How do I use SiteMinder With Pramati Server?

Enterprises can tightly secure applications running on the Server using Netegrity SiteMinder solution and have single sign-on capability, using the custom Pramati Application Server Agent for SiteMinder. This replaces the standard procedure provided by Netegrity, which uses its reverse proxy server to intercept, authenticate, authorize, and forward Web requests to the Server. Both scenarios are described in this document.

Note: SiteMinder users can now try the Custom Pramati Application Server Agent.

Key Terminologies

Table 1: Key Terminologies

Key Term Description

SiteMinder Identity Management Solution.

Pramati Server Application Server that processes and serves Web requests.

Policy Server SiteMinder component providing authorization and authentication service to applications.

Agent Web Agent of SiteMinder that authorizes requests for a secured resource and forwards requests to SiteMinder.

Custom Agent Single Custom Pramati Application Server Agent replaces the Agent and Reverse Proxy Server softwares. This component quickly integrates Netegrity SiteMinder with applications running on Pramati Server.

Software Requirements

Netegrity SiteMinder 6.0.
Pramati Server 4.1 and above. (Scenario I given below, works with Pramati Server 3.5 SP1 onwards).
Custom Agent jar (server_patch.jar).
J2SE 1.4.1 required by SiteMinder 6.0.

Pramati Server can be integrated with SiteMinder running in the following environment:

Windows 2000 Professional
Microsoft IIS 5.0 (required by SiteMinder adminstrator)
ServletExec for running servlets (required by SiteMinder administrator)
J2SE 1.4.1 for SiteMinder
SunOne LDAP Server 5.2 as the policy store
Oracle 9.0 as the data store using driver SiteMinder Oracle Wire Protocol 4.20.00.09

What is SiteMinder?

The Netegrity SiteMinder is an enterprise security solution that provides:

Centralized privilege management
Broad range of authentication methods
Scalability and high availability
Single sign-on
Delegated management services

SiteMinder has two main components:

Policy Server
Agent

Policy Server

Policy Server forms the core of SiteMinder and usually runs on a separate Windows NT or Unix system. It manages all key security operations for SiteMinder, and provides the following services:

Authentication - Authenticates users based on selected authentication techniques.
Authorization - Manages and enforces access control rules established by the administrator. These rules define operations allowed for protected resources.
Auditing - Generates logs with auditing information about events in the system.

What is a SiteMinder Agent?

SiteMinder Agent is a component residing with the Web Server or Application Server hosting the resource to be protected and communicates with the Policy Server in order to enforce policies for user access to protected resources. Netegrity publishes information on several types of Agents that can be used with SiteMinder.

What is Custom Pramati Application Server Agent?

Custom Pramati Application Server Agent replaces the Agent and Reverse Proxy Server softwares. This component quickly integrates Netegrity SiteMinder with applications running on Pramati Server. The Custom Agent combines the security framework of Pramati Server with the installed SiteMinder infrastructure to provide rapid deployment applications that run on Pramati Server and use SiteMinder single sign-on features.

The Custom Agent is implemented as a JAAS LoginModule on Pramati Server that hosts resource to be secured. It uses the security interceptor in Pramati Server Web Container that intercepts all requests for secured resources, and determines if SiteMinder is registered to protect a resource.

If yes, the Custom Agent talks to the SiteMinder Policy Server and authenticates the user. If not, the request passes through for regular processing on Pramati Server.

The Custom Agent sets a cookie on the client that allows page content to be personalized. Subsequent requests from the authorized client carry request header parameters set by Pramati Server. The headers includes the following parameters:

SM_USER
SM_USERSESSIONID
SM_USERSESSIONSPEC
SM_USERIPADDRESS
SM_USERDN

What are the Various Usage Scenarios?

SiteMinder and Pramati Server can be used together in two possible configurations:

Standard Configuration using SiteMinder Web Agent
Pramati Configuration using Custom Agent

Scenario I: Standard Configuration Using SiteMinder Web Agent

Pramati Server works outside the box and requires no extra configuration. SiteMinder Web Agent is configured to redirect requests to Pramati Server that hosts the secured resources. SiteMinder provides authorization, authentication, and auditing for Pramati Server.

This is the basic topology of SiteMinder where all requests from clients are intercepted by a Reverse Proxy Server that is integrated with the SiteMinder Web Agent. The agent then talks with the Policy Server for authenticating the client for accessing the secured resource on some server.

The configuration is simple and requires only SiteMinder changes. This does not involve any configuration on Pramati Server. To configure SiteMinder Web Agent, use the Netegrity Policy Server Administration Tool as detailed below:

Start the Netgerity Policy Server Administration Tool.
Right click and select Create Agent Type.
Add the agent type as pramati application server agent type and add ''get'' and ''post'' as two actions for accessing the resources.
Right click and select Create Agent.
Add pramati_agent as the name. This name has to be provided in the web-config.xml in Pramati Server as explained in the Pramati Web container specific configurations shown in the following sections. Also select the check box for Support 4.x Agents.
Select the agent type as pramati application server agent type.
Add the IP address information and the shared secret text value. The shared secret is configured in the web-config.xml.

Scenario II: Configuring Pramati Server Using Custom Agent

Pramati Server replaces the Reverse Proxy Server. All Web requests are intercepted by the security interceptor in Pramati Web Container and, if the resource is secured using SiteMinder, the Custom Agent uses SiteMinder Policy Server for authorization and authentication.

Here the reverse proxy server is replaced by Pramati Server that now intercepts all Web requests coming from the client. The following steps assume that SiteMinder is running with the Web Agent type configured, as described in Scenario I: Configuring SiteMinder for Pramati Server. Also, see the software requirements for SiteMinder host environment details:

Install Pramati Server with Custom Agent
Configure Pramati Server Web Container with SiteMinder
Configure Custom Agent (SiteMinder LoginModule)
Copy security configuration files
Start Server and verify configuration

Step 1: Installing Pramati Server With Custom Agent

Install Pramati Server.
Start Server by executing runserver script from the directory <install_dir>\server\bin. This is required for applying the Custom Agent jar on an existing Server installation.
Stop Server. Change setup.bat in the directory <install_dir>\server\bin as follows:

set sm =\webagent\java set CLASSPATH=%sm%\smconapi.jar;%sm%\dms.jar;%sm%\env.jar; %sm%\jsafe.jar;%sm%\smconapi.jar;%sm%\smjavaagentapi.jar; %sm%\smjavasdk2.jar;\c:\j2sdk1.4.2_10\lib\tools.jar; %install.root%\lib\pramati\server_patch.jar; %install.root%\lib\pramati\classpath.jar;

Step 2: Configuring Pramati Server Web Container for SiteMinder

To work, the Custom Agent must receive calls from security interceptor in the Web Container. To configure the Web Container, add the following snippet to the web-config.xml in the directory <install_dir>\server\nodes\default\config. The complete tags in the XMLs are reproduced in the appendix. Here, the tags are explained in parts for clarity.

What is the Custom Agent Classname?

The Server loads this class while initializing the Custom Agent at start-up.

com.pramati.web.sso.siteminder.SMWebAgent Custom Pramati Application Server Agent ...

security. enabled = true or false determines if the Custom Agent is to be used.
can-check-for-protected-resources = true or false. If true, Custom Agent is asked if the resource is secured, which means that any J2EE deployment descriptor-based security constraint will not apply. The Custom Agent will contact SiteMinder or use its configured set of URLs. If false, J2EE security constraint rules apply.
can-authorize-roles = true or false. If true, the Custom Agent is responsible also for authorization, not just authentication.
classname is the class name of Custom Agent.

What is the Shared Name for Custom Agent?

This is a case-sensitive and unique name that SiteMinder uses to identity its agents. The name of the agent is also configured on SiteMinder. See Scenario I: Configuring SiteMinder for Pramati Server for configuring the agent-name as pramati_agent on SiteMinder. The two names must match.

<entry> <key>agent-name</key> <value>pramati_agent</value> </entry>

How do I Establish Connection Between Pramati Server and SiteMinder?

The connection details between Pramati Server and SiteMinder, such as shared names, ports, and location of policy server, are entered in the form of key value pairs.

The SiteMinder IP address:

<entry> <key>policy-server-ip</key> <value>192.168.1.45</value> </entry>

The minimum number of connections used by SiteMinder:

<entry> <key>connection-min</key> <value>1</value> </entry>

The maximum number of connections used by SiteMinder:

<entry> <key>connection-max</key> <value>100</value> </entry>

The increment value for connections to be used by SiteMinder:

<entry> <key>connection-step</key> <value>1</value> </entry>

The timeout value for the connections to be used by SiteMinder:

<entry> <key>timeout</key> <value>20</value> </entry>

SiteMinder's authorization port:

<entry> <key>authorization-port</key> <value>44443</value> </entry>

SiteMinder's authentication port:

<entry> <key>authentication-port</key> <value>44442</value> </entry>

SiteMinder's accounting port:

<entry> <key>accounting-port</key> <value>44441</value> </entry>

How do I Add Shared Secret for Custom Agent?

Shared secret is a string that matches the value provided while configuring this agent in SiteMinder:

<entry> <key>shared-secret</key> <value>pramati</value> </entry>

What is the Realm for Applications That Use SiteMinder?

Realm of the application that should use SiteMinder for authentication (can be an existing realm):

<entry> <key>realm-name</key> <value>siteminder</value> </entry>

How do I set the Domain for Single Sign-on Cookie?

The domain to set on the single sign-on cookie is as follows:

<entry> <key>single-sign-on-cookie-domain</key> <value>.pramati.com</value> </entry>

List of Protected URLs

A ";" separated list of URLs that are protected. This is optional. If this entry is not provided the agent will access SiteMinder to check if the resource is protected.

<entry> <key>protected-resources</key> <value>/jspDeskWeb/numguess.jsp;/jspDeskWeb/gameofeight.jsp</value> </entry> </details> </security-interceptor-webagent>

Step 3: How do I Configure Custom Agent (SiteMinder LoginModule)?

Add the realm information and the SiteMinder LoginModule information in security-config.xml located in the directory <install_dir>/server/nodes/default/config:

Realm Name

<realm>  <realm-name>siteminder</realm-name> </user-manager> .... </realm>

What is User Manager Class?

Class name of the user manager class to be used for the realm. By default system realm uses XML-based user manager. User can define his own user manager for a realm. This class must implement com.pramati.services.security.spi.UserManager.

<class-name>com.pramati.security.loginmodules.xml.XMLUserManager</class-name>

What are Start-up Options?

The init-options define map of key-value pair that are passed to the initialize method of the class.

... ... <init-options> <entry> <name>securityXML</name> <value>$NODE_DIR\config\system-security1.xml</value> </entry> <entry> <name>algotype</name> <value>encrypt</value> </entry> <entry> <name>algoname</name> <value>DES</value> </entry> </init-options> </user-manager> </realm>

How do I Configure LoginModule?

The SiteMinder Login Module configuration is located under this tag in the security-config.xml:

<login-module-configuration>  <realm-name>siteminder</realm-name>  <config-entry>  <class-name>com.pramati.web.sso.siteminder.SiteMinderLoginModule</class-name>  <flag>optional</flag> </config-entry> </login-module-configuration>

Step 4: How do I Copy Security Configuration Files?

Copy system-security.xml from the <install_dir>\templates to $NODE_DIR\config\ and rename to system-security1.xml.

Step 5: How do I Start Pramati Server and Verify Configuration?

Start Server by running the runserver script.

To verify the SiteMinder configuration, check the Server log for the string Pramati Application Server Agent for SiteMinder installation successful.

The log is located under <install_dir>\server\nodes\<node_name>\logs\servermsg\.xml.

Related Topics:

Key Term	Description

SiteMinder	Identity Management Solution.
Pramati Server	Application Server that processes and serves Web requests.
Policy Server	SiteMinder component providing authorization and authentication service to applications.
Agent	Web Agent of SiteMinder that authorizes requests for a secured resource and forwards requests to SiteMinder.
Custom Agent	Single Custom Pramati Application Server Agent replaces the Agent and Reverse Proxy Server softwares. This component quickly integrates Netegrity SiteMinder with applications running on Pramati Server.


© Pramati Technologies 2007	Runs on Pramati Server \| Feedback \| Legal