

Web Agent Configuration Overview

The two options for configuring a Web Agent are:

Central configuration

Indicates that the Web Agent is configured from the Policy Server. The policy store holds the set of configuration parameters to be used by a group of Web Agents. Parameters are configured using the Administrative UI.

The Agent configuration is specified in an Agent Configuration Object.

Note: Central configuration does not apply to RADIUS, EJB, Servlet, or Custom Agents—those Agents can only perform local configuration.

Local configuration

Indicates that the Web Agent is configured from a local configuration file on each web server where the Agent is installed.

You can store some parameters centrally and others locally.

Note: You can only enable and disable the Web Agent from the local Agent configuration file, not from the Policy Server. This is true whether you are configuring centrally or locally.

More information:

Combined Central and Local Configuration

Web Agent Components

Advantages of Centrally Configuring Web Agents

When you centrally configure Web Agents, the settings are stored in the policy store, not in a local configuration file on a web server.

Compared with local configuration, central configuration provides:

Improved Usability When Using Central Agent Configuration

Added Security with Central Agent Configuration

Web Agent Components

On the Agent-side of a CA SiteMinder® network, there are several main components involved in Web Agent operation:

CA SiteMinder® Web Agent

Virtual interface to a web server; triggers rules and enforces policies.

Trusted Host

A client computer where one or more Web Agents are installed. It handles the connection to the Policy Server. The term trusted host refers to the physical system. You can have more than one trusted host on a physical server, but each must be identified by a unique name.

The trusted host is “trusted,” because it is registered with the Policy Server. You must register a trusted host so the Web Agents installed on that host can communicate with the Policy Server.

A trusted host is identified by the following data:

Web Agent Configuration File (WebAgent.conf or LocalConfig.conf)

Stored on the web server where the Agent resides, this file is used for local configuration. It holds the Agent configuration parameters for each Web Agent. All Web Agents use the WebAgent.conf file; however, the IIS 6.0 Web Agent uses the WebAgent.conf file only for the core settings needed for the Agent to start and connect to a Policy Server. For its configuration settings, the IIS 6.0 Web Agent uses the LocalConfig.conf file. There is a pointer to the LocalConfig.conf file in the IIS 6.0 WebAgent.conf file.

Host Configuration File (SmHost.conf)

Stored on the web server where the Web Agent resides, this file holds initialization parameters for the trusted host. Once the trusted host connects to a Policy Server, the trusted host uses the settings in the Host Configuration Object stored at the Policy Server. The Host Configuration Object is named in the hostconfigobject parameter of this file.
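Because the enable/disable switch and the pointers to the central objects live only in these local files, a host-side check is the way to see what a given Agent will actually use. The following Python is an added example, not CA code or tooling: it reads a WebAgent.conf, follows it to the host configuration file, and reports the local enable state and the configuration objects named. Assumptions: the name="value" line syntax with # comments and the parameter names EnableWebAgent, AgentConfigObject and HostConfigFile are not given on this page (only hostconfigobject is), and the sample file contents are constructed.

```python
import re
import tempfile
from pathlib import Path

# Assumed line syntax: name="value" (quotes optional); '#' starts a comment line.
_ASSIGN = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"?([^"\r\n]*?)"?\s*$')

def parse_conf(text):
    """Return {lowercased parameter name: value} for each active (uncommented) line."""
    params = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _ASSIGN.match(line)
        if m:
            params[m.group(1).lower()] = m.group(2)
    return params

def summarize_agent(webagent_conf):
    """Report where one Web Agent's settings come from, starting at WebAgent.conf."""
    agent = parse_conf(Path(webagent_conf).read_text())
    # HostConfigFile, EnableWebAgent, AgentConfigObject: assumed parameter names.
    host_file = agent.get("hostconfigfile")
    host = {}
    if host_file and Path(host_file).is_file():
        host = parse_conf(Path(host_file).read_text())
    return {
        "enabled_locally": agent.get("enablewebagent", "").upper() == "YES",
        "agent_config_object": agent.get("agentconfigobject"),
        "host_config_file": host_file,
        "host_config_object": host.get("hostconfigobject"),  # named on this page
    }

def demo():
    """Build constructed sample files in a temp directory and summarize them."""
    d = Path(tempfile.mkdtemp())
    smhost = d / "SmHost.conf"
    smhost.write_text('# constructed sample\nhostconfigobject="ExampleHostSettings"\n')
    webagent = d / "WebAgent.conf"
    webagent.write_text(
        '# constructed sample\n'
        'EnableWebAgent="NO"\n'
        'AgentConfigObject="ExampleAgentSettings"\n'
        f'HostConfigFile="{smhost}"\n'
    )
    return summarize_agent(webagent)

if __name__ == "__main__":
    print(demo())
```

An Agent that reports enabled_locally as False is not enforcing policy on that web server, and nothing on the Policy Server side will show it, so this is worth running across every trusted host.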

More information:

Web Agent Configuration Overview

Policy Server Objects Related to Web Agents

On the Policy Server-side there are three policy objects related to Web Agent configuration:

Agent object

Names the Agent, establishing an Agent identity that can be mapped to a specific web server.

Agent Configuration Object

Contains the Web Agent configuration parameters. Use an Agent Configuration Object to centrally manage a group of Web Agents. Though this object is primarily for central Agent configuration, it also contains the parameter that tells the Policy Server to use local configuration. This object applies only to Web Agents.

Host Configuration Object

Contains the trusted host configuration parameters. Except for initialization parameters, trusted host parameters are always maintained in a Host Configuration Object.

Configuration objects are stored in the policy store. Use the Administrative UI to create, modify, and view configuration objects.

More information:

Web Agent Configuration Overview

Resource Protection with a SiteMinder Agent

You associate a configured Agent with a realm, which is a collection of resources that you want to protect. Realms are protected by rules, which get included in an access control policy.