Using a Demilitarized Zone DMZ | Sun Microsystems 2005Q1 guide

Designing Portal Security Strategies

The user nobody does not have a password, which prevents a regular user from becoming nobody. Only the superuser can change users without being prompted for a password. Thus, you still need root access to start and stop Portal Server services.

See the Java Enterprise System Installation Guide for more information.

•Non-rootuser. You can run Portal Server as a regular UNIX user. The security benefits of a regular user are similar to the security benefits provided by the user nobody. A regular UNIX user has additional benefits as this type of user can start, stop, and configure services. After installation, you need to change ownership of some files.

See the Java Enterprise System Installation Guide for more information.

Limiting Access Control

While the traditional security UNIX model is typically viewed as all-or-nothing, you can use alternative tools to provide some additional flexibility. These tools provide the mechanisms needed to create a fine grain access control to individual resources, such as different UNIX commands. For example, this toolset enables Portal Server to be run as root, while allowing certain users and roles superuser privileges to start, stop, and maintain the Portal Server framework.

These tools include:

•Role-Based Access Control (RBAC). Solaris™ 8 and Solaris™ 9 include the Role-Based Access Control (RBAC) to package superuser privileges and assign them to user accounts. RBAC enables separation of powers, controlled delegation of privileged operations to users, and a variable degree of access control.

•Sudo. Sudo is publicly available software, which enables a system administrator to give certain users the ability to execute a command as another user. Please see:

http://www.courtesan.com/sudo/sudo.html

Using a Demilitarized Zone (DMZ)

For maximum security, the Gateway is installed in the DMZ between two firewalls. The outermost firewall enables only SSL traffic from the Internet to the Gateways, which then direct traffic to servers on the internal network.

104 Portal Server 6 2005Q1 • Deployment Planning Guide

Image 104

Sun Microsystems 2005Q1 manual Using a Demilitarized Zone DMZ, Limiting Access Control

Contents

Portal Server Deployment Planning Guide 2005Q1Page Contents Portal Server Secure Remote Access Architecture Creating Your Portal Design Portal Server 6 2005Q1 Deployment Planning Guide Appendix E Portal Deployment Worksheets 167 Portal Server 6 2005Q1 Deployment Planning Guide List of Figures Portal Server 6 2005Q1 Deployment Planning Guide List of Tables Portal Server 6 2005Q1 Deployment Planning Guide Preface Before You Read This Book Who Should Read This Book How This Book Is Organized Chapter Typographical Conventions Conventions Used in This BookTypographic Conventions Related Documentation Books in This Documentation Set Other Portal Server Documentation Other Server Documentation Accessing Sun Resources Online Sun Welcomes Your Comments Page What is a Portal? Portal Server Architecture Types of Portals Collaborative Portals Portal Server Capabilities Business Intelligence Portals Sun Java System Portal Server Secure Remote Access Portal Sever in Open Mode Portal Server in Secure Mode 1Portal Server in Open Mode Firewall Gateway Internet Security, Encryption, and Authentication Portal Server Deployment Components Portal Server Architecture Identity Management Software Categories Portal Server Software DeploymentSoftware Packaging Compatibility With Java Software Typical Portal Server Installation DMZ 4SRA Deployment Page Portal Server Secure Remote Access Architecture SRA Gateway Multiple Gateway Instances Multiple Portal Server Instances Gateway and SSL Support Proxy ConfigurationGateway and Http Basic Authentication Gateway Access Control Using Accelerators with the Gateway NetletGateway Logging Static and Dynamic Port Applications Netlet Netlet and Application Integration Split Tunneling Components Netlet ProxyNetFile Initialization Validating Credentials Special Operations Access ControlSecurity Rewriter NetFile and Multithreading Rewriter Proxy Proxylet Proxylet Portal Server 6 2005Q1 Deployment Planning Guide Business Objectives Business Objectives Technical Goals Identity Management Mapping Portal Server Features to Your Business Needs1Identity Management Features and Benefits SSO 2SRA Features and Benefits SRA 3Search Features and Benefits Search Engine Search Features and Benefits 4Personalization Features and BenefitsPersonalization Aggregation and Integration 5Aggregation Features and Benefits Understanding User Behaviors and Patterns Understanding User Behaviors and Patterns Determine Your Tuning Goals Pre-Deployment Considerations Portal Sizing Tips Establish Performance Methodology Portal Sizing See Portal Sizing on Establish Baseline Sizing Figures Peak Numbers Average Time Between Page Requests Concurrent Users Average Session Time Search Engine Factors Portal Desktop Configuration TIP Transaction Time Hardware and ApplicationsBack-End Servers Customize the Baseline Sizing Figures Workload Conditions Application Server Requirements Validate Baseline Sizing FiguresLdap Transaction Numbers Refine Baseline Sizing Figures SRA Sizing Validate Your Final Figures Session Characteristics Identifying Gateway Key Performance Requirements Netlet Usage Characteristics Advanced Gateway Settings Configuration Secure Portal Pilot Measured Numbers SRA Gateway and SSL Hardware AcceleratorsScalability SRA and Sun Enterprise Midframe Line SRA Sizing Portal Server 6 2005Q1 Deployment Planning Guide Creating Your Portal Design Portal Design Approach Overview of High-Level Portal Design Overview of Low-Level Portal Design Logical Portal Architecture Portal Design Approach Horizontal Scaling Portal Server and ScalabilityVertical Scaling Portal Server and High Availability Achieving High Availability for Portal Server System AvailabilityDegrees of High Availability Portal Server System Communication Links HTTPs Portal Server System Communication Links Working with Portal Server Building Modules 2Portal Server Building Module Architecture Building Modules and High Availability Scenarios Best Effort Portal Server High Availability Scenarios Best Effort 3Best Effort Scenario No Single Point of Failure No Single Point of Failure Example Working with Portal Server Building Modules Working with Portal Server Building Modules Transparent Failover 5Transparent Failover Example Scenario Deployment Guidelines Deploying Your Building Module SolutionBuilding Module Constraints Directory Server Requirements Search Engine Structure Designing Portal Use Case Scenarios Elements of Portal Use Cases Example Use Case Authenticate Portal User Use Case Authenticate Portal User Designing Portal Security Strategies Securing the Operating Environment Using Platform Security Unix User Installation Using a Demilitarized Zone DMZ Limiting Access Control Portal Server and Access Manager on Different Nodes SDK 7Two Portal Servers and One Access Manager 8One Portal Server and Two Access Managers 9Two Portal Servers and Two Access Managers Restart amserver services Designing SRA Deployment Scenarios Basic SRA Configuration 10Basic SRA Configuration Disable Netlet 11Disable Netlet Proxylet 12 Proxylet NetFile Gateway Netlet and Rewriter Proxies NetFile Netlet and Rewriter Proxies on Separate Nodes Proxies on Separate Nodes Using Two Gateways and Netlet Proxy 16Two Gateways and Netlet Proxy Using an Accelerator Accelerator Netlet with 3rd Party Proxy Host 19Using a Reverse Proxy in Front of the Gateway Reverse Proxy Content and Design Implementation Designing for Localization Placement of Static Portal Content Creating a Custom Access Manager ServiceIntegration Design Integrating Applications Independent Software Vendors Integrating Microsoft Exchange Identity and Directory Structure Design Implementing Single Sign-On Portal Desktop Design Choosing and Implementing the Correct Aggregration Strategy Working with Providers String name=url value=file//path/filename Client Support Page Moving to a Production Environment Monitoring and TuningProduction Environment Documenting the Portal Monitoring Portal Server Memory Consumption and Garbage Collection CPU Utilization Access Manager Cache and Sessions Thread Usage Portal Usage Information Table A-1Portal Server Directories Installed Product LayoutDirectories Installed for Portal Server Directories Installed for SRA Table A-2Portal Server, SRA Directories Configuration Files Etc/opt/SUNWpsPage Analysis Tools Table B-1Performance Analysis Tools Count MpstatAgrep Socket connection What to Look For Iostat Netstat Netstat -I hme0 Netstat -sP tcp Output Consider the following Table B-3TCP/IP Options Tuning Parameters for /etc/systemEtc/system Options Max Page Portal Server and Application Servers Introduction to Application Server Support in Portal Server Portal Server on an Application Server Cluster Overview of Application Server Enterprise Edition Overview of BEA WebLogic Server Clusters Installdir/config/domainname/startWeblogic.sh Overview of IBM WebSphere Application Server Page Unix Processes Troubleshooting Your Portal DeploymentTroubleshooting Portal Server Working with the Display Profile Recovering the Search DatabaseLog Files High CPU Utilization for Portal Server Instance To Extract the Display Profile Troubleshooting SRA Debugging the Gateway Introduction to shooter SRA Shooter.sh Gctool.pl SRA Log Files Memfoot.shUniq.pl GWDump.class Netlet Table E-1General Questions Portal Deployment WorksheetsPortal Assessment Worksheets Table E-2Organizational Questions Table E-3Business Service-level Expectations Questions Table E-4Content Management Questions Table E-7Architecture Questions Table E-5User Management and Security QuestionsTable E-6Business Intelligence Questions Portal Design Task List Table E-8 Table E-8 Design Task List 2 Design Task List 3 Develop and Integrate Sun Java System Portal Server, Sun Table E-8Design Task List 4 Design Task List 5 Design Task List 6 Deployment Production Design Task List 7 Page Limitations Using Linux Portal Server on the Linux PlatformComparison of Solaris and Linux Path Names Table F-1Comparison of Solaris and Linux Path NamesPage Glossary Portal Server 6 2005Q1 Deployment Planning Guide Etc/system tuning parameters 150 /opt/SUNWps directory Index Section B Dpadmin command Dp-org.xml file Dp-providers.xml file Gctool.pl tool Memfoot.sh script Psdp.dtd file Section Q SRA Section W Section Portal Server 6 2005Q1 Deployment Planning Guide