SEC-007 TAMESSO a Cool Tool, Easy to Deploy - Why & How

SEC-007 TAMESSO: A Cool Tool, Easy to Deploy: Why & How Speaker: MARCO ZANCHI Job Title: IBM Certified Instructor & Specialist PROW SRL www.prow.it

Transcript of SEC-007 TAMESSO a Cool Tool, Easy to Deploy - Why & How


IBM European Tivoli Technical Conference 2011

This Session

As part of the Tivoli Security portfolio, TAM E-SSO now has an important mission: solving the problem of too many passwords that users of small and large networks need to remember and manage.

TAM E-SSO is a powerful yet easy-to-deploy solution that eases the pain of system administrators in keeping their users happy and passwords compliant with the new policies.

From a general overview to a technical introduction, we are going to present the TAM E-SSO components, how they integrate with other solutions, and how easy it is to deploy them and put them to work.

Introduction

Session Agenda (1/3)

• Introduction
• Overview
– Identity Manager, Access Manager and TAM E-SSO: different goals
– Strong Authentication, Single Sign-On, Session Management, Auditing
– The Identity and Access Management suite from Tivoli
– Tamesso architecture
– User provisioning: Tivoli Identity Manager
– The goal of the ITIM/E-SSO integration
– Authentication factors
– Second Authentication Factors

Session Agenda (2/2)

• Technical Introduction
– Product Components
– Platform Support
– Access Agent
– IMS Server deployment
– What are the Policies
– Access Admin
– Web Workplace
– Access Agent: Installation
– The Wallet
– Access Studio: creating profiles

Session Agenda (2/3)

• What else?
– Integration with LDAP servers
– High Availability
– What is next? Tivoli Education path, Test Drive the official Course
– Useful Resources

Overview

TIVOLI IDENTITY MANAGER

• Automates and centralizes access rights management and provisioning across multiple systems:

– Applications

– Operating systems

• Server / Adapter based architecture

• Features

– Central control of privileged data

– Role-based access control (RBAC)

– Automated provisioning of access rights

– Web-based system for easy privilege changes

– User self-service and self-registration

– Integrated workflow engine to authorize users and accounts

– Report generation


TIVOLI ACCESS MANAGER for E-BUSINESS

• A flexible, scalable authentication and authorization solution that protects company Web resources

• Features

– Provides an authentication and authorization framework

– Secures a variety of Web-based applications

– Centralizes administration of Web-based applications

– Enforces security policy defined by your organization

– Tracks user activity with auditing and reporting

– Provides quality of protection (QoP) for Web transactions

• Integrity

• Privacy


TIVOLI ACCESS MANAGER FOR E-SSO

• Automate access to corporate information, strengthen security, and enforce compliance at the end-points

• Management of account credentials

• Credentials are stored in the ESSO Server (IMS) database… and synchronized to the end users' wallets on their desktops.
– This allows the ESSO client (AccessAgent) to automatically log the end user in to any application that is profiled in ESSO.
– End users do not need to know any of their IDs / passwords for the applications profiled in ESSO.

Access Agent & IMS Server

[Diagram: AccessAgent and IMS Server. Labels: Audit and Compliance; Provisioning and Role-Based Access Control; Session Management and Workflow Automation; E-SSO and Password Management; Directory and Meta-Directory Service; Strong Authentication]

Strong authentication

• TAM E-SSO provides strong authentication for all user groups – inside and outside the corporate perimeter – to prevent unauthorized access to confidential corporate information and IT networks.
• The solution leverages multi-factor authentication devices such as:
– USB tokens;
– smart card tokens;
– building access badges;
– proximity cards (RFID);
– mobile devices;
– photo badges;
– biometric readers (like fingerprint);
– one-time password (OTP) tokens (RSA).

Enterprise single sign-on with workflow automation

• With TAM E-SSO, users can enjoy fast access to all corporate applications (e.g. Web, desktop, TTY and legacy) and network resources with the use of a single, strong password on personal and shared workstations.
• This feature increases employee productivity, lowers IT help desk costs, and improves security levels by eliminating passwords and the effort of managing complex password policies.
• Users can automate the entire access workflow (e.g., application login, drive mapping, application launch, single sign-on, navigation to preferred screens, multi-step logins, etc.).

Session management capability

• As organizations deploy more shared workstations and kiosks, more users can roam and access information from anywhere without returning to their personal PCs. Shared and roaming scenarios pose severe security threats.
• TAM E-SSO increases user convenience and improves information security through session management or fast user switching capabilities.
• Users can quickly sign on and sign off to shared workstations without using the Windows domain login process.
• Fast user switching on private desktops allows users to maintain multiple unique user desktops on the same workstation, preserving each user’s applications, documents, and network drive mappings.

User access tracking for audit & compliance reporting

• Combined strong authentication capabilities and user-centric audit logs ensure secure access to confidential corporate information and accountability at all times. The logs provide the meta-information that can guide a detailed analysis for compliance.
• Information is collated in a central relational database, facilitating real-time monitoring and separate reporting with third-party reporting tools.
• The end-point automation framework can be leveraged to audit custom access events for any application – without modifying the application or leveraging the native audit functionalities.

The Identity and Access Management suite

[Diagram: TAM E-SSO IAM Platform. Labels: TAM E-SSO IMS Server; Profile Generation; Centralized Administration; Support and Self-Service; Audit Reporting; Directory DB Mgmt; SOAP API; Context Management; User Provisioning; Enterprise Single Sign-On; Session Management; Audit and Compliance; Strong Authentication; Workflow Automation; TAM E-SSO AccessAgent (three instances); Desktop; Web; Citrix or Terminal Services Desktop]

• Strong Authentication
– Building badge integration
– Active RFID
– Fingerprint biometric
– USB smart cards
– Cell phone authentication
– One-time password (OTP) iTag

• Enterprise Single Sign-On
– For Windows, Citrix, Terminal Services, and thin client platforms
– For Web, desktop, mainframe, and TTY applications
– Browser-based single sign-on (SSO)
– Automatic generation of SSO AccessProfiles

• Workflow Automation
– Application launch, drive mapping, single sign-off
– Automate any presentation layer event
– Automate walk away desktop security

• Centralized Administration
– Web-based AccessAdmin
– Group-based and policy-driven management

• Support and Self-Service
– Loss management
– User self-service

• Centralized Audit
– Endpoint tracking
– Centralized SQL reporting

Tamesso Architecture


User Provisioning: Tivoli Identity Manager

• TAM E-SSO combines with best-of-breed user provisioning technologies like TIVOLI IDENTITY MANAGER to provide end-to-end identity lifecycle management.
• After the users are provisioned, they can leverage single sign-on to access all their applications on shared and personal workstations with one password.
• Users are never required to register their user names and passwords individually as their credentials are automatically provisioned.

The goal of the ITIM/ESSO integration

• End-to-end management (and automation) of both physical accounts and the credentials for these accounts.
• Keeping account IDs and passwords (stored in ESSO wallets) in sync with the physical accounts.
• The ability to onboard new employees, automatically provision their accounts and have their account credentials stored in their ESSO wallets.
– …allowing new employees to log in to their desktop for the first time and be able to access all their resources.

Authentication Factors

• Authentication factors come in different forms and functions.

– With the exception of password and fingerprint, users access systems and applications with a device that works like a key. This concept makes it easy for users to adapt to the system quickly.

• Password

– The password is used to secure access to a Wallet. The user specifies this password upon signing up with TAM E-SSO AccessAgent. Signing up with TAM E-SSO AccessAgent means registering the user with the IMS Server, and creating a Wallet.

• Secret

– The user is asked to enter a secret when signing up for a Wallet. A secret is a second password or a backup password. It is similar to the “hint” provided when the user forgets the password for a Web e-mail account, for example.


Second Authentication Factors

• The password can be fortified by a second authentication factor.
– The combination of the password and a USB Key strengthens the security of the user’s computer because both authentication factors must be present to access the computer.
• With TAMESSO you may use one of the following:
– ActiveCode
• Short-term authentication codes that are controlled by the Tamesso system.
– USB Keys
• Can store: a Serial Number; a Common Symmetric Key; Digital certificates for each certificate-enabled application
– SmartCard
– RFID Card
– Fingerprint Identification
– Presence detectors
• Sonar device & Active Proximity Badge

Second Authentication Factors: Hardware

pcProx Sonar

TAM ESSO integrates with RFIDeas pcProx and AIR ID devices to read proximity cards and contactless smart cards, providing strong user authentication and unified access to information, network, and resources.

TAM ESSO also integrates with the pcProx Sonar for walk-away security.

For more info visit http://rfideas.com

Technical Introduction

TAM E-SSO Product Components

• WALLET

– Stores the user’s access credentials (including user IDs, passwords, certificates, encryption keys). Each user has a Wallet.

– A “cached” Wallet is a copy of the user’s Wallet stored in the hard disk of the computer. The user can retrieve the cached Wallet during emergencies

• AccessAgent

– Client software that manages user’s identity

– Enables sign-on and sign-off automation

• IMS Server

– Identity management system that enables centralized management of user identities, AccessProfiles, and policies

• AccessAdmin

– IMS Server Management console for Administrator and Helpdesk


TAM E-SSO Product Components (…)

• AccessAssistant

– Web-based password self-help

• AccessStudio

– User interface for creating AccessProfiles required to support sign-on and sign-off automation

• Service Module

– Add-on modules that extend the capabilities of IMS

– IMS Bridge
• IMS Service Modules that enable applications to use IMS as an authentication server
– IMS Connector
• IMS Service Modules that enable IMS to interface with applications

Platform Support

• AccessAgent runs on the following client platforms:
– Microsoft Windows XP service packs 2 and 3 (32-bit and 64-bit) (Smart cards require SP3)
– Microsoft Windows 7 support in FixPack 1
– Microsoft Windows Server 2003 (32-bit and 64-bit)
– Microsoft Windows Vista (32-bit and 64-bit)
– Microsoft Windows Server 2008 (32-bit and 64-bit)
• TAM E-SSO also supports thin client platforms. On these platforms, the AccessAgent runs on Citrix or Terminal Services:
– Windows CE and XPE
• IMS Server runs on Windows 2003 server and later

Access Agent

[Diagram: AccessAgent. Labels: Authentication Factors; IMS; Central Audit; Central Administration; AccessAgent; Observer Framework; Automated Actions; Automation Triggers; Plug-ins; Wallet; Strong Authentication; Single Sign-On; Access Workflow Automation; Session Management; Audit and Tracking]

IMS Server: deployment and tips

• Since version 8.1, TAMESSO leverages the WebSphere Application Server platform, a solid and mission-critical technology
• Database Server must be previously installed
– DB2 9.5 or 9.7; MS SQL Server; Oracle 9i or 10g
• IMS Server deployment is a 5-step process:
1. Package installation: installs WebSphere Application Server and deploys the Java Enterprise Application that is TAM ESSO
2. HTTP Configuration
3. Database Creation
4. IMS Server Configuration
• Data Source
• Enterprise Directory (Active Directory or LDAP)
5. Additional IMS Configuration

What are the Policies

• Control the behavior of TAM E-SSO components
• Enable the product to be configured to meet specific requirements
• Have different visibility and scope
• Are managed by different roles
• Critical step of the deployment process
– Once the IMS Server and AccessAdmin are installed, it is necessary to configure AccessAdmin through an Initial Configuration Wizard and then define the default system template with allowed authentication factors, shared workstation and more

Policy types and scope

• System policy

– Global

– Configured using AccessAdmin

– Can be modified by an administrator

– Can be viewed by a helpdesk user

• User policy

– Affects only a specific user

– Configured using AccessAdmin

– Can be modified by an administrator or helpdesk user

• Machine policy

– Configured using AccessAdmin

– Can be modified by an administrator

– Can be viewed by a helpdesk user


Access Admin

• Is the management console used by Administrators and Help desk officers to manage users and policies on an IMS Server.
• Different access rights are given to the Administrator and Help desk roles. Certain configurations (for example, system policies) can only be viewed but not modified by Help desk.
• AccessAdmin has a left navigation panel for accessing various functions, such as:
– User search and administration (to modify user policies, issue authorization code, unlock a locked Wallet, revoke user, etc.)
– Creating and maintaining policy templates (can only be created and maintained by an Administrator, but a Help desk officer can view and apply)
– Setting system and application policies (can only be modified by an Administrator, but a Help desk officer can view)
– Accessing logs and status information

Access Admin

• Access Admin runs on top of WebSphere Application Server and is accessed through a specific link in the IMS web interface: https://<ims_server_name>/ims

Web Workplace

• A Web-based interface that gives users the ability to log on to enterprise Web applications by clicking on links, without the need to remember the passwords for individual applications. It can be integrated with the existing portal or SSL VPN.

AccessAgent Installation

• INSTALLATION
– AccessAgent can be installed manually or through a remote installation using a group policy
• CUSTOMIZATION
– AccessAgent can be customized both in the configuration process and in the banner
– The package can contain:
• SetupHlp.ini: installation options
• DeploymentScript.vbs: code to be installed and run
• Any other file to be copied to the TAM E-SSO program files folder
• Additional configuration information for optional features, such as biometric (fingerprint) support
– Banner customization allows a picture to be shown in:
• TAM E-SSO GINA welcome, logon, lock, and unlock windows
• Desktop AccessAgent window

AccessAgent: a new GINA

After the AccessAgent is installed, a new TAM E-SSO GINA is inserted in front of the Windows GINA (chained, not replaced).

User sign up

• If the Enable automatic signup option is selected in system settings, users are automatically enrolled when they log on
• Alternatively, a Sign Up option is available on the TAM E-SSO GINA

Secrets

• Set by the user during sign up by selecting questions from the pid_bind_secret_question_list policy
• Should be:
– Easy to remember
– Permanent in nature
– Not easily made known to others
• Used when the password is not available, such as during a password reset

The Wallet

• Is stored on the IMS Server. However, some parts can also be stored in an authentication factor, such as a private key on a smart card
• Roams to any point of access
– Accessible with the appropriate combination of authentication factors
• Wallets can be:
– In memory (does not contain certificate or OTP seed)
– Cached on hard disk or smart card (for offline access including offline bypass and password reset)
• AccessAgent creates a machine wallet (if it does not exist) when it starts
• If the IMS Server is not reachable, policies and AccessProfiles are obtained from a local file
• The AccessAgent performs periodic synchronization with the IMS Server

AccessStudio overview

• Is the wizard-based tool used by the Administrator to create and manage AccessProfiles and enable SSO, sign-off, and workflow automation.
• Each application is represented by an AccessProfile, which is a set of instructions that defines the workflow for that particular application.
• Features include:
– Support for standard and advanced modes for AccessProfiles of varying complexity
– Graphical user interface and XML editors
– Flexibility in editing AccessProfiles stored in any location
– Ability to import existing AccessProfiles from AccessAgent or IMS server
– Advanced credential and policy management
– Automatic validation of AccessProfile data
– Ability to test and debug AccessProfiles

Simple AccessProfiles generation wizard

• Used to generate AccessProfiles for applications
– 16-bit and 32-bit Windows
– Web pages
– Java applications and applets
– TTY and mainframe
– Owner-drawn
• Supports the following workflows:
– Logon (All types)
– Change password: Windows, Web, TTY, Mainframe (cursor-based)
– Logoff: Windows, Web, Mainframe (cursor-based)
– Other Tasks: Windows, Web, Mainframe (cursor-based)
• Can be used when the .exe or Web page refers to only one authentication service
• User drags a selector to the relevant Windows or Web elements
• Automatically creates a new application
• Authentication service is automatically created, or can use an existing one

Generating an AccessProfile

Open AccessStudio by navigating to Start > All Programs > Encentuate AccessStudio > AccessStudio


Using the profile generator

Click New > New AccessProfile (using Generator)


Creating a Windows profile

Enter the application name and select Windows for the application type

Select the task to automate

• Specify the task you will be automating

• Logon is the default


Open the application

Open the application you are profiling


Identify the fields

Drag the crosshairs to the relevant fields


What else???


Integrating with LDAP directories

– TAM E-SSO can use enterprise directories other than Active Directory

– LDAP directories are now configurable using the IMS Configuration Utility setup assistant

– The LDAP schema must contain an attribute that represents the user ID to be used for the TAM E-SSO account

– The Tivoli Directory Server credential is only used during sign-up

– TAM E-SSO user passwords are managed by the IMS server after sign-up

– Password synchronization is not used

• Installing IMS Server with Tivoli Directory Server

– Identify a dedicated lookup user in LDAP or add one

– Ensure inetOrgPerson objects have a unique identifier and passwords

– Use the IMS Configuration Utility’s setup assistant and choose Generic LDAP as the enterprise directory type

– The initial TAM E-SSO administrator account can now be specified here
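A pre-deployment check for the inetOrgPerson requirement on the LDAP integration slide, as an added example that is not part of the original slides or of TAM E-SSO: it parses an LDIF export and flags entries with a missing or duplicate user ID attribute or with no password. The choice of `uid` as the user ID attribute, the function names and the sample entries are assumptions constructed for illustration.

```python
import base64
from collections import defaultdict

# Constructed sample LDIF export (illustrative; not from the slides).
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQ=

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob

dn: cn=Alice Other,ou=contractors,dc=example,dc=com
objectClass: inetOrgPerson
uid: ALICE
userPassword: constructed-value

dn: cn=Carol Example,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
cn: Carol
  Example
userPassword: constructed-value

dn: cn=printers,ou=groups,dc=example,dc=com
objectClass: groupOfNames
"""


def parse_ldif(text):
    """Parse LDIF into entries mapping lower-cased attribute name -> list of values."""
    lines = []
    for raw in text.splitlines():
        # A line starting with a single space continues the previous line.
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], defaultdict(list)
    for line in lines + [""]:  # the trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current[name.strip().lower()].append(value.strip())
    return entries


def audit_directory(entries, id_attr="uid"):
    """Report inetOrgPerson entries that would break sign-up (id_attr is an assumption)."""
    owners = defaultdict(list)
    report = {"missing_id": [], "missing_password": [], "duplicate_id": {}}
    for entry in entries:
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "dn" not in entry or "inetorgperson" not in classes:
            continue
        dn = entry["dn"][0]
        ids = entry.get(id_attr.lower(), [])
        if not ids:
            report["missing_id"].append(dn)
        for value in ids:
            # uid matching is case-insensitive, so "ALICE" collides with "alice".
            owners[value.lower()].append(dn)
        # A missing userPassword can also mean the exporting account may not read it.
        if not any(entry.get("userpassword", [])):
            report["missing_password"].append(dn)
    report["duplicate_id"] = {k: v for k, v in owners.items() if len(v) > 1}
    return report


if __name__ == "__main__":
    for finding, detail in audit_directory(parse_ldif(SAMPLE_LDIF)).items():
        print(finding, detail)
```

Run the export with an account that is allowed to read `userPassword`; otherwise every entry is reported as missing a password.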

High availability

Components that require redundancy:
1. WebSphere server
2. Database server
3. Directory server

High Availability: WebSphere Server

• IBM WebSphere Application Server uses Network Deployment Manager (NDM) for high availability
– Multiple WebSphere Application Server nodes can be installed with the same applications and NDM handles which node responds to a request
– Application configuration changes (tuning and so on) are performed on the NDM and synchronized to available nodes
• Each WebSphere Application Server node is configured with a node agent that allows communication with NDM
• Each WebSphere Application Server node is referred to as a ‘cluster member’

Directory server high availability

[Diagram labels: Primary TDS; Secondary TDS]

High availability example with DB2

[Diagram labels: DB2 Server; DB2 Server; IMS Server; DB2 Client; Primary Node; Failover Node; HADR Synchronization; Client Reroute; Load Balancer]

What is next? Education Path & Course Test Drive

• Tivoli software training and certification
http://www-01.ibm.com/software/tivoli/education/
• IBM Tivoli Access Manager for ESSO 8.1 Deployment and Administration (classroom)
http://www-304.ibm.com/jct03001c/services/learning/ites.wss/us/en?pageType=course_description&courseCode=TW172
• IBM Tivoli Access Manager for ESSO 8.1 Deployment and Administration (Instructor Led Online)
http://www-304.ibm.com/jct03001c/services/learning/ites.wss/us/en?pageType=course_description&courseCode=8W172
• Tivoli Access Manager for Enterprise Single Sign-On Overview DEMO
https://www14.software.ibm.com/webapp/iwm/web/signup.do?source=swg-spsm-tiv-sec-dm&S_PKG=TAMESSO_Overview

Useful Resources

• Links to Useful Resources
http://www.ibm.com/developerworks/wikis/display/tivoliaccessmanagerforesso/Related+Resources
• TAM ESSO Forum
http://www.ibm.com/developerworks/forums/forum.jspa?forumID=1592
• Product Page & Free Trial Download
http://www-01.ibm.com/software/tivoli/products/access-mgr-esso/
http://www.ibm.com/developerworks/downloads/tiv/accessmanager/index.html
• Information Center
http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.itamesso.doc/welcome.htm
• Support Information
http://www-01.ibm.com/software/sysmgmt/products/support/IBMTivoliAccessManagerforEnterpriseSingleSignOn.html
• Troubleshooting
http://www.ibm.com/developerworks/wikis/display/tivoliaccessmanagerforesso/Troubleshooting
• Proximity and Contactless Card Reader for TAMESSO
http://rfideas.com/Software/

THANK YOU!
