CA Single Sign-On (CA SSO), The Innocent Bystander

You may be familiar with the refrain “I can’t login, it must be CA SSO that has failed”. In this presentation I will take a look at BT’s 13 years of experience running a CA SSO (formerly CA SiteMinder) infrastructure that supports 150,000 employees and 27M customers and their access to business-critical applications and customer services. The infrastructure must guarantee that someone can always login, even whilst doing upgrades, and it must deal with time-critical entertainment/broadcast events where we see sudden peaks in traffic jumping to thousands of transactions per second. During the presentation we will also review some of the lessons we have learnt over the 13 years and what we have done to improve our deployment of CA SSO.

For more information, please visit http://cainc.to/Nv2VOe


  1. CA Single Sign-On (CA SSO), The Innocent Bystander
     Alec Cartwright, Identity Services Architect, Security, BT PLC
     Session SCX14S, #CAWorld
  2. Terms of this Presentation
     © 2015 CA. All rights reserved. All trademarks referenced herein belong to their respective companies. The content provided in this CA World 2015 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA. For informational purposes only.
  3. Abstract
     You may be familiar with the refrain “I can’t login, it must be my single sign on that’s failed.” In this presentation I will take a look at BT’s experience of running a CA Single Sign-On (CA SSO) infrastructure: what we have done to reduce the chance of failures, and to quickly diagnose issues and get them to the right people who can fix them.
     Alec Cartwright, BT Identity Services Architect
  4. Agenda
     1. Where does BT use CA SSO
     2. How do we stay calm
     3. We can always get more
     4. Summary
  5. BT Overview
     Communication services and broadcaster
     • BT operates in 170 countries
     • Revenue 18 bn (£ GBP)
     User identities
     • 150,000 employees and partners
     • 27M+ online customers
  6. Where does BT use CA SSO (section title)
  7. Where is CA SSO Used
     450+ applications
     • Customer-facing portals
     • Internal applications
     50+ federations
     • Services behind customer products
     • Employee services
     Includes many critical to BT’s ability to trade; failures
     • Cost BT
     • Impact BT’s brand
  8. So When Things Go Wrong…
     It’s easy to blame CA SSO
  9. Availability Requirements
     Must always be available
     • 99.995% availability target
     • No scheduled downtime
     • There are some “very hot” times
     Transaction volumes
     • 30M transactions per day
     • Peaks of 7,000+ TPS
  10. How Do We Stay Calm (Coping with “I Can’t Login”) (section title)
  11. We Needed to…
     Architect CA SSO for maximum availability
     Know the health of the infrastructure
     Have processes that
     • Quickly identify issues
     • Send details to the people who can fix the problem
  12. Deployed For Resilience (section title)
  13. Policy Server – Local Resilience
     Single build for all policy servers
     Cluster of 3 policy servers
     Use web agent load balancing
     Service still resilient if one is lost
     Allows in-service upgrades
     (Diagram: application web server → web agent, load balancing across the policy servers)
  14. Policy Servers – Geographic Resilience
     Agent failover across all sites
     Be careful – don’t configure failover storms
     (Diagram: application web server → web agent, failing over across policy servers at Site 1 to Site 5)
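The failover-storm warning on slide 14, as an added toy model that is not CA SSO code and not the web agent's real failover algorithm (site names, the per-site capacity and the per-agent-group traffic figures are constructed for the illustration): each agent group sends its traffic to the first site in its own ordered failover list that is still up. When every agent group lists the sites in the same order, the loss of one site dumps all of its traffic on a single neighbour, which then exceeds capacity and fails in turn; rotating the order per site spreads the same failure across the estate.

```python
"""Toy model of web-agent failover ordering across policy-server sites.

Added illustration only: not CA SSO code and not the real agent algorithm.
Site names, capacities and traffic figures are constructed for the example.
"""
from collections import Counter

SITES = ["site1", "site2", "site3", "site4", "site5"]  # assumed site names
CAPACITY_TPS = 3000  # assumed capacity of one site's policy servers


def route_load(agent_groups, failed_sites):
    """Return {site: tps} once every agent group has failed over.

    agent_groups: list of (ordered failover list, tps) tuples.
    failed_sites: set of sites that are down. Traffic with nowhere left
    to go is reported under "unserved".
    """
    load = Counter()
    for order, tps in agent_groups:
        for site in order:
            if site not in failed_sites:
                load[site] += tps
                break
        else:
            load["unserved"] += tps
    return dict(load)


def overloaded(load, capacity=CAPACITY_TPS):
    """Sites carrying more than their capacity: the next ones to fall."""
    return sorted(s for s, tps in load.items()
                  if s != "unserved" and tps > capacity)


def cascade(agent_groups, initial_failure, capacity=CAPACITY_TPS):
    """Keep failing overloaded sites until the load settles; return the
    final set of failed sites. A storm is when one failure takes them all."""
    failed = set(initial_failure)
    while True:
        hot = overloaded(route_load(agent_groups, failed), capacity)
        if not hot:
            return failed
        failed.update(hot)


# Constructed scenario: five agent groups of 1,000 TPS each, one per site.
# Naive: every group lists the sites in the same order, so when site1
# fails all 5,000 TPS land on site2 (capacity 3,000) and it fails too.
NAIVE = [(list(SITES), 1000) for _ in SITES]

# Rotated: group i prefers site i and then walks the ring, so a failed
# site's traffic only doubles up on one neighbour (2,000 TPS, within capacity).
ROTATED = [(SITES[i:] + SITES[:i], 1000) for i in range(len(SITES))]

if __name__ == "__main__":
    for name, groups in (("naive", NAIVE), ("rotated", ROTATED)):
        print(name, "site1 down ->", route_load(groups, {"site1"}),
              "final failed:", sorted(cascade(groups, {"site1"})))
```

With the naive ordering the loss of site1 cascades through all five sites; with the rotated ordering only site1 is lost. Whatever the agent's actual failover settings look like, the check is the same: for each site you could lose, sum the traffic that would move and compare it with the capacity of where it would land.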
  15. We Need to Always Take Orders
     Split consumer / employee applications
     One will always be working
     Separate policy stores
  16. Other Stuff
     Components
     • Federation servers
     • Policy/Key/Session store database
     • Login servers
     • Admin servers
     • Load balancers and switches
  17. Monitor And Alert Everything (section title)
  18. Set Thresholds
     Levels: All is OK → WARNING (attention) → ALERT (it’s getting critical)
  19. Basic Monitoring
     CPU, memory, disk usage, processes
  20. Policy Servers
     OneView Monitor
     • Server Queue Length
     • Priority Queue Length
     Log files – watch for
     • “Connection Dead”
     • “Timeout Expired”
     • “Failed to connect to datasource”
     • “Unexpected Network Error”
     • “Wait Timeout. Code is”
     • “Delete of tombstone failed”
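Slides 18 and 20 together describe a simple detector: count the listed log strings over a window and map the count to OK / WARNING / ALERT, then send the detail to whoever owns the failing component. As an added example (not BT's or CA's monitoring code), the scanner below runs the slide's six strings over a handful of constructed log lines; the log-line layout, the threshold values and the team routing table are assumptions.

```python
"""Scan policy-server log lines for the failure strings on slide 20 and
grade the window against slide 18's thresholds.

Added example, not CA SSO or BT code. Log-line format, threshold values
and routing rules are assumptions for the illustration.
"""
import re
from collections import Counter

# The six strings from slide 20 ("Wait Timeout. Code is" is a prefix).
PATTERNS = [
    "Connection Dead",
    "Timeout Expired",
    "Failed to connect to datasource",
    "Unexpected Network Error",
    "Wait Timeout. Code is",
    "Delete of tombstone failed",
]
_PATTERN_RE = re.compile("|".join(re.escape(p) for p in PATTERNS))

# Assumed thresholds: hits per monitoring window (say five minutes).
WARNING_AT = 3
ALERT_AT = 10

# Assumed routing: which team gets paged for which symptom. Slide 16 lists
# the components; the mapping itself is ours, not BT's.
ROUTE = {
    "Failed to connect to datasource": "policy/key/session store DBAs",
    "Delete of tombstone failed": "policy/key/session store DBAs",
    "Unexpected Network Error": "network / load balancer team",
    "Connection Dead": "network / load balancer team",
    "Timeout Expired": "CA SSO team",
    "Wait Timeout. Code is": "CA SSO team",
}


def count_hits(lines):
    """Count each slide-20 string across an iterable of log lines."""
    counts = Counter()
    for line in lines:
        m = _PATTERN_RE.search(line)
        if m:
            counts[m.group(0)] += 1
    return counts


def classify(counts, warning_at=WARNING_AT, alert_at=ALERT_AT):
    """Map the window's total hit count to slide 18's three states."""
    total = sum(counts.values())
    if total >= alert_at:
        return "ALERT"
    if total >= warning_at:
        return "WARNING"
    return "OK"


def route(counts):
    """Teams to notify, most-hit symptom first, per the assumed ROUTE table."""
    teams = []
    for pattern, _ in counts.most_common():
        team = ROUTE[pattern]
        if team not in teams:
            teams.append(team)
    return teams


# Constructed sample log lines; the real policy-server log layout differs.
SAMPLE_LOG = """\
2015-11-18 09:00:01 [INFO] Policy server ready
2015-11-18 09:00:05 [ERROR] Failed to connect to datasource 'policystore'
2015-11-18 09:00:06 [ERROR] Failed to connect to datasource 'sessionstore'
2015-11-18 09:00:07 [ERROR] Wait Timeout. Code is 9
2015-11-18 09:00:09 [WARN] Connection Dead for agent webagent01
2015-11-18 09:00:10 [INFO] Agent webagent02 connected
"""


def scan(text):
    """Run the whole pipeline over one log window: (state, counts, teams)."""
    counts = count_hits(text.splitlines())
    return classify(counts), counts, route(counts)


if __name__ == "__main__":
    state, counts, teams = scan(SAMPLE_LOG)
    print(state, dict(counts), "->", ", ".join(teams))
```

On the constructed sample the four hits put the window in WARNING and the two datasource failures put the store DBAs first in the notification list. In practice the per-pattern counts are worth alerting on separately as well as in total: two datasource errors in a window say something different from two dead agent connections.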
  21. Routing Issues To The Right People (section title)
  22. Test Page
     On the CA SSO team’s own infrastructure
     Simple policy – a page protected for all users
     Confirms the infrastructure is working
     Helpdesk can walk users through access
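The test page on slide 22 can also be probed by script: an unauthenticated GET to a page protected for all users should be bounced to the login server, which shows that the web agent, a policy server and the policy store are all answering. As an added example (not BT's or CA's code), the probe below classifies the response. The URL and login host are placeholders, and the reading of the status codes is an assumption about standard web-agent behaviour: a redirect to the login form for a protected page with no session, HTTP 500 when the agent cannot reach a policy server, and a plain 200 when the page is not protected at all.

```python
"""Probe an SSO test page without a session and classify the response.

Added example, not BT's or CA's code. TEST_PAGE and LOGIN_HOST are
placeholders; the status-code interpretation is an assumption about how a
CA SSO web agent answers: 3xx to the login server = protected and working,
500 = agent cannot reach a policy server, 200 = page is not protected.
"""
import urllib.error
import urllib.request
from urllib.parse import urlparse

TEST_PAGE = "https://sso-test.example.com/protected/ping.html"  # assumed
LOGIN_HOST = "login.example.com"                                 # assumed

REDIRECTS = {301, 302, 303, 307, 308}


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Hand the 3xx back to the caller instead of following it, so the
    probe can inspect where the agent tried to send us."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, location, login_host=LOGIN_HOST):
    """Turn (HTTP status, Location header) into an OK/WARNING/ALERT verdict."""
    if status in REDIRECTS:
        target = urlparse(location or "").hostname
        if target == login_host:
            return "OK: protected page, agent and policy server answered"
        return f"WARNING: redirected to {target!r}, not the login server"
    if status == 200:
        return "ALERT: page served without login; policy missing or agent disabled"
    if status in (401, 403):
        return "WARNING: policy evaluated but access denied; check the test policy"
    if status in (500, 502, 503, 504):
        return f"ALERT: HTTP {status}; web agent cannot reach a policy server?"
    return f"ALERT: unexpected HTTP {status}"


def probe(url=TEST_PAGE, timeout=5):
    """Fetch the test page with no cookies and without following redirects."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify(resp.status, resp.headers.get("Location"))
    except urllib.error.HTTPError as e:  # urllib raises for 3xx/4xx/5xx here
        return classify(e.code, e.headers.get("Location"))
    except urllib.error.URLError as e:
        return f"ALERT: web server unreachable ({e.reason})"


if __name__ == "__main__":
    print(probe())
```

Run from a monitoring host on a schedule, the probe gives the helpdesk a current answer to "is SSO itself up?" before they walk a caller through the test page by hand; a redirect to somewhere other than the login host is worth a WARNING on its own, since that is what a misconfigured or hijacked agent would look like.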
  23. Know Your Infrastructure
  24. We Can Always Do More (section title)
  25. Review and Continuous Improvement
  26. More to Do
     CA APM being deployed
     • Improved level of monitoring
     • Identify baseline
     • Set alerts
     Deploy CA Directory
     • Improved policy store resilience
  27. Summary (section title)
  28. What We Have Achieved
     100% availability for the service
     We proactively warn about developing issues
     CA SSO is seen as the “Innocent Bystander”
  29. Leveraging the Experience
  30. Recommended Sessions
     SESSION # | TITLE | DATE/TIME
     SCT05S | Roadmap: CA Advanced Authentication and CA Single Sign-On | 11/18/2015 04:30 PM
     SCT30S | Panel: Securing you in the Cloud | 11/19/2015 02:00 PM
  31. Q & A
  32. For More Information
     To learn more, please visit: http://cainc.to/Nv2VOe
     CA World ’15
