Sun Java System Reference Configuration Series: Portal Service on Application Server Cluster

Logical Architecture of the Reference Configuration

A logical architecture shows the software components (and the interactions between them) that are needed to provide a specific set of services to end users.

An analysis of the reference configuration's functional requirements and quality-of-service requirements (which specify the required performance, availability, scalability, security, and serviceability) is the basis for determining the main Java ES software components that are needed to meet these requirements. In most cases, these components interact with or are dependent upon other, secondary software components. For information about Java ES components, the services they provide, and interdependencies between those components, see the Sun Java Enterprise System 5 Update 1 Technical Overview.

The following sections describe the Java ES components that are used in the portal service reference configuration, their roles within the reference configuration, and the interactions between them:

Logical Architecture Diagram

The various components that are needed to meet the reference configuration requirements depend on their functions as distributed infrastructure services or their roles within a tiered application framework. In other words, the various components represent two views or dimensions that define a logical architecture: the logical tier dimension and the distributed infrastructure services dimension. These dimensions are described in the Sun Java Enterprise System 5 Update 1 Technical Overview.

The positioning of reference configuration components in such a two-dimensional framework is shown in the following logical architecture diagram. Components are placed within a horizontal dimension that represents standard logical tiers and within a vertical dimension that represents infrastructure service dependency levels. The positioning of a component in this matrix helps describe the role that the component plays in the logical architecture.

For example, Access Manager is a component that is used by presentation and business service tier components to provide security and policy infrastructure services. However, Application Server is a component that is used by presentation and business service tier components to provide distributed runtime services.

Figure 2–1 Logical Architecture of the Reference Configuration

Graphic representation of the logical architecture described
in the text.

A description of the tiers shown in Figure 2–1 is provided in the following table.

Table 2–1 Logical Tiers in the Architecture Diagram




In the Client tier are applications that are used by users to access portal services. In this reference configuration, the only client applications that are used are a browser and a stand-alone Java client.  


This tier enables remote users to securely access their organization's network and its services over the Internet. The Access tier acts as a communication relay between the Client tier and the Presentation tier, and includes the Portal Server Secure Remote Access components needed to securely access portal services from the Internet.


This tier provides aggregation and presentation capabilities that enable users to access relevant information and personalize their desktop to best meet their needs. In addition, this tier provides community, collaboration, content, and knowledge management capabilities. This tier is implemented using Portal Server software. 

Business Service 

This tier contains the back-end services that are aggregated and presented to users by services in the Presentation tier. Examples of applications that might reside in this tier include: email systems, calendar servers, and Enterprise Resource Planning (ERP) applications (SAP, PeopleSoft, Siebel, and so forth.). Also, this tier contains portlets and application components that are deployed in a web container or application server. 


This tier provides a permanent repository that business services can use to store persistent information. This tier includes Directory Server (used by Access Manager and Portal Server to store user profiles) and Java DB (used to store application data). High Availability Session Store (HADB), which is used to store portlet session state, is placed in the Presentation tier to indicate its functional relationship to Portal Server. 

Software Components in the Logical Architecture

While Figure 2–1 is indicative of the role of the different components within the reference configuration's logical architecture, the following table describes more precisely the purpose of each component.

Table 2–2 Software Components in the Logical Architecture


Component's Role in the Architecture 

Web Browser client 

While not formally a component of the reference configuration, the browser client is included in the architecture diagram to show how users will access portal services. There are two access scenarios: 

  • Access from a trusted network: browser clients (for example, an organization's employees) connect to portal services over the local network (or intranet) or from the Internet by using a virtual private network (VPN) or a similar solution.

  • Access from an unsecured network: Web browser clients (of a business-to-business or business-to-consumer portal) connect to portal services over the public Internet. This access scenario is supported by the Secure Remote Access (SRA) Gateway.

Remote client (optional) 

In addition to browsers, users can use applets that are included with Portal Server SRA software:  

  • Netlet. The Netlet applet runs on the browser and sets up an encrypted TCP/IP tunnel between the remote client and intranet applications in the Business Service tier. Netlet listens to and accepts connections on preconfigured ports, and routes both incoming and outgoing traffic between the client and the destination server. In this way, Netlet enables client applications to securely access intranet business service components.

  • Netfile. NetFile is a file manager application that allows remote access and operation of file systems.

  • Proxylet. Proxylet is a dynamic proxy server that runs on the browser and redirects a URL to the SRA Gateway. It does so by reading and modifying the proxy settings of the browser on the client so that the settings point to the local proxy server or Proxylet. Proxylet is used to reduce the number of ports that must be opened in a firewall through which the SRA Gateway(see next item) connects to Internet hosts. It is also used to minimize or eliminate the dependency on the Rewriter Proxy (see next item) and Rewriter rulesets.

Sun Java System Portal Server Secure Remote Access (Portal Server SRA) 

Portal Server SRA provides a gateway service that allows secure connections over the public Internet to applications and content on an internal intranet, but only to authorized users. In addition to the SRA Gateway, SRA includes the following two optional components, depending on your requirements: 

  • Netlet Proxy. The Netlet proxy is an stand-alone Java process that enhances the security between the SRA Gateway and the intranet by extending the secure tunnel from the client through the Gateway to the Netlet proxy that resides in the intranet. Netlet packets are decrypted by the proxy and then sent to their destinations. This mechanism helps to reduce the number of ports that must be opened in a firewall.

  • Rewriter Proxy. The Rewriter proxy is a stand-alone Java process that is installed on the intranet. The SRA Gateway forwards all requests to the Rewriter proxy, which fetches and returns the content of the request to the Gateway. This mechanism helps to reduce the number of ports that must be opened in a firewall.

Sun Java System Portal Server (Portal Server) 

Portal Server provides key portal services, such as content aggregation and personalization, to browser-based clients that are accessing business applications or services in the Business Service tier.  

Sun Java System Access Manager (Access Manager) 

Access Manager provides access management services such as authentication and role-based authorization for user access to applications and services. In cases where Access Manager is remote from a local component, Access Manager SDK provides an interface to the remote Access Manager services. 

Sun Java System Application Server (Application Server) 

Application Server provides the Java Platform, Enterprise Edition (Java EE) web container that is needed to support web components, such as Portal Server, Access Manager, portlet applications, and so forth. While a web container can also be provided by Sun Java System Web Server, the Portal Service on Application Server Cluster reference configuration uses Application Server. 


Various kinds of applications provide the content for Portal Server channels that are accessed by end users. These applications can include email systems, calendar servers, ERP applications, custom or third-party portlet applications deployed on a web container, and so forth. 

Sun Java System Directory Server (Directory Server) 

Directory Server provides an LDAP repository for storing information about portal users, such as identity profiles, user credentials, access privileges, application resource information, and so forth. This information is used by Access Manager for authentication and authorization and by Portal Server to build users' portal desktops.  

Sun Java System Message Queue (Message Queue) 

Message Queue is a reliable asynchronous messaging service that is used by Access Manager to write user session state into a replicated session database and to retrieve such state information when necessary.  

High Availability Session Store (HADB) 

HADB provides a data store that makes application data, especially session state data, available even in the case of failure. 

Java DB 

Java DB is the default relational database used by Portal Server to support community features and selected portal applications. 

Interactions Between Reference Configuration Components

To design a logical architecture, you must understand the software dependencies and interactions between the various components that are listed in Table 2–2. These interactions can be somewhat complicated and difficult to illustrate in a single diagram such as Figure 2–1. The main interactions between components in the reference configuration are therefore described briefly in the table below, in the context of typical portal service operations.

Two access scenarios are incorporated into the following table:

Table 2–3 Interactions Between Reference Configuration Components


What Happens 

The user starts a browser and opens the portal service or SRA Gateway service URL, depending on the access scenario being used. 

If portal services are accessed directly, Portal Server returns the anonymous desktop, which includes the login channel. If portal services are accessed through the SRA Gateway, the Gateway redirects the user request to Access Manager. Access Manager returns the login page (by way of the Gateway). 

The user logs in by typing a user ID and password in the appropriate form and clicking Login. 

Access Manager interacts with Directory Server to retrieve the user's profile, which contains authentication, authorization, and application-specific information. 

Access Manager authenticates the user's ID and password against the LDAP directory information and creates a session object.  

When the user has been authenticated, Access Manager returns a session cookie to the user's browser and redirects the browser to Portal Server. 


Portal Server uses the session cookie to interact with Access Manager to access information in the user's profile (cached by Access Manager). Portal Server uses the information to build the user's personalized portal desktop. Portal Server returns the desktop to the user's browser (by way of the Gateway). 

The user reviews his or her portal desktop, and clicks a portal channel. 

Portal Server interacts with Access Manager to validate the status of the user session. Access Manager authorizes the channel content that is being requested by the user.  

When appropriate, Portal Server creates a portlet session and returns channel content to the user's browser. 


The user logs out or the session times out. 


Portal Server closes the portlet session, if any, and Access Manager deletes the user's session object. 

The understanding of component interactions represented in the logical architecture can be used later in the design process when you estimate the load on different components for sizing purposes and when you create a network connectivity specification.