Tamino XML Server Version 9.7
 —  Communication with Tamino's X-Machine  —

Security


Introduction

This section deals with the security of network traffic between clients and the X-Machine. Authentication of users and authorization (permissions for parts of documents) are described in the documentation of the Tamino Manager (see the section Tamino Security). The X-Machine provides two mechanisms to safeguard communications: a database can be restricted so that it only talks to particular web servers, and the communication can be encrypted. The two mechanisms can be combined.


Web Server Assignment

By default, the X-Machine accepts requests from clients without checking their IP addresses. This behavior can be changed by specifying the clients that are allowed to communicate with the database: as soon as at least one client is specified, every client that is not on the list is rejected. Clients are specified and assigned via the Tamino Manager.

The Tamino Manager uses the term web server, but the same logic applies to the Tamino Data Loader. Clients are specified in the Tamino Manager by their IP address and port (host/port); the Tamino Data Loader is treated like a web server that runs on port 80.

If a list of web servers is assigned to a database, only these clients can access the database. Note that this is a filter on the client's network address, not an authentication of users: it narrows which hosts may reach the database at all and does not replace the user authentication and authorization described under Tamino Security.

Note:
Clients that use the webserverless feature of the APIs cannot access databases that have web servers assigned.


Encryption

The communication between client and Tamino can be encrypted if the XTS communication method is used. The Native TCP/IP communication method currently does not offer encryption, so if all communication is to be encrypted, Native TCP/IP must be switched off. A combination of encrypted and unencrypted communication makes sense for use cases where both trusted clients (e.g. web servers that talk to the X-Machine over a secure wire) and untrusted clients should be able to talk to the database.

Encryption uses SSL. Please note that the X-Machine currently does not support SSL's authentication capabilities: clients currently do not use the server certificate to authenticate the server. The encryption therefore protects the traffic against eavesdropping, but a client cannot detect that it is talking to a different endpoint presenting a different certificate; where this matters, the identity of the server has to be assured by other means.

Encryption is activated via the database property communication method. If this property is set to "SSL" (or "SSL and TCP/IP"), XTS communication is encrypted using the certificate specified in the database properties SSL certificate file and SSL key file. If the key used is password protected, the password must be specified via the server parameter SSL password. A sample certificate is contained in the Tamino distribution (see the directory files/certs under the Tamino installation directory). Because the sample certificate and its key are shipped with every copy of the product, they are suitable for testing only; a production database should use a certificate and key generated for it.

Note:
Under Solaris 8, Solaris patch 112438 is required for SSL.
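The following shell script is an added example and is not part of the Tamino documentation or the product. It prepares and sanity-checks the three values behind the SSL certificate file, SSL key file and SSL password properties with openssl, and reads the fingerprint of the certificate a running TLS endpoint presents, which is the server-authentication check that Tamino clients do not perform themselves. The file names, the passphrase and the host name are assumptions; the generated self-signed certificate is constructed test data, not a certificate from the Tamino distribution.

```shell
#!/bin/sh
# Added example; not part of the Tamino documentation and not Software AG code.
# Creates a password-protected key and a certificate for it (the trio the
# database properties "SSL certificate file", "SSL key file" and
# "SSL password" expect), checks that the trio is consistent, and shows how an
# operator can verify which certificate a live endpoint actually presents.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CERT="$WORK/tamino.crt"        # assumed value for "SSL certificate file"
KEY="$WORK/tamino.key"         # assumed value for "SSL key file"
PASS="change-me-before-use"    # assumed value for "SSL password"

# Generate a password-protected RSA key and a self-signed certificate for it.
# Constructed test data: a real deployment would use a CA-issued certificate.
make_keypair() {
    openssl req -x509 -newkey rsa:2048 -sha256 -days 1 \
        -subj "/CN=tamino.example.invalid" \
        -passout "pass:$PASS" -keyout "$KEY" -out "$CERT" >/dev/null 2>&1
}

# True if the key cannot be loaded without its passphrase, i.e. it really is
# encrypted and "SSL password" will be required when the database starts.
key_needs_password() {
    ! openssl pkey -in "$KEY" -passin pass:definitely-wrong -noout >/dev/null 2>&1
}

# True if the certificate was issued for this key: the public keys must match.
# A mismatched pair is the usual reason a server cannot bring up SSL.
cert_matches_key() {
    cert_pub="$(openssl x509 -in "$CERT" -noout -pubkey)"
    key_pub="$(openssl pkey -in "$KEY" -passin "pass:$PASS" -pubout)"
    [ "$cert_pub" = "$key_pub" ]
}

# SHA-256 fingerprint of a certificate file (the value a client would pin).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Fingerprint of the certificate a live TLS endpoint presents (XTS or HTTPS
# port). It must equal cert_fingerprint "$CERT"; if it does not, the traffic
# is being terminated by something other than the configured certificate.
presented_fingerprint() {   # $1 = host:port
    openssl s_client -connect "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

make_keypair
key_needs_password || { echo "key is not password protected"; exit 1; }
cert_matches_key   || { echo "certificate does not belong to key"; exit 1; }
echo "configured certificate fingerprint: $(cert_fingerprint "$CERT")"
# presented_fingerprint tamino.example.invalid:4433   # run against a live server
```

The fingerprint comparison applies equally to the Tamino HTTP port described in the next section. It authenticates the server from the operator's side only and does not change the behaviour of Tamino clients, which still accept whatever certificate they are offered.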


Using SSL with Native HTTP access (HTTPS)

Native HTTP communication with a Tamino server supports the SSL protocol (TLS 1.0). Note that TLS 1.0 has since been deprecated (RFC 8996), so current clients and libraries may need to be configured explicitly to accept it.

The SSL encrypted traffic is handled through the Tamino HTTP port (see the server properties).

In order to configure the usage of the SSL protocol when talking to a Tamino server, the following server properties need to be set appropriately:
