Security
Security is a vital component of any architecture choice that customers make. There are several ways to grant external users access to the system. The following configurations are commonly used by customers.
Reverse Proxy
A reverse proxy configuration is a popular way of placing a secured web server, or the incoming port of a load balancer such as a Cisco ACE or F5 BigIP, into a public DMZ of your network. Every incoming user request is directed to the reverse proxy server. After receiving the request, the web server proxies a new request, typically across a firewall, to the application server. The response is sent back to the user through the reverse proxy, and this cycle repeats for each request.
Some customers have more extensive reverse proxy infrastructures to support their existing extranet infrastructure. When the proxy communicates with the application server, the request is typically HTTP(S) to HTTP(S).
Authentication and Single Sign-On
PTC Arbortext Content Delivery uses BASIC authentication as its default configuration, with the application server authenticating against LDAP. Other forms of authentication can be configured if required; however, some PTC Arbortext Content Delivery functionality may not be compatible with them.
For large implementations where the PTC Arbortext Content Delivery Publisher and Viewers operate in a split configuration, authentication is also managed separately for each.
The PTC Arbortext Content Delivery Publisher user base is limited to the few users who manage publishing tasks and may not require the rigor of a Single Sign-On (SSO) authentication system.
The PTC Arbortext Content Delivery Viewer user base, by contrast, can be quite extensive and requires the rigor of safely authenticating users who access this internet-facing application. SSO authentication systems are a typical feature of large Viewer deployments.
Within the WildFly application server that is part of the PTC Arbortext Content Delivery solution, authentication against one or more LDAP servers is supported, provided that no LDAP server contains a user ID that also exists in another. Authentication against multiple LDAP servers assumes that the user credentials in each LDAP are unique, and a user is resolved on a first-match basis: the first LDAP server in the configured order that contains the user ID is the one consulted.
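The following is an added example, not WildFly or PTC code: a small model of the first-match behaviour described above, together with the pre-deployment audit a practitioner would want, which reports user IDs that appear in more than one directory. Directory names, user IDs and passwords are constructed sample data, and the dict lookup stands in for an LDAP bind.

```python
"""Model of first-match authentication across several LDAP directories.

Constructed illustration for this page, not WildFly's or PTC's own code.
Each directory is a dict of user ID -> password; the comparison below is a
stand-in for a real LDAP bind so the example runs offline.
"""
import hmac
from dataclasses import dataclass


@dataclass
class Directory:
    name: str
    users: dict  # uid -> password (constructed sample data)


def first_match(directories, uid):
    """Return the first directory, in configured order, that contains uid."""
    for d in directories:
        if uid in d.users:
            return d
    return None


def authenticate(directories, uid, password):
    """First-match semantics: only the first directory holding uid is consulted.

    Returns (ok, directory_name). A user whose ID also exists in an earlier
    directory is shadowed and can never authenticate with their own password.
    """
    d = first_match(directories, uid)
    if d is None:
        return False, None
    return hmac.compare_digest(d.users[uid], password), d.name


def duplicate_ids(directories):
    """Audit: map each user ID found in more than one directory to those names."""
    seen = {}
    for d in directories:
        for uid in d.users:
            seen.setdefault(uid, []).append(d.name)
    return {uid: names for uid, names in seen.items() if len(names) > 1}


# Constructed sample directories; "jsmith" collides across both of them.
CORP = Directory("corp", {"jsmith": "corp-pw", "alee": "alee-pw"})
PARTNER = Directory("partner", {"jsmith": "partner-pw", "bkim": "bkim-pw"})
ORDER = [CORP, PARTNER]  # configured lookup order

if __name__ == "__main__":
    print(authenticate(ORDER, "bkim", "bkim-pw"))       # (True, 'partner')
    print(authenticate(ORDER, "jsmith", "partner-pw"))  # (False, 'corp'): shadowed
    print(duplicate_ids(ORDER))                         # {'jsmith': ['corp', 'partner']}
```

Running `duplicate_ids` over exports of every directory before wiring them into the server turns the page's uniqueness assumption into a check rather than a hope.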
For customer implementations with more complex authentication requirements, PTC strongly recommends leveraging a more advanced identity management solution. Customers have successfully deployed identity management products such as CA SiteMinder, Oracle Identity Manager and several others. However, if you choose any of these more advanced identity management solutions, you must customize PTC Arbortext Content Delivery to support it.
Although PTC Arbortext Content Delivery is an application that is accessible through standard web browsers over HTTP, not all clients that access it are guaranteed to do so through a web browser. If you implement an authentication solution such as form-based authentication (supported with PTC Arbortext Content Delivery 6.0), additional configuration is required, possibly including coding changes in PTC Arbortext Content Delivery.