Sun Microsystems 2005Q1 Server User Manual


 
SRA Gateway
40 Portal Server 6 2005Q1 Deployment Planning Guide
Mandatory server authentication. The client must authenticate the server.
Optional authentication. The server is configured to authenticate the client.
Personal Digital Certificate (PDC) authentication is a mechanism that authenticates
a user through SSL client authentication. The Gateway supports PDC
authentication with the support of Access Manager authentication modules. With
SSL client authentication, the SSL handshake ends at the Gateway. This PDC-based
authentication is integrated with the Access Manager's certificate-based
authentication. Thus, the client certificate is handled by Access Manager and not by
the Gateway.
If the session information is not found as part of the HTTP or HTTPS request, the
Gateway directly takes the user to the authentication page by obtaining the login
URL from Access Manager. Similarly, if the Gateway finds that the session is not
valid as part of a request, it takes the user to the login URL and at successful login,
takes the user to the requested destination.
After the SSL session has been established, the Gateway continues to receive the
incoming requests, checks session validity, and then forwards the request to the
destination web server.
The Gateway server handles all Netlet traffic. If an incoming client request is Netlet
traffic, the Gateway checks for session validity, decrypts the traffic, and forwards it
to the application server. If Netlet Proxy is enabled, the Gateway checks for session
validity and forwards it to Netlet Proxy. The Netlet Proxy then decrypts and
forwards it to the application server.
Gateway Access Control
The Gateway enforces access control by using Allowed URLs and Denied URLs
lists. Even when URL access is allowed, the Gateway checks the validity of the
session against the Access Manager session server. URLs that are designated in the
Non Authenticated URL list bypass session validation, as well as the Allowed and
Denied lists. Entries in the Denied URLs list take precedence over entries in the
Allowed URLs list. If a particular URL is not part of any list, then access is denied
to that URL. The wildcard character, *, can also be used as a part of the URL in
either the Allow or Deny list.
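The session-redirect behaviour described above (no session or an invalid session sends the user to the Access Manager login URL and back to the requested destination afterwards) and the Allowed/Denied/Non Authenticated URL list rules can be put together as one decision routine. The following is an added illustrative model written for this page; it is not the Gateway's own code. Its assumptions: the wildcard * matches any run of characters, the Denied list is consulted before the login redirect, the login URL and the goto query parameter that carries the destination are constructed placeholders rather than values taken from the guide, and the sample list entries are constructed.

```python
"""Model of the SRA Gateway URL access-control decision (added example, not product code)."""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple
from urllib.parse import quote

ALLOW = "allow"
DENY = "deny"
REDIRECT = "redirect"  # send the user to the Access Manager login page


def _compile(pattern: str) -> re.Pattern:
    """Turn a list entry such as https://host/hr/* into an anchored regex.
    Every literal character is escaped; only '*' is a wildcard (assumed semantics)."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile(".*".join(parts) + "$")


def _matches(url: str, patterns: Iterable[re.Pattern]) -> bool:
    return any(p.match(url) for p in patterns)


@dataclass
class GatewayPolicy:
    allowed: List[str] = field(default_factory=list)
    denied: List[str] = field(default_factory=list)
    non_authenticated: List[str] = field(default_factory=list)
    # Constructed placeholder; the real Gateway obtains this from Access Manager.
    login_url: str = "https://am.example.com/amserver/UI/Login"

    def __post_init__(self):
        self._allowed = [_compile(p) for p in self.allowed]
        self._denied = [_compile(p) for p in self.denied]
        self._non_auth = [_compile(p) for p in self.non_authenticated]

    def decide(self, url: str, session_valid: Optional[bool]) -> Tuple[str, str]:
        """Return (decision, target URL).
        session_valid: None  = no session information in the request,
                       False = session present but rejected by the session server,
                       True  = session validated."""
        # 1. Non Authenticated URLs bypass session validation and both lists.
        if _matches(url, self._non_auth):
            return ALLOW, url
        # 2. Denied entries take precedence over Allowed entries
        #    (assumed ordering: evaluated before the login redirect).
        if _matches(url, self._denied):
            return DENY, url
        # 3. Everything else needs a valid session; otherwise go to the login URL,
        #    carrying the destination so the user can be returned there after login.
        if not session_valid:
            return REDIRECT, f"{self.login_url}?goto={quote(url, safe='')}"
        # 4. Allowed URL with a validated session.
        if _matches(url, self._allowed):
            return ALLOW, url
        # 5. URL in no list: default deny.
        return DENY, url


def sample_policy() -> GatewayPolicy:
    """Constructed sample configuration for demonstration only."""
    return GatewayPolicy(
        allowed=["https://intranet.example.com/*"],
        denied=["https://intranet.example.com/admin/*"],
        non_authenticated=[
            "https://intranet.example.com/public/*",
            "https://intranet.example.com/favicon.ico",
        ],
    )


if __name__ == "__main__":
    policy = sample_policy()
    for url, sess in [
        ("https://intranet.example.com/public/news.html", None),
        ("https://intranet.example.com/admin/users", True),
        ("https://intranet.example.com/hr/page", None),
        ("https://intranet.example.com/hr/page", True),
        ("https://other.example.com/", True),
    ]:
        print(sess, url, "->", policy.decide(url, sess))
```

The order of the checks is what makes the stated rules hold: a Denied entry wins even when an Allowed entry also matches, a Non Authenticated entry never triggers a session lookup, and a URL absent from every list is refused rather than passed through.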
NOTE Because 40-bit encryption is very insecure, the Gateway provides an
option that enables you to reject connections from a browser that only
supports 40-bit encryption.