Solaris ISP Server 2.0 Administration Guide

Three-Tier Service Architecture

The recommended three-tier browser-based application architecture receives all Sun Internet Administrator security benefits.

Figure 1-5 Three-Tier ISP Service Architecture


As shown in Figure 1-5, an administrator uses the following steps to access a service's administration functions:

  1. From a browser, the administrator accesses either http://<hostname>:50080/ispmc or https://<hostname>:50087/ispmc (the location of the main Sun Internet Administrator GUI page).

    The AWC is downloaded to the client browser, and the administrator chooses a service to manage.

  2. Sun Internet Administrator prompts the administrator for user name and password. The administrator need not use a UNIX account for access to the user interface; a directory services repository (Sun Directory Services) manages administrator information for Sun Internet Administrator. This connection should be secured by using secure HTTP.

    The selected service resolves to a URL designating the service's ASCA. The server agent GUI is downloaded to the administrator's browser in response. At this step, control passes to the service's administration program.

  3. Subsequent access is directly between the client browser and the application's server agent on the AWS.

    The AWS authenticates the administrator against the directory services, and logs each administrator request via syslog. If the administrator has appropriate access, requests are passed to the ASCA. If not, access is denied and a log entry is made.

  4. The ASCA communicates with the ASRA via a protocol independent of Sun Internet Administrator (chosen by the developer of the service). Appropriate IP-level security measures should be taken to protect this connection and its traffic.

    The ASRA again authenticates and logs each administrator action.

To secure the communications for three-tier applications, we recommend using SSL or SunScreen™ SKIP on the client browser connection and SunScreen SKIP on all other intercomputer connections.

ASCA and ASRA modules for command-line and X-based programs are provided in Solaris ISP Server. Sun Internet Administrator uses them automatically when you register these applications.