CA SiteMinder WSS is a policy-based access management system for Service Oriented Architecture (SOA) environments. With CA SiteMinder WSS, you can protect "big" (XML transaction-processing) web services that are implemented in the following ways:
CA SiteMinder WSS protects XML resources in much the same way as CA SiteMinder protects HTML resources, allowing entitlement data to be obtained from any layer of the XML message, depending upon the authentication and authorization needs of the back-end applications.
CA SiteMinder WSS extends SiteMinder® technology, using CA SiteMinder WSS (WSS) Agents and the Policy Server to protect web service resources hosted on web and application servers.
The following illustration shows a simple CA SiteMinder WSS environment in which a SiteMinder WSS Agent is deployed into a web or application server that is hosting web services.
More complex architectures can also be configured to support multiple web service implementations where SiteMinder WSS Agents are optionally deployed on web service endpoints to provide an additional layer of security.
Note: This guide describes only how to configure Policy Server infrastructure and policy objects to protect web service resources with CA SiteMinder WSS. For further information about configuring the Policy Server, see the CA SiteMinder® Policy Server Configuration Guide.
The CA SiteMinder® 12.51 Policy Server provides a centralized, policy-based security management operating environment for securing your web resources. The CA SiteMinder® 12.51 Policy Server integrates with SiteMinder WSS Agents to secure SOAP-based web services and other CA SiteMinder® agent types to secure web applications and other resources. As such, the CA SiteMinder® 12.51 Policy Server can serve as the Policy Decision Point (PDP) in a CA SiteMinder® or CA SiteMinder WSS environment.
Note: The CA SiteMinder® 12.51 Policy Server is the first to include the CA SiteMinder WSS extensions that are required to integrate with SiteMinder WSS Agents to secure web services. Previously, only the CA SOA Security Manager Policy Server could integrate with SiteMinder WSS Agents.
The Policy Server provides the following features:
The Policy Server supports a range of authentication methods.
The Policy Server is responsible for managing and enforcing access control rules that are established by the Policy Server administrator. These rules define the operations that are allowed for each protected resource.
The Policy Server is configured using the CA SiteMinder® Administrative UI. The Administration service of the Policy Server allows the Administrative UI to record configuration information in the Policy Store.
The Policy Server generates log files that contain auditing information about the events that occur within the system. These logs can be printed in the form of predefined reports, so that security events or anomalies can be analyzed.
The Policy Server provides features for monitoring activity throughout a CA SiteMinder WSS deployment.
In a CA SiteMinder WSS implementation, a web service client sends a web service request in the form of an XML/SOAP message. At the target server, an SiteMinder WSS Agent intercepts that request. The SiteMinder WSS Agent determines whether the resource is protected, and if so, gathers user credentials from the request and passes them to the Policy Server.
The Policy Server authenticates the user against native user directories, then verifies if the authenticated user is authorized for the requested resource using rules and policies that are contained in the policy store. Once a user is authenticated and authorized, the Policy Server grants access to protected resources and delivers permission and entitlement information.
SiteMinder WSS Agents are the Policy Enforcement Points (PEPs) in the CA SiteMinder WSS environment, responsible for enforcing the policies defined on the Policy Server. Deployed at the end-points (web and application servers), they protect web services deployed in your SOA infrastructure.
SiteMinder WSS Agent for Web Servers
The SiteMinder WSS Agent for Web Servers is an XML-enabled version of the CA SiteMinder Web Agent. The SiteMinder WSS Agent integrates with a supported web server to authenticate and authorize requests for access to "big" web services bound to URLs served by that web server.
The SiteMinder WSS Agent for Web Servers recognizes requests that meet the following criteria as web service requests for CA SiteMinder WSS to handle:
All other requests are handled using the core Web Agent functionality of the Web Agent, letting you also protect other resources on a web server.
SiteMinder WSS Agent for IBM WebSphere
The SiteMinder WSS Agent for IBM WebSphere is a container-native agent for J2EE application servers that can be used to authenticate and authorize request messages sent over HTTP(S) transport to JAX-RPC resources hosted an IBM WebSphere Application Server.
The SiteMinder WSS Agent recognizes requests that meet the following criteria as web service requests for CA SiteMinder WSS to handle:
SiteMinder WSS Agent for Oracle WebLogic
The SiteMinder WSS Agent for Oracle WebLogic is a container-native agent for J2EE application servers that can be used to authenticate and authorize request messages sent over HTTP(S) or JMS transports to JAX-RPC resources hosted on an Oracle WebLogic Server.
The SiteMinder WSS Agent recognizes requests that meet the following criteria as web service requests for CA SiteMinder WSS to handle:
SiteMinder Agent for JBoss
The SiteMinder Agent for JBoss provides access control for web application and web service resources hosted on the JBoss Application Server, providing the following security interceptors:
When configured into a CA SiteMinder WSS environment, the SiteMinder WSS Agent Security Interceptor provides a SiteMinder WSS Agent solution that provides CA SiteMinder WSS access control for JAX-WS and JAX-RPC web service resources.
When configured into a SiteMinder environment, the SiteMinder Agent Security Interceptor provides a SiteMinder Agent solution that provides SiteMinder access control for web application resources (including servlets, HTML pages, JSP, image files) and EJBs.
CA SiteMinder WSS supports content-level, XML-based security for "big" web services. The following illustration illustrates the flow of data in a simple, single web service implementation secured with CA SiteMinder WSS.
The data in the previous illustration flows as follows:
POST /CreditRating HTTP/1.1 Content-Type: text/xml Content-Length: nnnn SOAPAction:“someURI:CreditRating#GetCreditRating" <SOAP-ENV:Envelope> <!-- request --> </SOAP-ENV:Envelope>
Authentication schemes that require user intervention are generally not appropriate for securing web services. CA SiteMinder WSS provides four transport-level and message-level authentication schemes that do not require user intervention.
Validates XML messages using credentials gathered from the message itself by mapping fields within the document to fields within a user directory.
Validates XML documents digitally signed with valid X.509 certificates.
Validates XML messages using credentials gathered from WS-Security headers in a message’s SOAP envelope.
CA SiteMinder WSS can produce and consume WS-Security tokens. This enables you to use the WS-Security authentication scheme to deploy a multiple-web service implementation across federated sites.
Validates XML messages using credentials obtained from CA SiteMinder WSS synchronized-sessioning SAML assertions (which contain an encrypted combination of a CA SiteMinder session ticket and a CA SiteMinder user’s public key) placed in a message’s HTTP header, SOAP envelope, or a cookie.
CA SiteMinder WSS can generate and consume SAML Session Ticket assertions. This enables you to use the SAML Session Ticket authentication scheme to deploy a multiple-web service implementation within a single Policy Server domain.
Deciding which authentication scheme or schemes you intend to use to secure your web services is integral to how you design and implement your web services and is best made as part of the broader context of choosing an authentication service model.
|
Copyright © 2015 CA Technologies.
All rights reserved.
|
|