Older versions of the CA SiteMinder® agent objects used a security model that featured a shared secret that is stored on the Policy Server and in the WebAgent.conf file. These agents are named 4.x type agents. You can specify support for 4.x agent functions when creating an agent object in the CA SiteMinder® Administrative UI.
Later versions of CA SiteMinder® use a trusted host object on the Policy Server instead of the shared secret security model.
CA SiteMinder® supports using credential collectors between 4.x type and later agents. This usage of credential collectors is named mixed mode. Additional configuration steps are required for mixed mode deployments.
From CA SiteMinder® r6.x to CA SiteMinder® 12.52, the credential collectors operate differently than the older 4.x type credential collectors do. 4.x type credential collectors placed a cookie in the browser of the user, and then redirected the user back to the original agent.
In the newer CA SiteMinder® versions, the credential collector logs the user in to the Policy Server on behalf of the agent protecting the requested resource. Cookies are not used.
Note: We recommend using credential collectors to log users in directly rather than setting cookies. Using credential collectors to log users in better secures user credentials because these credentials are not being passed around the network in cookies.
A credential collector requires the following information to log a user in:
To learn the Agent name, a credential collector uses the following process:
Each mapping in the AgentName parameter specifies the name and IP address of a host using that collector for its protected resources.
This parameter is disabled by default, so the credential collector uses the value of the DefaultAgentName parameter as the agent name.
Consider the previous implications before configuring credential collectors in a mixed environment.
To process requests, the FCC and NTC rely on the user credentials and the name of the Web Agent that is protecting the requested resource. However, 4.x agents and third-party agents posting to the FCC and NTC do not pass the Agent name on the URL they send.
The following configuration options help FCCs and NTCs to operate with 4.x Web Agents:
Use Compatibility Mode: To enable an r5.x, r6.x, or 12.52 FCC/NTC to serve forms for resources that are protected by 4.x agents or third-party applications, enable the FCCCompatMode parameter. For Traditional Web Agents, the FCCCompatMode parameter is enabled by default. For Framework Agents, the FCCCompatMode parameter is disabled by default.
Enabling this parameter makes an r5.x, r6.x, or 12.52 Agent handle forms and NTLM credential collection like a 4.x Agent. This setting means that a form or NTLM credential cookie is written to the browser of the user, and the user is redirected back to the Agent before logging in. This configuration permits the agents to interoperate.
When the value of the FCCCompatMode parameter is set to no, compatibility with 4.x Agents is disabled. In a 12.52 environment, set the value of the parameter to no.
Important! Setting this parameter to no removes support for version 4.x of the Netscape browser.
Example mappings:
myagent, 123.1.12.1
myagent, www.sitea.com
url?A=1&Target=http://www.nete.com/index.html
The www.nete.com portion of the Target string serves as the Agent name.
By default, this parameter is set to no. Consequently, the value of the DefaultAgentName parameter is used as the Agent name.
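The agent-name resolution described in this section, as an added Python example that is not CA code. It assumes the host in the Target URL is checked against the AgentName mappings first, then used directly when the target-as-agent-name option is enabled (modeled by the hypothetical `target_as_agent_name` flag), and that DefaultAgentName applies otherwise. The function names and the `defaultagent` value are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Mappings copied from the page's example; "defaultagent" is a constructed value.
AGENT_NAME_MAPPINGS = ["myagent, 123.1.12.1", "myagent, www.sitea.com"]
DEFAULT_AGENT_NAME = "defaultagent"


def parse_mappings(lines):
    """Turn 'name, host' lines into a {host: agent_name} lookup table."""
    table = {}
    for line in lines:
        name, host = (part.strip() for part in line.split(",", 1))
        table[host.lower()] = name
    return table


def target_host(request_url):
    """Return the host portion of the Target query parameter, or None."""
    query = parse_qs(urlsplit(request_url).query)
    targets = query.get("Target")
    if not targets:
        return None
    # .hostname lowercases the host and drops any port; it is None for
    # relative targets such as "/index.html".
    return urlsplit(targets[0]).hostname


def resolve_agent_name(request_url, mappings, default_agent_name,
                       target_as_agent_name=False):
    """Assumed order: AgentName mapping, then Target host, then default."""
    host = target_host(request_url)
    table = parse_mappings(mappings)
    if host and host in table:
        return table[host]
    if host and target_as_agent_name:
        return host
    return default_agent_name


if __name__ == "__main__":
    url = "url?A=1&Target=http://www.nete.com/index.html"
    print(resolve_agent_name(url, AGENT_NAME_MAPPINGS, DEFAULT_AGENT_NAME))
    print(resolve_agent_name(url, AGENT_NAME_MAPPINGS, DEFAULT_AGENT_NAME, True))
```

Because the Target value arrives in the request URL, only its parsed hostname is used, and a missing or relative Target falls through to the default.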
The following tables list guidelines for configuring r5.x, r6.x, or 12.52 and 4.x FCCs and NTCs, and describe how each behaves in a mixed environment:
Notes:
Web Agent Protecting Resources | r5.x, r6.x, or 12.52 FCC in FCC Compatibility Mode | r5.x, r6.x, or 12.52 FCC - FCC Compatibility Mode Disabled |
---|---|---|
r5.x, r6.x, or 12.52 | | |
Web Agent Protecting Resources |
4.x QMR 2/3/4 FCC |
|
4.x QMR 5 or 4.x QMR 6 |
|
|
r5.x, r6.x, or 12.52 |
|
Note: For more information about SSL Authentication Schemes, see the Policy Server documentation.
Web Agent Protecting Resources | r5.x, r6.x, or 12.52 FCC in FCC Compatibility Mode | r5.x, r6.x, or 12.52 FCC - FCC Compatibility Mode Disabled |
---|---|---|
4.x QMR 5 or 4.x QMR 6 | | |
r5.x, r6.x, or 12.52 | | |
Web Agent Protecting Resources | 4.x QMR 2/3/4 NTC |
---|---|
4.x QMR 5, 4.x QMR 6 | |
r5.x, r6.x, or 12.52 | |
To enable 4.x type Web Agents and r5.x, r6.x, or 12.52 SCCs to interoperate, do one of the following tasks:
For example, if the URL string is:
url?A=1&Target=http://www.nete.com/index.html
The www.nete.com portion of the Target string serves as the Agent name.
By default, this parameter is set to no. Consequently, the value of the DefaultAgentName parameter is used as the Agent name.
The following table shows how 4.x and r5.x, r6.x, or 12.52 Agents acting as SCCs operate in a mixed environment:
Web Agent Version | 4.x QMR 2/3/4 SCC | r5.x, r6.x, or 12.52 SCC |
---|---|---|
4.x QMR 5 or | | |
r5.x, r6.x, or 12.52 | | |
Note: For more information about SSL Authentication Schemes, see the Policy Server documentation.
Copyright © 2013 CA.
All rights reserved.