IBM TPM 5.1.1.x Security Technologies

Aug 7, 2012

© 2011 IBM Corporation

TPM 7.1.1 and TPM 5.1.1 Security Technologies

Lewis Lo

23 Feb 2011

TPM 5.1.1.x Security Technologies


- TPM 5.1.1.x runs on WAS 6.0.x
- TPM 5.1.1.x adopts a default-to-denied access security policy: a user initially has no
  access to resources, even where no restriction is defined
- It offers an OS authentication service, so that an application user can be an OS user
  (Unix and Windows users)
- TPM 5.1.1.x uses the Access Group for grouping the resources to be protected
- LDAP is used for role-based UI security: access to menus and buttons on the UI page
- Two modes that use LDAP are supported in TPM 5.1.1.x:
  - Users and roles are in LDAP; the authentication and authorization services obtain
    their information from LDAP directly
  - Only users are in LDAP; authenticating a user consults LDAP, while role information
    is obtained from the TPM database
- Role-based security is supported for the UI, access control, and workflow security
- The web service interface is subject to access control and workflow security
- Permissions for access control are part of the permissions in workflow security


TPM 7.1.1 Security Technologies


- TPM 7.1.1.x runs on Maximo, which runs on WAS 6.1.0.29
- TPM 7.1.1.x is no longer a web application on its own
- It adopts a default-to-granted access security policy, that is, a user has access to all
  resources if no restriction is defined
- It offers a Maximo authentication service: a proprietary authentication service that
  stores users and user passwords in the database. Authentication is performed by the
  Maximo security service; no interface to WAS security is required
- It uses the TPM provisioning group for security purposes
  - Static group: members of a static group are managed explicitly
  - Dynamic group: a query is defined for every dynamic group, and membership is
    determined at run time by running the query (similar to an SQL query)
- It supports two modes of security services with LDAP:
  - Users and roles are in LDAP; the authentication and authorization services obtain
    their information from LDAP directly
  - Only users are in LDAP; authenticating a user consults LDAP, while role information
    is obtained from the Maximo database


TPM 7.1.1 Security Technologies - Continued


- TPM 7.1.1 uses the notion of a Security Group, which is identified in LDAP
- The Security Group is used for UI, access control, and workflow security
- The web service interface is subject to access control and workflow security
- Permissions for access control and workflow security are decoupled:
  - Access control security uses the Maximo security framework
  - Workflow security uses the TPM internal security framework
- FIPS enabled
  - PKCS 12 formatted keystore and truststore are supported
  - TLS is supported




Major differences between TPM 5.1.1 and TPM 7.1.1

| TPM 5.1.1 | TPM 7.1.1 |
|---|---|
| Default to denied access | Default to granted all access |
| Access Group (static) for protected resources | Provisioning groups (static or dynamic) for protected resources. Provisioning groups can be typed |
| LDAP groups are for UI security only. Security for access control and workflow are managed separately | LDAP groups are used for all security measures, including UI, access control, and workflow. Users in the same group obtain the set of permissions granted to the same set of resources |
| Supports OS authentication service | No OS authentication service |
| No proprietary authentication service supported | Supports Maximo proprietary authentication service |
| Non-FIPS | FIPS supported with TLS protocol |


TPM 7.1.1 security overview


TPM 7.1.1 security consists of the following components:

- Maximo Security Service: the engine that performs security-related tasks, including
  authentication and authorization of users
- Data restriction component: defines the data restrictions for accessing instances of an
  object, for read or write access
- Security Group: contains the security information for the Maximo Security Service.
  The information includes users, permissions, and the resources to be protected
- Provisioning Group: a TPM-specific group that contains TPM objects and can be used
  for security purposes



[Diagram: WebSphere Security Service, Maximo Security Service (role-based security), and LDAP (users and roles info), with the control flow numbered 1 to 7]


Control Flow of Authentication and Authorization

1. The user attempts to access TPM and a challenge page is presented. The user inputs a
   username and password, and control passes to the Maximo Security Service.
2. The Maximo Security Service delegates the authentication service to WebSphere.
3. WebSphere contacts the LDAP to retrieve user information, including the roles the user
   is a member of.
4. WebSphere performs an LDAP bind operation for the user; LDAP returns a response if the
   user provides a valid username and password.
5. If the user enters a valid username and password, WebSphere returns a successful logon
   message to the Maximo Security Service.
6. The Maximo Security Service consults the access control list for the TPM UI; the access
   control list records which UI the user's roles have access to.
7. The Maximo Security Service renders the UI pages based on the roles the user has and the
   access control lists of the UI for those roles.



Instance Access Security


There are two types of instance permissions:

- Read/Write permission: governs read-only and write access to an object. A user can write
  to an object if and only if he has write access to that instance of the object.
- Workflow Security: a workflow is protected when a permission is required to run it
  - The permissions required for a workflow are declared in the workflow definition
  - A user is assigned to a security group
  - A permission group contains permissions
  - A provisioning group contains the TPM objects to be protected

Example of a protected workflow:

    @requirepermission Software.Install clusterId
    @requirepermission Software.Start clusterId
    logicaloperation test.test (clusterId) LocaleInsensitive
    invokeimplementation







Example of running a Device Reboot workflow

[Diagram: the Device Reboot workflow requires the Device.Reboot permission. Provisioning Group PG1 contains server1 and Provisioning Group PG2 contains server2; User 1 and User 2 belong to Security Groups SG1 and SG2, each of which carries the Device.Reboot permission]


Example of running a Device Reboot workflow


- Security Group SG1 has user members user1 and user2
- Security Group SG2 has user member user2
- Provisioning group PG1 contains server1, which ties to Security Group SG1
- Provisioning group PG2 contains server2, which ties to Security Group SG2
- Both security groups (SG1 and SG2) contain the permission Device.Reboot
- User1 is granted permission Device.Reboot on server server1
- User2 is granted permission Device.Reboot on servers server1 and server2, since user2 is a
  member of both security groups SG1 and SG2
- When running a workflow that requires the permission Device.Reboot:
  - User1 can only execute the workflow on target server1
  - User2 can execute the workflow on both targets, i.e. server1 and server2
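
The following is an added Python model of the workflow security rule described on the protected-workflow slide and in the Device Reboot example above; it is not TPM code. The security groups, provisioning groups and workflow texts are constructed to match the slides (SG2 is additionally given the two Software.* permissions so that a workflow requiring several permissions can be checked).

```python
import re
from typing import Dict, List, Set

# Constructed data following the Device Reboot slides: SG1 = {user1, user2},
# SG2 = {user2}; PG1 = {server1} tied to SG1, PG2 = {server2} tied to SG2.
# SG2 also carries the two Software.* permissions of the protected-workflow
# example, so the "every declared permission is required" rule can be exercised.
SECURITY_GROUPS: Dict[str, Dict[str, Set[str]]] = {
    "SG1": {"users": {"user1", "user2"}, "perms": {"Device.Reboot"}},
    "SG2": {"users": {"user2"},
            "perms": {"Device.Reboot", "Software.Install", "Software.Start"}},
}
PROVISIONING_GROUPS: Dict[str, dict] = {
    "PG1": {"members": {"server1"}, "sg": "SG1"},
    "PG2": {"members": {"server2"}, "sg": "SG2"},
}

# Constructed workflow definitions in the @requirepermission form of the slide.
REBOOT_WORKFLOW = """@requirepermission Device.Reboot deviceId
logicaloperation Device.Reboot (deviceId) LocaleInsensitive
invokeimplementation
"""
SOFTWARE_WORKFLOW = """@requirepermission Software.Install clusterId
@requirepermission Software.Start clusterId
logicaloperation test.test (clusterId) LocaleInsensitive
invokeimplementation
"""

_REQ = re.compile(r"^@requirepermission\s+(\S+)\s+\S+\s*$", re.MULTILINE)


def required_permissions(workflow: str) -> List[str]:
    """Permission names declared in the workflow definition (target variable dropped)."""
    return [m.group(1) for m in _REQ.finditer(workflow)]


def effective_permissions(user: str, target: str) -> Set[str]:
    """Union of the permissions of every security group the user belongs to
    whose tied provisioning group contains the target."""
    perms: Set[str] = set()
    for pg in PROVISIONING_GROUPS.values():
        if target in pg["members"]:
            sg = SECURITY_GROUPS[pg["sg"]]
            if user in sg["users"]:
                perms |= sg["perms"]
    return perms


def can_run(user: str, workflow: str, target: str) -> bool:
    """A workflow with no @requirepermission is unprotected and runs for anyone;
    a protected one needs every declared permission effective on the target."""
    have = effective_permissions(user, target)
    return all(p in have for p in required_permissions(workflow))
```

Note that user2 can run the Software workflow on server2 but not on server1, because SG1 lacks the Software.* permissions even though user2 is a member of it.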



Role Mapping TPM 5.1.1.x to TPM 7.1.1

    <?xml version="1.0"?>
    <Mapping>
      <Roles>
        <Role name="SystemAdministrator">
          <ITUPRole>TPADMIN</ITUPRole>
        </Role>
        <Role name="InventorySpecialist">
          <ITUPRole>TPCONFIGURATIONLIBRARIAN</ITUPRole>
        </Role>
        <Role name="SoftwareOperator">
          <ITUPRole>TPCONFIGURATIONLIBRARIAN</ITUPRole>
          <ITUPRole>TPCOMPLIANCEANALYST</ITUPRole>
          <ITUPRole>TPDEPLOYMENTSPECIALIST</ITUPRole>
        </Role>
        <Role name="ChangeApprover">
          <ITUPRole>TPCOMPLIANCEANALYST</ITUPRole>
        </Role>
        <Role name="AutomationPackageDeveloper">
          <ITUPRole>TPDEVELOPER</ITUPRole>
        </Role>
        <Role name="ConfigurationAdministrator">
          <ITUPRole>TPDEPLOYMENTSPECIALIST</ITUPRole>
          <ITUPRole>TPCONFIGURATIONLIBRARIAN</ITUPRole>
          <ITUPRole>TPCOMPLIANCEANALYST</ITUPRole>
        </Role>
        <Role name="ConfigurationOperator">
          <ITUPRole>TPCONFIGURATIONLIBRARIAN</ITUPRole>
        </Role>
      </Roles>
    </Mapping>
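
An added Python reader for the role mapping format above (not part of the presentation or of TPM). The embedded XML is a constructed excerpt with three of the slide's roles; the inverted view shows where several 5.1.1 roles fan in to one 7.1.1 ITUP role, which is the part of a migration worth reviewing since members of formerly separate roles end up with the same group.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

# Constructed excerpt in the format of the slide's mapping file (three of its roles).
MAPPING_XML = """<?xml version="1.0"?>
<Mapping>
  <Roles>
    <Role name="SystemAdministrator">
      <ITUPRole>TPADMIN</ITUPRole>
    </Role>
    <Role name="SoftwareOperator">
      <ITUPRole>TPCONFIGURATIONLIBRARIAN</ITUPRole>
      <ITUPRole>TPCOMPLIANCEANALYST</ITUPRole>
      <ITUPRole>TPDEPLOYMENTSPECIALIST</ITUPRole>
    </Role>
    <Role name="ConfigurationOperator">
      <ITUPRole>TPCONFIGURATIONLIBRARIAN</ITUPRole>
    </Role>
  </Roles>
</Mapping>
"""


def parse_mapping(xml_text: str) -> Dict[str, List[str]]:
    """5.1.1 role name -> ordered list of 7.1.1 ITUP roles. A malformed entry
    (no name, duplicate name, empty or blank ITUPRole) is rejected rather than
    silently mapping a role to nothing."""
    root = ET.fromstring(xml_text)
    if root.tag != "Mapping":
        raise ValueError("root element must be <Mapping>")
    mapping: Dict[str, List[str]] = {}
    for role in root.iterfind("Roles/Role"):
        name = role.get("name")
        targets = [(r.text or "").strip() for r in role.findall("ITUPRole")]
        if not name or name in mapping or not targets or not all(targets):
            raise ValueError(f"bad <Role> entry: {name!r} -> {targets!r}")
        mapping[name] = targets
    return mapping


def invert(mapping: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """ITUP role -> the 5.1.1 roles that land in it; a set with more than one
    member marks where the migration merges formerly separate roles."""
    out: Dict[str, Set[str]] = {}
    for old, news in mapping.items():
        for new in news:
            out.setdefault(new, set()).add(old)
    return out


def effective_itup_roles(user_roles: Set[str], mapping: Dict[str, List[str]]) -> Set[str]:
    """Union of ITUP roles for a migrated user; an unmapped 5.1.1 role raises
    KeyError instead of being dropped, so the migration fails closed."""
    return {new for old in user_roles for new in mapping[old]}
```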


Resource links to security groups and application access rights

- http://publib.boulder.ibm.com/infocenter/tivihelp/v28r1/topic/com.ibm.tivoli.tpm.scenario.doc/security/rsec_secgroupapp.html
- http://publib.boulder.ibm.com/infocenter/tivihelp/v28r1/topic/com.ibm.tivoli.tpm.scenario.doc/security/csec_predefinedgroups.html


For more security information, please visit our:

- TPM DeveloperWorks Wiki, Security and Audit:
  http://www.ibm.com/developerworks/wikis/display/tivoliprovisioningmanager/Security+and+Audit
- TPM 7.2.0.1 Information Center, Security:
  http://publib.boulder.ibm.com/infocenter/tivihelp/v45r1/topic/com.ibm.tivoli.tpm.scenario.doc/security/csec_security.html