CA eTrust SiteMinder Policy Server Management

More documents

Recommendations

Info

Session Ticket Keys ■ User Tracking If user tracking is turned on, the Policy Server uses the static key to encrypt user identity information. ■ Single Sign-on Across Multiple Key Stores In a SiteMinder deployment that includes multiple key stores, the static key may be used for single sign-on. In this situation, SiteMinder Agents use the static key for all cookie encryption. Note: If you change the static key, any cookies created with the former static key are invalid. Users may be forced to reauthenticate, and user tracking information becomes invalid. In addition, if the static key is used for single sign-on, users will be challenged for credentials when they attempt to access resources in another cookie domain. More information: Multiple Policy Stores with Separate Key Stores (see page 56) Change Static Keys (see page 61) Agent Keys (see page 47) Session Ticket Keys When a user successfully logs into a protected resource, the Policy Server creates a session ticket. The session ticket is what the Policy Server uses to determine how long a user’s authentication remains valid. This session ticket is encrypted using the session ticket key and cached in the Agent User Cache. You can choose to have the Policy Server generate the session ticket key using an algorithm, or you can enter a session ticket key in the SiteMinder Key Management dialog box. For security reasons, the randomly generated key is recommended. However, if your SiteMinder implementation includes multiple key stores in a single sign-on environment, you must enter the same session ticket key for all key stores. More information: Cache Management Overview (see page 83) Manage the Session Ticket Key (see page 63) 50 Policy Server Management
Key Management Scenarios Key Management Scenarios There are three types of scenarios for key management based on how you implement Policy Servers, policy stores and key stores, along with your single sign-on requirements. These scenarios include: ■ Common Policy Store and Key Store In this scenario, a group of Policy Servers shares a single policy store and key store, providing access control and single sign-on in a single cookie domain. The policy store data is maintained in a single policy store. Key data is maintained in a single key store. The key store may be part of the policy store, or may be a separate store. Both policy store and key store data may be replicated for failover purposes. Replication must be configured based on the database or directory type selected for the policy store. For information about replication schemes, consult the documentation provided by your database or directory vendor. ■ Multiple Policy Stores with a Common Key Store In this scenario, groups of Policy Servers connect to separate policy stores, but share a common key store, providing access control and single sign-on across multiple cookie domains. The policy store data for each group of Policy Servers is maintained in a single policy store. Key data for all groups of Policy Servers is maintained in a single key store. The separate key store allows Agents associated with all Policy Servers to share keys, enabling single sign-on across separate cookie domains. Both policy store and key store data may be replicated for failover purposes. Replication must be configured based on the database or directory type selected for the policy store. For information about replication schemes, consult the documentation provided by your database or directory vendor. Chapter 6: Configuring and Managing Encryption Keys 51
Page 1 and 2: CA eTrust ® SiteMinder ® Policy S
Page 3: CA Product References This document
Page 6 and 7: Specify a Netscape Certificate Data
Page 8 and 9: Chapter 12: User Session and Accoun
Page 10 and 11: SiteMinder Global Settings Dialog P
Page 12 and 13: Define the Realm ..................
Page 15 and 16: Chapter 1: Policy Server Management
Page 17 and 18: Policy Server Management Overview T
Page 19 and 20: Policy Server Management Tools Star
Page 21 and 22: Chapter 2: Starting and Stopping th
Page 23 and 24: Configure the Policy Server Executi
Page 25: Configure the Policy Server Executi
Page 28 and 29: Configure the Policy Store Database
Page 30 and 31: Configure a Separate Database for t
Page 32 and 33: Configure a Database for the Sessio
Page 34 and 35: Configure LDAP Storage Options Conf
Page 36 and 37: Configure ODBC Storage Options Conf
Page 38 and 39: Specify a Netscape Certificate Data
Page 40 and 41: Configure Policy Server Settings Co
Page 43: Chapter 5: Changing the Policy Serv
Page 46 and 47: Policy Server Encryption Keys Overv
Page 48 and 49: Dynamic Agent Key Rollover More inf
Page 52 and 53: Key Management Scenarios ■ Multip
Page 54 and 55: Key Management Scenarios The follow
Page 56 and 57: Key Management Scenarios Multiple P
Page 58 and 59: Manage Agent Keys More information:
Page 60 and 61: Manage Agent Keys 3. Click OK. Note
Page 62 and 63: Manage Agent Keys To change the sta
Page 64 and 65: Manage the Session Ticket Key Gener
Page 66 and 67: Shared Secret for a Trusted Host Sh
Page 68 and 69: Shared Secret for a Trusted Host No
Page 70 and 71: Report Logging Problems to the Syst
Page 72 and 73: Configure the Policy Server Profile
Page 74 and 75: Manually Roll Over the Profiler Tra
Page 77: Chapter 9: Configuring Administrati
Page 80 and 81: Enable Nested Security Enable Neste
Page 83 and 84: Chapter 11: Cache Management This s
Page 85 and 86: Flush Caches To flush all caches 1.
Page 87: Flush Caches 3. In the Resource Cac
Page 90 and 91: Manage User Accounts Manage User Ac
Page 92 and 93: Auditing User Authorizations 9. To
Page 95 and 96: Chapter 13: Clustering Policy Serve
Page 97 and 98: Clustered Policy Servers Failover T
Page 99 and 100: Configure Clusters 11. When you fin
Page 101:
Point Clustered Policy Servers to t
Page 104 and 105:
OneView Monitor Overview The follow
Page 106 and 107:
Policy Server Data Component Path P
Page 108 and 109:
Web Agent Data Update Version numbe
Page 110 and 111:
Web Agent Data LoginAvgTime Average
Page 112 and 113:
Web Agent Data Apache and iPlanet 4
Page 114 and 115:
Configure the OneView Monitor Confi
Page 116 and 117:
Access the OneView Viewer View Moni
Page 118 and 119:
Access the OneView Viewer Sort Tabl
Page 121 and 122:
Chapter 15: Monitoring SiteMinder U
Page 123 and 124:
SNMP Monitoring Dependencies The Si
Page 125 and 126:
SiteMinder MIB The upper part of th
Page 127 and 128:
SiteMinder MIB Authentication Serve
Page 129 and 130:
SiteMinder MIB Object Name SNMP Typ
Page 131 and 132:
SiteMinder MIB Object Name SNMP Typ
Page 133 and 134:
Configure the SiteMinder Event Mana
Page 135 and 136:
Start and Stop SiteMinder SNMP Supp
Page 137:
Troubleshooting the SiteMinder SNMP
Page 140 and 141:
How to View Sample Reports Using Cr
Page 142 and 143:
Page 144 and 145:
Page 146 and 147:
Page 148 and 149:
Page 150 and 151:
Page 153 and 154:
Chapter 17: Policy Server Managemen
Page 155 and 156:
Policy Server Management Console Pr
Page 157 and 158:
Policy Server Management Console
Page 159 and 160:
Policy Server Management Console Pe
Page 161 and 162:
Policy Server Management Console St
Page 163 and 164:
Policy Server Management Console Ne
Page 165 and 166:
Policy Server Management Console Co
Page 167 and 168:
Policy Server Management Console RA
Page 169 and 170:
Policy Server Management Console Mo
Page 171 and 172:
Policy Server Profiler Dialog Box P
Page 173 and 174:
Policy Server Profiler Dialog Box L
Page 175 and 176:
Policy Server Profiler Dialog Box H
Page 177 and 178:
Policy Server Profiler Filters Dial
Page 179 and 180:
Chapter 18: System Settings Referen
Page 181 and 182:
SiteMinder Cache Management Dialog
Page 183 and 184:
Key Management Key Management SiteM
Page 185 and 186:
Key Management SiteMinder Key Manag
Page 187 and 188:
Manage User Accounts Dialog Rollove
Page 189:
Manage User Accounts Dialog Value S
Page 192 and 193:
Command Line Troubleshooting of the
Page 194 and 195:
Check the Installed JDK Version -st
Page 196 and 197:
LDAP Referrals Handled by the LDAP
Page 198 and 199:
Error -- Optional Feature Not Imple
Page 201 and 202:
Appendix B: Scaling Your SiteMinder
Page 203 and 204:
How to Determine When to Add Web Ag
Page 205 and 206:
Page 207 and 208:
Page 209 and 210:
Page 211 and 212:
How to Determine When to Add Policy
Page 213 and 214:
Page 215 and 216:
Page 217 and 218:
Page 219 and 220:
Database and Directory Consideratio
Page 221 and 222:
UNIX Server Tuning UNIX Server Tuni
Page 223 and 224:
Appendix C: Using the Policy Server
Page 225 and 226:
Policies in RADIUS Environments 1.
Page 227 and 228:
Policies in RADIUS Environments Pol
Page 229 and 230:
Policies in RADIUS Environments The
Page 231 and 232:
Responses in RADIUS Policy Domains
Page 233 and 234:
Page 235 and 236:
Page 237 and 238:
Page 239 and 240:
Deploy SiteMinder in a RADIUS Envir
Page 241 and 242:
How to Authenticate Users in a Homo
Page 243 and 244:
Page 245 and 246:
Page 247 and 248:
Authenticate Users in Heterogeneous
Page 249 and 250:
Page 251 and 252:
Page 253 and 254:
How to Authenticate Users in Hetero
Page 255 and 256:
Group RADIUS Agents Define Agents f
Page 257 and 258:
Group RADIUS Agents The following e
Page 259 and 260:
Troubleshoot and Test RADIUS Respon
Page 261 and 262:
Troubleshoot and Test RADIUS To use
Page 263 and 264:
Appendix D: Log File Descriptions T
Page 265 and 266:
smaccesslog4 Field Name Description
Page 267 and 268:
smaccesslog4 Field Name Description
Page 269 and 270:
smobjlog4 Field Name Description Nu
Page 271:
smobjlog4 Field Name Description Nu
Page 274 and 275:
Published Data This key is located
Page 276 and 277:
Published Data Published Policy Ser
Page 278 and 279:
Published Data TAG Contains Descrip
Page 280 and 281:
Published Data The following table
Page 282 and 283:
Published Data Published User DIrec
Page 284 and 285:
Published Data Published Agent XML
Page 286 and 287:
Published Data Published Custom Mod
Page 289 and 290:
Appendix F: Error Messages This sec
Page 291 and 292:
Authentication Message Function Des
Page 293 and 294:
Page 295 and 296:
Page 297 and 298:
Page 299 and 300:
Page 301 and 302:
Page 303 and 304:
Page 305 and 306:
Authorization Error Message Functio
Page 307 and 308:
Server Message Function Description
Page 309 and 310:
Page 311 and 312:
Page 313 and 314:
Page 315 and 316:
Page 317 and 318:
Page 319 and 320:
Page 321 and 322:
Java API Message Function Descripti
Page 323 and 324:
Java API Error Message Function Des
Page 325 and 326:
Page 327 and 328:
Page 329 and 330:
LDAP Error Message Function Descrip
Page 331 and 332:
Page 333 and 334:
Page 335 and 336:
Page 337 and 338:
Page 339 and 340:
Page 341 and 342:
Page 343 and 344:
Page 345 and 346:
Page 347 and 348:
Page 349 and 350:
Page 351 and 352:
Page 353 and 354:
Page 355 and 356:
ODBC ODBC Error Message Function De
Page 357 and 358:
Directory Access Error Message Func
Page 359 and 360:
Directory Access Message Message ID
Page 361 and 362:
Directory Access Message Message ID
Page 363 and 364:
Tunnel Error Message Function Descr
Page 365 and 366:
Index A access accept • 237 acces
Page 367 and 368:
Configure ODBC Storage Options •
Page 369 and 370:
Flush Resource Caches • 87 Flush
Page 371 and 372:
Management Console--Keys Tab • 16
Page 373 and 374:
Published Agent XML Output Format
Page 375 and 376:
SiteMinder Global Settings Dialog P
Page 377:
terminating • 84 User Session and
show all

CA eTrust SiteMinder Policy Server Management

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?