What is most valuable?
A number of new features, such as application firewall and load balancer, were added to this solution. These features are no longer available as a software version, but only as an appliance (virtual or hard).
The same appliance firmware allows you to enable more features, such as advanced access control and federation, for all of the components.
How has it helped my organization?
It acts as a reverse proxy, a single point for authentication and authorization. Advanced access control introduces adaptive or risk-based authentication. Federation makes it possible to federate using SAML and OAuth.
What needs improvement?
I would like to see the possibility to administer the appliances from one “master” appliance, instead of having to log in to each particular appliance.
If you have, for example, 4 appliances, two act as reverse proxies and two as master appliances (with policy server configured in HA) … If you want to administer these appliances, you must log in to each particular appliance. It would be nice if you could administer all of them through that one ‘master’ appliance… avoiding having to set up a direct connection, as is currently the case.
For how long have I used the solution?
I have been using this solution for approximately 11 years.
What do I think about the stability of the solution?
There were some stability issues at the very beginning when we were moving from the software version to the appliance. IBM allowed customers and partners to interact directly with developers and others responsible for the product, so we could address issues, provide feedback, and get support.
What do I think about the scalability of the solution?
The solution is very scalable, especially with the move to appliances. Adding reverse proxy appliances to existing appliance clusters is very straightforward.
How is customer service and technical support?
I would give technical support a rating of 8 out of 10.
Which solutions did we use previously?
I have used several solutions in the past.
We chose this solution for the following reasons:
- It is very easy to set up.
- The policy server is not actively used during authentication and is solely used for administration.
- No plugin is required on any HTTP server.
- It comes with a standalone (no-plugin) reverse proxy. That is in contrast to some other web access management solutions.
- The IBM reverse proxy does not have a large support matrix upon which the HTTP-servers depend.
What about the implementation team?
The implementation was straightforward and well documented as follows:
- Deploying the appliances in the network infrastructure.
- Configuring the network interfaces and routing tables.
- Starting the configuration of WebSEAL and other required components (AAC or federation). Some background knowledge is required to set up WebSEAL.
What's my experience with pricing, setup cost, and licensing?
The license model is pretty complex. Some other IBM products are included and are not dependent on the form factor of the appliance. (Dependent products are IBM Directory Server and Directory Integrator.)
A combination of hard and soft appliances may be beneficial instead of solely using hard appliances. (It might be overkill to host a simple policy server.)
Which other solutions did I evaluate?
We evaluated alternative solutions, such as: CA SiteMinder, ForgeRock AM, and Microsoft ISA Server.
What other advice do I have?
It is a very stable and good product. The AAC-module becomes a necessity because authorization is moving from a static model (a static access control list based on static group membership) to a more dynamic model, based on user behavior and attributes.
Disclosure: My company has a business relationship with this vendor other than being a customer: We are an IBM Business Partner.
Jan 31 2017