Policy Server Configuration and Management Interfaces
CA SiteMinder® consists of two core components:
The Policy Server provides policy management, authentication, authorization, and accounting.
Integrated with a standard Web server or application server, CA SiteMinder® Agents enable CA SiteMinder® to manage access to Web applications and content according to predefined security policies. Other types of CA SiteMinder® Agents allow CA SiteMinder® to control access to non-Web entities. For example, a CA SiteMinder® RADIUS Agent manages access to RADIUS devices, while a CA SiteMinder® Affiliate Agent manages information passed to an affiliate’s Web site from a portal site.
The Policy Server typically runs on a separate Windows or Solaris system to perform CA SiteMinder®’s key security operations. The Policy Server provides the following:
The Policy Server supports a range of authentication methods. It can authenticate users based on user names and passwords, via tokens, using forms based authentication, and through public-key certificates.
The Policy Server is responsible for managing and enforcing access control rules established by the Policy Server administrator. These rules define the operations that are allowed for each protected resource.
The Policy Server is configured using the CA SiteMinder® Administrative UI. The Administration service of the Policy Server allows the Administrative UI to record configuration information in the Policy Store.
The Policy Server generates log files that contain auditing information about the events that occur within the system. These logs can be printed in the form of predefined reports, so that security events or anomalies can be analyzed.
The Policy Server provides features for monitoring activity throughout a CA SiteMinder® deployment.
The following figure illustrates a simple CA SiteMinder® environment.
In a Web implementation, a user requests a resource through a browser. That request is received by the Web Server and intercepted by the CA SiteMinder® Web Agent. The Web Agent determines whether or not the resource is protected, and if so, gathers the user’s credentials and passes them to the Policy Server. The Policy Server authenticates the user against native user directories, then verifies if the authenticated user is authorized for the requested resource based on rules and policies contained in the Policy Store. Once a user is authenticated and authorized, the Policy Server grants access to protected resources and delivers privilege and entitlement information.
Note: Other types of Agents can be created using the Agent API.
The majority of Policy Server configuration tasks are performed by manipulating Policy Server objects using the Administrative UI, as described in the remainder of this guide. However, there are some Policy Server management tasks that you perform using the Policy Server Management Console.
The management tasks that you perform using the Policy Server Management Console include the following:
Note: For more information on the Policy Server Management Console, see the Policy Server Administration Guide.
The Policy Server uses the following three main categories of objects:
You use infrastructure objects throughout a CA SiteMinder® deployment. Infrastructure objects include connections to existing user directories, administrators, Agents, authentication schemes, registration schemes, and password policies.
Infrastructure objects include:
An Agent is installed on web servers, application servers, or other network entities to secure access to resources. Once an Agent is installed on a server, configure a CA SiteMinder® object for the Agent in the Administrative UI.
An Agent group is a Policy Server object that points to a group of Agents. The Agents in the group can be installed on different servers, but all of the Agents protect the same resources. Typically Agent groups are configured in CA SiteMinder® for groups of servers that distribute the workload for access to a common set of resources.
An Agent Configuration Object holds configuration parameters for one or more Web Agents.
A Host Configuration Object holds configuration parameters for the Trusted Host.
A user directory in CA SiteMinder® is an object that contains details for connecting to an existing user directory that is external to CA SiteMinder®. User directory connections let you configure a connection to an existing user directory, instead of replicating user information within CA SiteMinder®.
A policy domain is a logical grouping of one or more user directories, administrators, and realms. This Policy Server object is the basis for entitlement data. By creating a policy domain, an administrator creates a container for the entitlements that surround a particular group of resources (a realm), the users who can access those resources, and the administrator who sets up the entitlements.
Affiliate domains are only for legacy federation. An affiliate domain is a logical grouping of SAML affiliates that is associated with one or more user directories and administrators.
Note: For more information about affiliate domains, see the CA SiteMinder® Federation Legacy Federation Guide.
An administrator is an object that contains profile information for a CA SiteMinder® administrator account. Everyone who logs in to CA SiteMinder® is considered an administrator. The privileges and activities of an administrator account vary by administrative role.
An authentication scheme is a Policy Server object that determines the credentials that a user requires to access a protected resource. Authentication schemes are assigned to realms or Applications. When a user tries to access a resource in a realm or Application, the assigned authentication scheme determines the credentials that a user must supply to access the resource.
A registration scheme is a Policy Server object that allows users to register themselves for access to a group of resources on a network and administrators to manage registered users. Registration schemes simplify the task of managing a large user database.
An Agent Type is a Policy Server object that defines the actions and response attributes that a type of Agent supports, for example, Web, Affiliate, RADIUS, or custom Agents.
A SQL Query Scheme is an object that stores CA SiteMinder® SQL queries. These queries are used to retrieve information, such as a list of user groups, from relational databases that are used as CA SiteMinder® user directories.
Password policies are Policy Server objects that contain rules for passwords, including expiration dates, constraints, and composition requirements.
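As an added illustration of what a password policy object carries (not CA code, and the thresholds are constructed for the example), the following models the three kinds of rule the text names: composition requirements, a constraint (the password must not contain the user name), and an expiration interval.

```python
"""Constructed model of a password policy: composition, constraints, expiration.
Added example, not CA SiteMinder code; all thresholds are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List
import re


@dataclass
class PasswordPolicy:
    min_length: int = 12          # composition: minimum length
    require_classes: int = 3      # composition: of lower, upper, digit, symbol
    max_age_days: int = 90        # expiration interval in days
    forbid_user_name: bool = True  # constraint: user name must not appear

    def composition_errors(self, password: str, user: str) -> List[str]:
        """Return every policy violation so the user sees them all at once."""
        errors = []
        if len(password) < self.min_length:
            errors.append(f"shorter than {self.min_length} characters")
        patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
        classes = sum(bool(re.search(p, password)) for p in patterns)
        if classes < self.require_classes:
            errors.append(f"uses {classes} of the {self.require_classes} "
                          "required character classes")
        if self.forbid_user_name and user.lower() in password.lower():
            errors.append("contains the user name")
        return errors

    def is_expired(self, last_changed: datetime, now: datetime) -> bool:
        """True when the password is older than the policy's maximum age."""
        return now - last_changed > timedelta(days=self.max_age_days)


if __name__ == "__main__":
    policy = PasswordPolicy()
    print(policy.composition_errors("alicealice", "alice"))
    print(policy.is_expired(datetime(2013, 1, 1), datetime(2013, 6, 1)))
```

Returning the full list of violations rather than stopping at the first one is a deliberate choice: a user who is told only about length will resubmit and fail again on character classes.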
SAML affiliations are only for legacy federation. A SAML affiliation is a group of SAML 2.0 entities that share a name identifier for a single principal.
Note: For more information about SAML affiliations, see the CA SiteMinder® Federation Legacy Federation Guide.
A Trusted Host object represents the client component that connects to the Policy Server.
You use policy objects to define security policies for resources.
Policy objects include the following:
An application is a Policy Server object that defines a complete security policy for one or more related web services. Applications associate users or roles with entitlements (rules) to determine what user accounts can access what web service application resources.
Application objects provide a simplified enterprise policy management model that does not require an in-depth knowledge of CA SiteMinder®-specific concepts and object types.
A policy domain is a group of objects that deal with a specific domain of resources. For example, an organization may divide its web application resources by business unit, creating a policy domain for marketing, a separate policy domain for engineering, and so on. Domain objects are those objects that pertain to a specific policy domain. These objects include rules and policies for controlling access to resources.
Policy domain objects are the basis of the traditional CA SiteMinder® policy model. A policy domain is also the container for the following domain objects, which define the security policy for the resources within the domain:
A realm is a Policy Server object that identifies a group of resources. Realms typically define a directory or folder and possibly its subdirectories.
A rule is a Policy Server object that identifies a resource and the actions that will be allowed or denied for the resource. Rules can also include actions associated with specific events, such as what to do if a user fails to authenticate correctly when asked for their credentials.
A rule group is a Policy Server object that contains multiple rules. Rule groups are used to tie together different rules that will be used in a single policy.
A response is a Policy Server object that determines a reaction to a rule. Responses are included in policies, and take place when a rule is triggered.
A response group is a Policy Server object that contains a logical grouping of responses. Response groups are most often used when many responses will be included in a policy.
A policy is a Policy Server object that binds users, rules, responses, and optionally, time restrictions and IP address restrictions together. Policies establish entitlements for a CA SiteMinder® protected entity. When a user attempts to access a resource, the policy is what CA SiteMinder® ultimately uses to resolve the request.
A variable is an object that can be resolved to a value which you can incorporate into the authorization phase of a request. The value of a variable object is the result of dynamic data and is evaluated at runtime.
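The request flow described earlier (the Agent decides whether a resource is protected, collects credentials, the Policy Server authenticates against a user directory and then authorizes from the Policy Store) and the domain objects just defined can be seen working together in the following added example. It is a constructed model written for this page, not CA SiteMinder code: the realm, rule, response and policy classes, the in-memory user directory, the account names, paths, IP ranges and hours are all assumptions. One modelling choice is also an assumption: when both an allow rule and a deny rule match, the deny rule wins.

```python
"""Constructed model of SiteMinder-style domain objects and the request flow.
Added example, not CA code. Realm/rule/response/policy shapes are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple
import hashlib
import hmac
import os


# --- Infrastructure object: an in-memory user directory (constructed) -------
def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_directory(accounts: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """user -> (salt, derived key); stands in for an external directory."""
    return {u: (s, _derive(p, s)) for u, p in accounts.items()
            for s in [os.urandom(16)]}


def authenticate(directory, user: str, password: str) -> bool:
    """Basic (user name and password) authentication scheme."""
    entry = directory.get(user)
    if entry is None:
        return False
    salt, expected = entry
    return hmac.compare_digest(_derive(password, salt), expected)


# --- Domain objects ----------------------------------------------------------
@dataclass
class Realm:
    name: str
    resource_filter: str      # directory prefix the realm covers, e.g. "/hr/"
    protected: bool = True


@dataclass
class Rule:
    name: str
    realm: Realm
    resource: str             # path under the realm; "*" matches everything
    actions: Set[str]         # e.g. {"GET", "POST"}
    allow: bool = True        # allow-access or deny-access rule


@dataclass
class Response:
    name: str
    attributes: Dict[str, str]  # delivered to the Agent when the rule fires


@dataclass
class Policy:
    name: str
    users: Set[str]
    rules: List[Rule]
    responses: List[Response]
    ip_ranges: list = field(default_factory=list)   # empty = no IP restriction
    hours: Optional[Tuple[int, int]] = None          # (start, end), 24h clock


def find_realm(realms: List[Realm], path: str) -> Optional[Realm]:
    """Longest matching resource filter wins, as with nested directories."""
    hits = [r for r in realms if path.startswith(r.resource_filter)]
    return max(hits, key=lambda r: len(r.resource_filter)) if hits else None


def rule_matches(rule: Rule, path: str, action: str) -> bool:
    if action not in rule.actions or not path.startswith(rule.realm.resource_filter):
        return False
    remainder = path[len(rule.realm.resource_filter):]
    return rule.resource == "*" or remainder == rule.resource


def policy_applies(policy: Policy, user: str, client_ip: str, now: datetime) -> bool:
    if user not in policy.users:
        return False
    if policy.ip_ranges and not any(ip_address(client_ip) in n for n in policy.ip_ranges):
        return False
    return policy.hours is None or policy.hours[0] <= now.hour < policy.hours[1]


def authorize(policies, user, path, action, client_ip, now) -> Tuple[bool, Dict[str, str]]:
    """A matching deny rule wins over any allow rule (assumption for this model)."""
    allowed, attributes = False, {}
    for policy in policies:
        if not policy_applies(policy, user, client_ip, now):
            continue
        for rule in policy.rules:
            if not rule_matches(rule, path, action):
                continue
            if not rule.allow:
                return False, {}
            allowed = True
            for response in policy.responses:   # responses fire with the rule
                attributes.update(response.attributes)
    return allowed, attributes


def handle_request(realms, directory, policies, path, action, client_ip,
                   user=None, password=None, now=None) -> Dict[str, object]:
    """Agent side: protected? Policy Server side: authenticate, then authorize."""
    now = now or datetime.now()
    realm = find_realm(realms, path)
    if realm is None or not realm.protected:
        return {"status": "allowed", "reason": "unprotected", "attributes": {}}
    if user is None or not authenticate(directory, user, password or ""):
        return {"status": "denied", "reason": "authentication failed", "attributes": {}}
    ok, attrs = authorize(policies, user, path, action, client_ip, now)
    return {"status": "allowed" if ok else "denied", "reason": "policy", "attributes": attrs}


# --- A constructed deployment ------------------------------------------------
HR = Realm("hr", "/hr/")
REALMS = [Realm("public", "/public/", protected=False), HR]
DIRECTORY = make_directory({"alice": "correct horse", "bob": "battery staple"})
POLICIES = [
    Policy("hr-staff", {"alice"}, [Rule("hr-read", HR, "*", {"GET"})],
           [Response("hr-headers", {"SM_ROLE": "hr"})],
           ip_ranges=[ip_network("10.0.0.0/8")], hours=(9, 17)),
    Policy("no-bulk-export", {"alice", "bob"},
           [Rule("hr-no-export", HR, "export.csv", {"GET"}, allow=False)], []),
]
```

The order of checks mirrors the text: an unprotected realm never triggers credential collection, a failed authentication never reaches policy evaluation, and response attributes (the "privilege and entitlement information" delivered to the Agent) are only produced by policies whose rule actually fired.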
In addition to configuring policies for specific resources in a domain, you can also configure global policy objects that apply to all resources.
Global objects include:
A global rule is a Policy Server object that specifies a filter used to apply a global policy to a large group of resources.
A global response is a Policy Server object that determines a reaction to a global rule. Global responses are included in global policies, and take place when a global rule is triggered.
A global policy is a Policy Server object that binds users, global rules, global responses, and optionally, time restrictions and IP address restrictions together. When a user attempts to access a resource, the global policy is what CA SiteMinder® ultimately uses to resolve the request.
CA SiteMinder® provides two policy management methods for securing your resources:
Application objects provide an intuitive method of defining a complete security policy for a web application (or website). Application objects associate resources with user roles to specify entitlement policies that determine what users can access what resources.
For Policy Server administrators already comfortable with earlier releases of CA SiteMinder®, traditional policy management — using policy domains and domain objects (realms, rules, responses, policies, and so on) — can still be used to configure security policies for your resources.
Traditional policy management must also be used to modify policies created traditionally and migrated from a previous CA SiteMinder® deployment.
Copyright © 2013 CA.
All rights reserved.