This section deals with security issues of network traffic. Authentication of users and authorization (permissions for parts of documents) are described in the documentation of the Tamino Manager (see the section Tamino Security). The X-Machine provides two mechanisms to safeguard communications: it is possible to specify that a given database may only talk to particular web servers, and the communication can be encrypted. The two mechanisms can be combined.
By default, the X-Machine accepts requests from clients without checking their IP addresses. This behavior can be changed by specifying the clients that are allowed to communicate with the database. If at least one client is specified, all unspecified clients are rejected. Clients are specified and assigned via the Tamino Manager.
The Tamino Manager uses the term web server, but the logic also works for the Tamino Data Loader. Clients are specified in the Tamino Manager with their IP addresses (host/port). The Tamino Data Loader is treated like a web server that runs on port 80.
If a list of web servers is specified for a database, only these clients can access the database.
Note:
Clients that use the webserverless feature of the APIs cannot access databases that have web servers assigned.
The communication between client and Tamino can be encrypted if the XTS communication method is used. The Native TCP/IP communication method currently does not offer encryption. If all communication is to be encrypted, Native TCP/IP must be switched off. A combination of encrypted and unencrypted communication makes sense for those use cases where trusted clients (e.g. web servers that talk to the X-Machine over a secure wire) and untrusted clients should be able to talk to the database. Encryption uses SSL. Please note that the X-Machine currently does not support SSL's authentication capabilities: clients currently do not use the server certificate to authenticate the server.
Encryption is activated via the database property "communication method". If this property is set to "SSL" (or "SSL and TCP/IP"), then XTS communication is encrypted using the certificate that is specified in the database properties "SSL certificate file" and "SSL key file".
If the used key is password protected, then the password must be specified via the server parameter "SSL password". A sample certificate is contained in the Tamino distribution (see the directory files/certs under the Tamino installation directory).
Note:
Under Solaris 8, Solaris patch 112438 is required for SSL.
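The following is an added example, not part of the Tamino documentation or of the product: it models the two mechanisms this section describes (the web server allowlist and the "communication method" property) as a small pre-deployment audit. The class, function and field names are this example's own; the property names and the values "SSL" and "SSL and TCP/IP" come from the text, while the value denoting Native TCP/IP only is not named on the page and is treated here as "anything else". The file paths in the demo are constructed placeholders.

```python
"""Added example (not Tamino code): audit a database's network settings against
the rules described in the section above."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

DATA_LOADER_PORT = 80  # the Tamino Data Loader is treated like a web server on port 80
SAMPLE_CERT_DIR = "files/certs"  # sample certificate shipped with the distribution


@dataclass
class DatabaseNetworkConfig:
    # database property "communication method": "SSL" or "SSL and TCP/IP";
    # any other value is taken here to mean Native TCP/IP only (assumption)
    communication_method: str = "TCP/IP"
    # web servers assigned in the Tamino Manager as (host, port) pairs
    web_servers: List[Tuple[str, int]] = field(default_factory=list)
    ssl_certificate_file: Optional[str] = None  # property "SSL certificate file"
    ssl_key_file: Optional[str] = None          # property "SSL key file"
    ssl_password: Optional[str] = None          # server parameter "SSL password"
    key_is_password_protected: bool = False     # known from how the key was generated


def uses_ssl(cfg: DatabaseNetworkConfig) -> bool:
    return cfg.communication_method in ("SSL", "SSL and TCP/IP")


def uses_native_tcpip(cfg: DatabaseNetworkConfig) -> bool:
    # Native TCP/IP is switched off only when the method is exactly "SSL"
    return cfg.communication_method != "SSL"


def is_client_allowed(cfg: DatabaseNetworkConfig, host: str,
                      port: Optional[int] = None, data_loader: bool = False) -> bool:
    """Apply the allowlist rule: with no web servers assigned every client is
    accepted; once at least one is assigned, only listed (host, port) pairs
    get through. A Data Loader is matched as a web server on port 80."""
    if data_loader:
        port = DATA_LOADER_PORT
    if not cfg.web_servers:
        return True
    return (host, port) in cfg.web_servers


def audit(cfg: DatabaseNetworkConfig) -> List[str]:
    """Return the findings a reviewer would raise before exposing the database."""
    findings = []
    if not cfg.web_servers:
        findings.append("no web servers assigned: requests from any IP address are accepted")
    else:
        findings.append("web servers assigned: webserverless API clients will be rejected")
    if uses_native_tcpip(cfg):
        findings.append("Native TCP/IP enabled: unencrypted communication is possible"
                        + (" (mixed mode: confine untrusted clients to SSL)" if uses_ssl(cfg) else ""))
    if uses_ssl(cfg):
        if not (cfg.ssl_certificate_file and cfg.ssl_key_file):
            findings.append("SSL enabled but certificate file or key file is not set")
        elif SAMPLE_CERT_DIR in cfg.ssl_certificate_file:
            findings.append("certificate is the distribution's sample certificate: use one of your own")
        if cfg.key_is_password_protected and not cfg.ssl_password:
            findings.append("SSL key is password protected but SSL password is not set")
        findings.append("clients do not verify the server certificate: SSL gives "
                        "confidentiality on the wire, not server authentication")
    return findings


if __name__ == "__main__":
    # constructed sample: mixed mode with one assigned web server
    demo = DatabaseNetworkConfig(
        communication_method="SSL and TCP/IP",
        web_servers=[("10.0.0.5", 8080)],
        ssl_certificate_file="/opt/tamino/files/certs/sample.crt",  # placeholder path
        ssl_key_file="/opt/tamino/files/certs/sample.key",          # placeholder path
    )
    print("web server 10.0.0.5:8080 allowed:", is_client_allowed(demo, "10.0.0.5", 8080))
    print("data loader on 10.0.0.5 allowed:", is_client_allowed(demo, "10.0.0.5", data_loader=True))
    for line in audit(demo):
        print("-", line)
```

The allowlist check shows the edge case the note above warns about: an empty list means "accept everyone", and a Data Loader on an allowed host is still rejected unless that host is listed with port 80.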