IBM Security

Professional Certification Program

Exam Study Guide

C1000-129: IBM Security Verify Access V10.0

Deployment
Contents
Role Definition .......................................................................................................................................... 5
Key Areas of Competency ......................................................................................................................... 5
Prerequisite Knowledge ............................................................................................................................ 5
Purpose of Exam Objectives ..................................................................................................................... 6
Section 1: Planning.................................................................................................................................... 7
1.1 Conduct planning workshops......................................................................................................... 7
1.2 Identify feature requirements ....................................................................................................... 8
1.3 Plan firmware upgrade cycle ......................................................................................................... 9
1.4 Perform solution sizing .................................................................................................................. 9
1.5 Assess access control requirements ............................................................................................ 10
1.6 Assess log retention requirements .............................................................................................. 11
1.7 Assess federated single sign-on requirements............................................................................ 11
Section 2: Architecture and Design......................................................................................................... 13
2.1 Select deployment patterns and topology .................................................................................. 13
2.2 Design High Availability & Disaster Recovery architecture ........................................................ 13
2.3 Design deployment process (automated or manual) ................................................................. 14
2.4 Identify network requirements ................................................................................................... 15
2.5 Establish backup procedures ....................................................................................................... 16
2.6 Identify server connections ......................................................................................................... 16
2.7 Determine appropriate junction type ......................................................................................... 17
2.8 Identify required authentication methods.................................................................................. 17
2.9 Identify required session failover ................................................................................................ 18
Section 3: Installation.............................................................................................................................. 19
3.1 Find and download software and updates .................................................................................. 19
3.2 Create virtual machine ................................................................................................................. 19
3.3 Prepare user registry .................................................................................................................... 20
3.4 Prepare databases ........................................................................................................................ 21
3.5 Deploy Verify Access containers .................................................................................................. 21
3.6 Activate required offerings and install the support license ....................................................... 22
3.7 Perform network configuration ................................................................................................... 22
3.8 Import necessary personal and signer certificates ..................................................................... 23
pg. 2
Section 4: Configuration ......................................................................................................................... 25
4.1 Configure cluster .......................................................................................................................... 25
4.2 Configure base runtime component ............................................................................................ 26
4.3 Integrate federated directories ................................................................................................... 27
4.4 Configure web reverse proxy instance ........................................................................................ 28
4.5 Configure authorization server .................................................................................................... 30
4.6 Configure LMI external authentication and authorization ......................................................... 30
4.7 Configure base authorization policies ......................................................................................... 30
4.8 Create server connections ........................................................................................................... 31
4.9 Configure multi-factor authentication (MFA) ............................................................................. 31
4.10 Configure SCIM (System for Cross-domain Identity Management) ......................................... 32
4.11 Configure API protection (OAUTH/OIDC) .................................................................................. 33
4.12 Configure auditing ...................................................................................................................... 34
Section 5: System integration ................................................................................................................. 35
5.1 Configure Junction........................................................................................................................ 35
5.2 Protect API endpoints accessed by API clients ............................................................................ 36
5.3 Integrate with federated single sign-on partners ....................................................................... 36
5.4 Configure desktop SSO (SPNEGO)................................................................................................ 37
5.5 Configure token authentication................................................................................................... 37
5.6 Setup monitoring framework ...................................................................................................... 38
5.7 Configure external authentication interface ............................................................................... 39
5.8 Integrate with SIEM systems ....................................................................................................... 39
Section 6: Advanced customization ........................................................................................................ 40
6.1 Implement a context-based access control policy ...................................................................... 40
6.2 Create risk profile ......................................................................................................................... 41
6.3 Implement identity mapping ....................................................................................................... 42
6.4 Author custom policy information point (PIP) ............................................................................ 43
6.5 Configure and customize a user self-care flow ........................................................................... 44
6.6 Create JavaScript authentication mechanism ............................................................................. 46
6.7 Create HTTP transformation rules ............................................................................................... 47
6.8 Implement OAUTH/OIDC customization ..................................................................................... 48
6.9 Configure device registration (Fingerprint) ................................................................................. 49

pg. 3
 6.10 Modify default template files .................................................................................................... 51
6.11 Integrate custom login application through External Authentication Interface (EAI)............. 51
6.12 Implement advanced authenticated user mapping .................................................................. 52
6.13 Implement access policy ............................................................................................................ 53
6.14 Implement authorization (AUTHZ) rules for reverse proxy ...................................................... 54
6.15 Configure single sign-on using Federation STS .......................................................................... 55
6.16 Configure mobile multi-factor authentication .......................................................................... 56
Section 7: Testing, troubleshooting, and maintenance .......................................................................... 57
7.1 Apply interim fixes ....................................................................................................................... 57
7.2 Apply appliance firmware updates.............................................................................................. 57
7.3 Resolve common problems.......................................................................................................... 58
7.4 Prepare backup storage system................................................................................................... 59
7.6 Configure logging and tracing ...................................................................................................... 61
7.7 Engage with IBM Support ............................................................................................................ 62

pg. 4
Role Definition
This intermediate level certification is intended for deployment professionals working with IBM Security
Verify Access V10.0. These deployment professionals plan, install, configure, administer, tune and
troubleshoot Security Verify Access installations. It is expected that the deployment professional is
generally self-sufficient and can perform the tasks involved in the job role with limited assistance from
peers, product documentation, and vendor support services.

This role specifically does not include routine post-deployment administration tasks.

Key Areas of Competency

• Ability to deploy Security Verify Access in on-premise, IaaS, containerized, and hybrid
environments
• Knowledge of database and directory configuration for Verify Access integration
• Ability to configure Security Verify Access interfaces and networking for connectivity
• Ability to deploy Security Verify Access using common patterns
• Knowledge of Security Verify Access feature sets and components
• Knowledge of how to connect to and integration with target applications
• Ability to configure authentication and access control using Security Verify Access
• Knowledge of Federated Single Sign-on
• Knowledge of API protection using OAUTH
• Knowledge of advanced authentication and self-service flows
• Knowledge of context-based access control
• Ability to troubleshoot and conduct performance management tasks

Prerequisite Knowledge
Knowledge and foundational skills one must possess before acquiring skills measured on the
certification test. These foundational skills are NOT measured on the test.
• Knowledge of cloud architecture
• Concept of containers
• Working knowledge of databases and directories
• Understanding networking protocols and topology
• Knowledge of digital certificates, transport protocols and ciphers
• Knowledge of scripting languages including JavaScript, Python, XSLT
Knowledge of data formats such as YAML, XML, HTML, and JSON

pg. 5
Purpose of Exam Objectives

When a certification exam is being developed, a team of Subject Matter Experts work
together to define the job role the certified individual will fill. They define all the tasks and
knowledge that an individual would need to have in order to successfully perform that role.
This creates the foundation for the objectives and measurement criteria, the foundation of
the certification exam. The Certification item writers used these objectives write questions
that appear on the exam.

It is recommended that you review these objectives carefully. Do you know how to complete
the tasks in the objective? Do you know why that task needs to be done? Do you know what will
happen if you do it incorrectly? If you are not familiar with a task, then work through the
objective and perform that task in your own environment. Read more information about the
task. If there is an objective on a task, it is almost certain that you WILL see questions about it
on the actual exam.

After you have reviewed the objectives and completed your own research, don’t forget to
review the free sample questions for this exam on the IBM Certification website. These
sample question come complete with an answer key and will give you a feel for the type and
style of question on the actual exam.

After that, take the assessment exam. The questions on the assessment exam were
developed at the same time and by the same people who wrote the question on the actual
exam. The assessment exam is weighted to be equally difficult to the actual test so your
results should be predictive of your expected results on the actual test. While the assessment
exam will not tell which questions are answered incorrectly, it will tell you how you did on a
section-by-section basis so you will know where to focus your further studies.

pg. 6
Section 1: Planning
This section contains objectives that deal with preparing for an IBM Security Verify Access 10.0
deployment. These objectives include activities such as conducting planning workshops with the client,
identifying the solution requirements and sizing, documenting access control and log retention
requirements as well as those of federated single sign-on.

This section accounts for approximately 12% of the exam.

1.1 Conduct planning workshops

SUBTASKS:

1.1.1 Run project kick-off workshop

- Identify key stake holders

- Review solution environment

- Review high level requirements

- Solution overview

1.1.2 Run solution requirement workshop

- Identify platform requirements

- Identify network requirements

- Secure deployment considerations

1.1.3 Run integration workshop

- Identify integrations required

- Review access requirements

- Review single sign-on requirements

- Identify federation & API protection requirements

1.1.4 Run resource planning workshop

- Identify key resources

- Review resource availability

- Review project timelines

- Produce initial project plan

pg. 7
REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.2?topic=configuration-user-registry-considerations
• https://www.ibm.com/software/reports/compatibility/clarity/index.html
• https://www.ibm.com/docs/en/sva/10.0.2?topic=overview-documentation-activation-level
• https://www.ibm.com/docs/en/sva/10.0.2?topic=monitoring-sending-statistics-statsd
• https://www.ibm.com/docs/en/sva/10.0.2?topic=settings-configuring-snmp-monitoring
• https://www.ibm.com/docs/en/sva/10.0.2?topic=settings-runtime-monitoring-using-prometheus

1.2 Identify feature requirements

SUBTASKS:

1.2.1 Determine requirement for Access Platform (Web)

- Web Reverse Proxy

- X-Force threat protection

- Distributed Session Cache

1.2.2 Determine requirement for Advanced Access Control Module

- Advanced authentication

- API protection

- Context-based access

- Device fingerprinting

- Device registration

- Fine-grained authorization

1.2.3 Determine requirement for Federation Module

- SAML 2.0 Federations

- Open ID Connect Federations

- Module chains (STS)

REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.2?topic=SSPREK_10.0.2/com.ibm.isva.doc/admin/cpt/help_authentication.h
tml
• https://www.ibm.com/docs/en/sva/10.0.2?topic=support-configuring-oauth-20-api-protection
• https://www.ibm.com/docs/en/sva/10.0.2?topic=configuration-openid-connect-federations
• https://www.ibm.com/docs/en/sva/10.0.2?topic=overview-saml-20
• https://www.ibm.com/docs/en/sva/10.0.2?topic=overview-webseal-introduction

pg. 8
 • https://www.ibm.com/docs/en/sva/10.0.2?topic=authentication-methods

1.3 Plan firmware upgrade cycle

SUBTASKS:

1.3.1 Review Product Lifecycle

- Identify current versions

- Review end of support (EOS)

1.3.2 Review Software Product Compatibility Reports

- Operating systems

- Related software

- Hypervisors

- Hardware requirements

1.3.3 Review Software Release Cycle

1.3.4 Review Available Fixes

- Maintenance releases / firmware

- Fixes

- Review release notes

REFERENCES:
• https://www.ibm.com/software/reports/compatibility/clarity/softwareEos.html
• https://www.ibm.com/software/reports/compatibility/clarity/index.html
• https://www.ibm.com/support/fixcentral

1.4 Perform solution sizing

SUBTASKS:

1.4.1 Review Virtual Appliance specifications

- Disk

- Memory

- Network

- Hypervisors
pg. 9
1.4.2 Review Performance Tuning Guide

- Performance Tuning Guide

- Performance Tuning Scripts

1.4.3 Review Tuning Spreadsheet

- Tuning Guides

REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.2?topic=configuration-user-registry-considerations
• https://xsizer.dal1a.ciocloud.nonprod.intranet.ibm.com/sizer.html

1.5 Assess access control requirements

SUBTASKS:

1.5.1 Determine Web Authentication requirements

- Reverse Proxy authentication

1.5.2 Determine Web Authorization requirements

- Reverse Proxy authentication

1.5.3 Determine Authentication Mechanisms requirements

- Advanced Access Control

1.5.4 Determine Mapping Rule requirements

- Advanced Access Control

1.5.5 Determine Authentication Policy requirements

- Mapping rules

- Template pages

- Branches

1.5.6 Determine Access Control Policy requirements

- Custom application policy

1.5.7 Determine Access Policy requirements

- Conditional access

pg. 10
REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.1?topic=concepts-spnego-protocol-kerberos-authentication
• https://www.ibm.com/docs/en/sva/10.0.1?topic=control-acl-entries
• https://www.ibm.com/docs/en/sva/10.0.1?topic=aacc-authentication
• https://www.ibm.com/docs/en/sva/10.0.1?topic=configuration-branching-authentication-policies

1.6 Assess log retention requirements

SUBTASKS:

1.6.1 Determine Retention Requirements

- Number and types or logs

- On appliance requirement

- Central / Syslog / SIEM

- Sending events / logs to syslog server

- Legal / compliance requirements

REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.1?topic=entries-parameters-logcfg-entry
• https://www.ibm.com/docs/en/sva/10.0.1?topic=agents-sending-events-remote-syslog-server

1.7 Assess federated single sign-on requirements

SUBTASKS:

1.7.1 Determine Supported Federations

- Federation types

- Federation Roles

- Security Token Service (STS)

- Point of contact server

- High Volume Database

1.7.2 Determine SAML Federation Requirements

1.7.3 Determine OAuth 2.0 and OIDC Requirements

1.7.4 Determine Identity Mapping Requirements

pg. 11
1.7.5 Determine Token Exchange Requirements

REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.2?topic=configuration-federation-overview
• https://www.ibm.com/docs/en/sva/9.0?topic=profiles-saml-20-profile-initial-urls
• http://ibm.biz/isamfedcookbook
• https://www.ibm.com/docs/en/sva/9.0.6?topic=solutions-single-sign-security-token-service
• https://www.ibm.com/docs/en/sva/9.0?topic=federations-configuring-sts-modules
• https://www.ibm.com/docs/en/sva/9.0?topic=formats-alias-service

pg. 12
Section 2: Architecture and Design
This section contains objectives that deal with the architecture and design of the IBM Security Verify
Access 10.0 solution, including activities such as selecting appropriate deployment patterns and
topology, designing the HA and DR architecture, determining deployment processes, identifying network
requirements, backup procedures, server connectivity, junction types, authentication methods and
required session failover.

This section accounts for approximately 15% of the exam.

2.1 Select deployment patterns and topology

SUBTASKS:

2.1.1 Select Form Factor

- HW

- VM

- Containers

- Cloud vs. On-prem

2.1.2 Determine Deployment Pattern (Based on Form Factor selected)

- Cluster / Cluster Bubbles

- All-in-One

- Kubernetes / OpenShift

2.1.3 Select User Type (Basic User or Full imported secUser)

REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.2?topic=configuration-cluster-general-reference
• https://www.ibm.com/software/reports/compatibility/clarity-
reports/report/html/vesForProduct?deliverableId=B406C6E0555B11EBBBEA1195F7E6DF31&osPlatforms=&duCompo
nentIds=S002|S003|A001
• https://www.ibm.com/docs/en/sva/10.0.2?topic=registries-configuring-runtime-authenticate-basic-users
• https://www.ibm.com/docs/en/sva/10.0.2?topic=support-docker-image-security-verify-access

2.2 Design High Availability & Disaster Recovery architecture

SUBTASKS:

2.2.1 Select HA Type

pg. 13
- Dual Data Center

- Cloud Regions

- Multiple Cloud Vendors

2.2.2 Select Disaster Recovery Type

- Active/Passive Data Center

- Rebuilds via RAPI

- Appliance snapshots

- Hypervisor snapshots

REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.2?topic=services-cluster-service-considerations
• https://www.ibm.com/docs/en/sva/10.0.2?topic=services-failover-in-cluster
• https://www.ibm.com/docs/en/sva/10.0.2?topic=support-high-availability-policy-server
• https://www.ibm.com/docs/en/sva/10.0.2?topic=environments-consistent-configuration-all-webseal-replica-servers
• https://www.ibm.com/docs/en/sva/10.0.2?topic=environments-failover-new-master
• https://www.ibm.com/docs/en/sva/10.0.2?topic=synchronization-cluster-restart
• https://www.ibm.com/docs/en/sva/10.0.2?topic=synchronization-configure-webseal-cluster-support
• https://www.ibm.com/docs/en/sva/10.0.2?topic=configuration-database
• https://www.ibm.com/docs/en/sva/10.0.2?topic=configuration-runtime-database
• https://www.ibm.com/docs/en/sva/10.0.2?topic=database-deploying-external-configuration
• https://www.ibm.com/docs/en/sva/10.0.2?topic=database-deploying-external-runtime
• https://www.ibm.com/docs/en/sva/10.0.2?topic=overview-secure-deployment-considerations

2.3 Design deployment process (automated or manual)

SUBTASKS:

2.3.1 Determine Build Type

- LMI Only

- Simple REST API scripts

- Full automation (Ansible)

REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.1?topic=configuring
• https://www.ibm.com/docs/en/sva/10.0.1?topic=administering
• https://www.ibm.com/docs/en/sva/10.0.1?topic=developing-rest-api-documentation
• https://www.ibm.com/docs/en/sva/10.0.1?topic=developing-rest-api-documentation-docker
pg. 14
 • https://github.com/IBM-Security/isam-ansible-collection
• http://learn.ibm.com/course/view.php?id=14099
• http://learn.ibm.com/course/view.php?id=14097

2.4 Identify network requirements

SUBTASKS:

2.4.1 Gather network details

- Identify DMZ Subnets

- Identify Trusted Zone Subnets

- Identify Application Subnets

- Identity SaaS Applications (May require forward proxy servers)

2.4.2 Identity Network Routes

- Identity Static Routes

- Identity IP Policy Routes

2.4.3 Select HW NIC Bonding Type

- balance-rr

- active-backup

- balance-xor

- broadcast

- 802.3ad

- balance-tlb

- balance-alb

REFERENCES:
• http://learn.ibm.com/course/view.php?id=14107
• https://www.ibm.com/docs/en/sva/10.0.2?topic=overview-junction-types
• https://www.ibm.com/docs/en/sva/10.0.2?topic=settings-runtime-parameters
• https://www.ibm.com/docs/en/sva/10.0.1?topic=settings-configuring-static-routes
• https://www.ibm.com/docs/en/sva/10.0.1?topic=routes-multiple-routing-tables
• https://www.ibm.com/docs/en/sva/10.0.1?topic=settings-configuring-aggregated-network-interfaces

pg. 15
2.5 Establish backup procedures
SUBTASKS:

2.5.1 Select Appliance Backup Method

- Snapshot (Cluster)

- Hypervisor Level (All-on-one)

2.5.2 Select Container Backup Method

- Configuration Container snapshot

- Persistent Volumes

REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.2?topic=settings-managing-snapshots
• https://www.ibm.com/docs/en/sva/10.0.2?topic=maintenance-back-up-procedures
• https://www.ibm.com/docs/api/v1/content/SSPREK_10.0.1/com.ibm.isva.doc/develop/rapi/docker/Creating_a_new
_snapshot.xml
• https://www.ibm.com/docs/en/sva/10.0.1?topic=support-docker-image-security-verify-access

2.6 Identify server connections

SUBTASKS:

2.6.1 Determine Application Runtime Server Connection needs

- Oracle

- DB2

- Solid DB

- PostgreSQL

- LDAP

- SMTP

- Web Service

- Cloud Identity

- ISAM Runtime

REFERENCES:

pg. 16
 • https://www.ibm.com/docs/en/sva/10.0.1?topic=gs-server-connections
• https://www.ibm.com/docs/en/sva/10.0.1?topic=sc-server-connection-properties

2.7 Determine appropriate junction type

SUBTASKS:

2.7.1 Determine settings based on Frontend Traffic Type

- Load-balancer Terminated

- Load-balancer Pass-thru

- Direct access

2.7.2 Select Junction SSO methods

- Using -b option

- TFIM Junction

- JWT Junction

- Trust Association

- HTTP Headers

REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.2?topic=stanza-web-host-name
• https://www.ibm.com/docs/en/sva/10.0.2?topic=stanza-web-http-port
• https://www.ibm.com/docs/en/sva/10.0.2?topic=stanza-web-http-protocol
• https://www.ibm.com/docs/en/sva/10.0.2?topic=stanza-web-https-port
• https://www.ibm.com/docs/en/sva/10.0.2?topic=stanza-web-https-protocol
• https://www.ibm.com/docs/en/sva/10.0.2?topic=configuration-single-sign-solutions

2.8 Identify required authentication methods

SUBTASKS:

2.8.1 Gather Reverse Proxy Frontend Requirements

- Username/Password

- OAUTH / OIDC

- Certificate Authentication

- Domain cookies

pg. 17
REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.1?topic=concepts-spnego-protocol-kerberos-authentication
• https://www.ibm.com/docs/en/sva/10.0.1?topic=interface-external-authentication-overview
• https://www.ibm.com/docs/en/sva/10.0.1?topic=methods-openid-connect-oidc-authentication
• https://www.ibm.com/docs/en/sva/10.0.1?topic=overview-saml-20
• https://www.ibm.com/docs/en/sva/10.0.1?topic=authentication-client-side-certificate-modes

2.9 Identify required session failover

SUBTASKS:

2.9.1 Determine Reverse Proxy Session Failover

- Failover Cookie

- Distributed Session Cache

- Redis Session Cache

REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.2?topic=concepts-failover-cookie
• https://www.ibm.com/docs/en/sva/10.0.2?topic=settings-managing-distributed-session-cache-in-docker
• https://www.ibm.com/docs/en/sva/10.0.2?topic=overview-advantages-using-distributed-session-cache
• https://www.ibm.com/docs/en/sva/10.0.2?topic=dsco-failover-environment
• https://www.ibm.com/docs/en/sva/10.0.2?topic=environments-option-3-failover-cookies
• https://www.ibm.com/docs/en/sva/10.0.2?topic=overview-failover-environment

pg. 18
Section 3: Installation
This section contains objectives that deal with the installation of the IBM Security Verify Access 10.0
solution, including activities such as finding and installing updates, creating virtual machines, preparing
the user registry and databases, deploying containers, installing licenses and activating components,
configuring the network and importing certificates.

This section accounts for approximately 13% of the exam.

3.1 Find and download software and updates

SUBTASKS:

3.1.1 Check Fix Central for the latest software.

- Identify the latest firmware image

- Download the correct image for the platform being deployed to

- Identify any available interim fixes

REFERENCES:
• https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Tivoli/IBM+Securit
y+Verify+Access&release=All&platform=Linux&function=all

3.2 Create virtual machine

SUBTASKS:

3.2.1 Determine the requirements for running Verify Access in your target hypervisor.

- Review the system requirements and VM specifications

- Ensure you have the correct installation media or disk image for the target hypervisor

3.2.2 Install the Verify Access firmware.

- Create the virtual machine, attaching the installation media, ensuring the correct number of virtual
network adapters are attached, and any additional requirements in the documentation are followed

- Complete the installation process

3.2.3 Deploy the Verify Access disk image as a new virtual machine

- Create a new virtual machine using the pre-installed disk image

3.2.4 Complete the first steps setup and access the Local Management Interface

- Ensure the correct FIPS mode setting is selected

pg. 19
- Complete the first steps setup process using the command line

- Complete the first steps setup process using the Local Management Interface

- Complete the first steps setup process using the REST API

3.2.4 Verify connectivity to the management interfaces

- Verify that the Local Management Interface can be accessed via a web browser

- Verify that the command line interface can be accessed via SSH

REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.0?topic=started-virtual-appliance-tasks
• https://www.ibm.com/docs/en/sva/10.0.0?topic=tasks-command-line-interface-initial-appliance-settings-wizard
• https://www.ibm.com/docs/en/sva/10.0.0?topic=ct-security-verify-access-appliance-setup-wizard-by-using-local-
management-interface
• https://www.ibm.com/docs/en/sva/10.0.0?topic=appliance-local-management-interface
• https://www.ibm.com/docs/en/sva/10.0.0?topic=appliance-command-line-interface

3.3 Prepare user registry

SUBTASKS:

3.3.1 Install the Verify Access schema data

- Locate and download the correct Verify Access LDAP schema file for the target user registry using the
Local Management Interface

- Apply the LDAP schema to the user registry

- Create the default suffix

- Create additional suffixes for users

3.3.2 Secure the user registry

- No anonymous access

- TLS only, select reasonable ciphers

- Ensure password hashing is non-reversible

- Set appropriate ACLs

REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.0?topic=configuration-user-registry-server-installation

pg. 20
3.4 Prepare databases
SUBTASKS:

3.4.1 Prepare the runtime database

- Identify and download the correct database schema for the target database

- Execute the database schema SQL/import operation

3.4.2 Prepare the configuration database

- Identify and download the correct database schema for the target database

- Execute the database schema SQL/import operation

3.4.3 Secure the database(s)

- TLS only, select reasonable ciphers

- Ensure database is encrypted?

- Ensure certificates required are available

REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.0?topic=database-deploying-external-runtime
• https://www.ibm.com/docs/en/sva/10.0.0?topic=database-deploying-external-configuration

3.5 Deploy Verify Access containers

SUBTASKS:

3.5.1 Download the Verify Access container images from Docker Hub

3.5.2 Configure the Verify Access container properties

- Set up any required shared volumes

- Populate the shared volume with any required fix packs

- Determine the correct environment variables for each container

3.5.3 Ensure the Kubernetes environment is prepared for executing the Verify Access images

- Create the required secrets

- Create the required service account

- Apparmor requirements

pg. 21
3.5.4 Ensure the OpenShift environment is prepared for executing the Verify Access images

- Create the required security context

- Apply the security context to the created service account

3.5.4 Ensure connectivity is correct for accessing:

- the LMI (for administrative activities)

- the runtime containers (for external access where required)

REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.0?topic=support-docker-image-security-verify-access

3.6 Activate required offerings and install the support license

SUBTASKS:

3.6.1 Activate the required offerings to enable the required features.

- Download the activation codes from Passport Advantage

- Install the required activation codes using the Local Management Interface

3.6.2 Install the support license

- Download the support license from the IBM Security Systems License Key Center at
https://ibmss.flexnetoperations.com

- Install the support license using the Local Management Interface

REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.0?topic=orchestration-kubernetes-support
• https://www.ibm.com/docs/en/sva/10.0.0?topic=tasks-activating-product-buying-support

3.7 Perform network configuration

SUBTASKS:

3.7.1 Configure any external firewall rules

- Review the list of ports used by the appliance

- Configure any external firewalls to allow traffic to the required ports

pg. 22
3.7.2 Configure IP addresses

- Identify which addresses will be used for management and application traffic

- Add the IP addresses to each interface using the Local Management Interface

3.7.3 Configure routing

- Configure the default route

- Configure the routing rules for outbound traffic

- Configure source based routing

3.7.4 Configure DNS

- Configure the DNS server(s) using the Local Management Interface

- Configure any required static host entries using the Local Management Interface

3.7.4 Verify network connectivity

- Verify that hostnames can be resolved

- Verify that application servers, databases, the user registry, any required external services are
contactable

REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.0?topic=settings-appliance-port-usage
• https://www.ibm.com/docs/en/sva/10.0.0?topic=settings-configuring-interfaces
• https://www.ibm.com/docs/en/sva/10.0.0?topic=settings-configuring-static-routes
• https://www.ibm.com/docs/en/sva/10.0.0?topic=settings-configuring-dns
• https://www.ibm.com/docs/en/sva/10.0.0?topic=settings-testing-connection

3.8 Import necessary personal and signer certificates

SUBTASKS:

3.8.1 Identify the required personal certificates and import them:

- Reverse proxy front ends

- AAC/Federation runtime

- AAC/Federation signing operations

- Local Management Interface

- Mutual TLS (client certs) for application servers, databases, the user registry, any required external
services
pg. 23
3.8.2 Identify the required signer certificates and import them:

- AAC/Federation signature verification

- Database server(s)

- User registry

- Downstream/junctioned applications

- Federation partners

- Other external services and APIs called from advanced customized flows (Google ReCAPTCHA, SMS API
gateways etc.)

REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.2?topic=settings-viewing-updating-management-ssl-certificates

pg. 24
Section 4: Configuration
This section contains objectives that deal with the configuration of the IBM Security Verify Access 10.0
solution, including activities such as integrating federated directories, configuring the cluster, base
runtime component, web reverse proxy instance and numerous other components.

This section accounts for approximately 16% of the exam.

4.1 Configure cluster

SUBTASKS:

4.1.1 Configure Config database

- Internal or External DB

- Load certificates

- Supported DBs

- Collect the database server information, including the IP/port/username/password/etc.

- Data stored in config DB

4.1.2 Configure Runtime database (HVDB)

- Internal or External DB

- Load certificates

- Supported DBs

- Collect the database server information, including the IP/port/username/password/etc.

- Data stored in HVDB

- Failover support

4.1.3 Configure Primary Master

- Enable multi-node

- Set first port

- Export certificate file

4.1.4 Configure other nodes

- Select to join cluster

- Point to primary master

- Provide certificate file

pg. 25
- Monitor status of node

4.1.5 Configure Session Cache

4.1.6 Configure replication options

- Certificate keystores

- Runtime configuration

4.1.7 Configure Distributed Session Cache (DSC)

- set listening ports

REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.1?topic=configuration-database
• https://www.ibm.com/docs/en/sva/10.0.1?topic=configuration-runtime-database
• https://www.ibm.com/docs/en/sva/10.0.1?topic=settings-managing-cluster-configuration
• https://www.ibm.com/docs/en/sva/10.0.1?topic=settings-managing-cluster-
configuration#tsk_manage_cluster_config__add_node
• https://www.ibm.com/docs/en/sva/10.0.1?topic=configuration-session-cache-reference
• https://www.ibm.com/docs/en/sva/10.0.1?topic=settings-managing-distributed-session-cache-in-docker

4.2 Configure base runtime component

SUBTASKS:

4.2.1 Load certificates for primary directory

4.2.2 Configure Policy Server

- Local or remote

- Management suffix

- Management domain

- SSL settings

4.2.3 Configure primary LDAP

- connection

- Bind DN

- SSL Settings

4.2.4 Advanced settings in ldap.conf

- embed bind-dn and password

pg. 26
- configuring replicas

- ciphers for secure transport

4.2.5 Basic user configuration

- enable

- prevent duplicates

- search priority

4.2.6 Create initial users and groups

- Create with UI

- Create with CLI

- Bulk import

- Registry Direct API

REFERENCES:
• None

4.3 Integrate federated directories

SUBTASKS:

4.3.1 Load certificates for federated directories

4.3.2 Determine level of access required to federated directory

- read only or read/write

4.3.3 Add federation directory

- connection information

- bind information

- SSL Settings

- Suffixes

4.3.4 Advanced settings in ldap.conf

- ignore-if-down

- change principal attribute

pg. 27
- mod uid on import

- configuring replicas

- ciphers for secure transport

REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.2?topic=concerns-federated-registry-support
• https://www.ibm.com/docs/en/sva/10.0.2?topic=registries-configuring-runtime-authenticate-basic-users
• https://www.ibm.com/docs/en/sva/10.0.2?topic=registries-managing-federated-directories

4.4 Configure web reverse proxy instance

SUBTASKS:

4.4.1 Create Reverse Proxy instance

- Transport settings

- Connect to policy server

- Connect to User Registry

4.4.2 Configure Interfaces - TLS/SSL

- Obtain trusted certificate

- Configure trusted certificate

- Separate junction keystore?

- Define additional interfaces

- Use of secondary listener for client certificates

- configure ciphers

- Use of IPv6

4.4.3 Configure built-in authentication

- Basic Authentication

- Form-based authentication

- Client certificate auth

- RSA SecurID token auth

- Kerberos Authentication

pg. 28
- OIDC Authentication

- OAuth Authentication

- LTPA

- Set authentication levels

4.4.4 Configure Sessions

- Timeouts

- Reauthentication

- Local session cache

- DSC/Redis

- Failover

4.4.5 Cookie management

- HTTP/Secure flags

- Cookie jar

- Cookie reset

- SameSite

4.4.6 Access Control

- HTTP method mapping

- Attach ACLs and POPs

- CORS

4.4.7 Other general configuration

- Replication

- P3P policy

- Proxy protocol

- Root junction processing

REFERENCES:
• None

pg. 29
4.5 Configure authorization server
SUBTASKS:

4.5.1 Create Authorization Server instance

- Listening Ports

- Connect to policy server

- Connect to User Registry

4.5.2 Configure Java Runtime components

- TAI++ and eTAI

- Custom apps with JavaRTE

REFERENCES:
• None

4.6 Configure LMI external authentication and authorization

SUBTASKS:

4.6.1 Configure management authentication with an external (LDAP) user registry

4.6.2 Create local users and groups in the embedded user registry

4.6.3 Select or create roles with appropriate levels of access for administrator accounts

4.6.4 Assign authorization roles to the administrative users and groups

REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.0?topic=settings-configuring-management-authentication
• https://www.ibm.com/docs/en/sva/10.0.0?topic=settings-managing-roles-users-groups

4.7 Configure base authorization policies

SUBTASKS:

4.7.1 Create and attach ACLs

- Create ACLs

- Create ACL entries

- Set ACL permissions

pg. 30
- Attach ACLs

- Sparse ACL model

4.7.2 Create and attach POPs

- Network subnet policies

- Authentication level policy

- Privacy (require HTTPS)

- Auditing policy

- Extended attributes in POPs

- Attach POPs

REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.2?topic=entries-type-attribute
• https://www.ibm.com/docs/en/sva/10.0.2?topic=registries-configuring-runtime-authenticate-basic-users
• https://www.ibm.com/docs/en/sva/10.0.2?topic=policy-changing-mapping-http-request-methods

4.8 Create server connections

SUBTASKS:

4.8.1 Create Server Connections using the Local Management Interface

4.8.2 Load the certificate(s) required for the server connections

4.8.3 Check connectivity to the hosts/ports referred to in the server connections

REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.0?topic=settings-server-connections

4.9 Configure multi-factor authentication (MFA)

SUBTASKS:

4.9.1 Configure Mechanisms

- Set mechanism properties

- First factor mechanisms

pg. 31
- 2FA mechanisms

- Other mechanisms (EULA)

4.9.2 Create Policies

- Add mechanisms

- Set mechanism parameters

- Set credential attributes

- Configure branching

4.9.3 Set Point of Contact profile

- Choose appropriate profile

- Create new profile

4.9.4 Setup system to invoke policies

- path vs query for policyId

- Browser vs API clients

- Cookieless operation

REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.0?topic=configuration-branching-authentication-policies

4.10 Configure SCIM (System for Cross-domain Identity Management)

SUBTASKS:

4.10.1 Create a server connection to the LDAP/user registry where user profile data will be stored

4.10.2 Configure the SCIM service to use the LDAP/user registry:

- server connection

- ensure certificate is loaded

- search/user suffix

- user dn attribute

- configure LDAP objectclasses

4.10.3 Configure the mapping of SCIM profile attributes to LDAP attributes

pg. 32
4.10.4 Configure SCIM for Verify Access integration:

- Create ISAM Runtime server connection

- Enable Verify Access integration

4.10.5 Configure the Reverse Proxy as a point of contact for the SCIM service:

- Create transparent path /scim junction

- Pointed to the runtime

- BA with a user in the scim admin group

- Pass IV-USER, IV-GROUPS, IV-CREDS

- Enable URL filtering

REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.1?topic=management-user-self-care-scim-api
• https://www.ibm.com/docs/en/sva/10.0.1?topic=configuration-user-profile
• https://www.ibm.com/docs/en/sva/10.0.1?topic=api-limitations#con_scim_limitation__unsupported_endpoints

4.11 Configure API protection (OAUTH/OIDC)

SUBTASKS:

4.11.1 Create OAuth/OIDC Provider Definition

- Select grant types

- Configure token management

- Configure consent

4.11.2 Enable definition for OIDC

- OIDC id_token settings

- Attribute mapping

- Dynamic client registration

- OIDC and FAPI compliance

- metadata endpoint

- Use of JWKS endpoint

4.11.3 Create clients

pg. 33
- static vs dynamic registration

- confidential vs public clients

- how clients authenticate

- PKCE

REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.2?topic=provider-configuring-reverse-proxy-oauth-oidc
• https://www.ibm.com/docs/en/sva/10.0.2?topic=protection-creating-api-definition
• https://ibm.biz/isamfedcookbook
• https://www.ibm.com/blogs/security-identity-access/oauth-saml-jwt-grant-type/
• https://www.ibm.com/docs/en/sva/10.0.2?topic=support-oauth-20-oidc-workflows

4.12 Configure auditing

SUBTASKS:

4.12.1 Configure Appliance Events

- Configure System Alerts

4.12.2 Configure Base Runtime Events

- Configure Policy Server Events

- Configure Reverse Proxy Events

4.12.3 Configure Application Runtime Events

4.12.4 Write audit events from custom JavaScript

REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.2?topic=settings-configuring-system-alerts
• https://www.ibm.com/docs/en/sva/10.0.1?topic=auditing
• https://www.ibm.com/docs/en/sva/10.0.1?topic=auditing-configuring-appliance

pg. 34
Section 5: System integration
This section contains objectives that deal with the systems integration of the IBM Security Verify Access
10.0 solution, including activities such as configuring the junction, protecting the API, integrating with
federated single sign-on partners, configuring SPNEGO, configuring token authentication, setting up the
monitoring framework, configuring external authentication interface and integrating with SIEM systems.

This section accounts for approximately 16% of the exam.

5.1 Configure Junction

SUBTASKS:

5.1.1 Determine Junction Type

- TCP

- SSL

- Mutual SSO

- Standard junctions

- Virtual host junctions

5.1.2 Determine Junction Attribute Requirements

- host & port

- junction name

- server/s & port/s

- passing user info

5.1.3 Apply Advanced junction configuration

- Stateful / not

- Fail-over behavior

- Mutually authenticated

5.1.4 Apply Access Control

- coarse-grained: pdadmin attach ACL

- fine-grained: query_contents

5.1.5 Apply Single Sign-on Solutions

- various

pg. 35
REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.2?topic=configuration-creating-mutual-junctions
• https://www.ibm.com/docs/en/sva/10.0.2?topic=configuration-standard-webseal-junctions
• https://www.ibm.com/docs/en/sva/10.0.2?topic=configuration-virtual-hosting
• https://www.ibm.com/docs/en/sva/10.0.2?topic=hosting-virtual
• https://www.ibm.com/docs/en/sva/10.0.2?topic=junctions-creation-junction-initial-server
• https://www.ibm.com/docs/en/sva/10.0.2?topic=solutions-client-identity-in-http-ba-headers
• https://www.ibm.com/docs/en/sva/10.0.2?topic=solutions-forms-single-sign-concepts
• https://www.ibm.com/docs/en/sva/10.0.2?topic=solutions-ltpa-overview
• https://www.ibm.com/docs/en/sva/10.0.2?topic=junctions-mutually-authenticated-ssl-process-summary
• https://www.ibm.com/docs/en/sva/10.0.2?topic=configuration-pdadmin-server-task-create-command
• https://www.ibm.com/docs/en/sva/10.0.2?topic=headers-http-tag-value-extended-attribute-junctions
• https://www.ibm.com/docs/en/sva/10.0.2?topic=junctions-stateful-junction-concepts

5.2 Protect API endpoints accessed by API clients

SUBTASKS:

5.2.1 Create / Manage API protection definition

5.2.2 Register / Manage API protection client

5.2.3 Manage policy attachments

REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.1?topic=support-oidc-dynamic-clients

5.3 Integrate with federated single sign-on partners

SUBTASKS:

5.3.1 Determine Federated single sign-on (SSO) Protocol & Role

- SAML 2.0

- WS-Federation

- OpenID Connect

- service providers (SP)

- identity provider (IdP)

5.3.2 Configure Identity Mapping

5.3.3 Create a Federation

pg. 36
5.3.4 Creating a Partner

5.3.5 Trigger SSO from Logon Pages

REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.2?topic=configuration-saml-federations-overview
• https://www.ibm.com/docs/en/sva/10.0.2?topic=overview-customizing-saml-identity-mapping
• https://www.ibm.com/docs/en/sva/10.0.2?topic=overview-saml-20-bindings
• https://www.ibm.com/docs/en/sva/10.0.2?topic=federations-managing-federation-partners

5.4 Configure desktop SSO (SPNEGO)

SUBTASKS:

5.4.1 Configure the Kerberos Client

5.4.2 Create WebSEAL Identity in AD

- Identity in Active Directory

- Mapping a Kerberos principal

- Verifying WebSEAL authentication

5.4.3 Add Service Name and Keytab

5.4.4 Enable SPNEGO for WebSEAL

5.4.5 Configure Browser for Desktop SSO

- Configure

- Test

REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.2?topic=sign-configure-embedded-kerberos-client
• https://www.ibm.com/docs/en/sva/10.0.2?topic=sign-create-identity-webseal-in-active-directory-domain
• https://www.ibm.com/docs/en/sva/10.0.2?topic=sign-map-kerberos-principal-active-directory-user
• https://www.ibm.com/docs/en/sva/10.0.2?topic=sign-verify-webseal-authentication-keytab-file
• https://www.ibm.com/docs/en/sva/10.0.2?topic=sign-add-service-name-keytab-file-entries
• https://www.ibm.com/docs/en/sva/10.0.2?topic=sign-enable-spnego-webseal
• https://www.ibm.com/docs/en/sva/10.0.2?topic=sign-configure-internet-explorer-client

5.5 Configure token authentication

SUBTASKS:
pg. 37
5.5.1 Update RSA SecurID Configuration

5.5.2 Enable Token Authentication

REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.2?topic=settings-managing-rsa-securid-configuration
• https://www.ibm.com/docs/en/sva/10.0.2?topic=authentication-enabling-token

5.6 Setup monitoring framework

SUBTASKS:

5.6.1 Configure SNMP Monitoring

- Determine SNMP version

- Open ports to and from appliance in firewall

- Review available MIBs

5.6.2 Configure System Alerts

- Create an email alert object

- Create an SNMP alert object

- Create a remote syslog object

5.6.3 Configure AAC monitoring

- Review Prometheus support

- Review JVM monitoring

5.6.4 Utilize Reverse Proxy statistics

- Turn on Statistics

- Use logcfg entries to send to remote syslog

REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.2?topic=alerts-configuring-snmp-alert-objects
• https://www.ibm.com/docs/en/sva/10.0.2?topic=settings-configuring-snmp-monitoring
• https://www.ibm.com/docs/en/sva/10.0.2?topic=settings-runtime-monitoring-using-prometheus
• https://www.ibm.com/docs/en/sva/10.0.2?topic=monitoring-sending-statistics-statsd

pg. 38
5.7 Configure external authentication interface
SUBTASKS:

5.7.1 Enable External Authentication Interface

5.7.2 Configure External Authentication Interface Trigger URL

5.7.3 Set HTTP Headers for External Authentication Interface

5.7.4 Enable Validation of the User Identity

REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.0?topic=interface-external-authentication-http-header-reference

5.8 Integrate with SIEM systems

SUBTASKS:

5.8.1 Identify SIEM System

- Gather Host and Port information

- Gather Syslog related information

5.8.2 Send Reverse Proxy logs to SIEM

- Customize HTTP Request logs

- Configure Reverse Proxy 'logcfg' entries

5.8.3 Send application logs to SIEM

- Configure Remote Syslog Forwarder

- Add sources to forwarder instances

- Configure syslog information for sources

REFERENCES:
• https://www.ibm.com/blogs/sweeden/introduction-to-qradar-log-management-for-webseal-administrators/

pg. 39
Section 6: Advanced customization
This section contains objectives that deal with the advanced customization of the IBM Security Verify
Access 10.0 solution including numerous activities, such as implementing a context-based access control
policy, creating a risk profile, implementing identity mapping and many other tasks.

This section accounts for approximately 18% of the exam.

6.1 Implement a context-based access control policy

SUBTASKS:

6.1.1 Understand Access Control Policy

- Review documentation for usage

- Watch basic video from Security Learning Academy

6.1.2 Review available documentation

- Review documented policy scenarios

- Review support provided policy scenarios

6.1.3 Develop Access Control Policy

- Create new Policy

- Add rules to policy

- Determine whether Policy Sets are required

- Save Policy

6.1.4 Modify configuration to utilize Access Control Policy

- Attach access control policy

- Publish Access Control Policy

- Configure reverse proxy for authentication services

6.1.5 Validate changes work as expected

REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.2?topic=administration-access-control-policies
• https://www.ibm.com/docs/en/sva/10.0.2?topic=policies-policy-scenarios
• https://github.com/IBM-Security/isam-support/tree/master/config-example/aac/access-control-policy
• https://www.ibm.com/docs/en/sva/10.0.2?topic=policies-creating-access-control-policy
• https://www.ibm.com/docs/en/sva/10.0.2?topic=policies-managing-access-control-policy-sets

pg. 40
 • https://www.ibm.com/docs/en/sva/10.0.2?topic=policies-managing-access-control-policy-attachments
• https://www.ibm.com/docs/en/sva/10.0.2?topic=services-configuring-advanced-access-control-authentication-
reverse-proxy

6.2 Create risk profile

SUBTASKS:

6.2.1 Understand how the 'Risk Score' is calculated

- Risk score represents the variation from baseline set of attributes between previous registered devices
and the current 'device' context

6.2.2 Review predefined risk profiles

- 'Secure Access Control -> Policy -> Risk Profiles'

6.2.3 Review the attributes available for risk profiles

- ' Secure Access Control -> Policy -> Attributes'

- Filter with 'Risk' to find all Attributes of type 'Risk'

6.2.4 Create custom attributes if necessary

- 'Secure Access Control -> Policy -> Attributes ->> New Attribute'

- Mark the Checkbox for 'Risk' when creating the attribute

6.2.5 Determine whether a new Risk Profile is necessary

- Analyze default profiles

- Identify attributes of importance

- Define End User device capabilities in relation to attributes

- Gather necessary attributes

6.2.6 Create Risk Profile

- 'Secure Access Control -> Policy -> Risk Profiles ->> New Risk Profile'

- Gather identified Attributes

- Add attributes to new Risk Profile

- Assign attributes individual 'weight'

6.2.7 Set an Active Risk Profile

- 'Secure Access Control -> Policy -> Risk Profiles'

pg. 41
- Select risk profile from left panel

- Select 'Set Active' button

- Deploy pending changes

- Enable risk reports

- Review Risk Reports after validation

REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.2?topic=overview-risk-score-calculation
• https://www.ibm.com/docs/en/sva/10.0.2?topic=profiles-predefined-risk
• https://www.ibm.com/docs/en/sva/10.0.2?topic=attributes-predefined
• https://www.ibm.com/docs/en/sva/10.0.2?topic=attributes-managing
• https://www.ibm.com/docs/en/sva/10.0.2?topic=profiles-managing-risk
• https://www.ibm.com/docs/en/sva/10.0.2?topic=overview-risk-reports

6.3 Implement identity mapping

SUBTASKS:

6.3.1 Identify identity exchange role

- Are we mapping an identity to a user's session

- Are we mapping a user's session to an identity

6.3.2 Download Java documentation reference

- 'System -> Secure Settings -> File Downloads ->> access_control -> doc -> ISVA-javadoc-10.0.1.zip'

6.3.3 Review example mapping rules

- Download from 'System -> Secure Settings -> File Downloads ->> access_control -> examples ->
mapping_rules -> ip_saml_20.js'

- Download from 'System -> Secure Settings -> File Downloads ->> access_control -> examples ->
mapping_rules -> sp_saml_20.js'

- Review example mapping rule for syntax and coding examples

6.3.4 Implement Attribute Sources

- Attributes values can be filled by identity sources

- Define Attribute sources to acquire attribute values from different data sources

6.3.5 Author JavaScript Mapping Rule

pg. 42
- Review JavaScript Allowlist to determine usable classes

- Compose JavaScript code that performs desired functionality

- Create mapping rule in appliance

6.3.6 Integrate with Social login providers

- Update Mapping rule to call social provider APIs

- Create social login provider Partners

- Update template/Login page to integrate with social login providers

6.3.7 Configure Federations to utilize Mapping rule

- Import mapping rule into appliance

- Update Federation Configuration to utilize mapping rule

6.3.8 Validate Identity Mapping

- Configure Reverse Proxy for Federation

- Perform a Federated SSO flow

- Use Browser Developer Tools/Tracing to review outgoing SAML Assertion

- Use pdweb.debug to view incoming Access Manager credential information

REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.1?topic=csim-mapping-local-identity-saml-20-token

6.4 Author custom policy information point (PIP)

SUBTASKS:

6.4.1 Analyze available PIP Types

- 'Secure Access Control -> Policy -> Information Points ->> New'

6.4.2 Download Java documentation reference

- 'Manage System Settings -> Secure Settings -> File Downloads ->> access_control -> doc -> ISVA-
javadoc-10.0.2.zip'

6.4.3 Determine custom Policy Information Point (PIP) Type

- Review PIP reference

- Gather necessary details

pg. 43
6.4.4 Create Server Connections

- Navigate to 'Secure Access Control -> Global Settings -> Server Connections'

- Review Server Connection Properties

- Gather necessary values

- Create Connections for relevant PIP types

6.4.5 Author JavaScript PIP mapping rule

- Review JavaScript allowlist to determine available classes

- Define 'hasAttribute()' function based on default JavaScript PIP

- Define 'getAttribute()' function based on attribute needs

6.4.6 Create New PIP

- Secure Access Control -> Policy -> Information Points -> New'

- Gather PIP details

- Determine PIP name (This will be the value of the 'issuer' for custom attributes that are derived from
this PIP)

- Set attribute values

- Save and Deploy Changes

REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.2?topic=administration-policy-information-points
• https://www.ibm.com/docs/en/sva/10.0.2?topic=settings-managing-file-downloads
• https://www.ibm.com/docs/en/sva/10.0.2?topic=points-managing-policy-information
• https://www.ibm.com/docs/en/sva/10.0.2?topic=points-server-connections
• https://www.ibm.com/docs/en/sva/10.0.2?topic=points-server-connection-properties
• https://www.ibm.com/docs/en/sva/10.0.2?topic=points-javascript-pip

6.5 Configure and customize a user self-care flow

SUBTASKS:

6.5.1 Analyze predefined User Self Care Policy

- Secure Access Control -> Policy -> Authentication ->> Policies'

- Filter using 'USC'

- Select a Policy and select 'Modify Authentication Policy'

pg. 44
- Review Authentication Mechanisms in Authentication Policy Workflow Steps

6.5.2 Determine necessary Authentication Mechanisms

- Review built-in Authentication Policies

- Determine whether any other mechanisms are needed for your desired workflow

6.5.3 Verify SCIM component configuration

- 'AAC -> Manage -> SCIM Configuration'

- Validate configuration

6.5.4 Create 'Web Service' server connection for SCIM configuration

- 'AAC -> Global Settings -> Server Connections ->> New ->> Web Service'

- Gather SCIM endpoint details

- Input details into server connection

6.5.5 Configure 'SCIM Config' Authentication Mechanism

- 'AAC -> Policies -> Authentication ->> Mechanisms ->> New Authentication Mechanism ->> SCIM
Config'

- Select Server Connection

- Input necessary details

6.5.6 Configure Authentication Mechanism Properties

- 'AAC -> Policy -> Authentication ->> Mechanisms'

- Select existing mechanism or create new mechanism

- Edit properties to match your needs

6.5.7 Create Custom Authentication Policy

- Customize the User self care policies if more or less steps are necessary

- Compare your needs to the built-in policies

- Add relevant mechanisms to Authentication Policy

6.5.8 Customize template files

- 'AAC -> Global Settings -> template Files ->> (Locale) -> authsvc -> usc'

- Edit HTML files to include custom themes or branding

pg. 45
REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.2?topic=management-user-self-care-operations
• https://www.ibm.com/docs/en/sva/10.0.2?topic=administration-scim-configuration
• https://www.ibm.com/docs/en/sva/10.0.2?topic=connections-server-connection-properties
• https://www.ibm.com/docs/en/sva/10.0.2?topic=aacc-authentication
• https://www.ibm.com/docs/en/sva/10.0.2?topic=policies-managing-authentication-mechanisms
• https://www.ibm.com/docs/en/sva/10.0.2?topic=policies-creating-authentication-policy
• https://www.ibm.com/docs/en/sva/10.0.2?topic=files-managing-template

6.6 Create JavaScript authentication mechanism

SUBTASKS:

6.6.1 Download Java documentation reference

- Acquire from the appliance at 'System -> Secure Settings -> File Downloads ->> access_control -> doc ->
ISVA-javadoc-10.0.2.zip'

6.6.2 Review available parameters for 'infoMap'

- Understand available input data

- Understand available output data

6.6.3 Review example mapping rule

- Download from 'System -> Secure Settings -> File Downloads ->> access_control -> examples ->
mapping_rules -> infomap_username.js'

- Review example mapping rule for syntax and coding examples

6.6.4 Author JavaScript Mapping Rule

- Review JavaScript Allowlist to determine usable classes

- Compose JavaScript code that performs desired functionality

- Create mapping rule in appliance

6.6.5 Author Template file

- Review

default template files

- Customize template file with branding and necessary HTML elements

- Create template file(s) in Appliance for use

6.6.6 Create infoMap mechanism

pg. 46
- Navigate to 'AAC -> Policy -> Authentication ->> Mechanisms -> New Authentication Mechanism ->>
infoMap'

- Determine name

- Determine identifier

- Input custom properties

6.6.7 Create Custom Authentication Policy

- Define a policy name

- Define a policy identifier

- Add one or more mechanisms to accomplish the desired workflow

6.6.8 Update CAPTCHA settings on system

- Configure outbound Proxy

- Install latest Google Cert

- Configure Captcha mechanism

REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.2?topic=settings-managing-file-downloads
• https://www.ibm.com/docs/en/sva/10.0.2?topic=mechanism-available-parameters-in-info-map
• https://www.ibm.com/docs/en/sva/10.0.2?topic=files-managing-template
• https://www.ibm.com/docs/en/sva/10.0.2?topic=authentication-configuring-info-map-mechanism
• https://www.ibm.com/docs/en/sva/10.0.2?topic=policies-creating-authentication-policy
• https://www.ibm.com/docs/en/sva/10.0.2?topic=settings-runtime-parameters

6.7 Create HTTP transformation rules

SUBTASKS:

6.7.1 Review HTTP Transformation Documentation

- Understand HTTP transformation functionality

- Understand HTTP Transformation structure

6.7.2 Determine what elements of the HTTP Message need to be modified

- Review request format

- Review response format

- Identify endpoints that require transformation

pg. 47
6.7.3 Author the HTTP Transformation

- Review sample HTTP Transformation mapping rules

- Identify usable XSLT 1.0 functions

- Write XSLT Mapping Rule

6.7.4 Update the Reverse Proxy configuration for the HTTP Transformation

- Decide between POP and Configuration file updates

- Update configuration file to map HTTP Transformation to a stanza

- Update configuration file with request match syntax

6.7.5 Validate the HTTP Transformation works as expected

- Enable pdweb.debug and pdweb.http.transformation tracing

- Access URL

- Review tracing to confirm that transformation worked as expected

REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.0?topic=transformations-configuration
• https://www.ibm.com/docs/en/sva/10.0.0?topic=junctions-http-transformations
• https://www.ibm.com/docs/en/sva/10.0.0?topic=rules-replacing-http-response

6.8 Implement OAUTH/OIDC customization

SUBTASKS:

6.8.1 Determine what customization is needed for the API Protection Definition

- Identify grant types used

- Identify attributes needed

- Identify token types needed

6.8.2 Review available examples

- Review default mapping rules

- Understand mapping rule methods

- Review available examples from support github

6.8.3 Modify preToken JavaScript mapping rule

pg. 48
- Download copy of mapping rule

- Save original copy

- Make changes necessary for customizations

- Upload modified mapping rule

6.8.4 Modify postToken JavaScript mapping rule

- Download copy of mapping rule

- Save original copy

- Make changes necessary for customizations

- Upload modified mapping rule

6.8.5 Validate changes work as expected

- Configure Reverse Proxy for OAUTH

- Perform OAUTH flow

- Validate expected information is returned

REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.2?topic=registration-modifying-consent-template-pages
• https://www.ibm.com/docs/en/sva/10.0.2?topic=support-oauth-20-template-page-consent-authorize
• https://www.ibm.com/blogs/security-identity-access/federated-single-sign-on-access-policy/
• https://www.ibm.com/docs/en/sva/10.0.2?topic=apoo-making-oauth-oidc-consent-decision-using-access-policy
• https://www.ibm.com/blogs/security-identity-access/oauth-api-gateways-and-isam/
• https://www.ibm.com/docs/en/sva/10.0.2?topic=protection-oauth-introspection
• https://www.ibm.com/blogs/security-identity-access/oauth-jwt-access-token/

6.9 Configure device registration (Fingerprint)

SUBTASKS:

6.9.1 Select appropriate Risk Profile

- Identify Attributes that define your device fingerprint

- Review Risk profiles for a match

- Create a new risk profile if necessary

- Set desired risk profile as active

6.9.2 Create Access Control Policy that includes device registration

pg. 49
- Review documented device registration policy

- Determine device registration conditions

- Implement logic for device registration

6.9.3 Modify Reverse Proxy configuration to supply correct data

- Identify attribute type

- Gather attribute identifier

- Identify HTTP element that contains desired value

- Map attribute identifier to HTTP Element

6.9.4 Configure Attribute Collection Service

- Review documentation

- Update template files or HTML pages to include info.js file

6.9.5 Update Advanced Configuration to match device registration use case

- Review available advanced configuration

- Determine environmental parameters for device registration

- Update device registration advanced configuration as necessary

6.9.6 Validate that device is registered via workflow test

- Attach Access Control Policy to endpoint

- Use Browser to validate workflow

- Search for registered devices in LMI

REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.2?topic=profiles-managing-risk
• https://www.ibm.com/docs/en/sva/10.0.2?topic=profiles-predefined-risk
• https://www.ibm.com/docs/en/sva/10.0.2?topic=scenarios-registering-device-after-user-consent
• https://www.ibm.com/docs/en/sva/10.0.2?topic=administration-device-fingerprints
• https://www.ibm.com/docs/en/sva/10.0.2?topic=reference-user-attribute-definitions-stanza
• https://www.ibm.com/docs/en/sva/10.0.2?topic=reference-azn-decision-info-stanza
• https://www.ibm.com/docs/en/sva/10.0.2?topic=service-configuring-attribute-collection
• https://www.ibm.com/docs/en/sva/10.0.2?topic=configuration-advanced-properties#aac_advcfgprop__d252e782
• https://www.ibm.com/docs/en/sva/10.0.2?topic=configuration-advanced-properties#aac_advcfgprop__d252e990
• https://www.ibm.com/docs/en/sva/10.0.2?topic=policies-managing-access-control-policy-attachments
• https://www.ibm.com/docs/en/sva/10.0.2?topic=fingerprints-managing-device

pg. 50
6.10 Modify default template files
SUBTASKS:

6.10.1 Review default template files

- Identify what template files exist

- Determine which files need updates

- Identify macros used in template files

6.10.2 Analyze changes necessary

- Determine whether template file scripting is necessary

6.10.3 Compose template file changes outside of appliance

6.10.4 Update or create new template files in the appliance

- Update existing template files with changes

6.10.5 Replace or create necessary supporting files for branding

- Upload new files to appliance

6.10.6 Validate that changes work as expected

- Use browser to validate that template file changes work as expected

- Review JVM message logs for errors related to template files

REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.2?topic=settings-template-files
• https://www.ibm.com/docs/en/sva/10.0.2?topic=files-template-file-macros
• https://www.ibm.com/docs/en/sva/10.0.2?topic=pages-template-page-wayf-page

6.11 Integrate custom login application through External Authentication Interface (EAI)
SUBTASKS:

6.11.1 Identify information needed for EAI to authenticate the user

- Determine username format

- Determine whether groups are returned

- Determine what attributes are returned

pg. 51
- Determine where data will be sourced

6.11.2 Determine header names that EAI application needs to return to authenticate user

- Review default Reverse Proxy configuration

- Review header documentation

- Deliver information to EAI developer

6.11.3 Create External Authentication Interface application to return specified headers and values

- Develop EAI application

- Deploy EAI application to application server

- Validate connectivity to EAI server

6.11.4 Update Reverse Proxy configuration to consume response headers

- Update '[eai]' stanza

- Update header configuration

- Update EAI trigger URLs

- Create junction to EAI application

- Attach unauthenticated ACL to EAI endpoint in Reverse Proxy objectspace

6.11.5 Validate external authentication works as expected

- Validate EAI junction is running as expected

- Perform authentication flow via browser

- Confirm that authenticated session cookie is issued

REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.2?topic=configuration-how-write-external-authentication-application
• https://www.ibm.com/docs/en/sva/10.0.2?topic=configuration-http-header-names-authentication-data
• https://www.ibm.com/docs/en/sva/10.0.2?topic=configuration-extracting-authentication-data-from-special-http-
headers
• https://www.ibm.com/docs/en/sva/10.0.2?topic=features-post-authentication-redirection-external-authentication-
interface
• https://www.ibm.com/docs/en/sva/10.0.2?topic=features-request-caching-external-authentication-interface

6.12 Implement advanced authenticated user mapping

SUBTASKS:

pg. 52
6.12.1 Determine Use Case

- Understand Authenticated User Mapping

6.12.2 Review documentation of Advanced User mapping

- Review language used

- Review data format

- Review XML Model

6.12.3 Author Advanced User Mapping XSLT rule

- Analyze support provided examples

- Analyze sample from documentation

- Review valid attributes

- Use external program to code XSLT rule

6.12.4 Configure Reverse Proxy to implement advanced user mapping

- Update configuration file

6.12.5 Validate advanced user mapping works

- Enable pdweb.cas.usermap tracing

- Attempt authentication flow

- Troubleshoot issues

REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.2?topic=methods-authenticated-user-mapping
• https://www.ibm.com/docs/en/sva/10.0.2?topic=mapping-authenticated-user-rule-language
• https://www.ibm.com/docs/en/sva/10.0.2?topic=mapping-umi-xml-document-model
• https://www.ibm.com/docs/en/sva/10.0.2?topic=mapping-containers-xml-umi-container-names
• https://www.ibm.com/docs/en/sva/10.0.2?topic=mapping-xml-user-model
• https://www.ibm.com/docs/en/sva/10.0.2?topic=evaluator-sample-user-mapping-rule
• https://www.ibm.com/docs/en/sva/10.0.2?topic=umre-format-constraints-rules
• https://www.ibm.com/docs/en/sva/10.0.2?topic=mapping-valid-user-attributes
• https://www.ibm.com/docs/en/sva/10.0.2?topic=mapping-enabling-authenticated-user
• https://www.ibm.com/docs/en/sva/10.0.2?topic=evaluator-troubleshooting-user-mapping-rule-problems

6.13 Implement access policy

SUBTASKS:

pg. 53
6.13.1 Determine use case for access policy

- Identify use case for access policy (Federation vs OIDC)

- Gather information necessary for access policy

6.13.2 Download Java documentation reference

- 'Manage System Settings -> Secure Settings -> File Downloads ->> access_control -> doc -> ISVA-
javadoc-10.0.2.zip'

6.13.3 Review example access policy scenarios

- Review documented examples

- Review examples from support github

6.13.4 Author access Policy

- Write code for access policy

6.13.5 Configure Federation/API Protection to use access policy

- Update Federation Configuration

- Update Federation Partner configuration

- Update API Protection Definitions

6.13.6 Validate access policy functionality

- Perform federated flow in browser

REFERENCES:
• https://www.ibm.com/blogs/security-identity-access/federated-single-sign-on-access-policy/
• https://www.ibm.com/docs/en/sva/10.0.2?topic=settings-access-policies#access_policies

6.14 Implement authorization (AUTHZ) rules for reverse proxy

SUBTASKS:

6.14.1 Determine use case for Authorization Rules

- Understand when authorization rules are to be used

6.14.2 Review documentation for Authorization Rules

- Review authorization rule language

- Review authorization rule document model

pg. 54
- Understand format and constraints

6.14.3 Review examples

- Analyze documented examples

- Analyze support provided examples

6.14.4 Author Authorization XSLT rule

- Gather XSLT reference

6.14.5 Configure Reverse Proxy objectspace to utilize Authorization Rule

- Create Authorization Rule

- Attach to objectspace

- Update Reverse Proxy ADI configuration

6.14.6 Validate Authorization rule use cases and negative use cases

REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.2?topic=management-authorization-rules-overview
• https://www.ibm.com/docs/en/sva/10.0.2?topic=management-authorization-rule-language
• https://www.ibm.com/docs/en/sva/10.0.2?topic=language-adi-xml-document-model
• https://www.ibm.com/docs/en/sva/10.0.2?topic=are-format-constraints-rules
• https://www.ibm.com/docs/en/sva/10.0.2?topic=evaluator-examples-authorization-rules
• https://github.com/IBM-Security/isam-support/tree/master/config-example/webseal/authz_rule
• http://zvon.org/xxl/XSLTreference/Output/xpathFunctionIndex.html
• https://www.ibm.com/docs/en/sva/10.0.2?topic=rules-create-authorization-rule
• https://www.ibm.com/docs/en/sva/10.0.2?topic=rules-attach-authorization-rule-protected-object
• https://www.ibm.com/docs/en/sva/10.0.2?topic=management-configuration-file-initialization-attributes

6.15 Configure single sign-on using Federation STS

SUBTASKS:

6.15.1 Determine use case STS Junction

- Determine Token Type necessary

- Define Request Type

6.15.2 Configure Trust Service

- Create Chain Template

- Create Chain Module from Template

pg. 55
- Define Chain Lookup Properties

6.15.3 Configure Reverse Proxy

- Update junction to use TFIM Junction flag

- Update configuration file to create TFIM SSO Stanza for junction [tfimsso]

- Update Configuration File to create [tfim-cluster]' stanza

REFERENCES:
• https://www.ibm.com/blogs/sweeden/isam-9-0-2-the-jwt-sts-module-and-junction-sso-to-websphere-liberty/
• https://www.ibm.com/docs/en/sva/10.0.2?topic=tis-one-time-token
• https://www.ibm.com/docs/en/sva/10.0.2?topic=solutions-single-sign-security-token-service

6.16 Configure mobile multi-factor authentication

SUBTASKS:

6.16.1 Configure Mobile Multifactor Authentication

- Utilize wizard to configure MMFA

6.16.2 Validate MMFA configuration

- Perform MMFA Authenticator Registration

REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.2?topic=configuration-general-settings
• https://www.ibm.com/docs/en/sva/10.0.2?topic=authentication-authenticator-registration

pg. 56
Section 7: Testing, troubleshooting, and maintenance
This section contains objectives that deal with the testing, troubleshooting and maintenance of the IBM
Security Verify Access 10.0 solution including activities, such as applying interim fixes, appliance
firmware updates, resolving common problems, configuring logging and tracing and other related
activities.

This section accounts for approximately 10% of the exam.

7.1 Apply interim fixes

SUBTASKS:

7.1.1 Check Fix Central for the latest software.

- Identify any available interim fixes

- Download the .fixpack file

7.1.2 Install an interim fix

- Install the fixpack using the Local Management Interface

- (Container only) place the fixpack on the shared volume

REFERENCES:
• https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Tivoli/IBM+Securit
y+Verify+Access&release=All&platform=Linux&function=all
• https://www.ibm.com/docs/en/sva/10.0.0?topic=licensing-installing-fix-pack

7.2 Apply appliance firmware updates

SUBTASKS:

7.2.1 Download the firmware update

- Review the release notes/What's New for any required actions or notable changes

- Download the firmware image from Fix Central

7.2.2 Backup the current active firmware

- Create a VM level snapshot (ONLY when the VM is stopped)

- Create a configuration snapshot

7.2.3 Install the new firmware image

- Upload the firmware pkg manually using the Local Management Interface
pg. 57
- OR Download the firmware update using the Available Updates page in the Local Management
Interface

- Start the firmware upgrade using the Local Management Interface

7.2.4 Perform any post-upgrade activities

- Apply any required database upgrades

- Validate the environment/testing

REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.0?topic=overview-whats-new-in-this-release
• https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Tivoli/IBM+Securit
y+Verify+Access&release=All&platform=Linux&function=all
• https://www.ibm.com/docs/en/sva/10.0.0?topic=licensing-managing-firmware-settings

7.3 Resolve common problems

SUBTASKS:

7.3.1 Resolve issues that occur with expired/missing certificates

- Diagnosing issue (viewing log files)

- Importing/updating the expired certificates

7.3.2 Unexpected Junction BA

- Review junction identity settings

7.3.3 Reverse Proxy doesn't start

- Review msg__webseald-instance.log

- Back out latest configuration

7.3.4 Error encountered during Federation flow

- Review Runtime JVM 'message.log'

- Find Error displayed to user

- Note thread

- Follow stack traces that match thread to original stack trace

7.3.5 Appliance is low on disk space

- Purge old log files

pg. 58
REFERENCES:
• None

7.4 Prepare backup storage system

SUBTASKS:

7.4.1 Manage appliance snapshots

- Create appliance snapshots

- Download appliance snapshots

- Upload appliance snapshots

- Apply appliance snapshots

7.4.2 Export Reverse Proxy instance configuration

- Download an exported Reverse Proxy instance configuration bundle

- Apply an exported Reverse Proxy instance configuration to a new Reverse Proxy instance

7.4.3 Automate snapshot generation and export

- Prepare backup system

- Validate adequate storage is available

REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.0?topic=settings-managing-snapshots
• https://www.ibm.com/docs/en/sva/10.0.0?topic=management-exporting-webseal-configuration
• https://www.ibm.com/docs/en/sva/10.0.0?topic=migration-migrating-existing-webseal-instance-appliance

7.5 Perform tuning

SUBTASKS:

7.5.1 Apply recommend tuning parameters from the tuning spreadsheet

- Database indexes

7.5.2 Identify your baseline performance metrics

- Gather pdweb.debug data

pg. 59
- Analyze pdweb.debug data with pdweb.debug-timing.pl script

7.5.3 Identify key configuration entries that control performance metrics

- Review Reverse Proxy worker threads configuration entries

- Review TLS Session Cache configuration entries

- Review User Session Cache configuration entries

- Review compression configuration entries

- Review cache configuration entries

7.5.4 Load Test(??)

- Setup apache jmeter or other load test tool

- Enable pdweb.debug traces

- Perform load test

- Analyze load test data

7.5.5 Validate database and user registry performance

- user registry (sds) perform 'runstats' command to identify current underlying database performance

- user registry (sds) perform 'reorg' to reorganize the underlying database

7.5.6 Update key configuration items

- Review Reverse Proxy worker threads configuration entries

- Review TLS Session Cache configuration entries

- Review User Session Cache configuration entries

- Review compression configuration entries

- Review cache configuration entries

7.5.7 Repeat as necessary

7.5.8 Reverse Proxy Tuning

- Timeouts

- Worker threads

- Rate limiting

REFERENCES:
pg. 60
 • https://www.ibm.com/support/pages/system/files/inline-files/$FILE/ISAM_PerfTuning_guide_90_v1_0.pdf
• https://www.ibm.com/docs/en/sva/10.0.2?topic=stanza-max-cached-persistent-connections
• https://www.ibm.com/support/pages/system/files/inline-files/$FILE/ISAM_PerfTuning_guide_90_v1_0.pdf
• https://www.ibm.com/support/pages/ibm-security-access-manager-appliance-available-tcp-tunings

7.6 Configure logging and tracing

SUBTASKS:

7.6.1 Use tracing to diagnose issue with the reverse proxy or proxied applications

- Enable trace components in the Reverse Proxy

- View or export Reverse Proxy trace logs using the Local Management Interface or command line
interface

7.6.2 Configure tracing for the AAC/Federation runtime

- Enable tracing for specific components using the Local Management Interface

- View or export the trace logs using the Local Management Interface or command line interface

7.6.3 View log files for the:

- Policy Server

- Reverse Proxy Instances

- Federation/AAC Runtime

- Local Management Interface

- System

7.6.4 Use packet tracing to diagnose issues

- Enable and disable packet tracing

- View or export the packet tracing capture using the Local Management Interface

REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.0?topic=administration-trace-data
• https://www.ibm.com/docs/en/sva/10.0.0?topic=administration-logging
• https://www.ibm.com/docs/en/sva/10.0.0?topic=settings-runtime-parameters
• https://www.ibm.com/docs/en/sva/10.0.0?topic=monitoring-viewing-application-log-files
• https://www.ibm.com/docs/en/sva/10.0.0?topic=settings-managing-packet-tracing

pg. 61
7.7 Engage with IBM Support
SUBTASKS:

7.7.1 Generate support files to provide to IBM support

- Create support files using the Local Management Interface

- Download support files using the Local Management Interface

- Create support files using the command line interface

- Create support files using the command line (Containers only)

- Retrieve support files from the shared volume (Containers only)

REFERENCES:
• https://www.ibm.com/docs/en/sva/10.0.0?topic=settings-managing-support-files

pg. 62