Security authentication mechanism in AIX

An authentication mechanism verifies which users are allowed to access a
system. The administrator defines the authentication protocol; based on that
protocol, users' credentials are verified and users are granted access to the
system. AIX provides several authentication and identification modules. A
user's authentication and identification are performed based on the user's
attributes on AIX. This article covers the user's authentication and
identification attributes, the load modules available in AIX, and a new authentication attribute introduced in the AIX 6.1 TL07 and AIX 7.1 TL1 releases.


Java web services: WS-Trust and WS-SecureConversation

WS-Security adds enterprise-level security features to SOAP message exchanges, but at a substantial performance cost. WS-Trust builds on WS-Security to provide a way of exchanging security tokens, and WS-SecureConversation builds on WS-Security and WS-Trust to improve performance for
ongoing message exchanges. Dennis Sosnoski continues his Java web services column series with an introduction to WS-Trust and WS-SecureConversation.
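The performance gain of WS-SecureConversation comes from doing the expensive token exchange once, then deriving cheap per-message symmetric keys from the shared SecurityContextToken secret. The following is an added example (not code from the column or from any product) of that derivation as WS-SecureConversation 1.3 specifies it: TLS P_SHA-1 over the label concatenated with the nonce, sliced by offset and length, which are the same values that travel in the DerivedKeyToken element. The secret, nonces and the use of the default label are assumptions constructed for the example.

```python
import hmac
import hashlib
import os

# Default DerivedKeyToken label from WS-SecureConversation 1.3 (assumption: a
# deployment may instead concatenate distinct client and service labels).
DEFAULT_LABEL = b"WS-SecureConversation"


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS P_SHA-1 (RFC 2246 section 5): HMAC-SHA1 expansion of secret over seed."""
    output = b""
    a = seed                                                       # A(0) = seed
    while len(output) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()             # A(i) = HMAC(secret, A(i-1))
        output += hmac.new(secret, a + seed, hashlib.sha1).digest()  # HMAC(secret, A(i) + seed)
    return output[:length]


def derive_key(secret: bytes, nonce: bytes, *, offset: int = 0, length: int = 32,
               label: bytes = DEFAULT_LABEL) -> bytes:
    """DerivedKeyToken: bytes [offset, offset+length) of P_SHA1(secret, label + nonce).
    offset, length, nonce and label are exactly what the sender places in the
    <wsc:DerivedKeyToken> element, so the receiver can recompute the same key."""
    if offset < 0 or length <= 0:
        raise ValueError("offset must be >= 0 and length > 0")
    return p_sha1(secret, label + nonce, offset + length)[offset:]


def generation_key(secret: bytes, nonce: bytes, generation: int, length: int = 32) -> bytes:
    """Alternative addressing via <wsc:Generation>: Offset = Generation * Length."""
    return derive_key(secret, nonce, offset=generation * length, length=length)


# Constructed SecurityContextToken secret shared by requester and service (not a capture).
SCT_SECRET = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


def simulate_exchange(secret: bytes = SCT_SECRET) -> bool:
    """Requester derives a key for one message; the service re-derives it from the
    DerivedKeyToken fields it received. A fresh nonce must yield a different key."""
    nonce = os.urandom(16)
    requester_key = derive_key(secret, nonce, offset=0, length=32)
    service_key = derive_key(secret, nonce, offset=0, length=32)
    next_message_key = derive_key(secret, os.urandom(16), offset=0, length=32)
    return requester_key == service_key and requester_key != next_message_key


if __name__ == "__main__":
    print("derived keys agree:", simulate_exchange())
```

Two things worth checking in any implementation: a reused nonce with the same offset and length reproduces the same key, so nonce generation must be unpredictable, and the derived key is only as strong as the context secret it expands.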


Understanding single sign-on (SSO) between IBM Lotus Domino and IBM WebSphere Portal

This white paper provides an in-depth explanation of how the single
sign-on (SSO) feature works between IBM Lotus Domino and IBM WebSphere Portal.
Learn the basics of how cookies are written to―and used in―Internet browsers,
how the cookies are used to enable SSO, and exactly what is in the token and
why it’s needed for SSO between two servers. Included are specific details of
where the WebSphere Portal and Lotus Domino servers configure each part of the
cookie used for SSO, the LTPAToken. Editor’s Note: This white paper is the
first in a three-part series on SSO to be published over the next few months.
See the second paper, “Configuring single sign-on (SSO) between IBM WebSphere
Portal and IBM Lotus Domino.”


Managing OpenID trusted sites with Tivoli Federated Identity Manager

IBM Tivoli Federated Identity Manager 6.2 (TFIM) introduces support for the OpenID 1.1 and 2.0 authentication protocols. When configured in the role of an OpenID Provider (Identity Provider), TFIM allows end users to record choices about authenticating to trusted relying-party sites. For example, a user may select "Allow authentication forever" for a particular relying party, and may select which attributes they are willing to share with that site. By default TFIM stores these choices in persistent cookies in the user's browser. The cookie technique is effective, but the choices do not follow a user across different browsers. This article demonstrates how to write your own plug-in for the storage and retrieval of user choices (for example, in a database) via the TFIM TrustedSitesManager extension point.


User Centric Identity with Tivoli Federated Identity Manager, Part 2: Self registration and account recovery using information cards and OpenID

Attracting users to register at your retail Web site has always been a challenge. Not only do you need to have a fantastic service to offer, you also need to make the on-boarding process as simple and convenient as possible.
Traditional federation technologies like Liberty and SAML allowed companies to collaborate with tightly-coupled user bases by establishing 1:1 or many:few relationships; however, that model does not scale to the true retail space.
User Centric Identity management technologies like OpenID and Information Cards allow people to manage their own identity attributes at distributed “Identity Providers” (including self-issued Information Cards).
This article will demonstrate how to implement self-registration using an Information Card or OpenID (with the simple registration extension – SREG). Automated recovery of an account is also implemented, such as when
the user centric credential with which it was registered is lost. Sample code is provided to rapidly enable these capabilities with IBM Tivoli Federated Identity Manager 6.2.
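When a relying party pre-fills a registration form from an OpenID assertion, the security-relevant step is to use only the Simple Registration attributes the OpenID Provider actually signed; anything else in the return_to query string can be appended by whoever crafted the redirect. The following is an added example (not sample code from the article or from TFIM) that builds a checkid_setup request with the SREG extension and then extracts attributes from a positive assertion, discarding any attribute, or the whole extension, not covered by openid.signed. The assertion shown is constructed for the example; signature verification itself (against the association or via check_authentication) is assumed to have been done by the caller.

```python
from urllib.parse import parse_qsl, urlencode

OPENID2_NS = "http://specs.openid.net/auth/2.0"
SREG_NAMESPACES = {"http://openid.net/extensions/sreg/1.1", "http://openid.net/sreg/1.0"}


def build_sreg_checkid_request(claimed_id, return_to, realm, required, optional, policy_url=None):
    """Query parameters a relying party sends to the OP endpoint for checkid_setup with SREG."""
    params = {
        "openid.ns": OPENID2_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.realm": realm,
        "openid.ns.sreg": "http://openid.net/extensions/sreg/1.1",
        "openid.sreg.required": ",".join(required),
        "openid.sreg.optional": ",".join(optional),
    }
    if policy_url:
        params["openid.sreg.policy_url"] = policy_url
    return params


def parse_assertion(query: str) -> dict:
    """Decode the return_to query string into the assertion's key/value fields."""
    return dict(parse_qsl(query, keep_blank_values=True))


def signed_sreg_fields(assertion: dict) -> dict:
    """Return SREG attributes from a positive assertion, keeping only signed ones.
    Assumes openid.sig has already been verified over the openid.signed list."""
    if assertion.get("openid.ns") != OPENID2_NS or assertion.get("openid.mode") != "id_res":
        raise ValueError("not an OpenID 2.0 positive assertion")
    signed = set(assertion.get("openid.signed", "").split(","))
    # The extension alias is chosen by the OP; find every alias bound to an SREG namespace.
    aliases = [k[len("openid.ns."):] for k, v in assertion.items()
               if k.startswith("openid.ns.") and v in SREG_NAMESPACES]
    result = {}
    for alias in aliases:
        if f"ns.{alias}" not in signed:
            continue  # namespace binding itself unsigned: ignore the whole extension
        prefix = f"openid.{alias}."
        for key, value in assertion.items():
            if key.startswith(prefix) and key[len("openid."):] in signed:
                result[key[len(prefix):]] = value
    return result


def sreg_from_query(query: str) -> dict:
    return signed_sreg_fields(parse_assertion(query))


# Constructed positive assertion (not a capture): email and nickname are signed,
# fullname was appended to the query string and is not.
SAMPLE_ASSERTION = urlencode({
    "openid.ns": OPENID2_NS,
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.example.org/openid",
    "openid.claimed_id": "https://op.example.org/id/alice",
    "openid.identity": "https://op.example.org/id/alice",
    "openid.return_to": "https://shop.example.com/register/return",
    "openid.response_nonce": "2009-01-01T00:00:00Zabc",
    "openid.assoc_handle": "handle-1",
    "openid.ns.sreg": "http://openid.net/extensions/sreg/1.1",
    "openid.sreg.email": "alice@example.com",
    "openid.sreg.nickname": "alice",
    "openid.sreg.fullname": "Alice Injected",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,"
                     "assoc_handle,ns.sreg,sreg.email,sreg.nickname",
    "openid.sig": "c2lnbmF0dXJl",
})

if __name__ == "__main__":
    print(sreg_from_query(SAMPLE_ASSERTION))
```

For account recovery the same rule applies in reverse: the attribute used to re-link a lost credential to an existing account (typically the email) must come from the signed set, or an attacker who controls a different OpenID could claim someone else's account.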


Secure replication in IBM Tivoli Directory Server

This article describes how to configure different replication topologies in IBM Tivoli Directory Server (TDS) using simple shell scripts. The scripts can be used to configure all supported replication topologies (peer-to-peer, master-replica-forwarder, gateway, and so on) using simple bind, SSL with certificates, or Kerberos as the authentication mechanism between the replicating servers. The information in this article applies to TDS version 5.2 and later.


TAMeb and portals: Single sign-on concepts and considerations

The prevalence of portal products introduces interesting challenges to IT architects
who require a single sign-on (SSO) solution that incorporates their enterprise portal and the enterprise
applications. One such challenge is determining the method of sign-on to both the portal and the
portal-managed content where access to enterprise applications is via an authenticating reverse proxy,
such as Tivoli Access Manager WebSEAL. This article outlines the architecture and concepts involved in
performing single sign-on from the browser, through the portal, to the enterprise applications.


ASP.NET Authentication using LTPA and Tivoli Federated Identity Manager (TFIM)

In this article, we show you how to enable your ASP.NET applications for federated single sign-on using IBM Tivoli Federated Identity Manager (TFIM) 6.1.1.1 to translate LTPA cookies set by IBM WebSphere Application Server. We show how to create an ASP.NET HTTP module that extracts the LTPA cookie and then uses TFIM to translate the token into a username via WS-Trust.


Intranet Single Sign-On for Windows and Tivoli Access Manager

Microsoft Windows-based intranets allow desktop credentials to be used to sign on to intranet infrastructure based on Microsoft Internet Information Services (IIS). This is implemented using Microsoft's SPNEGO HTTP authentication protocol, which carries either NTLM or Kerberos credentials. Until IBM Tivoli Access Manager for e-business (TAM) 4.1 was released there was no way to achieve the same sign-on to TAM's WebSEAL web resource authorization engine. With TAM 4.1 this sign-on can be achieved by combining the SPNEGO sign-on capability of the TAM Plug-in for IIS with the e-Community single sign-on capability of WebSEAL. This article describes in detail the configuration steps required to make this work.
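Because SPNEGO lets the browser negotiate either Kerberos or NTLM, a deployment that was meant to use Kerberos can silently degrade to NTLM (for example when the service principal name is missing or the client is not domain-joined). The following is an added example (not code from the article, from TAM or from IIS) that classifies the token in an HTTP "Authorization: Negotiate" header from its GSS-API framing and the mechanism OIDs it carries, which is the check a practitioner runs on proxy logs to confirm what is really being used. The sample headers are constructed, the inner tokens are not real tickets, and the mechTypes inspection is a substring scan rather than a full ASN.1 parse.

```python
import base64
import binascii

# DER-encoded OIDs (tag 0x06, length, content), derived from the OID values.
SPNEGO_OID = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")       # 1.2.840.113554.1.2.2
MSKRB5_OID = bytes.fromhex("06092a864882f712010202")     # 1.2.840.48018.1.2.2
NTLMSSP_OID = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10


def _gss_body(token: bytes):
    """Strip the RFC 2743 InitialContextToken header: [APPLICATION 0] 0x60 + DER length."""
    if len(token) < 2 or token[0] != 0x60:
        return None
    first = token[1]
    if first < 0x80:
        return token[2:]
    n = first & 0x7F
    if n == 0 or n > 4 or len(token) < 2 + n:
        return None
    return token[2 + n:]


def classify_negotiate(header_value: str) -> str:
    """Classify an Authorization header value by the mechanism its token carries."""
    scheme, _, encoded = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    try:
        token = base64.b64decode(encoded.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "malformed"
    if token.startswith(b"NTLMSSP\x00"):
        return "ntlm-raw"            # bare NTLMSSP message: no Kerberos at all
    body = _gss_body(token)
    if body is None:
        return "unknown"
    if body.startswith(SPNEGO_OID):
        # Heuristic: if NTLM is offered and neither Kerberos OID appears, the
        # client could not obtain a ticket and is falling back to NTLM.
        if NTLMSSP_OID in body and KRB5_OID not in body and MSKRB5_OID not in body:
            return "spnego-ntlm-only"
        return "spnego"
    if body.startswith(KRB5_OID) or body.startswith(MSKRB5_OID):
        return "kerberos-raw"
    return "unknown"


def gss_wrap(body: bytes) -> bytes:
    """Frame body as an InitialContextToken (short or long DER length form)."""
    n = len(body)
    if n < 0x80:
        return b"\x60" + bytes([n]) + body
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x60" + bytes([0x80 | len(length_bytes)]) + length_bytes + body


def negotiate_header(token: bytes) -> str:
    return "Negotiate " + base64.b64encode(token).decode("ascii")


# Constructed header values (not captures); the inner bytes only mimic the OID layout.
SAMPLES = {
    "ntlm": negotiate_header(b"NTLMSSP\x00\x01\x00\x00\x00"),
    "spnego_krb": negotiate_header(gss_wrap(SPNEGO_OID + b"\xa0\x00" + MSKRB5_OID + KRB5_OID + NTLMSSP_OID)),
    "spnego_ntlm": negotiate_header(gss_wrap(SPNEGO_OID + b"\xa0\x00" + NTLMSSP_OID)),
    "krb_raw": negotiate_header(gss_wrap(KRB5_OID + b"\x01\x00")),
    "basic": "Basic YWxpY2U6c2VjcmV0",
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(f"{name:12s} -> {classify_negotiate(header)}")
```

A "spnego-ntlm-only" or "ntlm-raw" result on a host that is supposed to be Kerberos-only is the signal to check the registered SPN and the client's domain membership before relying on the e-Community sign-on chain behind it.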
