Sun Microsystems JAVA 2005Q1 User Manual

Sun Java™ System

Portal Server 6

Deployment Planning Guide

2005Q1

Sun Microsystems, Inc. 4150 Network Circle Santa Clara, CA 95054 U.S.A.

Part No: 817-7697

Copyright © 2005 Su n Mi cr osy stems, Inc., 4150 Netw or k Circle, Santa Clar a, California 95054, U. S . A. All rights reserved. Sun Microsystems, Inc. has intellectual property rights relating to technology embodied in th e p r oduct that is described in this document. In

particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at

http://www.sun.com/patents

and one or more additional patents or pending patent applications in the U.S. and in other countries.

THIS PRODUCT CONTAINS CONFIDENTIAL INFORMATION AND TRADE SECRETS OF SUN MICROSYSTEMS, INC. USE, DISCLOSURE OR REPRODUCTION IS PROHIBITED WITHOUT THE PRIOR EXPRESS WRITTEN PERMISSION OF SUN MICROSYSTEMS, INC.

U.S. Government Rights - Commercial software. Government users are subject to the Sun Microsystems, Inc. standard license agreement and applicable provisions of the FAR and its supplements.

This distribution may include materials de ve lo ped by third parties. Parts of the product may be derived from Berkeley BSD systems, li censed from the Un iversity of Californ ia. UNIX is a registe red tr ademar k in the

U.S. and in other c ountries, exclusively licensed through X/ Open Company, Ltd. Sun, Sun Microsystems, the Sun logo, Java, Solaris, JDK, Java Naming and Directory Interface, JavaMail, JavaHelp, J2SE, iPlanet, the Duke logo,

the Java Coffee Cup logo, the Solaris logo, the SunTone Certified logo and the Sun ONE logo are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries.

All SPARC trademar k s ar e u s e d under license and ar e tr ademarks or registered trademarks o f SPARC Internatio nal, Inc. in the U.S . a n d other countries. Products bearing SPARC trademarks are based upon architecture developed by Sun Microsystems, Inc.

Legato and the Legato logo are registered trademarks, and Legato NetWorker, are trademarks or registered trademarks of Legato Systems, Inc . The Netscape Communications Corp logo is a trademark or registered trademark of Netscape Communications Corporation.

The OPEN LOOK and Sun(TM) Graphical User Interface was developed by Sun Microsystems, Inc. for its users and licensees. Sun acknowledges the pioneering efforts of Xerox in researching and developing the concept of visual or graphical user interfaces for the computer industry. Sun holds a non-exclusive license from Xerox to the Xer ox Gr aphi c al User Interface, which li cense also covers Sun's license e s w ho implement O P EN LOOK GUIs and otherwise comply with Sun's written license agreements.

Products covered by and information contained in this service manual are controlled by U.S. Export Control laws and may be subject to the export or import laws in other countries. Nuclear, missile, chemical biological weapons or nuclear maritime end uses or end users, whether direct or indirect, are strictly prohibited. Export or reexport to countries subject to U.S. embargo or to entities identified on U.S. export exclusion lists, including, but not limited to, th e de nie d persons a nd spe cially designated nationals lists is strictly prohibited.

DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE O R NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.

_______________________________________________________________________________________________________________ Copyright © 2005 Su n Mi c r osy stems, Inc., 4150 Ne tw or k C ir c le , S anta Clara, Calif or nia 95054, Etats-Unis. Tous droits rése r vé s. Sun Microsystems, Inc. détient les droits de propriété intellectuels relatifs à la technologie incorporée dans le produit qui est décrit dans ce

document. En particulier, et ce sans limitation, ces droits de propriété intellectuelle peuvent inclure un ou plus des brevets américains listés à

http://www.sun.com/patents

l'adresse

et un ou les brevets supplémentaires ou les applications de brevet en attente aux Etats - Unis et dans les

autres pays. CE PRODUIT CONTIENT DES INFORMATI ONS CONFIDENTIEL LES ET DES SECRETS COMMERCIAUX DE SUN MICR O S Y S TEMS, INC.

SON UTILISATION, SA DIVULGATION ET SA REPRODUCTION SONT INTERDITES SANS L AUTORISATION EXPRESSE, ECRITE ET PREALABLE DE SUN MICROSYSTEMS, INC.

Cette distribution peut comprendre des composants développés par des tierces parties. Des parties de ce produit pourront être dérivées des systèmes Berkeley BSD licenciés par l'Université de Californie. UNIX est une marque

déposée aux Etats-Unis et dans d'autres pays et licenciée exclusivement par X/Open Company, Ltd. Sun, Sun Microsystems, le logo Sun, Java, Solaris, JDK, Java Naming and Directory Interface, JavaMail, JavaHelp, J2SE, iPlanet, le logo Duke, le

logo Java Coffee Cup, le logo Solaris, le logo SunTone Certified et le logo Sun[tm] ONE sont des marques de fabrique ou des marques déposées de Sun Microsystems, Inc. aux Etats-Unis et dans d'autres pays.

Toutes les marques SPARC sont utilisées sous licence et sont des marques de fabriq ue ou des marques déposées de SPARC International, Inc. aux Etats-Unis et dans d'autres pays . Les produits po rtant l es marques SPARC sont basés sur un e archi tecture déve loppée p ar Sun Microsystems, Inc.

Legato, le logo Legato, et Legato NetWorker sont des marques de fabrique ou des marques déposées de Legato Systems, Inc. Le logo Netscape Communications Corp est une marque de fabrique ou une marque déposée de Netscape Communications Corporation.

L'interface d'utilisation graphique OPEN LOOK et Sun(TM) a été développée par Sun Microsystems, Inc. pour ses utilisateurs et licenciés. Sun reconnaît les efforts de pionniers de Xerox pour la recherche et le développement du concept des interfaces d'utilisation visuelle ou graphique pour l'industrie de l'informatique. Sun détient une license non exclusive de Xerox sur l'interface d'utilisation graphique Xerox, cette licence couvrant également les licenciés de Sun qui mettent en place l'interface d'utilisation graphique OPEN LOOK et qui, en outre, se conforment aux licences écrites de Sun.

Les produits qui font l'objet de ce manuel d'entretien et les infor ma tions qu'il contient sont regis par la legisla tion americaine en matiere de controle des exportations et peuvent etre soumis au droit d'autres pays dans le domaine des exportations et importations. Les utilisations finales, ou utilisateurs f inaux, pour des arme s nu c leaires, des mis s iles, des armes biolo g iq u e s et c himiques ou du nucleaire maritime, directement ou indirectement, sont strictement interdites. Les exportations ou reexportations vers des pays sous embargo des Etats-Unis, ou vers des entites figurant sur les li ste s d' exclusion d'exportation americaines, y c om pr is, mais de maniere n on exclusive, la liste de pe r sonnes qui fon t ob jet d'un ordre de ne pas participer, d'une facon directe ou indirecte, aux exportations des produits ou des services qui sont regi par la legislation americaine en matiere de controle des exportations e t l a l ist e de ress orti ssa nts specifiquement designes, sont rigoureusement interdites.

LA DOCUMENTATION EST FOURNIE "EN L'ETAT" ET TOUTES AUTRES CONDI TI ONS, DECLARATIONS ET GARANTI ES E XPRESSES OU TACITES SONT FORMELLEMENT EXCLUES, DANS LA MESURE AUTORISEE PAR LA LOI APPLICABLE, Y COMPRIS NOTAMMENT TOUTE GARANTIE IMPLICITE RELATIVE A LA QUALITE MARCHANDE, A L'APTITUDE A UNE UTILI SATI ON PARTI CULIE RE OU A L'ABSENCE DE CONTREFACON.

List of Figures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

List of Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Before You Read This Book . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Who Should Read This Book . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

How This Book Is Organized . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Typographic Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Related Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Books in This Documentation Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Other Portal Server Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Other Server Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Accessing Sun Resources Online . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Contacting Sun Te chnical Suppor t . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Related Third-Party Web Site References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Sun Welcomes Your Comments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Chapter 1 Portal Server Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

What is a Portal? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Types of Portals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Collaborative Portals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Business Intelligence Portals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Portal Server Capabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Sun Java System Portal Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Secure Remote Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Portal Sever in Open Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Portal Server in Secure Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Security, Encryption, and Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Portal Server Deployment Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Portal Server Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Identity Manag e m ent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Portal Server Software Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Software Packaging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Software Categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Compatibility With Java Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

A Typical Portal Server Installati on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Chapter 2 Portal Server Secure Remote Access Architecture . . . . . . . . . . . . . . . . . . . . . . . . 37

SRA Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

Multiple Gateway Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Multiple Portal Server Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Proxy Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Gateway and HTTP Basic Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Gateway and SSL Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Gateway Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Gateway Logg ing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Using Accelerators with the Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Netlet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Static and Dynamic Port Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Netlet and Application Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Split Tunneling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Netlet Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

NetFile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

Initialization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Validating Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Special Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

NetFile and Multithreading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Rewriter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Rewriter Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

Proxylet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Chapter 3 Identifying and Evaluating Your Business and Technical Requirements . . . . . . 51

Business Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

Technical Goals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

Mapping Portal Server Features to Your Business Needs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

Identity Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

SRA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

Search Engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

4 Portal Server 6 2005Q1 • Deployment Planning Guide

Personalization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

Aggregation and Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

Understanding User Behaviors and Patterns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Chapter 4 Pre-Deployment Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

Determine Your Tuning Goals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

Portal Sizing Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

Establish Performance Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

Portal Sizing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

Establish Baseline Sizi ng Fig ur es . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

Customize the Baseline Sizing Figures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

Validate Baseline Sizing Fig ures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

Refine Baseline Sizing Figures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

Validate Your Final Figures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

SRA Sizing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

Identifying Gateway Key Performance Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

Advanced Gatewa y Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

SRA Gateway and SSL Hardware Accelerators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

SRA and Sun Enterprise Midframe Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

Chapter 5 Creating Your Portal Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

Portal Design Approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

Overview of High-Level Portal Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

Overview of Low-Level Portal Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

Logical Portal Architectu re . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

Portal Server and Scalability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

Vertical Scaling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

Horizontal Scaling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

Portal Server and High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84

System Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

Degrees of High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

Achieving High Availability for Portal Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

Portal Server System Communication Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

Working with Portal Server Building Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

Building Modules and High Availability Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90

Building Module Constraints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

Deploying Your Building Module Solution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

Designing Portal Use Case Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

Elements of Portal Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

Example Use Case: Authenticate Portal User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

Designing Portal Security Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

Securing the Operating Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

Contents 5

Using Platform Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

Using a Demilitarized Zone (DMZ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

Portal Server and Access Manager on Different Nodes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

Designing SRA Deployment Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

Basic SRA Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112

Disable Netlet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

Proxylet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

Multiple Gateway Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

Netlet and Rewriter Proxies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116

Netlet and Rewriter Proxies on Separate Nodes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118

Using Two Gateways and Netlet Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

Using an Accelerator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120

Netlet with 3rd Party Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

Reverse Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122

Designing for Localization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123

Content and Design Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123

Integration Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

Identity and Directory Structure Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

Implementing Single Sign-On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128

Portal Desktop Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128

Client Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131

Chapter 6 The Production Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133

Moving to a Production Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133

Monitoring and Tuning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133

Documenting the Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134

Monitoring Portal Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135

Memory Consumption and Garbage Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135

CPU Utiliza tion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136

Access Manager Cache and Session s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

Thread Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

Portal Usage Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138

Appendix A Installed Product Layout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

Directories Installed for Portal Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

Directories Installed for SRA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140

Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141

Appendix B Analysis Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

mpstat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144

iostat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146

netstat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147

6 Portal Server 6 2005Q1 • Deployment Planning Guide

Tuning Parameters for

/etc/system

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150

Appendix C Portal Server and Application Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153

Introduction to Application Server Support in Portal Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153

Portal Server on an Application Server Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154

Overview of Application Server Enterprise Edition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155

Overview of BEA WebLogic Server Clusters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155

Overview of IBM WebSphere Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157

Appendix D Troubleshooting Your Portal Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159

Troubleshooting Portal Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159

UNIX Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159

Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160

Recovering the Search Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160

Working with the Display Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160

High CPU Utilization for Portal Server Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

Configuring a Sun Java System Portal Server Instance to Use an HTTP Proxy . . . . . . . . . . . . . . . 162

Troubleshooting SRA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162

Debugging the Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162

Introduction to Using

shooter

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164

SRA Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165

Appendix E Portal Deployment Worksheets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

Portal Assessment Worksheets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

Portal Design Task List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171

Appendix F Portal Server on the Linux Platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179

Limitations Using Linu x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179

Comparison of Solaris and Linux Path Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179

Contents 7

8 Portal Server 6 2005Q1 • Deployment Planning Guide

List of Figures

Figure 1-1 Portal Server in Open Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Figure 1-2 Portal Server in Secure Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Figure 1-3 High-level Architecture for a Busines s -t o-Emp loye e Portal . . . . . . . . . . . . . . . . . . . . . . 34

Figure 1- 4 SRA Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Figure 5-1 Portal Server Communication Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

Figure 5-2 Portal Server Building Module Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

Figure 5-3 Best Effort Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

Figure 5-4 No Single Point of Failure Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

Figure 5-5 Transparent Failover Example Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96

Figure 5-6 Portal Server and Access Manager on Different Nodes . . . . . . . . . . . . . . . . . . . . . . . . 106

Figure 5-7 Two Portal Servers and One Access Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

Figure 5-8 One Portal Server and Two Access Managers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

Figure 5-9 Two Portal Servers and Two Access Managers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

Figure 5-10 Basic SRA Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112

Figure 5-11 Disable Netlet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

Figure 5-12 Proxylet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

Figure 5-13 Multiple Gateway Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

Figure 5-14 Netlet and Rewriter Proxies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

Figure 5-15 Proxies on Separate Nodes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118

Figure 5-16 Two Gat eways and Netl et Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

Figure 5-17 SRA Gateway with External Accelerator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120

Figure 5-18 Netlet and Third-Party Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

Figure 5-19 Using a Reverse Proxy in Front of the Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122

List of Figures 9

10 Portal Server 6 2005Q1 • Deployment Planning Guide

List of Tables

Table 1 Typographical Conventions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Table 3-1 Identity Management Features and Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

Table 3-2 SRA Features and Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

Table 3-3 Search Features and Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Table 3-4 Personalization Features and Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

Table 3-5 Aggregation Featur es and Bene fits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Table 5-1 Portal Server High Av ailability Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91

Table 5-2 Use Case: Authenticate Po rtal User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

Table A-1 Portal Server Directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

Table A-2 Portal Server, SRA Directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140

Table B-1 Performance Analysis Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

Table B-2 /etc/system Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150

Table B-3 TCP/IP Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150

Table E-1 General Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

Table E-2 Organizational Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168

Table E-3 Business Service-level Expectations Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169

Table E-4 Content Management Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169

Table E-5 User Management and Security Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170

Table E-6 Business Intelligence Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170

Table E-7 Architecture Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170

Table E-8 Design Task List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171

Table F-1 Comparison of Solaris and Linux Path Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179

List of Tables 11

12 Portal Server 6 2005Q1 • Deployment Planning Guide

This Administration Guide explains how to plan for and deploy Sun Java™ System Portal Server 6 2005Q1 software. Portal Server Secure Remote Access provides a platform to create portals for your organizatio n’s integrated data, knowledge management, and applications. The Portal Server platform offers a complete infrastructure solution for building and deploying all types of portals, including business-to-business, business-to-employee, and business-to-consumer.

Before You Read This Book

Portal Server Secure Remote Access is a component of Sun Java Enterprise System, a software infrastructure that supports enterprise applications distributed across a network or Internet environment. You should be familiar wi th the documentation provided with Sun Java Enterprise System, which can be accessed online at

http://docs.sun.com/coll/entsys_05q1

Preface

Who Should Read This Book

This Administration Guide is intended for use by those responsible for deploying Portal Server at your site.

Before you deploy Portal Server, you must be familiar with the following technologies:

• Sun Java Enterprise System

• Solaris™ Operating System administrative procedures

• Sun Java System Access Manager

• Sun Java System Directory Server

How This Book Is Organized

•Java™ Web Server

• JavaServer Pages™ technology

• Lightweight Directory Access Protocol (LDAP)

• Hypertext Markup Language (HTML)

• Extensible Markup Language (XML)

How This Book Is Organized

Chapters 1 through 5 provide information on Portal Server Secure Remote Access deployment. The following table summarizes the content of this book..

Chapter Description

Chapter 1, “Portal Server Architecture” on page 21

Chapter 2, “Portal Server Secure Remote Access Architecture” on page 37

Chapter 3, “Identifying and Evaluating Your Business and Technical Requirements” on page 51

Chapter 4, “Pre-Deployment Considerations” on page 61

Chapter 5, “Creating Your Portal Design” on page 79

Chapter 6, “The Production Environment” on page 133

Appendix A, “Installed Product Layout” on page 139

Appendix B, “Analysis Tools” on page 143

This chapter describes types of portals servers, Sun Java System Portal Server in open and secure mode, the Portal Server components.

This chapter describes the Portal Server Secure Remote Access architecture, including the key components of Secure Remote Access with respect to their role in providing secure remote access to corporate intranet resources from outside the intranet.

This chapter describes how to analyze your organization’s needs and requirements that lead to designing your portal deployment.

This chapter describes how to establish a baseline sizing figure for your portal. With a baseline figure established, you can then refine that figure to account for scalability, high availability, reliability, and good performance.

This chapter describes how to create your high-level and low-level portal design and provides information on creating specific sections of your design plan.

This chapter describes how to tune and monitor your portal.

This appendix describes the directories and configuration files fo r Portal Server and Remote Access (SRA).

This appendix describes analysis tools for tuning the operating system.

Sun Java System Portal Server Secure

14 Portal Server Secure Remote Access 6 2005Q1 • Administration Guide

Chapter Description

Appendix C, “Portal Server and Application Servers” on page 153

Appendix D, “Troubleshooting Your Portal Deployment” on page 159

Appendix E, “Portal Deployment Worksheets” on page 167

Appendix F, “Portal Server on the Linux Platform” on page 179

Glossary Glossary

This appendix describes the support for application servers.

This appendix describes how to troubleshoot the Portal Server software and the Portal Server Secure Remote Access (SRA) product.

This appendix provides various worksheets to help in the deployment process.

This appendix contains notes on running Portal Server on a Linux platform.

Conventions Used in This Book

The tables in this section describe the conventions used in this book.

How This Book Is Organized

Typographic Conventions

The following table describes the typographic conventions used in this book

Table 1 Typographical Conventions.

Typeface Meaning Examples

AaBbCc123

(Monospace)

AaBbCc123

(Monospace bold)

API and language elements, HTML tags, web site URLs, command names, file names, directory path names, onscreen computer output, sample code.

What you type, when contrasted with onscreen computer output.

Edit your Use

ls -a

.login

to list all files.

% You have mail % su

Password:

file.

Preface 15

Sun is interested in improving its documentation and welcomes your comments and suggestions.

Sun Welcomes Your Comments

To share your comments, go to the online form, provide the document title and part number. The part n umber is a seven-digit or nine-digit number that can be found on the title page of the book or at the top of the document. For example, the title of this book is Sun Java System Portal Server Secure R emo te Access 2005Q1 Adminis tration Guide, and the part number is 817-7693.

http://docs.sun.com

and click Send Comments. In

Preface 19

Sun Welcomes Your Comments

20 Portal Server Secure Remote Access 6 2005Q1 • Administration Guide

Portal Server Architecture

This chapter contains the following s e ctions:

• What is a P o rtal?

• Types of Portals

• Portal Server Capabilities

• Sun Java System Portal Server

• Secure Remote Access

Chapter 1

• Security, Encryption, and Authentication

• Portal Server Deployment Components

• Portal Server Architecture

• Identity Management

• A Typical Portal Server Installation

What is a Portal?

Portals provide the user with a single point of access to a wide variety of content, data, and services throughout an enterprise. The content displayed through portal providers, channels, and portlets on the portal page can be personalized based on user preferences, user role or department within an organization, site design, and marketing campaigns for customers as end-users.

Types of Portals

Portals serve as a unified access point to web applications. Portals a lso provide valuable functions like security, search, collaboration, and workflow. A portal delivers integrated content and applications, plus a unified, collaborative workplace. Indeed, portals are the next-generation desktop, delivering e-business applications over the web to all kinds of client de vices. A complete portal solution should provide users with access to everything users need to get their tasks done—any time, anywhere, in a secure manner.

Types of Portals

With many new portal products being announced, the marketpla ce has become very confusing. Indeed, any product or application that provides a web interface to business content cou ld be classified as a porta l. For this reason port als have many different uses and can be classified as one of the following:

• Collaborative Portals

• Business Intelligence Po rtals

Collaborative Portals

Collaborative portals help busi ne ss users organize, find, and share unstructured office content—for example, e-mail, discussion group material, office documents, forms, memos , me e ti ng minutes, web d o c u ments, and some s u p p ort for live feeds. Collaborative portals differ from Internet and intranet portals not only in supporting a wider range of information, but also by providing a set of content management and collaborative services.

Content management services include the following:

• Text mining (the discovery of new, previously unknown information)

• Clustering of related unstructured information

• Information categorization

• Summarization to generate abstracts for documents,

• Publishing and subscribing

• Finding people

• Tracking expertise Collaborative portals are mainly used interna lly as a corporate facility.

22 Portal Server 6 2005Q1 • Deployment Planning Guide

Portal Server Capabilities

Collaborative services allow users to do the following:

•Chat

• Organize meetings

• Share calendaring information

• Define user communities

• Participate in net meetings

• Share information in discussion groups and on white boards

Business Intelligence Portals

Business intelligence portals provide executives, managers, and business analysts with access to business intelligence for making business decisions. This type of portal typically indexes business intelligence reports, analyses, and predefined queries, and are associated with financial management, customer relationship management, and supply chain performa nce management. Business intelligence portals also provide access to business intelligence tools (reporting, OLAP, data mining), packaged analytic applications, alerting, publishing and subscribing. Peoplesoft is a typical vendor provider of bu siness intelligence types of portal.

Types of business intelligence portals include:

• Procurement portal

• Self-service portal

• Business portal

• e-Commerce portal

• Sales support

• Customer relationship management, operations, and employee portals

• Consumer portal

Portal Server Capabilities

Sun Java™ System Portal Server 6 2005Q1 software provides the following capabilities to your organization:

Chapter 1 Portal Server Architecture 23

Sun Java System Portal Server

• Secure access and authorized connectivity, optio na lly using encryption

• Authentication of users before allowing access to a set of resource s that are

• Support for abstractions that provide the ability to pull content from a variety

• A search engine infrastructure to enable intranet content to be organized and

• Ability to store user- and service-specific persistent d ata

• Access to commonly needed applications for accessing services such as mail,

• An administration interface enabling delegated and remote administration

• Single sign-on and security features, enabling standard access to enterprise

• Personalization through the use of portal providers, portlet and web service

between the user’s browser and the enterprise

specific for each user

of sources and aggregate and personalize it into an output format suitable for the user’s device

accessed from the portal

calendar, and file storage

applications and content

remote portlet.

• Publishing and managing content (provided by third-party applications such as FatWire)

Sun Java System Portal Server

Portal Server is a component of the Sun Java™ Enterprise System technology. Sun Java Enterprise System technology supports a wide range of enterprise computing needs, such as creating a secure intranet portal to provide the employees of an enterprise with secure access to email and in-house business applications.

The Portal Server product is an identity-enabled portal server solution. It provides all the user, policy, and identity management to enforce security, web application single sign-on (SSO), and access capabilities to end user communities. In addition, Portal Server combines portal services, such as person alization, aggregation, security, integration, and search. Unique capabilities that enable secure remote access to inter nal resources and applications round out a complete portal platform for deploying business-to-employee, business-to-business, and business-to-consumer portals. The Sun Java System Portal Server Secure Remote Access (SRA) provides additional secure remote access capabilities to access weband non-web enabled resources.

24 Portal Server 6 2005Q1 • Deployment Planning Guide

Each enterprise assesses its own needs and plans its own deplo yment of Java Enterprise System technology. The optimal deployment for each enterprise depends on the type of applications that Java Enterprise System technology supports, the number of users, the kind of hardware that is available, and other considerations of this type.

Portal Server is able to work with previously installed software components. In this case, Portal Server uses the installed software when the software is an appropriate version.

Secure Remote Access

Sun Java System Portal Server Secure Remote Access (SRA) offers browser-based secure access to portal content and services from any remote browser enabled with Java technology.

SRA is accessible to users from any Java technology-enabled browser, eliminating the need for client software. Integration with Portal Server software ensures that users receive secure encrypted access to the content and services that users have permission to access.

Secure Remote Access

SRA is targeted toward enterprises deploying highly secure remote access portals. These portals emphasize security, protection, and privacy of intranet resources. The SRA services–Access List, the Gateway, NetFile, Netlet, and Proxylet– ena ble users to securely access intranet resources through the Internet without exposing these resources to the Internet.

Portal Server runs in open mode and secure mode, that is, either without SRA or with SRA.

Portal Sever in Open Mode

In open mode, Portal Server is installed without SRA. The typical public portal runs without secure access using only th e HTTP protocol. Although you can configure Portal Server to use the HTTPS protocol in open mode (either during or after installation), secure remot e access is not possible. This means tha t users cannot access remote file systems and applications.

The main difference between an open portal and a secure portal is that the services presented by the open portal typically reside within the demilitarized zone (DMZ) and not within the secured intranet.

Chapter 1 Portal Server Architecture 25

Secure Remote Access

If the portal does not contain sensitive information ( d eploying public information and allowing access to free applications), then responses to access requests by a large number of users is faster than secure mode.

Figure 1-1 shows Portal Server configured for open mode. In this figure, Portal

Server is installed on a single server behind the firewall. Multiple clients access the Portal Server system across the Internet through the single firewall, or from a web proxy server that sits behind a firewall.

NOTE You can provide secure access to users of web-enabled resources by

running Portal Server in open mode with the HTTPS protocol. However, without SRA, you cannot provide secure remote access to file systems or TCP/IP applications.

Figure 1-1 Portal Server in Open Mode

Firewall

Client

Internet

Client

Portal Server in Secure Mode

In secure mode, Portal Server is installed with SRA. Secure mode provides users with secure remote access to required intra ne t file systems and applications.

26 Portal Server 6 2005Q1 • Deployment Planning Guide

intranet

Portal Server

Applications

Secure Remote Access

The main advantage of SRA is that only the IP address of the Gateway is published to the Internet. All other services and their IP addresses are hidden and never published to a Domain Name Service (DNS) that is running on the public ne twork (such as the Internet).

The Gateway resides in the demilitarized zone (DMZ). The Gateway provides a single secure access point to all intranet URL s a nd applications, thus reducing the number of ports to be opened in the firewall. All other Sun Java System services such as Session, Authentication, and Portal Desktop, reside behind the DMZ in the secured intranet. Communication from the client browser to the Gateway is encrypted using HTTP over Secure Sockets Layer (SSL). Communication fro m th e Gateway to the server and intranet resources can be either HTTP or HTTPS.

Figure 1-2 shows Portal Server installed with SRA. SSL is used to encrypt the

connection between the client and the Gateway over the Internet. SSL can also be used to encrypt the connection between the Gateway and the Portal Server system. The presence of a Gateway between the intranet and the Internet extends the secure path between the client and the Portal Server system.

Figure 1-2 Portal Server in Secure Mode

Client

Firewall

Internet

Firewall

Gateway

DMZ

Firewall

Portal Server

intranet

Chapter 1 Portal Server Architecture 27

Applications

Security, Encryption, and Authentication

You can add additional servers and Gateways for site expansion. You can also configure the components of SRA in various ways based on your business requirements.

Security, Encryption, an d Au the ntica tio n

Portal Server system security relies on the HTTPS encryption protocol, in addition to UNIX system security, for protecting the Portal Server system software.

Security is provided by the web container, which yo u can configure to use SSL, if desired. Portal Server also supports SSL for authentication and end-user registration. By enabling SSL certificates on the web server, the Portal Desktop and other web applications can also be accessed securely. You can use the Access Manager policy to enforce URL-based access policy.

Portal Server depends on the authentication service provided by Sun Java System Access Manager and suppo rts sing le si gn-on (S SO) wi th any produc t that al so us es the Access Manager SSO mechanism. The SSO mechanism uses encoded cookies to maintain session state.

Another layer of security is provided by SRA. It uses HTTPS by default for connecting the client browser to the intranet. The Gateway uses Rewriter to enable all intranet web sites to be accessed without exposing them directly to the Internet. The Gateway also provides URL-based access policy enforcement without having to modify the web servers being accessed.

Communication from the Gateway to the server and intranet resources can be HTTPS or HTTP. Communication within the Portal Server system, for example between web applications and the directory server, does not use encryption by default, but it can be configured to use SSL.

Portal Server Deployment Components

Portal Server deployment consists of the following components:

• IAccess Manager Access Manager provides user and service management, authentication and

single sign-on services, policy management, logging service, debug utility, the administration console, and client support interfaces for Portal Server. This consists of:

28 Portal Server 6 2005Q1 • Deployment Planning Guide

Portal Server Architecture

❍ Java Development Kit™ (JDK™)--Java Developm ent Kit software provides

the Java run-time environment for all Java software in Portal Server and its underlying components. Portal Server depends on the JDK software in the web container.

❍ Network Security Services for Java software ❍ Sun Java System Web Server ❍ Java API for XML Processing (JAXP),

• Sun Java System Directory Server Directory Server provides the primary config uration and user profile data

repository for Portal Server. The Directory Server is LDAP compliant and implemented on an extensible, open schema.

•Web Containers

❍ Sun Java System Web Server ❍ Sun Java System Application Server Enterprise Edition

The following web containers can be used in place of the Web Server and Application Server software:

❍ BEA WebLogic Server™ ❍ IBM WebSphere® Application Server

See the Sun Java System In stallation Guide for information on deploying Portal Server in various web containers.

NOTE See the Portal Server 6 Release Notes for specific versions of products

supported by P ortal Server.

Portal Server Architecture

Usually, but not always, you deploy Portal Server software on th e following different portal nodes (servers) that work together to implement the portal:

• Portal Server node. The web server where Portal Server resides. You can also install the Search component on this node if desired. Access Manager can reside here.

Chapter 1 Portal Server Architecture 29

Identity Management

• Access Manager node.The server where Access Manager can reside. Access

Manager does not have to reside on the same node as Portal Server.

• Search node. Optional. The server you use for the Portal Server Search service.

You can install the Portal Server Search service on its own server for performance, scalability and availability reasons.

• Gateway nodes. Optional. The server where the SRA Gateway resides. You

can install the Gateway on the portal n ode . Beca use you locate the Gateway in the DMZ, the Gateway is installed on a separate, non-portal node.

• Netlet Proxy node. Optional. The server used to run applications securely

between users’ remote desktops and the servers running applications on your intranet.

• Rewriter Proxy node. Optional. The server used to run applications securely

between users’ remote desktops and the servers running applications on your intranet.

• Directory Server node. The server running Directory Server software. You can

install Directory Server on a non-portal nod e .

• Other servers. These servers, such as mail, file, and legacy servers, provide

backend support, data, and applications to portal users.

Identity Management

Portal Server uses the Access Manager to control many users spanning a variety of different roles across the organization and sometimes outside the organization while accessing content, applications and services. The challenges include: Who is using an application? In what capacity do users serve the organ ization or company? What do users need to do, and what should users be able to access? How can others help with the administrative work?

Access Manager software consists of the following components:

• Java software APIs used to access SSO Token, user profiles, logging, and debugging

• Command line tools such as amadmin, amserver, and ampassword

• Web application services such as session, authentication, logging, and naming

• Administration console web application

• Access Manager SDK

30 Portal Server 6 2005Q1 • Deployment Planning Guide

+ 162 hidden pages

Sun Microsystems JAVA 2005Q1 User Manual

Specifications and Main Features

Frequently Asked Questions

User Manual

Contents

List of Figures

List of Tables

Before You Read This Book

Preface

Who Should Read This Book

How This Book Is Organized

Typographic Conventions

Related Documentation

Books in This Documentation Set

Other Portal Server Documentation

Other Server Documentation

Accessing Sun Resources Online

Contacting Sun Technical Support

Related Third-Party Web Site References

Sun Welcomes Your Comments

Portal Server Architecture

What is a Portal?

Types of Portals

Collaborative Portals

Portal Server Capabilities

Business Intelligence Portals

Sun Java System Portal Server

Secure Remote Access

Portal Sever in Open Mode

Portal Server in Secure Mode

Security, Encryption, and Authentication

Portal Server Deployment Components

Portal Server Architecture

Identity Management