Secure communications allow IDOL components to share information with other IDOL components, and with external components. They ensure that:
- third parties cannot read communications.
- the communication occurs between trusted entities.
The first option for secure communications is to use authorization roles to allow access by IP address, SSL identity, or GSS principal.
You define the allowed identities of systems or users that HPE IDOL has permission to communicate with. You can use the [AuthorizationRoles] configuration sections to define access separately for different types of actions (for example, standard roles allow you to define authorization restrictions for administrative actions, index actions, queries, and service actions), or for specific sets of actions. You also define the IP addresses, SSL identities, and GSS principals that each authorization role applies to. A user can send a particular action if they use one of the allowed methods to access IDOL Server.
You can also bind HPE IDOL Server components to an explicit network interface in systems with multiple interfaces, by using the ExplicitHost configuration parameter.
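The following configuration fragment is an added example of the authorization-role and ExplicitHost settings described above; it is not taken from the HPE IDOL documentation. The host names, addresses, certificate subject and principal are constructed, and the per-role parameter names (StandardRoles, Actions, Clients, SSLIdentities, GSSPrincipals), the wildcard syntax in Clients and the placement of ExplicitHost in [Server] are recalled from the IDOL Server Reference and should be checked against it for your version.

```ini
; Added example, not from the HPE IDOL documentation. Addresses, host names,
; certificate subject and principal are constructed. Parameter names inside
; the role sections are recalled from the IDOL Server Reference (assumption).

[Server]
Port=9000
IndexPort=9001
ServicePort=9002
; Multi-homed host: listen only on the internal interface
; (assumption: ExplicitHost belongs in [Server]).
ExplicitHost=10.10.1.25

; Each numbered entry names a role section below. A request is accepted by a
; role if the sender matches ANY of that role's Clients, SSLIdentities or
; GSSPrincipals entries, so keep the admin role's lists as short as possible.
[AuthorizationRoles]
0=AdminRole
1=IndexRole
2=QueryRole
3=ServiceRole
4=StatusRole

; Administrative actions: local host only, or a client that presents a
; certificate for the listed identity (identity format per the reference;
; the common name is assumed here).
[AdminRole]
StandardRoles=Admin
Clients=localhost
SSLIdentities=idol-admin.example.internal

; Index actions: only the two indexing hosts.
[IndexRole]
StandardRoles=Index
Clients=10.10.1.30,10.10.1.31

; Queries: any front end in the application subnet (wildcard syntax assumed),
; or a caller authenticated as the front-end Kerberos principal.
[QueryRole]
StandardRoles=Query
Clients=10.10.2.*
GSSPrincipals=frontend/app01.example.internal@EXAMPLE.INTERNAL

; Service actions (stop, pause, and so on): local host only.
[ServiceRole]
StandardRoles=Service
Clients=localhost

; A role for a specific set of actions rather than a standard class: a
; monitoring host may read status and the request log but cannot administer.
[StatusRole]
Actions=GetStatus,GetRequestLog
Clients=10.10.3.5
```

The point to check when reviewing such a file is the AdminRole and ServiceRole sections: a wildcard or a broad subnet there grants administrative control to every host that can reach the port, and because the three matching methods are alternatives rather than requirements, a permissive Clients entry is not tightened by also listing an SSL identity.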
Transport Layer Security (TLS/SSL) provides both transport encryption (HTTPS), and endpoint authentication.
In the most basic configuration, TLS encrypts the communication channel to and from the HPE IDOL Server component so that third parties cannot decrypt the information. In more advanced configurations, you can use client and server certificates to check that communication happens only between trusted clients and servers (with certificates signed by a trusted authority).
You configure TLS/SSL by using the SSLConfig configuration parameter, and the associated [SSLOptionN] configuration sections, which you can use to configure one or more sets of SSL options for your components to use.
HPE IDOL can plug in to an existing Kerberos system, by using the Generic Security Services Application Program Interface (GSSAPI). Kerberos provides both secure channel encryption and end-user identification.
In general, a Kerberos system is more complicated to set up and troubleshoot than a TLS/SSL system. For ACI port communications, it also requires external access to the HPE IDOL system through one of the ACI API libraries provided by HPE, rather than through a standard HTTP/HTTPS library. On the index port, you can use Kerberos from a standard HTTP/HTTPS library.
You configure Kerberos by using the CommsEncryptionType configuration parameter.
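As an added example covering both the TLS/SSL section and the Kerberos section above (not from the HPE IDOL documentation), the fragment below shows the two TLS configurations the text contrasts, encryption only versus mutual authentication with certificates from a trusted authority, and the CommsEncryptionType switch for the Kerberos alternative. File paths and host names are constructed; the parameter names inside the [SSLOptionN] sections (SSLMethod, SSLCertificate, SSLPrivateKey, SSLCACertificate, SSLCheckCommonName), the GSSServiceName parameter, and the behaviour that setting a CA certificate makes the server verify the peer's certificate are recalled from the IDOL Server Reference and should be confirmed there.

```ini
; Added example, not from the HPE IDOL documentation. Paths and host names
; are constructed; option-section parameter names and the GSS parameter are
; recalled from the IDOL Server Reference (assumption, verify for your version).

[Server]
Port=9000
; Select which option set the ACI port uses; change to SSLOption1 once the
; client certificates have been issued.
SSLConfig=SSLOption0

; Basic configuration: encryption only. Third parties cannot read the channel,
; but the server does not check who connected, so the authorization roles
; (Clients=...) are the only access control in this mode.
[SSLOption0]
SSLMethod=TLSV1.2
SSLCertificate=/etc/idol/certs/idol-content-01.crt
SSLPrivateKey=/etc/idol/certs/idol-content-01.key

; Advanced configuration: mutual authentication. The server presents its own
; certificate and verifies the client's certificate against the internal CA
; (assumption: SSLCACertificate enables peer verification), then accepts only
; the listed common names. Pair these names with SSLIdentities in the roles.
[SSLOption1]
SSLMethod=TLSV1.2
SSLCertificate=/etc/idol/certs/idol-content-01.crt
SSLPrivateKey=/etc/idol/certs/idol-content-01.key
SSLCACertificate=/etc/idol/certs/internal-ca.crt
SSLCheckCommonName=idol-admin.example.internal,query-frontend.example.internal

; Kerberos alternative for the same component (commented out: it replaces the
; SSLConfig line above rather than adding to it). ACI-port clients must then
; use an HPE ACI API library; the index port still works with standard
; HTTP/HTTPS libraries. GSSServiceName and the principal form are assumptions.
; CommsEncryptionType=GSS
; GSSServiceName=idol/idol-content-01.example.internal@EXAMPLE.INTERNAL
```

When moving from SSLOption0 to SSLOption1, test with one of the listed clients first: a certificate issued by a different CA, or with a common name not on the SSLCheckCommonName list, is rejected at the TLS handshake before any authorization role is consulted, which is the intended behaviour but is easy to mistake for a network fault.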
Secure communications using TLS or GSSAPI have a minor performance impact, because they need to negotiate encryption protocols and encrypt the responses. You can reduce the overhead by using persistent HTTP/HTTPS connections to reuse an established connection.