Access Control, Security | Sun Microsystems 2005Q1 instruction

NetFile

Access Control

NetFile provides various means of file system access control. You can deny access to users to a particular file system based on the protocol. For example, you can deny a particular user, role, or organization access to file systems that are accessible only over NFS.

You can configure NetFile to allow or deny access to file systems at any level, from organization, to suborganization, to user. You can also allow or deny access to specific servers. Access can be allowed or denied to file systems for users depending on the type of host, including Windows, FTP, NFS, and FTP over NetWare. For example, you can deny access for Windows hosts to all users of an organization. You can also specify a set of common hosts at an organization or role level, so that all users in that organization or role can access the common hosts without having to add them for each and every member of the organization or role.

As part of the NetFile service, you can configure the Allowed URLs or Denied URLs lists to allow or deny access to servers at the organization, role, or user level. The Denied URLs list takes precedence over the Allowed URLs. The Allowed URLs and Denied URLs lists can contain the * wildcard to allow or deny access to a set of servers under a single domain or subdomain.

Security

When you use NetFile with SRA configured for SSL, all connections made from NetFile applets to the underlying file system happen over the SSL connection established between the Gateway and the browser. Because you typically install the Gateway in a DMZ, and open a limited number of ports (usually only one) in the second firewall, you do not compromise security while providing access to the file systems.

Special Operations

NetFile is much like a typical file manager application with a set of features that are appropriate for a remote file manager application. NetFile enables users to upload and download files between the local and remote file systems (shares). You can limit the size of the upload file (from the local to the remote file system) through the Access Manager administration console.

46 Portal Server 6 2005Q1 • Deployment Planning Guide

Image 46

Sun Microsystems 2005Q1 manual Access Control, Security, Special Operations

Contents

Portal Server Deployment Planning Guide 2005Q1Page Contents Portal Server Secure Remote Access Architecture Creating Your Portal Design Portal Server 6 2005Q1 Deployment Planning Guide Appendix E Portal Deployment Worksheets 167 Portal Server 6 2005Q1 Deployment Planning Guide List of Figures Portal Server 6 2005Q1 Deployment Planning Guide List of Tables Portal Server 6 2005Q1 Deployment Planning Guide Preface Before You Read This Book Who Should Read This Book How This Book Is Organized Chapter Typographic Conventions Conventions Used in This BookTypographical Conventions Related Documentation Books in This Documentation Set Other Portal Server Documentation Other Server Documentation Accessing Sun Resources Online Sun Welcomes Your Comments Page What is a Portal? Portal Server Architecture Types of Portals Collaborative Portals Portal Server Capabilities Business Intelligence Portals Sun Java System Portal Server Secure Remote Access Portal Sever in Open Mode Portal Server in Secure Mode 1Portal Server in Open Mode Firewall Gateway Internet Security, Encryption, and Authentication Portal Server Deployment Components Portal Server Architecture Identity Management Software Packaging Portal Server Software DeploymentSoftware Categories Compatibility With Java Software Typical Portal Server Installation DMZ 4SRA Deployment Page Portal Server Secure Remote Access Architecture SRA Gateway Multiple Gateway Instances Multiple Portal Server Instances Gateway and Http Basic Authentication Proxy ConfigurationGateway and SSL Support Gateway Access Control Gateway Logging Using Accelerators with the GatewayNetlet Static and Dynamic Port Applications Netlet Netlet and Application Integration Split Tunneling NetFile Netlet ProxyComponents Initialization Validating Credentials Security Access ControlSpecial Operations Rewriter NetFile and Multithreading Rewriter Proxy Proxylet Proxylet Portal Server 6 2005Q1 Deployment Planning Guide Business Objectives Business Objectives Technical Goals 1Identity Management Features and Benefits Mapping Portal Server Features to Your Business NeedsIdentity Management SSO 2SRA Features and Benefits SRA 3Search Features and Benefits Search Engine Personalization Search Features and Benefits4Personalization Features and Benefits Aggregation and Integration 5Aggregation Features and Benefits Understanding User Behaviors and Patterns Understanding User Behaviors and Patterns Determine Your Tuning Goals Pre-Deployment Considerations Portal Sizing Tips Establish Performance Methodology Portal Sizing See Portal Sizing on Establish Baseline Sizing Figures Peak Numbers Average Time Between Page Requests Concurrent Users Average Session Time Search Engine Factors Portal Desktop Configuration TIP Back-End Servers Hardware and ApplicationsTransaction Time Customize the Baseline Sizing Figures Workload Conditions Ldap Transaction Numbers Validate Baseline Sizing FiguresApplication Server Requirements Refine Baseline Sizing Figures SRA Sizing Validate Your Final Figures Session Characteristics Identifying Gateway Key Performance Requirements Netlet Usage Characteristics Advanced Gateway Settings Configuration Scalability SRA Gateway and SSL Hardware AcceleratorsSecure Portal Pilot Measured Numbers SRA and Sun Enterprise Midframe Line SRA Sizing Portal Server 6 2005Q1 Deployment Planning Guide Creating Your Portal Design Portal Design Approach Overview of High-Level Portal Design Overview of Low-Level Portal Design Logical Portal Architecture Portal Design Approach Vertical Scaling Portal Server and ScalabilityHorizontal Scaling Portal Server and High Availability Degrees of High Availability System AvailabilityAchieving High Availability for Portal Server Portal Server System Communication Links HTTPs Portal Server System Communication Links Working with Portal Server Building Modules 2Portal Server Building Module Architecture Building Modules and High Availability Scenarios Best Effort Portal Server High Availability Scenarios Best Effort 3Best Effort Scenario No Single Point of Failure No Single Point of Failure Example Working with Portal Server Building Modules Working with Portal Server Building Modules Transparent Failover 5Transparent Failover Example Scenario Building Module Constraints Deploying Your Building Module SolutionDeployment Guidelines Directory Server Requirements Search Engine Structure Designing Portal Use Case Scenarios Elements of Portal Use Cases Example Use Case Authenticate Portal User Use Case Authenticate Portal User Designing Portal Security Strategies Securing the Operating Environment Using Platform Security Unix User Installation Using a Demilitarized Zone DMZ Limiting Access Control Portal Server and Access Manager on Different Nodes SDK 7Two Portal Servers and One Access Manager 8One Portal Server and Two Access Managers 9Two Portal Servers and Two Access Managers Restart amserver services Designing SRA Deployment Scenarios Basic SRA Configuration 10Basic SRA Configuration Disable Netlet 11Disable Netlet Proxylet 12 Proxylet NetFile Gateway Netlet and Rewriter Proxies NetFile Netlet and Rewriter Proxies on Separate Nodes Proxies on Separate Nodes Using Two Gateways and Netlet Proxy 16Two Gateways and Netlet Proxy Using an Accelerator Accelerator Netlet with 3rd Party Proxy Host 19Using a Reverse Proxy in Front of the Gateway Reverse Proxy Content and Design Implementation Designing for Localization Integration Design Placement of Static Portal ContentCreating a Custom Access Manager Service Integrating Applications Independent Software Vendors Integrating Microsoft Exchange Identity and Directory Structure Design Implementing Single Sign-On Portal Desktop Design Choosing and Implementing the Correct Aggregration Strategy Working with Providers String name=url value=file//path/filename Client Support Page Production Environment Monitoring and TuningMoving to a Production Environment Documenting the Portal Monitoring Portal Server Memory Consumption and Garbage Collection CPU Utilization Access Manager Cache and Sessions Thread Usage Portal Usage Information Directories Installed for Portal Server Installed Product LayoutTable A-1Portal Server Directories Directories Installed for SRA Table A-2Portal Server, SRA Directories Configuration Files Etc/opt/SUNWpsPage Analysis Tools Table B-1Performance Analysis Tools Agrep Socket connection MpstatCount What to Look For Iostat Netstat Netstat -I hme0 Netstat -sP tcp Output Consider the following Etc/system Options Tuning Parameters for /etc/systemTable B-3TCP/IP Options Max Page Portal Server and Application Servers Introduction to Application Server Support in Portal Server Portal Server on an Application Server Cluster Overview of Application Server Enterprise Edition Overview of BEA WebLogic Server Clusters Installdir/config/domainname/startWeblogic.sh Overview of IBM WebSphere Application Server Page Troubleshooting Portal Server Troubleshooting Your Portal DeploymentUnix Processes Log Files Recovering the Search DatabaseWorking with the Display Profile High CPU Utilization for Portal Server Instance To Extract the Display Profile Troubleshooting SRA Debugging the Gateway Introduction to shooter SRA Shooter.sh Gctool.pl Uniq.pl SRA Log FilesMemfoot.sh GWDump.class Netlet Portal Assessment Worksheets Portal Deployment WorksheetsTable E-1General Questions Table E-2Organizational Questions Table E-3Business Service-level Expectations Questions Table E-4Content Management Questions Table E-6Business Intelligence Questions Table E-5User Management and Security QuestionsTable E-7Architecture Questions Portal Design Task List Table E-8 Table E-8 Design Task List 2 Design Task List 3 Develop and Integrate Sun Java System Portal Server, Sun Table E-8Design Task List 4 Design Task List 5 Design Task List 6 Deployment Production Design Task List 7 Page Comparison of Solaris and Linux Path Names Limitations Using LinuxPortal Server on the Linux Platform Table F-1Comparison of Solaris and Linux Path NamesPage Glossary Portal Server 6 2005Q1 Deployment Planning Guide Etc/system tuning parameters 150 /opt/SUNWps directory Index Section B Dpadmin command Dp-org.xml file Dp-providers.xml file Gctool.pl tool Memfoot.sh script Psdp.dtd file Section Q SRA Section W Section Portal Server 6 2005Q1 Deployment Planning Guide