it_user590454 - PeerSpot reviewer
IAM Security Architect & Consultant at a tech services company with 51-200 employees
Consultant
Jan 31, 2017
Acts as a reverse proxy, a single point for authentication and authorization. Advanced access control introduces adaptive or risk-based authentication.
Pros and Cons
  • "It is a very stable and good product."
  • "The license model is pretty complex."

What is most valuable?

A number of new features, such as application firewall and load balancer, were added to this solution. These features are no longer available as a software version, but only as an appliance (virtual or hard).

The same appliance firmware allows you to enable more features, such as advanced access control and federation, for all of the components.

How has it helped my organization?

It acts as a reverse proxy, a single point for authentication and authorization. Advanced access control introduces adaptive or risk-based authentication. Federation makes it possible to federate using SAML and OAuth.

What needs improvement?

I would like to see the possibility to administer the appliances from one “master” appliance, instead of having to log in to each particular appliance.

If you have, for example, 4 appliances, two act as reverse proxy and two as master appliances (with policy server configured in HA) … If you want to administer these appliances, you must log in to each particular appliance. It would be nice if you could administer all of them through that one ‘master’ appliance… avoiding having to set up a direct connection, as is currently the case.

For how long have I used the solution?

I have been using this solution for approximately 11 years.

Buyer's Guide
IBM Tivoli Access Manager [EOL]
June 2026
Learn what your peers think about IBM Tivoli Access Manager [EOL]. Get advice and tips from experienced pros sharing their opinions. Updated: June 2026.
900,838 professionals have used our research since 2012.

What do I think about the stability of the solution?

There were some stability issues at the very beginning when we were moving from the software version to the appliance. IBM allowed customers and partners to interact directly with developers and others responsible for the product, so we could address issues, provide feedback, and get support.

What do I think about the scalability of the solution?

The solution is very scalable, especially with the move to appliances. Adding reverse proxy appliances to existing appliance clusters is very straightforward.

How are customer service and support?

I would give technical support a rating of 8 out of 10.

Which solution did I use previously and why did I switch?

I have used several solutions in the past.

We chose this solution for the following reasons:

  • It is very easy to set up.
  • The policy server is not actively used during authentication and is solely used for administration.
  • No plugin is required on any HTTP server.
  • It comes with a standalone (no-plugin) reverse proxy. That is in contrast to some other web access management solutions.
  • The IBM reverse proxy does not have a large support matrix upon which the HTTP-servers depend.

What about the implementation team?

The implementation was straightforward and well documented as follows:

  1. Deploying the appliances in the network infrastructure.
  2. Configuring the network interfaces and routing tables.
  3. Starting the configuration of WebSEAL and other required components (AAC or federation). Some background knowledge is required to set up WebSEAL.

What's my experience with pricing, setup cost, and licensing?

The license model is pretty complex. Some other IBM products are included and are not dependent on the form factor of the appliance. (Dependent products are IBM Directory Server and Directory Integrator.)

A combination of hard and soft appliances may be beneficial instead of solely using hard appliances. (It might be overkill to host a simple policy server.)

Which other solutions did I evaluate?

We evaluated alternative solutions, such as: CA SiteMinder, ForgeRock AM, and Microsoft ISA Server.

What other advice do I have?

It is a very stable and good product. The AAC-module becomes a necessity because authorization is moving from a static model (a static access control list based on static group membership) to a more dynamic model, based on user behavior and attributes.

Disclosure: My company has a business relationship with this vendor other than being a customer. We are an IBM Business Partner.
it_user594669 - PeerSpot reviewer
Tivoli Consultant at a government with 1,001-5,000 employees
Vendor
Jan 29, 2017
AuthN and AuthZ mechanisms are built-in.
Pros and Cons
  • "Some of the valuable features are: reverse proxy; protected object space; ease of integration; multiple and robust AuthN and AuthZ mechanisms built-in; no single point of failure (SPOF)."
  • "The TAMeB policy server is not scalable."

What is most valuable?

Some of the valuable features are:

  • Reverse proxy
  • Protected object space
  • Ease of integration
  • Multiple and robust AuthN and AuthZ mechanisms built-in
  • No single point of failure (SPOF)

How has it helped my organization?

It has improved the working of our organization by having:

  • Multiple endpoints integrated
  • One integration point with reverse proxy for multiple portals

What needs improvement?

The Tivoli Access Manager v6.1.1 (TAMeB) came in a software form factor. It needed a separate LDAP server; and usually separate servers for policy/AuthZ servers and WebSEAL. Besides, for scalability purposes, WebSEAL is usually deployed on multiple front-end servers that are load balanced. For a large user base in a standalone environment, TAMeB requires at least 3 servers. For a simple HA environment, it doubles that number to 6. Now these factors affect the regular maintenance schedule and it becomes quite "bulky" from an infrastructure perspective.

Besides this, TAMeB in its software form factor has multiple software components to be installed in a particular sequence.

Hence, from a TAMeB deployment perspective, both these factors have scope for improvement in its current form.

For how long have I used the solution?

I have used this solution for five years.

What do I think about the stability of the solution?

It is highly stable. No issues were encountered by us.

What do I think about the scalability of the solution?

The TAMeB policy server is not scalable.

How are customer service and technical support?

I would rate the technical support an 8/10.

Which solution did I use previously and why did I switch?

Before, no other policy-based AuthZ solution was in place at this client.

What about the implementation team?

The initial setup was complex because:

  • Bulky server infrastructure was needed.
  • Complex installation procedure.
  • Too many components to be installed in a particular sequence.

What's my experience with pricing, setup cost, and licensing?

The pricing and licensing policy depends on the client deployment needs and the number of end users and servers.

The license for the product is expensive but flexible.

You can choose from the User Value Unit (UVU)- and Processor Value Unit (PVU)-based licensing models.

Which other solutions did I evaluate?

Before choosing, we looked at another solution, namely CA SiteMinder.

What other advice do I have?

The subsequent version of this product comes in an appliance form factor. The appliance form factor is easy to work with. Thus, you have a choice to select from a virtual or hardware appliance form factor in order to implement this product.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
it_user595737 - PeerSpot reviewer
Service Now Consultant at a tech services company with 51-200 employees
Consultant
Jan 29, 2017
Multiple instances per component can be installed with load balancers.
Pros and Cons
  • "It provides good scalability and reliability, not to mention the overall availability of the service."
  • "Sometimes, there are long running support tickets (for 6-8 months) and that is unacceptable from the customer's point of view."

What is most valuable?

Some valuable features in this product are: WebSEAL policy, proxy servers, LDAP server (IBM TDS).

The modularity with which each component may run on a different host is valuable. In addition, multiple instances per component might be installed with load balancers. It provides good scalability and reliability, not to mention the overall availability of the service.

How has it helped my organization?

The entire security of the intranet and internet web applications has been covered by the TAM environment.

What needs improvement?

It happened from time to time, that is, after a long period without a restart, that the TDS/LDAP instances crashed and remained in a hanging state. A restart did solve the issue, but support was not able to find the cause, despite the fact that the latest fix pack was installed for TDS v6.3.

A similar issue came up when LDAP requests did cause performance issues on TDS or caused the TDS to crash.

As information on fixes and issues related to ITDS are publicly available, let me point you to the respective site:

You may notice, there are several issues listed, which lead to a crash.

Not sure which one is/was ours, but please notice that TAM/SAM requires multiple software bundles to be installed (like GSKit, Java SDK, WAS, DB2) – each of them having issues.

For how long have I used the solution?

I have used this solution for five years.

What do I think about the stability of the solution?

We experienced crashing of LDAP with some specific queries and it affected performance of the TDS proxy.

What do I think about the scalability of the solution?

It is scalable via load balancers but there are some issues with sync while using several LDAP trees.

How are customer service and technical support?

I would give the technical support an 8/10 rating. Sometimes, there are long running support tickets (for 6-8 months) and that is unacceptable from the customer's point of view.

Which solution did I use previously and why did I switch?

We were not using any other solution before. We were partially using Apache reverse proxy along with LDAP.

What about the implementation team?

The setup is complex. Without training and prior knowledge, it is hard to get a working environment.

What other advice do I have?

As far as I know, the later versions of TAM (renamed to SAM), are working as appliances and with that, no experience is needed. My advice is to be careful and think twice.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Security Team Leader at SYSM GmbH
Vendor
Sep 11, 2016
It is now available as a physical or virtual appliance. This simplifies the management a lot, and the deployment as well.
Pros and Cons
  • "It is a simple-to-deploy solution, with many features that are supported out-of-the-box without complicated setup."
  • "What I don’t particularly like is the flow duration."

What is most valuable?

Since a couple of versions back, the product moved to a different “mentality” I would say. Compared to when it was deployed as a software package, things are now much smoother in that direction. The product is coming as an appliance (either hardware or virtual). This method simplifies the management a lot, and the deployment as well. It provides SSO across applications, together with risk-based access and strong multi-factor authentication. Very flexible and scalable.

What needs improvement?

There are a few things where there is room for improvement:

Log management via UI is one of them. Automation can be achieved via REST APIs, for example, but in a small environment, when a customer is using the UI, for example, you cannot do a multiple selection of logs (to be deleted let’s say). Or a filtering of those.

A better/easier-to-use (user-friendly) interface. A more intuitive interface and menu navigation would be useful.

Rollback of FixPacks to be available via UI as well. At the moment, if you want to roll back a FP, you can do it only via LMI (appliance console).
Those would be my main requests to be improved.

For how long have I used the solution?

I’ve been using the product since 2009.

What do I think about the stability of the solution?

I think in the earlier versions I was working with, there were (a few times) some small stability issues, but those were related more to the very custom environments on the customer side.

What do I think about the scalability of the solution?

No scalability issues on this side.

How are customer service and technical support?

Technical support is doing its job mostly. What I don’t particularly like is the flow duration. But it really depends on the magnitude of the problem you have. I would rate it as good to very good in most cases.

Which solution did I use previously and why did I switch?

I did not previously use a different solution.

Which other solutions did I evaluate?

I haven’t used any other vendor’s products.

What other advice do I have?

It is a simple-to-deploy solution, with many features that are supported out-of-the-box without complicated setup. But, depending on your requirements, it can become complex but not hard to manage.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Sales Engineer - Identity and Access Management at Sailpoint
Real User
Top 10
Sep 6, 2016
The single sign-on configurations support multiple types of configurations, including FSSO, HTTP, SAML.
Pros and Cons
  • "This product is highly recommended to meet access management and web single sign-on requirements."
  • "The user interface looks like it was designed for technical personnel only."

What is most valuable?

The single sign-on configurations are unique to the product. They support multiple types of SSO configurations, including FSSO, HTTP, SAML. The most robust functionality for SSO is its EAI (External Authentication Interface) option. EAI allows customers to customize their authentication mechanisms as per their needs.

Access management for web resources is simple to configure but highly impenetrable. It can search all the resources in the protected system and allows you to manage user access with a few clicks.

How has it helped my organization?

The robust single sign-on feature allows business users to improve their productivity in their day-to-day tasks. It also provides end-user activity visibility on critical applications.

What needs improvement?

The user interface looks like it was designed for technical personnel only. The interface is part of the WebSphere Admin console. A lot of configurations, including those for SSO, are done through scripts and config files. The GUI could incorporate these configurations.

For how long have I used the solution?

I have used it for four years.

What do I think about the stability of the solution?

If we talk about out-of-the-box functionality, the product is highly stable. For the areas in which the product allows customization, stability is dependent on the quality of customization done.

What do I think about the scalability of the solution?

The product is highly scalable; very simple to increase the scale of deployment.

How are customer service and technical support?

IBM provides prompt support on any issues faced. IBM is willing to go an extra mile to help meet their customers’ requirements.

Which solution did I use previously and why did I switch?

This was the first product I have worked with.

How was the initial setup?

Initial setup in older versions was quite complex, but with the newer versions it is quite simple. The product also comes with a pre-configured appliance.

What's my experience with pricing, setup cost, and licensing?

I am more involved in the technical side, with limited knowledge of licensing and pricing.

Which other solutions did I evaluate?

I am part of an organization which is an IBM business partner and provides services using IBM products only.

What other advice do I have?

This product is highly recommended to meet access management and web single sign-on requirements.

Disclosure: My company has a business relationship with this vendor other than being a customer. My company is an IBM business partner.
PeerSpot user
Solution Architect Lead at an insurance company with 1,001-5,000 employees
Real User
Sep 1, 2016
It can map a user account in a domain controller to a web application's user account that has a different ID, in collaboration with IBM Tivoli Identity Manager.
Pros and Cons
  • "The combination of TAM with IDM in IBM Tivoli Identity Manager helped us to realize robust and secure authentication infrastructure in accordance with industry regulations and laws."
  • "Initial setup was complicated because TAM was implemented as a part of the IDM solution."

Valuable Features

WebSEAL is a reverse proxy web server that performs authentication and authorizations. It is similar to CA SiteMinder Secure Proxy Server. The advantage of WebSEAL is that WebSEAL supports SPNEGO protocol and Kerberos authentication to support Windows desktop single sign-on. Actually, Apache HTTP server supports SPNEGO protocol, as well. However, TAM can map a user account in a domain controller to a web application's user account that has a different ID, in collaboration with IBM Tivoli Identity Manager (TIM).

Improvements to My Organization

The combination of TAM with IDM in IBM Tivoli Identity Manager helped us to realize robust and secure authentication infrastructure in accordance with industry regulations and laws.

  1. Providing centralized authentication authority and enforcing consistent authorization policies to users.
  2. Realizing ease of user accesses using enterprise level single sign-on.
  3. Improving traceability of application uses.

On the other hand, Tivoli Identity Manager known as TIM provides centralized ID lifecycle management as an IDM solution.

By using TIM together with TAM, the following benefits are served:

Many actual accounts in several LDAPs, including TAM LDAP, are managed by TIM LDAP. (The LDAP directory tree supports a nested structure known as the “Person has many accounts” model.) In addition, a person can have many attributes, like department code, job grade, hiring date, resignation date in the future, etc.

By using these attributes, all accounts which belong to the person can automatically be activated or inactivated. Specifically, account creation/deletion/update can be executed automatically by using HR information. If someone reaches his/her retirement date, the account is inactivated by an automated workflow process, without raising an account deletion request.

In addition, a process called “Reconciliation” checks several LDAPs (e.g. Active Directory), and can harmonize account information and its attributes between TIM and the LDAP. For example, if an improper account is directly created in Active Directory, the scheduled Reconciliation process detects the account and revokes it based on preset rules.

This is the reason I recommend using TAM together with TIM.

Room for Improvement

Due to a constraint of the built-in browser in a Handy phone (called NTT i-Mode), the former version of TAM could not be used in the Japan market. The issue was resolved by the decline of Japan-specific Handy phones.

Cookies were not supported in i-Mode browser ver.1, which had the highest market share in Japan. Hence, sessions between that browser and WebSEAL could not maintain the session state using a cookie. The constraint had widespread implications. Some examples: re-authentication, session affinity, cookie-based failover mechanisms. Besides, IBM Japan declared that all browsers built in Handy phones were not supported officially in that version.

Rather than a weakness of the WebSEAL specification, that constraint was caused by the insufficient i-Mode browser specification, which was developed by NTT Docomo. Considering the negatives, we could not use WebSEAL for Handy-phone facing applications. (A workaround might exist, but the industry-standardized manner of using cookies was in our favor.)

Use of Solution

An insurance company I left three years ago has been using TAM for 10 years.

Stability Issues

I did not encounter any stability issues.

Scalability Issues

I did not encounter any special scalability issues, because Access Manager Policy Server offloads the access traffic to the Master authorization policy store to a replica on WebSEAL Server. Likewise, PD.Acld on a back-end web application acts as a proxy of Policy Server.

Customer Service and Technical Support

Technical support is 6/10.

Initial Setup

Initial setup was complicated because TAM was implemented as a part of the IDM solution. It took me a long time to set up the directory integration among many user stores, e.g., Tivoli Identity Manager, Active Directory, Lotus Domino Directory, application user store using database.

Pricing, Setup Cost and Licensing

The user-based licensing is relatively expensive in a large-scale enterprise. Therefore, proper understanding of the AAA solution by executive management is strongly needed to obtain the budget, in addition to discount negotiation.

Other Solutions Considered

I evaluated the following solutions:

After the results, the company decided to use TAM, following my recommendation at that time.

Other Advice

It is essential to hire an SME who has the appropriate skills with the products, in order to avoid vendor lock-in.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
it_user185811 - PeerSpot reviewer
Information Security Engineer with 1,001-5,000 employees
Vendor
Jan 26, 2015
Logging needs improvement.
Pros and Cons
  • "We have managed to automate the creation of all employees, and the company's clients and then assign the accounts/accesses according to business need."
  • "The initial set-up is a bit complex for a novice as the Linux version of it needs you to be somewhat good with Linux."

What is most valuable?

Identity management

How has it helped my organization?

We have managed to automate the creation of all employees, and the company's clients and then assign the accounts/accesses according to business need.

What needs improvement?

TIM logging

For how long have I used the solution?

Three and a half years.

What was my experience with deployment of the solution?

Little issues that were quick to resolve. I don't understand why they have to separate the deployment, as I have used other products that make the deployment as easy as possible.

What do I think about the stability of the solution?

Never.

What do I think about the scalability of the solution?

Never.

How are customer service and technical support?

Good.

Which solution did I use previously and why did I switch?

I have only ever used this product.

How was the initial setup?

The initial set-up is a bit complex for a novice as the Linux version of it needs you to be somewhat good with Linux. There are certain OS requirements which, if you are not familiar with Linux, you are going to struggle with a bit.

What about the implementation team?

Through a vendor team, and their level of expertise was very high.

Which other solutions did I evaluate?

No other options were evaluated.

What other advice do I have?

It is a very good product to implement.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
it_user184626 - PeerSpot reviewer
Manager of Online Web Services Team at a financial services firm with 1,001-5,000 employees
Vendor
Jan 22, 2015
Keeps our web applications secure despite the Web Portal Manager not implementing the full set of functions
Pros and Cons
  • "IBM directory server offers the best roll-out experience."
  • "Web Portal Manager does not implement the full set of functions found in the command line"

What is most valuable?

Web security.

How has it helped my organization?

It keeps our web applications secure.

What needs improvement?

Web Portal Manager does not implement the full set of functions found in the command line.

For how long have I used the solution?

Nine years.

What was my experience with deployment of the solution?

There are some challenges between major version upgrades. We usually wait for the first fix pack before evaluating the system for an upgrade.

What do I think about the stability of the solution?

Early versions had issues but since version 5.1 it has been very stable.

What do I think about the scalability of the solution?

No issues encountered.

How are customer service and technical support?

Customer Service:

Very good.

Technical Support:

It depends on who you get. Some Level One technicians are better than others. When you get to Level Two and Three it's much improved. We've dealt directly with the developers on several occasions and those folks are the best.

Which solution did I use previously and why did I switch?

No previous solution was used.

How was the initial setup?

I was not involved in the initial roll-out but did participate in the upgrades from v4.1 to v5.1 and from v5.1 to v6.1. The junction file format changed from v5.1 to v6.1, which caused some challenges.

What about the implementation team?

In-house implementation.

What other advice do I have?

IBM directory server offers the best roll-out experience. We are just beginning to look at using Active Directory for our repository,

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Consultant at a tech consulting company with 51-200 employees
Consultant
Jan 22, 2015
WebSEAL provides a large number of authentication options out of the box but the admin UI needs to be friendlier.
Pros and Cons
  • "It has helped them to improve and control web and mobile application security."
  • "This product is also available in the appliance offering which has not yet matured and has many issues."

What is most valuable?

Reverse proxy component, known as WebSEAL. It provides a large number of authentication options that are out of the box.

How has it helped my organization?

I am a consultant and work on designing and implementing this tool for our customers. It has helped them to improve and control web and mobile application security.

What needs improvement?

This product is also available in the appliance offering, which has not yet matured and has many issues. Most of the time, application of fix packs causes problems with existing functionality. Also, all the features of the product are not available in the appliance version. Lastly, there is huge room to improve the administration UI to make it more user-friendly.

For how long have I used the solution?

10 years.

What was my experience with deployment of the solution?

Deployment is quite easy, and the only issues that were faced were with fix pack applications afterwards.

What do I think about the stability of the solution?

Not really.

What do I think about the scalability of the solution?

No issues encountered.

How are customer service and technical support?

Customer Service:

Overall, it's decent. Many times it depends on the IBM support team member handling the customers' issue.

Technical Support:

Overall, it's decent. Many times it depends on the IBM support team member handling the customers' issue.

Which solution did I use previously and why did I switch?

I have not used a different solution.

How was the initial setup?

Initial set-up is straightforward.

What other advice do I have?

It's one of the best available products of its class. Worth investing in.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Technical Lead at a tech services company with 10,001+ employees
Real User
Jan 15, 2015
Has provided more secure computing. Unfortunately, has many issues with deployment.
Pros and Cons
  • "Provided more secure computing."
  • "The whole product could be made into one suite instead of multiple components which are essentially a part of the same infrastructure."

What is most valuable?

  • Junctions access control
  • Transparency to the user

How has it helped my organization?

Provided more secure computing.

What needs improvement?

The whole product could be made into one suite instead of multiple components which are essentially a part of the same infrastructure.

For how long have I used the solution?

Six years.

What was my experience with deployment of the solution?

Yes, the deployment has many issues like: the sequence of components installation, connectivity and most of all, certificates.

What do I think about the stability of the solution?

Yes, the applications depend on each other to function. Each application becomes a single point of failure.

What do I think about the scalability of the solution?

No issues encountered.

How are customer service and technical support?

Customer Service:

8/10.

Technical Support:

8/10.

Which solution did I use previously and why did I switch?

No solution was used previously.

How was the initial setup?

Many components needed to be installed with even more prerequisites. Each component had a sequence to follow.

What about the implementation team?

It was implemented by an in-house team.

Which other solutions did I evaluate?

We also looked at Siteminder.

What other advice do I have?

Go for Siteminder.

Disclosure: My company has a business relationship with this vendor other than being a customer. partners