IBM Professional Certification Program

Study Guide Series

Exam C1000-129

IBM Security Verify Access V10.0 Deployment


Purpose of Exam Objectives
When a certification exam is being developed, a team of Subject Matter
Experts work together to define the job role the certified individual will fill. They
define all the tasks and knowledge that an individual would need to have in
order to successfully perform that role. This creates the foundation for the
objectives and measurement criteria, the foundation of the certification exam.
The Certification item writers used these objectives to write the questions that appear
on the exam.

It is recommended that you review these objectives carefully. Do you know how
to complete the tasks in the objective? Do you know why that task needs to be
done? Do you know what will happen if you do it incorrectly? If you are not
familiar with a task, then work through the objective and perform that task in your
own environment. Read more information about the task. If there is an objective
on a task, it is almost certain that you WILL see questions about it on the actual
exam.

After you have reviewed the objectives and completed your own research,
don’t forget to review the free sample questions for this exam on the IBM
Certification website. These sample questions come complete with an answer
key and will give you a feel for the type and style of question on the actual
exam.

After that, take the assessment exam. The questions on the assessment exam
were developed at the same time and by the same people who wrote the
questions on the actual exam. The assessment exam is weighted to be equally
difficult to the actual test, so your results should be predictive of your expected
results on the actual test. While the assessment exam will not tell you which
questions are answered incorrectly, it will tell you how you did on a
section-by-section basis so you will know where to focus your further studies.

pg. 2
Contents
Role Definition .......................................................................................................................................... 6
Key Areas of Competency ......................................................................................................................... 6
Prerequisite Knowledge ............................................................................................................................ 6
Section 1: Planning.................................................................................................................................... 7
TASK: 1.1 Conduct planning workshops ............................................................................................... 7
TASK: 1.2 Identify feature requirements .............................................................................................. 7
TASK: 1.3 Plan firmware upgrade cycle ................................................................................................ 8
TASK: 1.4 Perform solution sizing ......................................................................................................... 9
TASK: 1.5 Assess access control requirements ..................................................................................... 9
TASK: 1.6 Assess log retention requirements ..................................................................................... 10
TASK: 1.7 Assess federated single sign-on requirements ................................................................... 10
Section 2: Architecture and Design......................................................................................................... 12
TASK: 2.1 Select deployment patterns and topology ......................................................................... 12
TASK: 2.2 Design High Availability & Disaster Recovery architecture ................................................ 12
TASK: 2.3 Design deployment process (automated or manual) ......................................................... 13
TASK: 2.4 Identify network requirements .......................................................................................... 13
TASK: 2.5 Establish backup procedures .............................................................................................. 13
TASK: 2.6 Identify server connections ................................................................................................ 14
TASK: 2.7 Determine appropriate junction type ................................................................................ 14
TASK: 2.8 Identify required authentication methods ......................................................................... 15
TASK: 2.9 Identify required session failover ....................................................................................... 15
Section 3: Installation.............................................................................................................................. 17
TASK: 3.1 Find and download software and updates ......................................................................... 17
TASK: 3.2 Create virtual machine ....................................................................................................... 17
TASK: 3.3 Prepare user registry .......................................................................................................... 18
TASK: 3.4 Prepare database(s)............................................................................................................ 18
TASK: 3.5 Deploy Verify Access containers......................................................................................... 19
TASK: 3.6 Activate required offerings and install the support license ............................................... 19
TASK: 3.7 Perform network configuration.......................................................................................... 19
TASK: 3.8 Import necessary personal and signer certificates............................................................. 20
Section 4: Configuration ......................................................................................................................... 22

TASK: 4.1 Configure cluster ................................................................................................................ 22
TASK: 4.2 Configure base runtime component .................................................................................. 23
TASK: 4.3 Integrate federated directories .......................................................................................... 24
TASK: 4.4 Configure reverse proxy instance ....................................................................................... 24
TASK: 4.5 Configure authorization server........................................................................................... 26
TASK: 4.6 Configure LMI external authentication and authorization................................................. 26
TASK: 4.7 Configure base authorization policies ................................................................................ 26
TASK: 4.8 Create server connections .................................................................................................. 27
TASK: 4.9 Configure multi-factor authentication (MFA) .................................................................... 27
TASK: 4.10 Configure SCIM (System for Cross-domain Identity Management) ................................. 28
TASK: 4.11 Configure API protection (OAUTH/OIDC) ......................................................................... 29
TASK: 4.12 Configure auditing ............................................................................................................ 29
Section 5: System integration ................................................................................................................. 31
TASK: 5.1 Configure Junction .............................................................................................................. 31
TASK: 5.2 Protect API endpoints accessed by API clients ................................................................... 32
TASK: 5.3 Integrate with federated single sign-on partners .............................................................. 32
TASK: 5.4 Configure desktop SSO (SPNEGO) ...................................................................................... 32
TASK: 5.5 Configure token authentication ......................................................................................... 33
TASK: 5.6 Setup monitoring framework ............................................................................................. 33
TASK: 5.7 Configure external authentication interface ...................................................................... 33
TASK: 5.8 Integrate with SIEM systems .............................................................................................. 34
Section 6: Advanced customization ........................................................................................................ 35
TASK: 6.1 Implement a context-based access control policy ............................................................. 35
TASK: 6.2 Create risk profile ............................................................................................................... 35
TASK: 6.3 Implement identity mapping .............................................................................................. 36
TASK: 6.4 Author custom policy information point (PIP) ................................................................... 38
TASK: 6.5 Configure and customize a user self-care flow .................................................................. 38
TASK: 6.6 Create JavaScript authentication mechanism .................................................................... 40
TASK: 6.7 Create HTTP transformation rules ...................................................................................... 41
TASK: 6.8 Implement OAUTH/OIDC customization ............................................................................ 42
TASK: 6.9 Configure device registration (Fingerprint) ........................................................................ 42
TASK: 6.10 Modify default template files ........................................................................................... 43
TASK: 6.11 Integrate custom login application through External Authentication Interface (EAI) ..... 44

TASK: 6.12 Implement advanced authenticated user mapping ......................................................... 45
TASK: 6.13 Implement access policy................................................................................................... 46
TASK: 6.14 Implement authorization (AUTHZ) rules for reverse proxy .............................................. 46
TASK: 6.15 Configure single sign-on using Federation STS ................................................................. 47
TASK: 6.16 Configure mobile multi-factor authentication ................................................................. 47
Section 7: Testing, troubleshooting, and maintenance .......................................................................... 49
TASK: 7.1 Apply interim fixes .............................................................................................................. 49
TASK: 7.2 Apply appliance firmware updates..................................................................................... 49
TASK: 7.3 Resolve common problems ................................................................................................ 50
TASK: 7.4 Prepare backup storage system ......................................................................................... 50
TASK: 7.6 Configure logging and tracing............................................................................................. 52
TASK: 7.7 Engage with IBM Support ................................................................................................... 52

Role Definition
This intermediate level certification is intended for deployment professionals working with IBM Security
Verify Access V10.0. These deployment professionals plan, install, configure, administer, tune and
troubleshoot Security Verify Access installations. It is expected that the deployment professional is
generally self-sufficient and can perform the tasks involved in the job role with limited assistance from
peers, product documentation, and vendor support services.

This role specifically does not include routine post-deployment administration tasks.

Key Areas of Competency


• Ability to deploy Security Verify Access in on-premise, IaaS, containerized, and hybrid
environments
• Knowledge of database and directory configuration for Verify Access integration
• Ability to configure Security Verify Access interfaces and networking for connectivity
• Ability to deploy Security Verify Access using common patterns
• Knowledge of Security Verify Access feature sets and components
• Knowledge of how to connect to and integrate with target applications
• Ability to configure authentication and access control using Security Verify Access
• Knowledge of Federated Single Sign-on
• Knowledge of API protection using OAUTH
• Knowledge of advanced authentication and self-service flows
• Knowledge of context-based access control
• Ability to troubleshoot and conduct performance management tasks

Prerequisite Knowledge
Knowledge and foundational skills one needs to possess before acquiring skills measured on
the certification test. These foundational skills are NOT measured on the test.
• Knowledge of cloud architecture
• Concept of containers
• Working knowledge of databases and directories
• Understanding of networking protocols and topology
• Knowledge of digital certificates, transport protocols and ciphers
• Knowledge of scripting languages including JavaScript, Python, XSLT
• Knowledge of data formats such as YAML, XML, HTML, and JSON

Section 1: Planning
This section contains objectives that deal with preparing for an IBM Security Verify Access 10.0
deployment. These objectives include activities such as conducting planning workshops with the client,
identifying the solution requirements and sizing, documenting access control and log retention
requirements as well as those of federated single sign-on.

This section accounts for approximately 12% of the exam.

TASK: 1.1 Conduct planning workshops


SUBTASKS:

1.1.1 Run project kick-off workshop

- Identify key stakeholders

- Review solution environment

- Review high level requirements

- Solution overview

1.1.2 Run solution requirement workshop

- Identify platform requirements

- Identify network requirements

- Secure deployment considerations

1.1.3 Run integration workshop

- Identify integrations required

- Review access requirements

- Review single sign-on requirements

- Identify federation & API protection requirements

1.1.4 Run resource planning workshop

- Identify key resources

- Review resource availability

- Review project timelines

- Produce initial project plan

TASK: 1.2 Identify feature requirements


SUBTASKS:

1.2.1 Determine requirement for Access Platform (Web)

- Web Reverse Proxy

- X-Force threat protection

- Distributed Session Cache

1.2.2 Determine requirement for Advanced Access Control Module

- Advanced authentication

- API protection

- Context-based access

- Device fingerprinting

- Device registration

- Fine-grained authorization

1.2.3 Determine requirement for Federation Module

- SAML 2.0 Federations

- Open ID Connect Federations

- Module chains (STS)

TASK: 1.3 Plan firmware upgrade cycle


SUBTASKS:

1.3.1 Review Product Lifecycle

- Identify current versions

- Review end of support (EOS)

1.3.2 Review Software Product Compatibility Reports

- Operating systems

- Related software

- Hypervisors

- Hardware requirements

1.3.3 Review Software Release Cycle

1.3.4 Review Available Fixes

- Maintenance releases / firmware

- Fixes

- Review release notes

TASK: 1.4 Perform solution sizing


SUBTASKS:

1.4.1 Review Virtual Appliance specifications

- Disk

- Memory

- Network

- Hypervisors

1.4.2 Review Performance Tuning Guide

- Performance Tuning Guide

- Performance Tuning Scripts

1.4.3 Review Tuning Spreadsheet

- Tuning Guides

TASK: 1.5 Assess access control requirements


SUBTASKS:

1.5.1 Determine Web Authentication requirements

- Reverse Proxy authentication

1.5.2 Determine Web Authorization requirements

- Reverse Proxy authentication

1.5.3 Determine Authentication Mechanisms requirements

- Advanced Access Control

1.5.4 Determine Mapping Rule requirements

- Advanced Access Control

1.5.5 Determine Authentication Policy requirements

- Mapping rules

- Template pages

- Branches

1.5.6 Determine Access Control Policy requirements

- Custom application policy

1.5.7 Determine Access Policy requirements

- Conditional access

TASK: 1.6 Assess log retention requirements


SUBTASKS:

1.6.1 Determine Retention Requirements

- Number and types of logs

- On appliance requirement

- Central / Syslog / SIEM

- Sending events / logs to syslog server

- Legal / compliance requirements

TASK: 1.7 Assess federated single sign-on requirements


SUBTASKS:

1.7.1 Determine Supported Federations

- Federation types

- Federation Roles

- Security Token Service (STS)

- Point of contact server

- High Volume Database

1.7.2 Determine SAML Federation Requirements

1.7.3 Determine OAuth 2.0 and OIDC Requirements

1.7.4 Determine Identity Mapping Requirements

1.7.5 Determine Token Exchange Requirements

REFERENCES:

• https://www.ibm.com/software/reports/compatibility/clarity/index.html
• https://www.ibm.com/docs/en/sva/10.0.2?topic=configuration-user-registry-considerations
• https://www.ibm.com/docs/en/sva/10.0.2?topic=overview-documentation-activation-level
• https://www.ibm.com/docs/en/sva/10.0.2?topic=settings-configuring-snmp-monitoring
• https://www.ibm.com/docs/en/sva/10.0.2?topic=settings-runtime-monitoring-using-prometheus
• https://www.ibm.com/docs/en/sva/10.0.2?topic=monitoring-sending-statistics-statsd
• https://www.ibm.com/docs/en/sva/10.0.2?topic=SSPREK_10.0.2/com.ibm.isva.doc/admin/cpt/help_authentication.html
• https://www.ibm.com/docs/en/sva/10.0.2?topic=support-configuring-oauth-20-api-protection
• https://www.ibm.com/docs/en/sva/10.0.2?topic=configuration-openid-connect-federations
• https://www.ibm.com/docs/en/sva/10.0.2?topic=overview-saml-20
• https://www.ibm.com/docs/en/sva/10.0.2?topic=overview-webseal-introduction
• https://www.ibm.com/docs/en/sva/10.0.2?topic=authentication-methods
• https://xsizer.dal1a.ciocloud.nonprod.intranet.ibm.com/sizer.html
• https://www.ibm.com/docs/en/sva/10.0.1?topic=concepts-spnego-protocol-kerberos-authentication
• https://www.ibm.com/docs/en/sva/10.0.1?topic=control-acl-entries
• https://www.ibm.com/docs/en/sva/10.0.1?topic=aacc-authentication
• https://www.ibm.com/docs/en/sva/10.0.1?topic=configuration-branching-authentication-policies
• https://www.ibm.com/docs/en/sva/10.0.2?topic=configuration-federation-overview
• https://www.ibm.com/docs/en/sva/9.0?topic=profiles-saml-20-profile-initial-urls
• http://ibm.biz/isamfedcookbook
• https://www.ibm.com/docs/en/sva/9.0?topic=formats-alias-service
• https://www.ibm.com/docs/en/sva/9.0.6?topic=solutions-single-sign-security-token-service
• https://www.ibm.com/docs/en/sva/9.0?topic=federations-configuring-sts-modules

Section 2: Architecture and Design
This section contains objectives that deal with the architecture and design of the IBM Security Verify
Access 10.0 solution, including activities such as selecting appropriate deployment patterns and
topology, designing the HA and DR architecture, determining deployment processes, identifying network
requirements, backup procedures, server connectivity, junction types, authentication methods and
required session failover.

This section accounts for approximately 15% of the exam.

TASK: 2.1 Select deployment patterns and topology


SUBTASKS:

2.1.1 Select Form Factor

- HW

- VM

- Containers

- Cloud vs. On-prem

2.1.2 Determine Deployment Pattern (Based on Form Factor selected)

- Cluster / Cluster Bubbles

- All-in-One

- Kubernetes / OpenShift

2.1.3 Select User Type (Basic User or Full imported secUser)

TASK: 2.2 Design High Availability & Disaster Recovery architecture


SUBTASKS:

2.2.1 Select HA Type

- Dual Data Center

- Cloud Regions

- Multiple Cloud Vendors

2.2.2 Select Disaster Recovery Type

- Active/Passive Data Center

- Rebuilds via RAPI

- Appliance snapshots

- Hypervisor snapshots

TASK: 2.3 Design deployment process (automated or manual)


SUBTASKS:

2.3.1 Determine Build Type

- LMI Only

- Simple REST API scripts

- Full automation (Ansible)

TASK: 2.4 Identify network requirements


SUBTASKS:

2.4.1 Gather network details

- Identify DMZ Subnets

- Identify Trusted Zone Subnets

- Identify Application Subnets

- Identify SaaS Applications (May require forward proxy servers)

2.4.2 Identify Network Routes

- Identify Static Routes

- Identify IP Policy Routes

2.4.3 Select HW NIC Bonding Type

- balance-rr

- active-backup

- balance-xor

- broadcast

- 802.3ad

- balance-tlb

- balance-alb

TASK: 2.5 Establish backup procedures


SUBTASKS:

2.5.1 Select Appliance Backup Method

- Snapshot (Cluster)

- Hypervisor Level (All-in-One)

2.5.2 Select Container Backup Method

- Configuration Container snapshot

- Persistent Volumes

TASK: 2.6 Identify server connections


SUBTASKS:

2.6.1 Determine Application Runtime Server Connection needs

- Oracle

- DB2

- Solid DB

- PostgreSQL

- LDAP

- SMTP

- Web Service

- Cloud Identity

- ISAM Runtime

TASK: 2.7 Determine appropriate junction type


SUBTASKS:

2.7.1 Determine settings based on Frontend Traffic Type

- Load-balancer Terminated

- Load-balancer Pass-thru

- Direct access

2.7.2 Select Junction SSO methods

- Using -b option

- TFIM Junction

- JWT Junction

- Trust Association

- HTTP Headers

TASK: 2.8 Identify required authentication methods


SUBTASKS:

2.8.1 Gather Reverse Proxy Frontend Requirements

- Username/Password

- OAUTH / OIDC

- Certificate Authentication

- Domain cookies

TASK: 2.9 Identify required session failover


SUBTASKS:

2.9.1 Determine Reverse Proxy Session Failover

- Failover Cookie

- Distributed Session Cache

- Redis Session Cache

REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.2?topic=configuration-cluster-general-reference
• https://www.ibm.com/software/reports/compatibility/clarity-reports/report/html/vesForProduct?deliverableId=B406C6E0555B11EBBBEA1195F7E6DF31&osPlatforms=&duComponentIds=S002|S003|A001
• https://www.ibm.com/docs/en/sva/10.0.2?topic=registries-configuring-runtime-authenticate-basic-users
• https://www.ibm.com/docs/en/sva/10.0.2?topic=support-docker-image-security-verify-access
• https://www.ibm.com/docs/en/sva/10.0.2?topic=support-high-availability-policy-server
• https://www.ibm.com/docs/en/sva/10.0.2?topic=services-cluster-service-considerations
• https://www.ibm.com/docs/en/sva/10.0.2?topic=services-failover-in-cluster
• https://www.ibm.com/docs/en/sva/10.0.2?topic=environments-consistent-configuration-all-webseal-replica-servers
• https://www.ibm.com/docs/en/sva/10.0.2?topic=synchronization-cluster-restart
• https://www.ibm.com/docs/en/sva/10.0.2?topic=environments-failover-new-master
• https://www.ibm.com/docs/en/sva/10.0.2?topic=synchronization-configure-webseal-cluster-support
• https://www.ibm.com/docs/en/sva/10.0.2?topic=configuration-database
• https://www.ibm.com/docs/en/sva/10.0.2?topic=overview-secure-deployment-considerations
• https://www.ibm.com/docs/en/sva/10.0.2?topic=database-deploying-external-configuration
• https://www.ibm.com/docs/en/sva/10.0.2?topic=configuration-runtime-database

• https://www.ibm.com/docs/en/sva/10.0.2?topic=database-deploying-external-runtime
• https://www.ibm.com/docs/en/sva/10.0.1?topic=concepts-spnego-protocol-kerberos-authentication
• https://www.ibm.com/docs/en/sva/10.0.1?topic=interface-external-authentication-overview
• https://www.ibm.com/docs/en/sva/10.0.1?topic=overview-saml-20
• https://www.ibm.com/docs/en/sva/10.0.1?topic=methods-openid-connect-oidc-authentication
• https://www.ibm.com/docs/en/sva/10.0.1?topic=authentication-client-side-certificate-modes
• https://www.ibm.com/docs/en/sva/10.0.2?topic=concepts-failover-cookie
• https://www.ibm.com/docs/en/sva/10.0.2?topic=settings-managing-distributed-session-cache-in-docker
• https://www.ibm.com/docs/en/sva/10.0.2?topic=overview-advantages-using-distributed-session-cache
• https://www.ibm.com/docs/en/sva/10.0.2?topic=environments-option-3-failover-cookies
• https://www.ibm.com/docs/en/sva/10.0.2?topic=dsco-failover-environment
• https://www.ibm.com/docs/en/sva/10.0.2?topic=overview-failover-environment

Section 3: Installation
This section contains objectives that deal with the installation of the IBM Security Verify Access 10.0
solution, including activities such as finding and installing updates, creating virtual machines, preparing
the user registry and databases, deploying containers, installing licenses and activating components,
configuring the network and importing certificates.

This section accounts for approximately 13% of the exam.

TASK: 3.1 Find and download software and updates


SUBTASKS:

3.1.1 Check Fix Central for the latest software.

- Identify the latest firmware image

- Download the correct image for the platform being deployed to

- Identify any available interim fixes

TASK: 3.2 Create virtual machine


SUBTASKS:

3.2.1 Determine the requirements for running Verify Access in your target hypervisor.

- Review the system requirements and VM specifications

- Ensure you have the correct installation media or disk image for the target hypervisor

3.2.2 Install the Verify Access firmware.

- Create the virtual machine, attaching the installation media, ensuring the correct number of virtual
network adapters is attached, and following any additional requirements in the documentation

- Complete the installation process

3.2.3 Deploy the Verify Access disk image as a new virtual machine

- Create a new virtual machine using the pre-installed disk image

3.2.4 Complete the first steps setup and access the Local Management Interface

- Ensure the correct FIPS mode setting is selected

- Complete the first steps setup process using the command line

- Complete the first steps setup process using the Local Management Interface

- Complete the first steps setup process using the REST API

3.2.4 Verify connectivity to the management interfaces

- Verify that the Local Management Interface can be accessed via a web browser

- Verify that the command line interface can be accessed via SSH

TASK: 3.3 Prepare user registry


SUBTASKS:

3.3.1 Install the Verify Access schema data

- Locate and download the correct Verify Access LDAP schema file for the target user registry using the
Local Management Interface

- Apply the LDAP schema to the user registry

- Create the default suffix

- Create additional suffixes for users

3.3.2 Secure the user registry

- No anonymous access

- TLS only, select reasonable ciphers

- Ensure password hashing is non-reversible

- Set appropriate ACLs

TASK: 3.4 Prepare database(s)


SUBTASKS:

3.4.1 Prepare the runtime database

- Identify and download the correct database schema for the target database

- Execute the database schema SQL/import operation

3.4.2 Prepare the configuration database

- Identify and download the correct database schema for the target database

- Execute the database schema SQL/import operation

3.4.3 Secure the database(s)

- TLS only, select reasonable ciphers

- Ensure database is encrypted?

- Ensure certificates required are available

TASK: 3.5 Deploy Verify Access containers
SUBTASKS:

3.5.1 Download the Verify Access container images from Docker Hub

3.5.2 Configure the Verify Access container properties

- Set up any required shared volumes

- Populate the shared volume with any required fix packs

- Determine the correct environment variables for each container

3.5.3 Ensure the Kubernetes environment is prepared for executing the Verify Access images

- Create the required secrets

- Create the required service account

- AppArmor requirements

3.5.4 Ensure the OpenShift environment is prepared for executing the Verify Access images

- Create the required security context

- Apply the security context to the created service account

3.5.4 Ensure connectivity is correct for accessing:

- the LMI (for administrative activities)

- the runtime containers (for external access where required)

TASK: 3.6 Activate required offerings and install the support license
SUBTASKS:

3.6.1 Activate the required offerings to enable the required features.

- Download the activation codes from Passport Advantage

- Install the required activation codes using the Local Management Interface

3.6.2 Install the support license

- Download the support license from the IBM Security Systems License Key Center at
https://ibmss.flexnetoperations.com

- Install the support license using the Local Management Interface

TASK: 3.7 Perform network configuration


SUBTASKS:

3.7.1 Configure any external firewall rules

- Review the list of ports used by the appliance

- Configure any external firewalls to allow traffic to the required ports

3.7.2 Configure IP addresses

- Identify which addresses will be used for management and application traffic

- Add the IP addresses to each interface using the Local Management Interface

3.7.3 Configure routing

- Configure the default route

- Configure the routing rules for outbound traffic

- Configure source based routing

3.7.4 Configure DNS

- Configure the DNS server(s) using the Local Management Interface

- Configure any required static host entries using the Local Management Interface

3.7.4 Verify network connectivity

- Verify that hostnames can be resolved

- Verify that application servers, databases, the user registry, and any required external services are
reachable

TASK: 3.8 Import necessary personal and signer certificates


SUBTASKS:

3.8.1 Identify the required personal certificates and import them:

- Reverse proxy front ends

- AAC/Federation runtime

- AAC/Federation signing operations

- Local Management Interface

- Mutual TLS (client certs) for application servers, databases, the user registry, any required external
services

3.8.2 Identify the required signer certificates and import them:

- AAC/Federation signature verification

- Database server(s)

- User registry

- Downstream/junctioned applications

- Federation partners

- Other external services and APIs called from advanced customized flows (Google reCAPTCHA, SMS API
gateways, etc.)

REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.0?topic=configuration-user-registry-server-installation
• https://www.ibm.com/docs/en/sva/10.0.0?topic=support-docker-image-security-verify-access
• https://www.ibm.com/docs/en/sva/10.0.2?topic=settings-viewing-updating-management-ssl-certificates
• https://www.ibm.com/docs/en/sva/10.0.2?topic=configuration-cluster-general-reference
• https://www.ibm.com/software/reports/compatibility/clarity-reports/report/html/vesForProduct?deliverableId=B406C6E0555B11EBBBEA1195F7E6DF31&osPlatforms=&duComponentIds=S002|S003|A001
• https://www.ibm.com/docs/en/sva/10.0.2?topic=registries-configuring-runtime-authenticate-basic-users
• https://www.ibm.com/docs/en/sva/10.0.2?topic=support-docker-image-security-verify-access
• https://www.ibm.com/docs/en/sva/10.0.2?topic=support-high-availability-policy-server
• https://www.ibm.com/docs/en/sva/10.0.2?topic=services-cluster-service-considerations
• https://www.ibm.com/docs/en/sva/10.0.2?topic=services-failover-in-cluster
• https://www.ibm.com/docs/en/sva/10.0.2?topic=environments-consistent-configuration-all-webseal-replica-servers
• https://www.ibm.com/docs/en/sva/10.0.2?topic=synchronization-cluster-restart
• https://www.ibm.com/docs/en/sva/10.0.2?topic=environments-failover-new-master
• https://www.ibm.com/docs/en/sva/10.0.2?topic=synchronization-configure-webseal-cluster-support
• https://www.ibm.com/docs/en/sva/10.0.2?topic=configuration-database
• https://www.ibm.com/docs/en/sva/10.0.2?topic=overview-secure-deployment-considerations
• https://www.ibm.com/docs/en/sva/10.0.2?topic=database-deploying-external-configuration
• https://www.ibm.com/docs/en/sva/10.0.2?topic=configuration-runtime-database
• https://www.ibm.com/docs/en/sva/10.0.2?topic=database-deploying-external-runtime
• https://www.ibm.com/docs/en/sva/10.0.1?topic=concepts-spnego-protocol-kerberos-authentication
• https://www.ibm.com/docs/en/sva/10.0.1?topic=interface-external-authentication-overview
• https://www.ibm.com/docs/en/sva/10.0.1?topic=overview-saml-20
• https://www.ibm.com/docs/en/sva/10.0.1?topic=methods-openid-connect-oidc-authentication
• https://www.ibm.com/docs/en/sva/10.0.1?topic=authentication-client-side-certificate-modes
• https://www.ibm.com/docs/en/sva/10.0.2?topic=concepts-failover-cookie
• https://www.ibm.com/docs/en/sva/10.0.2?topic=settings-managing-distributed-session-cache-in-docker
• https://www.ibm.com/docs/en/sva/10.0.2?topic=overview-advantages-using-distributed-session-cache
• https://www.ibm.com/docs/en/sva/10.0.2?topic=environments-option-3-failover-cookies
• https://www.ibm.com/docs/en/sva/10.0.2?topic=dsco-failover-environment
• https://www.ibm.com/docs/en/sva/10.0.2?topic=overview-failover-environment

Section 4: Configuration
This section contains objectives that deal with the configuration of the IBM Security Verify Access 10.0
solution, including activities such as integrating federated directories, configuring the cluster, base
runtime component, web reverse proxy instance and numerous other components.

This section accounts for approximately 16% of the exam.

TASK: 4.1 Configure cluster


SUBTASKS:

4.1.1 Configure Config database

- Internal or External DB

- Load certificates

- Supported DBs

- Collect the database server information, including the IP/port/username/password/etc.

- Data stored in config DB

4.1.2 Configure Runtime database (HVDB)

- Internal or External DB

- Load certificates

- Supported DBs

- Collect the database server information, including the IP/port/username/password/etc.

- Data stored in HVDB

- Failover support

4.1.3 Configure Primary Master

- Enable multi-node

- Set first port

- Export certificate file

4.1.4 Configure other nodes

- Select to join cluster

- Point to primary master

- Provide certificate file

- Monitor status of node

4.1.5 Configure Session Cache

4.1.6 Configure replication options

- Certificate keystores

- Runtime configuration

4.1.7 Configure Distributed Session Cache (DSC)

- set listening ports

TASK: 4.2 Configure base runtime component


SUBTASKS:

4.2.1 Load certificates for primary directory

4.2.2 Configure Policy Server

- Local or remote

- Management suffix

- Management domain

- SSL settings

4.2.3 Configure primary LDAP

- connection

- Bind DN

- SSL Settings

4.2.4 Advanced settings in ldap.conf

- embed bind-dn and password

- configuring replicas

- ciphers for secure transport

4.2.5 Basic user configuration

- enable

- prevent duplicates

- search priority

4.2.6 Create initial users and groups

- Create with UI

- Create with CLI

- Bulk import

- Registry Direct API

TASK: 4.3 Integrate federated directories


SUBTASKS:

4.3.1 Load certificates for federated directories

4.3.2 Determine level of access required to federated directory

- read only or read/write

4.3.3 Add federation directory

- connection information

- bind information

- SSL Settings

- Suffixes

4.3.4 Advanced settings in ldap.conf

- ignore-if-down

- change principal attribute

- mod uid on import

- configuring replicas

- ciphers for secure transport

TASK: 4.4 Configure web reverse proxy instance


SUBTASKS:

4.4.1 Create Reverse Proxy instance

- Transport settings

- Connect to policy server

- Connect to User Registry

4.4.2 Configure Interfaces - TLS/SSL

- Obtain trusted certificate

- Configure trusted certificate

- Separate junction keystore?

- Define additional interfaces

- Use of secondary listener for client certificates

- configure ciphers

- Use of IPv6

4.4.3 Configure built-in authentication

- Basic Authentication

- Form-based authentication

- Client certificate auth

- RSA SecurID token auth

- Kerberos Authentication

- OIDC Authentication

- OAuth Authentication

- LTPA

- Set authentication levels

4.4.4 Configure Sessions

- Timeouts

- Reauthentication

- Local session cache

- DSC/Redis

- Failover

4.4.5 Cookie management

- HTTP/Secure flags

- Cookie jar

- Cookie reset

- SameSite

4.4.6 Access Control

- HTTP method mapping

- Attach ACLs and POPs

- CORS

4.4.7 Other general configuration

- Replication

- P3P policy

- Proxy protocol

- Root junction processing

TASK: 4.5 Configure authorization server


SUBTASKS:

4.5.1 Create Authorization Server instance

- Listening Ports

- Connect to policy server

- Connect to User Registry

4.5.2 Configure Java Runtime components

- TAI++ and eTAI

- Custom apps with JavaRTE

TASK: 4.6 Configure LMI external authentication and authorization


SUBTASKS:

4.6.1 Configure management authentication with an external (LDAP) user registry

4.6.2 Create local users and groups in the embedded user registry

4.6.3 Select or create roles with appropriate levels of access for administrator accounts

4.6.4 Assign authorization roles to the administrative users and groups

TASK: 4.7 Configure base authorization policies


SUBTASKS:

4.7.1 Create and attach ACLs

- Create ACLs

- Create ACL entries

- Set ACL permissions

- Attach ACLs

- Sparse ACL model

4.7.2 Create and attach POPs

- Network subnet policies

- Authentication level policy

- Privacy (require HTTPS)

- Auditing policy

- Extended attributes in POPs

- Attach POPs

TASK: 4.8 Create server connections


SUBTASKS:

4.8.1 Create Server Connections using the Local Management Interface

4.8.2 Load the certificate(s) required for the server connections

4.8.3 Check connectivity to the hosts/ports referred to in the server connections

TASK: 4.9 Configure multi-factor authentication (MFA)


SUBTASKS:

4.9.1 Configure Mechanisms

- Set mechanism properties

- First factor mechanisms

- 2FA mechanisms

- Other mechanisms (EULA)

4.9.2 Create Policies

- Add mechanisms

- Set mechanism parameters

- Set credential attributes

- Configure branching

4.9.3 Set Point of Contact profile

- Choose appropriate profile

- Create new profile

4.9.4 Set up the system to invoke policies

- path vs query for policyId

- Browser vs API clients

- Cookieless operation

TASK: 4.10 Configure SCIM (System for Cross-domain Identity Management)


SUBTASKS:

4.10.1 Create a server connection to the LDAP/user registry where user profile data will be stored

4.10.2 Configure the SCIM service to use the LDAP/user registry:

- server connection

- ensure certificate is loaded

- search/user suffix

- user dn attribute

- configure LDAP objectclasses

4.10.3 Configure the mapping of SCIM profile attributes to LDAP attributes

4.10.4 Configure SCIM for Verify Access integration:

- Create ISAM Runtime server connection

- Enable Verify Access integration

4.10.5 Configure the Reverse Proxy as a point of contact for the SCIM service:

- Create transparent path /scim junction

- Point the junction to the runtime

- Basic authentication (BA) with a user in the SCIM admin group

- Pass IV-USER, IV-GROUPS, IV-CREDS

- Enable URL filtering

TASK: 4.11 Configure API protection (OAUTH/OIDC)


SUBTASKS:

4.11.1 Create OAuth/OIDC Provider Definition

- Select grant types

- Configure token management

- Configure consent

4.11.2 Enable definition for OIDC

- OIDC id_token settings

- Attribute mapping

- Dynamic client registration

- OIDC and FAPI compliance

- metadata endpoint

- Use of JWKS endpoint

4.11.3 Create clients

- static vs dynamic registration

- confidential vs public clients

- how clients authenticate

- PKCE

TASK: 4.12 Configure auditing


SUBTASKS:

4.12.1 Configure Appliance Events

- Configure System Alerts

4.12.2 Configure Base Runtime Events

- Configure Policy Server Events

- Configure Reverse Proxy Events

4.12.3 Configure Application Runtime Events

4.12.4 Write audit events from custom JavaScript

REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.1?topic=management-user-self-care-scim-api
• https://www.ibm.com/docs/en/sva/10.0.1?topic=configuration-user-profile
• https://www.ibm.com/docs/en/sva/10.0.1?topic=api-limitations#con_scim_limitation__unsupported_endpoints
• https://www.ibm.com/docs/en/sva/10.0.2?topic=provider-configuring-reverse-proxy-oauth-oidc
• https://www.ibm.com/docs/en/sva/10.0.2?topic=protection-creating-api-definition
• ibm.biz/isamfedcookbook
• https://www.ibm.com/blogs/security-identity-access/oauth-saml-jwt-grant-type/
• https://www.ibm.com/docs/en/sva/10.0.2?topic=support-oauth-20-oidc-workflows
• https://www.ibm.com/docs/en/sva/10.0.2?topic=concerns-federated-registry-support
• https://www.ibm.com/docs/en/sva/10.0.2?topic=registries-configuring-runtime-authenticate-basic-users
• https://www.ibm.com/docs/en/sva/10.0.2?topic=registries-managing-federated-directories
• https://www.ibm.com/docs/en/sva/10.0.0?topic=settings-configuring-management-authentication
• https://www.ibm.com/docs/en/sva/10.0.0?topic=settings-managing-roles-users-groups
• https://www.ibm.com/docs/en/sva/10.0.2?topic=entries-type-attribute
• https://www.ibm.com/docs/en/sva/10.0.2?topic=policy-changing-mapping-http-request-methods
• https://www.ibm.com/docs/en/sva/10.0.0?topic=settings-server-connections
• https://www.ibm.com/docs/en/sva/10.0.0?topic=configuration-branching-authentication-policies

Section 5: System integration
This section contains objectives that deal with the systems integration of the IBM Security Verify Access
10.0 solution, including activities such as configuring the junction, protecting the API, integrating with
federated single sign-on partners, configuring SPNEGO, configuring token authentication, setting up the
monitoring framework, configuring external authentication interface and integrating with SIEM systems.

This section accounts for approximately 16% of the exam.

TASK: 5.1 Configure Junction


SUBTASKS:

5.1.1 Determine Junction Type

- TCP

- SSL

- Mutual SSL

- Standard junctions

- Virtual host junctions

5.1.2 Determine Junction Attribute Requirements

- host & port

- junction name

- server(s) & port(s)

- passing user info

5.1.3 Apply Advanced junction configuration

- Stateful / not

- Fail-over behavior

- Mutually authenticated

5.1.4 Apply Access Control

- coarse-grained: pdadmin attach ACL

- fine-grained: query_contents

5.1.5 Apply Single Sign-on Solutions

- various

TASK: 5.2 Protect API endpoints accessed by API clients


SUBTASKS:

5.2.1 Create / Manage API protection definition

5.2.2 Register / Manage API protection client

5.2.3 Manage policy attachments

TASK: 5.3 Integrate with federated single sign-on partners


SUBTASKS:

5.3.1 Determine Federated single sign-on (SSO) Protocol & Role

- SAML 2.0

- WS-Federation

- OpenID Connect

- service providers (SP)

- identity provider (IdP)

5.3.2 Configure Identity Mapping

5.3.3 Create a Federation

5.3.4 Create a Partner

5.3.5 Trigger SSO from Logon Pages

TASK: 5.4 Configure desktop SSO (SPNEGO)


SUBTASKS:

5.4.1 Configure the Kerberos Client

5.4.2 Create WebSEAL Identity in AD

- Identity in Active Directory

- Mapping a Kerberos principal

- Verifying WebSEAL authentication

5.4.3 Add Service Name and Keytab

5.4.4 Enable SPNEGO for WebSEAL

5.4.5 Configure Browser for Desktop SSO

- Configure

- Test

TASK: 5.5 Configure token authentication


SUBTASKS:

5.5.1 Update RSA SecurID Configuration

5.5.2 Enable Token Authentication

TASK: 5.6 Set up monitoring framework


SUBTASKS:

5.6.1 Configure SNMP Monitoring

- Determine SNMP version

- Open ports to and from appliance in firewall

- Review available MIBs

5.6.2 Configure System Alerts

- Create an email alert object

- Create an SNMP alert object

- Create a remote syslog object

5.6.3 Configure AAC monitoring

- Review Prometheus support

- Review JVM monitoring

5.6.4 Utilize Reverse Proxy statistics

- Turn on Statistics

- Use logcfg entries to send to remote syslog

TASK: 5.7 Configure external authentication interface


SUBTASKS:

5.7.1 Enable External Authentication Interface

5.7.2 Configure External Authentication Interface Trigger URL

5.7.3 Set HTTP Headers for External Authentication Interface

5.7.4 Enable Validation of the User Identity

TASK: 5.8 Integrate with SIEM systems


SUBTASKS:

5.8.1 Identify SIEM System

- Gather Host and Port information

- Gather Syslog related information

5.8.2 Send Reverse Proxy logs to SIEM

- Customize HTTP Request logs

- Configure Reverse Proxy 'logcfg' entries

5.8.3 Send application logs to SIEM

- Configure Remote Syslog Forwarder

- Add sources to forwarder instances

- Configure syslog information for sources

REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.2?topic=configuration-standard-webseal-junctions
• https://www.ibm.com/docs/en/sva/10.0.2?topic=configuration-virtual-hosting
• https://www.ibm.com/docs/en/sva/10.0.2?topic=configuration-creating-mutual-junctions
• https://www.ibm.com/docs/en/sva/10.0.2?topic=hosting-virtual
• https://www.ibm.com/docs/en/sva/10.0.2?topic=junctions-creation-junction-initial-server
• https://www.ibm.com/docs/en/sva/10.0.2?topic=solutions-client-identity-in-http-ba-headers
• https://www.ibm.com/docs/en/sva/10.0.2?topic=solutions-ltpa-overview
• https://www.ibm.com/docs/en/sva/10.0.2?topic=solutions-forms-single-sign-concepts
• https://www.ibm.com/docs/en/sva/10.0.2?topic=junctions-mutually-authenticated-ssl-process-summary
• https://www.ibm.com/docs/en/sva/10.0.2?topic=configuration-pdadmin-server-task-create-command
• https://www.ibm.com/docs/en/sva/10.0.2?topic=headers-http-tag-value-extended-attribute-junctions
• https://www.ibm.com/docs/en/sva/10.0.2?topic=junctions-stateful-junction-concepts
• https://www.ibm.com/docs/en/sva/10.0.1?topic=support-oidc-dynamic-clients
• https://www.ibm.com/docs/en/sva/10.0.2?topic=configuration-saml-federations-overview
• https://www.ibm.com/docs/en/sva/10.0.2?topic=overview-customizing-saml-identity-mapping
• https://www.ibm.com/docs/en/sva/10.0.2?topic=overview-saml-20-bindings
• https://www.ibm.com/docs/en/sva/10.0.2?topic=federations-managing-federation-partners
• https://www.ibm.com/docs/en/sva/10.0.2?topic=settings-configuring-snmp-monitoring
• https://www.ibm.com/docs/en/sva/10.0.2?topic=alerts-configuring-snmp-alert-objects
• https://www.ibm.com/docs/en/sva/10.0.2?topic=settings-runtime-monitoring-using-prometheus
• https://www.ibm.com/docs/en/sva/10.0.2?topic=monitoring-sending-statistics-statsd
• https://www.ibm.com/docs/en/sva/10.0.0?topic=interface-external-authentication-http-header-reference
• https://www.ibm.com/blogs/sweeden/introduction-to-qradar-log-management-for-webseal-administrators/

Section 6: Advanced customization
This section contains objectives that deal with the advanced customization of the IBM Security Verify
Access 10.0 solution including numerous activities, such as implementing a context-based access control
policy, creating a risk profile, implementing identity mapping and many other tasks.

This section accounts for approximately 18% of the exam.

TASK: 6.1 Implement a context-based access control policy


SUBTASKS:

6.1.1 Understand Access Control Policy

- Review documentation for usage

- Watch basic video from Security Learning Academy

6.1.2 Review available documentation

- Review documented policy scenarios

- Review support provided policy scenarios

6.1.3 Develop Access Control Policy

- Create new Policy

- Add rules to policy

- Determine whether Policy Sets are required

- Save Policy

6.1.4 Modify configuration to utilize Access Control Policy

- Attach access control policy

- Publish Access Control Policy

- Configure reverse proxy for authentication services

6.1.5 Validate changes work as expected

TASK: 6.2 Create risk profile


SUBTASKS:

6.2.1 Understand how the 'Risk Score' is calculated

- The risk score represents the variation between the baseline set of attributes recorded for previously registered devices and the attributes of the current 'device' context

6.2.2 Review predefined risk profiles

- 'Secure Access Control -> Policy -> Risk Profiles'

6.2.3 Review the attributes available for risk profiles

- 'Secure Access Control -> Policy -> Attributes'

- Filter with 'Risk' to find all Attributes of type 'Risk'

6.2.4 Create custom attributes if necessary

- 'Secure Access Control -> Policy -> Attributes ->> New Attribute'

- Mark the Checkbox for 'Risk' when creating the attribute

6.2.5 Determine whether a new Risk Profile is necessary

- Analyze default profiles

- Identify attributes of importance

- Define End User device capabilities in relation to attributes

- Gather necessary attributes

6.2.6 Create Risk Profile

- 'Secure Access Control -> Policy -> Risk Profiles ->> New Risk Profile'

- Gather identified Attributes

- Add attributes to new Risk Profile

- Assign attributes individual 'weight'

6.2.7 Set an Active Risk Profile

- 'Secure Access Control -> Policy -> Risk Profiles'

- Select risk profile from left panel

- Select 'Set Active' button

- Deploy pending changes

- Enable risk reports

- Review Risk Reports after validation

TASK: 6.3 Implement identity mapping


SUBTASKS:

6.3.1 Identify identity exchange role

- Are we mapping an identity to a user's session

- Are we mapping a user's session to an identity

6.3.2 Download Java documentation reference

- 'System -> Secure Settings -> File Downloads ->> access_control -> doc -> ISVA-javadoc-10.0.1.zip'

6.3.3 Review example mapping rules

- Download from 'System -> Secure Settings -> File Downloads ->> access_control -> examples -> mapping_rules -> ip_saml_20.js'

- Download from 'System -> Secure Settings -> File Downloads ->> access_control -> examples -> mapping_rules -> sp_saml_20.js'

- Review example mapping rule for syntax and coding examples

6.3.4 Implement Attribute Sources

- Attributes values can be filled by identity sources

- Define Attribute sources to acquire attribute values from different data sources

6.3.5 Author JavaScript Mapping Rule

- Review JavaScript Allowlist to determine usable classes

- Compose JavaScript code that performs desired functionality

- Create mapping rule in appliance

6.3.6 Integrate with Social login providers

- Update Mapping rule to call social provider APIs

- Create social login provider Partners

- Update template/Login page to integrate with social login providers

6.3.7 Configure Federations to utilize Mapping rule

- Import mapping rule into appliance

- Update Federation Configuration to utilize mapping rule

6.3.8 Validate Identity Mapping

- Configure Reverse Proxy for Federation

- Perform a Federated SSO flow

- Use Browser Developer Tools/Tracing to review outgoing SAML Assertion

- Use pdweb.debug to view incoming Access Manager credential information

TASK: 6.4 Author custom policy information point (PIP)


SUBTASKS:

6.4.1 Analyze available PIP Types

- 'Secure Access Control -> Policy -> Information Points ->> New'

6.4.2 Download Java documentation reference

- 'Manage System Settings -> Secure Settings -> File Downloads ->> access_control -> doc -> ISVA-javadoc-10.0.2.zip'

6.4.3 Determine custom Policy Information Point (PIP) Type

- Review PIP reference

- Gather necessary details

6.4.4 Create Server Connections

- Navigate to 'Secure Access Control -> Global Settings -> Server Connections'

- Review Server Connection Properties

- Gather necessary values

- Create Connections for relevant PIP types

6.4.5 Author JavaScript PIP mapping rule

- Review JavaScript allowlist to determine available classes

- Define 'hasAttribute()' function based on default JavaScript PIP

- Define 'getAttribute()' function based on attribute needs

6.4.6 Create New PIP

- 'Secure Access Control -> Policy -> Information Points -> New'

- Gather PIP details

- Determine PIP name (This will be the value of the 'issuer' for custom attributes that are derived from
this PIP)

- Set attribute values

- Save and Deploy Changes

TASK: 6.5 Configure and customize a user self-care flow


SUBTASKS:

6.5.1 Analyze predefined User Self Care Policy

- 'Secure Access Control -> Policy -> Authentication ->> Policies'

- Filter using 'USC'

- Select a Policy and select 'Modify Authentication Policy'

- Review Authentication Mechanisms in Authentication Policy Workflow Steps

6.5.2 Determine necessary Authentication Mechanisms

- Review built-in Authentication Policies

- Determine whether any other mechanisms are needed for your desired workflow

6.5.3 Verify SCIM component configuration

- 'AAC -> Manage -> SCIM Configuration'

- Validate configuration

6.5.4 Create 'Web Service' server connection for SCIM configuration

- 'AAC -> Global Settings -> Server Connections ->> New ->> Web Service'

- Gather SCIM endpoint details

- Input details into server connection

6.5.5 Configure 'SCIM Config' Authentication Mechanism

- 'AAC -> Policies -> Authentication ->> Mechanisms ->> New Authentication Mechanism ->> SCIM Config'

- Select Server Connection

- Input necessary details

6.5.6 Configure Authentication Mechanism Properties

- 'AAC -> Policy -> Authentication ->> Mechanisms'

- Select existing mechanism or create new mechanism

- Edit properties to match your needs

6.5.7 Create Custom Authentication Policy

- Customize the User Self Care policies if more or fewer steps are necessary

- Compare your needs to the built-in policies

- Add relevant mechanisms to Authentication Policy

6.5.8 Customize template files

- 'AAC -> Global Settings -> Template Files ->> (Locale) -> authsvc -> usc'

- Edit HTML files to include custom themes or branding

TASK: 6.6 Create JavaScript authentication mechanism


SUBTASKS:

6.6.1 Download Java documentation reference

- Acquire from the appliance at 'System -> Secure Settings -> File Downloads ->> access_control -> doc -> ISVA-javadoc-10.0.2.zip'

6.6.2 Review available parameters for 'infoMap'

- Understand available input data

- Understand available output data

6.6.3 Review example mapping rule

- Download from 'System -> Secure Settings -> File Downloads ->> access_control -> examples -> mapping_rules -> infomap_username.js'

- Review example mapping rule for syntax and coding examples

6.6.4 Author JavaScript Mapping Rule

- Review JavaScript Allowlist to determine usable classes

- Compose JavaScript code that performs desired functionality

- Create mapping rule in appliance

6.6.5 Author Template file

- Review default template files

- Customize template file with branding and necessary HTML elements

- Create template file(s) in Appliance for use

6.6.6 Create infoMap mechanism

- Navigate to 'AAC -> Policy -> Authentication ->> Mechanisms -> New Authentication Mechanism ->> infoMap'

- Determine name

- Determine identifier

- Input custom properties

6.6.7 Create Custom Authentication Policy

- Define a policy name

- Define a policy identifier

- Add one or more mechanisms to accomplish the desired workflow

6.6.8 Update CAPTCHA settings on system

- Configure outbound Proxy

- Install the latest Google signer certificate

- Configure Captcha mechanism

TASK: 6.7 Create HTTP transformation rules


SUBTASKS:

6.7.1 Review HTTP Transformation Documentation

- Understand HTTP transformation functionality

- Understand HTTP Transformation structure

6.7.2 Determine what elements of the HTTP Message need to be modified

- Review request format

- Review response format

- Identify endpoints that require transformation

6.7.3 Author the HTTP Transformation

- Review sample HTTP Transformation mapping rules

- Identify usable XSLT 1.0 functions

- Write XSLT Mapping Rule

6.7.4 Update the Reverse Proxy configuration for the HTTP Transformation

- Decide between POP and Configuration file updates

- Update configuration file to map HTTP Transformation to a stanza

- Update configuration file with request match syntax

6.7.5 Validate the HTTP Transformation works as expected

- Enable pdweb.debug and pdweb.http.transformation tracing

- Access URL

- Review tracing to confirm that transformation worked as expected

TASK: 6.8 Implement OAUTH/OIDC customization


SUBTASKS:

6.8.1 Determine what customization is needed for the API Protection Definition

- Identify grant types used

- Identify attributes needed

- Identify token types needed

6.8.2 Review available examples

- Review default mapping rules

- Understand mapping rule methods

- Review available examples from the support GitHub repository

6.8.3 Modify preToken JavaScript mapping rule

- Download copy of mapping rule

- Save original copy

- Make changes necessary for customizations

- Upload modified mapping rule

6.8.4 Modify postToken JavaScript mapping rule

- Download copy of mapping rule

- Save original copy

- Make changes necessary for customizations

- Upload modified mapping rule

6.8.5 Validate changes work as expected

- Configure Reverse Proxy for OAUTH

- Perform OAUTH flow

- Validate expected information is returned

TASK: 6.9 Configure device registration (Fingerprint)


SUBTASKS:

6.9.1 Select appropriate Risk Profile

- Identify Attributes that define your device fingerprint

- Review Risk profiles for a match

- Create a new risk profile if necessary

- Set desired risk profile as active

6.9.2 Create Access Control Policy that includes device registration

- Review documented device registration policy

- Determine device registration conditions

- Implement logic for device registration

6.9.3 Modify Reverse Proxy configuration to supply correct data

- Identify attribute type

- Gather attribute identifier

- Identify HTTP element that contains desired value

- Map attribute identifier to HTTP Element

6.9.4 Configure Attribute Collection Service

- Review documentation

- Update template files or HTML pages to include info.js file

6.9.5 Update Advanced Configuration to match device registration use case

- Review available advanced configuration

- Determine environmental parameters for device registration

- Update device registration advanced configuration as necessary

6.9.6 Validate that device is registered via workflow test

- Attach Access Control Policy to endpoint

- Use Browser to validate workflow

- Search for registered devices in LMI

TASK: 6.10 Modify default template files


SUBTASKS:

6.10.1 Review default template files

- Identify what template files exist

- Determine which files need updates

- Identify macros used in template files

6.10.2 Analyze changes necessary

- Determine whether template file scripting is necessary

6.10.3 Compose template file changes outside of appliance

6.10.4 Update or create new template files in the appliance

- Update existing template files with changes

6.10.5 Replace or create necessary supporting files for branding

- Upload new files to appliance

6.10.6 Validate that changes work as expected

- Use browser to validate that template file changes work as expected

- Review JVM message logs for errors related to template files

TASK: 6.11 Integrate custom login application through External Authentication Interface (EAI)


SUBTASKS:

6.11.1 Identify information needed for EAI to authenticate the user

- Determine username format

- Determine whether groups are returned

- Determine what attributes are returned

- Determine where data will be sourced

6.11.2 Determine header names that EAI application needs to return to authenticate user

- Review default Reverse Proxy configuration

- Review header documentation

- Deliver information to EAI developer

6.11.3 Create External Authentication Interface application to return specified headers and values

- Develop EAI application

- Deploy EAI application to application server

- Validate connectivity to EAI server

6.11.4 Update Reverse Proxy configuration to consume response headers

- Update '[eai]' stanza

- Update header configuration

- Update EAI trigger URLs

- Create junction to EAI application

- Attach unauthenticated ACL to EAI endpoint in Reverse Proxy objectspace

6.11.5 Validate external authentication works as expected

- Validate EAI junction is running as expected

- Perform authentication flow via browser

- Confirm that authenticated session cookie is issued

TASK: 6.12 Implement advanced authenticated user mapping


SUBTASKS:

6.12.1 Determine Use Case

- Understand Authenticated User Mapping

6.12.2 Review documentation of Advanced User mapping

- Review language used

- Review data format

- Review XML Model

6.12.3 Author Advanced User Mapping XSLT rule

- Analyze support provided examples

- Analyze sample from documentation

- Review valid attributes

- Use external program to code XSLT rule

6.12.4 Configure Reverse Proxy to implement advanced user mapping

- Update configuration file

6.12.5 Validate advanced user mapping works

- Enable pdweb.cas.usermap tracing

- Attempt authentication flow

- Troubleshoot issues

TASK: 6.13 Implement access policy


SUBTASKS:

6.13.1 Determine use case for access policy

- Identify use case for access policy (Federation vs OIDC)

- Gather information necessary for access policy

6.13.2 Download Java documentation reference

- 'Manage System Settings -> Secure Settings -> File Downloads ->> access_control -> doc -> ISVA-javadoc-10.0.2.zip'

6.13.3 Review example access policy scenarios

- Review documented examples

- Review examples from the support GitHub repository

6.13.4 Author access Policy

- Write code for access policy

6.13.5 Configure Federation/API Protection to use access policy

- Update Federation Configuration

- Update Federation Partner configuration

- Update API Protection Definitions

6.13.6 Validate access policy functionality

- Perform federated flow in browser

TASK: 6.14 Implement authorization (AUTHZ) rules for reverse proxy


SUBTASKS:

6.14.1 Determine use case for Authorization Rules

- Understand when authorization rules are to be used

6.14.2 Review documentation for Authorization Rules

- Review authorization rule language

- Review authorization rule document model

- Understand format and constraints

6.14.3 Review examples

- Analyze documented examples

- Analyze support provided examples

6.14.4 Author Authorization XSLT rule

- Gather XSLT reference

6.14.5 Configure Reverse Proxy objectspace to utilize Authorization Rule

- Create Authorization Rule

- Attach to objectspace

- Update Reverse Proxy ADI configuration

6.14.6 Validate Authorization rule use cases and negative use cases

TASK: 6.15 Configure single sign-on using Federation STS


SUBTASKS:

6.15.1 Determine use case for STS junction

- Determine Token Type necessary

- Define Request Type

6.15.2 Configure Trust Service

- Create Chain Template

- Create Chain Module from Template

- Define Chain Lookup Properties

6.15.3 Configure Reverse Proxy

- Update junction to use TFIM Junction flag

- Update configuration file to create the TFIM SSO stanza for the junction ([tfimsso])

- Update configuration file to create the [tfim-cluster] stanza

TASK: 6.16 Configure mobile multi-factor authentication


SUBTASKS:

6.16.1 Configure Mobile Multifactor Authentication

- Utilize wizard to configure MMFA

6.16.2 Validate MMFA configuration

- Perform MMFA Authenticator Registration

REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.2?topic=settings-template-files
• https://www.ibm.com/docs/en/sva/10.0.2?topic=files-template-file-macros
• https://www.ibm.com/docs/en/sva/10.0.2?topic=pages-template-page-wayf-page
• https://www.ibm.com/docs/en/sva/10.0.2?topic=configuration-how-write-external-authentication-application
• https://www.ibm.com/docs/en/sva/10.0.2?topic=configuration-http-header-names-authentication-data
• https://www.ibm.com/docs/en/sva/10.0.2?topic=features-post-authentication-redirection-external-authentication-interface
• https://www.ibm.com/docs/en/sva/10.0.2?topic=configuration-extracting-authentication-data-from-special-http-headers
• https://www.ibm.com/docs/en/sva/10.0.2?topic=features-request-caching-external-authentication-interface
• https://www.ibm.com/blogs/security-identity-access/federated-single-sign-on-access-policy/
• https://www.ibm.com/docs/en/sva/10.0.2?topic=settings-access-policies#access_policies
• https://www.ibm.com/blogs/sweeden/isam-9-0-2-the-jwt-sts-module-and-junction-sso-to-websphere-liberty/
• https://www.ibm.com/docs/en/sva/10.0.2?topic=tis-one-time-token
• https://www.ibm.com/docs/en/sva/10.0.2?topic=solutions-single-sign-security-token-service
• https://www.ibm.com/docs/en/sva/10.0.1?topic=csim-mapping-local-identity-saml-20-token
• https://www.ibm.com/docs/en/sva/10.0.0?topic=transformations-configuration
• https://www.ibm.com/docs/en/sva/10.0.0?topic=rules-replacing-http-response
• https://www.ibm.com/docs/en/sva/10.0.0?topic=junctions-http-transformations
• https://www.ibm.com/docs/en/sva/10.0.2?topic=registration-modifying-consent-template-pages
• https://www.ibm.com/docs/en/sva/10.0.2?topic=support-oauth-20-template-page-consent-authorize
• https://www.ibm.com/docs/en/sva/10.0.2?topic=apoo-making-oauth-oidc-consent-decision-using-access-policy
• https://www.ibm.com/blogs/security-identity-access/oauth-api-gateways-and-isam/
• https://www.ibm.com/docs/en/sva/10.0.2?topic=protection-oauth-introspection
• https://www.ibm.com/blogs/security-identity-access/oauth-jwt-access-token/

Section 7: Testing, troubleshooting, and maintenance
This section contains objectives that deal with the testing, troubleshooting and maintenance of the IBM
Security Verify Access 10.0 solution including activities, such as applying interim fixes, appliance
firmware updates, resolving common problems, configuring logging and tracing and other related
activities.

This section accounts for approximately 10% of the exam.

TASK: 7.1 Apply interim fixes


SUBTASKS:

7.1.1 Check Fix Central for the latest software.

- Identify any available interim fixes

- Download the .fixpack file

7.1.2 Install an interim fix

- Install the fixpack using the Local Management Interface

- (Container only) place the fixpack on the shared volume

TASK: 7.2 Apply appliance firmware updates


SUBTASKS:

7.2.1 Download the firmware update

- Review the release notes/What's New for any required actions or notable changes

- Download the firmware image from Fix Central

7.2.2 Backup the current active firmware

- Create a VM level snapshot (ONLY when the VM is stopped)

- Create a configuration snapshot

7.2.3 Install the new firmware image

- Upload the firmware pkg manually using the Local Management Interface

- OR download the firmware update using the Available Updates page in the Local Management Interface

- Start the firmware upgrade using the Local Management Interface

7.2.4 Perform any post-upgrade activities

- Apply any required database upgrades

- Validate the environment/testing

TASK: 7.3 Resolve common problems


SUBTASKS:

7.3.1 Resolve issues that occur with expired or missing certificates

- Diagnose the issue by reviewing the log files

- Import or update the expired certificates

7.3.2 Back-end application receives an unexpected Basic Authentication (BA) header from a junction

- Review the junction identity settings (the -b option: filter, ignore, supply or gso)

7.3.3 Reverse Proxy doesn't start

- Review msg__webseald-instance.log

- Back out the latest configuration change

7.3.4 Error encountered during a Federation flow

- Review the runtime JVM 'messages.log'

- Find the error that was displayed to the user

- Note the thread ID of that log record

- Follow the stack traces logged by the same thread back to the first failure
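
The thread-following step above is mechanical enough to script. The following is an added example, not code from the study guide or from IBM: it groups Liberty-style 'messages.log' records (header line plus stack-trace continuation lines), finds the record carrying the message ID the user saw, and returns every record that thread logged so the earliest error on that thread stands out. The log lines and their EXMP* message IDs are constructed for the example and are not real ISVA messages.

```python
"""Follow one request's thread through a Liberty-style messages.log.

Added example for subtask 7.3.4 (not IBM code). The sample log below is
constructed; the EXMP* message IDs do not exist in the product.
"""
import re

# Liberty record header: "[timestamp] <8-hex thread id> <logger> <level> <message>".
# Lines without this header (stack-trace frames) belong to the preceding record.
HEADER = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<thread>[0-9a-fA-F]{8})\s+(?P<logger>\S+)\s+"
    r"(?P<level>[A-Z])\s+(?P<msg>.*)$"
)

# Constructed sample: two threads interleaved, the failing one is 0000003c.
SAMPLE_LOG = """\
[4/17/21 10:23:41:001 UTC] 0000002a com.example.fed.Runtime    I EXMP0001I: Runtime started
[4/17/21 10:23:45:120 UTC] 0000003c com.example.fed.SamlHandler I EXMP0010I: Received SAML request for partner acme
[4/17/21 10:23:45:131 UTC] 0000003c com.example.fed.KeyStore   E EXMP0042E: Certificate 'acme-signer' not found in keystore
java.security.KeyStoreException: alias not found
\tat com.example.fed.KeyStore.lookup(KeyStore.java:88)
\tat com.example.fed.SamlHandler.verify(SamlHandler.java:210)
[4/17/21 10:23:45:140 UTC] 0000001f com.example.fed.Health     I EXMP0002I: Heartbeat ok
[4/17/21 10:23:45:152 UTC] 0000003c com.example.fed.SamlHandler E EXMP0099E: Unable to complete federated single sign-on
java.lang.RuntimeException: verification failed
\tat com.example.fed.SamlHandler.handle(SamlHandler.java:230)
"""


def parse_records(text):
    """Group log lines into records: one header line plus its continuation lines."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            rec = m.groupdict()
            rec["trace"] = []
            records.append(rec)
        elif records:
            records[-1]["trace"].append(line)
    return records


def thread_for_error(records, user_visible_msg_id):
    """Thread ID of the record carrying the message ID that the user saw, or None."""
    for rec in records:
        if user_visible_msg_id in rec["msg"]:
            return rec["thread"]
    return None


def follow_thread(records, thread):
    """Every record from one thread, in log order."""
    return [rec for rec in records if rec["thread"] == thread]


def root_cause(text, user_visible_msg_id):
    """(thread, first error record on that thread); the first error is the root-cause candidate."""
    records = parse_records(text)
    thread = thread_for_error(records, user_visible_msg_id)
    if thread is None:
        return None, None
    for rec in follow_thread(records, thread):
        if rec["level"] == "E":
            return thread, rec
    return thread, None


if __name__ == "__main__":
    thread, rec = root_cause(SAMPLE_LOG, "EXMP0099E")
    print(thread, rec["msg"])
    print("\n".join(rec["trace"]))
```

On a real export, read the file from the LMI log download into `root_cause` with the message ID shown on the user's error page; the first "E" record on that thread, not the last, is the one whose stack trace names the real failure.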

7.3.5 Appliance is low on disk space

- Purge old log files

TASK: 7.4 Prepare backup storage system


SUBTASKS:

7.4.1 Manage appliance snapshots

- Create appliance snapshots

- Download appliance snapshots

- Upload appliance snapshots

- Apply appliance snapshots

7.4.2 Export Reverse Proxy instance configuration

- Download an exported Reverse Proxy instance configuration bundle

- Apply an exported Reverse Proxy instance configuration to a new Reverse Proxy instance

7.4.3 Automate snapshot generation and export

- Prepare backup system

- Validate adequate storage is available
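
The snapshot tasks in 7.4.1 and the automation in 7.4.3 can be driven from the LMI REST API. The following is an added example, not code from the study guide or from IBM. It assumes the endpoints as given in the ISVA LMI REST API reference (check them against the reference for your firmware level): POST /snapshots with a "comment" creates a snapshot, GET /snapshots lists entries carrying "id", "comment" and "filename", GET /snapshots/<id> returns the archive, and every call sends Accept: application/json. The FakeLmiSession class is a constructed stand-in for a requests.Session so the example runs without an appliance; against a real appliance you pass a requests.Session with .auth set to an LMI administrator and .verify pointing at the LMI CA certificate.

```python
"""Automate appliance snapshot creation and export through the LMI REST API.

Added example for subtasks 7.4.1 and 7.4.3 (not IBM code). Assumed endpoints
(verify against the LMI REST API reference for your firmware level):
  POST /snapshots {"comment": ...}   create a snapshot
  GET  /snapshots                     list, entries have id/comment/filename
  GET  /snapshots/<id>                download the archive
"""
import os
import shutil
import tempfile

ACCEPT_JSON = {"Accept": "application/json"}  # required by every LMI REST call


def ensure_free_space(directory, minimum_bytes):
    """Validate adequate storage before exporting: fail early, not mid-download."""
    free = shutil.disk_usage(directory).free
    if free < minimum_bytes:
        raise RuntimeError(f"{directory}: {free} bytes free, {minimum_bytes} required")
    return free


def create_snapshot(session, base_url, comment):
    """POST /snapshots. The comment is how the snapshot is found again in the list."""
    resp = session.post(f"{base_url}/snapshots", json={"comment": comment}, headers=ACCEPT_JSON)
    resp.raise_for_status()


def find_snapshot(session, base_url, comment):
    """GET /snapshots and return the newest entry whose comment matches, or None."""
    resp = session.get(f"{base_url}/snapshots", headers=ACCEPT_JSON)
    resp.raise_for_status()
    matches = [s for s in resp.json() if s.get("comment") == comment]
    return matches[-1] if matches else None


def download_snapshot(session, base_url, snapshot, dest_dir):
    """GET /snapshots/<id>, write the archive into dest_dir, return its path."""
    resp = session.get(f"{base_url}/snapshots/{snapshot['id']}", headers=ACCEPT_JSON)
    resp.raise_for_status()
    name = snapshot.get("filename", f"snapshot-{snapshot['id']}.zip")
    path = os.path.join(dest_dir, name)
    with open(path, "wb") as fh:
        fh.write(resp.content)
    return path


def export_snapshot(session, base_url, dest_dir, comment, minimum_bytes):
    """Whole procedure: check space, create, locate by comment, download."""
    ensure_free_space(dest_dir, minimum_bytes)
    create_snapshot(session, base_url, comment)
    snapshot = find_snapshot(session, base_url, comment)
    if snapshot is None:
        raise RuntimeError(f"snapshot with comment {comment!r} not listed after creation")
    return download_snapshot(session, base_url, snapshot, dest_dir)


# ---- Constructed offline stand-in for requests.Session against the LMI ----
class _FakeResponse:
    def __init__(self, payload=None, content=b""):
        self.status_code, self._payload, self.content = 200, payload, content

    def raise_for_status(self):
        pass

    def json(self):
        return self._payload


class FakeLmiSession:
    """Mimics the three assumed endpoints so the example runs without an appliance."""
    def __init__(self):
        self._snapshots = []

    def post(self, url, json=None, headers=None):
        sid = str(len(self._snapshots) + 1)
        self._snapshots.append({"id": sid, "comment": json["comment"], "filename": f"isva_{sid}.snapshot"})
        return _FakeResponse({"id": sid})

    def get(self, url, headers=None):
        if url.endswith("/snapshots"):
            return _FakeResponse(list(self._snapshots))
        sid = url.rsplit("/", 1)[1]
        return _FakeResponse(content=b"PK\x03\x04constructed-snapshot-" + sid.encode())


def demo():
    """Run the procedure against the fake LMI; returns (archive path, bytes written)."""
    dest = tempfile.mkdtemp(prefix="isva-backup-")
    path = export_snapshot(FakeLmiSession(), "https://isva.example.test", dest, "nightly", 1024)
    return path, os.path.getsize(path)


if __name__ == "__main__":
    print(demo())
```

Locating the snapshot by comment rather than trusting the create response keeps the script correct even if the create call returns no body; use a unique comment (a timestamp) per run so the match is unambiguous.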

TASK: 7.5 Perform tuning

SUBTASKS:

7.5.1 Apply the recommended tuning parameters from the tuning spreadsheet

- Database indexes

7.5.2 Identify your baseline performance metrics

- Gather pdweb.debug data

- Analyze pdweb.debug data with the pdweb.debug-timings.pl script

7.5.3 Identify key configuration entries that control performance metrics

- Review Reverse Proxy worker threads configuration entries

- Review TLS Session Cache configuration entries

- Review User Session Cache configuration entries

- Review compression configuration entries

- Review cache configuration entries

7.5.4 Load test

- Set up Apache JMeter or another load-test tool

- Enable pdweb.debug traces

- Perform load test

- Analyze load test data

7.5.5 Validate database and user registry performance

- User registry (SDS): run the DB2 'runstats' command against the underlying directory database to refresh its statistics and gauge current performance

- User registry (SDS): run 'reorg' to reorganize the underlying database tables

7.5.6 Update key configuration items

- Review Reverse Proxy worker threads configuration entries

- Review TLS Session Cache configuration entries

- Review User Session Cache configuration entries

- Review compression configuration entries

- Review cache configuration entries

7.5.7 Repeat as necessary

7.5.8 Reverse Proxy Tuning

- Timeouts

- Worker threads

- Rate limiting

TASK: 7.6 Configure logging and tracing


SUBTASKS:

7.6.1 Use tracing to diagnose issue with the reverse proxy or proxied applications

- Enable trace components in the Reverse Proxy

- View or export Reverse Proxy trace logs using the Local Management Interface or command line interface

7.6.2 Configure tracing for the AAC/Federation runtime

- Enable tracing for specific components using the Local Management Interface

- View or export the trace logs using the Local Management Interface or command line interface

7.6.3 View log files for the:

- Policy Server

- Reverse Proxy Instances

- Federation/AAC Runtime

- Local Management Interface

- System

7.6.4 Use packet tracing to diagnose issues

- Enable and disable packet tracing

- View or export the packet tracing capture using the Local Management Interface

TASK: 7.7 Engage with IBM Support


SUBTASKS:

7.7.1 Generate support files to provide to IBM support

- Create support files using the Local Management Interface

- Download support files using the Local Management Interface

- Create support files using the command line interface

- Create support files using the command line (Containers only)

- Retrieve support files from the shared volume (Containers only)

REFERENCES:
• https://www.ibm.com/support/pages/system/files/inline-files/$FILE/ISAM_PerfTuning_guide_90_v1_0.pdf
• https://www.ibm.com/docs/en/sva/10.0.2?topic=stanza-max-cached-persistent-connections
• https://www.ibm.com/support/pages/ibm-security-access-manager-appliance-available-tcp-tunings
• https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Tivoli/IBM+Security+Verify+Access&release=All&platform=Linux&function=all
• https://www.ibm.com/docs/en/sva/10.0.0?topic=licensing-installing-fix-pack
• https://www.ibm.com/docs/en/sva/10.0.0?topic=overview-whats-new-in-this-release
• https://www.ibm.com/docs/en/sva/10.0.0?topic=licensing-managing-firmware-settings
• https://www.ibm.com/docs/en/sva/10.0.0?topic=settings-managing-snapshots
• https://www.ibm.com/docs/en/sva/10.0.0?topic=management-exporting-webseal-configuration
• https://www.ibm.com/docs/en/sva/10.0.0?topic=migration-migrating-existing-webseal-instance-appliance
• https://www.ibm.com/docs/en/sva/10.0.2?topic=troubleshooting-indexing-optimization-oracle-high-volume-database
• https://github.com/IBM-Security/isam-support/blob/master/diagnostic/pdweb/pdweb.debug-timings.pl
• https://www.ibm.com/support/pages/node/237819
• https://www.ibm.com/docs/en/sva/10.0.0?topic=administration-trace-data
• https://www.ibm.com/docs/en/sva/10.0.0?topic=administration-logging
• https://www.ibm.com/docs/en/sva/10.0.0?topic=settings-runtime-parameters
• https://www.ibm.com/docs/en/sva/10.0.0?topic=monitoring-viewing-application-log-files
• https://www.ibm.com/docs/en/sva/10.0.0?topic=settings-managing-packet-tracing
• https://www.ibm.com/docs/en/sva/10.0.0?topic=settings-managing-support-files
