SiteMinder Web Agents and Application Server Agents

A SiteMinder Agent is a software component residing with the Web Server or Application Server hosting the resource to be protected and communicates with the Policy Server in order to enforce policies for user access to generic resources. There are several types of Agents that can be used with SiteMinder:

Web Agent

  • It intercepts all requests for resources (URLs), and determines whether SiteMinder protects a resource. If not, the request is passed through to the Web server for regular processing.
  • The Web Agent interacts with the Policy Server to authenticate the user, and to determine if access to the specific resource should be allowed.
  • The Web Agent also passes to the application (through the Web server) a “Response” that allows page content to be personalized to the needs and entitlements of each user.
  • The Web agent also passes any information to the web application and redirects the user to specific web pages with custom error messages.

Application Server Agent

  • Application Server Agents provide more fine-grained access control for objects such as Servlets, JSPs and EJBs.
  • SiteMinder Application Server Agents (ASA) is a set of servlets that communicate with the SiteMinder Policy Server via the SiteMinder Agent API.
  • These Agents are designed to protect resources hosted in an application server, such as servlets, JavaServer Pages, and EJB components.
  • The SiteMinder Application Server Agent protects resources on Java application servers that follow the Java 2 Enterprise Edition standard. These resources can be Java servlets, JavaServer Pages (JSPs), and Enterprise JavaBeans (EJBs).
  • When a user requests a resource from an application server, the Agent intercepts the request and determines whether the resource is protected by SiteMinder.
  • The SiteMinder Application Server Agent consists of two components:
    • Java Servlet Agent — a collection of servlets that communicates with the Policy Server via the SiteMinder Agent API.
    • EJB Agent — a component that integrates with the application server and communicates with the Policy Server like the servlet Agent. The EJB Agent protects only EJBs.
    • In the absence of an Application Server Agent, you can use a Web Agent to protect application server resources; however, the Application Server Agent can protect resources at a more fine-grained level than a Web Agent.

Differences Between SiteMinder Web Agents and Application Server Agents:

 SiteMinder Web Agent For HTTP Server                                                     SiteMinder Application Server Agent For Application Servers
Will not protect WAS directly Protects WAS directly
No support for WebSphere SSO Bi-directional support for WebSphere SSO
No protection for EJB container and Web container SiteMinder AppServer Agent protects WebSphere Web container and EJB container
No integration with WebSphere Application Server Integrates with WebSphere Application Server Security Mechanism
Supportability is easy Supporting WebSphere Application Server Agent is difficult when compared to the Web Agent
Security Integration is loosely coupled between Web Server and Application Server Provides tight security integration for WebSphere Application Server
Provides advanced Authentication mechanisms – Form based, Certificate based, RSA token authentication etc Provides basic Authentication scheme only
Provides advanced Authentication mechanisms – Form based, Certificate based, RSA token authentication etc Provides basic Authentication scheme only; Needs another Web Server with SiteMinder Web Agent for Advanced Authentication Schemes
No Audit/logs are generated for WebSphere Application Server. Logs are generated only at IBM HTTP Server Audit/Logs are generated at WebSphere Application Server level
Easy to troubleshoot Support and troubleshoot needs higher level of experience with SiteMinder Application Server Agent and WebSphere Application Server
No need to restart Application Server when changes are made to SiteMinder Web Agent; The Web Server needs a restart Application Server needs a restart when changes are made to the SiteMinder Application Server Agent

Custom Agents

Custom agents together with the SiteMinder Policy Server can provide access control for a wide range of resources that extend beyond Web resources. The Agent API provided by SiteMinder enables creation of a custom Agent that can implement security for any type of resource.

Affiliate Agents

A SiteMinder Affiliate Agent provides a seamless connection from a main portal to an affiliate site without requiring a user to re-identify or provide additional information about them. The affiliate site can determine that the user has been registered at the main portal, and optionally, that the user has an active SiteMinder session. Based on policies configured at the portal for the affiliate, information can be passed to the affiliate and set as cookies or header variables for applications at the affiliate Web server.

Note:

  1. Web Agents are SiteMinder Agents that operate with Web servers.
  2. Affiliate agents are used for Federation Security Services solution. Federation Security Services enables business to share security information across multiple domains.
  3. EJB agent and Servlet agent comes under Application server agents for securing WebLogic and WebSphere application server resources. The Application Server Agent integrates SiteMinder with the J2EE platform.
  4. RADIUS agent (Remote Authentication Dial-In User Service) is used for Network Access Control.
  5. Siteminder web agent is used for Web Access Control.

10 Responses to“SiteMinder Web Agents and Application Server Agents”

  1. chinna
    September 14, 2012 at 3:32 AM #

    What are prequisites for Agent configuration? What are the objects required for agent configuration?

    • September 14, 2012 at 4:42 PM #

      Before installing the Web Agent, you must have installed a Policy Server. Additionally, you must prepare and configure the Policy Server for the Web Agent Installation. To do this, you need to:
      1. Create a SiteMinder Administrator (optional)
      Note: The SiteMinder Super User has rights to install Web Agents, so you only need to perform this step if you want to create another user.
      2. Create a Host Configuration Object
      Edit the Host Configuration Object’s policyserver setting to configure it for a single or multiple policy servers.
      3. Create an Agent
      4. Create an Agent Configuration Object
      Edit the Agent Configuration Object to register the Agent name in either the DefaultAgentName or AgentName parameter.The Agent name must exactly match what is provided during ACO configuration.
      5. Create a web agent group (optional)

    • chinna
      September 15, 2012 at 4:55 PM #

      Thanks vaibhav..

  2. chinna
    September 15, 2012 at 4:56 PM #

    how to move siteminder from one data center to another one, means bring back failover policy server in picture… how will you tackle replication between policy store ?

  3. chinna
    September 15, 2012 at 4:57 PM #

    I’m new for IAM.

  4. September 15, 2012 at 7:35 PM #

    Hi Chinna,I have tried to answer your query in my new post.Please check
    http://vaibhav181.wordpress.com/2012/09/15/siteminder-policy-server-in-failover-mode/

  5. chinna
    September 16, 2012 at 2:25 PM #

    Thanks vaibhav. i’m go through it . and get back to you

  6. srujan
    April 9, 2013 at 7:40 PM #

    Hi vaibhav…i am new to siteminder…i have some basic doubts…how load balancing between multiple web agents happen….and can i install two or more web agents when i have multiple apache instances on single host…..hope u reply…thanks in advance.

  7. srujan
    April 9, 2013 at 7:48 PM #

    for instance i have an application deployed in apache web server…and i have very heavy load which my web agent is unable to take…in this case can i install another apache and webagent on different physical server …..if i can install how to configure my sitminder in this case to protect my single application which resides on my first webserver…..if this case does not work then what i have to do to process huge number of requests….hope u understand my point….thanks in advance.

  8. karthik
    June 5, 2015 at 7:18 PM #

    Hi,

    What is the difference between web agents and custom agents? How to configure custom agents in policy server

Leave a Reply

Your email address will not be published. Required fields are marked *

(Required)

Proudly powered by WordPress   Premium Style Theme by www.gopiplus.com