Test 891: IBM Tivoli Federated Identity Manager V6.1 Implementation



Section 1 - Planning for Federation

  1. Given a set of architecture documents, review the scenario described, review the customer's use cases, identify the IBM Tivoli Federated Identity Manager V6.1 (ITFIM) function, and identify the customer's role in the Federation so that a valid use case and scenario document is prepared which details the ITFIM function and protocols in relation to the customer's role in the Federation.

  2. With emphasis on performing the following steps:
    1. Review scenario described.
    2. Review use cases.
    3. Identify ITFIM function.
    4. Identify customer role (identity provider/service provider).

  3. Given a valid use case and scenario document which describes the customer's roles and usage requirements (for example, performance requirements), identify how the IBM Tivoli Federated Identity Manager V6.1 (ITFIM) components map to the customer's environment so that the details of the customer environment are qualified and the required platforms are listed.

  4. With emphasis on performing the following steps:
    1. Identify authentication service (HTTP, direct).
    2. Identify session management (HTTP).
    3. Identify authorization services.
    4. Identify alias service.
    5. Identify Federated Single Sign-On identity services.
    6. Identify Identity manager providing endpoints.
    7. Determine platforms.
    8. Identify the "point of contact" (SOAP) for mobile clients: which WAP gateway, and LECP/ECP support.

  5. Given the output of the mapping of the customer requirements to IBM Tivoli Federated Identity Manager V6.1 (ITFIM) services and a list of the required platforms, determine the number of machines (and whether any additional ones are needed) so that a list of target machines is produced.

  6. With emphasis on performing the following steps:
    1. Get permission to install.
    2. Determine machine numbers and specs.
    3. Reconcile, determine additional platforms.

  7. Given the customer's security policy, determine the audit and reporting methodology (CARS or audit log) and the Federated Single Sign-On, Web Services Provisioning, and Web Services Security Management security policies so that the audit log configuration is defined and a high-level security policy is outlined detailing signed components, encryption, authorization, authentication, and transport security for each ITFIM function.

  8. With emphasis on performing the following steps:
    1. Determine audit/log policy.
    2. Determine Federated Single Sign-On security requirements.
    3. Determine WS Provisioning security requirements.
    4. Determine Web Services Security Management security policy.

  9. Given the customer's use cases, selected partner identities, and target number of partners, determine partner functionality, evaluate partner's requirements, and define test environment so that a matrix of partner by functionality and requirements is created and generate a test plan.

  10. With emphasis on performing the following steps:
    1. Determine partner functionality.
    2. Evaluate partner's security policy.
    3. Determine partner ID map requirements.
    4. For Web Services Security Management, determine the WS-Trust namespace.
    5. Define customer-partner test environment.
    6. Build test drivers.

  11. Given a matrix of partner by functionality and requirements, list of target machines, and details of customer environment, map IBM Tivoli Federated Identity Manager V6.1 (ITFIM) function to ITFIM components to target machines so that an installation plan is created.

  12. With emphasis on performing the following step:
    1. Identify ITFIM function, ITFIM component and target match.

  13. Given a list of federation partners with security policy and a matrix of partner by functionality, define the federations so that each partner is assigned to a federation and the function of each federation is listed.

  14. With emphasis on performing the following steps:
    1. Map partners to Federations.
    2. Create new Federations if required.

Section 2 - Planning for Federated Single Sign-On

  1. Given a mapping of Federated Single Sign-On partners to Federations, a definition of each Federation, the Federated Single Sign-On customer-partner security policy, and the additional attributes required in the Federated Single Sign-On tokens, refine the Federated Single Sign-On details so that the parameters for the customer's self-configuration and a high-level mapping of attribute requirements are documented for each Federated Single Sign-On Federation.

  2. With emphasis on performing the following steps:
    1. Define/determine signing requirements for messages.
    2. Determine encryption requirements for messages.
    3. (If required) determine token types.
    4. Determine token security parameters.
    5. Determine message parameters: lifetime, nonce, etc.
    6. Define protocol/Federation specific endpoints.
    7. Determine ID mapping rules (high level).

Section 3 - Planning for Web Services Security Management

  1. Given a description of the Web Services environment and applications, define the Web Services point of contact and the type of service, and identify the login method for each application, so that a list of applications to be deployed in Web Services Security Management is generated.

  2. With emphasis on performing the following steps:
    1. Identify the Web Services "point of contact" (for example, XML framework, WSGW, etc.).
    2. Identify the type of Web Service (for example, SOAP/HTTP, SOAP/JMS, RMI/IIOP, etc.).
    3. Identify if Web Service endpoint or intermediary.
    4. Determine list of applications to be deployed with Web Services Security Management.
    5. If endpoint, login required?
    6. If intermediary, token exchange?

  3. Given a list of Web Services Security Management (WSSM) partners, the customer-partner WSSM security policy, and the information required to be in the incoming token (included with partner’s web services request), determine the requirements for authentication and authorization for each application and for each partner and identify the applications the partner can access so that the parameters of the local configuration of the WSSM Federation, application side and partner side of WSSM, and high level mapping of the requirements and rules are defined.

  4. With emphasis on performing the following steps:
    1. If required, determine applications token type vs. login.
    2. Determine requirements for encrypting messages by application.
    3. Define/determine requirements for signing messages by application.
    4. If required, determine requirements for encrypt/sign 'output' tokens.
    5. Determine authorization required by application.
    6. Define applications available to partners.
    7. Define ID mapping rules (high level) by partner.
    8. Determine requirements for encryption input tokens by partner.
    9. Determine requirements for signing input tokens by partner.
    10. If required, determine partners output token type.

Section 4 - Planning for Federated Provisioning

  1. Given a list of WS Provisioning partners with security policy, information in the token, and details about the local provisioning tool, identify the values that need to be exchanged, define the actions that need to happen on the values, and identify the Web Services Security Management requirements so that the IDI requirements, attribute mapping details, and local Web Services Security Management parameters are defined.

  2. With emphasis on performing the following steps:
    1. (Identity provider side) Identify IDI trigger type (i.e.: LDAP feed, IBM Tivoli Identity Manager feed, HTTP, etc.)
    2. (Identity provider side) Identify input markup language (if any); identify output markup language type.
    3. (Service provider side) Identify input (WS Provisioning) payload markup language and identify output format (i.e.: LDAP, DSML, etc.).
    4. (Service provider side) Identify output/provisioning destination.
    5. Identify attribute mapping requirements (in IDI).
    6. Identify attribute retrieval requirements (in IDI).
    7. Identify Web Services Security Management requirements.

Section 5 - Install Infrastructure and Components for Federated Single Sign-On, Web Services Security Management, Federated Provisioning

  1. Given the WebSphere Application Server (WAS) deployment strategy, WAS install media, WAS cluster info, and architecture document, run the WAS installation, create the application server profile, create the deployment manager profile, a WAS cluster, and a replication domain, and add the application server to the cluster so that WAS is installed and configured for ITFIM.

  2. With emphasis on performing the following steps:
    1. Install WAS.
    2. Create an application server profile.
    3. If using clustering, create deployment manager profile.
    4. Create a profile.
    5. If clustering, create cluster.
    6. If clustering, add other servers to cluster.

  3. Given the architecture document, directory information, the IBM Tivoli Access Manager (ITAM) installation, SSL keys, and proper access, install patches, GSKit, and the Access Manager Runtime Environment (AMRTE) filesets, and run 'pdconfig' with the correct information so that WebSEAL is successfully installed and configured into the ITAM domain.

  4. With emphasis on performing the following steps:
    1. Identify OS patches to install.
    2. Install OS patches.
    3. Install GSKit.
    4. Install AMRTE.
    5. Install file sets.
    6. Configure WebSEAL into ITAM domain.

  5. Given the ISC install media, verify that the LDAP server is running and run the ISC install so that ISC is properly installed and configured.

  6. With emphasis on performing the following steps:
    1. Verify that LDAP server is running.
    2. Install ITFIM Console.

  7. Given IBM Tivoli Federated Identity Manager V6.1 (ITFIM) media, ISC is installed and configured, and WebSphere Application Server (WAS) V6.1 server is running, run install program for ITFIM Console and ITFIM Runtime so that ITFIM Console and Runtime are successfully installed.

  8. With emphasis on performing the following steps:
    1. Verify that LDAP is running.
    2. Install ITFIM Runtime.
    3. Create domain.
    4. Deploy ITFIM Runtime.

  9. Given the installation media, install the filesets to successfully perform an IDI installation.

  10. With emphasis on performing the following step:
    1. Install filesets.

  11. Given the architecture document, the WAS ND install media, and the required patches, install WAS ND and apply the required patches, create a new WAS application profile, and install the Service Integration Bus Web Services components to create a configured Web Services Gateway.

  12. With emphasis on performing the following steps:
    1. Install WAS ND.
    2. Create a new application profile.
    3. Install patches.
    4. Install the Service Integration Bus Web Services (SIBWS) components.

  13. Given the need for the Common Auditing and Reporting Service (CARS) and the installation media, confirm all prerequisites have been met and run the CARS install, so that CARS is installed.

  14. With emphasis on performing the following steps:
    1. Install DB2.
    2. Configure the DB2 instance.
    3. Install and configure the CARS server.
    4. Configure the Common Event Infrastructure in WAS.
    5. Install the CARS client.
    6. Configure TAM for CARS.
    7. Verify event data within DB2.
    8. Install and configure Crystal Reports (including the prebuilt TAM reports).
    9. Generate TAM reports via Crystal Reports.

Section 6 - Configure Federated Single Sign-On, Web Services Security Management, Federated Provisioning

  1. Given LDAP access information and the name of the new alias service and suffix, add the new suffix and restart WebSphere Application Server (WAS) to have LDAP configured for IBM Tivoli Federated Identity Manager V6.1 (ITFIM).

  2. With emphasis on performing the following steps:
    1. Stop LDAP.
    2. Add LDAP suffix for alias service.
    3. Start LDAP.

  3. Given attribute requirements for applications, role, user or group definitions, the attribute schema, and an XSLT authoring tool, use the XSLT tool to successfully write and run a mapping rule.

  4. With emphasis on performing the following steps:
    1. Write XSLT (mapping) rule.
    2. Run XSLT (mapping) tool.
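The mapping rule in ITFIM is an XSLT transform over the STSUniversalUser (STSUUSER) document that the trust service passes between token modules. The following is an added example, not IBM's code and not the XSLT the product runs: it carries out the same three things a mapping rule usually does (rewrite the principal to the local account, release only the attributes the partner policy allows, add an attribute the service provider expects) in Python's standard library, so the logic can be exercised offline before it is written as XSLT. The input document is constructed to match the STSUUSER layout; the account table, the attribute names and the "role" value are assumptions.

```python
"""Identity mapping over a constructed STSUniversalUser (STSUUSER) document.

Added example, not ITFIM code and not an XSLT rule; it mirrors what a
mapping rule does so the expected output can be checked offline.
"""
import xml.etree.ElementTree as ET

NS = "urn:ibm:names:ITFIM:1.0:stsuuser"
ET.register_namespace("stsuuser", NS)


def q(tag):
    """Qualified STSUUSER element name."""
    return "{%s}%s" % (NS, tag)


# Constructed input: what the incoming token module hands to the mapping rule.
SAMPLE_STSUUSER = """<stsuuser:STSUniversalUser xmlns:stsuuser="urn:ibm:names:ITFIM:1.0:stsuuser">
  <stsuuser:Principal>
    <stsuuser:Attribute name="name"><stsuuser:Value>alice@example.com</stsuuser:Value></stsuuser:Attribute>
  </stsuuser:Principal>
  <stsuuser:AttributeList>
    <stsuuser:Attribute name="mail" type="urn:example:attr"><stsuuser:Value>alice@example.com</stsuuser:Value></stsuuser:Attribute>
    <stsuuser:Attribute name="employeeNumber" type="urn:example:attr"><stsuuser:Value>12345</stsuuser:Value></stsuuser:Attribute>
    <stsuuser:Attribute name="ssn" type="urn:example:attr"><stsuuser:Value>000-00-0000</stsuuser:Value></stsuuser:Attribute>
  </stsuuser:AttributeList>
  <stsuuser:RequestSecurityToken/>
  <stsuuser:ContextAttributes/>
</stsuuser:STSUniversalUser>"""

# Assumed linked-account table (partner identity -> local account) and the
# attribute allow-list the customer-partner security policy permits.
ACCOUNT_MAP = {"alice@example.com": "alice"}
RELEASE = {"mail", "employeeNumber"}


def _attr_value(parent, name):
    """Text of <Attribute name=...><Value> under parent, or None."""
    for a in parent.findall(q("Attribute")):
        if a.get("name") == name:
            return a.findtext(q("Value"))
    return None


def map_identity(xml_text, account_map=ACCOUNT_MAP, release=RELEASE):
    """Apply the mapping and return the transformed STSUUSER as a string."""
    root = ET.fromstring(xml_text)
    principal = root.find(q("Principal"))
    src = _attr_value(principal, "name") if principal is not None else None
    if not src:
        raise ValueError("STSUUSER has no Principal name; refusing to map")
    local = account_map.get(src)
    if local is None:
        raise ValueError("no local account linked to %s" % src)

    # 1. Rewrite the principal to the local account identifier.
    for a in principal.findall(q("Attribute")):
        if a.get("name") == "name":
            a.find(q("Value")).text = local

    # 2. Drop every attribute not on the release allow-list, so whatever the
    #    partner happened to send (the ssn above) does not leak onward.
    attrs = root.find(q("AttributeList"))
    for a in list(attrs):
        if a.get("name") not in release:
            attrs.remove(a)

    # 3. Add the attribute the service provider expects (assumed name/value).
    role = ET.SubElement(attrs, q("Attribute"), {"name": "role", "type": "urn:example:attr"})
    ET.SubElement(role, q("Value")).text = "partner-user"
    return ET.tostring(root, encoding="unicode")


def principal_name(xml_text):
    """Principal name of an STSUUSER document."""
    return _attr_value(ET.fromstring(xml_text).find(q("Principal")), "name")


def released_attributes(xml_text):
    """{name: value} of every entry in AttributeList."""
    attrs = ET.fromstring(xml_text).find(q("AttributeList"))
    return {a.get("name"): a.findtext(q("Value")) for a in attrs}


if __name__ == "__main__":
    print(map_identity(SAMPLE_STSUUSER))
```

The refusal paths matter as much as the happy path: a rule that falls through to an empty or unchanged principal when the lookup fails will let the service provider authenticate whatever name the partner sent, so the XSLT version should likewise fail closed.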

  5. Given the WebSEAL information, company information, protocol, role, token requirement, protocol specific configuration, and defined mapping rules, successfully create and configure a Federation.

  6. With emphasis on performing the following steps:
    1. Log in to the Integrated Solutions Console (ISC) and click "Create Federation".
    2. Follow Federation Creation wizard and input appropriate data.
    3. Send meta data to Federation partner.

  7. Given partner meta data and partner specific configuration, log in to console, define a partner and enable a partner for a configured working partner.

  8. With emphasis on performing the following steps:
    1. Log in to Integrated Solutions Console (ISC), select Federation, click on "Add Partner".
    2. Follow the Add Partner wizard.
    3. Enable partner.

  9. Given the partner client certificate configuration, the certificate authority certificate for the HTTPS connection, security requirements for WebSEAL to WAS communication, WebSphere port info, role, Federation name, ITFIM FSSO endpoint, and user attribute info, configure WebSEAL for ITFIM so that a working WebSEAL configuration for a specific Federation is created.

  10. With emphasis on performing the following steps:
    1. Configure tag value.
    2. Using the TFIMCFG tool, create a junction, configure EAI, and assign ACLs.
    3. If role is service provider, modify login.html page to point to Single Sign-On endpoint.
    4. Configure single logout endpoint.
    5. Import partner client certificates into WebSEAL keystore.
    6. Increase WebSEAL POST cache size.
    7. Basic authentication user provisioning - create users as ITAM users at identity provider side.

  11. Given architecture document, IBM Tivoli Federated Identity Manager Application Developer Kit (ITFIM ADK) and Java Development Tool, write, test and install the code, so that custom code is successfully created to meet the customer's requirements.

  12. With emphasis on performing the following steps:
    1. Write code.
    2. Test code.
    3. Install code.

  13. Given architecture requirements, write, test and install custom token module, so that support is provided for a custom token type.

  14. With emphasis on performing the following steps:
    1. Write custom token code.
    2. Test custom token code.
    3. Install custom code.

  15. Given the required token types, attributes required, partner keys, self keys and configured mapping rules, log in to the console and add a WSSM partner. Follow the wizard and input the required data, so that a configured WSSM partner is created.

  16. With emphasis on performing the following steps:
    1. Log in to console and click on "Add WSSM Partner".
    2. Follow "Add WSSM Partner" wizard and input required data.

  17. Given the trust service endpoint info, the application WSDL, the required application token types, the customer application, required WAS patches and the WSDL2TFIM and WSDL2TAM tools, configure ITFIM WSSM in WAS to create a deployed application secured by WSSM.

  18. With emphasis on performing the following steps:
    1. Configure a JAAS login module for SAML.
    2. Create WebSphere shared library for WSSM classes.
    3. Configure WSSM PDJRTE.
    4. Deploy customer application.
    5. Run WSDL2TFIM and WSDL2TAM tools.
    6. Configure TAM policy.
    7. Apply WAS patches.

  19. Given architecture document, registry info, and IDI Toolkit, write, test and install code for a successful development of custom code.

  20. With emphasis on performing the following steps:
    1. Write Federated Provisioning/IDI code.
    2. Test Federated Provisioning/IDI code.
    3. Install Federated Provisioning/IDI code.

  21. Given the ITAM and WebSphere environment information and editor, update the assembly line properties and the Provisioning Service endpoint to successfully update the Provisioning Configuration.

  22. With emphasis on performing the following steps:
    1. Update provisioning service endpoint custom property.
    2. Update assembly line properties and constraints.

  23. Given attribute requirements for application, role, user and group definition, attributes schema, create and enable a Custom Mapping Module, so that the users identity is successfully mapped.

  24. With emphasis on performing the following steps:

  25. Given ITFIM and CARS are installed, configure ITFIM to send audit events to the CARS server, so that CARS can be used by ITFIM.

  26. With emphasis on performing the following steps:
    1. The CARS server root signer certificate must be imported to the IBM Tivoli Federated Identity Manager keystore.
    2. Navigate to Domain Management and click on Auditing in the console to display Audit Settings.
    3. Select the enable audit checkbox.
    4. Select the Tivoli Common Audit and Report Server radio button.
    5. Type the address of the Common Audit and Report Server in the Web Service URL field.
    6. Click Web Service Security Settings.
    7. Set up the SSL keystore by selecting the key (the CARS root signer certificate).
    8. Select the type of authentication: Basic Authentication or None. For Basic Authentication, the user ID specified must belong to the EventSource role on the CARS server.
    9. Click OK to save the configuration.

Section 7 - Test Federated Single Sign-On, Web Services Security Management, Federated Provisioning

  1. Given a configured IBM Tivoli Federated Identity Manager V6.1 (ITFIM) environment with Federated Single Sign-On (FSSO), authenticate with the Identity Provider, and connect to the linked account at the Service Provider, so that there is a working IBM Tivoli Federated Identity Manager environment with FSSO.

  2. With emphasis on performing the following steps:
    1. Authenticate with the identity provider.
    2. Connect to linked account at service provider.
    3. Test/verify Single Sign-On + account federation (Liberty, SAML 2.0).
    4. Test/verify Single Sign-On (push, pull).
    5. Test/verify HTTP-redirect, SOAP-HTTP profiles.
    6. Test/verify the Liberty RNI (Register Name Identifier), FT (Federation Termination), and NIM (Name Identifier Mapping) profiles.
    7. Test/verify "where are you from?".
    8. Test/verify Single Logout (local, global).

  3. Given a WSSM installed and configured environment and a deployed Web Services application with WS Security turned on, run the Web Services application and evaluate the results to successfully test the Web Service application with WSSM enabled.

  4. With emphasis on performing the following steps:
    1. Run Web Service application.
    2. Test unauthorized user.
    3. Test invalid password.
    4. Test encrypted Web Services invocation.
    5. Test signed Web Services invocation.
    6. Test signed and encrypted Web Services invocation.
    7. Test invocation of partner side of trust chain.
    8. Test that input token is valid (format, encrypt, signing).
    9. Test mapping rules.
    10. Test authorization decision regarding required input in IV-CRED.

  5. Given that IBM Tivoli Federated Identity Manager V6.1 (ITFIM) is configured with WS Provisioning, the IDI Assembly lines running at both Identity Provider and Service Provider, create local Provisioning trigger at Identity Provider, so that a local identity is provisioned at the Service Provider.

  6. With emphasis on performing the following steps:
    1. Test user create provisioning request.
    2. Test user attributes modify provisioning request.
    3. Test user remove deprovisioning request.

Section 8 - Troubleshoot Federated Single Sign-On, Web Services Security Management, Federated Provisioning

  1. Given that IBM Tivoli Directory Server (ITDS) is installed, perform a test LDAP search, check for errors in ibmslapd.log, check the configuration in ibmslapd.conf, verify that the LDAP service is listening on the proper SSL and non-SSL ports, and check for proper ACLs so that ITDS is integrated with IBM Tivoli Federated Identity Manager (ITFIM) and working properly.

  2. With emphasis on performing the following steps:
    1. Perform a test LDAP search.
    2. Check for errors in ibmslapd.log.
    3. Check ibmslapd.conf for valid configuration.
    4. Verify that an LDAP service is listening on the proper ports for SSL and non-SSL communication.
    5. Check for proper ACLs.

  3. Given that WAS is installed, check for errors in the WebSphere logs, check the memory used by the WebSphere Java process, check the status of deployed applications, and check the validity of the WebSphere and deployed application security settings, so that WAS is integrated with IBM Tivoli Federated Identity Manager V6.1 (ITFIM) and is working.

  4. With emphasis on performing the following steps:
    1. Check the WebSphere logs.
    2. Check the memory used by the WebSphere Java processes.
    3. Check the status of deployed applications.
    4. Check the WebSphere and deployed application security configuration (Java/J2EE).
    5. Debug clustering issues (dynacache).

  5. Given that IBM Tivoli Access Manager (ITAM) is installed and configured, verify that WebSEAL is communicating with the policy server, collect debug information using ITAM's trace facility, isolate and qualify the problem, so that TAM is integrated with IBM Tivoli Federated Identity Manager V6.1 (ITFIM) and is working.

  6. With emphasis on performing the following steps:
    1. Verify that WebSEAL is communicating with Policy server.
    2. Collect debug information using ITAM trace facilities.
    3. Isolate problem.
    4. Qualify the problem.

  7. Given that the ISC is installed and configured, verify that the ISC login is available and verify connection with LDAP, so that the ISC is integrated with IBM Tivoli Federated Identity Manager V6.1 (ITFIM) and is working.

  8. With emphasis on performing the following steps:
    1. Verify ISC login page is available.
    2. Verify connection with LDAP.
    3. Look in the ISC logs.
    4. Verify that LDAP is correctly configured.

  9. Given that the IBM Tivoli Federated Identity Manager V6.1 (ITFIM) Trust Service is installed and configured, turn on tracing and review the trace logs for errors and/or stack traces, so that the ITFIM Trust Service is working.

  10. With emphasis on performing the following steps:
    1. Turn on tracing.
    2. Review the trace logs for errors and/or stack traces.
    3. Check the WebSphere Application Server/Web Services Gateway endpoint receiving the SOAP request.

  11. Given that IBM Tivoli Federated Identity Manager V6.1 (ITFIM) is configured for FSSO, turn on ITFIM tracing for the configured FSSO protocol and review the tracing data for errors and/or stack traces, so that ITFIM FSSO is working.

  12. With emphasis on performing the following steps:
    1. Turn on ITFIM tracing for configured FSSO protocol.
    2. Review tracing data and/or stack traces.

  13. Given IBM Tivoli Federated Identity Manager V6.1 (ITFIM) is configured with WSSM, run tcpmon and check the output, check the timestamps on tokens, and verify signatures, so that the ITFIM configuration of WSSM is working.

  14. With emphasis on performing the following steps:
    1. Run "tcpmon" and check output.
    2. Check timestamps on tokens.
    3. Verify signatures (if enabled).
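Once tcpmon has captured the request, the checks in steps 2 and 3 above (and the "input token is valid: format, encrypt, signing" test in Section 7, and the lifetime/nonce message parameters from Section 2) are questions about the WS-Security header. The following is an added example, not ITFIM trust-service code, that runs those checks offline against a captured SOAP envelope: the wsu:Timestamp window, the SAML 1.1 assertion's NotBefore/NotOnOrAfter and audience, replay of the same AssertionID, and whether the ds:Signature references actually cover the Timestamp and Body. The envelope is constructed; CLOCK_SKEW and EXPECTED_AUDIENCE are assumptions. It does not verify the signature cryptographically (that needs the partner's certificate from the keystore); it only reports what the signature covers, which is the usual first finding when a partner's "signed" request is rejected.

```python
"""Offline checks on a captured WS-Security request: timestamp window,
SAML 1.1 conditions and audience, AssertionID replay, signature coverage.

Added example, not ITFIM code. Envelope, CLOCK_SKEW and EXPECTED_AUDIENCE
are constructed/assumed. Signature bytes are not verified here.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
CLOCK_SKEW = timedelta(minutes=5)                  # assumed partner/local clock tolerance
EXPECTED_AUDIENCE = "https://sp.example.com/wssm"  # assumed local audience URI

# Constructed capture of a partner request (as tcpmon would show it).
SAMPLE_ENVELOPE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
  xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <soap:Header>
    <wsse:Security soap:mustUnderstand="1">
      <wsu:Timestamp wsu:Id="TS-1">
        <wsu:Created>2007-03-14T10:00:00Z</wsu:Created>
        <wsu:Expires>2007-03-14T10:05:00Z</wsu:Expires>
      </wsu:Timestamp>
      <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_a1b2c3"
          Issuer="https://idp.partner.example" IssueInstant="2007-03-14T10:00:00Z">
        <saml:Conditions NotBefore="2007-03-14T09:59:00Z" NotOnOrAfter="2007-03-14T10:10:00Z">
          <saml:AudienceRestrictionCondition>
            <saml:Audience>https://sp.example.com/wssm</saml:Audience>
          </saml:AudienceRestrictionCondition>
        </saml:Conditions>
        <saml:AuthenticationStatement AuthenticationInstant="2007-03-14T10:00:00Z"
            AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
          <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
        </saml:AuthenticationStatement>
      </saml:Assertion>
      <ds:Signature>
        <ds:SignedInfo><ds:Reference URI="#TS-1"/><ds:Reference URI="#Body-1"/></ds:SignedInfo>
        <ds:SignatureValue>c2lnbmF0dXJlLWJ5dGVz</ds:SignatureValue>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="Body-1"><getBalance xmlns="urn:example:bank"/></soap:Body>
</soap:Envelope>"""


def _ts(text):
    """xsd:dateTime in UTC ('...Z') -> aware datetime."""
    if not text or not text.endswith("Z"):
        raise ValueError("expected UTC dateTime with Z suffix, got %r" % (text,))
    return datetime.fromisoformat(text[:-1] + "+00:00")


def check_message(envelope_xml, now, seen_assertion_ids):
    """Return the list of problems found (empty list means accept).

    now: aware datetime or ISO-8601 UTC string; seen_assertion_ids: replay cache (set).
    """
    if isinstance(now, str):
        now = _ts(now)
    problems = []
    root = ET.fromstring(envelope_xml)
    sec = root.find("soap:Header/wsse:Security", NS)
    if sec is None:
        return ["no wsse:Security header"]

    # 1. Timestamp: Created not in the future, Expires not in the past (within skew).
    ts = sec.find("wsu:Timestamp", NS)
    if ts is None:
        problems.append("no wsu:Timestamp")
    else:
        created = ts.findtext("wsu:Created", namespaces=NS)
        expires = ts.findtext("wsu:Expires", namespaces=NS)
        if _ts(created) > now + CLOCK_SKEW:
            problems.append("timestamp Created is in the future (clock skew?)")
        if expires is None:
            problems.append("timestamp has no Expires")
        elif _ts(expires) + CLOCK_SKEW < now:
            problems.append("timestamp expired")

    # 2. Assertion: validity window, audience, and replay of the AssertionID.
    assertion = sec.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no SAML assertion in Security header")
    else:
        cond = assertion.find("saml:Conditions", NS)
        if cond is None:
            problems.append("assertion has no Conditions")
        else:
            nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
            if nb and _ts(nb) > now + CLOCK_SKEW:
                problems.append("assertion not yet valid")
            if noa and _ts(noa) + CLOCK_SKEW <= now:
                problems.append("assertion expired")
            audiences = [a.text for a in cond.findall(
                "saml:AudienceRestrictionCondition/saml:Audience", NS)]
            if audiences and EXPECTED_AUDIENCE not in audiences:
                problems.append("assertion audience %s is not this service" % audiences)
        aid = assertion.get("AssertionID")
        if aid in seen_assertion_ids:
            problems.append("assertion %s replayed" % aid)
        else:
            seen_assertion_ids.add(aid)

    # 3. Signature: present, and its References cover both Timestamp and Body.
    sig = sec.find("ds:Signature", NS)
    if sig is None:
        problems.append("message is not signed")
    else:
        refs = {r.get("URI") for r in sig.findall("ds:SignedInfo/ds:Reference", NS)}
        wsu_id = "{%s}Id" % NS["wsu"]
        for label, el in (("Body", root.find("soap:Body", NS)), ("Timestamp", ts)):
            ident = el.get(wsu_id) if el is not None else None
            if ident is None or "#" + ident not in refs:
                problems.append("signature does not cover %s" % label)
    return problems


if __name__ == "__main__":
    cache = set()
    print(check_message(SAMPLE_ENVELOPE, "2007-03-14T10:02:00Z", cache))  # []
    print(check_message(SAMPLE_ENVELOPE, "2007-03-14T10:02:00Z", cache))  # replay reported
```

The replay cache only needs to remember IDs for the token lifetime plus the skew window; anything older is rejected by the timestamp checks anyway. When a real request fails only the coverage check, the usual cause is a partner signing the Body but not the Timestamp (or the reverse), which the trust chain's policy then rejects.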

  15. Given that Federated Provisioning and IDI are installed and configured, isolate and analyze the message generated from IBM Tivoli Federated Identity Manager V6.1 (ITFIM) for Federated Provisioning, check the communication between ITFIM and the IDI server, check that the WS Provisioning connector is in server mode and is enabled and running, and check the SOAP connector is configured correctly so that Federated Provisioning is working.

  16. With emphasis on performing the following steps:
    1. Isolate and analyze the message generated from ITFIM for Federated Provisioning.
    2. Check the communication between ITFIM and the IDI server.
    3. Check that the WS Provisioning connector is in server mode and is enabled and running.
    4. Check that the DSMLv2 connector is in add/update mode and is enabled.

  17. Given that the IBM Tivoli Federated Identity Manager V6.1 (ITFIM) configuration has been modified and saved, back up the ITFIM configuration so that it can be successfully restored.

  18. With emphasis on performing the following step:
    1. Back up the ITFIM configuration.

  19. Given that the IBM Tivoli Federated Identity Manager V6.1 (ITFIM) installation has been customized, document the customizations, so that there is a record of the ITFIM customizations.

  20. With emphasis on performing the following step:
    1. Document the customization.

Test registration

Authorized Prometric test centers (worldwide testing)