IBM WebSphere XML Document Management Server, Version 7.0

Planning authentication and authorization

The Aggregation Proxy and the IBM® XDMS application provide mechanisms for authentication and authorization. (The Trust Association Interceptor (TAI) provides additional security mechanisms as well.)

Requester authentication

The Aggregation Proxy performs HTTP digest authentication using a TAI, which requires provisioning and configuring a Lightweight Directory Access Protocol (LDAP) repository that contains the subscriber identity and password of every user who needs access to the system. (In digest authentication, encryption is used so that a user's credentials can be verified without transmitting the password in plaintext over the network.)

The Aggregation Proxy can also reject further authentication attempts after a preconfigured number of failed attempts. Because the failure count is kept by the Aggregation Proxy instance that handled the first attempt, this function requires maintaining user session affinity with that initial instance, using techniques such as source IP address affinity.
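To make the two points above concrete, here is an added example (not code from IBM or the XDMS product) of the RFC 2617 Digest exchange with qop=auth: the client sends only a hash derived from the password and a server-issued nonce, and the verifier recomputes that hash from its own password record, so the password itself never crosses the network. The verifier also keeps a per-instance failed-attempt counter, which illustrates why the lockout needs session affinity: a second instance has no memory of the failures. The realm, user records, URI and lockout threshold are constructed values.

```python
import hashlib
import secrets
from collections import defaultdict


def _md5(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side of RFC 2617 Digest (qop=auth). Only this hash travels over
    the network; the password itself never leaves the client."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestVerifier:
    """Server side, standing in for the Digest TAI on ONE Aggregation Proxy
    instance. `passwords` stands in for the LDAP repository (constructed data);
    `max_failures` is a hypothetical lockout threshold local to this instance."""

    def __init__(self, realm, passwords, max_failures=3):
        self.realm = realm
        self.passwords = passwords
        self.max_failures = max_failures
        self.failures = defaultdict(int)   # per-user failed-attempt counter
        self.issued_nonces = set()

    def new_nonce(self):
        # Fresh server nonce per challenge; verify() only accepts nonces it issued.
        nonce = secrets.token_hex(16)
        self.issued_nonces.add(nonce)
        return nonce

    def verify(self, user, method, uri, nonce, nc, cnonce, response):
        """Return "ok", "rejected" or "locked" for one Authorization header."""
        if self.failures[user] >= self.max_failures:
            return "locked"
        password = self.passwords.get(user)
        if password is None or nonce not in self.issued_nonces:
            return self._fail(user)
        expected = digest_response(user, self.realm, password, method, uri, nonce, nc, cnonce)
        if secrets.compare_digest(expected, response):
            self.failures[user] = 0       # successful login clears the counter
            return "ok"
        return self._fail(user)

    def _fail(self, user):
        self.failures[user] += 1
        return "locked" if self.failures[user] >= self.max_failures else "rejected"
```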

IBM XDMS uses a TAI, which is included with the IBM WebSphere® IP Multimedia Subsystem Connector and which enables consumption of the private extension security headers for both HTTP and Session Initiation Protocol (SIP) traffic. This TAI consumes the headers created by the HTTP Digest TAI that runs with the Aggregation Proxy.

If the Aggregation Proxy is not used in the environment but authentication is still required, authentication mechanisms can be configured directly on the WebSphere Application Server that runs IBM XDMS. These mechanisms include Digest authentication (using a custom TAI) or the built-in WebSphere Application Server global security.

Any IBM-supplied TAI can be replaced with a custom version if the function does not suit your environment.

Requester authorization

For authorization of access to user documents, IBM XDMS provides a default behavior that gives each user full access to all documents that the user creates and read access to all global documents. This behavior can be changed by provisioning document authorization documents, comprehensively or selectively, for the affected users.

Confidentiality and integrity

Open Mobile Alliance (OMA) relies on Transport Layer Security (TLS) to ensure the confidentiality and integrity of transmitted information, at least in the context of the connection with the previous network element. TLS is supported by WebSphere Application Server.
Note: Security can be turned off when running in a test or pre-production mode. If this mode is used, you must configure a default authorization policy in IBM XDMS for anonymous access.

(C) Copyright IBM Corporation 2009. All Rights Reserved.