Chapter 7 Integrating Existing Service Applications

Solaris ISP Server^TM is designed to allow integration of your existing services with Sun^TM Internet Administrator^TM. When you integrate these services, they gain the benefits of centralized remote administration and administrator account management provided by that product. Because Sun Internet Administrator manages administrator access, integrating an application with it is an easy way to add the security of administrator authorization to an existing service application.

Topics in this chapter include:

• "General Steps to Integrating an Existing Service"

• "Integrating X-Based Services"

• "Integrating Command-Line Programs"

• "Integrating Two-Tier Web-Based Applications"

General Steps to Integrating an Existing Service

Sun Internet Administrator integrates and manages Web-based, X-based, and command-line administration interfaces using the following, general steps.

1. Install the service application on a computer that is accessible by Sun Internet Administrator via the network. This host computer must have the Solaris ISP Server platform component (SUNWisp) installed on it, to provide platform extensions that Sun Internet Administrator uses.

2. Run the mcreg(1M) command on the service host computer with the correct parameters for this type of service. The form of the mcreg command is different for each type of service and is fully described later in this chapter as well as on the man page for the command. You must have root access to run mcreg.

   ---

   Note -

   You must run mcreg again if you change the URL or other service configuration information (for example, if you change the port where an administrative Web server is running). If you run mcreg more than once for a service (on a single host machine), the later information overwrites the information recorded previously.

   ---

3. In Sun Internet Administrator, register the service host and select the new service.

4. Also in Sun Internet Administrator, create administrators with access to the new service or modify existing administrators to grant them access.

   You must be an administrator with rights to manage Sun Internet Administrator to perform these tasks.

Integrating X-Based Services

When the service application is installed on a computer in the network, run the mcreg(1m) command to store information about the application. This information is used by Sun Internet Administrator to correctly handle the presentation and launch of the administration GUI. The information you need for the mcreg command is:

• The component identifier, a unique string that identifies the service application. Because they are unique, Solaris ISP Server recommends using package names as component identifiers. The service application developer chooses the component identifier.

• A user-friendly name, appropriate for presentation to the administrator. This is the service name that Sun Internet Administrator displays in its Manage Services screen, where the administrator accesses all services. The service application developer chooses the application name.

• The version number of the application being registered. The recommended format for the version number is major.minor (for example, 1.2). The service application developer chooses the version number.

• The complete file system path to the X-based administration interface executable on the service host.

• The user name under which the administration interface runs. This identifies the UNIX UID that Sun Internet Administrator uses to invoke the program.

• The group name under which the administration interface runs. This identifies the UNIX GID that Sun Internet Administrator uses to invoke the program.

When you have all required information, obtain root access and register the information as shown below. Run this command on the computer where the service administration interface is installed.

# mcreg -c componentID -n name -v version -x X_path -u user_name -g group_name

See the mcreg(1m) man page for an example of this form of the command.

After running mcreg, you can log into Sun Internet Administrator as a console administrator and register the new application for management. If you want other administrators to have rights to manage the new application, edit their administrator access to include it. The Sun Internet Administrator on-line help has full instructions on performing these tasks.

Integrating Command-Line Programs

To integrate a command-line administration program with Sun Internet Administrator, run the mcreg(1m) command to store information about the application. This information is used by Sun Internet Administrator to correctly handle the presentation and launch of the command. The information you need for the mcreg command is:

• The component identifier, a unique string that identifies the service application. The service application developer chooses the component identifier.

• A user-friendly name, appropriate for presentation to the administrator. This is the service name that Sun Internet Administrator displays in its Manage Services screen, where the administrator accesses all services. The service application developer chooses the application name.

• The version number of the application being registered. The recommended format for the version number is major.minor (for example, 1.2). The service application developer chooses the version number.

• The complete path to the command-line program, plus information about its parameters and documentation. Enclose this command option in quotes ("). There are three fields:

  • The full path to the executable, with any static parameters. For example, -p "/usr/bin/ps -ef". This field is required.

  • A -a indicates that this command takes parameters from the user at run time. This field is optional

  • A -h helpfile indicates the on-line documentation associated with this command. This field is optional.

• The user name under which the administration interface runs. This identifies the UNIX UID that Sun Internet Administrator uses to invoke the program.

• The group name under which the administration interface runs. This identifies the UNIX GID that Sun Internet Administrator uses to invoke the program.

When you have all required information, obtain root access and register the information as shown below. Run this command on the computer where the service administration interface is installed.

# mcreg -c componentID -n name -p "prog_path [-a] [-h help_file]"... -v version -u user_name -g group_name

See the mcreg(1m) man page for examples of this and other forms of the command.

To record information about multiple command-line operations, enter multiple -p arguments.

After running mcreg, you can log into Sun Internet Administrator as a console administrator and register the new application for management. If you want other administrators to have rights to manage the new application, edit their administrator access lists to include it. The Sun Internet Administrator on-line help has full instructions on performing these tasks.

Integrating Two-Tier Web-Based Applications

A two-tier Web-based application is an existing application whose administration interface is accessed through a Web browser. It can be implemented in HTML, CGI, or Java Applets and Servlets (or some combination). Such an interface requires a Web server installed and running on the computer where the service is installed.

Because this interface is accessible via URLs, there are some security issues to consider. The interface should be protected by the Web server's ACLs so only authorized administrators can access it. To take advantage of the administrator management provided by Sun Internet Administrator, you must use Sun^TM WebServer^TM and configure it with the same ACLs used by the Sun Internet Administrator administration Web server (see "Configuring for Administrator Account Coordination").

To secure the connection between the browser and the administration interface, consider secure HTTP (HTTPS) or SKIP. See the Sun WebServer on-line help and the SunScreen SKIP man pages (/opt/SUNWicp/man) for instructions on how to configure these security tools.

Registering Information for a Two-Tier Web-Based Application

When the service application is installed on a computer in the network, run the mcreg(1m) command to store information about the application. This information is used by Sun Internet Administrator to correctly handle the presentation and launch of the administration GUI. The information you need for the mcreg command is:

• The component identifier (componentID), a unique string that identifies the service application. Because they are unique, Solaris ISP Server recommends using package names as component identifiers. The service application developer chooses the component identifier.

• A user-friendly name, appropriate for presentation to the administrator. This is the service name that Sun Internet Administrator displays in its Manage Services screen, where the administrator accesses all services. The service application developer chooses the application name.

• The version number of the application being registered. The recommended format for the version number is major.minor for example, 1.2). The service application developer chooses the version number.

• The URL to the entry point of the Web-based administration interface. Enter the absolute (not a relative) path. The URL should use the fully qualified domain name of the service host.

When you have all required information, obtain root access and register the information as shown below. Run this command on the computer where the service administration interface is installed.

# mcreg -c componentID -n name -v version -w URL

See the mcreg(1m) man page for an example of this form of the command.

After running mcreg, you can log into Sun Internet Administrator as a console administrator and register the new application for management. If you want other administrators to have rights to manage the new application, edit their administrator access lists to include it. The Sun Internet Administrator on-line help has full instructions on performing these tasks.

Configuring for Administrator Account Coordination

If the two-tier service application uses Sun WebServer for its administration interface, it is possible to configure the server's ACLs to use the same administrator login information as Sun Internet Administrator. Thus, you have a single set of administrator accounts (in the directory services) to manage. This simplifies management of these accounts and enhances your ability to respond to security risk situations.

You must first install Sun WebServer on the service host (the computer where the service application is installed), and arrange the interface documents and files within the document tree of the server. Then, configure SWS as follows:

1. Create a realm in the default Web site of the SWS instance:

   # htrealm add -i instance -h hostname -r realmname -s ISPADMIN -d ComponentID-VersionNo
   

   Where

   • instance is the name of the httpd instance being configured.

   • hostname is the name of the host containing the realm.

   • realmname is the name of the realm you are creating.

   • ISPAdmin is the source of the realm. Enter ISPADMIN, indicating that these are Sun Internet Administrator administrators.

   • ComponentID-VersionNo is the directory where the administration GUI files (HTML and others) are located.

2. Add ACL protection to the URL where the administration GUI for this service resides:

   # htaccess add -i instance -h hostname -U URI -r realname -s BASIC
   

   Where

   • instance is the name of the httpd instance being configured.

   • hostname is the name of the computer where the Web server is running.

   • realmname is the name of the realm you are creating.

   • BASIC is the authentication scheme wanted. Enter BASIC.

3. Restart the default site, if it is already running. Use the Sun WebServer administration GUI to perform this task. Full instructions are available in the on-line help.