SEC-007 TAMESSO a Cool Tool, Easy to Deploy - Why & How
-
Upload
marco-zanchi -
Category
Documents
-
view
223 -
download
3
Transcript of SEC-007 TAMESSO a Cool Tool, Easy to Deploy - Why & How
SEC-007
TAMESSO: A Cool Tool, Easy to Deploy:
Why & How
Speaker: MARCO ZANCHIJob Title: IBM Certified Instructor & Specialist
PROW SRL www.prow.it
IBM European Tivoli Technical Conference 2011
2
This Session
As part of the Tivoli Security portfolio, TAM E-SSO has now an
important mission: solve the problem of too many passwords
that users of small and large networks need to remember and
manage.
TAM E-SSO is a powerful yet easy to deploy solution to solve
the pain of system administrator in keeping their users happy
and passwords compliant to the new policies.
From a general overview to a technical introduction, we are
going to present the TAM E-SSO components, how they
integrate with other solutions and how easy is to deploy them
and put them to work.
IBM European Tivoli Technical Conference 2011
IBM European Tivoli Technical Conference 2011
Introduction
3
IBM European Tivoli Technical Conference 2011
Session Agenda (1/3)
• Introduction
• Overview
– identity manager, access manager and tamesso: different goals
– Strong Authentication, SingleSignOn, Session Management,
Auditing
– The Identity and Access Management suite from Tivoli
– Tamesso architecture
– Users provisioning: Tivoli Identity Manager
– The goal of the ITIM/E-SSO integration
– Authentication factors
– Second Authentication Factors
4
IBM European Tivoli Technical Conference 2011
Session Agenda (2/2)
• Technical Introduction
–Product Components
–Platform Support
–Access Agent
– IMS Server deployment
–What are the Policies
–Access Admin
–Web Workplace
–Access Agent: Installation.
–The Wallet
–Access Studio: creating profiles
5
IBM European Tivoli Technical Conference 2011
Session Agenda (2/3)
• What else?
– Integration with LDAP servers
–High Availability
–What is next? Tivoli Education path, Test Drive the official
Course
– Useful Resources
6
IBM European Tivoli Technical Conference 2011
Overview
7
IBM European Tivoli Technical Conference 2011
TIVOLI IDENTITY MANAGER
• Automates and centralizes access rights management and provisioning across multiple systems:
– Applications
– Operating systems
• Server / Adapter based architecture
• Features
– Central control of privileged data
– Role-based access control (RBAC)
– Automated provisioning of access rights
– Web-based system for easy privilege changes
– User self-service and self-registration
– Integrated workflow engine to authorize users and accounts
– Report generation
8
IBM European Tivoli Technical Conference 2011
TIVOLI ACCESS MANAGER for E-BUSINESS
• A flexible, scalable authentication and authorization solution that protects company Web resources
• Features
– Provides an authentication and authorization framework
– Secures a variety of Web-based applications
– Centralizes administration of Web-based applications
– Enforces security policy defined by your organization
– Tracks user activity with auditing and reporting
– Provides quality of protection (QoP) for Web transactions
• Integrity
• Privacy
9
IBM European Tivoli Technical Conference 2011
TIVOLI ACCESS MANAGER FOR E-SSO
• Automate access to corporate information, strengthen security, and enforce compliance at the end-points
• Management of account credentials
• Credentials are stored in the ESSO Server (IMS) database…and synchronized to the end user wallets on their desktop.
– This allows the ESSO client (AccessAgent) to automatically
login the end user to any application that is profiled in ESSO.
– End users do not need to know any of their ID’s / Passwords for
the applications profiled in ESSO.
10
IBM European Tivoli Technical Conference 2011
Access Agent & IMS Server
11
Audit and Compliance
Provisioning and Role-Based Access Control
Session Management and Workflow Automation
E-SSO and Password Management
Directory and Meta-Directory Service
Strong Authentication
AccessA
gen
tIM
S S
erv
er
IBM European Tivoli Technical Conference 2011
Strong authentication
• TAM E-SSO provides strong authentication for all user
groups – inside and outside the corporate perimeter – to
prevent unauthorized access to confidential corporate
information and IT networks.
• The solution leverages multi-factor authentication devicessuch as:
– USB tokens;
– smart card tokens;
– building access badges;
– proximity cards (RFID);
– mobile devices; photo badges;
– Biometric readers (like fingerprint);
– one-time password (OTP) tokens (RSA).
12
IBM European Tivoli Technical Conference 2011
Enterprise single sign-on with workflow automation
• With TAM E-SSO, users can enjoy fast access to all
corporate applications (e.g. Web, desktop, TTY and legacy)
and network resources with the use of a single, strong
password on personal and shared workstations.
• This feature increase employee productivity, lower IT Help
desk costs, and improve security levels by eliminating
passwords and the effort of managing complex password
policies.
• Users can automate the entire access workflow (e.g.,
application login, drive mapping, application launch, single
sign-on, navigation to preferred screens, multi-step logins,
etc.).
13
IBM European Tivoli Technical Conference 2011
Session management capability
• As organizations deploy more shared workstations and
kiosks, more users can roam and access information from
anywhere without returning to their personal PCs. Shared
and roaming scenarios pose severe security threats.
• TAM E-SSO increases user convenience and improve
information security through session management or fast user switching capabilities
• Users can quickly signon and sign-off to shared workstations
without using the Windows domain login process.
• Fast user switching on private desktops allows users to
maintain multiple unique user desktops on the same
workstation, preserving each user’s applications, documents,
and network drive mappings.
14
IBM European Tivoli Technical Conference 2011
User access tracking for audit & compliance reporting
• Combined strong authentication capabilities and usercentricaudit logs ensure secure access to confidential corporate
information and accountability at all times. The logs provide
the meta-information that can guide to a detailed analysis for
compliance
• Information are collated in a central relational database facilitating real-time monitoring and separate reporting with
third party reporting tools.
• The end-point automation framework can be leveraged to
audit custom access events for any application – without
modifying the application or leveraging the native audit
functionalities.
15
IBM European Tivoli Technical Conference 2011
The Identity and Access Management suite
16
ProfileGeneration
CentralizedAdministration
Support andSelf-Service
AuditReporting
DirectoryDB Mgmt
SOAP API
TAM E-SSO IAM Platform
Context
Management
UserProvisioning
EnterpriseSingle Sign-
On
SessionManagement
Audit andCompliance
TAM E-SSOAccessAgent
Web
TAM E-SSOAccessAgent
Citrix or Terminal Services Desktop
TAM E-SSOAccessAgent
StrongAuthentication
WorkflowAutomatio
n
Strong Authentication
� Building badge integration
� Active RFID
� Fingerprint biometric
� USB smart cards
� Cell phone authentication
� One-time password (OTP) iTag
Enterprise Single Sign-On
� For Windows, Citrix, Terminal Services, and thin client platforms
� For Web, desktop, mainframe, and TTY applications
� Browser-based single sign-on (SSO)
� Automatic generation of SSO AccessProfiles
Workflow Automation
� Application launch, drive mapping, single sign-off
� Automate any presentation layer event
� Automate walk away desktop security
Centralized Administration
� Web-based AccessAdmin
� Group-based and policy-driven management
Support and Self-Service
� Loss management
� User self-service
Centralized Audit
� Endpoint tracking
� Centralized SQL eporting
TAM E-SSO IMS Server
Desktop
IBM European Tivoli Technical Conference 2011
Tamesso Architecture
17
IBM European Tivoli Technical Conference 2011
User Provisioning: Tivoli Identity Manager
• TAM E-SSO combines with best-of-breed user provisioning technologies like TIVOLI IDENTITY MANAGER to provide
end-to-end identity lifecycle management.
• After the users are provisioned, they can leverage single
sign-on to access all their applications on shared and
personal workstations with one password.
• Users are never required to register their user names and
passwords individually as their credentials are automatically
provisioned.
18
IBM European Tivoli Technical Conference 2011
The goal of the ITIM/ESSO integration
• End to end management (and automation) of both physical
accounts and the credentials for these accounts.
• Keeping account IDs and Passwords (stored in ESSO
wallets) in sync with the physical accounts.
• The ability to bring onboard new employees, automatically
provision their accounts and have their account credentials
stored in their ESSO wallets.
…Allowing new employees to login to their desktop for the
first time and be able to access all their resources.
19
IBM European Tivoli Technical Conference 2011
Authentication Factors
• Authentication factors come in different forms and functions.
– With the exception of password and fingerprint, users access systems and applications with a device that works like a key. This concept makes it easy for users to adopt to the system quickly.
• Password
– The password is used to secure access to a Wallet. The user specifies this password upon signing up with TAM E-SSO AccessAgent. Signing up with TAM E-SSO AccessAgent means registering the user with the IMS Server, and creating a Wallet.
• Secret
– The user is asked to enter a secret when signing up for a Wallet. A secret is a second password or a backup password. It is similar to the “hint” provided when the user forgets the password for a Web e-mail account, for example.
20
IBM European Tivoli Technical Conference 2011
Second Authentication Factors
• Password can be fortified by a second authentication factor.
– The combination of the password and a USB Key strengthens the user’s computer’s security because both authentication factors must be present to access the computer.
• With TAMESSO you may use one of the following:
– ActiveCode
• short-term authentication codes that are controlled by the Tamesso system.
– USB Keys
• Can stores: a Serial Number; a Common Symmetric Key; Digital certificates
for each certificate-enabled application
– SmartCard
– RFID Card
– Fingerprint Identification
– Presence detectors
• Sonar device & Active Proximity Badge 21
IBM European Tivoli Technical Conference 2011
Second Authentication Factors: Hardware
22
pcProxSonar
TAM ESSO integrates with RFIDeas pcProx and AIR ID devices to read proximity cards and contactless smart cards to provide strong user authentication and
unified access to information, network, and resources.
TAM ESSO also integrates with the pcProx Sonar for walk away security
For more info visit http://rfideas.com
IBM European Tivoli Technical Conference 2011
Technical
Introduction
23
IBM European Tivoli Technical Conference 2011
TAM E-SSO Product Components
• WALLET
– Stores the user’s access credentials (including user IDs, passwords, certificates, encryption keys). Each user has a Wallet.
– A “cached” Wallet is a copy of the user’s Wallet stored in the hard disk of the computer. The user can retrieve the cached Wallet during emergencies
• AccessAgent
– Client software that manages user’s identity
– Enables sign-on and sign-off automation
• IMS Server
– Identity management system that enables centralized management of user identities, AccessProfiles, and policies
• AccessAdmin
– IMS Server Management console for Administrator and Helpdesk
24
IBM European Tivoli Technical Conference 2011
TAM E-SSO Product Components (…)
• AccessAssistant
– Web-based password self-help
• AccessStudio
– User interface for creating AccessProfiles required to support sign-on and sign-off automation
• Service Module
– Add-on modules that extend the capabilities of IMS
– IMS Bridge
IMS Service Modules that enable applications to use IMS as
authentication server
– IMS Connector
IMS Service Modules that enable IMS to interface with applications
25
IBM European Tivoli Technical Conference 2011
Platform Support
• AccessAgent runs on the following client platforms:
– Microsoft Windows XP service packs 2 and 3 (32-bit and
64-bit) (Smart cards require SP3)
– Microsoft Windows 7 support in FixPack 1
– Microsoft Windows Server 2003 (32-bit and 64-bit)
– Microsoft Windows Vista (32-bit and 64-bit)
– Microsoft Windows Server 2008 (32-bit and 64-bit)
• TAM E-SSO also supports thin client platforms. On these
platforms, the AccessAgent runs on Citrix or Terminal Services:– Windows CE and XPE
• IMS Server runs on Windows 2003 server and later
26
IBM European Tivoli Technical Conference 2011
Access Agent
27
AuthenticationFactors
IMS
Central Audit
CentralAdministration
AccessAgent
Observer Framework
Automated Actions
Automation Triggers
Plug-ins
Wallet
StrongAuthentication
SingleSign-on
AccessWorkflow
Automation
Session Management
Audit andTracking
IBM European Tivoli Technical Conference 2011
IMS Server: deployment and tips
• Since version 8.1 TAMESSO leverages the WebSphereApplication Server platform, a solid and mission critical
technology
• Database Server must be previously installed • DB2 9.5 or 9.7; MS SQL Server; Oracle 9i or 10g
• IMS Server deployment is a 5 steps process:
1. Package installation: installs WebSphere Application Server and deployes the Java Enterprise Application that is TAM ESSO
2. HTTP Configuration
3. Database Creation
4. IMS Server Configuration
• Data Source
• Enterprise Directory (Active Directory or LDAP)
5. Additional IMS Configuration
28
IBM European Tivoli Technical Conference 2011
3-29
What are the Policies
• Control behavior of TAM E-SSO components
• Enable product to be configured to meet specific
requirements
• Have different visibility and scope
• Are managed by different roles
• Critical Step of the Deployment process
– Once IMS Server and AccessAdmin are installed, trough an Initial Configuration Wizard is necessary to configure the Access Admin and then define default system template with allowed authentication factors, shared workstation and more
IBM European Tivoli Technical Conference 2011
3-30
Policy types and scope
• System policy
– Global
– Configured using AccessAdmin
– Can be modified by an administrator
– Can be viewed by a helpdesk user
• User policy
– Affects only a specific user
– Configured using AccessAdmin
– Can be modified by an administrator or helpdesk user
• Machine policy
– Configured using AccessAdmin
– Can be modified by an administrator
– Can be viewed by a helpdesk user
IBM European Tivoli Technical Conference 2011
Access Admin
• Is the management console used by Administrators and Help
desk officers to manage users and policies on an IMS
Server.
• Different access rights are given to the Administrator and
Help desk roles. Certain configurations (for example, system
policies) can only be viewed but not modified by Help desk.
• AccessAdmin has a left navigation panel for accessing
various functions, such as:• User search and administration (to modify user policies, issue authorization
code, unlock a locked Wallet, revoke user, etc.)
• Creating and maintaining policy templates (can only be created and main-
tained by an Administrator, but a Help desk officer can view and apply)
• Setting system and application policies (can only be modified by an Adminis-
trator, but a Help desk officer can view)
• Accessing logs and status information 31
IBM European Tivoli Technical Conference 2011
Access Admin
• Access Admin runs on top of WebSphere Application Server
and is accessed trough a specific link in the IMS web
interface: https://<ims_server_name>/ims
32
IBM European Tivoli Technical Conference 2011
Web Workplace
• A Web-based interface that gives users the ability to log on
to enterprise Web applications by clicking on links, without
the need to remember the passwords for individual
applications. It can be integrated with the existing portal or
SSL VPN.
33
IBM European Tivoli Technical Conference 2011
AccessAgent Installation
• INSTALLATION
– AccessAgent can be installed Manually or trough a Remote Installation using a group policy
• CUSTOMIZATION
– AccessAgent can be castomised both in the Configuration Process that in the Banner:
– The package can contain:
• SetupHlp.ini: installation options
• DeploymentScript.vbs: code to be installed and run
• Any other file to be copied to the TAM E-SSO program files folder
• Additional configuration information for optional features, such as biometric
(fingerprint) support
– Banner Customization allows to show a picture for:
• TAM E-SSO GINA welcome, logon, lock, and unlock windows
• Desktop AccessAgent window
34
IBM European Tivoli Technical Conference 2011
AccessAgent: a new GINA
35
After the AccessAgent is installed, a new TAM E-SSO GINA
is inserted in front of the Windows GINA (chained not
replaced)
IBM European Tivoli Technical Conference 2011
4-36
User sign up
• If Enable automatic signup option is selected in system
settings, users are automatically enrolled when they log on
• Alternatively, a Sign Up option is available on the
TAM E-SSO GINA
IBM European Tivoli Technical Conference 2011
4-37
Secrets
• Set by user during sign up by
selecting questions from the
pid_bind_secret_question_list policy
• Should be:
– Easy to remember
– Permanent in nature
– Not easily made known to others
• Used when password is not
available, such as during a
password reset
IBM European Tivoli Technical Conference 2011
4-38
The Wallet
• Is stored on the IMS Server. However, some parts can also
be stored in an authentication factor, such as a private key
on smart card
• Roams to any point of access
– Accessible with appropriate combination of authentication factors
• Wallets can be:
– In memory (does not contain certificate or OTP seed)
– Cached on hard disk or smart card (for offline access including offline bypass and password reset) AccessAgent creates a machine wallet (if it does not exist) when it starts
• If the IMS Server is not reachable, policies and
AccessProfiles are obtained from a local file
• The AccessAgent performs periodic synchronization with
the IMS Server
IBM European Tivoli Technical Conference 2011
7-39
AccessStudio overview
• Is the wizard-based tool used by the Administrator to
create and manage AccessProfiles and enable SSO,
sign-off, and workflow automation.
• Each application is represented by an AccessProfile,
which is a set of instructions that defines the workflow for
that particular application.
• Features include:• Support for standard and advanced modes for AccessProfiles of varying
complexity
• Graphical user interface and XML editors
• Flexibility in editing AccessProfiles stored in any location
• Ability to import existing AccessProfiles from AccessAgent or IMS server
• Advanced credential and policy management
• Automatic validation of AccessProfile data
• Ability to test and debug AccessProfiles
IBM European Tivoli Technical Conference 2011
7-40
Simple AccessProfiles generation wizard
• Used to generate AccessProfiles for applications
� 16-bit and 32-bit Windows
� Web pages
� Java applications and applets
� TTY and mainframe
� Owner-drawn
• Supports the following workflows:
� Logon (All types)
� Change password: Windows, Web, TTY, Mainframe (cursor-based)
� Logoff: Windows, Web, Mainframe (cursor-based)
� Other Tasks: Windows, Web, Mainframe (cursor-based)
• Can be used when the .exe or Web page refer to only one authentication service
• User drags a selector to the relevant Windows or Web elements
• Automatically creates a new application
• Authentication service is automatically created, or can use an existing one
IBM European Tivoli Technical Conference 2011
7-41
Generating an AccessProfile
Open AccessStudio by navigating to Start > All Programs > Encentuate AccessStudio > AccessStudio
IBM European Tivoli Technical Conference 2011
7-42
Using the profile generator
Click New > New AccessProfile (using Generator)
IBM European Tivoli Technical Conference 2011
7-43
Creating a Windows profile
Enter the application name and select Windows for the
application type
IBM European Tivoli Technical Conference 2011
7-44
Select the task to automate
• Specify the task you will be automating
• Logon is the default
IBM European Tivoli Technical Conference 2011
7-45
Open the application
Open the application you are profiling
IBM European Tivoli Technical Conference 2011
7-46
Identify the fields
Drag the crosshairs to the relevant fields
IBM European Tivoli Technical Conference 2011
What else???
47
IBM European Tivoli Technical Conference 2011
10-
48
Integrating with LDAP directories
– TAM E-SSO can use enterprise directories other than Active Directory
– LDAP directories are now configurable using the IMS Configuration Utility setup assistant
– The LDAP schema must contain an attribute that represents the user ID to be used for the TAM E-SSO account
– The Tivoli Directory Server credential is only used during sign-up
– TAM E-SSO user passwords are managed by the IMS server after sign-up
– Password synchronization is not used
• Installing IMS Server with Tivoli Directory Server
– Identify a dedicated lookup user in LDAP or add one
– Ensure inetOrgPerson objects have a unique identifier and passwords
– Use the IMS Configuration Utility’s setup assistant and choose Generic LDAP as the enterprise directory type The initial TAM E-SSO administrator account can now be specified here
IBM European Tivoli Technical Conference 2011
10-
49
High availability
Components that require redundancy:1. WebSphere server
2. Database server
3. Directory server2
3
1
IBM European Tivoli Technical Conference 2011
10-
50
High Availability: WebSphere Server
• IBM WebSphere Application Server uses Network
Deployment Manager (NDM) for high availability
– Multiple WebSphere Application Server nodes can be installed with the same applications and NDM handles which node responds to a request
– Application configuration changes (tuning and so on) are performed on the NDM and synchronized to available nodes
• Each WebSphere Application Server node is configured with
a node agent that allows communication with NDM
• Each WebSphere Application Server node is referred to as a
‘cluster member’
IBM European Tivoli Technical Conference 2011
10-
51
Directory server high availability
Primary TDS Secondary TDS
High availability example with DB2DB2 Server
DB2 Server
IMS Server
DB2 Client
Primary Node
Failover Node
HADR Synchronization
Client Reroute
Load Balancer
IBM European Tivoli Technical Conference 2011
What is next? Education Path & Course Test Drive
• Tivoli software training and certificationhttp://www-01.ibm.com/software/tivoli/education/
• IBM Tivoli Access Manager for ESSO 8.1 Deployment and Administration (classroom)http://www-304.ibm.com/jct03001c/services/learning/ites.wss/us/en?pageType=course_description&courseCode=TW172
• IBM Tivoli Access Manager for ESSO 8.1 Deployment and Administration (Instructor Led Online)http://www-304.ibm.com/jct03001c/services/learning/ites.wss/us/en?pageType=course_description&courseCode=8W172
• Tivoli Access Manager for Enterprise Single Sign-On Overview DEMOhttps://www14.software.ibm.com/webapp/iwm/web/signup.do?source=swg-spsm-tiv-sec-
dm&S_PKG=TAMESSO_Overview
52
IBM European Tivoli Technical Conference 2011
Useful Resources
• Links to Useful Resourceshttp://www.ibm.com/developerworks/wikis/display/tivoliaccessmanagerforesso/Related+Resources
• TAM ESSO Forumhttp://www.ibm.com/developerworks/forums/forum.jspa?forumID=1592
• Product Page & Free Trial Downloadhttp://www-01.ibm.com/software/tivoli/products/access-mgr-esso/
http://www.ibm.com/developerworks/downloads/tiv/accessmanager/index.html
• Information Centerhttp://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.itamesso.doc/welcome.htm
• Support Informationhttp://www-01.ibm.com/software/sysmgmt/products/support/IBMTivoliAccessManagerforEnterpriseSingleSignOn.html
• TroubleShootinghttp://www.ibm.com/developerworks/wikis/display/tivoliaccessmanagerforesso/Troubleshooting
• Proximity and Contactless Card Reader for TAMESSOhttp://rfideas.com/Software/
53