PKI is a system for verifying the authenticity of each party involved in an Internet transaction, protecting against fraud or sabotage, and for nonrepudiation purposes to help consumers and retailers protect themselves against denial of transactions. Trusted third-party organizations called certificate authorities issue digital certificates -- attachments to electronic messages -- that specify key components of the user's identity. During an Internet transaction, signed, encrypted messages are automatically routed to the certificate authority, where the certificates are verified before the transaction can proceed. PKI can be embedded in software applications, or offered as a service or a product. e-business leaders agree that PKIs are critical for transaction security and integrity, and the software industry is moving to adopt open standards for their use.

The DNS Node assists in determining the physical network address associated with the symbolic address (URL) of the requested information. The Domain Name Server Node provides the technology platform to provide host to IP address mapping, that is, to allow for the translation of names (referred to as URLs) into IP addresses and vice versa.

Additional Resources

• (in English) ESS

The user node is most frequently a personal computing device (PC) supporting a commercial browser, for example, Netscape Navigator and Internet Explorer. The browser is expected to support SSL and some level of DHTML. Increasingly, designers need to also consider that this node might be a pervasive computing device, such as a Personal Digital Assistant (PDA).

In order to separate the Web server from the application server, a so-called Web Server Redirector Node (or just redirector for short) is introduced. The Web server redirector is used in conjunction with a Web server. The Web server serves HTTP pages and the redirector forwards servlet and JSP requests to the application servers. The advantage of using a redirector is that you can move the application server behind the domain firewall into the secure network, where it is more protected than within the DMZ.

A firewall is a hardware/software system that manages the flow of information between the Internet and an organization's private network. Firewalls can prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets, and can block some virus attacks -- as long as those viruses are coming from the Internet. A firewall can separate two or more parts of a local network to control data exchange between departments. Components of firewalls include filters or screens, each of which controls transmission of certain classes of traffic. Firewalls provide the first line of defense for protecting private information, but comprehensive security systems combine firewalls with encryption and other complementary services, such as content filtering and intrusion detection.

Firewalls control access from a less trusted network to a more trusted network. Traditional implementations of firewall services include:

• Screening routers (the Protocol Firewall)
• application gateways (The Domain Firewall)

A pair of Firewall Nodes provides increasing levels of protection at the expense of increasing computing resource requirements. The Domain Firewall is typically implemented as a dedicated server Node.

See Also

• Protocol Firewall Node

Additional Resources

• (in English) ESS

A firewall is a hardware/software system that manages the flow of information between the Internet and an organization's private network. Firewalls can prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets, and can block some virus attacks -- as long as those viruses are coming from the Internet. A firewall can separate two or more parts of a local network to control data exchange between departments. Components of firewalls include filters or screens, each of which controls transmission of certain classes of traffic. Firewalls provide the first line of defense for protecting private information, but comprehensive security systems combine firewalls with encryption and other complementary services, such as content filtering and intrusion detection.

Firewalls control access from a less trusted network to a more trusted network. Traditional implementations of firewall services include:

• Screening routers, (the Protocol Firewall)
• Application gateways (The Domain Firewall)

A pair of Firewall Nodes provides increasing levels of protection at the expense of increasing computing resource requirements. The Protocol Firewall is typically implemented as an IP Router.

See Also

• Domain Firewall Node

Additional Resources

• (in English) ESS

The directory and security services node supplies information on the location, capabilities, and attributes (including user ID/password pairs and certificates) of resources and users known to this Web application system. This node can supply information for various security services (authentication and authorization) and can also perform the actual security processing, for example, to verify certificates. The authentication in most current designs validates the access to the Web application server part of the Web server, but this node also authenticates for access to the database server.

See Also

• Database server

Additional Resources

• (in English) ESS

This Node's function is to provide a persistent data storage and retrieval in support of the user-to-business transactional interaction. The data stored is relevant to the specific business interaction, for example bank balance, insurance information, and current purchase by the user.

It is important to note that the mode of database access is perhaps the most important factor determining the performance of this Web application, in all but the simplest cases. The recommended approach is to collapse the database accesses into single or very few calls. This can be achieved via coding and invoking stored procedure calls on the database.

See Also

• Thin Client Transactional Pattern

Additional Resources

• (in English) ESS

The Thin Client Transactional Pattern is the Enterprise Solution Structure (ESS) technical architecture which addresses the need to do enterprise-scale administrative business as opposed to solutions requiring real-time control of equipment. For example:

• Customer sales and service
• Order processing
• Claims processing, loan origination, and so on.

Its purpose is to support the business need of doing enterprise-scale commerce (as contrasted with business intelligence or collaboration) over the Web or via network-connected workstations. The essence of this pattern is the need to use highly secure, highly scalable transaction processing via this new channel.

See Also

• Enterprise Solution Structure (ESS)

Additional Resources

• (in English) "Enterprise Solutions Structure," IBM Systems Journal 38, No. 1 (1999)
• (in English) "Technical Reference Architectures," IBM Systems Journal 38, No. 1 (1999)

Enterprise Solutions Structure (ESS) is a major IBM initiative to establish a standard architectural framework to support creation, reuse, and maintenance of architecture and design assets. These intellectual capital assets are used by IBM services practitioners for developing and delivering enterprise solutions. ESS draws on experiences with building customer solutions to distill "best practice" structures, models, and sample deliverables. The framework provides a rich set of architectural building blocks for solution architects and provides guidance on when and how to use this content to advantage. Specifically, this architecture provides a common, consistent approach for understanding and documenting business requirements via a business model, designing a logical architecture of key components and services, and finally, implementing a physical architecture based on actual products, platforms, and services.

The term "Reference Architecture" is used to refer to the collection of assets which as a whole describe how to implement a given type of business solution. For example, there is a reference architecture which shows how to implement a call center. There is another one which shows how to implement an online buying application. This site which provides Patterns for e-business is based to a large extent upon the ESS reference architecture assets. The intent is to share a summary of those reference architectures with you in this way.

See Also

• Thin Client Transactional Pattern

Additional Resources

• (in English) "Enterprise Solutions Structure," IBM Systems Journal 38, No. 1 (1999)
• (in English) "Technical Reference Architectures," IBM Systems Journal 38, No. 1 (1999)

The application server node provides the infrastructure for application logic and can be part of a Web application server. It is capable of running both presentation and business logic but generally does not serve HTTP requests. When used with a Web server redirector, the application server node can run both presentation and business logic. In other situations, it can be used for business logic only.

Lightweight Directory Access Protocol (LDAP) refers to the protocol that is used to communicate from a calling program (running on a node such as a Commerce Server) and a Directory Node. Information is kept on the LDAP-based directory node about such topics as people and/or services.

For example, the directory could be used to store information needed to identify registered shoppers (referred to as authentication). It could also be used to store information about what functions those shoppers are allowed to perform after being identified (referred to as authorization).

This Node's function is to provide persistent data storage and retrieval in support of the user to-online buying transactional interaction.

Customer related data that is stored is relevant to the specific business interaction, for example, the shopping cart and shipping address information. Some sites are registering users and storing customer profile data such as address, clothing sizes, preferences, and gift wish lists that others can access when buying presents. Most sites today do not store credit card information on this server for security reasons.

Also stored here is the product and catalog information used to dynamically build HTML pages for presentation during the shopping process.

The mode of DB access is perhaps the most important factor determining the performance of this Web application, in all but the simplest cases. The recommended approach is to collapse the DB accesses into a single or very few calls. This can be achieved using coding and invoking Stored Procedure Calls on the database. Typically many commerce servers share only one database server in a high volume site, so the technology to implement this node must be able to scale vertically.