Skip to main content

 
Professional certification
 alt="" height="6"
  >  
Certifications

  >  
Test information

Test 876: IBM Tivoli Access Manager for e-business V6.0 Implementation


Overview Objectives alt="" height="1" width="30" Test Preparation

Section 1 - Planning

  1. Given a Security Analysis Document, produce product deployment recommendations that meet security requirements as verified via review cycles.

    2. With emphasis on performing the following steps:
    1. Interview administrators, users, and security team.
    2. Determine the type of user registry used for secure domain.
    3. Determine authentication mechanisms -- user IDs/passwords (basic or forms-based), certificates, SecurID tokens, or custom authentication mechanisms.
    4. Identify customization requirements such as External Authorization Services, External Authentication C API, Policies etc).
    5. Identify auditing and logging requirements.
    6. Determine account and password management rules.

  2. Given Access Manager for e-business (AMeB) deployment recommendations and the customer's current network configuration, define an AMeB system layout and produce a deployment document containing a network topology diagram with placement of AMeB user registry and servers.

    3. With emphasis on performing the following steps:
    1. Identify capacity requirements (number of users, concurrent users, junctioned Web servers, ACLs required).
    2. Identify Reliability and Serviceability (RAS) requirements (24 hours x 7 days, throughput and recovery capability).
    3. Identify current network and security aspects (geography of LANs, firewalls, Internet, intranet, DMZ, etc.).
    4. Create logical configuration (number and type of Access Manager for e-business servers, number of load balancers, replicated Web servers, secure domains) and integrate with other applications.
    5. Create physical configuration (location of Access Manager for e-business servers, location of load balancers, and relationship to firewalls).
    6. Determine number and location of user registries.

  3. Given an existing Access Manager for e-business environment, define a migration strategy to maintain user data as well as security policy data.

    4. With emphasis on performing the following steps:
    1. Create roadmap defining the migration strategy.
    2. Identify required user registry migration or upgrade procedures.
    3. Identify migration and backup utilities required to perform migration.
    4. Identify Access Manager for e-business security policy data to be migrated and determine procedures to perform.

Section 2 - Installation

  1. Given a PKI product, configure a valid client-side certificate so that a user can successfully authenticate to Access Manager for e-business.

    2. With emphasis on performing the following steps:
    1. Load Certificate Authority (CA) root certificate(s) into WebSEAL (CA root comes from PKI product).
    2. Enable client-side certificate authentication.
    3. Configure client-side certificates.

  2. Given the Access Manager for e-business packages and necessary hardware, perform the AMeB installation to produce a working AMeB system.

    3. With emphasis on performing the following steps:
    1. Install Access Manager for e-business user registry if not installed.
    2. Complete Access Manager for e-business user registry customization.
    3. Install LDAP clients on the computers to be used for Access Manager for e-business servers.
    4. Install the Access Manager for e-business server components.
    5. Complete advanced Access Manager for e-business customization.

  3. Given user account information, create a registry useable by Access Manager for e-business.

    4. With emphasis on performing the following steps:
    1. Identify existing user registries.
    2. Determine integration options and benefits/pitfalls.
    3. Determine migration options and benefits/pitfalls.
    4. Decide user registry approach.
    5. If integration: Design and code External Authentication C API (& SYNC process), decide 1-1 or n-1, and validate results.
    6. If migration: Identify sources of information, build and run the migration tool, and validate results.

  4. Given an existing Access Manager for e-business environment, perform basic system tests to validate the environment is functioning correctly.

    5. With emphasis on performing the following steps:
    1. Check all processes are running.
    2. Perform logon and user/group ACL template creation administrative tasks.
    3. Verify WebSEAL works by attaching an ACL template to an HTML file and validate using a browser.

Section 3 - Configuration and Customization

  1. Given a firewall environment, create the proper rule setup so that a user can access Access Manager for e-business through the firewall.

    2. With emphasis on performing the following steps:
    1. Identify where to install/configure Access Manager for e-business in a firewall environment.
    2. Identify firewall changes for user registry and HTTP/HTTPS, and SSL Access Manager for e-business traffic.
    3. Install/configure Access Manager for e-business in a firewall environment.

  2. Given security requirements, define a security namespace that includes all objects to be protected.

    3. With emphasis on performing the following steps:
    1. Identify resources to be protected and identify explicit and default ACLs.
    2. Identify replication semantics.
    3. Identify non-static Web resources (JAVA, servlets, ActiveX).
    4. Identify how to apply protected object policies (POPs).
    5. Identify how to apply authorization rules.

  3. Given an organization's security policy, complete each task so that the policy database is configured successfully.

    4. With emphasis on performing the following steps:
    1. Create extended ACL permissions and action groups.
    2. Create Protected Object Policies (POPs).
    3. Identify how to apply protected object policies (POPs).
    4. Create authorization rules.
    5. Create secure domains.
    6. Create policy templates.
    7. Attach policy template to protected resource.
    8. Implement Delegated User Administration requirements.

  4. Given a completed Access Manager for e-business deployment document containing password rules, set up all AMeB administrators and users and configure the password rules for each.

    5. With emphasis on performing the following steps:
    1. Define password policy options, including delegation of password reset.
    2. Configure the Access Manager for e-business password policies.

  5. Given a Security Analysis Document and a Web application, configure Access Manager for e-business to achieve a secure, working solution.

    6. With emphasis on performing the following steps:
    1. Analyze application characteristics, plug-ins, applets, user registry, ACLs, JavaScript, absolute URLs, roles in use.
    2. Identify and analyze application security requirements.
    3. Design junctions (TCP, replication, encrypted, proxy, mutually authenticated, tag value, portal, transparent, virtual host) and required options.
    4. Design SSO (FSSO, GSO, LTPA, EAI, TAI).
    5. Describe junction mapping table usage.
    6. Populate namespace (query contents, DYNURLs, application objects).
    7. Design and create application security policy (EAS, ACLs, delegation, authorization rules).

  6. Given a business requirement to supplement the standard authorization process, implement external authorization services to impose additional authorization controls and conditions.

    7. With emphasis on performing the following steps:
    1. Register the EAS server with the Access Manager for e-business authorization service.
    2. Configure the attribute retrieval service plug-ins for connection to external sources.

  7. Given a deployment plan and details document, implement Web single sign-on such that cross domain and single domain requirements are met.

    8. With emphasis on performing the following steps:
    1. Ensure that e-community, cross domain and/or Web single sign-on has been configured in Access Manager for e-business.
    2. Create appropriate junctions to the candidate Web servers.
    3. Add GSO resources and/or GSO resource groups.
    4. Implement LTPA SSO for WebSphere and Domino targets.
    5. Implement TAI SSO for WebSphere.
    6. Implement FSSO and EAI.
    7. Implement Windows SPNEGO SSO for IIS or WebSEAL.
    8. Populate each user's resource credential information.
    9. Test Web SSO function (browser-to-Access Manager for e-business-to-Web server).
    10. Test resource credential and change password via admin console and via end user.

  8. Given a requirement for dynamic URLs, configure dynamic URL control to protect Web content.

    9. With emphasis on performing the following steps:
    1. Create a single static protected object file for dynamic URLs.
    2. Map ACL namespace objects to dynamic URLs.
    3. Update WebSEAL or Plug-ins for dynamic URLs.

  9. Given a requirement for container level integration, configure IBM Access Manager for WebSphere Application Server (AMWAS) to manage J2EE role-based security.

    10. With emphasis on performing the following steps:
    1. Migrate EAR files from WebSphere Application Server to Access Manager for e-business environment.
    2. Install and configure AMWAS under WebSphere Application Server.
    3. Administer J2EE roles using AMWAS.

  10. Given an existing Tivoli Access Manager for e-business environment with WebSphere Application Server, perform steps to validate that Common Audit and Reporting Service (CARS) server and client are functioning correctly.

    11. With emphasis on performing the following steps:
    1. Examine directories for cached files.
    2. Check that required processes are running.
    3. Check that appropriate applications are running in the WebSphere Application Server.
    4. Test connection from DB2 client to DB2 server.
    5. Establish connection with DB2 and query for event records.
    6. Perform administrative tasks in pdadmin to enable auditing.
    7. Create events that will be reported by CARS.
    8. Stage reports into tables.
    9. Create a report using any reporting utility that is able to query DB2.
    10. Verify configuration logs.

  11. Given an existing Tivoli Access Manager for e-business environment with Session Management Server (SMS) installed, gather requirements necessary for the configuration of an SMS environment.

    12. With emphasis on performing the following steps:
    1. Gather system information necessary for configuration of participating servers.
    2. Define configuration strategy (number and type of WebSEAL servers, number of load balancers, replicated Web servers, network information, physical and logical location of servers).

      3. Design replica sets and session realms.
    3. Define configuration parameters.
    4. Determine what roles will be delegate to specific users.
    5. Configure and test the configuration.

Section 4 - Programming

  1. Given an existing Access Manager for e-business environment with WebSEAL, configure external authentication C API to meet customer requirements.

    2. With emphasis on performing the following steps:
    1. Configure WebSEAL to use external authentication C API.

  2. Given a custom application that requires specific authorization checking, evaluate and explain the authorization programming options via the TAMe authorization APIs available to the development team, so they can design their application security architecture.

    3. With emphasis on performing the following steps:
    1. Identify the application level resources needing protection.
    2. Define and use the application namespace.
    3. Identify available programming tools (such as Java2/JAAS and aznAPI).
    4. Describe entitlement services.
    5. Decide how to obtain optimum performance.
    6. Decide how the credential inside the application will be obtained.

  3. Given requirements to programmatically manipulate the Access Manager user and policy repositories, design, code, and deploy an application using the administration API so that business requirements are met.

    4. With emphasis on performing the following steps:
    1. Identify APIs by function.
    2. Identify types of TAMeb objects which can be maintained using the administration APIs.
    3. Identify the components of the administration API.

  4. Given custom password requirements that exceed build-in functionality, design, code, and deploy a password strength module so that the custom password requirements are met.

    5. With emphasis on performing the following steps:
    1. ldentify the APIs by function.
    2. Configure password strength module to be used during authentication.

  5. Given a deployment plan and details document, implement a secure external authentication interface (EAI) to WebSEAL such that additional authorization controls and conditions are met.

    6. With emphasis on performing the following steps:
    1. Enabling and configuring the EAI authentication mechanism in WebSEAL
    2. Initiating the authentication process
    3. Error handling
    4. Writing the EAI authentication module

Section 5 - Maintenance and Troubleshooting

  1. Given user and organization audit requirements, set up and configure auditing so that log files are produced for events and authorizations.

    2. With emphasis on performing the following steps:
    1. Structure and enable the Access Manager for e-business audit processes.
    2. Manage the size of audit files.
    3. Capture audit and statistical data with information gathering tool.
    4. Analyze and interpret log and audit reports.

  2. Given user and organization logging requirements, set up and configure logging so that log file entries are produced for events and authorizations.

    3. With emphasis on performing the following steps:
    1. Structure and enable Access Manager for e-business logging functions -- tailor events logged.
    2. Manage the size of Access Manager for e-business log files.
    3. Capture log data with information gathering tool.
    4. Analyze log reports.
    5. Enable remote logging function.

  3. Given a valid Access Manager for e-business problem, perform troubleshooting tasks so that a successful problem resolution or workaround is found.

    4. With emphasis on performing the following steps:
    1. Qualify the problem.
    2. Collect debug information using TAMe trace facilities.
    3. Isolate problem.
    4. Consult knowledge base.
    5. Solve problem (if possible).

  4. Given an existing Access Manager for e-business environment, use command-line utilities to perform backup and recovery tasks.

    5. With emphasis on performing the following steps:
    1. commands and options for restoring data from an archive.
    2. commands and options for backup up data to an archive.
    3. information and files collected by the default backup configurations.
Test registration

Authorized Prometric test centers (worldwide testing)