The security framework provided with webMethods Enterprise Server (ES) supports authentication, authorization, and encryption. ES authenticates clients that connect to an enterprise server. Authenticated clients are then authorized to access the Enterprise Server, brokers, client groups, or client states according to ACL configurations. Encryption is used for adapter-to-broker and broker-to-broker communication.
Security between adapters and native resources falls outside of the webMethods Enterprise Server environment, and each adapter conforms (or not) to the security provided by the native resource.
Enterprise Server only supports authentication using digital certificates. Password authentication is not supported. The use of digital certificates makes it easy to encrypt the data exchanged between clients and brokers.
webMethods requires any client connecting to the enterprise (broker) server to provide a digital certificate to authenticate its identity. Clients can be any of:
- Resource (intelligent or standard) Adapters
- ATC Agents
- Manager tool
- Document (Event) Tracker
- Document (Event) Type Editor
- Enterprise (Visual) Integrator
- Monitor Tool
- Custom Adapters
Once authenticated, specific access to the Enterprise Server can be granted to the client. Access can be granted to the following types of entities within the enterprise server:
- Enterprise Server
- Client Groups
- Clients (already created client states)
For each type of entity, an access control list (ACL) of distinguished names determines which authenticated clients are authorized to access the entity. A distinguished name (DN) is the uniquely identifying subject information in a digital certificate.
In addition to ACL authorization, Client Groups provide an even finer level of access control. Client Groups are used to configure what events/documents clients can publish and subscribe to. This authorization functionality exists independently from the use of digital certificates, but it is not until digital certificates are used for client authentication that the system is secure. Without client authentication, anyone can run an adapter for any client group and both subscribe to and publish events the client group has been configured with.
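To make the evaluation order concrete, here is a small Python model of the two layers described above: ACLs of certificate DNs on the server and on a client group, followed by the group's publish/subscribe document permissions. It is an added example, not webMethods code, and every DN, group name and document type in it is constructed.

```python
"""Model of the two-layer ES authorization described above (added example)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ClientIdentity:
    dn: str              # DN taken from the client's certificate
    authenticated: bool  # True only if the broker verified that certificate


@dataclass
class ClientGroup:
    name: str
    acl: set = field(default_factory=set)            # DNs allowed to use the group
    can_publish: set = field(default_factory=set)    # document types the group may publish
    can_subscribe: set = field(default_factory=set)  # document types the group may receive


# Constructed sample configuration (not real webMethods settings).
SERVER_ACL = {"CN=OrderAdapter,O=Example", "CN=Manager,O=Example"}
GROUPS = {
    "OrderAdapters": ClientGroup(
        "OrderAdapters",
        acl={"CN=OrderAdapter,O=Example"},
        can_publish={"Order::Created"},
        can_subscribe={"Order::Shipped"},
    ),
}


def acl_allows(acl, client):
    """An asserted DN counts only when it comes from a verified certificate.

    This is the point the text makes: without certificate authentication the
    client-group restrictions alone do not identify who is really connecting.
    """
    return client.authenticated and client.dn in acl


def authorize(client, group_name, operation, doc_type):
    """True if the client may publish/subscribe doc_type through group_name.

    Order of checks: server ACL, client-group ACL, then the group's permissions.
    """
    group = GROUPS.get(group_name)
    if group is None:
        return False
    if not acl_allows(SERVER_ACL, client) or not acl_allows(group.acl, client):
        return False
    if operation == "publish":
        return doc_type in group.can_publish
    if operation == "subscribe":
        return doc_type in group.can_subscribe
    return False
```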