Enhance your CA SiteMinder with the Ezio Server - … your CA SiteMinder with the Ezio Server For...

Date post: 08-May-2018
Upload: truongquynh
Enhance your CA SiteMinder with the Ezio Server

For comprehensive protection of online sessions and data, enhance the CA SiteMinder solution to include Gemalto’s security features using multi-factor authentication with End-to-End (E2E) encryption of passwords and One Time Passwords (OTPs).

Overview

Online businesses worldwide are struggling to protect their sensitive data against constantly evolving security breaches. Yet more and more businesses are deploying web and mobile based applications to tap into the new growth opportunities in these channels. These businesses need a secure and unified online system that allows their users to sign on once to access all of their online applications spread across a complex network of servers, applications, portals and security domains, without any compromise in security.

CA SiteMinder provides a highly secure Single Sign On (SSO) and flexible access management solution that enables users to access their online applications and web services, available on-premises, in the cloud and on partner portals, with a secure single sign-on. But users typically log on using just their username and static password. This makes them vulnerable to a wide variety of phishing, pharming and cryptographic replay attacks. By integrating the Gemalto Ezio Server with CA SiteMinder, you can enhance the protection of sensitive data through Two-Factor Authentication (2FA) and E2E encryption of passwords or OTPs.

With 2FA, the user provides two or more of the three means of identification (factors) for authentication. These factors are:

> A knowledge factor - something the user knows, for example, a static password or PIN

> A possession factor - generated from something that the user has, for example, a hardware or software token device

> An inherence factor - something the user is, for example, a biometric fingerprint

When a user tries to access an online service or system, he is required to enter both the first factor (static password) and the second factor (for example, an OTP from a token) for validation. The Ezio Server validates the user using both factors and if successful, allows access to the requested resource or system.

With E2E encryption, the Ezio Server encrypts the password entered during the login session at the end-user browser. This encrypted password is only decrypted and verified in a FIPS-certified tamper-resistant Hardware Security Module (HSM) within the Ezio Server. The clear password is never exposed during transit, and all sensitive data remains encrypted from its point of entry to the final destination.

Features and benefits

The Ezio Server, in combination with SiteMinder, offers a strong Identity Access Management solution that extends the core capabilities of CA SiteMinder with add-on security measures using multi-factor authentication with End-to-End (E2E) encryption of passwords and OTPs. The combined solution provides strong, secure, and seamless Single Sign On (SSO), Federation, and access management to applications spread across a wide array of web servers, domains and diverse applications.

The Ezio Server is a multi-factor and token-agnostic server that supports almost all kinds of authentication methods and tokens, offering freedom of choice to customers in selecting the most appropriate authentication method for their use. When combined with SiteMinder, it allows customers to mix and match different authentication technologies such as OATH, VASCO, RSA and EMV with different kinds of tokens to suit different use-cases in their business setup.

The Ezio Server can be fitted with a tamper-resistant FIPS-certified 140-2 L3 Hardware Security Module (HSM) for secure storage of master keys and cryptographic operations. This makes it possible to protect the passwords using E2E and comply with many government and industry-specific regulations.

The Ezio Server protects current investments by integrating easily with SiteMinder using a new authentication type with an authentication scheme. This authentication scheme calls the Ezio Server directly for authentication and password authentication using relevant API calls.

How it works

The Ezio Server can be integrated with SiteMinder for multi-factor authentication with E2E encryption through the installation of the Authentication Scheme provided by Gemalto.

The Authentication Scheme is an HTML form-based scheme supported on both version 6 and 12 of SiteMinder, which communicates with the Ezio Server through two-way RMI-SSL for authentication. It also supports load distribution and a failback mechanism to an Ezio Server cluster.

When a user tries to log in or request a resource protected by the Gemalto Authentication Scheme, the SiteMinder Web Server displays a login page on the user’s browser to collect the user credentials, for example, user ID, password and OTP. When the user enters the required credentials on the login page, the credentials are authenticated against the Ezio Server using the Authentication Scheme.

If the login page is configured for E2E, the JavaScript embedded in the login page first performs an encryption of the password and/or OTP from the user’s browser, and then sends these credentials to the SiteMinder Web Server for processing. The Web Agent sends the request to the Policy Server, which then validates the user credentials against the Ezio Server using the Authentication Scheme. If the user credentials are successfully authenticated, the Web Server redirects the user to the requested resource, or sends an appropriate response.
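The E2E flow described above can be sketched as follows. This is an added illustration, not Gemalto's or CA's code: it runs under Node.js, with Node standing in for both the login-page script and the HSM. RSA-OAEP, the server-issued nonce, the scrypt verifier and all function names (`makeHsm`, `encryptCredential`, `relay`, `hashSecret`) are assumptions chosen to show why the intermediate tiers see only ciphertext and why a captured login blob cannot be replayed.

```javascript
// Added illustration, run under Node.js. RSA-OAEP, the nonce and scrypt are
// assumptions for this sketch, not the Ezio Server's documented scheme.
const nodeCrypto = require("node:crypto");
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// Stored verifier: a salted scrypt hash, so the back end holds no clear password.
function hashSecret(secret, salt) {
  return nodeCrypto.scryptSync(secret, salt, 32);
}

// Stand-in for the HSM boundary: the private key is only reachable via verify().
function makeHsm() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const outstanding = new Set(); // nonces issued and not yet consumed
  return {
    publicKey,
    issueNonce() {
      const nonce = nodeCrypto.randomBytes(16).toString("hex");
      outstanding.add(nonce);
      return nonce;
    },
    verify(blobB64, salt, storedHash) {
      let msg;
      try {
        const plain = nodeCrypto.privateDecrypt({ key: privateKey, ...OAEP }, Buffer.from(blobB64, "base64"));
        msg = JSON.parse(plain.toString("utf8"));
      } catch {
        return false; // not a valid ciphertext for this key
      }
      if (!msg || !outstanding.delete(msg.nonce)) return false; // unknown or replayed nonce
      return nodeCrypto.timingSafeEqual(hashSecret(String(msg.secret), salt), storedHash);
    },
  };
}

// Login-page side: encrypt password or OTP together with the nonce before posting.
function encryptCredential(publicKey, nonce, secret) {
  const plain = Buffer.from(JSON.stringify({ nonce, secret }), "utf8");
  return nodeCrypto.publicEncrypt({ key: publicKey, ...OAEP }, plain).toString("base64");
}

// Web agent and policy server: forward the opaque field, never the clear value.
function relay(formField) {
  return formField;
}
```

Because each nonce is consumed on first use, a ciphertext captured between the browser and the server fails verification when submitted a second time.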

The Ezio Server can also be used for Step-up authentication. Whenever an application requires a re-validation of the user, the SiteMinder Step-Up authentication mechanism redirects the additional details, for example OTP, to the Ezio Server for authentication.

The Ezio Server is a leading cost-effective authentication solution that authenticates millions of users every day, authorizes remote access and transactions, and protects confidential data from fraudulent attacks.

Integrated with the existing SiteMinder solution, it extends the core capabilities of the SiteMinder to provide unprecedented levels of security to our mutual customers. For detailed information about the Ezio Server, or how it can help secure your confidential data or access control, contact [email protected].

[Figure: Multi-factor authentication with the Ezio Server. Network zones: Internet, DMZ, Intranet. Components: user login to SiteMinder; web server with CA web agent; CA SiteMinder policy server with authentication scheme installed; Ezio Server.]

GEMALTO.COM/EBANKING

About Gemalto

Gemalto is the world leader in digital security with pro-forma 2012 annual revenues of €2.2 billion and more than 10,000 employees, including 1,700 Research & Development engineers.

Gemalto eBanking is a global and trusted partner for financial services and retail institutions. To date, Gemalto has designed, manufactured and rolled-out over 70 million eBanking devices and solutions to banks' customers worldwide. Solutions that are part of the Gemalto online banking suite – the Ezio Suite.

Gemalto's Ezio Suite brings together a unique authentication server, plug-in modules and a range of authentication devices. Common characteristics of Gemalto’s Ezio Suite of online banking solutions and services include scalability, flexibility, modularity and ease of implementation, that are designed to be future-proof, supporting seamless upgrades and the introduction of new products and services by banks. An approach strengthened by the Ezio Server, a multi-channel, multi-token and vendor-agnostic authentication solution that supports all forms of authentication technologies.
