Front cover Deployment Guide Series: IBM Tivoli Access Manager for Enterprise Single Sign-On 8.0 Learn how to install and configure the major components Plan an enterprise single sign-on deployment project Read about best practices and troubleshooting Axel Buecker Steve Lay Dirk Rahnenfuehrer Frank Sommer ibm.com/redbooks International Technical Support Organization Deployment Guide Series: IBM Tivoli Access Manager for Enterprise Single Sign-On 8.0 June 2009 SG24-7350-01 Note: Before using this information and the product it supports, read the information in “Notices” on page ix. Second Edition (June 2009) This edition applies to Version 8.0 of IBM Tivoli Access Manager for Enterprise Single Sign-On © Copyright International Business Machines Corporation 2007, 2009. All rights reserved. Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents Notices . ix Trademarks . x Preface . xi The team that wrote this book . xi Become a published author . xiii Comments welcome. xiv Part 1. Architecture and design . 1 Chapter 1. Business context . 3 1.1 The single sign-on paradigm . 4 1.2 Enterprise single sign-on today . 4 1.2.1 Solve the password security paradox . 5 1.2.2 Manage passwords in a security-rich fashion . 6 1.2.3 High performance . 6 1.2.4 Easy to deploy. 6 1.2.5 Reduce help desk costs by empowering the user. 6 1.2.6 Integrate with an enterprise identity management system . 7 1.2.7 Bring single sign-on to kiosk machines . 7 1.2.8 Audit and reporting . 8 1.3 Considerations for deployment . 8 Chapter 2. Single sign-on architecture and component design . 11 2.1 Overview . 12 2.2 Logical component architecture . 13 2.2.1 AccessAgent . 14 2.2.2 Terminal Server or Citrix Presentation Server AccessAgent . 32 2.2.3 IMS Server . 32 2.2.4 IMS database . 35 2.2.5 AccessAdmin . 35 2.2.6 AccessStudio . 37 2.2.7 Provisioning bridge . 38 2.3 Additional components . 40 2.4 Security requirements . 41 2.4.1 Securing Wallets . 42 2.4.2 Recovering Wallets . 43 2.4.3 Strengthening the protection of Wallets . 44 2.4.4 How the private desktop feature ensures security . 44 © Copyright IBM Corp. 2007, 2009. All rights reserved. iii 2.5 Physical component architecture . 46 2.5.1 AccessAgent . 46 2.5.2 IMS Server . 47 2.5.3 IMS database . 48 2.5.4 Organization directory . 49 2.5.5 Initial deployment scenario . 51 2.5.6 IBM Tivoli Identity Manager integration. 52 2.5.7 Server deployment architectures . 54 2.6 Conclusion. 58 Chapter 3. Planning for customer engagement . 59 3.1 Services engagement preparation . 60 3.1.1 Implementation skills. 60 3.1.2 Available resources. 61 3.2 Basic solution definition. 62 3.3 Services engagement overview . 63 3.3.1 Executive assessment . 64 3.3.2 Demonstration system set up . 65 3.3.3 Analyze solution tasks. 65 3.3.4 Create a contract. 66 3.4 Defining solution tasks . 67 3.4.1 Deployment time estimation . 68 3.4.2 General assumptions . 68 3.4.3 Deployment tasks . 69 3.5 Conclusion. 70 Part 2. Customer environment. 71 Chapter 4. Tivoli Austin Airlines, Inc. 73 4.1 Company profile . 74 4.1.1 Geographic distribution of TAA . 74 4.1.2 Organization of TAA . 78 4.1.3 HR and personnel procedures . 79 4.2 Current IT architecture . 80 4.2.1 Overview of the TAA network . 80 4.2.2 TAA’s e-business initiative . 84 4.2.3 Security infrastructure for the e-business initiative . 84 4.2.4 Secured e-business initiative architecture. 86 4.2.5 User account management and emerging issues. 86 4.3 Corporate business vision and objectives . 88 4.4 Project layout and implementation phases . 89 4.5 Conclusion. 90 iv Deployment Guide Series: IBM Tivoli Access Manager for Enterprise Single Sign-On 8.0 Chapter 5. Enterprise single sign-on solution design . 91 5.1 Business requirements . 92 5.2 Functional requirements . 93 5.3 Design approach . 96 5.4 Implementation overview. 97 5.4.1 About project phases and deployment stages . 97 5.4.2 Project phases . 98 5.5 Conclusion. 99 Chapter 6. Base installation and configuration . 101 6.1 Design considerations . 102 6.1.1 System requirements . 103 6.1.2 Deployment architecture . 103 6.2 Installing and configuring base components . 105 6.2.1 Create administrative users . ..