<Project Name> SSD Version <nn.

rr>

AITT Migration Project

Document Author: I&AM Delivery Team
Project ID: <ClarityId>

System Design Document

Version 0.6

Ameriprise Financial, Inc., 707 Second Ave South, Minneapolis, MN 55474

This document based on AQMS V5.01

< Jan, 2013>

Internal Use Only

1
System Design Document Template SSD Version <nn.rr>

Warning
This is a hard copy of a document maintained on electronic media. It may not be the latest version. Kindly
ascertain the latest version from the Document Master List available with the Project Manager .
System Design Document Template SSD Version <nn.rr>

DOCUMENT RELEASE NOTICE

Document Details

Name Version No. Description Release Date

System Design <nn.rr> System Design
Document (SDD) Document for <Project
Name>

Revision Details

Only include revision details for current release

Revision Revision Section Page Revision Change type Rationale for
No. Date No. No. Description (add / change
(mm/dd/yyyy) modify /
delete)

This document and any revised pages are subject to document control. Please keep them up-to-date using the
release notices from the distributor of the document.

Approved by: Date:

Authorized by: Date:

System Design Document Template SSD Version <nn.rr>

DOCUMENT REVISION LIST

Customer Name & Dept. :
Document Name :
Project :
Project ID :

Revision Revision Section Page Revision Change type Rationale for change
No. Date No. No. Description (add/modify/
(mm/dd/yyyy) delete)
System Design Document Template SSD Version <nn.rr>

PREFACE

Purpose of this Document

This document details the System Design of the Siteminder Client, Siteminder A&C, Federation Manager
Client and Federation Manager A&C. This is the main deliverable in the Design phase and describes the
overall system specification in terms of user interface, processes, data flows, and internal and external linkages.

This document will help in meeting the following needs:

To translate the system requirement specifications into design specifications which will be used to
develop the application
To serve as the basis for mutual understanding between the designer and the developer.
To provide a basis for the detailed design, construction and acceptance testing for the application

Intended Audience

This document is intended for use by the designers and developers of the system. It also includes anyone who
will read or contribute to this document such as the project owner, sponsor, project team, support groups,
MEPG and EQAG,

Related Documents / References

The following documents have been referred for preparation of this SDD document.

Sr. No Document Title and Version No. Description

1. System Requirements Document The document lists the Requirements of the
System being designed
2. Technical Proposal Technical Impact Assessment Document
3. Any other document

Acronyms and Abbreviations

The following acronyms and abbreviations have been used in this document.

Acronym/ Abbreviation Description

SM Siteminder
FM Federation Manager
System Design Document Template SSD Version <nn.rr>

CONTENTS

1. INTRODUCTION.................................................................................................................. 8
1.1 SCOPE OF THE LOGICAL DESIGN......................................................................................... 8
1.2 DESIGN OBJECTIVES AND PRINCIPLES..................................................................................8
1.3 SYSTEMS ARCHITECTURE OVERVIEW...................................................................................9
1.4 HARDWARE ENVIRONMENT.................................................................................................. 9
1.5 SOFTWARE ENVIRONMENT................................................................................................ 10
1.6 NETWORK ENVIRONMENT.................................................................................................. 10
1.7 ASSUMPTIONS, CONSTRAINTS AND DEPENDENCIES............................................................10
2. SYSTEMS ARCHITECTURE............................................................................................. 11
2.1 USE-CASE REALIZATIONS.................................................................................................. 11
2.1.1 Use-Case Realizations Inventory............................................................................11
2.2 APPLICATION ARCHITECTURE.............................................................................................15
2.2.1 Architecture Layering Overview..............................................................................15
2.2.2 <Layer Name>........................................................................................................ 16
2.2.3 Component Module Inventory.................................................................................18
2.3 HIGH-LEVEL DATA MODEL................................................................................................. 18
3. KEY DESIGN CONCEPTS................................................................................................19
3.1 FUNCTIONAL DESIGN........................................................................................................ 19
3.2 INFRASTRUCTURE DESIGN................................................................................................. 19
3.3 PERFORMANCE EXPECTATIONS..........................................................................................19
3.4 APPLICATION SECURITY.................................................................................................... 19
4. MODULE SPECIFICATIONS.............................................................................................20
4.1 <MODULE NAME>............................................................................................................. 20
4.1.1 Purpose and Functionality.......................................................................................20
4.1.2 Public Interfaces..................................................................................................... 20
4.1.3 Design..................................................................................................................... 21
4.1.4 Operational Procedures / Batch Processes............................................................28
4.1.5 Quality Attributes..................................................................................................... 28
5. DATA MIGRATION STRATEGY........................................................................................29
5.1 STRATEGY........................................................................................................................ 29
5.2 DATA MIGRATION PROCESS FLOW.....................................................................................29
6. COMPONENT INTEGRATION STRATEGY......................................................................30
6.1 COMPONENT LIST............................................................................................................. 30
6.2 COMPONENT INTEGRATION SEQUENCE..............................................................................30
6.3 COMPONENT INTEGRATION PROCEDURE............................................................................30
7. OPERATIONAL CONTROLS............................................................................................31
7.1 STARTUP AND SHUTDOWN................................................................................................. 31
7.2 AUDIT AND RECOVERY...................................................................................................... 31
7.3 RESTART.......................................................................................................................... 31
7.4 BACKUP STRATEGY.......................................................................................................... 31
7.5 FALLBACK STRATEGY........................................................................................................ 31
7.6 MANUAL PROCEDURES..................................................................................................... 31
7.7 SERVICE MANAGEMENT DISCIPLINES.................................................................................31
8. GLOSSARY OF TERMS.................................................................................................... 33

APPENDIX A: ERROR MESSAGES........................................................................................ 35

System Design Document Template SSD Version <nn.rr>
System Design Document Template SSD Version <nn.rr>

1. Introduction
As part of AFIs technology infrastructure migration from AFI data center in Minneapolis to IBM data
center in Saint Louis

This Program encompasses analysis, designing, building, testing, and implementation for migration
of I&AM utilities to the new environment at IBMs Saint Louis data center

1.1Scope of the Logical Design

The scope of the project involves detailed Analysis, Design and Development of a computer based
solution

Below objectives are considered to be in scope for this project

Siteminder

Upgrade I&AM Access Management to RHEL6 based CA

1 Siteminder r12.5 in Client and A&C
Increase I&AM Access Management capacity to 1 extra servers
than total servers in existing environment in Client and A&C
2 respectively
Migrate all I&AM Access Management infrastructure related Cron
3 Jobs to TWS (if any) in Client and A&C
Creating separate Oracle 11g based Audit stores for Client and
4 A&C Access Management layer in new infrastructure
Migrate schema/configuration/data along with
operations/maintenance jobs from old to new Oracle 11g based
5 Audit store in Client and A&C
In Scope Migrating policy store configuration/schema/data to LDAP based
policy store in new infrastructure keeping CA Siteminder r12.0
7 schema in Client and A&C
Migrating operation/maintenance jobs from old to new ODSEE
8 11g policy store in Client and A&C
Integrate new CA Siteminder r12.5 with LDAP based policy store
in new environment with CA Sitemidner r12.0 schema in Client
9 and A&C
1
0 New I&AM Access Management layer would integration ready
All applications that are not in AITT Scope or those which have
not migrated to the new SSO infrastructure by the end of AITT
1 Program will be migrated as cross commits by IAM AITT Team
1

Out of Old and new I&AM Access Management environment intra-

Scope 1 operability
System Design Document Template SSD Version <nn.rr>

Federation manager

Upgrade I&AM Access Management to RHEL6 based CA

1 Federation Manager r12.1 in Client and A&C
Migrate all I&AM Access Management infrastructure related Cron
2 Jobs to TWS (if any) in Client and A&C
Creating separate Oracle 11g based CA Federation Manager
Policy stores for Client and A&C Access Management layer in new
In Scope 3 infrastructure
Migrate schema/configuration/data along with
operations/maintenance jobs from old to new Oracle 11g based
4 CA Federation Manager Policy stores in Client and A&C
Integrate new CA federation Manager r12.1 with new Oracle 11g
based CA Federation Manager Policy stores upgrading schema to
5 CA Federation Manager r12.1 in Client and A&C
6 New I&AM Access Management layer would be integration ready

1 All Phase 1 and Phase 3 work packets

Out of
Scope Old and new I&AM Access Management environment intra-
2 operability

1.2 Design objectives and principles

Migrate all Identity and Access Management assets to the new environment with minimal or no impact to
availability, in a better, faster and cost efficient way.

1.3 Systems Architecture Overview

Below diagrams provide the Architecture Overview of the Siteminder & Federation Services for A&C and
Client Environment. The Siteminder & Federation Services program traverses three distinct states for
each of A&C and Client Environment
System Design Document Template SSD Version <nn.rr>

1.3.1 Siteminder

1. Point of Departure State

The State explains the Legacy Siteminder instances supporting the Authentication,
Authorization and Auditing Services in Advisor and Corporate env.
The System connects to Policy Store and User Store for Policy and User information
respectively and consumers Oracle Audit Store for Auditing Information.
The Legacy System provides the Services with 2 Policy Servers with two Admin Servers

2. Interim State

This state will have Siteminder System in the legacy St Louis Data Center as well as a new
System built in new Data Center. Replication on Policy and User Stores will be established
between the legacy and new systems.
System Design Document Template SSD Version <nn.rr>

The state will exist till the final phase of I&AM AITT migration program.
System Design Document Template SSD Version <nn.rr>
System Design Document Template SSD Version <nn.rr>

3. Point of Arrival State

After all applications consuming the Siteminder are migrated to the new environment, legacy
system will be decommissioned and only the Siteminder System built in the new data center
will support all Authentication, Authorization and Auditing Services functions

The PoA System provides Standalone env. Siteminder Services with 3 Policy Servers and
two Admin Servers
System Design Document Template SSD Version <nn.rr>

1.3.2 Federation Manager A&C

1. Point of Departure State

The State explains the Legacy Federation Manager env. Supporting the Authentication,
Authorization and Auditing Services for Federation Manager Integrated Applications.

2. Interim State
NOT Applicable

3. Point of Arrival State

After all applications consuming the Federation Manager are migrated to the new environment,
legacy system will be decommissioned
Only the Federation System built in the new data center will support all Authentication,
Authorization and Auditing Services functions for Federation Integrated Applications.
System Design Document Template SSD Version <nn.rr>

1.3.3 Federation Manager Client

1. Point of Departure State

The State explains the Legacy Federation Manager Client env. Supporting the Authentication,
Authorization and Auditing Services in Client env. for Federation Manager Integrated Applications.
System Design Document Template SSD Version <nn.rr>

Federation Manager Migration State Diagram

WebServer WebServer

Consuming
Apps

Federation
AdminServer Siteminder
Manager

Policy User
Shared Database Store Store

Shared Windows Server

Existing Data Center - POD

2. Interim State
NOT Applicable

3. Point of Arrival State

After all applications consuming the Client Federation Manager are migrated to the new
environment, legacy system will be decommissioned
Only the Federation Client System built in the new data center will support all Authentication,
Authorization and Auditing Services functions for Federation Integrated Applications.
System Design Document Template SSD Version <nn.rr>

New Data Center - POA WebServer

Consuming
Apps

Federation
Siteminder
Manager

Policy User
Dedicated
Store Store
Database

Dedicated Windows Server

System Design Document Template SSD Version <nn.rr>

1.4 Hardware Environment

Hardware Requirement for Siteminder .

We have 6 policy servers and 2 admin servers in A&C and Client

Component Parameter Value

RHEL 6.0
Operating System

Min 64 GB
Memory/RAM

Min 6 CPUs with 4 chores of 2.66 GHz each.

CPU Speed

App Install - 40GB - Tier1b

Hard Disk
Logs - 100GB - Tier2
Others - 60GB - Tier2.
Policy Servers
R12.5 Policy servers(3 in count for A&C and 3 in count for Client)

Admin servers
(2 in count for A&C and 2 in count for Client)

Hardware Requirement for Federation Manager

Component Parameter Value

Windows 2008 R2
Operating System

Min 8 GB
Memory/RAM

Min computing units equivalent to 6 CPUs with 4 chores of 2.66

CPU Speed
GHz each.

Hard Disk App Install - 30GB - Tier1b

Logs - 60GB - Tier2

Others - 40GB - Tier2

Servers
R 12.1 Federation Manager Servers (2 in count for A&c and 2 in
count for Client) Webserver reverse proxy (2 in count for A&c
System Design Document Template SSD Version <nn.rr>

and 2 in count for Client)

DB
Federation Manager policy store Data Base

1.5 Software Environment

Software for the Siteminder and Federation Manager

RHEL 6.0
Oracle Directory Server Enterprise Edition (ODSEE) 11g (ODSEE 11.1.1.5) for RHEL 5.0
Siteminder 12.5 SP3 CR2
Audit DB
Federation Manager 12.1

1.6 Network Environment

Firewall sheet ot be attached here. <TBD>

1.7 Assumptions, Constraints and Dependencies

Assumpti Network connectivity between new and old infrastructure

ons 1 would be available till completion of migration
Performance capability of migrated/upgraded vendor
packaged product would be limited by the capacity and
capability provided by hardware/OS/network technology
2 stack
New hardware/OS stack would be provided with capacity
same or better than existing I&AM hardware/OS stack for
3 each asset
Network capacity of new infrastructure will be same or
4 better
Technology Architecture design for clustering, failover and
DR of migrated/upgraded I&AM assets would remain AS-
5 IS
Hardware is delivered as quoted in the wave planning
6 document
CDO Team like Asset Managers, Architects have sufficient
7 bandwidth to support the work load of AITT
8 Upgraded / migrated vendor packaged products would be
certified for the new technology stack where ever
System Design Document Template SSD Version <nn.rr>

applicable
1 Delivery of Access management servers by IBM
2 CA Support required for any compatibility/performance issues
3 Up gradation of Policy Store schema from R12 to R12.5 schema
Dependen AITT Dev team will be provided access E1 dev server to
cies 4 deploy apps
AITT Dev team will be provided access E2 and E3 servers
5 to validate the servers
6 Dependency of DBA team for the delivery of Oracle Database instances
System Design Document Template SSD Version <nn.rr>

2. Systems Architecture

2.1.1 Siteminder
Please find attached below diagram that gives system Architectural overview.

Siteminder with components below will be populated with data in the new Data Center.

Siteminder policy server R 12.5 installed on 3 dedicated physical servers each for A&C and Client
Siteminder admin UI instance installed on 2 dedicated physical servers common for A&C and
Client
Siteminder Audit Store instances on 3 Oracle 11g RAC nodes each for A&C and Client
Siteminder Policy Server will consume
o Policy Store LDAP Directory Server instances deployed on 2 physical directory servers
each for A&C and Client
o SUD LDAP Directory Server instances deployed on 2 physical directory servers each for
A&C and Client

Below Technological Placement Diagrams depict the Siteminder client and A&C architecture in
details.

TPD for Siteminder Client - Figure 2.1

System Design Document Template SSD Version <nn.rr>

TPD for Siteminder A&C - Figure 2.2

2.1.2 Federation Manager

Federation Manager with components below will be built in the new Data Center.

Federation Manger policy instance on 2 physical servers will be deployed each for A&C and
Client
Federation Manager policy store database shared instances on Oracle 11g RAC each for A&C
and Client

Below Technology Placement Diagrams depict the Federation Manager A&C and client architecture in
details.

TPD for Federation Manager Client

System Design Document Template SSD Version <nn.rr>

TPD for Federation Manager A&C

System Design Document Template SSD Version <nn.rr>
System Design Document Template SSD Version <nn.rr>

2.1 Use-Case Realizations

2.1.1 Use-Case Realizations Inventory

Siteminder Use Cases

1 Admin accessing the Basic Flow

Siteminder Client ===========
Admin UI Admin user should be able to access Siteminder Admin client UI.
Admin user should be able to view /edit the polices

Alternate flow#1
If the credentials provided by the admin user are not correct, the user will be
thrown Incorrect User/Password Error message screen.

Alternate flow#2
If the user is unauthorized to access the application, user will be thrown
Unauthorized Error message screen.

Alternate flow#3
If the SSO components are down, then the user will be thrown Service Down
Error Message.

2 User Authentication & Basic Flow

Authorization ===========
User user should be able to access websites protected by Siteminder

Alternate flow#1
If the credentials provided by the user are not correct, the user will be thrown
Incorrect User/Password Error message screen.

Alternate flow#2
If the user is unauthorized to access the application, user will be thrown
Unauthorized Error message screen.

Alternate flow#3
If the SSO components are down, then the user will be thrown Service Down
Error Message.
System Design Document Template SSD Version <nn.rr>

SSO Federation Manager Use Cases

1 User Authentication & Basic Flow

Authorization ===========
User user should be able to access websites protected by
Federation Manager through SIteminder

Alternate flow#1
If the credentials provided by the user are not correct, the user will be
thrown Incorrect User/Password Error message screen.

Alternate flow#2
If the user is unauthorized to access the application, user will be thrown
Unauthorized Error message screen.

Alternate flow#3
If the SSO components are down, then the user will be thrown Service
Down Error Message..
System Design Document Template SSD Version <nn.rr>

2.2 Application Architecture

Not applicable

2.2.1 Component Module Inventory

Sr. Module Name Short Type Status CMDB

No Name ID

1 Siteminder Policy server SM System Migration A3473

2 Admin UI Subsystem Migration

3 SM Policy Store Subsystem Migration

and
Modification

4 Siteminder User Store SUD Subsystem Migration

5 Audit Store Subsystem Migration

and
Modification

6 Federation Manager FM Subsystem Migration A3614

7 FM admin UI Subsystem Migration

8 FM Policy Store Subsystem Migration

9 FM Audit Store Subsystem New

System Design Document Template SSD Version <nn.rr>

2.3 High-level Data Model

2.3.1 Siteminder

Siteminder User Directory (SUD) Instance A&C

The SUD instance will have the following Schema (Refer to Attached file 1.0 below)

A&C SUD Schema.zip

Attachment 1.0

Siteminder User Directory Instance Client

The SUD instance will have the following Schema (Refer Attached file 2.0 below)

Client SUD
Schema.zip

Attachment 2.0

2.3.2 Federation Manager

Does not have any custom Schema Defined
System Design Document Template SSD Version <nn.rr>

3. Key Design Concepts

3.1 Functional Design

- System supports
o Authentication function
o Authorization function
o Audit functionality

- Information Flow:
o End user tries to access SSO protected application; the application redirects to Login page.
Credentials are provided on the login page to get the user authenticated and authorized.
o WAM Policy information is retrieved by Siteminder from Policy Store
o User Credential Information and associated information for authentication is retrieved by
Siteminder from User Store.
o Authentication and Authorization functions are performed and the user gets redirected to target /
expected application.

- Information Flow States:

o PoD State Information Flow: Information will be as described above within the existing data
center
o Interim State Information Flow:
SUD will be in replication with the old Datacener.
Policy Store will be upgraded to R12.5 schema.
Siteminder will be in Integration ready state.
Applications will be integrated in phases with the Siteminder in the Interim state.
o Point Of Arrival State:
All of the Applications protected with Old Siteminder Infrastructure will be protected with
new Siteminder Infrastructure in new Data Center.

The above States of Information Flow is depicted in diagrams as below

System Design Document Template SSD Version <nn.rr>

3.1.1 Siteminder

IFD for Siteminder Client - PoD

Figure 3.1.2
System Design Document Template SSD Version <nn.rr>

IFD for Siteminder Client - Interim

Figure 3.1.2
System Design Document Template SSD Version <nn.rr>

IFD for Siteminder Client - PoA

System Design Document Template SSD Version <nn.rr>

IFD for Siteminder A&C - PoD

Figure 3.1.2
System Design Document Template SSD Version <nn.rr>

IFD for Siteminder A&C - Interim

System Design Document Template SSD Version <nn.rr>

IFD for Siteminder A&C - PoA

.
System Design Document Template SSD Version <nn.rr>

3.1.2 Federation Manager

Information Flow Diagram Federation Manager A&C PoD

System Design Document Template SSD Version <nn.rr>

Information Flow Diagram Federation Manager A&C PoA

System Design Document Template SSD Version <nn.rr>

Information Flow Diagram Federation Manager Client PoD

Information Flow Diagram Federation Manager Client PoA

System Design Document Template SSD Version <nn.rr>

3.2 Infrastructure Design

3.2.1 Siteminder E3 Logical Deployment Diagram

System Design Document Template SSD Version <nn.rr>

Siteminder will be deployed in the new data center as shown in the deployment diagrams below. It
has three distinct servers each for A&C and Client respectively; the servers are completely isolated
from each other.

A&C related Siteminder Functions will be provided by

a. Three physical servers
b. Each physical server will have Siteminder R 12.5 policy server instance connected to
SUD and Policy Stores on Directory Servers
c. Two Admin UI Servers as depicted in diagram will help administer the three Policy
Servers

Client related Directory Services Functions will be provided by

a. Three physical servers
b. Each physical server will have Siteminder R 12.5 policy server instance connected to
SUD and Policy Stores on Directory Servers
c. Two Admin UI Servers as depicted in diagram will help administer the three Policy
Servers

Please find below depicted diagrams that describe the Logical Deployment of Siteminder in client
and A&C in detail.

Logical Deployment Diagram of Siteminder A&Co

System Design Document Template SSD Version <nn.rr>

Logical Deployment Diagram of Siteminder Client : Figure 3.2.2

System Design Document Template SSD Version <nn.rr>
System Design Document Template SSD Version <nn.rr>

3.2.2 Siteminder E2 Logical Deployment Diagram

E2 environment will be created with the exact deployment configuration as that of E3. It will be
completely isolated from E3 Systems and will be a standalone self-sufficient environment that will
service all Siteminder Functions similar to Production Siteminder Infrastructure.

Siteminder will be deployed in the new data center as shown in the deployment diagrams below. It
has three distinct servers each for A&C and Client respectively; the servers are completely isolated
from each other.

A&C related Siteminder Functions will be provided by

a. Three physical servers
b. Each physical server will have Siteminder R 12.5 policy server instance connected to
SUD and Policy Stores on Directory Servers
c. Two Admin UI Servers as depicted in diagram will help administer the three Policy
Servers

Client related Directory Services Functions will be provided by

a. Three physical servers
b. Each physical server will have Siteminder R 12.5 policy server instance connected to
SUD and Policy Stores on Directory Servers
c. Two Admin UI Servers as depicted in diagram will help administer the three Policy
Servers

Please find below depicted diagrams that describe the Logical Deployment of Siteminder in client
and A&C in detail.

Same as those of E3

3.2.3 Siteminder E1 Logical Deployment Diagram

E1 environment will be created with similar deployment configuration as that of E2 but with
reduced capacity; E1 Siteminder env. will have Two Policy Servers
The Servers will be completely isolated from other Systems and will be a standalone self-
sufficient environment that will service all Siteminder Function similar to Production env.
A&C and Client will have independent E1 environment with the above characteristics
System Design Document Template SSD Version <nn.rr>

Logical Deployment Diagram of Siteminder for E1

System Design Document Template SSD Version <nn.rr>

3.2.4 Siteminder SAN Logical Deployment Diagram

For high availability a SAN topology as depicted in diagram is required
System Design Document Template SSD Version <nn.rr>

3.2.5 Federation Manager E3 Logical Deployment Diagram

Federation Manager will be deployed in the new data center as shown in the deployment diagrams
below. It has two distinct servers each for A&C and Client respectively; the servers are completely
isolated from each other.

A&C related Federation Manager Functions will be provided by

a. Two physical servers
b. Each physical server will have CA Federation Manager R 12.1 instance connected to
SUD and Policy Store on Oracle Database.

Client related Federation Manager Functions will be provided by

a. Two physical servers
b. Each physical server will have Federation Manager R 12.1 policy server instance
connected to SUD and Policy Store on Oracle Database
System Design Document Template SSD Version <nn.rr>

Logical Deployment Diagram of Federation Manager A&C: Figure 3.2.7

System Design Document Template SSD Version <nn.rr>

Logical Deployment Diagram of Federation Manager Client: Figure 3.2.8

System Design Document Template SSD Version <nn.rr>

3.2.6 Federation Manager E2 Logical Deployment Diagram

E2 environment will be created with the exact deployment configuration as that of E3. It will be
completely isolated from E3 Systems and will be a standalone self-sufficient environment that will
service all Federation Manager Functions similar to Production Federation Manager Infrastructure.

A&C related Federation Manager Functions will be provided by

a. Two physical servers
b. Each physical server will have CA Federation Manager R 12.1 instance connected to
SUD and Policy Store on Oracle Database.

Client related Federation Manager Functions will be provided by

a. Two physical servers
b. Each physical server will have Federation Manager R 12.1 policy server instance
connected to SUD and Policy Store on Oracle Database

Refer E3 Diagrams

3.2.7 Federation Manager E1 Logical Deployment Diagram

E1 environment will be created with similar deployment configuration as that of E2 but with
reduced capacity; E1 Federation Manager env. will have Two Federation Manager Servers.
The servers will be completely isolated from other Systems and will be a standalone self-sufficient
environment that will service all Federation Manager Function similar to Production env.

Refer E3 Diagrams
System Design Document Template SSD Version <nn.rr>

3.2.8 Federation Manager SAN Logical Deployment Diagram

For high availability SAN, below deployment architecture is required
System Design Document Template SSD Version <nn.rr>

3.3 Performance Expectations

3.3.1 Siteminder

Performance
Peak load capacity (transaction/sec) handling for Auth-Az calls in new CA Siteminder r12.5 Policy
servers (per servers) should be same or better in comparison to old CA Siteminder r12.0 Policy
servers

Peak load sustenance (max load for delta time without impact to response) handling for Auth-Az
calls in new CA Siteminder r12.5 Policy servers (per servers) should be same or better in
comparison to old CA Siteminder r12.0 Policy servers

Compatibility
New CA Siteminder r12.5 Policy server instances should support new Web Agent r12.0
integrations
New CA Siteminder r12.5 Policy servers should be capable triggering/running Access
Management policies configured in old CA Siteminder r12.0 infrastructure as per existing design
New CA Siteminder r12.5 Admin server instances should be capable of creating and
administering new access management policies through Admin UI
New CA Siteminder r12.5 Policy servers should have capability of performing operations using
XPS-family of tools
New CA Siteminder r12.5 Policy servers should have capability of running Siteminder CLI API
based perl scripts

3.3.2 Federation Manager

Performance
Peak load capacity (transaction/sec) handling for Auth-Az calls in new CA Federation Manger
r12.1 Policy servers (per servers) should be same or better in comparison to old CA Federation
Manger r12.1 in existing env.
Peak load sustenance (max load for delta time without impact to response) handling for Auth-Az
calls in new CA Federation Manger r12.1 servers (per servers) should be same or better in
comparison to old CA Federation Manger r12.1 servers

3.4 Application Security

Siteminder & Federation Manager Assets has gone through Information Security review and TIAs;
Systems built are to be aligned with AFI Security Standards with no open security exception. Migration will
be performed as-is; no changes in application security.
System Design Document Template SSD Version <nn.rr>

Module Specifications

N/A
System Design Document Template SSD Version <nn.rr>

4. Data Migration Strategy

4.1 Strategy

1. Siteminder

Below is the Data Migration Strategy that will be followed for the Siteminder Consuming Instances
SUD (A&C and Client) and Policy Store (A&C and Client).

Directory Server Instances will be built in the new env.

Using Directory Server Tool, Schema will be imported to the new instances from instances in
existing Directory Servers
Using Directory Server Tool, Data will be imported to the new instances from instances in existing
Directory Servers
Using Directory Server Control Center features, Replication (i.e. Synchronizing the schema and
data between two instances of same type) will be enabled between the old and new instances
Replication will be stopped on Policy Store instances before upgrading Siteminder schema to
R12.5

2. Federation Manager

Database Migration for Federation manager will be as per Ameriprise database Team process and
standards.
System Design Document Template SSD Version <nn.rr>

4.2 Data Migration Process Flow

Start

Schema Migrate Schema to instance

exported from created in new env.
old env.

Migrate Data from Old

Run Sync. Instances to new.
Processes

Data Files Enable Replication from Old

exported from to new Instances
old env.

End
System Design Document Template SSD Version <nn.rr>

Component Integration Strategy

4.3 Component List

Please refer to Section 2.2.3 above for Component List Inventory

4.4 Component Integration Sequence

Integration sequence of the different components is listed below.

Siteminder A&C :

Policy store data migration from old to new

Audit store data migration from old to new

Install Siteminder in the new server

Install Siteminder admin GUI

Configure siteminder instance with new policy store

Upgrade policy store schema

Upgrade audit store

Configure policy server instance with new policy store

Configure policy server instance with new audit store

Migrate User store ie. AFI directory in A&C

Enable replication between old user store and new user store

Configure user store in Siteminder admin GUI admin GUI pointing

to the new user store.

Siteminder Client :

Policy store data migration from old to new

Audit store data migration from old to new

System Design Document Template SSD Version <nn.rr>

Install siteminder in the new server

Install Siteminder admin GUI

Configure Siteminder instance with new policy store

Upgrade policy store schema

Upgrade audit store

Configure policy server instance with new policy store

Configure policy server instance with new audit store

Migrate User store ie. SUD in Client

Enable replication between old user store and new user store

Configure user store in Siteminder admin GUI admin GUI pointing

to the new user store.

Federation Manager A&C :

Migrate Oracle policy store from old to new configuration

Install Federation Manager in new server

Install Federation Manager admin GUI

Configure Federation Manger instance with policy store

Configure Federation Manger instance with Audit store

Migrate User store ie. AFI directory

Configure user store AFI directory in the federation manager admin GUI pointing

to the new user store

Federation Manager Client :

Migrate Oracle policy store from old to new configuration

Install Federation Manager in new server

Install Federation Manager admin GUI

Configure Federation Manger instance with policy store

System Design Document Template SSD Version <nn.rr>

Configure Federation Manger instance with Audit store

Migrate User store ie. SUD in Client

Configure user store SUD in the federation manager admin GUI pointing

to the new user store.

4.5 Component Integration Procedure

Detailed Component Integration Procedure will be compiled during the E build and will be published in
the Build Phase of the program.
System Design Document Template SSD Version <nn.rr>

5. OPERATIONAL CONTROLS

5.1 Startup and Shutdown

Application Support Manual will be included with the Startup and Shutdown procedure details and will be
handed over to Production Support team.

5.2 Audit and Recovery

Audit and recovery will be followed as per RPO (Recovery time objective) and RTO (Recovery point
objective) specifications of Ameriprise. DR Level 1. Please refer to DR level specifications for more details.

5.3 Restart
Please refer ASM (Application support manual) which will handover to production support group.

5.4 Backup Strategy

Siteminder:
SUD and User Store Schema and Data backups are taken with nightly jobs.
Backed up content will be retained for 3 days onsite and upto 1 year offsite

Federation Manager:

Data backup will be taken as per Amerirpise database backup procedure, for further references
please refer to DBA backup policy.
Tier 1 database backup policies and processes will be followed.

5.5 Fallback Strategy

Siteminder

Old and new Siteminder infrastructure will be run in parallel till the end of AITT project completion. On any
Issues with the new env. the applications can fall back on the old Siteminder infrastructure.

Federation Manager

Old federation manager infrastructure will be maintained for 60 days after migration, fallback will be to go
back to old environment. Any issues after 60 days needs forward fix in the new env.

5.6 Manual Procedures

1. This section will be updated after E1 implementation.
2. New Siteminder Policies configured will be named by <AppName_appRelease_SMVersion_objectype>
System Design Document Template SSD Version <nn.rr>

5.7 Service Management Disciplines

Service Level Management:

Below are the SLA targets (as in the existing env.)

SLA for Siteminder Instances will be 2.18 sec for A&C env. with a load of 100 Concurrent
users.
SLA for Siteminder Instances will be 5.10 sec for A&C env. with a load of 100 Concurrent
users.
SLA for Federation Manager Instances in A&C env.
SLA for Federation Manager Instances in Client env.

Availability:

Availability target for Siteminder is 99.90 % (as in the existing env.)

Configuration Management:

CMDB will be updated at the end of each Phase of the Project

Release Management:

Please refer AITT Project Plan document for Release Management activities / steps.

Problem Management:

Service Now Tool will be used for Incident Management Process and tracking of Problems related
to the Project.

Change Management:

Service Now Tool will be used for Change Management Process; will be used for executing RFC
(Request for Change).

CEC: Contact the CEC SME

GSAM Support: Contact the CEC SME

System Design Document Template SSD Version <nn.rr>

6. Glossary of Terms
All the terms used in the application must be defined in a clear manner in the glossary. The objective of this is to
have in one place common and clear definitions of all the terms. In addition the glossary must contain the list of
allowed values for the term in one place.