- Several SSO methods are supported out of the box.
- Federation-based SSO (SAML / OAuth / OpenID, etc.) setup is easy.
- Very good performance and scalability.
- The internal STS token service can be used for custom SSO tokens.
- It is highly scalable and can meet high loads and performances.
- Reverse proxy sits in front of the application and applications need only minimal changes to support SSO with ISAM.
Solutions Architect with 1,001-5,000 employees
Reverse proxy means applications need only minimal changes to support SSO with ISAM.
What is most valuable?
How has it helped my organization?
Our customer had SSO requirements, as well as web-firewall and federation requirements that we fulfilled through this product.
What needs improvement?
Administration of the product can be improved a lot. IBM has taken care of this in a good manner in release 9.0.
Product documentation, especially the new version 9.0, should be improved to give a quick understanding of product components and features.
For how long have I used the solution?
I have been working on this solution for over seven years.
Buyer's Guide
IBM Tivoli Access Manager [EOL]
June 2025

Learn what your peers think about IBM Tivoli Access Manager [EOL]. Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
856,873 professionals have used our research since 2012.
What do I think about the stability of the solution?
We did not encounter any stability issues.
What do I think about the scalability of the solution?
We have not had scalability issues. It has good scalability features.
How are customer service and support?
Technical support is good to excellent.
Which solution did I use previously and why did I switch?
We used Novell eDir Access Manager.
How was the initial setup?
Product setup is straightforward.
What's my experience with pricing, setup cost, and licensing?
Licensing is good for this product as compared to other solutions in the market. It has competitive pricing.
Which other solutions did I evaluate?
We looked at OpenAM and Novell eDir Access Manager.
What other advice do I have?
Choose a good implementation team and do not do an in-house implementation.
Disclosure: My company has a business relationship with this vendor other than being a customer: We are a preferred solution provider of IBM and work closely with IBM in solution implementation.

Principal Consultant at a tech services company with 1,001-5,000 employees
The auth and policy product has a reasonable LDAP implementation.
What is most valuable?
Tivoli Access Manager's proxy product (WebSEAL) is extremely fast. The configuration options are mysterious and old-school, but they are a rich and small enough set that you can comprehend them and get it working right. The auth and policy product has a reasonable LDAP implementation.
How has it helped my organization?
Step-up authentication in WebSEAL is a hook. You write a function to a particular spec, register it, and it gets called. The hook is in C, which makes sense because WebSEAL is fast and could not be written in an interpreted or high-level language.
Note that this is a way to improve WebSEAL modules, not a way to defer authentication to another server. For more, compare the second and last entries on this page.
What needs improvement?
There is only a single step-up authentication path, but I have sometimes seen the need for several steps or a divergent path. It’s getting hard to find people willing to admit that they still write in C programming language.
For how long have I used the solution?
We have used this solution since 2003.
What do I think about the stability of the solution?
No stability issues. This solution fulfills the common expectations about IBM software. It is fussy to configure, but runs like iron once you’ve got it right.
What do I think about the scalability of the solution?
No scalability issues. I get problems with the LDAP or the underlying machine first.
How are customer service and technical support?
They provide very good technical support. Perimeter security is a hot-button topic and you can get some serious help if it’s not right.
Which solution did I use previously and why did I switch?
While there are many products in this field, most companies use either this solution or CA SSO. I encountered others on rare occasions, such as Oracle, Entrust, Ping Identity, and NetIQ.
What about the implementation team?
I am not an admin for this solution, but it holds no special terrors.
What's my experience with pricing, setup cost, and licensing?
The issue is not how IBM licenses the product. You should think about how much of your traditional web traffic is going to migrate to your mobile/service gateways. If you are writing a lot of mobile apps and new JavaScript Frameworks UIs, then your traffic mix is going to change.
Which other solutions did I evaluate?
I am a consultant and typically work with the IBM stack.
What other advice do I have?
This solution’s pricing is by usage, not by instance. That means you can set up as many instances as you like. Never craft a really complicated configuration. In other words, put functionality A over here, functionality B over there, and let your F5 (e.g.) direct the flow of traffic.
Disclosure: My company has a business relationship with this vendor other than being a customer: We are IBM Premier Partners. I am often tasked to advocate for IBM products and I have learned the best way to use them. I have long experience in many parts of the IBM stack.
IAM Security Architect & Consultant at a tech services company with 51-200 employees
Acts as a reverse proxy, a single point for authentication and authorization. Advanced access control introduces adaptive or risk-based authentication.
What is most valuable?
A number of new features, such as application firewall and load balancer, were added to this solution. These features are no longer available as a software version, but only as an appliance (virtual or hard).
The same appliance firmware allows you to enable more features, such as advanced access control and federation, for all of the components.
How has it helped my organization?
It acts as a reverse proxy, a single point for authentication and authorization. Advanced access control introduces adaptive or risk-based authentication. Federation makes it possible to federate using SAML and OAuth.
What needs improvement?
I would like to see the possibility to administer the appliances from one “master” appliance, instead of having to log in to each particular appliance.
If you have, for example, 4 appliances, two acting as reverse proxies and two as master appliances (with the policy server configured in HA), and you want to administer these appliances, you must log in to each particular appliance. It would be nice if you could administer all of them through that one "master" appliance, without having to set up a direct connection, as is currently the case.
For how long have I used the solution?
I have been using this solution for approximately 11 years.
What do I think about the stability of the solution?
There were some stability issues at the very beginning when we were moving from the software version to the appliance. IBM allowed customers and partners to interact directly with developers and others responsible for the product, so we could address issues, provide feedback, and get support.
What do I think about the scalability of the solution?
The solution is very scalable, especially with the move to appliances. Adding reverse proxy appliances to existing appliance clusters is very straightforward.
How are customer service and technical support?
I would give technical support a rating of 8 out of 10.
Which solution did I use previously and why did I switch?
I have used several solutions in the past.
We chose this solution for the following reasons:
- It is very easy to set up.
- The policy server is not actively used during authentication and is solely used for administration.
- No plugin is required on any HTTP server.
- It comes with a standalone (no-plugin) reverse proxy. That is in contrast to some other web access management solutions.
- The IBM reverse proxy does not have a large support matrix upon which the HTTP-servers depend.
What about the implementation team?
The implementation was straightforward and well documented as follows:
- Deploying the appliances in the network infrastructure.
- Configuring the network interfaces and routing tables.
- Starting the configuration of WebSEAL and other required components (AAC or federation). Some background knowledge is required to set up WebSEAL.
What's my experience with pricing, setup cost, and licensing?
The license model is pretty complex. Some other IBM products are included and are not dependent on the form factor of the appliance. (Dependent products are IBM Directory Server and Directory Integrator.)
A combination of hard and soft appliances may be beneficial instead of solely using hard appliances. (It might be overkill to host a simple policy server.)
Which other solutions did I evaluate?
We evaluated alternative solutions, such as: CA SiteMinder, ForgeRock AM, and Microsoft ISA Server.
What other advice do I have?
It is a very stable and good product. The AAC-module becomes a necessity because authorization is moving from a static model (a static access control list based on static group membership) to a more dynamic model, based on user behavior and attributes.
Disclosure: My company has a business relationship with this vendor other than being a customer: We are an IBM Business Partner.
Tivoli Consultant at a government with 1,001-5,000 employees
AuthN and AuthZ mechanisms are built-in.
What is most valuable?
Some of the valuable features are:
- Reverse proxy
- Protected object space
- Ease of integration
- Multiple and robust AuthN and AuthZ mechanisms built-in
- No single point of failure (SPOF)
How has it helped my organization?
It has improved the working of our organization by having:
- Multiple endpoints integrated
- One integration point with reverse proxy for multiple portals
What needs improvement?
The Tivoli Access Manager v6.1.1 (TAMeB) came in a software form factor. It needed a separate LDAP server; and usually separate servers for policy/AuthZ servers and WebSEAL. Besides, for scalability purposes, WebSEAL is usually deployed on multiple front-end servers that are load balanced. For a large user base in a standalone environment, TAMeB requires at least 3 servers. For a simple HA environment, it doubles that number to 6. Now these factors affect the regular maintenance schedule and it becomes quite "bulky" from an infrastructure perspective.
Besides this, TAMeB in its software form factor has multiple software components to be installed in a particular sequence.
Hence, from a TAMeB deployment perspective, both these factors have scope for improvement in its current form.
For how long have I used the solution?
I have used this solution for five years.
What do I think about the stability of the solution?
It is highly stable. No issues were encountered by us.
What do I think about the scalability of the solution?
The TAMeB policy server is not scalable.
How are customer service and technical support?
I would rate the technical support an 8/10.
Which solution did I use previously and why did I switch?
Before, no other policy-based AuthZ solution was in place at this client.
What about the implementation team?
The initial setup was complex because:
- Bulky server infrastructure was needed.
- Complex installation procedure.
- Too many components to be installed in a particular sequence.
What's my experience with pricing, setup cost, and licensing?
The pricing and licensing policy depends on the client deployment needs and the number of end users and servers.
The license for the product is expensive but flexible.
You can choose from the User Value Unit (UVU)- and Processor Value Unit (PVU)-based licensing models.
Which other solutions did I evaluate?
Before choosing, we looked at another solution, namely CA SiteMinder.
What other advice do I have?
The subsequent version of this product comes in an appliance form factor. The appliance form factor is easy to work with. Thus, you have a choice to select from a virtual or hardware appliance form factor in order to implement this product.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Service Now Consultant at a tech services company with 51-200 employees
Multiple instances per component can be installed with load balancers.
What is most valuable?
Some valuable features in this product are: WebSEAL policy, proxy servers, LDAP server (IBM TDS).
The modularity with which each component may run on a different host is valuable. In addition, multiple instances per component might be installed with load balancers. It provides good scalability and reliability, not to mention the overall availability of the service.
How has it helped my organization?
The entire security of the intranet and internet web applications has been covered by the TAM environment.
What needs improvement?
It happened from time to time, that is, after a long period without restart, the TDS/LDAP instances crashed and remained in a hanging state. A restart did solve the issue but the support was not able to find the cause, despite the fact that the latest fix pack was installed for TDS v6.3.
A similar issue came up when LDAP requests did cause performance issues on TDS or caused the TDS to crash.
As information on fixes and issues related to ITDS are publicly available, let me point you to the respective site:
You may notice, there are several issues listed, which lead to a crash.
Not sure, which one is/was ours, but please notice that TAM/SAM requires multiple software bundles to be installed (like GSKit, Java SDK, WAS, DB2) – each of them having issues.
For how long have I used the solution?
I have used this solution for five years.
What do I think about the stability of the solution?
We experienced crashing of LDAP with some specific queries and it affected performance of the TDS proxy.
What do I think about the scalability of the solution?
It is scalable via load balancers but there are some issues with sync while using several LDAP trees.
How are customer service and technical support?
I would give the technical support an 8/10 rating. Sometimes, there are long-running support tickets (for 6-8 months) and that is unacceptable from the customer's point of view.
Which solution did I use previously and why did I switch?
We were not using any other solution before. We were partially using Apache reverse proxy along with LDAP.
What about the implementation team?
The setup is complex. Without training and prior knowledge, it is hard to get a working environment.
What other advice do I have?
As far as I know, the later versions of TAM (renamed to SAM), are working as appliances and with that, no experience is needed. My advice is to be careful and think twice.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Security Team Leader at SYSM GmbH
It is now available as a physical or virtual appliance. This simplifies the management a lot, and the deployment as well.
What is most valuable?
Since a couple of versions back, the product moved to a different “mentality” I would say. Compared to when it was deployed as a software package, things are now much smoother in that direction. The product is coming as an appliance (either hardware or virtual). This method simplifies the management a lot, and the deployment as well. It provides SSO across applications, together with risk-based access and strong multi-factor authentication. Very flexible and scalable.
What needs improvement?
There are a few things where there is room for improvement:
Log management via the UI is one of them. Automation can be achieved via REST APIs, for example, but in a small environment, when a customer is using the UI, you cannot do a multiple selection of logs (to be deleted, let’s say), or filter them.
A better/easier-to-use (user-friendly) interface. A more intuitive interface and menu navigation would be useful.
Rollback of FixPacks to be available via UI as well. At the moment, if you want to roll back a FP, you can do it only via LMI (appliance console).
Those would be my main requests to be improved.
For how long have I used the solution?
I’ve been using the product since 2009.
What do I think about the stability of the solution?
I think in the earlier versions I was working with, there were (a few times) some small stability issues, but those were related more to the very custom environments on the customer side.
What do I think about the scalability of the solution?
No scalability issues on this side.
How are customer service and technical support?
Technical support is doing its job mostly. What I don’t particularly like is the flow duration. But it really depends on the magnitude of the problem you have. I would rate it as good to very good in most cases.
Which solution did I use previously and why did I switch?
I did not previously use a different solution.
Which other solutions did I evaluate?
I haven’t used any other vendor’s products.
What other advice do I have?
It is a simple-to-deploy solution, with many features that are supported out-of-the-box without complicated setup. But, depending on your requirements, it can become complex but not hard to manage.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Sales Engineer - Identity and Access Management at Sailpoint
The single sign-on configurations support multiple types of configurations, including FSSO, HTTP, SAML.
What is most valuable?
The single sign-on configurations are unique to the product. They support multiple types of SSO configurations, including FSSO, HTTP, SAML. The most robust functionality for SSO is its EAI (External Authentication Interface) option. EAI allows customers to customize their authentication mechanisms as per their needs.
Access management for web resources is simple to configure but highly impenetrable. It can search all the resources in the protected system and allows you to manage user access with a few clicks.
How has it helped my organization?
The robust single sign-on feature allows business users to improve their productivity in their day-to-day tasks. It also provides end-user activity visibility on critical applications.
What needs improvement?
The user interface looks like it was designed for technical personnel only. The interface is part of the WebSphere Admin console. A lot of configurations, including those for SSO, are done through scripts and config files. The GUI could incorporate these configurations.
For how long have I used the solution?
I have used it for four years.
What do I think about the stability of the solution?
If we talk about out-of-the-box functionality, the product is highly stable. For the areas in which the product allows customization, stability is dependent on the quality of customization done.
What do I think about the scalability of the solution?
The product is highly scalable; very simple to increase the scale of deployment.
How are customer service and technical support?
IBM provides prompt support on any issues faced. IBM is willing to go an extra mile to help meet their customers’ requirements.
Which solution did I use previously and why did I switch?
This was the first product I have worked with.
How was the initial setup?
Initial setup in older versions was quite complex, but with the newer versions it is quite simple. The product also comes with a pre-configured appliance.
What's my experience with pricing, setup cost, and licensing?
I am more involved in the technical side, with limited knowledge of licensing and pricing.
Which other solutions did I evaluate?
I am part of an organization which is an IBM business partner and provides services using IBM products only.
What other advice do I have?
This product is highly recommended to meet access management and web single sign-on requirements.
Disclosure: My company has a business relationship with this vendor other than being a customer: My company is an IBM business partner.
Solution Architect Lead at an insurance company with 1,001-5,000 employees
It can map a user account in a domain controller to a web application's user account that has a different ID, in collaboration with IBM Tivoli Identity Manager.
Valuable Features
WebSEAL is a reverse proxy web server that performs authentication and authorizations. It is similar to CA SiteMinder Secure Proxy Server. The advantage of WebSEAL is that WebSEAL supports SPNEGO protocol and Kerberos authentication to support Windows desktop single sign-on. Actually, Apache HTTP server supports SPNEGO protocol, as well. However, TAM can map a user account in a domain controller to a web application's user account that has a different ID, in collaboration with IBM Tivoli Identity Manager (TIM).
Improvements to My Organization
The combination of TAM with IDM in IBM Tivoli Identity Manager helped us to realize robust and secure authentication infrastructure in accordance with industry regulations and laws.
- Providing a centralized authentication authority and enforcing consistent authorization policies for users.
- Realizing ease of user access using enterprise-level single sign-on.
- Improving traceability of application use.
On the other hand, Tivoli Identity Manager known as TIM provides centralized ID lifecycle management as an IDM solution.
By using TIM together with TAM, the following benefits are served:
Many actual accounts in several LDAPs, including TAM LDAP, are managed by TIM LDAP. (The LDAP directory tree supports a nested structure known as the “Person has many accounts” model.) In addition, a person can have many attributes, such as department code, job grade, hiring date, resignation date in the future, etc.
By using these attributes, all accounts which belong to the person can be activated or inactivated automatically. Specifically, account creation/deletion/update can be executed automatically by using HR information. If someone reaches his/her retirement date, the account is inactivated by an automated workflow process, without raising an account deletion request.
In addition, a process called “Reconciliation” checks several LDAPs (e.g. Active Directory), and can harmonize account information and its attributes between TIM and the LDAP. For example, if an improper account is directly created in Active Directory, the scheduled Reconciliation process detects the account and revokes it based on preset rules.
This is the reason I recommend using TAM together with TIM.
Room for Improvement
Due to a constraint of the built-in browser in a Handy phone (called NTT i-Mode), the former version of TAM could not be used in the Japan market. The issue was resolved by the decline of Japan-specific Handy phones.
Cookies were not supported in i-Mode browser ver.1, which had the highest market share in Japan. Hence, sessions between that browser and WebSEAL could not maintain the session state using a cookie. The constraint had widespread implications. Some examples: re-authentication, session affinity, cookie-based failover mechanisms. Besides, IBM Japan declared that all browsers built in Handy phones were not supported officially in that version.
Rather than a weakness of the WebSEAL specification, that constraint was caused by the insufficient i-Mode browser specification, which was developed by NTT Docomo. Considering the negatives, we could not use WebSEAL for Handy-phone facing applications. (A workaround might exist, but the industry-standardized manner of using cookies was in our favor.)
Use of Solution
An insurance company I left three years ago has been using TAM for 10 years.
Stability Issues
I did not encounter any stability issues.
Scalability Issues
I did not encounter any special scalability issues, because Access Manager Policy Server offloads the access traffic to the Master authorization policy store to a replica on WebSEAL Server. Likewise, PD.Acld on a back-end web application acts as a proxy of Policy Server.
Customer Service and Technical Support
Technical support is 6/10.
Initial Setup
Initial setup was complicated because TAM was implemented as a part of the IDM solution. It took me a long time to set up the directory integration among many user stores, e.g., Tivoli Identity Manager, Active Directory, Lotus Domino Directory, application user store using database.
Pricing, Setup Cost and Licensing
The user-based licensing is relatively expensive in a large-scale enterprise. Therefore, proper understanding of the AAA solution by executive management is strongly needed to obtain the budget, in addition to discount negotiation.
Other Solutions Considered
I evaluated the following solutions:
- Password sync products
- Reverse proxy-based SSO products
- Agent-based SSO products
After the results, the company decided to use TAM, following my recommendation at that time.
Other Advice
It is essential to hire an SME who has the appropriate skills with the products, in order to avoid vendor lock-in.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
