
Chapter 7. Scenario: Laura’s Gadgets e-shop

7.4 Review Runtime patterns

7.7.3 Security requirements for this scenario

In this section we discuss how our topology addresses the various security requirements.

Access control

Laura’s Gadgets e-shop is a typical e-commerce site, which partially opens up resources to all Internet users for viewing, but still demands a very high level of security and protection for the entire site and resources. Since the site also stores credit card information for the

guidelines must meet or exceed what is imposed by the authorities in the areas where the e-shop operates. In the United States there are federal guidelines that must be adhered to. All customers’ IDs, passwords, and address information are stored in a secure LDAP located in the internal network, well shielded by the two DMZs.

Domino protects its assets using access control lists (ACLs) with multiple levels of security that include organization, server, database, form, field, and so on. Since Domino renders the catalog, home page, and promotions to all Internet users, Anonymous access is allowed for viewing and searching this information.

When a customer checks out, the system automatically prompts the user to register in the LDAP (if they have not already done so). Once registered, the LDAP is used for validating the credentials and authenticating the customer for all further transactions. This includes transactions in and access to WebSphere, Domino, DB2, and MQSeries. All authentication information is verified between the application servers and the LDAP over SSL.

WebSphere is configured to use its Security Policy for Servlets and EJBs. Domino and WebSphere could be configured to use session sharing and single sign-on for sharing the authentication information; however, this is not strictly required in this scenario since all the Domino data in the application (the catalog) is public and therefore user authentication is not required.

Access to the Domino.Doc-based catalog and the associated publishing cycle is controlled and protected using Domino ACL policies.

To ensure that a price is not altered by the Internet user and resubmitted, WebSphere makes a separate secure request to Domino over CORBA/IIOP to retrieve the price of the product the customer requested, rather than trusting the price carried in the submitted request.

Inventory, fulfillment, and order processing data is stored on secure DB2 servers that restrict access to WebSphere EJBs through MQ and authoring sources. MQ restricts access to its resources at Queue Manager and Queue levels.

Flow control

The Protocol and Domain firewalls, one on each side of the IBM HTTP Server, provide a complete separation of the internal network and its data from the Internet. This prevents intrusion from the Internet, and intentional or accidental damage to the business data originating there.

The first domain firewall is configured to allow only the traffic forwarded by IHS, serving as a Web redirector, to get to the application server. The second domain firewall restricts all data other than that originating from the application servers themselves from going to the internal network resources. This way, even if there is a security compromise on either of the Web Application servers, the rest of the system remains invisible and protected.

SSL plays a vital role when the customer credit card information is collected or retrieved. End-to-end strong encryption over SSL is used for credit card authorization by the bank. The data flow is encrypted all the way from the browser through the Web redirector, the WebSphere Application Server, the MQSeries queues, and on to the bank information processing system. All responses on this path are also SSL encrypted.

Audit control

catalog; in order to ensure that the data in Domino is not compromised, all successful and failed login and access attempts to Domino resources are logged. The firewalls restrict the traffic that goes through them to ensure that configured sources are the only ones that can get past them.

With multiple firewalls hiding the internal network, WebSphere, LDAP, MQ, DB2, and other internal staging and production servers can concentrate on functional auditing and database integrity auditing.

Credential management

Anonymous users are allowed to view the home page of the retail store and to request inventory information for any product. The only operation that requires the user to log in is the process of ordering the items in a customer’s shopping cart. WebSphere Application Server challenges any user who attempts to check out to provide a user ID and password over SSL. The SSL connection is also used to secure information that the user supplies when checking out, like credit card number, e-mail address, delivery address, and so on. If the customer is a new user, WebSphere automatically allows the user to register with the LDAP Directory over SSL.

This scenario ensures that all user, group, and related information is centrally and securely maintained by the LDAP, and that all application servers use it for their authentication needs. MQ and DB2 use their own native authentication mechanism with their own internally managed credentials.

Integrity

End-to-end data integrity is ensured by the use of secure authenticated sessions for sending and retrieving data over the network. Transaction logging and the two-phase commit features in DB2, MQ, and WebSphere EJBs ensure that even if inventory is reserved, the order is not completed until the bank returns an authorization code for payment. It also ensures that items are not shipped until payment is debited from the customer’s bank.
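As an added example (not from the Redbook or from the products it describes), the two checks described above, written in Python: the checkout total is recomputed from the authoritative catalog so a tampered client price is logged and ignored, and inventory is reserved but the order is completed only once the bank returns an authorization code, with the reservation released on a decline. CATALOG, INVENTORY and the bank_authorize callback are constructed stand-ins for the Domino catalog, the DB2 inventory tables and the SSL call to the bank.

```python
"""Added example (not from the Redbook): server-side price lookup and
payment-gated order completion, modelled on this scenario's checkout.
CATALOG, INVENTORY and the bank callback are constructed stand-ins for
Domino, DB2 and the bank processing system."""
import logging

log = logging.getLogger("checkout")

CATALOG = {"GADGET-1": 49.99, "GADGET-2": 12.50}   # authoritative prices
INVENTORY = {"GADGET-1": 5, "GADGET-2": 1}         # units on hand


def priced_total(submitted):
    """Total the cart from CATALOG, never from the browser-supplied price.

    submitted: {sku: {"qty": n, "price": p}} as posted by the client.  The
    posted price is only compared against the catalog for audit logging."""
    total = 0.0
    for sku, line in submitted.items():
        price = CATALOG[sku]                 # unknown SKU -> KeyError, reject
        if "price" in line and abs(line["price"] - price) > 0.005:
            log.warning("price mismatch %s: client=%s catalog=%s",
                        sku, line["price"], price)
        total += price * line["qty"]
    return round(total, 2)


def checkout(submitted, bank_authorize):
    """Reserve stock, then complete the order only on bank authorization.

    bank_authorize(total) stands in for the SSL call to the bank and returns
    an auth code string or None.  Returns (state, total, auth_code)."""
    total = priced_total(submitted)
    if any(INVENTORY[s] < l["qty"] for s, l in submitted.items()):
        return ("REJECTED", total, None)      # nothing reserved
    for sku, line in submitted.items():      # reserve inventory
        INVENTORY[sku] -= line["qty"]
    code = bank_authorize(total)
    if code is None:                         # declined: release reservation
        for sku, line in submitted.items():
            INVENTORY[sku] += line["qty"]
        return ("DECLINED", total, None)
    return ("AUTHORIZED", total, code)
```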

For additional information about security infrastructure and security considerations in application design and development, see Appendix , “Related publications” on page 187.

7.8 Summary

In this chapter we began by describing the business requirements for extending an existing catalog system to the Web. After reviewing the business goals and current IT environment, we chose the Electronic Commerce composite pattern as the appropriate Composite business pattern for achieving the business goals. After investigating the business processes that the new application will need to provide, we selected the Enterprise-out application pattern. Further analysis led to the selection of the Web Redirector with Domino and WebSphere Hybrid Runtime pattern as the basic Runtime pattern for our solution. This hybrid pattern is the same as the Enterprise-out basic Runtime pattern, except that it specifically includes both Domino and WebSphere as application servers. The Runtime pattern was then modified slightly by adding a second DMZ to further protect the back-end data and systems. After the pattern selection was complete, we did a partial review of design, development, and management guidelines for the application. We followed this with a discussion of the