Designing Portal Security Strategies

The user nobody does not have a password, which prevents a regular user from becoming nobody. Only the superuser can change users without being prompted for a password. Thus, you still need root access to start and stop Portal Server services.

See the Java Enterprise System Installation Guide for more information.

Non-rootuser. You can run Portal Server as a regular UNIX user. The security benefits of a regular user are similar to the security benefits provided by the user nobody. A regular UNIX user has additional benefits as this type of user can start, stop, and configure services. After installation, you need to change ownership of some files.

See the Java Enterprise System Installation Guide for more information.

Limiting Access Control

While the traditional security UNIX model is typically viewed as all-or-nothing, you can use alternative tools to provide some additional flexibility. These tools provide the mechanisms needed to create a fine grain access control to individual resources, such as different UNIX commands. For example, this toolset enables Portal Server to be run as root, while allowing certain users and roles superuser privileges to start, stop, and maintain the Portal Server framework.

These tools include:

Role-Based Access Control (RBAC). Solaris™ 8 and Solaris™ 9 include the Role-Based Access Control (RBAC) to package superuser privileges and assign them to user accounts. RBAC enables separation of powers, controlled delegation of privileged operations to users, and a variable degree of access control.

Sudo. Sudo is publicly available software, which enables a system administrator to give certain users the ability to execute a command as another user. Please see:

http://www.courtesan.com/sudo/sudo.html

Using a Demilitarized Zone (DMZ)

For maximum security, the Gateway is installed in the DMZ between two firewalls. The outermost firewall enables only SSL traffic from the Internet to the Gateways, which then direct traffic to servers on the internal network.

104 Portal Server 6 2005Q1 • Deployment Planning Guide

Page 104
Image 104
Sun Microsystems 2005Q1 manual Using a Demilitarized Zone DMZ, Limiting Access Control