Siteminder Best Practices
• Firewall considerations – For a secure environment, place the web server in a De-Militarized Zone (DMZ) behind a firewall, and place the application servers, databases and SiteMinder Policy Servers behind a second, internal firewall, so that only the Web Agent's traffic to the Policy Server needs to cross the inner boundary.
• Policy store and key store considerations – For faster access to stored policy data, an LDAP directory is advised as the policy store and key store. Oracle and SQL Server databases are also supported and are scalable, capable and secure alternatives.
• Storing user profile information – Using LDAP as the user store has several advantages over ODBC data sources or a Windows NT domain. LDAP gives faster access to user information than either of the others. If the schema must be extended with additional attributes, an NT domain cannot be used. LDAP user directories can be configured for both load balancing and failover, whereas ODBC data sources support failover only.
• Audit log storage – For better security and easier reporting, storing audit logs in an ODBC database rather than in text files is preferred.
• Replicating policy stores and configuring failover – To provide uninterrupted access to the policy store, replicate it to a secondary server and enable the failover mechanism through the Policy Server's configuration interface.
• Implementing authentication schemes – SiteMinder provides schemes such as Basic, Basic over SSL, Forms, Forms over SSL and X.509 certificates, each carrying a protection level. To group resources, realms can be nested within other realms. A nested realm shares the same Agent as its parent, but it may be given a higher protection level than the parent so that more sensitive resources get stronger protection. When a user accesses the parent realm he is authenticated by a particular scheme, say Basic; when he later requests a resource protected by the child realm, whose scheme has a higher protection level (say X.509 certificates), he must authenticate again with that stronger scheme (step-up authentication).
• Single Sign-On considerations – Protection levels must be managed so that when a user moves from one web server to another within the same cookie domain, the resource on the second web server has a protection level equal to or lower than the level the user's session has already satisfied; otherwise SiteMinder will prompt the user to authenticate again with the stronger scheme and the sign-on will not be seamless.
• Clustering with Application Server Agents – If you do not use a shared file system, you must install the Application Server Agent on every server in the cluster. The Application Server Agent supports a multi-tier clustering architecture.
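To make the protection-level rules in the authentication-scheme and single sign-on points concrete, here is a small Python model of the decision a Policy Server makes when a session arrives at a realm. It is an added example, not SiteMinder's own code or API: the scheme names, their numeric levels, the realm names, the resource paths and the user name are all assumptions constructed for illustration, and the model assumes every login or step-up challenge succeeds.

```python
"""Model of SiteMinder-style protection-level decisions for nested realms
and cross-server single sign-on.

Constructed example: the scheme levels, realm names and user are assumptions
made for illustration; this is not SiteMinder's own API.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed protection levels (higher means stronger). Only the ordering
# matters for the decisions modelled below.
SCHEME_LEVELS = {
    "basic": 5,
    "basic_ssl": 10,
    "forms_ssl": 10,
    "x509": 15,
}


@dataclass
class Realm:
    """A protected resource set on one web server, optionally nested in a parent."""
    name: str
    scheme: str
    parent: Optional["Realm"] = None

    @property
    def level(self) -> int:
        return SCHEME_LEVELS[self.scheme]


@dataclass
class Session:
    """What the SSO cookie carries: who the user is and how strongly he proved it."""
    user: str
    auth_level: int


def nesting_is_valid(realm: Realm) -> bool:
    """A child realm may raise the protection level of its parent but never lower it."""
    return realm.parent is None or realm.level >= realm.parent.level


def decide(session: Optional[Session], realm: Realm) -> str:
    """Return 'login' (no session), 'allow' (SSO honoured) or 'challenge'
    (step-up: the realm demands a stronger scheme than the session holds)."""
    if session is None:
        return "login"
    if realm.level <= session.auth_level:
        return "allow"
    return "challenge"


def walk(user: str, path: List[Realm]) -> Tuple[List[str], Optional[Session]]:
    """Simulate a user visiting realms in order within one cookie domain.

    Assumes every login/challenge succeeds, so the session's level rises to
    the level of the scheme just used and is never lowered afterwards.
    """
    session: Optional[Session] = None
    outcomes: List[str] = []
    for realm in path:
        outcome = decide(session, realm)
        outcomes.append(outcome)
        if outcome != "allow":
            new_level = realm.level if session is None else max(session.auth_level, realm.level)
            session = Session(user, new_level)
    return outcomes, session


if __name__ == "__main__":
    portal = Realm("portal", "basic")                     # web server 1, parent realm
    accounts = Realm("portal/accounts", "x509", portal)   # nested realm, stronger scheme
    reports = Realm("reports", "basic_ssl")               # web server 2, same cookie domain
    print(nesting_is_valid(accounts))
    print(walk("alice", [portal, accounts, reports, portal]))
```

Walking the constructed path produces login at the portal, a step-up challenge at the X.509-protected child realm, and then silent SSO at both the second web server and the parent realm, because the session now carries the highest level it has satisfied. Reversing the levels (a child realm weaker than its parent) fails the nesting check.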
I hope these points may prove helpful, next time you consider Siteminder for your rescue.