AuthenticationService and CommunicationLogService
1. To be able to send messages to the inner server, the MessageService of the DMZ server must be running (the DMZ configuration requires it anyway). It is configured in the corresponding section of ./etc/factory_dmz.xml on the DMZ server. Its remote interface should be activated as well (as described in section Configuration of the Inner System). This is needed, for example, when a new FTP user is created whose home directory also has to be created on the DMZ server.
2. A DMZ server, or each DMZ server of a DMZ cluster, uses its MessageAuthenticationService to reach the AuthenticationService of the inner server. The file ./etc/auth_dmz.xml contains commented sections with the most important configuration parameters. The only mandatory parameter is defaultTarget, the IP address or DNS name of the inner server; port 8020 is used unless another port is given explicitly:
    <Configure class="com.ebd.hub.services.auth.MessageAuthenticationService">
        <!-- The Message Queue for receiving from DMZ. Default if not set: System:AuthCall
        <Set name="messageContext">System</Set>
        <Set name="messageQueue">AuthCall</Set>
        -->
        <!-- Host and port for forwarding Messages. Use it if no Routes are defined for Message Service. If no routes and no defaultTarget
        is defined, the service can not connect. If the port is omitted, the default port 8020 is used. -->
        <Set name="defaultTarget">192.168.93.67</Set>
        ...
If the MessageService of the inner server listens on a different port, the port number has to be given explicitly, e.g. 192.168.93.67:8722.
Note: The defaultTarget is the simplest way to define a route to the inner MessageService when ./etc/message.xml on the DMZ server defines no routes. If message.xml defines explicit routes for the MessageService of the DMZ server, the MessageAuthenticationService ignores defaultTarget and the routes apply. If the message queue does not exist yet, it is created at startup. The queue name must be identical to the one configured on the inner server (see section Configuration of the Inner System). Recommendation: keep the default name by leaving that section commented out. The MessageCommunicationLogService has configuration parameters of the same name; its default message queue is System:CommlogCall, though.
3. The network connection between the DMZ server and the inner server is usually secured by a firewall. The firewall must allow incoming TCP connections from the DMZ server (from every DMZ server, if clustered) to the message port of the inner server (default: 8020). The MessageAuthenticationService and the MessageCommunicationLogService both connect to the same target port, so their defaultTarget settings should be identical. The CommunicationForwardManager on the DMZ server uses this port too. Consequently only one port, the message port (default: 8020), needs to be opened for connections from the DMZ server into the inner system; these connections are always initiated from the DMZ side, so no rule for connections from the inner server to the DMZ server is needed for this.
4. Additional function: Like the CommunicationLogService, the MessageCommunicationLogService allows an application to register as Communication Log Listener in order to be notified of the events and entries logged by the CommunicationLogService. This feature is not used in the standard configuration. Using it requires the following:
DMZ server: The remote interface of the MessageService must be activated.
Firewall: TCP connections from the inner server to the DMZ remote interface (port 8020) must be allowed. This is the opposite direction to the rule in step 3 and is only needed for this feature.
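As an added example, not part of this manual and not tooling shipped with the product, the following Python script checks a DMZ-side configuration for the conditions named in steps 2 to 4: a parseable defaultTarget with the 8020 default, queue names that match the defaults the inner server expects, identical targets for both services, and the firewall rules that follow from the configuration. The root element Hub, the class name com.example.MessageCommunicationLogService, the host name dmz-server and the sample XML itself are constructed assumptions; only the Configure/Set structure shown in the manual is modeled.

```python
import xml.etree.ElementTree as ET

DEFAULT_MESSAGE_PORT = 8020  # used when defaultTarget carries no port (per the manual)

# Default queue (messageContext:messageQueue) per service when its <Set> lines are commented out.
# Keyed on the last component of the class name so the package of the commlog service is not assumed.
DEFAULT_QUEUES = {
    "MessageAuthenticationService": ("System", "AuthCall"),
    "MessageCommunicationLogService": ("System", "CommlogCall"),
}

# Constructed sample (assumption: both services in one document under a made-up <Hub> root; the
# commlog class package is a placeholder). The second service deliberately carries two mistakes
# the checks should flag: a non-default queue name and a target port differing from the first.
SAMPLE_DMZ_XML = """
<Hub>
  <Configure class="com.ebd.hub.services.auth.MessageAuthenticationService">
    <!-- left commented out, so the default System:AuthCall applies
    <Set name="messageContext">System</Set>
    <Set name="messageQueue">AuthCall</Set>
    -->
    <Set name="defaultTarget">192.168.93.67</Set>
  </Configure>
  <Configure class="com.example.MessageCommunicationLogService">
    <Set name="messageContext">System</Set>
    <Set name="messageQueue">CommlogCalls</Set>
    <Set name="defaultTarget">192.168.93.67:8722</Set>
  </Configure>
</Hub>
"""


def parse_target(value):
    """Split a defaultTarget value (IPv4 or DNS name, optional :port) into (host, port)."""
    value = value.strip()
    if not value:
        raise ValueError("defaultTarget is empty")
    host, sep, port = value.rpartition(":")
    if not sep:
        return value, DEFAULT_MESSAGE_PORT
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"invalid port in defaultTarget: {value!r}")
    return host, int(port)


def read_service(configure):
    """Extract the relevant parameters from one <Configure class="..."> element.
    Commented-out <Set> lines are not parsed by ElementTree, so the defaults apply to them."""
    short = configure.get("class", "").rsplit(".", 1)[-1]
    settings = {s.get("name"): (s.text or "").strip() for s in configure.findall("Set")}
    ctx_default, queue_default = DEFAULT_QUEUES.get(short, (None, None))
    return {
        "service": short,
        "context": settings.get("messageContext", ctx_default),
        "queue": settings.get("messageQueue", queue_default),
        "defaultTarget": settings.get("defaultTarget"),
    }


def check_dmz_config(xml_text, routes_defined=False, commlog_listener=False, dmz_host="dmz-server"):
    """Return (findings, firewall_rules) for a DMZ-side configuration.

    routes_defined:   ./etc/message.xml on the DMZ server defines routes (defaultTarget is then ignored)
    commlog_listener: an application registers as Communication Log Listener (step 4)
    dmz_host:         placeholder name of the DMZ server for the reverse rule (assumption)
    A firewall rule is a tuple (direction, destination host, TCP port).
    """
    root = ET.fromstring(xml_text)
    services = [read_service(c) for c in root.iter("Configure")]
    findings, targets = [], {}
    for s in (s for s in services if s["service"] in DEFAULT_QUEUES):
        name = s["service"]
        expected = ":".join(DEFAULT_QUEUES[name])
        actual = f'{s["context"]}:{s["queue"]}'
        if actual != expected:
            findings.append(f"{name}: queue {actual} is not the default {expected}; "
                            "the inner server must be configured with exactly this name")
        if s["defaultTarget"] is None:
            if not routes_defined:
                findings.append(f"{name}: no defaultTarget and no routes in message.xml; "
                                "the service cannot connect")
            continue
        if routes_defined:
            findings.append(f"{name}: defaultTarget is ignored because message.xml defines routes")
        try:
            targets[name] = parse_target(s["defaultTarget"])
        except ValueError as exc:
            findings.append(f"{name}: {exc}")
    if len(set(targets.values())) > 1:
        findings.append("defaultTarget differs between services; both must use the same inner host and message port")
    # Step 3: one rule per distinct inner target; a correct setup yields exactly one (port 8020).
    rules = [("DMZ->inner", host, port) for host, port in sorted(set(targets.values()))]
    if commlog_listener:  # step 4: reverse direction to the DMZ remote interface
        rules.append(("inner->DMZ", dmz_host, DEFAULT_MESSAGE_PORT))
    return findings, rules


if __name__ == "__main__":
    for line in check_dmz_config(SAMPLE_DMZ_XML)[0]:
        print("FINDING:", line)
    for rule in check_dmz_config(SAMPLE_DMZ_XML, commlog_listener=True)[1]:
        print("FIREWALL:", rule)
```

Run against the sample it reports the non-default commlog queue and the mismatching ports and derives two DMZ-to-inner rules; after correcting the queue name and dropping :8722 the findings disappear and a single rule to port 8020 remains, which is the state step 3 describes.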