IBM Tivoli Access Manager for E-business
The IBMT ivoli Access Manager for e-business DSM for JSA accepts access, audit, and HTTP events forwarded from IBM Tivoli Access Manager.
JSA collects audit, access, and HTTP events from IBM Tivoli Access Manager for e-business using syslog. Before you can configure JSA, you must configure Tivoli Access Manager for e-business to forward events to a syslog destination.
Tivoli Access Manager for e-business supports WebSEAL, a server that applies fine-grained security policy to the Tivoli Access Manager protected Web object space.
Configuring Tivoli Access Manager for E-business
You can configure syslog on your Tivoli Access Manager for e-business to forward events.
Log in to Tivoli Access Manager's IBM Security Web Gateway.
From the navigation menu, select Secure Reverse Proxy Settings >Manage >Reverse Proxy.
The Reverse Proxy pane is displayed.
From the Instance column, select an instance.
Click the Manage list and select Configuration >Advanced.
The text of the WebSEAL configuration file is displayed.
Locate the Authorization API Logging configuration.
The remote syslog configuration begins with logcfg.
For example, to send authorization events to a remote syslog server:
# logcfg = audit.azn:rsyslog server=<IP address>,port=514,log_id=<log name>Copy the remote syslog configuration (logcfg) to a new line without the comment (
#) marker.Edit the remote syslog configuration.
For example,
logcfg = audit.azn:rsyslog server=<IP address>,port=514,log_id=<log name> logcfg = audit.authn:rsyslog server=<IP address>,port=514,log_id=<log name> logcfg = http:rsyslog server=<IP address>,port=514,log_id=<log name>Where:
<IP address> is the IP address of your JSA console or Event Collector.
<Log name> is the name assigned to the log that is forwarded to JSA. For example, log_id=WebSEAL-log.
Click Submit.
The Deploy button is displayed in the navigation menu.
From the navigation menu, click Deploy.
Click Deploy.
You must restart the reverse proxy instance to continue.
From the Instance column, select your instance configuration.
Click the Manage list and select Control >Restart.
A status message is displayed after the restart completes. For more information on configuring a syslog destination, see your IBM Tivoli Access Manager for e-business vendor documentation. You are now ready to configure a log source in JSA.
Syslog Log Source Parameters for IBM Tivoli Access Manager for e-business
If JSA does not automatically detect the log source, add an IBM Tivoli Access Manager for e-business log source on the JSA Console by using the Syslog protocol.
When using the syslog protocol, there are specific parameters that you must use.
The following table describes the parameters that require specific values to collect Syslog events from IBM Tivoli Access Manager for e-business:
Parameter |
Value |
|---|---|
Log Source name |
Type a name of your log source. |
Log Source description |
Type a description for your log source. |
Log Source type |
IBM Tivoli Access Manager for e-business |
Protocol Configuration |
Syslog |
Log Source Identifier |
Type the IP address or host name for your IBM Tivoli Access Manager for e-business appliance. The IP address or host name identifies your IBM Tivoli Access Manager for e-business as a unique event source in JSA. |
IBM Tivoli Access Manager for e-business Sample Event Message
Use these sample event messages to verify a successful integration with JSA.
Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
IBM Tivoli Access Manager for e-business Sample Message when you use the Syslog Protocol
The following sample event message shows that an HTTP GET request received a response with a status code of 200, indicating a successful request.
|
JSA field name |
Highlighted field name |
|---|---|
|
Source IP |
X-Forwarded-For Note:
If this field is not present, the client-ip field is used instead. |
|
Destination IP |
server-ip |