Installation and Upgrade Guides › Policy Server Installation Guide › Installation Overview › Sample SiteMinder Installation

Sample SiteMinder Installation

Installing SiteMinder requires you to install and configure several components. The following diagram shows:

• The Policy Server and policy store are installed and configured on one system.

  Note: Although not illustrated, the SiteMinder key store and the SiteMinder certificate data store are collocated with the policy store.

• The SiteMinder Administrative UI (Administrative UI) installed on a second system.
• CA Business Intelligence (Report Server) installed and configured on a third system.
• The order in which you install and configure each component.

  

Policy Server

(Required) A SiteMinder Policy Server (Policy Server) acts as the Policy Decision Point (PDP). The purpose of the Policy Server is to evaluate and enforce access control policies, which it communicates to a SiteMinder Agent. A Policy Server provides the following:

• Policy-based user management
• Authentication services
• Authorization services
• Password services
• Session management
• Auditing services

The Policy Server interacts with all other major components to perform these tasks.

Policy Store

(Required) The SiteMinder policy store (policy store) is an entitlement store that resides in an LDAP directory server or ODBC database. The purpose of this component is to store all policy-related objects, including the:

• Resources SiteMinder is protecting
• Methods used to protect those resources
• Users or groups that can or cannot access those resources
• Actions that must take place when users are granted or denied access to protected resources

The Policy Server uses this information, collectively known as an Enterprise Policy Management (EPM) application or SiteMinder policy, to determine if a resource is protected and if an authenticated user is authorized to access the requested resources.

Key Store

(Required) The purpose of this component is to store the encryption keys that the Policy Servers and the agents use to encrypt sensitive data, which include:

• The keys that the agents use to encrypt SiteMinder cookies.
• The keys that the Policy Servers use to encrypt sensitive policy store information, such as administrator passwords.
• The keys the Policy Servers use to encrypt SiteMinder session tickets that contain credentials and other information that is related to user sessions.

You can collocate the key store with the policy store or you can store encryption keys in a separate directory or database. The need to deploy a separate key store depends on:

• How you implement Policy Servers and policy stores.
• Single sign–on requirements.

Note: If you use the Policy Server Configuration wizard to configure a policy store, the key store is automatically collocated with the policy store.

More information:

Documentation Roadmap

Certificate Data Store

(Optional) The SiteMinder certificate data store (CDS) makes the following components and functions available to a SiteMinder environment:

• Certificate authority (CA) certificates
• Public and private keys
• Certificate revocation lists (CRL)
• OCSP revocation checks

Note: SiteMinder federation features use the certificate data store. The user certificates that the X.509 certificate authentication scheme uses for authentication are not stored in the certificate data store. These user certificates are stored in an LDAP/AD user directory or ODBC store.

By default, the certificate data store is automatically configured and colocated with the policy store. As a result:

• A separate external store is not required.
• All Policy Servers sharing a common view into the same policy store have access to the same keys, certificates, and certificate revocation lists.
• All SiteMinder administrators that manage the same policy store can manage the certificate data store centrally using the Administrative UI.

SiteMinder Administrative UI

(Required) The SiteMinder Administrative UI (Administrative UI) is a web–based administration console that is installed independent of the Policy Server. The Administrative UI is intended for managing all tasks that are related to access control, reporting, and policy analysis.