Identity and Access Management in a WebSphere env.

Aug 7, 2012

Identity and Access Management in a WebSphere Environment

Mano Cheema

Copyright Kewhill Limited 2004

What your sponsor wants

- "I want a log-in page…"

What your sponsor needs

- An application access control framework which is flexible and can provide access control for a variety of resources
- Usually as part of an enterprise integration exercise

What your sponsor is really asking for

- Secure access to resources of many different types
- Discrimination between resource types
- Discrimination between user types (roles)
- Ability to manage disparate resources
- Single sign-on (SSO)
- A single security code base
- A single security model
- Separation of security code from application logic

Islands of security

[Diagram: each of these is a separate island of security: web sites/portals, ERP, in-house apps., CRM, third party apps.]

Integration Scenario Stage I

[Diagram: supplier (B2B), customer (B2C), intermediary and internal user; intranet and extranet; a Portal or WebSphere Portal Server and WebSphere Application Server in front of Db, ERP, CRM and in-house systems]

Integration Scenario Stage II

[Diagram: same users and channels as Stage I; WAS with an Access Control component in front of Db, ERP and CRM]

Integration Scenario Stage III

[Diagram: same users and channels as Stage I; TAM (WebSEAL, Mgmt. server, LDAP) in front of CICS, ERP and CRM]

Role Based Access Control (RBAC)

- Associate access rights with a role in the organisation
- Assign multiple roles to an individual
- Change access rights by role
- Map organisational disposition to access rights
- Centralise management

Other benefits

- "Early binding" to the user
- Immediate lookup to a scalable directory service
- Integration with multiple directory services
- Personalisation
- Integration with a user provisioning system

Components

- Reverse proxy - WebSEAL
- Management Server
  - Policy Server
  - Authorization Server
- LDAP server(s)

WebSEAL

A WebSEAL is:
- a bastion web and certificate server
- an engine for authentication
- an engine for authorisation decisions
- a means for creating secure tunnels or junctions to many types of back-end resource
- a reverse proxy with caching facilities
- a unified entry point to all secured resources
- scalable
- a logging/auditing engine

Management Server

The Management Server:
- comprises an authorisation server and a policy server
- holds user credentials
- maintains pointers to LDAP entries
- allows TAM user administration
- maintains protected object policies (POPs), e.g. TOD (time-of-day restrictions)
- controls credential caching and replication
- … and other functions

LDAP server(s)

LDAP servers:
- hold user data as inetOrgPerson objects
- store user ids, passwords and group memberships in a private area
- store a relationship id with the management server
- can be used to hold other data
- can be replicated and/or load balanced
- can have hierarchical preference values (0-10)

LDAP: Key design issues

- Do not use a common node for all users!
- Spend as much effort as possible on structure and taxonomy
- Map LDAP to the disposition of the organisation
  - functional
  - …and/or geographical
- This will pay dividends in many (sometimes unforeseeable) ways!
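The concrete reason behind "do not use a common node for all users" is scope: LDAP searches, ACLs and delegated administration are all expressed as a base DN plus a subtree, so the tree can only be carved up along the lines the DIT already has. The following is an added example, not part of the deck and not TAM or any directory product's code; the suffix dc=example,dc=com, the country/function OUs and the four staff entries are constructed. It compares a DIT mapped to geography and function with a flat one under a single ou=people node.

```python
# Added example (not from the deck): subtree scoping over an in-memory DIT.
# Shows why a tree mapped to the organisation (country / function) can be
# searched, delegated and policed one part at a time, while a flat tree under
# one common node cannot. All DNs below are constructed.

def rdns(dn):
    """Split a DN into normalised (attribute, value) pairs, leaf first.
    Simplified: no escaped commas or multi-valued RDNs."""
    pairs = []
    for part in dn.split(","):
        attr, value = part.split("=", 1)
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs

def in_subtree(dn, base):
    """True when dn is base itself or lies anywhere beneath it."""
    r, b = rdns(dn), rdns(base)
    return len(r) >= len(b) and r[-len(b):] == b

def search(entries, base, scope="sub"):
    """LDAP-style search by base DN and scope over a list of entry DNs."""
    hits = [e for e in entries if in_subtree(e, base)]
    if scope == "sub":
        return hits
    if scope == "one":
        return [e for e in hits if len(rdns(e)) == len(rdns(base)) + 1]
    raise ValueError(f"unknown scope {scope!r}")

def user_dn(uid, country, function, structured=True):
    """Place a user by the organisation's disposition (country and function),
    or, for comparison, under a single common node."""
    if structured:
        return f"uid={uid},ou={function},ou={country},ou=people,dc=example,dc=com"
    return f"uid={uid},ou=people,dc=example,dc=com"

def can_administer(admin_scopes, target_dn):
    """Delegated administration: an admin may touch an entry only when it
    sits under one of the subtrees assigned to that admin."""
    return any(in_subtree(target_dn, base) for base in admin_scopes)

def bases_containing(entries, dn):
    """Every ancestor base of dn with the number of entries that base pulls in.
    In a flat tree the first base that reaches one user already reaches all."""
    r = rdns(dn)
    bases = [",".join(f"{a}={v}" for a, v in r[i:]) for i in range(1, len(r))]
    return [(base, len(search(entries, base))) for base in bases]

# Constructed staff list: (uid, country, function)
STAFF = [("ann", "uk", "finance"), ("ben", "uk", "sales"),
         ("cai", "de", "finance"), ("dee", "de", "sales")]
STRUCTURED = [user_dn(*s) for s in STAFF]
FLAT = [user_dn(*s, structured=False) for s in STAFF]

if __name__ == "__main__":
    print("UK staff:", search(STRUCTURED, "ou=uk,ou=people,dc=example,dc=com"))
    print("structured:", bases_containing(STRUCTURED, STRUCTURED[0]))
    print("flat:", bases_containing(FLAT, FLAT[0]))
```

With the structured tree, a UK administrator can be scoped to ou=uk and an ACL can be hung on ou=finance,ou=uk; with the flat tree the narrowest base that contains any one user is the common node itself, so every scope becomes "everyone". Group membership can still express function in a flat tree, but only as data that has to be maintained by hand rather than as a property of where the entry lives.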

Architecture I

[Diagram: two WebSEALs, a load balancing layer, two application servers]

Architecture II

[Diagram: as Architecture I, plus a Mgmt. server holding the authorisation and credentials stores; the WebSEALs keep local caches, refreshed at start, on update and at replication intervals]

Architecture III

[Diagram: as Architecture II, plus three LDAP servers behind the Mgmt. server]

Architecture IV - LDAP

[Diagram: three LDAP servers] Master/replicated architecture:
1. Update/delete on master
2. Update/delete on replica(s)
3. Fail over to next replica

Architecture V - LDAP

[Diagram: three LDAP servers behind a load balancer, replicating to each other] Load balanced/peered architecture:
1. Update/delete on any
2. Update/delete on peers
3. Annealing after failure

Authentication/Authorisation Scenario

[Diagram: supplier (B2B), customer (B2C), intermediary and internal user reach ERP, IIS and WAS through TAM (WebSEAL, Mgmt. server, LDAP) over a smart junction. On log in the user ID, password and group memberships are checked against LDAP; WebSEAL asks "protected object?" and the Mgmt. server supplies the credentials and protected object policies]

TAM/Application Interaction

- Header information
  - User id
  - Group memberships
  - Serialised credential object (access via API)
- C and Java APIs
- JAAS
  - JAAS LoginModule to obtain credentials from TAM
  - PDPermission class to request authorisation decisions
- Container-managed authorisation (TAM for WebSphere)
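The scenario slide above and this slide describe one flow: WebSEAL authenticates the caller, builds a credential (user id plus group memberships), checks it against the policy on the protected object, and then forwards the request over a junction with the identity in headers. The block below is an added example that walks that flow in working code; it is not TAM or WebSEAL code. The object space paths, users, groups, ACL entries, the time-of-day POP and the X-Junction-Secret header are constructed, and the ACL semantics are modelled loosely on TAM's (a user entry wins, else the union of matching group entries, else any-other, with a separate unauthenticated entry; the nearest explicit ACL is inherited down the tree; traverse is required on every ancestor). The practitioner's caveat it makes explicit: a junctioned application must never trust iv-user or iv-groups on a request that did not provably come through WebSEAL, so the proxy strips client-supplied iv-* headers and the back end checks a junction secret before believing the identity.

```python
# Added example (not TAM/WebSEAL code): a miniature WebSEAL-style policy
# decision over a protected object space, then the headers a junction hands to
# the back end. Names, ACLs, POPs and the X-Junction-Secret header are constructed.
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass(frozen=True)
class Credential:
    user: Optional[str]     # None until the caller has logged in
    groups: tuple = ()      # group memberships from the directory

# Permission letters, as in TAM: T = traverse, r = read, x = execute
ACLS = {
    "/WebSEAL": {"any-other": "T", "unauthenticated": "T"},
    "/WebSEAL/proxy1/junction-portal": {"any-other": "Tr", "unauthenticated": "Tr"},
    "/WebSEAL/proxy1/junction-erp": {"group:erp-users": "Tr", "any-other": "T"},
    "/WebSEAL/proxy1/junction-erp/admin": {"group:erp-admins": "Trx"},
}
# Protected object policies: here only a time-of-day window (server-local hours)
POPS = {"/WebSEAL/proxy1/junction-erp/admin": {"tod": (8, 18)}}

def nearest(table, obj):
    """Walk up the object space and return the nearest explicit entry (inheritance)."""
    path = obj
    while True:
        if path in table:
            return table[path]
        if path in ("", "/"):
            return None
        path = path.rsplit("/", 1)[0] or "/"

def permissions(cred, obj):
    """Permission string the credential holds on obj, TAM-style precedence."""
    acl = nearest(ACLS, obj) or {}
    if cred.user is None:
        return acl.get("unauthenticated", "")
    if f"user:{cred.user}" in acl:
        return acl[f"user:{cred.user}"]
    grants = [acl[f"group:{g}"] for g in cred.groups if f"group:{g}" in acl]
    if grants:
        return "".join(sorted(set("".join(grants))))   # union of group grants
    return acl.get("any-other", "")

def ancestors(obj):
    parts = obj.strip("/").split("/")
    return ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]

def decide(cred, obj, action="r", hour=None):
    """(allowed, reason) for one request. Any denial of an anonymous caller is
    reported as 'login required', which is the point at which WebSEAL shows the log-in page."""
    def deny(reason):
        return False, ("login required" if cred.user is None else reason)
    for anc in ancestors(obj):
        if "T" not in permissions(cred, anc):
            return deny(f"no traverse on {anc}")
    if action not in permissions(cred, obj):
        return deny(f"acl denies {action!r} on {obj}")
    pop = nearest(POPS, obj) or {}
    if "tod" in pop:
        start, end = pop["tod"]
        hour = datetime.now().hour if hour is None else hour
        if not start <= hour < end:
            return deny("outside time-of-day window")
    return True, "ok"

# Assumption: a secret the junction attaches so the back end can tell proxied
# traffic from a client that reached it directly. Not a real WebSEAL header.
JUNCTION_SECRET = "constructed-shared-secret"

def junction_headers(cred, client_headers):
    """Headers forwarded after a permit. Client-supplied iv-* headers are dropped
    first: the back end must only ever see the identity WebSEAL established."""
    fwd = {k: v for k, v in client_headers.items() if not k.lower().startswith("iv-")}
    fwd["iv-user"] = cred.user or "unauthenticated"
    fwd["iv-groups"] = ",".join(f'"{g}"' for g in cred.groups)
    fwd["X-Junction-Secret"] = JUNCTION_SECRET
    return fwd

def backend_identity(headers):
    """The junctioned application's side of the contract: accept iv-user only
    on requests that carry the junction secret, i.e. that came through WebSEAL."""
    if headers.get("X-Junction-Secret") != JUNCTION_SECRET:
        return None
    return headers.get("iv-user")

if __name__ == "__main__":
    bob = Credential("bob", ("erp-users", "erp-admins"))
    print(decide(bob, "/WebSEAL/proxy1/junction-erp/admin/users", action="x", hour=10))
    print(junction_headers(bob, {"iv-user": "admin", "Host": "erp.example"}))
```

The same header-trust rule applies to the TAI and LTPA options on the next slide: whatever token or header carries the identity from the reverse proxy into WebSphere, the application server has to verify that it came from the proxy (a secret, a client certificate or network isolation) before it skips its own authentication.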

Single Sign-On (SSO) options

- GSO junctions
  - Mapping between the TAM identity and another id/password
- Trust Association Interceptors (TAI)
  - Intercepts HTTP requests from the reverse proxy and delegates trust from WebSphere to TAM
- LTPA cookies
  - Encrypted cookie shared by WAS and TAM
- Remove authentication from the back-end resource and pass this responsibility to TAM

Case Study: Intranet

- 40,000 users
- 1000+ geographical nodes
- 5000+ organisational nodes
- 50+ applications
- Default applications for each role type
- SecurID tokens used for login
- Packaged applications, multiple OS, mainframe and MQSeries
- Comprehensive LDAP design led to many new functions

WebSphere Portal Server

- TAM is the external security provider
- There is no concept of a URI or URL
- A TAI is used to delegate authorisation
- The TAM LDAP repository is directly accessed by WPS
- Page/place access control is managed within WPS
- Some flexibility is lost

User Provisioning options

- Provide consistent workflows for user management
  - Custom WebSphere application
  - Tivoli Identity Manager
  - Web Portal Manager

Deployment Issues

- Ownership
- Deployment package contents
- Development guidelines for internal teams
- Development guidelines for suppliers

"I want a log-in page…"