

CA SiteMinder® Components

A CA SiteMinder® environment includes multiple components. Some components are required to secure resources, while others are optional, or only required to implement specific features. These components work with the resources, applications, directories, and databases in your organization to provide secure access to resources in your enterprise network.

All CA SiteMinder® components are supported on a number of operating environments. Your CA SiteMinder® implementation is highly dependent on the environment to which you are deploying it. Your implementation does not have to reflect the following diagram. Rather, the purpose of the following diagram is to illustrate the major components in a CA SiteMinder® environment and their general relationships with each other.

Graphic showing the major components in a SiteMinder environment and their general relationships with each other

Use the previous diagram and the following component descriptions as a resource when considering the architectural questions detailed in this guide.

Policy Server

(Required) A CA SiteMinder® Policy Server (Policy Server) acts as the Policy Decision Point (PDP). The purpose of the Policy Server is to evaluate and enforce access control policies, which it communicates to a CA SiteMinder® Agent. A Policy Server provides the following:

The Policy Server interacts with all other major components to perform these tasks.

CA SiteMinder® Agents

(Required) A CA SiteMinder® Agent can reside on a web server, a J2EE application server, an Enterprise Resource Planning (ERP) system, or a custom application. An Agent acts as the Policy Enforcement Point (PEP), intercepting user requests for resources and communicating with a Policy Server to determine if the resource is protected.

If the resource is not protected, the Agent allows access. If the resource is protected, the Agent continues to communicate with the Policy Server to authenticate and authorize users. A successful authorization prompts the Agent to let the resource request proceed to the server. Agents also:

CA SiteMinder® Web Services Security Agents

(Required for CA SiteMinder® Web Services Security) CA SiteMinder® Web Services Security (WSS) Agents act as Policy Enforcement Points (PEPs) that work with the following platforms:

WSS Agents intercept requests for "big" (SOAP-based) web services. The WSS Agents then communicate with a Policy Server to determine whether the resource is protected.

Note: The CA SiteMinder® Agent for JBoss includes CA SiteMinder® and WSS agent functionality.

If the resource is not protected, the agent allows access. If the resource is protected, the agent continues to communicate with the Policy Server to authenticate and authorize users. A successful authorization prompts the agent to let the resource request proceed to the server.

WSS Agents also perform the following functions:

CA Business Intelligence

(Optional) CA Business Intelligence is a set of reporting and analytic software that various CA products use for the purposes of presenting information and supporting business decisions. CA products use CA Business Intelligence to integrate, analyze, and then present, through various reporting options, information required for effective enterprise IT management.

Included in CA Business Intelligence is SAP BusinessObjects Enterprise, a complete suite of information management, reporting, and query and analysis tools. CA Business Intelligence installs SAP BusinessObjects Enterprise as a stand-alone component. In this guide, this stand-alone component is referred to as the Report Server. Installing the Report Server is a separate step within the overall CA SiteMinder® installation process. Installing the Report Server separately from CA SiteMinder®-specific components lets other CA products share the same Business Intelligence Services.

The Report Server compiles reports to help you analyze your CA SiteMinder® environment. The purpose of this component is to create the following types of reports:

The Report Server communicates with the following components to compile reports:

Data Stores

A CA SiteMinder® implementation contains multiple data stores. Some stores are required, while others are optional, or only required to implement specific features.

The following descriptions detail:

Policy Store

(Required) The CA SiteMinder® policy store (policy store) is an entitlement store that resides in an LDAP directory server or ODBC database. The purpose of this component is to store all policy-related objects, including the:

The Policy Server uses this information, collectively known as an Enterprise Policy Management (EPM) application or CA SiteMinder® policy, to determine if a resource is protected and if an authenticated user is authorized to access the requested resources.

User Store

(Required) A CA SiteMinder® user store connection (user store connection) is a connection to an existing user directory or database in your enterprise network. You are not required to use a proprietary CA SiteMinder® user store. The purpose of the user store connection is to make user data available to the Policy Server, which includes the following:

The Policy Server uses these connections to:

Note: For more information about configuring a user store connection, see the documentation roadmap.

External Administrative User Store

(Optional) By default, the Administrative UI uses the policy store as its source for CA SiteMinder® administrator credentials. This default configuration lets you manage the environment immediately after configuring a policy store and installing the Administrative UI. When you configure a policy store, the default CA SiteMinder® super user account (siteminder) is created. This account has maximum system privileges, and is used to access the Administrative UI for the first time and to create additional CA SiteMinder® administrators.

You can configure the Administrative UI to use an external administrator user store, for example, a corporate directory. An external administrative user store is a connection to an LDAP directory server or ODBC database in your enterprise network. Consider the following:

Note: For more information about CA SiteMinder® administrators and configuring an external administrative user store, see the documentation roadmap.

Key Store

(Required) The purpose of this component is to store the encryption keys that the Policy Servers and the agents use to encrypt sensitive data, which include:

You can collocate the key store with the policy store or you can store encryption keys in a separate directory or database. The need to deploy a separate key store depends on:

Note: If you use the Policy Server Configuration wizard to configure a policy store, the key store is automatically collocated with the policy store.

Certificate Data Store

(Optional) The CA SiteMinder® certificate data store (CDS) makes the following components and functions available to a CA SiteMinder® environment:

Note: CA SiteMinder® federation features use the certificate data store. The user certificates that the X.509 certificate authentication scheme uses for authentication are not stored in the certificate data store. These user certificates are stored in an LDAP/AD user directory or ODBC store.

By default, the certificate data store is automatically configured and collocated with the policy store. As a result:

CA SiteMinder® Audit Database

(Optional) By default, the Policy Server writes audit events to a text file, which is known as the Policy Server log. The purpose of audit logs is to track information about all user activity, including:

However, you can configure a stand-alone CA SiteMinder® audit database (audit database). When deciding where to store audit events, consider that:

Note: For more information about configuring an audit database, see the documentation roadmap.

Session Store

(Optional) When CA SiteMinder® authenticates a user, the Policy Server issues a session ticket. A session ticket contains basic information about the user and authentication information for the user. By default, CA SiteMinder® implements session management through non-persistent sessions. If non-persistent sessions are enabled, an Agent writes the session ticket to a cookie in the user's browser. However, some CA SiteMinder® features require persistent sessions.

If persistent sessions are enabled, an Agent must write the session ticket to a stand-alone database.

You deploy a CA SiteMinder® session store (session store) for the following primary reasons:

Agents use this information to identify users and provide session information to the Policy Server.

Note: For more information about configuring a session store, see the documentation roadmap.

CA SiteMinder® Administrative UI

(Required) The CA SiteMinder® Administrative UI (Administrative UI) is a web-based administration console that is installed independently of the Policy Server. The Administrative UI is intended for managing all tasks that are related to access control, reporting, and policy analysis.