Tivoli 891: IBM Tivoli Federated Identity Manager V6.1 Implementation


1 - Planning for Federation

1.1: Given a set of architecture documents, review the scenario described, review the customer's use cases, identify the IBM Tivoli Federated Identity Manager V6.1 (ITFIM) function, and identify the role of the customer in the Federation, so that a valid use case and scenario document is prepared which details the ITFIM function and protocols in relation to the customer's role in the Federation.

With emphasis on performing the following steps:

  • Review scenario described.
  • Review use cases.
  • Identify ITFIM function.
  • Identify customer role (identity provider/service provider).

1.2: Given a valid use case and scenario document which describes the customer's roles and the customer's usage requirements (for example: performance requirements), identify how the IBM Tivoli Federated Identity Manager V6.1 (ITFIM) components map to the customer's environment, so that the details of the customer environment are qualified and the required platforms are listed.

With emphasis on performing the following steps:

  • Identify authentication service (HTTP, direct).
  • Identify session management (HTTP).
  • Identify authorization services.
  • Identify alias service.
  • Identify Federated Single Sign-On identity services.
  • Identify Identity manager providing endpoints.
  • Determine platforms.
  • Identify the "point of contact" (SOAP) for mobile: which WAP gateway, LECP/ECP.

1.3: Given the output of the mapping of the customer requirements to IBM Tivoli Federated Identity Manager V6.1 (ITFIM) services and a list of the required platforms, determine the number of machines (and whether any additional ones are needed), so that a list of target machines is produced.

With emphasis on performing the following steps:

  • Get permission to install.
  • Determine machine numbers and specs.
  • Reconcile, determine additional platforms.

1.4: Given the customer's security policy, determine audit and reports methodology (CARS or audit log), Federated Single Sign-On, Web Services Provisioning, and Web Services Security Management security policies so that audit log configuration is defined and high security level policy is outlined detailing signed components, encryption, authorization, authentication, and transport security for each ITFIM function.

With emphasis on performing the following steps:

  • Determine audit/log policy.
  • Determine Federated Single Sign-On security requirements.
  • Determine WS Provisioning security requirements.
  • Determine Web Services Security Management security policy.

1.5: Given the customer's use cases, selected partner identities, and target number of partners, determine partner functionality, evaluate the partners' requirements, and define the test environment, so that a matrix of partner by functionality and requirements is created and a test plan is generated.

With emphasis on performing the following steps:

  • Determine partner functionality.
  • Evaluate partner's security policy.
  • Determine partner ID map requirements.
  • For Web Services Security Management, determine the WS-Trust namespace.
  • Define customer-partner test environment.
  • Build test drivers.

1.6: Given a matrix of partner by functionality and requirements, list of target machines, and details of customer environment, map IBM Tivoli Federated Identity Manager V6.1 (ITFIM) function to ITFIM components to target machines so that an installation plan is created.

With emphasis on performing the following step:

  • Identify ITFIM function, ITFIM component and target match.

1.7: Given a list of federation partners with security policy and a matrix of partner by functionality, define the federations so that each partner is assigned to a federation and the function of each federation is listed.

With emphasis on performing the following steps:

  • Map partners to Federations.
  • Create new Federations if required.

2 - Planning for Federated Single Sign-On

2.1: Given a mapping of Federated Single Sign-On partners to Federations, a definition of each Federation, the Federated Single Sign-On customer-partner security policy, and the additional attributes required in the Federated Single Sign-On tokens, refine the Federated Single Sign-On details, so that the parameters for the customer's self-configuration and the high-level mapping of attribute requirements are documented for each Federated Single Sign-On Federation.

With emphasis on performing the following steps:

  • Define/determine encryption and signing requirements for messages.
  • Determine encryption requirements for messages.
  • (If required) determine token types.
  • Determine token security parameters.
  • Determine "message parameters": lifetime, nonce, etc.
  • Define protocol/Federation specific endpoints.
  • Determine ID mapping rules (high level).

3 - Planning for Web Services Security Management

3.1: Given a description of the Web Services environment and applications, define the Web Services point of contact and the type of services, and identify the login method for each application, so that a list of applications to be deployed in Web Services Security Management is generated.

With emphasis on performing the following steps:

  • Identify the Web Services "point of contact" (i.e.: XML framework, WSGW, etc.).
  • Identify the "type" of Web Service (i.e.: SOAP/HTTP, SOAP/JMS, RMI/IIOP, etc.).
  • Identify if Web Service endpoint or intermediary.
  • Determine list of applications to be deployed with Web Services Security Management.
  • If endpoint, login required?
  • If intermediary, token exchange?

3.2: Given a list of Web Services Security Management (WSSM) partners, the customer-partner WSSM security policy, and the information required to be in the incoming token (included with the partner's web services request), determine the requirements for authentication and authorization for each application and for each partner, and identify the applications the partner can access, so that the parameters of the local configuration of the WSSM Federation (application side and partner side of WSSM) and the high-level mapping of the requirements and rules are defined.

With emphasis on performing the following steps:

  • If required, determine the application's token type vs. login.
  • Determine requirements for encrypting messages by application.
  • Define/determine requirements for signing messages by application.
  • If required, determine requirements for encrypt/sign 'output' tokens.
  • Determine authorization required by application.
  • Define applications available to partners.
  • Define ID mapping rules (high level) by partner.
  • Determine requirements for encrypting input tokens by partner.
  • Determine requirements for signing input tokens by partner.
  • If required, determine the partner's output token type.

4 - Planning for Federated Provisioning

4.1: Given a list of WS Provisioning partners with security policy, information in the token, and details about the local provisioning tool, identify the values that need to be exchanged, define the actions that need to happen on the values, and identify the Web Services Security Management requirements so that the IDI requirements, attribute mapping details, and local Web Services Security Management parameters are defined.

With emphasis on performing the following steps:

  • (Identity provider side) Identify IDI trigger type (i.e.: LDAP feed, IBM Tivoli Identity Manager feed, HTTP, etc.).
  • (Identity provider side) Identify input markup language (if any); identify output markup language type.
  • (Service provider side) Identify input (WS Provisioning) payload markup language and identify output format (i.e.: LDAP, DSML, etc.).
  • (Service provider side) Identify output/provisioning destination.
  • Identify attribute mapping requirements (in IDI).
  • Identify attribute retrieval requirements (in IDI).
  • Identify Web Services Security Management requirements.

5 - Install Infrastructure and Components for Federated Single Sign-On, Web Services Security Management, Federated Provisioning

5.1: Given the WebSphere Application Server (WAS) deployment strategy, WAS install media, WAS cluster info, and architecture document, run the WAS installation, create the application server profile, create the deployment manager profile, a WAS cluster, and a replication domain, and add the application server to the cluster, so that WAS is installed and configured for ITFIM.

With emphasis on performing the following steps:

  • Install WAS.
  • Create an application server profile.
  • If using clustering, create deployment manager profile.
  • Create a profile.
  • If clustering, create cluster.
  • If clustering, add other servers to cluster.

5.2: Given the architecture document, directory information, the IBM Tivoli Access Manager (ITAM) installation, SSL keys, and proper access, install patches, GSKit, and the Access Manager Runtime Environment (AMRTE) filesets, and run 'pdconfig' with the correct information, so that WebSEAL is successfully installed and configured into the ITAM domain.

With emphasis on performing the following steps:

  • Identify OS patches to install.
  • Install OS patches.
  • Install GSKit.
  • Install AMRTE.
  • Install file sets.
  • Configure WebSEAL into ITAM domain.

5.3: Given the ISC install media, verify that the LDAP server is running and run the ISC install, so that the ISC is properly installed and configured.

With emphasis on performing the following steps:

  • Verify that LDAP server is running.
  • Install ITFIM Console.

5.4: Given IBM Tivoli Federated Identity Manager V6.1 (ITFIM) media, ISC is installed and configured, and WebSphere Application Server (WAS) V6.1 server is running, run install program for ITFIM Console and ITFIM Runtime so that ITFIM Console and Runtime are successfully installed.

With emphasis on performing the following steps:

  • Verify that LDAP is running.
  • Install ITFIM Runtime.
  • Create domain.
  • Deploy ITFIM Runtime.

5.5: Given the installation media, install the filesets to successfully perform an IDI installation.

With emphasis on performing the following step:

  • Install filesets.

5.6: Given the architecture document, the WAS ND install media, and the required patches, install WAS ND and apply the required patches, create a new WAS application profile, and install the Service Integration Bus Web Services components, so that a configured Web Services Gateway is created.

With emphasis on performing the following steps:

  • Install WAS ND.
  • Create a new application profile.
  • Install patches.
  • Install the Service Integration Bus Web Services components.

5.7: Given the need for Common Audit Reporting Services (CARS) and the installation media, confirm all prerequisites have been met and run the CARS install, so that CARS is installed.

With emphasis on performing the following steps:

  • Install DB2.
  • Configure the DB2 instance.
  • Install and configure the CARS server.
  • Configure Common Event Infrastructure in WAS.
  • Install the CARS client.
  • Configure TAM for CARS.
  • Verify event data within DB2.
  • Install and configure Crystal Reports (including prebuilt TAM reports).
  • Generate TAM reports via Crystal Reports.

6 - Configure Federated Single Sign-On, Web Services Security Management, Federated Provisioning

6.1: Given LDAP access information and the name of the new alias service and suffix, add the new suffix and restart WebSphere Application Server (WAS), so that LDAP is configured for IBM Tivoli Federated Identity Manager V6.1 (ITFIM).

With emphasis on performing the following steps:

  • Stop LDAP.
  • Add LDAP suffix for alias service.
  • Start LDAP.

6.2: Given attribute requirements for applications, role, user or group definitions, attribute schema, and an XSLT authoring tool, use the XSLT tool to successfully write and run a mapping rule.

With emphasis on performing the following steps:

  • Write XSLT (mapping) rule.
  • Run XSLT (mapping) tool.

6.3: Given the WebSEAL information, company information, protocol, role, token requirement, protocol specific configuration, and defined mapping rules, successfully create and configure a Federation.

With emphasis on performing the following steps:

  • Log in to Integrated Solutions Console (ISC) and click on "Create Federation".
  • Follow Federation Creation wizard and input appropriate data.
  • Send meta data to Federation partner.

6.4: Given partner metadata and partner-specific configuration, log in to the console, define a partner, and enable the partner, so that a configured, working partner exists.

With emphasis on performing the following steps:

  • Log in to Integrated Solutions Console (ISC), select Federation, click on "Add Partner".
  • Follow the Add Partner wizard.
  • Enable partner.

6.5: Given the partner client certificate configuration, certificate authority certification for the HTTPS connection, security requirements for WebSEAL to WAS communication, WebSphere port info, role, Federation name, ITFIM FSSO endpoint, and user attribute info, configure WebSEAL for ITFIM, so that a working WebSEAL configuration for a specific Federation is created.

With emphasis on performing the following steps:

  • Configure tag value.
  • Using the TFIMCFG tool, create a junction, configure EAI, and assign ACLs.
  • If role is service provider, modify login.html page to point to Single Sign-On endpoint.
  • Configure single logout endpoint.
  • Import partner client certificates into WebSEAL keystore.
  • Increase WebSEAL POST cache size.
  • Basic authentication user provisioning - create users as ITAM users at identity provider side.

6.6: Given architecture document, IBM Tivoli Federated Identity Manager Application Developer Kit (ITFIM ADK) and Java Development Tool, write, test and install the code, so that custom code is successfully created to meet the customer's requirements.

With emphasis on performing the following steps:

  • Write code.
  • Test code.
  • Install code.

6.7: Given architecture requirements, write, test and install custom token module, so that support is provided for a custom token type.

With emphasis on performing the following steps:

  • Write custom token code.
  • Test custom token code.
  • Install custom code.

6.8: Given the required token types, attributes required, partner keys, self keys and configured mapping rules, log in to the console and add a WSSM partner. Follow the wizard and input the required data, so that a configured WSSM partner is created.

With emphasis on performing the following steps:

  • Log in to console and click on "Add WSSM Partner".
  • Follow "Add WSSM Partner" wizard and input required data.

6.9: Given the trust service endpoint info, the application WSDL, the required application token types, the customer application, required WAS patches and the WSDL2TFIM and WSDL2TAM tools, configure ITFIM WSSM in WAS to create a deployed application secured by WSSM.

With emphasis on performing the following steps:

  • Configure a JAAS login module for SAML.
  • Create WebSphere shared library for WSSM classes.
  • Configure WSSM PDJRTE.
  • Deploy customer application.
  • Run WSDL2TFIM and WSDL2TAM tools.
  • Configure TAM policy.
  • Apply WAS patches.

6.10: Given the architecture document, registry info, and IDI Toolkit, write, test, and install code, so that custom code is successfully developed.

With emphasis on performing the following steps:

  • Write Federated Provisioning/IDI code.
  • Test Federated Provisioning/IDI code.
  • Install Federated Provisioning/IDI code.

6.11: Given the ITAM and WebSphere environment information and editor, update the assembly line properties and the Provisioning Service endpoint to successfully update the Provisioning Configuration.

With emphasis on performing the following steps:

  • Update provisioning service endpoint custom property.
  • Update assembly line properties and constraints.

6.12: Given attribute requirements for application, role, user and group definition, and attribute schema, create and enable a Custom Mapping Module, so that the user's identity is successfully mapped.

With emphasis on performing the following steps:

6.13: Given that ITFIM and CARS are installed, configure ITFIM to send audit events to the CARS server, so that CARS can be used by ITFIM.

With emphasis on performing the following steps:

  • Import the CARS server root signer certificate into the IBM Tivoli Federated Identity Manager keystore.
  • Navigate to Domain Management and click on Auditing in the console to display Audit Settings.
  • Select the enable audit checkbox.
  • Select the Tivoli Common Audit and Report Server radio button.
  • Type the address for the Common Audit and Report Server in the Web Service URL field.
  • Click Web Service Security Settings.
  • Set up the SSL keystore by selecting the key (CARS root signer certificate).
  • Select the type of authentication: Basic Authentication or None. For Basic Authentication, the user ID specified must belong to the EventSource role on the CARS server.
  • Click on OK to save the configuration.

7 - Test Federated Single Sign-On, Web Services Security Management, Federated Provisioning

7.1: Given a configured IBM Tivoli Federated Identity Manager V6.1 (ITFIM) environment with Federated Single Sign-On (FSSO), authenticate with the Identity Provider and connect to the linked account at the Service Provider, so that there is a working IBM Tivoli Federated Identity Manager environment with FSSO.

With emphasis on performing the following steps:

  • Authenticate with the identity provider.
  • Connect to linked account at service provider.
  • Test/verify Single Sign-On + account federation (Liberty, SAML 2.0).
  • Test/verify Single Sign-On (push, pull).
  • Test/verify HTTP-redirect, SOAP-HTTP profiles.
  • Test/verify Liberty "RNI"/"FT", "Name NIM" profiles.
  • Test/verify "where are you from?".
  • Test/verify Single Logout (local, global).

7.2: Given a WSSM installed and configured environment and a deployed Web Services application with WS Security turned on, run the Web Services application and evaluate the results to successfully test the Web Service application with WSSM enabled.

With emphasis on performing the following steps:

  • Run Web Service application.
  • Test unauthorized user.
  • Test invalid password.
  • Test encrypted Web Services invocation.
  • Test signed Web Services invocation.
  • Test signed and encrypted Web Services invocation.
  • Test invocation of partner side of trust chain.
  • Test that input token is valid (format, encrypt, signing).
  • Test mapping rules.
  • Test authorization decision regarding required input in IV-CRED.

7.3: Given that IBM Tivoli Federated Identity Manager V6.1 (ITFIM) is configured with WS Provisioning and the IDI assembly lines are running at both the Identity Provider and the Service Provider, create a local provisioning trigger at the Identity Provider, so that a local identity is provisioned at the Service Provider.

With emphasis on performing the following steps:

  • Test user create provisioning request.
  • Test user attributes modify provisioning request.
  • Test user remove deprovisioning request.

8 - Troubleshoot Federated Single Sign-On, Web Services Security Management, Federated Provisioning

8.1: Given that IBM Tivoli Directory Server (ITDS) is installed, perform a test LDAP search, check for errors in ibmslapd.log, check the configuration in ibmslapd.conf, verify that the LDAP service is listening on the proper SSL/non-SSL ports, and check for proper ACLs, so that ITDS is integrated with IBM Tivoli Federated Identity Manager (ITFIM) and working properly.

With emphasis on performing the following steps:

  • Perform a test LDAP search.
  • Check for errors in ibmslapd.log.
  • Check ibmslapd.conf for valid configuration.
  • Verify that an LDAP service is listening on the proper ports for SSL and non-SSL communication.
  • Check for proper ACLs.

8.2: Given that WAS is installed, check for errors in the WebSphere logs, check the memory used by the Java process of WebSphere, check the status of deployed applications, and check the validity of the WebSphere and deployed application security settings, so that WAS is integrated with IBM Tivoli Federated Identity Manager V6.1 (ITFIM) and is working.

With emphasis on performing the following steps:

  • Check the WebSphere logs for errors.
  • Check the memory used by the Java processes of WebSphere.
  • Check the status of deployed applications.
  • Check the WebSphere and deployed application security configuration (Java/J2EE).
  • Debug clustering issues (dynacache).

8.3: Given that IBM Tivoli Access Manager (ITAM) is installed and configured, verify that WebSEAL is communicating with the policy server, collect debug information using ITAM's trace facility, and isolate and qualify the problem, so that TAM is integrated with IBM Tivoli Federated Identity Manager V6.1 (ITFIM) and is working.

With emphasis on performing the following steps:

  • Verify that WebSEAL is communicating with Policy server.
  • Collect debug information using ITAM trace facilities.
  • Isolate problem.
  • Qualify the problem.

8.4: Given that the ISC is installed and configured, verify that the ISC login is available and verify connection with LDAP, so that the ISC is integrated with IBM Tivoli Federated Identity Manager V6.1 (ITFIM) and is working.

With emphasis on performing the following steps:

  • Verify ISC login page is available.
  • Verify connection with LDAP.
  • Look in the ISC logs.
  • Verify that LDAP is correctly configured.

8.5: Given that the IBM Tivoli Federated Identity Manager V6.1 (ITFIM) Trust Service is installed and configured, turn on tracing and review the trace logs for errors and/or stack traces, so that the ITFIM Trust Service is working.

With emphasis on performing the following steps:

  • Turn on tracing.
  • Review the trace logs for errors and/or stack traces.
  • Check the WebSphere Application Server/Web Services Gateway endpoint receiving the SOAP request.

8.6: Given that IBM Tivoli Federated Identity Manager V6.1 (ITFIM) is configured for FSSO, turn on ITFIM tracing for the configured FSSO protocol and review the tracing data for errors and/or stack traces, so that ITFIM FSSO is working.

With emphasis on performing the following steps:

  • Turn on ITFIM tracing for configured FSSO protocol.
  • Review tracing data and/or stack traces.

8.7: Given that IBM Tivoli Federated Identity Manager V6.1 (ITFIM) is configured with WSSM, run tcpmon and check the output, check timestamps on tokens, and verify signatures, so that the ITFIM configuration of WSSM is working.

With emphasis on performing the following steps:

  • Run "tcpmon" and check output.
  • Check timestamps on tokens.
  • Verify signatures (if enabled).

8.8: Given that Federated Provisioning and IDI are installed and configured, isolate and analyze the message generated from IBM Tivoli Federated Identity Manager V6.1 (ITFIM) for Federated Provisioning, check the communication between ITFIM and the IDI server, check that the WS Provisioning connector is in server mode and is enabled and running, and check that the SOAP connector is configured correctly, so that Federated Provisioning is working.

With emphasis on performing the following steps:

  • Isolate and analyze the message generated from ITFIM for Federated Provisioning.
  • Check the communication between ITFIM and the IDI server.
  • Check that the WS Provisioning connector is in server mode and is enabled and running.
  • Check that the DSMLv2 connector is in add/update mode and is enabled.

8.9: Given that the IBM Tivoli Federated Identity Manager V6.1 (ITFIM) configuration has been modified and saved, back up the ITFIM configuration, so that the ITFIM configuration can be successfully restored.

With emphasis on performing the following step:

  • Back up the ITFIM configuration.

8.10: Given that the IBM Tivoli Federated Identity Manager V6.1 (ITFIM) installation has been customized, document the customizations, so that the ITFIM customizations are documented.

With emphasis on performing the following step:

  • Document the customization.


Course title: Coming Soon - IBM Tivoli Federated Identity Manager 6.1 Deployment and Administration
Course duration: 4 days
Course number: Course numbers vary depending on the education delivery arm used in each geography. Please refer to the Web site below to find the appropriate course number according to the education delivery vendor chosen.
Geo education page: Worldwide schedules available at Tivoli software education.
IBM PartnerWorld "You Pass We Pay": YPWP information is currently not available for this course. Please check with IBM PartnerWorld.
Abstract: IBM Tivoli Federated Identity Manager employs a loosely-coupled model for managing identities and access across security, company, or organizational domains. Instead of replicating identity and security administration in multiple places, IBM Tivoli Federated Identity Manager provides a simple trust model for managing identities and access to information and services. IBM Tivoli Federated Identity Manager also provides policy-based integrated security management for federated Web services. In this 50% hands-on course, students will learn to deploy and administer secure business-to-business and single sign-on federated environments.

Course Objectives:

  • Plan the appropriate federated architecture based on partner goals, environment, user attributes and so forth.
  • Install and configure IBM Tivoli Federated Identity Manager.
  • Configure a SAML 1.1 (Security Assertion Markup Language) single sign-on federation.
  • Configure a WS-Federation single sign-on federation.
  • Configure the alias service.
  • Configure a SAML 2.0 single sign-on federation.
  • Configure Web Services Security Manager for business-to-business transactions.
  • Troubleshoot IBM Tivoli Federated Identity Manager issues.

For information on pricing, scheduling and course registration: Course names and/or course numbers vary depending on the education delivery arm used in each geography. Please refer to the Tivoli software education Web site to find the appropriate course and education delivery vendor for each geography.


Publication title: Redbook - Federated Identity Management with IBM Tivoli Security Solutions
Publication order number: SG24-6394-00
Abstract: This IBM Redbook discusses the Federated Identity Management (FIM) architecture and the integration with Web services security standards and IBM Tivoli Security Solutions. In a federated environment, a user can log on through his identity provider in order to conduct transactions or easily access resources in external domains. Partners in a federated identity management environment depend on each other to authenticate their respective users and vouch for their access to services. Federated identity standards, like those being produced by the Liberty Alliance or the Web services security specifications, form an encapsulation layer over local identity and security environments of different domains. This encapsulation layer provides the ingredients for interoperability between disparate security systems inside and across domains, thus enabling federation.

IBM's Tivoli federated identity management solution extends identity management for both the identity provider and service provider infrastructure. The IBM Tivoli federated identity management solution builds on the current Tivoli identity and security offerings.

This publication is a valuable resource for security officers, administrators and architects who wish to understand and implement federated identity management solutions.

Publication title: Redbook - Enterprise Security Architecture Using IBM Tivoli Security Solutions
Publication order number: SG24-6014-02
Abstract: This IBM Redbook looks at Tivoli's overall Enterprise Security Architecture, focusing on the integration of audit and compliance, access control, identity management, and federation throughout extensive e-business enterprise implementations. The available security product diversity in the marketplace challenges everybody in charge of designing single secure solutions or an overall enterprise security architecture. With Access Manager, Identity Manager, Privacy Manager, Risk Manager, Federated Identity Manager, Security Compliance Manager, Directory Server, and Directory Integrator, Tivoli offers a complete set of products designed to address these challenges.

This redbook describes the major logical and physical components of each of the Tivoli products and it depicts several e-business scenarios with different security challenges and requirements.

By matching the desired Tivoli security product criteria, it describes appropriate security implementations that meet the targeted requirements.

This book is a valuable resource for security officers, administrators, and architects who wish to understand and implement enterprise security following architectural guidelines.

To order a publication, access the IBM Publications Center on the Web or by phone (note the publication order number):

IBM Publications Center
(http://www.ibm.com/shop/publications/order)

or call IBM Direct Publications: 1-800-879-2755 (US), 1-800-426-4968 (Canada), or order from any non-IBM bookstore.


Self-Study: IBM Tivoli Federated Identity Manager V6.1 Product Information and Related Links
Abstract: Detailed information and documentation about IBM Tivoli Federated Identity Manager V6.0 can be found at the Web sites listed below. The documents contained on this Web page are product manuals, Redbooks, Whitepapers and downloads. The product Online Help is a useful guide to refer to as well. Reviewing these documents in addition to hands-on experience and skills with the product will help prepare a candidate for certification testing.


1. You are configuring an IBM Tivoli Federated Identity Manager (ITFIM) Federated-Single Sign-On (F-SSO) environment for a company acting as a Service Provider. The company requests that Common Audit and Reporting Services (CARS) be used to maintain all audit information. The corporate security policy requires that an audit record be generated for the creation, deletion and modification of all Federations and Partners within ITFIM.

Which event type within CARS generates an audit record for all of these activities?

A. IBM_POLICY_AUDIT

B. IBM_POLICY_ADMIN

C. IBM_SECURITY_FEDERATION

D. IBM_SECURITY_MGMT_POLICY

2. A Web Service application is deployed on a WebSphere Network Deployment V6 cluster. The application requires a JAAS Subject containing attributes, which uniquely identify the user. Multiple clients are accessing this application from different partners. The WebSphere Web Services Gateway (WSGW) is deployed at the network boundary to prevent unauthorized requests from getting to the Web Service.

Which deployment scenario is correct?

A. The WS-Security runtime is configured for the Web Service. The Web Services Security Management (WSSM) SAMLA STS module is deployed to the WSGW. Custom trust chains are set up to handle the different partners and token types.

B. The WSSM Token Generator is configured at the WSGW. Custom trust chains are configured to handle the different partners and token types. The Web Services Security Management (WSSM) SAMLA Login module is deployed on the WebSphere Application Server (WAS) node hosting the Web Service application.

C. The Web Services Security Management (WSSM) SAMLA Login Module is deployed to the WebSphere Application Server (WAS) node hosting the Web Service. The WS-Security runtime is configured on the WSGW for the Web Service application. The WSSM Tivoli Access Manager Authorization module is deployed to the WAS application server hosting the Web Service.

D. A Shared Library is configured on the WSGW to include the WSSM libraries. The wsdl2tfim tool is run on the Web Service WSDL to generate the Tivoli Access Manager authorization namespace. The Web Services Security Management (WSSM) SAMLA Login module is configured in the IBM Tivoli Federated Identity Manager Trust Service to extract the required attributes to uniquely identify the user.

3. Which path shows the hierarchy of a protected object space that represents a Web Service?

A. /itfim-wssm/wssm-default/servicename/operation

B. /itfim-wssm/wssm-default/container/servicename/porttype

C. /itfim-wssm/wssm-default/servicename/porttype/operation

D. /itfim-wssm/wssm-default/container/servicename/porttype/operation

4. Which WebSphere Application Server command is used to enable Service integration Bus Web Services?

A. wsadmin

B. ejbdeploy

C. uddiDeploy

D. wasprofile

5. Which two tasks are required to configure a Service Integration Bus for inbound services? (Choose two.)

A. create a Bus

B. configure a messaging engine

C. create a destination in the Bus

D. install a SOAP over HTTP listener

E. create the Endpoint listener and connect it to the Bus

6. If the customer does not want to use the EAI header, how would you control whether or not IBM Tivoli Federated Identity Manager (ITFIM) will use the EAI header for Single Log-Out (SLO) when talking to WebSEAL?

A. edit the sps.xml file to use the PdAdmin module

B. edit the Runtime Custom Properties to Force ITFIM to use PdAdmin

C. under eai stanza in the WebSEAL conf file, comment out the entry for the entry EAI-logout

D. under eai stanza in the WebSEAL conf file, change the value for the entry EAI-logout to false

7. In order to write a plug-in that implements a custom Alias service, what are the two required public interfaces that need to be implemented? (Choose two.)

A. com.tivoli.am.fim.service.CustomService

B. com.tivoli.am.fim.alias.service.AliasServiceClient

C. com.tivoli.am.fim.identity.service.client.IdServiceClient

D. com.tivoli.am.fim.alias.service.AliasServiceClientFactory

E. com.tivoli.am.fim.identity.service.client.IdServiceClientFactory

8. FIM_WS_Provisioning assembly line is configured for WS-Provisioning using IBM Tivoli Federated Identity Management (ITFIM) and stored in the /opt/custom/FIM/IDI/FIM_AL.xml file. IBM Tivoli Directory Integrator is installed under /opt/IBM/IBMDirectoryIntegrator on Solaris Platform.

Which command runs the assembly line FIM_WS_Provisioning on a Solaris platform?

A. /opt/IBM/IBMDirectoryIntegrator/ibmdisrv -c /opt/custom/FIM/IDI/FIM_AL.xml -r FIM_WS_Provisioning

B. /opt/IBM/IBMDirectoryIntegrator/ibmditk -c /opt/custom/FIM/IDI/FIM_AL.xml -r FIM_WS_Provisioning

C. /opt/IBM/IBMDirectoryIntegrator/bin/ibmdisrv -c /opt/custom/FIM/IDI/FIM_AL.xml -r FIM_WS_Provisioning

D. /opt/IBM/IBMDirectoryIntegrator/bin/ibmditk -c /opt/custom/FIM/IDI/FIM_AL.xml -r FIM_WS_Provisioning

9. A SAML V1.1 Federation is configured on Identity Provider (IDP) with a base URL of https://www.mycompany.com/FIM

The following error is received:

FBTSML005E The current user making the request is not authenticated.

What is a possible reason for this error?

A. The user account password is invalid.

B. Authentication of the user failed at IDP.

C. The junction is not configured to pass username.

D. The user account in IBM Tivoli Access Manager for e-business is disabled.

Answer Key:

5. D

6. B

7. D

8. A

9. AE

10. B

11. CE

12. A

13. C

Source: http://www.interface.ru/home.asp?artId=5364