In most IT environments, authentication and authorization are tightly coupled to individual applications. Companies typically build applications over time to serve their business needs, and many of these applications require some specific form of authorization. The result is often a wide variety of applications with differing authorization implementations. These proprietary implementations require separate administration, are difficult to integrate, and result in a higher cost of ownership. A distributed authorization service can provide these independent applications with a standard authorization decision-making mechanism. The benefits of such a standard authorization service include:
Reduced cost of developing and managing access to applications
Reduced total cost of ownership and management of separate authorization systems
Leveraging the existing security infrastructure
Years ago, ABBC initiated a project to implement a centralized, solid, and easy-to-manage security architecture protecting ABBC's assets from external and internal attacks. ABBC chose Tivoli Access Manager as the strategic product to implement their security policy. The IBM Redbook Enterprise Business Portals II with IBM Tivoli Access Manager, SG24-6885, describes the implementation of ABBC's Access Manager infrastructure and how Access Manager protects external Web resources and internal communication links and provides centralized security management. One of the most important goals was to create a solid platform for access control with the following advantages:
A common base for storing and managing user accounts and passwords.
The service is centrally managed and therefore easy to administer; the addition of a new employee, for example, requires modifying the privilege database in one central location, rather than across multiple systems.
The service has a scalable and flexible architecture that can be easily integrated with an existing infrastructure.
The service uses a common and effective auditing model.
The service is independent of any authentication mechanism.
Implementation of sophisticated password rules.
Definition of allowed login times for administrators and users.
Definition of maximum login attempts.
By default, the Security Compliance Manager server does not enforce any password rules or perform any password strength testing, and no mechanism exists to recover a forgotten password. Consequently, ABBC's project team decides to integrate Security Compliance Manager with the existing Tivoli Access Manager environment and make use of its access control mechanisms. The following sections describe the three installation and configuration steps:
Install and configure Access Manager’s Java Runtime Environment (JRE).
Configure Security Compliance Manager’s JRE for Access Manager authentication.
Configure Security Compliance Manager server to use JAAS authentication.
Install and configure the Access Manager JRE
Installation, configuration, and testing the Access Manager Java Runtime Environment (JRE) on AIX consists of the following steps:
1. Install the Access Manager JRE on the Security Compliance Manager server node. Follow the instructions in Chapter 8, “Setting up a Java runtime environment system”, in the IBM Tivoli Access Manager Base Installation Guide Version 5.1, SC32-1362.
2. Make sure that you are using the Access Manager Java environment in /usr/java131/jre/bin and not the Security Compliance Manager Java environment; verify this with the command which java.
3. Configure the Access Manager JRE environment in the directory /usr/java131 using the command shown in Example 6-5.
Example 6-5 Configuration command for Access Manager's JRE
java com.tivoli.pd.jcfg.SvrSslCfg -action config \
    -admin_id <master administrator ID of your Access Manager environment> \
    -admin_pwd <password of the master administrator> \
    -appsvr_id <application ID of your SCM server; it must be unique, and other instances of the application on this or other systems must each be given their own ID> \
    -appsvr_pwd <password for the keystore file> \
    -host <host name of the SCM server> \
    -mode remote -port 900 \
    -policysvr <host name of your policy server>:7135:1 \
    -authzsvr <host name of your authorization server>:7136:1 \
    -cfg_file <name of the configuration file to be created> \
    -key_file <name of the keystore file to be created>
4. Before integrating the Security Compliance Manager application, we recommend testing the Access Manager JRE setup with a sample application. You can use the example provided by Sun's JAAS Authentication Tutorial at:
http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/tutorials/GeneralAcnOnly.html
If authentication through the Access Manager JRE works, you can continue with the integration of Security Compliance Manager and Access Manager.
Configure JRE for Access Manager authentication
Configuring Security Compliance Manager for Access Manager authentication consists of the following steps:
1. Change to the /opt/IBM/SCM/server/jre/lib/ext directory using the following command:
cd /opt/IBM/SCM/server/jre/lib/ext
2. Move ibmjcaprovider.jar and indicim.jar to ibmjcaprovider.jar.SCM and indicim.jar.SCM using the following commands:
mv ibmjcaprovider.jar ibmjcaprovider.jar.SCM
mv indicim.jar indicim.jar.SCM
Tivoli Access Manager deletes ibmjcaprovider.jar without warning when its Java runtime is configured in the next step; renaming the two libraries first preserves them.
3. Configure the Access Manager Java environment into the Security Compliance Manager Java environment using the following syntax and command (Example 6-6):
pdjrtecfg -action config -host <policy_server_host> [-port policy_server_port] [-java_home jre_home] [-domain domain_name] [-config_type full] [-enable_tcd [-tcd path]]
Example 6-6 Configuration command for Java environment
<PDJRTE_HOME>/sbin/pdjrtecfg -action config -host itsosec8.itsc.austin.ibm.com -java_home /opt/IBM/SCM/_jvm/jre
The output of the command is:
Configuration of Access Manager Java Runtime Environment is in progress. This might take several minutes.
Configuration of Access Manager Java Runtime Environment completed successfully.
4. Copy the configuration file PdPerm.properties from /usr/java131/jre into /opt/IBM/SCM/_jvm/jre.
5. Change to the /opt/IBM/SCM/jars directory using the following command:
cd /opt/IBM/SCM/jars
6. Move the Security Compliance Manager provided jaas.jar to jaas.jar.SCM using the following command:
mv jaas.jar jaas.jar.SCM
7. Link the ibmjcaprovider.jar.SCM and indicim.jar.SCM locally as JAR files using the following command:
ln -s /opt/IBM/SCM/server/jre/lib/ext/ibmjcaprovider.jar.SCM ibmjcaprovider.jar
ln -s /opt/IBM/SCM/server/jre/lib/ext/indicim.jar.SCM indicim.jar
8. Change to the /opt/IBM/SCM/jars/boot directory using the following command:
cd /opt/IBM/SCM/jars/boot
9. Move US_export_policy.jar, ibmjcefw.jar, ibmjceprovider.jar, ibmjsse.jar, and local_policy.jar to .SCM extensions using the following commands:
mv US_export_policy.jar US_export_policy.jar.SCM
mv ibmjcefw.jar ibmjcefw.jar.SCM
mv ibmjceprovider.jar ibmjceprovider.jar.SCM
mv ibmjsse.jar ibmjsse.jar.SCM
mv local_policy.jar local_policy.jar.SCM
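Steps 1, 2 and 5 through 9 above are plain renames and links, but typed by hand a second time (after a failed pdjrtecfg run, for example) the mv commands would overwrite a .SCM backup that already holds the original library. The script below is an added example for this page, not a script shipped with Security Compliance Manager or Access Manager: it performs the same renames and links idempotently, refuses to clobber an existing backup, and checks the end state. It is split into the part that must run before pdjrtecfg (steps 1 and 2) and the part that runs after it and the PdPerm.properties copy (steps 5 through 9); the root directory argument exists only so the script can be tried against a scratch copy of the tree, and defaults to /opt/IBM/SCM.

```shell
#!/bin/sh
# Added example, not the Redbook's own script: idempotent version of the
# library renames and links in the procedure above. Directory layout is the
# one used on this page under /opt/IBM/SCM (overridable for testing).

# Rename DIR/NAME to DIR/NAME.SCM. A second run is a no-op; a run that
# finds both the original and the backup stops rather than overwrite.
park_jar() {
    p_dir=$1; p_name=$2
    if [ -e "$p_dir/$p_name.SCM" ]; then
        [ ! -e "$p_dir/$p_name" ] && return 0    # already parked earlier
        echo "refusing: both $p_name and $p_name.SCM exist in $p_dir" >&2
        return 1
    fi
    [ -e "$p_dir/$p_name" ] || { echo "missing: $p_dir/$p_name" >&2; return 1; }
    mv "$p_dir/$p_name" "$p_dir/$p_name.SCM"
}

# Step 7: expose a parked library under its original name in another
# directory through a symbolic link (ln -sf makes this repeatable).
link_parked() {
    ln -sf "$1/$2.SCM" "$3/$2"
}

# Steps 1 and 2: run before pdjrtecfg, which deletes ibmjcaprovider.jar.
before_pdjrtecfg() {
    root=${1:-/opt/IBM/SCM}
    ext="$root/server/jre/lib/ext"
    for j in ibmjcaprovider.jar indicim.jar; do
        park_jar "$ext" "$j" || return 1
    done
}

# Steps 5 through 9: run after pdjrtecfg and the PdPerm.properties copy.
after_pdjrtecfg() {
    root=${1:-/opt/IBM/SCM}
    ext="$root/server/jre/lib/ext"
    jars="$root/jars"
    boot="$root/jars/boot"
    park_jar "$jars" jaas.jar || return 1
    for j in ibmjcaprovider.jar indicim.jar; do
        link_parked "$ext" "$j" "$jars" || return 1
    done
    for j in US_export_policy.jar ibmjcefw.jar ibmjceprovider.jar ibmjsse.jar local_policy.jar; do
        park_jar "$boot" "$j" || return 1
    done
}

# True when every backup and link the procedure expects is in place.
verify_swap() {
    root=${1:-/opt/IBM/SCM}
    for f in server/jre/lib/ext/ibmjcaprovider.jar.SCM \
             server/jre/lib/ext/indicim.jar.SCM \
             jars/jaas.jar.SCM \
             jars/boot/US_export_policy.jar.SCM \
             jars/boot/ibmjcefw.jar.SCM \
             jars/boot/ibmjceprovider.jar.SCM \
             jars/boot/ibmjsse.jar.SCM \
             jars/boot/local_policy.jar.SCM; do
        [ -f "$root/$f" ] || { echo "expected $root/$f" >&2; return 1; }
    done
    [ -L "$root/jars/ibmjcaprovider.jar" ] && [ -L "$root/jars/indicim.jar" ]
}
```

Run before_pdjrtecfg, then pdjrtecfg and the PdPerm.properties copy exactly as in steps 3 and 4, then after_pdjrtecfg and verify_swap; a non-zero exit from verify_swap after the server fails to start is the quickest way to tell a half-applied swap from a configuration problem.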
Configure server to use JAAS authentication
The final step is the re-configuration of the Security Compliance Manager server to use the JAAS authentication module.
1. Change to the /opt/IBM/SCM/server directory using the following command:
cd /opt/IBM/SCM/server
2. Copy the server.ini file to a backup file, and modify server.ini in a text editor so that the line:
jac.security.authenticator=com.ibm.jac.server.JACAuthenticator
becomes:
#jac.security.authenticator=com.ibm.jac.server.JACAuthenticator
and insert:
jac.security.authenticator=com.ibm.jac.server.JACJaasAuthenticator
jac.security.jaasconfiguration=JaasAuthentication
3. Change to the /opt/IBM/SCM/etc directory using the following command:
cd /opt/IBM/SCM/etc
4. Create a file named tamauthentication.config containing:
JaasAuthentication {
    com.tivoli.mts.PDLoginModule required;
};
5. Change to the /opt/IBM/SCM/server/_jvm/jre/lib/security directory using the following command:
cd /opt/IBM/SCM/server/_jvm/jre/lib/security
6. Copy java.security to a backup file and modify java.security to append the following lines:
# Configure Access Manager for login
login.configuration.provider=com.ibm.security.auth.login.ConfigFile
login.config.url.1=file:/opt/IBM/SCM/etc/tamauthentication.config
The file tamauthentication.config is the JAAS login configuration created in step 4; the PDLoginModule it names relies on the Access Manager Java runtime configuration created with Example 6-5 on page 147 and copied into the Security Compliance Manager JRE as PdPerm.properties.
7. Restart the Security Compliance Manager server.
User authentication will now be performed by Tivoli Access Manager. User IDs and passwords have to be managed using Access Manager's administration and user tools.