White Paper

eTrust® SiteMinder® r6
December 2006
Updated for eTrust SiteMinder r6 SP5

Table of Contents

The Challenge: Building and Managing Secure Websites and Applications .... 5
    Building the Secure Website .... 5
        Choosing the correct authentication technology .... 5
        Building the user directory .... 6
        Providing a quality single sign-on experience .... 6
    Managing the Secure Website .... 6
        Enabling compliance auditing .... 6
        Implementing security for multiple web applications .... 6
        Managing the security infrastructure .... 6
        Keeping user administration costs down .... 6
        Choosing the correct technology partner .... 6
eTrust SiteMinder Features and Benefits .... 7
    Authentication Management .... 7
    Federation Security Services .... 7
    Authorization Management .... 7
    Role based access control (RBAC) .... 7
    eTrust SiteMinder eTelligent Rules .... 7
    Auditing and Reporting .... 8
    Enterprise Manageability .... 8
Performance, Availability, Reliability, Scalability .... 8
    Performance .... 8
    Availability and Reliability .... 8
    Scalability .... 8
    Security .... 8
    Broad Platform Support .... 9
A Standards-Based Solution .... 9
eTrust SiteMinder Architecture .... 9
    eTrust SiteMinder Policy Server .... 9
        Access control services in a single process .... 10
    eTrust SiteMinder Agents .... 10
        Web agents .... 10
        Application server agents .... 10
        Enterprise application agents .... 10
        Custom Agents .... 10
    Secure Proxy Server .... 10
    Native Directory Integration .... 11
eTrust SiteMinder Authentication Management .... 11
    Authentication Methods .... 11
    Strong authentication support .... 12
    Authentication Policies .... 12
    Certificate Combinations and Alternatives .... 12
    Forms-based Certification .... 12
    Authentication Levels .... 12
    Directory Mapping .... 12
    Password Services .... 13
    Impersonation .... 13
eTrust SiteMinder Authorization Management .... 14
    eTrust SiteMinder Policies .... 14
        Rules/Rule Groups .... 15
        Users .... 15
        Responses .... 15
        IP addresses .... 15
        Time restrictions .... 15
        Active response .... 15
    Fine-grained authorization using eTelligent Rules .... 15
    Global policies .... 15
    Role based access control (RBAC) .... 16
Single Sign-On .... 16
    SSO in Single and Multiple Cookie Domains .... 16
    SSO zones – support of multiple SSO environments .... 17
    Enterprise SSO Integration .... 17
Identity Federation .... 17
    SiteMinder Federation Security Services (FSS) .... 17
    FSS IdP and SP support .... 17
        FSS Multi-protocol support .... 17
        FSS SAML 2.0 capabilities .... 17
        FSS WS-Federation capabilities .... 17
    Federation Hub and Spoke solutions .... 17
    SiteMinder Federation End Point .... 18
Single Sign-on in the Windows Environment .... 18
    Windows integrated security .... 18
    Windows application login .... 18
Auditing and Reporting .... 18
    Auditing .... 18
    Reporting .... 18
        Report drill down capabilities .... 19
        Activity reports .... 19
        Intrusion reports .... 19
        Administrative reports .... 19
        Time series reports .... 19
Enterprise Manageability .... 19
    OneView Monitor .... 19
    Environment Collector .... 20
    Test Tool .... 20
    Logging and policy profiling .... 20
    Centralized Agent Management .... 21
    Rapid Policy Deployment .... 21
    Unattended installations .... 22
    Command line interface .... 22
Performance, Reliability, Scalability and Availability .... 22
    Performance .... 22
        Bulk operations .... 22
        Authentication and authorization .... 23
    Reliability, Availability and Scalability .... 23
        Policy Server Clusters .... 23
Security .... 24
    Data Confidentiality .... 24
    Mutual Authentication .... 24
    Revocation of User Credentials .... 24
    Encrypted Session Cookies .... 24
    Session and Idle Timeouts .... 24
    Rolling Keys .... 24
    Hardware Stored Encryption Keys .... 25
    LDAP Protection from Denial-of-service Attacks .... 25
    Protection from Cross-Site Scripting .... 25
    Unique Secure HTTP Header Passing .... 25
    Advanced Web Agents .... 25
eTrust SiteMinder Developer Capabilities .... 25
    Creating Custom Agents .... 25
    Single Sign-on Support for Custom Agents .... 26
    Managing the Policy Store .... 26
    Managing the User Store .... 26
    Creating a Custom Authentication Scheme .... 26
    Flexible Authorization .... 26
    Adding a Directory Provider .... 26
    Integrating with eTrust SiteMinder Events .... 26
    Session Server API .... 27
    Creating a Secure Communication Tunnel .... 27
Summary .... 27
Conclusion .... 27

The Challenge: Building and Managing Secure Websites

With its extended reach and power, the Internet has fundamentally changed traditional business processes. E-business has ushered in the widespread deployment of intranets, business-to-business (B2B) extranets and e-commerce websites. These sites extend business processes to the furthest reaches of the Web, enabling partners, customers, and employees to access critical applications, information, services, and transactions anytime and anywhere.

Organizations are redeploying the applications that they have built over the years with web front ends, as well as deploying new applications on web servers, J2EE based application servers, and even mainframe systems that include web servers. As they open up their businesses to new users through the web, they face new and complex challenges.

Organizations must solve a new generation of manageability and compliance issues, from deployment of online resources throughout a global environment to enforcing policies, monitoring, and reporting of online activities for regulatory compliance. IT professionals need to support heterogeneous environments by providing flexible deployment approaches. They need to provide enterprise-class performance, availability, and scalability to support potentially millions of users. And they must ensure a long life for these systems by embracing open standards and platforms.

From the security and compliance perspective, there are several factors that must be carefully considered:

• Authentication. Who will access the applications and data? Will multiple user communities, such as partners, customers, and employees, need access? How will authentication across multiple websites be handled? Is simple password authentication sufficient, or are stronger credentials and controls needed?

• Authorization. Organizations need powerful security policies that can be easily leveraged over multiple applications and services. They need to implement a single shared security service to simplify and speed administration, to ease compliance related auditing and reporting, and to reduce the security related burden on application developers.

• Audit. Organizations must closely track how applications and data are used, and how the security system is helping to provide IT controls. System administrators need detailed system data to fine tune performance. Business managers need activity data to demonstrate compliance with security policies and regulations.

• Entitlement service. How can organizations tie in all of the entitlements, that is, profile characteristics of individual users, from multiple directories and user stores into a single, shared security service?

• Enhancing the user experience. How can organizations provide a personal, easy to navigate online session for their users, and at a low cost?

From a user perspective, these new generation Web applications must be:

• Responsive. Delivering high performance applications, whether they're for customers, partners, or employees

• Interactive. Providing the right users access to the right applications, data, services, and other resources

• Simple. Providing a seamless user experience with cross-domain application access.

Today, enterprise IT infrastructures are often insufficient to meet the demands of e-business and unable to manage multiple types of applications accessed by multiple types of users (employees, customers, suppliers and partners) using multiple types of devices (laptops, PDAs, cell phones). Many sites must accommodate millions of users and many millions of transactions without jeopardizing security. In particular, implementers face several challenging business and technical problems grouped into two major areas: first building the secure website and then managing the secure website.

Building the Secure Website

For web developers the process of building a secure website can be very complex. Whether it's managing multiple user directories or creating a shared service for authentication, authorization and audit, they need new tools to design and provide robust security.

Choosing the correct authentication technology

Due to implementation and management challenges, security managers often struggle to define a unified authentication strategy across Internet and intranet applications. The result is that either high value applications are not protected by equally secure authentication systems, or low value web applications are protected by authentication systems that overdo it and push users away. Companies need a single system on which to deploy and manage multiple authentication systems. Organizations need to provide a comprehensive strategy that ensures high value applications are protected by strong authentication while lower value applications are protected by simpler user name/password approaches.

5

development tools. Consequently, administration andauthorization capabilities can vary greatly. Thesedifferences can lead to administrative problems as well asan inconsistent security deployments because these morecomplex environments are often more costly and timeconsuming to administer than single-platform environ-ments. As a result, the quality of website security is oftenlower in heterogeneous IT environments, which is clearlyan unacceptable outcome.

Managing the security infrastructure It’s a daunting and expensive challenge to deploy large-scale websites that can encompass hundreds of webservers, applications, and security policies as well asmultiple types of authentication systems to enforceauthentication and access control; all with 24x7 contin-uous availability. As the number of applications and usersincrease, administrative costs can spike drastically. Asweb applications continue to gain in strategic importance,the management and administration of these complexenvironments becomes a pressing IT challenge.

Keeping user administration costs down Whether it’s expanding the customer base, addingsuppliers to the extranet, reorganizing divisions orimproving service quality, people are the center of everybusiness initiative. But, as e-business websites grow thenumber of users interacting with the sites also grows, andthose increases translate into a broad range of significantmanagement challenges:

• Assigning authentication methods to applications andusers

• Synchronizing IDs and passwords across multipledirectories

• Enabling self-registration and password managementfor users

• Providing phone and online support to potentiallymillions of users, 24x7, around the globe

Choosing the correct technology partner Total cost of ownership is directly related to the abilityto support open standards that leverage existing ITinvestments, offer extensive partnership integration, avoidvendor dead-ends, and minimize expensive third-partyintegrations. It’s possible, of course, to achieve animpressive return on investment (ROI) by movingapplications and the business processes they support, tothe web, but the key is how to do so cost effectively. Asnew web applications are deployed, ROI numbers rise, butwith each new application, access, security management,and scalability requirements and issues also arise. Thesecan reduce ROI if not addressed. To solve this problemcompanies need comprehensive open application programinterfaces (APIs), directory mapping, and a 24x7redundant architecture.

Building the user directory Traditionally, security administrators have deployed anauthentication system and access control list (ACL) witheach application. For a small number of critical applica-tions, these “siloed” authentication systems might beappropriate. However, as the number and complexity ofapplications increase, this approach quickly becomesunmanageable for all involved. With each applicationstoring its own user privilege information within anapplication-specific repository or ACL, separate from anycorporate user directory, redundant user administrationand user databases are created. The user stores quicklyget out of synchronization with the corporate directory,compromising both security and the user experience.

Providing a quality single sign-on experience Successful websites need to provide users with theinformation and services they want, and that theorganization wants them to see, in a personalized contextthat is easy to understand and navigate. If the content isnot personalized, or if users must endure multiple sign-ons to different applications, they become quicklyfrustrated and go elsewhere. In addition, organizationsmight forge relationships with any number of businesspartners whose sites offer complementary value to someportion of the organization’s users.

Identity Federation enables organizations to provide users with single sign-on by transparently linking partner resources to the organization’s website, and linking back from its partner websites. Single sign-on, whether of the internal or external variety (Identity Federation), lets users easily conduct business or obtain value-added access to applications and data.

Managing a Secure Website
From an operational perspective, security issues also play an important role in how organizations manage and operate websites. Key issues include enabling auditing for regulatory compliance, eliminating redundant points of administration, and managing the associated costs of supporting multiple applications and platforms.

Enabling compliance auditing
Driven by compliance regulations such as Sarbanes-Oxley, HIPAA, FFIEC, etc., enterprises need a way to consistently manage and enforce application access policies and provide compliance reports across heterogeneous systems, to answer such questions as who has access to what and who has accessed what. Without an enterprise-wide access control solution, it can be very costly to prove compliance.

Implementing security for multiple web applications
Traditionally, the approach for managing authentication and authorization for web resources often varies across web servers, application servers, operating systems and


The right solution removes authentication from each application and centralizes all Web Access Management (WAM) and security policy in one place. eTrust® SiteMinder® is the right solution: it provides corporate and consumer e-business sites with the secure, scalable and reliable identity and privilege management infrastructure they require for conducting business. It also provides the centralized control that administrators need to efficiently manage and support that security infrastructure.

eTrust SiteMinder Features and Benefits
eTrust SiteMinder offers the type of solution organizations need to meet the challenge of building and managing secure websites. eTrust SiteMinder provides the essential security services required to meet this challenge, while also including management features and technical capabilities that can reduce the total cost of ownership.

Authentication Management
eTrust SiteMinder supports a broad range of authentication methods, including passwords, tokens, X.509 certificates, smart cards, custom forms, and biometrics, as well as combinations of authentication methods. It also supports certificate validation through either certificate revocation lists (CRL) or the Online Certificate Status Protocol (OCSP).

eTrust SiteMinder integrates with industry-leading directory services and user stores, eliminating redundant administration of user information. This integration simplifies administration and provides unique and comprehensive security capabilities. eTrust SiteMinder fully leverages existing user directories, from leading LDAP directories and relational databases to mainframe security directories.

With single sign-on (SSO) and federation, users get unified and personalized access to all available applications and data within and across enterprise boundaries. Organizations and their partners can provide their customers with all their available services; access to all relevant, authorized information; and access to multiple applications that run on multiple servers, multiple platforms, and across multiple internet domains. Single sign-on provides a rich user experience, increased security and reduced customer support costs due to lost passwords.

Federation Security Services
eTrust SiteMinder’s federation capability enables users to move across partner and affiliated websites without having to be re-authenticated. eTrust SiteMinder provides multi-protocol federation support by implementing standards-based technologies including SAML and WS-Federation/ADFS. eTrust SiteMinder can act as an Identity Provider (IdP) that authenticates the user and produces a SAML assertion or WS-Federation security token to propagate to a federation partner, or as a Service Provider (SP) that consumes a SAML assertion or WS-Federation security token generated by a federation partner, to achieve SSO. As a result, eTrust SiteMinder provides a comprehensive, bi-directional federation hub that enables maximum interoperability among enterprises. Organizations with eTrust SiteMinder Federation Security Services can interoperate securely and more effectively with more sites, including sites that use other security solutions. Users get a more seamless experience across affiliated sites, improving the chances for increased revenue and enhanced relationships.

Authorization Management
eTrust SiteMinder centralizes the management of user entitlements for customers, partners and employees across all web applications through a shared service. The eTrust SiteMinder advanced architecture and ability to enforce security policies across the enterprise eliminate the need for redundant user directories and application-specific security logic. Centralized authorization greatly reduces development costs by allowing developers to focus on the application business logic, not on encoding security policies.

eTrust SiteMinder provides security and access management through its security policies, which are designed to accommodate the user and the user’s relationship to the protected resource. A policy protects resources by explicitly allowing or denying user access. It specifies the resources that are protected; the users, groups or roles that have access to these resources; the conditions under which this access should be granted; and the delivery method of those resources to authorized users. If a user is denied access to a resource, the policy also determines how that user should be handled from there.

Role based access control (RBAC)
eTrust SiteMinder, when used with CA Identity Manager, gives enterprises the ability to extend existing authorization policies to roles established for users in CA Identity Manager. Using CA Identity Manager, enterprises can map organizational structure as well as functional responsibilities to create and manage roles. eTrust SiteMinder can then bind security policies to roles for end-to-end identity and access management control.

eTrust SiteMinder eTelligent Rules
As an organization grows and changes, existing security logic within applications will likely have to be modified or extended. With eTrust SiteMinder, security administrators can use eTelligent Rules to make security logic changes outside the applications, without changing program code, further reducing reliance on programming. Most other security solutions would have to rely on applications being re-programmed, re-built and re-deployed.

Auditing and Reporting
Auditing and reporting let managers track user and administrative activity and analyze and correct security events and anomalies. eTrust SiteMinder lets companies define which activities within the eTrust SiteMinder environment are to be logged and where that information should be stored: in a file or in a relational database. Both the policy server and web agents (components of the SiteMinder architecture described later) provide separate audit logging and debug logging.

Enterprise Manageability
eTrust SiteMinder enables efficient management practices in all areas of security system operations, including responsive troubleshooting, fast day-to-day execution of routine operations, and easy-to-manage periodic operations. Daily activities, such as troubleshooting, password services and reporting, can be completed faster and better because eTrust SiteMinder provides centralized administration tools for the entire security environment. eTrust SiteMinder also provides tools that let administrators easily manage the deployment, including remote agents and security policies, regardless of the size of the security environment.

Performance, Availability, Reliability, Scalability
As more web applications are deployed and more business is conducted by more people online, organizations need a security solution that is efficient, available, reliable, and scalable. eTrust SiteMinder meets all these criteria, especially for very large deployments.

Performance
Based on independent third-party comparisons against published data from other vendors, eTrust SiteMinder has proven its ability to provide significantly higher transaction rates than competing solutions.

eTrust SiteMinder achieves these high levels of performance by optimizing the speed of its policy server, the component that runs the centralized security services. With quick start-up and fast runtime performance, the policy servers provide efficient security services capable of supporting millions of users and thousands of protected resources.

Availability and Reliability
eTrust SiteMinder reliably and effectively helps to ensure that the entire environment being secured remains available and accessible to the right users. Administrators can set up load balancing and failover so that if one eTrust SiteMinder component is unavailable, the next one will be used without interruption to the user. Even if an eTrust SiteMinder component fails, it will automatically be restarted to keep all operations going, all the time.

eTrust SiteMinder administrators also have the option to cluster policy servers, that is, to group together policy servers based on criteria that are important to the security system implementation. Once policy servers are clustered, administrators can set up dynamic load balancing within the cluster and automatic failover among clusters to meet the increasing high-performance, high-availability requirements of a growing enterprise.

Scalability
eTrust SiteMinder can be scaled to meet security requirements for almost any website, both in terms of numbers of users and numbers of resources. With eTrust SiteMinder, security administrators don’t have to worry about their company’s new acquisitions or new partnerships. eTrust SiteMinder will be able to handle them: new users, new platforms, new applications, or additional languages. No portion of the enterprise would go unsecured, possibly leaving holes that unauthorized users could take advantage of.

In terms of numbers of users, eTrust SiteMinder can work effectively and efficiently with many millions of users, with information stored on a broad array of user stores. By centralizing user access management, security administrators can manage the security requirements for all categories of users throughout the enterprise from a single location. In fact, some customers of eTrust SiteMinder have reported using the system to support in excess of 20M users.

Security
eTrust SiteMinder offers the most secure communications architecture in the industry, with 128-bit encryption and hardware token-based encryption key management and storage. eTrust SiteMinder combines the best of security and manageability by supporting the deployment of a mix of eTrust SiteMinder Agents and eTrust SiteMinder Secure Proxy Servers across a single policy model. In addition, eTrust SiteMinder supports a comprehensive set of password services, including password composition, dictionary checking and expiration rules, allowing you to implement robust password management rules. When combined with CA Identity Manager, which provides self-service, forgotten-password services, password synchronization, and other services, the combined solution provides a comprehensive set of password management automation services.


Broad Platform Support
To help achieve a higher return on investment (ROI) and lower total cost of ownership (TCO), eTrust SiteMinder leverages existing technology investments by supporting leading infrastructure components, including directories, Web servers, application servers, platforms and authentication methods. eTrust SiteMinder provides native-directory integration with existing directories and databases (LDAP, AD, NT Domain, MS SQL Server, Oracle, RDBMS and others) and integrates with a large number of leading enterprise applications, such as SAP, Siebel, PeopleSoft, and Oracle Applications.

In addition, eTrust SiteMinder includes J2EE application server agents, enabling fine-grained access control of IBM WebSphere and BEA WebLogic Server hosted applications. eTrust SiteMinder extends its security management and single sign-on capabilities to the OS/390 mainframe platform with a web agent for the IBM HTTP web server and support for RACF and TopSecret/ACF2 security directories through the eTrust SiteMinder Security Bridge. What’s more, eTrust SiteMinder also supports authentication for network access devices, including firewalls, dialup servers, and other RADIUS-compliant devices. eTrust SiteMinder is fully multi-byte enabled and can be used to secure the deployment of multilingual sites.

A Standards-Based Solution
Even with extensive support for leading infrastructures and technologies, there are many legacy and custom applications that organizations want to integrate into their web security system. At the same time, technology investments must remain open to best-of-breed technologies and not be locked in to a limited number of vendors. eTrust SiteMinder is the industry’s leading Web access management product in adopting and supporting new technology standards, as well as offering an extensive and well-documented series of Java and C application programming interfaces (APIs) throughout the product. eTrust SiteMinder is developed on open standards. The eTrust SiteMinder development team was a leading designer of the OASIS XML security standard known as Security Assertion Markup Language (SAML).

eTrust SiteMinder Architecture
eTrust SiteMinder is the industry’s leading directory-enabled Web access management system. eTrust SiteMinder enables administrators to assign authentication schemes, define and manage authorization privileges to specific resources, and create rules and policies to implement these authorization permissions. With eTrust SiteMinder, administrators can implement security policies to completely protect the content of an entire Web portal or set of applications.

eTrust SiteMinder consists of two primary components, the eTrust SiteMinder Policy Server and eTrust SiteMinder Agents. See Figure 1 for an overview of the architecture of eTrust SiteMinder.

The following steps give an overview of how eTrust SiteMinder works:

1. The user attempts to access a protected resource.

2. The user is challenged for his credentials and presents them to the Web Agent or to the Secure Proxy Server.

3. The user’s credentials are passed to the policy server.

4. The user is authenticated against the appropriate user store.

5. The policy server evaluates the user’s entitlements and grants access.

6. User profile and entitlement information is passed to the application.

7. The user gets access to the secured application, which delivers customized content to the user.

eTrust SiteMinder Policy Server
The eTrust SiteMinder Policy Server is the “brain” of eTrust SiteMinder. The policy server provides the key security decision-making operations for eTrust SiteMinder. This high-performance server provides load balancing, failover and caching for superior reliability and speed. Policy servers have been designed to be reliable, fast, and easy to manage, so they can be scaled to meet today’s and tomorrow’s business requirements. Policy server operations are optimized to get them initialized and running quickly.

[Figure 1 diagram. Labels: Users (Employees, Partners, Customers); eTrust SiteMinder Secure Proxy Server; Web Server; Destination Web Servers; Secured Applications (Finance, HR/Payroll, Intranet, Supply Chain, CRM, Customer Service, Partner Extranet, e-Commerce); eTrust SiteMinder Policy Server; User & Entitlement Stores (LDAP, Databases, Mainframes, NT Domain).]

Figure 1. eTrust SiteMinder Architecture Overview.

Access Control Services in a Single Process
The eTrust SiteMinder Policy Server is a single-process engine (policy decision point) that runs all four shared services that make up SiteMinder: authentication, authorization, administration and auditing. The single, multi-threaded process results in a highly efficient, simple-to-manage system. The run-time performance is very fast because the single-process server requires a smaller total memory footprint than a multi-process server, and thread context switches run faster than process context switches.

eTrust SiteMinder Agents
Agents provide the enforcement mechanisms (policy enforcement points) for policy-based authentication and access control. They integrate with web servers, application servers, enterprise applications or custom applications to enforce access control based on defined policies.

Web Agents
Web agents control access to web content and deliver a user’s security context, managed by eTrust SiteMinder, directly to any web application being accessed by the user. By placing an agent in a web server that is hosting protected web content or applications, administrators can coordinate security across a heterogeneous environment of systems and create a single sign-on domain for all users.

For web servers, the web agent integrates through each web server’s extension API. It intercepts all requests for resources (URLs) and determines whether each resource is protected by eTrust SiteMinder. If the resource is not eTrust SiteMinder protected, the request is passed through to the web server for regular processing. If it is protected by eTrust SiteMinder, the web agent interacts with the policy server to authenticate the user and to determine if access to the specific resource is allowed. Depending on the policy for the requested resource, the web agent can also pass to the application a response that consists of the user’s attributes from the user directory and entitlement information. The application can use the entitlement information to personalize the page content according to the needs and entitlements of each user.
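The seven-step overview earlier in this section and the web agent behaviour just described, worked through as an added example that is not eTrust SiteMinder code: a small Python model of the agent as policy enforcement point and the policy server as policy decision point. The realm names, URL prefixes, policies and the hashed user store are constructed sample data.

```python
"""Model of the web agent / policy server exchange (constructed example).
The realms, policies, user store and requests are made-up sample data,
not eTrust SiteMinder configuration or code."""
from dataclasses import dataclass, field
from typing import Optional
import hmac, hashlib

# A realm is a resource filter (URL prefix) with the authentication scheme
# that protects it; a policy binds a realm to the groups allowed in and the
# response attributes handed to the application.
@dataclass
class Realm:
    resource_filter: str      # URL prefix the realm covers
    auth_scheme: str          # scheme the agent must challenge with

@dataclass
class Policy:
    realm: str
    allowed_groups: set
    response_attrs: tuple     # directory attributes returned to the application

REALMS = {
    "hr": Realm("/hr/", "forms"),
    "finance": Realm("/finance/", "cert-or-forms"),
}
POLICIES = [
    Policy("hr", {"employees"}, ("mail", "department")),
    Policy("finance", {"finance-staff"}, ("mail", "department", "cost-centre")),
]

# User store (constructed): passwords are kept salted and hashed.
def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

USER_STORE = {
    "alice": {"salt": b"s1", "pw": _hash("correct horse", b"s1"),
              "groups": {"employees", "finance-staff"},
              "mail": "alice@example.test", "department": "Finance",
              "cost-centre": "CC-42"},
    "bob":   {"salt": b"s2", "pw": _hash("battery staple", b"s2"),
              "groups": {"employees"},
              "mail": "bob@example.test", "department": "Support"},
}

@dataclass
class Decision:
    action: str                        # "pass-through", "challenge", "allow", "deny"
    auth_scheme: Optional[str] = None  # scheme to challenge with, if any
    response: dict = field(default_factory=dict)  # attributes for the application

# --- policy server side (policy decision point) -----------------------------
def is_protected(url: str) -> Optional[str]:
    """Find the realm whose filter matches the URL; None if unprotected."""
    matches = [n for n, r in REALMS.items() if url.startswith(r.resource_filter)]
    # Longest prefix wins so a narrow realm is not shadowed by a broad one.
    return max(matches, key=lambda n: len(REALMS[n].resource_filter), default=None)

def authenticate(username: str, password: str) -> Optional[dict]:
    """Step 4: verify credentials against the user store (constant-time compare)."""
    rec = USER_STORE.get(username)
    if rec is None:
        return None
    if not hmac.compare_digest(rec["pw"], _hash(password, rec["salt"])):
        return None
    return rec

def authorize(realm: str, user: dict) -> Optional[Policy]:
    """Step 5: first policy for the realm whose allowed groups the user is in."""
    for p in POLICIES:
        if p.realm == realm and p.allowed_groups & user["groups"]:
            return p
    return None

# --- web agent side (policy enforcement point) ------------------------------
def web_agent(url: str, credentials: Optional[tuple] = None) -> Decision:
    """Intercept one request; the Decision tells the web server what to do."""
    realm = is_protected(url)
    if realm is None:
        return Decision("pass-through")            # unprotected: regular processing
    if credentials is None:                        # step 2: challenge for credentials
        return Decision("challenge", auth_scheme=REALMS[realm].auth_scheme)
    user = authenticate(*credentials)              # steps 3 and 4
    if user is None:                               # bad credentials: challenge again
        return Decision("challenge", auth_scheme=REALMS[realm].auth_scheme)
    policy = authorize(realm, user)                # step 5
    if policy is None:
        return Decision("deny")
    # Step 6: the response becomes the user's security context in the application.
    return Decision("allow", response={a: user[a] for a in policy.response_attrs if a in user})
```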

The web agent caches extensive amounts of contextual information about the current user’s access. The caching parameters that control these services are fully tunable by the administrator to optimize performance and security.

Application Server Agents
To secure more fine-grained objects such as servlets, JSPs, or EJB components, which could comprise a full-fledged distributed application, eTrust provides a family of eTrust SiteMinder application server agents (ASAs). ASAs are plug-ins that communicate with the eTrust SiteMinder Policy Server to extend single sign-on (SSO) across the enterprise, including J2EE application server-based applications. ASAs also enable SiteMinder to centralize security policy management by externalizing J2EE authorization policies through standard interfaces such as those based on JSR 115.

Enterprise Application Agents
eTrust SiteMinder provides several agents that integrate directly with the most widely used enterprise applications. These agents are called ERP agents. The ERP agents extend Web SSO to ERP users. In addition, the eTrust SiteMinder ERP Agents provide ERP-based Web sites with the flexibility to choose the authentication security technology, verification of user session data within the application server, and enforced synchronization between eTrust SiteMinder and ERP application sessions. SiteMinder ERP agents include an SAP agent, PeopleSoft agent, Oracle agent, and Siebel agent.

Custom Agents
The eTrust SiteMinder Policy Server is a general-purpose rules engine that can protect any resource that can be expressed as a string, as well as any operation on those resources. While web agents, application server agents and ERP agents work with the standard features of eTrust SiteMinder, administrators can extend agent functionality by creating and configuring a custom agent using the Agent API and the policy server Management Console. Custom agents can participate with standard eTrust SiteMinder agents to provide a comprehensive single sign-on environment.

Custom agents work with the eTrust SiteMinder Policy Server to control access to a wide range of resources, whether web-based or not. For example, custom agents could be used to control access to an application, an application function or a task performed by an application. A custom agent working with the policy server as the core engine can extend the types of resources that eTrust SiteMinder can protect.

Secure Proxy Server
The eTrust SiteMinder Secure Proxy Server is a turnkey, high-performance proxy gateway that secures an organization’s backend servers, offering an alternative deployment model for eTrust SiteMinder. With Secure Proxy Server, eTrust SiteMinder offers two complementary policy enforcement strategies for a more flexible and secure web access architecture. Customers may choose to deploy traditional eTrust SiteMinder agents or the Secure Proxy Server. These SiteMinder components can be used singly, or in combination, to provide the optimum security and administration environment for any site.


Key benefits of the Secure Proxy Server include:

• Increased Security. The Secure Proxy Server provides multiple authentication schemes (basic, forms-based and certificate-based) while providing a single access management policy enforcement point. It prevents non-authenticated traffic from entering any point in the DMZ and eliminates the exposure of network topology to outside users.

• Greater Deployment Flexibility. The Secure Proxy Server supports multiple session schemes for cookie and cookie-less methods of session tracking. It provides security for any back-end server environment, as well as a platform for building out wireless solutions. Advanced proxy rules dynamically route incoming requests to the appropriate backend server.

• Extensibility, Scalability and Robustness. The Secure Proxy Server is an open and extensible solution, providing a set of Java APIs for building custom session schemes. It is also fully integrated with eTrust SiteMinder’s scalable and robust architecture.

The Secure Proxy Server is a self-contained reverse proxy solution consisting of two components: the proxy engine, with a fully integrated eTrust SiteMinder Agent, and an Apache-based HTTP web listener. The Secure Proxy Server accepts HTTP and HTTP over SSL (HTTPS) requests from web clients, passes those requests to enterprise back-end content servers, and returns resources to the requesting client.

For further detailed information on the eTrust SiteMinder Secure Proxy Server, refer to the Secure Proxy Server white paper available at http://www.ca.com/etrust

Native Directory Integration
eTrust SiteMinder is integrated with industry-leading directory services, eliminating redundant administration of user information. This integration simplifies administration and provides unique and comprehensive security capabilities.

eTrust SiteMinder supports a range of leading LDAP directories and relational databases. eTrust SiteMinder also supports mainframe (OS/390) security directories, such as IBM RACF, eTrust CA ACF2 Security, and eTrust CA TopSecret Security. eTrust SiteMinder treats these directories as if they were regular LDAP user directories, and can provide both full authentication and authorization for users stored in these directories. Support for these directories is achieved through an add-on component called the eTrust SiteMinder Security Bridge.

eTrust SiteMinder supports storage of policy information in a variety of LDAP-enabled directories and SQL databases.

Even though the user store and the policy store are logically separate, the ability to store both users and policies in the same physical directory provides easier administration and better performance. Directory Mapping lets an application authenticate users based on information from one directory and authorize users based on information from a different directory.

eTrust SiteMinder Authentication Management
eTrust SiteMinder offers unparalleled control over what type of authentication method is used to protect a resource and how that authentication method is deployed and managed. Traditionally, it is very challenging to successfully deploy and manage strong authentication systems (for example, two-factor certificates); therefore, most companies stick to using user names and passwords. By centrally managing all authentication systems and using the eTrust SiteMinder advanced authentication policy management capabilities, organizations can successfully deploy mixed authentication methods based on resource value and business needs instead of IT limitations.

Authentication Methods
No single authentication technique is appropriate for all users and all protected resources in all situations. That’s why authentication flexibility is an important requirement. eTrust SiteMinder offers a comprehensive password authentication management solution and integrates out of the box with most leading authentication methods. Since administrators often require varying levels of authentication security for different resources, eTrust SiteMinder supports a range of authentication mechanisms, including:

• Passwords

• Two-factor tokens

• X.509 certificates

• Passwords over SSL

• Smart cards

• Combination of methods

• Forms-based

• Custom methods

• Full CRL and OCSP support

• Biometric devices

• Forms and/or certificates

• SAML

• WS-Federation/ADFS


Certificate revocation is a critical component of a PKI strategy, since invalid certificates must be rejected by the authentication mechanism. eTrust SiteMinder supports CRL processing for all leading public key infrastructure (PKI) vendors, including the requirement that the CRL be located in a directory and searched to ensure the current certificate has not been revoked. In addition, eTrust SiteMinder supports the use of OCSP for real-time certificate validation.

Strong Authentication Support
The FFIEC regulation (and similar ones in other countries) requires online banking services in the USA to implement stronger authentication approaches than simple user names and passwords for sensitive transactions. eTrust SiteMinder provides out-of-the-box integration with multi-factor authentication solutions including RSA SecurID and Secure Computing SafeWord, with solution modules for PassMark and TriCipher, as well as others. There are a large number of strong authentication vendors providing and supporting out-of-the-box integration of their products with eTrust SiteMinder. While eTrust SiteMinder remains authentication agnostic with open authentication APIs, CA will continue to add more out-of-the-box integrations with strong authentication solutions to meet customer requirements.

eTrust SiteMinder provides the capability for administrators to assign multiple authentication schemes, with different authentication strengths, to the same application or resource. The end user can select which one, or which combination, to use for the same application when he logs in: for example, username/password, or SecurID, or a username/password and certificate combination, based on the security policy of the organization and the user’s preference.

eTrust SiteMinder authorization policy can then incorporate authentication context, such as which authentication scheme the user authenticated through, as part of the security policy decision-making. For example, one application may support both username/password and RSA SecurID authentication, but if the user authenticates with SecurID, the user may be granted more permissions, such as a higher level of financial transactions.

Similar to the way that eTrust SiteMinder can incorporate authentication context in its authorization decisions at run-time, eTrust SiteMinder can also incorporate risk profiling data as part of its authorization decision process through an eTelligent Rule callout to a third-party risk analysis solution.

Authentication Policies
Authentication policies give security administrators unique management capabilities to mix and match authentication methods and to brand and customize the credentials collected. eTrust SiteMinder also enables administrators to classify resources into groups based on their value and assign different authentication methods to each level.

Certificate Combinations and Alternatives
Authentication method combinations, such as certificate and password, are very useful when stronger security is required for a specific set of resources. It is also a solution for enterprises where multiple administrators might share a secured machine. The certificate identifies the machine, while each operator has their own password.

Alternative methods (certificate or password) are ideal when administrators require gradual deployment of certificates. When a certificate for authentication is installed, it is used; but if a certificate is not present, eTrust SiteMinder reverts to regular password authentication.

Forms-based Certification
Forms-based authentication enables the implementation of an authentication screen that is tailored to individual needs. This is useful when a common brand identity is desired across all internal applications and sign-on screens. In addition, it supports custom attributes, such as a Social Security number or mother’s maiden name, for authentication. For attributes in the user directory, eTrust SiteMinder performs authentication checks automatically, providing much greater login security.

Authentication Levels
eTrust SiteMinder supports authentication levels. Each authentication method is associated with a particular level, ranging from a top priority of 1 to the lowest priority of 1000. When a user accesses a resource, the priority level of the resource’s authentication method is compared with the priority level of the authentication method that was used to authenticate the user. If the level of the current method is higher than the level used to authenticate the user, a new authentication, using the new resource’s associated method, must be performed. If the user has already been authenticated at a higher level, no re-authentication is required.
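As an added example that is not eTrust SiteMinder code, the level comparison described above combined with the authentication-context authorization from the Strong Authentication Support section (permissions that depend on the scheme used to log in). The scheme names, levels, resource prefixes and transfer limits are constructed sample data, and the block assumes levels compare numerically with the larger number being the more stringent level, which is how the re-authentication rule in the text reads.

```python
"""Authentication levels, step-up and context-aware authorization (constructed
example, not eTrust SiteMinder code). Assumption: a larger level number is the
more stringent level; a resource with a higher level than the session forces
re-authentication, an equal or lower one does not."""
from dataclasses import dataclass
from typing import Optional

# Authentication schemes and the protection level of each (constructed sample).
SCHEME_LEVELS = {
    "basic-password": 5,
    "forms-password": 5,
    "securid-token": 15,
    "x509-cert": 20,
}

# Scheme protecting each resource prefix (constructed sample).
RESOURCE_SCHEMES = {
    "/portal/": "forms-password",
    "/banking/view/": "forms-password",
    "/banking/transfer/": "securid-token",
}

# Authorization rule that uses authentication context: the transfer amount a
# user may move depends on the scheme actually used to log in.
TRANSFER_LIMIT_BY_SCHEME = {
    "forms-password": 500,
    "securid-token": 50_000,
    "x509-cert": 50_000,
}

@dataclass
class Session:
    user: str
    scheme: str                # scheme the user last authenticated with

    @property
    def level(self) -> int:
        return SCHEME_LEVELS[self.scheme]

def scheme_for(resource: str) -> Optional[str]:
    """Scheme of the most specific (longest) prefix covering the resource."""
    matches = [p for p in RESOURCE_SCHEMES if resource.startswith(p)]
    if not matches:
        return None
    return RESOURCE_SCHEMES[max(matches, key=len)]

def step_up_required(session: Optional[Session], resource: str) -> Optional[str]:
    """Return the scheme the user must authenticate with now, or None when the
    existing session already satisfies the resource's level."""
    required = scheme_for(resource)
    if required is None:
        return None                          # unprotected resource
    if session is None:
        return required                      # no session yet: authenticate
    if SCHEME_LEVELS[required] > session.level:
        return required                      # more stringent level: re-authenticate
    return None                              # authenticated at an equal or higher level

def authorize_transfer(session: Session, amount: int) -> bool:
    """Authorization decision that incorporates the authentication context."""
    return amount <= TRANSFER_LIMIT_BY_SCHEME.get(session.scheme, 0)

def access(session: Optional[Session], resource: str, amount: Optional[int] = None) -> str:
    """Run both checks in order and return a short decision string."""
    needed = step_up_required(session, resource)
    if needed:
        return f"challenge:{needed}"
    if amount is not None and (session is None or not authorize_transfer(session, amount)):
        return "deny:amount-exceeds-limit-for-scheme"
    return "allow"
```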

Directory Mapping
eTrust SiteMinder supports directory mapping, which enables applications to authenticate users with a specific directory but authorize using attributes, including group information, stored in a different directory. This is critical because it supports the needs of sites (such as ISPs) that centralize user identities in a single authentication directory but manage group membership and application privileges in a separate, application-specific directory. It is also useful when authentication information is stored in a central directory but authorization information is distributed in separate user directories that are associated with particular applications.

Password Services
Password management is a critical security and cost issue within most corporations. To maintain user security, passwords must be difficult to guess, must change frequently, and must not be reused. In addition, administrators need alerts if suspicious events occur, such as a user failing several successive login attempts. eTrust SiteMinder Password Services provide an additional layer of security to protected resources by enabling the management of user passwords in LDAP user directories or relational databases. To manage user passwords, administrators create password policies that define rules and restrictions governing password expiration, composition, and usage.

Password services can enforce multiple password policies through a priority list of policies that apply to multiple applications being protected across one or more user directories. Password services also enable password self-service for end users. Developers can implement eTrust SiteMinder Password Services through either CGI with customizable HTML forms or through a servlet with customizable JavaServer Pages (JSP forms). Expanded password services can be leveraged through the combined use of eTrust SiteMinder and CA Identity Manager.

• Directory Usage. Apply Password Services to an entire directory of users or to a subset. eTrust SiteMinder also supports nested groups within the name-space of a user directory.

• Password Expiration. Set a maximum number of login failures and define inactive-password policies, that is, the time period after which an unused password expires. Expirations can also be set for user passwords based on time variables, thereby forcing users to reset current passwords.

• Password Composition. eTrust SiteMinder enablesthe definition of minimum and maximum lengths ofpassword characters and whether passwords shouldrequire numbers. Composition also uses a passworddictionary. Regular expressions can be set in thedictionary and all valid passwords must either include orexclude the expressions set in the reference dictionary.Restrictions can be managed using dictionary reference.Reuse of older passwords can be denied, similarpassword structures can be denied, and specific wordscan also be restricted from use in a password.

• Password Usage. eTrust SiteMinder includes a seriesof advanced password services that enforce the use ofupper and lower case letters within a password: alluppercase, all lower case, case does not apply. The useof white spaces can also be specified: no white spaces,no white spaces before a character or after a character.

• Password Services Self-registration and Management.eTrust SiteMinder enables end users to register as anew user, create a user name and password, set expira-tions to that password, and change the passwordwhenever the user feels it necessary.

When Password Services are active, eTrust SiteMinder invokes a password policy whenever a user is authenticated as well as when a user password is set or modified. The Password Services action depends on the context, which includes the user credentials and the policy. If the user is trying to create or modify the password and the new password does not meet the password policy requirements, the operation fails. If the user is attempting to authenticate with a password that has expired, or if the user account was marked inactive, actions such as disabling the account or redirecting to an information page can also be specified in the password policy.
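To make the two decision points above concrete, the following is an added example (not CA's code, and not the product's configuration schema) of a password policy that applies the composition, usage, expiration and lockout dimensions listed above, once when a password is set or changed and once at authentication time. The rule names, the similarity threshold and the plaintext history list are assumptions made for illustration.

```python
import difflib
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class PasswordPolicy:
    """Rule set mirroring the policy dimensions in the text (field names are illustrative)."""
    min_length: int = 8
    max_length: int = 64
    require_digit: bool = True
    case_rule: str = "any"            # "upper", "lower" or "any", as the text lists them
    whitespace_rule: str = "none"     # "none", "no_leading_trailing" or "any"
    must_include: list = field(default_factory=list)  # dictionary regexes a password must match
    must_exclude: list = field(default_factory=list)  # dictionary regexes a password must not match
    forbidden_words: list = field(default_factory=list)
    history_depth: int = 5            # deny reuse of this many previous passwords
    max_similarity: float = 0.75      # deny structures too close to a previous password
    max_login_failures: int = 5
    max_age_days: int = 90            # time-based expiration
    inactive_days: int = 180          # inactive-password expiration


def check_new_password(policy, candidate, history, username=""):
    """Return the list of violated rules; an empty list means the change is accepted."""
    violations = []
    n = len(candidate)
    if n < policy.min_length or n > policy.max_length:
        violations.append("length")
    if policy.require_digit and not any(c.isdigit() for c in candidate):
        violations.append("digit_required")
    letters = [c for c in candidate if c.isalpha()]
    if policy.case_rule == "upper" and any(c.islower() for c in letters):
        violations.append("case_upper")
    if policy.case_rule == "lower" and any(c.isupper() for c in letters):
        violations.append("case_lower")
    if policy.whitespace_rule == "none" and any(c.isspace() for c in candidate):
        violations.append("whitespace")
    if policy.whitespace_rule == "no_leading_trailing" and candidate != candidate.strip():
        violations.append("whitespace_edge")
    for pattern in policy.must_include:
        if not re.search(pattern, candidate):
            violations.append("dictionary_include:" + pattern)
    for pattern in policy.must_exclude:
        if re.search(pattern, candidate):
            violations.append("dictionary_exclude:" + pattern)
    lowered = candidate.lower()
    for word in policy.forbidden_words + ([username] if username else []):
        if word and word.lower() in lowered:
            violations.append("forbidden_word:" + word)
    # Reuse and structural similarity are checked against the most recent history only.
    # The history holds plaintext here purely for illustration; a real store keeps hashes,
    # which permits the reuse check but not a similarity ratio.
    for old in (history[-policy.history_depth:] if policy.history_depth else []):
        if candidate == old:
            violations.append("reuse")
            break
        if difflib.SequenceMatcher(None, candidate, old).ratio() >= policy.max_similarity:
            violations.append("similar_to_previous")
            break
    return violations


@dataclass
class AccountState:
    failed_logins: int
    password_set_at: datetime
    last_login_at: datetime
    disabled: bool = False


def authentication_action(policy, account, now):
    """Decide what happens when a user presents a password at login time."""
    if account.disabled:
        return "disabled"
    if account.failed_logins >= policy.max_login_failures:
        return "disable_account"          # too many successive failures
    if now - account.last_login_at > timedelta(days=policy.inactive_days):
        return "inactive_redirect"        # unused password has expired: send to info page
    if now - account.password_set_at > timedelta(days=policy.max_age_days):
        return "force_password_change"    # time-based expiration
    return "allow"
```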

Impersonation
eTrust SiteMinder supports impersonation, where one authorized user can access what another user can access. With impersonation, a customer service representative, for example, can act on behalf of users to run tasks for them that they otherwise might not want to, or know how to, run themselves.

With impersonation, a previously authenticated user uses their identity to assume the identity of another user without presenting the other user’s credentials. Secure information, such as passwords, no longer has to be transferred over the phone. To start the impersonation, the customer representative requests a defined resource that is mapped to the impersonation authentication scheme. Then the representative is prompted to enter the impersonation username.

eTrust SiteMinder makes sure that impersonation is a secure operation, that only entitled users can impersonate other users:

• Administrators set up impersonation as an eTrust SiteMinder rule in a policy. In this way, impersonation can be very finely controlled because policies can define exactly who can impersonate whom for which resources within a realm.

• All impersonation sessions are audited to provide a history of events for record keeping and non-repudiation. Information from both the user who is impersonating and the user who is being impersonated is recorded.

• Private information can be hidden from the impersonating subject, as necessary to protect a customer’s privacy.


eTrust SiteMinder includes impersonation templates that administrators can configure and brand, like any other eTrust SiteMinder HTML forms-based authentication scheme. As a result, impersonation is straightforward to set up and configure as well as being straightforward to use.

eTrust SiteMinder Authorization Management
Entitlement management (authorization) is one of the most critical issues for web applications. Users need to access information, but must be authenticated and authorized based on their privileges before gaining access. Traditionally, the entitlement management model for web resources often varies across web servers, application servers, operating systems and development tools. Consequently, the administration of one server can differ from the administration of another, and entitlement management capabilities offered by these various servers and tools can differ. These differences can lead to administrative problems as well as an inconsistent security framework.

eTrust SiteMinder provides centralized authorization management through its policies for all web resources, across web servers, application servers, and so on. Administrators work with the Policy Server Management Console to define policies that restrict access to specific web resources by user, role, group, dynamic group and exclusions. Centralized access control through policies provides very fine grained control to administrators, allowing them to implement access control at the file, page or object level.

The Policy Server Management Console is a single, browser-based, administrative system that extends across all intranet and extranet applications. A consistent security policy simplifies the central management of multiple web applications. A centralized approach to security management provides the following advantages:

• It eliminates the need to write complex code to manage security in each application

• The time and cost to develop and maintain multiple security systems is eliminated; sites deploy only one security system for all applications

• eTrust SiteMinder manages the security privileges of customers, business partners, and employees, whether they access the corporate network locally or remotely through the internet or a private network

eTrust SiteMinder Policies
eTrust SiteMinder provides security and access management based on policies that make access and security management more flexible and scalable because they are built around the user and the user’s relationship to the protected resource.

A policy protects resources by explicitly allowing or denying user access. It specifies the resources that are protected, the users, groups or roles that have access to these resources, the conditions under which this access should be granted, and the delivery method of those resources to authorized users. If a user is denied access to a resource, the policy also determines how that user is treated.

An eTrust SiteMinder policy binds rules and responses to users, groups and roles. The responses in a policy enable the application to customize the delivery of content for each user. Policies reside in the policy store, the database that contains all the eTrust SiteMinder entitlement information. The basic structure of a policy is shown in Figure 2.

When a policy is constructed, it can include multiple rule-response pairs bound to individuals, user groups, roles, or an entire user directory. Administrators can also configure multiple policies to protect the same web resources for different sets of users, adding responses that enable the web application to further refine the web content shown to the user.

One of the configuration options of a policy is a time restriction. If a time restriction is specified for a policy and a rule in that policy also contains a time restriction, the policy executes only during those times when both restrictions overlap.

Today, line-of-business needs are driving IT security managers to use real time data, either entered by the user or by a third-party service, as part of the authorization process. To process real time data, security-related logic must be coded into back-end business applications. However, this security logic is expensive to maintain because it requires developers to implement separate security-code changes for each back-end application. What’s more, the custom security code typically does not solve the business requirement because the authorization data cannot be evaluated in real time by the application.

Security administrators can use eTrust SiteMinder eTelligent Rules to build comprehensive expressions representing business logic and to utilize internal and external data for real time decision making. Variables, whose values are dynamically retrieved at runtime, can be used in the expressions. eTelligent Rules resolve values for variables from user attributes in user stores, from data in forms users completed, or through web services calls to local or remote data sources. The values are then evaluated against the expression as part of the policy decision making process, together with other policy constraints.


For example, in a financial services website, a user wants to access services that are available only to customers with a certain credit rating. eTelligent Rules can be implemented using web services calls to check the customer’s current credit rating with an external, online credit service. If the customer’s credit rating is adequate, then access is allowed (assuming all other security policy criteria are met).

Rules/Rule Groups
A rule identifies and allows or denies access to a specific resource or resources that are included in the policy.

Users
A policy specifies the users, groups of users, or roles that are included or excluded by the policy. Users or user groups are located in native directories linked to eTrust SiteMinder, and role information (for RBAC) is stored in the eTrust SiteMinder Policy Store.

Responses
A response defines information (for example, user attributes) that can be passed to an application when a user is accessing the resource. The application may use this information to provide finer access control and/or customize the appearance of the resource.

IP addresses
A policy may be limited to specific user IP addresses. If a user attempts to access a resource from an IP address not specified in the policy, the user will not be allowed access.

Time restrictions
A policy may be limited to specific days or ranges of hours. A policy with a time restriction will not allow access outside specified times.

Active response
An Active Response allows business logic external to eTrust SiteMinder to be included in a policy definition, enabling eTrust SiteMinder to interact with custom software created using the eTrust SiteMinder APIs.

Fine-grained authorization using eTelligent Rules
In addition to supporting static rules, administrators can configure eTelligent Rules, that is, an active policy that authorizes users based on dynamic data obtained from external business logic. Furthermore, multiple contexts can be evaluated using eTelligent Rules expressions to achieve fine-grained authorization. For example, a policy could limit access to a specific application to customers who have a current account balance of less than $1,000. In this way, application data that is often stored in transactional systems like a bank-transactions database can be included within the policy enforcement capabilities of eTrust SiteMinder.

Global Policies
The global policies of eTrust SiteMinder significantly improve how policies can be organized and they reduce redundant operations for configuring multiple policies in large enterprises. Global policies provide administrators with the ability to define policy objects, rules, and responses with global scope, separately from a policy domain. When separated from a domain, administrators can define common policy objects, rules, and responses once that apply across multiple domains. Then, they can easily update the common policy objects, rules, and responses without having to locate each item in each realm throughout the domains. In addition to improving policy administration, global policies can help ensure compliance with federal regulations or corporate rules because they can enforce those rules and regulations across the enterprise, if required.

Each component of a global policy remains complementary to its domain-specific counterpart; that is, if there is a domain-specific policy object, rule or response with the same reference, the domain-specific item takes precedence over the global item. System level administrators can also disable global policies for any domain, if they so choose. Global policies allow time restrictions to be specified when rules are in effect.


Figure 2. eTrust SiteMinder Policy. [Diagram of the options that make up an eTrust SiteMinder policy: Rule or Rule Group (determines access to a resource); Users or Groups in a Directory (users, groups, exclusions and roles); Response or Response Group (action that occurs when a rule fires); eTelligent Rule (expression using external data); Time (time when the policy can or cannot fire); IP Address (IP address that the policy applies to); Active Response (dynamic extension of the policy).]

For example, administrators define a policy in each realm to redirect users to the same web page when users are not authenticated or not authorized to access a resource. With global policies, administrators define a redirect policy once and that single global policy can be used by all realms. Without global policies, administrators have to define that same policy over and over for each realm.

Global policies are managed by system-level administrators only, using the Policy Server Management Console, the Policy Management API, or the Perl script interface to the Policy Management API.
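The policy structure of Figure 2, the overlap rule for policy and rule time restrictions, the IP restriction, the credit-rating eTelligent Rule example and the precedence of domain items over same-named global items are all exercised by the following added example. It is illustrative code, not the Policy Server's implementation: the class and header names, the "deny rule wins" ordering and the in-memory credit-rating lookup standing in for the external web service are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Callable, Optional


@dataclass
class TimeRestriction:
    days: frozenset             # weekday numbers, Monday == 0
    start: time
    end: time

    def allows(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start <= when.time() < self.end


@dataclass
class Rule:
    name: str
    resource_prefix: str        # resource filter within the realm, e.g. "/premium/"
    allow: bool = True          # a rule either allows or denies access
    window: Optional[TimeRestriction] = None


@dataclass
class Policy:
    name: str
    rules: list
    users: set = field(default_factory=set)        # user, group or role names bound to the policy
    excluded: set = field(default_factory=set)     # exclusions override membership
    responses: dict = field(default_factory=dict)  # header name -> user attribute to deliver
    ip_networks: list = field(default_factory=list)
    window: Optional[TimeRestriction] = None
    expression: Optional[Callable] = None          # eTelligent-style predicate (subject, context) -> bool


@dataclass
class Subject:
    name: str
    groups: set
    roles: set
    attributes: dict


def effective_policies(domain_policies, global_policies):
    """Merge global and domain policies; a domain item with the same reference
    name takes precedence over the global one."""
    by_name = {p.name: p for p in global_policies}
    by_name.update({p.name: p for p in domain_policies})
    return list(by_name.values())


def evaluate(policies, subject, resource, client_ip, now, context):
    """Return ("allow" | "deny", responses). Any matching deny rule wins; otherwise
    the request is allowed only if at least one policy rule grants it."""
    identities = {subject.name} | subject.groups | subject.roles
    granted, responses = False, {}
    for p in policies:
        if subject.name in p.excluded or not identities & p.users:
            continue
        if p.ip_networks and not any(ip_address(client_ip) in net for net in p.ip_networks):
            continue
        if p.window and not p.window.allows(now):
            continue
        for r in p.rules:
            if not resource.startswith(r.resource_prefix):
                continue
            # Policy and rule time restrictions must both hold, i.e. they must overlap now.
            if r.window and not r.window.allows(now):
                continue
            # External data is consulted at decision time, as with eTelligent Rules.
            if p.expression and not p.expression(subject, context):
                continue
            if not r.allow:
                return "deny", {}
            granted = True
            for header, attr in p.responses.items():
                if attr in subject.attributes:
                    responses[header] = subject.attributes[attr]
    return ("allow", responses) if granted else ("deny", {})


# Constructed stand-in for the external credit-rating web service the text mentions.
CREDIT_RATINGS = {"alice": 720, "bob": 610, "carol": 750}
DEMO_CONTEXT = {"credit_rating": lambda user: CREDIT_RATINGS.get(user, 0)}

BUSINESS_HOURS = TimeRestriction(days=frozenset(range(5)), start=time(8, 0), end=time(18, 0))

PREMIUM_POLICY = Policy(
    name="premium_services",
    rules=[Rule("allow_premium", "/premium/")],
    users={"customers"},
    excluded={"mallory"},
    responses={"X-Credit-Tier": "tier"},        # constructed header name
    ip_networks=[ip_network("10.0.0.0/8")],
    window=BUSINESS_HOURS,
    expression=lambda subject, ctx: ctx["credit_rating"](subject.name) >= 700,
)
```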

Role Based Access Control (RBAC)
eTrust SiteMinder, used in conjunction with CA Identity Manager, provides enterprises with role based access control. Roles define job responsibilities, or a set of tasks that are associated with a job or business function. Each task corresponds to an operation in a business application. A single role can have one or more tasks defined in it and users can have one or more roles assigned to them. The CA Identity Manager central administrator creates role and task definitions. Only after a user is assigned a role can they perform the tasks defined in that role.

When CA Identity Manager is used with eTrust SiteMinder, eTrust SiteMinder extends the power of roles beyond job descriptors to access management. The CA Identity Manager administrator works with the eTrust SiteMinder administrator to bind CA Identity Manager roles to eTrust SiteMinder policies. Once the roles are bound to eTrust SiteMinder policies, the user and access management link is established. CA Identity Manager manages the users and their roles; eTrust SiteMinder manages secure access to resources specified by their roles.

The role based access control implementation is non-intrusive and flexible. CA Identity Manager roles can be used directly by eTrust SiteMinder without the need to modify user directories.

Single Sign-On
One of the most common challenges Web site operators face is multiple user logins. No universal single sign-on (SSO) solution exists today, primarily because there are no formal standards to facilitate an open solution across all systems. eTrust SiteMinder supports SSO in several ways: single sign-on in single and multiple cookie domains, leveraging identity federation using SAML and WS-Federation/ADFS, and leveraging Microsoft Windows/Kerberos in a Windows environment. With its broad support for single sign-on, users get seamless access to resources across networks of websites.

SSO in Single and Multiple Cookie Domains
When a user authenticates with eTrust SiteMinder, an encrypted cookie is created that contains the necessary session information about the user. The cookie is encrypted with a 128-bit symmetric cipher. No user password information is ever kept within the cookie. When the user requests access to a different protected resource, eTrust SiteMinder decrypts the information in the cookie and securely identifies the current user. No additional authentication is required. See Figure 3 below.

eTrust SiteMinder also supports cross-domain SSO. When users authenticate to a single Internet domain, eTrust SiteMinder eliminates the need to re-authenticate when they access protected resources or applications in a different domain. Cross-domain SSO is a critical capability, especially for large enterprises with multiple divisions or multinational businesses. See Figure 4 below.

Figure 4. Single sign-on across multiple cookie domains.

In an environment that includes resources across multiple cookie domains, eTrust SiteMinder supports single sign-on across applications running on heterogeneous web and application server platforms using a cookie provider, a specially configured eTrust SiteMinder Agent that passes a cookie containing the user’s identity and session information to other cookie domains in the SSO site. This enables eTrust SiteMinder to authenticate the user across the entire virtual website, even though it consists of multiple domains.


Figure 3. Single sign-on within a single cookie domain. [Diagram: employees, partners and customers authenticate once to the eTrust SiteMinder Policy Server and then reach /app1/ on a web server and /servlet1/ on an application server, both in mycompany.com and each running an eTrust SiteMinder Agent.]

[Figure 4 diagram: cookie domains mycompany.com, subsidiaryA.com and subsidiaryB.com; the web server in one domain is designated as the "cookie provider" for the SSO site and passes authentication, user entitlements and session identity to the web and application servers with protected applications in the other domains.]

Within the SSO site, users enter their credentials upon their first attempt to access a protected resource. After they are authenticated and authorized, they can move freely between different realms that are protected by authentication schemes of an equal or lower protection level without re-entering their identification information. Figure 4 shows SSO across multiple cookie domains.

eTrust SiteMinder’s support for SSO improves the overall user experience by simplifying access among servers and applications. It also lowers administrative costs by allowing users to access the data they need using only one password.

SSO Zones — Support of Multiple SSO Environments
eTrust SiteMinder can enable multiple SSO environments within the same domain with the same eTrust SiteMinder deployment if the enterprise wants to partition its SSO environment into multiple zones. Administrators can group applications into specific security zones. End users can then be provided SSO within the same security zone. However, these same users will be re-challenged when attempting to access a different security zone. These security zones can be at the same level of authentication or at different levels; the arrangement is fully flexible. The end user may have multiple eTrust SiteMinder cookies active for different security zones at the same time.

Enterprise SSO Integration
eTrust SiteMinder is integrated with the eTrust SSO component of the CA IAM solution to provide one fully integrated solution for web and non-web single sign-on. The user uses eTrust SSO to single sign-on to non-web applications, and at the same time, the user is able to seamlessly access eTrust SiteMinder protected web resources without being re-challenged. eTrust SiteMinder uses an authentication scheme to validate the user’s SSO session ticket behind the scenes without challenging the user for credentials. Furthermore, the SSO user may get access to external resources through the identity federation capabilities of eTrust SiteMinder, described below.

Identity Federation
eTrust SiteMinder Federation Security Services (FSS)
eTrust SiteMinder Federation Security Services is designed to provide identity federation both within the company and with external business partners. With browser-based federation the end user visits web sites hosted by the host Web site’s business partners. Browser-based federation is provided by eTrust SiteMinder FSS through its support of the Security Assertion Markup Language (SAML) and WS-Federation/ADFS.

FSS IdP and SP Support
eTrust SiteMinder FSS can act as an Identity Provider (IdP) that authenticates the user and produces a SAML assertion or WS-Federation security token to propagate to a partner, or as a Service Provider (SP) that consumes a SAML assertion or WS-Federation security token generated by a partner to achieve SSO. As a result, eTrust SiteMinder provides complete, bi-directional federation that enables maximum interoperability among enterprises. eTrust SiteMinder is well situated to enable a federation hub with many different IdP and SP partners.

FSS Multi-Protocol Support
eTrust SiteMinder FSS provides multi-protocol federation support including SAML 1.0, SAML 1.1, SAML 2.0, and WS-Federation/ADFS, selectable through a pull down menu when configured with each federation partner, thus allowing an eTrust SiteMinder administrator to select the appropriate protocol and version for each partner.

FSS SAML 2.0 Capabilities
For SAML 2.0, eTrust SiteMinder FSS supports Web SSO profiles (both POST and Artifact), Single Logout, Identity Provider Discovery, and Enhanced Client/Proxy SSO profiles.

eTrust SiteMinder FSS also provides SAML attribute request and response services through the implementation of this portion of the SAML 2.0 specifications. eTrust SiteMinder FSS can act as an Attribute Authority that processes attribute queries and supplies an assertion with attributes for a user, and it can also act as a SAML Requester that requests a SAML assertion with attributes for a user. Attribute assertions can be used to pass user identity information for authorization, personalization, or provisioning purposes.

FSS WS-Federation/ADFS Capabilities
For WS-Federation/ADFS, eTrust SiteMinder FSS supports SSO, using the WS-Federation Passive profile Sign On service, and SLO, using the WS-Federation Passive profile Sign Out service, enabling interoperability with Microsoft Active Directory Federation Services (ADFS). Both the Microsoft ADFS and eTrust SiteMinder implementations support the SAML 1.1 security token.

Federation Hub and Spoke Solutions
Built on top of eTrust SiteMinder, FSS inherits the reliability, availability, and scalability (RAS), as well as the manageability, that is intrinsic to eTrust SiteMinder. eTrust SiteMinder is thus well suited to provide federation “hub” capabilities that enable customers to federate with a large number of their partners.


In addition to eTrust SiteMinder FSS as a federation hub solution, to enable customers to federate with those partners that do not have a SAML/WS-Federation/ADFS compliant security infrastructure, CA provides a lightweight federation end point solution — the eTrust SiteMinder Federation End Point. The eTrust SiteMinder Federation End Point is a multi-protocol end point solution with IdP and SP capabilities.

SiteMinder Federation End Point
For eTrust SiteMinder FSS customers, the eTrust SiteMinder Federation End Point is a lightweight federation solution which enables their partners to federate with them when their partners do not have existing federation infrastructure. The eTrust SiteMinder Federation End Point provides the same level of protocol support as eTrust SiteMinder FSS and can act as an Identity Provider or Service Provider without requiring eTrust SiteMinder or an equivalent WAM solution to be installed on the partner site.

While the eTrust SiteMinder Federation End Point provides full federation functions and quick partner enablement, the following facts should be kept in mind:

• It only interoperates with eTrust SiteMinder FSS, and is not intended to be a general purpose federation solution that interoperates with multiple other federation solutions. For that, a full deployment of eTrust SiteMinder FSS is recommended.

• It does not provide resource protection and access control capabilities like those provided by eTrust SiteMinder, and thus integration with applications or existing access control capabilities is generally needed. Alternatively, a full deployment of eTrust SiteMinder is recommended for the partner.

For detailed information on the eTrust SiteMinder Federation Security Services, refer to the Universal Federation Architecture white paper that is available at http://www.ca.com/etrust

Single Sign-On in the Windows/Kerberos Environment
eTrust SiteMinder single sign-on is especially important in the Microsoft Windows environment because internal users access many enterprise applications from their standard Windows desktop.

Windows Integrated Security
Users who log in to their desktop using Windows NT authentication and use Internet Explorer to access Web applications deployed on any web server can log in to eTrust SiteMinder without being re-challenged as long as there is at least one Microsoft IIS web server configured to use eTrust SiteMinder. With this capability, the user only has to remember their desktop password and can be provided Web SSO widely.

Windows Application Login
eTrust SiteMinder also supports Windows application login, enabling a user to log in to eTrust SiteMinder and subsequently launch Windows/COM+ web applications such as Microsoft Outlook Web Access and Microsoft Commerce Server. With Windows application login, administrators can enforce access control on non-eTrust SiteMinder-protected Windows applications for all eTrust SiteMinder users with a Windows identity (NTLM or LDAP) by initializing their application security context with eTrust SiteMinder.

Auditing and Reporting
Administrators need to know who is doing what and when. eTrust SiteMinder auditing logs all activity throughout the eTrust SiteMinder environment. eTrust SiteMinder stores the audit information in a flat file or relational database. When you set up eTrust SiteMinder to store information in a relational database, you can use commercial reporting solutions to present that auditing information in any format required.

Changing federal laws, in-depth regulatory financial audits, and increased security threats from external hackers have all pushed access management auditing and reporting to the forefront of product feature sets. eTrust SiteMinder reporting supports granular information collection and analysis on access, activity, intrusion, and audit information to fulfill many of these reporting requirements.

Auditing
eTrust SiteMinder audits all user and site activity, including all authentications and authorizations, as well as administrative activity, and any changes to the policy store. eTrust SiteMinder also tracks user sessions so administrators can monitor the resources being accessed, how often users attempt access, and how many users are accessing the site. Additionally, eTrust SiteMinder provides the ability to filter audit events (for example, record only failed authorizations), allowing the administrator to track only events of interest.

Reporting
eTrust SiteMinder audit data can be used to build reports, leveraging the reporting solution that your company currently uses. eTrust SiteMinder provides stored procedures and sample Crystal Reports templates. If you integrate Crystal Reports with eTrust SiteMinder, you can take advantage of the sample report templates described below. If you use other commercial reporting solutions, you can use the eTrust SiteMinder provided stored procedures to easily access the audit information in the database and build your own reports. Regardless of your reporting solution, eTrust SiteMinder provides you with the data you need to generate reports like those described in this section.


Report Drill Down Capabilities
eTrust SiteMinder reports begin with a summary of the data in the report. Clicking on a summary item, such as a date, user, or agent, allows administrators to view more detailed information. Drill down details contain the following information:

• Time. Lists the exact times when each event occurs, from the oldest time to the most recent

• User. Contains the user name associated with the reported event

• Agent. Lists the names of the agents where the reported event occurred

• Administrator. The eTrust SiteMinder Account Username is listed

• Category. Describes the type of event that was logged

• Description. Describes the actual event that occurred during the time noted in the report. When any category of event is logged as a rejection or failure, the text on the screen is shown in red and marked with an exclamation (!) mark.

Activity Reports
Activity reports show a variety of user, eTrust SiteMinder agent, and resource activity data at different levels of granularity. There are four types of Activity Reports:

• All Activity Report. Transactions and failures of all users that occurred during the period of time covered by the report

• Activity by User Report. Users and their sessions, including the number of transactions and failures that occurred during the period of time covered by the report

• Activity by Agent Report. Lists active agents and provides information, such as the number of transactions and failures that occurred on each agent during the reporting period

• Activity by Resource Report. Resources accessed during the reporting period, including host names, the number of resources accessed, the number of transactions, and the number of failed access attempts

Intrusion Reports
Intrusion Reports show failed authentication and authorization attempts by users and/or agents at different levels of granularity. The main intrusion report is the All Failed Authentication and Authorization Attempts report, which lists all failed user authentication, authorization and administration attempts by date and time. This report is broken down into two sub-reports:

• Failed Authentication and Authorization Attempts by User

• Failed Authentication and Authorization Attempts by Agent

Administrative Reports
The main administrative report is the All Administrative Activity report, which covers all administrative activity by date. It is broken down into two sub-reports:

• Activity by Administrator Report. Covers all administrative activity by administrator

• Activity by Object Report. Covers all administrative activity by object (Administrator, Agent, Policy, and so on)

Each report contains columns of information including Time, Administrator, and a brief description of the activity.

Time Series Reports
Administrators can view two types of Time Series Reports:

• Daily Transactions Report. Includes all successful and failed authentications and authorizations by day

• Hourly Transactions Report. Breaks the data further down into successful and failed authentications by hour

Time Series reports are displayed as bar charts. See Figure 5. Administrators can view a chart of all transactions, or view the authentications, authorizations, or administration transactions separately.
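The audit filtering described under Auditing and the Intrusion and Time Series report breakdowns above can be reproduced over a stream of audit events; the following is an added example that does so over constructed records. The record layout and field names are invented for illustration and are not eTrust SiteMinder's audit schema or its stored procedures.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample audit events: (timestamp, category, user, agent, resource, result).
SAMPLE_EVENTS = [
    ("2006-12-04 09:02:11", "authentication", "alice",   "agent-web1",    "/app1/",          "success"),
    ("2006-12-04 09:02:12", "authorization",  "alice",   "agent-web1",    "/app1/",          "success"),
    ("2006-12-04 09:15:40", "authentication", "bob",     "agent-web1",    "/app1/",          "failure"),
    ("2006-12-04 09:15:52", "authentication", "bob",     "agent-web1",    "/app1/",          "failure"),
    ("2006-12-04 09:16:05", "authentication", "bob",     "agent-web1",    "/app1/",          "failure"),
    ("2006-12-04 10:31:00", "authorization",  "carol",   "agent-app2",    "/servlet1/admin", "failure"),
    ("2006-12-04 10:31:30", "authorization",  "carol",   "agent-app2",    "/servlet1/admin", "failure"),
    ("2006-12-04 10:45:09", "administration", "smadmin", "policy-server", "Policy:premium",  "success"),
    ("2006-12-04 11:05:00", "authentication", "alice",   "agent-app2",    "/servlet1/",      "success"),
]


def parse_events(rows):
    """Turn the raw tuples into dicts with a parsed timestamp."""
    return [dict(time=datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), category=c, user=u,
                 agent=a, resource=r, result=x) for t, c, u, a, r, x in rows]


def filter_events(events, categories=None, result=None):
    """Audit filtering as the text describes, e.g. keep only failed authorizations."""
    return [e for e in events
            if (categories is None or e["category"] in categories)
            and (result is None or e["result"] == result)]


def failed_attempts_by(events, key):
    """'Failed Authentication and Authorization Attempts by User/Agent' sub-report:
    count failed authentication and authorization events per user or per agent."""
    failed = filter_events(events, {"authentication", "authorization"}, "failure")
    return dict(Counter(e[key] for e in failed))


def daily_transactions(events):
    """'Daily Transactions Report': successes and failures per day."""
    table = defaultdict(lambda: {"success": 0, "failure": 0})
    for e in events:
        table[e["time"].strftime("%Y-%m-%d")][e["result"]] += 1
    return dict(table)


def hourly_transactions(events):
    """'Hourly Transactions Report': successes and failures per hour and category,
    so the chart can show authentications, authorizations and administration separately."""
    table = defaultdict(lambda: {"success": 0, "failure": 0})
    for e in events:
        hour = e["time"].strftime("%Y-%m-%d %H:00")
        table[(hour, e["category"])][e["result"]] += 1
    return dict(table)


def repeated_failure_alert(events, threshold=3):
    """Users whose failed authentications reach the threshold, the 'several successive
    login attempts' condition the Password Services section says administrators want alerts on."""
    counts = failed_attempts_by(filter_events(events, {"authentication"}), "user")
    return sorted(user for user, n in counts.items() if n >= threshold)
```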

Enterprise Manageability
eTrust SiteMinder includes enterprise site manageability features that ease deployment and ongoing site administration through proactive centralized control of operating environments and monitoring of system availability and operating status.

OneView Monitor
eTrust SiteMinder OneView Monitor collects and displays real time operation status information, including failure alerts, about eTrust SiteMinder policy servers, agents, and other core components such as authentication and authorization services. Information is presented graphically so that administrators can rapidly assess an entire environment with multiple policy services, or the status of an individual component. When a problem is reported, administrators can scan summary information to review overall system status, identify components with failure alerts, and drill down to obtain detailed status information.

Figure 5. Time series reports. [Two bar charts: a daily chart plotting Transactions (0 to 120) by Date (days 1 to 14), and an hourly chart plotting Transactions (0 to 10) by Hour (12:00 am to 3:00 pm).]

In the event of a component failure, eTrust SiteMinderOneView Monitor can display and alert an administratorright away so that no time is wasted in reporting theproblem. Administrators can then take proactive action tocorrect problems, possibly even before users experienceany trouble.

With the SNMP integration capability, administrators canset up automatic recovery procedures based on failurealerts. For example, a failure report can kickoff an emailmessage or a pager message to the person who is closestto the problem. The recovery time can then be reducedeven further because the responsible person is alerted asquickly as possible.

eTrust SiteMinder OneView Monitor can be easily configured so that administrators can set up the displays to report information exactly as they need it. They can filter out data that might not be important to their environment; they can sort data according to their priority; and they can specify update intervals to make sure they have fresh data when they need it.

Environment Collector

When problems are reported, it is critical to have detailed information about all the operating components of the environment to help identify and isolate the root cause of the problem and, if necessary, to reproduce the problem in a testing lab. Because a security solution interacts with many critical systems distributed worldwide that are owned by different people or groups, it might take the security administrator days to contact the right people to get all the details they need about all the components connected to the security system. Even after the information is collected, it could go stale very quickly as components get upgraded.

The eTrust SiteMinder Environment Collector provides a snapshot of the eTrust SiteMinder runtime environment for any policy server in the enterprise. When problems associated with a policy server crop up, administrators use eTrust SiteMinder Environment Collector information to assess exactly what components the policy server is working with. With up-to-the-minute environment information, the security administrator can resolve the situation much faster.

The Environment Collector collects the following information about a policy server:

• User stores and databases being accessed by the policy server

• Custom modules being used by the policy server

• Agents that are interacting with the policy server

• Registry information

The type of information collected includes the name of the component, its version, patch levels, which policy server the component works with, how the components are connected, and other environment attributes that affect how eTrust SiteMinder operates. This information is stored in an XML file.

After glancing through the XML file report, administrators can determine if any components require updating, if there are any version mismatches, and if the correct agents are deployed where needed.

When working with the eTrust SiteMinder support team to resolve a problem, administrators can send eTrust SiteMinder Environment Collector information to the support team. With accurate and up-to-date data to work with, the support team will be able to work on reproducing and resolving the problem.

Test Tool

After a problem is reported, administrators must have the correct tool to identify and isolate the cause of the problem, so they can move quickly to resolve it. The eTrust SiteMinder Test Tool simulates agent operations so that a policy server can be isolated from the agent environment. Once isolated, the administrator can determine whether the policy server is creating the problem or another component in the environment where the policy server is running.

The eTrust SiteMinder Test Tool can test the connection to the policy server to see if it is down. If the connection is available, the administrator can test the policies associated with the application that reported the problem. The administrator can run tests that check if the resource is protected, if the user is authenticated, and if the user is authorized for the resource. Debug information is also provided.

Logging and policy profiling

With useful logs of day-to-day system activities, administrators can prevent many problems from happening and troubleshoot problems quickly when they occur.


Policy server and agent logs are separate from tracing logs to make log files easier to manage. Because separate logs are smaller and easier to work with, administrators also have more precise control over log verbosity because they can specify different verbosity settings for each log. In addition, administrators can apply tracing and logging settings without restarting the policy server. For example, an administrator can add a data field in the trace logs and eTrust SiteMinder adds the field automatically without restarting the server.

Policy server and agent logging include the following capabilities:

• Agent and policy server logs can be correlated through a transaction ID, allowing the administrator to follow both agent and policy server operations to more easily identify the problem. For example, when multiple agents are making requests to a policy server, having a single transaction ID allows administrators to isolate a call from a particular agent, providing more precise and relevant troubleshooting information

• Logging profiles can be saved for quick retrieval and alternation between production and troubleshooting modes. The output can be sent to either a system console or a file

Policy profiling, or trace logging, includes the following capabilities:

• Policy profiler can trace policy server operations across policy server components

• Administrators can configure trace logs to generate detailed and selective information. For example, they can configure trace logs to include feedback on selected operations in specified components, such as a source file or an IP address in data fields

• Multiple output formats are available for easier parsing of trace information and integration with other trace reporting systems. Output formats include fixed width fields, XML, user-specified delimited fields, among others

Error handling includes the following capabilities:

• Accurate and comprehensive information about the operation of eTrust SiteMinder processes is recorded

• System informational messages down to the functional level provide detailed information

• Administrators can filter errors by specifying precise criteria, such as severity
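The transaction-ID correlation, per-agent isolation and severity filtering described in the bullets above, as an added example that is not code from the white paper or from the product. The pipe-delimited record layouts, field names and severity levels are constructed assumptions (the paper only says trace output can use user-specified delimited fields).

```python
"""Correlate web agent and policy server log records by transaction ID.

Added example: not code from the white paper or from the product. The record
layouts below are constructed for this example (the paper says trace output can
be written as user-specified delimited fields, so pipe-delimited records with a
transaction ID field are assumed); the product's real layouts are not on the page.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample agent log (web server side).
# Fields: time | agent | transaction id | client ip | resource | agent event
AGENT_LOG = """\
2006-12-04T09:15:01|agent-www1|txn-0001|10.0.0.21|/finance/report.jsp|IsProtected
2006-12-04T09:15:01|agent-www1|txn-0001|10.0.0.21|/finance/report.jsp|IsAuthorized
2006-12-04T09:15:02|agent-www2|txn-0002|10.0.0.35|/hr/payroll.jsp|IsProtected
2006-12-04T09:15:02|agent-www2|txn-0002|10.0.0.35|/hr/payroll.jsp|IsAuthorized
2006-12-04T09:15:05|agent-www1|txn-0003|10.0.0.21|/finance/export.jsp|IsProtected
"""

# Constructed sample policy server log.
# Fields: time | transaction id | component | severity | message
POLICY_SERVER_LOG = """\
2006-12-04T09:15:01|txn-0001|AuthZ|INFO|realm=Finance decision=ALLOW
2006-12-04T09:15:02|txn-0002|AuthZ|WARNING|realm=HR decision=DENY reason=no_matching_policy
2006-12-04T09:15:02|txn-0002|Audit|INFO|record written
"""

AGENT_FIELDS = ["time", "agent", "txn", "client_ip", "resource", "event"]
SERVER_FIELDS = ["time", "txn", "component", "severity", "message"]
SEVERITY_ORDER = {"INFO": 0, "WARNING": 1, "ERROR": 2}  # assumed ordering


def parse_delimited(text: str, fields: List[str], sep: str = "|") -> List[Dict[str, str]]:
    """Turn delimited records into dicts. Lines with the wrong field count are
    skipped rather than mis-assigned: a truncated line would otherwise shift
    every later field into the wrong column."""
    records = []
    for line in text.splitlines():
        parts = line.split(sep)
        if line.strip() and len(parts) == len(fields):
            records.append(dict(zip(fields, parts)))
    return records


@dataclass
class Transaction:
    txn: str
    agent: Optional[str] = None
    resource: Optional[str] = None
    client_ip: Optional[str] = None
    agent_events: List[str] = field(default_factory=list)
    server_events: List[Dict[str, str]] = field(default_factory=list)

    def decision(self) -> Optional[str]:
        """Authorization decision the policy server logged for this call, if any."""
        for ev in self.server_events:
            if ev["component"] == "AuthZ":
                for token in ev["message"].split():
                    if token.startswith("decision="):
                        return token.split("=", 1)[1]
        return None

    def max_severity(self) -> int:
        """Highest severity among the policy server records (-1 when there are none)."""
        return max((SEVERITY_ORDER.get(ev["severity"], 0) for ev in self.server_events),
                   default=-1)


def correlate(agent_text: str, server_text: str) -> Dict[str, Transaction]:
    """Join both logs on the transaction ID so one call can be followed end to end."""
    txns: Dict[str, Transaction] = {}
    for rec in parse_delimited(agent_text, AGENT_FIELDS):
        t = txns.setdefault(rec["txn"], Transaction(rec["txn"]))
        t.agent, t.resource, t.client_ip = rec["agent"], rec["resource"], rec["client_ip"]
        t.agent_events.append(rec["event"])
    for rec in parse_delimited(server_text, SERVER_FIELDS):
        txns.setdefault(rec["txn"], Transaction(rec["txn"])).server_events.append(rec)
    return txns


def calls_from_agent(txns: Dict[str, Transaction], agent: str) -> List[str]:
    """Isolate the calls made by one agent when several agents share a policy server."""
    return sorted(t.txn for t in txns.values() if t.agent == agent)


def unanswered(txns: Dict[str, Transaction]) -> List[str]:
    """Agent calls with no policy server record at all: the first thing to check when
    an application reports hangs, since the request never reached the server or was
    never logged by it."""
    return sorted(t.txn for t in txns.values() if t.agent_events and not t.server_events)


def at_or_above(txns: Dict[str, Transaction], severity: str) -> List[str]:
    """Filter transactions by the policy server's logged severity."""
    return sorted(t.txn for t in txns.values()
                  if t.max_severity() >= SEVERITY_ORDER[severity])


if __name__ == "__main__":
    txns = correlate(AGENT_LOG, POLICY_SERVER_LOG)
    for t in txns.values():
        print(t.txn, t.agent, t.resource, t.agent_events, t.decision())
    print("unanswered:", unanswered(txns))          # ['txn-0003']
    print("warning or worse:", at_or_above(txns, "WARNING"))  # ['txn-0002']
```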

Centralized Agent Management

eTrust SiteMinder provides central agent management that enables central and dynamic control and configuration of web agents. Additionally, central agent management can logically group agents based on your organization.

When a new agent is installed on a web server, the installation process establishes a secure connection with the policy server and receives default configuration settings. This increases security since the configuration information is moved from the web server in the DMZ and resides in the policy store. With this configuration, the possibility of a security compromise of the configuration information is significantly lower.

Some of the key benefits of this capability are:

• All configuration information is centralized and stored in the policy store, providing greater security for configuration information

• It is easy to delegate administration for creating and managing the new centralized agent to the administrator who has organizational responsibility for the agent

• Configuration templates make it very easy to configure multiple agents into logical groups

• Web servers do not need to be re-booted when configuration changes are made

Rapid Policy Deployment

When new or modified policies are being deployed in a production environment, it’s important to fully test those policies offline before they “go live,” lest inadvertent errors appear in the policy specification that cause serious security problems later on. That’s why many enterprises use multiple staging environments for developing, testing and deploying new policies. However, as environments grow in size, the number of policies can often make management of these environments quite challenging. Since re-entering policies can be laborious and error-prone, administrators need an automated way to move policies from one environment to another to simplify management of larger environments.

With the import/export tool, eTrust SiteMinder easily and automatically migrates entire policy structures from one environment to another. For example, operators can change policy names and attributes to accommodate the new environment, such as new machine names or IP addresses.


The import/export tool has the following capabilities:

• First-Time Deployment. Copy an entire policy configuration from one environment to another and then edit the configuration before or after the import

• Incremental Deployment. Export individual policy objects to new environments and overwrite the comparable object on the new system. Edit the configuration for first-time deployment, either before or after the import operation, simplifying re-testing and re-deployment of individual policies

• Flexible Scripting Capabilities. Develop scripts in a standard text editor and store them in source code control systems to maintain versioning

• Import Object Mapping. Easily map, that is, rename, an imported object if the name is not unique

Unattended Installations

In large enterprises, administrators install eTrust SiteMinder Policy Servers and agents on many systems. In many cases, these installations are the same from system to system. With unattended installations, eTrust SiteMinder administrators use Java-based installation templates to automate these installations. With automatic installations, eTrust SiteMinder can be rolled out faster to better meet the needs of rapidly expanding global businesses.

The unattended installations use a platform-independent Java installer, which allows the installation to run the same way, with the same look and feel, on both UNIX® and Microsoft Windows operating systems. Administrators work with templates to specify how to install and configure a component, such as a web agent. Then, the templates can be re-used throughout the security environment to ensure a uniform and consistent installation and configuration of the component. Template re-use saves the administrator from countless, repetitive installation procedures.

Command Line Interface

eTrust SiteMinder includes a full command line interface to leverage the power of Perl scripting and make it easier to dynamically control the system. All programmatic capabilities formerly available only to C and Java programmers are now accessible to developers using standard Perl scripts.

Through the range of eTrust SiteMinder APIs, companies can use scripts to test and verify policies, examine configurations, and automate the routine chores commonly performed. The Command Line Interface offers a complete scripting interface to the eTrust SiteMinder Policy Server, making customizations and proof-of-concepts easier and quicker.

Performance, Reliability, Scalability and Availability

eTrust SiteMinder is used today in some of the world’s largest corporations and is designed to meet the needs of corporations requiring a fast, efficient, 24x7 security solution for their extensive user and application services.

Performance

eTrust SiteMinder provides extensive, fully tunable caching facilities, so that all resource and policy information is available without requiring a call to either the policy server or a directory. The policy server provides two-level policy caching, so that recently accessed policy information is kept in a separate cache that is searched before the regular policy cache. In addition, eTrust SiteMinder caches user attributes to optimize LDAP calls. These caching facilities provide outstanding performance, even for very large numbers of users or policies.

Through independent tests conducted by Mindcraft Inc., eTrust SiteMinder has demonstrated industry leading performance for user authentications and authorizations. Figure 6 summarizes the outstanding performance that eTrust SiteMinder offers.

Bulk Operations

Operations for initializing the policy server and for auditing run in bulk to ensure efficient runtime performance. Each time the policy server starts, it is initialized by retrieving policy data from a policy store, which is defined in LDAP directory servers or ODBC databases. For ODBC database policy stores, the query (SQL) statement operations for retrieving policies are combined, resulting in a minimal number of retrieval operations and in quick initialization.

Figure 6. eTrust SiteMinder performance data on Windows NT and UNIX. [Chart residue omitted: logins per minute, scale 0 to 120,000, against 1, 2 and 4 CPUs, for iPlanet LDAP and MS Active Directory.]

eTrust SiteMinder auditing transactions can be stored in a relational database using ODBC. When using a relational database, bulk SQL statements and asynchronous database management operations make the process of storing records as quick as possible.

Authentication and Authorization

When eTrust SiteMinder evaluates whether a resource is protected, a very fast binary search algorithm is used. This algorithm results in rapid transaction times when determining whether access control is required for a resource.

The eTrust SiteMinder object cache groups rules with realms for a more efficient search of policies to make authorization decisions. The cache is bound by size, not by number of entries, providing a rapid and predictable search of policies.

Reliability, Availability and Scalability

These optimizations enable rapid run-time performance, especially when working with large policy stores. For example, tests indicate that the policy evaluation response time for a policy store with one realm is the same as the response time for a policy store with up to thousands of realms.

eTrust SiteMinder has been designed specifically to meet the needs of e-business sites that must support a large number of users with high authentication and authorization rates. Though eTrust SiteMinder is easy to configure and deploy for small workgroup environments, it can scale to large installations that support very large user or resource populations.

eTrust SiteMinder provides outstanding scalability due to the following capabilities:

• Replication and Failover. Each web agent can be configured to communicate with multiple eTrust SiteMinder Policy Servers. If the current policy server becomes unavailable, the agent automatically establishes a connection with the next policy server and continues processing. This operation is transparent to the user. For increased availability, in the event of a failure, eTrust SiteMinder provides automatic restart of all server processes. eTrust SiteMinder also provides the failover mechanism for user directories, that is, if the current user directory is unavailable, the policy server automatically establishes a connection with the next user directory.

• Load Balancing. eTrust SiteMinder supports automatic load balancing, which significantly improves the scalability and performance of eTrust SiteMinder in large deployments. The web agent distributes multiple user requests across multiple policy servers. The policy servers can also load balance their requests across a set of directory servers. In this way, eTrust SiteMinder can distribute its system load across other servers to improve overall system throughput.

Policy Server Clusters

Administrators can group multiple policy servers into a cluster that works with a set of agents. With clusters, administrators get powerful new features for managing clusters to derive the most efficient service from them.

Any set of policy servers can be clustered, based on criteria that are important to the security system implementation. An administrator might choose to cluster policy servers for a number of reasons, including: physical location, resources they are protecting, organizations they are supporting, or machine speed and memory. For example, when clustering policy servers according to geography, an administrator can group policy servers in one area to make sure agent requests are handled locally. Policy servers in a cluster can be running on different platforms or physically located in different places. As a result, clustering is viable in both homogeneous and heterogeneous policy server environments.

Clustering offers administrators these features:

• Dynamic Load Balancing. Dynamic agent-to-policy server load balancing allows higher levels of processing loads to get allocated to faster servers within the cluster. More effective load balancing increases maximum system throughput because agents get served by the policy server that can provide the fastest response at any given time. Agents will be served by a policy server instance within the cluster that previously provided the best response time.

• Automatic Failover. Agents are decoupled from policy servers. As a result, agents transparently fail over from one cluster to another, according to criteria established by the administrator. When the number of available policy servers in a cluster falls below the criteria, agent requests are automatically sent to another cluster without interrupting service.

With these features, the administrator can easily scale policy servers to meet increasing service requests in growing enterprises.


Security

A security system is only as strong as its weakest link. That’s why it’s critical that all components and communication paths be secure, so that intruders cannot compromise the overall system security by stealing passwords or impersonating other users. eTrust SiteMinder offers security at each point in its operation.

More specifically, it provides several capabilities to ensure that data and applications are not compromised.

Data Confidentiality

eTrust SiteMinder encrypts all data and control information that passes among components. All traffic among the policy server, the web agent, and the administrative interface is sent over TCP using 128-bit RC4 encryption, providing very strong confidentiality. All user cookies are encrypted using RC2. Encryption keys are generated automatically and randomly by the policy server. This operation is totally transparent to the administrator, though a re-generation of the keys can be forced at any time, or at any regular interval, for added security.

Mutual Authentication

Administrators must ensure that a server is not an impostor collecting sensitive information such as credit card numbers. Both the web agent and the policy server authenticate themselves to each other, using a shared secret to encrypt an authentication message. This secret is never passed over the network, even in encrypted form, and so cannot be stolen from the network. This technique ensures the structural integrity of the eTrust SiteMinder components themselves, so that an eavesdropper cannot steal useful information, nor impersonate an eTrust SiteMinder server or agent.

Revocation of User Credentials

Some sites need to immediately revoke access control privileges of a specific user; for example, when an employee is terminated. eTrust SiteMinder supports a rapid response through the use of commands to flush specific information from the web agent cache.

The following operations are available both through the administrative interface and through the API:

• Flush the user cache

• Flush the resource cache

• Flush both caches

• Flush all resources in a specific realm

• Flush a specific user entry in the user cache

Encrypted Session Cookies

The eTrust SiteMinder session cookie is an RC4, 128-bit-encrypted session ticket that has browser information, time, Distinguished Name, an encrypted seed, and other information not disclosed in this paper for security reasons. All these fields are encrypted and randomly ordered.

eTrust SiteMinder does not embed IP or password information in the cookie sent back to the browser. Many homegrown and competing products make the mistake of including IP information, causing massive firewall problems in network address translation (NAT) environments.

The eTrust SiteMinder session cookie has been tested and approved by the security committees of E*Trade, Wells Fargo, Citigroup, American Express, BancOne, Bank of America and other large financial companies. In addition, eTrust SiteMinder offers an optional Reverse Proxy Server solution that enables a customer to use various means of session control: a standard eTrust SiteMinder session cookie, SSL ID, miniature cookie for wireless solutions, or encrypted URLs.

Session and Idle Timeouts

Companies can centrally define both idle and session timeouts for individual applications. For example, a sensitive finance application might have an idle timeout of two minutes when there is no browser action. The application can also have maximum user-session times which will automatically log out users after a specified period of time.

Rolling Keys

eTrust SiteMinder can centrally and automatically roll over all keys that agents use to encrypt/decrypt cookies. Without the eTrust SiteMinder automatic rollover, IT administrators would need developers to implement a rollover scheme themselves, which is extremely difficult to do. The rolling keys of eTrust SiteMinder make its cookies extremely secure.

Administrators can automatically generate and reset trusted host keys by delivering them securely to the trusted hosts, without requiring that the policy server or agent be restarted. The administrator can specify how often shared secrets are reset according to a schedule that is best for their environment: hours, days, weeks or months. Administrators can disable automatic shared secret rollover for specific trusted hosts and continue to perform manual shared secret rollovers, if required.


Hardware Stored Encryption Keys

eTrust SiteMinder has partnered with nCipher, the industry leader in hardware-based encryption, to implement storage of the host encryption key in hardware. This hardware technology adheres to industry standards and allows for highly secure yet flexible key management. nCipher’s HSMs incorporate the use of smart cards (“tokens”) and a card-reading device to securely manage the encryption keys. Using nCipher’s HSM, the key management functionality within the eTrust SiteMinder environment supports true random-number key generation, back-up, failover, and archiving capabilities in a FIPS 140-1 certified module.

LDAP Protection from Denial-of-service Attacks

As noted in Carnegie Mellon CERT advisory CA-2001-18 (http://www.cert.org/advisories/CA-2001-18.html), LDAP directories are extremely susceptible to denial of service (DOS) attacks. eTrust SiteMinder eliminates these DOS attacks by placing an eTrust SiteMinder Policy Server between the web server and the LDAP directory.

In addition, eTrust SiteMinder ensures that packets attempting authentication match the eTrust SiteMinder-encrypted key before passing on authentication or authorization attempts to the policy server. This chokes off DOS attacks on the eTrust SiteMinder infrastructure.

Protection from Cross-Site Scripting

A cross-site scripting (CSS) attack can occur when the input text from the browser (typically, data from a post or data from query parameters on a URL) is displayed by an application without being filtered for characters that may form a valid, executable script when displayed at the browser. For example, an attack URL can be presented to unsuspecting users. When it is clicked, an application could return to the browser a display that includes the input characters, perhaps along with an error message about bad parameters on the query string. The display of these parameters at the browser can lead to an unwanted script being executed on the browser.

eTrust SiteMinder agents support various options to filter attacks by bad characters in the URL. Using these agent configuration options, the administrator can specify bad CSS, URL and query characters that the agent uses to block or filter and prevent attacks.
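A model of the three bad-character checks the paragraph above describes (bad CSS, URL and query characters), as an added example that is not code from the white paper or from the product. The character sets, the category labels and the check order are constructed assumptions; the product's own parameter names and defaults are not on the page.

```python
"""Agent-style bad-character filtering of request URLs (added example).

Not code from the white paper or from the product. The three character sets
mirror the three categories the paper names (bad CSS characters, bad URL
characters, bad query characters); their contents and the category labels are
assumptions for this example, not the product's defaults.
"""
from dataclasses import dataclass
from typing import Optional, Set
from urllib.parse import unquote, urlsplit


@dataclass(frozen=True)
class FilterConfig:
    bad_css_chars: Set[str]    # checked in path and query: characters that open markup
    bad_url_chars: Set[str]    # checked in the path only
    bad_query_chars: Set[str]  # checked in the query string only


# Constructed example configuration (an assumption, not the product's defaults).
EXAMPLE_CONFIG = FilterConfig(
    bad_css_chars=set("<>'\""),
    bad_url_chars=set("\\"),
    bad_query_chars=set("\r\n"),
)


@dataclass(frozen=True)
class Verdict:
    blocked: bool
    category: Optional[str] = None   # which character set matched
    offending: Optional[str] = None  # the first character that matched


def check_request_url(url: str, cfg: FilterConfig, decode_rounds: int = 2) -> Verdict:
    """Return the first violation found in the request URL, or a clean verdict.

    The checks run on the percent-decoded form, and decoding is repeated so
    that input encoded more than once is judged in the form the application
    will eventually see. Categories are tested in the order CSS, URL, query,
    so a quote in the query string is reported as a CSS-character hit.
    A filter like this is defence in depth only: the application must still
    encode untrusted data when it renders a page.
    """
    parts = urlsplit(url)
    path, query = parts.path, parts.query
    for _ in range(decode_rounds):
        path, query = unquote(path), unquote(query)
    checks = [
        ("css", path + query, cfg.bad_css_chars),
        ("url", path, cfg.bad_url_chars),
        ("query", query, cfg.bad_query_chars),
    ]
    for category, text, bad in checks:
        for ch in text:
            if ch in bad:
                return Verdict(True, category, ch)
    return Verdict(False)


if __name__ == "__main__":
    # Constructed sample requests.
    for sample in ("/finance/report.jsp?year=2006",
                   "/finance/search.jsp?q=%3Cb%3Ebold",
                   "/finance/%2527",
                   "/finance/reports%5Cq4.jsp",
                   "/finance/report.jsp?year=2006%0D%0Aextra"):
        print(sample, check_request_url(sample, EXAMPLE_CONFIG))
```

With decode_rounds=1 the double-encoded third sample passes the check, which is why the decode depth should match what the application behind the agent decodes.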

Unique Secure HTTP Header Passing

Through the central eTrust SiteMinder user interface, administrators can pass user store attributes through HTTP headers to applications through the eTrust SiteMinder web agent into the inbound channel of the web server. Since the eTrust SiteMinder filter is the dominant filter, it can overwrite all other filters to ensure header validity. In addition, this inbound channel is not visible to external users in the DMZ. That means no firewall port, from the web server to the user store (LDAP, MS/SQL, Oracle, Novell), needs to be opened. eTrust SiteMinder can pass these user store attributes to the application through its encrypted channel. What’s more, the channel from the policy server to the web agent is RC4-128-encrypted.

Advanced Web Agents

eTrust SiteMinder does not put authentication or authorization logic on a web server, a common mistake of homegrown and competitor products. Instead eTrust SiteMinder employs unique web agent filters (NSAPI – Netegrity, ISAPI – Microsoft IIS, DSAPI – Domino and Apache Modules) that integrate with and operate as part of the web server. Web agent filters are much more secure than storing authorization and authentication processes on the web server. All security logic resides behind the DMZ in the protected eTrust SiteMinder Policy Server. This architecture ensures security by not exposing any access logic or policies in the DMZ.

eTrust SiteMinder Developer Capabilities

The eTrust SiteMinder Software Developers’ Kit (SDK) supports the development of custom applications to embed eTrust SiteMinder in their environment, and to extend the capabilities of eTrust SiteMinder. Java and C APIs are provided to offer developers a choice of programming languages. Both interfaces contain several sets of APIs. Each set lets developers implement a particular feature, such as developing a custom agent using the Java APIs or extending an authorization scheme using the C APIs. Both client-side and server-side APIs are provided in Java and C. Both C and Java agent APIs can also run on Linux.

Creating Custom Agents

The Agent API is used to build custom agents for enforcing access control and managing user sessions. Enforcing access control consists of authentication, authorization, and auditing of the user. The Agent API works in tandem with the policy server to greatly simplify application development while increasing application scalability with respect to the number of applications and resource-privilege pairs.

Additional capabilities provided by the Agent API include full session management support, notifications for agent key rollovers, real time policy updates, policy server failover, load balancing and logout reason codes. With logout reason codes exposed, developers implement client applications that set finer granularity in reporting why a logout was initiated. In addition, logout codes can be used to write separate event handlers to handle the different logout events. The logout codes include: Idle Timeout, Session Timeout and Explicit Logout. The availability of these logout reason codes provides more and better auditing information about user activities.

Single Sign-on Support for Custom Agents

Custom agents built with the Agent API can participate in a single sign-on environment with standard eTrust SiteMinder web agents. Using the Cookie API, custom agents can also create third-party SMSESSION cookies that can be accepted by standard eTrust SiteMinder web agents. Customers have the option to enable or disable the capability for standard eTrust SiteMinder web agents to accept third-party cookies created by custom agents.

Managing the Policy Store

The Policy Management API is used to manage all the objects within the eTrust SiteMinder Policy Store. With the Policy Management API, companies can develop custom Policy Management interfaces to eTrust SiteMinder. For example, a developer can write an application that allows administrators to manage policies, policy responses, global policy configuration, authentication schemes and password policies, shared secret rollover for trusted hosts, and affiliate and affiliate domain management functionality. Both programming and command line interfaces (CLI) are available.

Managing the User Store

The DMS API enables management of objects within an eTrust SiteMinder user directory. Users of the DMS API can develop custom User Management applications using eTrust SiteMinder that enable privileged users to create, add, modify and delete organizations, groups or users.

The DMS API performs the following tasks:

• Manage directory entries

• Discover user privileges

• Enable/disable users

• Grant DMS roles to users

• Paging and sorting when searching LDAP directories or ODBC databases

Using the DMS Workflow API, developers can add pre- and post-process functionality for specific DMS APIs. The DMS APIs available for specifying the pre- and post-process functionality include those used for modifications such as set, delete, and associations. The pre and post functionality is implemented as a shared library and is configured within the eTrust SiteMinder Policy Server Management Console.

Creating a Custom Authentication Scheme

The Authentication API is used to develop plug-in modules to the policy server. These APIs are used to define new authentication schemes as well as custom implementations of known authentication schemes. Modules developed using this API are implemented as shared libraries and can be configured using the eTrust SiteMinder Policy Server Management Console.

The Authentication API supports any type of usercredentials:

Flexible Authorization

The Authorization API is used to develop plug-in modules to the policy server for performing custom authorization functions. Modules developed using this API are implemented as shared libraries. The modules can be configured using the eTrust SiteMinder Policy Server Management Console to define active rules, active policies, and active responses.

Adding a Directory Provider

The Directory API is used to develop plug-in modules to the policy server for implementing a custom user store that eTrust SiteMinder does not support.

eTrust SiteMinder supports the following namespaces for user directories:

• LDAP

• ODBC

• Microsoft Windows NT

• Custom

Using the Directory API, an interface can be built to any custom user directory or database.

Integrating with eTrust SiteMinder Events

The Event API lets customers build custom handlers for eTrust SiteMinder events. Through the Event API, eTrust SiteMinder can log events using outside sources, providers, or applications. Administrators can then access the logged information through these other sources, providers, or applications. Using the Event API, developers can build applications to alert administrators of eTrust SiteMinder activity. For example, an event handler can send an email to the administrator when the accounting server starts or someone creates a new policy.


Session Server API

The Session Server API allows enterprises to store application state information associated with the user and make it available to all applications as a shared service.

Creating a Secure Communication Tunnel

The Tunnel Service API provides secure transfer of data between an agent and a shared library on a policy server that supports the Tunnel Service. Use these APIs to develop tunnel services to securely communicate between the agents and the shared library on the policy server.

When an agent sends a tunnel request to the policy server, the request contains:

• The name of the service library

• The function to be called in the service library

• The data to be passed to the function

The policy server initializes the appropriate service, invokes the requested function, and passes the data to the function. Once the service has performed its task, the policy server returns the results to the agent.

Summary

eTrust SiteMinder is the premier Web security solution for global organizations because it can securely and cost-effectively provide a Web access management solution that lets business in while keeping risk out:

• Enhance Compliance with Regulations. eTrust SiteMinder central policy management, enforcement, and auditing provide a tool that helps achieve IT control/data privacy and thus regulatory compliance

• Reduce Administrative Costs. eTrust SiteMinder’s robust set of administration tools makes it one of the most manageable security systems available today. With centralized tools, security administrators can manage up to millions of users and secure thousands of resources across the world, 24 hours a day, 7 days a week

• Reduce Development Costs. eTrust SiteMinder readily integrates with existing applications so that applications can take immediate advantage of its security services without having to be re-designed, re-built and re-deployed. As a result, an eTrust SiteMinder security solution can be quickly deployed, without having to rely extensively on developers

• Enhances the User’s Experience. eTrust SiteMinder’ssingle sign-on capabilities enables users to move fromapplication to application, or site to site, without havingto sign-on multiple times with different credentials. Foremployees, single sign-on lets workers get their workdone more efficiently; and for customers, single sign-onlets users get the personalized information they need todo business easily and without frustration

• Improve Security. eTrust SiteMinder providescentralized authorization and authentication services toremove security enforcement from many hundreds orthousands of applications. With centralized securityenforcement, security is consistent, comprehensive, andreliable so that no holes are left open in an eTrustSiteMinder secured web environment

• Improve Security System Manageability. With theauditing, logging and reporting capabilities of eTrustSiteMinder, administrators can keep it running smoothlyand efficiently by analyzing system activities andpreventing problems before they occur. When problemsdo occur the troubleshooting tools of eTrust SiteMindergive administrators the information they need to resolvethe problem quickly so that security services remainavailable.

Conclusion
With its extended reach and power, the Internet has fundamentally changed traditional business processes. E-business has ushered in the widespread deployment of intranets, business-to-business (B2B) extranets and e-commerce websites. These sites extend business processes to the furthest reaches of the Web, enabling partners, customers, and employees to access critical applications, information, services, and transactions anytime and anywhere.

Given the critical nature of the business processes and data being handled by these systems, isn't it imperative that they be secured using the most comprehensive, scalable, and reliable Web Access Management solution on the market? Providing this consistently over the years is what has made eTrust SiteMinder the "gold standard" in the WAM market year after year.

For More Information
eTrust Identity and Access Management Website: www.ca.com/etrust


Copyright © 2006 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. To the extent permitted by applicable law, CA provides this document "AS IS" without warranty of any kind, including, without limitation, any implied warranties of merchantability, fitness for a particular purpose, or non-infringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits, business interruption, goodwill or lost data, even if CA is expressly advised of such damages. MP279221206