CA SiteMinder - WebInterface


CA SiteMinder Implementation Guide r12.5 Second Edition

This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the “Documentation”) is for your informational purposes only and is subject to change or withdrawal by CA at any time.

This Documentation may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of CA. This Documentation is confidential and proprietary information of CA and may not be disclosed by you or used for any purpose other than as may be permitted in (i) a separate agreement between you and CA governing your use of the CA software to which the Documentation relates; or (ii) a separate confidentiality agreement between you and CA.

Notwithstanding the foregoing, if you are a licensed user of the software product(s) addressed in the Documentation, you may print or otherwise make available a reasonable number of copies of the Documentation for internal use by you and your employees in connection with that software, provided that all CA copyright notices and legends are affixed to each reproduced copy.

The right to print or otherwise make available copies of the Documentation is limited to the period during which the applicable license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed.

TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.

The use of any software product referenced in the Documentation is governed by the applicable license agreement and such license agreement is not modified in any way by the terms of this notice.

The manufacturer of this Documentation is CA.

Provided with “Restricted Rights.” Use, duplication or disclosure by the United States Government is subject to the restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or their successors.

Copyright 2012 CA. All rights reserved. All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.

CA Technologies Product References

This document references the following CA Technologies products:

- CA Arcot
- CA Arcot RiskFort
- CA Arcot WebFort
- CA Directory
- CA DLP Content Classification Service
- CA SiteMinder

Contact CA Technologies

Contact CA Support

For your convenience, CA Technologies provides one site where you can access the information that you need for your Home Office, Small Business, and Enterprise CA Technologies products. At http://ca.com/support, you can access the following resources:

- Online and telephone contact information for technical assistance and customer services
- Information about user communities and forums
- Product and documentation downloads
- CA Support policies and guidelines
- Other helpful resources appropriate for your product

Providing Feedback About Product Documentation

If you have comments or questions about CA Technologies product documentation, you can send a message to techpubs@ca.com.

To provide feedback about CA Technologies product documentation, complete our short customer survey which is available on the CA Support website at http://ca.com/docs.

Documentation Changes

The following documentation updates have been made since the last release of this documentation:

- Directory Servers and Databases (see page 23)—Removed a table that listed all of the directory servers and databases that SiteMinder supports. A cross reference to the Platform Support Matrix replaced the table contents.
- Periodic Maintenance Tasks (see page 155)—Updated guidance for running XPSSweeper Utility (169270, 168658, 21175885:01).

Contents

Chapter 1: SiteMinder Components
  Purpose and Audience
  SiteMinder Documentation
  Documentation Roadmap
  SiteMinder Components
  Policy Server
  SiteMinder Agents
  CA Business Intelligence
  Data Stores
  SiteMinder Administrative UI

Chapter 2: Architectural Considerations
  Your Enterprise Environment
  Operating Systems
  Web Server Vendors
  Application Server Vendors
  Enterprise Resource Planning Systems
  Directory Servers and Databases
  Implementation Considerations
  Policy Management Models
  Identify the Applications to Secure
  Identify User Stores
  Identify Authentication Methods
  Identify Password Management Options
  Identify Who Will Manage Your Web Agents
  Identify Data Centers
  Identify Resources to be Secured with Multiple Cookie Domains
  Determine if Partnerships Require Federation Manager
  Determine if Advanced Encryption Standards are Required
  Determine if Virtualization is to be Used
  Determine how to Manage Policy Servers
  Determine how to Manage Web Agents
  Architectural Use Cases
  Simple Deployment
  Simple Deployment with Optional Components
  Simple Deployment with Optional Agents
  Multiple Components for Operational Continuity
  Clustered Components for Scale
  Redundancy and High Availability

Chapter 3: Capacity Planning
  Capacity Planning Introduced
  Use Case: Capacity Planning
  How to Estimate a Sustained Authentication Rate
  Estimate Daily Authentications
  Estimate a Sustained Authentication Rate
  Estimate a Peak Authentication Rate
  How to Estimate a Sustained Authorization Rate
  Estimate Daily Authorizations
  Estimate a Sustained Authorization Rate
  Estimate a Peak Authorization Rate

Chapter 4: Configuration Considerations
  Security Zones
  Multiple Data Centers
  Best Practices
  Architectural Considerations
  Multiple Data Center Use Cases
  Authentication and a Centralized Login Server
  Centralize Login Pages
  Best Practices
  Login Page Use Cases

Chapter 5: Performance Tuning
  Performance Tuning Introduced
  Performance Tuning Roadmap
  Web Tier Performance
  Server Performance
  SiteMinder Agent Performance
  Reduce Traffic between Your Agents and the Policy Server
  Improve Agent Performance through Load Balancing
  Application Tier Performance
  SiteMinder Policy Design and Performance
  SiteMinder Policy Objects and Performance Roadmap
  Authentication Guidelines
  Authorization Guidelines
  Auditing and Performance
  Load Balancing the Application Tier
  Data Tier Performance
  Data Tier Guidelines
  User Store Capacity Planning
  Periodic Maintenance Tasks

Chapter 6: Diagnose Implementation Issues
  Diagnose Issues Introduced
  Policy Server/Policy Store Connection Issues
  Work with Support
  Environment Information
  Log Files
  Policy Server Crash
  Agent Crash
  Resource Leaks
  Functional Issues
  Random Issues
  Locate Knowledge Base Articles
  Measure SiteMinder Performance
  Network Sniffers
  SiteMinder OneView Monitor
  SiteMinder Test Tool
  Directory Server Utilities and SQL Analyzers

Chapter 7: Product Integrations
  CA Arcot WebFort and RiskFort
  Authentication in an On–Premise Arcot Integration
  Confidence Levels and SiteMinder Authorization
  Risk Scores and Confidence Levels Compared
  Enable Confidence Level Support for Authorization Decisions
  CA Arcot Integration Use Cases
  User Store Consideration
  CA Arcot A-OK
  Authentication in a Hosted CA Arcot Integration
