
3.4 Security features

TMTP Version 5.2 includes features to allow your transaction monitoring infrastructure to be secure. The key features that support secure implementations are shown in the following sections.

SSL communications between components

SSL is a security protocol that provides for authentication, integrity, and confidentiality. Each of the components of TMTP Version 5.2 WTP can optionally be configured to utilize SSL for communications.

A sample HTTP-based SSL transaction using server-side certificates follows:

  1. The client requests a secure session with the server.

  2. The server provides a certificate, its public key, and a list of its ciphers to the client.

  3. The client uses the certificate to authenticate the server (that is, to verify that the server is who it claims to be).

  4. The client picks the strongest cipher that the two have in common and uses the server's public key to encrypt a newly generated session key.

  5. The server decrypts the session key with its private key.

  6. Henceforth, the client and server use the session key to encrypt all messages.

TMTP uses the Java Secure Sockets Extensions (JSSE) API to create SSL sockets within Java applications and includes IBM's GSKIT to manage certificates. Chapter 4, "TMTP WTP Version 5.2 installation and deployment" on page 85 includes information on how to configure the environment to use SSL.
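The following JSSE client is an added example, not code from the redbook or from TMTP itself. It shows the client side of the server-authenticated handshake above: the server certificate is checked against a truststore (step 3) and the negotiated cipher is limited to a preferred list (step 4). The host name, port, truststore path and password are assumptions, and the listed suites use ephemeral key exchange rather than the RSA key transport described in step 4.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

/** Added example: a JSSE client that authenticates the server against a
 *  truststore and restricts the cipher suites it will accept. */
public class TmtpSslClientExample {
    // Assumed values. The truststore would hold the Management Server's
    // certificate (or its issuing CA), imported with a tool such as GSKit or keytool.
    static final String HOST = "tmtp-server.example.com";
    static final int PORT = 443;
    static final String TRUSTSTORE = "/opt/tmtp/keys/trust.jks";
    static final char[] TRUSTSTORE_PW = "changeit".toCharArray();
    // Acceptable suites, strongest first; anything not listed here is refused.
    static final String[] ALLOWED_SUITES = {
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
    };

    public static void main(String[] args) throws Exception {
        // Load the certificates this client trusts (step 3 of the handshake).
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(TRUSTSTORE)) {
            trust.load(in, TRUSTSTORE_PW);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // server-side certificates only

        try (SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(HOST, PORT)) {
            sock.setEnabledCipherSuites(ALLOWED_SUITES);
            // Require the certificate's name to match the host we dialled, so a
            // valid certificate issued for a different server is rejected.
            SSLParameters params = sock.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            sock.setSSLParameters(params);

            sock.startHandshake(); // throws SSLHandshakeException if the server is untrusted
            SSLSession session = sock.getSession();
            X509Certificate server = (X509Certificate) session.getPeerCertificates()[0];
            System.out.println("Negotiated " + session.getCipherSuite()
                    + " with " + server.getSubjectX500Principal());
        }
    }
}
```

If the truststore does not contain the server's certificate chain, `startHandshake()` fails before any application data is sent, which is the behaviour a Management Agent should rely on rather than connecting anyway.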

Store and Forward Agent

The Store and Forward Management Service is a new component in the TMTP infrastructure. The service resides on a TMTP Management Agent. The new service was created in order to allow the TMTP Version 5.2 Management Server to be moved from the DMZ into the Enterprise. The agent provides a point-to-point connection between the TMTP Management Agents in the DMZ and the TMTP Management Server in the Enterprise. The functions provided by the Store and Forward agent (hereafter referred to as the SnF agent) are:

  • Behaves as a pipe between the TMTP Management Server and TMTP Management Agents

  • Maintains a single open and optionally persistent connection to the Management Server in order to forward agent requests

  • Minimizes access from the DMZ through the firewall (one port for a SnF agent)

  • Acts as part of the TMTP framework (that is, the JMX environment, User Interface, Policy, and so on).

Configuration of the SnF agent, including how to configure SnF to relay across multiple DMZs, is discussed further in Chapter 4, "TMTP WTP Version 5.2 installation and deployment" on page 85.

The SnF agent consists of two parts: the reverse proxy component, which utilizes WebSphere Caching Proxy, and the JMX TMTP agent, which manages the reverse proxy (both of these components are installed transparently when you install the SnF agent). The TMTP architecture, when utilizing a SnF agent, precludes direct connections from the Management Server. All endpoint requests are driven to the Management Server via the reverse proxy. All communication between the SnF agent and the Management Server is via HTTP/HTTPS over a persistent connection. Connections from the SnF agent to other Management Agents are not persistent and optionally use SSL. The SnF agent performs no authorization of other Management Agents, as the TMTP endpoint is considered trusted because registration occurs as part of a user-driven, manual process.

Figure 3-9 shows the SnF Agent communication flows.

Figure 3-9: SnF Agent communication flows

Ports used

Because of the Store and Forward agent, the number of ports used to communicate from the Management Agents to the Management Server can be limited to one, and communications via this port are secured using SSL. Additionally, each of the ports that TMTP uses for communication between the various components can be configured. The default port usage and the configuration of non-default ports are discussed in Chapter 4, "TMTP WTP Version 5.2 installation and deployment" on page 85.

TMTP users and roles

TMTP uses WebSphere Application Server 5.0 security. This means that TMTP authentication can be performed using the operating system (that is, standard operating system user accounts), LDAP, or a custom registry. Also, the TMTP Application defines over 20 roles, which can be assigned to TMTP users in order to limit their access to the various functions that TMTP offers. Users are mapped to TMTP roles utilizing standard WebSphere Application Server 5.0 functionality. The process of mapping users to roles within WebSphere is described in Chapter 4, "TMTP WTP Version 5.2 installation and deployment" on page 85. Also, as TMTP uses WebSphere Security, it is possible to configure TMTP for Single Sign-On (the details of how to do this are beyond the scope of this redbook; however, the documentation that comes with WebSphere 5.0.1 discusses this in some depth). The redbook IBM WebSphere V5.0 Security, SG24-6573, is also a useful reference for learning about WebSphere 5.0 security.






End-to-End E-business Transaction Management Made Easy
ISBN: 0738499323
Year: 2003
Pages: 105
Authors: IBM Redbooks