CA SiteMinder Interview Questions
A subject area as critical as application server security prompts a noteworthy volume of equally critical questions. Secure workloads against the latest threats, simplify access control, and comply with regulatory requirements efficiently with Security services in IBM Bluemix.
WebSphere Application Server queries the registry for user information as well as for administrative operations. When the WebSphere Application Server processes run as a non-administrator and global security is enabled, the user registry must be either LDAP or a custom registry. To use the Local OS user registry, the user under which the product processes run must have the Administrator privilege and the "Act as part of the operating system" privilege, because these are needed to call the Windows operating system APIs that authenticate or collect user and group information.
The process needs special authority, which these privileges grant. The user in this example should not be the same as the security server ID (the only requirement for that ID is that it be a valid user in the registry). This user is the one who logs in to the machine when the product process is started from the command line, or the user given in the Log On User setting in the Services panel when the product processes are started as services.
If the machine is also part of a domain, this user should additionally be a member of the Domain Admin group so that it can call the operating system APIs in the domain, in addition to having the "Act as part of the operating system" privilege on the local machine.
To use the Local OS user registry, the user under which the product processes run must have the root privilege. The process needs special authority, which is given by the root privilege. Using the Local OS user registry requires the node agent, the deployment manager, and the application server process to run as root. In WebSphere Application Server Network Deployment with application server nodes distributed over more than one physical machine, you cannot use Local OS authentication.
In this environment, you must use either LDAP or a custom registry. There is one exception: a Windows domain registry is a centralized registry, so it can be used in this situation. More information can be found in the Information Center article: Local operating system registries.
There is a way to configure WebSphere Application Server to return a different user ID to the application than the one used to log in. This assumes that the LDAP entry for each user has an attribute containing a string that can be used as the second user ID. For example, let's call this attribute myname. Let's also assume the user ID used for authentication is contained in an LDAP attribute called uid.
Normally, WebSphere Application Server would return the same user ID that was used to log on. With this configuration, if the application extracts the J2EE principal, it will see the user as "sueping" and not as "dale".
Yes, there is a configuration option that enables authentication to continue if one or more other registries are down, as long as the ID is found in one of the registries that are still up and functional. The federated repository configuration command to permit this is:
If SSO is not enabled, each individual request requires authentication.
If you choose to use form-based login, once the form completes authenticating, the user then redirects back to the originally requested URL.
Without SSO, the user's authentication is now lost and authorization will fail. This is not seen when using basic authentication, because the authentication information is in every HTTP request and WebSphere Application Server can use it whenever needed (this does impact both security and performance). Note also that the WebSphere Application Server login session will not expire if the user performs no action for some period of time. If your application needs to expire its use based on idleness, you must explicitly code this in your application.
You can detect when a user arrives with an expired session (really, a new session) and force them to log in again if you think this is necessary. Keep in mind that doing this undermines Single Sign On across applications. If the recorded time is too far in the past, you can of course fail the access and force a new authentication. Either of these approaches can be made transparent to the application code through the use of servlet filters. Users often ask why WebSphere Application Server works this way.
Why can't it time out idle login sessions? The reason is that WebSphere Application Server is fundamentally a loosely coupled distributed system. Application servers that participate in an SSO domain don't need to talk to each other. They don't even have to be in the same cell. So, if you want to limit the idle lifetime of an LTPA token (aka SSO token), you'd have to update the token itself with a last-usage time on every request, or perhaps on the first request seen during a one-minute interval.
This means that the token itself would change frequently, meaning the browser would be accepting new cookies frequently and WebSphere Application Server would have to decrypt and verify the inbound token each time it is seen in order to validate it.
That could be expensive; today WebSphere Application Server only validates a token on its first use at each application server. It's not impossible to solve these problems with clever caching and such, but that's not how WebSphere Application Server works today. WebSphere Application Server V6.
While this is a really nice feature for a simple cell configuration, any user who has multiple cells and requires that LTPA keys be in sync between the cells should turn off the auto-regeneration feature for LTPA.
If you provided a value, the cookie domain was set to that value and the cookie would then be sent back to hosts within the same DNS domain. This is the behavior required by the HTTP specification. The problem was that if your cell (or really, the Web servers) served requests for multiple DNS domains, there was no way to specify more than one domain. Now, you specify all of the domains you need. When WebSphere Application Server creates the cookie, it will set the cookie's domain value (the HTTP spec allows for only one value) to whichever of the configured domains matches the inbound request.
Examples of a valid domain name are ibm. Microsoft has a fix for this.
The single application server restriction is due to the fact that SWAM does not support forwardable credentials. What this means is that if a servlet or enterprise bean in one application server process invokes a remote method on an enterprise bean living in another application server process, the caller identity is not transmitted to the second server process.
What is transmitted is an unauthenticated credential, which, depending on the security permissions configured on the EJB methods, might cause authorization failures. Using SWAM in the base edition is even discouraged because it relies on the HTTP Session object for maintaining the user state, which is problematic since the HTTP Session layer is not part of the security infrastructure.
Note: If a user has already been authenticated by some authentication system other than WebSphere Application Server, it is possible to inform WebSphere Application Server of the user's identity rather than requiring that the user re-authenticate. This is known as identity assertion. All of these products are responsible for their own implementation that leverages the WebSphere Application Server TAI (Trust Association Interceptor) plug point, and for ensuring that it functions with their solution.
From a WebSphere Application Server perspective, you can use any of these products you wish, but any questions or problems you experience must be handled through the vendor, such as CA for Siteminder. It is important to understand that the support line is at the plug point.
By design, WebSphere Application Server will support up to the plug point, and the implementer such as Siteminder is responsible for the implementation of the plug point, which is designed to work with their solution.
To do this, you implement the plug-in interface com. CustomPasswordEncryption and then specify two custom security properties in security. You can also set these in PropFilePasswordEncoder. The two properties are:
For more information, see the Information Center article: Plug point for custom password encryption.
There are two primary aids, the WebSphere SystemOut.
This information is usually enough to determine the missing permission and the code requiring the permission. When Java 2 security is enabled in WebSphere Application Server, the security manager component throws a java. AccessControl exception when a permission violation occurs. This exception, if not handled, often causes a runtime failure. This exception is also logged in the SystemOut.
However, when the JVM com. This information is logged. To set the com. In the Name field, type com. In the Value field, type true.
Yes, we recently added some helpful tips based on the experience our IBM Software Services for WebSphere team has had with other customers. The sample below can be used to programmatically get the user ID and password from a J2C alias in the WebSphere Application Server configuration.
In brief, NTLM is a closed Microsoft HTTP transport security protocol that provides authentication, integrity, and confidentiality for web applications running on the Microsoft platform; it is designed to work only within a Microsoft networking environment.
Microsoft has also published a statement that it no longer recommends using NTLM. For web services applications using the WS-Security standards, both Microsoft. Be aware that Microsoft's recommended replacement authentication technology, Kerberos, supports credential delegation, which enables the propagation of user identity through applications without requiring the user's password. Similarly, SAML-based authentication supports propagation of user identity without a password or an original Kerberos identity.
Prevention and mitigation of denial of service (DoS) attacks is best accomplished using firewalls and network configuration, not with WebSphere Application Server, or any middleware for that matter. These properties in the HTTP server plugin configuration file plugin-cfg. The number of requests on a keep-alive (persistent) connection and the number of client connections on the web container transport can be limited by setting:
First, before discussing your network options for using firewalls or a management network, it's essential to understand that a WebSphere Application Server Network Deployment cell is a single trust domain. Placing firewalls between WebSphere Application Server nodes therefore provides no additional security protection, since the firewall must be configured to allow WebSphere Application Server inter-node communication; a breach on one node compromises all nodes. In the same vein, using a separate management network provides no additional security protection, again because a breach on one WebSphere Application Server node, in either the management or the application processes running on that node, will compromise all WebSphere Application Server Network Deployment processes in the cell.
Specific to firewalls, you need to determine the ports in use in your environment and determine the ports in use between WebSphere Application Server Network Deployment processes. Refer to this advanced security hardening article for a discussion and diagram on the connections between various Network Deployment processes and to the Information Center for a list of the default ports in use, then determine the specific ports in use for your environment and proceed to configure the firewall.
With regard to assistance or support for firewall configuration, the WebSphere Application Server Product Support Policy on firewalls is as follows:
During the troubleshooting process, IBM may require that the problem be recreated without a firewall in the flow between WAS DM and its Agents, to check whether the problem is related to the implemented firewall.
Turning to the use of a management network, the WebSphere Application Server default is for profiles to use all of the network interfaces on a given node that are available for use, but WebSphere Application Server can be configured to use only a specific interface, which would correspond to an administrative network.
Refer to the Information Center for information on configuring a WebSphere Application Server profile to use just a single interface. Note that WebSphere Application Server cannot be configured to use a subset of interfaces: only "all" interfaces or a single interface. If your most important security questions were not answered here, be sure to check the Related topics below, and particularly the new WebSphere Application Server security resources page on developerWorks, where much of the most noteworthy material on WebSphere Application Server security will be continually spotlighted.
CA Identity Manager Interview Questions
AllAboutIAM is a fast-growing community of passionate technologists who seek to revolutionise the world of IAM software design industry. If you are in a position where you are responsible for managing users in your organization, you need an IAM service that takes care of the complicated user access management stuff. Are you having difficulty in implementing the chosen IAM product? Identity and Access Management has gradually become one of the most talked about technologies in the recent times.
If you are interviewing for a job as a SiteMinder Admin and are asking this question, you might want to consider another job. Most of the documentation is not really geared towards people new to SiteMinder, but the topics covered should give an idea of the types of questions to expect.
There are a lot of opportunities from many reputed companies in the world. According to research, CA SiteMinder has a market share of about 2. Ans: Well, there are certain things that can be done for this.