This section contains the following topics:
Identify the Web Services to Secure
Identify Authentication Methods
Identify Who Will Manage Your SiteMinder WSS Agents
Determine if Advanced Encryption Standards are Required
Determine if Virtualization is to be Used
Determine how to Manage Policy Servers
Determine how to Manage SiteMinder WSS Agents
CA SiteMinder® Web Services Security access management models let you define access permissions for applications and their respective user populations. An access management model establishes the following:
Almost all CA SiteMinder® Web Services Security functionality is available, regardless of which model you use. The primary difference between the models is the level of CA SiteMinder® knowledge required to configure each. The following Administrative UI objects represent the policy management models:
Note: The following CA SiteMinder® core objects are required to configure an application object or CA SiteMinder® domain policy:
For more information about these objects, see the Policy Server Configuration Guide.
The recommended method for creating and managing new security policies for your CA SiteMinder® Web Services Security environment is to define application objects that represent one or more related web services and then generate the component and resource settings that define what to protect from associated WSDL files.
Note: Application objects do not support policy expressions using variable objects. Content-based authorization using variables must be implemented using policy domains and policies.
For Policy Server administrators already comfortable with CA SOA Security Manager or CA SiteMinder®, policy management using policy domains and domain objects (realms, rules, responses, policies, and so on) — can still be used to perform manual configuration of security policies for web service resources.
Domains and domain objects must also be used in the following situations:
Which web services are you planning to secure? How do they map to the CA SiteMinder® Web Services Security policy management methods?
Begin thinking about the individual web services in your organization and the sets of operations within each web service that require the same level of protection. We recommend identifying the following:
Note: Identifying the web services that require protection also aids in capacity planning.
CA SiteMinder® Web Services Security can authenticate and authorize users through one or more connections to existing user stores in your enterprise network. After you identify the web services to secure, consider the following questions:
Identifying the stores each web service uses helps you to:
Note: For more information about configuring user store connections within a domain, see the Policy Server Configuration Guide.
Note: For more information about directory mapping, see the Policy Server Configuration Guide.
When gathering information about each web service, use a table similar to the following to organize information:
User Store Name |
User Store Type |
Authentication? |
Authorization? |
---|---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
CA SiteMinder® Web Services Security supports four authentication methods to meet the varying levels and types of protection your resources require:
Validates XML messages using credentials gathered from the message itself by mapping fields within the document to fields within a user directory.
Validates XML documents digitally signed with valid X.509 certificates.
Validates XML messages using credentials gathered from WS‑Security headers in the SOAP envelope of an incoming message.
CA SiteMinder® Web Services Security can produce and consume WS‑Security tokens, enabling you to use the WS‑Security authentication scheme to deploy a multiple-web service implementation across federated sites.
Validates XML messages using credentials obtained from CA SiteMinder® Web Services Security synchronized-sessioning SAML assertions (which contain an encrypted combination of a CA SiteMinder session ticket and a CA SiteMinder user public key) placed in the message HTTP header, SOAP envelope, or cookie.
CA SiteMinder® Web Services Security can generate and consume SAML Session Ticket assertions. This enables you to use the SAML Session Ticket authentication scheme to deploy a multiple-web service implementation within a single Policy Server domain.
After you identify the web services to secure, in which we recommend identifying web service operations that share the same security requirements, consider the following questions:
Answering these types of questions helps you to
Note: For more information about configuring authentication schemes, see the Policy Server Configuration Guide.
SiteMinder WSS Agents connect to a Policy Server upon startup. The Policy Server contains an Agent Configuration Object (ACO), which directs the associated SiteMinder WSS Agent to the location of its configuration parameters.
How your web services are deployed throughout your organization can help you determine the most efficient method of storing the configuration parameters for your SiteMinder WSS Agents. Consider the following questions:
CA SiteMinder® Web Services Security offers the following configuration methods:
If you answered yes to questions one or two in the previous list, try central configuration in which one or more SiteMinder WSS Agents are managed from an Agent Configuration Object (ACO) that resides in the Policy Server. With central configuration, you can update the parameter settings of several SiteMinder WSS Agents at once. Generally, each distinct web service uses a separate ACO, whose settings are shared among all the SiteMinder WSS Agents that protect the web service. For example, if you have five SiteMinder WSS Agents protecting one accounting web service, you can create one ACO with the settings for the web service. All five SiteMinder WSS Agents would use the parameter settings from the same ACO.
For different applications, we recommend using separate Agent Configuration Objects. For example, if you want to protect a human resources web service with stricter security requirements, create a separate ACO for the human resources web service.
When a SiteMinder WSS Agent starts, it reads the value of the AllowLocalConfig parameter of its associated ACO. If the value is set to no, then the SiteMinder WSS Agent uses the parameter settings from the ACO.
Note: We recommend using central agent configuration (wherever possible) because it simplifies agent configuration and maintenance.
If you answered yes to questions three or four in the previous list, try local configuration in which each SiteMinder WSS Agent is managed individually using a file installed on the server itself. When a SiteMinder WSS Agent starts, it reads the value of the AllowLocalConfig parameter of its associated Agent Configuration Object (ACO). If the value is set to yes, then the SiteMinder WSS Agent uses the parameter settings from LocalConfig.conf file on the application or web server. The parameter settings from the LocalConfig.conf file override any settings stored in an ACO on the Policy Server.If you answered yes to questions three or four in the previous list, try the following configuration method:
Note: For more information about the location of the LocalConfig.conf file on your application or web server, see the corresponding SiteMinder WSS Agent Guide.
You can also use a combination of central and local configuration to meet your needs. For example, you can manage three similar web servers with central configuration, while managing the other two servers with local configuration.
The following questions can help you identify other situations where local agent configuration better serves the needs of your enterprise:
For example, you want to protect your internal resources with a large group of SiteMinder WSS Agents, while implementing XML gateways in a few locations. You can use local configuration to manage the custom SiteMinder WSS Agents on XML gateways.
For example, your organization uses CA SiteMinder® to manage and enforce security policies, but allows application and web server administrators in remote offices to customize their log on and log off pages. You can add individual parameters to the value of the AllowLocalConfig parameter of the ACO to allow the administrators to change only those settings for the customized pages but no others.
Multiple factors, which are discussed later, can influence how you decide to implement CA SiteMinder® components across multiple data centers. Identifying the data centers and the purpose each is to serve in your CA SiteMinder® environment prepares you to make informed decisions when determining how to implement CA SiteMinder® components. Consider the following questions:
When gathering information about each data center, use a resource table similar to the following to organize your results:
Data Center Name |
Location |
Purpose |
---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
Does your organization require the use of Federal Information Processing Standard (FIPS) 140–2 compliant algorithms?
The CA SiteMinder® implementation of the Advanced Encryption Standard (AES) supports the FIPS 140–2 standard. FIPS is a US government computer security standard used to accredit cryptographic modules that meet the AES.
The Policy Server uses certified FIPS 140–2 compliant cryptographic libraries. These cryptographic libraries provide a FIPS mode of operation when a CA SiteMinder® environment only uses AES–compliant algorithms to encrypt sensitive data. A CA SiteMinder® environment can operate in one of the following FIPS modes of operation.
Note: For more information about the cryptographic libraries CA SiteMinder® uses and the AES algorithms used to encrypt sensitive data in FIPS–only mode, see the Policy Server Administration Guide. For more information about the FIPS modes of operation and which to use when installing the Policy Server, see the Policy Server Installation Guide.
If you are implementing AES encryption through FIPS-only mode, consider the following:
Note: For more information about your vendors ability to support the FIPS 140–2 standard, see the vendor-specific documentation.
Important! An environment that is running in FIPS–only mode cannot operate with and is not backward compatible to earlier versions of CA SiteMinder®. This requirement includes all agents, custom software using older versions of the CA SiteMinder® Web Services Security SDK. Re–link all such software with the 12.52 versions of the SDK to achieve the required support for FIPS–only mode.
Will CA SiteMinder® be implemented to a virtual environment?
Consider the following before implementing CA SiteMinder® to a virtual environment:
Note: For more information about performance tuning the virtual environment, see the vendor–specific documentation.
Should individual business units be responsible for managing Policy Servers? Or can a single business unit manage all Policy Servers centrally?
If individual business units manage Policy Servers and policy stores locally, consider that local Policy Server management:
If a single business unit is to manage Policy Servers centrally, consider that central Policy Server management:
Note: As illustrated, individual business units can continue to manage the CA SiteMinder® Agents protecting their applications.
If you have several SiteMinder WSS Agents which will be configured identically, then using an Agent Configuration object on the Policy Server will make managing those Agents easier. A single Agent configuration object can be shared among an unlimited number of SiteMinder WSS Agents. Configuration changes made on the Policy Server are automatically applied to any SiteMinder WSS Agents which use the configuration object.
Note: For more detailed information about how to configure Agent-related objects, see the CA SiteMinder® Web Services Security Policy Configuration Guide and the SiteMinder WSS Agent Guide for your SiteMinder WSS Agent type.
Copyright © 2013 CA.
All rights reserved.
|
|