Session Management in TAM



  1. Session Management in TAM. Sunil K Verma, May 12, 2012

  2. Terminologies
  • Session
  • Cookie (transient vs. persistent)
  • Stickiness
  • Failover

  3. Security Requirements
  • Unique session identifier
  • Restrict attacks on the identifier (it must not be guessable or forgeable)
  • Cookie set with the "Secure" property
  • Cookie set with the "HttpOnly" property
  • Must not contain sensitive information
  • Must be subject to an inactivity timeout
  • Industry-specific regulation for concurrent sessions per login
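As an added example (not code from the slides or from IBM TAM), the Python below audits Set-Cookie headers against the requirements on slide 3: Secure, HttpOnly, an identifier long and random enough not to be guessable, and no sensitive data in the value. The sample headers are constructed; the PD-S-SESSION-ID name is borrowed only as a label, and the length and entropy floors are assumptions.

```python
"""Audit Set-Cookie headers against the session-cookie requirements above.
Added illustration, not code from the slides or from IBM TAM.  The sample
headers are constructed; MIN_ID_LENGTH and MIN_ENTROPY are assumed floors."""
import math
import urllib.parse
from collections import Counter

MIN_ID_LENGTH = 16   # assumption: shorter identifiers are brute-forceable
MIN_ENTROPY = 3.0    # assumption: bits per character of the raw value
SENSITIVE_MARKERS = ("user", "role", "uid", "admin", "password")

# Constructed samples: the first passes, each of the others breaks a rule.
SAMPLE_HEADERS = [
    "Set-Cookie: PD-S-SESSION-ID=4_2_z9KqjG3x8Vb7sR2mN0tQ1wL5yH6pE8aD; Path=/; Secure; HttpOnly",
    "Set-Cookie: PD-S-SESSION-ID=4_2_z9KqjG3x8Vb7sR2mN0tQ1wL5yH6pE8aD; Path=/; HttpOnly",
    "Set-Cookie: PD-S-SESSION-ID=abc123; Path=/; Secure",
    "Set-Cookie: SESSION=user%3Dsverma%3Brole%3Dadmin; Path=/; Secure; HttpOnly",
]


def parse_set_cookie(header):
    """Return (name, value, attributes) with attribute names lower-cased."""
    body = header.split(":", 1)[1].strip()
    parts = [p.strip() for p in body.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val
    return name, value, attrs


def entropy_bits_per_char(value):
    """Shannon entropy of the character distribution, in bits per character."""
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def audit_cookie(header):
    """Return the list of requirement violations; an empty list is a pass."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if len(value) < MIN_ID_LENGTH:
        findings.append("session id too short")
    if entropy_bits_per_char(value) < MIN_ENTROPY:
        findings.append("low entropy")
    # Decode percent-encoding so "user%3Dalice" is caught as well as "user=alice".
    decoded = urllib.parse.unquote(value).lower()
    if any(marker in decoded for marker in SENSITIVE_MARKERS):
        findings.append("value carries sensitive data")
    return findings


def audit_all(headers):
    """Map each header to its findings."""
    return {h: audit_cookie(h) for h in headers}


if __name__ == "__main__":
    for header, findings in audit_all(SAMPLE_HEADERS).items():
        print(header)
        print("   ", "OK" if not findings else ", ".join(findings))
```

The entropy check is a coarse heuristic (it measures character spread, not the generator behind it); its real use is catching sequential or dictionary-like identifiers such as the third sample. The sensitive-data check is likewise a keyword scan, which is why the requirement itself is phrased as a design rule rather than something a scanner can prove.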

  4. Benefits of Session Management
  • Manages the state and life cycle of the user session
  • Enforces idle timeout for inactivity
  • Login history information
  • Control over concurrent sessions per user
  • Administer (view/modify/delete) sessions
  • Sessions can be shared in a secure distributed environment

  5. Session Management in TAM/WebSEAL
  • Maintains session state with both HTTP and HTTPS clients using the WebSEAL session key (session ID)
  • The WebSEAL session ID can be carried in the following data types:
    • SSL session ID (defined by the SSL protocol)
    • Server-specific session cookie
      • HTTP: cookie PD-H-SESSION-ID
      • HTTPS: cookie PD-S-SESSION-ID
    • HTTP header data
    • IP address
  • Sessions can also be managed by the Session Management Server (optional)

  6. Failover solution (failover cookie)
  • A mechanism for seamlessly reauthenticating the user, not a mechanism for maintaining session state
  • Name: PD-ID cookie
  • Contains the following information:
    • User credential information
    • Session inactivity timeout value
    • Session lifetime timeout value
  • Can be a server-specific cookie or a domain cookie

  7. Failover Cookie Advantages/Disadvantages
  • Easy deployment
  • Automatic key renewal for encryption/decryption
  • No additional component maintenance
  • Does not require additional hardware or software
  • Less secure than the SMS solution
  • Higher CPU load on WebSEAL due to decryption of the cookie
  • No concurrent session policy
  • Last login information stored in the user registry (v6.1+)
  • No central administration of sessions
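To make slides 6 and 7 concrete, here is an added illustration (not IBM's PD-ID format and not code from the slides) of a stateless failover cookie: the cookie itself carries the credential plus the inactivity and lifetime timeout values, so any WebSEAL instance holding the shared key can reauthenticate the user without a shared session store. The real cookie is encrypted; this example only signs the payload with HMAC-SHA256, so the claims are tamper-proof but readable. The shared key, timeout values and the explicit `now` arguments are assumptions so the code runs offline.

```python
"""Stateless failover cookie, illustrating the mechanism on slides 6-7.
Added example, not IBM's PD-ID implementation: claims are HMAC-signed rather
than encrypted.  Key, timeouts and 'now' values are constructed assumptions."""
import base64
import hashlib
import hmac
import json

INACTIVITY_TIMEOUT = 600     # seconds; carried inside the cookie
LIFETIME_TIMEOUT = 8 * 3600  # seconds; carried inside the cookie


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class WebSealInstance:
    """One reverse-proxy instance; every instance shares the same cookie key."""

    def __init__(self, shared_key):
        self.key = shared_key

    def issue(self, user, now, issued_at=None):
        payload = {
            "user": user,
            "iat": now if issued_at is None else issued_at,  # lifetime anchor
            "last": now,                                      # inactivity anchor
            "inact": INACTIVITY_TIMEOUT,
            "life": LIFETIME_TIMEOUT,
        }
        body = _b64e(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
        tag = _b64e(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        return f"{body}.{tag}"

    def reauthenticate(self, cookie, now):
        """Return (user, refreshed_cookie) on success, else (None, reason)."""
        try:
            body, tag = cookie.split(".")
        except ValueError:
            return None, "malformed"
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_b64d(tag), expected):
            return None, "bad signature"
        claims = json.loads(_b64d(body))
        if now - claims["iat"] > claims["life"]:
            return None, "lifetime exceeded"
        if now - claims["last"] > claims["inact"]:
            return None, "inactivity timeout"
        # Re-issue with the inactivity anchor moved; the lifetime anchor stays put.
        return claims["user"], self.issue(claims["user"], now, issued_at=claims["iat"])


def tamper_user(cookie, new_user):
    """Rewrite the user claim but keep the old tag (a simulated attacker)."""
    body, tag = cookie.split(".")
    claims = json.loads(_b64d(body))
    claims["user"] = new_user
    forged = _b64e(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    return f"{forged}.{tag}"


def demo():
    """Constructed timeline: failover, forgery, idle timeout, lifetime cap."""
    key = b"shared-32-byte-key-for-the-demo!"   # constructed; generate per deployment
    ws1, ws2 = WebSealInstance(key), WebSealInstance(key)
    rogue = WebSealInstance(b"some-other-key")  # a host without the shared key
    t0 = 1_700_000_000.0
    cookie = ws1.issue("alice", t0)
    results = {}
    # ws1 becomes unavailable; ws2 accepts the cookie with no shared session store.
    user, refreshed = ws2.reauthenticate(cookie, t0 + 100)
    results["failover_user"] = user
    results["forged"] = ws2.reauthenticate(tamper_user(cookie, "admin"), t0 + 100)[1]
    results["wrong_key"] = rogue.reauthenticate(cookie, t0 + 100)[1]
    results["idle"] = ws2.reauthenticate(cookie, t0 + INACTIVITY_TIMEOUT + 1)[1]
    # Keep the user busy (a request every 500 s) right up to the lifetime limit.
    t, cur = t0 + 100, refreshed
    while t + 500 <= t0 + LIFETIME_TIMEOUT:
        t += 500
        user, cur = ws2.reauthenticate(cur, t)
    results["kept_alive"] = user
    results["lifetime"] = ws1.reauthenticate(cur, t0 + LIFETIME_TIMEOUT + 1)[1]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:14} {value}")
```

Two of the slide's points fall straight out of the code: every request costs a MAC verification and a re-issue (the "higher CPU on WebSEAL" line), and because each instance decides on the cookie alone there is nothing to count concurrent sessions against, so no concurrent-session policy can be enforced from this mechanism.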

  8. Session Management Server
  • Manages both user sessions and failover scenarios
  • Prevents a forced login when one WebSEAL becomes unavailable
  • J2EE application running on WebSphere Application Server
  • Session storage mechanism:
    • Single server: in-memory or database
    • Cluster: in-memory using WebSphere eXtreme Scale (database not supported)
  • Session replication using WebSphere eXtreme Scale

  9. SMS Advantages
  • More secure than failover cookies
  • Provides a defense-in-depth approach: SMS sits behind the DMZ
  • Concurrent session policy enforcement and last login information available
  • Central management of sessions, including session termination
  • Session keys are automatically renewed between SMS and WebSEAL
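The benefits on slide 4 and the SMS advantages on slide 9 all come from having one authoritative store that every WebSEAL consults. The Python below is an added model of such a store (not IBM's SMS code and not from the slides): it enforces an idle timeout, an absolute lifetime, a per-user concurrent-session policy, records last login, and lets an administrator terminate sessions. The policy values and the explicit `now` clock argument are assumptions so the example runs offline.

```python
"""Minimal central session store of the kind slides 4 and 9 attribute to the
Session Management Server.  Added illustration, not IBM's SMS code; policy
values and the explicit 'now' argument are assumptions for offline use."""
import secrets
from dataclasses import dataclass

IDLE_TIMEOUT = 600       # seconds of inactivity before a session is dead
LIFETIME = 8 * 3600      # absolute cap, regardless of activity
MAX_CONCURRENT = 2       # concurrent-session policy per user


@dataclass
class Session:
    sid: str
    user: str
    created: float
    last_seen: float
    terminated: bool = False


class SessionStore:
    """Authoritative store; every WebSEAL would consult it on each request."""

    def __init__(self):
        self._sessions = {}
        self.last_login = {}  # user -> time of most recent successful login

    def _is_live(self, s, now):
        return (not s.terminated
                and now - s.last_seen <= IDLE_TIMEOUT
                and now - s.created <= LIFETIME)

    def _live_for(self, user, now):
        return sorted((s for s in self._sessions.values()
                       if s.user == user and self._is_live(s, now)),
                      key=lambda s: s.created)

    def login(self, user, now, displace_oldest=False):
        """Open a session, enforcing MAX_CONCURRENT by refusal or displacement."""
        live = self._live_for(user, now)
        if len(live) >= MAX_CONCURRENT:
            if not displace_oldest:
                raise PermissionError("concurrent session limit reached")
            live[0].terminated = True
        sid = secrets.token_urlsafe(32)  # 256 random bits: unique and unguessable
        self._sessions[sid] = Session(sid, user, now, now)
        self.last_login[user] = now
        return sid

    def touch(self, sid, now):
        """Validate a presented id and slide the idle window; None if invalid."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if not self._is_live(s, now):
            del self._sessions[sid]   # expired or terminated: purge it
            return None
        s.last_seen = now
        return s.user

    def terminate(self, sid):
        """Administrative kill of one session; takes effect on the next request."""
        s = self._sessions.get(sid)
        if s is not None:
            s.terminated = True
        return s is not None

    def terminate_user(self, user):
        """Administrative kill of every session a user holds; returns the count."""
        killed = 0
        for s in self._sessions.values():
            if s.user == user and not s.terminated:
                s.terminated = True
                killed += 1
        return killed

    def active_count(self, user, now):
        return len(self._live_for(user, now))


def demo():
    """Walk the policy through a constructed timeline; returns observations."""
    store, t = SessionStore(), 1_000_000.0
    out = {}
    a = store.login("alice", t)
    b = store.login("alice", t + 1)
    out["active_after_two"] = store.active_count("alice", t + 1)
    try:
        store.login("alice", t + 2)
        out["third_refused"] = False
    except PermissionError:
        out["third_refused"] = True
    c = store.login("alice", t + 3, displace_oldest=True)   # displaces a
    out["a_after_displace"] = store.touch(a, t + 4)
    out["b_after_displace"] = store.touch(b, t + 4)
    store.touch(b, t + 300)                                  # b stays active
    out["c_idle"] = store.touch(c, t + 3 + IDLE_TIMEOUT + 1)  # c never touched
    out["b_alive"] = store.touch(b, t + 3 + IDLE_TIMEOUT + 1)
    store.terminate(b)                                       # admin action
    out["b_killed"] = store.touch(b, t + 700)
    d, tt = store.login("bob", t), t
    while tt + 500 <= t + LIFETIME:                          # busy user
        tt += 500
        out["d_kept_alive"] = store.touch(d, tt)
    out["d_after_lifetime"] = store.touch(d, t + LIFETIME + 1)
    out["last_login_alice"] = store.last_login["alice"]
    return out
```

Compared with the failover-cookie approach, the cost is obvious from the shape of the code: `touch` is a round trip to shared state on every request, and the store must be highly available and replicated across datacenters, which is exactly the operational burden the next slides list.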

  10. SMS Disadvantages
  • Complex deployment
  • Requires additional software/hardware: a WebSphere Application Server cluster and WebSphere eXtreme Scale
  • Requires additional maintenance
  • Performance impact of replicating session data across multiple datacenters
  • SMS must be available for WebSEAL to provide service
  • Additional effort required to patch the WAS, WXS and SMS components

  11. SMS Installation/Configuration Steps
  • Install WAS and WXS
  • Apply WXS FP04
  • WXS profile augmentation
  • Application Server (ND) setup
  • Core Group setup
  • Node Group setup
  • LDAP setup
  • Virtual Host setup

  12. Contd…
  • DB2 Last Login database setup
  • DB2 data source (JDBC) setup
  • ISC and SMS installation/configuration
  • Catalog Server setup
  • Trust Association Interceptor
  • Security Role setup
  • SSL setup for SMS and WebSEALs
  • WebSEAL configuration change for SSL communication

  13. Known Issues
  • Change the permissions of /var/pdsms to 777 (this makes the directory world-writable; if the deployment allows it, giving ownership to the WAS user is the tighter fix)
  • Run the SMS deployment as the WAS user (non-root)
  • WXS unsupported version issue:
    CTGSD0157E An error occurred during the configuration process: CTGSD0175E An unsupported version of WebSphere eXtreme Scale (7.1.1.0) was found on the WebSphere Application Server Deployment Manager.
  • Trust Association Interceptor errors
    • During SMS configuration: com.tivoli.am.sms.tai.AMebCertificateTAI
    • Delete the default TAIs:
      • com.ibm.ws.security.spnego.TrustAssociationInterceptorImpl
      • com.ibm.ws.security.web.TAMTrustAssociationInterceptorPlus
  • Incorrect keystore generation (JCEKS)
    • Manually correct the keystore type to PKCS12

  14. SMS Tuning
  • JVM (SMS and Catalog Server): minimum heap size of 256 MB and a maximum of 2 GB
  • Discovery and failure detection settings on DefaultCoreGroup and CatalogCoreGroup:
    • Heartbeat transmission: 10000 ms (default: 30000 ms)
    • Heartbeat timeout: 20000 ms (default: 180000 ms)
    • Note: the heartbeat timeout must be a multiple of the heartbeat transmission interval
  • Auto Restart: in the Deployment Manager console, expand Servers > Server Types > WebSphere Application Servers; for each application server, expand Java and Process Management > Monitoring Policy and uncheck Automatic Restart

  15. Questions?