At what stages in Identity Manager processing is the information encrypted?

Document ID : KB000052495
Last Modified Date : 14/02/2018

Description:

This article discusses the security and encryption options present at the various tiers of a standard Identity Manager enterprise architecture.

Solution:

Identity Manager can encrypt communications at every stage of the process, including the following:

  • Initial Credential Entry: Identity Manager provides functioning templates, which can mask sensitive data (e.g., passwords) during user entry.

  • Browser to Web Server: Data transmitted between the browser and the web agent is beyond the control of Identity Manager; SSL is recommended if encryption is required. The web agents can support no encryption, 40-bit encryption, or 128-bit encryption between the browser and the web server.

  • Internal Communications: Identity Manager encrypts all data and control information that is passed between its components. All traffic between the servers, agents, and user interface is encrypted over TCP. The encryption is done using RSA RC4 128-bit encryption, providing very strong confidentiality of all information passed between these components. In addition, communication between the server components and repositories can be done over SSL.

  • External Communications: Communication from the provisioning server to the managed target systems is typically agent-less and travels over secure channels, either provided by the managed namespace or over encrypted channels such as SSL.

  • User Stores: Identity Manager can encrypt sensitive user profile data (e.g., passwords, challenge/response answers) in the user store using RSA RC4 128-bit encryption, or leverage the native user store encryption. Identity Manager does encrypt its system and configuration data stored in the policy store using RSA RC4 128-bit encryption.

The following describes the point-to-point encryption employed throughout the CA Identity Manager solution:

  1. Browser to web server/portal - Data transmitted between the browser and the Web Agent is beyond the control of CA SiteMinder; SSL is recommended if encryption is required. SiteMinder can support 128-bit SSL encryption between the browser and the web server.

  2. Web agent to Identity Manager Application - Communication between the Web Agent and Identity Manager is encrypted using RSA RC4 128-bit encryption over a proprietary transport protocol, TLI.

  3. Identity Manager to Workflow Engine - Communication between Identity Manager and the Workflow Engine is encrypted.

  4. Identity Manager to SiteMinder Policy Server - Communication between Identity Manager and the Policy Server is encrypted using RSA RC4 128-bit encryption over a proprietary transport protocol, TLI.

  5. SiteMinder Policy Server to Provisioning Engine - Communication between the SiteMinder Policy Server and the Provisioning Engine is conducted via LDAP SSL.

  6. Provisioning Engine to Target Systems - Communication between the Provisioning Engine and the Identity / Provisioning stores is encrypted via LDAP SSL. Communication from the provisioning server to the target systems is typically agent-less and over secure channels, either provided by the managed namespace or over encrypted channels such as SSL.

  7. SiteMinder Policy Server to Identity / Policy Store - Communication between the SiteMinder Policy Server and the Identity / Policy Store can be transmitted over encrypted tunnels, if the user directory / database is SSL-enabled.
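Several of the hops above (browser to web server, policy server to the identity / policy store, server components to repositories) are only encrypted if the deployment actually configures SSL, so a practitioner auditing an installation wants a quick way to find hops whose connection strings still point at plaintext endpoints. The script below is an added example, not part of this article or of any CA tooling; it assumes the connection strings have been collected from the deployment's configuration in ordinary URL form (`http(s)://`, `ldap(s)://`, or JDBC URLs whose TLS parameters it recognises), and the hop names and sample URLs are constructed for illustration.

```python
"""Flag hops whose configured connection string does not establish TLS.

Added example for auditing an Identity Manager style deployment; the hop
names and URLs below are constructed samples, not values from a real system.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

TLS_SCHEMES = {"https", "ldaps"}
PLAIN_SCHEMES = {"http", "ldap"}
# JDBC driver parameters that request TLS (assumed common forms; drivers differ).
JDBC_TLS_PARAMS = {
    "ssl": {"true"},
    "encrypt": {"true"},
    "sslmode": {"require", "verify-ca", "verify-full"},
}


@dataclass
class Hop:
    name: str  # which hop of the architecture this connection string configures
    url: str   # connection string as found in the deployment's configuration


def _jdbc_params(url: str) -> Dict[str, str]:
    """Extract key=value parameters after the first '?' or ';' of a JDBC URL."""
    match = re.search(r"[?;](.*)$", url)
    params: Dict[str, str] = {}
    if match:
        for chunk in re.split(r"[;&]", match.group(1)):
            if "=" in chunk:
                key, value = chunk.split("=", 1)
                params[key.strip().lower()] = value.strip().lower()
    return params


def is_encrypted(url: str) -> Optional[bool]:
    """True if the string itself establishes TLS, False if it is plaintext,
    None if the string alone cannot decide (e.g. driver defaults apply)."""
    u = url.strip()
    if u.lower().startswith("jdbc:"):
        params = _jdbc_params(u)
        for key, accepted in JDBC_TLS_PARAMS.items():
            if params.get(key) in accepted:
                return True
        return None  # no explicit TLS parameter: depends on driver defaults
    scheme = urlsplit(u).scheme.lower()
    if scheme in TLS_SCHEMES:
        return True
    if scheme in PLAIN_SCHEMES:
        # Deliberately ignores the port: ldap://host:636 is still a plaintext
        # LDAP URL unless StartTLS is configured elsewhere.
        return False
    return None


def audit(hops: List[Hop]) -> Dict[str, str]:
    """Map each hop name to 'encrypted', 'plaintext' or 'unknown'."""
    verdicts: Dict[str, str] = {}
    for hop in hops:
        result = is_encrypted(hop.url)
        if result is True:
            verdicts[hop.name] = "encrypted"
        elif result is False:
            verdicts[hop.name] = "plaintext"
        else:
            verdicts[hop.name] = "unknown"
    return verdicts


# Constructed sample configuration, not taken from any real deployment.
SAMPLE_HOPS = [
    Hop("browser to web server", "http://idm.example.test/iam/im"),
    Hop("policy server to user store", "ldap://userdir.example.test:636"),
    Hop("provisioning engine to provisioning store", "ldaps://provdir.example.test:636"),
    Hop("identity manager to object store DB", "jdbc:postgresql://db.example.test/idm?ssl=true"),
    Hop("task persistence DB", "jdbc:oracle:thin:@db2.example.test:1521:orcl"),
]

if __name__ == "__main__":
    for hop_name, verdict in audit(SAMPLE_HOPS).items():
        print(f"{verdict:10} {hop_name}")
```

The 'unknown' verdict is deliberate: a JDBC URL without an explicit TLS parameter, or an `ldap://` URL that may rely on StartTLS, cannot be judged from the string alone and should be confirmed against the driver or directory configuration rather than assumed safe.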