

Using Credential Collectors Between 4.x Type and Newer Type Agents

Older versions of the CA SiteMinder® agent objects used a security model that featured a shared secret that is stored on the Policy Server and in the WebAgent.conf file. These agents are named 4.x type agents. You can specify support for 4.x agent functions when creating an agent object in the CA SiteMinder® Administrative UI.

Later versions of CA SiteMinder® use a trusted host object on the Policy Server instead of the shared secret security model.

CA SiteMinder® supports using credential collectors between 4.x type and later agents. This usage of credential collectors is named mixed mode. Additional configuration steps are required for mixed mode deployments.

Configure Credential Collectors in a Mixed Environment

From CA SiteMinder® r6.x to CA SiteMinder® 12.52 SP1, the credential collectors operate differently than the older 4.x type credential collectors do. 4.x type credential collectors placed a cookie in the browser of the user, and then redirected the user back to the original agent.

In the newer CA SiteMinder® versions, the credential collector logs the user in to the Policy Server on behalf of the agent protecting the requested resource. Cookies are not used.

Note: We recommend using credential collectors to log users in directly rather than setting cookies. Logging users in through the credential collector protects user credentials better, because the credentials are not passed around the network in cookies.

A credential collector requires the following information to log a user in:

To learn the Agent name, a credential collector uses the following process:

  1. Use the SMAGENTNAME query parameter that the original Agent adds to the query string of the URL as it redirects to the credential collector.
  2. If no Agent name is appended to the URL, use the mappings defined in the AgentName configuration parameter that is associated with the credential collector.

    Each mapping in the AgentName parameter specifies the name and IP address of a host using that collector for its protected resources.

  3. If no Agent name mappings are configured, use the fully qualified host name of the target URL as the Agent name. This behavior is determined by enabling the AgentNamesAreFQHostNames configuration parameter.

    This parameter is disabled by default, so the credential collector uses the value of the DefaultAgentName parameter as the agent name.
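The resolution order above, as an added Python model that is not SiteMinder code: a request from a newer agent carries SMAGENTNAME and resolves at step 1, while a request from a 4.x or third-party agent carries no agent name and falls through to the AgentName mappings, the AgentNamesAreFQHostNames setting, or DefaultAgentName. Assumed for the example: the target URL travels in a TARGET query parameter, mappings are (agent name, host) pairs, and the sample URLs are constructed.

```python
from urllib.parse import parse_qs, urlsplit

# Collector request URLs constructed for this example. The first comes from
# a newer agent that appends SMAGENTNAME; the others imitate a 4.x or
# third-party agent that sends no agent name. Carrying the target URL in a
# TARGET query parameter is an assumption, not taken from the page.
SAMPLE_REQUESTS = [
    "https://sso.example.com/login.fcc?SMAGENTNAME=hr-agent"
    "&TARGET=https%3A%2F%2Fhr.example.com%2Fpayroll",
    "https://sso.example.com/login.fcc?TARGET=https%3A%2F%2Fhr.example.com%2Fpayroll",
    "https://sso.example.com/login.fcc?TARGET=https%3A%2F%2Fintranet.example.com%2F",
]


def resolve_agent_name(collector_url, agent_name_mappings,
                       agent_names_are_fq_hostnames, default_agent_name):
    """Return (agent name, rule that produced it) for one collector request.

    agent_name_mappings: list of (agent name, host) pairs, the hypothetical
    in-memory form of the collector's AgentName mappings.
    """
    params = parse_qs(urlsplit(collector_url).query)

    # 1. SMAGENTNAME appended by the original agent wins; the value is
    #    treated as opaque here.
    if params.get("SMAGENTNAME"):
        return params["SMAGENTNAME"][0], "SMAGENTNAME"

    # Host of the protected target URL, used by steps 2 and 3.
    target_host = urlsplit(params.get("TARGET", [""])[0]).hostname or ""

    # 2. AgentName mappings configured on the collector.
    for name, host in agent_name_mappings:
        if host.lower() == target_host.lower():
            return name, "AgentName mapping"
    # Assumption: configured mappings that match no host fall through.

    # 3. AgentNamesAreFQHostNames=Yes: the target's FQHN is the agent name.
    if agent_names_are_fq_hostnames and target_host:
        return target_host, "AgentNamesAreFQHostNames"

    # 4. Otherwise the collector falls back to DefaultAgentName.
    return default_agent_name, "DefaultAgentName"


def trace_samples(agent_name_mappings, agent_names_are_fq_hostnames):
    """Resolve every sample request under one collector configuration."""
    return [resolve_agent_name(url, agent_name_mappings,
                               agent_names_are_fq_hostnames, "default-agent")
            for url in SAMPLE_REQUESTS]
```

Running trace_samples with a mapping for hr.example.com and the default (disabled) AgentNamesAreFQHostNames shows the intranet request silently landing on DefaultAgentName, which is the misconfiguration to watch for in a mixed deployment.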

Consider the preceding implications before configuring credential collectors in a mixed environment.

Use FCCs and NTCs in a Mixed Environment

To process requests, the FCC and NTC rely on the user credentials and the name of the Web Agent that is protecting the requested resource. However, 4.x agents and third-party agents posting to the FCC and NTC do not pass the Agent name on the URL they send.

The following configuration options help FCCs and NTCs to operate with 4.x Web Agents:

Use Compatibility Mode—to enable an r5.x, r6.x, or 12.52 SP1 FCC/NTC to serve forms for resources that are protected by 4.x agents or third-party applications, enable the FCCCompatMode parameter. In Traditional Web Agents, the FCCCompatMode parameter is enabled by default. In Framework Agents, the FCCCompatMode parameter is disabled by default.

Enabling this parameter makes an r5.x, r6.x, or 12.52 SP1 Agent handle forms and NTLM credential collection like a 4.x Agent. With this setting, a form or NTLM credential cookie is written to the browser of the user, who is then redirected back to the Agent before logging in. This configuration permits the agents to interoperate.

When the value of the FCCCompatMode parameter is set to no, compatibility with 4.x Agents is disabled. In a 12.52 SP1 environment, set the value of the parameter to no.

Important! Setting this parameter to no removes support for version 4.x of the Netscape browser.

The following tables list guidelines for configuring r5.x, r6.x, or 12.52 SP1 and 4.x FCCs and NTCs, and describe how each behaves in a mixed environment:

Notes:

Web Agent Protecting Resources: r5.x, r6.x, or 12.52 SP1
  r5.x, r6.x, or 12.52 SP1 FCC in FCC Compatibility Mode:
    • FCC issues a credential cookie.
    • Certificate and Forms authentication is disabled.
    • Certificate or Forms authentication is disabled.
  r5.x, r6.x, or 12.52 SP1 FCC - FCC Compatibility Mode Disabled:
    • FCC issues a session cookie.
    • Certificate and Forms authentication works.
    • Certificate or Forms authentication works.

Web Agent Protecting Resources: 4.x QMR 5 or 4.x QMR 6
  4.x QMR 2/3/4 FCC:
    • Agent issues a credential cookie.
    • Certificate and Forms authentication is disabled.
    • Certificate or Forms authentication works.

Web Agent Protecting Resources: r5.x, r6.x, or 12.52 SP1
  4.x QMR 2/3/4 FCC:
    • Agent issues a credential cookie.
    • Certificate and Forms authentication is disabled.
    • Certificate or Forms authentication works.

Note: For more information about SSL Authentication Schemes, see the Policy Server documentation.

Web Agent Protecting Resources: 4.x QMR 5 or 4.x QMR 6
  r5.x, r6.x, or 12.52 SP1 FCC in FCC Compatibility Mode:
    • NTC issues a credential cookie.
  r5.x, r6.x, or 12.52 SP1 FCC - FCC Compatibility Mode Disabled:
    • NTC issues a session cookie.

Web Agent Protecting Resources: r5.x, r6.x, or 12.52 SP1
  r5.x, r6.x, or 12.52 SP1 FCC in FCC Compatibility Mode:
    • NTC issues a credential cookie.
  r5.x, r6.x, or 12.52 SP1 FCC - FCC Compatibility Mode Disabled:
    • NTC issues a session cookie.

Web Agent Protecting Resources: 4.x QMR 5 or 4.x QMR 6
  4.x QMR 2/3/4 NTC:
    • Agent issues a credential cookie.

Web Agent Protecting Resources: r5.x, r6.x, or 12.52 SP1
  4.x QMR 2/3/4 NTC:
    • Agent issues a credential cookie.

Use SCCs in a Mixed Environment

To enable 4.x type Web Agents and r5.x, r6.x, or 12.52 SP1 SCCs to interoperate, do one of the following tasks:

The following table shows how 4.x and r5.x, r6.x, or 12.52 SP1 Agents acting as SCCs operate in a mixed environment:

Web Agent Version: 4.x QMR 5 or 4.x QMR 6
  4.x QMR 2/3/4 SCC:
    • Agent issues an SSL credential cookie.
    • Certificates cannot be collected without redirecting requests, even if the original connection from the browser to the server is over SSL.
    • Create mappings in the AgentName parameter or set AgentNamesAreFQHostNames to Yes.
  r5.x, r6.x, or 12.52 SP1 SCC:
    • SCC issues a session cookie.
    • Certificates cannot be collected without redirecting requests, even if the original connection from the browser to the server is over SSL.

Web Agent Version: r5.x, r6.x, or 12.52 SP1
  4.x QMR 2/3/4 SCC:
    • Agent issues an SSL credential cookie.
    • Certificates can be collected without redirecting requests.
  r5.x, r6.x, or 12.52 SP1 SCC:
    • SCC issues a session cookie.
    • Certificates can be collected without redirecting requests.

Note: For more information about SSL Authentication Schemes, see the Policy Server documentation.