Professional Documents
Culture Documents
AITT-IAM SDD Siteminder+FedMgr v1.0 - Updating
AITT-IAM SDD Siteminder+FedMgr v1.0 - Updating
rr>
Warning
This is a hard copy of a document maintained on electronic media. It may not be the latest version. Kindly
ascertain the latest version from the Document Master List available with the Project Manager .
System Design Document Template SSD Version <nn.rr>
Document Details
Revision Details
This document and any revised pages are subject to document control. Please keep them up-to-date using the
release notices from the distributor of the document.
Revision Revision Section Page Revision Change type Rationale for change
No. Date No. No. Description (add/modify/
(mm/dd/yyyy) delete)
System Design Document Template SSD Version <nn.rr>
PREFACE
This document details the System Design of the Siteminder Client, Siteminder A&C, Federation Manager
Client and Federation Manager A&C. This is the main deliverable in the Design phase and describes the
overall system specification in terms of user interface, processes, data flows, and internal and external linkages.
Intended Audience
This document is intended for use by the designers and developers of the system. It also includes anyone who
will read or contribute to this document such as the project owner, sponsor, project team, support groups,
MEPG and EQAG,
The following documents have been referred for preparation of this SDD document.
The following acronyms and abbreviations have been used in this document.
CONTENTS
1. INTRODUCTION.................................................................................................................. 7
1.1 SCOPE OF THE LOGICAL DESIGN......................................................................................... 7
1.2 DESIGN OBJECTIVES AND PRINCIPLES..................................................................................8
1.3 SYSTEMS ARCHITECTURE OVERVIEW...................................................................................9
1.4 HARDWARE ENVIRONMENT.................................................................................................. 9
1.5 SOFTWARE ENVIRONMENT................................................................................................ 10
1.6 NETWORK ENVIRONMENT.................................................................................................. 10
1.7 ASSUMPTIONS, CONSTRAINTS AND DEPENDENCIES............................................................10
2. SYSTEMS ARCHITECTURE............................................................................................. 11
2.1 USE-CASE REALIZATIONS.................................................................................................. 11
2.1.1 Use-Case Realizations Inventory............................................................................11
2.2 APPLICATION ARCHITECTURE.............................................................................................15
2.2.1 Architecture Layering Overview..............................................................................15
2.2.2 <Layer Name>........................................................................................................ 16
2.2.3 Component Module Inventory.................................................................................18
2.3 HIGH-LEVEL DATA MODEL................................................................................................. 18
3. KEY DESIGN CONCEPTS................................................................................................19
3.1 FUNCTIONAL DESIGN........................................................................................................ 19
3.2 INFRASTRUCTURE DESIGN................................................................................................. 19
3.3 PERFORMANCE EXPECTATIONS..........................................................................................19
3.4 APPLICATION SECURITY.................................................................................................... 19
4. MODULE SPECIFICATIONS.............................................................................................20
4.1 <MODULE NAME>............................................................................................................. 20
4.1.1 Purpose and Functionality.......................................................................................20
4.1.2 Public Interfaces..................................................................................................... 20
4.1.3 Design..................................................................................................................... 21
4.1.4 Operational Procedures / Batch Processes............................................................28
4.1.5 Quality Attributes..................................................................................................... 28
5. DATA MIGRATION STRATEGY........................................................................................29
5.1 STRATEGY........................................................................................................................ 29
5.2 DATA MIGRATION PROCESS FLOW.....................................................................................29
6. COMPONENT INTEGRATION STRATEGY......................................................................30
6.1 COMPONENT LIST............................................................................................................. 30
6.2 COMPONENT INTEGRATION SEQUENCE..............................................................................30
6.3 COMPONENT INTEGRATION PROCEDURE............................................................................30
7. OPERATIONAL CONTROLS............................................................................................31
7.1 STARTUP AND SHUTDOWN................................................................................................. 31
7.2 AUDIT AND RECOVERY...................................................................................................... 31
7.3 RESTART.......................................................................................................................... 31
7.4 BACKUP STRATEGY.......................................................................................................... 31
7.5 FALLBACK STRATEGY........................................................................................................ 31
7.6 MANUAL PROCEDURES..................................................................................................... 31
7.7 SERVICE MANAGEMENT DISCIPLINES.................................................................................31
8. GLOSSARY OF TERMS.................................................................................................... 33
Introduction
As part of AFIs technology infrastructure migration from AFI data center in Minneapolis to IBM
data center in Saint Louis.
This Program encompasses analysis, designing, building, testing, and implementation for
migration of I&AM utilities to the new environment at IBMs Saint Louis data center.
The scope of the project involves detailed Analysis, Design and Development of a computer based
solution.
Siteminder
Federation manager
Migrate all Identity and Access Management assets to the new environment with minimal or no impact to
availability, in a better, faster and cost efficient way.
Below diagrams provide the Architecture Overview of the Siteminder and Federation Services for A&C
and Client Environment. The Siteminder and Federation Services program traverses three distinct states
for each of A&C and Client Environment.
1.3.1 Siteminder
After all applications consuming the Siteminder are migrated to the new environment, legacy
system will be decommissioned and only the Siteminder System built in the new data center
will support all Authentication, Authorization and Auditing Services functions.
The PoA System provides Standalone environment for Siteminder Services with 3 Policy
Servers each and one Admin Server each for A&C and Client.
System Design Document Template SSD Version <nn.rr>
After all applications consuming the Federation Manager are migrated to the new environment,
legacy system will be decommissioned.
Only the Federation System built in the new data center will support all Authentication,
Authorization and Auditing Services functions for Federation Integrated Applications.
After all applications consuming the Client Federation Manager are migrated to the new
environment and legacy system will be decommissioned.
Only the Federation Client System built in the new data center will support all Authentication,
Authorization and Auditing Services functions for Federation Integrated Applications.
System Design Document Template SSD Version <nn.rr>
System Design Document Template SSD Version <nn.rr>
There are 3 policy servers and 1 admin server each for A&C and Client.
252 GB
Memory/RAM
Admin servers
(1 in count for A&C and 1 in count for Client)
Min 8 GB
Memory/RAM
DB
Federation Manager policy store Data Base
RHEL 6.0
Oracle Directory Server Enterprise Edition (ODSEE) 11g (ODSEE 11.1.1.5) for RHEL 5.0
Siteminder 12.5 SP3 CR04
Audit DB
Federation ManageR 12.5
applicable.
1 Delivery of Access management servers by IBM.
CA Support required for any compatibility/performance
2 issues.
Up gradation of Policy Store schema from R12 to R12.5
3 schema.
Dependen
cies AITT Dev team will be provided access to E1 dev server
4 for deploying apps.
AITT Dev team will be provided access to E2 and E3
5 servers for validation of the servers.
Dependency of DBA team for the delivery of Oracle
6 Database instances.
System Design Document Template SSD Version <nn.rr>
2. Systems Architecture
2.1.1 Siteminder
Please find attached below diagram that gives system Architectural overview.
Siteminder with components below will be populated with data in the new Data Center.
Siteminder policy server R 12.5 installed on 3 dedicated physical servers each for A&C and
Client.
Siteminder admin UI instance is installed on dedicated physical servers separate for A&C and
Client.
Siteminder Audit Store instances on 3 Oracle 11g RAC nodes each for A&C and Client.
Siteminder Policy Server will consume,
o Policy Store LDAP Directory Server instances deployed on 3 physical directory servers
each for A&C and Client.
o SUD LDAP Directory Server instances deployed on 3 physical directory servers each for
A&C and Client.
Below Technological Placement Diagrams depict the Siteminder client and A&C architecture in
detail.
Federation Manger policy instance on 2 physical servers will be deployed each for A&C and
Client.
Federation Manager policy store database shared instances on Oracle 11g RAC each for A&C
and Client.
Below Technology Placement Diagrams depict the Federation Manager A&C and Client architecture
in detail.
System Design Document Template SSD Version <nn.rr>
Alternate flow#1
If the credentials provided by the admin user are incorrect, the user will be
thrown Incorrect User/Password Error message screen.
Alternate flow#2
If the user is unauthorized to access the application, user will be thrown
Unauthorized Error message screen.
Alternate flow#3
If the SSO components are down, then the user will be thrown Service Down
Error Message.
Alternate flow#1
If the credentials provided by the user are incorrect, the user will be thrown
Incorrect User/Password Error message screen.
Alternate flow#2
If the user is unauthorized to access the application, user will be thrown
Unauthorized Error message screen.
Alternate flow#3
If the SSO components are down, then the user will be thrown Service Down
Error Message.
System Design Document Template SSD Version <nn.rr>
Alternate flow#1
If the credentials provided by the user are incorrect, the user will be
thrown Incorrect User/Password Error message screen.
Alternate flow#2
If the user is unauthorized to access the application, user will be thrown
Unauthorized Error message screen.
Alternate flow#3
If the SSO components are down, then the user will be thrown Service
Down Error Message..
System Design Document Template SSD Version <nn.rr>
2.3.1 Siteminder
The SUD instance will have the following Schema (Refer to Attached file 1.0 below)
Attachment 1.0
Client SUD
Schema.zip
Attachment 2.0
- Information Flow:
o End user tries to access SSO protected application; the application redirects to Login page.
Credentials are provided on the login page to get the user authenticated and authorized.
o WAM Policy information is retrieved by Siteminder from Policy Store
o User Credential Information and associated information for authentication is retrieved by
Siteminder from User Store.
o Authentication and Authorization functions are performed and the user gets redirected to target /
expected application.
3.1.1 Siteminder
.
System Design Document Template SSD Version <nn.rr>
Siteminder will be deployed in the new data center as shown in the deployment diagrams below. It
has three distinct servers each for A&C and Client respectively; the servers are completely isolated
from each other.
Please find below depicted diagrams that describe the Logical Deployment of Siteminder in client
and A&C in detail.
E2 environment will be created with the exact deployment configuration as that of E3. It will be
completely isolated from E3 Systems and will be a standalone self-sufficient environment that will
service all Siteminder Functions similar to Production Siteminder Infrastructure.
Siteminder will be deployed in the new data center as shown in the deployment diagrams below. It
has three distinct servers each for A&C and Client respectively; the servers are completely isolated
from each other.
Please find below depicted diagrams that describe the Logical Deployment of Siteminder in client
and A&C in detail.
Same as those of E3
E1 environment will be created with similar deployment configuration as that of E2 but with
reduced capacity; E1 Siteminder env. will have Two Policy Servers
The Servers will be completely isolated from other Systems and will be a standalone self-
sufficient environment that will service all Siteminder Function similar to Production env.
A&C and Client will have independent E1 environment with the above characteristics
System Design Document Template SSD Version <nn.rr>
Federation Manager will be deployed in the new data center as shown in the deployment diagrams
below. It has two distinct servers each for A&C and Client respectively; the servers are completely
isolated from each other.
E2 environment will be created with the exact deployment configuration as that of E3. It will be
completely isolated from E3 Systems and will be a standalone self-sufficient environment that will
service all Federation Manager Functions similar to Production Federation Manager Infrastructure.
Refer E3 Diagrams
E1 environment will be created with similar deployment configuration as that of E2 but with
reduced capacity; E1 Federation Manager env. will have Two Federation Manager Servers.
The servers will be completely isolated from other Systems and will be a standalone self-sufficient
environment that will service all Federation Manager Function similar to Production env.
Refer E3 Diagrams
System Design Document Template SSD Version <nn.rr>
3.3.1 Siteminder
Performance
Peak load capacity (transaction/sec) handling for Auth-Az calls in new CA Siteminder r12.5 Policy
servers (per servers) should be same or better in comparison to old CA Siteminder r12.0 Policy
servers
Peak load sustenance (max load for delta time without impact to response) handling for Auth-Az
calls in new CA Siteminder r12.5 Policy servers (per servers) should be same or better in
comparison to old CA Siteminder r12.0 Policy servers
Compatibility
New CA Siteminder r12.5 Policy server instances should support new Web Agent r12.0
integrations
New CA Siteminder r12.5 Policy servers should be capable triggering/running Access
Management policies configured in old CA Siteminder r12.0 infrastructure as per existing design
New CA Siteminder r12.5 Admin server instances should be capable of creating and
administering new access management policies through Admin UI
New CA Siteminder r12.5 Policy servers should have capability of performing operations using
XPS-family of tools
New CA Siteminder r12.5 Policy servers should have capability of running Siteminder CLI API
based Perl scripts
Performance
Peak load capacity (transaction/sec) handling for Auth-Az calls in new CA Federation Manger R
12.5 Policy servers (per servers) should be same or better in comparison to old CA Federation
Manger R 12.5 in existing env.
Peak load sustenance (max load for delta time without impact to response) handling for Auth-Az
calls in new CA Federation Manger R 12.5 servers (per servers) should be same or better in
comparison to old CA Federation Manger R 12.5 servers
Siteminder & Federation Manager Assets has gone through Information Security review and TIAs;
Systems built are to be aligned with AFI Security Standards with no open security exception. Migration will
be performed as-is; no changes in application security.
System Design Document Template SSD Version <nn.rr>
Module Specifications
N/A
System Design Document Template SSD Version <nn.rr>
4.1 Strategy
1. Siteminder
Below is the Data Migration Strategy that will be followed for the Siteminder Consuming Instances
SUD (A&C and Client) and Policy Store (A&C and Client).
2. Federation Manager
Database Migration for Federation manager will be as per Ameriprise database Team process and
standards.
System Design Document Template SSD Version <nn.rr>
Start
End
System Design Document Template SSD Version <nn.rr>
Siteminder A&C :
Enable replication between old user store and new user store
Siteminder Client :
Enable replication between old user store and new user store
Configure user store AFI directory in the federation manager admin GUI pointing
Configure user store SUD in the federation manager admin GUI pointing
Detailed Component Integration Procedure will be compiled during the E build and will be published in
the Build Phase of the program.
System Design Document Template SSD Version <nn.rr>
5. OPERATIONAL CONTROLS
5.3 Restart
Please refer ASM (Application support manual) which will handover to production support group.
Siteminder:
SUD and User Store Schema and Data backups are taken with nightly jobs.
Backed up content will be retained for 3 days onsite and upto 1 year offsite
Federation Manager:
Data backup will be taken as per Ameriprise database backup procedure, for further references
please refer to DBA backup policy.
Tier 1 database backup policies and processes will be followed.
Old and new Siteminder infrastructure will be run in parallel till the end of AITT project completion. On any
Issues with the new env. the applications can fall back on the old Siteminder infrastructure.
Federation Manager
Old federation manager infrastructure will be maintained for 60 days after migration, fallback will be to go
back to old environment. Any issues after 60 days needs forward fix in the new env.
SLA for Siteminder Instances will be 2.18 sec for A&C env. with a load of 100 Concurrent
users.
SLA for Siteminder Instances will be 5.10 sec for A&C env. with a load of 100 Concurrent
users.
SLA for Federation Manager Instances in A&C env.
SLA for Federation Manager Instances in Client env.
Availability:
Configuration Management:
Release Management:
Please refer AITT Project Plan document for Release Management activities / steps.
Problem Management:
Service Now Tool will be used for Incident Management Process and tracking of Problems related
to the Project.
Change Management:
Service Now Tool will be used for Change Management Process; will be used for executing RFC
(Request for Change).
6. Glossary of Terms
All the terms used in the application must be defined in a clear manner in the glossary. The objective of this is to
have in one place common and clear definitions of all the terms. In addition the glossary must contain the list of
allowed values for the term in one place.