First published by IBM developerWorks at http://www-106.ibm.com/developerworks/ibm/library/i-tivoli/
All rights retained by IBM and the author.
Introduction
Web portals centralize access to information, applications, and services for employees, customers, or partners. Web portals deliver a consolidated view that lets users access the most important electronic resources of the organization using a standard technology (a browser), simply and efficiently. Portals are often called the "desktop" for Web-based business.
Security, or the portal's ability to authenticate users and authorize access to the Web resources, has generally not been designed into the portal products. Security has been a late addition to existing products without the strength or flexibility many organizations require. Consequently, the quality of security services provided with enterprise portals rests in the degree of integration between the portal service and an enterprise security product.
Access Manager is an enterprise-level security product that provides a single point-of-user authentication and authorization administration. Its Web single sign-on makes it a player in the Web world. Access Manager provides a single point of authentication and authorization to Web-based resources, and provides standards-based APIs that allow Web application servers to access Access Manager's security services.
In this article, we outline the functions of Web portals and Access Manager, and discuss the general integration of Access Manager with Web based products by using its reverse Web proxy and security APIs. I then specifically address IBM WebSphere Portal Server (WPS), and outline the integration points of WPS with Access Manager.
Web portals
Organizations deploy a Web portal to give employees, partners, and customers easy access to the complete range of information and services in an organization, such as
- Documents
- Enterprise applications
- e-business
- Internet services
Employees, partners, and customers can also collaborate through a portal, yielding important business and technical information resources.
Many products are touted as being Web portals. The important distinction is that a Web portal can provide a single view of a range of information sources rather than being specific to a particular application or technology. Some products labeled as Web portals only provide access to specific vendor applications or services. These can be used to consolidate some information sources, but miss the target on providing a single consolidated view of all information sources an organization uses. Essentially, a Web portal authenticates a user and then queries a range of information sources to assemble and consolidate the view of information and services. This view can be customized for the individual, so users can personalize the delivery of information sources that are important to them.
Security for the Web portal falls into two service areas:
- Web single sign-on: When users first enter a portal, they're prompted to provide authentication information that lets the Web portal verify the identity of the user. Authentication is usually based around username and password, although other mechanisms, such as token based or biometric authentication, are also available.
- Authorization: Determining what resources an authenticated user can access. For example, a customer may only be able to access e-business applications from the Internet, whereas an employee might be able to also access corporate applications from the Internet.
In general, Web portals have focused on providing content consolidation and ease of access, and strong security is best provided by integration with security products.
Access Manager
Access Manager is a robust and secure policy management tool for e-business and distributed applications. It addresses the challenges of escalating costs for e-business security, growing complexity of enterprise security solutions, and the inability to implement security policies across platforms. Through its highly available centralized authorization service, Access Manager enables better management of business-critical distributed information. It provides simple, secure access to critical information, and enhances communications with customers, business partners, and others. Figure 1 shows the facets of Access Manager.
Access Manager provides authentication and access control services for Web resources. The WebSEAL server, a component of Access Manager, manages access to all Web servers, regardless of their platforms. This allows an organization to centrally control their Web resources as a single, logical Web space. Access Manager also adds security support for CORBA applications written with Visibroker or Orbix object request brokers (ORBs). Access Manager is also the backbone for Tivoli Privacy Manager, an access control product that helps implement e-business privacy policies.
For applications developed in-house, Access Manager also provides application APIs that give access to its services. Access Manager supports the J2EE standard Java Authentication and Authorization Service (JAAS) to allow native Java applications to access Access Manager for authorization decisions. Access Manager also provides an implementation of the Open Group's standard authorization C-language API (azn-API) to let applications that want to call out to a C API use the Access Manager authorization and entitlements services. Access Manager provides a robust Web-based delegated security administration utility that lets administrators delegate security administration to members of their e-community.
