|
| Sun ONE Portal Server 6.0 Deployment Guide |
Chapter 2 Sun ONE Portal Server Core Architecture
This chapter describes the architecture, protocols, interfaces, directory structure, deployment, and customization of the Sun™ ONE Portal Server 6.0 product.
This chapter contains the following sections:
- Sun ONE Portal Server Core Components
- Sun ONE Portal Server Protocols
- Sun ONE Portal Server Software Interfaces
- Sun ONE Portal Server Configuration Files and Directory Structure
- Sun ONE Portal Server Software Deployment
- Sun ONE Portal Server Desktop
- Sun ONE Portal Server Customization
- Sun ONE Portal Server Availability and Fault Tolerance
- Sun ONE Portal Server Security, Encryption, and Authentication
Sun ONE Portal Server Core Components
This section describes the core Portal Server components, first in terms of the platform itself and individual components, then in terms of the portal services. See Chapter 3 "Sun ONE Portal Server, Secure Remote Access Architecture" for details on the Sun™ ONE Portal Server, Secure Remote Access add-on product.
Deployment Platform
Portal Server is part of the Sun ONE architecture. Within the Sun ONE architecture, Portal Server provides technologies that locate, connect, aggregate, present, communicate, personalize, notify, and deliver content. The content within Sun ONE is provided by web services. Portal Server does not provide web services itself. Rather, it is the mechanism by which a user interface is associated with web services and by which web services are made useful to people.
In addition, the Sun™ ONE Portal Server 6.0 for Multi Application Servers product can use the following as its web application container, in place of Sun™ ONE Web Server:
- Sun™ ONE Application Server
- BEA WebLogic
- IBM WebSphere Advanced Edition
Core Portal Server ships with Sun ONE Web Server as its web application container. To use one of the above application servers as the web application container, obtain the appropriate release:
- Sun ONE Portal Server 6.0 for BEA Application Server
- Sun ONE Portal Server 6.0 for IBM Application Server
- Sun ONE Portal Server 6.0 for Sun ONE Application Server
- Sun ONE Portal Server 6.0 for Multi Application Servers (bundles all three application servers)
The above versions of Portal Server are identical to Sun ONE Portal Server 6.0; only the installer has been modified to enable installation of the various application servers. The application server versions of Portal Server function exactly as core Portal Server does, and you use the same customization, administration, and developer tasks as described in the core Portal Server documentation.
See Appendix C "Sun ONE Portal Server and Application Servers," for more information on deploying an application server as the Portal Server web container.
When installing Portal Server, the product is able to work with previously installed software components. In this case, Portal Server uses the installed software as long as the software is an appropriate version. Each Portal Server add-on product only includes the additional software that is needed for that product. You must install Portal Server before installing an add-on product.
Software Components
Figure 2-1 shows the software components that comprise Sun ONE Portal Server. (This figure shows Sun™ ONE Web Server as the web container. It could just as well use one of the application servers previously mentioned.) The software components are arranged in a hierarchy.
The bottom layer is iPlanet™ Directory Server Access Management Edition, now known as Sun™ ONE Identity Server. Within it are the following core components: the Java™ API for XML Processing (JAXP), Network Security Services for Java™ (JSS), Java™ Development Kit (JDK™), Sun ONE Web Server, and Sun™ ONE Directory Server.
The next layer is the Sun ONE Portal Server. Within it are the following internal components (services): Desktop, NetMail, Rewriter, and Search Engine.
The top layer contains the add-on components, such as Sun ONE Portal Server, Secure Remote Access.
Throughout the figure, the line type in which a component is drawn indicates the following:
- Dotted lines indicate components that can use their own copies of a contained component or share copies with other components. Other components can directly use the interfaces from contained components. In addition, contained components can be updated independently from a component. For Portal Server, these components include Sun ONE Identity Server, Java Development Kit, and Sun ONE Directory Server.
- Dashed lines indicate components that have one or more characteristics from each of the other two categories. For Sun ONE Portal Server, this component is Sun ONE Web Server.
- Solid lines indicate components that use their own copies of the contained component. Other components are not allowed to share the contained component or directly use the interfaces from the contained component. In SPortal Server, these components are the add-on components, Sun ONE Portal Server itself, the Search Engine, Desktop, NetMail, and Rewriter components, and the JAXP and JSS components.
Figure 2-1 Sun ONE Portal Server Software Components
Core Components
This section provides general information about each core component identified in Figure 2-1.
Sun ONE Web Server, Sun ONE Application Server, BEA WebLogic, and IBM WebSphere Advanced Edition
Sun ONE Web Server is included with the Sun ONE Identity Server. You cannot install Sun ONE Portal Server onto an existing Sun ONE Web Server installation.
Sun ONE Portal Server uses Sun ONE Web Server, or one of the supported application servers, as the web application container for Sun ONE Portal Server and Sun ONE Portal Server add-on applications. A Portal Server instance runs in the context of the web container. Components within an instance communicate through the JVM™ using Java APIs. An instance is identified by a fully qualified domain name and a TCP port number.
See Appendix C "Sun ONE Portal Server and Application Servers" for more information on deploying an application server as the Portal Server web application container.
Sun ONE Directory Server
Sun ONE Directory Server provides the primary configuration and user profile data repository for Portal Server. It is installed by the Identity Server product if it is not already installed on the Portal Server node. The Sun ONE Directory Server is LDAP compliant and implemented on an extensible, open schema.
Sun ONE Identity Server
Sun ONE Identity Server provides user and service management, authentication and Single Sign-on services, policy management, logging service, debug utility, the administration console, and client support interfaces for Portal Server.
Java Development Kit
Java Development Kit provides the Java run-time environment for all Java software in Portal Server and its underlying components. Although Web Server and Application Server both include Java environments, Portal Server depends on the JDK that is included with the Sun ONE Identity Server product.
Note See the Sun ONE Portal Server 6.0 Release Notes for specific versions of products supported by Sun ONE Portal Server 6.0.
Internal Components
This section provides general information about Portal Server internal components. These integrate external components into a system that is easier to install and use, provide additional functionality to external components, and provide backward compatibility for old interfaces. The relationships and interfaces associated with these components are shown in Figure 2-2.
Figure 2-2 Sun ONE Portal Server Internal Components
Installer
The Portal Server installer handles installation of all integrated components through packaging dependencies and performs initial system configuration. During a fresh Portal Server installation, the installation program populates the Sun ONE directory with the necessary service configuration data. This directory can already exist with user accounts that are used for other services too, or it can be a directory instance that is created as part of the installation.
The installer also includes a data migration capability to convert data from Sun ONE Portal Server 3.0 Support Pack 4 into formats that are required for Sun ONE Portal Server Release 6.0. Finally, the installer component includes migration tools for upgrading software to the new Sun ONE Portal Server APIs in the Release 6.0 release.
For more information on migrating from Sun ONE Portal Server 3.0 Support Pack 4 to Sun ONE Portal Server Release 6.0, see the Sun ONE Portal Server 6.0 Migration Guide.
Sun ONE Portal Server Providers
Providers create information in specific areas of a user's Desktop. Portal Server implements several content providers as part of the Portal Server product rather than in the Desktop component because of dependencies that they have on other system components. These providers include:
- JSPProvider - Uses JavaServer Pages™ (JSP™) technology. JSPProvider obtains content from one or more JSP files. A JSP file can be a static document (HTML only) or a standard JSP file with HTML and Java code. A JSP file can include other JSP files. However, only the topmost JSP file can be configured through the display profile. The topmost JSP files are defined through the contentPage, editPage, and processPage properties.
- LoginProvider - Provides access to the Identity Server authentication service through a Desktop channel. This provider enables anonymous Desktop login so that a user can log in directly from the Desktop.
- UserInfoProvider - Provides a channel for enabling the user to edit user-specific information such as name, preferred locale, and mail server. The directory stores some of this information, so Identity Server direct access is required.
- URLScraperProvider - Provides the ability to gather content from another web server and put the content into a channel. This provider depends on the Rewriter component.
- XMLProvider - Uses URLScraperProvider to gather content, but rather than rewriting the content using the Rewriter, content is passed through an XSLT engine to produce the desired markup.
- RSS Channel - Provides a channel that retrieves Rich Site Summary files and displays them in the desired markup. This channel is based on XMLProvider.
Desktop
The Desktop provides the primary end-user interface for Portal Server and a mechanism for extensible content aggregation through the Provider Application Programming Interface (PAPI). The Desktop includes a variety of providers that enable container hierarchy and the basic building blocks for building some types of channels. For storing content provider and channel data, the Desktop implements a display profile data storage mechanism on top of an Identity Server service. You can edit the display profile and other Desktop service data through the Identity Server administration console.
NetMail
The NetMail component implements the NetMail (based on Java technology) and NetMail Lite email clients. These clients work with standard IMAP and SMTP servers. You can edit NetMail service data through the Identity Server administration console.
Rewriter
The Rewriter provides a Java class library for rewriting URL references in various web languages such as HTML, JavaScript™, and WML, and in HTTP Location headers (redirections). The Rewriter defines an Identity Server service for storing rules that define how rewriting is to be done and the data to be rewritten. You can edit Rewriter rules through the Identity Server administration console.
Search Engine
The Search Engine service provides basic and advanced search and browse channels for the Desktop. It uses a robot to create resource descriptions for documents that are available in the intranet, and stores these resource descriptions in an indexed database. Resource descriptions (RDs) can also be imported from another server or from a backup Summary Object Interchange Format (SOIF) file. The Search Engine includes Java and C APIs for submitting resource descriptions and for searching the database. The Search Engine database can also be used for storing other, arbitrary content, for example, a shared content cache for other content providers. You can edit Search Engine service data through the Identity Server administration console.
Sun ONE Portal Server Add-On Products
Portal Server add-on products are optional. They are not required to run Portal Server but they provide additional functionality. Each product is available for purchase separately. Because they are separate products, each one has its own release schedule. Contact your Sun sales representative for release information.
Sun ONE Portal Server, Secure Remote Access
The Sun ONE Portal Server, Secure Remote Access add-on product enables remote users to securely access their organization's network and its services over the Internet. Additionally, it gives your organization a secure Internet portal, providing access to content, applications, and data to any targeted audience—employees, business partners, or the general public.
See Chapter 3 "Sun ONE Portal Server, Secure Remote Access Architecture" for more information.
Sun ONE Portal Server, Mobile Access
Sun ONE Portal Server, Mobile Access makes portal content available to mobile users. Mobile Access enables users to access the full array of personalized content and services provided by Sun ONE Portal Server such as email, calendar, address book, news, stock quotes, weather, location-based services, short message services (SMS), and enterprise information and applications.
Sun ONE Portal Server: Personalized Knowledge
Sun™ ONE Portal Server: Personalized Knowledge is a software product that provides a knowledge management system. It works as a plugin module to Portal Server and facilitates the storage, organization, sharing, and retrieval of documents. Sun ONE Portal Server: Personalized Knowledge simplifies knowledge management and speeds up data retrieval.
Sun ONE Instant Messaging
The Sun™ ONE Instant Messaging add-on product enables portal users across the extended enterprise to collaborate instantly and securely. It provides instant messaging, chat, alerting, and file sharing capabilities within the context of the Portal Server environment. This enables business users to receive all the benefits of instant collaboration while IT ensures that communications are properly administered and secure.
Service Configuration
As a Sun ONE Identity Server application, Sun ONE Portal Server defines services that are managed using the Identity Server service management system. Generally, any service-related data that is not server-specific is stored in the LDAP directory. Server-specific data can be stored in properties files that are local to the specific server. See the Sun ONE Portal Server 6.0 Administrator's Guide for information on these files.
The Portal Server registers its services into the Identity Server Service Management Services (SMS) framework. This occurs during the pre-installation of the Portal Server and post-installation for Identity Server.
Within the Identity Server framework, Portal Server defines services related to the following functional areas:
- Desktop - SunPortalDesktopService includes data associated with the Desktop component, including the display profile and other configuration parameters associated with the Desktop.
- Search Engine - Search defines at least one service, but can use multiple services.
- NetMail - SunPortalNetMailService includes data associated with the NetMail application primarily consisting of the user's preferences.
- Rewriter - SunPortalRewriterService includes data associated with the Rewriter component, including the named rule sets that control the rewriting operation. The Rewriter API makes reference to the named rule sets that are stored in the directory.
SMS provides a mechanism for services to define and manage their configuration data by using an XML file that adheres to the SMS Document Type Definition (DTD). The definition of the configuration parameters through the XML file is called the schema for the service. The service configuration schema and the service configuration data are stored in the directory server using the LDAP Directory Information Tree (DIT) and schema defined by the product. Each Portal Server service (Desktop, NetMail, Rewriter, and Search) has its own XML and properties files for presenting and modifying service specific data.
Configuration data for a service can be classified as global, dynamic, organization, user, and policy. In general, configuration data that is global and not instance-specific is stored under the root node as ou=service. Configuration information that is specific to an organization is stored under the organization's node as ou=services. Figure 2-3 represents the Portal Server services that are common across all organizations. Each organization has its own configuration for Desktop, NetMail, Rewriter, and Search services.
Figure 2-3 DIT to Store Sun ONE Portal Server Service Configuration Information
You administer Portal Server services (as well as the Identity Server services) through the Identity Server administration console. For more information, see the Sun ONE Portal Server 6.0 Administrator's Guide.
Sun ONE Portal Server Protocols
Portal Server supports the following standard protocols:
- HTTP and HTTPS for web-based access to applications and the administration console
- Authentication protocols, including LDAP, RADIUS, Safeword, SecurID, and UNIX®
- Internet-standard Simple Mail Transfer Protocol (SMTP) service to handle both internal and Internet mail messages
- Internet Mail Access Protocol (IMAP4) service for mailbox retrieval
- FTP, NFS, and SMB for file access
- LDAP for user profile retrieval
Sun ONE Portal Server Software Interfaces
The Portal Server software has the following interfaces:
- The front-end interface enables users to access enterprise resources from the Internet.
- Back-end interfaces are used by Portal Server to access those resources and to provide the administrative interface.
- Customer and third-party software interfaces are used by developers to add functionality to the Portal Server system.
These interfaces are shown in Figure 2-4.
Figure 2-4 Sun ONE Portal Server Interfaces
Front-end Interface
The front-end interface uses the HTTP or HTTPS protocol with markup languages (such as HTML), JavaScript functions, and Java applets, depending on the application. All of these are standard protocols supported by the most commonly used browser software. When Java applets, which are bundled with Portal Server, are downloaded into the browser, the applets use proprietary protocols layered on top of the protocols listed above to communicate with other components within Portal Server. However, since the applet is considered part of the Portal Server system, that communication happens within the Portal Server system rather than external to it.
Back-end Interfaces
The back-end interfaces include:
- Authentication protocols - For example, Radius, NT domain, NIS, token card, and so forth. The use of an external authentication server is optional so this interface might not always be used.
- Enterprise resource access protocols - Mail (for example, SMTP, IMAP4, and LDAP); file access (for example, FTP, NFS, and SMB); web browsing and information services (HTTP and HTTPS); and calendar (rpc.cmsd and IETF calendar protocol later). Additional protocols might be used if you add applications to the system.
- Administration console protocols - HTTP with HTML and other web languages as described in the front-end interface.
Customer and Third-Party Software Interface
The customer and third-party software interface consists of extension APIs and protocols that are used to extend the Portal Server system. For more information, see the Sun ONE Portal Server 6.0 Developer's Guide.
Users of the Interfaces
The three classes of human interfaces to the Portal Server system correspond to the three types of people who use it:
- End-users - End users interact with the end-user interface, which consists of several web applications that are accessed by a web browser. The Desktop application is the primary portal interface, providing web pages that consist of a collection of channels. Each channel provides an access point into some function or information. Users can configure the set of channels that is displayed and specific characteristics of each channel. Other web applications in the end-user interface provide access to specific resources, such as mail, files, and calendar.
- Administrators - Administrators use the Identity Server console, and Identity Server and Portal Server command-line utilities, to configure, administer, and maintain the system. A Portal Server system can have many administrators, each delegated with a specific responsibility. Many administrative tasks can be accomplished by using the Identity Server administration console, which is a web application accessed using a web browser. Command-line tools for administration are also available to facilitate scripting and batch execution.
- Developers - Developers use the programming APIs to extend the Portal Server system. These APIs provide for developing enterprise resource applications, authentication modules, and Desktop channel providers.
Exported Interfaces in Sun ONE Portal Server
This section lists exported interfaces and the components they apply to. Each table has two columns. The first column gives the name of the interface with a brief description. The second column has a brief description.
Sun ONE Portal Server Configuration Files and Directory Structure
This section describes the Sun ONE Portal Server directory structure and properties files used to store configuration and operational data.
Directories Installed for Portal Server
Table 2-6 shows the platform-specific directory structures that are installed for Portal Server. Each table has two columns. The first column describes the directory; the second column provides the directory location.
Configuration Files
All Portal Server configuration data is stored using the Identity Server services management function. Identity Server provides the bootstrap configuration file that is needed to find the directory server.
Sun ONE Portal Server Software Deployment
This section provides information on software deployed in the Portal Server. It provides information on the software packaging mechanism, the software categories within the system, and the Java compatibility of the software.
Software Packaging
Portal Server uses a "dynamic WAR file" approach to deploy software to the system. Portal Server is installed using Solaris™ packages, which consist of individual files that comprise web applications, for example, JAR, JSP, template, and HTML files. The packages do not contain WAR or EAR files. The packages do contain web.xml fragments that are used to construct the Portal Server WAR file at installation time. This dynamically constructed file is then deployed to the web application container. As additional packages are added to the system, for example, for localization, the web application file is rebuilt and redeployed.
Software Categories
Portal Server distinguishes between the following kinds of software that it installs onto the Portal Server node:
- Dynamic web applications - Includes Java servlets, JSP files, content providers, and other items that the Java web container processes when accessed by the user's browser. For Portal Server, these files are installed in the web server.
- Static web content - Includes static HTML files, images, applet JAR files, and other items that can be served up directly by the web server without using the Java web container. For Portal Server, these files are also installed in the web server.
Note Static web content and dynamic web applications are all grouped together into a single WAR file.
- Configuration data - Includes data that is installed into the directory, that is, the Identity Server service definitions and any other data that modifies the directory at installation time. This includes modifications to the console configuration data to connect in the Portal Server extensions. Configuration data is installed only once no matter how many Portal Server nodes there are.
- SDK - This is the JAR file or files that contain the Java APIs that are made available by a component. Developers need to install this package on a development system so that they can compile classes that use the API. If a component does not export any public Java APIs, it would not have this package.
Java Compatibility
Portal Server Java software falls into three categories:
- Applets
- Web applications
- Stand-alone Java processes
Applets used in Portal Server are compatible with Java 1.1, which is supported by most browsers.
Web applications are intended to be compatible with the J2EE™ web container based on the servlets interface except where uses of special interfaces are identified. This includes compatibility with Java 2 and later.
Stand-alone Java processes are compatible with Java 2 and later. Some Portal Server software, specifically in the Sun ONE Portal Server, Secure Remote Access product, uses JNI to call C APIs. These calls are necessary to enable the system to run as the user nobody.
Sun ONE Portal Server Desktop
The Desktop is the primary user interface for the Portal Server product. This section describes the Desktop, the user experience with the Desktop, and a typical user session.
Desktop Component
The Desktop is the presentation of the portal. It is the logical component consisting of the Desktop servlet, provider APIs, channels, and various other support APIs and utilities. The Desktop is constructed of a set of channels that can be easily replaced. The Desktop also uses a proprietary templating mechanism used by many Desktop providers to separate static content from compiled Java code.
The Desktop is composed of the following entities:
- Content provider - The programmatic entity responsible for the generation of content. Generated content can consist of entire pages, frames, or channels; any markup.
- Channel - A unit of content, usually (but not necessarily) arranged in rows and columns. A provider generates a channel.
- Display profile - An XML document describing container management and properties for channels.
See the Sun ONE Portal Server 6.0 Administrator's Guide for Desktop administration tasks. See the Sun ONE Portal Server 6.0 Desktop Customization Guide for tasks on how to customize the Desktop's look and feel.
User Experience with the Desktop
Figure 2-5 shows a sample of the out-of-the-box Desktop front page from Sun ONE Portal Server Release 6.0.
Figure 2-5 Sun ONE Portal Server Sample Desktop
After the user is authenticated through the Identity Server Authentication service, the user is directed to the Portal Server Desktop. From there, the user can access a variety of services and applications. These services and applications can be categorized as follows:
- Desktop channel applications - Applications based entirely on one or more Portal Server Desktop channels. For example, Portal Server includes a bookmark channel that enables users to save bookmarks and use those bookmarks from any browser that has access to the portal.
- Stand-alone web applications - Applications for which the Portal Server Desktop provides a link to the web application. This link helps the user start the application, but there is no application-specific functionality provided on the Desktop itself. An example of this type of application is NetFile in Sun ONE Portal Server, Secure Remote Access, which provides access to files in intranet file systems.
- Web applications with front-end channel - Applications in which the Portal Server provides one or more channels as an entry point into the web application. In this context, a web application is any application whose interface is delivered through a web browser, whether it uses HTML, JavaScript functions, Java applets, plugins, or some other markup language.
User Session
Figure 2-6 represents a typical Portal Server user session. Session exit is either by an explicit Desktop log out or by an implicit session time out event. The horizontal line is a Portal Server activity time line. The activities of a single user's session is represented. Session activities proceed from left to right and are labeled from A to I as follows:
A: User submits request to home page.
B: Portal Server returns the authentication menu.
C: User submits request to authentication module.
D: Portal Server returns authentication form.
E: User submits request login credentials.
F: Portal Server returns initial Desktop display.
G: User submits request to Desktop action.
H: Portal Server returns result of new request.
I: User logs out or exits.
Note Items B and C are valid only if more than one authentication mechanism is enabled. Most organizations use a single authentication mechanism, and hence will not see the authentication menu.
Figure 2-6 Sun ONE Portal Server Users Session
During this session:
- From point A to B, Portal Server processes the user's request to download Portal Server's home page.
- From point B to C, the user views the result of the request and decides which authentication method to use.
- From point C to point D, the server computes and returns the authentication page for the method that the user selected.
- From point D to Point E, the user, in think mode, enters authentication credentials.
- From point E to point F, Portal Server computes and returns the initial Desktop display.
- From point F to point G, the user browses sites referenced by the Desktop. To Portal Server, this is equivalent to think time.
- From point G to point H, Portal Server executes a new user request.
Sun ONE Portal Server Customization
The Portal Server user interface is fully customizable and extensible by the customer or third-parties. This section describes the various customizations you can perform on Portal Server.
The methods for customizing Portal Server include:
- Modifying the look and feel of the user interface by using JSP and template files
- Defining additional content channels using built-in content providers
- Writing custom content providers to be used in defining new channels
- Writing custom authentication modules
- Writing custom service administration modules
Customization is provided through templates (JSP or other template languages) that can be edited to modify branding or other look-and-feel characteristics. Extension is possible through the creation of applications and services that use any of these user interface models.
In addition, you can customize the system by using the capabilities of the underlying components such as Identity Server and the web container. These types of customizations include:
- Defining new services, including new data for the directory
- Writing custom web applications (servlet, JSP, and EJB™ applications)
See the Sun ONE Portal Server 6.0 Desktop Customization Guide and the Sun ONE Portal Server 6.0 Developer's Guide for information on how to customize and develop applications for Portal Server. See the iPlanet Directory Access Management Edition Programmer's Guide for information on defining new services and writing custom web applications.
Sun ONE Portal Server Availability and Fault Tolerance
Portal Server achieves high availability and fault tolerance through software replication. You can configure Portal Server to run multiple instances of each web application, thereby providing a backup if one of the instances fails. In addition, Portal Server uses Identity Server services for session management and non-local data access. Therefore, the portal system inherits all the benefits and constraints of Identity Server with respect to high availability and fault tolerance. The Identity Server services are either stateless, or they can share context data so that they can recover to the previous state in case of a service failure. See the Identity Server documentation for more information.
Within the Portal Server web applications, state is not shared among instances. This means that a failure causes the application to be restarted. Usually, end users do not notice that this has happened because the state information that is associated with the Portal Server applications (Desktop, NetMail, and so forth) can be restored by reading the user's profile and using information in the request. (This refers to the case where HTTP session replication provided by the application sever is being used, so that re-authentication is not necessary.)
Replication eliminates single points of failure in the system. For Sun ONE Directory Server, this is provided by using a multiple master configuration. However, this solution does not completely address all fault tolerant aspects of the system. A data loss can still occur due to a crash during the process of data synchronization among masters. See the Directory Server documentation for more information.
See Chapter 7 "Creating Your Portal Design," for details on creating your portal design to include high availability.
The high availability features described above are transparent to the client of those services. Portal Server components address high availability natively to different extent. There is a different level of recovery for different components. For details, check the corresponding Portal Server family products documentation.
Sun ONE Portal Server Security, Encryption, and Authentication
Portal Server system security relies on the HTTPS encryption protocol, in addition to UNIX system security, for protecting the Portal Server system software. The first layer of security is provided by the web container, which you can configure to use SSL if desired. Portal Server also supports SSL for authentication and end-user registration. By enabling SSL certificates on the web server, the Desktop and other web applications can also be accessed securely. You can use the Identity Server policy to enforce URL-based access policy.
The second layer of security is provided by the Sun ONE Portal Server, Secure Remote Access product as an add-on. This product provides a gateway that resides in the DMZ and provides a single secure access point to all intranet URLs and applications. It uses HTTPS by default for connecting the browser to the intranet. The gateway includes a Reverse proxy that uses the Rewriter, which enables all intranet web sites to be accessed without exposing them directly to the Internet. The gateway also provides URL-based access policy enforcement without having to modify the web servers being accessed.
Communication from the gateway to the server and intranet resources can be HTTPS or HTTP. Communication within the Portal Server system, for example between web applications and the directory server, does not use encryption by default, but it can be configured to use SSL.
Portal Server depends on the authentication service provided by Identity Server and supports Single Sign-on (SSO) with any product that also uses the Identity Server SSO mechanism. The SSO mechanism uses encoded cookies to maintain session state.