Siteminder Agents and Virtual Servers

We know that to protect web resources with CA Siteminder, we have to install Agents on the servers that host those resources. But what happens if there are multiple virtual servers on a single physical server? Let's discuss the features Siteminder has for dealing with virtual servers.

Each virtual server is a logical entity and acts as an independent server. Suppose, using virtual servers, we set up a single server to host both www.abc.com and www.xyz.com. One can assign a virtual server a unique IP address, or an IP address that is shared with the physical server or with another virtual server.

Although we configure only one Web Agent per Web server, we can configure Agent identities to protect our virtual servers. If one user tries to access the protected resources on the server through www.abc.com and another user tries through www.xyz.com, each virtual server is protected by its own agent identity. The advantage of creating an agent identity for each virtual server is that we can define unique realms and rules for each site.
The settings that we define for the Web Agent apply to all virtual servers that we define for that Web server instance; however, each virtual server processes requests independently, and the Policy Server treats each virtual server request separately. If we have more than one instance of the iPlanet Web server, such as a server for HTTP communication and a server for HTTPS communication, two WebAgent.conf files exist. Each file can have multiple agent identities.

To configure support for virtual servers, we need to do one of the following three:

  1. Define and add an Agent identity for each virtual server: specify an agent name and assign it the IP address of a virtual server.
  2. Define an Agent identity only for virtual servers that need to be uniquely identified.
  3. Use the DefaultAgentName parameter.

Defining Agent Identities for Virtual Servers:
The Agent Name parameter and its associated IP address map Web server interfaces to agent names as defined in the policy store. Web Agents need to make Agent API calls in the proper agent name context in order for the correct set of rules and policies to apply. If no Agent name or IP address is assigned for mapping to the policy store, then the Web Agent will use the default agent name.
To protect virtual servers using unique Agent identities, add a Web Agent for each virtual server in the Agent Name parameter. Adding a separate Web Agent for each virtual server enables us to define unique realms and rules for each virtual server.
To add a Web Agent identity:
1. Enter the name of the agent and the IP address, separated by a comma.
2. Optionally, specify the port number associated with the IP address (for example: 112.12.12.1:8080). We may want to specify the port number if our virtual servers share the same IP address, but use different ports.
To add more than one Agent, place each entry on a separate line. For example:
agentname="agent1,123.123.12.12:8080"
agentname="agent2,123.123.12.12:8081"
agentname="agent3,123.123.12.13"
If we add an Agent identity, we must also define it in the Policy Server User Interface with the same configuration. Make sure that the Agent identity is defined in the Policy Server User Interface exactly as it is defined in the Agent configuration.
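
The mapping described above can be checked before deployment. The following is an added example, not code from CA or from this article: it parses agentname entries in the format shown, resolves which identity a virtual server interface would receive, and lists identities that have no exactly matching name in the Policy Server. The lookup order (IP:port, then IP alone, then the default name), the DefaultAgentName line format, the function names and all sample values are assumptions made for illustration.

```python
import re

# Constructed sample in the article's format; "default_agent" is a made-up name
# and the DefaultAgentName line format is assumed to match the agentname lines.
SAMPLE_CONF = '''
agentname="agent1,123.123.12.12:8080"
agentname="agent2,123.123.12.12:8081"
agentname="agent3,123.123.12.13"
DefaultAgentName="default_agent"
'''

ENTRY = re.compile(r'^\s*(agentname|defaultagentname)\s*=\s*"([^"]*)"\s*$', re.I)

def parse_agent_config(text):
    """Return ({interface: agent_name}, default_name, duplicate_interfaces)."""
    mapping, default, duplicates = {}, None, []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # blank lines and unrelated settings
        key, value = m.group(1).lower(), m.group(2)
        if key == "defaultagentname":
            default = value.strip()
            continue
        name, _, interface = (part.strip() for part in value.partition(","))
        if not interface:
            continue  # a name without an IP address maps no interface
        if interface in mapping:
            duplicates.append(interface)  # two identities claim one interface
        mapping[interface] = name
    return mapping, default, duplicates

def resolve_agent(mapping, default, ip, port):
    """Assumed lookup order: exact IP:port, then IP alone, then the default name."""
    return mapping.get(f"{ip}:{port}") or mapping.get(ip) or default

def missing_from_policy_server(mapping, default, policy_agents):
    """Agent names in the config with no exactly matching Policy Server agent."""
    used = set(mapping.values()) | ({default} if default else set())
    return sorted(used - set(policy_agents))

if __name__ == "__main__":
    mapping, default, dups = parse_agent_config(SAMPLE_CONF)
    policy_agents = {"agent1", "agent2", "Agent3", "default_agent"}  # constructed
    for ip, port in [("123.123.12.12", 8081), ("123.123.12.13", 443), ("10.0.0.5", 80)]:
        print(ip, port, "->", resolve_agent(mapping, default, ip, port))
    print("duplicate interfaces:", dups)
    print("not in Policy Server:", missing_from_policy_server(mapping, default, policy_agents))
```

An interface that resolves to the default name is evaluated against the default agent's realms and rules, so any virtual server that was meant to have its own policy but appears in that group is worth reviewing.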

5 Responses to “Siteminder Agents and Virtual Servers”

  1. satya
    January 21, 2013 at 6:07 PM #

    Is it possible to use a similar approach when virtual web servers are configured using specific ports rather than unique IP addresses?

  2. January 22, 2013 at 2:44 PM #

    Yes Satya, as I have mentioned in the last few lines, “Optionally, specify the port number associated with the IP address (for example: 112.12.12.1:8080). We may want to specify the port number if our virtual servers share the same IP address, but use different ports.”, we can use a similar approach if we have virtualised the servers using specific ports.

    Let me know if you find this helpful. 🙂

    • satya
      February 4, 2013 at 7:46 PM #

      Thanks Vaibhav.

  3. Palash
    May 4, 2013 at 10:19 PM #

    Vaibhav, is it possible for different web agents to connect to different policy servers (e.g. one agent connecting to a policy server which authenticates customers and another that authenticates employees)?

  4. December 24, 2015 at 10:57 PM #

    Not really, cannot agree with the whole, but generally it’s a more than decent article.
