Fine-Tune the Agent Configuration Setup

By default, the SiteMinder Agent installation creates an Agent configuration file for each Agent module:

| Module | Agent Configuration File |
|---|---|
| SiteMinder TAI | AsaAgent-assertion.conf |
| SiteMinder Login Module | AsaAgent-auth.conf |
| SiteMinder JACC Provider | AsaAgent-az.conf |

The Agent configuration files are located in the ASA_HOME\conf directory, where ASA_HOME is the location where you installed the SiteMinder Agent. For example:

Each Agent configuration file is created with the following default configuration parameters/values:

| Parameter | Default Value |
|---|---|
| EnableWebAgent | Yes (the SiteMinder Agent is enabled by default) |
| HostConfigFile | Local Host Configuration File (typically ASA_HOME\conf\SmHost.conf or the location of the existing SmHost.conf file you specified during Trusted Host registration) |
| AgentConfigObject | The Agent Configuration Object specified during installation |

After installation, each Agent module has its own configuration file and all three configuration files reference the same Agent Configuration Object and Agent identity. However, you can change this arrangement to suit your needs by doing one of the following:

Note: For TAI-only configurations, create and configure a single Agent Configuration Object and configure the AsaAgent-assertion.conf file that references it.

The following table describes the features, benefits, and drawbacks of each possible Agent configuration arrangement:

Configuration: Each Agent module has a separate Agent configuration file. All configuration files reference the same Agent Configuration Object. (Default)

Features:

  • Module-specific Agent configuration parameters are defined locally in the Agent configuration files.
  • Common Agent configuration parameters are defined centrally in the Agent Configuration Object on the Policy Server.

Benefits:

  • Allows fine-grained configuration of cache settings. For example, you can configure an authorization cache size of 0 for the SiteMinder TAI and Login Modules (which do not perform authorization), but increase the cache size for the SiteMinder JACC Provider (which does).
  • Allows module-specific information to be written to separate log files. That is, you can configure separate log files for TAI messages, Login Module messages, and JACC Provider messages, increasing readability.
  • Allows modules to be individually enabled/disabled.

Drawback:

  • Module-specific settings in local configuration files must be edited locally on each WebSphere host whenever a change is required.

Configuration: Each Agent module has a separate Agent configuration file. Each Agent configuration file references a separate Agent Configuration Object.

Features:

  • Agent configuration parameters for each module are defined centrally in separate Agent Configuration Objects on the Policy Server.
  • Module-specific configuration is encapsulated in that module's object.

Benefits:

  • Allows fine-grained configuration of cache settings. For example, you can configure an authorization cache size of 0 for the SiteMinder TAI and Login Modules (which do not perform authorization), but increase the cache size for the SiteMinder JACC Provider (which does).
  • Allows module-specific information to be written to separate log files. That is, you can configure separate log files for TAI messages, Login Module messages, and JACC Provider messages.
  • Agent configuration settings can be applied on multiple hosts and managed centrally from the Policy Server.

Drawback:

  • Separate configuration objects must be maintained for each module even though most parameter values are common.

Configuration: All Agent modules share the same Agent configuration file and reference the same Agent Configuration Object. (Not recommended)

Features:

  • Agent configuration parameters for all modules are defined centrally in the Agent Configuration Object on the Policy Server and apply to all modules.

Benefit:

  • Simplest to maintain.

Drawbacks:

  • Cannot enable/disable individual modules.
  • Hardest to troubleshoot; information from all modules is written to the same log file, decreasing readability.
  • Does not allow fine-grained, module-specific configuration.

Note: When using separate Agent Configuration Objects/Agent identities for each module, verify that the SiteMinder TAI and JACC Provider modules all authenticate/authorize against the same realms in the Policy Server. You can accomplish this by configuring them in an Agent group.
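
The check below is an added example, not part of the SiteMinder documentation or product. It reads the three Agent configuration files named on this page and reports which modules are not enabled, which of the default parameters are unset, and whether the files reference one Agent Configuration Object or several. The Name="value" line syntax, the sample paths, and the object names are assumptions.

```python
import re

# Assumption: each line is Name="value"; '#' starts a comment.
PAIR = re.compile(r'^\s*([A-Za-z]\w*)\s*=\s*"?([^"#]*?)"?\s*(?:#.*)?$')
MODULES = {  # file names and modules as listed on this page
    "AsaAgent-assertion.conf": "SiteMinder TAI",
    "AsaAgent-auth.conf": "SiteMinder Login Module",
    "AsaAgent-az.conf": "SiteMinder JACC Provider",
}

def parse_conf(text):
    """Return {parameter: value} for one Agent configuration file."""
    return {m.group(1): m.group(2).strip()
            for m in map(PAIR.match, text.splitlines()) if m}

def audit(confs):
    """confs maps file name -> file text; returns (arrangement, findings)."""
    findings, objects = [], {}
    for name, module in MODULES.items():
        if name not in confs:
            findings.append(f"{module}: {name} not found")
            continue
        params = parse_conf(confs[name])
        if params.get("EnableWebAgent", "").upper() != "YES":
            findings.append(f"{module}: not enabled in {name}")
        for key in ("HostConfigFile", "AgentConfigObject"):
            if not params.get(key):
                findings.append(f"{module}: {key} not set in {name}")
        if params.get("AgentConfigObject"):
            objects[module] = params["AgentConfigObject"]
    distinct = set(objects.values())
    if not distinct:
        arrangement = "unknown"
    elif len(distinct) == 1:
        arrangement = "shared object"
    else:
        # Realms live on the Policy Server, so this can only be flagged here.
        arrangement = "separate objects"
        findings.append("separate Agent Configuration Objects: confirm on the "
                        "Policy Server that TAI and JACC Provider use the same realms")
    return arrangement, findings

# Constructed sample: paths and object names are placeholders.
HOST = 'HostConfigFile="C:\\asa\\conf\\SmHost.conf"\n'
SAMPLE = {
    "AsaAgent-assertion.conf": 'EnableWebAgent="YES"\n' + HOST + 'AgentConfigObject="aco_tai"\n',
    "AsaAgent-auth.conf": '# login module\nEnableWebAgent="NO"\n' + HOST + 'AgentConfigObject="aco_auth"\n',
    "AsaAgent-az.conf": 'EnableWebAgent="YES"\n' + HOST,
}
```

In practice, build the `confs` mapping by reading the files from the ASA_HOME\conf directory on each WebSphere host.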

More information:

Preconfigure Policy Objects for the SiteMinder Agent