In this section, we describe the physical components that are assembled for Tivoli Access Manager for Enterprise Single Sign-On. See Figure 2-6.
Figure 2-6 Physical base deployment architecture
AccessAgent
The AccessAgent is deployed on user and administrator workstations either manually or by using software distribution mechanisms. Because the AccessAgent features can be configured afterward, specifying any options during the AccessAgent software installation is not necessary. However, several configuration parameters, such as the IMS Server URL or whether the GINA extension should be installed, can be predefined.
AccessAgent and GINA chaining
For AccessAgents installed with the GINA option enabled, a user logs on to the AccessAgent GINA first, with the required authentication factors, whereupon the AccessAgent automatically logs on the user to Windows with the user’s Windows account. The Windows GINA is not replaced and is always available as needed.
For AccessAgents installed without the GINA option enabled, the user usually logs on to Windows manually first, and then logs on separately to AccessAgent with the required authentication factors. This is not always the case, however: for password-sync single-factor deployments, for example, the EnNetworkProvider can be used to avoid the second logon.
Availability constraints
If the AccessAgent has a network connection to the IMS Server, it authenticates a user against the IMS Server by passing the authentication credentials to IMS over HTTPS. However, if the AccessAgent cannot reach the IMS Server, it authenticates the user's presented credentials against cached authentication data stored on the local disk. The data volume for each class of data cached at the clients is estimated at the following values:
System data: up to 300 - 400 KB
User data: 50 - 100 KB per user
Support for terminal services
The AccessAgent has a server mode for Microsoft Windows Terminal Server and Citrix Presentation Server. To use the single sign-on features on one of these systems, the AccessAgent simply has to be deployed on the server.
Hardware and software requirements
The AccessAgent requires a computer with a Windows operating system installed. For detailed hardware requirements, refer to the product documentation.
IMS Server
As the central repository and management point for all system and user data consumed by the AccessAgents, the Integrated Management System (IMS) performs the following functions:
Serves as a central repository and distribution point for AccessProfiles and other system data.
Serves as a central repository for all user data, including the credential Wallet and various authentication and access policies.
Provides a SOAP API for AccessAgents, as well as AccessAssistant and Web Workplace servers, to authenticate users, and to retrieve and synchronize system and user data.
Provides a SOAP API for AccessStudio to upload new or updated AccessProfiles for distribution to AccessAgents.
Provides a SOAP API for Tivoli Identity Manager to provision application credentials into users' Wallets and to provision users into IMS.
Provides SOAP and RADIUS APIs for third-party software, such as VPN, to authenticate users through one-time passwords.
Provides a Web-based interface for administrators to manage users, machines and system policies, as well as to query audit logs. The Web-based interface is named AccessAdmin.
The IMS Server consists of a group of Web-based applications developed in Java that run on top of an Apache Tomcat application server. During installation of the IMS Server software, the application server is also installed.
Administration of the Tomcat application server itself is not necessary during IMS operation.
IMS database
The IMS Server stores all its data within a relational database. The IMS database contains these classes of data:
System data
The class of system data includes AccessProfiles, system policies, user and machine policy templates, and other system configuration data.
User data
The class of user data includes application credentials and user policies.
Machine data
The class of machine data includes any machine policies and information about deployed machines.
Audit logs
Every user and administrator activity is recorded in the IMS database; even the SOAP call logs are stored there.
Expected data volume
The expected data volume is important for the sizing of the IMS database server.
Based on the architecture and database design, the data volume for each class of data stored on IMS is estimated at:
System data is expected to be 10 MB or less.
User data can reach approximately 200 KB per user.
Audit logs require no more than 7 GB per 1000 users for a log retention period of one year.
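The following sizing helper is an added example, not part of the IBM documentation: it turns the client-cache and IMS database figures given above into upper-bound estimates for a given user population. Scaling audit volume linearly with user count and retention period, and treating 1 MB as 1024 KB, are assumptions.

```python
# Constructed sizing helper (added example, not from the product documentation).
# Figures are the estimates stated in the text; linear scaling of audit volume
# with users and retention years, and 1 MB = 1024 KB, are assumptions.
KB = 1
MB = 1024 * KB
GB = 1024 * MB

# IMS Server database estimates (upper bounds from the text)
IMS_SYSTEM_DATA_MAX = 10 * MB
IMS_USER_DATA_MAX = 200 * KB            # per user
IMS_AUDIT_PER_1000_USERS_YEAR = 7 * GB  # per 1000 users, one year of retention

# AccessAgent on-disk cache estimates (low, high) from the text
AGENT_SYSTEM_DATA = (300 * KB, 400 * KB)
AGENT_USER_DATA = (50 * KB, 100 * KB)   # per user cached on that workstation


def ims_database_size_kb(users: int, retention_years: float = 1.0) -> dict:
    """Upper-bound IMS database size in KB, broken down by data class."""
    system = IMS_SYSTEM_DATA_MAX
    user = IMS_USER_DATA_MAX * users
    audit = IMS_AUDIT_PER_1000_USERS_YEAR * (users / 1000) * retention_years
    return {"system": system, "user": user, "audit": audit,
            "total": system + user + audit}


def agent_cache_size_kb(users_per_workstation: int) -> tuple:
    """(low, high) KB estimate of the offline cache on one shared workstation."""
    low = AGENT_SYSTEM_DATA[0] + AGENT_USER_DATA[0] * users_per_workstation
    high = AGENT_SYSTEM_DATA[1] + AGENT_USER_DATA[1] * users_per_workstation
    return low, high


def fmt(kb: float) -> str:
    """Human-readable size string for a KB value."""
    if kb >= GB:
        return f"{kb / GB:.2f} GB"
    if kb >= MB:
        return f"{kb / MB:.1f} MB"
    return f"{kb:.0f} KB"


if __name__ == "__main__":
    est = ims_database_size_kb(users=1000, retention_years=1)
    for cls, size in est.items():
        print(f"{cls:7} {fmt(size)}")
    lo, hi = agent_cache_size_kb(25)   # e.g. a shared kiosk with 25 users
    print("kiosk cache:", fmt(lo), "-", fmt(hi))
```

Audit logs dominate the database estimate, so the retention policy, not the user count alone, is what drives IMS database server sizing.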
Supported database engines
The following types of relational databases are currently supported:
Microsoft SQL Server 2000
Microsoft SQL Server 2000 Desktop Engine (MSDE)
Microsoft SQL Server 2005
Microsoft SQL Express
Oracle Database 9i
Oracle Database 10g
IBM DB2 9.5 (available in the installation CD, but must be installed separately)
Note: The database can be created on an existing database server, or it can be installed on the same system where the IMS Server resides. If the IMS database and IMS Server are running on different machines, the system clocks must be synchronized. Furthermore, because the IMS Server performs all database operations on behalf of the user defined as the database administrator, a database administrator account is required.