Manager (formerly WebSphere Process Server) as a means to deliver business process management to the enterprise.

In the deployment scenario, an orchestration would connect approvals with the deployment task. The product owner can initiate the deployment, with the application hosting security team approving the automated deployment steps as they happen.

WebSphere Enterprise Service Bus11

WAS ESB is another enterprise integration and messaging product from IBM. With WAS ESB one can leverage the ability to invoke an EJB interface from any WAS cell in the enterprise. Therefore, using JMS and dependency injection (CDI)12 allows for high-throughput interaction of business modules using native Java technology, without translating Java binary payloads for the benefit of non-Java systems if no such systems are desired as integration points.

In the deployment example, JAX-WS and JAX-RS interfaces were created to provide standards-based, technology-agnostic SOAP and REST interfaces to the business value the application delivered. This meant that throughput was lost in translating from Java binary to SOAP and back to Java binary. If WAS ESB were present, the EJBs behind the SOAP/REST interfaces would be accessible through the service bus directly. If a SOAP/REST interface were desired, WAS ESB can be used to manifest such an interface on behalf of the application. Additionally, the internal DataPower appliance in this solution can be replaced by WAS ESB clusters, and there are obvious integrations with WSRR and IBM Business Process Manager.

Hybrid: AWS, Cast Iron, Smart Cloud

What may not be readily apparent in this solution is how the memory-to-memory principal assertion enables an organization to leverage remote compute capabilities. When an individual is authenticated locally and the principal assertion is propagated (as a delegated credential to another WAS server, or by pseudo-federation using OpenSSO/OpenAM) to remote computation resources, the remote compute resources do not need to query the "home" environment for details of the individual. This assumes that enough attributes were propagated along with the principal assertion that an application deployed in a dynamically sized remote compute facility does not need additional details about the user. Of course, IaaS vendors like AWS also provide IAM solutions and just-in-time identity provisioning for transient user access with various access controls.

11 IBM also offers Message Broker and MQ.

12 Context and Dependency Injection; at the enterprise scale this is not for use by novices.


Additionally, an organization may want to consider the SaaS capabilities IBM offers through its 2010 acquisition of Cast Iron. Cast Iron allows for the integration of applications and services at a high level of abstraction, tying on-premise applications to hosted applications.

Summary

This document described a SOA-security solution built using IBM Tivoli and related software components. It is hoped that this document provided some insight into how one uses IBM products to deliver externalized application security for an enterprise application hosting environment.


Appendix

Appendix A: Related Documents

This document is part of a pseudo-collection meant to educate technical business leaders. The following is a listing of documents in order of development. Some articles reference and build on each other.

• OpenSource JavaEE Clusters on HP Blades (2008): A two-part document focusing on how an organization would use HP C-Class blades and HP Insight Control for Linux to deliver high-performance JavaEE compute clusters using RHEL/SLES/Debian and JBoss. The first part covered bare-metal OS provisioning to deliver maximum throughput for science applications based on Java technology. The second part discussed JavaEE container density using virtual machines on blades. Developed for HP and under the purview of their distribution; it may no longer be available.

• IT Infrastructure for Java Developers (2009): Explains to software engineers how to develop highly available applications in a "Rip and Replace" blade-centric environment. Deprecated.

• WebSphere PaaS and SOA Security (2011): Given an appropriate IaaS environment, this document describes a sample enterprise hosting environment that provides externalized application security capabilities. Publicly available with some appendices removed.

• Survey Regarding Java Professionals and Application Security (2011): A privately funded research initiative whose public summary was made available to the JSR351 Expert Group, http://java.net/projects/identity-api-spec/pages/Home

• SMAC case study using AWS and agile processes (2013): A simple application for a small user community is developed with an eye to delivery with little owned infrastructure cost. The solution will leverage AWS's DynamoDB, Elastic Compute Cloud, Elastic Beanstalk, Simple Storage Service, and other IaaS offerings for a small-team development effort using agile processes.

Appendix B: Notes on ITIM Cluster Configuration Omitted from this Edition

Appendix C: Notes on TAM/TFIM Configurations Omitted from this Edition

Appendix D: Notes on IaaS Components Omitted from this Edition