Solaris for ISPs Administration Guide

Integrating Two-Tier Web-Based Applications

A two-tier Web-based application is an existing application whose administration interface is accessed through a Web browser. It can be implemented in HTML, CGI, or Java Applets and Servlets (or some combination). Such an interface requires a Web server installed and running on the computer where the service is installed.

Because this interface is accessible via URLs, there are some security issues to consider. The interface should be protected by the Web server's ACLs so only authorized administrators can access it. To take advantage of the administrator management provided by Sun Internet Administrator, you must use Sun™ WebServer™ (SWS) and configure it with the same ACLs used by the Sun Internet Administrator administration Web server (see "Configuring for Administrator Account Coordination").

To secure the connection between the browser and the administration interface, consider secure HTTP (HTTPS) or SKIP. See the SWS on-line help and the SKIP man pages (/opt/SUNWicp/man) for instructions on how to configure these security tools.

Registering Information for a Two-Tier Web-Based Application

When the service application is installed on a computer in the network, run the mcreg(1m) command to store information about the application. This information is used by Sun Internet Administrator to correctly handle the presentation and launch of the administration GUI. The information you need for the mcreg command is:

When you have all required information, obtain root access and register the information as shown below. Run this command on the computer where the service administration interface is installed.

# mcreg -c componentID -n name -v version -w URL

See the mcreg(1m) man page for an example of this form of the command.

After running mcreg, you can log into Sun Internet Administrator as a console administrator and register the new application for management. If you want other administrators to have rights to manage the new application, edit their administrator access lists to include it. The Sun Internet Administrator on-line help has full instructions on performing these tasks.

Configuring for Administrator Account Coordination

If the two-tier service application uses SWS for its administration interface, it is possible to configure the server's ACLs to use the same administrator login information as Sun Internet Administrator. Thus, you have a single set of administrator accounts (in the directory services) to manage. This simplifies management of these accounts and enhances your ability to respond to security risk situations.

You must first install SWS on the service host (the computer where the service application is installed), and arrange the interface documents and files within the document tree of the server. Then, configure SWS as follows:

  1. Create a realm in the default Web site of the SWS instance:

    # htrealm add -i instance -h hostname -r realmname -s ISPADMIN -d ComponentID-VersionNo

    Where

    • instance is the name of the httpd instance being configured.

    • hostname is the name of the host containing the realm.

    • realmname is the name of the realm you are creating.

    • ISPADMIN is the source of the realm. Enter ISPADMIN, indicating that these are Sun Internet Administrator administrators.

    • ComponentID-VersionNo is the directory where the administration GUI files (HTML and others) are located.

  2. Add ACL protection to the URL where the administration GUI for this service resides:

    # htaccess add -i instance -h hostname -U URI -r realmname -s BASIC

    Where

    • instance is the name of the httpd instance being configured.

    • hostname is the name of the computer where the Web server is running.

    • realmname is the name of the realm you created in step 1.

    • BASIC is the authentication scheme wanted. Enter BASIC.

  3. Restart the default site, if it is already running. Use the SWS administration GUI to perform this task. Full instructions are available in the on-line help.
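
A check to run after step 3, added here as an example and not taken from the guide or from SWS: it reads the response headers of an unauthenticated request to the administration URL and confirms that the server issues a BASIC challenge for the expected realm, and it flags the case where that challenge is served over plain HTTP. It assumes the server answers with a standard HTTP/1.1 401 and WWW-Authenticate header carrying the realm name; the host `svc.example.com`, the realm `ispadmins` and the sample responses are constructed.

```shell
#!/bin/sh
# Added example (not from the guide): confirm the admin URL challenges
# unauthenticated requests for BASIC credentials in the expected realm.
# Reads raw HTTP response headers on stdin, for example the output of
#   curl -s -D - -o /dev/null "$URL"
# Returns 0 = protected and served over HTTPS
#         1 = no challenge, or challenge for a different realm/scheme
#         2 = protected, but BASIC credentials would cross cleartext HTTP
check_admin_acl() {
    url=$1
    realm=$2
    headers=$(tr -d '\r')                      # header lines end in CRLF
    status=$(printf '%s\n' "$headers" | awk 'NR == 1 { print $2 }')
    if [ "$status" != "401" ]; then
        echo "FAIL: $url answered ${status:-nothing} without a challenge"
        return 1
    fi
    challenge=$(printf '%s\n' "$headers" | awk '
        tolower($0) ~ /^www-authenticate:/ {
            sub(/^[^:]*:[ \t]*/, ""); print; exit
        }')
    case $challenge in
        [Bb][Aa][Ss][Ii][Cc]\ *"realm=\"$realm\""*) ;;
        *) echo "FAIL: unexpected challenge: ${challenge:-none}"
           return 1 ;;
    esac
    case $url in
        https://*) echo "OK: $url is protected by realm $realm"
                   return 0 ;;
        *) echo "WARN: $url is protected, but BASIC sends the password" \
                "base64-encoded, not encrypted; add HTTPS or SKIP"
           return 2 ;;
    esac
}

# Constructed sample responses (assumed standard HTTP/1.1 behaviour;
# the realm name "ispadmins" and host are placeholders).
sample_protected() {
    printf 'HTTP/1.1 401 Unauthorized\r\n'
    printf 'WWW-Authenticate: Basic realm="ispadmins"\r\n\r\n'
}
sample_open() {
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n'
}

sample_protected | check_admin_acl http://svc.example.com/admin/ ispadmins || :
sample_open | check_admin_acl https://svc.example.com/admin/ ispadmins || :
```

A return value of 2 is expected when the connection is protected by SKIP instead of HTTPS, since the URL scheme alone cannot show network-layer encryption.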