PeerSpot user
Middleware Specialist at a tech vendor with 10,001+ employees
Vendor
Component integration, SSO capabilities and transparency are the most valuable features I have found.

What is most valuable?

From my experience, most of the product features are meant for specific purpose(s) of its own demand and need. Implementing the feature depends on case to case, considering the organization's enterprise/middleware infrastructure design.

TAM component integration and their SSO capabilities and transparency are the most valuable features I have found.

How has it helped my organization?

It applies access controls on an organization's web space while running on its components independently, while being highly available. We can isolate our organization infrastructure from security considerations, as we have our entire organization security policy centralized, organised & administered from its API.

What needs improvement?

Older TAM versions are not compatible for connecting to a DB. I'm not sure if it is available in iSAM 8/9.

However, since iSAM 9 was released as an appliance model, I don't think having a DB as a TAM database directly makes any difference for the users.

For how long have I used the solution?

I have used it for five years.

Buyer's Guide
IBM Tivoli Access Manager [EOL]
January 2025
Learn what your peers think about IBM Tivoli Access Manager [EOL]. Get advice and tips from experienced pros sharing their opinions. Updated: January 2025.
831,265 professionals have used our research since 2012.

What was my experience with deployment of the solution?

We have not encountered any deployment issues. There were a few challenges while implementing ETAI, and ETAI++ integration with the existing infrastructure.

Kerberos setup/run time & virtual hosting concepts have some limitations.

What do I think about the stability of the solution?

We have not encountered many stability issues.

What do I think about the scalability of the solution?

We have not encountered many scalability issues.

How are customer service and support?

Customer Service:

Customer service is 8/10.

Technical Support:

Technical support is 8/10.

Which solution did I use previously and why did I switch?

I have used CA SiteMinder, as well.

I don't see any technical reason for switching a strategic product from IBM TAM. However, considering the iSAM way of making an appliance model, which creates dependency on the cloud for infrastructure, we may think of other options.

How was the initial setup?

Initial setup is straightforward, but we might have to consider the solution architecture to make full use of its components' capacity.

What about the implementation team?

Implementations were in-house projects.

Which other solutions did I evaluate?

Before choosing this product, we evaluated CA SiteMinder and Oracle Access Manager.

What other advice do I have?

It is a very good security product to integrate with any middleware infrastructure.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user590454 - PeerSpot reviewer
IAM Security Architect & Consultant at a tech services company with 51-200 employees
Consultant
Acts as a reverse proxy, a single point for authentication and authorization. Advanced access control introduces adaptive or risk-based authentication.

What is most valuable?

A number of new features, such as application firewall and load balancer, were added to this solution. These features are no longer available as a software version, but only as an appliance (virtual or hard).

The same appliance firmware allows you to enable more features, such as advanced access control and federation, for all of the components.

How has it helped my organization?

It acts as a reverse proxy, a single point for authentication and authorization. Advanced access control introduces adaptive or risk-based authentication. Federation makes it possible to federate using SAML and OAuth.

What needs improvement?

I would like to see the possibility to administer the appliances from one “master” appliance, instead of having to log in to each particular appliance.

If you have, for example, 4 appliances, two acting as reverse proxies and two as master appliances (with policy server configured in HA) … If you want to administer these appliances, you must log in to each particular appliance. It would be nice if you could administer all of them through that one ‘master’ appliance… avoiding having to set up a direct connection, as is currently the case.

For how long have I used the solution?

I have been using this solution for approximately 11 years.

What do I think about the stability of the solution?

There were some stability issues at the very beginning when we were moving from the software version to the appliance. IBM allowed customers and partners to interact directly with developers and others responsible for the product, so we could address issues, provide feedback, and get support.

What do I think about the scalability of the solution?

The solution is very scalable, especially with the move to appliances. Adding reverse proxy appliances to existing appliance clusters is very straightforward.

How are customer service and technical support?

I would give technical support a rating of 8 out of 10.

Which solution did I use previously and why did I switch?

I have used several solutions in the past.

We chose this solution for the following reasons:

  • It is very easy to set up.
  • The policy server is not actively used during authentication and is solely used for administration.
  • No plugin is required on any HTTP server.
  • It comes with a standalone (no-plugin) reverse proxy. That is in contrast to some other web access management solutions.
  • The IBM reverse proxy does not have a large support matrix upon which the HTTP-servers depend.

What about the implementation team?

The implementation was straightforward and well documented as follows:

  1. Deploying the appliances in the network infrastructure.
  2. Configuring the network interfaces and routing tables.
  3. Starting the configuration of WebSEAL and other required components (AAC or federation). Some background knowledge is required to set up WebSEAL.

What's my experience with pricing, setup cost, and licensing?

The license model is pretty complex. Some other IBM products are included and are not dependent on the form factor of the appliance. (Dependent products are IBM Directory Server and Directory Integrator.)

A combination of hard and soft appliances may be beneficial instead of solely using hard appliances. (It might be overkill to host a simple policy server.)

Which other solutions did I evaluate?

We evaluated alternative solutions, such as: CA SiteMinder, ForgeRock AM, and Microsoft ISA Server.

What other advice do I have?

It is a very stable and good product. The AAC-module becomes a necessity because authorization is moving from a static model (a static access control list based on static group membership) to a more dynamic model, based on user behavior and attributes.

Disclosure: My company has a business relationship with this vendor other than being a customer: We are an IBM Business Partner.
it_user381273 - PeerSpot reviewer
Principal Consultant at a tech services company with 1,001-5,000 employees
Real User
The auth and policy product has a reasonable LDAP implementation.

What is most valuable?

Tivoli Access Manager's proxy product (WebSEAL) is extremely fast. The configuration options are mysterious and old-school, but they are a rich and small enough set that you can comprehend them and get it working right. The auth and policy product has a reasonable LDAP implementation.

How has it helped my organization?

Step-up authentication in WebSEAL is a hook. You write a function to a particular spec, register it, and it gets called. The hook is in C, which makes sense because WebSEAL is fast and could not be written in an interpreted or high-level language.

Note that this is a way to improve WebSEAL modules, not a way to defer authentication to another server. For more, compare the second and last entries on this page.

What needs improvement?

There is only a single step-up authentication path, but I have sometimes seen the need for several steps or a divergent path. It’s getting hard to find people willing to admit that they still write in the C programming language.

For how long have I used the solution?

We have used this solution since 2003.

What do I think about the stability of the solution?

No stability issues. This solution fulfills the common expectations about IBM software. It is fussy to configure, but runs like iron once you’ve got it right.

What do I think about the scalability of the solution?

No scalability issues. I get problems with the LDAP or the underlying machine first.

How are customer service and technical support?

They provide very good technical support. Perimeter security is a hot-button topic and you can get some serious help if it’s not right.

Which solution did I use previously and why did I switch?

While there are many products in this field, most companies use either this solution or CA SSO. I encountered others on rare occasions, such as Oracle, Entrust, Ping Identity, and NetIQ.

What about the implementation team?

I am not an admin for this solution, but it holds no special terrors.

What's my experience with pricing, setup cost, and licensing?

The issue is not how IBM licenses the product. You should think about how much of your traditional web traffic is going to migrate to your mobile/service gateways. If you are writing a lot of mobile apps and new JavaScript Frameworks UIs, then your traffic mix is going to change.

Which other solutions did I evaluate?

I am a consultant and typically work with the IBM stack.

What other advice do I have?

This solution’s pricing is by usage, not by instance. That means you can set up as many instances as you like. Never craft a really complicated configuration. In other words, put functionality A over here, functionality B over there, and let your F5 (e.g.) direct the flow of traffic.

Disclosure: My company has a business relationship with this vendor other than being a customer: We are IBM Premier Partners. I am often tasked to advocate for IBM products and I have learned the best way to use them. I have long experience in many parts of the IBM stack.
PeerSpot user
Technical Lead at a tech services company with 10,001+ employees
Real User
Uses automated provisioning to create users. I would like to see AngularJS support.

How has it helped my organization?

The automation of provisioning has reduced the time it takes for creating a user or an employee in our organization.

What is most valuable?

Flexibility to connect with different environments and product stability are the best features.

  • Connection: There are a number of players in the market and most of them have challenges with being able to connect seamlessly without customization to various data providers, such as queues or databases. Since IBM's Identity and Access management has been in the market for a long time, the connectivity has improved over time.
  • Stability: An application that is not stable enough will never succeed in the market. I have seen less down time.

What needs improvement?

Microsoft has active file handling where you can access different types of documents from the browser itself. This is not supported anywhere other than with Microsoft products. This is desirable, but not a show-stopper.

AngularJS is not yet supported. This could be a cause of worry, since we are seeing the emergence of many AngularJS scripts in webpages. I am sure IBM is working towards enabling it.

What do I think about the stability of the solution?

There is a Java process that hangs in WebSphere almost every month.

What do I think about the scalability of the solution?

We have had no problems with scalability.

How are customer service and technical support?

I would give technical support a rating of 4/5.

Which solution did I use previously and why did I switch?

I have always worked with IBM products. This solution was from Tivoli before IBM acquired it.

How was the initial setup?

Compared to the Oracle setup, the initial setup was straightforward.

What's my experience with pricing, setup cost, and licensing?

Pricing is competitive and is lower than other players in the market.

Which other solutions did I evaluate?

We evaluated Oracle, SailPoint, and ForgeRock.

What other advice do I have?

Go for it. It will be good for your business.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user595737 - PeerSpot reviewer
Service Now Consultant at a tech services company with 51-200 employees
Consultant
Multiple instances per component can be installed with load balancers.

What is most valuable?

Some valuable features in this product are: WebSEAL policy, proxy servers, LDAP server (IBM TDS).

The modularity with which each component may run on a different host is valuable. In addition, multiple instances per component might be installed with load balancers. It provides good scalability and reliability, not to mention the overall availability of the service.

How has it helped my organization?

The entire security of the intranet and internet web applications has been covered by the TAM environment.

What needs improvement?

From time to time, after a long period without a restart, the TDS/LDAP instances crashed and remained in a hanging state. A restart did solve the issue, but support was not able to find the cause, despite the fact that the latest fix pack was installed for TDS v6.3.

A similar issue came up when LDAP requests caused performance issues on TDS or caused the TDS to crash.

As information on fixes and issues related to ITDS is publicly available, let me point you to the respective site:

You may notice there are several issues listed that lead to a crash.

Not sure which one is/was ours, but please note that TAM/SAM requires multiple software bundles to be installed (like GSKit, Java SDK, WAS, DB2) – each of them having issues.

For how long have I used the solution?

I have used this solution for five years.

What do I think about the stability of the solution?

We experienced crashing of LDAP with some specific queries and it affected performance of the TDS proxy.

What do I think about the scalability of the solution?

It is scalable via load balancers but there are some issues with sync while using several LDAP trees.

How are customer service and technical support?

I would give the technical support an 8/10 rating. Sometimes, there are long-running support tickets (for 6-8 months) and that is unacceptable from the customer's point of view.

Which solution did I use previously and why did I switch?

We were not using any other solution before. We were partially using Apache reverse proxy along with LDAP.

What about the implementation team?

The setup is complex. Without training and prior knowledge, it is hard to get a working environment.

What other advice do I have?

As far as I know, the later versions of TAM (renamed to SAM) are working as appliances and with that, no experience is needed. My advice is to be careful and think twice.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Security Team Leader at SYSM GmbH
Vendor
It is now available as a physical or virtual appliance. This simplifies the management a lot, and the deployment as well.

What is most valuable?

Since a couple of versions back, the product moved to a different “mentality” I would say. Compared to when it was deployed as a software package, things are now much smoother in that direction. The product is coming as an appliance (either hardware or virtual). This method simplifies the management a lot, and the deployment as well. It provides SSO across applications, together with risk-based access and strong multi-factor authentication. Very flexible and scalable.

What needs improvement?

There are a few things where there is room for improvement:

Log management via UI is one of them. Automation can be achieved via REST APIs, for example, but in a small environment, when a customer is using the UI, for example, you cannot do a multiple selection of logs (to be deleted, let’s say). Or a filtering of those.

A better/easier-to-use (user-friendly) interface. A more intuitive interface and menu navigation would be useful.

Rollback of FixPacks to be available via UI as well. At the moment, if you want to roll back an FP, you can do it only via LMI (appliance console).

Those would be my main requests to be improved.

For how long have I used the solution?

I’ve been using the product since 2009.

What do I think about the stability of the solution?

I think in the earlier versions I was working with, there were (a few times) some small stability issues, but those were related more to the very custom environments on the customer side.

What do I think about the scalability of the solution?

No scalability issues on this side.

How are customer service and technical support?

Technical support is doing its job mostly. What I don’t particularly like is the flow duration. But it really depends on the magnitude of the problem you have. I would rate it as good to very good in most cases.

Which solution did I use previously and why did I switch?

I did not previously use a different solution.

Which other solutions did I evaluate?

I haven’t used any other vendor’s products.

What other advice do I have?

It is a simple-to-deploy solution, with many features that are supported out-of-the-box without complicated setup. But, depending on your requirements, it can become complex but not hard to manage.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Systems Admin Analyst 3 at CPS Energy
Real User
We can track the roles associated to each user. Needs better documentation on usage and admin tasks

Valuable Features:

I like the primary function of this product allowing the administration of user/network accounts with a fair amount of ease.

Improvements to My Organization:

Tracks and assists us with Roles associated to each user.

Room for Improvement:

Need better documentation on usage and admin tasks.

Use of Solution:

It has been used for at least five years but I have only been working with it since August 2014.

Stability Issues:

We have had stability issues lately with the hardware and SAN that the product runs on.

Implementation Team:

We implemented this through a vendor.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user178272 - PeerSpot reviewer
Senior Security Consultant with 51-200 employees
Vendor
Simplified deployment of web applications. Very stable product.

What is most valuable?

Protection of web applications

How has it helped my organization?

Simplified deployment of web applications. The ISAM product centralises authentication and authorization, giving a shorter time-to-market in the development of new web sites/applications.

What needs improvement?

Since ISAM 7, and especially version 8, IBM has moved from software install to appliance-based (virtual or hardware); this really improves the speed of new patches and releases. IBM promised to release a new appliance firmware every quarter; so far they have kept their promise.

For how long have I used the solution?

10+ years.

What was my experience with deployment of the solution?

You do need to train to add to your skill set, and need to fully understand the possibilities and features, which takes a while. Since I've been using it for over 10 years, it is no longer difficult for me to deploy. Of course, with new versions some things change, so reading the documentation is quite useful sometimes.

What do I think about the stability of the solution?

Since its birth it is an unbelievably stable product. I know of a deployment that did not receive any maintenance for several years and it was still working.

What do I think about the scalability of the solution?

Nope, it is designed to be very flexible. It can handle any size website.

How are customer service and technical support?

Customer Service:

We as a Premium Business Partner have some advantages in being able to contact the developers more easily. Our customers can raise tickets, and depending on their contract, they are suitably assisted by IBM.

Technical Support:

It has been good for a long time.

Which solution did I use previously and why did I switch?

Nope, somehow I ended up at an IBM Business Partner, always using ISAM. But we are also using IBM Security Identity Manager, IBM Security Directory Server, IBM Security Directory Integrator, IBM Federated Identity Manager. Basically all IBM Security Identity and Access Management offerings except IBM Tivoli Access Manager for ESSO (confusing naming, but a really different product that does not really combine with all the others, in my humble opinion).

How was the initial setup?

With the firmware appliance it is easy as pie.

What about the implementation team?

I'm part of an IBM Premium Business Partner; we are specialised in IBM IAM deployments. On many occasions IBM Netherlands requests our services to get the job done.

What was our ROI?

An ROI is, for most customers, not easy to make, this being a security solution. It gives more hassle than not using it, insurance-wise you could say. Once a customer has chosen it they stick with it; I did not see many customers abandoning it due to ISAM not performing or not being satisfied.

What other advice do I have?

Ensure you get your team trained and get external expertise for your architectural design and first deployments. While learning on the job, your team can take over after a while.

Disclosure: My company has a business relationship with this vendor other than being a customer: IBM Premier Business Partner. I'm personally involved in contributing to the official IBM Security exams, and an official instructor for these products for over ten years.