Session Management in TAM
Sunil K Verma, May 12, 2012
Terminologies
• Session
• Cookie (transient vs. persistent)
• Stickiness
• Failover
Security Requirements
• Unique, unpredictable session identifier
• Resistant to attack: the identifier must not be guessable or reusable once the session ends
• Cookie set with the "Secure" attribute (sent only over HTTPS)
• Cookie set with the "HttpOnly" attribute (not readable from script)
• Must not contain sensitive information
• Must be subject to an inactivity timeout
• Industry-specific regulation may limit the number of concurrent sessions per login

Benefits of Session Management
• Manages the state and life cycle of the user session
• Enforces an idle timeout for inactivity
• Provides login history information
• Control over concurrent sessions per user
• Administer (view/modify/delete) sessions
• Sessions can be shared in a secure distributed environment
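The requirements and benefits above as a worked example. This is an added illustration, not TAM/WebSEAL code: a small server-side session table that issues a random opaque identifier, emits the Set-Cookie header with the Secure and HttpOnly attributes and no Expires (so the cookie is transient), enforces inactivity and lifetime timeouts, caps concurrent sessions per user by displacing the oldest one, and keeps a login history that an administrator can inspect. The cookie names reuse WebSEAL's PD-S-SESSION-ID / PD-H-SESSION-ID; the class and method names, the displace-oldest policy and the timeout values are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Session:
    session_id: str   # opaque random value; the only thing the browser ever holds
    user: str
    created: float    # login time, drives the lifetime timeout
    last_seen: float  # last validated request, drives the inactivity timeout


class SessionStore:
    """Server-side session table (example code, not the TAM implementation)."""

    def __init__(self, inactivity_timeout: float = 600.0,
                 lifetime_timeout: float = 3600.0, max_concurrent: int = 2):
        self.inactivity_timeout = inactivity_timeout
        self.lifetime_timeout = lifetime_timeout
        self.max_concurrent = max_concurrent
        self._sessions: Dict[str, Session] = {}
        self._login_history: Dict[str, List[float]] = {}

    def login(self, user: str, now: Optional[float] = None) -> Session:
        now = time.time() if now is None else now
        # Concurrent-session policy (assumed): once the per-user limit is
        # reached, displace the oldest session. Denying the new login is the
        # other common choice.
        active = sorted(self.sessions_for(user), key=lambda s: s.created)
        while len(active) >= self.max_concurrent:
            self.terminate(active.pop(0).session_id)
        # 256 bits from the OS CSPRNG: unique and not guessable. No user data
        # goes into the identifier; all state stays on the server side.
        sid = secrets.token_urlsafe(32)
        session = Session(sid, user, now, now)
        self._sessions[sid] = session
        self._login_history.setdefault(user, []).append(now)
        return session

    def validate(self, session_id: str, now: Optional[float] = None) -> Optional[Session]:
        """Return the live session for this id, or None (and drop it) if expired."""
        now = time.time() if now is None else now
        session = self._sessions.get(session_id)
        if session is None:
            return None
        idle_too_long = now - session.last_seen > self.inactivity_timeout
        lived_too_long = now - session.created > self.lifetime_timeout
        if idle_too_long or lived_too_long:
            self.terminate(session_id)
            return None
        session.last_seen = now
        return session

    def terminate(self, session_id: str) -> bool:
        """Administrative or logout termination; True if a session was removed."""
        return self._sessions.pop(session_id, None) is not None

    def sessions_for(self, user: str) -> List[Session]:
        return [s for s in self._sessions.values() if s.user == user]

    def login_history(self, user: str) -> List[float]:
        return list(self._login_history.get(user, []))

    @staticmethod
    def set_cookie_header(session: Session, https: bool = True) -> str:
        # WebSEAL's naming: PD-S-SESSION-ID over HTTPS, PD-H-SESSION-ID over HTTP.
        # "Secure" only has meaning on TLS, which is why a plain-HTTP session
        # cookie cannot meet that requirement. No Expires/Max-Age: transient cookie.
        name = "PD-S-SESSION-ID" if https else "PD-H-SESSION-ID"
        attrs = ["Path=/", "HttpOnly"]
        if https:
            attrs.append("Secure")
        return "Set-Cookie: %s=%s; %s" % (name, session.session_id, "; ".join(attrs))
```

The `now` parameter exists so the timeouts can be exercised deterministically; in production it is left at the default wall clock.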
Session Management in TAM/WebSEAL
• Maintains session state with both HTTP and HTTPS clients using the WebSEAL session key (session ID)
• The WebSEAL session ID can be carried in the following ways:
  • SSL session ID (defined by the SSL protocol)
  • Server-specific session cookie
    • HTTP: cookie PD-H-SESSION-ID
    • HTTPS: cookie PD-S-SESSION-ID
  • HTTP header data
  • IP address
• Sessions can also be managed by the Session Management Server (optional)
Failover Solution (Failover Cookie)
• A mechanism for seamlessly re-authenticating the user on another WebSEAL; it is not a mechanism for maintaining session state
• Name: PD-ID cookie
• Encrypted; contains the following information:
  • User credential information
  • Session inactivity timeout value
  • Session lifetime timeout value
• Can be a server-specific cookie or a domain cookie

Failover Cookie Advantages/Disadvantages
Advantages
• Easy deployment
• Automatic key renewal for encryption/decryption
• No additional component to maintain
• Does not require additional hardware or software
Disadvantages
• Less secure than the SMS solution
• Higher CPU load on WebSEAL, since every cookie must be decrypted
• No concurrent-session policy
• Last-login information is stored only in the user registry (v6.1+)
• No central administration of sessions
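How a failover cookie lets a second WebSEAL re-authenticate a user with no shared session state, as an added illustration (this is not IBM's PD-ID cookie format). Every server holds the same key; the cookie carries the user, the creation and last-activity times, both timeout values, and a keyed MAC over that payload, so any server with the key can accept it without a lookup. WebSEAL encrypts the real cookie; this example only authenticates the payload with HMAC-SHA256, so its contents are readable, and the payload layout, function names and sample key are assumptions. What it shows is the trade-off on the slide: acceptance is stateless and cheap to deploy, but nothing can revoke a cookie before it times out, and no server has a view of who is logged in.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _tag(key: bytes, body: str) -> str:
    # Integrity only: a real failover cookie is also encrypted.
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def _pack(key: bytes, payload: dict) -> str:
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    return body + "." + _tag(key, body)


def issue_failover_cookie(key: bytes, user: str, now: float,
                          inactivity_timeout: float, lifetime_timeout: float) -> str:
    """Issued by the WebSEAL that authenticated the user (assumed payload layout)."""
    payload = {"user": user, "created": now, "last_active": now,
               "inactivity": inactivity_timeout, "lifetime": lifetime_timeout}
    return _pack(key, payload)


def verify_failover_cookie(key: bytes, cookie: str, now: float) -> Optional[dict]:
    """Any WebSEAL holding the key can re-authenticate from the cookie alone.

    Returns the payload if the MAC checks out and neither the inactivity nor
    the lifetime timeout has passed; otherwise None. Malformed input is None too.
    """
    try:
        body, tag = cookie.split(".", 1)
        if not hmac.compare_digest(_tag(key, body), tag):
            return None
        payload = json.loads(_unb64(body))
        if now - payload["last_active"] > payload["inactivity"]:
            return None
        if now - payload["created"] > payload["lifetime"]:
            return None
        return payload
    except (ValueError, KeyError, TypeError):
        return None


def refresh_failover_cookie(key: bytes, cookie: str, now: float) -> Optional[str]:
    """Re-issue with a new last-activity time after a request is accepted.

    The creation time is carried over, so the lifetime timeout still applies
    to the original login. There is deliberately no 'revoke' function: with
    no shared store there is nothing to revoke against, which is the slide's
    'no central administration of sessions'.
    """
    payload = verify_failover_cookie(key, cookie, now)
    if payload is None:
        return None
    payload["last_active"] = now
    return _pack(key, payload)
```

Each accepted request costs one MAC computation on the WebSEAL tier (a real cookie adds a decryption on top), which is the per-request CPU cost the slide lists against this approach.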
Session Management Server (SMS)
• Manages both user sessions and failover scenarios
• Prevents a forced login when one WebSEAL becomes unavailable
• J2EE application that runs on WebSphere Application Server
• Session storage mechanism:
  • Single server
    • In-memory
    • Database
  • Cluster
    • In-memory using WebSphere eXtreme Scale
    • Database storage is not supported
    • Session replication using WebSphere eXtreme Scale
SMS Advantages
• More secure than failover cookies
• Provides a defense-in-depth approach: SMS sits behind the DMZ
• Concurrent-session policy enforcement and last-login information available
• Central management of sessions, including session termination
• Session keys are automatically renewed between SMS and WebSEAL

SMS Disadvantages
• Complex deployment
• Requires additional software/hardware:
  • WebSphere Application Server cluster
  • WebSphere eXtreme Scale
• Requires additional maintenance
• Performance impact of replicating session data across multiple data centers
• SMS must be available for WebSEAL to provide service
• Additional effort to patch the WAS, WXS and SMS components
SMS Installation/Configuration Steps
• Install WAS and WXS
• Apply WXS FP04
• WXS profile augmentation
• Application server (ND) setup
• Core group setup
• Node group setup
• LDAP setup
• Virtual host setup
• DB2 last-login database setup
• DB2 data source (JDBC) setup
• ISC and SMS installation/configuration
• Catalog server setup
• Trust Association Interceptor
• Security role setup
• SSL setup for SMS and the WebSEALs
• WebSEAL configuration change for SSL communication
Known Issues
• /var/pdsms permissions: deployment needs write access to /var/pdsms. Changing the mode to 777 works but makes the directory world-writable; since the deployment is run as the WAS user anyway, giving that user ownership of the directory is the less permissive fix
• Run SMS deployment as the WAS user (non-root)
• WXS unsupported version issue:
  CTGSD0157E An error occurred during the configuration process: CTGSD0175E An unsupported version of WebSphere eXtreme Scale (7.1.1.0) was found on the WebSphere Application Server Deployment Manager.
• Trust Association Interceptor errors during SMS configuration (com.tivoli.am.sms.tai.AMebCertificateTAI): delete the default TAIs
  • com.ibm.ws.security.spnego.TrustAssociationInterceptorImpl
  • com.ibm.ws.security.web.TAMTrustAssociationInterceptorPlus
• Incorrect keystore type generated (JCEKS): manually correct the keystore type to PKCS12
SMS Tuning
• JVM (SMS and catalog server): minimum heap size of 256 MB, maximum of 2 GB
• Discovery and failure detection settings on DefaultCoreGroup and CatalogCoreGroup:
  • Heartbeat transmission: 10000 ms (default: 30000 ms)
  • Heartbeat timeout: 20000 ms (default: 180000 ms)
  • Note: the heartbeat timeout must be a multiple of the heartbeat transmission interval
• Auto restart: in the Network Deployment Manager console, expand Servers > Server Types > WebSphere application servers; for each application server, expand Java and Process Management > Monitoring Policy and uncheck Automatic Restart