Authentication Service and Communication Log Service
1. In order to send messages to the inner server, the Message Service of the DMZ IS must be started (which is generally necessary for a DMZ configuration anyway). This is managed by the respective section in ./etc/factory_dmz.xml on the DMZ server. The remote interface should be activated as well (as in section Configuration of the Inner System). It is needed if an FTP user has to be created that also requires a home directory on the DMZ.
2. A DMZ server (in a simple DMZ configuration) or multiple DMZ servers (in a DMZ cluster) use their Message Authentication Service to access the Authentication Service of the inner server. The file ./etc/auth_dmz.xml also contains commented sections with the most important configuration parameters. The required minimum configuration is the defaultTarget, i.e. the IP address or DNS name of the inner server. Port 8020 is used by default.
<Configure class="com.ebd.hub.services.auth.MessageAuthenticationService">
    <!-- The Message Queue for receiving from DMZ. Default if not set: System:AuthCall
    <Set name="messageContext">System</Set>
    <Set name="messageQueue">AuthCall</Set>
    -->
    <!-- Host and port for forwarding Messages. Use it if no Routes are defined for Message Service. If no routes and no defaultTarget
    is defined, the service can not connect. If the port is omitted, the default port 8020 is used. -->
    <Set name="defaultTarget">192.168.93.67</Set>
    ...
If the Message Service of the inner server listens on a different port, the port number must be appended, e.g. 192.168.93.67:8722.
Note: The defaultTarget is the simplest way to define a route to the inner Message Service if no routes are defined in file ./etc/message.xml (DMZ). If explicit routes are defined for the Message Service of the DMZ, the parameter defaultTarget is ignored by the Message Authentication Service.
If the message queue does not exist yet, it is created during startup. The name of the queue must be identical to the one configured on the inner server (see chapter Configuration of the Inner System). Recommendation: Use the standard names (uncomment the section).
The Message Communication Log Service has configuration parameters of the same name; its default value for the Message Queue, however, is System:CommlogCall.
3. The network connection between the DMZ server and the inner server is usually secured by a firewall. The firewall must allow incoming TCP connections from the DMZ server (or from all DMZ servers in a cluster) to the message port of the inner server (default: 8020). The Message Authentication Service and the Message Communication Log Service both use the same target port, so their defaultTarget settings should be identical. This port is also used by the Communication Forward Manager (DMZ). Consequently, only one port, namely the message port (default: 8020), needs to be opened for incoming connections from the DMZ.
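The following Python script is an added example, not part of this documentation or the product's own tooling. It reads a Configure section in the shape of ./etc/auth_dmz.xml shown above (a constructed sample is embedded), resolves the effective target host and port with the page's rules (port 8020 when omitted, defaultTarget ignored when explicit routes exist in message.xml, an error when neither is defined), derives the queue name from the service defaults (System:AuthCall, or System:CommlogCall for the Communication Log Service), and prints the single inbound firewall rule from step 3. The DMZ addresses and the routes_defined flag are assumptions passed in by the caller; the route format of message.xml is not on the page, so it is not parsed.

```python
import xml.etree.ElementTree as ET

DEFAULT_MESSAGE_PORT = 8020  # default message port of the inner server (from the page)

# Constructed sample in the shape of ./etc/auth_dmz.xml above. The queue settings are
# left commented out, so the service defaults apply.
SAMPLE_AUTH_DMZ_XML = """
<Configure class="com.ebd.hub.services.auth.MessageAuthenticationService">
    <!-- The Message Queue for receiving from DMZ. Default if not set: System:AuthCall
    <Set name="messageContext">System</Set>
    <Set name="messageQueue">AuthCall</Set>
    -->
    <Set name="defaultTarget">192.168.93.67</Set>
</Configure>
"""


def parse_service_settings(xml_text):
    """Return {Set name: value} for the <Set> children of a <Configure> element.

    ElementTree discards XML comments, so commented-out <Set> elements are simply
    absent, which is exactly the case in which the service defaults apply.
    """
    root = ET.fromstring(xml_text.strip())
    return {s.get("name"): (s.text or "").strip() for s in root.findall("Set")}


def split_target(target):
    """Split 'host' or 'host:port' into (host, port); the port defaults to 8020."""
    host, sep, port = target.partition(":")
    if not host:
        raise ValueError("defaultTarget contains no host")
    if not sep:
        return host, DEFAULT_MESSAGE_PORT
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"invalid port in defaultTarget: {target!r}")
    return host, int(port)


def effective_target(settings, routes_defined=False):
    """(host, port) the service will actually connect to, or None.

    routes_defined=True models explicit routes in ./etc/message.xml (DMZ), in which
    case defaultTarget is ignored. With neither routes nor defaultTarget the service
    cannot connect, which is reported as an error rather than silently defaulting.
    """
    if routes_defined:
        return None
    target = settings.get("defaultTarget")
    if not target:
        raise ValueError("no routes and no defaultTarget: the service cannot connect")
    return split_target(target)


def queue_name(settings, default_context="System", default_queue="AuthCall"):
    """Full queue name such as 'System:AuthCall'.

    Pass default_queue='CommlogCall' for the Message Communication Log Service,
    whose parameters have the same names but a different default queue.
    """
    context = settings.get("messageContext", default_context)
    queue = settings.get("messageQueue", default_queue)
    return f"{context}:{queue}"


def firewall_rule(dmz_hosts, settings, routes_defined=False):
    """Describe the one inbound TCP rule step 3 requires, or None if routes decide."""
    target = effective_target(settings, routes_defined)
    if target is None:
        return None
    host, port = target
    return f"allow tcp from {','.join(dmz_hosts)} to {host} port {port}"


if __name__ == "__main__":
    settings = parse_service_settings(SAMPLE_AUTH_DMZ_XML)
    print("target:", effective_target(settings))
    print("auth queue:", queue_name(settings))
    print("commlog queue:", queue_name(settings, default_queue="CommlogCall"))
    # 10.0.0.5 is a constructed DMZ address for the example
    print("firewall:", firewall_rule(["10.0.0.5"], settings))
```

Running the script against the embedded sample reports the target 192.168.93.67 on port 8020, the queue names System:AuthCall and System:CommlogCall, and the single allow rule from the DMZ address to that port; a defaultTarget of 192.168.93.67:8722 yields port 8722 instead.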
4. Additional function: The Message Communication Log Service allows (like the Communication Log Service) an application to register as a Communication Log Listener in order to be notified of events and entries logged by the Communication Log Service. This feature is not used in the standard configuration. To use it, the following is required:
DMZ server: The remote interface of the Message Service must be activated.
Firewall: TCP connections from the inner server to the DMZ remote interface (port 8020) must be allowed.