Protecting Tivoli Access Manager Policy Server

Using Tivoli Access Manager Policy Proxy Server

This article explains the purpose, advantages, limitations, installation, configuration, and customization of a policy proxy server. This article also provides a combination of theory and practical experience you need for a general understanding of this component.

Mr. Mandar Vilas Deshmukh (mandar_deshmukh@in.ibm.com), Tivoli Access Manager for e-business L3 Engineer, IBM

Mandar is a Staff Software Engineer, currently working with the Tivoli® Directory Server Java development team as technical lead. He has more than five years of experience at IBM® India Pvt. Ltd. He is a Tivoli Certified Advanced Deployment Professional - Tivoli Security Management Solutions (ITAM, ITIM) and ITIL Foundation certified. He is also an EC-Council Certified Ethical Hacker, a Sun Certified Java Professional and an IBM® Certified DB2 V8.1 Associate.



01 June 2006

Introduction

As the name suggests, the Policy Proxy Server is a proxy that isolates the IBM® Tivoli® Access Manager (TAM) Policy Server from direct access by applications. Towards the Policy Server it acts as a client. When an application first asks for policy data, the request is forwarded to the Policy Server and the returned policy database is cached in memory; subsequent requests for the same data are served from that cache by the proxy, so the only connection the Policy Server ever sees comes from the proxy host. The following figures illustrate the difference.

Figure 1. Tivoli Access Manager Policy Server without Policy Proxy Server
Environment without Policy Proxy Server

Purpose

The Policy Proxy Server enables Tivoli Access Manager applications and authorization servers to connect to a Policy Proxy Server rather than the Policy Server.

Advantages

  • The only incoming Secure Sockets Layer (SSL) sessions to the Policy Server come from the physical Policy Proxy Server host, so the Policy Server can be firewalled to accept connections from that one host alone. This increases security.
  • The Policy Proxy Server offloads database replication from the Policy Server by caching the Policy Server databases that it serves to Access Manager applications.
  • The Policy Proxy Server does not perform authorization itself. It forwards requests for authorization data to the Policy Server.
  • The ACL database is cached in memory only. No authorization database is stored on the disk of the Policy Proxy Server, so there is nothing on disk to read (or modify) if the Policy Proxy Server is compromised.
Figure 2. Tivoli Access Manager Policy Server with Policy Proxy Server
Environment with Policy Proxy Server

Limitations

Applications that use the administration API are the exception. The administration API opens its own SSL session directly to the Tivoli Access Manager Policy Server and is not carried through the proxy, so you must allow direct communication between these applications and the Policy Server (for example, in any firewall rule that otherwise limits the Policy Server to connections from the proxy host).

Figure 3. Policy Proxy Server communication flow
Policy Proxy Server Communication

Figure 3 shows the connections (and the direction of flow) between the Policy Server, a Policy Proxy Server and an Access Manager application or authorization server.

Note: The SSL session from Access Manager applications to the Policy Proxy Server(s) is independent from the SSL session from the Policy Proxy Server to the Policy Server.

Installation

There are three methods of installation:

  • Native installation
  • Installation wizard
  • IBM Tivoli Configuration Manager software package definition (SPD)

More information about installation on the different operating systems is available from the Tivoli Access Manager for e-business documentation (see References).


Installing each TAM component creates the configuration files for that component:

  • PDRTE
    • ldap.conf
    • activedir.conf
    • activedir_ldap.conf
    • domino.conf
    • pd.conf
  • PDMgr
    • ivmgrd.conf
  • PDMgrPrxy
    • pdmgrproxyd.conf
  • PDAcld
    • ivacld.conf
  • PDWeb
    • webseald-instance_name.conf
  • PDWebPI
    • pdwebpi.conf

The following tables show the configuration file names with their corresponding component.

Table 1: TAM registry-related components and configuration files

  Component name          Configuration file
  LDAP                    ldap.conf
  Active Directory        activedir.conf
  Active Directory LDAP   activedir_ldap.conf
  Domino                  domino.conf

Table 2: TAM base components and configuration files

  Component name          Configuration file
  PDRTE                   pd.conf
  PDMgr                   ivmgrd.conf
  PDMgrPrxy               pdmgrproxyd.conf
  PDAcld                  ivacld.conf

Table 3: TAM Web component and configuration files

  Component name          Configuration file
  WebSEAL                 webseald-instance.conf

Table 4: TAM plug-in component and configuration files

  Component name          Configuration file
  WebPI                   pdwebpi.conf

Configuration

Fresh configuration

Assumption: User registry and Policy Server are installed and configured.

Installation:

  1. Install base components : PDRTE, PDMgrPrxy
  2. Install web components: PDWebRTE, PDWeb
  3. Install webpi components: PDWebPI

Configuration using "pdconfig"

  • Configure the TAM Runtime Environment against the Policy Server.
  • Configure the TAM Policy Proxy Server against the Policy Server.
  • Make the following changes in the [manager] stanza of pd.conf:
    • Change master-host from the Policy Server host name to the Policy Proxy Server host name.
    • Change master-port from the Policy Server port to the Policy Proxy Server port.
  • Restart the servers with the command "pd_start restart".
  • Continue with "pdconfig": it now defaults to the Policy Proxy Server host name and port 7138 when you configure WebSEAL, the Web Plug-in, and so on.
Figure 4. [manager] stanza
[manager] stanza of pd.conf



Reconfiguration

Assumption: User registry, Policy Server, WebSEAL and WebPI are installed and configured.

Installation:

  • Install base components : PDMgrPrxy

Configuration using "pdconfig":

  • Configure the Policy Proxy Server against the existing Policy Server.
  • Stop all TAM servers with "pd_start stop".
  • Make the following changes to the [manager] stanza of pd.conf, webseald-instance.conf and pdwebpi.conf:
    • Change master-host from the Policy Server host name to the Policy Proxy Server host name.
    • Change master-port from the Policy Server port to the Policy Proxy Server port.
  • Start all TAM servers with "pd_start start".
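Both procedures above (fresh configuration and reconfiguration) come down to the same manual edit: repoint master-host and master-port in the [manager] stanza of pd.conf, webseald-instance.conf and pdwebpi.conf, and nothing else. The following script is an added example, not IBM code, of doing that edit safely across several files. It assumes only what the article states: TAM configuration files are INI-style text ([stanza] headers, key = value lines, "#" comments) and the Policy Proxy Server listens on 7138 by default. The sample pd.conf fragment and host names are constructed for the example and are not a real shipped file.

```python
"""Repoint TAM configuration files from the Policy Server to a Policy Proxy Server.

Added example (not IBM code). It rewrites master-host / master-port inside the
[manager] stanza only, leaves every other stanza and key untouched, and refuses
to return a half-edited file if the stanza or either key is missing.
"""
import re
from typing import Dict, List

STANZA_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
KEY_RE = re.compile(r"^(?P<indent>\s*)(?P<key>[A-Za-z0-9_-]+)\s*=\s*(?P<value>.*?)\s*$")

DEFAULT_PROXY_PORT = 7138  # default Policy Proxy Server port named in the article

# Constructed sample pd.conf fragment for a runtime configured directly
# against the Policy Server. Host names and the [ssl] stanza are made up.
SAMPLE_PD_CONF = """\
[pdrte]
user-reg-type = ldap
[manager]
# Policy Server the runtime talks to
master-host = pdmgr.example.com
master-port = 7135
[ssl]
ssl-keyfile = /var/PolicyDirector/keytab/pd.kdb
"""


def read_stanza(text: str, stanza: str) -> Dict[str, str]:
    """Return the key/value pairs of one stanza (first occurrence of a key wins)."""
    values: Dict[str, str] = {}
    current = None
    for line in text.splitlines():
        m = STANZA_RE.match(line)
        if m:
            current = m.group("name").strip()
            continue
        if current != stanza or not line.strip() or line.lstrip().startswith("#"):
            continue
        km = KEY_RE.match(line)
        if km and km.group("key") not in values:
            values[km.group("key")] = km.group("value")
    return values


def repoint_manager_stanza(text: str, proxy_host: str,
                           proxy_port: int = DEFAULT_PROXY_PORT) -> str:
    """Rewrite master-host and master-port in [manager]; all other lines pass through."""
    new_values = {"master-host": proxy_host, "master-port": str(proxy_port)}
    replaced = {key: False for key in new_values}
    out: List[str] = []
    current = None
    for line in text.splitlines(keepends=True):
        sm = STANZA_RE.match(line)
        if sm:
            current = sm.group("name").strip()
            out.append(line)
            continue
        km = KEY_RE.match(line) if current == "manager" else None
        if km and km.group("key") in new_values:
            key = km.group("key")
            eol = "\n" if line.endswith("\n") else ""
            out.append(f"{km.group('indent')}{key} = {new_values[key]}{eol}")
            replaced[key] = True
            continue
        out.append(line)
    missing = [key for key, done in replaced.items() if not done]
    if missing:
        # Do not hand back a partially repointed file: the server would start
        # against a mix of old and new settings.
        raise ValueError(f"[manager] stanza lacks {', '.join(missing)}; refusing to edit")
    return "".join(out)


def repoint_all(files: Dict[str, str], proxy_host: str,
                proxy_port: int = DEFAULT_PROXY_PORT) -> Dict[str, str]:
    """Repoint several files (pd.conf, webseald-instance.conf, pdwebpi.conf) in memory.

    Any failure raises before anything is returned, so either every file is
    rewritten or none is, which is the state you want before 'pd_start start'.
    """
    return {name: repoint_manager_stanza(body, proxy_host, proxy_port)
            for name, body in files.items()}


def is_repointed(text: str, proxy_host: str, proxy_port: int = DEFAULT_PROXY_PORT) -> bool:
    """Post-edit check: does [manager] now name the proxy host and port?"""
    manager = read_stanza(text, "manager")
    return (manager.get("master-host") == proxy_host
            and manager.get("master-port") == str(proxy_port))


if __name__ == "__main__":
    print(repoint_manager_stanza(SAMPLE_PD_CONF, "pdproxy.example.com"))
```

In a real deployment you would read each file from disk, run repoint_all over the three bodies, and write them back only after every rewrite succeeded, then run the verification before starting the servers again.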

Links

  • See References for more information about Tivoli Access Manager.
  • See Figure 1 for Policy Server without Policy Proxy Server.
  • See Figure 2 for Policy Server with Policy Proxy Server.
  • See Figure 3 for Policy Proxy Server communication flow.
  • See Figure 4 for the [manager] stanza of the configuration files.
  • See Table 1 for TAM registry-related components and configuration files.
  • See Table 2 for TAM Base components and configuration files.
  • See Table 3 for TAM Web component and configuration files.
  • See Table 4 for TAM Plug-in component and configuration files.

References

For information on installing the base components:
IBM Tivoli Access Manager for e-business 5.1, Base Installation and Configuration Guide
For information on installing WebSEAL:
IBM Tivoli Access Manager for e-business 5.1, WebSEAL Installation and Configuration Guide
For information on configuring and administering the base components:
IBM Tivoli Access Manager for e-business 5.1, Base Administrator's Guide
For information on configuring WebSEAL:
IBM Tivoli Access Manager for e-business 5.1, WebSEAL Administrator's Guide
For information on installing and configuring the Web Server Plug-ins:
IBM Tivoli Access Manager for e-business 5.1, Plug-in for Web Servers User's Guide
