Using Credential Collectors Between 4.x Type and Newer Type Agents

Web Agent Guides › Web Agent Configuration Guide › Forms Authentication › Using Credential Collectors Between 4.x Type and Newer Type Agents

Using Credential Collectors Between 4.x Type and Newer Type Agents

Older versions of the CA SiteMinder® agent objects used a security model that featured a shared secret that is stored on the Policy Server and in the WebAgent.conf file. These agents are named 4.x type agents. You can specify support for 4.x agent functions when creating an agent object in the CA SiteMinder® Administrative UI.

Later versions of CA SiteMinder® use a trusted host object on the Policy Sever instead of the shared secret security model.

CA SiteMinder® supports using credential collectors between 4.x type and later agents. This usage of credential collectors is named mixed mode. Additional configuration steps are required for mixed mode deployments.

Configure Credential Collectors in a Mixed Environment

From CA SiteMinder® r6.x to CA SiteMinder® 12.52, the credential collectors operate differently than the older 4.x type credential collectors do. 4.x type credential collectors placed a cookie in the browser of the user, and then redirected the user back to the original agent.

In the newer CA SiteMinder® versions, the credential collector logs the user in to the Policy Server on behalf of the agent protecting the requested resource. Cookies are not used.

Note: We recommend using credential collectors to log users in directly rather than setting cookies. Using credential collectors to log users in better secures user credentials because these credentials are not being passed around the network in cookies.

A credential collector requires the following information to log a user in:

The name of the agent protecting the requested resource.
The credentials that are supplied by the user.

To learn the Agent name, a credential collector uses the following process:

Use the SMAGENTNAME query parameter that the original Agent adds to the query string of the URL as it redirects to the credential collector.
If no Agent name is appended to the URL, use the mappings defined in the AgentName configuration parameter that is associated with the credential collector.
Each mapping in the AgentName parameter specifies the name and IP address of a host using that collector for its protected resources.
If no Agent name mappings are configured, use the fully qualified host name of the target URL as the Agent name. This behavior is determined by enabling the AgentNamesAreFQHostNames configuration parameter.
This parameter is disabled by default, so the credential collector uses the value of the DefaultAgentName parameter as the agent name.

Consider the previous implications before configuring credential collectors in a mixed environment.

Use FCCs and NTCs in a Mixed Environment

To process requests, the FCC and NTC rely on the user credentials and the name of the Web Agent that is protecting the requested resource. However, 4.x agents and third-party agents posting to the FCC and NTC do not pass the Agent name on the URL they send.

The following configuration options help FCCs and NTCs to operate with 4.x Web Agents:

Use Compatibility Mode—to enable a r5.x, r6.x, or 12.52 FCC/NTC to serve up forms for resources that are protected by 4.x agents or third-party applications, then enable the FCCCompatMode parameter. Traditional Web Agents have the FCCCompatMode parameter is enabled by default. Framework Agents have the FCCCompatMode parameter is disabled by default.

Enabling this parameter makes a r5.x, r6.x, or 12.52 Agent handle forms and NTLM credential collection like a 4.x Agent. This setting which means that a form or NTLM credential cookie is written to the browser of the user is redirected back to the Agent before logging in. This configuration permits the agents to interoperate.

When the value of the FCCCompatMode parameter is set to no, compatibility with 4.x Agents is disabled. In an 12.52 environment, set the value of the parameter to no.

Important! Setting this parameter to no removes support for version 4.x of the Netscape browser.

Specify Agent name mappings—FCC only: If you disable backward compatibility, map the AgentName parameter to the name and IP address of each host using that FCC for its protected resources. Set up these mappings in the configuration settings of the FCC.
Example mappings:

myagent, 123.1.12.1

myagent, www.sitea.com
Use Host Names as Agent Names—FCC only: If the first two options in the algorithm are not optimal, you can set the value of the AgentNamesAreFQHostNames parameter to yes. This setting instructs the FCC to use the fully qualified host name in the target URL as the Agent name. For example, if the URL string includes:
url?A=1&Target=http://www.nete.com/index.html

The www.nete.com portion of the Target string serves as the Agent name.

By default, this parameter is set to no. Consequently, the value of the DefaultAgentName parameter is used as the Agent name.

The following tables list guidelines for configuring r5.x, r6.x, or 12.52 and 4.x FCCs and NTCs, and describes how each behaves in a mixed environment:

Notes:

NTLM credential collectors can redirect users from non-IIS Web Servers to IIS Web Servers.
For framework Web Agents, refer only to the instructions where FCC compatibility mode is disabled.

Web Agent Protecting Resources	r5.x, r6.x, or 12.52 FCC in FCC Compatibility Mode	r5.x, r6.x, or 12.52 FCC - FCC Compatibility Mode Disabled
r5.x, r6.x, or 12.52	FCC issues a credential cookie. Certificate and Forms authentication are disabled. Certificate or Forms authentication are disabled.	FCC issues a session cookie Certificate and Forms authentication works. Certificate or Forms authentication works.
Web Agent Protecting Resources	4.x QMR 2/3/4 FCC
4.x QMR 5 or 4.x QMR 6	Agent issues a credential cookie Certificate and Forms authentication are disabled. Certificate or Forms authentication works
r5.x, r6.x, or 12.52	Agent issues a credential cookie Certificate and Forms authentication are disabled. Certificate or Forms authentication works

Note: For more information about SSL Authentication Schemes, see the Policy Server documentation.

Web Agent Protecting Resources	r5.x, r6.x, or 12.52 FCC in FCC Compatibility Mode	r5.x, r6.x, or 12.52 FCC - FCC Compatibility Mode Disabled
4.x QMR 5 or 4.x QMR 6	NTC issues a credential cookie.	NTC issues a session cookie
r5.x, r6.x, or 12.52	NTC issues a credential cookie.	NTC issues a session cookie

Web Agent Protecting Resources

r5.x, r6.x, or 12.52 FCC in FCC Compatibility Mode

r5.x, r6.x, or 12.52 FCC - FCC Compatibility Mode Disabled

4.x QMR 5 or

4.x QMR 6

NTC issues a credential cookie.

NTC issues a session cookie

r5.x, r6.x, or 12.52

NTC issues a credential cookie.

NTC issues a session cookie

Web Agent Protecting Resources	4.x QMR 2/3/4 NTC
4.x QMR 5, 4.x QMR 6	Agent issues a credential cookie
r5.x, r6.x, or 12.52	Agent issues a credential cookie

Use SCCs in a Mixed Environment

To enable 4.x type Web Agents and r5.x, r6.x, or 12.52 SCCs to interoperate, do one of the following tasks:

Specify Agent name mappings: Map the AgentName parameter to the host name and IP address of each host using that SCC for its protected resources. Create these mappings in the agent configuration parameters of the SCC.
Use Host Names as Agent Names: If you do not specify Agent name mappings, you can set the AgentNamesAreFQHostNames parameter to Yes. This setting instructs the SCC to use the fully qualified host name in the target URL as the Agent name.
For example, if the URL string is:
```
url?A=1&Target=http://www.nete.com/index.html
```
The www.nete.com portion of the Target string serves as the Agent name.

By default, this parameter is set to no. Consequently, the value of the DefaultAgentName parameter is used as the Agent name.

The following table shows how 4.x and r5.x, r6.x, or 12.52 Agents acting as SCCs operate in a mixed environment:

Web Agent Version	4.x QMR 2/3/4 SCC	r5.x, r6.x, or 12.52 SCC
4.x QMR 5 or 4.x QMR 6	Agent issues an SSL credential cookie. Certificates cannot be collected without redirecting requests, even if the original connection from the browser to server is over SSL.	Create mappings in the AgentName parameter or set AgentNamesAreFQHostNames to Yes. SCC issues a session cookie Certificates cannot be collected without redirecting requests, even if the original connection from the browser to server is over SSL.
r5.x, r6.x, or 12.52	Agent issues an SSL credential cookie. Certificates can be collected without redirecting requests.	SCC issues a session cookie Certificates can be collected without redirecting requests.

Note: For more information about SSL Authentication Schemes, see the Policy Server documentation.