Distributed Security and High Availability with Tivoli Access Manager and WebSphere Application Server for z/OS.

Front cover -- Contents -- Figures -- Tables -- Notices -- Trademarks -- Preface -- The team that wrote this redbook -- Become a published author -- Comments welcome -- Chapter 1. Concepts and architecture -- 1.1 Security -- 1.1.1 Physical security -- 1.1.2 Logical security -- 1.2 Availability -- 1.2.1 Business impact of unplanned outages -- 1.2.2 A business need to extend service hours -- 1.2.3 Service level agreement -- 1.3 Scalability -- Chapter 2. Tivoli Access Manager and WebSphere Application Server for z/OS integration -- 2.1 Tivoli Access Manager -- 2.1.1 Tivoli Access Manager features -- 2.1.2 Tivoli Access Manager base components -- 2.1.3 Tivoli Access Manager blades -- 2.2 WebSphere Edge Components -- 2.2.1 WebSphere Edge Components Load Balancer -- 2.2.2 Load Balancer components -- 2.3 WebSphere Application Server for z/OS -- 2.3.1 WebSphere Application Server for z/OS differences with WebSphere Application Server distributed -- 2.3.2 WebSphere Application Server for z/OS terminology -- 2.4 Tivoli Access Manager and WebSphere Application Server for z/OS integration -- Chapter 3. Designing the TAM, WAS for z/OS integration architecture -- 3.1 Tivoli Access Manager and WebSphere Application Server integration capabilities -- 3.1.1 Shared user registry -- 3.1.2 Web SSO -- 3.1.3 Web SSO with Trust Association Interceptor -- 3.1.4 Web SSO with LTPA -- 3.1.5 Web SSO with GSO -- 3.1.6 Application integration with aznAPI -- 3.1.7 Application integration with PDPermission and JAAS -- 3.1.8 Application integration, J2EE security, and AMWAS -- 3.1.9 Integration scenario 1: Tivoli Access Manager authentication and LocalOS authorization for WebSphere Application Server -- 3.1.10 Integration scenario 2: Tivoli Access Manager authentication and authorization for WebSphere Application Server.

3.1.11 Integration scenario 3: Tivoli Access Manager authentication, authorization and native authentication for WebSphere Application Server -- 3.2 Things to consider -- 3.2.1 Security -- 3.2.2 Availability -- 3.2.3 Scalability -- 3.3 Generic architecture -- 3.3.1 Generic logical architecture: Functional -- 3.3.2 Generic logical architecture: Technical -- 3.3.3 Generic physical architecture -- 3.4 Security -- 3.4.1 Typical requirements -- 3.4.2 Web security principles -- 3.4.3 Network zones and component placement -- 3.4.4 SSL -- 3.5 Availability -- 3.5.1 Components of WebSphere Edge Server Load Balancer availability -- 3.5.2 WebSEAL availability -- 3.5.3 Tivoli Access Manager Policy Server availability -- 3.5.4 LDAP availability -- 3.5.5 zSeries and z/OS availability -- 3.5.6 HTTP Server for z/OS availability -- 3.5.7 WebSphere Application Server for z/OS availability -- 3.6 Scalability -- 3.6.1 WebSphere Edge components Load Balancer scalability -- 3.6.2 Tivoli Access Manager scalability -- 3.6.3 LDAP scalability -- 3.6.4 zSeries and z/OS scalability -- 3.6.5 HTTP Server for z/OS scalability -- 3.6.6 WebSphere Application Server for z/OS scalability -- 3.7 Solution affinity, sessions, and failover -- 3.7.1 WebSphere Edge Server Load Balancer affinity -- 3.7.2 WebSEAL affinity and sessions -- 3.7.3 HTTP Server for z/OS, WebSphere Application Server plug-in affinity -- 3.7.4 WebSphere Application Server for z/OS sessions -- Chapter 4. Project test environment -- 4.1 Project test environment: Functional view -- 4.1.1 Logical architecture: Functional view -- 4.1.2 Logical architecture: LDAP connections -- 4.2 Project test environment: Technical view -- 4.2.1 Logical architecture: Technical view with LDAP on AIX -- 4.2.2 Logical architecture: Technical view with LDAP on z/OS -- 4.2.3 Physical architecture: LDAP on AIX.

4.2.4 Physical architecture: LDAP on z/OS -- Chapter 5. Implementing the user repository: LDAP on AIX and LDAP on z/OS -- 5.1 LDAP on AIX -- 5.2 Prerequisites and dependencies -- 5.3 Installation -- 5.4 Configuration -- 5.4.1 Configuring the Tivoli Directory Server administrator -- 5.4.2 Configuring the database -- 5.4.3 Configuring the suffix -- 5.4.4 First initialization of Tivoli Directory Server -- 5.4.5 Configuring security for Tivoli Directory Server -- 5.4.6 Installing the fix pack on Tivoli Directory Server -- 5.4.7 Installing the Tivoli Directory Server Web Administration Tool -- 5.4.8 Installing the fix pack on the Web Administration Tool -- 5.4.9 Configuring Tivoli Directory Server for the SecTest application -- 5.4.10 Configuring replication in Tivoli Directory Server -- 5.4.11 Configuring the master server -- 5.4.12 Synchronizing the data between servers -- 5.4.13 Configuring the replica server -- 5.4.14 Checklist for the Tivoli Directory Server parameters -- 5.5 LDAP on z/OS -- 5.6 Prerequisites and dependencies -- 5.7 Installation -- 5.7.1 Finishing the installation of LDAP on z/OS -- 5.8 Configuration -- 5.8.1 Configuring LDAP on z/OS for the SecTest application -- 5.8.2 Configuring LDAP on z/OS for Tivoli Access Manager -- 5.8.3 Configuring LDAP on z/OS replication -- 5.8.4 Configuring Sysplex Distributor for WebSphere Application Server and LDAP on z/OS -- 5.8.5 Checklist for the LDAP on z/OS parameters -- Chapter 6. Implementing the security manager: Tivoli Access Manager -- 6.1 Tivoli Access Manager -- 6.2 Prerequisites and dependencies -- 6.3 Installation -- 6.4 Configuration -- 6.4.1 Configuring Tivoli Access Manager Runtime -- 6.4.2 Tivoli Access Manager failover capability for LDAP servers -- 6.4.3 Configuring the Policy Server -- 6.4.4 Configuring the Authorization Server -- 6.4.5 Configuring the Java Runtime Environment.

6.4.6 Configuring Web Portal Manager -- 6.4.7 Checklist for Tivoli Access Manager parameters -- Chapter 7. Implementing the security proxy: WebSEAL -- 7.1 WebSEAL -- 7.2 Prerequisites and dependencies -- 7.3 Installation -- 7.4 Configuration -- 7.4.1 Configuring Access Manager Runtime -- 7.4.2 Configuring WebSEAL -- 7.4.3 Editing the WebSEAL configuration file -- 7.4.4 Configuring failover authentication -- 7.4.5 Checklist for WebSEAL parameters -- Chapter 8. Implementing WebSphere Edge Components Load Balancer -- 8.1 Load Balancer -- 8.2 Prerequisites and dependencies -- 8.3 Installation -- 8.4 Configuration -- 8.4.1 LDAP Load Balancer configuration file -- 8.4.2 WebSEAL Load Balancer configuration file -- 8.4.3 Checklist for WebSphere Edge Components parameters -- Chapter 9. Implementing the application server: HTTP Server for z/OS and WAS for z/OS -- 9.1 HTTP Server for z/OS -- 9.2 Prerequisites and dependencies -- 9.3 Installation -- 9.3.1 Configuring HTTP Server for z/OS for high availability -- 9.3.2 Installing the WebSphere Application Server plug-in -- 9.3.3 Configuring the WebSphere Application Server plug-in -- 9.3.4 Configuring WebSphere Application Server plug-in affinity -- 9.4 WebSphere Application Server for z/OS -- 9.4.1 Configuring high availability in WebSphere Application Server for z/OS -- 9.4.2 Configuring WebSphere Application Server for z/OS HTTP Sessions replication -- 9.4.3 Checklist for HTTP Server for z/OS and WebSphere Application Server for z/OS -- Chapter 10. Implementing the TAM and WAS for z/OS integration -- 10.1 Installation -- 10.2 Prerequisites and dependencies -- 10.3 Tivoli Access Manager for WebSphere Application Server for z/OS integration -- 10.4 Configuration -- 10.4.1 Creating the Tivoli Access Manager administrative user for WebSphere Application Server.

10.4.2 Configuring Tivoli Access Manager Java Runtime Environment -- 10.4.3 Configuring Tivoli Access Manager for WebSphere Application Server for z/OS -- 10.4.4 Enabling WebSphere Application Server for z/OS security to use Tivoli Access Manager -- 10.5 Tivoli Access Manager and WebSphere Application Server for z/OS single signon -- 10.5.1 Adding certificates to WebSEAL -- 10.5.2 Registry attribute entitlement service -- 10.5.3 Creating an LTPA non-SSL junction -- 10.5.4 Creating an LTPA SSL junction -- 10.5.5 Creating a stateful LTPA SSL junction -- 10.5.6 Replicated front-end WebSEAL -- 10.5.7 Creating a stateful LTPA SSL junction with WebSEAL affinity -- 10.5.8 Creating TAI SSL junctions -- 10.5.9 Checklist for Tivoli Access Manager and z/WAS integration -- Chapter 11. Using and validating the TAM and WAS for z/OS integration solution -- 11.1 Application used in this redbook -- 11.1.1 SecTest -- 11.1.2 Swipe -- 11.2 Creating users and groups with Tivoli Access Manager -- 11.2.1 Creating a user -- 11.2.2 Creating a group -- 11.3 User access to J2EE roles with Tivoli Access Manager -- 11.3.1 Creating users and groups in such a configuration -- 11.3.2 Creating and securing roles J2EE roles -- 11.3.3 Granting users or groups access to J2EE roles -- 11.3.4 Deploying an application -- 11.4 Scenario to validate security -- 11.4.1 Step 1 -- 11.4.2 Step 2 -- 11.4.3 Step 3 -- 11.4.4 Step 4 -- 11.4.5 Step 5 -- 11.4.6 Step 6 -- 11.5 Validating security -- 11.5.1 Validating LTPA SSO -- 11.5.2 Validating Trust Association Interceptor SSO -- 11.6 Validating high availability, failover, and recovery -- 11.6.1 Validating WebSEAL -- 11.6.2 Validating LDAP -- 11.6.3 Validating HTTP Server for z/OS -- 11.6.4 Validating WebSphere Application Server for z/OS -- 11.6.5 Validating high availability for WebSphere Application Server for z/OS.

11.6.6 Validating the Policy Server.