Tuesday, March 25, 2014

How Siteminder Agent interacts with Policy Server

I found the discussion below in one of the forums and hope it will be useful in understanding the flow.
 Discussion 1:
============
1. When the user enters the application URL in the browser, it goes to the web server. If a web agent is installed on the web server, the request is first intercepted by the webagent.conf file.
2. In the webagent.conf file it finds the path of the smhost.conf file, and the request goes to the smhost.conf file.
3. In the smhost.conf file it finds the policy server which it needs to contact.
4. Now the web server contacts the policy server through the ports 4444(1,2,3) that are mentioned in the smhost.conf file. This is done by LLAWP (Low Level Agent Worker Process).
5. LLAWP sends the request to the policy server asking to initialize the communication between the web agent and the policy server. In the request the web agent sends the details of the trusted host that is present in the smhost.conf file.
6. When the policy server receives the request, it checks whether it can trust the request by seeing whether the trusted host is present in the policy store and whether it belongs to the web server from which it got the request.
7. This initial request sent by the web agent is encrypted with the shared secret present in the smhost file, so the request is secure and only the policy server can decrypt it.
8. If the policy server trusts the request, it starts the communication with the web agent. This communication will be started by the HLA process from the policy server. The HLA process uses the HCO that the web agent used to register with the policy server.
9. When the communication from the policy server reaches the web agent, it decrypts the communication using the shared secret. The communication will have details about the HCO which started the communication, and it compares whether the HCO in the communication is the same as the HCO present in the smhost.conf file.
10. This way the policy server and web agent handshake with each other and set up the communication. Now the web agent sends the details of the ACO present in webagent.conf to the policy server.
11. The policy server now takes this ACO and sees whether it is present in the policy store. If it is present, it gets the agent name present in the ACO and also the properties of the agent present in the ACO.
12. Now the policy server asks for the resource, and the web agent sends the resource it got from the browser.
13. The policy server gets the list of all the realms present in the policy store which are linked to the agent that is present in the ACO. It checks whether the resource it got from the web agent is present in any realm in the list (here it looks for the longest match), gets the realm which has this resource, and sees whether this realm is configured as protected or not protected. If it is not protected, it tells the web agent that it is not protected.
14. If it is protected, it checks whether the request that came from the browser has an smsession. If there is no smsession, the policy server fetches the authscheme from the realm and gives the corresponding login page to the web agent, which gives it to the browser.
This is the process that occurs to check whether the resource or request received from the browser is protected or not.
Note: All the communication that occurs after the handshake between the policy server and web agent is encrypted for security. The encryption and decryption are done using keys present in the key store.
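
The start-up chain in steps 1 to 4 (WebAgent.conf points to SmHost.conf, which names the trusted host, the HCO and the policy servers with their ports) can be traced with a short script. This is an added example, not part of the forum discussion or CA's own tooling; the key names are the ones these files normally use, while the hosts, paths, object names and secret are constructed placeholders. It also flags an SmHost.conf that is readable beyond its owner, since step 7 makes the shared secret in that file the basis of the agent's trust.

```python
import re
import stat

# Constructed samples. Key names follow the usual layout of these files;
# hosts, paths, object names and the secret are placeholders.
WEBAGENT_CONF = '''
HostConfigFile="/opt/webagent/config/SmHost.conf"
AgentConfigObject="sample_aco"
EnableWebAgent="YES"
'''
SMHOST_CONF = '''
hostname="sample_trusted_host"
hostconfigobject="sample_hco"
sharedsecret="{PLACEHOLDER}not-a-real-secret"
policyserver="192.0.2.10,44441,44442,44443"
policyserver="192.0.2.11,44441,44442,44443"
'''
LINE = re.compile(r'^\s*([A-Za-z]+)\s*=\s*"(.*)"\s*$')

def parse_conf(text):
    """Parse key="value" lines; repeated keys (policyserver) are kept as lists."""
    out = {}
    for raw in text.splitlines():
        m = LINE.match(raw)  # comment lines starting with '#' never match
        if m:
            out.setdefault(m.group(1).lower(), []).append(m.group(2))
    return out

def bootstrap_summary(webagent_text, smhost_text, smhost_mode):
    """Follow WebAgent.conf -> SmHost.conf and report what the agent will use."""
    wa, sh = parse_conf(webagent_text), parse_conf(smhost_text)
    servers = []
    for entry in sh.get("policyserver", []):
        host, *ports = [p.strip() for p in entry.split(",")]
        servers.append((host, [int(p) for p in ports]))
    findings = []
    if smhost_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("SmHost.conf readable by group/other; it holds the shared secret")
    if not servers:
        findings.append("no policyserver entry")
    return {
        "smhost_path": wa.get("hostconfigfile", [None])[0],
        "aco": wa.get("agentconfigobject", [None])[0],
        "trusted_host": sh.get("hostname", [None])[0],
        "hco": sh.get("hostconfigobject", [None])[0],
        "policy_servers": servers,
        "findings": findings,
    }
```

On a real host, pass the file contents and `os.stat(path).st_mode` for SmHost.conf instead of the constructed strings.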

Discussion 2:
=========
WebAgent Initialization:
========================

When you register the agent with the policy server through the smreghost command, the SmHost.conf file gets created. The SmHost.conf file contains information that the Web Agent uses to make initial connections to the Policy Servers with which it is associated. It also creates a trustedHost object in the policy store, which you specify at the time of registration.
A Trusted Host is a client computer where one or more Web Agents are installed. It handles the connection to the Policy Server. The term trusted host refers to the physical system. You can have more than one trusted host on a physical server, but each must be identified by a unique name.

Now when you enable the WebAgent and bounce the web server, the initial connection flow goes like this: the WebAgent reads the WebAgent.conf file and looks for the path of the SmHost.conf file; from that path it reads the SmHost.conf file and tries to connect to the IP address of the policy server machines that are present there. Once that is done, it fetches the trustedHost object from the policy store (the policy store is connected with the policy server). Once that is done, a successful TCP connection is established between the WebAgent and the policy server. The WebAgent then never uses the SmHost.conf file.


Before I explain the request processing part, let me explain the connection between the WebAgent and the web server. There is an HTTP connection between the WebAgent and the web server. When you configure the WebAgent with the web server, remember that we specify the WebAgent binaries inside the configuration of the web server, so when you bounce the web server after configuration, it loads the WebAgent DLL / binaries into the web server process. This is how an HTTP connection is made.

Request Processing:
===================
Now when a user accesses a resource from the browser, say http://www.sample.com/mysite/abc.html, the WebAgent filters this request from the web server module, and after parsing the host and the resource name the WebAgent sends the resource name to the policy server through the TCP socket connection in the form of packets, e.g. ACO, AgentName, HostName, Client IP, resourceName etc., each in a separate encrypted packet.
Now the Policy Server decrypts each packet and knows the agent name which sent the request. From the agent name it fetches all the matching Realm objects, and from the Realm object it checks the resource which has been associated with a specific realm. It then checks whether the resource is protected in a realm, and if it is protected, it sends a challenge response back to the WebAgent over the same TCP socket connection. The WebAgent, which is listening on that socket connection, reads the response and throws a challenge to the user in the browser.
This is how a basic IsProtected request is processed.


One thing I want to mention is that each request goes separately: the IsProtected request is different, the IsAuthenticated request is different and the IsAuthorize request is different.
There are three different requests.
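
The IsProtected decision described in both discussions (realms linked to the agent, longest match on the resource, then a challenge if there is no smsession) can be modelled in a few lines. This is an added, simplified model and not CA's implementation; the realm data, agent names and the action labels are constructed, and treating a resource that matches no realm as unprotected is an assumption of the model. The audit helper shows the practical consequence of longest-match: an unprotected realm nested under a protected one opens that sub-path.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Realm:
    agent: str             # agent name the realm is linked to
    resource_filter: str   # path prefix the realm covers
    protected: bool
    auth_scheme: Optional[str] = None  # scheme returned with the challenge

# Constructed sample policy store; names and paths are illustrative only.
REALMS = [
    Realm("agent_sample", "/mysite/", True, "HTML Form"),
    Realm("agent_sample", "/mysite/public/", False),
    Realm("agent_other", "/", True, "Basic"),
]

def find_realm(agent, resource, realms=REALMS):
    """Realm linked to `agent` whose filter is the longest prefix of `resource`."""
    candidates = [r for r in realms
                  if r.agent == agent and resource.startswith(r.resource_filter)]
    return max(candidates, key=lambda r: len(r.resource_filter), default=None)

def is_protected(agent, resource, has_smsession=False, realms=REALMS):
    realm = find_realm(agent, resource, realms)
    # Assumption of this model: no matching realm means "not protected".
    if realm is None or not realm.protected:
        return {"protected": False, "action": "allow"}
    if not has_smsession:
        return {"protected": True, "action": "challenge",
                "auth_scheme": realm.auth_scheme}
    # Session validation is a separate request and is not modelled here.
    return {"protected": True, "action": "validate_session"}

def shadowed_by_unprotected(agent, realms=REALMS):
    """Audit helper: unprotected realms nested under a protected realm."""
    mine = [r for r in realms if r.agent == agent]
    return [(u.resource_filter, p.resource_filter)
            for u in mine if not u.protected
            for p in mine if p.protected
            and u.resource_filter != p.resource_filter
            and u.resource_filter.startswith(p.resource_filter)]
```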

10 comments:

Saravanaram said...

Really useful... Thanks for posting such articles

Unknown said...

Thanks for posting in detail work flow

VISWA@MIDDLEWARE said...

Hi, how to find the version of SiteMinder and web agent installed on Unix with iPlanet web server?

VISWA@MIDDLEWARE said...

Hi guys, can anyone help regarding my above query?

Unknown said...

Really helpful!!!! Thanks a lot...

Unknown said...

Worth reading this article, Thanks for the detailed description !