
Test 000-936: IBM Tivoli Access Manager for e-business V6.1 Implementation



SECTION 1: PLANNING

  1. Given a Security Analysis Document, produce product deployment recommendations that meet security requirements as verified through review cycles. With emphasis on the following steps:
    1. Interview administrators, users, and security team.
    2. Determine the type of user registry used for secure domain.
    3. Determine authentication mechanisms -- user IDs/passwords (basic or forms-based), certificates, SecurID tokens, or custom authentication mechanisms.
    4. Identify customization requirements such as External Authorization Services, Cross Domain Authentication Services, Policies.
    5. Identify auditing and logging requirements (Common Auditing and Reporting Service (CARS) or Tivoli Common Reporting Solution).
    6. Determine account and password management rules.

  2. Given IBM Tivoli Access Manager for e-business deployment recommendations and the customer's current network configuration, define an IBM Tivoli Access Manager for e-business system layout and produce a deployment document containing a network topology diagram with placement of IBM Tivoli Access Manager for e-business user registry and servers. With emphasis on the following steps:
    1. Identify capacity requirements (number of users, concurrent users, junctioned Web servers, Web traffic, SSL).
    2. Identify Reliability and Serviceability (RAS) requirements (24 hours, 7 days, throughput and recovery capability).
    3. Identify current network and security aspects (geography of LANs, firewalls, Internet, intranet, DMZ).
    4. Create logical configuration (number and type of IBM Tivoli Access Manager for e-Business servers, number of load balancers, replicated Web servers, secure domains and ACLs) and integrate with other applications.
    5. Create physical configuration (location of IBM Tivoli Access Manager for e-Business servers, location of load balancers, location of Web servers and relationship to firewalls).
    6. Determine number, replication type and location of user registries.

  3. Given an existing IBM Tivoli Access Manager for e-Business environment, define a migration strategy to maintain user data as well as security policy data. With emphasis on the following steps:
    1. Create roadmap defining the migration strategy.
    2. Identify required user registry migration or upgrade procedures.
    3. Identify migration and backup utilities required to perform migration.
    4. Populate Import/Export of the Object Space features.
    5. Identify the prerequisite components and the correct versions for migration.
    6. Identify IBM Tivoli Access Manager for e-Business security policy data to be migrated and determine procedures to perform.

SECTION 2: INSTALLATION

  1. Given a PKI product, configure a valid client-side certificate so that a user can successfully authenticate to IBM Tivoli Access Manager for e-business. With emphasis on the following steps:
    1. Install and use GSKit.
    2. Load Certificate Authority (CA) root certificate(s) into WebSEAL. Enable client-side certificate authentication.
    3. Configure client-side certificates.


  2. Given the IBM Tivoli Access Manager for e-business packages and necessary hardware, perform the IBM Tivoli Access Manager for e-business installation to produce a working IBM Tivoli Access Manager for e-business system. With emphasis on the following steps:
    1. Verify operating system prerequisites and free disk space.
    2. Install a supported user registry for IBM Tivoli Access Manager for e-business, if not installed.
    3. Complete user registry customization.
    4. Install LDAP clients on the computers to be used for IBM Tivoli Access Manager for e-business servers.
    5. If the graphical management interface will be used, install the WebSphere Application Server, determining which browsers are supported.
    6. Install the IBM Tivoli Access Manager for e-Business server components in the appropriate network zone using either Wizard or Silent installation.
    7. Determine the installation location and default ports.
    8. Determine the requirements of the Policy Proxy Server.
    9. Install the Policy Proxy Server.
    10. Create a software package distribution using the template files.
    11. Complete basic IBM Tivoli Access Manager for e-Business customization.

  3. Given user account information, create a registry useable by IBM Tivoli Access Manager for e-business. With emphasis on the following steps:
    1. Identify existing user registries in their environment.
    2. Determine supported registries.
    3. Determine options, benefits and pitfalls of using an existing registry.
    4. Determine options, benefits and pitfalls of a migration.
    5. Decide user registry approach, either Minimal or Traditional.
    6. Determine if user registry will use SSL.

  4. Given an existing IBM Tivoli Access Manager for e-business environment, perform basic system tests to validate the environment is functioning correctly. With emphasis on the following steps:
    1. Verify the IBM Tivoli Access Manager for e-Business splash page is available.
    2. Verify all processes are running.
    3. Perform logon and user/group ACL template creation administrative tasks.
    4. Verify WebSEAL works by attaching an ACL template to an HTML file and validate using a browser.

  5. Given a firewall environment, create the proper rule setup so that a user can access IBM Tivoli Access Manager for e-business through the firewall. With emphasis on the following steps:
    1. Identify where to install/configure IBM Tivoli Access Manager for e-Business in a firewall environment.
    2. Identify firewall changes for user registry and HTTP/HTTPS, and SSL IBM Tivoli Access Manager for e-Business traffic.
    3. Install/configure IBM Tivoli Access Manager for e-Business in a firewall environment.

  6. Given a business requirement for 24x7 availability of the IBM Tivoli Access Manager environment, set up and configure high availability, so that an IBM Tivoli Access Manager for e-business environment is consistently available. With emphasis on the following steps:
    1. Determine the requirements for high availability.
    2. Set up and configure replicated WebSEALs.
    3. Set up and configure a replicated Policy Server (prerequisites and HACMP).
    4. Set up and configure replicated Directory Server, determining type of replication.

SECTION 3: CONFIGURATION

  1. Given security requirements, define a security namespace that includes all objects to be protected. With emphasis on the following steps:
    1. Identify resources to be protected and identify explicit and default ACLs.
    2. Identify replication semantics.
    3. Identify non-static Web resources (Java, servlets, ActiveX).
    4. Identify how to apply protected object policies.
    5. Identify how to apply authorization rules.

  2. Given an organization's security policy, complete each task so that the policy database is configured successfully. With emphasis on the following steps:
    1. Create extended ACL permissions and action groups.
    2. Create protected object policies.
    3. Identify how to apply protected object policies.
    4. Create authorization rules.
    5. Create secure domains.
    6. Create and clone policy templates.
    7. Explain the security model based on inheritance.
    8. Attach policy template to protected resource.
    9. Implement Delegated User Administration requirements.

  3. Given a completed IBM Tivoli Access Manager for e-business deployment document containing password rules, set up all IBM Tivoli Access Manager for e-business administrators and users and configure the password rules for each. With emphasis on the following steps:
    1. Define password policy options, including delegation of password reset.
    2. Configure the IBM Tivoli Access Manager for e-Business password policies.

  4. Given a Security Analysis Document and a Web application, configure IBM Tivoli Access Manager for e-business to achieve a secure, working solution. With emphasis on the following steps:
    1. Analyze application characteristics, plug-ins, applets, user registry, ACLs, JavaScript, absolute URLs, roles in use.
    2. Identify and analyze application security requirements.
    3. Determine authentication mechanisms (BA, Forms, Certificates, SecurID, tokens, SPNEGO, External Authentication Interface (EAI)).
    4. Define type of junction (standard, virtual host, transparent).
    5. Design junctions (TCP, SSL, GSO, LTPA, TAI and TAI++, SPNEGO, multi-homed host, replication, state, encrypted, proxy, mutually authenticated, tag value, portal) and required options.
    6. Work with the Web developers at the customer site to determine which option is optimal for authorization and URL filtering specific to a customer application.
    7. Describe junction mapping table usage.
    8. Configure worker threads and throttling usage.
    9. Populate namespace (query contents, DYNURLs, application objects).
    10. Design and create application security policy (External Authorization Service (EAS), ACLs, delegation, authorization rules).
    11. Configure extended attributes for credentials.

  5. Given a business requirement to supplement the standard authorization process, implement external authorization services to impose additional authorization controls and conditions. With emphasis on the following steps:
    1. Register the EAS server with the IBM Tivoli Access Manager for e-business authorization service.
    2. Configure the attribute retrieval service plug-ins for connection to external sources.

  6. Given a deployment plan and details document, implement Web single sign-on such that cross domain and single domain requirements are met. With emphasis on the following steps:
    1. Ensure that e-community, cross domain and/or Web single sign-on has been configured in IBM Tivoli Access Manager for e-business.
    2. Create appropriate junctions to the candidate Web servers.
    3. Add GSO resources and/or GSO resource groups.
    4. Implement LTPA SSO for WebSphere and Domino targets.
    5. Implement TAI or TAI++ SSO for WebSphere.
    6. Implement Windows SPNEGO SSO for IIS or WebSEAL.
    7. Implement Local Response Redirect.
    8. Install and configure multi-locale support.
    9. Use Macros in the login/error pages.
    10. Populate each user's resource credential information.
    11. Test Web SSO function (browser-to-IBM Tivoli Access Manager for e-business-to-Web server).
    12. Test resource credential and change password via admin console and via end user.

  7. Given a requirement for dynamic URLs, configure dynamic URL control to protect Web content. With emphasis on the following steps:
    1. Create a single static protected object file for dynamic URLs.
    2. Map ACL namespace objects to dynamic URLs.
    3. Update WebSEAL or Plug-ins for dynamic URLs.

  8. Given a requirement for container level integration, configure IBM Tivoli Access Manager for e-business to manage J2EE role-based security using Java authorization contract for containers (JACC). With emphasis on the following steps:
    1. Import roles from WebSphere Application Server applications to IBM Tivoli Access Manager for e-business environment.
    2. Configure IBM Tivoli Access Manager for e-business to provide JACC services to WAS.
    3. Administer J2EE roles using IBM Tivoli Access Manager for e-business.
    4. Configure WAS to use IBM Tivoli Access Manager for e-business as a JACC provider.

  9. Given a business requirement for a unified view and control of all sessions of all Web traffic, install and configure the session management server so that session failover is enabled. With emphasis on the following steps:
    1. Determine the possibilities of the session management server.
    2. Verify prerequisites.
    3. Install and configure the WebSphere Application Server.
    4. Install and configure the relational database.
    5. Configure WebSEAL.
    6. Configure Session Management Server junction.
    7. Configure integration with CARS and Session Management Server.

  10. Given a government regulation for auditing and reporting, install and configure reporting software so that auditing is enabled. With emphasis on the following steps:
    1. Determine the standards and legal requirements and reports that will be needed.
    2. Determine the reporting framework (Common Auditing and Reporting Service (CARS), Tivoli Common Reporting Solution, Tivoli Compliance Insight Manager) to be used.
    3. Install and configure the reporting framework.

SECTION 4: PROGRAMMING

  1. Given an existing IBM Tivoli Access Manager for e-business environment with WebSEAL, configure CDAS (Shared Libraries) to handle password, X.509 certificate information, or SecurID tokens to meet customer requirements. Additionally, given the need for high availability and load balancing, from the network and server layout, configure CDAS to replicate CDAS servers to meet customer requirements. With emphasis on the following steps:
    1. Configure WebSEAL to use a CDAS.
    2. Configure a CDAS that responds to username and password.
    3. Configure a CDAS that responds to X.509 certificate information.
    4. Configure a CDAS that supports both username and password authentication and X.509 certificate-based authentication.
    5. Configure CDAS server for high availability and load balancing purposes.
    6. Configure a CDAS that responds to SecurID tokens.
    7. Configure a CDAS that uses step-up authentication.

  2. Given an existing IBM Tivoli Access Manager for e-business environment with WebSEAL, configure External Authentication Interface (EAI) to extend the authentication interface and to allow a remote application to handle the authentication process of WebSEAL to meet customer requirements. With emphasis on the following steps:
    1. Configure WebSEAL to use an EAI.
    2. Configure EAI trigger URLs.
    3. Configure EAI protocols and the HTTP header data.
    4. Configure EAI to perform credential replacement.
    5. Configure EAI to use IBM Tivoli Directory Integrator.

  3. Given a custom application that requires specific authorization checking, evaluate and explain the authorization programming options via the IBM Tivoli Access Manager for e-business Authorization APIs available to the development team, so the application security architecture can be designed. With emphasis on the following steps:
    1. Identify the application level resources needing protection.
    2. Define and use the application namespace.
    3. Identify available programming tools (such as Java2/JAAS and aznAPI).
    4. Describe entitlement services.
    5. Decide how to obtain optimum performance.
    6. Decide how the credential inside the application will be obtained.

  4. Given requirements to programmatically manipulate the IBM Tivoli Access Manager user and policy repositories, design, code, and deploy an application using the Administration API so that business requirements are met. With emphasis on the following steps:
    1. Identify APIs by function.
    2. Identify types of IBM Tivoli Access Manager for e-business objects which can be maintained using the Administration APIs.
    3. Identify the components of the Administration API.

  5. Given custom password requirements that exceed built-in functionality, design, code, and deploy a password strength module so that the custom password requirements are met. With emphasis on the following steps:
    1. Identify the APIs by function.
    2. Configure password strength module to be used during authentication.

SECTION 5: MAINTENANCE AND PERFORMANCE TUNING

  1. Given an installed IBM Tivoli Access Manager for e-business environment, use the command line so that day-to-day operations are performed. With emphasis on the following steps:
    1. Use the pdadmin command for administrative tasks.
    2. Use pdadmin modes.
    3. Use pdbackup for backup and restore.
    4. Use pdconfig for configuration.

  2. Given user and organization audit requirements, set up and configure auditing so that log files are produced for events and authorizations. With emphasis on the following steps:
    1. Structure and enable the IBM Tivoli Access Manager for e-Business audit processes.
    2. Manage the size of audit files.
    3. Capture audit and statistical data with information gathering tool.
    4. Analyze and interpret log and audit reports.

  3. Given user and organization logging requirements, set up and configure logging so that log file entries are produced for events and authorizations. With emphasis on the following steps:
    1. Structure and enable IBM Tivoli Access Manager for e-business logging functions -- tailor events logged.
    2. Manage the size of IBM Tivoli Access Manager for e-business log files.
    3. Capture log data with information gathering tool.
    4. Analyze log reports.
    5. Enable remote logging function.

  4. Given a valid IBM Tivoli Access Manager for e-business problem, perform troubleshooting tasks so that a successful problem resolution or workaround is found. With emphasis on the following steps:
    1. Qualify the problem.
    2. Collect debug information using IBM Tivoli Access Manager for e-business trace facilities.
    3. Isolate problem.
    4. Consult knowledge base.
    5. Solve problem (if possible).

  5. Given an existing IBM Tivoli Access Manager for e-business environment, perform backup and restore of IBM Tivoli Access Manager for e-business components so that downtime is reduced. With emphasis on the following steps:
    1. Back up IBM Tivoli Access Manager for e-business policy database.
    2. Back up WebSEAL junctions and policies.
    3. Back up IBM Tivoli Access Manager for e-business configuration data, WebSEAL key databases.

  6. Given the need for system tuning, perform tuning steps on the Directory Server database and operating components so that optimized system performance is ensured. With emphasis on the following steps:
    1. Analyze the current settings of the directory server and the operating system components.
    2. Determine if a Directory Server proxy could lessen the loads.
    3. Add an extra Directory Server machine into the replication scenario.
    4. Tune the Directory Server caches, buffer pools, heap variables.
    5. Tune the operating system process limit, ulimit, memory allocation, and environmental variables.

Test registration

Authorized Prometric test centers (worldwide testing)