

SmPortal and SmTransact Introduced

A typical installation of SiteMinder places the Web Servers in the DMZ and the SiteMinder Policy Server inside the firewalls. They communicate with each other using secure, encrypted communications through any intervening firewalls.

Several services supplied by CA Professional Services should be run behind the firewall, such as Advanced Password Services (APS) and Distributed Directory Administration (DDA). These services require access to the underlying user directory, usually LDAP, which should not be exposed within the DMZ for security reasons.

The architecture to accomplish this securely, easily, and with minimal configuration, is implemented by the SmPortal/SmTransact tunnel.

The SiteMinder Agent API toolkit includes a service-processing tunnel called SmTransact. SmTransact allows an arbitrary block of data (limited to 32k in size) to be passed through the firewall to the Policy Server. The Policy Server then passes the data to a library called SmTransact. SmTransact can then pass back up to 32k of response data.

The problem with this system is that it can only process a single service. It is up to the caller(s) to identify the processing that is to occur on the back-end and to write an SmTransact library that can dispatch the service request to the correct application code.

The SmPortal/SmTransact libraries solve this problem. This is a layer, consisting of the SmPortal library on the client and SmTransact on the Policy Server, which allows multiple services to run through the Agent API tunnel. It also provides the following additional capabilities:

These features are primarily of concern to developers.
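To make the dispatch problem concrete, here is an added example (not CA's code and not the real SmPortal/SmTransact API) that models the layer the previous paragraphs describe: a single opaque request/response tunnel with the stated 32k limit in each direction, plus a dispatcher behind the firewall that routes each block to one of several registered services. The wire format (service name, NUL, payload), the service names, and the sample directory are all hypothetical; the point is that the DMZ side only ever sends an opaque block, the directory lookup stays on the Policy Server side, and unknown services or oversized blocks are rejected rather than truncated.

```python
# Added example, not CA's code: a model of a multi-service dispatch layer over a
# single opaque tunnel. Wire format, service names and handlers are hypothetical.

MAX_BLOCK = 32 * 1024  # the page's stated 32k limit for request and response


def pack_request(service: str, payload: bytes) -> bytes:
    """DMZ side: prefix the service name so one tunnel can carry many services."""
    if not service or "\0" in service:
        raise ValueError("service name must be non-empty and NUL-free")
    block = service.encode("ascii") + b"\0" + payload
    if len(block) > MAX_BLOCK:
        raise ValueError("request block exceeds the 32k tunnel limit")
    return block


def unpack_request(block: bytes):
    """Policy Server side: split the opaque block back into (service, payload)."""
    name, sep, payload = block.partition(b"\0")
    if not sep:
        raise ValueError("malformed request: no service separator")
    return name.decode("ascii"), payload


def _response(status: bytes, data: bytes) -> bytes:
    return status + b"\0" + data


class ServiceDispatcher:
    """Routes each incoming block to the handler registered for its service name."""

    def __init__(self):
        self._services = {}

    def register(self, name: str, handler):
        self._services[name] = handler

    def handle(self, block: bytes) -> bytes:
        if len(block) > MAX_BLOCK:
            return _response(b"ERR", b"request block exceeds 32k")
        try:
            name, payload = unpack_request(block)
        except ValueError as exc:
            return _response(b"ERR", str(exc).encode())
        handler = self._services.get(name)
        if handler is None:
            return _response(b"ERR", b"unknown service: " + name.encode())
        try:
            data = handler(payload)
        except Exception as exc:
            # Do not leak directory contents or internals across the tunnel.
            return _response(b"ERR", b"service failure: " + type(exc).__name__.encode())
        out = _response(b"OK", data)
        if len(out) > MAX_BLOCK:
            return _response(b"ERR", b"response exceeds 32k; refusing to truncate")
        return out


# Constructed sample directory standing in for the LDAP store behind the firewall.
SAMPLE_DIRECTORY = {b"alice": b"engineering", b"bob": b"finance"}


def echo_service(payload: bytes) -> bytes:
    return payload


def department_lookup(payload: bytes) -> bytes:
    dept = SAMPLE_DIRECTORY.get(payload)
    if dept is None:
        raise KeyError(payload)
    return dept


def build_dispatcher() -> ServiceDispatcher:
    d = ServiceDispatcher()
    d.register("echo", echo_service)
    d.register("dept", department_lookup)
    return d


def round_trip(dispatcher: ServiceDispatcher, service: str, payload: bytes) -> bytes:
    """Client-side call: pack, pass through the (simulated) tunnel, return the response."""
    return dispatcher.handle(pack_request(service, payload))


if __name__ == "__main__":
    d = build_dispatcher()
    print(round_trip(d, "dept", b"alice"))
    print(round_trip(d, "nosuch", b""))
```

Adding a new service is a single `register` call on the Policy Server side; nothing on the DMZ side or on the firewall changes, which is the property the page attributes to the SmPortal/SmTransact layer.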

About Firewalls

This kit uses the same libraries that SiteMinder uses to communicate between its agents and the Policy Servers. The same ports are used for this communication and the same encryption methods are used.

If a SiteMinder Web Agent can already communicate through the firewall, then because SmPortal uses the same ports and the same encryption, no additional firewall configuration should be required.