AITT-IAM SDD Siteminder+FedMgr v1.0 - Updating

<Project Name> SSD Version <nn.
rr>
AITT Migration Project

Document Author: I&AM Delivery Team
Project ID: <ClarityId>
System Design Document

Version 0.7
Ameriprise Financial, Inc., 707 Second Ave South, Minneapolis, MN 55474

This document based on AQMS V5.01
< JUNE, 2014>
Internal Use Only

1
System Design Document Template SSD Version <nn.rr>
Warning
This is a hard copy of a document maintained on electronic media. It may not be the latest version. Kindly
ascertain the latest version from the Document Master List available with the Project Manager .
DOCUMENT RELEASE NOTICE
Document Details
Name Version No. Description Release Date

System Design <nn.rr> System Design
Document (SDD) Document for <Project
Name>
Revision Details
Only include revision details for current release

Revision Revision Section Page Revision Change type Rationale for
No. Date No. No. Description (add / change
(mm/dd/yyyy) modify /
delete)
This document and any revised pages are subject to document control. Please keep them up-to-date using the
release notices from the distributor of the document.
Approved by: Date:
Authorized by: Date:

DOCUMENT REVISION LIST

Customer Name & Dept. :
Document Name :
Project :
Project ID :
Revision Revision Section Page Revision Change type Rationale for change
No. Date No. No. Description (add/modify/
(mm/dd/yyyy) delete)
PREFACE
Purpose of this Document
This document details the System Design of the Siteminder Client, Siteminder A&C, Federation Manager
Client and Federation Manager A&C. This is the main deliverable in the Design phase and describes the
overall system specification in terms of user interface, processes, data flows, and internal and external linkages.
This document will help in meeting the following needs:

To translate the system requirement specifications into design specifications which will be used to
develop the application
To serve as the basis for mutual understanding between the designer and the developer.
To provide a basis for the detailed design, construction and acceptance testing for the application
Intended Audience
This document is intended for use by the designers and developers of the system. It also includes anyone who
will read or contribute to this document such as the project owner, sponsor, project team, support groups,
MEPG and EQAG,
Related Documents / References
The following documents have been referred for preparation of this SDD document.
Sr. No Document Title and Version No. Description

1. System Requirements Document The document lists the Requirements of the
System being designed
2. Technical Proposal Technical Impact Assessment Document
3. Any other document
Acronyms and Abbreviations
The following acronyms and abbreviations have been used in this document.
Acronym/ Abbreviation Description

SM Siteminder
FM Federation Manager
CONTENTS
1. INTRODUCTION.................................................................................................................. 7
1.1 SCOPE OF THE LOGICAL DESIGN......................................................................................... 7
1.2 DESIGN OBJECTIVES AND PRINCIPLES..................................................................................8
1.3 SYSTEMS ARCHITECTURE OVERVIEW...................................................................................9
1.4 HARDWARE ENVIRONMENT.................................................................................................. 9
1.5 SOFTWARE ENVIRONMENT................................................................................................ 10
1.6 NETWORK ENVIRONMENT.................................................................................................. 10
1.7 ASSUMPTIONS, CONSTRAINTS AND DEPENDENCIES............................................................10
2. SYSTEMS ARCHITECTURE............................................................................................. 11
2.1 USE-CASE REALIZATIONS.................................................................................................. 11
2.1.1 Use-Case Realizations Inventory............................................................................11
2.2 APPLICATION ARCHITECTURE.............................................................................................15
2.2.1 Architecture Layering Overview..............................................................................15
2.2.2 <Layer Name>........................................................................................................ 16
2.2.3 Component Module Inventory.................................................................................18
2.3 HIGH-LEVEL DATA MODEL................................................................................................. 18
3. KEY DESIGN CONCEPTS................................................................................................19
3.1 FUNCTIONAL DESIGN........................................................................................................ 19
3.2 INFRASTRUCTURE DESIGN................................................................................................. 19
3.3 PERFORMANCE EXPECTATIONS..........................................................................................19
3.4 APPLICATION SECURITY.................................................................................................... 19
4. MODULE SPECIFICATIONS.............................................................................................20
4.1 <MODULE NAME>............................................................................................................. 20
4.1.1 Purpose and Functionality.......................................................................................20
4.1.2 Public Interfaces..................................................................................................... 20
4.1.3 Design..................................................................................................................... 21
4.1.4 Operational Procedures / Batch Processes............................................................28
4.1.5 Quality Attributes..................................................................................................... 28
5. DATA MIGRATION STRATEGY........................................................................................29
5.1 STRATEGY........................................................................................................................ 29
5.2 DATA MIGRATION PROCESS FLOW.....................................................................................29
6. COMPONENT INTEGRATION STRATEGY......................................................................30
6.1 COMPONENT LIST............................................................................................................. 30
6.2 COMPONENT INTEGRATION SEQUENCE..............................................................................30
6.3 COMPONENT INTEGRATION PROCEDURE............................................................................30
7. OPERATIONAL CONTROLS............................................................................................31
7.1 STARTUP AND SHUTDOWN................................................................................................. 31
7.2 AUDIT AND RECOVERY...................................................................................................... 31
7.3 RESTART.......................................................................................................................... 31
7.4 BACKUP STRATEGY.......................................................................................................... 31
7.5 FALLBACK STRATEGY........................................................................................................ 31
7.6 MANUAL PROCEDURES..................................................................................................... 31
7.7 SERVICE MANAGEMENT DISCIPLINES.................................................................................31
8. GLOSSARY OF TERMS.................................................................................................... 33
APPENDIX A: ERROR MESSAGES........................................................................................ 35

Introduction
As part of AFIs technology infrastructure migration from AFI data center in Minneapolis to IBM
data center in Saint Louis.
This Program encompasses analysis, designing, building, testing, and implementation for
migration of I&AM utilities to the new environment at IBMs Saint Louis data center.
1.1Scope of the Logical Design
The scope of the project involves detailed Analysis, Design and Development of a computer based
solution.
Below objectives are considered to be in scope for this project,
Siteminder
Upgrade I&AM Access Management to RHEL6 based CA

1 Siteminder r12.5 in Client and A&C.
Increase I&AM Access Management capacity to 1 extra servers
than total servers in existing environment in Client and A&C
2 respectively.
Migrate all I&AM Access Management infrastructure related Cron
3 Jobs to TWS (if any) in Client and A&C.
Creating separate Oracle 11g based Audit stores for Client and
4 A&C Access Management layer in new infrastructure.
Migrate schema/configuration/data along with
operations/maintenance jobs from old to new Oracle 11g based
5 Audit store in Client and A&C.
In Scope Migrating policy store configuration/schema/data to LDAP based
policy store in new infrastructure keeping CA Siteminder r12.0
7 schema in Client and A&C.
Migrating operation/maintenance jobs from old to new ODSEE
8 11g policy store in Client and A&C.
Integrate new CA Siteminder r12.5 with LDAP based policy store
in new environment with CA Siteminder r12.0 schema in Client
9 and A&C.
1 New I&AM Access Management layer would make integration
0 ready.
All applications that are not in AITT Scope or those which have
not migrated to the new SSO infrastructure by the end of AITT
1 Program will be migrated as cross commits by IAM AITT Team.
1
Out of Old and new I&AM Access Management environment intra-

Scope 1 operability.
Federation manager
Upgrade I&AM Access Management to RHEL6 based CA

1 Federation Manager r12.1 in Client and A&C.
Migrate all I&AM Access Management infrastructure related Cron
2 Jobs to TWS (if any) in Client and A&C.
Creating separate Oracle 11g based CA Federation Manager
Policy stores for Client and A&C Access Management layer in new
3 infrastructure.
In Scope Migrate schema/configuration/data along with
operations/maintenance jobs from old to new Oracle 11g based
4 CA Federation Manager Policy stores in Client and A&C.
Integrate new CA federation Manager r12.1 with new Oracle 11g
based CA Federation Manager Policy stores upgrading schema to
5 CA Federation Manager r12.1 in Client and A&C.
New I&AM Access Management layer would make integration
6 ready.
1 All Phase 1 and Phase 3 work packets.

Out of
Scope Old and new I&AM Access Management environment intra-
2 operability.
1.2 Design objectives and principles
Migrate all Identity and Access Management assets to the new environment with minimal or no impact to
availability, in a better, faster and cost efficient way.
1.3 Systems Architecture Overview
Below diagrams provide the Architecture Overview of the Siteminder and Federation Services for A&C
and Client Environment. The Siteminder and Federation Services program traverses three distinct states
for each of A&C and Client Environment.
1.3.1 Siteminder
1. Point of Arrival State

After all applications consuming the Siteminder are migrated to the new environment, legacy
system will be decommissioned and only the Siteminder System built in the new data center
will support all Authentication, Authorization and Auditing Services functions.
The PoA System provides Standalone environment for Siteminder Services with 3 Policy
Servers each and one Admin Server each for A&C and Client.
1.3.2 Federation Manager A&C
After all applications consuming the Federation Manager are migrated to the new environment,
legacy system will be decommissioned.
Only the Federation System built in the new data center will support all Authentication,
Authorization and Auditing Services functions for Federation Integrated Applications.
1.3.3 Federation Manager Client
After all applications consuming the Client Federation Manager are migrated to the new
environment and legacy system will be decommissioned.
Only the Federation Client System built in the new data center will support all Authentication,
Authorization and Auditing Services functions for Federation Integrated Applications.
1.4 Hardware Environment
Hardware Requirement for Siteminder .
There are 3 policy servers and 1 admin server each for A&C and Client.
Component Parameter Value

RHEL 6.0
Operating System
252 GB
Memory/RAM
Min 6 CPUs with 8 cores of 2.13 GHz each.

CPU Speed
App Install - 40GB - Tier1b

Hard Disk
Logs - 100GB - Tier2
Others 112 GB - Tier2.
Policy Servers
R12.5 Policy servers(3 in count for A&C and 3 in count for Client)
Admin servers
(1 in count for A&C and 1 in count for Client)
Hardware Requirement for Federation Manager
Component Parameter Value

Windows 2008 R2
Operating System
Min 8 GB
Memory/RAM
Min computing units equivalent to 2 CPUs with 6 cores of 2.70 GHz

CPU Speed
each.
Hard Disk App Install - 30GB - Tier1b
Logs - 60GB - Tier2
Others - 40GB - Tier2

Servers
R 12.5 Federation Manager Servers (2 in count for A&C and 2 in
count for Client) Webserver reverse proxy (2 in count for A&C
and 2 in count for Client)
DB
Federation Manager policy store Data Base
1.5 Software Environment
Software for the Siteminder and Federation Manager
RHEL 6.0
Oracle Directory Server Enterprise Edition (ODSEE) 11g (ODSEE 11.1.1.5) for RHEL 5.0
Siteminder 12.5 SP3 CR04
Audit DB
Federation ManageR 12.5
1.6 Network Environment

Firewall sheet ot be attached here. <TBD>
1.7 Assumptions, Constraints and Dependencies
Assumpti Network connectivity between new and old infrastructure

ons 1 would be available till completion of migration.
Performance capability of migrated/upgraded vendor
packaged product would be limited by the capacity and
capability provided by hardware/OS/network technology
2 stack.
New hardware/OS stack would be provided with a
capacity of same or better than existing I&AM
3 hardware/OS stack for each asset.
Network capacity of new infrastructure will be same or
4 better.
Technology Architecture design for clustering, failover and
DR of migrated/upgraded I&AM assets would remain AS-
5 IS.
Hardware is delivered as quoted in the wave planning
6 document.
CDO Team like Asset Managers, Architects have sufficient
7 bandwidth to support the work load of AITT.
8 Upgraded / migrated vendor packaged products would be
certified for the new technology stack wherever
applicable.
1 Delivery of Access management servers by IBM.
CA Support required for any compatibility/performance
2 issues.
Up gradation of Policy Store schema from R12 to R12.5
3 schema.
Dependen
cies AITT Dev team will be provided access to E1 dev server
4 for deploying apps.
AITT Dev team will be provided access to E2 and E3
5 servers for validation of the servers.
Dependency of DBA team for the delivery of Oracle
6 Database instances.
2. Systems Architecture
2.1.1 Siteminder
Please find attached below diagram that gives system Architectural overview.
Siteminder with components below will be populated with data in the new Data Center.
Siteminder policy server R 12.5 installed on 3 dedicated physical servers each for A&C and
Client.
Siteminder admin UI instance is installed on dedicated physical servers separate for A&C and
Client.
Siteminder Audit Store instances on 3 Oracle 11g RAC nodes each for A&C and Client.
Siteminder Policy Server will consume,
o Policy Store LDAP Directory Server instances deployed on 3 physical directory servers
each for A&C and Client.
o SUD LDAP Directory Server instances deployed on 3 physical directory servers each for
A&C and Client.
Below Technological Placement Diagrams depict the Siteminder client and A&C architecture in
detail.
TPD for Siteminder Client - Figure 2.1

TPD for Siteminder A&C - Figure 2.2
2.1.2 Federation Manager

Federation Manager with components below will be built in the new Data Center.
Federation Manger policy instance on 2 physical servers will be deployed each for A&C and
Client.
Federation Manager policy store database shared instances on Oracle 11g RAC each for A&C
and Client.
Below Technology Placement Diagrams depict the Federation Manager A&C and Client architecture
in detail.
TPD for Federation Manager Client

TPD for Federation Manager A&C

1.1 Use-Case Realizations
1.1.1 Use-Case Realizations Inventory
Siteminder Use Cases:
1 Admin accessing the Basic Flow

Siteminder Client ===========
Admin UI Admin user should be able to access Siteminder Admin UI.
Admin user should be able to view /edit the polices
Alternate flow#1
If the credentials provided by the admin user are incorrect, the user will be
thrown Incorrect User/Password Error message screen.
Alternate flow#2
If the user is unauthorized to access the application, user will be thrown
Unauthorized Error message screen.
Alternate flow#3
If the SSO components are down, then the user will be thrown Service Down
Error Message.
2 User Authentication & Basic Flow

Authorization ===========
User should be able to access websites protected by Siteminder
Alternate flow#1
If the credentials provided by the user are incorrect, the user will be thrown
Incorrect User/Password Error message screen.
Alternate flow#2
Alternate flow#3
If the SSO components are down, then the user will be thrown Service Down
Error Message.
SSO Federation Manager Use Cases:
1 User Authentication & Basic Flow

Authorization ===========
User should be able to access websites protected by Federation
Manager through Siteminder.
Alternate flow#1
If the credentials provided by the user are incorrect, the user will be
thrown Incorrect User/Password Error message screen.
Alternate flow#2
Alternate flow#3
If the SSO components are down, then the user will be thrown Service
Down Error Message..
2.2 Application Architecture

Not applicable
2.2.1 Component Module Inventory
Sr. Module Name Short Type Status CMDB

No Name ID
1 Siteminder Policy server SM System Migration A3473
2 SM Admin UI Subsystem Migration

505326
3 SM Policy Store Subsystem Migration A00564

and 61
Modification
4 Siteminder User Store SUD Subsystem Migration A00564

61
5 Audit Store Subsystem Migration

and
Modification
6 Federation Manager FM Subsystem Migration A3614
7 FM admin UI Subsystem Migration

480506
505325
505326
8 FM Policy Store Subsystem Migration
9 FM Audit Store Subsystem New

2.3 High-level Data Model
2.3.1 Siteminder
Siteminder User Directory (SUD) Instance A&C
The SUD instance will have the following Schema (Refer to Attached file 1.0 below)
A&C SUD Schema.zip
Attachment 1.0
Siteminder User Directory Instance Client

The SUD instance will have the following Schema (Refer Attached file 2.0 below)
Client SUD
Schema.zip
Attachment 2.0

Does not have any custom Schema Defined
3. Key Design Concepts
3.1 Functional Design

- System supports
o Authentication function
o Authorization function
o Audit functionality
- Information Flow:
o End user tries to access SSO protected application; the application redirects to Login page.
Credentials are provided on the login page to get the user authenticated and authorized.
o WAM Policy information is retrieved by Siteminder from Policy Store
o User Credential Information and associated information for authentication is retrieved by
Siteminder from User Store.
o Authentication and Authorization functions are performed and the user gets redirected to target /
expected application.
- Information Flow States:

o PoD State Information Flow: Information will be as described above within the existing data
center
o Interim State Information Flow:
SUD will be in replication with the old Datacenter.
Policy Store will be upgraded to R12.5 schema.
Siteminder will be in Integration ready state.
Applications will be integrated in phases with the Siteminder in the Interim state.
o Point Of Arrival State:
All of the Applications protected with Old Siteminder Infrastructure will be protected with
new Siteminder Infrastructure in new Data Center.
o Current State:
All the applications are protected with new Siteminder Infrastructure in new Data Center.
The above States of Information Flow is depicted in diagrams as below

3.1.1 Siteminder
IFD for Siteminder A&C - PoA
.
Information Flow Diagram Federation Manager A&C PoA
Information Flow Diagram Federation Manager Client PoA

3.2 Infrastructure Design
3.2.1 Siteminder E3 Logical Deployment Diagram

Siteminder will be deployed in the new data center as shown in the deployment diagrams below. It
has three distinct servers each for A&C and Client respectively; the servers are completely isolated
from each other.
A&C related Siteminder Functions will be provided by

a. Three physical servers
b. Each physical server will have Siteminder R 12.5 policy server instance connected to
SUD and Policy Stores on Directory Servers
c. Two Admin UI Servers as depicted in diagram will help administer the three Policy
Servers
Client related Siteminder Functions will be provided by

Servers
Please find below depicted diagrams that describe the Logical Deployment of Siteminder in client
and A&C in detail.
Logical Deployment Diagram of Siteminder A&Co

Logical Deployment Diagram of Siteminder Client : Figure 3.2.2

E2 environment will be created with the exact deployment configuration as that of E3. It will be
completely isolated from E3 Systems and will be a standalone self-sufficient environment that will
service all Siteminder Functions similar to Production Siteminder Infrastructure.
Siteminder will be deployed in the new data center as shown in the deployment diagrams below. It
has three distinct servers each for A&C and Client respectively; the servers are completely isolated
from each other.
A&C related Siteminder Functions will be provided by

Servers
Client related Siteminder Functions will be provided by

Servers
Please find below depicted diagrams that describe the Logical Deployment of Siteminder in client
and A&C in detail.
Same as those of E3
E1 environment will be created with similar deployment configuration as that of E2 but with
reduced capacity; E1 Siteminder env. will have Two Policy Servers
The Servers will be completely isolated from other Systems and will be a standalone self-
sufficient environment that will service all Siteminder Function similar to Production env.
A&C and Client will have independent E1 environment with the above characteristics
Logical Deployment Diagram of Siteminder for E1 A&C
Logical Deployment Diagram of Siteminder for E1 Client

3.2.4 Siteminder SAN Logical Deployment Diagram

For high availability a SAN topology as depicted in diagram is required
3.2.5 Federation Manager E3 Logical Deployment Diagram
Federation Manager will be deployed in the new data center as shown in the deployment diagrams
below. It has two distinct servers each for A&C and Client respectively; the servers are completely
isolated from each other.
A&C related Federation Manager Functions will be provided by

a. Two physical servers
b. Each physical server will have CA Federation Manager R 12.5 instance connected to
SUD and Policy Store on Oracle Database.
Client related Federation Manager Functions will be provided by

b. Each physical server will have Federation Manager R 12.5 policy server instance
connected to SUD and Policy Store on Oracle Database
Logical Deployment Diagram of Federation Manager A&C: Figure 3.2.7

Logical Deployment Diagram of Federation Manager Client: Figure 3.2.8

E2 environment will be created with the exact deployment configuration as that of E3. It will be
completely isolated from E3 Systems and will be a standalone self-sufficient environment that will
service all Federation Manager Functions similar to Production Federation Manager Infrastructure.
A&C related Federation Manager Functions will be provided by

b. Each physical server will have CA Federation Manager R 12.5 instance connected to
SUD and Policy Store on Oracle Database.
Client related Federation Manager Functions will be provided by

b. Each physical server will have Federation Manager R 12.5 policy server instance
connected to SUD and Policy Store on Oracle Database
Refer E3 Diagrams
E1 environment will be created with similar deployment configuration as that of E2 but with
reduced capacity; E1 Federation Manager env. will have Two Federation Manager Servers.
The servers will be completely isolated from other Systems and will be a standalone self-sufficient
environment that will service all Federation Manager Function similar to Production env.
Refer E3 Diagrams
3.2.8 Federation Manager SAN Logical Deployment Diagram

For high availability SAN, below deployment architecture is required
3.3 Performance Expectations
3.3.1 Siteminder
Performance
Peak load capacity (transaction/sec) handling for Auth-Az calls in new CA Siteminder r12.5 Policy
servers (per servers) should be same or better in comparison to old CA Siteminder r12.0 Policy
servers
Peak load sustenance (max load for delta time without impact to response) handling for Auth-Az
calls in new CA Siteminder r12.5 Policy servers (per servers) should be same or better in
comparison to old CA Siteminder r12.0 Policy servers
Compatibility
New CA Siteminder r12.5 Policy server instances should support new Web Agent r12.0
integrations
New CA Siteminder r12.5 Policy servers should be capable triggering/running Access
Management policies configured in old CA Siteminder r12.0 infrastructure as per existing design
New CA Siteminder r12.5 Admin server instances should be capable of creating and
administering new access management policies through Admin UI
New CA Siteminder r12.5 Policy servers should have capability of performing operations using
XPS-family of tools
New CA Siteminder r12.5 Policy servers should have capability of running Siteminder CLI API
based Perl scripts
Performance
Peak load capacity (transaction/sec) handling for Auth-Az calls in new CA Federation Manger R
12.5 Policy servers (per servers) should be same or better in comparison to old CA Federation
Manger R 12.5 in existing env.
Peak load sustenance (max load for delta time without impact to response) handling for Auth-Az
calls in new CA Federation Manger R 12.5 servers (per servers) should be same or better in
comparison to old CA Federation Manger R 12.5 servers
3.4 Application Security
Siteminder & Federation Manager Assets has gone through Information Security review and TIAs;
Systems built are to be aligned with AFI Security Standards with no open security exception. Migration will
be performed as-is; no changes in application security.
Module Specifications
N/A
4. Data Migration Strategy
4.1 Strategy
1. Siteminder
Below is the Data Migration Strategy that will be followed for the Siteminder Consuming Instances
SUD (A&C and Client) and Policy Store (A&C and Client).
Directory Server Instances will be built in the new env.

Using Directory Server Tool, Schema will be imported to the new instances from instances in
existing Directory Servers
Using Directory Server Tool, Data will be imported to the new instances from instances in existing
Directory Servers
Using Directory Server Control Center features, Replication (i.e. Synchronizing the schema and
data between two instances of same type) will be enabled between the old and new instances
Replication will be stopped on Policy Store instances before upgrading Siteminder schema to
R12.5
2. Federation Manager
Database Migration for Federation manager will be as per Ameriprise database Team process and
standards.
4.2 Data Migration Process Flow
Start
Schema Migrate Schema to instance

exported from created in new env.
old env.
Migrate Data from Old

Run Sync. Instances to new.
Processes
Data Files Enable Replication from Old

exported from to new Instances
old env.
End
Component Integration Strategy
4.3 Component List
Please refer to Section 2.2.3 above for Component List Inventory
4.4 Component Integration Sequence
Integration sequence of the different components is listed below.
Siteminder A&C :
Policy store data migration from old to new
Audit store data migration from old to new
Install Siteminder in the new server
Install Siteminder admin GUI
Configure siteminder instance with new policy store
Upgrade policy store schema
Upgrade audit store
Configure policy server instance with new policy store
Configure policy server instance with new audit store
Migrate User store ie. AFI directory in A&C
Enable replication between old user store and new user store
Configure user store in Siteminder admin GUI admin GUI pointing
to the new user store.
Siteminder Client :
Policy store data migration from old to new
Audit store data migration from old to new

Install siteminder in the new server
Install Siteminder admin GUI
Configure Siteminder instance with new policy store
Upgrade policy store schema
Upgrade audit store
Configure policy server instance with new policy store
Configure policy server instance with new audit store
Migrate User store ie. SUD in Client
Enable replication between old user store and new user store
Configure user store in Siteminder admin GUI admin GUI pointing
Federation Manager A&C :
Migrate Oracle policy store from old to new configuration
Install Federation Manager in new server
Install Federation Manager admin GUI
Configure Federation Manger instance with policy store
Configure Federation Manger instance with Audit store
Migrate User store ie. AFI directory
Configure user store AFI directory in the federation manager admin GUI pointing
to the new user store
Federation Manager Client :
Migrate Oracle policy store from old to new configuration
Install Federation Manager in new server
Install Federation Manager admin GUI
Configure Federation Manger instance with policy store

Configure Federation Manger instance with Audit store
Migrate User store ie. SUD in Client
Configure user store SUD in the federation manager admin GUI pointing
4.5 Component Integration Procedure
Detailed Component Integration Procedure will be compiled during the E build and will be published in
the Build Phase of the program.
5. OPERATIONAL CONTROLS
5.1 Startup and Shutdown

Application Support Manual will be included with the Startup and Shutdown procedure details and will be
handed over to Production Support team.
5.2 Audit and Recovery

Audit and recovery will be followed as per RPO (Recovery time objective) and RTO (Recovery point
objective) specifications of Ameriprise. DR Level 1. Please refer to DR level specifications for more details.
5.3 Restart
Please refer ASM (Application support manual) which will handover to production support group.
5.4 Backup Strategy
Siteminder:
SUD and User Store Schema and Data backups are taken with nightly jobs.
Backed up content will be retained for 3 days onsite and upto 1 year offsite
Federation Manager:
Data backup will be taken as per Ameriprise database backup procedure, for further references
please refer to DBA backup policy.
Tier 1 database backup policies and processes will be followed.
5.5 Fallback Strategy

Siteminder
Old and new Siteminder infrastructure will be run in parallel till the end of AITT project completion. On any
Issues with the new env. the applications can fall back on the old Siteminder infrastructure.
Federation Manager
Old federation manager infrastructure will be maintained for 60 days after migration, fallback will be to go
back to old environment. Any issues after 60 days needs forward fix in the new env.
5.6 Manual Procedures

1. This section will be updated after E1 implementation.
2. New Siteminder Policies configured will be named by <AITT_assetid_ApplicationName_objectname>.
5.7 Service Management Disciplines
Service Level Management:
Below are the SLA targets (as in the existing env.)
SLA for Siteminder Instances will be 2.18 sec for A&C env. with a load of 100 Concurrent
users.
SLA for Siteminder Instances will be 5.10 sec for A&C env. with a load of 100 Concurrent
users.
SLA for Federation Manager Instances in A&C env.
SLA for Federation Manager Instances in Client env.
Availability:
Availability target for Siteminder is 99.90 % (as in the existing env.)
Configuration Management:
CMDB will be updated at the end of each Phase of the Project
Release Management:
Please refer AITT Project Plan document for Release Management activities / steps.
Problem Management:
Service Now Tool will be used for Incident Management Process and tracking of Problems related
to the Project.
Change Management:
Service Now Tool will be used for Change Management Process; will be used for executing RFC
(Request for Change).
CEC: Contact the CEC SME
GSAM Support: Contact the CEC SME

6. Glossary of Terms
All the terms used in the application must be defined in a clear manner in the glossary. The objective of this is to
have in one place common and clear definitions of all the terms. In addition the glossary must contain the list of
allowed values for the term in one place.

AITT-IAM SDD Siteminder+FedMgr v1.0 - Updating

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

AITT-IAM SDD Siteminder+FedMgr v1.0 - Updating

Uploaded by

Copyright:

Available Formats

<Project Name> SSD Version <nn.

AITT Migration Project

System Design Document

Ameriprise Financial, Inc., 707 Second Ave South, Minneapolis, MN 55474

< JUNE, 2014>

Internal Use Only

DOCUMENT RELEASE NOTICE

Name Version No. Description Release Date

Only include revision details for current release

Approved by: Date:

Authorized by: Date:

DOCUMENT REVISION LIST

Purpose of this Document

This document will help in meeting the following needs:

Related Documents / References

Sr. No Document Title and Version No. Description

Acronyms and Abbreviations

Acronym/ Abbreviation Description

APPENDIX A: ERROR MESSAGES........................................................................................ 35

1.1Scope of the Logical Design

Below objectives are considered to be in scope for this project,

Upgrade I&AM Access Management to RHEL6 based CA

Out of Old and new I&AM Access Management environment intra-

Upgrade I&AM Access Management to RHEL6 based CA

1 All Phase 1 and Phase 3 work packets.

1.2 Design objectives and principles

1.3 Systems Architecture Overview

1. Point of Arrival State

1.3.2 Federation Manager A&C

1. Point of Arrival State

1.3.3 Federation Manager Client

1. Point of Arrival State

1.4 Hardware Environment

Hardware Requirement for Siteminder .

Component Parameter Value

Min 6 CPUs with 8 cores of 2.13 GHz each.

App Install - 40GB - Tier1b

Hardware Requirement for Federation Manager

Component Parameter Value

Min computing units equivalent to 2 CPUs with 6 cores of 2.70 GHz

Hard Disk App Install - 30GB - Tier1b

Logs - 60GB - Tier2

Others - 40GB - Tier2

and 2 in count for Client)

1.5 Software Environment

Software for the Siteminder and Federation Manager

1.6 Network Environment

1.7 Assumptions, Constraints and Dependencies

Assumpti Network connectivity between new and old infrastructure

TPD for Siteminder Client - Figure 2.1

TPD for Siteminder A&C - Figure 2.2

2.1.2 Federation Manager

TPD for Federation Manager Client

TPD for Federation Manager A&C

1.1 Use-Case Realizations

1.1.1 Use-Case Realizations Inventory

Siteminder Use Cases:

1 Admin accessing the Basic Flow

2 User Authentication & Basic Flow

SSO Federation Manager Use Cases:

1 User Authentication & Basic Flow

2.2 Application Architecture