Test 000-596: IBM Security Access Manager for Enterprise Single Sign-On V8.2 Implementation

Tab navigation

Section 1:Planning

Given access to the customer, their hardware, applications, and policies, collect and analyze the customer requirements so that a solution document is created.
With emphasis on performing the following tasks:
1. Arrange a kick-off meeting with stakeholders.
2. Interview the appropriate personnel.
3. Review the security infrastructure of the customer.
4. Identify and understand customer's Single Sign-On (SSO) requirements.
  1. Determine key objectives for enterprise SSO project.
  2. Collect the list of applications to be included in project.
  3. Analyze the customer's environment.
5. Determine the secrets for passwords.
6. Identify the auditing requirements.
7. Create a solution document.
Given the topology of the client network (number of PCs, subnets, etc), the number of users and the network link capacity, measure the network performance and analyze IBM Security Access Manager for Enterprise Single Sign-On V8.2 (ISAM ESSO)'s impact on the environment so that an estimate of the maximum network bandwidth consumed is available.
With emphasis on performing the following tasks:
1. Identify the most active period of time when users tend to log into ISAM ESSO.
2. Identify replication bandwidth requirement for clustered databases distributed geographically if needed.
3. Estimate the number of users involved.
4. Estimate the size of their wallets by taking into account the number of accounts stored, number of profiles, etc.
5. Estimate the average number of automatic fill of credentials that are done over the same period.
6. Identify the synchronization interval.
7. By using this information, generate an estimate of the maximum network bandwidth consumed.
Given the customer's environment, explain the solution architecture so that a solution document with minimum hardware and software requirements for the solution is created.
With emphasis on performing the following tasks:
1. Arrange a meeting with customers.
2. Explain the use of LDAP or AD.
3. Explain the type of information stored and managed by the database.
4. Explain the functionality of the IMS Server.
5. Explain the purpose of the TIM AD adapter.
6. Explain the Tivoli Common Reporting tool.
7. Explain the purpose of Load Balancer.
8. Explain several administration tools that an administrator can use for different purposes (AccessAdmin, AccessAssistant, AccessStudio).
9. Explain where the AccessAgent has to be installed and the purpose.
10. Explain the single sign-on and automation workflows which are accomplished through AccessStudio.
11. Explain the minimum hardware and software requirements for each component including supported clients.
12. Explain the Virtual Appliance solution.
13. Explain any consideration regarding network requirements for supported clients and supported servers.
14. Explain types of desktop applications supported.
15. Explain supported Web browsers.
16. Explain supported thin clients
17. Explain how ESSO can be used with other Tivoli products for provisioning purposes.
18. Create a document with minimum hardware and software requirements for the solution.
Given access to the customer applications, collect and analyze the customer application requirements so that application profile checklist/document is created.
With emphasis on performing the following tasks:
1. Arrange a kick-off meeting with stakeholders.
2. Get a representative desktop and application list.
  1. Review the customer applications in scope.
  2. Identify and understand customer's specific application requirements.
  3. Determine which applications are Web, Windows, mainframe, Java, others.
  4. Determine which applications password change workflow is required.
  5. Determine password policies for each application.
  6. Determine if any applications share authentication services.
  7. Identify any potentially "challenging" applications. #Identify mechanisms and personnel for password resets/expiry.
3. Obtain or create credentials on the applications for testing purposes.
4. Create an application profile checklist/document.
Given access to the customer's test servers, applications, and test credentials, and ISAM ESSO installers, collate the data so that the components of the staging environment are determined and documented.
With emphasis on performing the following tasks:
1. Identify test server, test workstations, AccessAgent, AccessStudio, and ISAM ESSO software.
2. Identify test applications that should be installed on the test workstations.
3. Identify test user accounts.
  1. Verify which accounts to use for ISAM ESSO administrator account.
  2. Verify which accounts to use for ISAM ESSO lookup account.
  3. Verify which accounts to use for ISAM ESSO user accounts.
  4. Verify which accounts to use for ISAM ESSO databases account
  5. Verify which accounts to use for application profile creation/testing.
4. Determine hostname/URL to be used for staging IMS Server.
5. Identify the database to be used and obtain valid database credentials.
6. Identify the directory server to be used and obtain valid credentials.
7. Create a staging environment document.
Given access to the customer's SSO project manager, their hardware, network administrator, and an estimate of the maximum network bandwidth consumed, determine High Availability (HA) and load balancing environment requirements so that a HA design document is created.
With emphasis on performing the following tasks:
1. Arrange a meeting with SSO project manager, Enterprise n/w Administrator and Infrastructure personnel.
2. Collect information on existing network bandwidth and usage statistics and load infrastructure existing in the customer environment.
3. Collect information needed to estimate hardware sizing for HA.
  1. Collect peak hour traffic estimates for One Time Password login and AA logins/secondDetermine peak installation and user sign-up rates
  2. Collect IMS database utilization and clustering requirements
  3. Collect load balancing architecture requirements
4. Size hardware requirements for HA.
5. Architect HA solution for ISAM ESSO components.
6. Create a HA design document.
Given access to the AA installer, the domain controller, client machine and a network share accessible to all clients, create an AA Installation Group Policy Object (GPO) and deploy it to the client machines.
With emphasis on performing the following tasks:
1. Review the Active Directory infrastructure.
2. Modify the Setup help .ini file.
3. Modify the installer package according to the customer requirements.
4. Create a new GPO or identify an existing GPO to setup for AA Installation.
5. Configure changes to the GPO.
6. Verify connectivity between clients and IMS Server (80 and 443).
7. Install the agent and add the client machine into the scope of this GPO.
8. Verify the agent was installed.
9. Restart the client machine.
Given the business requirement document, determine a windows session management strategy so that a deployment recommendation for session management in the customer environment is created.
With emphasis on performing the following tasks:
1. Review the security infrastructure of the customer.
2. Identify and understand customer's session management requirements.
  1. Determine system hardware so appropriate policies can be implemented.
  2. Determine key objectives for shared/roaming and personal workstation.
  3. Collect the usage of fast user switching in the environment.
  4. Collect the usage of kiosk environment.
  5. Collect the second factor authentication information.
3. Create the windows session management strategy document.
Given the authentication mechanisms, IMS deployment, second factor options and access to customer's authentication requirement, determine a strong authentication strategy so that a strong authentication strategy is documented.
With emphasis on performing the following tasks:
1. Analyze customer's authentication requirements.
2. Identify required authentication setup.
3. Identify the second factor(s) to use, if applicable
4. Identify and Validate appropriate reader for second factor authentication, if applicable.
  1. Identify the readers that are available, compatible and supported with the ISAM ESSO environment being deployed.
  2. Validate the readers that are identified as compatible and supported with the ISAM ESSO environment being deployed.
  3. Document the list of readers to be considered for deployment.
5. Document the strong authentication strategy.
Given customer requirements, determine need and identify resources for any integration with ISAM ESSO API so as to define an integration strategy (if needed).
With emphasis on performing the following tasks:
1. Determine whether any customer requirements need integration with ISAM ESSO API.
2. Identify the ISAM ESSO API that can meet the requirement (e.g. ISAM ESSO Provisioning API).
3. Define and document the strategy and provide implementer (possibly self) information/documentation needed to implement the integration.
Given requirements for upgrade, analyze the existing ISAM ESSO environment so that an appropriate upgrade strategy is created.
With emphasis on performing the following tasks:
1. Identify existing infrastructure that will be affected by the upgrade.
2. Identify key stakeholders in upgrade.
3. Identify what, if any, new features will be implemented with the upgrade
4. Identify ISAM ESSO downtime during upgrade.
5. Determine upgrade steps.
6. Create update strategy document containing above information with a notification plan.

Section 2:Installation

Given the IBM Security Access Manager for Enterprise Single Sign-On V8.2 (ISAM ESSO) server architecture requirements, set up the middleware components so that the IMS Server is installed successfully.
With emphasis on performing the following tasks:
1. Verify the operating system prerequisite and free disk space have been met.
2. Install WebSphere Application Server according to documented server architecture.
3. Install IBM HTTP Server and plug-ins.
4. Configure IHS as a front end to WebSphere Application Server.
5. Test communication of connections between HIS and WebSphere Application Server.
6. Document configuration.
Given the ISAM ESSO server installer, set up the server component so that the IMS Server is installed successfully.
With emphasis on performing the following tasks:
1. Verify the IMS prerequisites.
2. Run the installer of the server.
3. Configure the enterprise directory and database instance details during the installation.
4. Verify that IMS application components have been mapped to servers.
5. Verify the IMS Server is installed on the system.
6. Document installation parameters in the Planning Worksheet.
Given the ISAM ESSO IMS application has been installed, upgrade ISAM ESSO so that the IMS Server has been upgraded successfully.
With emphasis on performing the following tasks:
1. Upgrade from a existing ISAM ESSO server WAS Standalone server.
  1. Upgrade the IMS Server setting.
  2. Restart the WebSphere Application Server.
  3. Update the ISAM ESSO IMS module mapping.
  4. Restart the WebSphere Application Server.
  5. Verify if the upgrade is successful.
2. Upgrade from a existing ISAM ESSO server WAS network deployment.
  1. Start the WebSphere Application Server Deployment Manager.
  2. Install the IMS Server on the deployment manager.
  3. Stop the nodes.
  4. Upgrade the IMS Server setting.
  5. Restart the WebSphere Deployment Manager.
  6. Update the ISAM ESSO IMS module mapping.
  7. Overide session management for ISAM ESSO IMS.
  8. Sync the nodes.
  9. Restart the cluster.
3. Upgrade to a new server.
  1. Prepare all middleware for the new ISAM ESSO IMS Server version 8.2.
  2. Prepare and install the new IMS Server with the installer for an upgrade.
  3. Install and deploy the IMS Server to WebSphere® Application Server with the IMS Server installer.
  4. Stop the node agent and server on the new server installation
  5. Export the current configuration and import into new server.
  6. Run the IMS Configuration Wizard to upgrade the IMS Server settings.
  7. Configuring the IMS Server to use directory servers.
  8. Configure the SSL Certificates after an updates on the IBM HTTP Server.
  9. Verify if the upgrade is successful.
Given the new AccessAgent and AccessStudio installer, a test workstation, customer requirement ,and an existing IMS Server, set up the client workstations or endpoints so that the new AccessAgent and AccessStudio are installed successfully.
With emphasis on performing the following tasks:
1. Upgrade AccessAgent.
  1. Prepare custom scripts that the installer runs before and after upgrading the AccessAgent.
  2. Upgrade the AccessAgent directly or with prepackaged installer on designed client computers.
2. Upgrade the AccessStudio.
  1. Uninstall the existing AccessStudio 8.x.
  2. Install the AccessStudio on designated client computers.
3. Verify a successful upgrade is completed on each server and client component to ensure that the upgrade is complete and it works.
Given configured and available database, directory server, and virtual server environment, deploy a virtual appliance containing configured software prerequisites with the IMS Server in a single virtual image so that the Virtual Appliance running successfully.
With emphasis on performing the following tasks:
1. Extract and deploy the virtual appliance on VMware ESXi.
2. Activate and configure the virtual appliance.
3. Provision the IMS Server administrator.
4. Verify the IMS Server configuration.
5. Replicate the virtual appliance deployment and configuration, for High Availability (optional).
Given a test workstation, customer requirement, an existing IMS Server and client communication via IMS Server hostname, install ISAM ESSO AccessAgent on the workstation with the required configurations so that the AccessAgent is installed successfully on test workstation.
With emphasis on performing the following tasks:
1. Verify the operating system prerequisite and free disk space on test workstation.
2. Ensure that the workstation will get the correct machine policy template as defined by the requirements.
3. Ensure that an AccessAgent installer package is available and has been customized for the deployment.
4. Ensure that second factor hardware is configured and connected, if needed.
5. Install the AccessAgent software
  1. On the workstation run AccessAgent installer package.
  2. Restart workstation.
  3. Verify connectivity with the IMS Server.
6. Document procedure used to do install.
Given a test workstation, customer requirement, user with administrative role, and an existing IMS Server, install ISAM ESSO AccessAgent on the workstation with the required configurations.
With emphasis on performing the following tasks:
1. Verify the operating system prerequisite and free disk space.
2. Verify AccessAgent connectivity to IMS Server.
3. Install the Access Studio software.
  1. On the workstation run Access Studio installer package.
  2. Restart workstation.
  3. Verify Access Studio is installed on the system.
4. Verify connectivity with the IMS Server.
5. Document procedure used to do install.
Given an installed ISAM ESSO system and the Tivoli Common Reporting (TCR) installer, set up TCR so that the Administrator View Reports for ISAM ESSO activities is available.
With emphasis on performing the following tasks:
1. Install the TCR.
2. Install reporting tool with proper database parameter.
3. View reports.
4. Document installation parameters in the Planning Worksheet.

Section 3:Configuration

Given an enterprise directory, implement the directory integration between IBM Security Access Manager for Enterprise Single Sign-On V8.2 (ISAM ESSO) and the enterprise directory structure.
With emphasis on performing the following tasks:
1. Obtain relevant access to manipulate the Enterprise Directory Structure by IMS Server.
2. Identify Enterprise Directory Servers to be used.
  1. Verify connectivity from IMS Server.
  2. Verify credentials are functional.
3. Configure the enterprise directory by using Enterprise Directory Configuration Utility.
  1. Choose the type of directory to be connected with.
  2. Supply Authentication settings.
  3. Supply Attribute settings.
  4. For Active Direcotry deployments, enable "AD password sync" where appropriate.-If SSL not being used, Install and configure AD Agent on Domain Controller.-If SSL in use configure settings as appropriate.
4. Test the enterprise directory.
5. Document procedure and settings used.
Given the prerequisites for databases, prepare the database so that the database is ready for IMS Server installation.
With emphasis on performing the following tasks:
1. Identify customer database requirements.
2. Prepare the database for the IMS Server installation.
3. Verify the network connection between the IMS Server and the database server if those are in different workstation or servers.
4. Obtain relevant access to create the DB instance to be used by IMS Server.
5. Determine the path of the database (where it is installed).
6. Synchronize the system clocks if IMS database and IMS Server would be running on different machines.
Given a running IMS Server, run the IMS Configuration Utility so that the IMS Server is configured.
With emphasis on performing the following tasks:
1. Open the IMS Configuration Utility.
2. Set up new or upgrade a existing IMS Server.
3. Enter data source information.
4. Create IMS DB Schema if new.
5. Choose DB type.
6. Configure DB connection info.
7. Provide root Certification Authority (CA) details.
8. Configure IMS services URL.
9. Configure enterprise directory.
Given customer strong authentication requirement and ISAM ESSO second factor supported options, configure strong authentication for second factor so that strong authentication for second factor can be implemented
With emphasis on performing the following tasks:
1. Identify the second factor(s) to be configured.
2. Ensure that second factor hardware is available and connected, if needed
3. Ensure that the drivers for second factor hardware are installed on server or client, if needed.
4. Install any third party components required for second factor support prior to AccessAgent install.
5. Verify hardware and software for second factor(s) are set up properly.
6. Configure a strong authentication for second factor setup.
7. Test the configuration according to use cases.
Given the organization security policy, configure the IMS system policy so that IMS system policy is configured successfully.
With emphasis on performing the following tasks:
1. Review the default system policy settings.
2. Modify the default system policy settings according to customer requirements through AccessAdmin.
3. Wait for the system policy to be replicated on to the agent.
4. Verify IMS Server policy is configured successfully.
5. Document parameters in the Planning Worksheet.
Given an installed IMS Server, implement machine policies for workstations so that ISAM ESSO now has workstation policies available for assignment.
With emphasis on performing the following tasks:
1. Identify Workstation types based on customer requirements.
2. Configure identified workstation policies.
3. Configure identifying attribute for each policy.
4. Wait for the system policy to be replicated on to the agent.
5. Test policy configuration on test workstation.
6. Document parameters in the Planning Worksheet.
Given the organization security policy, configure the IMS user policy so that IMS user policy is configured successfully.
With emphasis on performing the following tasks:
1. Review the default user policy setting.
2. Modify the default user policy setting according to the customer requirements through the Access Admin.
3. Verify the IMS user policy is configured successfully.
4. Test policy configuration on test workstation.
5. Document parameters in the Planning Worksheet.
Given the requirements for ISAM ESSO IMS Server integration with a provisioning system, and installed IBM Java 1.5 or above, implement the provisioning bridge so that the user provisioning workflows are implemented successfully.
With emphasis on performing the following tasks:
1. Identify the minimum requirements for both, the provisioning system and IMS Server that can integrate with the IMS.
2. Create an IMS Bridge account at IMS for use by the provisioning bridge.
3. Configure a key store for the IMS provisioning bridge on the Provisioning Server.
4. Configure the IMS provisioning bridge (to point to right key-store and IMS, etc).
5. Test the system for successful integration with the provisioning bridge.
6. Document parameters in the Planning Worksheet.
Given the ISAM ESSO solution and installed IBM Java 1.5 or above, implement the provisioning agent so that the provisioning agent is implemented on the customer environment.
With emphasis on performing the following tasks:
1. Identify the minimum requirements for both the provisioning system and IMS Server that can integrate with the IMS.
2. Create the ISAM ESSO Adapter.
3. Create an IMS Bridge account at IMS for use by the provisioning bridge.
4. Configure SSL between ITDI and IMS Bridge.
5. Configure the IMS provisioning bridge.
6. Configure workflow extension/operations.
7. Create/Configure ISAM ESSO service instance.
8. Test the system for successful integration with the provisioning bridge.
Given access to the solution document and customer's ISAM ESSO environment on a test workstation, configure workstation usage workflows so that the desired workstation usage workflows are created.
With emphasis on performing the following tasks:
1. Configure usage workflows for personal workstation.
2. Implement personal workstation lock, unlock, logon and logoff scripts - if needed.
3. Configure usage workflows for private desktop.
4. Implement shared shared desktop lock, unlock, logon and logoff scripts - if needed.
5. Implement shared private desktop lock, unlock, logon and logoff scripts - if needed.
6. Configure usage workflows for roaming desktop.
7. Implement roaming desktop for Citrix/TS environment.
Given access to the requirement analysis document and customer's ISAM ESSO environment, define the machine policy templates and assignments so that the desired Machine Policy Template with assignments is created.
With emphasis on performing the following tasks:
1. Create new Machine Policy Templates based on customer requirements.
  1. Configure initial system settings for sign up and self-service.
  2. Configure Authentication policy (based on second factors).
  3. Configure Wallet policy.
  4. Configure Signup policy .
  5. Configure Shared Workstation and Desktop type policies.
  6. AccessAgent policy for Citrix or Terminal Server.
  7. Configure RFID logon.
  8. Configure Hybrid smart card logon.
  9. Create the rules for assignment.
2. Select one of the new Machine Policy Template as the default policy to be used.
3. Change the template assignment of existing machines if reassignment is required.
Given a functional IMS Server and client requirements for the thin client, deploy the corresponding thin client solution so that a working thin client system (Citrix Server) with published applications enabled.
With emphasis on performing the following tasks:
1. Analyze customer requirements and determine the type of remote server (Terminal server or Citrix).
2. Define and update the Citrix and Terminal Server Machine Policy Template to the Citrix or Terminal Server.
3. Develop a virtual channel connector to deploy single sign-on and authentication services on a Citrix Server.
4. Install AccessAgent on the remote server and ensure it is configured as a shared single session workstation.
5. Set the server's AccessAgent policies.
6. Enable port redirection and mapping if using RFID.
7. Test the published application for Single Sign-on (or other automation) on Citrix.
8. Document parameters in the Planning Worksheet.
Given access to customer's audit requirement, configure and generate the audit logs so that the Audit log report is created.
With emphasis on performing the following tasks:
1. Search or define custom audit logs to be generated by the agents, if necessary.
2. Configure the audit log events listed on the server interface.
3. Define audit log event generation conditions.
  1. Select the search criteria for audit logs.
  2. Define the specific duration for which the audit logs are required and generate the report.
4. Use published log database schema to generate reports using an external reporting tool, if necessary.
5. Print the Audit log report.
Given access to customer's audit requirement, configure and view the audit logs and customize it to the appropriate Audit report.
With emphasis on performing the following tasks:
1. Obtain support version of Tivoli Common Reporting utility.
2. Define audit report type and custom audit logs to be generated by the server, if necessary.
3. Configure the audit report content listed on the server interface.
4. Determine and define audit report generating criterion.
  1. Select the search criteria for audit reports.
  2. Define the specific duration for which the audit reports are required and generate the report in support format and language.
5. Use published log database schema to generate reports using an external reporting tool, if necessary.
6. Print the Audit log report.
Given the customer requirements, customize ISAM ESSO so that the requirements are met and the system can be implemented successfully.
With emphasis on performing the following tasks:
1. Customize the ISAM ESSO IMS Server.
  1. Modify the IMS configuration settings to address requirements such as enterprise directories to be integrated (SSL or non-SSL connection), AccessAdmin user interface customizations, housekeeping, etc.
  2. Install any required TAM or TIM adapters for ISAM ESSO Wallet manager provisioning or AD for SSL connection with the AD enterprise directory, if necessary.
  3. Ensure the ISAM ESSO IMSConfig and ISAM ESSO IMS WebSphere Enterprise Application service is running. Run through the Setup Assistant on AccessAdmin to configure the default user policy template, machine policy templates and assignments and system policies.
  4. Review the system policies, machine policy templates (and assignments) and user policy templates (and assignments). Create new ones if needed.
  5. Review and create the required saved Audit searches.
2. Customize the ISAM ESSO AccessAgent Package.
  1. Review and make changes to the package based on GINA, Logon Banner, IMS Server fully qualified domain name (FQDN), etc. requirements in the INI file.
  2. Review and make changes to default registry settings in the deployment options registry file.
  3. Add in any files or scripts to be distributed with the installer in the Config folder.
  4. Review and make changes to the MSI installer file based on software distribution mechanism.
  5. Install any third party components required for second factor support prior to AccessAgent install.
  6. Set up any thin client solution components required for the customer prior to AccessAgent install
3. Develop and customize the ISAM ESSO AccessProfiles.
  1. Review the application screens and SSO workflow requirements for each application and profile them accordingly.
4. Test the customizations and obtain the customer's sign off.
5. Document parameters in the Planning Worksheet.
Given the requirements for an application's authentication to be augmented using ISAM ESSO One Time Password (OTP) functionality, implement a solution so that the OTP authentication by using third-party token requirements is addressed.
With emphasis on performing the following tasks:
1. Configure the IMS Server to enable OTP (time-based, OATH-based OTP, OTP by VASCO) for the authentication service to be strengthened.
2. Configure OTP settings and install OTP token support on the IMS via WebSphere.
3. Configure RADIUS authentication for the application (server) whose authentication service is to be strengthened.
4. Configure to enable users sign up (registration) through AccessAdmin.
5. Define necessary Authentication policies and configure Authentication modes to support OTP options via AccessAssistant.
6. Set the ActiveCode enabled bindings for each token user.
7. Set the requisite User and System policy settings.
8. For OATH based OTP tokens, set the OATH look-ahead number and token reset window.
9. Configure the bypass option for OTP authentication for AccessAssistant and Web Workplace Policies in the system scope.
Given the requirements for an application's authentication to be augmented using ISAM ESSO Mobile Active Code functionality, implement a solution so that the MAC authentication requirements are addressed.
With emphasis on performing the following tasks:
1. Enable MAC support by configure MAC settings on the IMS Server.
2. Configure the IMS Configuration Utility to define settings for the ActiveCode deployment including Allowed ActiveCode client IPs, the IMS Server address, OTP token reset window, enable the MAC-only registration of users, set to true.
3. Configure an existing or SMTP message connector on the IMS Server for the selected MAC delivery channel. (Or develop a new message connector).
4. Configure and set up the Authentication service. This is to configure the IMS Server's RADIUS Authentication interface if the application supports RADIUS authentication.
  1. Configure the Application's Authentication Server to perform RADIUS authentication with the IMS's RADIUS server.
  2. Configure the Application's Server to direct the client to display the MAC challenge screen on first authentication step success.
  3. Customize the Application's client user interface to show appropriate messaging on the MAC challenge screen.
  4. Set the selected user whom will utilize MAC authentication.
5. For non-RADIUS authentication supporting applications.
  1. Customize the application logon interface to include a request for MAC or provide a separate MAC request page.
  2. Develop a SOAP client with the ability to make authentication calls and MAC request calls to the IMS.
6. Configure the AccessAssistant and Web Workplace policies to use MAC.
  1. Configure necessary system policies.
7. Configure the machine, system and user-related policies to employ MAC in AccessAdmin.
8. Configure MAC options for selected users.
9. Configure a bypass option for MAC authentication.
Given access to the Solution Document, customer's ISAM ESSO Environment and system policies, define the self-service functionality so that the self-service functionality is defined.
With emphasis on performing the following tasks:
1. Enable self-service functionality and set the corresponding policies required to authorize.
  1. Enable self-service password reset.
  2. Enable self-service second factor registration.
  3. Enable self-service for authorization code generation.
2. Test and deploy the self-service functionality.
3. Include the self-service definitions in the user policy templates.
Given a functional IMS Server and the customer requirements, configure user access to AccessAssistant so that AccessAssistant is configured.
With emphasis on performing the following tasks:
1. Configure AccessAssistant-related policies in user policy templates.
2. Configure AccessAssistant-related policies in system policies.
3. Test access for users.
4. Document parameters in the Planning Worksheet.
Given access to customer environment and business requirements, set policy priorities so that the policy priority is implemented.
With emphasis on performing the following tasks:
1. Analyze customer's policy requirements.
2. Determine the scope of the policy (such as Machine, User or System policy)..
3. If a policy is defined for two scopes, define which takes higher priority.
4. Execute the command-line tool to modify the policy priorities.
Given the customer requirements regarding application screens and workflows (Application Design Document) and an existing AccessProfile, modify an existing AccessProfile so that each application can be profiled successfully to meet the requirements.
With emphasis on performing the following tasks:
1. Determine the modifications required in order to make the existing AccessProfile work accordingly.
2. Determine details like Account Data Template, Authentication service (and groups), to be used in the AccessProfile.
3. Complete the Application Design Template based on the options determined.
Given an IMS Server installation and customer requirements, define additional IMS Server administrators and set up the roles for User, Helpdesk and Administrator so that the users have been assigned roles.
With emphasis on performing the following tasks:
1. Log on to the AccessAdmin as the administrator.
2. Search for users.
3. Select a user to change his role.
4. Open administrative policies.
5. Change the role user and update.
6. Assign default HelpDesk users through user policy templates.
7. Enable the automatic role assignment for large deployments if it is necessary.
  1. Run the IMS Configuration Utility. -Specify the attribute name and attribute value for automatic role assignment.-Restart the IMS Server.
Given end user availability, and functional AccessAgent and IMS components, utilize AccessAgent or AccessAssistant sign-up functionality so that users are successfully signed up with ISAM ESSO.
With emphasis on performing the following tasks:
1. Verify user account in directory server.
2. Verify default policy.
3. Sign up users with:
  1. The AccessAgent sign up process.
  2. AccessAssistant.
  3. External provisioning system.
Given customer requirements, IMS Server details, Tivoli Federated Identity Manager STS service, install, configure, and troubleshoot Web API's and security trust chain to enable credential management.
With emphasis on performing the following tasks:
1. Identify customer requirement for credential management.
2. Install and configure Web API's.
3. Install Tivoli Federated Identity Manager.
4. If Tivoli Federated Identity Manager and Web API are installed in different WebSphere Application Servers, enable SSL between the two WebSphere instances.
5. Deploy and configure security token service modules.
6. Configure Tivoli Federated Identity manager STS modules.
7. Testing the security trust chain.

Section 4:Administration

Given AccessStudio, administrative privileges on the IMS Server, access to applications and notification when applications are modified, the review and update the Accessprofiles so that they are always up to date and working correctly.
With emphasis on performing the following tasks:
1. Evaluate applications which are to be updated or changed to validate if the AccessProfile remains functional.
2. Test in a staging environment.
3. Deploy to production IMS Server once new profile is working correctly.
Given access to the solution document, the customer's ISAM ESSO environment and disaster recovery site, determine and establish a disaster recovery regime so that an effective failover to Disaster Recovery (DR) environment is achieved in the event of a failure in the production environment
With emphasis on performing the following tasks:
1. Determine failover and recovery criteria for ISAM ESSO components.
2. Determine backup and restore strategy for IMS database.
3. Set up DR environment in a separate site or location.
4. Test DR environment for failover situations.
5. Prepare DR Invocation document.
Given the IMS Server is up , review trace or audit logs and reports through the IMS , Tivoli Common Reporting (TCR) , and WebSphere so that audit logs and reports can be viewed by the Administrator.
With emphasis on performing the following tasks:
1. Search the audit logs based on the query.
2. Save the query for the audit logs.
3. Search the reports on the IMS Server based on user activity.
4. Search the reports on the TCR server based on user information, token, user information ,and Helpdesk activity.
5. Manage the reports based on the page size.
6. Enable trace logs on WebSphere
7. Review logs and trace logs on WebSphere.
Given IMS Server is up and running, maintain the IMS Server so that the IMS Server is maintained.
With emphasis on performing the following tasks:
1. Configure and manage system policy.
2. Configure and manage machine policy.
3. Configure and manage user policy.
4. Manage the roles of users and Helpdesk.
5. Manage Second Factors.
6. Provision, revoke, and delete the users.
7. Stop and start the services of IMS Server.

Section 5:Performance Tuning/Problem Determination

Given an existing ISAM ESSO installation, identify and implement measures for improving performance so that the server and client components perform at optimal levels.
With emphasis on performing the following tasks:
1. Identify and address opportunities for Improving Server performance, for example, configure the LDAP lookup timeout on a directory connector.
2. Identify and address opportunities for Improving agent performance, for example, performance may be tuned by removing unnecessary application proflies, lowering the log level, excluding AccessAgent installation folder from certain runtime scans, adjust the synch interval between client and server, adjust communication timeouts etc.
3. Identify and address opportunities for improving database performance, for example, log pruning, changing memory allocated to database, create indexes.
Given an issue with the ISAM ESSO IMS Server functionality, troubleshoot the server utilizing tools provided so that the issue can be identified.
With emphasis on performing the following tasks:
1. Identify that the problem at hand is an IMS Server issue, and obtain the result-code provided in the IMS error logs (or on the Status page in AccessAdmin).
2. Identify the cause of the specific error code in the diagnostics pages.
3. If the result-code is related to integration with the enterprise directory, utilize the enterprise directory troubleshooting capability provided by the diagnostics pages.
4. Identify the issue.
Given a ISAM ESSO installation with lost connectivity to the IMS Server, troubleshoot IMS connectivity issues so that the connectivity problem can be identified.
With emphasis on performing the following tasks:
1. Determine if the client machine is on the network.
2. Determine if certificates between the IMS and the agent are set up correctly.
3. Determine if an intervening firewall between the client machine and IMS Server.
4. Determine if any network configuration issue, such as DNS problems.
5. Determine if an intervening application protector between the client machine and IMS Server.
6. Determine if some personal firewall or anti-spyware is blocking traffic from winlogon.exe.
7. Determine if the registry settings are corrupted or configured incorrectly, if AccessAgent is pointing to the wrong IMS Server.
8. Check to see if agent machine can ping Web Server.
9. Check to see if the IMS Server is up and running (ping test, visual inspection, etc) .
10. Check to ensure the IMS application is running.
11. Try to "Set IMS Server Location" from a client workstation.
12. Identify the connectivity issue.
Given ISAM ESSO operation issues with users, computers or servers, recover from common user/computer situations so that the issue is resolved.
With emphasis on performing the following tasks:
1. Understand common issues affecting:
  1. Users, for example, user forgets password, user forgets key.
  2. Computers, for example, the user tries to log on to AccessAgent and unlock the computer but is unsuccessful.
  3. Servers, for example, IMS Server has crashed, database has crashed.
2. Start the appropriate recovery workflow.
3. Resolve the issue.
Given an AccessProfile that is not working as it should, review the logs and make changes so that the AccessProfile works correctly.
With emphasis on performing the following tasks:
1. From AccessStudio and import current AccessProfiles from the IMS Server.
2. Use the test function of AccessStudio.
3. Launch the application with AccessProfiles that you want to test.
4. Perform the relevant actions on the application (i.e. login) to verify if the AccessProfile is executed correctly.
5. Stop the test.
6. Review the results of the test provided in the Messages pane and make changes to the AccessProfile as required.
Given an existing ISAM ESSO installation, improve the Access Agent performance on Citrix server with Lightweight mode so that there is optimal server and client performance on Citrix environment.
With emphasis on performing the following tasks:
1. Identify and measure the performance overhead introduced by AccessAgent on Terminal/Citrix server, for example: memory consumption, network traffic, application loading time, AccessAgent response time.
2. Understand customer requirement and identify whether and which Lightweight mode can be deployed, for example: no lightweight mode, enforced lightweight mode, automatic mode.
3. Configure Lightweight mode on Terminal/Citrix server and verify performance improvement.

Register for a test

IBM at Prometric

Test 000-596: IBM Security Access Manager for Enterprise Single Sign-On V8.2 Implementation

Tab navigation

Register for a test

Content navigation

Related links