One of these things is not like the other… CA SiteMinder and Novell Access Manager

I thought I’d talk about the two Access Manager products I am familiar with. This is not a “who’s the better product” thread; they are both excellent products. If someone asked me to pick one, I would hem and haw until they forgot they asked.

As far as the user experience goes, I don’t think any user is going to care about the difference. The ones who will have the most influence are the folks paying the bills. I tell people, I am technical, not sales, so I am not going to comment there either.

What I can do is highlight some of the technical differences. These two products both protect very well, but do it very differently. Let’s start with a little background on the products. This won’t be too deep. If you want deep, go see the company web sites.

Novell Access Manager is built around a fortress philosophy. You put an appliance in front of your sites and nobody gets through unless you allow it. Appliances can be stacked for increased workloads, all protected by a cluster of administrative servers. The database that holds all the setup and access rules is eDirectory (no surprise there) and is self-contained. You do not need to use an existing eDirectory; rather, it uses one set up exclusively for Access Manager. User Stores can be just about anything: LDAP, AD, eDirectory, databases, whatever… Administration is via a customized version of iManager, the Novell Web Manager. I can build a basic version on two servers. I combine the Identity Server and Management Console on a single box, and use one additional server for the Access Gateway. In the last Access Manager project I was involved in, we had two Gateways in the DMZ for public access, two Gateways inside the firewall for private access, and a management cluster of two servers. Our User Store was the IDM LDAP instance. Protection methods are pretty much standard; just about any piece of any web site can be protected if you choose. Federation is supported… well, you get the picture. It protects your web resources well.

CA SiteMinder uses a distributed protection method. Agents do the guarding, controlled by policy servers that talk to external databases. The key difference here is that you are protecting the resources at the source. The Agents install on the Web/Application Servers. SiteMinder does not bring along any data storage. You have a number of “Stores” involved: Policy Store, User Store, Admin User Store, Token Store, Certificate Store… (did I forget any?) These can be a number of different database types. LDAP and SQL are the most recognizable. Most of the common SQL servers are supported. I cannot claim to have worked with all types of web servers, but I have yet to find one that does not support a SiteMinder Agent. One point I might add: when choosing an agent, pay attention to the Web Server build (32- vs 64-bit), not the OS build. I did have one site that was running 32-bit Apache on 64-bit Solaris and, oops, installed the wrong agent 🙁 With SiteMinder R12 you also have an AdminUI server that requires an App server. It comes with JBoss, and I typically will install it on the Policy Servers. They play real well together.
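One way to check the web server build before picking an agent, as an added example that is not part of the original post: it reads the ELF header of the server binary itself instead of trusting the OS build. The function names `elf_class` and `agent_build` are hypothetical, and it assumes the server binary is an ELF executable (as on Solaris and Linux).

```shell
#!/bin/sh
# Added example: report whether a web server binary is a 32- or 64-bit
# ELF executable, so the agent build can be matched to the server
# build rather than to the OS build.

# elf_class FILE -> prints 32 or 64; returns 1 if FILE is not ELF.
elf_class() {
    # Bytes 0-3 are the ELF magic (0x7f 'E' 'L' 'F'); byte 4 is
    # EI_CLASS: 1 = 32-bit object, 2 = 64-bit object.
    hdr=$(od -An -tx1 -N5 "$1" 2>/dev/null | tr -d ' \n')
    case "$hdr" in
        7f454c4601) echo 32 ;;
        7f454c4602) echo 64 ;;
        *) return 1 ;;
    esac
}

# agent_build FILE -> prints the agent bitness that matches FILE.
agent_build() {
    class=$(elf_class "$1") || {
        echo "not an ELF binary: $1" >&2
        return 1
    }
    echo "${class}-bit"
}

# Stand-alone use: pass the path to the web server binary, for
# example the httpd executable (the path is supplied by the operator).
if [ "$#" -gt 0 ]; then
    build=$(agent_build "$1") || exit 1
    # The OS word size is shown for contrast only; it does not decide
    # which agent to install.
    os_bits=$(getconf LONG_BIT 2>/dev/null || echo unknown)
    echo "OS word size:      ${os_bits}-bit"
    echo "Web server binary: ${build} (install the agent matching this)"
fi
```

A wrapper script or symlink is not an ELF file, so point the check at the real server executable.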

This was not intended to be a feature-by-feature comparison. I won’t tell you which product is right for you. Only you can decide that. I will put in a shameless plug for IDMWorks: we can help you decide, analyze your needs, examine how your business works, and help you decide the best way to protect your web assets.