Cisco Transport Manager 9.0 Technical References

Cisco Transport Manager Release 9.0 Basic External Authentication
OL-15571-01
the required user credentials that must be obtained to validate the user’s identity. If the resource is 
incorrect or unprotected, access to the requested resource is denied. The resulting output can be 
cached. 
4. Collection of required credentials.
CTM issues a SiteMinder API login call to collect the required user credentials and authenticate the 
user. Upon successful authentication, the policy server creates a session and returns response 
attributes, including the unique session ID and the session specification. The session specification 
is a type of ticket that uniquely identifies the session. These policy-driven response attributes 
include user profile data, static or dynamic privileges, predefined authentication state attributes, and 
other data designated by the policy administrator. The actual implementation does not use the 
response attributes, because the user profile is retrieved from the CTM database. 
The CTM agent caches the user session information. The CTM server configures the custom agent 
for version 4.x to have only one connection to the policy server. The timeout value is 15 seconds. 
For agent version 5.x, the configuration is set up by the SiteMinder administrator, and CTM loads 
all information from the SmHost.conf file.
5. CTM agent initialization.
The CTM SiteMinder agent is loaded when the application boots up. For agent version 4.x, all 
parameters are loaded from the database to configure a reliable connection to the policy server. For 
agent version 5.x, all parameters are loaded from the SmHost.conf file. The external authentication 
flag is loaded so that the server loads the library dynamically. This technical solution is driven by 
the necessity of deploying the CTM installation without the SiteMinder library, which is subject to 
royalties. Not all parameters require a server reboot; changes to the Enable SysAdmin and Allow 
Local Fallback settings take effect immediately.
Understanding the Typical SiteMinder CTM Agent Init Call Sequence
The CTM agent has two init call sequences, one for each agent version (4.x or 5.x).
All agent version 4.x configuration parameters are stored in the CTM database and read when the CTM 
server boots up. If agent version 5.x is selected, the CTM custom agent uses the server IP address and 
the API call to retrieve the agent configuration from the SmHost.conf file configured by the SiteMinder 
administrator. If the call succeeds, CTM stores the agent API reference in a global variable so that 
all authentication modules can easily reference it. After the connection is up and running, CTM clients 
begin placing authorization requests.
CTM Session Services
The SiteMinder environment maintains consistent user sessions across multitiered applications. The 
CTM custom agent (not the policy server) maintains a per-user session specification, also called a 
session ticket. The CTM agent uses the session services of the agent API to create, delegate, validate, 
and terminate user sessions.
The following agent API methods implement session services:
Login()
Logout()