Security for enterprise web application

White Paper

eTrust® SiteMinder® r6

December 2006. Updated for eTrust SiteMinder r6 SP5

Table of Contents
The Challenge: Building and Managing Secure Websites and Applications ... 5
Building the Secure Website ... 5
Choosing the correct authentication technology ... 5
Building the user directory ... 6
Providing a quality single sign-on experience ... 6
Managing the Secure Website ... 6
Enabling compliance auditing ... 6
Implementing security for multiple web applications ... 6
Managing the security infrastructure ... 6
Keeping user administration costs down ... 6
Choosing the correct technology partner ... 6
eTrust SiteMinder Features and Benefits ... 7
Authentication Management ... 7
Federation Security Services ... 7
Authorization Management ... 7
Role based access control (RBAC) ... 7
eTrust SiteMinder eTelligent Rules ... 7
Auditing and Reporting ... 8
Enterprise Manageability ... 8
Performance, Availability, Reliability, Scalability ... 8
Performance ... 8
Availability and Reliability ... 8
Scalability ... 8
Security ... 8
Broad Platform Support ... 9
A Standards-Based Solution ... 9
eTrust SiteMinder Architecture ... 9
eTrust SiteMinder Policy Server ... 9
Access control services in a single process ... 10
eTrust SiteMinder Agents ... 10
Web agents ... 10
Application server agents ... 10
Enterprise application agents ... 10
Custom Agents ... 10
Secure Proxy Server ... 10
Native Directory Integration ... 11
eTrust SiteMinder Authentication Management ... 11
Authentication Methods ... 11
Strong authentication support ... 12
Authentication Policies ... 12
Certificate Combinations and Alternatives ... 12
Forms-based Certification ... 12
Authentication Levels ... 12
Directory Mapping ... 12
Password Services ... 13
Impersonation ... 13
eTrust SiteMinder Authorization Management ... 14
eTrust SiteMinder Policies ... 14
Rules/Rule Groups ... 15
Users ... 15
Responses ... 15
IP addresses ... 15
Time restrictions ... 15
Active response ... 15
Fine-grained authorization using eTelligent Rules ... 15
Global policies ... 15
Role based access control (RBAC) ... 16
Single Sign-On ... 16
SSO in Single and Multiple Cookie Domains ... 16
SSO zones – support of multiple SSO environments ... 17
Enterprise SSO Integration ... 17
Identity Federation ... 17
SiteMinder Federation Security Services (FSS) ... 17
FSS IdP and SP support ... 17
FSS Multi-protocol support ... 17
FSS SAML 2.0 capabilities ... 17
FSS WS-Federation capabilities ... 17
Federation Hub and Spoke solutions ... 17
SiteMinder Federation End Point ... 18
Single Sign-on in the Windows Environment ... 18
Windows integrated security ... 18
Windows application login ... 18
Auditing and Reporting ... 18
Auditing ... 18
Reporting ... 18
Report drill down capabilities ... 19
Activity reports ... 19
Intrusion reports ... 19
Administrative reports ... 19
Time series reports ... 19
Enterprise Manageability ... 19
OneView Monitor ... 19
Environment Collector ... 20
Test Tool ... 20
Logging and policy profiling ... 20
Centralized Agent Management ... 21
Rapid Policy Deployment ... 21
Unattended installations ... 22
Command line interface ... 22
Performance, Reliability, Scalability and Availability ... 22
Performance ... 22
Bulk operations ... 22
Authentication and authorization ... 23
Reliability, Availability and Scalability ... 23
Policy Server Clusters ... 23
Security ... 24
Data Confidentiality ... 24
Mutual Authentication ... 24
Revocation of User Credentials ... 24
Encrypted Session Cookies ... 24
Session and Idle Timeouts ... 24
Rolling Keys ... 24
Hardware Stored Encryption Keys ... 25
LDAP Protection from Denial-of-service Attacks ... 25
Protection from Cross-Site Scripting ... 25
Unique Secure HTTP Header Passing ... 25
Advanced Web Agents ... 25
eTrust SiteMinder Developer Capabilities ... 25
Creating Custom Agents ... 25
Single Sign-on Support for Custom Agents ... 26
Managing the Policy Store ... 26
Managing the User Store ... 26
Creating a Custom Authentication Scheme ... 26
Flexible Authorization ... 26
Adding a Directory Provider ... 26
Integrating with eTrust SiteMinder Events ... 26
Session Server API ... 27
Creating a Secure Communication Tunnel ... 27
Summary ... 27
Conclusion ... 27


The Challenge: Building and Managing Secure Websites
With its extended reach and power, the Internet has fundamentally changed traditional business processes. E-business has ushered in the widespread deployment of intranets, business-to-business (B2B) extranets and e-commerce websites. These sites extend business processes to the furthest reaches of the Web, enabling partners, customers, and employees to access critical applications, information, services, and transactions anytime and anywhere. Organizations are redeploying the applications that they have built over the years with web front ends, as well as deploying new applications on web servers, J2EE-based application servers, and even mainframe systems that include web servers. As they open up their businesses to new users through the web, they face new and complex challenges.

Organizations must solve a new generation of manageability and compliance issues, from deployment of online resources throughout a global environment to enforcing policies, monitoring, and reporting of online activities for regulatory compliance. IT professionals need to support heterogeneous environments by providing flexible deployment approaches. They need to provide enterprise-class performance, availability, and scalability to support potentially millions of users. And they must ensure a long life for these systems by embracing open standards and platforms.

From the security and compliance perspective, several factors must be carefully considered:

• Authentication. Who will access the applications and data? Will multiple user communities, such as partners, customers, and employees, need access? How will authentication across multiple websites be handled? Is simple password authentication sufficient, or are stronger credentials and controls needed?

• Authorization. Organizations need powerful security policies that can be easily leveraged over multiple applications and services. They need to implement a single shared security service to simplify and speed administration, to ease compliance-related auditing and reporting, and to reduce the security-related burden on application developers.

• Audit. Organizations must closely track how applications and data are used, and how the security system is helping to provide IT controls. System administrators need detailed system data to fine-tune performance. Business managers need activity data to demonstrate compliance with security policies and regulations.

• Entitlement service. How can organizations tie all of the entitlements, that is, the profile characteristics of individual users, from multiple directories and user stores into a single, shared security service?

• Enhancing the user experience. How can organizations provide a personal, easy-to-navigate online session for their users, and at a low cost?

From a user perspective, these new-generation web applications must be:

• Responsive. Delivering high-performance applications, whether they're for customers, partners, or employees.

• Interactive. Providing the right users access to the right applications, data, services, and other resources.

• Simple. Providing a seamless user experience with cross-domain application access.

Today, enterprise IT infrastructures are often insufficient to meet the demands of e-business and unable to manage multiple types of applications accessed by multiple types of users (employees, customers, suppliers and partners) using multiple types of devices (laptops, PDAs, cell phones). Many sites must accommodate millions of users and many millions of transactions without jeopardizing security. In particular, implementers face several challenging business and technical problems, grouped into two major areas: first building the secure website, and then managing the secure website.

Building the Secure Website
For web developers, the process of building a secure website can be very complex. Whether it’s managing multiple user directories or creating a shared service for authentication, authorization and audit, they need new tools to design and provide robust security.

Choosing the correct authentication technology

Due to implementation and management challenges, security managers often struggle to define a unified authentication strategy across Internet and intranet applications. The result is that either high-value applications are not protected by equally secure authentication systems, or low-value web applications are protected by authentication systems that might actually overdo it and push users away. Companies need a single system on which to deploy and manage multiple authentication systems. Organizations need a comprehensive strategy that ensures high-value applications are protected by strong authentication while lower-value applications are protected by simpler username/password approaches.


Building the user directory

Traditionally, security administrators have deployed an authentication system and access control list (ACL) with each application. For a small number of critical applications, these “siloed” authentication systems might be appropriate. However, as the number and complexity of applications increase, this approach quickly becomes unmanageable for all involved. With each application storing its own user privilege information within an application-specific repository or ACL, separate from any corporate user directory, redundant user administration and user databases are created. The user stores quickly get out of synchronization with the corporate directory, compromising both security and the user experience.

Providing a quality single sign-on experience

Successful websites need to provide users with the information and services they want, and that the organization wants them to see, in a personalized context that is easy to understand and navigate. If the content is not personalized, or if users must endure multiple sign-ons to different applications, they quickly become frustrated and go elsewhere. In addition, organizations might forge relationships with any number of business partners whose sites offer complementary value to some portion of the organization’s users. Identity Federation lets organizations provide users with single sign-on by transparently linking partner resources to the organization’s website, and from its partner websites. Single sign-on, whether of the internal or external (Identity Federation) variety, lets users easily conduct business or obtain value-added access to applications and data.

Managing a Secure Website

From an operational perspective, security issues also play an important role in how organizations manage and operate websites. Key issues include enabling auditing for regulatory compliance, leveraging redundant points of administration, and managing the associated costs of supporting multiple applications and platforms.

Enabling compliance auditing

Driven by compliance regulations such as Sarbanes-Oxley, HIPAA, FFIEC, etc., enterprises need a way to consistently manage and enforce application access policies and provide compliance reports across heterogeneous systems, to answer such questions as who has access to what and who has accessed what. Without an enterprise-wide access control solution, it can be very costly to prove compliance.

Implementing security for multiple web applications

Traditionally, the approach for managing authentication and authorization for web resources often varies across web servers, application servers, operating systems and development tools. Consequently, administration and authorization capabilities can vary greatly. These differences can lead to administrative problems as well as inconsistent security deployments, because these more complex environments are often more costly and time consuming to administer than single-platform environments. As a result, the quality of website security is often lower in heterogeneous IT environments, which is clearly an unacceptable outcome.

Managing the security infrastructure

It’s a daunting and expensive challenge to deploy large-scale websites that can encompass hundreds of web servers, applications, and security policies, as well as multiple types of authentication systems to enforce authentication and access control, all with 24x7 continuous availability. As the number of applications and users increases, administrative costs can spike drastically. As web applications continue to gain in strategic importance, the management and administration of these complex environments becomes a pressing IT challenge.

Keeping user administration costs down

Whether it’s expanding the customer base, adding suppliers to the extranet, reorganizing divisions or improving service quality, people are the center of every business initiative. But as e-business websites grow, the number of users interacting with the sites also grows, and those increases translate into a broad range of significant management challenges:

• Assigning authentication methods to applications and users
• Synchronizing IDs and passwords across multiple directories
• Enabling self-registration and password management for users
• Providing phone and online support to potentially millions of users, 24x7, around the globe

Choosing the correct technology partner

Total cost of ownership is directly related to the ability to support open standards that leverage existing IT investments, offer extensive partnership integration, avoid vendor dead-ends, and minimize expensive third-party integrations. It’s possible, of course, to achieve an impressive return on investment (ROI) by moving applications, and the business processes they support, to the web, but the key is how to do so cost effectively. As new web applications are deployed, ROI numbers rise, but with each new application, access, security management, and scalability requirements and issues also arise. These can reduce ROI if not addressed. To solve this problem, companies need comprehensive open application program interfaces (APIs), directory mapping, and a 24x7 redundant architecture.

6

The right solution removes authentication from each application and centralizes all Web Access Management (WAM) and security policy in one place. eTrust® SiteMinder® is the right solution: it provides corporate and consumer e-business sites with the secure, scalable and reliable identity and privilege management infrastructure they require for conducting business. It also provides centralized control that administrators need to efficiently manage and support that security infrastructure.

eTrust SiteMinder Features and Benefits
eTrust SiteMinder offers the type of solution organizations need to meet the challenge of building and managing secure websites. eTrust SiteMinder provides the essential security services required to meet this challenge, while also including management features and technical capabilities that can reduce the total cost of ownership.

Authentication Management
eTrust SiteMinder supports a broad range of authentication methods, including passwords, tokens, X.509 certificates, smartcards, custom forms, and biometrics, as well as combinations of authentication methods. It also supports certificate validation through either certificate revocation lists (CRL) or Online Certificate Status Protocol (OCSP). eTrust SiteMinder integrates with industry-leading directory services and user stores, eliminating redundant administration of user information. This integration simplifies administration and provides unique and comprehensive security capabilities. eTrust SiteMinder fully leverages existing user directories, from leading LDAP directories and relational databases, to mainframe security directories. With single sign-on (SSO) and federation, users get unified and personalized access to all available applications and data within and across enterprise boundaries. Organizations and their partners can provide their customers with all their available services; access to all relevant, authorized information; and access to multiple applications that run on multiple servers, multiple platforms, and across multiple internet domains. Single sign-on provides a rich user experience, increased security and reduced customer support costs from lost passwords.

Federation Security Services
eTrust SiteMinder’s federation capability enables users to move across partner and affiliated websites without having to be re-authenticated. eTrust SiteMinder provides multi-protocol federation support by implementing standards-based technologies including SAML and WS-Federation/ADFS. eTrust SiteMinder can act as an Identity Provider (IdP) that authenticates the user and produces a SAML assertion or WS-Federation security token to propagate to a federation partner, or as a Service Provider (SP) that consumes a SAML assertion or WS-Federation security token generated by a federation partner, to achieve SSO. As a result, eTrust SiteMinder provides a comprehensive, bi-directional federation hub that enables maximum interoperability among enterprises. Organizations with eTrust SiteMinder Federation Security Services can interoperate securely and more effectively with more sites, including sites that use other security solutions. Users enjoy a more seamless experience across affiliated sites, improving the chances for increased revenue and enhanced relationships.

Authorization Management
eTrust SiteMinder centralizes the management of user entitlements for customers, partners and employees across all web applications through a shared service. The eTrust SiteMinder advanced architecture and ability to enforce security policies across the enterprise eliminates the need for redundant user directories and application-specific security logic. Centralized authorization greatly reduces development costs by allowing developers to focus on the application business logic, not on encoding security policies. eTrust SiteMinder provides security and access management through its security policies, which are designed to accommodate the user and the user’s relationship to the protected resource. A policy protects resources by explicitly allowing or denying user access. It specifies the resources that are protected, the users, groups or roles that have access to these resources, the conditions under which this access should be granted, and the delivery method of those resources to authorized users. If a user is denied access to a resource, the policy also determines how that user should be handled from there.

Role based access control (RBAC)
eTrust SiteMinder, when used with CA Identity Manager, gives enterprises the ability to extend existing authorization policies to roles established for users in CA Identity Manager. Using CA Identity Manager, enterprises can map organizational structure as well as functional responsibilities to create and manage roles. eTrust SiteMinder can then bind security policies to roles for end-to-end identity and access management control.

eTrust SiteMinder eTelligent Rules
As an organization grows and changes, existing security logic within applications will likely have to be modified or extended. With eTrust SiteMinder, security administrators can use eTelligent Rules to make security logic changes outside the applications, without changing program code, further reducing reliance on programming. Most other security solutions would have to rely on applications being re-programmed, re-built and re-deployed.

Auditing and Reporting
Auditing and reporting lets managers track user and administrative activity and analyze and correct security events and anomalies. eTrust SiteMinder lets companies define activities within the eTrust SiteMinder environment to be logged and where that information should be stored: in a file or in a relational database. Both the policy server and web agents (components of the SiteMinder architecture to be described later) provide separate audit logging and debug logging.

Enterprise Manageability
eTrust SiteMinder enables efficient management practices in all areas of security system operations, including responsive troubleshooting, fast day-to-day execution of routine operations, and easy-to-manage periodic operations. Daily activities, such as troubleshooting, password services and reporting, can be completed faster and better because eTrust SiteMinder provides centralized administration tools for the entire security environment. eTrust SiteMinder also provides tools that let administrators easily manage the deployment, including remote agents and security policies, regardless of the size of the security environment.

Performance, Availability, Reliability, Scalability
As more web applications are deployed and more business is conducted by more people online, organizations need a security solution that is efficient, available, reliable, and scalable. eTrust SiteMinder meets all these criteria, especially for very large deployments.

Performance
Based on independent third-party comparisons against published data from other vendors, eTrust SiteMinder has proven its ability to provide significantly higher transaction rates than competing solutions. eTrust SiteMinder achieves these high levels of performance by optimizing the speed of its policy server, the component that runs the centralized security services. With quick start-up and fast runtime performance, the policy servers provide efficient security services capable of supporting millions of users and thousands of protected resources.

Availability and Reliability
eTrust SiteMinder reliably and effectively helps to ensure that the entire environment that is being secured remains available and accessible to the right users. Administrators can set up load balancing and failover so that if one eTrust SiteMinder component is unavailable, the next one will be used without interruption to the user. Even if an eTrust SiteMinder component fails, it will automatically be re-started to keep all operations going, all the time. eTrust SiteMinder administrators also have the option to cluster policy servers, that is, to group together policy servers based on criteria that are important to the security system implementation. Once policy servers are clustered, administrators can set up dynamic load balancing within the cluster and automatic failover among clusters to meet the increasing high-performance, high-availability requirements of a growing enterprise.

Scalability
eTrust SiteMinder can be scaled to meet security requirements for almost any website, both in terms of numbers of users and numbers of resources. With eTrust SiteMinder, security administrators don’t have to worry about their company’s new acquisitions or new partnerships. eTrust SiteMinder will be able to handle it: new users, new platforms, new applications, or additional languages. No portion of the enterprise would go unsecured, possibly leaving holes that unauthorized users could take advantage of. In terms of numbers of users, eTrust SiteMinder can work effectively and efficiently with many millions of users with information stored on a broad array of user stores. By centralizing user access management, security administrators can manage the security requirements for all categories of users throughout the enterprise, from a single location. In fact, some customers of eTrust SiteMinder have reported using the system to support in excess of 20M users.

Security
eTrust SiteMinder offers the most secure communications architecture in the industry, with 128-bit encryption and hardware token-based encryption key management and storage. eTrust SiteMinder combines the best of security and manageability by supporting the deployment of a mix of eTrust SiteMinder Agents and eTrust SiteMinder Secure Proxy Servers across a single policy model. In addition, eTrust SiteMinder supports a comprehensive set of password services, including password composition, dictionary checking and expiration rules, allowing you to implement robust password management rules. When combined with CA Identity Manager, which provides self-service, forgotten-password services, password synchronization, and other services, the combined solution provides a comprehensive set of password management automation services.

Broad Platform Support
To help achieve a higher return on investment (ROI) and lower total cost of ownership (TCO), eTrust SiteMinder leverages existing technology investments by supporting leading infrastructure components, including directories, Web servers, application servers, platforms and authentication methods. eTrust SiteMinder provides native directory integration with existing directories and databases (LDAP, AD, NT Domain, MS SQL Server, Oracle, RDBMS and others) and integrates with a large number of leading enterprise applications, such as SAP, Siebel, PeopleSoft, and Oracle Applications. In addition, eTrust SiteMinder includes J2EE application server agents, enabling fine-grained access control of IBM WebSphere and BEA WebLogic Server hosted applications. eTrust SiteMinder extends its security management and single sign-on capabilities to the OS/390 mainframe platform with a web agent for the IBM HTTP web server and support for RACF and TopSecret/ACF2 security directories through the eTrust SiteMinder Security Bridge. What’s more, eTrust SiteMinder also supports authentication for network access devices, including firewalls, dial-up servers, and other RADIUS-compliant devices. eTrust SiteMinder is fully multi-byte enabled and can be used to secure the deployment of multilingual sites.

eTrust SiteMinder consists of two primary components, the eTrust SiteMinder Policy Server and eTrust SiteMinder Agents. See Figure 1 for an overview of the architecture of eTrust SiteMinder.
Figure 1. eTrust SiteMinder Architecture Overview. [Figure: users (employees, partners, customers) reach secured applications (Finance, HR/Payroll, Intranet, Supply Chain; CRM, Customer Service, Partner Extranet, e-Commerce) either through an eTrust SiteMinder Secure Proxy Server fronting the destination web servers or through a web server directly; the eTrust SiteMinder Policy Server consults the user and entitlement stores (LDAP, databases, mainframes, NT Domain).]

The following steps give an overview of how eTrust SiteMinder works:
1. User attempts to access a protected resource.
2. User is challenged for credentials and presents them to the Web Agent or to the Secure Proxy Server.
3. The user’s credentials are passed to the policy server.
4. The user is authenticated against the appropriate user store.
5. The policy server evaluates the user’s entitlements and grants access.
6. User profile and entitlement information is passed to the application.
7. The user gets access to the secured application, which delivers customized content to the user.

A Standards-Based Solution
Even with extensive support for leading infrastructures and technologies, there are many legacy and custom applications that organizations want to integrate into their web security system. At the same time, technology investments must remain open to best-of-breed technologies and not be locked in to a limited number of vendors. eTrust SiteMinder is the industry’s leading Web access management product in adopting and supporting new technology standards as well as offering an extensive and well documented series of Java and C application programming interfaces (APIs) throughout the product. eTrust SiteMinder is developed on open standards. The eTrust SiteMinder development team was a leading designer of the OASIS XML security standard known as Security Assertion Markup Language (SAML).

eTrust SiteMinder Architecture
eTrust SiteMinder is the industry’s leading directory-enabled Web access management system. eTrust SiteMinder enables administrators to assign authentication schemes, define and manage authorization privileges to specific resources, and create rules and policies to implement these authorization permissions. With eTrust SiteMinder, administrators can implement security policies to completely protect the content of an entire Web portal or set of applications.

eTrust SiteMinder Policy Server
The eTrust SiteMinder Policy Server is the “brain” of eTrust SiteMinder. The policy server provides the key security decision making operations for eTrust SiteMinder. This high-performance server provides load balancing, failover and caching for superior reliability and speed. Policy servers have been designed to be reliable, fast, and easy to manage, so they can be scaled to meet today’s and tomorrow’s business requirements. Policy server operations are optimized to get them initialized and running quickly.


Access Control Services in a Single Process
The eTrust SiteMinder Policy Server is a single-process engine (policy decision point) that runs all four shared services that make up SiteMinder: authentication, authorization, administration and auditing. The single, multi-threaded process results in a highly efficient, simple-to-manage system. The run-time performance is very fast because the single-process server requires a smaller total memory footprint than a multi-process server, and thread context switches run faster than process context switches.

eTrust SiteMinder Agents
Agents provide the enforcement mechanisms (policy enforcement points) for policy-based authentication and access control. They integrate with web servers, application servers, enterprise applications or custom applications to enforce access control based on defined policies.

Web Agents
Web agents control access to web content and deliver a user’s security context, managed by eTrust SiteMinder, directly to any web application being accessed by the user. By placing an agent in a web server that is hosting protected web content or applications, administrators can coordinate security across a heterogeneous environment of systems and create a single sign-on domain for all users. For web servers, the web agent integrates through each web server’s extension API. It intercepts all requests for resources (URLs) and determines whether each resource is protected by eTrust SiteMinder. If the resource is not eTrust SiteMinder protected, the request is passed through to the web server for regular processing. If it is protected by eTrust SiteMinder, the web agent interacts with the policy server to authenticate the user and to determine if access to the specific resource is allowed. Depending on the policy for the requested resource, the web agent can also pass to the application a response that consists of the user’s attributes from the user directory and entitlement information. The application can use the entitlement information to personalize the page content according to the needs and entitlements of each user. The web agent caches extensive amounts of contextual information about the current user’s access. The caching parameters that control these services are fully tunable by the administrator to optimize performance and security.

Application Server Agents
To secure more fine-grained objects such as servlets, JSPs, or EJB components, which could comprise a full-fledged distributed application, eTrust provides a family of eTrust SiteMinder application server agents (ASAs). ASAs are plug-ins that communicate with the eTrust SiteMinder Policy Server to extend single sign-on (SSO) across the enterprise, including J2EE application server-based applications. ASAs also enable SiteMinder to centralize security policy management by externalizing J2EE authorization policies through standard interfaces such as those based on JSR 115.

Enterprise Application Agents
eTrust SiteMinder provides several agents that integrate directly with the most widely used enterprise applications. These agents are called ERP agents. The ERP agents extend Web SSO to ERP users. In addition, the eTrust SiteMinder ERP Agents provide ERP-based Web sites with the flexibility to choose the authentication security technology, verification of user session data within the application server, and enforced synchronization between eTrust SiteMinder and ERP application sessions. SiteMinder ERP agents include an SAP agent, PeopleSoft agent, Oracle agent, and Siebel agent.

Custom Agents
The eTrust SiteMinder Policy Server is a general-purpose rules engine that can protect any resource that can be expressed as a string, as well as any operation on those resources. While web agents, application server agents and ERP agents work with the standard features of eTrust SiteMinder, administrators can extend agent functionality by creating and configuring a custom agent using the Agent API and the policy server Management Console. Custom agents can participate with standard eTrust SiteMinder agents to provide a comprehensive single sign-on environment. Custom agents work with the eTrust SiteMinder Policy Server to control access to a wide range of resources, whether web based or not. For example, custom agents could be used to control access to an application, an application function or a task performed by an application. A custom agent working with the policy server as the core engine can extend the types of resources that eTrust SiteMinder can protect.

Secure Proxy Server
The eTrust SiteMinder Secure Proxy Server is a turnkey, high-performance proxy gateway that secures an organization’s back-end servers, offering an alternative deployment model for eTrust SiteMinder. With the Secure Proxy Server, eTrust SiteMinder offers two complementary policy enforcement strategies for a more flexible and secure web access architecture. Customers may choose to deploy traditional eTrust SiteMinder agents or the Secure Proxy Server. These SiteMinder components can be used singly, or in combination, to provide the optimum security and administration environment for any site.


Key benefits of the Secure Proxy Server include:
• Increased Security. The Secure Proxy Server provides multiple authentication schemes (basic, forms-based and certificate-based) while providing a single access management policy enforcement point. It prevents non-authenticated traffic from entering any point in the DMZ and eliminates the exposure of network topology to outside users.
• Greater Deployment Flexibility. The Secure Proxy Server supports multiple session schemes for cookie and cookie-less methods of session tracking. It provides security for any back-end server environment, as well as a platform for building out wireless solutions. Advanced proxy rules dynamically route incoming requests to the appropriate back-end server.
• Extensibility, Scalability and Robustness. The Secure Proxy Server is an open and extensible solution, providing a set of Java APIs for building custom session schemes. It is also fully integrated with eTrust SiteMinder’s scalable and robust architecture.
The Secure Proxy Server is a self-contained reverse proxy solution consisting of two components: the proxy engine, with a fully integrated eTrust SiteMinder Agent, and an Apache-based HTTP web listener. The Secure Proxy Server accepts HTTP and HTTP over SSL (HTTPS) requests from web clients, passes those requests to enterprise back-end content servers, and returns resources to the requesting client. For further detailed information on the eTrust SiteMinder Secure Proxy Server, refer to the Secure Proxy Server white paper available at http://www.ca.com/etrust

eTrust SiteMinder Authentication Management
eTrust SiteMinder offers unparalleled control over what type of authentication method is used to protect a resource and how that authentication method is deployed and managed. Traditionally, it is very challenging to successfully deploy and manage strong authentication systems (for example, two-factor certificates); therefore, most companies stick to using user names and passwords. By centrally managing all authentication systems and using the eTrust SiteMinder advanced authentication policy management capabilities, organizations can successfully deploy mixed authentication methods based on resource value and business needs instead of IT limitations.

Authentication Methods
No single authentication technique is appropriate for all users and all protected resources in all situations. That’s why authentication flexibility is an important requirement. eTrust SiteMinder offers a comprehensive password authentication management solution and integrates out of the box with most leading authentication methods. Since administrators often require varying levels of authentication security for different resources, eTrust SiteMinder supports a range of authentication mechanisms, including:
• Passwords
• Two-factor tokens
• X.509 certificates
• Passwords over SSL
• Smart cards
• Combination of methods
• Forms-based
• Custom methods
• Full CRL and OCSP support
• Biometric devices
• Forms and/or certificates
• SAML
• WS-Federation/ADFS
Certificate revocation is a critical component of a PKI strategy, since invalid certificates must be rejected by the authentication mechanism. eTrust SiteMinder supports CRL processing for all leading public key infrastructure (PKI) vendors, including the requirement that the CRL is located in a directory and searched to ensure the current certificate has not been revoked. In addition, eTrust SiteMinder supports the use of OCSP for real-time certificate validation.

Native Directory Integration
eTrust SiteMinder is integrated with industry-leading directory services, eliminating redundant administration of user information. This integration simplifies administration and provides unique and comprehensive security capabilities. eTrust SiteMinder supports a range of leading LDAP directories and relational databases. eTrust SiteMinder also supports mainframe (OS/390) security directories, such as IBM RACF, eTrust CA ACF2 Security, and eTrust CA TopSecret Security. eTrust SiteMinder treats these directories as if they are regular LDAP user directories, and can provide both full authentication and authorization for users stored in these directories. Support for these directories is achieved through an add-on component called the eTrust SiteMinder Security Bridge. eTrust SiteMinder supports storage of policy information in a variety of LDAP-enabled directories and SQL databases. Even though the user and the policy store are logically separate, the ability to store both users and policies in the same physical directory provides easier administration and better performance. Directory Mapping lets an application authenticate users based on information from one directory and authorize users based on information from a different directory.

Authentication Policies
Authentication policies give security administrators unique management capabilities to mix and match authentication methods and brand and customize the credentials collected. eTrust SiteMinder also enables administrators to classify resources into groups based on their value and assign different authentication methods to each level.

Strong Authentication Support
The FFIEC regulation (and similar ones in other countries) requires online banking services in the USA to implement stronger authentication approaches than simple user names and passwords for sensitive transactions. eTrust SiteMinder provides out-of-the-box integration with multi-factor authentication solutions including RSA SecurID and Secure Computing SafeWord, with solution modules for PassMark and Tricipher, as well as others. There are a large number of strong authentication vendors providing and supporting out-of-the-box integration of their products with eTrust SiteMinder. While eTrust SiteMinder remains authentication agnostic with open authentication APIs, CA will continue to add more out-of-the-box integrations with strong authentication solutions to meet customer requirements. eTrust SiteMinder provides the capability for administrators to assign multiple authentication schemes with different authentication strengths to the same application or resource. The end user can select which one, or which combination, to use for the same application when logging in: for example, username/password, or SecurID, or a username/password and certificate combination, based on the security policy of the organization and the user’s preference. eTrust SiteMinder authorization policy can then incorporate authentication context, such as which authentication scheme the user authenticated through, as part of the security policy decision making. For example, one application may support both username/password and RSA SecurID authentication, but if the user authenticates with SecurID, the user may be granted more permissions, such as a higher level of financial transactions. Similar to the way that eTrust SiteMinder can incorporate authentication context in its authorization decisions at run-time, eTrust SiteMinder can also incorporate risk profiling data as part of its authorization decision process through an eTelligent Rule callout to a third-party risk analysis solution.

Certificate Combinations and Alternatives
Authentication method combinations, such as certificate and password, are very useful when stronger security is required for a specific set of resources. It is also a solution for enterprises where multiple administrators might share a secured machine: the certificate identifies the machine, while each operator has their own password. Alternative methods (certificate or password) are ideal when administrators require gradual deployment of certificates. When a certificate for authentication is installed, it is used; but if a certificate is not present, eTrust SiteMinder reverts to regular password authentication.

Forms-based Authentication
Forms-based authentication enables the implementation of an authentication screen that is tailored to individual needs. This is useful when a common brand identity is desired across all internal applications and sign-on screens. In addition, it supports custom attributes, such as a Social Security number or mother’s maiden name, for authentication. For attributes in the user directory, eTrust SiteMinder performs authentication checks automatically, providing much greater login security.

Authentication Levels
eTrust SiteMinder supports authentication levels. Each authentication method is associated with a particular level, ranging from a top priority of 1 to the lowest priority of 1000. When a user accesses a resource, the authentication method priority is compared with the authentication method priority level that was used to authenticate the user. If the level of the current method is higher than the level used to authenticate the user, then a new authentication, using the new resource’s associated method, must be performed. If the user has already been authenticated at a higher level, no re-authentication is required.
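As an added example (not eTrust SiteMinder code), the request flow in the numbered steps earlier in this paper and the protection-level comparison described here, modelled in Python: a constructed policy table maps protected URL prefixes to an authentication scheme and level, and the decision follows the rule that a resource whose scheme level is higher than the session's forces re-authentication. The scheme names, level values, user store, the SM_DEPARTMENT/SM_ROLE/WIRE_LIMIT headers and the transaction-limit rule are all assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AuthScheme:
    """An authentication scheme and its protection level (1..1000 in the text)."""
    name: str
    level: int


@dataclass(frozen=True)
class Realm:
    """Constructed stand-in for a policy-store entry: a URL prefix and the
    scheme protecting it (None means the resource is not protected)."""
    prefix: str
    scheme: Optional[AuthScheme]


@dataclass(frozen=True)
class Session:
    """What the agent knows about the caller: identity and the scheme used."""
    user: str
    scheme: AuthScheme


# Constructed schemes; the level numbers are illustrative only.
PASSWORD = AuthScheme("HTML form (password)", 5)
PASSWORD_SSL = AuthScheme("HTML form over SSL", 10)
TOKEN = AuthScheme("Two-factor token", 20)

# Constructed policy table; the longest matching prefix wins.
REALMS: List[Realm] = [
    Realm("/public/", None),
    Realm("/intranet/", PASSWORD),
    Realm("/banking/", PASSWORD_SSL),
    Realm("/banking/wire/", TOKEN),
]

# Constructed user store: attributes the agent forwards as response headers.
USER_STORE: Dict[str, Dict[str, str]] = {
    "alice": {"department": "finance", "role": "treasury-operator"},
}


def match_realm(url: str, realms: List[Realm] = REALMS) -> Optional[Realm]:
    """Step 1: find which realm, if any, the requested URL falls under."""
    hits = [r for r in realms if url.startswith(r.prefix)]
    return max(hits, key=lambda r: len(r.prefix), default=None)


def decide(url: str, session: Optional[Session]) -> Tuple[str, Dict[str, str]]:
    """Agent-side decision for one request, following steps 1-7 of the text.

    Returns a verdict and the headers handed to the application:
      "pass-through" - not protected; the web server serves it as usual
      "challenge"    - the user must (re)authenticate with the named scheme
      "allow"        - access granted; headers carry profile and entitlements
    Step-up rule: a resource whose scheme level is higher than the level the
    session authenticated at forces a new authentication; a session that was
    authenticated at a higher level is accepted without re-authentication.
    """
    realm = match_realm(url)
    if realm is None or realm.scheme is None:
        return "pass-through", {}
    required = realm.scheme
    if session is None or session.scheme.level < required.level:
        return "challenge", {"scheme": required.name}
    # Step 6: user profile and entitlement data travel to the application as
    # headers. SM_USER is the header name web agents use; SM_DEPARTMENT,
    # SM_ROLE and WIRE_LIMIT are constructed for this example.
    headers = {"SM_USER": session.user}
    for attr, value in USER_STORE.get(session.user, {}).items():
        headers["SM_" + attr.upper()] = value
    # Authorization may use authentication context, as the text describes:
    # a stronger scheme unlocks a higher transaction limit (assumed figures).
    headers["WIRE_LIMIT"] = "50000" if session.scheme.level >= TOKEN.level else "1000"
    return "allow", headers


if __name__ == "__main__":
    # A session authenticated over SSL is stepped up when it reaches /banking/wire/.
    print(decide("/banking/wire/new", Session("alice", PASSWORD_SSL)))
    print(decide("/banking/wire/new", Session("alice", TOKEN)))
```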

Directory Mapping
eTrust SiteMinder supports directory mapping, which enables applications to authenticate users with a specific directory, but authorize using attributes including group

12

information stored in a different directory. This is critical because it supports the needs of sites (such as ISPs) that centralize user identities in a single authentication directory, but manage group membership and application privileges in a separate, application-specific directory. It is also useful when authentication information is stored in a central directory, but authorization information is distributed in separate user directories that are associated with particular applications.

Password Services
Password management is a critical security and cost issue within most corporations. To maintain user security, passwords must be difficult to guess, must change frequently, and must not be reused. In addition, administrators need alerts if suspicious events occur, such as a user failing several successive login attempts. eTrust SiteMinder Password Services provide an additional layer of security to protected resources by enabling the management of user passwords in LDAP user directories or relational databases. To manage user passwords, administrators create password policies that define rules and restrictions governing password expiration, composition, and usage. Password Services can enforce multiple password policies through a priority list of policies that apply to multiple applications being protected across one or more user directories. Password Services also enable password self-service for end users. Developers can implement eTrust SiteMinder Password Services through either CGI with customizable HTML forms or through a servlet with customizable Java Server Pages (JSP forms). Expanded password services can be leveraged through the combined use of eTrust SiteMinder and CA Identity Manager.
• Directory Usage. Apply Password Services to an entire directory of users or to a subset. eTrust SiteMinder also supports nested groups within the namespace of a user directory.
• Password Expiration. Set a maximum number of login failures and define inactive-password policies, that is, the time period after which an unused password expires. Expirations can also be set for user passwords based on time variables, thereby forcing users to reset current passwords.
• Password Composition. eTrust SiteMinder enables the definition of minimum and maximum password lengths and whether passwords must contain numbers. Composition also uses a password dictionary. Regular expressions can be set in the dictionary, and all valid passwords must either include or exclude the expressions set in the reference dictionary. Restrictions can be managed using the dictionary reference. Reuse of older passwords can be denied, similar password structures can be denied, and specific words can also be restricted from use in a password.
• Password Usage. eTrust SiteMinder includes a series of advanced password services that enforce the use of upper and lower case letters within a password: all upper case, all lower case, or case does not apply. The use of white space can also be specified: no white space, or no white space before or after a character.
• Password Services Self-registration and Management. eTrust SiteMinder enables end users to register as a new user, create a user name and password, set an expiration for that password, and change the password whenever they feel it necessary. When Password Services are active, eTrust SiteMinder invokes a password policy whenever a user is authenticated, as well as when a user password is set or modified. The Password Services action depends on the context, which includes the user credentials and the policy. If the user is trying to create or modify the password and the new password does not meet the password policy requirements, the operation fails. If the user is attempting to authenticate with a password that has expired, or if the user account was marked inactive, actions such as disabling the account or redirecting to an information page can also be specified in the password policy.
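As an added illustration (not code from this white paper or from eTrust SiteMinder), the following Python sketch evaluates a candidate password against the composition and usage rules listed above: length, required numbers, case, white space, dictionary regular expressions, restricted words, and denial of reused or similar passwords. The field names, the similarity measure and the clear-text password history are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Sequence


@dataclass
class PasswordPolicy:
    """Composition and usage rules mirroring the options described above (names assumed)."""
    min_length: int = 8
    max_length: int = 64
    require_number: bool = True
    case_rule: str = "any"          # "upper" (all letters upper case), "lower", or "any"
    whitespace_rule: str = "none"   # "none", "no_leading_trailing", or "any"
    include_patterns: List[str] = field(default_factory=list)  # dictionary regexes that must match
    exclude_patterns: List[str] = field(default_factory=list)  # dictionary regexes that must not
    restricted_words: List[str] = field(default_factory=list)  # words that may not appear
    history_depth: int = 5          # how many previous passwords may not be reused
    max_shared_run: int = 4         # a longer substring shared with an old password = "similar"


def longest_common_run(a: str, b: str) -> int:
    """Length of the longest substring shared by a and b, ignoring case."""
    a, b = a.lower(), b.lower()
    best = 0
    for i in range(len(a)):
        for j in range(len(b)):
            k = 0
            while i + k < len(a) and j + k < len(b) and a[i + k] == b[j + k]:
                k += 1
            best = max(best, k)
    return best


def check_password(policy: PasswordPolicy, password: str,
                   history: Sequence[str] = ()) -> List[str]:
    """Evaluate a candidate password against the policy.

    Returns the list of violated rules; an empty list means the password is accepted.
    `history` holds earlier passwords, most recent first. They are compared in clear
    text only for illustration; a real store would keep hashes."""
    problems: List[str] = []

    # Length and numeric-content rules
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if len(password) > policy.max_length:
        problems.append(f"longer than {policy.max_length} characters")
    if policy.require_number and not re.search(r"\d", password):
        problems.append("must contain a number")

    # Case rule: all upper case, all lower case, or case does not apply
    letters = [c for c in password if c.isalpha()]
    if policy.case_rule == "upper" and any(c.islower() for c in letters):
        problems.append("letters must all be upper case")
    elif policy.case_rule == "lower" and any(c.isupper() for c in letters):
        problems.append("letters must all be lower case")

    # White-space rule
    if policy.whitespace_rule == "none" and re.search(r"\s", password):
        problems.append("white space is not allowed")
    elif policy.whitespace_rule == "no_leading_trailing" and password != password.strip():
        problems.append("white space is not allowed at the start or end")

    # Dictionary of regular expressions: patterns a password must include or exclude
    for pat in policy.include_patterns:
        if not re.search(pat, password):
            problems.append(f"must match required pattern {pat!r}")
    for pat in policy.exclude_patterns:
        if re.search(pat, password):
            problems.append(f"matches forbidden pattern {pat!r}")

    # Restricted words, checked case-insensitively as substrings
    lowered = password.lower()
    for word in policy.restricted_words:
        if word.lower() in lowered:
            problems.append(f"contains restricted word {word!r}")

    # Reuse of older passwords and structurally similar passwords
    for old in list(history)[:policy.history_depth]:
        if old == password:
            problems.append("reuses a previous password")
            continue
        if longest_common_run(old, password) > policy.max_shared_run:
            problems.append("too similar to a previous password")

    return problems
```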

Impersonation
eTrust SiteMinder supports impersonation, where one authorized user can access what another user can access. With impersonation, a customer service representative, for example, can act on behalf of users to run tasks for them that they otherwise might not want to, or know how to, run themselves. With impersonation, a previously authenticated user uses their identity to assume the identity of another user without presenting the other user’s credentials. Secure information, such as passwords, no longer has to be transferred over the phone. To start the impersonation, the customer representative requests a defined resource that is mapped to the impersonation authentication scheme. The representative is then prompted to enter the impersonation user name. eTrust SiteMinder makes sure that impersonation is a secure operation, and that only entitled users can impersonate other users:
• Administrators set up impersonation as an eTrust SiteMinder rule in a policy. In this way, impersonation can be very finely controlled, because policies can define exactly who can impersonate whom for which resources within a realm.
• All impersonation sessions are audited to provide a history of events for record keeping and non-repudiation. Information from both the user who is impersonating and the user who is being impersonated is recorded.
• Private information can be hidden from the impersonating subject, as necessary to protect a customer’s privacy.

eTrust SiteMinder includes impersonation templates that administrators can configure and brand, like any other eTrust SiteMinder HTML forms-based authentication scheme. As a result, impersonation is straightforward to set up and configure as well as being straightforward to use.

eTrust SiteMinder Authorization Management
Entitlement management (authorization) is one of the most critical issues for web applications. Users need to access information, but must be authenticated and authorized based on their privileges before gaining access. Traditionally, the entitlement management model for web resources often varies across web servers, application servers, operating systems and development tools. Consequently, the administration of one server can differ from the administration of another, and the entitlement management capabilities offered by these various servers and tools can differ. These differences can lead to administrative problems as well as an inconsistent security framework. eTrust SiteMinder provides centralized authorization management through its policies for all web resources, across web servers, application servers, and so on. Administrators work with the Policy Server Management Console to define policies that restrict access to specific web resources by user, role, group, dynamic group and exclusions. Centralized access control through policies provides very fine grained control to administrators, allowing them to implement access control at the file, page or object level. The Policy Server Management Console is a single, browser-based, administrative system that extends across all intranet and extranet applications. A consistent security policy simplifies the central management of multiple web applications. A centralized approach to security management provides the following advantages:
• It eliminates the need to write complex code to manage security in each application
• The time and cost to develop and maintain multiple security systems is eliminated; sites deploy only one security system for all applications
• eTrust SiteMinder manages the security privileges of customers, business partners, and employees, whether they access the corporate network locally or remotely through the internet or a private network

eTrust SiteMinder Policies
eTrust SiteMinder provides security and access management based on policies that make access and security management more flexible and scalable because they are built around the user and the user’s relationship to the protected resource. A policy protects resources by explicitly allowing or denying user access. It specifies the resources that are protected, the users, groups or roles that have access to these resources, the conditions under which this access should be granted, and the delivery method of those resources to authorized users. If a user is denied access to a resource, the policy also determines how that user is treated. An eTrust SiteMinder policy binds rules and responses to users, groups and roles. The responses in a policy enable the application to customize the delivery of content for each user. Policies reside in the policy store, the database that contains all the eTrust SiteMinder entitlement information. The basic structure of a policy is shown in Figure 2. When a policy is constructed, it can include multiple rule-response pairs bound to individuals, user groups, roles, or an entire user directory. Administrators can also configure multiple policies to protect the same web resources for different sets of users, adding responses that enable the web application to further refine the web content shown to the user. One of the configuration options of a policy is a time restriction. If a time restriction is specified for a policy and a rule in that policy also contains a time restriction, the policy executes only during those times when both restrictions overlap.

Figure 2. eTrust SiteMinder Policy.
Policy options shown in Figure 2:
• Rule or Rule Group: determines access to a resource
• Users or Groups in a Directory: users, groups and roles, with exclusions
• Response or Response Group: action that occurs when a rule fires
• eTelligent Rule: expression using external data
• Time: time when the policy can or cannot fire
• IP Address: IP address that the policy applies to
• Active Response: dynamic extension of the policy

Rules/Rule Groups
A rule identifies and allows or denies access to a specific resource or resources that are included in the policy.
Users
A policy specifies the users, groups of users, or roles that are included or excluded by the policy. Users or user groups are located in native directories linked to eTrust SiteMinder, and role information (for RBAC) is stored in the eTrust SiteMinder Policy Store.
Responses
A response defines information (for example, user attributes) that can be passed to an application when a user is accessing the resource. The application may use this information to provide finer access control and/or customize the appearance of the resource.
IP addresses
A policy may be limited to specific user IP addresses. If a user attempts to access a resource from an IP address not specified in the policy, the user will not be allowed access.
Time restrictions
A policy may be limited to specific days or ranges of hours. A policy with a time restriction will not allow access outside the specified times.
Active response
An Active Response allows business logic external to eTrust SiteMinder to be included in a policy definition, enabling eTrust SiteMinder to interact with custom software created using the eTrust SiteMinder APIs.

Today, line-of-business needs are driving IT security managers to use real time data, either entered by the user or by a third-party service, as part of the authorization process. To process real time data, security-related logic must be coded into back-end business applications. However, this security logic is expensive to maintain because it requires developers to implement separate security-code changes for each back-end application. What’s more, the custom security code typically does not solve the business requirement because the authorization data cannot be evaluated in real time by the application. Security administrators can use eTrust SiteMinder eTelligent Rules to build comprehensive expressions representing business logic and to utilize internal and external data for real time decision making. Variables, whose values are dynamically retrieved at runtime, can be used in the expressions. eTelligent Rules resolve values for variables from user attributes in user stores, from data in forms users completed, or through web services calls to local or remote data sources. The values are then evaluated against the expression as part of the policy decision making process, together with other policy constraints. For example, in a financial services website, a user wants to access services that are available only to customers with a certain credit rating. eTelligent Rules can be implemented using web services calls to check the customer’s current credit rating with an external, online credit service. If the customer’s credit rating is adequate, then access is allowed (assuming all other security policy criteria are met).

Fine-grained authorization using eTelligent Rules
In addition to supporting static rules, administrators can configure eTelligent Rules, that is, an active policy that authorizes users based on dynamic data obtained from external business logic. Furthermore, multiple contexts can be evaluated using eTelligent Rules expressions to achieve fine-grained authorization. For example, a policy could limit access to a specific application to customers who have a current account balance of less than $1,000. In this way, application data that is often stored in transactional systems like a bank-transactions database can be included within the policy enforcement capabilities of eTrust SiteMinder.
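To make the policy structure of Figure 2 and the eTelligent Rules examples concrete, here is an added Python model (not eTrust SiteMinder code) of a policy that binds a rule and responses to users or groups and fires only when its time, IP address and run-time expression options all hold. The class and field names, the response name, the way deny and allow rules are combined, and the stub credit-rating lookup are assumptions made for this example.

```python
import fnmatch
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class TimeWindow:
    """Hours of the day during which a rule or policy may fire (end is exclusive)."""
    start: time
    end: time

    def overlap(self, other: "TimeWindow") -> Optional["TimeWindow"]:
        """The window in which both restrictions hold, or None if they never overlap."""
        lo, hi = max(self.start, other.start), min(self.end, other.end)
        return TimeWindow(lo, hi) if lo < hi else None

    def contains(self, t: time) -> bool:
        return self.start <= t < self.end


@dataclass
class Rule:
    """Identifies a resource and an action, and allows or denies it when the rule fires."""
    resource: str                       # pattern such as "/premium/*"
    action: str                         # HTTP method
    allow: bool = True
    time_restriction: Optional[TimeWindow] = None

    def matches(self, resource: str, action: str) -> bool:
        return self.action == action and fnmatch.fnmatch(resource, self.resource)


@dataclass
class Policy:
    """Binds a rule and responses to users or groups, with the options shown in Figure 2."""
    name: str
    rule: Rule
    users: Set[str]                     # user or group names bound to the policy
    responses: Dict[str, str] = field(default_factory=dict)   # handed to the application
    exclusions: Set[str] = field(default_factory=set)
    time_restriction: Optional[TimeWindow] = None
    ip_networks: List[str] = field(default_factory=list)
    # eTelligent-style expression over variables whose values are resolved at run time
    expression: Optional[Callable[[Dict[str, object]], bool]] = None
    variables: Dict[str, Callable[[str], object]] = field(default_factory=dict)

    def applies_to(self, user: str, groups: Set[str], client_ip: str, now: datetime) -> bool:
        """Check the policy options; the rule's resource/action match is the caller's job."""
        if user in self.exclusions or not (({user} | groups) & self.users):
            return False
        # Policy and rule time restrictions both apply, so the policy fires only in their overlap
        p_win, r_win = self.time_restriction, self.rule.time_restriction
        window = p_win.overlap(r_win) if (p_win and r_win) else (p_win or r_win)
        if p_win and r_win and window is None:
            return False                # the two restrictions never coincide
        if window is not None and not window.contains(now.time()):
            return False
        if self.ip_networks and not any(
                ip_address(client_ip) in ip_network(net) for net in self.ip_networks):
            return False
        if self.expression is not None:
            # Resolve each variable at run time; here a stub stands in for the external credit-service call
            values = {name: resolve(user) for name, resolve in self.variables.items()}
            if not self.expression(values):
                return False
        return True


def authorize(policies: List[Policy], user: str, groups: Set[str], resource: str,
              action: str, client_ip: str, now: datetime) -> Tuple[bool, Dict[str, str]]:
    """Decide one request. Assumed combination: a firing deny rule wins; otherwise access
    is granted only if some allow rule fires, and the firing rules' responses are merged."""
    allowed, responses = False, {}
    for policy in policies:
        if not policy.rule.matches(resource, action):
            continue
        if not policy.applies_to(user, groups, client_ip, now):
            continue
        if not policy.rule.allow:
            return False, {}
        allowed = True
        responses.update(policy.responses)
    return allowed, responses


# Constructed stand-in for the external, online credit service in the paper's example
CREDIT_RATINGS = {"alice": 720, "bob": 610}

PREMIUM_POLICY = Policy(
    name="premium-services",
    rule=Rule("/premium/*", "GET", allow=True, time_restriction=TimeWindow(time(9), time(20))),
    users={"customers"},
    responses={"SM_CREDIT_TIER": "premium"},          # assumed response name
    time_restriction=TimeWindow(time(8), time(18)),   # overlap with the rule: 09:00-18:00
    ip_networks=["10.0.0.0/8"],
    expression=lambda v: v["credit_rating"] >= 700,
    variables={"credit_rating": lambda user: CREDIT_RATINGS.get(user, 0)},
)

# Constructed sample requests: one inside the effective window, one after it
DAYTIME_REQUEST = datetime(2006, 12, 1, 10, 0)
EVENING_REQUEST = datetime(2006, 12, 1, 19, 0)
```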

Global Policies
The global policies of eTrust SiteMinder significantly improve how policies can be organized, and they reduce redundant operations for configuring multiple policies in large enterprises. Global policies provide administrators with the ability to define policy objects, rules, and responses with global scope, separately from a policy domain. When separated from a domain, administrators can define common policy objects, rules, and responses once, so that they apply across multiple domains. They can then easily update the common policy objects, rules, and responses without having to locate each item in each realm throughout the domains. In addition to improving policy administration, global policies can help ensure compliance with federal regulations or corporate rules because they can enforce those rules and regulations across the enterprise, if required. Each component of a global policy remains complementary to its domain-specific counterpart; that is, if there is a domain-specific policy object, rule or response with the same reference, the domain-specific item takes precedence over the global item. System level administrators can also disable global policies for any domain, if they so choose. Global policies allow time restrictions to be specified for when rules are in effect.


For example, administrators define a policy in each realm to redirect users to the same web page when users are not authenticated or not authorized to access a resource. With global policies, administrators define a redirect policy once, and that single global policy can be used by all realms. Without global policies, administrators have to define that same policy over and over for each realm. Global policies are managed only by system-level administrators, using the Policy Server Management Console, the Policy Management API, or the Perl script interface to the Policy Management API.

Role Based Access Control (RBAC)
eTrust SiteMinder, used in conjunction with CA Identity Manager, provides enterprises with role based access control. Roles define job responsibilities, or a set of tasks that are associated with a job or business function. Each task corresponds to an operation in a business application. A single role can have one or more tasks defined in it, and users can have one or more roles assigned to them. The CA Identity Manager central administrator creates role and task definitions. Only after a user is assigned a role can they perform the tasks defined in that role. When CA Identity Manager is used with eTrust SiteMinder, eTrust SiteMinder extends the power of roles beyond job descriptors to access management. The CA Identity Manager administrator works with the eTrust SiteMinder administrator to bind CA Identity Manager roles to eTrust SiteMinder policies. Once the roles are bound to eTrust SiteMinder policies, the link between user management and access management is established. CA Identity Manager manages the users and their roles; eTrust SiteMinder manages secure access to the resources specified by those roles. The role based access control implementation is non-intrusive and flexible. CA Identity Manager roles can be used directly by eTrust SiteMinder without the need to modify user directories.

Single Sign-On
One of the most common challenges Web site operators face is multiple user logins. No universal single sign-on (SSO) solution exists today, primarily because there are no formal standards to facilitate an open solution across all systems. eTrust SiteMinder supports SSO in several ways: single sign-on in single and multiple cookie domains, leveraging identity federation using SAML and WS-Federation/ADFS, and leveraging Microsoft Windows/Kerberos in a Windows environment. With its broad support for single sign-on, users get seamless access to resources across networks of websites.

SSO in Single and Multiple Cookie Domains
When a user authenticates with eTrust SiteMinder, an encrypted cookie is created that contains the necessary session information about the user. The cookie is encrypted with a 128-bit symmetric cipher. No user password information is ever kept within the cookie. When the user requests access to a different protected resource, eTrust SiteMinder decrypts the information in the cookie and securely identifies the current user. No additional authentication is required. See Figure 3 below. eTrust SiteMinder also supports cross-domain SSO. When users authenticate to a single Internet domain, eTrust SiteMinder eliminates the need to re-authenticate when they access protected resources or applications in a different domain. Cross-domain SSO is a critical capability, especially for large enterprises with multiple divisions or multinational businesses. See Figure 4 below.

Figure 3. Single sign-on within a single cookie domain. (Employees, partners and customers authenticate once to the eTrust SiteMinder Policy Server and then access /app1/ on the Mycompany.com web server and /servlet 1/ on the Mycompany.com application server, each running an eTrust SiteMinder Agent.)

Figure 4. Single sign-on across multiple cookie domains. (The web server in cookie domain mycompany.com is designed as the “cookie provider” for the SSO site; after authentication, the user entitlements and session identity are carried to the protected applications in cookie domains subsidiaryA.com and subsidiaryB.com.)

In an environment that includes resources across multiple cookie domains, eTrust SiteMinder supports single sign-on across applications running on heterogeneous web and application server platforms using a cookie provider, a specially configured eTrust SiteMinder Agent that passes a cookie containing the user’s identity and session information to other cookie domains in the SSO site. This enables eTrust SiteMinder to authenticate the user across the entire virtual website, even though it consists of multiple domains.

Within the SSO site, users enter their credentials upon their first attempt to access a protected resource. After they are authenticated and authorized, they can move freely between different realms that are protected by authentication schemes of an equal or lower protection level without re-entering their identification information. Figure 4 shows SSO across multiple cookie domains. eTrust SiteMinder’s support for SSO improves the overall user experience by simplifying access among servers and applications. It also lowers administrative costs by allowing users to access the data they need using only one password.

SSO Zones — Support of Multiple SSO Environments
eTrust SiteMinder can enable multiple SSO environments within the same domain, with the same eTrust SiteMinder deployment, if the enterprise wants to partition its SSO environment into multiple zones. Administrators can group applications into specific security zones. End users are then provided with SSO within the same security zone, but are re-challenged when attempting to access a different security zone. These security zones can be at the same level of authentication or at different levels; the arrangement is entirely flexible. An end user may have multiple eTrust SiteMinder cookies active for different security zones at the same time.

Enterprise SSO Integration
eTrust SiteMinder is integrated with the eTrust SSO component of the CA IAM solution to provide one fully integrated solution for web and non-web single sign-on. The user uses eTrust SSO to single sign-on to non-web applications, and at the same time is able to seamlessly access eTrust SiteMinder protected web resources without being re-challenged. eTrust SiteMinder uses an authentication scheme to validate the user’s SSO session ticket behind the scenes without challenging the user for credentials. Furthermore, the SSO user may get access to external resources through the identity federation capabilities of eTrust SiteMinder, described below.

Identity Federation
eTrust SiteMinder Federation Security Services (FSS)
eTrust SiteMinder Federation Security Services is designed to provide identity federation both within the company and with external business partners. With browser-based federation, the end user visits web sites hosted by the host Web site’s business partners. Browser-based federation is provided by eTrust SiteMinder FSS through its support of the Security Assertion Markup Language (SAML) and WS-Federation/ADFS.
FSS IdP and SP Support
eTrust SiteMinder FSS can act as an Identity Provider (IdP) that authenticates the user and produces a SAML assertion or WS-Federation security token to propagate to a partner, or as a Service Provider (SP) that consumes a SAML assertion or WS-Federation security token generated by a partner to achieve SSO. As a result, eTrust SiteMinder provides complete, bi-directional federation that enables maximum interoperability among enterprises. eTrust SiteMinder is perfectly situated to enable a federation hub with many different IdP and SP partners.
FSS Multi-Protocol Support
eTrust SiteMinder FSS provides multi-protocol federation support including SAML 1.0, SAML 1.1, SAML 2.0, and WS-Federation/ADFS, selectable through a pull-down menu when configuring each federation partner, thus allowing an eTrust SiteMinder administrator to select the appropriate protocol and version for each partner.
FSS SAML 2.0 Capabilities
For SAML 2.0, eTrust SiteMinder FSS supports the Web SSO profiles (both POST and Artifact), Single Logout, Identity Provider Discovery, and Enhanced Client/Proxy SSO profiles. eTrust SiteMinder FSS also provides SAML attribute request and response services through its implementation of this portion of the SAML 2.0 specifications. eTrust SiteMinder FSS can act as an Attribute Authority that processes attribute queries and supplies an assertion with attributes for a user, and it can also act as a SAML Requester that requests a SAML assertion with attributes for a user. Attribute assertions can be used to pass user identity information for authorization, personalization, or provisioning purposes.
FSS WS-Federation/ADFS Capabilities
For WS-Federation/ADFS, eTrust SiteMinder FSS supports SSO, using the WS-Federation Passive profile Sign-On service, and SLO, using the WS-Federation Passive profile Sign-Out service, enabling interoperability with Microsoft Active Directory Federation Services (ADFS). Both the Microsoft ADFS and eTrust SiteMinder implementations support the SAML 1.1 security token.

Federation Hub And Spoke Solutions
Built on top of eTrust SiteMinder, FSS inherits the reliability, availability, and scalability (RAS), as well as the manageability that is intrinsic with eTrust SiteMinder. eTrust SiteMinder is thus well suited to provide federation “hub” capabilities that enable customers to federate with a large number of their partners.


In addition to the eTrust SiteMinder FSS as a federation hub solution, to enable customers to federate with those partners that do not have a SAML/WS-Federation/ADFS compliant security infrastructure, CA provides a lightweight federation end point solution — the eTrust SiteMinder Federation End Point. The eTrust SiteMinder Federation End Point is a multi-protocol end point solution with IdP and SP capabilities.

SiteMinder Federation End Point
For eTrust SiteMinder FSS customers, the eTrust SiteMinder Federation End Point is a lightweight federation solution that enables their partners to federate with them when those partners do not have an existing federation infrastructure. The eTrust SiteMinder Federation End Point provides the same level of protocol support as eTrust SiteMinder FSS and can act as an Identity Provider or Service Provider without requiring eTrust SiteMinder or an equivalent WAM solution to be installed at the partner site. While the eTrust SiteMinder Federation End Point provides full federation functions and quick partner enablement, the following facts should be kept in mind:
• It only interoperates with eTrust SiteMinder FSS, and is not intended to be a general purpose federation solution that interoperates with multiple other federation solutions. For that, a full deployment of eTrust SiteMinder FSS is recommended.
• It does not provide resource protection and access control capabilities like those provided by eTrust SiteMinder, and thus integration with applications or existing access control capabilities is generally needed. Alternatively, a full deployment of eTrust SiteMinder is recommended for the partner.
For detailed information on eTrust SiteMinder Federation Security Services, refer to the Universal Federation Architecture white paper that is available at http://www.ca.com/etrust

Single Sign-On in the Windows/Kerberos Environment
eTrust SiteMinder single sign-on is especially important in the Microsoft Windows environment because internal users access many enterprise applications from their standard Windows desktop.
Windows Integrated Security
Users who log in to their desktop using Windows NT authentication and use Internet Explorer to access Web applications deployed on any web server can log in to eTrust SiteMinder without being re-challenged, as long as there is at least one Microsoft IIS web server configured to use eTrust SiteMinder. With this capability, users only have to remember their desktop password and can be provided with Web SSO widely.
Windows Application Login
eTrust SiteMinder also supports Windows application login, enabling a user to log in to eTrust SiteMinder and subsequently launch Windows/COM+ web applications such as Microsoft Outlook Web Access and Microsoft Commerce Server. With Windows application login, administrators can enforce access control on Windows applications that are not protected by eTrust SiteMinder, for all eTrust SiteMinder users with a Windows identity (NTLM or LDAP), by initializing their application security context with eTrust SiteMinder.

Auditing and Reporting
Administrators need to know who is doing what and when. eTrust SiteMinder auditing logs all activity throughout the eTrust SiteMinder environment. eTrust SiteMinder stores the audit information in a flat file or relational database. When you set up eTrust SiteMinder to store information in a relational database, you can use commercial reporting solutions to present that auditing information in any format required. Changing federal laws, in-depth regulatory financial audits, and increased security threats from external hackers have all pushed access management auditing and reporting to the forefront of product feature sets. eTrust SiteMinder reporting supports granular information collection and analysis on access, activity, intrusion, and audit information to fulfill many of these reporting requirements.

Auditing
eTrust SiteMinder audits all user and site activity, including all authentications and authorizations, as well as administrative activity and any changes to the policy store. eTrust SiteMinder also tracks user sessions so administrators can monitor the resources being accessed, how often users attempt access, and how many users are accessing the site. Additionally, eTrust SiteMinder provides the ability to filter audit events (for example, to record only failed authorizations), allowing the administrator to track only events of interest.

Reporting
eTrust SiteMinder audit data can be used to build reports, leveraging the reporting solution that your company currently uses. eTrust SiteMinder provides stored procedures and sample Crystal Reports templates. If you integrate Crystal Reports with eTrust SiteMinder, you can take advantage of the sample report templates described below. If you use other commercial reporting solutions, you can use the eTrust SiteMinder provided stored procedures to easily access the audit information in the database and build your own reports. Regardless of your reporting solutions, eTrust SiteMinder provides you with the data you need to generate reports like those described in this section.

Report Drill Down Capabilities
eTrust SiteMinder reports begin with a summary of the data in the report. Clicking on a summary item, such as a date, user, or agent, allows administrators to view more detailed information. Drill down details contain the following information:
• Time. Lists the exact times when each event occurred, from the oldest to the most recent
• User. Contains the user name associated with the reported event
• Agent. Lists the names of the agents where the reported event occurred
• Administrator. The eTrust SiteMinder account user name is listed
• Category. Describes the type of event that was logged
• Description. Describes the actual event that occurred at the time noted in the report
When any category of event is logged as a rejection or failure, the text is shown in red and marked with an exclamation (!) mark.
Activity Reports
Activity reports show a variety of user, eTrust SiteMinder agent, and resource activity data at different levels of granularity. There are four types of Activity Reports:
• All Activity Report. Transactions and failures of all users that occurred during the period of time covered by the report
• Activity by User Report. Users and their sessions, including the number of transactions and failures that occurred during the period of time covered by the report
• Activity by Agent Report. Lists active agents and provides information such as the number of transactions and failures that occurred on each agent during the reporting period
• Activity by Resource Report. Resources accessed during the reporting period, including host names, the number of resources accessed, the number of transactions, and the number of failed access attempts
Intrusion Reports
Intrusion Reports show failed authentication and authorization attempts by users and/or agents at different levels of granularity. The main intrusion report is the All Failed Authentication and Authorization Attempts report, which lists all failed user authentication, authorization and administration attempts by date and time. This report is broken down into two sub-reports:
• Failed Authentication and Authorization Attempts by User
• Failed Authentication and Authorization Attempts by Agent
Administrative Reports
The main administrative report is the All Administrative Activity report, which covers all administrative activity by date. It is broken down into two sub-reports:
• Activity by Administrator Report. Covers all administrative activity by administrator
• Activity by Object Report. Covers all administrative activity by object (Administrator, Agent, Policy, and so on)
Each report contains columns of information including Time, Administrator, and a brief description of the activity.
Time Series Reports
Administrators can view two types of Time Series Reports:
• Daily Transactions Report. Includes all successful and failed authentications and authorizations by day
• Hourly Transactions Report. Breaks the data down further into successful and failed authentications by hour
Time Series reports are displayed as bar charts. See Figure 5. Administrators can view a chart of all transactions, or view the authentications, authorizations, or administration transactions separately.
Figure 5. Time series reports (bar charts of transactions by date and of transactions by hour).

Enterprise Manageability
eTrust SiteMinder includes enterprise site manageability features that ease deployment and ongoing site administration through proactive centralized control of operating environments and monitoring of system availability and operating status.

OneView Monitor
eTrust SiteMinder OneView Monitor collects and displays real time operation status information, including failure alerts, about eTrust SiteMinder policy servers, agents, and other core components such as authentication and authorization services. Information is presented graphically so that administrators can rapidly assess an entire environment with multiple policy services, or the status of an individual component. When a problem is reported, administrators can scan summary information to review overall system status, identify components with failure alerts, and drill down to obtain detailed status information. In the event of a component failure, eTrust SiteMinder OneView Monitor can display the failure and alert an administrator right away so that no time is wasted in reporting the problem. Administrators can then take proactive action to correct problems, possibly even before users experience any trouble. With the SNMP integration capability, administrators can set up automatic recovery procedures based on failure alerts. For example, a failure report can kick off an email message or a pager message to the person who is closest to the problem. The recovery time can then be reduced even further because the responsible person is alerted as quickly as possible. eTrust SiteMinder OneView Monitor can be easily configured so that administrators can set up the displays to report information exactly as they need it. They can filter out data that might not be important to their environment; they can sort data according to their priority; and they can specify update intervals to make sure they have fresh data when they need it.

Environment Collector
When problems are reported, it is critical to have detailed information about all the operating components of the environment to help identify and isolate the root cause of the problem and, if necessary, to reproduce the problem in a testing lab. Because a security solution interacts with many critical systems distributed worldwide that are owned by different people or groups, it might take the security administrator days to contact the right people to get all the details they need about all the components connected to the security system. Even after the information is collected, it could go stale very quickly as components get upgraded. The eTrust SiteMinder Environment Collector provides a snapshot of the eTrust SiteMinder runtime environment for any policy server in the enterprise. When problems associated with a policy server crop up, administrators use eTrust SiteMinder Environment Collector information to assess exactly what components the policy server is working with. With up-to-the-minute environment information, the security administrator can resolve the situation much faster.

The Environment Collector collects the following information about a policy server:
• User stores and databases being accessed by the policy server
• Custom modules being used by the policy server
• Agents that are interacting with the policy server
• Registry information
The type of information collected includes the name of the component, its version, patch levels, which policy server the component works with, how the components are connected, and other environment attributes that affect how eTrust SiteMinder operates. This information is stored in an XML file. After glancing through the XML file report, administrators can determine if any components require updating, if there are any version mismatches, and if the correct agents are deployed where needed. When working with the eTrust SiteMinder support team to resolve a problem, administrators can send eTrust SiteMinder Environment Collector information to the support team. With accurate and up-to-date data to work with, the support team will be able to work on reproducing and resolving the problem.

Test Tool
After a problem is reported, administrators must have the correct tool to identify and isolate the cause of the problem, so they can move quickly to resolve it. The eTrust SiteMinder Test Tool simulates agent operations so that a policy server can be isolated from the agent environment. Once isolated, the administrator can determine whether the problem lies in the policy server itself or in another component of the environment where the policy server is running. The eTrust SiteMinder Test Tool can test the connection to the policy server to see if it is down. If the connection is available, the administrator can test the policies associated with the application that reported the problem. The administrator can run tests that check whether the resource is protected, whether the user is authenticated, and whether the user is authorized for the resource. Debug information is also provided.

Logging and policy profiling
With useful logs of day-to-day system activities, administrators can prevent many problems from happening and troubleshoot problems quickly when they occur.


Policy server and agent logs are separate from tracing logs to make log files easier to manage. Because separate logs are smaller and easier to work with, administrators also have more precise control over log verbosity because they can specify different verbosity settings for each log. In addition, administrators can apply tracing and logging settings without restarting the policy server. For example, an administrator can add a data field in the trace logs and eTrust SiteMinder adds the field automatically without restarting the server.

Policy server and agent logging include the following capabilities:
• Agent and policy server logs can be correlated through a transaction ID, allowing the administrator to follow both agent and policy server operations to more easily identify the problem. For example, when multiple agents are making requests to a policy server, having a single transaction ID allows administrators to isolate a call from a particular agent, providing more precise and relevant troubleshooting information
• Logging profiles can be saved for quick retrieval and alternation between production and troubleshooting modes. The output can be sent to either a system console or a file

Policy profiling, or trace logging, includes the following capabilities:
• The policy profiler can trace policy server operations across policy server components
• Administrators can configure trace logs to generate detailed and selective information. For example, they can configure trace logs to include feedback on selected operations in specified components, such as a source file or an IP address in data fields
• Multiple output formats are available for easier parsing of trace information and integration with other trace reporting systems. Output formats include fixed-width fields, XML, and user-specified delimited fields, among others

Error handling includes the following capabilities:
• Accurate and comprehensive information about the operation of eTrust SiteMinder processes is recorded
• System informational messages down to the functional level provide detailed information
• Administrators can filter errors by specifying precise criteria, such as severity
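As an added example (not eTrust SiteMinder code), the correlation the transaction ID makes possible: join an agent log and a policy server log on the ID and pull the server-side reason for each failure the agent recorded. The log layout and the sample lines are constructed for illustration; real agent and policy server log formats differ.

```python
"""Correlate web agent and policy server log lines by transaction ID.

Added example, not eTrust SiteMinder code. The key=value log layout below is
constructed for illustration; real agent and policy server log formats differ.
What it shows: with one transaction ID carried through both logs, a failure
the agent saw can be traced to the policy server event that caused it.
"""
import re
from collections import defaultdict

# Constructed sample lines: an agent log and a policy server log, each with a txid field.
AGENT_LOG = """\
2006-12-01T10:00:01 agent=web01 txid=a1f3 event=isProtected url=/finance/report
2006-12-01T10:00:01 agent=web01 txid=a1f3 event=authenticate user=jdoe result=ok
2006-12-01T10:00:02 agent=web02 txid=b7c9 event=isProtected url=/hr/payroll
2006-12-01T10:00:02 agent=web02 txid=b7c9 event=authenticate user=asmith result=fail
"""

POLICY_LOG = """\
2006-12-01T10:00:01 ps=ps01 txid=a1f3 event=evalPolicy realm=finance decision=allow
2006-12-01T10:00:02 ps=ps01 txid=b7c9 event=userLookup dir=ldap01 result=timeout
2006-12-01T10:00:02 ps=ps01 txid=b7c9 event=authenticate result=fail reason=dir-unavailable
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<rest>.*)$")


def parse_line(line):
    """Parse one constructed log line into a dict; None if the line has no timestamp."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {"ts": m.group("ts")}
    for token in m.group("rest").split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def correlate(agent_text, policy_text):
    """Group lines from both logs by txid: {txid: {"agent": [...], "policy": [...]}}."""
    by_txid = defaultdict(lambda: {"agent": [], "policy": []})
    for source, text in (("agent", agent_text), ("policy", policy_text)):
        for line in text.splitlines():
            fields = parse_line(line)
            if fields and "txid" in fields:          # lines without an ID cannot be joined
                by_txid[fields["txid"]][source].append(fields)
    for entry in by_txid.values():
        for lines in entry.values():
            lines.sort(key=lambda f: f["ts"])        # keep each side in time order
    return dict(by_txid)


def failed_transactions(correlated):
    """For each txid the agent reported as failed, return the policy server's reason if logged."""
    out = []
    for txid, entry in correlated.items():
        if any(f.get("result") == "fail" for f in entry["agent"]):
            reasons = [f["reason"] for f in entry["policy"] if "reason" in f]
            out.append((txid, reasons[0] if reasons else None))
    return out


if __name__ == "__main__":
    for txid, reason in failed_transactions(correlate(AGENT_LOG, POLICY_LOG)):
        print(f"txid {txid}: agent saw failure, policy server reason: {reason}")
```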

Centralized Agent Management
eTrust SiteMinder provides central agent management that enables central and dynamic control and configuration of web agents. Additionally, central agent management can logically group agents based on your organization. When a new agent is installed on a web server, the installation process establishes a secure connection with the policy server and receives default configuration settings. This increases security, since the configuration information is moved off the web server in the DMZ and resides in the policy store. With this configuration, the possibility of a security compromise of the configuration information is significantly lower. Some of the key benefits of this capability are:
• All configuration information is centralized and stored in the policy store, providing greater security for configuration information
• It is easy to delegate administration for creating and managing the new centralized agent to the administrator who has organizational responsibility for the agent
• Configuration templates make it very easy to configure multiple agents into logical groups
• Web servers do not need to be rebooted when configuration changes are made

Rapid Policy Deployment
When new or modified policies are being deployed in a production environment, it’s important to fully test those policies offline before they “go live,” lest inadvertent errors in the policy specification cause serious security problems later on. That’s why many enterprises use multiple staging environments for developing, testing and deploying new policies. However, as environments grow in size, the number of policies can often make management of these environments quite challenging. Since re-entering policies is laborious and error-prone, administrators need an automated way to move policies from one environment to another to simplify management of larger environments. With the import/export tool, eTrust SiteMinder easily and automatically migrates entire policy structures from one environment to another. For example, operators can change policy names and attributes to accommodate the new environment, such as new machine names or IP addresses.


The import/export tool has the following capabilities:
• First-Time Deployment. Copy an entire policy configuration from one environment to another and then edit the configuration before or after the import
• Incremental Deployment. Export individual policy objects to new environments and overwrite the comparable object on the new system. Edit the configuration for first-time deployment, either before or after the import operation, simplifying re-testing and redeployment of individual policies
• Flexible Scripting Capabilities. Develop scripts in a standard text editor and store them in source code control systems to maintain versioning
• Import Object Mapping. Easily map, that is, rename, an imported object if the name is not unique

Performance, Reliability, Scalability and Availability
eTrust SiteMinder is used today in some of the world’s largest corporations and is designed to meet the needs of corporations requiring a fast, efficient, 24x7 security solution for their extensive user and application services.

Performance
eTrust SiteMinder provides extensive, fully tunable caching facilities, so that all resource and policy information is available without requiring a call to either the policy server or a directory. The policy server provides two-level policy caching, so that recently accessed policy information is kept in a separate cache that is searched before the regular policy cache. In addition, eTrust SiteMinder caches user attributes to optimize LDAP calls. These caching facilities provide outstanding performance, even for very large numbers of users or policies. Through independent tests conducted by Mindcraft Inc., eTrust SiteMinder has demonstrated industry-leading performance for user authentications and authorizations. Figure 6 summarizes the outstanding performance that eTrust SiteMinder offers.

Unattended Installations
In large enterprises, administrators install eTrust SiteMinder Policy Servers and agents on many systems. In many cases, these installations are the same from system to system. With unattended installations, eTrust SiteMinder administrators use Java-based installation templates to automate these installations. With automatic installations, eTrust SiteMinder can be rolled out faster to better meet the needs of rapidly expanding global businesses. The unattended installations use a platform-independent Java installer, which allows the installation to run the same way, with the same look and feel, on both UNIX® and Microsoft Windows operating systems. Administrators work with templates to specify how to install and configure a component, such as a web agent. Then, the templates can be re-used throughout the security environment to ensure a uniform and consistent installation and configuration of the component. Template re-use saves the administrator from countless, repetitive installation procedures.

[Figure 6: bar chart of log-ins per minute (0 to 120,000) against number of CPUs (1, 2, 4) for iPlanet LDAP and MS Active Directory user stores; measured values not reproduced]

Command Line Interface
eTrust SiteMinder includes a full command line interface to leverage the power of Perl scripting and make it easier to dynamically control the system. All programmatic capabilities formerly available only to C and Java programmers are now accessible to developers using standard Perl scripts. Through the range of eTrust SiteMinder APIs, companies can use scripts to test and verify policies, examine configurations, and automate the routine chores commonly performed. The Command Line Interface offers a complete scripting interface to the eTrust SiteMinder Policy Server, making customizations and proofs of concept easier and quicker.

Figure 6. eTrust SiteMinder performance data on Windows NT and UNIX.

Bulk Operations
Operations for initializing the policy server and for auditing run in bulk to ensure efficient runtime performance. Each time the policy server starts, it is initialized by retrieving policy data from a policy store, which is defined in LDAP directory servers or ODBC databases. For ODBC database policy stores, the query (SQL) statement operations for retrieving policies are combined, resulting in a minimal number of retrieval operations and in quick initialization.


eTrust SiteMinder auditing transactions can be stored in a relational database using ODBC. When using a relational database, bulk SQL statements and asynchronous database management operations make the process of storing records as quick as possible.

Authentication and Authorization
When eTrust SiteMinder evaluates whether a resource is protected, a very fast binary search algorithm is used. This algorithm results in rapid transaction times when determining whether access control is required for a resource. The eTrust SiteMinder object cache groups rules with realms for a more efficient search of policies to make authorization decisions. The cache is bound by size, not by number of entries, providing a rapid and predictable search of policies. These optimizations enable rapid run-time performance, especially when working with large policy stores. For example, tests indicate that the policy evaluation response time for a policy store with one realm is the same as the response time for a policy store with up to thousands of realms.

Reliability, Availability and Scalability
eTrust SiteMinder has been designed specifically to meet the needs of e-business sites that must support a large number of users with high authentication and authorization rates. Though eTrust SiteMinder is easy to configure and deploy for small workgroup environments, it can scale to large installations that support very large user or resource populations. eTrust SiteMinder provides outstanding scalability due to the following capabilities:
• Replication and Failover. Each web agent can be configured to communicate with multiple eTrust SiteMinder Policy Servers. If the current policy server becomes unavailable, the agent automatically establishes a connection with the next policy server and continues processing. This operation is transparent to the user. For increased availability, in the event of a failure, eTrust SiteMinder provides automatic restart of all server processes. eTrust SiteMinder also provides the failover mechanism for user directories, that is, if the current user directory is unavailable, the policy server automatically establishes a connection with the next user directory.
• Load Balancing. eTrust SiteMinder supports automatic load balancing, which significantly improves the scalability and performance of eTrust SiteMinder in large deployments. The web agent distributes multiple user requests across multiple policy servers. The policy servers can also load balance their requests across a set of directory servers. In this way, eTrust SiteMinder can distribute its system load across other servers to improve overall system throughput.

Policy Server Clusters
Administrators can group multiple policy servers into a cluster that works with a set of agents. With clusters, administrators get powerful new features for managing clusters to derive the most efficient service from them. Any set of policy servers can be clustered, based on criteria that are important to the security system implementation. An administrator might choose to cluster policy servers for a number of reasons, including physical location, the resources they are protecting, the organizations they are supporting, or machine speed and memory. For example, when clustering policy servers according to geography, an administrator can group policy servers in one area to make sure agent requests are handled locally. Policy servers in a cluster can be running on different platforms or physically located in different places. As a result, clustering is viable in both homogeneous and heterogeneous policy server environments. Clustering offers administrators these features:
• Dynamic Load Balancing. Dynamic agent-to-policy server load balancing allows higher processing loads to be allocated to faster servers within the cluster. More effective load balancing increases maximum system throughput because agents get served by the policy server that can provide the fastest response at any given time. Agents will be served by the policy server instance within the cluster that previously provided the best response time.
• Automatic Failover. Agents are decoupled from policy servers. As a result, agents transparently fail over from one cluster to another, according to criteria established by the administrator. When the number of available policy servers in a cluster falls below the criteria, agent requests are automatically sent to another cluster without interrupting service.
With these features, the administrator can easily scale policy servers to meet increasing service requests in growing enterprises.


Security
A security system is only as strong as its weakest link. That’s why it’s critical that all components and communication paths be secure, so that intruders cannot compromise the overall system security by stealing passwords or impersonating other users. eTrust SiteMinder offers security at each point in its operation. More specifically, it provides several capabilities to ensure that data and applications are not compromised.

Encrypted Session Cookies
The eTrust SiteMinder session cookie is an RC4 128-bit-encrypted session ticket that contains browser information, time, Distinguished Name, an encrypted seed, and other information not disclosed in this paper for security reasons. All these fields are encrypted and randomly ordered. eTrust SiteMinder does not embed IP or password information in the cookie sent back to the browser. Many homegrown and competing products make the mistake of including IP information, causing massive firewall problems in network address translation (NAT) environments. The eTrust SiteMinder session cookie has been tested and approved by the security committees of E*Trade, Wells Fargo, Citigroup, American Express, BancOne, Bank of America and other large financial companies. In addition, eTrust SiteMinder offers an optional Reverse Proxy Server solution that enables a customer to use various means of session control: a standard eTrust SiteMinder session cookie, SSL ID, a miniature cookie for wireless solutions, or encrypted URLs.

Data Confidentiality
eTrust SiteMinder encrypts all data and control information that passes among components. All traffic among the policy server, the web agent, and the administrative interface is sent over TCP using 128-bit RC4 encryption, providing very strong confidentiality. All user cookies are encrypted using RC2. Encryption keys are generated automatically and randomly by the policy server. This operation is totally transparent to the administrator, though a re-generation of the keys can be forced at any time, or at any regular interval, for added security.

Mutual Authentication
Administrators must ensure that a server is not an impostor collecting sensitive information such as credit card numbers. Both the web agent and the policy server authenticate themselves to each other, using a shared secret to encrypt an authentication message. This secret is never passed over the network, even in encrypted form, and so cannot be stolen from the network. This technique ensures the structural integrity of the eTrust SiteMinder components themselves, so that an eavesdropper can neither steal useful information nor impersonate an eTrust SiteMinder server or agent.
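The property claimed above, shown as an added example rather than eTrust SiteMinder's own protocol: both sides prove knowledge of a shared secret by answering each other's fresh challenge, so the secret itself never appears on the wire and a captured response cannot be replayed. The message layout is constructed, and a keyed hash (HMAC-SHA256) stands in for the paper's "encrypted authentication message".

```python
"""Mutual authentication with a shared secret that never crosses the network.

Added example, not eTrust SiteMinder's wire protocol: the message layout is
constructed, and HMAC-SHA256 stands in for the encrypted authentication
message the paper describes. Each side answers a fresh challenge from the
other, so an eavesdropper captures only nonces and tags.
"""
import hashlib
import hmac
import os


class Party:
    """An agent or a policy server holding the shared secret locally."""

    def __init__(self, name, secret):
        self.name = name
        self._secret = secret   # kept in memory; never written to the wire
        self.answered = set()   # nonces already accepted, so a replay is refused

    def challenge(self):
        """Issue a fresh random nonce for the peer to answer."""
        return os.urandom(16)

    def respond(self, challenger_name, nonce):
        """Prove knowledge of the secret for the challenger's nonce.

        The challenger's name is bound into the tag so a response cannot be
        reflected back to the party that produced it.
        """
        return hmac.new(self._secret, challenger_name.encode() + nonce,
                        hashlib.sha256).digest()

    def verify(self, nonce, tag):
        """Check a response to a nonce this party issued; each nonce is accepted once."""
        if nonce in self.answered:
            return False
        expected = hmac.new(self._secret, self.name.encode() + nonce,
                            hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, tag)
        if ok:
            self.answered.add(nonce)
        return ok


def handshake(agent, server, tamper=False):
    """Run the two-way exchange; return (agent accepts server, server accepts agent, wire)."""
    wire = []                                          # what an eavesdropper would capture
    n_agent = agent.challenge()
    wire.append(("agent->server", "challenge", n_agent))
    n_server = server.challenge()
    wire.append(("server->agent", "challenge", n_server))
    tag_server = server.respond(agent.name, n_agent)   # server proves itself first
    wire.append(("server->agent", "response", tag_server))
    tag_agent = agent.respond(server.name, n_server)
    if tamper:                                         # simulate an in-path modification
        tag_agent = bytes([tag_agent[0] ^ 0x01]) + tag_agent[1:]
    wire.append(("agent->server", "response", tag_agent))
    return agent.verify(n_agent, tag_server), server.verify(n_server, tag_agent), wire


def secret_on_wire(secret, wire):
    """True if the raw secret appears in any captured message."""
    return any(secret in message for _, _, message in wire)


if __name__ == "__main__":
    shared = b"constructed-shared-secret-0001"       # constructed value
    agent_ok, server_ok, captured = handshake(Party("agent-web01", shared),
                                              Party("policy-ps01", shared))
    print("agent accepts server:", agent_ok, "| server accepts agent:", server_ok)
    print("secret visible on wire:", secret_on_wire(shared, captured))
```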

Session and Idle Timeouts
Companies can centrally define both idle and session timeouts for individual applications. For example, a sensitive finance application might have an idle timeout of two minutes when there is no browser action. The application can also have a maximum user-session time, which will automatically log out users after a specified period of time.

Rolling Keys
eTrust SiteMinder can centrally and automatically roll over all keys that agents use to encrypt and decrypt cookies. Without the eTrust SiteMinder automatic rollover, IT administrators would need developers to implement a rollover scheme themselves, which is extremely difficult to do. The rolling keys of eTrust SiteMinder make its cookies extremely secure. Administrators can automatically generate and reset trusted host keys by delivering them securely to the trusted hosts, without requiring that the policy server or agent be restarted. The administrator can specify how often shared secrets are reset according to a schedule that is best for their environment: hours, days, weeks or months. Administrators can disable automatic shared secret rollover for specific trusted hosts and continue to perform manual shared secret rollovers, if required.
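The part of a rollover scheme that is hard to get right, as an added example (not eTrust SiteMinder code): after the key rolls, cookies sealed under the previous key must still be accepted for a grace period, while cookies sealed under a retired key are rejected. The cookie layout and the toy stream cipher (an HMAC-SHA256 keystream standing in for RC4) are constructed for illustration.

```python
"""Agent-side cookie key rollover.

Added example, not eTrust SiteMinder code. The cookie layout and the toy
stream cipher (HMAC-SHA256 keystream, standing in for RC4) are constructed.
What it shows: a cookie sealed under the previous key is still accepted after
one rollover, and one sealed under a retired key is rejected after the next.
"""
import hashlib
import hmac
import os
from collections import OrderedDict


class KeyRing:
    """Holds the current cookie key plus the previous one, as a rollover leaves them."""

    def __init__(self):
        self.keys = OrderedDict()   # key_id -> key bytes, newest last
        self.current = None
        self.roll()

    def roll(self):
        """Generate a new key and keep only it and the one before it."""
        key_id = os.urandom(4).hex()
        self.keys[key_id] = os.urandom(32)
        self.current = key_id
        while len(self.keys) > 2:
            self.keys.popitem(last=False)   # retire the oldest key
        return key_id


def _keystream(key, nonce, length):
    """Toy keystream: HMAC(key, nonce || counter) blocks, truncated to length."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(ring, payload):
    """Encrypt and tag the payload under the current key; format key_id:nonce:ct:tag."""
    key = ring.keys[ring.current]
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(key, nonce, len(payload))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return ":".join([ring.current, nonce.hex(), ct.hex(), tag.hex()])


def unseal(ring, cookie):
    """Return the payload, or None if the key is retired/unknown or the tag fails."""
    try:
        key_id, nonce_hex, ct_hex, tag_hex = cookie.split(":")
        nonce, ct, tag = bytes.fromhex(nonce_hex), bytes.fromhex(ct_hex), bytes.fromhex(tag_hex)
    except ValueError:
        return None                     # malformed cookie
    key = ring.keys.get(key_id)
    if key is None:
        return None                     # sealed under a key that has been rolled out
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(expected, tag):
        return None                     # tampered or wrong key
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def demo():
    """Seal once, roll twice; return what unseal gives after each rollover."""
    ring = KeyRing()
    cookie = seal(ring, b"uid=jdoe;exp=1700000000")   # constructed payload
    ring.roll()                                       # previous key still honoured
    after_one = unseal(ring, cookie)
    ring.roll()                                       # original key now retired
    after_two = unseal(ring, cookie)
    return after_one, after_two


if __name__ == "__main__":
    print(demo())   # (b'uid=jdoe;exp=1700000000', None)
```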

Revocation of User Credentials
Some sites need to immediately revoke access control privileges of a specific user; for example, when an employee is terminated. eTrust SiteMinder supports a rapid response through the use of commands to flush specific information from the web agent cache. The following operations are available both through the administrative interface and through the API:
• Flush the user cache
• Flush the resource cache
• Flush both caches
• Flush all resources in a specific realm
• Flush a specific user entry in the user cache


Hardware Stored Encryption Keys
eTrust SiteMinder has partnered with nCipher, the industry leader in hardware-based encryption, to implement storage of the host encryption key in hardware. This hardware technology adheres to industry standards and allows for highly secure yet flexible key management. nCipher’s HSMs incorporate the use of smart cards (“tokens”) and a card-reading device to securely manage the encryption keys. Using nCipher’s HSM, the key management functionality within the eTrust SiteMinder environment supports true random-number key generation, back-up, failover, and archiving capabilities in a FIPS 140-1 certified module.

Advanced Web Agents
eTrust SiteMinder does not put authentication or authorization logic on a web server, a common mistake of homegrown and competitor products. Instead, eTrust SiteMinder employs unique web agent filters (NSAPI – Netegrity, ISAPI – Microsoft IIS, DSAPI – Domino, and Apache modules) that integrate with and operate as part of the web server. Web agent filters are much more secure than storing authorization and authentication processes on the web server. All security logic resides behind the DMZ in the protected eTrust SiteMinder Policy Server. This architecture ensures security by not exposing any access logic or policies in the DMZ.

LDAP Protection from Denial-of-service Attacks
As noted in Carnegie Mellon CERT advisory CA-2001-18 (http://www.cert.org/advisories/CA-2001-18.html), LDAP directories are extremely susceptible to denial of service (DoS) attacks. eTrust SiteMinder eliminates these DoS attacks by placing an eTrust SiteMinder Policy Server between the web server and the LDAP directory. In addition, eTrust SiteMinder ensures that packets attempting authentication match the eTrust SiteMinder-encrypted key before passing authentication or authorization attempts on to the policy server. This chokes off DoS attacks on the eTrust SiteMinder infrastructure.

Unique Secure HTTP Header Passing
Through the central eTrust SiteMinder user interface, administrators can pass user store attributes through HTTP headers to applications through the eTrust SiteMinder web agent into the inbound channel of the web server. Since the eTrust SiteMinder filter is the dominant filter, it can overwrite all other filters to ensure header validity. In addition, this inbound channel is not visible to external users in the DMZ. That means no firewall port, from the web server to the user store (LDAP, MS/SQL, Oracle, Novell), needs to be opened. eTrust SiteMinder can pass these user store attributes to the application through its encrypted channel. What’s more, the channel from the policy server to the web agent is RC4-128-encrypted.

Protection from Cross-Site Scripting
A cross-site scripting (CSS) attack can occur when input text from the browser (typically, data from a post or data from query parameters on a URL) is displayed by an application without being filtered for characters that may form a valid, executable script when displayed at the browser. For example, an attack URL can be presented to unsuspecting users. When it is clicked, an application could return to the browser a display that includes the input characters, perhaps along with an error message about bad parameters on the query string. The display of these parameters at the browser can lead to an unwanted script being executed on the browser. eTrust SiteMinder agents support various options to filter out attacks based on bad characters in the URL. Using these agent configuration options, the administrator can specify the bad CSS, URL and query characters that the agent uses to block or filter requests and prevent attacks.

eTrust SiteMinder Developer Capabilities
The eTrust SiteMinder Software Developers’ Kit (SDK) supports the development of custom applications that embed eTrust SiteMinder in their environment and extend the capabilities of eTrust SiteMinder. Java and C APIs are provided to offer developers a choice of programming languages. Both interfaces contain several sets of APIs. Each set lets developers implement a particular feature, such as developing a custom agent using the Java APIs or extending an authorization scheme using the C APIs. Both client-side and server-side APIs are provided in Java and C. Both the C and Java agent APIs can also run on Linux.

Creating Custom Agents
The Agent API is used to build custom agents for enforcing access control and managing user sessions. Enforcing access control consists of authentication, authorization, and auditing of the user. The Agent API works in tandem with the policy server to greatly simplify application development while increasing application scalability with respect to the number of applications and resource-privilege pairs. Additional capabilities provided by the Agent API include full session management support, notifications for agent key rollovers, real-time policy updates, policy server failover, load balancing and logout reason codes. With logout reason codes exposed, developers can implement client applications that report with finer granularity why a logout was initiated. In addition, logout codes can be used to write separate event handlers for the different logout events. The logout codes include: Idle Timeout, Session Timeout and Explicit Logout. The availability of these logout reason codes provides more and better auditing information about user activities.
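A custom agent built with the Agent API has to screen requests the way the standard agent's bad-character options (Protection from Cross-Site Scripting, above) do. The following is an added example, not eTrust SiteMinder code: the character lists, names and decision logic are constructed. It checks both the raw and the percent-decoded URL, and places the agent-side block list beside the output encoding the application itself still needs.

```python
"""Request screening modelled on the agent's bad-character options.

Added example, not eTrust SiteMinder code: the character lists, names and
decision logic below are constructed for illustration. Two points shown:
the check must look at the percent-decoded form as well as the raw text, and
a block list at the agent does not replace output encoding in the application.
"""
import html
from urllib.parse import unquote, urlsplit

# Constructed character lists, loosely mirroring "bad CSS", "bad URL" and "bad query" characters.
BAD_CSS_CHARS = set("<>'\"")          # characters that let echoed input form markup or script
BAD_URL_CHARS = set("<>'\"|\\")       # characters not expected in a resource path
BAD_QUERY_CHARS = set("<>'\"")        # characters not expected in query parameter values


def _find_bad(text, bad):
    """Return the bad characters found in text or in its percent-decoded form."""
    hits = {c for c in text if c in bad}
    hits |= {c for c in unquote(text) if c in bad}   # so %3C cannot slip past as '<'
    return sorted(hits)


def screen_request(url):
    """Agent-side decision: ("allow", []) or ("block", [reasons]) for a request URL."""
    parts = urlsplit(url)
    checks = (
        ("path", parts.path, BAD_URL_CHARS),
        ("query", parts.query, BAD_QUERY_CHARS),
        ("css", url, BAD_CSS_CHARS),
    )
    reasons = []
    for name, text, bad in checks:
        found = _find_bad(text, bad)
        if found:
            reasons.append(f"{name}: {''.join(found)}")
    return ("block", reasons) if reasons else ("allow", [])


def render_error(bad_param):
    """Application-side control: encode before echoing, whatever the agent let through."""
    return f"<p>Bad parameter: {html.escape(bad_param, quote=True)}</p>"


if __name__ == "__main__":
    for sample in ("/finance/report?year=2006",            # constructed clean request
                   "/finance/report?msg=%3Cscript%3E"):    # constructed encoded markup
        print(sample, "->", screen_request(sample))
    print(render_error("<b>x</b>"))
```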

Creating a Custom Authentication Scheme
The Authentication API is used to develop plug-in modules to the policy server. These APIs are used to define new authentication schemes as well as custom implementations of known authentication schemes. Modules developed using this API are implemented as shared libraries and can be configured using the eTrust SiteMinder Policy Server Management Console. The Authentication API supports any type of user credentials:

Single Sign-on Support for Custom Agents
Custom agents built with the Agent API can participate in a single sign-on environment with standard eTrust SiteMinder web agents. Using the Cookie API, custom agents can also create third-party SMSESSION cookies that can be accepted by standard eTrust SiteMinder web agents. Customers have the option to enable or disable the capability for standard eTrust SiteMinder web agents to accept third-party cookies created by custom agents.

Flexible Authorization
The Authorization API is used to develop plug-in modules to the policy server for performing custom authorization functions. Modules developed using this API are implemented as shared libraries. The modules can be configured using the eTrust SiteMinder Policy Server Management Console to define active rules, active policies, and active responses.

Managing the Policy Store
The Policy Management API is used to manage all the objects within the eTrust SiteMinder Policy Store. With the Policy Management API, companies can develop custom Policy Management interfaces to eTrust SiteMinder. For example, a developer can write an application that allows administrators to manage policies, policy responses, global policy configuration, authentication schemes and password policies, shared secret rollover for trusted hosts, and affiliate and affiliate domain management functionality. Both programming and command line interfaces (CLI) are available.

Adding a Directory Provider
The Directory API is used to develop plug-in modules to the policy server for implementing a custom user store that eTrust SiteMinder does not support. eTrust SiteMinder supports the following namespaces for user directories:
• LDAP
• ODBC
• Microsoft Windows NT
• Custom
Using the Directory API, an interface can be built to any custom user directory or database.

Managing the User Store
The DMS API enables management of objects within an eTrust SiteMinder user directory. Users of the DMS API can develop custom User Management applications using eTrust SiteMinder that enable privileged users to create, add, modify and delete organizations, groups or users. The DMS API performs the following tasks:
• Manage directory entries
• Discover user privileges
• Enable/disable users
• Grant DMS roles to users
• Paging and sorting when searching LDAP directories or ODBC databases
Using the DMS Workflow API, developers can add pre- and post-process functionality for specific DMS APIs. The DMS APIs available for specifying the pre- and post-process functionality include those used for modifications such as set, delete, and associations. The pre- and post-process functionality is implemented as a shared library and is configured within the eTrust SiteMinder Policy Server Management Console.

Integrating with eTrust SiteMinder Events
The Event API lets customers build custom handlers for eTrust SiteMinder events. Through the Event API, eTrust SiteMinder can log events using outside sources, providers, or applications. Administrators can then access the logged information through these other sources, providers, or applications. Using the Event API, developers can build applications to alert administrators of eTrust SiteMinder activity. For example, an event handler can send an email to the administrator when the accounting server starts or someone creates a new policy.


Session Server API
The Session Server API allows enterprises to store application state information associated with the user and make it available to all applications as a shared service.

Creating a Secure Communication Tunnel
The Tunnel Service API provides secure transfer of data between an agent and a shared library on a policy server that supports the Tunnel Service. Use these APIs to develop tunnel services to securely communicate between the agents and the shared library on the policy server. When an agent sends a tunnel request to the policy server, the request contains:
• The name of the service library
• The function to be called in the service library
• The data to be passed to the function
The policy server initializes the appropriate service, invokes the requested function, and passes the data to the function. Once the service has performed its task, the policy server returns the results to the agent.

Summary
eTrust SiteMinder is the premier Web security solution for global organizations because it can securely and cost-effectively provide a Web access management solution that lets business in while keeping risk out:
• Enhance Compliance with Regulations. eTrust SiteMinder's central policy management, enforcement, and auditing provide a tool that helps achieve IT control and data privacy, and thus regulatory compliance.
• Reduce Administrative Costs. eTrust SiteMinder's robust set of administration tools makes it one of the most manageable security systems available today. With centralized tools, security administrators can manage up to millions of users and secure thousands of resources across the world, 24 hours a day, 7 days a week.
• Reduce Development Costs. eTrust SiteMinder readily integrates with existing applications, so applications can take immediate advantage of its security services without having to be re-designed, re-built and re-deployed. As a result, an eTrust SiteMinder security solution can be deployed quickly, without relying extensively on developers.
• Enhance the User's Experience. eTrust SiteMinder's single sign-on capabilities enable users to move from application to application, or site to site, without having to sign on multiple times with different credentials. For employees, single sign-on lets workers get their work done more efficiently; for customers, single sign-on lets users get the personalized information they need to do business easily and without frustration.
• Improve Security. eTrust SiteMinder provides centralized authorization and authentication services that remove security enforcement from many hundreds or thousands of individual applications. With centralized enforcement, security is consistent, comprehensive, and reliable, so that no holes are left open in an eTrust SiteMinder secured web environment.
• Improve Security System Manageability. With the auditing, logging and reporting capabilities of eTrust SiteMinder, administrators can keep it running smoothly and efficiently by analyzing system activity and preventing problems before they occur. When problems do occur, the troubleshooting tools of eTrust SiteMinder give administrators the information they need to resolve them quickly, so that security services remain available.

Conclusion
With its extended reach and power, the Internet has fundamentally changed traditional business processes. E-business has ushered in the widespread deployment of intranets, business-to-business (B2B) extranets and e-commerce websites. These sites extend business processes to the furthest reaches of the Web, enabling partners, customers, and employees to access critical applications, information, services, and transactions anytime and anywhere. Given the critical nature of the business processes and data being handled by these systems, isn't it imperative that they be secured using the most comprehensive, scalable, and reliable Web Access Management solution on the market? Providing this consistently over the years is what has made eTrust SiteMinder the "gold standard" in the WAM market year after year.

For More Information
eTrust Identity and Access Management Website: www.ca.com/etrust


Copyright © 2006 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. To the extent permitted by applicable law, CA provides this document “AS IS” without warranty of any kind, including, without limitation, any implied warranties of merchantability, fitness for a particular purpose, or non-infringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits, business interruption, goodwill or lost data, even if CA is expressly advised of such damages. MP279221206
