IBM 6.2.2.7 Risk-Based Access Tivoli Federated Identity Manager Installation, Configuration, and Administration Guide

IBM 6.2.2.7 Risk-Based Access Tivoli Federated Identity Manager Installation, Configuration, and Administration Guide

IBM Tivoli Federated Identity Manager 6.2.2.7 helps you to improve security during authentication and authorization of business transactions, assess risk based on static, contextual, and analytically calculated attributes, calculate a risk score based on multiple weighted attributes, and determine whether an access request must be permitted, denied, or challenged.

advertisement

Assistant Bot

Need help? Our chatbot has already read the manual and is ready to assist you. Feel free to ask any questions about the device, but providing details will make the conversation more productive.

IBM Tivoli Federated Identity Manager 6.2.2.7 Risk-Based Access Installation, Configuration, and Administration Guide | Manualzz
IBM Tivoli Federated Identity Manager
Version 6.2.2.7
Installation, Configuration, and
Administration Guide for Risk-Based
Access
SC27-4445-02
IBM Tivoli Federated Identity Manager
Version 6.2.2.7
Installation, Configuration, and
Administration Guide for Risk-Based
Access
SC27-4445-02
Edition notice
Note: This edition applies to version 6, release 2, modification 2.7 of IBM Tivoli Federated Identity Manager
(product number 5724-L73) and to all subsequent releases and modifications until otherwise indicated in new
editions.
© Copyright IBM Corporation 2012, 2013.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract
with IBM Corp.
Contents
Figures . . . . . . . . . . . . . . . v
Tables . . . . . . . . . . . . . . . vii
About this publication . . . . . . . . ix
Access to publications
Accessibility . . .
Technical training. .
Support information .
and terminology
. . . . . .
. . . . . .
. . . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
. ix
. x
. x
. x
Chapter 1. Roadmap for getting started
with risk-based access . . . . . . . . 1
Chapter 2. Overview of risk-based
access . . . . . . . . . . . . . . . 3
Business scenarios .
Features . . . . .
Functional overview .
Transaction flow . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
3
4
4
6
Chapter 3. Installing . . . . . . . . . 9
Software requirements . . . . . . . .
Installation Prerequisites . . . . . . .
Database considerations . . . . . . .
Using the embedded solidDB database .
Manually configuring the database . .
Installing risk-based access . . . . . .
Enabling language support for EAS messages
Deploying risk-based access . . . . . .
Uninstalling risk-based access . . . . .
Known issues and workarounds . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
. 9
10
10
11
11
12
13
14
16
17
Chapter 4. Configuring . . . . . . . . 19
Configuration roadmap . .
Enabling logs and traces . .
Verifying the configuration .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
. 19
. 20
. 21
Chapter 5. Administering . . . . . . . 23
Risk management . . . . . . . . . . . .
Risk score calculation . . . . . . . . . .
Runtime security services external authorization
service . . . . . . . . . . . . . . .
Configuring the runtime security services
external authorization service in WebSEAL . .
Sample configuration data for runtime
security services external authorization service
Session configuration . . . . . . . . . .
Attribute collection service . . . . . . .
Configuring the attribute collection service . .
Risk profile configuration. . . . . . . . .
Configuring the risk profile . . . . . . .
© Copyright IBM Corp. 2012, 2013
23
25
26
27
29
32
32
34
35
35
Attribute storage . . . . . . . . . .
Attribute matchers . . . . . . . . . .
Configuring the location matcher . . . .
Configuring the IP address matcher . . .
Configuring the login time matcher . . .
Implementing custom attribute matchers
Configuring the hash algorithm for attribute
storage . . . . . . . . . . . . . .
Policy management. . . . . . . . . . . .
Authorization policy generation language . . .
Sample script for risk-based access policy rules
Creating a risk-based access policy . . . . .
Policy management with IBM Tivoli Security
Policy Manager . . . . . . . . . . . .
Enabling risk-based access in IBM Tivoli
Security Policy Manager . . . . . . . .
Migrating policies to IBM Tivoli Security
Policy Manager . . . . . . . . . . .
Creating risk-based access policies with IBM
Tivoli Security Policy Manager . . . . . .
Device registration . . . . . . . . . . . .
Silent device registration . . . . . . . . .
Consent-based device registration . . . . . .
Configuring consent-based device registration
Configuring the number of devices registered for
a user . . . . . . . . . . . . . . .
37
38
38
40
42
43
45
46
46
48
49
50
50
52
53
55
55
55
55
58
Chapter 6. Auditing . . . . . . . . . 59
Managing audit log settings .
Audit logs . . . . . . .
Chapter 7. Reference
.
.
.
.
.
.
.
.
.
.
.
.
.
.
. 59
. 60
. . . . . . . . 63
Command reference . . . . . . . . . .
manageRbaConfiguration command . . . .
Response file example for
manageRbaConfiguration command . . .
manageRbaDevices command . . . . . .
manageRbaPolicy command . . . . . . .
Response file example for manageRbaPolicy
command . . . . . . . . . . . .
manageRbaRiskProfile command . . . . .
Response file example for
manageRbaRiskProfile command . . . .
manageRbaSessions command . . . . . .
Configuration properties . . . . . . . . .
Attributes for risk profiles and policies . . . .
. 63
. 63
. 67
. 68
. 70
. 73
. 73
.
.
.
.
76
77
78
85
Chapter 8. Error message reference . . 89
Notices . . . . . . . . . . . . . . 95
Index . . . . . . . . . . . . . . . 107
iii
iv
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
Figures
1.
2.
Risk-based access architecture . . . . . .
Risk-based access transaction flow example
© Copyright IBM Corp. 2012, 2013
. 4
6
3.
The closest points, midpoints, and farthest
points on the accuracy ranges of two locations . 40
v
vi
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
Tables
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
Roadmap for getting started with risk-based
access . . . . . . . . . . . . . . . 1
Checklist of installation prerequisites . . . . 10
Roadmap for configuring risk-based access
19
Runtime security services EAS access decisions 26
List of logical operators . . . . . . . . 47
Audit event elements . . . . . . . . . 60
Required and optional parameters for
operators of the manageRbaConfiguration
command . . . . . . . . . . . . . 64
Required and optional parameters for
operators of the manageRbaDevices command . 68
Required and optional parameters for
operators of the manageRbaPolicy command. . 71
Required and optional parameters for
operators of the manageRbaRiskProfile
command . . . . . . . . . . . . . 74
© Copyright IBM Corp. 2012, 2013
11.
12.
13.
14.
15.
16.
17.
Required and optional parameters for
operators of the manageRbaSessions command
Use and characteristics of policy and context
attributes: authorization credential . . . .
Use and characteristics of policy and context
attributes: device fingerprint . . . . . .
Use and characteristics of policy and context
attributes: risk score. . . . . . . . .
Use and characteristics of policy and context
attributes: Runtime security services audit .
Use and characteristics of policy and context
attributes: session . . . . . . . . .
Use and characteristics of policy and context
attributes: user metadata . . . . . . .
. 77
. 85
. 86
. 86
. 87
. 87
. 88
vii
viii
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
About this publication
Risk-based access is a pluggable and configurable component for IBM® Tivoli®
Federated Identity Manager. Risk-based access provides access decision and
enforcement that is based on a dynamic risk assessment or confidence level of a
transaction.
The IBM Tivoli Federated Identity Manager Installation, Configuration, and
Administration Guide for Risk-Based Access describes the procedures for installing,
configuring, and administering risk-based access. It includes an overview of the
process and functions of risk-based access and reference information for
implementing risk-based access.
Access to publications and terminology
This section provides:
v A list of publications in the “IBM Tivoli Federated Identity Manager library.”
v Links to “Online publications.”
v A link to the “IBM Terminology website” on page x.
IBM Tivoli Federated Identity Manager library
The publications in the IBM Tivoli Federated Identity Manager library are:
v IBM Tivoli Federated Identity Manager Quick Start Guide, CF38BML
v
v
v
v
v
v
v
v
IBM Tivoli Federated Identity Manager Installation Guide, GC27-2718-01
IBM Tivoli Federated Identity Manager Configuration Guide, GC27-2719-01
IBM Tivoli Federated Identity Manager Administration Guide, SC23-6191-02
IBM Tivoli Federated Identity Manager Installation, Configuration, and Administration
Guide for Risk-Based Access, SC27-4445-00
IBM Tivoli Federated Identity Manager Web Services Security Management Guide,
GC32-0169-04
IBM Tivoli Federated Identity Manager Auditing Guide, GC32-2287-04
IBM Tivoli Federated Identity Manager Error Message Reference, GC32-2289-04
IBM Tivoli Federated Identity Manager Troubleshooting Guide, GC27-2715-01
Online publications
IBM posts product publications when the product is released and when the
publications are updated at the following locations:
IBM Tivoli Federated Identity Manager Information Center
The http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/
com.ibm.tivoli.fim.doc_6.2.2/ic/ic-homepage.html site displays the
information center welcome page for this product.
IBM Security Information Center
The http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp site
displays an alphabetical list of and general information about all IBM
Security product documentation.
© Copyright IBM Corp. 2012, 2013
ix
IBM Publications Center
The http://www-05.ibm.com/e-business/linkweb/publications/servlet/
pbi.wss site offers customized search functions to help you find all the IBM
publications you need.
IBM Terminology website
The IBM Terminology website consolidates terminology for product libraries in one
location. You can access the Terminology website at http://www.ibm.com/
software/globalization/terminology.
Accessibility
Accessibility features help users with a physical disability, such as restricted
mobility or limited vision, to use software products successfully. With this product,
you can use assistive technologies to hear and navigate the interface. You can also
use the keyboard instead of the mouse to operate all features of the graphical user
interface.
Technical training
For technical training information, see the following IBM Education website at
http://www.ibm.com/software/tivoli/education.
Support information
IBM Support provides assistance with code-related problems and routine, short
duration installation, or usage questions. You can directly access the IBM Software
Support site at http://www.ibm.com/software/support/probsub.html.
Note: The Community and Support tab on the product information center can
provide additional support resources.
x
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
Chapter 1. Roadmap for getting started with risk-based
access
Before you begin to use risk-based access, familiarize yourself with key concepts,
tasks, and requirements.
The following process describes how to understand and work with risk-based
access.
Table 1. Roadmap for getting started with risk-based access
Task
For more information
Read the overview of risk-based access and
its features.
See:
v Chapter 2, “Overview of risk-based
access,” on page 3.
v “Business scenarios” on page 3.
v “Features” on page 4.
Study the architecture diagrams and
information about risk-based access
transactions.
See:
Understand the concepts and process of risk
score calculation.
See:
v “Functional overview” on page 4.
v “Transaction flow” on page 6.
v “Risk management” on page 23.
v
Risk score calculation.
Verify that you meet the software
requirements.
See “Software requirements” on page 9.
Ensure that the prerequisites are fulfilled.
See “Installation Prerequisites” on page 10.
Install and deploy risk-based access.
See:
v “Installing risk-based access” on page 12.
v “Deploying risk-based access” on page 14.
Configure the risk-based access components, See “Configuration roadmap” on page 19.
attributes, properties, and policies.
Verify your installation and configuration.
See “Verifying the configuration” on page
21.
Use the risk-based access command-line
interface to manage devices, policies,
attributes, and properties.
See “Command reference” on page 63.
© Copyright IBM Corp. 2012, 2013
1
2
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
Chapter 2. Overview of risk-based access
Risk-based access provides access decision and enforcement that is based on a
dynamic risk assessment or confidence level of a transaction. Risk-based access
uses behavioral and contextual data analytics to calculate risk.
Risk-based access is a pluggable and configurable component for IBM Tivoli
Federated Identity Manager.
Risk-based access:
v Improves security during authentication and authorization of business
transactions.
v Assesses risk based on static, contextual, and analytically calculated attributes.
v Calculates a risk score based on multiple weighted attributes.
v Provides policy rules that determine whether an access request must be
permitted, denied, or challenged.
You can configure risk-based access to:
v Silently register or require users to register devices that they commonly use.
v Associate the registered devices with user credentials.
v Present a challenge or request additional authentication, if the user attempts to
authenticate with the same credentials from another unregistered device.
v Use the behavioral patterns of the user as a factor in risk score calculation. For
example, a user might attempt to access a protected resource at a time outside of
normal business hours. You can configure the risk-based access policy to deny
access or force the user access to authenticate with a secondary challenge.
Business scenarios
Business transactions that have an increased security risk factor can benefit by
implementing risk-based access.
The following examples are some scenarios where you can use risk-based access to
provide a higher level of confidence for the transaction:
v A user tries to access sensitive information where a simple user ID and
password authentication is not sufficient. However, the data is not sensitive
enough to use a more complex authentication mechanism, such as token IDs.
v Users require access from remote locations that are not trusted and they use
devices such as mobile devices and notebooks. To ensure that mobile users are
authenticated sufficiently, the business requires a second factor authentication.
v Users need to access an application that provides sensitive business information.
They might access the information outside of their regular work patterns.
v A user accesses a resource from a device that the user previously used and
maintains typical usage patterns. Risk-based access improves the user experience
by limiting secondary authentication mechanisms.
© Copyright IBM Corp. 2012, 2013
3
Features
Risk-based access provides several capabilities to identify potential risk and limit
the ability for an attacker to use stolen credentials.
v Silent device registration where the system does not require any user interaction.
v Ready-to-use policy attributes that are specific to risk-based access.
v A risk-scoring engine that calculates a risk score for the current transaction. The
risk score is based on configurable weights that are assigned to context attributes
and behavior attributes. If the risk score is high, further challenges are presented
to the user or access is denied. If the risk score is low, the user is permitted
access.
v Command-line interface for configuring and managing the risk-based access
policies and policy attributes. The commands are available through the
WebSphere® Application Server AdminTask framework, which supports Jacl
scripting, Jython scripting, and programmatic Java™ API.
Functional overview
Risk-based access includes an external authorization service (EAS), runtime
authorization service, and attribute collection service.
The following diagram illustrates the architecture of risk-based access. The diagram
also shows how the various components plug into WebSEAL in IBM Tivoli Access
Manager for e-business and into IBM Tivoli Federated Identity Manager.
Figure 1. Risk-based access architecture
Risk-based access runtime services
Risk-based access provides the following runtime services:
Authorization service
The risk-based access authorization service is a component of the
IBM Tivoli Federated Identity Manager runtime environment. The
4
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
runtime authorization service stores the policy, calculates the risk
score, and makes the access decision. The authorization service
exposes an XACML over SOAP web service that third-party
enforcement points can call to get authorization decisions.
Attribute collection service
The attribute collection service is a Representational State Transfer
(REST) service that collects web browser and location attributes
from the user. The attribute collection service is a push service. You
can configure the risk-based access runtime service to use the
collected attributes as the policy attributes for calculating risk. You
can also use the Java ADK to plug in your custom implementation
for a pull service that retrieves attributes from the user.
Risk-scoring engine
The risk-scoring engine calculates the risk or confidence level. It provides a
single integer that represents the risk score for the current transaction in
the form of a percentage. The risk score is calculated based on the weights
that are assigned to one or more of the following policy attributes:
v Device identification or fingerprint, such as details of hardware, IP
address, location information, operating system, web browser type, web
browser version, and screen resolution.
v Behavioral patterns, such as frequency of login, time of access, frequency
of access, and type of transactions.
v Custom attributes that you can configure and manage through a
pluggable interface. The risk-based access authorization service is
extensible and can also include external sources for attributes.
The risk engine returns the final risk score as a policy attribute, which is
the basis of the final authorization decision.
Policy enforcement point (PEP)
WebSEAL is the policy enforcement point for risk-based access. Risk-based
access integrates with the existing WebSEAL authentication mechanisms,
such as cross domain authentication service (CDAS) and external
authentication interface (EAI). Risk-based access also integrates with both
custom and IBM Business Partner implementations. Third-party
enforcement points are supported. For example, a custom application can
be used as an enforcement point.
External authorization service
The runtime security services EAS plug-in for WebSEAL enforces the
policy decision. The EAS takes the request data and sends an authorization
decision request to the risk-based access authorization service. The
authorization service maps the authorization decision response to the
appropriate WebSEAL action, such as permit, deny, or step-up
authentication. You can manage the EAS with entries in the webseald.conf
file with the WebSEAL stanza syntax.
Policy information points (PIPs)
Policy information points are components of the risk-based access
authorization service. They provide all the policy attributes that are not
provided in the initial access request. The risk score and attributes that are
pushed to the attribute collection service are provided to the authorization
service through PIPs.
You can configure PIPs with the runtime authorization service of IBM
Tivoli Federated Identity Manager. The interface collects third-party policy
attributes to provide data to the policy decision processor and other PIPs.
Chapter 2. Overview of risk-based access
5
Risk-based access includes ready-to-use PIP implementations that provide
the policy attributes that are required. You can also provide custom policy
attributes to the authorization service through a custom PIP.
Policy decision point (PDP)
The runtime authorization service is the policy decision point for
risk-based access. This service is configured to use the PEP risk-based
access plug-in. The authorization decision is based on an authorization
policy that uses policy attributes and PIPs that are specific to risk-based
access. The PIPs provide information, such as risk score, user location, and
device type.
The policy administration point (PAP)
IBM Tivoli Federated Identity Manager is the policy administration point
for risk-based access. Risk-based access provides wsadmin commands for
configuring and managing the policies, rules, attributes, and weights,
which are required for calculating risk.
Note: If you are an existing user of IBM Tivoli Security Policy Manager,
you can continue to use it to manage risk-based access policies.
Transaction flow
In a typical risk-based transaction, the user requests access to a protected resource.
Risk-based access calculates the risk score and determines whether access is
permitted, denied, or permitted with an obligation.
In the following example of a risk-based access transaction, the risk score indicates
that the user must be presented with a challenge. The user successfully completes
the challenge and receives permission to access the protected resource.
Figure 2. Risk-based access transaction flow example
6
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
The following process explains the flow of the transaction in the example scenario:
1. The user interacts through a web browser to submit authentication
information and requests access to a protected resource. The protected
resource is a junctioned web application that WebSEAL protects.
2. WebSEAL inspects the request.
WebSEAL is the reverse proxy server that interacts with all transactions. For
the protected resource that the user requests, the WebSEAL policy (POP) is
configured to call the runtime security services EAS plug-in to authorize the
request. The EAS is a shared library plug-in, which is internal to the
WebSEAL process, so there is no on-the-wire callout between WebSEAL and
the EAS.
3. The EAS first checks the local access manager policy.
a. If the access manager denies access, then the EAS returns the response and
does not continue with a forbidden response.
b. If the access manager permits access, the EAS collects the context
information about the user and the request. The WebSEAL
azn-decision-info stanza has the specifications to create an XACML over
SOAP authorization decision request.
c. The EAS sends the request to the risk-based access runtime authorization
service of IBM Tivoli Federated Identity Manager for the authorization
decision.
4. The runtime authorization service (PDP) runs the configured policy and calls
the appropriate PIPs based on the current policy.
a. If a risk-score policy attribute is requested, then the risk engine is called.
b. The risk engine takes the context details, requests additional policy
attributes, if required, and then calculates a risk score.
c. The authorization service applies the risk score policy attribute against the
authorization policy and returns an appropriate decision response to the
runtime security services EAS.
d. The EAS supports three decision types: permit, deny, and permit with
obligation. In this example, a decision to permit with obligation is
returned.
1) If the policy decision is a simple permit or deny, the decision is
mapped to the WebSEAL permit and not_permit decisions. The
WebSEAL decisions are returned from the
azn_svc_decision_access_allowed_ext call.
2) If the response is to permit access, WebSEAL permits the request to
continue to the requested resource.
3) If the response is to deny access, WebSEAL displays an error page,
which indicates that access is forbidden.
5. The runtime security services EAS parses the response and returns one of the
following EAS responses to WebSEAL: permit, deny, step-up authentication
levels, or reauthenticate. In this example, the response is to step-up
authentication levels, so that WebSEAL can enforce the appropriate
authentication challenge.
The risk-based access EAS also provides a configuration to map the returned
obligation to a specific WebSEAL external authentication interface (EAI)
mechanism. The EAI can be either a WebSEAL EAI or CDAS external
authentication mechanism, which the customer or IBM Business Partner can
implement.
6. WebSEAL specifies the appropriate authentication mechanism to the user.
Chapter 2. Overview of risk-based access
7
7. The user is redirected to the authentication mechanism, which builds a
challenge response.
8. The challenge response is presented to the user.
9. The user responds to the challenge.
10. If the response of the user to the challenge request is successful, the challenge
is processed. The EAI application returns the credentials of the user and a
successful step-up level in the HTTP response to WebSEAL.
11. WebSEAL updates the session of the user with the new credential details that
the EAI application provides and redirects the user to the protected resource.
12. The request from the user to access the protected resource is sent via 302
redirect. The request does not require any user interaction.
13. WebSEAL inspects the request and directs the request to the runtime security
services EAS for authorization.
14. The EAS collects all context information about the user and the request and
creates an XACML over SOAP decision request. The EAS sends the request to
the runtime authorization service.
15. The risk-based access runtime service takes the context and other policy
attributes and calculates a risk score. The runtime service applies the risk
score against the configured authorization policy and returns a policy decision
response to permit access.
16. The runtime security services EAS interprets the response and returns the
permit decision to WebSEAL.
17. WebSEAL permits the original request to continue without going back to the
web browser of the user. The user is not aware of the transaction process.
8
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
Chapter 3. Installing
Use the IBM Update Installer for WebSphere Software to install risk-based access.
After you install risk-based access, use the manageRbaConfiguration command to
deploy the various components.
Software requirements
Before you install and configure risk-based access, you must ensure that your
environment meets the requirements for operating systems, databases, and web
browsers.
Supported operating systems for servers
AIX®
v AIX 6.1 POWER® System
v AIX 7.1 POWER System
Linux
v Red Hat Enterprise Linux Server Version 6, on x86-64
v Red Hat Enterprise Linux Version 5 Advanced Platform, on x86-64
v SUSE Linux Enterprise Server Version 10, on x86-64
v SUSE Linux Enterprise Server Version 11, on x86-64
Microsoft Windows
v Microsoft Windows Server 2008 Enterprise Edition, on x86-64
v Microsoft Windows Server 2008 R2 Enterprise Edition, on x86-64
Supported web browsers
v Mozilla Firefox 11.0 or later
v Google Chrome
v Microsoft Internet Explorer 8 or later
Note: If you plan to use location attributes for risk score calculation, you require
Internet Explorer Version 9 or later, which supports the Geolocation API.
Supported databases
v IBM DB2®, Enterprise Server Edition, Version 9.7 with fix pack 2 or later
v IBM solidDB® Version 7.0
© Copyright IBM Corp. 2012, 2013
9
Installation Prerequisites
Before you install risk-based access, you must prepare your environment by
installing and configuring prerequisite software.
Complete the following tasks before you install risk-based access.
Table 2. Checklist of installation prerequisites
Task
For more information
Download and install the latest version of
the IBM Update Installer for WebSphere
Software.
See the IBM support page
http://www-01.ibm.com/support/
docview.wss?uid=swg24020448.
Install WebSphere Application Server,
Network Deployment, Version 7.0 with fix
pack 15 or later.
Note: If WebSphere Application Server is in
a clustered environment, you must install
WebSphere Application Server, Network
Deployment, Version 7.0 with fix pack 23 or
later.
See the WebSphere Application Server
Version 7.0 Information Center at
http://pic.dhe.ibm.com/infocenter/
wasinfo/v7r0/index.jsp. Search for installing
the product.
Start the WebSphere Application Server if
you did not already do so.
Install IBM Tivoli Access Manager for
e-business Version 6.1.1 with fix pack 6 or
later and the WebSEAL component.
Install IBM Tivoli Federated Identity
Manager Version 6.2.2 with fix pack 1 or
later.
See the IBM Tivoli Federated Identity
Manager Version 6.2.2 Information Center at
http://publib.boulder.ibm.com/infocenter/
tivihelp/v2r1/topic/
com.ibm.tivoli.fim.doc_6.2.2/ic/ichomepage.html.
Create a domain and deploy the runtime
node for IBM Tivoli Federated Identity
Manager.
See the Configuration Guide in the IBM Tivoli
Federated Identity Manager Version 6.2.2
Information Center at http://
publib.boulder.ibm.com/infocenter/tivihelp/
v2r1/topic/com.ibm.tivoli.fim.doc_6.2.2/ic/
ic-homepage.html. Search for creating and
deploying a new domain.
Decide if you want to do an automatic or
manual setup of your database.
See “Database considerations.”
See also “Manually configuring the
database” on page 11.
Database considerations
The risk-based access database stores the configuration properties, device
fingerprints, and session attributes. You can choose between an automatic setup of
an embedded solidDB database or manual setup of a supported database.
Risk-based access provides the following two options to set up the database:
Embedded solidDB database setup
This setup is a quick and easy solution that is ready for immediate use. It
10
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
does not require any manual installation or configuration of a database.
However, this setup works only in a stand-alone WebSphere Application
Server configuration.
Manual database setup
This setup is preferred for a production environment. It requires you to
install and configure your database, and manually set up the database
schema. This setup is possible regardless of whether you have a
WebSphere Application Server stand-alone configuration or Network
Deployment with clustered setups.
Using the embedded solidDB database
The embedded solidDB database setup does not require any manual installation or
configuration of a database.
About this task
Note: This automatic setup of embedded solidDB database works only in a
stand-alone WebSphere Application Server configuration.
Procedure
1. Before you deploy risk-based access, ensure that you do not create the JNDI
context named jdbc/rba in WebSphere Application Server.
2. If the deploy operation does not detect any database that is installed and
pre-configured with the JDNI name jdbc/rba, a solidDB database is
automatically installed.
3. The database schema is also automatically created in the solidDB database. No
further manual steps to run scripts to set up the schema are required.
4. Optional: After you run the deploy operation, it is suggested that you
immediately change the embedded solidDB database password. Use the
following manageRbaConfiguration command:
$AdminTask manageRbaConfiguration {-operation create
-propertyName dbpassword -propertyValue new-password}
What to do next
Install and deploy risk-based access.
Manually configuring the database
If you are not using the embedded solidDB database, you must install and
configure the database and setup the schema. This manual database setup is
preferred for a production environment.
Before you begin
Important: If you chose the automatic setup of the embedded solidDB database,
you are not required to complete this procedure for manual setup.
Procedure
1. Install a supported database.
2. Create and configure a JNDI context named jdbc/rba in WebSphere
Application Server. For more information, see the WebSphere Application
Server Version 7.0 Information Center at http://pic.dhe.ibm.com/infocenter/
wasinfo/v7r0/index.jsp. Search for configuring a data source.
Chapter 3. Installing
11
3. Set custom schema properties by completing the following steps:
a. In the administrative console, click Resources > JDBC > Data sources.
b. Click the name of the data source that was created in step 2 on page 11 to
open the Configuration page.
c. Click Custom properties.
d. Click currentSchema.
e. In the Value field, type RBA_DB.
f. Click OK.
g. Click Save directly to the master configuration.
4. Run the script to create the database schema for risk-based access.
AIX® or Linux systems
The scripts to create the database are in the /opt/IBM/FIM/rba/
dbscripts/ directory.
a. Run the create_schema.sh shell script that is in the folder that
corresponds to your database.
b. When you run the script, specify the database user name, which is a
required parameter. For example, for DB2:
/opt/IBM/FIM/rba/dbscripts/db2/create_schema.sh database_user_name
Windows systems
The SQL files and the batch file to create the database schema are in the
C:\Program Files\IBM\FIM\rba\dbscripts\ directory.
a. Edit the create_schema.sql file and replace &DBUSER with the
database user name.
b. Run the create_schema.bat batch file that is in the folder that
corresponds to your database. Specify the create_schema.sql file as
the input parameter. For example, for DB2:
C:\Program Files\IBM\FIM\rba\dbscripts\db2\create_schema.bat create_schema.sql
5. When the SQL script starts executing, you are prompted for a password. Enter
the password of the database user to proceed.
What to do next
Install and deploy risk-based access.
Installing risk-based access
Use the Update Installer for WebSphere Software to install the components and
plug-ins for risk-based access.
Before you begin
Complete the installation prerequisites.
Procedure
1. Take one of the following actions, based on your operating system:
AIX® or Linux systems
Log in as root.
Windows systems
Log in as a member of the administrator group.
12
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
2. Download the 6.2.2.-TIV-ITFIM-FP0000-RBA.pak file from
http://www.ibm.com/support/docview.wss?uid=swg24032796.
3. To start the Update Installer wizard, run the update.sh shell script or
update.exe application file from the root directory of the Update Installer.
For example:
AIX® or Linux systems
/opt/IBM/WebSphere/UpdateInstaller/update.sh
Windows systems
C:\Program Files\IBM\WebSphere\UpdateInstaller\update.exe
Note: During the installation process, the Update Installer might display
warning or information messages. Ignore the messages and proceed with the
installation.
4. On the Welcome page, click Next.
5. In the Directory Path field, specify the IBM Tivoli Federated Identity Manager
home directory and click Next.
For example:
AIX® or Linux systems
/opt/IBM/FIM
Windows systems
C:\Program Files\IBM\FIM
6. Select Install maintenance package and click Next.
7. Specify the directory where you placed the 6.2.2-TIV-ITFIM-FP0000-RBA.pak
file and click Next.
8. Select 6.2.2-TIV-ITFIM-FP0000-RBA.pak and click Next.
9. Select Verify my permissions to perform the installation, confirm the
installation specifications, and click Next.
10. When the installation completes, click Finish.
11. Restart the application server or the deployment node in which you installed
risk-based access. You must restart because the command-line interface
extends the AdminTask framework of the WebSphere Application Server.
Results
Risk-based access is now installed.
What to do next
Deploy risk-based access..
Enabling language support for EAS messages
To enable language support for external authorization services (EAS) messages, set
your locale in the operating system.
Before you begin
Install risk-based access.
Chapter 3. Installing
13
About this task
Even though a different language locale is specified, the messages that are related
to the runtime security services EAS are displayed in English. You can enable
messages in a different language for the runtime security services EAS.
Procedure
1. Create the following directory if it does not exist:
AIX or Linux operating systems
/opt/pdwebrte/nls
Windows operating systems
C:\Program Files\Tivoli\PDWeb\nls
2. Extract the contents of FIM_INSTALL_DIRECTORY/rba/eas/nls.zip to that
directory.
3. Set your locale in the operating system by updating the environment variables.
For example, to enable Czech on a Linux operating system, set:
v LC_ALL=cs_CZ
v LANG=cs_CZ
4. Restart your workstation if it is required by your operating system.
What to do next
Verify that your EAS messages now display in the specified language.
Deploying risk-based access
After you install risk-based access, use the deploy operation of the
manageRbaConfiguration command to set up the risk-based access database and
deploy the various components.
Before you begin
1. Install risk-based access.
2. For the installation to take effect, restart the application server or the
deployment node in which you installed risk-based access.
3. Decide if you want to do an automatic or manual setup of your database. See
“Database considerations” on page 10.
About this task
The wsadmin commands for risk-based access are called by a Deployment Manager
node in a managed environment with clusters.
If the deploy operation detects that the runtime security service is configured with
IBM Tivoli Security Policy Manager, the existing instance of the runtime security
service is not overwritten. In such a scenario, you can use IBM Tivoli Security
Policy Manager as the policy administration point (PAP) for managing risk-based
access policies. You cannot use the manageRbaPolicy command to manage polices.
Some manageRbaPolicy operations are disabled in this scenario. The runtime
security services of IBM Tivoli Federated Identity Manager and the runtime
security services of IBM Tivoli Security Policy Manager must share the WebSphere
Application Server profile for risk-based access.
14
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
Procedure
1. Open a command window and access the directory where your WebSphere
Application Server profile is located. For example:
AIX® or Linux systems
/opt/IBM/WebSphere/AppServer70/profiles/AppSrv01/bin
Windows systems:
C:\Program Files\IBM\WebSphere\AppServer\profiles\AppSrv01\bin
2. Start the wsadmin tool with one of the following commands:
AIX® or Linux systems
./wsadmin.sh -username username -password password
Windows systems:
wsadmin.bat -username username -password password
3. To deploy the risk-based access runtime environment and plug-ins run the
following wsadmin command:
$AdminTask manageRbaConfiguration {-operation deploy}
A message states that risk-based access is deployed successfully.
4. Enable security for the runtime security services.
a. In WebSphere Application Server, create a group.
b. On the WebSphere Application Server administrative console, select
Applications > Application Types > WebSphere enterprise applications >
IBM Tivoli Runtime Security Services.
c. Under Detail properties, click Security role to user/group mapping. A list of
roles is displayed.
a.
b.
c.
d.
Select the tscc-admin role and click Map Groups.
Select the group that you created and click OK.
Click OK and save the configuration.
Use the manageRbaConfiguration command to configure the
rtss.admin.basic.authn.username and rtss.admin.basic.authn.pwd
properties to match the user name and password in the group that you
assigned to the tscc-admin role.
$AdminTask manageRbaConfiguration {-operation create
-propertyName rtss.admin.basic.authn.username -propertyValue user_name}
$AdminTask manageRbaConfiguration {-operation create
-propertyName rtss.admin.basic.authn.pwd -propertyValue password}
5. Secure the RTSS service URL if these conditions apply to your IBM Tivoli
Federated Identity Manager deployment:
v RTSS is deployed on the server.
v The product is junctioned behind WebSEAL.
If these conditions apply, attach an access control list to /FIM/rtss/admin by
using IBM Tivoli Access Manager for e-business, version 6.1.1 or later.
Attaching an access control list ensures that the page is not available to
everyone.
See the IBM Tivoli Access Manager for e-business documentation.
Results
Risk-based access is deployed.
Chapter 3. Installing
15
If no database is installed and configured with the JNDI context name, jdbc/rba,
an embedded solidDB database is installed, and the schema is created.
What to do next
Configure the risk-based access attributes, policies, and runtime properties.
Uninstalling risk-based access
Use the manageRbaConfiguration command to remove the risk-based access
components. After you remove the components, use the IBM® Update Installer for
WebSphere Software to uninstall risk-based access.
About this task
If the undeploy operation detects that the runtime security service is configured
with IBM Tivoli Security Policy Manager, then the instance of runtime security
service is not removed or undeployed.
Procedure
1. To remove the runtime configuration files and plug-ins, run the following
command:
$AdminTask manageRbaConfiguration {-operation undeploy}
A message states that risk-based access is undeployed successfully.
Note: If you are using the embedded solidDB database, the undeploy operation
creates a backup of the database at FIM_install_dir/rba/solidDB/backuptimeStampInteger.
2. To uninstall risk-based access, start the Update Installer wizard. Run the
update.sh shell script or update.exe application file from the root directory of
the Update Installer. For example:
AIX® or Linux systems
/opt/IBM/WebSphere/UpdateInstaller/update.sh
Windows systems
C:\Program Files\IBM\WebSphere\UpdateInstaller\update.exe
3. On the Welcome page, clickNext
4. In the Directory path field, specify the directory where risk-based access is
installed and click Next. For example:
AIX® or Linux systems
/opt/IBM/FIM
Windows systems
C:\Program Files\IBM\FIM
5. Select Uninstall maintenance package and click Next.
6. Select RBAFP0000.pak and click Next.
7. Review the summary information and click Next.
8. When the uninstallation completes, click Finish.
9. Manually delete the Java Archive (JAR) file that contains the command-line
interface for risk-based access. The uninstallation wizard cannot remove this file
until the application server is stopped. The file is locked because the
application server is using the classes in the JAR file.
16
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
a. When the application server is stopped, go to the plugins directory in the
WebSphere Application Server installation directory. For example:
AIX® or Linux systems
/opt/IBM/WebSphere/AppServer/plugins
Windows systems
C:\Program Files\IBM\WebSphere\AppServer\plugins
b. Delete the JAR file named com.tivoli.am.rba.cli_7.0.0.jar.
Known issues and workarounds
Risk-based access issues can include problems with retrieving or collecting
attributes, connection errors, and performance issues. Use the workarounds to
troubleshoot issues that you might encounter when you use risk-based access.
Geographic location attributes not retrieved
Problem
Location attributes are not retrieved from a device with a wired internet
connection after you configure the attribute collection service to collect
location attributes.
Workaround
To retrieve location attributes, ensure that the global positioning service
(GPS) on the device of the user is enabled.
If the device does not have GPS, then ensure that the device is connected
to a WiFi network to retrieve location attributes.
Connection not available
Problem
Errors that are similar to the following message are found in the
SystemOut.log file: Connection not available, timed out waiting for. .
.
Workaround
In WebSphere Application Server, increase the maximum connection pool
size to a value that is greater than three times the expected maximum
concurrent load.
For example, if you expect a maximum of 10 concurrent users at any point
in time, set the maximum connection pool size as higher than 30.
Ensure that your maximum thread pool size is at least twice the maximum
connection pool size.
For more information, see the WebSphere Application Server Version 7.0
Information Center at http://pic.dhe.ibm.com/infocenter/wasinfo/v7r0/
index.jsp. Search for connection pool settings and thread pool settings.
Attribute retrieval error
Problem
The SystemOut.log file contains errors that are related to the retrieval of
risk-related attributes.
Workaround
In WebSphere Application Server Java virtual machine settings, increase
your Java heap size.
Chapter 3. Installing
17
Set the initial heap size to 1 GB and the maximum heap size to 2 GB.
For more information, see the WebSphere Application Server Version 7.0
Information Center at http://pic.dhe.ibm.com/infocenter/wasinfo/v7r0/
index.jsp. Search for Java virtual machine settings.
JavaScript file fails to load
Problem
The info.js fails to load.
Workaround
In WebSphere Application Server Java virtual machine settings, increase
your Java heap size.
Set the initial heap size to 1 GB and the maximum heap size to 2 GB.
For more information, see the WebSphere Application Server Version 7.0
Information Center at http://pic.dhe.ibm.com/infocenter/wasinfo/v7r0/
index.jsp. Search for Java virtual machine settings.
Too many open files
Problem
WebSphere Application Server processes requests slowly. The error
message Too many open files is displayed several times in the
SystemOut.log file.
Workaround
Increase the limit for the number of open file descriptors.
In AIX and Linux systems, run the ulimit command:
ulimit -n nnnn
where nnnn is the required number of files, for example, 4096.
After you update ulimit, restart WebSphere Application Server from the
same shell.
Risk-based access does not present a basic authentication
challenge
Problem
When risk-based access does not present a basic authentication challenge,
the external authorization service (EAS) and runtime security service
experience a communication failure. Modifying the SSL settings solves this
problem.
Workaround
1. Go to the WebSphere Application Server administrative console.
2. Select SSL Certificate and Key Management > SSL Configurations >
Node Default SSL Settings > Quality of Protection.
3. Set Client Authentication to Supported.
4. Set Protocol to SSL_TLS.
5. Select Global Security > Web Security – General Settings.
6. Ensure that the following option is selected: Default to basic
authentication when certificate authentication for the HTTPS client
fails.
18
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
Chapter 4. Configuring
You must configure your standard authentication and authorization mechanisms to
include risk-based access decisions. You can verify that your configuration is
successful by accessing a resource that is protected by risk-based access. Confirm
that your device is registered and the session attributes are captured for risk score
calculation.
Configuration roadmap
Before you start to use risk-based access, you must configure the external
authorization service (EAS), attribute collection service, the required attributes,
properties, and policies.
After you install and deploy risk-based access, you must complete the following
configuration tasks.
Table 3. Roadmap for configuring risk-based access
Task
For more information
Configure the WebSEAL runtime security
services EAS.
See “Configuring the runtime security
services external authorization service in
WebSEAL” on page 27.
Configure the attribute collection service.
See “Configuring the attribute collection
service” on page 34.
Configure the attributes that you require for
risk score calculation.
See “Configuring the risk profile” on page
35.
Use the sample script to create a policy for
risk-based access. The ready-to-use sample
script in the authorization policy generation
language provides basic rules for an
end-to-end functioning policy.
Note: If you are an existing user of IBM
Tivoli Security Policy Manager, you can
continue to use it as the policy
administration point to manage risk-based
access policies. For more information, see
“Policy management with IBM Tivoli
Security Policy Manager” on page 50.
See:
v “Sample script for risk-based access policy
rules” on page 48.
v “Creating a risk-based access policy” on
page 49.
Enable logs and traces.
See “Enabling logs and traces” on page 20.
Verify the configuration.
See “Verifying the configuration” on page
21.
Note: After you use the manageRbaConfiguration or manageRbaRiskProfile
commands to configure properties or attributes, you must run the
manageRbaConfiguration command with the reload option for the changes to take
effect.
© Copyright IBM Corp. 2012, 2013
19
Enabling logs and traces
After you install risk-based access, you must enable the tracing and logging
functions for risk-based access components in WebSEAL and IBM Tivoli Federated
Identity Manager. Use the information in log files to isolate and debug problems.
Procedure
1. Enable logging for the runtime security services external authorization service
(EAS) in WebSEAL.
Use the pdadmin shell to enable trace and logs for the EAS.
pdadmin> server task webseal_server_name
trace set EAS_component_name 9 file path=log_file_path
For example:
pdadmin> server task default-webseald-epcloud127
trace set pdweb.rtss 9 file path=/tmp/rtss.log
Note: The setting is not persistent. The tracing is disabled when you restart
WebSEAL.
The log file is at the absolute file path of the location that you specified.
2. Use the WebSphere Application Server administrative console to enable logging
for the IBM Tivoli Federated Identity Manager runtime security service.
a. On the WebSphere Application Server console, select Troubleshooting >
Logs and Trace > server_name.
b. Click the Change Log Detail Levels link.
c. Under Additional properties, click Change Log Detail Levels.
d. On the Runtime tab, add the following trace string:
*=info:com.ibm.tscc.rtss.*=all:com.tivoli.am.rba.*=all:com.ibm.sec.authz.*=all
e. Select Save runtime changes to configuration as well.
f. Click Apply and save the changes.
g. Restart WebSphere Application Server.
You can find the log file at the following location: WAS_HOME/profiles/
profile_name/logs/server1/trace.log.
3. To enable fine-grained logging of database operations, set the
db.logging.enabled property to true.
$AdminTask manageRbaConfiguration {-operation update
-propertyName db.logging.enabled -propertyValue true}
The WebSphere Application Server trace file starts logging every individual
query along with connection information.
4. To troubleshoot issues related to risk calculation, set the
generate.risk.calculation.reports property to true.
$AdminTask manageRbaConfiguration {-operation update
-propertyName generate.risk.calculation.reports
-propertyValue true}
Every time that risk is calculated, HTML risk reports are generated. The report
files are stored in the temporary directory of the WebSphere Application Server
Java virtual machine (JVM) in a folder named rba. The value of the
java.io.tmpdir system property indicates the path of the JVM temporary
directory. For example, on AIX® or Linux systems the files might be stored in
the /tmp/rba directory.
20
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
What to do next
Verify the configuration of risk-based access.
Verifying the configuration
Verify that risk-based access services are running and devices are registered
successfully. If the verification steps are successful, risk-based access is installed
and configured correctly on your system.
Before you begin
v
v
v
v
v
Install and deploy risk-based access.
Configure the WebSEAL runtime security services EAS.
Configure the attribute collection service.
Configure the attributes that you require for risk score calculation.
Create a policy and configure it for risk-based access.
v Enable logs and traces.
Procedure
1. Verify that the runtime security service is configured to load the risk-based
access plug-in.
In the WAS_HOME/profiles/profile_name/logs/server1/trace.log file, search for
the following entries:
AuthzRuntimeS 3
AuthzRuntimeS 3
AuthzRuntimeS 3
Successful registry finder : RBA AttributeSession PIP
Successful registry finder : USER FINGERPRINT COUNT PIP
Successful registry finder : RBA RiskCalculator PIP
If the entries exist, the risk-based access plug-in is loaded successfully.
If you do not see the entries, verify that the trace setting for the IBM Tivoli
Federated Identity Manager runtime security service is correct. See “Enabling
logs and traces” on page 20.
2. If you configured the ready-to-use sample policy, verify that the risk-based
access policy is working.
a. Visit the URL that you configured as a protected resource and log in. You
are presented with a secondary challenge such as a one-time password
(OTP). After you respond successfully with the secondary challenge, you
would be given access to the resource. Your device fingerprint is registered
in the risk-based access database and the risk score is initialized to zero.
The runtime security services EAS logs would show the authorization
decisions that are received from the policy decision point (PDP).
b. Log out and log in again with the same user ID that you used in the
previous step and from the same device. You would be given access to the
resource without any secondary challenge.
c. With the same user ID that you used in the previous step, access the same
resource from a different device. If a secondary challenge is presented, the
risk-based access step-up authentication is working. When the attributes do
not match the stored fingerprint, a potential risk is identified and the user is
presented with a challenge. Only after the user responds to the challenge
successfully, the new device is registered. The runtime security services EAS
logs would indicate that a request for a secondary challenge was received
from the PDP.
3. Verify that your device fingerprint is registered. Run the following wsadmin
command to list registered devices:
Chapter 4. Configuring
21
$AdminTask manageRbaDevices {-operation search}
4. Verify that your session attributes are collected. Run the following wsadmin
command to list session attributes:
$AdminTask manageRbaSessions {-operation search}
22
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
Chapter 5. Administering
Manage the various components of risk-based access, such as the external
authorization service (EAS), attribute collection service, session attributes, devices,
and policies.
Risk management
Risk-based access policy decisions are based on the risk score. The risk score is
calculated based on attributes that are retrieved from the user.
The following process describes the key aspects of risk management:
1. Decide on a set of attributes that you require for risk-score calculation.
2. Configure the methods to retrieve them.
v You can retrieve many of these attributes from standard HTTP headers.
Configure these attributes in the WebSEAL configuration file. See “Runtime
security services external authorization service” on page 26.
v For some attributes, you might require client-side JavaScript. To collect these
special attributes, use the attribute collection service, which is a
Representational State Transfer (REST) service. The attribute collection service
provides read-to-use JavaScript, which captures the attributes that you
configure. See “Attribute collection service” on page 32.
v You might require other attributes that cannot be retrieved from standard
HTTP headers or attributes that the attribute collection service does not
capture. For such attributes, write custom JavaScript that provides attribute
data to the attribute collection service. You can also use a SWF file for
collecting information from web browsers that support the SWF format.
3. Configure and set weights for all attributes regardless of how they are
retrieved. Use the manageRbaRiskProfile command to configure attributes. See
“Configuring the risk profile” on page 35.
4. Specify how you want to store the attributes. See “Attribute storage” on page
37.
5. Configure the properties that specify settings for attribute matchers, such as
location, IP address, and login time matchers. See “Attribute matchers” on page
38.
Risk score calculation
Risk score calculation is the process by which the risk engine determines a risk
score. The risk score demonstrates the level of risk that is associated with
permitting a request to access the resource. This risk score is compared to a
threshold score that is set in a policy. A decision is made based on the result of this
comparison.
Overview
The risk engine determines a risk score by comparing sets of attributes that
identify devices. These sets of attributes are called device fingerprints. Device
fingerprint attributes include items such as IP address, location, and screen size.
© Copyright IBM Corp. 2012, 2013
23
Each registered device has one device fingerprint. Because the user accesses the
resource in different locations and on different devices, the user can have many
registered devices.
The following process describes how risk assessment works:
1. The incoming device requests access to the resource.
2. The risk engine collects as many device fingerprint attributes as it can from the
request device.
3. After the attributes are collected, the risk engine:
v Determines the device fingerprint.
v Calculates the risk score. The risk score
– Is a number.
– Represents the amount of risk that is associated with the incoming
request.
– Indicates the likelihood that the incoming request represents the user.
4. The risk engine:
v Compares the incoming fingerprint with each registered device fingerprint.
v Uses the attributes that are contained in the larger fingerprint for each
comparison.
v Calculates a risk score for each comparison.
5. To determine the final risk score, the risk engine:
v Chooses the lowest risk score of the comparisons between the incoming
fingerprint and the registered fingerprint.
v Measures the final risk score against a threshold score or range that the
administrator sets in a policy.
6. Depending on the way the administrator writes the policy, one of the following
outcomes occurs:
Permit
The risk score for the incoming request is well below the threshold
score. The user is granted access to the resource. For example, the risk
score is 30, and the threshold score that is set by the administrator is
40.
Permit with obligation
The user is asked to complete an extra security measure, such as step
up authentication. For example, the risk score is 40, and the policy that
the administrator wrote requires users that operate devices with scores
30 - 90 to step up.
Deny
The risk score for the incoming request is above the threshold score or
range. The user is denied access to the resource. For example, the risk
score is 50, and the threshold score that is set by the administrator is
40.
The risk score is calculated through the following formula:
Risk Score = (total weight of mismatched attributes /
total weight of all attributes) × 100
When the values that belong to the incoming device fingerprint and the registered
device fingerprint are the same, the values are matched. When the values that
belong to the incoming device fingerprint and the registered device fingerprint are
not the same, the values are mismatched.
24
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
Sometimes, the fingerprints contain attributes that are not matched or mismatched.
These attributes are called indeterminate attributes. When there are indeterminate
attributes present, the following formula is used to calculate the risk score:
Risk Score = (total weight of mismatched attributes /
(total weight of all attributes−total weight of indeterminate attributes)) × 100
Scenarios
The following example scenarios demonstrate risk score calculation.
Both scenarios assume that the administrator
v Wrote a policy that specifies that any risk score at or below 40 is permitted, and
any risk score above 40 is denied.
v Gave equal weight values to all of the attributes in the tables.
– The attributes in the tables have the same weight value of 10.
Scenario 1: Authentication is permitted
The example information in the table is used to calculate the risk score.
Attribute names
Weight
values
Incoming device
fingerprint values
Registered device
fingerprint values
platform
10
Win32
Win32
screenHeight
10
1080
1080
screenWidth
10
1920
1920
colorDepth
10
32
32
userAgent
10
Mozilla/5.0 (Windows
NT 6.1; WOW64;
rv:15.0)
Gecko/20120427
Firefox/15.0a1
Mozilla/5.0 (Windows
NT 6.1)
AppleWebKit/537.36
(KHTML, like Gecko)
Chrome/28.0.1468.0
Safari/537.36
language
10
en-US
en-US
ipaddress
10
42.29.144.5
42.29.144.5
v All of the fingerprint attribute values match except for the incoming device
fingerprint values and existing device fingerprint values for userAgent.
v Because userAgent is the only attribute that has any mismatched values, the total
weight of the mismatched attributes is 10.
v The total weight of all of the attributes is 70 because each attribute has a weight
value of 10.
v According to the risk score calculation formula: (10/70)×100=14. Therefore, the
risk score is 14.
v Because the risk score is below 40, authentication is permitted.
Scenario 2: Authentication is denied
The example information in the table is used to calculate the risk score.
Attribute names
Weight
values
Incoming device
fingerprint values
Registered device
fingerprint values
platform
10
Linux
Win32
screenHeight
10
1050
1080
Chapter 5. Administering
25
The example information in the table is used to calculate the risk score.
Attribute names
Weight
values
Incoming device
fingerprint values
Registered device
fingerprint values
screenWidth
10
1680
1920
colorDepth
10
24
32
userAgent
10
Mozilla/5.0 (X11;
Linux i686 (x86_64))
AppleWebKit/537.36
(KHTML, like Gecko)
Chrome/27.0.1453.93
Safari/537.36
Mozilla/5.0 (Windows
NT 6.1)
AppleWebKit/537.36
(KHTML, like Gecko)
Chrome/28.0.1468.0
Safari/537.36
language
10
en-US
en-US
ipaddress
10
9.53.18.164
42.29.144.5
v None of the fingerprint attribute values match except for the incoming device
fingerprint value and existing device fingerprint value for language.
v Because all of the attributes except for language have mismatched values, the
collective weight of the mismatched attributes is 60.
v The total weight of all of the attributes is 70 because each attribute has a weight
value of 10.
v According to the risk score calculation formula: (60/70)×100=86. Therefore, the
risk score is 86.
v Because the risk score is above 40, authentication is denied.
Runtime security services external authorization service
The runtime security services external authorization service (EAS) for risk-based
access is a modular authorization service plug-in. You can use IBM Tivoli Access
Manager for e-business authorization as an add-on to your own authorization
models when you have the EAS.
The runtime security services EAS provides the policy enforcement point (PEP)
functionality for risk-based access. You can configure the runtime security services
EAS to include risk-based access decisions as part of the standard authorization on
WebSEAL requests. WebSEAL becomes the authorization enforcement point for
access to resources that risk-based access protects.
The runtime security services EAS plug-in uses the IBM Tivoli Federated Identity
Manager risk-based access capabilities. For more information about EAS, see the
Authorization C API Developer Reference Guide in the IBM Tivoli Access Manager for
e-business Version 6.1.1 Information Center at http://publib.boulder.ibm.com/
infocenter/tivihelp/v2r1/topic/com.ibm.itame.doc/welcome.htm. Search for
External authorization service plug-ins.
The runtime security services EAS constructs a request that it sends to the policy
decision point (PDP), which is IBM Tivoli Federated Identity Manager. Based on
the policy decision that is received from the PDP, the EAS takes one of the
following actions:
Table 4. Runtime security services EAS access decisions
26
Action
Description
Permit
Grants access to the protected resource.
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
Table 4. Runtime security services EAS access decisions (continued)
Action
Description
Permit with
obligations
Grants access to the protected resource, after the user successfully
authenticates with a secondary challenge.
Deny
Denies access to the protected resource.
You must configure the WebSEAL runtime security services EAS to enforce policy
decisions that the PDP returns.
Configuring the runtime security services external authorization
service in WebSEAL
Configure the runtime security services external authorization service (EAS) to
enforce the policy decisions that the policy decision point (PDP) returns. Use the
tfimcfg tool to update the WebSEAL configuration file.
Before you begin
v Install and deploy risk-based access.
v Ensure that IBM Tivoli Access Manager for e-business Version 6.1.1 or later is
installed with the WebSEAL component. If version 6.1.1 is installed, ensure that
fix pack 6 or later is applied.
v To run the tfimcfg.jar file, use PDJrte to configure the JRE, which starts the
tool.
v To use the tfimcfg tool with IBM Security Access Manager for Web Version 7.0
or later, you must meet the following conditions:
– Obtain an IBM JRE, version 6.0, Update 10 or later.
– Configure the com.ibm.security.cmskeystore.CMSProvider provider in the
java.security file, which is in $JAVA_HOME/lib/security, of the IBM JRE.
– Use PDJrte to configure the JRE, which starts the tool, into the Security
Access Manager domain.
– The ikeyman tool in the $JAVA_HOME/bin must be on the path before you run
the tool.
v Run the tool on the same computer where the WebSEAL instance is configured.
v If you are using WebSEAL Version 6.1.1, copy the runtime security services EAS
shared library from the risk-based access installation directory to the WebSEAL
installation directory.
For example:
AIX systems
Copy the /opt/IBM/FIM/rba/eas/6.1.1/platform_name/librtsseas.a file
to the /opt/pdwebrte/lib directory.
Linux systems
Copy the /opt/IBM/FIM/rba/eas/6.1.1/platform_name/librtsseas.so
file to the /opt/pdwebrte/lib directory.
Windows systems
Copy the C:\Program Files\IBM\FIM\rba\eas\6.1.1\WIN\rtsseas.dll
file to the C:\Program Files\Tivoli\PDWebrte\lib directory.
About this task
The tfimcfg tool ensures that the correct data is passed to the runtime security
services EAS for each request.
Chapter 5. Administering
27
To include risk-based access decisions as part of the standard authorization on
WebSEAL requests, use the tfimcfg tool. Then, manually update the configuration
file and attach the POP. This process is described in the following procedure.
Procedure
1. (Optional) Copy the issuer certificate from the WebSphere Application Server
instance that hosts the runtime security service to a key database file. This step
is part of the server-side SSL authentication configuration.
Note the location of this file so that you can specify it for the Optional runtime
security services SSL keyfile within the tfimcfg tool in step 2.
2. Run the tfimcfg tool.
Use the following tfimcfg attributes:
v For a WebSEAL server:
java -jar tfimcfg.jar -action tamconfig -cfgfile WebSEAL_filename
v For a Web Gateway Appliance server:
java -jar tfimcfg.jar -action wgaconfig -cfgurl Web_Gateway_Appliance_URL
See the “tfimcfg reference” for information about the tool parameters in the
Federated Identity Manager Information Center.
If you are using the JRE provided with WebSphere Application Server, version
8.0 or later, you might encounter an error when you use tfimcfg. See the Fix
Pack 6 readme file for information about more parameters tfimcfg requires.
While you are running this tool, note the following risk-based access specific
prompts:
a. For the Federation to configure prompt, select Risk-based access.
Note: The tool configures the same ACLs for federations and risk-based
access. Also, the itfim_rba_anyauth ACL is attached to the attribute
collection service.
b. Provide the following runtime security services parameters:
v Runtime security services user
v
v
v
v
v
Runtime security services password
Runtime security services URL
Optional runtime security services SSL keyfile
Optional runtime security services SSL stash file
Optional runtime security services SSL keyfile label
The tfimcfg tool attempts to connect to the runtime security services server.
If the connection is invalid, you are prompted to enter the parameters again.
If you want to configure server-side SSL authentication, specify the SSL
parameters.
3. Attach the POP, rba-pop, to the resource that risk-based access must protect.
For example, if MyJct is the resource to protect, run the following command:
#pdadmin -a sec_master
Enter password: passw0rd
pop attach /WebSEAL/localhost-default/MyJct rba-pop
server replicate
quit
Note: Attach the POP in the object tree such that the runtime security services
EAS is used only for the resources that are protected by risk-based access. If
you attach the risk-based POP to a root object in the object space, the POP is
28
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
used for every request, including administrative tasks. Most of these calls to the
runtime security services EAS are not required and might result in lowered
performance throughput.
4. Update the WebSEAL configuration file to append the [obligations-levelsmapping] stanza. Specify the mapping between obligation levels that the PDP
returns and the authentication levels in WebSEAL. For example, append:
[obligations-levels-mapping]
otp=3
consent=4
See the WebSEAL Administration Guide in the IBM Tivoli Access Manager for
e-business Version 6.1.1 Information Center. Search for “specifying
authentication levels”.
5. Verify that each header that was configured by the tfimcfg tool under
the [azn-decision-info] stanza has a corresponding attribute configuration in
the risk-based access database. The values that are specified after the equal sign
(=) in the entries must match the attributes that you configure with the
manageRbaRiskProfile command.
Ensure that the case of the attribute matches the corresponding entry under the
[azn-decision-info] stanza because the entries are case-sensitive. The
Subject-UUID entry is an exception. You do not have to configure
cookie:ac.uuid as an attribute with the manageRbaRiskProfile command. The
Subject-UUID entry is required only for the attribute collection service to work
with the runtime security services EAS.
See the WebSEAL Administration Guide in the IBM Tivoli Access Manager for
e-business Version 6.1.1 Information Center. Search for “azn-decision-info”.
Results
v The POP, rba-pop, is created.
v The itfim_rba_anyauth ACL is attached to the attribute collection service.
v The runtime security services EAS is configured.
What to do next
See “Configuring the attribute collection service” on page 34.
Sample configuration data for runtime security services external
authorization service
The sample [rtss-eas] stanza contains the configuration details for the runtime
security services external authorization service (EAS) to enforce policy decisions.
Add the sample entries under the [rtss-eas] stanza in the default WebSEAL
configuration file named webseald-default.conf.
Note: The formatting, commenting, and line breaks in the following code might
change when you copy and paste from a PDF file. Compare the code that you
copied and pasted with the following code to ensure that it conforms to the correct
syntax.
[rtss-eas]
# Specify the name of the IBM Tivoli Access Manager for e-business
# trace component that the EAS uses
trace-component = pdweb.rtss
#
#
#
#
Set this property to true if you want the EAS
to first check with IBM Tivoli Access Manager for e-business
whether the user has permission to access the resource based
on the ACL set.
Chapter 5. Administering
29
apply-tam-native-policy = true
# Specify the context-id that is used in the requests that are
# sent by the EAS to the runtime security service.
# If the context-id parameter is not set, the WebSEAL server-name is used
# as the default value.
#
#context-id =
#
# Specify the audit logging configuration. This entry consists
# of an agent identifier that is followed by a comma-separated list
# of key-value pairs of attributes that are associated with the agent.
#
# For example, to configure the auditing of records to a file:
# audit-log-cfg = file path=/tmp/rtss-audit.log,flush=20,
#
rollover=2000000,buffer_size=8192,queue_size=48
# To send audit logs to STDOUT:
# audit-log-cfg = STDOUT
#
# If this attribute is missing or not configured, no audit
# events are logged.
# audit-log-cfg =
#
#
#
#
Specify the name of the runtime security services SOAP cluster
that contains this runtime security services SOAP service.
Also specify a corresponding [rtss-cluster:cluster]
stanza with the definition of the cluster.
[rtss-cluster:cluster1]
# Specify the definitions for a cluster of runtime security services
# SOAP servers in this stanza.
#
#
#
#
#
#
#
#
#
Define the specifications of the server that you use to communicate
with a single runtime security services SOAP server,
which is a member of this cluster.
Values for this entry are defined as:
{[0-9],}URL
where the first digit (if present) represents the priority of the server
in the cluster (9 being the highest, 0 being lowest). A priority of 9 is assumed
if you do not specify a priority. The URL can be any
well-formed HTTP or HTTPS URL.
# You can specify multiple server entries for failover and load balancing
# purposes. The complete set of these server entries defines the
# membership of the cluster for failover and load balancing.
server = 9,https://localhost:9443/rtss/authz/services/AuthzService
# Specify the maximum number of cached handles that are used when
# communicating with runtime security services SOAP.
handle-pool-size = 10
# Specify the length of time, in seconds, before an idle handle is removed
# from the handle pool cache.
handle-idle-timeout = 240
# Specify the length of time, in seconds, to wait for a response from
# runtime security services SOAP.
timeout = 240
# You can use the following optional configuration entries if
# the runtime security services SOAP server is configured to require
30
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
# basic authentication. If you leave these entries blank,
# the basic authentication header is not provided when communicating
# with the runtime security services SOAP server.
# Specify the name of the user for the basic authentication header.
basic-auth-user =
#
#
#
#
#
#
#
#
#
#
#
#
Specify the password for the basic authentication header.
Note: To obfuscate the the value of a stanza/key,
use the following pdadmin command:
pdadmin> config modify keyvalue set -obfuscate
config-file stanza key value
For example:
pdadmin> config modify keyvalue set -obfuscate
/opt/pdweb/etc/webseald-default.conf
rtss-eas basic-auth-passwd passw0rd
For more information about obfuscation, see Command Reference in
the IBM Tivoli Access Manager for e-business information center.
Search for config modify in the pdadmin commands section.
basic-auth-passwd =
# The following SSL entries are optional and are only required if:
#
1. At least one server entry indicates that SSL is to be used,
#
that is, it starts with https:)
#
2. A certificate other than what is used by this server is required
#
when communicating with the policy server. The details of the
#
default certificate can be found in the [ssl] stanza of this
#
configuration file.
# If these entries are required and are not found under this stanza,
# the default [ssl] stanza is searched.
# The name of the key database file that houses the client certificate
# that must be used.
# ssl-keyfile =
# The name of the password stash file for the key database file.
# ssl-keyfile-stash =
# The label of the client certificate in the key database.
# ssl-keyfile-label =
#
#
#
#
#
This configuration entry specifies the distinguished name (DN) of the
server (obtained from the server SSL certificate) that is accepted.
If no entry is configured all DNs are considered as valid.
Multiple DNs can be specified by including multiple
configuration entries of this name.
# ssl-valid-server-dn =
#
#
#
#
This entry controls whether Federal Information Processing
Standard (FIPS) communication is enabled. If no configuration entry
is present, the global FIPS setting (as determined by
the IBM Tivoli Access Manager policy server) takes effect.
# ssl-fips-enabled =
#
#
#
#
Define the mappings between the obligation levels that the policy decision
point (PDP) returns and the WebSEAL step-up authentication levels.
The mapping must be one-to-one and the user must be permitted to authenticate
only through the appropriate obligation mechanisms. These entries ensure that the
Chapter 5. Administering
31
# EAS maps the obligations to the authentication levels and vice versa correctly.
[obligations-levels-mapping]
otp=3
consent=4
Session configuration
You can capture the session attributes of a user with the attribute collection service.
Risk-based access uses these static and contextual attributes to calculate the risk
score.
Attribute collection service
The attribute collection service is a Representational State Transfer (REST) service.
It can collect web browser and location information from the user for calculating
the risk score.
Process overview
The following process describes the attribute collection service and how to use it:
1. Make REST calls to store and delete attributes in the database. The initial
request to the service receives a correlation ID. The correlation ID is used to
make further REST calls.
2. Use JavaScript to collect the web browser attributes. You can place the HTML
page that calls the JavaScript functions on any server.
v Ajax collects information in the background. It does not slow down page
loading.
v You can make standard Ajax requests only to the same domain. With Cross
Origin Resource Sharing (CORS), you can make Ajax requests across
domains.
v The CORS response header contains the settings for the following
specifications:
– The server from which requests are accepted.
– The types of requests that are accepted.
3. Configure the attributes that you want to collect for risk score calculation. They
are collected and listed in FIM_install_dir/pages/C/ac/info.js.
Request types
GET and Post requests create a correlation ID to identify the session in the
database. A correlation ID is a UUID that is stored in a cookie. The attribute
collection service process uses the following request types:
GET
Retrieves information about an attribute session from the database. GET
requests are disabled by default. Requests use a URL with a REST path,
such as https://webseal/FIM/sps/ac/rest/UUID.
POST
Creates an attribute session in the database. POST requests use a URL such
as https://webseal/FIM/sps/ac/UUID.
The session attributes are sent as a JSON string with the request. In a
response, the server sets a cookie that contains the correlation ID.
For example, the POST /sps/ac/9d37e806-24cf-4398-a3b9-d7f13fb2231f
request creates a session in the database with the UUID of
9d37e806-24cf-4398-a3b9-d7f13fb2231f.
32
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
You can also configure the risk-based access properties to use an existing
cookie.
DELETE Deletes an attribute session from the database.
Risk-based access runtime properties
Use the manageRbaConfiguration command to configure the risk-based access
properties that are required for attribute collection service.
The following properties specify information about the server from which requests
are received and the location of the attribute collection service:
ac.request.server
The server from which requests are received.
For example: http://mywebsealhost.company.com.
ac.service.location
The location of the attribute collection service.
For example: http://mywebsealhost.company.com/webseal-junction-name.
session.timeout
A numeric value that represents the number of seconds before a risk-based
access session automatically expires unless the session is updated.
If any attribute in the session is updated, the expiry time for the session is
extended by the number of seconds specified in this property. The default
value is 3600.
This value must be greater than or equal to the WebSEAL maximum
session lifetime. If not, collected device attributes expire, and the RBA
policies fail.
The following configuration properties are used by the attribute collection service
to access the GET method of the REST service:
ac.get.attributes.enabled
Indicates whether access to the GET method is allowed.
The default value is false.
ac.get.attributes.allowed.clients
A comma-separated list of IP addresses or host names that can access the
GET method.
If this property is not set and ac.get.attributes.enabled is set to true,
anyone can access the GET method.
If this property is set but ac.get.attributes.enabled is set to false, then
this property is ignored.
Use the manageRbaConfiguration command to set these properties and their values
in the risk-based access runtime configuration file. For more information, see
“manageRbaConfiguration command” on page 63.
JavaScript functions
Use the JavaScript functions in the FIM_install_dir/pages/C/ac/info.js file to
make requests to the server. Include the info.js file in the HTML login page of
your application. When info.js is loaded, it calls the following functions:
Chapter 5. Administering
33
sendSession()
Makes a POST request to the delegate service.
The sendSession() function collects the web browser attributes and sends
them to the server. They are stored in the database. Call this function when
a user logs in.
deleteSession()
Makes a DELETE request for a specified correlation ID.
The POST request from the sendSession() returns a correlation ID. Based on
the correlation ID, the deleteSession() function deletes the attributes from
the database. Call this function when the user logs out or when the current
session times out.
getLocation()
Detects the location of the device from which the requests are made. If the
location information is sent to the server, call the getLocation() function
before the sendSession() function. The following web browsers support
the detection of location: Mozilla Firefox, Google Chrome, Opera, Apple
Safari, and Microsoft Internet Explorer 9.
Note: For the JavaScript functions to work in Microsoft Internet Explorer, include
the following statement in the HTML page from which you call the function. The
following statement forces Microsoft Internet Explorer to use the standards mode:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
For configuration steps and examples, see “Configuring the attribute collection
service.”
Configuring the attribute collection service
Before you can collect risk calculation information, you must specify the server and
location of the collection service. You also must specify a JavaScript file to collect
the session attributes.
Before you begin
Run the tfimcfg tool to configure the runtime security services EAS. See
“Configuring the runtime security services external authorization service in
WebSEAL” on page 27.
Procedure
1. To publish pages and plug-ins and load the Tivoli Federated Identity Manager
runtime environment, run the following command:
$AdminTask manageRbaConfiguration {-operation reload}
2. Create and configure the risk-based access properties for the attribute collection
service.
a. Create and configure ac.request.server to specify the location of the
attribute collection service. Run the following command and replace the
variable in italics with your values:
$AdminTask manageRbaConfiguration {-operation create
-propertyName ac.request.server
-propertyValue request_server_url}
34
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
Note: The value of request_server url is a space-separated list of hosts from
which requests are permitted. Host names must begin with http:// or
https://.
The following command shows a sample value for the property:
$AdminTask manageRbaConfiguration {-operation create
-propertyName ac.request.server
-propertyValue http://mywebsealhost.company.com}
b. Create and configure ac.service.location to specify the location of the
attribute collection service. Run the following command and replace the
variable in italics with your values:
$AdminTask manageRbaConfiguration {-operation create
-propertyName ac.service.location
-propertyValue https://host_name/webseal-junction-name}
The following command shows a sample value for the property:
$AdminTask manageRbaConfiguration {-operation create
-propertyName ac.service.location
-propertyValue https://mywebsealhost.company.com/FIM}
3. Add the URL of info.js to the <head> block in the HTML landing page of your
application. The info.js file calls functions that are required to collect session
attributes. Follow this format:
<script src="https://host_name/webseal-junction-name/sps/ac/js/info.js"></script>
Note: When the info.js file is included on an HTML page, attribute collection
by Ajax calls can take time to complete. To avoid issues, attribute collection
must end before you move away from the page. For example, if the attribute
collection is still running, and a user name and password are entered, the
policy fails to resolve session attributes. To prevent this issue, modify the
JavaScript to prevent the user from continuing until after the Ajax call
completes.
Results
The basic configuration of the attribute collection service for risk-based access is
complete. For more information, see “Attribute collection service” on page 32.
What to do next
Configure attributes and the weights that you require for risk score calculation. For
more information, see “manageRbaRiskProfile command” on page 73.
Risk profile configuration
You must create risk attributes and specify their weights. You can also configure
the ready-to-use attribute matchers or write your own custom attribute matcher.
Configuring the risk profile
You can retrieve attributes from standard HTTP headers or use the attribute
collection service to collect attributes. To use these attributes for risk score
calculation, you must set appropriate weights for each attribute.
Before you begin
Complete the following configuration steps:
v “Configuring the runtime security services external authorization service in
WebSEAL” on page 27
v “Configuring the attribute collection service” on page 34
Chapter 5. Administering
35
About this task
Use the manageRbaRiskProfile command to create the attributes and configure
weights for the attributes that you require for risk score calculation.
Procedure
1. Create the attributes and specify weights for the attributes that you configured
in the WebSEAL configuration file named webseald-default.conf for the
runtime security services external authorization service (EAS). The attributes
that you configure must be a subset of the entries that you added in the
[azn-decision-info] stanza.
Use the following examples to configure the attributes that are captured from
standard HTTP headers:
$AdminTask manageRbaRiskProfile {-operation create
-attributeId header:user-agent
-weight 75}
$AdminTask manageRbaRiskProfile {-operation create
-attributeId header:content-type
-weight 50}
$AdminTask manageRbaRiskProfile {-operation create
-attributeId header:accept-charset
-weight 80}
2. Create the attributes that you want the attribute collection service to retrieve
and specify weights for the attributes.
Use the following examples to configure the attributes and weights:
$AdminTask manageRbaRiskProfile
-weight 95}
$AdminTask manageRbaRiskProfile
-weight 60}
$AdminTask manageRbaRiskProfile
-weight 25}
$AdminTask manageRbaRiskProfile
-weight 80}
{-operation create -attributeId language
{-operation create -attributeId platform
{-operation create -attributeId plugins
{-operation create -attributeId fonts
Note: If you configure the fonts attribute, you must also add the
fcollector.swf SWF object in the login page of your application, for example,
the WebSEAL login.html page. Add the following object element in the body
element of your login page at the end, just before the </BODY> end tag. Replace
the variables in italics with your values:
<object width="1" height="1">
<param name="movie" value="https://host_name/webseal_junction_name/sps/ac/js/fcollector.swf">
<embed src="https://host_name/webseal_junction_name/sps/ac/js/fcollector.swf" width="1" height="1">
</embed>
</object>
For example:
<object width="1" height="1">
<param name="movie" value="https://myservicehost.company.com/FIM/sps/ac/js/fcollector.swf">
<embed src="https://myservicehost.company.com/FIM/sps/ac/js/fcollector.swf" width="1" height="1">
</embed>
</object>
3. Optional: To enable risk-based access based on location, IP address or login
time, you can configure the following additional attributes. These attributes are
required for ready-to-use matchers that are provided with risk-based access. For
more information, see “Attribute matchers” on page 38.
Use the following examples to configure the attributes for the specified
attribute matchers:
36
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
Location matcher
$AdminTask manageRbaRiskProfile {-operation create
-attributeId longitude -weight 75}
$AdminTask manageRbaRiskProfile {-operation create
-attributeId latitude -weight 75}
$AdminTask manageRbaRiskProfile {-operation create
-attributeId accuracy -weight 75}
IP address matcher
$AdminTask manageRbaRiskProfile {-operation create
-attributeId ipaddress -weight 50}
Login time matcher
$AdminTask manageRbaRiskProfile {-operation create
-attributeId accessTime -weight 45 –behavior true}
$AdminTask manageRbaRiskProfile {-operation create
-attributeId urn:oasis:names:tc:xacml:1.0:resource:resource-id
-weight 0 –behavior true}
$AdminTask manageRbaRiskProfile {-operation create
-attributeId cookie:ac.uuid -weight 0 –behavior true}
What to do next
1. Configure the specific properties that are required for the following attribute
matchers:
v IP address matcher
v Location matcher
v Login time matcher
2. Create and configure a risk-based access policy. Use one of the following
methods:
v Specify the policy rules in a script with the authorization policy generation
language. The ready-to-use sample script in the authorization policy
generation language provides basic rules for an end-to-end functioning
policy. Use the script to create a risk-based access policy and configure it for
use with risk-based access.
v If you are an existing user of IBM Tivoli Security Policy Manager, you can
continue to use it as the policy administration point to manage risk-based
access policies. For more information, see “Policy management with IBM
Tivoli Security Policy Manager” on page 50.
Attribute storage
Risk-based access uses the device fingerprint, behavior, and session attributes of
the user to calculate the risk score. These attributes are persisted or stored in the
risk-based access database.
Device fingerprint data
Consists of attributes that are stored when a device is registered. The
incoming device fingerprint is compared against this stored repository of
trusted device fingerprints.
Session data
Consists of the session attributes of the user that are stored temporarily
until the session times out. However, if the device is registered, the session
attributes are also stored as part of the device fingerprint.
Behavior data
Is historic data that is stored in the database and used for behavior-based
attribute matching. For example, the login timestamps of the user over the
previous three months.
Chapter 5. Administering
37
When you configure attributes with the manageRbaRiskProfile command, you can
also specify how each attribute must be stored in the risk-based access database.
Use the -device, -session, and -behavior parameters to store the attributes as
device fingerprint, session, or behavior attributes.
For example, if you want the browser attribute to be stored as behavior data, run
the following command:
$AdminTask manageRbaRiskProfile {-operation create -attributeId browser
-weight 75 –behavior true}
For more information, see “manageRbaRiskProfile command” on page 73.
Attribute matchers
An attribute matcher compares the values of a specified attribute in the incoming
device fingerprint with the existing device fingerprint of the user. Risk-based
access uses the information returned by the attribute matchers to calculate the risk
score.
The exact matcher is the default attribute matcher. It is used if you do not
configure any attribute matcher. It checks whether the values of a single attribute
are the same in both the incoming and existing device fingerprints.
In some scenarios, multiple attributes or a set of composite attributes must be
matched. For example, longitude, latitude, and accuracy are three attributes that
are related to location. Assume that two device fingerprints are considered a match
if the distance between two location points is not greater than a specified threshold
value. In this scenario, the comparison of only the longitude attribute does not
provide accurate results. The matcher must do a more complex comparison or
composite matching, where it matches multiple attributes from both fingerprints.
The matcher either returns a match or a mismatch result. A mismatch increases the
risk score based on the weight assigned to the attributes.
The matcher might abstain from being a part of the risk calculation in the
following situations:
v The incoming device fingerprint does not contain the required attributes.
v The historical data is not available for a matcher to make a match or mismatch
decision.
Risk-based access provides ready-to-use attribute matchers that compare composite
attributes or analyze a range of attribute values. You can configure one or more of
the attribute matchers that are described in the following sections.
Configuring the location matcher:
The location matcher checks whether the location of a device is within a specific
distance from the previous known locations of the device. Configure the location
matcher properties to specify the accuracy range and how to compare the location
information.
38
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
About this task
Procedure
1. Add the longitude, latitude, and accuracy attributes to the fingerprint
configuration and specify a numeric value for the weights that you require. Use
the following syntax for the manageRbaRiskProfile command:
$AdminTask manageRbaRiskProfile {-operation create -attributeId unique_ID
-weight weight}
Limitation: The retrieval of location attributes depends on the web browser
and the settings that the user specifies in the web browser. The web browser
must support the Geolocation API. Also, in some web browsers, an error might
occur if a user tries to access a protected resource from a device with a wired
internet connection.
Note: The location-based analysis processes all three location attributes
(longitude, latitude, and accuracy) collectively when it determines the match
for the location. Though weights are assigned to all three attributes, the weight
for only the longitude attribute is considered. The weights assigned to the
supporting latitude and accuracy attributes are ignored.
2. Configure the following risk-based access properties for the location matcher:
location.comparison
Indicates how you want the attribute matcher to calculate the accuracy
range of the location coordinates.
Set the property to one of the following values:
v Specify the value as closest to calculate the distance between the
closest points on the accuracy range of two locations. This calculation
is the most restrictive calculation.
v Specify the value as midpoint to calculate the distance between the
midpoints of the circles without considering accuracy.
v Specify the value as farthest to calculate the distance between the
farthest points on the accuracy ranges of the two locations. This
calculation is the least restrictive calculation.
The following figure illustrates the closest points, midpoints, and
farthest points of the accuracy ranges of two locations. In this figure,
the circle represents the accuracy range and the center of the circle
represents the location.
Chapter 5. Administering
39
Figure 3. The closest points, midpoints, and farthest points on the accuracy ranges of two locations
location.allowable.distance
The maximum distance between the new location and the historic
locations. The unit of the numeric value is kilometers.
The default value is 40.
Use the following syntax for the manageRbaConfiguration command to
configure these properties:
$AdminTask manageRbaConfiguration {-operation create -propertyName property_name
-propertyValue property_value}
Example
The following example shows how to configure the risk-based access properties for
the location matcher:
$AdminTask manageRbaConfiguration {-operation create
-propertyName location.comparison -propertyValue midpoint}
$AdminTask manageRbaConfiguration {-operation create
-propertyName location.allowable.distance -propertyValue 100}
Configuring the IP address matcher:
Configure properties that specify IP address lists so that you can use IP addresses
as attribute matchers to calculate the risk score.
About this task
The IP address matcher compares the IP address of a request with a white list
(inclusion list) or black list (exclusion list) of IP addresses or with the historical IP
addresses of the device.
40
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
Procedure
1. Add the ipaddress attribute to the fingerprint configuration and specify a
numeric value for the weight that you require. Use the following syntax for the
manageRbaRiskProfile command:
$AdminTask manageRbaRiskProfile {-operation create -attributeId unique_ID
-weight weight}
2. Configure the following risk-based access properties for the IP address matcher:
ip.whitelist
A list of comma-separated IP addresses or subnets that you want to
permit. Include X.X.X.X as a value for -propertyValue to compare the
incoming IP address with the IP address with which the device is
registered.
ip.whitelist.netmask
A list of comma-separated netmasks for the IP addresses that you listed
in the ip.whitelist property. Specify the list of netmasks in the same
order that you specified the list of IP addresses. The total number of
netmasks must correspond exactly to the total number of IP addresses.
ip.blacklist
A list of comma-separated IP addresses that you want do not want to
permit.
ip.blacklist.netmask
A list of comma-separated netmasks for the IP addresses that you listed
in the ip.blacklist property. Specify the list of netmasks in the same
order that you specified the list of IP addresses. The total number of
netmasks must correspond exactly to the total number of IP addresses.
Use the following syntax for the manageRbaConfiguration command to
configure these properties:
$AdminTask manageRbaConfiguration {-operation create -propertyName property_name
-propertyValue property_value}
Example
Use these examples to configure the risk-based access properties for the IP address
matcher.
The following configuration permits requests that are made from any IP address in
the 9.0.0.0 subnet, except for IP addresses that begin with 9.5:
$AdminTask manageRbaConfiguration {-operation create
-propertyName ip.whitelist -propertyValue 9.0.0.0}
$AdminTask manageRbaConfiguration {-operation create
-propertyName ip.whitelist.netmask -propertyValue 255.0.0.0}
$AdminTask manageRbaConfiguration {-operation create
-propertyName ip.blacklist -propertyValue 9.5.0.0}
$AdminTask manageRbaConfiguration {-operation create
-propertyName ip.blacklist.netmask -propertyValue 255.255.0.0}
To compare the incoming IP address with previous IP addresses of the device, add
an address with X for the numbers in the ip.whitelist and ip.whitelist.netmask
values.
The following configuration permits requests that are made from the 9.0.0.0 subnet,
except for requests from the 9.5.0.0 subnet. The configuration also permits requests
from IP addresses whose first three numbers are the same as the historical device
fingerprints.
Chapter 5. Administering
41
$AdminTask manageRbaConfiguration {-operation
-propertyName ip.whitelist
-propertyValue 9.0.0.0, X.X.X.X}
$AdminTask manageRbaConfiguration {-operation
-propertyName ip.whitelist.netmask
-propertyValue 255.0.0.0, 255.255.255.0}
$AdminTask manageRbaConfiguration {-operation
-propertyName ip.blacklist
-propertyValue 9.5.0.0}
$AdminTask manageRbaConfiguration {-operation
-propertyName ip.blacklist.netmask
-propertyValue 255.255.0.0}
create
create
create
create
Configuring the login time matcher:
Use the login time matcher to compare and analyze historical login time data of
the user with the current login time of the user. You can use the data as input for
risk score calculation.
About this task
The login time matcher primarily detects the logins per session that is based on the
attribute called accessTime.
The first of the several access times that are captured within the session is
considered the login time of the user. The result of the analysis determines the
probability of a fraudulent user.
Procedure
1. Configure the following attributes as behavior attributes and specify their
weights by using the manageRbaRiskProfile command:
v accessTime attribute with the weight that you require.
v urn:oasis:names:tc:xacml:1.0:resource:resource-id attribute with 0 as its
weight.
v cookie:ac.uuid attribute with 0 as its weight.
For example:
$AdminTask manageRbaRiskProfile {-operation create
-attributeId accessTime -weight weight –behavior true}
$AdminTask manageRbaRiskProfile {-operation create
-attributeId urn:oasis:names:tc:xacml:1.0:resource:resource-id
-weight 0 –behavior true}
$AdminTask manageRbaRiskProfile {-operation create
-attributeId cookie:ac.uuid -weight 0 –behavior true}
Note: The cookie:ac.uuid property enables the login time matcher to be aware
of session boundaries for the access times that are captured. If you specified a
value other than ac.uuid for the ac.uuid configuration property, then you must
use that value as the attribute name instead of cookie:ac.uuid. For example, if
you set ac.uuid to ac_cookie_name, then run the following command:
$AdminTask manageRbaRiskProfile {-operation create
-attributeId cookie:ac_cookie_name -weight 0 –behavior true}
2. Configure the login probability value:
$AdminTask manageRbaConfiguration {-operation create
-propertyName login.time.probability.threshold
-propertyValue property_value}
42
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
Where property_value specifies the login probability as a numeric value from 0
to 1. The default value is .3.
This value indicates how probable it is for a user to log in within an hour of
the previous login times. With a lower value, the odds of the matcher returning
true are higher, and the risk score is lower. With a higher value, the odds of the
matcher returning true are lower, and risk score is higher. For example, if you
set a value of .5, the matcher almost always returns false.
3. Configure the number of times a user must log in before the matcher provides
a result:
$AdminTask manageRbaConfiguration {-operation create
-propertyName min.usage.history.required
-propertyValue property_value}
Where property_value specifies the number of times the same user must login
before the matcher provides input for risk score calculation. The default value
is 8. The default value means the login time analysis collects data for eight
login times by the same user before it provides input for risk score calculation.
Until this value is met, the login time matcher returns an INDETERMINATE result,
and its weight is considered as zero.
4. Load the login time matcher changes:
$AdminTask manageRbaConfiguration {-operation reload}
Implementing custom attribute matchers:
Create custom JavaScript to specify attributes and processing instructions that the
JavaScriptMatcher must follow instead of the default attribute matcher processing.
The results are included in the risk score calculation.
Before you begin
Custom matching works only with attributes that are stored as session attributes.
For example, to include a device attribute, you must first store it as a session
attribute. See “Attribute storage” on page 37.
About this task
You can use multiple JavaScript files for custom matchers. However, do not use
multiple scripts to process the same attribute.
An example script is provided for assistance.
You can reference the following parameters in the custom file:
IFingerprint source
The existing device fingerprint from the database. Use with device attributes.
IFingerprint target
The device fingerprint from the current login session. Use with session
attributes.
IUsageData[] history
An array that contains all of the historical attributes that are stored in the
database for the user. Use with behavior attributes.
String attributeName
The name of the attribute to match.
Chapter 5. Administering
43
boolean processed
Indicates whether the JavaScript processed the current attribute. Set processed
to true in the custom script.
string matched
The result that is returned by the matcher. Valid values are MATCHED,
MISMATCHED, and INDETERMINATE.
Procedure
1. Create a JavaScript file to identify the attributes and processing actions that you
want to complete according to your instructions. Follow these guidelines when
you write the JavaScript file:
a. Import the following packages:
v Packages.com.tivoli.am.rba.fingerprinting
v Packages.com.tivoli.am.rba.extensions
b. Identify the name of the attribute by including the following code:
if(attributeName.equals("attribute_name"))
where attribute_name is the attribute that you want to create a custom match
specification.
c. Identify the value of each attribute by including one of the following lines
of code:
For session attributes:
if(target.getValue(attributeName).equals("attribute_value"))
For device attributes:
if(source.getValue(attributeName).equals("attribute_value"))
For behavior attributes:
if(history[0].getValue(attributeName).equals("attribute_value"))
where 0 is any index in the array of IUsageData objects.
d. Set each attribute to processed = true to ensure the JavaScriptMatcher uses
your specifications instead of the default processing.
e. Set the matched property to indicate your attribute match preference. Valid
values are MATCHED, MISMATCHED, and INDETERMINATE.
2. Save the JavaScript file in the following directory:
WAS_PROFILE_HOME/config/itfim/rba/javascript/matchers/
3. Run the following command to enter the attributes that are identified in the
custom JavaScript file into the javascript.attributes runtime property:
$AdminTask manageRbaConfiguration {-operation create -propertyName javascript.attributes
-propertyValue attribute_name,attribute_name}
where attribute_name is the name of the attribute.
Note: Separate multiple attributes by comma. For example, if you want to
check language and color, enter the following commands:
$AdminTask manageRbaConfiguration {-operation create
-propertyName javascript.attributes -propertyValue language,color}
This step ensures that the processor uses the custom instructions for identified
attributes instead of the default processing.
4. Load the property changes:
$AdminTask manageRbaConfiguration {-operation reload}
44
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
Results
Attributes that are identified in the custom file and set to processed = true are
now processed according to your specifications.
After a JavaScript file successfully processes a specified attribute and returns a
result, the remaining JavaScript files are not evaluated for that attribute. Because
the processing sequence of the files is not defined, you might not be able to
identify the JavaScript that processed the attribute.
Example
A sample JavaScript file is in the following directory:
/WAS_PROFILE_HOME/config/itfim/rba/javascript/matchers/language.js
This code checks if your language is United States English. If it is, a value of
"MATCHED" is returned. If it is not, a value of "MISMATCHED" is returned.
importPackage(Packages.com.tivoli.am.rba.fingerprinting);
importPackage(Packages.com.tivoli.am.rba.extensions);
if(attributeName.equals("language")) {
processed = true;
if(target.getValue(attributeName).equals("en-US")) {
matched = "MATCHED";
}
else {
matched = "MISMATCHED";
}
}
Configuring the hash algorithm for attribute storage
Hashing encodes a character string as a fixed-length bit string for comparison.
Risk-based access hashes certain attributes by default. You can change the hash
algorithm and specify additional attributes that you want to hash.
About this task
By default, when attributes are stored in the risk-based access database, the
attributes that exceed the maximum length according to the schema are hashed.
You can also specify any other attribute that you require to be hashed. For
example, you might want to hash values that are considered confidential or
private.
The default hash algorithm that risk-based access uses for storing these attributes
is SHA256. You can specify any other hash algorithm that Java Security supports.
Procedure
1. Use the manageRbaConfiguration command to specify the name of the hash
algorithm that you want to use.
For example:
$AdminTask manageRbaConfiguration {-operation create
-propertyName attributes.hash.algorithm
-propertyValue SHA256}
2. Specify the additional attributes for which you want to enable hashing. Use the
manageRbaConfiguration command to specify a comma-separated list of
attributes.
For example:
Chapter 5. Administering
45
$AdminTask {manageRbaConfiguration -operation create
-propertyName attributes.hash.enabled
-propertyValue header:user-agent,fonts,plugins}
Policy management
Use the authorization policy generation language to author policy rules. You can
create and configure an authorization policy based on these rules for risk-based
access.
Note: If you are an existing user of IBM Tivoli Security Policy Manager, you can
continue to use it as the policy administration point to manage risk-based access
policies. You can either create a risk-based access policy with IBM Tivoli Security
Policy Manager or import the existing risk-based access policies.
Authorization policy generation language
The authorization policy generation language is a simplified format that helps you
specify the policy rules in a script. You can use this script to create and configure
an authorization policy for risk-based access.
Use any text editor to create the script. The script consists of the following main
parts:
v “Policy”
v “Rule”
v “Variables” on page 47
v “Logic” on page 47
See “Sample script for risk-based access policy rules” on page 48.
Policy
Every authorization policy has an outermost Policy block where you must specify
the properties and rules of the policy. Use the Policy block in the authorization
policy generation language to create a policy set in the policy file that contains one
or more policies.
Specify the following properties in the Policy block:
Name The name of the policy.
In an IBM Tivoli Access Manager for e-business environment that uses
WebSEAL, the policy name must match the server name specified in the
WebSEAL configuration file. For example, localhost-default.
Rule
Define the policy rules in the Rule block, which is in the Policy block. The Rule
block must contain the following properties:
Name The name of the rule.
Target The subject, action, and resource for the scope of the rule.
Subject
The users, groups, or roles to which the rule applies.
To specify that the rule applies to anyone who tries to log in, use
the value any.
46
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
To specify users, groups, or roles, use the following
comma-separated list format:
Subject = {user: username1, username2, . . .
group: groupname1, groupname2, . . .
role: rolename1, rolename2, . . .
}
The subject block must contain at least one user, group, or role.
Action
The actions that are permitted for the resources to which the rule
applies.
Specify the value as any, a specific action, or a comma-separated
list of actions.
Resource
One or more resources to which the rule applies.
Specify the value as any, a specific resource, or a comma-separated
list of multiple resources.
Variables
Variables are defined just before the logic of the rules.
Use the following syntax for defining a variable:
resource|action|subject|environment integer|double|date|time variable_name
A variable has three parts:
v The part of the request from where the variable comes. Valid values are
resource, action, subject, and environment.
v The data type of the variable. Valid values are integer, double, date, and time.
v The name of the variable. Valid values are alphanumeric characters and
underscore. The variable name must begin with an alphabet or an underscore.
For example, action integer Risk declares an integer named Risk found in the
action part of the request.
Logic
After you define the name, target, and variables, you must define the logic for the
rules as a series of if-else statements.
Each if and else statement corresponds to a separate rule.
The following table lists the logical operators that you can use in the authorization
policy generation language.
Table 5. List of logical operators
Logical operators
Symbol
And
&
Or
|
Comparison operators
Symbol
Greater than
>
Lesser than
<
Chapter 5. Administering
47
Table 5. List of logical operators (continued)
Logical operators
Symbol
Greater than or equal to
>=
Lesser than or equal to
<=
Equal to
==
Not equal to
!=
When you compare two values, ensure that they are of the same data type,
otherwise an error occurs.
The results of the if-else statements can be one of the following decisions:
permit
The request must be permitted to pass.
deny
The request must be denied and not permitted to pass.
permit-with-obligation
The user is required to do something before the request is permitted to
pass.
In the obligation block, declare a name that is a Uniform Resource Locator
(URL) or Uniform Resource Name (URN). The URL or URN must specify
what must be done for the request to be permitted.
Optional: You can also define a series of attributes. Each attribute must
have a name, type, and value, which are returned with the obligation. The
name and type must be a URL or URN.
The following example shows the format of an obligation declaration:
permit obligation {
name=urn:oasis:names:tc:xacml:example:obligation:email
attribute {
name=xyz
type=http://www.w3.org/2001/XMLSchema#string
value=qwerty
}
}
After you write the script with policy rules, you can use the script to create a
risk-based access policy.
Sample script for risk-based access policy rules
Write a script in the authorization policy generation language and use the script to
generate a risk-based access policy. The ready-to-use sample script defines the basic
rules that are required for an end-to-end functioning policy.
The sample script has the following policy rules:
v If there are no devices registered for the user and the authentication level is 3,
for example, when a user logs in for the first time:
– Register the device silently.
– Permit the user to access the resource after successfully responding to a
secondary challenge.
v If there are one or more registered devices for the user and the authentication
level is 3, permit access to the resource.
v If the risk score is equal to or lesser than 40, permit access to the resource.
48
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
v If the risk score is greater than 40, permit access to the resource after the user
responds successfully to the secondary challenge.
Policy {
name = localhost-default
Rule {
name = RBADemoApplicationPolicyRule1
Target {
subject = any
action = any
resource = any
}
resource integer http://security.ibm.com/attributes/resource/riskScore
subject integer http://security.ibm.com/attributes/subject/registeredDeviceCount
subject string AUTHENTICATION_LEVEL
if http://security.ibm.com/attributes/subject/registeredDeviceCount == 0 & AUTHENTICATION_LEVEL == "3"
permit obligation {
name=http://security.ibm.com/obligations/registerDevice
}
if http://security.ibm.com/attributes/subject/registeredDeviceCount >= 1 & AUTHENTICATION_LEVEL == "3"
permit
if http://security.ibm.com/attributes/resource/riskScore <= 40 & AUTHENTICATION_LEVEL == "1"
permit
if http://security.ibm.com/attributes/resource/riskScore > 40 & AUTHENTICATION_LEVEL == "1"
permit obligation {
name=otp
}
}
}
For more information about the script elements, see “Authorization policy
generation language” on page 46. Use the policy rule script to create a risk-based
access policy.
Creating a risk-based access policy
After you write a script that specifies the policy rules, you must create and
configure the authorization policy for risk-based access.
Procedure
1. Use the manageRbaConfiguration command to configure the runtime security
service. Run the following commands to create properties and replace the
sample values in italics with the values that you require.
$AdminTask manageRbaConfiguration {-operation create
-propertyName rtss.admin.basic.authn.pwd
-propertyValue passw0rd}
$AdminTask manageRbaConfiguration {-operation create
-propertyName rtss.admin.basic.authn.username
-propertyValue wasadmin}
$AdminTask manageRbaConfiguration {-operation create
-propertyName rtss.admin.port
-propertyValue 9080}
$AdminTask manageRbaConfiguration {-operation create
-propertyName rtss.admin.ws.host
-propertyValue localhost}
2. Use the policy generation language to create a script that specifies the policy
rules. For more information, see “Authorization policy generation language” on
page 46.
3. Use the manageRbaPolicy command to create the policy. Specify the path and
file name of the script file as the value of the policyFile parameter.
For example:
$AdminTask manageRbaPolicy {-operation create -policyFile /tmp/rbapolicy}
Note: You cannot use the manageRbaPolicy command to manage risk-based
access policies, if the runtime security service is configured with IBM Tivoli
Security Policy Manager as the policy administration point. For more
information, see “Policy management with IBM Tivoli Security Policy Manager”
on page 50.
Chapter 5. Administering
49
Results
The output is an authorization policy file that is based on the rules that you
specified in the script. Risk-based access is now configured to use the authorization
policy file.
What to do next
Enable logs and traces for risk-based access.
Policy management with IBM Tivoli Security Policy Manager
If the runtime security service is configured with IBM Tivoli Security Policy
Manager, you can use it as the policy administration point (PAP) to manage
risk-based access policies.
You must first configure IBM Tivoli Security Policy Manager for risk-based access
policy management.
You can then author a risk-based access policy with IBM Tivoli Security Policy
Manager or import existing risk-based access policies.
Note: You cannot use the manageRbaPolicy command to manage risk-based access
policies if the runtime security service is configured with IBM Tivoli Security
Policy Manager as the policy administration point.
For detailed information about creating and managing policies with IBM Tivoli
Security Policy Manager, see:
v The IBM Tivoli Security Policy Manager Version 7.1 Information Center at
http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.tspm.doc_7.1/
welcome.html
v The IBM Tivoli Security Policy Manager wiki at https://www.ibm.com/
developerworks/wikis/display/tivolisecuritypolicymanager/Home
Enabling risk-based access in IBM Tivoli Security Policy
Manager
Before you create and manage policies, you must configure the risk-based access
policy information points (PIPs) and create the required services, obligations, and
rule parameters.
Before you begin
Install and deploy risk-based access.
Note: When you deploy risk-based access, the deploy operation detects that the
runtime security service is configured with IBM Tivoli Security Policy Manager.
The existing instance of the runtime security service is not overwritten. The
runtime security services of IBM Tivoli Federated Identity Manager and the
runtime security services of IBM Tivoli Security Policy Manager must share the
same WebSphere Application Server profile for risk-based access.
Procedure
1. Ensure that the runtime security services server is registered as a policy
distribution target (PDT). For detailed steps, see the Configuration Guide in the
IBM Tivoli Security Policy Manager Version 7.1 Information Center at
50
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/topic/
com.ibm.tspm.doc_7.1/welcome.html. Search for registering the runtime security
services server.
2. Enable the risk-based access PIPs in IBM Tivoli Security Policy Manager.
a. Stop the WebSphere Application Server instance where IBM Tivoli Security
Policy Manager is installed.
b. To configure the PIPs, modify the security-services.xmi file in the
WAS_profiles_dir/config/cells/cell_name/rtss directory. Add the
following information in the <subComponents
name="AttributeRetrievalServices"> section:
<subComponents name="AttributeRetrievalServices">
<items name="RBA AttributeSession PIP">
<properties>
<values name="return.section" value="Resource" type="java.lang.String"/>
<values name="type" value="custom" type="java.lang.String"/>
<values name="id" value="com.tivoli.am.rba.pip.AttributeSessionPIP"
type="java.lang.String"/>
<values name="enabled" value="true" type="java.lang.String"/>
</properties>
</items>
<items name="RBA RiskCalculator PIP">
<properties>
<values name="return.section" value="Resource" type="java.lang.String"/>
<values name="return.attributeId" value="risk.score" type="java.lang.String"/>
<values name="type" value="custom" type="java.lang.String"/>
<values name="id" value="com.tivoli.am.rba.pip.RiskCalculatorPIP"
type="java.lang.String"/>
<values name="enabled" value="true" type="java.lang.String"/>
</properties>
</items>
<items name="USER FINGERPRINT COUNT PIP">
<properties>
<values name="return.section" value="Resource" type="java.lang.String"/>
<values name="type" value="custom" type="java.lang.String"/>
<values name="id" value="com.tivoli.am.rba.pip.UserFingerprintsCountPIP"
type="java.lang.String"/>
<values name="enabled" value="true" type="java.lang.String"/>
</properties>
</items>
</subComponents>
For information about the precautions that you must take before editing the
security-services.xmi file, see the Configuration Guide in the IBM Tivoli
Security Policy Manager Version 7.1 Information Center at
http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/topic/
com.ibm.tspm.doc_7.1/welcome.html. Search for the security-services.xmi file.
c. Save a copy of this updated security-services.xmi file for your reference.
d. Restart IBM Tivoli Security Policy Manager or restart WebSphere
Application Server.
e. Check the security-services.xmi file to ensure that the changes you made
still exist. Also check the WebSphere Application Server server log files to
verify that the PIP plug-in JAR file is loaded successfully.
3. Add the rule parameters that are required for risk-based access policy
attributes.
The following predefined rule parameters that are specific to risk-based access
policies are provided with IBM Tivoli Security Policy Manager, Version 7.1 with
fix pack 4 or later:
IBM Security risk score
The risk score that is computed by the risk-based access
RiskCalculatorPIP. This policy information point (PIP) computes the
risk associated with an incoming request.
IBM Security registered device count
The device count that is computed by the risk-based access
Chapter 5. Administering
51
UserFingerprintCountPIP. This PIP computes the count of devices that
are registered for a specific user ID in the risk-based access database.
a. To enable the predefined rule parameters, copy the required Java archive
(JAR) file from the following location:
TSPM_install_dir/rba/com.ibm.tspm.osgi.policy.rba.attributes_7.1.0.jar
Copy the JAR file to the following WebSphere Application Server directory
where IBM Tivoli Security Policy Manager is installed:
WAS_profiles_dir/config/tspm/eclipse/plugins
b. IBM Security risk score and IBM Security registered device count are
now available in the Rule parameter list in the IBM Tivoli Security Policy
Manager console.
c. Add any custom rule parameters that you might require for the risk-based
access policy rules. For example: TRANSACTION_AMOUNT. See the Administration
Guide in the IBM Tivoli Security Policy Manager Version 7.1 Information
Center at http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/topic/
com.ibm.tspm.doc_7.1/welcome.html. Search for adding a rule parameter and
follow the steps to create custom rule parameters for risk-based access.
4. Create a service for risk-based access. See the Administration Guide in the IBM
Tivoli Security Policy Manager Version 7.1 Information Center at
http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/topic/
com.ibm.tspm.doc_7.1/welcome.html. Search for creating a new service and
complete the steps to create a service for risk-based access. The following
details are specific to risk-based access:
a. On the Name and Description page, enter the WebSEAL server name in the
Application name and Application ID fields. For example:
localhost-default.
b. On the Specify Actions page, select No actions defined (define below).
c. On the Service Structure page, in the Element ID field, enter the resource
that must be protected by risk-based access, for example, the WebSEAL
junction name, /FIM.
5. Add the required obligations.
a. On the IBM Tivoli Security Policy Manager console, click Identity and
Access > Obligations.
b. On the Obligations page, click Add.
c. Specify the name, identifier, and description of the obligation. For example:
Name: Device Registration
Identifier: http://security.ibm.com/obligations/registerDevice
Description: Register device
What to do next
You can either migrate existing risk-based access policies or author risk-based
access policies in the IBM Tivoli Security Policy Manager console.
Migrating policies to IBM Tivoli Security Policy Manager
If the runtime security service is configured with IBM Tivoli Security Policy
Manager, you can use it as the policy administration point to manage risk-based
access policies. You can export the policies from the risk-based access runtime
security services, import them into IBM Tivoli Security Policy Manager.
52
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
Before you begin
v Install and deploy risk-based access.
v Enable risk-based access in IBM Tivoli Security Policy Manager.
Procedure
1. To export all of the policies in the risk-based access runtime security service,
run the following command:
$AdminTask manageRbaPolicy {-operation export -fileId file_path}
where the variable file_path represents the path and file name of the Java
archive (JAR) file, for example /tmp/policy.jar.
The policies are exported in XML format to a JAR file.
2. Extract the individual policies from the JAR file.
3. Import the individual policies into IBM Tivoli Security Policy Manager. See the
Administration Guide in the IBM Tivoli Security Policy Manager Version 7.1
Information Center at http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/topic/
com.ibm.tspm.doc_7.1/welcome.html. Search for importing an authorization policy
and follow the steps to import the XML policy files.
4. Attach the imported policies to a service. See the Administration Guide in the
IBM Tivoli Security Policy Manager Version 7.1 Information Center at
http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/topic/
com.ibm.tspm.doc_7.1/welcome.html. Search for attaching a service to an existing
policy. The following steps describe how you can attach multiple policies to a
service:
a. In the IBM Tivoli Security Policy Manager console, click Identity and
Access > Services.
b. On the Services page, click the service that you created for risk-based
access. For example: localhost-default.
c. Under Policies, add the risk-based access policies that you imported.
5. Deploy the risk-based access polices. See the Administration Guide in the IBM
Tivoli Security Policy Manager Version 7.1 Information Center at
http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/topic/
com.ibm.tspm.doc_7.1/welcome.html. Search for deploying authorization policies
and follow the tasks to configure and distribute authorization policies.
6. Use IBM Tivoli Security Policy Manager to manage the risk-based access
policies. For more information, see the Administration Guide in the IBM Tivoli
Security Policy Manager Version 7.1 Information Center at
http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/topic/
com.ibm.tspm.doc_7.1/welcome.html. Search for managing authorization policies.
What to do next
You can also create risk-based access policies with IBM Tivoli Security Policy
Manager.
Creating risk-based access policies with IBM Tivoli Security
Policy Manager
If the runtime security service is configured with IBM Tivoli Security Policy
Manager, you can use it to author and manage risk-based access policies.
Chapter 5. Administering
53
Before you begin
v Install and deploy risk-based access.
v Enable risk-based access in IBM Tivoli Security Policy Manager.
About this task
Note: You cannot use the manageRbaPolicy command to create risk-based access
policies if the runtime security service is configured with IBM Tivoli Security
Policy Manager as the policy administration point.
Procedure
1. Create an authorization policy. See the Administration Guide in the IBM Tivoli
Security Policy Manager Version 7.1 Information Center at
http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/topic/
com.ibm.tspm.doc_7.1/welcome.html. Search for creating a rule authorization
policy and complete the steps to create a policy for risk-based access. The
following details are specific to risk-based access:
a. In the Name field, enter the name of the risk-based access policy. You must
prefix the policy name with the string RPS:. For example:
RPS:RBA_OneTimePassword.
b. Under Policy Definition, in the Services section, specify the service that you
created for risk-based access. For example: localhost-default.
c. Define the Rules by using predefined rule parameters or custom rule
parameters that you created for risk-based access. For example:
If
IBM Security risk score > 40
and
IBM Security registered device count <= 70
and
AUTHENTICATION_LEVEL=1
Then Permit access
Note: You can use the following predefined rule parameters that are
specific to risk-based access policies. These parameters are provided with
IBM Tivoli Security Policy Manager, Version 7.1 with fix pack 4 or later:
IBM Security risk score
The risk score that is computed by the risk-based access
RiskCalculatorPIP. This policy information point (PIP) computes
the risk associated with an incoming request.
IBM Security registered device count
The device count that is computed by the risk-based access
UserFingerprintCountPIP. This PIP computes the count of devices
that are registered for a specific user ID in the risk-based access
database.
Restriction: The != (not equal to) operator is not supported in the IBM
Tivoli Security Policy Manager console.
d. Specify the Obligations. For example: Return “Device Registration” on
permit.
2. Deploy the risk-based access polices. See the Administration Guide in the IBM
Tivoli Security Policy Manager Version 7.1 Information Center at
http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/topic/
com.ibm.tspm.doc_7.1/welcome.html. Search for deploying authorization policies
and follow the tasks to configure and distribute authorization policies.
3. Use IBM Tivoli Security Policy Manager to manage the risk-based access
policies. For more information, see the Administration Guide in the IBM Tivoli
54
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
Security Policy Manager Version 7.1 Information Center at
http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/topic/
com.ibm.tspm.doc_7.1/welcome.html. Search for managing authorization policies.
Device registration
Device registration is the process that stores the device fingerprint of the user in
the risk-based access database. The device fingerprint contains information
required for risk score calculation.
The rules that you specify in the risk-based access policy determine whether a
device is registered silently or only after the user consents to the registration. Use
one of the end-to-end sample policies to specify the basic rules for either silent or
consent-based registration.
You can also configure the maximum number of devices that can be registered for
a user.
Silent device registration
Silent device registration is the process of registering the device after the user
responds successfully to a secondary challenge. Silent registration does not require
any further interaction or consent from the user. The risk-based access policy that
you configure determines whether a device must be registered silently.
You can use the “Sample script for risk-based access policy rules” on page 48 to
configure a policy that silently registers the device of the user. The ready-to-use
script defines the basic rules that are required for an end-to-end functioning policy.
Consent-based device registration
Consent-based device registration is the process of registering the device
fingerprint only after the user consents to the device registration. Use the sample
rules to configure a policy that allows the user to specify whether to add the
device to the list of registered devices.
A typical scenario that would require consent-based device registration is when a
user attempts to access a protected resource from a public access environment. For
example, a user might log in from an internet café or airport kiosk. After the user
logs in and successfully responds to the secondary challenge, a consent form is
presented. The consent form can be an HTML page where users can specify that
they consent to the device registration.
v If the user consents to the registration of the device, the device is registered and
access is permitted. The next time that the user logs in from the same device, the
consent form is not presented because the device is already registered.
v If the user does not consent to the registration of the device, the device is not
registered and the access is permitted. If the user logs in from the same device
again, the secondary challenge and the consent form are presented again. The
process is repeated because the risk score is high when a user logs in from a
device that is not registered.
Configuring consent-based device registration
Configure the required attributes and properties so that you can prompt a user for
consent to register a device.
Chapter 5. Administering
55
Before you begin
Update the WebSEAL configuration file:
1. Append the [obligations-levels-mapping] stanza. Specify the mapping
between obligation levels that the PDP returns and the authentication levels in
WebSEAL. For example, append:
[obligations-levels-mapping]
otp=3
consent=4
2. Enter a new trigger URL in the [eai-trigger-urls] stanza for the consent
form. Use the same URL as the one used for step 12 on page 57. For example,
enter:
trigger = /FIM/sps/ac/html/consent-form.html*
3. Update the [authentication-levels] stanza to specify that the consent
authentication level must use EAI. The examples in this procedure show an
authentication level of 4. For example, to specify an EAI authentication level of
4, enter the following text:
level
level
level
level
level
=
=
=
=
=
unauthenticated
password
ext-auth-interface
ext-auth-interface
ext-auth-interface
See the WebSEAL Administration Guide in the IBM Tivoli Access Manager for
e-business information center for more information.
Procedure
1. Enable consent-based registration by adding http://security.ibm.com/
attributes/environment/userConsent as a session attribute:
$AdminTask manageRbaRiskProfile {-operation create
-attributeId http://security.ibm.com/attributes/environment/userConsent
-weight 0 -session true -device false}
2. Configure the property for the external authentication interface (EAI) header
for the authentication level. The property value must match the value that is
set for eai-auth-level-header in the [eai] stanza of the WebSEAL
configuration file.
$AdminTask manageRbaConfiguration {-operation create
-propertyName eai.header.auth.level -propertyValue am-eai-auth-level}
3. Configure the property for the EAI header for the user ID. The property value
must match the value that is set for eai-user-id-header in the [eai] stanza of
the WebSEAL configuration file.
$AdminTask manageRbaConfiguration {-operation create
-propertyName eai.header.user.id -propertyValue am-fim-eai-user-id}
4. Optional: Create a device.name attribute so that the user can choose any
device name to represent their device during consent-based device
registration.
$AdminTask manageRbaRiskProfile {-operation create
-attributeId device.name -weight 0 -session true -device true}
5. Load the changes:
$AdminTask manageRbaConfiguration {-operation reload}
6. Create a policy that contains consent-based registration rules. The following
sample policy shows rules for consent-based registration. This example calls
an extra external authentication interface, such as a consent form, if the device
is not registered in the risk-based access database.
56
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
Policy {
name = localhost-default
Rule {
name = RBADemoApplicationPolicyRule1
Target {
subject = any
action = any
resource = any
}
resource integer http://security.ibm.com/attributes/resource/riskScore
subject string AUTHENTICATION_LEVEL
environment string http://security.ibm.com/attributes/environment/userConsent
if AUTHENTICATION_LEVEL == "1" & http://security.ibm.com/attributes/resource/riskScore > 40
permit obligation {
name=otp
}
if AUTHENTICATION_LEVEL == "3"
permit obligation {
name=consent
}
if AUTHENTICATION_LEVEL == "4" & http://security.ibm.com/attributes/environment/userConsent ==
"true" & http://security.ibm.com/attributes/resource/riskScore > 40
permit obligation {
name=http://security.ibm.com/obligations/registerDevice
}
if AUTHENTICATION_LEVEL == "4" & http://security.ibm.com/attributes/environment/userConsent == "false"
permit
if http://security.ibm.com/attributes/resource/riskScore < 40
permit
}
7. Save the policy.
8. Make the policy changes active by running one of the following commands:
v For a new policy, run the following command:
$AdminTask manageRbaPolicy {-operation create -policyFile policy_file}
v For an updated policy, run the following command:
$AdminTask manageRbaPolicy {-operation update -policyFile policy_file}
where policy_file is the path and policy file name that was updated or created.
9. Create a protected object policy (POP) to define the authentication level for a
protected resource.
pdadmin> pop create pop_name
10. Modify the authentication level in the POP to restrict access to the resource to
only users with an authentication level of 3:
pdadmin> pop modify pop_name set ipauth anyothernw 3
11. Attach the POP to the protected resource:
pdadmin> pop attach object_name pop_name
where object_name is the name of the protected resource, such as
/WebSEAL/webseal_instance/webseal_junction_name/sps/ac/html/consentform.html.
12. Use the following URL to redirect the user to the ready-to-use consent HTML
form that is provided with risk-based access:
http://myhost.company.com/FIM/sps/ac/html/consent-form.html?eai-auth-level=stepup_level
where:
v myhost.company.com is the host name.
v eai-auth-level matches the property value of eai-auth-level-header in
the [eai] stanza of the WebSEAL configuration file.
v stepup_level is the value that maps to the consent obligation, which is
specified in the WebSEAL configuration file under the [obligationslevels-mapping] stanza.
Results
The user is now prompted to provide consent to register a device.
Chapter 5. Administering
57
If you used the option in step 4 on page 56, the user can register their device by
using a device name of their choice.
Configuring the number of devices registered for a user
To minimize the risk of fraudulent access, a limit must be set on the maximum
number of devices that are registered for a user. By default, a maximum of 10
devices are registered for each user. You can change this number by modifying the
value of the max.no.of.registered.devices configuration property.
Procedure
Use the manageRbaConfiguration command to configure the
max.no.of.registered.devices property. Specify a value that indicates the
maximum number of devices that a user can register. The default value is 10. Valid
values are 1 to 20.
For example:
$AdminTask manageRbaConfiguration {-operation update
-propertyName max.no.of.registered.devices -propertyValue 12}
Results
When a user registers a device, risk-based access counts the number of devices that
are already registered for the user and takes the following actions:
v If the count is equal to or greater than the value of the
max.no.of.registered.devices property, the registration information for the
oldest device is deleted. The new device is then registered.
v If the count is lesser than the value of the max.no.of.registered.devices
property, the new device is registered.
58
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
Chapter 6. Auditing
Risk-based access generates audit records of critical events. The audit records are
written to the audit log file. Use the audit logs to monitor the activities and track
potential security problems that are related to risk-based access.
Audit records are generated for commands that manage the risk-based access
configuration, policies, attributes, and sessions. Audit records are also generated
for critical operations related to risk-based access policy information points (PIPs)
and device registration.
Managing audit log settings
You can use specific configuration properties to enable or disable auditing and to
change the default audit log settings. For example, you can change the settings for
the name, location, and maximum size of the audit log files.
About this task
By default, auditing is enabled for risk-based access. Default settings are specified
for the audit log files. You can use the following configuration properties if you
want to change the default audit settings:
com.tivoli.am.rba.audit.enableAuditing
Enables or disables auditing.
The default value is true.
com.tivoli.am.rba.audit.file.name
Specifies how the audit log files are named.
The default prefix of the log file name is rba_audit_log.
com.tivoli.am.rba.audit.file.location
Specifies the location of the audit log file.
The default location is the rba_audit directory in the WebSphere
Application Server default logs directory.
AIX® or Linux systems
/opt/IBM/WebSphere/AppServer/profiles/profile_name/logs/
rba_audit
Windows systems
C:\Program Files\IBM\WebSphere\AppServer\profiles\
profile_name\logs\rba_audit
The location that you specify for the
com.tivoli.am.rba.audit.file.location property is relative to the default
logs directory for WebSphere Application Server.
For example, on a Windows system, if you specify the value as rba, then
the log files are stored in the C:\Program Files\IBM\WebSphere\AppServer\
profiles\profile_name\logs\rba directory.
com.tivoli.am.rba.audit.file.size
© Copyright IBM Corp. 2012, 2013
59
Specifies the maximum audit file size in megabytes (MB).
The default value is 100000 MB.
com.tivoli.am.rba.audit.number.of.files
Specifies the maximum number of audit files that are created before the
oldest file is overwritten.
The default value is 10.
Procedure
1. Use the manageRbaConfiguration command to configure the risk-based access
properties for auditing.
$AdminTask manageRbaConfiguration {-operation update
[-propertyName property_name]
[-propertyValue property_value]}
Where:
property_name is one of the properties described in About this task.
property_value is the associated value for the property described in About this
task.
2. To configure audit records for runtime security services external authorization
service (EAS) requests, specify the audit-log-cfg entry under the [rtss-eas]
stanza of the default WebSEAL configuration file named websealddefault.conf. For example, you can add the following entry:
audit-log-cfg = file path=/tmp/rtss-audit.log,flush=20,rollover=2000000,
buffer_size=8192,queue_size=48
For more information, see “Sample configuration data for runtime security
services external authorization service” on page 29.
Audit logs
The audit log files are generated in eXtensible Markup Language (XML). The log
files contain elements that record the details of each audit event, such as the user,
time, action, and outcome.
For information about how to locate the audit log files, see the description of the
com.tivoli.am.rba.audit.file.location property in “Managing audit log
settings” on page 59.
The following table lists the audit elements for the audit events of risk-based
access.
Table 6. Audit event elements
Audit event element
Description
userInfoList
The user who triggered the event
creationTime
The date and time when the event was
generated
actionInfo
The event name, which indicates the
operation
For example: POLICY_CREATE_EVENT
outcome
60
The outcome of the operation specified as
SUCCESSFUL or FAILURE
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
Table 6. Audit event elements (continued)
Audit event element
Description
globalInstanceId
The identifier for the audit event
extensionName
The name of the event type
For example, for risk-based access auditing,
the event type is SECURITY_RBA_AUDIT_AUTHZ.
messages
Message details of the event action
The following risk-based access operations are recorded in the example snippet of
the audit log file:
v Attribute search was successful.
v Creation of an attribute failed.
v Risk score was calculated successfully.
v Device was registered successfully.
v Device registration information was deleted successfully.
<CommonBaseEvent creationTime="2012-08-01 04:45:56 CDT" extensionName="SECURITY_RBA_AUDIT_AUTHZ"
globalInstanceId="uuiddc425c98-0138-1039-b7ba-882c9b14694c"
msg="The command manageRbaConfiguration’s operation was succuessful with the given arguments
{operation=search}"
version="1.0.1">
<extendedDataElements name="AUDIT_SCHEMA_VERSION" type="string">
<values>1.1</values>
</extendedDataElements>
<extendedDataElements name="actionInfo" type="noValue">
<children name="urn:oasis:names:tc:xacml:1.0:action:action-id" type="string">
<values>RUNTIME_CONFIGURATION_SEARCH_EVENT</values>
</children>
</extendedDataElements>
<extendedDataElements name="outcome" type="noValue">
<children name="result" type="string">
<values>SUCCESSFUL</values>
</children>
</extendedDataElements>
<extendedDataElements name="userInfoList" type="noValue">
<children name="appUserName" type="string">
<values>defaultWIMFileBasedRealm/wasadmin</values>
</children>
</extendedDataElements>
</CommonBaseEvent>
<CommonBaseEvent creationTime="2012-08-01 04:45:56 CDT" extensionName="SECURITY_RBA_AUDIT_AUTHZ"
globalInstanceId="uuiddc51c52c-0138-1620-b4ab-882c9b14694c"
msg="The command manageRbaConfiguration’s operation was unsuccuessful with the given arguments
{operation=create}" version="1.0.1">
<extendedDataElements name="AUDIT_SCHEMA_VERSION" type="string">
<values>1.1</values>
</extendedDataElements>
<extendedDataElements name="actionInfo" type="noValue">
<children name="urn:oasis:names:tc:xacml:1.0:action:action-id" type="string">
<values>RUNTIME_CONFIGURATION_CREATE_EVENT</values>
</children>
</extendedDataElements>
<extendedDataElements name="outcome" type="noValue">
<children name="result" type="string">
<values>FAILURE</values>
</children>
</extendedDataElements>
<extendedDataElements name="userInfoList" type="noValue">
<children name="appUserName" type="string">
<values>defaultWIMFileBasedRealm/wasadmin</values>
</children>
</extendedDataElements>
</CommonBaseEvent>
<CommonBaseEvent creationTime="2012-08-01 04:45:56 CDT" extensionName="SECURITY_RBA_AUDIT_AUTHZ"
globalInstanceId="uuid93126693-0137-1b69-9a86-ae316fbc293b"
msg="FBTRBA200I Calculated risk percentage: "100"." version="1.0.1">
<extendedDataElements name="AUDIT_SCHEMA_VERSION" type="string">
<values>1.1</values>
</extendedDataElements>
<extendedDataElements name="actionInfo" type="noValue">
<children name="urn:oasis:names:tc:xacml:1.0:action:action-id" type="string">
<values>CALCULATE_RISK_SCORE_EVENT</values>
</children>
</extendedDataElements>
Chapter 6. Auditing
61
<extendedDataElements name="outcome" type="noValue">
<children name="result" type="string">
<values>SUCCESSFUL</values>
</children>
</extendedDataElements>
<extendedDataElements name="userInfoList" type="noValue">
<children name="appUserName" type="string">
<values>cn=SecurityMaster,secAuthority=Default1,dc=ibm,dc=com</values>
</children>
</extendedDataElements>
</CommonBaseEvent>
<CommonBaseEvent creationTime="2012-08-01 04:45:56 CDT" extensionName="SECURITY_RBA_AUDIT_AUTHZ"
globalInstanceId="uuid93126720-0137-1684-923c-ae316fbc293b"
msg="FBTRBA201I A new device registered for user:
"cn=SecurityMaster,secAuthority=Default1,dc=ibm,dc=com"." version="1.0.1">
<extendedDataElements name="AUDIT_SCHEMA_VERSION" type="string">
<values>1.1</values>
</extendedDataElements>
<extendedDataElements name="actionInfo" type="noValue">
<children name="urn:oasis:names:tc:xacml:1.0:action:action-id" type="string">
<values>DEVICE_REGISTRATION_EVENT</values>
</children>
</extendedDataElements>
<extendedDataElements name="outcome" type="noValue">
<children name="result" type="string">
<values>SUCCESSFUL</values>
</children>
</extendedDataElements>
<extendedDataElements name="userInfoList" type="noValue">
<children name="appUserName" type="string">
<values>cn=SecurityMaster,secAuthority=Default1,dc=ibm,dc=com</values>
</children>
</extendedDataElements>
</CommonBaseEvent>
<CommonBaseEvent creationTime="2012-08-01 04:45:56 CDT" extensionName="SECURITY_RBA_AUDIT_AUTHZ"
globalInstanceId="uuid9312b115-0137-1a81-a981-ae316fbc293b"
msg="FBTRBA203I A device deleted for user:
"cn=SecurityMaster,secAuthority=Default1,dc=ibm,dc=com"." version="1.0.1">
<extendedDataElements name="AUDIT_SCHEMA_VERSION" type="string">
<values>1.1</values>
</extendedDataElements>
<extendedDataElements name="actionInfo" type="noValue">
<children name="urn:oasis:names:tc:xacml:1.0:action:action-id" type="string">
<values>DEVICE_DELETION_EVENT</values>
</children>
</extendedDataElements>
<extendedDataElements name="outcome" type="noValue">
<children name="result" type="string">
<values>SUCCESSFUL</values>
</children>
</extendedDataElements>
<extendedDataElements name="userInfoList" type="noValue">
<children name="appUserName" type="string">
<values>cn=SecurityMaster,secAuthority=Default1,dc=ibm,dc=com</values>
</children>
</extendedDataElements>
</CommonBaseEvent>
The following log is an example of an audit record for a runtime security services
external authorization service (EAS) request. One audit record is generated for each
EAS request.
<rtss-event>
<operation>r</operation>
<pdp-decision>Permit</pdp-decision>
<pdp-obligation>otp</pdp-obligation>
<protected-resource>/WebSEAL/localhost-Default2/WAS</protected-resource>
<server-name>localhost-Default2</server-name>
<stepup-level>3</stepup-level>
<tam-policy-decision>AZN_C_PERMITTED</tam-policy-decision>
<timestamp>2012-05-06 13:55:22 GMT</timestamp>
<user>sec_master</user>
<user-agent>Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.1 (KHTML, like Gecko)
Chrome/21.0.1145.0 Safari/537.1</user-agent>
</rtss-event>
62
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
Chapter 7. Reference
Reference information is organized to help you locate particular facts quickly. It
includes information about the commands to manage risk-based access, attributes
for configuring the risk profile, and properties for configuring risk-based access.
Command reference
The risk-based access command-line interface uses the wsadmin command
framework. Use the command syntax and examples to configure and manage
attributes, policies, runtime properties, fingerprints, and devices for risk-based
access.
manageRbaConfiguration command
Use the manageRbaConfiguration command to create and configure risk-based
access properties. The properties specify the configuration for the database,
attribute collection service, runtime security service, attribute matchers, and other
risk-based access components.
Purpose
Use the manageRbaConfiguration command to create, update, delete, or search for
configuration properties. You can also use this command to deploy or undeploy
risk-based access and load or reset configuration settings.
For a list of all risk-based access properties, see “Configuration properties” on page
78.
Note: If you configure a property with a name that ends with assword or pwd, the
value of the property is obfuscated when it is stored in the database.
Syntax
$AdminTask manageRbaConfiguration {-operation operator [-propertyName property_name]
[-propertyValue property_value] [-fileId response_file_path]}
Parameters
Use the following parameters with the manageRbaConfiguration command:
-operation operator
Specifies the operation for risk-based access configuration. This parameter is
required.
The valid values are deploy, undeploy, configure, create, delete, update,
unconfigure, search, reload, and createResponseFile.
© Copyright IBM Corp. 2012, 2013
63
Table 7. Required and optional parameters for operators of the manageRbaConfiguration
command
Operator
Description
Required parameters Optional parameters
deploy
Deploys risk-based
access by installing
the runtime EAR file
and configuration
files on the
application server.
None
None
Undeploys risk-based None
access by removing
the runtime EAR file
and the risk-based
access configuration
files from the
configuration
repository of the
application server.
None
For more
information, see
“Deploying
risk-based access” on
page 14.
Note: If the deploy
operation detects that
the runtime security
service is configured
with IBM Tivoli
Security Policy
Manager, the existing
instance of the
runtime security
service is not
overwritten.
undeploy
Note: If the undeploy
operation detects that
the runtime security
service is configured
with IBM Tivoli
Security Policy
Manager, then the
instance of runtime
security service is not
removed or
undeployed.
64
create
Creates a risk-based
access configuration
property and sets its
value.
-propertyName,
-propertyValue
None
delete
Deletes a risk-based
access configuration
property.
-propertyName
None
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
Table 7. Required and optional parameters for operators of the manageRbaConfiguration
command (continued)
Operator
Description
Required parameters Optional parameters
update
Updates an existing
risk-based access
configuration
property.
-propertyName,
-propertyValue
None
unconfigure
Unconfigures or
resets the risk-based
access configuration
settings.
None
None
search
Searches for a
specified property or
lists all properties
and values.
None
-propertyName
reload
Publishes pages and None
plug-ins and reloads
the Tivoli Federated
Identity Manager
runtime environment.
None
createResponseFile
Creates a response
file template.
-fileId
None
configure
Configures risk-based -fileId
access by using a
response file to run
batch operations for
configuration
properties.
None
-propertyName property_name
The name of the risk-based access configuration property, for example,
dbdatasource.
-propertyValue property_value
The value of the risk-based access configuration property.
-fileId response_file_path
The path of the input or output response file:
v To output an XML response file template for the manageRbaConfiguration
command, use the createResponseFile operator with the fileId parameter.
v To input an XML response file to configure risk-based access, use the
configure operator with the fileId parameter. The specified response file
must contain the information that you would typically specify on the
command line. You can edit the XML response file with a text editor to
specify the values that you require. For more information, see “Response file
example for manageRbaConfiguration command” on page 67.
Note: You can use the fileId parameter only with the operator parameter.
Any other parameters that you specify are ignored.
Examples
The following examples show the correct syntax for various operations of the
manageRbaConfiguration command:
Deploy risk-based access:
Chapter 7. Reference
65
v Using Jacl:
$AdminTask manageRbaConfiguration {-operation deploy}
v Using Jython string:
$AdminTask manageRbaConfiguration(’[-operation deploy]’)
v Using Jython list:
$AdminTask manageRbaConfiguration([’-operation’, ’deploy’])
For more information, see “Deploying risk-based access” on page 14.
Undeploy risk-based access:
v Using Jacl:
$AdminTask manageRbaConfiguration {-operation undeploy}
v Using Jython string:
$AdminTask manageRbaConfiguration(’[-operation undeploy]’)
v Using Jython list:
$AdminTask manageRbaConfiguration([’-operation’, ’undeploy’])
Configure risk-based access:
v Using Jacl:
$AdminTask manageRbaConfiguration {-operation configure -fileId /tmp/resp.xml}
v Using Jython string:
$AdminTask manageRbaConfiguration(’[-operation configure -fileId /tmp/resp.xml]’)
v Using Jython list:
$AdminTask manageRbaConfiguration([’-operation’, ’configure’,
’-fileId’, ’/tmp/resp.xml’])
Unconfigure or reset the risk-based access configuration settings:
v Using Jacl:
$AdminTask manageRbaConfiguration {-operation unconfigure}
v Using Jython string:
$AdminTask manageRbaConfiguration(’[-operation unconfigure]’)
v Using Jython list:
$AdminTask manageRbaConfiguration([’-operation’, ’unconfigure’])
Create a risk-based access configuration property and specify its value:
v Using Jacl:
$AdminTask manageRbaConfiguration {-operation create -propertyName dbdatasource
-propertyValue jdbc/rbadb}
v Using Jython string:
$AdminTask manageRbaConfiguration(’[-operation create -propertyName dbdatasource
-propertyValue jdbc/rbadb]’)
v Using Jython list:
$AdminTask manageRbaConfiguration([’-operation’, ’create’,
’-propertyName’, ’dbdatasource’, ’-propertyValue’, ’jdbc/rbadb’])
Update the value of an existing risk-based access configuration property:
v Using Jacl:
$AdminTask manageRbaConfiguration {-operation update -propertyName dbdatasource
-propertyValue jdbc/rba2db}
v Using Jython string:
$AdminTask manageRbaConfiguration(’[-operation update -propertyName dbdatasource
-propertyValue jdbc/rba2db]’)
v Using Jython list:
$AdminTask manageRbaConfiguration([’-operation’, ’update’,
’-propertyName’, ’dbdatasource’, ’-propertyValue’, ’jdbc/rba2db’])
Delete a risk-based access configuration property and its value:
66
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
v Using Jacl:
$AdminTask manageRbaConfiguration {-operation delete -propertyName dbdatasource}
v Using Jython string:
$AdminTask manageRbaConfiguration(’[-operation delete -propertyName dbdatasource]’)
v Using Jython list:
$AdminTask manageRbaConfiguration([’-operation’, ’delete’,
’-propertyName’, ’dbdatasource’])
Search for a specified property to view the property and its value:
v Using Jacl:
$AdminTask manageRbaConfiguration {-operation search -propertyName dbdatasource}
v Using Jython string:
$AdminTask manageRbaConfiguration(’[-operation search -propertyName dbdatasource]’)
v Using Jython list:
$AdminTask manageRbaConfiguration([’-operation’, ’search’,
’-propertyName’, ’dbdatasource’])
View all risk-based access properties and their values:
v Using Jacl:
$AdminTask manageRbaConfiguration {-operation search}
v Using Jython string:
$AdminTask manageRbaConfiguration(’[-operation search]’)
v Using Jython list:
$AdminTask manageRbaConfiguration([’-operation’, ’search’])
Publish pages and plug-ins and reload the Tivoli Federated Identity Manager
runtime environment:
v Using Jacl:
$AdminTask manageRbaConfiguration {-operation reload}
v Using Jython string:
$AdminTask manageRbaConfiguration(’[-operation reload]’)
v Using Jython list:
$AdminTask manageRbaConfiguration([’-operation’, ’reload’])
Create a response file template for this command:
v Using Jacl:
$AdminTask manageRbaConfiguration {-operation createResponseFile
-fileId /tmp/resp.xml}
v Using Jython string:
$AdminTask manageRbaConfiguration(’[-operation createResponseFile
-fileId /tmp/resp.xml]’)
v Using Jython list:
$AdminTask manageRbaConfiguration([’-operation’, ’createResponseFile’,
’-fileId’, ’/tmp/resp.xml’])
Note: After you use the manageRbaConfiguration command to change
configuration properties, you must run the manageRbaConfiguration command
with the reload option for the changes to take effect.
Response file example for manageRbaConfiguration command
Use a response file to run batch operations for the manageRbaConfiguration
command. The response file contains information that you would normally specify
on the command line. Using a response file helps you automate your configuration
process.
Chapter 7. Reference
67
To create a response file template, use the fileId parameter with the
createResponseFile operator of the manageRbaConfiguration command. Edit the
response file template to specify the values that you require. For more information
about the fileId parameter, see “manageRbaConfiguration command” on page 63.
The following response file example shows how to create a configuration property
for the data source and specify the value of the configuration property:
<?xml version="1.0" encoding="UTF-8"?>
<java version="1.5.0" class="java.beans.XMLDecoder">
<object class="java.util.Properties">
<void method="put">
<string>dbdatasource</string>
<string>jdbc/rbadb</string>
</void>
</object>
</java>
manageRbaDevices command
Use the manageRbaDevices command to manage the registered devices and the
device fingerprints. The device fingerprint consists of the user ID and key-value
pairs of attributes, which are stored in the risk-based access database.
Purpose
Use the manageRbaDevices command to create, search, or delete device registration
information.
Syntax
$AdminTask manageRbaDevices {-operation operator [-userId unique_user_ID]
[-deviceId unique_device_ID] [-attributes attribute_list]}
Parameters
Use the following parameters with the manageRbaDevices command:
-operation operator
Specifies the operation for the attribute. This parameter is required.
The valid values are create, delete, and search.
Table 8. Required and optional parameters for operators of the manageRbaDevices command
68
Operator
Description
Required parameters Optional parameters
create
Creates registration
information for a
device.
-userId, -attributes -delimiter
delete
Deletes the
Either -userId or
-userId, -deviceId
-deviceId is required
registration
information of a
specified device or all
devices of a specified
user
search
Lists all the
registered devices or
searches for the
devices that are
registered for a
specified user.
None
-userId
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
-userId unique_user_ID
An alphanumeric value that is the unique ID of the user.
If you do not specify the user ID for a search operation, all registered devices
are listed.
-deviceId unique_device_ID
An alphanumeric value that is the unique ID of a device.
If you do not specify the device ID for a delete operation, all of the
registration information for the specified user ID is deleted.
-attributes attribute_list
A list of key-value pairs of attributes.
The default delimiter is the percent symbol (%).
-delimiter delimiter
The character that delimits the key-value pairs in the list of attributes.
Use the -delimiter parameter to specify the delimiter when you register a
device with the -attributes parameter.
If you do not specify the delimiter parameter, the percent symbol (%) is the
default delimiter.
Examples
The following examples show the correct syntax for various operations of the
manageRbaDevices command:
Create registration information for a device. The following example uses the
default delimiter, which is the percent symbol (%):
v Using Jacl:
$AdminTask manageRbaDevices {-operation create -userId user1
-attributes attribute1=value1%attribute2=value2%attribute3=value3}
v Using Jython string:
$AdminTask manageRbaDevices(’[-operation create -userId user1
-attributes attribute1=value1%attribute2=value2%attribute3=value3]’)
v Using Jython list:
$AdminTask manageRbaDevices([’-operation’, ’create’, ’-userId’, ’user1’,
’-attributes’ ’attribute1=value1%attribute2=value2%attribute3=value3’])
Create registration for a device and specify a delimiter for the list of attributes.
The following example uses a comma (,) as the delimiter:
v Using Jacl:
$AdminTask manageRbaDevices {-operation create -userId user1 -delimiter ,
-attributes attribute1=value1,attribute2=value2,attribute3=value3}
v Using Jython string:
$AdminTask manageRbaDevices(’[-operation create -userId user1 -delimiter ,
-attributes attribute1=value1,attribute2=value2,attribute3=value3]’)
v Using Jython list:
$AdminTask manageRbaDevices([’-operation’, ’create’, ’-userId’, ’user1’,
’-delimiter’ ’,’
’-attributes’ ’attribute1=value1,attribute2=value2,attribute3=value3’])
List all of the registered devices:
v Using Jacl:
$AdminTask manageRbaDevices {-operation search}
v Using Jython string:
$AdminTask manageRbaDevices(’[-operation search]’)
Chapter 7. Reference
69
v Using Jython list:
$AdminTask manageRbaDevices([’-operation’, ’search’])
Search for the devices that are registered for a specific user:
v Using Jacl:
$AdminTask manageRbaDevices {-operation search -userId user1}
v Using Jython string:
$AdminTask manageRbaDevices(’[-operation search -userId user1]’)
v Using Jython list:
$AdminTask manageRbaDevices([’-operation’, ’search’, ’-userId’, ’user1’])
Delete the registration information of all devices for a specified user:
v Using Jacl:
$AdminTask manageRbaDevices {-operation delete -userId user1}
v Using Jython string:
$AdminTask manageRbaDevices(’[-operation delete -userId user1]’)
v Using Jython list:
$AdminTask manageRbaDevices([’-operation’, ’delete’, ’-userId’, ’user1’])
Delete the registration information of a specified device:
v Using Jacl:
$AdminTask manageRbaDevices {-operation delete -deviceId device1}
v Using Jython string:
$AdminTask manageRbaDevices(’[-operation delete -deviceId device1]’)
v Using Jython list:
$AdminTask manageRbaDevices([’-operation’, ’delete’, ’-deviceId’, ’device1’])
manageRbaPolicy command
After you write a script with policy rules, you must use the manageRbaPolicy
command to create and configure an authorization policy for risk-based access.
Purpose
Use the manageRbaPolicy command to create, update, delete, and search for
policies.
Before you create a policy, you must write a script that specifies the policy rules in
the “Authorization policy generation language” on page 46.
Note: You cannot use the manageRbaPolicy command to manage risk-based access
policies if the runtime security service is configured with IBM Tivoli Security
Policy Manager as the policy administration point. For more information, see
“Policy management with IBM Tivoli Security Policy Manager” on page 50.
Syntax
$AdminTask manageRbaPolicy {-operation operator [-policyId unique_ID]
[-policyFile file_name] [-serviceName service_name] [-fileId response_file_path]}
Parameters
Use the following parameters with the manageRbaPolicy command:
-operation operator
Specifies the operation for the policy. This parameter is required.
70
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
The valid values are create, update, delete, search, export, and
createResponseFile.
Table 9. Required and optional parameters for operators of the manageRbaPolicy command
Operator
Description
Required parameters Optional parameters
create
Creates a policy.
-policyFile
-policyId, -fileId
update
Updates a policy.
-policyFile
-policyId, -fileId
delete
Deletes a policy.
-serviceName
-policyId, -fileId
search
Searches for policies.
None
-policyId,
-serviceName
export
Exports a policy to a
Java archive (JAR)
file.
-fileId
None
createResponseFile
-fileId
Creates a response
file template or uses
a response file to run
batch operations.
None
-policyId unique_ID
An alphanumeric value that is the unique ID of the policy.
Note: In an IBM Tivoli Access Manager for e-business environment that uses
WebSEAL, the value of the -policyId parameter is typically the same as the
-serviceName parameter. In such cases, the runtime security services stores the
policy with _DEFAULT_ as the policy ID. Hence, when you search for a specified
policy, you must search with the -policyId value as _DEFAULT_ along with the
-serviceName parameter.
-policyFile file_path
The path and file name of the policy.
-serviceName
The service name that the policy uses.
In an IBM Tivoli Access Manager for e-business environment that uses
WebSEAL, the service name is the same as the WebSEAL server name, for
example, localhost-default.
You can use the service name to search for a specific policy.
-fileId response_file_path
The path of the input or output response file or exported policy file:
v To output an XML response file template for the manageRbaPolicy command,
use the createResponseFile operator with the fileId parameter.
v To input an XML response file to configure policies, use the create, update,
or delete operators with the fileId parameter. The specified response file
must contain the information that you would typically specify on the
command line. Edit the XML response file with a text editor to specify the
values that you require. For more information, see “Response file example
for manageRbaPolicy command” on page 73.
v To export all the policies in the runtime security service that is configured
for risk-based access, use the export operator with the fileId parameter.
The policies are exported in XML format to a JAR file.
Note: You can use the fileId parameter only with the operator parameter.
Any other parameters that you specify are ignored.
Chapter 7. Reference
71
Examples
The following examples show the correct syntax for various operations of the
manageRbaPolicy command:
Create a policy:
v Using Jacl:
$AdminTask manageRbaPolicy {-operation create -policyId RBA_policy
-policyFile /tmp/policy001}
v Using Jython string:
$AdminTask manageRbaPolicy(’[-operation create -policyId RBA_policy
-policyFile /tmp/policy001]’)
v Using Jython list:
$AdminTask manageRbaPolicy([’-operation’, ’create’, ’-policyId’, ’RBA_policy’,
’-policyFile’ ’/tmp/policy001’])
Modify a policy:
v Using Jacl:
$AdminTask manageRbaPolicy {-operation update -policyFile /tmp/policy001}
v Using Jython string:
$AdminTask manageRbaPolicy(’[-operation update -policyFile /tmp/policy001]’)
v Using Jython list:
$AdminTask manageRbaPolicy([’-operation’, ’update’, ’-policyFile’, ’/tmp/policy001’])
Search for a policy by its ID:
v Using Jacl:
$AdminTask manageRbaPolicy {-operation search -policyId RBA_policy}
v Using Jython string:
$AdminTask manageRbaPolicy(’[-operation search -policyId RBA_policy]’)
v Using Jython list:
$AdminTask manageRbaPolicy([’-operation’, ’search’, ’-policyId’, ’RBA_policy’])
Search for all policies:
v Using Jacl:
$AdminTask manageRbaPolicy {-operation search}
v Using Jython string:
$AdminTask manageRbaPolicy(’[-operation search]’)
v Using Jython list:
$AdminTask manageRbaPolicy([’-operation’, ’search’])
Delete a policy
v Using Jacl:
$AdminTask manageRbaPolicy {-operation delete -serviceName localhost-default}
v Using Jython string:
$AdminTask manageRbaPolicy(’[-operation delete -serviceName localhost-default]’)
v Using Jython list:
$AdminTask manageRbaPolicy([’-operation’, ’delete’, ’-serviceName’, ’localhost-default’])
Export policies to a JAR file:
v Using Jacl:
$AdminTask manageRbaPolicy {-operation export -fileId /tmp/policy.jar}
v Using Jython string:
$AdminTask manageRbaPolicy(’[-operation export -fileId /tmp/policy.jar]’)
v Using Jython list:
$AdminTask manageRbaPolicy([’-operation’, ’export’, ’-fileId’, ’/tmp/policy.jar’])
72
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
Create a response file template for this command:
v Using Jacl:
$AdminTask manageRbaPolicy {-operation createResponseFile -fileId /tmp/resp.xml}
v Using Jython string:
$AdminTask manageRbaPolicy(’[-operation createResponseFile -fileId /tmp/resp.xml]’)
v Using Jython list:
$AdminTask manageRbaPolicy([’-operation’, ’createResponseFile’,
’-fileId’, ’/tmp/resp.xml’])
Create a policy by using a response file as input:
v Using Jacl:
$AdminTask manageRbaPolicy {-operation create -fileId /tmp/resp.xml}
v Using Jython string:
$AdminTask manageRbaPolicy(’[-operation create -fileId /tmp/resp.xml]’)
v Using Jython list:
$AdminTask manageRbaPolicy([’-operation’, ’create’, ’-fileId’, ’/tmp/resp.xml’])
Response file example for manageRbaPolicy command
Use a response file to run batch operations for the manageRbaPolicy command. The
response file contains information that you would normally specify on the
command line. Using a response file helps you automate your configuration
process.
To create a response file template, use the fileId parameter with the
createResponseFile operator of the manageRbaPolicy command. Edit the response
file template to specify the values that you require. For more information about the
fileId parameter, see “manageRbaPolicy command” on page 70.
The following response file example shows how to create a policy named
rbapolicy and specify policy properties such as policyId and policyFile:
<?xml version="1.0" encoding="UTF-8"?>
<java version="1.5.0" class="java.beans.XMLDecoder">
<object class="java.util.ArrayList">
<void method="add">
<object class="com.tivoli.am.rba.cli.CLIPolicyParameters">
<void property="policyId">
<string>rbapolicy</string>
</void>
<void property="policyFile">
<string>/tmp/policy001.xml</string>
</void>
</object>
</void>
</object>
</java>
manageRbaRiskProfile command
Use the manageRbaRiskProfile command to manage and configure weights for the
risk attributes. Risk score calculation is based on the weights that you specify for
the attributes.
Purpose
Use the manageRbaRiskProfile command to create, update, delete, and search for
attributes.
Chapter 7. Reference
73
For a list of all risk-based access attributes, see “Attributes for risk profiles and
policies” on page 85.
Syntax
$AdminTask manageRbaRiskProfile {-operation operator [-attributeId unique_ID]
[-weight weight] [-device true|false] [-session true|false]
[-behavior true|false] [-fileId response_file_path]}
Parameters
Use the following parameters with the manageRbaRiskProfile command:
-operation operator
Specifies the operation for the attribute. This parameter is required.
The valid values are create, update, delete, search, and createResponseFile.
Note: An error occurs if you attempt to delete an attribute that is stored in the
database as part of a registered device fingerprint. A device fingerprint consists
of a user ID and a set of key-value pairs of attributes that identify a particular
user. You can delete only the attributes that are not registered as part of any
device fingerprint in the database.
Table 10. Required and optional parameters for operators of the manageRbaRiskProfile
command
Operator
Description
Required parameters Optional parameters
create
Creates an attribute
and specify its
weight.
-attributeId,
-weight
-fileId, -device,
-session, -behavior
update
Updates an existing
attribute.
-attributeId,
-weight
-fileId, -device,
-session, -behavior
delete
Deletes an attribute.
-attributeId
-fileId
search
Searches for a
specific attribute or
lists all attributes.
None
-attributeId,
-fileId
createResponseFile
Creates a response
-fileId
file template or uses
a response file to run
batch operations.
None
-attributeId unique_ID
An alphanumeric value that is the unique ID of the attribute.
If you do not specify the attribute ID for a search operation, the search is done
on all of the attributes.
-weight weight
A numeric value that is the weight of the attribute.
Risk-based access uses the weight to calculate the risk score.
-device true|false
Indicates whether the attribute must be stored as part of the device fingerprint.
The default value of this parameter is true.
-session true|false
Indicates whether the attribute must be stored as a session attribute.
74
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
The default value of this parameter is true.
-behavior true|false
Indicates whether the attribute must be stored as a behavior attribute in the
historical storage area.
The default value of this parameter is false.
-fileId response_file_path
The path of the input or output response file:
v To output an XML response file template for the manageRbaRiskProfile
command, use the createResponseFile operator with the fileId parameter.
v To input an XML response file to configure attributes, use the create,
update, delete, or search operators with the fileId parameter. The specified
response file must contain the information that you would typically specify
on the command line. Edit the XML response file with a text editor to
specify the values that you require. For more information, see “Response file
example for manageRbaRiskProfile command” on page 76.
Note: Use the fileId parameter only with the operator parameter. Any other
parameters that you specify are ignored.
Examples
The following examples show the correct syntax for various operations of the
manageRbaRiskProfile command:
Create an attribute:
v Using Jacl:
$AdminTask manageRbaRiskProfile {-operation create -attributeId browser
-weight 75}
v Using Jython string:
$AdminTask manageRbaRiskProfile(’[-operation create -attributeId browser
-weight 75]’)
v Using Jython list:
$AdminTask manageRbaRiskProfile([’-operation’, ’create’, ’-attributeId’, ’browser’,
’-weight’, ’75’])
Search for a specific attribute:
v Using Jacl:
$AdminTask manageRbaRiskProfile {-operation search -attributeId browser}
v Using Jython string:
$AdminTask manageRbaRiskProfile(’[-operation search -attributeId browser]’)
v Using Jython list:
$AdminTask manageRbaRiskProfile([’-operation’, ’search’, ’-attributeId’, ’browser’])
List all attributes:
v Using Jacl:
$AdminTask manageRbaRiskProfile {-operation search}
v Using Jython string:
$AdminTask manageRbaRiskProfile(’[-operation search]’)
v Using Jython list:
$AdminTask manageRbaRiskProfile([’-operation’, ’search’])
Modify the weight of an existing attribute:
v Using Jacl:
Chapter 7. Reference
75
$AdminTask manageRbaRiskProfile {-operation update -attributeId browser
-weight 25}
v Using Jython string:
$AdminTask manageRbaRiskProfile(’[-operation update -attributeId browser
-weight 25]’)
v Using Jython list:
$AdminTask manageRbaRiskProfile([’-operation’, ’update’, ’-attributeId’, ’browser’,
’-weight’, ’25’])
Delete an attribute:
v Using Jacl:
$AdminTask manageRbaRiskProfile {-operation delete -attributeId browser}
v Using Jython string:
$AdminTask manageRbaRiskProfile(’[-operation delete -attributeId browser]’)
v Using Jython list:
$AdminTask manageRbaRiskProfile([’-operation’, ’delete’, ’-attributeId’, ’browser’])
Create a response file template for this command:
v Using Jacl:
$AdminTask manageRbaRiskProfile {-operation createResponseFile -fileId /tmp/resp.xml}
v Using Jython string:
$AdminTask manageRbaRiskProfile(’[-operation createResponseFile
-fileId /tmp/resp.xml]’)
v Using Jython list:
$AdminTask manageRbaRiskProfile([’-operation’, ’createResponseFile’,
’-fileId’, ’/tmp/resp.xml’])
Create several attributes with a response file as input:
v Using Jacl:
$AdminTask manageRbaRiskProfile {-operation create -fileId /tmp/resp.xml}
v Using Jython string:
$AdminTask manageRbaRiskProfile(’[-operation create -fileId /tmp/resp.xml]’)
v Using Jython list:
$AdminTask manageRbaRiskProfile([’-operation’, ’create’, ’-fileId’, ’/tmp/resp.xml’])
Note: After you use the manageRbaRiskProfile command to change attributes, you
must run the manageRbaConfiguration command with the reload option for the
changes to take effect.
Response file example for manageRbaRiskProfile command
Use a response file to run batch operations for the manageRbaRiskProfile
command. The response file contains information that you would normally specify
on the command line. Using a response file helps you automate your configuration
process.
To create a response file template, use the fileId parameter with the
createResponseFile operator of the manageRbaRiskProfile command. Edit the
response file template to specify the values that you require. For more information
about the fileId parameter, see “manageRbaRiskProfile command” on page 73.
The following response file example shows how to create an attribute called
browser and specify its weight:
<?xml version="1.0" encoding="UTF-8"?>
<java version="1.5.0" class="java.beans.XMLDecoder">
<object class="java.util.ArrayList">
<void method="add">
<object class="com.tivoli.am.rba.cli.CLIConfigParameters">
76
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
<void property="attrId">
<string>browser</string>
</void>
<void property="weight">
<string>80</string>
</void>
</object>
</void>
</object>
</java>
manageRbaSessions command
Use the manageRbaSessions command to manage the session attributes that the
attribute collection service collects. The session attributes of the user are stored
temporarily until the session times out. However, if the device is registered, the
session attributes are also stored as part of the device fingerprint.
Purpose
Use the manageRbaSessions command to list, search for, or delete session attributes.
Syntax
$AdminTask manageRbaSessions {-operation operator [-userId unique_user_ID]}
Parameters
Use the following parameters with the manageRbaSessions command:
-operation operator
Specifies the operation for the session attributes. This parameter is required.
The valid values are search and delete.
Table 11. Required and optional parameters for operators of the manageRbaSessions
command
Operator
Required parameters
Optional parameters
search
Lists all session attributes or
searches for the session
attributes of a specified user.
-userId
delete
Deletes the session attributes
of a specified user or all
session attributes from the
database.
-userId
-userId unique_user_ID
The unique ID of the user.
Examples
The following examples show the correct syntax for various operations of the
manageRbaSessions command:
List all of the session attributes:
v Using Jacl:
$AdminTask manageRbaSessions {-operation search}
v Using Jython string:
$AdminTask manageRbaSessions(’[-operation search]’)
Chapter 7. Reference
77
v Using Jython list:
$AdminTask manageRbaSessions([’-operation’, ’search’])
Search for the session attributes of a specified user:
v Using Jacl:
$AdminTask manageRbaSessions {-operation search -userId myname}
v Using Jython string:
$AdminTask manageRbaSessions(’[-operation search -userId myname]’)
v Using Jython list:
$AdminTask manageRbaSessions([’-operation’, ’search’, ’-userId’, ’myname’])
Delete all of the session attributes:
v Using Jacl:
$AdminTask manageRbaSessions {-operation delete}
v Using Jython string:
$AdminTask manageRbaSessions(’[-operation delete]’)
v Using Jython list:
$AdminTask manageRbaSessions([’-operation’, ’delete’])
Delete the session attributes of a specified user:
v Using Jacl:
$AdminTask manageRbaSessions {-operation delete -userId myname}
v Using Jython string:
$AdminTask manageRbaSessions(’[-operation delete -userId myname]’)
v Using Jython list:
$AdminTask manageRbaSessions([’-operation’, ’delete’, ’-userId’, ’myname’])
Configuration properties
Specify properties to configure various risk-based access components, such as the
database, attribute collection service, runtime security service, and attribute
matchers.
You can use the “manageRbaConfiguration command” on page 63 to create and
configure the following risk-based access properties.
Important: After you use the manageRbaConfiguration command to change
configuration properties, you must restart WebSphere Application Server for the
changes to take effect.
Note: If you configure a property with a name that ends with password or pwd, the
value of the property is obfuscated when it is stored in the database.
Properties for attribute collection service
ac.uuid
The name of the cookie that stores the correlation ID.
The correlation ID is a UUID that is stored in a cookie, which is used by the
attribute collection service. This cookie contains the session data of the user.
The session data can be captured even before the user passes the first level of
authentication. As the session data cannot always be stored, the cookie stores
session data.
The default value is ac.uuid.
78
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
ac.request.server
The server from which requests are received.
The value is the host name of the server where the info.js file is located. The
info.js file is the JavaScript file of the attribute collection service that is served
to the browser of the user.
The default value is rbademo.ibm.com.
ac.service.location
The location of the attribute collection service.
The value is the base URL of the IBM Tivoli Federated Identity Manager
attribute collection service. It hosts the attribute collection service and the
supporting JavaScript and SWF file to capture attributes.
The default value is http://rbademo.ibm.com/FIM/sps/ac/.
session.timeout
A numeric value that represents the number of seconds before a risk-based
access session automatically expires unless the session is updated. If any
attribute in the session is updated, the expiry time for the session is extended
by the number of seconds specified in this property.
The default value is 3600.
ac.get.attributes.enabled
A boolean property that indicates whether access to the GET method of the
Representational State Transfer (REST) service is allowed.
The default value is false.
ac.get.attributes.allowed.clients
A comma-separated list of IP addresses or host names that can access the GET
method of the REST service.
If this property is not set and the ac.get.attributes.enabled property is set to
true, anyone can access the GET method.
If this property is set but the ac.get.attributes.enabled property is set to
false, then this property is ignored.
Properties for attribute value storage
attributes.hash.algorithm
Determines the algorithm that is used to hash the attributes.
For example: SHA256
attributes.hash.enabled
A comma-separated list of values that must be hashed.
Properties for auditing
com.tivoli.am.rba.audit.file.name
Specifies how the audit log files are named.
The default prefix of the log file name is rba_audit_log.
com.tivoli.am.rba.audit.enableAuditing
Indicates whether auditing is enabled or disabled.
The default value is true.
com.tivoli.am.rba.audit.file.location
The location of the audit log file.
Chapter 7. Reference
79
The default location is the /rba_audit directory in the WebSphere Application
Server default logs directory.
The location that you specify for the com.tivoli.am.rba.audit.file.location
property is relative to the default logs directory for WebSphere Application
Server.
For example, on a Windows system, if you specify the value as rba, then the
log files are stored in the C:\Program Files\IBM\WebSphere\AppServer\
profiles\profile_name\logs\rba directory.
com.tivoli.am.rba.audit.file.size
A numeric value that specifies the maximum audit file size in megabytes (MB).
The default value is 100000.
com.tivoli.am.rba.audit.number.of.files
A numeric value that specifies the maximum number of audit files that are
created before the oldest file is overwritten.
The default value is 10.
Properties for database configuration
dbdatasource
The JNDI data source name for database access, which is configured in
WebSphere Application Server.
The default value is jdbc/rba. Use this property to specify another JNDI name
only if there is a problem with the default value.
dbpassword
A special property so that users can set the password of the database. This
property works only if you are using the embedded solidDB database;
otherwise it is ignored.
Properties for device registration
subject.id.attribute.name
The name of the attribute in the subject section of the incoming request from
EAS, which provides the user ID to risk-based access.
When a device is registered, the attribute provides the ID of the user who is
logged in.
The default value is AZN_CRED_PRINCIPAL_NAME.
max.no.of.registered.devices
A numerical value that specifies the maximum number of device fingerprints
that can be registered for a user.
The default value is 10.
Valid values are 1 to 20. Values that exceed this range default to 20.
Properties for external authentication interface (EAI) and
consent-based registration
Risk-based access provides a ready-to-use EAI implementation that supports
consent-based registration. The following properties primarily apply to the
consent-based registration function.
eai.header.auth.level
The EAI header for authentication level.
80
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
This value must match the value of the corresponding WebSEAL EAI
configuration property.
For example: am-eai-auth-level.
eai.header.user.id
The EAI header for user ID.
This value must match the value of the corresponding WebSEAL EAI
configuration property.
For example: am-eai-user-id.
user.consent.attribute.id
The session attribute ID that indicates the consent decision of the user for
device registration.
The default value is http://security.ibm.com/attributes/environment/
userConsent.
device.name
The name of the device as specified by the user.
This value is captured as part of consent-based device registration.
The default value is device.name.
consent.application.attribute.id
The application that captures the consent of the user.
The default value is http://security.ibm.com/attributes/environment/
consentApplication.
Properties for logging and reporting
db.logging.enabled
Indicates whether fine-grained logging is enabled for database SQL statements
that are fired by risk-based access.
The default value is false.
generate.risk.calculation.reports
Indicates whether risk calculation reports must be generated.
The default value is false.
If the value is true, the reports are stored in the temporary directory of the
WebSphere Application Server Java virtual machine (JVM) in a folder named
rba. The value of the java.io.tmpdir system property indicates the path of the
JVM temporary directory. For example, on AIX or Linux systems the files
might be stored in the /tmp/rba directory.
Properties for matchers
The following sections list the configuration properties that are required for the
various ready-to-use matchers and the JavaScript matcher for writing custom
matchers.
Properties for IP address matcher
The IP address matcher processes the ipaddress attribute.
ip.whitelist
A list of comma-separated IP addresses or subnets that you want to permit.
Chapter 7. Reference
81
Include X.X.X.X as a value for -propertyValue to compare the incoming IP
address with the IP address with which the device is registered.
ip.whitelist.netmask
A comma-separated list of netmasks for the IP addresses that are listed in the
ip.whitelist property.
The list of netmasks must be specified in the same order as the list of IP
addresses in the ip.whitelist property. The total number of netmasks must
correspond exactly to the total number of IP addresses.
ip.blacklist
A comma-separated list of IP addresses that must not be permitted.
ip.blacklist.netmask
A comma-separated list of netmasks for the IP addresses that are listed in the
ip.blacklist property.
The list of netmasks must be specified in the same order as the list of IP
addresses in the ip.blacklist property. The total number of netmasks must
correspond exactly to the total number of IP addresses.
Properties for the location matcher
The location matcher attribute processes the longitude, latitude, accuracy, and
altitude attributes.
location.comparison
Indicates how you want the attribute matcher to calculate the accuracy range
of the location coordinates.
Valid values are closest, midpoint, and farthest.
The default value is midpoint.
location.allowable.distance
The maximum distance between the new location and the historic locations.
The unit of the numeric value is kilometers.
The default value is 40.
Properties for the login time matcher
The login time matcher is a behavior-based matcher that uses historical access
times to determine the probability of a fraudulent user. The access times are
recorded in the risk-based access database.
login.time.probability.threshold
Represents the probability that a user might log in at a particular time.
Valid values are 0 to 1 of double data type.
The default value is .3.
Properties for the JavaScript matcher
The JavaScript matcher processes all of the attributes that are identified by the
value of the javascript.attributes property.
javascript.attributes
A comma-separated list of JavaScript attributes that are processed by the
JavaScript attribute matcher.
82
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
For example: userLanguage,fonts,screenHeight,plugins,userAgent.
Properties for behavior matchers
min.usage.history.required
This property controls how many usage data records must be considered as
sufficient for behavior matchers such as the login time matcher.
The default value is 8. When less than eight logins are detected in the usage
data, then the login time matcher returns an INDETERMINATE result, which
means that its weight is considered as zero.
usage.data.cap.per.user
The maximum number of usage data records that the system can store for each
user.
The default value is 1000.
Properties for password obfuscation
Some runtime configuration properties are automatically obfuscated by risk-based
access. For example, if you configure a property with a name that ends with
assword or pwd, the value of the property is obfuscated by default when it is stored
in the database.
obfuscator.default
Identifies the property that specifies the name of the default obfuscator class.
For example: Password.ClassName.MyObfuscator.
If the value of this property is not specified, the default obfuscator that is
provided with risk-based access is used.
obfuscator.filename
The name of Java archive (JAR) file that contains one or more obfuscator
classes.
If this file is not found in the WebSphere Application Server lib directory,
custom obfuscators are loaded. The custom obfuscators are identified by
properties with names that resemble obfuscator.classname.*. A maximum of
10 properties can be configured to specify various password obfuscators that
risk-based access can use.
For example:
obfuscator.classname.MyObfuscator=com.xyz.MyObfuscator
obfuscator.classname.1=com.xyz.PasswordObfuscator1
obfuscator.classname.2=com.xyz.PasswordObfuscator2
obfuscator.classname.3=com.xyz.PasswordObfuscator3
Properties for policy information points (PIPs)
pip.attributes.user.fingerprint.count
Stores the attribute ID of the device count that is computed by the risk-based
access UserFingerprintCountPIP. This PIP computes the count of devices that
are registered for a specific user ID in the risk-based access database.
The default value is http://security.ibm.com/attributes/subject/
registeredDeviceCount.
pip.attributes.risk.score
Stores the attribute ID of the risk score that is computed by the risk-based
access RiskCalculatorPIP, which computes the risk that is associated with an
incoming request.
Chapter 7. Reference
83
The default value is http://security.ibm.com/attributes/resource/
riskScore.
Properties for runtime security service
rtss.admin.ws.host
The host name where the runtime security service is located.
For example: rbademo.ibm.com.
rtss.admin.port
The administration port number of the runtime security service.
rtss.admin.wssecurity.enabled
Indicates whether security is enabled for the runtime security service.
rtss.admin.keystore.alias
The alias of the runtime security service keystore.
rtss.admin.keystore.file
The file name of the runtime security service keystore.
rtss.admin.keystore.file.pwd
The password for the runtime security service keystore file.
rtss.admin.keystore.key.pwd
The password to the runtime security service key in the keystore.
rtss.admin.keystore.type
The type of the keystore that is used by the runtime security service server.
rtss.admin.truststore.file
The location of the truststore file for the runtime security service server.
rtss.admin.truststore.file.pwd
The password to the truststore for the runtime security service server.
rtss.admin.truststore.file.type
The type of the truststore.
rtss.admin.basic.authn.username
The user name to access the runtime security service server with basic
authentication.
rtss.admin.basic.authn.pwd
The password to access the runtime security service server with basic
authentication.
policy.service.name
The policy service name in the runtime security service.
For example: webseald-localhost-default.
The service name must match the top-level context ID of all the risk-based
access policies. All incoming requests from the runtime security services
external authorization service (EAS) in WebSEAL contain the instance name of
the WebSEAL server as the context ID. You can customize the service name in
the WebSEAL configuration file. If this value does not match the context ID
coming from EAS, then the policies are not applied to the incoming requests
from the EAS.
84
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
Attributes for risk profiles and policies
Risk-based access stores user and device-related data in the form of attributes.
These attributes are used to calculate risk. Use the following attributes to author or
customize policies and policy information providers (PIPs):
The following tables show all the attributes for risk profiles and policies:
v Authorization credential attributes
v Device fingerprint attributes
v Risk score attributes
v Runtime security services audit attributes
v Session attributes
v User metadata attributes
Table 12. Use and characteristics of policy and context attributes: authorization credential.
Contains information about the identity and authorization capability of the subject of the credential.
Stored in the authorization credential of the user.
Attributes
Category
Data type
Description
AUTHENTICATION_LEVEL
Subject
String
Authentication level of a user.
AZN_CRED_AUTHNMECH_INFO
Subject
String
Authentication mechanism.
AZN_CRED_AUTHZN_ID
Subject
String
Registry name of the user.
AZN_CRED_AUTH_METHOD
Subject
String
Method of authentication used. For example: password.
AZN_CRED_BROWSER_INFO
Subject
String
User agent.
AZN_CRED_GROUPS
Subject
String
Groups that the user is a member of.
AZN_CRED_GROUP_REGISTRY_IDS
Subject
String
Registry IDs of the groups the user is a member of.
AZN_CRED_GROUP_UUIDS
Subject
String
Universally Unique Identifer (UUID) of the groups the user is a
member of.
AZN_CRED_IP_FAMILY
Subject
String
IP family.
AZN_CRED_MECH_ID
Subject
String
Mechanism ID.
AZN_CRED_NETWORK_ADDRESS_BIN
Subject
String
Binary representation of the IP.
AZN_CRED_NETWORK_ADDRESS_STR
Subject
String
String representation of the IP
AZN_CRED_PRINCIPAL_DOMAIN
Subject
String
Domain that the user is authenticated in.
AZN_CRED_PRINCIPAL_NAME
Subject
String
User name.
AZN_CRED_PRINCIPAL_UUID
Subject
String
UUID of the user.
AZN_CRED_QOP_INFO
Subject
String
Quality of protection information.
AZN_CRED_REGISTRY_ID
Subject
String
ID of the user in the registry.
AZN_CRED_USER_INFO
Subject
String
Extra information about the user. For example: name.
AZN_CRED_VERSION
Subject
String
Credential version.
tagvalue_login_user_name
Subject
String
Credential attribute that records the user name.
tagvalue_session_index
Subject
String
Session index in the user credential.
tagvalue_user_session_id
Subject
String
Name and value of the user session ID in the user credential.
urn:oasis:names:tc:xacml:
1.0:subject:group-id
Subject
String or
X500Name
Groups that the user is a part of.
For example: sec_master.
For example:
cn=SecurityGroup,1.3.6.1.4.1.4228.1.3=Default1,dc=ibm,dc=com
Chapter 7. Reference
85
Table 12. Use and characteristics of policy and context attributes: authorization credential (continued).
Contains information about the identity and authorization capability of the subject of the credential.
Stored in the authorization credential of the user.
Attributes
Category
Data type
Description
urn:oasis:names:tc:xacml:
1.0:subject:subject-id
Subject
String or
X500Name
Identity of the requester.
For example:
cn=SecurityMaster,secAuthority=Default1,dc=ibm,dc=com
Table 13. Use and characteristics of policy and context attributes: device fingerprint.
Retrieved from standard HTTP headers.
Configure the attributes that you want to retrieve in the [azn-decision-info] stanza of the WebSEAL configuration
file.
The configured attributes are provided when an access request is routed from the external authorization service
(EAS) to the runtime security service. For more information, see Runtime security services external authorization
service.
Attributes
Category
Data type
Description
header:Accept
Environment
String
Content-types that acceptable.
header:Accept-Charset
Environment
String
Character sets that are acceptable.
header:Accept-Encoding
Environment
String
Encoding types that are acceptable.
header:Accept-Language
Environment
String
Languages that are acceptable.
header:Authorization
Environment
String
Authentication credentials.
header:Cache-Control
Environment
String
Used to specify the directives that must be obeyed by all
caching mechanisms along the request chain and response
chain.
header:Connection
Environment
String
Type of connection that the user-agent prefers.
header:Content-Type
Environment
String
MIME type of the request body.
header:Host
Environment
String
Requested host.
header:Pragma
Environment
String
Implementation-specific headers that might have various effects
anywhere along the request-response chain.
header:rspcode
Environment
String
Response code.
header:Transfer-Encoding
Environment
String
Encoding type of the response.
header:User-Agent
Environment
String
String that gives you information about the environment from
which you access the resource. For example: browser
information or version information.
header:X-Requested-With
Environment
String
Identifies Ajax requests.
method
Environment
String
Type of request that is made. For example: GET or POST.
scheme
Environment
String
Type of protocol that the request is using. For example: HTTP or
HTTPS.
uri
Environment
String
Requested resource. The query string is included with the URI.
Table 14. Use and characteristics of policy and context attributes: risk score. Contains the calculated risk score.
Attributes
Category
Data type
Description
http://security.ibm.com/attributes/resource/riskScore
Resource
Integer
Calculated risk score.
86
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
Table 15. Use and characteristics of policy and context attributes: Runtime security services audit.
Used by the runtime security services policy decision point (PDP).
Not used for authoring policies.
Attributes
Category
Data type
Description
urn:oasis:names:tc:xacml:1.0:action:action-id
Action
String
Action that is performed on the
resource. For example: read.
urn:oasis:names:tc:xacml:1.0:environment:current-date
Environment
Date
Date of the request.
urn:oasis:names:tc:xacml:1.0:environment:current-time
Environment
Time
Time of the request.
urn:oasis:names:tc:xacml:1.0:resource:resource-id
Resource
String
ID of the resource that is accessed.
urn:oasis:names:tc:xacml:1.0:subject:subject-id
Subject
String
Subject that accesses the resource.
Table 16. Use and characteristics of policy and context attributes: session. Uses the functions that are provided in
the info.js file to collect session attributes. Complete the following steps to employ:
1. Embed JavaScript code that calls the functions in the info.js file in the landing page of your application.
2. Use themanageRbaRiskProfile command to configure the attributes and their weights for risk score calculation.
Attributes
Category
Data type
Description
accessTime
Environment
String
Time that a request is made.
accuracy
Environment
String
Radius around the latitude and longitude that contains the
actual location of the device in meters.
altitude
Environment
String
Altitude of the device.
availableHeight
Environment
String
Indicates the height of the requesting device’s screen without
the Windows toolbar.
availableWidth
Environment
String
Indicates the width of the requesting device’s screen without
the Windows toolbar.
colorDepth
Environment
String
Indicates the bit depth of the device’s color palette.
fonts
Environment
String
Determines all of the installed fonts in the browser.
ipaddress
Environment
String
Contains the IP address of the incoming request.
language
Environment
String
Determines the language that the device is using.
latitude
Environment
String
Latitude of the device that is based on the w3c geolocation
standard.
longitude
Environment
String
Longitude of the device that is based on the w3c geolocation
standard.
platform
Environment
String
Determines the operating system (OS) the device is running.
plugins
Environment
String
All of the installed plug-ins in the browser.
screenHeight
Environment
String
Indicates the height of the screen of the requesting device.
screenWidth
Environment
String
Indicates the width of the screen of the requesting device.
urn:oasis:names:tc:xacml:1.0:
action:action-id
Action
String
Action that must be taken on the resource.
Typically, the action is an HTTP method, such as GET, POST, or
OPTIONS.
urn:oasis:names:tc:xacml:1.0:
resource:resource-id
Resource
String
URI of the resource on which the action must be taken.
Does not include the query string.
Usually the same as the uri attribute.
userAgent
Environment
String
Indicates the user agent.
Chapter 7. Reference
87
Table 17. Use and characteristics of policy and context attributes: user metadata. Contains information about
registered attributes.
Attributes
Category
Data
type
http://security.ibm.com/attributes/subject/registeredDeviceCount
Subject
Integer
88
Description
Number of registered user
devices.
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
Chapter 8. Error message reference
Messages indicate events that occur during the operation of the system. Depending
on their purpose, messages might be displayed on the screen. By default, all
informational, warning, and error messages are written to the message logs. You
can review the logs later to determine what events occurred, see what corrective
actions were taken, and audit the actions taken.
The following types of messages are used:
Informational messages
Indicate conditions that are worthy of noting but that do not require you to
take any precautions or actions.
Warning messages
Indicate that a condition is detected, about which you must be aware, but
does not necessarily require any action.
Error messages
Indicates that a condition occurred, which requires your action.
Use the explanation of the error messages to troubleshoot problems that might
occur.
DPWBA0300W A general error occurred: exception
message.
Explanation: This error might be due to a missing
configuration entry for the runtime security services
cluster definition.
Explanation: An error occurred when attempting to
process the authorization decision request. The
WebSEAL logs might contain more information.
Administrator response: Verify that all configuration
entries are present and have correct values.
Administrator response: Check the WebSEAL logs for
more details.
DPWBA0303E A required configuration entry, entry
name, under the stanza name stanza is
missing from the configuration file.
Explanation: See message.
Administrator response: Add the specified missing
entry to the configuration file.
DPWBA0304E Unable to determine whether the
IBM Tivoli Access Manager policy
needs to be applied: error code.
Explanation: An error occurred when parsing the IBM
Tivoli Access Manager policy value as Boolean. The
WebSEAL trace logs might contain more details.
Administrator response: Ensure that the configuration
value for setting the IBM Tivoli Access Manager policy
is set to either true or false.
DPWBA0305E Initialization of cluster manager
failed: error code.
© Copyright IBM Corp. 2012, 2013
DPWBA0306E Failed to add cluster to cluster
manager: error code.
Explanation: This error might be due to a missing
configuration entry for the runtime security services
cluster definition.
Administrator response: Verify that all configuration
entries are present and have correct values.
DPWBA0307W The stanza stanza name in file file
name is not found.
Explanation: An error occurred when looking up the
specified stanza in the file.
Administrator response: Ensure that the specified
stanza is present.
DPWBA0308W The header key name is missing for
the app_context_data key: key.
Explanation: A header key name (the custom ones
specified on the LHS by users) is missing in the
configuration file, but is present in an IBM Tivoli
Access Manager structure.
89
DPWBA0309W • FBTRBA008E
Administrator response: Check the WebSEAL logs for
more details.
DPWBA0309W The authentication level is missing
for the obligation: obligation.
Explanation: An entry is missing in the
[obligations-levels-mapping] stanza in WebSEAL.
Administrator response: Add the missing entry that
maps the obligation to its authentication level and
restart WebSEAL.
DPWBA0310W An error occurred when trying to
retrieve the obligation ID from the
runtime security services response.
DPWBA0314E
The URL is invalid.
Explanation: A client request contained a URL that
does not conform to HTTP specifications.
Administrator response: Verify the request from the
client and ensure that it conforms to HTTP
specifications.
FBTRBA001E A database error occurred.
Explanation: An unrecoverable database error
occurred.
System action: Command execution is halted.
Administrator response: Check the server logs for
more details to trace the cause of the error.
Explanation: The obligation ID sent by the runtime
security services could not be parsed successfully. The
error is due to an issue either with the runtime security
services server or the runtime security services external
authorization service (EAS).
FBTRBA002E An error occurred when managing the
policy.
Administrator response: If the problem persists,
contact IBM support.
System action: Command execution is halted.
DPWBA0311W Unable to contact runtime security
services.
Explanation: Unable to make a SOAP call to the
runtime security service, which might be because the
service is down or due to a malformed request.
Explanation: See message.
Administrator response: Check the server logs for
more details to trace the cause of the error.
FBTRBA003E An error occurred during command
execution.
Explanation: See message.
Administrator response: Verify that the runtime
security services server is up and running. Also check
the WebSEAL logs for more details.
System action: Command execution is halted.
DPWBA0312W The attribute name attribute could not
be extracted from a credential: API error:
error string (API error code [major error
code:minor error code]).
FBTRBA005E
Explanation: The specified attribute could not be
extracted from a credential. This error might be due to
resource exhaustion, and as such be transient.
System action: Command execution is halted.
Administrator response: If the problem persists, check
IBM Electronic Support for additional information at
http://www.ibm.com/software/sysmgmt/products/
support/index.html?ibmprd=tivman.
Administrator response: Check the server logs for
more details to trace the cause of the error.
A required parameter parameter name is
missing or invalid.
Explanation: See message.
Administrator response: Check the server logs for
more details to trace the cause of the error.
FBTRBA007E The policy file does not exist.
Explanation: See message.
System action: Command execution is halted.
DPWBA0313E
Cannot allocate memory.
Explanation: Memory allocation operation failed.
Administrator response: Check memory limits on
your machine, and increase available memory if
possible.
Administrator response: Specify a policy file that
exists and run the command again.
FBTRBA008E Creation of database connection failed.
Check the database configuration and
network connectivity to the database
server.
Explanation: The database connection could not be
created.
90
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
FBTRBA009E • FBTRBA020E
System action: Command execution is halted.
more details to trace the cause of the error.
Administrator response: Ensure that the database is
configured correctly. Also check that the network
connectivity to the database server is available.
FBTRBA014E
FBTRBA009E
Unable to modify the application
parameter task or role name.
Explanation: An attempt to locate and modify a
particular set of application parameters failed during
deployment.
The risk-based access deployment
failed because the following
configuration directory could not be
created: Configuration Directory.
Explanation: See message.
System action: Command execution is halted.
Administrator response: Check the server logs for
more details to trace the cause of the error.
System action: Command execution is halted.
Administrator response: Check the server logs for
more details to trace the cause of the error.
FBTRBA010E
The IBM Tivoli Federated Identity
Manager runtime is not deployed.
Deploy the IBM Tivoli Federated
Identity Manager runtime before
continuing.
Explanation: The risk-based access runtime requires
that the IBM Tivoli Federated Identity Manager runtime
be deployed first.
FBTRBA017E
Explanation: See message.
System action: Command execution is halted.
Administrator response: Check the server logs for
more details to trace the cause of the error.
FBTRBA018E
System action: Command execution is halted.
Administrator response: Deploy the IBM Tivoli
Federated Identity Manager runtime before proceeding.
FBTRBA011E
The risk-based access deployment
failed.
Explanation: An error occurred during risk-based
access deployment.
System action: Command execution is halted.
The risk-based access deployment
failed because it could not determine
the directory in which IBM Tivoli
Federated Identity Manager is installed.
Explanation: See message.
System action: Command execution is halted.
Administrator response: Check the server logs for
more details to trace the cause of the error.
FBTRBA013E
The risk-based access deployment
failed because the runtime security
services EAR is not found at the
following location: RTSS Ear path.
Explanation: See message.
The risk-based access deployment
failed because the runtime security
services archive file is not found at the
following location: RTSS archive path.
Explanation: See message.
System action: Command execution is halted.
Administrator response: Check the server logs for
more details to trace the cause of the error.
FBTRBA019E
Administrator response: Check the server logs for
more details to trace the cause of the error.
FBTRBA012E
The risk-based access deployment
failed because the configuration
repository directory could not be
determined.
The risk-based access deployment
task failed because the risk-based access
runtime security services plugins
directory is not found at the following
location: rba plugins path.
Explanation: See message.
System action: Command execution is halted.
Administrator response: Check the server logs for
more details to trace the cause of the error.
FBTRBA020E
The risk-based access deployment
failed because a required file is not
found at the following location: path to
file.
Explanation: See message.
System action: Command execution is halted.
Administrator response: Check the server logs for
more details to trace the cause of the error.
System action: Command execution is halted.
Administrator response: Check the server logs for
Chapter 8. Error message reference
91
FBTRBA021E • FBTRBA069E
FBTRBA021E
An error occurred during the
risk-based access redeployment. Check
the application server logs for more
details.
Explanation: See message.
System action: Command execution is halted.
Administrator response: Check the server logs for
more details to trace the cause of the error.
FBTRBA028E Deserialization of the response file
failed.
Administrator response: Configure the attribute.
FBTRBA060E
The policies are not exported to
location.
Explanation: An error occurred when exporting
policies to the specified location.
System action: Command execution is halted.
Administrator response: Check the server logs for
more details to trace the cause of the error.
FBTRBA061E
Explanation: See message.
An error occurred when parsing the
XACML rules file.
System action: Command execution is halted.
Explanation: The XACML rules file could not be
parsed successfully, probably due to improper syntax.
Administrator response: Check the XML response file
to verify that it is valid and try again.
System action: Command execution is halted.
FBTRBA029E
The risk-based access deployment
failed because the risk-based access
JavaScript directory is not found at the
following location: rbajavascript path.
Administrator response: Check the syntax of the
XACML rules file and try again. Also check the server
logs for more details to trace the cause of the error.
FBTRBA062E
Explanation: See message.
An unknown operation operation name
is specified.
System action: Command execution is halted.
Explanation: An invalid operation is specified by the
user.
Administrator response: Check the server logs for
more details to trace the cause of the error.
System action: Command execution is halted.
FBTRBA049E
The runtime property ac.request.server
is not configured.
Explanation: To make cross-domain AJAX requests,
the runtime property ac.request.server must be
configured.
System action: The CORS headers are not set in the
HTTP response.
Administrator response: Configure the runtime
property ac.request.server.
Administrator response: Run the command with a
correct operation as specified in the documentation.
FBTRBA065E
Explanation: A subcomponent returned an error
during the reload attempt.
System action: Command execution is halted.
Administrator response: Check the logs for more
details to trace the cause of the error.
FBTRBA066E
FBTRBA057E
The attribute string is formatted
incorrectly.
Explanation: Attributes must be formatted as
key=value and separated by the specified delimiter or a
percent symbol (%).
Reloading of the configuration failed.
The device ID is invalid.
Explanation: The device ID is not formatted correctly.
It must be an integer value.
System action: Command execution is halted.
Administrator response: Verify the device ID.
System action: Command execution is halted.
Administrator response: Ensure that the attribute
string is formatted correctly.
FBTRBA058E
The attribute name, name, is invalid
and is not configured.
FBTRBA069E
The type for the attribute id is not
specified.
Explanation: An attribute and its type must be
specified must be specified before referencing the
attribute. Valid types are integer, double, string, time,
or date.
Explanation: The attribute validation failed because
the attribute is not configured.
System action: Command execution is halted.
System action: Command execution is halted.
Administrator response: Specify the type for the
92
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
FBTRBA075E • FBTRBA078E
attribute in the XACML rules file.
FBTRBA075E
The operation operation is not allowed
because runtime security service was
installed by IBM Tivoli Security Policy
Manager.
Explanation: The runtime security service was
deployed by IBM Tivoli Security Policy Manager; so
policy creation and deletion must be done using IBM
Tivoli Security Policy Manager.
System action: Command execution is halted.
Administrator response: Use IBM Tivoli Security
Policy Manager to create, delete, or update policies.
FBTRBA077E
Service name missing. To specify the
service name, use the -serviceName
parameter, or add
serviceNameConfigPropertyName to the
risk-based access configuration.
Explanation: The default service name was not
configured, and a value was not provided through the
serviceName parameter.
System action: Command execution is halted.
Administrator response: Add a default service name
to the risk-based access configuration, or specify one
using the the serviceName parameter.
FBTRBA078E
The risk-based access deployment
task failed because the risk-based access
matchers directory was not found at this
location: rba matchers path
Explanation: The risk-based access deployment
encountered an error and could not continue.
System action: The risk-based access deployment task
is halted.
Administrator response: Check the system logs for
more details and ensure that the risk-based access
installation step has completed.
Chapter 8. Error message reference
93
94
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
Notices
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in
other countries. Consult your local IBM representative for information on the
products and services currently available in your area. Any reference to an IBM
product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product,
program, or service that does not infringe any IBM intellectual property right may
be used instead. However, it is the user's responsibility to evaluate and verify the
operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not give you
any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM
Intellectual Property Department in your country or send inquiries, in writing, to:
Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
1623-14, Shimotsuruma, Yamato-shi
Kanagawa 242-8502 Japan
The following paragraph does not apply to the United Kingdom or any other
country where such provisions are inconsistent with local law :
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS
PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE.
Some states do not allow disclaimer of express or implied warranties in certain
transactions, therefore, this statement might not apply to you.
This information could include technical inaccuracies or typographical errors.
Changes are periodically made to the information herein; these changes will be
incorporated in new editions of the publication. IBM may make improvements
and/or changes in the product(s) and/or the program(s) described in this
publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those Web
sites. The materials at those Web sites are not part of the materials for this IBM
product and use of those Web sites is at your own risk.
© Copyright IBM Corp. 2012, 2013
95
IBM may use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose
of enabling: (i) the exchange of information between independently created
programs and other programs (including this one) and (ii) the mutual use of the
information which has been exchanged, should contact:
IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758 U.S.A.
Such information may be available, subject to appropriate terms and conditions,
including in some cases payment of a fee.
The licensed program described in this document and all licensed material
available for it are provided by IBM under terms of the IBM Customer Agreement,
IBM International Program License Agreement or any equivalent agreement
between us.
Any performance data contained herein was determined in a controlled
environment. Therefore, the results obtained in other operating environments may
vary significantly. Some measurements may have been made on development-level
systems and there is no guarantee that these measurements will be the same on
generally available systems. Furthermore, some measurement may have been
estimated through extrapolation. Actual results may vary. Users of this document
should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of
those products, their published announcements or other publicly available sources.
IBM has not tested those products and cannot confirm the accuracy of
performance, compatibility or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be addressed to the
suppliers of those products.
All statements regarding IBM's future direction or intent are subject to change or
withdrawal without notice, and represent goals and objectives only.
All IBM prices shown are IBM's suggested retail prices, are current and are subject
to change without notice. Dealer prices may vary.
This information is for planning purposes only. The information herein is subject to
change before the products described become available.
This information contains examples of data and reports used in daily business
operations. To illustrate them as completely as possible, the examples include the
names of individuals, companies, brands, and products. All of these names are
fictitious and any similarity to the names and addresses used by an actual business
enterprise is entirely coincidental.
COPYRIGHT LICENSE:
This information contains sample application programs in source language, which
illustrate programming techniques on various operating platforms. You may copy,
modify, and distribute these sample programs in any form without payment to
96
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
IBM, for the purposes of developing, using, marketing or distributing application
programs conforming to the application programming interface for the operating
platform for which the sample programs are written. These examples have not
been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or
imply reliability, serviceability, or function of these programs. You may copy,
modify, and distribute these sample programs in any form without payment to
IBM for the purposes of developing, using, marketing, or distributing application
programs conforming to IBM's application programming interfaces.
If you are viewing this information in softcopy form, the photographs and color
illustrations might not be displayed.
Trademarks
IBM, the IBM logo, and ibm.com® are trademarks or registered trademarks of
International Business Machines Corp., registered in many jurisdictions worldwide.
Other product and service names might be trademarks of IBM or other companies.
A current list of IBM trademarks is available on the Web at "Copyright and
trademark information" at www.ibm.com/legal/copytrade.shtml.
Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered
trademarks or trademarks of Adobe Systems Incorporated in the United States,
other countries, or both.
IT Infrastructure Library is a registered trademark of the Central Computer and
Telecommunications Agency which is now part of the Office of Government
Commerce.
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo,
Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or
registered trademarks of Intel Corporation or its subsidiaries in the United States
and other countries.
Linux is a trademark of Linus Torvalds in the United States, other countries, or
both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of
Microsoft Corporation in the United States, other countries, or both.
ITIL is a registered trademark, and a registered community trademark of the Office
of Government Commerce, and is registered in the U.S. Patent and Trademark
Office.
UNIX is a registered trademark of The Open Group in the United States and other
countries.
Java and all Java-based trademarks and logos are trademarks or registered
trademarks of Oracle and/or its affiliates.
Notices
97
Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the
United States, other countries, or both and is used under license therefrom.
Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo are
trademarks of HP, IBM Corp. and Quantum in the U.S. and other countries.
98
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
Glossary
This glossary includes terms and definitions for
risk-based access.
The following cross-references are used in this
glossary:
v See refers you from a term to a preferred
synonym, or from an acronym or abbreviation
to the defined full form.
v See also refers you to a related or contrasting
term.
To view glossaries for other IBM products, go to
www.ibm.com/software/globalization/
terminology (opens in new window).
A
access control
In computer security, the process of
ensuring that users can access only those
resources of a computer system for which
they are authorized.
access control list (ACL)
In computer security, a list associated
with an object that identifies all the
subjects that can access the object and
their access rights.
ACL
See access control list.
attribute
A characteristic or trait of an entity that
describes the entity. See also risk-related
attribute.
attribute configuration
In risk-based access, the configuration of
a risk attribute to specify its weight and
indicate whether the attribute is required
for risk calculation. See also risk-related
attribute.
attribute list
A linked list that contains extended
information that is used to make
authorization decisions. Attribute lists
consist of a set of key-value pairs.
attribute collection service
In risk-based access, a Representational
© Copyright IBM Corp. 2012, 2013
State Transfer (REST) service that collects
web browser and location information
from the user.
attribute matcher
In risk-based access, a feature that
compares the attribute values in the
incoming device fingerprint with the
existing device fingerprint of the user. The
ready-to-use attribute matchers that are
provided with risk-based access are the
location matcher, IP address matcher, and
login time matcher.
audit event
A record of an operation in the audit log
or change history; for example, an audit
entry is created when an attribute or
property is modified.
audit log
A log file that contains a record of system
events and responses. The audit log
maintains the history of significant
operations that modify metadata or
configuration data, including operations
that fail to complete successfully.
authentication
In computer security, the process that
verifies identity and provides proof that a
user of a computer system is genuinely
who that person claims to be. Common
mechanisms for implementing this service
are passwords and digital signatures.
Authentication is distinct from
authorization; authorization is concerned
with granting and denying access to
resources.
authorization
The process of granting a user, system, or
process either complete or restricted
access to an object, resource, or function.
authorization policy generation language
In risk-based access, a simplified format
that specifies the policy rules in a script,
which can be used to generate an
authorization policy for risk-based access.
authorization service
A dynamic or shared library that can be
loaded by the authorization API runtime
client at initialization time. It is used for
99
subsequent sessions. Cookies allow
servers to remember specific information
about clients.
operations that extend a service interface
in the Authorization API.
automatic device registration
See silent device registration.
B
batch operation
A predefined group of processing actions
that are submitted to the system. The
actions are taken with little or no
interaction between the user and the
system.
behavioral pattern
In risk-based access, the pattern derived
from the historical access data of a user.
For example, a behavioral pattern can
indicate that a specified user regularly
accesses a protected resource only during
business hours on weekdays.
C
challenge
A request for certain information to a
system. The information, which is sent
back in response to this request, is
necessary for authentication.
correlation ID
A UUID that is stored in a cookie.
credentials
Detailed information that is acquired
during authentication, which describes
the user, any group associations, and
other security-related identity attributes.
For example, a user ID and password are
credentials that allow access to network
and system resources.
D
data source
The means by which an application
accesses data from a database.
DB2
A family of IBM licensed programs for
relational database management.
demilitarized zone (DMZ)
A configuration that includes multiple
firewalls to add layers of protection
between a corporate intranet and a public
network, such as the Internet.
deploy
To place files or install software into an
operational environment. In Java
Platform, Enterprise Edition (Java EE),
deploying involves creating a deployment
descriptor suitable to the type of
application that is being deployed.
class path
A list of directories and JAR files that
contain resource files or Java classes that
a program can load dynamically at run
time.
configuration property
In risk-based access, a property that
specifies the configuration for various
components of risk-based access. For
example, properties are used to configure
the database, attribute collection service,
runtime security services, and attribute
matchers.
device fingerprint
In risk-based access, a set of attributes
that is part of the request that comes from
a device. A device fingerprint consists of a
user ID and a set of key-value pairs of
attributes that identify a particular user.
consent-based device registration
In risk-based access, the process of
registering the device fingerprint only if
the user consents to have the device
registered. The risk-based access policy
can be configured to present an HTML
form that requests the consent of the user
before the device is registered.
DMZ
cookie Information that a server stores on a
client system and accesses during
100
device registration
In risk-based access, the process of storing
the incoming device fingerprint in the
database. See also device fingerprint.
See demilitarized zone.
domain
1. An object, icon, or container that
contains other objects, which represent
the resources of a domain. The
domain object can be used to manage
those resources.
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
2. A logical grouping of resources in a
network for common management
and administration. For example, a
deployment of the Tivoli Federated
Identity Manager runtime component
on WebSphere Application Server.
releases. It is intended to allow customers
to move to a specific maintenance level.
H
hash
E
EAS
See external authorization service.
element
In markup languages, a basic unit that
consists of a start tag, end tag, attributes
and their values, and any text between
the start and end tags.
event
Any significant change in the state of a
system resource, network resource, or
network application. An event can be
generated for a problem, for the
resolution to a problem, or for the
successful completion of a task.
eXtensible Access Control Markup Language
(XACML)
A standard for access control policy
language. It provides a syntax that is
defined in XML for managing access to
resources.
Extensible Markup Language (XML)
A standard meta-language for defining
markup languages that is based on
Standard Generalized Markup Language
(SGML).
external authorization service (EAS)
An authorization API runtime plug-in
that can be used to make application- or
environment-specific authorization
decisions as part of the authorization
decision chain. Risk-based access uses the
runtime security services EAS plug-in to
enforce policy decisions.
In computer security, a number generated
from a string of text that is used to ensure
that transmitted messages arrived intact.
hashing
The process of encoding a character string
as a fixed-length bit string for
comparison.
host name
In Internet communication, the name that
is given to a computer. The host name
might be a fully qualified domain name,
such as mycomputer.city.company.com, or
it might be a specific subname, such as
mycomputer.
HTTP See hypertext transfer protocol.
hypertext transfer protocol (HTTP)
In the Internet suite of protocols, the
protocol that is used to transfer and
display documents.
I
identifier
The name of an item in a program that is
written in the Java language.
Internet protocol (IP)
In the Internet suite of protocols, a
connectionless protocol that routes data
through a network or interconnected
networks. IP acts as an intermediary
between the higher protocol layers and
the physical network.
IP
See internet protocol.
J
F
failover
An automatic operation that switches to a
redundant or standby system in the event
of a software, hardware, or network
interruption.
fix pack
A cumulative collection of fixes that is
made available between scheduled refresh
packs, manufacturing refreshes, or
Java Database Connectivity (JDBC)
An industry standard for
database-independent connectivity
between the Java platform and a wide
range of databases. The JDBC interface
provides a call level interface for
SQL-based and XQuery-based database
access.
Java Naming and Directory Interface (JNDI)
An extension to the Java platform that
Glossary
101
provides a standard interface for
heterogeneous naming and directory
services.
JDBC See Java Database Connectivity.
See Java Naming and Directory Interface.
JNDI
junction
A logical connection that is created to
establish a path from one server to
another.
K
persistence
A characteristic of data that is maintained
across session boundaries. Data
persistence is typically available in
nonvolatile storage, such as a database
system.
PIP
See policy information point.
plug-in
A separately installable software module
that adds function to an existing program,
application, or interface.
policy
key-value pair
Information that is expressed as a paired
set.
1. A set of considerations that influence
the behavior of a managed resource or
a user.
N
2. A set of conditions that, after they are
evaluated, determine access decisions.
naming service
An implementation of the Java Naming
and Directory Interface (JNDI) standard.
policy decision point (PDP)
A policy decision component that
evaluates and determines the results an
access request.
O
policy enforcement point (PEP)
A policy decision component that receives
a request, notifies the policy decision
point of the request, receives a decision,
and enforces the decision.
object In object-oriented design or programming,
a concrete realization (instance) of a class
that consists of data and the operations
associated with that data. An object
contains the instance data that is defined
by the class, but the class owns the
operations that are associated with the
data.
one-time password (OTP)
A password that is valid for a single login
session or transaction.
See one-time password.
OTP
policy generation language
See authorization policy generation
language.
policy information point (PIP)
A policy decision component that
provides additional information about a
request.
POP
See protected object policy.
port
As defined in a Web Services Description
Language (WSDL) document, a single
endpoint that is defined as a combination
of a binding and a network address.
P
PDP
See policy decision point.
PEP
See policy enforcement point.
permission
Authorization for activities, such as
reading and writing local files, creating
network connections, and loading native
code.
persist
To be maintained across session
boundaries, typically in nonvolatile
storage, such as a database system or a
directory.
102
port number
In Internet communications, the identifier
for a logical connector between an
application entity and the transport
service.
profile
Data that describes the characteristics of a
user, group, resource, program, device, or
remote location.
property
A characteristic of an object that describes
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
the object. A property can be changed or
modified. Properties can describe an
object name, type, value, or behavior,
among other things.
protected object policy (POP)
A security policy that imposes additional
conditions on the operation permitted by
the ACL policy to access a protected
object. It is the responsibility of the
resource manager to enforce the POP
conditions.
pull
A network operation that initiates an
action by requesting the action from a
resource.
push
A network operation that sends
information to resources.
R
Risk-related attribute
In risk-based access, an attribute that is
used to calculate the risk score.
Risk-related attributes are collected from
HTTP headers, captured by attribute
collection service, or with custom
JavaScript.
risk score
In risk-based access, a numerical value
that represents the amount of risk that is
associated with a request to access a
protected resource. The risk score
indicates the confidence level that the
user who is using the device is actually
the authenticated user. The risk score is
computed on a scale of 1 to 100. The risk
score determines whether access to a
protected resource is permitted, denied, or
permitted with further authentication
proof.
Repository
A persistent storage area for data and
other application resources.
run time
The time period during which a computer
program is running.
Representational State Transfer (REST)
A software architectural style for
distributed hypermedia systems like the
World Wide Web. REST is a simple
interface that uses XML (or YAML, JSON,
plain text) over HTTP without an
additional messaging layer, such as SOAP.
See also RESTful.
runtime environment
A subset of an application development
kit (ADK) that contains the executable
files and other supporting files that
comprise the operational environment of
the platform.
response file
A file that contains predefined values,
such as parameters and values used to
control the actions of a component in a
predetermined manner. For example, in
risk-based access, the XML response file
for a command contains the information
that you would otherwise specify on the
command line.
runtime security services
A software component that, depending on
its configuration, can do the functions of a
policy decision point, policy enforcement
point, and policy distribution target.
runtime security services EAS
In risk-based access, a plug-in that
provides the policy enforcement point
(PEP) functionality.
rule
REST See Representational State Transfer.
RESTful
Pertaining to applications and services
that conform to Representational State
Transfer (REST) constraints. See also
Representational State Transfer.
risk-based access
A pluggable and configurable component
for IBM Tivoli Access Manager for
e-business. Risk-based access provides
access decision and enforcement that is
based on a dynamic risk assessment or
confidence level of a transaction.
A condition that is used in the evaluation
of a policy.
S
schema
The set of statements, expressed in a data
definition language, that completely
describes the structure of data that is
stored in a database, directory, or file. A
schema provides a logical classification of
database objects.
script
A series of commands, combined in a file,
Glossary
103
that carry out a particular function when
the file is run. Scripts are interpreted as
they are run.
secondary challenge
In risk-based access, the additional
challenge that is presented to the user for
authentication when the risk score is high.
See also challenge.
security
The protection of data, system operations,
and devices from accidental or intentional
ruin, damage, or exposure.
security policy
A written document that defines the
security controls that you institute for
your computer systems. A security policy
describes the risks that you intend these
controls to minimize and the actions that
must be taken if someone breaches your
security controls.
service
A resource, such as a web service, to
which access requests are made and that
can be protected by policies.
session
In Java EE, an object used by a servlet to
track user interaction with a web
application across multiple HTTP
requests. A session consists of a series of
requests to a server or application that
originate from the same user at the same
browser.
session attribute
In risk-based access, an attribute that the
attribute collection service captures
during a user session. The session
attributes are stored in the risk-based
access database when the device of the
user is registered.
shared library file
A file that consists of a symbolic name, a
Java class path, and a native path for
loading Java Native Interface (JNI)
libraries. Applications that are deployed
on the same node as this file can access
this information.
silent device registration
In risk-based access, the process of
registering the device fingerprint after the
user successfully authenticates with a
secondary challenge. Silent registration
does not require any further interaction or
104
consent from the user. See also secondary
challenge, device registration, and
consent-based device registration.
SOAP A lightweight, XML-based protocol for
exchanging information in a
decentralized, distributed environment.
SOAP can be used to query and return
information and invoke services across
the Internet.
stanza A group of lines in a file that together
have a common function or define a part
of the system. Stanzas are separated by
blank lines or colons, and each stanza has
a name.
step-up authentication
A protected object policy (POP) that relies
on a preconfigured hierarchy of
authentication levels. It enforces a specific
level of authentication according to the
policy set on a resource. The step-up
authentication POP does not force the
user to authenticate with multiple levels
of authentication to access a resource. It
requires the user to authenticate at a level
at least as high as the level required by
the policy that protects a resource. See
also protected object policy.
string In programming languages, the form of
data used for storing and manipulating
text.
syntax The rules for the construction of a
command or statement.
T
target The destination for an action or operation.
throughput
The measure of the amount of work done
by a device over a time period, for
example, the number of jobs per day.
token A particular message or bit pattern that
signifies permission or temporary control
to transmit over a network.
U
Uniform Resource Identifier (URI)
1. A compact string of characters for
identifying an abstract or physical
resource.
2. A unique address that is used to
identify content on the web, such as a
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
page of text, video, sound clip, image,
or program. The most common form
of URI is the web page address, which
is a particular form or subset of URI
called a Uniform Resource Locator
(URL). A URI typically describes how
to access the resource, the computer
that contains the resource, and the
name of the resource.
Uniform Resource Locator (URL)
The unique address of an information
resource that is accessible in a network,
such as the Internet. The URL includes
the abbreviated name of the protocol that
is used to access the information resource.
The URL also includes the information
used by the protocol to locate the
information resource.
discovered, and invoked over a network
that uses standard network protocols.
Typically, XML is used to tag the data,
and SOAP is used to transfer the data. A
WSDL is used for describing the services
available, and UDDI is used for listing
what services are available.
WebSEAL
A high performance, multi-threaded Web
server that applies a security policy to a
protected object space. WebSEAL can
provide single sign-on solutions and
incorporate back-end Web application
server resources into its security policy.
weight
In risk-based access, a numerical value
that is assigned to an attribute. The
weight of an attribute indicates its
importance from a risk perspective and is
used for calculating the risk score.
Uniform Resource Name (URN)
A name that uniquely identifies a web
service to a client.
Universally Unique Identifier (UUID)
The 128-bit numeric identifier that is used
to ensure that two components do not
have the same identifier.
URI
See Uniform Resource Identifier.
URL
See Uniform Resource Locator.
URN
See Uniform Resource Name.
X
XACML
See eXtensible Access Control Markup
Language.
XML
See Extensible Markup Language.
UUID See Universally Unique Identifier.
V
variable
A representation of a changeable value.
W
web application
An application that is accessible by a web
browser and that provides some function
beyond static display of information.
Common components of a web
application include HTML pages, JSP
pages, and servlets.
web server
A software program that can service
Hypertext Transfer Protocol (HTTP)
requests.
web service
A self-contained, self-describing modular
application that can be published,
Glossary
105
106
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
Index
A
accessibility x
attribute collection service
configuration
application login page 34
JavaScript functions 34
session attributes 34
definition 4, 32
JavaScript functions
deleteSession() 32
getLocation() 32
sendSession() 32
request types
DELETE 32
GET 32
POST 32
session attributes 32
attribute comparison 38
attribute matchers
configuration 35, 78
custom matchers 43
default attribute matcher 38
definition 38
exact matcher 38
IP address matcher
configuration 40, 78
properties for configuration 78
location matcher
configuration 39, 78
properties for configuration 78
login time matcher
configuration 42
properties for configuration 78
attribute weights
configuration 35
attributes
behavior 23, 37, 73
configuration 35, 78
device fingerprint 23, 37, 73
dynamic creation 23
manageRbaRiskProfile command 73
response file 76
persistence 37, 73
policies 85
properties for configuration 78
risk profiles 85
session 23, 37, 73
session attributes
manageRbaSessions command 77
storage 37, 73
weights 35
attributes from HTTP headers
configuration 35
audit
configuration 59
definition 59
enabling 59
logs
file name 59
format 60
location 59
© Copyright IBM Corp. 2012, 2013
audit (continued)
logs (continued)
maximum number 59
maximum size 59
runtime security services external
authorization service (EAS) 59,
60
sample 60
settings 59
authorization policy
configuration 49
creation 49
language 46, 48
properties for configuration 49
rules 46, 48
sample 48
script 46, 48, 49
C
commands
manageRbaConfiguration 63
response file 68
manageRbaDevices 68
manageRbaPolicy 70
response file 73
manageRbaRiskProfile 73
response file 76
manageRbaSessions 77
configuration
application login page 34
attribute collection service 19, 34
attribute matchers 23, 35, 39, 40, 42
attribute weights 35
attributes 19
manageRbaRiskProfile
command 73
manageRbaSessions command 77
session attributes 77
attributes from HTTP headers 35
audit logs 59
database 10, 11, 19
database schema 10, 11
device
fingerprint 68
manageRbaDevices command 68
registration 68
hash algorithm 19, 45
IP address matcher 35, 40
location matcher 35, 39
login time matcher 35, 42
logs 19
logs and traces, enabling 20
manageRbaConfiguration command
response file 68
number of devices per user 58
policies
manageRbaPolicy command 70
policy 19, 49
properties
attribute matchers 78
configuration (continued)
properties (continued)
attributes 78
database 78
IP address matcher 78
location matcher 78
manageRbaConfiguration
command 63
runtime security service 78
session 78
risk profile 23
risk score calculation 35
risk-based access policy 49
RTSS EAS in WebSEAL 27
runtime security services external
authorization service (EAS) 19, 29
session attributes 23, 35
manageRbaSessions command 77
traces 19
verification 21
weights of attributes 23, 35
manageRbaRiskProfile
command 73
consent-based device registration 55
configure 56
sample policy 55
custom matchers 43
D
database
configuration 10, 11, 78
properties for configuration 78
default attribute matcher 38
deployment 14
device
consent-based registration 55
fingerprint 55, 68
manageRbaDevices command 68
registration 55, 68
number of devices per user 58
one-time password 21
secondary challenge 21
silent 21
silent registration 55
Device fingerprint 23
E
EAS messages
language support 13
education x
exact matcher 38
external authorization service (EAS)
logs and traces, enabling 20
risk-based access 26
rtss-eas stanza 29
runtime security services external
authorization service (EAS) 26, 29
107
External authorization service (EAS)
definition 4
online (continued)
terminology ix
G
P
glossary
99
H
hash algorithm
configuration
45
I
IBM
Software Support x
Support Assistant x
installation
deployment 14
prerequisites 10
procedure 12
software requirements 9
IP address matcher
configuration 35, 40, 78
properties for configuration
78
L
language support 13
list registered devices 21, 68
location attributes
attribute collection service 32
location matcher
configuration 35, 39, 78
properties for configuration 78
login time matcher
configuration 35, 42
logs and traces, enabling 20
M
manageRbaConfiguration command 63
deploy 14
response file 68
undeploy 16
manageRbaDevices command 68
manageRbaPolicy command 70
response file 73
manageRbaRiskProfile command 73
response file 76
manageRbaSessions command 77
messages
EAS
language support 13
N
number of devices per user
configuration 58
O
online
publications
108
ix
policies
attributes 85
manageRbaPolicy command 70
response file 73
policy
configuration 49
creation 49
generation language 46, 48
properties for configuration 49
risk-based access 46, 48
rules 46, 48
sample 48
script 49
Policy administration point (PAP)
definition 4
Policy decision point (PDP)
definition 4
Policy enforcement point (PEP)
definition 4
Policy information points (PIPs)
definition 4
prerequisites 10
problem-determination x
properties
attribute matchers
IP address matcher 78
location matcher 78
attributes 78
configuration 78
database 78
manageRbaConfiguration
command 63
response file 68
runtime security service 78
sessions 78
publications
accessing online ix
list of for this product ix
R
Representational State Transfer (REST)
service
attribute collection service 32
response file
manageRbaConfiguration
command 68
manageRbaPolicy command 73
manageRbaRiskProfile command 76
risk profile
configuration 23
risk profiles
attributes 85
Risk score calculation 23
risk-based access
architecture 4
business scenarios 3
components 4
configuration 19
verification 21
database 10, 11
risk-based access (continued)
definition 3
deployment 14
features 4
getting started 1
installation 12
logs 20
overview 3
functional 4
process 6
runtime security services external
authorization service (EAS)
definition 26
sample configuration 29
schema 10, 11
traces 20
transaction flow 6
troubleshooting 17
uninstallation 16
risk-scoring engine
definition 4
rtss-eas stanza
sample configuration 29
runtime security service
configuration 78
properties for configuration 78
runtime security services
logs and traces, enabling 20
runtime security services external
authorization service (EAS)
definition 26
risk-based access 26
rtss-eas stanza 29
sample configuration 29
S
sample
audit logs 60
consent-based registration 55
generation language for policy 48
policy 48
risk-based access policy 48
rules for policy 48
runtime security services external
authorization service (EAS)
rtss-eas stanza 29
runtime security services external
authorization service (EAS) audit
records 60
script 48
silent registration 55
Scenarios
Risk score calculation 23
schema
database 10, 11
database schema 10, 11
session
configuration 78
properties for configuration 78
session attributes
attribute collection service 32, 34
configuration 35
location attributes 32
manageRbaSessions command 77
web browser attributes 32
silent device registration 55
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
silent device registration (continued)
sample policy 55
software requirements 9
T
terminology ix
tfimcfg 27
training x
troubleshooting x
known issues 17
location attributes
workarounds 17
17
U
uninstallation
16
W
web browser attributes
attribute collection service 32
WebSEAL
configuring RTSS EAS 27
default configuration file 26, 29
policy enforcement point (PEP)
runtime security services external
authorization service (EAS) 26
risk-based access 26
runtime security services external
authorization service (EAS) 26, 29
weights
manageRbaRiskProfile command 73
response file 76
weights of attributes
configuration 35
Index
109
110
IBM Tivoli Federated Identity Manager: Installation, Configuration, and Administration Guide for Risk-Based Access
Printed in USA
SC27-4445-02

advertisement

Key Features

  • Dynamic risk assessment
  • Access decision and enforcement
  • Behavioral and contextual data analytics
  • Risk score calculation
  • Policy rules for access control
  • Device registration & management
  • Integration with IBM Tivoli Access Manager
  • Command-line interface for configuration
  • Extensible architecture for custom attributes
  • WebSphere Application Server integration

Frequently Answers and Questions

What is IBM Tivoli Federated Identity Manager 6.2.2.7?
It is a software component for IBM Tivoli Federated Identity Manager which provides access decision and enforcement based on a dynamic risk assessment of a transaction. It analyzes behavior and contextual data to calculate risk.
How does this software improve security?
It uses a risk score, calculated based on multiple attributes, to determine if access should be allowed, denied, or require additional authentication. This helps to mitigate threats from stolen credentials or unusual access patterns.
What are some use cases for this tool?
It is useful for securing access to sensitive information, managing access from remote locations and mobile devices, and enforcing stricter authentication based on user behavior and device context.
How are user devices registered and associated with user credentials?
You can configure risk-based access to silently register devices used by users or require explicit consent. Registered devices are linked with user credentials for more secure access.
Does this software integrate with other IBM products?
Yes, it integrates with IBM Tivoli Access Manager for e-business, providing a comprehensive security solution. You can use the command-line interface to manage policies and attributes within the WebSphere Application Server framework.

Related manuals

Download PDF

advertisement