http://www-03.ibm.com/certify/tests/obj039.shtml
Section 1: Planning
- Given access to the customer, gather customer requirements so that a high-level solution design document is produced.
With emphasis on performing the following tasks:
  - Identify the Web resources to be protected.
    - Classify applications that need to be integrated with WebSEAL (integration requirements and by what method).
    - Classify Web applications to be protected (JEE vs. those that use query_contents).
  - Identify log on requirements.
    - Identify current applications and the authentication and authorization mechanism currently employed.
    - Classify the log on method for single sign-on (basic authentication vs. forms single sign-on vs. LTPA vs. TAI++).
    - Classify the credential to be provided (same as when logging on to WebSEAL vs. dummy password vs. global sign-on).
  - Identify the architecture of the existing client network (type of access).
    - Classify the user type: internal users (Intranet) or external users (Internet).
  - Identify policy role and authorization requirements.
  - Identify the platform or technology used for the application to be protected by Tivoli Access Manager/WebSEAL.
  - Identify HA and load balancing requirements.
  - Understand future business needs and plan for scalability.
  - Determine the expectation of Tivoli Access Manager: coarse-grained vs. fine-grained authorization.
  - Identify audit and reporting requirements.
  - Obtain a blueprint of the network security and system security policies of the client.
  - Produce a high-level solution design document.
- Given access to the current network configuration of the customer, determine the security set up which can be deployed so that a deployment document can be produced.
With emphasis on performing the following tasks:
  - Determine the User Registry to be used.
    - Identify the deployment of current LDAP stores or any other authentication mechanisms being used.
    - Identify the customization (schema, attributes) needs.
    - Determine the supported user registry which will be deployed.
    - Determine the EAI integration requirements.
    - Determine the location and number of user registries to be used.
    - Determine the User Registry replication requirements (one server vs. multiple servers, peer to peer vs. single master).
    - Determine the security requirements for the User Registry (SSL vs. non-SSL).
    - Determine the Directory Information Tree (DIT) structure: Standard vs. Minimal Model.
  - Determine the Web Security set up.
    - Determine the Web Security mechanism to be used: WebSEAL vs. Web Plug-in, or a combination of both.
    - Identify if multiple instances of WebSEAL will be required on the same server.
    - Determine security requirements for connection to backend servers.
    - Identify if there is a need to use stateful junctions.
    - Identify the need for step-up authentication.
    - Determine federation requirements, if any.
    - Determine Single Sign-on (SSO) requirements.
    - Determine the certificate to be used for Web Security (self-signed vs. trusted CA implementation for WebSEAL client certificates).
    - Determine the need for SSL hardware acceleration.
    - Determine the need for Session Management Server.
  - Determine the placement of Tivoli Access Manager components.
    - Identify if a Policy Proxy Server is required.
    - Determine the need for an Authorization Server.
    - Identify the administration interface which will be used to administer the solution (WPM vs. pdadmin).
- Given the high-level solution design document and access to the customer, determine hardware and operating system requirements so that the requirements are documented.
With emphasis on performing the following tasks:
  - Identify the memory, disk space, and CPU requirements.
  - Confirm supported platforms and software levels.
  - Confirm supported Java levels for the installation.
  - Document the requirements.
- Given access to the customer, identify the type of reporting functionality required so that the customer can achieve a common format of reports.
With emphasis on performing the following tasks:
  - Identify security reporting.
  - Identify business critical reporting.
  - Identify user access or provisioning reporting.
  - Identify logging and auditing data reporting.
  - Identify content management reporting.
- Given the high-level solution design document, determine the infrastructure configuration for solution deployment so that a high-level configuration document is produced.
With emphasis on performing the following tasks:
  - Determine network zone requirements.
    - Identify the geography of LANs.
    - Identify firewalls.
    - Identify Internet, Intranet and DMZ.
  - Determine the logical configuration and integrate with other applications.
    - Determine the number, replication type and location of user registries.
    - Identify the number and type of IBM Tivoli Access Manager for e-business servers.
    - Identify the requirements for an SMS server.
    - Identify the number of load balancers.
    - Identify replicated Web servers.
    - Identify secure domains and ACLs.
    - Identify password policies in Tivoli Access Manager (also in LDAP if required).
    - Determine whether a WebSEAL cluster is required.
  - Determine the physical configuration.
    - Identify the location of IBM Tivoli Access Manager for e-business servers.
    - Identify the location of load balancers.
    - Identify the location of Web servers and their relationship to firewalls.
    - Identify the location of the SMS server.
    - Identify the WebSEAL to WebSEAL junction replication.
    - Identify the install location and ports to use for the environment.
Section 2: Installation
- Given the high-level solution design document, the IBM Tivoli Access Manager for e-business V6.1.1 (Tivoli Access Manager) release notes, and access to the servers where Tivoli Access Manager will be installed, verify the software and hardware prerequisites so that the servers are ready for Tivoli Access Manager installation.
With emphasis on performing the following tasks:
  - Identify the required operating system in the high-level solution design document.
  - Identify the current OS and hardware configuration of the server.
    - Identify the hardware configuration on Windows.
    - Identify the hardware configuration on Linux.
    - Identify the hardware configuration on AIX.
    - Identify the OS level and patches on Windows.
    - Identify the OS level and patches on Linux.
    - Identify the OS level and patches on AIX.
  - Upgrade the operating system if required.
    - Upgrade the operating system on Windows.
    - Upgrade the operating system on Linux.
    - Upgrade the operating system on AIX.
- Given all the required software packages and a supported platform, install Tivoli Access Manager components so that Tivoli Access Manager is successfully installed.
With emphasis on performing the following tasks:
  - Install IBM Global Security Kit (GSKit).
  - Install IBM Tivoli Directory Server client base.
  - Install Tivoli Security Utilities.
  - Install the Access Manager License.
  - Install Tivoli Access Manager Runtime.
  - Install Tivoli Access Manager Policy server.
  - Install Tivoli Access Manager Authorization server.
  - Install Tivoli Access Manager Web Security Runtime.
  - Install Tivoli Access Manager WebSEAL.
  - Install the plug-in for Web servers.
  - Install Web Portal Manager.
  - Install Session management server.
  - Install CARS.
Section 3: Configuration
- Given access to the customer's computer with the software installed, available registry server information, and the low-level design document, configure IBM Tivoli Access Manager for e-business V6.1.1 (Tivoli Access Manager) components so that a working set up of Tivoli Access Manager is available.
With emphasis on performing the following tasks:
  - Set up a Runtime system.
  - Set up the policy server.
  - Set up the authorization server.
  - Set up a Web Portal Manager system.
  - Set up policy proxy servers if required.
- Given a primary instance of each component and secondary hardware systems, configure a Tivoli Access Manager HA environment so that HA Tivoli Access Manager components are configured.
With emphasis on performing the following tasks:
  - Configure LDAP replicas.
  - Configure HACMP/replicated Policy Servers.
  - Set up and configure replicated WebSEAL.
  - Configure multiple failover authorization servers for Java applications.
  - Configure Java applications in local mode for the policy cache.
- Given access to an installed WebSEAL and network connectivity with an appropriate firewall policy for backend systems, configure WebSEAL so that backend Web servers are protected by WebSEAL.
With emphasis on performing the following tasks:
  - Configure Web Security Runtime.
  - Configure additional WebSEAL instances on the same computer.
  - Configure LDAP failover.
  - Configure HTTP or HTTPS.
  - Configure thread limits (global and per junction).
  - Configure time outs for various components.
  - Configure the authentication mechanism.
  - Configure junctions.
  - Configure Dynurl.
  - Configure JMT.
  - Configure MIME cache settings.
  - Configure the HTTP compression setting for MIME types.
  - Configure WebSEAL virtual host junctions.
  - Configure OCSP or CRL.
  - Configure HTTP header authentication.
  - Configure IP authentication.
  - Configure step-up authentication.
  - Configure eCSSO or CDSSO.
  - Configure P3P compact policy.
  - Configure Dynamic ADI Entitlement Services.
  - Set up the Access Manager Attribute Retrieval Service.
- Given a running Tivoli Access Manager base environment and running supported J2EE application servers, set up Web security so that Web security is configured for backend servers.
With emphasis on performing the following tasks:
  - Set up the plug-in for Edge Server.
  - Set up the plug-in for Web servers.
  - Set up the session management system installation.
  - Set up a Web security development system.
  - Propagate J2EE configuration from a backend server to Tivoli Access Manager.
  - Import roles from WAS applications to Tivoli Access Manager if needed.
  - Configure Tivoli Access Manager to provide JACC services to WAS.
  - Set up an Access Manager Runtime for Java system.
- Given the security policy of the customer organization, create and configure policies in the Tivoli Access Manager policy database so that the policy database in Tivoli Access Manager is configured.
With emphasis on performing the following tasks:
  - Create Tivoli Access Manager groups.
  - Create and configure Access Control Lists (ACL).
  - Create and configure protected object policies (POP).
  - Create and configure Authorization Rules.
  - Configure account and password management policies.
  - Update the object space.
- Given a high-level design document, system installation, and customer access, configure the Tivoli Access Manager registry so that a user can be created and modified, and policy can be set in the secure domain.
With emphasis on performing the following tasks:
  - Update the schema.
  - Configure SSL or SASL.
  - Create the suffix.
  - Update ACLs for Tivoli Access Manager access.
  - Import users and groups.
  - Configure domains and the user registry type.
  - Configure Tivoli Directory Server password policy.
  - Configure Tivoli Directory Server replication.
- Given an installed Tivoli Access Manager system and the Tivoli common directory log properties file, configure log rotation and log archiving so that log rotation and archiving is configured for Tivoli Access Manager components.
With emphasis on performing the following tasks:
  - Identify the Tivoli common directory folders.
  - Edit the log property file appropriately.
  - Specify the logging format.
  - Specify the maximum size of log files.
  - Specify the fully qualified log file name and path.
  - Specify the maximum number of files.
- Given a running WebSEAL and a backend EAI application, configure Tivoli Access Manager for the EAI server so that WebSEAL is configured for EAI.
With emphasis on performing the following tasks:
  - Configure an unauthenticated junction to the EAI server.
  - Configure the trigger URL in the WebSEAL configuration.
  - Configure EAI with HTTP or HTTPS.
  - Review the demo EAI application.
  - Configure response headers as required by WebSEAL.
  - Determine the multi-step authentication requirement.
- Given the high-level solution design document, access to the Tivoli Access Manager server, and access to the backend servers, create junctions so that WebSEAL is configured to allow access to the backend servers.
With emphasis on performing the following tasks:
  - Create junctions using pdadmin or the Web Portal Manager:
    - Standard (TCP or SSL)
    - Stateful
    - Transparent path
    - Virtual Host
    - Kerberos
  - Create SSL junctions.
    - Locate the junction file.
    - Obtain the certificate from the backend server.
    - Import the certificate into the junction file.
    - Create the SSL junction using pdadmin or the Web Portal Manager.
  - Create junctions that use basic authentication to log on to the backend server.
    - Create junctions that log on with the user name and password provided to WebSEAL using pdadmin or the Web Portal Manager.
    - Create junctions that log on with the user name and a dummy password using pdadmin or the Web Portal Manager.
    - Create junctions that use a GSO resource to log on to a backend server using pdadmin or the Web Portal Manager.
  - Create junctions that log on to the backend server using a log on form.
    - Customize an FSSO file.
      - Identify the log on form.
      - Fill out the FSSO file for the log on form.
    - Create a junction that uses FSSO using pdadmin or the Web Portal Manager.
  - Create junctions that connect to multiple backend servers.
    - Add a host to an existing junction using pdadmin or the Web Portal Manager.
    - Remove a host from an existing junction using pdadmin or the Web Portal Manager.
- Given access to the customer network architecture and Tivoli Access Manager component placement, propose firewall policies so that Tivoli Access Manager components can communicate successfully.
With emphasis on performing the following tasks:
  - Open the appropriate port for non-SSL LDAP communication from WebSEAL in the DMZ.
  - Open the appropriate port for SSL LDAP communication from WebSEAL in the DMZ.
  - Open the appropriate port for SSL communication to the Policy server from WebSEAL in the DMZ.
  - Open the appropriate port for SSL communication to WebSEAL instances from the Policy server.
  - Open the appropriate HTTP/HTTPS ports for WebSEAL to backend server communication.
  - Open the appropriate HTTP/HTTPS ports for client to WebSEAL communication.
- Given multiple replicated WebSEAL instances configured with a failover cookie and a load balancer configured in load distribution mode, configure load balancing for Tivoli Access Manager WebSEAL so that WebSEAL allows high availability of the backend servers and minimizes disruption.
With emphasis on performing the following tasks:
  - Configure WebSEAL for load balancing:
    - Sticky (stateful, server affinity)
    - Non-sticky (stateless, no server affinity)
  - Confirm whether extended attributes are to be stored in the failover cookie.
  - Configure non-sticky failover.
  - Configure sticky failover.
- Given a working set up of Tivoli Access Manager and WebSEAL, perform certificate management at WebSEAL to ensure secure communication between WebSEAL and clients, backend servers and the User Registry.
With emphasis on performing the following tasks:
  - Import certificates from backend servers for SSL junctions.
  - Import the certificate from the User Registry for secure LDAP communication.
  - Import CA certificates to set up secure communication between the browser and WebSEAL.
Section 4: Administration
- Given access to an IBM Tivoli Access Manager for e-business V6.1.1 (Tivoli Access Manager) environment, perform backup and restore activity so that service disruption is minimized.
With emphasis on performing the following tasks:
  - Configure the pdbackup utility.
  - Back up WebSEAL policies, configuration files, and key databases.
  - Restore the Policy Server and WebSEAL from backup.
- Given the Tivoli Access Manager data export or backup list and a target environment at the same level of setup, export data from one environment and import it into another so that the user successfully exports Tivoli Access Manager data for other Tivoli Access Manager environments.
With emphasis on performing the following tasks:
  - Define the list file appropriately for the Tivoli Access Manager components to be backed up or exported, or use the default file for the migration process.
  - Identify the fully qualified location for archive files.
  - Use the pdbackup utility with the appropriate parameter options to export or back up the Tivoli Access Manager components.
  - Verify the exported Tivoli Access Manager data and transfer it to the QA/Production environment.
  - Use the pdbackup utility with the appropriate parameter options to restore the data in QA/Production.
  - Verify that the data was successfully restored.
- Given organization audit requirements, set up and configure auditing so that log files are produced for events and authorizations.
With emphasis on performing the following tasks:
  - Structure and enable the Tivoli Access Manager audit processes.
  - Manage the size of audit files.
  - Capture audit and statistical data with the information gathering tool.
  - Analyze and interpret log and audit reports.
- Given the organization's security requirements, a working Tivoli Access Manager system, and the Secure Domain Admin password, configure delegated administration to create accounts so that they are able to perform the subset of administrative activities required by the organization.
With emphasis on performing the following tasks:
  - Identify whether to use enterprise domains or subdomains.
  - Create enterprise domains.
  - Create subdomains.
  - Identify the correct permission level for an administrator in a subdomain.
  - Create subdomain administrators.
- Given all the required compatible software packages and fix pack levels, upgrade Tivoli Access Manager so that Tivoli Access Manager is successfully upgraded.
With emphasis on performing the following tasks:
  - Upgrade IBM Tivoli Directory Server.
  - Upgrade the Runtime.
  - Upgrade the Policy server.
  - Upgrade the Authorization server.
  - Upgrade WebSEAL.
  - Upgrade the Runtime for Java.
  - Upgrade the Policy Proxy server.
  - Upgrade the Session management server.
  - Upgrade the Session management command line.
  - Upgrade the Session management Web interface.
  - Upgrade the plug-in for Web servers.
  - Upgrade Web Portal Manager.
- Given third-party CA certificates and intermediate CA certificates, configure WebSEAL with a third-party certificate for client authentication so that WebSEAL is configured to accept third-party client certificates.
With emphasis on performing the following tasks:
  - Configure Java and then iKeyman.
  - Change the key database password.
  - Request and receive the CA root certificate.
  - Update the CA and intermediate CA certificates in the WebSEAL KDB.
- Given that the Tivoli Access Manager base components are running, a server with WebSEAL installed, and a valid WebSEAL backup, restore the WebSEAL server so that maximum availability in the WebSEAL environment is ensured.
With emphasis on performing the following tasks:
  - Set up a new or existing server and OS for restoration.
  - Use pdbackup to restore WebSEAL data from an archive file.
  - Extract the archived WebSEAL data.
- Given access to the high-level configuration document, configure response pages so that WebSEAL responses are configured.
With emphasis on performing the following tasks:
  - Configure static HTML server response pages.
    - Configure server response page locations.
      - Configure the account management page location.
      - Configure the error message page location.
    - Configure server response page modification.
      - Define macro resources for customizing HTML response pages.
      - Add macros in a template.
      - Handle response pages from old releases of WebSEAL.
    - Configure the account management page.
      - Configure stanza entries and values.
      - Configure the account expiration error message.
    - Configure the error message page.
      - Configure the time of day error page.
      - Create new HTML error message pages.
      - Handle error pages from old releases of WebSEAL.
    - Configure multi-locale support for server responses.
  - Configure the location URL format in redirect responses.
  - Configure local response redirection.
    - Specify the URI for local response redirection.
    - Specify the operation for local response redirection.
    - Specify macro support for local response redirection.
- Given a running WebSEAL and a WebSphere Application Server instance, install, configure and administer reporting to generate the reports required by the enterprise.
With emphasis on performing the following tasks:
  - Install CAS on WAS.
  - Install TCR.
  - Configure TCR to read from the correct database.
  - Download the Tivoli Access Manager reports from IBM's site.
  - Import the Tivoli Access Manager reports into TCR.
  - Configure WebSEAL to send events to CAR.
  - Stage audit information in the database.
  - Select the appropriate report.
  - Generate reports.
  - Archive and delete old information.
  - Prune the staging tables.
  - Troubleshoot reporting.
    - Verify that CAS is running.
    - Verify that entries are written to the XML data store in the database.
    - Verify that entries are staged.
- Given that Tivoli Access Manager components are running and the customer encounters a problem, perform Tivoli Access Manager tracing and log collection so that Tivoli Access Manager tracing and debugging information is available for problem troubleshooting.
With emphasis on performing the following tasks:
  - Configure message logging through configuration files.
  - Configure Tivoli common directory logging.
  - Gather the MustGather data for each required Tivoli Access Manager component.
  - Edit the routing file for per-process tracing and restart Tivoli Access Manager components.
  - Enable pdweb tracing through pdadmin.
  - Enable core collection for crash analysis.
  - Collect debug information using Tivoli Access Manager trace facilities.
  - Consult the knowledge base.
  - Trace HTTP connections in the WebSEAL debug and snoop trace for troubleshooting.
  - Install and deploy ISA.
  - Disable tracing using the routing file and/or pdadmin.
- Given a working set up of Tivoli Access Manager, analyze the current settings of the directory server on the UNIX operating system environment so that a report of the current settings and suggested parameters which can be tuned is available.
With emphasis on performing the following tasks:
  - Analyze the operating system parameters of each server where a Tivoli Access Manager component is deployed.
    - Analyze operating system parameters such as process limits, memory allocation, and environment variables.
    - Analyze unlimited.
  - Analyze the User Registry parameters.
    - Analyze User Registry parameters such as cache and connection time out.
    - Analyze the DB2 buffer pool if using Tivoli Directory Server.
- Given access to the customer, identify the OS environment and other limitations for installation so that the user determines the mode of installation.
With emphasis on performing the following tasks:
  - Identify the OS environment and any other limitations for installation.
  - Review the modes of installation:
    - Graphical mode
    - Text-based (non-graphical) console mode
    - File (silent) mode
  - Select the appropriate mode.
Section 5: Performance Tuning and Problem Determination
- Given access to an installed and configured IBM Tivoli Access Manager for e-business V6.1.1 (Tivoli Access Manager) system, the Tivoli Access Manager Performance Tuning Guide and the results of load testing, perform tuning of Tivoli Access Manager so that the Tivoli Access Manager environment is optimized.
With emphasis on performing the following tasks:
  - Analyze the current settings of the directory server and the operating system components.
  - Tune the performance of the operating system.
  - Tune the performance of the User Registry.
  - Tune the performance of the IRA cache on Tivoli Access Manager servers.
  - Tune the performance of each Tivoli Access Manager component.
  - Configure environment variables and variables in the Tivoli Access Manager startup scripts.
  - Tune the Directory Server caches and DB2 buffer pools.
  - Configure Java heap settings.
  - Configure WebSEAL worker threads.
  - Configure WebSEAL time-outs and MIME cache settings.
- Given a configured Tivoli Access Manager system, configure and analyze log reports so that statistical information on Tivoli Access Manager components is available.
With emphasis on performing the following tasks:
  - Identify the components to collect statistics on.
  - Enable statistics on the required component.
    - Enable using the static method.
    - Enable using the dynamic method.
  - Disable statistics.
  - Gather statistical information for Tivoli Access Manager components.
- Given a working WebSEAL and backend server, measure the load on the Web server to produce load measurements.
With emphasis on performing the following tasks:
  - Enable statistics collection.
  - Get the total values.
  - Get the values for a specific junction.
  - Interpret the values.
- Given running Tivoli Access Manager components and an alternate routing file as input, enable environment variables for tracing without restarting Tivoli Access Manager so that trace output is redirected to an alternative output file without restarting Tivoli Access Manager.
With emphasis on performing the following tasks:
  - Identify the location of the routing file.
  - Identify the routing file for each component appropriately.
  - Set the $PD_SVC_ROUTING_FILE environment variable for the alternative routing file.