Using Credential Collectors Between 4.x Type and Newer Type Agents

Older versions of the CA Single Sign-On agent objects used a security model that featured a shared secret that is stored on the Policy Server and in the WebAgent.conf file. These agents are named 4.x type agents. You can specify support for 4.x agent functions when creating an agent object in the Administrative UI. Later versions use a trusted host object on the Policy Server instead of the shared secret security model.
You can use credential collectors between 4.x type and later agents. This usage of credential collectors is named mixed mode. Additional configuration steps are required for mixed mode deployments.
Configure Credential Collectors in a Mixed Environment
From r6.x to the current release of the product, the credential collectors operate differently than the older 4.x type credential collectors do. 4.x type credential collectors placed a cookie in the browser of the user, and then redirected the user back to the original agent.
In the newer versions, the credential collector logs the user in to the Policy Server on behalf of the agent protecting the requested resource. Cookies are not used.
A credential collector requires the following information to log a user in:
  • The name of the agent protecting the requested resource.
  • The credentials that are supplied by the user.
To learn the Agent name, a credential collector uses the following process:
  1. Use the SMAGENTNAME query parameter that the original Agent adds to the query string of the URL as it redirects to the credential collector.
  2. If no Agent name is appended to the URL, use the mappings defined in the AgentName configuration parameter that is associated with the credential collector.
    Each mapping in the AgentName parameter specifies the name and IP address of a host using that collector for its protected resources.
  3. If no Agent name mappings are configured, use the fully qualified host name of the target URL as the Agent name. This behavior is enabled by the AgentNamesAreFQHostNames configuration parameter.
    This parameter is disabled by default; while it is disabled, the credential collector uses the value of the DefaultAgentName parameter as the Agent name.
Consider these implications before configuring credential collectors in a mixed environment.
Use FCCs and NTCs in a Mixed Environment
To process requests, the FCC and NTC rely on the user credentials and the name of the Web Agent that is protecting the requested resource. However, 4.x agents and third-party agents posting to the FCC and NTC do not pass the Agent name on the URL they send.
FCC Compatibility Mode
Use FCC Compatibility Mode to help FCCs and NTCs operate with 4.x Web Agents. Enable the FCCCompatMode agent configuration parameter (FCCCompatMode="Yes") so that an r5.x, r6.x, or current-version FCC/NTC can serve up forms for resources that are protected by 4.x agents or third-party applications.
FCCCompatMode was named 4xCompatMode in earlier releases. 4xCompatMode is still supported for backward compatibility purposes.
In compatibility mode, the Agent can handle forms and NTLM credential collection like a 4.x Agent. A form or NTLM credential cookie is written to the browser and the browser is redirected back to the Agent before logging in. This configuration permits the agents to interoperate.
If you use FCC Compatibility Mode, the user credentials are encrypted and sent back to the browser. The browser then passes the credentials to the web agent instead of immediately authenticating the user.
For traditional Web Agents, the FCCCompatMode parameter is enabled by default. Framework Agents have the FCCCompatMode parameter disabled by default.
When the FCCCompatMode parameter is set to No, compatibility with 4.x Agents is disabled. In a homogeneous product environment, set the value of the parameter to No.
  • Specify Agent name mappings (FCC only): If you disable backward compatibility, map the AgentName parameter to the name and IP address of each host using that FCC for its protected resources. Set up these mappings in the configuration settings of the FCC.
    Example mappings:
    myagent, 123.1.12.1
    myagent, www.sitea.com
  • Use Host Names as Agent Names (FCC only): If the first two options in the algorithm are not optimal, you can set the value of the AgentNamesAreFQHostNames parameter to Yes. This setting instructs the FCC to use the fully qualified host name in the target URL as the Agent name. For example, if the Target URL string includes:
    url?A=1&Target=http://www.nete.com/index.html
    the www.nete.com portion of the string serves as the Agent name.
    By default, this parameter is set to No. Consequently, the value of the DefaultAgentName parameter is used as the Agent name.
The following tables list guidelines for configuring r5.x, r6.x, current-version, and 4.x FCCs and NTCs, and describe how each behaves in a mixed environment. Note the following:
  • NTLM credential collectors can redirect users from non-IIS Web Servers to IIS Web Servers.
  • For framework Web Agents, refer only to the instructions where FCC compatibility mode is disabled.
r5.x, r6.x, 12.52, or the current version of the FCC Guidelines

Web Agent              | r5.x, r6.x, 12.52, or the current version of the FCC (FCC Compatibility Mode) | r5.x, r6.x, or the current version of the FCC (FCC Compatibility Mode Disabled)
r5.x, r6.x, or 12.52   | FCC issues a credential cookie. Certificate and Forms authentication is disabled. Certificate or Forms authentication is disabled. | FCC issues a session cookie. Certificate and Forms authentication works. Certificate or Forms authentication works.
4.x QMR 2/3/4 FCC Guidelines

Web Agent              | 4.x QMR 2/3/4 FCC
4.x QMR 5 or 4.x QMR 6 | Agent issues a credential cookie. Certificate and Forms authentication is disabled. Certificate or Forms authentication works.
r5.x, r6.x, or 12.52   | Agent issues a credential cookie. Certificate and Forms authentication is disabled. Certificate or Forms authentication works.
r5.x, r6.x, 12.52, or current version NTC Guidelines

Web Agent              | r5.x, r6.x, or the current version of the NTC (FCC Compatibility Mode) | r5.x, r6.x, or the current version of the NTC (FCC Compatibility Mode Disabled)
4.x QMR 5 or 4.x QMR 6 | NTC issues a credential cookie. | NTC issues a session cookie.
r5.x, r6.x, or 12.52   | NTC issues a credential cookie. | NTC issues a session cookie.
4.x QMR 2/3/4 NTC Guidelines

Web Agent              | 4.x QMR 2/3/4 NTC
4.x QMR 5 or 4.x QMR 6 | Agent issues a credential cookie.
r5.x, r6.x, or 12.52   | Agent issues a credential cookie.
Use SCCs in a Mixed Environment
To enable 4.x type Web Agents and r5.x, r6.x, or 12.52 SCCs to interoperate, do one of the following tasks:
  • Specify Agent name mappings: Map the AgentName parameter to the host name and IP address of each host using that SCC for its protected resources. Create these mappings in the agent configuration parameters of the SCC.
  • Use Host Names as Agent Names: If you do not specify Agent name mappings, you can set the AgentNamesAreFQHostNames parameter to Yes. This setting instructs the SCC to use the fully qualified host name in the target URL as the Agent name.
    For example, if the URL string is:
    url?A=1&Target=http://www.nete.com/index.html
    the www.nete.com portion of the Target string serves as the Agent name.
    By default, this parameter is set to No. Consequently, the value of the DefaultAgentName parameter is used as the Agent name.
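The Agent name resolution order from the numbered steps earlier on this page (SMAGENTNAME, then AgentName mappings, then AgentNamesAreFQHostNames, then DefaultAgentName), which both the FCC and the SCC bullets rely on, as an added Python example that is not product code or part of this documentation. The mapping entries, URLs, and the default agent name are constructed sample values; the example also falls through to the next step when mappings exist but none covers the target host, which is an assumption about collector behaviour.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample AgentName mappings ("agentname, host-or-ip"), as shown in the
# FCC bullet above; not taken from any real deployment.
AGENT_NAME_MAPPINGS = [
    "myagent, 123.1.12.1",
    "myagent, www.sitea.com",
]


def parse_agent_name_mappings(entries):
    """Turn 'agentname, host' lines into a {host: agentname} lookup."""
    mapping = {}
    for entry in entries:
        name, _, host = entry.partition(",")
        name, host = name.strip(), host.strip().lower()
        if name and host:
            mapping[host] = name
    return mapping


def target_host(collector_url):
    """Return the host of the Target= URL that the original agent appended, or None."""
    query = parse_qs(urlsplit(collector_url).query)
    target = query.get("Target", [None])[0]
    if not target:
        return None
    return urlsplit(target).hostname or None


def resolve_agent_name(collector_url, mapping_entries, fq_host_names=False,
                       default_agent_name="defaultagent"):
    """Resolve (agent_name, source) for a request that reached the collector.

    fq_host_names mirrors AgentNamesAreFQHostNames; default_agent_name mirrors
    DefaultAgentName (the value here is a constructed placeholder).
    """
    query = parse_qs(urlsplit(collector_url).query)
    # Step 1: the redirecting agent appended SMAGENTNAME to the query string.
    sm_agent_name = query.get("SMAGENTNAME", [None])[0]
    if sm_agent_name:
        return sm_agent_name, "SMAGENTNAME"
    # Step 2: look the target host up in the AgentName mappings.
    host = target_host(collector_url)
    mapping = parse_agent_name_mappings(mapping_entries)
    if host and host in mapping:
        return mapping[host], "AgentName"
    # Step 3: use the fully qualified host name only when the parameter is Yes.
    if fq_host_names and host:
        return host, "AgentNamesAreFQHostNames"
    # Fallback: parameter is No (the default), so DefaultAgentName is used.
    return default_agent_name, "DefaultAgentName"
```

A collector with neither SMAGENTNAME nor a matching mapping and AgentNamesAreFQHostNames left at No silently logs every such user in under DefaultAgentName, which is why the mappings or the FQ host name setting matter in a mixed environment.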
The following table shows how 4.x and r5.x, r6.x, or 12.52 Agents acting as SCCs operate in a mixed environment:

Web Agent Version      | 4.x QMR 2/3/4 SCC | r5.x, r6.x, or the current version of the SCC
4.x QMR 5 or 4.x QMR 6 | Agent issues an SSL credential cookie. Certificates cannot be collected without redirecting requests, even if the original connection from the browser to the server is over SSL. Create mappings in the AgentName parameter or set AgentNamesAreFQHostNames to Yes. | SCC issues a session cookie. Certificates cannot be collected without redirecting requests, even if the original connection from the browser to the server is over SSL.
r5.x, r6.x, or 12.52   | Agent issues an SSL credential cookie. Certificates can be collected without redirecting requests. | SCC issues a session cookie. Certificates can be collected without redirecting requests.