
White Paper
enportal / AppBoard Technical Overview
April 2016
Edge Technologies, 1881 Campus Commons Drive, Suite 101, Reston, VA
White Paper 2016 Edge Technologies, Inc.

Table of Contents

Overview
Core Features and Capabilities
Edge Integrations
enportal Integrations
COTS-Based Product Integration Modules (PIMs)
PIM Failover and Traffic Management
Content Retrieval
Application Hardening: Real-time Content Filtering and Modification
Custom Integrations
AppBoard Integrations
Data Adapters
Data Sources
Advanced Security
Attack Prevention
Password Management Policies
Access Control List Rules
SSL Communications Support
Proxy Technology
Firewall Support
Protection of Private Networks and Application Assets
User Management
Single Sign-On
Provisioning of Single Sign-On Tokens
Single Sign-Out
Kerberos
Authentication and Login Processing
External User Authentication
CAC/PKI
CA Single Sign-On (formerly CA SiteMinder)
Customer Portal to enportal Authentication Mapping
Two-factor Authentication Systems
Web Access Management
Custom Authentication
IP Address and Session Limiting
Branding and Customization
enportal and AppBoard Deployment Models
Deployment Model 1: For Internal Users
Deployment Model 2a: For External Users or Customers with Multi-Tenancy
Deployment Model 2b: In Your Existing External Portal
Customer Example Architecture Design Architecture Scalability, Clustering, and Failover
Basic Deployment
High Availability (Failover)
Optimized Performance with Failover (Clustering)
Running in Modern Environments
Virtualized Networks (VMware)
IPv6 Network Through an Existing Proxy Server
Remote Application Delivery
enportal and AppBoard Component Architecture
Request Engine
Business Logic Engine
Integration Engine
Data Source Engine
Web Application Proxy and Content Filtering
Object Database
AppBoard Client Component Architecture
Data Source
Data Collections
Widgets
Stacks and Boards
About Edge Technologies, Inc
Appendix A: enportal Product Integrations

Overview

Integration is no longer just a nice-to-have; it has become a must-have in commercial and government environments around the globe. Managers of modern companies face many challenges for providing the necessary information and tools to their users:

- Too Much Information: End-users are presented an overwhelming amount of data. It is difficult to find the relevant data and assess the impact of issues from a business perspective.
- Numerous OSS/BSS Tools: When working with Operations Support Systems or Business Support Systems, each tool has its own URL, login, interface, product terminology, and unique training requirements. There is often limited native interoperability between all of these tools.
- Complexity: Users need to use data collected by monitoring tools, but want to be shielded from the complexity of the underlying technologies.
- Security and Compliance: Customers need direct, real-time access to many tools across the network, while the security of the network is maintained.

This white paper details how the patented technology of Edge Technologies' enportal and AppBoard tackles all of the above challenges. enportal and AppBoard provide solutions to the integrator with elements that are critical for any deployment, including:

- Time: Rapid integration of existing products and data from multiple vendors
- Standardization: Integration of information provided by various applications into a single cohesive, branded display
- Flexibility: An integration platform that creates interoperability between disparate tools, and can be rapidly adapted to meet unknown future requirements
- Convenience: A single, secure access point for all tools, with minimal disruption to end-users when applications are replaced or upgraded
- Scalability: Support for large numbers of concurrent users without impacting system performance

This is why, since its release, Edge's solution has delivered significant value for a diverse set of customers, including Telecommunications companies, Managed Service Providers, large banks, manufacturing companies, federal agencies, the U.S. Department of Defense, foreign militaries, and other global corporations.

"The implementation has been very successful and has allowed us, in a very short period of time, to reach our primary objectives: Secure revenue assurance and improved Quality of Service perceived by end customers. We have achieved savings by means of providing automated reports and proactive management of incidents for clients avoiding SLA penalties and economic loss for the company."
- Vicente Espinaza, Project Manager and Senior Engineer for Telefonica

Core Features and Capabilities

The core software components of enportal and AppBoard combine to provide advanced capabilities and significant benefits, many of which are unique to Edge's solution offering and not possible through other products. enportal offers a vast array of features and functions. The core features/capabilities include:

- Integration of existing web-based tools and applications
- Advanced security
- Single Sign-On
- Integration with external user authentication systems
- Branding and customization
- Dashboard views
- Multi-tenancy
- Scalability

In addition to the web-layer integrations provided by enportal, Edge offers an information visualization component, called AppBoard, which provides additional integration through data-layer adapters. This unique model allows for the seamless combination of new visualizations based on raw data with native, in-context views from existing tools into role-based custom dashboards. This also offers additional ways for the system designer to always provide the right data to the right user with clear and concise visualizations. AppBoard adds value by:

- Providing high-level summaries, with filtering and drill-down
- Providing seamless transition from custom visualizations to fully interactive use of integrated tools
- Transforming event data to service impact information
- Providing visualizations of information derived from multiple data sources
- Supporting presentation on mobile devices

The combination of the GUI-based AppBoard Builder, widgets, and data adapters allows the dashboard designer to rapidly integrate and visualize raw data. These visualizations are then available for presentation alongside the enportal views of integrated application GUIs. AppBoard is licensed separately from enportal, but both applications are designed to be deployed together as a single, cohesive solution.

The figure below demonstrates how enportal and AppBoard work together to provide a full suite of integration. enportal's Product Integration Modules (PIMs) provide GUI-layer integration of existing application interfaces, while AppBoard's Data Adapters provide data-layer integration through direct connections to application databases or Web Services:

Figure 1: Comparing integration through enportal and AppBoard

Below are examples of visualizations that combine enportal GUI-layer PIM integrations together with AppBoard data-layer visualizations:

Figure 2: Device Status, Network Topology, Bandwidth Utilization, and Ticket List from a suite of integrated OSS applications

Figure 3: Enterprise View using PIMs and Data Adapters

Edge Integrations

To get the most from an integration platform, customers need the ability to integrate new content elements quickly and securely. Customers also need the ability to enable partners and other third parties to organize application services, multi-media streams, and web-based utilities into any number of user or role-specific views without complex software development. To meet the challenge of integrating, controlling, protecting, and multiplexing fully interactive back-end applications and content into a virtual desktop, over private and public networks, Edge offers three types of integration:

- Product Integration Modules (PIMs): Proxied views of web-based applications combined with user authentication, Single Sign-On, secure multi-tenancy, and HTML content manipulation
- Data Adapters: Direct connections to data from a variety of files and databases via Web Services, JDBC, APIs, scripts, or other mechanisms
- Integration Packages: Bundled integrations and content, purpose-built for specific applications or application suites. Integration packages may include web and/or data-layer integrations, preconfigured dashboards, widgets, and actions, and pre-packaged sample content.

Figure 4: A single dashboard driven by multiple data sources and integration types

enportal Integrations

COTS-Based Product Integration Modules (PIMs)

A distinct advantage of enportal is rapid deployment, made possible by enportal's prepackaged PIMs. enportal PIMs provide plug-and-play Commercial Off-The-Shelf (COTS)-based integration of products from BMC, CA, Cisco, EMC, HP, InfoVista, IBM, Oracle, SevOne, VMware, and many more. PIMs offer immediate value to an organization that has made existing investments in these applications. Interfaces from multiple applications can be presented side-by-side in the enportal display to the user.

PIMs are essentially XML definitions that define how enportal will integrate the third-party products and applications into content Channels and Views. To integrate a new application with enportal using a PIM, an administrator specifies the IP address, web server port, and configuration information for a live application. enportal then automatically creates content Channels for the third-party application for immediate incorporation into an enportal page. A list of web-based products for which Edge offers PIMs is available in Appendix A: enportal Product Integrations.

enportal also provides integration of applications that are not web-based and which cannot typically be integrated into other portals. Integration with non-web application GUIs is via an integration module to remote access tools that enable non-web or thick-client applications to be accessed from any Java-enabled web browser.

PIM Failover and Traffic Management

The PIM Failover option configures enportal to connect to more than one instance of an integrated application. If there is a failure of the primary application server, the enportal PIM will fail over to the backup instance of the application, providing uninterrupted access to the application by enportal users. The Round-Robin option can also be enabled, which will direct users to alternate between accessing different instances of an integrated application. This spreads the load across the multiple back-end application servers and allows a large number of concurrent users of the proxied tool.

Content Retrieval

An integral part of enportal, the CRS patented technology detects, modifies, stores, and disseminates information being retrieved from the web applications integrated through the enportal framework. The CRS is designed to incorporate any number of fully interactive dynamic applications into a single cohesive view. From an administrative perspective, CRS manages user access and control to fully interactive applications and web content based on user, domain, and role. CRS also provides for the multiplexing of disparate external HTTP(S) communication streams over a single HTTP(S) port to the web browser by:

- Supporting remote access to an unlimited number of fully interactive applications through firewalls and multi-layer DMZ environments utilizing network address translation, regardless of the application's IP address or port number, for transport over public networks
- Supporting the ability to conceal IP addresses and port numbers to applications, web resources and their network elements, thereby protecting the operational network and corporate applications

Application Hardening: Real-time Content Filtering and Modification

Most companies have well-known policies in place for hardening or securing their servers, VMs, and Operating Systems, and for finding vulnerabilities that are common to web applications. Application and web UI hardening is a natural extension of these critical requirements. For Managed Service Providers and IT organizations that act as service providers, this is an essential element in delivering customer-facing views of third-party tools safely and securely.

Only Edge Technologies, with enportal's HTML content filtering and modification capabilities, can effectively harden or secure most web-based applications by controlling which features of an application's user interface are dynamically filtered or modified before presentation to the user. Additionally, applications may be modified to "behave properly" within the browser (e.g. remove pop-up windows). Examples of content filtering, modification, and addressing potential security risks for proxied applications often include:

- Locking down access to specific URLs
- Obfuscating URLs
- Removing available buttons and links on web pages
- Modifying menu options or labels
- Removing breadcrumb trails from headers or URLs
- Hiding or replacing logos
- Preventing script execution that may pose a threat, e.g. cross-site scripting (XSS)

In this real-world example, the customer needed to harden the application by removing several elements from the native user interface.

Figure 5: The original content of the User Interface

enportal CRS rules are used to secure the application by dynamically removing the customer-specified links and associated functionality.

Figure 6: The hardened application UI

Custom Integrations

The content retrieval and modification capabilities of the CRS are what enable Edge and its customers to write custom integration modules. These modules extend the same features of Edge's COTS-based PIMs to all of your custom applications. These custom integrations can also include applications that would not integrate into most standard portals, such as Java applets or non-standard web applications. The tools for building and testing these integrations are provided in the Integration Manager, which resides in the enportal administration UI.

AppBoard Integrations

Data Adapters

Edge AppBoard's Data Adapters function as a liaison between the AppBoard data service and an organization's various files, application APIs, and databases. Data sources can be on the AppBoard server or on remote hosts. Virtually any type of structured data can be used in AppBoard, through an ever-expanding library of data-layer integrations. Standards-based integrations include:

- Local: CSV, Microsoft Excel XLS files, shell commands
- Web Services: CSV, XML/SOAP, JSON
- Databases (via JDBC and SQL queries): DB2, MySQL, Microsoft SQL Server, Oracle, PostgreSQL, Sybase
- OLAP systems (via XML/A and MDX queries): Microsoft Server Analysis Services, Pentaho Analysis (Mondrian), SAP BW

Edge customers have used AppBoard's integration options to incorporate data from a variety of applications including:

- BMC Atrium CMDB & Orchestrator
- BMC Remedy ARS
- EMC Ionix SAM
- HP ArcSight
- HP NNMi
- IBM Tivoli Netcool/OMNIbus
- IBM Tivoli Service Request Manager
- ServiceNow
- SevOne
- Tripwire Enterprise & Log Detector
- Fluke Networks Visual TruView

Data Sources

AppBoard Data Sources identify the adapter and the configuration settings required to connect and filter the external data sources to be accessed by the AppBoard server. Data is brought into the AppBoard server as data sets (Entities) and returned to the AppBoard Client as Data Collections. A Data Source may bring one or more unique data sets into the system. Relationships between Entities are modeled as Associations. They can be established through the Data Source UI or imported from existing associations defined by the external data source.

Advanced Security

enportal and AppBoard have a strong security model with powerful features to restrict access to content based on domain, role (group), and/or user. The solution also provides a combination of firewall infrastructure support, port mapping, content filtering, and a sophisticated security manager. Enhanced security features include multiple N-Factor authentication methods, secure communications channels, security policies, directory services support, and more, as detailed in the following sections.

Attack Prevention

enportal provides comprehensive protection against cross-site scripting attacks. All aspects of the HTTP communication are tested by the proxy, including requests, headers, and body. Captured attacks display HTTP 500 responses and are detailed in the system log files for investigation. Updates to the output encoding scheme are also implemented to improve system efficiency and to eliminate cross-site scripting attacks. The default behavior is to deny requests that contain malicious characters if the page that initiated the request is not from the enportal server.

Password Management Policies

The security of the system is enhanced by the ability to define password management policies for users' passwords. The following types of policies can be instituted:

- Specifying a password lifetime, which forces users to change passwords
- Syntax policies, to avoid the use of predictable passwords
- Account lockout upon consecutive failed login attempts

When integration of third-party authentication tools (such as LDAP) is used for user management, enportal will also cooperatively sync with any password policies in effect on the associated server.

Access Control List Rules

enportal enables Administrators to create "allow" and "deny" rules that can be enforced from the global and/or Channel-specific level. For example, these rules can prevent users from accessing specific URLs.
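The following added example (not Edge's code and not the CRS rule syntax) shows how the global and Channel-level allow/deny rules above and the link removal described under Application Hardening can be driven by one rule set, so that a link hidden in the UI is also refused at the proxy. The `Rule` format, the deny-wins precedence, the default-deny fallback, the path-only matching and all host names and sample HTML are assumptions made for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from html.parser import HTMLParser
from posixpath import normpath
from typing import Optional
from urllib.parse import unquote, urljoin, urlsplit


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    pattern: str                   # glob matched against the canonical path
    channel: Optional[str] = None  # None means the rule is global


def canonical_path(url):
    """Reduce a URL to the path the back end would serve, before any rule is matched."""
    path = urlsplit(url).path
    while unquote(path) != path:   # undo nested percent-encoding (%252e -> %2e -> .)
        path = unquote(path)
    path = path.replace("\\", "/")
    return normpath("/" + path.lstrip("/"))  # collapse "." and ".." segments and "//"


def is_allowed(rules, channel, url):
    """Assumed precedence: any matching deny wins, then any allow; no match means deny."""
    path = canonical_path(url)
    hits = [r for r in rules
            if r.channel in (None, channel) and fnmatchcase(path, r.pattern)]
    if any(r.action == "deny" for r in hits):
        return False
    return any(r.action == "allow" for r in hits)


class LinkFilter(HTMLParser):
    """Re-emits a page, dropping <a>/<form> elements whose target the rules deny."""
    URL_ATTR = {"a": "href", "form": "action"}

    def __init__(self, rules, channel, base_url):
        super().__init__(convert_charrefs=False)   # keep entities as written
        self.rules, self.channel, self.base_url = rules, channel, base_url
        self.out, self.skip_tag, self.depth = [], None, 0

    def _denied(self, tag, attrs):
        target = dict(attrs).get(self.URL_ATTR.get(tag, ""))
        return bool(target) and not is_allowed(
            self.rules, self.channel, urljoin(self.base_url, target))

    def _emit(self, text):
        if self.skip_tag is None:
            self.out.append(text)

    def handle_starttag(self, tag, attrs):
        if self.skip_tag:                          # inside a dropped element
            self.depth += (tag == self.skip_tag)
        elif self._denied(tag, attrs):
            self.skip_tag, self.depth = tag, 1     # drop the element and its content
        else:
            self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if self.skip_tag is None:
            self.out.append(f"</{tag}>")
        elif tag == self.skip_tag:
            self.depth -= 1
            if self.depth == 0:
                self.skip_tag = None

    def handle_startendtag(self, tag, attrs):
        if self.skip_tag is None and not self._denied(tag, attrs):
            self.out.append(self.get_starttag_text())

    def handle_data(self, data): self._emit(data)
    def handle_entityref(self, name): self._emit(f"&{name};")
    def handle_charref(self, name): self._emit(f"&#{name};")
    def handle_comment(self, data): self._emit(f"<!--{data}-->")
    def handle_decl(self, decl): self._emit(f"<!{decl}>")


def harden_html(html, rules, channel, base_url):
    parser = LinkFilter(rules, channel, base_url)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed sample data: a global allow, global denies, and one Channel-specific deny.
BASE = "https://backend.example/"
RULES = [Rule("allow", "/*"), Rule("deny", "/admin"), Rule("deny", "/admin/*"),
         Rule("deny", "/reports/export*", channel="noc")]
SAMPLE_HTML = ('<ul><li><a href="/status">Status</a></li>'
               '<li><a href="/admin/users">Users &amp; roles</a></li>'
               '<li><a href="reports/export.csv">Export</a></li></ul>')

if __name__ == "__main__":
    print(harden_html(SAMPLE_HTML, RULES, "noc", BASE))
    print(is_allowed(RULES, "noc", BASE + "status/%2e%2e/admin/users"))
```

The request-side check canonicalises the path before matching, because a rule written for `/admin/*` is only as strong as the normalisation applied to the URL it is compared with.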

SSL Communications Support

Communications between clients and the enportal/AppBoard server can be secured using HTTPS (HTTP over SSL). This protects the communications streams as they pass through the public Internet. The Tomcat web server provides the HTTPS support, and the configuration rules to enable this are delivered with the stock configuration files. The enportal server can also communicate with external HTTPS web servers. This typically occurs within the web resource proxy (discussed below) and is dictated by the protocol field of the URL that the Proxy has been directed to retrieve.

Proxy Technology

A key component, and differentiator, of enportal is its proxy technology. enportal's bidirectional proxy technology provides protected access to fully interactive applications over public and private networks. It works by allowing access to specifically identified back-end web applications and content to authorized enportal users. Of significant importance, enportal's web resource proxy does not require installation of additional software on the servers being proxied.

Figure 7a: Secure data access in enportal
Figure 7b: Un-proxied data access in typical portal

The figures above illustrate two communications methods by which various portal systems interact with, and render, fully interactive applications to the user. The enportal example (Figure 7a: Secure data access in enportal) illustrates data flow between applications and client browsers through the enportal web resource proxy technology. The Typical Portal example (Figure 7b: Un-proxied data access in typical portal) illustrates data flow between applications and client browsers within other portal frameworks.

Note that in a typical portal system, direct communication is required between the browser and the external application. In these systems, the login page, initial portal page, and wrapper-based pages are requested directly from the portal server. However, when the user begins interacting with an embedded application, the browser begins communicating directly with the external application.

The enportal system, on the other hand, uses a web resource proxy approach to provide controlled access to fully interactive web applications. The web resource proxy approach allows the web browser to communicate entirely with the enportal server for all interaction with the external web applications. Yet enportal seamlessly handles all interaction as if the browser were communicating directly with the application. The enportal solution provides a higher level of security, because end-users never directly connect to the back-end proxied servers.

Firewall Support

The enportal web resource proxy provides users with a single access point (exactly one HTTP(S) port) to all integrated HTTP(S)-based applications. enportal content retrieval allows all HTTP(S)-based content and applications to be accessed through a single socket connection within a network DMZ, network address translation (NAT), and firewall environment. Referring again to Figures 7a and 7b, the enportal solution (Figure 7a: Secure data access in enportal) only requires a single firewall rule to allow access from the user's browser to enportal. The typical portal solution (Figure 7b: Un-proxied data access in typical portal) requires additional holes in the firewall between the user and each integrated application.

Protection of Private Networks and Application Assets

The protection and concealment of back-end applications and network assets are of critical concern to organizations that must provide application access to users and customers over a public network. enportal allows multiple dynamic HTTP(S)-based applications to be integrated into the enportal framework, concealed, and pushed through a DMZ environment for presentation to external users on a public network. The web resource proxy does not allow clients to directly connect to these resources. Additionally, external entities have no knowledge of applications' addresses, port numbers or operational networks. The enportal proxy provides an additional layer of protection between internal resources and external users.

User Management

A key component of any integration platform is managing the accounts and credentials for users in each of the underlying systems. enportal provides a suite of tools that allow the administrator to either create and manage new users, or to leverage the users and accounts that are already in place in your organization.

Single Sign-On

Out of the box, Single Sign-On is a feature of enportal where all of a user's credentials to multiple applications are securely stored by enportal. This allows users to access and display information from back-end applications without having to manually log in to each of these applications. Once a user logs into enportal, no other credentials are required from that user. Using enportal's pre-built PIMs, this capability is provided with no custom software development or modification to back-end applications.

Figure 8: Single Sign-On accesses all integrated applications with a single login

An additional benefit of enportal's Single Sign-On is that a single account for a back-end application can be shared across an entire group of users if desired. This allows the application administrator to configure access options for many users through a single account and also limits the number of named user accounts that are needed in the application. A Group membership attribute in LDAP can be leveraged for this purpose, so that no special group configuration needs to be implemented by the enportal administrator.

The enportal Single Sign-On feature supports the integration of various security and authentication schemes presented by existing applications. This capability is implemented through a component called the Login Proxy Service (LPS) that handles all authentication interactions between the user and third-party services. Because many applications have unique or proprietary mechanisms, web-based Single Sign-On can be difficult for other portal solutions to standardize into a solution that fits in all cases. Each single login implementation for an application is a unique integration with its own distinct interface. However, while the method of presentation can vary, most methods of authentication use the HTTP protocol to submit credentials and maintain authentication. The powerful enportal CRS engine allows Single Sign-On to be rapidly configured for virtually any application.

Provisioning of Single Sign-On Tokens

If the integrated backend applications and enportal are tied to a common external user authentication system, SSO tokens can be configured to simply pass user credentials to the backend applications. If a user enters his credentials and there is no matching SSO token stored for that user and that backend application, the credentials are no longer valid and the user will be re-prompted for their credentials.

Single Sign-Out

When a user logs out of enportal, Single Sign-Out automatically logs the user out of all integrated applications with open sessions. This provides additional security and performance by limiting the number of open sessions. It also can lower costs and eliminate lockouts by reducing the number of concurrent licenses that are needed for the integrated applications.

Kerberos

enportal currently supports Kerberos-controlled SSO access to proxied applications. Kerberos authentication differs from basic HTTP, NTLM-based, and application (PIM) specific authentication in that enportal needs to communicate with both the proxied web application and the Kerberos authentication server. Kerberos also requires an additional configuration file that contains details about the authentication domain and servers. The Kerberos Configuration page in the Edge online documentation provides additional information. Edge does not currently support Kerberos as the authentication mechanism to log in to enportal itself.

Authentication and Login Processing

enportal provides a complete UI and embedded database for internally managing domains, users, and roles. However, some organizations already have one or more LDAP servers in place to manage this information. This enables the organization to store all user information and credentials in one centralized location. In this case, enportal can simply map to the existing LDAP configuration and rely on LDAP for externally managing this information. Typical LDAP repositories supported by enportal include Active Directory and OpenLDAP, but others are also supported.

Figure 9: Delegated user management with LDAP

enportal provides a full toolset for mapping LDAP groups to enportal roles, enforcing password policies, and keeping user credentials in sync between the LDAP server and enportal.

External User Authentication

enportal supports several common authentication tools that are already in use by many customers. This allows enportal to rapidly integrate with an existing login management infrastructure.

CAC/PKI

Common Access Card (CAC) is a two-factor authentication mechanism used by certain organizations, including the United States Department of Defense. This allows Single Sign-On integration with the desktop authentication via a Client Certificate, a feature of Public Key Infrastructure (PKI). Use of this module requires that the desktop operating system and web browser are configured with the necessary hardware and middleware to support the physical CAC token and associated protocols. This module can be adapted to other single- and two-factor authentication mechanisms that present a Client Certificate to web applications.

CA Single Sign-On (formerly CA SiteMinder)

To facilitate enportal integration with CA Single Sign-On, CA's Web Agent must be installed at enportal's access point. A common implementation is to have an Apache version of the Web Agent installed on an Apache HTTP Server which is then configured as a reverse proxy to enportal. When a user accesses enportal via the Apache server, the CA Web Agent will check to see if the user has been authenticated for enportal access. If not, it will forward the request to the CA Single Sign-On instance, which then prompts the user with the CA login page. Once a user authenticates successfully through CA Single Sign-On, all the subsequent enportal access requests will be granted.

In this deployment scenario, enportal is configured in Trusted Authentication mode so there is no authentication required for enportal's login request. However, enportal also supports an on-demand, or lazy load, to allow role assignment, in which case enportal will then communicate with the LDAP server with which CA Single Sign-On is also communicating.

Figure 10: enportal deployed with CA Single Sign-On

Customer Portal to enportal Authentication Mapping

Similar to the CA Single Sign-On deployment described above, in this scenario there is another portal already in place that provides a reverse proxy capability. The external customer or end-user is required to access this other system first, which in turn picks up a token that is sent in response to the initial request to enportal. If enportal does not detect that the request has a valid session, it will look for the access token and then respond back to that other system to:

a) Validate the token
b) Make a request for user information from the other portal
c) Check to see if the user exists and if not, perform on-demand user creation
d) Create the session

Two-factor Authentication Systems

Two-factor authentication (2FA) adds a second level of authentication to a basic login procedure, requiring that the user provide additional credentials in order to access secured resources. Examples of 2FA include Google Authenticator, RSA SecurID tokens, and CAC. enportal provides the means to satisfy security requirements by providing a single, secure access point to backend applications through enhanced authentication.

One possible scenario illustrating the integration of enportal with 2FA is as follows: An administrator has configured their system to require 'clientauth', meaning that the Secure Sockets Layer (SSL) connection requires a valid certificate chain from the client. The enportal server will send the chain to an Online Certificate Status Protocol (OCSP) Responder to validate the certificate. It may also look up the user name information in the certificate and additionally request a valid password. This password has typically been validated against an LDAP server, which in turn may perform an on-demand, or lazy load, of the user and any role assignments before a valid session is created.

Web Access Management

Web Access Management (WAM) tools have become more commonly used in recent years. These tools include CA Single Sign-On (formerly SiteMinder), Oracle Access Manager, and Novell Access Manager. The WAM tool provides authentication management, policy-based authorizations, and reporting services. By having the capability to quickly integrate with these tools, enportal allows an organization to continue using these tools for authentication while implementing all of the integration and proxying capabilities provided by enportal.

Custom Authentication

The powerful enportal CRS provides the capability and tools for quickly creating custom authentication modules. This allows enportal users to leverage Single Sign-On to enable them to auto-login to any application, including custom home-built applications with proprietary login mechanisms. Over the years, Edge has developed many of these custom authentications for a variety of applications.

IP Address and Session Limiting

One of the validations that can be required before a session is established is to check the user's source network address and only allow certain roles to be accessed from specified networks. The administrator is able to restrict the content available to that role to only users who are assigned that role and who are accessing the system from within a known and approved network.

enportal provides for several session-based constraints, including:

1. Limiting the number of simultaneous active sessions for a specific set of users or Domains
2. Limiting initial sessions to a set time and/or defining the duration of extensions when users are actively using the system
3. Determining what action to take if a user attempts to start a new session when an existing session already exists: block access, terminate previous sessions, or prompt the user to terminate the active session or cancel the login request
4. Displaying a security statement to be acknowledged prior to login
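The checks described under IP Address and Session Limiting, sketched as an added Python example; it is not Edge Technologies code or the enportal API. The class names, status strings, role names and networks are constructed for illustration, and it assumes that a role with no network list is unrestricted.

```python
import ipaddress
from dataclasses import dataclass
from enum import Enum


class OnExisting(Enum):
    BLOCK = "block"          # refuse the new login
    TERMINATE = "terminate"  # end the previous sessions, admit the new one
    PROMPT = "prompt"        # user must choose: end the old session or cancel


@dataclass
class Policy:
    # role -> CIDR list it may be used from (assumption: unlisted roles are unrestricted)
    role_networks: dict
    max_sessions: int = 1        # simultaneous active sessions per user
    initial_ttl: int = 900       # seconds granted at login
    extension: int = 300         # seconds granted from each activity
    on_existing: OnExisting = OnExisting.BLOCK
    require_banner_ack: bool = True


@dataclass
class Session:
    user: str
    roles: frozenset
    expires_at: float


class SessionManager:
    def __init__(self, policy):
        self.policy = policy
        self.active = {}  # user -> list of Session

    def usable_roles(self, assigned, source_ip):
        """Drop every assigned role whose approved networks exclude source_ip."""
        addr = ipaddress.ip_address(source_ip)  # handles IPv4 and IPv6
        usable = set()
        for role in assigned:
            cidrs = self.policy.role_networks.get(role)
            if cidrs is None or any(addr in ipaddress.ip_network(c) for c in cidrs):
                usable.add(role)
        return frozenset(usable)

    def _live(self, user, now):
        """Prune expired sessions and return the user's remaining ones."""
        live = [s for s in self.active.get(user, []) if s.expires_at > now]
        self.active[user] = live
        return live

    def is_valid(self, session, now):
        # Identity check: a terminated session must not pass as a look-alike.
        return any(s is session for s in self._live(session.user, now))

    def login(self, user, assigned, source_ip, now, banner_ack=False, end_previous=False):
        p = self.policy
        if p.require_banner_ack and not banner_ack:
            return "banner_required", None
        roles = self.usable_roles(assigned, source_ip)
        if not roles:
            return "denied_network", None
        live = self._live(user, now)
        if len(live) >= p.max_sessions:
            if p.on_existing is OnExisting.BLOCK:
                return "blocked", None
            if p.on_existing is OnExisting.PROMPT and not end_previous:
                return "prompt", None
            # TERMINATE, or PROMPT confirmed by the user: drop previous sessions.
            self.active[user] = live = []
        session = Session(user, roles, now + p.initial_ttl)
        live.append(session)
        return "ok", session

    def touch(self, session, now):
        """Extend a live session on activity; never shortens the initial grant."""
        if not self.is_valid(session, now):
            return False
        session.expires_at = max(session.expires_at, now + self.policy.extension)
        return True


if __name__ == "__main__":
    # Constructed sample policy: 'noc-admin' only from two internal networks.
    policy = Policy({"noc-admin": ["10.20.0.0/16", "2001:db8:10::/48"]},
                    on_existing=OnExisting.PROMPT)
    mgr = SessionManager(policy)
    roles = {"noc-admin", "viewer"}
    print(mgr.login("alice", roles, "203.0.113.7", now=0))                   # banner first
    print(mgr.login("alice", roles, "203.0.113.7", now=0, banner_ack=True))  # viewer only
    print(mgr.login("alice", roles, "10.20.1.5", now=100, banner_ack=True))  # prompt
    print(mgr.login("alice", roles, "10.20.1.5", now=100, banner_ack=True,
                    end_previous=True))                                      # both roles
```

A login from outside the approved networks still succeeds when the user holds an unrestricted role, but the session carries only that role, which is the behaviour to verify when auditing a per-role network policy.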

Branding and Customization

enportal offers many features for uniquely branding the presentation of the Edge user interface, along with HTML content from proxied applications, so the user has a completely customized and unified experience.

Custom Login Page

The default enportal login screen can be customized, allowing for a variety of static or dynamic content to be displayed as users access the system. Custom login screens can also provide links to relevant information or resources. A service provider, for example, might include information on new customer offerings.

Figure 11. Default login screen
Figure 12. Custom login screen

Look and Feel

By using the configuration tools in the enportal administration interface, the administrator can modify the enportal Look and Feel (LAF), create multiple versions of the LAF, and assign different LAFs on a per-domain or per-role basis.

Content Views

When logging in to enportal, the content presented to each user is tailored to meet the needs of their business function. This is accomplished by customizing the Views that are assigned to each role in the system. The enportal administration interface provides all of the tools for managing this customization.

Security Policies

The administrator can also set custom security policies. This locks down the content in the system and ensures that users can only access the information to which they have security privileges. Read, write, and view privileges can be restricted by user, role, or domain.

API

In addition to the customization options noted above, which are available in the standard UI, enportal also provides an API to allow for additional customization of the system at a programmatic level.

enportal and AppBoard Deployment Models

enportal and AppBoard solve different integration challenges for different organizations. The following sections outline the typical models for how enportal and AppBoard can be deployed.

Deployment Model 1: For Internal Users

The first deployment option for enportal is for internal use, such as in a Network Operations Center. In this model, enportal augments both the security and operational efficiency of your organization (see Figure 13: enportal/AppBoard internal deployment).

Figure 13: enportal/AppBoard internal deployment

enportal and AppBoard provide different application and data views to different teams, such as Engineering, Management, or Executive. Each team is provided direct, secure access to only the applications and data relevant to their function. This enables enportal and AppBoard to always provide the right picture to the right user.

For Government agencies, the advanced security features of enportal enhance applications to meet stringent security requirements that go beyond the existing capabilities of those individual native applications. Edge Technologies enportal is the industry's only COTS-based integration platform focused specifically on network management application integration.

The Internal delivery model of enportal enhances security and operational efficiency in many ways:

- Allowing organizations to provide secure access to interactive back-end applications
- Providing consolidated Single Sign-On
- Centrally coordinating interaction between applications with little or no coding
- Improving user experience by providing a more unified look and feel for disparate existing applications

Deployment Model 2a: For External Users or Customers with Multi-Tenancy

The second deployment option is frequently used by Managed Service Providers to generate revenue. These organizations service multiple external customers by allowing their end-users to access enportal and AppBoard via the Internet (see Figure 14: enportal/AppBoard deployment to multiple customers).

Figure 14: enportal/AppBoard deployment to multiple customers

Each customer is segmented into their own domain, with customer access credentials often managed by integration with an existing user repository, such as LDAP or a web access management tool like CA SiteMinder. The concept of multi-tenancy is utilized, in which multiple customers are accessing the same enportal and AppBoard system, but each user can only access the information and tools that they are authorized to see within that domain. By locking down access to URLs and content, enportal and AppBoard can also impose multi-tenancy access controls on proxied applications and data, even if the tools do not natively provide it. Each customer's experience is also uniquely branded by their marketing team to optimize the end-user experience.

This deployment model leverages enportal and AppBoard's core features - Single Sign-On, PIMs, re-branding, security, tailored data access and content manipulation (see Core Features and Capabilities) - to provide only the appropriate content to each customer and to each individual in that customer's user base. The integration capabilities of enportal can also provide web access to legacy thick-client applications that would not otherwise be web accessible.

Deployment Model 2b: In Your Existing External Portal

For many successful organizations, a portal strategy serves as the foundation for integration. As such, the concept of a portal is maturing rapidly. The original concept of a portal addressed the need to publish information to users via a web page. Companies today, however, need a portal that provides more than just static displays of back-end applications and information. They need a tool that can rapidly integrate applications and data into their existing portal infrastructure.

Companies with existing external-facing portals already in place can leverage enportal's proxy technology and AppBoard's data integration capabilities to increase the value of their existing portal. enportal and AppBoard reach well beyond the capabilities of existing portal solutions that focus primarily on document management, indexed searches, and static displays of data. enportal and AppBoard provide true integration by combining COTS-based PIMs for integration of vendor-specific tools and their data. Working with your existing portal, enportal and AppBoard can rapidly integrate new applications into the portal framework (see Figure 15: enportal/AppBoard deployment inside an existing portal).

Figure 15: enportal/AppBoard deployment inside an existing portal

As seen in the above illustration, enportal and AppBoard increase the value of the existing customer portal by integrating additional applications and their data. The enportal proxy integrates applications as portlets into the existing portal container. enportal and AppBoard can run in parallel to the existing portal, immediately providing value without requiring a full replacement of the existing portal.

In addition to integrating applications, portlets can also integrate individual enportal tools into a portal. This can provide enportal features to administrative users beyond what may be supported by the existing customer portal. Examples include user/role management, LDAP integration, Single Sign-On, and dashboard visualizations.

Customer Example

A large telecommunications company used an in-house portal to deliver access to their customers, over the Internet, to a suite of tools for managing their voice, data, and IP services. The company had requirements for additional features that were not provided by their existing portal. The company added enportal and AppBoard to the existing portal platform to provide Single Sign-On capability, data visualization, application link provisioning, system administration capabilities, and enhanced security.

Architecture

The enportal and AppBoard systems run as a web application inside an Apache Tomcat server, and access a JDBC-compliant database (or database cluster). The system is designed with flexible deployment options to meet the varying needs of an organization. The following sections detail these available options.

Design Architecture

The enportal and AppBoard products are built upon a standards-based, XML-driven application. They have been developed with Java technologies to provide unparalleled flexibility, scalability, application and content protection, application interaction, and complete platform independence. Both are deployed in a self-contained Tomcat web application with an embedded H2 database.

In a multi-tier deployment architecture, the first tier is typically one or more customer-provided hardware load-balancers and/or SSL accelerators. These front-end load-balancers pass incoming requests to one or more enportal servers on tier two, running as Java web applications executing under the Tomcat web/application server (referred to as the Servlet/JSP engine). The configuration database is then resident on tier three, and will often be a redundant database cluster to provide load-balancing and high availability. All components support maximum platform independence (UNIX or Windows), scalability, and overall system performance.

Scalability, Clustering, and Failover

The enportal and AppBoard system is implemented as a web application. The web application server can scale horizontally by replication on additional servers/platforms. Redundant nodes can also be implemented to provide fault tolerance, allowing users to be redirected to alternate servers in the event of an outage. The scalability of the solution is related to the number of page views per second. The scalability of proxied web integrations can be variable and dependent on the complexity of the specific integrations used.

Basic Deployment

A single enportal/AppBoard server may be sufficient for handling the requirements of smaller deployments (see Figure 16: Basic enportal deployment).

Figure 16: Basic enportal/AppBoard deployment

High Availability (Failover)

Many organizations require that enportal and AppBoard have limited down time over the lifetime of the deployment. In this case, failover can be implemented by configuring redundant enportal servers. If there is an outage on the primary server, enportal/AppBoard can continue to provide uninterrupted service by switching to the backup server until the primary server is repaired (see Figure 17: Failover deployment for High Availability).

Figure 17: Failover deployment for High Availability

Optimized Performance with Failover (Clustering)

Some organizations further require a platform where many users can access the system concurrently without impacting the performance of the application. In this case, clustering of enportal/AppBoard servers can be implemented to route user sessions to servers with the smallest load or network traffic (see Figure 18: Clustered deployment for optimal performance).

Figure 18: Clustered deployment for optimal performance

Running in Modern Environments

Edge Solution's Java and Tomcat infrastructure allows it to be platform independent and run on any operating system that supports the Java Development Kit (JDK v1.6+). The enportal/AppBoard views can be accessed by any supported web browser, including Internet Explorer, Firefox, or Google Chrome.

The solution's flexible configuration options also enable it to co-exist with other software applications on the same server. Co-locating enportal and AppBoard on an existing application server can reduce deployment cost and network latency.

Since their initial release, enportal and AppBoard have shown the flexibility to run in a variety of customer environments. Some of these are noted in the following sections.

Virtualized Networks (VMware)

enportal and AppBoard fully support running on a virtualized server, or in a virtualized network. enportal and AppBoard can also be configured to auto-start so that they automatically come back online when a server is restarted. The license will run on any server that can resolve to a static hostname or IP address.

IPv6 Network

enportal and AppBoard can run on an IPv4 network, IPv6 network, or dual-stack network that requires simultaneous support for both protocols.

Through an Existing Proxy Server

enportal contains special configuration options for applications that are not directly accessible and can only be accessed through a separate proxy server. The details for both the proxy server and back-end application are stored and managed by the enportal proxy.

Remote Application Delivery

Several options are available for integrating enportal with Oracle Secure Global Desktop (SGD) or similar Remote Application Delivery technologies (e.g. Citrix, Ericom AccessNow, Resource Dynamics Go-Global). There are different architectures that can work with enportal and its proxy, but there are some differences in what may be supported in each.

Oracle SGD software provides remote access to published applications and published desktops from a variety of client platforms and devices. The software web-enables legacy applications and, when used along with enportal, provides for the delivery of those applications side-by-side with typical web-based apps.

The enportal PIM for Oracle SGD lets you deliver the published application or desktop in a portal channel. This allows applications that do not natively provide a web-based interface to be accessed through enportal. enportal aggregates application views, enforces security policies, and presents the application interface. The user's web browser client communicates directly and exclusively with enportal. enportal proxies the communication between the web client and the back-end application through the Oracle SGD server.

Security and performance are top priorities with any web-enablement solution. The Oracle SGD PIM enforces strict user authentication and controlled role-based access to specific content as well as the ability to restrict content delivery to defined IP addresses. The solution tracks all sessions and creates a detailed audit trail for each session. The Oracle SGD PIM also provides bandwidth management end-to-end with no change to existing firewalls.

enportal and AppBoard Component Architecture

The primary functions of enportal are contained within six system components:

- Request Engine
- Business Logic Engine
- Integration Engine
- Data Source Engine
- Web Resource Proxy and Content Filtering
- Object Database

Request Engine

The Request Engine serves all requests coming from a user via a web browser. In fact, all external communications with an enportal/AppBoard system are requested through the Request Engine. The Request Engine's primary responsibilities are to translate HTTP(S) requests into object requests and to dynamically translate the application-specific results into HTML for transmission to the client web browser. The Request Engine executes within a Servlet/JSP engine; Java Servlets and JSPs are the primary components of the Request Engine. The Request Engine also provides an extra level of access security by verifying that the user is logged in to the system before accepting and servicing the request.

Business Logic Engine

The Business Logic Engine is responsible for the overall business logic of the system's security, and the storage of system objects. These responsibilities pertain to users, roles, domains, virtual directory access, and content management. Business Logic manages and stores system objects to a chosen object repository/database. The Business Logic Engine runs on the same process (Tomcat as the JSP/Servlet Engine) as the Request Engine.

Integration Engine

The Integration Engine allows new content to be created and integrated into a system at runtime. The Integration Engine consists of a Channel classification model and a set of Request Handlers that are implemented as Java Servlets or JSPs. Request Handlers are the public web interfaces into enportal Channels that service the Channel requests being made from web browser clients. The Integration Engine provides an external interface through the Portal Request Engine that allows HTTP(S) requests to be sent to any plugged-in visual Channel. Upon receipt of a request to render a content Channel, the Integration Engine retrieves the specified Channel (if security allows it) from the enportal server and calls the specified Request Handler to render the Channel content.

Data Source Engine

The Data Source Engine provides a mechanism for data retrieval, common record formatting, enrichment/transformation and delivery to the AppBoard client. The Data Source Engine consists of a data model and management framework that is implemented in Java. New data source adapters can be incorporated into the Data Source Engine using either a Java SDK or a scripting/command line interface. The Data Source Engine employs a data caching mechanism to minimize unnecessary requests against relatively static data sources. Upon receipt of a request for data, the Data Source Engine retrieves, normalizes, transforms and then delivers the requested data to the AppBoard client UI.

Web Application Proxy and Content Filtering

The web application proxy and content filtering function facilitates the delivery of and interaction with existing HTTP(S)-based content. It is responsible for applying Single Sign-On rules to the retrieval of external HTTP(S) requests, and for manipulating the resulting data streams being returned from an integrated application for control and data customization. The HTTP(S) stream manipulation support within enportal is both extensive and configurable and is available as a Proxy Channel. A potential example of the use of this function is the removal of an image from an HTML stream as enportal delivers the HTTP(S) stream to the browser client.

Object Database

The Object Database is a JDBC-compliant RDBMS, and enportal/AppBoard supports numerous databases, including Microsoft SQL Server, MySQL, and Oracle. enportal/AppBoard ships with an embedded H2 database. The database handles mapping between the object-based data model used within enportal/AppBoard and the relational database model that stores the actual content.

AppBoard Client Component Architecture

AppBoard features a web client consisting of a Viewer mode for normal (read only) use and a Builder mode for administrators to configure AppBoard content. There are also mobile apps (Viewer mode) for both the iOS and Android platforms.

The AppBoard Builder has three major components:

- Data Sources
- Data Collections
- Visualization (Widgets, Stacks & Boards)

Data Source

Good data visualization requires good data. This data can be stored in a variety of different locations and formats, which can lead to problems when trying to create holistic summary views. AppBoard has a dedicated Data Source mode that allows for access to all this information, regardless of where it is or what format it is in.

AppBoard provides powerful data manipulation tools to optimize data so that it can be effectively visualized:

- Ability to Group, Pivot, and Sort information both on the client and at the server
- "Server Side Filters" to optimize large data sets before you bring them into memory on the client
- "Client Side Filters" to take advantage of information that's already available in client memory
- Caching and Polling settings to optimize the performance of refreshing data

Data Collections

Any data that is pulled into AppBoard gets placed into a Data Collection. This information is stored in memory on the client, so it is rapidly available to any Widget or Board that has appropriate permissions. Like Data Sources, AppBoard has a dedicated mode for managing Data Collections. The Data Collections Wizard provides control over how much information is brought into memory via Server Side Filters, but the data already in memory can also be manipulated via Client Side Filters. Data Collections are the foundational block that all AppBoard visualizations are based upon.

Widgets

Data visualization inside AppBoard is done by associating a Data Collection with a Widget. AppBoard contains a number of Widgets, and every Widget requires a Data Collection. In addition to visualizing data, Widgets can have defined Actions. For example, the contents of one Widget can be contextually filtered based on a selection in another, or a Widget can be configured to drill down into a child board that shows details based on an item selected in the parent.

The key is knowing that clicking on a Widget is actually clicking on the piece of data that's being represented by the Widget. Actions allow for the use of this piece of data as context to alter Client or Server Side Filters for any Data Collection inside AppBoard. This flexibility allows for extremely powerful interactions.

Stacks and Boards

In AppBoard, Widgets are placed on Boards. A collection of Boards is called a Stack. Each Stack has a corresponding tab in the banner area of the builder, which lets the user navigate to that Stack. Stacks are an important concept because user permissions are provisioned at the Stack level.


More information

Bomgar PA Integration with ServiceNow

Bomgar PA Integration with ServiceNow Bomgar PA Integration with ServiceNow 2017 Bomgar Corporation. All rights reserved worldwide. BOMGAR and the BOMGAR logo are trademarks of Bomgar Corporation; other trademarks shown are the property of

More information

Cloud Access Manager Overview

Cloud Access Manager Overview Cloud Access Manager 8.1.3 Overview Copyright 2017 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished

More information

W H IT E P A P E R. Salesforce Security for the IT Executive

W H IT E P A P E R. Salesforce Security for the IT Executive W HITEPAPER Salesforce Security for the IT Executive Contents Contents...1 Introduction...1 Background...1 Settings Related to Security and Compliance...1 Password Settings... 1 Session Settings... 2 Login

More information

The Now Platform Reference Guide

The Now Platform Reference Guide The Now Platform Reference Guide A tour of key features and functionality START Introducing the Now Platform Digitize your business with intelligent apps The Now Platform is an application Platform-as-a-Service

More information

Oracle Communications Services Gatekeeper

Oracle Communications Services Gatekeeper Oracle Communications Services Gatekeeper Security Guide Release 5.1 E36134-01 June 2013 Oracle Communications Services Gatekeeper Security Guide, Release 5.1 E36134-01 Copyright 2011, 2013, Oracle and/or

More information

TECHNOLOGY Introduction The Difference Protection at the End Points Security made Simple

TECHNOLOGY Introduction The Difference Protection at the End Points Security made Simple APPGATE TECHNOLOGY UNIFIED TECHNOLOGY Introduction The AppGate solution truly delivers holistic security and access control where other approaches fall short. It is designed to address the security and

More information

DreamFactory Security Guide

DreamFactory Security Guide DreamFactory Security Guide This white paper is designed to provide security information about DreamFactory. The sections below discuss the inherently secure characteristics of the platform and the explicit

More information

Migration and Building of Data Centers in IBM SoftLayer

Migration and Building of Data Centers in IBM SoftLayer Migration and Building of Data Centers in IBM SoftLayer Advantages of IBM SoftLayer and RackWare Together IBM SoftLayer offers customers the advantage of migrating and building complex environments into

More information

Scaling for the Enterprise

Scaling for the Enterprise White Paper Solutions Business Manager Scaling for the Enterprise by Pete Dohner and Jeremy Vorndam June 2, 2017 Table of Contents Who Should Read This Paper?... 1 Introduction... 1 N-Tier Architecture...

More information

How Parallels RAS Enhances Microsoft RDS. White Paper Parallels Remote Application Server

How Parallels RAS Enhances Microsoft RDS. White Paper Parallels Remote Application Server How Parallels RAS Enhances Microsoft RDS White Paper Parallels Remote Application Server Table of Contents Introduction... 3 Overview of Microsoft Remote Desktop Services... 3 Microsoft RDS Pain Points...

More information

Build application-centric data centers to meet modern business user needs

Build application-centric data centers to meet modern business user needs Build application-centric data centers to meet modern business user needs Citrix.com Table of contents Meeting current business challenges...3 Device package integration...5 Policy-based service insertion...6

More information

SailPoint IdentityIQ Integration with the BeyondInsight Platform. Providing Complete Visibility and Auditing of Identities

SailPoint IdentityIQ Integration with the BeyondInsight Platform. Providing Complete Visibility and Auditing of Identities SailPoint IdentityIQ Integration with the BeyondInsight Platform Providing Complete Visibility and Auditing of Identities Table of Contents Executive Summary... 3 Identity and Access Management... 5 BeyondTrust

More information

VMware Identity Manager Administration

VMware Identity Manager Administration VMware Identity Manager Administration VMware Identity Manager 2.4 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new

More information

Introduction and Datacenter Topology For Your System

Introduction and Datacenter Topology For Your System Introduction and Datacenter Topology For Your System This chapter provides an introduction, a datacenter overview, and VMware vcenter requirements for your system. Introducing Cisco WebEx Meetings Server,

More information

Deploying VMware Identity Manager in the DMZ. SEPT 2018 VMware Identity Manager 3.3

Deploying VMware Identity Manager in the DMZ. SEPT 2018 VMware Identity Manager 3.3 Deploying VMware Identity Manager in the DMZ SEPT 2018 VMware Identity Manager 3.3 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have

More information

Business White Paper IDENTITY AND SECURITY. Access Manager. Novell. Comprehensive Access Management for the Enterprise

Business White Paper IDENTITY AND SECURITY.  Access Manager. Novell. Comprehensive Access Management for the Enterprise Business White Paper IDENTITY AND SECURITY Novell Access Manager Comprehensive Access Management for the Enterprise Simple, Secure Access to Network Resources Business Driver 1: Cost Novell Access Manager

More information

SnapCenter Software 4.0 Concepts Guide

SnapCenter Software 4.0 Concepts Guide SnapCenter Software 4.0 Concepts Guide May 2018 215-12925_D0 doccomments@netapp.com Table of Contents 3 Contents Deciding whether to use the Concepts Guide... 7 SnapCenter overview... 8 SnapCenter architecture...

More information

TIBCO Cloud Integration Security Overview

TIBCO Cloud Integration Security Overview TIBCO Cloud Integration Security Overview TIBCO Cloud Integration is secure, best-in-class Integration Platform as a Service (ipaas) software offered in a multi-tenant SaaS environment with centralized

More information

John Heimann Director, Security Product Management Oracle Corporation

John Heimann Director, Security Product Management Oracle Corporation John Heimann Director, Security Product Management Oracle Corporation Oracle9i Application Server v2 Security What s an Application Server? Development and deployment environment Web(HTML,XML,SOAP) J2EE

More information

RSA Solution Brief. The RSA Solution for VMware. Key Manager RSA. RSA Solution Brief

RSA Solution Brief. The RSA Solution for VMware. Key Manager RSA. RSA Solution Brief RSA Solution Brief The RSA Solution for VMware View: Managing Securing the the Lifecycle Virtual of Desktop Encryption Environment Keys with RSA Key Manager RSA Solution Brief 1 According to the Open Security

More information

SOLUTION BRIEF CA API MANAGEMENT. Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management

SOLUTION BRIEF CA API MANAGEMENT. Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management SOLUTION BRIEF CA API MANAGEMENT Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management 2 SOLUTION BRIEF ENABLE AND PROTECT YOUR WEB APPLICATIONS WITH CA API MANAGEMENT ca.com

More information

VMware AirWatch Content Gateway Guide for Windows

VMware AirWatch Content Gateway Guide for Windows VMware AirWatch Content Gateway Guide for Windows Workspace ONE UEM v1810 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.

More information

A10 HARMONY CONTROLLER

A10 HARMONY CONTROLLER DATA SHEET A10 HARMONY CONTROLLER AGILE MANAGEMENT, AUTOMATION, ANALYTICS FOR MULTI-CLOUD ENVIRONMENTS PLATFORMS A10 Harmony Controller provides centralized agile management, automation and analytics for

More information

Security Specifications

Security Specifications Security Specifications Overview Password Manager Pro deals with administrative passwords that offer secure access to enterprise credentials and devices. Any compromise on the security of these passwords

More information

Overview SENTINET 3.1

Overview SENTINET 3.1 Overview SENTINET 3.1 Overview 1 Contents Introduction... 2 Customer Benefits... 3 Development and Test... 3 Production and Operations... 4 Architecture... 5 Technology Stack... 7 Features Summary... 7

More information

Getting the Most out of Access Manager

Getting the Most out of Access Manager White Paper Security Getting the Most out of Access Manager With Access Manager, administrators can control the user experience to a level that few other technologies can match. This white paper reviews

More information

WHITE PAPER. Good Mobile Intranet Technical Overview

WHITE PAPER. Good Mobile Intranet Technical Overview WHITE PAPER Good Mobile Intranet CONTENTS 1 Introduction 4 Security Infrastructure 6 Push 7 Transformations 8 Differential Data 8 Good Mobile Intranet Server Management Introduction Good Mobile Intranet

More information

Privileged Account Security: A Balanced Approach to Securing Unix Environments

Privileged Account Security: A Balanced Approach to Securing Unix Environments Privileged Account Security: A Balanced Approach to Securing Unix Environments Table of Contents Introduction 3 Every User is a Privileged User 3 Privileged Account Security: A Balanced Approach 3 Privileged

More information

X100 ARCHITECTURE REFERENCES:

X100 ARCHITECTURE REFERENCES: UNION SYSTEMS GLOBAL This guide is designed to provide you with an highlevel overview of some of the key points of the Oracle Fusion Middleware Forms Services architecture, a component of the Oracle Fusion

More information

Echidna Concepts Guide

Echidna Concepts Guide Salt Group Concepts Guide Version 15.1 May 2015 2015 Salt Group Proprietary Limited. All rights reserved. Information in this document is subject to change without notice. The software described in this

More information

VMWARE HORIZON CLOUD WITH VMWARE IDENTITY MANAGER QUICK START GUIDE WHITE PAPER MARCH 2018

VMWARE HORIZON CLOUD WITH VMWARE IDENTITY MANAGER QUICK START GUIDE WHITE PAPER MARCH 2018 VMWARE HORIZON CLOUD WITH VMWARE IDENTITY MANAGER QUICK START GUIDE WHITE PAPER MARCH 2018 Table of Contents Introduction to Horizon Cloud with Manager.... 3 Benefits of Integration.... 3 Single Sign-On....3

More information

Open Source in the Corporate World. Open Source. Single Sign On. Erin Mulder

Open Source in the Corporate World. Open Source. Single Sign On. Erin Mulder Open Source in the Corporate World Open Source Single Sign On Erin Mulder Agenda Introduction Single Sign On for Multiple s Shared directory (e.g. OpenLDAP) Proxy systems (e.g. Yale CAS) X.509 certificates

More information

Never Drop a Call With TecInfo SIP Proxy White Paper

Never Drop a Call With TecInfo SIP Proxy White Paper Innovative Solutions. Trusted Performance. Intelligently Engineered. Never Drop a Call With TecInfo SIP Proxy White Paper TecInfo SD-WAN product - PowerLink - enables real time traffic like VoIP, video

More information

Accelerate Your Enterprise Private Cloud Initiative

Accelerate Your Enterprise Private Cloud Initiative Cisco Cloud Comprehensive, enterprise cloud enablement services help you realize a secure, agile, and highly automated infrastructure-as-a-service (IaaS) environment for cost-effective, rapid IT service

More information

XD Framework (XDF) Overview. For More Information Contact BlueSpace at Tel: (512) Web:

XD Framework (XDF) Overview. For More Information Contact BlueSpace at Tel: (512) Web: XD Framework (XDF) Overview For More Information Contact BlueSpace at Tel: (512) 366-3940 Email: info@bluespace.com Web: www.bluespace.com Contents 1 INTRODUCTION... 3 2 CASE STUDY... 4 2.1 PROBLEM STATEMENT...

More information

IBM Tivoli Directory Server

IBM Tivoli Directory Server Build a powerful, security-rich data foundation for enterprise identity management IBM Tivoli Directory Server Highlights Support hundreds of millions of entries by leveraging advanced reliability and

More information

VMware AirWatch Content Gateway Guide for Windows

VMware AirWatch Content Gateway Guide for Windows VMware AirWatch Content Gateway Guide for Windows AirWatch v9.2 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com. This product

More information

BIG-IP Access Policy Manager : Secure Web Gateway. Version 13.0

BIG-IP Access Policy Manager : Secure Web Gateway. Version 13.0 BIG-IP Access Policy Manager : Secure Web Gateway Version 13.0 Table of Contents Table of Contents BIG-IP APM Secure Web Gateway Overview...9 About APM Secure Web Gateway... 9 About APM benefits for web

More information

Deploying Cisco ASA VPN Solutions v2.0 (VPN)

Deploying Cisco ASA VPN Solutions v2.0 (VPN) Deploying Cisco ASA VPN Solutions v2.0 (VPN) Course Overview: The Deploying Cisco ASA VPN Solutions (VPN) v2.0 course is part of the curriculum path that leads to the Cisco CCNP Security certification.

More information

Google Identity Services for work

Google Identity Services for work INTRODUCING Google Identity Services for work One account. All of Google Enter your email Next Online safety made easy We all care about keeping our data safe and private. Google Identity brings a new

More information

HP Instant Support Enterprise Edition (ISEE) Security overview

HP Instant Support Enterprise Edition (ISEE) Security overview HP Instant Support Enterprise Edition (ISEE) Security overview Advanced Configuration A.03.50 Mike Brandon Interex 03 / 30, 2004 2003 Hewlett-Packard Development Company, L.P. The information contained

More information

CA Adapter. Installation and Configuration Guide for Windows. r2.2.9

CA Adapter. Installation and Configuration Guide for Windows. r2.2.9 CA Adapter Installation and Configuration Guide for Windows r2.2.9 This Documentation, which includes embedded help systems and electronically distributed materials (hereinafter referred to as the Documentation

More information

1 Modular architecture

1 Modular architecture 1 Modular architecture UI customization IIS ID assignment Authorizer selection HTML/CSS/JS HTML/CSS/JS skin skin API User module Admin module Attribute validation Resource assignment Escalation / delegation

More information

ForeScout Extended Module for Carbon Black

ForeScout Extended Module for Carbon Black ForeScout Extended Module for Carbon Black Version 1.0 Table of Contents About the Carbon Black Integration... 4 Advanced Threat Detection with the IOC Scanner Plugin... 4 Use Cases... 5 Carbon Black Agent

More information

vcenter Server Installation and Setup Update 1 Modified on 30 OCT 2018 VMware vsphere 6.7 vcenter Server 6.7

vcenter Server Installation and Setup Update 1 Modified on 30 OCT 2018 VMware vsphere 6.7 vcenter Server 6.7 vcenter Server Installation and Setup Update 1 Modified on 30 OCT 2018 VMware vsphere 6.7 vcenter Server 6.7 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

VMware AirWatch Content Gateway Guide for Windows

VMware AirWatch Content Gateway Guide for Windows VMware AirWatch Content Gateway Guide for Windows AirWatch v9.3 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com. This product

More information

Microsoft Office SharePoint Server 2007

Microsoft Office SharePoint Server 2007 Microsoft Office SharePoint Server 2007 Enabled by EMC Celerra Unified Storage and Microsoft Hyper-V Reference Architecture Copyright 2010 EMC Corporation. All rights reserved. Published May, 2010 EMC

More information

BlackBerry Enterprise Server for IBM Lotus Domino Version: 5.0. Administration Guide

BlackBerry Enterprise Server for IBM Lotus Domino Version: 5.0. Administration Guide BlackBerry Enterprise Server for IBM Lotus Domino Version: 5.0 Administration Guide SWDT487521-636611-0528041049-001 Contents 1 Overview: BlackBerry Enterprise Server... 21 Getting started in your BlackBerry

More information

Imperva Incapsula Website Security

Imperva Incapsula Website Security Imperva Incapsula Website Security DA T A SH E E T Application Security from the Cloud Imperva Incapsula cloud-based website security solution features the industry s leading WAF technology, as well as

More information

Factsheet of Public Services Infrastructure (PSi) Updated on: 1st Sep 03

Factsheet of Public Services Infrastructure (PSi) Updated on: 1st Sep 03 Factsheet of Public Services Infrastructure (PSi) Updated on: 1st Sep 03 1 Objective of Paper 1.1 This document provides an overview of the Public Services Infrastructure (PSi). 2 Overview of PSi 2.1 PSi

More information

Policy Manager for IBM WebSphere DataPower 7.2: Configuration Guide

Policy Manager for IBM WebSphere DataPower 7.2: Configuration Guide Policy Manager for IBM WebSphere DataPower 7.2: Configuration Guide Policy Manager for IBM WebSphere DataPower Configuration Guide SOAPMDP_Config_7.2.0 Copyright Copyright 2015 SOA Software, Inc. All rights

More information

HOMELESS INDIVIDUALS AND FAMILIES INFORMATION SYSTEM HIFIS 4.0 TECHNICAL ARCHITECTURE AND DEPLOYMENT REFERENCE

HOMELESS INDIVIDUALS AND FAMILIES INFORMATION SYSTEM HIFIS 4.0 TECHNICAL ARCHITECTURE AND DEPLOYMENT REFERENCE HOMELESS INDIVIDUALS AND FAMILIES INFORMATION SYSTEM HIFIS 4.0 TECHNICAL ARCHITECTURE AND DEPLOYMENT REFERENCE HIFIS Development Team May 16, 2014 Contents INTRODUCTION... 2 HIFIS 4 SYSTEM DESIGN... 3

More information

Table of Contents. Page 1 of 6 (Last updated 27 April 2017)

Table of Contents. Page 1 of 6 (Last updated 27 April 2017) Table of Contents What is Connect?... 2 Physical Access Controls... 2 User Access Controls... 3 Systems Architecture... 4 Application Development... 5 Business Continuity Management... 5 Other Operational

More information

SAS 9.2 Intelligence Platform. Web Application Administration Guide, Third Edition

SAS 9.2 Intelligence Platform. Web Application Administration Guide, Third Edition SAS 9.2 Intelligence Platform Web Application Administration Guide, Third Edition The correct bibliographic citation for this manual is as follows: SAS Institute Inc. 2010. SAS 9.2 Intelligence Platform:

More information

Chapter 4. Fundamental Concepts and Models

Chapter 4. Fundamental Concepts and Models Chapter 4. Fundamental Concepts and Models 4.1 Roles and Boundaries 4.2 Cloud Characteristics 4.3 Cloud Delivery Models 4.4 Cloud Deployment Models The upcoming sections cover introductory topic areas

More information

BIG-IP APM: Access Policy Manager v11. David Perodin Field Systems Engineer

BIG-IP APM: Access Policy Manager v11. David Perodin Field Systems Engineer 1 BIG-IP APM: Access Policy Manager v11 David Perodin Field Systems Engineer 3 Overview What is BIG-IP Access Policy Manager (APM)? How APM protects organization-facing applications by providing policy-based,

More information

Table of Contents Chapter 1: Migrating NIMS to OMS... 3 Index... 17

Table of Contents Chapter 1: Migrating NIMS to OMS... 3 Index... 17 Migrating from NIMS to OMS 17.3.2.0 User Guide 7 Dec 2017 Table of Contents Chapter 1: Migrating NIMS to OMS... 3 Before migrating to OMS... 3 Purpose of this migration guide...3 Name changes from NIMS

More information

5 OAuth EssEntiAls for APi AccEss control layer7.com

5 OAuth EssEntiAls for APi AccEss control layer7.com 5 OAuth Essentials for API Access Control layer7.com 5 OAuth Essentials for API Access Control P.2 Introduction: How a Web Standard Enters the Enterprise OAuth s Roots in the Social Web OAuth puts the

More information

VMware Workspace ONE Quick Configuration Guide. VMware AirWatch 9.1

VMware Workspace ONE Quick Configuration Guide. VMware AirWatch 9.1 VMware Workspace ONE Quick Configuration Guide VMware AirWatch 9.1 A P R I L 2 0 1 7 V 2 Revision Table The following table lists revisions to this guide since the April 2017 release Date April 2017 June

More information

CA Adapter. CA Adapter Installation Guide for Windows 8.0

CA Adapter. CA Adapter Installation Guide for Windows 8.0 CA Adapter CA Adapter Installation Guide for Windows 8.0 This Documentation, which includes embedded help systems and electronically distributed materials (hereinafter referred to as the Documentation

More information

Jitterbit is comprised of two components: Jitterbit Integration Environment

Jitterbit is comprised of two components: Jitterbit Integration Environment Technical Overview Integrating your data, applications, and other enterprise systems is critical to the success of your business but, until now, integration has been a complex and time-consuming process

More information

WHITEPAPER. Security overview. podio.com

WHITEPAPER. Security overview. podio.com WHITEPAPER Security overview Podio security White Paper 2 Podio, a cloud service brought to you by Citrix, provides a secure collaborative work platform for team and project management. Podio features

More information

VMware AirWatch Content Gateway Guide For Linux

VMware AirWatch Content Gateway Guide For Linux VMware AirWatch Content Gateway Guide For Linux AirWatch v9.2 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com. This product

More information

Guide to Deploying NetScaler as an Active Directory Federation Services Proxy

Guide to Deploying NetScaler as an Active Directory Federation Services Proxy Deployment Guide Guide to Deploying NetScaler as an Active Directory Federation Services Proxy Enabling seamless authentication for Office 365 use cases Table of Contents Introduction 3 ADFS proxy deployment

More information

Delivering Complex Enterprise Applications via Hybrid Clouds

Delivering Complex Enterprise Applications via Hybrid Clouds Whitepaper Delivering Complex Enterprise Applications via Hybrid Clouds As enterprises and industries shake off the effects of the last recession, the focus of IT organizations has shifted from one marked

More information

vcenter Server Installation and Setup Modified on 11 MAY 2018 VMware vsphere 6.7 vcenter Server 6.7

vcenter Server Installation and Setup Modified on 11 MAY 2018 VMware vsphere 6.7 vcenter Server 6.7 vcenter Server Installation and Setup Modified on 11 MAY 2018 VMware vsphere 6.7 vcenter Server 6.7 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

Adaptive Authentication Adapter for Citrix XenApp. Adaptive Authentication in Citrix XenApp Environments. Solution Brief

Adaptive Authentication Adapter for Citrix XenApp. Adaptive Authentication in Citrix XenApp Environments. Solution Brief Adaptive Authentication Adapter for Citrix XenApp Adaptive Authentication in Citrix XenApp Environments Solution Brief RSA Adaptive Authentication is a comprehensive authentication platform providing costeffective

More information

VMware AirWatch Content Gateway Guide for Windows

VMware AirWatch Content Gateway Guide for Windows VMware AirWatch Content Gateway Guide for Windows AirWatch v9.1 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com. This product

More information

Guide to Deploying VMware Workspace ONE. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1

Guide to Deploying VMware Workspace ONE. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1 Guide to Deploying VMware Workspace ONE DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information