Securing communication with custom applications
If you develop custom applications that access the Verify Identity Governance Server, those applications must adhere to the programming guidelines described in this section:
- Security boundaries built into the Verify Identity Governance Server are observed strictly.
- Only authorized application programming interfaces (APIs) are used for communication between the server and custom applications.
- Appropriate roles are assigned to users and user groups that use custom applications to access IBM Verify Identity Governance functions.
IBM Verify Identity Governance shields its core functions with a layer of managed enterprise Java™ beans (EJBs). These EJBs are in an unprivileged layer of the IBM Verify Identity Governance, which is illustrated in Figure 1.
When IBM Verify Identity Governance communicates with a client application, every managed EJB method requires a signed token from the caller. The token verifies the caller's identity, except for the method that performs the authentication itself. The caller obtains this signed token after authenticating with the Verify Identity Governance Server.

The following types of custom applications can be created to communicate with the Verify Identity Governance Server:
- Stand-alone Java client: Deployed as a WebSphere® Liberty thin client.
- Web application: Deployed outside of WebSphere Liberty. A web application can start only a specific subset of Verify Identity Governance Server APIs.
- Enterprise application, same Java virtual machine (JVM): Deployed in the same server instance (enrole.ear) as the Verify Identity Governance Server.
- Enterprise application, separate JVM: Deployed on the same computer as the Verify Identity Governance Server, but runs as a separate JVM process.
- Servlets: Deployed on a separate computer that runs WebSphere Liberty. Servlets are not deployed in the context of a web application.
Whichever type of application you create, observe the following security guidelines:
- Allow only published APIs to access the managed EJBs in the unprivileged area.
- Allow custom applications to use only the functions that the APIs provide.
- Ensure that the computer on which the Verify Identity Governance Server runs is always secure.
WebSphere Liberty uses roles to manage access to application components and other objects, including user and group names. Use the following guidelines for assigning roles in custom applications that interface with the Verify Identity Governance Server:
- ITIM_SYSTEM: This role is defined when the Verify Identity Governance Server is deployed into WebSphere Liberty. ITIM_SYSTEM is used by Verify Identity Governance Server components. It is authorized to call all EJB methods in both the privileged and unprivileged layers. Do not assign any principal names or user IDs to this role without prior consultation with an IBM® representative.
- ITIM_CLIENT: This role is authorized to call only the managed EJB methods in the unprivileged layer. Map the users, user group names, and other principals that perform less restricted tasks in the Verify Identity Governance Server to this role.
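The following server.xml fragment is an added illustration of these role guidelines expressed as a WebSphere Liberty role binding; it is not IBM's shipped configuration. The application id, the group name `itim-api-clients`, and the choice to bind roles in server.xml rather than in the EAR's deployment descriptor are assumptions for the example.

```xml
<!-- Added example (not the product's own configuration): bind the Verify
     Identity Governance roles so that custom clients land in ITIM_CLIENT
     only. The id, group name and binding location are assumptions. -->
<enterpriseApplication id="ITIM" name="ITIM" location="enrole.ear">
    <application-bnd>
        <!-- ITIM_CLIENT: unprivileged layer only. Bind a dedicated group
             for custom applications rather than individual user IDs. -->
        <security-role name="ITIM_CLIENT">
            <group name="itim-api-clients"/>
        </security-role>

        <!-- ITIM_SYSTEM: privileged and unprivileged layers. Leave this
             binding untouched; do not add users, groups or a
             special-subject here without consulting IBM. -->
        <security-role name="ITIM_SYSTEM"/>

        <!-- Avoid bindings such as the following, which would grant the
             unprivileged API layer to every authenticated principal:
             <security-role name="ITIM_CLIENT">
                 <special-subject type="ALL_AUTHENTICATED_USERS"/>
             </security-role> -->
    </application-bnd>
</enterpriseApplication>
```

After deployment, confirm that only the intended group resolves to ITIM_CLIENT and that no principal was added to ITIM_SYSTEM by reviewing the effective bindings in the server configuration.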