This section deals with security issues of network traffic. Authentication of users and authorization (permissions for parts of documents) are described in the documentation of the Tamino Manager (see the section Tamino Security). The X-Machine provides two mechanisms to safeguard communications: it is possible to specify that a given database may only talk to particular web servers, and the communication can be encrypted. The two mechanisms can be combined.
By default, the X-Machine accepts requests from clients without checking their IP addresses. This behavior can be changed by specifying the clients that are allowed to communicate with the database. If at least one client is specified, all unspecified clients are rejected. Clients are specified and assigned via the Tamino Manager.
The Tamino Manager uses the term web server, but the logic also works for the Tamino Data Loader. Clients are specified in the Tamino Manager with their IP addresses (host/port). The Tamino Data Loader is treated like a web server that runs on port 80.
If a list of web servers is specified for a database, only these clients can access the database.
Note:
Clients that use the webserverless feature of the APIs cannot access
databases that have web servers assigned.
The communication between client and Tamino can be encrypted if the XTS
communication method is used. The Native TCP/IP communication method currently
does not offer encryption. If all communication is to be encrypted, Native
TCP/IP must be switched off. A combination of encrypted and unencrypted
communication makes sense for those use cases where trusted clients (e.g. web
servers that talk to the X-Machine over a secure wire) and untrusted clients
should be able to talk to the database. Encryption uses SSL. Please note that
the X-Machine currently does not support SSL's authentication capabilities.
Clients currently do not use the server certificate to authenticate the server.
Encryption is activated via the database property communication
method
. If this property is set to
"SSL" (or "SSL and
TCP/IP"), then XTS communication is encrypted using the
certificate that is specified in the database properties SSL
certificate file
and SSL key file
.
If the used key is password protected, then the password must be specified via
the server parameter SSL password
. A sample
certificate is contained in the Tamino distribution (see the directory
files/certs under the Tamino installation directory).
Note:
Under Solaris 8, Solaris patch 112438 is required for SSL.
Native HTTP communication with a Tamino server supports the usage of the SSL protocol (TLS 1.0).
The SSL encrypted traffic is handled through the Tamino HTTP port (link to server properties).
In order to configure the usage of the SSL protocol when talking to a terminal server the following server properties need to be set appropriately:
SSL certificate file
contains the full
path to the SSL certificate file to be used. Only pem format is supported.
SSL key file
contains the full path to
the server's private key file
SSL password
contains the password in
case the various SSL certificate files are password protected
SSL CA file
contains the full path to the
file containing the CA certificate required
SSL verify depth contains an integer value to indicate the maximum depth of chained certificate verification, the default value is 1.
SSL verify client
indicates whether the
client is to be authenticated by the server based on its certificate, default
value is "no".