

CA SiteMinder® Web Services Security Overview

CA SiteMinder® Web Services Security is a policy-based access management system for Service Oriented Architecture (SOA) environments. With CA SiteMinder® Web Services Security, you can protect "big" (XML transaction-processing) web services that are implemented in the following ways:

CA SiteMinder® Web Services Security protects XML resources in much the same way as CA SiteMinder protects HTML resources, allowing entitlement data to be obtained from any layer of the XML message, depending upon the authentication and authorization needs of the back-end applications.

CA SiteMinder® Web Services Security Architecture and Components

CA SiteMinder® Web Services Security extends SiteMinder® technology, using CA SiteMinder® Web Services Security (WSS) Agents and the Policy Server to protect web service resources hosted on web and application servers.

The following illustration shows a simple CA SiteMinder® Web Services Security environment in which a SiteMinder WSS Agent is deployed into a web or application server that is hosting web services.

Diagram showing SiteMinder WSS access control for a simple web service

More complex architectures can also be configured to support multiple web service implementations where SiteMinder WSS Agents are optionally deployed on web service endpoints to provide an additional layer of security.

Note: This guide describes only how to configure Policy Server infrastructure and policy objects to protect web service resources with CA SiteMinder® Web Services Security. For further information about configuring the Policy Server, see the CA SiteMinder® Policy Server Configuration Guide.

CA SiteMinder® Policy Server

The CA SiteMinder® 12.52 SP1 Policy Server provides a centralized, policy-based security management environment for securing your web resources. It integrates with SiteMinder WSS Agents to secure SOAP-based web services, and with other CA SiteMinder® agent types to secure web applications and other resources. As such, the CA SiteMinder® 12.52 SP1 Policy Server can serve as the Policy Decision Point (PDP) in a CA SiteMinder® or CA SiteMinder® Web Services Security environment.

Note: The CA SiteMinder® 12.51 Policy Server was the first to include the CA SiteMinder® Web Services Security extensions that are required to integrate with SiteMinder WSS Agents to secure web services. Previously, only the CA SOA Security Manager Policy Server could integrate with SiteMinder WSS Agents.

The Policy Server provides the following features:

Authentication

The Policy Server supports a range of authentication methods.

Authorization

The Policy Server is responsible for managing and enforcing access control rules that are established by the Policy Server administrator. These rules define the operations that are allowed for each protected resource.

Administration

The Policy Server is configured using the CA SiteMinder® Administrative UI. The Administration service of the Policy Server allows the Administrative UI to record configuration information in the Policy Store.

Accounting

The Policy Server generates log files that contain auditing information about the events that occur within the system. These logs can be printed in the form of predefined reports, so that security events or anomalies can be analyzed.

Health Monitoring

The Policy Server provides features for monitoring activity throughout a CA SiteMinder® Web Services Security deployment.

In a CA SiteMinder® Web Services Security implementation, a web service client sends a web service request in the form of an XML/SOAP message. At the target server, a SiteMinder WSS Agent intercepts that request and determines whether the requested resource is protected. If it is, the SiteMinder WSS Agent gathers user credentials from the request and passes them to the Policy Server.

The Policy Server authenticates the user against its native user directories, then verifies that the authenticated user is authorized for the requested resource using the rules and policies contained in the policy store. Once a user is authenticated and authorized, the Policy Server grants access to the protected resource and returns permission and entitlement information to the agent.

Web Services Security (WSS) Agents

SiteMinder WSS Agents are the Policy Enforcement Points (PEPs) in the CA SiteMinder® Web Services Security environment, responsible for enforcing the policies defined on the Policy Server. Deployed at the endpoints (web and application servers), they protect the web services deployed in your SOA infrastructure.

SiteMinder WSS Agent for Web Servers

The SiteMinder WSS Agent for Web Servers is an XML-enabled version of the CA SiteMinder Web Agent. The SiteMinder WSS Agent integrates with a supported web server to authenticate and authorize requests for access to "big" web services bound to URLs served by that web server.

The SiteMinder WSS Agent for Web Servers recognizes requests that meet the following criteria as web service requests for CA SiteMinder® Web Services Security to handle:

All other requests are handled by the core Web Agent functionality, so you can also protect the other resources on the same web server.

SiteMinder WSS Agent for IBM WebSphere

The SiteMinder WSS Agent for IBM WebSphere is a container-native agent for J2EE application servers that can be used to authenticate and authorize request messages sent over HTTP(S) transport to JAX-RPC resources hosted on an IBM WebSphere Application Server.

The SiteMinder WSS Agent recognizes requests that meet the following criteria as web service requests for CA SiteMinder® Web Services Security to handle:

SiteMinder WSS Agent for Oracle WebLogic

The SiteMinder WSS Agent for Oracle WebLogic is a container-native agent for J2EE application servers that can be used to authenticate and authorize request messages sent over HTTP(S) or JMS transports to JAX-RPC resources hosted on an Oracle WebLogic Server.

The SiteMinder WSS Agent recognizes requests that meet the following criteria as web service requests for CA SiteMinder® Web Services Security to handle:

SiteMinder Agent for JBoss

The SiteMinder Agent for JBoss provides access control for web application and web service resources hosted on the JBoss Application Server, providing the following security interceptors:

SiteMinder WSS Agent Security Interceptor

When configured into a CA SiteMinder® Web Services Security environment, the SiteMinder WSS Agent Security Interceptor acts as a SiteMinder WSS Agent, providing CA SiteMinder® Web Services Security access control for JAX-WS and JAX-RPC web service resources.

CA SiteMinder® Agent Security Interceptor

When configured into a SiteMinder environment, the SiteMinder Agent Security Interceptor acts as a SiteMinder Agent, providing SiteMinder access control for web application resources (including servlets, HTML pages, JSPs, and image files) and EJBs.

Web Service Request Processing

CA SiteMinder® Web Services Security supports content-level, XML-based security for "big" web services. The following illustration shows the flow of data in a simple, single web service implementation secured with CA SiteMinder® Web Services Security.

Diagram illustrating the flow of data in SiteMinder Web Services Security

The data in the previous illustration flows as follows:

  1. A web service consumer (client) application creates a web service request in the form of an XML document and sends it to the web service provider site. An example document could be a purchase order. Credentials and authorization entitlements can be inserted in the message envelope or message body.
  2. At the web service provider’s site, the SiteMinder WSS Agent intercepts the request based on the action and content type in the HTTP header, as in the following sample HTTP request (a SOAP envelope carried in a POST):
    POST /CreditRating HTTP/1.1
    Content-Type: text/xml
    Content-Length: nnnn
    SOAPAction: "someURI:CreditRating#GetCreditRating"

    <SOAP-ENV:Envelope>
      <!-- request -->
    </SOAP-ENV:Envelope>

  3. The SiteMinder WSS Agent gathers the sender’s credentials from the XML message and passes this information to the Policy Server for authentication and authorization.
  4. The authorized message is passed to the back-end business application for processing.
  5. Optionally, the back-end application returns a response to the web service requester with the status of the payload (for example, indicating that the purchase order has been accepted and is being processed).
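
The flow above as an added, runnable model. This is example code written for this page, not CA SiteMinder's own implementation: a hypothetical agent parses the raw HTTP request, applies assumed criteria for recognising a SOAP call (POST, an XML content type, a SOAPAction header), derives a resource name from the URL path and the SOAPAction operation, collects credentials from elements in the SOAP Body in the manner of the XML Document Credential Collector scheme, and checks them against a constructed in-memory user directory and policy store that stand in for the Policy Server. The namespace urn:example:credit, the RequestorId and RequestorSecret elements, the "path#operation" resource naming and the sample request are all assumptions of the example.

```python
# Hypothetical WSS-agent model (example code, not CA SiteMinder's).
import hmac
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

SOAP11_NS = "http://schemas.xmlsoap.org/soap/envelope/"
APP_NS = "urn:example:credit"  # hypothetical application namespace

# Constructed user directory: uid -> attributes. A real agent hands the
# credentials to the Policy Server, which checks its own directories.
USER_DIRECTORY = {
    "alice": {"secret": "s3cret-alice", "roles": {"analysts"}},
    "bob": {"secret": "s3cret-bob", "roles": {"purchasing"}},
}
# Constructed policy store: protected resource -> roles allowed to call it.
# Naming a resource "URL path + '#' + operation" is this model's choice.
POLICY_STORE = {"/CreditRating#GetCreditRating": {"analysts"}}
# Credential collector mapping (hypothetical): element in the SOAP Body ->
# directory attribute it is matched against.
CREDENTIAL_MAP = {
    f"{{{APP_NS}}}RequestorId": "uid",
    f"{{{APP_NS}}}RequestorSecret": "secret",
}


@dataclass
class Decision:
    allowed: bool
    reason: str
    user: Optional[str] = None
    resource: Optional[str] = None


def parse_http(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    method, path, _version = request_line.split(" ")  # ValueError if malformed
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def is_web_service_request(method: str, headers: dict) -> bool:
    """Step 2 (assumed criteria): POST with an XML content type and a
    SOAPAction header (SOAP 1.1), or the SOAP 1.2 media type. Anything
    else is left to the ordinary Web Agent."""
    if method != "POST":
        return False
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype == "text/xml":
        return "soapaction" in headers
    return ctype == "application/soap+xml"


def resource_name(path: str, headers: dict) -> str:
    """URL path plus the operation named after '#' in the quoted SOAPAction."""
    action = headers.get("soapaction", "").strip('"')
    operation = action.rsplit("#", 1)[-1] if action else ""
    return f"{path}#{operation}"


def collect_document_credentials(body: bytes) -> dict:
    """Read the mapped credential elements out of the SOAP Body. The stdlib
    parser keeps this dependency-free; a deployed agent must also refuse
    DTDs and external entities (for example with defusedxml)."""
    soap_body = ET.fromstring(body).find(f"{{{SOAP11_NS}}}Body")
    if soap_body is None:
        raise ValueError("no SOAP Body")
    creds = {}
    for tag, attr in CREDENTIAL_MAP.items():
        node = soap_body.find(f".//{tag}")
        if node is None or not (node.text or "").strip():
            raise ValueError(f"missing credential element {tag}")
        creds[attr] = node.text.strip()
    return creds


def authorize(raw_request: bytes) -> Decision:
    """Steps 2-4: intercept, check protection, authenticate, authorize."""
    try:
        method, path, headers, body = parse_http(raw_request)
    except ValueError as exc:
        return Decision(False, f"malformed request: {exc}")
    if not is_web_service_request(method, headers):
        return Decision(False, "not a web service request; left to the Web Agent")
    resource = resource_name(path, headers)
    required = POLICY_STORE.get(resource)
    if required is None:
        return Decision(True, "unprotected resource", resource=resource)
    try:
        creds = collect_document_credentials(body)
    except (ET.ParseError, ValueError) as exc:
        return Decision(False, f"credential collection failed: {exc}", resource=resource)
    entry = USER_DIRECTORY.get(creds["uid"])
    # Constant-time compare; an unknown uid takes the same path as a bad secret.
    expected = entry["secret"] if entry else ""
    if not hmac.compare_digest(expected.encode(), creds["secret"].encode()) or not entry:
        return Decision(False, "authentication failed", resource=resource)
    if not entry["roles"] & required:
        return Decision(False, "not authorized for resource", user=creds["uid"], resource=resource)
    return Decision(True, "authenticated and authorized", user=creds["uid"], resource=resource)


# Constructed sample request, modelled on the one in the text.
SAMPLE_REQUEST = (
    b"POST /CreditRating HTTP/1.1\r\n"
    b"Host: ws.example.com\r\n"
    b"Content-Type: text/xml; charset=utf-8\r\n"
    b'SOAPAction: "someURI:CreditRating#GetCreditRating"\r\n'
    b"\r\n"
    b'<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">'
    b"<SOAP-ENV:Body>"
    b'<cr:GetCreditRating xmlns:cr="urn:example:credit">'
    b"<cr:RequestorId>alice</cr:RequestorId>"
    b"<cr:RequestorSecret>s3cret-alice</cr:RequestorSecret>"
    b"<cr:CustomerId>12345</cr:CustomerId>"
    b"</cr:GetCreditRating></SOAP-ENV:Body></SOAP-ENV:Envelope>"
)
```

Calling authorize(SAMPLE_REQUEST) returns an allowed decision for alice; swapping in bob's credentials fails authorization (wrong role), and a wrong secret or unknown user fails authentication with the same message and timing path. Two points the model makes explicit: the agent decides whether a request is a web service request before it looks at the body, so the recognition criteria are part of the security boundary, and credentials carried in the body are only as confidential as the transport, so this scheme belongs behind TLS.
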

Authentication Schemes

Authentication schemes that require user intervention are generally not appropriate for securing web services. CA SiteMinder® Web Services Security provides four transport-level and message-level authentication schemes that do not require user intervention.

XML Document Credential Collector

Validates XML messages using credentials gathered from the message itself by mapping fields within the document to fields within a user directory.

XML Digital Signature

Validates XML documents digitally signed with valid X.509 certificates.

WS-Security

Validates XML messages using credentials gathered from WS-Security headers in a message’s SOAP envelope.

CA SiteMinder® Web Services Security can produce and consume WS-Security tokens. This enables you to use the WS-Security authentication scheme to deploy a multiple-web service implementation across federated sites.
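
The produce-and-consume pattern described above, as an added example that is not CA SiteMinder's code. The page does not say which WS-Security token types the product handles, so this assumes the OASIS WS-Security UsernameToken profile with a PasswordDigest (Base64 of SHA-1 over nonce, Created and password): the producer builds a wsse:Security header carrying a digest token, and the consumer recomputes the digest, enforces a freshness window on wsu:Created, and rejects replayed nonces. The user directory, the five-minute skew window and the message layout are constructed for the example.

```python
# WS-Security UsernameToken (PasswordDigest) producer and verifier.
# Example code, not CA SiteMinder's; assumes the OASIS UsernameToken profile 1.0.
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU_NS = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd")
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")

# Constructed user directory. The digest profile forces the verifier to hold
# a recoverable password, which is one reason to prefer signed or session tokens.
USER_DIRECTORY = {"alice": "s3cret-alice"}
CLOCK_SKEW = timedelta(minutes=5)  # assumed freshness window for wsu:Created
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"    # fractional seconds not handled here


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken profile: Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def make_username_token(user: str, password: str, now: Optional[datetime] = None) -> str:
    """Producer side: a SOAP envelope whose header carries a digest UsernameToken."""
    now = now or datetime.now(timezone.utc)
    nonce = os.urandom(16)
    created = now.astimezone(timezone.utc).strftime(TIME_FMT)
    return (
        f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_NS}"><SOAP-ENV:Header>'
        f'<wsse:Security xmlns:wsse="{WSSE_NS}" xmlns:wsu="{WSU_NS}">'
        f"<wsse:UsernameToken><wsse:Username>{user}</wsse:Username>"
        f'<wsse:Password Type="{DIGEST_TYPE}">'
        f"{password_digest(nonce, created, password)}</wsse:Password>"
        f"<wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce>"
        f"<wsu:Created>{created}</wsu:Created>"
        "</wsse:UsernameToken></wsse:Security></SOAP-ENV:Header>"
        "<SOAP-ENV:Body/></SOAP-ENV:Envelope>"
    )


class UsernameTokenVerifier:
    """Consumer side: digest check, freshness window, and nonce replay cache."""

    def __init__(self, directory: dict, skew: timedelta = CLOCK_SKEW):
        self.directory = directory
        self.skew = skew
        self.seen_nonces = set()  # production: expire entries older than the skew window

    def verify(self, envelope: str, now: Optional[datetime] = None) -> Tuple[bool, str]:
        now = now or datetime.now(timezone.utc)
        try:
            root = ET.fromstring(envelope)  # stdlib parser; use defusedxml when deployed
        except ET.ParseError:
            return False, "malformed XML"
        token = root.find(f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security/{{{WSSE_NS}}}UsernameToken")
        if token is None:
            return False, "no UsernameToken"
        user = (token.findtext(f"{{{WSSE_NS}}}Username") or "").strip()
        pw = token.find(f"{{{WSSE_NS}}}Password")
        nonce_b64 = (token.findtext(f"{{{WSSE_NS}}}Nonce") or "").strip()
        created = (token.findtext(f"{{{WSU_NS}}}Created") or "").strip()
        # Reject PasswordText and tokens without the anti-replay fields.
        if pw is None or pw.get("Type") != DIGEST_TYPE or not (nonce_b64 and created):
            return False, "only PasswordDigest tokens with Nonce and Created are accepted"
        try:
            nonce = base64.b64decode(nonce_b64, validate=True)
            created_at = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
        except ValueError:
            return False, "bad Nonce or Created encoding"
        if abs(now - created_at) > self.skew:
            return False, "Created outside freshness window"
        if nonce in self.seen_nonces:
            return False, "nonce replayed"
        # Unknown users still go through the digest comparison (empty password)
        # so the failure path does not reveal whether the user exists.
        expected = password_digest(nonce, created, self.directory.get(user, ""))
        if not hmac.compare_digest(expected.encode(), (pw.text or "").strip().encode()):
            return False, "digest mismatch"
        self.seen_nonces.add(nonce)
        return True, f"authenticated {user}"
```

The verifier only accepts a nonce once and only within the skew window, which is what makes the digest usable as a one-shot credential between sites; without both checks a captured envelope can be replayed for as long as the password is valid. The digest also gives no confidentiality: SHA-1 over nonce, timestamp and password is cheap to brute-force offline from a captured message, so this token type still needs TLS on the transport, and a signed token (the XML Digital Signature scheme) or a session ticket is preferable where the client can support it.
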

SAML Session Ticket

Validates XML messages using credentials obtained from CA SiteMinder® Web Services Security synchronized-sessioning SAML assertions (which contain an encrypted combination of a CA SiteMinder session ticket and a CA SiteMinder user’s public key) placed in a message’s HTTP header, SOAP envelope, or a cookie.

CA SiteMinder® Web Services Security can generate and consume SAML Session Ticket assertions. This enables you to use the SAML Session Ticket authentication scheme to deploy a multiple-web service implementation within a single Policy Server domain.

The choice of authentication scheme or schemes for your web services is integral to how you design and implement them, and is best made in the broader context of choosing an authentication service model.