

How Resources are Protected

Advanced authentication requires you to use a SiteMinder Policy Server in your implementation. The application server hosting the CA IdentityMinder Server is on a different operating environment from the Web Server. To provide forwarding services, the Web Server requires:

The Web Agent controls the access of users who request CA IdentityMinder resources. Once the users are authenticated and authorized, the Web Agent allows the Web Server to process the requests.

When the Web Server receives the request, the application server plug-in forwards it to the application server hosting the CA IdentityMinder Server.

The Web Agent protects CA IdentityMinder resources that are exposed to users and administrators.

Overview of SiteMinder and CA IdentityMinder Integration

When the policy administrator and the identity administrator work together to integrate SiteMinder into an existing CA IdentityMinder installation, the CA IdentityMinder architecture expands to include the following components:

SiteMinder Web Agent

Protects the CA IdentityMinder Server. The Web Agent is installed on the system with the CA IdentityMinder Server.

SiteMinder Policy Server

Provides advanced authentication and authorization for CA IdentityMinder.

The following figure is an example of a CA IdentityMinder installation with a SiteMinder Policy Server and Web Agent:

[Figure: CA IdentityMinder installation with a SiteMinder Policy Server and Web Agent]

Note: The components are installed on different platforms as examples. However, you can choose other platforms. The CA IdentityMinder databases are on Microsoft SQL Server and the user store is on the IBM Directory Server. The SiteMinder Policy Store is on AD LDS on Windows.

Completing this process requires two roles: the CA IdentityMinder identity administrator and the SiteMinder policy administrator. In some organizations, one person fills both roles. When two people are involved, close collaboration is required to complete the procedures in this scenario. The policy administrator begins and ends this process; the identity administrator does all the steps in the middle.

Important! For CA IdentityMinder installations starting with Release 12.5 SP7, the Java Cryptography Extension Unlimited Strength Jurisdiction Policy Files (JCE libraries) are required. Download these libraries from the Oracle Web site. Load them into the following folder: <Java_path>\<jdk_version>\jre\lib\security\.
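One way to confirm that the JCE policy files took effect in the JRE the application server uses, as an added example that is not part of CA's documentation or tooling. The class name JcePolicyCheck is hypothetical, and the jar names are the ones in Oracle's policy file download for the Java releases that need it.

```java
import java.io.File;
import java.security.InvalidKeyException;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical helper (not part of CA IdentityMinder): reports whether the JRE
// that runs it has the unlimited-strength JCE policy in effect.
public class JcePolicyCheck {

    // True when the policy allows AES keys longer than the 128-bit limited default.
    static boolean unlimitedByPolicy() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES") > 128;
    }

    // Confirms the policy in practice: under the limited policy, init() with a
    // 256-bit key throws InvalidKeyException ("Illegal key size").
    static boolean aes256Usable() throws Exception {
        byte[] key = new byte[32]; // constructed all-zero test key, never for real data
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        try {
            c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES")); // random IV is generated
            return c.doFinal(new byte[16]).length == 32; // one data block plus one padding block
        } catch (InvalidKeyException e) {
            return false;
        }
    }

    // Informational only: lists the policy jars in <java.home>/lib/security.
    static void reportPolicyJars() {
        File dir = new File(System.getProperty("java.home"), "lib" + File.separator + "security");
        for (String name : new String[] {"local_policy.jar", "US_export_policy.jar"}) {
            File f = new File(dir, name);
            System.out.println("  " + f + (f.isFile() ? "  (present)" : "  (missing)"));
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.home    = " + System.getProperty("java.home"));
        System.out.println("java.version = " + System.getProperty("java.version"));
        reportPolicyJars();
        System.out.println("Max AES key length allowed: " + Cipher.getMaxAllowedKeyLength("AES"));
        boolean ok = unlimitedByPolicy() && aes256Usable();
        System.out.println(ok ? "Unlimited-strength policy is in effect."
                              : "Unlimited-strength policy is NOT in effect for this JRE.");
        if (!ok) System.exit(1);
    }
}
```

Compile and run it with the same java binary the application server is started with, because a host with several JDKs can have the policy files loaded into one and not the other; the printed java.home shows which installation was checked.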

The following diagram illustrates the complete process of integrating SiteMinder into CA IdentityMinder:

[Diagram: the complete process of integrating SiteMinder into CA IdentityMinder]

Follow these steps:

  1. Configure the SiteMinder Policy Store for CA IdentityMinder.
  2. Import the CA IdentityMinder Schema into the Policy Store.
  3. Create a SiteMinder 4.X agent object.
  4. Export the CA IdentityMinder directories and environments.
  5. Delete all directory and environment definitions.
  6. Enable the SiteMinder Policy Server Resource Adapter.
  7. Disable the native CA IdentityMinder Framework Authentication Filter.
  8. Restart the application server.
  9. Configure a data source for SiteMinder.
  10. Import the directory definitions.
  11. Update and import environment definitions.
  12. Restart the application server.
  13. Install the web proxy server plug-in.
  14. Associate the SiteMinder Agent with a CA IdentityMinder domain.
  15. Configure the SiteMinder LogOffUrl parameter.