WebSphere Portal and Security - All you need to know, in 22 slides ;-)
Dave Hay, Portal Architect, IBM Software Services for [email protected]
18 March 2010
“Secure Portal” or WebSphere Portal – Security with Everything
Slide 2: Agenda
● Definition of Terms
● Moving away from the “Out Of The Box” experience
● Federated Repositories
● Custom User Registry
● Authentication against a Corporate Directory
● Authorisation and Personalisation via LDAP and Property Extension Database
● Desktop Single Sign-On in a Microsoft environment
● Back-end SSO – in an all-IBM world
● Back-End SSO – Using a Reverse Web Proxy server
● Back-end SSO – Asserting identity in an open world
● Further Reading
Slide 3: Portal Operational Model (Production)
[Diagram; components shown: Site Visitor, Load Balancer, two Web Servers, a Delivery Portal cluster (two Delivery Portal nodes plus Cluster Manager) with its Content / Portal Database and User Directory, and a separate Content Rendering / Content Authoring cluster with its own Content / Portal Database and User Directory.]
Slide 4: Definition of Terms
● WebSphere Application Server (WAS)
● WebSphere Portal (WP)
● Authentication vs. Authorisation vs. Personalisation
● Property Extension Database ( aka LookAside )
● Virtual Member Manager (VMM)
● WebSphere Identity Manager (WIM)
● Custom User Registry (CUR)
● Trust Association Interceptor (TAI)
● Lightweight Third Party Authentication (LTPA)
● Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO)
● Security Assertion Markup Language (SAML)
● Kerberos
● Shibboleth
Slide 5: Authentication etc.
Slide 6: Moving away from the “Out Of The Box” experience
● Portal automatically secured against WAS via WIM File System Repository
● Optional during WAS installation; default during WP installation
● Provides basic identity, profile and user information
● Simple to manage via WAS/WP user interface and Java/API
● Unwieldy – all user/group management is only via WAS/WP, and not easily accessible to back-end systems without coding
● Portal security cannot “reach out” to back-end resources e.g. no SSO
Slide 7: Federated Repositories
● WAS/WP 6.1 and beyond
● Provides support for multiple user repositories, including WIM ( File System ), LDAP, databases etc.
● Useful for multiple user communities and use cases e.g. intranet and internet and extranet
● Fits well with virtualization e.g. Virtual Portal
● Needs careful planning and consideration e.g. user/group filters, realms, Single Sign-On domains, unique user identities etc.
Slide 8: Custom User Registry
● An option for authentication where requirements dictate a non-LDAP approach
● Requires custom development
● Good solution for certain use cases e.g. back-end application integration, delegation of user access and management to corporate systems
● Examples of implementation include using a mainframe-based application via CUR
Slide 9: Authentication against a Corporate Directory
● Supported LDAPs: Lotus Domino, Microsoft Active Directory, Tivoli Directory Server, Novell eDirectory, Sun ONE Directory Server
● Supported vs. tested vs. unsupported
● Read-only vs. Read/Write
● Security Wizard
● Alternative Security Tasks ( ConfigEngine )
● Can be used stand-alone or as part of a Federated Repository solution
Slide 10: Authorisation and Personalization via LDAP and Property Extension Database
● Describe how LDAP groups and attributes can be used to provide authorisation and personalized access to portal resources
● Authorisation and Personalization can be two sides of the same coin; both can be used to change the user experience based upon external attributes
● Authorization – where can I go now I'm in the portal?
● Personalization – what can I see?
● Authorisation – typically related to security e.g. permissions, user groups, roles etc.
● Personalization – typically related to attributes, events, user profile choices
● Customization – typically user controlled rather than externally influenced
Slide 11: Single Sign-On
Slide 12: SSO Domain Concepts
[Diagram]
Slide 13: Desktop Single Sign-On in a Microsoft environment
● Provides seamless SSO to users once Windows login has completed
● Requires Portal to use the same Active Directory domain as the users' Windows desktops
● SPNEGO is used to negotiate the authentication protocol between client and server, using Kerberos
● Works with Internet Explorer and Firefox
● Active Directory and Kerberos ( Key Distribution Centre ) need to be configured
● WebSphere Trust Association Interceptor (TAI) provided in WAS 6.1 and beyond
● WAS needs to be configured
● User browsers need to be configured
● No longer requires a front-end IIS server
Slide 14: SPNEGO/Kerberos/AD implementation
[Diagram]
Slide 15: Back-end SSO – in an all-IBM world
● Appropriate for requirements where back-end applications support the IBM Lightweight Third Party Authentication (LTPA) mechanism
● Examples include: WebSphere Application Server, WebSphere Portal, Lotus Connections, Lotus Domino, Lotus Quickr, Lotus Sametime
● LTPA token generated by server following initial successful authentication; stored as cookie in browser
● Used to provide authentication to trusted servers; those participating in the same SSO environment (DNS domain) and sharing a common LTPA private key ( encrypted )
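The trust model on this slide rests on two things: every participating server holds the same LTPA key, and the browser only presents the cookie to hosts inside the SSO DNS domain. The following added example (not IBM code, and not the real LTPA2 token format, which is not reproduced here) models that property with an HMAC-signed token so the three outcomes can be seen side by side: a second server with the shared key accepts the token, a server with a different key rejects it, and an expired token is rejected everywhere. Key values, host names and the timestamp are constructed.

```python
import base64
import hashlib
import hmac

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes appended to the token body


def issue_token(user, sso_key, now, ttl_seconds=7200):
    """Issued by the first server after a successful login (models the LTPA cookie value)."""
    body = f"{user}|{now + ttl_seconds}".encode()
    mac = hmac.new(sso_key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + mac).decode()


def verify_token(token, sso_key, now):
    """A participating server trusts the token only if the MAC verifies under the shared
    key and the expiry has not passed. Returns the user name, or None."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:
        return None
    if len(raw) <= MAC_LEN:
        return None
    body, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    if not hmac.compare_digest(mac, hmac.new(sso_key, body, hashlib.sha256).digest()):
        return None  # different key, or the token was altered
    user, _, expiry = body.decode().rpartition("|")
    if not expiry.isdigit() or now >= int(expiry):
        return None
    return user


def browser_sends_cookie(request_host, cookie_domain):
    """RFC 6265 domain matching: a cookie set with Domain=.example.com is sent only to
    hosts in that DNS domain, which is why all SSO participants must share it."""
    d = cookie_domain.lstrip(".").lower()
    h = request_host.lower()
    return h == d or h.endswith("." + d)


def sso_scenario():
    """Portal issues the cookie; a server with the same key accepts it; a server with a
    different key and an expired token are both rejected."""
    key_shared = b"constructed-shared-ltpa-key"   # held by Portal and the other IBM servers
    key_other = b"constructed-unrelated-key"       # a server outside the SSO environment
    t0 = 1_700_000_000                             # constructed login time (epoch seconds)
    token = issue_token("alice", key_shared, t0)
    return {
        "same_key": verify_token(token, key_shared, t0 + 60),
        "different_key": verify_token(token, key_other, t0 + 60),
        "expired": verify_token(token, key_shared, t0 + 7201),
        "cookie_reaches_same_domain": browser_sends_cookie("connections.example.com", ".example.com"),
        "cookie_reaches_other_domain": browser_sends_cookie("app.example.org", ".example.com"),
    }


if __name__ == "__main__":
    for name, result in sso_scenario().items():
        print(f"{name}: {result}")
```

The practical consequences are the ones the slide implies: the shared key has to be exported and imported under the same password on every participant, rotating it means rotating it everywhere at once, and a server in a different DNS domain never sees the cookie no matter which key it holds.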
Slide 16: Back-End SSO – Using a Reverse Web Proxy server
● Examples are Tivoli Access Manager for e-Business (TAMeB) and SiteMinder
● IBM experiences tend towards TAMeB but SiteMinder info is available
● WebSEAL is the TAMeB web reverse proxy solution
● WebSEAL intercepts all requests for secured, back-end web applications
● Hides application URLs etc. from end-users, increasing security
● Authentication and authorisation ( to access the web app. or not ) is made in WebSEAL
● If auth/auth successful, WebSEAL passes the request to WAS/Portal
● TAI deployed in WAS to support this delegated authentication
● Junctions ( transparent or otherwise ) created in WebSEAL for Portal
● LTPA cookie is generated by the WebSEAL junction and stored in the user's browser, giving onward SSO
Slide 17: TAM-eB Reference Architecture
[Diagram]
Slide 18: TAMeB implementation
1) An unauthenticated client issues a request.
2) WebSEAL issues an HTTP authentication challenge.
3) Client responds to the challenge.
4) WebSEAL authenticates the user against the user registry.
5) WebSEAL modifies the header to include (iv_creds, …).
6) Request to WAS, where the TAI performs authentication of tai_user.
7) User credentials are extracted from the header to construct a user principal.
8) WAS sends the request to the Portal.
9) Portal sends the output to WebSEAL.
10) WebSEAL dispatches the output to the client.
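Steps 5 to 7 above are the security-critical part of the flow: WAS constructs a principal from an identity that arrives in an HTTP header, so the TAI must first establish that the request really came from WebSEAL (step 6, the authentication of tai_user) before it believes the header (step 7). The following added example is a model of that decision, not IBM's TAI implementation and not its configuration properties; `tai_user`, the password, and the `iv-user` header name are placeholders standing in for the slide's tai_user and iv_creds. It shows the request WebSEAL would forward over the junction, and the same identity header presented without WebSEAL's own credentials, which the TAI must not honour.

```python
import base64
import hmac


class TaiConfig:
    """Constructed stand-in for the TAI settings: the account WebSEAL uses to authenticate
    itself to WAS (step 6) and the header that carries the end user's identity (step 5)."""

    def __init__(self, tai_user, tai_password, identity_header="iv-user"):
        self.tai_user = tai_user
        self.tai_password = tai_password
        self.identity_header = identity_header


def parse_basic_auth(value):
    """Decode 'Basic <b64(user:password)>'; return (user, password) or None."""
    scheme, _, b64 = value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(b64.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def tai_negotiate(headers, cfg):
    """Steps 6-7. Returns (outcome, principal):
    not-target: no identity header, so the TAI does not apply to this request;
    untrusted:  identity header present but the sender did not prove it is WebSEAL;
    trusted:    WebSEAL authenticated as tai_user, so the asserted user becomes the principal."""
    h = {k.lower(): v for k, v in headers.items()}
    asserted = h.get(cfg.identity_header.lower())
    if asserted is None:
        return ("not-target", None)
    creds = parse_basic_auth(h.get("authorization", ""))
    if creds is None:
        return ("untrusted", None)
    user, password = creds
    trusted = (hmac.compare_digest(user.encode(), cfg.tai_user.encode())
               and hmac.compare_digest(password.encode(), cfg.tai_password.encode()))
    if not trusted:
        return ("untrusted", None)
    return ("trusted", asserted)


def webseal_forward(end_user, cfg):
    """Step 5: the headers WebSEAL adds on the junction after authenticating the user."""
    basic = base64.b64encode(f"{cfg.tai_user}:{cfg.tai_password}".encode()).decode()
    return {"Authorization": "Basic " + basic, "iv-user": end_user}


def demo():
    cfg = TaiConfig("tai_user", "constructed-password")
    bad_basic = "Basic " + base64.b64encode(b"tai_user:wrong").decode()
    return {
        "via_webseal": tai_negotiate(webseal_forward("alice", cfg), cfg),
        "header_without_webseal_auth": tai_negotiate({"iv-user": "alice"}, cfg),
        "wrong_tai_password": tai_negotiate({"Authorization": bad_basic, "iv-user": "alice"}, cfg),
        "no_identity_header": tai_negotiate({}, cfg),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two operational points follow from the model: the "untrusted" outcome is worth logging and alerting on, because it means something other than WebSEAL presented an identity header to WAS, and the network path should reinforce the check so that only the WebSEAL hosts can reach the WAS listeners at all.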
Slide 19: Back-end SSO – Asserting identity in an open world
● Requirement where SSO is required from WebSphere to an external service
● Can potentially be used in reverse using a custom TAI – not supported by IBM
● Necessary to “prove” that the WebSphere user has been authenticated
● Open-standard mechanism for the assertion of the user's identity, with implicit trust and security ( SAML )
● SAML works by way of a paired set of servers – Identity Provider (IdP) and Service Provider (SP)
● Various implementations of SSO via SAML including Shibboleth and Tivoli Federated Identity Manager (TFIM)
● Some entitlement to TFIM with WAS Network Deployment
http://www-01.ibm.com/software/tivoli/products/federated-identity-mgr-websphere/index.html
Slide 20: Shibboleth implementation
1) The User attempts to access a Shibboleth-protected resource on the Service Provider site.
2) The User is redirected to the federation WAYF.
3) The User selects his or her home institution (Identity Provider) from the list presented by the WAYF.
4) The Identity Provider, by whatever means it deems appropriate, ensures that the User is authenticated.
5) After successful authentication, a one-time Handle (session identifier) is generated for this User session and is sent to the Service Provider.
6) The Service Provider uses the Handle to request attribute information from the Identity Provider for this User.
7) The Identity Provider, on the basis of its Attribute Release Policy, allows or denies attribute information to be made available to this Service Provider.
8) Based on the attribute information made available to it, the Service Provider allows or refuses the User access to the resource.
Slide 21: Further Reading
● IBM WebSphere Application Server V6.1 Security Handbook
http://www.redbooks.ibm.com/abstracts/sg246316.html?Open
● IBM WebSphere Application Server V7.0 Security Guide
http://www.redbooks.ibm.com/abstracts/sg247660.html
● WebSphere Portal Family Wiki
http://www-10.lotus.com/ldd/portalwiki.nsf
● Tivoli Access Manager for e-Business
http://www-01.ibm.com/software/tivoli/products/access-mgr-e-bus/
● Tivoli Federated Identity Manager
http://www.ibm.com/software/tivoli/products/federated-identity-mgr
Slide 22: Any Questions?