Administration and Deployment Guide


ALES Architecture

This section describes the components of AquaLogic Enterprise Security and provides information about deploying them on the network.

ALES Components

The following diagram gives a high-level view of ALES components.

Figure 2-1 High-Level View of ALES Components


Administration Server

The Administration Server is a servlet-based application and can run in both WebLogic Server and Tomcat. It consists of the following components:

Business Logic Manager-The BLM is responsible for managing security policies stored in the Policy Database. The BLM includes the policy distributor which pushes policy to the runtime tier of ALES. The BLM features an external API for managing policy and configuration.

Policy Database-Maintains policy data in a relational database. This data is distributed to the Security Service Modules by the Policy Distributor.

Policy Loader-Imports policy data from an external file. The external file can be generated by another system or another Administrative Server, or it can be manually coded. For additional information on how to use the Policy Loader, see the Policy Managers Guide.

Authorization and Role Mapping-Synonymous with ASIAuthorizer. Enforces security policy for the Administration Server and console in the same way it does for any other runtime application.

Administrative Console-Supports administrative policy security and administration delegation through a web browser-based user interface. Security configuration, policy configuration, user attributes (if required), resources, and rules are all managed through the console.

Figure 2-2 Administration Server Architecture


Service Control Manager (SCM)

The Service Control Manager (SCM) is an essential component of the ALES remote administration mechanism. Each Service Control Manager stores SSM configuration data and provides each SSM on its machine with the data appropriate to it.

Note: AquaLogic Enterprise Security version 2.5 removes the requirement that a Service Control Manager (SCM) be installed on each system where one or more Security Service Modules (SSMs) are installed. See Installing Security Service Modules for more information.

The Service Control Manager receives and stores both full and incremental configuration updates. When a configuration change relevant to an SSM is made, it is provisioned to the Service Control Manager through the Policy Distributor. The provisioning mechanism ensures that only the configuration data absolutely required by a Service Control Manager is provisioned to it. Likewise, the Service Control Manager ensures that only the configuration data absolutely required by an SSM is made available to that module.

Figure 2-3 Service Control Manager


Security Service Module (SSM)

SSMs are platform-specific security plug-ins that are embedded in the applications, application servers, and web servers to be secured by ALES. The SSM ties the application server (or application, or web server) into ALES so that all security administration for the application is performed through ALES.

Configuration data for each module is specified centrally and then distributed to and locally cached on the appropriate machine. A benefit of this architecture is that there is no impact on the application if the Administration Server is stopped.

Table 2-1 below describes the SSM modules provided with ALES.

Table 2-1 SSM Modules

WebLogic Server 8.1-Provides runtime enforcement of security services for applications created for WebLogic Server 8.1 and WebLogic Portal 8.1.

WebLogic Server 9.x-Provides runtime enforcement of security services for applications created for WebLogic Server 9.1 and 9.2 and WebLogic Portal 9.2.

IIS Web Server-Provides runtime enforcement of security services for applications running on the Microsoft Internet Information Server. Supports basic single sign-on between Web servers and between the Web tier and the application tier.

Apache Web Server-Provides runtime enforcement of security services for applications running on the ASF Apache Web Server. Supports basic single sign-on between Web servers and between the Web tier and the application tier.

Web Services-Provides runtime enforcement of security services for generic applications making Web Service calls to obtain ALES security services.

Java-Provides runtime enforcement of security services for generic Java applications.

Security Providers

Security providers supply authentication, authorization, auditing, role mapping, credential mapping, and other services. Each SSM can be configured with a set of security providers, as described in Table 2-2.

Table 2-2 ALES Security Providers

Authentication Provider-Performs authentication services for the SSM. Authentication providers are available for Microsoft Windows NT, Active Directory, LDAP, relational databases, and others. Identity Asserters are Authentication Providers that accept encrypted identity tokens (e.g., SAML assertions) and return the corresponding authenticated subjects.

Credential Mapper-Allows the Security Service Module to generate credentials for user logins to an external repository or service. This is commonly used either for Single Sign On or for access to a remote system on behalf of an authenticated subject (user or group).

Authorization Provider-Controls access to resources based on role and authorization policies. Access decisions provided through a role-based authorization provider incorporate relevant environmental, contextual, and transaction-specific information, allowing security policies to support business processes throughout the organization.

Role Mapping Provider-Supports dynamic role associations by obtaining the set of roles granted to a user for a resource.

Adjudication Provider-Resolves authorization conflicts when multiple authorization providers are in use.

Auditing Provider-Provides an electronic trail of transaction activity. This can include changes to system configuration parameters, policy changes, and transactions. For each audit item, the information can include who, what, when, where, and sometimes why.
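The interaction between Role Mapping, Authorization and Adjudication providers described in Table 2-2 is easiest to see in code. The following is an added illustrative model, not ALES code or its provider API: each authorization provider votes PERMIT, DENY or ABSTAIN for a subject's roles on a resource, and an adjudicator combines the votes. The "require unanimous permit" setting, the role-based provider and the sample policy are all assumptions constructed for this example.

```python
from enum import Enum
from typing import Callable, Dict, FrozenSet, Iterable, List

class Decision(Enum):
    PERMIT = "permit"
    DENY = "deny"
    ABSTAIN = "abstain"   # provider has no policy covering the resource

# Assumed provider shape (not the ALES API): (subject, roles, resource, action) -> Decision
Provider = Callable[[str, FrozenSet[str], str, str], Decision]

def adjudicate(decisions: Iterable[Decision], require_unanimous_permit: bool = True) -> Decision:
    """Resolve the votes of several authorization providers into one answer.
    A DENY from any provider always wins (fail closed). With
    require_unanimous_permit=True every provider must vote PERMIT, so an
    ABSTAIN blocks access; with it False, one PERMIT among ABSTAINs suffices.
    All-ABSTAIN (or no providers) is DENY either way: nobody granted access."""
    votes = list(decisions)
    if not votes or Decision.DENY in votes:
        return Decision.DENY
    if require_unanimous_permit:
        return Decision.PERMIT if all(v is Decision.PERMIT for v in votes) else Decision.DENY
    return Decision.PERMIT if Decision.PERMIT in votes else Decision.DENY

def role_based_provider(grants: Dict[str, Dict[str, set]]) -> Provider:
    """Assumed provider: grants[resource][role] is the set of permitted actions.
    Permits if any of the subject's roles allows the action, denies otherwise,
    and abstains for a resource it has no policy for."""
    def decide(subject: str, roles: FrozenSet[str], resource: str, action: str) -> Decision:
        if resource not in grants:
            return Decision.ABSTAIN
        allowed = any(action in grants[resource].get(role, set()) for role in roles)
        return Decision.PERMIT if allowed else Decision.DENY
    return decide

def is_access_allowed(providers: List[Provider], subject: str, roles: Iterable[str],
                      resource: str, action: str, require_unanimous_permit: bool = True) -> bool:
    """Run every configured authorization provider, then adjudicate the votes."""
    role_set = frozenset(roles)   # stands in for the Role Mapping Provider's output
    votes = [p(subject, role_set, resource, action) for p in providers]
    return adjudicate(votes, require_unanimous_permit) is Decision.PERMIT

# Constructed sample policy: both providers know "orders"; only PROVIDER_A knows "reports".
PROVIDER_A = role_based_provider({"orders": {"clerk": {"read"}, "manager": {"read", "approve"}},
                                  "reports": {"manager": {"read"}}})
PROVIDER_B = role_based_provider({"orders": {"clerk": {"read"}, "manager": {"read"}}})
```

With both providers configured, a manager approving an order is denied because PROVIDER_B votes DENY, and reading a report depends on whether an ABSTAIN from PROVIDER_B is allowed to block a PERMIT from PROVIDER_A.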

Deployment Architecture

An ALES environment can consist of a single or multiple instances of the Administration Server, one or more Service Control Managers (hosted on individual machines), and any number of Security Service Modules, each associated with an SCM.

Each Security Service Module may share configuration or policy data with others or use its own, depending on the business needs of the organization. The Administration Server serves as the central point of contact for SSM instances and for system administration tools.

Generalized Architecture

Installation of ALES depends on the application environment being secured. The basic requirement is that the Administration Server must be reachable by all Security Service Modules that are "plugged" into the applications being secured in that domain. A Service Control Manager must be installed on any machine running one or more SSMs, except as noted in Installing Security Service Modules.

Figure 2-4 below shows SSMs deployed on varying application environments and connecting to the Administration Server on a separate machine.

Figure 2-4 Distributed Computing Security Infrastructure


Location of ALES Components

Figure 2-5 below provides some insight into the interconnections of the ALES components.

Figure 2-5 Location of ALES Components
