IBM Tivoli Access Manager [EOL] Reviews

Web security.

It keeps our web applications secure.

Web Portal Manager does not implement the full set of functions found in the command line

Nine years.

There are some challenges between major version upgrades. We usually wait for the first fix pack before evaluating the system for an upgrade.

Early versions had issues but since version 5.1 it has been very stable.

No issues encountered.

Very good.

It depends on who you get. Some Level One technicians are better than others. When you get to Level Two and Three it's much improved. We've dealt directly with the developers on several occasions and those folks are the best.

No previous solution was used.

I was not involved in the initial roll-out but did participate in the upgrades from v4.1 to v5.1 and from v5.1 to v6.1. Junction file format changed from v5.1 to v6.1 which cause some challenges.

In-house implementation.

IBM directory server offers the best roll-out experience. We are just beginning to look at using Active Directory for our repository,

• Several SSO methods are supported out of box.
• Federation based SSO (SAML / Oauth / OpenID etc) setup is easy.
• Very good performance and scalability.
• The internal STS token service can be used for custom SSO tokens.
• It is highly scalable and can meet high loads and performances.
• Reverse proxy sits in front of the application and applications need only minimal changes to support SSO with ISAM.

Our customer had SSO requirements, as well as web-firewall and federation requirements that we fulfilled through this product.

Administration of the product can be improved a lot. IBM has taken care of this in good manner in release 9.0.

Product documentation, especially the new version 9.0, should be improved to give a quick understanding of product components and features.

I have been working on this solution for over seven years.

We did not encounter any stability issues.

We have not had scalability issues. It has good scalability features.

Technical support is good to excellent.

We used Novell eDir Access Manager.

Product setup is straightforward.

Licensing is good for this product as compared to other solutions in the market. It has competitive pricing.

We looked at OpenAM and Novell eDir Access Manager.

Choose a good implementation team and do not do an in-house implementation.

The automation of provisioning has reduced the time it takes for creating a user or an employee in our organization.

Flexibility to connect with different environments and product stability are the best features.

• Connection: There are a number of players in the market and most of them have challenges with being able to connect seamlessly without customization to various data providers, such as queues or databases. Since IBM's Identity and Access management has been in the market for a long time, the connectivity has improved over time.
• Stability: An application that is not stable enough will never succeed in the market. I have seen less down time.

Microsoft has active file handling where you can access different types of documents from the browser itself. This is not supported anywhere other than with Microsoft products. This is desirable, but not a show-stopper.

AngularJS is not yet supported. This could be a cause of worry, since we are seeing the emergence of many AngularJS scripts in webpages. I am sure IBM is working towards enabling it.

There is Java process that hangs in WebSphere almost every month.

We have had no problems with scalability.

I would give technical support a rating of 4/5.

I have always worked with IBM products. This solution was from Tivoli before IBM acquired it.

Compared to the Oracle setup, the initial setup was straightforward.

Pricing is competitive and is lower than other players in the market.

We evaluated Oracle, SailPoint, and ForgeRock.

Go for it. It will be good for your business.

Tivoli Access Manager's proxy product (WebSEAL) is extremely fast. The configuration options are mysterious and old-school, but they are a rich and small enough set that you can comprehend them and get it working right. The auth and policy product has a reasonable LDAP implementation.

Step-up authentication in WebSEAL is a hook. You write a function to a particular spec, register it, and it gets called. The hook is in C, which makes sense because WebSEAL is fast and could not be written in an interpreted or high-level language.

Note that this is a way to improve WebSEAL modules, not a way to defer authentication to another server. For more, compare the second and last entries on this page.

There is only a single step-up authentication path, but I have sometimes seen the need for several steps or a divergent path. It’s getting hard to find people willing to admit that they still write in C programming language.

We have used this solution since 2003.

No stability issues. This solution fulfills the common expectations about IBM software. It is fussy to configure, but runs like iron once you’ve got it right.

No scalability issues. I get problems with the LDAP or the underlying machine first.

They provide very good technical support. Perimeter security is a hot-button topic and you can get some serious help if it’s not right.

While there are many products in this field, most companies use either this solution or CA SSO. I encountered others on rare occasions, such as Oracle, Entrust, Ping Identity, and NetIQ.

I am not an admin for this solution, but it holds no special terrors.

The issue is not how IBM licenses the product. You should think about how much of your traditional web traffic is going to migrate to your mobile/service gateways. If you are writing a lot of mobile apps and new JavaScript Frameworks UIs, then your traffic mix is going to change.

I am a consultant and typically work with the IBM stack.

This solution’s pricing is by usage, not by instance. That means you can set up as many instances as you like. Never craft a really complicated configuration. In other words, put functionality A over here, functionality B over there, and let your F5 (e.g.) direct the flow of traffic.

Some valuable features in this product are: webSEAL policy, proxy servers, LDAP server (IBM TDS).

The modularity with which each component may run on a different host is valuable. In addition, multiple instances per component might be installed with load balancers. It provides good scalability and reliability, not to mention the overall availability of the service.

The entire security of the intranet and internet web applications has been covered by the TAM environment.

It happened from time to time, that is, after a long period without restart, the TDS/LDAP instances crashed and remained in a hanging state. A restart did solve the issue but the support was not able to find the cause, despite the fact that the latest fix pack was installed for TDS v6.3.

A similar issue came up when LDAP requests did cause performance issues on TDS or caused the TDS to crash.

As information on fixes and issues related to ITDS are publicly available, let me point you to the respective site:

You may notice, there are several issues listed, which lead to a crash.

Not sure, which one is/was ours, but please notice that TAM/SAM requires multiple software bundles to be installed (like GSKit, Java SDK, WAS, DB2) – each of them having issues.

I have used this solution for five years.

We experienced crashing of LDAP with some specific queries and it affected performance of the TDS proxy.

It is scalable via load balancers but there are some issues with sync while using several LDAP trees.

I would give the technical support a 8/10 rating. Sometimes, there are long running support tickets (for 6-8 months) and that is unacceptable from the customer's point of view.

We were not using any other solution before. We were partially using Apache reverse proxy along with LDAP.

The setup is complex. Without training and prior knowledge, it is hard to get a working environment.

As far as I know, the later versions of TAM (renamed to SAM), are working as appliances and with that, no experience is needed. My advice is to be careful and think twice.

Since a couple of versions back, the product moved to a different “mentality” I would say. Compared to when it was deployed as a software package, things are now much smoother in that direction. The product is coming as an appliance (either hardware either virtual). This method simplifies the management a lot, and the deployment as well. It provides SSO across applications, together with risk-based access and strong multi-factor authentication. Very flexible and scalable.

There are few things where there is room for improvement:

Log management via UI is one of the them. Automation can be achieved via REST API’s, for example, but in a small environment, when a customer is using the UI, for example, you cannot do a multiple selection of logs (to be deleted let’s say). Or a filtering of those.

A better/easier-to-use (user-friendly) interface. A more intuitive interface and menu navigation would be useful.

Rollback of FixPacks to be available via UI as well. At the moment, if you want to roll back a FP, you can do it only via LMI (appliance console).
Those would be my main requests to be improved.

I’ve been using the product since 2009.

I think in the earlier versions I was working with, there were (a few times) some small stability issues, but those were related more to the very custom environments on the customer side.

No scalability issues on this side.

Technical support is doing its job mostly. What I don’t particularly like is the flow duration. But it really depends on the magnitude of the problem you have. I would rate it as good to very good in most cases.

I did not previously use a different solution.

I haven’t used any other vendor’s products.

It is a simple-to-deploy solution, with many features that are supported out-of-the-box without complicated setup. But, depending on your requirements, it can become complex but not hard to manage.

I like the primary function of this product allowing the administration of user/network accounts with a fair amount of ease.

Tracks and assists us with Roles associated to each user.

Need better documentation on usage and admin tasks.

It has been used for at least five years but I have only been working with it since August 2014.

We have had stability issues lately with the hardware and SAN that the product runs on.

We implemented this through a vendor.

Protection of web applications

Simplified deployment of web applications. The ISAM products centralises authentication and authorization giving a shorter time-to-market in the development of new web sites/applications

Since ISAM 7, and especially version 8 IBM has moved from software-install to appliance based (virtual or hardware) this really improves the speed of new patches and releases. IBM promised to release a new appliance-firmware every quarter, so far they kept their promise.

10+ years.

You do need to train to add to your skill set, and need to fully understand the possibilities and features which takes a while. Since I've been using it for over 10 years it is no longer difficult for me to deploy. Of course with new version some things change, so reading the documentation is quite useful sometimes.

Since its birth it is an unbelievable stable product. I know of a deployment that did not receive any maintenance for several years and it was still working.

Nope, it is designed to be very flexible. It can handle any size website.

We as a Premium Business Partner have some advantages in being able to contact the developers more easily. Our customers can raise tickets, and depending on their contract, they are suitably assisted by IBM.

It has been good for long time.

Nope, somehow I ended up a IBM Business Partners, always using ISAM. But are also using IBM Security Identity Manager, IBM Security Directory Server, IBM Security Directory Integrator, IBM Federated Identity Manager. Basically all IBM Security Identity and Access Management offerings except IBM Tivoli Access Manager for ESSO (confusing naming, but a really different product that does not really combine with all the others in my humble opinion).

With the firmware appliance it is easy as pie.

I'm part of a IBM Premium Business Partner, we are specialised in IBM IAM deployments. In many occasions IBM Netherlands is requesting our services to get the job done.

An ROI, is for most customers not easy to make being a security solution. It gives more hassle than not using it, insurance-wise you could say. Once a customer has chosen it they stick with it, I did not see many customers abandoning it due to ISAM not performing or not being satisfied.

Ensure you got your team trained and get external expertise for your architectural design and first deployments. While learning on the job, your team can take over after a while.