The Trust Association Interceptor (TAI) is a security component that strengthens authentication for IBM® WebSphere® software for Telecom. The following implementation scenario describes how to deploy the TAI for IBM XDMS.
About the scenario
IBM XDMS is an extensible framework that ships with built-in support for two Application Unique ID (AUID) extensions: Shared lists (which includes rls-services and resource-lists) and Presence rules (pres-rules). Other AUIDs can be deployed in the same way. The constituent components are deployed and scaled independently of each other, so the XDMS configuration has a separate cluster description for each of them.
The following section depicts a common system configuration in which the components are deployed in production. The scenario is presented under the conditions listed in the notes that follow the diagram.
The following diagram illustrates the scenario. Three IBM XDMS nodes, each with the Trust Association Interceptor deployed, receive SIP traffic through a converged proxy. An Address List Manager (ALM) on each node receives SOAP/HTTP traffic through the same converged proxy. Each IBM XDMS instance also receives XCAP/HTTP traffic through a separate converged proxy (or load balancer) pair.
Note: - The WebSphere Application Server converged proxy, or any third-party load balancer, may be deployed as a pair for high availability (HA).
- The converged proxy must be used for SIP traffic to maintain session affinity; the same instance can also be used for HTTP traffic.
- The ALM service is a separately deployed Parlay X Address List Management service that is configured not to require the TWSS Web service implementations.
- The Trust Association Interceptor extracts the authenticated user identity from inbound messages.
- IBM Tivoli Composite Application Manager (ITCAM) users communicate directly with each IBM XDMS node to collect PMI data from that node.
- The aggregation proxy is the reverse proxy security server (RPSS). It performs user authentication before the Trust Association Interceptor and XDMS are invoked.
- The aggregation proxy adds an X-XCAP-Asserted-Identity header to the HTTP request.
- The Trust Association Interceptor searches the request for the asserted identity header and establishes the user identity from it.
- Because the Trust Association Interceptor trusts this header, XDMS must accept XCAP/HTTP traffic only from the aggregation proxy. A client that could reach an XDMS node directly, bypassing the proxy, would otherwise be able to assert any identity it chose.
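The two trust boundaries in this scenario, modelled end to end as an added example (this is illustrative code, not IBM's TAI or RPSS implementation): the aggregation proxy authenticates the XCAP client and replaces any client-supplied X-XCAP-Asserted-Identity header with its own assertion, and the interceptor on the XDMS side honours that header only when the request arrived from the aggregation proxy pair. The credential store, the proxy addresses, the `sip:user@example.com` identity form and the request dictionaries are all constructed assumptions.

```python
"""
Added example (not IBM code): models the trust boundaries of the XDMS/TAI
scenario. The aggregation proxy (RPSS) authenticates the client and asserts
the identity in X-XCAP-Asserted-Identity; the interceptor on the XDMS node
trusts that header only when the peer is one of the aggregation proxies.
All data below is constructed for illustration.
"""
import base64
import hmac
import ipaddress

ASSERTED_IDENTITY = "X-XCAP-Asserted-Identity"

# Constructed credential store used by the aggregation proxy (assumption).
USERS = {"alice": "s3cret", "bob": "hunter2"}

# Addresses of the aggregation-proxy pair; only these may assert identity (assumption).
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.11"), ipaddress.ip_address("10.0.0.12")}


def basic_auth(user, password):
    """Build a Basic Authorization header value for a client request."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def _parse_basic(auth_header):
    """Return (user, password) from a Basic Authorization header, else None."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(auth_header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def aggregation_proxy(request):
    """
    RPSS side: authenticate the client, then forward to XDMS with the
    asserted identity set. Returns (status, forwarded_request).
    Any client-supplied X-XCAP-Asserted-Identity header is discarded first,
    so an unauthenticated client cannot pick its own identity.
    """
    headers = {k: v for k, v in request["headers"].items()
               if k.lower() != ASSERTED_IDENTITY.lower()}
    creds = _parse_basic(headers.get("Authorization"))
    if creds is None:
        return 401, None
    user, password = creds
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return 401, None
    headers.pop("Authorization", None)  # XDMS never sees the raw credential
    headers[ASSERTED_IDENTITY] = f"sip:{user}@example.com"  # assumed identity form
    # The proxy becomes the peer XDMS sees (assumed proxy address).
    forwarded = dict(request, headers=headers, peer="10.0.0.11")
    return 200, forwarded


def interceptor(request):
    """
    XDMS side, modelled on what the TAI does: look for the asserted identity
    header and establish trust from it. Returns the identity, or None when
    trust cannot be established (untrusted peer or missing/malformed header).
    """
    peer = ipaddress.ip_address(request["peer"])
    if peer not in TRUSTED_PROXIES:
        # The header only means something when the aggregation proxy set it;
        # a caller that bypassed the proxy pair gets no identity at all.
        return None
    identity = request["headers"].get(ASSERTED_IDENTITY)
    if not identity or not identity.startswith("sip:"):
        return None
    return identity


def end_to_end(client_request):
    """Client -> aggregation proxy -> XDMS interceptor. Returns (status, identity)."""
    status, forwarded = aggregation_proxy(client_request)
    if status != 200:
        return status, None
    return status, interceptor(forwarded)


if __name__ == "__main__":
    req = {"peer": "198.51.100.7", "headers": {"Authorization": basic_auth("alice", "s3cret")}}
    print(end_to_end(req))  # (200, 'sip:alice@example.com')
```

The interesting cases are the negative ones: a client that sends its own X-XCAP-Asserted-Identity header without credentials is rejected by the proxy, a client that sends valid credentials plus a forged header ends up with the identity the proxy authenticated rather than the forged one, and a request that reaches the interceptor from an address outside the proxy pair gets no identity even if the header is present.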