(ATS6-PLAT05) Security enhancements in AEP 9
Jon Hurley
Senior Manager
Platform R&D
Jon.Hurley@accelrys.com
The information on the roadmap and future software development efforts is intended to outline general product direction and should not be relied on in making a purchasing decision.
Content
• Security
– Authentication
– Authorization
– Session Security
• Administration Portal
– Home Page
– Extensible WAF container
– New and updated Security pages
Authentication vs. Authorization
• Authentication
– Determination of identity, i.e. who you are
– Usually provided by an external service, e.g. Active Directory
• Authorization
– Controls access to resources
– E.g. ability to use the admin portal
– E.g. access to a particular XMLDB folder
Authentication
• New Authentication Providers in AEP 9.0
Authentication
• AEP can use an external authentication service
– Local or Domain authentication
– ‘File’ authentication can be enabled independently
– SSL can be required
• File authentication active with other methods
– File is attempted first, then external service
– DO NOT create File users with the same name as Domain accounts (because File is attempted first, such a File user would take precedence over the Domain account of the same name)
• Anonymous account can be a ‘File’ or a domain account
– Protocols run with file accounts will not impersonate
• Administration portal uses standard authentication
– Platform/Administration/Logon permission required
Enhanced support for Kerberos/SPNEGO
• Kerberos Delegation on Windows
– Full or Restricted Impersonation
– Protocols can use their Kerberos token to connect to other Kerberized resources (e.g. UNC files, HTTP services, SQL Server databases)
– Requires AEP server configured for Impersonation and the Kerberos realm (e.g. Active Directory) configured to allow Delegation
• Kerberos Authentication on Linux
– Kerberos authentication is now supported on Linux
– Delegation is NOT supported on Linux in AEP 9.0
• Kerberos requires clients that support SPNEGO
– Web browsers: IE, Firefox, Chrome
– Windows SDKs: .NET Client SDK, JavaScript Client SDK, C Client SDK, RunProtocol
– Not supported: other SDKs (Java), Linux SDKs or Pipeline Pilot client
What is Kerberos?
• Kerberos is ticket-based authentication baked into the Operating System
– Many components (e.g. Web Browsers) are able to transmit Kerberos tickets
• Provides Single Sign On – if you are already signed on to the browser, the Kerberos ticket can log you in to another system
– The server requests an ‘authentication negotiation’ with the browser
• If the browser (and OS account) is appropriately configured, a Kerberos ticket can be transmitted in response
• Kerberos requires clients that support SPNEGO:
– Web browsers: IE, Firefox, Chrome
– Windows SDKs: .NET Client SDK, JavaScript Client SDK, C Client SDK, RunProtocol
– Not supported: other SDKs (Java), Linux SDKs or Pipeline Pilot client
New for 9.0
AEP Authentication Providers
Authentication Provider | 8.5 Windows | 8.5 Linux | 9.0 Windows | 9.0 Linux
File | Y | Y | Y | Y
Local | Y | Y | Y | Y
Domain | Y | Y | Y | Y
Kerberos | Y | – | Y | Y
Kerberos w/delegation | – | – | Y | –
SAML Sender Vouches | – | – | Y | Y
Changes for 9.0
• Kerberos on Linux
• Kerberos delegation on Windows
• SAML Sender Vouches
– SOAP-based
– Inbound/Outbound
• File authentication active with other methods
• Administration portal uses standard authentication
SAML Support
• SAML is Security Assertion Markup Language
– Commonly associated with SOAP services
– SAML allows federation of multiple Identity Providers (IdP)
• Often used in externalization scenarios to link IdPs across companies
• SAML Sender Vouches subject confirmation in AEP 9
– Web Services securely calling AEP
– AEP securely calling SAML protected Web Services
Inbound/Outbound SAML Support
[Diagram (slides “Outbound SAML Sender Vouches” and “Inbound SAML Sender Vouches”): inbound, the AEP 9.0 Server accepts SAML, Kerberos, Form Based or Basic authentication from browsers (IE, FF, Chrome), other clients and the SDKs (CALPP, NALPP, JALPP); outbound, the AEP 9.0 Server calls a ServiceContainer, WebLogic Server or other server using SAML, Kerberos, Username or Custom Cookie.]
Authorization
• Changes to permissions, groups
• Greater support for package specification
AEP 9.0 Security Model
Goals
• Implement scalable model
– Assignment via APIs
– Envision thousands of permission assignments
• Standardize terminology
– Groups, Users, Permissions
• Establish extension points
– Packages can manage their own security
Changes from 8.5
• Roles renamed to Permissions
– Role was really a permission to do something (e.g. use WebPort)
• All assignment happens against AEP users/groups
– OS groups cannot be used directly
• Packages can define Groups, Permissions, and Assignments
• Permissions should be verbs
– E.g. Platform/Logon, Platform/Administration/Logon
• Groups are used to define roles
– E.g. Platform/Administrators
Permissions
• Previously roles could be ‘Allow All’
– If no explicit assignment, all users had the role
• Now permissions must be explicitly assigned
– If you haven’t been assigned the permission, you don’t have it
• NEW: If you do not have the Platform/Logon permission, you cannot log on to any AEP service or application
8.5 Role Name | 9.0 Permission Name
Admin Portal | Platform/Administration/Logon
PPClient | Platform/PipelinePilot/Logon
PPClient/Administrator | Platform/PipelinePilot/Administer
Run Protocol | Platform/RunProtocol
WebPort | Platform/WebPort/Logon
– (new in 9.0) | Platform/Logon
Default ‘Platform’ Permission Assignments
Group | Members | Permissions
Administrators | scitegicadmin (user) | Administration/Logon, Logon, RunProtocol
DeniedUsers | – | ~Logon
PowerUsers | – | Logon, PipelinePilot/Logon, PipelinePilot/Administer, RunProtocol
Users | Everyone | Logon, PipelinePilot/Logon, PipelinePilot/Administer, RunProtocol
WebPort/Users | Everyone | WebPort/Logon
• AEP Built-In Groups:
– Platform/Everyone
• All users automatically belong to this group
– Platform/Users
• All general users of the AEP installation
– Platform/PowerUsers
• General user rights + ability to administer Pipeline Pilot
– Platform/Administrators
• Ability to use the Administration Portal and run administration components
– Platform/WebPort/Users
• Users that can log into WebPort
– Platform/DeniedUsers
• Used to prevent users from logging in to AEP
All group and permission names above start with Platform/ (E.g. Platform/Administrators, Platform/Everyone, Platform/Administration/Logon, Platform/WebPort/Logon)
Logon Authorization
• In 8.5 (and earlier) we could specify that a user had to belong to one or more groups in order to log on to the platform
– If groups were specified, the user had to belong to one of these groups to log in
– This was ‘authorization’ on the ‘authentication’ page
• In 9.0, the Platform/Logon permission controls the ability to log on to AEP
– By default all users (e.g. the group Platform/Users) have this permission
• By default every authenticated user can log in to AEP
– Since the Platform/Everyone group is a member of the Platform/Users group
– And the Platform/Users group has the Platform/Logon permission
• IMPORTANT: Always assign Platform/Logon to the Platform/Administrators group!
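Added example (not Accelrys code) working through the 9.0 model described on the Permissions, Default ‘Platform’ Permission Assignments and Logon Authorization slides: explicit assignment only, nested groups (Platform/Everyone inside Platform/Users), a ‘~’ entry read as a deny, Platform/Logon as the gate for everything else, and the lockout check behind the IMPORTANT note. Group and permission names are the deck’s defaults; the evaluation order (deny wins, membership expanded once at login) is an assumption, not the product’s documented algorithm.

```python
from typing import Dict, Iterable, List, Set

LOGON = "Platform/Logon"


class AuthzModel:
    """Groups with their members (users or nested groups) and their permission
    assignments. A '~' prefix on an assignment is read as a deny (assumption)."""

    def __init__(self) -> None:
        self.members: Dict[str, Set[str]] = {}
        self.assignments: Dict[str, List[str]] = {}

    def define_group(self, group: str, members: Iterable[str] = (),
                     permissions: Iterable[str] = ()) -> None:
        self.members[group] = set(members)
        self.assignments[group] = list(permissions)

    def groups_for(self, user: str, login_groups: Iterable[str] = ()) -> Set[str]:
        """Membership as resolved at login: Platform/Everyone (automatic), any
        groups reported at login (e.g. mapped from OS groups), direct memberships,
        then transitively every group that contains one of those groups."""
        found = {"Platform/Everyone", *login_groups}
        found |= {g for g, m in self.members.items() if user in m}
        changed = True
        while changed:
            changed = False
            for group, members in self.members.items():
                if group not in found and members & found:
                    found.add(group)
                    changed = True
        return found

    def permissions_for(self, user: str, login_groups: Iterable[str] = ()) -> Set[str]:
        """Effective permissions: only what is explicitly assigned to one of the
        user's groups (no 'Allow All'), minus anything a '~' entry denies."""
        granted: Set[str] = set()
        denied: Set[str] = set()
        for group in self.groups_for(user, login_groups):
            for perm in self.assignments.get(group, ()):
                if perm.startswith("~"):
                    denied.add(perm[1:])
                else:
                    granted.add(perm)
        return granted - denied

    def has_permission(self, user: str, permission: str,
                       login_groups: Iterable[str] = ()) -> bool:
        """What a 'Check User Has Permission' component would answer: without
        Platform/Logon the user reaches no service, so nothing else is granted."""
        perms = self.permissions_for(user, login_groups)
        return LOGON in perms and permission in perms

    def admin_lockout_risk(self) -> bool:
        """Configuration check for the IMPORTANT note: True when
        Platform/Administrators is not directly assigned Platform/Logon."""
        return LOGON not in self.assignments.get("Platform/Administrators", [])


def default_model() -> AuthzModel:
    """The deck's 'Default Platform Permission Assignments' table."""
    m = AuthzModel()
    m.define_group("Platform/Everyone")
    m.define_group("Platform/Administrators", ["scitegicadmin"],
                   ["Platform/Administration/Logon", LOGON, "Platform/RunProtocol"])
    m.define_group("Platform/DeniedUsers", [], ["~" + LOGON])
    m.define_group("Platform/PowerUsers", [],
                   [LOGON, "Platform/PipelinePilot/Logon",
                    "Platform/PipelinePilot/Administer", "Platform/RunProtocol"])
    m.define_group("Platform/Users", ["Platform/Everyone"],
                   [LOGON, "Platform/PipelinePilot/Logon",
                    "Platform/PipelinePilot/Administer", "Platform/RunProtocol"])
    m.define_group("Platform/WebPort/Users", ["Platform/Everyone"],
                   ["Platform/WebPort/Logon"])
    return m


if __name__ == "__main__":
    model = default_model()
    # An ordinary authenticated user logs on via Everyone -> Users.
    print(sorted(model.permissions_for("alice")))
    # A user placed in DeniedUsers (reported at login) loses Logon and, with it,
    # the ability to use anything else; 'alice' and 'bob' are constructed names.
    print(model.has_permission("bob", "Platform/WebPort/Logon",
                               ["Platform/DeniedUsers"]))
    print(model.admin_lockout_risk())
```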
Additional Details
Packages
• Each package can define
– Groups
– Permissions
– Assignments (i.e. which groups have which permissions)
• Permission assignments can be overwritten by the administrator
– Will be remembered when a package is reinstalled
• Package developers can use/extend the AEP Authorization Model
– Define their own groups and permissions
– Within protocols, use the ‘Check User Has Permission’ and ‘Check User Is Group Member’ components to restrict access
OS Group Usage
• In 9.0, operating system groups are only used to define Group Membership
– We call groups (i.e. the groups defined in AEP) Group throughout the system (administration portal and components)
– Group memberships are determined at login (may be determined from OS groups) and then stored with the session
– The administrator can control whether Operating System groups are used in a particular AEP installation
• The installer will migrate OS group security settings to the AEP 9 security model
Session Cookie
• Security Enhancements
Session Cookie Security Enhancements
• Restrict session cookies to a server
– Additional encryption key
– Session cookie can only be used on servers with the same key
– Set ‘Session Salt’ in Server Configuration to activate
• Leave empty to retain 8.5 behavior
• Non-persistent session cookies
– Delete cookie when browser is closed
– Set ‘Retain session cookie beyond web browser session’ to No
• Set to Yes to retain 8.5 behavior
• Restrict cookie use to secure connection
– Set ‘secure’ flag on cookies if SSL-only mode
• Do not set SSL-only to retain 8.5 behavior
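Added example (not Accelrys code) showing what the three cookie settings above change, with the 8.5 defaults beside the hardened configuration: a server-specific salt binds the cookie so another server cannot use it, dropping Max-Age makes the cookie die with the browser, and SSL-only adds the Secure flag. Only the setting names come from the slides; the cookie name, the HMAC construction and the value layout are assumptions for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

COOKIE_NAME = "AEPSESSION"  # constructed placeholder, not the product's cookie name


@dataclass
class CookieSettings:
    """The three 9.0 settings; every default below is the 8.5 behaviour."""
    session_salt: str = ""               # 'Session Salt' empty: cookie usable on any server
    retain_beyond_browser: bool = True   # 'Retain session cookie beyond web browser session' = Yes
    ssl_only: bool = False               # SSL-only mode off: no Secure flag


def issue_cookie_value(session_id: str, settings: CookieSettings) -> str:
    """With a salt set, the value carries an HMAC tag keyed by that salt, so a
    server with a different (or no) salt can neither mint nor verify it."""
    if not settings.session_salt:
        return session_id
    tag = hmac.new(settings.session_salt.encode(), session_id.encode(),
                   hashlib.sha256).hexdigest()
    return f"{session_id}.{tag}"


def accept_cookie_value(value: str, settings: CookieSettings) -> Optional[str]:
    """Return the session id if this server may use the cookie, else None."""
    if not settings.session_salt:
        return value.split(".", 1)[0]      # 8.5 behaviour: no server binding
    if "." not in value:
        return None                        # unsalted cookie presented to a salted server
    session_id, tag = value.split(".", 1)
    expected = hmac.new(settings.session_salt.encode(), session_id.encode(),
                        hashlib.sha256).hexdigest()
    return session_id if hmac.compare_digest(tag, expected) else None


def set_cookie_header(session_id: str, settings: CookieSettings,
                      max_age_seconds: int = 86400) -> str:
    """Build the Set-Cookie line the settings imply."""
    attrs = [f"{COOKIE_NAME}={issue_cookie_value(session_id, settings)}", "Path=/"]
    if settings.retain_beyond_browser:
        # Persistent cookie; omitting Max-Age makes the browser drop it on close.
        attrs.append(f"Max-Age={max_age_seconds}")
    if settings.ssl_only:
        attrs.append("Secure")  # browser sends it only over HTTPS
    return "Set-Cookie: " + "; ".join(attrs)


LEGACY = CookieSettings()                               # 8.5 behaviour throughout
HARDENED = CookieSettings(session_salt="server-A-salt",  # constructed salt value
                          retain_beyond_browser=False, ssl_only=True)

if __name__ == "__main__":
    print(set_cookie_header("s1", LEGACY))
    print(set_cookie_header("s1", HARDENED))
    other_server = CookieSettings(session_salt="server-B-salt")  # different salt
    print(accept_cookie_value(issue_cookie_value("s1", HARDENED), other_server))  # None
```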
Administration
• What’s new in the Administration Portal
Administration Portal Highlights
• Home Page
– Orient the administrator
– Shortcuts to common and recently used pages
• Extensible WAF container
– Applications can add their own administration pages
– Pages can be protected by permissions
Administration Portal Highlights
• New and updated Security pages
– Authentication
– Groups
– Permissions
– SAML
• Consolidated server information pages (Tomcat, Apache, etc.)
• Refreshed existing pages for consistency
Demo: Administration Portal
• New Administration Portal Home Page
• Sample Security Pages
Summary
• In this session we reviewed new security and administration features in 9.0
– Authentication methods
– Authorization model
– Session security
• More detailed information is available
– Kerberos/SPNEGO
– SAML
– Package development and the permissions model
– ATS6-DEV09 – Discussion of the SOAP Connector accessing SAML Sender Vouches protected SOAP Web Services

More Related Content

What's hot

How to Use NDS eDirectory to Secure Apache Web Server for NetWare
How to Use NDS eDirectory to Secure Apache Web Server for NetWareHow to Use NDS eDirectory to Secure Apache Web Server for NetWare
How to Use NDS eDirectory to Secure Apache Web Server for NetWare
webhostingguy
 
Essbase installation 11.1.1.3 chapter
Essbase installation 11.1.1.3 chapterEssbase installation 11.1.1.3 chapter
Essbase installation 11.1.1.3 chapter
Amit Sharma
 
John Burkholder: SharePoint 2010 in a multi tenant and hosted environment-nyc
John Burkholder: SharePoint 2010 in a multi tenant and hosted environment-nycJohn Burkholder: SharePoint 2010 in a multi tenant and hosted environment-nyc
John Burkholder: SharePoint 2010 in a multi tenant and hosted environment-nyc
SharePoint Saturday NY
 
Tutorial Installasi Ubuntu 11.04 untuk Webhost dengan Webmin dan Virtualmin
Tutorial Installasi Ubuntu 11.04 untuk Webhost dengan Webmin dan VirtualminTutorial Installasi Ubuntu 11.04 untuk Webhost dengan Webmin dan Virtualmin
Tutorial Installasi Ubuntu 11.04 untuk Webhost dengan Webmin dan Virtualmin
Beni Krisbiantoro
 
Brian Jackett: Managing SharePoint 2010 Farms with Powershell
Brian Jackett: Managing SharePoint 2010 Farms with PowershellBrian Jackett: Managing SharePoint 2010 Farms with Powershell
Brian Jackett: Managing SharePoint 2010 Farms with Powershell
SharePoint Saturday NY
 
INTRODUCTION TO IIS
INTRODUCTION TO IISINTRODUCTION TO IIS
INTRODUCTION TO IIS
sanya6900
 
ApacheCon NA 2010 - High Performance Cloud-enabled SCA Runtimes
ApacheCon NA 2010 - High Performance Cloud-enabled SCA RuntimesApacheCon NA 2010 - High Performance Cloud-enabled SCA Runtimes
ApacheCon NA 2010 - High Performance Cloud-enabled SCA Runtimes
Jean-Sebastien Delfino
 
Obiee installation 31 july
Obiee installation 31 julyObiee installation 31 july
Obiee installation 31 july
Amit Sharma
 
Installing and Configuring Oracle Beehive Clients (whitepaper)
Installing and Configuring Oracle Beehive Clients (whitepaper)Installing and Configuring Oracle Beehive Clients (whitepaper)
Installing and Configuring Oracle Beehive Clients (whitepaper)
Revelation Technologies
 
ApacheCon NA 2010 - Building Apps with Apache Tuscany
ApacheCon NA 2010 - Building Apps with Apache TuscanyApacheCon NA 2010 - Building Apps with Apache Tuscany
ApacheCon NA 2010 - Building Apps with Apache Tuscany
Jean-Sebastien Delfino
 

What's hot (20)

One push architecture total architecture
One push architecture   total architectureOne push architecture   total architecture
One push architecture total architecture
 
How to Use NDS eDirectory to Secure Apache Web Server for NetWare
How to Use NDS eDirectory to Secure Apache Web Server for NetWareHow to Use NDS eDirectory to Secure Apache Web Server for NetWare
How to Use NDS eDirectory to Secure Apache Web Server for NetWare
 
Aem offline content
Aem offline contentAem offline content
Aem offline content
 
000webhost
000webhost000webhost
000webhost
 
Essbase installation 11.1.1.3 chapter
Essbase installation 11.1.1.3 chapterEssbase installation 11.1.1.3 chapter
Essbase installation 11.1.1.3 chapter
 
John Burkholder: SharePoint 2010 in a multi tenant and hosted environment-nyc
John Burkholder: SharePoint 2010 in a multi tenant and hosted environment-nycJohn Burkholder: SharePoint 2010 in a multi tenant and hosted environment-nyc
John Burkholder: SharePoint 2010 in a multi tenant and hosted environment-nyc
 
Citrix xenapp Training in Hyderabad
Citrix xenapp Training in HyderabadCitrix xenapp Training in Hyderabad
Citrix xenapp Training in Hyderabad
 
Tutorial Installasi Ubuntu 11.04 untuk Webhost dengan Webmin dan Virtualmin
Tutorial Installasi Ubuntu 11.04 untuk Webhost dengan Webmin dan VirtualminTutorial Installasi Ubuntu 11.04 untuk Webhost dengan Webmin dan Virtualmin
Tutorial Installasi Ubuntu 11.04 untuk Webhost dengan Webmin dan Virtualmin
 
Installing web sphere application server v7 on red hat enterprise linux v6.3
Installing web sphere application server v7 on red hat enterprise linux v6.3Installing web sphere application server v7 on red hat enterprise linux v6.3
Installing web sphere application server v7 on red hat enterprise linux v6.3
 
IIS 7.0 Architecture And Integration With Asp.Net
IIS 7.0 Architecture And Integration With Asp.NetIIS 7.0 Architecture And Integration With Asp.Net
IIS 7.0 Architecture And Integration With Asp.Net
 
Plesklinux11
Plesklinux11Plesklinux11
Plesklinux11
 
Brian Jackett: Managing SharePoint 2010 Farms with Powershell
Brian Jackett: Managing SharePoint 2010 Farms with PowershellBrian Jackett: Managing SharePoint 2010 Farms with Powershell
Brian Jackett: Managing SharePoint 2010 Farms with Powershell
 
SharePoint 2010 Upgrade User Group and SharePoint Saturday
SharePoint 2010 Upgrade User Group and SharePoint SaturdaySharePoint 2010 Upgrade User Group and SharePoint Saturday
SharePoint 2010 Upgrade User Group and SharePoint Saturday
 
Install and configure_hfm 11.1.2.3
Install and configure_hfm 11.1.2.3Install and configure_hfm 11.1.2.3
Install and configure_hfm 11.1.2.3
 
OWIN
OWINOWIN
OWIN
 
INTRODUCTION TO IIS
INTRODUCTION TO IISINTRODUCTION TO IIS
INTRODUCTION TO IIS
 
ApacheCon NA 2010 - High Performance Cloud-enabled SCA Runtimes
ApacheCon NA 2010 - High Performance Cloud-enabled SCA RuntimesApacheCon NA 2010 - High Performance Cloud-enabled SCA Runtimes
ApacheCon NA 2010 - High Performance Cloud-enabled SCA Runtimes
 
Obiee installation 31 july
Obiee installation 31 julyObiee installation 31 july
Obiee installation 31 july
 
Installing and Configuring Oracle Beehive Clients (whitepaper)
Installing and Configuring Oracle Beehive Clients (whitepaper)Installing and Configuring Oracle Beehive Clients (whitepaper)
Installing and Configuring Oracle Beehive Clients (whitepaper)
 
ApacheCon NA 2010 - Building Apps with Apache Tuscany
ApacheCon NA 2010 - Building Apps with Apache TuscanyApacheCon NA 2010 - Building Apps with Apache Tuscany
ApacheCon NA 2010 - Building Apps with Apache Tuscany
 

Viewers also liked

Tefl20130528 6key
Tefl20130528 6keyTefl20130528 6key
Tefl20130528 6key
youwatari
 
Mel20140423 2key
Mel20140423 2keyMel20140423 2key
Mel20140423 2key
youwatari
 

Viewers also liked (9)

Tefl20130528 6key
Tefl20130528 6keyTefl20130528 6key
Tefl20130528 6key
 
Sebastian
SebastianSebastian
Sebastian
 
Mel20140423 2key
Mel20140423 2keyMel20140423 2key
Mel20140423 2key
 
Serão os prematuros irrequietos e distraidos?
Serão os prematuros irrequietos e distraidos?Serão os prematuros irrequietos e distraidos?
Serão os prematuros irrequietos e distraidos?
 
(ATS6-PLAT06) Maximizing AEP Performance
(ATS6-PLAT06) Maximizing AEP Performance(ATS6-PLAT06) Maximizing AEP Performance
(ATS6-PLAT06) Maximizing AEP Performance
 
O que se passa num cérebro deprimido?
O que se passa num cérebro deprimido?O que se passa num cérebro deprimido?
O que se passa num cérebro deprimido?
 
Merieme HAROUCHE : Kératocône du diagnostic au traitement
Merieme HAROUCHE : Kératocône du diagnostic au traitementMerieme HAROUCHE : Kératocône du diagnostic au traitement
Merieme HAROUCHE : Kératocône du diagnostic au traitement
 
Merieme HAROUCHE : Le Relex Smile Correction de la myopie au laser Femtosec...
Merieme HAROUCHE : Le Relex Smile Correction de la myopie  au laser Femtosec...Merieme HAROUCHE : Le Relex Smile Correction de la myopie  au laser Femtosec...
Merieme HAROUCHE : Le Relex Smile Correction de la myopie au laser Femtosec...
 
Introduction to Refractive Eye Surgery
Introduction to Refractive Eye SurgeryIntroduction to Refractive Eye Surgery
Introduction to Refractive Eye Surgery
 

Similar to (ATS6-PLAT05) Security enhancements in AEP 9

Application Virtualization overview - BayCUG
Application Virtualization overview - BayCUGApplication Virtualization overview - BayCUG
Application Virtualization overview - BayCUG
Denis Gundarev
 
E gov security_tut_session_4_lab
E gov security_tut_session_4_labE gov security_tut_session_4_lab
E gov security_tut_session_4_lab
Mustafa Jarrar
 
Google appenginejava.ppt
Google appenginejava.pptGoogle appenginejava.ppt
Google appenginejava.ppt
Young Alista
 

Similar to (ATS6-PLAT05) Security enhancements in AEP 9 (20)

(ATS4-PLAT02) Security Enhancements in Accelrys Enterprise Platform 9.0
(ATS4-PLAT02) Security Enhancements in Accelrys Enterprise Platform 9.0(ATS4-PLAT02) Security Enhancements in Accelrys Enterprise Platform 9.0
(ATS4-PLAT02) Security Enhancements in Accelrys Enterprise Platform 9.0
 
(ATS4-PLAT01) Core Architecture Changes in AEP 9.0 and their Impact on Admini...
(ATS4-PLAT01) Core Architecture Changes in AEP 9.0 and their Impact on Admini...(ATS4-PLAT01) Core Architecture Changes in AEP 9.0 and their Impact on Admini...
(ATS4-PLAT01) Core Architecture Changes in AEP 9.0 and their Impact on Admini...
 
59264945-Websphere-Security.pdf
59264945-Websphere-Security.pdf59264945-Websphere-Security.pdf
59264945-Websphere-Security.pdf
 
Application Virtualization overview - BayCUG
Application Virtualization overview - BayCUGApplication Virtualization overview - BayCUG
Application Virtualization overview - BayCUG
 
Apache logs monitoring
Apache logs monitoringApache logs monitoring
Apache logs monitoring
 
SharePoint 2013 - What's New
SharePoint 2013 - What's NewSharePoint 2013 - What's New
SharePoint 2013 - What's New
 
(ATS6-PLAT08) AEP in a Validated Environment
(ATS6-PLAT08) AEP in a Validated Environment(ATS6-PLAT08) AEP in a Validated Environment
(ATS6-PLAT08) AEP in a Validated Environment
 
E gov security_tut_session_4_lab
E gov security_tut_session_4_labE gov security_tut_session_4_lab
E gov security_tut_session_4_lab
 
(ATS6-DEV09) Deep Dive into REST and SOAP Integration for Protocol Authors
(ATS6-DEV09) Deep Dive into REST and SOAP Integration for Protocol Authors(ATS6-DEV09) Deep Dive into REST and SOAP Integration for Protocol Authors
(ATS6-DEV09) Deep Dive into REST and SOAP Integration for Protocol Authors
 
EPiServer Deployment Tips & Tricks
EPiServer Deployment Tips & TricksEPiServer Deployment Tips & Tricks
EPiServer Deployment Tips & Tricks
 
SAP TechEd 2013 session Tec118 managing your-environment
SAP TechEd 2013 session Tec118 managing your-environmentSAP TechEd 2013 session Tec118 managing your-environment
SAP TechEd 2013 session Tec118 managing your-environment
 
Mysql user-camp-march-11th-2016
Mysql user-camp-march-11th-2016Mysql user-camp-march-11th-2016
Mysql user-camp-march-11th-2016
 
Season 4 [Free OpManager training] Part2- Monitoring Server Performance
Season 4 [Free OpManager training] Part2- Monitoring Server PerformanceSeason 4 [Free OpManager training] Part2- Monitoring Server Performance
Season 4 [Free OpManager training] Part2- Monitoring Server Performance
 
Sutol How To Be A Lion Tamer
Sutol How To Be A Lion TamerSutol How To Be A Lion Tamer
Sutol How To Be A Lion Tamer
 
Alfresco DevCon 2019: BiDirectional Sync to Other Platforms
Alfresco DevCon 2019: BiDirectional Sync to Other PlatformsAlfresco DevCon 2019: BiDirectional Sync to Other Platforms
Alfresco DevCon 2019: BiDirectional Sync to Other Platforms
 
WebSockets in Enterprise Applications
WebSockets in Enterprise ApplicationsWebSockets in Enterprise Applications
WebSockets in Enterprise Applications
 
SharePoint Topology
SharePoint Topology SharePoint Topology
SharePoint Topology
 
Managing your exchange architecture
Managing your exchange architectureManaging your exchange architecture
Managing your exchange architecture
 
Build and Manage Your APIs with Amazon API Gateway
Build and Manage Your APIs with Amazon API GatewayBuild and Manage Your APIs with Amazon API Gateway
Build and Manage Your APIs with Amazon API Gateway
 
Google appenginejava.ppt
Google appenginejava.pptGoogle appenginejava.ppt
Google appenginejava.ppt
 

More from BIOVIA

(ATS6-PLAT03) What's behind Discngine collections
(ATS6-PLAT03) What's behind Discngine collections(ATS6-PLAT03) What's behind Discngine collections
(ATS6-PLAT03) What's behind Discngine collections
BIOVIA
 
(ATS6-APP07) Configuration of Accelrys ELN to Clone to the Latest Template Ve...
(ATS6-APP07) Configuration of Accelrys ELN to Clone to the Latest Template Ve...(ATS6-APP07) Configuration of Accelrys ELN to Clone to the Latest Template Ve...
(ATS6-APP07) Configuration of Accelrys ELN to Clone to the Latest Template Ve...
BIOVIA
 

More from BIOVIA (20)

ScienceCloud: Collaborative Workflows in Biologics R&D
ScienceCloud: Collaborative Workflows in Biologics R&DScienceCloud: Collaborative Workflows in Biologics R&D
ScienceCloud: Collaborative Workflows in Biologics R&D
 
(ATS6-PLAT03) What's behind Discngine collections
(ATS6-PLAT03) What's behind Discngine collections(ATS6-PLAT03) What's behind Discngine collections
(ATS6-PLAT03) What's behind Discngine collections
 
(ATS6-PLAT09) Deploying Applications on load balanced AEP servers for high av...
(ATS6-PLAT09) Deploying Applications on load balanced AEP servers for high av...(ATS6-PLAT09) Deploying Applications on load balanced AEP servers for high av...
(ATS6-PLAT09) Deploying Applications on load balanced AEP servers for high av...
 
(ATS6-PLAT07) Managing AEP in an enterprise environment
(ATS6-PLAT07) Managing AEP in an enterprise environment(ATS6-PLAT07) Managing AEP in an enterprise environment
(ATS6-PLAT07) Managing AEP in an enterprise environment
 
(ATS6-PLAT04) Query service
(ATS6-PLAT04) Query service (ATS6-PLAT04) Query service
(ATS6-PLAT04) Query service
 
(ATS6-PLAT02) Accelrys Catalog and Protocol Validation
(ATS6-PLAT02) Accelrys Catalog and Protocol Validation(ATS6-PLAT02) Accelrys Catalog and Protocol Validation
(ATS6-PLAT02) Accelrys Catalog and Protocol Validation
 
(ATS6-PLAT01) Chemistry Harmonization: Bringing together the Direct 9 and Pip...
(ATS6-PLAT01) Chemistry Harmonization: Bringing together the Direct 9 and Pip...(ATS6-PLAT01) Chemistry Harmonization: Bringing together the Direct 9 and Pip...
(ATS6-PLAT01) Chemistry Harmonization: Bringing together the Direct 9 and Pip...
 
(ATS6-GS04) Performance Analysis of Accelrys Enterprise Platform 9.0 on IBM’s...
(ATS6-GS04) Performance Analysis of Accelrys Enterprise Platform 9.0 on IBM’s...(ATS6-GS04) Performance Analysis of Accelrys Enterprise Platform 9.0 on IBM’s...
(ATS6-GS04) Performance Analysis of Accelrys Enterprise Platform 9.0 on IBM’s...
 
(ATS6-GS02) Integrating Contur and HEOS
(ATS6-GS02) Integrating Contur and HEOS(ATS6-GS02) Integrating Contur and HEOS
(ATS6-GS02) Integrating Contur and HEOS
 
(ATS6-GS01) Welcome
(ATS6-GS01) Welcome (ATS6-GS01) Welcome
(ATS6-GS01) Welcome
 
(ATS6-DEV08) Integrating Contur ELN with other systems using a RESTful API
(ATS6-DEV08) Integrating Contur ELN with other systems using a RESTful API(ATS6-DEV08) Integrating Contur ELN with other systems using a RESTful API
(ATS6-DEV08) Integrating Contur ELN with other systems using a RESTful API
 
(ATS6-DEV07) Building widgets for ELN home page
(ATS6-DEV07) Building widgets for ELN home page(ATS6-DEV07) Building widgets for ELN home page
(ATS6-DEV07) Building widgets for ELN home page
 
(ATS6-DEV06) Using Packages for Protocol, Component, and Application Delivery
(ATS6-DEV06) Using Packages for Protocol, Component, and Application Delivery(ATS6-DEV06) Using Packages for Protocol, Component, and Application Delivery
(ATS6-DEV06) Using Packages for Protocol, Component, and Application Delivery
 
(ATS6-DEV05) Building Interactive Web Applications with the Reporting Collection
(ATS6-DEV05) Building Interactive Web Applications with the Reporting Collection(ATS6-DEV05) Building Interactive Web Applications with the Reporting Collection
(ATS6-DEV05) Building Interactive Web Applications with the Reporting Collection
 
(ATS6-DEV04) Building Web MashUp applications that include Accelrys Applicati...
(ATS6-DEV04) Building Web MashUp applications that include Accelrys Applicati...(ATS6-DEV04) Building Web MashUp applications that include Accelrys Applicati...
(ATS6-DEV04) Building Web MashUp applications that include Accelrys Applicati...
 
(ATS6-DEV03) Building an Enterprise Web Solution with AEP
(ATS6-DEV03) Building an Enterprise Web Solution with AEP(ATS6-DEV03) Building an Enterprise Web Solution with AEP
(ATS6-DEV03) Building an Enterprise Web Solution with AEP
 
(ATS6-DEV02) Web Application Strategies
(ATS6-DEV02) Web Application Strategies(ATS6-DEV02) Web Application Strategies
(ATS6-DEV02) Web Application Strategies
 
(ATS6-DEV01) What’s new for Protocol and Component Developers in AEP 9.0
(ATS6-DEV01) What’s new for Protocol and Component Developers in AEP 9.0(ATS6-DEV01) What’s new for Protocol and Component Developers in AEP 9.0
(ATS6-DEV01) What’s new for Protocol and Component Developers in AEP 9.0
 
(ATS6-APP09) ELN configuration management with ADM
(ATS6-APP09) ELN configuration management with ADM(ATS6-APP09) ELN configuration management with ADM
(ATS6-APP09) ELN configuration management with ADM
 
(ATS6-APP07) Configuration of Accelrys ELN to Clone to the Latest Template Ve...
(ATS6-APP07) Configuration of Accelrys ELN to Clone to the Latest Template Ve...(ATS6-APP07) Configuration of Accelrys ELN to Clone to the Latest Template Ve...
(ATS6-APP07) Configuration of Accelrys ELN to Clone to the Latest Template Ve...
 

Recently uploaded

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 

Recently uploaded (20)

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 

(ATS6-PLAT05) Security enhancements in AEP 9

  • 1. (ATS6-PLAT05) Security enhancements in AEP 9
    Jon Hurley, Senior Manager, Platform R&D, Jon.Hurley@accelrys.com
  • 2. The information on the roadmap and future software development efforts are intended to outline general product direction and should not be relied on in making a purchasing decision.
  • 3. Content
    • Security
      – Authentication
      – Authorization
      – Session Security
    • Administration Portal
      – Home Page
      – Extensible WAF container
      – New and updated Security pages
  • 4. Authentication vs. Authorization
    • Authentication
      – Determination of identity, i.e. who you are
      – Usually provided by an external service, e.g. Active Directory
    • Authorization
      – Controls access to resources
      – E.g. ability to use the admin portal
      – E.g. access to a particular XMLDB folder
  • 6. Authentication
    • AEP can use an external authentication service
      – Local or Domain authentication
      – ‘File’ authentication can be enabled independently
      – SSL can be required
    • File authentication active with other methods
      – File is attempted first, then the external service
      – DO NOT create File users with the same name as Domain accounts
    • Anonymous account can be a ‘File’ or a domain account
      – Protocols run with file accounts will not impersonate
    • Administration portal uses standard authentication
      – Platform/Administration/Logon permission required
  • 7. Enhanced support for Kerberos/SPNEGO
    • Kerberos Delegation on Windows
      – Full or Restricted Impersonation
      – Protocols can use their Kerberos token to connect to other Kerberized resources (e.g. UNC files, HTTP services, SQL Server databases)
      – Requires the AEP server configured for Impersonation and the Kerberos realm (e.g. Active Directory) configured to allow Delegation
    • Kerberos Authentication on Linux
      – Kerberos authentication is now supported on Linux
      – Delegation is NOT supported on Linux in AEP 9.0
    • Kerberos requires clients that support SPNEGO
      – Web browsers: IE, Firefox, Chrome
      – Windows SDKs: .NET Client SDK, JavaScript Client SDK, C Client SDK, RunProtocol
      – Not supported: other SDKs (Java), Linux SDKs or Pipeline Pilot client
  • 8. What is Kerberos?
    • Kerberos is ticket-based authentication baked into the Operating System
      – Many components (e.g. Web Browsers) are able to transmit Kerberos tickets
    • Provides Single Sign On: if you are already signed on to the browser, the Kerberos ticket can log you in to another system
      – The server requests an ‘authentication negotiation’ with the browser
      – If the browser (and OS account) is appropriately configured, a Kerberos ticket can be transmitted in response
    • Kerberos requires clients that support SPNEGO:
      – Web browsers: IE, Firefox, Chrome
      – Windows SDKs: .NET Client SDK, JavaScript Client SDK, C Client SDK, RunProtocol
      – Not supported: other SDKs (Java), Linux SDKs or Pipeline Pilot client
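The slide says Kerberos needs SPNEGO-capable clients but not how a server can tell what it actually got back. This added Python example (not AEP code) classifies the Authorization header a client returns after a `WWW-Authenticate: Negotiate` challenge as an SPNEGO wrapper, a bare Kerberos token, or an NTLM message, which is what you want logged when a client silently falls back. The OID constants are the standard GSS-API mechanism identifiers; the sample headers are constructed and carry dummy payloads, not real tickets.

```python
import base64
# DER-encoded mechanism OIDs (tag 0x06 + length + value) as they appear in a GSS-API token.
OID_SPNEGO = b"\x06\x06\x2b\x06\x01\x05\x05\x02"              # 1.3.6.1.5.5.2
OID_KRB5 = b"\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"    # 1.2.840.113554.1.2.2
NTLM_SIGNATURE = b"NTLMSSP\x00"                                # raw NTLM message, not Kerberos

def _der_length(buf: bytes, pos: int):
    """Decode the DER length field at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("malformed DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def classify_negotiate_token(token: bytes) -> str:
    """Outer form of the token: 'spnego', 'kerberos', 'ntlm' or 'unknown'. A SPNEGO wrapper
    may still negotiate NTLM inside; the server's GSS-API/SSPI layer reports the final mechanism."""
    if token.startswith(NTLM_SIGNATURE):
        return "ntlm"
    if not token or token[0] != 0x60:          # RFC 2743 InitialContextToken tag
        return "unknown"
    try:
        _, pos = _der_length(token, 1)
    except (ValueError, IndexError):
        return "unknown"
    if token.startswith(OID_SPNEGO, pos):
        return "spnego"
    if token.startswith(OID_KRB5, pos):
        return "kerberos"
    return "unknown"

def classify_authorization_header(header: str) -> str:
    """Classify the Authorization header a client returns for a 'WWW-Authenticate: Negotiate' challenge."""
    scheme, _, b64 = header.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "unknown"                       # e.g. Basic or form-based fallback instead
    try:
        return classify_negotiate_token(base64.b64decode(b64, validate=True))
    except ValueError:                         # binascii.Error is a ValueError subclass
        return "unknown"

# Constructed sample tokens: short-form length (0x0a = 10 body bytes) and long-form (0x81 0xd3 = 211).
SAMPLE_HEADERS = {
    "spnego": "Negotiate " + base64.b64encode(b"\x60\x0a" + OID_SPNEGO + b"\xa0\x00").decode(),
    "kerberos": "Negotiate " + base64.b64encode(b"\x60\x81\xd3" + OID_KRB5 + b"\x00" * 200).decode(),
    "ntlm": "Negotiate " + base64.b64encode(NTLM_SIGNATURE + b"\x01\x00\x00\x00").decode(),
}
```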
  • 9. AEP Authentication Providers
    Authentication Provider    8.5 Windows   8.5 Linux   9.0 Windows   9.0 Linux
    File                       Y             Y           Y             Y
    Local                      Y             Y           Y             Y
    Domain                     Y             Y           Y             Y
    Kerberos                   Y                         Y             Y
    Kerberos w/delegation                                Y
    SAML Sender Vouches                                  Y             Y
    New for 9.0 (changes for 9.0):
    • Kerberos on Linux
    • Kerberos delegation on Windows
    • SAML Sender Vouches
      – SOAP-based
      – Inbound/Outbound
    • File authentication active with other methods
    • Administration portal uses standard authentication
  • 10. SAML Support
    • SAML is Security Assertion Markup Language
      – Commonly associated with SOAP services
      – SAML allows federation of multiple Identity Providers (IdP)
        • Often used in externalization scenarios to link IdPs across companies
    • SAML Sender Vouches Sender Confirmation in AEP 9
      – Web Services securely calling AEP
      – AEP securely calling SAML-protected Web Services
  • 11. Inbound/Outbound SAML Support
    [Diagram slide; only its labels survive extraction. Two panels, "Outbound SAML Sender Vouches" and "Inbound SAML Sender Vouches", connect an AEP 9.0 Server with a Browser (IE, FF, Chrome), Other Clients, SDKs (CALPP, NALPP, JALPP) and service hosts (ServiceContainer, WebLogic Server, Other Server). Credential types labelled on the connections: SAML, Kerberos, Username, Custom Cookie, Form Based, Basic.]
  • 12. Authorization
    • Changes to permissions, groups
    • Greater support for package specification
  • 13. AEP 9.0 Security Model
    Goals
    • Implement scalable model
      – Assignment via APIs
      – Envision thousands of permission assignments
    • Standardize terminology
      – Groups, Users, Permissions
    • Establish extension points
      – Packages can manage their own security
    Changes from 8.5
    • Roles renamed to Permissions
      – A role was really a permission to do something (e.g. use WebPort)
    • All assignment happens against AEP users/groups
      – OS groups cannot be used directly
    • Packages can define Groups, Permissions, and Assignments
  • 14. Permissions
    • Permissions should be verbs
      – E.g. Platform/Logon, Platform/Administration/Logon
    • Groups are used to define roles
      – E.g. Platform/Administrators
    • Previously roles could be ‘Allow All’
      – If there was no explicit assignment, all users had the role
    • Now permissions must be explicitly assigned
      – If you haven’t been assigned the permission, you don’t have it
    • NEW: If you do not have Platform/Logon, you cannot log on to any AEP service or application
    8.5 Role Name            9.0 Permission Name
    Admin Portal             Platform/Administration/Logon
    PPClient                 Platform/PipelinePilot/Logon
    PPClient/Administrator   Platform/PipelinePilot/Administer
    Run Protocol             Platform/RunProtocol
    WebPort                  Platform/WebPort/Logon
    (new in 9.0)             Platform/Logon
  • 15. Default ‘Platform’ Permission Assignments
    Group            Members                 Permissions
    Administrators   scitegicadmin (user)    Administration/Logon, Logon, RunProtocol
    DeniedUsers      –                       ~Logon
    PowerUsers       –                       Logon, PipelinePilot/Logon, PipelinePilot/Administer, RunProtocol
    Users            Everyone                Logon, PipelinePilot/Logon, PipelinePilot/Administer, RunProtocol
    WebPort/Users    Everyone                WebPort/Logon
    All group and permission names above start with Platform/ (e.g. Platform/Administrators, Platform/Everyone, Platform/Administration/Logon, Platform/WebPort/Logon)
    • AEP Built-In Groups:
      – Platform/Everyone: all users automatically belong to this group
      – Platform/Users: all general users of the AEP installation
      – Platform/PowerUsers: general user rights + ability to administer Pipeline Pilot
      – Platform/Administrators: ability to use the Administration Portal and run administration components
      – Platform/WebPort/Users: users that can log into WebPort
      – Platform/DeniedUsers: used to prevent users from logging in to AEP
  • 16. Logon Authorization
    • In 8.5 (and earlier) we could specify that a user had to belong to one or more groups in order to log on to the platform
      – If groups were specified, the user had to belong to one of these groups to log in
      – This was ‘authorization’ on the ‘authentication’ page
    • In 9.0, the Platform/Logon permission controls the ability to log on to AEP
      – By default all users (e.g. the group Platform/Users) have this permission
    • By default every authenticated user can log in to AEP
      – Since the Platform/Everyone group is a member of the Platform/Users group
      – And the Platform/Users group has the Platform/Logon permission
    • IMPORTANT: Always assign Platform/Logon to the Platform/Administrators group!
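Slides 14 to 16 describe the model in words; this added Python example (not AEP code, and not its configuration format) resolves a user's effective permissions through nested group membership and shows why the logon rule matters. Group and permission names are the slides' own, using a subset of the default assignments; the deny reading of the `~Logon` entry and the `login_groups` parameter (standing in for memberships mapped from OS groups at login) are assumptions of this example.

```python
from collections import deque

# Constructed illustration of the slide's model: a group holds users or other groups, and
# permissions are assigned to groups. A subset of the default Platform/ assignments is used;
# this is not AEP's own configuration format.
GROUP_MEMBERS = {
    "Platform/Everyone": set(),                     # every authenticated user, added implicitly
    "Platform/Users": {"Platform/Everyone"},        # so every user is also a Platform/Users member
    "Platform/WebPort/Users": {"Platform/Everyone"},
    "Platform/Administrators": {"scitegicadmin"},
    "Platform/PowerUsers": set(),
    "Platform/DeniedUsers": set(),
}
GROUP_PERMISSIONS = {
    "Platform/Administrators": {"Platform/Administration/Logon", "Platform/Logon", "Platform/RunProtocol"},
    "Platform/Users": {"Platform/Logon", "Platform/PipelinePilot/Logon", "Platform/RunProtocol"},
    "Platform/PowerUsers": {"Platform/Logon", "Platform/PipelinePilot/Logon",
                            "Platform/PipelinePilot/Administer", "Platform/RunProtocol"},
    "Platform/WebPort/Users": {"Platform/WebPort/Logon"},
    "Platform/DeniedUsers": {"~Platform/Logon"},    # '~' read as an explicit deny (assumption)
}

def groups_of(user, login_groups=(), members=GROUP_MEMBERS):
    """Transitive group membership, seeded with the user, the groups supplied at login
    (e.g. mapped from OS groups) and the implicit Platform/Everyone."""
    found = {user, "Platform/Everyone", *login_groups}
    queue = deque(found)
    while queue:
        current = queue.popleft()
        for parent, kids in members.items():
            if current in kids and parent not in found:
                found.add(parent)
                queue.append(parent)
    found.discard(user)
    return found

def effective_permissions(user, login_groups=(), members=GROUP_MEMBERS, perms=GROUP_PERMISSIONS):
    """Union of the permissions of every group the user resolves to. A '~' entry removes the
    permission even if another group grants it (deny wins; an assumption of this example)."""
    allowed, denied = set(), set()
    for group in groups_of(user, login_groups, members):
        for perm in perms.get(group, ()):
            (denied if perm.startswith("~") else allowed).add(perm.lstrip("~"))
    return allowed - denied

def can_logon(user, login_groups=(), members=GROUP_MEMBERS, perms=GROUP_PERMISSIONS):
    """Slide 16: without Platform/Logon the user cannot log on to any AEP service or application."""
    return "Platform/Logon" in effective_permissions(user, login_groups, members, perms)
```

Passing a copy of `GROUP_PERMISSIONS` with `Platform/Logon` removed from both `Platform/Users` and `Platform/Administrators` shows the lockout the slide's IMPORTANT note warns about: `can_logon("scitegicadmin", perms=...)` becomes False.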
  • 17. Additional Details
    Packages
    • Each package can define
      – Groups
      – Permissions
      – Assignments (i.e. which groups have which permissions)
    • Permission assignments can be overwritten by the administrator
      – Will be remembered when a package is reinstalled
    • Package developers can use/extend the AEP Authorization Model
      – Define their own groups and permissions
      – Within protocols, use the ‘Check User Has Permission’ and ‘Check User Is Group Member’ components to restrict access
    OS Group Usage
    • In 9.0, operating system groups are only used to define Group Membership
      – We call groups (i.e. the groups defined in AEP) Group throughout the system (administration portal and components)
      – Group memberships are determined at login (may be determined from OS groups) and then stored with the session
      – The administrator can control whether Operating System groups are used in a particular AEP installation
    • The installer will migrate OS group security settings to the AEP 9 security model
  • 19. Session Cookie Security Enhancements
    • Restrict session cookies to a server
      – Additional encryption key
      – Session cookie can only be used on servers with the same key
      – Set ‘Session Salt’ in Server Configuration to activate
        • Leave empty to retain 8.5 behavior
    • Non-persistent session cookies
      – Delete cookie when browser is closed
      – Set ‘Retain session cookie beyond web browser session’ to No
        • Set to Yes to retain 8.5 behavior
    • Restrict cookie use to secure connection
      – Set ‘secure’ flag on cookies if SSL-only mode
        • Do not set SSL-only to retain 8.5 behavior
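The three settings above get one line each; this added Python example (not AEP's implementation, whose cookie format the slide does not describe) shows one way each of them changes a Set-Cookie header and why a key-bound cookie stops working on a server configured with a different key. The cookie name, the HMAC construction and the lifetime value are assumptions.

```python
import hashlib
import hmac
from http.cookies import SimpleCookie

COOKIE_NAME = "AEPSESSION"   # placeholder name for illustration, not AEP's real cookie name

def _tag(session_id: str, session_salt: str) -> str:
    """HMAC of the session id under the server's key; only a server holding the same key recomputes it."""
    return hmac.new(session_salt.encode(), session_id.encode(), hashlib.sha256).hexdigest()

def issue_session_cookie(session_id, session_salt="", ssl_only=False, retain_beyond_browser_session=True):
    """Build the Set-Cookie header. The defaults (empty salt, persistent, no Secure flag) reproduce
    the 8.5 behaviour described on the slide; each of the three enhancements is one argument."""
    value = session_id if not session_salt else f"{session_id}.{_tag(session_id, session_salt)}"
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = value
    if ssl_only:
        cookie[COOKIE_NAME]["secure"] = True          # browser returns the cookie over HTTPS only
    if retain_beyond_browser_session:
        cookie[COOKIE_NAME]["max-age"] = 8 * 3600     # persistent cookie; constructed lifetime
    # With no Max-Age/Expires the browser treats it as a session cookie and discards it on close.
    return cookie.output(header="Set-Cookie:").strip()

def cookie_value(set_cookie_header: str) -> str:
    """Extract the cookie value from a Set-Cookie header (what the browser would send back)."""
    return set_cookie_header.split(";", 1)[0].split("=", 1)[1]

def validate_session_cookie(value: str, session_salt: str = ""):
    """Return the session id if this server accepts the cookie, else None. With a salt configured,
    a cookie minted by a server with a different salt fails the constant-time MAC comparison."""
    if not session_salt:
        return value or None                          # 8.5 behaviour: any server accepts it
    session_id, sep, tag = value.rpartition(".")
    if not sep or not hmac.compare_digest(tag.encode(), _tag(session_id, session_salt).encode()):
        return None
    return session_id
```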
  • 20. Administration
    • What’s new in the Administration Portal
  • 21. Administration Portal Highlights
    • Home Page
      – Orient the administrator
      – Shortcuts to common and recently used pages
    • Extensible WAF container
      – Applications can add their own administration pages
      – Pages can be protected by permissions
  • 22. Administration Portal Highlights
    • New and updated Security pages
      – Authentication
      – Groups
      – Permissions
      – SAML
    • Consolidated server information pages (Tomcat, Apache, etc.)
    • Refreshed existing pages for consistency
  • 23. Demo: Administration Portal
    • New Administration Portal Home Page
    • Sample Security Pages
  • 24. Summary
    • In this session we reviewed new security and administration features in 9.0
      – Authentication methods
      – Authorization model
      – Session security
    • More detailed information is available
      – Kerberos/SPNEGO
      – SAML
      – Package development and the permissions model
      – ATS6-DEV09
      – Discussion of the SOAP Connector accessing SAML Sender Vouches protected SOAP Web Services