Softlink International Liberty Security www.softlinkint.com
The Product: Liberty

Liberty is Softlink's flagship product for Special, Academic, Government and Public libraries, used daily by hundreds of academics, information specialists, professionals and library staff to manage, access and share information resources in support of organisational goals. Built specifically for web deployment and to deliver flexibility, reliability and scalability for users, Liberty has been the focus of intense development and design at Softlink, aimed at a web-based library solution that meets the needs of today's and tomorrow's library users, researchers and professionals. Selected by a prestigious range of libraries, consortia and multinational organisations in Australia and overseas, Liberty integrates leading technology, 25 years of information management technology experience and established library standards to continue to benefit all members of the library and business communities.

Network Configuration

Liberty is architected as a three-tier application, which inherently enables both horizontal and vertical scalability. Each deployed element of Liberty is both vertically and horizontally scalable, as described below. Liberty is built in a multi-tier architecture to facilitate scaling to an enterprise-level deployment. This consists of:

Web & Application Server
Database Server
Reporting Server

By separating the different tiers of the application, greater security and performance is provided. In addition to the security and performance benefits, users also gain increased scalability and more flexible deployment options. The configuration is comprised of:

1. Web Server. The Web Server maintains and controls end-user connections. It runs the Apache Web Server application and can also act as a load balancer for the deployment.
2. Application Server. The Application Server contains the application, which runs within the JBoss Application Server on the JEE framework. All business logic is maintained within the application server.
3. Reporting Server. The Reporting Server runs MS SQL Reporting Services, the reporting framework used within the system. A separate server is recommended to maximise the performance and security of the SQL database.
4. Database Server. The Database Server stores all user data and runs MS SQL Server.
Deploying the software in a three-tier architecture provides security benefits. In most usage scenarios, however, a two-tier architecture in which the web and application servers are combined simplifies the deployment without significant drawbacks. This two-tier deployment model is recommended for the majority of sites, enterprise and otherwise.

Server Communications

As an Enterprise deployment disperses the Liberty application across several servers, it is important to understand how the servers communicate with each other. All inter-server communication is performed over the http protocol. The default configuration uses port 8080 for http communication, but this is fully configurable. Secure communication is also supported using the https protocol, with a default port of 443. The Application Server communicates with the SQL server using socket-based communication over TCP/IP; the default port is 1433 and is fully customisable. Because each flow uses a known protocol and port, the firewalls between the network zones can be locked down to permit only those protocols and ports, from defined sources to defined destinations. The Application Server also communicates with the Reporting Server via port 80.

Security Requirements

There are two types of security requirements for Liberty Enterprise:

1. User security
2. Application security

User Security

User security settings are easily maintained within the Liberty application by an administrator and operate at a number of levels. Each user is added to a User Role. The User Role defines which User Privileges the role has and which Security Groups the user belongs to. These privileges define which actions the user can perform (View, Add, Edit etc.) and which modules the user can access (OPAC, Cataloguing, Acquisitions etc.), according to your organisational structure and user roles.
Resources within Liberty can also be assigned a Security Group, so that only users who belong to that Security Group can view and access the record in the OPAC. Security Groups can also be used to exclude users. Individual User Roles can be assigned to Security Groups. User Roles, User Privileges and Security Groups are fully customisable within Liberty and are defined by library staff via the application interface.

Users can be authenticated into Liberty through a number of different mechanisms:

1. Direct authentication with Liberty
2. LDAP Authentication
3. Single-Sign-On using an SSO mechanism supported by Liberty

Direct Authentication with Liberty means the user enters a username and password, and the details are authenticated by Liberty against the information stored within Liberty.

LDAP Authentication is similar to Direct Authentication, except that the username and password are checked against a directory (Active Directory) on the network and the authentication status is returned to Liberty. This mechanism uses the LDAP protocol. All user roles and privileges are still maintained within Liberty.

Single-Sign-On allows the user to sign on once to the network or intranet and be automatically authenticated into other applications on the network. Single-Sign-On can use either Integrated Authentication (provided by Microsoft) or a third-party SSO web portal. To use Integrated Authentication, the servers must all be on the same network and domain as the end user and must use Active Directory and LDAP. Softlink currently supports the SAFE and SAML protocols. User Role and User Privilege configurations are maintained within Liberty.

Within Liberty, the only difference between a Liberty Staff Member and an End User is the User Role granted to the user and the User Privileges allocated to that role.
Application Security

Minimal network security requirements exist for Liberty to work correctly; these requirements largely relate to reporting. For example, the user account running the Application Server (the JBoss Service Account) must have the right to run as a service, access to any network paths used by the application, and read and write access to the Reporting Services Database. Access to the main SQL Database on the Database Server is configured within the application. The application prefers to use an SQL user to access the library data, while Reporting Services requires a network user account.

Framework

Liberty is built on the Java Enterprise Edition framework, which is designed for building large-scale, multi-tiered, scalable, reliable and secure network applications.
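The inter-server flows listed under Server Communications (web to application on 8080/443, application to SQL Server on 1433, application to Reporting Server on 80) and the SQL access described under Application Security can be turned into a firewall allow-list audit. The following is an added example, not Softlink's code; the zone names, rule format and sample rule sets are assumptions for illustration, and a site using non-default ports would substitute its own values.

```python
"""Audit a candidate firewall allow-list against the inter-server flows the
Liberty brochure documents.  Added example, not Softlink's code; the zone
names, Rule format and sample rule sets are constructed for illustration."""
from dataclasses import dataclass

ZONES = ["web", "app", "db", "reporting"]

# Documented flows as (source zone, destination zone, TCP port), using the
# brochure's defaults.  All of these ports are configurable in Liberty.
DOCUMENTED_FLOWS = {
    ("web", "app", 8080),       # http between web and application tier
    ("web", "app", 443),        # https between web and application tier
    ("app", "db", 1433),        # application server to MS SQL Server
    ("app", "reporting", 80),   # application server to Reporting Services
}


@dataclass(frozen=True)
class Rule:
    src: str   # source zone, or "any" for every zone
    dst: str   # destination zone
    port: int  # TCP destination port


def audit_rules(rules):
    """Return (unexpected, missing): allowed flows that no documented flow
    justifies, and documented flows that no rule permits."""
    allowed, unexpected = set(), set()
    for r in rules:
        sources = ZONES if r.src == "any" else [r.src]
        for s in sources:
            flow = (s, r.dst, r.port)
            if flow in DOCUMENTED_FLOWS:
                allowed.add(flow)
            elif s != r.dst:          # intra-zone traffic is out of scope here
                unexpected.add(flow)
    return sorted(unexpected), sorted(DOCUMENTED_FLOWS - allowed)


# Constructed sample: a weak rule set that opens SQL Server to every zone and
# omits the reporting flow, beside the minimal rule set the flows call for.
WEAK_RULES = [Rule("web", "app", 8080), Rule("web", "app", 443),
              Rule("any", "db", 1433)]
TIGHT_RULES = [Rule("web", "app", 8080), Rule("web", "app", 443),
               Rule("app", "db", 1433), Rule("app", "reporting", 80)]

if __name__ == "__main__":
    print(audit_rules(WEAK_RULES))   # flags web and reporting reaching db:1433, missing app -> reporting:80
    print(audit_rules(TIGHT_RULES))  # ([], [])
```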
Performance Testing and Tuning

Softlink conducts performance tests on Liberty at the IBM Test Centre to validate current benchmarks and identify any areas requiring improvement. To leverage enhanced frameworks for improved performance, Liberty has been upgraded to support WildFly, which has a lighter footprint than the currently supported version of the JBoss application server. The version of Java running on the application server has also been upgraded, to Java 7.

Adoption of International Standards

Softlink seeks to adopt the standards most needed by clients as a result of legislative requirements or widespread acceptance, or that have the potential to offer end-user value. Liberty is compliant with a wide range of industry standards relating to library data, including the following:

MARC21
EDI
Z39.50
SIP2
RDA
AACR2