www.edge-technologies.com
White Paper | ©2016 Edge Technologies, Inc.
1
White Paper
Edge Technologies
1881 Campus Commons Drive, Suite 101
Reston, VA 20191
T 703.691.7900  F 703.691.4020
888.771.EDGE
enPortal® / AppBoard® Technical Overview
April 2016
Table of Contents
Overview ... 5
Core Features and Capabilities ... 7
Edge Integrations ... 10
  enPortal Integrations ... 11
    COTS-Based Product Integration Modules (PIMs) ... 11
    PIM Failover and Traffic Management ... 11
    Content Retrieval ... 12
    Application Hardening: Real-time Content Filtering and Modification ... 12
    Custom Integrations ... 14
  AppBoard Integrations ... 15
    Data Adapters ... 15
    Data Sources ... 15
Advanced Security ... 16
  Attack Prevention ... 16
  Password Management Policies ... 16
  Access Control List Rules ... 16
  SSL Communications Support ... 17
  Proxy Technology ... 17
  Firewall Support ... 18
  Protection of Private Networks and Application Assets ... 18
User Management ... 20
  Single Sign-On ... 20
    Provisioning of Single Sign-On Tokens ... 21
    Single Sign-Out ... 21
    Kerberos ... 21
  Authentication and Login Processing ... 22
  External User Authentication ... 22
    CAC/PKI ... 22
    CA Single Sign-On (formerly CA SiteMinder) ... 23
    Customer Portal to enPortal Authentication Mapping ... 24
    Two-factor Authentication Systems ... 24
    Web Access Management ... 24
    Custom Authentication ... 25
    IP Address and Session Limiting ... 25
Branding and Customization ... 26
enPortal and AppBoard Deployment Models ... 28
  Deployment Model 1: For Internal Users ... 28
  Deployment Model 2a: For External Users or Customers with Multi-Tenancy ... 30
  Deployment Model 2b: In Your Existing External Portal ... 31
  Customer Example ... 32
Architecture ... 33
  Design Architecture ... 33
  Scalability, Clustering, and Failover ... 34
    Basic Deployment ... 34
    High Availability (Failover) ... 34
    Optimized Performance with Failover (Clustering) ... 35
  Running in Modern Environments ... 36
    Virtualized Networks (VMware) ... 36
    IPv6 Network ... 36
    Through an Existing Proxy Server ... 36
    Remote Application Delivery ... 36
  enPortal and AppBoard Component Architecture ... 38
    Request Engine ... 38
    Business Logic Engine ... 38
    Integration Engine ... 38
    Data Source Engine ... 39
    Web Application Proxy and Content Filtering ... 39
    Object Database ... 39
  AppBoard Client Component Architecture ... 40
    Data Source ... 40
    Data Collections ... 41
    Widgets ... 41
    Stacks and Boards ... 42
About Edge Technologies, Inc. ... 43
Appendix A: enPortal Product Integrations ... 44
Overview
Integration is no longer just a nice-to-have – it has become a must-have in commercial
and government environments around the globe.
Managers of modern companies face many challenges for providing the necessary
information and tools to their users:
Too Much Information: End-users are presented with an overwhelming amount of
data. It is difficult to find the relevant data and assess the impact of issues from a
business perspective.
Numerous OSS/BSS Tools: When working with Operations Support Systems or
Business Support Systems, each tool has its own URL, login, interface, product
terminology, and unique training requirements. There is often limited native
interoperability between all of these tools.
Complexity: Users need to use data collected by monitoring tools, but want to be
shielded from the complexity of the underlying technologies.
Security and Compliance: Customers need direct, real-time access to many tools
across the network, while the security of the network is maintained.
This white paper details how the patented technology of Edge Technologies’ enPortal®
and AppBoard® tackles all of the above challenges. enPortal and AppBoard provide
solutions to the integrator with elements that are critical for any deployment,
including:
Time: Rapid integration of existing products and data from multiple vendors
Standardization: Integration of information provided by various applications into a
single cohesive, branded display
Flexibility: An integration platform that creates interoperability between disparate
tools, and can be rapidly adapted to meet unknown future requirements
Convenience: A single, secure access point for all tools, with minimal disruption to
end-users when applications are replaced or upgraded
Scalability: Support for large numbers of concurrent users without impacting
system performance
This is why, since its release, Edge's solution has delivered significant value for a diverse
set of customers, including telecommunications companies, Managed Service Providers,
large banks, manufacturing companies, federal agencies, the U.S. Department of
Defense, foreign militaries, and other global corporations.
“The implementation has been very successful and has allowed us, in a very short
period of time, to reach our primary objectives: Secure revenue assurance and
improved Quality of Service perceived by end customers. We have achieved savings
by means of providing automated reports and proactive management of incidents for
clients avoiding SLA penalties and economic loss for the company.” - Vicente Espinaza,
Project Manager and Senior Engineer for Telefonica
Core Features and Capabilities
The core software components of enPortal and AppBoard combine to provide
advanced capabilities and significant benefits – many of which are unique to Edge's
solution offering and not possible through other products.
enPortal offers a vast array of features and functions. The core features/capabilities
include:
Integration of existing web-based tools and applications
Advanced security
Single Sign-On
Integration with external user authentication systems
Branding and customization
Dashboard views
Multi-tenancy
Scalability
In addition to the web-layer integrations provided by enPortal, Edge offers an
information visualization component, called AppBoard, which provides additional
integration through data-layer adapters. This unique model allows for the seamless
combination of new visualizations based on raw data with native, in-context views from
existing tools into role-based custom dashboards. This also offers additional ways for
the system designer to always provide the right data to the right user with clear and
concise visualizations.
AppBoard adds value by:
Providing high-level summaries, with filtering and drill-down
Providing seamless transition from custom visualizations to fully interactive
use of integrated tools
Transforming event data to service impact information
Providing visualizations of information derived from multiple data sources
Supporting presentation on mobile devices
The combination of the GUI-based AppBoard Builder, widgets, and data adapters allows
the dashboard designer to rapidly integrate and visualize raw data. These visualizations
are then available for presentation alongside the enPortal views of integrated
application GUIs. AppBoard is licensed separately from enPortal, but both applications
are designed to be deployed together as a single, cohesive solution.
The figure below demonstrates how enPortal and AppBoard work together to provide a
full suite of integration. enPortal’s Product Integration Modules (PIMs) provide GUI-
layer integration of existing application interfaces, while AppBoard’s Data Adapters
provide data-layer integration through direct connections to application databases or
Web Services:
Figure 1: Comparing integration through enPortal and AppBoard
Below are examples of visualizations that combine enPortal GUI-layer PIM integrations
together with AppBoard data-layer visualizations:
Figure 2: Device Status, Network Topology, Bandwidth Utilization, and Ticket List from a
suite of integrated OSS applications
Figure 3: Enterprise View using PIMs and Data Adapters
Edge Integrations
To get the most from an integration platform, customers need the ability to integrate
new content elements quickly and securely. Customers also need the ability to enable
partners and other third parties to organize application services, multi-media streams,
and web-based utilities into any number of user or role-specific views – without
complex software development.
To meet the challenge of integrating, controlling, protecting, and multiplexing fully
interactive back-end applications and content into a virtual desktop, over private and
public networks, Edge offers three types of integration:
Product Integration Modules (PIMs) - Proxied views of web-based applications
combined with user authentication, Single Sign-On, secure multi-tenancy, and
HTML content manipulation
Data Adapters - Direct connections to data from a variety of files and
databases via Web Services, JDBC, APIs, scripts, or other mechanisms
Integration Packages - Bundled integrations and content, purpose-built for
specific applications or application suites. Integration packages may include
web and/or data-layer integrations, preconfigured dashboards, widgets, and
actions, and pre-packaged sample content.
Figure 4: A single dashboard driven by multiple data sources and integration types
enPortal Integrations
COTS-Based Product Integration Modules (PIMs)
A distinct advantage of enPortal is rapid deployment, made possible by enPortal’s
prepackaged PIMs. enPortal PIMs provide plug-and-play Commercial Off-The-Shelf
(COTS)-based integration of products from BMC, CA, Cisco, EMC, HP, InfoVista, IBM,
Oracle, SevOne, VMware, and many more.
PIMs offer immediate value to an organization that has made existing investments in
these applications. Interfaces from multiple applications can be presented side-by-side
in the enPortal display to the user.
PIMs are essentially XML definitions that define how enPortal will integrate the third-
party products and applications into content Channels and Views. To integrate a new
application with enPortal using a PIM, an administrator specifies the IP address, web
server port, and configuration information for a live application. enPortal then
automatically creates content Channels for the third-party application for immediate
incorporation into an enPortal page.
A list of web-based products for which Edge offers PIMs is available in Appendix A:
enPortal Product Integrations.
enPortal also provides integration of applications that are not web-based and which
cannot typically be integrated into other portals. Integration with non-web application
GUIs is via an integration module to remote access tools that enable non-web or thick-
client applications to be accessed from any Java-enabled web browser.
PIM Failover and Traffic Management
The PIM Failover option configures enPortal to connect to more than one instance of an
integrated application. If there is a failure of the primary application server, the
enPortal PIM will “failover” to the backup instance of the application, providing
uninterrupted access to the application by enPortal users.
The Round-Robin option can also be enabled, which will direct users to alternate
between accessing different instances of an integrated application. This spreads the
load across the multiple back-end application servers and allows a large number of
concurrent users of the proxied tool.
Content Retrieval
An integral part of enPortal, the patented CRS technology detects, modifies, stores, and
disseminates information retrieved from the web applications integrated through
the enPortal framework. The CRS is designed to incorporate any number of fully
interactive dynamic applications into a single cohesive view. From an administrative
perspective, CRS manages user access to, and control of, fully interactive applications
and web content based on user, domain, and role.
CRS also provides for the multiplexing of disparate external HTTP(S) communication
streams over a single HTTP(S) port to the web browser by:
Supporting remote access to an unlimited number of fully interactive
applications through firewalls and multi-layer DMZ environments utilizing
network address translation – regardless of the application’s IP address or port
number – for transport over public networks
Supporting the ability to conceal IP addresses and port numbers to applications,
web resources and their network elements, thereby protecting the operational
network and corporate applications
Application Hardening: Real-time Content Filtering and Modification
Most companies have well-known policies in place for hardening or securing their
servers, VMs, and Operating Systems, and to look for vulnerabilities that are common
to web applications. Application and web UI hardening is a natural extension of these
critical requirements. For Managed Service Providers and IT organizations that act as
service providers, this is an essential element in delivering customer-facing views of
third-party tools safely and securely.
Only Edge Technologies, with enPortal’s HTML content filtering and modification
capabilities, can effectively harden or secure most web-based applications by
controlling which features of an application’s user interface are dynamically filtered or
modified before presentation to the user. Additionally, applications may be modified
to "behave properly" within the browser (e.g. remove pop-up windows).
Examples of content filtering, modification, and addressing potential security risks for
proxied applications often include:
Locking down access to specific URLs
Obfuscating URLs
Removing available buttons and links on web pages
Modifying menu options or labels
Removing breadcrumb trails from headers or URLs
Hiding or replacing logos
Preventing script execution that may pose a threat, e.g. cross-site scripting (XSS)
In this real-world example, the customer needed to harden the application by removing
several elements from the native user interface.
Figure 5: The original content of the User Interface
enPortal CRS rules are used to secure the application by dynamically removing the
customer-specified links and associated functionality.
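The kind of proxy-side rewriting the CRS rules above perform, shown as an added Python illustration (not enPortal's CRS engine or its rule format): denied links and buttons and inline scripts are dropped before the page reaches the browser, and back-end URLs are rewritten to proxy paths so the client never learns the application's host and port. The back-end origin, proxy prefix, element ids and sample HTML are all constructed for the example.

```python
"""Proxy-side HTML hardening: drop denied links/buttons and inline scripts,
rewrite back-end URLs to proxy paths.  Added illustration, not enPortal code;
the origin, prefix, ids and sample page are made up."""
import re
from html import escape
from html.parser import HTMLParser

VOID = {"br", "img", "input", "meta", "link", "hr"}   # tags with no closing tag


class HardeningFilter(HTMLParser):
    def __init__(self, backend_origin, proxy_prefix, deny_hrefs, deny_ids):
        super().__init__(convert_charrefs=False)
        self.backend_origin = backend_origin   # e.g. "http://10.1.2.3:8080" (constructed)
        self.proxy_prefix = proxy_prefix       # path under which the proxy serves the app
        self.deny_hrefs = [re.compile(p) for p in deny_hrefs]
        self.deny_ids = set(deny_ids)
        self.out = []        # rewritten document fragments
        self.skip = []       # open tags whose whole subtree is being dropped
        self.removed = []    # audit trail for the system log

    def _rewrite(self, url):
        # Conceal the application's address: only the proxy path reaches the client.
        if url.startswith(self.backend_origin):
            return self.proxy_prefix + url[len(self.backend_origin):]
        return url

    def _denied(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            return "inline script"
        if a.get("id") in self.deny_ids:
            return "id=" + a["id"]
        if tag == "a" and any(p.search(a.get("href") or "") for p in self.deny_hrefs):
            return "href=" + a["href"]
        return None

    def handle_starttag(self, tag, attrs):
        if self.skip:                       # already inside a dropped subtree
            if tag not in VOID:
                self.skip.append(tag)
            return
        reason = self._denied(tag, attrs)
        if reason:
            self.removed.append(f"<{tag}> ({reason})")
            if tag not in VOID:
                self.skip.append(tag)
            return
        parts = [tag]
        for name, value in attrs:
            if value is None:
                parts.append(name)
                continue
            if name in ("href", "src", "action"):
                value = self._rewrite(value)
            parts.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag in VOID:
            return
        if self.skip:
            if tag == self.skip[-1]:
                self.skip.pop()
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self.skip:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.skip:
            self.out.append(f"&#{name};")


def harden(html, **config):
    """Return (rewritten_html, list_of_removed_elements)."""
    f = HardeningFilter(**config)
    f.feed(html)
    f.close()
    return "".join(f.out), f.removed


# Constructed sample page, as a back-end application might serve it.
SAMPLE = (
    '<html><body><div id="nav">'
    '<a href="http://10.1.2.3:8080/app/home">Home</a> '
    '<a href="http://10.1.2.3:8080/app/admin/users">Admin</a> '
    '<button id="deleteAll">Delete all</button></div>'
    '<script>document.cookie="x"</script>'
    '<img src="http://10.1.2.3:8080/app/logo.png"><p>Status: OK</p></body></html>'
)


def harden_sample():
    return harden(SAMPLE, backend_origin="http://10.1.2.3:8080",
                  proxy_prefix="/enportal/app/inventory",
                  deny_hrefs=[r"/admin/"], deny_ids=["deleteAll"])


if __name__ == "__main__":
    page, removed = harden_sample()
    print(page)
    print("removed:", removed)
```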
Figure 6: The hardened application UI
Custom Integrations
The content retrieval and modification capabilities of the CRS are what enable Edge and
its customers to write custom integration modules. These modules extend the same
features of Edge’s COTS-based PIMs to all of your custom applications. These custom
integrations can also include applications that would not integrate into most standard
portals – such as Java applets or non-standard web applications.
The tools for building and testing these integrations are provided in the Integration
Manager, which resides in the enPortal administration UI.
AppBoard Integrations
Data Adapters
Edge AppBoard’s Data Adapters function as a liaison between the AppBoard data
service and an organization’s various files, application APIs, and databases. Data
sources can be on the AppBoard server or on remote hosts. Virtually any type of
structured data can be used in AppBoard, through an ever-expanding library of data-
layer integrations. Standards-based integrations include:
Local: CSV, Microsoft Excel XLS files, shell commands
Web Services: CSV, XML/SOAP, JSON
Databases (via JDBC and SQL queries): DB2, MySQL, Microsoft SQL Server, Oracle,
PostgreSQL, Sybase
OLAP systems (via XML/A and MDX queries): Microsoft Server Analysis Services,
Pentaho Analysis (Mondrian), SAP BW
Edge customers have used AppBoard’s integration options to incorporate data from a
variety of applications including:
BMC Atrium CMDB & Orchestrator
BMC Remedy ARS
EMC Ionix SAM
HP ArcSight
HP NNMi
IBM Tivoli Netcool/OMNIbus
IBM Tivoli Service Request Manager
ServiceNow
SevOne
Tripwire Enterprise & Log Detector
Fluke Networks Visual TruView
Data Sources
AppBoard Data Sources identify the adapter and the configuration settings required to
connect and filter the external data sources to be accessed by the AppBoard server.
Data is brought into the AppBoard server as data sets (Entities) and returned to the
AppBoard Client as Data Collections. A Data Source may bring one or more unique data
sets into the system. Relationships between Entities are modeled as Associations. They
can be established through the Data Source UI or imported from existing associations
defined by the external data source.
Advanced Security
enPortal and AppBoard have a strong security model with powerful features to restrict
access to content based on domain, role (group), and/or user. The solution also
provides a combination of firewall infrastructure support, port mapping, content
filtering, and a sophisticated security manager.
Enhanced security features include multiple N-Factor authentication methods, secure
communications channels, security policies, directory services support, and more – as
detailed in the following sections.
Attack Prevention
enPortal provides comprehensive protection against cross-site scripting attacks. All
aspects of the HTTP communication are tested by the proxy, including requests,
headers, and body. Captured attacks display HTTP 500 responses and are detailed in
the system log files for investigation. Updates to the output encoding scheme are also
implemented to improve system efficiency and to eliminate cross-site scripting attacks.
The default behavior is to deny requests that contain malicious characters if the page
that initiated the request is not from the enPortal server.
Password Management Policies
The security of the system is enhanced by the ability to define password management
policies for users’ passwords. The following types of policies can be instituted:
Specifying a password lifetime, which forces users to change passwords
Syntax policies, to avoid the use of predictable passwords
Account lockout upon consecutive failed login attempts
When integration of third-party authentication tools (such as LDAP) is used for user
management, enPortal will also cooperatively sync with any password policies in effect
on the associated server.
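The three policy types just listed, worked through in an added Python illustration (not enPortal's implementation): a password lifetime, syntax checks against predictable passwords, and lockout after consecutive failed logins. The thresholds, forbidden-word list, user name and salt are constructed for the example; PBKDF2 is used here only so the login check verifies a real hash.

```python
"""Password-management policy: lifetime, syntax rules, and lockout.
Added illustration, not enPortal code; all values are constructed."""
import hashlib
import hmac
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

ITERATIONS = 100_000  # PBKDF2 work factor (assumed value)


@dataclass
class PasswordPolicy:
    lifetime_days: int = 90          # password must be changed after this
    min_length: int = 12
    required_classes: int = 3        # of: lower, upper, digit, symbol
    forbidden_words: tuple = ("password", "enportal", "welcome")
    max_failures: int = 5            # consecutive failures before lockout

    def syntax_violations(self, candidate, username):
        """Return the list of rules a candidate password breaks (empty = OK)."""
        v = []
        if len(candidate) < self.min_length:
            v.append(f"shorter than {self.min_length} characters")
        classes = sum(bool(re.search(p, candidate))
                      for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
        if classes < self.required_classes:
            v.append(f"uses {classes} character classes, needs {self.required_classes}")
        low = candidate.lower()
        if username.lower() in low or any(w in low for w in self.forbidden_words):
            v.append("contains the user name or a forbidden word")
        if re.search(r"(.)\1\1", candidate) or re.search(r"0123|1234|2345|abcd|qwer", low):
            v.append("contains a repeated or sequential run")
        return v

    def is_expired(self, last_changed, now):
        return now - last_changed > timedelta(days=self.lifetime_days)


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    last_changed: datetime
    failures: int = 0
    locked: bool = False


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify(password, account):
    return hmac.compare_digest(hash_password(password, account.salt), account.digest)


def attempt_login(account, policy, password, now):
    """Apply lockout and lifetime rules around a credential check.
    Returns one of: "locked", "failed", "expired", "ok"."""
    if account.locked:
        return "locked"               # locked accounts are refused even with the right secret
    if not verify(password, account):
        account.failures += 1
        if account.failures >= policy.max_failures:
            account.locked = True
            return "locked"
        return "failed"
    account.failures = 0              # a success resets the consecutive-failure counter
    if policy.is_expired(account.last_changed, now):
        return "expired"              # correct, but the user must change it now
    return "ok"


def demo():
    policy = PasswordPolicy()
    now = datetime(2016, 4, 1)
    good_pw = "Mv8$quiet-Lantern"
    salt = b"constructed-salt"
    acct = Account("jsmith", salt, hash_password(good_pw, salt),
                   last_changed=now - timedelta(days=30))
    lockout = [attempt_login(acct, policy, pw, now) for pw in ["wrong"] * 5 + [good_pw]]
    stale = Account("jsmith", salt, hash_password(good_pw, salt),
                    last_changed=now - timedelta(days=120))
    return {
        "weak": policy.syntax_violations("Password123", "jsmith"),
        "strong": policy.syntax_violations(good_pw, "jsmith"),
        "lockout": lockout,
        "expired": attempt_login(stale, policy, good_pw, now),
    }


if __name__ == "__main__":
    for k, val in demo().items():
        print(k, val)
```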
Access Control List Rules
enPortal enables Administrators to create "allow" and "deny" rules that can be
enforced from the global and/or Channel-specific level. For example, these rules can
prevent users from accessing specific URLs.
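The request-screening behaviour described under Attack Prevention and the allow/deny rules described here, combined in one added Python illustration (not enPortal's code): requests carrying characters typical of cross-site scripting in the request line, headers or body are refused with HTTP 500 unless the page that initiated them came from the portal, and ACL rules are then applied at the channel-specific and global level. The marker list, the rule precedence (channel rules before global, first match wins, default allow), the host names and the channel name are assumptions.

```python
"""Request policy check: XSS screening gated on the initiating page, then
channel-level and global allow/deny ACL rules.  Added illustration, not
enPortal's implementation; hosts, rules and precedence are assumed."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Sequences treated as "malicious characters" (assumed list; the page does not
# enumerate them).
XSS_MARKERS = re.compile(r"[<>]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)


@dataclass
class Request:
    path: str
    query: str = ""
    headers: dict = field(default_factory=dict)
    body: str = ""


@dataclass
class AclRule:
    scope: str      # "global" or a channel name
    action: str     # "allow" or "deny"
    pattern: str    # regex matched against the request path


def _initiated_by_portal(request, portal_host):
    # The page that initiated the request is taken from the Referer header.
    referer = request.headers.get("Referer", "")
    return urlparse(referer).hostname == portal_host


def check_request(request, channel, rules, portal_host):
    """Return (status, reason).  200 means the proxy may forward the request."""
    # 1. Screen every part of the message the page lists: request line
    #    (path + query), headers and body.
    for part in (request.path, request.query, *request.headers.values(), request.body):
        if XSS_MARKERS.search(part) and not _initiated_by_portal(request, portal_host):
            return 500, "suspicious content from a page not served by the portal"
    # 2. ACL rules: channel-specific rules first, then global; first match wins.
    ordered = ([r for r in rules if r.scope == channel]
               + [r for r in rules if r.scope == "global"])
    for rule in ordered:
        if re.search(rule.pattern, request.path):
            if rule.action == "deny":
                return 403, f"denied by {rule.scope} rule {rule.pattern!r}"
            return 200, f"allowed by {rule.scope} rule {rule.pattern!r}"
    return 200, "no matching rule; default allow"


# Constructed configuration: a global deny on the admin area, with one
# channel-specific exception for a read-only report page.
RULES = [
    AclRule("global", "deny", r"^/app/admin/"),
    AclRule("inventory", "allow", r"^/app/admin/reports$"),
]
PORTAL = "portal.example.com"


def demo():
    from_portal = {"Referer": "https://portal.example.com/enportal/home"}
    from_elsewhere = {"Referer": "https://other.example.net/page"}
    cases = {
        "plain": Request("/app/home", headers=from_portal),
        "xss_from_portal": Request("/app/search", query="q=<b>x", headers=from_portal),
        "xss_external": Request("/app/search", query="q=<b>x", headers=from_elsewhere),
        "admin_global_deny": Request("/app/admin/users", headers=from_portal),
        "admin_channel_allow": Request("/app/admin/reports", headers=from_portal),
    }
    return {name: check_request(req, "inventory", RULES, PORTAL)[0]
            for name, req in cases.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:20s} -> {status}")
```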
SSL Communications Support
Communications between clients and the enPortal/AppBoard server can be secured
using HTTPS (HTTP over SSL). This protects the communications streams as they pass
through the public Internet. The Tomcat web server provides the HTTPS support, and
the configuration rules to enable this are delivered with the stock configuration files.
The enPortal server can also communicate with external HTTPS web servers. This
typically occurs within the web resource proxy (discussed below) and is dictated by the
protocol field of the URL that the Proxy has been directed to retrieve.
Proxy Technology
A key component, and differentiator, of enPortal is its proxy technology. enPortal’s bi-
directional proxy technology provides protected access to fully interactive applications
over public and private networks. It works by allowing access to specifically identified
back-end web applications and content to authorized enPortal users. Of significant
importance, enPortal’s web resource proxy does not require installation of additional
software on the servers being proxied.
Figure 7a: Secure data access in enPortal
Figure 7b: Un-proxied data access in typical portal
The figures above illustrate two communications methods by which various portal
systems interact with, and render, fully interactive applications to the user. The
“enPortal” example (Figure 7a: Secure data access in enPortal) illustrates data flow
between applications and client browsers through the enPortal web resource proxy
technology. The “Typical Portal” example (Figure 7b: Un-proxied data access in typical
portal) illustrates data flow between applications and client browsers within other
portal frameworks.
Note that in a typical portal system, direct communication is required between the
browser and the external application. In these systems, the login page, initial portal
page, and wrapper-based pages are requested directly from the portal server.
However, when the user begins interacting with an embedded application, the browser
begins communicating directly to the external application.
The enPortal system, on the other hand, uses a web resource proxy approach to
provide controlled access to fully interactive web applications. The web resource proxy
approach allows the web browser to communicate entirely with the enPortal server for
all interaction with the external web applications. Yet enPortal seamlessly handles all
interaction as if the browser were communicating directly with the application. The
enPortal solution provides a higher level of security, because end-users never directly
connect to the back-end proxied servers.
Firewall Support
The enPortal web resource proxy provides users with a single access point - exactly one
HTTP(S) port - to all integrated HTTP(S)-based applications. enPortal content retrieval
allows all HTTP(S)-based content and applications to be accessed through a single
socket connection within a network DMZ, network address translation (NAT), and
firewall environment.
Referring again to Figures 7a and 7b, the enPortal solution (Figure 7a: Secure data
access in enPortal) only requires a single firewall rule to allow access from the user’s
browser to enPortal. The “typical portal” solution (Figure 7b: Un-proxied data access in
typical portal) requires additional holes in the firewall between the user and each
integrated application.
Protection of Private Networks and Application Assets
The protection and concealment of back-end applications and network assets are of
critical concern to organizations that must provide application access to users and
customers over a public network. enPortal allows multiple dynamic HTTP(S)-based
applications to be integrated into the enPortal framework, concealed, and pushed
through a DMZ environment for presentation to external users on a public network.
The web resource proxy does not allow clients to directly connect to these resources.
Additionally, external entities have no knowledge of applications’ addresses, port
numbers or operational networks. The enPortal proxy provides an additional layer of
protection between internal resources and external users.
User Management
A key component of any integration platform is managing the accounts and credentials
for users in each of the underlying systems. enPortal provides a suite of tools that
allow the administrator to either create and manage new users, or to leverage the
users and accounts that are already in place in your organization.
Single Sign-On
Out of the box, Single Sign-On is a feature of enPortal where all of a user's credentials
to multiple applications are securely stored by enPortal. This allows users to access and
display information from back-end applications without having to manually log in to
each of these applications. Once a user logs into enPortal, no other credentials are
required from that user. Using enPortal’s pre-built PIMs, this capability is provided
with no custom software development or modification to back-end applications.
Figure 8: Single Sign-On accesses all integrated applications with a single login
An additional benefit of enPortal’s Single Sign-On is that a single account for a back-end
application can be shared across an entire group of users if desired. This allows the
application administrator to configure access options for many users through a single
account and also limits the number of named user accounts that are needed in the
application. A group membership attribute in LDAP can be leveraged for this purpose,
so that no special group configuration needs to be implemented by the enPortal
administrator.
The enPortal Single Sign-On feature supports the integration of various security and
authentication schemes presented by existing applications. This capability is
implemented through a component called the Login Proxy Service (LPS) that handles all
authentication interactions between the user and third-party services.
Because many applications have unique or proprietary mechanisms, web-based Single Sign-
On can be difficult for other portal solutions to standardize into a solution that fits in all
cases. Each single login implementation for an application is a unique integration with its
own distinct interface. However, while the method of presentation can vary, most
methods of authentication use the HTTP protocol to submit credentials and maintain
authentication. The powerful enPortal CRS engine allows Single Sign-On to be rapidly
configured for virtually any application.
Provisioning of Single Sign-On Tokens
If the integrated backend applications and enPortal are tied to a common external user
authentication system, SSO tokens can be configured to simply pass user credentials to the
backend applications. If a user enters his credentials and there is no matching SSO token
stored for that user and that backend application, the credentials are no longer valid and
the user will be re-prompted for their credentials.
Single Sign-Out
When a user logs out of enPortal, Single Sign-Out automatically logs the user out of all
integrated applications with open sessions. This provides additional security and
performance by limiting the number of open sessions. It also can lower costs and
eliminate lockouts by reducing the number of concurrent licenses that are needed for
the integrated applications.
Kerberos
enPortal currently supports Kerberos-controlled SSO access to proxied applications.
Kerberos authentication differs from basic HTTP, NTLM-based, and application (PIM)
specific authentication in that enPortal needs to communicate with both the proxied
web application and the Kerberos authentication server.
Kerberos also requires an additional configuration file that contains details about the
authentication domain and servers. The Kerberos Configuration page in the Edge
online documentation provides additional information. Edge does not currently
support Kerberos as the authentication mechanism to login to enPortal itself.
Authentication and Login Processing
enPortal provides a complete UI and embedded database for internally managing
domains, users, and roles. However, some organizations already have one or more
LDAP servers in place to manage this information, so that all user information and
credentials are stored in one centralized location. In this case, enPortal can simply
map to the existing LDAP configuration and rely on LDAP for externally managing this
information. Typical LDAP repositories supported by enPortal include Active Directory
and OpenLDAP, but others are also supported.
Figure 9: Delegated user management with LDAP
enPortal provides a full toolset for mapping LDAP groups to enPortal roles, enforcing
password policies, and keeping user credentials in sync between the LDAP server and
enPortal.
External User Authentication
enPortal supports several common authentication tools that are already in use by many
customers. This allows enPortal to rapidly integrate with an existing login management
infrastructure.
CAC/PKI
Common Access Card (CAC) is a smart card used for two-factor authentication by certain
organizations, including the United States Department of Defense. This module allows
Single Sign-On integration with the desktop authentication via a Client Certificate, a
feature of Public Key Infrastructure (PKI). Use of this module requires that the desktop
operating system and web browser are configured with the necessary hardware and middleware
to support the physical CAC token and associated protocols. This module can be
adapted to other single- and two-factor authentication mechanisms that present a
Client Certificate to web applications.
CA Single Sign-On (formerly CA SiteMinder)
To facilitate enPortal integration with CA Single Sign-On, CA’s Web Agent must be
installed at enPortal’s access point. A common implementation is to have an Apache
version of the Web Agent installed on an Apache HTTP Server which is then configured
as a reverse proxy to enPortal.
When a user accesses enPortal via the Apache server, the CA Web Agent checks whether
the user has already been authenticated for enPortal access. If not, it forwards the
request to the CA Single Sign-On instance, which prompts the user with the CA login
page. Once the user authenticates successfully through CA Single Sign-On, subsequent
enPortal access requests are granted.
In this deployment scenario, enPortal is configured in Trusted Authentication mode, so
enPortal's own login request requires no further authentication: enPortal trusts the
identity asserted by the Web Agent in front of it, which is why direct network access to
enPortal that bypasses the Web Agent must be blocked. enPortal also supports on-demand,
or "lazy load," role assignment, in which case enPortal communicates with the same LDAP
server that CA Single Sign-On uses.
Figure 10: enPortal deployed with CA Single Sign-On
Customer Portal to enPortal Authentication Mapping
Similar to the CA Single Sign-On deployment described above, in this scenario another
portal is already in place and provides a reverse proxy capability. The external
customer or end-user must access that other system first; it issues an access token
that accompanies the initial request to enPortal. If enPortal does not detect a valid
session for the request, it looks for the access token and then calls back to that
other system to:
a) Validate the token
b) Make a request for user information from the other portal
c) Check to see if the user exists and if not, perform on-demand user creation
d) Create the session
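The four callback steps above, worked through as an added example (this is not Edge code and not enPortal's actual API): a stand-in for the existing customer portal issues HMAC-signed access tokens, and a gateway playing the enPortal role handles each request by reusing an existing session when there is one, otherwise validating the token with its issuer, fetching user information, creating the user on demand, and only then creating a session. The token format, the `validate`/`user_info` calls, the request dictionary shape and the sample user are assumptions for this demo.

```python
"""Token-mapping login between an existing customer portal and a downstream
portal (the enPortal role in the text).  Added example, not Edge code.
Assumptions: tokens are HMAC-SHA256 signed JSON, the issuing portal exposes
validate()/user_info(), and a request is a dict with optional 'session' and
'token' keys."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field


class CustomerPortal:
    """Stand-in for the front portal that authenticates the user first and
    issues the access token that travels with the request to enPortal."""

    def __init__(self, key: bytes, ttl: int = 300):
        self._key = key
        self._ttl = ttl
        self._profiles = {}  # subject -> profile known to the front portal

    def register(self, subject: str, profile: dict) -> None:
        self._profiles[subject] = profile

    def _sign(self, body: str) -> str:
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def issue_token(self, subject: str, now: float) -> str:
        body = json.dumps({"sub": subject, "exp": int(now + self._ttl)}, sort_keys=True)
        return body + "." + self._sign(body)  # hex signature contains no '.'

    def validate(self, token: str, now: float) -> bool:
        """Step (a): constant-time signature check, then expiry."""
        body, _, sig = token.rpartition(".")
        if not hmac.compare_digest(self._sign(body), sig):
            return False
        return json.loads(body)["exp"] > now

    def user_info(self, token: str) -> dict:
        """Step (b): profile for an already-validated token."""
        sub = json.loads(token.rpartition(".")[0])["sub"]
        return {"username": sub, **self._profiles.get(sub, {})}


@dataclass
class Gateway:
    """The enPortal side: session store, local user store, on-demand creation."""
    portal: CustomerPortal
    users: dict = field(default_factory=dict)       # username -> local record
    sessions: dict = field(default_factory=dict)    # session id -> username
    created_on_demand: list = field(default_factory=list)

    def handle(self, request: dict, now: float) -> dict:
        sid = request.get("session")
        if sid in self.sessions:                      # valid session: no callback needed
            return {"status": 200, "user": self.sessions[sid], "session": sid}
        token = request.get("token")
        if not token or not self.portal.validate(token, now):   # (a)
            return {"status": 401, "error": "no valid session or access token"}
        info = self.portal.user_info(token)                      # (b)
        name = info["username"]
        if name not in self.users:                               # (c)
            self.users[name] = {"roles": list(info.get("roles", []))}
            self.created_on_demand.append(name)
        sid = secrets.token_urlsafe(16)                          # (d)
        self.sessions[sid] = name
        return {"status": 200, "user": name, "session": sid}


if __name__ == "__main__":
    # Constructed sample run: the shared key and the user are demo values.
    portal = CustomerPortal(key=b"demo-shared-secret")
    portal.register("alice", {"roles": ["noc-viewer"]})
    gateway = Gateway(portal)
    t0 = 1_700_000_000.0
    token = portal.issue_token("alice", t0)
    first = gateway.handle({"token": token}, t0 + 1)
    print(first, gateway.created_on_demand)
    print(gateway.handle({"session": first["session"]}, t0 + 2))
    print(gateway.handle({"token": token}, t0 + 301))   # expired token: 401
```

The point of the flow is that the downstream portal never trusts anything inside the token on its own: identity and attributes come from the issuer's callback, replay is bounded by the expiry, and a user record is created only after both checks pass.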
Two-factor Authentication Systems
Two-factor authentication (2FA) adds a second level of authentication to a basic login
procedure, requiring that the user provide an additional credential in order to access
secured resources. Examples of 2FA include Google Authenticator, RSA SecurID tokens,
and CAC. enPortal helps satisfy such security requirements by providing a single,
secure access point to backend applications through enhanced authentication.
One possible scenario illustrating the integration of enPortal with 2FA is as follows:
An administrator has configured the system to require 'clientAuth', meaning that the
SSL/TLS connection requires a valid certificate chain from the client. The enPortal
server sends the certificate to an Online Certificate Status Protocol (OCSP) Responder
to confirm that it has not been revoked. It may also look up the user name in the
certificate and additionally request a valid password. That password is typically
validated against an LDAP server, which in turn may perform an on-demand, or
"lazy load," of the user and any role assignments before a valid session is created.
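The scenario above as an added example (not Edge code): a TLS server context that insists on a client certificate, extraction of the user name from the certificate subject, an OCSP status check that fails closed on "unknown", a password bind against a directory stand-in, and lazy loading of the user and roles on first success. The directory and OCSP responder are in-memory stand-ins, and the sample certificate is constructed in the dict layout that Python's `ssl.SSLSocket.getpeercert()` returns; the user name, serial numbers and roles are demo values.

```python
"""Client certificate (CAC/PKI) as first factor plus a directory password as
second factor, following the scenario above.  Added example, not Edge code:
the directory and the OCSP responder are in-memory stand-ins, and SAMPLE_CERT
is a constructed certificate in the dict layout that
ssl.SSLSocket.getpeercert() returns."""
import hashlib
import hmac
import os
import ssl
from typing import Optional


def make_server_context() -> ssl.SSLContext:
    """TLS server settings for 'clientAuth': the handshake fails unless the
    client presents a chain that verifies against the loaded CAs.  Loading
    the CA bundle and the server key pair (load_verify_locations,
    load_cert_chain) is deployment-specific and left out here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED   # CERT_OPTIONAL would let a client skip the first factor
    return ctx


def subject_cn(peercert: dict) -> Optional[str]:
    """Pull the commonName out of getpeercert()'s nested subject tuples."""
    for rdn in peercert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


class Directory:
    """Stand-in for the LDAP server that holds the password and role data."""

    def __init__(self, iterations: int = 100_000):
        self._iterations = iterations
        self._entries = {}

    def add_user(self, name: str, password: str, roles) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self._iterations)
        self._entries[name] = (salt, digest, list(roles))

    def bind(self, name: str, password: str) -> Optional[list]:
        """Roles on a successful bind, None when the user or password is wrong."""
        entry = self._entries.get(name)
        if entry is None:
            return None
        salt, digest, roles = entry
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self._iterations)
        return list(roles) if hmac.compare_digest(candidate, digest) else None


class TwoFactorLogin:
    def __init__(self, directory: Directory, ocsp):
        self.directory = directory
        self.ocsp = ocsp          # callable: serial number -> "good" | "revoked" | "unknown"
        self.users = {}           # local user records, lazy-loaded on first login
        self.lazy_loaded = []

    def login(self, peercert: dict, password: str, now: float) -> tuple:
        cn = subject_cn(peercert)
        if cn is None:
            return (False, "certificate has no commonName")
        if ssl.cert_time_to_seconds(peercert["notAfter"]) <= now:
            return (False, "certificate expired")
        status = self.ocsp(peercert["serialNumber"])
        if status != "good":      # 'unknown' is refused like 'revoked': fail closed
            return (False, "OCSP status " + status)
        roles = self.directory.bind(cn, password)   # second factor
        if roles is None:
            return (False, "password rejected for " + cn)
        if cn not in self.users:                    # lazy load user and roles
            self.users[cn] = {"roles": roles}
            self.lazy_loaded.append(cn)
        return (True, cn)


SAMPLE_CERT = {  # constructed; real CAC subjects carry more RDNs and a UPN SAN
    "subject": ((("countryName", "US"),), (("organizationName", "U.S. Government"),),
                (("commonName", "DOE.JOHN.1234567890"),)),
    "serialNumber": "0A1B",
    "notBefore": "Jan 01 00:00:00 2023 GMT",
    "notAfter": "Dec 31 23:59:59 2030 GMT",
}


def sample_setup():
    """Directory with one demo user and an OCSP stand-in that knows two serials."""
    directory = Directory()
    directory.add_user("DOE.JOHN.1234567890", "correct horse battery", ["noc-operator"])
    ocsp = lambda serial: {"0A1B": "good", "0BAD": "revoked"}.get(serial, "unknown")
    return TwoFactorLogin(directory, ocsp), 1_700_000_000.0


if __name__ == "__main__":
    login, now = sample_setup()
    print(login.login(SAMPLE_CERT, "correct horse battery", now))
    print(login.login(dict(SAMPLE_CERT, serialNumber="0BAD"), "correct horse battery", now))
    print(login.login(SAMPLE_CERT, "wrong", now))
```

Two details matter in practice: the OCSP check must refuse anything other than a positive "good" answer, because an unreachable or unaware responder is exactly what an attacker with a revoked card hopes for, and the password is checked only after the certificate has passed, so the directory never sees bind attempts for identities that were not proven by the first factor.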
Web Access Management
Web Access Management (WAM) tools have become more commonly used in recent
years. These tools include CA Single Sign-On (formerly SiteMinder), Oracle Access
Manager, and Novell Access Manager. The WAM tool provides authentication
management, policy-based authorizations, and reporting services. By having the
capability to quickly integrate with these tools, enPortal allows an organization to
continue using these tools for authentication while implementing all of the integration
and proxying capabilities provided by enPortal.
Custom Authentication
The powerful enPortal CRS provides the capability and tools for quickly creating custom
authentication modules. This allows enPortal users to leverage Single Sign-On to
enable them to auto-login to any application, including custom home-built applications
with proprietary login mechanisms. Over the years, Edge has developed many of these
custom authentications for a variety of applications.
IP Address and Session Limiting
One of the validations that can be required before a session is established is a check
of the user's source network address, so that certain roles can only be exercised from
specified networks. The administrator can restrict the content available to a role to
users who are assigned that role and who are accessing the system from within a known
and approved network.
enPortal provides for several session-based constraints including:
1. Limiting the number of simultaneous active sessions for a specific set of users
or Domains
2. Limiting initial sessions to a set time and/or defining the duration of extensions
when users are actively using the system
3. Determining what action to take if a user attempts to start a new session when
an existing session already exists: Block access, terminate previous sessions, or
prompt user to terminate the active session or cancel the login request
4. Displaying a security statement to be acknowledged prior to login
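The network check and the four session constraints above, as an added example (not Edge code): a small session manager that strips roles the client's source network is not approved for (IPv4 and IPv6 alike, since the document says both are supported), enforces per-user and per-domain concurrency limits, applies a block/terminate/prompt action when a user already has a session, gives new sessions an initial lifetime that is extended on activity, and refuses login until the security statement has been acknowledged. The policy field names, the `user:`/`domain:` limit keys, the status strings and the sample networks are assumptions for this demo.

```python
"""Source-network restriction per role and the four session constraints
listed above.  Added example, not Edge code: policy field names, the
"user:"/"domain:" limit keys and the status strings are assumptions for this
demo."""
import ipaddress
import secrets
from dataclasses import dataclass


@dataclass
class Policy:
    role_networks: dict           # role -> CIDR list; roles not listed are allowed from anywhere
    limits: dict                  # "user:<name>" or "domain:<name>" -> max active sessions
    initial_ttl: float            # seconds a new session lives without activity
    extension: float              # seconds added on each request while active
    on_conflict: str = "prompt"   # "block" | "terminate" | "prompt"


@dataclass
class Session:
    sid: str
    user: str
    domain: str
    roles: frozenset
    created: float
    expires: float


class SessionManager:
    def __init__(self, policy: Policy):
        self.policy = policy
        self.sessions = {}        # sid -> Session

    def effective_roles(self, roles, client_ip: str) -> set:
        """Keep only the roles the policy allows from client_ip (IPv4 or IPv6)."""
        ip = ipaddress.ip_address(client_ip)
        allowed = set()
        for role in roles:
            nets = self.policy.role_networks.get(role)
            if nets is None or any(ip in ipaddress.ip_network(n) for n in nets):
                allowed.add(role)
        return allowed

    def _purge(self, now: float) -> None:
        for sid in [s.sid for s in self.sessions.values() if s.expires <= now]:
            del self.sessions[sid]

    def login(self, user, domain, roles, client_ip, now,
              acknowledged=False, confirm_terminate=False) -> dict:
        self._purge(now)
        if not acknowledged:                          # constraint 4: security statement first
            return {"status": "acknowledge"}
        eff = self.effective_roles(roles, client_ip)
        if not eff:                                   # no role may be used from this network
            return {"status": "denied", "reason": "no role permitted from " + client_ip}
        in_domain = [s for s in self.sessions.values() if s.domain == domain]
        domain_limit = self.policy.limits.get("domain:" + domain)
        if domain_limit is not None and len(in_domain) >= domain_limit:   # constraint 1 (domain)
            return {"status": "denied", "reason": "domain session limit reached"}
        mine = sorted((s for s in self.sessions.values() if s.user == user),
                      key=lambda s: s.created)
        user_limit = self.policy.limits.get("user:" + user)
        if user_limit is not None and len(mine) >= user_limit:            # constraints 1 and 3 (user)
            if self.policy.on_conflict == "block":
                return {"status": "denied", "reason": "user session limit reached"}
            if self.policy.on_conflict == "prompt" and not confirm_terminate:
                return {"status": "prompt", "existing": [s.sid for s in mine]}
            while len(mine) >= user_limit:            # "terminate", or prompt confirmed
                del self.sessions[mine.pop(0).sid]
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = Session(sid, user, domain, frozenset(eff),
                                     now, now + self.policy.initial_ttl)  # constraint 2
        return {"status": "ok", "session": sid, "roles": sorted(eff)}

    def touch(self, sid: str, now: float) -> bool:
        """Extend an active session on use; an expired one is dropped (constraint 2)."""
        s = self.sessions.get(sid)
        if s is None or s.expires <= now:
            self.sessions.pop(sid, None)
            return False
        s.expires = now + self.policy.extension
        return True


if __name__ == "__main__":
    # Constructed sample policy: admin only from the corporate ranges, one session per user.
    policy = Policy(role_networks={"admin": ["10.0.0.0/8", "2001:db8::/32"]},
                    limits={"user:alice": 1, "domain:acme": 2},
                    initial_ttl=600, extension=300, on_conflict="prompt")
    sm = SessionManager(policy)
    print(sm.login("alice", "acme", ["admin", "viewer"], "203.0.113.5", 1000.0, acknowledged=True))
    print(sm.login("alice", "acme", ["admin", "viewer"], "10.1.2.3", 1001.0, acknowledged=True))
```

Roles are filtered at login rather than at content-render time so that a session carries only the privileges its origin network permits; a later request from the same session cannot regain the admin role by coming from another address.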
Branding and Customization
enPortal offers many features for uniquely branding the presentation of the Edge user
interface, along with HTML content from proxied applications, so the user has a
completely customized and unified experience.
Custom Login Page – The default enPortal login screen can be customized,
allowing for a variety of static or dynamic content to be displayed as users access
the system. Custom login screens can also provide links to relevant information
or resources. A service provider, for example, might include information on new
customer offerings.
Figure 11: Default login screen
Figure 12: Custom login screen
Look and Feel – By using the configuration tools in the enPortal administration
interface, the administrator can modify the enPortal Look and Feel (LAF), create
multiple versions of the LAF, and assign different LAFs on a per-domain or per-
role basis.
Content Views – When logging in to enPortal, the content presented to each
user is tailored to meet the needs of their business function. This is accomplished
by customizing the Views that are assigned to each role in the system. The
enPortal administration interface provides all of the tools for managing this
customization.
Security Policies – The administrator can also set custom security policies. This
locks down the content in the system and ensures that users can only access the
information to which they have security privileges. Read, write, and view
privileges can be restricted by user, role, or domain.
API – In addition to the customization options noted above which are available in
the standard UI, enPortal also provides an API to allow for additional
customization of the system at a programmatic level.
enPortal and AppBoard Deployment Models
enPortal and AppBoard solve different integration challenges for different
organizations. The following sections outline the typical models for how enPortal and
AppBoard can be deployed.
Deployment Model 1: For Internal Users
The first deployment option for enPortal is for internal use, such as in a Network
Operations Center. In this model, enPortal augments both the security and operational
efficiency of your organization (see Figure 13: enPortal/AppBoard internal deployment).
Figure 13: enPortal/AppBoard internal deployment
enPortal and AppBoard provide different application and data views to different teams,
such as Engineering, Management, or Executive. Each team is provided direct, secure
access to only the applications and data relevant to their function. This enables
enPortal and AppBoard to always provide the right picture to the right user.
For Government agencies, the advanced security features of enPortal enhance
applications to meet stringent security requirements that go beyond the existing
capabilities of those individual native applications.
Edge Technologies’ enPortal is the industry’s only COTS-based integration platform
focused specifically on network management application integration. The Internal
delivery model of enPortal enhances security and operational efficiency in many ways:
Allowing organizations to provide secure access to interactive back-end
applications
Providing consolidated Single Sign-On
Centrally coordinating interaction between applications, with little or no coding
Improving the user experience by providing a more unified look and feel for
disparate existing applications
Deployment Model 2a: For External Users or Customers with Multi-Tenancy
The second deployment option is frequently used by Managed Service Providers to
generate revenue. These organizations service multiple external customers by allowing
their end-users to access enPortal and AppBoard via the Internet (see Figure 14:
enPortal/AppBoard deployment to multiple customers).
Figure 14: enPortal/AppBoard deployment to multiple customers
Each customer is segmented into their own “domain”, with customer access credentials
often managed by integration with an existing user repository, such as LDAP or a web
access management tool like CA SiteMinder. The concept of “multi-tenancy” is utilized,
in which multiple customers are accessing the same enPortal and AppBoard system, but
each user can only access the information and tools that they are authorized to see
within that domain. By locking down access to URLs and content, enPortal and
AppBoard can also impose multi-tenancy access controls on proxied applications and
data, even if the tools do not natively provide it. Each customer’s experience is also
uniquely branded by their marketing team to optimize the end-user experience.
This deployment model leverages enPortal and AppBoard’s core features - Single
Sign-On, PIMs, re-branding, security, tailored data access and content manipulation
(see Core Features and Capabilities) - to provide only the appropriate content to each
customer and to each individual in that customer’s user base.
The integration capabilities of enPortal can also provide web access to legacy thick-
client applications that would not otherwise be web accessible.
Deployment Model 2b: In Your Existing External Portal
For many successful organizations, a portal strategy serves as the foundation for
integration. As such, the concept of a portal is maturing rapidly. The original concept of
a portal addressed the need to publish information to users via a web page. Companies
today, however, need a portal that provides more than just static displays of back-end
applications and information. They need a tool that can rapidly integrate applications
and data into their existing portal infrastructure.
Companies with existing external-facing portals already in place can leverage enPortal’s
proxy technology and AppBoard’s data integration capabilities to increase the value of
their existing portal. enPortal and AppBoard reach well beyond the capabilities of
existing portal solutions that focus primarily on document management, indexed
searches, and static displays of data. enPortal and AppBoard provide true integration by
combining COTS-based PIMs for integration of vendor-specific tools and their data.
Working with your existing portal, enPortal and AppBoard can rapidly integrate new
applications into the portal framework (see Figure 15: enPortal/AppBoard deployment
inside an existing portal).
Figure 15: enPortal/AppBoard deployment inside an existing portal
As seen in the above illustration, enPortal and AppBoard increase the value of the
existing customer portal by integrating additional applications and their data. The
enPortal proxy integrates applications as portlets into the existing portal container.
enPortal and AppBoard can run in parallel to the existing portal, immediately providing
value without requiring a full replacement of the existing portal.
In addition to integrating applications, portlets can also integrate individual enPortal
tools into a portal. This can provide enPortal features to administrative users beyond
what may be supported by the existing customer portal. Examples include user/role
management, LDAP integration, Single Sign-On, and dashboard visualizations.
Customer Example
A large telecommunications company used an in-house portal to deliver access to their
customers, over the Internet, to a suite of tools for managing their voice, data, and IP
services. The company had requirements for additional features that were not
provided by their existing portal.
The company added enPortal and AppBoard to the existing portal platform to provide
Single Sign-On capability, data visualization, application link provisioning, system
administration capabilities, and enhanced security.
Architecture
The enPortal and AppBoard systems run as a web application inside an Apache Tomcat
server and access a JDBC-compliant database (or database cluster). The system is
designed with flexible deployment options to meet the varying needs of an
organization. The following sections detail the available options.
Design Architecture
The enPortal and AppBoard products are built upon a standards-based, XML-driven
application. They have been developed with Java technologies to provide unparalleled
flexibility, scalability, application and content protection, application interaction, and
complete platform independence. Both are deployed in a self-contained Tomcat web
application with an embedded H2 database.
In a multi-tier deployment architecture, the first tier is typically one or more customer-
provided hardware load-balancers and/or SSL accelerators. These front-end load-
balancers pass incoming requests to one or more enPortal servers on tier two, running
as Java web applications executing under the Tomcat web/application server (referred
to as the Servlet/JSP engine). The configuration database is then resident on tier three,
and will often be a redundant database cluster to provide load-balancing and high
availability.
All components support maximum platform independence (UNIX or Windows),
scalability, and overall system performance.
Scalability, Clustering, and Failover
The enPortal and AppBoard system is implemented as a web application. The web
application server can scale horizontally by replication on additional servers/platforms.
Redundant nodes can also be implemented to provide fault tolerance, allowing users to
be redirected to alternate servers in the event of an outage.
The scalability of the solution is measured in page views per second. The
scalability of proxied web integrations varies with the complexity of the specific
integrations used.
Basic Deployment
A single enPortal/AppBoard server may be sufficient for handling the requirements of
smaller deployments (see Figure 16: Basic enPortal deployment).
Figure 16: Basic enPortal/AppBoard deployment
High Availability (Failover)
Many organizations require that enPortal and AppBoard have limited downtime
over the lifetime of the deployment. In this case, failover can be implemented by
configuring redundant enPortal servers. If there is an outage on the primary server,
enPortal/AppBoard can continue to provide uninterrupted service by switching to the
backup server until the primary server is repaired (see Figure 17: Failover deployment
for High Availability).
Figure 17: Failover deployment for High Availability
Optimized Performance with Failover (Clustering)
Some organizations further require a platform where many users can access the system
concurrently without impacting the performance of the application. In this case,
clustering of enPortal/AppBoard servers can be implemented to route user sessions to
servers with the smallest load or network traffic (see Figure 18: Clustered deployment
for optimal performance).
Figure 18: Clustered deployment for optimal performance
Running in Modern Environments
The Edge solution's Java and Tomcat infrastructure allows it to be platform independent and
run on any operating system that supports the Java Development Kit (JDK v1.6+). The
enPortal/AppBoard views can be accessed by any supported web browser, including
Internet Explorer, Firefox, or Google Chrome.
The solution's flexible configuration options also enable it to co-exist with other software
applications on the same server. Co-locating enPortal and AppBoard on an existing
application server can reduce deployment cost and network latency.
Since its initial release, enPortal and AppBoard have shown the flexibility to run in a
variety of customer environments. Some of these are noted in the following sections.
Virtualized Networks (VMware)
enPortal and AppBoard fully support running on a virtualized server, or in a virtualized
network. enPortal and AppBoard can also be configured to auto-start so that they
automatically come back online when a server is restarted. The license will run on any
server that can resolve to a static hostname or IP address.
IPv6 Network
enPortal and AppBoard can run on an IPv4 network, IPv6 network, or dual-stack
network that requires simultaneous support for both protocols.
Through an Existing Proxy Server
enPortal contains special configuration options for applications that are not directly
accessible and can only be accessed through a separate proxy server. The details for
both the proxy server and back-end application are stored and managed by the
enPortal proxy.
Remote Application Delivery
Several options are available for integrating enPortal with Oracle Secure Global Desktop
(SGD) or similar Remote Application Delivery technologies (e.g. Citrix, Ericom
AccessNow, Resource Dynamics Go-Global). There are different architectures that can
work with enPortal and its proxy, but there are some differences in what may be
supported in each.
Oracle SGD software provides remote access to published applications and published
desktops from a variety of client platforms and devices. The software web-enables
legacy applications and, when used along with enPortal, provides for the delivery of
those applications side-by-side with typical web-based apps.
The enPortal PIM for Oracle SGD lets you deliver the published application or
desktop in a portal channel. This allows applications that do not natively provide a web-
based interface to be accessed through enPortal. enPortal aggregates application
views, enforces security policies, and presents the application interface. The user’s web
browser client communicates directly and exclusively with enPortal. enPortal proxies
the communication between the web client and the back-end application through the
Oracle SGD server.
Security and performance are top priorities with any web-enablement solution. The
Oracle SGD PIM enforces strict user authentication and controlled role-based access to
specific content as well as the ability to restrict content delivery to defined IP
addresses. The solution tracks all sessions and creates a detailed audit trail for each
session. The Oracle SGD PIM also provides bandwidth management end-to-end with no
change to existing firewalls.
enPortal and AppBoard Component Architecture
The primary functions of enPortal are contained within six system components:
Request Engine
Business Logic Engine
Integration Engine
Data Source Engine
Web Resource Proxy and Content Filtering
Object Database
Request Engine
The Request Engine serves all requests coming from a user via a web browser.
In fact, all external communications with an enPortal/AppBoard system are requested
through the Request Engine. The Request Engine’s primary responsibilities are to
translate HTTP(S) requests into object requests and to dynamically translate the
application-specific results into HTML for transmission to the client web browser.
The Request Engine executes within a Servlet/JSP engine; Java Servlets and JSPs are the
primary components of the Request Engine. The Request Engine also provides an extra
level of access security by verifying that the user is logged in to the system before
accepting and servicing the request.
Business Logic Engine
The Business Logic Engine is responsible for the overall business logic of the system’s
security, and the storage of system objects. These responsibilities pertain to users,
roles, domains, virtual directory access, and content management.
The Business Logic Engine manages and stores system objects in a chosen object
repository/database. It runs in the same process (the Tomcat Servlet/JSP engine) as the
Request Engine.
Integration Engine
The Integration Engine allows new content to be created and integrated into a system
at runtime. The Integration Engine consists of a Channel classification model and a set
of Request Handlers that are implemented as Java Servlets or JSPs. Request Handlers
are the public web interfaces into enPortal Channels that service the Channel requests
being made from web browser clients. The Integration Engine provides an external
interface through the Portal Request Engine that allows HTTP(S) requests to be sent to
any plugged-in visual Channel.
Upon receipt of a request to render a content Channel, the Integration Engine retrieves
the specified Channel (if security allows it) from the enPortal server and calls the
specified Request Handler to render the Channel content.
Data Source Engine
The Data Source Engine provides a mechanism for data retrieval, common record
formatting, enrichment/transformation and delivery to the AppBoard client. The Data
Source engine consists of a data model and management framework that is
implemented in Java. New data source adapters can be incorporated into the Data
Source Engine using either a Java SDK or a scripting/command line interface. The Data
Source Engine employs a data caching mechanism to minimize unnecessary requests
against relatively static data sources.
Upon receipt of a request for data, the Data Source Engine retrieves, normalizes,
transforms and then delivers the requested data to the AppBoard client UI.
Web Application Proxy and Content Filtering
The web application proxy and content filtering function facilitates the delivery of and
interaction with existing HTTP(S)-based content. It is responsible for applying Single
Sign-On rules to the retrieval of external HTTP(S) requests, and for manipulating the
resulting data streams being returned from an integrated application for control and
data customization. The HTTP(S) stream manipulation support within enPortal is both
extensive and configurable and is available as a Proxy Channel. A potential example of
the use of this function is the removal of an image from an HTML stream as enPortal
delivers the HTTP(S) stream to the browser client.
Object Database
The Object Database is a JDBC-compliant RDBMS, and enPortal/AppBoard supports
numerous databases, including Microsoft SQL Server, MySQL, and Oracle.
enPortal/AppBoard ships with an embedded H2 database. The database handles
mapping between the object-based data model used within enPortal/AppBoard and the
relational database model that stores the actual content.
AppBoard Client Component Architecture
AppBoard features a web client consisting of a Viewer mode for normal (read only) use
and a Builder mode for administrators to configure AppBoard content. There are also
mobile apps (Viewer mode) for both the iOS and Android platforms.
The AppBoard Builder has three major components:
Data Sources
Data Collections
Visualization (Widgets, Stacks & Boards)
Data Source
Good data visualization requires good data. This data can be stored in a variety of
different locations and formats, which can lead to problems when trying to create
holistic summary views. AppBoard has a dedicated Data Source mode that allows for
access to all this information, regardless of where it is or what format it is in.
AppBoard provides powerful data manipulation tools to optimize data so that it can be
effectively visualized:
Ability to Group, Pivot, and Sort information both on the client and at the
server
"Server Side Filters" to reduce large data sets before they are brought into
memory on the client
"Client Side Filters" to take advantage of information that is already available in
client memory
Caching and Polling settings to optimize the performance of refreshing data
Data Collections
Any data that is pulled into AppBoard gets placed into a Data Collection. This
information is stored in memory on the client, so it is rapidly available to any Widget or
Board that has appropriate permissions. Like Data Sources, AppBoard has a dedicated
mode for managing Data Collections. The Data Collections Wizard provides control over
how much information is brought into memory via Server Side Filters, but the data
already in memory can also be manipulated via Client Side Filters.
Data Collections are the foundational block that all AppBoard visualizations are based
upon.
Widgets
Data visualization inside AppBoard is done by associating a Data Collection with a
Widget. AppBoard contains a number of Widgets, and every Widget requires a Data
Collection.
In addition to visualizing data, Widgets can have defined Actions. For example, the
contents of one Widget can be contextually filtered based on a selection in another, or
a Widget can be configured to drill down into a child board that shows details based on
an item selected in the parent. The key is knowing that clicking on a Widget is actually
clicking on the piece of data that's being represented by the Widget. Actions allow for
the use of this piece of data as context to alter Client or Server Side Filters for any Data
Collection inside AppBoard. This flexibility allows for extremely powerful interactions.
Stacks and Boards
In AppBoard, Widgets are placed on Boards. A collection of Boards is called a Stack.
Each Stack has a corresponding tab in the banner area of the builder which lets the user
navigate to that Stack. Stacks are an important concept because user permissions are
provisioned at the Stack level.
About Edge Technologies, Inc.
Edge Technologies is an innovative and proven software company specializing in the
Access, Integration, Visualization, and Understanding of information. Edge products
and services facilitate faster, more complete data integration; user-centric, customized
visualizations; easy, secure information sharing; and enhanced operational awareness
across a diverse set of information stakeholders.
Edge has been delivering leading-edge solutions in many of the world’s most
sophisticated network, intelligence, operational and logistics environments since 1993.
Recognized for the ability to identify, adopt and deploy emerging technology platforms,
Edge’s industry-leading products have proven to be ground breaking solutions that
stand the test of time.
Edge’s technological expertise in developing lasting innovation is fortified by the
company’s value-focused customer and partner relationships. Recognized for
meticulous software engineering and a high-touch customer service approach, Edge’s
success is built on innovative technology driven by experienced, customer-focused
personnel.
The Edge Agile Development Methodology first identifies customer challenges, then
applies design expertise and innovation to create better solutions and backs it all by the
people and technology to ensure the solutions work in the real-world and for the long-
haul.
Unlike competitive offerings, Edge’s products are designed with both the development
staff and the executive team in mind. Edge software toolkits do the heavy lifting to
streamline internal development efforts, accelerate time to market, and empower staff
to focus on situational and operational objectives. What’s more, Edge’s advanced
software architecture enables its products to easily scale to handle hundreds of
concurrent users.
Edge empowers businesses and government agencies to fulfill the potential of their
network and business systems management assets to make better decisions faster.
Appendix A: enPortal Product Integrations
Edge provides pre-built integrations for products from these vendors:
AirTight Networks
Alcatel-Lucent
Apica
AppDynamics
AppNeta
Arbor Networks
Axios Systems
BMC Software
CA Technologies
Cisco Networks
Citrix
Compuware
Cuculus
EIQ
EMC
eMite
Entuity
Fluke Networks
Fortinet
HP
IBM
IneoQuest
Infoblox
InfoVista
Interactive Intelligence
Ipanema Technologies
Koverse
LiveAction
ManageEngine
McAfee
Monolith Software
MYCOM OSI
Nagios
NetBoss
NetWitness
Oracle
Plixer
Resilient Systems
Riverbed
SAP
ScienceLogic
ServiceNow
SevOne
SolarWinds
Splunk
Tableau
Talisma
Tektronix
Viador
Visionael
VMware
Websense
xMatters
Zenoss
The above list continues to expand as Edge generates PIMs for new applications. The
complete list of PIMs can be found on the Edge Documentation site.