Sun Internet Administrator provides secure central management for distributed ISP services. It gives ISPs the following benefits:
Single sign-on for administrators. ISP administrators log in to Sun Internet Administrator once to access all functions for which they have authorization. Applications in the three-tier configuration and managed from Sun Internet Administrator receive login information from it; the user is not subsequently challenged. Three-tier services are described in "Three-Tier Service Architecture".
Administrator access control. Access is controlled per ISP service. An administrator allowed to manage FTP servers on the network may or may not also have access to news servers. Console administrators (those who can manage Sun Internet Administrator processes) have access to all managed services.
Secure communications between administrators' client machines and service hosts. Web server access control lists (ACLs) protect Sun Internet Administrator from access by unauthorized users. SSL can be used on the HTTP connection. Also, the optional SunScreen SKIP software can be installed and configured on all connections to the Sun Internet Administrator, and from it to the service host machines, encrypting those communications.
Logging of administrator actions for traceability. Each administrator action, from initial login attempt through logout, is logged via the syslog utility. This provides both troubleshooting and accountability information.
Remote management of ISP services. Services provided with Solaris ISP Server can all be managed from Sun Internet Administrator, regardless of their location on the network. Additionally, Sun Internet FTP Server, Sun Internet News Server, and Sun Directory Services are three-tier components and receive all the security benefits built into Sun Internet Administrator. See "Three-Tier Service Architecture" and "Two-Tier Service Architecture" for more information on service interaction with Sun Internet Administrator.
Extensibility for existing services. ISPs can integrate their own applications with Sun Internet Administrator and manage them in the same way as services provided with Solaris ISP Server. See Chapter 7, Integrating Existing Service Applications for instructions on integrating applications with Sun Internet Administrator.
Sun Internet Administrator supports services in two architectures: three-tier and two-tier. Only the three-tier architecture receives all of the listed security benefits. Four types of application interfaces are supported:
Three-tier, browser-based applications receive all security benefits offered by Sun Internet Administrator.
Two-tier, browser-based applications cannot make use of the single sign-on feature, but are manageable through the Sun Internet Administrator. If they use Sun WebServer to support the administration application, they can configure it to provide administrator authentication and access control, but not single sign-on. The two-tier architecture is included to support existing applications without requiring additional programming. See Chapter 7, Integrating Existing Service Applications for details on this configuration.
X-based applications receive all the benefits of a three-tier application.
Command-line functions (scripts, programs, or in combination) receive all the benefits of three-tier applications. Any number of them can be registered for a given service and managed by Sun Internet Administrator, which constructs a web interface to the command-line programs.
The recommended three-tier browser-based application architecture receives all Sun Internet Administrator security benefits.
As shown in Figure 1-5, an administrator uses the following steps to access a service's administration functions:
From a browser, the administrator accesses either http://<hostname>:50080/ispmc or https://<hostname>:50087/ispmc (the location of the main Sun Internet Administrator GUI page).
The AWC is downloaded to the client browser, and the administrator chooses a service to manage.
Sun Internet Administrator prompts the administrator for user name and password. The administrator need not use a UNIX account for access to the user interface; a directory services repository (Sun Directory Services) manages administrator information for Sun Internet Administrator. This connection should be secured by using secure HTTP.
The selected service resolves to a URL, designating the service's ASCA. The server agent GUI is downloaded to the administrator's browser in response. At this step, control passes to the service's administration program.
Subsequent access is directly between the client browser and the application's server agent on the AWS.
The AWS authenticates the administrator against the directory services, and logs each administrator request via syslog. If the administrator has appropriate access, requests are passed to the ASCA. If not, access is denied and a log entry is made.
The ASCA communicates with the ASRA via a protocol independent of Sun Internet Administrator (chosen by the developer of the service). Appropriate IP-level security measures should be taken to protect this connection and its traffic.
The ASRA again authenticates and logs each administrator action.
To secure the communications for three-tier applications, we recommend using SSL or SunScreen SKIP on the client browser connection and SunScreen SKIP on all other intercomputer connections.
ASCA and ASRA modules for command-line and X-based programs are provided in Solaris ISP Server. Sun Internet Administrator uses them automatically when you register these applications.
For some applications, especially existing services, a two-tier architecture for access via Sun Internet Administrator is more practical. These services can be managed from Sun Internet Administrator, but do not receive the security benefits of single sign-on and central logging (though they can do their own logging in syslog).
As shown in Figure 1-6, an administrator uses the following steps to access a service's administration functions:
From a browser, the administrator accesses either http://<hostname>:50080/ispmc or https://<hostname>:50087/ispmc (the location of the main Sun Internet Administrator GUI page).
This step is the same as for the three-tier architecture. The AWC is downloaded to the client browser, where the administrator can choose a service to manage.
The selected service resolves to a URL, designating the component's user interface.
Subsequent access is directly between the client browser and the service's remote agent. Appropriate IP-level security measures should be taken to protect this connection and its traffic.
In a two-tier architecture, services are not able to take advantage of the single sign-on feature. If a two-tier web-based application uses Sun WebServer to support its user interface, it can configure the web server to provide the same service-level access protection as a three-tier application enjoys. See Chapter 7, Integrating Existing Service Applications for information on this configuration.
To secure the communications for a two-tier application, we recommend using SSL or SunScreen SKIP.
Sun Internet Administrator uses an instance of Sun WebServer to support its web-based user interface. This web server is referred to as the administration web server (AWS). You can reconfigure the AWS to suit your requirements, for example to use SSL for security reasons.
Refer to the Sun WebServer online help to reconfigure the AWS. In particular, see httpd.conf(4) and the Sun WebServer online help for configuring SSL. The web server instance that is the AWS is called "aws" in the Sun WebServer user interface.
To ensure that you do not lose the default configuration, this section discusses the location of the default AWS configuration files and the method to restore the default settings.
Backups of the AWS default configuration files are located in /etc/opt/SUNWixamc/awsconf/default/*. The files in use are at /var/opt/SUNWixamc/awsconf. To restore the default settings:
cp /etc/opt/SUNWixamc/awsconf/default/*.* /var/opt/SUNWixamc/awsconf/.
Ensure that adm has read and write access to all files.
For the effective functioning of Sun Internet Administrator, do not change the default settings in aws.conf, site.conf, map.conf, realms.conf, and access.acl.
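As an added example (not from the Solaris ISP Server documentation), the following POSIX sh script performs the restore procedure above and also checks whether any of the five protected files has drifted from its default backup, which is a useful sanity check before and after reconfiguring the AWS. The directory paths, the adm owner and the five file names come from this page; the environment-variable overrides are an assumption added so the functions can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example; paths default to those given for Sun Internet Administrator.
# The environment overrides are an assumption so the functions can be tested
# against scratch directories without touching /etc or /var.
AWS_DEFAULT_DIR="${AWS_DEFAULT_DIR:-/etc/opt/SUNWixamc/awsconf/default}"
AWS_LIVE_DIR="${AWS_LIVE_DIR:-/var/opt/SUNWixamc/awsconf}"
AWS_OWNER="${AWS_OWNER:-adm}"
# Files whose default settings must not be changed.
AWS_PROTECTED="aws.conf site.conf map.conf realms.conf access.acl"

# aws_drift: report each protected file whose live copy is missing or differs
# from the default backup. Returns 0 if nothing drifted, 1 otherwise.
aws_drift() {
    rc=0
    for f in $AWS_PROTECTED; do
        if [ ! -f "$AWS_LIVE_DIR/$f" ]; then
            echo "missing: $AWS_LIVE_DIR/$f"
            rc=1
        elif ! cmp -s "$AWS_DEFAULT_DIR/$f" "$AWS_LIVE_DIR/$f"; then
            echo "modified: $AWS_LIVE_DIR/$f"
            rc=1
        fi
    done
    return $rc
}

# aws_restore: copy the default files over the live ones, give the
# administration user read/write access, then confirm nothing still drifts.
aws_restore() {
    [ -d "$AWS_DEFAULT_DIR" ] || { echo "no defaults at $AWS_DEFAULT_DIR" >&2; return 1; }
    mkdir -p "$AWS_LIVE_DIR" || return 1
    cp "$AWS_DEFAULT_DIR"/*.* "$AWS_LIVE_DIR"/ || return 1
    # chown requires root; only attempt it when running as root and the user exists.
    if [ "$(id -u)" -eq 0 ] && id "$AWS_OWNER" >/dev/null 2>&1; then
        chown "$AWS_OWNER" "$AWS_LIVE_DIR"/*.* || return 1
    fi
    chmod u+rw "$AWS_LIVE_DIR"/*.* || return 1
    aws_drift
}
```

Run aws_drift on its own to audit a live AWS against the shipped defaults; run aws_restore only when you intend to discard local changes.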