CA SiteMinder® Web Services Security is a policy-based access management system for Service Oriented Architecture (SOA) environments. With CA SiteMinder® Web Services Security, you can protect "big" (XML transaction-processing) web services that are implemented in the following ways:
CA SiteMinder® Web Services Security protects XML resources in much the same way as CA SiteMinder protects HTML resources, allowing entitlement data to be obtained from any layer of the XML message, depending upon the authentication and authorization needs of the back-end applications.
CA SiteMinder® Web Services Security extends SiteMinder® technology, using CA SiteMinder® Web Services Security (WSS) Agents and the Policy Server to protect web service resources hosted on web and application servers.
The following illustration shows a simple CA SiteMinder® Web Services Security environment in which a SiteMinder WSS Agent is deployed into a web or application server that is hosting web services.
More complex architectures can also be configured to support multiple web service implementations where SiteMinder WSS Agents are optionally deployed on web service endpoints to provide an additional layer of security.
Note: This guide describes only how to configure Policy Server infrastructure and policy objects to protect web service resources with CA SiteMinder® Web Services Security. For further information about configuring the Policy Server, see the CA SiteMinder® Policy Server Configuration Guide.
The CA SiteMinder® 12.52 Policy Server provides a centralized, policy-based security management operating environment for securing your web resources. The CA SiteMinder® 12.52 Policy Server integrates with SiteMinder WSS Agents to secure SOAP-based web services and other CA SiteMinder® agent types to secure web applications and other resources. As such, the CA SiteMinder® 12.52 Policy Server can serve as the Policy Decision Point (PDP) in a CA SiteMinder® or CA SiteMinder® Web Services Security environment.
Note: The CA SiteMinder® 12.51 Policy Server was the first to include the CA SiteMinder® Web Services Security extensions that are required to integrate with SiteMinder WSS Agents to secure web services. Previously, only the CA SOA Security Manager Policy Server could integrate with SiteMinder WSS Agents.
The Policy Server provides the following features:
The Policy Server supports a range of authentication methods.
The Policy Server is responsible for managing and enforcing access control rules that are established by the Policy Server administrator. These rules define the operations that are allowed for each protected resource.
The Policy Server is configured using the CA SiteMinder® Administrative UI. The Administration service of the Policy Server allows the Administrative UI to record configuration information in the Policy Store.
The Policy Server generates log files that contain auditing information about the events that occur within the system. These logs can be printed in the form of predefined reports, so that security events or anomalies can be analyzed.
The Policy Server provides features for monitoring activity throughout a CA SiteMinder® Web Services Security deployment.
In a CA SiteMinder® Web Services Security implementation, a web service client sends a web service request in the form of an XML/SOAP message. At the target server, an SiteMinder WSS Agent intercepts that request. The SiteMinder WSS Agent determines whether the resource is protected, and if so, gathers user credentials from the request and passes them to the Policy Server.
The Policy Server authenticates the user against native user directories, then verifies if the authenticated user is authorized for the requested resource using rules and policies that are contained in the policy store. Once a user is authenticated and authorized, the Policy Server grants access to protected resources and delivers permission and entitlement information.
SiteMinder WSS Agents are the Policy Enforcement Points (PEPs) in the CA SiteMinder® Web Services Security environment, responsible for enforcing the policies defined on the Policy Server. Deployed at the end-points (web and application servers), they protect web services deployed in your SOA infrastructure.
SiteMinder WSS Agent for Web Servers
The SiteMinder WSS Agent for Web Servers is an XML-enabled version of the CA SiteMinder Web Agent. The SiteMinder WSS Agent integrates with a supported web server to authenticate and authorize requests for access to "big" web services bound to URLs served by that web server.
The SiteMinder WSS Agent for Web Servers recognizes requests that meet the following criteria as web service requests for CA SiteMinder® Web Services Security to handle:
All other requests are handled using the core Web Agent functionality of the Web Agent, letting you also protect other resources on a web server.
Note: For more information about protecting web resources using CA SiteMinder, see the CA SiteMinder Web Agent Configuration Guide.
SiteMinder WSS Agent for IBM WebSphere
The SiteMinder WSS Agent for IBM WebSphere is a container-native agent for J2EE application servers that can be used to authenticate and authorize request messages sent over HTTP(S) transport to JAX-RPC resources hosted an IBM WebSphere Application Server.
The SiteMinder WSS Agent recognizes requests that meet the following criteria as web service requests for CA SiteMinder® Web Services Security to handle:
Note: For more information about the SiteMinder WSS Agent for IBM WebSphere, see the CA SiteMinder WSS Agent for IBM WebSphere Guide.
SiteMinder WSS Agent for Oracle WebLogic
The SiteMinder WSS Agent for Oracle WebLogic is a container-native agent for J2EE application servers that can be used to authenticate and authorize request messages sent over HTTP(S) or JMS transports to JAX-RPC resources hosted on an Oracle WebLogic Server.
The SiteMinder WSS Agent recognizes requests that meet the following criteria as web service requests for CA SiteMinder® Web Services Security to handle:
Note: For more information about the SiteMinder WSS Agent for Oracle WebLogic, see the CA SiteMinder WSS Agent for Oracle WebLogic Guide.
SiteMinder Agent for JBoss
The SiteMinder Agent for JBoss provides access control for web application and web service resources hosted on the JBoss Application Server, providing the following security interceptors:
When configured into a CA SiteMinder® Web Services Security environment, the SiteMinder WSS Agent Security Interceptor provides a SiteMinder WSS Agent solution that provides CA SiteMinder® Web Services Security access control for JAX-WS and JAX-RPC web service resources.
When configured into a SiteMinder environment, the SiteMinder Agent Security Interceptor provides a SiteMinder Agent solution that provides SiteMinder access control for web application resources (including servlets, HTML pages, JSP, image files) and EJBs.
Note: The SiteMinder Agent for JBoss is sold separately and not included in the CA SiteMinder® installation kit. To obtain SiteMinder Agent for JBoss, contact your CA account representative. For more information about the SiteMinder Agent for JBoss, see the CA SiteMinder Agent for JBoss Guide.
CA SiteMinder® Web Services Security supports content-level, XML-based security for "big" web services. The following illustration illustrates the flow of data in a simple, single web service implementation secured with CA SiteMinder® Web Services Security.
The data in the previous illustration flows as follows:
POST /CreditRating HTTP/1.1 Content-Type: text/xml Content-Length: nnnn SOAPAction:“someURI:CreditRating#GetCreditRating" <SOAP-ENV:Envelope> <!-- request --> </SOAP-ENV:Envelope>
Authentication schemes that require user intervention are generally not appropriate for securing web services. CA SiteMinder® Web Services Security provides four transport-level and message-level authentication schemes that do not require user intervention.
Validates XML messages using credentials gathered from the message itself by mapping fields within the document to fields within a user directory.
Validates XML documents digitally signed with valid X.509 certificates.
Validates XML messages using credentials gathered from WS-Security headers in a message’s SOAP envelope.
CA SiteMinder® Web Services Security can produce and consume WS-Security tokens. This enables you to use the WS-Security authentication scheme to deploy a multiple-web service implementation across federated sites.
Validates XML messages using credentials obtained from CA SiteMinder® Web Services Security synchronized-sessioning SAML assertions (which contain an encrypted combination of a CA SiteMinder session ticket and a CA SiteMinder user’s public key) placed in a message’s HTTP header, SOAP envelope, or a cookie.
CA SiteMinder® Web Services Security can generate and consume SAML Session Ticket assertions. This enables you to use the SAML Session Ticket authentication scheme to deploy a multiple-web service implementation within a single Policy Server domain.
Deciding which authentication scheme or schemes you intend to use to secure your web services is integral to how you design and implement your web services and is best made as part of the broader context of choosing an authentication service model.
|
Copyright © 2013 CA.
All rights reserved.
|
|