Secure communication with custom applications
Custom applications that access the ISIM Server must adhere to programming guidelines that ensure:
- Security boundaries built into ISIM Server are observed strictly.
- Only authorized application programming interfaces (APIs) are used for communication between the server and custom applications.
- Appropriate roles are assigned to users and user groups that use custom applications to access IBM Security Identity Manager functions.
IBM Security Identity Manager shields its core functions with a layer of managed enterprise Java beans. These EJBs are in an unprivileged layer of ISIM. When ISIM communicates with a client application, every managed EJB method takes a signed token from the caller. The token verifies the caller identity, except when the method does the authentication. The caller obtains this signed token after authentication with ISIM Server.
The following types of custom applications can be created to communicate with ISIM Server.
- Stand-alone Java client: Deployed as a WebSphere Application Server thin client.
- Web application: Deployed outside of WebSphere Application Server. A web application can start only a specific subset of ISIM Server APIs.
- Enterprise application, same JVM: Deployed in the same server instance (enrole.ear) as ISIM Server.
- Enterprise application, separate JVM: Deployed on the same computer as ISIM Server, but runs as a separate JVM process.
- Servlets: Deployed on a separate computer that runs WebSphere Application Server. Servlets are not deployed in the context of a web application.
When developing custom applications to communicate with ISIM Server, use the following rules to ensure secure communication:
- Allow only published APIs to access the managed EJBs in the unprivileged area.
- Allow custom applications to use only the functions that the APIs provide.
- Ensure that the computer on which ISIM Server runs is always secure.
WebSphere Application Server uses roles to manage access to application components and other objects, including user and group names. Use the following guidelines for assigning roles in custom applications that interface with ISIM Server.
- ITIM_SYSTEM: This role is defined when ISIM Server is deployed into WebSphere Application Server. It is used by ISIM Server components and is authorized to call all EJB methods in both the privileged and unprivileged layers. Do not assign any principal names or user IDs to this role without prior consultation with an IBM representative.
- ITIM_CLIENT: This role is authorized to call only managed EJB methods in the unprivileged layer. Map to this role the users, user group names, and other principals that perform less restricted tasks in ISIM Server.
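As an added illustration of the token flow and role guidance described above (this is not code from the IBM documentation), the following stand-alone Java thin client authenticates with ISIM Server and then passes the resulting JAAS Subject, which carries the signed token, to a published API manager object. The API class names, the JAAS configuration name "ITIM", the host, port and credentials are assumptions made for the example; check them against the API javadoc shipped with your release.

```java
import java.util.Hashtable;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;

// Assumed ISIM Java API classes; confirm against the javadoc of your release.
import com.ibm.itim.apps.InitialPlatformContext;
import com.ibm.itim.apps.PlatformContext;
import com.ibm.itim.apps.identity.PersonManager;
import com.ibm.itim.apps.jaas.callback.PlatformCallbackHandler;

public class IsimClientExample {

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: IsimClientExample <userId> <password>");
            System.exit(1);
        }
        // Credentials of an identity mapped to ITIM_CLIENT, never ITIM_SYSTEM.
        // In real code read them from a protected store rather than the command line.
        String userId = args[0];
        String password = args[1];

        // Thin-client connection settings. Host and port are placeholders.
        Hashtable<String, String> env = new Hashtable<>();
        env.put(InitialPlatformContext.CONTEXT_FACTORY,
                "com.ibm.itim.apps.impl.websphere.WebSpherePlatformContextFactory");
        env.put(InitialPlatformContext.PLATFORM_URL, "iiop://isim.example.com:2809");
        PlatformContext platform = new InitialPlatformContext(env);

        PlatformCallbackHandler handler = new PlatformCallbackHandler(userId, password);
        handler.setPlatformContext(platform);

        // Authentication is the one managed call that runs without a token;
        // "ITIM" is the assumed name of the JAAS login configuration.
        LoginContext lc = new LoginContext("ITIM", handler);
        lc.login();

        // The Subject now carries the signed token. Every published manager API
        // takes it, so the unprivileged EJB layer can verify the caller on each call.
        Subject subject = lc.getSubject();
        PersonManager personManager = new PersonManager(platform, subject);

        // ... perform only the published API operations the ITIM_CLIENT role permits ...

        lc.logout();
        platform.close();
    }
}
```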