IBM Tivoli Access Manager for E-business
The IBMT ivoli Access Manager for e-business DSM for JSA accepts access, audit, and HTTP events forwarded from IBM Tivoli Access Manager.
JSA collects audit, access, and HTTP events from IBM Tivoli Access Manager for e-business using syslog. Before you can configure JSA, you must configure Tivoli Access Manager for e-business to forward events to a syslog destination.
Tivoli Access Manager for e-business supports WebSEAL, a server that applies fine-grained security policy to the Tivoli Access Manager protected Web object space.
Configure Tivoli Access Manager for E-business
You can configure syslog on your Tivoli Access Manager for e-business to forward events.
- Log in to Tivoli Access Manager's IBM Security Web Gateway.
- From the navigation menu, select Secure Reverse Proxy
Settings >Manage >Reverse Proxy.
The Reverse Proxy pane is displayed.
- From the Instance column, select an instance.
- Click the Manage list and select Configuration
>Advanced.
The text of the WebSEAL configuration file is displayed.
- Locate the Authorization API Logging configuration.
The remote syslog configuration begins with
logcfg.For example, to send authorization events to a remote syslog server:
# logcfg = audit.azn:rsyslog server=<IP address>,port=514,log_id=<log name> - Copy the remote syslog configuration (
logcfg) to a new line without the comment (#) marker. - Edit the remote syslog configuration.
For example,
logcfg = audit.azn:rsyslog server=<IP address>,port=514,log_id=<log name> logcfg = audit.authn:rsyslog server=<IP address>,port=514,log_id=<log name> logcfg = http:rsyslog server=<IP address>,port=514,log_id=<log name>Where:
<IP address> is the IP address of your JSA console or Event Collector.
<Log name> is the name assigned to the log that is forwarded to JSA. For example,
log_id=WebSEAL-log.
- Customize
the
request.logfile .For example,
request-log-format = isam-http-request-log|client-ip=%a|server-ip=%A|clientlogname=% l|remote-user=%u|time=%t|port=%p|protocol=%P|request-method=%m|response-status= %s|url=%U|bytes=%b|remote-host=%h|request=%r - Click Submit.
The Deploy button is displayed in the navigation menu.
- From the navigation menu, click Deploy.
- Click Deploy.
You must restart the reverse proxy instance to continue.
- From the Instance column, select your instance configuration.
- Click the Manage list and select Control
>Restart.
A status message is displayed after the restart completes. For more information on configuring a syslog destination, see your IBM Tivoli Access Manager for e-business vendor documentation. You are now ready to configure a log source in JSA.
Configuring a Log Source
JSA Risk Manager automatically discovers syslog audit and access events, but does not automatically discover HTTP events that are forwarded from IBM Tivoli Access Manager for e-business.
Since JSA automatically discovers audit and access events, you are not required to create a log source. However, you can manually create a log source for JSA to receive IBM Tivoli Access Manager for e-business syslog events. The following configuration steps for creating a log source are optional.
- Log in to JSA.
- Click the Admin tab.
- Click the Log Sources icon.
- Click Add.
- In the Log Source Name field, type a name for the log source.
- In the Log Source Description field, type a description for the log source.
- From the Log Source Type list, select IBM Tivoli Access Manager for e-business.
- From the Protocol Configuration list, select Syslog.
- Configure the following values:
Table 1: IBM Tivloi Access Manager for E-business Syslog Configuration
Parameter
Description
Log Source Identifier
Type the IP address or host name for your IBM Tivoli Access Manager for e-business appliance.
The IP address or host name identifies your IBM Tivoli Access Manager for e-business as a unique event source in JSA.
- Click Save.
- On the Admin tab, click Deploy Changes.