Web Services Security Guides › CA SiteMinder WSS Agent for IBM WebSphere Guide › SiteMinder WSS Agent for IBM WebSphere Introduction

SiteMinder WSS Agent for IBM WebSphere Introduction

This section contains the following topics:

SiteMinder WSS Agent for IBM WebSphere Overview

Required Background Information

SiteMinder WSS Agent for IBM WebSphere Components

Recommended Reading List

Installation Location References

SiteMinder WSS Agent for IBM WebSphere Overview

The SiteMinder Web Services Security (WSS) Agent for IBM WebSphere resides in a WebSphere Application Server, enabling you to protect WebSphere-hosted JAX-RPC web service resources.

The SiteMinder WSS Agent for IBM WebSphere intercepts all SOAP messages sent over HTTP or HTTPS transport to JAX-RPC web services deployed on the Websphere Application Server. The SiteMinder WSS Agent then communicates with the Policy Server to authenticate and authorize the message sender and, upon successful authentication and authorization, passes the SOAP message on to the addressed web service.

A high-level overview of the SiteMinder WSS Agent for IBM WebSphere Server architecture is shown in the following figure.

The SiteMinder WSS Agent for IBM WebSphere provides the following features:

• CA SiteMinder WSS Integration with the J2EE platform
• Fine-grained access control of JAX-RPC web service resources
• Support for bi-directional CA SiteMinder WSS/CA SiteMinder® and WebSphere single sign-on (SSO)
• Support for WebSphere clustering

The SiteMinder WSS Agent additionally supports:

• J2EE RunAs identity
• Multi-byte character usernames
• User mapping to support environments in which WebSphere and CA SiteMinder WSS are not configured to use the same user store
• Centralized and dynamic agent configurations
• Caching of resource protection decisions and authentication and authorization decisions
• Logging
• Authorization auditing

Required Background Information

This guide assumes that you have the following technical knowledge:

• An understanding of Java, J2EE standards, J2EE application servers, and multi-tier architecture
• An understanding of JAX-RPC web service implementations and JAX-RPC handlers
• Experience with the IBM WebSphere Application Server, its architecture and security infrastructure.
• Familiarity with Java Authentication and Authorization Server (JAAS) and WebSphere security-related topics
• Familiarity with CA SiteMinder WSS concepts, terms, and Policy Server configuration tasks

Additionally, to effectively plan your security infrastructure, you must be familiar with the web services that you plan to protect with CA SiteMinder WSS.

SiteMinder WSS Agent for IBM WebSphere Components

The SiteMinder WSS Agent for IBM WebSphere consists of two modules that plug into WebSphere's security infrastructure.

• SiteMinder WSS Agent JAX-RPC Handler
• SiteMinder WSS Agent Login Module

  

SiteMinder WSS Agent JAX-RPC Handler

The SiteMinder WSS Agent JAX-RPC Handler is a custom JAX-RPC Handler that, when added to the deployment descriptor of a JAX-RPC web service, intercepts SOAP message requests for JAX-RPC web services and diverts them to the SiteMinder WSS Agent Login Module for authentication and authorization decisions.

SiteMinder WSS Agent Login Module

The SiteMinder WSS Agent Login Module is a JAAS Login Module that performs authentication and authorization for JAX-RPC web services protected by the SiteMinder WSS Agent for IBM WebSphere.

The SiteMinder WSS Agent Login Module authenticates credentials obtained from the following request types against associated user directories configured in CA SiteMinder WSS:

• SOAP requests intercepted by the SiteMinder WSS Agent JAX-RPC Handler .
• Requests for web service resources from users with pre-established CA SiteMinder WSS and SiteMinder sessions (validating the session and obtaining user names from associated SiteMinder session ticket cookies)
• System login (such as J2EE RunAs identity) requests.

If CA SiteMinder WSS authentication is successful, the SiteMinder WSS Agent Login Module populates a JAAS Subject with a CA SiteMinder WSS Principal that contains the username and associated CA SiteMinder WSS session data.

The SiteMinder WSS Agent Login Module then determines whether an authenticated user is allowed to access a protected WebSphere resource, based on associated CA SiteMinder WSS authorization policies.

Recommended Reading List

To learn about the WebSphere Application Server and Java, see the following resources:

• IBM Redbooks Online

  http://www.redbooks.ibm.com/Redbooks.nsf/redbooks/

• IBM WebSphere Application Server Information Center

  http://www-306.ibm.com/software/webservers/appserv/was/

• Sun Microsystems, Inc., online documentation

  http://java.sun.com.

Installation Location References

In this guide:

• WSS_HOME refers to the location where CA SiteMinder WSS is installed.
• WAS_HOME refers to the installed location of the WebSphere Application Server.