Secure communications allow IDOL components to share information with other IDOL components, and with external components, while ensuring that:
third parties cannot read communications.
the communication occurs between trusted entities.
The first option for secure communications is IP address and host name access control lists. You define the IP addresses of systems that HPE IDOL has permission to communicate with. You can define this access separately for administrative actions, index actions, queries, and allowed proxies, by using the AdminClients, IndexClients, UserClients, QueryClients, and ProxyClients configuration parameters.
You can also bind HPE IDOL Server components to an explicit network interface in systems with multiple interfaces, by using the ExplicitHost configuration parameter.
Transport Layer Security (TLS/SSL) provides both transport encryption (HTTPS), and endpoint authentication.
In the most basic configuration, TLS encrypts the communication channel to and from the HPE IDOL Server component so that third parties cannot decrypt the information. In more advanced configurations, you can use client and server certificates to check that communication happens only between trusted clients and servers (with certificates signed by a trusted authority).
You configure TLS/SSL by using the SSLConfig configuration parameter, and the associated [SSLOptionN] configuration sections, which you can use to configure one or more sets of SSL options for your components to use.
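The following is an added example, not part of the HPE documentation and not HPE code. It shows the access-control-list parameters, ExplicitHost, SSLConfig and an [SSLOptionN] section in a small IDOL-style configuration, and runs a check a deployment reviewer would want: it parses a weak configuration beside a hardened one and reports open client lists and missing or outdated TLS settings. The two configuration texts are constructed; the wildcard form "10.0.5.*", the key names inside [SSLOption0] (SSLMethod, SSLCertificate, SSLPrivateKey) and the file paths are assumptions, so check them against your component's reference documentation before reusing them.

```python
"""Check an IDOL-style component configuration for the secure-communications
settings discussed above: client ACLs, ExplicitHost, SSLConfig/[SSLOptionN].
Added example; the configuration texts are constructed for illustration."""
import configparser

# ACL parameters named in the text; each is a comma-separated client list.
ACL_PARAMS = ("AdminClients", "IndexClients", "UserClients",
              "QueryClients", "ProxyClients")
# Entries that effectively disable the access control list (assumed syntax).
OPEN_ENTRIES = {"*", "0.0.0.0", "*.*.*.*"}
# Protocol versions that should no longer be negotiated.
WEAK_SSL_METHODS = {"SSLV2", "SSLV3", "SSLV23", "TLSV1", "TLSV1.0"}

# Constructed example: every action type is open to any client, no TLS.
WEAK_CONFIG = """
[Server]
Port=9000
AdminClients=*
IndexClients=*
QueryClients=*
"""

# Constructed example: explicit interface, narrow ACLs, TLS 1.2 enabled.
# The wildcard form and the [SSLOption0] key names are assumptions.
HARDENED_CONFIG = """
[Server]
Port=9000
ExplicitHost=10.0.5.20
AdminClients=127.0.0.1,10.0.5.*
IndexClients=10.0.5.31,10.0.5.32
QueryClients=10.0.6.*
ProxyClients=10.0.5.40
SSLConfig=SSLOption0

[SSLOption0]
SSLMethod=TLSV1.2
SSLCertificate=/etc/idol/certs/content.crt
SSLPrivateKey=/etc/idol/certs/content.key
"""


def parse(config_text):
    """Parse the INI-style text; option names are compared case-insensitively."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str.lower
    cp.read_string(config_text)
    return cp


def lint(config_text):
    """Return a list of findings (empty list means nothing was flagged)."""
    cp = parse(config_text)
    findings = []
    if not cp.has_section("Server"):
        return ["no [Server] section: nothing to check"]
    server = cp["Server"]

    # 1. Access control lists: flag any entry that admits every client.
    for param in ACL_PARAMS:
        value = server.get(param.lower())
        if value is None:
            if param == "AdminClients":
                findings.append("AdminClients is not set explicitly")
            continue
        for entry in (e.strip() for e in value.split(",")):
            if entry in OPEN_ENTRIES:
                findings.append(f"{param} entry {entry!r} allows any client")

    # 2. TLS: SSLConfig must name an existing [SSLOptionN] section with a
    #    current protocol version and a certificate/key pair.
    ssl_ref = server.get("sslconfig")
    if not ssl_ref:
        findings.append("SSLConfig not set: connections are plain HTTP")
    elif not cp.has_section(ssl_ref):
        findings.append(f"SSLConfig refers to missing section [{ssl_ref}]")
    else:
        opts = cp[ssl_ref]
        method = opts.get("sslmethod", "").upper()
        if method in WEAK_SSL_METHODS:
            findings.append(f"[{ssl_ref}] SSLMethod={method} is deprecated")
        for required in ("sslcertificate", "sslprivatekey"):
            if not opts.get(required):
                findings.append(f"[{ssl_ref}] missing {required}")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {lint(text) or ['no findings']}")
```

The weak configuration produces four findings (three open ACLs and the missing SSLConfig); the hardened one produces none. The check deliberately does not assume a default for an absent AdminClients value and simply reports that it is not set explicitly, so that reviewers confirm the effective value rather than rely on a default.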
HPE IDOL can plug in to an existing Kerberos system, by using the Generic Security Services Application Program Interface (GSSAPI). Kerberos provides both secure channel encryption and end-user identification.
In general, a Kerberos system is more complicated to set up and troubleshoot than a TLS/SSL system. It also requires external access to the HPE IDOL system through one of the ACI API libraries provided by HPE, rather than using a standard HTTP/HTTPS library.
You configure Kerberos by using the CommsEncryptionType configuration parameter.
Secure communications using TLS or GSSAPI have a minor performance impact, because they need to negotiate encryption protocols and encrypt the responses. You can reduce the overhead by using persistent HTTP/HTTPS connections to reuse an established connection.