Front cover -- Contents -- Notices -- Trademarks -- Preface -- The team that wrote this redbook -- Become a published author -- Comments welcome -- Part 1 Introduction to secure portal solutions -- Chapter 1. Introduction -- 1.1 Secure portal solution overview -- 1.1.1 Key concepts of a secure portal solution -- 1.1.2 Secure portal solution high level architecture -- 1.2 Solution software -- 1.2.1 Runtime environment solution software -- 1.2.2 Development environment solution software -- 1.3 Target audience of redbook -- 1.3.1 Roles and skills -- 1.3.2 Matching redbook topics to roles and skills -- Chapter 2. Security fundamentals -- 2.1 Security domain and risk management -- 2.1.1 Source of vulnerability and intruder reconnaissance -- 2.1.2 Physical security -- 2.1.3 Logical security -- 2.1.4 Security policy -- 2.1.5 Security risk management -- 2.2 Method for Architecting Secure Solutions (MASS) -- 2.3 Security fundamentals -- 2.3.1 Public Key Infrastructure (PKI) -- 2.3.2 WebSphere Portal security model -- 2.3.3 Tivoli Access Manager security model -- 2.3.4 Authentication -- 2.3.5 Authorization -- 2.3.6 WebSphere Portal Credential Vault -- 2.3.7 Tivoli Access Manager Global Sign-on (GSO) -- Chapter 3. Architecture and topology selection -- 3.1 Topology definition and operational model -- 3.1.1 Operational model overview -- 3.1.2 Topology zones -- 3.1.3 Conceptual model -- 3.1.4 Specified model -- 3.1.5 Security interaction patterns -- 3.2 Runtime environment topology selection -- 3.2.1 Entry runtime topology -- 3.2.2 Enterprise runtime topology -- 3.2.3 Extended enterprise runtime topology -- 3.3 Development environment topology selection -- 3.3.1 Conceptual model -- 3.3.2 Specified model -- 3.3.3 All-in-one approach -- 3.3.4 Develop and deploy without debug -- 3.3.5 Develop, deploy, and remote debugging.

3.3.6 Develop using a shared security infrastructure -- Chapter 4. Design and integration guidelines -- 4.1 Security and design guidelines -- 4.1.1 Design principles -- 4.1.2 WebSphere Portal vs Tivoli Access Manager authorization -- 4.1.3 Single sign-on guidelines -- 4.1.4 Identity management -- 4.1.5 Adding an external Web server for WebSphere Portal -- 4.2 Product-specific integration guidelines -- 4.2.1 WebSEAL junctions -- 4.2.2 Junction considerations for use with TAI -- 4.2.3 Handling of back-end application cookies -- 4.2.4 Junction Mapping Table (JMT) -- 4.2.5 WebSEAL URL-based access control -- 4.2.6 Access control of WebSphere Portal resources -- 4.2.7 Access control of resources within portlet applications -- 4.2.8 WebSEAL and WebSphere Portal session considerations -- 4.3 Sequence diagrams for common access patterns -- 4.3.1 UCT1: Access unprotected portal page -- 4.3.2 UCT2: Access protected portal page, provide valid credentials -- 4.3.3 UCT3: Access protected portal page with existing valid session -- 4.3.4 UCT4: Access protected portal page with invalid credentials -- 4.3.5 UCT5: WebSEAL session times out before portal session -- 4.3.6 UCT6: Portal session times out before WebSEAL session -- 4.3.7 UCT7: Both WebSEAL and WebSphere Portal sessions time out -- 4.3.8 UCT8: WebSphere Portal logout after WebSEAL session timeout -- 4.4 Component connections -- Part 2 ITSO working example secure portal solution -- Chapter 5. Requirements and solution design -- 5.1 Business scenario -- 5.1.1 Initial context -- 5.1.2 Business challenges -- 5.2 Business requirements -- 5.2.1 Functional requirements -- 5.2.2 Non-functional requirements -- 5.3 Use case model -- 5.3.1 Use case overview -- 5.3.2 Front-end use cases -- 5.3.3 Administrative use cases -- 5.4 Architecture -- 5.4.1 Architecture overview -- 5.4.2 Architecture decisions.

5.4.3 Selected runtime environment -- 5.4.4 Selected development environment -- Chapter 6. Install the runtime environment -- 6.1 Planning -- 6.1.1 Hardware and software prerequisites -- 6.1.2 Hardware used within the ITSO runtime environment -- 6.1.3 Software used within the ITSO runtime environment -- 6.1.4 Software installation paths and variables -- 6.1.5 Using VMWare and Ghost -- 6.2 Implement the Policy Server node -- 6.2.1 Windows 2000 Server installation -- 6.2.2 DB2 Universal Database installation -- 6.2.3 IBM GSKit upgrade installation -- 6.2.4 Java Runtime Environment (JRE) V1.3.1 installation -- 6.2.5 Tivoli Directory Server installation -- 6.2.6 Tivoli Directory Server configuration -- 6.2.7 Tivoli Web Administration Tool installation -- 6.2.8 Configure Directory Server for Tivoli Access Manager -- 6.2.9 Tivoli Access Manager installation -- 6.2.10 Tivoli Access Manager configuration -- 6.2.11 Tivoli Access Manager Web Portal Manager installation -- 6.2.12 Tivoli Access Manager V5.1 Base Fixpack 2 installation -- 6.3 Implement the Reverse Proxy node -- 6.3.1 Windows 2000 Server installation -- 6.3.2 Install GSKit -- 6.3.3 Install Java Runtime Environment (JRE) -- 6.3.4 Install Tivoli Directory Client -- 6.3.5 Tivoli Access Manager - WebSEAL installation -- 6.3.6 Tivoli Access Manager - WebSEAL configuration -- 6.3.7 Tivoli Access Manager V5.1 Base Fixpack 2 installation -- 6.3.8 Tivoli Access Manager V5.1 WebSEAL Fixpack 2 installation -- 6.4 Implement the Portal Server node -- 6.4.1 Windows 2000 Server installation -- 6.4.2 WebSphere Portal Server V5.0 installation -- 6.4.3 WebSphere Application Server Enterprise V5 Fixpack 2 (V5.0.2) installation -- 6.4.4 WebSphere Application Server V5.0.2 Fixes installation -- 6.4.5 WebSphere Portal V5 Fixpack 2 (V5.0.2) installation.

6.4.6 WebSphere Application Server Enterprise V5.0.2 Cumulative Fix (V5.0.2.3) installation -- 6.4.7 WebSphere Portal V5.0.2 Cumulative Fix 1 (V5.0.2.1) installation -- 6.4.8 Java Runtime Environment (JRE) V1.3.1 installation -- 6.4.9 Tivoli Access Manager Java Runtime Environment installation -- 6.4.10 DB2 Universal Database installation -- Chapter 7. Configure the runtime environment -- 7.1 Configure WebSphere Portal for DB2 -- 7.2 Configure WebSphere Portal for IBM HTTP Server -- 7.3 Configure WebSphere Portal for LDAP -- 7.3.1 Create a suffix -- 7.3.2 Create LDIF file containing users and groups -- 7.3.3 Import the LDIF file (wp-itso.ldif) to create users and groups -- 7.3.4 Enable LDAP security for WebSphere Portal -- 7.3.5 Verify the LDAP configuration -- 7.4 Enable mutual SSL between WebSEAL and WebSphere Portal -- 7.4.1 IBM HTTP Server SSL configuration -- 7.4.2 Configure WebSphere Portal for SSL -- 7.4.3 Export IBM HTTP Server CA certificate -- 7.4.4 Import IBM HTTP Server certificate into WebSEAL keystore -- 7.4.5 Export WebSEAL certificate -- 7.4.6 Import WebSEAL certificate into IBM HTTP Server keystore -- 7.4.7 Enable mutual SSL for IBM HTTP Server -- 7.5 Configure portal authentication with TAM using TAI -- 7.5.1 Apply Tivoli Access Manager ACLs to new LDAP suffixes -- 7.5.2 Define additional MIME types for WebSphere Application Server -- 7.5.3 Create a WebSEAL junction -- 7.5.4 Enable forms authentication on WebSEAL -- 7.5.5 Configure WebSEAL to modify URLs to back-end systems -- 7.5.6 Configure additional WebSEAL parameters -- 7.5.7 Import WebSphere Portal users and groups into TAM -- 7.5.8 Define access controls for WebSphere Portal URIs -- 7.5.9 Configure the junction mapping table -- 7.5.10 Configure SSO for WebSEAL and WebSphere via TAI -- 7.5.11 Configure Portal login/logout for use with WebSEAL.

7.6 Configure Portal for authorization with TAM -- 7.6.1 Configure the SSL between WebSphere and TAM -- 7.6.2 Implement JAAS authentication -- 7.6.3 Modify WebSphere Portal configuration files -- 7.6.4 Verify entries in TAM for Portal external authorization -- 7.6.5 Example for externalizing a resource -- 7.7 Integrate the Credential Vault -- 7.7.1 Credential Vault overview -- 7.7.2 Configure the Credential Vault for Tivoli Access Manager -- 7.7.3 Verify the Credential Vault -- 7.8 Additional configuration -- 7.8.1 Configure WebSEAL and WebSphere Portal sesssion timeouts -- 7.8.2 Configure WebSEAL to handle favicon.ico -- Chapter 8. Implement the development environment -- 8.1 Planning -- 8.1.1 Architecture overview -- 8.1.2 Hardware used within the ITSO development environment -- 8.1.3 Software used within the ITSO development environment -- 8.1.4 VMWare -- 8.2 Implement the Repository node (optional) -- 8.3 Implement the Policy Server node -- 8.4 Implement the Reverse Proxy node (optional) -- 8.5 Implement the Development node -- 8.5.1 Windows 2000 installation -- 8.5.2 WebSphere Studio Application Developer V5.1.1 installation -- 8.5.3 WebSphere Studio Application Developer V5.1.1 Interim Fix 002 installation -- 8.5.4 WebSphere Studio Application Developer - WebSphere Test Environment fixpack installation -- 8.5.5 WebSphere Portal Toolkit and test environment installation -- 8.5.6 Verify the Portal Toolkit and Test Environment installation -- 8.5.7 Java Runtime Environment (JRE) V1.3.1 installation -- 8.5.8 Tivoli Access Manager Java Runtime Environment installation -- 8.5.9 Configure the SSL between the WTE and TAM -- 8.5.10 Verify the TAM configuration within WebSphere Studio -- 8.5.11 CVS client configuration for WebSphere Studio -- 8.6 Configure WebSphere Portal for LDAP -- 8.6.1 Create a suffix.

8.6.2 Import the LDIF file (wp-itso.ldif) to create users and groups.