eTrust® SiteMinder® r6
December 2006
Updated for eTrust SiteMinder r6 SP5
Table of Contents

The Challenge: Building and Managing Secure Websites and Applications
  Building the Secure Website
    Choosing the correct authentication technology
    Building the user directory
    Providing a quality single sign-on experience
  Managing the Secure Website
    Enabling compliance auditing
    Implementing security for multiple web applications
    Managing the security infrastructure
    Keeping user administration costs down
    Choosing the correct technology partner
eTrust SiteMinder Features and Benefits
  Authentication Management
  Federation Security Services
  Authorization Management
    Role based access control (RBAC)
    eTrust SiteMinder eTelligent Rules
  Auditing and Reporting
  Enterprise Manageability
Performance, Availability, Reliability, Scalability
  Performance
  Availability and Reliability
  Scalability
  Security
  Broad Platform Support
A Standards-Based Solution
eTrust SiteMinder Architecture
  eTrust SiteMinder Policy Server
    Access control services in a single process
  eTrust SiteMinder Agents
    Web agents
    Application server agents
    Enterprise application agents
    Custom Agents
  Secure Proxy Server
  Native Directory Integration
eTrust SiteMinder Authentication Management
  Authentication Methods
  Strong authentication support
  Authentication Policies
  Certificate Combinations and Alternatives
  Forms-based Certification
  Authentication Levels
  Directory Mapping
  Password Services
  Impersonation
eTrust SiteMinder Authorization Management
  eTrust SiteMinder Policies
    Rules/Rule Groups
    Users
  Responses
    IP addresses
  Time restrictions
    Active response
  Fine-grained authorization using eTelligent Rules
  Global policies
  Role based access control (RBAC)
Single Sign-On
  SSO in Single and Multiple Cookie Domains
  SSO zones – support of multiple SSO environments
  Enterprise SSO Integration
Identity Federation
  SiteMinder Federation Security Services (FSS)
  FSS IdP and SP support
    FSS Multi-protocol support
    FSS SAML 2.0 capabilities
    FSS WS-Federation capabilities
  Federation Hub and Spoke solutions
  SiteMinder Federation End Point
Single Sign-on in the Windows Environment
  Windows integrated security
  Windows application login
Auditing and Reporting
  Auditing
  Reporting
    Report drill down capabilities
    Activity reports
    Intrusion reports
    Administrative reports
    Time series reports
Enterprise Manageability
  OneView Monitor
  Environment Collector
  Test Tool
  Logging and policy profiling
  Centralized Agent Management
  Rapid Policy Deployment
  Unattended installations
  Command line interface
Performance, Reliability, Scalability and Availability
  Performance
    Bulk operations
    Authentication and authorization
  Reliability, Availability and Scalability
    Policy Server Clusters
Security
  Data Confidentiality
  Mutual Authentication
  Revocation of User Credentials
  Encrypted Session Cookies
  Session and Idle Timeouts
  Rolling Keys
  Hardware Stored Encryption Keys
  LDAP Protection from Denial-of-service Attacks
  Protection from Cross-Site Scripting
  Unique Secure HTTP Header Passing
Advanced Web Agents
eTrust SiteMinder Developer Capabilities
  Creating Custom Agents
  Single Sign-on Support for Custom Agents
  Managing the Policy Store
  Managing the User Store
  Creating a Custom Authentication Scheme
  Flexible Authorization
  Adding a Directory Provider
  Integrating with eTrust SiteMinder Events
  Session Server API
  Creating a Secure Communication Tunnel
Summary
Conclusion
The Challenge: Building and Managing Secure Websites

With its extended reach and power the Internet has fundamentally changed traditional business processes. E-business has ushered in the widespread deployment of intranets, business-to-business (B2B) extranets and e-commerce websites. These sites extend business processes to the furthest reaches of the Web, enabling partners, customers, and employees to access critical applications, information, services, and transactions anytime and anywhere.

Organizations are redeploying the applications that they have built over the years with web front ends, as well as deploying new applications on web servers, J2EE based application servers, and even mainframe systems that include web servers. As they open up their businesses to new users through the web, they face new and complex challenges.

Organizations must solve a new generation of manageability and compliance issues, from deployment of online resources throughout a global environment to enforcing policies, monitoring, and reporting of online activities for regulatory compliance. IT professionals need to support heterogeneous environments by providing flexible deployment approaches. They need to provide enterprise-class performance, availability, and scalability to support potentially millions of users. And they must ensure a long life for these systems by embracing open standards and platforms.

From the security and compliance perspective, there are several factors that must be carefully considered:

• Authentication. Who will access the applications and data? Will multiple user communities, such as partners, customers, and employees, need access? How will authentication across multiple websites be handled? Is simple password authentication sufficient, or are stronger credentials and controls needed?

• Authorization. Organizations need powerful security policies that can be easily leveraged over multiple applications and services. They need to implement a single shared security service to simplify and speed administration, to ease compliance-related auditing and reporting, and to reduce the security-related burden on application developers.

• Audit. Organizations must closely track how applications and data are used, and how the security system is helping to provide IT controls. System administrators need detailed system data to fine-tune performance. Business managers need activity data to demonstrate compliance with security policies and regulations.

• Entitlement service. How can organizations tie in all of the entitlements, that is, profile characteristics of individual users, from multiple directories and user stores into a single, shared security service?

• Enhancing the user experience. How can organizations provide a personal, easy to navigate online session for their users, and at a low cost?

From a user perspective, these new generation Web applications must be:

• Responsive. Delivering high performance applications, whether they're for customers, partners, or employees.

• Interactive. Providing the right users access to the right applications, data, services, and other resources.

• Simple. Providing a seamless user experience with cross-domain application access.

Today, enterprise IT infrastructures are often insufficient to meet the demands of e-business and unable to manage multiple types of applications accessed by multiple types of users (employees, customers, suppliers and partners) using multiple types of devices (laptops, PDAs, cell phones). Many sites must accommodate millions of users and many millions of transactions without jeopardizing security. In particular, implementers face several challenging business and technical problems grouped into two major areas: first building the secure website and then managing the secure website.

Building the Secure Website

For web developers the process of building a secure website can be very complex. Whether it's managing multiple user directories or creating a shared service for authentication, authorization and audit, they need new tools to design and provide robust security.

Choosing the correct authentication technology

Due to implementation and management challenges, security managers often struggle to define a unified authentication strategy across Internet and intranet applications. The result is that either high value applications are not protected by equally secure authentication systems, or low value web applications are protected by authentication systems that overdo it and push users away. Companies need a single system on which to deploy and manage multiple authentication systems. Organizations need to provide a comprehensive strategy that ensures high value applications are protected by strong authentication while lower value applications are protected by simpler user name/password approaches.
Building the user directory

Traditionally, security administrators have deployed an authentication system and access control list (ACL) with each application. For a small number of critical applications, these "siloed" authentication systems might be appropriate. However, as the number and complexity of applications increase, this approach quickly becomes unmanageable for all involved. With each application storing its own user privilege information within an application-specific repository or ACL, separate from any corporate user directory, redundant user administration and user databases are created. The user stores quickly get out of synchronization with the corporate directory, compromising both security and the user experience.

Providing a quality single sign-on experience

Successful websites need to provide users with the information and services they want, and that the organization wants them to see, in a personalized context that is easy to understand and navigate. If the content is not personalized, or if users must endure multiple sign-ons to different applications, they quickly become frustrated and go elsewhere. In addition, organizations might forge relationships with any number of business partners whose sites offer complementary value to some portion of the organization's users.

Identity Federation enables organizations to provide users single sign-on by transparently linking partner resources to the organization's website, and the organization's resources to its partners' websites. Single sign-on, whether of the internal or external variety (Identity Federation), lets users easily conduct business or obtain value-added access to applications and data.

Managing a Secure Website

From an operational perspective, security issues also play an important role in how organizations manage and operate websites. Key issues include enabling auditing for regulatory compliance, leveraging redundant points of administration, and managing the associated costs of supporting multiple applications and platforms.

Enabling compliance auditing

Driven by compliance regulations such as Sarbanes-Oxley, HIPAA, FFIEC, etc., enterprises need a way to consistently manage and enforce application access policies and provide compliance reports across heterogeneous systems, to answer such questions as who has access to what and who has accessed what. Without an enterprise-wide access control solution, it can be very costly to prove compliance.

Implementing security for multiple web applications

Traditionally the approach for managing authentication and authorization for web resources often varies across web servers, application servers, operating systems and development tools. Consequently, administration and authorization capabilities can vary greatly. These differences can lead to administrative problems as well as inconsistent security deployments, because these more complex environments are often more costly and time consuming to administer than single-platform environments. As a result, the quality of website security is often lower in heterogeneous IT environments, which is clearly an unacceptable outcome.

Managing the security infrastructure

It's a daunting and expensive challenge to deploy large-scale websites that can encompass hundreds of web servers, applications, and security policies as well as multiple types of authentication systems to enforce authentication and access control; all with 24x7 continuous availability. As the number of applications and users increases, administrative costs can spike drastically. As web applications continue to gain in strategic importance, the management and administration of these complex environments becomes a pressing IT challenge.

Keeping user administration costs down

Whether it's expanding the customer base, adding suppliers to the extranet, reorganizing divisions or improving service quality, people are the center of every business initiative. But as e-business websites grow, the number of users interacting with the sites also grows, and those increases translate into a broad range of significant management challenges:

• Assigning authentication methods to applications and users

• Synchronizing IDs and passwords across multiple directories

• Enabling self-registration and password management for users

• Providing phone and online support to potentially millions of users, 24x7, around the globe

Choosing the correct technology partner

Total cost of ownership is directly related to the ability to support open standards that leverage existing IT investments, offer extensive partnership integration, avoid vendor dead-ends, and minimize expensive third-party integrations. It's possible, of course, to achieve an impressive return on investment (ROI) by moving applications, and the business processes they support, to the web, but the key is how to do so cost effectively. As new web applications are deployed, ROI numbers rise, but with each new application, access, security management, and scalability requirements and issues also arise. These can reduce ROI if not addressed. To solve this problem companies need comprehensive open application program interfaces (APIs), directory mapping, and a 24x7 redundant architecture.
6
The right solution removes authentication from each application and centralizes all Web Access Management (WAM) and security policy in one place. eTrust® SiteMinder® is the right solution: it provides corporate and consumer e-business sites with the secure, scalable and reliable identity and privilege management infrastructure they require for conducting business. It also provides the centralized control that administrators need to efficiently manage and support that security infrastructure.

eTrust SiteMinder Features and Benefits
eTrust SiteMinder offers the type of solution organizations need to meet the challenge of building and managing secure websites. eTrust SiteMinder provides the essential security services required to meet this challenge, while also including management features and technical capabilities that can reduce the total cost of ownership.

Authentication Management
eTrust SiteMinder supports a broad range of authentication methods, including passwords, tokens, X.509 certificates, smartcards, custom forms, and biometrics, as well as combinations of authentication methods. It also supports certificate validation through either certificate revocation lists (CRL) or the Online Certificate Status Protocol (OCSP).

eTrust SiteMinder integrates with industry-leading directory services and user stores, eliminating redundant administration of user information. This integration simplifies administration and provides unique and comprehensive security capabilities. eTrust SiteMinder fully leverages existing user directories, from leading LDAP directories and relational databases, to mainframe security directories.

With single sign-on (SSO) and federation, users get unified and personalized access to all available applications and data within and across enterprise boundaries. Organizations and their partners can provide their customers with all their available services; access to all relevant, authorized information; and access to multiple applications that run on multiple servers, multiple platforms, and across multiple internet domains. Single sign-on provides a rich user experience, increased security and reduced customer support costs due to lost passwords.

multi-protocol federation support by implementing standards-based technologies including SAML and WS-Federation/ADFS. eTrust SiteMinder can act as an Identity Provider (IdP) that authenticates the user and produces a SAML assertion or WS-Federation security token to propagate to a federation partner, or as a Service Provider (SP) that consumes a SAML assertion or WS-Federation security token generated by a federation partner, to achieve SSO. As a result, eTrust SiteMinder provides a comprehensive, bi-directional federation hub that enables maximum interoperability among enterprises. Organizations with eTrust SiteMinder Federation Security Services can interoperate securely and more effectively with more sites, including sites that use other security solutions. Users have a more seamless experience across affiliated sites, improving the chances for increased revenue and enhanced relationships.

Authorization Management
eTrust SiteMinder centralizes the management of user entitlements for customers, partners and employees across all web applications through a shared service. The eTrust SiteMinder advanced architecture and ability to enforce security policies across the enterprise eliminates the need for redundant user directories and application-specific security logic. Centralized authorization greatly reduces development costs by allowing developers to focus on the application business logic, not on encoding security policies.

eTrust SiteMinder provides security and access management through its security policies, which are designed to accommodate the user and the user’s relationship to the protected resource. A policy protects resources by explicitly allowing or denying user access. It specifies the resources that are protected, the users, groups or roles that have access to these resources, the conditions under which this access should be granted, and the delivery method of those resources to authorized users. If a user is denied access to a resource, the policy also determines how that user should be handled from there.

Role based access control (RBAC)
eTrust SiteMinder, when used with CA Identity Manager, gives enterprises the ability to extend existing authorization policies to roles established for users in CA Identity Manager. Using CA Identity Manager, enterprises can map organizational structure as well as functional responsibilities to create and manage roles. eTrust SiteMinder can then bind security policies to roles for end-to-end identity and access management control.
can use eTelligent Rules to make security logic changes outside the applications, without changing program code, further reducing reliance on programming. Most other security solutions would have to rely on applications being re-programmed, re-built and re-deployed.

Auditing and Reporting
Auditing and reporting lets managers track user and administrative activity and analyze and correct security events and anomalies. eTrust SiteMinder lets companies define activities within the eTrust SiteMinder environment to be logged and where that information should be stored: in a file or in a relational database. Both the policy server and web agents (components of the SiteMinder architecture to be described later) provide separate audit logging and debug logging.

Enterprise Manageability
eTrust SiteMinder enables efficient management practices in all areas of security system operations, including responsive troubleshooting, fast day to day execution of routine operations, and easy to manage periodic operations. Daily activities, such as troubleshooting, password services and reporting, can be completed faster and better because eTrust SiteMinder provides centralized administration tools for the entire security environment. eTrust SiteMinder also provides tools that let administrators easily manage the deployment, including remote agents and security policies, regardless of the size of the security environment.

Performance, Availability, Reliability, Scalability
As more web applications are deployed and more business is conducted by more people online, organizations need a security solution that is efficient, available, reliable, and scalable. eTrust SiteMinder meets all these criteria, especially for very large deployments.

Performance
Based on independent third party comparisons against published data from other vendors, eTrust SiteMinder has proven its ability to provide significantly higher transaction rates than competing solutions.

eTrust SiteMinder achieves these high levels of performance by optimizing the speed of its policy server, the component that runs the centralized security services. With quick start-up and fast runtime performance, the policy servers provide efficient security services capable of supporting millions of users and thousands of protected resources.

Availability and Reliability
eTrust SiteMinder reliably and effectively helps to ensure that the entire environment that is being secured remains available and accessible to the right users. Administrators can set up load balancing and failover so that if one eTrust SiteMinder component is unavailable, the next one will be used without interruption to the user. Even if an eTrust SiteMinder component fails, it will automatically be re-started to keep all operations going, all the time.

eTrust SiteMinder administrators also have the option to cluster policy servers, that is, to group together policy servers based on criteria that are important to the security system implementation. Once policy servers are clustered, administrators can set up dynamic load balancing within the cluster and automatic failover among clusters to meet the increasing high performance, high availability requirements of a growing enterprise.

Scalability
eTrust SiteMinder can be scaled to meet security requirements for almost any website, both in terms of numbers of users and numbers of resources. With eTrust SiteMinder, security administrators don’t have to worry about their company’s new acquisitions or new partnerships. eTrust SiteMinder will be able to handle it: new users, new platforms, new applications, or additional languages. No portion of the enterprise would go unsecured, possibly leaving holes that unauthorized users could take advantage of.

In terms of numbers of users, eTrust SiteMinder can work effectively and efficiently with many millions of users with information stored on a broad array of user stores. By centralizing user access management, security administrators can manage the security requirements for all categories of users throughout the enterprise, from a single location. In fact some customers of eTrust SiteMinder have reported using the system to support in excess of 20M users.

Security
eTrust SiteMinder offers the most secure communications architecture in the industry, with 128-bit encryption and hardware token-based encryption key management and storage. eTrust SiteMinder combines the best of security and manageability by supporting the deployment of a mix of eTrust SiteMinder Agents and eTrust SiteMinder Secure Proxy Servers across a single policy model. In addition, eTrust SiteMinder supports a comprehensive set of password services including password composition, dictionary checking and expiration rules allowing you to implement robust password management rules. When combined with CA Identity Manager, providing self-service, forgotten password services, password synchronization, and other services, the combined solution provides a comprehensive set of password management automation services.
Broad Platform Support
To help achieve a higher return on investment (ROI) and lower total cost of ownership (TCO), eTrust SiteMinder leverages existing technology investments by supporting leading infrastructure components, including directories, Web servers, application servers, platforms and authen- RDBMS and others) and integrates with a large number of leading enterprise applications, such as SAP, Siebel,

eTrust SiteMinder consists of two primary components, the eTrust SiteMinder Policy Server and eTrust SiteMinder Agents. See Figure 1 for an overview of the architecture of eTrust SiteMinder.

Figure 1: Overview of the eTrust SiteMinder architecture (diagram labels recovered from the page: Users, Secured Applications, Supply Chain, User & Entitlement Stores)
Access Control Services in a Single Process
The eTrust SiteMinder Policy Server is a single-process engine (policy decision point) that runs all four shared services that make up SiteMinder: authentication, authorization, administration and auditing. The single, multi-threaded process results in a highly efficient, simple to manage system. The run-time performance is very fast because the single process server requires a smaller total memory footprint than a multi-process server and thread context switches run faster than process context switches.

eTrust SiteMinder Agents
Agents provide the enforcement mechanisms (policy enforcement points) for policy-based authentication and access control. They integrate with web servers, application servers, enterprise applications or custom applications to enforce access control based on defined policies.

Web Agents
Web agents control access to web content and deliver a user’s security context, managed by eTrust SiteMinder, directly to any web application being accessed by the user. By placing an agent in a web server that is hosting protected web content or applications, administrators can coordinate security across a heterogeneous environment of systems and create a single sign-on domain for all users.

For web servers, the web agent integrates through each web server’s extension API. It intercepts all requests for resources (URLs) and determines whether each resource is protected by eTrust SiteMinder. If the resource is not eTrust SiteMinder protected, the request is passed through to the web server for regular processing. If it is protected by eTrust SiteMinder, the web agent interacts with the policy server to authenticate the user and to determine if access to the specific resource is allowed. Depending on the policy for the requested resource, the web agent can also pass to the application a response that consists of the user’s attributes from the user directory and entitlement information. The application can use the entitlement information to personalize the page content according to the needs and entitlements of each user.

The web agent caches extensive amounts of contextual information about the current user’s access. The caching parameters that control these services are fully tunable by the administrator to optimize performance and security.

Application Server Agents
To secure more fine-grained objects such as servlets, JSPs, or EJB components, which could comprise a full-fledged distributed application, eTrust provides a family of eTrust SiteMinder application server agents (ASAs). ASAs are plug-ins that communicate with the eTrust SiteMinder Policy Server to extend single sign-on (SSO) across the enterprise, including J2EE application server-based applications. ASAs also enable SiteMinder to centralize security policy management by externalizing J2EE authorization policies through standard interfaces such as those based on JSR 115.

Enterprise Application Agents
eTrust SiteMinder provides several agents that integrate directly with the most widely used enterprise applications. These agents are called ERP agents. The ERP agents extend Web SSO to ERP users. In addition, the eTrust SiteMinder ERP Agents provide ERP-based Web sites with the flexibility to choose the authentication security technology, verification of user session data within the application server, and enforced synchronization between eTrust SiteMinder and ERP application sessions. SiteMinder ERP agents include an SAP agent, PeopleSoft agent, Oracle agent, and Siebel agent.

Custom Agents
The eTrust SiteMinder Policy Server is a general purpose rules engine that can protect any resource that can be expressed as a string, as well as any operation on those resources. While web agents, application server agents and ERP agents work with the standard features of eTrust SiteMinder, administrators can extend agent functionality by creating and configuring a custom agent using the Agent API and policy server Management Console. Custom agents can participate with standard eTrust SiteMinder agents to provide a comprehensive single sign-on environment.

Custom agents work with the eTrust SiteMinder Policy Server to control access to a wide range of resources, whether web based or not. For example, custom agents could be used to control access to an application, application function or a task performed by an application. A custom agent working with the policy server as the core engine can extend the types of resources that eTrust SiteMinder can protect.

Secure Proxy Server
The eTrust SiteMinder Secure Proxy Server is a turnkey, high performance proxy gateway that secures an organization’s backend servers, offering an alternative deployment model for eTrust SiteMinder. With Secure Proxy Server, eTrust SiteMinder offers two complementary policy enforcement strategies for a more flexible and secure web access architecture. Customers may choose to deploy traditional eTrust SiteMinder agents or the Secure Proxy Server. These SiteMinder components can be used singly, or in combination, to provide the optimum security and administration environment for any site.
Key benefits of the Secure Proxy Server include:
• Increased Security. The Secure Proxy Server provides multiple authentication schemes, basic, forms-based and certificate-based, while providing a single access management policy enforcement point. It prevents non-authenticated traffic from entering any point in the DMZ and eliminates the exposure of network topology to outside users.
• Greater Deployment Flexibility. The Secure Proxy Server supports multiple-session schemes for cookie and cookie-less methods of session tracking. It provides security for any back-end server environment, as well as a platform for building out wireless solutions. Advanced proxy rules dynamically route incoming requests to the appropriate backend server.
• Extensibility, Scalability and Robustness. The Secure Proxy Server is an open and extensible solution, providing a set of Java APIs for providing custom session schemes. It is also fully integrated with eTrust SiteMinder’s scalable and robust architecture.

The Secure Proxy Server is a self-contained reverse proxy solution consisting of two components, the proxy engine, with a fully integrated eTrust SiteMinder Agent, and an Apache-based HTTP web listener. The Secure Proxy Server accepts HTTP and HTTP over SSL (HTTPS) requests from web clients, passes those requests to enterprise back-end content servers, and returns resources to the requesting client.

For further detailed information on the eTrust SiteMinder Secure Proxy Server, refer to the Secure Proxy Server white paper available at http://www.ca.com/etrust

Native Directory Integration
eTrust SiteMinder is integrated with industry leading directory services, eliminating redundant administration of user information. This integration simplifies administration and provides unique and comprehensive security capabilities.

eTrust SiteMinder supports a range of leading LDAP directories and relational databases. eTrust SiteMinder also supports mainframe (OS/390) security directories, such as IBM RACF, eTrust CA ACF2 Security, and eTrust CA TopSecret Security. eTrust SiteMinder treats these directories as if they are regular LDAP user directories, and can provide both full authentication and authorization for users stored in these directories. Support for these directories is achieved through an add-on component called the eTrust SiteMinder Security Bridge.

eTrust SiteMinder supports storage of policy information in a variety of LDAP enabled directories and SQL databases. Even though the user and the policy store are logically separate, the ability to store both users and policies in the same physical directory provides easier administration and better performance. Directory Mapping lets an application authenticate users based on information from one directory and authorize users based on information from a different directory.

eTrust SiteMinder Authentication Management
eTrust SiteMinder offers unparalleled control over what type of authentication method is used to protect a resource and how that authentication method is deployed and managed. Traditionally, it is very challenging to successfully deploy and manage strong authentication systems (for example, two-factor certificates); therefore, most companies stick to using user names and passwords. By centrally managing all authentication systems and using the eTrust SiteMinder advanced authentication policy management capabilities, organizations can successfully deploy mixed authentication methods based on resource value and business needs instead of IT limitations.

Authentication Methods
No single authentication technique is appropriate for all users and all protected resources in all situations. That’s why authentication flexibility is an important requirement. eTrust SiteMinder offers a comprehensive password authentication management solution and integrates out of the box with most leading authentication methods. Since administrators often require varying levels of authentication security for different resources, eTrust SiteMinder supports a range of authentication mechanisms, including:
• Passwords
• Two-factor tokens
• X.509 certificates
• Passwords over SSL
• Smart cards
• Combination of methods
• Forms-based
• Custom methods
• Full CRL and OCSP support
• Biometric devices
• Forms and/or certificates
• SAML
• WS-Federation/ADFS
Certificate revocation is a critical component of a PKI strategy, since invalid certificates must be rejected by the authentication mechanism. eTrust SiteMinder supports CRL processing for all leading public key infrastructure (PKI) vendors, including the requirement that the CRL is located in a directory and searched to ensure the current certificate has not been revoked. In addition, eTrust SiteMinder supports the use of OCSP for real-time certificate validation.

Authentication Policies
Authentication policies give security administrators unique management capabilities to mix and match authentication methods and brand and customize the credentials collected. eTrust SiteMinder also enables administrators to classify resources into groups based on their value and assign different authentication methods to each level.
information stored in a different directory. This is critical because it supports the needs of sites (such as ISPs) that centralize user identities in a single authentication directory, but manage group membership and application privileges in a separate, application-specific directory. It is also useful when authentication information is stored in a central directory, but authorization information is distributed in separate user directories that are associated with particular applications.

Password Services
Password management is a critical security and cost issue within most corporations. To maintain user security, passwords must be difficult to guess, must change frequently, and must not be reused. In addition, administrators need alerts if suspicious events occur, such as a user failing several successive login attempts. eTrust SiteMinder Password Services provide an additional layer of security to protected resources by enabling the management of user passwords in LDAP user directories or relational databases. To manage user passwords, administrators create password policies that define rules and restrictions for governing password expiration, composition, and usage.
• Password Usage. eTrust SiteMinder includes a series of advanced password services that enforce the use of upper and lower case letters within a password: all uppercase, all lower case, case does not apply. The use of white spaces can also be specified: no white spaces, no white spaces before a character or after a character.
• Password Services Self-registration and Management. eTrust SiteMinder enables end users to register as a new user, create a user name and password, set expirations to that password, and change the password whenever the user feels it necessary.

When Password Services are active, eTrust SiteMinder invokes a password policy whenever a user is authenticated as well as when a user password is set or modified. The Password Services action depends on the context, which includes the user credentials and the policy. If the user is trying to create or modify the password and the new password does not meet the password policy requirements, the operation fails. If the user is attempting to authenticate with a password that has expired, or if the user account was marked inactive, actions such as disable the account or redirect to an information page, can also be specified in the password policy.
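The following Python sketch is an added illustration of the password policy behaviour described above (composition and case rules, white space rules, dictionary checking, reuse history, expiration, and a lockout action after successive failures); it is not eTrust SiteMinder code and does not reproduce its configuration. The rule names, the PBKDF2 storage format, the sample dictionary, the constructed accounts and dates, and the 90-day/5-attempt defaults are all assumptions made for the example.

```python
"""Password policy enforcement modelled on the Password Services described
above: composition (length, case, white space), dictionary checking, reuse
history, expiration and lockout after successive failures. Added illustration
with constructed data; not eTrust SiteMinder code."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import hashlib
import os


def _digest(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so stored history entries cannot be compared across accounts.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class PasswordPolicy:
    min_length: int = 8
    case_rule: str = "mixed"          # "mixed", "upper", "lower" or "any"
    whitespace: str = "none"          # "none", "not_leading_trailing" or "any"
    dictionary: frozenset = frozenset()
    max_age: timedelta = timedelta(days=90)
    history_depth: int = 5            # earlier passwords that may not be reused
    max_failures: int = 5             # successive failures before the account is disabled

    def violations(self, candidate: str, history: list) -> list:
        """All rules the candidate breaks; an empty list means it is acceptable."""
        problems = []
        if len(candidate) < self.min_length:
            problems.append("too short")
        upper = any(c.isupper() for c in candidate)
        lower = any(c.islower() for c in candidate)
        if self.case_rule == "mixed" and not (upper and lower):
            problems.append("must mix upper and lower case")
        elif self.case_rule == "upper" and lower:
            problems.append("must be all upper case")
        elif self.case_rule == "lower" and upper:
            problems.append("must be all lower case")
        if self.whitespace == "none" and any(c.isspace() for c in candidate):
            problems.append("white space not allowed")
        elif self.whitespace == "not_leading_trailing" and candidate != candidate.strip():
            problems.append("white space not allowed at start or end")
        if candidate.lower() in self.dictionary:
            problems.append("dictionary word")
        if any(_digest(candidate, salt) == digest
               for salt, digest in history[-self.history_depth:]):
            problems.append("recently used")
        return problems


@dataclass
class Account:
    name: str
    salt: bytes
    digest: bytes
    set_at: datetime
    history: list = field(default_factory=list)   # (salt, digest) of earlier passwords
    failures: int = 0
    disabled: bool = False


def create_account(name: str, password: str, policy: PasswordPolicy, now: datetime) -> Account:
    problems = policy.violations(password, [])
    if problems:
        raise ValueError(problems)
    salt = os.urandom(16)
    return Account(name, salt, _digest(password, salt), now)


def change_password(account: Account, new_password: str, policy: PasswordPolicy,
                    now: datetime) -> list:
    """Applies the change only if the policy is met; returns the violations found."""
    current = (account.salt, account.digest)
    problems = policy.violations(new_password, account.history + [current])
    if not problems:
        account.history.append(current)
        account.salt = os.urandom(16)
        account.digest = _digest(new_password, account.salt)
        account.set_at = now
    return problems


def authenticate(account: Account, password: str, policy: PasswordPolicy,
                 now: datetime) -> str:
    """Returns "disabled", "bad_password", "expired" or "ok". The policy is
    consulted on every authentication, as the text describes."""
    if account.disabled:
        return "disabled"
    if _digest(password, account.salt) != account.digest:
        account.failures += 1
        if account.failures >= policy.max_failures:
            account.disabled = True      # lockout action taken by the policy
        return "bad_password"
    account.failures = 0
    if now - account.set_at > policy.max_age:
        return "expired"                 # caller would redirect to a change-password page
    return "ok"


# Constructed sample data (not from the original document).
POLICY = PasswordPolicy(dictionary=frozenset({"password", "welcome", "letmein"}))
T0 = datetime(2006, 12, 1)


def days_after(n: int) -> datetime:
    return T0 + timedelta(days=n)


if __name__ == "__main__":
    acct = create_account("alice", "Tr0ub4dor&3", POLICY, T0)
    print(authenticate(acct, "Tr0ub4dor&3", POLICY, days_after(10)))     # ok
    print(authenticate(acct, "Tr0ub4dor&3", POLICY, days_after(91)))     # expired
    print(change_password(acct, "Tr0ub4dor&3", POLICY, days_after(91)))  # ['recently used']
```

The expiration check runs only after the credential has been verified, so an expired password still counts as a successful proof of identity that is then redirected to a change page, while a wrong password increments the failure counter and, at the configured limit, disables the account.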
eTrust SiteMinder includes impersonation templates that administrators can configure and brand, like any other eTrust SiteMinder HTML forms-based authentication scheme. As a result, impersonation is straightforward to set up and configure as well as being straightforward to use.

eTrust SiteMinder Authorization Management
Entitlement management (authorization) is one of the most critical issues for web applications. Users need to access information, but must be authenticated and authorized based on their privileges before gaining access. Traditionally, the entitlement management model for web resources often varies across web servers, application servers, operating systems and development tools. Consequently, the administration of one server can differ from the administration of another, and entitlement management capabilities offered by these various servers and tools can differ. These differences can lead to administrative problems as well as an inconsistent security framework.

eTrust SiteMinder provides centralized authorization management through its policies for all web resources, across web servers, application servers, and so on. Administrators work with the Policy Server Management Console to define policies that restrict access to specific web resources by user, role, group, dynamic group and exclusions. Centralized access control through policies provides very fine grained control to administrators, allowing them to implement access control at the file, page or object level.

The Policy Server Management Console is a single, browser-based, administrative system that extends across all intranet and extranet applications. A consistent security policy simplifies the central management of multiple web applications. A centralized approach to security management provides the following advantages:
• It eliminates the need to write complex code to manage security in each application
• The time and cost to develop and maintain multiple security systems is eliminated; sites deploy only one security system for all applications
• eTrust SiteMinder manages the security privileges of customers, business partners, and employees, whether they access the corporate network locally or remotely through the internet or a private network

eTrust SiteMinder Policies
eTrust SiteMinder provides security and access management based on policies that make access and security management more flexible and scalable because they are built around the user and the user’s relationship to the protected resource.

A policy protects resources by explicitly allowing or denying user access. It specifies the resources that are protected, the users, groups or roles that have access to these resources, the conditions under which this access should be granted, and the delivery method of those resources to authorized users. If a user is denied access to a resource, the policy also determines how that user is treated.

An eTrust SiteMinder policy binds rules and responses to users, groups and roles. The responses in a policy enable the application to customize the delivery of content for each user. Policies reside in the policy store, the database that contains all the eTrust SiteMinder entitlement information. The basic structure of a policy is shown in Figure 2.

When a policy is constructed, it can include multiple rule-response pairs bound to individuals, user groups, roles, or an entire user directory. Administrators can also configure multiple policies to protect the same web resources for different sets of users, adding responses that enable the web application to further refine the web content shown to the user.

One of the configuration options of a policy is a time restriction. If a time restriction is specified for a policy and a rule in that policy also contains a time restriction, the policy executes only during those times when both restrictions overlap.

Today, line-of-business needs are driving IT security managers to use real time data, either entered by the user or by a third-party service, as part of the authorization process. To process real time data, security-related logic must be coded into back-end business applications. However, this security logic is expensive to maintain because it requires developers to implement separate security-code changes for each back-end application. What’s more, the custom security code typically does not solve the business requirement because the authorization data cannot be evaluated in real time by the application.

Security administrators can use eTrust SiteMinder eTelligent Rules to build comprehensive expressions representing business logic and to utilize internal and external data for real time decision making. Variables, whose values are dynamically retrieved at runtime, can be used in the expressions. eTelligent Rules resolve values for variables in user attributes from user stores, data in forms users completed, or through web services calls to local or remote data sources. The values are then evaluated against the expression as part of the policy decision making process, together with other policy constraints.
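As an added illustration of the eTelligent Rules idea described above (not code from this white paper or from CA, and not its actual expression language), the following Python sketch evaluates a rule expression whose variables are resolved at decision time from the user store, from a submitted form, or through a call to an external service. The `user.`/`form.`/`ws.` prefixes, the restricted expression grammar, the stub credit-rating and balance services, the constructed users and the threshold values are all assumptions made for the example; the evaluator deliberately accepts only comparisons and boolean connectives so that a rule stored in the policy store cannot execute arbitrary code.

```python
"""Evaluating an eTelligent-style rule expression over variables that are
resolved at decision time. Added illustration with constructed data and stub
services; not eTrust SiteMinder code and not its expression language."""
import ast
import operator

# Comparison operators the evaluator accepts; anything else is rejected.
_COMPARE = {ast.Lt: operator.lt, ast.LtE: operator.le, ast.Gt: operator.gt,
            ast.GtE: operator.ge, ast.Eq: operator.eq, ast.NotEq: operator.ne}


class RuleExpression:
    """Restricted evaluator: constants, dotted variable references, comparisons
    and and/or/not. Function calls, arithmetic and attribute chains are refused,
    so a rule cannot do more than compare resolved values."""

    def __init__(self, text: str):
        self.tree = ast.parse(text, mode="eval").body

    def evaluate(self, resolve) -> bool:
        return bool(self._eval(self.tree, resolve))

    def _eval(self, node, resolve):
        if isinstance(node, ast.Constant):
            return node.value
        if isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name):
            return resolve(f"{node.value.id}.{node.attr}")   # e.g. ws.credit_rating
        if isinstance(node, ast.Compare):
            left = self._eval(node.left, resolve)
            for op, comparator in zip(node.ops, node.comparators):
                if type(op) not in _COMPARE:
                    raise ValueError(f"unsupported operator: {type(op).__name__}")
                right = self._eval(comparator, resolve)
                if not _COMPARE[type(op)](left, right):
                    return False
                left = right
            return True
        if isinstance(node, ast.BoolOp):
            values = [self._eval(v, resolve) for v in node.values]
            return all(values) if isinstance(node.op, ast.And) else any(values)
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
            return not self._eval(node.operand, resolve)
        raise ValueError(f"unsupported syntax: {type(node).__name__}")


class VariableResolver:
    """Resolves `user.<attr>` from the user store, `form.<field>` from the
    submitted form, and `ws.<name>` by calling a registered service once per
    decision (results are cached so a rule can reference them repeatedly)."""

    def __init__(self, user: dict, form: dict, services: dict):
        self.user, self.form, self.services = user, form, services
        self.cache = {}

    def __call__(self, ref: str):
        source, _, name = ref.partition(".")
        if source == "user":
            return self.user["attributes"][name]
        if source == "form":
            return self.form[name]
        if source == "ws":
            if name not in self.cache:
                self.cache[name] = self.services[name](self.user["name"])
            return self.cache[name]
        raise KeyError(f"unknown variable source in {ref!r}")


def authorize(rule_text: str, user: dict, form: dict, services: dict) -> bool:
    """Policy decision for one user: True when the rule expression holds."""
    return RuleExpression(rule_text).evaluate(VariableResolver(user, form, services))


# Constructed sample data (not from the original document).
USERS = {
    "alice": {"name": "alice", "attributes": {"tier": "gold"}},
    "bob":   {"name": "bob",   "attributes": {"tier": "standard"}},
}
SERVICES = {   # stand-ins for web-service calls to external data sources
    "credit_rating": lambda user: {"alice": 720, "bob": 580}[user],
    "balance":       lambda user: {"alice": 450.0, "bob": 2200.0}[user],
}
# Constructed rule in the spirit of the text: adequate credit rating, balance
# under $1,000, and the amount requested on a form within that balance.
RULE = "ws.credit_rating >= 650 and ws.balance < 1000 and form.amount <= ws.balance"


def demo(username: str, amount: float) -> bool:
    return authorize(RULE, USERS[username], {"amount": amount}, SERVICES)


if __name__ == "__main__":
    print(demo("alice", 100.0))   # True: rating 720, balance 450, amount within balance
    print(demo("bob", 100.0))     # False: rating 580
```

Because the external lookups happen inside the resolver, the same rule text can be re-evaluated on every request with fresh data, which is the property the text contrasts with security logic compiled into each back-end application.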
eTrust Options
SiteMinder Rule or Users or Groups Response or eTelligent Active
Figure (policy components): Policy: determines access to a resource. Users (group in a directory): user, groups, exclusions and roles. Rule / Rule Group: action that occurs when a rule fires. Expression: expression using external data. Time: time when the policy can or cannot fire. IP Address: IP address that the policy applies to. Response / Response Group: dynamic extension of the policy.

For example, in a financial services website, a user wants to access services that are available only to customers with a certain credit rating. eTelligent Rules can be implemented using web services calls to check the customer's current credit rating with an external, online credit service. If the customer's credit rating is adequate, then access is allowed (assuming all other security policy criteria are met).

Rules/Rule Groups
A rule identifies and allows or denies access to a specific resource or resources that are included in the policy.

Users
A policy specifies the users, groups of users, or roles that are included or excluded by the policy. Users or user groups are located in native directories linked to eTrust SiteMinder, and role information (for RBAC) is stored in the eTrust SiteMinder Policy Store.

Responses
A response defines information (for example, user attributes) that can be passed to an application when a user is accessing the resource. The application may use this information to provide finer access control and/or customize the appearance of the resource.

IP addresses
A policy may be limited to specific user IP addresses. If a user attempts to access a resource from an IP address not specified in the policy, the user will not be allowed access.

Time restrictions
A policy may be limited to specific days or ranges of hours. A policy with a time restriction will not allow access outside specified times.

Active response
An Active Response allows business logic external to eTrust SiteMinder to be included in a policy definition, enabling eTrust SiteMinder to interact with custom software created using the eTrust SiteMinder APIs.

Fine-grained authorization using eTelligent Rules
In addition to supporting static rules, administrators can configure eTelligent Rules, that is, an active policy that authorizes users based on dynamic data obtained from external business logic. Furthermore, multiple contexts can be evaluated using eTelligent Rules expressions to achieve fine-grained authorization. For example, a policy could limit access to a specific application to customers who have a current account balance of less than $1,000. In this way, application data that is often stored in transactional systems like a bank-transactions database can be included within the policy enforcement capabilities of eTrust SiteMinder.

Global Policies
The global policies of eTrust SiteMinder significantly improve how policies can be organized, and they reduce redundant operations for configuring multiple policies in large enterprises. Global policies provide administrators with the ability to define policy objects, rules, and responses with global scope, separately from a policy domain. When separated from a domain, administrators can define common policy objects, rules, and responses once that apply across multiple domains. Then, they can easily update the common policy objects, rules, and responses without having to locate each item in each realm throughout the domains. In addition to improving policy administration, global policies can help ensure compliance with federal regulations or corporate rules because they can enforce those rules and regulations across the enterprise, if required.

Each component of a global policy remains complementary to its domain-specific counterpart; that is, if there is a domain-specific policy object, rule or response with the same reference, the domain-specific item takes precedence over the global item. System-level administrators can also disable global policies for any domain, if they so choose. Global policies allow time restrictions to be specified when rules are in effect.
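To make the evaluation order of these components concrete, the following Python model is an added illustration (not SiteMinder's own engine or API): a policy carries a static rule, included and excluded users, IP and time restrictions, an optional eTelligent-style active rule fed by caller-supplied external data, and responses; a domain-specific policy with the same name shadows the global one, and access is denied unless some effective policy fires. All policy names, groups, paths, IP ranges and the credit threshold are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Callable, Optional


@dataclass
class Policy:
    """One policy built from the components described on this page (toy model)."""
    name: str
    resource: str                       # rule: resource prefix the rule covers
    actions: frozenset                  # rule: actions the rule fires on
    users: frozenset = frozenset()      # users, groups or roles included
    excluded: frozenset = frozenset()   # users or groups explicitly excluded
    ip_ranges: tuple = ()               # IP restriction (CIDR strings); empty = any
    hours: Optional[tuple] = None       # time restriction (start, end); None = any
    active_rule: Optional[Callable[[dict], bool]] = None  # eTelligent-style rule
    responses: dict = field(default_factory=dict)         # attributes passed to the app
    domain: Optional[str] = None        # None marks a global policy

    def rule_matches(self, req: dict) -> bool:
        """Static rule: does the requested resource/action fall under this rule?"""
        return req["resource"].startswith(self.resource) and req["action"] in self.actions

    def constraints_hold(self, req: dict) -> bool:
        """Exclusions, included users, IP and time restrictions, then the active rule."""
        principals = {req["user"]} | set(req.get("groups", ()))
        if principals & self.excluded:
            return False
        if self.users and not principals & self.users:
            return False
        if self.ip_ranges:
            addr = ip_address(req["ip"])
            if not any(addr in ip_network(r) for r in self.ip_ranges):
                return False
        if self.hours is not None:
            start, end = self.hours
            if not start <= req["when"].time() < end:
                return False
        if self.active_rule is not None:
            # External data (e.g. the credit rating the page describes) is
            # fetched by the caller beforehand and handed in as req["context"].
            return bool(self.active_rule(req.get("context", {})))
        return True


def effective_policies(policies, domain):
    """Global policies apply everywhere; a domain-specific policy with the same
    name takes precedence over the global item, as the page describes."""
    chosen = {}
    for p in policies:
        if p.domain is None and p.name not in chosen:
            chosen[p.name] = p
        elif p.domain == domain:
            chosen[p.name] = p
    return list(chosen.values())


def authorize(policies, req):
    """Deny by default; allow when at least one effective policy's rule matches
    and all of its constraints hold. Returns (allowed, merged responses)."""
    allowed, responses = False, {}
    for p in effective_policies(policies, req["domain"]):
        if p.rule_matches(req) and p.constraints_hold(req):
            allowed = True
            responses.update(p.responses)
    return allowed, responses


def make_request(user, groups, resource, action, ip, when, domain, **context):
    return {"user": user, "groups": groups, "resource": resource, "action": action,
            "ip": ip, "when": when, "domain": domain, "context": context}


CREDIT_MIN = 700  # constructed threshold for the external credit-rating check

# Constructed sample policies: a domain policy with an active rule, a global
# policy with IP and time restrictions, and a domain policy that shadows it.
POLICIES = [
    Policy("premium", "/premium/", frozenset({"GET"}), users=frozenset({"customers"}),
           active_rule=lambda ctx: ctx.get("credit_rating", 0) >= CREDIT_MIN,
           responses={"SM_TIER": "premium"}, domain="retail"),
    Policy("intranet", "/admin/", frozenset({"GET", "POST"}), users=frozenset({"admins"}),
           ip_ranges=("10.0.0.0/8",), hours=(time(8, 0), time(18, 0)),
           responses={"SM_ROLE": "operator"}),            # global (domain=None)
    Policy("intranet", "/admin/", frozenset({"GET"}), users=frozenset({"admins"}),
           ip_ranges=("10.0.0.0/8",), domain="partner"),  # shadows the global one
]


def demo():
    """Evaluates six constructed requests and returns their outcomes by name."""
    office_hours = datetime(2006, 12, 1, 10, 0)
    evening = datetime(2006, 12, 1, 20, 0)
    cases = {
        "good_credit": make_request("alice", ("customers",), "/premium/rates", "GET",
                                    "203.0.113.5", office_hours, "retail", credit_rating=720),
        "poor_credit": make_request("alice", ("customers",), "/premium/rates", "GET",
                                    "203.0.113.5", office_hours, "retail", credit_rating=650),
        "admin_global": make_request("bob", ("admins",), "/admin/users", "POST",
                                     "10.1.2.3", office_hours, "retail"),
        "admin_shadowed": make_request("bob", ("admins",), "/admin/users", "POST",
                                       "10.1.2.3", office_hours, "partner"),
        "admin_bad_ip": make_request("bob", ("admins",), "/admin/users", "GET",
                                     "192.0.2.1", office_hours, "retail"),
        "admin_after_hours": make_request("bob", ("admins",), "/admin/users", "GET",
                                          "10.1.2.3", evening, "retail"),
    }
    return {name: authorize(POLICIES, req) for name, req in cases.items()}
```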
For example, administrators define a policy in each realm to redirect users to the same web page when users are not authenticated or not authorized to access a resource. With global policies, administrators define a redirect policy once and that single global policy can be used by all realms. Without global policies, administrators have to define that same policy over and over for each realm.

Global policies are managed by system-level administrators only, using the Policy Server Management Console, the Policy Management API, or the Perl script interface to the Policy Management API.

Role Based Access Control (RBAC)
eTrust SiteMinder, used in conjunction with CA Identity Manager, provides enterprises with role based access control. Roles define job responsibilities, or a set of tasks that are associated with a job or business function. Each task corresponds to an operation in a business application. A single role can have one or more tasks defined in it and

SSO in Single and Multiple Cookie Domains
When a user authenticates with eTrust SiteMinder, an encrypted cookie is created that contains the necessary session information about the user. The cookie is encrypted with a 128-bit symmetric cipher. No user password information is ever kept within the cookie. When the user requests access to a different protected resource, eTrust SiteMinder decrypts the information in the cookie and securely identifies the current user. No additional authentication is required. See Figure 3 below.

eTrust SiteMinder also supports cross-domain SSO. When users authenticate to a single Internet domain, eTrust SiteMinder eliminates the need to re-authenticate when they access protected resources or applications in a different domain. Cross-domain SSO is a critical capability, especially for large enterprises with multiple divisions or multinational businesses. See Figure 4 below.

Figures 3 and 4 (diagram): Mycompany.com web server with eTrust SiteMinder Agent.
Within the SSO site, users enter their credentials upon their first attempt to access a protected resource. After they are authorized and authenticated, they can move freely between different realms that are protected by authentication schemes of an equal or lower protection level without re-entering their identification information. In Figure 4, the diagram shows SSO across multiple cookie domains.

eTrust SiteMinder's support for SSO improves the overall user experience, simplifying access among servers and applications. It also lowers the administrative costs by allowing users to access the data they need using only one password.

the Security Assertion Markup Language (SAML) and WS-Federation/ADFS.

FSS IdP and SP Support
eTrust SiteMinder FSS can act as an Identity Provider (IdP) that authenticates the user and produces a SAML assertion or WS-Federation security token to propagate to a partner, or as a Service Provider (SP) that consumes a SAML assertion or WS-Federation security token generated by a partner to achieve SSO. As a result, eTrust SiteMinder provides a complete, bi-directional federation that enables maximum interoperability among enterprises. eTrust SiteMinder is perfectly situated to enable a federation hub with many different IdP and SP partners.
In addition to the eTrust SiteMinder FSS as a federation hub solution, to enable customers to federate with those partners that do not have a SAML/WS-Federation/ADFS compliant security infrastructure, CA provides a lightweight federation end point solution — the eTrust SiteMinder Federation End Point. The eTrust SiteMinder Federation End Point is a multi-protocol end point solution with IdP and SP capabilities.

SiteMinder Federation End Point
For eTrust SiteMinder FSS customers, the eTrust SiteMinder Federation End Point is a light-weight federation solution which enables their partners to federate with them when their partners do not have existing federation infrastructure. The eTrust SiteMinder Federation End Point provides the same level of protocol support as eTrust SiteMinder FSS provides and can act as an Identity Provider or Service Provider without requiring eTrust SiteMinder or an equivalent WAM solution to be installed on the partner site.

While the eTrust SiteMinder Federation End Point provides full federation functions and quick partner enablement, the following facts should be kept in mind:
• It only interoperates with eTrust SiteMinder FSS, and is not intended to be a general purpose federation solution that interoperates with multiple other federation solutions. For that, a full deployment of eTrust SiteMinder FSS is recommended.
• It does not provide resource protection and access control capabilities like those provided by eTrust SiteMinder, and thus integration with applications or existing access control capabilities is generally needed. Alternatively, a full deployment of eTrust SiteMinder is recommended for the partner.

For detailed information on the eTrust SiteMinder Federation Security Services, refer to the Universal Federation Architecture white paper that is available at http://www.ca.com/etrust

Single Sign-On in the Windows/Kerberos Environment
eTrust SiteMinder single sign-on is especially important in the Microsoft Windows environment because internal users access many enterprise applications from their standard Windows desktop.

Windows Integrated Security
Users who login to their desktop using Windows NT authentication and use Internet Explorer to access Web applications deployed on any web server can login to eTrust SiteMinder without being re-challenged, as long as there is at least one Microsoft IIS web server configured to use eTrust SiteMinder. With this capability, the user only has to remember their desktop password and they can be provided Web SSO widely.

Windows Application Login
eTrust SiteMinder also supports Windows application login, enabling a user to login to eTrust SiteMinder and subsequently launch Windows/COM+ web applications such as Microsoft Outlook Web Access and Microsoft Commerce Server. With Windows application login, administrators can enforce access control on non-eTrust SiteMinder-protected Windows applications for all eTrust SiteMinder users with a Windows identity (NTLM or LDAP) by initializing their application security context with eTrust SiteMinder.

Auditing and Reporting
Administrators need to know who is doing what and when. eTrust SiteMinder auditing logs all activity throughout the eTrust SiteMinder environment. eTrust SiteMinder stores the audit information in a flat file or relational database. When you set up eTrust SiteMinder to store information in a relational database, you can use commercial reporting solutions to present that auditing information in any format required.

Changing federal laws, in-depth regulatory financial audits, and increased security threats from external hackers have all pushed access management auditing and reporting to the forefront of product feature sets. eTrust SiteMinder reporting supports granular information collection and analysis on access, activity, intrusion, and audit information to fulfill many of these reporting requirements.

Auditing
eTrust SiteMinder audits all user and site activity, including all authentications and authorizations, as well as administrative activity, and any changes to the policy store. eTrust SiteMinder also tracks user sessions so administrators can monitor the resources being accessed, how often users attempt access, and how many users are accessing the site. Additionally, eTrust SiteMinder provides the ability to filter audit events (for example, record only failed authorizations), allowing the administrator to track only events of interest.

Reporting
eTrust SiteMinder audit data can be used to build reports, leveraging the reporting solution that your company currently uses. eTrust SiteMinder provides stored procedures and sample Crystal Reports templates. If you integrate Crystal Reports with eTrust SiteMinder, you can take advantage of the sample report templates described below. If you use other commercial reporting solutions, you can use the eTrust SiteMinder provided stored procedures to easily access the audit information in the database and build your own reports. Regardless of your reporting solution, eTrust SiteMinder provides you with the data you need to generate reports like those described in this section.
Report Drill Down Capabilities
eTrust SiteMinder reports begin with a summary of the data in the report. Clicking on a summary item, such as a date, user, or agent, allows administrators to view more detailed information. Drill down details contain the following information:
• Time. Lists the exact times when each event occurs, from the oldest time to most recent
• User. Contains the user name associated with the reported event
• Agent. Lists the names of the agents where the reported event occurred
• Administrator. The eTrust SiteMinder Account Username is listed
• Category. Describes the type of event that was logged
• Description. Describes the actual event that occurred during the time noted in the Report. When any category of event is logged as a rejection or failure, the color of the text on the computer screen is red and indicated by an exclamation (!) mark.

Activity Reports
Activity reports show a variety of user, eTrust SiteMinder agent, and resource activity data at different levels of granularity. There are four types of Activity Reports:
(the list itself did not survive extraction; surviving fragments: "Transactions", "report", "occurred during the period of time covered by the report")

Administrative Reports
The main administrative report is the All Administrative Activity report, which covers all administrative activity by date. It is broken down into two sub-reports:
• Activity by Administrator Report. Covers all administrative activity by administrator
• Activity by Object Report. Covers all administrative activity by object (Administrator, Agent, Policy, and so on)

Each report contains columns of information including Time, Administrator, and a brief description of the activity.

Time Series Reports
Administrators can view two types of Time Series Reports:
• Daily Transactions Report. Includes all successful and failed authentications and authorizations by day
• Hourly Transactions Report. Breaks the data further down into successful and failed authentications by hour

Time Series reports are displayed as bar charts. See Figure 5. Administrators can view a chart of all transactions, or view the authentications, authorizations, or administration transactions separately.

Figure 5 (bar charts): transactions by Date (1 through 14) and by Hour (12:00 am through 3:00 pm).
overall system status, identify components with failure alerts, and drill down to obtain detailed status information.

In the event of a component failure, eTrust SiteMinder OneView Monitor can display and alert an administrator right away so that no time is wasted in reporting the problem. Administrators can then take proactive action to correct problems, possibly even before users experience any trouble.

With the SNMP integration capability, administrators can set up automatic recovery procedures based on failure alerts. For example, a failure report can kick off an email message or a pager message to the person who is closest to the problem. The recovery time can then be reduced even further because the responsible person is alerted as quickly as possible.

eTrust SiteMinder OneView Monitor can be easily configured so that administrators can set up the displays to report information exactly as they need it. They can filter out data that might not be important to their environment; they can sort data according to their priority; and they can specify update intervals to make sure they have fresh data when they need it.

Environment Collector
When problems are reported, it is critical to have detailed information about all the operating components of the environment to help identify and isolate the root cause of the problem and, if necessary, to reproduce the problem in a testing lab. Because a security solution interacts with many critical systems distributed worldwide that are owned by different people or groups, it might take the security administrator days to contact the right people to get all the details they need about all the components connected to the security system. Even after the information is collected, it could go stale very quickly as components get upgraded.

The eTrust SiteMinder Environment Collector provides a snapshot of the eTrust SiteMinder runtime environment for any policy server in the enterprise. When problems associated with a policy server crop up, administrators use eTrust SiteMinder Environment Collector information to assess exactly what components the policy server is working with. With up-to-the-minute environment information, the security administrator can resolve the situation much faster.

The Environment Collector collects the following information about a policy server:
• User stores and databases being accessed by the policy server
• Custom modules being used by the policy server
• Agents that are interacting with the policy server
• Registry information

The type of information collected includes the name of the component, its version, patch levels, which policy server the component works with, how the components are connected, and other environment attributes that affect how eTrust SiteMinder operates. This information is stored in an XML file.

After glancing through the XML file report, administrators can determine if any components require updating, if there are any version mismatches, and if the correct agents are deployed where needed.

When working with the eTrust SiteMinder support team to resolve a problem, administrators can send eTrust SiteMinder Environment Collector information to the support team. With accurate and up-to-date data to work with, the support team will be able to work on reproducing and resolving the problem.

Test Tool
After a problem is reported, administrators must have the correct tool to identify and isolate the cause of the problem, so they can move quickly to resolve it. The eTrust SiteMinder Test Tool simulates agent operations so that a policy server can be isolated from the agent environment. Once isolated, the administrator can determine whether the policy server is creating the problem or another component in the environment where the policy server is running.

The eTrust SiteMinder Test Tool can test the connection to the policy server to see if it is down. If the connection is available, the administrator can test the policies associated with the application that reported the problem. The administrator can run tests that check if the resource is protected, if the user is authenticated, and if the user is authorized for the resource. Debug information is also provided.

Logging and policy profiling
With useful logs of day-to-day system activities, administrators can prevent many problems from happening and troubleshoot problems quickly when they occur.
Policy server and agent logs are separate from tracing logs to make log files easier to manage. Because separate logs are smaller and easier to work with, administrators also have more precise control over log verbosity because they can specify different verbosity settings for each log. In addition, administrators can apply tracing and logging settings without restarting the policy server. For example, an administrator can add a data field in the trace logs and eTrust SiteMinder adds the field automatically without restarting the server.

Policy server and agent logging include the following capabilities:
• Agent and policy server logs can be correlated through a transaction ID, allowing the administrator to follow both agent and policy server operations to more easily identify the problem. For example, when multiple agents are making requests to a policy server, having a single transaction ID allows administrators to isolate a call from a particular agent, providing more precise and relevant troubleshooting information
• Logging profiles can be saved for quick retrieval and alternation between production and troubleshooting modes. The output can be sent to either a system console or a file

Policy profiling, or trace logging, includes the following capabilities:
• Policy profiler can trace policy server operations across policy server components
• Administrators can configure trace logs to generate detailed and selective information. For example, they can configure trace logs to include feedback on selected operations in specified components, such as a source file or an IP address in data fields
• Multiple output formats are available for easier parsing of trace information and integration with other trace reporting systems. Output formats include fixed width fields, XML, user-specified delimited fields, among others

Error handling includes the following capabilities:
• Accurate and comprehensive information about the operation of eTrust SiteMinder processes is recorded
• System informational messages down to the functional level provide detailed information
• Administrators can filter errors by specifying precise criteria, such as severity

Centralized Agent Management
eTrust SiteMinder provides central agent management that enables central and dynamic control and configuration of web agents. Additionally, central agent management can logically group agents based on your organization.

When a new agent is installed on a web server, the installation process establishes a secure connection with the policy server and receives default configuration settings. This increases security since the configuration information is moved from the web server in the DMZ and resides in the policy store. With this configuration, the possibility of a security compromise of the configuration information is significantly lower.

Some of the key benefits of this capability are:
• All configuration information is centralized and stored in the policy store, providing greater security for configuration information
• It is easy to delegate administration for creating and managing the new centralized agent to the administrator who has organizational responsibility for the agent
• Configuration templates make it very easy to configure multiple agents into logical groups
• Web servers do not need to be re-booted when configuration changes are made

Rapid Policy Deployment
When new or modified policies are being deployed in a production environment, it's important to fully test those policies offline before they "go live," lest inadvertent errors appear in the policy specification that cause serious security problems later on. That's why many enterprises use multiple staging environments for developing, testing and deploying new policies. However, as environments grow in size, the number of policies can often make management of these environments quite challenging. Since re-entering policies can be laborious and error-prone, administrators need an automated way to move policies from one environment to another to simplify management of larger environments.

With the import/export tool, eTrust SiteMinder easily and automatically migrates entire policy structures from one environment to another. For example, operators can change policy names and attributes to accommodate the new environment, such as new machine names or IP addresses.
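The transaction-ID correlation described above, together with the "record only failed authorizations" audit filter from the Auditing section, as an added Python illustration: agent and policy server lines are joined on their transaction ID, requests that one side logged but the other did not are reported rather than silently dropped, and the joined records are filtered to authorization failures. The log lines and their key=value layout are constructed for this example and are not SiteMinder's own log format.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not SiteMinder's format). Both sides carry a
# transaction id (tx=...) so an agent request can be matched to the policy
# server's decision. tx 9999 has no server record and tx 7777 no agent record.
AGENT_LOG = """\
2006-12-01T10:00:01Z agent=www1 tx=a1b2 user=alice resource=/premium/rates action=GET
2006-12-01T10:00:02Z agent=www1 tx=c3d4 user=carol resource=/admin/users action=POST
2006-12-01T10:00:03Z agent=www2 tx=e5f6 user=bob resource=/admin/users action=GET
2006-12-01T10:00:04Z agent=www2 tx=9999 user=dave resource=/premium/rates action=GET
"""

POLICY_SERVER_LOG = """\
2006-12-01T10:00:01Z server=ps1 tx=a1b2 event=AzAccept policy=premium
2006-12-01T10:00:02Z server=ps1 tx=c3d4 event=AzReject policy=intranet reason=ip
2006-12-01T10:00:03Z server=ps2 tx=e5f6 event=AzReject policy=intranet reason=time
2006-12-01T10:00:05Z server=ps2 tx=7777 event=AuthReject reason=badpassword
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse(log):
    """Turn 'timestamp key=value ...' lines into dicts; blank lines are skipped."""
    records = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        rec = {"ts": ts}
        rec.update(KV.findall(rest))
        records.append(rec)
    return records


def correlate(agent_log, server_log):
    """Join agent and policy server records on tx. Returns the joined records
    plus the transaction ids seen on only one side, so a gap (the agent saw a
    request the server never decided, or vice versa) stays visible."""
    by_tx = defaultdict(dict)
    for rec in parse(agent_log):
        by_tx[rec["tx"]]["agent"] = rec
    for rec in parse(server_log):
        by_tx[rec["tx"]]["server"] = rec
    joined, agent_only, server_only = [], [], []
    for tx, parts in by_tx.items():
        if "agent" in parts and "server" in parts:
            merged = {"tx": tx, **parts["agent"]}
            merged.update({"srv_" + k: v for k, v in parts["server"].items()})
            joined.append(merged)
        elif "agent" in parts:
            agent_only.append(tx)
        else:
            server_only.append(tx)
    return joined, agent_only, server_only


def failed_authorizations(joined):
    """The 'record only failed authorizations' filter the page mentions."""
    return [r for r in joined if r["srv_event"] == "AzReject"]


def failures_by_agent(joined):
    """Which agent each authorization failure came through (the tx lets us tell)."""
    counts = defaultdict(int)
    for r in failed_authorizations(joined):
        counts[r["agent"]] += 1
    return dict(counts)


def summary():
    """Runs the correlation over the constructed logs and returns the results."""
    joined, agent_only, server_only = correlate(AGENT_LOG, POLICY_SERVER_LOG)
    failed = failed_authorizations(joined)
    return {
        "joined_tx": [r["tx"] for r in joined],
        "agent_only": agent_only,
        "server_only": server_only,
        "failed_tx": [r["tx"] for r in failed],
        "failed_users": [r["user"] for r in failed],
        "failures_by_agent": failures_by_agent(joined),
    }
```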
The import/export tool has the following capabilities:
• First-Time Deployment. Copy an entire policy configuration from one environment to another and then edit the configuration before or after the import
• Incremental Deployment. Export individual policy objects to new environments and overwrite the comparable object on the new system. Edit the configuration for first-time deployment, either before or after the import operation, simplifying re-testing and re-deployment of individual policies
• Flexible Scripting Capabilities. Develop scripts in a standard text editor and store them in source code control systems to maintain versioning
• Import Object Mapping. Easily map, that is, rename, an imported object if the name is not unique

Unattended Installations
In large enterprises, administrators install eTrust SiteMinder Policy Servers and agents on many systems. In many cases, these installations are the same from system to system. With unattended installations, eTrust SiteMinder administrators use Java-based installation templates to automate these installations. With automatic installations, eTrust SiteMinder can be rolled out faster to better meet the needs of rapidly expanding global businesses.

The unattended installations use a platform-independent Java installer, which allows the installation to run the same way, with the same look and feel, on both UNIX® and Microsoft Windows operating systems. Administrators work with templates to specify how to install and configure a component, such as a web agent. Then, the templates can be re-used throughout the security environment to ensure a uniform and consistent installation and configuration of the component. Template re-use saves the administrator from countless, repetitive installation procedures.

Command Line Interface
eTrust SiteMinder includes a full command line interface to leverage the power of Perl scripting and make it easier to dynamically control the system. All programmatic capabilities formerly available only to C and Java programmers are now accessible to developers using standard Perl scripts.

Through the range of eTrust SiteMinder APIs, companies can use scripts to test and verify policies, examine configurations, and automate the routine chores commonly performed. The Command Line Interface offers a complete scripting interface to the eTrust SiteMinder Policy Server, making customizations and proof-of-concepts easier and quicker.

Performance, Reliability, Scalability and Availability
eTrust SiteMinder is used today in some of the world's largest corporations and is designed to meet the needs of corporations requiring a fast, efficient, 24x7 security solution for their extensive user and application services.

Performance
eTrust SiteMinder provides extensive, fully tunable caching facilities, so that all resource and policy information is available without requiring a call to either the policy server or a directory. The policy server provides two-level policy caching, so that recently accessed policy information is kept in a separate cache that is searched before the regular policy cache. In addition, eTrust SiteMinder caches user attributes to optimize LDAP calls. These caching facilities provide outstanding performance, even for very large numbers of users or policies.

Through independent tests conducted by Mindcraft Inc., eTrust SiteMinder has demonstrated industry leading performance for user authentications and authorizations. Figure 6 summarizes the outstanding performance that eTrust SiteMinder offers.

Figure 6 (bar chart): Log-ins Per Minute (0 to 120,000) against CPUs (1, 2, 4) for iPlanet LDAP and MS Active Directory.
Figure 6. eTrust SiteMinder performance data on Windows NT and UNIX.

Bulk Operations
Operations for initializing the policy server and for auditing run in bulk to ensure efficient runtime performance. Each time the policy server starts, it is initialized by retrieving policy data from a policy store, which is defined in LDAP directory servers or ODBC databases. For ODBC database policy stores, the query (SQL) statement operations for retrieving policies are combined, resulting in a minimal number of retrieval operations and in quick initialization.
eTrust SiteMinder auditing transactions can be stored in a relational database using ODBC. When using a relational database, bulk SQL statements and asynchronous database management operations make the process of storing records as quick as possible.

Authentication and Authorization
When eTrust SiteMinder evaluates whether a resource is protected, a very fast binary search algorithm is used. This algorithm results in rapid transaction times when determining whether access control is required for a resource.

The eTrust SiteMinder object cache groups rules with realms for a more efficient search of policies to make authorization decisions. The cache is bound by size, not by number of entries, providing a rapid and predictable search of policies.

Reliability, Availability and Scalability
These optimizations enable rapid run-time performance, especially when working with large policy stores. For example, tests indicate that the policy evaluation response time for a policy store with one realm is the same as the response time for a policy store with up to thousands of realms.

eTrust SiteMinder has been designed specifically to meet the needs of e-business sites that must support a large number of users with high authentication and authorization rates. Though eTrust SiteMinder is easy to configure and deploy for small workgroup environments, it can scale to large installations that support very large user or resource populations.

eTrust SiteMinder provides outstanding scalability due to the following capabilities:
• Replication and Failover. Each web agent can be configured to communicate with multiple eTrust SiteMinder Policy Servers. If the current policy server becomes unavailable, the agent automatically establishes a connection with the next policy server and continues processing. This operation is transparent to the user. For increased availability, in the event of a failure, eTrust SiteMinder provides automatic restart of all server processes. eTrust SiteMinder also provides the failover mechanism for user directories, that is, if the current user directory is unavailable, the policy server automatically establishes a connection with the next user directory.
• Load Balancing. eTrust SiteMinder supports automatic load balancing, which significantly improves the scalability and performance of eTrust SiteMinder in large deployments. The web agent distributes multiple user requests across multiple policy servers. The policy servers can also load balance their requests across a set of directory servers. In this way, eTrust SiteMinder can distribute its system load across other servers to improve overall system throughput.

Policy Server Clusters
Administrators can group multiple policy servers into a cluster that works with a set of agents. With clusters, administrators get powerful new features for managing clusters to derive the most efficient service from them.

Any set of policy servers can be clustered, based on criteria that are important to the security system implementation. An administrator might choose to cluster policy servers for a number of reasons, including: physical location, resources they are protecting, organizations they are supporting, or machine speed and memory. For example, when clustering policy servers according to geography, an administrator can group policy servers in one area to make sure agent requests are handled locally. Policy servers in a cluster can be running on different platforms or physically located in different places. As a result, clustering is viable in both homogeneous and heterogeneous policy server environments.

Clustering offers administrators these features:
• Dynamic Load Balancing. Dynamic agent-to-policy server load balancing allows higher levels of processing loads to get allocated to faster servers within the cluster. More effective load balancing increases maximum system throughput because agents get served by the policy server that can provide the fastest response at any given time. Agents will be served by a policy server instance within the cluster that previously provided the best response time.
• Automatic Failover. Agents are decoupled from policy servers. As a result, agents transparently fail over from one cluster to another, according to criteria established by the administrator. When the number of available policy servers in a cluster falls below the criteria, agent requests are automatically sent to another cluster without interrupting service.

With these features, the administrator can easily scale policy servers to meet increasing service requests in growing enterprises.
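The two clustering behaviours just described, response-time-based server selection within a cluster and failover to another cluster once the available server count drops below the administrator's threshold, as an added Python simulation (not SiteMinder's own agent logic). Cluster and server names, thresholds and response times are constructed; the scenario also covers the case where no cluster meets its criterion, which a real agent must treat as "cannot be served" rather than picking a server anyway.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PolicyServer:
    name: str
    up: bool = True
    last_response_ms: float = 0.0   # 0.0 = not measured yet; sorts first so it gets probed


@dataclass
class Cluster:
    name: str
    servers: List[PolicyServer]
    min_available: int = 1          # administrator's failover criterion

    def available(self) -> List[PolicyServer]:
        return [s for s in self.servers if s.up]

    def healthy(self) -> bool:
        return len(self.available()) >= self.min_available


def select_server(clusters: List[Cluster]) -> Optional[Tuple[str, str]]:
    """Agent-side choice: the first cluster, in failover order, that still meets
    its availability criterion, and within it the server whose previous
    response was fastest. None means no cluster can serve the agent."""
    for cluster in clusters:
        if cluster.healthy():
            best = min(cluster.available(), key=lambda s: s.last_response_ms)
            return cluster.name, best.name
    return None


def demo() -> List[Optional[Tuple[str, str]]]:
    """Constructed scenario: servers failing and recovering across two clusters.
    Returns the (cluster, server) chosen at each step."""
    east = Cluster("east", [PolicyServer("ps1"), PolicyServer("ps2"), PolicyServer("ps3")],
                   min_available=2)
    west = Cluster("west", [PolicyServer("ps4"), PolicyServer("ps5")], min_available=1)
    clusters = [east, west]
    trace = []
    trace.append(select_server(clusters))   # nothing measured yet: first server, ps1
    east.servers[0].last_response_ms = 40.0
    east.servers[1].last_response_ms = 15.0
    east.servers[2].last_response_ms = 30.0
    trace.append(select_server(clusters))   # fastest previous response: ps2
    east.servers[1].up = False              # ps2 fails; 2 of 3 left, criterion still met
    trace.append(select_server(clusters))   # stays in east, next fastest: ps3
    east.servers[2].up = False              # 1 of 3 left, below the threshold of 2
    trace.append(select_server(clusters))   # fails over to west: ps4
    for s in west.servers:                  # west goes down as well
        s.up = False
    trace.append(select_server(clusters))   # no cluster meets its criterion: None
    east.servers[1].up = True               # ps2 recovers; east is healthy again
    trace.append(select_server(clusters))   # back to east: ps2
    return trace
```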
Security

A security system is only as strong as its weakest link. That's why it's critical that all components and communication paths be secure, so that intruders cannot compromise the overall system security by stealing passwords or impersonating other users. eTrust SiteMinder offers security at each point in its operation.

More specifically, it provides several capabilities to ensure that data and applications are not compromised.

Data Confidentiality

eTrust SiteMinder encrypts all data and control information that passes among components. All traffic among the policy server, the web agent, and the administrative interface is sent over TCP using 128-bit RC4 encryption, providing very strong confidentiality. All user cookies are encrypted using RC2. Encryption keys are generated automatically and randomly by the policy server. This operation is totally transparent to the administrator, though a re-generation of the keys can be forced at any time, or at any regular interval, for added security.

Encrypted Session Cookies

The eTrust SiteMinder session cookie is an RC4, 128-bit-encrypted session ticket that contains browser information, time, Distinguished Name, an encrypted seed, and other information not disclosed in this paper for security reasons. All these fields are encrypted and randomly ordered.

eTrust SiteMinder does not embed IP or password information in the cookie sent back to the browser. Many homegrown and competing products make the mistake of including IP information, causing massive firewall problems in network address translation (NAT) environments.

The eTrust SiteMinder session cookie has been tested and approved by the security committees of E*Trade, WellsFargo, Citigroup, American Express, BancOne, Bank of America and other large financial companies. In addition, eTrust SiteMinder offers an optional Reverse Proxy Server solution that enables a customer to use various means of session control: a standard eTrust SiteMinder session cookie, SSL ID, miniature cookie for wireless solutions, or encrypted URLs.
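As an added illustration of the session-ticket design described above (my own code, not CA's, and not the real SMSESSION format, which the paper deliberately does not disclose): a toy ticket carrying the field types the paper lists (browser information, time, Distinguished Name, a random seed) in randomly shuffled order, RC4-encrypted under a 128-bit key that only the server side holds, and with no IP address or password inside. RC4 appears only because the paper names it; it is no longer considered safe for new designs, and a real ticket also needs an integrity check (a MAC), which this toy omits.

```python
import base64
import json
import os
import random
import time


def rc4_xor(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream). Encrypt and decrypt are the same XOR."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def make_ticket(key: bytes, user_dn: str, user_agent: str, now: int = 0) -> str:
    """Build an encrypted ticket. Field set and layout are constructed for this
    example; note that no client IP and no password is ever put in the ticket."""
    fields = {
        "dn": user_dn,                      # Distinguished Name of the user
        "ua": user_agent,                   # browser information
        "t": now or int(time.time()),       # issue time
        "seed": os.urandom(8).hex(),        # random seed: two tickets for the same user differ
    }
    items = list(fields.items())
    random.shuffle(items)                   # randomly ordered fields, as the paper describes
    plaintext = json.dumps(items).encode()
    return base64.urlsafe_b64encode(rc4_xor(key, plaintext)).decode()


def parse_ticket(key: bytes, ticket: str) -> dict:
    """Decrypt with the server-side key and restore the field map.
    A ticket produced under a different key decrypts to garbage and fails to parse."""
    plaintext = rc4_xor(key, base64.urlsafe_b64decode(ticket))
    return dict(json.loads(plaintext))


if __name__ == "__main__":
    server_key = os.urandom(16)             # 128-bit key generated on the server, never sent to the browser
    t = make_ticket(server_key, "uid=alice,ou=people,dc=example,dc=com", "Mozilla/5.0")
    print(parse_ticket(server_key, t))
```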
Hardware Stored Encryption Keys

eTrust SiteMinder has partnered with nCipher, the industry leader in hardware-based encryption, to implement storage of the host encryption key in hardware. This hardware technology adheres to industry standards and allows for highly secure yet flexible key management. nCipher's HSMs incorporate the use of smart cards ("tokens") and a card-reading device to securely manage the encryption keys. Using nCipher's HSM, the key management functionality within the eTrust SiteMinder environment supports true random-number key generation, back-up, failover, and archiving capabilities in a FIPS 140-1 certified module.

LDAP Protection from Denial-of-service Attacks

As noted in Carnegie Mellon, CERT 2001-18 (http://www.cert.org/advisories/CA-2001-18.html), LDAP directories are extremely susceptible to denial of service (DOS) attacks. eTrust SiteMinder eliminates these DOS attacks by placing an eTrust SiteMinder Policy Server between the web server and the LDAP directory.

In addition, eTrust SiteMinder ensures that packets attempting authentication match the eTrust SiteMinder-encrypted key before passing on authentication or authorization attempts to the policy server. This chokes off DOS attacks on the eTrust SiteMinder infrastructure.

Protection from Cross-Site Scripting

A cross-site scripting (CSS) attack can occur when the input text from the browser (typically, data from a post or data from query parameters on a URL) is displayed by an application without being filtered for characters that may form a valid, executable script when displayed at the browser. For example, an attack URL can be presented to unsuspecting users. When it is clicked, an application could return to the browser a display that includes the input characters, perhaps along with an error message about bad parameters on the query string. The display of these parameters at the browser can lead to an unwanted script being executed on the browser.

eTrust SiteMinder agents support various options to filter attacks by bad characters in the URL. Using these agent configuration options, the administrator can specify bad CSS, URL and query characters that the agent uses to block or filter requests, preventing such attacks.

Unique Secure HTTP Header Passing

Through the central eTrust SiteMinder user interface, administrators can pass user store attributes through HTTP headers to applications through the eTrust SiteMinder web agent into the inbound channel of the web server. Since the eTrust SiteMinder filter is the dominant filter, it can overwrite all other filters to ensure header validity. In addition, this inbound channel is not visible to external users in the DMZ. That means no firewall port, from the web server to the user store (LDAP, MS/SQL, Oracle, Novell), needs to be opened. eTrust SiteMinder can pass these user store attributes to the application through its encrypted channel. What's more, the channel from the policy server to the web agent is RC4-128-encrypted.

Advanced Web Agents

eTrust SiteMinder does not put authentication or authorization logic on a web server, a common mistake of homegrown and competitor products. Instead, eTrust SiteMinder employs unique web agent filters (NSAPI – Netegrity, ISAPI – Microsoft IIS, DSAPI – Domino and Apache Modules) that integrate with and operate as part of the web server. Web agent filters are much more secure than storing authorization and authentication processes on the web server. All security logic resides behind the DMZ in the protected eTrust SiteMinder Policy Server. This architecture ensures security by not exposing any access logic or policies in the DMZ.

eTrust SiteMinder Developer Capabilities

The eTrust SiteMinder Software Developers' Kit (SDK) supports the development of custom applications to embed eTrust SiteMinder in their environment, and to extend the capabilities of eTrust SiteMinder. Java and C APIs are provided to offer developers a choice of programming languages. Both interfaces contain several sets of APIs. Each set lets developers implement a particular feature, such as developing a custom agent using the Java APIs or extending an authorization scheme using the C APIs. Both client-side and server-side APIs are provided in Java and C. Both C and Java agent APIs can also run on Linux.

Creating Custom Agents

The Agent API is used to build custom agents for enforcing access control and managing user sessions. Enforcing access control consists of authentication, authorization, and auditing of the user. The Agent API works in tandem with the policy server to greatly simplify application development while increasing application scalability with respect to the number of applications and resource-privilege pairs.

Additional capabilities provided by the Agent API include full session management support, notifications for agent key rollovers, real time policy updates, policy server failover, load balancing and logout reason codes. With
logout reason codes exposed, developers can implement client applications that report with finer granularity why a logout was initiated. In addition, logout codes can be used to write separate event handlers to handle the different logout events. The logout codes include: Idle Timeout, Session Timeout and Explicit Logout. The availability of these logout reason codes provides more and better auditing information about user activities.

Single Sign-on Support for Custom Agents

Custom agents built with the Agent API can participate in a single sign-on environment with standard eTrust SiteMinder web agents. Using the Cookie API, custom agents can also create third-party SMSESSION cookies that can be accepted by standard eTrust SiteMinder web agents. Customers have the option to enable or disable the capability for standard eTrust SiteMinder web agents to accept third-party cookies created by custom agents.

Managing the Policy Store

The Policy Management API is used to manage all the objects within the eTrust SiteMinder Policy Store. With the Policy Management API, companies can develop custom Policy Management interfaces to eTrust SiteMinder. For example, a developer can write an application that allows administrators to manage policies, policy responses, global policy configuration, authentication schemes and password policies, shared secret rollover for trusted hosts, and affiliate and affiliate domain management functionality. Both programming and command line interfaces (CLI) are available.

Managing the User Store

The DMS API enables management of objects within an eTrust SiteMinder user directory. Users of the DMS API can develop custom User Management applications using eTrust SiteMinder that enable privileged users to create, add, modify and delete organizations, groups or users. The DMS API performs the following tasks:

functionality is implemented as a shared library and is configured within the eTrust SiteMinder Policy Server Management Console.

Creating a Custom Authentication Scheme

The Authentication API is used to develop plug-in modules to the policy server. These APIs are used to define new authentication schemes as well as custom implementations of known authentication schemes. Modules developed using this API are implemented as shared libraries and can be configured using the eTrust SiteMinder Policy Server Management Console.

The Authentication API supports any type of user credentials:

Flexible Authorization

The Authorization API is used to develop plug-in modules to the policy server for performing custom authorization functions. Modules developed using this API are implemented as shared libraries. The modules can be configured using the eTrust SiteMinder Policy Server Management Console to define active rules, active policies, and active responses.

Adding a Directory Provider

The Directory API is used to develop plug-in modules to the policy server for implementing a custom user store that eTrust SiteMinder does not support.

eTrust SiteMinder supports the following namespaces for user directories:

• LDAP
• ODBC
• Microsoft Windows NT
• Custom

Using the Directory API, an interface can be built to any custom user directory or database.
Session Server API

The Session Server API allows enterprises to store application state information associated with the user and make it available to all applications as a shared service.

Creating a Secure Communication Tunnel

The Tunnel Service API provides secure transfer of data between an agent and a shared library on a policy server that supports the Tunnel Service. Use these APIs to develop tunnel services to securely communicate between the agents and the shared library on the policy server.

When an agent sends a tunnel request to the policy server, the request contains:

• The name of the service library
• The function to be called in the service library
• The data to be passed to the function

The policy server initializes the appropriate service, invokes the requested function, and passes the data to the function. Once the service has performed its task, the policy server returns the results to the agent.

Summary

eTrust SiteMinder is the premier Web security solution for global organizations because it can securely and cost-effectively provide a Web access management solution that lets business in while keeping risk out:

• Enhance Compliance with Regulations. eTrust SiteMinder's central policy management, enforcement, and auditing provide a tool that helps achieve IT control/data privacy and thus regulatory compliance.
• Reduce Administrative Costs. eTrust SiteMinder's robust set of administration tools makes it one of the most manageable security systems available today. With centralized tools, security administrators can manage up to millions of users and secure thousands of resources across the world, 24 hours a day, 7 days a week.
• Reduce Development Costs. eTrust SiteMinder readily integrates with existing applications so that applications can take immediate advantage of its security services without having to be re-designed, re-built and re-deployed. As a result, an eTrust SiteMinder security solution can be quickly deployed, without having to rely extensively on developers.
• Enhance the User's Experience. eTrust SiteMinder's single sign-on capabilities enable users to move from application to application, or site to site, without having to sign on multiple times with different credentials. For employees, single sign-on lets workers get their work done more efficiently; and for customers, single sign-on lets users get the personalized information they need to do business easily and without frustration.
• Improve Security. eTrust SiteMinder provides centralized authorization and authentication services to remove security enforcement from many hundreds or thousands of applications. With centralized security enforcement, security is consistent, comprehensive, and reliable, so that no holes are left open in an eTrust SiteMinder secured web environment.
• Improve Security System Manageability. With the auditing, logging and reporting capabilities of eTrust SiteMinder, administrators can keep it running smoothly and efficiently by analyzing system activities and preventing problems before they occur. When problems do occur, the troubleshooting tools of eTrust SiteMinder give administrators the information they need to resolve the problem quickly so that security services remain available.

Conclusion

With its extended reach and power, the Internet has fundamentally changed traditional business processes. E-business has ushered in the widespread deployment of intranets, business-to-business (B2B) extranets and e-commerce websites. These sites extend business processes to the furthest reaches of the Web, enabling partners, customers, and employees to access critical applications, information, services, and transactions anytime and anywhere.

Given the critical nature of the business processes and data being handled by these systems, isn't it imperative that they be secured using the most comprehensive, scalable, and reliable Web Access Management solution on the market? Providing this consistently over the years is what has made eTrust SiteMinder the "gold standard" in the WAM market year after year.

For More Information

eTrust Identity and Access Management
Website: www.ca.com/etrust
Copyright © 2006 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational
purposes only. To the extent permitted by applicable law, CA provides this document “AS IS” without warranty of any kind, including, without limitation, any implied warranties of merchantability,
fitness for a particular purpose, or non-infringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits,
business interruption, goodwill or lost data, even if CA is expressly advised of such damages. MP279221206