C1000-129 Stu
Exam C1000-129
It is recommended that you review these objectives carefully. Do you know how to complete the tasks in the objective? Do you know why that task needs to be done? Do you know what will happen if you do it incorrectly? If you are not familiar with a task, then work through the objective and perform that task in your own environment. Read more information about the task. If there is an objective on a task, it is almost certain that you WILL see questions about it on the actual exam.
After you have reviewed the objectives and completed your own research, don’t forget to review the free sample questions for this exam on the IBM Certification website. These sample questions come complete with an answer key and will give you a feel for the type and style of question on the actual exam.
After that, take the assessment exam. The questions on the assessment exam were developed at the same time and by the same people who wrote the questions on the actual exam. The assessment exam is weighted to be equally difficult to the actual test, so your results should be predictive of your expected results on the actual test. While the assessment exam will not tell you which questions you answered incorrectly, it will tell you how you did on a section-by-section basis, so you will know where to focus your further studies.
pg. 2
Contents
Role Definition .......................................................................................................................................... 6
Key Areas of Competency ......................................................................................................................... 6
Prerequisite Knowledge ............................................................................................................................ 6
Section 1: Planning.................................................................................................................................... 7
TASK: 1.1 Conduct planning workshops ............................................................................................... 7
TASK: 1.2 Identify feature requirements .............................................................................................. 7
TASK: 1.3 Plan firmware upgrade cycle ................................................................................................ 8
TASK: 1.4 Perform solution sizing ......................................................................................................... 9
TASK: 1.5 Assess access control requirements ..................................................................................... 9
TASK: 1.6 Assess log retention requirements ..................................................................................... 10
TASK: 1.7 Assess federated single sign-on requirements ................................................................... 10
Section 2: Architecture and Design......................................................................................................... 12
TASK: 2.1 Select deployment patterns and topology ......................................................................... 12
TASK: 2.2 Design High Availability & Disaster Recovery architecture ................................................ 12
TASK: 2.3 Design deployment process (automated or manual) ......................................................... 13
TASK: 2.4 Identify network requirements .......................................................................................... 13
TASK: 2.5 Establish backup procedures .............................................................................................. 13
TASK: 2.6 Identify server connections ................................................................................................ 14
TASK: 2.7 Determine appropriate junction type ................................................................................ 14
TASK: 2.8 Identify required authentication methods ......................................................................... 15
TASK: 2.9 Identify required session failover ....................................................................................... 15
Section 3: Installation.............................................................................................................................. 17
TASK: 3.1 Find and download software and updates ......................................................................... 17
TASK: 3.2 Create virtual machine ....................................................................................................... 17
TASK: 3.3 Prepare user registry .......................................................................................................... 18
TASK: 3.4 Prepare database(s)............................................................................................................ 18
TASK: 3.5 Deploy Verify Access containers......................................................................................... 19
TASK: 3.6 Activate required offerings and install the support license ............................................... 19
TASK: 3.7 Perform network configuration.......................................................................................... 19
TASK: 3.8 Import necessary personal and signer certificates............................................................. 20
Section 4: Configuration ......................................................................................................................... 22
TASK: 4.1 Configure cluster ................................................................................................................ 22
TASK: 4.2 Configure base runtime component .................................................................................. 23
TASK: 4.3 Integrate federated directories .......................................................................................... 24
TASK: 4.4 Configure reverse proxy instance ....................................................................................... 24
TASK: 4.5 Configure authorization server........................................................................................... 26
TASK: 4.6 Configure LMI external authentication and authorization................................................. 26
TASK: 4.7 Configure base authorization policies ................................................................................ 26
TASK: 4.8 Create server connections .................................................................................................. 27
TASK: 4.9 Configure multi-factor authentication (MFA) .................................................................... 27
TASK: 4.10 Configure SCIM (System for Cross-domain Identity Management) ................................. 28
TASK: 4.11 Configure API protection (OAUTH/OIDC) ......................................................................... 29
TASK: 4.12 Configure auditing ............................................................................................................ 29
Section 5: System integration ................................................................................................................. 31
TASK: 5.1 Configure Junction .............................................................................................................. 31
TASK: 5.2 Protect API endpoints accessed by API clients ................................................................... 32
TASK: 5.3 Integrate with federated single sign-on partners .............................................................. 32
TASK: 5.4 Configure desktop SSO (SPNEGO) ...................................................................................... 32
TASK: 5.5 Configure token authentication ......................................................................................... 33
TASK: 5.6 Setup monitoring framework ............................................................................................. 33
TASK: 5.7 Configure external authentication interface ...................................................................... 33
TASK: 5.8 Integrate with SIEM systems .............................................................................................. 34
Section 6: Advanced customization ........................................................................................................ 35
TASK: 6.1 Implement a context-based access control policy ............................................................. 35
TASK: 6.2 Create risk profile ............................................................................................................... 35
TASK: 6.3 Implement identity mapping .............................................................................................. 36
TASK: 6.4 Author custom policy information point (PIP) ................................................................... 38
TASK: 6.5 Configure and customize a user self-care flow .................................................................. 38
TASK: 6.6 Create JavaScript authentication mechanism .................................................................... 40
TASK: 6.7 Create HTTP transformation rules ...................................................................................... 41
TASK: 6.8 Implement OAUTH/OIDC customization ............................................................................ 42
TASK: 6.9 Configure device registration (Fingerprint) ........................................................................ 42
TASK: 6.10 Modify default template files ........................................................................................... 43
TASK: 6.11 Integrate custom login application through External Authentication Interface (EAI) ..... 44
TASK: 6.12 Implement advanced authenticated user mapping ......................................................... 45
TASK: 6.13 Implement access policy................................................................................................... 46
TASK: 6.14 Implement authorization (AUTHZ) rules for reverse proxy .............................................. 46
TASK: 6.15 Configure single sign-on using Federation STS ................................................................. 47
TASK: 6.16 Configure mobile multi-factor authentication ................................................................. 47
Section 7: Testing, troubleshooting, and maintenance .......................................................................... 49
TASK: 7.1 Apply interim fixes .............................................................................................................. 49
TASK: 7.2 Apply appliance firmware updates..................................................................................... 49
TASK: 7.3 Resolve common problems ................................................................................................ 50
TASK: 7.4 Prepare backup storage system ......................................................................................... 50
TASK: 7.6 Configure logging and tracing............................................................................................. 52
TASK: 7.7 Engage with IBM Support ................................................................................................... 52
Role Definition
This intermediate level certification is intended for deployment professionals working with IBM Security
Verify Access V10.0. These deployment professionals plan, install, configure, administer, tune and
troubleshoot Security Verify Access installations. It is expected that the deployment professional is
generally self-sufficient and can perform the tasks involved in the job role with limited assistance from
peers, product documentation, and vendor support services.
This role specifically does not include routine post-deployment administration tasks.
Prerequisite Knowledge
Knowledge and foundational skills one needs to possess before acquiring skills measured on
the certification test. These foundational skills are NOT measured on the test.
• Knowledge of cloud architecture
• Concept of containers
• Working knowledge of databases and directories
• Understanding of networking protocols and topology
• Knowledge of digital certificates, transport protocols and ciphers
• Knowledge of scripting languages including JavaScript, Python, XSLT
• Knowledge of data formats such as YAML, XML, HTML, and JSON
Section 1: Planning
This section contains objectives that deal with preparing for an IBM Security Verify Access 10.0
deployment. These objectives include activities such as conducting planning workshops with the client,
identifying the solution requirements and sizing, documenting access control and log retention
requirements as well as those of federated single sign-on.
- Solution overview
1.2.1 Determine requirement for Access Platform (Web)
- Advanced authentication
- API protection
- Context-based access
- Device fingerprinting
- Device registration
- Fine-grained authorization
- Operating systems
- Related software
- Hypervisors
- Hardware requirements
- Fixes
- Disk
- Memory
- Network
- Hypervisors
- Tuning Guides
- Mapping rules
- Template pages
- Branches
- Conditional access
- On appliance requirement
- Federation types
- Federation Roles
REFERENCES:
• https://www.ibm.com/software/reports/compatibility/clarity/index.html
• https://www.ibm.com/docs/en/sva/10.0.2?topic=configuration-user-registry-considerations
• https://www.ibm.com/docs/en/sva/10.0.2?topic=overview-documentation-activation-level
• https://www.ibm.com/docs/en/sva/10.0.2?topic=settings-configuring-snmp-monitoring
• https://www.ibm.com/docs/en/sva/10.0.2?topic=settings-runtime-monitoring-using-prometheus
• https://www.ibm.com/docs/en/sva/10.0.2?topic=monitoring-sending-statistics-statsd
• https://www.ibm.com/docs/en/sva/10.0.2?topic=SSPREK_10.0.2/com.ibm.isva.doc/admin/cpt/help_authentication.html
• https://www.ibm.com/docs/en/sva/10.0.2?topic=support-configuring-oauth-20-api-protection
• https://www.ibm.com/docs/en/sva/10.0.2?topic=configuration-openid-connect-federations
• https://www.ibm.com/docs/en/sva/10.0.2?topic=overview-saml-20
• https://www.ibm.com/docs/en/sva/10.0.2?topic=overview-webseal-introduction
• https://www.ibm.com/docs/en/sva/10.0.2?topic=authentication-methods
• https://xsizer.dal1a.ciocloud.nonprod.intranet.ibm.com/sizer.html
• https://www.ibm.com/docs/en/sva/10.0.1?topic=concepts-spnego-protocol-kerberos-authentication
• https://www.ibm.com/docs/en/sva/10.0.1?topic=control-acl-entries
• https://www.ibm.com/docs/en/sva/10.0.1?topic=aacc-authentication
• https://www.ibm.com/docs/en/sva/10.0.1?topic=configuration-branching-authentication-policies
• https://www.ibm.com/docs/en/sva/10.0.2?topic=configuration-federation-overview
• https://www.ibm.com/docs/en/sva/9.0?topic=profiles-saml-20-profile-initial-urls
• http://ibm.biz/isamfedcookbook
• https://www.ibm.com/docs/en/sva/9.0?topic=formats-alias-service
• https://www.ibm.com/docs/en/sva/9.0.6?topic=solutions-single-sign-security-token-service
• https://www.ibm.com/docs/en/sva/9.0?topic=federations-configuring-sts-modules
Section 2: Architecture and Design
This section contains objectives that deal with the architecture and design of the IBM Security Verify
Access 10.0 solution, including activities such as selecting appropriate deployment patterns and
topology, designing the HA and DR architecture, determining deployment processes, identifying network
requirements, backup procedures, server connectivity, junction types, authentication methods and
required session failover.
- HW
- VM
- Containers
- All-in-One
- Kubernetes / OpenShift
- Cloud Regions
- Appliance snapshots
- Hypervisor snapshots
- LMI Only
- balance-rr
- active-backup
- balance-xor
- broadcast
- 802.3ad
- balance-tlb
- balance-alb
2.5.1 Select Appliance Backup Method
- Snapshot (Cluster)
- Persistent Volumes
- Oracle
- DB2
- Solid DB
- PostgreSQL
- LDAP
- SMTP
- Web Service
- Cloud Identity
- ISAM Runtime
- Load-balancer Terminated
- Load-balancer Pass-thru
- Direct access
- Using -b option
- TFIM Junction
- JWT Junction
- Trust Association
- HTTP Headers
- Username/Password
- OAUTH / OIDC
- Certificate Authentication
- Domain cookies
- Failover Cookie
REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.2?topic=configuration-cluster-general-reference
• https://www.ibm.com/software/reports/compatibility/clarity-reports/report/html/vesForProduct?deliverableId=B406C6E0555B11EBBBEA1195F7E6DF31&osPlatforms=&duComponentIds=S002|S003|A001
• https://www.ibm.com/docs/en/sva/10.0.2?topic=registries-configuring-runtime-authenticate-basic-users
• https://www.ibm.com/docs/en/sva/10.0.2?topic=support-docker-image-security-verify-access
• https://www.ibm.com/docs/en/sva/10.0.2?topic=support-high-availability-policy-server
• https://www.ibm.com/docs/en/sva/10.0.2?topic=services-cluster-service-considerations
• https://www.ibm.com/docs/en/sva/10.0.2?topic=services-failover-in-cluster
• https://www.ibm.com/docs/en/sva/10.0.2?topic=environments-consistent-configuration-all-webseal-replica-servers
• https://www.ibm.com/docs/en/sva/10.0.2?topic=synchronization-cluster-restart
• https://www.ibm.com/docs/en/sva/10.0.2?topic=environments-failover-new-master
• https://www.ibm.com/docs/en/sva/10.0.2?topic=synchronization-configure-webseal-cluster-support
• https://www.ibm.com/docs/en/sva/10.0.2?topic=configuration-database
• https://www.ibm.com/docs/en/sva/10.0.2?topic=overview-secure-deployment-considerations
• https://www.ibm.com/docs/en/sva/10.0.2?topic=database-deploying-external-configuration
• https://www.ibm.com/docs/en/sva/10.0.2?topic=configuration-runtime-database
• https://www.ibm.com/docs/en/sva/10.0.2?topic=database-deploying-external-runtime
• https://www.ibm.com/docs/en/sva/10.0.1?topic=concepts-spnego-protocol-kerberos-authentication
• https://www.ibm.com/docs/en/sva/10.0.1?topic=interface-external-authentication-overview
• https://www.ibm.com/docs/en/sva/10.0.1?topic=overview-saml-20
• https://www.ibm.com/docs/en/sva/10.0.1?topic=methods-openid-connect-oidc-authentication
• https://www.ibm.com/docs/en/sva/10.0.1?topic=authentication-client-side-certificate-modes
• https://www.ibm.com/docs/en/sva/10.0.2?topic=concepts-failover-cookie
• https://www.ibm.com/docs/en/sva/10.0.2?topic=settings-managing-distributed-session-cache-in-docker
• https://www.ibm.com/docs/en/sva/10.0.2?topic=overview-advantages-using-distributed-session-cache
• https://www.ibm.com/docs/en/sva/10.0.2?topic=environments-option-3-failover-cookies
• https://www.ibm.com/docs/en/sva/10.0.2?topic=dsco-failover-environment
• https://www.ibm.com/docs/en/sva/10.0.2?topic=overview-failover-environment
Section 3: Installation
This section contains objectives that deal with the installation of the IBM Security Verify Access 10.0
solution, including activities such as finding and installing updates, creating virtual machines, preparing
the user registry and databases, deploying containers, installing licenses and activating components,
configuring the network and importing certificates.
3.2.1 Determine the requirements for running Verify Access in your target hypervisor.
- Ensure you have the correct installation media or disk image for the target hypervisor
- Create the virtual machine, attaching the installation media, ensuring the correct number of virtual network adapters are attached, and any additional requirements in the documentation are followed
3.2.3 Deploy the Verify Access disk image as a new virtual machine
3.2.4 Complete the first steps setup and access the Local Management Interface
- Complete the first steps setup process using the command line
- Complete the first steps setup process using the Local Management Interface
- Complete the first steps setup process using the REST API
- Verify that the Local Management Interface can be accessed via a web browser
- Verify that the command line interface can be accessed via SSH
- Locate and download the correct Verify Access LDAP schema file for the target user registry using the Local Management Interface
- No anonymous access
- Identify and download the correct database schema for the target database
TASK: 3.5 Deploy Verify Access containers
SUBTASKS:
3.5.1 Download the Verify Access container images from Docker Hub
3.5.3 Ensure the Kubernetes environment is prepared for executing the Verify Access images
- Apparmor requirements
3.5.4 Ensure the OpenShift environment is prepared for executing the Verify Access images
TASK: 3.6 Activate required offerings and install the support license
SUBTASKS:
- Install the required activation codes using the Local Management Interface
- Download the support license from the IBM Security Systems License Key Center at
https://ibmss.flexnetoperations.com
3.7.1 Configure any external firewall rules
- Identify which addresses will be used for management and application traffic
- Add the IP addresses to each interface using the Local Management Interface
- Configure any required static host entries using the Local Management Interface
- Verify that application servers, databases, the user registry, and any required external services are contactable
- AAC/Federation runtime
- Mutual TLS (client certs) for application servers, databases, the user registry, and any required external services
- Database server(s)
- User registry
- Downstream/junctioned applications
- Federation partners
- Other external services and APIs called from advanced customized flows (Google ReCAPTCHA, SMS API gateways etc.)
REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.0?topic=configuration-user-registry-server-installation
• https://www.ibm.com/docs/en/sva/10.0.0?topic=support-docker-image-security-verify-access
• https://www.ibm.com/docs/en/sva/10.0.2?topic=settings-viewing-updating-management-ssl-certificates
• https://www.ibm.com/docs/en/sva/10.0.2?topic=configuration-cluster-general-reference
• https://www.ibm.com/software/reports/compatibility/clarity-reports/report/html/vesForProduct?deliverableId=B406C6E0555B11EBBBEA1195F7E6DF31&osPlatforms=&duComponentIds=S002|S003|A001
• https://www.ibm.com/docs/en/sva/10.0.2?topic=registries-configuring-runtime-authenticate-basic-users
• https://www.ibm.com/docs/en/sva/10.0.2?topic=support-docker-image-security-verify-access
• https://www.ibm.com/docs/en/sva/10.0.2?topic=support-high-availability-policy-server
• https://www.ibm.com/docs/en/sva/10.0.2?topic=services-cluster-service-considerations
• https://www.ibm.com/docs/en/sva/10.0.2?topic=services-failover-in-cluster
• https://www.ibm.com/docs/en/sva/10.0.2?topic=environments-consistent-configuration-all-webseal-replica-servers
• https://www.ibm.com/docs/en/sva/10.0.2?topic=synchronization-cluster-restart
• https://www.ibm.com/docs/en/sva/10.0.2?topic=environments-failover-new-master
• https://www.ibm.com/docs/en/sva/10.0.2?topic=synchronization-configure-webseal-cluster-support
• https://www.ibm.com/docs/en/sva/10.0.2?topic=configuration-database
• https://www.ibm.com/docs/en/sva/10.0.2?topic=overview-secure-deployment-considerations
• https://www.ibm.com/docs/en/sva/10.0.2?topic=database-deploying-external-configuration
• https://www.ibm.com/docs/en/sva/10.0.2?topic=configuration-runtime-database
• https://www.ibm.com/docs/en/sva/10.0.2?topic=database-deploying-external-runtime
• https://www.ibm.com/docs/en/sva/10.0.1?topic=concepts-spnego-protocol-kerberos-authentication
• https://www.ibm.com/docs/en/sva/10.0.1?topic=interface-external-authentication-overview
• https://www.ibm.com/docs/en/sva/10.0.1?topic=overview-saml-20
• https://www.ibm.com/docs/en/sva/10.0.1?topic=methods-openid-connect-oidc-authentication
• https://www.ibm.com/docs/en/sva/10.0.1?topic=authentication-client-side-certificate-modes
• https://www.ibm.com/docs/en/sva/10.0.2?topic=concepts-failover-cookie
• https://www.ibm.com/docs/en/sva/10.0.2?topic=settings-managing-distributed-session-cache-in-docker
• https://www.ibm.com/docs/en/sva/10.0.2?topic=overview-advantages-using-distributed-session-cache
• https://www.ibm.com/docs/en/sva/10.0.2?topic=environments-option-3-failover-cookies
• https://www.ibm.com/docs/en/sva/10.0.2?topic=dsco-failover-environment
• https://www.ibm.com/docs/en/sva/10.0.2?topic=overview-failover-environment
Section 4: Configuration
This section contains objectives that deal with the configuration of the IBM Security Verify Access 10.0
solution, including activities such as integrating federated directories, configuring the cluster, base
runtime component, web reverse proxy instance and numerous other components.
- Internal or External DB
- Load certificates
- Supported DBs
- Internal or External DB
- Load certificates
- Supported DBs
- Failover support
- Enable multi-node
4.1.5 Configure Session Cache
- Certificate keystores
- Runtime configuration
- Local or remote
- Management suffix
- Management domain
- SSL settings
- connection
- Bind DN
- SSL Settings
- configuring replicas
- enable
- prevent duplicates
- search priority
- Create with UI
- Create with CLI
- Bulk import
- connection information
- bind information
- SSL Settings
- Suffixes
- ignore-if-down
- configuring replicas
- Transport settings
- Configure trusted certificate
- configure ciphers
- Use of IPv6
- Basic Authentication
- Form-based authentication
- Kerberos Authentication
- OIDC Authentication
- OAuth Authentication
- LTPA
- Timeouts
- Reauthentication
- DSC/Redis
- Failover
- HTTP/Secure flags
- Cookie jar
- Cookie reset
- SameSite
- Attach ACLs and POPs
- CORS
- Replication
- P3P policy
- Proxy protocol
- Listening Ports
4.6.2 Create local users and groups in the embedded user registry
4.6.3 Select or create roles with appropriate levels of access for administrator accounts
- Create ACLs
- Set ACL permissions
- Attach ACLs
- Auditing policy
- Attach POPs
- 2FA mechanisms
- Add mechanisms
- Configure branching
4.9.3 Set Point of Contact profile
- Cookieless operation
4.10.1 Create a server connection to the LDAP/user registry where user profile data will be stored
- server connection
- search/user suffix
- user dn attribute
4.10.5 Configure the Reverse Proxy as a point of contact for the SCIM service:
TASK: 4.11 Configure API protection (OAUTH/OIDC)
SUBTASKS:
- Configure consent
- Attribute mapping
- metadata endpoint
- PKCE
REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.1?topic=management-user-self-care-scim-api
• https://www.ibm.com/docs/en/sva/10.0.1?topic=configuration-user-profile
• https://www.ibm.com/docs/en/sva/10.0.1?topic=api-limitations#con_scim_limitation__unsupported_endpoints
• https://www.ibm.com/docs/en/sva/10.0.2?topic=provider-configuring-reverse-proxy-oauth-oidc
• https://www.ibm.com/docs/en/sva/10.0.2?topic=protection-creating-api-definition
• http://ibm.biz/isamfedcookbook
• https://www.ibm.com/blogs/security-identity-access/oauth-saml-jwt-grant-type/
• https://www.ibm.com/docs/en/sva/10.0.2?topic=support-oauth-20-oidc-workflows
• https://www.ibm.com/docs/en/sva/10.0.2?topic=concerns-federated-registry-support
• https://www.ibm.com/docs/en/sva/10.0.2?topic=registries-configuring-runtime-authenticate-basic-users
• https://www.ibm.com/docs/en/sva/10.0.2?topic=registries-managing-federated-directories
• https://www.ibm.com/docs/en/sva/10.0.0?topic=settings-configuring-management-authentication
• https://www.ibm.com/docs/en/sva/10.0.0?topic=settings-managing-roles-users-groups
• https://www.ibm.com/docs/en/sva/10.0.2?topic=entries-type-attribute
• https://www.ibm.com/docs/en/sva/10.0.2?topic=policy-changing-mapping-http-request-methods
• https://www.ibm.com/docs/en/sva/10.0.0?topic=settings-server-connections
• https://www.ibm.com/docs/en/sva/10.0.0?topic=configuration-branching-authentication-policies
Section 5: System integration
This section contains objectives that deal with the systems integration of the IBM Security Verify Access
10.0 solution, including activities such as configuring the junction, protecting the API, integrating with
federated single sign-on partners, configuring SPNEGO, configuring token authentication, setting up the
monitoring framework, configuring external authentication interface and integrating with SIEM systems.
- TCP
- SSL
- Mutual SSO
- Standard junctions
- junction name
- Stateful / not
- Fail-over behavior
- Mutually authenticated
- fine-grained: query_contents
- various
TASK: 5.2 Protect API endpoints accessed by API clients
SUBTASKS:
- SAML 2.0
- WS-Federation
- OpenID Connect
- Configure
- Test
- Turn on Statistics
TASK: 5.8 Integrate with SIEM systems
SUBTASKS:
REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.2?topic=configuration-standard-webseal-junctions
• https://www.ibm.com/docs/en/sva/10.0.2?topic=configuration-virtual-hosting
• https://www.ibm.com/docs/en/sva/10.0.2?topic=configuration-creating-mutual-junctions
• https://www.ibm.com/docs/en/sva/10.0.2?topic=hosting-virtual
• https://www.ibm.com/docs/en/sva/10.0.2?topic=junctions-creation-junction-initial-server
• https://www.ibm.com/docs/en/sva/10.0.2?topic=solutions-client-identity-in-http-ba-headers
• https://www.ibm.com/docs/en/sva/10.0.2?topic=solutions-ltpa-overview
• https://www.ibm.com/docs/en/sva/10.0.2?topic=solutions-forms-single-sign-concepts
• https://www.ibm.com/docs/en/sva/10.0.2?topic=junctions-mutually-authenticated-ssl-process-summary
• https://www.ibm.com/docs/en/sva/10.0.2?topic=configuration-pdadmin-server-task-create-command
• https://www.ibm.com/docs/en/sva/10.0.2?topic=headers-http-tag-value-extended-attribute-junctions
• https://www.ibm.com/docs/en/sva/10.0.2?topic=junctions-stateful-junction-concepts
• https://www.ibm.com/docs/en/sva/10.0.1?topic=support-oidc-dynamic-clients
• https://www.ibm.com/docs/en/sva/10.0.2?topic=configuration-saml-federations-overview
• https://www.ibm.com/docs/en/sva/10.0.2?topic=overview-customizing-saml-identity-mapping
• https://www.ibm.com/docs/en/sva/10.0.2?topic=overview-saml-20-bindings
• https://www.ibm.com/docs/en/sva/10.0.2?topic=federations-managing-federation-partners
• https://www.ibm.com/docs/en/sva/10.0.2?topic=settings-configuring-snmp-monitoring
• https://www.ibm.com/docs/en/sva/10.0.2?topic=alerts-configuring-snmp-alert-objects
• https://www.ibm.com/docs/en/sva/10.0.2?topic=settings-runtime-monitoring-using-prometheus
• https://www.ibm.com/docs/en/sva/10.0.2?topic=monitoring-sending-statistics-statsd
• https://www.ibm.com/docs/en/sva/10.0.0?topic=interface-external-authentication-http-header-reference
• https://www.ibm.com/blogs/sweeden/introduction-to-qradar-log-management-for-webseal-administrators/
Section 6: Advanced customization
This section contains objectives that deal with the advanced customization of the IBM Security Verify
Access 10.0 solution including numerous activities, such as implementing a context-based access control
policy, creating a risk profile, implementing identity mapping and many other tasks.
- Save Policy
- The risk score represents the variation between the baseline set of attributes recorded for previously registered devices and the current 'device' context
- 'Secure Access Control -> Policy -> Risk Profiles'
- 'Secure Access Control -> Policy -> Attributes ->> New Attribute'
- 'Secure Access Control -> Policy -> Risk Profiles ->> New Risk Profile'
- Are we mapping a user's session to an identity?
- 'System -> Secure Settings -> File Downloads ->> access_control -> doc -> ISVA-javadoc-10.0.1.zip'
- Download from 'System -> Secure Settings -> File Downloads ->> access_control -> examples -> mapping_rules -> ip_saml_20.js'
- Download from 'System -> Secure Settings -> File Downloads ->> access_control -> examples -> mapping_rules -> sp_saml_20.js'
- Define Attribute sources to acquire attribute values from different data sources
TASK: 6.4 Author custom policy information point (PIP)
SUBTASKS:
- 'Secure Access Control -> Policy -> Information Points ->> New'
- 'Manage System Settings -> Secure Settings -> File Downloads ->> access_control -> doc -> ISVA-javadoc-10.0.2.zip'
- Navigate to 'Secure Access Control -> Global Settings -> Server Connections'
- 'Secure Access Control -> Policy -> Information Points -> New'
- Determine PIP name (this will be the value of the 'issuer' for custom attributes that are derived from this PIP)
- 'Secure Access Control -> Policy -> Authentication ->> Policies'
- Determine whether any other mechanisms are needed for your desired workflow
- Validate configuration
- 'AAC -> Global Settings -> Server Connections ->> New ->> Web Service'
- 'AAC -> Policies -> Authentication ->> Mechanisms ->> New Authentication Mechanism ->> SCIM
Config'
- Customize the User self-care policies if more or fewer steps are necessary
- 'AAC -> Global Settings -> Template Files ->> (Locale) -> authsvc -> usc'
- Edit HTML files to include custom themes or branding
- Acquire from the appliance at 'System -> Secure Settings -> File Downloads ->> access_control -> doc -> ISVA-javadoc-10.0.2.zip'
- Download from 'System -> Secure Settings -> File Downloads ->> access_control -> examples -> mapping_rules -> infomap_username.js'
- Review
- Navigate to 'AAC -> Policy -> Authentication ->> Mechanisms -> New Authentication Mechanism ->> infoMap'
- Determine name
- Determine identifier
- Define a policy name
6.7.4 Update the Reverse Proxy configuration for the HTTP Transformation
- Access URL
TASK: 6.8 Implement OAUTH/OIDC customization
SUBTASKS:
6.8.1 Determine what customization is needed for the API Protection Definition
- Identify Attributes that define your device fingerprint
- Review documentation
- Determine which files need updates
TASK: 6.11 Integrate custom login application through External Authentication Interface (EAI)
SUBTASKS:
6.11.2 Determine header names that EAI application needs to return to authenticate user
6.11.3 Create External Authentication Interface application to return specified headers and values
- Update '[eai]' stanza
- Troubleshoot issues
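The EAI steps above (determine the headers, build the application, wire the '[eai]' stanza) as an added example that is not from the study guide or from IBM's own samples: a minimal responder that returns the WebSEAL EAI headers only after it has verified the credential itself. It assumes the default WebSEAL header names (the '[eai]' stanza can rename them) and uses a constructed user store.

```python
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

# Default WebSEAL EAI header names; the [eai] stanza can rename them.
H_USER = "am-eai-user-id"
H_LEVEL = "am-eai-auth-level"
H_XATTRS = "am-eai-xattrs"
H_REDIR = "am-eai-redir-url"

# Constructed credential store; a real EAI would consult its own IdP.
USERS = {"alice": "correct horse battery staple"}


def eai_headers(username, password, auth_level=1, redirect="/"):
    """Headers for a successful login, or None when the credential fails.

    The am-eai-* headers are emitted only after the application has
    verified the credential itself: WebSEAL trusts whatever the
    configured trigger URL returns, so an unconditional header would
    sign anyone in as that user.
    """
    expected = USERS.get(username, "").encode()
    if not hmac.compare_digest(expected, password.encode()):
        return None
    return {
        H_USER: username,
        H_LEVEL: str(auth_level),
        # Names listed in am-eai-xattrs become credential extended attributes.
        H_XATTRS: "department",
        "department": "hypothetical-dept",
        H_REDIR: redirect,
    }


class EAIHandler(BaseHTTPRequestHandler):
    """Handles the POST that the reverse proxy forwards to the trigger URL."""
    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        form = parse_qs(body.decode())
        hdrs = eai_headers(form.get("username", [""])[0],
                           form.get("password", [""])[0])
        self.send_response(200 if hdrs else 401)
        for name, value in (hdrs or {}).items():
            self.send_header(name, value)
        self.end_headers()


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), EAIHandler).serve_forever()
```

Only the trigger URL configured in the '[eai]' stanza is inspected for these headers, so the application should be reachable solely through its junction; a direct route to it would let a client supply the headers themselves.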
TASK: 6.13 Implement access policy
SUBTASKS:
- 'Manage System Settings -> Secure Settings -> File Downloads ->> access_control -> doc -> ISVA-javadoc-10.0.2.zip'
- Analyze documented examples
- Attach to objectspace
6.14.6 Validate Authorization rule use cases and negative use cases
- Update configuration file to create TFIM SSO Stanza for junction [tfimsso]
- Perform MMFA Authenticator Registration
REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.2?topic=settings-template-files
• https://www.ibm.com/docs/en/sva/10.0.2?topic=files-template-file-macros
• https://www.ibm.com/docs/en/sva/10.0.2?topic=pages-template-page-wayf-page
• https://www.ibm.com/docs/en/sva/10.0.2?topic=configuration-how-write-external-authentication-application
• https://www.ibm.com/docs/en/sva/10.0.2?topic=configuration-http-header-names-authentication-data
• https://www.ibm.com/docs/en/sva/10.0.2?topic=features-post-authentication-redirection-external-authentication-interface
• https://www.ibm.com/docs/en/sva/10.0.2?topic=configuration-extracting-authentication-data-from-special-http-headers
• https://www.ibm.com/docs/en/sva/10.0.2?topic=features-request-caching-external-authentication-interface
• https://www.ibm.com/blogs/security-identity-access/federated-single-sign-on-access-policy/
• https://www.ibm.com/docs/en/sva/10.0.2?topic=settings-access-policies#access_policies
• https://www.ibm.com/blogs/sweeden/isam-9-0-2-the-jwt-sts-module-and-junction-sso-to-websphere-liberty/
• https://www.ibm.com/docs/en/sva/10.0.2?topic=tis-one-time-token
• https://www.ibm.com/docs/en/sva/10.0.2?topic=solutions-single-sign-security-token-service
• https://www.ibm.com/docs/en/sva/10.0.1?topic=csim-mapping-local-identity-saml-20-token
• https://www.ibm.com/docs/en/sva/10.0.0?topic=transformations-configuration
• https://www.ibm.com/docs/en/sva/10.0.0?topic=rules-replacing-http-response
• https://www.ibm.com/docs/en/sva/10.0.0?topic=junctions-http-transformations
• https://www.ibm.com/docs/en/sva/10.0.2?topic=registration-modifying-consent-template-pages
• https://www.ibm.com/docs/en/sva/10.0.2?topic=support-oauth-20-template-page-consent-authorize
• https://www.ibm.com/docs/en/sva/10.0.2?topic=apoo-making-oauth-oidc-consent-decision-using-access-policy
• https://www.ibm.com/blogs/security-identity-access/oauth-api-gateways-and-isam/
• https://www.ibm.com/docs/en/sva/10.0.2?topic=protection-oauth-introspection
• https://www.ibm.com/blogs/security-identity-access/oauth-jwt-access-token/
Section 7: Testing, troubleshooting, and maintenance
This section contains objectives that deal with the testing, troubleshooting and maintenance of the IBM
Security Verify Access 10.0 solution including activities, such as applying interim fixes, appliance
firmware updates, resolving common problems, configuring logging and tracing and other related
activities.
- Review the release notes/What's New for any required actions or notable changes
- Upload the firmware pkg manually using the Local Management Interface
- OR download the firmware update using the Available Updates page in the Local Management Interface
- Validate the environment/testing
- Review msg__webseald-instance.log
- Note thread
- Apply an exported Reverse Proxy instance configuration to a new Reverse Proxy instance
SUBTASKS:
- Database indexes
- For the user registry (SDS), run the 'runstats' command to identify current underlying database performance
- Review User Session Cache configuration entries
- Timeouts
- Worker threads
- Rate limiting
7.6.1 Use tracing to diagnose issue with the reverse proxy or proxied applications
- View or export Reverse Proxy trace logs using the Local Management Interface or command line interface
- Enable tracing for specific components using the Local Management Interface
- View or export the trace logs using the Local Management Interface or command line interface
- Policy Server
- Federation/AAC Runtime
- System
- View or export the packet tracing capture using the Local Management Interface
7.7.1 Generate support files to provide to IBM support
REFERENCES:
• https://www.ibm.com/support/pages/system/files/inline-files/$FILE/ISAM_PerfTuning_guide_90_v1_0.pdf
• https://www.ibm.com/docs/en/sva/10.0.2?topic=stanza-max-cached-persistent-connections
• https://www.ibm.com/support/pages/ibm-security-access-manager-appliance-available-tcp-tunings
• https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Tivoli/IBM+Security+Verify+Access&release=All&platform=Linux&function=all
• https://www.ibm.com/docs/en/sva/10.0.0?topic=licensing-installing-fix-pack
• https://www.ibm.com/docs/en/sva/10.0.0?topic=overview-whats-new-in-this-release
• https://www.ibm.com/docs/en/sva/10.0.0?topic=licensing-managing-firmware-settings
• https://www.ibm.com/docs/en/sva/10.0.0?topic=settings-managing-snapshots
• https://www.ibm.com/docs/en/sva/10.0.0?topic=management-exporting-webseal-configuration
• https://www.ibm.com/docs/en/sva/10.0.0?topic=migration-migrating-existing-webseal-instance-appliance
• https://www.ibm.com/docs/en/sva/10.0.2?topic=troubleshooting-indexing-optimization-oracle-high-volume-database
• https://github.com/IBM-Security/isam-support/blob/master/diagnostic/pdweb/pdweb.debug-timings.pl
• https://www.ibm.com/support/pages/node/237819
• https://www.ibm.com/docs/en/sva/10.0.0?topic=administration-trace-data
• https://www.ibm.com/docs/en/sva/10.0.0?topic=administration-logging
• https://www.ibm.com/docs/en/sva/10.0.0?topic=settings-runtime-parameters
• https://www.ibm.com/docs/en/sva/10.0.0?topic=monitoring-viewing-application-log-files
• https://www.ibm.com/docs/en/sva/10.0.0?topic=settings-managing-packet-tracing
• https://www.ibm.com/docs/en/sva/10.0.0?topic=settings-managing-support-files