Policy Server Management Overview
The Policy Server provides a platform for access control that operates in conjunction with other CA products, including:
- CA SiteMinder®—Combines the Policy Server with CA SiteMinder® Agents to provide access control for web servers.
- CA SiteMinder WSS—Combines the Policy Server with SiteMinder WSS Agents to provide access control for XML-based web services. If you have purchased this product, see the CA SiteMinder WSS Policy Configuration Guide for more information.
- CA Identity Manager—Provides identity management services. See the CA Identity Manager Administration Guide for more information.
Note: For information about SiteMinder and policy-based resource management, see the Policy Server Configuration Guide.
Policy Server Components
A Policy Server environment consists of two core components:
- Policy Server—Provides policy management, authentication, authorization, and accounting services.
- Policy Store—Contains all Policy Server data.
Additional components are included with various CA products, for example, CA SiteMinder® Agents. CA SiteMinder® Agents are integrated with a standard Web server or application server. They enable CA SiteMinder® to manage access to Web applications and content according to predefined security policies. Other types of CA SiteMinder® Agents allow CA SiteMinder® to control access to non-Web entities. For example, a CA SiteMinder® RADIUS Agent manages access to RADIUS devices, while a CA SiteMinder® Affiliate Agent manages information passed to an affiliate’s Web site from a portal site.
Policy Server Operations
The Policy Server provides access control and single sign-on. It typically runs on a separate Windows or UNIX system, and performs the following key security operations:
- Authentication—The Policy Server supports a range of authentication methods. It can authenticate users based on user names and passwords, using tokens, using forms-based authentication, and through public-key certificates.
- Authorization—The Policy Server is responsible for managing and enforcing access control rules established by Policy Server administrators. These rules define the operations that are allowed for each protected resource.
- Administration—The Policy Server can be configured using the Administrative UI. The Administration service of the Policy Server is what enables the UI to record configuration information in the Policy Store. The Policy Store is the database that contains entitlement information.
- Accounting—The Policy Server generates log files that contain auditing information about the events that occur within the system. These logs can be printed in the form of predefined reports, so that security events or anomalies can be analyzed.
- Health Monitoring—Policy Server provides health monitoring components.
The following diagram illustrates a simple implementation of a Policy Server in a SiteMinder environment that includes a single SiteMinder Web Agent.
In a Web implementation, a user requests a resource through a browser. That request is received by the Web Server and intercepted by the SiteMinder Web Agent. The Web Agent determines whether or not the resource is protected, and if so, gathers the user’s credentials and passes them to the Policy Server. The Policy Server authenticates the user against native user directories, then verifies if the authenticated user is authorized for the requested resource based on rules and policies contained in the Policy Store. When a user is authenticated and authorized, the Policy Server grants access to protected resources and delivers privilege and entitlement information.
Note: Custom Agents can be created using the SiteMinder Agent API. For more information, see the Programming Guide for C.
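The request flow described above can be modeled in a few lines. This is an added illustration, not SiteMinder code and not the SiteMinder Agent API: the class, function, and event names, the sample user directory, and the policy entries are all hypothetical and constructed for the example.

```python
import hashlib
import hmac
from fnmatch import fnmatchcase

def _kdf(password, salt=b"constructed-salt"):
    # Constructed for the example; a real directory uses a per-user salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample data standing in for a user directory and a policy store.
USER_DIRECTORY = {"alice": _kdf("correct horse")}
POLICY_STORE = [
    # (resource pattern, allowed action, users entitled to it)
    ("/hr/*", "GET", {"alice"}),
    ("/admin/*", "GET", set()),
]
AUDIT_LOG = []  # accounting: one entry per authentication/authorization decision

class PolicyServer:
    def is_protected(self, resource):
        # Protection depends on the resource only, so an unlisted action
        # on a protected resource is denied rather than passed through.
        return any(fnmatchcase(resource, p) for p, _, _ in POLICY_STORE)

    def authenticate(self, user, password):
        expected = USER_DIRECTORY.get(user, b"")
        ok = hmac.compare_digest(expected, _kdf(password))
        AUDIT_LOG.append(("auth_ok" if ok else "auth_fail", user))
        return ok

    def authorize(self, user, resource, action):
        ok = any(fnmatchcase(resource, p) and action == a and user in users
                 for p, a, users in POLICY_STORE)
        AUDIT_LOG.append(("authz_ok" if ok else "authz_fail", user, resource))
        return ok

def web_agent(ps, resource, action, credentials=None):
    """Agent side: intercept a request and return an HTTP-style status."""
    if not ps.is_protected(resource):
        return 200  # unprotected: hand the request to the web server
    if credentials is None:
        return 401  # protected: challenge the user for credentials
    user, password = credentials
    if not ps.authenticate(user, password):
        return 401
    if not ps.authorize(user, resource, action):
        return 403  # authenticated, but no rule grants this action
    return 200
```

Authentication and authorization are separate decisions with separate audit entries, which is what lets the accounting logs distinguish a failed login from an entitled-user check that was denied.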
Policy Server Administration
The following diagram illustrates the Policy Server administrative model:
- Policy Server—The Policy Server provides policy management, authentication, authorization, and accounting services.
- Policy store—The policy store contains all of the Policy Server data. You can configure a policy store in a supported LDAP or relational database.
- Administrative UI—You use the Administrative UI to manage CA SiteMinder® administrator accounts, objects, and policy data through the Policy Server. You configure a directory XML file, an administrator user store, and an object store when installing the Administrative UI:
  - Object store—The Administrative UI is an asynchronous application that is event and task-based. The object store stores this information. You configure an object store in either a Microsoft SQL Server or Oracle database.
  - Administrator user store—The Administrative UI authenticates CA SiteMinder® administrator accounts using the administrator user store. All of your administrator accounts must be stored in a single administrator user store. You configure an administrator user store in a supported LDAP directory server or ODBC database when installing the Administrative UI.
- Report server and databases—You can create and manage a collection of CA SiteMinder® policy analysis and audit reports from the Administrative UI. A report server and report database are required to use the reporting feature. The report server and report database are required to run policy analysis reports. The report server and audit database are required to run audit-based reports.
Copyright © 2015 CA Technologies.
All rights reserved.