
TPM and TPM Security Technologies


1 TPM 7.1.1 and TPM 5.1.1 Security Technologies
Lewis Lo, 23 Feb 2011

2 TPM 5.1.1.x Security Technologies
- TPM 5.1.1.x runs on WAS 6.0.x
- TPM 5.1.1.x adopts a default-to-denied access security policy: a user initially has no access to resources, even where no restriction is defined
- It offers an OS authentication service, so that a user of the application can be an OS user (Unix and Windows users)
- TPM 5.1.1.x uses the Access Group for grouping the resources to be protected
- LDAP is used for role-based UI security: access to menus and buttons on the UI page
- Two modes that use LDAP are supported in TPM 5.1.1.x:
  - Users and roles are in LDAP; authentication and authorization services obtain information from LDAP directly
  - Only users are in LDAP; authenticating a user consults LDAP, and role information is obtained from the TPM database
- Supports role-based security for UI, access control, and workflow security
- The web service interface is covered by access control and workflow security
- Permissions for access control are part of the permissions in workflow security

3 TPM 7.1.1 Security Technologies
- TPM 7.1.1 runs on Maximo, which runs on WAS; TPM 7.1.1 is no longer a web application on its own
- It adopts a default-to-granted access security policy, that is, a user has access to all resources if there is no restriction defined
- It offers a Maximo authentication service, a proprietary authentication service in which users and user passwords are stored in the database; authentication is performed by the Maximo security service, and no interface to WAS security is required
- It uses the TPM provisioning group for security purposes:
  - Static group – members of static groups are managed explicitly
  - Dynamic group – a query is defined for every dynamic group, and membership is determined at run time by running the query (similar to an SQL query)
- It supports two modes of security services with LDAP:
  - Users and roles are in LDAP; authentication and authorization services obtain information from LDAP directly
  - Only users are in LDAP; authenticating a user consults LDAP, and role information is obtained from the Maximo database

4 TPM 7.1.1 Security Technologies - Continued
- TPM uses the notion of a Security Group, which is identified in LDAP
- The Security Group is used for UI, access control, and workflow security
- The web service interface is covered by access control and workflow security
- Permissions for access control and workflow security are decoupled:
  - Access control security uses the Maximo security framework
  - Workflow security uses the TPM internal security framework
- FIPS-enabled PKCS 12 formatted keystore and truststore are supported
- TLS is supported

5 Major differences in TPM 5.1.1 and TPM 7.1.1

TPM 5.1.1 | TPM 7.1.1
Default to denied access | Default to granted all access
Access Group (static) for protected resources | Provisioning groups (static or dynamic) for protected resources; provisioning groups can be typed
LDAP groups are for UI security only; security for access control and workflow is managed separately | LDAP groups are used for all security measures, including UI, access control, and workflow; users in the same group obtain the set of permissions granted to the same set of resources
Supports OS authentication service | No OS authentication service
No proprietary authentication service supported | Supports Maximo proprietary authentication service
Non-FIPS | FIPS supported with TLS protocol

6 TPM security overview
TPM security consists of the following components:
- Maximo Security Service: the engine that performs security-related tasks, including authentication and authorization of users
- Data restriction component: defines the data restrictions for accessing instances of an object, for read or write access
- Security Group: contains the security information for the Maximo Security Service; the information includes users, permissions, and the resources to be protected
- Provisioning Group: a TPM-specific group that contains TPM objects and can be used for security purposes

7 Role Based Security
[Diagram: Maximo Security Service, WebSphere Security Service, and LDAP (users and roles info), with numbered arrows 1 to 7 showing the authentication and authorization flow.]

8 Control Flow of Authentication and Authorization
1. The user attempts to access TPM, and a challenge page is presented.
2. The user enters a username and password; control passes to the Maximo Security Service.
3. The Maximo Security Service delegates the authentication service to WebSphere.
4. WebSphere contacts LDAP to retrieve user information, including the roles the user is a member of.
5. WebSphere performs an LDAP bind operation for the user; LDAP returns a response if the user provides a valid username and password.
6. Supposing the user entered a valid username and password, WebSphere returns a successful logon message to the Maximo Security Service.
7. The Maximo Security Service consults the access control list for the TPM UI; the access control list contains information on which UI the user's role has access to.
8. The Maximo Security Service renders the UI pages based on the roles the user has and the access control lists of the UI for those roles.

9 Instance Access Security
There are two types of instance permissions:
- Read/Write permission: governs read-only and write access to an object. A user can write to an object if and only if he has write access to that instance of the object.
- Workflow Security: a workflow is protected when a permission is required to run it.
  - Permissions required for a workflow are declared in the workflow definition
  - A user is assigned to a security group
  - A permission group contains permissions
  - A provisioning group contains the TPM objects to be protected
Example of a protected workflow:
    @requirepermission Software.Install clusterId
    @requirepermission Software.Start clusterId
    logicaloperation test.test (clusterId) LocaleInsensitive
    invokeimplementation

10 Example of running a Device Reboot workflow
[Diagram: Provisioning Group PG1 (server1) tied to Security Group SG1 (User 1, User 2, Device.Reboot permission); Provisioning Group PG2 (server2) tied to Security Group SG2 (User 2, Device.Reboot permission); the Device Reboot workflow requires the Device.Reboot permission.]

11 Example of running a Device Reboot workflow
- Security Group SG1 has user members user1 and user2
- Security Group SG2 has user member user2
- Provisioning group PG1 contains server1, which ties to Security Group SG1
- Provisioning group PG2 contains server2, which ties to Security Group SG2
- Both security groups (SG1 and SG2) contain the permission Device.Reboot
- User1 is granted permission Device.Reboot on server server1
- User2 is granted permission Device.Reboot on servers server1 and server2, since user2 is a member of both security groups SG1 and SG2
- When running a workflow that requires the permission Device.Reboot, user1 can execute the workflow only on target server1; user2 can execute the workflow on both targets, i.e. server1 and server2
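The user / security group / provisioning group model of slides 9 to 11, as an added worked example that is not TPM's own code: the group layout reproduces slide 11, and the check that a workflow's required permissions hold on a target is a hypothetical model of the rule, not TPM's real authorization API.

```python
from dataclasses import dataclass


@dataclass
class SecurityGroup:
    name: str
    users: set[str]        # user members of the group
    permissions: set[str]  # permissions the group grants, e.g. "Device.Reboot"


@dataclass
class ProvisioningGroup:
    name: str
    objects: set[str]          # TPM objects (here: servers) to be protected
    security_groups: set[str]  # names of security groups this group ties to


def has_permission(sgs, pgs, user, permission, target) -> bool:
    """True if some provisioning group containing `target` ties to a security
    group that both lists `user` and grants `permission`. Objects that sit in
    no provisioning group are outside this model (hypothetical check)."""
    by_name = {sg.name: sg for sg in sgs}
    for pg in pgs:
        if target not in pg.objects:
            continue
        for sg_name in pg.security_groups:
            sg = by_name[sg_name]
            if user in sg.users and permission in sg.permissions:
                return True
    return False


def can_run_workflow(sgs, pgs, user, required, target) -> bool:
    """Every @requirepermission entry of the workflow must be satisfied on the
    target (assumption about how multiple entries combine)."""
    return all(has_permission(sgs, pgs, user, p, target) for p in required)


# Constructed data reproducing slide 11 (SG1/SG2, PG1/PG2, Device.Reboot).
SGS = [SecurityGroup("SG1", {"user1", "user2"}, {"Device.Reboot"}),
       SecurityGroup("SG2", {"user2"}, {"Device.Reboot"})]
PGS = [ProvisioningGroup("PG1", {"server1"}, {"SG1"}),
       ProvisioningGroup("PG2", {"server2"}, {"SG2"})]

if __name__ == "__main__":
    for user in ("user1", "user2"):
        for target in ("server1", "server2"):
            ok = can_run_workflow(SGS, PGS, user, ["Device.Reboot"], target)
            print(f"{user} Device.Reboot on {target}: {'allowed' if ok else 'denied'}")
```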

12 Role Mapping TPM 5.1.1.x to TPM 7.1.1
    <?xml version="1.0"?>
    <Mapping>
      <Roles>
        <Role name="SystemAdministrator">
          <ITUPRole>TPADMIN</ITUPRole>
        </Role>
        <Role name="InventorySpecialist">
          <ITUPRole>TPCONFIGURATIONLIBRARIAN</ITUPRole>
        </Role>
        <Role name="SoftwareOperator">
          <ITUPRole>TPCOMPLIANCEANALYST</ITUPRole>
          <ITUPRole>TPDEPLOYMENTSPECIALIST</ITUPRole>
        </Role>
        <Role name="ChangeApprover">
        </Role>
        <Role name="AutomationPackageDeveloper">
          <ITUPRole>TPDEVELOPER</ITUPRole>
        </Role>
        <Role name="ConfigurationAdministrator">
        </Role>
        <Role name="ConfigurationOperator">
        </Role>
      </Roles>
    </Mapping>
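An added example, not TPM's own migration tooling, that parses a role mapping file of the shape shown on this slide and lists the 5.1.1.x roles that map to no 7.1.1 ITUP role, so they can be reviewed before migration; the embedded mapping is reproduced from the slide with closing tags restored.

```python
import xml.etree.ElementTree as ET

# Constructed from the slide's mapping, with closing tags restored.
MAPPING_XML = """<?xml version="1.0"?>
<Mapping>
  <Roles>
    <Role name="SystemAdministrator"><ITUPRole>TPADMIN</ITUPRole></Role>
    <Role name="InventorySpecialist"><ITUPRole>TPCONFIGURATIONLIBRARIAN</ITUPRole></Role>
    <Role name="SoftwareOperator">
      <ITUPRole>TPCOMPLIANCEANALYST</ITUPRole>
      <ITUPRole>TPDEPLOYMENTSPECIALIST</ITUPRole>
    </Role>
    <Role name="ChangeApprover"/>
    <Role name="AutomationPackageDeveloper"><ITUPRole>TPDEVELOPER</ITUPRole></Role>
    <Role name="ConfigurationAdministrator"/>
    <Role name="ConfigurationOperator"/>
  </Roles>
</Mapping>
"""


def parse_role_mapping(xml_text: str) -> dict[str, list[str]]:
    """Return {5.1.1.x role name: [7.1.1 ITUP role, ...]}; raises ValueError on
    a Role without a name attribute or on a duplicate Role name."""
    root = ET.fromstring(xml_text)
    mapping: dict[str, list[str]] = {}
    for role in root.iterfind("./Roles/Role"):
        name = role.get("name")
        if not name:
            raise ValueError("Role element without name attribute")
        if name in mapping:
            raise ValueError(f"duplicate Role {name!r}")
        texts = ((r.text or "").strip() for r in role.findall("ITUPRole"))
        mapping[name] = [t for t in texts if t]
    return mapping


def unmapped_roles(mapping: dict[str, list[str]]) -> list[str]:
    """Roles with no ITUPRole: these need a manual decision before cut-over."""
    return [name for name, itup in mapping.items() if not itup]


if __name__ == "__main__":
    m = parse_role_mapping(MAPPING_XML)
    for name, itup in m.items():
        print(f"{name:28s} -> {', '.join(itup) or '(none)'}")
    print("unmapped:", unmapped_roles(m))
```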

13 Resource Links to security groups and application access rights

14 For more security information, please visit our:
TPM DeveloperWorks Wiki – Security and Audit TPM Information Center – Security

