IBM WebSphere XML Document Management Server, Version 7.0

Planning authentication security using the Trust Association Interceptor

The Trust Association Interceptor (TAI) security component is intended to enhance the overall authentication security for the IBM® WebSphere® software for Telecom. An implementation scenario describes how you can deploy the TAI for IBM XDMS.

About the scenario

IBM XDMS is an extensible framework that also provides shipped support for two Application Unique ID (AUID) extensions: Shared lists (includes rls-services and resource-lists) and Presence rules (pres-rules). Other AUIDs could be deployed similarly. The constituent components are deployed and scaled separately from each other, so there are different cluster descriptions for the XDMS configuration.

The following section depicts a common system configuration in which components are deployed in a production scenario. The scenario is presented with the following conditions:

The following diagram illustrates the scenario. Three IBM XDMS nodes, with the Trust Association Interceptor deployed on each one, receive SIP traffic that flows through a converged proxy. An Address List Manager on each node receives SOAP/HTTP traffic flowing through the converged proxy. Additionally, each IBM XDMS instance also receives XCAP/HTTP traffic flowing through a different converged proxy (or load balancer) pair.
Figure: XDMS configuration scenario for TAI
Note:
  • The WebSphere Application Server converged proxy or any third-party load balancer may be deployed pair-wise (for HA reasons).
  • The converged proxy must be used for SIP traffic to maintain session affinity, but the same instance could also be used for HTTP traffic.
  • The ALM service is a separately-deployed Parlay X Address List management service that is configured to not require TWSS Web service implementations.
  • The Trust Association Interceptor detects authenticated user identity from inbound messages.
  • IBM Tivoli Composite Application Management (ITCAM) users communicate directly with the IBM XDMS node for purposes of collecting PMI data from that node.
  • An aggregation proxy is the reverse proxy security server (RPSS) that performs user authentication before Trust Association Interceptor/XDMS is invoked.
  • The aggregation proxy adds an X-XCAP-Asserted-Identity header in the HTTP request.
  • The Trust Association Interceptor searches for the asserted identity header.
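As an added example that is not part of this IBM documentation, the sketch below shows an interceptor written against the WebSphere TAI SPI (com.ibm.wsspi.security.tai) that honours the X-XCAP-Asserted-Identity header only when the request arrives from a configured aggregation proxy (RPSS) address, so that a client reaching the node directly cannot assert an identity of its own. The class name and the custom property trustedProxyAddresses are assumptions for this example.

```java
import java.util.HashSet;
import java.util.Properties;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.ibm.websphere.security.WebTrustAssociationException;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;

// Example interceptor (not IBM's shipped TAI): the asserted identity header
// is trusted only when the immediate upstream hop is a configured RPSS.
public class AssertedIdentityTai implements TrustAssociationInterceptor {
    static final String HEADER = "X-XCAP-Asserted-Identity";
    // Custom property name is an assumption for this example.
    static final String PROP_TRUSTED = "trustedProxyAddresses";
    private final Set<String> trustedProxies = new HashSet<>();

    public int initialize(Properties props) throws WebTrustAssociationFailedException {
        for (String addr : props.getProperty(PROP_TRUSTED, "").split(",")) {
            if (!addr.trim().isEmpty()) trustedProxies.add(addr.trim());
        }
        if (trustedProxies.isEmpty()) {
            // Fail closed: without a trusted proxy list the header means nothing.
            throw new WebTrustAssociationFailedException("no trusted proxy configured");
        }
        return 0;
    }

    // Only requests carrying the asserted identity header are intercepted.
    public boolean isTargetInterceptor(HttpServletRequest req) throws WebTrustAssociationException {
        return req.getHeader(HEADER) != null;
    }

    public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest req, HttpServletResponse res)
            throws WebTrustAssociationFailedException {
        String asserted = req.getHeader(HEADER);
        // Authentication was done by the RPSS, so the header is meaningful only
        // from a trusted RPSS address; anything else is rejected with 403.
        if (!trustedProxies.contains(req.getRemoteAddr())
                || asserted == null || asserted.trim().isEmpty()) {
            return TAIResult.create(HttpServletResponse.SC_FORBIDDEN);
        }
        return TAIResult.create(HttpServletResponse.SC_OK, asserted.trim());
    }

    public String getVersion() { return "1.0"; }
    public String getType() { return getClass().getName(); }
    public void cleanup() { }
}
```

getRemoteAddr() reports the immediate upstream hop, which in the topology above is the converged proxy or load balancer pair rather than the RPSS itself; that hop must then be the configured trusted address and must itself accept the header only from the aggregation proxy.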



(C) Copyright IBM Corporation 2009. All Rights Reserved.