
Alain Bethuyne Web Security Architect BNPParibas Fortis


1 TAMeB 6.x to ISAM 8
Alain Bethuyne, Web Security Architect, BNPParibas Fortis

2 Environment
Multiple TAMeB 6.0 and 6.1.1 domains:
- Employees: from intranet (+150 applications), from internet (2 applications)
- Customers: mobile and internet banking (+15 applications)
- ATMs (debit cards, credit cards, ATMs)
- Deployments in other operational entities (Italy, France, ...)
Target environment:
- ISAM 8 on multiple VMware ESX servers to cover PROD, NON-PROD, DMZ and Fully Trusted Area
- ISAM repository on z/OS

3 Main steps of the migration
Setup ISAM domain(s)
- Configure ISAM components (LDAP, Runtime, Reverse Proxy, Syslog, FW rules, ...) for each ISAM domain (11 domains).
Preparation (more detail on the next slides)
- Modify existing services of the TAMeB 6.x infrastructure that are not supported on ISAM 8.
- Develop scripts to help deployment of the ISAM appliance and reverse proxy servers.
Migration
- Configure instances, junctions, ACLs, ... in each environment (DEV to PROD), using the migration procedure described by IBM: scripts export the configurations from TAMeB.
Validate the new infrastructure
Activate the new environment
Gradually migrate users to the new infrastructure

4 CDAS modules are not supported on ISAM 8
As is: CMAN (CDAS library/SecurIT) is used to interact with external authentication servers.
To be: Login pages are modified to send the authentication data to an EAI application. This application performs the interaction with the authentication servers and returns identity information for the WebSEAL session using EAI HTTP response headers. Where possible, the EAI returns an IV-CREDS to WebSEAL; this allows a session for the authenticated user without having information for that user in the LDAP.
Rationale:
- The EAI interface is recommended by IBM for integrating back-end servers into the authentication process.
- The EAI application is already in use for several mobile and internet banking applications.
- Cost benefit: simplify the infrastructure by removing user and group information from the LDAP.
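As an added example (not code from the presentation or from the bank), the shape of the reply an EAI application hands back to WebSEAL after checking a posted login form: the am-eai-* names are WebSEAL's EAI response headers, while the authentication server, the user entry and the attribute names are constructed stand-ins. The IV-CREDS variant (a complete credential returned in am-eai-pac, built by the STS) is not shown.

```python
# Added example, not from the presentation: the reply an EAI application
# hands back to WebSEAL after checking a login form against an external
# authentication server. The am-eai-* header names are the WebSEAL EAI
# response headers; the authentication server itself is a constructed stub.
from typing import Dict, Optional, Tuple

# Constructed stand-in for the external authentication server (the talk's
# XBSCS and friends): login name -> (secret, canonical user id, attributes).
_AUTH_SERVER = {
    "jdoe": ("correct horse battery staple", "u123456", {"branch": "BRU01"}),
}


def authenticate(login: str, secret: str) -> Optional[Tuple[str, Dict[str, str]]]:
    """Stub for the authentication-server call: (user id, attributes) or None."""
    entry = _AUTH_SERVER.get(login)
    if entry is None or entry[0] != secret:
        return None
    return entry[1], entry[2]


def eai_response(form: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Build the (HTTP status, headers) that WebSEAL reads from the EAI reply.

    WebSEAL consumes the am-eai-* headers and builds the session itself; the
    browser never receives them. The identity comes only from the
    authentication server, never from the posted form, and a failed login
    carries no am-eai-* header at all, so WebSEAL creates no session.
    """
    result = authenticate(form.get("username", ""), form.get("password", ""))
    if result is None:
        return 401, {"Content-Type": "text/plain"}
    user_id, attrs = result
    headers = {
        "am-eai-user-id": user_id,      # principal the WebSEAL session is built for
        "am-eai-auth-level": "1",       # authentication strength, used by step-up policy
        "am-eai-redir-url": "/",        # where WebSEAL sends the browser next
    }
    # Attributes listed in am-eai-xattrs are copied into the credential as
    # extended attributes; each one travels in a header of the same name.
    for name, value in attrs.items():
        headers[name] = value
    headers["am-eai-xattrs"] = ",".join(sorted(attrs))
    return 200, headers
```

WebSEAL only honours these headers on responses from a junction configured as an EAI trigger, which is what keeps a client from supplying them directly.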

5 CDAS modules are not supported on ISAM 8 (diagram)
Diagram components: Repository (ISAM LDAP, ...); EAI Application (Orchestration, Validation, Transformation); Requestor (ISAM WebSEAL); Authentication Server (XBSCS, ...); Secure Token Service (Tivoli Fed. Id. Mgr.)

6 Replace NTLM by Kerberos authentication
As is: WebSEAL, running on Solaris, delegates the NTLM authentication of employees to IIS Windows servers. These servers redirect the authenticated user information to WebSEAL using eCommunity SSO.
To be: WebSEAL authenticates the employees using the Kerberos protocol.
Rationale:
- Simplify the infrastructure: remove the TAM plug-in and the Windows servers that perform the NTLM authentication.
- Reduce the number of calls to the ISAM LDAP repository on z/OS.

7 Replace LTPA by Kerberos SSO
As is: Credential propagation to .NET applications using LTPA. This requires the installation of the TAMeB plug-in to validate the LTPA token and impersonate it into a Windows credential.
To be: Propagate the user identity using Kerberos tokens. ISAM 8 allows implementing this with the S4U2Self (impersonation based on a supplied user identity) and S4U2Proxy (Kerberos constrained delegation, KCD: a Kerberos service ticket is created for consumption by a separate identity) modules.
Rationale: Simplify by removing ISAM-specific components from the back-end application servers.

8 ISAM provisioning using LDAP & rgyJava API
As is: The identity management system transfers files with employee information to a file system, where .ksh scripts provision the TAMeB 6.x repository using pdadmin and LDAP commands.
To be: In cases where we still require the users in the LDAP, we are building an iSDI application to perform the provisioning using LDAP and the rgyJava API. This is still the case for employee applications on WebSphere which rely on LTPA for identity propagation from WebSEAL.
Rationale:
- Real-time provisioning
- High availability of the provisioning (we don't need the PdMgr anymore)

9 Provisioning using LDAP & rgyJava API (diagram)
Diagram components: Identity System; iSDI (LDAP: Validate, Transform; Monitor and control (TPS)); ISAM LDAP (LDAP, rgyJava)
Directory Integrator exposes a standard LDAP interface. Directory Integrator provisions the ISAM repository using LDAP (for user attributes and some secAuthority attributes) and the rgyJava API.

10 Centralized logging and monitoring
As is: WebSEAL request, system, audit, ... log files are written to the local file system. Scripts extract specific content, handle archiving and perform SFTP to a centralized location. Scripts monitor WebSEAL instances and configuration data (e.g. certificate validity, junction status, ...) using pdadmin commands.
To be: WebSEAL logs to remote syslog servers. Adapt the monitoring scripts to use the ISAM REST service API.
Rationale:
- Centralize the log files from all instances and components
- Control access to the log files

11 Improvements for the ISAM 8 virtual appliance
Centralised configuration, deployment and monitoring tool:
- Central DB to store infrastructure and configuration information
- REST services to manage the central DB
- REST services to manage deployment
Possibility to run our own code on the appliance:
- Run WebSphere applications on the appliance
- Transform externally exposed web services and APIs into internal services
- Convert between SOAP messages, REST JSON web services and XML messages
- Perform authentication and authorization for REST web services
- ...

12 Centralised configuration and deployment (diagram only)

